16A AS400 Architecture and Security

PART 16-A AS/400 ARCHITECTURE & SECURITY
Leen van Rij

kpmg IRM vrije Universiteit amsterdam 31 March 2003
File 16-A AS400 architecture & security
2003
Contents
LvR/VU MAR/2003
CONTENTS
History Architecture Application and Operating System/400 (AS/400 and OS/400) Physical security levels Logical security levels Object management Security implementation Special security feature Auditing (Part X. Only for the AS/400 auditor) Note AS/400 = hardware OS/400 = operating system
AS/400 architecture & security 2
Contents ...
Contents Literature Highlights History Architecture Communication support Machine Interface AS/400 Database System Integrated File System Single level storage Object oriented Object types Physical security Logical security levels Integrity checking Special authorizations User classes Pre-defined user profiles User profile Group profile AS/400 architecture & security Group structure Object header authority Object data authority Object authority Grouping Public authorization Private authority Authorization list Authorization Check flow Adopted security Dedicated service tools Journaling Security definition interface ONLY FOR THE AS/400 AUDITOR: Limited users Library security Physical versus logical file security Authority holder Adopted security Journaling
LvR/VU MAR/2003
Optional literature
LvR/VU MAR/2003
OPTIONAL LITERATURE
IBM AS/400 System Concepts IBM AS/400 Security Concepts & Planning IBM AS/400 Guide to enabling C2 security IBM Application System/400 Technology Ernst & Young A practical approach to logical access control McGraw-Hill (1993) (see chapter AS/400 access control) Ernst & Young Technical reference series: Audit, Control and Security of the IBM AS/400 (1994) (description, control objectives, audit questions) Fred de Koning e.a. Beveiliging en controle in een AS/400-omgeving Paardekooper & Hoffman (1995)
Optional literature . . .
LvR/VU MAR/2003
STRUCTURE OF:
Ernst & Young
AS/400 Audit Reference
Overview Hardware Software Logical access path Utilities Backup and Recovery Objects Libraries Initial menus and programs
System security
system keylock system values authorities user and group profiles authorization lists etc.
Procedural and administrative controls Control Concerns Examples

5
AS/400 architecture & security
Security topology
TOPOLOGY OF SECURITY LAYERS
End user Network security Frontdoor Security in system/service Security in application Physical security of the computing center Computing center staff Access control Operating system Hardware
LvR/VU MAR/2003
Measures depend upon security objectives and the enterprises security strategy
DATA
Trusted Computing Base (TCB - certified using US Department of Defense standards)
Note: The security measures in the network, services and applications may use the Access Control in the TCB. Although this access control mechanism may have been classified in accordance with the US DoD standards, the actual security depends upon how the security facilities are used.
Access path within AS/400 (MEY model) End users MIS personnel
LvR/VU MAR/2003
OS/400 communication functions OS/400 communication functions User profiles User profiles Initial menu Initial menu Application software Application software Command Command processors processors Tools & utilities Tools & utilities
AS/400 model, see Ernst & Young book on logical access control
OS/400 data base management functions OS/400 data base management functions
DATA
Object security Object security
OS/400
Highlights
LvR/VU MAR/2003
HIGHLIGHTS FOR THE EDP AUDITOR

1. 2. 3. 4. 5. 6. Apropriate security levels active Identification, Authentication (User and Group profiles) Special Authorizations Public and Specific Authorization (including Authorization list) Dedicated Service Tools Journaling
History of AS/400
LvR/VU MAR/2003
HISTORY OF APPLICATION SYSTEM/400 (AS/400) System/34 System/34 Data Base included in OS System/36 System/36 AS/400 AS/400 AS/400-Y10 PowerPC AS/400 PowerPC AS/400
1974 System/38 System/38 1978 1982 1987 1995

9
Architecture AS/400
LvR/VU MAR/2003
System System processor processor

BCU BCU IOBU IOBU Display Printer IOBU IOBU
Main Main storage storage

BCU BCU IOBU IOBU IOBU IOBU Communication DASD BE BE U U BE BE U U BCU BCU
DASD BCU IOBU BEU
= Direct Access Storage Device (disks) = Bus Control Unit = I/O Bus Unit (Communication Controller) = Bus Extentsion Unit
10
Architecture AS/400 ...
LvR/VU MAR/2003
ARCHITECTURE
Untill 1995, the system processor was designed with the System/370 architecture which is also used in mainframes with the S/390 architecture The system processor had a 32 bit data path and a 48 bit addressing structure to address 281 Tera bytes The addressing architecture is designed to handle 64 bit addressing, which is fully implemented in the newer systems using the PowerPC architecture
11
Communication protocols
LvR/VU MAR/2003
PHYSICAL CONNECTION PROTOCOLS

For communication purposes AS/400 supports on the physical layer a variety of data link and network protocols A standard port is used for Logical ECS (Electric Customer Support) Optional adapters supports the protocols connection ASYNC (ASYNChronous) BSC (Binary Synchronous Communication) SDLC (Synchronous Data Link Control) X.21, X.25, X.31, V.24, V.35 and V.36 ISDN (Integrated Services Digital Network) Twinaxial Data Link Control Ethernet Token-ring FDDI (Fiber Distributed Data Interface) al Physic Wireless LAN n Fax (V.34) nnectio
co
Terminal / Application = End user Transaction Services Presentation Services Data Flow Control Transmission Control Path Control Data Link Control Physical Control
12
Communication protocols ...
LvR/VU MAR/2003
NETWORK PROTOCOLS
To manage network access AS/400 supports the most common available network protocols.
Logical connection Asynchronous Binary Synchronous Communications (BSC) System Network Architecture (SNA) Advanced Peer-to-Peer Network (APPN) Transmission Control Protocol/Internet Protocol (TCP/IP) Open Systems Interconnection (OSI) Multiprotocol Transport Networking (MPTN) Terminal / Application = End user Transaction Services Presentation Services Data Flow Control Transmission Control Path Control Data Link Control Physical Control
al Physic connec
tion
13
Communication protocols ...
LvR/VU MAR/2003
APPLICATION COMMUNICATION PROTOCOLS

To enable applications using communication AS/400 supports call interfaces like
Advanced Program-to-Program Communications (APPC) SNA Distribution Services (SNADS) Distributed Remote Data Access Open Systems Interconnection (OSI) Object Distribution Facility (ODF) Client Access/400 Transmission Control Protocol (TCP) File Transfer Protocol (FTP) Simple Mail Transfer Protocol (SMTP) Simple Network Management Protocol (SNMP) User Datagram Protocol (UDP) Line Printer Requester/Line Printer Daemon Protocol al TELNET Physic
tion connec
Terminal / Application = End user Transaction Services Presentation Services Data Flow Control Transmission Control Path Control Data Link Control Physical Control
Machine interface AS/400
LvR/VU MAR/2003
MACHINE INTERFACE AS/400
Compilers Utilities
Applications High-level machine

15 LvR/VU MAR/2003 16
Operating System/400 (OS/400)

Vertical Micro Code Horizontal Micro Code Hardware
Machine interface AS/400 ...
MACHINE INTERFACE AS/400

The AS/400 is a layered architecture machine To use the hardware only high-level machine instructions are available The high level machine instructions are understood by the VERTICAL MICROCODE layer and translated to basic machine instructions The basic machine instructions are implemented by the HORIZONTAL MICROCODE layer and transfered to the hardware The hardware layer executes the instruction The Vertical and Horizontal Micro Code layer together with the hardware is called the HIGH-LEVEL MACHINE With the PowerPC architecture there is only one layer of microcode to implement the machine interface.
Machine interface AS/400 ...
LvR/VU MAR/2003
The three machine layers, called the high-level machine, also provide many functions normally implemented in the Operating System TRADITIONAL TRADITIONAL OPERATING SYSTEM OPERATING SYSTEM Task management Task management Resource management Resource management Storage management Storage management Database management Database management Security management Security management etc. etc. TRADITIONAL TRADITIONAL HARDWARE HARDWARE Machine interface Machine interface Hardware Hardware OPERATING SYSTEM/400 (OS/400) AS/400 HARDWARE (Machine interface ) Task management Resource management Storage management Data access Database management Security management etc. Hardware
Note: Implementing functions in micro code benefits the systems performance

Database system
LvR/VU MAR/2003
INTEGRATED DATABASE SYSTEM

AS/400 has an integrated Database management system. It is a BASE feature of the AS/400 Within AS/400 Database access is only allowed by ONE Application Programming Interface (API). Access security will be done by this interface and there is no redundant access control mechanisme available. There is only one focal point for access control The Database is designed on two concepts The physical files, containing the data The logical files gives the posibility to define an alternate view to the data records and fields The user, when authorized, can access the data directly from the physical file or through the logical file The AS/400 Database system is also used as a physical storage by the product Data Base 2 (DB2/400) which extend the Data Base features
Database system ...
LvR/VU MAR/2003
INTEGRATED DATABASE SYSTEM

The AS/400 system can be used as a Database server. To connect to the AS/400 Database, protocols from different vendors are supported. These protocols are Open Database Connect (ODBC) from Microsoft Data Access Language (DAL) from Appel System Query Language Connect (SQL CON) from Oracle Distributed Relational Database Architecture (DRDA) from IBM
System A
Database X
System B
AS/400 Database Y
19
Integrated File System
LvR/VU MAR/2003
INTEGRATED FILE SYSTEM (IFS)

To extend the use of the AS/400 system, file server architectures from different vendors can be handled by the integrated file system. The integrated file system supports a set of industry standard APIs to the streamfile system and the hierarchical directory. The file access protocols which are supported by AS/400 are: Root file system: OS/2, DOS and Windows NT compatible QOpenSys file system: Posix, XPG, UNIX compatible QLANSrv file system: OS/2 Lan Manager compatible AS/400 File system X
File system Y
20
10
Single level storage Traditional mainframe with an address space per user and separate data sets on disks OS/390 2 GB address space 2 GB address space 2 GB address space 2 GB address space 2 GB address space 2 GB address space
LvR/VU MAR/2003
DI AR FFE CH RE IT NT EC TU RE
AS/400 - OS/400 264 bytes = 16.000.000 Tera bytes address space Object: program Object: program Object: screen Object: screen Object: data Object: data
DASD
AS/400: everything in one virtual address space

Single level storage ...
LvR/VU MAR/2003
SINGLE LEVEL STORAGE

AS/400 provides single-level addressability of all virtual storage. This is transparent addressing, making both MAIN an AUXILIARY storage appear contiguous to an end user and an application
One virtual address space

SYSTEM SYSTEM PROCESSOR PROCESSOR VAT
MAIN STORAGE MAIN STORAGE DIR paging
AUXILIARY STORAGE on DASD
VAT = Virtual Address Translation DIR = Directory used by VAT to keep track of virtual storage contents Note: When data or instructions are needed for executing by the system processor it will be brought into main storage. When there is a shortage of main storage the data and/or instruction not needed anymore are transfered back to auxiliary storage on DASD
11
Single level storage ...
LvR/VU MAR/2003
AS/400 single-level storage gives the ability to have data storage independent of device types. All data including programs, source, data, databases etc. are mapped into this single virtual address space
AS/400 VIRTUAL ADDRESS SPACE Program A123 Program A143 Program A123 Program A143 Data 5RF Data 5RF Command AB6 Command AB6 Queue Queue
Program XG63 Program XG63
Menu 567 Menu 765 Command UY Menu 567 Menu 765 Command UY Etc. etc. etc. till maximum space Etc. etc. etc. till maximum space
23
cts je b
Data GFHJ Data GFHJ
Object oriented
LvR/VU MAR/2003
OBJECT ORIENTED DESIGN

Definition: Everything on the system that can be stored or retrieved is contained in an object The high level machine is designed to treat everything the same through the use of a generic object structure
General object structure

Object type Object type Owner Owner Public Authorithy Public Authorithy etc. etc. OBJECT HEADER
(Control Information)
FUNCTIONAL OBJECT (data)
Data (e.g., data records, programs, sources, etc. )) Data (e.g., data records, programs, sources, etc.
12
Object types
LvR/VU MAR/2003
OBJECT TYPES
To storage information in the AS400 system there are defined 73 different types of objects, e.g.
Type
Library Data Program Source User profile Journal Job queue Output queue Device description Job description
Contents
object names (like a directory) data records (database records) executable programs source of programs like cobol, pascal, C etc. userid descriptions and priviledges logging records jobs to handle output from jobs device parameters job control language
25
Object administration
LvR/VU MAR/2003
OBJECT ADMINISTRATION
START OBJECT SEARCH LIBRARY 1
OBJECT X OBJECT X OBJECT Y OBJECT Y
OBJECT X MEMBER A MEMBER A MEMBER B MEMBER B MEMBER C MEMBER C OBJECT Y
QSYS
LIBRARY 1 LIBRARY 2 LIBRARY 3
OBJECT Z OBJECT Z
LIBRARY 2 DATABASE
OBJECT K OBJECT K OBJECT L OBJECT L OBJECT M OBJECT M
26
13
Physical security
LvR/VU MAR/2003
KEYLOCK SWITCH
On front panel AS/400, with a physical key (to be stored safely)
Normal
Manual
Secure
Keylock Keylock position position SECURE SECURE AUTO AUTO NORMAL NORMAL MANUAL MANUAL Power down Power down command command YES YES YES YES YES YES YES YES Remote or Remote or timed IPL timed IPL NO NO YES YES YES YES NO NO Main Main switch IPL switch IPL NO NO NO NO YES YES YES YES
Auto
Attended Attended IPL IPL NO NO NO NO NO NO YES YES
Note: In position MANUAL, attended IPL, special service tools are available (Dedicated Service Tools)
Logical security levels
LvR/VU MAR/2003
LOGICAL SECURITY LEVELS

AS/400 is designed to activate different levels of security. The levels are controlled by setting the system parameter QSECURITY(xx) 10 - no security 20 - userid and password checking 30 - object authorization verification 40 - application must use AS/400 call interface 50 - DoD C2 security
Note: to guarantee data integrity, at least the system parameter *QSECURITY(30) must be set by the Security administrator prior to user access to the system
14
Logical security levels ...
LvR/VU MAR/2003
DESCRIPTION OF SECURITY LEVELS

10 - No security level at all. A user-profile will be automaticaly be defined when a user signs on 20 - User-profile and password must be defined prior to sign on 30 - Like 20, but access to objects is also controlled (resource access control active). The user must have the appropriate access authority to use the resources. 40 - Like 30, but the machine interface cannot be used directly by the programs. It can only be used through the AS/400 call interface. All access is controlled/checked by AS/400. Journalling must be active so reports can be created 50 - Extend level 40 to meet DoD C2 classification. The users are only allowed to access their own objects through the AS/400 defined Application Programming Interface (API). Bypassing journalling of an object access is no longer possible
Integrity checking
LvR/VU MAR/2003
INTEGRITY CHECKING ISOLATION: AS/400 has system state and user state programs
Security level = 10, 20 and 30 user and system programs can freely interact with the high-level machine Security level = 40 the APIs (Application Program Interface) must be used by a user program to interact with a system program Security level = 50 the APIs must also be used by a user program to interact with another user program
15
Integrity checking ...
LvR/VU MAR/2003
INTEGRITY CHECKING
System State Domain no integrity problem System State Domain
integrity problem when not checked API must be used with level 40
integrity User State Domain problem User State Domain intentionally no problem no journalling of activities level 50 enforces use of API in the user domain
Special authorizations
LvR/VU MAR/2003
SPECIAL AUTHORIZATIONS
Within the AS/400 system there are definitions with a system wide authority scope. When a user is defined with a special authorization he/she is able to do
PRIVILEDGE ALLOBJ SECADM SAVSYS JOBCTL SPLCTL SERVICE AUDIT IOSYSCFG
AUTHORIZED TO DO
access every system resource create / change user profiles save / restore manipulate jobs on the system all spool functions service functions audit related functions change system configuration
32
16
User classes
LvR/VU MAR/2003
USER CLASSES ALLOBJ SERVICE SPLCTL

SECA
DM
SECO
FR
IOSYSCFG
R OP YS MR S PG
SECADM
JOBCTL SAVSYS
33
User classes . . .
LvR/VU MAR/2003
USER CLASSES
Special authorities can be grouped together. These grouping is called a USERCLASS class SECOFR SECADM SYSOPR PGMR USER authority
ALLOBJ SECADM SAVSYS JOBCTL SPLCTL SERVICE IOSYSCFG
10/20
10/20
10/20
10/20 10/20
Note: 10/20 refer to the security level 10 and 20. When one of these is active, the ALLOBJ authority is assigned to this classes automaticly. The refers to security level 30, 40 and 50
17
Pre-defined user profiles
LvR/VU MAR/2003
PRE-DEFINED USER PROFILES

When AS/400 is installed, there are 6 prefined user profiles available to access the system. They are to create other user profiles to access the system. The 6 default userids are QSECOFR QPGMR QSYSOPR QSRV QSRVBAS QUSER
Note: The passwords must be changed as soon as the system is IPLed for the first time, to prevent other users to sign on with these highly authorized userids
User profile
LvR/VU MAR/2003
USER PROFILE
With security level 20 or higher, the user can only access the system if there is a user profile defined. A user profile can be created through a panel interface or by issuing the CRTUSRPRF command. The contents of the user-profile may be
USER PROFILE (is an object)

Userid User class Group name (up to 16 groups) Initial program Initial menu Current library
Password Password expiration Special authority Accounting code Limited capability
( Note: This is only a partial content )

18
Authentication
LvR/VU MAR/2003
AUTHENTICATION
System wide password syntax options
QPWDMINLEN QPWDMAXLEN QPWDRQDDIF QPWDLMTCHR QPWDPOSDIF QPWDLMTREP QPWDLMTAJC QPWDVLDPGM QPWDRQDDGT minimum length of password maximum length (up to 10 characters) new password must differ from 32 previous specify up to 10 characters not allowed for password character in new must be different from character in same position in old characters not be used more than once numbers 0 to 9 not next to another use password syntax checker at least one numeric maximum number of days the password is valid maximum number of unsuccessful sign-on attempts display date/time of last sign-on etc. after successful sign-on
37
Other system wide password options

QPWDEXPITV QMAXSIGN QDSPSGNINF
Group profile
LvR/VU MAR/2003
GROUP PROFILE
A group profile has the same structure as a user profile: it becomes a group profile when it is named as a group in a user profile. The contents of the group profile may be
GROUP PROFILE (is an object)

Userid User class Group Initial program Initial menu Current library (is groupname) (class for group) (NONE) (not relevant) (not relevant) (not relevant) (NONE) Password expiration (not relevant)
Password Special authority
(for group) Accounting code (not relevant) Limited capability (not relevant)
( Note: This is only a partial contents )

19
Group structure
LvR/VU MAR/2003
GROUP STRUCTURE
Group profile Group profile GROUP A GROUP A Group profile Group profile GROUP B GROUP B
User profile User profile USER A1 USER A1 Group=A Group=A
User profile User profile USER A2 USER A2 Group=A,B Group=A,B
User profile User profile USER B1 USER B1 Group=B Group=B
User profile User profile USER B2 USER B2 Group=B Group=B
The groups are independent definitions and do not have any relation to one another A user can be a member of maximum 16 groups
Object header authority
LvR/VU MAR/2003
OBJECT HEADER AUTHORITY HEADER HEADER
functional data functional data
AS/400 is object oriented: all stored information is contained in an object. There are 3 authority levels to control the header information This authority is specific for every user-object combination. The user may
AUTHORITY

ACCESS RIGHTS to HEADER

use/look at the object information grant other users to use the object totally control the object
OBJOPR OBJMGT OBJEXIST

!
40
20
Object data authority
LvR/VU MAR/2003
OBJECT DATA AUTHORITY

header header
FUNCTIONAL DATA FUNCTIONAL DATA
Prior to access the contents of the object, the user must have at least OBJOPR authority to the object. If so, data access can be controlled with five different levels
AUTHORITY
ACCESS RIGHTS to FUNCTIONAL DATA

- Read the entries of the functional data - Add entries to the functional data - Update entries of the functional data - Delete entries of the functional data - Only execute the related program
READ ADD UPD DLT EXECUTE
!
41 LvR/VU MAR/2003
Object authority
OBJECT AUTHORITY
The get access to the object the user needs at least access to the header information before he/she is allowed to access the data part of the object. To have access to the data the user needs in addition to the header access at least read access to the data part of the object. In this example all users have read access to the data. PUBLIC authority START SEARCH
OBJOPR READ
data
42
21
Object authority grouping
LvR/VU MAR/2003
OBJECT AUTHORITY GROUPING OBJEXIST OBJMGT

CHAN
GE
ALL
SE
DLT
OBJOPR READ UPD ADD
43
Object authority grouping . . .
LvR/VU MAR/2003
OBJECT AUTHORITY GROUPING

Object header and functional data access authorities can be grouped to system defined values, controlling the access to the object Combination Object authority Data authority
USE CHANGE ALL
OBJOPR OBJOPR OBJOPR OBJMGT OBJEXIST
READ READ, ADD, UPD, DLT READ ADD UPD, DLT
EXCLUDE Access always denied LIBCRTAUT Access determined by the library where the object is USER DEF
registered Combination defined by the user
44
22
Public authorization
LvR/VU MAR/2003
PUBLIC AUTHORIZATION
When most of the users must have the same access authority to the object, this access authority is set into the object header. The authorization is called PUBLIC and is given to the object during creation
OBJECT HEADER OBJECT HEADER
Object type Object type Owner Owner PUBLIC authority USE PUBLIC authority USE
All Users
FUNCTIONAL DATA FUNCTIONAL DATA

Note: In this example all users have read access to this object (USE includes OBJOPR and READ)
Private authority
LvR/VU MAR/2003
PRIVATE AUTHORITY
When a specific user must have limited or higher access rights related to the public authority, the users access is administrated in his/her user profile extension header header user information user information list of owned objects list of owned objects LIST OF OBJECTS AUTHORIZED LIST OF OBJECTS AUTHORIZED TO ACCESS WITH THE AUTHORITY TO ACCESS WITH THE AUTHORITY OBJEXAMPLE CHANGE OBJEXAMPLE CHANGE Note: When there is a private access definition for the object, lower then the public authority, it will be marked in the object header
USER PROFILE (is an object)
Single User
23
Authorization list
LvR/VU MAR/2003
AUTHORIZATION LIST
Another possibility to control access is to create an authorization list. This list will be created when there are users or groups with different access rights to a group of objects An object can be connected to this authorization list The advantage of an authorization list is that it can be created prior to the creation of the object and it will not be deleted when an object is deleted When another object is created and it needs the same authorization scheme this newly created object can be connected to the same list
47
Authorization list ...
LvR/VU MAR/2003
AUTHORIZATION LIST CONTENTS

The authorization list by itself is also an object. The list is treated as every other object in the system header header ANJA ANJA EDWIN EDWIN RONALD RONALD LEEN LEEN PUBLIC PUBLIC
AUTHORIZATION LIST (is an object) ALL ALL CHANGE CHANGE USE USE AUTLMGT AUTLMGT EXCLUDE EXCLUDE
The example above shows a list which can be used by an object to control its access rights. There is also defined a specific access control authorization called AUTLMGT. This gives the user (or group) the ability to maintain this authorization list Note: When the public authorization in the object specifies that the authority list will be used the entry PUBLIC will give the public authorization
24
Authorization list ...
LvR/VU MAR/2003
AUTHORIZATION LIST CONNECTION

When an object is created or changed the authorization list can be specified. The architecture gives the possibility to specify only ONE list per object Authorization List ABC Object authorizations are defined in Authorization List ABC Object type Object type Owner Owner AUTHORIZATION LIST ABC AUTHORIZATION LIST ABC Public authority AUTL Public authority AUTL Functional data Functional data
ANJA ALL EDWIN CHANGE RONALD USE AUTLMGT LEEN PUBLIC EXCLUDE
Note: In this example the public authority is now used from the authorization list entry PUBLIC
Authorization check flow
LvR/VU MAR/2003
AUTHORIZATION CHECK FLOW

Authorization check flow sequence: 1. Special authority of the user 2. Specific authority of the user 3. User on authorization list 4. Special authority of the group 5. Specific authority of the group 6. Group on authorization list 7. PUBLIC authority in object 8. PUBLIC on authorization list AS/400 looks whether the user has a Special authority. If no Special authority, the next step will be to look for a Specific authority defined etc. When any authorization definition for the object is found the search will stop This mechanism is called exclusive access control and is the opposite of accumulated access control
25
Adopted security
LvR/VU MAR/2003
ADOPTED SECURITY
AS/400 security allows a user to adopt the access authorization of the owner of a program When a user is allowed to execute a program owned by another user, the authority can be adopted The user then has the same access authority to the objects as the owner of it ! d we LUDE llo DATA B23 EXC DATA B23 ta no
USE fo r BAS
User A
Via program BAS of user B: allowed User B

51
Adopted security ...
LvR/VU MAR/2003
ADOPTED SECURITY: an example

Owner user B Owner user B Public authority EXCLUDE Public authority EXCLUDE
User A has EXCLUDE for data B23 USE for program BAS
DATA B23 DATA B23 Owner user B Owner user B Public authority USE Public authority USE PROGRAM BAS: Adopting authority PROGRAM BAS: Adopting authority active active
Note: In this example, user B has access authority of ALL to the object with data B23. User A can only access it through the program BAS
26
Adopted security: another example
LvR/VU MAR/2003
ADOPTED SECURITY: another example

When a program allows adoption of the authority of the program owner, the program must be created with the command CRTPGM PROG(B2S) USRPRF(OWNER) When program adoption is active, the authority will be propagated by subsequently called programs DATA X24 DATA X24
U SE for
B2S
User A
User B
User X
53
Adopted security: another example ...
LvR/VU MAR/2003
ADOPTED SECURITY: another example User A has USE for program B2S EXCLUDE for data X24
Owner user B Owner user B PROGRAM B2S: call program X2U PROGRAM B2S: call program X2U
USE
Owner user X Owner user X PROGRAM X2U PROGRAM X2U
DATA X24 DATA X24
PROGRAM X2U has ALSO USE authority to DATA X24 Note: Adopted security is the only accumulated security within AS/400
27
Dedicated Service Tools
LvR/VU MAR/2003
DEDICATED SERVICE TOOLS

Dedicated service tools are used to solve problems occuring in the licensed internal code and to work with disk configurations. To use these tools the system must be attendedly IPLed with the key lock in position MANUAL. There are three levels of DST authorization SECURITY Used by the security officer to do all DST functions and change the DST passwords FULL To use all DST functions except DST passwords changes BASIC To use DST functions not affecting sensitive data Note: The security officer must change the DST passwords after installing the system. With the CHGDSTPWD the DST passwords can be reset
Journaling
LvR/VU MAR/2003
JOURNALING
The journal entries can be selectively retrieved from the journal receiver. Sample object definitions are available for saving the different journal entry types AS/400 AS/400 SECURITY EVENT SECURITY EVENT Journal activated Journal activated with system value with system value QAUDJRN ((JRN) QAUDJRN JRN) Journal level activated Journal level activated with system values e.g. with system values e.g. AUTFAIL PGMFAIL AUTFAIL PGMFAIL Security officer Security officer Journal receiver Journal receiver USERRECV USERRECV
28
Security definition interface
LvR/VU MAR/2003
SECURITY DEFINITION INTERFACE

Menu interface (started with GO SECURITY) Define User Profile User Profile Password Password Expired User Class Current library Initial Program Initial Menu == > command ________ ________ ________ ________ ________ ________ ________ Command interface CRTUSRPRF CHGUSRPRF DLTUSRPRF DSPUSRPRF CHGPWD DSPAUTUSR CHGPRF WRKUSRPRF Create user profile Change user profile Delete user profile Display user profile Change password Display authorized users Change profile (normal users) Work with user profile
57
ONLY FOR THE AS/400 AUDITOR
LvR/VU MAR/2003
PART X PART X ADDITIONAL INFORMATION ADDITIONAL INFORMATION ONLY FOR THE AS/400 AUDITOR ONLY FOR THE AS/400 AUDITOR
58
29
Limited users
LvR/VU MAR/2003
LIMITED USERS
Restrictions can be defined in the user profile, the so called limited capability (LMTCPB) Users can be limited to change the initial menu, initial program and current library. When a user does a sign on, the user profile definition may contain an initial menu to display or a program to execute. The signed on user can only use this menu structure or can only execute the defined program when limited capabilities = YES When a user is PARTIAL limited (also defined in the user-profile) the user may change the main menu and is allowed to issue commands from the command line
59
Library security
LvR/VU MAR/2003
LIBRARY SECURITY
To administrate the existence of the object a library is used. Libraries are also objects and to find the existence of an object the user needs at least USE access to the library to search for the objects described in it Give the public authority for the objects in the library as high as necessary and the public authority for the library EXCLUDE Authority for the library must be given to individual users
60
30
Library security ...
LvR/VU MAR/2003
LIBRARY SECURITY USER C USER B has USE

Public USE Public USE DATA DATA Public USE Public USE DATA DATA Public USE Public USE DATA DATA
LIBRARY A
Owner user A Owner user A Public authority EXCLUDE Public authority EXCLUDE OBJECT A OBJECT A OBJECT B OBJECT B OBJECT C OBJECT C etc. etc.
Physical versus logical file security
LvR/VU MAR/2003
PHYSICAL VERSUS LOGICAL FILE SECURITY

A physical file which contains the physical records can be accessed directly by the users or indirectly with a logical file definition. This logical file definition can give a different view to the physical data The following physical file object P cannot be accessed directly because the user has no access to the header information By given access to a logical file with certain view to the physical data, a user only has access to that part of the data
62
31
Physical versus logical file security ...
LvR/VU MAR/2003
PHYSICAL VERSUS LOGICAL FILE SECURITY

OBJECT L1 Public authority OBJOPR Public authority OBJOPR Data Descr. Spec. Data Descr. Spec. RECORDS RECORDS FIELDS A EN B FIELDS A EN B PHYSICAL FILE P PHYSICAL FILE P OBJECT L2 Public authority CHANGE Public authority CHANGE Data Descr. Spec. Data Descr. Spec. RECORDS RECORDS FIELDS X EN Y FIELDS X EN Y PHYSICAL FILE P PHYSICAL FILE P
FILE P Public authority NONE Public authority NONE Data Descr. Spec. Data Descr. Spec. RECORDS RECORDS FIELDS FIELDS DATA DATA
Authority holder
LvR/VU MAR/2003
AUTHORITY HOLDER
AS/400 gives the opportunity to setup an object authority before the creation of an object. This mechanisme is called an authority holder. The authority holder is a dummy object header containing all header information of an object. It will be connected to the objects data part when the data is created AUTHORITY HOLDER Public authority USE Object header created in advance
Connected when DATA is created DATA created in the future
64
32
Adopted security
LvR/VU MAR/2003
ADOPTED SECURITY: an example

Owner user B Owner user B Public authority EXCLUDE Public authority EXCLUDE
User A has EXCLUDE for data B23 USE for program BAS
DATA B23 DATA B23 Owner user B Owner user B Public authority USE Public authority USE PROGRAM BAS: Adopting authority PROGRAM BAS: Adopting authority active active
Note: In this example, user B has access authority of ALL to the object with data B23. User A can only access it through the program BAS
Adopted security: search sequence
LvR/VU MAR/2003
ADOPTED SECURITY: SEARCH SEQUENCE

The search for program A can be changed by the library sequence. When program B calls program A, program A will be found in Library B SEARCH SEARCH Library B containing program A and program B Library B containing program A and program B Library A containing program A Library A containing program A
If Library A is placed in front of Library B, program A is found in the other library which can result in the execution of a controlled program and give unpredicted results like a security breach Library A containing program A Library A containing program A Library B containing program A and program B Library B containing program A and program B
66
33
Adopted security ...
LvR/VU MAR/2003
ADOPTED SECURITY
To eliminate the possibility to use the library sequence the program call should supply the library name by using the qualified name in the CALL command CALL Lib (B)/PROGRAM(A) Program A will only be used from lib B Another way to eliminate this security problem is not to call the program, but to transfer control (TFRCTL) to program A With TFRCTL program A will not adopt the authorization of user B. This can only be done when appropriate for the program logic flow
67
Journaling
LvR/VU MAR/2003
JOURNALING
To activate journaling the security officer must create the QSYS/QAUDJRN journal and a journal receiver. The journal located in the system library, acts as an intermediary The journal receiver is the object that will hold journal entries and can be defined by the security officer using his/her own naming conventions The journal is created with the following commands CRTJRN JRN(QAUDJRN) LIB(QSYS) QAUDJRN(JRN) QAUDLVL(AUTFAIL PGMFAIL) JRNRCV(USERRECV) To set the level of journaling the system value QAUDLVL must be set. Possible values are
NONE, AUTFAIL, SAVRST, DELETE, SECURITY, CREATE, OBJMGT and PGMFAIL

34

16A AS400 Architecture and Security

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

16A AS400 Architecture and Security

Diunggah oleh

Hak Cipta:

Format Tersedia

PART 16-A AS/400 ARCHITECTURE & SECURITY

Leen van Rij

File 16-A AS400 architecture & security

Ernst & Young

AS/400 Audit Reference

Procedural and administrative controls Control Concerns Examples

AS/400 architecture & security

Trusted Computing Base (TCB - certified using US Department of Defense standards)

Object security Object security

HIGHLIGHTS FOR THE EDP AUDITOR

AS/400 architecture & security

1974 System/38 System/38 1978 1982 1987 1995

System System processor processor

Main Main storage storage

DASD BCU IOBU BEU

AS/400 architecture & security

Architecture AS/400 ...

AS/400 architecture & security

PHYSICAL CONNECTION PROTOCOLS

Communication protocols ...

Communication protocols ...

APPLICATION COMMUNICATION PROTOCOLS

Machine interface AS/400

MACHINE INTERFACE AS/400

Applications High-level machine

Operating System/400 (OS/400)

Machine interface AS/400 ...

MACHINE INTERFACE AS/400

Machine interface AS/400 ...

Note: Implementing functions in micro code benefits the systems performance

INTEGRATED DATABASE SYSTEM

Database system ...

INTEGRATED DATABASE SYSTEM

Integrated File System

INTEGRATED FILE SYSTEM (IFS)

AS/400: everything in one virtual address space

Single level storage ...

SINGLE LEVEL STORAGE

One virtual address space

MAIN STORAGE MAIN STORAGE DIR paging

AUXILIARY STORAGE on DASD

Single level storage ...

Program XG63 Program XG63

Data GFHJ Data GFHJ

OBJECT ORIENTED DESIGN

General object structure

FUNCTIONAL OBJECT (data)

AS/400 architecture & security

OBJECT X MEMBER A MEMBER A MEMBER B MEMBER B MEMBER C MEMBER C OBJECT Y

AS/400 architecture & security

Logical security levels

LOGICAL SECURITY LEVELS

Logical security levels ...

DESCRIPTION OF SECURITY LEVELS

Integrity checking ...

PRIVILEDGE ALLOBJ SECADM SAVSYS JOBCTL SPLCTL SERVICE AUDIT IOSYSCFG

AS/400 architecture & security

USER CLASSES ALLOBJ SERVICE SPLCTL

AS/400 architecture & security

ALLOBJ SECADM SAVSYS JOBCTL SPLCTL SERVICE IOSYSCFG

Pre-defined user profiles

PRE-DEFINED USER PROFILES

USER PROFILE (is an object)