SecureMyi.com Security and Systems Management Newsletter for the IBM i                 February 12, 2014 - Vol 4, Issue 2
Checkup - CL Command Security Vulnerabilities

By Carsten Flensburg

The IBM i operating system includes several hundred Control Language (CL) commands, many of which provide access to critical and sensitive system and security functions. IBM puts a lot of effort into restricting access to these commands by setting their public authority appropriately and, where necessary, requiring additional user profile special authority to run sensitive commands.

A command's public or private authority could, however, be changed at a later point for some reason, and so could the command's Allow limited user attribute, which normally excludes end users from running most CL commands. Add to this the number of user-created commands and third-party vendor-supplied commands that exist on most systems, and managing, monitoring and auditing access to CL commands becomes quite a challenge.

Are the CL Commands Created by IBM?

We often assume that all commands in the main operating system library QSYS were supplied to us by IBM. But how can you be sure? User-created commands masquerading as legitimate IBM-supplied commands could be implementing malware on your system. WRKCMDSEC can help you detect commands that were not created by IBM.

And the Validity Checking Program (VCP)?

Another area of security and audit concern is that a Validity Checking Program (VCP) may have been added to an IBM- or vendor-supplied command. Some use this method to enforce additional command rules or to add extra logic to a CL command when it is used. A Validity Checking Program may also be used as an insertion point for potential malware.

The WRKCMDSEC command can help you determine if a command has a Validity Checking Program.

Commands for Limited Users

Each CL command (*CMD) definition contains an attribute named ALWLMTUSR (Allow Limited User) that determines whether the command can be run from a command line by users created as Limited Capabilities users (i.e. LMTCPB(*YES)).

IBM ships certain non-intrusive commands, like DSPMSG (Display Message) and DSPJOBLOG (Display Job Log), as ALWLMTUSR(*YES), which allows Limited Capabilities users to run them from a command line. For protection, however, IBM ships almost all CL commands with the setting ALWLMTUSR(*NO), which prevents Limited Capabilities users from running them from a command line.

CL commands like DLTLIB (Delete Library) and DLTF (Delete File) would be very dangerous in the hands of an end user, but thankfully these are two of the commands that IBM ships with the attribute ALWLMTUSR(*NO). For more information on the misconceptions about User Limited Capabilities and command line access, see Dan Riehl's article in the July 10, 2012 issue of the SecureMyi Newsletter.

When it comes to a command's Allow Limited User attribute, there are occasions when a software vendor ships commands that allow limited users to run them. I have also seen occasions when a system administrator has changed the attribute on certain IBM- and vendor-supplied commands to enable otherwise restricted users to run these commands at a command line. These commands create vulnerabilities when you rely on a user's command line restriction to prevent them from running CL commands. Commands that are specified as ALWLMTUSR(*YES) CAN be run by a user that is command line restricted.

The only way to view the ALWLMTUSR attribute of a CL command is to use the DSPCMD command, which only lets you view one command at a time. So DSPCMD is an unworkable solution when you need to determine which commands on your system allow Limited Capabilities users to run them from a command line.
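As an added example that is not part of the CBX800 source, the CL program below does in one pass what DSPCMD cannot: it walks every *CMD object in a library and flags those with ALWLMTUSR(*YES) or a validity checking program, using a DSPOBJD *OUTFILE and the QCDRCMDI (Retrieve Command Information) API. The CMDI0100 field positions used (VCP name at 79, VCP library at 89, ALWLMTUSR flag at 124, '1' meaning *YES) are assumptions to verify against the QCDRCMDI documentation, and the program name ALWLMTCHK is a placeholder.

```cl
/* ALWLMTCHK - added example, not part of the CBX800/WRKCMDSEC source.   */
/* Lists every *CMD in &LIB that has ALWLMTUSR(*YES) or a validity check */
/* program, using DSPOBJD *OUTFILE plus the QCDRCMDI API (CMDI0100).     */
/* Assumed CMDI0100 positions (1-based): VCP name 79, VCP library 89,    */
/* ALWLMTUSR flag 124 ('1' = *YES). Verify against the API documentation.*/
             PGM        PARM(&LIB)
             DCL        VAR(&LIB)     TYPE(*CHAR) LEN(10)
             DCL        VAR(&RCVVAR)  TYPE(*CHAR) LEN(512)
             DCL        VAR(&RCVLEN)  TYPE(*INT)  VALUE(512)
             DCL        VAR(&QUALCMD) TYPE(*CHAR) LEN(20)
             /* Error code with bytes provided = 0: API sends escape msgs */
             DCL        VAR(&ERRCODE) TYPE(*CHAR) LEN(8) +
                          VALUE(X'0000000000000000')
             DCL        VAR(&VCP)     TYPE(*CHAR) LEN(10)
             DCL        VAR(&VCPLIB)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&ALWLMT)  TYPE(*CHAR) LEN(1)
             DCLF       FILE(QSYS/QADSPOBJ)
             /* Object descriptions of every command object in the library */
             DSPOBJD    OBJ(&LIB/*ALL) OBJTYPE(*CMD) OUTPUT(*OUTFILE) +
                          OUTFILE(QTEMP/CMDLIST)
             OVRDBF     FILE(QADSPOBJ) TOFILE(QTEMP/CMDLIST)
 READ:       RCVF
             MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE))
             /* QCDRCMDI takes CHAR(20): command name followed by library */
             CHGVAR     VAR(&QUALCMD) VALUE(&ODOBNM *CAT &ODLBNM)
             CALL       PGM(QCDRCMDI) PARM(&RCVVAR &RCVLEN 'CMDI0100' +
                          &QUALCMD &ERRCODE)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(READ))
             CHGVAR     VAR(&VCP)    VALUE(%SST(&RCVVAR 79 10))
             CHGVAR     VAR(&VCPLIB) VALUE(%SST(&RCVVAR 89 10))
             CHGVAR     VAR(&ALWLMT) VALUE(%SST(&RCVVAR 124 1))
             /* Limited Capabilities users can run this one from a cmd line */
             IF         COND(&ALWLMT *EQ '1') THEN(SNDPGMMSG +
                          MSG('ALWLMTUSR(*YES): ' *CAT &ODLBNM *TCAT '/' +
                          *CAT &ODOBNM) TOPGMQ(*EXT))
             /* A VCP is attached: review it, especially on IBM commands */
             IF         COND(&VCP *NE ' ') THEN(SNDPGMMSG +
                          MSG('VCP present: ' *CAT &ODLBNM *TCAT '/' +
                          *CAT &ODOBNM *TCAT ' -> ' *CAT &VCPLIB *TCAT +
                          '/' *CAT &VCP) TOPGMQ(*EXT))
             GOTO       CMDLBL(READ)
 DONE:       DLTOVR     FILE(QADSPOBJ)
             ENDPGM
```

Compile with CRTCLPGM and run as CALL ALWLMTCHK PARM(QSYS); each finding is sent as an informational message to the job's external message queue.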

WRKCMDSEC to the Rescue!

The Work with Command Security (WRKCMDSEC) command lets you locate and list CL commands of particular interest based on an array of security-related selection criteria, including *PUBLIC authority and the ALWLMTUSR (allow limited user) setting, as well as the presence of a validity checking program, the command call state, proxy command status, command creator domain and even the command change date.

The resulting CL command list can be displayed in a work-with panel, produced as a printed list, or placed into an output file.

Here's the command prompt for WRKCMDSEC:


                     Work with Command Security (WRKCMDSEC)
                                                       
 Type choices, press Enter.                           
                                                       
 Command  . . . . . . . . . . . .   *ALL          Name, generic*, *ALL 
   Library  . . . . . . . . . . .     *LIBL       Name, *LIBL, *CURLIB... 
 Select:                                                             
   Allow limited user . . . . . .   *ALL          *ALL, *YES, *NO 
   Proxy command  . . . . . . . .   *ALL          *ALL, *YES, *NO 
   Validity check program . . . .   *ALL          *ALL, *YES, *NO   
   Command created by . . . . . .   *ALL          *ALL, *IBM, *USER    
   Command state  . . . . . . . .   *ALL          *ALL, *SYSTEM, *USER  
   Public authority . . . . . . .   *ANY          *ANY, *NONEXCL, *EXCLUDE...
   Earliest change date . . . . .   *ANY          Date, *ANY  
 Sort order . . . . . . . . . . .   *CMD          *CMD, *LIB  
 Output . . . . . . . . . . . . .   *             *, *PRINT, *OUTFILE 

You specify a subset of commands or all commands in the specified library, or in *ALLUSR, *USRLIBL or *ALL. Specifying *ALL searches all of the libraries on the system. You can also set the selection criteria to narrow the resulting command list further. You also define whether the list should be presented in command or library order and specify one of the three output options: display, printed list or output file. Here's an example of what the display option presents:


                          Work with Command Security                 SECUREMYI
                                                             01-08-14  17:24:29
 List order . . . :   *CMD                Position to  . . .                   
                                                                              
 Type options, press Enter.                                               
   2=Change   4=Delete   5=Display   6=Display program   7=Work with command
   8=Work with object    9=Edit object authority   10=Change object auditing 
                                                                            
                              Created                 Public     Limited 
 Opt  Command     Library     By          Owner       Authority  User     Proxy 
 __   ADDACC      QSYS        *IBM        QSYS        *EXCLUDE    *NO     *NO 
 __   ADDAJE      QSYS        *IBM        QSYS        *USE        *NO     *NO 
 __   ADDALRACNE  QSYS        *IBM        QSYS        *USE        *NO     *NO 
 __   ADDALRD     QSYS        *IBM        QSYS        *USE        *NO     *NO   
 __   ADDALRSLTE  QSYS        *IBM        QSYS        *USE        *NO     *NO   
 __   ADDAUTLE    QSYS        *IBM        QSYS        *USE        *NO     *NO   
 __   ADDBKP      QSYS        *IBM        QSYS        *USE        *NO     *NO   
 __   ADDBNDDIRE  QSYS        *IBM        QSYS        *USE        *NO     *NO   
                                                                        More... 
 Parameters or command                                                          
 ===> ________________________________________________________________________ 
 F3=Exit      F4=Prompt    F5=Refresh   F9=Retrieve   F10=Security Tools      
 F11=View 2   F12=Cancel   F17=Top      F18=Bottom                     

You have four list views showing the most significant security-related command information and attributes; you toggle between them with the F11 function key. All columns and panel areas are explained in more detail in the cursor-sensitive help text: simply place your cursor on the column or area of interest and press F1=Help. The display screen options let you perform a variety of object and security management functions. These include CHGCMD (Change Command), WRKCMD (Work with Command), DSPCMD (Display Command), DSPPGM (Display the Command Processing Program), EDTOBJAUT (Edit Object Authority) and CHGOBJAUD (Change Object Auditing) to select the OBJAUD value for the command.

If a command's Object Auditing (OBJAUD) value is set to *ALL, then each time the command is used by anyone, from anywhere, an audit entry containing the entire command string and the related information on who, when, how, etc. is written to the security audit journal QAUDJRN. (This assumes you have QAUDJRN auditing enabled on your system.)

The WRKCMDSEC command does not include information about command change or command retrieve exit programs registered for the commands listed. I will present that utility in an upcoming article in the SecureMyi Security Newsletter.

Get the Source Code, and Create the Command

The following source code members are involved in creating the WRKCMDSEC command:

CBX800  -- RPGLE  -- Work with Command Security - CPP 
CBX800E -- RPGLE  -- Work with Command Security - UIM Exit Program  
CBX800H -- PNLGRP -- Work with Command Security - Help 
CBX800P -- PNLGRP -- Work with Command Security - Panel Group
CBX800V -- RPGLE  -- Work with Command Security - VCP 
CBX800X -- CMD    -- Work with Command Security  

CBX800M -- CLP    -- Work with Command Security - Build command 

To create all of the above objects, compile and run the program CBX800M, following the instructions in the source header. Simply run the program to create the entire utility.

Download a zip file containing all of the source code.



You'll also find compilation instructions in the respective source headers. For the WRKCMDSEC command processing program CBX800 to compile, you'll need to download a SQLCLI_H copy member created by Scott Klement and copy it to a QRPGLESRC source file in your job's library list. Below I've provided a link to a zip file containing the correct version of the SQLCLI_H copy member.



Download the SQLCLI_H copy member



About the Author

Carsten Flensburg

Carsten is the author of the column "Carsten's Security Code for IBM i" that appears regularly in the SecureMyi Security Newsletter.

He has also been a long time technical editor and author for iProDeveloper. He is an IBM i application development manager for Novasol, the European vacation rental company of Wyndham Worldwide Corporation.

Carsten lives in Copenhagen, Denmark, with his wife, Dorthe, and his two children, Julian and Emilie.

© Copyright 2014 - IT Security and Compliance Group