October 13, 2011 - Vol 1, Issue 1
Hidden Configuration Options for IBM i Security and Systems Management
Customize access to sensitive functions and system operations
IBM hasn't tried to keep these treasures hidden, but, as far as I know, IBM hasn't gone out of its way to educate us about them either. These "hidden" configuration options let you customize access to several security-, system-, and network-related functions through a simple CL command interface or through Navigator for i (Navigator, for short).
The CL commands Work with Function Usage (WRKFCNUSG), Change Function Usage (CHGFCNUSG), and Display Function Usage (DSPFCNUSG), are the command interfaces to these "hidden" configuration options. Navigator provides access to these configuration options through a little-known application I discuss shortly.
What Is "Function Usage"?
Sensitive Control Language commands and system operations are typically restricted to a select group of users through a combination of object authorities (i.e., are you authorized to use the command?) and special authorities (i.e., do you have the special authorities—e.g., *SECADM, *JOBCTL—required to run this command or function?).
Function Usage is an additional hidden layer placed on certain sensitive operations. For example, to create a user profile, a user needs to be authorized to use the command Create User Profile (CRTUSRPRF), and then the CRTUSRPRF command checks whether the user running the command has Security Administrator (*SECADM) special authority. If so, the profile can be created. In this case, no additional hidden Function Usage configuration options are involved.
When a user wants to examine the active joblog of an *ALLOBJ user (e.g., QSECOFR), however, the user must be authorized to the DSPJOBLOG command, must have Job Control (*JOBCTL) special authority, and must have *ALLOBJ authority. Those are the system's default rules. But by changing the hidden configuration options of Function Usage, you can override the rules to let anyone with *JOBCTL special authority view the active joblog of the *ALLOBJ user.
Because these configuration options are hidden in Function Usage, most of us concede to giving the operations staff *ALLOBJ authority. There seems to be no other way of allowing them to view the active joblog of an *ALLOBJ user when the job has failed. They must be able to troubleshoot the problem by viewing the active joblog. But we can change the rules by changing the Function Usage.
Work with Function Usage
IBM maintains a registry of functions that provide hidden configuration options via Function Usage. One of the functions, as we've discussed, is the configuration of which users can view the active joblog of an *ALLOBJ user. The registered name of that function is QIBM_ACCESS_ALLOBJ_JOBLOG.
To access the settings for these registered functions, IBM has provided the CL commands Work with Function Usage (WRKFCNUSG), Change Function Usage (CHGFCNUSG), and Display Function Usage (DSPFCNUSG). shows the resultant screen when the command WRKFCNUSG FCNID(*ALL) is used.
To learn more about the CHGFCNUSG command, see the reference at the IBM i Information Center: http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/cl/chgfcnusg.htm
Which Functions Have Special Hidden Function Usage Configuration Options?
shows a list, by category, of those functions for which you can provide customized access by manipulating the Function Usage values. As shows, you can configure controls for several functions, including:
· Who can access the active joblog of an *ALLOBJ user?
· Who can run a communications (service) trace?
· Who can watch any job?
· Who can send files by using the IBM i OS FTP client?
· Who can download a file by using the FTP server?
· Who can run the RMTCMD.exe from his or her PC to this system?
Application Administration: GUI Version of WRKFCNUSG
provides access to the Application Administration tool. This tool is, in effect, the GUI interface to the WRKFCNUSG facility—a much friendlier interface, I might add. To access this tool, in Navigator, right-click your system name or IP address and select Application Administration, the Application Administration main window with the Host Applications tab selected. The list of functions is the same as those in the WRKFCNUSG display, but in GUI form. You then click the name of the function you want to customize. The Customize button becomes active. Click the Customize button. shows how you can select the users and customization options for the Access job log of *ALLOBJ job function. Again, here we see that Group_ops can display the job log of *ALLOBJ users. When your customizations are complete, click OK.
the service trace function with the group Group_sec set as allowed to run service traces, such as Start Communications Trace (STRCMNTRC). The communication trace facility needs to be tightly controlled because it can easily be used to harvest user IDs and passwords in a non-SSL Telnet environment or non-SSL FTP environment. When SSL isn't used for these applications, user IDs and passwords are sent in clear text and can be easily captured by running a communications trace on your TCP/IP
shows customization for downloading files to your PC via FTP. In this figure, you can see that we're letting only the groups Group_ops and Group_sec use the FTP server to download files (send files, from the server's perspective, as shown in the figure). To accomplish that configuration, we clear the Default access check box and the Users with all object system privilege check box. Clearing the check box for users with all object privilege specifies that not even QSECOFR or any other *ALLOBJ user can use FTP to download files, unless they're in one of the allowed groups. Again, there's no audit trail of FTP access unless you have a network exit point program that provides for this logging.
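The same two customizations (Group_ops viewing *ALLOBJ joblogs, and FTP-server downloads limited to Group_ops and Group_sec) expressed through the CL commands rather than the GUI. This is an added example, not from the article; the group profile names GROUP_OPS and GROUP_SEC are the article's, QIBM_ACCESS_ALLOBJ_JOBLOG is the function ID the article names, and <FTP_SERVER_SEND_FCNID> is a placeholder for the FTP server "send file" function ID, which you read from the WRKFCNUSG FCNID(*ALL) list on your own system.

```cl
/* Let the operations group view the active joblog of an *ALLOBJ user.       */
/* DSPJOBLOG still requires *JOBCTL; Function Usage only lifts the *ALLOBJ    */
/* requirement for the users listed as *ALLOWED.                              */
CHGFCNUSG FCNID(QIBM_ACCESS_ALLOBJ_JOBLOG) USER(GROUP_OPS) USAGE(*ALLOWED)

/* Restrict FTP-server downloads to two groups, matching the GUI settings:    */
/*   DFTUSG(*DENIED)      = "Default access" check box cleared               */
/*   ALLOBJAUT(*NOTUSED)  = "Users with all object system privilege" cleared */
/* so QSECOFR or any other *ALLOBJ profile is refused unless listed here.     */
/* <FTP_SERVER_SEND_FCNID> is a placeholder: take the real ID from WRKFCNUSG. */
CHGFCNUSG FCNID(<FTP_SERVER_SEND_FCNID>) USER(GROUP_OPS) USAGE(*ALLOWED) +
          DFTUSG(*DENIED) ALLOBJAUT(*NOTUSED)
CHGFCNUSG FCNID(<FTP_SERVER_SEND_FCNID>) USER(GROUP_SEC) USAGE(*ALLOWED)

/* Verify the result and print it, so the help desk has a record of the      */
/* "hidden" rules when a user asks why a download or DSPJOBLOG was refused.   */
DSPFCNUSG FCNID(QIBM_ACCESS_ALLOBJ_JOBLOG)
DSPFCNUSG FCNID(<FTP_SERVER_SEND_FCNID>) OUTPUT(*PRINT)
```

Running CHGFCNUSG itself requires *SECADM special authority, so keep the profiles that can change these rules as limited as the rules they set.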
Document and Communicate the "Hidden" Configuration Options
When you customize access to functions by using these tools, remember that the configuration options are hidden from most users. Who, besides you, knows what rules have been set up in Application Administration or through the WRKFCNUSG command?
When users are restricted from functions, and they don't know why they've been rejected, there has to be a method in place for your system administrators and the help desk to know why users are being rejected. Is it one of your hidden configuration options? Make sure that you document and communicate these configurations as appropriate and that the staff knows you're using Application Administration and Function Usage configurations.
the president and security specialist for the . Dan performs IBM i security assessments and provides customized security services for his customers. He also provides training in all aspects of IBM i security and other technical areas through his training