SecureMyi.com Security and Systems Management Newsletter for the IBM i February 12, 2014 - Vol 4, Issue 2
Checkup - CL Command Security Vulnerabilities
By Carsten Flensburg
The IBM i Operating System includes several hundred Control Language(CL) commands, many of which provide access to critical and sensitive system and security functions. IBM puts a lot of effort into restricting access to these commands by setting public authority adequately and, if necessary, requires additional user profile special authority in order to successfully execute sensitive commands.
The commandís public or private authority could however for some reason be changed at a later point and so could the commandís Allow limited user attribute, which normally excludes end-users from running most CL commands. Add to this the number of user created commands and 3rd party vendor supplied commands that exist on most systems and youíre looking at quite a challenge in order to manage, monitor and audit access to the CL commands.
Are the CL Commands Created by IBM?
We often assume that all commands in the main operating system library QSYS were supplied to us by IBM. But, how can you be sure? User created commands possibly masquerading as legitimate IBM supplied commands may be implementing malware on your system. WRKCMDSEC can help you detect commands that were not created by IBM.
And the Validity Checking Program(VCP)?
Another area of Security/Audit concern is that a Validity Checking Program(VCP) may have been added to an IBM or Vendor supplied command. This method is used by some to enforce additional command rules or to add some additional logic to a CL command when it is used. A Validity Checking Program may also be used as an insertion point for potential malware.
The WRKCMDSEC command can help you determine if a command has a Validity Checking Program.
Commands for Limited Users
Each CL command(*CMD) definition contains an attribute named ALWLMTUSR(Allow Limited User) that determines if the command can be run at a command line by users that have been created as Limited Capabilities Users (i.e. LMTCPB(*YES)).
IBM ships certain non-intrusive commands like DSPMSG(Display Message) and DSPJOBLOG(Display Job log) as ALWLMTUSR(*YES), thereby allowing Limited Capabilities users to run these commands at a command line. But, for protection, IBM ships almost all CL commands with the setting ALWLMTUSR(*NO), in which Limited Capabilities Users cannot run the commands at a command line.
CL Commands like DLTLIB(Delete Library) and DLTF(Delete File) would be very dangerous in the hands of an end-user, but thankfully these are two of the commands that are shipped from IBM with the attribute ALWLMTUSR(*NO). For more information on the Misconceptions on User Limited Capabilities and Command Line access, see Dan Riehl's article in the July 10, 2012 issue of the SecureMyi Newsletter.
When it comes to a command's Allow Limited User attribute, there are occasions when a software vendor will ship you commands that allow limited users to use those commands. I have also seen occasions when a system administrator has changed the attribute on certain IBM and other vendor supplied commands to enable otherwise restricted users to run these commands at a command line. These commands may cause vulnerabilities when you rely upon a user's command line restriction to prevent them from running CL commands at a command line. Commands that are specified as ALWLMTUSR(*YES) CAN be run by a user that is command line restricted.
The only way to view the ALWLMTCPB attribute of a CL command is to use the command DSPCMD. The command only allows you to view one command at a time. So, DSPCMD it is an unworkable solution when you need to determine which commands on your system allow Limited Capabilities Users to run the command from a command line.
WRKCMDSEC to the Rescue!
The Work with Command Security (WRKCMDSEC) command, allows you to locate and list CL commands of particular interest based on an array of security related selection criteria, including *PUBLIC authority and ALWLMTUSR(allow limited user) setting, as well as the presence of a validity checking program, the command call state, proxy command status, command creator domain and even the command change date.
The resulting CL command list can be either displayed in a work with-panel or produce a printed list or placed into an output file.
Hereís the command prompt for WRKCMDSEC :
Work with Command Security (WRKCMDSEC) Type choices, press Enter. Command . . . . . . . . . . . . *ALL Name, generic*, *ALL Library . . . . . . . . . . . *LIBL Name, *LIBL, *CURLIB... Select: Allow limited user . . . . . . *ALL *ALL, *YES, *NO Proxy command . . . . . . . . *ALL *ALL, *YES, *NO Validity check program . . . . *ALL *ALL, *YES, *NO Command created by . . . . . . *ALL *ALL, *IBM, *USER Command state . . . . . . . . *ALL *ALL, *SYSTEM, *USER Public authority . . . . . . . *ANY *ANY, *NONEXCL, *EXCLUDE... Earliest change date . . . . . *ANY Date, *ANY Sort order . . . . . . . . . . . *CMD *CMD, *LIB Output . . . . . . . . . . . . . * *, *PRINT, *OUTFILE
You specify a subset of commands or all commands in the specified library or *ALLUSR, *USRLIBL and *ALL. Specifying *ALL will search all of the libraries on the system. You can also set the selection criteria to further narrow the resulting command list. You also define whether the list should be presented in command or library order and specify one of the three output options; display, printed list or output file. Hereís an example of what the display option presents:
Work with Command Security SECUREMYI 01-08-14 17:24:29 List order . . . : *CMD Position to . . . Type options, press Enter. 2=Change 4=Delete 5=Display 6=Display program 7=Work with command 8=Work with object 9=Edit object authority 10=Change object auditing Created Public Limited Opt Command Library By Owner Authority User Proxy __ ADDACC QSYS *IBM QSYS *EXCLUDE *NO *NO __ ADDAJE QSYS *IBM QSYS *USE *NO *NO __ ADDALRACNE QSYS *IBM QSYS *USE *NO *NO __ ADDALRD QSYS *IBM QSYS *USE *NO *NO __ ADDALRSLTE QSYS *IBM QSYS *USE *NO *NO __ ADDAUTLE QSYS *IBM QSYS *USE *NO *NO __ ADDBKP QSYS *IBM QSYS *USE *NO *NO __ ADDBNDDIRE QSYS *IBM QSYS *USE *NO *NO More... Parameters or command ===> ________________________________________________________________________ F3=Exit F4=Prompt F5=Refresh F9=Retrieve F10=Security Tools F11=View 2 F12=Cancel F17=Top F18=Bottom
You have four list views showing the most significant security related command information and attributes. You toggle between the different views using the function key F11. All columns and panel areas are explained in more detail using the cursor sensitive help text. Simply place your cursor to the column or area of interest and press F1=Help. The Display screen options allow you to perform a variety of object and security management functions. These include CHGCMD(Change Command), WRKCMD(Work with Command), DSPCMD(Display Command) DSPPGM(Display the Command Processing Program), EDTOBJAUT(Edit Object Authority), and CHGOBJAUD(Change Object Auditing) to select the OBJAUD value for the command.
If a command's Object Auditing(OBJAUD) value is set to *ALL, then, each time the command is used by anyone, from anywhere, an audit entry will be written to the security audit journal QAUDJRN, containing the entire command string and the related information on Who, When, How, etc. (This assumes you have QAUDJRN auditing enabled on your system.)
The WRKCMDSEC command does not include information about command change or command retrieve exit programs having been registered for the commands listed, I will present that utility in an upcoming article in the SecureMyi Security Newsletter.
Get the Source Code, and Create the Command
The following source code members are involved in creating the WRKCMDSEC command:>
CBX800 -- RPGLE -- Work with Command Security - CPP CBX800E -- RPGLE -- Work with Command Security - UIM Exit Program CBX800H -- PNLGRP -- Work with Command Security - Help CBX800P -- PNLGRP -- Work with Command Security - Panel Group CBX800V -- RPGLE -- Work with Command Security - VCP CBX800X -- CMD -- Work with Command Security CBX800M -- CLP -- Work with Command Security - Build command
To create all above objects, compile and run the program CBX800M, following the instructions in the source header. Simply run the program to create the entire utility.
Youíll also find compilation instructions in the respective source headers. For the WRKCMDSEC command processing program CBX800 to compile, you'll need to download and copy a SQLCLI_H member created by Scott Klement to a QRPGLESRC source file in your job's library list. Below I've provided a link to a zip file containing the correct version of the SQLCLI_H copy member.
About the Author
Carsten lives in Copenhagen, Denmark, with his wife, Dorthe, and his two children, Julian and Emilie.