SecureMyi.com Security and Systems Management Newsletter for the IBM i November 12, 2014 - Vol 4, Issue 19
Create User Profile - Forcing Policy on IBM i.
By Dan Riehl
When creating User Profiles on the IBM i, whether through a Control Language command like Create User Profile (CRTUSRPRF) or through the IBM i Navigator for Windows interface, you have the option to include your own customized processing when the profile is created. Through this customised processing, you can help enforce your security policy regarding the creation of User Profiles.
In the October 22, 2014 issue of the SecureMyi Security Newsletter, I presented an article on how a simple flaw in the creation of a User Profile could render the profile as vulnerable to being "hyjacked". The article presented here will provide you with a tool that will allow you to enforce strict policy on the creation of User Profiles so that newly created profiles will not be subject to that User Profile simple flaw.
IBM has established and documented an "Exit Point" for the Create User Profile operation. An exit point is a place in the process in which you can include your own custom logic (i.e. an exit program) to perform additional tasks. In this article we will examine adding your own logic to the Create User Profile process.
There are two operations that must be performed when implementing any exit program. The first is to create the exit program, the second is to register your exit program with the operating system, which "turns ON" your custom logic. We'll discuss how to perform both of these steps.
The Exit Program
The exit program can be written in just about any language: CLP, CLLE, CLE, RPG, RPGLE, CBL, etc. It can be an ILE(Integrated Language Environment) program or an OPM(Original Program Model) program.
In this sensitive task of adding logic to the Create User Profile operation, you'll want to make sure that the exit program is secured against potential abuse. Only give *USE authority to those users that create your user profiles, *PUBLIC authority should be set to *EXCLUDE.
The exit program runs within the same job as the Create User Profile function. So the current user of the job that is creating a new user profile will also be the user running the exit program. and so must have authority to the program.
When Using Adopted Authority to Create User Profiles
Some organizations do not assign powerful special authorities to the users that create and maintain User Profiles. Instead, they use an adopted authority scheme which allows the users to temporarily assume the authority of a more powerful user through an operating system feature called Program Adoption of Authority.
One important technical issue about your Create User Profile exit program is that if the job that is creating the new user profile is running under adopted authority, that adopted authority is NOT passed to the exit program.
So, if your Create User Profile exit program is going to perform sensitive operations,(e.g., change the new user's password, change the owner of the profile, registering the user in the distribution directory), the exit program itself must adopt the authority of a powerful "Security Officer" type user profile. To accomplish this, change the owner (CHGOBJOWN) of the exit program to QSECOFR(or other powerful user) and specify the USRPRF(*OWNER) parameter on the CRT**PGM command that is used to create the exit program. These actions will cause your exit program to temporarily adopt the authority of the powerful user profile, supplying the ability to perform actions that would otherwise be restricted.
(Note: If your users that create user profiles have powerful "Security Officer" type user profiles, you do not to be concerned about the adopted authority issues presented here. This is only for cases in which adopted authority is being used to provide access to the Create User Profile function.)
What Will You Do in Your Exit Program?
The Create User Profile exit program is called whenever anyone creates a new User Profile. The exit program receives one lump of data, as a parameter, which contains a few different pieces of information, including the name of the user profile that has just been created (the most important part).
If the user that is creating the users profile is a powerful user, or if the exit program adopts the authority of QSECOFR, or a similar powerful user profile, there are really no limits on the actions that can be performed in the exit program. It is only limited by what the current user or the adopted user is allowed to do.
Here are some examples of some useful functions that can be performed in the Create User Profile exit program:
Example Exit Program: Change User Profile Owner
Over the years I have advocated that all user profiles that we create should be owned by QSECOFR, Should be set to *PUBLIC AUT(*EXLUDE) and that NO User should have private authorities to other users' User profiles.
Again, I point you to the October 22, 2014 issue of the SecureMyi Security Newsletter, that explains the vulnerabilities when your user profiles are not secured correctly and not owned in accordance to best security practices for IBM i.
Presented here is a simple Control Language program that can be used as an exit program that will enforce the policy that all newly created user profiles will be owned by QSECOFR.
The exit program receives an input parameter and from that input value extracts the name of the newly created user profile. It then sets the ownership of that new user profile to QSECOFR, and revokes the current owner's authority. If the program is being run by QSECOFR, it does not change the ownership.
Error handling code makes up the bulk of the exit program code. But as a safety mechanism, IBM has implemented their own safety features, so that if an error occurs in your exit program, it does not affect the original user profile creation. The only thing affected is that the desired end result of your exit program may not be realized.
The Exit Program: All New Profiles are Owned by QSECOFR
/* Program name..... CRTPRFEXIT */ /* You may freely use this code as long as the Copyright */ /* and Authorship information is retained in this source member */ /* No warranty of any kind is expressed or implied. */ /* Copyright 2011-2014 - IT Security and Compliance Group */ /* Author….. Dan Riehl www.SecureMyi.com */ /* If the program will be used by a user that does not have */ /* *SECADM and *ALLOBJ special authority, this */ /* Exit program must Adopt QSECOFR USRPRF(*Owner) */ /* AUT(*EXCLUDE), AUT(*USE) for GROUP that Creates Profiles */ /* This program will set the owner of newly created */ /* User profiles to QSECOFR. */ /* The IBM Registered Exit point is QIBM_QSY_CRT_PROFILE */ /* CL Command to add the exit program to the exit point */ /* ADDEXITPGM EXITPNT(QIBM_QSY_CRT_PROFILE) + */ /* FORMAT(CRTP0100) PGMNBR(*HIGH) + */ /* PGM(Library-name/CRTPRFEXIT) TEXT('Change the + */ /* owner of new profiles to QSECOFR') */ PGM PARM(&Exit_Info) DCLPRCOPT USRPRF(*OWNER) AUT(*EXCLUDE) DCL &Exit_info *CHAR 38 DCL &user *CHAR 10 DCL &curuser *CHAR 10 /* Message handling variables */ DCL &msgid *CHAR 7 DCL &msgf *CHAR 10 DCL &msgflib *CHAR 10 DCL &msgdta *CHAR 100 MONMSG MSGID(CPF0000) EXEC(GOTO ERROR) RTVJOBA CURUSER(&CURUSER) IF COND(&CURUSER = 'QSECOFR') THEN(GOTO + CMDLBL(ENDIT)) CHGVAR VAR(&USER) VALUE(%SST(&EXIT_INFO 29 10)) CHGOBJOWN OBJ(&USER) OBJTYPE(*USRPRF) NEWOWN(QSECOFR) Endit: RETURN /* Normal end of program */ ERROR: RCVMSG MSGTYPE(*LAST) MSGDTA(&msgdta) MSGID(&msgid) + MSGF(&msgf) SNDMSGFLIB(&msgflib) MONMSG CPF0000 /* Just in case */ SNDPGMMSG MSGID(&msgid) MSGF(&msgflib/&msgf) + MSGDTA(&msgdta) MSGTYPE(*ESCAPE) MONMSG CPF0000 /* Just in case */ ENDPGM
About the Code
The DCLPRCOPT CL command is relatively new. Detail on its use can be found here at the IBM InfoCenter.
DCLPRCOPT allows you to specify, among other things, compiler options that will override the options entered on the CRTCLPGM or CRTBNDCL. In this example, I force the program options of USRPRF(*OWNER) and AUT(*EXCLUDE) to make the program adopt authority and to set *PUBLIC authority to *EXCLUDE.
Registering the Exit Program
In order to make your exit program active, you add the program to the exit point registry using the command Work with Registration Information (WRKREGINF), or you can use the Add Exit Program (ADDEXITPGM) command, as shown here:
ADDEXITPGM EXITPNT(QIBM_QSY_CRT_PROFILE) + FORMAT(CRTP0100) PGMNBR(*HIGH) + PGM(Library-name/CRTPRFEXIT) TEXT('Change the + owner of new profiles to QSECOFR')
You can very easily implement this simple exit program. Possibly you may only want the exit program to send you a message when a new User Profile is created. You can perhaps try that first to get comfortable with the exit program concept. You may then continue to add levels of complexity and usefulness to your exit program.
As with all new code, test it thoroughly before implementing it in production.While it's quite easy to just copy and paste the code, you can download a text file containing the source code here.
Additional Related References
About the Author
Dan performs IBM i security assessments and provides security consulting, remediation, forensic evaluations, and other customized security services for his clients. He also provides training in all aspects of IBM i security and other technical areas through The 400 School, Inc.