PowerTech Blocks IBM i Commands with New Tool

July 26, 2011 Alex Woodie

IBM i administrators can prevent users from executing certain commands with the new Command Security tool unveiled by PowerTech this month. Command Security features a rule-based control mechanism that can block commands for certain users and circumstances, or even modify the command before execution. It also features an audit trail that ensures attempts to use specific commands won’t go unnoticed.

While the text-based command line is viewed by Windows and Web aficionados as a vestigial backwater overlooked by computer evolution, devotees of the IBM i server understand how powerful and useful the command line can be. Instead of fooling around with a mouse and multiple graphical menus crowding the screen, the clean, green interface of a 5250 session gives the experienced operator incredible freedom to execute an untold number of complex system tasks with a few quick strikes of the keyboard.

Unfortunately, great power requires great responsibility. In the right hands, the command line can provide an operator with a speed advantage over his GUI-loving colleagues. But it can also magnify the inexperience of a careless operator, and lead to harm of the system and application environment. This is why most regular employees are not given access to command lines.

For example, accidentally typing PWRDWNSYS into the command line and pressing enter will cause the Power Systems server to, well, power down. The CHGSYSVAL command can similarly lead to unintended consequences. These are the types of commands that users may wish to block first using Command Security, says PowerTech director of security technologies Robin Tatum.

Command Security provides several levels of protection against potentially harmful commands. Administrators can choose to simply monitor and be notified of the usage of commands by one or more operators, authorized users, or even third-party applications. It can also be used to completely block the execution of certain IBM system or third-party application commands.

Command Security can also be configured to allow commands to be executed in certain circumstances (maybe allowing PWRDWNSYS to be used after the end of the work day). It can even modify the parameters of certain commands before they are executed, which could be handy for meeting company requirements. And it keeps a history of all command usage in a secure journal, which can be important for reporting and regulatory compliance purposes.

“Not all commands have the potential for misuse,” Tatam says in a press release. “Command Security gives users the flexibility to control just the commands and situations that could compromise system data or security. Plus, it works with almost any IBM i command and can control commands in third-party applications.”

The new offering becomes the sixth offering in PowerTech’s product suite, and the second new product added this year. Last month, the company’s corporate parent, Help/Systems, bought PowerTech an early Christmas present: the powerful database change monitoring tool DataThread, from Innovatum. Other products include Network Security, which protects exit points; Compliance Monitor, which provides security auditing and reporting; Authority Broker, which controls the use of powerful IBM i user profiles; and Interact, which communicates real-time IBM i security events to third-party security information and event management (SIEM) products.

Command Security works with i5/OS V5R4 and IBM i 6.1 and 7.1. Pricing was not disclosed. For more information see www.powertech.com.