• V5R2 Security System Value Lock

    April 14, 2004 Hey, Wayne

    Editor’s Note: Security questions for the Four Hundred Guru are now being answered by Wayne O. Evans, one of the top OS/400 security experts in the world. Wayne designed security features on the AS/400 and S/38 during his 27 years at IBM and is a well-known and highly respected consultant, author, educator, and speaker. His security tips will become a regular item in Guru newsletters.

    The security reference manual for OS/400 V5R2 says, “New for V5R2, you can restrict users from changing several security-related system values. These restrictions can prevent even a user with *SECADM and *ALLOBJ authority from changing these system values with the CHGSYSVAL command.” Why are users with *SECADM and *ALLOBJ authority prevented from changing security-related system values with the CHGSYSVAL command?

    What is the risk if users change any security system value with CHGSYSVAL? If I use this feature, what’s the proper way to change security system values?

    –John

    Some computer systems go through a major system configuration, often called sysgen (system generation), in which the system administrator determines what features should be installed in the operating system. This often involves compiling and linking programs. On large IBM mainframes, this is often a major process that takes two to four hours and has to be done each time a new release is installed. The programs are added and removed from the operating system to create the “system image,” a collection of programs that represent the features the administrator wants to use, such as which database management system or which security product. The sysgen can be a very lengthy process because the individual components often come from different vendors. In fact, the installation needs to “purchase” the individual pieces (like database, security product, communications software). There are many combinations possible, and not every combination can be tested to be sure that the software is compatible (uses the same interfaces and provides equivalent function).

    Contrast this with OS/400. One vendor, IBM, provides the OS/400 operating system. (That is why OS/400 is said to be a closed system.) System administrators do not need to go through a lengthy sysgen process to add and remove programs. The programs are always there in OS/400. If the programs are the same in all OS/400 installations at the same release level, then how do system managers configure OS/400 to run for their company?

    You probably guessed the answer already. System managers customize the version of OS/400 for their organization by setting system values. With this understanding you can get a better appreciation for the importance of system values. System values represent how the system is configured for the installation.

    Let’s focus on just one system value: QSECURITY. Changing this system value has a dramatic impact on the way OS/400 secures a system.

    SECURITY LAYERS

    Multiple protection layers often describe good security. The protection layers for the change of system values are:

    1. Authorized user on the system.

    2. Authorized to CHGSYSVAL command.

    3. *ALLOBJ and *SECADM special authority.

    4. Service Lock = *YES. (new in V5R2)

    5. Change system value.

    The user must be able to sign on and be authorized to the CHGSYSVAL command. For the security system values, the user must also have *ALLOBJ and *SECADM special authority. With V5R2, there is the additional protection that the service lock must be *YES. Then, and only then, can the system value be changed.

    There is actually another layer that I did not show. The value must be one of those allowed for the system value.

    The change to the service lock would have a similar protection diagram, which I will leave as an exercise for you readers.

    V5R2 ADDS PROTECTION

    A user with Security Administrator (*SECADM) and All Object (*ALLOBJ) special authorities can alter security system values. Because setting the system values can have such a major impact, system administrators do not want to trust just any user with *ALLOBJ and *SECADM special authority. There are often too many of these users on the system.

    In V5R2, IBM gave system administrators an option to require something extra to change security system values. This sounds like a system configuration option or system value. But IBM was not stupid, so rather than create a system value to control other system values, it made a DST option.

    The answer to your final question, how to change system values, is just like before: use the CHGSYSVAL command. However I hope that after you get security set correctly, you take advantage of the new V5R2 support to lock security-related system values.

    The following information from IBM’s manuals on systems management and security (in PDF format) is included here so you have a complete understanding of this support.

    LOCK AND UNLOCK SECURITY-RELATED SYSTEM VALUES

    System service tools (SST) and dedicated service tools (DST) provide an option that allows you to prevent changes to a variety of security related system values. When the “allow change of security related system values” service tools option is set to no, the system values can’t be changed using the Change System Value (CHGSYSVAL) command (or any other user interface). Setting this option to no is useful if, for example, you have settings for security level (QSECURITY). Selecting no for this option ensures that applications can’t change these system value settings.

    HOW TO LOCK THE LOCK

    You must have a service tool profile and password to lock or unlock the security-related system values. This ensures that not just every user with *ALLOBJ and *SECADM can change the lock. To lock or unlock security-related system values with the Start System Service Tools (STRSST) command, follow these steps:

    1. Open a character-based interface.

    2. On the command line, type STRSST.

    3. Type your user name and password.

    4. Select option 7 (“work with system security”).

    5. Type 1 to unlock security-related system values, or 2 to lock security-related system values in “allow security system value changes.”

    SYSTEM VALUES LOCKED BY V5R2 FUNCTION

    The following table identifies the system values that are affected by this option.

    Lockable system values:

    Activate action auditing QAUDLVL
    Activate object auditing QAUDCTL
    Audit journal error action QAUDENACN
    Default auditing for newly created objects QCRTOBJAUD
    Maximum number of journal entries in auxiliary storage QAUDFRCLVL
    Local controllers and devices QAUTOCFG
    Pass-through devices and Telnet QAUTOVRT
    Action to take when a device error occurs QDEVRCYACN
    Remote controllers and devices QAUTORMT
    Time-out interval QDSCJOBITV
    When job reaches time-out QINACTMSGQ
    Password expiration QPWDEXPITV
    Restrict consecutive digits QPWDLMTAJC
    Restricted characters QPWDLMTCHR
    Restrict repeating characters QPWDLMTREP
    Password level QPWDLVL
    Maximum password length QPWDMAXLEN
    Minimum password length QPWDMINLEN
    Require a new character in each position QPWDPOSDIF
    Require at least one digit QPWDRQDDGT
    Password reuse cycle QPWDRQDDIF
    Password validation program QPWDVLDPGM
    Allow remote service of system QRMTSRVATR
    Verify object signatures on restore QVFYOBJRST
    Convert objects during restore QFRCCVNRST
    Allow restore of security sensitive objects QALWOBJRST
    Security level QSECURITY
    Allow server security information to be retained QRETSVRSEC
    Users who can work with programs with adopted authority QUSEADPAUT
    Default authority for newly created objects in QSYS.LIB file system QCRTAUT
    Allow use of shared or mapped memory with write capability QSHRMEMCTL
    Allow these objects in . . . QALWUSRDMN
    Use pass-through or Telnet for remote sign-on QRMTSIGN
    Display sign-on information QDSPSGNINF
    Restrict privileged users to specific device session QLMTSECOFR
    Limit each user to one device session QLMTDEVSSN
    Incorrect sign-on attempts QMAXSIGN
    When maximum is reached QMAXSGNACN

    –Wayne O. Evans

    Security articles authored by Wayne O. Evans can be found on his Web site, www.woevans.com. E-mail: woevans@aol.com

    Tags:

    Sponsored by
    WorksRight Software

    Do you need area code information?
    Do you need ZIP Code information?
    Do you need ZIP+4 information?
    Do you need city name information?
    Do you need county information?
    Do you need a nearest dealer locator system?

    We can HELP! We have affordable AS/400 software and data to do all of the above. Whether you need a simple city name retrieval system or a sophisticated CASS postal coding system, we have it for you!

    The ZIP/CITY system is based on 5-digit ZIP Codes. You can retrieve city names, state names, county names, area codes, time zones, latitude, longitude, and more just by knowing the ZIP Code. We supply information on all the latest area code changes. A nearest dealer locator function is also included. ZIP/CITY includes software, data, monthly updates, and unlimited support. The cost is $495 per year.

    PER/ZIP4 is a sophisticated CASS certified postal coding system for assigning ZIP Codes, ZIP+4, carrier route, and delivery point codes. PER/ZIP4 also provides county names and FIPS codes. PER/ZIP4 can be used interactively, in batch, and with callable programs. PER/ZIP4 includes software, data, monthly updates, and unlimited support. The cost is $3,900 for the first year, and $1,950 for renewal.

    Just call us and we’ll arrange for 30 days FREE use of either ZIP/CITY or PER/ZIP4.

    WorksRight Software, Inc.
    Phone: 601-856-8337
    Fax: 601-856-9432
    Email: software@worksright.com
    Website: www.worksright.com

    Leave a Reply

Content archive