kpmg IRM
31 March 2003
LvR/VU
CONTENTS
• History
• Architecture
• Application and Operating System/400
(AS/400 and OS/400)
• Physical security levels
• Logical security levels
• Object management
• Security implementation
• Special security feature
• Auditing
• (Part X. Only for the AS/400 auditor)
Note
AS/400 = hardware
OS/400 = operating system
AS/400 architecture & security 2
OPTIONAL LITERATURE
• IBM “AS/400 System Concepts”
• Ernst & Young “Technical reference series: Audit, Control and Security of
the IBM AS/400” (1994) (description, control objectives, audit questions)
Security topology
[Figure: security topology layers from the end user inwards: End user, Network security, Security in system/service (‘Frontdoor’ security), Security in application]
Measures depend upon the security objectives and the enterprise’s security strategy
Access path within AS/400 (MEY model)
[Figure: access path from user to data: User -> User profile security -> OS/400 object security -> Initial menu / Command processors -> Application software / Tools & utilities -> OS/400 database management functions -> DATA]
Highlights
3. Special Authorizations
6. Journaling
History of AS/400
• System/34 (1974)
• System/38 (1978): database included in the OS
• System/36 (1982)
• AS/400 (1987)
• AS/400-Y10, PowerPC AS/400 (1995)
Architecture AS/400
[Figure: system processor and main storage connected through Bus Control Units (BCU) to I/O Bus Units (IOBU) and Bus Extension Units (BEU), which attach display, communication, printer and DASD devices]
DASD = Direct Access Storage Device (disks)
BCU = Bus Control Unit
IOBU = I/O Bus Unit (Communication Controller)
BEU = Bus Extension Unit
ARCHITECTURE
• Until 1995, the system processor was designed with the System/370 architecture, which is also used in mainframes with the S/390 architecture
• The system processor had a 32-bit data path and a 48-bit addressing structure, able to address 281 terabytes (2^48 bytes)
Communication protocols
NETWORK PROTOCOLS
To manage network access, AS/400 supports the most common network protocols.
Machine interface AS/400
[Figure: layering of the AS/400: Compilers, Utilities and Applications on top of the high-level machine, Operating System/400 (OS/400), Hardware]
The three machine layers, called the high-level machine, also provide many functions normally implemented in the operating system
[Figure: a traditional operating system (task management, resource management, storage management, database management, security management, etc.) running on traditional hardware, compared with OS/400 running on the AS/400 hardware machine interface, which itself provides task management, resource management, storage management, data access, database management, security management, etc.]
Database system
Integrated File System
To extend the use of the AS/400 system, file server architectures from different vendors can be handled by the integrated file system. The integrated file system supports a set of industry-standard APIs to the stream file system and the hierarchical directory. The file access protocols supported by AS/400 are:
Single level storage
[Figure: architecture difference: a traditional mainframe (OS/390) with an address space of 2 GB per user and separate data sets on disks, versus AS/400 - OS/400 with one address space of 2^64 bytes = 16.000.000 terabytes in which every object (program, screen, “data”) is addressed directly, with DASD behind it]
[Figure: system processor, main storage and auxiliary storage (paging on DASD), linked through VAT and DIR]
[Figure: objects in the single address space, e.g. Program A123, Program A143, Data GFHJ, Data 5RF, Program XG63, Command AB6, Menu 567, Menu 765, Command UY, Queue, etc., up to the maximum space]
Object oriented
[Figure: every object holds data (e.g., data records, programs, sources, etc.)]
OBJECT TYPES
To store information in the AS/400 system, 73 different object types are defined, e.g.
Type − Contents
• Library − object names (like a directory)
• Data − data records (database records)
• Program − executable programs
• Source − source of programs in COBOL, Pascal, C etc.
• User profile − userid descriptions and privileges
• Journal − logging records
• Job queue − jobs to handle
• Output queue − output from jobs
• Device description − device parameters
• Job description − job control language
Object administration
Physical security
Keylock position | Power down command | Remote or timed IPL | Main switch IPL | Attended IPL
SECURE           | YES                | NO                  | NO              | NO
AUTO             | YES                | YES                 | NO              | NO
NORMAL           | YES                | YES                 | YES             | NO
MANUAL           | YES                | NO                  | YES             | YES
Note: In position MANUAL, attended IPL, special service tools are available (Dedicated Service Tools)
Logical security levels
Integrity checking
INTEGRITY CHECKING
ISOLATION: AS/400 distinguishes system state and user state programs
Security level = 40
• a user program must use the APIs (Application Program Interface) to interact with a system program
Security level = 50
• a user program must also use the APIs to interact with another user program
[Figure: two pictures of the system state domain and the user state domain, one showing no integrity problem and one showing an integrity problem]
• intentionally no problem
• no journaling of activities
• level 50 enforces use of the API in the user domain
Special authorizations
SPECIAL AUTHORIZATIONS
Within the AS/400 system there are definitions with a system-wide authority scope. A user defined with a special authorization is able to do the following:
PRIVILEGE − AUTHORIZED TO DO
• ∗ALLOBJ − access every system resource
• ∗SECADM − create / change user profiles
• ∗SAVSYS − save / restore
• ∗JOBCTL − manipulate jobs on the system
• ∗SPLCTL − all spool functions
• ∗SERVICE − service functions
• ∗AUDIT − audit-related functions
• ∗IOSYSCFG − change system configuration
User classes
USER CLASSES
[Figure: nested user classes ∗SECOFR, ∗SECADM, ∗PGMR and ∗SYSOPR, showing which of the special authorities ∗ALLOBJ, ∗SECADM, ∗SAVSYS, ∗JOBCTL, ∗SERVICE, ∗SPLCTL and ∗IOSYSCFG each class groups]
Special authorities can be grouped together. This grouping is called a USERCLASS
Pre-defined user profiles
• QSECOFR
• QPGMR
• QSYSOPR
• QSRV
• QSRVBAS
• QUSER
Note: The passwords must be changed as soon as the system is IPLed for the first time, to prevent other users from signing on with these highly authorized userids
User profile
USER PROFILE
With security level 20 or higher, a user can only access the system if a user profile is defined for him/her. A user profile can be created through a panel interface or by issuing the CRTUSRPRF command. The contents of the user profile may be
Authentication
AUTHENTICATION
System-wide password syntax options
• QPWDMINLEN  minimum length of the password
• QPWDMAXLEN  maximum length (up to 10 characters)
• QPWDRQDDIF  new password must differ from the 32 previous ones
• QPWDLMTCHR  specify up to 10 characters not allowed in a password
• QPWDPOSDIF  a character in the new password must differ from the character in the same position in the old one
• QPWDLMTREP  a character may not be used more than once
• QPWDLMTAJC  digits 0 to 9 may not be next to one another
• QPWDVLDPGM  use a password syntax checker program
• QPWDRQDDGT  at least one numeric character
Other system-wide password options
• QPWDEXPITV  maximum number of days the password is valid
• QMAXSIGN  maximum number of unsuccessful sign-on attempts
• QDSPSGNINF  display date/time of last sign-on etc. after a successful sign-on
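As an added illustration, not part of the KPMG slides, the following Python model applies the password syntax rules listed above to constructed candidate passwords. The QPWD* names are the real system values; the policy values, the order of the checks and the upper-casing of candidates (an assumption of this model) are the example's own.

```python
# Added example, not from the KPMG slides: a model of the OS/400 password syntax
# rules named by the QPWD* system values on this slide, applied to constructed
# candidate passwords. The system value names are real; the policy values, the
# checking order and the upper-casing of candidates are this example's assumptions.

# Constructed policy: one entry per system value discussed on the slide.
POLICY = {
    "QPWDMINLEN": 6,        # minimum length
    "QPWDMAXLEN": 10,       # maximum length (up to 10 characters)
    "QPWDRQDDIF": 32,       # must differ from the previous 32 passwords
    "QPWDLMTCHR": "AEIOU",  # characters not allowed in a password (up to 10)
    "QPWDPOSDIF": True,     # no character in the same position as in the old password
    "QPWDLMTREP": True,     # no character may be used more than once
    "QPWDLMTAJC": True,     # digits may not be next to one another
    "QPWDRQDDGT": True,     # at least one digit required
}


def check_password(new, old=None, history=(), policy=POLICY):
    """Return the names of the QPWD* rules the candidate violates, in check order
    (an empty list means the password is acceptable under the policy)."""
    cand = new.upper()
    prev = old.upper() if old is not None else None
    violations = []

    if len(cand) < policy["QPWDMINLEN"]:
        violations.append("QPWDMINLEN")
    if len(cand) > policy["QPWDMAXLEN"]:
        violations.append("QPWDMAXLEN")

    # Password history: the old password plus the most recent QPWDRQDDIF entries.
    recent = {h.upper() for h in history[-policy["QPWDRQDDIF"]:]}
    if prev is not None:
        recent.add(prev)
    if cand in recent:
        violations.append("QPWDRQDDIF")

    if any(c in policy["QPWDLMTCHR"] for c in cand):
        violations.append("QPWDLMTCHR")
    if policy["QPWDPOSDIF"] and prev is not None and any(a == b for a, b in zip(cand, prev)):
        violations.append("QPWDPOSDIF")
    if policy["QPWDLMTREP"] and len(set(cand)) != len(cand):
        violations.append("QPWDLMTREP")
    if policy["QPWDLMTAJC"] and any(a.isdigit() and b.isdigit() for a, b in zip(cand, cand[1:])):
        violations.append("QPWDLMTAJC")
    if policy["QPWDRQDDGT"] and not any(c.isdigit() for c in cand):
        violations.append("QPWDRQDDGT")
    return violations


if __name__ == "__main__":
    # Constructed candidates: a compliant change, a weak one, and a re-used one.
    for new, old in (("KPMG7X", "RISK2B"), ("AB12", "RISK2B"), ("ZQ9WN5", "ZQ9WN5")):
        print(new, "->", check_password(new, old) or "accepted")
```

The function reports every violated rule rather than stopping at the first, which is what an auditor reviewing a proposed QPWD* configuration wants to see: the same candidate may trip several rules at once, and a policy with an empty QPWDLMTCHR or QPWDRQDDGT switched off is immediately visible as rules that never fire.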
GROUP PROFILE
A group profile has the same structure as a user profile: it becomes a group
profile when it is named as a group in a user profile. The contents of the
group profile may be
Group structure
GROUP STRUCTURE
[Figure: group profiles GROUP A and GROUP B; user profiles USER A1 (Group=A), USER A2 (Group=A,B), USER B1 (Group=B) and USER B2 (Group=B)]
• The groups are independent definitions and do not have any relation to one another
• A user can be a member of at most 16 groups
Object header authority
[Figure: an object consists of a header and functional data; the header part is highlighted]
AUTHORITY − ACCESS RIGHTS to HEADER
• ∗OBJOPR − use/look at the object information
• ∗OBJMGT − grant other users authority to use the object
• ∗OBJEXIST − total control over the object
Object data authority
[Figure: an object consists of a header and functional data; the functional data part is highlighted]
Before accessing the contents of an object, the user must have at least ∗OBJOPR authority to the object. If so, data access can be controlled with five different levels
AUTHORITY − ACCESS RIGHTS to FUNCTIONAL DATA
• ∗READ − read the entries of the functional data
• ∗ADD − add entries to the functional data
• ∗UPD − update entries of the functional data
• ∗DLT − delete entries of the functional data
• ∗EXECUTE − only execute the related program
Object authority
OBJECT AUTHORITY
To get access to an object, the user first needs access to the header information before he/she is allowed to access the data part of the object. To access the data, the user needs, in addition to the header access, at least read access to the data part of the object. In this example all users have read access to the data.
[Figure: the authorization search starts at the PUBLIC authority, which holds ∗OBJOPR on the header and ∗READ on the data]
Object authority grouping
[Figure: nested grouping of authorities: ∗ALL covers ∗OBJEXIST, ∗OBJMGT, ∗OBJOPR and all data rights; ∗CHANGE covers ∗OBJOPR with ∗READ, ∗ADD, ∗UPD and ∗DLT; ∗USE covers ∗OBJOPR with ∗READ]
Public authorization
PUBLIC AUTHORIZATION
When most of the users must have the same access authority to an object, this access authority is set in the object header. The authorization is called PUBLIC and is given to the object during creation
[Figure: object header (object type, owner, PUBLIC authority ∗USE for all users) and functional data]
Note: In this example all users have read access to this object (∗USE includes ∗OBJOPR and ∗READ)
Private authority
PRIVATE AUTHORITY
When a specific user must have lower or higher access rights than the public authority, the user’s access is administered in his/her user profile extension
[Figure: the USER PROFILE (itself an object) has a header, user information, a list of owned objects and a list of objects the single user is authorized to access with the given authority, e.g. OBJEXAMPLE ∗CHANGE]
Note: When there is a private access definition for the object that is lower than the public authority, it will be marked in the object header
Authorization list
AUTHORIZATION LIST
When another object is created that needs the same authorization scheme, this newly created object can be connected to the same list
[Figure: AUTHORIZATION LIST (itself an object) with a header and the entries ANJA ∗ALL, EDWIN ∗CHANGE, RONALD ∗USE, LEEN ∗AUTLMGT, ∗PUBLIC ∗EXCLUDE]
The example above shows a list which can be used by an object to control its access rights. A specific access control authorization called ∗AUTLMGT is also defined; it gives the user (or group) the ability to maintain this authorization list
Note: When the public authorization in the object specifies that the authorization list will be used, the entry ∗PUBLIC gives the public authorization
[Figure: object header (object type, owner, public authority ∗AUTL) connected to AUTHORIZATION LIST ABC with the entries ANJA ∗ALL, EDWIN ∗CHANGE, RONALD ∗USE, LEEN ∗AUTLMGT, ∗PUBLIC ∗EXCLUDE; functional data below the header]
Note: In this example the public authority is now taken from the authorization list entry ∗PUBLIC
Authorization check flow
AS/400 first checks whether the user has a special authority. If there is no special authority, the next step is to look for a specific authority defined for the user, and so on. As soon as any authorization definition for the object is found, the search stops
This mechanism is called exclusive access control and is the opposite of accumulated access control, in which all applicable definitions would be combined
Adopted security
ADOPTED SECURITY
• AS/400 security allows a user to adopt the access authorization of the owner of a program
• When a user is allowed to execute a program owned by another user, the authority can be adopted
• The user then has the same access authority to the objects as the owner of it
[Figure: user A has ∗EXCLUDE for DATA B23 (direct access not allowed) and ∗USE for program BAS; via program BAS of user B the access is allowed]
[Figure: DATA B23, owner user B, public authority ∗EXCLUDE; PROGRAM BAS, owner user B, public authority ∗USE, adopting authority active]
User A has
• ∗EXCLUDE for data B23
• ∗USE for program BAS
Note: In this example, user B has access authority of ∗ALL to the object with data B23. User A can only access it through the program BAS
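The following Python model is an added example, not code from the slides or from IBM. It replays the authorization check flow described above (special authority first, then the user's specific authority, the authorization list, group profiles and finally public authority, stopping at the first definition found) and the adopted security scenario with DATA B23 and PROGRAM BAS, using the ∗ALL/∗CHANGE/∗USE/∗EXCLUDE groupings and an authorization list reached through ∗AUTL. The exact search order, the user and object names, treating the owner as holding ∗ALL, and letting adoption replace the caller's own rights are assumptions of this model.

```python
# Added example, not from the KPMG slides or from IBM: a simplified model of the
# OS/400 authority check (first applicable definition wins) with header and data
# rights, the *ALL/*CHANGE/*USE/*EXCLUDE groupings, an authorization list reached
# through public authority *AUTL, group profiles and adopted authority. All names
# are constructed; owner = *ALL and "adoption replaces the caller's rights" are
# simplifications of this model, not statements about OS/400.

HEADER_RIGHTS = {"*OBJOPR", "*OBJMGT", "*OBJEXIST"}
DATA_RIGHTS = {"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}

# Shorthand groupings; the slides note that *USE includes *OBJOPR and *READ.
GROUPS = {
    "*ALL": HEADER_RIGHTS | DATA_RIGHTS,
    "*CHANGE": {"*OBJOPR"} | DATA_RIGHTS,
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),
    "*AUTLMGT": set(),  # right to maintain the list itself, no object rights by itself
}

def expand(auth):
    """A grouping name or an explicit set of rights -> set of specific rights."""
    return set(GROUPS[auth]) if isinstance(auth, str) else set(auth)

class Obj:
    def __init__(self, name, owner, public, private=None, autl=None, adopts=False):
        self.name, self.owner, self.public = name, owner, public  # public: grouping or "*AUTL"
        self.private = private or {}  # user/group profile name -> grouping or set of rights
        self.autl = autl or {}        # authorization list entries, may contain "*PUBLIC"
        self.adopts = adopts          # program that adopts its owner's authority when run

class User:
    def __init__(self, name, groups=(), special=()):
        self.name, self.groups, self.special = name, tuple(groups), set(special)

def effective_rights(user, obj):
    """Exclusive search: the first definition that applies decides; nothing is accumulated."""
    if "*ALLOBJ" in user.special:                # 1. special authority
        return expand("*ALL")
    if user.name in obj.private:                 # 2. private (specific) authority of the user
        return expand(obj.private[user.name])
    if user.name == obj.owner:                   #    owner without a reduced private entry
        return expand("*ALL")
    if user.name in obj.autl:                    # 3. the user's own entry on the authorization list
        return expand(obj.autl[user.name])
    for group in user.groups:                    # 4. a group profile's private or list entry
        if group in obj.private:
            return expand(obj.private[group])
        if group in obj.autl:
            return expand(obj.autl[group])
    if obj.public == "*AUTL":                    # 5. public authority taken from the list's *PUBLIC entry
        return expand(obj.autl.get("*PUBLIC", "*EXCLUDE"))
    return expand(obj.public)

def can_access(user, obj, needed, via_program=None):
    """True when the acting profile holds *OBJOPR on the header plus every needed data right.
    via_program models adopted authority: the user must be allowed to run the program, and
    if the program adopts, its owner's rights are used for the target object instead."""
    subject = user
    if via_program is not None:
        if not can_access(user, via_program, {"*EXECUTE"}):
            return False
        if via_program.adopts:
            subject = User(via_program.owner)
    rights = effective_rights(subject, obj)
    return "*OBJOPR" in rights and set(needed) <= rights

def run_scenarios():
    """Replay the slides' DATA B23 / PROGRAM BAS and authorization list ABC examples."""
    data_b23 = Obj("B23", owner="B", public="*EXCLUDE")
    prog_bas = Obj("BAS", owner="B", public="*USE", adopts=True)
    user_a, user_b, secofr = User("A"), User("B"), User("QSECOFR", special={"*ALLOBJ"})
    autl_abc = {"ANJA": "*ALL", "EDWIN": "*CHANGE", "RONALD": "*USE",
                "LEEN": "*AUTLMGT", "*PUBLIC": "*EXCLUDE"}
    obj_abc = Obj("ABC", owner="OWNER", public="*AUTL", autl=autl_abc)
    # Exclusive search: A2's own *EXCLUDE entry wins over group A's *USE entry.
    shared = Obj("SHARED", owner="OWNER", public="*EXCLUDE",
                 private={"GROUPA": "*USE", "A2": "*EXCLUDE"})
    user_a1, user_a2 = User("A1", groups=("GROUPA",)), User("A2", groups=("GROUPA", "GROUPB"))
    return {
        "A_reads_B23_directly": can_access(user_a, data_b23, {"*READ"}),           # False
        "A_reads_B23_via_BAS": can_access(user_a, data_b23, {"*READ"}, prog_bas),  # True
        "B_updates_B23": can_access(user_b, data_b23, {"*READ", "*UPD"}),          # True
        "secofr_reads_B23": can_access(secofr, data_b23, {"*READ"}),               # True
        "EDWIN_rights_on_ABC": effective_rights(User("EDWIN"), obj_abc),           # the *CHANGE rights
        "RONALD_updates_ABC": can_access(User("RONALD"), obj_abc, {"*UPD"}),       # False
        "LEEN_reads_ABC": can_access(User("LEEN"), obj_abc, {"*READ"}),            # False
        "stranger_reads_ABC": can_access(User("ZOE"), obj_abc, {"*READ"}),         # False (*PUBLIC *EXCLUDE)
        "A1_reads_SHARED": can_access(user_a1, shared, {"*READ"}),                 # True (group A)
        "A2_reads_SHARED": can_access(user_a2, shared, {"*READ"}),                 # False (own entry wins)
    }
```

Two outcomes are the ones an auditor should look for: user A cannot read B23 directly but can through the adopting program BAS (so the review has to cover every adopting program that reaches sensitive data, not only the data objects), and user A2 is refused although a group entry would allow access, because the exclusive search stops at the user's own ∗EXCLUDE entry.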
Adopted security: another example
[Figure: DATA X24, ∗USE for B2S]
Dedicated Service Tools
• SECURITY
Used by the security officer to do all DST functions and to change the DST passwords
• FULL
To use all DST functions except changing the DST passwords
• BASIC
To use the DST functions that do not affect sensitive data
Note: The security officer must change the DST passwords after installing the system. With the CHGDSTPWD command the DST passwords can be reset
Journaling
JOURNALING
The journal entries can be selectively retrieved from the journal receiver. Sample object definitions are available for saving the different journal entry types
[Figure: the security officer activates the AS/400 security event journal with system value QAUDJRN(∗JRN) and sets the journal level with system values, e.g. ∗AUTFAIL ∗PGMFAIL; the journal entries are written to the journal receiver USERRECV]
Security definition interface
PART X
ADDITIONAL INFORMATION ONLY FOR THE AS/400 AUDITOR
Limited users
LIMITED USERS
Users can be prevented from changing their initial menu, initial program and current library. When a user signs on, the user profile definition may specify an initial menu to display or a program to execute. With limited capabilities = YES the signed-on user can only use this menu structure or can only execute the defined program
When a user is PARTIAL limited (also defined in the user profile), the user may change the main menu and is allowed to issue commands from the command line
Library security
LIBRARY SECURITY
Set the public authority for the objects in the library as high as necessary, and the public authority for the library itself to ∗EXCLUDE
[Figure: LIBRARY A, owner user A, public authority ∗EXCLUDE, containing OBJECT A, OBJECT B, OBJECT C etc., each with public authority ∗USE and its own data]
Physical versus logical file security
A physical file, which contains the physical records, can be accessed directly by the users or indirectly through a logical file definition. This logical file definition can give a different view of the physical data
The following physical file object P cannot be accessed directly because the user has no access to its header information
By giving access to a logical file with a certain view of the physical data, a user only gets access to that part of the data
Authority holder
AUTHORITY HOLDER
AS/400 gives the opportunity to set up an object authority before the creation of an object. This mechanism is called an authority holder. The authority holder is a dummy object header containing all header information of an object. It will be connected to the object’s data part when the data is created
[Figure: AUTHORITY HOLDER]
Adopted security: search sequence
[Figure: library list with library B containing program A and program B, and library A containing program A; the two libraries are shown in both orders, so an unqualified call of program A resolves to a different program A depending on the library sequence]
ADOPTED SECURITY
To eliminate the possibility of using the library sequence, the program call should supply the library name by using the ‘qualified name’ in the CALL command
Another way to eliminate this security problem is not to call the program, but to transfer control (TFRCTL) to program A
With TFRCTL program A will not adopt the authorization of user B. This can only be done when appropriate for the program logic flow
Journaling
JOURNALING
To activate journaling the security officer must create the QSYS/QAUDJRN journal and a journal receiver. The journal, located in the system library, acts as an intermediary
The journal receiver is the object that will hold the journal entries and can be defined by the security officer using his/her own naming conventions
The receiver and the journal are created, and journaling is switched on, with the following commands (USERRECV is the receiver name chosen by the security officer)
CRTJRNRCV JRNRCV(USERRECV)
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(USERRECV)
CHGSYSVAL SYSVAL(QAUDJRN) VALUE(*JRN)
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *PGMFAIL')
To set the level of journaling the system value QAUDLVL must be set. Possible values are
∗NONE, ∗AUTFAIL, ∗SAVRST, ∗DELETE, ∗SECURITY, ∗CREATE, ∗OBJMGT and ∗PGMFAIL