Coffee With Carol: Demystifying IFS Security


9/24/2018
Coffee with Carol: Demystifying IFS Security
Carol Woodbury, CISSP, CRISC, PCIP
VP Global Security Services
2018 IBM Champion

Agenda
- Reasons for modifying IFS (Integrated File System) security
- How security differs between the IFS and traditional IBM i libraries and objects
- Auditing and the IFS
- Example of securing a directory
- NetServer
  - File shares
  - Guest services

What is the IFS?
- A hierarchical file system
- Added to iSeries in V3R6 to aid in porting Unix applications to run on IBM i

Reasons for examining IFS security
- Default access is the equivalent of *PUBLIC *ALL, which allows inappropriate
  - Directory creation
  - Storage of objects: PC backups, movies, music, pictures, etc.
  - Damage from malware
- Most organizations have some confidential information stored in the IFS and it requires

Which file systems?
All statements made apply to both /Root and /QOpenSys

Where they're the Same and Where they're Different
Same:
- Authority checking algorithm
- *PUBLIC authority
- Can use authorization lists and private authorities
Different:
- Authority names: *RWX vs *CHANGE
- Ignores QCRTAUT system value
- Ignores ownership setting in user profile
- Ignores adopted authority
- Need to look in different

IFS authorities mapped to IBM i authorities

  IFS data authority                                         IBM i equivalent
  *RWX  Read/Write/Execute, with object authorities *ALL     (*ALL)
  *RWX  Read/Write/Execute                                   (*CHANGE)
  *RW   Read/Write
  *RX   Read/Execute                                         (*USE)
  *R    Read
  *WX   Write/Execute
  *W    Write
  *X    Execute

Need:
- *R to read a file or to list the contents of a directory
- *W to write to a file or add a file to a directory
- *X to traverse through a directory, e.g.,

Managing Authorities and Ownership
HelpSystems. All rights reserved.

Two sets of authority to manage
- CHGAUT – Change Authority command
- Must consider the appropriate authority for both the data authorities and the object authorities
- Specifying *ALL for Directory subtree allows you to set the authorities on the entire subtree

Two sets of authority to manage
- WRKAUT – Work with Authority command
- Note: This is the recommended setting for '/': data authorities *RX, object authorities *NONE

Working with permissions in Navigator for i

Permissions and Change ownership
Change Owner

Auditing and the IFS

Configuring auditing on an IFS object
- CHGAUD – Change Auditing command

IFS audit entries
- *N in the Object Name field of an audit entry indicates the object is a pathname (an object in the IFS)
- Pathname is a 5002 character field at the end of the audit journal entry
- Use the CPYAUDJRNE command to display and view the results in QTEMP/QAUDITxx

CPYAUDJRNE – Copy Audit Journal Entries
- Creates a file named QAUDITCO in QTEMP

Results of query / SQL of QTEMP/QAUDITCO

Changing Authorities on a Directory

Application authorization options
- Adopted authority is ignored
- Options:
  - User has direct authority via (what we typically use):
    - *PUBLIC
    - Individual (private) authority for user or group
    - Primary group authority
    - Authorization list
  - Use one of the swap APIs
    - Profile swap
    - Profile token
  - Set UID or Set GID

Planning to change authorities
- Identify directory(s) to be secured
- Identify which users or processes are required to access the directories
  - Don't forget manual processes, batch jobs, etc. that write to the directory
- Determine where authority is going to come from
  - Typically grant a private authority to a group or secure with an authorization list
- Determine the *PUBLIC authority setting
  - Often set to DTAAUT(*EXCLUDE)

Modifying authorities
What authorities are needed?
- OBJAUT(*NONE) and DTAAUT(*X) to traverse all directories in a path
- OBJAUT(*NONE) and DTAAUT(*RX) to the directory to read or list the contents
- OBJAUT(*NONE) and DTAAUT(*RWX) to the directory to create objects into it
- OBJAUT(*NONE) and DTAAUT(*WX) to the directory to rename or delete objects in the directory
- OBJAUT(*OBJMGT) at the object level to copy or rename objects
- OBJAUT(*OBJEXIST) at the object level to delete objects
(Diagram: Directory containing File1 and File2)

Example – Securing the /payroll directory

Determining the profiles that need access
- Look at the owner of the objects in the directory
- Examine the CO and DO audit entries
  - May need to examine OM entries (object moves)
- Examine the ZR and ZC entries for objects being read/updated
- Job schedule entries (for batch jobs reading from / writing to the directory being secured)

Determining what authority is required
- Display the owner of the objects and/or display the CO audit entries for the directory

Start authority collection for SERVICE1 – V7R3
Query the collection for SERVICE1

Set the authorities
Or make SERVICE1 the owner of /payroll

More on Authorities
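The /payroll procedure from the preceding slides (audit the directory, find the profiles that create objects in it, then set the authorities) as one CL sequence. This is an added example, not code from the deck; /payroll and SERVICE1 come from the slides, while the QAUDITCO column names used in the SQL step (COUSER, COPNAM) are assumptions to check against the file CPYAUDJRNE produces on your system.

```cl
/* Added example: securing /payroll. SERVICE1 and /payroll are taken    */
/* from the slides; the QAUDITCO column names COUSER (user) and COPNAM  */
/* (path name) are assumptions - confirm them with DSPFFD QTEMP/QAUDITCO */

/* 1. Audit the directory subtree so CO/DO/ZR/ZC entries get written    */
CHGAUD OBJ('/payroll') OBJAUD(*ALL) SUBTREE(*ALL)

/* 2. After a representative period (month-end, batch cycles), copy the */
/*    create (CO) entries into QTEMP/QAUDITCO                            */
CPYAUDJRNE ENTTYP(CO) OUTFILE(QTEMP/QAUDIT) JRNRCV(*CURCHAIN)

/* 3. Reduce them to the profiles that create objects under /payroll    */
/*    (RUNSQL cannot return a result set, so materialise a work table)  */
RUNSQL SQL('CREATE TABLE QTEMP/PAYUSERS AS (SELECT DISTINCT COUSER +
            FROM QTEMP/QAUDITCO WHERE COPNAM LIKE ''/payroll/%'') +
            WITH DATA') COMMIT(*NONE)
RUNQRY QRY(*NONE) QRYFILE((QTEMP/PAYUSERS))

/* 4. Remove the default *PUBLIC access from the directory and every    */
/*    object below it                                                    */
CHGAUT OBJ('/payroll') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE) +
       SUBTREE(*ALL)

/* 5. Give the application profile what the slides list per action:     */
/*    *RWX on the directory to create, plus *OBJEXIST and *OBJMGT on    */
/*    the objects to delete, copy or rename them                         */
CHGAUT OBJ('/payroll') USER(SERVICE1) DTAAUT(*RWX) +
       OBJAUT(*OBJEXIST *OBJMGT) SUBTREE(*ALL)

/* Alternative from the deck: make SERVICE1 the owner instead           */
/* CHGOWN OBJ('/payroll') NEWOWN(SERVICE1) SUBTREE(*ALL)                 */

/* Traversal still needs DTAAUT(*X) on '/': leave root at the deck's    */
/* recommended *PUBLIC DTAAUT(*RX) OBJAUT(*NONE), never *EXCLUDE         */
```

Repeat step 2 with ENTTYP(DO), ENTTYP(ZR) and ENTTYP(ZC) to see the deleting, reading and updating profiles the slides also ask for.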

Notes on IFS authorities
- root ('/') CANNOT be set to *EXCLUDE – many things will start to fail
  - Should be *PUBLIC DTAAUT(*RX) OBJAUT(*NONE)
  - But check to make sure that no temporary objects are being created/deleted in root prior to securing
- What applies to '/' can be applied to '/QOpenSys'
- IBM directories: /QIBM is already set to DTAAUT(*RX) OBJAUT(*NONE)
- Set '/home' to OBJAUT(*NONE) DTAAUT(*RX)
  - Create a home directory for individuals requiring them. Make them the owner and set *PUBLIC to DTAAUT(*EXCLUDE) OBJAUT(*NONE)
- Do NOT remove private authorities granted to IBM profiles!

*PUBLIC authority
- Ignores the QCRTAUT system value, so how is *PUBLIC set?
- Typically inherits ALL authorities of the directory it's being created into: authorization list, *PUBLIC, private, etc.
- Exceptions: CPYTOIMPF and CPYTOSTMF
  - Does not copy private authorities or AUTL
  - *PUBLIC and primary group are set to *EXCLUDE
  - Owner has *RWX
  - Need to change after the create using CHGAUT
  - Behavior changed in V6R1 – now have the option to inherit from the directory
- creat(), move(), mkdir() APIs where the authority can be

CPYTOSTMF as of V6R1

Tools for managing IFS authorities - SECTOOLS
- SECTOOLS – PRTPUBAUT and PRTPVTAUT
- Note: Use caution when specifying *YES to search subdirectories
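The CPYTOSTMF exception described in the notes above, as an added example that is not the deck's own: the copy that lands with *PUBLIC *EXCLUDE and no private authorities, the CHGAUT fix-up afterwards, and the V6R1 option of inheriting from the directory. PAYLIB/EXPORT, the authorization list PAYROLL and the AUT(*INDIR) value are assumptions; confirm the AUT parameter on your release.

```cl
/* Added example. PAYLIB/EXPORT and /payroll/export.csv are constructed  */
/* names; SERVICE1 and /payroll come from the slides.                    */

/* The copy creates /payroll/export.csv with owner *RWX, *PUBLIC and     */
/* primary group *EXCLUDE, and none of /payroll's private authorities    */
CPYTOSTMF FROMMBR('/QSYS.LIB/PAYLIB.LIB/EXPORT.FILE/EXPORT.MBR') +
          TOSTMF('/payroll/export.csv') STMFOPT(*REPLACE)

/* Pre-V6R1 behaviour (and still a safe habit): set authorities after   */
/* the create, matching what /payroll itself grants                      */
CHGAUT OBJ('/payroll/export.csv') USER(SERVICE1) DTAAUT(*RWX) +
       OBJAUT(*OBJEXIST *OBJMGT)
/* If /payroll is secured by an authorization list, attach the same one  */
/* (PAYROLL is an assumed list name)                                     */
CHGAUT OBJ('/payroll/export.csv') USER(*PUBLIC) DTAAUT(*AUTL) +
       OBJAUT(*AUTL) AUTL(PAYROLL)

/* V6R1 and later: let the copy inherit the directory's authorities      */
/* instead (AUT(*INDIR) is the assumed parameter value - verify it)      */
CPYTOSTMF FROMMBR('/QSYS.LIB/PAYLIB.LIB/EXPORT.FILE/EXPORT.MBR') +
          TOSTMF('/payroll/export.csv') STMFOPT(*REPLACE) AUT(*INDIR)
```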

Proliferation of private authorities
Path: /Images/2018/Finance/January
- /Images – Created by (therefore, owned by): GIBBS
- /Images/2018 – Owner: TONY, Private authority – GIBBS
- /Images/2018/Finance – Owner: ZIVA, Private authorities – GIBBS, TONY
- /Images/2018/Finance/January – Owner: MAGEE, Private authorities – GIBBS, TONY, ZIVA
- /Images/2018/Finance/January/xxxxx.doc – Owner: App Profile
Images will be owned by App Profile and each will have a private authority for GIBBS, TONY, ZIVA and MAGEE.
- Discover which profiles have excess private authorities via PRTPRFINT (Print profile internals) and WRKOBJPVT
- Reduce time for SAVSECDTA using

NetServer – File Shares and More

File shares
- File shares make the directory "available" to the network
- Manage file shares through Navigator for i
- A file share can be created by the owner of a directory, or someone with *ALLOBJ or *IOSYSCFG special authority
- Shares can be Read-only or Read-Write
- Must still have sufficient IBM i authority to the directories shared
- Hide the share from broadcast by NetServer by adding a '$' to the end of the name
(Screenshot: Share name)

List of file shares
File shares
- A hand underneath the folder indicates it's shared

File shares – the Dangers!
- Many systems have shared '/' (root)
  - This is a HUGE exposure because it shares /QSYS.LIB – in other words – all libraries on the system. If data is not protected, this is an easy way to corrupt data
  - A read/write share exposes the entire system to malware
  - A share to root is NOT required to share a sub-directory
- Recommendations: Review all file shares, removing those that are no longer needed

Root Recommendations
- Avoid sharing '/' if at all possible
- If required, use a Read-only share if at all possible
- Hide the share – add a '$' to the end
- Be creative with the name
- Set *PUBLIC authority of root to DTAAUT(*RX) OBJAUT(*NONE)
  - Note: Make sure nothing is being created into root prior to setting this authority – look at the CO audit journal entries
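The share review and root recommendations above as an added CL example (not the deck's): pull every read/write file share and every share of '/' into a work table for review, then set root to the recommended *PUBLIC authority. The QSYS2.SERVER_SHARE_INFO view and its column names are assumptions from the IBM i SQL services catalog; verify them on your release before relying on the query. Nothing here creates or changes a share.

```cl
/* Added example. QSYS2.SERVER_SHARE_INFO and the columns               */
/* SERVER_SHARE_NAME, SHARE_TYPE, PATH_NAME and PERMISSIONS are assumed; */
/* check the view on your system first.                                  */

/* 1. Work table of the shares the slides flag: read/write shares, and  */
/*    any share whose path is '/' (which also exposes /QSYS.LIB)         */
RUNSQL SQL('CREATE TABLE QTEMP/SHAREREV AS (SELECT SERVER_SHARE_NAME, +
            PATH_NAME, PERMISSIONS FROM QSYS2.SERVER_SHARE_INFO +
            WHERE SHARE_TYPE = ''FILE'' AND +
            (PERMISSIONS = ''READ WRITE'' OR PATH_NAME = ''/'')) +
            WITH DATA') COMMIT(*NONE)
RUNQRY QRY(*NONE) QRYFILE((QTEMP/SHAREREV))
/* Review each row: drop shares no longer needed, replace a root share  */
/* with a share of the sub-directory actually required, prefer read-only */

/* 2. Root authority. Per the slides, confirm from the CO audit entries  */
/*    that nothing is created directly under '/' before doing this.      */
/*    SUBTREE defaults to *NONE - only '/' itself is changed; SUBTREE    */
/*    (*ALL) on root would rewrite the authority of every object.        */
CHGAUT OBJ('/') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)
```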


NetServer Guest Profile - Properties

NetServer – Disabled Profiles
- Only disables the NetServer profile, NOT the IBM i profile
- Message CPIB682 is sent to QSYSOPR for disabled NetServer profiles

HelpSystems' Solution Based Approach
Professional Security Services

DATA SECURITY LIFECYCLE
- Risk Assessment: Uncover your system's security vulnerabilities and prepare a detailed report filled with expert findings and recommendations.
- Managed Security Services: Bridge the gap between auditors and IT staff by enlisting experts to monitor your IBM i security and prepare in-depth reports every month.
- Remediation: Implement your new security architecture and ensure IT staff has the knowledge to maintain the new architecture.
- Penetration Testing: Test your security defenses through penetration testing, ethical hacking required by auditors that highlights the danger of security vulnerabilities.
- Architecture: Close security gaps with a re-architected application security scheme designed by IBM i experts to meet your unique needs.

www.helpsystems.com
800-328-1000

Carol Woodbury, CISSP, CRISC, PCIP
VP Global Security Services
carol.woodbury@helpsystems.com
@carolwoodbury
2018 IBM Champion
