Hardening Your i5OS Security


iNSIGHT 2008 - System i Security and Compliance Conference

Hardening i5/OS

John Earl, Chief Technology Officer, The PowerTech Group
john.earl@powertech.com, 206-669-3336

Copyright 2008 The PowerTech Group, Inc.

Hardening i5/OS: Why Bother?

The usual reasons given for not bothering:
- "i5/OS is already secure."
- "Hackers don't know anything about i5/OS."
- "Nobody has ever hacked our system."
- "We have good people working for us."
- "Our auditors never have a problem with it."


Copyright 2006-2008 John Earl

Hardening i5/OS

Some of the default settings on i5/OS are not good enough for industrial-strength security:
- The original i5/OS settings had to accommodate early S/36 and S/38 application designs.
- IBM assumed that you would strengthen past the default settings.
- Awareness of i5/OS in the hacking community was fairly low, but

Auditing System Values

QAUDCTL
  Description:  Control for object and user action auditing
  Ship value:   *NONE
  Target value: *AUDLVL *OBJAUD *NOQTEMP
  Explanation:  Use QAUDLVL (action auditing) and object auditing; do not audit objects in QTEMP

QAUDLVL
  Description:  Security auditing level
  Ship value:   *NONE
  Target value: *AUTFAIL *CREATE *DELETE *OBJMGT *PGMFAIL *SAVRST *SYSMGT *SECURITY *SERVICE *AUDLVL2
  Explanation:  Audit these events; *AUDLVL2 says to also use the extension value

QAUDLVL2
  Description:  Auditing level extension
  Ship value:   *NONE
  Target value: *NETBAS *NETFAIL
  Explanation:  Audit these events as well

QCRTOBJAUD
  Description:  Audit value for new objects
  Ship value:   *NONE
  Target value: *USRPRF
  Explanation:  Allow auditing of new objects by user (at least)
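The table as a sequence of commands, added here as an example and not taken from the slides. The audit journal QSYS/QAUDJRN has to exist before QAUDCTL can be changed away from *NONE, so the journal receiver and journal come first. The receiver library QGPL, the receiver name AUDRCV0001 and the file PAYLIB/PAYROLL are assumptions.

```cl
/* Added example (not from the slides): enable auditing to the targets in the   */
/* table above. Receiver library QGPL, receiver name AUDRCV0001 and the object   */
/* PAYLIB/PAYROLL are assumptions. Needs *AUDIT special authority.               */

/* 1. The audit journal QSYS/QAUDJRN must exist before QAUDCTL can leave *NONE.  */
/*    DLTRCV(*NO): the system may attach new receivers but never deletes the     */
/*    old ones; save and detach them yourself so no audit data is lost.          */
CRTJRNRCV JRNRCV(QGPL/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE) +
          TEXT('Security audit journal receiver')
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) MNGRCV(*SYSTEM) +
          DLTRCV(*NO) AUT(*EXCLUDE) TEXT('Security audit journal')

/* 2. Which actions to audit, and the default audit value for new objects.       */
CHGSYSVAL SYSVAL(QAUDLVL)  VALUE('*AUTFAIL *CREATE *DELETE *OBJMGT *PGMFAIL +
                                  *SAVRST *SYSMGT *SECURITY *SERVICE *AUDLVL2')
CHGSYSVAL SYSVAL(QAUDLVL2) VALUE('*NETBAS *NETFAIL')
CHGSYSVAL SYSVAL(QCRTOBJAUD) VALUE(*USRPRF)

/* 3. Switch auditing on last, after the journal and the levels are in place.    */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

/* 4. *OBJAUD alone audits nothing: objects and users must be marked.            */
CHGOBJAUD OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) OBJAUD(*ALL)   /* reads and changes */
CHGUSRAUD USRPRF(QSECOFR) OBJAUD(*ALL) AUDLVL(*CMD)        /* every command run  */

/* 5. Confirm entries are arriving: authority failures (AF), password failures (PW). */
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(AF PW) OUTPUT(*PRINT)
```

The order in steps 1 to 3 is the point: if QAUDCTL is set first the command fails without a journal, and if it is set before QAUDLVL the journal fills with nothing useful.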

Password System Values

QPWDEXPITV
  Description:  Password expiration in days
  Ship value:   *NOMAX
  Target value: 90 or less
  Explanation:  Must change every 90 days

QPWDLMTAJC
  Description:  Restrict consecutive digits
  Ship value:   0
  Target value: 1
  Explanation:  Adjacent digits not allowed

QPWDLMTCHR
  Description:  Restricted characters
  Ship value:   *NONE
  Target value: AEIOU
  Explanation:  Vowels not allowed (only enforced while QPWDLVL is 0 or 1)

QPWDLMTREP
  Description:  Restrict repeating characters
  Ship value:   0
  Target value: 2
  Explanation:  A character may not be repeated consecutively

QPWDLVL
  Description:  Password level
  Ship value:   0
  Target value: 3
  Explanation:  128-byte, case-sensitive passwords; no Windows 95/98/ME NetServer client support

QPWDMAXLEN
  Description:  Maximum password length
  Ship value:   8
  Target value: 128
  Explanation:  128 bytes (only accepted at QPWDLVL 2 or 3; 10 is the maximum at levels 0 and 1)

QPWDMINLEN
  Description:  Minimum password length
  Ship value:   6
  Target value: 8 (the explanation column says 10 bytes)

QPWDPOSDIF
  Description:  Limit password character positions
  Ship value:   0
  Target value: 1
  Explanation:  The same character may not be in the same position as in the previous password

QPWDRQDDGT
  Description:  Require at least one digit
  Ship value:   0
  Target value: 1
  Explanation:  Require a digit

QPWDRQDDIF
  Description:  Password reuse cycle
  Ship value:   0
  Target value: 5
  Explanation:  Must be unique in the last 10 passwords (value 5 = 10)

QPWDVLDPGM
  Description:  Password validation program
  Ship value:   *NONE
  Target value: *REGFAC
  Explanation:  Name a regulating program: the exit programs registered at exit point QIBM_QSY_VLD_PASSWRD
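Applying both password tables in a working order, added here as an example and not taken from the slides. The point it adds is the dependency between the values: a maximum above 10 is rejected until QPWDLVL 2 or 3 is active (which needs an IPL), level 3 throws away the old hashes, and QPWDLMTCHR stops being enforced at the higher levels. SECLIB/PWDVLDPGM is a placeholder for a validation exit program of your own.

```cl
/* Added example (not from the slides): apply the password targets above.        */
/* Order matters: the 128-byte maximum and level 3 each need an IPL first, and   */
/* SECLIB/PWDVLDPGM is a placeholder for your own validation program.            */

/* 1. Rules that are enforced at every password level.                           */
CHGSYSVAL SYSVAL(QPWDEXPITV) VALUE(90)    /* change every 90 days                 */
CHGSYSVAL SYSVAL(QPWDMINLEN) VALUE(8)
CHGSYSVAL SYSVAL(QPWDRQDDGT) VALUE(1)     /* at least one digit                   */
CHGSYSVAL SYSVAL(QPWDLMTAJC) VALUE(1)     /* no two digits side by side           */
CHGSYSVAL SYSVAL(QPWDLMTREP) VALUE(2)     /* no character repeated consecutively  */
CHGSYSVAL SYSVAL(QPWDPOSDIF) VALUE(1)     /* no character in its old position     */
CHGSYSVAL SYSVAL(QPWDRQDDIF) VALUE(5)     /* 5 = must differ from the last 10     */

/* 2. QPWDLMTCHR is enforced only while QPWDLVL is 0 or 1; once the level is     */
/*    raised below it is silently ignored, so do not count on it afterwards.     */
CHGSYSVAL SYSVAL(QPWDLMTCHR) VALUE('AEIOU')

/* 3. Before raising the level, list profiles whose passwords are not usable at  */
/*    level 2/3; they cannot sign on after the IPL until their password is reset. */
PRTUSRPRF TYPE(*PWDLVL)
CHGSYSVAL SYSVAL(QPWDLVL) VALUE(2)        /* takes effect at the next IPL         */
/*    -- IPL here, e.g. PWRDWNSYS OPTION(*CNTRLD) DELAY(600) RESTART(*YES) --     */

/* 4. Only at level 2 or 3 is a maximum above 10 accepted.                       */
CHGSYSVAL SYSVAL(QPWDMAXLEN) VALUE(128)

/* 5. Level 3 discards the level 0/1 password hashes; going back later forces    */
/*    every user to set a new password, so prove level 2 first, then move on.    */
CHGSYSVAL SYSVAL(QPWDLVL) VALUE(3)        /* takes effect at the next IPL         */

/* 6. Rules the system values cannot express go in an exit program. It receives  */
/*    the new password in the clear: *PUBLIC *EXCLUDE on its source, never log it. */
CHGSYSVAL SYSVAL(QPWDVLDPGM) VALUE(*REGFAC)
ADDEXITPGM EXITPNT(QIBM_QSY_VLD_PASSWRD) FORMAT(VLDP0100) PGMNBR(1) +
           PGM(SECLIB/PWDVLDPGM) TEXT('Password validation exit')
```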

Workstation Control System Values

QAUTOCFG
  Description:  Automatic device configuration
  Ship value:   1
  Target value: 0
  Explanation:  Auto config turned off

QAUTORMT
  Description:  Automatic configuration for remote controllers
  Ship value:   1
  Target value: 0
  Explanation:  Auto config turned off

QDEVRCYACN
  Description:  Action for failed device
  Ship value:   *ENDJOB
  Target value: *DSCJOB
  Explanation:  Disconnect the job rather than end it

QDSPSGNINF
  Description:  Display sign-on information
  Ship value:   0
  Target value: 1
  Explanation:  Show sign-on information (previous sign-on, number of invalid attempts)

QINACTITV
  Description:  Time-out interval for inactive jobs
  Ship value:   *NONE
  Target value: 15
  Explanation:  Time out after 15 minutes

QINACTMSGQ
  Description:  Inactive interactive job action, or message queue name
  Ship value:   *NONE
  Target value: *DSCJOB
  Explanation:  Disconnect the job at time-out

QDSCJOBITV
  Description:  Time-out interval for disconnected jobs (in minutes)
  Ship value:   240
  Target value: 75
  Explanation:  End a job that has been disconnected for 75 minutes

Integrity System Values

QALWUSRDMN
  Description:  Allow user domain objects in libraries
  Ship value:   *ALL
  Target value: QTEMP and/or any other library set aside for this purpose
  Explanation:  Where can *USRIDX, *USRSPC (and *USRQ) objects be built?

QSECURITY
  Description:  Security level
  Ship value:   40
  Target value: 40 or 50
  Explanation:  Enforce OS integrity

QALWOBJRST
  Description:  Allow restore of security-sensitive objects
  Ship value:   *ALL
  Target value: *NONE
  Explanation:  Sometimes *ALWPTF, *ALWPGMADP (PTF application needs *ALWPTF; set it for the PTF window and back)

QVFYOBJRST
  Description:  Verify object signatures during restore
  Ship value:   3
  Target value: 5 (or 3)
  Explanation:  User-state objects must be signed (3 will still restore unsigned objects)

QFRCCVNRST
  Description:  Convert objects during restore
  Ship value:   1
  Target value: 7
  Explanation:  Convert all objects (sometimes 5)

Job Description Tightening

On V5R4 we found:
- 67 JOBDs that *PUBLIC has *USE authority to.
- 12 JOBDs that *PUBLIC has *CHANGE authority to.
- 20 JOBDs that name a default user and allow *PUBLIC *USE (at least). For 1, the user is QSYS!
- 4 job descriptions that *PUBLIC has *CHANGE authority to and whose USER is QTCP.

Abandon QSECURITY level 30! At level 30 anyone with *USE to such a job description can submit a job that runs as the named user without any authority to that user profile. At level 40 and above the submitter also needs *USE authority to the user profile, and a failed attempt is recorded as an AF entry (violation type J) in the audit journal.
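How to find and fix these job descriptions, added here as an example and not taken from the slides. PRTJOBDAUT and PRTPUBAUT are the security tools reports (GO SECTOOLS); APPLIB/NIGHTJOBD and the submitting profile BATCHSBM are placeholders.

```cl
/* Added example (not from the slides): find job descriptions that name a user  */
/* and are publicly usable, then fix one. APPLIB/NIGHTJOBD and the submitting   */
/* profile BATCHSBM are placeholders.                                            */

/* 1. Two reports from the security tools: JOBDs that specify a USER and have    */
/*    *PUBLIC authority other than *EXCLUDE, and all publicly authorized JOBDs.  */
PRTJOBDAUT LIB(*ALL)
PRTPUBAUT  OBJTYPE(*JOBD) LIB(*ALL)

/* 2a. Preferred: let the job run as the submitter, not as a fixed user.         */
CHGJOBD JOBD(APPLIB/NIGHTJOBD) USER(*RQD)

/* 2b. Where a fixed user is genuinely required, lock the JOBD down and grant    */
/*     *USE only to the profiles (or an authorization list) that may submit it.  */
GRTOBJAUT OBJ(APPLIB/NIGHTJOBD) OBJTYPE(*JOBD) USER(*PUBLIC)  AUT(*EXCLUDE)
GRTOBJAUT OBJ(APPLIB/NIGHTJOBD) OBJTYPE(*JOBD) USER(BATCHSBM) AUT(*USE)

/* 3. Verify, and watch for AF entries of violation type J (job description /    */
/*    user profile authority failure) in the audit journal once at level 40+.    */
DSPOBJAUT OBJ(APPLIB/NIGHTJOBD) OBJTYPE(*JOBD)
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(AF) OUTPUT(*PRINT)
```

The QSYS and QTCP cases from the slide are the ones to take first: a JOBD that names QSYS with *PUBLIC *USE is a route to an *ALLOBJ profile for every user on a level 30 system.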

Network System Values

QPASTHRSVR
  Description:  Available display station pass-through server jobs
  Ship value:   *CALC
  Target value: The number needed
  Explanation:  Not needed for Telnet; set to 0 if pass-through is not used

QRMTIPL
  Description:  Allow remote IPLs
  Ship value:   0
  Target value: 0
  Explanation:  Do not allow

QRMTSIGN
  Description:  Remote sign-on control
  Ship value:   *FRCSIGNON
  Target value: *VERIFY
  Explanation:  Verify user and password. *VERIFY lets a valid user ID and password bypass the sign-on display; *FRCSIGNON (the shipped value) always presents it

Secure older network interfaces

System/36 file transfer program QY2FTML:
- Ships with *PUBLIC *USE
- Can be used to transfer data bi-directionally

Network Attribute Values

DDMACC
  Description:  DDM access program
  Ship value:   *OBJAUT
  Target value: *REJECT, or an exit program
  Explanation:  Reject DDM requests, or use an exit program to control them

JOBACN
  Description:  Job action for SNA input stream
  Ship value:   *FILE
  Target value: *REJECT, or *SEARCH
  Explanation:  Reject network jobs, or run only those in the search list (WRKNETJOBE)

PCSACC
  Description:  PCS access program
  Ship value:   *OBJAUT
  Target value: *REJECT, or *REGFAC
  Explanation:  Reject PC Support requests, or use the registered exit programs

Object Security System Values

QCRTAUT
  Description:  Default public authority for newly created objects in QSYS.LIB
  Ship value:   *CHANGE
  Recommended:  *EXCLUDE
  Explanation:  Control this at the library level (CRTAUT on each library)

QSYSLIBL
  Description:  Default system library list
  Ship value:   QSYS, QSYS2, QHLPSYS, QUSRSYS
  Recommended:  All libraries in it should be *PUBLIC *USE
  Explanation:  Do not allow users to add objects to libraries in QSYSLIBL

QUSEADPAUT
  Description:  List of users who can create or change programs to accept adopted authority
  Ship value:   *NONE (no restriction)
  Recommended:  A named authorization list
  Explanation:  Limit who can create these programs

System Library Authority

On one V5R4 system I counted 77 IBM libraries:
- 66 libraries were set to *PUBLIC *USE
- 4 libraries were set to *PUBLIC *CHANGE
- 7 libraries were set to *PUBLIC *EXCLUDE
The 11 not at *USE: QGPL, QQFTEMP, Q SCnnnnnnn (APAR libraries), QSERVICE, QDIRSRV2, QGPLTEMP, QHTTP, QSPL, QSRVAGT, QUSRDIRDB, QUSRTEMP

*PUBLIC Authority to new Objects

On one V5R4 system I counted 77 IBM libraries:
- 42 libraries were set to CRTAUT(*CHANGE)
- 30 libraries were set to CRTAUT(*SYSVAL)
- 2 libraries were set to CRTAUT(*USE)
- 2 libraries were set to CRTAUT(*EXCLUDE)
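A way to reproduce the library counts on your own system and then apply the library-level controls from the Object Security table, added here as an example and not taken from the slides. It covers both the Object Security values (QCRTAUT, QSYSLIBL, QUSEADPAUT) and the two library surveys above. The CL program treats CRTAUT(*SYSVAL) as whatever QCRTAUT currently is, which is what makes the 30 *SYSVAL libraries matter while QCRTAUT is still *CHANGE. APPLIB, APPOWNER and the authorization list name QUSEADPAUT are assumptions.

```cl
/* Added example (not from the slides) for the Object Security table and the    */
/* library counts above: report every library whose CRTAUT gives new objects    */
/* *CHANGE or *ALL public authority (directly, or via *SYSVAL while QCRTAUT is   */
/* *CHANGE), then apply the library-level controls. APPLIB, APPOWNER and the    */
/* authorization list name QUSEADPAUT are assumptions.                           */
PGM
   DCLF FILE(QADSPOBJ)                    /* record format of the DSPOBJD outfile */
   DCL  VAR(&QCRTAUT) TYPE(*CHAR) LEN(10)
   DCL  VAR(&CRTAUT)  TYPE(*CHAR) LEN(10)
   DCL  VAR(&EFF)     TYPE(*CHAR) LEN(10)  /* effective value after *SYSVAL lookup */

   RTVSYSVAL SYSVAL(QCRTAUT) RTNVAR(&QCRTAUT)

   /* Every library is itself an object in QSYS, so this lists all of them.      */
   DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*LIB) OUTPUT(*OUTFILE) OUTFILE(QTEMP/LIBLIST)
   OVRDBF  FILE(QADSPOBJ) TOFILE(QTEMP/LIBLIST)

NEXT:
   RCVF
   MONMSG MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE))      /* end of file            */
   RTVLIBD LIB(&ODOBNM) CRTAUT(&CRTAUT)
   MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(NEXT))      /* e.g. not authorized    */
   CHGVAR VAR(&EFF) VALUE(&CRTAUT)
   IF COND(&CRTAUT *EQ '*SYSVAL') THEN(CHGVAR VAR(&EFF) VALUE(&QCRTAUT))
   IF COND(&EFF *EQ '*CHANGE' *OR &EFF *EQ '*ALL') THEN( +
      SNDPGMMSG MSG('Library' *BCAT &ODOBNM *BCAT 'creates objects at' *BCAT +
                    &EFF *BCAT '(CRTAUT' *BCAT &CRTAUT *TCAT ')'))
   GOTO CMDLBL(NEXT)
DONE:
   DLTOVR FILE(QADSPOBJ)
   /* Public authority to the libraries themselves comes from one report.        */
   PRTPUBAUT OBJTYPE(*LIB) LIB(QSYS)
ENDPGM

/* Run from the command line after reviewing the report:                         */
CHGSYSVAL SYSVAL(QCRTAUT) VALUE(*EXCLUDE)
/* QSYS must not inherit *EXCLUDE: device descriptions created in QSYS by         */
/* automatic configuration would get *PUBLIC *EXCLUDE and users could not         */
/* sign on at them. Give QSYS an explicit CRTAUT.                                 */
CHGLIB LIB(QSYS) CRTAUT(*CHANGE)
/* Application libraries: *USE to the library, nothing new is public by default.  */
CHGLIB    LIB(APPLIB) CRTAUT(*EXCLUDE)
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*USE)
/* QUSEADPAUT: only members of this list may create or change programs that      */
/* run with USEADPAUT(*YES), i.e. that use authority adopted by their callers.   */
CRTAUTL  AUTL(QUSEADPAUT) AUT(*EXCLUDE) TEXT('May create programs that use adopted authority')
ADDAUTLE AUTL(QUSEADPAUT) USER(APPOWNER) AUT(*USE)
CHGSYSVAL SYSVAL(QUSEADPAUT) VALUE(QUSEADPAUT)
```

Compile the program with CRTCLPGM; QADSPOBJ in QSYS supplies the record format (fields ODOBNM and ODLBNM) at compile time and the OVRDBF points it at the outfile at run time.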

Protect the Root!

Other directories with *PUBLIC = *RWX

These directories should likely be at *X or *RX too: /home /linux /wsphere /www /QDLS /QFileSvr.400 /QOpenSys

Use caution and test!
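The directory changes as commands, added here as an example and not taken from the slides. QTMHHTTP is the HTTP server's profile; the path /www/myinst/logs is a placeholder for a directory something actually writes to, which is the case the "use caution and test" warning is about.

```cl
/* Added example (not from the slides): take root and the directories above from */
/* *PUBLIC *RWX to *RX. QTMHHTTP is the HTTP server profile; /www/myinst/logs is */
/* a placeholder path.                                                           */

/* 1. See what is there first: DSPAUT shows data and object authority per user.  */
DSPAUT OBJ('/')
DSPAUT OBJ('/home')

/* 2. Root and the top-level directories: traverse and read, but create nothing. */
/*    OBJAUT(*NONE) takes away whatever object authorities *PUBLIC holds. No      */
/*    SUBTREE(*ALL) here: it would rewrite every object below, including the     */
/*    ones applications write to.                                                */
CHGAUT OBJ('/')         USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)
CHGAUT OBJ('/home')     USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)
CHGAUT OBJ('/www')      USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)
CHGAUT OBJ('/QOpenSys') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)

/* 3. Anything that must write under these paths now needs an explicit grant to  */
/*    the profile it runs as; this is where "use caution and test" bites.        */
CHGAUT OBJ('/www/myinst/logs') USER(QTMHHTTP) DTAAUT(*RWX) OBJAUT(*NONE)

/* 4. Check the result the same way you looked before.                           */
DSPAUT OBJ('/')
DSPAUT OBJ('/www/myinst/logs')
```

Two of the listed paths do not follow this pattern: /QDLS holds document library objects whose authority is managed with the DLO commands (CHGDLOAUT, EDTDLOAUT), and authority under /QFileSvr.400 is decided by the remote system the path points at.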

Turn off Servers you are not using

What starts with a STRTCPSVR command:
  *ASFTOMCAT  Apache Tomcat Server
  *BOOTP      Bootstrap Protocol
  *CIMOM      Common Information Model Object Manager
  *DBG        Debug Server
  *DDM        DDM Server
  *DHCP       Dynamic Host Configuration Protocol
  *DIRSRV     LDAP
  *DLFM       DataLink File Manager
  *DNS        Domain Name Server
  *DOMINO     Domino
  *EDRSQL     Extended Dynamic Remote SQL
  *FTP        File Transfer Protocol
  *HOD        Host On-Demand
  *HTTP       HTTP Server
  *INETD      Internet Daemon
  *LPD        Line Printer Daemon
  *MGTC       Management Central
  *NETSVR     NetServer
  *NSLD       Network Station Login Daemon
  *NTP        Simple Network Time Protocol
  *ODPA       On Demand Platform Authentication
  *ONDMD      On Demand Server
  *POP        Post Office Protocol
  *QOS        Quality of Service Server
  *REXEC      Remote Execution Server
  *ROUTED     Router Daemon
  *SMTP       Simple Mail Transfer Protocol
  *SNMP       Simple Network Management Protocol
  *TCM        Trigger Cache Manager
  *TELNET     Telnet
  *TFTP       Trivial FTP
  *VPN        Virtual Private Networking
  *WEBFACING  WebFacing Server
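Stopping servers for good, added here as an example and not taken from the slides. ENDTCPSVR on its own only lasts until the next STRTCP or IPL; the autostart attribute of each server is what keeps it down. The set of servers below is illustrative, not a recommendation for every system.

```cl
/* Added example (not from the slides): stop servers that are not in use and    */
/* keep them from starting again. The list is illustrative; decide per system.  */

/* 1. Who is listening now (connection status; look for the *LISTEN entries).   */
NETSTAT OPTION(*CNN)

/* 2. ENDTCPSVR stops a server only until the next STRTCP or IPL ...            */
ENDTCPSVR SERVER(*TFTP)
ENDTCPSVR SERVER(*BOOTP)
ENDTCPSVR SERVER(*LPD)
ENDTCPSVR SERVER(*REXEC)
ENDTCPSVR SERVER(*SNMP)
ENDTCPSVR SERVER(*POP)
ENDTCPSVR SERVER(*SMTP)
ENDTCPSVR SERVER(*DDM)

/* 3. ... so also switch off AUTOSTART in each server's attributes.             */
CHGTFTPA   AUTOSTART(*NO)
CHGBPA     AUTOSTART(*NO)      /* BOOTP                                   */
CHGLPDA    AUTOSTART(*NO)
CHGRXCA    AUTOSTART(*NO)      /* REXEC                                   */
CHGSNMPA   AUTOSTART(*NO)
CHGPOPA    AUTOSTART(*NO)
CHGSMTPA   AUTOSTART(*NO)
CHGDDMTCPA AUTOSTART(*NO)      /* DDM/DRDA over TCP (port 446)            */

/* 4. Servers you keep (FTP, Telnet, DDM ...) still deserve their exit points.  */
/*    Then a second look to confirm the ports are gone.                         */
NETSTAT OPTION(*CNN)
```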

Solving the Problem: Implement Network Exit Programs

Network exit programs can record and control iSeries access through the network interfaces:
- IBM supplies exit points in each network server
- Controlling network access requests
- Network request access logging
- Can be configured to realize an increase or decrease in object authorities
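One worked exit program, added here as an example and not taken from the slides, serving both the "Secure older network interfaces" slide and this one: it sets the network attributes, removes public use of QY2FTML, and registers an exit at the FTP server request exit point QIBM_QTMF_SERVER_REQ (format VLRQ0100). The program refuses the RCMD operation outright and allows uploads only from an internal address range. SECLIB, the program name FTPREQEXIT, QSYS as the library holding QY2FTML and the 10. address range are assumptions; the parameter list and operation numbers are those of format VLRQ0100.

```cl
/* Added example (not from the slides) for "Secure older network interfaces" and  */
/* "Implement Network Exit Programs": set the network attributes, remove public   */
/* use of QY2FTML, and register an FTP server request exit. SECLIB, FTPREQEXIT,   */
/* QSYS as the library of QY2FTML and the 10. internal address range are          */
/* assumptions; operation numbers follow exit format VLRQ0100.                    */

/* 1. Network attributes. DDMACC takes *REJECT, *OBJAUT or a DDM exit program    */
/*    name; PCSACC(*REGFAC) hands PC Support requests to the registered exits.    */
CHGNETA DDMACC(*REJECT) PCSACC(*REGFAC) JOBACN(*REJECT)
DSPNETA

/* 2. The S/36-style transfer program: find it, then take *PUBLIC away.           */
DSPOBJD   OBJ(*ALL/QY2FTML) OBJTYPE(*PGM)
GRTOBJAUT OBJ(QSYS/QY2FTML) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)

/* 3. FTPREQEXIT: called by the FTP server for every request. Default is allow;   */
/*    RCMD is always refused; uploads only from the internal network. Rejections  */
/*    are reported to QSYSOPR.                                                    */
PGM PARM(&APPID &OPID &USER &RMTADDR &RMTLEN &OPINFO &OPLEN &ALLOW)
   DCL VAR(&APPID)   TYPE(*CHAR) LEN(4)     /* binary: calling application      */
   DCL VAR(&OPID)    TYPE(*CHAR) LEN(4)     /* binary: operation requested      */
   DCL VAR(&USER)    TYPE(*CHAR) LEN(10)    /* signed-on profile                */
   DCL VAR(&RMTADDR) TYPE(*CHAR) LEN(15)    /* client address, dotted decimal   */
   DCL VAR(&RMTLEN)  TYPE(*CHAR) LEN(4)     /* binary: bytes used in &RMTADDR   */
   DCL VAR(&OPINFO)  TYPE(*CHAR) LEN(256)   /* path, file or CL command text    */
   DCL VAR(&OPLEN)   TYPE(*CHAR) LEN(4)     /* binary: bytes used in &OPINFO    */
   DCL VAR(&ALLOW)   TYPE(*CHAR) LEN(4)     /* binary, output: 0=reject 1=allow */
   DCL VAR(&OP)      TYPE(*DEC)  LEN(5 0)
   DCL VAR(&ALEN)    TYPE(*DEC)  LEN(5 0)
   DCL VAR(&ILEN)    TYPE(*DEC)  LEN(5 0)
   DCL VAR(&ADDR)    TYPE(*CHAR) LEN(15)
   DCL VAR(&INFO)    TYPE(*CHAR) LEN(256)
   DCL VAR(&MSG)     TYPE(*CHAR) LEN(400)

   CHGVAR VAR(&OP)   VALUE(%BIN(&OPID))
   CHGVAR VAR(&ALEN) VALUE(%BIN(&RMTLEN))
   CHGVAR VAR(&ILEN) VALUE(%BIN(&OPLEN))
   CHGVAR VAR(%BIN(&ALLOW)) VALUE(1)        /* default: object authority decides */

   /* Copy only the bytes the server says are valid; an address longer than 15   */
   /* (IPv6) leaves &ADDR blank and therefore fails the internal-network test.   */
   IF COND(&ALEN *GT 0 *AND &ALEN *LE 15) +
      THEN(CHGVAR VAR(&ADDR) VALUE(%SST(&RMTADDR 1 &ALEN)))
   IF COND(&ILEN *GT 0 *AND &ILEN *LE 256) +
      THEN(CHGVAR VAR(&INFO) VALUE(%SST(&OPINFO 1 &ILEN)))

   /* Operation 9: execute a CL command (RCMD). Never from the network.          */
   IF COND(&OP *EQ 9) THEN(DO)
      CHGVAR VAR(%BIN(&ALLOW)) VALUE(0)
      CHGVAR VAR(&MSG) VALUE('FTP RCMD refused:' *BCAT &USER *BCAT 'from' +
                             *BCAT &ADDR *BCAT 'tried' *BCAT &INFO)
      SNDMSG MSG(&MSG) TOMSGQ(QSYSOPR)
   ENDDO

   /* Operation 7: client stores a file on this system. Internal clients only.   */
   IF COND(&OP *EQ 7 *AND %SST(&ADDR 1 3) *NE '10.') THEN(DO)
      CHGVAR VAR(%BIN(&ALLOW)) VALUE(0)
      CHGVAR VAR(&MSG) VALUE('FTP upload refused:' *BCAT &USER *BCAT 'from' +
                             *BCAT &ADDR *BCAT 'to' *BCAT &INFO)
      SNDMSG MSG(&MSG) TOMSGQ(QSYSOPR)
   ENDDO
ENDPGM

/* 4. Compile, register, restart FTP so the server picks the exit up. Callers    */
/*    run it under their own profile, so it needs *PUBLIC *USE; protect the      */
/*    source member and the program object from change.                           */
CRTCLPGM   PGM(SECLIB/FTPREQEXIT) SRCFILE(SECLIB/QCLSRC)
ADDEXITPGM EXITPNT(QIBM_QTMF_SERVER_REQ) FORMAT(VLRQ0100) PGMNBR(1) +
           PGM(SECLIB/FTPREQEXIT) TEXT('FTP server request exit')
ENDTCPSVR  SERVER(*FTP)
STRTCPSVR  SERVER(*FTP)
```

The same shape (read the request, decide, set the return indicator, log the refusals) applies to the other server exit points; what changes is the parameter format each exit point documents.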

Fix the Sign-on Screen CPF Messages

Change the sign-on screen CPF messages so that they do not give clues:
  CPF1107  Password not correct for user profile.
  CPF1109  Not authorized to subsystem.
  CPF1110  Not authorized to workstation.
  CPF1116  Next invalid sign-on attempt disables device.
  CPF1118  No password associated with user &1.
  CPF1120  User &1 does not exist.
  CPF1133  Value &1 is not a valid name.
  CPF1392  Next invalid sign-on attempt disables user profile.
  CPF1392  User profile &1 cannot sign on.

Change the messages to "Logon refused". Keep a log of the old meanings.
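The message changes as commands, added here as an example and not taken from the slides. The original wording is printed first so the "log of the old meanings" exists before anything is overwritten, and the failure reason stays available through the PW entries in the audit journal. QCPFMSG is replaced at a release upgrade, so these changes have to be reapplied afterwards.

```cl
/* Added example (not from the slides): record and replace the sign-on failure   */
/* message texts. Only the first-level text changes; the message IDs stay, so    */
/* the audit journal (PW entries) and your mapping still tell you the cause.     */

/* 1. Keep the original wording (both text levels) before changing anything.     */
DSPMSGD RANGE(CPF1107 CPF1133) MSGF(QSYS/QCPFMSG) DETAIL(*FULL) OUTPUT(*PRINT)
DSPMSGD RANGE(CPF1392 CPF1392) MSGF(QSYS/QCPFMSG) DETAIL(*FULL) OUTPUT(*PRINT)

/* 2. The same neutral text for every case on the slide.                         */
CHGMSGD MSGID(CPF1107) MSGF(QSYS/QCPFMSG) MSG('Logon refused')  /* password not correct       */
CHGMSGD MSGID(CPF1109) MSGF(QSYS/QCPFMSG) MSG('Logon refused')  /* not authorized to subsystem */
CHGMSGD MSGID(CPF1110) MSGF(QSYS/QCPFMSG) MSG('Logon refused')  /* not authorized to device    */
CHGMSGD MSGID(CPF1116) MSGF(QSYS/QCPFMSG) MSG('Logon refused')  /* next attempt disables device */
CHGMSGD MSGID(CPF1118) MSGF(QSYS/QCPFMSG) MSG('Logon refused')  /* no password for user        */
CHGMSGD MSGID(CPF1120) MSGF(QSYS/QCPFMSG) MSG('Logon refused')  /* user does not exist         */
CHGMSGD MSGID(CPF1133) MSGF(QSYS/QCPFMSG) MSG('Logon refused')  /* value is not a valid name   */
CHGMSGD MSGID(CPF1392) MSGF(QSYS/QCPFMSG) MSG('Logon refused')  /* next attempt disables profile */

/* 3. Where the real reason now lives: password failures in the audit journal.   */
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(PW) OUTPUT(*PRINT)
```

Review the second-level text of each message as well (it is in the DSPMSGD DETAIL(*FULL) output); the sign-on display shows the first level, but the help text behind it is what an attacker would read next.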

Questions?

John Earl, Chief Technology Officer, The PowerTech Group
www.powertech.com
john.earl@powertech.com