Copyright 2008 The PowerTech Group, Inc.
Hardening i5/OS
iNSIGHT 2008 - System i Security and Compliance Conference
John Earl, Chief Technology Officer
Copyright 2006–2008 John Earl, iNSIGHT 2008
• Why Bother?
  » i5/OS is already secure.
  » Hackers don't know anything about i5/OS.
  » Nobody has ever hacked our system.
  » We have good people working for us.
  » Our auditors never have a problem with it.
Hardening i5/OS
• Some of the default settings on i5/OS are not good enough for industrial-strength security
  » Original i5/OS settings had to accommodate early S/36 and S/38 application designs
  » IBM assumed that you would strengthen past the default settings
  » Awareness of i5/OS in the hacking community was fairly low, but…
Auditing System Values
(Each row gives: System Value (Description). Ship value. Target value. Explanation.)
• QAUDCTL (Control for object and user action auditing). Ship value: *NONE. Target value: *AUDLVL, *OBJAUD, *NOQTEMP. Explanation: Use QAUDLVL and object auditing.
• QAUDLVL (Security auditing level). Ship value: *NONE. Target value: *AUTFAIL *CREATE *DELETE *OBJMGT *PGMFAIL *SAVRST *SYSMGT *SECURITY *SERVICE *AUDLVL2. Explanation: Audit these system values; use the extension.
• QAUDLVL2 (Auditing level extension). Ship value: *NONE. Target value: *NETBAS *NETFAIL. Explanation: Audit these system values.
• QCRTOBJAUD (Audit value for new objects). Ship value: *NONE. Target value: *USRPRF. Explanation: Allow auditing by user (at least).
Password System Values
(Each row gives: System Value (Description). Ship value. Target value. Explanation.)
• QPWDMINLEN (Minimum password length). Ship value: 6. Target value: 8. Explanation: 10 bytes.
• QPWDMAXLEN (Maximum password length). Ship value: 8. Target value: 128. Explanation: 128 bytes.
• QPWDLVL (Password level). Ship value: 0. Target value: 3. Explanation: 128-byte passwords, no Windows 98 support.
• QPWDLMTREP (Restrict repeating characters). Ship value: 0. Target value: 2. Explanation: Not repeated consecutively.
• QPWDLMTCHR (Restricted characters). Ship value: *NONE. Target value: AEIOU. Explanation: Vowels not allowed.
• QPWDLMTAJC (Restrict consecutive digits). Ship value: 0. Target value: 1. Explanation: Adjacent digits not allowed.
• QPWDEXPITV (Password expiration in days). Ship value: *NOMAX. Target value: 90 or less. Explanation: Must change every 90 days.
Password System Values (continued)
• QPWDVLDPGM (Password validation program). Ship value: *NONE. Target value: *REGFAC. Explanation: Name a regulating program.
• QPWDRQDDIF (Password reuse cycle). Ship value: 0. Target value: 5. Explanation: Must be unique in the last 10.
• QPWDRQDDGT (Require at least one digit). Ship value: 0. Target value: 1. Explanation: Require a digit.
• QPWDPOSDIF (Limit password character positions). Ship value: 0. Target value: 1. Explanation: Same character can be in same position.
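The filter below is an added example, not code from the presentation or from PowerTech: it applies the target values of the two Password System Value tables to candidate passwords so that the effect of each setting can be seen; which rule each value maps to is the example's own reading of the tables. It treats passwords as case-sensitive (as at password level 3) and checks the restricted characters case-insensitively, both assumptions. IBM documents QPWDLMTCHR as not enforced at password levels 2 and 3, so at the target QPWDLVL 3 that vowel rule would have to be carried by the validation program (QPWDVLDPGM) instead.

```python
# Added example: a password filter enforcing the target values from the
# Password System Value tables. Value-to-rule mapping is the example's own.
REUSE_HISTORY = {1: 32, 2: 24, 3: 18, 4: 12, 5: 10, 6: 8, 7: 6, 8: 4}  # QPWDRQDDIF code -> passwords remembered

TARGET = {
    "QPWDMINLEN": 8,        # minimum length
    "QPWDMAXLEN": 128,      # maximum length (128 needs QPWDLVL 3)
    "QPWDLMTREP": 2,        # 1: no character twice at all, 2: not twice in a row
    "QPWDLMTCHR": "AEIOU",  # characters that may never appear (checked case-insensitively)
    "QPWDLMTAJC": 1,        # 1: two digits may not be adjacent
    "QPWDRQDDGT": 1,        # 1: at least one digit required
    "QPWDPOSDIF": 1,        # 1: no character in the same position as the last password
    "QPWDRQDDIF": 5,        # 5: must differ from the previous 10 passwords
}


def check_password(candidate, history):
    """Return the list of system values the candidate violates (empty = accepted).
    `history` holds the user's earlier passwords, newest first (constructed input)."""
    pairs = list(zip(candidate, candidate[1:]))
    failed = []
    if len(candidate) < TARGET["QPWDMINLEN"]:
        failed.append("QPWDMINLEN")
    if len(candidate) > TARGET["QPWDMAXLEN"]:
        failed.append("QPWDMAXLEN")
    repeated = (len(set(candidate)) < len(candidate) if TARGET["QPWDLMTREP"] == 1
                else any(a == b for a, b in pairs))
    if TARGET["QPWDLMTREP"] and repeated:
        failed.append("QPWDLMTREP")
    if any(c.upper() in TARGET["QPWDLMTCHR"] for c in candidate):
        failed.append("QPWDLMTCHR")
    if TARGET["QPWDLMTAJC"] and any(a.isdigit() and b.isdigit() for a, b in pairs):
        failed.append("QPWDLMTAJC")
    if TARGET["QPWDRQDDGT"] and not any(c.isdigit() for c in candidate):
        failed.append("QPWDRQDDGT")
    if TARGET["QPWDPOSDIF"] and history and any(a == b for a, b in zip(candidate, history[0])):
        failed.append("QPWDPOSDIF")
    if candidate in history[:REUSE_HISTORY[TARGET["QPWDRQDDIF"]]]:
        failed.append("QPWDRQDDIF")
    return failed
```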
Workstation Control System Values
(Each row gives: System Value (Description). Ship value. Target value. Explanation.)
• QDEVRCYACN (Action for failed device). Ship value: *ENDJOB. Target value: *DSCJOB. Explanation: Disconnect job.
• QINACTMSGQ (Inactive interactive job action or message queue name). Ship value: *NONE. Target value: *DSCJOB. Explanation: Disconnect job at timeout.
• QDSCJOBITV (Time-out interval for disconnected jobs, in minutes). Ship value: 240. Target value: 75. Explanation: Disconnect a dormant job in 75 minutes.
• QINACTITV (Time-out interval for inactive jobs). Ship value: *NONE. Target value: 15. Explanation: Time out after 15 minutes.
• QDSPSGNINF (Display signon information). Ship value: 0. Target value: 1. Explanation: Show signon information.
• QAUTORMT (Automatic configuration for remote controllers). Ship value: 1. Target value: 0. Explanation: Auto config turned off.
• QAUTOCFG (Automatic device configuration). Ship value: 1. Target value: 0. Explanation: Auto config turned off.
Integrity System Values
(Each row gives: System Value (Description). Ship value. Target value. Explanation.)
• QVFYOBJRST (Verify object signatures during restore). Ship value: 3. Target value: 5 (or 3). Explanation: User state objects must be signed (3 will restore unsigned objects).
• QFRCCVNRST (Convert objects during restore). Ship value: 1. Target value: 7. Explanation: Convert all objects (sometimes 5).
• QALWOBJRST (Allow restore of security sensitive objects). Ship value: *ALL. Target value: *NONE. Explanation: Sometimes *ALWPTF, *ALWPGMADP.
• QSECURITY (Security level). Ship value: 40. Target value: 40 or 50. Explanation: Enforce OS integrity.
• QALWUSRDMN (Allow user domain objects in libraries). Ship value: *ALL. Target value: QTEMP and/or any other library for this purpose. Explanation: Where can USRIDX, USRSPC be built?
Job Description Tightening
• On V5R4 we found…
  » 67 JOBDs that *PUBLIC has *USE authority to.
  » 12 JOBDs that *PUBLIC has *CHANGE authority to.
  » 20 JOBDs that name a default user and allow *PUBLIC *USE (at least).
    • For 1, the user is QSYS!
  » 4 job descriptions that *PUBLIC has *CHANGE authority to and USER is QTCP.
• Abandon QSECURITY level 30!
Network System Values
(Each row gives: System Value (Description). Shipped value. Target value. Explanation.)
• QRMTIPL (Allow remote IPLs). Shipped value: 0. Target value: 0. Explanation: Do not allow.
• QRMTSIGN (Remote sign-on control). Shipped value: *FRCSIGNON. Target value: *VERIFY. Explanation: Verify user and password.
• QPASTHRSVR (Available display station pass-through server jobs). Shipped value: *CALC. Target value: Needed number. Explanation: Not needed for Telnet; set to 0?
Secure older network interfaces
• System/36 file transfer program QY2FTML
  » Ships with *PUBLIC *USE
  » Can be used to transfer data bi-directionally
• Network Attribute Values (each row gives: Network Value (Description). Ship value. Target value. Explanation.)
  » PCSACC (PCS access program). Ship value: *OBJAUT. Target value: *REJECT, or *REGFAC. Explanation: Use an exit program.
  » JOBACN (Job action for SNA input stream). Ship value: *FILE. Target value: *REJECT, or *SEARCH. Explanation: Search list in WRKNETJOBE.
  » DDMACC (DDM access program library). Ship value: *OBJAUT. Target value: *REJECT, or *REGFAC. Explanation: Use an exit program.
Object Security System Values
(Each row gives: System Value (Description). Ship value. Target value. Explanation.)
• QCRTAUT (Default public authority for newly created objects in QSYS.LIB). Ship value: *CHANGE. Target value: *EXCLUDE recommended. Explanation: Control this at the library level.
• QSYSLIBL (Default system library list). Ship value: QSYS, QSYS2, QHLPSYS, QUSRSYS. Target value: All libraries should be *PUBLIC *USE. Explanation: Do not allow users to add objects to libraries in QSYSLIBL.
• QUSEADPAUT (List of users who can create or change programs to accept adopted authority). Ship value: *NONE. Target value: A named authorization list. Explanation: Limit who can create these programs.
System Library Authority
• On one V5R4 system I counted 77 IBM libraries…
  » 66 libraries were set to *PUBLIC *USE
  » 4 libraries were set to *PUBLIC *CHANGE: QGPL, QQFTEMP, QSCnnnnnnn (APAR libraries), QSERVICE
  » 7 libraries were set to *PUBLIC *EXCLUDE: QDIRSRV2, QGPLTEMP, QHTTP, QSPL, QSRVAGT, QUSRDIRDB, QUSRTEMP
*PUBLIC Authority to new Objects
• On one V5R4 system I counted 77 IBM libraries…
  » 42 libraries were set to CRTAUT(*CHANGE)
  » 30 libraries were set to CRTAUT(*SYSVAL)
  » 2 libraries were set to CRTAUT(*USE)
  » 2 libraries were set to CRTAUT(*EXCLUDE)
Protect the Root!
Other Directories with *PUBLIC = *RWX
• These directories should likely be at *X or *RX too:
  » /home
  » /linux
  » /wsphere
  » /www
  » /QDLS
  » /QFileSvr.400
  » /QOpenSys
• Use caution – and test!
Turn off Servers you are not using
What starts with a STRTCPSVR command:
• *ASFTOMCAT Apache Tomcat Server
• *BOOTP Bootstrap Protocol
• *CIMOM Common Information Model Object Manager
• *DBG Debug Server
• *DDM DDM Server
• *DHCP Dynamic Host Configuration Protocol
• *DIRSRV LDAP
• *DLFM DataLink File Manager
• *DNS Domain Name Server
• *DOMINO Domino
• *EDRSQL Extended Dynamic Remote SQL
• *FTP File Transfer Protocol
• *HOD Host on Demand
• *HTTP HTTP Server
Turn off Servers you are not using (continued)
What else starts with a STRTCPSVR command:
• *INETD Internet Daemon
• *LPD Line Printer Daemon
• *MGTC Management Central
• *NETSVR Net Server
• *NSLD Network Station Login Daemon
• *NTP Simple Network Time Protocol
• *ODPA On Demand Platform Authentication
• *ONDMD On Demand Server
• *POP Post Office Protocol
• *QOS Quality of Service Server
• *REXEC Remote Execution Servers
• *ROUTED Router Daemon
• *SMTP Simple Mail Transfer Protocol
• *SNMP Simple Network Management Protocol
Turn off Servers you are not using (continued)
What else starts with a STRTCPSVR command:
• *TCM Trigger Cache Manager
• *TELNET Telnet
• *TFTP Trivial FTP
• *VPN Virtual Private Networking
• *WEBFACING Webfacing Server
Solving the Problem
• Network exit programs can record and control iSeries access through the network interfaces
  » IBM supplies exit points in each network server
    • Controlling network access requests
    • Network request access logging
  » Can be configured to realize an increase or decrease in object authorities
• Implement network exit programs
Fix the Signon Screen CPF Messages
• Change the signon screen CPF messages so they do not give clues:
  » CPF1107 - Password not correct for user profile.
  » CPF1109 - Not authorized to subsystem.
  » CPF1110 - Not authorized to workstation.
  » CPF1116 - Next invalid sign-on attempt disables device.
  » CPF1118 - No password associated with user &1.
  » CPF1120 - User &1 does not exist.
  » CPF1133 - Value &1 is not a valid name.
  » CPF1392 - Next invalid sign-on attempt disables user profile.
  » CPF1392 - User profile &1 cannot sign on.
• Change the messages to: Logon refused
• Keep a log of the old meanings
Questions?
John Earl, Chief Technology Officer, The PowerTech Group
www.powertech.com
john.earl@powertech.com