Hardening Your i5OS Security

Page 1

Hardening i5/OS

iNSIGHT 2008 - System i Security and Compliance Conference

John Earl, Chief Technology Officer, The PowerTech Group
john.earl@powertech.com
206-669-3336

Copyright 2008 The PowerTech Group, Inc.

Page 2

Copyright 2006–2008 John Earl, iNSIGHT 2008

Hardening i5/OS

• Why Bother?
  » i5/OS is already secure.
  » Hackers don’t know anything about i5/OS.
  » Nobody has ever hacked our system.
  » We have good people working for us.
  » Our auditors never have a problem with it.

Page 3

Hardening i5/OS

• Some of the default settings on i5/OS are not good enough for industrial-strength security
  » Original i5/OS settings had to accommodate early S/36 and S/38 application designs
  » IBM assumed that you would strengthen past the default settings.
  » Awareness of i5/OS in the hacking community was fairly low, but…

Page 4

Auditing System Values

System Value | Description | Ship Value | Explanation | Target Value
QAUDCTL | Control for object and user action auditing | *NONE | Use QAUDLVL and object auditing | *AUDLVL *OBJAUD *NOQTEMP
QAUDLVL | Security auditing level | *NONE | Audit these system values; use extension | *AUTFAIL *CREATE *DELETE *OBJMGT *PGMFAIL *SAVRST *SYSMGT *SECURITY *SERVICE *AUDLVL2
QAUDLVL2 | Auditing level extension | *NONE | Audit these system values | *NETBAS *NETFAIL
QCRTOBJAUD | Audit value for new objects | *NONE | Allow auditing by user (at least) | *USRPRF

Page 5

Password System Values

System Value | Description | Ship Value | Explanation | Target Value
QPWDMINLEN | Minimum password length | 6 | 10 bytes | 8
QPWDMAXLEN | Maximum password length | 8 | 128 bytes | 128
QPWDLVL | Password level | 0 | 128-byte passwords, no Windows 98 support | 3
QPWDLMTREP | Restrict repeating characters | 0 | Not repeated consecutively | 2
QPWDLMTCHR | Restricted characters | *NONE | Vowels not allowed | AEIOU
QPWDLMTAJC | Restrict consecutive digits | 0 | Adjacent digits not allowed | 1
QPWDEXPITV | Password expiration in days | *NOMAX | Must change every 90 days | 90 or less

Page 6

Password System Values

System Value | Description | Ship Value | Explanation | Target Value
QPWDVLDPGM | Password validation program | *NONE | Name a regulating program | *REGFAC
QPWDRQDDIF | Password reuse cycle | 0 | Must be unique in the last 10 | 5
QPWDRQDDGT | Require at least one digit | 0 | Require a digit | 1
QPWDPOSDIF | Limit password character positions | 0 | Same character cannot be in the same position | 1
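The two password slides above describe a composition policy; the following added example (not part of the deck or of PowerTech's tooling) applies those target QPWD* values to a candidate password the way the operating system would, so a validation program or help-desk tool can be tested offline. The sample passwords and the password history are constructed for the demo; the history-depth mapping for QPWDRQDDIF (value 5 = last 10 passwords) is the documented i5/OS encoding.

```python
"""Candidate-password check against the target QPWD* values listed in the deck."""
import re

# Target values from the two Password System Values slides.
POLICY = {
    "QPWDMINLEN": 8,
    "QPWDMAXLEN": 128,
    "QPWDLMTREP": 2,        # 1 = no repeated chars at all, 2 = none consecutively
    "QPWDLMTCHR": "AEIOU",  # vowels not allowed (i5/OS ignores this at QPWDLVL 2/3)
    "QPWDLMTAJC": 1,        # adjacent digits not allowed
    "QPWDRQDDGT": 1,        # at least one digit required
    "QPWDPOSDIF": 1,        # a char may not stay in the same position as last time
    "QPWDRQDDIF": 5,        # i5/OS encoding: 5 means "differ from the last 10"
}
# QPWDRQDDIF value -> how many previous passwords must differ (0 = no check).
HISTORY_DEPTH = {1: 32, 2: 24, 3: 18, 4: 12, 5: 10, 6: 8, 7: 6, 8: 4}


def check_password(new, history, policy=POLICY):
    """Return the system values the candidate violates, in check order.
    history[0] is the most recent previous password (constructed plaintext,
    for the demo only; a real system stores only hashes)."""
    violations = []
    if len(new) < policy["QPWDMINLEN"]:
        violations.append("QPWDMINLEN")
    if len(new) > policy["QPWDMAXLEN"]:
        violations.append("QPWDMAXLEN")
    rep = policy["QPWDLMTREP"]
    if (rep == 1 and len(set(new)) != len(new)) or \
       (rep == 2 and any(a == b for a, b in zip(new, new[1:]))):
        violations.append("QPWDLMTREP")
    if policy["QPWDLMTCHR"] != "*NONE" and set(new.upper()) & set(policy["QPWDLMTCHR"]):
        violations.append("QPWDLMTCHR")
    if policy["QPWDLMTAJC"] == 1 and re.search(r"\d\d", new):
        violations.append("QPWDLMTAJC")
    if policy["QPWDRQDDGT"] == 1 and not re.search(r"\d", new):
        violations.append("QPWDRQDDGT")
    depth = HISTORY_DEPTH.get(policy["QPWDRQDDIF"], 0)
    if depth and new in history[:depth]:
        violations.append("QPWDRQDDIF")
    if policy["QPWDPOSDIF"] == 1 and history and \
       any(a == b for a, b in zip(new, history[0])):
        violations.append("QPWDPOSDIF")
    return violations


if __name__ == "__main__":
    print(check_password("Hello123", []))          # constructed weak candidate
    print(check_password("Xr8pq-m4w", ["Tr7py-k9s"]))  # constructed history
```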

Page 7

Workstation Control System Values

System Value | Description | Ship Value | Explanation | Target Value
QDEVRCYACN | Action for failed device | *ENDJOB | Disconnect job | *DSCJOB
QINACTMSGQ | Inactive interactive job action or message queue name | *NONE | Disconnect job at timeout | *DSCJOB
QDSCJOBITV | Time-out interval for disconnected jobs (in minutes) | 240 | Disconnect a dormant job in 75 minutes | 75
QINACTITV | Time-out interval for inactive jobs | *NONE | Time out after 15 minutes | 15
QDSPSGNINF | Display sign-on information | 0 | Show sign-on information | 1
QAUTORMT | Automatic configuration for remote controllers | 1 | Auto config turned off | 0
QAUTOCFG | Automatic device configuration | 1 | Auto config turned off | 0

Page 8

Integrity System Values

System Value | Description | Ship Value | Explanation | Target Value
QVFYOBJRST | Verify object signatures during restore | 3 | User-state objects must be signed (3 will restore unsigned objects) | 5 (or 3)
QFRCCVNRST | Convert objects during restore | 1 | Convert all objects (sometimes 5) | 7
QALWOBJRST | Allow restore of security-sensitive objects | *ALL | Sometimes *ALWPTF, *ALWPGMADP | *NONE
QSECURITY | Security level | 40 | Enforce OS integrity | 40 or 50
QALWUSRDMN | Allow user domain objects in libraries | *ALL | Where can USRIDX, USRSPC be built? | QTEMP and/or any other library for this purpose

Page 9

Job Description Tightening

• On V5R4 we found…
  » 67 JOBDs that *PUBLIC has *USE authority to.
  » 12 JOBDs that *PUBLIC has *CHANGE authority to.
  » 20 JOBDs that name a default user and allow *PUBLIC *USE (at least).
    • For 1, the user is QSYS!
  » 4 job descriptions that *PUBLIC has *CHANGE authority to and USER is QTCP.
• Abandon QSECURITY level 30!

Page 10

Network System Values

System Value | Description | Shipped Value | Explanation | Target Value
QRMTIPL | Allow remote IPLs | 0 | Do not allow | 0
QRMTSIGN | Remote sign-on control | *FRCSIGNON | Verify user and password | *VERIFY
QPASTHRSVR | Available display station pass-through server jobs | *CALC | Not needed for Telnet – set to 0? | Needed number
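The Auditing, Workstation Control, Integrity and Network tables above each pair a shipped value with a target; the added example below (not from the deck or from PowerTech) turns those targets into a compliance check that reports every system value still short of its target, treating the list-valued auditing values as "must contain all of these" regardless of order. The snapshot it checks is constructed; on a real system you would fill the dictionary from DSPSYSVAL output.

```python
"""Compare a system-value snapshot with the target values recommended in
this deck (added example; snapshot below is constructed, not real DSPSYSVAL output)."""

# A set means "current value must contain all of these entries";
# a tuple means "any one of these values is acceptable".
TARGETS = {
    "QAUDCTL":    {"*AUDLVL", "*OBJAUD", "*NOQTEMP"},
    "QAUDLVL":    {"*AUTFAIL", "*CREATE", "*DELETE", "*OBJMGT", "*PGMFAIL",
                   "*SAVRST", "*SYSMGT", "*SECURITY", "*SERVICE", "*AUDLVL2"},
    "QAUDLVL2":   {"*NETBAS", "*NETFAIL"},
    "QCRTOBJAUD": ("*USRPRF", "*CHANGE", "*ALL"),  # deck says *USRPRF "at least"
    "QINACTITV":  ("15",),
    "QDSCJOBITV": ("75",),
    "QAUTOCFG":   ("0",),
    "QSECURITY":  ("40", "50"),
    "QVFYOBJRST": ("5", "3"),
    "QFRCCVNRST": ("7",),
    "QALWOBJRST": ("*NONE",),
    "QRMTSIGN":   ("*VERIFY",),
}


def audit(snapshot, targets=TARGETS):
    """Return {name: (current, what is expected)} for every value missing
    its target; list values are compared as sets, so entry order is ignored."""
    findings = {}
    for name, target in targets.items():
        current = snapshot.get(name, "<not collected>")
        if isinstance(target, set):
            missing = target - set(current.split())
            if missing:
                findings[name] = (current, "missing " + " ".join(sorted(missing)))
        elif current not in target:
            findings[name] = (current, " or ".join(target))
    return findings


# Constructed snapshot: shipped defaults with a few values already hardened.
SAMPLE = {
    "QAUDCTL": "*AUDLVL *OBJAUD", "QAUDLVL2": "*NONE",
    "QAUDLVL": "*AUTFAIL *CREATE *DELETE *OBJMGT *PGMFAIL *SAVRST "
               "*SYSMGT *SECURITY *SERVICE *AUDLVL2",
    "QCRTOBJAUD": "*USRPRF", "QINACTITV": "*NONE", "QDSCJOBITV": "75",
    "QAUTOCFG": "1", "QSECURITY": "30", "QVFYOBJRST": "3",
    "QFRCCVNRST": "1", "QALWOBJRST": "*ALL", "QRMTSIGN": "*FRCSIGNON",
}

if __name__ == "__main__":
    for name, (current, expected) in audit(SAMPLE).items():
        print(f"{name:<11} current={current!r:<24} expected {expected}")
```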

Page 11

Secure Older Network Interfaces

• System/36 file transfer program QY2FTML
  » Ships with *PUBLIC *USE
  » Can be used to transfer data bi-directionally
• Network attribute values

Network Value | Description | Ship Value | Target Value | Explanation
PCSACC | PCS access program | *OBJAUT | *REJECT, or *REGFAC | Use an exit program
JOBACN | Job action for SNA input stream | *FILE | *REJECT, or *SEARCH | Search list in WRKNETJOBE
DDMACC | DDM access program library | *OBJAUT | *REJECT, or *REGFAC | Use an exit program

Page 12

Object Security System Values

System Value | Description | Ship Value | Explanation | Target Value
QCRTAUT | Default public authority for newly created objects in QSYS.LIB | *CHANGE | Control this at the library level | *EXCLUDE recommended
QSYSLIBL | Default system library list | QSYS, QSYS2, QHLPSYS, QUSRSYS | Do not allow users to add objects to libraries in QSYSLIBL | All libraries should be *PUBLIC *USE
QUSEADPAUT | List of users who can create or change programs to accept adopted authority | *NONE | Limit who can create these programs | A named authorization list

Page 13

System Library Authority

• On one V5R4 system I counted 77 IBM libraries…
• 66 libraries were set to *PUBLIC *USE
• 4 libraries were set to *PUBLIC *CHANGE:
  » QGPL
  » QQFTEMP
  » QSCnnnnnnn (APAR libraries)
  » QSERVICE
• 7 libraries were set to *PUBLIC *EXCLUDE:
  » QDIRSRV2
  » QGPLTEMP
  » QHTTP
  » QSPL
  » QSRVAGT
  » QUSRDIRDB
  » QUSRTEMP

Page 14

*PUBLIC Authority to New Objects

• On one V5R4 system I counted 77 IBM libraries…
• 42 libraries were set to CRTAUT(*CHANGE)
• 30 libraries were set to CRTAUT(*SYSVAL)
• 2 libraries were set to CRTAUT(*USE)
• 2 libraries were set to CRTAUT(*EXCLUDE)

Page 15

Protect the Root!

Page 16

Other Directories with *PUBLIC = *RWX

• These directories should likely be at *X or *RX too:
  » /home
  » /linux
  » /wsphere
  » /www
  » /QDLS
  » /QFileSvr.400
  » /QOpenSys
• Use caution – and test!

Page 17

Turn off Servers You Are Not Using

What starts with a STRTCPSVR command:

• *ASFTOMCAT - Apache Tomcat Server
• *BOOTP - Bootstrap Protocol
• *CIMOM - Common Information Model Object Manager
• *DBG - Debug Server
• *DDM - DDM Server
• *DHCP - Dynamic Host Configuration Protocol
• *DIRSRV - LDAP
• *DLFM - DataLink File Manager
• *DNS - Domain Name Server
• *DOMINO - Domino
• *EDRSQL - Extended Dynamic Remote SQL
• *FTP - File Transfer Protocol
• *HOD - Host on Demand
• *HTTP - HTTP Server

Page 18

Turn off Servers You Are Not Using

What else starts with a STRTCPSVR command:

• *INETD - Internet Daemon
• *LPD - Line Printer Daemon
• *MGTC - Management Central
• *NETSVR - NetServer
• *NSLD - Network Station Login Daemon
• *NTP - Simple Network Time Protocol
• *ODPA - On Demand Platform Authentication
• *ONDMD - On Demand Server
• *POP - Post Office Protocol
• *QOS - Quality of Service Server
• *REXEC - Remote Execution Servers
• *ROUTED - Router Daemon
• *SMTP - Simple Mail Transfer Protocol
• *SNMP - Simple Network Management Protocol

Page 19

Turn off Servers You Are Not Using

What else starts with a STRTCPSVR command:

• *TCM - Trigger Cache Manager
• *TELNET - Telnet
• *TFTP - Trivial FTP
• *VPN - Virtual Private Networking
• *WEBFACING - WebFacing Server

Page 20

Solving the Problem

• Network exit programs can record and control iSeries access through the network interfaces
  » IBM supplies exit points in each network server
    • Controlling network access requests
    • Network request access logging
  » Can be configured to realize an increase or decrease in object authorities

Implement Network Exit Programs

Page 21

Fix the Sign-on Screen CPF Messages

• Change the sign-on screen CPF messages so they do not give clues:
  » CPF1107 - Password not correct for user profile.
  » CPF1109 - Not authorized to subsystem.
  » CPF1110 - Not authorized to workstation.
  » CPF1116 - Next invalid sign-on attempt disables device.
  » CPF1118 - No password associated with user &1.
  » CPF1120 - User &1 does not exist.
  » CPF1133 - Value &1 is not a valid name.
  » CPF1392 - Next invalid sign-on attempt disables user profile.
  » CPF1394 - User profile &1 cannot sign on.
• Change the messages to: Logon refused
• Keep a log of the old meanings

Page 22

Questions?

John Earl
Chief Technology Officer
The PowerTech Group
www.powertech.com
john.earl@powertech.com