Carol Woodbury's i5/OS Security Tip

Managing File Shares
11 OCT 2007
Greetings!
 
A few months ago I wrote about the need to pay attention to how the directories and objects in directories (such as stream files) are secured.  This month I'm expanding on that to discuss file shares, another feature of the IFS that is often overlooked.
 
Below, I discuss "What is a File Share?"  In addition, I describe how SkyView Risk Assessor can help you examine file shares and how SkyView Policy Minder can help you manage them.
 
Sincerely,
 

Carol Woodbury, President

SkyView Partners, Inc. 
Questions?
Before I get started, I want to say that SkyView Partners is committed to delivering security-related products and services that provide our customers with sound advice and that save them time in their quest to achieve a more secure environment.
 
So, if you have a question, please click here to Contact Us.
 
Now, on to your i5/OS Security Tech Tip for October, 2007.
What is a file share?
 

A file share makes the directory it's associated with available from network interfaces. Think of your network as a long hallway.  As you cruise down the hallway, most doors are closed, but a few doors are open (these are the file shares), and if you show the guard your pass and it's valid (this is your i5/OS user profile and password), you're allowed to enter the door off the hallway.  Sometimes only you can open the door and, once opened, there's very little to see.  (This is an example of a file share for a directory that has no subdirectories and contains only objects you or your group is allowed to work with.)  However, on occasion you may enter a door that takes you through a vast labyrinth of rooms and other hallways with wide-open doors for all to walk through.  You may be amazed at the wealth contained in each of the rooms.  (This is an example of a file share that's been assigned to the root ('/') directory.)  Once the root directory is shared, the QSYS.LIB file system is shared.  What does that mean?  It means that, assuming the user has sufficient i5/OS authority, all libraries are available through your network, including the database files in those libraries.  Imagine the "wealth" of information stored in those files!

 

File shares are often used to enable drive mapping.  In the Windows world, shares are often defined to enable drive mapping for file and document sharing.  The same can be implemented in the IFS.  Imagine what is available to you, and to every user on the system, if you map a drive to root and the object authority of all libraries and files is at least *USE.  All database files are now available through a Windows Explorer session.

Using Risk Assessor to Examine File Shares
 

If you have the SkyView Risk Assessor product, the SKYSHARES report lists all of the file shares, the directory each is assigned to and whether each has been defined as read only or read/write.  The QPSECPVT report lists the public authority of root ('/') as well as root's subdirectories, so that you can determine the level of risk the file shares pose to your system.  Risk Assessor also provides advice for controlling who can create and modify file shares.  Finally, Risk Assessor reports whether a Guest profile has been defined, which allows access to the system without an i5/OS profile and password.

Using Policy Minder to Manage File Shares
 

Policy Minder allows you to define which file shares your policy allows on each system.  Initializing the File Share category gathers the shares currently on the system and defines those as your initial policy.  You can analyze that list and determine whether any shares need to be removed from the system.  Then, when you run a compliance check on the File Share category, the category will be out of compliance if new file shares have been created or an existing file share has been removed from the system.  This compliance check automates the process of managing file shares on your system.

 

In addition, you can use the Directory Authority category to automate the process of checking the authorities and ownership of IFS directories and files, ensuring those settings remain in compliance with your organization's policies.
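
The two checks described above (which shares reach QSYS.LIB, and which shares differ from a baseline) can be sketched as follows. This is an added example, not SkyView code or output; the share list, public authorities and function names are constructed for illustration, and treating a share on or under /QSYS.LIB like a root share is a generalization added here.

```python
# Added example, not SkyView code. All share and authority data is constructed.
import posixpath
from typing import NamedTuple

class Share(NamedTuple):
    name: str
    path: str
    read_write: bool

def norm(path):
    # Collapse "//", "." and a trailing "/"; upper-case for comparison only,
    # since the root and QSYS.LIB file systems ignore case.
    return posixpath.normpath("/" + path.strip().lstrip("/")).upper()

def exposes_libraries(share):
    # A root share reaches QSYS.LIB, as the article says; a share placed on
    # or under /QSYS.LIB is treated the same way (generalization added here).
    p = norm(share.path)
    return p in ("/", "/QSYS.LIB") or p.startswith("/QSYS.LIB/")

def assess(shares, public_auth):
    """Return {share name: [findings]} for the shares that need review."""
    report = {}
    for s in shares:
        notes = ["reaches QSYS.LIB"] if exposes_libraries(s) else []
        auth = public_auth.get(norm(s.path), "unknown")
        if auth != "*EXCLUDE":
            notes.append("*PUBLIC authority is " + auth)
        if s.read_write and notes:
            notes.append("share is read/write")
        if notes:
            report[s.name] = notes
    return report

def compliance(baseline, current):
    """Names of shares created or removed since the baseline was taken."""
    b = {s.name.upper() for s in baseline}
    c = {s.name.upper() for s in current}
    return {"added": sorted(c - b), "removed": sorted(b - c)}

BASELINE = [Share("REPORTS", "/home/reports", False), Share("SCANS", "/scans", True)]
CURRENT = [Share("REPORTS", "/home/reports/", False), Share("ROOT", "//", True),
           Share("PAYLIB", "/qsys.lib/paylib.lib", False)]
PUBLIC_AUTH = {"/": "*RWX", "/HOME/REPORTS": "*EXCLUDE", "/QSYS.LIB/PAYLIB.LIB": "*USE"}

if __name__ == "__main__":
    print(assess(CURRENT, PUBLIC_AUTH))
    print(compliance(BASELINE, CURRENT))
```
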

What's the Big Deal about File Shares?
 
File shares are not inherently a security risk, but they can be if they are assigned to the wrong directory or the object level security for the directory or library is not appropriate for its contents.  Make sure you are using the features of the SkyView products to automate the checking of file shares and other policy settings.

Carol Woodbury's Bio

Carol Woodbury

Carol Woodbury is President and co-founder of SkyView Partners, Inc. and is the designer and architect of the SkyView Partners' products. 

 

Carol has over 17 years in the security industry, 10 of those working as the AS/400 Security Architect and Chief Engineering Manager of Security Technology for IBM's Enterprise Server Group.

Who is SkyView Partners?

SkyView Partners Inc. specializes in security policy compliance management and assessment software, as well as security services for IBM System i (AS/400, iSeries) customers.

Free Webinar

'Cutting the Costs of i5/OS Security Policy Compliance' by automating processes with SkyView Policy Minder

presented by Carol Woodbury

Wednesday, October 31, 2007
9:00 - 10:00 AM (Pacific Daylight Time)
Presenter: Carol Woodbury, i5/OS Security Expert, President, SkyView Partners, Inc.
 
Carol shows a live demonstration of how SkyView Policy Minder for i5/OS & OS/400 can be used to reduce the cost and drive complexity out of the compliance process by automating processes to assess vulnerabilities, detect non-compliance, remediate the issues and maintain policy compliance.