| Greetings!
In the ongoing process of securing your system, one thing you may choose to address is the default setting of the QCRTAUT system value. Below, I begin with discussing the purpose of the QCRTAUT system value and then get into the considerations you'll want to make before changing this value.
Sincerely,
 Carol Woodbury, President
SkyView Partners, Inc. |
| Questions? |
|
Before I get started, I want to say that SkyView Partners is committed to delivering security compliance products and services that provide our customers with sound advice that saves them time and reduces the costs and complexities of attaining and maintaining compliance.
Now, on to this month's i5/OS Security Tip. | |
| What is QCRTAUT? |
|
QCRTAUT (Create authority) provides the *PUBLIC authority setting when most i5/OS objects are created. The next time you create a new file or data area, prompt (Press F4 on) the command and look for the Authority (AUT) parameter. For most create commands, the AUT parameter defaults to the value *LIBCRTAUT. What is *LIBCRTAUT? The library that the object is being created into has an attribute called Create Authority. *LIBCRTAUT means to set the *PUBLIC authority of the object being created to the value of the library's Create authority attribute. What is the library's Create authority attribute? The default is *SYSVAL, which means that it uses the value of the QCRTAUT system value. So when an object is created, its *PUBLIC authority defaults to *LIBCRTAUT which says to look at the library's Create authority which defaults to look at the QCRTAUT system value. Because value of QCRTAUT is shipped by IBM as *CHANGE, most objects on the system are created with *PUBLIC authority *CHANGE. |
| Considerations before Changing QCRTAUT |
|
Now let's look at the considerations to make prior to changing QCRTAUT. First, it should go without saying that QCRTAUT should never be changed to *ALL. However, it is appropriate to consider changing it to *USE or *EXCLUDE. When I guide clients through the process of changing QCRTAUT, we start by getting a list of all of the libraries on the system and downloading it to a spreadsheet. You can use Policy Minder to do this by creating a *LIBAUT template that includes all libraries. (Don't bother creating an object template.) Run a compliance check on this template then run the Output Compliance (OUTCPL) command from the SKYVIEWPMP library specifying STATUS(*ALL). This will create a file in the /SkyView/Policy Minder directory which you can drag onto your desktop and open with Excel.
Once you have the spreadsheet, separate the libraries into four categories - IBM / IBM licensed product libraries, vendor product libraries, application libraries and user / developer libraries. The next step is to determine whether the libraries' Create authority attribute can remain at *SYSVAL or whether it needs to be overridden with a specific value.
You can typically leave the IBM libraries with their current settings. (You will see some with their Create authority attribute set to *SYSVAL and some overridden with a specific value such as *CHANGE.) For the vendor libraries, we consider whether or not objects are being created into the libraries or whether the objects (programs, commands, files, etc) are just being utilized. If it's the latter then we leave those library settings alone as well. If objects are being created into the libraries, then you have to consider whether the vendor product will continue to work correctly if the *PUBLIC authority of the newly created objects is set to *USE or *EXCLUDE. If it won't run correctly, then you can consider changing those libraries' Create authority value to *CHANGE.
For the application libraries, you must consider whether the application's security scheme will support newly created objects with a *PUBLIC authority of *USE or *EXCLUDE. If it won't, then you'll be forced into leaving those objects created with *PUBLIC *CHANGE. To continue to have the objects created with *PUBLIC *CHANGE, set the Create authority attribute of those libraries to *CHANGE. Personal or user libraries can typically be left at *SYSVAL because it is usually the individual user accessing the objects in his or her library and the *PUBLIC authority setting won't matter.
A little known fact is that you can specify an authorization list for a library's Create authority value. I have used this feature when reworking an application's security scheme and securing the application's files with an authorization list. It works especially well when the application files are in a separate library from the application programs. I specify the authorization list name for the library's Create authority value and, from then on, all objects created into the library will be secured with that authorization list.
* * *
Carol's Tech Tip |
| How SkyView Policy Minder can help |
SkyView Policy Minder is an i5/OS & OS/400 security compliance tool that provides a mechanism for comparing your systems' current settings against the requirements of your established (or desired) security policy. Policy Minder is about "enforcing" your securitypolicy.
When creating a Library authority template (*LIBAUT) in Policy Minder, you can specify the appropriate value for the library's Create authority attribute. Then, you can run regular compliance checks to ensure that this library attribute remains set correctly. In addition, you can run compliance checks on the System value (*SYSVAL) category to ensure that the QCRTAUT system value remains set to the appropriate value.
* * *
| |
|
|
|
|
Carol Woodbury's Bio |
|
|
|
Carol Woodbury is President and co-founder of SkyView Partners, Inc. and is the designer and architect of the SkyView Partners' products.
Carol has over 17 years in the security industry, 10 of those working the AS/400 Security Architect and Chief Engineering Manager of Security Technology for IBM's Enterprise Server Group. |
| Who is SkyView Partners? |
|
SkyView Partners Inc. is a firm specializing in security policy and compliance software and services for IBM System i (AS/400, iSeries)customers.
| |
|
