 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

Carol Woodbury's IBM i & i5/OS Security Tip

Working with the IFS
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 July 2009 
Greetings!
 
I've found that when working with the Integrated File System (IFS), it's more the exception than the rule that an organization's security policy requires the entire IFS security scheme to be reworked.  Rather, I typically see three issues that organizations want advice on: securing one or two directories that contain private data, finding out when new objects are created (especially under the root directory), and setting the right ownership and authorities on newly-created objects.
 
Let's address each in turn.
Securing a Directory Containing Personal Information
Many organizations have one or two directories that contain files with private or confidential information.  These files are not usually put there by applications or by individual users; they are typically created by a batch process that runs on a scheduled basis.  The typical contents of these files are credit card transactions going to the processing bank, payroll information being sent to the payroll processor, tax information going to state or local governments, etc.  In other words, the content of these files is quite sensitive.  Yet if the *PUBLIC authority of the directory was left at the default, it's likely that everyone on the system has access to these files.  The approach I offer to our clients is this: determine under which profile the batch process runs and grant that profile DTAAUT(*RWX) and OBJAUT(*NONE) to the directory.  Authorize any other groups or individuals that need to verify or otherwise work with the files with the same authority.  Then set *PUBLIC authority to DTAAUT(*EXCLUDE) and OBJAUT(*NONE).  This configuration provides access to those users and processes with a business need and prevents all other access.
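The lockdown just described, written out as i5/OS commands (an added example, not from the newsletter or from SkyView). /payroll/out, PAYBATCH and PAYAUDIT are assumed names for the directory, the batch profile and the group that verifies the files.

```cl
/* Added example, not from the newsletter: lock down a directory that
   holds payroll extracts before they are sent to the processor.
   Assumed names: /payroll/out (directory), PAYBATCH (profile the
   scheduled job runs under), PAYAUDIT (group that verifies the files). */

/* The batch profile gets full data rights and no object rights */
CHGAUT OBJ('/payroll/out') USER(PAYBATCH) DTAAUT(*RWX) OBJAUT(*NONE)

/* The verifying group gets the same authority */
CHGAUT OBJ('/payroll/out') USER(PAYAUDIT) DTAAUT(*RWX) OBJAUT(*NONE)

/* Everyone else is excluded; without *X to the directory no other
   user can reach the files inside it by this path */
CHGAUT OBJ('/payroll/out') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE)

/* Check the result: the list should show only the owner, PAYBATCH,
   PAYAUDIT and *PUBLIC with *EXCLUDE */
DSPAUT OBJ('/payroll/out')
```

PAYBATCH and PAYAUDIT also need at least *X data authority to each parent directory (here /payroll) to reach the files, and if files already exist in the directory, add SUBTREE(*ALL) to the CHGAUT commands so the existing stream files get the same authorities.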
How SkyView Policy Minder Can Help
To ensure these directories remain properly secured, use the Directory Authority (*DIRAUT) category to define a template (policy) that matches the configuration described above.  Run regular compliance checks to ensure no additional users have been authorized and that the *PUBLIC authority on the directory has not been changed.  If the current authorities do not match the authorities defined in your policy, you can update the policy if the changes were due to a change in business practices or you can run FixIt to change the security settings back.
Discovering Newly Created Objects
Knowing that a new object has been created into root or another directory can help simplify the security administration of the IFS.  If the new directory is for a product or application, you may need to ensure it is backed up or replicated properly.  But if you don't know about it, it's hard to add it to your existing processes.  Also, your policy may dictate into which directories new objects or new sub-directories can be created.
How SkyView Policy Minder Can Help
Use the 'Allow new object' feature when you create a template in the *DIRAUT category to discover new objects created into a particular directory, including the root ('/') directory.
Setting the Right Authority and Ownership on Newly-Created Objects
Getting the right authorities set on newly-created objects in the IFS can be frustrating, especially because the IFS ignores the Owner parameter in the user profile.  (That's the parameter that transfers ownership of newly-created objects to the user's group.)  Another irritation is that stream files don't inherit the authorities of the directory they're created in.  Because of the way the IFS works (or doesn't, as the case may be), the problem that typically arises is that one user has created an object (often a file) that another user needs to access.  Unless you take action, the user needing access often doesn't have sufficient authority.  Another problem comes when you try to delete the user's profile: any objects created in the IFS are owned by the user, not the user's group, so you have to do something with those objects before you can delete the profile.  The only way to resolve these frustrations is to change the owner and/or authorities on these newly-created objects.
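The remediation just described, done with i5/OS commands rather than a product (an added example, not from the newsletter or from SkyView): a CL program that moves ownership of everything under an application directory to an application owner profile and resets the authorities on the whole subtree. /app/data, APPOWNER, APPGRP and MYLIB/IFSFIX are assumed names.

```cl
/* Added example, not from the newsletter: nightly clean-up of owner
   and authority under an application directory.
   Assumed names: /app/data (directory), APPOWNER (profile that should
   own all application objects), APPGRP (group that works with the
   data), MYLIB/IFSFIX (library and name this program is compiled as). */
PGM

  /* Transfer ownership of the directory and everything under it.
     RVKOLDAUT(*YES) removes the private authority the creating user
     would otherwise keep, so the former owner loses access and the
     profile can later be deleted without owning anything here. */
  CHGOWN OBJ('/app/data') NEWOWN(APPOWNER) RVKOLDAUT(*YES) SUBTREE(*ALL)

  /* Stream files don't inherit the directory's authority, so the group
     and *PUBLIC authorities are applied to the whole subtree, not just
     the directory itself. */
  CHGAUT OBJ('/app/data') USER(APPGRP) DTAAUT(*RWX) OBJAUT(*NONE) SUBTREE(*ALL)
  CHGAUT OBJ('/app/data') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE) SUBTREE(*ALL)

  /* No MONMSG on purpose: if a command fails, the job ends abnormally
     and the failure is visible in the job log instead of being hidden. */

ENDPGM
```

Compile it with CRTBNDCL and schedule it with ADDJOBSCDE JOB(IFSFIX) CMD(CALL PGM(MYLIB/IFSFIX)) FRQ(*WEEKLY) SCDDAY(*ALL) SCDTIME(0200) so it runs every night.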
How SkyView Policy Minder Can Help
You can create a *DIRAUT template (policy) that defines how a directory - as well as the objects in the directory - needs to be owned and authorized.  When you run a compliance check on the policy, it will identify any objects that do not have the correct owner, *PUBLIC authority, private authority, primary group authority or authorization list.  While you can change any object that's out of compliance manually, the easier approach is to schedule FixIt to run on a regular basis so that the ownership and authority issues are resolved at least daily.  We have some customers that run a compliance check and FixIt multiple times daily.  The purpose is to ensure their applications' IFS objects are owned and authorized properly, eliminating cases where users have insufficient authority to access the objects and ensuring that users do not own the IFS objects.
Summary
I hope that this discussion has helped resolve some of the issues you've experienced in working with the IFS.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
View the Recorded Webinar 
"IFS Security" presented by Carol Woodbury

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Coffee with Carol Woodbury

Because the IFS does not always follow the traditional i5/OS security model, the security of the IFS is often ignored; therefore, important data may not be secured properly when it is stored in the IFS.
 
During this free, 60-minute webinar, security expert Carol Woodbury describes:
  • How IFS security compares to native i5/OS security
  • How to determine what authority is required to a directory or object
  • How to remediate (change) from the current authority settings to more appropriate settings as well as how to determine what the 'more appropriate setting' might be
  • How auditing works with IFS objects
  • How to use i5/OS commands to help you manage IFS security

You can also watch the recording of this Webinar, which has been stored at: https://www2.gotomeeting.com/register/840926251.

 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
News Article:
 
"Programmer accused of stealing proprietary code from financial firm"
 
DarkReading
by SearchFinancialSecurity.com Staff
7 Jul 2009
Authorities arrested a computer programmer suspected of stealing code included in the proprietary trading system of his former employer ...
 
 
 
Free Whitepaper:
 
Compliance with many regulations requires control over programmer access. Find out how to accomplish this with the compliance white paper:
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SkyView Partners Solutions
 
SkyView Partners is dedicated to providing software to help you tackle your security compliance and policy issues. 
SkyView Policy Minder is an IBM i & i5/OS security compliance management tool that automates security policy compliance monitoring and delivers comprehensive security administration functionality.  With Policy Minder you can monitor compliance with security policy and quickly return your security configuration to comply with the established security policy.
 
SkyView Risk Assessor is an automated IBM i & i5/OS security diagnostic tool that analyzes security information from more than 100 "risk points" across i5/OS & OS/400.  With Risk Assessor you see your system's security settings compared to security best practices.  The output lets you understand vulnerabilities and determine adjustments to security policy.
 
 
About Carol Woodbury ... 
 
 
 
Carol Woodbury is President and co-founder of SkyView Partners Inc., a company specializing in security policy and compliance software and services.  Carol is a system security expert, a noted author, an award-winning presenter and the architect of the SkyView products.
 
Free Webinar
 
 
"Reduce the Cost and Complexity of Compliance"
by Carol Woodbury 
 
 
During this webinar Carol Woodbury demonstrates how SkyView Policy Minder allows you to document your policy, discover differences between the current settings and your policy requirements and fix the settings to match your policy requirements. 
 
Carol will show actual examples of some of the more than 20 manual security compliance processes that she has encountered at clients and how these processes have now been replaced and automated using SkyView Policy Minder, cutting compliance costs dramatically.
About SkyView Partners ...
 
SkyView Partners is committed to delivering security compliance products and services that provide our customers with sound advice that saves them time and reduces the costs and complexities of attaining and maintaining compliance. 
 
For more information
 
 425-458-4975
 
© Copyright 2009 SkyView Partners Inc.
All rights reserved.