ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvcheckuserobj.htm

71 lines
4.8 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Check for user objects in protected libraries" />
<meta name="abstract" content="Use object authority to control who can add programs to protected libraries. User objects other than programs can represent a security exposure when they are in system libraries." />
<meta name="description" content="Use object authority to control who can add programs to protected libraries. User objects other than programs can represent a security exposure when they are in system libraries." />
<meta name="DC.Relation" scheme="URI" content="rzamvdevelopintrusiondetectstrat.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="checkuserobj" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Check for user objects in protected libraries</title>
</head>
<body id="checkuserobj"><a name="checkuserobj"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Check for user objects in protected libraries</h1>
<div><p>Use object authority to control who can add programs to protected
libraries. User objects other than programs can represent a security exposure
when they are in system libraries.</p>
<p>Every server job has a library list. The library list determines the sequence
in which the system searches for an object if a library name is not specified
with the object name. For example, when you call a program without specifying
where the program is, the system searches your library list in order and runs
the first copy of the program that it finds. </p>
<p>The <cite>iSeries Security Reference</cite> provides more
information about the security exposures of library lists and calling programs
without a library name (called an unqualified call). It also provides suggestions
for controlling the content of library lists and the ability to change the
system library lists. </p>
<p>For your system to run properly, certain system libraries, such as QSYS
and QGPL, must be in the library list for every job. You should use object
authority to control who can add programs to these libraries. This helps to
prevent someone from placing an imposter program in one of these libraries
with the same name as a program that appears in a library later in the library
list. </p>
<p>You should also evaluate who has authority to the <span class="cmdname">CHGSYSLIBL</span> command
and monitor SV records in the security audit journal. A devious user could
place a library ahead of QSYS in the library list and cause other users to
run unauthorized commands with the same names as IBM-supplied commands.</p>
<p>Use the SECBATCH menu option <kbd class="userinput">28</kbd> (to submit immediately)
or <kbd class="userinput">67</kbd> (to use the job scheduler) to run the Print User
Objects (<span class="cmdname">PTRUSROBJ</span>) command. The <span class="cmdname">PRTUSROBJ</span> command
prints a list of user objects (objects not created by IBM<sup>®</sup>) that are in a specified library. You
can then evaluate the programs on the list to determine who created them and
what function they perform. </p>
<p>User objects other than programs can also represent a security exposure
when they are in system libraries. For example, if a program writes confidential
data to a file whose name is not qualified, that program might be fooled into
opening an imposter version of that file in a system library.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvdevelopintrusiondetectstrat.htm" title="The following information is a collection of tips to help you detect potential security exposures.">Prevent and detect security exposures</a></div>
</div>
</div>
</body>
</html>