Check for user objects in protected libraries

Use object authority to control who can add programs to protected libraries. User objects other than programs can represent a security exposure when they are in system libraries.

Every server job has a library list. The library list determines the sequence in which the system searches for an object if a library name is not specified with the object name. For example, when you call a program without specifying where the program is, the system searches your library list in order and runs the first copy of the program that it finds.

The iSeries Security Reference provides more information about the security exposures of library lists and calling programs without a library name (called an unqualified call). It also provides suggestions for controlling the content of library lists and the ability to change the system library lists.

For your system to run properly, certain system libraries, such as QSYS and QGPL, must be in the library list for every job. You should use object authority to control who can add programs to these libraries. This helps to prevent someone from placing an imposter program in one of these libraries with the same name as a program that appears in a library later in the library list.

You should also evaluate who has authority to the CHGSYSLIBL command and monitor SV records in the security audit journal. A devious user could place a library ahead of QSYS in the library list and cause other users to run unauthorized commands with the same names as IBM-supplied commands.

Use the SECBATCH menu option 28 (to submit immediately) or 67 (to use the job scheduler) to run the Print User Objects (PRTUSROBJ) command. The PRTUSROBJ command prints a list of user objects (objects not created by IBM®) that are in a specified library. You can then evaluate the programs on the list to determine who created them and what function they perform.

User objects other than programs can also represent a security exposure when they are in system libraries. For example, if a program writes confidential data to a file whose name is not qualified, that program might be fooled into opening an imposter version of that file in a system library.
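The checks described on this page, gathered into one CL program as an added example (this is not code from the IBM documentation). It assumes the security audit journal QAUDJRN exists in QSYS and that *SECURITY auditing is active, so that SV entries are being written; the library names QSYS and QGPL are the ones named above.

```cl
/* Added example, not from the IBM documentation: collect the evidence */
/* this page asks you to review. Assumes QSYS/QAUDJRN exists and       */
/* *SECURITY auditing is active. Each command writes a spooled file.   */
PGM
   /* 1. Record the system portion of the library list and this job's */
   /*    full library list, so a library placed ahead of QSYS shows up. */
   DSPSYSVAL SYSVAL(QSYSLIBL) OUTPUT(*PRINT)
   DSPLIBL OUTPUT(*PRINT)

   /* 2. Who can add objects to the protected libraries? Authority to  */
   /*    the library object is what allows creating objects into it.   */
   DSPOBJAUT OBJ(QSYS) OBJTYPE(*LIB) OUTPUT(*PRINT)
   DSPOBJAUT OBJ(QGPL) OBJTYPE(*LIB) OUTPUT(*PRINT)

   /* 3. Who is authorized to change the system library list? */
   DSPOBJAUT OBJ(QSYS/CHGSYSLIBL) OBJTYPE(*CMD) OUTPUT(*PRINT)

   /* 4. List user objects (objects not created by IBM) in each        */
   /*    protected library, programs and non-program objects alike.    */
   PRTUSROBJ LIB(QSYS)
   PRTUSROBJ LIB(QGPL)

   /* 5. SV audit entries record changes to the system library list,   */
   /*    so review them for unexpected CHGSYSLIBL activity.            */
   DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(SV) OUTPUT(*PRINT)
ENDPGM
```

Compile with CRTBNDCL and call it from a profile that has authority to the objects being displayed; review the resulting spooled files, and for each entry on the PRTUSROBJ reports determine who created the object and what it does, as the page describes.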