<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Check for user objects in protected libraries" />
<meta name="abstract" content="Use object authority to control who can add programs to protected libraries. User objects other than programs can represent a security exposure when they are in system libraries." />
<meta name="description" content="Use object authority to control who can add programs to protected libraries. User objects other than programs can represent a security exposure when they are in system libraries." />
<meta name="DC.Relation" scheme="URI" content="rzamvdevelopintrusiondetectstrat.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="checkuserobj" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Check for user objects in protected libraries</title>
</head>
<body id="checkuserobj"><a name="checkuserobj"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Check for user objects in protected libraries</h1>
<div><p>Use object authority to control who can add programs to protected libraries. User objects other than programs can represent a security exposure when they are in system libraries.</p>
<p>Every server job has a library list. The library list determines the sequence in which the system searches for an object if a library name is not specified with the object name. For example, when you call a program without specifying where the program is, the system searches your library list in order and runs the first copy of the program that it finds.</p>
<p>The <cite>iSeries Security Reference</cite> provides more information about the security exposures of library lists and calling programs without a library name (called an unqualified call). It also provides suggestions for controlling the content of library lists and the ability to change the system library lists.</p>
<p>For your system to run properly, certain system libraries, such as QSYS and QGPL, must be in the library list for every job. You should use object authority to control who can add programs to these libraries. This helps to prevent someone from placing an imposter program in one of these libraries with the same name as a program that appears in a library later in the library list.</p>
<p>You should also evaluate who has authority to the <span class="cmdname">CHGSYSLIBL</span> command and monitor SV records in the security audit journal. A devious user could place a library ahead of QSYS in the library list and cause other users to run unauthorized commands with the same names as IBM-supplied commands.</p>
<p>Use the SECBATCH menu option <kbd class="userinput">28</kbd> (to submit immediately) or <kbd class="userinput">67</kbd> (to use the job scheduler) to run the Print User Objects (<span class="cmdname">PRTUSROBJ</span>) command. The <span class="cmdname">PRTUSROBJ</span> command prints a list of user objects (objects not created by IBM<sup>®</sup>) that are in a specified library. You can then evaluate the programs on the list to determine who created them and what function they perform.</p>
<p>User objects other than programs can also represent a security exposure when they are in system libraries. For example, if a program writes confidential data to a file whose name is not qualified, that program might be fooled into opening an imposter version of that file in a system library.</p>
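<p>As an added example (not part of the IBM topic), the following Python models the unqualified-call resolution described above over a constructed object inventory: it reports user objects in QSYS or QGPL that would win resolution over a same-named object in a library later in the list, and lists any library placed ahead of QSYS. The inventory fields, object names and library names are assumptions for illustration, not the real output layout of <span class="cmdname">PRTUSROBJ</span>.</p>

```python
"""Check a job's library list for imposter objects (added example, not IBM code).

Unqualified names resolve to the first matching object found by walking the
library list in order. The inventory below is constructed test data in the
spirit of a PRTUSROBJ report (user object = not created by IBM); its fields
are an assumption, not the command's real layout.
"""

PROTECTED_LIBS = ("QSYS", "QGPL")  # must be in every job's library list

# Constructed inventory: (library, object, type, created_by_ibm)
INVENTORY = [
    ("QSYS",   "CHGSYSLIBL", "*CMD",  True),
    ("QGPL",   "PAYROLL",    "*PGM",  False),  # user program in a system library
    ("APPLIB", "PAYROLL",    "*PGM",  False),  # legitimate copy, later in the list
    ("QGPL",   "CUSTMAST",   "*FILE", False),  # imposter file: unqualified opens hit it
    ("APPLIB", "CUSTMAST",   "*FILE", False),
    ("APPLIB", "RPTGEN",     "*PGM",  False),  # unique and not in a system library
]


def resolve(liblist, name, objtype, inventory=INVENTORY):
    """Library that an unqualified reference to (name, objtype) resolves to."""
    for lib in liblist:
        if any(l == lib and n == name and t == objtype for l, n, t, _ in inventory):
            return lib
    return None


def find_imposters(liblist, inventory=INVENTORY):
    """User objects in protected libraries that win resolution over a
    same-named object of the same type held in another library."""
    findings = []
    for lib, name, objtype, ibm in inventory:
        if ibm or lib not in PROTECTED_LIBS:
            continue
        others = sorted(l for l, n, t, _ in inventory
                        if (n, t) == (name, objtype) and l != lib)
        if others and resolve(liblist, name, objtype, inventory) == lib:
            findings.append((lib, name, objtype, others))
    return findings


def libs_ahead_of_qsys(liblist):
    """Libraries positioned before QSYS; a sign CHGSYSLIBL was used to reorder the list."""
    return list(liblist[:liblist.index("QSYS")]) if "QSYS" in liblist else list(liblist)


if __name__ == "__main__":
    for f in find_imposters(["QSYS", "QGPL", "APPLIB"]):
        print("IMPOSTER", f)
    print("ahead of QSYS:", libs_ahead_of_qsys(["USRLIB1", "QSYS", "QGPL", "APPLIB"]))
```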
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvdevelopintrusiondetectstrat.htm" title="The following information is a collection of tips to help you detect potential security exposures.">Prevent and detect security exposures</a></div>
</div>
</div>
</body>
</html>