V5R2 Security System Value Lock

April 14, 2004 Hey, Wayne

Editor’s Note: Security questions for the Four Hundred Guru are now being answered by Wayne O. Evans, one of the top OS/400 security experts in the world. Wayne designed security features on the AS/400 and S/38 during his 27 years at IBM and is a well-known and highly respected consultant, author, educator, and speaker. His security tips will become a regular item in Guru newsletters.

The security reference manual for OS/400 V5R2 says, “New for V5R2, you can restrict users from changing several security-related system values. These restrictions can prevent even a user with *SECADM and *ALLOBJ authority from changing these system values with the CHGSYSVAL command.” Why are users with *SECADM and *ALLOBJ authority prevented from changing security-related system values with the CHGSYSVAL command?

What is the risk if users change any security system value with CHGSYSVAL? If I use this feature, what’s the proper way to change security system values?

–John

Some computer systems go through a major system configuration, often called sysgen (system generation), in which the system administrator determines what features should be installed in the operating system. This often involves compiling and linking programs. On large IBM mainframes, this is often a major process that takes two to four hours and has to be done each time a new release is installed. The programs are added and removed from the operating system to create the “system image,” a collection of programs that represent the features the administrator wants to use, such as which database management system or which security product. The sysgen can be a very lengthy process because the individual components often come from different vendors. In fact, the installation needs to “purchase” the individual pieces (like database, security product, communications software). There are many combinations possible, and not every combination can be tested to be sure that the software is compatible (uses the same interfaces and provides equivalent function).

Contrast this with OS/400. One vendor, IBM, provides the OS/400 operating system. (That is why OS/400 is said to be a closed system.) System administrators do not need to go through a lengthy sysgen process to add and remove programs. The programs are always there in OS/400. If the programs are the same in all OS/400 installations at the same release level, then how do system managers configure OS/400 to run for their company?

You probably guessed the answer already. System managers customize the version of OS/400 for their organization by setting system values. With this understanding you can get a better appreciation for the importance of system values. System values represent how the system is configured for the installation.

Let’s focus on just one system value: QSECURITY. Changing this system value has a dramatic impact on the way OS/400 secures a system.

SECURITY LAYERS

Multiple protection layers often describe good security. The protection layers for the change of system values are:

1. Authorized user on the system.

2. Authorized to CHGSYSVAL command.

3. *ALLOBJ and *SECADM special authority.

4. Service Lock = *YES. (new in V5R2)

5. Change system value.

The user must be able to sign on and be authorized to the CHGSYSVAL command. For the security system values, the user must also have *ALLOBJ and *SECADM special authority. With V5R2, there is the additional protection that the service lock must be *YES. Then, and only then, can the system value be changed.

There is actually another layer that I did not show. The value must be one of those allowed for the system value.

The change to the service lock would have a similar protection diagram, which I will leave as an exercise for you readers.

V5R2 ADDS PROTECTION

A user with Security Administrator (*SECADM) and All Object (*ALLOBJ) special authorities can alter security system values. Because setting the system values can have such a major impact, system administrators do not want to trust just any user with *ALLOBJ and *SECADM special authority. There are often too many of these users on the system.

In V5R2, IBM gave system administrators an option to require something extra to change security system values. This sounds like a system configuration option or system value. But IBM was not stupid, so rather than create a system value to control other system values, it made a DST option.

The answer to your final question, how to change system values, is just like before: use the CHGSYSVAL command. However I hope that after you get security set correctly, you take advantage of the new V5R2 support to lock security-related system values.

The following information from IBM’s manuals on systems management and security (in PDF format) is included here so you have a complete understanding of this support.

LOCK AND UNLOCK SECURITY-RELATED SYSTEM VALUES

System service tools (SST) and dedicated service tools (DST) provide an option that allows you to prevent changes to a variety of security related system values. When the “allow change of security related system values” service tools option is set to no, the system values can’t be changed using the Change System Value (CHGSYSVAL) command (or any other user interface). Setting this option to no is useful if, for example, you have settings for security level (QSECURITY). Selecting no for this option ensures that applications can’t change these system value settings.

HOW TO LOCK THE LOCK

You must have a service tool profile and password to lock or unlock the security-related system values. This ensures that not just every user with *ALLOBJ and *SECADM can change the lock. To lock or unlock security-related system values with the Start System Service Tools (STRSST) command, follow these steps:

1. Open a character-based interface.

2. On the command line, type STRSST.

3. Type your user name and password.

4. Select option 7 (“work with system security”).

5. Type 1 to unlock security-related system values, or 2 to lock security-related system values in “allow security system value changes.”

SYSTEM VALUES LOCKED BY V5R2 FUNCTION

The following table identifies the system values that are affected by this option.

Lockable system values:

Activate action auditing	QAUDLVL
Activate object auditing	QAUDCTL
Audit journal error action	QAUDENACN
Default auditing for newly created objects	QCRTOBJAUD
Maximum number of journal entries in auxiliary storage	QAUDFRCLVL
Local controllers and devices	QAUTOCFG
Pass-through devices and Telnet	QAUTOVRT
Action to take when a device error occurs	QDEVRCYACN
Remote controllers and devices	QAUTORMT
Time-out interval	QDSCJOBITV
When job reaches time-out	QINACTMSGQ
Password expiration	QPWDEXPITV
Restrict consecutive digits	QPWDLMTAJC
Restricted characters	QPWDLMTCHR
Restrict repeating characters	QPWDLMTREP
Password level	QPWDLVL
Maximum password length	QPWDMAXLEN
Minimum password length	QPWDMINLEN
Require a new character in each position	QPWDPOSDIF
Require at least one digit	QPWDRQDDGT
Password reuse cycle	QPWDRQDDIF
Password validation program	QPWDVLDPGM
Allow remote service of system	QRMTSRVATR
Verify object signatures on restore	QVFYOBJRST
Convert objects during restore	QFRCCVNRST
Allow restore of security sensitive objects	QALWOBJRST
Security level	QSECURITY
Allow server security information to be retained	QRETSVRSEC
Users who can work with programs with adopted authority	QUSEADPAUT
Default authority for newly created objects in QSYS.LIB file system	QCRTAUT
Allow use of shared or mapped memory with write capability	QSHRMEMCTL
Allow these objects in . . .	QALWUSRDMN
Use pass-through or Telnet for remote sign-on	QRMTSIGN
Display sign-on information	QDSPSGNINF
Restrict privileged users to specific device session	QLMTSECOFR
Limit each user to one device session	QLMTDEVSSN
Incorrect sign-on attempts	QMAXSIGN
When maximum is reached	QMAXSGNACN

–Wayne O. Evans

Security articles authored by Wayne O. Evans can be found on his Web site, www.woevans.com. E-mail: woevans@aol.com

Table of Contents

Content archive

Recent Posts

Subscribe

Pages

Search