Command Line Security – Part 1

By Rich Loeber

When a user on your IBM i system signs on to a terminal session, they will be presented with a command line.  Given enough security permissions, a user can do just about anything from that command line, if they are inquisitive enough.  This article will discuss several options for controlling what a user can, and more importantly what they cannot do, when they are presented with a command line.

Controlling use of the command line begins with the way your user profile is set up.  Specifically, the option to “Limit capabilities” (LMTCPB).  This will define what, if any, controls the system will impose over use of the command line.  Unfortunately, many systems just use the default “*NO” setting for this value and that leaves the command line wide open for use (and abuse).

There are three possibilities for the LMTCPB parameter in the user profile:

 

  • *NO – means there are NO limits on the user of the command line.  In addition to processing commands from the command line, the user can also make certain changes to their user profile that you might not want them making.
  • *PARTIAL – this is a little better than the *NO option and it limits certain actions that the user can take at signon and from the command line, but they can still run commands.
  • *YES – this is the best option for most of your users.  The user cannot specify different parameters for menu and library from the signon screen and they cannot change the setup for their user profile.  The user also is not permitted to run any IBM i OS commands from the command line.

“But,” your user says, “I need to be able to check my output reports using the WRKSPLF or WRKOUTQ command!”  This is a common issue in some shops, but setting the LMTCPB for the user profile to *NO or *PARTIAL is not the answer.  If a user needs to use a very limited set of IBM i OS commands, the best way to solve that issue is by creating menu options for them to use.  They can continue to run the commands from the menu option with no problem.

One thing to also be careful about is the starting menu that you present to your user.  Again, the default that comes from IBM is to give your users access to the IBM i OS “MAIN” menu in QSYS.  This menu can easily lead an inquisitive user to options and capabilities that you probably don’t want them seeing or using.  If you follow the menu options, you can easily get into areas where a user just does not belong.  So, make sure that you specify a starting menu that strictly limits where the user can go.  Spend some time testing your menu structures to make sure that they do not lead a user to capabilities that they should not be granted.

Next time around, in Part 2 of this article, I’ll take a look at how to effectively limit how users use of commands in the IBM i OS when you absolutely have to let users have access to the command line.

If you have any questions about this topic, you can reach me at rich at kisco.com,  I’ll try to answer your questions.  All email messages will be answered.

Changing Your Signon Screen – A Good Idea

By Rich Loeber

The classic IBM i signon screen has been around since forever.  I first saw it in 1988 when I took delivery of my first AS/400 system, a lowly B10.  In the old days, the appearance of the signon screen made no difference since the system was a closed system.  With the advent of networks, this situation changed dramatically.

Today, all IBM i systems are networked and users connect via that network connection.  The signon screen is projected to terminal emulation software throughout the network and even over the Internet for users that are accessing the system from remote locations.  Because of this, the signon screen standard context can be easily recognized by people with malicious intent and scrubbed (sniffed) for user id and password information.

Granted, for many users, this information is encrypted.  But, with the proliferation of open access protocols, there are many emulators that do not encrypt this information.  Examples of this are hand-held devices (tablets and phones) and the Telnet capabilities of Windows platforms.  For my own system, I access it when traveling via my Android smartphone and no encryption is taking place.

A second reason is that the classic signon screen presents a field that could provide a saavy user with a way to bypass your intended signon process sequence.  Next time you sign on using this screen, just type QCMD in the “Program/procedure” field and you will get a demonstration of what I mean.

For these reasons, it is probably a good idea to design your own signon screen and that you change the standard terminology used to identify the User and Password fields and disallowing the “Program/procedure” field.  Making the change is fairly easy, but you need to be careful and you need to test your new screen before rolling it out for general use.

IBM ships the source code for the standard signon screen in a source physical file named QAWTSSRC in library QSYS.  In this source file, you will find two sets of code for the two possible standard screens on your system, QDSIGNON and QDSIGNON2.  The first is used when you have standard 10 character passwords configured and the latter is used when you have set your system up for long (128 character) passwords/pass-phrases.  I recommend that you move the source that you want to use into a separate library, thereby preserving the original source in case you get in trouble.

Once you have the source moved into your own library, you can then use Screen Design Aid (SDA, PDM option #17) to make your changes.  When working on your screen, make sure that you observe the following:

  • Do not delete any of the input capable fields that are on the signon screen.
  • Do not change the sequence of any of the input capable fields.  You can move them around on the screen, but keep their sequence in tact.
  • Do not change the characteristics, especially field lengths, for any of the input capable fields.
  • Do not attempt to use any DDS HELP capabilities for the signon screen.

Since one objective is to change the reference to “User” and “Password”, pick out suitable replacements for these and make sure to change the text for those areas.  I would suggest alternatives here, but that could just start a new default standard which would defeat the objective of this tip.

The second objective can be accomplished by removing the text field for the “Program/procedure” field and then changing the PROGRAM field so that it is non-display.  This will keep the integrity of the signon screen while preventing this field from being used.

When you are all done, compile the screen into a library other than QSYS.  To implement the new screen, you will need to update the subsystem description.  You can use the Change Subsystem Description (CHGSBSD) command; press the F10 key to display all parameters and you’ll find one that controls the signon screen in use.  Test your new screen in the QPGMR subsystem to make sure it works as desired before rolling it out to QINTER and other production subsystems.  I strongly recommend that you NOT use an alternate signon screen for your system console which is typically associated with the QCTL subsystem.

If you have any questions about this topic, you can reach me at rich at kisco.com, I’ll give it my best shot.  All email messages will be answered.

IBM i SMTP Relay Controls

By Rich Loeber

Many IBM i shops keep the SMTP server active on their system to support host-based applications that format and send e-mail messages directly from their IBM i system.  With the SMTP server active, you could leave your system open to spammers who could take over the SMTP server to relay their spam messages.  This tip describes how to control SMTP relay on your system.  You can check to see if SMTP is active on your system by running the following command:

WRKACTJOB SBS(QSYSWRK) JOB(QTSM*)

If there are any tasks displayed, then the SMTP server is active on your system.

Controlling SMTP mail relay involves two processes.  First, you have to set the ALWRLY parameter in the SMTP Attributes on your SMTP server.  This is updated using the CHGSMTPA (Change SMTP Attributes) command.  Keep in mind that your user profile must have the *IOSYSCFG special authority to be able to use the CHGSMTPA command.

If you just want to deny all mail relays, set this value to *NONE and you’re all set, you can stop reading now and move on with your life.  However, if you are sending mail from your IBM i using the SNDDST command, SNDSMTPEMM command or other program-controlled methods, you cannot leave this setting at *NONE as it will block mail being sent from your system.  Simply changing this setting to *ALL is not a good idea either as this will allow anyone to relay mail through your system.  The best choices are one of the following:

•    *LIST – only IP addresses that match an *ACCEPT SMTP list entry will be allowed or denied
•    *NEAR – only IP addresses that match a *NEAR SMTP list entry will be allowed
•    *BOTH – the system will look at both the *LIST and *NEAR entries

Once you have this part configured and have specified one of the three recommended settings, you will then have to update the SMTP list to indicate who can relay mail.  This is done using the ADDMSTPLE (Add SMTP List Entry) command.  There are a lot of options for this, but as a simple example let’s set up an entry that will permit mail to be relayed from your IBM i.  If you system has an IP address of 10.100.2.1, then you would add a relay accept transaction that looks like the following:

ADDSMTPLE TYPE(*ACCEPT) INTNETADR(’10.100.1.2′)
SUBNETMASK(’255.255.255.255′)

This entry will accept all SMTP mail that is sent from the specific IP address indicated in the INTNETADR parameter.  The subnet mask used here is coded so that only the specific IP address will be processed.  You can also use this command to post a *REJECT or *NEAR entry to the SMTP list to indicate specific IP addresses to be rejected or to define a system to be considered as a *NEAR system.  Varying the subnet mask can let you define ranges of IP addresses and if you need help on how to code these entries, feel free to contact me.  Once entries have been added to the SMTP list, you can delete them using the RMVSMTPLE (Remove SMTP List Entry) command.  It would be nice if IBM provided a WRKSMTPLE command too, but the test system I work on has no sign of this feature.

If you have been using SMTP list entries for a while, you may need to know what entries are already established on your system but IBM i provides no support for a review function.  You can, however, review what is already set up by examining the various members in the file anmed QATMADRLST in library QUSRSYS.  Each member, which you will find appropriately named, contains the list entries for that type.  I simple query report can list the entries and you can remove unwanted entries as needed.

If you have any questions about this topic, you can reach me at rich at kisco.com, I’ll give it my best shot.  All email messages will be answered.

Security and Performance Issues

By Rich Loeber

Normally, you would not think of system performance in terms of a security issue.  But, if someone with the right know-how is abusing privileges on your system, then it becomes a security issue.  This tip will help you to identify some performance issues that fall into this category.

A performance issue that has security implications can happen when someone with the right special authorities on their user profile abuses those and consumes excessive system resource in their own interest.  This can happen, for example, when programmers boost the execution priority for their jobs at the expense of interactive processing.  It can also happen when someone runs a batch job interactively, thereby bringing other interactive users to a crawl.  When this occurs, it is clearly a security issue as the user or users in question are abusing their assigned privileges.

Controlling the execution priority of a job is a function of the Job Priority.  This is set by the Job Description that is used for the job.  It can also be changed on the fly by someone with *JOBCTL special authority associated with their user profile.  If you see this happening, you might want to just remove *JOBCTL from their user profile.  Restricting access to the CHGJOB command can also help.  The CHGJOB command is shipped from IBM with public access set to *USE, so any user profile can use the command.  Restricting access could affect applications running on your system, so you should consider this change carefully.

To restrict access to the CHGJOB command, run the following command on your system:

GRTOBJAUT OBJ(CHGJOB) OBJTYPE(*CMD) USER(*PUBLIC)
AUT(*EXCLUDE)

This will change the command so that only authorized user profiles can use it.  To add a user profile to those allowed access to this command, use the following command:

GRTOBJAUT OBJ(CHGJOB) OBJTYPE(*CMD) USER(MYUSRPRF)
AUT(*USE)

This will allow the profile MYUSRPRF to use this command while excluding all others.  Of course, any user profile with All Object Authority (*ALLOBJ) will still have access, so that wrinkle also has to be allowed for.

Limiting access to command objects on your system is a good way to control who can do what.  Another command that you should consider for similar treatment is the Change Shared Storage Pool (CHGSHRPOOL) command.  This command can be used to control performance characteristics for jobs running on your system through the allocation of memory resources and processing time slices.

If you still have problems with performance issues preventing production from getting done efficiently, there may be a problem of users running batch jobs interactively.  If your applications are running from IBM i OS commands, you can change the commands so that they will not function when called in an interactive environment.  You can do this using the Change Command (CHGCMD) command, setting the ALLOW parameter to remove the *INTERACT, *IPGM and *REXX options.

If you make changes to any IBM i OS commands, you should keep a list of the commands changed and the specific changes made.  Installing PTFs or OS upgrades from IBM could change them back, so you should keep your list with your IBM i OS documentation to serve as a reminder to check the commands following a PTF install or OS upgrade.

If you have any questions about this topic, you can reach me at rich at kisco.com, I’ll give it my best shot.  All email messages will be answered.

Library List Security – Part 2

By Rich Loeber

As discussed in my last tip, controlling the library list and the list environment on your system is important to running a secure application.  Abusing the library list environment could easily cause a wrong (and possibly malicious) program to run or to access an incorrect data file.  In fact, in my work doing software support, I am often be presented with an inexplicable scenario only to find that wrong programs or data have been processed because a wrong object was referenced.

In the previous tip, I talked about the system library list component.  The library list environment also includes a user library list and two specific libraries, the current library and the production library.

The user library list is maintained as system value QUSRLIBL.  This is a list of libraries that will always be present for all users of your system at signon time.  The user library list can also be modified by the Job Description in effect at processing time.  This list should be kept to a minimum.  Most shops that I’ve seen have the QGPL and QTEMP libraries in this list which may be helpful.  The QTEMP library is often used by applications for work files and objects and the QGPL library is often used by system applications.  Shops that are very concerned about security issues will often leave these libraries off the list.  Just as with the system library list, you should take steps necessary to restrict users from making changes to the system values and job descriptions that can update how the user library list environment is set.

The only other candidates for inclusion in the user library list should be libraries that all users will need access to.  This might include a general use utility library or some other such library that all users need access to.  Unfortunately, because of ignorance of how library lists work, many shops load these up with lots of application library names just to get their applications to run and then they just leave the lists cluttered up leaving lots of room for problems down the road.  If you have specific application requirements, it is best to include them in the Job Description and not in user library list system value.

Once you have settled on your system library list and user library list, there are still two more ways to add library control to your jobs.  These are the Product Library and the Current Library.  When the IBM i OS searches for objects, it searches the system library list first, then the product library, current library and finally the user library list.

The Product Library and Current Library are controlled by the IBM i command object or by the menu from which they are run.  When you create your applications, you should take care to make sure that the users who have access to create command objects and menu objects are limited to trusted users.  There are a small number of IBM i commands that can be used to create and modify *CMD objects; make certain that access to these IBM i commands is limited.  The same is true for creating and maintaining menus on your system.

When you create commands and/or menus, you should take some time to consider how you want the Product and Current libraries set up.  It is an easy way to make sure that your application library is available for processing without cluttering up your user library list with unnecessary entries that apply to everyone.

If you have any questions about this topic, you can reach me at rich at kisco.com, I’ll give it my best shot.  All email messages will be answered.

 

Library List Security – Part 1

By Rich Loeber

The library list on your IBM i controls how the IBM i OS searches for objects when no specific library has been coded.  Changes to the library list could easily be used to execute a rogue program or cause your processing to run against an incorrect set of data.  Controlling how your library lists are set up on your system can mean the difference between secure and insecure processing.

The library list has four main components.  These are the system library list, the current library, the product library and the user library list.  When an object access is requested by a program and the request is not library specific, the IBM i OS will search the system for the object requested in this sequence.  The first object found with the right name and object type will be used.  This could be to satisfy a program-to-program call, a request for a data file object or any other object access request.

The best and most secure solution is to always code your object requests as library specific.  For testing and other reasons, using the search capabilities of the library list can be a very handy solution.  But, as you can see, it poses security risks.

The easiest illustration of a security risk is interposing an alternate (and malicious) program so that it gets called in place of the actual program object you really want to call.  The alternate program could, for example, do the same processing but store credit card information in a private file for later access and abuse.  Your user has no knowledge that anything unusual is going on but information from their processing is being hijacked.

To limit the possibilities it is important that you specifically limit the number of libraries that appear in your library lists.  You must also control who is allowed to make changes and you must have a clear business case made to add new libraries to either the system or user library list.

The system library list is maintained as a system value and should be kept to a minimum.  The entry for the IBM i library, QSYS, is a requirement for IBM i OS functions to run properly.  In many shops, the QSYS2 library is also needed as it contains objects required for many system APIs.  If your code, or a software vendor’s code, uses any IBM i  OS APIs, you’ll need this library in the system list.  From the factory, you will normally also find the QHLPSYS and QUSRSYS libraries.  The QHLPSYS library contains the help text panel groups for the IBM i OS and should be left in the list, but you should make sure that public only has *USE access to objects in the library.  Leaving QUSRSYS in the list is another matter.  It should also have a public setting of *USE, but you should examine other special authorities set up for the library to make sure that the ability to create and add objects to this library is severely limited.  If you find any other libraries in the system library list, you must check their availability to the public and make sure they are restricted.  You should also validate the business reason for having non-IBM libraries in the system library list on your system.

In a future tip, I’ll take a look at controlling the user library list and the current and production library entries.

If you have any questions about this topic, you can reach me at rich at kisco.com, I’ll give it my best shot.  All email messages will be answered.

Annual Checkup

By Rich Loeber

A few years ago, when I passed the age when I thought I might live forever and started maturing (a little), I decided that it would be a good idea to go see my doctor once a year for an annual checkup.  It was paid for by insurance and there was just no good reason not to go.  That first checkup (after many years of neglect, I might add) turned out OK.  The doctor told me a few things that I already knew (loose weight, get more exercise) and generally thought that I was doing OK.

After that first checkup, I got the annual appointment into my schedule and started going faithfully.  Then, after we moved up to the mountains of Northern New York, the doctor at our new home came back with a different response to my checkup.  He saw some things that didn’t look right and wanted to schedule some additional tests.  To make a long story short, he found a blocked cardiac artery and we were able to deal with it well before the onset of a heart attack.

What, you ask, does this have to do with computer security on your IBM i system?  Just this …. you need to do a full system checkup at least once a year just to see if there are any surprises.  I have done dozens of these checkups over the years on systems under my responsibility and I ALWAYS find something that needs attention.  If you’re responsible for system security, you need to do this, and year end is a good time to be thinking about it.  Nobody gets much work done during the last couple of weeks of the year and it’s a good time to go tinkering around in your system.

So, what should you include in your checkup?  Here’s a list of things to start with.  It is by no means comprehensive but will probably get you started and lead you into the areas where you need to be concerned:

●    Check the security settings in your system values using the Print System Security Attributes [PRTSYSSECA] command and reconcile differences on your system from the recommended settings.
●    List the user profiles on your system and check for employees who have left or changed their job assignment.
●    Create a database of your user profiles using the DSPUSRPRF command with the *OUTFILE option, then run a series of query reports to search for expired passwords, profiles with *ALLOBJ authority, and so on as appropriate for your installation.
●    Run the Security Wizard in the IBM i  Navigator (Or Access Client Solutsion) and check any differences on your system from the recommendations suggested.
●    Using the user profile database already created, list your user profiles by group to make sure that the groups are set up as you expect to see them.
●    Create a database of all *FILE objects on your system using the DSPOBJD command with the *OUTFILE option.  Then generate a report using your favorite query tool of new files created since your last audit and make sure that security on these new objects complies with established policies.
●    Run the Analyze Default Passwords [ANZDFTPWD] command to make sure that no default passwords exist on your system.
●    Check *FILE objects on your system with *PUBLIC access authority using the Print Publicly Auth Objects [PRTPUBAUT] command.  Make sure that the objects with public access all comply with established policies.
●    Go to the SECTOOLS menu and see if any of the options available can be of specific help to your audit efforts.
●    Review your backup process and offsite storage arrangements.  Do a physical inspection of the offsite location and make sure you can quickly and easily identify and retrieve backup sets.

Due to space constraints, this is not a comprehensive list but is intended to get you started on the audit process.  As you go through it, document both what you are doing and your findings.  That way, when next year end rolls around, you’ll be better prepared for the process and you’ll have a baseline to compare your results with.  Good luck, and I hope you don’t find any clogged arteries!

If you have any questions about this topic, you can reach me at rich at kisco.com, I’ll give it my best shot.  All email messages will be answered.

Anatomy of an IBM i Hack Attempt

By Rich Loeber

Kisco Information Systems keeps a lone IBM i server connected directly to the Internet in order to test it’s SafeNet/i exit point security software in a real world environment. In the past, we have reported on our experience with quarterly reports in 2013 and even an update earlier this year in March 2017.

Last month we experienced an unusual and persistent hack attempt that surprised us by its depth and the amount of time that was used.  This blog post is to report on what happened and, perhaps, remind everyone about how important it is to take hacking seriously in this day and age.

Starting at 20:30 on October 20, 2017 someone from IP address 79.137.65.236 began a persistent FTP script attack on our server.  This happened on a Saturday evening when nobody was in the office to notice any unusual network traffic. The attack consisted of signon attempts via the FTP server using a very long series of profile names.  The signon attempts were repeated every few seconds.

The script being used called for each of the hack attempts to be repeated 85 times with the same user profile.  We don’t capture the passwords being used, but it is obvious that each attempt was trying to use a different password.  In our case, since our SafeNet/i did not recognize the IP address that was being used as a valid client address, the IBM i OS never got to the point of password validation and subsequent deactivation of the profile by the OS.

The user profiles used during this hack attempt were mostly comprised of common English first names such as ANDREA, BARBARA, KIM, ROBERT and so on.  There were also a few coomon Hispanic names used such as JUAN and FERNANDO.  Other profiles were also used and some of them got special attention with additional signon attempts.  The profile name ADMINISTRA was used 255 times (85 three times?).  Other common profiles that deserved extra attention included ADMIN, INFO, SPAM, “NULL” and, for some reason, BARBARA, all of which were attempted 170 times (85 twice?).

In addition to these common profile names, quite a few other “common” technical terms were  used, each for its own series of 85 tries.  These included profile names like ABACUS, ACCESS, ACCOUNT, ADMIN, APPLE, BACKUP, DEMO, GARAGE, MAIL, MAILSCANNE, ORANGE, NETGEAR1, PASSWORD, PAYMENTS, POSTMASTER, QWERTY, QWERASDF, SALES, SCANNER, TEMP, TEST, USER, WEB, WEBMASTER, WELCOME,123 and SYSADMIN.

The hack came to an end on Sunday morning when I received an email from SafeNet/i advising  me that thousands of break in attempts had been made.  When I checked the system I found that it was still going on and simply turned the FTP server off.  Nobody needed FTP on a Sunday morning.  I restarted the FTP server about an hour later, but the hack did not resume.

After the hack was done, I did a lookup using the IP address that was used and it traced back to the RIPE Network Coordination Center in The Netherlands.  A few days later we reported the abuse attempt to them.  Shortly after reporting it, we received a standard reply email that was un-formatted and very difficult to read.  We went to the RIPE website and there was a place to trace the IP address within their organization and it traced back to an organization in France.  An abuse report submitted to them has not been answered as of yet.  Based on past experience, trying to trace back an abuser is a rabbit hole that you can rarely get out of.  In the past, we have tried reporting hack attempts to the local police, state police and the FBI, always to no avail.

There are some take away things to think about from just this one hack attempt.  You should consider the following:

  • Review your user profiles and look for common English first names.  Consider changing them to something more complex.
  • Stay away from common technical terms, and even some uncommon ones, for user profile use.
  • Don’t run the FTP server when it isn’t needed.  The FTP script hack is the one used most frequently.  If the server isn’t active, it can’t be hacked.
  • Make sure that you have exit point software installed and active to control which IP addresses are allowed to connect to your system.  Our SafeNet/i does this and successfully fended of this entire hacking scenario on our box.

The whole point of the FTP hack is to discover working user profiles and, hopefully, also uncover one that is using a very common password.  Once a hacker has this, they are ready to come back via Telnet or some other server connection and really get into your system.  You need to be prepared to stop them before that can happen.

If you have questions about details of the report, feel free to contact me directly by email (rich at kisco.com).

Watch Your User Profiles

By Rich Loeber

Once you’ve set up a user profile on your IBM i systems, are you tracking changes to it over it’s lifetime?

The user profile is your first line of defense in the ongoing battle of protecting your system.  When a new employee shows up for work, you go to great lengths to get their profile set up just right.  You make sure that they get access to the menus and files they need to get their work done and you set up their object access accordingly.  If you’ve been at this a while, you probably already have a mental checklist of all the things that you need to do for a new user in each department or work group in your shop.

But, what about subsequent changes to those profiles.  Are you watching these updates to make sure that your carefully engineered security scheme is being maintained over the life of each user profile?

In the IBM i OS, there are a couple of ways that you can monitor for this.

First, you can use the system security audit journal as an after-the-fact review process for user profile changes and updates.  To run this report, use the Display Audit Journal Entries (DSPAUDJRNE) command.  Prompt the command using the F4 key and select the entry type code CP (Change user profile entries).  The resulting report will show you at least some of the user profile change activity for the selected period of time on your system.

If you want more immediate information about user profile changes, then the only alternative is for you to code an exit program.  There are four possible exit points that you can use on the system to track user profile activity:

QIBM_QSY_CRT_PROFILE    Create User Profile
QIBM_QSY_CHG_PROFILE    Change User Profile
QIBM_QSY_DLT_PROFILE    Delete User Profile (2 points, one before the other after)
QIBM_QSY_RST_PROFILE    Restore User Profile

An exit point is a marker in the IBM i OS where you can attach your own program.  The OS will call your program, passing parameters, during the process of working with these user profile events.  You can code your program do meet your very specific needs.  This can include on-line notification, detailed change tracking, rules enforcement and more.  You can even pass a return code back to the exit point indicating that the profile change should be disallowed.

Your will find more details about creating exit programs to work with these user profile exit points in the IBM i Security Reference manual.  Registering your program can be done using the Work With Registration Information (WRKREGINF) command.  You will see many exit points displayed, be sure to limit your changes to the specific exits named above.

If you don’t want to code your own solution, there is an audit reporting feature built into Kisco’s iEventMonitor software that can be used for near real time reporting of profile change events.  It is available for a free trial if you’d like to find out if would be helpful in your situation.

If you have any questions about this topic, you can reach me at rich at kisco.com.  I’ll give it my best shot.  All email messages will be answered.

Snooping On Critical Files

By Rich Loeber

If you’re a regular reader, you’ll know that last time around, I presented a method where you can use IBM i/OS object auditing to keep track of who is doing what with selected files and objects.  That’s a good way to keep a record of what’s happening with these critical resources on your system, but no matter how often you check results, it is always after the fact.  This time, I’ll give you a way to track and report on file access for read, change and/or delete with immediate, real time notification.  Using this method, you’ll know right away when someone is in the critical file you want to keep an eye on.  And, nobody will know about it except you, if you can keep quiet about something this cool.

To accomplish this trick, we’ll create a very simple trigger program and then associate it with the file you want to track.  Keeping the trigger program simple is a key to success for this method of object tracking control.  Keep in mind that every time the file is accessed for the method you choose (which you will see as you read on), the trigger program will be run by the system and it will run in line with the application that is accessing your file.  I’ll put in some cautions along the way to point out where this might be an issue.

A trigger program is nothing more than a standard IBM i/OS *PGM object.  When it is associated with a *FILE, the OS will call the program according to the instructions you provide with the trigger file registration.  Your trigger program must have two parameters, one for information about the event and the other a simple binary two byte number that will provide you with the length of the first parameter information.  The first parm can be variable, but for a simple application like this one, you can code it at a fixed length.  The variable length is there to support multiple record length files and the actual record contents are passed to the trigger program, but for our purposes, we won’t be using that part of the information.  I code the first parameter with a length of 136 and the second parameter with a length of 2.  The first 30 positions of parameter 1 contain the file name, library name and member name in that order.  Position 31 will have an indicator as to the trigger event and position 32 has the trigger time indicator.

You associate the trigger program with the file by using the Add Physical File Trigger (ADDPFTRG) command.  The parameters on this are fairly self explanatory.  Since you don’t want to hold up production, use the *AFTER option for your trigger time setting.
The trigger event will indicate when you want the trigger to be called and the values are:

  • *INSERT – whenever a record is added to the file
  • *DELETE – whenever a record is deleted from the file
  • *UPDATE – whenever an existing record is changed in the file
  • *READ – whenever an existing record in the file is read

A word of warning about using the *READ option, this can generate a huge number of calls to your trigger program and it is probably for the best if you avoid using it.  If you want to track multiple events, you will have to register each one with a separate use of the ADDPFTRG command.

When you’re all done with your tracking project, remember to clear your trigger file registrations.  This is done using the Remove Physical File Trigger (RMVPFTRG) command.  Just use the defaults once the file is specified and all of the trigger registrations can be removed at once.

How you code your trigger program itself depends on what you want to find out.  If you’re looking for a specific user profile, then check for it.  If you’re looking for a specific time of day or day of the week, check for that.  When you’ve found something that qualifies, or if you just want to report on everything, use the SNDMSG to send a message to your user profile (or a list of user profiles that you store in a data area) and you’re done.  If you use the SNDDST to send an email notification, it would be best to do this via a SBMJOB so that the application processing is not held up while you get this sent.

To better explain this technique, I’ve written a simple CLLE program that can be used with any file and contains comments along the way to show different options that you might want to implement.  If you’d like a copy of this trigger file shell program for free, just let me know and I’ll send you a copy via Email.

If you don’t want to bother with coding your own solution, Kisco’s iFileAudit software has this capability built in along with a lot of other neat ways to keep track of what’s going on with your files.  It is available for a free trial on your system.

You can reach me at rich at kisco.com, I’ll do my best to answer.  All email messages will be answered.