By Rich Loeber,
One of the cardinal rules of securing your IBM i system is to prevent users from having open access to the i/OS command line unless absolutely necessary. Typically, access to the command line is limited to operators, programmers and other IT staff users who need it to get their jobs done. But, users in general should never be granted the use of the command line.
But, a knowledgeable PC user, using PC-based software tools such a iSeries Navigator, can run commands on your system without obtaining a signon screen and command line. Also, when a user submits a remote command, IBM’s i/OS does not honor the Limit Capability (LMTCPB) setting for the user profile in use. In my book, that is a significant security exposure! Granted, the user must be knowledgeable, but it can be done.
There are several ways that this can be accomplished, as follows:
• Using DDM (Distributed Data Management), a user can open a file and use the remote command function to run any command on the remote system.
• Using the iSeries Navigator client, or other similar PC software, a user can issue a command through DPC (Distributed Program Call) APIs without even using DDM.
• Using remote SQL and ODBC, some software can provide a remote command function without using either DDM or DPC
So, what’s a security officer to do?
To deal with the DDM issue, one easy way to control this is to simply turn DDM access off completely for your system. You should first verify that no current applications running on your system require DDM, DRDA (Distributed Relational Database Architecture) or DB2. To shut DDM off, simply run the following command:
This step is pretty drastic and will obviously not work for many shops where DDM, DRDA and/or DB2 are in use on a regular basis. For those shops, your best defense is an aggressive security policy that protects your critical data assets.
If you want to take an more active approach to this issue, then you’ll have to look into coding an exit point program, or you can purchase a third party software package that implements exit point processing. The easiest approach when creating your own exit program is to limit use of remote commands to a list of known user profiles. This will allow you to grant permission to process remote commands for known and trusted user profiles while denying permission to all others. In the exit point process, you can set a flag that will return a failure status to the PC software issuing the remote command process, so your user will know why their attempt failed. You can find more information about exit point programming in several different manuals. These include:
- Implementation Guide for iSeries Security and Auditing – GG24-4200
- iSeries Security Reference – SC41-5302
- iSeries System API Reference book