IBM continues to provide new and enhanced features to help us secure IBM i, and ACS version 1.1.9.9 is no exception. Two security features are included in this version: passphrase-protected SSH keys used by Open Source Package Management, and 16 new examples provided in the Insert from Examples feature of Run SQL Scripts.
The complete list of ACS 1.1.9.9 enhancements is available from IBM at this link.
Why is this important? Many IBM i shops are using code repositories such as GitHub. The need to secure code repositories has risen in recent years. Organizations are requiring security measures to control who can access, modify and/or manage code in their repositories. For example, the ability to push code to the repository is often secured with an SSH private key. However, if a bad actor gains access to the system from which the code is being pushed, they have unrestricted access to the private key and can perform malicious acts on that code. Adding a passphrase to the private key protects it from misuse. Providing this support via ACS keeps it in line with the industry requirements for secure code management.
If you’ve heard Scott Forstie (Db2 for i Business Architect) speak recently, you know that he’s been raising the awareness for the need to secure Db2 for i data. His point is, what good does it do to have a world-class database if the data isn’t secure? I couldn’t agree more! To that end, he’s provided 16 new examples that anyone can use to determine how exposed their data is:
Security - Audit Journal CD review
Security - Auditing configuration for commands
Security - Commands that Limited Capabilities can use
Security - Db2 for i - Delete attack vector
Security - Db2 for i - Insert attack vector
Security - Db2 for i - Query attack vector
Security - Db2 for i - RENAME attack
Security - Db2 for i - Trigger attack vector
Security - Db2 for i - Update attack vector
Security - IFS home directories (detail)
Security - IFS home directories (summary)
Security - Library List security review
Security - Powerful commands
Security - Special Authority and Db2 data
Security - User profile attack vector
Security - Users with Limited Capabilities
To get to these, open Run SQL Scripts and go to Edit, Examples, Insert from Examples. Change the drop-down to IBM i Services and scroll down to the Security section. Click on the example name and the SQL appears in the right window. You can use the example as is – simply use the Insert button to add it into your Run SQL Scripts window. Or, you can modify it and save the modified version as your own example. Each example includes a description (purpose) of the SQL, and most also state the minimum required release. Note - No new IBM i Services were added – just new examples of how to make use of existing services, with an emphasis on helping you determine your data's security risk level.
Why is adding these examples so important? Anything that raises awareness for the need to take action to secure data residing on IBM i is a good thing. Data has value to organizations and needs to be secured but often is not. In addition, gone is the excuse organizations make saying they don’t know where to start or how to get their IBM i Security configuration information. All organizations need to do is insert the examples or one of the previously supplied examples and run the SQL – it can’t be easier than that!
One of my favorite additions is the Security – Commands that Limited Capabilities can use example. Over the years, I've been shocked to see which commands have been modified so that a limited capability user can run them. This SQL allows you to easily display the list. Of course, a limited capability user can run any command via Run SQL Scripts, but that's for another article!
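To show the kind of check these examples perform, here is an added SQL example of my own; it is not the text IBM ships in Insert from Examples. It assumes the QSYS2.COMMAND_INFO and QSYS2.USER_INFO services and the column names shown (confirm them against the documentation for your release), and the NOT IN list is an assumed baseline of commands IBM delivers with ALWLMTUSR(*YES), so verify it before treating the remaining rows as site modifications. The second query pairs the Limited Capabilities and Special Authority examples above: a limited user with *ALLOBJ or *SECADM is restricted only at the command line, not in what those authorities allow through SQL and other interfaces.

```sql
-- Added example (not the IBM-supplied example text).
-- Assumes the QSYS2.COMMAND_INFO and QSYS2.USER_INFO views with the
-- columns used below; check them against your release's documentation.

-- 1. Commands a limited-capability user (LMTCPB(*YES)) is allowed to run.
--    The NOT IN list is an ASSUMED baseline of commands IBM ships with
--    ALWLMTUSR(*YES); rows outside it were most likely changed on site.
SELECT command_library,
       command_name,
       allow_limited_user
  FROM qsys2.command_info
 WHERE allow_limited_user = 'YES'
   AND command_name NOT IN ('SIGNOFF', 'SNDMSG', 'DSPMSG', 'DSPJOB',
                            'DSPJOBLOG', 'STRPCO', 'WRKMSG')
 ORDER BY command_library, command_name;

-- 2. Limited-capability users who nonetheless hold powerful special
--    authorities. LMTCPB limits the command line, not what *ALLOBJ or
--    *SECADM permit through Run SQL Scripts, ODBC, or other interfaces.
SELECT authorization_name,
       limit_capabilities,
       status,
       special_authorities
  FROM qsys2.user_info
 WHERE limit_capabilities IN ('*YES', '*PARTIAL')
   AND (special_authorities LIKE '%*ALLOBJ%'
        OR special_authorities LIKE '%*SECADM%')
 ORDER BY authorization_name;
```

Run both queries from Run SQL Scripts as you would the supplied examples; an empty result from the first means no command beyond the baseline has been opened to limited users, and an empty result from the second means no limited user carries authorities that make the limit cosmetic.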
While you can run these examples as a profile with *ALLOBJ, I think the better visual is to run them as a profile that doesn't have *ALLOBJ, as this drives home how easily your end users can get a list of files they could exploit (assuming you haven't taken action to secure your data). If you get results you're not expecting and don't have the expertise to resolve the issues, don't hesitate to contact us for a discussion of your options.
IBM delivered more than just these two security enhancements in the ACS 1.1.9.9 release. Here’s the full list of updates for this and previous releases.
Contributed by:
Carol Woodbury
IBM i Security SME
Kisco Systems