1.  Home
  2. MIDRANGE-L
  3. April 2008

RE: Anti-virus for i5OS

There is a difference between *ALLOBJ authority and QSECOFR. My main
issue here is with the requirement to use QSECOFR. I also have issues
with the requirement of *ALLOBJ but that is a separate one and easier to
justify in certain cases. It is each admin's responsibility to be aware
of and develop their own security standards. In our case we rarely if
ever use the actual QSECOFR profile.

Remember, QSECOFR does not just have *ALLOBJ, it also has *AUDIT,
*IOSYSCFG, *JOBCTL, *SAVSYS, *SECADM, *SERVICE and *SPLCTL.

Sorry, but a user with *ALLOBJ can give themselves *AUDIT, *IOSYSCFG,
*JOBCTL, *SAVSYS, *SECADM and *SPLCTL. From "Expert's Guide to OS/400 and
i5/OS Security", page 67:

"For example, *ALLOBJ special authority gives a user unlimited access to
and control over ALL objects-a user with *ALLOBJ special authority can
perform any function on any object on your system."

There is only a one step difference between a user with *ALLOBJ and
QSECOFR, that of the user with *ALLOBJ going into their own profile and
granting themselves the missing options. You can lock both *ALLOBJ users
and QSECOFR out of certain sysvals by pushing them up to SST level
maintenance, but if you've given a user *ALLOBJ you might as well have
made them QSECOFR.

Do you want your new software package to adjust your auditing level,
create a PPP connection and add a job schedule entry that calls home and
reports **anything it wants** from your system? ABC Corp may have just
used "social engineering" to get you to install your very own iSeries
virus!

A totally false question. Who is going to say yes? The point is that
merely changing the user id used for installation from QSECOFR to one with
*ALLOBJ hasn't fixed anything. I can do anything with *ALLOBJ that I can
do with QSECOFR. The user with *ALLOBJ has full rights to the QSECOFR
profile. If he doesn't, he can just grant himself those rights.

As hinted at above, you can push auditing values to SST level, so that
even QSECOFR can't change them. The point remains, *ALLOBJ is essentially
no different from QSECOFR..........


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.