Re: ifs security and qpwfserver autl change gotchas? -- MIDRANGE-L

Hi all,

Last December, after having read a few articles on the subject, we run
some tests trying to access libraries and files from a Unix terminal. We
run some commands from the terminal command line and yes! we were able to
rename and delete files in libraries (v7r2); at least we couldn't change
the content . Obviously the terminal and the IBM system were in the same
local network. We knew this was critical.

When in January a ransomware accessed the intranet we discovered it when
the /home was already been attacked but not the other file systems, so Qsys
was safe.

In March we changed the IBM I system to a Power9 running v7r4 and I made
the changes you are talking about: *public hasn't write privileges on root
nor to the most of other directories and files, and *public is excluded
from qpwfserver autl.

We are still struggling a bit with the finest tune of ifs user authorities,
but still alive.

I don't know if this is enough to protect us when (not if) a new ransomware
will access our intranet, but so far so good.

Hope it helps.

Il Ven 28 Mag 2021, 10:25 <stefan@xxxxxxxxxx> ha scritto:

Hi Patrik,

Probably not, my intention was to point out that remote access by a user
with *allobj access will still expose the qsys.lib part of the IFS.
"Remote" is this case means QNTC, Netserver and QFilesvr.400 where the
latter might be used to copy objects between lpars.

Best regards

Stefan

--
No trees were killed in the sending of this message, but a large number of
electrons were terribly upset.

Stefan Tageson
+46 732 369934
stefan@xxxxxxxxxx

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Patrik
Schindler
Sent: Friday, May 28, 2021 10:18 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: ifs security and qpwfserver autl change gotchas?

Hello Stefan,

Am 27.05.2021 um 22:23 schrieb stefan@xxxxxxxxxx:

Yes, but " By setting Public authority on the QPWFSERVER AUTL to
*EXCLUDE, the users are restricted from accessing QSYS.LIB file system
by these methods

Emphasizing my limited knowledge, is there any point in accessing QSYS.LIB
by "remote" means, like a network share? The objects there are special, no
stream files. I guess, there's nothing within Windows can cope with.

:wq! PoC

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link:
https://amazon.midrange.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com