A user’s ability to execute commands in a green-screen environment is controlled by the limit capabilities (LMTCPB) parameter on their profile.
Although without exit programs to extend IBM i security functions, even limited capability users could invoke commands through network interfaces such as FTP as long as:
- The user also has either public or private authority to the command object
- The user can satisfy any special authority requirements for the function being performed.
While this may sound sufficiently complicated, a large number of commands have open public authority and no special authority restrictions.
Traditionally, once a user gains access to command functions, the operating system does little to police when and how commands are run. A user with permission to power down the server during a weekend maintenance window can leverage that privilege at 10 a.m. on a Monday if they see fit. Programmers may utilize file editors to modify data in any file they have access to; even if corporate policy restricts it. And, security officers can simply turn off the server’s auditing functions despite regulatory compliance mandates to the contrary. The examples are endless.
Powertech’s Command Security has forever altered the way administrators and auditors view the IBM i command line. By intercepting a command before it’s executed, a powerful rules-based engine conditionally determines if there are additional actions that should be performed before—or as part of—the requested command. While preventing a command from executing is the most requested action and one that is easily accomplished, numerous additional actions are available:
- Overriding command parameters
- Sending a message
- Running an alternate command
- Many more
Multiple actions can be stacked together, creating a flexible, conditional environment to oversee commands. The best part? The conditions and actions of Command Security are enforceable against ANY user—including QSECOFR!
Based on customer feedback, PowerTech added additional decision criteria by which administrators can choose to control commands. Six data sources for conditional checking further Command Security’s ability to determine when an action should be performed, including:
*ACGCDE – The current user’s accounting code
*JOBUSER – The job’s sign-on user
*LMTCPB – The current user’s limit capability flag
*SPCAUT – The current user’s special authorities
*USRCLS – The current user’s user class
*USRPGM – A user-supplied condition evaluator
For ultimate flexibility, the *USRPGM condition enables complex evaluations that are not possible in the base application. An administrator specifies a user-written program that indicates to Command Security whether the desired criteria have been met. Examples of this flexible condition include determining if a particular subsystem is active or if a specific record exists in a data file.
An additional “action” is also included:
*QUEUEMSG – Send a predefined message description to a message queue
If your organization struggles with unconditional command execution, or has an audit department expressing concern over the commands available to privileged users, Command Security is just the ticket! Regardless of whether it’s necessary to block commands, notify an administrator, or preempt the requested command with another, Command Security is easy to use and provides an important function previously lacking in IBM i.