
Prior to 1995, IBM shipped all of its own libraries with *PUBLIC *CHANGE authority. If *PUBLIC has any authority greater than AUT(*USE) to a library, anyone with a valid user profile and password can get a catalog of all objects in the library and delete objects out of the library (assuming Delete authority to the specific object in question).
Run the library authority report with option for PUBLIC authorities only set to "Y" to identify any libraries to which Public has greater than *USE authority.
If *PUBLIC has *CHANGE authority to a library, anyone with a valid user profile and password can get a catalog of all objects in the library and delete objects out of it (again, assuming Delete authority to the specific object in question).
*ALL authority additionally conveys the right to delete the library itself. Most auditors recommend that *PUBLIC authority be set to *EXCLUDE for production programs and databases.
Also, identify any high security library objects, and then use the library authority report with specific library names entered as parameters. List all authorities for these objects.
IBM also ships the default system value for QCRTAUT as *CHANGE. The QCRTAUT system value controls the authority that *PUBLIC will receive to newly created objects stored in a library. While this attribute can (and should) be controlled at an individual library level, most library descriptions refer to the system value to receive their setting.
If the customer's system has its QCRTAUT system value set to *CHANGE, every new object created in any application library will automatically grant *CHANGE rights to *PUBLIC.
You may want to consider changing this value to a more restrictive setting, *USE, or even *EXCLUDE, and then using a change management product such as Turnover (from SoftLanding Systems) to regulate the authority of newly created objects. *CHANGE authority is certain to be too permissive for some objects (programs, print files, display files, etc.) and too restrictive for other objects (certain data files, message queues, data queues, etc.).
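The following Python helper, added here as an illustration and not part of the PowerTech product or its reports, applies the audit logic described above to a constructed extract of library data: it resolves each library's CRTAUT through the QCRTAUT system value when CRTAUT is *SYSVAL, flags libraries where *PUBLIC holds more than *USE, and flags *ALL separately because it permits deleting the library itself. The library names and authority values are made up for the example.

```python
# Constructed sample standing in for a library authority report extract.
# On a real system the same data comes from DSPOBJAUT OBJ(QSYS/name)
# OBJTYPE(*LIB) (the *PUBLIC row), DSPLIBD LIB(name) (the CRTAUT value)
# and DSPSYSVAL SYSVAL(QCRTAUT).
SAMPLE_LIBRARIES = [
    {"library": "PAYROLL", "public_aut": "*CHANGE",  "crtaut": "*SYSVAL"},
    {"library": "GLDATA",  "public_aut": "*ALL",     "crtaut": "*USE"},
    {"library": "RPTOUT",  "public_aut": "*USE",     "crtaut": "*SYSVAL"},
    {"library": "HRPROD",  "public_aut": "*EXCLUDE", "crtaut": "*EXCLUDE"},
    {"library": "SHARED",  "public_aut": "*AUTL",    "crtaut": "*CHANGE"},
]
QCRTAUT_SHIPPED = "*CHANGE"  # IBM's shipped default for the system value

# Object authority levels in increasing order of access.
AUTHORITY_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


def effective_create_authority(lib_crtaut: str, qcrtaut: str) -> str:
    """Resolve a library's CRTAUT: *SYSVAL defers to the QCRTAUT system value."""
    return qcrtaut if lib_crtaut == "*SYSVAL" else lib_crtaut


def exceeds_use(authority: str) -> bool:
    """True when an authority level grants more than *USE."""
    return AUTHORITY_RANK[authority] > AUTHORITY_RANK["*USE"]


def audit_libraries(libraries, qcrtaut):
    """Return {library: [finding, ...]} for libraries that need attention."""
    findings = {}
    for lib in libraries:
        public, issues = lib["public_aut"], []
        if public == "*AUTL":
            # *PUBLIC authority comes from an authorization list; check it by hand.
            issues.append("*PUBLIC authority delegated to an authorization list")
        elif public == "*ALL":
            issues.append("*PUBLIC can delete the library itself")
        elif exceeds_use(public):
            issues.append(f"*PUBLIC has {public}: can catalog and delete objects")
        crtaut = effective_create_authority(lib["crtaut"], qcrtaut)
        if exceeds_use(crtaut):
            issues.append(f"new objects get *PUBLIC {crtaut} (CRTAUT {lib['crtaut']})")
        if issues:
            findings[lib["library"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_libraries(SAMPLE_LIBRARIES, QCRTAUT_SHIPPED).items():
        print(name, "->", "; ".join(issues))
```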
PowerTech Recommendations
Use the Compliance Monitor 'Library Object Authority Information' report to audit all library object authority data.
Library Object Authority Information

Relevant Standards:
COBIT DS5.3 – Identity Management
All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable.
ISO 27002 (17799) 11.6.1 - Information Access Restriction
Access to information and application system functions by users and support personnel should be restricted in accordance with the defined access control policy.