
The Limited Capability flag (LMTCPB) in the user profile prevents end users from entering commands at the traditional OS/400 command line interface. Users whose profiles are set to LMTCPB(*NO) have full access to the commands to which they are authorized. A user with command line authority on OS/400, that is LMTCPB(*NO) or LMTCPB(*PARTIAL), can run virtually any of the 2000+ commands that are shipped with the OS/400 operating system (V5R3).
Some of these commands, such as DSPJOB and DSPLIB, may not be of great concern. Other commands, such as ENDJOB, ENDSBS, and DLTJOB, are of greater concern, especially if the underlying objects are not properly secured. If a user has access to a command line, there is often no practical limit to what they can do.
PowerTech Recommendations
Use the Compliance Monitor 'Profiles with Command Line' report to audit all command line usage.
Profiles with Command Line Report

excerpt from report
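The same audit can be approximated with a query, shown here as an added example that is not part of the original page and is not the Compliance Monitor report. It assumes the system provides the QSYS2.USER_INFO SQL service, and the column names used should be checked against the target release.

```sql
-- Added example: list every profile that is NOT command-line restricted,
-- i.e. LMTCPB(*NO) or LMTCPB(*PARTIAL).
-- Assumption: the QSYS2.USER_INFO view exists on this system; the column
-- names below follow that view and should be verified on the target release.
SELECT authorization_name   AS user_profile,
       limit_capabilities   AS lmtcpb,
       status,                         -- *ENABLED or *DISABLED
       user_class_name,
       initial_menu_name,              -- the initial menu is itself a command entry point
       initial_program_name,
       previous_signon
  FROM qsys2.user_info
 WHERE limit_capabilities IN ('*NO', '*PARTIAL')
 ORDER BY CASE limit_capabilities WHEN '*NO' THEN 0 ELSE 1 END,   -- full access first
          CASE status WHEN '*ENABLED' THEN 0 ELSE 1 END,          -- usable profiles first
          authorization_name;

-- Summary for the audit record: how many profiles fall under each setting.
SELECT limit_capabilities AS lmtcpb,
       status,
       COUNT(*)           AS profiles
  FROM qsys2.user_info
 GROUP BY limit_capabilities, status
 ORDER BY limit_capabilities, status;
```

Each profile returned by the first query should map to a documented business need for command line access; the rest are candidates for LMTCPB(*YES).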
How Commands Are Entered
A user can enter commands from a variety of interfaces.
Some of the better known command entry points are:
The User’s Initial Menu
Subsequent menu options such as WRKJOB, WRKOUTQ or WRKJOBQ, or other IBM screens
Hidden Function Keys (F17) in business applications
FTP prompts
Client Access' Remote Command facility
DDM’s Remote Command facility
REXEC
Relevant Standards:
COBIT DS5.3 - Identity Management
All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements.
COBIT DS5.4 – User Account Management
Ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management. An approval procedure outlining the data or system owner granting the access privileges should be included.
ISO 27002 (17799) 11.5.4 - Use of System Utilities
The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled.
ISO 27002 (17799) 11.2.2 - Privilege Management
Special privileges should be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy (11.1.1.), i.e. the minimum requirement for their functional role only when needed.