The Check CPP Authority command checks command objects in one or more
libraries that are specified as *PUBLIC *EXCLUDE. If the Command
Processing Program (CPP) is not *PUBLIC *EXCLUDE, the command is
flagged. If your intent is to prevent access by the *PUBLIC user to
a command, the CPP should also be considered for *PUBLIC *EXCLUDE to
prevent the use of the CALL command to the CPP.
The intent of CHKCPPAUT is to flag those situations where your security
may not be as good as you think it is.
A typical command would be:
CHKCPPAUT LIB(xxx)
All the commands in the named library that have an *EXCLUDE
authorization would be checked to see if the CPP was also *EXCLUDE.
You must have *ALLOBJ special authority to use a LIB value beginning
with Q, or the special values *LIBL, *ALL, *ALLUSR, *ALLUSR2,
*ALLNONQ, or *IBM.
You will have authorization exceptions if you specify libraries
containing objects that you are not authorized to. You can omit
these libraries with the OMITLIB parameter.
If your library request will cause the processing of the Q libraries,
the TAATOOL library, or a separate library containing TAATOOL
commands (based on a TAATOOL install option), you may want to omit
them with the OMITLIB parameter such as:
CHKCPPAUT LIB(*ALL) OMITLIB(Q* TAATOOL)
QSECURITY System Value and Object Domain
----------------------------------------
If your system has a QSECURITY system value of Level 40 or above, the
system provides automatic protection in that any programs in the
system domain cannot be called using the CALL command. This includes
all programs used as CPPs for system commands. Only system programs
can exist in the system domain. Programs created by commands such as
CRTCLPGM or CRTBNDRPG only exist in the user domain. You can see the
domain of a program by using the TAA DSPOBJD2 command.
Objects controlled by an Authorization List
-------------------------------------------
You may secure a command and/or its CPP using the same or different
Authorization Lists (*AUTL). CHKCPPAUT determines that if an
Authorization List exists and the *PUBLIC authority to the object is
*AUTL, that the authority comes from the Authorization List.
Commands which specify *LIBL or *CURLIB for the CPP
---------------------------------------------------
If a command specifies a qualified library name of *LIBL or *CURLIB,
the library list of the user running the CHKCPPAUT command is used.
If *LIBL is used, the first program found on the library list is
considered to be the CPP.
This may provide misleading information.
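As an added example (not the TAA tool's own code), the following Python models the decisions described above: the *EXCLUDE comparison between a command and its CPP, the *AUTL lookup against an Authorization List, *LIBL resolution against the library list of the user running the check, and generic names in OMITLIB. All libraries, commands, programs and authorities are constructed; only *ALL and explicit or generic library names are modelled, not *ALLUSR, *ALLNONQ, *IBM or *CURLIB.

```python
from fnmatch import fnmatchcase
# Constructed inventory (not a real system): (cmd_lib, cmd) -> (cpp_lib, cpp_pgm)
COMMANDS = {
    ("APPLIB", "RUNPAYROLL"): ("APPLIB", "PAYR001"),
    ("APPLIB", "LISTJOBS"): ("*LIBL", "LSTJOB"),
    ("APPLIB", "PURGEDATA"): ("APPLIB", "PURGE01"),
    ("QGPL", "ARCHIVE"): ("QGPL", "ARCH001"),
}
# Constructed *PUBLIC authority: (lib, name, type) -> (authority, authorization list)
PUBLIC_AUT = {
    ("APPLIB", "RUNPAYROLL", "*CMD"): ("*EXCLUDE", None),
    ("APPLIB", "PAYR001", "*PGM"): ("*USE", None),        # CPP weaker than its command
    ("APPLIB", "LISTJOBS", "*CMD"): ("*AUTL", "PAYAUTL"),
    ("TOOLLIB", "LSTJOB", "*PGM"): ("*AUTL", "PAYAUTL"),
    ("APPLIB", "LSTJOB", "*PGM"): ("*USE", None),         # same name later on *LIBL
    ("APPLIB", "PURGEDATA", "*CMD"): ("*EXCLUDE", None),
    ("APPLIB", "PURGE01", "*PGM"): ("*EXCLUDE", None),
    ("QGPL", "ARCHIVE", "*CMD"): ("*EXCLUDE", None),
    ("QGPL", "ARCH001", "*PGM"): ("*CHANGE", None),
}
AUTL_PUBLIC = {"PAYAUTL": "*EXCLUDE"}         # *PUBLIC entry of each authorization list
LIBRARY_LIST = ["QGPL", "TOOLLIB", "APPLIB"]  # library list of the user running the check

def public_authority(lib, name, obj_type):
    """Effective *PUBLIC authority; *AUTL means it comes from the authorization list."""
    aut, autl = PUBLIC_AUT[(lib, name, obj_type)]
    return AUTL_PUBLIC[autl] if aut == "*AUTL" else aut

def resolve_cpp(cpp_lib, cpp_pgm):
    """*LIBL: the first program of that name on the library list is taken as the CPP."""
    if cpp_lib != "*LIBL":
        return cpp_lib, cpp_pgm
    for lib in LIBRARY_LIST:
        if (lib, cpp_pgm, "*PGM") in PUBLIC_AUT:
            return lib, cpp_pgm          # a copy later on the list is never examined
    raise LookupError(f"{cpp_pgm} not found on the library list")

def chkcppaut(lib_list, omitlib=()):
    """Flag *PUBLIC *EXCLUDE commands whose CPP is not *PUBLIC *EXCLUDE (generic names allowed)."""
    matches = lambda lib, pats: any(fnmatchcase(lib, p) for p in pats)
    flagged = []
    for (cmd_lib, cmd), (cpp_lib, cpp) in COMMANDS.items():
        if "*ALL" not in lib_list and not matches(cmd_lib, lib_list):
            continue
        if matches(cmd_lib, omitlib) or public_authority(cmd_lib, cmd, "*CMD") != "*EXCLUDE":
            continue
        cpp_lib, cpp = resolve_cpp(cpp_lib, cpp)
        cpp_aut = public_authority(cpp_lib, cpp, "*PGM")
        if cpp_aut != "*EXCLUDE":
            flagged.append((cmd_lib, cmd, cpp_lib, cpp, cpp_aut))
    return flagged
```

With LIB(*ALL) OMITLIB(Q*) only RUNPAYROLL is flagged; LISTJOBS is passed because its *LIBL CPP resolves to the TOOLLIB copy secured by PAYAUTL, even though a *PUBLIC *USE copy of LSTJOB sits later on the list.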
TAA Productivity Tool Exceptions
--------------------------------
CHGUSRPWD   The tool requires the user to modify programs and
            place them in the TAASECURE library. Since this is
            a secure library, the function cannot be used by a
            *PUBLIC user.

SNDUSRBRK   The SNDUSRBRK CPP is intended to be run in a CL
            program. This allows a CL program to determine that
            the user needs to send a break message. The
            command is *PUBLIC *EXCLUDE and the program TAAMSHJC
            is *PUBLIC *USE. The SNDUSRBRK2 command requires
            the user to be authorized to the TAASNDBRK
            Authorization List. It uses the same TAAMSHJC
            program as the CPP.

            The function only sends a break message to a user
            and is not a significant security concern. Calling
            the CPP directly from a command line would be
            difficult because the user must key a 256 byte
            message.

SBMJOB2     The SBMJOB2 and SBMJOB3 commands use different
            defaults than the system SBMJOB command. The TAA
            commands use the SBMJOB CPP in QSYS. If you are at
            Security Level 40 or above, the CPP cannot be called
            directly.
CHKCPPAUT escape messages you can monitor for
---------------------------------------------
TAA9891     No libraries were found to process
TAA9892     No commands were found to process

Escape messages from based-on functions will be re-sent.
Command parameters *CMD
-----------------------
LIB         The list of libraries to be processed. Up to 300
            libraries may be entered (including generic names)
            or the special values *LIBL, *USRLIBL, *CURLIB,
            *ALLUSR, *ALLUSR2, *ALLNONQ, *IBM, or *ALL.

            For *LIBL and *USRLIBL, if a current library exists,
            it will be considered before the libraries on the
            user portion of the library list. If the current
            library is also part of the user portion of the
            library list, it will only appear once.

            *ALLUSR means any library that was not created by
            the system according to the CHKIBMLIB command.

            *ALLUSR2 means any library that meets the criteria
            specified for the SAVLIB LIB(*ALLUSR) function.
            This excludes # libraries such as #SEULIB and
            includes QUSRSYS, QGPL, etc. See the help text for
            the SAVLIB LIB parameter for a complete description.

            *ALLNONQ means any library that does not begin with
            the letter Q.

            An entry of *IBM causes all libraries to be included
            as per the definition of the CHKIBMLIB tool.

            Product libraries (those in the product portion of
            the library list) are never included.

            You must have *ALLOBJ special authority to use a
            value of *ALL, *ALLUSR, *ALLUSR2, *ALLNONQ, or *IBM.

LIBTYPE     Whether to select all or a specified library type.

            *ALL is the default to select all types.

            *PROD may be used to select only production (PROD)
            libraries.

            *TEST may be used to select only test (TEST)
            libraries.

OMITLIB     A list of up to 300 libraries or generic library
            names that should be omitted. *NONE is the default.

            An omit list may not be entered for LIB(*CURLIB).

            Any library entered is checked for existence.

            No check occurs to see if an omit library would have
            been selected. For example, if LIB(*LIBL) is
            entered with OMITLIB(ABC) and library ABC is not on
            the library list, no error occurs.
Restrictions
------------
See previous comments.
Prerequisites
-------------
The following TAA Tools must be on your system:
CHKALLOBJ   Check *ALLOBJ special authority
CHKDUPLST   Check duplicate list
EDTVAR      Edit variable
EXTLST      Extract list
EXTLST2     Extract list 2
RTVCMDA     Retrieve command attributes
RTVOBJAUT   Retrieve object authority
RTVSYSVAL3  Retrieve system value 3
SNDCOMPMSG  Send completion message
SNDESCMSG   Send escape message
SNDSTSMSG   Send status message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object      Type    Attribute   Src member   Src file
------      ----    ---------   ----------   --------
CHKCPPAUT   *CMD                TAASEFQ      QATTCMD
TAASEFQC    *PGM    CLP         TAASEFQC     QATTCL
TAASEFQC2   *PGM    CLP         TAASEFQC2    QATTCL
TAASEFQR    *PGM    RPG         TAASEFQR     QATTRPG