The Print Program Security command provides a good review of the
security aspects of a program. It extracts information from various
sources, points out considerations (if appropriate), and provides
helpful hints to tighten up security.
Securing a program is not as easy as it looks. There are many
different things to consider. PRTPGMSEC brings them together.
A typical command would be entered as:

     PRTPGMSEC PGM(xxx)

Spooled output would be provided that includes such things as:
** The basic information about the program (e.g. type, owner,
create and change dates).
** Whether the program has been changed since it was created.
** Usage information about the program.
** If it is a CL program, the status of the LOG and ALWRTVSRC
parameters.
** Whether the source file and member that were used for the
create still exist.
** Whether *PUBLIC has 'change' or 'read' authority to the
source file.
** If the member exists and it is a CL program, whether
user-written commands exist (based on the CHK400CMD TAA Tool).
** If the member exists, the last source change date per SEU is
compared against the same information stored in the object. A
determination is made if the source has been changed since the
program was created.
** The special authorities of the program owner.
** Whether the owner is a group profile.
** Whether the owner is a member of a group and if so, the name
of the group profile and the special authorities of the group
profile.
** Whether the program adopts the user's profile.
** Whether the program allows a program higher in the stack to
pass on an adopted profile's authority.
** The authority to the program.
** If an authorization list is used, the name of the list and
where the public gains its authorization from (the object or
the authorization list) is shown. If from the authorization
list, the authority of the *PUBLIC user is shown.
** The last save and restore information about the program.
** The cross reference information (files and programs used by
the program).
** If the program adopts a security-sensitive profile and uses
either QCMD or QCMDEXC, it is specifically highlighted.
** If any libraries exist before QSYS on the system portion of
the library list, a list of the users who can add to these
libraries is shown.
Security considerations are highlighted by a ** for minor
considerations and *** for major considerations. This allows you to
quickly scan with DSPSPLF for the information.
Helpful hints are provided to help you improve security.
Command parameters *CMD
------------------
PGM The qualified name of the program. The library
value defaults to *LIBL.
Restrictions
------------
You must be authorized to a variety of objects to successfully use
PRTPGMSEC. The objects include the program, the owner's profile, the
authorization list, etc.
In general, the command works best with a user that has *ALLOBJ
special authority. No program adoption occurs during the execution
of the program. System security is used to prevent access.
Prerequisites
-------------
The following TAA Tools must be on your system:

     ALCTMPMBR    Allocate temporary member
     CHK400CMD    Check i5/OS commands
     CHKRPGCALL   Check RPG CALLs
     CVTSYSLVL    Convert system level
     RTVOBJAUT    Retrieve object authority
     RTVPGMA      Retrieve program attributes
     SNDCOMPMSG   Send completion message
     SNDESCMSG    Send escape message
     SNDSTSMSG    Send status message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object       Type    Attribute    Src member    Src file
------       ----    ---------    ----------    ----------
PRTPGMSEC    *CMD                 TAASECS       QATTCMD
TAASECSC     *PGM    CLP          TAASECSC      QATTCL
TAASECSC2    *PGM    CLP          TAASECSC2     QATTCL
TAASECSC3    *PGM    CLP          TAASECSC3     QATTCL
TAASECSR     *PGM    RPG          TAASECSR      QATTRPG
Structure
---------
PRTPGMSEC Cmd
TAASECSC CL pgm
TAASECSR RPG Pgm
TAASECSC2 CL pgm
TAASECSC3 CL pgm