-
-
Save forstie/bce185329f3587346cc69f33fb7c5ffe to your computer and use it in GitHub Desktop.
-- | |
-- When an IFS directory includes W (write), you are exposed to malware attacks | |
-- Use this to review and overcome this topic for the all important ROOT directory | |
-- | |
-- For help on this or related security topics, contact Robert and team... | |
-- http://ibm.biz/IBMiSecurity | |
-- Robert Andrews - robert.andrews@us.ibm.com | |
-- | |
stop; | |
-- | |
-- Is the IFS root open to attack? | |
-- | |
select data_authority, | |
regexp_replace(data_authority, 'W', '') as remove_write | |
from table ( | |
qsys2.ifs_object_privileges('/') | |
) | |
where authorization_name = '*PUBLIC'; | |
stop; | |
-- | |
-- Protect the IFS root from attack | |
-- (this will remove the W from (*PUBLIC) | |
-- | |
begin | |
declare remove_write varchar(5) for sbcs data; | |
declare Public_Write_Count integer; | |
select count(*) | |
into Public_Write_Count | |
from table ( | |
qsys2.ifs_object_privileges('/') | |
) | |
where authorization_name = '*PUBLIC' and | |
data_authority like '%W%'; | |
if (Public_Write_Count = 1) then | |
select regexp_replace(data_authority, 'W', '') | |
into remove_write | |
from table ( | |
qsys2.ifs_object_privileges('/') | |
) | |
where authorization_name = '*PUBLIC'; | |
call qsys2.qcmdexc('QSYS/CHGAUT OBJ(''/'') USER(*PUBLIC) DTAAUT(''' concat | |
remove_write concat ''') '); | |
end if; | |
end; |
new years 2021, and i'm trying not to yell as much in my sql. made it to february!
You need to have 5770SS1 option 39 International Components for Unicode installed to run this code. Otherwise the code fails.
Install option 39 thru GO LICPGM, option 11. This will create a library QICU. If option 39 is not installed, and you are running this code with ACS-Run SQL Scripts - you will get an error that says something like QQQSVREG *SRVPGM in QSYS does not exist (even when it is there). If you run the script in the green screen, it will fail. exit sql back to a command line and display the job log. It will say the QICU does not exist, giving you the clue to install Option 39 to create lib QICU (International Components for Unicode). See https://www.ibm.com/docs/en/i/7.2?topic=category-international-components-unicode-apis
Yes, regexp_replace() is the piece that requires option 39.
This query can be used to understand if this pre-req is satisfied.
select *
from QSYS2.SOFTWARE_PRODUCT_INFO
where product_option = '39';
Hi Scot, this SQL statement also work to protect the root (public) from Ransomware attacks or only malware?
Just love you are using lowercase (lover case) for you gists - so much more readable. Spread the word and hoist it to standard :)
ps love this gist :)