@forstie
Created February 8, 2021 19:48
When an IFS directory's *PUBLIC data authority includes W (write), you are exposed to malware attacks. Use this to review and overcome this topic for the all-important ROOT directory.
--
-- When an IFS directory includes W (write), you are exposed to malware attacks
-- Use this to review and overcome this topic for the all important ROOT directory
--
-- For help on this or related security topics, contact Robert and team...
-- http://ibm.biz/IBMiSecurity
-- Robert Andrews - robert.andrews@us.ibm.com
--
stop;
--
-- Is the IFS root open to attack?
--
select data_authority,
       regexp_replace(data_authority, 'W', '') as remove_write
  from table (
      qsys2.ifs_object_privileges('/')
    )
  where authorization_name = '*PUBLIC';
stop;
--
-- Protect the IFS root from attack
-- (this will remove the W from *PUBLIC)
--
begin
  declare remove_write varchar(5) for sbcs data;
  declare Public_Write_Count integer;
  select count(*)
    into Public_Write_Count
    from table (
        qsys2.ifs_object_privileges('/')
      )
    where authorization_name = '*PUBLIC' and
          data_authority like '%W%';
  if (Public_Write_Count = 1) then
    select regexp_replace(data_authority, 'W', '')
      into remove_write
      from table (
          qsys2.ifs_object_privileges('/')
        )
      where authorization_name = '*PUBLIC';
    call qsys2.qcmdexc('QSYS/CHGAUT OBJ(''/'') USER(*PUBLIC) DTAAUT(''' concat
          remove_write concat ''') ');
  end if;
end;
forstie commented May 19, 2021

Yes, regexp_replace() is the piece that requires option 39.

This query can be used to understand if this pre-req is satisfied.

select *
from QSYS2.SOFTWARE_PRODUCT_INFO
where product_option = '39';
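
A review-only variant of the gist's check, as an added example that is not part of the gist or of the author's comments: it uses the built-in REPLACE scalar function rather than regexp_replace(), the piece the comment above ties to option 39, and it only builds the CHGAUT command text for inspection instead of running it. The column aliases and the mapping of a `*W` authority to `*NONE` (stripping W there would leave a bare `*`) are assumptions of this example.

```sql
-- Added example (not the gist author's code).
-- Shows the current *PUBLIC data authority on '/', the authority that
-- would remain once W is removed, and the command that would apply it.
-- Nothing is changed; the command is returned as text for review.
with public_root as (
  select data_authority,
         replace(data_authority, 'W', '') as stripped
    from table (
        qsys2.ifs_object_privileges('/')
      )
    where authorization_name = '*PUBLIC'
)
select data_authority as current_authority,
       case
         when data_authority not like '%W%' then 'no change needed'
         -- Assumption: '*W' minus W is a bare '*', so propose *NONE
         when stripped = '*' then '*NONE'
         else stripped
       end as proposed_authority,
       case
         when data_authority not like '%W%' then cast(null as varchar(100))
         else 'QSYS/CHGAUT OBJ(''/'') USER(*PUBLIC) DTAAUT(' concat
              case when stripped = '*' then '*NONE' else stripped end
              concat ')'
       end as command_to_review
  from public_root;
```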

@EdgardoEhiyan

Hi Scot, does this SQL statement also work to protect the root (public) from ransomware attacks, or only malware?
