During this period of enforced lockdown Rowton Staff have been encouraged to spend more time on Training and Education.
A recent webinar I watched was one from a series by Robin Tatum from HelpSystems entitled 2020 State of IBM i Security Study. https://www.helpsystems.com/cta/download-state-ibm-i-security-study-guide
One of the points discussed which stood out for me was about Exit Points. At this point I have a confession to make. I’ve been working on IBM Systems since 1980 as an RPG developer and in all that time have never found reason to enable an exit point. I suppose this is what piqued my interest and I thought I should learn a bit more about them.
What Are Exit Points?
Think of an entrance to a building which has a security guard you must get past before you can go in. You walk up to the entrance, the security guard sees you and waves you through: no questions, no identity check, nothing, you're in, even though the guard has never seen you before. He might as well not be there.
Well, an exit point with no exit program registered against it is a bit like that, and on the majority of systems that is the situation for all kinds of functions: FTP, ODBC, JDBC and DDM, to name but four. It means that anyone with sufficient authority and a little knowledge of the system can download data to an external device and you would know nothing about it.
Let's take a Payroll master file as an example. If you know the library and file name, no problem: download it to a PC (straight into Excel if you like) and take it away to browse through at your leisure. Now, I agree your standard IBM i user would not know how to do this, but it is not difficult to find out how, and the software needed to do it is loaded on the majority of IBM i users' PCs by default.
The problem is that without exit programs registered on these exit points the system cannot give you an audit trail of what users requested through common network functions such as FTP and ODBC. Object auditing can record that a file was read, but not the FTP command or SQL statement behind that read.
IBM’s explanation of an exit point goes something like this. An exit point signifies the point in a system function or program where control is turned over to one or more exit programs to perform a function.
Exit Points = Control And Knowledge
Wouldn't it be great to know who had attempted to download a sensitive file and that they had been prevented from doing so? Exit programs give you the ability to do just that. An exit program should be doing two things: checking whether the request is valid, and thereby allowing or denying it, and adding to an audit log so that every request to, say, FTP is recorded. This is achieved with an exit program which you can write yourself.
What happens is that the FTP function is requested and, because there is an exit program registered, the security guard sees you, but this time says, "Hold on a second (or, in the case of an IBM i on POWER9, a millisecond!), give me your credentials and I'll go and see whether you are authorised to do this."
At this point in the process the operating system hands control over to you, the programmer: your exit program is called with a predefined set of parameters. Depending on the exit point these may include the user profile, the requested file, the IP address the request came from, and much more.
What the exit program does with the parameters passed to it is up to the programmer. You may decide that only user profiles in a group called "Admin" can use FTP, or that only certain IP addresses can use ODBC. Maybe you decide you just need to record the details of the request. Either way, before your exit program ends it sets the return parameter(s) the format defines (for the FTP server request validation exit, for example, a single "allow operation" value), and when control passes back to the operating system it examines what was returned to decide whether the request is approved or denied.
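As an added example (not code from the article, from Rowton or from IBM), here is the core of what such an exit program might look like in ILE C for the FTP server request validation exit point, QIBM_QTMF_SERVER_REQ, format VLRQ0100. The parameter list (application identifier, operation identifier, user profile, remote IP address and its length, operation-specific information and its length, and the "allow operation" return value) is the one IBM defines for that format; the policy it enforces, the profile names SECADM and PAYADM, the 10.20.30.x subnet, the sample request and the audit line written to stdout are all assumptions made up for illustration.

```c
/* Added example (not from the article): decision logic for an FTP server
 * request validation exit program on IBM i, exit point QIBM_QTMF_SERVER_REQ,
 * format VLRQ0100. The parameter layout is IBM's; the policy (which profiles
 * may download, which addresses may connect) and the audit line are assumed
 * here purely for illustration. */
#include <stdio.h>
#include <string.h>

/* Operation identifiers defined for format VLRQ0100 */
enum {
    OP_SESSION_INIT = 0, OP_CREATE_DIR = 1, OP_DELETE_DIR = 2, OP_SET_DIR = 3,
    OP_LIST = 4, OP_DELETE_FILE = 5, OP_SEND_FILE = 6, /* server sends = client download */
    OP_RECEIVE_FILE = 7, OP_RENAME = 8, OP_EXEC_CMD = 9
};
#define APP_FTP_SERVER 1   /* application identifier for the FTP server */
#define ALLOW  1           /* values for the "Allow operation" output parameter */
#define REJECT 0

/* The VLRQ0100 input parameters as the operating system passes them.
 * Char(n) fields are blank padded and not NUL terminated. */
struct ftp_request {
    int         app_id;
    int         op_id;
    char        user[10];         /* Char(10) user profile */
    const char *remote_ip;        /* Char(*) remote IP address */
    int         remote_ip_len;
    const char *op_info;          /* Char(*) operation-specific info (path, command) */
    int         op_info_len;
};

/* Trim a blank-padded Char(n) field into a NUL-terminated C string. */
static void char_n_to_str(const char *src, int n, char *dst, size_t dstsz)
{
    while (n > 0 && src[n - 1] == ' ')
        n--;
    if ((size_t)n >= dstsz)
        n = (int)dstsz - 1;
    memcpy(dst, src, (size_t)n);
    dst[n] = '\0';
}

/* Assumed policy: only these profiles may download (a stand-in for checking
 * membership of an ADMIN group profile), and sessions may only be opened from
 * this subnet. Both lists are made up for the example. */
static const char *download_users[] = { "SECADM", "PAYADM" };
static const char  trusted_prefix[] = "10.20.30.";

static int user_may_download(const char *user)
{
    size_t i;
    for (i = 0; i < sizeof download_users / sizeof download_users[0]; i++)
        if (strcmp(user, download_users[i]) == 0)
            return 1;
    return 0;
}

static int address_trusted(const char *ip)
{
    return strncmp(ip, trusted_prefix, strlen(trusted_prefix)) == 0;
}

/* Evaluate one request: write one audit line to `log` (NULL to skip) and return
 * the value to place in the "Allow operation" parameter. Every request is
 * logged, allowed or not, which is the second job of an exit program. */
int validate_ftp_request(const struct ftp_request *rq, FILE *log)
{
    char user[11], ip[46], info[256];
    int allow = ALLOW;

    char_n_to_str(rq->user, 10, user, sizeof user);
    char_n_to_str(rq->remote_ip, rq->remote_ip_len, ip, sizeof ip);
    char_n_to_str(rq->op_info, rq->op_info_len, info, sizeof info);

    if (rq->app_id == APP_FTP_SERVER) {
        if (rq->op_id == OP_SESSION_INIT && !address_trusted(ip))
            allow = REJECT;          /* unknown network: refuse the logon */
        else if (rq->op_id == OP_SEND_FILE && !user_may_download(user))
            allow = REJECT;          /* downloads for named profiles only */
        else if (rq->op_id == OP_EXEC_CMD)
            allow = REJECT;          /* never run CL commands via FTP */
    }
    if (log)
        fprintf(log, "FTP app=%d op=%d user=%s ip=%s info=\"%s\" %s\n",
                rq->app_id, rq->op_id, user, ip, info,
                allow == ALLOW ? "ALLOWED" : "REJECTED");
    return allow;
}

/* Convenience wrapper: build a VLRQ0100-style request from C strings
 * (padding the profile to Char(10)) and evaluate it without logging. */
int ftp_decision(int op_id, const char *user, const char *ip, const char *info)
{
    struct ftp_request rq;
    size_t ulen = strlen(user) < 10 ? strlen(user) : 10;
    rq.app_id = APP_FTP_SERVER;
    rq.op_id = op_id;
    memset(rq.user, ' ', sizeof rq.user);
    memcpy(rq.user, user, ulen);
    rq.remote_ip = ip;   rq.remote_ip_len = (int)strlen(ip);
    rq.op_info = info;   rq.op_info_len = (int)strlen(info);
    return validate_ftp_request(&rq, NULL);
}

/* Stand-alone driver with a constructed request. A real ILE C exit program
 * would instead read the eight VLRQ0100 parameters the OS passes by
 * reference (argv[1]..argv[8]) and store the result through the last one. */
int main(void)
{
    static const char ip[] = "192.168.1.50";
    static const char path[] = "/QSYS.LIB/PAYROLL.LIB/PAYMST.FILE";
    struct ftp_request rq = { APP_FTP_SERVER, OP_SEND_FILE, "JSMITH    ",
                              ip, (int)strlen(ip), path, (int)strlen(path) };
    validate_ftp_request(&rq, stdout);   /* prints ... REJECTED */
    return 0;
}
```

To put the guard on duty you would compile this into a program object, register it with ADDEXITPGM EXITPNT(QIBM_QTMF_SERVER_REQ) FORMAT(VLRQ0100) PGMNBR(1) PGM(MYLIB/FTPEXIT) (the library and program names are placeholders) and then end and restart the FTP server with ENDTCPSVR SERVER(*FTP) and STRTCPSVR SERVER(*FTP) so that it picks the registration up. In production the audit line would go to a journal or a secured physical file rather than stdout, and the profile and address lists would be read from a protected file rather than hard coded.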
Why Are Exit Points So Good?
The great thing about exit points is that there is no way around them. They are part of the operating system, and you can't bypass the OS on IBM i; it just doesn't work like that. This is one of the things that makes IBM i one of the most securable servers you can buy. The caveat is that the guard only works if someone has hired him: an exit program has to be registered against the exit point, and the registration and the program object itself need to be protected, because an administrator with enough authority can remove an exit program as easily as add one.
Let's be clear about something: some people assume that IBM i is secure out of the box, with its default configuration, but that isn't so. It needs to be configured, and exit programs can play a key part in that configuration.
There are commercial products out there which do all the leg work for you and very quickly give you visibility of who's doing what on your system, and for sites with no IT staff this is the way to go.
Where Are Exit Points Defined?
The majority of exit points are defined in a system repository called the Registration facility. From a command line, type WRKREGINF to see the IBM-defined exit points you didn't know you already had!
Some of the historical exit points are still defined in system values and network attributes, but even those now typically point to an exit point defined in the Registration facility. It is there that you find out which exit point format (parameter list) your exit program must accept in order to interface with the exit point, and there that you add your exit program to the exit point so that it gets called.
Here’s the first screen’s worth of pre-defined exit points.
Exit points are IBM's way of giving us the ability to customise a function and/or obtain additional control over it, and exit programs make administering and securing the system easier. For more information on the exit program parameter lists, go to the IBM Knowledge Center, then on the left hand side choose Programming -> Application Programming Interfaces -> API Finder, select Find By Group and click Go.
In my next article I will select a couple of exit points and dig deeper into how to configure, use and maintain them. In the meantime, keep safe and well.
Pop By And Say “Hi”
Oh, I almost forgot to mention that the i-ug International i-power 2020 event, for obvious reasons, is going to be virtual this year. It will be held over 2 days on Wednesday 10th and Thursday 11th June and is FREE for everyone. You can register HERE and once you’ve done that you’re virtually there!
RAYMOND JOHNSON says
I agree with your exit point discussion wholeheartedly.
One of my favorite customer demonstrations to justify an exit point solution is this:
Walk up to any computer in the organization and open a DOS window or command prompt. Chances are, this will work.
Enter the command “RMTCMD CRTLIB xyz”
Then go look at the list of libraries to observe that the library was created.
Then ask the question, "If I had entered the command "PWRDWNSYS *IMMED" instead of CRTLIB, what would have happened?"
This is only one of the many exit points you need to be monitoring.