System iNetwork Head Nav Subscribe Log In Contact Us Advertise User login Username: * Password: * Request new password

Search Primary links Forums Archives Code Blogs Podcasts Webcasts e-Learning Guides Newsletters About Us Contact Us About the Network Tech Editor Profiles Editorial Calendar Writers Kit Advertise Join Network Categories RPG Programming Other Languages Application Development Database/SQL Availability Security Systems Management Networking IT Mgmt/Careers Site Links Solutions Store Events UK Centre Jobs System iPortal Home Content Beware of Registered Exit Programs - Yours and Theirs Article ID: 56895Posted July 2nd, 2008 in Systems Management By:Dan Riehl Have you ever used the WRKREGINF (Work with Registration Information) command? D o you even know what Registration Information is anyway? Simply put, it is the s um of all registered exit points and exit programs that allow IBM, third party v endors, and you to do custom processing when an event occurs on your system. For example, IBM provides a registered exit point for the process of changing a user profile. It let you do some custom programming when a user profile is chang ed. You accomplish your custom processing by writing a program and registering i t using the WRKREGINF command or the ADDEXITPGM (Add Exit Program) command. There are many categories of registered exit points. Some are for backup and rec overy, user profile maintenance, network access (like FTP and ODBC), and many ot hers. Thankfully, the ability to add an exit program to the registry is restrict ed to users with security officer access. I say thankfully because it is possibl e to override the normal functioning of the system by adding exit programs -- th at s what the exit points were designed for.

A few releases ago, IBM provided us with the capability to add exit programs to CL commands. These are referred to as command exit programs. So, if you wanted t o add your own custom logic to a CL command, you could do that through registeri ng an exit program for the IBM-supplied exit point named QIBM_QCA_CHG_COMMAND. When installing third party vendor-supplied packages, you are often required to log on to the System i with a security officer-level user profile. This, in itse lf, is not a bad thing. But, you probably don't know what that vendor install pr ocess is doing to your system. I was at a customer site performing a security assessment. I was running a stand ard auditing report from my bag of tricks and discovered a little surprise depos ited by a third party vendor s install process -- an exit program for the IBM supp lied command APYPTF(Apply Program Temporary Fix). I was very puzzled. Why would a vendor want to hook themselves into the PTF process when the product itself ha d NO relationship to system fixes? I questioned the vendor about what this exit program was doing there. The vendor did not have any kind of reasonable answer, and advised that it was alright to remove the exit program if I wanted to and that it would not affect their applic ation. So why was it there in the first place? Hmmmm You can review all the exit programs on your system by using the WRKREGINF comma nd and paging through all the screens, or you can print a report using the very same command. The Next Time You Load a Vendor Package I want to suggest something that may increase your comfort level when installing new software. Start the i/OS auditing function for the user doing the install, and make sure that it is auditing command execution and system changes. When the install is complete, run some auditing reports to see just what the install pro cess did on your system. Here s a command to start auditing a user s actions before you start the install pro cess: CHGUSRAUD USRPRF(MYUSER) + AUDLVL(*CMD *CREATE *SYSMGT *DELETE *SERVICE *SAVRST *SECURITY *OBJMGT) Bookmark/Search this post with: Login to post comments Email this page Printer-friendly version Related Links Securing your CL Commands Each version ! Managing Restricted Commands Control CL Commands with Command Exit Programs -- Part 1 Killer Club Tech Exploring The Mysterious User Profile User Options ProVIP Sponsors ProVIP Sponsors