Have you ever used the WRKREGINF (Work with Registration Information) command? Do you even know what Registration Information is anyway? Simply put, it is the sum of all registered exit points and exit programs that allow IBM, third party vendors, and you to do custom processing when an event occurs on your system.
For example, IBM provides a registered exit point for the process of changing a user profile. It lets you do some custom programming when a user profile is changed. You accomplish your custom processing by writing a program and registering it using the WRKREGINF command or the ADDEXITPGM (Add Exit Program) command.
There are many categories of registered exit points. Some are for backup and recovery, user profile maintenance, network access (like FTP and ODBC), and many others. Thankfully, the ability to add an exit program to the registry is restricted to users with security officer access. I say thankfully because it is possible to override the normal functioning of the system by adding exit programs -- that’s what the exit points were designed for.
A few releases ago, IBM provided us with the capability to add exit programs to CL commands. These are referred to as command exit programs. So, if you wanted to add your own custom logic to a CL command, you could do that through registering an exit program for the IBM-supplied exit point named QIBM_QCA_CHG_COMMAND.
When installing third party vendor-supplied packages, you are often required to log on to the System i with a security officer-level user profile. This, in itself, is not a bad thing. But, you probably don't know what that vendor install process is doing to your system.
I was at a customer site performing a security assessment. I was running a standard auditing report from my bag of tricks and discovered a little surprise deposited by a third party vendor’s install process -- an exit program for the IBM-supplied command APYPTF (Apply Program Temporary Fix). I was very puzzled. Why would a vendor want to hook themselves into the PTF process when the product itself had NO relationship to system fixes?
I questioned the vendor about what this exit program was doing there. The vendor did not have any kind of reasonable answer, and advised that it was alright to remove the exit program if I wanted to and that it would not affect their application. So why was it there in the first place? Hmmmm…
You can review all the exit programs on your system by using the WRKREGINF command and paging through all the screens, or you can print a report using the very same command.
I want to suggest something that may increase your comfort level when installing new software. Start the i/OS auditing function for the user doing the install, and make sure that it is auditing command execution and system changes. When the install is complete, run some auditing reports to see just what the install process did on your system.
Here’s a command to start auditing a user’s actions before you start the install process:
CHGUSRAUD USRPRF(MYUSER) +
          AUDLVL(*CMD *CREATE *SYSMGT *DELETE *SERVICE +
                 *SAVRST *SECURITY *OBJMGT)
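
The before-and-after procedure described above, written as one CL program. This is an added example, not code from the original article: the &PHASE parameter is hypothetical, MYUSER is the article's sample profile, and the choice of audit journal entry types to print is an assumption about what a reviewer wants to see first. It assumes a release whose CL supports %SCAN.

```cl
/* Added example, not from the article. Call with 'BEFORE' ahead of   */
/* the vendor install and with 'AFTER' once it completes.             */
PGM PARM(&PHASE)
  DCL VAR(&PHASE)  TYPE(*CHAR) LEN(6)    /* hypothetical parameter    */
  DCL VAR(&AUDCTL) TYPE(*CHAR) LEN(50)

  IF COND(&PHASE *EQ 'BEFORE') THEN(DO)
    /* A user profile's AUDLVL values only take effect when the       */
    /* QAUDCTL system value includes the *AUDLVL setting.             */
    RTVSYSVAL SYSVAL(QAUDCTL) RTNVAR(&AUDCTL)
    IF COND(%SCAN('*AUDLVL' &AUDCTL) *EQ 0) THEN(DO)
      SNDPGMMSG MSG('QAUDCTL lacks *AUDLVL: user auditing is inactive')
      RETURN
    ENDDO

    /* Print a baseline of the registry to compare against later.     */
    WRKREGINF EXITPNT(*REGISTERED) OUTPUT(*PRINT)

    /* Start auditing the installing profile (command from the text). */
    CHGUSRAUD USRPRF(MYUSER) +
              AUDLVL(*CMD *CREATE *SYSMGT *DELETE *SERVICE +
                     *SAVRST *SECURITY *OBJMGT)
  ENDDO

  IF COND(&PHASE *EQ 'AFTER') THEN(DO)
    /* Stop the extra auditing once the install is finished.          */
    CHGUSRAUD USRPRF(MYUSER) AUDLVL(*NONE)

    /* Print what the profile did: CD = command strings, CO = objects */
    /* created, DO = objects deleted, GR = registration changes such  */
    /* as exit programs being added or removed.                       */
    DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
           ENTTYP(CD CO DO GR) USRPRF(MYUSER) OUTPUT(*PRINT)

    /* Print the registry again, plus the command exit point alone.   */
    WRKREGINF EXITPNT(*REGISTERED) OUTPUT(*PRINT)
    WRKREGINF EXITPNT(QIBM_QCA_CHG_COMMAND) OUTPUT(*PRINT)
  ENDDO
ENDPGM
```

Comparing the two registry listings shows any exit program the install added, and the GR entries in the journal report show which job registered it.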