Spool control special authority (*SPLCTL) allows a user to access all spool files in all output queues on the entire system, including reports in protected output queues.
Countermeasures:
- Grant spool control special authority and access to output queues on a need-to-use basis.
- Use exit point software for the NETPRT service.
- Remove security-relevant reports after use.
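To support the first countermeasure, the following query lists every profile that holds *SPLCTL, either directly or through a group profile. It is an added example, not taken from the video, and it assumes an IBM i release that provides the QSYS2.USER_INFO and QSYS2.GROUP_PROFILE_ENTRIES SQL services and a caller with enough authority to read them.

```sql
-- Added example: review who holds *SPLCTL before trimming it to need-to-use.
-- Assumes the IBM i services QSYS2.USER_INFO and QSYS2.GROUP_PROFILE_ENTRIES
-- are available on the release being audited.

-- 1) Profiles that carry *SPLCTL in their own special authorities
SELECT u.AUTHORIZATION_NAME          AS user_profile,
       'DIRECT'                      AS granted_via,
       u.STATUS                      AS profile_status,
       u.SPECIAL_AUTHORITIES         AS special_authorities
  FROM QSYS2.USER_INFO u
 WHERE u.SPECIAL_AUTHORITIES LIKE '%*SPLCTL%'

UNION ALL

-- 2) Members that inherit *SPLCTL from a group or supplemental group profile
SELECT e.USER_PROFILE_NAME                        AS user_profile,
       'GROUP ' CONCAT e.GROUP_PROFILE_NAME       AS granted_via,
       m.STATUS                                   AS profile_status,
       g.SPECIAL_AUTHORITIES                      AS special_authorities
  FROM QSYS2.GROUP_PROFILE_ENTRIES e
  JOIN QSYS2.USER_INFO g
    ON g.AUTHORIZATION_NAME = e.GROUP_PROFILE_NAME   -- the group's own profile
  JOIN QSYS2.USER_INFO m
    ON m.AUTHORIZATION_NAME = e.USER_PROFILE_NAME    -- the member's profile
 WHERE g.SPECIAL_AUTHORITIES LIKE '%*SPLCTL%'

 ORDER BY user_profile, granted_via;
```

A profile that appears only with a GROUP entry loses the authority when it is removed from that group; one listed as DIRECT needs its own special authorities changed.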
YouTube video: IBM i (AS/400, iSeries) Security 4 - Spool Control
Description: The video compares spool file access to non-public output queues.
Host name | Special authority |
Sys_1 | *NONE |
Sys_2 | *ALLOBJ |
Sys_3 | *JOBCTL |
Sys_4 | *SPLCTL |
(SYS_1, SYS_2... are names in my host table, pointing to the same system, but with different users).