Introductions - LISUG Benefits from IBM's Free... · Source: IBM i and i5/OS Security & Compliance: A Practical Guide, 29th Street Press

Uploaded by doandung · Posted 13-Apr-2018

Page 1 (slide 1)

Page 2 (slide 2)

• Introductions

• The History Log & The Audit Journal

• Starting to Audit

• Auditing a User Profile/Object/Access

• Working with the Audit Journal

• Free Offer / Resources for Security Officers

• Questions and Answers

Page 3 (slide 3)

ROBIN TATAM, CISM

Director of Security Technologies

952-563-2768

[email protected]

Page 4 (slide 4)

• Premier Provider of Security Solutions & Services

– 18 years in the security industry as an established thought leader

– Customers in over 70 countries, representing every industry

– Security Subject Matter Expert for COMMON

• IBM Advanced Business Partner

• Member of PCI Security Standards Council

• Authorized by NASBA to issue CPE Credits for Security Education

• Publisher of the Annual “State of IBM i Security” Report

Page 5 (slide 8)

• Legislation such as Sarbanes-Oxley (SOX), HIPAA, GLBA, and State Privacy Acts

• Industry Regulations such as the Payment Card Industry Data Security Standard (PCI DSS)

• Internal Activity Tracking

• High Availability

• Application Research & Debugging

Page 6 (slide 9)

• Introductions

• The History Log & The Audit Journal

• Starting to Audit

• Auditing a User Profile/Object/Access

• Working with the Audit Journal

• Free Offer / Resources for Security Officers

• Questions and Answers

Page 7 (slide 10)

• Display the History Log using the command:

DSPLOG LOG(QHST)

• Place your cursor on a message and press Help (F1) to view its second-level information.

• Second-level information can provide debug-type details about the program, job, or user that caused the entry to be written.

Page 10 (slide 13)

• The DSPLOG command supports filtering by a timestamp range (the PERIOD parameter) as well as by specific message IDs (the MSGID parameter).

• The majority of security messages fall between CPF2200 and CPF2299. Specify the generic value CPF2200 (trailing zeros act as a wildcard, so CPF2200 matches CPF2200 through CPF2299) to filter down to just those messages quickly:

DSPLOG LOG(QHST) MSGID(CPF2200) PERIOD((start-time start-date) (end-time end-date))

Page 11 (slide 14)

• The History Log files, named QHSTyydddn (where yyddd is a Julian date and n is a sequence number), are placed in the QSYS library.

• When the maximum file size is reached (controlled by the QHSTLOGSIZ system value), a new file is created. Alternatively, specify QHSTLOGSIZ(*DAILY) to create a new file for each day.

Have a strategy to save the log data for later review, if necessary.
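The two history-log tasks above (filtering QHST by message range and date, and keeping the QHST files for later review) in one CL program. This is an added example, not code from the presentation; SECJRNLIB is the library the deck creates later, QHSTSAVF is an assumed save-file name, and the dates assume the job date format is *MDY.

```cl
/* Added example, not from the presentation: print the security messages   */
/* (CPF22xx) for a date range out of QHST, then archive the QHST files.    */
/* SECJRNLIB/QHSTSAVF is an assumed name; dates are in job format (*MDY).  */
PGM
   DCL VAR(&FROMDATE) TYPE(*CHAR) LEN(8) VALUE('04/01/18')
   DCL VAR(&TODATE)   TYPE(*CHAR) LEN(8) VALUE('04/13/18')

   /* 1. A generic message ID is written with trailing zeros: CPF2200       */
   /*    matches CPF2200 to CPF2299; CPF0000 would match every CPF message. */
   /*    PERIOD takes (start-time start-date) (end-time end-date).          */
   DSPLOG LOG(QHST) +
          PERIOD((*AVAIL &FROMDATE) (*AVAIL &TODATE)) +
          MSGID(CPF2200) +
          OUTPUT(*PRINT)

   /* 2. Keep the raw QHSTyydddn files, not just the printed report, by     */
   /*    saving them into a save file inside the restricted audit library. */
   /*    Run this after the daily log switch (QHSTLOGSIZ(*DAILY)) so the    */
   /*    closed files are complete.                                        */
   CRTSAVF FILE(SECJRNLIB/QHSTSAVF) AUT(*EXCLUDE)
   MONMSG MSGID(CPF5813)    /* save file already exists: reuse it */
   SAVOBJ OBJ(QHST*) LIB(QSYS) DEV(*SAVF) OBJTYPE(*FILE) +
          SAVF(SECJRNLIB/QHSTSAVF) CLEAR(*ALL)
ENDPGM
```

The save file lives in the same *EXCLUDE library as the audit journal receivers, so one set of authorities governs both kinds of evidence; move the save file offline with the normal backup cycle.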

Page 12 (slide 15)

• IBM provides a custom resource, the Security Audit Journal, for recording security-related events

• Consider setting up a profile with *AUDIT special authority specifically to maintain the auditing controls

• Events are recorded to the audit journal based on the configuration of audit controls: system, user, and object

• The operating system does not come with a security audit journal; you have to create it before you can start auditing

Page 14 (slide 17)

• First, create a library to contain the audit journal receivers:

CRTLIB LIB(SECJRNLIB) TEXT('Security Journal Library')

• This allows you to secure the contents, and makes it easier to manage audit data

Page 15 (slide 18)

• The Security Audit Journal must be called QAUDJRN and it must reside in the QSYS library

• Although you can create the components and set the system value controls manually, most people prefer to use the Change Security Auditing (CHGSECAUD) command to pull all the components together

Page 17 (slide 20)

• Introductions

• The History Log & The Audit Journal

• Starting to Audit

• Auditing a User Profile/Object/Access

• Working with the Audit Journal

• Free Offer / Resources for Security Officers

• Questions and Answers

Page 18 (slide 21)

QAUDCTL – Auditing Control

• This system value acts as an on/off switch to activate the auditing function

– Specify *NONE to turn auditing OFF

– Specify *AUDLVL to turn auditing ON

• Other recommended options include:

– *OBJAUD enables object-level auditing

– *NOQTEMP instructs the system to ignore activities in a job's QTEMP temporary library

Page 19 (slide 22)

Auditing Values (QAUDLVL)

• This CHGSECAUD parameter corresponds to the QAUDLVL system value and its overflow companion QAUDLVL2 (when the list is longer than QAUDLVL can hold, QAUDLVL contains *AUDLVL2 and the rest of the values go in QAUDLVL2)

• Use this value to designate what system-level activities you want to audit

• The special value *DFTSET translates to the following values: *AUTFAIL, *CREATE, *DELETE, *SECURITY, *SAVRST

Page 20 (slide 23)

• In IBM i 7.1, 16 categories are available for system-wide auditing. Three of these (*JOBDTA, *NETCMN, and *SECURITY) can be broken down further into the finer-grained values shown in parentheses.

*ATNEVT Attention Event

*AUTFAIL Authority Failure

*CREATE Object Creations

*DELETE Object Deletions

*JOBDTA Actions Affecting Jobs (*JOBxxx)

*NETCMN Network Communications (*NETxxx)

*OBJMGT Object Management

Page 21 (slide 24)

*OPTICAL Optical Drive Operations

*PGMADP Program Adoptions

*PGMFAIL Program Failure

*PRTDTA Print Data

*SAVRST Save and Restore Operations

*SECURITY Security Operations (*SECxxx)

*SERVICE Service Functions

*SPLFDTA Spooled File Functions

*SYSMGT System Management

Note: All values, except *ATNEVT, can also be specified for individual users

Page 22 (slide 25)

There are two other auditing-related system values that you should be aware of, but probably won't change:

QAUDFRCLVL – Auditing Force Level

Specifies how many audit records may be held in main storage before they are forced to auxiliary storage (disk).

If your security policy requires EVERY record to be on disk before processing continues, set this to 1 (the smallest allowed value; the range is 1 to 100); otherwise use the default value, *SYS, which lets the system choose a force level that maximizes performance.

Page 23 (slide 26)

QAUDENDACN – Auditing End Action

Specifies what should happen if the system is unable to write entries to the audit journal.

The default value, *NOTIFY, sends a message to QSYSOPR (and to QSYSMSG, if that queue exists) and keeps repeating it until auditing is restored. Auditing stays off in the meantime, so this value is only as good as the people watching those queues.

The value *PWRDWNSYS forces the system to power down immediately! After the system IPLs it is in restricted state, and a user with both *ALLOBJ and *AUDIT special authority must restore auditing and bring the system out of restricted state. This trades availability for a guarantee that nothing runs unaudited; choose it deliberately.
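The whole "Starting to Audit" procedure from the preceding slides (receiver library, journal receiver, QSYS/QAUDJRN, QAUDLVL, QAUDCTL, QAUDFRCLVL), done by hand so each component is visible. This is an added CL example, not code from the presentation: SECJRNLIB is the slide's library name, while AUDRCV0001, the receiver threshold and the two extra QAUDLVL categories are assumptions to adapt to your policy.

```cl
/* Added example, not from the presentation: create the audit journal      */
/* by hand and turn auditing on. Assumed names: SECJRNLIB (from the slide),*/
/* AUDRCV0001; adjust THRESHOLD and the QAUDLVL list to your policy.       */
PGM
   /* 1. Restricted library for the receivers. AUT(*EXCLUDE) keeps ordinary */
   /*    users from reading audit data; CRTOBJAUD(*ALL) audits access to   */
   /*    anything created here, so touching the receivers is itself logged. */
   CRTLIB LIB(SECJRNLIB) AUT(*EXCLUDE) CRTOBJAUD(*ALL) +
          TEXT('Security Journal Library')

   /* 2. First receiver. THRESHOLD is in KB; reaching it triggers the       */
   /*    system-managed receiver switch configured in step 3.              */
   CRTJRNRCV JRNRCV(SECJRNLIB/AUDRCV0001) THRESHOLD(100000) +
             AUT(*EXCLUDE) TEXT('Security audit journal receiver')

   /* 3. The journal name and library are fixed: QSYS/QAUDJRN.             */
   /*    MNGRCV(*SYSTEM) attaches AUDRCV0002, AUDRCV0003, ... on its own;  */
   /*    DLTRCV(*NO) means detached receivers stay until an archive job    */
   /*    has saved and deleted them, so retention is a conscious decision. */
   CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(SECJRNLIB/AUDRCV0001) +
          MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE) +
          TEXT('Security audit journal')

   /* 4. Choose the categories before flipping the switch, so the very    */
   /*    first entries are already complete. The first five values are    */
   /*    what *DFTSET expands to; *PGMADP and *SERVICE are added here.    */
   CHGSYSVAL SYSVAL(QAUDLVL) +
             VALUE('*AUTFAIL *CREATE *DELETE *SECURITY *SAVRST +
                    *PGMADP *SERVICE')
   CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

   /* 5. Leave the force level at *SYS unless policy says every record    */
   /*    must be on disk before the job continues (then use 1).           */
   CHGSYSVAL SYSVAL(QAUDFRCLVL) VALUE(*SYS)

   /* Steps 2 to 4 collapse into one command if you prefer:               */
   /* CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) QAUDLVL(*DFTSET)         */
   /*           JRNRCV(SECJRNLIB/AUDRCV0001)                               */

   /* 6. Verify: DSPSECAUD reports whether QAUDJRN exists and the live     */
   /*    QAUDCTL/QAUDLVL values; WRKJRNA shows the attached receiver.     */
   DSPSECAUD
   WRKJRNA JRN(QSYS/QAUDJRN)
ENDPGM
```

Run it from the *AUDIT profile the deck recommends rather than from QSECOFR, so the audit journal's creation and every later change to QAUDCTL/QAUDLVL (SV entries) are attributable to one accountable identity.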

Page 24 (slide 27)

• Introductions

• The History Log & The Audit Journal

• Starting to Audit

• Auditing a User Profile/Object/Access

• Working with the Audit Journal

• Free Offer / Resources for Security Officers

• Questions and Answers

Page 25 (slide 28)

• In addition to system-wide auditing, you can audit specific user activities

• Turn on user auditing using the Change User Auditing (CHGUSRAUD) command. This is distinct from the normal profile commands (CRTUSRPRF/CHGUSRPRF) and requires *AUDIT rather than *SECADM special authority, which keeps auditing control separate from profile administration (separation of duties)

• User auditing works with object-level auditing to audit specific objects when they are accessed by audited users

• In addition to the QAUDLVL values, an extra option (*CMD) is available for user-profile auditing; it records every CL command the user runs (CD entries)

Page 27 (slide 30)

• The operating system allows you to audit access to specific objects

• Object auditing works with user-level auditing to audit specific objects when they are accessed by audited users

• Turn on object auditing using the Change Object Auditing (CHGOBJAUD) command after you specify *OBJAUD in the QAUDCTL system value

• Specify *CHANGE to audit only opens for change, or *ALL to audit every open (read as well as change)

Page 29 (slide 32)

• Specify *USRPRF to have the operating system check the user profile's OBJAUD value (set with CHGUSRAUD) to determine whether object auditing is required for that user, and which operations (Read/Change) to record.

NOTE: This is an object-level operation and does NOT audit data changes; the entry records that the object was opened, not what was changed. Database journaling is required for record/field-level auditing.

• To audit an object in the IFS, follow the same procedure, but use the Change Auditing Value (CHGAUD) command.

Page 31 (slide 34)

To Audit New Objects

A new object inherits its auditing value from the CRTOBJAUD attribute of the library in which it is created (an IFS object inherits it from its parent directory's create-object-auditing attribute)

If the library has a value of *SYSVAL, the value is inherited from the QCRTOBJAUD system value (default of *NONE)

CAUTION: Changing the QCRTOBJAUD system value could generate a potentially large number of auditing events, because it applies to every new object on the system whose library or directory does not override it
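User, object, IFS and library-level auditing from the last few slides, combined in one CL program. This is an added example, not code from the presentation; the profile JSMITH, the files PAYLIB/PAYROLL and PAYLIB/PAYRATES, the journal PAYLIB/PAYJRN (assumed to exist already) and the path '/apps/payroll/config' are all assumed names.

```cl
/* Added example, not from the presentation: user, object, IFS and library */
/* auditing together. JSMITH, PAYLIB/PAYROLL, PAYLIB/PAYRATES, PAYLIB/PAYJRN */
/* (assumed to exist) and '/apps/payroll/config' are assumed names.        */
PGM
   /* User auditing. *CMD logs every command the profile runs (CD entries); */
   /* the other values are QAUDLVL categories applied to this user only.   */
   /* OBJAUD(*CHANGE) on the profile matters only for objects whose own    */
   /* auditing value is *USRPRF (see PAYRATES below).                      */
   CHGUSRAUD USRPRF(JSMITH) OBJAUD(*CHANGE) +
             AUDLVL(*CMD *AUTFAIL *SECURITY *DELETE)

   /* Object auditing for everyone: *CHANGE records opens for update (ZC), */
   /* *ALL would also record read opens (ZR). Needs *OBJAUD in QAUDCTL.   */
   CHGOBJAUD OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) OBJAUD(*CHANGE)

   /* Object auditing only for audited users: an entry is written when a   */
   /* profile with OBJAUD(*CHANGE) or OBJAUD(*ALL) opens it, nobody else. */
   CHGOBJAUD OBJ(PAYLIB/PAYRATES) OBJTYPE(*FILE) OBJAUD(*USRPRF)

   /* Object auditing records the open, not the data. Pair it with        */
   /* database journaling for before/after images of the records.        */
   STRJRNPF FILE(PAYLIB/PAYROLL) JRN(PAYLIB/PAYJRN) IMAGES(*BOTH)

   /* IFS objects use CHGAUD; SUBTREE(*ALL) applies the value to a whole  */
   /* directory tree instead of a single path.                            */
   CHGAUD OBJ('/apps/payroll/config') OBJAUD(*ALL) SUBTREE(*ALL)

   /* New objects created in PAYLIB inherit *CHANGE from the library      */
   /* attribute, so there is no need to raise QCRTOBJAUD system-wide.    */
   CHGLIB LIB(PAYLIB) CRTOBJAUD(*CHANGE)

   /* Verify the values took effect.                                      */
   DSPOBJAUD OBJ(PAYLIB/*ALL) OBJTYPE(*FILE) OUTPUT(*)
   DSPUSRPRF USRPRF(JSMITH) TYPE(*BASIC)
ENDPGM
```

The *USRPRF setting on PAYRATES is the quiet option: nobody sees extra journal volume until a profile is put under CHGUSRAUD, which is convenient when you need to watch one account without announcing it through a change to the object.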

Page 32 (slide 35)

Source: IBM i and i5/OS Security & Compliance: A Practical Guide, 29th Street Press

Page 33 (slide 36)

• Some actions originating from the network may not be recorded by native auditing controls: a file pulled over FTP or a query run over ODBC leaves no trace unless the object or the user involved is audited

• If objects are being audited, or a user performs an audited action (for example, deleting an object), that access is tracked

• Common network actions include ODBC and FTP

• Consider using an exit program to ensure control and auditing of these types of transactions (for example, on the FTP server request exit point QIBM_QTMF_SERVER_REQ and the database server SQL exit points QIBM_QZDA_SQL1 and QIBM_QZDA_SQL2)

Page 34 (slide 37)

• To see whether you have exit programs in place, review the registration facility with the WRKREGINF command (option 8 against an exit point lists the programs registered to it), or use PowerTech's FREE Compliance Assessment tool

Page 35 (slide 38)

• Introductions

• The History Log & The Audit Journal

• Starting to Audit

• Auditing a User Profile/Object/Access

• Working with the Audit Journal

• Free Offer / Resources for Security Officers

• Questions and Answers

Page 36 (slide 39)

• After auditing is configured and actively collecting, review how to extract the audited information

• Download the System i Security Reference manual (SC41-5302) to see detailed information about QAUDLVL values, the AUDLVL value from user profile auditing, and the layout of audit journal data

• All journal entries contain basic information (date, time, user, job information, and the entry type code), followed by entry-specific data

Page 37 (slide 40)

There are 3 main options to display or print audit journal data:

1. Display Audit Journal Entry (DSPAUDJRNE)

Simplified version of the DSPJRN command with parameters specific to most entries in the security audit journal (no longer updated by IBM, so newer entry types are not supported)

Does not support IFS events (requires DSPJRN)

Cannot sort or query data (only screen output and sending output to a spooled file are supported)

Page 40 (slide 43)

2. Display Journal (DSPJRN)

Basic way to review activities in (any) journal

Requires an understanding of the format of the journal data; the entry-specific data is not parsed by the command

Supports the names of IFS objects

Helps if you have an exact timestamp, as DSPJRN does not sort the data

Page 41 (slide 44)

3. Copy Audit Journal Entry (CPYAUDJRNE)

Combines the DSPJRN command with copying the data to an output file

The output file layout is based on the entry code (one file per entry type)

Extracted data can be queried, sorted, and printed

Default output file name is QAUDITxx, where xx is the audit entry type code (for example, QAUDITAF for authority failures)

Page 42 (slide 45)

Consider Reviewing the Following Journal Type Codes

AF  Authority Failures

CP  Profile Activities (Create/Change, Password Changes)

SV  System Value Changes

PW  Invalid Passwords (and invalid user IDs)

Page 43 (slide 46)

For User Auditing

CD  Command Executed

For Object Auditing

ZC  Object Changed

ZR  Object Read
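The extraction workflow from the last three slides (CPYAUDJRNE into per-type outfiles, a query over the result, and DSPJRN as the fallback), applied to the AF and PW entry types just listed. This is an added CL example, not code from the presentation. SECJRNLIB and AFSUMMARY are assumed names, the dates assume the job date format is *MDY, and the AF column names (AFUSPF, AFOLIB, AFONAM, AFOTYP, AFVIOL, AFTSTP) are taken from the QASYAFJ5 model file layout; confirm them with DSPFFD on the generated QAUDITAF file before relying on the query.

```cl
/* Added example, not from the presentation: copy one day of AF and PW     */
/* entries into queryable files and summarise repeated failures.           */
/* SECJRNLIB and AFSUMMARY are assumed names; the AF column names follow   */
/* the QASYAFJ5 model file, so confirm them with DSPFFD SECJRNLIB/QAUDITAF.*/
PGM
   DCL VAR(&FROM) TYPE(*CHAR) LEN(8) VALUE('04/12/18')  /* job date format */
   DCL VAR(&TO)   TYPE(*CHAR) LEN(8) VALUE('04/12/18')

   /* 1. One outfile per type: QAUDIT + code gives QAUDITAF and QAUDITPW.  */
   /*    JRNRCV(*CURCHAIN) reads every receiver still attached to the     */
   /*    chain, not only the current one, so a receiver switch during the */
   /*    day loses nothing.                                                */
   CPYAUDJRNE ENTTYP(AF PW) OUTFILE(SECJRNLIB/QAUDIT) +
              OUTMBR(*FIRST *REPLACE) JRNRCV(*CURCHAIN) +
              FROMTIME(&FROM *AVAIL) TOTIME(&TO *AVAIL)

   /* 2. Aggregate. RUNSQL cannot return a result set, so materialise the  */
   /*    summary as a table and print it with RUNQRY. AFVIOL 'A' means   */
   /*    "not authorized to object"; several hits on one object from one  */
   /*    profile is probing, even when each failure looks harmless alone. */
   DLTF FILE(SECJRNLIB/AFSUMMARY)
   MONMSG MSGID(CPF2105)    /* not found on the first run */
   RUNSQL SQL('CREATE TABLE SECJRNLIB/AFSUMMARY AS ( +
                 SELECT AFUSPF AS USER_PROFILE, AFOLIB, AFONAM, AFOTYP, +
                        AFVIOL, COUNT(*) AS FAILURES, +
                        MIN(AFTSTP) AS FIRST_SEEN, MAX(AFTSTP) AS LAST_SEEN +
                 FROM SECJRNLIB/QAUDITAF +
                 GROUP BY AFUSPF, AFOLIB, AFONAM, AFOTYP, AFVIOL +
                 HAVING COUNT(*) >= 5 ) WITH DATA') +
          COMMIT(*NONE) NAMING(*SYS)
   RUNQRY QRYFILE((SECJRNLIB/AFSUMMARY)) OUTTYPE(*PRINTER)

   /* 3. When CPYAUDJRNE is not enough (IFS paths, an entry type it does   */
   /*    not know), go to the raw journal: code T holds every audit entry.*/
   DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(AF) +
          FROMTIME(&FROM *AVAIL) TOTIME(&TO *AVAIL) OUTPUT(*PRINT)
ENDPGM
```

The PW outfile is produced but not queried here; the same CREATE TABLE pattern grouped by user and job works for it, and a burst of PW entries against profiles that do not exist is the usual sign of a scripted logon attempt.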

Page 44 (slide 47)

Archiving

• Check with your legal department for retention requirements. Attorneys and auditors may have to defend the information in court, so give them what they need.

• If you have no legal guidance, consider 30+ days online and unrestricted offline retention (PCI DSS requires at least one year of audit trail history, with a minimum of three months immediately available for analysis).
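Retention only works if detached receivers are saved before they are deleted. This added CL example (not from the presentation) archives one receiver and then lets the system's own safeguards decide whether deletion may proceed; SECJRNLIB is the slide's library, while ARCHLIB and the receiver name passed as a parameter (for example AUDRCV0001) are assumptions.

```cl
/* Added example, not from the presentation: archive a detached receiver  */
/* and only then delete it. SECJRNLIB, ARCHLIB and the receiver name     */
/* passed in &RCV (e.g. AUDRCV0001) are assumed names.                   */
PGM PARM(&RCV)
   DCL VAR(&RCV) TYPE(*CHAR) LEN(10)   /* receiver to retire */

   /* Save into a save file in a library the auditors can read but not   */
   /* change; move that save file offline with the normal backup cycle.  */
   CRTSAVF FILE(ARCHLIB/&RCV) AUT(*EXCLUDE)
   MONMSG MSGID(CPF5813)    /* save file already exists: reuse it */
   SAVOBJ OBJ(&RCV) LIB(SECJRNLIB) OBJTYPE(*JRNRCV) +
          DEV(*SAVF) SAVF(ARCHLIB/&RCV) CLEAR(*ALL)

   /* DLTOPT(*NONE) keeps the safety net: the system refuses to delete a  */
   /* receiver that is still attached, and asks before deleting one that */
   /* was never saved, so a failed SAVOBJ above stops the purge rather   */
   /* than silently destroying evidence.                                 */
   DLTJRNRCV JRNRCV(SECJRNLIB/&RCV) DLTOPT(*NONE)
ENDPGM
```

Call it once per detached receiver as shown by WRKJRNA JRN(QSYS/QAUDJRN); do not switch to DLTOPT(*IGNINQMSG) in a scheduled job unless the save step is verified first, because that option is exactly the one that removes the "never saved" check.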

Page 45 (slide 48)

• Alternatively, evaluate a commercial auditing solution to more easily interrogate the audit journal data

Page 46 (slide 49)

• Introductions

• The History Log & The Audit Journal

• Starting to Audit

• Auditing a User Profile/Object/Access

• Working with the Audit Journal

• Free Offer / Resources for Security Officers

• Questions and Answers

Page 48 (slide 51)

Online Compliance Guide / Security Policy

Page 49 (slide 52)

1. Free graphical Compliance Assessment

2. Open Source Security Policy

3. The State of IBM i Security Study

4. Online Compliance Guide

5. Webinars / Education Events

6. Articles and White Papers

7. Security Blog (www.powertechblog.com)

8. Twitter Feed (www.twitter.com/powertechgroup)

9. Monthly Newsletter: PowerNews

Find all this at www.powertech.com

Page 50 (slide 53)

• Introductions

• Regulations on IBM i

• How the Data was Collected

• The State of IBM i Security Study

• Free Offer / Resources for Security Officers

• Questions and Answers

Page 52 (slide 55)

www.powertech.com (800) 915-7700 [email protected]