Learn why event auditing is necessary and how to configure it.
This second PowerPoint of the series introduces event auditing, covering the basics and more:
- Why auditing is necessary
- Determine if IBM i auditing is currently active
- How to configure auditing with one simple command
- What audit events are recorded (and which are missed!)
- How high availability (HA) applications often make critical events disappear
- Event reporting and real-time alerting
2. HelpSystems Corporate Overview. All rights reserved.
Today’s Agenda
• Introductions
• Why Audit?
• Starting to Audit
• Auditing a User Profile or an Object
• Working with the Audit Journal
• Questions and Answers
Your Speaker
ROBIN TATAM, CBCA CISM
Director of Security Technologies
952-563-2768
robin.tatam@helpsystems.com
About HelpSystems’ Security Investment
• Premier IBM i Security Products (globally-recognized “PowerTech” brand)
– Represented by industry veteran, Robin Tatam, CISM
• Comprehensive IBM i Security Services
– Represented by industry veteran, Carol Woodbury, CRISC
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report
Why Should You Audit?
• Regulatory Compliance demands it!
– Legislation such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts
– Industry Regulations such as Payment Card Industry (PCI DSS)
• Event and User Activity Tracking
• High Availability
• Application Research & Debugging
Who’s Auditing on IBM i?
A significant portion of the 85% that are auditing:
1. Aren’t collecting the recommended events
2. Aren’t keeping the data long enough for it to be useful
3. Have no archiving or retention policy
4. Do not proactively review the audit data
5. Have no tools to help them
Often, High Availability (HA) software configures auditing for its own needs and the organization doesn’t even know about it. Tell-tale signs of this include not auditing for *AUTFAIL events (which wouldn’t be replicated).
The Security Audit Journal
• IBM provides a custom resource—the Security Audit Journal—for recording security-related events
• The operating system does not come with a security audit journal; you have to create it before you can start auditing
• Consider setting up a profile with *AUDIT special authority specifically to maintain the auditing controls
• Events are recorded to the audit journal based on the configuration of audit controls—system, user, object
The Security Audit Journal
• First, create a library to contain the audit journal receivers:
CRTLIB LIB(SECJRNLIB) TEXT('Security Journal Library')
• This allows you to secure the contents, and makes it easier to manage audit data
IBM defaults the audit journal receiver library to QGPL, which is not a good place to store user objects, especially such important ones
The Security Audit Journal
• The Security Audit Journal must be called QAUDJRN and it always resides in the QSYS library
• Although you can create the components and set the system value controls manually, most people prefer to use the Change Security Auditing (CHGSECAUD) command to pull all the components together
Starting To Audit
“QAUDCTL system value”
• This system value acts as an on/off switch to activate the auditing function
– Specify *NONE to fully turn auditing OFF
– Specify *AUDLVL to turn system-level event auditing ON
– Specify *OBJAUD to turn object-level auditing ON
• Other recommended customizing option:
– *NOQTEMP—instructs the system to ignore activities in a job’s QTEMP temporary library
Starting To Audit
“Auditing values”
• This parameter corresponds to the QAUDLVL system value, and its overflow companion QAUDLVL2
• Use this value to designate what system-level activities you want to audit
• A special value of *DFTSET (default set) translates to the following values:
*AUTFAIL, *CREATE, *DELETE, *SECURITY, *SAVRST
Starting To Audit
“Initial Journal Receiver”
• This parameter indicates the name and location for the initial journal receiver (which holds the data)
• Include a sequence number in the name for subsequent receivers to be named similarly
• If auditing is already active, this parameter is ignored
– To redirect active auditing to a new library, create a new journal receiver and then attach it to the journal; subsequent receivers will be created in the same place.
Starting To Audit
“Auditing Values”
• QAUDLVL cannot hold all of the possible option combinations, so IBM added QAUDLVL2, referenced only if QAUDLVL includes the value *AUDLVL2
• My personal preference is to set QAUDLVL to *AUDLVL2 and then place all of the desired audit values in QAUDLVL2
Illustration from the slide: QAUDLVL contains only *AUDLVL2; QAUDLVL2 contains *CREATE, *SECURITY, *AUTFAIL, *DELETE, *SAVRST, …
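The following CL program pulls the CHGSECAUD slides together. It is an added example, not code from the deck or from HelpSystems: it checks whether auditing is already active (the QAUDJRN journal exists and QAUDCTL is not *NONE), creates the dedicated receiver library, enables auditing with one CHGSECAUD command, and then moves the audit value list into QAUDLVL2 as the speaker prefers. The library name SECJRNLIB and the receiver name AUDRCV0001 come from the deck; the program name, the message texts and the extra *PGMADP and *SERVICE categories are my own choices. The command must run under a profile with *AUDIT special authority.

```cl
/* STRAUDIT - added example, not part of the presentation.           */
/* Checks the current audit state, then enables auditing.            */
PGM
  DCL VAR(&AUDCTL) TYPE(*CHAR) LEN(100)

  /* 1. Is auditing already active?  QAUDJRN must exist in QSYS      */
  /*    and QAUDCTL must hold something other than *NONE.            */
  CHKOBJ OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
  MONMSG MSGID(CPF9801) EXEC(SNDPGMMSG +
      MSG('QAUDJRN not found: auditing has never been started') +
      TOPGMQ(*EXT))
  RTVSYSVAL SYSVAL(QAUDCTL) RTNVAR(&AUDCTL)
  IF COND(%SST(&AUDCTL 1 5) *EQ '*NONE') THEN(SNDPGMMSG +
      MSG('QAUDCTL is *NONE: auditing is switched OFF') TOPGMQ(*EXT))

  /* 2. Dedicated library for the receivers instead of the QGPL      */
  /*    default.  CPF2111 = library already exists, safe to ignore.   */
  CRTLIB LIB(SECJRNLIB) TEXT('Security Journal Library')
  MONMSG MSGID(CPF2111)

  /* 3. One command creates QAUDJRN and the first receiver and sets   */
  /*    QAUDCTL.  JRNRCV is ignored if auditing is already active.    */
  CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) +
            QAUDLVL(*DFTSET) +
            JRNRCV(SECJRNLIB/AUDRCV0001)

  /* 4. Speaker's preference: QAUDLVL holds only *AUDLVL2 and the     */
  /*    full list lives in QAUDLVL2, which has room for all values.   */
  /*    *PGMADP and *SERVICE are added here beyond *DFTSET (my pick). */
  CHGSYSVAL SYSVAL(QAUDLVL)  VALUE('*AUDLVL2')
  CHGSYSVAL SYSVAL(QAUDLVL2) VALUE('*AUTFAIL *CREATE *DELETE *SECURITY *SAVRST *PGMADP *SERVICE')

  /* 5. Show the result so the operator can confirm the settings.     */
  DSPSYSVAL SYSVAL(QAUDCTL)
  DSPSYSVAL SYSVAL(QAUDLVL)
  DSPSYSVAL SYSVAL(QAUDLVL2)
ENDPGM
```

If auditing was already running and the receivers live in QGPL, step 3 does not move them; as the "Initial Journal Receiver" slide says, create the next receiver in the new library (CRTJRNRCV JRNRCV(SECJRNLIB/AUDRCV0002)) and attach it with CHGJRN JRN(QSYS/QAUDJRN) JRNRCV(SECJRNLIB/AUDRCV0002), after which new receivers are generated in SECJRNLIB.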
Starting To Audit
• In IBM i 7.3, 21 categories are available for system-wide auditing. Three of these (*JOBDTA, *NETCMN and *SECURITY) can be further subset into the *JOBxxx, *NETxxx and *SECxxx values shown in parentheses.
– *ATNEVT: Attention Event
– *AUTFAIL: Authority Failure
– *CREATE: Object Creations
– *DELETE: Object Deletions
– *JOBDTA: Actions Affecting Jobs (*JOBxxx)
– *NETCMN: Network Communications (*NETxxx)
– *NETSCK: Socket Connections (used to be part of *NETCMN until 7.3)
– *NETSECURE: Secure Network Connections
– *NETTELNET: TELNET Connections
– *OBJMGT: Object Management
Note: All values, except *ATNEVT, can also be specified for individual users
Starting To Audit
– *OPTICAL: Optical Drive Operations
– *PGMADP: Program Adoptions
– *PGMFAIL: Program Failure
– *PTFOBJ: PTF Object
– *PTFOPR: PTF Operations
– *PRTDTA: Print Data
– *SAVRST: Save and Restore Operations
– *SECURITY: Security Operations (*SECxxx)
– *SERVICE: Service Functions
– *SPLFDTA: Spooled File Functions
– *SYSMGT: System Management
Note: All values, except *ATNEVT, can also be specified for individual users
Starting To Audit
There are two other auditing-related system values that you should be aware of, but probably won’t change:
QAUDFRCLVL – Auditing Force Level
– Specifies how many audit records should be cached before they must be written to disk
– If your security policy requires ALL records to be written to disk, set this to 0; otherwise use the default value, *SYS, to maximize performance
Starting To Audit
QAUDENDACN – Auditing End Action
– Specifies what should happen if the server is unable to continue auditing
– The default value, *NOTIFY, sends a message to QSYSOPR (and QSYSMSG)
– The value *PWRDWNSYS forces the system to immediately power the server down! After the system IPLs, a user with *ALLOBJ and *AUDIT authority must restore auditing and bring the system out of restricted state.
Starting To Audit
While auditing is certainly a good thing, be cautious of auditing every type of event for all users, as it will likely be the data equivalent of trying to drink from a fire hose!
If you determine that your server generates more events than can be reasonably processed, consider tools to help you, as well as possibly auditing only those users who can run commands – and that’s not all of them, right?!
Auditing A User Profile
• In addition to system-wide auditing, you can audit the activities of specific users
• Turn on user auditing using the Change User Auditing (CHGUSRAUD) command
– This is distinct from the normal profile commands (for separation of duties)
• In addition to all but one of the QAUDLVL values, an extra option for command activities (*CMD) is available for user auditing
• User auditing can be coordinated with object-level auditing to allow for auditing of specific objects when they are accessed by specific users
Auditing A Specific Object
• You can audit access to specific objects
• Object auditing works with user-level auditing to audit specific objects when they are accessed by audited users
• Turn on object auditing using the Change Object Auditing (CHGOBJAUD) command, but it will only work if you specify *OBJAUD in the QAUDCTL system value
• Specify the desired auditing value:
– *NONE to deactivate auditing for the object
– *CHANGE to audit only open-for-change accesses
– *ALL to audit open-for-read and open-for-change accesses
– *USRPRF to defer the setting to the user profile’s object auditing setting
Auditing A Specific Object
• Specifying *USRPRF directs the operating system to defer to the user profile’s OBJAUD attribute to determine if object auditing is desired, and what operations (open-for-read / open-for-change) to audit.
• To audit an object located in the IFS, follow the exact same procedure as for a native object, but use the Change Auditing Value (CHGAUD) command.
Auditing A Specific Object
NOTE: Object auditing does NOT audit data changes.
Database journaling is required for record/field auditing.
Auditing A Specific Object
To Audit New Objects
• A newly-created native object inherits its auditing value from the CRTOBJAUD attribute of the library where it resides
• If the library has a value of *SYSVAL, the value is inherited from the QCRTOBJAUD system value (IBM-supplied default of *NONE)
CAUTION: Changing the QCRTOBJAUD system value could potentially generate a large number of audit events
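The user-profile and object-auditing slides describe one procedure, so here is a single added CL example (my own, not from the deck or HelpSystems) that wires them together: *OBJAUD is confirmed in QAUDCTL, one profile gets command auditing plus OBJAUD(*CHANGE), a native file defers to that profile with OBJAUD(*USRPRF), an IFS file is audited with CHGAUD, and the library's CRTOBJAUD is set so new objects are covered without touching QCRTOBJAUD system-wide. The profile OPSADMIN, library PAYLIB, file PAYROLL and the IFS path are invented names.

```cl
/* AUDUSROBJ - added example, not part of the presentation.          */
/* Audits one profile's commands and the objects it touches.         */
PGM
  /* Prerequisite from the deck: object auditing only works when     */
  /* QAUDCTL contains *OBJAUD (and *AUDLVL for user-level events).   */
  CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

  /* User auditing.  *CMD exists only at the user level.  OBJAUD      */
  /* (*CHANGE) makes this user trigger object auditing on every       */
  /* object whose own value is *USRPRF.  Requires *AUDIT authority.  */
  CHGUSRAUD USRPRF(OPSADMIN) OBJAUD(*CHANGE) +
            AUDLVL(*CMD *AUTFAIL *DELETE *SECURITY *SAVRST)

  /* Object auditing, native object: defer to the user's setting so  */
  /* only audited users generate ZC/ZR entries for this file.        */
  CHGOBJAUD OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) OBJAUD(*USRPRF)

  /* Object auditing, IFS object: same idea, different command.       */
  /* *ALL records both open-for-read and open-for-change.            */
  CHGAUD OBJ('/home/payroll/export.csv') OBJAUD(*ALL)

  /* New objects created into PAYLIB inherit *CHANGE auditing from   */
  /* the library, leaving the QCRTOBJAUD system value at *NONE.      */
  CHGLIB LIB(PAYLIB) CRTOBJAUD(*CHANGE)

  /* Verification: DSPUSRPRF shows the profile's object auditing and */
  /* action auditing values; DSPOBJD *FULL shows the file's value.   */
  DSPUSRPRF USRPRF(OPSADMIN)
  DSPOBJD OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) DETAIL(*FULL)
ENDPGM
```

Note the division of labour: the object says "audit me for whoever the profile says", and the profile says "audit my change accesses", so the same PAYROLL file produces no entries for unaudited users. As the NOTE slide says, this records opens of the file, not the record-level changes, which need database journaling.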
Will It Be Audited?
Source: IBM i and i5/OS Security & Compliance: A Practical Guide, 29th Street Press
What Won’t Be Audited?
• Some actions originating from the network may not be recorded by native auditing controls
• If objects are being audited, or a user performs an audited action (for example, deleting an object), that access is tracked
• Common network actions that are not audited include database access via ODBC and FTP
• Exit programs facilitate auditing of these types of transactions, and are also able to prevent users from running commands—sometimes independent of their command line privileges as specified per their profile’s LMTCPB attribute
What Won’t Be Audited?
• To see if you have exit programs in place, review the system registry, use the WRKREGINF command, or use HelpSystems’ FREE Security Scan tool
What Won’t Be Audited?
• Some native user activities will also not be audited:
– Interactive SQL
– Data File Utility (DFU)
– System Service Tools (SST)
– QSHELL
– Application Usage
– User actions that are not command-based
• Consider using a third-party auditing function to augment native auditing and capture missing events
Working With The Audit Journal
• After auditing is configured and actively collecting, review how to extract the audited information
• Download the IBM i Security Reference manual to see detailed information about configuring auditing, and the layout of audit journal data
• All journal entries contain basic information (date, time, user, job information, and the entry type code), followed by entry-specific data that varies depending on the entry type
Working With The Audit Journal
There are 3 main options to display or print audit journal data:
1. Display Audit Journal Entry (DSPAUDJRNE)
– Simplified version of the DSPJRN command with parameters specific for most entries in the security audit journal (no longer updated by IBM but still useful)
– Does not support IFS events
– Cannot sort or query data, as it only supports sending results to screen or to a spooled file
Working With The Audit Journal
2. Display Journal (DSPJRN)
– Basic way to review activities in (any) journal
– Requires an understanding of the format of the journal data; data is not parsed by the command
– Supports the name of IFS objects
– Helps if you have an exact timestamp, as DSPJRN does not sort the data
Working With The Audit Journal
3. Copy Audit Journal Entry (CPYAUDJRNE)
– Combines the DSPJRN command with copying the data to an output file
– The output file layout is based on the entry code
– Extracted data can be queried, for sorting and printing
– Default output file name is QAUDITxx, where xx is the audit type code
Working With The Audit Journal
Consider Reviewing the Following Journal Type Codes
– AF: Authority Failures
– CP: Profile Activities (Create/Change) and Password Changes
– SV: System Value Changes
– PW: Invalid Passwords
Working With The Audit Journal
For User Auditing
– CD: Command Executed
For Object Auditing
– ZC: Object Changed
– ZR: Object Read
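To show the CPYAUDJRNE option and the type codes from the last two slides in practice, here is an added CL example (mine, not the deck's or HelpSystems') that copies the recommended entry types for a date range into QTEMP, lists the output file's fields, and builds a sorted summary of authority failures. The FROMTIME date is a constructed sample written in the job's date format (*MDY here), and the field names AFUSER and AFVIOL are assumed from IBM's model outfile QASYAFJE; confirm them against the DSPFFD output before relying on the query.

```cl
/* RVWAUDJRN - added example, not part of the presentation.          */
/* Extracts the slide's journal type codes and queries the result.   */
PGM
  /* CPYAUDJRNE appends the entry type to the OUTFILE name, so this   */
  /* produces QTEMP/QAUDITAF, QAUDITCP, QAUDITSV, QAUDITPW, QAUDITCD, */
  /* QAUDITZC and QAUDITZR.  *CURCHAIN follows the whole receiver    */
  /* chain rather than only the currently attached receiver.         */
  /* FROMTIME is a constructed sample date (*MDY job date format).   */
  CPYAUDJRNE ENTTYP(AF CP SV PW CD ZC ZR) +
             OUTFILE(QTEMP/QAUDIT) OUTMBR(*FIRST *REPLACE) +
             JRNRCV(*CURCHAIN) +
             FROMTIME('060117' '000000') TOTIME(*LAST)

  /* Field names differ per entry type; look them up before querying */
  DSPFFD FILE(QTEMP/QAUDITAF)

  /* Quick look that needs no knowledge of the layout                 */
  RUNQRY QRY(*NONE) QRYFILE((QTEMP/QAUDITAF))

  /* Sorted summary: authority failures by user and violation type.   */
  /* RUNSQL cannot return a SELECT result set, so materialize it in   */
  /* a QTEMP table and display that.  AFUSER/AFVIOL are assumed      */
  /* field names from model outfile QASYAFJE (see DSPFFD above).     */
  RUNSQL SQL('CREATE TABLE QTEMP/AFSUMMARY AS +
              (SELECT AFUSER, AFVIOL, COUNT(*) AS FAILURES +
               FROM QTEMP/QAUDITAF +
               GROUP BY AFUSER, AFVIOL) WITH DATA') +
         COMMIT(*NONE)
  RUNQRY QRY(*NONE) QRYFILE((QTEMP/AFSUMMARY))
ENDPGM
```

Because everything lands in QTEMP, the extract disappears with the job; for the retention the next slide discusses, copy to a permanent library (OUTFILE(SECJRNLIB/QAUDIT), for example) or keep the receivers themselves. The CD file from this run is the one to review for the *CMD user auditing configured earlier, and ZC/ZR for the object auditing.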
Working With The Audit Journal
Archiving
• Defer to your legal counsel or auditor for retention information. Attorneys and auditors may have to defend the information in court, so give them what they need
• Most breaches take upwards of 6 months (not 24 hrs!) to detect and investigate, and some take much longer
• If you do not have legal support, consider 30 days online and 1 year offline (PCI requires 1 year retention).
Retention should not be an admin’s decision based on disk utilization
Working With The Audit Journal
• Alternatively, evaluate a commercial auditing solution to more easily interrogate the audit journal data
http://www.helpsystems.com/getting-started-security-series
Thank You
See you on June 27th at 12 noon CST to learn about PC Access