Getting Started with IBM i Security: Event Auditing

All trademarks and registered trademarks are the property of their respective owners.© HelpSystems LLC. All rights reserved.
Getting Started With
IBM i Security:
Auditing

HelpSystems Corporate Overview. All rights reserved.
• Introductions
• Why Audit?
• Starting to Audit
• Auditing a User Profile or an Object
• Working with the Audit Journal
• Questions and Answers
Today’s Agenda

Your Speaker
ROBIN TATAM, CBCA CISM
Director of Security Technologies
952-563-2768
robin.tatam@helpsystems.com

• Premier IBM i Security Products (globally-recognized “PowerTech” brand)
– Represented by industry veteran, Robin Tatam, CISM
• Comprehensive IBM i Security Services
– Represented by industry veteran, Carol Woodbury, CRISC
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report
About HelpSystems’ Security Investment

Today’s Agenda
• Introductions
• Why Audit?
• Starting to Audit
• Auditing a User Profile or an Object
• Working with the Audit Journal
• Questions and Answers

• Regulatory Compliance demands it!
– Legislation such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts
– Industry Regulations such as Payment Card Industry (PCI DSS)
• Event and User Activity Tracking
• High Availability
• Application Research & Debugging
Why Should You Audit?

Who’s Auditing on IBM i?
Free Download: 2016 State of IBM i Security

15%
85%
Systems Being Audited

A significant portion of the 85% that are auditing:
1. Aren’t collecting the recommended events
2. Aren’t keeping the data long enough for it to be useful
3. Have no archiving or retention policy
4. Do not proactively review the audit data
5. Have no tools to help them
Often, High Availability (HA) software
configures auditing for it’s own needs and
the organization doesn’t even know about it
Tell-tale signs of this include not auditing for *AUTFAIL
events (which wouldn’t be replicated)

• IBM provides a custom resource—the Security Audit
Journal—for recording security-related events
• The operating system does not come with a security audit
journal; you have to create it before you can start auditing
• Consider setting up a profile with *AUDIT special authority
specifically to maintain the auditing controls
• Events are recorded to the audit journal
based on the configuration of audit
controls—system, user, object
The Security Audit Journal

• First, create a library to contain the audit journal receivers:
CRTLIB LIB(SECJRNLIB) TEXT(‘Security Journal Library’)
• This allows you to secure the contents, and makes it easier to
manage audit data
IBM defaults the audit journal receiver library to QGPL which is
not a good place to store user objects, especially such
important ones

• The Security Audit Journal must be called QAUDJRN and it
always resides in the QSYS library
• Although you can create the components and set the system
value controls manually, most people prefer to use the
Change Security Auditing (CHGSECAUD) command to pull all
the components together

“QAUDCTL system value”
• This system value acts as an on/off switch to
activate the auditing function
– Specify *NONE to fully turn auditing OFF
– Specify *AUDLVL to turn system-level event auditing ON
– Specify *OBJAUD to turn object-level auditing ON
• Other recommended customizing option:
– *NOQTEMP—instructs the system to ignore activities in a
job’s QTEMP temporary library
Starting To Audit

“Auditing values”
• This parameter corresponds to the QAUDLVL system value,
and its overflow companion QAUDLVL2
• Use this value to designate what system-level activities you
want to audit
• A special value of *DFTSET (default set) translates to the
following values:
*AUTFAIL, *CREATE, *DELETE, *SECURITY, *SAVRST
Starting To Audit

“Initial Journal Receiver”
• This parameter indicates the name and location for the initial
journal receiver (which holds the data)
• Include a sequence number in the name for subsequent
receivers to be named similarly
• If auditing is already active, this
parameter is ignored
– To redirect active auditing to a new library,
create a new journal receiver and then
attach it to the journal and subsequent
receivers will be created in the same place.
Starting To Audit

“Auditing Values”
• QAUDLVL cannot hold all of the possible option combinations
so IBM added QAUDLVL, referenced only if QAUDLVL includes
the value *AUDLVL2
• My personal preference is to set QUADLVL to *AUDLVL2 and
then place all of the desired audit values in QAUDLVL2
Starting To Audit
*AUDLVL2
*CREATE
*SECURITY
*AUTFAIL
*DELETE
*SAVRST
…
QAUDLVL QAUDLVL2

• In IBM i 7.3, 21 categories are available for system-wide auditing. Three
of these allow you to further subset them (indicated by italics).
*ATNEVT Attention Event
*AUTFAIL Authority Failure
*CREATE Object Creations
*DELETE Object Deletions
*JOBDTA Actions Affecting Jobs (*JOBxxx)
*NETCMN Network Communications (*NETxxx)
*NETSCK Socket Connections (used to be part of *NETCMN until 7.3)
*NETSECURE Secure Network Connections
*NETTELNET TELNET Connections
*OBJMGT Object Management
Note: All values, except *ATNEVT, also can be specified for individual users
Starting To Audit

*OPTICAL Optical Drive Operations
*PGMADP Program Adoptions
*PGMFAIL Program Failure
*PTFOBJ PTF Object
*PTFOPR PTF Operations
*PRTDTA Print Data
*SAVRST Save and Restore Operations
*SECURITY Security Operations (*SECxxx)
*SERVICE Service Functions
*SPLFDTA Spooled File Functions
*SYSMGT System Management
Note: All values, except *ATNEVT, also can be specified for individual users
Starting To Audit

There are two other auditing-related system values that you
should be aware of, but probably won’t change:
QAUDFRCLVL – Auditing Force Level
Specifies how many audit records should be cached before
they must be written to disk
If your security policy requires ALL records to be written to
disk, set this to 0; otherwise use the default value, *SYS, to
maximize performance
Starting To Audit

QAUDENDACN – Auditing End Action
Specifies what should happen if the server is unable to
continue auditing
The default value, *NOTIFY, sends a message to QSYSOPR
(and QSYSMSG)
The value *PWRDWNSYS forces the system to immediately
power the server down! After the system IPLs, a user with
*ALLOBJ and *AUDIT authority must restore auditing and
bring the system out of restricted state.
Starting To Audit

While auditing is certainly
a good thing, be cautious of
auditing every type of event
for all users as it will likely be
the data equivalent of trying
to drink from a fire hose!
If you determine that your server generates more events than
can be reasonably processed, consider tools to help you as well
as possibly auditing only those users who can run commands –
and that’s not all of them, right?!
Starting To Audit

• In addition to system-wide auditing, you can audit the activities
of specific users
• Turn on user auditing using the Change User Auditing
(CHGUSRAUD) command
– This is distinct from the normal profile commands (for separation of duties)
• In addition to all but one of the QAUDLVL values,
an extra option for command activities (*CMD)
is available for user auditing
• User auditing can be coordinated with object-level
auditing to allow for auditing of specific objects
when they are accessed by specific users
Auditing A User Profile

Auditing A User Profile

• You can audit access to specific objects
• Object auditing works with user-level auditing to audit specific
objects when they are accessed by audited users
• Turn on object auditing using the Change Object
Auditing (CHGOBJAUD) command but it will only
work if you specify *OBJAUD in the QAUDCTL
system value
• Specify the desired auditing value:
• *NONE to deactivate auditing for the object
• *CHANGE to audit only open-for-change accesses,
• *ALL to audit open-for-read and open-for-change accesses,
• *USRPRF to defer the setting to the user profile’s object auditing setting
Auditing A Specific Object

• Specifying *USRPRF directs the operating system defer to the user
profile’s OBJAUD attribute to determine if object auditing is desired, and
what operations (open-for-read / open-for-change) to audit.
• To audit an object located in the IFS, follow the exact same procedures as
for a native object, but use the Change Auditing Value (CHGAUD)
command.

Native Object

Integrated File System Object

NOTE: Object auditing does NOT audit data changes.
Database journaling is required for record/field auditing.

To Audit New Objects
A newly-created native object inherits its auditing value from the
CRTOBJAUD attribute from the library where it resides
If the library has a value of *SYSVAL, the value is inherited from
the QCRTOBJAUD system value (IBM-supplied default of
*NONE)
CAUTION: Changing the QCRTOBJAUD system value could
potentially generate a large number of audit events

Will It Be Audited?
Source: IBM i and i5/OS Security & Compliance: A Practical Guide, 29th Street Press

What Won’t Be Audited?
• Some actions originating from the network may not be recorded by
native auditing controls
• If objects are being audited, or a user
performs an audited action (for
example, deleting an object), that
access is tracked
• Common network actions that are not audited
include database access via ODBC and FTP
• Exit program facilitate auditing of these types of transactions, and are
also able to prevent users from running commands—sometimes
independent of their command line privileges as specified per their
profile’s LMTCPB attribute

• To see if you have exit programs in place, review
the system registry, use the WRKREGINF command,
or use HelpSystems’ FREE Security Scan tool

• Some native user activities will also not be audited:
• Interactive SQL
• Data File Utility (DFU)
• System Service Tools (SST)
• QSHELL
• Application Usage
• User actions that are not command-based
• Consider using a third-party auditing function to augment native
auditing and capture missing events

Working With The Audit Journal
• After auditing is configured and
actively collecting, review how to
extract the audited information
• Download the IBM i Security
Reference manual to see detailed
information about configuring auditing,
and the layout of audit journal data
• All journal entries contain basic information (date, time, user,
job information, and the entry type code), followed by entry-
specific data that varies depending on the entry type

There are 3 main options to display or print audit journal data:
1. Display Audit Journal Entry (DSPAUDJRNE)
Simplified version of the DSPJRN command with parameters specific
for most entries in the security audit journal (no longer updated by
IBM but still useful)
Does not support IFS events
Cannot sort or query data as it only supports sending results to
screen or to a spooled file

2. Display Journal (DSPJRN)
Basic way to review activities in (any) journal
Requires an understanding of the format of the journal
data; data is not parsed by the command
Supports the name of IFS objects
Helps if you have an exact timestamp as DSPJRN does
not sort the data

3. Copy Audit Journal Entry (CPYAUDJRNE)
Combines the DSPJRN command with copying the data to
an output file
The output file layout is based on the entry code
Extracted data can be queried, for sorting and printing
Default output file name is QAUDITxx where xx is the audit
type code

Consider Reviewing the Following Journal Type Codes
AF Authority Failures
CP Profile Activities (Create/Change)
Password Changes
SV System Value Changes
PW Invalid Passwords

For User Auditing
CD Command Executed
For Object Auditing
ZC Object Changed
ZR Object Read

Archiving
• Defer to your legal counsel or auditor for retention information.
Attorneys and auditors may have to defend the information in court,
so give them what they need
• Most breaches take upwards of 6 months (not 24 hrs!) to detect and
investigate and some take much longer
• If you do not have legal support, consider
30 days online and 1 year offline
(PCI requires 1 year retention).
Retention should not be an admin’s decision based on disk utilization

• Alternatively, evaluate a
commercial auditing solution
to more easily interrogate
the audit journal data

Questions

http://www.helpsystems.com/getting-started-security-series
Thank You
See you on June 27th at 12 noon CST to learn about PC Access

Getting Started with IBM i Security: Event Auditing

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (13)

Destacado

Destacado (20)

Similar a Getting Started with IBM i Security: Event Auditing

Similar a Getting Started with IBM i Security: Event Auditing (20)

Más de HelpSystems

Más de HelpSystems (20)

Último

Último (20)

Getting Started with IBM i Security: Event Auditing