• Introductions
• The History Log & The Audit Journal
• Starting to Audit
• Auditing a User Profile/Object/Access
• Working with the Audit Journal
• Free Offer / Resources for Security Officers
• Questions and Answers
• Premier Provider of Security Solutions & Services
– 18 years in the security industry as an established thought leader
– Customers in over 70 countries, representing every industry
– Security Subject Matter Expert for COMMON
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report
• Legislation such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts
• Industry Regulations such as Payment Card Industry (PCI DSS)
• Internal Activity Tracking
• High Availability
• Application Research & Debugging
• Display the History Log using the command:
DSPLOG LOG(QHST)
• Place your cursor on messages, and press Help to view second-level information.
• Second-level information can provide debug-type details about the program, job, or user that caused the entry to be written.
• The DSPLOG command supports filtering using a timestamp range, as well as specific message IDs.
• The majority of security messages fall between CPF2200 and CPF2299. Specify a generic value (CPF2200) to filter down to just those messages quickly:
DSPLOG LOG(QHST) MSGID(CPF2200) PERIOD(timestamp)
• The History Log files, named QHSTyydddn (where yyddd is a Julian date and n is a sequence number), are placed in the QSYS library.
• When the maximum file size is reached (controlled by the QHSTLOGSIZ system value), a new file is created. Or, specify *DAILY to create a new file for each day.
Have a strategy to save the log data for later review, if necessary.
• IBM provides a custom resource, the Security Audit Journal, for recording security-related events.
• Consider setting up a profile with *AUDIT special authority specifically to maintain the auditing controls.
• Events are recorded to the audit journal based on the configuration of audit controls: system, user, object.
• The operating system does not come with a security audit journal; you have to create it before you can start auditing.
• First, create a library to contain the audit journal receivers:
CRTLIB LIB(SECJRNLIB) TEXT('Security Journal Library')
• This allows you to secure the contents, and makes it easier to manage audit data.
• The Security Audit Journal must be called QAUDJRN and it must reside in the QSYS library.
• Although you can create the components and set the system value controls manually, most people prefer to use the Change Security Auditing (CHGSECAUD) command to pull all the components together.
QAUDCTL – Auditing Control
• This system value acts as an on/off switch to activate the auditing function
– Specify *NONE to turn auditing OFF
– Specify *AUDLVL to turn auditing ON
• Other recommended options include:
– *OBJAUD enables object-level auditing
– *NOQTEMP instructs the system to ignore activities in a job's QTEMP temporary library
Auditing Values
• This parameter corresponds to the QAUDLVL system value, and its overflow companion QAUDLVL2
• Use this value to designate what system-level activities you want to audit
• A special value of *DFTSET translates to the following values: *AUTFAIL, *CREATE, *DELETE, *SECURITY, *SAVRST
• In IBM i 7.1, 16 categories are available for system-wide auditing. Three of these (*JOBDTA, *NETCMN and *SECURITY, shown below with their *xxx sub-values) allow you to further customize them.
*ATNEVT Attention Event
*AUTFAIL Authority Failure
*CREATE Object Creations
*DELETE Object Deletions
*JOBDTA Actions Affecting Jobs (*JOBxxx)
*NETCMN Network Communications (*NETxxx)
*OBJMGT Object Management
*OPTICAL Optical Drive Operations
*PGMADP Program Adoptions
*PGMFAIL Program Failure
*PRTDTA Print Data
*SAVRST Save and Restore Operations
*SECURITY Security Operations (*SECxxx)
*SERVICE Service Functions
*SPLFDTA Spooled File Functions
*SYSMGT System Management
Note: All values, except *ATNEVT, can also be specified for individual users.
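The following CL sequence is an added example (not from the original slides) that ties together the library from the earlier slide, the CHGSECAUD command, and the QAUDCTL/QAUDLVL values just listed. The receiver name AUDRCV0001 and the extra QAUDLVL values beyond *DFTSET are assumptions for illustration.

```cl
/* Added example, not from the original slides. Library SECJRNLIB is  */
/* from the earlier slide; receiver name AUDRCV0001 is an assumption.  */

/* 1. Library for the receivers. AUT(*EXCLUDE) keeps *PUBLIC out of the */
/*    audit data; grant access to the *AUDIT profile separately.        */
CRTLIB LIB(SECJRNLIB) TEXT('Security Journal Library') AUT(*EXCLUDE)

/* 2. One command creates QSYS/QAUDJRN, attaches the first receiver in  */
/*    SECJRNLIB and sets the two system values. QAUDCTL turns auditing  */
/*    on (*AUDLVL), enables object auditing (*OBJAUD) and suppresses    */
/*    QTEMP noise (*NOQTEMP). QAUDLVL lists the *DFTSET categories      */
/*    explicitly, plus *PGMFAIL and *SERVICE as an assumed extension.   */
CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) +
          QAUDLVL(*AUTFAIL *CREATE *DELETE *SECURITY *SAVRST +
                  *PGMFAIL *SERVICE) +
          JRNRCV(SECJRNLIB/AUDRCV0001)

/* 3. Verify what is actually in effect: DSPSECAUD shows the journal,   */
/*    attached receiver and both system values on one panel.            */
DSPSECAUD
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)
WRKJRNA JRN(QSYS/QAUDJRN)   /* receiver chain and journal attributes */
```

Later receivers are generated by the system (CHGJRN with JRNRCV(*GEN)), so they stay in SECJRNLIB and inherit the library's authority.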
There are two other auditing-related system values that you should be aware of, but probably won't change:
QAUDFRCLVL – Auditing Force Level
Specifies how many audit records should be cached before they must be written to disk.
If your security policy requires ALL records to be written to disk, set this to 0; otherwise use the default value, *SYS, to maximize performance.
QAUDENDACN – Auditing End Action
Specifies what should happen if the server is unable to continue auditing.
The default value, *NOTIFY, sends a message to QSYSOPR (and QSYSMSG).
The value *PWRDWNSYS forces the system to immediately power down! After the system IPLs, a user with *ALLOBJ and *AUDIT authority must restore auditing and bring the system out of restricted state.
• In addition to system-wide auditing, you can audit specific user activities.
• Turn on user auditing using the Change User Auditing (CHGUSRAUD) command. This is distinct from the normal profile commands (for separation of duties).
• User auditing works with object-level auditing to audit specific objects when they are accessed by audited users.
• In addition to QAUDLVL values, an extra option (*CMD) is available for select user-profile auditing.
• The operating system allows you to audit access to specific objects.
• Object auditing works with user-level auditing to audit specific objects when they are accessed by audited users.
• Turn on object auditing using the Change Object Auditing (CHGOBJAUD) command after you specify *OBJAUD in the QAUDCTL system value.
• Specify either *ALL or *CHANGE to audit file opens, or file-open-for-change requests.
• Specify *USRPRF to have the operating system check the user profile's OBJAUD value to determine if object auditing is required, and what operations (Read/Change) to record.
NOTE: This is an object-level operation and does NOT audit data changes. Database journaling is required for record/field auditing.
• To audit an object in the IFS, follow the same procedure, but use the Change Auditing Value (CHGAUD) command.
To Audit New Objects
A new object inherits its auditing value from the CRTOBJAUD library attribute where it resides.
If the library has a value of *SYSVAL, the value is inherited from the QCRTOBJAUD system value (default of *NONE).
CAUTION: Changing the QCRTOBJAUD system value could generate a potentially large number of auditing events.
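The following commands are an added example (not from the original slides) covering the user, object, IFS and new-object auditing steps above. The profile JSMITH, library PAYLIB, files PAYROLL and PAYHIST, and directory /home/payroll are constructed names; it assumes QAUDCTL already contains *OBJAUD.

```cl
/* Added example, not from the original slides. JSMITH, PAYLIB,        */
/* PAYROLL, PAYHIST and /home/payroll are constructed names.           */

/* User auditing: OBJAUD(*CHANGE) makes this profile's updates to      */
/* *USRPRF-audited objects visible; AUDLVL adds the user-only *CMD     */
/* value so every command the profile runs becomes a CD entry.         */
CHGUSRAUD USRPRF(JSMITH) OBJAUD(*CHANGE) AUDLVL(*CMD *SECURITY *AUTFAIL)

/* Object auditing, always on: every open of PAYROLL is logged (ZR for */
/* reads, ZC for opens for change) regardless of who does it.          */
CHGOBJAUD OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) OBJAUD(*ALL)

/* Object auditing, user-driven: PAYHIST is logged only when touched   */
/* by a profile whose own OBJAUD value requests it (JSMITH above).     */
CHGOBJAUD OBJ(PAYLIB/PAYHIST) OBJTYPE(*FILE) OBJAUD(*USRPRF)

/* IFS objects take the same values through CHGAUD; SUBTREE(*ALL)      */
/* walks the directory so existing files are covered too.              */
CHGAUD OBJ('/home/payroll') OBJAUD(*CHANGE) SUBTREE(*ALL)

/* New objects created in PAYLIB inherit *CHANGE from the library      */
/* attribute, so QCRTOBJAUD can stay at its default of *NONE.          */
CHGLIB LIB(PAYLIB) CRTOBJAUD(*CHANGE)

/* Verify the settings took effect */
DSPUSRPRF USRPRF(JSMITH)                 /* Object auditing value, User action auditing */
DSPOBJD OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) DETAIL(*FULL)
DSPLIBD LIB(PAYLIB)                      /* Create object auditing */
WRKLNK OBJ('/home/payroll')              /* option 8 shows the auditing value */
```

These commands record opens, not record changes: for field-level history the file still needs database journaling, as the note above states.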
Source: IBM i and i5/OS Security & Compliance: A Practical Guide, 29th Street Press
• Some actions originating from the network may not be recorded by native auditing controls.
• If objects are being audited, or a user performs an audited action (for example, deleting an object), that access is tracked.
• Common network actions include ODBC and FTP.
• Consider using an exit program to ensure control and auditing of these types of transactions.
• To see if you have exit programs in place, review the system registry, use the WRKREGINF command, or use PowerTech's FREE Compliance Assessment tool.
• After auditing is configured and actively collecting, review how to extract the audited information.
• Download the System i Security Reference manual to see detailed information about QAUDLVL values, the AUDLVL value from user profile auditing, and the layout of audit journal data.
• All journal entries contain basic information (date, time, user, job information, and the entry type code), followed by entry-specific data.
There are 3 main options to display or print audit journal data:
1. Display Audit Journal Entry (DSPAUDJRNE)
Simplified version of the DSPJRN command with parameters specific for most entries in the security audit journal (no longer updated by IBM).
Does not support IFS events (requires DSPJRN).
Cannot sort or query data (only screen and sending output to a spooled file are supported).
2. Display Journal (DSPJRN)
Basic way to review activities in (any) journal.
Requires an understanding of the format of the journal data; data is not parsed by the command.
Supports the name of IFS objects.
Helps if you have an exact timestamp, as DSPJRN does not sort the data.
3. Copy Audit Journal Entry (CPYAUDJRNE)
Combines the DSPJRN command with copying the data to an output file.
The output file layout is based on the entry code.
Extracted data can be queried, for sorting and printing.
Default output file name is QAUDITxx, where xx is the audit type code.
Consider Reviewing the Following Journal Type Codes
AF Authority Failures
CP Profile Activities (Create/Change), Password Changes
SV System Value Changes
PW Invalid Passwords
For User Auditing
CD Command Executed
For Object Auditing
ZC Object Changed
ZR Object Read
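The following commands are an added example (not from the original slides) showing options 2 and 3 above applied to the type codes just listed. Library SECJRNLIB is taken from the setup slide; the date range is constructed, and the date format must match the job's date format.

```cl
/* Added example, not from the original slides. SECJRNLIB is from the  */
/* setup slide; the June 2013 date range is constructed sample input.  */

/* Option 2, DSPJRN: quick look at authority failures (AF) across the   */
/* current receiver chain. Data is shown unparsed, in arrival order,    */
/* so a tight time window is what makes this usable.                    */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) ENTTYP(AF) +
       FROMTIME('06/01/13' '00:00:00') TOTIME('06/30/13' '23:59:59') +
       OUTPUT(*)

/* Option 3, CPYAUDJRNE: one output file per entry type, laid out for   */
/* that type. With OUTFILE(SECJRNLIB/QAUDIT) the files are named        */
/* QAUDITAF, QAUDITCP, QAUDITSV, QAUDITPW, QAUDITCD, QAUDITZC, QAUDITZR */
/* (the base name plus the type code). *REPLACE clears the member so   */
/* a rerun does not double-count entries.                               */
CPYAUDJRNE ENTTYP(AF CP SV PW CD ZC ZR) +
           OUTFILE(SECJRNLIB/QAUDIT) OUTMBR(*FIRST *REPLACE) +
           JRNRCV(*CURCHAIN) +
           FROMTIME('06/01/13' '00:00:00') TOTIME('06/30/13' '23:59:59')

/* The output files are ordinary database files, so they can be sorted  */
/* and filtered with Query or SQL, which DSPAUDJRNE and DSPJRN cannot.  */
RUNQRY QRY(*NONE) QRYFILE((SECJRNLIB/QAUDITAF))
RUNQRY QRY(*NONE) QRYFILE((SECJRNLIB/QAUDITPW))
```

Because the output files land in SECJRNLIB, they inherit that library's restricted authority rather than the default QGPL location.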
Archiving
• Check with your legal department for retention information. Attorneys and auditors may have to defend the information in court, so give them what they need.
• If you do not have legal support, consider 30+ days online, and unrestricted offline (PCI regulations require 90 days online, and 1 year offline).
• Alternatively, evaluate a commercial auditing solution to more easily interrogate the audit journal data.
Online Compliance Guide Security Policy
1. Free graphical Compliance Assessment
2. Open Source Security Policy
3. The State of IBM i Security Study
4. Online Compliance Guide
5. Webinars / Education Events
6. Articles and White Papers
7. Security Blog (www.powertechblog.com)
8. Twitter Feed (www.twitter.com/powertechgroup)
9. Monthly Newsletter: PowerNews
Find all this at www.powertech.com
www.powertech.com (800) 915-7700 [email protected]