IBM Systems & Technology Group
Technical Conference
14 – 18 April, 2008, Sevilla, Spain
Session Title: i5/OS Security Auditing
Setup and Best Practices
Thomas Barlen
Consulting IT Specialist
IBM STG Lab Services
Session ID: iOS06
© 2007 IBM Corporation
ibm.com/redbooks
International Technical Support Organization
© 2008 IBM Corporation
Notices
This information was developed for products and services offered in the U.S.A. Note to U.S. Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
AS/400®, i5/OS®, IBM®, IBM eServer™, iSeries, OS/400®, Redbooks, Redbooks (logo)™, System i, System i5
The following terms are trademarks of other companies:
Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.
Acknowledgements
This presentation was developed by Thomas Barlen, IBM Europe STG Lab Services. Thomas is based in Germany, but works worldwide on mostly System i related security projects and presents at technical conferences.
Agenda
Introduction to audit and logging
Setting up system auditing in i5/OS
Systemwide auditing
Object auditing
User auditing
Audit journal analysis

Introduction to audit and logging
Security goals
Organizations, products, and processes have to meet certain security goals:
Authentication
Authorization / Access Control
Confidentiality
Integrity
Audit / Logging
Requirements
Many different government regulations and industry-specific requirements exist that dictate how IT processes and assets must comply with regulations
Examples:
The Sarbanes-Oxley Act (a.k.a. SOX) is a US law to establish trust in public companies and protect investors
It is commonly implemented by following COBIT (Control Objectives for Information and Related Technology); COBIT itself is not part of SOX
Some requirements of the Public Company Accounting Oversight Board (PCAOB) created by SOX are:
Controls designed to prevent or detect fraud, including who performs the controls and the required segregation of duties
Controls over the period-end financial reporting process
Controls over safeguarding of assets
Requirements (2)
SOX (continued)
Internal controls
Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure.
Moreover, under Section 404 of the Act, management is required to produce an "internal control report" as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting."
IT controls, IT audit, and SOX
"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."
Requirements (3)
Other laws and regulations
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry (PCI) Data Security Standard
Excerpt:
Protect Cardholder Data
Protect stored data
Encrypt transmission of cardholder data and sensitive information across public networks
Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Reasons to use auditing and logging
Laws and industry regulations require auditing
Internal or external auditors require it
You want to know what privileged users do on your system (e.g. command auditing)
Keep track of object usage (e.g. how frequently an object has been accessed)
Log actions, tasks, and access attempts of external partners and consultants
Your corporate security policies demand auditing and logging
Job accounting
i5/OS audit capabilities overview
The i5/OS system audit journal (QSYS/QAUDJRN) logs system events
Entries written to the journal cannot be changed or selectively deleted; they only disappear when a whole journal receiver is deleted, so protect the receivers with object authority and save them off the system regularly
Different event categories exist
Log entry details vary by category
User applications can also write their own entries into the system audit journal (for example with the SNDJRNE command)
For system-generated entries, Appendix F, Layout of Audit Journal Entries, of the IBM Systems - iSeries Security Reference (SC41-5302) contains the information needed to interpret each entry type
[Figure: the audit journal collects user actions, object accesses, authority changes and user application events]
i5/OS system audit journal event categories (1)
Security category
*SECCFG: User profile operations, changes to programs that adopt authority, changes to system values, QSECOFR password reset, etc.
*SECDIRSRV: Directory services events, such as audit change, successful bind, authority and password change, ownership change, etc.
*SECIPC: Interprocess communication changes, such as authority, create, delete, or get of an IPC object
*SECNAS: Network Authentication Service (Kerberos) events
*SECRUN: Security runtime events, such as changes to object ownership, authorization list, or primary group of an object
*SECURITY: All security functions; shorthand for the eight *SECxxx values listed here
*SECSCKD: Socket descriptor events, such as a socket descriptor given to another job, or a descriptor received
*SECVFY: Verification functions, e.g. a target user profile for a pass-through session, or a profile handle was generated
*SECVLDL: Changes to validation list objects are audited
i5/OS system audit journal event categories (2)
More security related categories
*AUTFAIL: Authorization failure events, such as all access failures (sign-on, authorization, job submission), incorrect password or user ID entered from a device
*PGMADP: Adopting authority from a program owner is audited
*PGMFAIL: Program failures are audited, e.g. a blocked instruction, validation value failure, domain violation
*ATNEVT: Attention events; this value must be specified when Intrusion Detection Services (IDS) is configured and IDS events should be logged to the audit journal
i5/OS system audit journal event categories (3)
Networking categories
*NETBAS: Network base function events, for example IP rules actions, sockets connections, APPN directory search filter
*NETCLU: Cluster or cluster resource group operations are audited, such as switch, failover, start, end, update attributes, etc.
*NETFAIL: Network failures are audited, e.g. socket port not available
*NETSCK: Auditing of socket tasks, such as accept, connect, DHCP address assigned
*NETCMN: All networking functions; shorthand for *NETBAS, *NETCLU, *NETFAIL and *NETSCK
i5/OS system audit journal event categories (4)
Object management categories
*OBJMGT: Generic object tasks are audited, such as moving and renaming objects
*CREATE: Audit records are written when objects are newly created or replaced
*DELETE: Audit records are written when objects are deleted
i5/OS system audit journal event categories (5)
Miscellaneous categories
*JOBDTA: Job start and stop data are audited, as well as when a job gets held, released, stopped, continued, changed, and disconnected
*OPTICAL: All optical functions are audited, such as adding or removing optical cartridges, changing the authorization list used to secure an optical volume, etc.
*PRTDTA: Printing functions are audited, for example printing a spooled file or printing with parameter SPOOL(*NO)
*SAVRST: Auditing of save and restore operations, including events when a system state program is restored or when job descriptions that contain user names are restored
*SERVICE: A list of service commands and API calls are audited
*SPLFDTA: Spooled file functions are audited, such as creating, deleting, displaying, copying, holding, and releasing a spooled file
*SYSMGT: System management tasks, such as hierarchical file system registration, and changes for Operational Assistant functions or system reply lists are audited
How about the performance impact?
There is no general figure that tells exactly what the performance impact is when turning on the system audit journal. It depends!
The performance impact depends on:
The number and type of events you want to journal: systemwide events, only object-level auditing, or only the actions of certain users
The number of journal receivers you want to keep on the system (disk storage)
The system value QAUDFRCLVL, which specifies how many audit entries may be buffered before the system forces them to be written to disk
The default is *SYS: the system decides, based on system load, when to write the buffered entries to disk
A low value (down to 1) costs performance but limits how many audit entries can be lost if the system ends abnormally; a high value (up to 100) favors performance
[Figure: QAUDFRCLVL scale from 1 (security) to 100 (performance)]
When an error occurs with the audit journal
What happens in the unlikely event of an error with QAUDJRN, for example when an audit entry cannot be written? Should new entries just be skipped?
The action to be taken is defined in the i5/OS system value QAUDENDACN:
*NOTIFY: a notification is sent to QSYSOPR (and to QSYSMSG if that message queue exists); the action that caused the audit event continues; QAUDCTL is set to *NONE and the notification is repeated every hour
*PWRDWNSYS: if sending an audit entry fails, the system ends with SRC B900 3D10; after the IPL the system comes up in restricted state with QAUDCTL set to *NONE, and at that first IPL a user with *AUDIT or *ALLOBJ special authority must sign on and re-enable auditing
Note that with *NOTIFY auditing is off from the moment of the error until somebody sets QAUDCTL again, so monitor QSYSMSG for the notification and act on it promptly.
Valuable information resource
The most valuable resource for setting up and analyzing the system audit journal is the System i Security Reference, SC41-5302, found in the iSeries Information Center at
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp
under Security>iSeries Security Reference

Setting up system auditing in i5/OS
i5/OS audit journal implementation overview
[Figure: initial setup steps and the data flow between them]
1 Create the journal receiver (for example JRNLIB/AUDRCV)
2 Create the journal QSYS/QAUDJRN and attach the receiver
3 Set the master switch, system value QAUDCTL (*AUDLVL, *OBJAUD, *NOQTEMP)
4 Set the systemwide event categories in system values QAUDLVL and QAUDLVL2 (*SECCFG, *AUTFAIL, *DELETE, …)
5 Set object auditing values on i5/OS objects (OBJAUD(*NONE), OBJAUD(*ALL), OBJAUD(*USRPRF)) and on user profiles (OBJAUD(*CHANGE), AUDLVL(*CMD *CREATE)); an object with OBJAUD(*USRPRF) is audited according to the OBJAUD value of the accessing user's profile
6 Analyze the audit journal with DSPJRN or, from V5R4, CPYAUDJRNE
Journal receiver considerations
Some considerations need to be taken into account when deciding on the storage location of the journal receiver
You should still be able to access and work with the journal entries even if the system ASP of the journaled system has been destroyed
There are basically two alternatives:
1 QAUDJRN stays in the system ASP (it must be in QSYS), but the journal receivers are placed in a user ASP
2 Remote journaling: QAUDJRN and its receivers stay in the system ASP of SYSA, and the entries are replicated to a remote journal (for example in library AUDSYSA) on a second system SYSB
[Figure: the two alternatives, local receiver in a user ASP versus remote journaling to SYSB]
Creating the journal receiver
As with any other journal, the journal receiver has to be created before the journal itself
Always use a dedicated library for the journal receivers
Always remember to limit public access as much as possible: AUT(*EXCLUDE) keeps even read access away from *PUBLIC, so grant *USE explicitly to the profiles or group that analyze the journal
CRTJRNRCV JRNRCV(AUDLIB/AUDJRN0001)
          TEXT('System audit journal receiver')
          AUT(*EXCLUDE)
Creating the journal
The system audit journal has a fixed name: QAUDJRN
It has to be created in library QSYS
Specify the journal receiver that you created in the previous step
CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(AUDLIB/AUDJRN0001)
       TEXT('System audit journal') AUT(*USE)
QAUDCTL – The master switch
The system value QAUDCTL is the master switch to turn on system auditing
The valid values are:
*NONE: Turns off auditing on the system; this value cannot be specified with any other value
*AUDLVL: Turns on systemwide (action) auditing. The level of auditing is specified in the QAUDLVL and QAUDLVL2 system values
*OBJAUD: Turns on object auditing. Audit records are only written for objects that have an object auditing value set and for which the corresponding action took place
*NOQTEMP: Most actions on objects in QTEMP are not logged. This value is only allowed in combination with *AUDLVL and/or *OBJAUD
*NOTAVL: Means "not available"; a read-only value displayed when the user who works with the QAUDCTL system value does not have *AUDIT or *ALLOBJ special authority
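The setup steps above (receiver, journal, master switch), together with the event selection and error handling described on the following slides, as one CL program. This is an added example for this page, not code from the original deck: the library AUDLIB, the receiver name AUDJRN0001, the threshold and the chosen QAUDLVL values are illustrative assumptions, and the caller is assumed to have *AUDIT special authority for the system values and authority to create objects in QSYS.

```cl
/* AUDSETUP - one-shot setup of the i5/OS system audit journal.      */
/* Added example; AUDLIB, AUDJRN0001 and the value lists are          */
/* illustrative, not IBM defaults.                                    */
PGM
  DCL VAR(&AUDCTL) TYPE(*CHAR) LEN(30)

  /* 1. Dedicated library for the receivers, no public access.        */
  CRTLIB LIB(AUDLIB) TEXT('Audit journal receivers') AUT(*EXCLUDE)
  MONMSG MSGID(CPF2111)            /* library already exists          */

  /* 2. Receiver before journal. THRESHOLD is in KB; when it is       */
  /*    reached the system attaches a new receiver (see MNGRCV).      */
  CRTJRNRCV JRNRCV(AUDLIB/AUDJRN0001) THRESHOLD(500000) +
            TEXT('System audit journal receiver') AUT(*EXCLUDE)
  MONMSG MSGID(CPF7010)            /* object already exists           */

  /* 3. Journal name and library are fixed: QSYS/QAUDJRN.             */
  /*    MNGRCV(*SYSTEM): system generates and attaches new receivers. */
  /*    DLTRCV(*NO): detached receivers stay until you saved them.    */
  CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(AUDLIB/AUDJRN0001) +
         MNGRCV(*SYSTEM) DLTRCV(*NO) +
         TEXT('System audit journal') AUT(*USE)
  MONMSG MSGID(CPF7010)

  /* 4. Event selection. QAUDLVL holds at most 16 values; the value   */
  /*    *AUDLVL2 in that list makes the system read QAUDLVL2 too.     */
  CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECCFG *SECRUN +
            *SECVFY *PGMADP *PGMFAIL *CREATE *DELETE *OBJMGT +
            *SAVRST *JOBDTA *NETFAIL *AUDLVL2')
  CHGSYSVAL SYSVAL(QAUDLVL2) VALUE('*SERVICE *SYSMGT *SPLFDTA')

  /* 5. Behaviour when an entry cannot be written. *NOTIFY keeps the  */
  /*    system running but sets QAUDCTL to *NONE, i.e. auditing       */
  /*    stops until somebody turns it on again.                        */
  CHGSYSVAL SYSVAL(QAUDENDACN) VALUE('*NOTIFY')
  CHGSYSVAL SYSVAL(QAUDFRCLVL) VALUE('*SYS')

  /* 6. Master switch last, so the first entries land in the receiver */
  /*    created above. *NOQTEMP suppresses most QTEMP object entries. */
  CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

  /* Verify: QAUDCTL is returned as three 10-byte slots.              */
  RTVSYSVAL SYSVAL(QAUDCTL) RTNVAR(&AUDCTL)
  SNDPGMMSG MSG('Auditing active, QAUDCTL = ' *CAT &AUDCTL) +
            MSGTYPE(*COMP)
ENDPGM
```

Order matters: the receiver must exist before CRTJRN, and QAUDCTL is changed last so that no event is generated while the journal is only half configured. With DLTRCV(*NO) a detached receiver is never removed by the system, so a save and DLTJRNRCV of old receivers has to be part of the operational procedure; otherwise AUDLIB grows until the threshold message is ignored for long enough to fill the ASP.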
Systemwide auditing
Systemwide auditing overview
Systemwide auditing events are configured through the QAUDLVL and QAUDLVL2 system values
System value QAUDCTL must include *AUDLVL, otherwise these values have no effect
There is no threshold for the number of entries that will be written to QAUDJRN for a specific event
For every occurrence of an event, another entry is written to the journal
Selecting auditing events
You can specify the event types via a 5250 command line (CHGSYSVAL) or through iSeries Navigator (Security>Policies>Auditing Policy)
Display System Value
System value . . . . . :   QAUDLVL
Description  . . . . . :   Security auditing level
Auditing options:
*CREATE    *DELETE    *AUTFAIL   *NETBAS    *NETFAIL   *NETSCK
*JOBDTA    *PGMADP    *PGMFAIL   *SECCFG    *SAVRST
*SECDIRSRV *SECNAS    *SECRUN    *SECVLDL
Using both QAUDLVL and QAUDLVL2
QAUDLVL holds at most 16 values. When more than that are needed, put the special value *AUDLVL2 into QAUDLVL and the remaining values into QAUDLVL2 (up to 99 values). Without *AUDLVL2 in QAUDLVL, the content of QAUDLVL2 is ignored.
Display System Value
System value . . . . . :   QAUDLVL
Description  . . . . . :   Security auditing level
Auditing options:
*CREATE    *DELETE    *AUTFAIL   *NETBAS    *NETFAIL   *NETSCK
*JOBDTA    *PGMADP    *PGMFAIL   *SECCFG    *SAVRST
*SECDIRSRV *SECNAS    *SECRUN    *SECVLDL   *AUDLVL2

Display System Value
System value . . . . . :   QAUDLVL2
Description  . . . . . :   Security auditing level
Auditing options:
*SERVICE   *SECVFY
Object auditing
Object auditing overview
Object auditing actions are defined on a per-object basis (the OBJAUD attribute of the object)
The object auditing value for newly created objects comes from the CRTOBJAUD attribute of the library; with CRTOBJAUD(*SYSVAL) it comes from the system value QCRTOBJAUD
Whether an audit entry is written can also be delegated to the user profile of the user accessing the object
*USRPRF is a good default value: it lets you turn auditing on or off per user (CHGUSRAUD) without touching the objects themselves
Object auditing values (OBJAUD):
*NONE: No audit entry will be written
*CHANGE: All change accesses to this object by all users are logged
*ALL: All change and read accesses to this object by all users are logged
*USRPRF: The OBJAUD value of the user profile of the user accessing this object determines whether an audit record is written for this access
Enabling object auditing for a QSYS.LIB object
Object auditing values need to be defined for every object
The object auditing parameter is not part of any Create command
For objects in the QSYS.LIB file system, the following command must be used to define object auditing:
CHGOBJAUD OBJ(PRODLIB1/ORDER) OBJTYPE(*FILE)
          OBJAUD(*CHANGE)
Enabling object auditing for an i5/OS IFS object
Similar to enabling object auditing for QSYS.LIB objects, there is also a command for turning on object auditing for objects in the Integrated File System (IFS):
CHGAUD OBJ('/barlen/app.properties') OBJAUD(*ALL)
Example of using *CHANGE for object auditing
Command:
CHGOBJAUD OBJ(BARLEN/USRLIST) OBJTYPE(*FILE)
          OBJAUD(*CHANGE)
Object (DSPOBJD DETAIL(*FULL)):
Display Object Description - Full
Object . . . . . . . :   USRLIST      Attribute  . . . . . :   PF
Library  . . . . . . :   BARLEN       Owner  . . . . . . . :   BARLEN
Library ASP device . :   *SYSBAS      Library ASP group  . :   *SYSBAS
Type . . . . . . . . :   *FILE        Primary group  . . . :   *NONE
Change/Usage information:
  Change date/time . . . . . . . :   03/12/07  16:57:12
  Usage data collected . . . . . :   YES
  Last used date . . . . . . . . :
  Days used count  . . . . . . . :   0
  Reset date . . . . . . . . . . :
  Allow change by program  . . . :   NO
Auditing/Integrity information:
  Object auditing value  . . . . :   *CHANGE
  Digitally signed . . . . . . . :   NO
Example of using *USRPRF for object auditing
Command:
CHGAUD OBJ('/barlen/hodsplit') OBJAUD(*USRPRF)
Object (Display Attributes, option from WRKLNK):
Display Attributes
Object . . . . . . . . . . . . :   /barlen/hodsplit
Creation date/time . . . . . . :   03/11/07  10:51:29
Last access date/time  . . . . :   03/12/07  09:09:07
Data change date/time  . . . . :   03/12/07  08:54:37
Attribute change date/time . . :   03/12/07  17:01:15
Size of object data in bytes . :   45056
Allocated size of object . . . :   45056
Directory format . . . . . . . :   *TYPE2
Size of extended attributes  . :   0
Storage freed  . . . . . . . . :   No
Auditing value . . . . . . . . :   *USRPRF
Object domain  . . . . . . . . :   *SYSTEM
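The object auditing commands from the slides above, combined into one CL program that covers the three places the auditing value comes from (library default for new objects, existing QSYS.LIB objects, an IFS subtree). This is an added example, not from the original deck: PRODLIB1, the file ORDER and the directory '/prodapp/cfg' are illustrative names, and QAUDCTL is assumed to already contain *OBJAUD, otherwise the OBJAUD values are stored in the objects but no journal entry is ever written.

```cl
/* AUDOBJ - apply object auditing to an application library and its  */
/* IFS configuration directory. Added example; names are              */
/* illustrative. Requires *AUDIT special authority.                   */
PGM
  /* Default for objects created from now on. *USRPRF delegates the   */
  /* decision to the accessing user's profile instead of *SYSVAL,     */
  /* which would inherit whatever QCRTOBJAUD currently says.          */
  CHGLIB LIB(PRODLIB1) CRTOBJAUD(*USRPRF)

  /* CRTOBJAUD is not retroactive: objects that already exist keep    */
  /* their own OBJAUD value and must be changed explicitly. A         */
  /* generic name covers every file in the library in one command.    */
  CHGOBJAUD OBJ(PRODLIB1/*ALL) OBJTYPE(*FILE) OBJAUD(*CHANGE)

  /* The order file holds customer data: log reads as well as changes.*/
  CHGOBJAUD OBJ(PRODLIB1/ORDER) OBJTYPE(*FILE) OBJAUD(*ALL)

  /* Programs: log changes (replace, restore, authority/owner changes).*/
  CHGOBJAUD OBJ(PRODLIB1/*ALL) OBJTYPE(*PGM) OBJAUD(*CHANGE)

  /* IFS: SUBTREE(*ALL) walks the whole directory tree; the directory */
  /* itself is included, so new entries inside it are logged too.     */
  CHGAUD OBJ('/prodapp/cfg') OBJAUD(*CHANGE) SUBTREE(*ALL)

  /* Verify on one object: the "Object auditing value" line of        */
  /* DSPOBJD DETAIL(*FULL) must now show *ALL.                        */
  DSPOBJD OBJ(PRODLIB1/ORDER) OBJTYPE(*FILE) DETAIL(*FULL)
ENDPGM
```

Running CHGOBJAUD with OBJAUD(*ALL) on a library full of frequently read files is the most common way to make the audit journal explode, so the program reserves *ALL for the one file whose reads are actually interesting and uses *CHANGE everywhere else. Objects created later into PRODLIB1 get *USRPRF from the library and are thus audited only for users whose profile OBJAUD says so.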
User auditing
User auditing overview
User auditing can be defined for:
object events, when *USRPRF is specified in the OBJAUD parameter of the object description (object auditing value of the user profile: *NONE, *CHANGE, *ALL)
actions that are performed by a specific user profile (action auditing values of the user profile: *NONE *CMD *CREATE *DELETE *JOBDTA *OBJMGT *OFCSRV *OPTICAL *PGMADP *SAVRST *SECURITY *SERVICE *SPLFDTA *SYSMGT)
The action auditing values of a user profile are added to what QAUDLVL and QAUDLVL2 already specify for everybody. *CMD (log every CL command the user runs) is only available at the user level and cannot be specified in QAUDLVL.
Enabling per user auditing
User auditing cannot be defined with the CRTUSRPRF or CHGUSRPRF command
The CHGUSRAUD command has to be used to define user auditing; it requires *AUDIT special authority
CHGUSRAUD USRPRF(BARLEN)
          OBJAUD(*CHANGE)
          AUDLVL(*SECURITY *SAVRST *SERVICE)
Example of turning on user auditing
Command:
CHGUSRAUD USRPRF(BARLEN THOMAS ISV1)
          OBJAUD(*CHANGE)
          AUDLVL(*CMD *SECURITY *SAVRST *SERVICE)
*CMD is always recommended for privileged users
User profile (DSPUSRPRF TYPE(*BASIC)):
Display User Profile - Basic
User profile . . . . . . . . . :   BARLEN
Object auditing value  . . . . :   *CHANGE
Action auditing values . . . . :   *CMD
                                   *SAVRST
                                   *SECURITY
                                   *SERVICE
User ID number . . . . . . . . :   1000
Group ID number  . . . . . . . :   114
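The CHGUSRAUD call from the slide above, wrapped in the check a practitioner wants before relying on it: user-level AUDLVL values only produce journal entries when QAUDCTL contains *AUDLVL, and user-level OBJAUD only when it contains *OBJAUD. This is an added example, not from the original deck; the profile names BARLEN THOMAS ISV1 are the ones on the slide, the program name is illustrative, and the caller is assumed to have *AUDIT special authority.

```cl
/* AUDPRVUSR - command and security auditing for privileged profiles. */
/* Added example; program name is illustrative.                       */
PGM
  DCL VAR(&AUDCTL)  TYPE(*CHAR) LEN(30)
  DCL VAR(&HAVELVL) TYPE(*LGL)  VALUE('0')
  DCL VAR(&HAVEOBJ) TYPE(*LGL)  VALUE('0')

  /* QAUDCTL is returned as three 10-byte slots; test each slot       */
  /* because the values can be in any order.                          */
  RTVSYSVAL SYSVAL(QAUDCTL) RTNVAR(&AUDCTL)
  IF COND(%SST(&AUDCTL 1 10) *EQ '*AUDLVL' *OR +
          %SST(&AUDCTL 11 10) *EQ '*AUDLVL' *OR +
          %SST(&AUDCTL 21 10) *EQ '*AUDLVL') +
     THEN(CHGVAR VAR(&HAVELVL) VALUE('1'))
  IF COND(%SST(&AUDCTL 1 10) *EQ '*OBJAUD' *OR +
          %SST(&AUDCTL 11 10) *EQ '*OBJAUD' *OR +
          %SST(&AUDCTL 21 10) *EQ '*OBJAUD') +
     THEN(CHGVAR VAR(&HAVEOBJ) VALUE('1'))

  /* Fail loudly rather than configure auditing that never journals.  */
  IF COND(*NOT &HAVELVL) THEN(SNDPGMMSG MSGID(CPF9898) +
     MSGF(QCPFMSG) MSGDTA('QAUDCTL has no *AUDLVL: user action +
     auditing would not be journaled') MSGTYPE(*ESCAPE))
  IF COND(*NOT &HAVEOBJ) THEN(SNDPGMMSG MSGID(CPF9898) +
     MSGF(QCPFMSG) MSGDTA('QAUDCTL has no *OBJAUD: user object +
     auditing would not be journaled') MSGTYPE(*ESCAPE))

  /* *CMD exists only at user level: every CL command these profiles  */
  /* run, interactively or through a host server job, becomes a CD    */
  /* entry. OBJAUD(*CHANGE) makes them subject to every object that   */
  /* carries OBJAUD(*USRPRF).                                         */
  CHGUSRAUD USRPRF(BARLEN THOMAS ISV1) OBJAUD(*CHANGE) +
            AUDLVL(*CMD *SECURITY *SAVRST *SERVICE)

  SNDPGMMSG MSG('User auditing set for BARLEN THOMAS ISV1') +
            MSGTYPE(*COMP)
ENDPGM
```

The two escape messages are deliberate: CHGUSRAUD succeeds regardless of QAUDCTL, and a profile that displays AUDLVL(*CMD) while nothing reaches QAUDJRN is exactly the false sense of security an auditor will catch later. Verify afterwards with DSPUSRPRF TYPE(*BASIC) as shown above.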
Audit journal analysis
i5/OS audit journal analysis overview
The audit journal can serve two purposes:
log events and, in case of a problem, start the analysis (reactive)
log events and analyze the journal on a regular basis (preventive)
Let's explore the analysis based on the manual process
Task overview: select journal entries, format journal entries, interpret journal entries, act on results
Selecting audit journal entries
Selecting and displaying journal entries is done through the DSPJRN command
Specify the journal name and, to narrow the selection, the entry types (ENTTYP); the other parameters are optional
Display Journal (DSPJRN)
Type choices, press Enter.
Journal  . . . . . . . . . . . . > QAUDJRN       Name, *INTSYSJRN
  Library  . . . . . . . . . . .   *LIBL         Name, *LIBL, *CURLIB
Journaled physical file:
  File . . . . . . . . . . . . .                 Name, *ALLFILE, *ALL
    Library  . . . . . . . . . .   *LIBL         Name, *LIBL, *CURLIB
  Member . . . . . . . . . . . .   *FIRST        Name, *FIRST, *ALL, *NONE
…
Number of journal entries  . . .   *ALL          Number, *ALL
Journal codes:
  Journal code value . . . . . .   *ALL          *ALL, *CTL, A, B, C, D, E...
  Journal code selection . . . .                 *ALLSLT, *IGNFILSLT...
           + for more values
Journal entry types  . . . . . . > AF            Character value, *ALL, *RCD
           + for more values
Formatting entries via model outfiles
Depending on the event type, the system generates audit journal entries of different entry types
Each entry contains a common set of base information and entry-type-specific information
Displaying the raw journal entry does not provide very meaningful information: in the AF entry below, the violation type (A), object name (SOFTWARE), library (QSYS), object type (*LIB), job name (QPADEV0005) and user (BARLEN2) are all there, but only as fixed positions that you would have to look up in Appendix F
Display Journal Entry
Object . . . . . . :                Library  . . . . . . :
Member . . . . . . :
Incomplete data  . :   No           Minimized entry data :   *NONE
Sequence . . . . . :   380607
Code . . . . . . . :   T - Audit trail entry
Type . . . . . . . :   AF - Authority failure
Entry specific data
Column    *...+....1....+....2....+....3....+....4....+....5
00001    'ASOFTWARE   QSYS      *LIB   QPADEV0005BARLEN2   '
00051    '001015 BARLEN2   0000'
00101    '000'
Formatting entries via model outfiles (2)
Model outfiles exist for every entry type
The model outfiles are stored in QSYS and need to be copied into a work library before DSPJRN can write into them
The name QASYxxJy encodes the entry type (xx, e.g. AF) and the outfile format (y: J4 for OUTFILFMT(*TYPE4), J5 for *TYPE5, JE for the earlier formats)
Work with Objects Using PDM                                   I5OSP4
Library . . . . .   QSYS          Position to  . . . . . . . . .
                                  Position to type . . . . . . .
Type options, press Enter.
 2=Change   3=Copy   4=Delete   5=Display   7=Rename
 8=Display description   9=Save   10=Restore   11=Move ...
Opt  Object      Type     Attribute   Text
     QASYADJE    *FILE    PF-DTA      Outfile for journal entry type AD
     QASYADJ4    *FILE    PF-DTA      Outfile for journal entry type AD
     QASYADJ5    *FILE    PF-DTA      Outfile for journal entry type AD
     QASYAFJE    *FILE    PF-DTA      Outfile for journal entry type AF
     QASYAFJ4    *FILE    PF-DTA      Outfile for journal entry type AF
     QASYAFJ5    *FILE    PF-DTA      Outfile for journal entry type AF
     QASYAPJE    *FILE    PF-DTA      Outfile for journal entry type AP
     QASYAPJ4    *FILE    PF-DTA      Outfile for journal entry type AP
                                                              More...
Formatting entries via model outfiles (3)
Journal entries can be dumped into a copy of the corresponding model outfile
The entries in the outfile are formatted and can easily be processed by Query (RUNQRY) or SQL
The outfile format (OUTFILFMT) has to match the model file you copied: QASYAFJ5 goes with *TYPE5
CRTDUPOBJ OBJ(QASYAFJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP) NEWOBJ(AF)
          DATA(*YES)
DSPJRN JRN(QAUDJRN) FROMTIME(031407 090000) ENTTYP(AF) OUTPUT(*OUTFILE)
       OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AF)
Display Report
                               Position to line  . . . . .
Line   ....+....1....+....2....+....3....+....4....+....5....+....
       Type  Job         User     Job     User     Object    Library  Obj
             name        name     number  profile  name      name     type
000001 AF    QPADEV0005  BARLEN2   1,015  BARLEN2  SOFTWARE  QSYS     *LIB
000002 AF    QPADEV0005  BARLEN2   1,015  BARLEN2  *N        *N       *DIR
000003 AF    ADMIN       QTMHHTTP  1,047  QTMHHTTP *N        *N       *DIR
000004 AF    ADMIN       QTMHHTTP  1,052  QTMHHTTP *N        *N       *DIR
000005 AF    ADMIN       QTMHHTTP  1,052  QTMHHTTP *N        *N       *DIR
000006 AF    ADMIN       QTMHHTTP  1,052  QTMHHTTP *N        *N       *DIR
****** ******** End of report ********
Selecting audit journal entries (V5R4 and higher)
The DSPJRN and model outfile approach from V5R3 is still available
Starting from V5R4, a new command provides simplified selection and formatting options: CPYAUDJRNE
It creates one output file per entry type, named prefix plus entry type; for AF with the default prefix the file is QAUDITAF
Copy Audit Journal Entries (CPYAUDJRNE)
Type choices, press Enter.
Journal entry types  . . . . . .   AF            *ALL, AD, AF, AP, AU, CA...
           + for more values
Output file prefix . . . . . . .   QAUDIT        Name
  Library  . . . . . . . . . . .   QTEMP         Name, *CURLIB
Output member options:
  Member to receive output . . .   *FIRST        Name, *FIRST
  Replace or add records . . . .   *REPLACE      *REPLACE, *ADD
User profile . . . . . . . . . .   *ALL          Name, *ALL
Journal receiver searched:
  Starting journal receiver  . .   *CURRENT      Name, *CURRENT, *CURCHAIN
    Library  . . . . . . . . . .                 Name, *LIBL, *CURLIB
  Ending journal receiver  . . .                 Name, *CURRENT
    Library  . . . . . . . . . .                 Name, *LIBL, *CURLIB
Starting date and time:
  Starting date  . . . . . . . . > 031407        Date, *FIRST
  Starting time  . . . . . . . . > 090000        Time
Example 1 of interpreting a journal entry
Example of an AF entry (columns 71 onwards of the report)
Display Report
.+...71....+...72....+...73....+...74....+
Violation   Object     Library   Object
type        name       name      type
A           SOFTWARE   QSYS      *LIB
A           *N         *N        *DIR
A           *N         *N        *DIR
A           *N         *N        *DIR
A           *N         *N        *DIR
A           *N         *N        *DIR
A           QSRV       QUSRSYS   *MSGQ
Violation type A means "not authorized to object". *N means the value is not available in the entry; for the *DIR entries the IFS path is carried in a separate field of the outfile rather than in the object/library columns.
Example 2 of interpreting a journal entry
Example of a system value change (SV entry; entry type A = system value changed)
Display Report
                               Position to line  . . . . .
Line   ....+....1....+....2....+....3....+....4....+....5....+....6
       Type  Job         User    Job     User     Entry  System   New
             name        name    number  profile  type   value    value
00001  SV    QPADEV0003  BARLEN   1,013  BARLEN   A      QCRTAUT  *ALL
00002  SV    QPADEV0003  BARLEN   1,013  BARLEN   A      QCRTAUT  *EXCLUDE
****** ******** End of report ********
This is the kind of change worth reviewing: while QCRTAUT was *ALL, every object created in a library with CRTAUT(*SYSVAL) was created with *PUBLIC *ALL authority; the second entry shows it being set back to *EXCLUDE.
Example 3 – Command auditing
Example of command auditing turned on for a specific user (CD entries)
Display Report
                               Position to line  . . . . .
       ....+....1....+....2....+....3....+....4....+....5
Type  Job        User    Job     User     CL   Command
      name       name    number  profile  PGM  string
CD    QZRCSRVS   QUSER      962  BARLEN   N    QSYS/CPYPTFGRP PTFGRP(SF99311) …
CD    QZRCSRVS   QUSER      964  BARLEN   N    QSYS/CPYPTFGRP PTFGRP(SF99323) …
CD    QZRCSRVS   QUSER      966  BARLEN   N    QSYS/CRTSAVF FILE(QGPL/QSF99315G)
CD    QZRCSRVS   QUSER      964  BARLEN   N    QSYS/DLTF FILE(QGPL/QSF99323G)
CD    QZRCSRVS   QUSER      962  BARLEN   N    QSYS/DLTF FILE(QGPL/QSF99311G)
CD    DSP01      BARLEN   1,012  BARLEN   N    MKDIR DIR('/download')
CD    DSP01      BARLEN   1,012  BARLEN   N    MKDIR DIR('/download/group140307')
CD    DSP01      BARLEN   1,012  BARLEN   N    CD DIR('/download/group140307')
Note the first five rows: the job name is QZRCSRVS (the remote command host server) and the job user is QUSER, but the user profile column shows BARLEN. The prestart server job swaps to the requesting user, so command auditing on the user profile catches commands sent through iSeries Navigator or a remote command client, not only 5250 sessions like DSP01.
Automating parts of the audit journal analysis
Write a CL program that automates the manual tasks and run the program through the job scheduler:
CPYAUDJRNE
RUNQRY
ADDJOBSCDE JOB(ANALYZESV) CMD(CALL PGM(AUDLIB/AUDITAF)) FRQ(*WEEKLY) SCDDAY(*ALL)
           SCDTIME(233000)
Review the reports
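A CL program of the kind the slide describes, as an added example that is not part of the original deck. It takes the entry type as a parameter so one program serves AF, SV, CD and so on, counts the copied entries before printing anything, and alerts the operator only when there is something to look at. Assumptions: library AUDLIB and the program name AUDRPT are illustrative; the CPYAUDJRNE keywords used (ENTTYP, OUTFILPFX, OUTFILLIB, OUTMBR, FROMTIME) are taken from the command prompt shown above; the job is scheduled shortly before midnight so that "today" covers the whole day; and the job date format matches QDATFMT, as it does by default.

```cl
/* AUDRPT - daily report for one audit journal entry type.            */
/* Added example; AUDLIB/AUDRPT is an illustrative name.              */
/* Call:  CALL PGM(AUDLIB/AUDRPT) PARM('AF')                          */
PGM PARM(&ENTTYP)
  DCL VAR(&ENTTYP) TYPE(*CHAR) LEN(2)       /* AF, SV, CD, PW, ...    */
  DCL VAR(&TODAY)  TYPE(*CHAR) LEN(6)       /* QDATE, QDATFMT format  */
  DCL VAR(&FILE)   TYPE(*CHAR) LEN(10)      /* QAUDIT + entry type    */
  DCL VAR(&NBRRCD) TYPE(*DEC)  LEN(10 0)
  DCL VAR(&NBRCHR) TYPE(*CHAR) LEN(10)

  RTVSYSVAL SYSVAL(QDATE) RTNVAR(&TODAY)
  CHGVAR VAR(&FILE) VALUE('QAUDIT' *CAT &ENTTYP)

  /* CPYAUDJRNE formats the entries into QTEMP/QAUDITxx using the     */
  /* model outfile for the entry type; no CRTDUPOBJ of QASYxxJ5.      */
  /* Default receiver range is the attached receiver only; if the     */
  /* receiver was changed today, widen the "Journal receiver          */
  /* searched" parameter.                                             */
  CPYAUDJRNE ENTTYP(&ENTTYP) OUTFILPFX(QAUDIT) OUTFILLIB(QTEMP) +
             OUTMBR(*FIRST *REPLACE) FROMTIME(&TODAY 000000)

  /* Count instead of eyeballing: an empty report is noise.           */
  RTVMBRD FILE(QTEMP/&FILE) NBRCURRCD(&NBRRCD)
  IF COND(&NBRRCD *EQ 0) THEN(DO)
     SNDPGMMSG MSG('No ' *CAT &ENTTYP *CAT ' audit entries today') +
               MSGTYPE(*COMP)
     RETURN
  ENDDO

  /* Print the formatted entries (spooled file QPQUPRFIL) and tell    */
  /* the operator how many there were.                                */
  RUNQRY QRY(*NONE) QRYFILE((QTEMP/&FILE)) OUTTYPE(*PRINTER)
  CHGVAR VAR(&NBRCHR) VALUE(&NBRRCD)
  SNDMSG MSG(&NBRCHR *CAT ' ' *CAT &ENTTYP *CAT +
             ' audit entries today, see spooled file QPQUPRFIL') +
         TOUSR(QSYSOPR)
ENDPGM
```

Schedule one entry per entry type, for example ADDJOBSCDE JOB(AUDITAF) CMD(CALL PGM(AUDLIB/AUDRPT) PARM('AF')) FRQ(*WEEKLY) SCDDAY(*ALL) SCDTIME(233000), and a second one with PARM('SV') for system value changes. The scheduled job runs under a profile that needs *AUDIT or *ALLOBJ authority to read QAUDJRN and *USE on the receiver library, so give that job description its own restricted profile rather than QSECOFR.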
Products that can help you working with the journal
Do you have to do all these tasks by yourself? Not necessarily.
Some audit journal management and analysis tasks can be done by readily available software products in the market
The slide listed some of the vendors registered at the IBM System i Tools Innovation site (see Additional information) that offer these kinds of functions
There are more vendors out there; you need to search the Web
Summary
You should now know:
the purpose of the i5/OS system audit journal
the various event categories
how to set up the audit journal environment
how to set up systemwide auditing
how to set up object auditing
how to set up user auditing
how to analyze the audit journal
Additional information
System i Security Reference, SC41-5302, found in the iSeries Information Center at
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp
under Security>iSeries Security Reference
IBM System i Tools Innovation site with security vendors:
http://www304.ibm.com/jct09002c/partnerworld/wps/pub/systems/i/technical/iii/tools_improve?gcLang=