© 2011 IBM Corporation IBM i Security Mind Your Own Business

Upload: imogen-bell

Post on 12-Jan-2016


© 2009 IBM Corporation

IBM i Security

• Type 2 Diabetes – a manifestation of improperly managed health
    Primarily Diet – carbohydrates – we love the white stuff
    Exercise – or lack thereof
• Breach - a manifestation of improperly managed information
    Data – we are addicts of information – constant thirst for more
    Security – largely unchecked – we provide information without discernment as to its interpretation and how it will be used. This is true even for those authorized to it!

• Type 2 Diabetes – rethink everything!
    Diet – what am I putting in my body? “Live to eat or eat to live”
    Exercise – maybe a 30 minute walk isn’t so bad
• Breach - rethink everything!
    Data – what are you putting on your system?
    Security – what are we doing?
        What is important? What would be lost if the information was compromised?
        Who should have access, and to what?
        How do we create applications?
        Do we have standards for development? For user administration? For the system?
        Who is monitoring the standards?

• Type 2 Diabetes – can be controlled / reversed with effort
    Journaling – getting it down on paper
    Exercise – getting out of the chair – 30 min a day
• Breach - can be controlled / prevented with effort
    Journaling – key indicators, monitoring
    Security – administrating users, applications, the system

• Getting it down on paper…
    GO SECTOOLS
    DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) OUTFILE(SECLIB/ALLUSERS)
    DSPOBJD to outfile and query
    DSPOBJAUT to outfile and query, joined with the DSPOBJD outfile
    PRTSYSSECA
    System APIs – QSYLOBJP, QUSROBJD, QSYRUSRA, QDCLCFGD, QSYLATLO, QUSRTVEI, QUSLOBJ, QSYRUSRI, QWDRJOBD, QLIRLIBD, etc.
    QATO* files in QUSRSYS

• Type 2 Diabetes – positive changes
    Mind – think clearly
    Sleep – feel refreshed
    Energized – feel better
    New Clothes – weight loss
• Breach - positive changes
    Mind – Security confidence
    Sleep – no worries
    Energized – more processor for real work
    New Clothes – may need to purchase (or build) new applications

Logging and Monitoring

What is Security Auditing?

• Security Auditing IS
    Documenting security and other system events
        Who changed a particular user profile?
        Who deleted a specific logical file?
        Who tried to access the Credit Card file?
        Who changed a system value?
        Who deleted a spooled file?
• Security Auditing is NOT
    Journaling record changes
    Capturing before and after images of file changes
    Auditing payroll or financial records

Reasons to use Auditing and Logging

• Laws and industry regulations require auditing
• Internal or external auditors require it
• Your corporate security policies demand it
• You want to know what privileged users do on your system (i.e. command auditing)
• Keep track of object usage (i.e. how frequently an object has been accessed)
• Log actions, tasks, and access attempts of external partners and consultants
• Logging is important for tracking sensitive transactions and operations
• Job accounting

IBM i Auditing Overview

• The IBM i operating system audit journal logs system events
• Logged events cannot be changed in the journal
• Different event categories exist
    Log entry details vary by category
• User applications can also log entries into the system audit journal
• For system-generated entries, refer to Appendix F – Layout of Audit Journal Entries in the IBM i Security Reference manual. It contains information about how to interpret the journal entries.

Performance Impact?

Performance can vary widely when turning on the System Audit Journal. The impact, if any, will depend on:
• The number and type of events you want to journal
    system-wide events, or just on an object level, or only for actions of a certain user
• The number of journal receivers you want to keep on the system and the available disk storage
• The system value QAUDFRCLVL
    specifies the number of entries in the journal before the system forces the data to be written to disk
    default is set to *SYS, letting the system decide based on system load when to write the information to disk

IBM i Auditing Implementation Overview

INITIAL STEPS
1. Create Journal Receiver
2. Create QAUDJRN in QSYS
3. Set QAUDCTL System Value to Activate Auditing (*AUDLVL *NOQTEMP *OBJAUD)
4. Set QAUDLVL and QAUDLVL2 System Values (*SECURITY *AUTFAIL *DELETE …)

OTHER TASKS
• Audit Profiles of users with Special Authorities: OBJAUD(*CHANGE) AUDLVL(*CMD *CREATE)
• Audit Sensitive Objects: OBJAUD(*NONE), OBJAUD(*ALL), OBJAUD(*USRPRF)
• Analyze the Audit Journal: DSPJRN, CPYAUDJRNE
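The steps in this overview, written out as a CL program. This is an added example, not part of the original slides: the library AUDLIB, receiver AUDRCV0001, the threshold value and the profile SECADM1 are assumptions, the QAUDLVL list uses only the three values the slide names, and the object names and entry types are the ones the deck itself uses.

```cl
/* Added example, not from the original deck. AUDLIB, AUDRCV0001,     */
/* SECADM1 and the threshold are assumed; AUDLIB must already exist.  */
PGM
  /* Steps 1-2: create the receiver and QAUDJRN only when the        */
  /* journal is absent (CPF9801 = object not found).                 */
  CHKOBJ     OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
  MONMSG     MSGID(CPF9801) EXEC(DO)
    CRTJRNRCV  JRNRCV(AUDLIB/AUDRCV0001) THRESHOLD(100000) +
                 AUT(*EXCLUDE) TEXT('Auditing journal receiver')
    CRTJRN     JRN(QSYS/QAUDJRN) JRNRCV(AUDLIB/AUDRCV0001) +
                 MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE) +
                 TEXT('Auditing journal')
  ENDDO

  /* Step 3: activate auditing with the values shown on the slide.   */
  CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

  /* Step 4: system-wide event categories (only those the slide names). */
  CHGSYSVAL  SYSVAL(QAUDLVL) VALUE('*SECURITY *AUTFAIL *DELETE')

  /* Other tasks: audit a user profile that has special authorities. */
  CHGUSRAUD  USRPRF(SECADM1) OBJAUD(*CHANGE) AUDLVL(*CMD *CREATE)

  /* Audit sensitive objects: one QSYS.LIB file and one IFS file.    */
  CHGOBJAUD  OBJ(PCIDTALIB/PCIDTA) OBJTYPE(*FILE) OBJAUD(*CHANGE)
  CHGAUD     OBJ('/PCIDTAIMG/SHADOWF/app.properties') OBJAUD(*ALL)

  /* Analyze: copy AF, CP, SV and PW entries from the current        */
  /* receiver chain into outfiles AUDLIB/QAUDITAF, QAUDITCP, ...     */
  CPYAUDJRNE ENTTYP(AF CP SV PW) OUTFILE(AUDLIB/QAUDIT) +
               JRNRCV(*CURCHAIN)
ENDPGM
```

The auditing commands and the QAUD* system values require *AUDIT special authority. CPYAUDJRNE appends the entry type to the outfile name, so each entry type lands in its own file for querying.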

IBM i Auditing Implementation Setup

IBM i User Auditing

Enabled on a per user basis:

• User auditing cannot be defined with the CRTUSRPRF or CHGUSRPRF command

• Use the CHGUSRAUD command to define user auditing

Audit Users with Special Authorities

Any user that requires special authorities should have auditing turned on for their profile and checked on a regular basis. PCI DSS regulations require it.

• PCI DSS 10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
• PCI DSS 10.2 Implement automated audit trails for all system components to reconstruct the following events:
    PCI DSS 10.2.2 All actions taken by any individual with root or administrative privileges.

IBM i User Auditing - EXAMPLE

Enabled on a per user basis or in multiples

At a minimum,

is recommended for all privileged users

IBM i Object Auditing – QSYS.LIB Objects

• Object auditing actions are defined as needed on a per object basis
• The object auditing parameter is not part of a Create command
• For objects in the QSYS.LIB file system, the following command must be used to define object auditing

CHGOBJAUD OBJ(PCIDTALIB/PCIDTA) OBJTYPE(*FILE) OBJAUD(*CHANGE)

IBM i Object Auditing – IFS Objects

Similar to enabling object auditing for QSYS.LIB objects there is also a command for turning on object auditing for objects in the Integrated File System (IFS)

CHGAUD OBJ('/PCIDTAIMG/SHADOWF/app.properties') OBJAUD(*ALL)

IBM i Object Auditing – EXAMPLE 1

IBM i Object Auditing – EXAMPLE 2

Object Auditing Tips

• If you want to record all OPENs of a physical file in Read-only or Update mode, set the object’s OBJAUD value to *ALL.
• If you want to record all OPENs of a physical file in Update mode, set the object’s OBJAUD value to *CHANGE.
• If you only want to record access by a selected group of users, set the object’s OBJAUD value to *USRPRF.
    Then set the OBJAUD parameter of the user profile to *ALL or *CHANGE.

IBM i Auditing Considerations

• Some transactions that originate from the network may not necessarily be recorded in the audit journal (ODBC, FTP)
    Objects that are being audited will have entries
    Consider use of Exit Programs to ensure auditing is being performed
• Archive information in the audit journal regularly
    30 days online (90 days if required by PCI)
    1 year offline as minimum (more if you can)
• Consider 3rd Party solutions that can provide a multitude of mechanisms to record, interrogate and monitor the audit journals.

IBM i Auditing Considerations

Review the following Journal entries as a minimum:
• Authority failures (AF)
• User Profile activities and Password changes (CP)
    Especially for QSECOFR and QSRV
    DST QSECOFR reset
• System Value changes (SV)
• Use of various Service Tools
• Invalid Passwords (PW)
    P - Invalid password attempts for powerful users
    Y – Service tools id not valid
    Z – Service tools password not valid

IBM i Auditing – Valuable Resource

The most valuable resource for setting up and analyzing the system audit journal is:

iSeries Security Reference

Version 6 Release 1

SC41-5302-10

Also…

IBM i Information Center

http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/index.jsp
