Common Sense Security Auditing

Copyright 2006 Dan Riehl

Extending iSeries Security

PowerTech Confidential © 2006 PowerTech Group, Inc. All rights reserved.

Common Sense iSeries Security Auditing

Dan Riehl, Director of Services

The PowerTech Group, Inc. [email protected]

2006 Copyright The PowerTech Group, Inc. All rights reserved PowerTech Confidential www.powertech.com [email protected]

Auditing Capabilities

> Define i5 Security Auditing
> The Security Audit Journal
> Auditing Objects
> Auditing Users
> Reporting Tools

Security Auditing Defined

> Security Auditing is NOT!
  - Journaling database file record changes
  - Capturing before and after images of data records
  - Auditing financial records

> Security Auditing IS!
  - Recording and reporting security and other system events
    - Who changed that user profile?
    - Who deleted that logical file?
    - Who tried to access the Payroll file?
    - Who changed that system value?
    - Who deleted that spooled file?

> Uses a special journal named QAUDJRN that you can create

> All security auditing functions require *AUDIT special authority

Why collect TB of data when you cannot tell WHO did what?

No Shared Profiles!

Security Auditing Three-Step

1. Create a journal receiver

2. Create the Journal QAUDJRN in library QSYS and attach the receiver

3. Set the system values QAUDCTL, QAUDLVL and QAUDLVL2 (V5R3) to the desired amount of auditing.

As with other journals, you must manage the receivers

Or use the Auditing One-Step!

CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) +
          QAUDLVL(*AUTFAIL *SECURITY *SERVICE *DELETE *OBJMGT *PGMFAIL) +
          JRNRCV(audlib/AUDRCV0001)

This creates the journal and the journal receiver and sets the system values.

Setting the QAUDCTL System Value

> QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) Recommended

QAUDCTL is the controller of what events you want to collect

> *NONE – No Auditing will take place on this system

> *AUDLVL – Enable auditing for the events identified in the QAUDLVL and QAUDLVL2 System values

> *OBJAUD – Enable Object auditing, if you decide to audit any objects.

> *NOQTEMP – Do not record events that occur within a job’s QTEMP Library.

(Slide callouts beside the four values: *NONE = NO Auditing; *AUDLVL = Auditing; *OBJAUD = Auditing; *NOQTEMP = Optional, IF Auditing.)

Setting the QAUDLVL and QAUDLVL2 System Values

QAUDLVL determines the nature of the events that are audited

QAUDLVL(*AUTFAIL *SECURITY *SERVICE *CREATE + *DELETE *OBJMGT *SAVRST *PGMFAIL)

> QAUDCTL system value must contain *AUDLVL

> *NONE means system-wide auditing isn’t done, but auditing is performed for users who have a value other than *NONE specified in the AUDLVL parameter of their user profiles via CHGUSRAUD

> *AUDLVL2 means that you will specify some additional audit level values in the QAUDLVL2 system value.

> *AUTFAIL means unsuccessful log-on attempts and unauthorized attempts to use sensitive objects are audited. These include rejected connection attempts, invalid network sign-on attempts, and attempts to perform an operation or access an object to which the user isn’t authorized.

> *CREATE means the creation of new objects or objects that replace existing objects is audited.

Setting the QAUDLVL and QAUDLVL2 System Values

> *DELETE means the deletion of objects is audited.

> *JOBDTA means start, change, hold, release, and end job operations are audited. This includes server sessions and remote connection jobs.

> *NETCMN means violations detected by the APPN Filter support are audited. (New breakouts and selections in V5R3.)

> *OBJMGT means object rename and move operations are audited.

> *OFCSRV means OfficeVision for OS/400 tasks (e.g., changing the system distribution directory, opening a mail log) are audited.

> *OPTICAL means that usage of optical volumes is logged

> *PGMADP means the starts and ends of programs that adopt authority will generate an audit entry.

Setting the QAUDLVL and QAUDLVL2 System Values

> *PGMFAIL means programs that run a restricted machine interface instruction or access objects via an unsupported interface are audited.

> *PRTDTA means printing job output is audited whether the output is sent directly to a printer, sent to a remote system, or spooled and printed on a local machine.

> *SAVRST means save and restore operations are audited.

> *SECURITY means a wide range of security-related activities are audited (new breakouts and selections in V5R3), including:
  - changing an object’s audit value or a user’s audit setting
  - changing an authorization list or an object’s authority
  - changing an object’s ownership
  - creating, restoring, or changing a user profile
  - requests to reset the DST QSECOFR password
  - generating a profile handle through the QSYGETPH API
  - changing a network attribute, system value, or service attribute

Setting the QAUDLVL and QAUDLVL2 System Values

> *SERVICE means use of the System Service Tools is audited.

> *SPLFDTA means creating, changing, holding, and releasing spooled files is audited. An audit journal entry will also be written when someone other than the owner of a spooled file views it.

> *SYSMGT means changing backup options, automatic cleanup options, and power on/off schedules using Operational Assistant is audited. Changing the system reply list and access path recovery times is also audited.

Additional Auditing System Values

> QAUDFRCLVL – How many audit records are cached before being written to disk?
  - For most of us, we use the default for performance
    - *SYS – Let the system decide
  - For highly secure requirements
    - 1 – Write each audit record as created

> QAUDENDACN – What happens if the system cannot write an audit record to the journal?
  - For most of us, we use the default
    - *NOTIFY – Send a message
  - For highly secure requirements
    - *PWRDWNSYS – Ouch !! PWRDWNSYS *IMMED

Auditing Sensitive Objects

> QAUDCTL system value must include the value *OBJAUD

> Specify auditing of objects with the CHGOBJAUD, CHGDLOAUD, CHGAUD commands

> Entries are written to the system auditing journal QAUDJRN

CHGOBJAUD OBJ(libname/objname) OBJTYPE(objtype) OBJAUD(*ALL)
  > Read and update operations to the object are audited.

CHGOBJAUD OBJ(libname/objname) OBJTYPE(objtype) OBJAUD(*CHANGE)
  > Update operations to the object are audited.

CHGOBJAUD OBJ(libname/objname) OBJTYPE(objtype) OBJAUD(*NONE)
  > No auditing is done for this object under any circumstances.

Auditing Sensitive Objects

> Object Auditing based upon the user

> Audit only if the user accessing the object has a value of *ALL or *CHANGE specified on their user profile’s OBJAUD value.

CHGUSRAUD USRPRF(DAN) OBJAUD(*CHANGE)

CHGOBJAUD OBJ(libname/objname) OBJTYPE(objtype) OBJAUD(*USRPRF)

Using CHGOBJAUD … OBJAUD(*NONE)

(Diagram: the PATIENT FILE with OBJAUD(*NONE) receiving four opens: OPEN READ, OPEN UPDATE, OPEN UPDATE, OPEN READ. With *NONE, none of the opens is audited.)

Using CHGOBJAUD … OBJAUD(*ALL)

(Diagram: the PATIENT FILE with OBJAUD(*ALL) receiving the same four opens: OPEN READ, OPEN UPDATE, OPEN UPDATE, OPEN READ. With *ALL, every open, read or update, is audited.)

Using CHGOBJAUD … OBJAUD(*CHANGE)

(Diagram: the PATIENT FILE with OBJAUD(*CHANGE) receiving the same four opens: OPEN READ, OPEN UPDATE, OPEN UPDATE, OPEN READ. With *CHANGE, only the two OPEN UPDATE operations are audited; the reads are not.)

OBJAUD(*USRPRF): we’ll see

What can be Audited for Objects?

> Security Reference Guide… Appendix E

> Operations Common to All Object Types:
  - Read operation
    - CRTDUPOBJ Create Duplicate Object (with caveats)
    - DMPOBJ Dump Object
    - DMPSYSOBJ Dump System Object
    - SAVxxx commands

What can be Audited for Objects?

> Operations Common to All Object Types:
  - Change operation
    - APYJRNCHG Apply Journaled Changes
    - CHGJRNOBJ Change Journaled Object
    - CHGOBJD Change Object Description
    - CHGOBJOWN Change Object Owner
    - CRTxxxxxx Create object (with caveats)
    - DLTxxxxxx Delete object (with caveats)
    - ENDJRNxxx End Journaling
    - GRTOBJAUT Grant Object Authority
    - Many more…

What can be Audited for Objects?

> Operations for Command (*CMD):
  - Read operation
    - Run: when the command is run (creates a CD audit entry)
  - Change operation
    - CHGCMD Change Command
    - CHGCMDDFT Change Command Default

What can be Audited for Objects?

> Operations for File (*FILE): (PF-DTA and LF)
  - Read operation
    - CPYF Copy File
    - Open: open of a file for read
    - DSPPFM Display Physical File Member
    - CRTPF Create Physical File
    - CRTLF Create Logical File

NOTE: You DO NOT get any audit trail of record level activity.

What can be Audited for Objects?

> Operations for File (*FILE): (PF-DTA and LF)
  - Change operation
    - Open: open a file for modification
    - ADDLFM Add Logical File Member
    - ADDPFCST Add Physical File Constraint
    - ADDPFM Add Physical File Member
    - ADDPFTRG Add Physical File Trigger
    - ADDPFVLM Add Physical File Variable Length Member
    - APYJRNCHGX Apply Journal Changes Extend
    - CHGDDMF Change DDM File
    - CHGLF Change Logical File
    - CHGLFM Change Logical File Member
    - CHGPF Change Physical File
    - Object auditing change to the object
    - CHGPFCST Change Physical File Constraint
    - CHGPFM Change Physical File Member
    - CLRPFM Clear Physical File Member
    - CPYF Copy File (opens the file for modification, such as adding records, clearing a member, or saving a member)
    - INZPFM Initialize Physical File Member
    - RGZPFM Reorganize Physical File Member
    - RMVM Remove Member
    - RMVPFCST Remove Physical File Constraint
    - RMVPFTRG Remove Physical File Trigger
    - RNMM Rename Member

Specifying Auditing for New Objects Created

> System Value QCRTOBJAUD – Controls auditing of new objects
  - None (*NONE): new objects are set to not audit.
  - User settings (*USRPRF): new objects are set to *USRPRF for object auditing
  - Changes to objects (*CHANGE): new objects are set to *CHANGE for object auditing
  - All access of objects (*ALL): new objects are set to *ALL for object auditing
  - BUT…. Look at the library level value for QCRTOBJAUD.
  - CRTLIB/CHGLIB LIB(DANLIB) CRTOBJAUD(*SYSVAL) is the default
  - If auditing, change the library or file level auditing, not the system value

Auditing Users

> Individual user profiles can be audited
  - Powerful profiles QSECOFR, ZSECOFR, MYADMIN
  - Troublesome users
  - Problems have occurred

> QAUDCTL system value must include the value *OBJAUD or *AUDLVL

> CHGUSRAUD command starts/stops auditing a User
> Entries are written to the auditing journal QAUDJRN

> User’s AUDLVL can contain *CMD to record all commands run by the user

CHGUSRAUD USRPRF(QSECOFR) OBJAUD(*CHANGE) AUDLVL(*CREATE *CMD)

(Slide callouts on the command: OBJAUD takes *NONE, *ALL or *CHANGE; AUDLVL is a complement of the system level QAUDLVL.)

Using CHGOBJAUD … OBJAUD(*USRPRF)

The User Profile’s OBJAUD value is ONLY evaluated if the Object’s OBJAUD value is set to *USRPRF

(Diagram: the PATIENT FILE with OBJAUD(*USRPRF) receiving four opens, OPEN READ, OPEN UPDATE, OPEN READ, OPEN UPDATE, from users whose own profile OBJAUD values are *ALL, *ALL, *CHANGE and *NONE. Each open is audited according to the user’s value: *ALL audits reads and updates, *CHANGE audits updates only, *NONE audits nothing.)

Object auditing Lessons

> If you want to record all OPEN’s (Read-only or update mode) to a sensitive file, set the object’s OBJAUD value to *ALL.

> If you want to record all OPEN’s in update mode, set the object’s OBJAUD value to *CHANGE.

> If you only want to record access by a selected group of users, set the object’s OBJAUD value to *USRPRF
  - And set the user profile OBJAUD value to *ALL or *CHANGE
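The decision rules behind the PATIENT FILE diagrams and the lessons above, worked as an added Python model. This is not code from the deck, from PowerTech or from IBM; it encodes what the slides state and goes a little beyond them by also applying the QAUDCTL gates from the earlier slide (*OBJAUD must be present, *NOQTEMP suppresses events in QTEMP) and the QCRTOBJAUD / library CRTOBJAUD inheritance for new objects. The function names, the library name PRODLIB and the sample opens are constructed for illustration.

```python
"""Model of i5/OS object-auditing decisions as described in the deck.

Added example, not PowerTech's or IBM's code. Rules encoded, all from the
slides: QAUDCTL must contain *OBJAUD for any object auditing; *NOQTEMP
suppresses events in a job's QTEMP library; an object's OBJAUD of
*NONE/*ALL/*CHANGE applies to everyone, while *USRPRF defers to the user
profile's OBJAUD, which is consulted only in that case. Function names,
PRODLIB and the sample opens are constructed for illustration.
"""

OBJECT_OBJAUD_VALUES = {"*NONE", "*ALL", "*CHANGE", "*USRPRF"}
USER_OBJAUD_VALUES = {"*NONE", "*ALL", "*CHANGE"}


def effective_objaud(object_objaud, user_objaud):
    """Resolve the auditing level that applies to one access.

    The user profile's OBJAUD is evaluated only when the object says *USRPRF.
    """
    if object_objaud not in OBJECT_OBJAUD_VALUES:
        raise ValueError(f"bad object OBJAUD {object_objaud!r}")
    if object_objaud != "*USRPRF":
        return object_objaud
    if user_objaud not in USER_OBJAUD_VALUES:
        raise ValueError(f"bad user OBJAUD {user_objaud!r}")
    return user_objaud


def open_is_audited(qaudctl, library, object_objaud, user_objaud, open_mode):
    """Return True if an OPEN of the object writes a ZR/ZC entry to QAUDJRN.

    qaudctl is the set of QAUDCTL values; open_mode is "READ" or "UPDATE".
    """
    if open_mode not in ("READ", "UPDATE"):
        raise ValueError(f"bad open mode {open_mode!r}")
    # Object auditing is off system-wide unless QAUDCTL contains *OBJAUD.
    if "*OBJAUD" not in qaudctl:
        return False
    # *NOQTEMP: events inside the job's QTEMP library are not recorded.
    if "*NOQTEMP" in qaudctl and library.upper() == "QTEMP":
        return False
    level = effective_objaud(object_objaud, user_objaud)
    if level == "*ALL":
        return True                    # read and update opens (ZR and ZC)
    if level == "*CHANGE":
        return open_mode == "UPDATE"   # update opens only (ZC)
    return False                       # *NONE


def new_object_objaud(library_crtobjaud, qcrtobjaud):
    """OBJAUD a newly created object receives: the library's CRTOBJAUD value,
    or the QCRTOBJAUD system value when the library says *SYSVAL (the
    CRTLIB default)."""
    if library_crtobjaud == "*SYSVAL":
        return qcrtobjaud
    return library_crtobjaud


# Constructed sample: the deck's PATIENT file receiving four opens by users
# whose own profile OBJAUD values differ, as in the *USRPRF diagram.
QAUDCTL = {"*AUDLVL", "*OBJAUD", "*NOQTEMP"}
SAMPLE_OPENS = [
    ("READ", "*ALL"),
    ("UPDATE", "*ALL"),
    ("READ", "*CHANGE"),
    ("UPDATE", "*NONE"),
]


def audited_sample_opens(object_objaud="*USRPRF"):
    """Which of the sample opens produce an audit entry for a given object OBJAUD."""
    return [
        open_is_audited(QAUDCTL, "PRODLIB", object_objaud, user_objaud, mode)
        for mode, user_objaud in SAMPLE_OPENS
    ]


if __name__ == "__main__":
    for setting in ("*NONE", "*ALL", "*CHANGE", "*USRPRF"):
        print(setting, audited_sample_opens(setting))
```

Running it prints one line per object setting: *NONE audits nothing, *ALL audits all four opens, *CHANGE audits only the two updates, and *USRPRF audits only the opens by the users whose own OBJAUD is *ALL, which is exactly the sequence of the four diagram slides.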

i5/OS Audit Reporting Tools (From V5R3 Security Reference)

> Once you have set up the security auditing function, you can use several different methods to analyze the events that are logged:
  - Viewing selected entries at your workstation using the DSPJRN command
  - Using a query tool with DSPJRN OUTPUT(*OUTFILE)
  - Program to analyze entries – grow your own or get a package
  - Using the Display Audit Journal Entries (DSPAUDJRNE) command
    - Note: IBM has stopped providing enhancements for the DSPAUDJRNE command. The command does not support all security audit record types, and the command does not list all the fields for the records it does support.

Journal Entry Types

Figure 3 from IBM’s iSeries Security Reference, IBM Pub# SC41-5302-06

Type  Description
AD    Auditing changes
AF    Authority failure
AP    Obtaining adopted authority
AU    Attribute changes
CA    Authority changes
CD    Command string audit
CO    Create object
CP    User profile changed, created, or restored
DO    Delete object
DS    DST security password reset
JD    Change to user parameter of a job description
JS    Actions that affect jobs
NA    Network attribute changed
OM    Object move or rename
OR    Object restore
OW    Object ownership changed
PA    Program changed to adopt authority
PO    Printed output
PS    Profile swap
PW    Invalid password
SE    Subsystem routing entry changed
SF    Actions to spooled files
SM    System management changes
ST    Use of service tools
SV    System value changed
VL    Account limit exceeded
VP    Network password error
YC    DLO object accessed (change)
YR    DLO object accessed (read)
ZC    Object accessed (change)
ZR    Object accessed (read)

Questions?

Any Questions?