SecureMyi.com Security and Systems Management Newsletter for the IBM i             December 10, 2014 - Vol 4, Issue 20

The SecureMyi Newsletter will be taking a Holiday and Will Return January 7, 2015.

Have a Blessed Holiday Season! See you Next Year!




Feature Article

Auditing Your Exit Point Security with QAUDJRN for IBM i

By Dan Riehl - SecureMyi.com

I have heard these and similar questions often: "Who removed my exit program?" or "Where did my FTP and Create User Profile registered Exit Programs go?" Perhaps a more interesting question might be "How did that Exit Program get Registered in the first place?"

If you have created the QAUDJRN journal and have set the associated system values (QAUDCTL and QAUDLVL) correctly, you have an audit trail of all changes that have been made to the Exit Point Registry. There are two auditing methods you can use to collect information about Exit Point Registry changes: Object auditing and Event auditing. When dealing with the Exit Point Registry, I think you will find that Event auditing may be a better choice for you. But I'll present both methods and you can choose which one you like. You may prefer to use both, which is what I actually recommend.

Auditing the Object

The Exit Point Registry is stored in the object QUSEXRGOBJ in library QUSRSYS. The object type is *EXITRG.

To start auditing the Exit Point Registry object, you first need to ensure that the QAUDCTL system value includes the value *OBJAUD. This allows you to begin auditing access to objects. Once this is done, you can start auditing changes to the registry object using the following command.

CHGOBJAUD OBJ(QUSRSYS/QUSEXRGOBJ) OBJTYPE(*EXITRG) OBJAUD(*CHANGE)

Now, whenever a change is made to the registry, a ZC (Object Accessed for Change) journal entry is written to the QAUDJRN journal, indicating that the QUSEXRGOBJ object was accessed in Update mode, and/or was changed. The ZC journal entry also records the Job User, Current User, Job Name, the Program that made the change, the timestamp of the entry, etc.

The operations that can be audited for the Exit Point Registry QUSEXRGOBJ object are:

  • ADDEXITPGM --- Add Exit Program CL Command
  • QUSADDEP --- Add Exit Program API
  • QusAddExitProgram --- Add Exit Program API
  • QUSDRGPT --- Unregister Exit Point API
  • QusDeregisterExitPoint --- Unregister Exit Point API
  • QUSRGPT --- Register Exit Point API
  • QusRegisterExitPoint --- Register Exit Point API
  • QUSRMVEP --- Remove Exit Program API
  • QusRemoveExitProgram --- Remove Exit Program API
  • RMVEXITPGM --- Remove Exit Program CL Command
  • WRKREGINF --- Work with Registration Information CL Command

To review all ZC entries, you can use your favorite QAUDJRN reporting software. In V5R4 IBM provided the command CPYAUDJRNE (Copy Audit Journal Entries), which is a very nice command to extract information from QAUDJRN. Here's the command you can use to extract the ZC (Object Accessed for Change) entries into a formatted output file.

CPYAUDJRNE ENTTYP(ZC) OUTFILE(MYLIB/QAUDIT)


On a Related Topic, See The "Security Shorts" Section of the Newsletter
"Tracking Changes to the Job Scheduler - WRKJOBSCDE"


Security news and Events


Security Related News for IBM i

Skyview Partners Announce "Deep Dive" Security Training for IBM i - Las Vegas, NV
Skyview Partners announces its Annual "Deep Dive" Security Training for 2015.
Skyview's own Carol Woodbury will be presenting this "Deep Dive" into IBM i Security. The Two-Day Training Event will be held in Las Vegas, NV on January 27 and 28th.



Live Security Related Webcasts and Training for IBM i

January Events

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - January 12-16 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.

Live Hands-On - IBM i, iSeries Expanded Security Workshop for IBM i, iSeries & AS/400
with Dan Riehl

Training Workshop - January 20-23 - Presented by The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.

"Deep Dive" Security Training - Las Vegas NV
with Carol Woodbury

Live Two-Day Training Event - Presented by Skyview Partners
Location: The Mandarin Oriental Hotel in Las Vegas, NV
Dates: January 27 and 28.

February Events

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - February 23-27 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.






Security Shorts

Tracking Changes to the Job Scheduler - WRKJOBSCDE

By Dan Riehl - SecureMyi.com

Recently I received an urgent call from a customer. Someone had added an entry to the IBM i job scheduler (WRKJOBSCDE) that caused all user profiles to be *DISABLED after ONE day of inactivity. Obviously, several user profiles became disabled.

The job schedule entry for this activity is named QSECIDL1, and is added to the job schedule when the command ANZPRFACT (Analyze Profile Activity) is run. This option is available from the SECTOOLS menu. It should be noted that several of the SECTOOLS menu options update entries on the job schedule.

The IBM i job scheduler is implemented as an object named QDFTJOBSCD. The object type is *JOBSCD. The *JOBSCD object type has limited interfaces and does not store the actual schedule in a database file. So, to track changes to the Job Scheduler, you cannot monitor a database file; instead, you can audit for update access to the job schedule object using the command:

CHGOBJAUD OBJ(QUSRSYS/QDFTJOBSCD) OBJTYPE(*JOBSCD) OBJAUD(*CHANGE)

When this command is used, any update access to the job schedule will generate a journal entry in the QAUDJRN journal. The journal entry type is ZC (Object opened for change).

In addition to auditing the job schedule object, you will also want to start auditing the Control Language commands that are used to manipulate the job schedule.

CHGOBJAUD OBJ(QSYS/ADDJOBSCDE) OBJTYPE(*CMD) OBJAUD(*ALL)

CHGOBJAUD OBJ(QSYS/CHGJOBSCDE) OBJTYPE(*CMD) OBJAUD(*ALL)

CHGOBJAUD OBJ(QSYS/RMVJOBSCDE) OBJTYPE(*CMD) OBJAUD(*ALL)

And start auditing specific CL commands that update the schedule, like:

CHGOBJAUD OBJ(QSYS/ANZPRFACT) OBJTYPE(*CMD) OBJAUD(*ALL)

When any of these commands is used, a journal entry is written to QAUDJRN. In this case the journal entry type is CD (Command string audit).
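
The review step that both articles lead up to, as an added example that is not from the newsletter: once ZC and CD entries have been extracted, pair each change to the exit point registry or job schedule object with the audited command strings the same job logged just before it. The row layout, the sample entries and the 60-second window are assumptions constructed for this example; they are not the CPYAUDJRNE output file format.

```python
from datetime import datetime, timedelta

# Objects and CL commands the two articles place under object auditing.
WATCHED_OBJECTS = {
    ("QUSRSYS", "QUSEXRGOBJ", "*EXITRG"): "exit point registry",
    ("QUSRSYS", "QDFTJOBSCD", "*JOBSCD"): "job scheduler",
}
WATCHED_COMMANDS = {"ADDJOBSCDE", "CHGJOBSCDE", "RMVJOBSCDE", "ANZPRFACT"}
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample entries. The field names are this example's own
# assumption, not the layout of the CPYAUDJRNE output file.
FIELDS = ("type", "time", "job", "user", "lib", "obj", "objtype", "cmd")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("CD", "2014-12-01 09:14:58", "123456/JSMITH/QPADEV0003", "JSMITH",
     "QSYS", "ANZPRFACT", "*CMD", "ANZPRFACT INACDAYS(1)"),
    ("ZC", "2014-12-01 09:14:59", "123456/JSMITH/QPADEV0003", "JSMITH",
     "QUSRSYS", "QDFTJOBSCD", "*JOBSCD", ""),
    ("ZC", "2014-12-01 10:02:11", "123460/OPER1/QPADEV0007", "OPER1",
     "QUSRSYS", "QUSEXRGOBJ", "*EXITRG", ""),
    ("ZC", "2014-12-01 10:05:00", "123461/APPUSR/NIGHTLY", "APPUSR",
     "APPLIB", "ORDERS", "*FILE", ""),
]]

def triage(rows, window=timedelta(seconds=60)):
    """One finding per ZC change to a watched object, with the audited
    command strings the same job logged within `window` before it."""
    parsed = [dict(r, ts=datetime.strptime(r["time"], FMT)) for r in rows]
    cmds = [r for r in parsed if r["type"] == "CD"
            and r["objtype"] == "*CMD" and r["obj"] in WATCHED_COMMANDS]
    findings = []
    for r in parsed:
        target = WATCHED_OBJECTS.get((r["lib"], r["obj"], r["objtype"]))
        if r["type"] != "ZC" or target is None:
            continue
        related = [c["cmd"] for c in cmds if c["job"] == r["job"]
                   and timedelta(0) <= r["ts"] - c["ts"] <= window]
        # An empty list means no audited command explains the change,
        # e.g. it came through an API or a command not being audited.
        findings.append({"target": target, "time": r["time"],
                         "user": r["user"], "job": r["job"],
                         "commands": related})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with an empty `commands` list is the one to chase first: the object changed, but none of the audited commands accounts for it.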


Copyright 2014 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017