Feature Article
Forensic Analysis using QAUDJRN - CL Command Usage
By Dan Riehl
In the first article of this series dealing with forensic analysis using the QAUDJRN journal, the focus is on the forensic analysis of CL command usage. I show you how to audit and report on every CL command run by a particular user and also how to audit and report on every use of a particular CL command of interest. As examples, I examine how to audit and report on every CL command run by QSECOFR, and I show how to audit and report on every usage of the Change User Profile (CHGUSRPRF) CL command.
What Is Auditing?
When I discuss the topic of auditing, I'm referring to the IBM i auditing capability in which certain predefined activities or events cause an audit log record to be written as a formatted journal entry to the system's audit journal QAUDJRN. Auditing using QAUDJRN isn't automatically configured, so when you first start your system, you must configure the IBM i QAUDJRN auditing to meet your specific auditing requirements as defined by the system administrator, the security officer, the security policy, and your IT auditors.
Once you've configured your auditing environment, regular reporting of the QAUDJRN activities and events should be instituted to ensure adherence to policy. When audit journal entries are written to QAUDJRN, you have the sound basis needed to accurately analyze and report on current and historical events.
Even assuming a regular QAUDJRN reporting regimen, there will be occasions when you need to go back and dig out past events. These past events may have negatively affected your system, or you may simply want to check on who did what, and when. For example, you may want to determine who changed Fred's user profile to assign him *ALLOBJ and *SECADM special authority. When did it occur, and how was it accomplished?
In cases like this, you can use forensic evaluation methods to extract the relevant audit entries from QAUDJRN to determine the culprit. In recent cases, I have been asked to use the QAUDJRN forensic reporting methods to solve some interesting mysteries, such as:
- A particular user profile keeps becoming disabled. Why?
- An RPG program ran correctly on Saturday but ended abnormally on Sunday. Did someone change the program between Saturday and Sunday?
- Who changed the System Value QCRTAUT from *ALL to *CHANGE, and when did the change occur?
- How did a new file end up in a library with incorrect private authorities, when the library's CRTAUT was specified correctly?
- Who has used the UPDDTA (DFU) command, and what files were they viewing and potentially editing?
- What CL commands were run from the command line by all *ALLOBJ users?
- Who has run compiler commands (e.g., CRTRPGPGM, CRTBNDRPG, CRTCLPGM, etc.) to create new programs on the production system?
All these mysteries were successfully solved by using the forensic analysis methods for the QAUDJRN journal.
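As an added illustration of the two cases the article covers (every command run by QSECOFR, and every use of CHGUSRPRF), here is a CL sequence that turns on the relevant auditing and pulls the command (CD) entries out of QAUDJRN into a file you can query. This is example code, not from the article. It assumes QAUDJRN and its receiver already exist, that the job date format is MDY, and that the output file name AUDCD and the date range are placeholders; the CD field names used in the selection (CDUSPF, CDONAM, CDCMD) are those of the IBM model outfile QASYCDJ5 as I recall them, so confirm them with DSPFFD QSYS/QASYCDJ5 before relying on them.

```cl
/* Added example, not from the article. AUDCD and the dates are placeholders. */

/* 1. Make sure auditing is active. *AUDLVL in QAUDCTL turns on the         */
/*    QAUDLVL events; *SECURITY logs security changes such as CHGUSRPRF     */
/*    (written as CP entries), independent of per-user command auditing.     */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL')
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*SECURITY')

/* 2. Audit every CL command run by QSECOFR. Each command becomes a         */
/*    journal entry of type CD (journal code T).                             */
CHGUSRAUD USRPRF(QSECOFR) AUDLVL(*CMD)

/* 3. Build the output file from the IBM model file for type-5 CD entries,  */
/*    then extract the CD entries for the period of interest into it.       */
CRTDUPOBJ OBJ(QASYCDJ5) FROMLIB(QSYS) OBJTYPE(*FILE) +
          TOLIB(QTEMP) NEWOBJ(AUDCD)
DSPJRN JRN(QAUDJRN) +
       FROMTIME('01/01/12' '000000') TOTIME('01/31/12' '235959') +
       JRNCDE((T)) ENTTYP(CD) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AUDCD) +
       ENTDTALEN(*CALC)

/* 4a. Every command run by QSECOFR in that period                          */
/*     (CDUSPF = user profile, CDCMD = the command string as run).          */
RUNQRY QRYFILE((QTEMP/AUDCD)) QRYSLT('CDUSPF *EQ "QSECOFR"')

/* 4b. Every use of CHGUSRPRF by anyone whose commands are audited          */
/*     (CDONAM = command name). Cross-check against the CP entries from      */
/*     *SECURITY auditing, which capture profile changes even for users     */
/*     without AUDLVL(*CMD).                                                 */
RUNQRY QRYFILE((QTEMP/AUDCD)) QRYSLT('CDONAM *EQ "CHGUSRPRF"')
```

Two practical points: QAUDLVL and CHGUSRAUD settings only affect entries written after they are set, so the first extract will contain nothing for periods before auditing was on; and for the CHGUSRPRF question the CP entries (model file QASYCPJ5, ENTTYP(CP)) are the more complete record, because they are written regardless of whether the acting user has command auditing turned on.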
Read More
IBM i Security Industry News
Raz-Lee Security is offering the worldwide AS/400 community its recently-released 2012 Anti-Virus product for FREE with a permanent license. Read more about the FREE offer, and Download the software.
CCSS announces new security features available within the latest version (V7) of its real-time message monitoring and escalation solution, QMessage Monitor (QMM).
View the CCSS Video explaining the new features in V7.
IBM i Security Calendar of Events
Live Security Webcasts for IBM i
Integrating IBM i Security with Enterprise SIEM and Monitoring Solutions
Expert Webinar Series - Sponsored by Software Engineering of America, Inc
Thursday February 2 1:00 p.m. EST
More Information and Register to Attend
Coffee with Carol: Where do I Start with IBM i Security?
Featuring Carol Woodbury
Sponsored by Skyview Partners
Wednesday February 8 10:00 a.m. CST
More Information and Register to Attend
Best Practices for Security and Compliance with IBM i
Featuring Jeff Uehling of IBM and Carol Woodbury of SkyView Partners
Sponsored by IBM
Thursday February 9 2:00 p.m. EST
More Information and Register to Attend
Product Update Webcast - New Features in AP-Journal
Raz-Lee Security
Thursday February 9 10:00 a.m. EST
Send Email for More Information
Understanding Log Management on the IBM i
Sponsored by Townsend Security
Tuesday February 14 2:00 p.m. EST
More Information and Register to Attend
Addressing and Automating Audit Requirements for the IBM i
Featuring Carol Woodbury
Sponsored by Skyview Partners
Wednesday February 22 Noon CST
More Information and Register to Attend
Additional IBM i Security Related Events
March 21-22 - 27th Annual Spring Technical Conference
Wisconsin Midrange Computer Professional Association
The conference will be held at Grand Geneva in Lake Geneva, WI.
More Information and Register to Attend
April 10-13 - Live 4-Day Expanded Security Workshop for IBM i
Live Online Security Workshop from The 400 School and SecureMyi.com
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i April 10-13. Very limited seating. Register early to reserve your seat in the class.
May 6-9 - COMMON User Group - Annual Conference and Expo - Anaheim, CA
Security Shorts - The Truth About Library Authorities
By Dan Riehl
A popular misconception is that if a library is secured as *PUBLIC AUT(*USE), then this library authority provides read-only access to the files that reside in the library. Most of us who read this newsletter know that this is not true.
Here are the rules for library authorities.
*EXCLUDE Authority
If a user has *EXCLUDE authority to a library, they cannot access the library, nor can they access the objects within the library.
*USE Authority
If a user has *USE authority to a library, they can access the library, but cannot change attributes of the library, such as the library text. The user cannot add new objects to the library.
When it comes to accessing the objects within the library, the object authority is the determining factor. For example, if a user has *EXCLUDE authority to a file in the library, they cannot access the object. If a user has *USE authority to a file in the library, they have read-only access to the file. If the user has *CHANGE authority to a file, they can open the file for update and manipulate the records in the file (add, change, delete). If the user has *ALL rights to the file in the library, the user may perform all operations on the file including deleting the file. Yes, that's right. If a user has *USE authority to a library, the user can delete an object from the library if the user has *ALL authority or *OBJEXIST authority to the object.
*CHANGE Authority
If a user has *CHANGE authority to a library, they can access the library and can change some attributes of the library. Changes to some attributes require the additional *OBJMGT (Object Management) authority to the library. All of the same object rules are in effect as when the user has *USE authority to the library, but there is one big difference: a user with *CHANGE authority to a library can create new objects in the library. That is the only real difference between *USE and *CHANGE authority to a library.
*ALL Authority
If a user has *ALL authority to the library, the user can access the library, and may even be able to delete the library and all the objects within the library. However, if the user does not have *ALL authority, or a mixture of *OBJEXIST and *OBJOPR authority to the objects in the library, the user cannot delete those objects and therefore cannot delete the library. If a user has the authority to delete all the objects in the library, then the library itself can be deleted. All of the same rules apply to object access as when the user has *USE or *CHANGE rights to the library.
What about *ALLOBJ Authority?
When dealing with library and object authorities, you always have to take into account that some user profiles have *ALLOBJ special authority. When a user has *ALLOBJ special authority, there are no restrictions on accessing objects in your user libraries. A user with *ALLOBJ special authority can read, change and even delete any object in any user library on the system.
(Note: There are some objects that may not be deleted even by a user with *ALLOBJ special authority. For example, user profiles cannot be deleted by an *ALLOBJ user, unless that user also has *SECADM special authority.)
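To make the rules above concrete, here is an added CL example (not from the article) showing the weak setup the misconception produces, the corrected setup that actually gives read-only access, a check that the restriction holds, and the two reports to review afterwards. PAYLIB, PAYMAST, CLERK1 and PAYGRP are hypothetical names; everything else is standard CL.

```cl
/* Added example, not from the article. PAYLIB, PAYMAST, CLERK1, PAYGRP are hypothetical. */

/* Weak: the library is *PUBLIC *USE, but the file inside it is *PUBLIC *CHANGE.  */
/* By the rules above, any user can open PAYMAST for update and add, change or    */
/* delete records. The library authority does not make the file read-only.        */
GRTOBJAUT OBJ(PAYLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*CHANGE)

/* Corrected: read-only is decided at the object, so set it there.               */
/* Revoke first so the *PUBLIC authority is reset rather than added to.          */
RVKOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*USE)
/* Give update rights only to the group profile that needs them.                 */
GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(PAYGRP) AUT(*CHANGE)

/* Check, run from a CL program signed on as CLERK1 (not in PAYGRP):             */
/* CHKOBJ sends CPF9802 when the job is not authorized to the tested authority.  */
CHKOBJ OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) AUT(*CHANGE)
MONMSG MSGID(CPF9802) EXEC(SNDPGMMSG MSG('PAYMAST is read-only for this user'))

/* Review: who holds what on the file, and which profiles bypass all of this     */
/* because they have *ALLOBJ special authority.                                  */
DSPOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE)
PRTUSRPRF TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ)
```

If the CHKOBJ in the check completes without CPF9802, the caller can still update the file, either through a private or group authority you have not accounted for, through an authorization list, or because the profile has *ALLOBJ; the DSPOBJAUT and PRTUSRPRF output will show which.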
Sponsored Links
Expert Level Security Consulting
IT Security and Compliance Group, LLC
In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming
Live Online Hands-On Workshops
Special February-April Class Discounts
Now Accepting Credit Cards
System Operations Workshop-Feb 27-Mar 2
System Administration & Control - Mar 12-16
Interactive RPG IV Programming - Mar 26-30
Expanded Security Workshop - Apr 10-13
Control Language Programming - Apr 16-20
Intro to RPG IV Programming - Apr 30-May 4