SecureMyi.com Security and Systems Management Newsletter for the IBM i
February 27, 2013 - Vol 3, Issue 24
Feature Article
By Dan Riehl

The numerous System Values on the IBM i are the main controlling system settings that determine how your system operates. For example, the System Value QCRTAUT determines the default *PUBLIC authority for newly created objects. The System Value QALWOBJRST determines whether there are restrictions on the programs and service programs that can be restored onto the system. The System Values QTIME and QDATE store the current system time and date, respectively.

When you aren't the only one at your company with security officer privileges or other high levels of authority, any of those other powerful users can change the settings stored in these System Values. In one "real life" example, an unwise change to the QCRTAUT System Value caused the system to assign incorrect *PUBLIC authority to newly created objects, leaving them open to abuse.

To protect the high-impact, security-related System Values, IBM provides a Lock/Unlock mechanism in System Service Tools (STRSST). The lock covers only the security-related System Values; it does not, for example, lock QTIME or QDATE. Because the lock can only be changed from within SST, it is only as strong as your control over the Service Tools User IDs that can reach it.

To access the Lock/Unlock setting, a user must have *SERVICE special authority and a powerful Service Tools User ID and password. Service Tools User IDs and passwords are not the same as operating system user profiles and passwords. They are special Service Tools User IDs, such as 11111111, 22222222 and, yes, QSECOFR. The Service Tools user QSECOFR is a different user from the operating system's QSECOFR user profile, typically with a different, and case sensitive, password.

To access the System Values Lock/Unlock function, enter the Start System Service Tools (STRSST) command and, when prompted, enter QSECOFR as the User ID and supply the QSECOFR SST password. You are then presented with the System Service Tools menu. (Note: If you have created other Service Tools User IDs with privileges similar to QSECOFR, you can log in to Service Tools with one of those instead.)

This article further explains the pros and cons of setting the security System Value lock in SST. I highly encourage you to set the lock!
IBM i Security Resources
- John Earl Memorial Tribute - Jan 2013
- IBM i Security Videos from SecureMyi.com
- SecureMyi Newsletter Home and Archives
- Search Security Site for IBM i and i5/OS
- IBM i Security Reference - IBM i 6.1
- IBM i Security Reference - IBM i 7.1
- QAUDJRN Audit Types By AUDLVL 6.1
- QAUDJRN Entry Type Record Layout 6.1
- RedBook - Security Guide for IBM i 6.1
- PCI SSC Data Security Standards
IBM i Security and Systems Management News Bytes

Bytware Introduces Messenger 8
Bytware, a division of Help/Systems, has announced a new version of its IBM i message monitoring tool, Messenger 8. This latest update adds ease-of-use enhancements in the areas of job management and compliance reporting. These enhancements help users more easily identify jobs running on their systems that are critical to business operations. By facilitating fine-tuned searches, helping IT staff collaborate on incident response, and enhancing the built-in capabilities of IBM i, Messenger 8 brings message monitoring in line with the latest approaches to server management. See more about the new version from Bytware.

New Cilasoft Product Releases May Change the Way You Secure Your IBM i
Cilasoft Security Solutions announced the release of a new version of its CONTROLER security software for IBM i that makes use of several new and updated IBM i exit points, including the newly enhanced Open Database File exit point and the new 7.1 socket exit points. CONTROLER has traditionally monitored, logged and controlled numerous IBM i exit points, including network exit points, CL command exits for CL command control, and STRSQL, RUNQTU, SQL Exec and ODBC/JDBC execution. The addition to CONTROLER of the new and updated exit points in IBM i 7.1 presents an impressive suite. Read the Cilasoft Press Release.

IBM i Security Calendar of Events
Security Shorts
By Dan Riehl

I have heard the question many times: "Who removed my exit program?" Or, "Where did my FTP and Create User Profile registered exit programs go?" Perhaps a more interesting question is "How did that exit program get there?"

If you have created the QAUDJRN journal and have set the associated System Values (QAUDCTL, QAUDLVL, QAUDLVL2) correctly, you have an audit trail of all changes that have been made to your exit point registry. There are two auditing methods you can use to collect information about Exit Point Registry changes: Object auditing and Event auditing. When dealing with the exit point registry, I think you will find Event auditing the easier choice, but I'll present both methods and you can choose which one you like. You may prefer to use both, which is what I use and recommend.

Auditing the Exit Point Registry Object

The Exit Point Registry is stored in the object QUSEXRGOBJ in library QUSRSYS. The object type is *EXITRG. To start auditing the Exit Point Registry object, first ensure that the QAUDCTL system value includes the value *OBJAUD, which enables auditing of access to individual objects. Once this is done, start auditing changes to the registry object with the following command (it requires *AUDIT special authority):

CHGOBJAUD OBJ(QUSRSYS/QUSEXRGOBJ) OBJTYPE(*EXITRG) OBJAUD(*CHANGE)

Now, whenever a change is made to the registry, a ZC (Object Accessed for Change) journal entry is written to the QAUDJRN journal, indicating that the QUSEXRGOBJ object was accessed in update mode and/or was changed. Additional information in the ZC journal entry includes the Job User, Current User, Job Name, the program that made the change, the timestamp of the entry, etc. Note that a ZC entry tells you the registry was changed, not which exit point or exit program was affected; for that you need the GR entries described under Event auditing below.

The operations that can be audited for the QUSEXRGOBJ object are:

ADDEXITPGM               Add Exit Program CL Command
QUSADDEP                 Add Exit Program API
QusAddExitProgram        Add Exit Program API
QUSDRGPT                 Unregister Exit Point API
QusDeregisterExitPoint   Unregister Exit Point API
QUSRGPT                  Register Exit Point API
QusRegisterExitPoint     Register Exit Point API
QUSRMVEP                 Remove Exit Program API
QusRemoveExitProgram     Remove Exit Program API
RMVEXITPGM               Remove Exit Program CL Command
WRKREGINF                Work with Registration Information CL Command

To review all ZC entries, you can use your favorite QAUDJRN reporting software. In V5R4, IBM provided the Copy Audit Journal Entries (CPYAUDJRNE) command, which is a very nice command for extracting information from QAUDJRN. Here's the command to extract the ZC (Object Accessed for Change) entries into a formatted output file:

CPYAUDJRNE ENTTYP(ZC) OUTFILE(MYLIB/QAUDIT)

This creates a file QAUDITZC in library MYLIB (the entry type is appended to the file name you supply). The columns in the output file are specific to the ZC journal entry type. To list the ZC entries, use the command:

RUNQRY *N MYLIB/QAUDITZC

If you are auditing numerous objects on your system, you will need to select only the records where the object name is QUSEXRGOBJ and the library is QUSRSYS.

Auditing the Event of a Change to the Exit Point Registry

To audit security configuration events, like a change to the exit point registry, set the System Value QAUDCTL to include the value *AUDLVL, and include the value *SECCFG or *SECURITY in the QAUDLVL or QAUDLVL2 system value. Once this is done, whenever someone or some process manipulates the Exit Point Registry, a journal entry is written to the QAUDJRN journal. The journal entry type for this access is GR (Generic Record). As of IBM i 6.1, all GR entries are related to the Exit Point Registry. You can review the GR entries just like the ZC entries. Here's the command to extract the GR entries into a formatted output file:

CPYAUDJRNE ENTTYP(GR) OUTFILE(MYLIB/QAUDIT)

This creates a file QAUDITGR in library MYLIB. The columns in the output file are specific to the GR journal entry type. To list the GR entries, use the command:

RUNQRY *N MYLIB/QAUDITGR

The information provided includes what function was performed, Job User, Current User, Job Name, the program used, the timestamp, etc.

One caveat applies to both methods: object auditing on QUSEXRGOBJ can be switched off by anyone with *AUDIT special authority, and that change is itself recorded as an AD (Auditing Changes) entry when *SECCFG or *SECURITY is in effect. Reviewing the AD entries for the registry object alongside the ZC and GR entries closes that gap, and is one more reason to run both methods rather than one.

The SecureMyi Newsletter always provides a link to the QAUDJRN Journal Entry Record Layouts in the Security Resources section. For your convenience, the QAUDJRN Journal Entry Record Layouts for 6.1 are also here.
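The review step that follows the two CPYAUDJRNE extractions above is where the ZC, GR and AD entries get tied together: which job touched the registry, which exit point and exit program it affected, and whether auditing was tampered with first. The script below is an added example, not code from this article or from SecureMyi.com. It assumes the extracted rows have been read back as one dict per row (for instance over ODBC from the QAUDITZC, QAUDITGR and QAUDITAD output files); the field names it uses are a simplified, assumed layout rather than the column names of the QASYZCJ5/QASYGRJ5/QASYADJ5 model outfiles, the single-letter GR action codes are assumed, and the sample rows are constructed, not real audit data.

```python
"""Triage exported QAUDJRN entries for Exit Point Registry tampering.

Added example, not code from the SecureMyi article. Assumes ZC, GR and AD
entries were extracted with CPYAUDJRNE and read back as one dict per row.
The field names below are a simplified, ASSUMED layout, not the columns of
the QASYZCJ5/QASYGRJ5/QASYADJ5 model outfiles; map your real columns onto
them before use. The GR action codes (A = add, D = remove) are also assumed.
"""
from collections import defaultdict

REGISTRY_OBJECT = ("QUSEXRGOBJ", "QUSRSYS", "*EXITRG")


def _row(entry_type, ts, job, user, nbr, cur_user, pgm, **extra):
    """Build a constructed sample row in the assumed simplified layout."""
    row = {"entry_type": entry_type, "timestamp": ts, "job_name": job,
           "job_user": user, "job_number": nbr, "current_user": cur_user,
           "program": pgm}
    row.update(extra)
    return row


# Constructed sample data (not real audit data). QIBM_QTMF_SERVER_REQ is the
# FTP server request validation exit point; QIBM_QSY_CRT_PROFILE is the
# Create User Profile exit point.
SAMPLE_ROWS = [
    # Job 1: object auditing (ZC) and event auditing (GR) both fire.
    _row("ZC", "2013-02-20-09.15.01", "QPADEV0001", "JSMITH", "123456", "JSMITH", "QCMD",
         object_name="QUSEXRGOBJ", object_library="QUSRSYS", object_type="*EXITRG"),
    _row("GR", "2013-02-20-09.15.01", "QPADEV0001", "JSMITH", "123456", "JSMITH", "QCMD",
         action="D", exit_point="QIBM_QTMF_SERVER_REQ", exit_program="SECLIB/FTPEXIT"),
    # Job 2: auditing on the registry object is changed (AD), then an exit
    # program is added. No ZC follows because object auditing was turned off.
    _row("AD", "2013-02-20-10.02.10", "QPADEV0002", "BOB", "123789", "BOB", "QCMD",
         object_name="QUSEXRGOBJ", object_library="QUSRSYS", object_type="*EXITRG"),
    _row("GR", "2013-02-20-10.02.30", "QPADEV0002", "BOB", "123789", "BOB", "QCMD",
         action="A", exit_point="QIBM_QSY_CRT_PROFILE", exit_program="BADLIB/SNIFFER"),
    # Job 3: the registry object is opened for change under adopted authority
    # (current user differs from job user), with no GR event in the job.
    _row("ZC", "2013-02-20-11.45.00", "NIGHTBATCH", "OPER", "123999", "QSECOFR", "MYPGM",
         object_name="QUSEXRGOBJ", object_library="QUSRSYS", object_type="*EXITRG"),
    # Noise: a ZC on an unrelated audited object, which must be ignored.
    _row("ZC", "2013-02-20-11.46.00", "QPADEV0003", "ANNE", "124000", "ANNE", "QCMD",
         object_name="CUSTMAST", object_library="PRODLIB", object_type="*FILE"),
]


def job_key(row):
    """A job is identified by name/user/number; rows sharing the key belong together."""
    return (row["job_name"], row["job_user"], row["job_number"])


def is_registry_object(row):
    return (row.get("object_name"), row.get("object_library"),
            row.get("object_type")) == REGISTRY_OBJECT


def triage(rows):
    """Correlate ZC, GR and AD entries per job and return findings sorted by time.

    Kinds: 'exit-program-changed' (a GR event; high severity if the same job
    also changed auditing on the registry, 'corroborated' when a ZC exists for
    the job), 'audit-setting-changed' (AD on the registry object) and
    'registry-access-unexplained' (ZC with no GR event in the job, i.e. event
    auditing was off or the change bypassed the registration APIs).
    """
    by_job = defaultdict(lambda: {"ZC": [], "GR": [], "AD": []})
    for r in rows:
        t = r["entry_type"]
        if t == "GR" or (t in ("ZC", "AD") and is_registry_object(r)):
            by_job[job_key(r)][t].append(r)

    findings = []
    for key, ents in by_job.items():
        def add(kind, src, severity, detail):
            # Report the current user, not only the job user: under adopted
            # authority or a profile swap they differ, and the current user is
            # the one whose authority actually made the change.
            findings.append({"kind": kind, "severity": severity,
                             "when": src["timestamp"], "job": "/".join(key),
                             "who": src["current_user"], "program": src["program"],
                             "detail": detail})
        for a in ents["AD"]:
            add("audit-setting-changed", a, "high",
                "object auditing on QUSRSYS/QUSEXRGOBJ was changed")
        for g in ents["GR"]:
            sev = "high" if ents["AD"] else "medium"
            add("exit-program-changed", g, sev,
                f"{g['action']} {g['exit_program']} at {g['exit_point']}"
                f" (corroborated by ZC: {bool(ents['ZC'])})")
        if ents["ZC"] and not ents["GR"]:
            for z in ents["ZC"]:
                add("registry-access-unexplained", z, "medium",
                    "registry opened for change with no matching GR event")
    return sorted(findings, key=lambda f: (f["when"], f["kind"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f['when']} {f['severity']:6} {f['kind']:28} {f['who']:10} "
              f"{f['job']:30} {f['program']:10} {f['detail']}")
```

The job key (name/user/number) is what lets a ZC from object auditing be matched to the GR event that explains it, and the report deliberately shows the current user rather than the job user so that changes made under adopted authority are attributed to the profile that actually had the power to make them.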
Copyright 2013 - SecureMyi.com, all rights reserved. SecureMyi.com | St Louis MO 63017