SecureMyi.com Security Newsletter for the IBM i iSeries and AS/400 - January 4, 2012 - Intrusion Detection - Auditing Registered Exit Programs

<

Tweet
January 4, 2012 - Vol 2, Issue 1

	Feature Article The IBM i Intrusion Detection System By Dan Riehl How do you know if someone is scanning your IP ports for vulnerabilities? Or how do you know if you're being attacked by denial of service attacks like a SYN Flood or Smurf attack? The IBM i Intrusion Detection System (IDS) alerts you when an attack against the system is in progress. In most cases, you have no other way to monitor for these intrusion events. With IBM i version 6.1 and 7.1, you can have the IDS up and running in a few minutes. IBM i Navigator for Windows provides an IDS Setup Wizard, which makes setting up the IDS a very simple process. On my system, I had it up and running in about 30 minutes—25 of those were spent reading the documentation and the On-Line help text. Why do I need an Intrusion Detection System? An IBM i connected to any network should be running the IDS. Some may say they're protected behind a corporate firewall and therefore are immune to these types of attacks. But attacks also come from inside your network, and as far as outside attacks, do you want to bet the security and availability of your System that the firewalls can reject ALL unwanted traffic? Each host system needs to be the final arbiter of who and what has access to the system resources. You cannot disregard the security of the IBM i simply because you have a firewall. In most cases, it's the IBM i in your data center that manages and protects the critical company jewels. It's the system that stores the very sensitive data that you must protect. Setting up the IDS on your IBM i just makes sense. When an attack occurs, instant notification of the attack can be sent to a message queue as well as via email to several email addresses you stipulate. When you see an incoming attack, you can then take preventative actions to stop the attack or prevent the attacker from getting to you again. As prevention, you can set packet filtering rules within IBM i Navigator and adjust firewall rules as needed. The IDS is a detection system; it, alone, cannot prevent an attack. In addition to monitoring for attacks, the IDS also detects if the IBM i is being used as the attacker of another system. You would certainly want to know if someone is launching an attack from within your system. Read More.
Thank you for your subscription to the SecureMyi Security Newsletter! This Newsletter has only One Agenda: To provide education on IBM i Security in order to help us all make our systems more secure. All my very best to you in 2012, Dan Riehl - SecureMyi Security Newsletter Editor		Happy New Year to you! In 2012, we are changing the schedule of the Newsletter. The Newsletter will now be published on alternating Wednesdays. Watch for great new articles and videos. This year will include articles from industry expert guest authors. We will also be presenting Source code for Load-And-Go Security utilities for IBM i. In addition, we will be schedulding a series of Educational Webcasts dealing specifically with Security for the IBM i. 2012 will be an exciting year for IBM i Security - Stay Tuned!
In This Issue Featured Article - IBM i Intrusion Detection Featured Video - Pitfalls in using 1982 Security Scheme Security Shorts - Auditing Exit Point Registry Industry News and Calendar Security Resources Quick Links SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home and Archives Please Visit Our Sponsors Platinum Sponsor The 400 School, Inc. Gold Sponsor Skyview Partners, Inc.	IBM i Security and Audit Resources Free Security Videos from Securemyi.com IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
IBM i Security News Bytes Linoma releases Managed File Transfer Solution GoAnywhere Director 4.0 Review the announcement from Linoma In the last week of the year, the folks at Linoma Software released Version 4.0 of their managed file transfer solution. Raz-Lee's iSecurity Certified for IBM's Q1 Labs Security Intelligence Partner Program More information on the Q1 Labs Partnership Raz-Lee continues to grow iSecurity partnerships through integrating iSecurity with enhanced formats for data transfer including LEEF (Log Event Enhanced Format), AXIS (Asset Exchange Information Souce) and other Q1 Labs' standard formats. The 400 School, Inc. and SecureMyi.com Live Online Security Workshop from The 400 School and SecureMyi.com Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i Jan 17-20, 2012. Very limited seating. Register early to reserve your seat in the class. IBM i Security Calendar of Events Live Security Webcasts for IBM i Using Policy Minder for IBM i for PCI Compliance Presented by Carol Woodbury - Sponsored by Skyview Partners Wednesday January 26 10:00 a.m. PST More Information and Register to Attend More Security Events Jan 17-20 - The 400 School - Live Online Security Workshop May 6-9 - COMMON-A User Group - Annual Conference and Expo - Anaheim, CA
Featured YouTube Educational Video IBM i Security The Pitfalls of Relying on a 1982 Security Scheme in 2012 Cannot Access YouTube from your office? Download the video in wmv format.
Security Shorts - Who Removed my Exit Program? (WRKREGINF) By Dan Riehl I have heard the question many times; 'Who removed my exit program?" Or 'Where did my FTP and Create User Profile registered exit programs go? Perhaps a more interesting question might be "How did that exit program get there?" If you have created the QAUDJRN journal, and have set the associated System Values(QAUDCTL and QAUDLVL) correctly, you have an audit trail of all changes that have been made to your exit point registry. There are 2 auditing methods you can use to collect information about Exit Point Registry changes. You can use Object Auditing, and/or you can use Event auditing. When dealing with the exit point registry, I think you will find that Event auditing may be a better choice. But, I'll present both methods and you can choose which one you like. You may prefer to use both, which is what I recommend. Auditing the Object The Exit Point Registry is stored in the object QUSEXRGOBJ in library QUSRSYS. The object type is EXITRG. In order to start auditing the Exit Point Registry object you first need to ensure that the QAUDCTL system value includes the value OBJAUD. This allows you to being auditing access to objects. Once this is done, you can then start auditing changes to the registry object using the following command. *CHGOBJAUD OBJ(QUSRSYS/QUSEXRGOBJ) OBJTYPE(EXITRG) OBJAUD(CHANGE)* Now, whenever a change is made to the registry, a ZC(Object Accessed for Change) journal entry is written to the QAUDJRN journal, indicating that the QUSEXRGOBJ object was accessed in Update mode, and/or was changed. Additional information provided in the ZC journal entry includes information like Job User, Current User, Job Name, Program that made the change, the timestamp of the entry, etc. The operations that can be audited for the QUSEXRGOBJ object are: ADDEXITPGM --- Add Exit Program CL Command QUSADDEP --- Add Exit Program API QusAddExitProgram --- Add Exit Program API QUSDRGPT --- Unregister Exit Point API QusDeregisterExitPoint --- Unregister Exit Point API QUSRGPT --- Register Exit Point API QusRegisterExitPoint --- Register Exit Point API QUSRMVEP --- Remove Exit Program API QusRemoveExitProgram --- Remove Exit Program API RMVEXITPGM --- Remove Exit Program CL Command WRKREGINF --- Work with Registration Information CL Command To review all ZC entries, you can use your favorite QAUDJRN reporting software. In V5R4 IBM provided the command CPYAUDJRNE(Copy Audit Journal Entries) which is a very nice command to extract information from QAUDJRN. Here's the command you can use to extract the ZC(Object Accessed for Change) entries into a formatted output file. CPYAUDJRNE ENTTYP(ZC) OUTFILE(MYLIB/QAUDIT) This will create a file QAUDITZC in library MYLIB. The columns in the output file are specific to the ZC journal entry type. To list the ZC entries, you can use the command: *RUNQRY N MYLIB/QAUDITZC** If you are auditing numerous objects on your system, you will need to select only the records where the object name is QUSEXRGOBJ. Auditing the Event of a change to the Exit Point Registry To audit security configuration events, like a change to the exit point registry, you set the System value QAUDCTL to include the value AUDLVL, and include the value SECCFG or SECURITY in the QAUDLVL, or QAUDLVL2, system value. If this is done, and someone or some process manipulates the Exit Point Registry, a journal entry is written to the QAUDJRN journal. The journal entry type for this access is GR(Generic Record). As of IBM i 6.1, all GR entries are related to the Exit Point Registry. You can review the GR entries just like the ZC entries. Here's the command you can use to extract the GR entries into a formatted output file. CPYAUDJRNE ENTTYP(GR) OUTFILE(MYLIB/QAUDIT)* This will create a file QAUDITGR in library MYLIB. The columns in the output file are specific to the GR journal entry type. To list the GR entries, you can use the command: *RUNQRY N MYLIB/QAUDITGR** The information provided includes what function was performed, Job User, Current User, Job Name, Program used, Timestamp, etc.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert Level Security Consulting IT Security and Compliance Group, LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Live Online Hands-On Workshops Special Fall/Winter Class Discounts Now Accepting Credit Cards IBM i Security Workshop - Jan 17-20 Interactive COBOL Programming - Jan 23-27 System Operations Workshop-Feb 27-Mar 2 System Administration & Control - Mar 12-16 Interactive RPG IV Programming - Mar 26-30

Send your IBM i Security Related News and Events! Advertise in SecureMyi.com Security Newsletter Copyright 2011 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017