SecureMyi.com Security and Systems Management Newsletter for the IBM i
May 8, 2013 - Vol 3, Issue 28
Feature Article
By Dan Riehl

When I discuss the topic of auditing, I'm referring to the IBM i auditing capability in which certain predefined activities or events cause an audit log record to be written as a formatted journal entry to the system's audit journal, QAUDJRN.

Auditing using QAUDJRN isn't automatically configured, so when you first start your system you must configure IBM i QAUDJRN auditing to meet your specific auditing requirements as defined by the system administrator, the security officer, the security policy, and your IT auditors. Once you've configured your auditing environment, regular reporting of the QAUDJRN activities and events should be instituted to ensure adherence to policy. When audit journal entries are written to QAUDJRN, you have the sound basis needed to accurately analyze and report on current and historical events.

Even assuming a regular QAUDJRN reporting regimen, there will be occasions when you need to go back and dig out past events. These past events may have negatively affected your system, or you may simply want to check on who did what, when. For example, you may want to determine who changed Fred's user profile to assign him *ALLOBJ and *SECADM special authority. When did it occur, and how was it accomplished? In cases like this, you can use forensic evaluation methods to extract the relevant audit entries from QAUDJRN to determine the culprit.

In recent cases, I have been asked to use the QAUDJRN forensic reporting methods to solve some interesting mysteries, such as:

All these mysteries were successfully solved by using forensic analysis of the QAUDJRN journal. It is important to note that I was able to analyze the audit entries only because the customers were auditing the particular events that comprised these incidents. For example, if the auditing setup did not include *SECURITY in the QAUDLVL system value, I wouldn't have been able to discover who changed the system value QCRTAUT. Changes to system values are audited only when QAUDLVL contains the value *SECURITY or the sub-value *SECCFG.

Read about the details of Auditing and Reporting from QAUDJRN
Security Shorts
By Dan Riehl

In the above Feature Article, "Auditing CL Command Usage", I explain how you can extract information from the system QAUDJRN audit journal to provide a formatted output file containing events such as when a System Value is changed. In that article, I show a method that uses a combination of two commands, Create Duplicate Object (CRTDUPOBJ) and Display Journal (DSPJRN). The information extracted is all the events in which a System Value was changed. The CRTDUPOBJ command is used to create a usable copy of the IBM-supplied model file for the SV type of journal entries. Once the usable copy of the IBM model file is created with CRTDUPOBJ, the DSPJRN command is used to extract the SV journal entries from QAUDJRN and place them into our copy of the IBM model output file, thereby letting us use simple query tools, or a download to Excel, to evaluate the System Value Change events.

There IS Another, and Possibly Easier, Method

While this is one way to extract the data and place it into a usable format, IBM has also provided an alternative method, which you might choose over the two-step method I use in the Feature Article. In release V5R4, IBM introduced the CL command Copy Audit Journal Entries (CPYAUDJRNE). The command, in effect, replaces the older Display Audit Journal Entries (DSPAUDJRNE) command, which only let you print a list of the QAUDJRN journal entries, and the printed list is often missing key data elements from the journal entry. CPYAUDJRNE helps you extract data from the system audit journal (QAUDJRN) and place that data into an entry-specific output file. It would be nice if the new command had the same filtering capability as the more capable DSPJRN command; CPYAUDJRNE lets you filter only by journal entry type, user, journal receivers, or from-date/time and to-date/time. The DSPJRN command allows additional selection criteria over CPYAUDJRNE, such as the program name and job that caused the System Value change.

However, if you do not need that extra filtering, I recommend using CPYAUDJRNE over the two-step method of CRTDUPOBJ and DSPJRN. The output file(s) created by the CPYAUDJRNE command are journal-entry-type specific, so you end up with the same result as explained in my Feature Article that uses the two-step approach.

Here's an example of using CPYAUDJRNE to extract the SV (System Value Change) entries for the date and time period specified in the command:

    CPYAUDJRNE ENTTYP(SV) OUTFILE(MYAUDIT/A0512) JRNRCV(*CURCHAIN) FROMTIME('04/19/2013' '04:00:00') TOTIME('04/20/2013' '04:00:00')

This command creates an output file named A0512SV, which contains the SV entries for the time period. You can then use IBM's Query or another query tool to present the data the way you want it. For example, to list all the System Value Changes for that time period, you could use the command:

    RUNQRY QRYFILE((MYAUDIT/A0512SV))

IBM's 6.1 CPYAUDJRNE command documentation describes the full set of parameters.
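As an added example (not the newsletter's own code), the CL sequence below ties the Feature Article's point about QAUDLVL to the two extraction methods in this Security Short: it first makes sure *SECURITY is in QAUDLVL, since without it no SV entry is ever written, then pulls the same SV entries with CPYAUDJRNE and with the CRTDUPOBJ/DSPJRN two-step method using the job and program filters that CPYAUDJRNE lacks. The library MYAUDIT, the output file names, the job name QPADEV0001 and the program name SETSYSVAL are assumptions.

```cl
/* Added example, not from the newsletter.  Assumes library MYAUDIT exists  */
/* and that dates are entered as MM/DD/YYYY, as in the article's example.    */

/* 1. Auditing must be on before any extraction is useful.  CHGSECAUD       */
/*    creates QAUDJRN and a receiver if they do not exist and sets the       */
/*    QAUDCTL and QAUDLVL system values.  Without *SECURITY (or *SECCFG) in  */
/*    QAUDLVL no SV entry is written, so a later search for who changed      */
/*    QCRTAUT would come up empty.                                           */
CHGSECAUD  QAUDCTL(*AUDLVL *OBJAUD) +
           QAUDLVL(*SECURITY *AUTFAIL *SAVRST *SERVICE)
DSPSECAUD                          /* confirm *SECURITY now shows in QAUDLVL */

/* 2a. One-step method: CPYAUDJRNE.  Filters only by entry type, user,      */
/*     receiver range and time.  Creates the file MYAUDIT/A0512SV.           */
CPYAUDJRNE ENTTYP(SV) OUTFILE(MYAUDIT/A0512) JRNRCV(*CURCHAIN) +
           FROMTIME('04/19/2013' '04:00:00') +
           TOTIME('04/20/2013' '04:00:00')
RUNQRY     QRYFILE((MYAUDIT/A0512SV))

/* 2b. Two-step method: CRTDUPOBJ + DSPJRN.  Same SV records, but DSPJRN    */
/*     can also narrow to the job and program that made the change.         */
/*     QASYSVJ5 is IBM's *TYPE5 model outfile for SV entries.  The job name */
/*     QPADEV0001 and program SETSYSVAL are assumed values for the job and   */
/*     user-written program suspected of changing the system value.          */
CRTDUPOBJ  OBJ(QASYSVJ5) FROMLIB(QSYS) OBJTYPE(*FILE) +
           TOLIB(MYAUDIT) NEWOBJ(SVENTRIES)
DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
           FROMTIME('04/19/2013' '04:00:00') +
           TOTIME('04/20/2013' '04:00:00') +
           JOB(QPADEV0001) PGM(SETSYSVAL) ENTTYP(SV) +
           OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
           OUTFILE(MYAUDIT/SVENTRIES)
RUNQRY     QRYFILE((MYAUDIT/SVENTRIES))
```

Drop the JOB and PGM parameters from DSPJRN to get the same unfiltered result set as CPYAUDJRNE, which is useful for confirming that both methods return the same entries before relying on the narrower query.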
Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories.
Copyright 2013 - SecureMyi.com, all rights reserved. SecureMyi.com | St Louis MO 63017