SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - May 22, 2013 - QAUDJRN - Auditing User Activity on IBM i

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i May 22, 2013 - Vol 3, Issue 29

	Feature Article Auditing User Activity on IBM i - QAUDJRN By Dan Riehl In this second installment of the series dealing with forensic analysis by using the QAUDJRN journal, the focus is on the forensic analysis of user activity. I discuss how to audit and report on various activities performed by a particular user, and I also show how to audit and report on security-related events caused by all users. As examples, I examine how to audit and report on every time QSECOFR changes a system value, and I also discuss how to audit and report on every occurrence in which any user deletes any object. Auditing Revisited I encourage you to review the previous article in this series (" Auditing CL Command Usage" from the May 8, 2013 Issue of the SecureMyi Security Newsletter), which discusses the basics of auditing and reporting from the system security audit journal QAUDJRN. In order to begin reporting on security related activities, you must first configure your system to perform the auditing functions you need. The system values QAUDCTL and QAUDLVL must be set for your desired level of auditing, and the QAUDJRN journal must have been created on your system. Every security-related event that occurs on your system is tied to a particular user. In this article, the focus is on reporting on the activities performed by a user. Usually, we want to report on the activities of our powerful users such as QSECOFR and system administrator users. Powerful IT users and other users with command-line access have the freedom to navigate the system outside of the constraints of a menu system that would otherwise confine their activities to those allowed by their menu options. Having said that, let me also say that you can audit and report on the activities of any user, regardless of the user's power or ability to navigate the system. When you want to be able to audit and report on the activities of a particular user, you must first decide which events you're interested in collecting. If you don't care whether someone moves a spooled file report from one output queue to another, or if you don't care when a program adopts authority, it affects your choices when configuring auditing. If you want to be able to track each time a new library is created on the system or every time a file is deleted, it likewise affects your auditing configuration. The events that can be audited are described by a combination of the allowable values for the system values QAUDLVL and QAUDLVL2, and the allowable values for the AUDLVL attribute of each user profile. Read about the Auditing User Activity
In This Issue Featured Article - Auditing User Activity Featured Video - Using Authorization Lists Security Shorts - Authority to a Library? Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Need Access to an IBM i? Visit RZKH.de Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor The PowerTech Group Skyview Partners, Inc Sponsor Cilasoft Security Solutions	IBM i Security Resources John Earl Memorial Tribute - Jan 2013 IBM i Security Videos from SecureMyi.com SecureMyi Newsletter Home and Archives Search Security Site for IBM i and i5/OS IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 QAUDJRN Audit Types By AUDLVL 6.1 QAUDJRN Entry Type Record Layout 6.1 RedBook - Security Guide for IBM i 6.1 Open Security Foundation - DataLoss DB PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
IBM i Security Calendar of Events Live Security Related Webcasts and Training for IBM i Top Security and Privacy Concerns with BYOD (Bring Your Own Device) with Carol Woodbury Live Webcast - Presented by Skyview Partners Wednesday, May 22 10:00am CDT More Information and Register to Attend Enforcing the Integrity of Your IBM i Data and Server Live Webcast - Presented by PowerTech Thursday, May 23 1:00pm CDT More Information and Register to Attend Top 5 Single Sign-on Myth-Buster Myths with Patrick Botz Live Webcast - Presented by Skyview Partners Wednesday, June 12 10:00am CDT More Information and Register to Attend IBM i Encryption Simplified with DB2 Field Procedures Live Webcast - Presented by Linoma Software Thursday, June 13 Noon CDT More Information and Register to Attend Live Hands-On IBM i System Administration and Control Workshop with Dan Riehl Full Length Training Workshop - June 17-21 Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On IBM i Security Assessment Workshop for IBM i with Dan Riehl Full Length Training Workshop - July 15-18 Dan Riehl presents this 3.5-Day Live Online Hands-on Security Assessment Workshop. More Information and Register to Attend Get your FTP Server into Compliance Live Webcast - Presented by Linoma Software Thursday, July 18 Noon CDT More Information and Register to Attend
Featured YouTube Educational Video Common Misconceptions when using Authorization Lists Cannot Access YouTube from your office? Download the video in wmv format.

Security Shorts - Misconceptions on Authorities to Libraries By Dan Riehl A popular misconception held by many people is that if a library is secured as PUBLIC AUT(USE), then this library authority provides Read-Only access to the files that reside in the library. For most of us who read this newsletter, we know that this is not true. Here are the rules for library authorities. EXCLUDE Authority If a user has EXCLUDE authority to a library, they cannot access the library, nor can they access the objects within the library. USE Authority If a user has USE authority to a library, they can access the library, but cannot change attributes of the library, such as the library text. The user cannot add new objects to the library. When it comes to accessing the objects within the library, the object authority is the determining factor. For example, if a user has EXCLUDE authority to a file in the library, they cannot access the file. If a user has USE authority to a file in the library, they have read-only access to the file. If the user has CHANGE authority to a file, they can open the file for update and manipulate the records in the file (add, change, delete). If the user has ALL rights to the file in the library, the user may perform all operations on the file including deleting the file. Yes, that's right. If a user has USE authority to a library, the user can delete an object from the library if the user has ALL authority, which includes OBJEXIST authority to the object. CHANGE Authority If a user has CHANGE authority to a library, they can access the library and can change some attributes of the library. Changes to some attributes require the additional OBJMGT(Object Management) authority to the library. All of the same object rules are in effect as when the user has USE authority to the library, but there is one big difference. If a user has CHANGE authority to a library, they can create new objects in the library. That is the only real difference between USE and CHANGE authority to a library. If you have CHANGE authority, you can add new objects. ALL Authority If a user has ALL authority to the library, the user can access the library, and may even be able to delete the library and all the objects within the library. However, if the user does not have ALL authority, or a mixture of OBJEXIST and OBJOPR authority to the objects in the library, the user cannot delete those objects and therefore cannot delete the library. If a user has the authority to delete all the objects in the library, then the library itself can be deleted. All of the same rules apply to object access as when the user has USE or CHANGE rights to the library. What about ALLOBJ Authority? When dealing with library and object authorities, you always have to take into account that some user profiles have ALLOBJ special authority. When a user has ALLOBJ special authority, there are no restrictions on accessing objects in your user libraries. A user with ALLOBJ special authority can read, change and even delete any object in any user library on the system. (Note: There are some objects that may not be deleted even by a user with ALLOBJ special authority. For example, user profiles cannot be deleted by an ALLOBJ user, unless that user also has *SECADM special authority.)		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert IBM i Security Consulting IT Security and Compliance Group. LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops Intro RPG IV Programming Intro RPG/400 Programming IBM i COBOL Programming Interactive Programming Workshops Introduction to System Operations Expanded System Operations Workshop System Administration and Control Expanded Security Workshop Control Language Programming IBM i Concepts and Facilities Concepts & Control Language Query Workshop

Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2013 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017