SecureMyi.com Security and Systems Management Newsletter for the IBM i                 May 22, 2013 - Vol 3, Issue 29
Live Online Workshops - from The 400 School


Security software



Security? See how SKYVIEW PARTNERS can help!


Feature Article

Auditing User Activity on IBM i - QAUDJRN

By Dan Riehl

In this second installment of the series dealing with forensic analysis by using the QAUDJRN journal, the focus is on the forensic analysis of user activity. I discuss how to audit and report on various activities performed by a particular user, and I also show how to audit and report on security-related events caused by all users. As examples, I examine how to audit and report on every time QSECOFR changes a system value, and I also discuss how to audit and report on every occurrence in which any user deletes any object.

Auditing Revisited

I encourage you to review the previous article in this series (" Auditing CL Command Usage" from the May 8, 2013 Issue of the SecureMyi Security Newsletter), which discusses the basics of auditing and reporting from the system security audit journal QAUDJRN.

In order to begin reporting on security related activities, you must first configure your system to perform the auditing functions you need. The system values QAUDCTL and QAUDLVL must be set for your desired level of auditing, and the QAUDJRN journal must have been created on your system.

Every security-related event that occurs on your system is tied to a particular user. In this article, the focus is on reporting on the activities performed by a user.

Usually, we want to report on the activities of our powerful users such as QSECOFR and system administrator users. Powerful IT users and other users with command-line access have the freedom to navigate the system outside of the constraints of a menu system that would otherwise confine their activities to those allowed by their menu options. Having said that, let me also say that you can audit and report on the activities of any user, regardless of the user's power or ability to navigate the system.

When you want to be able to audit and report on the activities of a particular user, you must first decide which events you're interested in collecting. If you don't care whether someone moves a spooled file report from one output queue to another, or if you don't care when a program adopts authority, it affects your choices when configuring auditing. If you want to be able to track each time a new library is created on the system or every time a file is deleted, it likewise affects your auditing configuration. The events that can be audited are described by a combination of the allowable values for the system values QAUDLVL and QAUDLVL2, and the allowable values for the AUDLVL attribute of each user profile.

Read about the Auditing User Activity

In This Issue


Featured Article - Auditing User Activity

Featured Video - Using Authorization Lists

Security Shorts - Authority to a Library?

Industry News and Calendar

Security Resources

Quick Links


Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Need Access to an IBM i? Visit RZKH.de

Our Newsletter Sponsors


Platinum Sponsor

    The 400 School, Inc


Gold Sponsor

    The PowerTech Group

    Skyview Partners, Inc

Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

John Earl Memorial Tribute - Jan 2013

IBM i Security Videos from SecureMyi.com

SecureMyi Newsletter Home and Archives

Search Security Site for IBM i and i5/OS

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1


Open Security Foundation - DataLoss DB

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Follow SecureMyi on Twitter




Follow SecureMyi on YouTube






Security software

IBM i Security Calendar of Events


Live Security Related Webcasts and Training for IBM i

Top Security and Privacy Concerns with BYOD (Bring Your Own Device)
with Carol Woodbury

Live Webcast - Presented by Skyview Partners
Wednesday, May 22 10:00am CDT
More Information and Register to Attend

Enforcing the Integrity of Your IBM i Data and Server
Live Webcast - Presented by PowerTech
Thursday, May 23 1:00pm CDT
More Information and Register to Attend

Top 5 Single Sign-on Myth-Buster Myths
with Patrick Botz

Live Webcast - Presented by Skyview Partners
Wednesday, June 12 10:00am CDT
More Information and Register to Attend

IBM i Encryption Simplified with DB2 Field Procedures
Live Webcast - Presented by Linoma Software
Thursday, June 13 Noon CDT
More Information and Register to Attend

Live Hands-On IBM i System Administration and Control Workshop
with Dan Riehl

Full Length Training Workshop - June 17-21
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On IBM i Security Assessment Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - July 15-18
Dan Riehl presents this 3.5-Day Live Online Hands-on Security Assessment Workshop.
More Information and Register to Attend

Get your FTP Server into Compliance
Live Webcast - Presented by Linoma Software
Thursday, July 18 Noon CDT
More Information and Register to Attend




Security? See how SKYVIEW PARTNERS can help!



Featured YouTube Educational Video

Common Misconceptions when using Authorization Lists

Featured Video - IBM i Security - Common Misconceptions - Using Authorization Lists

Cannot Access YouTube from your office? Download the video in wmv format.   Click to Download the wmv file
Live Online Workshops - from The 400 School

Security Shorts -

Misconceptions on Authorities to Libraries

By Dan Riehl

A popular misconception held by many people is that if a library is secured as *PUBLIC AUT(*USE), then this library authority provides Read-Only access to the files that reside in the library. For most of us who read this newsletter, we know that this is not true.

Here are the rules for library authorities.

*EXCLUDE Authority

If a user has *EXCLUDE authority to a library, they cannot access the library, nor can they access the objects within the library.

*USE Authority

If a user has *USE authority to a library, they can access the library, but cannot change attributes of the library, such as the library text. The user cannot add new objects to the library.

When it comes to accessing the objects within the library, the object authority is the determining factor. For example, if a user has *EXCLUDE authority to a file in the library, they cannot access the file. If a user has *USE authority to a file in the library, they have read-only access to the file. If the user has *CHANGE authority to a file, they can open the file for update and manipulate the records in the file (add, change, delete). If the user has *ALL rights to the file in the library, the user may perform all operations on the file including deleting the file. Yes, that's right. If a user has *USE authority to a library, the user can delete an object from the library if the user has *ALL authority, which includes *OBJEXIST authority to the object.

*CHANGE Authority

If a user has *CHANGE authority to a library, they can access the library and can change some attributes of the library. Changes to some attributes require the additional *OBJMGT(Object Management) authority to the library.

All of the same object rules are in effect as when the user has *USE authority to the library, but there is one big difference. If a user has *CHANGE authority to a library, they can create new objects in the library. That is the only real difference between *USE and *CHANGE authority to a library. If you have *CHANGE authority, you can add new objects.

*ALL Authority

If a user has *ALL authority to the library, the user can access the library, and may even be able to delete the library and all the objects within the library.

However, if the user does not have *ALL authority, or a mixture of *OBJEXIST and *OBJOPR authority to the objects in the library, the user cannot delete those objects and therefore cannot delete the library.

If a user has the authority to delete all the objects in the library, then the library itself can be deleted. All of the same rules apply to object access as when the user has *USE or *CHANGE rights to the library.

What about *ALLOBJ Authority?

When dealing with library and object authorities, you always have to take into account that some user profiles have *ALLOBJ special authority. When a user has *ALLOBJ special authority, there are no restrictions on accessing objects in your user libraries. A user with *ALLOBJ special authority can read, change and even delete any object in any user library on the system.

(Note: There are some objects that may not be deleted even by a user with *ALLOBJ special authority. For example, user profiles cannot be deleted by an *ALLOBJ user, unless that user also has *SECADM special authority.)

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert IBM i Security Consulting
IT Security and Compliance Group. LLC


In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming


Live Training from The 400 School, Inc


Customized IBM i (AS/400) Training -
    Presented Live at your offices


Live Online Hands-On Workshops

Intro RPG IV Programming
Intro RPG/400 Programming
IBM i COBOL Programming
Interactive Programming Workshops
Introduction to System Operations
Expanded System Operations Workshop
System Administration and Control
Expanded Security Workshop
Control Language Programming
IBM i Concepts and Facilities
Concepts & Control Language
Query Workshop



Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2013 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017