January 4, 2012 - Vol 2, Issue 1
Live Training from The 400 School

Carol Woodbury gives you seven quick tips for passing your audit. Download her white paper now! Brought to you by SkyView Partners

Feature Article

The IBM i Intrusion Detection System

By Dan Riehl

How do you know if someone is scanning your IP ports for vulnerabilities? Or how do you know if you're being attacked by denial of service attacks like a SYN Flood or Smurf attack?

The IBM i Intrusion Detection System (IDS) alerts you when an attack against the system is in progress. In most cases, you have no other way to monitor for these intrusion events. With IBM i version 6.1 and 7.1, you can have the IDS up and running in a few minutes. IBM i Navigator for Windows provides an IDS Setup Wizard, which makes setting up the IDS a very simple process. On my system, I had it up and running in about 30 minutesó25 of those were spent reading the documentation and the On-Line help text.

Why do I need an Intrusion Detection System?

An IBM i connected to any network should be running the IDS. Some may say they're protected behind a corporate firewall and therefore are immune to these types of attacks. But attacks also come from inside your network, and as far as outside attacks, do you want to bet the security and availability of your System that the firewalls can reject ALL unwanted traffic?

Each host system needs to be the final arbiter of who and what has access to the system resources. You cannot disregard the security of the IBM i simply because you have a firewall. In most cases, it's the IBM i in your data center that manages and protects the critical company jewels. It's the system that stores the very sensitive data that you must protect. Setting up the IDS on your IBM i just makes sense.

When an attack occurs, instant notification of the attack can be sent to a message queue as well as via email to several email addresses you stipulate. When you see an incoming attack, you can then take preventative actions to stop the attack or prevent the attacker from getting to you again. As prevention, you can set packet filtering rules within IBM i Navigator and adjust firewall rules as needed. The IDS is a detection system; it, alone, cannot prevent an attack.

In addition to monitoring for attacks, the IDS also detects if the IBM i is being used as the attacker of another system. You would certainly want to know if someone is launching an attack from within your system.

Read More.

Thank you for your subscription to the SecureMyi Security Newsletter!

This Newsletter has only One Agenda:
To provide education on IBM i Security in order to help us all make our systems more secure.

All my very best to you in 2012,

Dan Riehl - SecureMyi Security Newsletter Editor

Happy New Year to you!

In 2012, we are changing the schedule of the Newsletter. The Newsletter will now be published on alternating Wednesdays.

Watch for great new articles and videos. This year will include articles from industry expert guest authors. We will also be presenting Source code for Load-And-Go Security utilities for IBM i.

In addition, we will be schedulding a series of Educational Webcasts dealing specifically with Security for the IBM i.

2012 will be an exciting year for IBM i Security - Stay Tuned!

In This Issue

Featured Article - IBM i Intrusion Detection

Featured Video - Pitfalls in using 1982 Security Scheme

Security Shorts - Auditing Exit Point Registry

Industry News and Calendar

Security Resources

Quick Links

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home and Archives

Please Visit Our Sponsors

Platinum Sponsor
      The 400 School, Inc.

Gold Sponsor
      Skyview Partners, Inc.

IBM i Security and Audit Resources

Free Security Videos from Securemyi.com

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow securemyi on Twitter

Follow securemyi on YouTube

Subscribe to the SecureMyi Security Newsletter - Get Dan Riehl's book PowerTips for IBM i Security

Skyview Partners - Tools for Security and Compliance

IBM i Security News Bytes

Linoma releases Managed File Transfer Solution GoAnywhere Director 4.0
Review the announcement from Linoma
In the last week of the year, the folks at Linoma Software released Version 4.0 of their managed file transfer solution.

Raz-Lee's iSecurity Certified for IBM's Q1 Labs Security Intelligence Partner Program
More information on the Q1 Labs Partnership
Raz-Lee continues to grow iSecurity partnerships through integrating iSecurity with enhanced formats for data transfer including LEEF (Log Event Enhanced Format), AXIS (Asset Exchange Information Souce) and other Q1 Labs' standard formats.

The 400 School, Inc. and SecureMyi.com
Live Online Security Workshop from The 400 School and SecureMyi.com
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i
Jan 17-20, 2012. Very limited seating. Register early to reserve your seat in the class.

IBM i Security Calendar of Events

Live Security Webcasts for IBM i

Using Policy Minder for IBM i for PCI Compliance
Presented by Carol Woodbury - Sponsored by Skyview Partners
Wednesday January 26 10:00 a.m. PST
More Information and Register to Attend

More Security Events

Jan 17-20 - The 400 School - Live Online Security Workshop

May 6-9 - COMMON-A User Group - Annual Conference and Expo - Anaheim, CA

Featured YouTube Educational Video

IBM i Security

The Pitfalls of Relying on a 1982 Security Scheme in 2012

Featured Video - The Pitfalls of Relying on a 1982 Security Scheme in 2012

Cannot Access YouTube from your office? Download the video in wmv format.   Click to Download the wmv file

Security Shorts - Who Removed my Exit Program?

By Dan Riehl

I have heard the question many times; 'Who removed my exit program?" Or 'Where did my FTP and Create User Profile registered exit programs go? Perhaps a more interesting question might be "How did that exit program get there?"

If you have created the QAUDJRN journal, and have set the associated System Values(QAUDCTL and QAUDLVL) correctly, you have an audit trail of all changes that have been made to your exit point registry. There are 2 auditing methods you can use to collect information about Exit Point Registry changes. You can use Object Auditing, and/or you can use Event auditing. When dealing with the exit point registry, I think you will find that Event auditing may be a better choice. But, I'll present both methods and you can choose which one you like. You may prefer to use both, which is what I recommend.

Auditing the Object

The Exit Point Registry is stored in the object QUSEXRGOBJ in library QUSRSYS. The object type is *EXITRG.

In order to start auditing the Exit Point Registry object you first need to ensure that the QAUDCTL system value includes the value *OBJAUD. This allows you to being auditing access to objects. Once this is done, you can then start auditing changes to the registry object using the following command.


Now, whenever a change is made to the registry, a ZC(Object Accessed for Change) journal entry is written to the QAUDJRN journal, indicating that the QUSEXRGOBJ object was accessed in Update mode, and/or was changed. Additional information provided in the ZC journal entry includes information like Job User, Current User, Job Name, Program that made the change, the timestamp of the entry, etc.

The operations that can be audited for the QUSEXRGOBJ object are:

ADDEXITPGM --- Add Exit Program CL Command  
QUSADDEP --- Add Exit Program API 
QusAddExitProgram --- Add Exit Program API 
QUSDRGPT --- Unregister Exit Point API 
QusDeregisterExitPoint --- Unregister Exit Point API 
QUSRGPT --- Register Exit Point API 
QusRegisterExitPoint --- Register Exit Point API 
QUSRMVEP --- Remove Exit Program API 
QusRemoveExitProgram --- Remove Exit Program API 
RMVEXITPGM --- Remove Exit Program CL Command 
WRKREGINF --- Work with Registration Information CL Command  

To review all ZC entries, you can use your favorite QAUDJRN reporting software. In V5R4 IBM provided the command CPYAUDJRNE(Copy Audit Journal Entries) which is a very nice command to extract information from QAUDJRN. Here's the command you can use to extract the ZC(Object Accessed for Change) entries into a formatted output file.


This will create a file QAUDITZC in library MYLIB. The columns in the output file are specific to the ZC journal entry type. To list the ZC entries, you can use the command:


If you are auditing numerous objects on your system, you will need to select only the records where the object name is QUSEXRGOBJ.

Auditing the Event of a change to the Exit Point Registry

To audit security configuration events, like a change to the exit point registry, you set the System value QAUDCTL to include the value *AUDLVL, and include the value *SECCFG or *SECURITY in the QAUDLVL, or QAUDLVL2, system value.

If this is done, and someone or some process manipulates the Exit Point Registry, a journal entry is written to the QAUDJRN journal. The journal entry type for this access is GR(Generic Record). As of IBM i 6.1, all GR entries are related to the Exit Point Registry.

You can review the GR entries just like the ZC entries. Here's the command you can use to extract the GR entries into a formatted output file.


This will create a file QAUDITGR in library MYLIB. The columns in the output file are specific to the GR journal entry type. To list the GR entries, you can use the command:


The information provided includes what function was performed, Job User, Current User, Job Name, Program used, Timestamp, etc.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert Level Security Consulting
IT Security and Compliance Group, LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming

Subscribe to the SecureMyi Security Newsletter - Get Dan Riehl's book PowerTips for IBM i Security

Live Training from The 400 School, Inc

Live Online Hands-On Workshops
Special Fall/Winter Class Discounts

Now Accepting Credit Cards

IBM i Security Workshop - Jan 17-20
Interactive COBOL Programming - Jan 23-27
System Operations Workshop-Feb 27-Mar 2
System Administration & Control - Mar 12-16
Interactive RPG IV Programming - Mar 26-30

Classes at your offices. IBM i, iSeries AS/400?  The 400 School, Inc.

Subscribe to the SecureMyi Security Newsletter - Get Dan Riehl's book PowerTips for IBM i Security

Send your IBM i Security Related News and Events!           Advertise in SecureMyi.com Security Newsletter

Copyright 2011 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017