SecureMyi.com Security and Systems Management Newsletter for the IBM i             July 15, 2015 - Vol 5, Issue 8
Feature Article

Tracking Access to Your Sensitive Files

By Dan Riehl - SecureMyi.com

In this article on auditing using the QAUDJRN journal, the focus is on detecting access to sensitive files. In our heavily regulated environment, it's crucial that we keep prying eyes out of personal, private, and sensitive data. We also need to protect our files against unauthorized changes. The information I present here doesn't let you block unsanctioned access, but it can tell you when this access happens, after the fact. I once heard it said, "That which we cannot prevent, we must be able to detect."

I discuss how to audit and report on file access under everyday scenarios. I also discuss the various auditing options and how to configure the level of auditing you need to accomplish your reporting objectives. As examples, I examine how to audit and report on every event in which an IT staff member accesses the sensitive CREDITCARD file, whether for inquiry or for update. I also examine how to audit and report on every file accessed by using ODBC, and whether the access was for inquiry or for update. The object-auditing methods I present here don't let you detect or report on database record updates; rather, I'm dealing with file-level access only, and whether the file was opened for inquiry only or for update. I cover detecting and reporting on database record-level update events in the September 24, 2014 issue of the SecureMyi Newsletter.

Auditing Revisited

I encourage you to review the previous articles in this series, "Auditing and Reporting the Use of CL Commands" and "Auditing User Activity," from the SecureMyi Security Newsletter.


Object Auditing

To audit and report on file access, or access to any other object, object auditing must be active: the system value QAUDCTL must contain the value *OBJAUD, and the QAUDJRN journal must exist in QSYS. (QAUDLVL, the other auditing system value, selects the action-auditing categories such as *CREATE or *SECURITY; it is not what turns object auditing on.) Once the system value is set, you tell the system which objects you want to audit and the level of auditing you require. To begin auditing an object, you use the Change Object Auditing (CHGOBJAUD) command, which requires *AUDIT special authority. Here's the command's format:

CHGOBJAUD   OBJ(Library-name/Object-name)   OBJTYPE(Object-Type)  +
                            OBJAUD(*ALL, *CHANGE, *USRPRF, *NONE)

The OBJAUD values mean: *ALL records both read-only and update opens of the object; *CHANGE records only opens for update; *USRPRF defers to the OBJAUD setting of the user profile doing the access (set with CHGUSRAUD), which is how you audit everything a particular user or group of users touches regardless of object; *NONE turns auditing off for the object. To begin auditing ALL access to the sensitive file named CREDITCARD, the command is:

CHGOBJAUD OBJ(PRODLIB/CREDITCARD) OBJTYPE(*FILE) OBJAUD(*ALL)

Once this command is run, a journal entry is written to the QAUDJRN journal each time the file is opened. If the file is opened for a read-only operation, a journal entry of type ZR (object opened for read) is written. If the file is opened for an update operation, a journal entry of type ZC (object opened for change) is written. There is one entry per open, not per record: a batch job that opens CREDITCARD once and reads every record produces a single ZR entry, which identifies the job, the user profile in effect, and the program, but not the records touched. Expect OBJAUD(*ALL) on a busy file to add a noticeable volume of entries to QAUDJRN, so size your journal receivers accordingly. The formats of the ZC and ZR journal entry types are virtually identical. The ZC format fields begin with the prefix ZC, and the ZR format has the same fields, but the field names have the prefix ZR. Figure 1 shows the entire ZR journal entry format (as defined in the IBM-supplied model outfile QASYZRJ5; QASYZCJ5 is the ZC equivalent).
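As an added example (not part of the article and not the author's code), the following CL program pulls the ZR and ZC entries out of QAUDJRN and prints the two reports the article describes: every open of PRODLIB/CREDITCARD, and every file opened through the ODBC database server jobs, each tagged READ or CHANGE. It assumes object auditing is active as described above (QAUDCTL contains *OBJAUD and CHGOBJAUD has been run on the files of interest, since only audited objects produce ZR/ZC entries), that the field names follow the QASYZRJ5 and QASYZCJ5 model outfile layouts (ZRTSTP, ZRUSPF, ZRJOB, ZRUSER, ZRNBR, ZRPGM, ZROLIB, ZRONAM and their ZC counterparts; confirm them with DSPFFD on your release), and that the RUNSQL command is available (IBM i 7.1 and later). The ODBC filter keys on the database server prestart job names QZDASOINIT and QZDASSINIT, which run under the job user QUSER while the real caller appears in the user profile field; that is why the report keeps the user profile (ZRUSPF) separate from the job user.

```cl
/* OBJOPENS - Report QAUDJRN object-open entries (ZR and ZC).            */
/* Added example; not the article's or the author's code.                */
/* Assumes: QAUDCTL contains *OBJAUD; CHGOBJAUD OBJAUD(*ALL) has been    */
/* run on the files to report on; field names are taken from the         */
/* QASYZRJ5/QASYZCJ5 model outfiles (verify with DSPFFD); RUNSQL is      */
/* available (IBM i 7.1 and later).                                      */
/* Parameter: &FROMDATE - first date to report, 6 digits in the job's    */
/* date format, e.g. CALL OBJOPENS PARM('070115')                        */

             PGM        PARM(&FROMDATE)
             DCL        VAR(&FROMDATE) TYPE(*CHAR) LEN(6)
             DCL        VAR(&MSGID)    TYPE(*CHAR) LEN(7)
             DCL        VAR(&MSGF)     TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSGFLIB)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSGDTA)   TYPE(*CHAR) LEN(256)

             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

/* Work files cloned from the model outfiles so that DSPJRN *TYPE5       */
/* output lands in named, typed fields instead of one raw data string    */
             DLTF       FILE(QTEMP/ZRENT)
             MONMSG     MSGID(CPF2105)
             DLTF       FILE(QTEMP/ZCENT)
             MONMSG     MSGID(CPF2105)
             DLTF       FILE(QTEMP/OBJOPENS)
             MONMSG     MSGID(CPF2105)
             CRTDUPOBJ  OBJ(QASYZRJ5) FROMLIB(QSYS) OBJTYPE(*FILE) +
                          TOLIB(QTEMP) NEWOBJ(ZRENT)
             CRTDUPOBJ  OBJ(QASYZCJ5) FROMLIB(QSYS) OBJTYPE(*FILE) +
                          TOLIB(QTEMP) NEWOBJ(ZCENT)

/* Extract object-read (ZR) and object-change (ZC) entries (journal      */
/* code T) from the attached receiver chain, starting at &FROMDATE      */
             DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
                          FROMTIME(&FROMDATE) JRNCDE((T)) ENTTYP(ZR) +
                          OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
                          OUTFILE(QTEMP/ZRENT) ENTDTALEN(*CALC)
             DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
                          FROMTIME(&FROMDATE) JRNCDE((T)) ENTTYP(ZC) +
                          OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
                          OUTFILE(QTEMP/ZCENT) ENTDTALEN(*CALC)

/* Merge both entry types into one table with a READ/CHANGE tag.        */
/* USRPRF is the profile in effect for the open; for the ODBC prestart  */
/* jobs that is the real caller, while JOBUSER is always QUSER.         */
             RUNSQL     SQL('CREATE TABLE QTEMP.OBJOPENS AS (+
                          SELECT ZRTSTP AS OPENED, ZRUSPF AS USRPRF, +
                          ZRJOB AS JOBNAME, ZRUSER AS JOBUSER, +
                          ZRNBR AS JOBNBR, ZRPGM AS PGM, +
                          ZROLIB AS OBJLIB, ZRONAM AS OBJNAME, +
                          ''READ'' AS ACCESS FROM QTEMP.ZRENT +
                          UNION ALL +
                          SELECT ZCTSTP, ZCUSPF, ZCJOB, ZCUSER, ZCNBR, +
                          ZCPGM, ZCOLIB, ZCONAM, ''CHANGE'' +
                          FROM QTEMP.ZCENT) WITH DATA') +
                          COMMIT(*NONE) NAMING(*SQL)

/* Report 1: every open of PRODLIB/CREDITCARD, read or change           */
             RUNQRY     QRY(*NONE) QRYFILE((QTEMP/OBJOPENS)) +
                          QRYSLT('OBJLIB *EQ "PRODLIB" *AND +
                                  OBJNAME *EQ "CREDITCARD"') +
                          OUTTYPE(*PRINTER)

/* Report 2: every audited file opened through the ODBC database        */
/* server prestart jobs (QZDASSINIT is the SSL variant)                 */
             RUNQRY     QRY(*NONE) QRYFILE((QTEMP/OBJOPENS)) +
                          QRYSLT('JOBNAME *EQ "QZDASOINIT" *OR +
                                  JOBNAME *EQ "QZDASSINIT"') +
                          OUTTYPE(*PRINTER)
             RETURN

ERROR:       RCVMSG     MSGTYPE(*EXCP) MSGDTA(&MSGDTA) MSGID(&MSGID) +
                          MSGF(&MSGF) SNDMSGFLIB(&MSGFLIB)
             MONMSG     MSGID(CPF0000)
             SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGFLIB/&MSGF) +
                          MSGDTA(&MSGDTA) MSGTYPE(*ESCAPE)
             MONMSG     MSGID(CPF0000)
             ENDPGM
```

Both reports arrive as QPQUPRFIL spooled files in the job's output queue. The second report only lists files that already have OBJAUD set; an ODBC open of an unaudited file leaves no ZR or ZC entry, so to see everything a given ODBC user touches, put the user's profile at OBJAUD(*ALL) with CHGUSRAUD and the files at OBJAUD(*USRPRF).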

Read More . . .

In This Issue


Featured Article - Tracking File Access

Security Shorts - Save Spooled Files

Industry News and Calendar

Security Resources


Our Newsletter Sponsors


Platinum Sponsor

    The 400 School, Inc


Gold Sponsor

    PowerTech

    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1

QAUDJRN Entries By AUDLVL

QAUDJRN Entry Layouts

RedBook - Security Guide IBM i


Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard

COBIT - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification



Live Security Related Webcasts and Training for IBM i

July Events

IFS Security: Don't Leave Your Server Vulnerable
with Robin Tatam

Live Webcast - Presented by Powertech
Wednesday, July 15 10:00am CT
More Information and Register to Attend

Live Hands-On - Query for i WRKQRY Workshop for Technical Staff and End Users
with Dan Riehl

Training Workshop - July 27 - Presented by The 400 School, Inc.
Dan Riehl presents this Full-Day Live Online Hands-on Workshop.
More Information and Register to Attend

August Events

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - August 10-14 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i Concepts with Control Language Programming Workshop
with Dan Riehl

Training Workshop - August 17-21 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries, AS/400 Expanded Security Workshop
with Dan Riehl

Training Workshop - August 31 - September 3 - Presented by SecureMyi and The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

September Events

Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop for IBM i
with Dan Riehl

Training Workshop - September 9-10 - Presented by The 400 School, Inc.
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - Expanded Control Language Programming Workshop
with Dan Riehl

Training Workshop - September 28 - October 2 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

October Events

Live Hands-On - Security and Vulnerability Assessment Workshop for IBM i
with Dan Riehl

Training Workshop - October 13-16 - Presented by SecureMyi and The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Security Shorts

Save All Your Spooled File Reports

By Dan Riehl - SecureMyi.com

Since V5R4 we have had the capability to save the spooled file reports residing in our output queues. Prior to V5R4, when you saved an output queue, or saved a library containing output queues, only the output queue object itself was saved, not its contents (the spooled file reports in the output queue).

Since the V5R4 upgrade, many of us have not updated our backup routines to take advantage of this new support. Instead, when we save a library or an output queue, we still only save the output queue object, but not the spooled files contained in the output queue.

The following command saves all objects in the PRODLIB library, including all the spooled files in all the output queues that reside in the library:

SAVLIB LIB(PRODLIB) DEV(TAP01) SPLFDTA(*ALL)

When you run the SAVLIB (Save Library) or SAVOBJ (Save Object) command, you must specify SPLFDTA(*ALL) in order to save the spooled files in the saved output queues; the default, SPLFDTA(*NONE), saves the output queue object only, exactly as before V5R4. The same parameter exists on SAVCHGOBJ. The parameter SPLFDTA(*ALL) is the key to saving the spooled files.

I encourage you to update your backup routines to begin saving your spooled files. But perhaps you are using the IBM-supplied SAVE menu to perform your backups, and not a home-grown backup program. Or perhaps your vendor-supplied backup software does not give you the option to save your spooled files. If that is the case, then here is a simple solution. Below is the source code for a Control Language program that saves every output queue on your system, along with all of the spooled files in those output queues. This would be a nice program to add to your weekly backup routine. Run it under a profile with *SAVSYS special authority (or explicit authority to every output queue), which the save commands require.

Note: In this program you must replace 'TAP02' with the name of your backup device.



            PGM        /* Save every output queue with its spooled files */
            DCL        VAR(&MSGID) TYPE(*CHAR) LEN(7)
            DCL        VAR(&MSGF) TYPE(*CHAR) LEN(10)
            DCL        VAR(&MSGFLIB) TYPE(*CHAR) LEN(10)
            DCL        VAR(&MSGDTA) TYPE(*CHAR) LEN(100)
            DCLF       FILE(QADSPOBJ)   /* DSPOBJD outfile format, in QSYS */

            MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

/* List every output queue on the system into a work file in QTEMP      */
            DSPOBJD    OBJ(*ALL/*ALL) OBJTYPE(*OUTQ) +
                         OUTPUT(*OUTFILE) OUTFILE(QTEMP/QADSPOBJ)

            OVRDBF     FILE(QADSPOBJ) TOFILE(QTEMP/QADSPOBJ)

/* One SAVOBJ per output queue. SPLFDTA(*ALL) is what saves the spooled */
/* files. ENDOPT(*LEAVE) keeps the tape positioned after each save so   */
/* the next one (SEQNBR(*END)) appends without a rewind and re-read.    */
LOOP:       RCVF
            MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(ENDIT))  /* end of file */

            SAVOBJ     OBJ(&ODOBNM) LIB(&ODLBNM) DEV(TAP02) +
                         OBJTYPE(*OUTQ) SPLFDTA(*ALL) ENDOPT(*LEAVE)

            GOTO       CMDLBL(LOOP)

/* All queues saved: rewind the tape and drop the override              */
ENDIT:      CHKTAP     DEV(TAP02) ENDOPT(*REWIND)
            MONMSG     MSGID(CPF0000)
            DLTOVR     FILE(QADSPOBJ)
            MONMSG     MSGID(CPF0000)
            RETURN

/* Forward the exception that ended the save as this program's escape   */
ERROR:      RCVMSG     MSGTYPE(*EXCP) MSGDTA(&MSGDTA) MSGID(&MSGID) +
                         MSGF(&MSGF) SNDMSGFLIB(&MSGFLIB)
            MONMSG     MSGID(CPF0000) /* Just in case */
            SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGFLIB/&MSGF) MSGDTA(&MSGDTA) +
                         MSGTYPE(*ESCAPE)
            MONMSG     MSGID(CPF0000) /* Just in case */

            ENDPGM

When it comes time to recover a deleted spooled file, or an entire output queue, use the RSTOBJ (Restore Object) command to restore the saved output queue. Specify SPLFDTA(*NEW) on the restore: the default, SPLFDTA(*NONE), restores the output queue object but none of the spooled files saved with it, and *NEW restores only the spooled files that do not already exist on the system, so restoring a queue does not duplicate the reports still sitting in it.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi


IT Security and Compliance Group


In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming




LIVE Training from The 400 School, Inc


Customized IBM i (iSeries, AS/400) Training -
    Presented Live at your offices


LIVE Online Hands-On Workshops

Security and Auditing Workshops
System Operations Workshops
System Administration and Control
ILE RPG IV Programming
ILE COBOL Programming
Control Language Programming
IBM i Concepts and Facilities
Query Workshop





Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories.

Copyright 2015 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017