SecureMyi.com Security Newsletter for the IBM i iSeries and AS/400 - March 14, 2012 - Manage Online Retention of Audit Data

Tweet
March 14, 2012 - Vol 2, Issue 6

	Carsten's Security Code for IBM i Managing the Online Retention of Audit Data Downloadable Source code included! By Carsten Flensburg When you decide to begin auditing security related events on your system to the QAUDJRN journal, or when you start journaling changes to physical files, data areas or data queues, you must also decide how you are going to manage the online retention of the journal's receivers. The journal receivers are the storage areas used for the audit records generated by system auditing or database journaling. If left unchecked, these journal receivers will continue to expand in size and number, and may ultimately consume all of your available disk space. When you want to control how long journal receivers are available online, you will want to "age" the receivers. For example, if you want to keep five days' worth of transactions online, you can either manually delete the old receivers or run the RMVJRNRCV(Remove Journal Receivers) command presented here. The Remove Journal Receivers (RMVJRNRCV) command lets you age the receivers and optionally connect the journal to a new receiver. You can run this command from a command line, or better yet, place the command in your job scheduler to ensure daily or weekly "Aging" of your journal receivers. You can use this command to manage all of your journals, including QAUDJRN and database journals to perform an intelligent deletion of old receivers. *Read More and access the Source Code Download*
In This Issue Carsten's Security Code for IBM i Featured Video - Secret Security Options Security Shorts - Checking Exit Programs Industry News and Calendar Security Resources Security Quick Links SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home and Archives Need Access to an IBM i? Visit RZKH Please Visit Our Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor Software Engineering of America Sponsor Cilasoft Security Solutions Skyview Partners, Inc	IBM i Security and Audit Resources IBM i Security Videos from SecureMyi.com SecureMyi Newsletter Home and Archives IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 QAUDJRN Audit Types By AUDLVL 6.1 QAUDJRN Entry Type Record Layouts 6.1 PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
Featured YouTube Video IBM i Security - Function Usage - The Secret Security Options Cannot Access Youtube from your office? Here is the presentation in wmv format.
IBM i Security Calendar of Events Live Security Related Webcasts for IBM i How do you Control your Powerful Users on the IBM i? Sponsored by SafeStone Wednesday March 14th 11:00 AM Eastern Time More Information and Register to Attend An Auditor's View: Assessing IBM i Security Vulnerabilities Featuring Powertech's Compliance Assessment Software - Sponsored by Powertech Wednesday March 14 1:00 PM Central Time More Information and Register to Attend Security Related Training, Seminars, and Conferences for IBM i March 21-22 - The 27th Annual Spring Technical Conference Wisconsin Midrange Computer Professional Association The conference will be held at Grand Geneva in Lake Geneva, WI. More Information and Register to Attend April 2-4 - The Power of i The 22nd Annual Northeast IBM i User Groups Conference The largest technical conference in New England for IBM i (AS/400, iSeries, Power Systems). Over 75 sessions in five categories, including Security. Location: Framingham, MA More Information and Register to Attend April 10-13 - Live 4-Day Expanded Security Workshop for IBM i Live Online Security Workshop from The 400 School and SecureMyi.com Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i April 10-13. Very limited seating. Register early to reserve your seat in the class. May 6-9 - COMMON User Group - Annual Conference and Expo - Anaheim, CA

Security Shorts Registered Exit Programs What You Don�t Know Can Hurt You ! By Dan Riehl Have you ever used the WRKREGINF command? It is the IBM i command to Work with Registration Information. So, you ask, "What is Registration Information anyway?" Simply put, it is the registered exit points and exit programs that allow IBM, third party vendors and you to do some custom processing when an event occurs on your system. For example, IBM provides a registered exit point for the process of creating a user profile. It allows you to do some custom programming when a user profile is created. You accomplish your custom processing by writing a program, and registering the program using the WRKREGINF command or the ADDEXITPGM(Add Exit Program) command. There are many categories of exit points. Some are for Backup and Recovery, User Profile maintenance, Network Access(Like FTP and ODBC), and many others. Thankfully, the ability to add an exit program to the registry is restricted to a user with Security Officer access. I say thankfully, because it is possible through adding exit programs to override the normal functioning of the system. That�s what the exit points were designed for. Now, please let me take you a step further . . . Several releases ago, IBM provided us with the capability to add exit programs to Control Language commands. These are referred to as Command Exit programs. So, if you wanted to add your own custom logic to a CL command, you could do that through registering your own custom written program to the IBM supplied exit point named QIBM_QCA_CHG_COMMAND. Please, just one more step with me . . . When installing third party vendor supplied packages you are often required to log-on to the system as QSECOFR, or similar powerful user profile. This, in itself, is not a bad thing. But, do you know what the vendor's install process is doing to your system? I was recently at a customer site performing a security assessment and was running a standard audit report from my bag of tricks and discovered a little surprise deposited by a third party vendor�s install process. The vendor had added an exit program for the IBM supplied Control Language command APYPTF(Apply Program Temporary Fix). I was puzzled. Why would a well-respected software vendor want to hook their own logic into the PTF process, especially when the software product itself had absolutely NO relationship to system fixes or PTFs? I questioned the vendor about what this exit program was doing there. The vendor did not provide any kind of reasonable answer, and advised me that it was ok to remove the exit program if I wanted to, it would not affect their application. So why was it there in the first place? Hmmmm . . . You can review all the exit programs on your system by using the WRKREGINF command, and paging through all the screens, or you can print a report using the same command. You will find that the printed report is a bit complex, but look for exit programs, especially Non-IBM supplied exit programs. In an upcoming issue of the newsletter we will provide the source code for a command that will provide a better list of registered exit programs. So What Do I Do Now? I want to suggest something that may increase your comfort level when installing new software. Start the IBM i auditing function for the user doing the install, to include auditing command execution and system changes. When the install is complete, run some auditing reports to determine what happened during the install process. Here�s a command to start auditing a user�s actions before you start the install process. (Note: If you are auditing some of these at the system level(i.e. in the QAUDLVL system value, you do not need to include them at the User level. But you will want to include at least CMD, since that cannot be specified at the system level. It will provide an audit trail of every CL command executed by that user. CHGUSRAUD USRPRF(MYUSER) + AUDLVL(CMD CREATE SYSMGT SERVICE SAVRST SECURITY OBJMGT)		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert Level Security Consulting IT Security and Compliance Group, LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Tool Selection & Configuration Customized Security Programming Live Training from The 400 School System Administration-Mar 12-16 Expanded Security Workshop-Apr 10-13 Control Language Workshop-Apr 16-20 RPG IV Programming-Apr 30-May 4


Send your IBM i Security Related News and Events! Sponsor the SecureMyi.com Security Newsletter © Copyright 2012 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017