March 14, 2012 - Vol 2, Issue 6 Security Workshop


Carsten's Security Code for IBM i

Managing the Online Retention of Audit Data

Downloadable Source code included!

By Carsten Flensburg

When you decide to begin auditing security related events on your system to the QAUDJRN journal, or when you start journaling changes to physical files, data areas or data queues, you must also decide how you are going to manage the online retention of the journal's receivers.

The journal receivers are the storage areas used for the audit records generated by system auditing or database journaling. If left unchecked, these journal receivers will continue to expand in size and number, and may ultimately consume all of your available disk space.

When you want to control how long journal receivers are available online, you will want to "age" the receivers. For example, if you want to keep five days' worth of transactions online, you can either manually delete the old receivers or run the RMVJRNRCV (Remove Journal Receivers) command presented here.

The Remove Journal Receivers (RMVJRNRCV) command lets you age the receivers and optionally connect the journal to a new receiver.

You can run this command from a command line or, better yet, place it in your job scheduler to ensure daily or weekly aging of your journal receivers.

You can use this command to manage all of your journals, including QAUDJRN and database journals, and to perform an intelligent deletion of old receivers.


Featured YouTube Video

IBM i Security - Function Usage - The Secret Security Options


IBM i Security Calendar of Events

Live Security Related Webcasts for IBM i

How do you Control your Powerful Users on the IBM i?
Sponsored by SafeStone
Wednesday March 14th 11:00 AM Eastern Time

An Auditor's View: Assessing IBM i Security Vulnerabilities
Featuring Powertech's Compliance Assessment Software - Sponsored by Powertech
Wednesday March 14 1:00 PM Central Time

Security Related Training, Seminars, and Conferences for IBM i

March 21-22 - The 27th Annual Spring Technical Conference
Wisconsin Midrange Computer Professional Association
The conference will be held at Grand Geneva in Lake Geneva, WI.

April 2-4 - The Power of i
The 22nd Annual Northeast IBM i User Groups Conference

The largest technical conference in New England for IBM i (AS/400, iSeries, Power Systems).
Over 75 sessions in five categories, including Security. Location: Framingham, MA

April 10-13 - Live 4-Day Expanded Security Workshop for IBM i
Live Online Security Workshop from The 400 School and
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i
April 10-13. Very limited seating. Register early to reserve your seat in the class.

May 6-9 - COMMON User Group - Annual Conference and Expo - Anaheim, CA


Security Shorts

Registered Exit Programs

What You Don't Know Can Hurt You!

By Dan Riehl

Have you ever used the WRKREGINF command? It is the IBM i command to Work with Registration Information. So, you ask, "What is Registration Information anyway?" Simply put, it is the registered exit points and exit programs that allow IBM, third party vendors and you to do some custom processing when an event occurs on your system.

For example, IBM provides a registered exit point for the process of creating a user profile. It allows you to do some custom programming when a user profile is created. You accomplish your custom processing by writing a program, and registering the program using the WRKREGINF command or the ADDEXITPGM (Add Exit Program) command.

There are many categories of exit points. Some are for Backup and Recovery, User Profile maintenance, Network Access (like FTP and ODBC), and many others. Thankfully, the ability to add an exit program to the registry is restricted to a user with Security Officer access. I say thankfully, because it is possible through adding exit programs to override the normal functioning of the system. That's what the exit points were designed for.

Now, please let me take you a step further . . .

Several releases ago, IBM provided us with the capability to add exit programs to Control Language commands. These are referred to as Command Exit programs. So, if you wanted to add your own custom logic to a CL command, you could do that through registering your own custom written program to the IBM supplied exit point named QIBM_QCA_CHG_COMMAND.

Please, just one more step with me . . .

When installing third party vendor supplied packages you are often required to log-on to the system as QSECOFR, or similar powerful user profile. This, in itself, is not a bad thing. But, do you know what the vendor's install process is doing to your system?

I was recently at a customer site performing a security assessment and was running a standard audit report from my bag of tricks and discovered a little surprise deposited by a third party vendor's install process. The vendor had added an exit program for the IBM supplied Control Language command APYPTF (Apply Program Temporary Fix). I was puzzled. Why would a well-respected software vendor want to hook their own logic into the PTF process, especially when the software product itself had absolutely NO relationship to system fixes or PTFs?

I questioned the vendor about what this exit program was doing there. The vendor did not provide any kind of reasonable answer, and advised me that it was ok to remove the exit program if I wanted to, it would not affect their application. So why was it there in the first place? Hmmmm . . .

You can review all the exit programs on your system by using the WRKREGINF command, and paging through all the screens, or you can print a report using the same command. You will find that the printed report is a bit complex, but look for exit programs, especially Non-IBM supplied exit programs.

In an upcoming issue of the newsletter we will provide the source code for a command that will provide a better list of registered exit programs.

So What Do I Do Now?

I want to suggest something that may increase your comfort level when installing new software. Start the IBM i auditing function for the user doing the install, to include auditing command execution and system changes. When the install is complete, run some auditing reports to determine what happened during the install process.

Here's a command to start auditing a user's actions before you start the install process.

(Note: If you are auditing some of these at the system level (i.e., in the QAUDLVL system value), you do not need to include them at the user level. But you will want to include at least *CMD, since that cannot be specified at the system level. It will provide an audit trail of every CL command executed by that user.)
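A pre- and post-install sequence along these lines, as an added example that is not the command from the original newsletter. INSTALLUSR is a hypothetical profile name, and the AUDLVL list is one assumed selection covering command execution and system changes.

```cl
/* Added example, not from the newsletter.                            */
/* INSTALLUSR is a hypothetical name for the profile that will run    */
/* the vendor install. Running CHGUSRAUD requires *AUDIT special      */
/* authority.                                                         */

/* 1. Confirm that auditing is active. QAUDCTL must include *AUDLVL   */
/*    for user-level action auditing to write entries to QAUDJRN.     */
/*    QAUDLVL shows what is already audited system-wide.              */
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)

/* 2. Turn on action auditing for the installing profile. *CMD can    */
/*    only be set at the user level; the other values are an assumed  */
/*    selection and can be dropped if QAUDLVL already covers them.    */
CHGUSRAUD USRPRF(INSTALLUSR) +
          AUDLVL(*CMD *CREATE *DELETE *OBJMGT *SECURITY *SYSMGT)

/* 3. Sign on as INSTALLUSR in a NEW job and run the install. The     */
/*    change applies to jobs started after CHGUSRAUD, not to jobs     */
/*    that were already active.                                       */

/* 4. After the install, print every CL command the profile ran       */
/*    (journal code T, entry type CD = command string).               */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) +
       ENTTYP(CD) USRPRF(INSTALLUSR) OUTPUT(*PRINT)

/* 5. Print all other audit entries attributed to the profile.        */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) +
       USRPRF(INSTALLUSR) OUTPUT(*PRINT)

/* 6. Print the programs registered on the command exit point named   */
/*    in the article and compare against a listing taken before the   */
/*    install. Any new non-IBM program is worth a question to the     */
/*    vendor.                                                         */
WRKREGINF EXITPNT(QIBM_QCA_CHG_COMMAND) OUTPUT(*PRINT)

/* 7. Return the profile to its previous auditing values. *NONE       */
/*    assumes no user-level auditing was set before the install;      */
/*    otherwise restore the earlier AUDLVL list.                      */
CHGUSRAUD USRPRF(INSTALLUSR) AUDLVL(*NONE)
```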



© Copyright 2012 -, all rights reserved | St Louis MO 63017