SecureMyi.com Security Newsletter for the IBM i iSeries and AS/400 - May 9, 2012 - Forensic Analysis using QAUDJRN Part 2 - Tracing User Activity

Tweet
May 9, 2012 - Vol 2, Issue 8

	Forensic Analysis using QAUDJRN Part 2 Tracing User Activity By Dan Riehl In this second installment of the series dealing with forensic analysis by using the QAUDJRN journal, the focus is on the forensic analysis of user activity. I discuss how to audit and report on various activities performed by a particular user, and I also show how to audit and report on security-related events caused by all users. As examples, I examine how to audit and report on every time QSECOFR changes a system value, and I also discuss how to audit and report on every occurrence in which any user deletes any object. Auditing Revisited I encourage you to review the previous article in this series (" Forensic Analysis Using QAUDJRN, Part 1: CL Command Usage" from the February 1, 2012 Issue of the SecureMyi Security Newsletter), which discusses the basics of auditing and reporting from the system security audit journal QAUDJRN. In order to begin reporting on security related activities, you must first configure your system to perform the auditing functions you need. The system values QAUDCTL and QAUDLVL must be set for your desired level of auditing, and the QAUDJRN journal must have been created on your system. Every security-related event that occurs on your system is tied to a particular user. In this article, the focus is on reporting on the activities performed by a user. Usually, we want to report on the activities of our powerful users such as QSECOFR and system administrator users. Powerful IT users and other users with command-line access have the freedom to navigate the system outside of the constraints of a menu system that would otherwise confine their activities to those allowed by their menu options. Having said that, let me also say that you can audit and report on the activities of any user, regardless of the user's power or ability to navigate the system. When you want to be able to audit and report on the activities of a particular user, you must first decide which events you're interested in collecting. If you don't care whether someone moves a spooled file report from one output queue to another, or if you don't care when a program adopts authority, it affects your choices when configuring auditing. If you want to be able to track each time a new library is created on the system or every time a file is deleted, it likewise affects your auditing configuration. The events that can be audited are described by a combination of the allowable values for the system values QAUDLVL and QAUDLVL2, and the allowable values for the AUDLVL attribute of each user profile. *Read More*
In This Issue Feature Article - Forensic Analysis with QAUDJRN - Tracing User Activity Featured Video- Misconceptions on User Ownership & Authority Security Shorts- Alternate QAUDJRN Extraction Method Industry News and Calendar Security Resources Security Quick Links SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Need Access to an IBM i? Visit RZKH Please Visit Our Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor Skyview Partners, Inc Sponsor FastPass Corp Cilasoft Security Solutions Software Engineering of America	IBM i Security and Audit Resources IBM i Security Videos from SecureMyi.com SecureMyi Newsletter Home and Archives IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 QAUDJRN Audit Types By AUDLVL 6.1 QAUDJRN Entry Type Record Layout 6.1 RedBook - Security Guide for IBM i 6.1 PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
Featured YouTube Educational Video IBM i Security Misconceptions on Ownership and Authority to User Profiles
IBM i Security News Bytes Cilasoft Introduces "Elevated Authority Manager" For IBM i Elevated Authority Manager(EAM) is a software solution that allows IT managers to temporarily give specific authorities to selected users. To further manage the process, the included reporting and alerting features of EAM lets IT managers know the precise actions performed by users during the period they have been granted any special authority. Download the EAM Brochure in pdf format Raz-Lee Launches into the Database Universe with Revolutionary "DB-Gate" Raz-Lee Security has releases a unique database access product, DB-Gate, which enables IBM i (AS/400) users to connect to virtually any type of remote database or data source without any middleware (software or hardware). This patent-pending technology utilizes standard SQL statements and works from all native SQL commands and programming languages. View the Press Release for More Information on DB-Gate Arpeggio Software releases new Version of SIFT-IT Free Edition SIFT-IT is a QAUDJRN monitoring and alerting tool for the IBM i (AS/400). More Information, and Download SIFT-IT Free New Book - Now Shipping - IBM i Security Administration and Compliance By Carol Woodbury The Book is Now Shipping - You can Order your copy at the MCPress Online Bookstore More Information and order from MCPress Online. Free - New White Paper "How Much Security is Enough?" Skyview Partners released the newest of its IBM i Security-Based White Papers by Carol Woodbury Download the Free White Paper IBM i Security Calendar of Events Live Security Related Webcasts and Training for IBM i Webinar - Implementing Security Best Practices for the IBM i Featuring Carol Woodbury - Sponsored by Skyview Partners Thursday May 17 1:00 PM EDT More Information and Register to Attend Webinar - The 2012 State of IBM i Security Study Sponsored by PowerTech Wednesday May 30 1:00 PM CDT PowerTech releases the findings of its yearly IBM i Security Study in this live presentation. It is Always "Eye Opening" and thought provoking for us Security folks. More Information and Register to Attend Live 4-Day Hands-On Expanded Security Workshop for IBM i August 21-24 9:00am - 4:00pm Central Time Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i. More Information and Register to Attend Security Related Seminars and Conferences for IBM i May 6-9 - - COMMON User Group - Annual Conference and Expo - Anaheim, CA June 9-12 - - COMMON Europe Congress of 2012 Common Europe is Celebrating their 50Th Anniversary Conference, held in Vienna, Austria

Security Shorts Alternative to Extracting and Formatting QAUDJRN By Dan Riehl In the above Feature Article "Forensic Analysis using QAUDJRN Part 2". I explain how you can extract information from the system QAUDJRN audit journal to provide a formatted output file containing events, such as when a System Value is changed. In that article, I show a method that uses a combination of two commands, Create Duplicate Object (CRTDUPOBJ) and Display Journal (DSPJRN). The information extracted is all the events in which a System Value was changed. The CRTDUPOBJ command is used to create a usable copy of the IBM-supplied model file for the SV Type of Journal Entries. Once the usable copy of the IBM model file is created with CRTDUPOBJ, the command DSPJRN is used to extract the SV journal entries from QAUDJRN and place them into our copy of the IBM model output file, thereby letting us use simple query tools or download to Excel to evaluate the System Value Change events. There IS Another, and Possibly Better, Way While this is one way to extract the data and place it into a usable format, IBM has also provided an alternative method, which you might choose over the two-step method I use in the Feature Article. In release V5R4, IBM introduced the CL command Copy Audit Journal Entries (CPYAUDJRNE). The command, in effect, replaces the older Display Audit Journal Entries (DSPAUDJRNE) command, which only let you print a list of the QAUDJRN journal entries; and the printed list is often missing key data elements from the journal entry. CPYAUDJRNE helps you extract data from the system audit journal (QAUDJRN) and place that data into an entry-specific output file. It would be nice if the new command had the same filtering capability as the more capable DSPJRN command. It lets you filter only by journal entry type, user, journal receivers or from-date/time to-date/time. The DSPJRN command allows additional selection criteria over CPYAUDJRNE, such as Program name and Job that caused the System Value change. However, if you do not need that extra filtering, I recommend using CPYAUDJRNE over DSPJRN. The output file(s) created by the CPYAUDJRNE command is journal-entry�type specific, so you end up with the same result as explained in my Feature article that uses the two-step approach. Here's an example of using CPYAUDJRNE to extract the SV (System Value Change) entries for the date and time period specified in the command. CPYAUDJRNE ENTTYP(SV) OUTFILE(MYAUDIT/A0512) JRNRCV(CURCHAIN) FROMTIME('05/19/2012' '04:00:00') TOTIME('05/20/2012' '04:00:00') This command creates an output file named A0512SV, which contains the SV entries for the time period. You can then use IBM's Query or another query tool to present the data the way you want it. For example, to list all the System Value Changes for that time period, you could use the command: RUNQRY QRYFILE((SECURITY/A0%12SV))* You can review The 6.1 CPYAUDJRNE command documentation here.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert Level Security Consulting IT Security and Compliance Group, LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Tool Selection & Configuration Customized Security Programming Live Training from The 400 School IBM i System Administration Jun 25-29 IBM i System Operations Jul 16-19 IBM i Security Workshop Aug 21-24


Send your IBM i Security Related News and Events! Sponsor the SecureMyi.com Security Newsletter © Copyright 2012 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017