Gateway 2012 IBM i audit capabilities · IBM i Audit Capabilities Jeffrey Uehling IBM i security...
-
Upload
duongquynh -
Category
Documents
-
view
220 -
download
5
Transcript of Gateway 2012 IBM i audit capabilities · IBM i Audit Capabilities Jeffrey Uehling IBM i security...
© Copyright IBM Corporation 2012
IBM i Audit Capabilities
Jeffrey Uehling
IBM i security development
2 © Copyright IBM Corporation 2012
Content and Contributions
Some content in this presentation was contributed by:
Carol Woodbury, President and Co-FounderSkyView Partners, [email protected]
Dan RiehlIT Security and Compliance Group, [email protected]
3 © Copyright IBM Corporation 2012
Agenda
� Security basics
� Configuring i5/OS auditing
� Recommended settings
� Getting information out of the journal
� Practical applications
� Scenarios for protection
4 © Copyright IBM Corporation 2012
Three Parts of Security
� Confidentiality
- Keeping people from seeing things they shouldn’t
� Integrity
- Keeping people from changing things they shouldn’t
� Accountability
- Gathering and evaluating activity that occurred on the system
5 © Copyright IBM Corporation 2012
The Security PROCESS
� Repeat
- Repeat
� Repeat
- Repeat
� Repeat
1. Assess Vulnerabilities
2. Plan Countermeasures
3. Deploy Countermeasures
4. Repeat
6 © Copyright IBM Corporation 2012
Security Plan Foundation Questions
� What and where is the important data on the system?
� Who is using the system, what data are they accessing, and
for what purpose?
� Which access methods are available for which data?
� Which services or applications invoke other services?
� Which services or applications must operate with more than
user authority (e.g. adopt/swap)?
� What mechanisms can be used to transfer data from the
system?
7 © Copyright IBM Corporation 2012
Why Use Auditing
� Evaluate the completeness of a security plan
� Ensure security controls are working
� Ensure security plan is still valid
� Gather data for future system changes
8 © Copyright IBM Corporation 2012
To Make Auditing Meaningful …
� Physical Security
� Strong passwords
- QPWD* system values
- QMAXSIGN, QMAXSIGNACN
� No shared accounts
� *PUBLIC *EXCLUDE on all profiles
� Object level authorization control
- Minimal users with *ALLOBJ
- Secure sensitive objects (data)
- Prevent access to service tools (SST, DST, DMPxxx, TRCxxx, etc)
9 © Copyright IBM Corporation 2012
Features of Security Audit Journal
IBM i
Audit Journal, QAUDJRN *JRN
Current Receiver Previous Receiver Previous Receiver
Journal Receiver Chain, *JRNRCV
10 © Copyright IBM Corporation 2012
Types of Auditing
� System wide
- Object create and delete
- Security/System functions
- Login failures
- Job auditing
� Object specific auditing
- Object read and write
� User specific auditing
- Security/System functions performed by the audited user
- Command auditing
- Object read and write
11 © Copyright IBM Corporation 2012
Auditing Plan
� What are we trying to detect?
- Which system events?
- What/which objects?
- By which users?
� How often must we evaluate this action?
� What should be done when it is detected?
� What events do NOT need to be audited
- Signal to noise ratio
� How long should audit data be retained?
13 © Copyright IBM Corporation 2012
i5/OS audit journal implementation overview
System ValueQAUDCTL
*AUDLVL*NOQTEMP*OBJAUD
System ValueQAUDLVL
QAUDLVL2
*SECCFG*AUTFAIL*DELETE…
i5/OS Object 1
OBJAUD(*NONE)
Audit Journal
Journal ReceiverJRNLIB/AUDRCV
1
3
4
i5/OS Object 2
OBJAUD(*ALL)
5
Audit Journal
Journal QSYS/QAUDJRN
2
i5/OS Object 3
OBJAUD(*USRPRF)
i5/OS User Profile
OBJAUD(*CHANGE)AUDLVL(*CMD
*CREATE)
5
6
AnalyzeAudit Journal
DSPJRNCPYAUDJRNE
*1 = V5R4
Initial setup steps
IBM and XYZ Company Confidential – Security Health Check
15 © Copyright IBM Corporation 2012
Is Audit running on your system?
� Display Security Auditing – DSPSECAUD
16 © Copyright IBM Corporation 2012
Configuring auditing for the first time
� Change Security Auditing – CHGSECAUD
Change Security Auditing – CHGSECAUD
1. Creates QSYS/QAUDJRN journal
2. Creates and attaches the journal receiver3. Changes QAUDCTL and QAUDLVL system values
17 © Copyright IBM Corporation 2012
Configuring Auditing - QAUDCTL (on/off switch)
QAUDCTL (On/Off switch)
*NONE – auditing is Off
*OBJAUD – reads or updates to
individual objects will be audited if auditing has been turned on for the
object by running CHGOBJAUD
*AUDLVL – audits system-wide actions specified in QAUDLVL and
individual actions when
CHGUSRAUD has been run
*NOQTEMP – eliminates audit entries for objects created in and
deleted from QTEMP
18 © Copyright IBM Corporation 2012
QAUDLVL and QAUDLVL2, system-wide action auditing
To determine what these values do, hit Help or look in
IBM i Security Reference, Chapter 9
Caution: Carefully consider what auditing is enabled.
Some categories generate significant amounts of audit
entries
Audit settings that apply to every user & job
19 © Copyright IBM Corporation 2012
Auditing System Values – iSeries Navigator
(QAUDCTL - *AUDLVL)
(QAUDCTL - *OBJAUD)
(QAUDCTL - *NOQTEMP)
(QAUDLVL)
20 © Copyright IBM Corporation 2012
Auditing System Values – iSeries Navigator
(QAUDENDACN - *NOTIFY)
(QAUDFRCLVL)
23 © Copyright IBM Corporation 2012
Auditing Sensitive Objects – All users
� QAUDCTL system value must include the value *OBJAUD
� Specify auditing of objects with the CHGOBJAUD, CHGDLOAUD, CHGAUD commands
� Entries are written to the system auditing journal QAUDJRN
� No auditing is done for this object under any circumstances
� Read and update operations to the object are audited.
� Update operations to the object are audited
CHGOBJAUD OBJ(libname/objname) OBJTYPE(objtype) OBJAUD(*ALL)
CHGOBJAUD OBJ(libname/objname) OBJTYPE(objtype) OBJAUD(*CHANGE)
CHGOBJAUD OBJ(libname/objname) OBJTYPE(objtype) OBJAUD(*NONE)
24 © Copyright IBM Corporation 2012
CHGAUD
To turn on object auditing for an object in the IFS, run
CHGAUD, specifying the pathname of the object.
25 © Copyright IBM Corporation 2012
Display of audit settings – QSYS objects
AuditValue
DSPOBJD OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) DETAIL(*FULL)
27 © Copyright IBM Corporation 2012
� Security Audit provides who accesses what object
� A combination of security audit and “data object” journaling provides the complete audit trail
� Turn on journaling for *FILE and IFS *STMF sensitive objects to
get the complete audit of modification of data
� CRTJRNRCV JRNRCV(MYLIB/MYRCV0001)
� CRTJRN JRN(MYLIB/MYJRN) JRNRCV(MYLIB/MYRCV0001)
� STRJRNPF FILE(MYLIB/MYFILE) JRN(MYLIB/MYJRN) IMAGES(*BOTH)
� QSYS/STRJRN OBJ(('/mydir/dir1/stmf1' *INCLUDE))
JRN('/qsys.lib/mylib.lib/myjrn.jrn')
Auditing continued – Data Objects
28 © Copyright IBM Corporation 2012
Auditing Sensitive Objects – Specific users
� Object Auditing based upon the user level audit setting
� Audit only if the user accessing the object has a value of *ALL or *CHANGE specified on their user
profile’s OBJAUD value.
CHGUSRAUD USRPRF(DAN) OBJAUD(*CHANGE)
CHGOBJAUD OBJ(libname/objname) OBJTYPE(objtype) OBJAUD(*USRPRF)
29 © Copyright IBM Corporation 2012
Auditing Users – Object and action audit
� Individual user profiles can be audited- Powerful profiles QSECOFR, ZSECOFR, MYADMIN- Troublesome users- Problems have occurred
� QAUDCTL system value must include the value *OBJAUD or *AUDLVL
� CHGUSRAUD command starts/stops auditing a User� Entries are written to the auditing journal QAUDJRN
� User’s AUDLVL can contain *CMD to record all commands run by the user
CHGUSRAUD USRPRF(QSECOFR) OBJAUD(*CHANGE) AUDLVL(*CREATE *CMD)
Complement of
QAUDLVL sysval
*NONE, *ALL,
*CHANGE
30 © Copyright IBM Corporation 2012
User action auditing – Security event audit
Note: To enable user auditing, must specify QAUDCTL(*AUDLVL)
31 © Copyright IBM Corporation 2012
User action auditing – Display of User setting
Objectand
User
audit
setting
DSPUSRPRF USRPRF(QSECOFR)
33 © Copyright IBM Corporation 2012
Object Auditing – QAUDCTL(*OBJAUD)
Only updates are audited
Audits when profile accessing object has its object auditing value set to either *CHANGE or *ALL
QCRTOBJAUD system value sets the object auditing value for newly created objects. Default = *NONE
DSPLIBD - Create object auditing value. Default = *SYSVAL
See Security Reference, Appendix E to see what operations cause an audit entry
Both reads and updates are
audited
34 © Copyright IBM Corporation 2012
Using CHGOBJAUD OBJ(PATIENTFIL) OBJAUD(*NONE)
PATIENT FILE
OBJAUD(*NONE)
OPEN READ
OPEN UPDATE
OPEN UPDATE
OPEN READ
35 © Copyright IBM Corporation 2012
Using CHGOBJAUD OBJ(PATIENTFIL) OBJAUD(*ALL)
PATIENT FILE
OBJAUD(*ALL)
OPEN READ
OPEN UPDATE
OPEN UPDATE
OPEN READ
36 © Copyright IBM Corporation 2012
Using CHGOBJAUD OBJ(PATIENTFIL) OBJAUD(*CHANGE)
PATIENT FILE
OBJAUD(*CHANGE)
OPEN READ
OPEN UPDATE
OPEN UPDATE
OPEN READ
OBJAUD(*USRPRF) we’ll see
37 © Copyright IBM Corporation 2012
Using CHGOBJAUD OBJ(PATIENTFIL) OBJAUD(*USRPRF)
The User Profile’s OBJAUD value is ONLY evaluated
if the Object’s OBJAUD value is set to *USRPRF
PATIENT FILE
OBJAUD(*USRPRF)
OPEN READ
OPEN UPDATE
OPEN READ
OPEN UPDATE
OBJAUD(*ALL)
OBJAUD(*ALL)
OBJAUD(*CHANGE) OBJAUD(*NONE)
38 © Copyright IBM Corporation 2012
Recommended Audit Settings
� QAUDCTL
- *OBJAUD
- *AUDLVL
- *NOQTEMP
� QAUDLVL
- *AUTFAIL
- *SECURITY
- *CREATE
- *DELETE
- *SAVRST
- *SERVICE
- *PGMFAIL
Note: May need additional values if running HA software
Note: Each customer must evaluate the appropriate settings for their company
39 © Copyright IBM Corporation 2012
Subsetted Auditing Values
� QAUDLVL- *SECURITY is subsetted into
� *SECCFG – user profile, system value changes, network attributes, etc� *SECDIRSRV – directory services� *SECIPC – interprocess communications� *SECNAS – network authentication ticket verification (Kerberos)� *SECRUN – runtime changes of object ownership, authorization list, etc� *SECSCKD – secure socket descriptors� *SECVFY – verification of profile handles and tokens� *SECVLDL - usage of validation list entries
- *NETCMN is subsetted into� *NETBAS - basic network events – SSL connections, APPN “firewall”
activities� *NETCLU – cluster resource groups� *NETFAIL – security-related network failures – e.g., secure socket port
not available� *NETSCK - mail filtered, mail rejected, give and take socket
descriptors- *AUDLVL2 (must be specified or QAUDLVL2 is ignored)
� QAUDLVL2 (overflow for QAUDLVL)
40 © Copyright IBM Corporation 2012
New Auditing Values in 6.1
6.1
� QAUDLVL
- *JOBDTA is subsetted into
� *JOBBAS – starting, stopping, holding, releasing, canceling or changing a job
� *JOBCHGUSR – changes to a thread’s user or group profiles
� Subsetted values added to the CHGUSRAUD command
- Only available at the system value level prior to 6.1
� *ATNEVT – more events monitored, easier configuration
- Search for “ATNEVT” in IBM Information Center for steps to configure
42 © Copyright IBM Corporation 2012
Display Journal command (DSPJRN)
DSPJRN JRN(QAUDJRN) FROMTIME('03/24/07') JRNCDE((T)) ENTTYP(AF)
43 © Copyright IBM Corporation 2012
Display Audit Journal Entries (DSPAUDJRNE)
DSPAUDJRNE is an old interface that IBM no longer updates. IBM Partner
products are available to harvest audit journal data.
44 © Copyright IBM Corporation 2012
Output from DSPAUDJRNE
Indicates an IFS object named with a pathname
45 © Copyright IBM Corporation 2012
Audit entries
� *N in the Object Name field of an audit entry indicates the
object is a pathname
� Pathname is a 5002 character field at the end of the audit
journal entry
� Must use DSPJRN (Display Journal) command to display –
easiest to send to an outfile and run a query
- See Security Reference manual, Appendix F for outfile layout
46 © Copyright IBM Corporation 2012
DSPJRN to an outfile
� i/OS has a model outfile in QSYS for each audit journal entry type- QASYxxJy where
� xx = the two-letter audit journal entry type
� y = the file format
� CRTDUPOBJ OBJ(QASYAFJ5) FROMLIB(QSYS) OBJTYPE(*FILE) + TOLIB(QTEMP)
� DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) + FROMTIME('08/18/2004' '08:00:00') JRNCDE((T)) ENTTYP(AF) + OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) + OUTFILE(QTEMP/QASYAFJ5)
� New command – CPYAUDJRNE (V5R4)- Performs CRTDUPOBJ QSYS/QASYxxJ5 model outfile and subsequent
DSPJRN to outfile in one, simplified step
47 © Copyright IBM Corporation 2012
Copy Audit Journal Entries (CPYAUDJRNE)
New command – CPYAUDJRNE (V5R4)
- Performs CRTDUPOBJ QSYS/QASYxxJ5 model outfile and subsequent
DSPJRN to outfile in one, simplified step
48 © Copyright IBM Corporation 2012
View Audit Journal Data in an OUTFILE
Quick View of the Audit Data
• RUNQRY QRY(*NONE) QRYFILE(QTEMP/QAUDITCO)
Detailed Analysis of the Audit Data
• SQL or STRQRY
50 © Copyright IBM Corporation 2012
Defining a query – STRQRY Command
Once the outfile has been generated, define a query to get the information you want, e.g., Path name
52 © Copyright IBM Corporation 2012
Display Journal command (DSPJRN)
DSPJRN JRN(QAUDJRN) FROMTIME('03/24/08') JRNCDE((T)) ENTTYP(AF)
F10
53 © Copyright IBM Corporation 2012
DSPJRN – more details
Results of taking F10=Display only entry details
55 © Copyright IBM Corporation 2012
� Numerous IBM i partners provide additional tools
- Reporting & Monitoring
- Security Configuration
- Encryption
- Network Security
- Authentication/Biometrics
- IBM i Security website, a link to business partners:� http://www-03.ibm.com/systems/power/software/i/security/partner_showcase.html
IBM Business Partners – Products to “mine” audit journal data
56 © Copyright IBM Corporation 2012
Chapter 9 – iSeries Security Reference
Look for the auditing value, then for the 2-letter Journal Entry Types
to see what information is available
57 © Copyright IBM Corporation 2012
Layout of AF – QASYAFJ5 - outfile
Appendix F, iSeries Security Reference
59 © Copyright IBM Corporation 2012
Audit Journal Recommendations
� Activate Audit on the Server- Activate both user level audit and system wide audit features
� Monitor the audit journal for suspicious activity.
- Business Partner products available to monitor the journal
�Archive the audit data so it is available for use at a later date if necessary!
60 © Copyright IBM Corporation 2012
Suggested Super User Auditing
� Focus on misconduct and proving misconduct
� Focus on real people and all their profiles
� Use CHGUSRAUD to set at least
- *SAVRST
- *SECURITY
- *OBJMGT
- *SERVICE
- *SYSMGT
61 © Copyright IBM Corporation 2012
Debugging using the audit journal
� Turn on *PGMADP using CHGUSRAUD, then look for PA – A or PA - J entries to find “inappropriate” uses of adopted authority
� Use the DO entries to determine how an object was deleted
� Use the CO entries to determine if objects are being created into a directory (so it can be secured)
� Use AF entries to determine whether an “authority failure” really is an authority failure - Especially useful when reworking the security scheme of an entire
application and the security changes are blamed for EVERY failure!
� Object update (ZC) and object read (ZR) entries can help you determine what processes are accessing files you are about to secure
� Before making changes, look at the current entries to see what is “normal”
62 © Copyright IBM Corporation 2012
Managing Journal Receivers
� Use the CRTJRN QSYS/QAUDJRN MNGRCV(*SYSTEM) parameter
when creating the security audit journal
� Saving and deleting a receiver in order to preserve audit data
- CHGJRN QSYS/QAUDJRN JRNRCV(*GEN)
- SAVOBJ
- DLTJRNRCV
63 © Copyright IBM Corporation 2012
For More Information
� iSeries Security Reference, SC41-5302
- For a PDF, go to
http://publib.boulder.ibm.com/infocenter/iseries/v7r1m0/index.jsp
� Chapter 9 – auditing
� Appendix F – auditing model outfiles
� Appendix G – by object type, what actions cause a ZR or ZC audit
journal entry
� Experts’ Guide to OS/400 and i5/OS Security by Carol
Woodbury and Patrick Botz, ISBN 1-58304-096-X, 29th
Street Press 2004.
64 © Copyright IBM Corporation 2012
This document was developed for IBM offerings in the United States as of the date of publication. IBM may not make these offerings available in
other countries, and the information is subject to change without notice. Consult your local IBM business contact for information on the IBM
offerings available in your area.
Information in this document concerning non-IBM products was obtained from the suppliers of these products or other public sources. Questions
on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give
you any license to these patents. Send license inquires, in writing, to IBM Director of Licensing, IBM Corporation, New Castle Drive, Armonk, NY
10504-1785 USA.
All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives
only.
The information contained in this document has not been submitted to any formal IBM test and is provided "AS IS" with no warranties or
guarantees either expressed or implied.
All examples cited or described in this document are presented as illustrations of the manner in which some IBM products can be used and the
results that may be achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations
and conditions.
IBM Global Financing offerings are provided through IBM Credit Corporation in the United States and other IBM subsidiaries and divisions
worldwide to qualified commercial and government clients. Rates are based on a client's credit rating, financing terms, offering type, equipment
type and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal
without notice.
IBM is not responsible for printing errors in this document that result in pricing or information inaccuracies.
All prices shown are IBM's United States suggested list prices and are subject to change without notice; reseller prices may vary.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
Any performance data contained in this document was determined in a controlled environment. Actual results may vary significantly and are
dependent on many factors including system hardware configuration and software design and configuration. Some measurements quoted in this
document may have been made on development-level systems. There is no guarantee these measurements will be the same on generally-
available systems. Some measurements quoted in this document may have been estimated through extrapolation. Users of this document
should verify the applicable data for their specific environment.
Revised September 26, 2006
Special notices
65 © Copyright IBM Corporation 2012
IBM, the IBM logo, ibm.com AIX, AIX (logo), AIX 5L, AIX 6 (logo), AS/400, BladeCenter, Blue Gene, ClusterProven, DB2, ESCON, i5/OS, i5/OS (logo), IBM Business Partner (logo), IntelliStation, LoadLeveler, Lotus, Lotus Notes, Notes, Operating System/400, OS/400, PartnerLink, PartnerWorld, PowerPC, pSeries, Rational, RISC System/6000, RS/6000, THINK, Tivoli, Tivoli (logo), Tivoli Management Environment, WebSphere, xSeries, z/OS, zSeries, Active Memory, Balanced Warehouse, CacheFlow, Cool Blue, IBM Systems Director VMControl, pureScale, TurboCore, Chiphopper, Cloudscape, DB2 Universal Database, DS4000, DS6000, DS8000, EnergyScale, Enterprise Workload Manager, General Parallel File System, , GPFS, HACMP, HACMP/6000, HASM, IBM Systems Director Active Energy Manager,
iSeries, Micro-Partitioning, POWER, PowerExecutive, PowerVM, PowerVM (logo), PowerHA, Power Architecture, Power Everywhere, Power Family, POWER Hypervisor,
Power Systems, Power Systems (logo), Power Systems Software, Power Systems Software (logo), POWER2, POWER3, POWER4, POWER4+, POWER5, POWER5+, POWER6, POWER6+, POWER7, System i, System p, System p5, System Storage, System z, TME 10, Workload Partitions Manager and X-Architecture are trademarks
or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries.
A full list of U.S. trademarks owned by IBM may be found at: http://www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
AltiVec is a trademark of Freescale Semiconductor, Inc.
AMD Opteron is a trademark of Advanced Micro Devices, Inc.
InfiniBand, InfiniBand Trade Association and the InfiniBand design marks are trademarks and/or service marks of the InfiniBand Trade Association.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries or both.
Microsoft, Windows and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries or both.
NetBench is a registered trademark of Ziff Davis Media in the United States, other countries or both.
SPECint, SPECfp, SPECjbb, SPECweb, SPECjAppServer, SPEC OMP, SPECviewperf, SPECapc, SPEChpc, SPECjvm, SPECmail, SPECimap and SPECsfs are trademarks of the Standard Performance Evaluation Corp (SPEC).
The Power Architecture and Power.org wordmarks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org.
TPC-C and TPC-H are trademarks of the Transaction Performance Processing Council (TPPC).
UNIX is a registered trademark of The Open Group in the United States, other countries or both.
Other company, product and service names may be trademarks or service marks of others.
Revised December 2, 2010
Special notices (cont.)