readtech.com - Article: Auditing Questions
read technologies, inc.

Article:

Auditing Questions

SkyView Partners Security News

by Carol Woodbury
15 MAY 2008


We seem to be getting a lot of questions about i5/OS auditing functions in recent months. I'm guessing it's because there are several laws and regulations that either require or strongly suggest that certain activity and file accesses be "logged". Logging in the i5/OS and "i" world is known as "auditing." So I thought that I'd answer some of the questions we're receiving in this month's newsletter.

Many operating systems keep log information in a simple file. While access to that file may be controlled, entries can generally be modified or deleted; that is why regulations such as the Payment Card Industry Data Security Standard (PCI DSS) require that logs be protected from modification. This extra step is not necessary with i5/OS.


Where is the log (or audit) information kept?
i5/OS auditing is implemented via journals. The journal itself is not where the data is kept. Rather, the actual audit journal entries are kept in an object called a journal receiver. The reason the IBM developers chose to implement i5/OS auditing using a journal and journal receiver is that you cannot modify or remove entries from a journal receiver. Thus, you can be assured of the integrity of the audit journal data.

To manage the information in the log (that is, the QAUDJRN journal), you manage the journal receivers. You cannot clear a journal receiver. Rather, you save them and then delete them from the system. Even if you could clear a journal receiver (which you can't), you wouldn't want to. Why? Because you want to be able to retrieve the data should you require it for forensic or investigative purposes. You may need to modify your back-up strategy to ensure you are saving all journal receivers associated with QAUDJRN, and are doing so in a way that allows you to easily retrieve them from your long-term storage if the requirement arises.

Enabling Auditing
You turn on auditing by specifying either *OBJAUD or *AUDLVL in the QAUDCTL system value. This system value is the "On/Off" switch for auditing. If this value is *NONE, auditing is not active.

To turn on action auditing, such as the logging of authority failures, invalid sign-on attempts, deletion of objects, etc., modify the QAUDLVL system value. Some actions produce more audit journal entries than others. To determine the types of actions that cause an audit journal entry to be written, check out Chapter 9 of the Security Reference manual (available from the IBM Information Center).

Getting information out of the i5/OS Audit Journal
Several methods exist for retrieving information out of the audit journal.

  • Run the DSPAUDJRNE command. The default is to look for the AF (authority failure) entries. The result is just a subset of the information from the AF audit journal entries. However, there is often enough information to determine what has caused a particular entry to be generated.
  • If you want more of the information that's in the audit journal entry, or if you see *N as the object name (indicating that the object is in the IFS), then you must dump the audit journal entries to an outfile and query the results.

To do that, create a duplicate of the model outfile for the audit journal entry type:

CRTDUPOBJ OBJ(QASYxxJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)

where xx is the two-character entry type you're looking for; in your case of an authority failure, it would be "AF".

Then display the audit journal entries of that type to the outfile:

DSPJRN JRN(QAUDJRN) FROMTIME('09/25/06') JRNCDE((T)) ENTTYP(xx) +
OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYxxJ5)

Now you can display the file or run a query or SQL statement to see all fields in the audit journal entries. V5R4 provides a command, CPYAUDJRNE, which combines the CRTDUPOBJ and DSPJRN steps into one command. The audit journal model outfiles are described in Appendix F of the iSeries Security Reference manual, available from the IBM Information Center.
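As an added example (not from the original article), here is the kind of SQL a practitioner runs once the AF entries have been dumped to QTEMP/QASYAFJ5 as shown above: it counts authority failures by user, violation type and object, so a single misbehaving job or a profile failing against many different objects stands out. The column names (AFTSTP, AFUSPF, AFVIOL, AFONAM, AFOLIB, AFOTYP) and the violation-type meanings are from my reading of the AF model outfile layout in Appendix F and are assumptions to verify against the Security Reference for your release.

```sql
-- Added example: summarize AF (authority failure) entries already dumped with
-- DSPJRN ... OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYAFJ5).
-- Column names follow the QASYAFJ5 model outfile as I recall it (assumption);
-- verify against Appendix F of the Security Reference before relying on them.
-- System naming (QTEMP/QASYAFJ5) is used; with SQL naming write QTEMP.QASYAFJ5.

-- 1. Who is failing, against what, and how: one row per user/object/violation.
SELECT AFUSPF            AS user_profile,
       AFVIOL            AS viol_type,
       CASE AFVIOL
         WHEN 'A' THEN 'Not authorized to object'
         WHEN 'B' THEN 'Restricted instruction'
         WHEN 'C' THEN 'Validation failure'
         WHEN 'D' THEN 'Unsupported interface (domain)'
         WHEN 'K' THEN 'Special authority violation'
         WHEN 'S' THEN 'Default sign-on attempt'
         WHEN 'T' THEN 'Not authorized to TCP/IP port'
         ELSE 'See Security Reference AF entry'
       END               AS viol_text,
       AFOLIB            AS obj_lib,
       AFONAM            AS obj_name,      -- *N here means an IFS object
       AFOTYP            AS obj_type,
       COUNT(*)          AS failures,
       MIN(AFTSTP)       AS first_seen,
       MAX(AFTSTP)       AS last_seen
  FROM QTEMP/QASYAFJ5
 GROUP BY AFUSPF, AFVIOL, AFOLIB, AFONAM, AFOTYP
 ORDER BY failures DESC;

-- 2. Breadth check: a profile failing against many distinct objects in the
--    window deserves a closer look, whereas one object repeated over and over
--    is usually a misconfigured job or a missing authority.
SELECT AFUSPF            AS user_profile,
       COUNT(DISTINCT AFOLIB CONCAT '/' CONCAT AFONAM) AS distinct_objects,
       COUNT(*)          AS failures
  FROM QTEMP/QASYAFJ5
 GROUP BY AFUSPF
HAVING COUNT(DISTINCT AFOLIB CONCAT '/' CONCAT AFONAM) > 10
 ORDER BY distinct_objects DESC;
```

Run the same two queries against each saved receiver range when you restore old receivers for an investigation; the outfile layout is the same regardless of when the entries were written.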

Carol's Tech Tip

How SkyView Policy Minder can Help
SkyView Policy Minder is an i5/OS & OS/400 security compliance tool that provides a mechanism for comparing your systems' current settings against the requirements of your established (or desired) security policy. Policy Minder is about "enforcing" your security policy. Policy Minder is designed to automate the process of keeping your i5/OS and OS/400 security configuration in compliance with your existing security policy.

If you have initialized the system value category, then Policy Minder brought in the current auditing system values settings and established those as your policy. Now, if any of those values change, a Policy Minder compliance check of the System value category will identify the changes. Finally, you can run Fixit to fix the issue.

How SkyView Risk Assessor can Help
SkyView Risk Assessor is an i5/OS & OS/400 security diagnostic tool that performs an automated risk analysis. Risk Assessor is about "judging" your security configuration against best practices. Risk Assessor provides comprehensive, easy-to-understand, easy-to-produce and unbiased reports that fulfill the need for regular vulnerability assessments, as specified in nearly every security regulation, specification or standard.

In the System value section of the main Risk Assessor report, the auditing system values are explained. Risk Assessor will show the system value name, what the current setting is, what the recommended value is, and whether there is a deviation from best practice.



About the author

Carol Woodbury spent 16 years with IBM in Rochester, MN. She served for more than 10 years as the AS/400 Security Architect and Chief Engineering Manager of Security Technology for IBM's Enterprise Server Group. During this time Carol provided security architecture and design consultations with IBM Business Partners and large AS/400 customers. She is known worldwide as an author and speaker on security technology, specializing in OS/400 and i5/OS security issues. Carol co-authored the popular book, Experts' Guide to OS/400 and i5/OS Security from 29th Street Press, has written numerous articles on security and is a technical editor for the IBM Systems Magazine. Carol is also a subject matter expert on security for COMMON, security author for Experts Journal, contributing author on security for System iNEWS and MC Press Online and the security expert for search400.

Copyright © 2000 - 2008 Read Technologies, Inc. All rights reserved.