
Getting Started with IBM i Security: Event Auditing

Learn why event auditing is necessary and how to configure it.

This second PowerPoint in the series introduces event auditing, covering the basics and more:
- Why auditing is necessary
- Determine if IBM i auditing is currently active
- How to configure auditing with one simple command
- What audit events are recorded (and which are missed!)
- How high availability (HA) applications often make critical events disappear
- Event reporting and real-time alerting

Published in: Software

  1. All trademarks and registered trademarks are the property of their respective owners. © HelpSystems LLC. All rights reserved.
     Getting Started With IBM i Security: Auditing
  2. Today’s Agenda
     • Introductions
     • Why Audit?
     • Starting to Audit
     • Auditing a User Profile or an Object
     • Working with the Audit Journal
     • Questions and Answers
  3. Your Speaker
     Robin Tatam, CBCA, CISM, Director of Security Technologies, 952-563-2768, robin.tatam@helpsystems.com
  4. About HelpSystems’ Security Investment
     • Premier IBM i security products (the globally recognized “PowerTech” brand), represented by industry veteran Robin Tatam, CISM
     • Comprehensive IBM i security services, represented by industry veteran Carol Woodbury, CRISC
     • Member of the PCI Security Standards Council
     • Authorized by NASBA to issue CPE credits for security education
     • Publisher of the annual “State of IBM i Security” report
  6. Why Should You Audit?
     • Regulatory compliance demands it: legislation such as Sarbanes-Oxley (SOX), HIPAA, GLBA and state privacy acts, and industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS)
     • Event and user activity tracking
     • High availability
     • Application research and debugging
  7. Who’s Auditing on IBM i?
     Free download: 2016 State of IBM i Security
  8. Who’s Auditing on IBM i?
     (chart: 85% of systems surveyed are being audited, 15% are not)
  9. Who’s Auditing on IBM i?
     A significant portion of the 85% that are auditing:
     1. Aren’t collecting the recommended events
     2. Aren’t keeping the data long enough for it to be useful
     3. Have no archiving or retention policy
     4. Do not proactively review the audit data
     5. Have no tools to help them
     Often, high availability (HA) software configures auditing for its own replication needs and the organization doesn’t even know about it. A tell-tale sign is that *AUTFAIL events are not being audited: authority failures are of no use to replication, so the HA product never switches them on.
 11. The Security Audit Journal
     • IBM provides a dedicated resource, the security audit journal, for recording security-related events
     • The operating system does not ship with a security audit journal; you have to create it before you can start auditing
     • Consider setting up a profile with *AUDIT special authority specifically to maintain the auditing controls
     • Events are recorded to the audit journal based on the configuration of three layers of audit controls: system, user and object
 12. The Security Audit Journal
     • First, create a library to contain the audit journal receivers:
       CRTLIB LIB(SECJRNLIB) TEXT('Security Journal Library')
     • This allows you to secure the contents and makes it easier to manage audit data
     • IBM defaults the audit journal receiver library to QGPL, which is not a good place to store user objects, especially ones this important
 13. The Security Audit Journal
     • The security audit journal must be called QAUDJRN and it always resides in the QSYS library
     • Although you can create the components and set the system value controls manually, most people prefer to use the Change Security Auditing (CHGSECAUD) command, which pulls all the components together
 14. The Security Audit Journal
     (figure only)
 15. Starting To Audit: the QAUDCTL system value
     • This system value acts as the on/off switch for the auditing function:
       *NONE turns auditing fully OFF
       *AUDLVL turns system-level event auditing ON
       *OBJAUD turns object-level auditing ON
     • Other recommended customizing option: *NOQTEMP, which instructs the system not to audit actions on objects in a job’s QTEMP temporary library
 16. Starting To Audit: auditing values
     • This CHGSECAUD parameter corresponds to the QAUDLVL system value and its overflow companion, QAUDLVL2
     • Use it to designate which system-level activities you want to audit
     • The special value *DFTSET (default set) translates to *AUTFAIL, *CREATE, *DELETE, *SECURITY and *SAVRST
 17. Starting To Audit: initial journal receiver
     • This CHGSECAUD parameter gives the name and library of the initial journal receiver (the object that actually holds the data)
     • Include a sequence number in the name so that subsequent receivers are named similarly (AUDRCV0001, AUDRCV0002, ...)
     • If auditing is already active, this parameter is ignored. To redirect active auditing to a new library, create a new journal receiver there and attach it to the journal; subsequently generated receivers are created in the same place
 18. Starting To Audit: auditing values
     • QAUDLVL cannot hold every possible combination of options, so IBM added QAUDLVL2, which is consulted only if QAUDLVL includes the value *AUDLVL2
     • My personal preference is to set QAUDLVL to *AUDLVL2 alone and then place all of the desired audit values in QAUDLVL2
     (diagram: QAUDLVL contains *AUDLVL2; QAUDLVL2 contains *CREATE *SECURITY *AUTFAIL *DELETE *SAVRST …)
 19. Starting To Audit
     In IBM i 7.3, 21 categories are available for system-wide auditing. Three of them (*JOBDTA, *NETCMN and *SECURITY) can be further subset into more specific values:
     *ATNEVT    Attention events
     *AUTFAIL   Authority failures
     *CREATE    Object creations
     *DELETE    Object deletions
     *JOBDTA    Actions affecting jobs (subset: *JOBxxx)
     *NETCMN    Network communications (subset: *NETxxx)
     *NETSCK    Socket connections (part of *NETCMN until 7.3)
     *NETSECURE Secure network connections
     *NETTELNET TELNET connections
     *OBJMGT    Object management
     Note: all values except *ATNEVT can also be specified for individual users
 20. Starting To Audit
     *OPTICAL   Optical drive operations
     *PGMADP    Program adoptions
     *PGMFAIL   Program failures
     *PTFOBJ    PTF objects
     *PTFOPR    PTF operations
     *PRTDTA    Print data
     *SAVRST    Save and restore operations
     *SECURITY  Security operations (subset: *SECxxx)
     *SERVICE   Service functions
     *SPLFDTA   Spooled file functions
     *SYSMGT    System management
 21. Starting To Audit
     There are two other auditing-related system values that you should be aware of but probably won’t change:
     QAUDFRCLVL (auditing force level) specifies how many audit records may be cached before they must be written to disk. If your security policy requires EVERY record to be on disk before processing continues, set this to the minimum of 1 (one record per force); otherwise use the default value, *SYS, to maximize performance.
 22. Starting To Audit
     QAUDENDACN (auditing end action) specifies what should happen if the system is unable to continue auditing. The default value, *NOTIFY, sends a message to QSYSOPR (and QSYSMSG) and carries on. The value *PWRDWNSYS forces the system to power down immediately! After the system IPLs, a user with *ALLOBJ and *AUDIT special authority must restore auditing and bring the system out of restricted state.
 23. Starting To Audit
     While auditing is certainly a good thing, be cautious about auditing every type of event for all users: it will likely be the data equivalent of trying to drink from a fire hose. If you determine that your server generates more events than can reasonably be processed, consider tools to help you, as well as possibly auditing only those users who can run commands (and that’s not all of them, right?!).
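The “Starting To Audit” steps above, as one CL sequence. This is an added example, not code from the original deck or from HelpSystems: SECJRNLIB is the slides’ library name, while the receiver name AUDRCV0001, the *EXCLUDE authorities and the three values added beyond *DFTSET (*PGMFAIL, *SERVICE, *SYSMGT) are assumptions for illustration.

```cl
/* Added example, not from the original deck. SECJRNLIB is the slides'    */
/* library; AUDRCV0001, the authorities and the extra QAUDLVL2 values     */
/* are assumptions.                                                       */

/* 1. A dedicated library for the receivers (not QGPL), closed to *PUBLIC */
/*    so only explicitly authorized profiles can read or delete receivers.*/
CRTLIB LIB(SECJRNLIB) TEXT('Security Journal Library') +
       AUT(*EXCLUDE) CRTAUT(*EXCLUDE)

/* 2. Fill in the detailed event list first, so there is no window where  */
/*    the switch is on but nothing is selected. *DFTSET plus extras.      */
CHGSYSVAL SYSVAL(QAUDLVL2) +
          VALUE('*AUTFAIL *CREATE *DELETE *SECURITY *SAVRST *PGMFAIL *SERVICE *SYSMGT')

/* 3. Create QSYS/QAUDJRN and its first receiver, and throw the switch.   */
/*    QAUDLVL carries only *AUDLVL2, so QAUDLVL2 (step 2) is what counts. */
/*    *NOQTEMP keeps work on objects in a job's QTEMP out of the journal. */
/*    If auditing is already active, JRNRCV is ignored (see step 4).      */
CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) +
          QAUDLVL(*AUDLVL2) +
          JRNRCV(SECJRNLIB/AUDRCV0001)

/* 4. Already auditing into QGPL? Create a receiver in the new library    */
/*    and attach it; receivers generated later with *GEN follow it.       */
/* CRTJRNRCV JRNRCV(SECJRNLIB/AUDRCV0001) TEXT('Security audit receiver')  */
/* CHGJRN    JRN(QSYS/QAUDJRN) JRNRCV(SECJRNLIB/AUDRCV0001)                */

/* 5. Leave these at their defaults unless policy says otherwise; just    */
/*    record what they are.                                               */
DSPSYSVAL SYSVAL(QAUDFRCLVL)
DSPSYSVAL SYSVAL(QAUDENDACN)

/* 6. Verify the three auditing system values and the attached receiver. */
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)
DSPSYSVAL SYSVAL(QAUDLVL2)
WRKJRNA   JRN(QSYS/QAUDJRN)
```

Run it from a profile that holds *AUDIT special authority (and *ALLOBJ for the CRTLIB/CHGJRN steps). Step 6 is the check for the HA pitfall on slide 9: if QAUDLVL2 comes back without *AUTFAIL, something other than you configured auditing.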
 25. Auditing A User Profile
     • In addition to system-wide auditing, you can audit the activities of specific users
     • Turn on user auditing using the Change User Auditing (CHGUSRAUD) command, which is distinct from the normal profile commands (CRTUSRPRF/CHGUSRPRF) so that the duty can be separated
     • In addition to all but one of the QAUDLVL values (*ATNEVT is system-wide only), an extra option for command activities (*CMD) is available for user auditing
     • User auditing can be coordinated with object-level auditing so that specific objects are audited when they are accessed by specific users
 26. Auditing A User Profile
     (figure only)
 27. Auditing A Specific Object
     • You can audit access to specific objects
     • Object auditing works with user-level auditing to audit specific objects when they are accessed by audited users
     • Turn on object auditing using the Change Object Auditing (CHGOBJAUD) command, but it only takes effect if *OBJAUD is specified in the QAUDCTL system value
     • Specify the desired auditing value:
       *NONE to deactivate auditing for the object
       *CHANGE to audit only open-for-change accesses
       *ALL to audit both open-for-read and open-for-change accesses
       *USRPRF to defer to the user profile’s object auditing setting
 28. Auditing A Specific Object
     • Specifying *USRPRF directs the operating system to defer to the user profile’s OBJAUD attribute to determine whether object auditing is desired, and which operations (open-for-read / open-for-change) to audit
     • To audit an object located in the IFS, follow exactly the same procedure as for a native object, but use the Change Auditing Value (CHGAUD) command
 29. Auditing A Specific Object: native object
     (figure only)
 30. Auditing A Specific Object: Integrated File System object
     (figure only)
 31. Auditing A Specific Object
     NOTE: Object auditing does NOT audit data changes; it records that the object was opened for read or for change. Database journaling is required for record/field-level auditing.
 32. Auditing A Specific Object: auditing new objects
     • A newly created native object inherits its auditing value from the CRTOBJAUD attribute of the library where it resides
     • If the library has a value of *SYSVAL, the value is inherited from the QCRTOBJAUD system value (IBM-supplied default of *NONE)
     • CAUTION: changing the QCRTOBJAUD system value could generate a very large number of audit events
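The user and object procedure above, applied to one privileged profile and two files. This is an added example, not code from the original deck or from HelpSystems: the profile OPSADMIN, the libraries and files APPLIB/CUSTMAST and PAYLIB/PAYMAST, and the IFS path /home/payroll/exports are assumed names.

```cl
/* Added example, not from the original deck. OPSADMIN, APPLIB/CUSTMAST,  */
/* PAYLIB/PAYMAST and /home/payroll/exports are assumed names.            */
/* Assumes QAUDCTL already contains *AUDLVL (needed for AUDLVL on a user) */
/* and *OBJAUD (needed for any OBJAUD setting to take effect).            */

/* 1. A privileged profile: every command it runs (CD entries), its       */
/*    security and service actions, and *ALL opens on objects whose own   */
/*    auditing value is *USRPRF. Note CHGUSRAUD, not CHGUSRPRF.           */
CHGUSRAUD USRPRF(OPSADMIN) OBJAUD(*ALL) AUDLVL(*CMD *SECURITY *SERVICE)

/* 2. Customer master: every open-for-change is logged (ZC) no matter     */
/*    who does it; reads are not logged.                                  */
CHGOBJAUD OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) OBJAUD(*CHANGE)

/* 3. Payroll master: defer to the user profile. Only profiles whose      */
/*    OBJAUD is *CHANGE or *ALL (OPSADMIN above) produce ZC/ZR entries;   */
/*    everyone else's access is silent. Record-level changes still need   */
/*    database journaling (STRJRNPF), which is separate from QAUDJRN.     */
CHGOBJAUD OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) OBJAUD(*USRPRF)

/* 4. Same pattern for an IFS directory and everything already under it. */
CHGAUD OBJ('/home/payroll/exports') OBJAUD(*USRPRF) SUBTREE(*ALL)

/* 5. Make objects created in PAYLIB from now on start with *CHANGE,      */
/*    without raising the system-wide QCRTOBJAUD (which floods the        */
/*    journal with every QTEMP-style work object on the box).             */
CHGLIB LIB(PAYLIB) CRTOBJAUD(*CHANGE)

/* 6. Confirm the settings took.                                          */
DSPUSRPRF USRPRF(OPSADMIN)
DSPOBJD   OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) DETAIL(*FULL)
DSPAUD    OBJ('/home/payroll/exports')
```

The split between steps 2 and 3 is the design point: *CHANGE on the object is for “always know who wrote to this”, *USRPRF on the object plus OBJAUD(*ALL) on a few profiles is for “watch what these people touch” without paying for every read by every batch job.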
 33. Will It Be Audited?
     (decision chart; source: IBM i and i5/OS Security & Compliance: A Practical Guide, 29th Street Press)
 34. What Won’t Be Audited?
     • Some actions originating from the network may not be recorded by native auditing controls
     • If the objects involved are being audited, or the user performs an audited action (for example, deleting an object), that access is tracked; the network request itself is not
     • Common network actions that are not audited include database access via ODBC and FTP
     • Exit programs facilitate auditing of these types of transactions, and are also able to prevent users from running commands, sometimes independently of the command-line privilege granted by the profile’s LMTCPB attribute
 35. What Won’t Be Audited?
     • To see whether you have exit programs in place, review the exit point registration facility with the WRKREGINF command, or use HelpSystems’ FREE Security Scan tool
 36. What Won’t Be Audited?
     • Some native user activities will also not be audited:
       Interactive SQL
       Data File Utility (DFU)
       System Service Tools (SST)
       QSHELL
       Application usage
       User actions that are not command-based
     • Consider using a third-party auditing function to augment native auditing and capture the missing events
 38. Working With The Audit Journal
     • After auditing is configured and actively collecting, review how to extract the audited information
     • Download the IBM i Security Reference manual for detailed information about configuring auditing and the layout of audit journal data
     • All journal entries contain basic information (date, time, user, job information and the entry type code), followed by entry-specific data that varies with the entry type
 39. Working With The Audit Journal
     There are three main options to display or print audit journal data:
     1. Display Audit Journal Entry (DSPAUDJRNE)
        A simplified version of the DSPJRN command with parameters specific to most entries in the security audit journal (no longer updated by IBM, but still useful)
        Does not support IFS events
        Cannot sort or query the data, as it only sends results to the screen or to a spooled file
 40. Working With The Audit Journal
     (figure only)
 41. Working With The Audit Journal
     (figure only)
 42. Working With The Audit Journal
     2. Display Journal (DSPJRN)
        The basic way to review activities in any journal
        Requires an understanding of the format of the journal data; the data is not parsed by the command
        Supports the names of IFS objects
        Helps if you have an exact timestamp, as DSPJRN does not sort the data
 43. Working With The Audit Journal
     3. Copy Audit Journal Entry (CPYAUDJRNE)
        Combines the DSPJRN command with copying the data to an output file
        The output file layout is based on the entry code
        Extracted data can be queried, sorted and printed
        The default output file name is QAUDITxx, where xx is the audit entry type code
 44. Working With The Audit Journal
     Consider reviewing the following journal entry type codes:
     AF  Authority failures
     CP  Profile activities (create/change, including password changes)
     SV  System value changes
     PW  Invalid passwords
 45. Working With The Audit Journal
     For user auditing:
     CD  Command executed
     For object auditing:
     ZC  Object changed
     ZR  Object read
 46. Working With The Audit Journal: archiving
     • Defer to your legal counsel or auditor for retention information. Attorneys and auditors may have to defend the information in court, so give them what they need
     • Most breaches take upwards of 6 months (not 24 hours!) to detect and investigate, and some take much longer
     • If you do not have legal support, consider 30 days online and 1 year offline (PCI DSS requires 1 year of retention, with the most recent 3 months immediately available)
     Retention should not be an admin’s decision based on disk utilization
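The three extraction options plus the rotate-and-archive step, as one CL sequence for a single day’s review. This is an added example, not code from the original deck or from HelpSystems: the date window, the QTEMP output names, the receiver names in SECJRNLIB and the tape device TAP01 are assumptions.

```cl
/* Added example, not from the original deck. The date window, QTEMP     */
/* outfile names, SECJRNLIB/AUDRCV0001 and TAP01 are assumptions.        */

/* 1. Quick on-screen look at authority failures on the current chain.   */
DSPAUDJRNE ENTTYP(AF) JRNRCV(*CURCHAIN)

/* 2. The four "review these" types for one day, into queryable outfiles.*/
/*    They land as QAUDITAF, QAUDITCP, QAUDITSV and QAUDITPW in QTEMP,   */
/*    each with the layout for its entry type.                           */
CPYAUDJRNE ENTTYP(AF CP SV PW) OUTFILE(QTEMP/QAUDIT) JRNRCV(*CURCHAIN) +
           FROMTIME('06/01/16' '00:00:00') TOTIME('06/01/16' '23:59:59')
RUNQRY QRYFILE((QTEMP/QAUDITAF))

/* 3. User/object entries (CD, ZC, ZR) for a narrow window. DSPAUDJRNE   */
/*    cannot show IFS events, so use DSPJRN; *TYPE5 is the widest outfile */
/*    format and carries the object/path fields, *CALC keeps the full     */
/*    entry-specific data instead of truncating it.                       */
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(CD ZC ZR) +
       FROMTIME('06/01/16' '08:00:00') TOTIME('06/01/16' '09:00:00') +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AUDOBJ) +
       ENTDTALEN(*CALC)

/* 4. Rotation and archive, in the only safe order: generate the next     */
/*    receiver (AUDRCV0002, same library) so the old one is detached,     */
/*    save the detached receiver, and only then delete it. Never delete   */
/*    a receiver that is still attached or not yet saved.                 */
CHGJRN    JRN(QSYS/QAUDJRN) JRNRCV(*GEN)
SAVOBJ    OBJ(AUDRCV0001) LIB(SECJRNLIB) OBJTYPE(*JRNRCV) DEV(TAP01)
DLTJRNRCV JRNRCV(SECJRNLIB/AUDRCV0001)
```

Steps 1 to 3 are what the slides describe as a daily review; step 4 is the mechanism behind the “30 days online, 1 year offline” retention split, and it is a scheduled job, not something an operator decides on when disk fills up.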
 47. Working With The Audit Journal
     • Alternatively, evaluate a commercial auditing solution to interrogate the audit journal data more easily
 49. Questions
 50. Thank You
     http://www.helpsystems.com/getting-started-security-series
     See you on June 27th at 12 noon CST to learn about PC Access