Post on 23-Oct-2015
description
© 2010 IBM Corporation
IBM Power Systems Technical University
October 18–22, 2010 — Las Vegas, NV
Session Title: IBM i AuditCapabilities
Speaker Name: Bruce F. Bading
Session ID: SE02
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 3
Agenda
Security basics
Configuring i5/OS auditing
Recommended settings
Getting information out of the journal
Practical applications
Scenarios for protection
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 4
Three Parts of Security
Confidentiality– Keeping people from seeing things they shouldn’t
Integrity– Keeping people from changing things they shouldn’t
Accountability– Gathering and evaluating activity that occurred on the
system
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 5
The Security PROCESS
RepeatRepeat
RepeatRepeat
Repeat
1. Assess Vulnerabilities
2. Plan Countermeasures
3. Deploy Countermeasures
4. Repeat
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 6
Security Plan Foundation Questions
What and where is the important data on the system?
Who is using the system, what data are they accessing, and for what purpose?
Which access methods are available for which data?
Which services or applications invoke other services?
Which services or applications must operate with more than user authority (e.g. adopt/swap)?
What mechanisms can be used to transfer data from the system?
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 8
To Make Auditing Meaningful …Physical Security
Strong passwords– QPWD* system values– QMAXSIGN, QMAXSIGNACN
No shared accounts
*PUBLIC *EXCLUDE on all profiles
Object level authorization control– Minimal users with *ALLOBJ– Secure sensitive objects (data)– Prevent access to service tools (SST, DST, DMPxxx, TRCxxx,
etc)
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 9
Features of Security Audit Journal
IBM i
Audit Journal, QAUDJRN *JRN
Current Receiver Previous Receiver Previous Receiver
Journal Receiver Chain, *JRNRCV
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 10
Types of Auditing
System wide– Object create and delete– Security/System functions– Login failures– Job auditing
Object specific auditing– Object read and write
User specific auditing– Security/System functions performed by the audited user– Command auditing– Object read and write
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 11
Auditing Plan
What are we trying to detect?– Which system events?– What/which objects?– By which users?
How often must we evaluate this action?
What should be done when it is detected?
What events do NOT need to be audited– Signal to noise ratio
How long should audit data be retained?
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 12
System level audit controls
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 13
Auditing System Values
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 14
Is Audit running on your systemDisplay Security Auditing – DSPSECAUD
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 15
Configuring auditing for the first time
Change Security Auditing – CHGSECAUD
Change Security Auditing – CHGSECAUD• Creates QSYS/QAUDJRN journal• Creates and attaches the journal receiver• Changes QAUDCTL and QAUDLVL system values
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 16
Configuring Auditing - QAUDCTL (on/off switch)
QAUDCTL (On/Off switch)
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 17
QAUDLVL – system-wide action auditing
New in V5R4
To determine what these values do, hit Help or look in IBM i Security Reference, Chapter 9
Caution: Carefully consider what auditing is enabled. Some categories generate significant amounts of audit entries
Audit settings that apply to every user & job
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 18
Auditing System Values – iSeries Navigator
(QAUDCTL - *AUDLVL)
(QAUDCTL - *OBJAUD)(QAUDCTL - *NOQTEMP)
(QAUDLVL)
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 19
Auditing System Values – iSeries Navigator
(QAUDENDACN - *NOTIFY)
(QAUDFRCLVL)
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 20
Auditing System Values – iSeries Navigator
(QCRTOBJAUD)
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 21
Object and user level audit settings
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 22
Auditing Sensitive Objects – All usersQAUDCTL system value must include the value *OBJAUD
Specify auditing of objects with the CHGOBJAUD, CHGDLOAUD, CHGAUD commands
Entries are written to the system auditing journal QAUDJRN
No auditing is done for this object under any circumstances
Read and update operations to the object are audited.
Update operations to the object are audited
CHGOBJAUD OBJ(libname/objname) OBJTYPE(objtype) OBJAUD(*ALL)
CHGOBJAUD OBJ(libname/objname) OBJTYPE(objtype) OBJAUD(*CHANGE)
CHGOBJAUD OBJ(libname/objname) OBJTYPE(objtype) OBJAUD(*NONE)
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 23
CHGAUD
To turn on object auditing for an object in the IFS, run CHGAUD, specifying the pathname of the object.
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 24
Display of audit settings – QSYS objects
AuditValue
DSPOBJD OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) DETAIL(*FULL)
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 25
Display of audit settings – IFS objects
AuditValue
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 27
Auditing Users – Object and action auditIndividual user profiles can be audited
– Powerful profiles QSECOFR, ZSECOFR, MYADMIN– Troublesome users– Problems have occurred
QAUDCTL system value must include the value *OBJAUD or *AUDLVL
CHGUSRAUD command starts/stops auditing a User
Entries are written to the auditing journal QAUDJRN
User’s AUDLVL can contain *CMD to record all commands run by the user
CHGUSRAUD USRPRF(QSECOFR) OBJAUD(*CHANGE) AUDLVL(*CREATE *CMD)
Complement of QAUDLVL
sysval
*NONE, *ALL, *CHANGE
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 28
User action auditing – Security event audit
Note: To enable user auditing, must specify QAUDCTL(*AUDLVL)
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 29
User action auditing – Display of User setting
ObjectandUseraudit
setting
DSPUSRPRF USRPRF(QSECOFR)
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 30
CHGUSRAUD – iSeries Navigator
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 31
Object Auditing – QAUDCTL(*OBJAUD)
Only updates are audited
Audits when profile accessing object has its object auditing value set to either *CHANGE or *ALL
QCRTOBJAUD system value sets the object auditing value for newly created objects. Default = *NONE
DSPLIBD - Create object auditing value. Default = *SYSVAL
See Security Reference, Appendix E to see what operations cause an audit entry
Both reads and updates are
audited
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 32
Using CHGOBJAUD OBJ(PATIENTFIL) OBJAUD(*NONE)
OBJAUD(*NONE)
OPEN READ
OPEN UPDATE
OPEN UPDATE
OPEN READ
PATIENT FILE
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 33
Using CHGOBJAUD OBJ(PATIENTFIL) OBJAUD(*ALL)
OPEN READ
OPEN UPDATE
OPEN UPDATE
OPEN READ OBJAUD(*ALL)
PATIENT FILE
© 2010 IBM Corporation
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 35
Using CHGOBJAUD OBJ(PATIENTFIL) OBJAUD(*USRPRF)The User Profile’s OBJAUD value is ONLY evaluated if the Object’s OBJAUD value is set to *USRPRF
OPEN READ
OPEN UPDATE
OPEN READ
OPEN UPDATE
OBJAUD(*ALL)
OBJAUD(*ALL)
OBJAUD(*NONE)
OBJAUD(*CHANGE)
PATIENT FILE
OBJAUD(*USRPRF)
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 36
Recommended Audit SettingsQAUDCTL
– *OBJAUD– *AUDLVL– *NOQTEMP
QAUDLVL– *AUTFAIL– *SECURITY (or *SECCFG and *SECRUN in V5R3 and higher)– *CREATE– *DELETE– *SAVRST– *SERVICE– *PGMFAIL
Note: May need additional values if running HA softwareNote: Each customer must evaluate the appropriate settings for their company
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 37
New Auditing Values in V5R3 and V5R4V5R3
QAUDLVL– *SECURITY is subsetted into
• *SECCFG – user profile, system value changes, network attributes, etc• *SECDIRSRV – directory services• *SECIPC – interprocess communications• *SECNAS – network authentication ticket verification (Kerberos)• *SECRUN – runtime changes of object ownership, authorization list, etc• *SECSCKD – secure socket descriptors• *SECVFY – verification of profile handles and tokens• *SECVLDL - usage of validation list entries
– *NETCMN is subsetted into• *NETBAS - basic network events – SSL connections, APPN “firewall” activities• *NETCLU – cluster resource groups• *NETFAIL – security-related network failures – e.g., secure socket port not available• *NETSCK - mail filtered, mail rejected, give and take socket descriptors
– *AUDLVL2 (must be specified or QAUDLVL2 is ignored)
QAUDLVL2 (overflow for QAUDLVL)Subsetted values only available at the system value level (not user)Recommend values -- *SECCFG, *SECRUN
V5R4 *ATNEVT – used to discover denial of service attacks
© 2010 IBM Corporation
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 40
Display Journal command (DSPJRN)
DSPJRN JRN(QAUDJRN) FROMTIME('03/24/07') JRNCDE((T)) ENTTYP(AF)
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 41
Display Audit Journal Entries (DSPAUDJRNE)
DSPAUDJRNE is an old interface that IBM no longer updates. IBM Partnerproducts are available to harvest audit journal data.
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 43
Audit entries
*N in the Object Name field of an audit entry indicates the object is a pathname
Pathname is a 5002 character field at the end of the audit journal entry
Must use DSPJRN (Display Journal) command to display – easiest to send to an outfile and run a query
– See iSeries Security Reference manual, Appendix F for outfile layout
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 44
DSPJRN to an outfile
i5/OS has a model outfile in QSYS for each audit journal entry type– QASYxxJy where
• xx = the two-letter audit journal entry type• y = the file format
CRTDUPOBJ OBJ(QASYAFJ5) FROMLIB(QSYS) OBJTYPE(*FILE) + TOLIB(QTEMP)
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) + FROMTIME('08/18/2004' '08:00:00') JRNCDE((T)) ENTTYP(AF) + OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) + OUTFILE(QTEMP/QASYAFJ5)
New command – CPYAUDJRNE (V5R4)– Performs CRTDUPOBJ QSYS/QASYxxJ5 model outfile and subsequent
DSPJRN to outfile in one, simplified step
© 2010 IBM Corporation
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 46
View Audit Journal Data in an OUTFILE
Quick View of the Audit Data
• RUNQRY QRY(*NONE) QRYFILE(QTEMP/QAUDITAF)
Detailed Analysis of the Audit Data
• SQL or STRQRY
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 47
Defining a query – STRQRY Command
Once the outfile has been generated, define a query to get the information you want, e.g., Path name
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 48
Results of query
Pathname
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 49
Display Journal command (DSPJRN)
DSPJRN JRN(QAUDJRN) FROMTIME('03/24/08') JRNCDE((T)) ENTTYP(AF)
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 50
DSPJRN – more details
Results of taking F10=Display only entry details
© 2010 IBM Corporation
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 52
Numerous i5/OS partners provide additional tools
– Reporting & Monitoring
– Security Configuration
– Encryption
– Network Security
– Authentication/Biometrics
– IBM i Security website, a link to business partners:• http://www-03.ibm.com/systems/i/security/
IBM Business Partners – Products to “mine” audit journal data
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 53
Chapter 9 – iSeries Security Reference
Look for the auditing value, then for the 2-letter Journal Entry Types to see what information is available
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 54
Layout of AF – QASYAFJ5 - outfile
Appendix F, iSeries Security Reference
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 55
Practical uses of the audit journal
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 56
Audit Journal Recommendations
Activate Audit on the Server– Activate both user level audit and system wide audit features
Monitor the audit journal for suspicious activity.– ISV products available to monitor the journal
Archive the audit data so it is available for use at a later date if necessary!
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 57
Suggested Super User Auditing
Focus on misconduct and proving misconduct
Focus on real people and all their profiles
Use CHGUSRAUD to set at least
– *CMD
– *SAVRST
– *SECURITY
– *OBJMGT
– *SERVICE
– *SYSMGT
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 58
Debugging using the audit journal
Turn on *PGMADP using CHGUSRAUD, then look for PA – A or PA -J entries to find “inappropriate” uses of adopted authority
Use the DO entries to determine how an object was deleted
Use the CO entries to determine if objects are being created into a directory (so it can be secured)
Use AF entries to determine whether an “authority failure” really is an authority failure
– Especially useful when reworking the security scheme of an entire application and the security changes are blamed for EVERYfailure!
Object update (ZC) and object read (ZR) entries can help you determine what processes are accessing files you are about to secure
Before making changes, look at the current entries to see what is “normal”
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 59
Managing Journal Receivers
Use the CRTJRN QSYS/QAUDJRN MNGRCV(*SYSTEM) parameter when creating the security audit journal
Saving and deleting a receiver in order to preserve audit data
– CHGJRN QSYS/QAUDJRN JRNRCV(*GEN)
– SAVOBJ
– DLTJRNRCV
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV Dan Riehl
| 60
For More InformationiSeries Security Reference, SC41-5302
– For a PDF, go to www.iseries.ibm.com/infocenter• Chapter 9 – auditing• Appendix F – auditing model outfiles• Appendix G – by object type what actions cause a ZR or ZC audit journal entry
IBM i and i5/OS Security & Compliance: A Practical Guide by Carol Woodbury, ISBN: 978-1-58304-124-6, 2009
www.skyviewpartners.com
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV
61
This document was developed for IBM offerings in the United States as of the date of publication. IBM may not make these offerings available in other countries, and the information is subject to change without notice. Consult your local IBM business contact for information on the IBM offerings available in your area.Information in this document concerning non-IBM products was obtained from the suppliers of these products or other public sources. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. Send license inquires, in writing, to IBM Director of Licensing, IBM Corporation, New Castle Drive, Armonk, NY 10504-1785 USA. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. The information contained in this document has not been submitted to any formal IBM test and is provided "AS IS" with no warranties or guarantees either expressed or implied.All examples cited or described in this document are presented as illustrations of the manner in which some IBM products can be used and the results that may be achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions.IBM Global Financing offerings are provided through IBM Credit Corporation in the United States and other IBM subsidiaries and divisions worldwide to qualified commercial and government clients. Rates are based on a client's credit rating, financing terms, offering type, equipment type and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal without notice.IBM is not responsible for printing errors in this document that result in pricing or information inaccuracies.All prices shown are IBM's United States suggested list prices and are subject to change without notice; reseller prices may vary.IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.Any performance data contained in this document was determined in a controlled environment. Actual results may vary significantly and are dependent on many factors including system hardware configuration and software design and configuration. Some measurements quoted in this document may have been made on development-level systems. There is no guarantee these measurements will be the same on generally-available systems. Some measurements quoted in this document may have been estimated through extrapolation. Users of this document should verify the applicable data for their specific environment.
Revised September 26, 2006
Special notices
© 2010 IBM Corporation
IBM Power Systems Technical University — Las Vegas, NV
62
IBM, the IBM logo, ibm.com AIX, AIX (logo), AIX 6 (logo), AS/400, Active Memory, BladeCenter, Blue Gene, CacheFlow, ClusterProven, DB2, ESCON, i5/OS, i5/OS (logo), IBM Business Partner (logo), IntelliStation, LoadLeveler, Lotus, Lotus Notes, Notes, Operating System/400, OS/400, PartnerLink, PartnerWorld, PowerPC, pSeries, Rational, RISC System/6000, RS/6000, THINK, Tivoli, Tivoli (logo), Tivoli Management Environment, WebSphere, xSeries, z/OS, zSeries, AIX 5L, Chiphopper, Chipkill, Cloudscape, DB2 Universal Database, DS4000, DS6000, DS8000, EnergyScale, Enterprise Workload Manager, General Purpose File System, , GPFS, HACMP, HACMP/6000, HASM, IBM Systems Director Active Energy Manager, iSeries, Micro-Partitioning, POWER, PowerExecutive, PowerVM, PowerVM (logo), PowerHA, Power Architecture, Power Everywhere, Power Family, POWER Hypervisor, Power Systems, Power Systems (logo), Power Systems Software, Power Systems Software (logo), POWER2, POWER3, POWER4, POWER4+, POWER5, POWER5+, POWER6, POWER7, pureScale, System i, System p, System p5, System Storage, System z, Tivoli Enterprise, TME 10, TurboCore, Workload Partitions Manager and X-Architecture are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (®or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml
The Power Architecture and Power.org wordmarks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org.UNIX is a registered trademark of The Open Group in the United States, other countries or both. Linux is a registered trademark of Linus Torvalds in the United States, other countries or both.Microsoft, Windows and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries or both.Intel, Itanium, Pentium are registered trademarks and Xeon is a trademark of Intel Corporation or its subsidiaries in the United States, other countries or both.AMD Opteron is a trademark of Advanced Micro Devices, Inc.Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries or both. TPC-C and TPC-H are trademarks of the Transaction Performance Processing Council (TPPC).SPECint, SPECfp, SPECjbb, SPECweb, SPECjAppServer, SPEC OMP, SPECviewperf, SPECapc, SPEChpc, SPECjvm, SPECmail, SPECimap and SPECsfs are trademarks of the Standard Performance Evaluation Corp (SPEC).NetBench is a registered trademark of Ziff Davis Media in the United States, other countries or both.AltiVec is a trademark of Freescale Semiconductor, Inc.Cell Broadband Engine is a trademark of Sony Computer Entertainment Inc.InfiniBand, InfiniBand Trade Association and the InfiniBand design marks are trademarks and/or service marks of the InfiniBand Trade Association. Other company, product and service names may be trademarks or service marks of others.
Revised February 9, 2010
Special notices (cont.)