Post on 03-Apr-2018
7/28/2019 Auditing AS400
Auditing IBM AS/400, iSeries, and System i
John Earl, Chief Technology Officer
The PowerTech Group, Inc.
Agenda
- IBM AS/400 & System i market
- Auditing AS/400
- Resources for AS/400 auditors
- Questions & answers
What's in a Name?
Server
- AS/400 (1988-1998)
- iSeries (1998-2004)
- i5 (2004-2006)
- System i (2006)
Operating System
- OS/400 (1993-2004)
- i5/OS (2004)
System i Market
- 98% of Fortune 1000 run System i (Source: IBM)
- 400,000 systems installed worldwide
- 45% US, 35% Europe with 20% Asia
- 30,000 new systems ship annually
- Price range from $12,000 to $1 million +
- 16,000 banks run on the System i
i = Integration
JD Edwards
http://www.oracle.com/index.html
http://www.manh.com/
http://www.sap.com/index.epx
http://www.fiserv.com/default.htm
http://www.ssaglobal.com/
http://www.lawson.com/wcw.nsf/pub/GlobalStartPage
The Perfect Storm of Vulnerability
- Security awareness among OS/400 professionals is low
- OS/400 awareness among audit professionals is low
- Some of the most valuable data in any organization is on the AS/400
What To Look For On An AS/400
- OS/400 auditing essentials
- System Values
- Base Auditing capabilities
- Library and Directory Settings
- Network Access
- User Profiles
- Powerful Users
OS/400 Auditing Essentials
System Values
- Are the foundation of a secure system
- Define things like default public authority, default paths, base security level, audit levels, etc.
- Typically require security officer privileges to change
- Should seldom be changed
- Should be verified on a regular basis
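Added example (not part of the presentation): one way to verify system values on a regular basis is to compare an exported snapshot with an approved baseline. The system value names are real OS/400 names; the "NAME value" snapshot format, the baseline values, and the function names are assumptions made for illustration.

```python
# Added example. SNAPSHOT is constructed sample data and BASELINE is a
# hypothetical site policy. Rule kinds: ("min"/"max", n) numeric bound,
# ("eq", v) exact match, ("has", {...}) keywords required in a list value.
BASELINE = {
    "QSECURITY": ("min", 40),            # base security level
    "QCRTAUT": ("eq", "*EXCLUDE"),       # default public authority
    "QAUDCTL": ("has", {"*AUDLVL"}),     # auditing switched on
    "QAUDLVL": ("has", {"*AUTFAIL", "*SECURITY"}),  # audit levels
    "QMAXSIGN": ("max", 5),              # sign-on attempts allowed
    "QPWDMINLEN": ("min", 8),            # minimum password length
}

SNAPSHOT = """\
QSECURITY 30
QCRTAUT *CHANGE
QAUDCTL *AUDLVL *OBJAUD
QAUDLVL *AUTFAIL *CREATE
QMAXSIGN *NOMAX
"""

def parse_snapshot(text):
    """Return {name: [tokens]} from 'NAME value [value ...]' lines."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            values[parts[0].upper()] = parts[1:]
    return values

def check(name, rule, tokens):
    """Return a finding string, or None when the value meets the rule."""
    kind, want = rule
    if tokens is None:
        return f"{name}: not present in snapshot"
    if kind == "has":
        missing = sorted(want - set(tokens))
        return f"{name}: missing {' '.join(missing)}" if missing else None
    got = tokens[0] if tokens else ""
    if kind == "eq":
        return None if got == want else f"{name}: {got} (baseline {want})"
    if not got.isdigit():   # special values such as *NOMAX are not numbers
        return f"{name}: {got} is not numeric (baseline {kind} {want})"
    ok = int(got) >= want if kind == "min" else int(got) <= want
    return None if ok else f"{name}: {got} (baseline {kind} {want})"

def audit(snapshot_text, baseline=BASELINE):
    values = parse_snapshot(snapshot_text)
    found = (check(n, r, values.get(n)) for n, r in sorted(baseline.items()))
    return [f for f in found if f]
```

Calling audit(SNAPSHOT) returns one finding per value that drifts from the baseline, including values missing from the snapshot.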
System Values
Reference Resources for AS/400
Base Auditing Capabilities
- The System Security Audit Journal (QAUDJRN) holds security-related event log data
- On OS/400, journals are W.O.R.M. (write once read many) type objects
- The Audit System Values describe what audit information will be logged to QAUDJRN
- OS/400 has great capturing capability for audit information, but reporting capability is less robust
Base Auditing Capability
Library and Directory Settings
- Controlling the path is an essential part of security
- OS/400 paths come in two basic flavors, Traditional Unix paths, and OS/400 libraries
- It is not unusual that the public has rights to add objects to where the operating system lives (Library QSYS)
- Libraries where the user has *CHANGE rights (or better) are a serious exposure
The Public's Authority to Libraries
Network Access
- It is common for users to have at least change rights to data
- OS/400 ships with all TCP/IP services active by default
- Users who can change or delete data + Open servers like FTP and ODBC = Disaster
Open Access from PCs
- Standard tools allow users to directly get data from the System i
- The OS does not log this activity
Unprotected Network Access
Network Access
Protecting the System
OS/400 User IDs
- Un-monitored user IDs are the easiest way to get into any system
- OS/400 administrators have not proved to be particularly strong on monitoring users
- Passwords on OS/400 can be weaker than other systems
OS/400 User IDs
Powerful Users
- On OS/400, Root capability is divided into eight different special authorities
- The granularity allows you to segment Communications, from hardware, from Sysop ability, etc.
- The most important of these special authorities is *ALLOBJ
- OS/400 special authorities tend to be handed out liberally
Administrative Rights
Resources for AS/400 Auditors
1. Compliance Assessment tool shown in this presentation
2. Open Source OS/400 Security Policy
3. State of the System i Security Study
Auditor resource area: www.audit400.com
Resource #1 Compliance Assessment
Resource #2 Open Source Security Policy
Resource #3 State of System i Security
Questions?
Auditor Resource Site: www.audit400.com