Auditing AS400

  • 7/28/2019 Auditing AS400

    Auditing IBM AS/400, iSeries, and System i

    John Earl
    Chief Technology Officer
    The PowerTech Group, Inc.

    Agenda

    • IBM AS/400 & System i market
    • Auditing AS/400
    • Resources for AS/400 auditors
    • Questions & answers

    What's in a Name?

    Server
        • AS/400 (1988-1998)
        • iSeries (1998-2004)
        • i5 (2004-2006)
        • System i (2006)

    Operating System
        • OS/400 (1993-2004)
        • i5/OS (2004)

    System i Market

    • 98% of Fortune 1000 run System i (Source: IBM)
    • 400,000 systems installed worldwide
    • 45% US, 35% Europe with 20% Asia
    • 30,000 new systems ship annually
    • Price range from $12,000 to $1 million +
    • 16,000 banks run on the System i

    i = Integration

    JD Edwards

    http://www.oracle.com/index.html
    http://www.manh.com/
    http://www.sap.com/index.epx
    http://www.fiserv.com/default.htm
    http://www.ssaglobal.com/
    http://www.lawson.com/wcw.nsf/pub/GlobalStartPage

    The Perfect Storm of Vulnerability

    • Security awareness among OS/400 professionals is low
    • OS/400 awareness among audit professionals is low
    • Some of the most valuable data in any organization is on the AS/400

    What To Look For On An AS/400

    • OS/400 auditing essentials
        • System Values
        • Base Auditing capabilities
        • Library and Directory Settings
        • Network Access
        • User Profiles
        • Powerful Users

    OS/400 Auditing Essentials

    • System Values
        • Are the foundation of a secure system
        • Define things like default public authority, default paths, base security level, audit levels, etc.
        • Typically require security officer privileges to change
        • Should seldom be changed
        • Should be verified on a regular basis

    System Values

    Reference Resources for AS/400

    Base Auditing Capabilities

    • The System Security Audit Journal (QAUDJRN) holds security-related event log data
    • On OS/400, journals are W.O.R.M. (write once read many) type objects
    • The Audit System Values describe what audit information will be logged to QAUDJRN
    • OS/400 has great capturing capability for audit information, but reporting capability is less robust

    Base Auditing Capability

    Library and Directory Settings

    • Controlling the path is an essential part of security
    • OS/400 paths come in two basic flavors: traditional Unix paths and OS/400 libraries
    • It is not unusual that the public has rights to add objects to where the operating system lives (Library QSYS)
    • Libraries where the user has *CHANGE rights (or better) are a serious exposure

    The Public's Authority to Libraries

    Network Access

    • It is common for users to have at least change rights to data
    • OS/400 ships with all TCP/IP services active by default
    • Users who can change or delete data + open servers like FTP and ODBC = Disaster

    Open Access from PCs

    • Standard tools allow users to directly get data from the System i
    • The OS does not log this activity

    Unprotected Network Access

    Network Access

    Protecting the System

    OS/400 User IDs

    • Un-monitored user IDs are the easiest way to get into any system
    • OS/400 administrators have not proved to be particularly strong on monitoring users
    • Passwords on OS/400 can be weaker than other systems

    OS/400 User IDs

    Powerful Users

    • On OS/400, root capability is divided into eight different special authorities
    • The granularity allows you to segment communications, from hardware, from sysop ability, etc.
    • The most important of these special authorities is *ALLOBJ
    • OS/400 special authorities tend to be handed out liberally
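
An added example, not part of the original slides: one way to list the profiles that can use *ALLOBJ, including those that only inherit it from a group profile. It assumes a current IBM i release where the QSYS2.USER_INFO service view is available and a reviewer profile that is allowed to see all user profiles.

```sql
-- Added example (not from the presentation).
-- Lists every profile that holds *ALLOBJ directly or inherits it from its
-- primary group profile. Special authorities granted to a group profile are
-- available to its members, so checking only the user's own list misses them.
-- Supplemental groups are not covered by this query.
SELECT u.AUTHORIZATION_NAME   AS user_profile,
       u.STATUS               AS profile_status,
       u.PREVIOUS_SIGNON      AS last_signon,
       u.SPECIAL_AUTHORITIES  AS own_special_authorities,
       u.GROUP_PROFILE_NAME   AS primary_group,
       g.SPECIAL_AUTHORITIES  AS group_special_authorities,
       CASE
           WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 'DIRECT'
           ELSE 'VIA GROUP'
       END                    AS allobj_source
FROM QSYS2.USER_INFO u
LEFT JOIN QSYS2.USER_INFO g
       ON g.AUTHORIZATION_NAME = u.GROUP_PROFILE_NAME
WHERE u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   OR g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
ORDER BY allobj_source, u.AUTHORIZATION_NAME;
```

IBM-supplied profiles such as QSECOFR appear in the result as expected; the rows to review are the ordinary user and service profiles, especially enabled ones with an old or empty last sign-on.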

    Administrative Rights

    Resources for AS/400 Auditors

    1. Compliance Assessment tool shown in this presentation
    2. Open Source OS/400 Security Policy
    3. State of the System i Security Study

    Auditor resource area: www.audit400.com

    Resource #1 Compliance Assessment

    Resource #2 Open Source Security Policy

    Resource #3 State of System i Security

    Questions?

    Auditor Resource Site: www.audit400.com