Greetings!
We seem to be getting a lot of questions about i5/OS auditing functions in recent months. I'm guessing it's because there are several laws and regulations that either require or strongly suggest that certain activity and file accesses be "logged". Logging in the i5/OS and "i" world is known as "auditing." So I thought that I'd answer some of the questions we're receiving in this month's newsletter.
Many operating systems keep their log in an ordinary file. Access to that file may be controlled, but its entries can generally be modified or deleted; that is why you'll see regulations such as the Payment Card Industry Data Security Standard require that logs be protected from modification. With i5/OS no extra mechanism is needed for that: audit entries are written to a journal receiver, and once written they cannot be altered or selectively removed. (What you still must control is who is authorized to delete or save the receiver objects themselves; more on that below.)
Below, I also show how SkyView Policy Minder and SkyView Risk Assessor can help.
Sincerely,
Carol Woodbury, President
SkyView Partners, Inc.
Before I get started, I want to say that SkyView Partners is committed to delivering security compliance products and services that provide our customers with sound advice that saves them time and reduces the costs and complexities of attaining and maintaining compliance.
Now, on to this month's i & i5/OS Security Tip.
Where is the log (or audit) information kept?
i5/OS auditing is implemented via journals. The journal itself is not where the data is kept. Rather, the audit journal entries are kept in an object called a journal receiver. The IBM developers chose to implement i5/OS auditing with a journal and journal receiver because entries cannot be modified or removed from a journal receiver once they have been written. Thus, you can be assured of the integrity of the audit data.
To manage the information in the log (that is, the QAUDJRN journal), you manage the journal receivers. You cannot clear a journal receiver. Rather, you save the detached receivers and then delete them from the system. Even if you could clear a journal receiver (which you can't), you wouldn't want to, because you want to be able to retrieve the data should you require it for forensic or investigative purposes. You may need to modify your backup strategy to ensure that you are saving every journal receiver associated with QAUDJRN, and doing so in a way that lets you easily retrieve it from long-term storage should the requirement arise. Deleting a receiver is the one way audit data can be lost, so restrict authority to the receivers and their library to the few profiles that need it.
Enabling Auditing
You turn on auditing by specifying *OBJAUD, *AUDLVL, or both in the QAUDCTL system value. This system value is the "on/off" switch for auditing: if it is *NONE, auditing is not active, regardless of what QAUDLVL or the object-level auditing attributes say.
To turn on action auditing, such as the logging of authority failures, invalid sign-on attempts, deletion of objects, and so on, modify the QAUDLVL system value. Some actions produce far more audit journal entries than others, so add values deliberately and watch receiver growth. To determine which actions cause an audit journal entry to be written, see Chapter 9 of the Security Reference manual (available from the IBM Information Center).
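The whole procedure, as an added CL example that is not from the original newsletter: it creates the first receiver and the QAUDJRN journal, chooses the action auditing values, and only then throws the QAUDCTL switch. The library QGPL, the receiver name AUDRCV0001 and the threshold are assumptions; the QAUDLVL values are chosen to cover the actions mentioned above (authority failures and invalid sign-on attempts under *AUTFAIL, deletions under *DELETE), not as a recommended baseline.

```cl
/* Added example, not from the original newsletter. Library QGPL,      */
/* receiver name AUDRCV0001 and the threshold are assumptions.         */

/* 1. Create the first journal receiver. AUT(*EXCLUDE) keeps ordinary  */
/*    users from reading or deleting it.                               */
CRTJRNRCV JRNRCV(QGPL/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE) +
          TEXT('Security audit journal receiver')

/* 2. Create the audit journal; it must be QSYS/QAUDJRN.               */
/*    MNGRCV(*SYSTEM) lets the system attach a new receiver when the   */
/*    threshold is reached. DLTRCV(*NO) stops it from deleting the     */
/*    detached receivers, so they stay until you have saved them.      */
CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) MNGRCV(*SYSTEM) +
       DLTRCV(*NO) AUT(*EXCLUDE) TEXT('Security audit journal')

/* 3. Choose which actions are audited. *AUTFAIL covers authority      */
/*    failures (AF) and invalid sign-on attempts (PW); *DELETE covers  */
/*    object deletions (DO). Chapter 9 of the Security Reference lists */
/*    the remaining values and what each one generates.                */
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *DELETE *SECURITY *SAVRST')

/* 4. Turn auditing on last, after the journal exists. *NOQTEMP skips  */
/*    object auditing for objects in QTEMP.                            */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

/* Confirm the settings took effect. */
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)
```

DLTRCV(*NO) is the setting that matters for the point made above about never losing receivers: with DLTRCV(*YES) the system would delete a detached receiver on its own, before your backup had a chance to save it.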
Getting information out of the i5/OS Audit Journal
Several methods exist for retrieving information out of the audit journal.
- Run the DSPAUDJRNE command. The default is to look for AF (authority failure) entries. The result is just a subset of the information in the AF audit journal entries, but it is often enough to determine what caused a particular entry to be generated.
- If you want more of the information in the audit journal entry, or if you see *N as the object name (indicating that the object is in the IFS), then you must dump the audit journal entries to an outfile and query the results.
To do that, first create a duplicate of the model outfile for the audit journal entry type:
CRTDUPOBJ OBJ(QASYxxJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
where xx is the two-character audit journal entry type you're looking for; for an authority failure it would be AF.
Then write the audit journal entries of that type to the outfile:
DSPJRN JRN(QAUDJRN) FROMTIME('09/25/06') JRNCDE((T)) ENTTYP(xx) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYxxJ5)
Now you can display the file or run a query or SQL statement to see every field of the audit journal entry. V5R4 provides a command, CPYAUDJRNE, which combines the CRTDUPOBJ and DSPJRN steps into one command. The audit journal model outfiles are described in Appendix F of the iSeries Security Reference manual, available from the IBM Information Center.
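The V5R4 CPYAUDJRNE route, as an added example that is not from the newsletter: the output file prefix QAUDIT and the choice of receiver range are assumptions. The column names mentioned in the note after the block are those of the QASYAFJ5 model outfile as I recall them from Appendix F, and should be verified with DSPFFD before you rely on them.

```cl
/* Added example, not from the original newsletter. The prefix QAUDIT  */
/* is an assumption; CPYAUDJRNE names the output file prefix + entry   */
/* type, so this produces QTEMP/QAUDITAF in the *TYPE5 layout.         */

/* Copy every AF entry from the current receiver chain (all receivers  */
/* still associated with QAUDJRN), not just the attached one.          */
CPYAUDJRNE ENTTYP(AF) OUTFILPFX(QAUDIT) OUTFILLIB(QTEMP) +
           JRNRCV(*CURCHAIN)

/* Confirm the field names on your release before writing queries.     */
DSPFFD FILE(QTEMP/QAUDITAF)

/* Quick look at the complete records, including the IFS path fields   */
/* that DSPAUDJRNE does not show.                                      */
RUNQRY QRY(*NONE) QRYFILE((QTEMP/QAUDITAF))
```

From STRSQL, a statement such as SELECT AFTSTP, AFUSPF, AFJOB, AFETYP, AFOLIB, AFONAM, AFOTYP FROM QTEMP/QAUDITAF ORDER BY AFTSTP narrows the output to what you usually need: when, which user and job, the violation type (A is "not authorized to object"), and the object. Those column names are from my recollection of the QASYAFJ5 layout, which is why the block runs DSPFFD first.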
* * *
Carol's Tech Tip
How SkyView Policy Minder can Help
SkyView Policy Minder is an i & i5/OS security compliance tool that provides a mechanism for comparing your systems' current settings against the requirements of your established (or desired) security policy. Policy Minder is about "enforcing" your security policy. Policy Minder is designed to automate the process of keeping your i5/OS and OS/400 security configuration in compliance with your existing security policy.
If you have initialized the system value category, Policy Minder brought in the current auditing system value settings and established those as your policy. Now, if any of those values change, a Policy Minder compliance check of the System value category will identify the changes. Finally, you can run Fixit to correct the deviation.
How SkyView Risk Assessor can Help
SkyView Risk Assessor is an i5/OS & OS/400 security diagnostic tool that performs an automated risk analysis. Risk Assessor is about "judging" your security configuration against best practices. Risk Assessor provides comprehensive, easy-to-understand, easy-to-produce and unbiased reports that fulfill the need for regular vulnerability assessments, as specified in nearly every security regulation, specification or standard.
- In the System value section of the main Risk Assessor report, the auditing system values are explained. Risk Assessor shows the system value name, its current setting, the recommended value, and whether the current setting deviates from best practice.
* * *
Carol Woodbury's Bio
Carol Woodbury is President and co-founder of SkyView Partners, Inc. and is the designer and architect of the SkyView Partners' products.
Carol has over 17 years in the security industry, 10 of those working as the Security Architect and Chief Engineering Manager of Security Technology for IBM's Enterprise Server Group.
Who is SkyView Partners?
SkyView Partners Inc. is a firm specializing in security policy and compliance software and services for IBM System i (AS/400, iSeries) customers.