~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carol Woodbury's IBM i & i5/OS Security Tip
Creating a Baseline and
Resolving an Audit Finding
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 2009
Greetings!
Recently a company received an audit finding because they didn't have a "baseline" of their current security setup. I was called in to help. When I'm called in to help remediate an audit finding, I want to make sure I understand the intent of the finding so that the solution that's put into place satisfies the requirements. Audit requirements can be vague, so it's important to understand the intent of the finding before doing any work.
As I discussed this requirement with the organization's security officer, he explained that their auditor was concerned that, because they had no baseline settings for their iSeries (IBM i), they had no way to know if something changed or to ensure all changes were managed through their change management system. Let's take a closer look.
Is having a baseline a reasonable audit requirement?
To me, this was a very reasonable requirement from the auditor. I have seen many organizations where administrators can change any setting they want without warning or gaining the approval of any other groups. I also see organizations set up authorization lists and re-work the authorities to critical files and then never bother to check periodically to make sure those settings don't degrade. The intent of this finding was to prevent this type of situation from occurring.
Because the audit finding didn't give the details on which parts of i5/OS should have a baseline, we needed to determine what made sense for their business. After all, the primary goal of an external audit is typically to ensure that processes and controls are in place to ensure the integrity of the organization's data.
We determined that the most critical areas for which a baseline was needed were: the security-relevant system values, the list of powerful users (that is, any user that has *ALLOBJ special authority or is a member of a group that has *ALLOBJ), users authorized to authorization lists and the object authority schemes of the organization's key applications. While these are the areas that make sense for the IBM i world, similar baselines could be developed for Unix or Windows - the list of users with root or admin rights, password composition rules, audit settings and file permissions, for example.
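The "powerful user" baseline above is the one that needs a little logic, because a profile can get *ALLOBJ either directly or through its group profile or supplemental groups. The following script is an added example, not code from this newsletter or from SkyView's products: it builds the list of powerful profiles from a set of user profile records, then compares a later list against the saved baseline so that any profile that has become powerful since the baseline shows up as a finding. All profile names and attributes are constructed sample data; the attribute names (SPCAUT, GRPPRF, SUPGRPPRF) are the real IBM i user profile parameters.

```python
# Added example, not from the newsletter or from SkyView Policy Minder:
# build the "powerful user" baseline and run a later compliance check
# against it.  A profile is powerful if it holds *ALLOBJ itself or through
# its group profile (GRPPRF) or supplemental groups (SUPGRPPRF).
# All profiles below are constructed sample data.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class UserProfile:
    name: str
    special_authorities: Set[str] = field(default_factory=set)    # SPCAUT
    group: Optional[str] = None                                   # GRPPRF
    supplemental_groups: List[str] = field(default_factory=list)  # SUPGRPPRF


def powerful_users(profiles):
    """Names of profiles holding *ALLOBJ directly or via a group profile.

    IBM i does not allow a group profile to be a member of another group,
    so one level of group lookup is sufficient.
    """
    by_name = {p.name: p for p in profiles}
    powerful = set()
    for p in profiles:
        if "*ALLOBJ" in p.special_authorities:
            powerful.add(p.name)
            continue
        groups = ([p.group] if p.group else []) + list(p.supplemental_groups)
        if any("*ALLOBJ" in by_name[g].special_authorities
               for g in groups if g in by_name):
            powerful.add(p.name)
    return sorted(powerful)


def check_against_baseline(baseline, current):
    """Compliance check with 'allow new profile' set to no: any powerful
    profile not in the baseline is a finding.  Profiles that dropped out
    are reported too, so the baseline can be updated through change control."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "no_longer_powerful": sorted(set(baseline) - set(current)),
    }


# Constructed baseline: the system as it looked when the policy was created.
BASELINE_PROFILES = [
    UserProfile("QSECOFR", {"*ALLOBJ", "*SECADM", "*AUDIT"}),
    UserProfile("ADMIN1", group="QSECOFR"),
    UserProfile("OPER1", {"*JOBCTL"}, supplemental_groups=["QSECOFR"]),
    UserProfile("APPUSER"),
]

# Constructed current state: a new group DEVGRP with *ALLOBJ, a new member
# of the QSECOFR group, and OPER1 removed from the QSECOFR group.
CURRENT_PROFILES = [
    UserProfile("QSECOFR", {"*ALLOBJ", "*SECADM", "*AUDIT"}),
    UserProfile("ADMIN1", group="QSECOFR"),
    UserProfile("OPER1", {"*JOBCTL"}),
    UserProfile("APPUSER"),
    UserProfile("NEWADM", group="QSECOFR"),
    UserProfile("DEVGRP", {"*ALLOBJ"}),
    UserProfile("DEV1", group="DEVGRP"),
]

if __name__ == "__main__":
    baseline = powerful_users(BASELINE_PROFILES)
    result = check_against_baseline(baseline, powerful_users(CURRENT_PROFILES))
    print("baseline powerful users:", baseline)
    print("findings:", result)
```

Note that DEVGRP itself is reported: a group profile that holds *ALLOBJ is a powerful user in its own right, and every profile placed in that group inherits the authority, which is why the article's template looks at group membership and not only at the SPCAUT parameter.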
("Creating a Baseline and Resolving an Audit Finding" is continued below.)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Free Webinar - Wednesday, June 24th @ 8:00 am PDT
"Getting the Most out of your Audit Journal" presented by Carol Woodbury
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The i5/OS audit journal has a wealth of information, but most people think of it solely as a repository for authority failure information or that if they turn on auditing, they'll have to review each and every record. Neither is true!
In this free, 60-minute Webinar, Carol will discuss audit configuration, various methods for obtaining information from the audit journal, how to write reports to help with compliance issues, and using the information in the audit journal to aid in debugging day-to-day issues.
Time permitting, Carol will also address other key topics, give helpful advice, & field questions from the audience.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
("Creating a Baseline and Resolving an Audit Finding" continued from above.)
How SkyView Partners can Help
Creating the system value baseline was very easy. All we had to do was take the option to initialize the system value policies, and SkyView Policy Minder for IBM i & i5/OS gathered up all of the current settings and created the system value baseline (or "policy") for us. We printed the policy using the Print Policy (PRTPOL) command, and that category was done.
We did the same thing for authorization lists. By initializing the authorization list category, Policy Minder found all of the authorization lists on the system along with the users and their authorities and made that the authorization list policy (i.e., baseline). We printed the policy and went on to address the issue of powerful users.
To create the baseline for all of the powerful users (i.e., users with *ALLOBJ special authority or in a group with *ALLOBJ) we created a user profile template. We defined the template so that Policy Minder would find all of the users that either have *ALLOBJ special authority or are in the QSECOFR group. (If they had other groups with *ALLOBJ, we would have included those as well.) Then we set the template attribute called "Allow new profile" to *NO. Once the template was created, we ran a compliance check on the template. This first compliance check established the baseline of the profiles that have *ALLOBJ and/or are members of QSECOFR. We printed this list using the Print Compliance (PRTCPL) command.
Now it was on to the security scheme of the applications. To develop the baseline (policy) for the applications' security settings we first had to decide which applications to address. We decided that the financial and inventory control applications were the most critical to the organization. (This choice will obviously vary from organization to organization.) We created a library template for each application using the library category of Policy Minder. This allowed us to document the owning profile, *PUBLIC and private authority settings, adopted authority settings and the authorization list securing the application objects. Once these templates were defined, we ran PRTPOL to document the baseline settings.
Ongoing Examinations
While not explicitly stated as a requirement, we also felt that the auditors would expect the baselines to be examined on an ongoing basis. To accomplish this, we scheduled weekly compliance checks using Policy Minder's CHECK command. The reports automatically emailed to the administrators by CHECK will point out any differences between the actual settings on the system and the settings as defined in the policy or, as in the case of the powerful users, any profile created with or changed to have *ALLOBJ or be a member of QSECOFR since the last compliance check. Issues will either be remediated or, if the appropriate change control has been approved, the policy will be modified. Regardless of whether issues are identified or the reports' summary page states that everything is in compliance, the reports will be proof to the auditors that the policies (baselines) are being checked regularly.
Could we have done more? Absolutely. We could have taken advantage of Policy Minder's ability to monitor programs that adopt a particular profile, such as QSECOFR. But for this particular audit requirement, we felt this was the best way to start. This organization may choose to broaden their baselines in the future, but for now, the audit requirement is fulfilled.
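The initialize-then-check cycle described above (snapshot the current settings as the policy, then report every difference at each weekly check) is easy to express in a few dozen lines. The script below is an added example and is not Policy Minder's code or output format: it covers the system value and authorization list categories, keeps only security-relevant system values in the policy so that unrelated changes are not reported, and produces the kind of summary line the article says the report's summary page gives. The system value names are real IBM i names; every value and authorization list entry is constructed sample data.

```python
# Added example, not from the newsletter or from SkyView Policy Minder:
# a minimal policy for security-relevant system values and authorization
# list entries.  The policy is "initialized" from the current settings,
# and a later check reports every difference from it.  The system value
# names are real IBM i names; the values and list entries are constructed.

SECURITY_SYSTEM_VALUES = ("QSECURITY", "QPWDMINLEN", "QPWDEXPITV",
                          "QAUDCTL", "QLMTSECOFR")


def initialize_policy(system_values, authorization_lists):
    """Snapshot the current settings as the policy (baseline).

    Only the security-relevant system values are kept; authorization list
    entries are copied as user -> authority.
    """
    return {
        "system_values": {k: system_values[k]
                          for k in SECURITY_SYSTEM_VALUES if k in system_values},
        "authorization_lists": {name: dict(entries)
                                for name, entries in authorization_lists.items()},
    }


def check_compliance(policy, system_values, authorization_lists):
    """Return (category, item, expected, actual) tuples for every drift."""
    findings = []
    for name, expected in policy["system_values"].items():
        actual = system_values.get(name)
        if actual != expected:
            findings.append(("SYSVAL", name, expected, actual))
    for autl, expected_entries in policy["authorization_lists"].items():
        actual_entries = authorization_lists.get(autl, {})
        for user, authority in expected_entries.items():
            if actual_entries.get(user) != authority:
                findings.append(("AUTL", f"{autl}/{user}", authority,
                                 actual_entries.get(user)))
        # Entries added since the baseline (a user newly granted authority)
        for user in sorted(set(actual_entries) - set(expected_entries)):
            findings.append(("AUTL", f"{autl}/{user}", None, actual_entries[user]))
    return findings


def summary(findings):
    """One-line summary of the kind a report summary page would carry."""
    if not findings:
        return "All items in compliance with policy"
    return f"{len(findings)} item(s) out of compliance with policy"


# Constructed settings at the time the policy was initialized.  QTIME is
# included to show that non-security values are not part of the policy.
BASELINE_SYSVALS = {"QSECURITY": "40", "QPWDMINLEN": "8", "QPWDEXPITV": "90",
                    "QAUDCTL": "*AUDLVL", "QLMTSECOFR": "1", "QTIME": "120000"}
BASELINE_AUTLS = {"PAYROLL": {"*PUBLIC": "*EXCLUDE", "PAYCLERK": "*CHANGE"}}

# Constructed settings at a later weekly check: security level lowered,
# auditing switched off, *PUBLIC opened up and a new user on the list.
CURRENT_SYSVALS = {"QSECURITY": "30", "QPWDMINLEN": "8", "QPWDEXPITV": "90",
                   "QAUDCTL": "*NONE", "QLMTSECOFR": "1", "QTIME": "123000"}
CURRENT_AUTLS = {"PAYROLL": {"*PUBLIC": "*USE", "PAYCLERK": "*CHANGE",
                             "TEMPUSR": "*ALL"}}

if __name__ == "__main__":
    policy = initialize_policy(BASELINE_SYSVALS, BASELINE_AUTLS)
    findings = check_compliance(policy, CURRENT_SYSVALS, CURRENT_AUTLS)
    for finding in findings:
        print(finding)
    print(summary(findings))
```

Each finding carries both the policy value and the actual value, which is what the administrator needs in order to decide between the two outcomes the article names: put the setting back, or, if the change went through change control, update the policy so the next check is clean.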
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SkyView Partners Solutions
SkyView Partners is dedicated to providing software to help you tackle your security compliance and policy issues.
SkyView Policy Minder is an IBM i & i5/OS security compliance management tool that automates security policy compliance monitoring and delivers comprehensive security administration functionality. With Policy Minder you can monitor compliance with security policy and quickly return your security configuration to comply with the established security policy.
SkyView Risk Assessor is an automated IBM i & i5/OS security diagnostic tool that analyzes security information from more than 100 "risk points" across i5/OS & OS/400. With Risk Assessor you see your system's security settings compared to security best practices. The output lets you understand vulnerabilities and determine adjustments to security policy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
News Article:
"Poor Economy Leads To Rise In Sneaky IT Behavior"
DarkReading
by Kelly Jackson Higgins
11 Jun 2009
More than one-third of IT professionals have used their admin rights to view human resources records, customer databases, M&A plans, layoff lists, and marketing information.
IT snooping is on the rise, with more IT professionals admitting they're tempted to abuse their access privileges, according to a newly released report ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Free Webinar
During this webinar Carol Woodbury demonstrates how SkyView Policy Minder allows you to document your policy, discover differences between the current settings and your policy requirements and fix the settings to match your policy requirements.
Carol will show actual examples of some of the more than 20 manual security compliance processes that she has encountered at clients and how these processes have now been replaced and automated using SkyView Policy Minder, cutting compliance costs dramatically.
About Carol Woodbury ...
Carol Woodbury is President and co-founder of SkyView Partners Inc., a company specializing in security policy and compliance software and services. Carol is a system security expert, a noted author, an award-winning presenter and architect of the SkyView products.
About SkyView Partners ...
SkyView Partners is committed to delivering security compliance products and services that provide our customers with sound advice that saves them time and reduces the costs and complexities of attaining and maintaining compliance.
For more information
425-458-4975
© Copyright 2009 SkyView Partners Inc.
All rights reserved.