Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
html
By Dan Riehl
Adapted from System iNEWS Magazine article “Common Sense Security Auditing” by Dan Riehl
The IBM System i provides a plethora of options when it comes to auditing security-related events. I
think many of us have shied away from auditing because, from a cursory view, auditing seems only
to eat up disk space and generate far more data than a normal human can digest. But I think if we
take a common sense approach to security auditing, it's possible to eliminate the drawbacks and
get the vital information we need to properly manage the system.
When we speak of security auditing, we are not talking about journaling database files and other
objects. We are not taking before and after images of data records. Security auditing is recording
security-related events to the system security journal named QAUDJRN. The events recorded are
incidents such as "Bad Password entered," "Attempt to access a file without proper authorization,"
"Joe accessed the sensitive Payroll file," "Library MYLIB deleted," and "Mary changed the
QSTRUPPGM system value." Only if we implement security auditing can these and many other
security-related events be trapped and recorded.
One of the main sources of confusion regarding auditing is that we have a feeling that it's an all or
nothing proposition. Either we have to audit everything or we don't audit anything. In this article, I
provide a simple game plan for configuring your OS/400 security auditing so that you can begin to
see, and manage, what's really happening on your system. Once you begin to see the benefits,
you will want to learn more about the system auditing options and features with a view to creating a
more stable and secure system.
*AUTFAIL -- Records failed sign-on attempts and unauthorized attempts to access files and
other objects
*SECURITY -- Records many security-sensitive operations such as changing a system value,
resetting the QSECOFR DST password, and changing Object authority and ownership
*SERVICE -- Records the use of System Service Tools (STRSST) and Dedicated Service Tools
(DST)
*DELETE -- Records the deletion of any object
*OBJMGT -- Records object move and rename operations (you need this only on a production
box)
*PGMFAIL -- Records programs running restricted MI instructions or accessing internal
OS/400 structures through unsupported interfaces (required information if you're moving to
system security level 40 from a lower level)
There are many more options one could use for the AUDLVL values, but some of these (e.g.,
*PGMADP, *JOBDTA, *SPLFDTA) can generate a ton of journal entries and are normally of little
value.
The *OBJAUD value means that we want to audit certain files and other objects that we will identify
in step two as being sensitive. The *NOQTEMP value means that we don't want to audit anything a
job does in its own QTEMP library. (For example, at the end of a job, the system deletes all objects
in QTEMP. By specifying *NOQTEMP, we prevent the recording of all these routine deletions.)
With an OBJAUD (Object Auditing) value of *NONE, the system performs no object auditing for the
object. A value of *CHANGE causes the system to audit all changes to the object. The value *ALL
audits each change or use of the object. The value *USRPRF instructs the system to check the
user profile's OBJAUD parameter to see what, if any, auditing it should perform. This is the value
we'll use for heavily used files, which we'll discuss in a moment.
When the audited object is a database file, the system records any OPEN operation against the
file. If *ALL is specified for OBJAUD, the system records all file OPEN operations. If *CHANGE is
specified, the system records only OPEN for UPDATE operations. Security auditing doesn't care
whether records are altered, so the OPEN for INPUT only or OPEN for UPDATE is the only thing
recorded. To audit the contents of an IFS file, you can use commands CHGDLOAUD (Change
Document Library Object Audit) and CHGAUD (Change Audit).
So, for seldom-used sensitive files, we'll turn on object auditing as follows (where myfile and
mylibrary indicates your sensitive file):
This will record every file OPEN operation, as well as the execution of CL commands that access or
change the file object.
For heavily used files, we have to use a different approach (Figure 1). In this case, we'll set the
OBJAUD value of the object to *USRPRF. This means we'll record file accesses only if the user
profile performing the access has its object auditing value set to indicate that object accesses for
that user should be recorded.
Using this approach, we do not audit file access by the typical end users of the file, which filters out
normal accesses we don't want to read about anyway. Who cares if the payroll clerk accesses the
payroll file? To understand how we record file accesses only by certain users, we need to know the
relationship between object auditing and user auditing.
If we specify *NONE for OBJAUD, recording of access to objects is controlled completely by the
object itself. For instance, if the object's OBJAUD value is *NONE or *USRPRF, no auditing takes
place. If the object's OBJAUD value is set to *ALL, the system records all operations. If the
OBJAUD value is set to *CHANGE, the system records only change operations.
If we specify *CHANGE or *ALL for the user profile's OBJAUD value, the system checks the object
to see whether the object's OBJAUD value is set to *USRPRF. If that's true, then the user profile
OBJAUD value takes control to record all accesses (or only change accesses) to the object.
In the scenario where we want to record sensitive object access only for certain users, we set the
OBJAUD value in the object to *USRPRF and set the OBJAUD value in the user profile to *ALL or
*CHANGE:
One note of caution: When first implementing auditing for objects, watch out for system
performance degradation. Many times, when using the techniques described here, the
performance impact may be negligible -- but not always. It may be that, due to performance
problems, it will only be possible to turn on object auditing for a small sampling period (e.g., 20
minutes) to see which users are accessing certain objects.
command executed by the user. For commands contained in CL programs that were created as
*LOG(*NO) and ALWRTVCLSRC(*NO), the entire command string isn't logged, but at least the
command name is logged.
Here is a common sense way to set up user auditing for a powerful or inquisitive user:
journal entries:
The ENTTYP parameter indicates the type of information we want to view. In this example, we
indicate the entry type as "AF," which displays authority failures. Using the DSPAUD JRNE
command is a challenge because we need to know what journal entry types we want to view.
Pressing F1 (Help) in the command prompt lists the allowable values for a specific entry type.
Again, the Security Reference is the best resource for locating the entry types and what they mean.
Some of the more common entry types listed in the V5R2 Security Reference are in Figure 3.
While we haven't discussed all the possible actions one could take to start and configure system
security auditing, we've established a great "common sense" starting point.
Figure 3
From IBM’s iSeries Security Reference IBM Pub# SC41-5302-06
Entry
Type Description
AD Auditing changes
AF Authority failure
AP Obtaining adopted authority
AU Attribute changes
CA Authority changes
CD Command string audit
CO Create object
CP User profile changed, created, or restored
DO Delete object
DS DST security password reset
JD Change to user parameter of a job description
JS Actions that affect jobs
NA Network attribute changed
OM Object move or rename
OR Object restore
OW Object ownership changed
PA Program changed to adopt authority
PO Printed output
PS Profile swap
PW Invalid password
SE Subsystem routing entry changed
SF Actions to spooled files
SM System management changes
ST Use of service tools
SV System value changed
VL Account limit exceeded
VP Network password error
YC DLO object accessed (change)
YR DLO object accessed (read)
ZC Object accessed (change)
ZR Object accessed (read)