IBM i journals and logs are the trusted source of audit information accepted by IBM i security and audit professionals, as they contain a trail of access attempts, command line activity, changes to sensitive data, changes to system objects and more. However, IBM i log files contain massive amounts of data, and they are difficult to set up, report on and alert on.
View this webcast on-demand to learn more about key topics such as:
• Key IBM i logs
• Auditing and monitoring for security incidents
• Leveraging 3rd party solutions that analyze security data
• How Syncsort can help
Security 101: IBM i Security Auditing and Reporting
1. Security 101: IBM i Security Auditing and Reporting
Richard Marko
Director, Technical Services – Security Products
2. Today’s Agenda
• Key IBM i Logs
• Basics of Security Monitoring
• Leveraging 3rd Party Solutions
• How Syncsort Can Help
3. IBM i Audit Logs
IBM i has GREAT audit logs
• System Journal – QAUDJRN
• Other IBM Journals are available
• Database (Application) Journals – for Before and After Images
• QHST Log Files – DSPLOG Command
• System Message Queues – QSYSOPR, QSYSMSG
But, they are not easy to use for inquiry, reporting, and alerting.
4. IBM i System Journal (QAUDJRN) is your Friend
• Make sure QAUDJRN is active on your system - DSPSECAUD
• If not, turn it on manually or with CHGSECAUD
• What settings should you have?
• QAUDCTL – *AUDLVL, *OBJAUD, *NOQTEMP
• QAUDLVL – Depends how far you want to go
• QAUDLVL2 – Use if you have more than 15 values; you must then specify *AUDLVL2 in QAUDLVL
• QAUDENDACN - *NOTIFY (Default)
• QAUDFRCLVL - *SYS (Default)
• IBM has subsetted the Audit Levels so they are more granular and specific
• There are over 35 settings in OS 7.3
• For *ATNEVT – Attention Events, there is more setup (Intrusion Detection System) in the IBM Navigator for i
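The QAUDCTL / QAUDLVL / QAUDLVL2 rules on this slide can be turned into a quick configuration check. The helper below is an added example written for this page, not code from the deck or from Syncsort; the input dictionary and its sample values are constructed, shaped the way you would transcribe DSPSYSVAL or DSPSECAUD output.

```python
"""Check IBM i security-audit system values against the slide's settings:
QAUDCTL carrying *AUDLVL, *OBJAUD and *NOQTEMP, *AUDLVL2 present in QAUDLVL
whenever QAUDLVL2 is used, and the defaults for QAUDENDACN / QAUDFRCLVL."""

REQUIRED_QAUDCTL = {"*AUDLVL", "*OBJAUD", "*NOQTEMP"}
# QAUDLVL holds at most 16 values; one slot goes to *AUDLVL2 when the
# overflow system value QAUDLVL2 is used, hence the slide's "more than 15".
QAUDLVL_MAX = 16

def audit_levels(sysvals):
    """Effective set of action-audit levels: QAUDLVL, plus QAUDLVL2 only
    when QAUDLVL names *AUDLVL2 (otherwise the OS ignores QAUDLVL2)."""
    levels = set(sysvals.get("QAUDLVL", []))
    if "*AUDLVL2" in levels:
        levels |= set(sysvals.get("QAUDLVL2", []))
        levels.discard("*AUDLVL2")
    return levels

def check_security_audit(sysvals):
    """Return a list of findings; an empty list means the settings match."""
    findings = []
    ctl = set(sysvals.get("QAUDCTL", []))
    if not ctl or "*NONE" in ctl:
        findings.append("QAUDCTL is *NONE: QAUDJRN auditing is off (see CHGSECAUD)")
    for value in sorted(REQUIRED_QAUDCTL - ctl):
        findings.append(f"QAUDCTL is missing {value}")
    lvl = sysvals.get("QAUDLVL", [])
    if len(lvl) > QAUDLVL_MAX:
        findings.append(f"QAUDLVL has {len(lvl)} values, the maximum is {QAUDLVL_MAX}")
    if sysvals.get("QAUDLVL2") and "*AUDLVL2" not in lvl:
        findings.append("QAUDLVL2 is set but QAUDLVL lacks *AUDLVL2, so it is ignored")
    if sysvals.get("QAUDENDACN", "*NOTIFY") != "*NOTIFY":
        findings.append("QAUDENDACN is not the default *NOTIFY")
    if sysvals.get("QAUDFRCLVL", "*SYS") != "*SYS":
        findings.append("QAUDFRCLVL is not the default *SYS")
    return findings

# Constructed sample: *NOQTEMP missing from QAUDCTL, overflow list in use.
SAMPLE = {
    "QAUDCTL": ["*AUDLVL", "*OBJAUD"],
    "QAUDLVL": ["*AUTFAIL", "*SECURITY", "*AUDLVL2"],
    "QAUDLVL2": ["*SERVICE", "*PGMFAIL"],
    "QAUDENDACN": "*NOTIFY",
    "QAUDFRCLVL": "*SYS",
}

if __name__ == "__main__":
    print(sorted(audit_levels(SAMPLE)))
    print(check_security_audit(SAMPLE))
```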
5. Other Levels of Auditing in QAUDJRN
• The System Journal is made up of three levels of auditing:
• System
• User
• Object
• They work together (inclusive)
• Use the commands CHGUSRAUD and CHGOBJAUD to specify additional, more specific auditing
• *CMD can only be included in User Auditing (CHGUSRAUD) – good for Privileged Users
• Object Auditing (CHGOBJAUD) is good for Critical or Private/Confidential files
6. Change User Auditing - CHGUSRAUD
• For Object Auditing Value and User Action Auditing
• Object Auditing will log change accesses (*CHANGE) or change and read accesses (*ALL) this user does to objects.
• User Action Auditing specifies the level of activity audit for this user profile.
• The full list of QAUDLVL codes is available PLUS *CMD to log every command this user executes on the system.
• Using *CMD for privileged users is recommended.
7. Change Object Auditing - CHGOBJAUD
• For Object Auditing Value
• Object Auditing will log change accesses (*CHANGE) or change and read accesses (*ALL) to this object.
• If *USRPRF is specified, the system then looks at the user's Object Auditing Value setting (DSPUSRPRF) to determine if the object is audited and how.
8. Object Auditing
Where does it come from:
• System Value – QCRTOBJAUD
• Default auditing value when objects are created into a library or directory
• The options are *NONE, *USRPRF, *CHANGE, and *ALL
• Library Description – CRTOBJAUD parameter
• Specifies the auditing value for objects created in this library
• *SYSVAL is the default value
• The other options are *NONE, *USRPRF, *CHANGE, and *ALL
• User Profile
• Auditing parameters are not available on the CRTUSRPRF or CHGUSRPRF commands
• Must use the CHGUSRAUD command to set them
• The options for Object Auditing are *NONE, *CHANGE, and *ALL
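The CHGUSRAUD, CHGOBJAUD and QCRTOBJAUD / CRTOBJAUD slides together define how an object's auditing level is resolved and which accesses end up in QAUDJRN. The helper below is an added example written for this page, not an IBM API or code from the deck; the function names and the constructed scenario in the `__main__` block are mine, and it also models the precondition from the QAUDJRN slide that QAUDCTL must contain *OBJAUD for any object auditing to occur.

```python
"""Resolve how an IBM i object ends up audited: creation value from the
library's CRTOBJAUD or the QCRTOBJAUD system value, *USRPRF deferring to the
user's CHGUSRAUD OBJAUD value, and *CHANGE / *ALL deciding what is logged."""

CREATE_VALUES = ("*NONE", "*USRPRF", "*CHANGE", "*ALL")  # QCRTOBJAUD / CRTOBJAUD
USER_VALUES = ("*NONE", "*CHANGE", "*ALL")               # CHGUSRAUD OBJAUD

def creation_audit_value(qcrtobjaud, lib_crtobjaud="*SYSVAL"):
    """Auditing value a newly created object receives: the library's CRTOBJAUD,
    or the QCRTOBJAUD system value when the library is left at *SYSVAL."""
    value = qcrtobjaud if lib_crtobjaud == "*SYSVAL" else lib_crtobjaud
    if value not in CREATE_VALUES:
        raise ValueError(f"invalid auditing value {value!r}")
    return value

def effective_object_audit(obj_audit, user_objaud="*NONE"):
    """Level actually applied to an object: *USRPRF defers to the accessing
    user's Object Auditing value (set by CHGUSRAUD, shown by DSPUSRPRF)."""
    if obj_audit == "*USRPRF":
        obj_audit = user_objaud
    if obj_audit not in USER_VALUES:
        raise ValueError(f"invalid auditing value {obj_audit!r}")
    return obj_audit

def is_logged(access, obj_audit, user_objaud="*NONE",
              qaudctl=("*AUDLVL", "*OBJAUD", "*NOQTEMP")):
    """True when a 'read' or 'change' access writes a QAUDJRN entry:
    *CHANGE logs changes only, *ALL logs reads and changes, *NONE nothing.
    Object auditing happens at all only if QAUDCTL contains *OBJAUD."""
    if access not in ("read", "change"):
        raise ValueError("access must be 'read' or 'change'")
    if "*OBJAUD" not in qaudctl:
        return False
    level = effective_object_audit(obj_audit, user_objaud)
    return level == "*ALL" or (level == "*CHANGE" and access == "change")

if __name__ == "__main__":
    # Constructed scenario: library at *SYSVAL, QCRTOBJAUD = *USRPRF, and a
    # privileged user whose CHGUSRAUD OBJAUD(*ALL) makes even reads auditable.
    obj = creation_audit_value("*USRPRF")
    print(obj, is_logged("read", obj, user_objaud="*ALL"))  # *USRPRF True
```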
9. Other IBM i Journals
Working with IBM-supplied journals – v7.3
• QACGJRN QSYS - Keeps job accounting information. Job Accounting in the Work Management topic describes the use of this optional journal.
• QPFRADJ QSYS - Keeps a log of dynamic performance tuning information. Job Accounting in the Work Management topic describes using this optional journal.
• QAOSDIAJRN QUSRSYS - Provides recovery for the document library files and the distribution files. Used by Integrated xSeries Server.
• QPMCCCAJRN QUSRSYS - A system managed journal used internally by performance data collectors to ensure the integrity of their database transactions.
• QASOSCFG QUSRSYS - The journal for the QASOSCFG physical file. The QASOSCFG file stores secure client SOCKets Secure (SOCKS) configuration data. The Client SOCKS support topic provides more information about SOCKS.
• QSNADS QUSRSYS - Provides an audit trail for SNADS activity.
• QAUDJRN QSYS - Keeps an audit record of security-relevant activity on the system. The Security Reference describes this optional journal.
• QSZAIR QUSRSYS - A journal for Storage Management Services (SMS)
• QCQJMJRN QUSRSYS - Provides an audit trail for Managed System Services.
• QSNMP QUSRSYS - Provides an audit trail for network management information. Simple Network Management Protocol (SNMP) describes using this journal.
• QDSNX QUSRSYS - Provides an audit trail for DSNX activity.
• QSXJRN QUSRSYS - Provides a log of the activity that occurs in the database files for service-related activity. Keep the information in this journal for 30 days.
• QIPFILTER QUSRSYS - Provides information for troubleshooting and auditing IP filter rules. See the IP filtering and network address translation topic for more information about IP filtering rules.
• QTOVDBJRN QUSRSYS - A journal for virtual private networking (VPN).
• QIPNAT QUSRSYS - Provides information for troubleshooting and auditing network address translation (NAT). See the IP filtering and network address translation topic for more information about NAT.
• QVPN0001 QUSRSYS - Provides an audit trail for Virtual Private Networking (VPN) connections. TCP/IP Configuration and Reference describes this journal.
• QLYJRN QUSRSYS - Keeps a log of transactions made to the Application Development Manager datastore files.
• QYPSDBJRN QUSRSYS - A journal for the systems management platform
• QLYPRJLOG QUSRSYS - Keeps the project logs for the Application Development Manager licensed program. Used by the system if recovery is necessary.
• QZCAJRN QUSRSYS - Contains a record for each SNMP PDU in and out of the SNMP agent, by PDU type (SNMP GET, SNMP GETNEXT, SNMP SET, SNMP TRAP).
• QLZALOG QUSRSYS - Used by the license management program to log requests that exceed the usage limit of a license.
• QZMF QUSRSYS - Provides an audit trail for the mail server framework. AnyMail/400 Mail Server Framework Support provides more information about this journal.
10. File Journaling
Set up journaling for Database files (*FILE) and IFS Stream files (*STMF) for sensitive objects to get a complete audit of changes, including adds, changes, and deletes to data/files.
Also used by:
• HA/DR Software packages like MIMIX and Quick-EDD/HA
• Application Development teams for Commitment Control
Commands:
• CRTJRNRCV JRNRCV(MYLIB/MYRCV0001)
• CRTJRN JRN(MYLIB/MYJRN) JRNRCV(MYLIB/MYRCV0001)
• STRJRNPF FILE(MYLIB/MYFILE) JRN(MYLIB/MYJRN) IMAGES(*BOTH)
• STRJRN OBJ(('/mydir/dir1/stmf1' *INCLUDE)) JRN('/qsys.lib/mylib.lib/myjrn.jrn')
12. Basics of Security Monitoring
A strong IBM i security foundation requires solutions that draw a perimeter around your system and its data – capturing security data that you can monitor.
With security tools you can:
• Gain visibility into system and data access
• Track changes to system settings and data
• Control expanding privileges and track the actions of powerful user profiles
• Strengthen login security and track failed attempts
• See your environment the way a malicious actor would see it
You can’t monitor what you aren’t watching!
13. Alerts and Reporting
Security tools generate the log entries required to create a complete audit trail of events on your system. By leveraging that information to generate alerts and reports, those tools will also:
• Simplify the process of analyzing complex IBM i journals
• Detect security incidents when they occur
• Quickly highlight compliance deviations
• Raise alerts and deliver reports in multiple formats
• Distribute reports via SMTP, FTP, IFS, SIEM
Full visibility into security issues!
14. SIEM Integration
• Security tools allow you to:
• Gain visibility into activities on your system
• Be alerted to security events that require your attention
• Create reports for compliance and security auditors, partners, customers and your management team
• Integrating data from those solutions into a Security Information and Event Management (SIEM) solution adds the benefits of:
• Integrating IBM i security data with data from other IT platforms
• Analyzing security data using advanced SIEM technology for correlation, pattern matching, and threat detection
• Supporting information sharing and collaboration across teams
• Facilitating integration with case management and ticketing systems
• Demonstrating regulatory compliance
16. Syncsort’s Security products address the primary issues that should be on every security officer and system admin’s radar screen
• Sensitive Data Protection – Protecting the privacy of sensitive data by ensuring that it cannot be read by unauthorized persons, using encryption, tokenization and secure file transfer
• Intrusion Detection/Prevention – Ensuring comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise
• Security & Compliance Assessments – Assessing your security risks or regulatory compliance
• Auditing and Monitoring – Gaining visibility into all security activity on your IBM i and optionally feeding it to an enterprise console
17. Professional Services
Syncsort’s Global Professional Security Services team combines years of security experience and expertise to add value to your IT team. Whether you are preparing for a single-site audit or a multi-faceted enterprise implementation, our Professional Services group enables you to implement security on your system quickly while applying proven best practices and reducing your cost of ownership.
• Secure your systems and data
• Meet compliance requirements
• Focus internal resources on business requirements
• Take advantage of extensive security experience and expertise
• Stay current with security technologies and best practices
• Fast-track security implementations
• Accelerate skills acquisition
• Gain peace of mind
18. Managed Services
Protect your mission-critical data with the highest level of security with Syncsort’s exclusive Managed Security Service offerings. Let the experts of the Syncsort Global Services team handle all of the monitoring, optimization, software updates and testing of your Syncsort security solutions so that staff can focus on other IT priorities.
• Reduce the chances of a security breach or a compliance violation
• Free your IT staff to work on other important projects
• Benefit from the vast experience of Syncsort experts
• Enjoy the latest security features with automated software updates
• Receive a free yearly Security Risk Assessment as part of the deal