
Getting Started with IBM i Security


Page 1: Getting Started with IBM i Security

© 2014 HelpSystems, LLC. All trademarks and registered trademarks are the property of their respective owners

GETTING STARTED WITH

IBM I SECURITY

Rev: 09/13/12

Welcome

Page 2: Getting Started with IBM i Security


Your Presenter

ROBIN TATAM, CISM

Director of Security Technologies

952-563-2768

[email protected]

Page 3: Getting Started with IBM i Security


Within 5 years, the amount of data stored

worldwide will grow by

4,300%

Did You Know…

Page 4: Getting Started with IBM i Security


80% of that growth will be on enterprise

servers like yours.

Did You Know…

Page 5: Getting Started with IBM i Security


— Colin Parris

The world is already swimming in

8 zettabytes (ZB) of data collected from more than a trillion mobile

endpoints on the “internet of things.”

Did You Know…

Page 6: Getting Started with IBM i Security


What Is a Zettabyte?

Page 7: Getting Started with IBM i Security


Ask yourself…

o How will this impact your Power Server?

o Do you have the proper tools to manage this growth?

o How do you go about securing this data in a live environment?

o How do you address data usage?

o Who is using the data and why?

o How can you keep your servers compliant?

Big Data and Your Data Center

Page 8: Getting Started with IBM i Security


In The Blue Corner…

Security vs. Compliance

Page 9: Getting Started with IBM i Security


Security

A state of being whose ultimate objective is to prevent unauthorized

or undesired activity

Security vs. Compliance

Page 10: Getting Started with IBM i Security


Compliance

The adherence to a stated policy or standard

Security vs. Compliance

Page 11: Getting Started with IBM i Security


Warning: You can be fully compliant even if the policy or standard does not outline desirable practices!

Security vs. Compliance

Policy:

• Don’t audit

• Allow any user to modify data

• Permit data to be taken home

Page 12: Getting Started with IBM i Security


The primary goal of a compliance standard is to act as a guideline to help maintain an acceptable level of operating procedures and security.

Regulations are:

– Not a precise technical roadmap

– Have to be interpreted

– Often outline a basic minimum

Security vs. Compliance

Page 13: Getting Started with IBM i Security


Businesses rely on auditors to be interpreters.

Unfortunately, many don’t speak the ‘i’ language.

4.3.2 Privileged account access should…

Don’t grant end users *ALLOBJ

Security vs. Compliance

Page 14: Getting Started with IBM i Security


Okay SOX, what should I set my

system values to?!

Regulations don’t usually speak ‘technology’, and certainly don’t speak ‘i’.

Security vs. Compliance

Page 15: Getting Started with IBM i Security


Far too many organizations approach compliance as the sole objective without seeing the value to their security.

Security vs. Compliance

What’s the least I can do and still be able to check

the box to say I did it?

Page 16: Getting Started with IBM i Security


Unfortunately, the fact that most organizations have to invest so much to achieve compliance shows how our security has fallen short.

Make security your objective; compliance will often take care of itself.

Security vs. Compliance

Page 17: Getting Started with IBM i Security


Do you have your own regulatory directive?

Security vs. Compliance

Page 18: Getting Started with IBM i Security


Maybe you say NO! as you don’t have to deal with

PCI, HIPAA, SOX, GLBA, BASEL II, etc.

Security vs. Compliance

Page 19: Getting Started with IBM i Security


But everyone

should have one

Security vs. Compliance

Page 20: Getting Started with IBM i Security


It’s called a

security policy

Security vs. Compliance

Page 21: Getting Started with IBM i Security


How susceptible is my IBM Power Systems

server to attack?

“I was assured this server was secure!”

Why Do We Care? We’re On Power Systems!

Page 22: Getting Started with IBM i Security


Page 23: Getting Started with IBM i Security


The IBM i operating system is secure

Why Do We Care? We’re On Power Systems!

Page 24: Getting Started with IBM i Security


Why Do We Care? We’re On Power Systems!

Page 25: Getting Started with IBM i Security


The IBM i operating system is secure

Why Do We Care? We’re On Power Systems!

Page 26: Getting Started with IBM i Security


The IBM i operating system is highly securable

Why Do We Care? We’re On Power Systems!

Page 27: Getting Started with IBM i Security


Secure Securable

A Common Misconception

Page 28: Getting Started with IBM i Security


But are you using them?

IBM i contains numerous world-class security features!

A Common Misconception

Page 29: Getting Started with IBM i Security


PowerTech uses anonymous audit data from our Compliance Assessment tool to compile an annual study of security statistics.

This study (available online) provides a picture of what IBM i shops are currently doing with their security controls.

And, year after year, it shows that there is definitely still room (and a need) for improvement!

(The study sample consists of security-aware environments.)

This Popular Document Suggests Most People Aren’t!

Page 30: Getting Started with IBM i Security


QSECURITY: System Security Level

Page 31: Getting Started with IBM i Security


Who’s Using the Audit Journal?

Page 32: Getting Started with IBM i Security


Library Authority

Page 33: Getting Started with IBM i Security


In the 1990s, IBM supplemented Object Level security with a suite of exit points, which are temporary interruptions in an OS process in order to invoke a user-written program.

The function of an exit program for network access can be anything–but security officers typically want it to:

• Audit (as IBM doesn’t)

• Control (as good object security is often lacking)

It then has to return a pass/fail to the exit point.

A New Function of IBM i

Page 34: Getting Started with IBM i Security


Exit Point Coverage

Page 35: Getting Started with IBM i Security


Exit Point Coverage

Page 36: Getting Started with IBM i Security


Programmers: Claim they need *ALLOBJ authority to fix production applications

System Administrators: Claim they need *IOSYSCFG authority to configure and change the system

Operators: Claim they need *JOBCTL, *SPLCTL, and *SAVSYS to IPL and do backups and other specialized functions

Vendors: Can’t imagine running without Security Officer rights

Powerful Users

Page 37: Getting Started with IBM i Security


END USER # 427

Oh, and Let’s Not Forget…

Page 38: Getting Started with IBM i Security


Limit Capabilities *NO

User Class *PGMR

Initial Menu QSYS/MAIN

Special Authorities: *ALLOBJ, *JOBCTL

IBM Navigator for i

END USER # 427

Hackers Aren’t The Only Threat

Page 39: Getting Started with IBM i Security


Endless Examples of Insider Breaches

Page 40: Getting Started with IBM i Security


IBM i uses three main user entities:

1. User Profile

This is what we typically think of as a “user”

2. SST/DST User

A user of low-level system admin tools

3. Validation List Users

Maintained by applications (e.g., HTTP users)

User Profiles

Page 41: Getting Started with IBM i Security


User Profiles are objects of type *USRPRF.

They define each user’s capabilities, default environment settings, and resource authority.

IBM supplies a number of profiles with the system: basic ones, and others associated with licensed products (e.g., QSECOFR, QBRMS).

User Profiles

Page 42: Getting Started with IBM i Security


A profile/password is the biggest hurdle you can put between a person and your corporate data—so make it count!

Don’t ever assume “my users could not/would not (know how to) do that”—you already gave them a valid login.

General Requirements

Page 43: Getting Started with IBM i Security


Mistakes Are Made

Page 44: Getting Started with IBM i Security


Date: September 1, 2004 12:49pm

Author: R. H.

Subject: Oops!

HELP!!! I've accidentally deleted program QCMD in QSYS (spelling error using DLTPGM). The system has crashed. Any suggestions? I assume an IPL will be required, but is there anything else that can be suggested? This is bad.

A posting at iSeriesNetwork.com

*%#!, Now What Do I Do?!

Page 45: Getting Started with IBM i Security


How did this user fix this issue?

a) Restore the deleted object

b) Restore the operating system

c) IPL and reinstall the entire OS from media

*%#!, Now What Do I Do?!


Page 47: Getting Started with IBM i Security


The #1 issue cited by auditors is:

Control and monitoring of powerful users

Auditors Are In Agreement

Page 48: Getting Started with IBM i Security


Auditors Are In Agreement

What defines a powerful user?

1. Carry one or more special authorities

2. Granted private authority

3. Access to a system with permissive public access to production data

PLUS the ability to execute commands

Page 49: Getting Started with IBM i Security


User Class

Five templates exist to classify based on common types of users:

*SECOFR Security Officer

*SECADM Security Administrator

*SYSOPR System Operator

*PGMR Programmer

*USER User

User Settings

Page 50: Getting Started with IBM i Security


User Class

Each template controls IBM menu options and default special authority assignment:

*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

*SECOFR

*SECADM

*SYSOPR

*PGMR

*USER

User Settings

Page 51: Getting Started with IBM i Security


• IBM provides a custom resource—the Security Audit Journal—for recording security-related events.

• Consider setting up a profile with *AUDIT special authority specifically to maintain the auditing controls.

• Events are recorded to the audit journal based on the configuration of audit controls—system, user, object.

• The operating system does not come with a security audit journal; you have to create it before you can start auditing.

The Security Audit Journal

Page 52: Getting Started with IBM i Security


Who’s Using The Audit Journal

Page 53: Getting Started with IBM i Security


• First, create a library to contain the audit journal receivers:

CRTLIB LIB(SECJRNLIB) TEXT('Security Journal Library')

• This allows you to secure the contents, and makes it easier to manage audit data.

The Security Audit Journal

Page 54: Getting Started with IBM i Security


• The Security Audit Journal must be called QAUDJRN and it must reside in the QSYS library.

• Although you can create the components and set the system value controls manually, most people prefer to use the Change Security Auditing (CHGSECAUD) command to pull all the components together.

The Security Audit Journal

Page 55: Getting Started with IBM i Security


QAUDCTL – Auditing Control

• This system value acts as an on/off switch to activate the auditing function:

– Specify *NONE to turn auditing OFF

– Specify *AUDLVL to turn auditing ON

• Other recommended options include:

– *OBJAUD—enables object-level auditing

– *NOQTEMP—instructs the system to ignore activities in a job’s QTEMP temporary library

Starting To Audit

Page 56: Getting Started with IBM i Security


Auditing Values

• This parameter corresponds to the QAUDLVL system value, and its overflow companion QAUDLVL2.

• Use this value to designate what system-level activities you want to audit.

• A special value of *DFTSET translates to the following values:

*AUTFAIL, *CREATE, *DELETE, *SECURITY, *SAVRST

Starting To Audit

Page 57: Getting Started with IBM i Security


In IBM i 7.2, 18 categories are available for system-wide auditing. Three of these allow you to further customize them (indicated by italics).

*ATNEVT Attention Event

*AUTFAIL Authority Failure

*CREATE Object Creations

*DELETE Object Deletions

*JOBDTA Actions Affecting Jobs (*JOBxxx)

*NETCMN Network Communications (*NETxxx)

*OBJMGT Object Management

*OPTICAL Optical Drive Operations

Starting To Audit

Page 58: Getting Started with IBM i Security


Starting To Audit

*PTFOBJ Changes to PTF Objects

*PTFOPR PTF Operations

*PGMADP Program Adoptions

*PGMFAIL Program Failure

*PRTDTA Print Data

*SAVRST Save and Restore Operations

*SECURITY Security Operations (*SECxxx)

*SERVICE Service Functions

*SPLFDTA Spooled File Functions

*SYSMGT System Management

Note: All values, except *ATNEVT, can be specified for individual users.

Page 59: Getting Started with IBM i Security


Auditing a User Profile

Page 60: Getting Started with IBM i Security


• In addition to system-wide auditing, you can audit specific user activities.

• Turn on user auditing using the Change User Auditing (CHGUSRAUD) command. This is distinct from the normal profile commands (for separation of duties).

• User auditing works with object-level auditing to audit specific objects when they are accessed by audited users.

• In addition to QAUDLVL values, an extra option (*CMD) is available for select user-profile auditing.

Auditing a User Profile

Page 61: Getting Started with IBM i Security


Auditing an Object

Page 62: Getting Started with IBM i Security


• The operating system allows you to audit access to specific objects.

• Object auditing works with user-level auditing to audit specific objects when they are accessed by audited users.

• Turn on object auditing using the Change Object Auditing (CHGOBJAUD) command after you specify *OBJAUD in the QAUDCTL system value.

• Specify either *ALL or *CHANGE to audit file opens, or file-open-for-change requests.

Auditing an Object

Page 63: Getting Started with IBM i Security


• Specify *USRPRF to have the operating system check the user profile’s OBJAUD value to determine if object auditing is required, and what operations (Read/Change) to record.

NOTE: This is an object-level operation and does NOT audit data changes. Database journaling is required for record/field auditing.

• To audit an object in the IFS, follow the same procedure, but use the Change Auditing Value (CHGAUD) command.

Auditing an Object

Page 64: Getting Started with IBM i Security


To Audit New Objects

A new object inherits its auditing value from the CRTOBJAUD library attribute where it resides.

If the library has a value of *SYSVAL, the value is inherited from the QCRTOBJAUD system value (default of *NONE).

CAUTION: Changing the QCRTOBJAUD system value could generate a potentially large number of auditing events.

Auditing an Object
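The setup steps from the preceding slides, pulled together as one CL program. This is an added example, not part of the original presentation; the profile APPADMIN01, the library PRODLIB, the files CUSTMAST and PAYMAST, and the IFS path are hypothetical names, and the job is assumed to run under a profile holding *ALLOBJ and *AUDIT special authority.

```cl
/* Added example: enable system, user and object auditing.          */
/* APPADMIN01, PRODLIB, CUSTMAST, PAYMAST and the IFS path are      */
/* hypothetical; SECJRNLIB is the library name used on the slides.  */
PGM

  /* 1. Dedicated library for the audit journal receivers, so the   */
  /*    audit data can be secured and managed separately.           */
  CRTLIB LIB(SECJRNLIB) TEXT('Security Journal Library')
  MONMSG MSGID(CPF2111) /* Library already exists: carry on.        */

  /* 2. CHGSECAUD creates QSYS/QAUDJRN with its first receiver and  */
  /*    sets QAUDCTL and QAUDLVL in one step.                       */
  /*      *AUDLVL  = auditing switched on                           */
  /*      *OBJAUD  = object-level auditing enabled                  */
  /*      *NOQTEMP = ignore activity in each job's QTEMP            */
  /*      *DFTSET  = *AUTFAIL *CREATE *DELETE *SECURITY *SAVRST     */
  CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) +
            QAUDLVL(*DFTSET) +
            INLJRNRCV(SECJRNLIB/AUDRCV0001)

  /* 3. User auditing for one powerful profile: log every command   */
  /*    it runs (*CMD) and record its changes to objects whose      */
  /*    own auditing value is *USRPRF.                              */
  CHGUSRAUD USRPRF(APPADMIN01) OBJAUD(*CHANGE) AUDLVL(*CMD)

  /* 4. Object auditing. CUSTMAST defers to the accessing user's    */
  /*    OBJAUD setting; PAYMAST is audited for change access by     */
  /*    every user.                                                 */
  CHGOBJAUD OBJ(PRODLIB/CUSTMAST) OBJTYPE(*FILE) OBJAUD(*USRPRF)
  CHGOBJAUD OBJ(PRODLIB/PAYMAST)  OBJTYPE(*FILE) OBJAUD(*CHANGE)

  /* 5. IFS objects use CHGAUD instead of CHGOBJAUD.                */
  CHGAUD OBJ('/home/payroll/export.csv') OBJAUD(*ALL)

  /* 6. Objects created in PRODLIB from now on inherit *CHANGE.     */
  /*    Scoping this to one library avoids the event volume that    */
  /*    changing the QCRTOBJAUD system value could generate.        */
  CHGLIB LIB(PRODLIB) CRTOBJAUD(*CHANGE)

  /* 7. Show the resulting journal and system value settings.       */
  DSPSECAUD

ENDPGM
```

These settings record object-level access only; record and field changes still require database journaling, as noted on the slide above.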

Page 65: Getting Started with IBM i Security


Source: IBM i and i5/OS Security & Compliance: A Practical Guide, 29th Street Press

Will It Be Audited?

Page 66: Getting Started with IBM i Security


• Some actions originating from the network may not be recorded by native auditing controls.

• If objects are being audited, or a user performs an audited action (for example, deleting an object), that access is tracked.

• Common network actions include ODBC and FTP.

• Consider using an exit program to ensure control and auditing of these types of transactions.

Auditing Network Access

Page 67: Getting Started with IBM i Security


• To see if you have exit programs in place, review the system registry, use the WRKREGINF command, or use PowerTech’s FREE Compliance Assessment tool.

Auditing Network Access

Page 68: Getting Started with IBM i Security


• After auditing is configured and actively collecting, review how to extract the audited information.

• Download the Security Reference manual to see detailed information about QAUDLVL values, the AUDLVL value from user profile auditing, and the layout of audit journal data.

• All journal entries contain basic information (date, time, user, job information, and the entry type code), followed by entry-specific data.

Working With The Audit Journal

Page 69: Getting Started with IBM i Security


There are 3 main options to display or print audit journal data:

1. Display Audit Journal Entry (DSPAUDJRNE)

Simplified version of the DSPJRN command with parameters specific for most entries in the security audit journal (no longer updated by IBM)

Does not support IFS events (requires DSPJRN)

Cannot sort or query data (only screen and sending output to a spooled file are supported)

Working With The Audit Journal

Page 70: Getting Started with IBM i Security


Working With The Audit Journal

Page 71: Getting Started with IBM i Security


Working With The Audit Journal

Page 72: Getting Started with IBM i Security


2. Display Journal (DSPJRN)

Basic way to review activities in (any) journal

Requires an understanding of the format of the journal data; data is not parsed by the command

Supports the name of IFS objects

Helps if you have an exact timestamp as DSPJRN does not sort the data

Working With The Audit Journal

Page 73: Getting Started with IBM i Security


3. Copy Audit Journal Entry (CPYAUDJRNE)

Combines the DSPJRN command with copying the data to an output file

The output file layout is based on the entry code

Extracted data can be queried, for sorting and printing

Default output file name is QAUDITxx where xx is the audit type code

Working With The Audit Journal

Page 74: Getting Started with IBM i Security


Consider Reviewing the Following Journal Type Codes

AF Authority Failures

CP Profile Activities (Create/Change)

Password Changes

SV System Value Changes

PW Invalid Passwords

Working With The Audit Journal

Page 75: Getting Started with IBM i Security


For User Auditing

CD Command Executed

For Object Auditing

ZC Object Changed

ZR Object Read

Working With The Audit Journal
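A review pass over the journal type codes listed above, using the CPYAUDJRNE and DSPJRN options described on the earlier slides. This is an added example, not part of the original presentation; the profile APPADMIN01 and the output file AUDCD are hypothetical names, and auditing is assumed to be already active.

```cl
/* Added example: extract audit journal entries for review.         */
/* APPADMIN01 and QTEMP/AUDCD are hypothetical names.               */
PGM

  /* Copy authority failures (AF), invalid passwords (PW), system   */
  /* value changes (SV) and profile activity (CP) from the current  */
  /* receiver chain. With the QAUDIT prefix the output files are    */
  /* QAUDITAF, QAUDITPW, QAUDITSV and QAUDITCP, each laid out for   */
  /* its own entry type so the data can be queried and sorted.      */
  CPYAUDJRNE ENTTYP(AF PW SV CP) OUTFILE(QTEMP/QAUDIT) +
             JRNRCV(*CURCHAIN)

  /* Ad hoc look at the invalid password attempts just extracted.   */
  RUNQRY QRY(*NONE) QRYFILE((QTEMP/QAUDITPW))

  /* DSPJRN route for the commands (CD entries) run by one audited  */
  /* profile. Audit entries carry journal code T. DSPJRN does not   */
  /* parse the entry-specific data: it lands in a single field of   */
  /* the output file and has to be decoded using the layouts in     */
  /* the Security Reference manual.                                 */
  DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) +
         ENTTYP(CD) USRPRF(APPADMIN01) +
         OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AUDCD)

ENDPGM
```

QTEMP is used here only for a quick interactive review; it disappears when the job ends, so anything kept for retention belongs in a secured permanent library.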

Page 76: Getting Started with IBM i Security


Archiving

• Check with your legal department for retention information. Attorneys and auditors may have to defend the information in court, so give them what they need.

• If you do not have legal support, consider 30+ days online, and unrestricted offline (PCI regulations require 90 days online, and 1 year offline).

Working With The Audit Journal

Page 77: Getting Started with IBM i Security


‘i’ can contract a virus!

Long thought to be immune to the virus threat, IBM i can act as the source of virus problems on your network.

Virus activity can be discovered on:

• Mapped Drives

• FTP

• Image Catalogs

• Backup Tapes

• High Availability

A Common Myth: IBM i has Viral Immunity

Page 78: Getting Started with IBM i Security


“Security by obscurity” is no longer a good option…

Of course, it never really was!


Hacking for Dummies?

Security By Obscurity

Page 79: Getting Started with IBM i Security


What’s integrated?

– Intrusion Detection System (IDS)

– Support for Role-Based Access (RBAC)

– Object-level security

– Event auditing

– Operating system integrity protection

– Security exit points

What Comes Free (or Cheap)?

Page 80: Getting Started with IBM i Security


What else is needed?

– Security exit programs

– User provisioning and management

– Real-time audit notification

– Database monitoring

– Audit and compliance reporting

– Anti-virus software

What Upgrades Are Available?

Page 81: Getting Started with IBM i Security


Education!

• Read the current “State of IBM i Security” study

• Research security topics through articles and white papers

• Attend security workshops and webinars (CONGRATS!)

• Download the IBM Security Reference Manual

• Use Google!

Getting a Grip

Page 82: Getting Started with IBM i Security


Mitigation!

• Evaluate current security infrastructure

• Establish baseline system values

• Consider object-level security

• Augment security with exit programs

• Activate event auditing

• Set up audit reporting schedule for configuration settings

• Enable temporary privilege escalation

Getting a Grip

Page 83: Getting Started with IBM i Security


• Data is secured by out-of-date methods (if at all).

• Management assumes data is secured as no one is advising them otherwise.

• Regulatory demands are the primary catalyst of change.

The Past and The Present

Page 84: Getting Started with IBM i Security


• More regulatory mandates trying to stem data loss.

• Businesses will be called upon to react faster using more calculated methods.

• Potential for corporate and consumer “breach fatigue.”

The Future

Page 85: Getting Started with IBM i Security


Do NOthing

The Worst Plan

Page 86: Getting Started with IBM i Security


Take ACTion

The Best Plan

Page 87: Getting Started with IBM i Security


• IT Security has (but has to keep) executive attention

– This is the best opportunity to solve long-standing problems

– Gain management approval now

– Fight symptoms of “breach fatigue”

• Control users with broad authority to production data

– Leaving users unchecked is both an audit exception and an accident waiting to happen

– Don’t accept that powerful users have to be limitless

• Limit the use of—and necessity for—powerful profiles

– Monitor and report when power is used

Summary

Page 88: Getting Started with IBM i Security


• SECURITY and COMPLIANCE are not the same

• IBM i ships in an “allow-all” configuration and CORRECTIVE ACTION must be taken to move to a “deny-all” configuration

• OS and tooling should play COMPLEMENTARY ROLES

• RISK is reduced; never totally eliminated

– Learn from other companies’ experiences

Summary

Page 89: Getting Started with IBM i Security


How Can PowerTech Help Us?

Page 90: Getting Started with IBM i Security


6 categories of review

Completes in under 5 minutes

Includes executive summary

Accompanied by live review and Q&A

Personalized recommendations

7-day grace period

FREE!

Option 1 — Rapid Vulnerability Scan

Page 91: Getting Started with IBM i Security


System Auditing Controls

Unsecured Profiles

Public Authorities

Password Policy

Administrative Rights

Analyzed by Certified Auditor

100+ Pages with Detailed Explanations

Option 2 — Deep Dive Assessment

Page 92: Getting Started with IBM i Security


Familiarize yourself with the Ponemon Institute.

Perform cost analysis of a breach:

• Forensic analysis

• Notification

• Lawsuits

• Loss of customer confidence

• Corporate embarrassment

• Suspension of ability to trade

• Lowered business valuation

• Jail terms

A significant breach can be an enterprise killer!

Additional Steps for Cost Justification

Page 93: Getting Started with IBM i Security


Visit PowerTech online to access:

www.helpsystems.com/powertech

• State of IBM i Security Study

• Online Compliance Guide

• Open source security policy

• Articles

• Webinars/educational events

• White papers

• PowerNews monthly e-newsletter

• Security solution datasheets

Free Online Resources

Page 94: Getting Started with IBM i Security


Thank You For Joining Us

ROBIN TATAM

Director of Security Technologies

(952) [email protected]

www.helpsystems.com/powertech