    Get Your IBM i Audit On: Tips For A Smooth Deployment

    July 14, 2014 Alex Woodie

    In today’s highly regulated environment, little is left to chance–including the possibility your IBM i security is misconfigured. One way to keep ahead of the auditors’ wrath is to become familiar with the auditing functions of the IBM i platform and to ensure it is set up correctly for your particular needs. Jeff Uehling, IBM’s security architect for IBM i, recently provided some auditing tips in a webinar hosted by PowerTech.

    The advent of regulations like PCI DSS, HIPAA, SOX, GLBA, and HITECH has raised the level of scrutiny on computer systems to uncomfortably high levels. While companies in the healthcare, retail, and financial services industries have borne the brunt of the regulatory oversight, just about every publicly traded company has been affected in some way or another.

    “We’ve certainly seen an explosion of audit and other security technology within our community,” Uehling said last week during the webinar. That’s good news for the HelpSystems subsidiary, as well as the various other vendors that sell tools that simplify security and auditing on the platform. While the IBM i platform has powerful security and auditing capabilities–namely the QAUDJRN audit journal–they are not always easy to use.

    The QAUDJRN and related auditing functions have a close relationship with the IBM i security controls that determine which users can access which data and objects, at what times, and by what methods. That’s by design. One of the reasons IBM first added auditing to the platform way back with OS/400 V1R3 was to validate that the security plan was working. Big production Power Systems servers today will commonly have more than 30 applications running simultaneously, and staying on top of the constantly changing mix of users, data, and objects is too big of a task to be left solely to human administrators.

    IBM i security architect Jeff Uehling

    “It’s easy for things to get out of compliance,” Uehling said. “That’s why auditing is a big part of that, to make sure somebody hasn’t accidentally opened up your data to have some user who should not be seeing it, authorized [to see the data]. Audit is a great way to go through and make sure you’re gathering the right information and validate it on the back end.”

    The QAUDJRN is a read-only lockbox (to borrow a phrase from Al Gore) that collects information about what objects and data users have accessed. The fact that it cannot be tampered with makes it an ideal way to ensure that system administrators with ALLOBJ authority and other special powers are not circumventing security controls on the platform in pursuit of fraudulent activity. It allows organizations to treat their administrators like Ronald Reagan treated the Soviets: trust, but verify.

    There are three main areas that IBM i auditing looks at: users, objects, and jobs. A system-wide auditing net can be set up to capture information about every job run on the system, including interactive, batch, and communication jobs. The platform also gives users the capability to audit specific objects, namely database files or IFS files or programs. Finally, user-specific auditing functions can also be set up to scrutinize the actions of particular users, such as the systems administrators and security officers that organizations are forced to trust.

    IBM i shops that want a fine-grained picture of all activities that powerful users or jobs performed while perusing systems–especially data files with sensitive information–will want to ensure that file journaling is turned on. While object auditing will detect whether a user or job accessed or viewed a file, it won’t necessarily tell the auditor what they did.

    “If you opened a database file for modification, you will get an audit record saying they opened a file for modification,” Uehling said. “But if you changed a million records in that file, you’re only going to get one audit record with no indication of what changed. So the capability for the security audit journal and the actual file journaling … will actually log every single modification made to the object type that you started journaling on … The combination … gives you a very nice complete audit trail.”
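    The three auditing scopes and the file journaling described above can be sketched in CL as follows. This is an added example, not code from the webinar or from IBM; the library APPLIB, file CUSTMAST, journal APPJRN, receiver APPRCV0001, and user profile SECADMIN are hypothetical names.

```cl
/* Added example. APPLIB, CUSTMAST, APPJRN, APPRCV0001 and SECADMIN   */
/* are hypothetical names. Run under a profile that has *ALLOBJ and   */
/* *AUDIT special authority.                                          */
PGM

  /* 1. System-wide: creates QAUDJRN if it does not exist and turns   */
  /*    on action auditing (*AUDLVL) and object auditing (*OBJAUD)    */
  /*    using IBM's default set of audited actions.                   */
  CHGSECAUD  QAUDCTL(*AUDLVL *OBJAUD) QAUDLVL(*DFTSET)

  /* 2. Object: audit every open-for-change of one sensitive file,    */
  /*    whichever user or job does it (ZC entries in QAUDJRN).        */
  CHGOBJAUD  OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) OBJAUD(*CHANGE)

  /* 3. User: extra scrutiny for one powerful profile. AUDLVL adds    */
  /*    per-user actions such as commands run; OBJAUD(*ALL) applies   */
  /*    to objects whose own setting is OBJAUD(*USRPRF).              */
  CHGUSRAUD  USRPRF(SECADMIN) OBJAUD(*ALL) +
               AUDLVL(*CMD *SECURITY *OBJMGT)

  /* 4. File journaling: record-level before and after images, which  */
  /*    the audit journal does not capture.                           */
  CRTJRNRCV  JRNRCV(APPLIB/APPRCV0001)
  CRTJRN     JRN(APPLIB/APPJRN) JRNRCV(APPLIB/APPRCV0001)
  STRJRNPF   FILE(APPLIB/CUSTMAST) JRN(APPLIB/APPJRN) +
               IMAGES(*BOTH) OMTJRNE(*OPNCLO)

  /* 5. The two trails side by side. The audit journal yields one ZC  */
  /*    entry per open-for-change; the file journal yields a UB/UP    */
  /*    pair for every record updated.                                */
  DSPJRN     JRN(QSYS/QAUDJRN) ENTTYP(ZC) OUTPUT(*OUTFILE) +
               OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AUDZC)
  DSPJRN     JRN(APPLIB/APPJRN) FILE((APPLIB/CUSTMAST)) +
               JRNCDE((R)) ENTTYP(UB UP) OUTPUT(*OUTFILE) +
               OUTFILE(QTEMP/CUSTCHG)

ENDPGM
```

    Joining the two output files on job name and timestamp ties each record-level change back to the user and job that opened the file.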

    While it is possible to audit every single activity of every user, job, and object on the system, that’s not the best way to configure auditing. “If you turn on every single capability to audit every action on the system, you’ll get gigabytes of data in a hurry,” Uehling says. “So an auditing plan is important. [You want to ask yourself], what are you trying to detect? Which users? What objects? What events should we audit, and what should we not audit? It all boils down to knowing where your sensitive data is.”

    About eight out of nine IBM i shops have the QAUDJRN auditing function turned on and are actively collecting data that can be used in an audit, according to PowerTech’s latest State Of IBM i Security report. When an IBM i shop turns on auditing for the first time, it can be a rude awakening, said Robin Tatam, PowerTech’s director of security technologies.

    “The knee-jerk reaction that I see a lot of times is we go from auditing nothing to auditing everything, and we’re so inundated with audit traffic that people panic and they feel like they’re standing in front of a fire hose and they turn it back off,” said Tatam, who hosted last week’s webinar with Uehling.

    The best advice is to strive for a “happy medium” between the two extremes. A good place to start is by using the default settings that IBM provides with the OS. “There are a few other items that we tag,” Tatam said, in particular activity occurring over the network interfaces, like FTP and ODBC, which aren’t automatically monitored by the OS.

    Once you start collecting data in the QAUDJRN, the next question becomes: What do you do with it? It can be a daunting task to query the data in the QAUDJRN journal receivers in a meaningful way, in part due to the large volume of data inevitably stored there, and the cryptic formats. While IBM provides basic tools, as well as the capability to export the data to an external file, it mostly leaves this area open to third-party vendors.

    Uehling provided a link, www-03.ibm.com/systems/power/software/i/security/partner_showcase.html, where interested parties can peruse third-party security software solutions for IBM i. Among the products listed there that will assist with a QAUDJRN query are:

    • CILASOFT QJRN/400, which tracks the QAUDJRN;
    • CXL’s AZScan, which can audit the security of IBM i, Unix, VMS, and Oracle systems;
    • Enforcive Information Systems’ (formerly Bsafe) Cross Platform Audit, which provides field-level before and after images for IBM i, Windows, AIX and Linux platforms;
    • Kisco Information Systems’ iFileAudit, which tracks the file audit journal;
    • PowerTech’s Compliance Monitor, which tracks and compresses the QAUDJRN;
    • Raz-Lee Security’s iSecurity iBi and AP-Journal, which track the QAUDJRN;
    • SkyView Partners’ Audit Journal Reporter, which tracks the QAUDJRN;
    • Trinity Guard’s TGAuditor, which was designed specifically for auditors.

    The most important thing is to get QAUDJRN auditing turned on, and start collecting those journal receivers (resist the temptation to delete them to clear up DASD!). Even if you have no immediate plans to do anything with the data, just having the audit log in your possession can be a great form of insurance.

    “If you don’t have it turned on, you definitely want to take a look at it,” Uehling said. “I can’t stress it enough. Get auditing turned on, archive the data as long as you can, save the journal receivers, and if you do have a situation where you find out that your network was penetrated a day ago, a week ago, an hour ago–that’s really the only data you have that might help you figure out what happened on your server.”

    RELATED STORIES

    State Of IBM i Security? Dismal As Usual, PowerTech Says

    Admin Alert: Getting Started with i/OS Security Auditing, Part 1

    Auditing of Sensitive Users and Objects




Volume 24, Number 24 -- July 14, 2014