Security monitoring on IBM i: Watching your super users


Rich Loeber, Contributor
11.17.2008

Every System i shop has a few super users that security officers need to be concerned about. For one reason or another, a few user profiles just have to have full access to your system. This tip will show you one way to check up on what these users are doing by using the system security journal.

For specific user profiles, you can set up additional security auditing over and above what your system is configured to capture. To make sure that your super users are not overstepping their bounds, you can set up the security journal to capture additional security events for these specific profiles.

To get started, you need to have the security journal active on your system. If it is not active, you can just run the change security auditing (CHGSECAUD) command. Running the command with the defaults shipped with the operating system will set up the security journal (QAUDJRN). By setting the default values to *NONE, you will limit what the security journal captures so you can experiment with tracking an individual user profile's activity. Of course, if you already have the security journal active and running on your system, you can skip this step and continue on with setting up the individual profile controls.

With the security audit active, you are now able to set up specific event controls at the user profile level. This is done using the change user auditing (CHGUSRAUD) command. Type this command in and use the F4 key to prompt for the parameters. For this tip, we'll concentrate on the AUDLVL parameter and what things you can track at the user profile level. These include the following:

  • *CMD - records command strings used by the profile in the journal for your review. With this setting, you can see what specific OS commands the super user is using and make sure that command line abuse is not happening.
  • *CREATE - tracks all new objects created by the super user
  • *DELETE - tracks object deletion by a super user. Because this is a concern for super users, you can track it easily using this method.
  • *OBJMGT - tracks object renames and moves
  • *SAVRST - tracks save and restore operations by the super user
  • *SERVICE - tracks the super user's use of system service tools
  • *SPLFDTA - tracks actions taken on spool files
  • *SYSMGT - tracks system management functions
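The steps above as one CL sequence, followed by a journal review. This is an added example, not the author's sample: SUPERUSR1 is a hypothetical profile name, and using QAUDLVL(*NONE) together with QAUDCTL(*AUDLVL) is one reading of the tip's *NONE setting.

```cl
/* Added example. SUPERUSR1 is a hypothetical profile name.          */
/* The profile running these commands needs *AUDIT special           */
/* authority. The + continuation is for CL source; on a command      */
/* line, type each command on one line.                              */

/* 1. Only if QAUDJRN is not already active: create the journal and  */
/*    start auditing. QAUDCTL(*AUDLVL) is what lets the per-user     */
/*    AUDLVL values take effect; QAUDLVL(*NONE) keeps system-wide    */
/*    action auditing off (assumed reading of the tip). Skip this    */
/*    step on a system that already audits, because it changes the   */
/*    existing system values.                                        */
CHGSECAUD QAUDCTL(*AUDLVL) QAUDLVL(*NONE)

/* 2. Turn on the per-profile action auditing values listed above.   */
CHGUSRAUD USRPRF(SUPERUSR1) +
          AUDLVL(*CMD *CREATE *DELETE *OBJMGT *SAVRST +
                 *SERVICE *SPLFDTA *SYSMGT)

/* 3. Confirm the action auditing values now shown for the profile.  */
DSPUSRPRF USRPRF(SUPERUSR1)

/* 4. Review what the profile did. Audit entries use journal code T; */
/*    CD = command string (*CMD), CO = create object (*CREATE),      */
/*    DO = delete operation (*DELETE).                               */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURRENT) JRNCDE((T)) +
       ENTTYP(CD CO DO) USRPRF(SUPERUSR1) OUTPUT(*PRINT)
```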

I see by reviewing information for i/OS 6.1 that there are a number of new functions also available that you might want to explore if you are running on that OS level. The AUDLVL parameter accepts many more options than I've listed here. For your installation, you may find some of the other values of particular interest.

A nice side benefit of logging super user activity to the security journal is that it is good proof for your auditors that super user profiles are being used responsibly. Every auditor who knows what they are doing is concerned about what super users are up to. This method goes a long way toward satisfying their requirements.

If you have any questions about anything included in this tip, or you would like the sample, you can reach me at rich@kisco.com. All email messages will be answered as quickly as possible.

ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
