Tracking remote access users on System i


Rich Loeber, Contributor
09.02.2009
In the System i world, it has always been possible to track system access through user profiles. All that was necessary was activating the system audit journal (QAUDJRN) and configuring it through the QAUDCTL and QAUDLVL system values so that the events you care about were accumulated; with *JOBDTA in QAUDLVL, for example, every job start and end is recorded as a JS entry. Using the display journal (DSPJRN) command judiciously, you could get a list of who signed on to the system and when.

This worked well when the common method of system access was a green screen terminal, either hard wired or through a 5250 terminal emulator such as iSeries Access. But in the era of network connections through the TCP/IP server functions in the operating system (OS), this model doesn't work as neatly. Users can now log into your system using FTP or the iSeries Access host servers while leaving little to no trace in your security journals.

In certain cases, however, an audit journal record for a profile swap is left, recorded as entry type PS. This happens on a logon from iSeries Access through the TCP Signon Server: the host server job, which runs under the QUSER profile, swaps to the connecting user's profile after a successful logon (and back to QUSER when the connection ends), and each swap is logged as long as QAUDLVL includes *SECURITY. In this situation, you can scan the journal for PS records and gather information about the user profiles establishing network connections with this method.

You can also see a record of remote users connecting to your system with iSeries Access and other, similar clients in the system history log (QHST). If you run the display log (DSPLOG) command and filter on message CPIAD09, the result will show you any evidence of remote logon activity.
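The three checks described above (confirming the audit journal is collecting, pulling the PS entries left by host-server logons, and scanning QHST for CPIAD09), spelled out as CL commands. This is an added example rather than the tip's own command form; it assumes a library named AUDLIB exists to hold the outfile and that the job has *AUDIT special authority.

```cl
/* Added example, not from the original tip. Assumes library AUDLIB  */
/* exists and the job has *AUDIT special authority.                   */

/* 1. Check that auditing is active. QAUDCTL must include *AUDLVL;   */
/*    QAUDLVL needs *SECURITY for PS (profile swap) entries and       */
/*    *JOBDTA for JS (job start/end) entries.                         */
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)

/*    If they are not set, this turns auditing on and creates        */
/*    QSYS/QAUDJRN if it does not exist yet. QAUDLVL is replaced,    */
/*    not extended, so list every level you want to keep.            */
CHGSECAUD QAUDCTL(*AUDLVL) QAUDLVL(*AUTFAIL *SECURITY *JOBDTA)

/* 2. Extract the PS entries into an outfile. Duplicating IBM's     */
/*    model file QASYPSJ5 gives the entry-specific data named        */
/*    fields instead of one raw JOESD column.                         */
CRTDUPOBJ OBJ(QASYPSJ5) FROMLIB(QSYS) OBJTYPE(*FILE) +
          TOLIB(AUDLIB) NEWOBJ(AUDPS)
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(PS) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(AUDLIB/AUDPS)

/*    Review the swaps: date, time, job, the job user (QUSER for    */
/*    the host servers) and the profile that was swapped to.         */
RUNQRY QRY(*NONE) QRYFILE((AUDLIB/AUDPS))

/* 3. Host-server connections recorded in the history log. PERIOD   */
/*    spans everything still in QHST; narrow it on a busy system.    */
DSPLOG LOG(QHST) MSGID(CPIAD09) +
       PERIOD((*AVAIL *BEGIN) (*AVAIL *END)) OUTPUT(*PRINT)
```

Run step 2 on a schedule against a rolling FROMTIME/TOTIME window rather than the whole receiver chain once the journal grows; the outfile can then be queried with SQL or Query/400 to list swaps per user and per day.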

But these options are just a drop in the bucket compared to everything that can go on within your system "under the covers." If someone attempts to sign on to your system via FTP using a user profile that doesn't exist, for example, even journaling all security events won't record this access. Because this is a popular method that hackers use to try to break into your system, it would be beneficial to know if and when attempts like these are being made.

When IBM opened up the system to TCP/IP connectivity, its solution to this issue was, and still is, to provide exit points in the OS. For servers such as FTP, Telnet, the database (SQL) host servers and the TCP Signon server, the OS lets you register your own program (WRKREGINF lists the exit points, and ADDEXITPGM attaches a program to one) that is called on each request, so you can monitor network activity and even control access to it.
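An exit program for the FTP server logon exit point, as a worked example of the approach just described. It is added here and is not the tip's code or any vendor product; it assumes the exit point QIBM_QTMF_SVR_LOGON with parameter format TCPL0100 (verify the parameter layout against the exit-point documentation for your release before compiling), a library AUDLIB, and a message queue AUDLIB/NETLOG created with CRTMSGQ to receive the log. It closes exactly the gap the tip describes: a logon attempt naming a profile that does not exist is logged together with the client address, and it is rejected before the server goes any further.

```cl
/* FTPLOGON - FTP server logon exit program, format TCPL0100.         */
/* Added example; not from the original tip or any vendor product.    */
/* Assumes exit point QIBM_QTMF_SVR_LOGON, library AUDLIB and a       */
/* message queue AUDLIB/NETLOG (CRTMSGQ) for the log. Verify the      */
/* TCPL0100 parameter layout for your release before compiling.       */
PGM PARM(&APPID &USERID &USERLEN &AUTHSTR &AUTHLEN &CLTIP &IPLEN +
         &RTNCODE &USRPRF &PWD &CURLIB)

DCL &APPID   *CHAR 4           /* Binary(4), 1 = FTP server          */
DCL &USERID  *CHAR 32          /* user id as sent by the client      */
DCL &USERLEN *CHAR 4           /* Binary(4), length used in &USERID  */
DCL &AUTHSTR *CHAR 128         /* password: deliberately never logged*/
DCL &AUTHLEN *CHAR 4
DCL &CLTIP   *CHAR 45          /* client IP address as text          */
DCL &IPLEN   *CHAR 4
DCL &RTNCODE *CHAR 4           /* Binary(4) out: 0 reject, 1 accept  */
DCL &USRPRF  *CHAR 10          /* outputs used only with codes 2-6   */
DCL &PWD     *CHAR 10
DCL &CURLIB  *CHAR 10

DCL &ULEN    *DEC (5 0)
DCL &IPL     *DEC (5 0)
DCL &XLEN    *DEC (5 0) VALUE(10)
DCL &USER    *CHAR 10
DCL &IP      *CHAR 45
DCL &VERDICT *CHAR 8 VALUE('ERROR')
DCL &TEXT    *CHAR 100

/* Program-level handler: any unmonitored error jumps to LOG with    */
/* the verdict still ERROR and the return code still 0 (fail closed).*/
MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(LOG))

CHGVAR VAR(%BIN(&RTNCODE)) VALUE(0)
CHGVAR VAR(&ULEN) VALUE(%BIN(&USERLEN))
CHGVAR VAR(&IPL)  VALUE(%BIN(&IPLEN))
IF COND(&IPL *GT 0 *AND &IPL *LE 45) +
   THEN(CHGVAR VAR(&IP) VALUE(%SST(&CLTIP 1 &IPL)))

/* A user id outside 1..10 characters cannot name a profile.         */
IF COND(&ULEN *LT 1 *OR &ULEN *GT 10) THEN(DO)
   CHGVAR VAR(&USER) VALUE('*INVALID')
   CHGVAR VAR(&VERDICT) VALUE('BADNAME')
   GOTO CMDLBL(LOG)
ENDDO
CHGVAR VAR(&USER) VALUE(%SST(&USERID 1 &ULEN))

/* Profile names are upper case; fold whatever case the client used. */
CALL PGM(QDCXLATE) PARM(&XLEN &USER QSYSTRNTBL)

/* The case the audit journal misses: the profile does not exist.    */
CHKOBJ OBJ(QSYS/&USER) OBJTYPE(*USRPRF)
MONMSG MSGID(CPF9801) EXEC(DO)
   CHGVAR VAR(&VERDICT) VALUE('NOPROFIL')
   GOTO CMDLBL(LOG)
ENDDO

/* Known profile: hand back to the server for the normal password   */
/* check. Return code 1 keeps the user id and password as sent.      */
CHGVAR VAR(%BIN(&RTNCODE)) VALUE(1)
CHGVAR VAR(&VERDICT) VALUE('PASSED')

LOG:
CHGVAR VAR(&TEXT) VALUE('FTP logon' *BCAT &VERDICT *BCAT 'user' +
                        *BCAT &USER *BCAT 'from' *BCAT &IP)
SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&TEXT) +
          TOMSGQ(AUDLIB/NETLOG)
MONMSG MSGID(CPF0000)
ENDPGM
```

Compile it with CRTCLPGM PGM(AUDLIB/FTPLOGON) SRCFILE(AUDLIB/QCLSRC), register it with ADDEXITPGM EXITPNT(QIBM_QTMF_SVR_LOGON) FORMAT(TCPL0100) PGMNBR(1) PGM(AUDLIB/FTPLOGON), and restart the server with ENDTCPSVR SERVER(*FTP) followed by STRTCPSVR SERVER(*FTP) so it picks the program up. Then try an FTP logon with a made-up user from a client and look at DSPMSG AUDLIB/NETLOG: the NOPROFIL line with the client address is the record the audit journal never gave you. The return code is set to 0 before any other work and only raised to 1 on the success path, so a coding or runtime error in the exit program denies the logon instead of silently allowing it; the password parameter is declared but never referenced, so it cannot leak into the log.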

The problem with this approach is that it is entirely opt-in. The OS ships with no exit programs in place, and the fact that exit points even exist is still not widely known. In the meantime, all sorts of nefarious connection activity can be going on without the security officer ever knowing. As a vendor that sells an exit point solution for the System i, I commonly hear from customers starting to use our product that they had no idea so much activity was going on via network server connections.

Another problem with this approach is that coding and maintaining your own exit point solution is a daunting task. Over the dozen years or so that exit points have been around, some of their parameter formats have changed significantly. To IBM's credit, the old format is left in place and a new format (and sometimes a new exit point) is created for the enhanced version, but you have to re-code your program to take advantage of improvements when they are made.

The best solution available is to purchase a good exit point solution. There are many to choose from in the System i marketplace today, and the maintenance problem then becomes your software vendor's headache, not yours. Most solutions cover all of the exit points available, so no IBM-supplied server is left unmonitored; bear in mind that exit points exist only for those servers, so a user program that opens its own socket is not covered by any of them. These exit point solutions give you control over which user profiles can access your system and, in many cases, what objects they can work with. Additionally, all network activity can be logged, so you can finally see everything that is going on "under the covers."

If you have any questions about this topic, you can reach me at rich@kisco.com and I'll give it my best shot. All email messages will be answered.

All Rights Reserved, Copyright 1999 - 2009, TechTarget | Read our Privacy Policy