
Message monitor for security events

How to monitor security logs in real time.

Your system is in use by your user community all day long. Depending on the size of your shop and the number of users, there could be hundreds or even thousands of security decisions being made by your security setup on a minute by minute, hour by hour, day by day basis. If you've done your homework well, those security arrangements will all work to protect your data from being used incorrectly.

But, how do you know when a security violation has been made? One way is to keep security auditing active on your system and run regular reports from the security audit journal. In fact, that is a good practice to implement, but it is not going to give you quick feedback when a serious security violation occurs.

When a critical security violation happens, an error notice is posted to the system operator message queue (QSYSOPR). The problem, however, is that LOADS of messages in most shops go to the system operator message queue and it is easy to lose one in the haze of all that activity.

To address the problem of the security messages getting lost in the system operator message queue, OS/400 has an alternate message queue capability set up. Check your system to see if the QSYSMSG message queue exists in the QSYS library. If you don't see one, just create it using the CRTMSGQ command. Once the QSYSMSG message queue is on your system, all critical security-related messages will also be posted to this message queue along with your system operator queue. Now, all you need to do is make sure that you end up knowing when a message has been posted.

The quick and easy way is to log on to the system and run the following command:

 CHGMSGQ MSGQ(QSYS/QSYSMSG) DLVRY(*BREAK)

Once this is done, whenever a message is posted to the QSYSMSG message queue, it will be displayed on your terminal session as a break message. But this could be a problem. First, it requires that you always be logged on; second, it limits the number of people who can monitor for security events to one. A better solution is to create a little CL program to "watch" the message queue for you and then forward each message on to your user profile (or a series of user profiles) when it happens.

This way, you and your security team can find out about security problems in real time and won't have to wait for audit journal analysis to see that serious security violations are happening.

I have put together a simple little message monitor CL program that works with a set of up to five user profiles stored in a simple data area. If you're interested in getting a copy of this code, or if you have any questions about this tip, send me an e-mail and I'll do my best to answer. All e-mail messages will be responded to.
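The following CL program is an added example of the kind of monitor described above; it is not the author's program or Kisco's code. It assumes a constructed 50-byte character data area QGPL/SECUSRS holding up to five 10-character user profile names (the library, data area name and program name MONQSYSMSG are all assumptions). It waits on QSYS/QSYSMSG, removes each message it receives so the loop does not re-read it (the copy in QSYSOPR is left alone), and forwards the message id and text to every non-blank profile in the list.

```cl
/* MONQSYSMSG - added example, not the article's own program.       */
/* Assumes (constructed names):                                      */
/*   CRTDTAARA DTAARA(QGPL/SECUSRS) TYPE(*CHAR) LEN(50) +            */
/*             VALUE('SECADM    RICH      ')                         */
/* i.e. five 10-character slots, unused slots left blank.            */
PGM
  DCL VAR(&USERS)  TYPE(*CHAR) LEN(50)
  DCL VAR(&USER)   TYPE(*CHAR) LEN(10)
  DCL VAR(&MSGID)  TYPE(*CHAR) LEN(7)
  DCL VAR(&MSG)    TYPE(*CHAR) LEN(512)
  DCL VAR(&FWD)    TYPE(*CHAR) LEN(512)
  DCL VAR(&POS)    TYPE(*DEC)  LEN(3 0)

  /* Load the recipient list once at startup */
  RTVDTAARA DTAARA(QGPL/SECUSRS) RTNVAR(&USERS)

NEXTMSG:
  /* Block until a message arrives on QSYSMSG, then remove it so    */
  /* the next RCVMSG returns the following message, not this one.  */
  /* If the queue itself becomes unusable, end rather than spin.   */
  RCVMSG MSGQ(QSYS/QSYSMSG) MSGTYPE(*ANY) WAIT(*MAX) RMV(*YES) +
         MSGID(&MSGID) MSG(&MSG)
  MONMSG MSGID(CPF0000) EXEC(RETURN)

  /* Prefix the message id so the recipient can look it up with   */
  /* DSPMSGD and trace it back in the audit journal if needed      */
  CHGVAR VAR(&FWD) VALUE('QSYSMSG' *BCAT &MSGID *BCAT &MSG)

  /* Forward to each non-blank profile in the data area */
  CHGVAR VAR(&POS) VALUE(1)
NEXTUSR:
  CHGVAR VAR(&USER) VALUE(%SST(&USERS &POS 10))
  IF COND(&USER *NE ' ') THEN(DO)
     SNDMSG MSG(&FWD) TOUSR(&USER)
     /* A deleted or misspelled profile must not stop the monitor; */
     /* the original message is still in QSYSOPR                    */
     MONMSG MSGID(CPF0000)
  ENDDO
  CHGVAR VAR(&POS) VALUE(&POS + 10)
  IF COND(&POS *LE 41) THEN(GOTO CMDLBL(NEXTUSR))

  GOTO CMDLBL(NEXTMSG)
ENDPGM
```

Compile it with CRTCLPGM and run it as a never-ending batch job, for example SBMJOB CMD(CALL PGM(QGPL/MONQSYSMSG)) JOB(SECMON), rather than from an interactive session, so that the monitor does not depend on anyone being signed on. Because the program removes messages from QSYSMSG, run only one copy of it; a second monitor job would see only the messages the first one has not yet received.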


Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the AS/400 market.

==================================
MORE INFORMATION ON THIS TOPIC
==================================

Get better control over user profiles
Every iSeries shop has the potential to have active user profiles on the system for users who have left the company. Unless your personnel department is extra careful about global notifications when people leave, you may have a security exposure that you don't even know about. But you can, if you're careful about setting up user profiles, take care of this problem when new profiles are created.

Can users alter audit logs?
One user writes, "Our external auditor has stated that two of our can alter the audit logs. While I can see that maybe possible for them to delete the audit journals, is it possible for them to delete or alter individual records without leaving footprints?" Search400.com security expert Carol Woodbury responds.

Testing resource security
Security guru Rich Loeber looks at how you can go about testing your resource security setup. There are two things that you need to test and evaluate on your system. First, you have to make sure users have sufficient authority to get all of their work done without a problem. Once that has been established, you then need to go back and make sure users don't have too much authority, thereby compromising the confidentiality issues that prompted you to secure specific resources in the first place.

Top 10 security tips
There's no such thing as being too secure. Even if you run an iSeries, there are still a few things you must do to protect your system and your data. These tips can help you out.
