Auditing AS400

Auditing IBM AS/400, iSeries, and System i

John Earl
Chief Technology Officer
The PowerTech Group, Inc.

• IBM AS/400 & System i market
• Auditing AS/400
• Resources for AS/400 auditors
• Questions & answers
What’s in a Name?

• Server
  » AS/400™     (1988 – 1998)
  » iSeries™    (1998 – 2004)
  » i5™         (2004 – 2006)
  » System i™   (2006)
• Operating System
  » OS/400      (1993 – 2004)
  » i5/OS™      (2004)
System i Market

• 98% of Fortune 1000 run System i
  » Source: IBM
• 400,000 systems installed worldwide
  » 45% US, 35% Europe, 20% Asia
• 30,000 new systems ship annually
  » Price range from $12,000 to $1 million+
• 16,000 banks run on the System i
i = Integration

(Slide figure; only the label "JD Edwards" survives from it.)
The Perfect Storm of Vulnerability

• Security awareness among OS/400 professionals is low
• OS/400 awareness among audit professionals is low
• Some of the most valuable data in any organization is on the AS/400
What To Look For On An AS/400

• OS/400 auditing essentials
  » System Values
  » Base Auditing capabilities
  » Library and Directory Settings
  » Network Access
  » User Profiles
  » Powerful Users
OS/400 Auditing Essentials

• System Values
  » Are the foundation of a secure system
  » Define things like default public authority, default paths, base security level, audit levels, etc.
  » Typically require security officer privileges to change
  » Should seldom be changed
  » Should be verified on a regular basis
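The slide says system values should seldom change and should be verified regularly. The following added example (written for this page, not code from the presenter or from IBM) shows what that verification looks like as a script: a snapshot of security-related system values is checked against an auditor's baseline, and two snapshots are compared for drift. The system value names are real OS/400 values; the snapshot layout (a name-to-value mapping an auditor might transcribe from a WRKSYSVAL listing), the sample values and the baseline thresholds are assumptions chosen for the example.

```python
# Added example: check a snapshot of OS/400 security system values against an
# auditor's baseline and detect drift between two snapshots.
# Assumptions: the snapshot is a plain dict of value name -> value string;
# baseline thresholds are this example's choices, not IBM defaults.

# Constructed snapshot, chosen so that several rules fire.
SAMPLE_SNAPSHOT = {
    "QSECURITY": "30",              # base security level
    "QCRTAUT": "*CHANGE",           # default *PUBLIC authority for new objects
    "QAUDCTL": "*NONE",             # master switch for auditing
    "QAUDLVL": "*AUTFAIL *SECURITY",  # what gets journaled to QAUDJRN
    "QPWDMINLEN": "6",
    "QMAXSIGN": "*NOMAX",           # sign-on attempts before action
    "QINACTITV": "60",              # inactive job time-out (minutes)
    "QALWOBJRST": "*ALL",           # which objects may be restored
}


def _at_least(n):
    return lambda v: v.isdigit() and int(v) >= n


def _contains_all(*tokens):
    return lambda v: all(t in v.split() for t in tokens)


def _not_in(*bad):
    return lambda v: v not in bad


# Assumed baseline: (system value, predicate that must hold, why it matters).
BASELINE = [
    ("QSECURITY", _at_least(40),
     "security level below 40 lets programs bypass object authority checks"),
    ("QCRTAUT", _not_in("*CHANGE", "*ALL"),
     "default public authority for new objects permits changes"),
    ("QAUDCTL", _contains_all("*AUDLVL"),
     "auditing is off: QAUDLVL is ignored unless QAUDCTL contains *AUDLVL"),
    ("QAUDLVL", _contains_all("*AUTFAIL", "*SECURITY"),
     "authority failures or security changes are not journaled"),
    ("QPWDMINLEN", _at_least(8), "minimum password length below 8"),
    ("QMAXSIGN", _not_in("*NOMAX"), "unlimited sign-on attempts permitted"),
    ("QINACTITV", _not_in("*NONE"), "inactive interactive jobs are never timed out"),
    ("QALWOBJRST", _not_in("*ALL"),
     "any object, including system-state programs, may be restored"),
]


def check_system_values(snapshot):
    """Return findings as (value name, current value, explanation).
    A value missing from the snapshot is itself a finding: the auditor
    should be able to see every baseline value."""
    findings = []
    for name, ok, why in BASELINE:
        value = snapshot.get(name)
        if value is None:
            findings.append((name, None, "value absent from snapshot"))
        elif not ok(value):
            findings.append((name, value, why))
    return findings


def drift(previous, current):
    """Values that differ between two snapshots, as (name, old, new).
    Since system values should seldom change, every entry needs a reason."""
    names = set(previous) | set(current)
    return sorted((n, previous.get(n), current.get(n))
                  for n in names if previous.get(n) != current.get(n))


if __name__ == "__main__":
    for name, value, why in check_system_values(SAMPLE_SNAPSHOT):
        print(f"{name:<12} {str(value):<20} {why}")
    print(drift(SAMPLE_SNAPSHOT, {**SAMPLE_SNAPSHOT, "QSECURITY": "40"}))
```

Run against the constructed snapshot the script reports six findings (QSECURITY, QCRTAUT, QAUDCTL, QPWDMINLEN, QMAXSIGN, QALWOBJRST); the QAUDCTL finding is the one that matters most for the next slide, because without *AUDLVL nothing reaches the audit journal no matter how QAUDLVL is set.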
System Values
Reference Resources for AS/400
Base Auditing Capabilities

• The System Security Audit Journal (QAUDJRN) holds security-related event log data
  » On OS/400, journals are W.O.R.M. (write once, read many) type objects
  » The audit system values describe what audit information will be logged to QAUDJRN
  » OS/400 captures audit information well, but its reporting capability is weaker
Base Auditing Capability
Library and Directory Settings

• Controlling the path is an essential part of
  » OS/400 paths come in two basic flavors: traditional Unix-style paths and OS/400 libraries
  » It is not unusual for the public to have rights to add objects where the operating system lives (library QSYS)
  » Libraries where the user has *CHANGE rights (or better) are a serious exposure
The Public’s Authority to Libraries
Network Access

• It is common for users to have at least ‘change’ rights to data
• OS/400 ships with all TCP/IP services active by default
• Users who can change or delete data
  + Open servers like FTP and ODBC
  = Disaster
Open Access from PCs

• Standard tools allow users to directly get data from the System i
• The OS does not log this activity
Unprotected Network Access
Network Access
Protecting the System
OS/400 User IDs

• Un-monitored user IDs are the easiest way to get into any system
• OS/400 administrators have not proved to be particularly strong on monitoring users
• Passwords on OS/400 can be weaker than on other systems
OS/400 User IDs
Powerful Users

• On OS/400, root capability is divided into eight different special authorities
  » The granularity allows you to separate communications, hardware, sysop ability, etc.
  » The most important of these special authorities is *ALLOBJ
  » OS/400 special authorities tend to be handed out liberally
Administrative Rights
Resources for AS/400 Auditors

• Compliance Assessment tool shown in this presentation
• Open Source OS/400 Security Policy
• State of the System i Security Study

Auditor resource area
Resource #1 – Compliance Assessment
Resource #2 – Open Source Security
Resource #3 – State of System i Security

   Auditor Resource Site: