Auditing IBM AS400, iSeries, and System i

1
Auditing IBM AS/400, iSeries, and System i

• John Earl
• Chief Technology Officer
• The PowerTech Group, Inc.

2
Agenda

• IBM AS/400 System i market
• Auditing AS/400
• Resources for AS/400 auditors
• Questions answers

3
Whats in a Name?

• Server
• AS/400 (1988 1998)
• iSeries (1998 2004)
• i5 (2004 2006)
• System i (2006)
• Operating System
• OS/400 (1993 2004)
• i5/OS (2004)

4
System i Market

• 98 of Fortune1000 run System i
• Source IBM
• 400,000 systems installed worldwide
• 45 US, 35 Europe with 20 Asia
• 30,000 new systems ship annually
• Price range from 12,000 to 1 million
• 16,000 banks run on the System i

5
i Integration
6
The Perfect Storm of Vulnerability

• Security awareness among OS/400 professionals is
  low
• OS/400 awareness among audit professionals is low
• Some of the most valuable data in any
  organization is on the AS/400

7
What To Look For On An AS/400

• OS/400 auditing essentials
• System Values
• Base Auditing capabilities
• Library and Directory Settings
• Network Access
• User Profiles
• Powerful Users

8
OS/400 Auditing Essentials

• System Values
• Are the foundation of a secure system
• Define things like default public authority,
  default paths, base security level, audit levels,
  etc.
• Typically require security officer privileges to
  change
• Should seldom be changed
• Should be verified on a regular basis

9
System Values
10
Reference Resources for AS/400
11
Base Auditing Capabilities

• The System Security Audit Journal (QAUDJRN) holds
  security related event log data
• On OS/400, journals are W.O.R.M. (write once read
  many) type objects
• The Audit System Values describe what audit
  information will be logged to QAUDJRN
• OS/400 has great capturing capability for audit
  information, but reporting capability is less
  robust

12
Base Auditing Capability
13
Library and Directory Settings

• Controlling the path is an essential part of
  security
• OS/400 paths come in two basic flavors,
  Traditional Unix paths, and OS/400 libraries
• It is not unusual that the public has rights to
  add objects to where the operating system lives
  (Library QSYS)
• Libraries where the user has CHANGE rights (or
  better) are a serious exposure

14
The Publics Authority to Libraries
15
Network Access

• It is common for users to have at least change
  rights to data
• OS/400 ships with all TCP/IP services active by
  default
• Users who can change or delete data Open
  servers like FTP and ODBC Disaster

16
Open Access from PCs

• Standard tools allow users to directly get data
  from the System i
• The OS does not log this activity

17
Unprotected Network Access
18
Network Access
19
Protecting the System
20
OS/400 User IDs

• Un-monitored user IDs are the easiest way to get
  into any system
• OS/400 administrators have not proved to be
  particularly strong on monitoring users
• Passwords on OS/400 can be weaker than other
  systems

21
OS/400 User IDs
22
Powerful Users

• On OS/400, Root capability is divided into eight
  different special authorities
• The granularity allows you to segment
  Communications, from hardware, from Sysop
  ability, etc.
• The most important of these special authorities
  is ALLOBJ
• OS/400 special authorities tend to be handed out
  liberally

23
Administrative Rights
24
Resources for AS/400 Auditors 123

• Compliance Assessment tool shown in this
  presentation
• Open Source OS/400 Security Policy
• State of the System i Security Study

Auditor resource areawww.audit400.com
25
Resource 1 Compliance Assessment
26
Resource 2 Open Source Security Policy
27
Resource 3 State of System i Security
28
Questions?
Auditor Resource Site www.audit400.com