The Security Log tool is designed to assist in auditing *ALLOBJ
users. The SNDSECLOG command is intended to be used as the first
command of an initial program for such a user. The command displays
a screen and requires the user to enter a 'purpose' of why he is
signing on. The command then sends a journal entry to the QAUDJRN
journal with the 'purpose'. Other SECLOG commands are used to
convert and display the information.
The QAUDJRN journal (Audit Journal) must exist. The journal entry
written is a code 'U' (for User) and an entry type of 'SL' (for
Security Log).
While the SECLOG function is intended for use with *ALLOBJ users, it
may be used for any non-limited user (LMTCPB must be *NO).
SNDSECLOG may be used multiple times in the same job if required by
the user to describe a different 'purpose'.
Auditing *ALLOBJ users
----------------------
Any user with *ALLOBJ authority is clearly a concern for the
integrity of user data as well as the system. There is nothing that
can be done to prevent an *ALLOBJ user from doing anything he wants
on the system. Auditing of *ALLOBJ users can be considered essential
in some installations.
A good security practice would be to have two profiles for *ALLOBJ
users. The normal profile would not have the *ALLOBJ right and would
be used for normal usage. The *ALLOBJ profile would be used when
needed.
The SECLOG tool can be used to identify a 'purpose' of each signon.
Other auditing functions can then be used to determine what was
actually done.
A good auditing function to consider would be to audit the commands
that were entered. This is discussed later with the DSPAUDCMD tool.
Getting started with SECLOG
---------------------------
Unless otherwise noted, all of the following commands must be entered
by a user with *ALLOBJ authority.
** The file that will be used to display the journal entries
created by SNDSECLOG must be created:
CRTSECLOG SECLOGPLIB(xxx)
The SECLOGP file would be created in the named library and the
*PUBLIC user would be excluded from any use. The library name
is stored in the SECLOG data area in TAASECURE to allow the
other SECLOG commands to determine where the file is. There
should only be one SECLOGP file on the system when using the
SECLOG tool.
** As a test, enter the SNDSECLOG command:
SNDSECLOG
A display appears that requires an entry for a 'Purpose'. The
field cannot be blank and there is no F key to cancel the
function. When SNDSECLOG is used as the first command in an
initial program, system request cancel is not allowed.
After some 'purpose' has been entered, use of the Enter key
will cause a journal entry to be sent to the QAUDJRN (Audit
Journal).
SNDSECLOG can be used by any user and may be entered multiple
times in the same job if required.
** The CVTSECLOG command can now be run to convert the SNDSECLOG
journal entries to the SECLOGP file that was created by
CRTSECLOG. The command would normally be entered without any
parameters as:
CVTSECLOG
Each time CVTSECLOG is run, the SECLOGP file is cleared and
the entries (U SL) are converted from the QAUDJRN journal.
The default is to use the entire chain of receivers for the
QAUDJRN journal. The data is then ready to be reviewed by
DSPSECLOG.
Clearing the file on each use is intended as a security aid to
prevent an *ALLOBJ user from changing the data in a permanent
data base file.
Because the SECLOG tool uses the journal, it would be very
difficult for any user to destroy or change the information.
** The data can then be reviewed with DSPSECLOG:
DSPSECLOG
A subfile is displayed of the journal entries. Option 5 may
be used to review the 'Purpose'.
Selection criteria on DSPSECLOG will allow selection by a
range of dates and a specific user profile.
Using DSPAUDCMD to determine the commands entered
-------------------------------------------------
The DSPAUDCMD tool provides a command that allows a review of the
commands that were entered by a user. DSPAUDCMD requires the use of
the AUDLOG tool which converts the journal entries to a data base
file. While this is not as secure as using the journal directly,
it simplifies the review of the commands entered. See the later
section on 'Additional auditing concerns'.
See the discussion of the DSPAUDCMD tool for what is required.
Setting the Initial Program for the use of SECLOG
-------------------------------------------------
If the user already has an initial program, you need to modify it,
for example:
PGM
TAATOOL/SNDSECLOG
CALL xxx /* User's normal initial program */
ENDPGM
Using a CALL to the user's existing initial program is recommended
because it allows the user to tailor his initial program without
changing the name of the initial program in the user profile. See
the later section on 'Additional auditing concerns'.
If the user has no initial program, you must create one. For
example, if the user uses the MAIN menu, the program would appear as:
PGM
TAATOOL/SNDSECLOG
GO MAIN
ENDPGM
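As an added example (not part of the TAA tool or the original text), here is a fuller initial program in the same pattern. It assumes the user's normal initial program is USRLIB/USRINLPGM (a placeholder name) and adds one choice the text does not make: if SNDSECLOG ends with an escape message, the job is signed off rather than continuing into a session whose purpose was never journaled.

```cl
/* Initial program for an *ALLOBJ profile (added example, not TAA code).  */
/* SNDSECLOG is the first command, as the text recommends.  If it fails  */
/* (for example QAUDJRN missing), the escape message is re-sent to this  */
/* program; the job is ended here so that no signon goes unrecorded.     */
/* Assumption: USRLIB/USRINLPGM is the user's normal initial program.    */
             PGM

             /* Prompt for the 'purpose' and journal it as a U/SL entry  */
             TAATOOL/SNDSECLOG
             MONMSG     MSGID(CPF0000 TAA0000) EXEC(DO)
               SNDPGMMSG  MSG('SECLOG: signon purpose was not journaled, +
                            job ended') TOMSGQ(QSYSOPR)
               SIGNOFF    LOG(*LIST)
             ENDDO

             /* Pass control to the user's own initial program.  Keeping */
             /* the CALL here lets the user change that program without  */
             /* changing INLPGM in the user profile.                      */
             CALL       PGM(USRLIB/USRINLPGM)
             ENDPGM
```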
Signon display
--------------
The default signon displays shipped with the system (QDSIGNON and
QDSIGNON2) allow a user to enter a program/procedure or menu. This
bypasses the initial program described in the user profile. It is
possible to change the signon display to eliminate these options.
Each subsystem may have its own signon display. This is determined
by the SGNDSPF parameter on CHGSBSD. You can read about changing the
signon display by using the system Information Center and the
discussion of 'Changing the signon display file'. The source for the
two display files is in the source file QWATSSRC in QSYS.
You may also want to consider allowing the signon display to have a
place for messages to inform the users of some important information
such as 'Shutdown will occur at 9:00 PM this evening'. See the TAA
Tool CHGSGNTXT.
For a small number of *ALLOBJ users, you should retain at least the
program/procedure option on the signon display. If there is a
problem that cannot be solved using the normal initial program, you
will want to have an option to go directly to a command line display
such as QCMD.
Bypassing the initial program function would bypass the intent of
SECLOG unless the user entered the SNDSECLOG command after reaching a
command entry display. There is a solution to check for this. You
must be using the job accounting journal. Job accounting will
provide an entry that the user signed on. A special command,
CHKSECLOG may be used to ensure that an *ALLOBJ user that signed on
has an entry in the SECLOGP file. See the discussion of CHKSECLOG.
CHKSECLOG Command
-----------------
You must be using Job Accounting (QACGJRN journal) to use CHKSECLOG.
CHKSECLOG accesses either one or all *ALLOBJ type users and searches
the job accounting journal for interactive jobs. The qualified job
information of each interactive job is checked for a matching record
in the SECLOGP file. Exceptions are noted.
Note that the job accounting journal is checked and not the TAA
JOBACG tool files. Therefore, a good time to use CHKSECLOG is before
you clean up the journal receivers for the QACGJRN journal. Before
running CHKSECLOG, you should first run CVTSECLOG to ensure you have
the current information. Then, a typical command would be:
CHKSECLOG USER(*ALLALLOBJ)
A listing would be displayed with one line per *ALLOBJ user and the
number of interactive jobs (signons) along with an indication of
whether there are matching records in the SECLOGP file. This will
provide a good check of any user who is not making an entry using the
SNDSECLOG command (such as bypassing the use of the initial program
which prompts for the command).
If any *ALLOBJ users have signed on during the dates specified, a
separate spooled file is created with the details. This is the same
spooled file that is output by specifying an individual user on
CHKSECLOG.
While CHKSECLOG is intended for *ALLOBJ users, the command may be
used for any user. The listing will note whether the user has the
*ALLOBJ special authority.
SECLOG data area in TAASECURE
------------------------------
To simplify the use of other SECLOG commands, the CRTSECLOG command
writes the name of the library containing the SECLOGP file to the
SECLOG data area in TAASECURE.
An *ALLOBJ user can change the value, but this would most likely
result in an error with the other SECLOG commands.
To change the library, use DLTSECLOG which will delete the existing
file and then use CRTSECLOG with a different library name.
General auditing comments
-------------------------
No approach can ever prevent a knowledgeable *ALLOBJ user from
tampering with the system and eliminating any audit trail. For
example, the service tools must provide the capability to change any
byte on the system. Allowing the user to restore objects that were
created on a different system can impact the integrity of the system.
To tamper with the object form of an object such as a program or a
journal receiver would take a level of knowledge that significantly
differs from what the typical externally oriented user knows. While
this is highly unlikely, nothing is impossible.
The system provides outstanding security and auditing capability to
make it difficult for a user to change the system without leaving an
audit trail. This assumes that you have taken some precautions such
as described in the next section.
Additional auditing concerns
----------------------------
To ensure the integrity of the SECLOG approach, you may want to audit
for other possible concerns. This will require auditing individual
objects. You must first ensure that the system value QAUDCTL is set
to allow object auditing (one of the entries must be *OBJAUD).
If object auditing is specified for an object as OBJAUD(*CHANGE) and
a change occurs, a journal entry is written with a journal code of
'T' and an entry type of 'ZC'.
** If you are using the TAA AUDLOG tool (such as required by the
DSPAUDCMD tool), you should ensure that any changes to the
AUDLOGP file are only done by a specific user using the
supplied AUDLOG commands. You can cause a journal entry for
any change by entering:
CHGOBJAUD OBJ(xxx/AUDLOGP) OBJTYPE(*FILE)
OBJAUD(*CHANGE)
You can specify CHGOBJAUD for any sensitive object on the
system.
** A special TAA tool CHKAUDLOGP exists to help check for valid
changes to the AUDLOGP file such as the use of CVTAUDLOG. The
command should be entered periodically and would typically be
entered as:
CHKAUDLOGP
A listing would be output of any changes that are not done by
the TAA AUDLOG commands.
** If you are using the TAA JOBACG tool (such as required by the
CHKSECLOG command), you should ensure that any changes to the
JOBACGP file are only done by a specific user using the
supplied JOBACG commands. You can cause a journal entry for
any change by entering:
CHGOBJAUD OBJ(xxx/JOBACGP) OBJTYPE(*FILE)
OBJAUD(*CHANGE)
** A special TAA tool CHKJOBACGP exists to help check for valid
changes to the JOBACGP file such as the use of CVTJOBACG. The
command should be entered periodically and would typically be
entered as:
CHKJOBACGP
A listing would be output of any changes that are not done by
the TAA JOBACG commands.
** SECLOG assumes that a job started by an *ALLOBJ user occurs
interactively. CHKSECLOG will describe these jobs. DSPAUDCMD
can then be used to review the commands that were entered.
An interactive job can submit batch jobs, but DSPAUDCMD will
describe the submitted function which could be further checked
with DSPAUDCMD.
However, there are many ways to start a batch job or enter
commands without submitting a batch job. For example, a job
may be started by the use of an auto start job or an option on
FTP to run commands associated with an FTP transfer.
Using the job accounting journal will help you identify all
jobs started by a user and note any that were not started in a
conventional manner. An option on the DSPJOBACG display will
allow you to invoke DSPAUDCMD which will describe the commands
that were entered for a particular job.
** Most users do not change the TAA objects even though source is
included for most of the tools. Changing one of the TAA Tools
involving SECLOG could certainly be an exposure to the
integrity of the tool. The CHKTAACRT command can be used to
determine if any objects in the TAATOOL library were not
created on a TAASYSnn system. It is valid to change a TAA
tool, but an auditor may want to review what has changed and
why.
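The CHKSECLOG section says to run CVTSECLOG before CHKSECLOG, and the items above add CHKAUDLOGP and CHKJOBACGP as periodic checks. As an added example (not part of the TAA tool or the original text), the CL program below strings those steps into one review run meant to be submitted to batch so the spooled output is retained. It assumes the placeholder name AUDLIB/SECLOGCHK for the program and that QAUDJRN, QACGJRN, the AUDLOG tool and the JOBACG tool are all in use as the text describes.

```cl
/* Periodic SECLOG review (added example, not part of the TAA tool).    */
/* Submit it so the CHKSECLOG spooled files are kept, for example:      */
/*   SBMJOB CMD(CALL PGM(AUDLIB/SECLOGCHK)) JOB(SECLOGCHK)              */
/* Assumptions: AUDLIB/SECLOGCHK is a placeholder name; QAUDJRN,        */
/* QACGJRN, the AUDLOG tool and the JOBACG tool are all in use.         */
             PGM
             DCL        VAR(&MSGID) TYPE(*CHAR) LEN(7)
             /* Program-level monitor: any re-sent escape goes to ERROR  */
             MONMSG     MSGID(CPF0000 TAA0000) EXEC(GOTO CMDLBL(ERROR))

             /* 1. Rebuild SECLOGP from the full QAUDJRN receiver chain  */
             /*    (the file is cleared and reloaded on every run)       */
             TAATOOL/CVTSECLOG RCVRNG(*CURCHAIN)

             /* 2. One summary line per *ALLOBJ user.  ALLINT(*NO) lists */
             /*    only interactive jobs with no matching SECLOGP record */
             TAATOOL/CHKSECLOG USER(*ALLALLOBJ) ALLINT(*NO) OUTPUT(*PRINT)

             /* 3. Confirm AUDLOGP and JOBACGP were changed only by the  */
             /*    supplied AUDLOG and JOBACG commands                   */
             TAATOOL/CHKAUDLOGP
             TAATOOL/CHKJOBACGP

             SNDPGMMSG  MSG('SECLOG review completed, check spooled +
                          output') TOMSGQ(QSYSOPR)
             RETURN

 ERROR:      RCVMSG     MSGTYPE(*EXCP) MSGID(&MSGID)
             SNDPGMMSG  MSG('SECLOG review failed with ' *CAT &MSGID) +
                          TOMSGQ(QSYSOPR)
             /* Re-send as an escape so the batch job ends abnormally    */
             /* and the failure is visible in the job log                */
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                          MSGDTA('SECLOG review failed, see QSYSOPR')
             ENDPGM
```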
Simplifying the auditing process
--------------------------------
The SECLOG, JOBACG, and DSPAUDCMD tools can be used together to
assist an auditor in determining what an *ALLOBJ user is actually
doing on the system.
To determine that other potential exposures are not occurring, an
approach would be to use the SCNAUDLOG command (requires the use of
the AUDLOG tool).
For example, assume you are using the AUDLOG tool and have requested
object auditing as described in the previous section on a sensitive
object such as the Accounts Receivable file. You may want to know if
any changes had occurred to the file by a specific user profile. You
could use the command:
SCNAUDLOG SEARCH(arfile) JRNCDE(T ZC)
USER(xxx)
SECLOG escape messages you can monitor for
------------------------------------------
None. Escape messages from based-on functions will be re-sent.
CRTSECLOG Command parameters *CMD
----------------------------
SECLOGPLIB The name of the library which will contain the
SECLOGP file.
The name of the library is stored in the SECLOG data
area in TAASECURE to allow other SECLOG commands to
determine where the SECLOGP file is.
A library name of TAATOOL or QTEMP may not be used.
SRCLIB The source library to use for the QATTDDS file
source. The default is *TAAARC to use the source
from the TAA Archive.
A specific user library may be named, but the source
file must be QATTDDS.
DLTSECLOG Command parameters *CMD
----------------------------
The command has no parameters.
SNDSECLOG Command parameters *CMD
----------------------------
The command has no parameters. A prompt will appear which allows the
'purpose' to be entered.
CVTSECLOG Command parameters *CMD
----------------------------
RCVRNG The receiver range of the QAUDJRN journal to be
used. The default is *CURCHAIN meaning the current
chain of receivers.
A two part entry may be made for the starting
journal receiver (and library) and the ending
journal receiver (and library).
*CURRENT may also be used for the starting journal
receiver to mean the current active receiver of the
QAUDJRN journal.
FROMTIME The From date and time to convert entries for. The
default is blank for both date and time meaning the
date/time of the first journal entry as described by
the RCVRNG parameter will be used. If a date is
entered, a time must also be entered. A date should
be entered in job date format and a time entered in
HHMMSS format.
TOTIME The To date and time to convert entries for. The
default is blank for both date and time meaning the
date/time of the last journal entry as described by
the RCVRNG parameter will be used. If a date is
entered, a time must also be entered. A date should
be entered in job date format and a time entered in
HHMMSS format.
DSPSECLOG Command parameters *CMD
----------------------------
STRDATE The start date to be displayed. The default is
*BEGIN meaning the first date of the entry in the
SECLOGP file.
ENDDATE The end date to be displayed. The default is *END
meaning the last date of the entry in the SECLOGP
file.
USER The user profile to be selected. *ALL is the
default for all users. A specific user may be
named.
CHKSECLOG Command parameters *CMD
----------------------------
USER The user name to be checked.
The special value *ALLALLOBJ may be used to check
all *ALLOBJ users. An entry of *ALLALLOBJ causes a
summary listing to be output with one line per
*ALLOBJ user. A separate listing also occurs for each
*ALLOBJ user who has caused an interactive job during
the specified start and end dates.
While CHKSECLOG is intended for *ALLOBJ users, it
may be used on any user profile.
STRDATE The start date to be used to access entries from the
job accounting journal. The default is *BEGIN
meaning the first date of the journal entry in the
current journal receiver chain.
ENDDATE The end date to be used to access entries from the
job accounting journal. The default is *END meaning
the last date of the journal entry in the current
journal receiver chain.
ALLINT A *YES/*NO parameter that determines if all
interactive jobs will be listed or just those where
there is no corresponding entry in the SECLOGP file.
*NO is the default meaning only the exceptions are
listed.
*YES may be specified to list all interactive jobs.
OUTPUT How to output the results. * is the default to
display the spooled file if the command is entered
interactively. The spooled file is deleted after it
is displayed if the display is ended with F3/F12 or
the Enter key. To retain the spooled file, you may
use the System Request 'Cancel' function and the
spooled file will exist in a HLD status.
If the command is entered in batch or *PRINT is
specified, the spooled file is output and retained.
Restrictions
------------
Only an *ALLOBJ user can enter the commands CRTSECLOG, DLTSECLOG,
CVTSECLOG, and DSPSECLOG.
Prerequisites
-------------
The following TAA Tools must be on your system:
ADJVAR Adjust variable
CHKALLOBJ Check *ALLOBJ special authority
CHKOBJ2 Check object 2
CPYTAADDS Copy TAA DDS
CVTTIM Convert time
EDTVAR Edit variable
FMTLIN Format line
HLRMVMSG HLL remove messages
RSNLSTMSG Resend last message
RTVSYSVAL3 Retrieve system value 3
SCNVAR Scan variable
SNDCOMPMSG Send completion message
SNDESCINF Send escape information
SNDESCMSG Send escape message
SNDJLGMSG Send job log message
SNDSTSMSG Send status message
UPDPFILE Update PFILE keyword
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object       Type    Attribute  Src member   Src file
------       ----    ---------  ----------   ----------
SNDSECLOG    *CMD               TAASEKL      QATTCMD
CVTSECLOG    *CMD               TAASEKL2     QATTCMD
CRTSECLOG    *CMD               TAASEKL3     QATTCMD
DLTSECLOG    *CMD               TAASEKL4     QATTCMD
DSPSECLOG    *CMD               TAASEKL5     QATTCMD
CHKSECLOG    *CMD               TAASEKL6     QATTCMD
TAASEKLC     *PGM    CLP        TAASEKLC     QATTCL
TAASEKLC2    *PGM    CLP        TAASEKLC2    QATTCL
TAASEKLC3    *PGM    CLP        TAASEKLC3    QATTCL
TAASEKLC4    *PGM    CLP        TAASEKLC4    QATTCL
TAASEKLC5    *PGM    CLP        TAASEKLC5    QATTCL
TAASEKLC6    *PGM    CLP        TAASEKLC6    QATTCL
TAASEKLC15   *PGM    CLP        TAASEKLC15   QATTCL
TAASEKLC16   *PGM    CLP        TAASEKLC16   QATTCL
TAASEKLC17   *PGM    CLP        TAASEKLC17   QATTCL
TAASEKLC26   *PGM    CLP        TAASEKLC26   QATTCL
TAASEKLR2    *PGM    RPG        TAASEKLR2    QATTRPG
TAASEKLR5    *PGM    RPG        TAASEKLR5    QATTRPG
TAASEKLR6    *PGM    RPG        TAASEKLR6    QATTRPG
TAASEKLR26   *PGM    RPG        TAASEKLR26   QATTRPG
TAASEKLD     *FILE   DSPF       TAASEKLD     QATTDDS
TAASEKLE     *FILE   DSPF       TAASEKLE     QATTDDS
TAASEKLP     *FILE   PF         TAASEKLP     QATTDDS
TAASEKLQ     *FILE   PF         TAASEKLQ     QATTDDS
TAASEKLS     *FILE   PF         TAASEKLS     QATTDDS
Structure
---------
SNDSECLOG    Cmd
   TAASEKLC     CL pgm
CVTSECLOG    Cmd
   TAASEKLC2    CL pgm
      TAASEKLR2    RPG pgm
CRTSECLOG    Cmd
   TAASEKLC3    CL pgm
DLTSECLOG    Cmd
   TAASEKLC4    CL pgm
DSPSECLOG    Cmd
   TAASEKLC5    CL pgm
      TAASEKLR5    RPG pgm
   TAASEKLC15   CL pgm - Does FMTLIN
   TAASEKLC16   CL pgm - Does CVTDAT
   TAASEKLC17   CL pgm - Determines *ALLOBJ user
CHKSECLOG    Cmd
   TAASEKLC6    CL pgm
      TAASEKLR6    RPG pgm
   TAASEKLC26   CL pgm
      TAASEKLR26   RPG pgm