Auditing IBM AS400, iSeries, and System i - PowerPoint PPT Presentation

1 / 28
About This Presentation
Title:

Auditing IBM AS400, iSeries, and System i

Description:

John Earl. Chief Technology Officer. The PowerTech Group, Inc. Agenda ... What's in a Name? Server. AS/400 (1988 1998) iSeries (1998 2004) i5 (2004 2006) ... – PowerPoint PPT presentation

Number of Views:471
Avg rating:3.0/5.0
Slides: 29
Provided by: john195
Category:

less

Transcript and Presenter's Notes

Title: Auditing IBM AS400, iSeries, and System i


1
Auditing IBM AS/400, iSeries, and System i
  • John Earl
  • Chief Technology Officer
  • The PowerTech Group, Inc.

2
Agenda
  • IBM AS/400 System i market
  • Auditing AS/400
  • Resources for AS/400 auditors
  • Questions answers

3
Whats in a Name?
  • Server
  • AS/400 (1988 1998)
  • iSeries (1998 2004)
  • i5 (2004 2006)
  • System i (2006)
  • Operating System
  • OS/400 (1993 2004)
  • i5/OS (2004)

4
System i Market
  • 98 of Fortune1000 run System i
  • Source IBM
  • 400,000 systems installed worldwide
  • 45 US, 35 Europe with 20 Asia
  • 30,000 new systems ship annually
  • Price range from 12,000 to 1 million
  • 16,000 banks run on the System i

5
i Integration
6
The Perfect Storm of Vulnerability
  • Security awareness among OS/400 professionals is
    low
  • OS/400 awareness among audit professionals is low
  • Some of the most valuable data in any
    organization is on the AS/400

7
What To Look For On An AS/400
  • OS/400 auditing essentials
  • System Values
  • Base Auditing capabilities
  • Library and Directory Settings
  • Network Access
  • User Profiles
  • Powerful Users

8
OS/400 Auditing Essentials
  • System Values
  • Are the foundation of a secure system
  • Define things like default public authority,
    default paths, base security level, audit levels,
    etc.
  • Typically require security officer privileges to
    change
  • Should seldom be changed
  • Should be verified on a regular basis

9
System Values
10
Reference Resources for AS/400
11
Base Auditing Capabilities
  • The System Security Audit Journal (QAUDJRN) holds
    security related event log data
  • On OS/400, journals are W.O.R.M. (write once read
    many) type objects
  • The Audit System Values describe what audit
    information will be logged to QAUDJRN
  • OS/400 has great capturing capability for audit
    information, but reporting capability is less
    robust

12
Base Auditing Capability
13
Library and Directory Settings
  • Controlling the path is an essential part of
    security
  • OS/400 paths come in two basic flavors,
    Traditional Unix paths, and OS/400 libraries
  • It is not unusual that the public has rights to
    add objects to where the operating system lives
    (Library QSYS)
  • Libraries where the user has CHANGE rights (or
    better) are a serious exposure

14
The Publics Authority to Libraries
15
Network Access
  • It is common for users to have at least change
    rights to data
  • OS/400 ships with all TCP/IP services active by
    default
  • Users who can change or delete data Open
    servers like FTP and ODBC Disaster

16
Open Access from PCs
  • Standard tools allow users to directly get data
    from the System i
  • The OS does not log this activity

17
Unprotected Network Access
18
Network Access
19
Protecting the System
20
OS/400 User IDs
  • Un-monitored user IDs are the easiest way to get
    into any system
  • OS/400 administrators have not proved to be
    particularly strong on monitoring users
  • Passwords on OS/400 can be weaker than other
    systems

21
OS/400 User IDs
22
Powerful Users
  • On OS/400, Root capability is divided into eight
    different special authorities
  • The granularity allows you to segment
    Communications, from hardware, from Sysop
    ability, etc.
  • The most important of these special authorities
    is ALLOBJ
  • OS/400 special authorities tend to be handed out
    liberally

23
Administrative Rights
24
Resources for AS/400 Auditors 123
  • Compliance Assessment tool shown in this
    presentation
  • Open Source OS/400 Security Policy
  • State of the System i Security Study

Auditor resource areawww.audit400.com
25
Resource 1 Compliance Assessment
26
Resource 2 Open Source Security Policy
27
Resource 3 State of System i Security
28
Questions?
Auditor Resource Site www.audit400.com
Write a Comment
User Comments (0)
About PowerShow.com