Agenda
IBM AS/400 & System i market Auditing AS/400 Resources for AS/400 auditors Questions & answers
Whats in a Name?
Server
AS/400 iSeries i5 System i
(1988 1998) (1998 2004) (2004 2006) (2006)
Operating System
OS/400 i5/OS
(1993 2004) (2004)
System i Market
i = Integration
JD Edwards
System Values
Are the foundation of a secure system Define things like default public
authority, default paths, base security level, audit levels, etc. Typically require security officer privileges to change Should seldom be changed Should be verified on a regular basis
System Values
The System Security Audit Journal (QAUDJRN) holds security related event log data On OS/400, journals are W.O.R.M. (write once
read many) type objects The Audit System Values describe what audit information will be logged to QAUDJRN OS/400 has great capturing capability for audit information, but reporting capability is less robust
Controlling the path is an essential part of security OS/400 paths come in two basic flavors,
Traditional Unix paths, and OS/400 libraries It is not unusual that the public has rights to add objects to where the operating system lives (Library QSYS) Libraries where the user has *CHANGE rights (or better) are a serious exposure
Network Access
Standard tools allow users to directly get data from the System i
The OS does not log this activity
Network Access
Powerful Users
Administrative Rights
Questions?