Auditing IBM AS/400, iSeries, and System i

John Earl Chief Technology Officer The PowerTech Group, Inc.

Agenda

IBM AS/400 & System i market Auditing AS/400 Resources for AS/400 auditors Questions & answers

Whats in a Name?

Server
AS/400 iSeries i5 System i
(1988 1998) (1998 2004) (2004 2006) (2006)

Operating System
OS/400 i5/OS
(1993 2004) (2004)

System i Market

98% of Fortune1000 run System i

Source: IBM

400,000 systems installed worldwide

45% US, 35% Europe with 20% Asia 30,000 new systems ship annually Price range from $12,000 to $1 million + 16,000 banks run on the System i

i = Integration

JD Edwards

The Perfect Storm of Vulnerability

Security awareness among OS/400

professionals is low OS/400 awareness among audit professionals is low Some of the most valuable data in any organization is on the AS/400

What To Look For On An AS/400

OS/400 auditing essentials

System Values Base Auditing capabilities Library and Directory Settings Network Access User Profiles Powerful Users

OS/400 Auditing Essentials

System Values
Are the foundation of a secure system Define things like default public
authority, default paths, base security level, audit levels, etc. Typically require security officer privileges to change Should seldom be changed Should be verified on a regular basis

System Values

Reference Resources for AS/400

Base Auditing Capabilities

The System Security Audit Journal (QAUDJRN) holds security related event log data On OS/400, journals are W.O.R.M. (write once
read many) type objects The Audit System Values describe what audit information will be logged to QAUDJRN OS/400 has great capturing capability for audit information, but reporting capability is less robust

Base Auditing Capability

Library and Directory Settings

Controlling the path is an essential part of security OS/400 paths come in two basic flavors,
Traditional Unix paths, and OS/400 libraries It is not unusual that the public has rights to add objects to where the operating system lives (Library QSYS) Libraries where the user has *CHANGE rights (or better) are a serious exposure

The Publics Authority to Libraries

Network Access

It is common for users to have at

least change rights to data OS/400 ships with all TCP/IP services active by default Users who can change or delete data + Open servers like FTP and ODBC = Disaster

Open Access from PCs

Standard tools allow users to directly get data from the System i
The OS does not log this activity

Unprotected Network Access

Network Access

Protecting the System

OS/400 User IDs

Un-monitored user IDs are the

easiest way to get into any system OS/400 administrators have not proved to be particularly strong on monitoring users Passwords on OS/400 can be weaker than other systems

OS/400 User IDs

Powerful Users

On OS/400, Root capability is divided

into eight different special authorities The granularity allows you to segment
Communications, from hardware, from Sysop ability, etc. The most important of these special authorities is *ALLOBJ OS/400 special authorities tend to be handed out liberally

Administrative Rights

Resources for AS/400 Auditors 123

Compliance Assessment tool shown

in this presentation Open Source OS/400 Security Policy State of the System i Security Study

Auditor resource area www.audit400.com

Resource #1 Compliance Assessment

Resource #2 Open Source Security Policy

Resource #3 State of System i Security

Questions?

Auditor Resource Site: www.audit400.com