SecureMyi.com Security and Systems Management Newsletter for the IBM i                 December 10, 2014 - Vol 4, Issue 20

Auditing Your Exit Point Security with QAUDJRN for IBM i

By Dan Riehl

I have heard these and similar questions often: "Who removed my exit program?" or "Where did my FTP and Create User Profile registered Exit Programs go?" Perhaps a more interesting question might be "How did that Exit Program get registered in the first place?"

If you have created the QAUDJRN journal, and have set the associated system values (QAUDCTL and QAUDLVL) correctly, you have an audit trail of all changes that have been made to the Exit Point Registry. There are two auditing methods you can use to collect information about Exit Point Registry changes: Object Auditing and Event Auditing. When dealing with the Exit Point Registry, I think you will find that Event Auditing may be the better choice for you. But I'll present both methods and you can choose which one you like. You may prefer to use both, which is what I actually recommend.

Auditing the Object

The Exit Point Registry is stored in the object QUSEXRGOBJ in library QUSRSYS. The object type is *EXITRG.

In order to start auditing the Exit Point Registry object, you first need to ensure that the QAUDCTL system value includes the value *OBJAUD. This allows you to begin auditing access to objects. Once this is done, you can then start auditing changes to the registry object using the following command.

CHGOBJAUD OBJ(QUSRSYS/QUSEXRGOBJ) OBJTYPE(*EXITRG) OBJAUD(*CHANGE)
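Before relying on the audit trail it is worth confirming that the prerequisites just described are actually in place. The following Db2 for i SQL is an added example, not part of the original article: it reads the QAUDCTL, QAUDLVL and QAUDLVL2 system values through the QSYS2.SYSTEM_VALUE_INFO view and the registry object's auditing value through QSYS2.OBJECT_STATISTICS. It checks both the *OBJAUD prerequisite for object auditing and the *AUDLVL / *SECCFG prerequisites for the event auditing described later. It assumes a release on which those two QSYS2 services are available.

```sql
-- Added example (not from the article). Run from STRSQL, Run SQL Scripts
-- or RUNSQLSTM. Assumes QSYS2.SYSTEM_VALUE_INFO and QSYS2.OBJECT_STATISTICS
-- exist on your release.

-- 1. QAUDCTL must contain *OBJAUD (object auditing) and *AUDLVL (event
--    auditing). At least one of QAUDLVL / QAUDLVL2 must contain *SECCFG
--    or *SECURITY for the GR entries to be written.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_CHARACTER_VALUE,
       CASE
         WHEN SYSTEM_VALUE_NAME = 'QAUDCTL'
              AND CURRENT_CHARACTER_VALUE LIKE '%*OBJAUD%'
              AND CURRENT_CHARACTER_VALUE LIKE '%*AUDLVL%'
           THEN 'OK'
         WHEN SYSTEM_VALUE_NAME IN ('QAUDLVL', 'QAUDLVL2')
              AND (CURRENT_CHARACTER_VALUE LIKE '%*SECCFG%'
                   OR CURRENT_CHARACTER_VALUE LIKE '%*SECURITY%')
           THEN 'OK'
         ELSE 'CHECK'
       END AS STATUS
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDLVL', 'QAUDLVL2');

-- 2. The registry object itself must carry OBJAUD(*CHANGE) or OBJAUD(*ALL);
--    anything else means the CHGOBJAUD command above has not been applied
--    (or has since been reverted).
SELECT OBJNAME,
       OBJTYPE,
       OBJECT_AUDIT,
       CASE WHEN OBJECT_AUDIT IN ('*CHANGE', '*ALL') THEN 'OK' ELSE 'CHECK' END
         AS STATUS
  FROM TABLE(QSYS2.OBJECT_STATISTICS('QUSRSYS', '*EXITRG'))
 WHERE OBJNAME = 'QUSEXRGOBJ';
```

The first query reports 'CHECK' for QAUDLVL2 when all the values are carried in QAUDLVL alone (and vice versa); only one of the two needs *SECCFG or *SECURITY. Run both queries periodically, since a change to QAUDCTL or to the object's auditing value is exactly what an attacker would do before tampering with the registry, and those changes are themselves audited (system value changes as SV entries).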

Now, whenever a change is made to the registry, a ZC (Object Accessed for Change) journal entry is written to the QAUDJRN journal, indicating that the QUSEXRGOBJ object was accessed in update mode and/or was changed. Additional information provided in the ZC journal entry includes the Job User, Current User, Job Name, the Program that made the change, the timestamp of the entry, etc.

The operations that can be audited for the Exit Point Registry QUSEXRGOBJ object are:

  • ADDEXITPGM --- Add Exit Program CL Command
  • QUSADDEP --- Add Exit Program API
  • QusAddExitProgram --- Add Exit Program API
  • QUSDRGPT --- Unregister Exit Point API
  • QusDeregisterExitPoint --- Unregister Exit Point API
  • QUSRGPT --- Register Exit Point API
  • QusRegisterExitPoint --- Register Exit Point API
  • QUSRMVEP --- Remove Exit Program API
  • QusRemoveExitProgram --- Remove Exit Program API
  • RMVEXITPGM --- Remove Exit Program CL Command
  • WRKREGINF --- Work with Registration Information CL Command

To review all ZC entries, you can use your favorite QAUDJRN reporting software. In V5R4 IBM provided the command CPYAUDJRNE (Copy Audit Journal Entries), which is a very nice command for extracting information from QAUDJRN. Here's the command you can use to extract the ZC (Object Accessed for Change) entries into a formatted output file.

CPYAUDJRNE ENTTYP(ZC) OUTFILE(MYLIB/QAUDIT)

This will create a file QAUDITZC in library MYLIB. The columns in the output file are specific to the ZC journal entry type. To list the ZC entries, you can use the command:

RUNQRY *N MYLIB/QAUDITZC

If you are auditing numerous objects on your system, you will need to select only the records where the object name is QUSEXRGOBJ.

Auditing the Event of a change to the Exit Point Registry

To audit security configuration events, like a change to the Exit Point Registry, you set the system value QAUDCTL to include the value *AUDLVL, and include the value *SECCFG or *SECURITY in the QAUDLVL or QAUDLVL2 system value.

If this is done, and someone or some process manipulates the Exit Point Registry, a journal entry is written to the QAUDJRN journal. The journal entry type for this access is GR (Generic Record). As of IBM i 6.1, all GR entries are related to the Exit Point Registry.

You can review the GR entries just like the ZC entries. Here's the command you can use to extract the GR entries into a formatted output file.

CPYAUDJRNE ENTTYP(GR) OUTFILE(MYLIB/QAUDIT)

This will create a file QAUDITGR in library MYLIB. The columns in the output file are specific to the GR journal entry type. To list the GR entries, you can use the command:

RUNQRY *N MYLIB/QAUDITGR

The information provided includes what function was performed, Job User, Current User, Job Name, Program used, Timestamp, etc.
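Once the ZC and GR entries have been copied out with CPYAUDJRNE, the quickest way to work with them is SQL rather than RUNQRY. The following Db2 for i queries are an added example, not part of the original article, and serve both the ZC filtering described above (keeping only records for QUSEXRGOBJ when many objects are audited) and the GR review. The column names are assumed to follow the QASYZCJ5 / QASYGRJ5 model output files (xxTSTP, xxJOB, xxUSER, xxNBR, xxPGM, xxUSPF for the common fields; ZCONAM, ZCOLIB, ZCOTYP, ZCATYP for the ZC object fields); confirm them with DSPFFD FILE(MYLIB/QAUDITZC) and DSPFFD FILE(MYLIB/QAUDITGR) before use. The approved-profile name is a placeholder.

```sql
-- Added example (not from the article). Assumes SQL naming (MYLIB.QAUDITZC)
-- and the model-file column names noted above; verify them with DSPFFD.

-- ZC entries: keep only changes to the Exit Point Registry object, since
-- the output file holds ZC records for every object being audited.
SELECT ZCTSTP AS ENTRY_TIME,
       ZCUSPF AS CUR_USER,      -- profile actually in effect (swapped?)
       ZCUSER AS JOB_USER,
       ZCJOB  AS JOB_NAME,
       ZCNBR  AS JOB_NUMBER,
       ZCPGM  AS PGM_NAME,
       ZCATYP AS ACCESS_TYPE
  FROM MYLIB.QAUDITZC
 WHERE ZCONAM = 'QUSEXRGOBJ'
   AND ZCOLIB = 'QUSRSYS'
   AND ZCOTYP = '*EXITRG'
 ORDER BY ZCTSTP DESC;

-- GR entries: on IBM i 6.1 and later every GR record concerns the registry,
-- so no object filter is needed. List who did what and from which program.
SELECT GRTSTP AS ENTRY_TIME,
       GRUSPF AS CUR_USER,
       GRUSER AS JOB_USER,
       GRJOB  AS JOB_NAME,
       GRNBR  AS JOB_NUMBER,
       GRPGM  AS PGM_NAME
  FROM MYLIB.QAUDITGR
 ORDER BY GRTSTP DESC;

-- Detection: a registry change made under any profile other than the ones
-- authorised to maintain exit programs is worth an alert. 'SECADMIN' is a
-- placeholder; substitute your own approved profile list.
SELECT GRTSTP, GRUSPF, GRUSER, GRJOB, GRNBR, GRPGM
  FROM MYLIB.QAUDITGR
 WHERE GRUSPF NOT IN ('SECADMIN')
 ORDER BY GRTSTP DESC;
```

Compare the current-user (xxUSPF) and job-user (xxUSER) columns: when they differ, the change was made under a swapped or adopted profile, and the program column tells you which program did the swap. Keeping both the ZC and GR output files, as the article recommends, lets you cross-check that every ZC change to QUSEXRGOBJ has a matching GR event and vice versa.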



About the Author

Dan Riehl is the Editor of the SecureMyi Security Newsletter and a Security Specialist for the IT Security and Compliance Group.

Dan performs IBM i security assessments and provides security consulting, remediation, forensic evaluations, and other customized security services for his clients. He also provides training in all aspects of IBM i security and other technical areas through The 400 School, Inc.

Dan Riehl on LinkedIn

© Copyright 2014 - IT Security and Compliance Group