by Heather Beck, Product Support Manager, Bytware

If you have a well-implemented security plan, you have already identified your end users and have given careful consideration to their authorization roles. But what about security within your IT department? Have you restricted the authority of your IT staff members or software vendors who supply applications on your system? Do you have any IT consultants that have access to your system? Individuals within your IT department pose the greatest security threat of all. As with all other employees, IT staff members should only be authorized to those functions that require them to do their job. Generally, IT workers are trusted; but you can’t base your security on trust.

An obvious first step in taking control (remember security is a business function), is to ensure that all users are properly authorized to perform their jobs AND are otherwise restricted. You must identify the authorization roles within the IT department as well. Consider your operator who must coordinate with end users to resolve workstation issues, job issues, and printing problems. They may even schedule daily batch jobs. Do you have a communications administrator who maintains device descriptions and network configurations? Are they the same person as your operator or network administrator? After you’ve defined roles for your own IT staff members, you mustn’t forget about those vendors and consultants. They are an integral part of your IT environment.

There is also a looming threat regarding profile swapping. Profile swapping is a common technique used to elevate a user’s authority only when they need it. Using the IBM-supplied User Profile Swap APIs is a good way to temporarily gain control of another user profile. Once a job has been changed to run under a new user profile, every activity happening after that will fall under that new profile. For example, if you were to display spooled files, you would see the spooled files for the new user profile that you swapped to even though you signed on under your own user profile. And if you submitted a new job, it would be submitted under the new profile. There are many business reasons to use this technique but it can also come at a heavy price.

So you’ve defined your profiles and granted and revoked authorities, but your system and users aren’t static. Employees and business requirements change. And even if their authorities are well-defined and will never change, there are times they could potentially be acting like someone else (profile swapping!). Therefore you must also take steps to constantly audit these users and authorities to ensure your security is effective over time. You need a peek into your system on a periodic basis to be sure you’re not still relying on trust with your IT staff.

The System Audit Journal allows you to perform user level event auditing. You can audit an IT staff member’s actions or their use of particular objects, or both by using the CHGUSRAUD command. This command gives you an excellent tool to spot-check users with *ALLOBJ special authority. QAUDJRN even logs a PS audit journal entry when a profile swap has taken place.

To enhance your security and assist in investigating suspicious activity, a screen-capture utility like Bytware’s PeekPlus can be invaluable. PeekPlus gives you the ability to view another user’s screen in real time, up to the last keystroke. Screen activity can even be recorded to a file to provide a permanent audit trail or it can be imported to any word processor to document incidents. Security administrators need tools that allow them to investigate security matters from their own terminal, and PeekPlus allows them to view another user’s screen with or without their knowledge.

Although you trust your IT staff, you may still need to monitor their activity or record their screens for evidence gathering, internal HR-related investigations, or just general security auditing. Have you ever wondered what exactly your night operator is doing when you’re not there? Wouldn’t it be nice to keep track of their screens to review the following morning? Or do you have trouble with someone answering messages incorrectly on the Console during day-end operations? Wouldn’t it be helpful if your IT consultants or software vendors knew they were being watched when they accessed your system? You can use PeekPlus to document the screen contents of any interactive job and send the screens to a file or printer. You can submit a job to capture screens to a database file, and that job will run until the device is signed off. You can then import the file into another application or download to your PC. You can also automate the screen capturing process using a CL program or job schedule entry.

Just because you have a well-implemented security plan, doesn’t mean trust will get you far. Consider the users in your IT department, define their roles clearly, and get tools to help you minimize the risk.

If you would like to find out more about PeekPlus contact us at 775.851.2900 or visit http://www.bytware.com/pp.

How to Prevent IFS Worms from Making Off with Your Critical Data

By Sandi Moore, Technical Consultant, Bytware

Throughout the day, we all receive hundreds, if not thousands, of emails in our Inbox from various sources—including co-workers, customers, vendors, and more. We rely on our corporate mail server and our local PC virus scanning to protect us from threats that may be hiding in those emails. Our mail admins remind us time and again to avoid opening unsolicited attachments or clicking on links from unknown persons. Data is constantly flowing through web browsers, FTP servers, shared network drives, removable media, and many other avenues. Knowing that these are all paths to infection, we scan and secure them as well. But what about your IBM i?

In recent months, we have seen a rash of virus infections that have had a frustrating impact on the IFS for many customers. W32/autorun.worm.aaeh is a worm that spreads by making copies of itself on removable drives and mounted network shares (i.e. your mapped drive to the IFS) and embeds copies of itself in ZIP and RAR files. It will hide the directories on removable drives and replace those directories with copies of itself—using the same filename as the hidden directory—so that when a user opens the mapped drive, it looks like their folder; but it is really the virus. It also checks for certain file types, changes the attributes to hidden, and creates a copy of itself with the same filename as the hidden file. The result? When you try to access your file, you are instead launching the virus. And this is just on your IBM i. The issues caused on PCs run even deeper.

The clean-up process ties up massive man-hours and involves using WRKLNK to find the affected directories and remove the bad files, as well as running CHGATR command to change the attributes of all the hidden files back to their correct state. Along the way you must try to prevent users from launching copies of the worm again and undoing the cleanup already done. The good news is that the damage from this virus is superficial, if not annoying. The next one could be more like the MyDoom virus that deleted files from any mapped drive it found.

Can this be prevented? Yes, the spread and damage of a virus can be prevented with a combination of strategies. First, limit who has the ability to map a drive to your system. For those who do need this ability, limit what functions they are allowed to perform through that mapped drive. A virus launched on a PC has all of the authority of the User who launched it, so if you have someone with SECADM mapping a drive that connects automatically, you have the potential for big problems.

Second, implement a native anti-virus software package on your IBM i to scan your directories for viruses. StandGuard Anti-Virus allows you to take advantage of the IBM-supported on-access scanning to prevent the virus from spreading. On-access scanning is done in real-time as the file is accessed through the File Server and any file found to be infected is stopped dead in its tracks. It also allows you to scan your full system on a regularly scheduled basis to look for files that enter through the many other means available such as FTP, optical drives, backups and other.

You never know what is hiding on your system until you scan it. And with regulatory standards such as PCI-DSS requiring the deployment of anti-virus software, you’ll not only be cutting off threats such as W32/autorun.worm.aaeh at the pass, but also ensuring that your organization is fully prepared for reporting and audits.

Find out more about protecting your IFS! Register for our May 15 webinar “3 IFS Weaknesses You Must Secure—Now!”

12 Ways MessengerPlus and Robot/SCHEDULE Can Work Together!

By Chuck Losinski

The scheduling functionality built into IBM i can help you take control of the jobs running on your system. But if you truly want to unleash the power of MessengerPlus for automated systems management, combining it with Robot/SCHEDULE from Help/Systems is the perfect solution. Robot/SCHEDULE takes you beyond the basics of IBM i scheduling with the ability to create finely tuned workflows that match perfectly to the unique requirements of your environment. Here are 12 ways that MessengerPlus and Robot/SCHEDULE can enhance your operations.

1. Have MessengerPlus monitor for the SLA messages that Robot/SCHEDULE can generate. (See Figure 1.)

Robot/SCHEDULE has a built-in job monitoring function that can monitor for and detect if:

a. Your job did not complete on time or ran too long
b. Your job ran too quickly (file might be empty)
c. Your job did not start on time

Figure 1: Job monitors

2. Let Robot/SCHEDULE fetch your PTF updates for MessengerPlus by scheduling the MPRUNUPD command at the best time for YOU. Possibly make this process dependent upon your month end process completing. This is called “Reactivity” in Robot/SCHEDULE and allows simple or complex dependency processing depending upon your needs. See the example job flow diagram from Robot/SCHEDULE (Figure 2).

Figure 2: Job flow diagram showing job dependencies

3. Have MessengerPlus monitor the critical Robot/SCHEDULE jobs that constitute the engine of Robot/SCHEDULE in the RBTSLEEPER subsystem. Critical jobs:

a. ROBOT
b. ROBOTREACT
c. ROBOTJM
d. ROBOTAUDIT
e. ROBOTSBMJ

4. Have MessengerPlus monitor the RBTSLEEPER subsystem to make sure it is active and running the various Robot products.

5. Monitor for the RB16404 message from your Robot/SCHEDULE jobs which indicates that one of your Robot jobs ended abnormally. These jobs can also be displayed in the Robot/SCHEDULE Schedule Activity Monitor for a visual indication that a job has ended abnormally. The Schedule Activity Monitor shows you a 24-hour forecast of your job schedule, the jobs that are queued or running, and the completed jobs. It automatically refreshes to give you an up-to-the-minute status of your Robot jobs. (See Figure 3.)

Figure 3: Schedule Activity Monitor

6. Embed the MessengerPlus command to send an email (SNDPGRMSG) when your job stream is starting, you’ve reached a critical checkpoint, or your job stream has completed. Unlike the native IBM i scheduler, Robot/SCHEDULE jobs can contain multiple commands and can stop processing the job if any of the commands fail. (See Figure 4).

Figure 4: Command entry in Robot/SCHEDULE

7. Schedule the MessengerPlus commands to hold (HLDMON) and release (RLSMON) resource monitoring during a month end process or another time.

8. Schedule the MessengerPlus Event Monitoring (PRTEVT) report giving you a detail report of the exceptions to the resource monitoring, job monitoring or message history. Use Robot/SCHEDULE Reserved Command Variables to fully automate the date range submission for the report. (See Figure 5).

9. Schedule the MessengerPlus command to delete Event History based on days old, monitor name, status, type, originating system, and severity.

10. Schedule the MessengerPlus command to end (ENDMP) then restart (STRMP) MessengerPlus due to the limitation on the number times and ILE program can be called. We recommend doing this on a weekly basis.

11. Using the “EVERY” option in Robot/SCHEDULE to run a job every X minutes, schedule a “heartbeat” message using the SNDPGRMSG that MessengerPlus is active. Send that to the operations team responsible for monitoring all systems. There are many advanced scheduling options built into Robot/SCHEDULE to handle all of your complex scheduling needs. (See Figure 6).

12. And last but not least use the conversion from the native scheduler to import all your batch jobs into Robot/SCHEDULE. This will allow you can take advantage of all the great features of Robot/SCHEDULE described above to automate, monitor, and control your scheduled jobs using the Robot/REPLAY plug-in and the Enterprise plug-in for Windows, Unix, and Linux. (This last one has nothing to do with MessengerPlus but we wanted an even dozen!)

Want to try combining MessengerPlus and Robot/SCHEDULE for yourself? Try Robot/SCHEDULE free for 30 days.

Q&A

How can I secure Telnet by User ID if no User ID was sent upon connection?

The Telnet server normally allows clients to connect without providing a User ID and password. This makes it easier for users to try different User IDs and passwords using the sign-on screen. Additionally, it would prevent your system security tool from being able to enforce Telnet policies based on User ID, because no User ID was sent.

StandGuard Network Security builds upon the OS design and requires a User ID and password to be sent upon connection. The option is provided to require the Telnet Client to send a valid User ID and password on the connection request. This makes it more difficult for users to try different User IDs and passwords, and prevents devices from being automatically selected and subsequently disabled due to invalid sign-on attempts. It allows StandGuard Network Security to enforce Telnet policies based on User ID (or group).

Do I have to run StandGuard Anti-Virus under user QSECOFR or can I use my own profile?

Several parts of the application need *SECOFR authority from time to time and the functions are submitted by default under the STANDGUARD user profile, but when STANDGUARD needs more authority it swaps to QSECOFR. The profile that STANDGUARD swaps to is listed in a data area. If you don’t want STANDGUARD swapping to QSECOFR when necessary, you can change the user profile that is used. Please use a profile that has *ALLOBJ, *SECADMN and has a directory entry. To make the change:

CALL PGM(STANDGUARD/AVCHGAO) PARM(userprofile STANDGUARD)

The program needs 2 parms, the preferred user profile name, and the STANDGUARD library name.

Thursday, February 14, 2013

Messenger 8 adds improved job management and easier compliance reporting

Bytware, a division of Help/Systems, LLC and provider of systems management and security solutions for IBM Power Systems servers, is pleased to announce a new version of their IBM i message monitoring tool, Messenger 8. This latest update adds new ease-of-use enhancements in the areas of job management and compliance reporting.

These enhancements help users and managers of IBM Power Systems servers—including AS/400, iSeries, and System i—more easily identify jobs running on their systems that are critical to business operations. By facilitating fine-tuned searches, helping IT staff collaborate on incident response, and enhancing the built-in capabilities of IBM i, Messenger 8 brings message monitoring in line with the latest approaches to server management.

As Bytware Product Support Manager Heather Beck explains, “More and more of our customers are deploying virtualization technologies, and our products need to support that flexible infrastructure. Messenger now supports Live Partition Mobility to guarantee there is no outage with their systems monitoring while they are performing that load balancing act.”

Messenger 8 also adds new tools to streamline compliance audits and reporting. Managers can easily create detailed lists of all devices associated with the system, along with their numbers, to whom they belong, and schedules configured for them. These reports make it simple to satisfy auditors by clearly presenting all information up front.

Lastly, with security at the forefront in today’s corporate environment, a new enhancement brings support for servers that require SSL authentication. This feature gives managers the freedom to encrypt communications through any server or mail service—including Gmail—and satisfy important aspects of auditing and compliance.

Messenger 8 is available now, and a free trial can be requested through the Bytware website at www.bytware.com/m8.

Ask any group of security professionals which area of IBM i security is most often ignored and, chances are, the unanimous response will be “the Integrated File System.” Although it’s been around since V3R1, the Integrated File System, or IFS, remains a shrouded mystery that represents significant risk to many IBM i organizations.

One popular misconception is that the IFS is a separate and distinct file structure that was added to store and serve PC files; and if you don’t store PC files on your IBM i system, there’s nothing to worry about. Part of this misconception comes from the fact that when the IFS first appeared, the entire system save (GO SAVE, option 21) procedure was expanded to include an IFS save in addition to saving native objects and DLOs (the original mechanism used to serve PC files).

The Real IFS

In reality, “IFS” is the umbrella term for all of the various file systems, including native objects in the /QSYS.lib folder and DLOs in the /QDLS folder. In fact, if you look at the help text for a full system save, you’ll see that an IFS save simply omits the paths to items already saved by traditional save commands. Technically, the entire server can be backed up by saving the IFS (although the Licensed Internal Code can’t restore the operating system if saved in that format).

IFS Security Risks are Real

So, why is there a security risk associated with the IFS? It starts with the fact that you work with the IFS using your normal IBM i credentials. The system interface doesn’t differentiate how a user profile accesses data. If you can sign on to a green screen application, you also can potentially access the IFS. As with network interfaces such as FTP and ODBC, if your native objects are secured using only menu or application-level security, a user may have sufficient object authority to read, change, or delete data—even basic read-only rights allow data to be leaked. This is because IBM i ships with a public authority default of *CHANGE. If your security administrators or application vendors haven’t secured your application objects (and most haven’t), users have unlimited access to the data.

It’s easy to access IFS directories using powerful tools like IBM Navigator for i and Windows Explorer, both of which provide users with the ability to exercise their full IBM i authorities. A user can casually delete a folder in Windows Explorer, only to find out later that it was an application library on the server. Unfortunately, there’s no recycling bin and no undelete for these folders. With permissive public authority and the common over-assignment of All Object (*ALLOBJ) special authority, this is an expensive mistake that can happen in the blink of an eye. If that’s not enough to make you sit up and take notice, be aware that activities that don’t violate the permission levels of an object typically aren’t audited!

Can You Secure the IFS?

Because IFS authority can be complex, time consuming, and prone to over-securing, the IFS often is ignored in a company’s security plan. It’s best if you make changes in manageable phases, and document changes so they can be undone if necessary.

So, what can you do and where do you start? The best security practices result from the synergy between three components: IBM i controls, Bytware solutions, and administrator deployment.

IBM i Controls

While it may seem that the “ball was dropped” with IFS security, the reality is that IBM i can protect an object (or “stream file” in IFS terminology) from any user or access method—but only if the authorities are configured correctly. IFS authority is built on a UNIX-type model and uses different terminology. Authority templates used to secure the data rights of native objects including *USE, *CHANGE, and *EXCLUDE are replaced with combinations of read (*R), write (*W), and execute (*X) permissions.

The following table shows a comparison between native IBM i and IFS data authorities.IBM ships public permission to the base IFS folder (commonly referred to as the “root”) as *RWX. Change this to *RX to prevent users from creating new objects and folder structures in the root. The other IBM-supplied folder structures under the root typically are configured correctly and should not be changed.

The /QSYS.LIB folder structure contains the operating system and user libraries, and is the most sensitive folder in the IFS. Users rarely require access to this structure via the IFS. This is fortunate because they can do extensive damage in a short amount of time. IBM i has a special authorization list, QPWFSERVER, designed to prevent anyone without *ALLOBJ special authority from accessing this critical folder. QPWFSERVER ships with public=*USE. Change this immediately to public=*EXCLUDE. You can grant users who have a business need to access this structure, but lack *ALLOBJ special authority, private authority to the authorization list. File shares should be mapped to specific libraries (or files) to reduce the amount of damage these users can do. Remember, users with *ALLOBJ special authority cannot be restricted from any object—native or IFS.

Add Bytware Solutions

Bytware’s popular exit point monitoring solution, StandGuard Network Security, enhances IBM i controls with powerful access and auditing functions. It allows you to observe and restrict activities such as copying, opening, and deleting stream files without the complexity and overhead of maintaining IBM i authorities. Using a simple object-based approach you can monitor IFS directories to notify security personnel if users attempt to access files to which they have no authority. And, because this functionality rides on top of the operating system’s authority checks, it’s effective with *ALLOBJ users.

StandGuard Network Security silently audits all IFS activities. Typically, organizations start using reports generated by StandGuard Network Security to build a knowledge base of legitimate access before they define access control rules. These rules can be based on the general activity (copy, delete, create), or on the stream file or directory affected. Rules can be for a single user, a group profile, or the IP address of a user’s workstation. You can make the rules as permissive or restrictive as you wish, and gain visibility and control that you can’t attain with IBM i alone. StandGuard Network Security also provides protection for your native objects by controlling user access through powerful interfaces such as FTP, ODBC/JDBC, and remote command.

Additionally, the product’s command security capabilities can secure the WRKLNK command and control IFS access from a user’s 5250 session. Its public authority default of *USE means that any user with command line permission can access the same structures as the desktop tools mentioned earlier. Other commands allow users to create and change directories, and work with, change, and display authorities. Authorize only the users who need legitimate access to these commands. Controlling how and when any command can be executed is the answer to command restriction requirements.

StandGuard Network Security can also evaluate conditions in the network environment and perform actions when a user—including those with *ALLOBJ special authority—invokes a monitored command. Actions include stopping the command from being executed, modifying the command, and sending a notification message. And, it maintains a complete command use audit trail for auditors.

You Can Secure The IFS!

Combining IBM i controls with Bytware’s StandGuard Network Security helps close the door on IFS vulnerability. By following a few simple recommendations, IFS security risks disappear. Enhance the security of your IBM server by looking to the most trusted partners in IBM i security: Bytware.

Learn more about StandGuard Network Security and request a free trial by visiting www.bytware.com/ns.

Fine-Tune Subsystem Monitoring with Messenger 8

by Sandi Moore, Technical Consultant, Bytware

At any given time, there can be hundreds, if not thousands of jobs running on your IBM Power Systems server in a variety of subsystems. If any one of those jobs or subsystems is missing, critical processes can halt and workflow becomes disrupted. The longer the job is down, the more it compounds the problem.

Messenger has long had the ability to monitor the WRKACTJOB screen for problems such as high CPU usage, status or response time, or for jobs and subsystems that should be running. But what if there are supposed to be three jobs with the same name running at the same time? Or five jobs with different names running in a subsystem?

This task has become easier with Messenger 8 thanks to a new Subsystem monitor. This new monitor allows you to watch a specific subsystem for a number of jobs running or not running, as well as for specific conditions such as greater than, less than, equal to, or not equal to any number of jobs with specific variables such as User, Type, Status, or Function. This new functionality allows you to pinpoint problems quickly and resolve them promptly.

The QSYSWRK subsystem has numerous jobs that are critical for many applications to run properly and is automatically started by the OS after an IPL. The server job for a TCP/IP application must start in the QSYSWRK subsystem. If you are running MSF (Mail Server Framework), you need to have three QMSF jobs in the QSYSWRK subsystem. DRDA server jobs and their associated listener job run in this subsystem.

You can easily configure Messenger’s Subsystem monitor to notify you if the QSYSWRK subsystem has no jobs running in it by setting up a compare EQ 0 jobs.

To monitor for the three QMSF jobs that should be running in the QSYSMSG subsystem, you can add an Event monitor specifically for that condition. You will be notified if there are less than three occurrences of the QMSF jobs. Messenger can be configured to automatically start them for you, too.

Another potential problem on the system is when you have too many occurrences of a specific job. It’s possible that it has been submitted too many times, or the first occurrence of the job failed to end and now you have two. Messenger can notify you if you have more than one occurrence. Using a generic job name, you have the ability to check even if the job name changes with subsequent submissions.

With larger systems, you may run into a problem with too many jobs in a specific subsystem. If you have users who start multiple interactive sessions unnecessarily, that can put a drain on your resources. You can monitor for a threshold of jobs in the subsystem or narrow it down further.

The flexibility of Messenger allows you to define the focus of your monitoring to keep you up-to-date on what is critical for your system and your environment. With Messenger, there is no more guessing or hoping that your subsystems are running as they should.

If you’ve yet to upgrade to Messenger 8, contact us at 775.851.2900. We would be happy to help you take advantage of these latest enhancements.

Go Beyond Network Security to Tackle the Top Security Issues Facing the IFS

You understand that network security is critical for protecting the data stored on your IBM Power Systems server, and you understand that the Integrated File System is at the center of it all. But guarding against excessive user authority isn’t the end of protection. What you may not realize is that the IFS can quietly host and spread viruses and malicious code.
To help you learn more about this threat and other top security issues, we’ve put together an exclusive IFS Security Bundle. Comprised of an IFS Security White Paper, recorded IFS Security Webinar, and the StandGuard Anti-Virus Technical Packet, this bundle can help you identity areas of risk and ensure that you have all the proper protection in place.

Don’t let your organization make headlines following a security breach. Download the IFS Security Bundle today.

Q&A

I am getting ready to upgrade my OS. How can I tell what version of your software I am running and if it is compatible with my new OS?

To determine the version of a Bytware solution that is running on your system, use the following commands:

• For Messenger, run command DSPPTF 0MP2000
• For StandGuard Network Security, run DSPPTF 0SG3000
• For StandGuard Anti-Virus, run DSPPTF 0AV2000

For each product, after running the command refer to the “Release of base option,” which is the same as the version.

For PeekPlus, go to the PEEK screen and refer to the bottom of the display. Once you know your version, you can refer to the Compatibility chart on our website at http://www.bytware.com/support/compatibility-chart.html to see if the current version of your software is compatible with your new OS.

I need to create a custom report of my StandGuard Network Security Events and export them to a spreadsheet. How can I do this?

In order to create a report, you will need to use StandGuard Network Security’s IBM Navigator for i plug-in. (If you have not already installed the plug-in, please refer to the User Guide for easy instructions.)

Open Navigator for i, go to System > Security > StandGuard Network Security, and open the Events panel. Using the Search menu, narrow down the types of events you want to include. Select the File menu, Preferences, Fields in events table to select what event fields you want included in your report.

Once you have done this, you can go to the File menu, select Export, choose either all events or just selected events, and then export to a Comma-separated or Space-delimited file and save in any location you want. You are now ready to import that file into your spreadsheet to display in a chart or graph.

I have noticed that my JOBRUN monitor only notifies me once when it finds a Job not running on my system. Is there a way to have it notify me repeatedly until the job is started again?

You can have Messenger repeat the notification by adding a Repeat on the *PAGE action. Locate the *PAGE action on your JOBRUN monitor or Event monitor, do a “2” to change, define the “Repeat until acknowledged” minutes to set how long to wait between pages, and then press Enter twice to save the change. Messenger will now send your notification repeatedly (for all future occurrences) until the job is back up and running and the Event is acknowledged.