Bytware

Posts Tagged ‘standguard anti-virus’

May 2013 NEWSBYTs

Tuesday, April 30th, 2013


by Heather Beck, Product Support Manager, Bytware

If you have a well-implemented security plan, you have already identified your end users and have given careful consideration to their authorization roles. But what about security within your IT department? Have you restricted the authority of your IT staff members, or of the software vendors who supply applications on your system? Do you have IT consultants with access to your system? The individuals within your IT department hold the most authority and therefore pose the greatest insider risk. As with all other employees, IT staff members should be authorized only to the functions their jobs require. IT workers are generally trusted, but you can't base your security on trust.

An obvious first step in taking control (remember, security is a business function) is to ensure that all users are properly authorized to perform their jobs AND are otherwise restricted. You must identify the authorization roles within the IT department as well. Consider the operator who coordinates with end users to resolve workstation, job, and printing problems and may also schedule daily batch jobs. Do you have a communications administrator who maintains device descriptions and network configurations? Is that the same person as your operator or network administrator? Once you have defined roles for your own IT staff, don't forget the vendors and consultants; they are an integral part of your IT environment.

There is also a looming threat in profile swapping. Profile swapping is a common technique for elevating a user's authority only when it is needed. The IBM-supplied User Profile Swap APIs (QSYGETPH to obtain a profile handle, QWTSETP to set the job to that profile, and QSYRLSPH to release the handle) are the supported way to run temporarily under another user profile. Once a job has been swapped to a new user profile, everything that happens afterwards is attributed to that profile: authority checks, ownership of objects created, spooled files, and submitted jobs. For example, if you display spooled files after a swap, you see the spooled files of the profile you swapped to, even though you signed on under your own profile, and a job you submit runs under the new profile. There are many legitimate business reasons to use this technique, but it comes at a price: a program that swaps on behalf of its callers is only as safe as the authority you place on the program itself, and a swap that is not undone leaves the job running as the other user until it ends.
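As an added example (not Bytware's code or a utility from this article), here is a CL program that performs a swap with those three APIs and, more importantly, guarantees that the swap is undone and both handles are released even when the command it runs fails. The program name SWAPRUN, the parameter names and the message text are assumptions; the API names and their parameter layouts are IBM's.

```cl
/* SWAPRUN: run one command under another user profile, then swap back. */
/* Added example, not Bytware's code. SWAPRUN, &TGTUSR, &CMD and the    */
/* message text are assumptions. Whoever can call this program can run   */
/* any command as &TGTUSR, so authorize it as tightly as the profile.    */
/* Callers must pass &CMD as a 256-byte variable: a short literal on a   */
/* CALL is padded only to 32 bytes and the rest of &CMD would be garbage.*/
PGM PARM(&TGTUSR &CMD)
  DCL VAR(&TGTUSR)  TYPE(*CHAR) LEN(10)   /* profile to swap to          */
  DCL VAR(&CMD)     TYPE(*CHAR) LEN(256)  /* command to run as &TGTUSR    */
  DCL VAR(&CURUSR)  TYPE(*CHAR) LEN(10)   /* caller's own profile         */
  DCL VAR(&OLDHDL)  TYPE(*CHAR) LEN(12)   /* handle for caller's profile  */
  DCL VAR(&NEWHDL)  TYPE(*CHAR) LEN(12)   /* handle for target profile    */
  DCL VAR(&SWAPPED) TYPE(*LGL)            /* '1' once QWTSETP succeeded   */
  DCL VAR(&OK)      TYPE(*LGL)            /* '1' once &CMD ran cleanly    */
  /* Error-code structure with bytes-provided = 0: the APIs then signal  */
  /* an escape message instead of filling it in, so MONMSG sees failures. */
  DCL VAR(&ERRCODE) TYPE(*CHAR) LEN(8) VALUE(X'0000000000000000')

  /* Any unmonitored failure lands in CLEANUP, so the job never stays    */
  /* running as &TGTUSR because of an error in &CMD.                      */
  MONMSG MSGID(CPF0000 MCH0000) EXEC(GOTO CMDLBL(CLEANUP))

  /* CURUSER is the profile the job runs under right now (not the job    */
  /* user); that is what we must swap back to.                           */
  RTVJOBA CURUSER(&CURUSR)

  /* Get a handle for our own profile first, so the way back exists      */
  /* before we leave. *NOPWD: no password is needed for the current user. */
  CALL PGM(QSYGETPH) PARM(&CURUSR '*NOPWD' &OLDHDL &ERRCODE)

  /* Get a handle for the target. *NOPWDCHK needs *USE authority to the  */
  /* target profile; that authority is the real gate on this program.    */
  CALL PGM(QSYGETPH) PARM(&TGTUSR '*NOPWDCHK' &NEWHDL &ERRCODE)

  /* Swap: from here on, authority checks, spooled files and submitted   */
  /* jobs all belong to &TGTUSR.                                          */
  CALL PGM(QWTSETP) PARM(&NEWHDL &ERRCODE)
  CHGVAR VAR(&SWAPPED) VALUE('1')

  CALL PGM(QCMDEXC) PARM(&CMD 256)
  CHGVAR VAR(&OK) VALUE('1')

  /* Swap back and release both handles. Command-level MONMSGs stop an   */
  /* error here from looping back into CLEANUP through the program-level */
  /* MONMSG above.                                                        */
CLEANUP:    IF COND(&SWAPPED) THEN(DO)
               CALL PGM(QWTSETP) PARM(&OLDHDL &ERRCODE)
               MONMSG MSGID(CPF0000)
            ENDDO
  CALL PGM(QSYRLSPH) PARM(&NEWHDL &ERRCODE)
  MONMSG MSGID(CPF0000)
  CALL PGM(QSYRLSPH) PARM(&OLDHDL &ERRCODE)
  MONMSG MSGID(CPF0000)

  /* Do not hide the failure from the caller once the job is itself again*/
  IF COND(*NOT &OK) THEN(DO)
     SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
               MSGDTA('SWAPRUN: command failed or swap not +
                       possible; job restored to original profile')
  ENDDO
ENDPGM
```

Compile it with CRTBNDCL and call it only from programs or a command definition that pass a full 256-byte &CMD. Treat the object like the target profile's password: *PUBLIC authority *EXCLUDE, a caller list as short as the list of people you would give that password to, and *SECURITY auditing on so that each run leaves a PS entry in QAUDJRN.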

So you've defined your profiles and granted and revoked authorities, but your system and users aren't static. Employees and business requirements change. Even where authorities are well defined and never change, there are times when a user could be acting as someone else (profile swapping!). You must therefore audit these users and authorities regularly to make sure your security stays effective over time. You need a periodic look into your system to be sure you are not still relying on trust with your IT staff.

The system audit journal (QAUDJRN) allows you to perform user-level event auditing. With the CHGUSRAUD command you can audit an IT staff member's actions (AUDLVL), their use of particular objects (OBJAUD), or both, on top of whatever the system-wide QAUDLVL value already records. This is an excellent way to spot-check users with *ALLOBJ special authority. QAUDJRN also logs a PS (profile swap) entry whenever a profile swap takes place, provided *SECURITY auditing is active for the system (QAUDLVL) or for that user, and QAUDCTL includes *AUDLVL.
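As an added example of the checks just described (not Bytware's code), this CL program turns on user-level auditing for one profile and then pulls the PS entries out of QAUDJRN into a file with named fields, using IBM's QASYPSJ5 model outfile. The program name PSAUDIT and the outfile name PSAUD are assumptions. It needs *AUDIT special authority, and QAUDCTL must include *AUDLVL or no audit-level entries are written at all.

```cl
/* PSAUDIT: audit one profile and list the profile swaps (PS entries)   */
/* recorded in QAUDJRN. Added example, not Bytware's code; the program   */
/* name and the outfile name PSAUD are assumptions.                      */
PGM PARM(&USER)
  DCL VAR(&USER) TYPE(*CHAR) LEN(10)

  /* Log every command this user runs (*CMD writes a CD entry per       */
  /* command) and all security events (*SECURITY, which covers the PS    */
  /* entry written on a swap), and audit access to any object whose own */
  /* OBJAUD attribute is *USRPRF. Requires *AUDIT special authority.     */
  CHGUSRAUD USRPRF(&USER) OBJAUD(*ALL) AUDLVL(*CMD *SECURITY)

  /* DSPJRN writes audit entries into the layout of the outfile you give */
  /* it. QASYPSJ5 is IBM's model for PS entries in *TYPE5 format; copy   */
  /* it so the outfile has named, typed fields instead of one blob.      */
  DLTF FILE(QTEMP/PSAUD)
  MONMSG MSGID(CPF2105)          /* not there yet on the first run      */
  CRTDUPOBJ OBJ(QASYPSJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP) +
            NEWOBJ(PSAUD)

  /* Journal code T = audit entry, entry type PS = profile swap.         */
  /* *CURCHAIN reads every receiver still attached to the chain, not    */
  /* just the current one. ENTDTALEN(*CALC) sizes the entry-specific    */
  /* data to the model file.                                             */
  DSPJRN JRN(QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) ENTTYP(PS) +
         OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/PSAUD) +
         ENTDTALEN(*CALC)
  MONMSG MSGID(CPF7062) EXEC(DO)  /* no PS entries in that range        */
     SNDPGMMSG MSG('No profile swaps recorded in the attached receivers.')
     RETURN
  ENDDO

  /* Who swapped to whom, from which job. Query it here, or ship the    */
  /* same file to your log collector on a schedule.                     */
  RUNQRY QRYFILE((QTEMP/PSAUD))
ENDPGM
```

The CHGUSRAUD part is per user; the DSPJRN part lists every swap on the system, which is what you want when spot-checking *ALLOBJ users, since the interesting question is who swapped to them, not only what they did themselves.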

To enhance your security and assist in investigating suspicious activity, a screen-capture utility like Bytware’s PeekPlus can be invaluable. PeekPlus gives you the ability to view another user’s screen in real time, up to the last keystroke. Screen activity can even be recorded to a file to provide a permanent audit trail or it can be imported to any word processor to document incidents. Security administrators need tools that allow them to investigate security matters from their own terminal, and PeekPlus allows them to view another user’s screen with or without their knowledge.

Although you trust your IT staff, you may still need to monitor their activity or record their screens for evidence gathering, internal HR-related investigations, or just general security auditing. Have you ever wondered what exactly your night operator is doing when you’re not there? Wouldn’t it be nice to keep track of their screens to review the following morning? Or do you have trouble with someone answering messages incorrectly on the Console during day-end operations? Wouldn’t it be helpful if your IT consultants or software vendors knew they were being watched when they accessed your system? You can use PeekPlus to document the screen contents of any interactive job and send the screens to a file or printer. You can submit a job to capture screens to a database file, and that job will run until the device is signed off. You can then import the file into another application or download to your PC. You can also automate the screen capturing process using a CL program or job schedule entry.

A well-implemented security plan is no reason to fall back on trust. Consider the users in your IT department, define their roles clearly, and get tools that help you minimize the risk.

If you would like to find out more about PeekPlus contact us at 775.851.2900 or visit http://www.bytware.com/pp.


How to Prevent IFS Worms from Making Off with Your Critical Data

By Sandi Moore, Technical Consultant, Bytware

Throughout the day, we all receive hundreds, if not thousands, of emails in our Inbox from various sources—including co-workers, customers, vendors, and more. We rely on our corporate mail server and our local PC virus scanning to protect us from threats that may be hiding in those emails. Our mail admins remind us time and again to avoid opening unsolicited attachments or clicking on links from unknown persons. Data is constantly flowing through web browsers, FTP servers, shared network drives, removable media, and many other avenues. Knowing that these are all paths to infection, we scan and secure them as well. But what about your IBM i?

In recent months we have seen a rash of virus infections with a frustrating impact on the IFS for many customers. W32/autorun.worm.aaeh is a worm that spreads by copying itself onto removable drives and mounted network shares (including a mapped drive to the IFS) and by embedding copies of itself in ZIP and RAR files. On a removable drive or share it hides the existing directories and drops copies of itself alongside them, each named after the hidden directory (with an executable extension that Windows hides by default), so that when a user opens the mapped drive it looks like their folder, but it is really the virus. It also looks for certain file types, marks those files hidden, and creates a copy of itself named after each hidden file. The result? When you try to open your file, you launch the virus instead. And that is just on your IBM i; the damage on PCs runs even deeper.

The clean-up ties up massive man-hours: using WRKLNK to find the affected directories and remove the bad files, and running CHGATR to reset the hidden attribute on everything the worm hid. Along the way you must keep users from launching copies of the worm again and undoing the clean-up already done. The good news is that the damage from this virus is superficial, if annoying. The next one could be more like the MyDoom virus, which deleted files from any mapped drive it found.

Can this be prevented? Yes, the spread and damage of a virus can be prevented with a combination of strategies. First, limit who has the ability to map a drive to your system. For those who do need this ability, limit what they are allowed to do through that mapped drive. A virus running on a PC reaches the IFS through the file server with all of the authority of the IBM i profile the drive was mapped with, so if someone with *SECADM or *ALLOBJ has a drive that connects automatically at logon, you have the potential for big problems.

Second, implement a native anti-virus package on your IBM i to scan your directories for viruses. StandGuard Anti-Virus takes advantage of the IBM-supported on-access scanning (the integrated file system scan exit points, switched on by the QSCANFS system value) to stop the virus from spreading. On-access scanning is done in real time as a file is opened, for example through the File Server, and any file found to be infected is stopped dead in its tracks. It also lets you scan the full system on a regular schedule to catch files that arrive by the many other routes available, such as FTP, optical drives, and restores from backup.
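As an added example for the two strategies above (not Bytware's or StandGuard's code), the following CL program does the attribute clean-up described earlier on one share and then checks the OS side of on-access scanning: the QSCANFS and QSCANFSCTL system values and the two scan exit points a native scanner registers against. The program name IFSHARDEN and the sample path are assumptions; the system value and exit point names are IBM's.

```cl
/* IFSHARDEN: undo the worm's attribute damage under one directory and  */
/* make sure the OS on-access scan support a native scanner depends on  */
/* is enabled. Added example, not Bytware's code; IFSHARDEN and the      */
/* sample path are assumptions. CHGSYSVAL needs *ALLOBJ and *SECADM.     */
/* Pass &DIR as a 256-byte variable (a CALL literal is padded only to   */
/* 32 bytes, which is enough for '/shares/sales' but not for long paths).*/
PGM PARM(&DIR)
  DCL VAR(&DIR)     TYPE(*CHAR) LEN(256)  /* e.g. '/shares/sales'        */
  DCL VAR(&SCANFS)  TYPE(*CHAR) LEN(200)
  DCL VAR(&SCANCTL) TYPE(*CHAR) LEN(200)

  /* 1. Clean-up. The worm sets the PC "hidden" attribute on the real    */
  /*    directories and files so that its own copies are what users see.*/
  /*    Clear it for the whole subtree, then remove the worm copies     */
  /*    (the same-named executables) with WRKLNK or RMVLNK. This also    */
  /*    un-hides anything that was legitimately hidden, so review after. */
  CHGATR OBJ(&DIR) ATR(*HIDDEN) VALUE(*NO) SUBTREE(*ALL)

  /* 2. System-wide switch. QSCANFS(*ROOTOPNUD) enables open/close       */
  /*    scanning for the root, QOpenSys and user-defined file systems;   */
  /*    with *NONE every on-access scanner is silently bypassed.         */
  RTVSYSVAL SYSVAL(QSCANFS) RTNVAR(&SCANFS)
  IF COND(%SST(&SCANFS 1 10) *NE '*ROOTOPNUD') THEN(DO)
     CHGSYSVAL SYSVAL(QSCANFS) VALUE('*ROOTOPNUD')
     SNDPGMMSG MSG('QSCANFS was not *ROOTOPNUD; on-access scanning +
                    is now enabled.')
  ENDDO

  /* 3. Report QSCANFSCTL rather than overwrite it. *FSVRONLY limits     */
  /*    scanning to File Server (mapped drive) opens and leaves FTP, QSH */
  /*    and native opens unscanned; *NOFAILCLO does not fail the close  */
  /*    when the close-time scan fails. Both deserve a conscious choice. */
  RTVSYSVAL SYSVAL(QSCANFSCTL) RTNVAR(&SCANCTL)
  SNDPGMMSG MSG('QSCANFSCTL = ' *CAT &SCANCTL)

  /* 4. Verify a scanner is actually registered. Both the open and the   */
  /*    close exit points must list an exit program, or nothing scans.  */
  WRKREGINF EXITPNT(QIBM_QP0L_SCAN_OPEN) OUTPUT(*PRINT)
  WRKREGINF EXITPNT(QIBM_QP0L_SCAN_CLOSE) OUTPUT(*PRINT)
ENDPGM
```

Run it once per affected share after the worm copies have been removed, and keep the two WRKREGINF listings with your change records: a scanner product that has been uninstalled or failed to register leaves QSCANFS looking correct while nothing is scanned.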

You never know what is hiding on your system until you scan it. And with regulatory standards such as PCI-DSS requiring the deployment of anti-virus software, you’ll not only be cutting off threats such as W32/autorun.worm.aaeh at the pass, but also ensuring that your organization is fully prepared for reporting and audits.

Find out more about protecting your IFS! Register for our May 15 webinar “3 IFS Weaknesses You Must Secure—Now!”


12 Ways MessengerPlus and Robot/SCHEDULE Can Work Together!

By Chuck Losinski

The scheduling functionality built into IBM i can help you take control of the jobs running on your system. But if you truly want to unleash the power of MessengerPlus for automated systems management, combining it with Robot/SCHEDULE from Help/Systems is the perfect solution. Robot/SCHEDULE takes you beyond the basics of IBM i scheduling with the ability to create finely tuned workflows that match perfectly to the unique requirements of your environment. Here are 12 ways that MessengerPlus and Robot/SCHEDULE can enhance your operations.

1. Have MessengerPlus monitor for the SLA messages that Robot/SCHEDULE can generate. (See Figure 1.)

Robot/SCHEDULE has a built-in job monitoring function that can monitor for and detect if:

a. Your job did not complete on time or ran too long
b. Your job ran too quickly (file might be empty)
c. Your job did not start on time

Figure 1: Job monitors

2. Let Robot/SCHEDULE fetch your PTF updates for MessengerPlus by scheduling the MPRUNUPD command at the best time for YOU. Possibly make this process dependent upon your month end process completing. This is called “Reactivity” in Robot/SCHEDULE and allows simple or complex dependency processing depending upon your needs. See the example job flow diagram from Robot/SCHEDULE (Figure 2).

Figure 2: Job flow diagram showing job dependencies

3. Have MessengerPlus monitor the critical Robot/SCHEDULE jobs that constitute the engine of Robot/SCHEDULE in the RBTSLEEPER subsystem. Critical jobs:

a. ROBOT
b. ROBOTREACT
c. ROBOTJM
d. ROBOTAUDIT
e. ROBOTSBMJ

4. Have MessengerPlus monitor the RBTSLEEPER subsystem to make sure it is active and running the various Robot products.

5. Monitor for the RB16404 message from your Robot/SCHEDULE jobs which indicates that one of your Robot jobs ended abnormally. These jobs can also be displayed in the Robot/SCHEDULE Schedule Activity Monitor for a visual indication that a job has ended abnormally. The Schedule Activity Monitor shows you a 24-hour forecast of your job schedule, the jobs that are queued or running, and the completed jobs. It automatically refreshes to give you an up-to-the-minute status of your Robot jobs. (See Figure 3.)

Figure 3: Schedule Activity Monitor

6. Embed the MessengerPlus command to send an email (SNDPGRMSG) when your job stream is starting, you’ve reached a critical checkpoint, or your job stream has completed. Unlike the native IBM i scheduler, Robot/SCHEDULE jobs can contain multiple commands and can stop processing the job if any of the commands fail. (See Figure 4).

Figure 4: Command entry in Robot/SCHEDULE

7. Schedule the MessengerPlus commands to hold (HLDMON) and release (RLSMON) resource monitoring during a month end process or another time.

8. Schedule the MessengerPlus Event Monitoring (PRTEVT) report, which gives you a detailed report of the exceptions to resource monitoring, job monitoring, or message history. Use Robot/SCHEDULE Reserved Command Variables to fully automate the date range for the report. (See Figure 5.)

9. Schedule the MessengerPlus command to delete Event History based on days old, monitor name, status, type, originating system, and severity.

10. Schedule the MessengerPlus commands to end (ENDMP) and then restart (STRMP) MessengerPlus, because of the limit on the number of times an ILE program can be called. We recommend doing this weekly.

11. Using the "EVERY" option in Robot/SCHEDULE to run a job every X minutes, schedule a "heartbeat" message with SNDPGRMSG confirming that MessengerPlus is active, and send it to the operations team responsible for monitoring all systems. Robot/SCHEDULE has many advanced scheduling options for complex scheduling needs. (See Figure 6.)

12. And last but not least, use the conversion from the native scheduler to import all your batch jobs into Robot/SCHEDULE. You can then take advantage of all the Robot/SCHEDULE features described above to automate, monitor, and control your scheduled jobs, using the Robot/REPLAY plug-in and the Enterprise plug-in for Windows, Unix, and Linux. (This last one has nothing to do with MessengerPlus, but we wanted an even dozen!)

Want to try combining MessengerPlus and Robot/SCHEDULE for yourself? Try Robot/SCHEDULE free for 30 days.


Q&A

How can I secure Telnet by User ID if no User ID was sent upon connection?

The Telnet server normally allows clients to connect without providing a User ID and password. That makes it easy for users to try different User IDs and passwords at the sign-on screen. It also prevents your system security tool from enforcing Telnet policies by User ID, because the Telnet exit point never saw a User ID on the connection request.

StandGuard Network Security builds on the OS design and can require a User ID and password to be sent on the connection request. The option is provided to require the Telnet client to send a valid User ID and password when it connects. This makes it harder for users to try different User IDs and passwords, and prevents devices from being automatically selected and then disabled after repeated invalid sign-on attempts. It also allows StandGuard Network Security to enforce Telnet policies by User ID (or group).

Do I have to run StandGuard Anti-Virus under user QSECOFR or can I use my own profile?

Several parts of the application need *SECOFR-level authority from time to time. The functions are submitted by default under the STANDGUARD user profile, and when STANDGUARD needs more authority it swaps to QSECOFR. The profile that STANDGUARD swaps to is listed in a data area. If you don't want STANDGUARD swapping to QSECOFR, you can change the user profile that is used. Use a profile that has *ALLOBJ and *SECADM special authority and a directory entry. Keep in mind that whatever profile you name here can do everything QSECOFR can in this context, so protect it (password, *PUBLIC authority, auditing) the way you protect QSECOFR. To make the change:

CALL PGM(STANDGUARD/AVCHGAO) PARM(userprofile STANDGUARD)

The program takes two parameters: the preferred user profile name and the STANDGUARD library name.

Bytware Announces StandGuard Anti-Virus 6.0 Support for Domino 8.5

Wednesday, June 17th, 2009

Reno, NV (June 17, 2009)– Bytware announces that its StandGuard Anti-Virus® solution for the System i supports Lotus Domino® 8.5. The award-winning virus detection and cleaning solution, powered by McAfee, provides protection for IBM® Power Systems™ servers. StandGuard Anti-Virus offers native scanning to detect viruses and malicious code that can use Power Systems servers as a safe haven to infect other systems. Domino support is an optional add-on to the base StandGuard Anti-Virus solution for IBM i (i5/OS).

Lotus Domino 8.5, released by IBM in May, provides greater scalability and functionality, easy administration, and additional application capabilities, including:

  • Identity management, such as Shared Logon and ID Vault
  • Storage reduction required for file attachments through Domino Attachment and Object Service (DAOS)
  • XPages and Eclipse-based Domino Designer features
  • Calendar federation and flexibility
  • Nokia S60 device platform support for IBM Lotus Notes Traveler

StandGuard Anti-Virus is completely compatible with the new Domino version. Support for Domino includes:

  • Mail Scanning
    Dynamically scans e-mail for viruses and other types of malicious code to protect Domino mail users from receiving infected and potentially harmful e-mail.
  • Database Scanning
    On-demand scanning of Domino databases allows users to detect viruses and malicious code embedded within document attachments and OLE objects.
  • Quarantine
    Moves infected attachments to a quarantine database where an administrator can further investigate their origin and integrity by submitting a sample to McAfee’s AVERT Labs threat center.
  • Real-time Alerts
    Users can configure alerts to notify IT staff when specific events occur, such as when infected messages and documents are detected, or when automatic activities take place. These alerts allow administrators to continually monitor the health and status of the system.
  • Automatic Updating
    The database of virus definitions is automatically updated daily from McAfee’s servers or from specified computers on the local network.
  • Scheduling
    Administrators can schedule automatic database scanning and updating to occur at user-configurable times when activity is low, such as nights and weekends.
  • Logging
    Logs all activity to a central database—including details of infected objects detected during scans and when automatic activities occur—allowing administrators to maintain an audit trail for investigations and regulatory compliance.
  • Easier Management
    Remote Domino servers can be configured and managed from a central administration server, reducing the time and effort required to manage them. The log database offers a consolidated view of all events occurring across multiple servers. In addition to the traditional Notes interface, StandGuard Anti-Virus also provides a browser-based interface for viewing and managing all activities across multiple remote servers.

Bytware also offers Lotus Domino support in Japanese with its Tokyo-based partner Solpac.
For more information about StandGuard Anti-Virus 6.0 support for Domino 8.5, or to request a free trial, contact Heather Richards, Bytware Technical Consultant, at 775-851-2900 or visit www.bytware.com/products/av/.

Bytware Introduces StandGuard Anti-Virus 6.0 with Support for Lotus Domino

Sunday, July 27th, 2008

Reno, NV (July 28, 2008)– Bytware, Inc. today released Lotus Domino support for StandGuard Anti-Virus, part of the latest release of its award-winning virus detection and cleaning solution powered by McAfee.

Lotus Domino continues to grow as the standard for mail on IBM i (IBM Power Systems, System i, iSeries, AS/400 servers), and the need to scan that mail natively, on the server, is now greater than ever.

StandGuard Anti-Virus offers native scanning of mail on IBM i, and with this new release has been expanded to include support of Lotus Domino. This new add-on feature gives users the ability to manage, scan, and clean Domino mail and databases residing on IBM servers.

Recognizing the global nature of today’s computing, Bytware is also pleased to announce the availability of Lotus Domino support in Japanese with its Tokyo-based partner Solpac.

“We are very excited to be launching Domino support for StandGuard Anti-Virus in Japan. The ability to do real-time and on-demand scanning of Domino databases (NSF) is something most Japanese Domino customers using IBM i are looking for in this time frame,” said Solpac president Tsutomu Fujita. “And we can now set up and maintain StandGuard Anti-Virus for Domino using the Notes client interface. This is a nice interface which we like. Domino support with StandGuard Anti-Virus is something that is great news for the IBM i users in Japan.”

The Japanese-language interface is available today, and multilingual development will continue with a German-language interface planned for a future release.

StandGuard Anti-Virus Domino features include:

Mail Scanning
Dynamically scans e-mail for viruses and other types of malicious code to protect Domino mail users from receiving infected and potentially harmful e-mail.

Database Scanning
On-demand scanning of Domino databases allows users to detect viruses and malicious code embedded within document attachments and OLE objects.

Quarantine
Moves infected attachments to a quarantine database where an administrator can further investigate their origin and integrity by submitting a sample to McAfee’s AVERT Labs threat center.

Real-time Alerts
Alerts can be configured to notify IT staff when specific events occur, such as when infected messages and documents are detected or when automatic activities take place. These alerts allow administrators to be continually aware of the health and status of the system.

Automatic Updating
The database of virus definitions is automatically updated daily from McAfee’s servers or from specified computers on the local network.

Scheduling
Administrators can schedule automatic database scanning and automatic updating to occur at user-configurable times when activity is low, such as nights and weekends.

Logging
Logs all activity to a central database—including details of infected objects detected during scans and when automatic activities occur—so administrators can maintain an audit trail for investigations and regulatory compliance.

Ease of Management
Remote Domino servers can be configured and managed from a central administration server, reducing the time and effort normally required to manage remote servers. The log database is presented as a consolidated view of all events occurring across multiple servers. In addition to the traditional Notes interface, StandGuard Anti-Virus also provides a browser-based interface for viewing and managing all activities across multiple remote servers.

The Domino support is an optional add-on feature of the base StandGuard Anti-Virus solution for IBM i (i5/OS), Bytware’s native anti-virus solution designed to scan IFS directories for malicious code and perform advanced cleaning and notification procedures on IBM System i, iSeries, and AS/400 servers.

Features of the base StandGuard Anti-Virus solution for IBM i (i5/OS) include:

  • The latest McAfee engine designed for IBM i.
  • Scanning within compressed, packed, and OLE files.
  • Decompression and scanning of files compressed in packages such as PKZIP, .LHA, .ARJ, .CHM, etc.
  • Detection and cleaning of macro and script viruses/malicious code.
  • Detection and cleaning of encrypted and polymorphic viruses/malicious code.
  • Advanced heuristic analysis to detect new, unknown, and generic viruses/malicious code.
  • Detection and removal of Trojans, worms, and many other types of malware.
  • Object Integrity Scanning to detect potentially dangerous changes to OS Objects.
  • Green screen and Navigator plug-ins.
  • Automatic downloading of daily virus definitions directly from McAfee’s servers or the local network.
  • Automatic downloading of software updates and fixes directly from Bytware’s servers or the local network.
  • Built-in scheduling features for scanning and updating.
  • Extensive logging capabilities.

StandGuard Anti-Virus 6.0 is part of Bytware's StandGuard Security Suite, which includes StandGuard Anti-Virus for IBM i, i5/OS, OS/400, AIX, Linux, and Lotus Domino, along with StandGuard Network Security and StandGuard Recycle Bin. StandGuard Anti-Virus 6.0, the latest release of the award-winning virus detection and cleaning solution powered by McAfee, is designed for the new IBM i 6.1 operating system.

For more information about StandGuard Anti-Virus 6.0, the add-on Domino support, or StandGuard Anti-Virus protection for other operating systems including IBM i, i5/OS, OS/400, AIX and Linux, please contact Bytware, Inc. at 775-851-2900 or visit www.bytware.com/products/av/. A free, fully functional trial is available.