Make important security events trigger an alarm.
To have any chance of preventing a major security breach, early detection of suspicious activities is critical. Fortunately, IBM i contains comprehensive event auditing functionality that is capable of satisfying most regulatory requirements. Using the Change Security Auditing (CHGSECAUD) command, you can create the security audit journal and the initial journal receiver, as well as configure the two main auditing system values—QAUDCTL and QAUDLVL.
In addition to general system events, you should also consider auditing the activities of powerful users and attempts to access important objects. You can configure these two tasks using the Change User Auditing (CHGUSRAUD) and Change Object Auditing (CHGOBJAUD) commands, respectively. You can find additional information on these commands in the IBM Information Center or in the white paper "Common Sense Security Auditing" available on the PowerTech Web site.
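The three-step setup described above (system-wide auditing with CHGSECAUD, user auditing with CHGUSRAUD, object auditing with CHGOBJAUD), written out as an added CL example. This is not code from the article or from PowerTech; the receiver, profile, library and outfile names (QGPL/AUDRCV0001, PAYADMIN, PAYLIB/PAYROLL, QGPL/AUDAF) are assumptions chosen for illustration, and the final DSPJRN step shows how to pull the resulting entries out for review.

```cl
/* Added example (not from the article or PowerTech): turn on security     */
/* auditing, then audit one powerful profile and one sensitive file.       */
/* Object names QGPL/AUDRCV0001, PAYADMIN, PAYLIB/PAYROLL and QGPL/AUDAF   */
/* are assumed; substitute your own.                                       */

/* 1. Create QSYS/QAUDJRN with its initial receiver and set QAUDCTL and    */
/*    QAUDLVL. *DFTSET covers authority failures, object create/delete,    */
/*    security changes and save/restore. *OBJAUD in QAUDCTL is required    */
/*    for the per-object auditing configured in step 3.                   */
CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD) +
          QAUDLVL(*DFTSET) +
          INLJRNRCV(QGPL/AUDRCV0001)

/* 2. Audit a powerful user: every command run, service tool use, security */
/*    changes, and all access to objects whose auditing is set to *USRPRF. */
CHGUSRAUD USRPRF(PAYADMIN) OBJAUD(*ALL) AUDLVL(*CMD *SERVICE *SECURITY)

/* 3. Audit change access to an important file, regardless of who does it. */
CHGOBJAUD OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) OBJAUD(*CHANGE)

/* 4. Confirm the auditing system values took effect.                      */
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)

/* 5. Extract authority-failure (AF) and password-failure (PW) entries to  */
/*    an outfile for review or forensics; journal code T marks audit       */
/*    entries in QAUDJRN.                                                  */
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(AF PW) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
       OUTFILE(QGPL/AUDAF) ENTDTALEN(*CALC)
```

Step 5 is the manual equivalent of what a reporting or notification tool automates: the AF and PW entry types are the ones most worth checking first, because a burst of either is the usual early sign of probing or a misconfigured job. Narrow the query with FROMTIME/TOTIME or JOB on DSPJRN once the receiver grows.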
Once the event data is flowing into the security audit journal, the challenge becomes what to do with the audit data. Unfortunately, many IBM i shops do nothing with it, although collecting the data does at least allow forensics to be performed later, should that become necessary.
A commercial audit reporting tool, such as Compliance Monitor from PowerTech, provides a valuable way to quickly review static configuration elements (user profiles, system values, and so on), as well as easily filter and analyze the dynamic events written to the audit journal.
But what if you don't have the time or inclination to perform ongoing forensic analysis? Or what if you're concerned that an important event won't be noticed in a timely enough manner to prevent it from becoming a far bigger and potentially serious issue? Interact, from PowerTech, offers the answer.
Real-Time Event Handling
Interact, a powerful real-time notification agent for IBM i, can process more than 500 system event types. Using Interact, you can escalate IBM i events to interested parties in several ways:
- Syslog server—If you're using a Security Information and Event Management (SIEM) solution, IBM i events can be escalated to it in the industry-standard syslog format (see Figure 1). Enterprise monitoring solutions such as ArcSight, LogRhythm, and Tivoli provide powerful event correlation and categorization functionality for a wide range of servers, now including Power Systems servers running IBM i.
Figure 1: Interact can send IBM i events to your enterprise monitoring solution.
- Message queue—Message queue solutions, such as Robot/CONSOLE and Robot/ALERT from Help/Systems and MessengerPlus from Bytware, can escalate messages in numerous ways. This usually involves generating formatted messages that are sent to one or more recipients via email or to a mobile device such as a cell phone or PDA.
- Internet Security Systems—If you're using an IBM ISS monitoring solution, Interact can relay events to the console immediately in an ISS-compatible format.
Not Just IBM i System Events
Interact's benefits extend beyond the escalation of system-generated events. This is important because some types of activities do not generate events at all. For example, network interfaces such as FTP and ODBC do not include any logging capability of their own. While some network functions may cause an auditable event (for example, an object deletion), downloading or uploading a data file through these interfaces typically leaves no trace in the audit journal, which is itself a major compliance violation.
By combining the power of Interact with PowerTech's other security solutions, you gain the important ability to escalate other types of security events as well. By adding PowerTech Network Security, you can detect permitted and failed network access attempts. Imagine being notified proactively that a user logged in to FTP or unsuccessfully attempted to run a remote command through REXEC! Additionally, PowerTech Authority Broker can detect and escalate user profile switches to ensure that the activities are deemed appropriate and necessary.
Sit Back and Relax
If you would like to put Interact (or any PowerTech solution) through its paces, we make it easy with a free 30-day trial. Trial applications are fully functional and can be licensed permanently without reinstalling. We can even help you with the configuration process! After all, if we're going to save you time and effort by bringing the security events to you, we want to make setting up the tools as easy as 1-2-3.