Transcription
WHITE PAPERFile Integrity Monitoring forPower Systems Running IBM iBy Robin TatamABSTRACT:The exponential growth of databreaches over the past ten yearshas been followed by numerousregulatory standards, includingthe Sarbanes-Oxley Act, HIPAA,and PCI DSS. These standardscall for companies to adoptsecurity best practices and oftenrequire that changes made toserver configurations and criticalapplication data are visible. Thiswhite paper examines how fileintegrity monitoring (FIM) relates toPower Systems servers running IBM i(as well as System i‰ servers runningi5/OS, and iSeries or AS/400‰ serversrunning OS/400). It also highlightswhen and how PowerTech productscan provide a solution.The PowerTech Group, Inc.www.powertech.com info@powertech.comTEL USA:TOLL FREE:Introduction to File Integrity MonitoringAlthough file-level monitoring is relatively new in termsof security, identifying changes to file data is not a recentrequirement. For years, programmers on IBM i have used varioustechniques to compare source files when looking for variationsin application source code. Life-cycle management softwarealleviated much of the manual effort involved in keeping track ofmultiple iterations of source code. But there are many companieswithout access to this type of solution. They continue to rely onsimple content comparison to determine the differences that existin multiple iterations of a program’s source code.Merriam-Webster defines integrity as the “firm adherence to acode of especially moral or artistic values: incorruptibility.” Toaccomplish integrity, we have to establish procedures and employcontrols so that a server—and its data—do not become corrupted.Monitoring practices have to evolve to encompass configurationcontrols and application data in order to ensure that onlyapproved changes are taking place.There are two basic approaches to file integrity monitoring:1) Baseline comparison2) Real-time change notification253.872.7788800.915.7700Copyright 2012. PowerTech is a registered trademark of The PowerTech Group, Inc.AS/400 and System i are registered trademarks of IBM. All other product and companynames are trademarks of their respective holders.C071FIM2
Regardless of which technique is utilized, file integritymonitoring should provide an organization withvisibility to: Which user initiated the changeWhat application or function made the changeWhen the change was madeThe before and after value of the changeWhether the change was authorizedPCI DSS 2.0: Payment Card Industry DataSecurity StandardSecure audittrails so theycannot bealtered(10.5.5)Use file integrity monitoring orchange-detection software onlogs to ensure that existing logdata cannot be changed withoutgenerating alerts (although newdata being added should notcause an alert).Regularly testsecurity systemsand processes(11.5)Deploy file integrity monitoring software to alert personnelto unauthorized modificationof critical system files, configuration files, or content files;and configure the software toperform critical file comparisons at least weekly.Why Monitor File Integrity?Security controls are designed and deployed in aneffort to ensure that server and application dataaccess is given only to users with demonstrable need.However, experts advise that no single security layeror control should ever be considered impenetrable.Being proactive about monitoring a server providesan additional safety net that alerts an organization tounapproved—and possibly illicit—activity.Many organizations struggle to accurately assess thescope of a breach. The task is simplified if the servermaintains a log of user access. Being able to identifyand prove that an unauthorized user saw only a smallsubset of a large database can have an enormousimpact on the required response.Modern regulatory standards often call for monitoringof “critical files” so that unauthorized changes canbe detected. Although far from an exhaustive list,three examples of commonly encountered auditing orregulatory standards that require an FIM initiative aredescribed in the following tables.What File Integrity Monitoring Means toIBM Power Systems Running IBM iIBM Power Systems servers are uniquely capable ofhosting numerous operating systems, including IBM i,AIX, and Linux, as well as applications that run outsidethe confines of the legacy QSYS.LIB and QDLS filesystems (including WebSphere, Lotus Domino, andApache web servers). These operating systems andapplications may execute with different file integritymonitoring requirements. As such, this discussion isfocused on native IBM i.The PowerTech Group, Inc.www.powertech.com info@powertech.comFor more information about PCI complianceon IBM i, visit www.pciblueprint.com.NIST SP 800-53: Security controls for FederalInformation Systems and OrganizationsInformationSystem Backup(CP-9)The organization conductsbackups of user- and systemlevel information and protectsthe confidentiality and integrityof the backup ys monitoring devices:(i) strategically within the information system to collectorganization-determinedessential information; and(ii) at ad hoc locations withinthe system to track specifictypes of transactions of interestto the organization.Software andInformationIntegrity(SI-7)The information system detectsunauthorized changes tosoftware and information.p. 2
HIPAA: Security Standards for the Protection ofElectronic PHITechnicalSafeguards(45 CFR 164.312)(c) (1) Implement policies andprocedures to protect electronicprotected health informationfrom improper alteration ordestruction.(c) (2) Implement electronicmechanisms to corroboratethat electronic protectedhealth information has notbeen altered or destroyed inan unauthorized manner.Despite the inclusion of a comprehensive, built-insecurity infrastructure, IBM i security controls oftenremain unconfigured.1 Comprehensive monitoringcan easily be undermined by an overall weak securityconfiguration. As such, common shortcomingsshould be addressed to “harden” the overall securityenvironment. Experts recommend that security should beemployed using a defense-in-layers strategy, and that theoperating system controls should provide the foundationupon which other tools and functions are built.It’s important that the server is configured to supportthe concept of integrity protection. If the overallsecurity level of the server (QSECURITY) is belowIBM’s minimum recommended value of 40, if usershave excessive authority, or if *PUBLIC carries theshipped default authority of *CHANGE to applicationlibraries, it will be possible to detect—but difficult toprevent—configuration changes. If the necessary stepsare taken, IBM i conforms to the Controlled AccessProtection Profile (CAPP), which replaced the TrustedComputing Systems Evaluation Criteria (TCSEC) C2for which previous versions and releases of OS/400qualified.File integrity monitoring is implemented primarily inresponse to a regulatory requirement, as real-time(continuous) monitoring is a relatively new conceptfor most IBM i installations. Fortunately, the capabilityto detect changes to the system configuration anddatabase files exists within the base operating system;and commercial security applications are available toensure that critical events are escalated to concernedparties.The IBM i operating system relies far less onconfiguration files than other operating systems, suchas Windows and Linux. Instead, many configurationsettings are established through a special facilitycalled system values. There are more than one hundredand fifty system values within IBM i v7.1 and most ofthese should be actively monitored for unauthorizedmodification.The primary intent of file integrity monitoring is todetect unauthorized configuration changes. As such,on IBM i the discussion may more appropriately becalled simply “integrity monitoring.”Operating System IntegrityA major concern for audit and security personnel isthe risk that a server’s operating system will becomecorrupted through accidental means or maliciousintent. Contrary to popular belief, it is possible—andrelatively easy—for a powerful user to damage IBM iand render the server unusable until a reload of the OSis performed from bootable media.To prevent malicious use of these techniques, thispaper will not document further instructions. It will,however, discuss considerations for preventing abuseof the operating system.According to the annual “State of IBM i Security” study available fordownload at www.powertech.com1The PowerTech Group, Inc.www.powertech.com info@powertech.comp. 3
Object IntegrityServers running at QSECURITY levels of 40 or 50enforce object integrity to prevent direct objectaccess, which means addressing the object’s internalsdirectly via pointers.At these security levels, user applications are requiredto use system interfaces (commands and APIs) togain access to system objects. In addition, several keyintegrity controls are employed, including: Authority Checking, enforced by thesystem interface Parameter Validation Object Domain Checking Hardware Storage Protection (HSP)Under IBM i, every object has a “domain” and everyprogram has a “state.” These attributes—viewed usingthe DSPPGM and DSPOBJD commands, respectively—control how the object can be accessed. The displayof a program will look similar to Figure 1. Programsrunning in the *SYSTEM state can directly accessobjects in both *USER and *SYSTEM domains;programs running in the *USER state can only access*USER domain objects.Hardware Storage Protection (HSP) is a powerfulintegrity feature that’s built in—and enforced by—thePower hardware. In order to fully understand theprotection provided by HSP, a deep understandingof IBM i infrastructure is necessary and is beyond thescope of this paper. In simple terms, HSP polices theinteraction between elements above and below theMachine Interface (MI).Digital signatures protect the Licensed Program Products(LPPs), the Operating System, and the Firmware. Usingthe CHKOBJITG (Check Object Integrity) command, anadministrator can interrogate any application program,OS program, or Licensed Internal Code (LIC) executableto see if has been modified. If user code tries to accesscontrol blocks designated for use only by the LIC, thehardware throws an exception, the Licensed Internal Codethrows an error to the user code and, of course, access isdenied.The PowerTech Group, Inc.www.powertech.com info@powertech.comEvent Log IntegrityMost regulatory standards mandate that importantevents must be logged. The intent is for the logs toprovide irrefutable proof regarding important activitiesthat have occurred on the server. Due to their forensicnature, these logs typically have to be monitoredto ensure that event records are never modified orremoved. Most standards permit new event records tobe written without generating an alert.IBM i contains a unique tamper-proof repository(QAUDJRN) that’s designed specifically to log systemand user activities. Single entries cannot be removedor altered regardless of the authority of the user. Itis, however, possible for event records to be deleteden masse via the deletion of an entire audit journalreceiver, or for the operating system’s event auditingfunction to be “turned off.” For this reason, there areseveral important recommendations regarding howIBM i auditing should be configured and managed:Contain Audit Information within Specific LibrariesThe default library for audit journal receivers isQGPL, which is shipped by IBM but is considereda user library as it changes frequently. This nondedicated library can represent a challenge duringhousekeeping tasks or system migrations. QGPLships with *PUBLIC authority of *CHANGE whichpermits access by any user. It’s recommended thataudit journal receivers be located in a dedicatedlibrary that’s secured from the general userpopulation.p. 4
Remove *AUDIT Special Authority from UsersUsers with *ALLOBJ and *AUDIT special authorityhave the potential to configure what types ofevents and users are audited. They can also turnthe auditing function on and off. If the organizationsupports a separate auditor role, then *AUDITauthority should be removed from any otheruser. It should be noted that users that possess*ALLOBJ can potentially grant themselves *AUDITspecial authority.Control Access to Auditing-Related CommandsThere are numerous commands that can impactthe integrity of the IBM i auditing function andshould be secured. As a powerful supplementallayer, PowerTech Command Security (PTCS) canprevent abuse by standard and powerful users —for example, users with *ALLOBJ special authority—using flexible, rule-based restrictions.Many commands should be considered as candidatesfor lockdown, although this is difficult to do againstpowerful users without a solution such as CommandSecurity. The commands listed below pertain only tothe auditing function and are not guaranteed to be theonly commands that could compromise the integrityof the auditing repository.The following commands are shipped with PUBLIC(*USE) and require that the user have authority toaccess the objects impacted by the delete operation.They require no special authority and should besecured from abuse by all users:DLTLIBDLTJRNRCVDelete LibraryDelete Journal ReceiverThe following command is shipped with PUBLIC(*EXCLUDE) and requires that the user have access tothe command, the QAUDJRN audit journal, and the oldand new receivers. It requires no special authority andshould be secured from abuse by powerful users:CHGJRNChange JournalThe PowerTech Group, Inc.www.powertech.com info@powertech.comThe following commands are shipped with PUBLIC(*USE) and require that the user possess *AUDITspecial authority. They should be secured from abuseby powerful users:CHGUSRAUDCHGOBJAUDCHGAUDChange User AuditingChange Object AuditingChange Auditing (IFS)The following command is shipped with PUBLIC(*EXCLUDE) and requires that the user have access tothe command, plus *AUDIT special authority in orderto change the QAUDxxx system values. It should besecured from abuse by powerful users:CHGSYSVALChange System ValueThe following command requires that the user have*ALLOBJ and *AUDIT special authorities. It should besecured from abuse by powerful users:CHGSECAUDChange Security AuditingThe audit function included within IBM i doesn’ttypically encompass activities that originate fromthe network (e.g. FTP or ODBC). This is an importantconsideration and is discussed in the “Network Access”section.For more detailed information on IBM i auditing, referto the PowerTech paper “Security Auditing in the RealWorld,” available for download at www.powertech.com.System ValuesAs previously mentioned, the IBM i operating systemdetermines many of its configuration settings througha mechanism called System Values. Although notall system values are considered critical to security,a majority should be protected and monitored forchanges.Baseline ComparisonSystem values should be compared against apolicy baseline on a regular basis. Exceptionsbetween the baseline and actual values shouldbe reported immediately, the cause determinedand made compliant as soon as feasibly possible.p. 5
This comparison can be performed manually froma printed list or using a purpose-built auditingsolution such as PowerTech Compliance Monitor. Monitor For Changes Logged To QAUDJRNBaseline comparisons work well for a point-intime validation. However, there remains a riskthat a program or user could change a systemvalue and subsequently change it back beforenon-compliance can be detected by baselinecomparison. In addition to baseline verification, it’sstrongly recommended that auditing be configuredto include *SECURITY events, and that the eventlog be reviewed for “SV” entries indicating that asystem value was altered.To automate this process, PowerTech providestwo powerful solutions. Compliance Monitor isdesigned to search on any event logged withinQAUDJRN and generate easy-to-read forensicreports of the results. PowerTech Interact canmonitor QAUDJRN for the arrival of a loggedevent and escalate a notification in real-time toa message queue, ISS console, or SIEM (syslog)solution.Prevent Unauthorized Change Using PowerTechCommand SecurityCommand Security is a command line monitoringsolution. It controls how and when a commandcan be executed through a powerful combinationof selective conditions and associated actions. Asan exit program solution, it’s even effective againstpowerful users—a set of users that were previouslyconsidered unstoppable. Although it’s capable ofmonitoring any command, in the current context itshould be configured to monitor the CHGSYSVALcommand.Lock Down Via SSTIBM i permits a subset of system values to belocked in order to prevent alteration by any user.This restriction was provided to eliminate the riskof programs or users changing system valueswithout permission; and is performed inside theconfinement of System Service Tools (SST) toencompass users with *ALLOBJ special authority.The PowerTech Group, Inc.www.powertech.com info@powertech.comUnlike Command Security, this capability is all-ornothing; but is still recommended as it provides anadditional layer of security. The list of “lockable”system values for the installed operating systemrelease can be found in the help text of theCHGSYSVAL command.Anti-VirusNo discussion about operating system integrity wouldbe complete without covering the ongoing challengeof viruses and malicious code. Unlike other popularoperating systems, IBM i’s unique infrastructure ishighly virus-resistant. This is partly due to the fact thatit’s not possible to change an object from one type toanother. In Windows, for example, an object’s type isbased upon its filename extension. This means you cansimply rename a file to change its type—for example,making an executable appear to be a .pdf document.This type of object manipulation is not possible in IBM idue to protection provided by HSP.Viral infection typically entails the virus embeddingand hiding executable code inside other objects. IBM iobject binaries cannot be modified without recreatingthe object and cannot masquerade as anything buttheir original object type. This prevents the initialinfection and spread of viral code.Other file systems remain vulnerable to viral infectionand should be monitored using a commercial anti-virussolution, such as StandGuard Anti-Virus (SGAV).Powered by McAfee, SGAV is a native IBM i solutionthat is fully integrated with the operating system’s ownanti-virus enablement features. This solution providesscheduled, on-demand, and open/close scanning offiles stored in the Integrated File System (IFS), as wellas Lotus Domino databases, AIX, and Linux. All normalanti-virus capabilities are available, including thedownload of up-to-date virus signatures from McAfeeand infected object quarantine and cleansing.It should be noted that malicious code can be writtenfor IBM i, just as it can on any server. A program thatperforms a Power Down System (PWRDWNSYS)command could be configured as the server’s “startup” program and cause a frustrating and costlyp. 6
cycle of power up and power down events. Althoughtechnically not a virus, this is definitely malware andgood security practices, such as monitoring andprotecting system values, should be utilized to reducethis risk.SQL LANGUAGESlanguagesSQL SIZING- SQL standard list of database limitsSYSJARCONTENTS- registry of classes related to JavaroutinesSYSJAROBJECTSConfiguration FilesIt is critical that user authorities be closely guarded,and access by privileged users be monitored, using acombination of profile and object auditing. PowerTechAuthority Broker manages the temporary assignmentof administrator privileges and the monitoring ofpowerful users, and can reduce the risk associatedwith system access by these users.Some examples of files that should not be directlyaccessed include:Library QSYS (or iASP equivalent):- registry of all physical files, logicalfiles, SQL tables, views, indexes,packages, and aliases.QADBXRDBD- registry and configuration foraccessing remote databases.Library QSYS2 (or iASP equivalent):SYSROUTINES- registry of jarids related to JavaroutinesMuch of the operating systems configuration ishandled via system values. However, database files doexist that contain elements of system configuration.Generally, these system files are secured from users.However, in many organizations the proliferation ofusers with powerful administrative rights like *ALLOBJmakes these objects vulnerable.QADB*- SQL standard list of supported- registry of all user-defined routines(functions & procedures)SYSROUTDEP- registry of all routine dependenciesSYSPARMS- registry of all routine parametersSYSSEQOBJECTS- registry of all sequence objectsSYSTYPES- registry of all user-defined typesSYSVARIABLES- registry of all global variablesSYSVARIABLEDEP- registry of all global variabledependenciesSYSIXADV- index advice tableSQL FEATURES- SQL standard list of supportedSYSTEXT*- registry of Omnifind configurationXSR*- registry of all XML schemas(XSROBJECTS)Library QRECOVERY (or iASP equivalent):QDBAL*- ALTER TABLE status filesQDBIX*- Create index build status filesQDBRG*- Reorganize status filesQDBTI*- Omnifind text index build status filesQADBERAP- Asynchronuos index rebuild(EDTRBDAP equivalent)QSQ901S- SQL -901 LoApplication IntegrityIf your organization stores data in DB2 files, there’sa good chance that much of that information isconsidered “critical” to the application that maintainsit and the business unit that owns it.The objective of file integrity monitoring within theapplication layer is to ensure that critical data is onlyaccessed by authorized users through approvedapplications, thereby assuring its availability andaccuracy.Powerful users, such as administrators andprogrammers, usually have access to productiondata. Regulatory compliance often demands thatthis be revoked to prevent unauthorized activitiesor accidental mishaps. Even though not directlyrelated to FIM, user management solutions should beevaluated to ensure consistent profile configuration,and to audit and control user access to productiondata. PowerTech’s PowerAdmin and Authority Brokersolutions were designed specifically to address theserequirements and satisfy compliance regulations.featuresThe PowerTech Group, Inc.www.powertech.com info@powertech.comp. 7
The IBM i operating system contains severalmechanisms to support the concept of FIM, althoughthey weren’t specifically designed for security integritymonitoring and do not exhibit all of the characteristicsof a modern FIM solution. They do, however, providethe necessary foundation for application developersand commercial providers to build FIM solutions.JournalingIBM i includes an integrated DB2 database with theability to capture changes made to database objects.This function is known as journaling, and it can trackthe before and after image of a database record.Originally used for recovery purposes, it is commonlyused for high availability replication, and can also beused to generate an audit trail.As with the security audit journal, the data collectedby the database journaling function is stored in journalreceivers, which are simply containers much like astructureless file.There are two main considerations when journalingis used for non-audit purposes (for example for highavailability replication or application recovery) versus FIM.RetentionAfter a non-audit data change has been safelywritten to the disk, or replicated successfully toa high availability system (two common uses forjournaling), there is no further use for the journaldata. High availability applications are oftenconfigured to purge non-audit journal informationafter 24 hours. The retention requirement for auditjournal data is typically longer than for non-auditdata. Some regulatory standards call for changedata to be retained for 12 months or longer, soawareness of retention requirements in crucial.Before and After ImagesJournaling can be configured to capture therecord’s original (“before”) data and the changed(“after”) data. With non-audit journaling, only thechanged data may be required, however with auditjournaling for FIM, it is typical to capture andstore the before and after images.The PowerTech Group, Inc.www.powertech.com info@powertech.comThe main technical challenge with journaling forthe purpose of auditing is that the captured datais unformatted, rendering manual analysis difficultand extremely time consuming. There are nocolumns to parse the data and no key fields to sortit. There are also no search capabilities, reporting,or alerting functions. After a change is made to thedata, the journal receiver contents must be displayedand manually analyzed to determine if the changewas authorized. Unfortunately, this process is notconducive to the timely discovery of illicit activity,allowing a perpetrator plenty of time to completetheir activities.Journaling is capable of recording events that impactdata (add, update, delete) but not the viewing ofa data record. In some cases, simply viewing thedata could be construed as a breach and should bemonitored. For example, perhaps payroll or medicalinformation should only be displayed within theconfines of the approved application. Depending onthe sensitivity of the data, being able to determine thetype and scope of a breach can prove highly valuableand this functionality should be provided by a readcapable monitoring technique, such as triggers.Despite these limitations, journaling remains therecommended approach to audit database changes.Enhancing its functionality to detect activities in realtime, to differentiate between irregular and normalbusiness activity, and to escalate the notificationof violations yields significant Return On SecurityInvestment (ROSI).Organizations don’t typically benefit from notificationof every single event in a large file. Criteria mustbe specified to indicate the normal source of thoseevents, which fields are critical, and the acceptablerange of data values. This enables the business todetermine if a change is a normal business transactionmade via an approved application. Reducing thenumber of false or unimportant alerts prevents theover-notification that typically leads to complacencyand overlooking when an unauthorized event doesoccur.p. 8
The following table lists examples of data events thatmay require selective handling.DatabaseEventEventDatabaseCustomer name changes viaMaintenance ApplicationAuditAudit DesiredDesiredNOSTRJRNPFENDJRNPFStart Journaling Physical FileEnd Journaling Physical FileOther commands, such as DLTJRNRCV and CHGJRNshould be controlled as already described under EventLog Integrity.TriggersCustomer A/R balance changes(by more than 100,000)YESSalary increases by more than 10%(via maintenance application)YESSalary increases by more than 10%(via DFU)YES ALERTDeletion of an Accounts PayableRecordbe restricted—especially when used against auditjournal receivers. Some examples include:YESThe benefit of reacting selectively extends beyondsecurity—it enables raised awareness to the presenceof any database issue, including inventory errors andaccounting inaccuracies.Many customers have found success usingPowerTech’s DataThread. Originally written for thehighly regulated pharmaceutical industry, this solutioncomplements IBM i journaling with selective auditing,notification, and logging capabilities. If a databaseis already journaled for other purposes, such as highavailability, the existing journal receivers can be used.A trigger is a database function within DB2 thatpermits an application program to be invoked duringvarious database operations. There are four triggerevents that can be used to monitor a file: INSERTCHANGEDELETEREADUsing the Add Physical File Trigger (ADDPPFTRG)command, triggers can be set to “fire” before or afterthe activity on the file has occurred.Triggers are able to provide similar functionality todatabase journaling by accessing the before and afterimage of a database record, although performance isoften a consideration due to the overhead of programinvocation. Trigger programs should be carefully testedto establish the impact on application performancewhen added.Once configured, DataThread diligently observes fileactivity for data events that are outside the boundsof normal business activities, based on rules specifiedwithin the product. DataThread monitors selectivechanges in a single field, or logs every data event thatimpacts the entire file.Journaling is designed to capture and store databaserecord images; however, the functionality of a triggerprogram is controlled by the programmer that writesit. A trigger program receives information about adata event. Depending on the type of event, this mayinclude the before and after image of the record.This can then be acted upon in any manner, includingstoring the before and after image in a log or evenoverriding the data before it is written to disk.Journal commands should be audited and controlledusing command line restrictions, object access, and amodern command monitoring solution like PowerTechCommand Security. Journal-related commands shouldThere are disadvantages to using triggers for auditpurposes, not least of which is that every triggerprogram has to be written. Many auditors frownupon the conflict of interest in self-policing whenThe PowerTech Group, Inc.www.powertech.com info@powertech.comp. 9
an organization’s own programmers are involved inbuilding the monitoring controls. Building, testing, andmaintaining security applications with the necessaryrobust functionality is not a priority for most I.T.departments—especially when there are commercialsolutions available.integration of a messaging solution into the triggerprogram. An electronic signature function enforcesaccountability by tying a database event to a user. Thisis accomp
The primary intent of file integrity monitoring is to detect unauthorized configuration changes. As such, on IBM i the discussion may more appropriately be called simply "integrity monitoring." Operating System Integrity A major concern for audit and security personnel is the risk that a server's operating system will become
