Archive for August, 2010

September Questions and Answers

Posted in Q and A on August 19th, 2010 by bob.balderson

Q: We license several PowerTech products and sometimes I have a hard time remembering the various product commands. Can I put them on a menu?

A: We’ve already created one for you. It’s called the PowerTech Products Menu, and it’s available FREE from our Web site. It has everything you need to access your licensed products, start and end Compliance Monitor system monitors, and display product information.

Just follow the simple steps below and you’re ready to go. Enjoy!

  1. Download the PowerTech Products Menu from our Web site (you must be logged in to the site).
  2. Create a save file on the System i using the following command: CRTSAVF QGPL/P1PTUT01
  3. FTP the product menu save file to the System i and execute the following command: RSTLICPGM LICPGM(1PTUT01) DEV(*SAVF) SAVF(QGPL/P1PTUT01)
  4. Enter the command GO POWERTECH from a command prompt to display the menu.
PowerTech Product Menu

Paul “Paulie” Culin is a Senior Security Engineer with the PowerTech Group. As a product expert, his role at PowerTech includes managing client training and implementation services, as well as hosting security presentations, Webinars, and product demonstrations. Paul has thirteen years of experience in the security field.

Viruses On Your IBM i Server?

Posted in Security on August 19th, 2010 by bob.balderson

Robin Tatam

It’s interesting to talk to the IBM i community about viruses and anti-virus software. The subject comes up frequently during my travels and it’s an item that I think each enterprise should evaluate. In general, people seem to fall into two groups: either they think it’s pointless based on what they’ve heard about IBM i, or they are completely onboard with the idea and are running anti-virus software on their IBM i systems.

According to Wikipedia, a virus is a form of malware that can copy itself from one computer to another. (There are many types of malware, including Trojan horses, worms, adware and spyware. Most of us are familiar with these.) I prefer my own definition: Any unauthorized code—active or dormant—designed to perform a function that is not part of a company’s official application initiative.

IBM i has long been touted as being impenetrable to viruses, partly because of its native object structure, which prevents executable code from being embedded inside non-executable objects. For example, you can’t hide program code inside a database file-type object. I have heard reports of a virus being technically possible inside IBM i, but they are far from prevalent and are usually dismissed by security officers.

However, there are important exceptions. Traditional library and object structures might not be as susceptible to viruses as a Windows server, but other structures are. For example, the Integrated File System (IFS) can easily contain infected files. Often, client-server applications such as Lotus Domino, WebSphere, and the Navigator for i have access to the IFS. And outside users often use an IBM i disk as a shared network repository. A virus in the IFS is a significant threat—during a viral outbreak, most IBM i servers remain connected to the network, which can cause recurring infection.

Some companies scan IBM i network drives from another network server, but this is not a good idea. Trying to remotely scan thousands of IFS objects means a strong chance of poor scanning performance and a significant increase in network bandwidth use (which translates to slower network communication for everyone). Plus, there are increased risks from the shared read/write requirement and the use of a common profile with *ALLOBJ authority.

Bytware, PowerTech’s sister company and the only supplier of a native IBM i anti‑virus solution powered by a commercial-grade scan engine, notes the following about IBM i viruses:

  • IBM i is not free from virus threats and can host and spread viruses
  • Viruses can be undetected on IBM i and can attack other systems
  • Undetected viruses can pass through IBM i mail
  • The IFS is the perfect host for viruses

IBM provides exit points to allow a program such as StandGuard Anti‑Virus from Bytware to scan. StandGuard Anti‑Virus:

  • Was designed for IBM i, System p, AIX, Linux on x86, and Domino servers
  • Is powered by the McAfee commercial scanning engine
  • Cannot be disabled by viruses
  • Has both green screen and GUI interfaces
  • Uses IBM i scanning for both on-demand and open/close scanning
  • Uses object integrity scanning to protect IBM digital signatures

My advice is to examine how you use your IBM i file structures. If files are written to or read from the IFS, anti-virus protection is critical. If you’re not sure, give Bytware a call at 775-851-2900 and they’ll be happy to help. And don’t forget, anti‑virus software is necessary for some regulation compliance, such as requirement 5 of the Payment Card Industry’s PCI-DSS standards.

There are other types of malicious code threats. Imagine a startup program that performs a PWRDWNSYS command! Even though this might not be considered a “virus”, it would be extremely disruptive to a production environment. Or, what about an unauthorized program registered as a password change validation program that illegally records user passwords as they are set?

With the team of StandGuard Anti-Virus and PowerTech’s Compliance Monitor and Interact, you can make short work of any of these threats. This team can monitor and report any changes to system values, such as QSTRUPPGM or QPWDVLDPGM, before they become a problem. Visit www.bytware.com and www.powertech.com for more information.

Keep An Audit Eye On Your System Values!

Posted in Security on August 19th, 2010 by bob.balderson

Robin Tatam

Hopefully, you reviewed and configured your System i server’s system values as part of your security procedures. If not, you should take the time to familiarize yourself with these values to understand how they impact security. With each new release of the operating system, IBM adds more system values (information about how to use these values is available in the Memo To Users and at the online Information Center). And, once these values are set, you must ensure they stay that way. But, manually comparing values is both labor intensive and error prone—there are better approaches.

IBM Lock Down

Starting with V5R2 of the operating system, IBM offered the ability to lock selected system values using System Service Tools (SST). This lock down prevents even the most powerful users from making changes. However, many people won’t use this feature because they aren’t comfortable with the SST interface and they are afraid they won’t be able to unlock these values later.

Compliance Monitor, the leading IBM i audit forensics and reporting solution from PowerTech, offers two ways to help with this process:

Event Monitoring

If you are auditing *SECURITY events in the audit journal, modifying any system value causes an SV event to be written. Compliance Monitor can report the details of those events, including information about the value change and the user that initiated the change. And, if a value is changed and then returned to its original value, Compliance Monitor registers two separate change events.

Scorecard Analysis

Compliance Monitor’s System Scorecard (see Figure 1) provides a rapid, point-in-time compliance check of key system values against policy. System values are graded using a weighted scale that you can specify to create an overall compliance rating. You can use its Best Practices policy to determine whether a system is well configured and its Policy Editor to customize the policy for special requirements. Compliance Monitor performs its analysis and presents an easy-to-read dashboard report that you can use to prove compliance to auditors, or to highlight policy discrepancies that need to be fixed.

Figure 1: A Sample System Value Scorecard

Compliance Monitor’s unique architecture lets you apply a centralized policy to any number of end point reporting systems, or each end point can have a custom policy. For example, all production partitions could use one central policy, while each Development and Test partition has its own policy. And international organizations can use different policies based on each country’s requirements and regulations.

Figure 2: Compliance Monitor’s Integrated Policy Editor

You can define system value requirements with flexibility. After you select the system value you want to review (Figure 3), you can specify whether a certain setting is allowed, disallowed, or required. Then, you can define both a severity and the penalty to assess during the analysis if the value becomes non-compliant. Finally, if a system value should not be included in the review, you can select Allow any value and the attribute settings are ignored.

Figure 3: Policy Settings for the QSECURITY System Value

You can export and import policies between systems for easy administration. And, the policy editor lets you access normal system values and other attributes, such as whether changes are allowed to security system values.
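As an added illustration (example code written for this page, not Compliance Monitor’s own logic), the Python below models the policy evaluation just described: each system value gets a rule with required, disallowed or “allow any” settings plus a severity and a penalty, a snapshot is graded into an overall rating, and the same partition is then looked at both as a snapshot comparison and as a sequence of change events, which is where the change-and-revert case from the Event Monitoring section shows up. It also serves the earlier virus article’s point about watching QSTRUPPGM and QPWDVLDPGM. The system value names are real; every setting, rule, penalty and change record is constructed sample data, and the scoring formula (100 minus the penalties) is this example’s own choice, not the product’s.

```python
"""Grading IBM i system values against a policy, and auditing their changes.

Added example, not PowerTech code: it models a point-in-time scorecard
(allowed, disallowed and required settings with severity and penalty) and
per-event change tracking. System value names are real; the settings,
policy rules, penalties and change records are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Policy for one system value."""
    required: FrozenSet[str] = frozenset()    # setting must be one of these
    disallowed: FrozenSet[str] = frozenset()  # setting must not be one of these
    allow_any: bool = False                   # exclude the value from the review
    severity: str = "medium"                  # label carried into the finding
    penalty: int = 0                          # points deducted when non-compliant

    def is_compliant(self, setting: str) -> bool:
        if self.allow_any:
            return True
        if setting in self.disallowed:
            return False
        return not self.required or setting in self.required


# Constructed policy: real system value names, illustrative rules and penalties.
POLICY: Dict[str, Rule] = {
    "QSECURITY":  Rule(required=frozenset({"40", "50"}), severity="high", penalty=25),
    "QMAXSIGN":   Rule(disallowed=frozenset({"*NOMAX"}), severity="medium", penalty=10),
    "QPWDEXPITV": Rule(disallowed=frozenset({"*NOMAX"}), severity="medium", penalty=10),
    "QAUDCTL":    Rule(disallowed=frozenset({"*NONE"}), severity="high", penalty=20),
    "QALWOBJRST": Rule(disallowed=frozenset({"*ALL"}), severity="medium", penalty=10),
    "QPWDVLDPGM": Rule(required=frozenset({"*NONE", "*REGFAC"}), severity="high", penalty=25),
    "QSTRUPPGM":  Rule(allow_any=True),  # "Allow any value": excluded from grading
}

# Constructed snapshot of one partition's current settings.
CURRENT: Dict[str, str] = {
    "QSECURITY": "30",
    "QMAXSIGN": "*NOMAX",
    "QPWDEXPITV": "90",
    "QAUDCTL": "*AUDLVL",
    "QALWOBJRST": "*ALL",
    "QPWDVLDPGM": "PWDVLD MYLIB",   # constructed program name
    "QSTRUPPGM": "QSTRUP QSYS",
}

# Constructed earlier baseline of the same partition.
BASELINE: Dict[str, str] = dict(CURRENT, QPWDEXPITV="60", QPWDVLDPGM="*NONE")

# Constructed change records carrying what an SV audit entry tells you
# (when, who, which value, old and new setting); not the QAUDJRN record layout.
CHANGES: List[Tuple[str, str, str, str, str]] = [
    ("2010-08-19T02:10:00", "OPER1",  "QAUDCTL",    "*AUDLVL", "*NONE"),
    ("2010-08-19T02:45:00", "OPER1",  "QAUDCTL",    "*NONE",   "*AUDLVL"),
    ("2010-08-19T03:00:00", "SECADM", "QPWDEXPITV", "60",      "90"),
    ("2010-08-19T03:15:00", "OPER1",  "QPWDVLDPGM", "*NONE",   "PWDVLD MYLIB"),
]

Finding = Tuple[str, str, str, int]  # (system value, setting, severity, penalty)


def score_system(values: Dict[str, str], policy: Dict[str, Rule]) -> Tuple[int, List[Finding]]:
    """Start at 100 and deduct the penalty of every non-compliant value.

    A value the policy grades but the snapshot lacks is reported as
    non-compliant instead of being silently passed.
    """
    findings: List[Finding] = []
    for name, rule in policy.items():
        if rule.allow_any:
            continue
        setting: Optional[str] = values.get(name)
        if setting is None or not rule.is_compliant(setting):
            findings.append((name, setting or "<not collected>", rule.severity, rule.penalty))
    return max(0, 100 - sum(f[3] for f in findings)), findings


def end_state_differences(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Snapshot comparison: a value changed and later reverted is invisible here."""
    return {name: (baseline.get(name, ""), current.get(name, ""))
            for name in sorted(set(baseline) | set(current))
            if baseline.get(name) != current.get(name)}


def changes_to(records: List[Tuple[str, str, str, str, str]], name: str):
    """Event view: every recorded change, including change-and-revert pairs."""
    return [r for r in records if r[2] == name]


if __name__ == "__main__":
    score, findings = score_system(CURRENT, POLICY)
    print(f"compliance rating: {score}/100")
    for name, setting, severity, penalty in findings:
        print(f"  {name:<10} = {setting:<14} [{severity}, -{penalty}]")
    print("snapshot differences:", end_state_differences(BASELINE, CURRENT))
    # QAUDCTL was switched to *NONE and back: absent from the snapshot diff,
    # but present as two separate events in the change records.
    print("QAUDCTL change events:", len(changes_to(CHANGES, "QAUDCTL")))
```

Run stand-alone, the script grades the constructed partition at 30/100 with four findings, shows two snapshot differences, and reports two QAUDCTL change events that the snapshot comparison cannot see; that gap is the reason the article pairs scorecard analysis with event monitoring.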

Real-time Alerting

If you want to be notified when a system value is modified, you can use PowerTech Interact for real-time alerts of activities, including QAUDJRN events. With Interact, you can communicate with enterprise monitoring solutions and escalate events to cell phones or e-mail with tools like Robot/CONSOLE and Robot/ALERT.

Working Together

To keep your system secure and compliant, you need to work with IBM i security controls to set your system values properly and ensure they remain in compliance. PowerTech’s Compliance Monitor and Interact bring together event monitoring, scorecard analysis, and real-time alerts for a complete security compliance solution.

August Questions and Answers

Posted in Q and A on August 3rd, 2010 by bob.balderson

Q: Compliance Monitor has some product user profiles that are set to never expire. Can they be changed to meet our password requirements?

A: Compliance Monitor has four profiles: PLCMOWN is the object owner for the Endpoint; PLCM2OWN is the object owner for the Consolidator; PLCM2ADM is the profile used to sign on to the product for the first time; PLCMADM is used for communication between the Consolidator and the Endpoint.

The object owner profiles are set to *DISABLED and have the suffix “OWN” to denote their use, so they don’t attract attention. However, PLCM2ADM and PLCMADM might.

PLCM2ADM can be set to *DISABLED if you sign on to the product under an alternate authorized profile. If you set the password expiration interval at *SYSVAL and the password expires, you must use the command PTCMT2/CHGPCM2PWD to reset it. This encrypts the password in a special password store.

PLCMADM must be set to *ENABLED. We recommend that you leave the password expiration interval set to *NOMAX because if you have multiple Endpoints and you change the password on one Endpoint, you must change it on all your Endpoints to match. Plus, each Compliance Monitor user must enter the password in each PC GUI installation, so that could be a problem for large deployments. We recommend leaving PLCMADM as is—the password is securely maintained in the triple-DES encrypted password store on the Consolidator.

Paul “Paulie” Culin is a Senior Security Engineer with the PowerTech Group. As a product expert, his role at PowerTech includes managing client training and implementation services, as well as hosting security presentations, Webinars, and product demonstrations. Paul has thirteen years of experience in the security field.

Real-Time Event Escalation: Be Part of the Big Picture!

Posted in Security on August 3rd, 2010 by bob.balderson

by Oshan Indika

Every day, security professionals are overwhelmed by the number of incidents they must manage. When you look at the ever-increasing number of systems and devices in an enterprise, it’s clear why events originating from all these sources can cause information overload. And, if you don’t use the correct tools to manage this information, you can miss critical events and possibly compromise the confidentiality, integrity, and availability of the data you’re trying to protect.

What exactly is an incident? According to the International Information Systems Security Certification Consortium (ISC)2 (www.isc2.org):

A security incident is an adverse event or series of events that adversely impacts the security or ability of an organization to conduct normal business.

This definition introduces another important term: event. An event is simply an observable occurrence—an aspect that can be documented, verified, and analyzed.

The most important thing to understand from the definition is that several events—perhaps from different sources (systems, devices)—can be part of a broader security incident. The ability to correlate events to an incident is one of the most important functions of a SIEM (Security Information and Event Management) tool. Other major functions are consolidation (of logs), notification (e-mail, pager, SMS), and reporting.

To understand the importance of the big picture from an enterprise point of view, let’s look at a sample of events from multiple sources:

  • Exit point monitoring software on the System i reports a rejected FTP remote command attempt
  • QAUDJRN reports invalid sign-on attempts on QSECOFR via Telnet
  • The IDS (Intrusion Detection System) in the perimeter firewall reports attempts to access the System i IP address on the FTP and Telnet ports
  • A Windows server shows abnormal inbound and outbound traffic patterns on the FTP and Telnet ports

If you look at these events individually, it’s difficult to identify whether anything is happening. And, if you happen to connect them later, it may be too late. But, when you use a SIEM tool, you see the link between the events and understand that they are part of a single security incident: Someone is trying to access a critical server (the System i) from the perimeter and is targeting it from a compromised Windows server.

This incident contained just four events. Imagine isolating those four events from the thousands that occur across your enterprise every day. And, if each team (Windows, System i, firewall, and so on) investigated these events in isolation, it would take considerable time and resources to reach the correct conclusion.
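To make the linkage concrete, here is an added example (not from the article or any PowerTech product) that correlates the four kinds of events above into one incident: two events are treated as related when they share an IP address within a time window, incidents are the connected groups that result, and a host that appears as the target of one event and the origin of another is flagged as a likely pivot, the compromised Windows server in the article’s scenario. All events, addresses and field names are constructed; 203.0.113.5 is taken from the RFC 5737 documentation range.

```python
"""Correlating events from several sources into one security incident.

Added example, not part of the original article or any PowerTech product.
Two events are related when they share an IP address and occur within a
time window; an incident is a connected group of related events. All events
and addresses below are constructed (203.0.113.5 is an RFC 5737 address).
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample: the article's four-source scenario plus one unrelated
# failed sign-on hours later that a correct correlation must not pull in.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2010-08-03T10:00:00", "source": "firewall-ids",
     "src": "203.0.113.5", "dst": "10.0.0.10", "port": "21",
     "summary": "access attempt to System i on FTP/Telnet ports"},
    {"ts": "2010-08-03T10:05:00", "source": "windows-netmon",
     "src": "203.0.113.5", "dst": "10.0.0.20", "port": "23",
     "summary": "abnormal inbound traffic to Windows server"},
    {"ts": "2010-08-03T10:07:00", "source": "windows-netmon",
     "src": "10.0.0.20", "dst": "10.0.0.10", "port": "21",
     "summary": "abnormal outbound traffic from Windows server"},
    {"ts": "2010-08-03T10:08:00", "source": "exit-point-monitor",
     "src": "10.0.0.20", "dst": "10.0.0.10", "port": "21",
     "summary": "FTP remote command rejected"},
    {"ts": "2010-08-03T10:09:00", "source": "qaudjrn",
     "src": "10.0.0.20", "dst": "10.0.0.10", "port": "23",
     "summary": "invalid sign-on attempt for QSECOFR via Telnet"},
    {"ts": "2010-08-03T14:30:00", "source": "qaudjrn",
     "src": "10.0.0.55", "dst": "10.0.0.10", "port": "23",
     "summary": "invalid sign-on attempt for USERA via Telnet"},
]


def _related(a: Dict[str, str], b: Dict[str, str], window: timedelta) -> bool:
    """Two events are related if they share an address within the window."""
    ta, tb = datetime.fromisoformat(a["ts"]), datetime.fromisoformat(b["ts"])
    shared = {a["src"], a["dst"]} & {b["src"], b["dst"]}
    return bool(shared) and abs(ta - tb) <= window


def correlate(events: List[Dict[str, str]], window_minutes: int = 30) -> List[List[Dict[str, str]]]:
    """Group events into incidents: connected components of the 'related' graph."""
    window = timedelta(minutes=window_minutes)
    parent = list(range(len(events)))            # union-find forest

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(events)):
        for j in range(i + 1, len(events)):
            if _related(events[i], events[j], window):
                parent[find(i)] = find(j)

    groups: Dict[int, List[Dict[str, str]]] = {}
    for i, ev in enumerate(events):
        groups.setdefault(find(i), []).append(ev)
    # Largest incident first; events inside an incident in chronological order.
    return sorted((sorted(g, key=lambda e: e["ts"]) for g in groups.values()),
                  key=len, reverse=True)


def sources(incident: List[Dict[str, str]]) -> Set[str]:
    return {ev["source"] for ev in incident}


def pivot_hosts(incident: List[Dict[str, str]]) -> Set[str]:
    """Hosts that were the target of one event and the origin of another."""
    targets = {ev["dst"] for ev in incident}
    origins = {ev["src"] for ev in incident}
    return targets & origins


if __name__ == "__main__":
    for n, incident in enumerate(correlate(SAMPLE_EVENTS), start=1):
        label = "incident" if len(incident) > 1 else "uncorrelated event"
        print(f"{label} {n}: {len(incident)} event(s), sources={sorted(sources(incident))}, "
              f"pivots={sorted(pivot_hosts(incident))}")
        for ev in incident:
            print(f"  {ev['ts']} {ev['source']:<18} {ev['src']} -> {ev['dst']}:{ev['port']}  {ev['summary']}")
```

With the default 30-minute window the five morning events form one incident with 10.0.0.20 as the only pivot host, and the afternoon sign-on failure stays uncorrelated; shrinking the window to one minute breaks the chain apart, which is a useful reminder that the window is a tuning decision, not a constant.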

This is why each critical system and device in the enterprise should escalate security events to a centralized server managed by a SIEM tool. Many SIEM tools provide a syslog server to consolidate events from various systems (Windows, Unix, Linux) and devices (routers, switches, firewalls). This syslog method of collecting log information has become the de facto standard in the industry. In fact, many vendors, including ArcSight, Symantec, TriGeo, LogRhythm, LogLogic, and Kiwi, offer a syslog-based interface to gather event information from various sources.

From a System i point of view, it is vital that important security events be pushed to a syslog server in real time and become part of the bigger picture of enterprise security information. PowerTech’s Interact lets you escalate security-related events from the System i to a syslog server. You can even filter these events by user, IP address, day, and time, and assign them a criticality value to control the amount of data sent to the server.

You can use Interact to:

  • Send events from the System i security audit journal (QAUDJRN). These events include changes to user profiles and system values; invalid login attempts; objects that are changed, deleted, moved; intrusions detected, and more.
  • Capture and send critical operating system messages from QSYSOPR or QSYSMSG by monitoring for critical events such as Critical storage threshold reached or Profile disabled due to invalid logins.
  • Include all allowed and rejected transactions from PowerTech Network Security to monitor network access to the server through FTP, ODBC, and Remote Command.
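An added example (not Interact’s code: the event field names and filter rules are this example’s own, and the events are constructed) showing the two steps behind that list: selecting events by criticality, user, IP address, day and time, and emitting each survivor as a BSD syslog line (RFC 3164), where the priority value is facility × 8 + severity and the timestamp is the “Mmm dd hh:mm:ss” form that syslog collectors expect.

```python
"""Filtering IBM i security events and forwarding them as syslog messages.

Added example, not PowerTech Interact code. The events, user names,
addresses and filter rules are constructed sample data, and the event
field names are this example's own, not the product's.
"""
from datetime import datetime
from typing import Dict, Iterable, List

# Syslog severity codes (RFC 3164) for each criticality label used here.
SEVERITY = {"critical": 2, "error": 3, "warning": 4, "notice": 5, "info": 6}
FACILITY_AUTH = 4  # security/authorization messages

# Constructed events: one from each feed the article lists (QAUDJRN, QSYSOPR
# messages, Network Security), plus a routine allowed ODBC transaction.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2010-08-03T10:09:12", "feed": "QAUDJRN", "user": "QSECOFR",
     "ip": "10.0.0.20", "criticality": "critical",
     "text": "PW invalid password for QSECOFR via TELNET"},
    {"ts": "2010-08-03T10:09:40", "feed": "QSYSOPR", "user": "QSECOFR",
     "ip": "", "criticality": "error",
     "text": "Profile disabled due to invalid logins"},
    {"ts": "2010-08-03T10:08:05", "feed": "NETWORK-SECURITY", "user": "QSECOFR",
     "ip": "10.0.0.20", "criticality": "warning",
     "text": "FTP remote command rejected"},
    {"ts": "2010-08-03T02:00:00", "feed": "NETWORK-SECURITY", "user": "BATCHUSR",
     "ip": "10.0.0.30", "criticality": "info",
     "text": "ODBC transaction allowed"},
]


def should_forward(ev: Dict[str, str], min_criticality: str = "warning",
                   ignore_users: Iterable[str] = (), ignore_ips: Iterable[str] = (),
                   quiet_hours: range = range(0), quiet_days: Iterable[int] = ()) -> bool:
    """Decide whether an event leaves the system.

    quiet_hours / quiet_days (weekday numbers) suppress events from a scheduled
    window such as a nightly batch run, but critical events are always sent.
    """
    sev = SEVERITY[ev["criticality"]]
    if sev > SEVERITY[min_criticality]:          # lower syslog code = more severe
        return False
    if ev["user"] in set(ignore_users) or ev["ip"] in set(ignore_ips):
        return False
    when = datetime.fromisoformat(ev["ts"])
    in_quiet = when.hour in quiet_hours or when.weekday() in set(quiet_days)
    return not in_quiet or sev <= SEVERITY["critical"]


def to_syslog(ev: Dict[str, str], host: str, facility: int = FACILITY_AUTH) -> str:
    """Render one event as a BSD syslog line: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = facility * 8 + SEVERITY[ev["criticality"]]     # RFC 3164 priority value
    when = datetime.fromisoformat(ev["ts"])
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # e.g. "Aug  3 10:09:12"
    origin = f" from {ev['ip']}" if ev["ip"] else ""
    return f"<{pri}>{stamp} {host} {ev['feed']}: user={ev['user']}{origin} {ev['text']}"


def forward(events: List[Dict[str, str]], host: str = "SYSTEMI1", **filters) -> List[str]:
    """Apply the filter and format everything that passes, oldest first."""
    kept = [ev for ev in events if should_forward(ev, **filters)]
    return [to_syslog(ev, host) for ev in sorted(kept, key=lambda e: e["ts"])]


if __name__ == "__main__":
    for line in forward(SAMPLE_EVENTS, ignore_users=["BATCHUSR"], quiet_hours=range(1, 5)):
        print(line)
```

The filter drops low-criticality noise before it reaches the wire, which is the volume control the article mentions, while the quiet-window rule deliberately refuses to suppress critical events: a disabled QSECOFR at 02:00 is exactly the event you do not want filtered out by a batch-hours rule.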

It’s time for the System i to become part of the enterprise view, rather than an island of security information. Interact is the solution that helps the System i become part of the big picture!

Oshan Indika has over 12 years of IT experience in enterprise infrastructure management, including system administration on a variety of platforms (System i [AS/400], Windows, UNIX, Linux, and Solaris), LAN/WAN network administration (frame relay), and security firewalls.

He is a Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA). Previously, he held CCNA and MCP certifications in network and systems management.

Oshan works as a Technical Consultant for Help/Systems International in the Asia-Pacific office.

Back to (Security) School

Posted in Security on August 3rd, 2010 by bob.balderson

By Robin Tatam

Like the countless thunderstorms that have rocked the Midwest this year, the summer months are rolling over us quickly. It’s hard to believe that it’s already time to start thinking about new backpacks and pencil cases for the kids. So, to help get you in a “back to school” frame of mind, PowerTech cordially invites you to join us for some educational opportunities over the next few months. Our wide selection of eTraining courses, security workshops, and other online resources are designed to accommodate your budget and your schedule, and to make your job easier.

PowerTech Solution eTraining

We are pleased to announce that we are expanding our eTraining portfolio. If you don’t need an on-site trainer at your location, sign up for one of our popular online classes. Most courses are a manageable one-hour session (Authority Broker is two hours) and are presented using WebEx at 10 a.m. CT on the dates shown below.

  • Authority Broker (September 2)
  • Network Security – The Basics (September 23)
  • Network Security – Advanced, Part 1 (September 28)
  • Network Security – Advanced, Part 2 (September 30)

HOT TIP! Registration is required. The seats fill fast, so reserve yours today!

Security Workshops

Readers of my weekly blog know that my half-day security workshops were popular events this past spring. So, we’re offering them again this fall with a new selection of cities. We’re currently reviewing facilities for the following locations and dates:

  • Dallas, TX (Sept.)
  • Atlanta, GA (Sept.)
  • Las Vegas, NV (Nov.)
  • Boston, MA (Dec.)

We’ll post an up-to-date workshop schedule at www.powertech.com when it’s available.

i5/OS Security Training

If you’re interested in learning more about the controls you already own with IBM i, I strongly recommend this course. Offered in five one-hour sessions, it’s an excellent prerequisite for security officers, system administrators, and programmers who need to learn—or simply brush up on—IBM i security topics.

A sample of the topics covered:

  • View IBM i security components
  • Manage user and group profiles
  • Manage authorization lists
  • Work with system values that affect security
  • Understand IBM i object security
  • Understand Integrated File System (IFS) security

The next course is scheduled at 1 p.m. (CT) on September 14, 16, 20, 22, and 24.

Find additional details and enrollment information online.

Other online resources

Compliance Guide

Designed as a resource for auditors and security officers, the PowerTech Compliance Guide is a comprehensive online handbook to establishing Best Practices security and regulatory compliance.

Webinars

PowerTech’s popular free one-hour Webinars are offered several times a month with topics such as Managing Powerful Users, Assessing Your System in 15 Minutes, and Configuring IBM i Auditing. Visit www.powertech.com for the upcoming Webinar schedule and for previously recorded content.

Security Blog

If you want to see photos and keep tabs on my travels around the world, as well as read about items of interest on IBM i security, point your browser to www.powertech.com/blog.

Twitter Feed

If you are a twitterer, follow our security event feed at www.twitter.com/powertechgroup. You’ll receive notice of blog postings, upcoming Webinars and Workshops, and current event items pertinent to security and IBM i.

PowerNews

We publish our electronic newsletter monthly as a great way to stay in touch with PowerTech. Feature articles, product tips and techniques, and information on currently shipping product versions make it a must-read.

Articles and White Papers

When it comes to IBM i security, trust PowerTech as your first-line resource. Visit us online for access to informative articles and white papers, such as the popular State of IBM i Security study—a unique annual analysis of the security configuration of more than 200 IBM i systems. And, if you don’t have a security policy, we even offer an open‑source document to help you get started.