Keep An Audit Eye On Your System Values!
Robin Tatam
Hopefully, you reviewed and configured your System i server’s system values as part of your security procedures. If not, you should take the time to familiarize yourself with these values to understand how they impact security. With each new release of the operating system, IBM adds more system values (information about how to use these values is available in the Memo To Users and at the online Information Center). And, once these values are set, you must ensure they stay that way. But, manually comparing values is both labor intensive and error prone—there are better approaches.
IBM Lock Down
Starting with V5R2 of the operating system, IBM offered the ability to lock selected system values using System Service Tools (SST). This lock down prevents even the most powerful users from making changes. However, many people won’t use this feature because they aren’t comfortable with the SST interface and they are afraid they won’t be able to unlock these values later.
Compliance Monitor, the leading IBM i audit forensics and report solution from PowerTech, offers two ways to help with this process:
Event Monitoring
If you are auditing *SECURITY events in the audit journal, modifying any system value causes an SV event to be written. Compliance Monitor can report the details of those events, including information about the value change and the user that initiated the change. And, if a value is changed and then returned to its original value, Compliance Monitor registers two separate change events.
Scorecard Analysis
Compliance Monitor’s System Scorecard (see Figure 1) provides a rapid, point-in-time compliance check of key system values against policy. System values are graded using a weighted scale that you can specify to create an overall compliance rating. You can use its Best Practices policy to determine whether a system is well configured and its Policy Editor to customize the policy for special requirements. Compliance Monitor performs its analysis and presents an easy-to-read dashboard report that you can use to prove compliance to auditors, or to highlight policy discrepancies that need to be fixed.
Figure 1: A Sample System Value Scorecard
Compliance Monitor’s unique architecture lets you apply a centralized policy to any number of end point reporting systems, or each end point can have a custom policy. For example, all production partitions could use one central policy, while each Development and Test partition has their own policy. And, international organizations can use different policies based on each country’s requirements and regulations.
Figure 2: Compliance Monitor’s Integrated Policy Editor
You can define system value requirements with flexibility. After you select the system value you want to review (Figure 3), you can specify whether a certain setting is allowed, disallowed, or required. Then, you can define both a severity and the penalty to assess during the analysis if the value becomes non-compliant. Finally, if a system value should not be included in the review, you can select Allow any value and the attribute settings are ignored.
Figure 3: Policy Settings for the QSECURITY System Value
You can export and import policies between systems for easy administration. And, the policy editor lets you access normal system values and other attributes, such as whether changes are allowed to security system values.
Real-time Alerting
If you want to be notified when a system value is modified, you can use PowerTech Interact for real-time alerts of activities, including QAUDJRN events. With Interact, you can communicate with enterprise monitoring solutions, and escalate events to cell phones or using e-mail with powerful tools like Robot/CONSOLE and Robot/ALERT.
Working Together
To keep your system secure and compliant, you need to work with IBM i security controls to set your system values properly and ensure they remain in compliance. PowerTech’s Compliance Monitor and Interact bring together event monitoring, scorecard analysis, and real-time alerts for a complete security compliance solution.