IBM Support

Security: Object Auditing

Troubleshooting


Problem

This document describes how to set up and use object auditing.

Resolving The Problem

The Case of the Secret Data: A Security Auditing of an Object Example

I was cleaning my keyboard in the Security office at Karnath, Inc, when The Boss came in. "Someone may be looking at the Secret Data file. I've heard rumors that Raugost Corp. may be working on something similar to what we're doing, and I'm afraid they may be getting information from us! Who is doing it? How can we find out?"

"I'll get right on it, Boss," I answered.

First I checked who was authorized to the file:

DSPOBJAUT RESEARCH/SECRETDATA

Only the people who should be authorized were authorized. *PUBLIC was *EXCLUDE. If it was one of them, then we were in trouble anyway. So I decided to work on the theory that someone else was getting in somehow.

"This looks like a job for Object Auditing!" I exclaimed.

First, I set the auditing system value to allow object auditing:

WRKSYSVAL QAUDCTL

I took Option 2 and added *OBJAUD:

                              Change System Value

System value . . . . . :   QAUDCTL
Description  . . . . . :   Auditing control

Type choices, press Enter.

Auditing
control

*AUDLVL
*OBJAUD

F3=Exit   F5=Refresh   F12=Cancel

Then I turned on object auditing on the file:

CHGOBJAUD OBJ(RESEARCH/SECRETDATA) OBJTYPE(*FILE) OBJAUD(*ALL)

Then I waited.

At the end of the day, I checked to see what sort of access we had on the file. I checked my Security Reference manual, Chapter 9, to see what type of record I should be looking at. In Table 9-2, Security Auditing Journal Entries, I saw that a ZR entry is generated whenever an object being audited is read.

CPYAUDJRNE ENTTYP(ZR) OUTFILE(QGPL/QAUDIT)

This command creates a file named QAUDITZR in the QGPL library; change the destination library on the command if needed.

I started Query and looked at the records.

                                            Display Report
Query . . . :   XZS2039/ZRQRY                                     Report width . . . . . :      96
Position to line  . . . . .                                       Shift to column  . . . . . . ___
Line   ....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+....8....+....9....+.
       JOB         JOB          JOB      PROGRAM     USER        ENTRY  OBJECT      LIBRARY     ACCESS
       NAME        USER         NUMBER   NAME        PROFILE     TYPE   NAME        NAME        TYPE
000001 QPADEV0101  BOSS        369,422   QCMD        BOSS          R    SECRETDATA  XZS2039         30
000002 QPADEV0101  DARKLORD    369,427   QCMD        DARKLORD      R    SECRETDATA  XZS2039         30
000003 QPADEV0123  OLOGHAI     370,346   CALLCMD     OLOGHAI       R    SECRETDATA  XZS2039         30
000004 QPADEV0006  GOBLIN4     370,352   QCMD        BOSS          R    SECRETDATA  XZS2039         30
000005 QTFTP02201  QTCP        370,301   QTMFSRVR    BOSS          R    SECRETDATA  XZS2039         30
****** ********  End of report  ********
                                                                                                       Bottom
F3=Exit      F12=Cancel      F19=Left      F20=Right      F21=Split      F22=Width 80

We caught them! The first two entries were okay. The DarkLord is in charge of the program and has explicit authorization to the file. The Boss has *ALLOBJ special authority. I checked with him, and he was reviewing the project reports that are in a member of the file. The third access today was by user OLOGHAI using program CALLCMD. A little research found CALLCMD in library QGPL. I used RTVCLSRC and found it was just a call to system program QCMD. The problem was that the program was owned by user profile BOSS, and displaying the program showed that program attribute User Profile was set to *OWNER. Therefore, whoever ran the program had a command line and *ALLOBJ authority.

Entry 4 shows that job 370352/GOBLIN4/QPADEV0006 accessed it somehow. The program was QCMD, so no help there. One unusual thing is the USER PROFILE. It is BOSS. That tells me that while the job was running, it switched to user profile BOSS. The Get Profile Handle (QSYGETPH) API and Set Profile (QWTSETP) API would do this. To use these APIs, you must know the user profile's password. So, however Goblin4 did it, he needed the BOSS' password, and access to the BOSS' terminal.

Entry 5 shows that someone used File Transfer Protocol (FTP) to access the file. The user ID given was BOSS, so my guess is that however Goblin4 got the BOSS' password, he gave it to someone else or used it himself to download the data to some other computer using FTP. I did check with the Boss, and he denies knowing how to use FTP.

Some further investigation showed that the Boss was not very careful with his password. He gave it to Goblin4 when he asked him for some help on his terminal. He did not think to change the password afterward. Also, a little observation showed he frequently left his office open with the terminal logged on. That was probably how OLOGHAI changed the ownership of his CALLCMD program. The program was deleted.

Changing the Boss' password and behavior stopped the illegal access to the file.

The Boss, however, was transferred to the offices in Dis, and will not be giving anyone a chance to access secret files again. Goblin4 and OlogHai are no longer with the company.

Case closed.

Appendix: The Query

During the course of the case, I created the file QAUDITZR, put the security journal records into it, and ran a query on it. For people unfamiliar with Query, here are the steps I used to create the report above. First, get to the Query menu.

STRQRY

Select Option 1, Work with queries. This brings up the Work with Queries screen. Select Option 1, Create, and give the query a name such as ZRQRY. The screen will look like this:

                              Work with Queries

Type choices, press Enter.

  Option  . . . . . .   1              1=Create, 2=Change, 3=Copy, 4=Delete
                                       5=Display, 6=Print definition
                                       8=Run in batch, 9=Run
  Query . . . . . . .   ZRQRY          Name, F4 for list
    Library . . . . .   XZS2039        Name, *LIBL, F4 for list

After pressing Enter, you are shown the Define the Query screen. The only parts of the query we need for this are Specify file selections and Select and sequence fields. Type 1 next to them in the Opt column.

                              Define the Query

Query . . . . . . :   ZRQRY             Option  . . . . . :   CREATE
  Library . . . . :     XZS2039         CCSID . . . . . . :      37

Type options, press Enter.  Press F21 to select all.
  1=Select

Opt    Query Definition Option

 1     Specify file selections
       Define result fields
 1     Select and sequence fields
       Select records
       Select sort fields
       Select collating sequence
       Specify report column formatting
       Select report summary functions
       Define report breaks
       Select output type and output form
       Specify processing options

When you press Enter, you are presented with the Specify File Selections screen. Put the file name QAUDITZR in the File field and change the library if you need to. Press Enter, and the Format field is filled in.

                          Specify File Selections

Type choices, press Enter.  Press F9 to specify an additional
  file selection.

  File . . . . . . . . .   QAUDITZR       Name, F4 for list
    Library  . . . . . .     QGPL         Name, *LIBL, F4 for list
  Member . . . . . . . .   *FIRST         Name, *FIRST, F4 for list
  Format . . . . . . . .   QASYZRJE       Name, *FIRST, F4 for list

Press Enter, and the Select and Sequence Fields screen is shown. These are the fields described in Appendix F of the Security Reference manual. Type a number next to the fields in the order you want them presented. After you press Enter, the fields you selected are moved to the top of the list in the order you selected them. The fields I selected are shown here. This is not to say that all these fields are needed or that other fields might not be useful (in particular, the date and time of access might be important). However, as the report above shows, the User of Job and User profile name fields are not redundant: they differ when a job has switched to another user profile.

                          Select and Sequence Fields

Type sequence number (0-9999) for the names of up to 500 fields to
  appear in the report, press Enter.

Seq   Field             Text                                          Len  Dec
  1   ZRJOB             Name of job                                    10
  2   ZRUSER            User of job                                    10
  3   ZRNBR             Number of job                                   6    0
  4   ZRPGM             Name of program                                10
  5   ZRUSPF            User profile name                              10
  6   ZRETYP            Type of entry                                   1
  7   ZRONAM            Name of object                                 10
  8   ZRACTP            Type of access                                  5    0
      ZRENTL            Length of entry                                 5    0
      ZRSEQN            Sequence number                                10    0
      ZRCODE            Journal code                                    1
      ZRENTT            Entry type                                      2

                                                                      More...
F3=Exit          F5=Report         F11=Display names only    F12=Cancel
F13=Layout       F20=Renumber      F21=Select all            F24=More keys
Press Enter to confirm.

After you have selected your fields and pressed Enter, you are back at the Define the Query screen. You may run your query now (interactively) by pressing PF5. If you do not like the way the query looks, or need some other fields, you can change it as often as you like. When you have the query looking the way you want, press PF3 to exit.

You are shown the Exit This Query screen. You can save your query, set the query name, and run the query interactively or in batch from this screen.

When you run the query again, refresh the data first using the DSPJRN command; otherwise you get the same report again. To re-run the query, at the Work with Queries screen where you defined the query, select Option 9 to run the query interactively or Option 8 to submit a batch job (which puts the report in a spool file). The query name must be entered on this screen for these options to work.

Here is an example of the parameters for running the query interactively:

                              Work with Queries

Type choices, press Enter.

  Option  . . . . . .   9              1=Create, 2=Change, 3=Copy, 4=Delete
                                       5=Display, 6=Print definition
                                       8=Run in batch, 9=Run
  Query . . . . . . .   ZRQRY          Name, F4 for list
    Library . . . . .   XZS2039        Name, *LIBL, F4 for list

F3=Exit       F4=Prompt       F5=Refresh       F12=Cancel

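The same report as the Query definition above, written as Db2 for i SQL over the QAUDITZR outfile that CPYAUDJRNE created, with the three conditions that exposed entries 3, 4 and 5 in the case (a user program rather than QCMD, a job user that differs from the current user profile, and a read through the FTP server program QTMFSRVR) flagged in a computed column. This is an added example, not part of the original technote; it assumes the outfile QGPL/QAUDITZR exists, that the object under audit is SECRETDATA, and SQL naming (schema.table).

```sql
-- Added example (not from the original technote). Runs against the outfile
-- QGPL/QAUDITZR that CPYAUDJRNE ENTTYP(ZR) OUTFILE(QGPL/QAUDIT) creates
-- (record format QASYZRJE). Field names are the ZR-entry fields shown on
-- the Select and Sequence Fields screen. SQL naming (QGPL.QAUDITZR) assumed.

-- 1. Every read (ZRETYP = 'R') of SECRETDATA, ordered by job number, with a
--    FLAG column that reproduces the reasoning applied to the report by hand.
SELECT ZRJOB  AS JOB_NAME,
       ZRUSER AS JOB_USER,
       ZRNBR  AS JOB_NUMBER,
       ZRPGM  AS PGM_NAME,
       ZRUSPF AS USER_PROFILE,
       ZRONAM AS OBJECT_NAME,
       ZRACTP AS ACCESS_TYPE,
       CASE
         WHEN ZRPGM = 'QTMFSRVR' THEN 'FTP SERVER'    -- read came in through the FTP server job
         WHEN ZRUSER <> ZRUSPF   THEN 'PROFILE SWAP'  -- job is running under a different profile
         WHEN ZRPGM <> 'QCMD'    THEN 'CHECK PROGRAM' -- user program; look for USRPRF(*OWNER)
         ELSE ''
       END AS FLAG
  FROM QGPL.QAUDITZR
 WHERE ZRETYP = 'R'
   AND ZRONAM = 'SECRETDATA'
 ORDER BY ZRNBR;

-- 2. Who actually read the file: reads counted by the profile the job ran
--    under and the user that started the job. A swapped profile shows up as
--    a (USER_PROFILE, JOB_USER) pair with two different names.
SELECT ZRUSPF   AS USER_PROFILE,
       ZRUSER   AS JOB_USER,
       COUNT(*) AS READ_COUNT
  FROM QGPL.QAUDITZR
 WHERE ZRETYP = 'R'
   AND ZRONAM = 'SECRETDATA'
 GROUP BY ZRUSPF, ZRUSER
 ORDER BY READ_COUNT DESC;
```

Against the five entries in the report above, the first query flags entry 3 as CHECK PROGRAM, entry 4 as PROFILE SWAP and entry 5 as FTP SERVER, and the second query shows BOSS as the profile under which three different job users read the file.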

Historical Number

11475050

Document Information

Modified date:
17 September 2020

UID

nas8N1018413