Troubleshooting
Problem
This document describes how to set up and use object auditing.
Resolving The Problem
The Case of the Secret Data: A Security Auditing of an Object Example
I was cleaning my keyboard in the Security office at Karnath, Inc, when The Boss came in. "Someone may be looking at the Secret Data file. I've heard rumors that Raugost Corp. may be working on something similar to what we're doing, and I'm afraid they may be getting information from us! Who is doing it? How can we find out?"
"I'll get right on it, Boss," I answered.
First I checked who was authorized to the file:
DSPOBJAUT OBJ(RESEARCH/SECRETDATA) OBJTYPE(*FILE)
Only the people who should be authorized were authorized. *PUBLIC was *EXCLUDE. If it was one of them, then we were in trouble anyway. So I decided to work on the theory that someone else was getting in somehow.
"This looks like a job for Object Auditing!" I exclaimed.
First, I set the auditing system value to allow object auditing. (Audit entries are written to the QAUDJRN journal in QSYS, which must already exist; QAUDCTL controls which categories are recorded, and *OBJAUD is the one that turns on object-level auditing.)
WRKSYSVAL QAUDCTL
I took Option 2 and added *OBJAUD
                          Change System Value

System value . . . . . :   QAUDCTL
Description  . . . . . :   Auditing control

Type choices, press Enter.

  Auditing control  . . . . . . . .   *AUDLVL
                                      *OBJAUD

F3=Exit   F5=Refresh   F12=Cancel
Then I turned on object auditing on the file. OBJAUD(*ALL) records both reads (ZR entries) and changes (ZC entries) of the object; OBJAUD(*CHANGE) would record only changes, and OBJAUD(*USRPRF) defers to the OBJAUD setting of each user profile that accesses it.
CHGOBJAUD OBJ(RESEARCH/SECRETDATA) OBJTYPE(*FILE) OBJAUD(*ALL)
Then I waited.
At the end of the day, I checked to see what sort of access we had on the file. I checked my Security Reference Manual, Chapter 9 to see what type of record I should be looking at. In table 9-2, Security Auditing Journal Entries, I saw that ZR is generated whenever an object being audited is read.
CPYAUDJRNE ENTTYP(ZR) OUTFILE(QGPL/QAUDIT)
This command creates a file named QAUDITZR in the QGPL library (the entry type is appended to the OUTFILE name); change the destination library on the command if needed. By default only the currently attached journal receiver is read; JRNRCV(*CURCHAIN) covers the whole receiver chain, and FROMTIME/TOTIME narrow the window.
I started query and looked at the records.
                               Display Report
Query . . . :   XZS2039/ZRQRY                     Report width . . . . . :   96
Position to line . . . . .              Shift to column  . . . . . .   ___
Line   ....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+....8....+....9....+.
       JOB         JOB         JOB       PROGRAM     USER        ENTRY  OBJECT      LIBRARY   ACCESS
       NAME        USER        NUMBER    NAME        PROFILE     TYPE   NAME        NAME      TYPE
000001 QPADEV0101  BOSS        369,422   QCMD        BOSS        R      SECRETDATA  XZS2039   30
000002 QPADEV0101  DARKLORD    369,427   QCMD        DARKLORD    R      SECRETDATA  XZS2039   30
000003 QPADEV0123  OLOGHAI     370,346   CALLCMD     OLOGHAI     R      SECRETDATA  XZS2039   30
000004 QPADEV0006  GOBLIN4     370,352   QCMD        BOSS        R      SECRETDATA  XZS2039   30
000005 QTFTP02201  QTCP        370,301   QTMFSRVR    BOSS        R      SECRETDATA  XZS2039   30
****** ******** End of report ********
                                                                                        Bottom
F3=Exit   F12=Cancel   F19=Left   F20=Right   F21=Split   F22=Width 80
We caught them! The first two entries were okay. The DarkLord is in charge of the program and has explicit authorization to the file. The Boss has *ALLOBJ special authority. I checked with him, and he was reviewing the project reports that are in a member of the file. The third access today was by user OLOGHAI using program CALLCMD. A little research found CALLCMD in library QGPL. I used RTVCLSRC and found it was just a call to system program QCMD. The problem was that the program was owned by user profile BOSS, and displaying the program (DSPPGM) showed that the program attribute User profile was set to *OWNER. Therefore, whoever ran the program had a command line and *ALLOBJ authority. Note that adopted authority does not change the user profile of the job: the entry still shows OLOGHAI as both job user and user profile, so the only clue in the audit record is the unexpected program name. PRTADPOBJ USRPRF(BOSS) lists every object that adopts BOSS's authority and is the quick way to find such programs.
Entry 4 shows that job 370352/GOBLIN4/QPADEV0006 accessed it somehow. The program was QCMD, so no help there. The unusual thing is the USER PROFILE field: it is BOSS, while the job user is GOBLIN4. The job user is the profile the job was started under; the user profile is the one in effect at the time of the read. The difference tells me that while the job was running, it switched to user profile BOSS. The Get Profile Handle (QSYGETPH) API and Set Profile (QWTSETP) API would do this. To get a profile handle with QSYGETPH you normally must supply the profile's password (the *NOPWD special value is available only to a caller that already has *ALLOBJ and *SECADM special authority). So, however Goblin4 did it, he needed the BOSS' password, and access to the BOSS' terminal.
Entry 5 shows that someone used File Transfer Protocol (FTP) to access the file: the job is the FTP server job QTFTP02201, which runs under QTCP, and the program is the FTP server program QTMFSRVR, but the user profile in effect is BOSS, the user ID given at FTP logon. My guess is that however Goblin4 got the BOSS' password, he gave it to someone else or used it himself to download the data to some other computer using FTP. I did check with the Boss, and he denies knowing how to use FTP.
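The three patterns read off the report above (an unexpected program that may adopt authority, a job user that differs from the profile in effect, and a TCP/IP server job acting for a remote user) are easy to check mechanically once the ZR entries are in a file. The following is an added example, not code from the original page or from IBM; it parses the five report lines of the case (constructed here as text in the Query report's column order, not the fixed-width layout of the QAUDITZR outfile) and flags each entry. The AUTHORIZED and EXPECTED_PGMS sets are hypothetical policy standing in for what DSPOBJAUT showed; the server-job prefix table is an assumption limited to FTP.

```python
"""Triage of ZR (object read) audit-journal entries.

Added example, not part of the original page or of IBM's tooling. The sample
below is constructed from the five report lines shown in the case and uses the
column order of the printed Query report, not the fixed-width QAUDITZR outfile
that CPYAUDJRNE produces. AUTHORIZED and EXPECTED_PGMS are hypothetical policy.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample data (columns: line, job name, job user, job number,
# program, user profile, entry type, object, library, access type).
SAMPLE_REPORT = """\
000001 QPADEV0101 BOSS     369,422 QCMD     BOSS     R SECRETDATA XZS2039 30
000002 QPADEV0101 DARKLORD 369,427 QCMD     DARKLORD R SECRETDATA XZS2039 30
000003 QPADEV0123 OLOGHAI  370,346 CALLCMD  OLOGHAI  R SECRETDATA XZS2039 30
000004 QPADEV0006 GOBLIN4  370,352 QCMD     BOSS     R SECRETDATA XZS2039 30
000005 QTFTP02201 QTCP     370,301 QTMFSRVR BOSS     R SECRETDATA XZS2039 30
****** ******** End of report ********
"""

# Hypothetical policy: profiles with explicit authority to the file (what
# DSPOBJAUT showed) and the programs expected to open it interactively.
AUTHORIZED = {"BOSS", "DARKLORD"}
EXPECTED_PGMS = {"QCMD"}
# Assumption: IBM i TCP/IP server jobs start under QTCP and swap to the
# authenticated user, so for them the job user is uninformative.
SERVER_JOB_PREFIXES = {"QTFTP": "FTP"}


@dataclass(frozen=True)
class ZREntry:
    job: str
    user: str      # ZRUSER: profile the job was started under
    number: str
    pgm: str       # ZRPGM: program that performed the read
    profile: str   # ZRUSPF: profile in effect at the time of the read
    obj: str
    lib: str
    access: str

    @property
    def job_id(self) -> str:
        """Fully qualified job name, number/user/name, as IBM i prints it."""
        return f"{self.number.replace(',', '')}/{self.user}/{self.job}"


def parse_report(text: str) -> list[ZREntry]:
    """Parse the whitespace-separated report lines, skipping headers/footers."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 10 or not parts[0].isdigit():
            continue
        _, job, user, number, pgm, profile, _etype, obj, lib, access = parts
        entries.append(ZREntry(job, user, number, pgm, profile, obj, lib, access))
    return entries


def triage(e: ZREntry) -> list[str]:
    """Return the reasons an entry deserves a second look (empty = benign)."""
    findings = []
    service = next((s for p, s in SERVER_JOB_PREFIXES.items()
                    if e.job.startswith(p)), None)
    if service is not None:
        # Remote access: the credential presented at logon is what matters.
        findings.append(f"{service} download as {e.profile}")
        return findings
    if e.user != e.profile:
        # Adopted authority does NOT change this field; a difference means the
        # job itself swapped profiles (QSYGETPH/QWTSETP) after it started.
        findings.append(f"running as {e.profile}, but job user is {e.user}")
    if e.pgm not in EXPECTED_PGMS:
        # USRPRF(*OWNER) adoption hides in an unexpected program: check it
        # with DSPPGM, and the owner's adopters with PRTADPOBJ.
        findings.append(f"unexpected program {e.pgm}: check USRPRF(*OWNER)")
    if e.profile not in AUTHORIZED:
        # The read succeeded anyway, so the authority came from somewhere else.
        findings.append(f"{e.profile} has no explicit authority")
    return findings


def triage_report(text: str) -> dict[str, list[str]]:
    """Map each job (number/user/name) to its findings."""
    return {e.job_id: triage(e) for e in parse_report(text)}


if __name__ == "__main__":
    for job_id, findings in triage_report(SAMPLE_REPORT).items():
        print(f"{job_id:<32} {'; '.join(findings) or 'ok'}")
```

Run as a script it prints one line per job: the first two come out clean, OLOGHAI's job is flagged for the program and the missing authority, GOBLIN4's for the profile swap, and the FTP job as a download under BOSS. The same split between job user and profile in effect is why the appendix keeps both fields in the query.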
Some further investigation showed that the Boss was not very careful with his password. He gave it to Goblin4 when he asked him for some help on his terminal. He did not think to change the password afterward. Also, a little observation showed he frequently left his office open with the terminal logged on. That was probably how OLOGHAI changed the ownership of his CALLCMD program. The program was deleted.
Changing the Boss' password and behavior stopped the unauthorized access to the file.
The Boss, however, was transferred to the offices in Dis, and will not be giving anyone a chance to access secret files again. Goblin4 and OlogHai are no longer with the company.
Case closed.
Appendix: The Query
During the course of the case, I used CPYAUDJRNE to put the security journal records into the file QAUDITZR and ran a query on it. For people unfamiliar with Query, here are the steps I used to create the report above. First, get to the query menu.
STRQRY
Select Option 1, Work with queries. This brings up the Work with Queries screen. Select Option 1, Create, and give the query a name like ZRQRY. The screen will look like this:
                            Work with Queries

Type choices, press Enter.

  Option . . . . . .   1         1=Create, 2=Change, 3=Copy, 4=Delete
                                 5=Display, 6=Print definition
                                 8=Run in batch, 9=Run

  Query  . . . . . .   ZRQRY     Name, F4 for list
    Library  . . . .     XZS2039   Name, *LIBL, F4 for list
After pressing Enter, you are shown the Define the Query screen. The only parts of the query we need for this are Specify file selections and Select and sequence fields. Type 1 next to them in the option column.
                             Define the Query

Query . . . . . . :   ZRQRY             Option  . . . . . :   CREATE
  Library . . . . :     XZS2039         CCSID . . . . . . :   37

Type options, press Enter.  Press F21 to select all.
  1=Select

Opt   Query Definition Option
 1    Specify file selections
      Define result fields
 1    Select and sequence fields
      Select records
      Select sort fields
      Select collating sequence
      Specify report column formatting
      Select report summary functions
      Define report breaks
      Select output type and output form
      Specify processing options
When you press Enter, you are presented with the Specify File Selections screen. Put the file name QAUDITZR in the File field and change the library if you need to. Press Enter, and the Format field is filled in (QASYZRJE is the record format of the ZR outfile).
                          Specify File Selections

Type choices, press Enter.  Press F9 to specify an additional
  file selection.

  File  . . . . . . . . .   QAUDITZR   Name, F4 for list
    Library . . . . . . .     QGPL     Name, *LIBL, F4 for list
  Member  . . . . . . . .   *FIRST     Name, *FIRST, F4 for list
  Format  . . . . . . . .   QASYZRJE   Name, *FIRST, F4 for list
Press Enter, and the Select and Sequence Fields screen is shown. These are the fields described in Appendix F of the Security Reference manual. Type a number next to the fields in the order you want them presented. After you press Enter, the fields you selected are moved to the top of the list in the order you selected them. The fields I selected are shown here. This is not to say that all these fields are needed or that other fields might not be useful (in particular, the date and time of access might be important). However, as the case above shows, the User of job (ZRUSER) and User profile name (ZRUSPF) fields are not redundant: they differ whenever a job has switched profiles after it started.
                        Select and Sequence Fields

Type sequence number (0-9999) for the names of up to 500 fields to
appear in the report, press Enter.

Seq   Field      Text                    Len   Dec
1     ZRJOB      Name of job             10
2     ZRUSER     User of job             10
3     ZRNBR      Number of job           6     0
4     ZRPGM      Name of program         10
5     ZRUSPF     User profile name       10
6     ZRETYP     Type of entry           1
7     ZRONAM     Name of object          10
8     ZRACTP     Type of access          5     0
      ZRENTL     Length of entry         5     0
      ZRSEQN     Sequence number         10    0
      ZRCODE     Journal code            1
      ZRENTT     Entry type              2
                                                      More...
F3=Exit   F5=Report   F11=Display names only   F12=Cancel
F13=Layout   F20=Renumber   F21=Select all   F24=More keys
Press Enter to confirm.
After you have selected your fields and pressed Enter, you are back at the Define the Query screen. You may run your query now (interactively) by pressing F5. If you do not like the way the query looks, or need some other fields, you can change it as often as you like. When you have the query looking the way you want, press F3 to exit.
You are shown the Exit This Query screen. You can save your query, set the query name, and run the query interactively or in batch from this screen.
When you run the query again, the data must be refreshed first by running CPYAUDJRNE again (or DSPJRN with OUTPUT(*OUTFILE)) to pull the new journal entries into the file; otherwise you get the same report again. To re-run the query, at the Work with Queries screen where you defined the query, select Option 9 to run the query interactively or Option 8 to submit a batch job (which puts the report in a spooled file). The query name and library must be entered on this screen for these options to work.
Here is an example of the parameters for running the query interactively:
                            Work with Queries

Type choices, press Enter.

  Option . . . . . .   9         1=Create, 2=Change, 3=Copy, 4=Delete
                                 5=Display, 6=Print definition
                                 8=Run in batch, 9=Run

  Query  . . . . . .   ZRQRY     Name, F4 for list
    Library  . . . .     XZS2039   Name, *LIBL, F4 for list

F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel
Historical Number
11475050
Document Information
Modified date:
17 September 2020
UID
nas8N1018413