29
Fri, Nov
0 New Articles

Has My IBM i Been Breached?

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Carol provides tips for what to examine to help determine if your system’s been breached.

This discussion stems from a conversation I had with a friend who asked what information is available on IBM i to help an organization determine whether they had been breached. These tips are not meant to be a replacement for a formal breach investigation service. In fact, I highly recommend that you develop an incident response plan and consider putting an outside firm on retainer in the event you’re breached. The information I provide here needs to be a part of a larger plan but may be helpful in determining whether you need to call in outside resources for further analysis...or help you come to the conclusion that nothing happened.

What Does the Audit Journal Say?

As you read this discussion, you’ll find that what you’ve configured for auditing and how long you’re keeping your audit journal receivers are key to how completely you can perform an investigation. For example, the first thing you’ll need to do is establish a timeframe for your investigation. If you’ve been told that your data has appeared on the dark web, the timeframe of your investigation may need to be vast…as in weeks or months. If that happened to you, how far back could you go to perform analysis? In other words, taking into consideration what you have in long-term storage, how far back could you investigate? If it’s only two weeks, that’s likely not long enough to perform this type of an investigation. Contrast that with an investigation of activity that occurred while a firewall was down, leaving your network open to direct access for a few hours. Hopefully, you would be alerted to this situation quickly, such that you may have the audit journal receivers on your system and not have to pull back any from storage.

Once you’ve established the time frame and restored any audit journal receivers required to support that time frame, you can start looking around. The first thing you want to establish is whether there were any changes to what was being audited. I would look for changes prior to the time frame you’re investigating. For an investigation that spans several months, you may want to pull the SV (system value) audit journal entries, looking for changes to the QAUDCTL and QAUDLVL system values for at least a month prior. For an investigation spanning a few hours, it may be sufficient to look for changes 24–48 hours prior to the start of the time frame. Continue to look for changes throughout the time frame being investigated. Why look for changes to these two system values? To determine if auditing was turned off for a period of time and/or actions weren’t being audited. In other words, you need be able to know that you have a contiguous and full set of audit journal entries.

If you have *JOBDTA or *JOBBAS specified in QAUDLVL, the first set of audit entries I’ll look at are the JS entries. *JOBDTA or the subset, *JOBBAS, logs the start, stop, release, and hold of every job on the system. The volume of entries this value generates on busy systems causes many organizations to leave this value out of QAUDLVL, but this information is invaluable when looking for inappropriate activity. With the information in the JS entry, you can determine if there were any connections originating from IP addresses that you don’t recognize (such as connections coming from external IP addresses when the only connections should be internal IP addresses) or processes started using profiles you don’t expect (such as FTP transfers running with a service account created for ODBC connections).

The next audit journal entries I look at are the PW (password) entries. The first set I examine are the PW subtype P entries. These are attempts to authenticate with an incorrect password. Note that this is not just users attempting to sign on to a green-screen. Attempts to log into any interface (FTP, ODBC, SSH, etc.) as well as attempts to sign on to the traditional signon display are logged. I look at these entries to determine if someone is trying to access the system using the well-known QSECOFR, QPGMR, QUSER, etc. system-provided user profiles, I also check for a more systematic attack, looking for several attempts to find a valid user ID/password combination but stopping short of disabling the profile. (If the attacker had found a valid combination, they would have been logged in, which would have resulted in a JS entry.) Finally, I look for PW U entries. These entries are attempts to sign on with an incorrect user profile name. While looking at these entries, you’ll get your share of people who have simply mistyped their profile name or typed their password into the User field, but you’ll also see if someone has tried to attack your system using an automated bot. You’ll likely see authentication attempts to use the profile name of ROOT or ADMIN (the equivalent of QSECOFR in UNIX/Linux and Windows, respectively) and attempts to authenticate via the FTP or SSH (Secure Shell Daemon). You can also see if someone has systematically attempted to find valid user names. Side note: If you have a SIEM, I think it’s important to send all PW entries to that device. Unless someone is targeting a specific IBM i partition, it’s likely that attacks will hit many systems across your organization. Detecting that this activity is occurring on multiple systems and types of operating systems may allow your organization to more quickly spot an attack.

Another feature that may help you detect a widespread event is called Intrusion Detection and is enabled by specifying *ATNEVT in the QAUDLVL system value. This feature detects attacks at the IP stack level. While you can be alerted to these entries via email or message, you can also send the corresponding IM audit entries to your SIEM to assist in detecting widespread attacks. More information on Intrusion Detection on IBM i can be found in the IBM i Information Center: https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzaub/rzaubpdf.pdf?view=kc

What Do You Do If You Detect What You Feel Is Inappropriate Access?

If you see evidence that someone has gained access to your environment, the next step is to attempt to determine what actions were taken. If object auditing has been enabled on your objects and, in particular, on your database files, you can pull the ZC audit entries and correlate the dates, times, and profiles discovered previously with the updates to objects. Unfortunately, many organizations haven’t configured the object auditing to include the reads of objects, but if you have, you can examine the ZR entries as well. Another place to look for activity, especially if you have no object auditing enabled, is in the database journals. Again, most organizations don’t log the reads of records, so you may only have evidence of records that were updated or deleted during the timeframe you’re investigating.

You may also want to look at the DO (deletion of objects), CO (creation of objects), and OM (object moves or renames) as well as the CP (creation of and changes to user profiles) audit journal entries. The challenge in looking at all of these audit entries will be to separate normal activity from abnormal.

Last but certainly not least is to examine the logs of your exit point software. Unless the attacker is an insider, it’s unlikely that someone is going to save a database file directly from IBM i and walk away with the media. So how do you determine what information was read and removed from (or uploaded to) your system? This is where exit point software provides a valuable piece of the puzzle you’re assembling. For each exit point that has a program registered and for which logging is enabled, you can review the transactions that occurred during the timeframe you’re investigating, narrowing down your search using the information previously gathered from the audit journal. Depending on what you’re logging, you should be able to see which files were downloaded or uploaded. The information provided in these logs is invaluable during this type of investigation because it fills in the gaps left by the audit journal. For example, as noted above, most organizations don’t have the reads of objects configured, so an exit program log will show when a file was downloaded, which protocol was used, the profile that authenticated, and the originating IP address. Even if object auditing is enabled, you’d see in the ZR entry that the file was read using ODBC but you wouldn’t have the exact SQL used.

What Do You Have Available if You Don’t Have Auditing Enabled or Exit Point Software?

The history log (QHST) is available if you have nothing else, but that will only provide successful connections, and depending on the connection type, you may or may not get the IP address. While QHST lists attempts to use an incorrect password, it doesn’t log attempts using an incorrect user name. In other words, you may get a peek into inappropriate activity, but there’s no way to get the full picture by only analyzing the history log.

What If You Find an Active Connection?

If you find a connection to your system that you determine is not appropriate, your first reaction may be to terminate that connection immediately. But is that really the right thing to do? It’s one thing to find past activity; it’s another to discover it’s currently happening. If you find an active connection, your incident response team must make the call as to whether the connection is immediately terminated. They may want to try to determine the origin of the connection and/or work with law enforcement to discover who’s behind the attack. Immediately terminating the connection may ruin that opportunity. You absolutely cannot make this decision by yourself nor should you be making any sort of configuration changes during the investigation that could tip off the intruder or jeopardize evidence preservation. This underscores the need to do “tabletop” exercises that allow you to go through different scenarios of an attack so that the incident response team is aware of the types of actions that are appropriate for each scenario and you know exactly what steps to take should you find an active connection.

Summary

This discussion was not meant to be an exhaustive list of everything that can be examined on IBM i during an investigation. My goals with this article were to get you to start thinking about what information you would have available in your environment should you be called upon to do an investigation and to make sure you’ve got an incident response plan in place that includes IBM i. After reading this article and analyzing your current IBM i configuration, you may decide to enable more auditing, or send audit information to your SIEM, or purchase an exit point solution, simply to have more activity logged even if you don’t want to ever add rules to restrict access. If the configuration of your IBM i is lacking—in other words, you wouldn’t have sufficient information to do an investigation—I encourage you to act now since it’s (obviously) too late once an event occurs!

Carol Woodbury

 

Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.


MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

IBM i Security Administration and Compliance: Third Edition
Don't miss the newest edition by the industry’s #1 IBM i security expert.
List Price $71.95

Now On Sale

Mastering IBM i Security Mastering IBM i Security
Get the must-have guide by the industry’s #1 security authority.
List Price $49.95

Now On Sale

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: