iSecurity Audit Training

iSecurity Products Overview - by product name (product-map diagram; the stage numbers 1-8 of the original graphic are not recoverable)
• Auditing: Audit, Action, Capture, Change Tracker, System Control, User Profile Replication, System Value Replication, Central Admin
• Evaluation: PCI, HIPAA, SOX or Security Breach or Management Decision
• Protection: Firewall, Authority on Demand, Anti-Virus, Command, Screen, Password, Native Object Security
• Compliance: Compliance Evaluator, Visualizer BI, Syslog/SNMP for SIEM
• Assessment
• Databases: DB-Gate, Application Auditing, View, FileScope
Audit Features
• At-a-glance, user-friendly display of QAUDJRN activity covering all audit types
• Reduces disk space by filtering system audit data, leaving only requested data
• Easy definition of audit-related security rules
• Query Wizard enables creating queries quickly without programming
• Various report formats include e-mail/HTML/PDF/CSV
• Powerful Report Generator includes over 250 predefined reports
• Ready-made reports suited to SOX
• Enables selecting, sorting and filtering fields in reports
• Advanced scheduler runs reports at specified times, e-mailing results to your desktop
• Real-time initiation of responses to potential threats and security violations
What is Audited
• User Activity: when you want to focus on a particular user or group
• Object Access: for critical objects
• System Security Audit Journal
• Real Time Detection: send alerts etc. (in combination with Action); populates the iSecurity Audit Log
iSecurity Reports and Queries (report-flow diagram)
• Query sources: individual product's user-defined queries; Firewall & Audit built-in queries; Report Generator and Scheduler
• Execution: run a query over a single system or multiple systems
• Output targets: IFS storage; display on green screen or GUI workstation; spool file; native DB files
• Viewing and export: FileScope SHWFC or native DB viewers; view as GUI table; view in GUI and e-mail PDF, HTML, CSV attachments; print or export as Excel, CSV, HTML, PDF, ODF
iSecurity Audit: Information Sources (data-flow diagram)
• OS/400 objects: users, authorities, objects, scheduled jobs, etc.
• QAUDJRN and its i5/OS journal receivers
• Current activity: active jobs, system status, shared pools, message queues (QSYSOPR or any other message queue)
• Audit filtered data feeds: the Audit log; alerts via Action; SIEM support (Syslog, SNMP); Report Generator & Visualizer output to screen, GUI, PDF, HTML (by e-mail)
Audit QAUDJRN Flow Diagram (QAUDJRN is the security audit log of OS/400)
• i5/OS writes audit entries to QAUDJRN and its receivers; Audit copies the selected entries into the Audit files
• Alerts: e-mail, MSGQ, SMS, CL script (with parameters), call programs, CHGUSRPRF *DISABLED
• Visualizer: data warehouse, business intelligence
• Report Scheduler: screen, print, HTML, PDF, CSV, OutFile, Excel via GUI
• Auto Maintenance of the Audit files
Setting up Audit
• Determine which events are to be audited by i5/OS
• Determine which of these events are to be monitored and reported upon by AUDIT ("Real Time Auditing")
• Real-time detection must be activated on your system in order to enable triggering actions and posting events in the Audit history log. It is recommended that you allow OS/400 to activate real-time detection automatically at IPL.
• Determine which Users are to be audited
• Determine which Objects are to be audited
Audit Journal Entries
• Defined in System Values (DSPSECAUD displays the current values)
• QAUDCTL – determines at a high level whether i5/OS auditing is active:
  – *AUDLVL: audit the detailed event types listed in QAUDLVL (and per-user AUDLVL)
  – *OBJAUD: object auditing is active for objects that carry an audit value
  – *NOQTEMP: do not audit objects in QTEMP
• QAUDLVL & QAUDLVL2 – the list of event types to audit
Audit Journal Entries
• CHGOBJAUD – auditing of a specific OS/400 object
• CHGAUD – auditing at object level using a path (IFS objects)
• CHGDLOAUD – auditing of Document Library Objects
• CHGUSRAUD – auditing at user level
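The native IBM i commands behind the "Setting up Audit" steps, as an added worked example that is not part of the training deck and not iSecurity's own code: enable system-level auditing, then attach object-, IFS-, DLO- and user-level auditing, then verify. Library, object, folder, path and profile names (PAYLIB, PAYFILE, PAYFLR, /home/payapp, JSMITH) are assumed placeholders.

```cl
/* Added example, not from the iSecurity training deck. Names PAYLIB,       */
/* PAYFILE, PAYFLR, /home/payapp and JSMITH are assumed placeholders.       */

/* 1. Inspect the current state of system-level auditing: QAUDCTL, QAUDLVL, */
/*    and whether QSYS/QAUDJRN and its receiver exist.                      */
DSPSECAUD

/* 2. Turn auditing on. CHGSECAUD creates QSYS/QAUDJRN and a receiver if    */
/*    they are missing. *AUDLVL enables the event categories in QAUDLVL,    */
/*    *OBJAUD enables object auditing for objects that carry an OBJAUD      */
/*    value, *NOQTEMP suppresses entries for objects in QTEMP.              */
CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) +
          QAUDLVL(*AUTFAIL *SECURITY *SAVRST *SERVICE)

/* 3. Object auditing: a critical database file, an IFS directory subtree,   */
/*    and a folder of document library objects. *CHANGE logs modifications  */
/*    and deletions; *ALL logs reads as well.                               */
CHGOBJAUD OBJ(PAYLIB/PAYFILE) OBJTYPE(*FILE) OBJAUD(*ALL)
CHGAUD    OBJ('/home/payapp') OBJAUD(*CHANGE) SUBTREE(*ALL)
CHGDLOAUD DLO(*ALL) FLR(PAYFLR) OBJAUD(*CHANGE)

/* 4. User auditing for one powerful profile: log the commands it runs,     */
/*    the objects it deletes and its save/restore activity. The user's      */
/*    AUDLVL only produces entries while QAUDCTL contains *AUDLVL; the      */
/*    user's OBJAUD applies to objects whose own value is *USRPRF.          */
CHGUSRAUD USRPRF(JSMITH) OBJAUD(*CHANGE) AUDLVL(*CMD *DELETE *SAVRST)

/* 5. Verify that the settings took effect: DSPOBJD DETAIL(*FULL) shows the */
/*    object auditing value, DSPUSRPRF shows the profile's OBJAUD/AUDLVL.   */
DSPOBJD   OBJ(PAYLIB/PAYFILE) OBJTYPE(*FILE) DETAIL(*FULL)
DSPUSRPRF USRPRF(JSMITH)
```

CHGSECAUD is used instead of CHGSYSVAL because it takes the audit levels as a list and creates the journal and receiver when they are absent; note that it replaces the whole QAUDLVL list, so every category still wanted has to be repeated in the call.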
Real Time Auditing
• Copies selected i5/OS journal entries into the AUDIT log files
• Allows selection of specific entries, thus reducing the space required on the system
• Improves readability
• Allows actions (via the separate Action product) to be taken on specific entries
• Creates SYSLOG messages
• Exports to Visualizer
Real Time Auditing
• Example – auditing the deletion of an object
• Method 1 – *DELETE at system level (all deletes) creates too many log entries
• Method 2 – Object Auditing
• Method 3 – User Auditing
Filter Conditions
• Filter criteria limit the application of Real-Time detection rules to certain conditions
• Reduce the amount of data in the logs
• Allow selection for Action & Messaging (separate product)
• Use SQL-like operators (EQ, NE, LE, GE, etc.)
User Activity Auditing
• Audit powerful users
• Forensic auditing
• User-specific auditing (objects, commands, save/restore, etc.)
• Requires AUDLVL set 'on' to create Audit Journal entries
User Activity Auditing
• Logs information only for selected users, as opposed to all users
• Example: if *DELETE is set on at a global level, the audit log will be filled with many delete entries from everyday routines
• Selecting at user level reduces logging to only the "interesting" users
• Independent of general auditing settings
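The three ways of catching object deletion compared on the "Real Time Auditing" slide, and the user-level auditing described on the two "User Activity Auditing" slides, as one added worked example that is not from the training deck and not iSecurity's own code. It also shows how to pull the resulting DO (delete object) entries back out of QAUDJRN with DSPJRN so the volume each method produces can be compared. PAYLIB, JSMITH and AUDLIB are assumed placeholder names.

```cl
/* Added example, not from the iSecurity training deck. PAYLIB, JSMITH and  */
/* AUDLIB are assumed placeholders.                                         */

/* Method 1: *DELETE at system level. Every delete by every job becomes a   */
/* DO entry in QAUDJRN, which is the "too many log entries" case. CHGSECAUD */
/* replaces the whole QAUDLVL list, so the categories already wanted must   */
/* be repeated.                                                             */
CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD) +
          QAUDLVL(*AUTFAIL *SECURITY *DELETE)

/* Method 2: object auditing on the objects that matter. Only deletes of    */
/* files in PAYLIB produce DO entries, whoever performs them. This needs    */
/* *OBJAUD in QAUDCTL but does not need *DELETE in QAUDLVL.                 */
CHGOBJAUD OBJ(PAYLIB/*ALL) OBJTYPE(*FILE) OBJAUD(*CHANGE)

/* Method 3: user auditing on the "interesting" profiles. Every delete by   */
/* JSMITH is logged, of any object, independent of what QAUDLVL contains   */
/* (QAUDCTL must still include *AUDLVL). Note the scope difference: method */
/* 2 follows the object, method 3 follows the user.                         */
CHGUSRAUD USRPRF(JSMITH) AUDLVL(*DELETE)

/* Check what each method produced: DO entries in the security audit        */
/* journal (journal code T), first for all users, then restricted to one    */
/* user, then written to an outfile in the *TYPE5 layout for reporting.     */
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(DO)
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(DO) USRPRF(JSMITH)
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(DO) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(AUDLIB/AUDDO) +
       ENTDTALEN(*CALC)

/* Browse the extracted entries (or point a query or the Report Generator   */
/* at the outfile).                                                         */
RUNQRY QRY(*NONE) QRYFILE((AUDLIB/AUDDO))
```

Running the DSPJRN extract once under each configuration makes the slide's point concrete: the system-level *DELETE setting returns entries for every routine job on the system, while the object- and user-level settings return only the deletes that touch the chosen objects or are done by the chosen profile.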