Help/Systems - System I Automated Operation & Business Intelligence Robots

Archive for the 'Robot/SECURITY' Category

Do you have too many *ALLOBJ profiles?

Wednesday, January 23rd, 2008

Give developers and administrators access without losing control of security

How much authority do your developers and administrators need on your production systems? Does each programmer need *ALLOBJ authority? Have you ever failed a security audit because of too many user profiles with too much special authority? When end users call your Help Desk for help with authority problems, does the Help Desk ask for the end user’s password and then sign on to test the authority issue?


Robot/SECURITY handles *ALLOBJ security issues
Robot/SECURITY can help you handle all of these issues. Robot/SECURITY is actually five security products in one package: Exit Point Monitoring, QAUDJRN Monitoring, Security Auditing, Forensics, and Profile Exchange. With Profile Exchange, a user can “swap” to a different profile, on demand, at any time. The Robot/SECURITY Administrator defines all Profile Exchange users and their access schedules.

The administrator can review all requests
At your option, the Robot/SECURITY Administrator can preview profile exchange requests and approve or deny them using e-mail, an i5/OS message, or Robot/SECURITY.


Robot/SECURITY logs all profile exchange activity
Robot/SECURITY provides a comprehensive log of profile exchange activity, including the requester and the activity associated with the request. At the end of a profile exchange session, Robot/SECURITY automatically e-mails the user’s activity log to the Robot/SECURITY Administrator. Anyone who needs to can view the detail online, or in a printed report, and can use the Exchange Audit History List panel to drill into QAUDJRN records to review the events of the exchange activity.


Call 1-800-328-1000 today to request a FREE demo or a FREE 30-day trial of Robot/SECURITY.

Contributed by Tom Huntington, Vice President of Technical Services

Q&A on Profile Exchange

Wednesday, January 23rd, 2008

Can multiple people use profile exchange to exchange to the same alternate user profile?
Yes, they can. When multiple users exchange to the same profile, it can be a little harder to investigate which user made a specific change while using the profile. Refer to the Robot/SECURITY Activity List to see which user was using Profile Exchange at that time and, from that, who was responsible for the change.

When a user has successfully exchanged to a profile with greater access privileges, can they use that authority to create new Robot/SCHEDULE jobs or commit other disruptive acts?
Yes, they could. However, if you use the security features of the Robot products correctly, you can prevent this type of mischief. For example, you can lock out alternate profiles from sensitive areas. If a user performs a malicious action while using Profile Exchange, Robot/SECURITY maintains a complete log of events to help you identify and prosecute the perpetrator.

During the time on the Access Schedule that a user is allowed to do a profile exchange, can they exchange as often as they want to?
Yes, users can exchange as many times as they wish within the times allowed on their access schedule.

Can you schedule profile exchanges within Robot/SCHEDULE jobs?
Yes, you can schedule profile exchanges as part of a Robot/SCHEDULE job by inserting the commands to start (RSESTREXC) and end (RSEENDEXC) profile exchange.

Note: This exchange affects only the batch job submitted by Robot/SCHEDULE; it has no effect on any interactive jobs.

Analyzing security-related events

Wednesday, December 19th, 2007

Here’s how to cut through the clutter in QAUDJRN and learn more

You hear the same complaints again and again: The security audit journal, QAUDJRN, contains too many entries. It’s too hard to make sense of all the details. Do you really care that you have 1592 program adopt entries one day, and only 450 the next? Do you need to copy the journal receiver to a database file every day? What exactly do all the different entry types mean?

The System i operating system provides commands that allow you to see the contents of the audit journal. The Display Audit Journal Entry (DSPAUDJRNE) command copies the entries to a display or report. However, the command has not been updated for a few years and it misses some of the newer entry types and formats. The Display Journal (DSPJRN) command can dump any journal receiver to an output file (database file). In both cases, the end result is an unformatted file that you can massage using your favorite query tool, such as SEQUEL.

The problem with both of these approaches is that they do not include other sources on the system that track jobs or users and their associated entries to create a complete audit trail.

To fully investigate a security event, you may need to look for information in QSYSOPR and QHST. In addition, the exit point history for critical servers such as FTP, ODBC, and JDBC, can provide valuable information. With all of these sources, you can more accurately piece together the trail for a job or user on the system.

Robot/SECURITY uncovers the transactions
Robot/SECURITY can take the security-related events for a date range, job, or user from multiple sources on the system and build exactly the output you desire. You can select from a list of potential system sources, such as QAUDJRN, QHST, and QSYSOPR (see Figure 1).

Figure 1: Forensics Analysis Utility

In addition, the Robot/SECURITY database contains usage data for common communication server exit points. It also maintains detailed log entries for user actions during profile exchange operations. You select the sources of information to include and your auditor gets a clear picture of what was accessed on the system.

From security sources to the detail
When you click Run, Robot/SECURITY interrogates your system to obtain the detailed entries. After all sources are checked, it displays the information in a graphical display directly on your PC. The entries are summarized by source type, including a counter of the number of entries from each source (see Figure 2).

Figure 2: Forensics Summary Analysis

QAUDJRN is broken down by entry type for each audited area, such as PW (Password Failure) or AF (Authority Failure). Robot/SECURITY’s Forensics Analysis Utility offers a data filter that lets you limit the data shown to the entries that meet your criteria. For example, you can display only the entries related to a specific file or library.

Five-in-one convenience
Robot/SECURITY is really five security products in one package—forensics is just one part of the product. Give it a trial to see the other components: exit point monitoring, QAUDJRN monitoring, security auditing, and profile exchange.

Contributed by Tom Huntington, Vice President of Technical Services

December Q&A Column

Friday, December 7th, 2007

I have two files on my System i. One is a parts list that includes prices. The other contains new prices. Is there an easy way to get the new prices into the parts list?

Use SEQUEL to do a JOIN UPDATE. When you do a JOIN UPDATE you automatically update a System i file with data from another System i file! (We believe this is unique in the System i world.) Here’s an example:

UPDATE SET((LSTPC.1 NEW_PRICE.2))
SQL('FROM PARTMAST, NEWPRICE JOIN PRDNO.1 = PRDNO.2')

Important note: The file you are updating must be the primary (first) file in the SQL statement.

The first parameter in the SET clause is the column name (field) to be updated. In this example, it is the LSTPC (List Price) field. The second parameter in the SET clause assigns the new value to the column name. In this example, we specify that another field, NEW_PRICE, will supply the value. Alternatively, the value parameter could contain a literal value or a derived character or numeric value, depending on your requirements. For instance, you might want to multiply LSTPC by a numeric value to come up with a new List Price.

The SQL FROM clause specifies the two database files required for the operation and the JOIN identifies the fields used to join the files together. The SQL statement in this example is fairly basic. It updates all LSTPC fields in the PARTMAST file. You also could use WHERE and CASE statements to apply conditional updates in your target file.

When you do a profile exchange in Robot/SECURITY, does the Security Audit Journal (QAUDJRN) show actions taken as being carried out by the “original” user profile or the “exchanged to” user profile?

Any changes made by a person using profile exchange show up in QAUDJRN as being carried out by the “exchanged to” or alternate user profile. If you need to investigate further, check the Robot/SECURITY Profile Exchange Activity List to determine who was using the alternate user profile at that time. The activity list also shows actions performed during the exchange.
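
The correlation described above, and in the earlier answer about several users exchanging to the same alternate profile, can be sketched as follows. This is an added example, not Help/Systems code: the record layouts, profile names, and timestamps are constructed assumptions and do not reflect the actual QAUDJRN or Profile Exchange Activity List formats.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data. Field layouts and profile names are assumptions for
# illustration, not the real QAUDJRN or Robot/SECURITY Activity List formats.
SESSIONS = [  # (requesting user, alternate profile, exchange start, exchange end)
    ("JSMITH", "ALTSECOFR", "2008-01-23 09:00:00", "2008-01-23 09:30:00"),
    ("MJONES", "ALTSECOFR", "2008-01-23 09:20:00", "2008-01-23 10:00:00"),
    ("JSMITH", "ALTPGMR", "2008-01-23 11:00:00", "2008-01-23 11:15:00"),
]
AUDIT = [  # (timestamp, entry type, user profile recorded in the journal)
    ("2008-01-23 09:05:12", "CP", "ALTSECOFR"),
    ("2008-01-23 09:25:40", "SV", "ALTSECOFR"),
    ("2008-01-23 10:30:00", "AF", "ALTSECOFR"),
    ("2008-01-23 11:05:00", "AF", "ALTPGMR"),
    ("2008-01-23 11:06:00", "PW", "QUSER"),
]


def attribute(audit, sessions):
    """Map each audit entry to the requester(s) holding its profile at that time."""
    alt_profiles = {s[1] for s in sessions}
    parsed = [(u, p, datetime.strptime(a, FMT), datetime.strptime(b, FMT))
              for u, p, a, b in sessions]
    results = []
    for ts, etype, profile in audit:
        when = datetime.strptime(ts, FMT)
        users = sorted({u for u, p, a, b in parsed
                        if p == profile and a <= when <= b})
        if profile not in alt_profiles:
            status, users = "DIRECT", [profile]  # journal user is the actor
        elif len(users) == 1:
            status = "ATTRIBUTED"   # exactly one requester held the profile
        elif users:
            status = "AMBIGUOUS"    # overlapping sessions: check each activity log
        else:
            status = "NO_SESSION"   # alternate profile used outside any exchange
        results.append((ts, etype, profile, status, users))
    return results


if __name__ == "__main__":
    for row in attribute(AUDIT, SESSIONS):
        print(row)
```

Entries marked AMBIGUOUS are the shared-profile case, where the per-session activity log is needed to separate the users; NO_SESSION entries show an alternate profile active outside any recorded exchange and deserve review.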

Duane Jessup wins night-vision goggles

Wednesday, November 7th, 2007

As part of the introduction of Robot/SECURITY, Help/Systems sent a mailing to selected customers describing the new product as “above top secret.” This mailer, resembling a dossier about a spy and including a security badge, provided the option to enter a sweepstakes to win night-vision goggles. Entrants had to read the mailing carefully and enter their security badge number on a special landing page on the Help/Systems Web site.

When the sweepstakes closed on October 24, the winner was:
Duane Jessup
Information Technology
Toll Brothers, Inc.

Our congratulations go out to Duane. We thank everyone who entered the sweepstakes.

Robot/SECURITY is now shipping

Wednesday, September 5th, 2007

New product addresses the need to manage System i security policies

Help/Systems, the world’s leader in automated operations and business intelligence software for the IBM System i, announces the release of Robot/SECURITY, the i5/OS security monitoring and auditing package. In today’s business climate, System i security is vital. Robot/SECURITY is the only security software that combines five critical System i security tools in one package to help users develop a complete security strategy for their System i.

Profile Exchange authorizes users to assume the authority of another user profile temporarily. Administrators define alternate user profiles that are assigned special authorities. When users need a different authority level, they can exchange to an alternate user profile, assume the necessary authority, complete their tasks, then return to their standard authority level.

Exit Point Monitoring controls who is allowed to access the System i through server exit points. Robot/SECURITY monitors selected exit points and helps control access to the system. Users define which exit points to control and the level of management needed.

The Security Audit checks system security settings and compares them to industry best practices. Users can audit system value settings, user profiles, network attributes, servers, libraries, files, commands, programs, directories and other objects for proper private and public authorities, and set authority policies for their company. A comprehensive set of reports provides a complete audit record.

QAUDJRN Monitoring provides real-time monitoring of the security audit journal. Robot/SECURITY monitors for authority failures, user profile changes, invalid password attempts, and system value changes, and notifies the user when potential security problems occur.

The Forensics Analysis Utility is a PC tool that consolidates data from several sources, including Robot/SECURITY profile exchange and exit point monitoring, the system audit journal (QAUDJRN), the system history log (QHST), QSYSOPR and other message queues, and other Help/Systems products, to help users research system security activity by user, job, or date.

Robot/SECURITY makes it easy to implement, audit, and maintain security policies, while providing the flexibility users need to take full control of their System i security procedures.

For more information, visit www.helpsystems.com/ops/security.html.

Help/Systems 6533 Flying Cloud Drive,
Suite 200
Eden Prairie, MN 55344
Ph. (952) 933-0609
Fx. (952) 933-8153