TAA Tools
SECLOG          SECURITY LOG                           TAASEKL

The  Security Log  tool  is  designed  to assist  in  auditing  *ALLOBJ
users.   The  SNDSECLOG command  is intended  to be  used as  the first
command  of an initial program  for such a user.   The command displays
a screen  and requires  the user  to enter  a  'purpose' of  why he  is
signing on.   The  command then  sends a journal  entry to  the QAUDJRN
journal  with  the  'purpose'.    Other  SECLOG  commands  are used  to
convert and display the information.

The QAUDJRN  journal (Audit  Journal) must  exist.   The journal  entry
written  is a  code 'U'  (for  User) and  an  entry type  of 'SL'  (for
Security Log).

While  the SECLOG function is  intended for use with  *ALLOBJ users, it
may be used for any non-limited user (LMTCPB must be *NO).

SNDSECLOG may be  used multiple times  in the same job  if required  by
the user to describe a different 'purpose'.

Auditing *ALLOBJ users
----------------------

Any  user  with  *ALLOBJ  authority  is  clearly   a  concern  for  the
integrity of  user data as well  as the system.  There  is nothing that
can  be done to  prevent an *ALLOBJ  user from doing  anything he wants
on the system.   Auditing of *ALLOBJ users can be  considered essential
in some installations.

A  good security practice  would be  to have  two profiles  for *ALLOBJ
users.   The normal profile would not  have the *ALLOBJ right and would
be used  for normal  usage.   The *ALLOBJ  profile would  be used  when
needed.

The SECLOG  tool can be  used to identify  a 'purpose' of  each signon.
Other  auditing  functions  can then  be  used  to  determine what  was
actually done.

A good auditing  function to consider  would be to  audit the  commands
that were entered.   This is  discussed later with the  DSPAUDCMD tool.

Getting started with SECLOG
---------------------------

Unless otherwise  noted, all of the following  commands must be entered
by a user with *ALLOBJ authority.

  **   The  file  that  will be  used  to display  the  journal entries
       created by SNDSECLOG must be created:

             CRTSECLOG  SECLOGPLIB(xxx)

       The SECLOGP file would be  created in the named library  and the
       *PUBLIC user would  be excluded from any use.   The library name
       is  stored in  the SECLOG  data area in  TAASECURE to  allow the
       other SECLOG commands  to determine  where the file  is.   There
       should only  be one SECLOGP  file on  the system when  using the
       SECLOG tool.

  **   As a test, enter the SNDSECLOG command:

             SNDSECLOG

       A display  appears that requires an entry  for a 'Purpose'.  The
       field cannot  be blank  and there  is  no F  key to  cancel  the
       function.   When SNDSECLOG is  used as the  first command in  an
       initial program, system request cancel is not allowed.

       After  some 'purpose'  has been  entered, use  of the  Enter key
       will  cause a  journal entry  to be  sent to the  QAUDJRN (Audit
       Journal).

       SNDSECLOG can be  used by any user  and may be entered  multiple
       times in the same job if required.

  **   The CVTSECLOG  command can now  be run to convert  the SNDSECLOG
       journal  entries  to  the  SECLOGP  file  that  was  created  by
       CRTSECLOG.  The  command would normally  be entered without  any
       parameters as:

             CVTSECLOG

       Each time  CVTSECLOG is  run, the  SECLOGP file  is cleared  and
       the  entries  (U SL)  are  converted from  the  QAUDJRN journal.
       The default is  to use  the entire  chain of  receivers for  the
       QAUDJRN journal.    The data  is then  ready to  be reviewed  by
       DSPSECLOG.

       Clearing the  file on each use is intended  as a security aid to
       prevent  an *ALLOBJ user  from changing the  data in a permanent
       data base file.

       Because the  SECLOG  tool uses  the journal,  it  would be  very
       difficult for any user to destroy or change the information.

  **   The data can then be reviewed with DSPSECLOG:

             DSPSECLOG

       A subfile  is displayed  of the journal  entries.  Option  5 may
       be used to review the 'Purpose'.

       Selection  criteria  on  DSPSECLOG  will  allow  selection  by a
       range of dates and a specific user profile.

Using DSPAUDCMD to determine the commands entered
-------------------------------------------------

The DSPAUDCMD  tool provides  a command  that allows  a  review of  the
commands that were  entered by a user.   DSPAUDCMD requires the  use of
the  AUDLOG tool  which converts  the  journal entries  to a  data base
file.  While this is not as secure as using the journal directly, it
simplifies the review of the commands entered.  See the later section
on 'Additional auditing concerns'.

See the discussion of the DSPAUDCMD tool for what is required.

Setting the Initial Program for the use of SECLOG
-------------------------------------------------

If  the user  already has  an initial  program, you  need to  modify it
such as:

             PGM
             TAATOOL/SNDSECLOG
             CALL       PGM(xxx)    /* User's normal initial program */
             ENDPGM

Using a CALL to the user's existing initial program is recommended
because it allows the user to tailor his initial program without
changing the name of the initial program in the user profile.  See the
later section on 'Additional auditing concerns'.

If  the  user  has  no initial  program,  you  must  create  one.   For
example, if the user uses the MAIN menu, the program would appear as:

             PGM
             TAATOOL/SNDSECLOG
             GO         MAIN
             ENDPGM

Signon display
--------------

The default  signon  displays shipped  with  the system  (QDSIGNON  and
QDSIGNON2) allow  a user to  enter a program/procedure  or menu.   This
bypasses  the initial  program described in  the user  profile.   It is
possible to change the signon display to eliminate these options.

Each subsystem may have its own signon display.  This is determined by
the SGNDSPF parameter on CHGSBSD.  You can read about changing the
signon display by using the system Information Center and the
discussion of 'Changing the signon display file'.  The source for the
two display files is in the source file QWATSSRC in QSYS.

You may also  want to consider  allowing the signon  display to have  a
place for  messages to inform  the users of some  important information
such  as 'Shutdown will  occur at 9:00  PM this evening'.   See the TAA
Tool CHGSGNTXT.

For a small  number of *ALLOBJ  users, you should  retain at least  the
program/procedure  option  on  the  signon display.    If  there  is  a
problem  that cannot be  solved using  the normal initial  program, you
will want to have an  option to go directly  to a command line  display
such as QCMD.

Bypassing the initial program function would bypass the intent of
SECLOG unless the user entered the SNDSECLOG command after reaching a
command entry display.  There is a solution to check for this.  You
must be using the job accounting journal.  Job accounting will provide
an entry showing that the user signed on.  A special command,
CHKSECLOG, may be used to ensure that an *ALLOBJ user who signed on
has an entry in the SECLOGP file.  See the discussion of CHKSECLOG.

CHKSECLOG Command
-----------------

You must be  using Job Accounting (QACGJRN  journal) to use  CHKSECLOG.

CHKSECLOG accesses  either one or all  *ALLOBJ type users  and searches
the  job accounting journal  for interactive  jobs.  The  qualified job
information of each interactive  job is checked  for a matching  record
in the SECLOGP file.  Exceptions are noted.

Note that the job accounting journal is checked and not the TAA JOBACG
tool files.  Therefore, a good time to use CHKSECLOG is before you
clean up the journal receivers for the QACGJRN journal.  Before
running CHKSECLOG, you should first run CVTSECLOG to ensure you have
the current information.  Then, a typical command would be:

             CHKSECLOG   USER(*ALLALLOBJ)

A listing  would be displayed  with one line  per *ALLOBJ user  and the
number  of  interactive  jobs (signons)  along  with  an  indication of
whether there  are matching records  in the  SECLOGP file.   This  will
provide a good check  of any user who is not making  an entry using the
SNDSECLOG  command (such as  bypassing the  use of the  initial program
which prompts for the command).

If any  *ALLOBJ users  have signed  on during  the dates  specified,  a
separate spooled file  is created with the  details.  This is  the same
spooled  file  that  is output  by  specifying  an  individual user  on
CHKSECLOG.

While  CHKSECLOG  is intended  for *ALLOBJ  users,  the command  may be
used for  any user.   The listing will  note whether  the user has  the
*ALLOBJ special authority.
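The reconciliation CHKSECLOG performs, as an added Python example that is not part of the tool (the tool itself is CL and RPG on the system); the record layouts, the *ALLOBJ user set and the sample jobs are constructed, and the function mirrors the USER, STRDATE, ENDDATE and ALLINT parameters described under 'CHKSECLOG Command parameters':

```python
from dataclasses import dataclass
from datetime import date

# Constructed, simplified layouts.  A real QACGJRN job entry and a real
# SECLOGP row carry many more fields; only those the check needs are kept.
@dataclass(frozen=True)
class JobAcgEntry:
    job_name: str
    user: str
    job_number: str
    job_type: str        # 'I' interactive, 'B' batch (assumed coding)
    signon_date: date

@dataclass(frozen=True)
class SecLogRecord:
    job_name: str
    user: str
    job_number: str
    purpose: str

# Constructed set standing in for the *ALLOBJ check the tool does (CHKALLOBJ).
ALLOBJ_USERS = {"QSECOFR", "AUDIT1"}

def qualified_job(rec):
    """Key a job the way CHKSECLOG matches it: number/user/name."""
    return (rec.job_number, rec.user, rec.job_name)

def check_seclog(jobacg, seclog, user="*ALLALLOBJ",
                 strdate=None, enddate=None, allint=False):
    """Per-user summary (signons, signons with a SECLOGP entry, has *ALLOBJ)
    plus a detail list of interactive jobs: exceptions only unless allint."""
    selected = ALLOBJ_USERS if user == "*ALLALLOBJ" else {user}
    logged = {qualified_job(r) for r in seclog}
    summary, detail = {}, []
    for e in jobacg:
        if e.job_type != "I" or e.user not in selected:
            continue                      # only interactive sign-ons count
        if strdate and e.signon_date < strdate:
            continue
        if enddate and e.signon_date > enddate:
            continue
        has_entry = qualified_job(e) in logged
        signons, matched, _ = summary.get(e.user, (0, 0, False))
        summary[e.user] = (signons + 1, matched + int(has_entry),
                           e.user in ALLOBJ_USERS)
        if allint or not has_entry:
            detail.append((e.user, e.job_name, e.job_number,
                           e.signon_date.isoformat(), has_entry))
    return summary, detail

def listing(summary):
    """One line per user, like the summary spooled file."""
    return [f"{u:<10} signons={s:>3} logged={m:>3} allobj={'Y' if a else 'N'}"
            for u, (s, m, a) in sorted(summary.items())]

# Constructed sample data: three *ALLOBJ sign-ons, one of them without an
# SNDSECLOG entry, plus a batch job and a non-*ALLOBJ user to be filtered.
SAMPLE_JOBACG = [
    JobAcgEntry("QPADEV0001", "QSECOFR", "123456", "I", date(2012, 1, 10)),
    JobAcgEntry("QPADEV0002", "QSECOFR", "123460", "I", date(2012, 1, 11)),
    JobAcgEntry("QPADEV0003", "AUDIT1",  "123470", "I", date(2012, 1, 12)),
    JobAcgEntry("NIGHTLY",    "QSECOFR", "123480", "B", date(2012, 1, 12)),
    JobAcgEntry("QPADEV0004", "CLERK1",  "123490", "I", date(2012, 1, 12)),
]
SAMPLE_SECLOG = [
    SecLogRecord("QPADEV0001", "QSECOFR", "123456", "Apply PTF group"),
    SecLogRecord("QPADEV0003", "AUDIT1",  "123470", "Quarterly review"),
]

if __name__ == "__main__":
    summary, detail = check_seclog(SAMPLE_JOBACG, SAMPLE_SECLOG)
    print("\n".join(listing(summary)))
    for row in detail:
        print("EXCEPTION", row)
```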

SECLOG data area in TAASECURE
------------------------------

To simplify  the use  of other SECLOG  commands, the  CRTSECLOG command
writes  the name  of  the library  containing the  SECLOGP file  to the
SECLOG data area in TAASECURE.

An *ALLOBJ  user  can change  the value,  but  this would  most  likely
result in an error with the other SECLOG commands.

To change  the library,  use DLTSECLOG which  will delete  the existing
file and then use CRTSECLOG with a different library name.

General auditing comments
-------------------------

No  approach  can  ever  prevent  a  knowledgeable  *ALLOBJ  user  from
tampering with  the  system  and  eliminating any  audit  trail.    For
example, the service  tools must provide  the capability to  change any
byte on  the system.   Allowing the user  to restore objects  that were
created  on a different system can  impact the integrity of the system.

To tamper with  the object  form of an  object such as  a program or  a
journal  receiver would take  a level  of knowledge  that significantly
differs  from what the  typical externally oriented user  knows.  While
this is highly unlikely, nothing is impossible.

The system  provides outstanding  security and  auditing capability  to
make it difficult  for a user to  change the system without  leaving an
audit  trail.  This assumes  that you have taken  some precautions such
as described in the next section.

Additional auditing concerns
----------------------------

To ensure the integrity of the  SECLOG approach, you may want to  audit
for other  possible concerns.   This  will require auditing  individual
objects.   You must first ensure  that the system value  QAUDCTL is set
to allow object auditing (one of the entries must be *OBJAUD).

If object auditing is specified for an object as OBJAUD(*CHANGE) and a
change occurs, a journal entry is written with a journal code of 'T'
and an entry type of 'ZC'.

  **   If you  are using the TAA  AUDLOG tool (such as  required by the
       DSPAUDCMD  tool),  you should  ensure  that any  changes  to the
       AUDLOGP  file are  only  done  by  a  specific  user  using  the
       supplied AUDLOG  commands.   You can cause  a journal  entry for
       any change by entering:

             CHGOBJAUD  OBJ(xxx/AUDLOGP) OBJTYPE(*FILE)
                          OBJAUD(*CHANGE)

       You  can  specify  CHGOBJAUD for  any  sensitive  object on  the
       system.

  **   A special TAA  tool CHKAUDLOGP  exists to help  check for  valid
       changes to the AUDLOGP  file such as the use of  CVTAUDLOG.  The
       command  should be entered  periodically and would  typically be
       entered as:

             CHKAUDLOGP

       A  listing would be output  of any changes that  are not done by
       the TAA AUDLOG commands.

  **   If you are using the TAA JOBACG tool (such as required by the
       CHKSECLOG command), you should ensure that any changes to the
       JOBACGP file are only done by a specific user using the
       supplied JOBACG commands.  You can cause a journal entry for
       any change by entering:

             CHGOBJAUD  OBJ(xxx/JOBACGP) OBJTYPE(*FILE)
                          OBJAUD(*CHANGE)

  **   A special  TAA tool  CHKJOBACGP exists to  help check  for valid
       changes to  the JOBACGP file such as the  use of CVTJOBACG.  The
       command should be  entered periodically and  would typically  be
       entered as:

             CHKJOBACGP

       A listing would  be output of any  changes that are not  done by
       the TAA JOBACG commands.

  **   SECLOG  assumes that  a job  started by  an *ALLOBJ  user occurs
       interactively.   CHKSECLOG will describe  these jobs.  DSPAUDCMD
       can then be used to review the commands that were entered.

       An interactive job can submit batch jobs.  DSPAUDCMD will show
       the submit request in the interactive job, and the submitted
       job itself can then be further checked with DSPAUDCMD.

       However,  there are  many  ways to  start a  batch job  or enter
       commands without submitting  a batch  job.  For  example, a  job
       may be started by  the use of an auto start job  or an option on
       FTP to run commands associated with an FTP transfer.

       Using  the job  accounting journal  will  help you  identify all
       jobs started by a user and note  any that were not started in  a
       conventional manner.   An option  on the DSPJOBACG  display will
       allow you  to invoke DSPAUDCMD which will  describe the commands
       that were entered for a particular job.

  **   Most users do not change the TAA objects even though source is
       included for most of the tools.  Changing one of the TAA Tools
       involving SECLOG could certainly be an exposure to the
       integrity of the tool.  The CHKTAACRT command can be used to
       determine if any objects in the TAATOOL library were not
       created on a TAASYSnn system.  It is valid to change a TAA
       tool, but an auditor may want to review what has changed and
       why.

Simplifying the auditing process
--------------------------------

The use  of SECLOG,  the JOBACG,  and DSPAUDCMD  tools can  be used  to
assist an  auditor  in determining  what an  *ALLOBJ  user is  actually
doing on the system.

To  determine that  other  potential  exposures are  not  occurring, an
approach  would be  to use the  SCNAUDLOG command (requires  the use of
the AUDLOG tool).

For example, assume  you are using the  AUDLOG tool and have  requested
object auditing  as described  in the previous  section on  a sensitive
object such  as the Accounts Receivable file.   You may want to know if
any changes had occurred to the  file by a specific user profile.   You
could use the command:

             SCNAUDLOG    SEARCH(arfile) JRNCDE(T ZC)
                            USER(xxx)

SECLOG escape messages you can monitor for
------------------------------------------

None.  Escape messages from the based-on functions will be re-sent.

CRTSECLOG Command parameters                          *CMD
----------------------------

   SECLOGPLIB    The  name  of  the  library  which  will  contain  the
                 SECLOGP file.

                 The name  of the library is stored  in the SECLOG data
                 area in TAASECURE  to allow other  SECLOG commands  to
                 determine where the SECLOGP file is.

                 A library name  of TAATOOL or  QTEMP may not  be used.

   SRCLIB        The  source  library  to  use  for  the  QATTDDS  file
                 source.    The default  is *TAAARC  to use  the source
                 from the TAA Archive.

                 A specific user library  may be named, but the  source
                 file must be QATTDDS.


DLTSECLOG Command parameters                          *CMD
----------------------------

The command has no parameters.


SNDSECLOG Command parameters                          *CMD
----------------------------

The command has  no parameters.  A prompt will  appear which allows the
'purpose' to be entered.


CVTSECLOG Command parameters                          *CMD
----------------------------

   RCVRNG        The  receiver  range  of  the  QAUDJRN  journal  to be
                 used.  The  default is  *CURCHAIN meaning the  current
                 chain of receivers.

                 A  two  part  entry  may  be  made  for  the  starting
                 journal   receiver  (and   library)  and   the  ending
                 journal receiver (and library).

                 *CURRENT may  also be  used for  the starting  journal
                 receiver to  mean the current  active receiver  of the
                 QAUDJRN journal.

   FROMTIME      The From  date and time  to convert entries  for.  The
                 default  is blank for  both date and  time meaning the
                 date/time of the  first journal entry as  described by
                 the  RCVRNG parameter  will be  used.   If  a date  is
                 entered,  a time must also be  entered.  A date should
                 be entered in  job date format and  a time entered  in
                 HHMMSS format.

   TOTIME        The To  date and  time to  convert entries  for.   The
                 default  is blank for  both date and  time meaning the
                 date/time of the  last journal entry  as described  by
                 the RCVRNG  parameter  will be  used.   If  a date  is
                 entered, a  time must also be entered.   A date should
                 be  entered in job  date format and  a time entered in
                 HHMMSS format.


DSPSECLOG Command parameters                          *CMD
----------------------------

   STRDATE       The start  date  to  be  displayed.   The  default  is
                 *BEGIN  meaning the  first date  of the  entry  in the
                 SECLOGP file.

   ENDDATE       The  end date  to be displayed.   The  default is *END
                 meaning the  last date  of the  entry  in the  SECLOGP
                 file.

   USER          The  user  profile  to  be  selected.    *ALL  is  the
                 default  for  all  users.    A  specific user  may  be
                 named.


CHKSECLOG Command parameters                          *CMD
----------------------------

   USER          The user name to be checked.

                 The special value *ALLALLOBJ may be used to check
                 all *ALLOBJ users.  An entry of *ALLALLOBJ causes a
                 summary listing to be output with one line per
                 *ALLOBJ user.  A separate listing also occurs for
                 any *ALLOBJ user who has caused an interactive job
                 during the specified start and end dates.

                 While  CHKSECLOG is  intended  for  *ALLOBJ users,  it
                 may be used on any user profile.

   STRDATE       The  start date to be used  to access entries from the
                 job  accounting  journal.    The  default  is   *BEGIN
                 meaning the  first date  of the  journal entry in  the
                 current journal receiver chain.

   ENDDATE       The  end date to  be used  to access entries  from the
                 job accounting journal.   The default is *END  meaning
                 the last  date  of the  journal entry  in the  current
                 journal receiver chain.

   ALLINT        A   *YES/*NO   parameter   that  determines   if   all
                 interactive  jobs will  be listed or  just those where
                 there is no corresponding  entry in the SECLOGP  file.

                 *NO  is the  default meaning  only the  exceptions are
                 listed.

                 *YES  may be specified  to list  all interactive jobs.

   OUTPUT        How to output the results.  * is the default to
                 display the spooled file if the command is entered
                 interactively.  The spooled file is deleted after it
                 is displayed if the display is ended with F3/F12 or
                 the Enter key.  To retain the spooled file, you may
                 use the System Request 'Cancel' function and the
                 spooled file will exist in a HLD status.

                 If the command is entered in batch or *PRINT is
                 specified, the spooled file is output and retained.


Restrictions
------------

Only  an *ALLOBJ  user  can enter  the  commands CRTSECLOG,  DLTSECLOG,
CVTSECLOG, and DSPSECLOG.

Prerequisites
-------------

The following TAA Tools must be on your system:

     ADJVAR          Adjust variable
     CHKALLOBJ       Check *ALLOBJ special authority
     CHKOBJ2         Check object 2
     CPYTAADDS       Copy TAA DDS
     CVTTIM          Convert time
     EDTVAR          Edit variable
     FMTLIN          Format line
     HLRMVMSG        HLL remove messages
     RSNLSTMSG       Resend last message
     RTVSYSVAL3      Retrieve system value 3
     SCNVAR          Scan variable
     SNDCOMPMSG      Send completion message
     SNDESCINF       Send escape information
     SNDESCMSG       Send escape message
     SNDJLGMSG       Send job log message
     SNDSTSMSG       Send status message
     UPDPFILE        Update PFILE keyword

Implementation
--------------

None, the tool is ready to use.

Objects used by the tool
------------------------

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   SNDSECLOG     *CMD                   TAASEKL       QATTCMD
   CVTSECLOG     *CMD                   TAASEKL2      QATTCMD
   CRTSECLOG     *CMD                   TAASEKL3      QATTCMD
   DLTSECLOG     *CMD                   TAASEKL4      QATTCMD
   DSPSECLOG     *CMD                   TAASEKL5      QATTCMD
   CHKSECLOG     *CMD                   TAASEKL6      QATTCMD
   TAASEKLC      *PGM       CLP         TAASEKLC      QATTCL
   TAASEKLC2     *PGM       CLP         TAASEKLC2     QATTCL
   TAASEKLC3     *PGM       CLP         TAASEKLC3     QATTCL
   TAASEKLC4     *PGM       CLP         TAASEKLC4     QATTCL
   TAASEKLC5     *PGM       CLP         TAASEKLC5     QATTCL
   TAASEKLC6     *PGM       CLP         TAASEKLC6     QATTCL
   TAASEKLC15    *PGM       CLP         TAASEKLC15    QATTCL
   TAASEKLC16    *PGM       CLP         TAASEKLC16    QATTCL
   TAASEKLC17    *PGM       CLP         TAASEKLC17    QATTCL
   TAASEKLC26    *PGM       CLP         TAASEKLC26    QATTCL
   TAASEKLR2     *PGM       RPG         TAASEKLR2     QATTRPG
   TAASEKLR5     *PGM       RPG         TAASEKLR5     QATTRPG
   TAASEKLR6     *PGM       RPG         TAASEKLR6     QATTRPG
   TAASEKLR26    *PGM       RPG         TAASEKLR26    QATTRPG
   TAASEKLD      *FILE      DSPF        TAASEKLD      QATTDDS
   TAASEKLE      *FILE      DSPF        TAASEKLE      QATTDDS
   TAASEKLP      *FILE      PF          TAASEKLP      QATTDDS
   TAASEKLQ      *FILE      PF          TAASEKLQ      QATTDDS
   TAASEKLS      *FILE      PF          TAASEKLS      QATTDDS

Structure
---------

SNDSECLOG   Cmd
   TAASEKLC   CL pgm

CVTSECLOG   Cmd
   TAASEKLC2  CL pgm
     TAASEKLR2   RPG pgm

CRTSECLOG   Cmd
   TAASEKLC3  CL pgm

DLTSECLOG   Cmd
   TAASEKLC4  CL pgm

DSPSECLOG   Cmd
   TAASEKLC5  CL pgm
     TAASEKLR5   RPG pgm
       TAASEKLC15  CL pgm    - Does FMTLIN
       TAASEKLC16  CL pgm    - Does CVTDAT
       TAASEKLC17  CL pgm    - Determines *ALLOBJ user

CHKSECLOG   Cmd
   TAASEKLC6  CL pgm
     TAASEKLR6   RPG pgm
     TAASEKLC26  CL pgm
       TAASEKLR26  RPG pgm

Added to TAA Productivity tools January 15, 2012

