
Audit Release News

  • In STRSEC>89>59, a new parameter was added:

Mask UsrPrf with dft pwd . . . ??--??----   ?=Display, %=Display, random if blank

This parameter defines which characters of a user profile name are shown in the output of the Audit $P (Users with default password) report; positions that are not marked for display are masked. Since that report is effectively a list of accounts that can be entered with a guessable password, masking the names allows the report to be distributed without handing out a ready-made target list.

Example:

A$P
$P Users with default password
Control: T, B, +/-
User          User      Display Sign-on
              Class     Information
AA--CC----    *USER     *SYSVAL
AB--E ----    *USER     *SYSVAL
AG--UP----    *SECOFR   *SYSVAL
AL--X ----    *USER     *SYSVAL
AL--22----    *USER     *SYSVAL
AO--PC----    *USER     *SYSVAL
AU--SE----    *USER     *SYSVAL
AV--HA----    *SECOFR   *SYSVAL
AZ--  ----    *USER     *SYSVAL
AZ--  ----    *USER     *SYSVAL
A1--  ----    *USER     *SYSVAL
A1--  ----    *USER     *SYSVAL
A6--  ----    *USER     *SYSVAL
BA--CH----    *USER     *SYSVAL
BB--  ----    *USER     *SYSVAL
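As an added example, not code from Raz-Lee or from these release notes, the following Python routine applies a display mask of the form shown above to user profile names. The reading of '%' (display the character, or a random letter if that position of the name is blank) is an assumption about the parameter text; the sample names and report rows are constructed.

```python
import secrets
import string

# Added example (not Raz-Lee code). Interpretation of the mask pattern is an
# assumption based on the parameter prompt: '?' displays the profile-name
# character at that position, '%' displays it too but substitutes a random
# upper-case letter where the name is blank (shorter than the mask), and any
# other pattern character is emitted literally, hiding the name character.
DEFAULT_MASK = "??--??----"


def mask_user_profile(name: str, pattern: str = DEFAULT_MASK) -> str:
    """Return the masked form of an IBM i user profile name (max 10 chars)."""
    padded = name.upper().ljust(len(pattern))[: len(pattern)]
    out = []
    for ch, p in zip(padded, pattern):
        if p == "?":
            out.append(ch)
        elif p == "%":
            out.append(ch if ch != " " else secrets.choice(string.ascii_uppercase))
        else:
            out.append(p)
    return "".join(out)


def mask_report_rows(rows, pattern=DEFAULT_MASK):
    """Mask the user-profile column of (name, class, dspsgninf) report rows,
    leaving the other columns as they are."""
    return [(mask_user_profile(name, pattern), cls, dsi) for name, cls, dsi in rows]


if __name__ == "__main__":
    # Constructed sample rows: profiles still carrying their default password.
    sample = [("AARON", "*USER", "*SYSVAL"), ("AB", "*USER", "*SYSVAL")]
    for row in mask_report_rows(sample):
        print("  ".join(row))
```

Positions 1, 2, 5 and 6 of the name survive, which is enough for an administrator who knows the naming convention to recognise the account while the full name stays out of the report.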

  • New sources of information for queries were added.
  • QHST support now includes a break‐down of messages into their parameters.
  • The Query Generator was enhanced to support three different groups of summaries.
  • Support for IASP is now available.
  • Export Query – users may now select one or more queries and export them to a remote machine/LPAR.
  • Multiple reports may now be ZIPed into a single file.
  • “No Data” notification added to the email subject of empty reports – a subject containing *NO DATA* indicates “No exception found”.
    Since security monitoring is based on identifying exceptions, this saves time: empty reports need not be opened.
  • An optional enhanced auto‐disable of user profiles with generic names is available.
  • Auto‐delete of dormant or disabled user profiles is now available.
  • Copy time group – the export/import feature now enables deleting entries from the remote system.
  • Support of generic options is now available for general groups.
  • Domain restriction when sending email from Audit, to prevent emails being sent to unwanted recipients.
  • A new query option uses the initial object selection for reports.
  • A new $R query type lists IFS objects.
  • The query footnote now contains the initial filter selection.
  • Report group summaries are now available.
  • The groups export/import feature includes delete on remote.

LEEF, CEF Field mode support, with Sub‐Type sensitivity

  • LEEF, the format used by IBM® QRadar™, and CEF, used by HP™ ArcSight™ and others, are now supported. Both send data in Field Mode, as pairs of field name and field value.
  • iSecurity™ supports all QAUDJRN entry types.
    Formatting is by Audit Type and Sub‐type, or by Firewall server.
    In this way, for audit types that cover different activities, e.g. type OM with sub‐types M=Move and R=Rename, only the fields relevant to the sub‐type are sent.
  • QHST, QSYSOPR and any other message queue are supported in LEEF and CEF field mode.
  • Standard message support, i.e. the message text with its replacement values substituted, is preserved.
    This allows information to be sent in any free format as well as in LEEF and CEF.

SMS and Special Support

Standard support for SMS (“Text”) and Special messages from within Audit is now available.

The Special option is usually used for beeper (pager) messages.

The SMS and Special support uses the email‐to‐SMS/Special gateways provided by many telecommunication service providers.

In the USA and some other countries this is a free service.

To use the SMS/Special Definitions option, type: STRAUD>81>12

Support for Add QAUDJRN Sequence Number to SIEM *CEF/*LEEF Fields

Support was added for including the QAUDJRN sequence number in the *CEF/*LEEF fields sent to the SIEM.
It is enabled by a new option in Global Installation Defaults (STRAUD>89>59).
The sequence number gives the SIEM a monotonic key per journal entry, so gaps or duplicated entries in the received stream become detectable on the SIEM side.

Messages to SIEM in *CEF Structure

Messages to SIEM in *CEF structure now allow customers to select whether Standard CEF Extension Field Names are sent or not.

The default is Y.

This feature is controlled by a new parameter in Global Installation Defaults (STRAUD>89>59, then Page Down); the field name is Standard CEF Extension Field Names.

QHST SIEM Support

QHST SIEM support was changed to run as an OS/400™ asynchronous job, which improves system performance.

Other internal changes were also implemented.

QHST Duplication Prevention

An internal check was added to prevent the same QHST message from being sent twice.

Bug Fix
  • DSPAULOG now properly supports OUTFILE for type CP.
  • CHKISA and DSPISA (Check/Display iSecurity Authorization Status) now report the status of the Authority Code of the IMPERVA SecureSphere™ Agent.
New Audit Codes

New Audit Journal entry types and sub‐types were added to support OS/400™ releases up to 7.3.

New field codes were also added to existing Audit™ types in 7.3, and the IBM® texts for values and descriptions were refreshed for a more convenient user experience.

Global Installation Defaults Enhanced

This option has been enhanced and reshaped.

Among the enhancements:

  • Product‐Admin Email.
  • Add SYSTEM to query mail subject.
Review and Update of Description and Possible Values of all Audit Code Fields
  • Since Audit provides a description of each field in the Audit Entries, along with its possible values (codes), a full review and update, as necessary, of all Audit Code field texts was carried out.
  • The number of fields in Audit Journal Entries now requires 5 digits.
  • Customers are reminded that on display screens, pressing Help while the cursor is on a field displays the field description, its possible entries and their descriptions.
  • On entry screens, pressing F4 while the cursor is on a field displays the same information and allows one or several values to be selected (for LIST comparison).
New Audit Type

In STRAUD>1>1, new Audit Types were added to support OS/400™ release 7.3.

These include:

*NETSECURE  V7R3M0  36.  Secure network connections
*NETTELSVR  V7R3M0  37.  Telnet Server connections
*NETUDP     V7R3M0  38.  UDP traffic

NOTE: Starting with OS/400™ release 7.3, the role of *NETCMN was changed: it now only writes security Audit Journal entries for
a subset of the *NETSCK functions. It does not write security Audit Journal entries for accepts and connects.

Audit™ types CP and C@ (User Profile Changes) were enhanced.

Changes related to OS/400™ release 7.2
  • New Audit Types:
    • *PTFOBJ Changes to PTF objects
    • *PTFOPR PTF operations
  • New Audit Journal entries:
    • AX Row and Column Access Control
    • PF PTF Operations
    • PU PTF Object Changes
    • X2 Query Manager Profile Changes
Raz‐Lee Entry Types Added

A new Raz‐Lee entry type was added: $F Command Attributes for Limited Capabilities users (STRAUD>41>1).

The $F Command Attributes type can be used to create reports about Limited Capabilities users and more, for example which commands carry ALWLMTUSR(*YES) and therefore remain usable from the command line by a LMTCPB(*YES) user.

Deleting Unused Disabled Users

Users who have been in the *DISABLED state for a long period may be deleted
according to their Last used date, Create date and Sign‐on date.

User Profiles which are Group Profiles will never be deleted.

Exceptions may be added to a list of generic* names; matching profiles are excluded from deletion even if *DISABLED.

NOTE: Users in the disable exceptions list cannot be deleted.

NOTE: During Auto‐Deletion, messages are sent to QSYSOPR.

Global Installation Configuration Update

Global installation configuration (STRAUD>89>59) was enhanced by:

  • Refresh Z* report definitions: Y
    Y=Yes, A=Replace all
  • *AUTO Level of message: 1
    1=1st‐*AUTO1, 2=2nd‐*AUTO2
  • Standard auto disable: Y
    Y=Yes
    NOTE: Check the manual before changing.
  • For SIEM:
    • Syslog source Port/IP
    • TLS Application ID SIEM
New Email Support Introduced

A new email component was installed in Raz‐Lee’s products.

Copy Queries From/To Backup

In STRAUD>82>93, an option exists to copy queries From/To the SMZ4DTA file.

By selecting the file to back up, the user can save queries or recover them in the event of data loss.

NOTE: This activity requires the files AUSELQP and AUSELCP to be present in both the From and To libraries.

Export/Import Definitions

Export/Import definition commands now support:

  • Configuration file
  • Scheduled Entries
CEF and LEEF

Improved CEF and LEEF support was introduced.

Check Raz‐Lee Authorization (CHKISA) has New OUTPUT(*EMAIL) Support

With the new OUTPUT(*EMAIL) support of Check Raz‐Lee Authorization (CHKISA), the status of authorization codes is sent by email.

Set Start of Auditing Time (SETRTAUD)

Set Start of Auditing Time (SETRTAUD) was enhanced to allow entering the QHST transmission starting date and time.

Triple Syslog Definitions

Raz‐Lee’s Audit product now supports sending Syslog messages to up to three (3)
SIEM products simultaneously:

  • In Syslog definitions, select option 81 from the main menu of any product (e.g. STRAUD>81>32/33/34 or STRFW>81>71/72/73).
    The SYSLOG message is now enabled for multiple SIEMs (note the SIEM 1, SIEM 2 and SIEM 3 option items), and message structures may use built‐in as well as mixed variables and constants.
  • Port, Severity, Facility and Length are adjustable; the Syslog transport may be UDP, TCP or TLS (encrypted); the message structure may be CEF, LEEF or a user‐editable format, with filters selecting the relevant fields.
    Only the TCP and TLS transports can detect a failed delivery; loss over UDP is silent.
  • Each SIEM is processed by its own job.
    A buffer absorbs intermittent communication problems or SIEM downtime.
  • Once this buffer is full, processing is delayed.
    A message is then sent to QSYSOPR, and reconnection is attempted periodically until communication is restored.
    While the buffer is full, new events are held on the IBM i side and do not reach the SIEM, so that QSYSOPR message should itself be monitored.
ZIP Report Generator Output

The ZIP parameter was added to the report generator command.
When using the Report Scheduler, it is possible to specify ZIP in the group definition.
Doing so will ZIP all following report output to a single ZIP file.

Unique Support of Message Field for LEEF and CEF mode

OS/400™ messages are defined as text with “replacement variables” &1, &2, … iSecurity can extract the replacement variables and send them as proper pairs of field name and field value when LEEF or CEF mode is defined.

Currently the product supports several hundred of the most common messages.

For example, take message CPF1164 with the following text:

“Job 654242/QSYSOPR/BACKUP ended on 7/03/16 at 01:00:06;
1.267 seconds used; end code 50”.

Field Name        Field Value
Msg_ID            CPF1164
Msg_file          QCPFMSG
Msg_Queue         QHST
Msg Job           654242/QSYSOPR/BACKUP ended on 7/03/16 at 01:00:06; 1.267 seconds used; end code 50
Job_name          BACKUP
Job_user          QSYSOPR
Job_number        654242
Ended_on          7/03/16
At                01:00:06
CPU_seconds_used  1.267
End_severity      50

NOTE: Not all fields appear in this example.

The fields from Job_name onward are the replacement variables extracted from the message text; the fields above them describe the message itself.

This is significant because it gives the SIEM standard, field‐level access to all of the message data, instead of a single free‐text string that has to be parsed with a regular expression on the SIEM side.

This is an iSecurity™ feature that is new to the market. Presently iSecurity™/Audit supports several hundred of these messages, a number which will grow.
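As an added example, not Raz-Lee's code, the following Python shows the mechanism described above: a message template with &N replacement variables is compiled into a regular expression, the captured values become named fields, and the result is rendered in LEEF and CEF. It also shows the Standard CEF Extension Field Names switch from the *CEF section above, as an assumed mapping of product field names onto standard CEF keys (suser, sproc, msg). The CPF1164 template, the field holding the full message text (Msg_Text), the vendor/product strings and the sample QHST entry are assumptions or are constructed from the text quoted above.

```python
import re

# Added example (not Raz-Lee code). Message templates are keyed by message ID
# and hold the message text with its replacement variables (&1, &2, ...) and
# the field name assigned to each variable. Only CPF1164 is defined here, with
# a template modelled on the text quoted in the release notes (assumption:
# the real template in QCPFMSG may differ); a deployment would load these
# from the message file rather than hard-code them.
TEMPLATES = {
    "CPF1164": {
        "text": "Job &1/&2/&3 ended on &4 at &5; &6 seconds used; end code &7",
        "fields": ["Job_number", "Job_user", "Job_name", "Ended_on", "At",
                   "CPU_seconds_used", "End_severity"],
    },
}

# Assumed mapping of the product's field names onto standard CEF extension
# keys, used when "Standard CEF Extension Field Names" is enabled.
CEF_STANDARD_NAMES = {"Job_user": "suser", "Job_name": "sproc", "Msg_Text": "msg"}


def template_to_regex(text, fields):
    """Turn message text with &N variables into a regex with named groups."""
    pattern, pos = "", 0
    for m in re.finditer(r"&(\d+)", text):
        pattern += re.escape(text[pos:m.start()])
        pattern += "(?P<%s>.+?)" % fields[int(m.group(1)) - 1]
        pos = m.end()
    pattern += re.escape(text[pos:])
    return re.compile("^" + pattern + "$")


def extract_fields(msg_id, msg_text, msg_file="QCPFMSG", msg_queue="QHST"):
    """Return field/value pairs for a message: the fixed fields plus, when the
    message ID has a template, one field per replacement variable."""
    fields = {"Msg_ID": msg_id, "Msg_file": msg_file,
              "Msg_Queue": msg_queue, "Msg_Text": msg_text}
    tpl = TEMPLATES.get(msg_id)
    if tpl:
        m = template_to_regex(tpl["text"], tpl["fields"]).match(msg_text)
        if m:
            fields.update(m.groupdict())
    return fields  # unknown messages still go out as free text in Msg_Text


def _cef_header(value):
    # CEF header fields escape backslash and the pipe separator.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_value(value):
    # CEF extension values escape backslash, '=' and newlines.
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(fields, standard_names=True, vendor="Raz-Lee",
           product="iSecurity Audit", version="1.0", severity=5):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(_cef_header(v) for v in (
        "CEF:0", vendor, product, version, fields["Msg_ID"],
        fields["Msg_ID"], str(severity)))
    ext = []
    for key, value in fields.items():
        if standard_names:
            key = CEF_STANDARD_NAMES.get(key, key)
        ext.append("%s=%s" % (key, _cef_value(value)))
    return header + "|" + " ".join(ext)


def to_leef(fields, vendor="Raz-Lee", product="iSecurity Audit", version="1.0"):
    """LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value ..."""
    header = "|".join(("LEEF:1.0", vendor, product, version, fields["Msg_ID"]))
    # LEEF 1.0 separates attributes with a tab, so tabs inside values are folded.
    ext = "\t".join("%s=%s" % (k, v.replace("\t", " ")) for k, v in fields.items())
    return header + "|" + ext


if __name__ == "__main__":
    # Constructed QHST entry using the message text quoted in the release notes.
    text = ("Job 654242/QSYSOPR/BACKUP ended on 7/03/16 at 01:00:06; "
            "1.267 seconds used; end code 50")
    parsed = extract_fields("CPF1164", text)
    print(to_leef(parsed))
    print(to_cef(parsed))
```

The non-greedy groups combined with the literal text between variables are what make "654242/QSYSOPR/BACKUP" split into three fields; a message ID without a template still produces a valid LEEF or CEF record carrying the text in a single field, which is the free-format fallback the notes describe.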

Source IP Determination
  • In Global Installation Defaults (STRAUD>89>59), a SYSLOG source Port/IP field was added (UDP only).
  • Major performance change in LOG and Report access time. Improvement of 80% expected in certain situations.

New or Improved Query Sources of Information

In Work with Queries (STRAUD>41>1), the following new report types were added:

$H File members

This type reports on large file members, file members that require reorganization, the names of the source members that were used to create objects, and more. $H can be run in 1=Fast mode (takes minutes for the entire system) or 2=Standard mode (takes much longer).

Choose according to the operating system level and the type of information required, as Standard mode includes more fields.

$X Library information [run RTVDSKINF first]

Library information, including size and percentage of disk space, is included.

A report of this type requires a prior run of the standard Retrieve Disk Information (RTVDSKINF) command; the information is then taken from that run.

$@ History log

Reports information from the QHST log.

$9 Interface to any spool file query

Intercepts any number of spool files that are created by running a command or a program.

The spool files are assembled into free‐format text that is handled by the report generator.

Using the $9 type, the full range of report generator capabilities becomes available for such output, including HTML and PDF output, running on multiple systems, sending by email and more.

Exporting & Moving Query Definitions
  • Work with Queries (STRAUD>41>1) enables exporting selected queries.

To do so, select X=Export for one or many queries, in one or more passes.

When F3=Exit is pressed, a screen is displayed allowing the user to specify the target system or group of systems (Multi System must be available).

Alternatively, *NONE can be entered.

*NONE displays the name of the *SAVF that is created and the Import command parameters required on the target system to load the exported reports.

With *NONE it is the customer’s responsibility to transfer the *SAVF to the target systems.

  • A new function, Copy Queries from Backup (STRAUD>82>93), enables technicians to load a full set of reports (i.e. files AUSELQP and AUSELCP from SMZ4DTA) into a user‐defined library and select which reports to copy from it.

The user selects the From and To libraries and presses Enter; the list of reports in the From library is then displayed, and the reports to copy are selected from it.

This option may be important, for example, when some reports have been accidentally deleted and need to be loaded from a backup.

New Query Capabilities with Sort‐Break Level, Sort Order, and Multi System

The Query Generator was enhanced to support sorting and the layout of sorted data:

  • A break after a change in a specified number of key fields causes a subtitle to appear when the change is encountered. Fields that appear in the subtitle are omitted from the detail lines.
  • Sort order can be defined as A=Ascending or D=Descending.
  • Records to include can be 1=All or 2=One record per key (this item is mentioned to show the complete picture).
  • When a query runs on multiple systems, the System field containing the system name is implicitly added to the printed fields if it is not already there.
Additional Queries
  • Some new queries were added to include the Definitions in the Query Generator:
    • Z$9_AUDFN $9 Audit definitions
    • Z$9_FWDFN $9 Firewall definitions
  • A wide set of object related reports. To view them, subset by “classification=Q”.
    NOTE: Most reports default to QGPL information, in order to prevent unintentional run of such a query for the entire system – a long process.
    • Z$I_CHG    $I Objects changed (QGPL), Exc. PF
    • Z$I_DMGED  $I Damaged objects (QGPL)
    • Z$I_MISS   $I Objects whose sources are missing (QGPL)
    • Z$I_OBJC   $I Objects by creator (QGPL)
    • Z$I_OWN    $I Objects by owner (QGPL)
    • Z$I_SCOFR  $I Objects owned by QSECOFR (QGPL)
    • Z$I_SIZE   $I Largest objects (QGPL, Above 100MB)
    • Z$I_SRC    $I Objects source (QGPL)
    • Z$I_SYS    $I Objects by system (QGPL)
    • Z$I_UNSVD  $I Unsaved objects (QGPL)
    • Z$I_USE    $I Objects by Usage Date (QGPL)
    • Z$J_OBJ    $J Object authority (QGPL), by object
    • Z$J_USR    $J Object authority (QGPL), by user
    • Z$K_ALL    $K User profile job descriptions with high authority
    • Z$Q_SCOFR  $Q Programs that adopt QSECOFR authority
    • Z$U_ALLUSR $U All Authorization Lists Users
    • ZCO_ALL    CO All Created Objects
    • ZOR_ALL    OR All Restored Objects
New Network Attributes Added

Some Network Attributes were added, including: DTACPR, DTACPRINM, ALRHLDCNT.

This might affect Set Audit Compliance Base‐Line (STRAUD>41>62), as well as relevant reports.

Auto‐Delete Unused Disabled User Profiles
  • A new function was added for Auto‐Delete of Unused Disabled User Profiles (STRAUD>62>21-22).
    This function (available from release 6.1 and up) deletes users who have been in the *DISABLED state for a long period, as determined by their Last Used Date, Create Date and Sign‐on Date.
    User Profiles which are Group Profiles will never be deleted.
  • An Exception List which accepts generic* names can be used to exclude certain user profiles.
  • User profiles which were already excluded from Auto Disable (STRAUD>62>11-12)
    are considered excluded in this function as well, even if found *DISABLED.
  • Some reports accompany the Auto‐Delete function:
    • ZDO_INADLT DO – Users that were DELETED due to inactivity.
      This is a standard report.
    • Z$@_INADLT $@ – Log of Auto‐Delete activity.
      This includes information on users that were deleted and on users which, for
      some reason, could not be deleted.
      This is a textual report that includes two (2) types of messages:
      • Auto‐Delete – User XXXX could not be deleted:
        MsgId + MsgText of the reason.
      • Auto‐Delete – User XXXX inactive since YYYY‐MM‐DD deleted.

During Auto‐Deletion, these messages are also sent to QSYSOPR.
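The selection rule above, written out as an added Python example (not Raz-Lee code): candidate profiles are *DISABLED, not group profiles, not matched by the generic* exception list, and inactive for longer than a retention period measured from the latest of the last-used, last sign-on and creation dates. The UserProfile fields, the retention_days parameter, the delete_fn stand-in for DLTUSRPRF and all sample profiles are constructed assumptions; the log lines follow the two message forms listed above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example (not Raz-Lee code). Models the selection rule described in
# the release notes: a *DISABLED profile is a candidate once its most recent
# activity date (last used, last sign-on or creation) is older than the
# retention period; group profiles and profiles matching the exception list
# are never deleted. Field names and the retention parameter are assumptions.


@dataclass
class UserProfile:
    name: str
    status: str                               # "*ENABLED" or "*DISABLED"
    create_date: date
    last_used_date: Optional[date] = None     # None: never used
    last_signon_date: Optional[date] = None   # None: never signed on
    is_group: bool = False                    # profile has members (group profile)


def matches_generic(name: str, pattern: str) -> bool:
    """IBM i generic name: a trailing '*' matches any continuation."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern


def inactive_since(u: UserProfile) -> date:
    """Date from which the profile has been inactive: the latest of the three
    dates the notes mention, falling back to creation when never used."""
    return max(d for d in (u.last_used_date, u.last_signon_date, u.create_date) if d)


def select_for_deletion(profiles, retention_days, exceptions, today):
    """Return (name, action, reason) for every *DISABLED profile."""
    cutoff = today - timedelta(days=retention_days)
    decisions = []
    for u in profiles:
        if u.status != "*DISABLED":
            continue
        since = inactive_since(u)
        if u.is_group:
            decisions.append((u.name, "keep", "group profile"))
        elif any(matches_generic(u.name, p) for p in exceptions):
            decisions.append((u.name, "keep", "in exception list"))
        elif since > cutoff:
            decisions.append((u.name, "keep", "inactive only since %s" % since))
        else:
            decisions.append((u.name, "delete", "inactive since %s" % since))
    return decisions


def run_auto_delete(profiles, retention_days, exceptions, today, delete_fn):
    """Apply the decisions. delete_fn(name) stands in for DLTUSRPRF and raises
    RuntimeError with the reason when deletion fails. Returns the log lines in
    the two forms the notes describe."""
    log = []
    for name, action, reason in select_for_deletion(profiles, retention_days, exceptions, today):
        if action != "delete":
            continue
        try:
            delete_fn(name)
            log.append("Auto-Delete - User %s %s deleted." % (name, reason))
        except RuntimeError as err:
            log.append("Auto-Delete - User %s could not be deleted: %s" % (name, err))
    return log


# Constructed sample data, as of 2016-07-03 with a 180-day retention period.
TODAY = date(2016, 7, 3)
SAMPLE = [
    UserProfile("TEMP01", "*DISABLED", date(2014, 3, 1), date(2015, 1, 10), date(2015, 1, 9)),
    UserProfile("ADMIN7", "*DISABLED", date(2014, 3, 1), date(2015, 1, 10)),
    UserProfile("GRPSALES", "*DISABLED", date(2012, 5, 5), is_group=True),
    UserProfile("NEWDIS", "*DISABLED", date(2016, 6, 1)),
    UserProfile("OWNER1", "*DISABLED", date(2013, 2, 2), date(2014, 2, 2)),
    UserProfile("ACTIVE1", "*ENABLED", date(2016, 1, 1), date(2016, 7, 1)),
]
EXCEPTIONS = ["ADMIN*", "QSECOFR"]


def fake_delete(name):
    """Stand-in for DLTUSRPRF: OWNER1 still owns objects, so it cannot go."""
    if name == "OWNER1":
        raise RuntimeError("profile still owns objects (stand-in for the DLTUSRPRF message)")


if __name__ == "__main__":
    for line in run_auto_delete(SAMPLE, 180, EXCEPTIONS, TODAY, fake_delete):
        print(line)  # in the product these lines also go to QSYSOPR
```

Note that a recently created but never used profile (NEWDIS) is kept because its creation date counts as activity; without that fallback, a profile created disabled and never signed on would be deleted on the first run.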

Email Definitions

The Email Configuration Screen (STRAUD>89>2) now supports F10=Verify Email configuration.

Selecting this option will result in sending a mail to the Product‐Admin Email that is defined in Global Installation Defaults (STRAUD>89>59).

DDM Data Queues Extended Support
  • IBM has corrected its definition requirements for DDM Data Queues. See: http://www-01.ibm.com/support/docview.wss?uid=nas8N1020951. Accordingly, a new parameter was added to the System Definition (STRAUD>83>1). Entering this parameter is
    recommended in all cases, and is required depending on the PTF level of the system.
  • The DDM Data Queues are re‐constructed automatically by the System Definition option (STRAUD>83>2). This program also handles the TCP/IP Host Table Entry and runs ADDTCPHTE or CHGTCPHTE to apply the definition automatically.

Support of User Absence Security was extended to all Releases

User Absence Security (STRAUD>62>41), with its current implementation and displays, is now available for all releases of OS/400™.

  • During Audit installation, a repository of all user profiles and their parameters is built to support the C@ audit type, which shows changes in user profile parameters in the format Parameter: New‐value (old‐value).
    In installations with a large number of user profiles this significantly extended the installation process.
    This process now runs in a separate job, considerably shortening installation.
  • Audit Export/Import now handles groups.
  • In Syslog Definitions (STRAUD>81>32), the SYSLOG message now includes the Sub‐Type of the Audit type.
  • When the result of a query is an IFS file, the date is now included in the object name.
  • Changes were made to the JS Audit type to clarify the report information.