Getting Started
This chapter guides you through the steps necessary to begin using Action for the first time. Also covered in this chapter are the basic procedures for configuring the product for day-to-day use.
Obtaining Your Authorization Code
A valid product authorization code is required to run this product. Please contact your authorized Raz-Lee distributor or reseller to receive the proper code. If you are evaluating the product, you will receive a temporary authorization code valid for 30 days. If you have purchased a license, you will receive a permanent authorization code that is specific to the serial number and model of the computer on which it is installed. If you upgrade your System i hardware, or purchase a more recent version of the product, you must request a new authorization code.
Starting Action for the First Time
Users must have *AUDIT special authority to use this product. An additional product password may also be required to access certain functions. The default product password is QSECOFR. We recommend changing this password as soon as possible.
To start Action, type the STRACT command on the command line and press Enter. The Action Main menu appears.
```text
AUACTMN                        Action                    iSecurity/Action
                                                         System: RLDEV
Select one of the following:

Settings                                 Actions
 1. Activate Real-Time Detection         31. Work with Actions
                                         35. Run an Action
Real-Time Detection Rules                Reports
11. Real Time Auditing (Audit)           41. Display Log
12. Firewall/Screen (Firewall)
13. Status & Active Job (SysCtl)         Definitions
14. Message Queue (SysCtl)               51. Time Group

Control Features                         Maintenance
21. User Management                      81. System Configuration
22. Authority Adoption                   82. Maintenance Menu
23. Object Integrity                     83. Central Administration
                                         89. Base Support
Selection or command
===>

F3=Exit  F4=Prompt  F9=Retrieve  F12=Cancel  F13=Information Assistant
F16=System main menu
```
System Configuration
Action is ready-to-run right out of the box. You should review and modify certain system configuration parameters that control important features prior to using the product for the first time.
It should be pointed out that there is no “typical” or “optimal” configuration for a security product such as Action. Each installation or application has different operational criteria and security needs. The security requirements for a large manufacturing environment are quite different from those for a bank, a software developer or a service organization.
This section discusses the following configuration settings:
- Entering authorization code
- Enabling real-time detection (Audit, Firewall, Screen, Active jobs and system status)
- iSecurity password
- SMS messaging
- E-Mail definitions
- Pager (Beeper) interface

- To configure Action, select 81. System Configuration from the Action Main Menu (STRACT). The iSecurity/Base System Configuration screen appears.
- Continue to the following options. After you modify any of the parameters accessible from this menu, the message “Modify data, or press Enter” appears upon return to the menu.
- You must press Enter again to save your changes and leave this menu. If you press F3, you will lose any changes that you have made.
Entering your Authorization Code
If you did not enter your authorization code during the installation process, do so now. Perform the following steps.
- Select 81 > F22=Enter Authorization Code.
- Enter your computer serial number and authorization code in the spaces provided. Press Enter to continue.
NOTE: If you enter an incorrect code, you will receive an error message when you attempt to access product features. If this occurs, simply repeat the above procedure to enter the correct code.
Modifying Operators’ Authorities
Operator authorities are now maintained in one place for all iSecurity modules.
There are three default groups:
- *AUD#SECAD - All users with both *AUDIT and *SECADM special authorities. By default, this group has full access (Read and Write) to all iSecurity components.
- *AUDIT - All users with *AUDIT special authority. By default, this group has only Read authority to Audit.
- *SECADM - All users with *SECADM special authority. By default, this group has only Read authority to Firewall.

iSecurity-related objects are secured automatically by product authorization lists (named security1P). This strengthens the internal security of the product. It is essential that you use Work with Operators to define all users who have *SECADM, *AUDIT or *AUD#SECAD privileges but do not have all-object authority. The Work with Operators screen has Usr (user management) and Adm for all activities related to starting and stopping subsystems and jobs, import/export and so on. iSecurity automatically adds all users listed in Work with Operators to the appropriate product authorization list.
Users may add more operators, delete them, and give them authorities and passwords according to their own judgment. Users can even make the new operators’ definitions apply to all their systems; therefore, upon import, they will work on every system.
The password of the default entries is *BLANK; use DSPPGM GSIPWDR to verify. The default for other users can be controlled as well.
If your organization wants the default to be *BLANK, then the following command must be used:
CRTDTAARA SMZTMPC/DFTPWD *char 10
This command creates a data area called DFTPWD in library SMZTMPC. The data area is 10 bytes long and is blank.
NOTE: When installing iSecurity for the first time, certain user(s) might not have access according to the new authority method. Therefore, the first step you need to take after installing is to edit those authorities.
To modify operators’ authorities:
- Select 89 > 11. Work with Operators from the Action Main Menu (STRACT). The Work with Operators screen appears.
```text
                             Work with Operators
Type options, press Enter.
  1=Select  3=Copy  4=Delete
Auth.level: 1=*USE, 3=*QRY(FW,AU,JR,SU,CT), 5=*DFN(CT,EN,SU), 9=*FULL

User       System FW SC PW CD AV AU AC CA JR SU VS RP CO CT UM EN AD
*AUD#SECAD RLDEV   9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9
*AUDIT     RLDEV   9  9  9  9  9  9
*SECADM    RLDEV   9  9  9  9  9  9
ALEXM      RLDEV   9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9
ALEX3      RLDEV   9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9
AMNON      RLDEV   9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9
DB         RLDEV   9  9  9  9  9  9  9  1  9  9  9  9  9  9  9  9  9
GS         RLDEV   9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9
MARY       RLDEV   9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9
QSECOFR    RLDEV   9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9  9
                                                              More...
FW=Firewall SC=Screen PW=Password CD=Command AU=Audit AC=Action AV=Antivirus
CA=Capture JR=Journal VS=Visualizer UM=User Mgt. AD=Admin RP=Replication
CO=Compliance CT=Chg Tracker EN=Encryption SU=SafeUpd
F3=Exit  F6=Add new  F8=Print  F11=*SECADM/*AUDIT authority  F12=Cancel
```
- Type 1 next to the user to modify user authorities (or press F6 to add a new user). The Modify Operator screen appears.
```text
                               Modify Operator
Operator . . . . . . . . . TEST
System . . . . . . . . . . RLDEV          *ALL, Name
Operator password . . . . . *SAME          Name, *SAME, *BLANK
Auth.level: 1=*USE, 3=*QRY(FW,AU,CT,SU,JR), 5=*DFN(CT,EN,SU), 9=*FULL
Firewall . . . . . . . . . FW 9
Screen . . . . . . . . . . SC 9
Password . . . . . . . . . PW 9
Command . . . . . . . . . . CD 9
AntiVirus . . . . . . . . . AV 9
Audit . . . . . . . . . . . AU 9
Action . . . . . . . . . . AC 9
Capture . . . . . . . . . . CA 9
Journal . . . . . . . . . . JR 9
Safe Update . . . . . . . . SU 9
Visualizer . . . . . . . . VS 9
Replication . . . . . . . . RP 9
Compliance . . . . . . . . CO 9
Change Tracker . . . . . . CT 9
User Management . . . . . . UM 9
Encryption . . . . . . . . EN 9
Administrator . . . . . . . AD 9
The Report Generator is used by most modules and requires 1 or 3 in Audit.
Consider 1 or 3 for your auditors (with 3 they can create/modify queries).
*APR=Approver.
F3=Exit  F12=Cancel
```
Most modules use the Report Generator which requires access to the Audit module. For all users who will use the Report Generator, you should define their access to the Audit module as either 1 or 3. Option 1 should be used for users who will only be running queries. Use option 3 for all users who will also be creating/modifying queries.
- Set authorities and press Enter. A message appears informing you that the user being added/modified has been added to the authority list that secures the product's objects; the user is given *CHANGE authority on the list and will be granted object operational authority. The authority list is created during the installation/release upgrade process. The SECURITY_P user profile is granted *ALL authority, while *PUBLIC is granted *EXCLUDE. All objects in the product's libraries (except some restricted special cases) are secured via this authority list.
Log QSH, PASE activity
To be able to log QSH and PASE activity, the iSecurity Capture module must be installed and active. Capture all screens that can enter QSH or PASE commands.
- Select 81 > 3. Log QSH, PASE activity from the Action Main Menu (STRACT). The Log QSHELL (QSH, PASE) Commands screen appears.
```text
                   Log QSHELL (QSH, PASE) Commands             23/07/19 11:38:19
Type options, press Enter.
Log QSHELL (QSH, PASE) activity . . Y        Y=Yes, N=No
  Audit can log QSH (STRQSH) and PASE (CALL QP2TERM) activities.
  Both are Unix like shell interpreters. Some limitations exist. See manual.
Minutes between collections . . . . 3        99=*NOMAX
  Log collection is partially based on periodic activity.
Notes:
  Audit type CD sub type 8 represents QSH commands.
  Audit type CD sub type 9 represents PASE commands.
  Interactive QSHELL activity is added to QAUDJRN, audit code U type RR.
Prerequisites:
  The module iSecurity/Capture must be installed and active.
  All screens which may enter QSH or PASE commands must be captured.
F3=Exit  F12=Cancel
```
Enter the required parameters and press Enter.
NOTE: Audit type CD sub type 8 represents QSH commands. Audit type CD sub type 9 represents PASE commands. Interactive QSHELL activity is added to QAUDJRN, audit code U type RR.
Enabling Real-Time Detection
In order for Action to send alert messages and run command scripts, you must enable real-time detection and specify several parameters. In addition, you must also enable real-time detection in the Audit, Firewall and Screen applications.
To work with these parameters:
- Select 5. Auto start activities in ZAUDIT from the iSecurity/Base System Configuration screen (STRACT > 81). The Auto Start Activities in ZAUDIT Subsystem screen appears.
```text
              Auto Start Activities in ZAUDIT Subsystem        23/07/19 11:38:43
Type options, press Enter.
Real-Time Auditing (All systems) . . . Y     Y=Yes, N=No
Status & Active jobs . . . . . . . . . Y     Y=Yes, N=No
Firewall & Screen (Action) . . . . . . Y     Y=Yes, A=Always, N=No
  Selecting A will perform Action even if Firewall is in *FYI. (1)
Message Queues (2) . . . . . . . . . . Y     Y=Yes, N=No
Replication of User, Pwd, SysVal . . . N     Y=Yes, N=No
(1) Action must be running in real mode (not in *FYI)
(2) Only message queues marked as Active definition A=Auto start, are started.
F3=Exit  F12=Previous
```
- Type ‘Y’ to automatically start system activities after the activation of subsystem ZAUDIT (as shown above) and press Enter. You are returned to the iSecurity/Base System Configuration menu.
- Select 11. General Definitions from the iSecurity/Base System Configuration menu (STRACT > 81). The Action General Definitions screen appears.
```text
                      Action General Definitions               14/08/25 13:40:54
Work in *FYI* (Simulation) mode . . . . . Y      Y=Yes, N=No
  *FYI* is an acronym for "For Your Information". In this mode, security
  rules are fully operational, but no action is taken.
Log CL script commands . . . . . . . . . 3      1=No, 2=Fails, 3=All
For events processed a long time after they occurred
  Send message only if within . . . . . . 60    Minutes
  Run scripts only if within . . . . . .  60    Minutes
  Do not perform actions for events if the time passed since they have
  occured passed the specified limits.
F3=Exit  F12=Previous
```
- Enter your required parameters and press Enter.
Enabling Real-Time Detection in Audit
To enable real-time detection in Audit, that module must be installed. If not, see your Raz-Lee distributor.
- Select 2. Activation from the Audit main menu. The Activation menu appears.
- Select 1. Activate ZAUDIT subsystem from the Activation menu. Audit starts to work.
Enabling Real-Time Detection in Firewall & Screen
To enable real-time detection in Firewall and Screen, these modules must be installed. See your Raz-Lee distributor for more information.
- Select 81 from the Firewall (STRFW) or Screen (STRSCN) Main menu. The iSecurity (part I) Global Parameters screen appears.
- Select 7. Enable ACTION (CL Script + more) from the iSecurity (part I) Global Parameters menu. The Enable Real-Time Detection screen appears.
```text
                         Enable Real-Time Detection
Real-time detection allows Action to react automatically to security events
generated by Firewall and Screen. When enabled, these events are checked
against pre-defined rules, which trigger alert messages and/or command
scripts. Action must be installed and running in order to take advantage of
this functionality.
If Firewall is working in *FYI mode, Action will NOT perform its activity.
Type options, press Enter.
Enable ACTION for Firewall . . 1       4=By Server definition
                                       1=Global override - Stop using ACTION
                                       2=Global override - Send rejects
                                       3=Global override - Send all
Enable ACTION for Screen . . . N       Y, N
F3=Exit  F12=Previous
```
- Enter 4 to enable real-time detection for Firewall according to the server definitions.
Message Queue
This new unique solution enables real-time auditing on message queues. Users have the option to:
- Modify rules according to all the message queue parameters
- Respond to the message by alerting the user (emails, SMS) and by reacting to it directly (send auto response).

Each message queue is classified into a group ID. This helps distinguish between QSECOFR and other standard users.
Working with Message Queues
To work with message queues:
- Select 14. Message Queue (SysCtl) from the Action Main menu (STRACT > 81). The Message Queues menu appears.
```text
AUMSGM                       Message Queue               iSecurity/SysCtl
                                                         System: S520
Select one of the following:

Settings                                 Build Rules for displayed Msgs
 1. Control Message Queues/QHST          51. Build rules from Displayed Msgs
                                         55. Display History Log (Audit version)
Real-Time Detection Rules
11. Message Queue rules                  Activate MSGQ detection
                                         21. Activate
Set Start                                22. Deactivate
35. Set Start of QHST Time

Selection or command
===>

F3=Exit  F4=Prompt  F9=Retrieve  F12=Cancel  F13=Information Assistant
F16=AS/400 main menu
```
- Select 11. Message Queue rules. The Work with Message Queues screen appears.
- Type 1=Select to modify rules. The Work with Message Queues wizard comprises the Work with Message Queues and Modify Selection Rule screens; a table explaining its fields follows.
```text
                          Work with Message Queues
Rules & Actions for Message Queue          Subset by entry . . . . .
Type option, press Enter.                  by description . . . . .
  1=Select  3=Copy  4=Delete  8=Msg        by classification. . . .  C=Compliance,..
  9=Explanation & Classification
Opt Entry Seq   Act Cont.   Description
    @0    999.9 N   N   N   Default for: Message queue (Group Id 0) @0
    @1    1.0   Y   Y   N   Message queue (Group Id 1)
          999.9 N   N   N   Default for: Message queue (Group Id 1) @1
    @2    999.9 N   N       Default for: Message queue (Group Id 2) @2
    @3    999.9 N   N       Default for: Message queue (Group Id 3) @3
    @4    999.9 N   N       Default for: Message queue (Group Id 4) @4
    @5    999.9 N   N       Default for: Message queue (Group Id 5) @5
    @6    999.9 N   N       Default for: Message queue (Group Id 6) @6
    @7    999.9 N   N       Default for: Message queue (Group Id 7) @7
    @8    999.9 N   N       Default for: Message queue (Group Id 8) @8
    @9    1.0   Y   Y   N   Test
                                                                   More...
F3=Exit  F6=Add New  F8=Print  F11=No/Default  F12=Cancel  F22=Renumber
Modify data, or press Enter to confirm.
```
SMS Definitions
To send alert messages via SMS messaging, you must subscribe to a commercial SMS service. SMS service may be supplied by your cellular telephone provider or an independent service provider. Typically, SMS messages are sent to your supplier via the Internet, and the supplier then forwards the message to the recipient.
Like the pager and e-mail message types described below, SMS messaging through Action does not require any special hardware. However, you may use dedicated hardware if your system is not connected to the Internet.
To work with SMS definitions:
- Select 81 > 14. SMS/Special Definitions from the iSecurity/Base System Configuration menu. The Action SMS/Special Definitions screen appears.
- Set parameters as explained on the screen.
```text
                    Action SMS/Special Definitions              23/07/19 11:40:31
When SMS or Special (usually used for Beeper) options are selected, Action
calls a standard program. See below another option.
In the USA and some other countries, it is possible to use a free SMS or
Beeper service. It is done by sending the message via email. The email
addres is made of the phone number and a cellular provider specific
extension. i.e. number@vtext.com will send SMS to a Verizon number.
To use, enter the full email address, instead of the phone number. Action
will send an email to the Destination with the Message text.
You may override this method. To do so, create a program AUALR6R for SMS,
or AUALR7R for Special in library SMZ4DTA.
When called, these programs receives the parameters:
  - Destination (A 64)
  - Message (A 1000)
Example programs are in SMZ4/AUSOURCE AUALR6R and AUALR7R.
F3=Exit  F12=Cancel
```
Please contact your local distributor for additional assistance with SMS definitions.
E-Mail Definitions
Before Action can send e-mail messages, your System i must be properly configured to send e-mail and at least one e-mail user must be defined in the Directory Entries table (WRKDIRE). This procedure can be quite complex and is beyond the scope of this manual. Please refer to the appropriate IBM documentation for more details on these procedures.
To configure Action to send e-mail messages, perform the following steps in order:
- Select 81 > 13 from the iSecurity/Base System Configuration menu. The E-Mail Definitions screen appears.
```text
                           E-mail Definitions                   23/10/24 10:17:08
Type options, press Enter.
E-mail Method . . . . . . . 3            1=Not secured, 3=Secured, 9=None
Reply to mail address . . . NOREPLY
  Use an existing address. Some SMTP servers check this.
For Secured E-mail Support
Mail (SMTP) server name . . smtp.ionos.com              Mail server, *LOCALHOST
  Use the Mail Server as defined for outgoing mail.
Port . . . . . . . . . . . 587           SSL Secured  Y    Y=Yes, N=No
If Secured,
E-mail user . . avdb@razleesecurity.com
Password  . . . ************************
F3=Exit  F10=Verify E-mail configuration  F12=Cancel
```
- Enter the required parameters and press Enter.
Advanced Messaging (Central Adm.)
SIEM Support
Numerous iSecurity products integrate with SEM/SIEM systems by sending security alerts to these systems instantaneously; web-based alerts are supported using Twitter (www.twitter.com), which can transmit up to 1000 lines per second. Message alerts contain detailed event information about application data changes, deletes or reads of objects and files, emergency changes in user authorities, IFS viruses detected, malicious network access to the System i, and more.
Syslog Parameters
The syslog standards LEEF and CEF send data in Field mode, that is, as pairs of Field name and Field value. QHST, QSYSOPR and other message queues are supported in LEEF and CEF field mode. UDP, TCP and TLS (encrypted) protocols are supported; once the settings are turned on, the SIEM can receive the message and make it legible for the Syslog administrator. Standard message support for edited messages and replacement values also exists, so information can be sent in any free format as well as in LEEF and CEF.
To send syslog messages for SIEM:
- Select 81 > 30. Main Control. The Main Control for SIEM & DAM screen is displayed.
```text
                      Main Control for SIEM & DAM               23/07/19 11:48:50
Run rules before sending . . . N       Y=Yes, N=No
Send SYSLOG Messages to SIEM
  SIEM 1: kiwi . . . . . . . . N       Y=Yes, N=No, A=Action only
  SIEM 2: VictorPC . . . . . . Y       Y=Yes, N=No, A=Action only
  SIEM 3: QRADAR . . . . . . . N       Y=Yes, N=No, A=Action only
  Use Action-Only to send syslog messages from Action, without QAUDJRN info.
  To increase performance, add SIEM Processors by ADDAJE JOB(AU..n) n=SIEM ID.
Send JSON messages (for DAM). . N      Y=Yes, N=No
As only operation . . . . . . . N      Y=Yes, N=No
  If Y, information is not collected, and no other functionality is performed.
Skip info if SIEM is inactive . Y      Y=Yes, N=No
  Y is recommended, unless it is the only operation.
Note: Re-activate subsystem after changes.
F3=Exit  F12=Cancel
```
- Enter the required parameters and press Enter.
Triple Syslog Definitions (#1-#3)
Events from IBM i, and the different Audit entry types, are sent to a remote SYSLOG server according to a range of severities such as emergency, alert, critical, error, warning and more. When Send SYSLOG messages (for SIEM) is set to Yes in the Main Control for SIEM & DAM definitions, the product automatically sends all events that fall within the "Severity" range to auto send, using the selected message structure, as described in the table below.
The option to use more than one SIEM is implemented on a separate job per SIEM. This is enabled by an intermediate buffer which assists SIEM to overcome communication problems or SIEM downtime, while sending a message to QSYSOPR when the buffer is full or processes are delayed. For this purpose Triple Syslog definitions are required, which are described in this section.
To configure SIEM message structure:
- Select 81 > 31/32/33. SIEM 1, SIEM 2, SIEM 3 in the iSecurity/Base System Configuration menu. The selected SIEM Definitions screen is displayed.
```text
                          SIEM 1 Definitions                    23/07/19 11:52:10
SIEM 1 name . . . . . . . . . . Kiwi            Port: 514
SYSLOG type . . . . . . . . . . 1               1=UDP, 2=TCP, 3=TLS
Destination address . . . . . . 1.1.1.129
"Severity" range to auto send . 0 - 5           Emergency - Notice (significant)
"Facility" to use . . . . . . . 22              Local use 6 (Local6)
Msg structure or *LEEF, *CEF  . *CEF
  *LEEF, *CEF, *CEF-SPLUNK, or mix variables and constants (ex & %):
  &1=First level msg  &3=Msg Id.  &4=System  &5=Module  &6=IP
  &7=Audit type  &E=SubType  &8=Host name  &9=User
  &H=Hour  &M=Minute  &S=Second  &X=Time  &d=Day in month  &m=Month (mm)
  &y=Year (yy)  &x=Date  &a/&A=Weekday (abbr/full)  &b/&B=Month name (abbr/full)
Convert data to CCSID . . . . . 0               0=Default, 65535=No conversion
Maximum length  . . . . . . . . 1024            128-9800
Note: Re-activate subsystem after changes.
F3=Exit  F12=Cancel  F22=Set SYSLOG handling per audit sub-type
```
| Parameter | Description |
|---|---|
| SIEM # name | The name of the Syslog |
| Port | The port the Syslog is listening to, according to the SYSLOG type |
| SYSLOG type | 1=UDP, 2=TCP, 3=TLS (SYSLOG over TLS uses port number 6514) |
| Destination address | Enter the destination IP address (without quotes) |
| Severity range to auto send | Enter the severity range at which the SYSLOG message will be sent: 0-7 (Emergency – Debug) |
| Facility to use | Enter the facility from which the SYSLOG message will be sent |
| Message Structure | Two built-in message structures are available which send data in Field Mode as pairs of Field name and Field value: *LEEF = Log Event Extended Format; *CEF = Common Event Format. Alternatively, use mixed variables and constants (ex & %). (For more information on LEEF/CEF, see Original Input Formats.) |
| Convert data to CCSID | 0 = Default, 65535 = No conversion |
| Maximum length | 128 - 9800 |
- Enter the required parameters and press Enter.
Syslog simulation
To see how the Syslog definitions work without actually setting up the software on an IP address and to receive the Syslog messages:
- Download Kiwi Syslog Server from http://www.kiwisyslog.com
- Enter the PC's IP address in the Destination address field on the Syslog definition screen. Entering the Get Authority on Demand (GETAOD) command writes a Syslog message, which can be seen immediately in the Kiwi Syslog Server.
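To see what the Facility, "Severity" range to auto send and message-structure settings of the SIEM Definitions screen produce on the wire, and what a receiver such as the Kiwi simulation decodes from the `<PRI>` header, here is an added Python example; it is not Raz-Lee code. It assumes the standard syslog PRI encoding (facility × 8 + severity, RFC 3164/5424), a constructed event record for the &-variables, and an illustrative generic CEF field layout (the product's actual *CEF layout is not documented on this page).

```python
"""Added illustration of the SIEM syslog settings above (not Raz-Lee code).
Assumptions not taken from the manual: PRI is encoded as facility*8 + severity
(RFC 3164/5424); the event record, the mixed template and the CEF field
names are constructed for this example only."""
import re
from datetime import datetime

LOCAL6 = 22          # "Facility to use . . 22   Local use 6 (Local6)"
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]
SAMPLE_TIME = datetime(2019, 7, 23, 11, 52, 10)   # constructed timestamp

# Constructed sample event keyed by the &-variables listed on the SIEM screen.
SAMPLE_EVENT = {
    "&1": "Password failure for user QSECOFR",   # first level msg
    "&3": "AUD0001",                             # msg id (made up)
    "&4": "RLDEV", "&5": "Audit", "&6": "10.0.0.7",
    "&7": "PW", "&E": "A", "&8": "rldev.example", "&9": "QSECOFR",
}

def syslog_pri(facility: int, severity: int) -> int:
    """PRI = facility*8 + severity; severity 0=Emergency .. 7=Debug."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23, severity 0-7")
    return facility * 8 + severity

def in_auto_send_range(severity: int, low: int = 0, high: int = 5) -> bool:
    """The 'Severity range to auto send' filter (0 - 5 on the screen)."""
    return low <= severity <= high

def render_structure(template: str, event: dict, when: datetime) -> str:
    """Expand a mixed variables-and-constants structure (&1, &9, &H ...)."""
    subs = dict(event)
    subs.update({"&H": when.strftime("%H"), "&M": when.strftime("%M"),
                 "&S": when.strftime("%S"), "&d": when.strftime("%d"),
                 "&m": when.strftime("%m"), "&y": when.strftime("%y")})
    return re.sub(r"&[0-9A-Za-z]",
                  lambda m: subs.get(m.group(0), m.group(0)), template)

def cef_body(event: dict, severity: int) -> str:
    """Generic CEF line: CEF:0|Vendor|Product|Version|SigID|Name|Sev|ext.
    Header fields escape '|' and '\\'; extension values escape '=' and '\\'."""
    hdr = lambda v: v.replace("\\", "\\\\").replace("|", "\\|")
    ext = lambda v: v.replace("\\", "\\\\").replace("=", "\\=")
    extension = (f"suser={ext(event['&9'])} src={event['&6']} "
                 f"dhost={ext(event['&8'])} cat={event['&7']}/{event['&E']}")
    return (f"CEF:0|Raz-Lee|iSecurity {hdr(event['&5'])}|1|{hdr(event['&3'])}"
            f"|{hdr(event['&1'])}|{severity}|{extension}")

def build_syslog_line(facility: int, severity: int, host: str,
                      body: str, when: datetime) -> str:
    """RFC 3164 style datagram: <PRI>Mmm dd hh:mm:ss HOST body."""
    pri = syslog_pri(facility, severity)
    return f"<{pri}>{when.strftime('%b %d %H:%M:%S')} {host} {body}"

def parse_pri(line: str):
    """Receiver side (what Kiwi does first): recover facility and severity."""
    m = re.match(r"^<(\d{1,3})>(.*)$", line, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a syslog line with a valid <PRI> header")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)

if __name__ == "__main__":
    for sev in (3, 6):   # Error falls inside 0-5, Informational does not
        if not in_auto_send_range(sev):
            print(f"severity {sev} ({SEVERITY_NAMES[sev]}): not auto-sent")
            continue
        line = build_syslog_line(LOCAL6, sev, "RLDEV",
                                 cef_body(SAMPLE_EVENT, sev), SAMPLE_TIME)
        print(line, parse_pri(line)[:2])
```

With facility 22 and severity 3 the header is `<179>`, which a receiver decodes back to Local6/Error; an Informational (6) event is dropped by the 0-5 range before anything is sent.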
JSON Definitions
- Select 34. JSON Definitions (for DAM) from the iSecurity/Base System Configuration menu. The JSON Definitions screen appears.
```text
                          JSON Definitions                      23/07/19 12:06:27
Type choices, press Enter.
Type . . . . . . . . . . 2               1=UPD, 2=TCP
Port . . . . . . . . . . 2001
Destination address . . . 85.147.173.33
Convert data to CCSID . . 0              0=Default, 65535=No conversion
F3=Exit  F12=Cancel
```
- Enter the required parameters and press Enter.
SNMP Definitions
You can use SNMP traps to supplement your SIEM data and increase security on your system.
- Select 36. SNMP Definitions from the iSecurity/Base System Configuration menu. The SNMP Definitions screen appears.
```text
                          SNMP Definitions                      23/07/19 12:07:53
SNMP Support
Generate SNMP Traps . . . . . Y          Y=Yes, N=No, A=Action only
  The selection which messages to send is taken from the SYSLOG definition screen.
F3=Exit  F12=Cancel
```
- Type Y to generate SNMP traps to monitor network-attached devices for conditions that warrant administrative attention.
NOTE: The selection of which messages to send is taken from the SYSLOG definition screen.
To trigger and receive alerts, define an Alert Message in Action (use 31. Work with Actions in the Action Main menu).
