Exporting IBM i Data to Syslog

Transcription

1 Exporting IBM i Data to Syslog A White Paper from Safestone Technologies By Nick Blattner, System Engineer

2 Contents Overview... 2 Safestone... 2 SIEM consoles... 2 Parts and Pieces... 3 Putting it all Together... 3 Conclusion... 4 About Safestone... 5 Safestone s Solutions for Audit and Compliance

3 Overview Exporting security information from IBM i to other platforms can be challenging, particularly to enterprise-class security consoles. A few of the issues that are encountered include capturing data in real-time on IBM i, filtering the events, and formatting the data for the console on the remote platform. Safestone Technologies developed iconnect to meet these challenges and extend SIEM consoles to incorporate IBM i security events. The IBM i (i5/os) generates an immense amount of security data in its logs and journals. iconnect monitors, captures, filters and formats this data into relevant security event messages and transfers them to syslog console for subsequent correlation and aggregation. iconnect captures over 300 different events, including: - Network Access Object Changes User Profile Details System Journal Entries SQL commands System History Log Entries The events can be sent from your IBM i on a schedule that you determine, and can be reported on as often as every minute to once a day, depending on individual requirements. iconnect is preconfigured with a wide selection of security events, and it is also extensible. If you want to add IBM i events that are not preconfigured, or even your own application events, iconnect is able to support this. Safestone Safestone has been providing IBM i security solutions for 25 years. DetectIT is the security suite of products that customers use to secure their systems; iconnect is included in the suite. SIEM consoles There are many providers of Security Information and Event Management consoles who solve organizations most complex and sensitive security challenges. These consoles transform raw log and event data into critical information, to help organizations simplify compliance, identify and respond to high-risk events, and optimize IT and network operations. All the consoles correlate syslog data because the events can be critical to creating a complete picture of what is happening in real-time. Safestone s iconnect will capture security events and feed them to syslog, allowing the IBM i data to be correlated with any other server s security information. 2

4 Parts and Pieces A number of components make up the environment that captures and moves the events to the console. Once they have been broken down to their component parts, it is easier to understand what is captured, and what architecture is required to move the events from IBM i. DetectIT is an IBM i application. It is a suite of modules designed to convert raw i5/os security events into relevant security information. It was originally designed to create audit reports to document compliance for internal and external auditors, but was architected such that it was easy to capture security events for other purposes. iconnect uses several of these modules, including Security Audit and Detection and Network Traffic Controller to capture the events you want to see. The following section explains some details of these modules and what they do: - The Security Audit and Detection module is designed to capture system audit journal (QAUDJRN) events, and history log (QHST) activity. Events from these two sources make up the majority of security events that administrators and auditors will want to see. Security Audit and Detection includes filtering to select specific QAUDJRN events, so you don t have to collect everything. This flexibility is essential for minimizing performance issues and to reducing data collection that doesn t provide security value. The Network Traffic Controller module uses the IBM TCP/IP and Host Server exit points to capture network traffic. Remote connections like FTP or ODBC (Object DataBase Connectivity) can be monitored at a granular level including the user, source and destination IP addresses, and the details of the activity itself. This information can t be captured natively in i5/os; only the exit points can allow you to see it. There is filtering available in Network Traffic Controller too, so that repetitive traffic that isn t important can be excluded. Both modules collect the data into a repository, and also support sending the events to external sources like message queues, and syslog. Sending events to syslog is what makes DetectIT so powerful and flexible, since all SIEM consoles understand this protocol. IBM i supports syslog natively in the PASE environment and DetectIT includes a syslog daemon to write the events to it. iconnect uses the remote syslog function to export the events from syslog on IBM i to syslog referenced by an SIEM console. Putting it all Together Having examined the various elements of iconnect, they can now be put together. Most iconnect customers already have a SIEM console installed and want to see IBM i events in it. They install DetectIT on the IBM i, which can be administered using the traditional green-screen interface or from a GUI installed on the administrator s PC. Configuration can be completed in a couple of hours, and there is detailed documentation for configuring DetectIT and syslog. The biggest challenges facing an administrator are usually network issues, such as open firewalls, so that syslog events can be sent from DetectIT to the remote syslog, or name resolution issues. 3

5 The diagram below illustrates how the process works. Conclusion iconnect is a powerful application that allows any IBM i event to be exported to a SIEM console. It uses several modules in the DetectIT security suite to capture system journal, history log, and network traffic events. Filtering is available to control the volume and type of events collected, and scheduling to control when. The events are sent to syslog running in the PASE environment on the IBM i, and from there they are sent using native remote syslog to the console. iconnect will feed security information to any console that supports syslog, which makes it a valuable tool for any organization running an enterprise security console. 4

6 About Safestone Safestone is the leading supplier of security, audit and compliance solutions for IBM Power Systems (i, AIX, Linux). Their module-based solutions are flexible, scalable, easy to implement and use and they address all varying degrees of audit, compliance and security requirements. An Advanced IBM Business Partner and long-standing member of the IBM i ISV Advisory Council, Safestone helps businesses meet compliance regulations (Sarbanes-Oxley, PCI DSS, Basel II, HIPAA) and information. Partner of choice for global financial and banking institutions with the most stringent security and compliance requirements, Safestone provides the most comprehensive solution in System i security to over 500 blue-chip customers worldwide. Their global network, developed over more than 25 years provides localized sales, consultancy and professional services to help organizations manage all their System i security requirements. Safestone s Solutions for Audit and Compliance Security Audit and Detection comprehensive real time intrusion detection and alerting allowing pro-active management of security events and potential breaches. Risk & Compliance Monitor identifies policy compliance vulnerabilities by reporting against off-the-shelf policies (Sarbanes-Oxley, PCI DSS, Basel II, ISO 27002, etc.), and in so doing helping to prepare organizations for audit. Powerful User Passport enables system administrators to limit the number of powerful users. It provides auditors and management a comprehensive audit trail of user activities. DetectIT Password Self-Help enables users to reset their own passwords on System i immediately, without needing to call the Help Desk and wait for the request to be processed. The user is presented with a series of challenge-response questions to validate their authenticity. If approved, the password reset is made instantly. Compliance Center is a powerful and flexible query-based reporting solution that simplifies the task of collecting and converting a vast array of audit, compliance and security events into compliance reports. Reports can be scheduled and automated with easy-to-read graphics. User Profile Manager provides full identity management systems across multiple System i machines / partitions. For more information please contact: - [email protected] Call: (US) or +44 (0) (UK) 5