Configuration Guide
IBM iseries AS/400
Last Modified: Tuesday, March 11, 2014

Event Source (Device) Product Information
  Vendor: IBM
  Event Source (Device): iseries AS400
  Supported Versions: V5R2 and above
  Additional Downloads:
    For FTP: auditpgm.txt, ftpscript.txt, ftemplate.txt, chkftp.txt
    For SFTP: auditsftp.txt, sftpcmd.txt

RSA Product Information
  Supported Version: RSA envision 4.0 and 4.1
  Event Source (Device) Type: iseries, 58
  Collection Method: File Reader
  Event Source (Device) Class.Subclass: Host.Mainframe
  Content 2.0 Table: Mainframe

This document contains the following information for the IBM iseries event source:
  Configuration Instructions
  Release Notes 20140311-145050
  Release Notes 20140109-164535
  Release Notes 20131211-220046
  Release Notes 20130827-213206
  Release Notes 20121024-162733

Copyright 2012 EMC Corporation. All Rights Reserved.
IBM iseries AS/400 Configuration Instructions

Configure IBM iseries

You can set up the IBM iseries event source to send log information to the RSA envision platform using either FTP or SFTP.

To configure IBM iseries:

1. Follow these steps to download the files that you need.
   Note: The files are available on RSA SecurCare Online (SCOL) and on the envision appliance.
   a. Log on to SecurCare Online (SCOL).
   b. In the Browse by Product Family section, click RSA envision.
   c. From the navigation pane at the top, select Documentation, and click RSA envision Device Configurations.
   d. From the list, find the IBM iseries (AS400) event source. Select the appropriate files, depending on your transfer protocol:
      - To use FTP for transferring log data, download auditpgm.txt, ftemplate.txt, and ftpscript.txt.
      - To use SFTP for transferring log data, download auditsftp.txt and sftpcmd.txt.
2. Set up and run the appropriate files. For details, see Script File Details.
3. Add IBM iseries to the NIC File Reader Service.
   a. Log on to the envision platform with administrator credentials.
   b. Select Overview > System Configuration > Services > Device Services > Manage File Reader Service.
   c. Click Add.
   d. Complete the fields as follows.
      Field             Action
      IP address        Enter the IP address of your IBM iseries event source.
      File reader type  Select ISERIES.
   e. Ensure that Start File Reader Service on Apply is selected.
   f. Click Apply.
Script File Details

There are three command files: auditpgm.txt, auditsftp.txt, and chkftp.txt. These files write audit data to a file and then transfer the data to the RSA envision platform. The auditpgm.txt and auditsftp.txt files both transfer data from the iseries to the envision platform. Note the following differences between the auditpgm.txt and auditsftp.txt files:

- The auditpgm.txt program uses FTP for file transfers. The chkftp.txt subroutine is required for FTP error checking. The AUDITLIB/FTPOUT file is required; the chkftp.txt compile fails if the AUDITLIB/FTPOUT file has not been created.
- The auditsftp.txt program uses SFTP, and also performs the following tasks:
  - converts the audit extract file from one database file type to another database file type
  - converts the new file from EBCDIC to ASCII
  - copies the database file to an Integrated File System file that is input to the SFTP step

Note: The chkftp.txt subroutine is not required if you use auditsftp.txt.

There is an option for auditpgm.txt and auditsftp.txt to dynamically create an FTP / SFTP command file. If selected, this option generates an FTP / SFTP command file each time that auditpgm.txt or auditsftp.txt runs. The dynamically created FTP / SFTP command file contains a put statement with a unique receiving (to) file name, built by appending the date and time to the receiving file name. The date and time component of the file name is in _YYMMDD_HHMMSS format. For example, the put statement generated for an audit data file created on September 20, 2012 at 03:35:15 would look like the following if you are using auditpgm.txt:

    PUT AUDITLIB/AUDITDTA.AUDITDTA ISERIES_A.B.C.D/auditdta_120920_033515.txt

and like this if you are using auditsftp.txt:

    put /home/auditlib/auditdta.txt ISERIES_A.B.C.D/auditdta_120920_033515.txt

To use this option, see the instructions for setting the &BLDFTPFLAG program variable in auditpgm.txt (for FTP) or auditsftp.txt (for SFTP).
Additional instructions for dynamically creating an FTP command file are provided in auditpgm.txt, ftpscript.txt, and ftemplate.txt. Additional instructions for dynamically creating an SFTP command file are provided in auditsftp.txt and sftpcmd.txt. The default is for the static ftpscript.txt command file to be used for auditpgm.txt FTP commands, and for the static sftpcmd.txt command file to be used for auditsftp.txt SFTP commands.
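As an added illustration (not part of the RSA guide or its CL scripts), the following Python reproduces the receiving-file naming rule of the dynamic command-file option and the placeholder substitution that the static ftpscript.txt / sftpcmd.txt files require. The function names, the refusal to emit a file that still carries the placeholder, and the constructed template line are assumptions of this example.

```python
from datetime import datetime

# Source paths quoted in the guide: FTP puts the AS/400 database file,
# SFTP puts the IFS copy produced by the EBCDIC-to-ASCII conversion step.
SOURCE_PATHS = {
    "ftp": ("PUT", "AUDITLIB/AUDITDTA.AUDITDTA"),
    "sftp": ("put", "/home/auditlib/auditdta.txt"),
}
# Placeholder shipped in ftpscript.txt / sftpcmd.txt (and in &IPADDR).
PLACEHOLDER_IP = "10.100.255.255"


def receiving_name(created: datetime) -> str:
    """Unique receiving (to) file name: auditdta_YYMMDD_HHMMSS.txt."""
    return "auditdta_" + created.strftime("%y%m%d_%H%M%S") + ".txt"


def put_statement(protocol: str, iseries_ip: str, created: datetime) -> str:
    """Build the put line the dynamic option writes into the command file.

    iseries_ip is the event-source address (&IPADDR); it selects the
    ISERIES_<ip> directory on the envision appliance. The timestamped name keeps
    each run's extract distinct, so a later put cannot overwrite an earlier one.
    """
    if iseries_ip == PLACEHOLDER_IP:
        raise ValueError("&IPADDR still holds the placeholder " + PLACEHOLDER_IP)
    verb, source = SOURCE_PATHS[protocol.lower()]
    return f"{verb} {source} ISERIES_{iseries_ip}/{receiving_name(created)}"


def render_static_script(template: str, iseries_ip: str) -> str:
    """Substitute ISERIES_10.100.255.255 in a static command file (ftpscript.txt
    or sftpcmd.txt); reject the result if any copy of the placeholder survives."""
    rendered = template.replace("ISERIES_" + PLACEHOLDER_IP, "ISERIES_" + iseries_ip)
    if PLACEHOLDER_IP in rendered:
        raise ValueError("placeholder IP address was not fully replaced")
    return rendered


def guide_example_lines() -> dict:
    """The two put lines the guide shows for an extract created 2012-09-20 03:35:15."""
    when = datetime(2012, 9, 20, 3, 35, 15)
    return {p: put_statement(p, "A.B.C.D", when) for p in ("ftp", "sftp")}


if __name__ == "__main__":
    for line in guide_example_lines().values():
        print(line)
```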
Set up the IBM iseries Command File

There are three script files:

sftpcmd.txt    This SFTP script is called by program AUDITLIB/AUDITSFTP to send the audit data to the envision platform.
ftpscript.txt  This FTP script is called by program AUDITLIB/AUDITPGM to send the audit data to the envision platform.
ftemplate.txt  This FTP script is required by program AUDITLIB/AUDITPGM to dynamically generate a QCLSRC/FTPSCRIPT file if the dynamic FTP script creation option is chosen.

To set up the iseries command file:

1. Follow the program setup instructions in the command file for the transfer protocol (FTP or SFTP) that you are using:
   - If you are using FTP, use auditpgm.txt and chkftp.txt.
   - If you are using SFTP, use auditsftp.txt.
   Note: After you transfer a script file to the iseries platform, set its CL program member type to CLP.
2. In the instructions for the command file, you need to replace some text with the actual IP address of the iseries event source on the envision appliance. The ftpscript.txt and sftpcmd.txt command files each have a line with a placeholder for a directory name on the envision appliance: ISERIES_10.100.255.255. You need to replace "10.100.255.255" with the actual IP address of the iseries event source that you use.
   Note: If you select the dynamic FTP/SFTP command file creation option, you must replace the value in the &IPADDR program variable in auditpgm.txt (for FTP) or auditsftp.txt (for SFTP) with the actual IP address of the iseries event source.
3. If you are using auditpgm.txt, be sure to follow the instructions for creating the AUDITLIB/FTPOUT file before compiling chkftp.txt. The AUDITLIB/FTPOUT file contains the FTP output.
   Note: The chkftp.txt compile fails if you do not create this file prior to compiling the subroutine.
4. Follow the program run instructions in the appropriate file to transfer the log data to the envision platform.
Selecting Specific Entry Types to Collect

The auditpgm.txt or auditsftp.txt CL program automatically selects all Entry Types for Journal Code T. To select specific Entry Types, you can add an ENTTYP parameter to the DSPJRN command, for example:

    ENTTYP(AF CA CP CY SO VN PW VP VR)

Starting the Collection Process from the Present Time

If you have been writing to the iseries journal for a period of time and are concerned about running the script files for the first time, you may want to follow one of these suggestions to start the collection process at the present time, rather than at some time in the past:

- Comment out the FTP line at the bottom of auditpgm.txt for the first run.
- Pre-populate the AUDITLIB/TIME and AUDITLIB/DATE files with the date from which to start collecting.

Otherwise, the script uses the last time that the audit data was read from the Audit Journal (QAUDJRN).
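The following Python is an added example, not code from the RSA guide or its scripts: it assembles the DSPJRN command with an ENTTYP selection and checks the requested codes against the entry-type table later in this guide, so a selection that names a type envision does not parse is caught before the CL program is edited. The function names are assumptions, as is the choice of OUTPUT(*OUTFILE) and OUTFILE(AUDITLIB/AUDITDTA) to direct the extract to the audit data file the scripts transfer.

```python
# Entry types listed in the guide's table "iseries Audit Journal (QAUDJRN)
# Entry Types Supported by the RSA envision Platform".
SUPPORTED_ENTRY_TYPES = frozenset("""
AD AF AP AU CA CD CO CP CQ CU CV CY DI DO DS EV GR GS IP IR IS JD JS KF LD ML
NA ND NE O1 O2 O3 OM OR OW PA PG PO PS PW RA RJ RO RP RQ RU RZ SD SE SF SG SK
SM SO ST SV VA VC VF VL VN VO VP VR VS VU VV X0 YC YR ZC ZR
""".split())


def check_entry_types(selection):
    """Split a requested ENTTYP list into codes in the supported table and codes outside it."""
    wanted = [code.upper() for code in selection]
    supported = [code for code in wanted if code in SUPPORTED_ENTRY_TYPES]
    unsupported = [code for code in wanted if code not in SUPPORTED_ENTRY_TYPES]
    return supported, unsupported


def enttyp_parameter(selection):
    """Render ENTTYP(...); an empty selection means *ALL, the scripts' default behaviour."""
    if not selection:
        return "ENTTYP(*ALL)"
    return "ENTTYP(" + " ".join(code.upper() for code in selection) + ")"


def dspjrn_command(selection, outfile="AUDITLIB/AUDITDTA"):
    """Assemble DSPJRN for journal code T with the requested entry types.

    JRNCDE((T)) restricts the extract to audit (T) entries, as the CL programs do.
    OUTPUT(*OUTFILE)/OUTFILE(...) are assumed here to write the extract that the
    scripts then transfer; confirm against the run instructions in auditpgm.txt
    or auditsftp.txt before changing the shipped command.
    """
    supported, unsupported = check_entry_types(selection)
    if unsupported:
        raise ValueError("entry types not in the supported table: " + " ".join(unsupported))
    return ("DSPJRN JRN(QAUDJRN) JRNCDE((T)) " + enttyp_parameter(supported)
            + " OUTPUT(*OUTFILE) OUTFILE(" + outfile + ")")


if __name__ == "__main__":
    # The guide's own example selection.
    print(dspjrn_command(["AF", "CA", "CP", "CY", "SO", "VN", "PW", "VP", "VR"]))
```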
iseries Audit Journal (QAUDJRN) Entry Types Supported by the RSA envision Platform

Entry  Description
AD     Auditing changes
AF     Authority failure
AP     Obtaining adopted authority
AU     Attribute changes
CA     Authority changes
CD     Command string audit
CO     Create object
CP     User profile changed, created, or restored
CQ     Change of *CRQD object
CU     Cluster Operations
CV     Connection verification
CY     Cryptographic Configuration
DI     Directory Server
DO     Delete object
DS     DST security password reset
EV     System environment variables
GR     Generic record
GS     Socket description was given to another job
IP     Interprocess Communication
IR     IP Rules Actions
IS     Internet security management
JD     Change to user parameter of a job description
JS     Actions that affect jobs
KF     Key ring file
LD     Link, unlink, or look up directory entry
ML     Office services mail actions
NA     Network attribute changed
ND     APPN directory search filter violation
NE     APPN end point filter violation
O1     Optical Access Single File or Directory
O2     Optical Access Dual File or Directory
O3     Optical Access Volume
OM     Object move or rename
OR     Object restore
OW     Object ownership changed
PA     Program changed to adopt authority
PG     Change of an object's primary group
PO     Printed output
PS     Profile swap
PW     Invalid password
RA     Authority change during restore
RJ     Restoring job description with user profile specified
RO     Change of object owner during restore
RP     Restoring adopted authority program
RQ     Restoring a *CRQD object
RU     Restoring user profile authority
RZ     Changing a primary group during restore
SD     Changes to system distribution directory
SE     Subsystem routing entry changed
SF     Actions to spooled files
SG     Asynchronous Signals
SK     Secure sockets connections
SM     Systems management changes
SO     Server security user information actions
ST     Use of service tools
SV     System value changed
VA     Changing an access control list
VC     Starting or ending a connection
VF     Closing server files
VL     Account limit exceeded
VN     Logging on and off the network
VO     Validation list actions
VP     Network password error
VR     Network resource access
VS     Starting or ending a server session
VU     Changing a network profile
VV     Changing service status
X0     Network authentication
YC     DLO object accessed (change)
YR     DLO object accessed (read)
ZC     Object accessed (change)
ZR     Object accessed (read)
IBM iseries AS/400 Release Notes (20140311-145050)

New and Updated Event Messages in IBM iseries AS/400

For complete details on new and updated messages, see the Event Source Update Help.
IBM iseries AS/400 Release Notes (20140109-164535)

What's New in This Release

RSA has updated Content 2.0 table information for IBM iseries AS/400.

New and Updated Event Messages in IBM iseries AS/400

For complete details on new and updated messages, see the Event Source Update Help.

IBM iseries AS/400 Release Notes (20131211-220046)

New and Updated Event Messages in IBM iseries AS/400

For complete details on new and updated messages, see the Event Source Update Help.

IBM iseries AS/400 Release Notes (20130827-213206)

What's New in This Release

RSA has updated the IBM iseries AS/400 event source to Content 2.0. Content 2.0 features new tables and improvements to the parsing of event data into variables in those new tables. For rules and reports, note the following:

- For factory reports, as existing event sources are converted to Content 2.0, their device-specific reports are updated to work with the new content. In some cases, class-specific reports have replaced device-specific reports.
- Factory correlated rules have been modified to take advantage of the improved tables, variables and parsing.
- Custom rules that involve event sources updated to work with Content 2.0 need to be rewritten.
- Custom reports may not produce the same results as previously. For guidance on updating custom reports, see the accompanying table documentation and the RSA envision Content Inspection Tool guide.

New and Updated Event Messages in IBM iseries AS/400

For complete details on new and updated messages, see the Event Source Update Help.

IBM iseries AS/400 Release Notes (20121024-162733)

What's New in This Release

RSA has updated scripts for IBM iseries AS/400.