Solved

Report on Signon and Failed Signon attempts AS400 V5R4

Posted on 2011-09-02
3,595 Views
Last Modified: 2013-12-06
Hi,

I need to create a audit report for all signon and signoff attempts.

I would like something like

User ID   |    Time/Date   |    IP Address   |   Signon

I have enabled auditing in Go SecTools option 10
Is there an easy way to generate this report?

Thanks, Joe
Question by:joe90kane
7 Comments
 
LVL 34

Expert Comment

by:Gary Patterson
ID: 36476029
Joe,

Security auditing isn't really designed to track signon and signoff activities (you can track -failed- logons due to a bad password by querying for PW entries, however).  Chapter 9, Appendix E, and Appendix F explain auditing in detail, including how the audit journals are laid out, how to extract data for reporting, etc.

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/books/sc415302.pdf

The "Job Notification Exit Point" (QIBM_QWT_JOBNOTIFY) is probably a better way to get what you want.  You can write a program (or buy packaged software) that monitors this exit point and logs the data to a database file that you can later query when you need to produce your reports.  This exit point works a little differently from most others, in that you associate a data queue instead of a program.

When a relevant event occurs, and this exit point is enabled, the system will put an entry on the specified data queue.  You would typically write a never-ending program to monitor this queue and write entries out to a database file that you can later query to generate your report, or you could run a scheduled process to empty out the queue from time to time.  This second approach is liable to result in a very large data queue object on a busy system, however.

Here are the docs for this exit point: http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Fapis%2Fxjobntfy.htm
Example Data Queue processing programs:  http://systeminetwork.com/article/apis-example-data-queue-apis-and-cl-commands-part-4
A couple of freeware programs (I haven't used them) that use this exit point to log batch and interactive job activity: http://www.help400.de/Eng/Freeware.htm

I hate to throw another wrinkle at you, but, can you define what is considered a "signon" or "signoff" for the purpose of this request?  The Job Notify exit point is great for activities that cause a brand new job to be initiated (or ended), like Telnet logon, terminal logon, Host On Demand logon, and STRPASTHR.

It isn't so useful with services that make use of prestart jobs, like the Client Access host server jobs:

Network print server
Remote command and distributed program call server
Central server
Database server
Secure database server
File server
Secure file server
Data queue server
Signon server (unique to servers using sockets communications support)

These server jobs provide users with access to the AS/400 database, the ability to run system commands through various facilities, the ability to access spooled files, and much more.

Other services, such as some of the TCP servers (FTP, for example) also operate in a similar manner.

Even though the user enters a user ID and password to access these services, a new job is often not created.  Instead, the user is attached to an existing pre-started job, and the job's security context is switched to run under the user's profile temporarily.  When the user disconnects or logs off, the job is not terminated - it just switches back to run under a system profile.

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=%2Frzaii%2Frzaiimstprestrtjob.htm
http://www.ibmsystemsmag.com/ibmi/administrator/systemsmanagement/Managing-TCP-IP/?page=2

So, depending on the purpose of the audit report, you may need to consider tracking logon and logoff to these (and other server-type jobs) facilities.  IBM provides Exit Points for most or all of these servers.  If you need to cover a large number of services, however, you may want to consider purchasing one of the several excellent third-party Exit Point security suites available on the market, which often include robust security audit reporting tools, too:

http://www.powertech.com/powertech/PowerTech_Web_NetworkSecurity.asp
http://www.netiq.com/products/iseriesmgmt/default.asp
http://www.enforcive.com/as400-security

As you can see, this can quickly grow into a big, complex issue, so you may want to consider bringing in an expert to help the first time you go through implementing AS/400 security auditing and reporting.

- Gary Patterson



0
 
LVL 1

Author Comment

by:joe90kane
ID: 36483091
Hi Gary,

Thank you for the explanation,

For a quick example, I want to view all accounts that have a failed login attempt against them, with the date & time + IP address available.

Is this easily generated?
0
 
LVL 27

Accepted Solution

by:tliotta (earned 500 total points)
ID: 36492158
I want to view all accounts that have a failed login attempt against them...

Assuming that auditing is enabled, failed logon attempts will be logged as journal code 'T' entry type 'PW' in the QAUDJRN journal.

The simplest view of those is with:

DSPAUDJRNE ENTTYP(PW) JRNRCV(*CURCHAIN) OUTPUT(*)

A number of parms can be changed to filter results. You might request the *CURRENT receiver instead of the whole current chain, or name specific receivers. Filtering by date/time is possible. For output, you can specify OUTPUT(*PRINT) instead of to the display.

However, the DSPJRNE command has limitations that make it unsuitable for your question. You would need to use the DSPJRN command instead in order to see IP addresses associated with the journal entries.

You can have DSPJRN send its output to a database file. From there, you could run any queries that you needed. For failed logons (T/PW entries), you can experiment with something like this:

== > CRTDUPOBJ OBJ(QASYPWJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP) NEWOBJ(MYPW5)
== > DSPJRN JRN(QAUDJRN) JRNCDE((T)) ENTTYP(PW) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(MYPW5)

Use CRTDUPOBJ to get a copy of the system's model file for PW entries. Then list the PW entries into the file that you just created. A simple RUNQRY command over the file you created will show you what you would have available.

From that starting point, things can go in a number of directions.

As Gary said, you should start with a clear understanding of what is meant by "signon" or "signoff". Logging into a telnet session is a very specific operation. But failed signon attempts will be signaled through any of the servers. Telnet may be a very small part of that.

Further, many "signons" might never show any corresponding "signoffs". It can be tricky trying to determine what constitutes a "signoff" for any given "signon".

Tom
0
 
LVL 27

Expert Comment

by:tliotta
ID: 36492189
Typo "However, the DSPJRNE command..." should be "However, the DSPAUDJRNE command...".

Tom
0
 
LVL 1

Author Comment

by:joe90kane
ID: 36494702
Hi Tom.

This works great 'DSPAUDJRNE ENTTYP(PW) JRNRCV(*CURCHAIN) OUTPUT(*)' but as you said it doesn't display the time/date or IP address of the users.

I have run

== > CRTDUPOBJ OBJ(QASYPWJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP) NEWOBJ(MYPW5)
== > DSPJRN JRN(QAUDJRN) JRNCDE((T)) ENTTYP(PW) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(MYPW5)



I'm not sure what RUNQRY I need to display the report.
0
 
LVL 27

Expert Comment

by:tliotta
ID: 36499360
The RUNQRY command was a suggested example of a default kind of "query". After successfully running the above two commands, you should be able to run this command:

== > RUNQRY  *n  MYPW5

A more complete version of the same command is RUNQRY QRYFILE((QTEMP/MYPW5)) but using defaults can sometimes simplify things.

The resulting output will show the various data elements available for each journal entry. Many of the columns will duplicate other rows because they're all the same type of entry. Regardless, knowing what's available is important in order to decide what's needed.

Tom
0
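The two DSPJRN commands in the accepted answer leave the PW entries in QTEMP/MYPW5, and the RUNQRY above only dumps every column. As an added example (not from the thread or from IBM), the SQL below, run with STRSQL or RUNSQLSTM, turns that outfile into the "User ID | Time/Date | IP Address | Signon" report the question asked for, plus a summary that flags addresses accumulating failures. It assumes the *TYPE5 header fields JOTSTP, JOJOB, JOUSER, JONBR and JORADR; the PW-specific field names PWENTT, PWUSER and PWDEV are assumptions to be confirmed with DSPFFD FILE(QTEMP/MYPW5).

```sql
-- Failed signon report over the *TYPE5 outfile QTEMP/MYPW5 created with
-- CRTDUPOBJ + DSPJRN as shown above.  Added example, not from the thread.
--
-- Header fields (common to every *TYPE5 audit outfile):
--   JOTSTP  entry timestamp        JORADR  remote IP address (blank if local)
--   JOJOB / JOUSER / JONBR  the job that logged the entry.  For a prestart
--           server job JOUSER is the server's own profile (e.g. QUSER), not
--           the user who failed to sign on, so it is shown only as context.
-- Entry-specific fields (ASSUMED names; confirm with DSPFFD before running):
--   PWENTT  violation type: P = password not valid, U = user name not valid
--   PWUSER  user profile name that was attempted
--   PWDEV   device or server through which the attempt arrived

-- 1. Detail report: one row per failed attempt in the last 7 days.
SELECT PWUSER                                                AS USER_ID,
       JOTSTP                                                AS ATTEMPTED_AT,
       CASE WHEN JORADR = '' THEN '(local)' ELSE JORADR END  AS IP_ADDRESS,
       CASE PWENTT
            WHEN 'P' THEN 'Bad password'
            WHEN 'U' THEN 'Unknown user'
            ELSE 'Other (' CONCAT PWENTT CONCAT ')'
       END                                                   AS SIGNON_RESULT,
       PWDEV                                                 AS DEVICE,
       JOJOB CONCAT '/' CONCAT JOUSER CONCAT '/' CONCAT JONBR AS LOGGING_JOB
  FROM QTEMP/MYPW5
 WHERE JOTSTP >= CURRENT TIMESTAMP - 7 DAYS
 ORDER BY JOTSTP DESC;

-- 2. Summary: addresses with repeated failures.  Many failures spread over
--    many distinct user names from one address is the pattern to escalate;
--    a single user with a few failures is usually a typo or expired password.
SELECT JORADR                 AS IP_ADDRESS,
       COUNT(*)               AS FAILURES,
       COUNT(DISTINCT PWUSER) AS DISTINCT_USERS,
       MIN(JOTSTP)            AS FIRST_SEEN,
       MAX(JOTSTP)            AS LAST_SEEN
  FROM QTEMP/MYPW5
 WHERE JOTSTP >= CURRENT TIMESTAMP - 7 DAYS
   AND PWENTT IN ('P', 'U')
 GROUP BY JORADR
HAVING COUNT(*) >= 5
 ORDER BY FAILURES DESC;
```

Because QTEMP is discarded at job end, point the DSPJRN OUTFILE at a permanent library if these queries are to be scheduled rather than run interactively.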
 
LVL 27

Expert Comment

by:tliotta
ID: 36526212
Once the available data is reasonably understood after looking at it, different queries (and different types of queries) can be created to present the data in needed forms. If query assistance is needed, it might be best under a new question since query capabilities can vary widely between systems, depending on options that are installed. Simple queries of the above data are probably easy to fit within this question.

Tom
0
