The Authorization Security Component of User Manual - Raz-Lee
Contents
1. ss as e x QSECOFR Users must be defined as E-mail users prior to using this screen. The required parameters may be found by using the WRKDIRE command. This option does not support attached files. F3=Exit F12=Cancel
   [Screen caption: E-mail Definitions]
   2. Select the E-mail sending method.
   3. Define the mail server.
   4. Define the user ID and E-mail address.
   Authority on Demand 3 User Manual 25, Chapter 3: System Configuration. RAZ-LEE, The iSeries Security Experts
   SYSLOG
   Overview
   Current security regulations and auditing best practices dictate that log files from network access attempts and critical system components be monitored by a real-time alert system tracking potential security failures and abnormal changes to application data. Until recently, iSecurity satisfied this requirement by sending real-time e-mail and operator message alerts and executing CL scripts when such events occurred. However, with the increasing prevalence of site-wide Intrusion Detection and Security Information Management systems, which present managers with an end-to-end view of security-related events at different network nodes, it has become increasingly important to display security-related events from the System i in the same manner. iSecurity's new Syslog capability sends events from various System i facilities, such as logs and message systems, to a remote Syslog server and categorizes the events according to a range of severities such as emergency, alert, cri
2. 9. Define an action to execute when the new authorization takes effect: sending the message to a MSGQ and/or an e-mail address.
   Emergency Rule
   1. Press F7 to add an emergency rule.
   [Screen: Add Authority Rules (Emergency use only), screen 1 of 2. Fields: This is an active rule (Y/N); Requesting user (if *GRPPRF, accept for its members); Authority provider; Rule title; Conditions when applies (N=Not): Activity must begin From/To, Time group (week schedule), IP Address, Subnet mask, PIN Code; Perform: Provide authority by 1=Add authority of Provider, 2=Swap to Provider's profile; Max work time in minutes (0=*NOMAX); Send message to *PROVIDER (MSGQ name and library); To E-mail *PROVIDER. Keys: F3=Exit, F12=Cancel.]
   Emergency Rules
   In Emergency Rules the PIN field is mandatory, and only a user profile with emergency operator authority (see chapter 2, First Steps: Operators) is allowed to change this rule.
   Activation
   Activate the Authority on Demand monitor in order to activate the message that stipulates that work time is over and to activate the action feature (see chapter 3, System Configuration: General Definitions).
   ODCTL Activation, Authority on Demand, System 44K1246. Select one of the following: Activation 1
3. appears.
   2. Select 11. Work with Operators from the Maintenance Menu. The Work with Operators screen appears.
   3. Press F6 to add a new user.
   [Screen caption: Modify Operator]
   4. Select the user's level of authority:
      1 = USE: For auditors only, who will run reports on AOD user activities.
      5 = EMERGENCY: User can edit emergency rules and give emergency rights to pre-defined users.
      9 = FULL: Full product authorization capabilities.
   A message is prompted informing that the user being added or modified was added to the Authority list that secures the product's objects; the user carries Authority *CHANGE and will be granted Object operational authority. The Authority list is created in the installation/release upgrade process. The SECURITY_P user profile is granted Authority *ALL, whilst the *PUBLIC is granted Authority *EXCLUDE. All objects in the libraries of the product (except some restricted special cases) are secured via the Authority list.
   Authority Provider
   1. Select option 5. Authority Providers. The Work with Authority Provider screen appears. This screen shows a list of user authorization definitions that can be applied on demand to another user profile.
   Work with Authority Provider: Type options, press Enter. Position to 1
4. To see how the Syslog definitions work without actually setting up software on an IP address, and to receive the Syslog messages, follow this procedure:
   1. Download Kiwi Syslog Server from http://www.kiwisyslog.com
   2. Enter the PC IP address in the field on the Syslog definition screen.
   Syslog works very easily using this product. The command entry of Get Authority on Demand (GETAOD) writes a Syslog message and can be seen immediately in Kiwi Syslog Server.
   [Screenshot: Kiwi Syslog Daemon display dated 12-31-2008, showing Local6.Notice messages from host S44K1246 tagged "iSecurity AutOnDmnd", with entries such as "ODE4001 ELI Start add authority of user QSECOFR in job 225010 ELI QPADEV0007" and "ODE4101 ELI End add authority of user QSECOFR in job 225010 ELI QPADEV0007".]
5. Activate Authority on Demand Now; 2. De-activate Authority on Demand Now; 5. Work With Active Monitor Jobs. Global Activation: 13. Activate at IPL; 14. Do Not Activate at IPL. The first use of the GETAOD (Get Authority on Demand) command will also activate the product monitor. Keys: F3=Exit, F4=Prompt, F9=Retrieve, F12=Cancel, F13=Information Assistant, F16=AS/400 main menu. [Screen caption: Activation]
   It is strongly recommended that you configure Authority on Demand to activate automatically each time an IPL occurs on your System i. To work with activation, select 11. Activation from the main menu.
   Manual Activation
   - To manually activate the Authority on Demand monitor, select 1. Activate Capture Now from the Activation menu.
   - To manually de-activate the Authority on Demand monitor, select 2. De-activate Capture Now from the Activation menu.
   Automatic Activation
   - To activate Authority on Demand automatically each time an IPL occurs, select 13. Activate at IPL from the Activation menu.
   - To cancel automatic activation, select 14. Do Not Activate at IPL from the Activation menu.
   Verifying that the Authority on Demand Monitor is Active
   Select 5. Work With Active Monitor Jobs from the Activation menu to view the Authority on Demand monitor subsystem. The Work with Subsystem Jobs screen appears. It should dis
6. Authority on Demand Now.
   4. To add more systems, enter the controlling system name by selecting option 82. Maintenance Menu > 59. Force DTAQ re-creation.
   Communication parameters
   To add more connection parameters, install iSecurity Base with SMZA libraries. Enter the information by STRAUD > Option 83. Central Administration > 1. Work with network definitions. At present we support MODE
   Note: To change a parameter in the network definitions, select 82. Maintenance Menu > 59. Force DTAQ re-creation and force DTAQ re-creation.
   Exit Programs
   With a user Exit Program, a user can specify a program name which will overrule the Get Authority on Demand rule definitions of allow or reject the request. This program can also modify the reason given by the requester for the temporary authorization. A template program can be found in SMZO ODSOURCE ODVERIFY.
   Select option 3. Exit programs.
   [Screen: Exit Programs. Fields: GETAOD verification program (Name, *NONE); Library. Screen text: You may specify a program name which will overrule the Get Authority on Demand decision to allow or reject the request. This program can also modify the reason given by the requester. A template program can be found in SMZO ODSOURCE ODVERIFY. Keys: F3=Exit, F12=Cancel.]
7. [Screen: Work with Authority Provider, continued. Options: Select, 4=Remove; Subset. Columns: Opt, Provider, Description, with entries AU FINANCE (Finance Department), HR (HR Department), PGM (R&D Department), SECOPR (Security Officer). Keys: F3=Exit, F6=Add New, F8=Print, F12=Cancel.]
   2. Press F6 to add a new authority provider.
   [Screen: Add Authority Provider. Fields: Authority Provider; Description; On Provide: Add libraries to *LIBL, Run before, Run after; Default notification: Information (Y=Yes; Interactive or Batch), MSGQ name and library, E-mail. Sample values shown: SECOPR, Security Officer, QSECOPR, ADMIN@RAZLEE.COM. Keys: F3=Exit, F4=Prompt, F12=Cancel.]
   3. Type an existing user profile or press F4 to prompt a list of users for selection.
   4. Type a descriptive text.
      Add libraries to LIBL: Add additional libraries access authorization to LIBL. Type in a list of libraries separated by a space.
      Run before: Type the name of a program you want to execute immediately before the new authorization is applied.
      Run after: Type the name of a program you want to execute immediately after the new authorization is applied.
   5. Define an informative action that will execute when the new authorization takes effect. Select interactive or batch mode for sending a message, send to a MSGQ and o
8. [Screen caption: Add Authority Rules]
   3. In the Requesting user field, enter the profile of the user that requested the authorization or press F4 to obtain a list of users for selection.
   4. Type the name of the authority provider in the Authority Provider field.
   5. Type a description of the request for this temporary authorization in the Rule title field.
   6. Add conditions to determine when the rule should apply and when the authority should be provided (optional).
      Time Set: Blank = Yes, N = Not this Time Set. Define when the rule applies and the user can request the temporary authorization. Press F4 to select or create a time group.
      PIN Code: Add additional security password. Not a mandatory field.
      IP Address: Blank = Yes, N = Not this IP Address.
      Subnet mask: Define IP address and subnet mask. Press F4 to select from a list of possible subnet masks.
   7. Select the type of the authority requested: add or swap authorizations.
   NOTE: Selecting option 2 (Swap) will also swap the user name in the records and logs. Using option 1 (Add) will give the Requester the authorities of the Provider in addition to the existing authorities. In this case the original requester user profile will be kept and will appear in the records and logs.
   8. Limit the work time in minutes. Type 0 for unlimited amount of minutes.
9. Authority on Demand: The Authorization Security Component of iSecurity. User Manual, Version 3. Raz-Lee, The iSeries Security Experts.
   Copyright Notice
   Copyright Raz-Lee Security Inc. All rights reserved. This document is provided by Raz-Lee Security for information purposes only. Raz-Lee Security is a registered trademark of Raz-Lee Security Inc. Action, System Control, User Management, Assessment, Firewall, Screen, Password, Audit, Capture, View, Visualizer, FileScope, Anti-Virus, AP-Journal are trademarks of Raz-Lee Security Inc. Other brand and product names are trademarks or registered trademarks of the respective holders. Microsoft Windows is a registered trademark of the Microsoft Corporation. Adobe Acrobat is a registered trademark of Adobe Systems Incorporated. Information in this document is subject to change without any prior notice. The software described in this document is provided under Raz-Lee's license agreement. This document may be used only in accordance with the terms of the license agreement. The software may be used only in accordance with the license agreement purchased by the user. No part of this document may be reproduced or retransmitted in any form or by any means, whether electronically or mechanically, including, but not limited to, photocopying, recording, or information recording and retrieval systems, without written permission given by Raz-Lee Security Inc. Visit our website at http w
10. [Table of contents residue: Exit Programs; Retention Period; E-Mail Definitions; SYSLOG; Overview; Using SYSLOG]
   About This Manual
   Chapter 1: System i Authority on Demand
   Overview
   Emergency access to critical application data and processes is one of the most common security slips which are uncovered in System i (AS/400) audits. Currently, manual approaches to this problem are not only error-prone, but do not comply with regulations and auditors' stringent security requirements. Authority on Demand (AOD) enforces segregation of duties and enables relevant personnel to obtain access to approved information when needed, thereby saving valuable time and resources. AOD's real-time audit of access rights protects sensitive corporate assets and significantly reduces the number of profiles with excessive special authorities. AOD was developed as a result of numerous requests from iSecurity customers worldwide. In direct response to the gr
11. NTH: Current month, Previous month. YEARSTR, PRVYEARS: Current year, Previous year. SUN ... SAT: Day of week.
   Authority requester: User profile who requested the authorization.
   Authority provider: An existing user profile that provides the authorization.
   Number of records to process: Maximum number of records to process. NOMAX = No maximum (default).
   Output: directly from the screen, PRINT, OUTFILE.
   Operation type: ALL, ADD, SWAP, ALLOW, REJECT, RELEASE.
   Job name, User: Selects a subset of records by OS/400 job name.
   Job name, Number: Selects a subset of records by OS/400 job number.
   Filter by Time Group, Relationship: IN = Include all records in time group; OUT = Include all records not in time group; NONE = Do not use time group, even if included in query definition.
   Filter by time group, Time group: Name = Name of time group; SELECT = Select time group from list at run time.
   2. Select option 42. Print Log Entered Commands to print the activity log with command entries. The activity log is composed of audit and journal logs.
   [Screen: Display AOD Log Entries (DSPAODLOG) prompt, showing the Display last minutes and Starting date and time fields.]
12. TERDAY [Screen residue: Display AOD Log Entries (DSPAODLOG) prompt, continued. Fields: Ending date and time (Ending date, Ending time); Authority requester; Authority provider; System to run for; Number of records to process; Output; Attach activity log; Attach captured screen; Attach file record changes. Keys: F3=Exit, F4=Prompt, F5=Refresh, F10=Additional parameters, F12=Cancel, F13=How to use this display, F24=More keys. Caption: Print Log and commands info.]
   3. Select option 43. Print Log Attachments to print the activity log, captured screens and journaled updates. This option prints:
      - Captured screens
      - FileScope updates summary
   [Screen: Display AOD Log Entries (DSPAODLOG) prompt, with the same starting and ending date and time, requester, provider, system, output and attach fields.]
13. Retention Period
   1. Select option 9. Log Retention to set the number of days during which the log is retained and to define a backup program for the collected data.
   [Screen: AOD Log Retention. Fields: Data retention period in days (99 = *NOMAX); Backup program for data (Name, *STD, *NONE); Backup program library. Screen text: You may specify a backup program to run automatically before deleting old data. This program runs prior to automatic deletion of data whenever the retention period expires. The *STD program is SMZO ODSOURCE ODRODBKP. Keys: F3=Exit, F12=Cancel.]
   2. Define the data retention period (days).
   3. Specify the backup program you would like to execute before the recorded data is deleted.
   E-Mail Definitions
   1. Select option 13. E-Mail Definitions from the System Configuration menu.
   E-mail Definitions screen: E-mail Method: 1=Advanced, 2=Native, 9=None. Advanced mode is recommended for simplicity and performance. Advanced E-mail Support: Mail (SMTP) server name (*LOCALHOST). Use the Mail Server as defined for outgoing mail in MS Outlook. Native E-mail: E-mail User ID and Address, User Profile
14. apter 1: System i Authority on Demand
      Overview
      Workflow
      Authority on Demand Features
         Easy to Use
         Add or Swap Security Levels
         Authority Transfer Rules & Providers
         Safe Recovery from Emergency Situations
         Full Monitoring Capabilities
         Part of a Comprehensive Solution
      Version 3.0 New Features
   Chapter 2: First Steps
      Emergency
      Activation
      Time Groups
      Get Authority on Demand
      Display Authority on Demand
      Release Authority on Demand
   Chapter 3: System Configuration
      General Definitions
15. art and end times for the cursor line and below.
   Get Authority on Demand
   To activate Authority on Demand, log in with the requester user profile, type the command GETAOD on a command line, or STRAOD and select option 31. Get Authority on Demand.
   [Screen: Get Authority On Demand (GETAOD). Fields: Authority provider (Name, *SELECT); Reason (*BYPIN); PIN Code (Number). Keys: F3=Exit, F4=Prompt, F5=Refresh, F12=Cancel, F13=How to use this display, F24=More keys.]
   1. Insert the authority provider's user profile.
   2. The Reason field has been extended to 240 chars and its default is BYPIN. This value is acceptable only if a PIN number was specified.
   3. Enter the PIN code as defined in the previous step (Authority Rules).
   Display Authority on Demand
   To display the new authorization currently in use, type the command DSPAOD on a command line, or STRAOD and select option 32. Display Authority on Demand.
   Release Authority on Demand
   To release Authority on Demand and work with the standard authorizations, type the command RLSAOD on a command line, or STRAOD and select option 33. Release Authority on Demand.
   Log
   Display the Authority on Demand activity log to view the contents of the hi
16. ay use. To start working with Authority on Demand, type STRAOD. The main menu appears.
   [Screen: ODMENU, Authority On Demand main menu, iSecurity, System 720. Authority: 1. Authority On Demand Rules; 5. Authority Providers; 6. Time Groups. Control: 11. Activation. Operations: 31. Get Authority On Demand (GETAOD); 32. Display Authority On Demand (DSPAOD); 33. Release Authority On Demand (RLSAOD). Log: 41. Display Log; 42. Print Log Entered Commands; 43. Print Log Attachments (attachments: Audit Log, Commands, Captured Screens, Journalled Updates). Maintenance: 81. System Configuration; 82. Maintenance Menu. Keys: F3=Exit, F4=Prompt, F9=Retrieve, F12=Cancel, F13=Information Assistant, F16=AS/400 main menu.]
   Operators
   There are three default groups:
   - AUD#SECAD: All users with both AUDIT and SECADM special authorities. By default, this group has full access (Read and Write) to all iSecurity components.
   - AUDIT: All users with AUDIT special authority. By default, this group has only Read authority for Audit.
   - SECADM: All users with SECADM special authority. By default, this group has only Read authority for Firewall.
   iSecurity product objects are secured automatically using product authorization lists (named security P). This strengthens the internal security of the products. The product authorization lists are accessed in all products via option 817 > f
17. low Ad Hoc access to critical data, can enable a programmer to run reports which abended, etc.
   Full Monitoring Capabilities
   AOD logs and monitors all relevant activities so that managers can receive regular audit reports of AOD activity, as well as real-time e-mail alerts when employees request higher authority.
   Part of a Comprehensive Solution
   AOD constitutes a major addition to iSecurity and solidifies iSecurity's position as the most comprehensive security suite of products on the market for System i security and compliance solutions.
   Version 3.0 New Features
   1. New internal system allows an Emergency Operator (option 82 > 11) limited access to rules definition. Three levels of operator authorization can be defined from option 82 > 11:
      1 = USE: For auditors only, who will run reports on AOD user activities.
      5 = EMERGENCY: User can edit emergency rules and give emergency rights to pre-defined users.
      9 = FULL: Full product authorization capabilities.
   In the GETAOD command (option 31), the Reason field defaults to BYPIN. This value is acceptable only if the PIN number was specified. The value BYPIN is replaced by the rule explanation given by either the Emergency Operator or the product administrator (respective to the type of rule and the existence of explanation), up to 240 chars.
   A new option wa
18. o be defined individually for each rule, which will be the dominant definition of the two.
   Type the number of minutes to inform a user with temporary authorization that the work time is about to end.
   Set an action to be executed, in batch or interactive, when the work time has ended.
   Type Y in Apply rules to group profile members if rules can be applied to group profile members.
   In the Controlling System field, specify the name of the Remote Location as it can be seen in the DSPNETA of the remote location. Behind the scenes the product is using DTAQs. Read more about this option in Multi-Site Support.
   Multi-Site Support
   Multi-site support ensures that a control location will collect other sites' Log info besides its own. To access it, use the parameter SYSTEM in the DSPAODLOG (Display Authority on Demand Log) command. The SYSTEM parameter supports *CURRENT, *ALL, generic* and name. To define the controlling system name, select option 81. System Configuration > 1. General Definitions.
   First time activation
   1. Select option 81. System Configuration > 1. General Definitions to define the Controlling System (CTL).
   2. Select option 82. Maintenance Menu > 59. Force DTAQ re-creation.
   3. To activate, select option 11. Activation from the main menu and activate by selecting option 1. Activate
19. ograms; 9. Log Retention; 13. E-Mail Definitions. Security Event Manager (SEM): 21. Syslog Definitions. General: 91. Language Support; 99. Copyright Notice. Keys: F3=Exit, F22=Enter Authorization Code. [Screen caption: Authority on Demand System Configuration]
   General Definitions
   1. Select option 1. General Definitions to set the temporary authorization work span and define how to handle the ending of this work span.
   [Screen: General Definitions. Fields: Default for maximum work time in minutes (0=*NOMAX); Minutes earlier to inform work time end (0=No warning); When max time is reached: if batch, *NONE, HLDJOB or ENDJOB; if interactive, *NONE, DSCJOB, HLDJOB or ENDJOB; Apply rules to group profile members (Y=Yes, N=No): this is the default for interpreting rules in which the requester is a group profile; if Y, the rule applies to all the members of the group profile; during processing, only the first rule found applies; Controlling system (System, *CTL, *NONE): if specified, log information is sent to this system; use *CTL in the controlling system; see manual for prerequisites. Keys: F3=Exit, F12=Cancel.]
   Set general maximum work time in minutes. Maximum work time can als
20. onfiguring the product.
   Online Help
   System i context-sensitive help is available at any time by pressing the F1 key. A help window appears containing explanatory text that relates to the function or option currently in use. Online help will shortly be available in Windows help format for viewing on a PC with terminal emulation.
   Typography Conventions
   - Menu options, field names, and function key names are written in Sans-Serif Bold.
   - References to chapters or sections are written in Italic.
   - OS/400 commands and system messages are written in Bold Italic.
   - Key combinations are separated by a dash, for example: Shift-Tab.
   - Emphasis is written in Times New Roman bold.
   Table of Contents
   About This Manual
      Who Should Read This Book
      Product Documentation Overview
         Printed Materials
         Online Help
      Typography Conventions
   Ch
21. owing security-related concerns of different sized enterprises, Raz-Lee now offers a solution which allocates special authorities on an "as-needed" basis, while at the same time tightening controls over the allocation of these special authorities using advanced logging and reporting facilities.
   Workflow
   [Figure: Authority on Demand Workflow]
   Authority on Demand Features
   Easy to Use
   AOD simplifies the process of granting special authorities when necessary, and incorporates easy-to-use reporting and monitoring mechanisms to ensure that this extremely sensitive and potentially dangerous capability is not misused.
   Add or Swap Security Levels
   AOD can either grant a requestor a totally new security authority level (SWAP) or add additional security rights to a requestor's original security level (ADD), a feature totally unique to AOD.
   Authority Transfer Rules & Providers
   AOD allows for pre-defining special authority "providers" and special authority transfer rules in accordance with specific site security policies.
   Safe Recovery from Emergency Situations
   AOD enables recovering from different types of emergency situations with minimum risk of human error. For example, AOD can al
22. play several lines similar to those on the screenshot below.
   Time Groups
   Time groups are sets of time and day parameters that can be used as filter criteria when working with authority rules.
   1. Select option 6. Time Groups from the main menu.
   [Screen: Define Time Groups. Options: 1=Select, 4=Delete. Columns: Opt, Time Group, Description, with entries EVENING (All days 18:00-22:00), WEEKENDS (Late Friday, Saturday & Sunday), WORKHOURS (Our site's working hours). Keys: F3=Exit, F6=Add new, F8=Print, F12=Cancel.]
   2. Type 1 to select a time group for modification or press F6 to add a new time group.
   [Screen: Change Time Group. Time Group WEEKENDS, Description: Late Friday, Saturday & Sunday. Start and End times are entered for each day from Monday to Sunday. Note: An End time earlier than the Start time refers to the following day. Example: Monday 20:00-08:00 means from Monday 20:00 until Tuesday 08:00. Keys: F3=Exit, F8=Print, F12=Cancel, F13=Repeat time, F14=Clear time. Caption: Add Time Group.]
   3. Type a time group name and description.
   4. Enter start and end times for each period using 24-hour notation.
      F13: Copy start and end times from cursor line to all subsequent days.
      F14: Erase the st
23. r an e-mail address.
   Authority Rules
   1. Select option 1. Authority on Demand Rules from the main menu.
   [Screen: Work with Authority Rules. Role in product: Security Admin. Options: 1=Select, 4=Remove, 5=Display; Position to; Subset. Columns: Opt, Provider, Requester, with entries QSECOFR / ZION (Test on product) and QSECOFR / ZION (Authority granted to user zion to test product). Screen text: You can define regular or Emergency rules. When needed, an authorized operator can enable or modify emergency rules. Keys: F3=Exit, F6=Add New, F7=Add Emergency, F8=Print, F12=Cancel.]
   2. Type 1 to select a rule for modification or press F6 to add a new rule.
   [Screen: Add Authority Rules, screen 1 of 2. Fields: Requesting user (if *GRPPRF, accept for its members); Authority provider; Rule title; Conditions when applies (N=Not): Activity must begin From/To, Time group (week schedule), IP Address, Subnet mask, PIN Code; Perform: Provide authority by 1=Add authority of Provider, 2=Swap to Provider's profile; Max work time in minutes (0=*NOMAX); Send message to *PROVIDER (MSGQ name and library); To E-mail *PROVIDER. Keys: F3=Exit, F4=Prompt, F12=Cancel.]
24. rocess [Screen residue: Display AOD Log Entries (DSPAODLOG) prompt, continued. Fields: Attach activity log; Attach captured screen; Attach file record changes. Keys: F4=Prompt, F5=Refresh, F10=Additional parameters, F12=Cancel, F13=How to use this display, F24=More keys. Caption: Print Log and full Audit info.]
   Attach activity log:
      YES = Attach a log with full Audit log entries information.
      CMD = Attach a log with full Audit commands entries information.
      NO = Do not attach.
   Attach captured screen:
      YES = Attach captured screen.
      NO = Do not attach captured screen.
   Attach file record changes:
      YES = Updates from journal, as long as the receivers are online. If the system also has Raz-Lee's AP-Journal, you will receive a print in field mode. Otherwise, the changes will be printed using the system commands, as character strings.
      SUM = Journal sum.
      LOG = Journal log.
      NO = Do not attach journalled record.
   Chapter 3: System Configuration
   Select option 81. System Configuration from the main menu.
   ODPARMR, Authority On Demand System Configuration. Select one of the following: Authority On Demand: 1. General Definitions; 3. Exit pr
25. rom the main product menu. It is essential that Work with Operators be used to define all users who have SECADM, AUDIT or AUDZSECAD privileges but don't have all object authority. The AOD Work with Operators screen lists Usr (user management) and Adm authorities, for all activities related to starting and stopping subsystems and jobs, import/export of definitions, and so on. iSecurity automatically adds all users listed in Work with Operators to the appropriate product authorization list. Users may add more operators (i.e. user profiles), delete operators, and give them authorities and passwords according to their own judgment. Users can even make the new operator's definitions apply to all their systems; therefore, upon import, they will work on every system. Password BLANK for the default entries. Use DSPPGM GSIPWDR to verify. The default for other users can be controlled as well. If the system administrator wishes to set the default to BLANK, they should enter CRTDTAARA SMZTMPC DFTPWD char 10. NOTE: When installing iSecurity for the first time, certain user(s) might not have access with the new authority method. Therefore, the first step you need to take after installing is to edit those authorities. To modify operator's authorities, follow this procedure: 1. Select 82, Maintenance Menu, from the main menu. The Maintenance Menu
26. s added to the main menu: option 11, Activation, which activates the Authority on Demand monitor. This is needed in order to activate the feature that reports when the time period for extended authorities has ended, and to activate the Action feature. Logs: using Option 42, a user can print the activity log for command entries, which is composed of Audit and Journal logs. Using Option 43, a user can print and attach activity logs, captured screens and journaled updates. Define general time limit for session (option 81 21) or specific time limit per rule (option 1 from the main menu). New option 81 > 3 added to the menu, with the ability to enter a user Exit Program. With Exit Program, a user may specify a program name which will overrule the Get Authority on Demand decision to allow or reject the request. This program can also modify the reason given by the requester. A template program can be found in SMZO ODSOURCE ODVERIFY. New option 81 > 21, Syslog Definitions, added to the menu. With this option, a user can define whether to send a Syslog message, to what IP address, from which facility, in what range of severity, and the message format. Chapter 2: First Steps. This chapter guides you through the steps necessary to begin using Authority on Demand for the first time. Also covered in this chapter are the basic procedures for configuring the product for day to d
27. ser QSECOFR in job 224958 ELI QPADE 0007 11 43 12 31 2008. Kiwi Syslog Server. SYSLFC, SYSLOG FACILITY: KERNEL MESSAGES; USER LEVEL MESSAGES; MAIL SYSTEM; SYSTEM DAEMONS; SECURITY/AUTHORIZATION MESSAGES; SYSLOGD INTERNAL; LINE PRINTER SUBSYSTEM; NETWORK NEWS SUBSYSTEM; UUCP SUBSYSTEM; CLOCK DAEMON; SECURITY/AUTHORIZATION MESSAGES; FTP DAEMON; NTP SUBSYSTEM; LOG AUDIT; LOG ALERT; CLOCK DAEMON; LOCAL USE 0 (LOCAL0); LOCAL USE 1 (LOCAL1); LOCAL USE 2 (LOCAL2); LOCAL USE 3 (LOCAL3); LOCAL USE 4 (LOCAL4); LOCAL USE 5 (LOCAL5); LOCAL USE 6 (LOCAL6); LOCAL USE 7 (LOCAL7). SYSLSV, SYSLOG SEVERITY: EMERGENCY; ALERT; CRITICAL; ERROR; WARNING; NOTICE (SIGNIFICANT); INFORMATIONAL; DEBUG. Maintenance Menu: The Maintenance Menu enables you to set and display global definitions for Authority on Demand. To access the Maintenance Menu, select 82, Maintenance Menu, from the main menu. For more information, please contact Raz-Lee at 1-888-RAZLEE4 (7295334) or at 972-9-9588860, or contact your local distributor.
28. story log quickly and easily in a standard format, using basic filter criteria. 1. Type DSPAODLOG on a command line, or STRAOD and select option 41, Display Activity Log. [Screen: Display AOD Log Entries (DSPAODLOG). Type choices, press Enter. Fields: Display last minutes; Starting date and time; Ending date and time; Authority requester; Authority provider; Number of records to process; Operation type; Additional Parameters. Keys: F3=Exit, F4=Prompt, F5=Refresh, F12=Cancel, F13=How to use this display, F24=More keys.] Display AOD Log Entries (DSPAODLOG). Parameter / Description. Display last minutes: Selects only those events occurring within the previous number of minutes, as specified by the user. Number = Enter the desired number of minutes; BYTIME = According to start and end times specified below. Starting date & time, Ending date & time: Selects only those events occurring within the range specified by the start and end date/time combination. Date and time = Enter the appropriate date or time; CURRENT = Current day; YESTERDAY = Previous day; WEEKSTR, PRVWEEKS = Current week, Previous week; MONTHSTR PRVMO
29. tical, error, warning, notice, informational and debug. The Syslog feature enables the system administrator to decide under which conditions the System i should send a Syslog message; to choose the IP address of the Syslog server, the facility from which the message is sent, the severity range and the recipients; as well as decide whether the Syslog message should contain all events from iSecurity Firewall or only the rejected entries. Using Syslog: Select option 21, Syslog Definitions, and define whether to send a Syslog message, to what IP address, from which facility (list of optional facilities below), in what range of severity (list below), and how the message looks. [Screen: SYSLOG Definitions. SYSLOG Support. Send SYSLOG messages: Y=Yes, N=No. Destination address (without quotation marks). Facility: LOCAL USE 1 (LOCAL1). Range of severities to send: 8 Emergency. Message structure: &B &X &4 iSecurity &5 &6 &7 &8 &9 &3 &1. Mix variables and constants (except &) to compose message: &1 First level msg; &2 Second level msg; &3 Msg Id; &4 System; &5 Module; &6 Prod Id; &7 Audit type; &8 Host name; &9 User; &H Hour; &M Minute; &S Second; &X Time; &d Day in month; &m Month (mm); &y Year (yy); &x Date; &a, &A Weekday (abbr, full); &b, &B Month name (abbr, full). Keys: F3=Exit, F12=Cancel.] SYSLOG definitions
30. ww.razlee.com. Record your Product Authorization Code Here: Computer Model; Serial Number; Authorization Code. About This Manual. Who Should Read This Book: This user guide is intended for system administrators and security administrators responsible for the implementation and management of security on System i systems. However, any user with basic knowledge of System i operations will be able to make full use of this product after reading this book. Product Documentation Overview: Raz-Lee takes customer satisfaction seriously. Our products are designed for ease of use by personnel at all skill levels, especially those with minimal System i experience. The documentation package includes a variety of materials to get you familiar with this software quickly and effectively. Printed Materials: This user guide is the only printed documentation necessary for understanding Authority on Demand. It is available in user-friendly PDF format and may be displayed or printed using Adobe Acrobat Reader version 4.0 or higher. Acrobat Reader is included on the product CD-ROM. Authority on Demand includes a single user guide that covers the following topics: Introduction; Installation; Start-up and Initial Configuration; Using Authority on Demand. This manual contains concise explanations of the various product features, as well as step-by-step instructions for using and c