Blog | Townsend Security

Actively Monitoring Your IBM i for Security and Compliance

Written by Patrick Townsend | Jun 13, 2014 5:32:00 PM

Active monitoring is one of the core security recommendations to help prevent unauthorized access to sensitive systems and information. It is a requirement of a wide variety of compliance regulations such as PCI-DSS, HIPAA/HITECH Act, GLBA/FFIEC, FISMA, and many others. From a security perspective, active monitoring makes it into the SANS Top 20 list of things you should do, and is a key recommendation from the US Cyber Security teams.

What are the core requirements for active monitoring and what are the special challenges for the IBM i platform? Some core requirements include:

  • Centralize security events from all servers and PCs
  • Perform real-time collection to one central repository
  • Real-time monitoring of events
  • Conduct real-time event correlation for pattern recognition
  • Store events in historical archives for forensics
  • Pro-actively alert the security team for possible breaches
  • Provide event query and reporting services

To meet these requirements for active monitoring, the IBM i can’t be an island of event information. IBM i security events must be consolidated with event information for all of your PCs, servers, and network devices to get a complete picture. Because the volume of events is typically quite large, most organizations will deploy a centralized log collection server combined with a SIEM solution that provides event correlation, real-time monitoring, alerting, and log collection archival.

One of the biggest challenges for IBM i customers is the large number of sources for log information. These include:

  • IBM Security Audit Journal QAUDJRN
  • System operator message queue (QSYSOPR, QSYSMSG)
  • System history message file QHST
  • IBM exit points (SQL, Telnet, FTP, and many more)
  • Linux/Unix style logs (Apache, OpenSSH, Perl, PHP, etc.)
  • DB2 column access
  • User and ISV applications

A good security event collection strategy will have to address all of these sources. Added to the large number or sources are some additional challenges:

  • Security event collection applications are not provided by IBM. They must be written by in-house developers or acquired from third parties.
  • Security information is in non-standard, proprietary IBM formats.
  • There are no native communications applications to securely transmit event information to a log collection or SIEM server.
  • There is no application management structure (start, stop, re-start, audit, etc) for log collection activities.

Alliance LogAgent helps IBM i customers meet all of these challenges. It collects security event information from all significant log sources, converts information to industry standard formats including the syslog format (RFC 3164) and Common Event format (CEF), provides filtering options for messages, and securely transmits them to the log collection server or SIEM solution. Alliance LogAgent keeps track of event sources and won’t skip messages due to an IPL or network outages.

Alliance LogAgent is compatible with all major log collection servers and SIEM solutions, and is an affordable solution for small organizations. View our webinar "IBM i Logging for Compliance and SIEM Integration" to learn more about meeting compliance regulations and sending logs to any SIEM.

 
Patrick