Message Monitoring Software from CCSS Gets Tighter Security
June 22, 2004 Dan Burger
The emphasis on security resounds throughout the industry these days. With tough auditing compliance a mandate for many organizations (and a priority for some, when mandates are not forcing the issue), it’s not uncommon for IT departments to be tightening down the security screws. So it’s not surprising that iSeries systems management software developer CCSS focused on security threats when adding features to QMessage Monitor Version 6. What is surprising are the 426 new possibilities for auditing.
Rest assured, however, this report will not cover all 426.
What you do need to know about the latest QMessage Monitor is that it has the capability to monitor the audit journal (QAUDJRN), the depot for security failure messages. It also provides filters that limit the number of audit journal entries converted into messages, and provides a method for monitoring all QHST log entries. CCSS claims to be providing “total monitoring coverage of important messages from the main system queues.”
The security feature set includes monitoring for authority failures, such as those due to MONMSG statements in CL programs, which can cause programs to malfunction. The FTP access feature identifies, in real time, users attempting to access the iSeries via FTP and records details of the attempt in the audit journal. All suspicious attempts can be validated to confirm whether the access was legitimate. As with all messages, critical threats are forwarded to an appropriate contact or to a group of contacts, according to severity, staff availability, and preferred communication device, to ensure that no intrusion attempt remains undetected by system or security managers.
Changes to critical system values are also detected, and details pertaining to the user, the original value, and the new changed value for each change are recorded. User profile changes are also identified. By clicking the message details, managers can view information pertaining to the user instigating the change, along with the original and new status. Two additional features are dedicated to objects that adopt QSECOFR authority. The first highlights, in real time, the programs that are using this level of authority and will detect, for example, a program that adopts this level when it starts. The second highlights objects being restored to the system with QSECOFR authority.
All users entering an invalid password are acknowledged, as are users who attempt to use service tools without proper authorization. A log of these activities can help security and system managers to build an accurate accounting of the methods and trends adopted by individuals to access system data, and can also help to distinguish and resolve user errors and mistakes. Similarly, users who delete spool files or objects, either accidentally or deliberately, will also be identified in real time. According to CCSS, these features can prevent mysterious disappearance of critical reports that were scheduled to run, and will enforce a high degree of accountability and “best practice” procedures.
Another monitoring feature detects when jobs have been submitted and started, and then monitors scheduling products and their activities. Previously, users would only be alerted to events that did not occur. With Version 6, time once wasted while waiting for scheduled tasks to finish is now eliminated. For example, a critical scheduled job, such as payroll or purchase ledger updates, which may take several hours, can be monitored so that managers have real-time confirmation of their submission and start times and dates, reducing the time it takes to resolve any problematic or unusual circumstances surrounding critical jobs that may need restarting.
Along with the security features added to QMessage Monitor Version 6, CCSS added enhancements to the activity log, escalation procedures, and PC console areas of the product.
Three features have been added to the functionality of the activity log. The first is a time stamp that notes the date and time when a message is received on the message queue and is recorded in the history file. The second enhancement involves the MMLOGINQ command and allows users to save and reuse the variables, rather than re-entering this same information later. The third feature provides an enhanced visual reference to message log inquiries. It allows operators to view inquiries in their original console display color, making it easier to identify specific messages and groups of messages according to type.
Operators responding to critical messages now have the capability of an MMGETXTD command that allows the retrieval of up to 999 fields holding message data. An internal modem support feature provides the option of using the internal modem included in most new iSeries systems. Users can choose their modem option when defining their pager configuration within the escalation procedure.
QMessage Monitor’s PC console has added functionality that improves users’ ability to work with specific jobs. By right-clicking a given message, users can choose from three options for working with jobs. The first option is to work with an individual job that is easily located in a panel that launches the iSeries Navigator Jobs window. That gives the user access to the normal OS/400 functions against a nominated job, which is useful for identifying and resolving problems associated with rogue jobs. The second option is to work with jobs according to user profile; in this case the “iSeries Navigator jobs” window is launched, showing all the current active jobs for that user. In the third scenario, users can launch the window according to job name, and access all the current active jobs for that name before making use of OS/400 functions. Working with jobs in this way provides a logical path between message and job management and saves time.
CCSS product pricing is based on CPW values. The company has 12 price groupings, which the company calls “bands,” covering the entire range of iSeries i5 systems, starting with band 1, which applies to systems with 250 CPW or less (iSeries Model 250s and 270s) and progressing to band 12, which applies to systems in the 15,000 to 40,000 CPW range (iSeries Model 870 and 890s). The pricing is also done on a per-system basis, rather than charging for a license on each partition. The cost of Qsystem Monitor Version 6 begins at $3,000.