PowerTech Shines a Light on ‘Black Hole’ Commands
February 19, 2013 Alex Woodie
Despite all the auditing and journaling functions in the IBM i OS, it’s still possible for a user to issue commands without accountability. For example, when users start an interactive SQL session, they are essentially invisible to the administrator until the session ends. To help close this black hole of accountability, PowerTech has added a new feature to Authority Broker that uses screenshots of the 5250 session to track all activity, regardless of the tool the user is running.
PowerTech’s Authority Broker enables security administrators to temporarily grant users and programmers special authorities, such as ALLOBJ and SECADM, so they can perform activities that require those authorities. This spares users from needing those authorities in their regular user profiles, thereby reducing an organization’s security risk and its compliance exposure under regulations like PCI, SOX, and HIPAA.
A key feature of Authority Broker since it launched in 2005 has been the capability to track what users do while in the user profile with the elevated authority. This auditing function worked well for commands issued on a command line. But it was completely useless for tracking activities done within certain “black hole” environments, says PowerTech director of security technologies Robin Tatam.
“We’ll see a user issue a STRSQL command, and we’re blind until they come out of the SQL environment and they resume entering commands on the command line,” Tatam tells IT Jungle. “The challenge on the i platform has always been those invisible commands.”
Interactive SQL is the big blind spot in IBM i security visibility, and a good number of PowerTech customers have asked the company to shine a light into their users’ interactive SQL activities. While it’s possible to reconstruct some of what users do during interactive SQL sessions using object-level auditing, that shows which objects were touched rather than the statements themselves, so it can take a bit of work to figure out exactly what the users entered to effect the changes.
So PowerTech set out to work on the interactive SQL problem. It hasn’t completely addressed the issue in an automated way. As an intermediate solution, it introduced the screenshot tracking function with Authority Broker 4.0, which is generally available now.
Take a Picture
The screenshot function is triggered every time the user presses a function key or the Enter key. Security administrators can view a powerful user’s activities in near real time, or review them after the fact by scrolling through a document, much like paging through a PowerPoint deck, to see each successive screen in the session. The screenshots can also be bundled and emailed automatically to trusted addresses.
The software doesn’t track every single keystroke, but it captures the screen at the moment each command is executed, which is a lot more than PowerTech could offer before. What it records is what the user saw on the screen, not what a program does under the covers. It’s a somewhat rudimentary approach to security (GoPro head cams on all workers’ heads, anyone?), but it works.
“The biggest benefit with screen capture is it allows us to get away from the audit challenge where the user goes into what I refer to as the invisible commands or black hole commands … that exist on the system, but don’t have audit functionality, and which don’t issue commands under the cover,” Tatam says. “It allows us to look over the shoulder of the person who’s running the activities, and see in near real time what they’re doing, including the commands they’re entering, which function key they’re pressing.”
The screen capture function is based on the PeekPlus screen-capture functionality developed by Bytware, also a Help/Systems company just like PowerTech. It helps to solve the mystery of what users were doing not only while they were in an interactive SQL session, but while using other tools and environments, too.
“It’s allowed us to take this much further than we originally anticipated, which was an interim solution for the SQL thing,” Tatam continues. “We said, ‘Wow, it does other things. What happens if you get into SST? What happens if you get into QShell or DFU? What happens if you do a Telnet session to another box?’ And it tracks it all. We’ll create, in essence, a breadcrumb trail of user activities, regardless of where they go. We don’t care. So even if they come up with some user-written application, we’ll track that, too.”
Programmers are the main targets of Authority Broker in general, and the new screen capture capability will shine a bright light of truth on their black art. So while (most) programmers aren’t devious or deceitful by nature, regulations like SOX, PCI, and HIPAA require organizations to assume that they are, and to erect walls between the code masters and their work. That, obviously, is a problem when applications need to be worked on. The reality is, programmers have to be let out of their dev and test environments on occasion, to fix broken things in production.
So while Authority Broker’s job is to protect organizations from evil programmers, the tool can, counter-intuitively, also be a salve for those persecuted coders. With Authority Broker now keeping an eye on those black holes of access, security officers can feel good about giving programmers the authorities they need, the pall of suspicion is lifted off programmers, and auditors will be (a little bit) less angry about everything. Such a setup can actually reduce an organization’s regulatory exposure, and may even avoid the need for audits, Tatam says.