Reporting Elevated IBM i Privileges to SIEM
December 7, 2016 Alex Woodie
Why work hard to find a back door when you can go through the front door? This is the gist of the enlightened hacker mind, which understands there is an excess of user profiles equipped with administrative privileges floating around most shops. Now new software from Townsend Security can detangle the complexity of authority levels and give intelligent SIEM tools the data they need to keep hackers out of IBM i.
Far too many IBM i shops weaken their security by handing out special authorities like they’re candy canes at a Christmas party. PowerTech has documented this unfortunate phenomenon quite well over the years with its annual State of IBM i Security Study, which shows the average shop has hundreds of users with *SPLCTL and *JOBCTL authorities. By contrast, user profiles with the more powerful *ALLOBJ and *SECADM authorities typically exist in the dozens (see Fig. A).
This isn’t a theoretical problem. Cybercriminals are finding ways into IBM i systems. In 2014, Townsend Security CEO Patrick Townsend explained how compromised PCs were allowing the bad guys to launch brute-force dictionary attacks in an attempt to compromise the user IDs and passwords of QSECOFR user profiles. “Attacks are happening and are being successful against the IBM i,” Townsend told IT Jungle then.
You’ll also remember the European IT worker who last year shared his recipe for IBM i privilege escalation at the annual DEF CON conference for hackers. The core of the hack was finding a way to gain access to powerful user profiles by tricking Java APIs into yielding clear-text versions of passwords, and taking advantage of the fact that some IBM i shops assign ownership of applications and application user profiles to the same group.
To be fair, hackers try to compromise every system by walking in the front door if they can. It’s not just IBM i servers. Taking over a user profile with elevated privilege like *ALLOBJ, or landing a QSECOFR user profile, essentially gives the hacker a “golden key” to do anything they want to the system. In the past month, system makers have issued security patches to fix privilege escalation flaws in Linux and Android OSes.
But in this little corner of the IT jungle, the IBM i takes precedence. That’s why understanding the peculiarities of IBM i security relative to other platforms, and taking steps to address any shortcomings, should be a priority for any IBM i professional who values the integrity of his company’s and customers’ data.
Townsend Security recently took a shot at cleaning up the sometimes confusing state of elevated privileges on the IBM i platform with an update to Alliance LogAgent, an IBM i product that packages and sends log data from the IBM i server to Security Information and Event Management (SIEM) solutions, which always run on different platforms.
The key enhancement is the addition of a single field to the log. The newly added field does one thing: it tells the SIEM tool whether or not administrator privileges were detected for the user behind a particular piece of log data.
It’s a relatively simple change. But this simplicity is deceptive because untangling elevated privileges can be quite a chore in real-world IBM i systems, where regular user profiles can temporarily gain access to heightened privileges through adopted authority.
“Many IBM i customers have struggled with identifying who on their system has elevated privileges,” the Townsend CEO says in a press release. “It is crucial to identify and strictly control these users, as cyber criminals often use privilege escalation to enable the exfiltration of sensitive data.”
At first glance, an IBM i account may appear to have normal user privileges, but may in fact inherit higher privileges through a Group Profile or Supplemental Group Profile, Townsend says. “Alliance LogAgent now detects these elevated privileges in real time, and provides the security administrator with an easy-to-use report to identify the source of elevated privileges,” he adds. “We think this is a crucial enhancement that will help IBM i customers better secure their platforms.”
The change works with plain vanilla SIEM solutions that speak Syslog, as well as the IBM QRadar solution, which uses the Log Event Extended Format (LEEF) standard. The software also supports the HPE ArcSight product, which speaks Common Event Format (CEF).
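To make the inheritance problem described above concrete, here is an added example (not Townsend’s or Alliance LogAgent’s code) that resolves a user profile’s effective special authorities through its group profile and supplemental groups, flags the elevated ones with the profile that granted each, and emits a syslog-style key=value record carrying a single elevated flag of the kind a SIEM can alert on. The profile store, the field names, and the choice of which special authorities count as “elevated” are assumptions for this example, and adopted authority (granted per program, not per profile) is out of its scope.

```python
# Added example, not Alliance LogAgent's code. Resolves effective IBM i special
# authorities through group and supplemental group profiles and flags elevation.
# Which authorities count as "elevated" is a policy choice assumed here.
ELEVATED = {"*ALLOBJ", "*SECADM", "*AUDIT", "*IOSYSCFG", "*SERVICE"}

# Constructed profile store: name -> (own special authorities, group profile,
# supplemental group profiles). Real data would come from DSPUSRPRF output.
PROFILES = {
    "QSECOFR":  ({"*ALLOBJ", "*SECADM", "*AUDIT", "*IOSYSCFG", "*SERVICE",
                  "*JOBCTL", "*SPLCTL", "*SAVSYS"}, None, []),
    "APPOWNER": ({"*ALLOBJ"}, None, []),              # application owner
    "OPSGRP":   ({"*JOBCTL", "*SPLCTL"}, None, []),   # operators' group
    "ALICE":    ({"*JOBCTL"}, "OPSGRP", []),
    "BOB":      (set(), "OPSGRP", ["APPOWNER"]),      # looks ordinary, inherits *ALLOBJ
}

def effective_authorities(user):
    """Union of the profile's own special authorities with those of its group
    profile and supplemental groups; maps each authority to its first source."""
    own, group, supp = PROFILES[user]
    sources = {a: user for a in own}
    for g in ([group] if group else []) + supp:
        g_auth, _, _ = PROFILES[g]
        for a in g_auth:
            sources.setdefault(a, g)   # own authority wins over inherited
    return sources

def elevated_sources(user):
    """Elevated special authorities and the profile that grants each one."""
    return {a: src for a, src in effective_authorities(user).items()
            if a in ELEVATED}

def siem_record(user, event="signon"):
    """Syslog-style record with one elevated=yes/no field plus the reason."""
    elev = elevated_sources(user)
    via = ",".join(f"{a}@{src}" for a, src in sorted(elev.items())) or "-"
    return f"event={event} user={user} elevated={'yes' if elev else 'no'} via={via}"

if __name__ == "__main__":
    for u in ("ALICE", "BOB", "QSECOFR"):
        print(siem_record(u))
```

BOB has no special authorities of his own, yet the record flags him because a supplemental group carries *ALLOBJ; the `via` field is what lets an administrator trace the source of the elevation.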
Townsend has also added a new local assessment report to the new release of Alliance LogAgent. The company says the report is easy to use and will “reduce the overhead of inspecting and adjusting privileges of IBM i users.” For more information, see townsendsecurity.com.