iSeries FIM File Integrity Monitoring on IBM i
File integrity monitoring (FIM) for IBM i requires monitoring the system security audit journal (QAUDJRN) and the DB2 database journals to detect unauthorized changes to files and their contents. FIM projects are usually driven by compliance regulations such as PCI, 23 NYCRR 500 and similar regulatory requirements, which significantly narrows the file integrity monitoring scope to specific database files and to object changes recorded in QAUDJRN. In addition to implementing file integrity monitoring, you will need to ensure that user authorities and access control policies are correctly defined and monitored for changes going forward. On an iSeries, many of these settings can be defined from the system itself or using iSeries Navigator, although it also makes sense to use IBM i security exit programs for access control policies.
Monitoring iSeries database field level changes will likely be the primary focus of the FIM compliance objective. This requires journaling to be enabled on the DB2 files so that file activities such as open, read, update, add, delete and close operations are audited. Any change made to or within the database file is then recorded, including the user who made the change, when the change occurred, the type of change, the program used to make the change, job information and similar details of the event. These audit entries are automatically written to the associated journal, which can be queried, reported on and used to trigger alerts from an IDS. Depending on the compliance or audit requirement, the FIM event logs will likely have to be forwarded to a SIEM security tool like QRadar or a SYSLOG server tool like Splunk, which centralize event logs for security monitoring.
Completing most of these tasks for the system audit journal and for database field level changes can be very difficult without a third-party tool such as Enforcive, Cilasoft or Patrick Townsend (collectively all now Syncsort product lines). However, the basic FIM capabilities are inherent to OS/400 and the integrated DB2 database, and IBM provides instructions for both the iSeries AS400 system security audit journal and journaling of DB2 files. After completing those steps, your system will have only the basic audit foundation in place; the remaining work needed to address the specific compliance or audit requirements will either take a lot of effort or require one of the iSeries FIM security solutions mentioned above. These tools not only simplify file integrity monitoring; they typically enrich the logs, add filtering or suppression of unwanted noise, and provide the additional features and processes required by other aspects of the compliance regulation or audit requirements that the operating system does not offer.
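The OS-native foundation the two paragraphs above describe, written out as a CL program. This is an added example, not IBM's documentation and not code from any of the named products; the library FIMLIB, the file APPLIB/CUSTMAST and the journal, receiver and outfile names are assumed placeholders.

```cl
/* Added example (not from the page or any vendor product): the OS-native   */
/* FIM foundation for one sensitive DB2 file.                               */
/* Assumptions: library FIMLIB exists; the sensitive file is APPLIB/CUSTMAST */
PGM
  /* 1. Turn on the system security audit journal (QAUDJRN is created if    */
  /*    it does not exist) with the audit levels compliance work needs.     */
  CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD) +
            QAUDLVL(*AUTFAIL *SECURITY *CREATE *DELETE *OBJMGT)

  /* 2. Object-level auditing on the file itself: authority and attribute  */
  /*    changes land in QAUDJRN as T/CA and T/ZC entries.                   */
  CHGOBJAUD OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) OBJAUD(*CHANGE)

  /* 3. Receiver and journal for DB2 record-level changes. MNGRCV(*SYSTEM)  */
  /*    rotates receivers; DLTRCV(*NO) keeps them until you have archived  */
  /*    or forwarded them, so no evidence is lost.                          */
  CRTJRNRCV JRNRCV(FIMLIB/CUSTRCV0001) THRESHOLD(100000) +
            TEXT('FIM receiver for CUSTMAST')
  CRTJRN JRN(FIMLIB/CUSTJRN) JRNRCV(FIMLIB/CUSTRCV0001) +
         MNGRCV(*SYSTEM) DLTRCV(*NO) TEXT('FIM journal for CUSTMAST')

  /* 4. Journal the file with before and after images so a field-level     */
  /*    diff is possible; OMTJRNE(*NONE) keeps open/close entries too.      */
  STRJRNPF FILE(APPLIB/CUSTMAST) JRN(FIMLIB/CUSTJRN) IMAGES(*BOTH) +
           OMTJRNE(*NONE)

  /* 5. Run on a schedule, not only once: pull the entries that matter     */
  /*    into outfiles for SQL queries or SIEM forwarding. Record adds,      */
  /*    updates and deletes come from the file journal; object change,      */
  /*    authority change and authority failure events come from QAUDJRN.    */
  /*    User, timestamp, job and program are columns of the *TYPE5 outfile. */
  DSPJRN JRN(FIMLIB/CUSTJRN) JRNCDE((R)) ENTTYP(PT UP DL) +
         OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(FIMLIB/CUSTCHG)
  DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(ZC CA AF) +
         OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(FIMLIB/AUDEVT)
ENDPGM
```

Steps 1 to 4 are one-time setup; step 5 is the recurring extraction that a SIEM forwarder or alerting job would consume.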
In addition to implementing FIM, it is good practice to implement other IBM i security measures, such as object level access controls for users accessing the system over the network using exit programs, multi-factor authentication, profile swapping to grant temporary elevated authority instead of giving profiles special authorities they do not need, and DB2 field level encryption for sensitive database files. We also provide Security as a Service and Managed Security Service offerings, as well as security project implementation and consulting services. Please contact us directly with Enforcive, Cilasoft or Patrick Townsend (Syncsort) product questions, general FIM questions, or to schedule a demonstration and trial of a FIM solution.