Monthly Release Notes - August 2017
- Fixed an issue when authenticating users via the RESTful API when the user is configured to use LDAP authentication.
Agent for RSA SecurID
Additional Commands. In order to enhance the way in which DetectIT Agent for RSA SecurID can be configured and used, the following commands have been added:
- CHKACESRV, Check Agent Configuration Status. This command provides a simple method for checking the state of the Agent’s configuration. The processing looks at the relevant exit points that are accessible via WRKREGINF. Prompting the 'Application Name' on the CHKACESRV command provides a list of those Exit Points that can be reviewed.
- DSPAGTPRF, Display Agent Profile. Review the profiles that have been configured for SecurID authentication. The details are available as a report or within an output file. The name and library for the output file can be specified by the user.
- PRTSIDAUDR, Print Configuration Activity. This command provides an audit report showing the configuration activity. The date and time range can be entered together with the required type of configuration. For example: User profiles maintained for authentication, Client/Server applications activated etc.
- PRTSIDEXCP, Print Profile Exception Changes. Review the User Profile maintenance activity that has been performed outside the Agent software that would affect the SecurID authentication. This is effectively the second of two methods to help prevent users from bypassing the authentication. The process makes use of the IBM i System Audit journal, QAUDJRN. Therefore, it is more of an 'after the event' review. The first and recommended method is to configure the 'Change command exit programs' Exit Point using the option entitled 'Work with client application availability'.
- STRSIDJRN, Start Agent Configuration Auditing. By default, the required auditing is started as part of an installation and/or upgrade to version 9.8.2 (or later). The auditing makes use of IBM functions and as such it is possible for an administrator with the appropriate authority and/or IBM i knowledge to remove / undo the audit configuration. This command provides a simple method to ensure the auditing is (re)activated on all the relevant Agent objects.
- VFYJRNCPCL, Verify QAUDJRN Collection. This command can be used to verify that the required QAUDJRN auditing configuration has been put in place and is currently still active. The use of QAUDJRN is not essential for ensuring users do not bypass the SecurID Authentication. However, if another configuration such as the 'Change command exit programs' Exit Point is no longer making use of a program supplied with this software, QAUDJRN provides a secondary method to review any User Profile changes.
- VFYSIDJRCL, Verify Agent Auditing. Review the audit configuration for the Agent to ensure it is still active.
Auditing and Reporting of Activity within the Agent. Activity auditing and reporting functions have been introduced within the Agent software. The auditing makes use of a journal technique and also an Exit Point. New commands have also been included to provide reporting over the audit activity. In addition, it is possible to activate an Exit Point function that ensures the SecurID authentication is not being bypassed. For example, it can prevent a user from running the IBM CHGPRF command to change the initial program and/or library that is required on their User Profile.
Additional Menu for Audit Configuration and Reporting. A new menu, MSCT002I, has been created to provide a single interface for the additional auditing-related functionality and commands. This new menu is accessible via the new menu option 20, “Audit Configuration and Reporting Menu”, on the initial Agent Administrator menu, MSCT000I.
Client/Server Applications Added. The following client / server applications have been added to the list of applications processed by DetectIT Agent for RSA SecurID:
- Retrieve command exit programs. This is more for functionality within the IBM i itself. However, for activation it is part of the Registration Facility (behind the WRKREGINF command) and therefore is activated in the same manner as the more familiar client / server applications such as FTP, REXEC etc. ‘Retrieve command exit programs’ provides the ability to check and prevent users from removing the Agent authentication program, @ACE/MSCT111C, from their User Profile.
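
The 'after the event' review described for PRTSIDEXCP, together with the check that @ACE/MSCT111C stays on the User Profile, shown as an added example that is not part of the Agent software or of these release notes. It assumes the profile change activity has been exported to simple records; the record layout, field names, sample rows and the `review` and `normalize` functions are hypothetical, and the records do not reproduce the real QAUDJRN entry format.

```python
from datetime import datetime

AGENT_PGM = "@ACE/MSCT111C"  # Agent authentication program named on this page

# Constructed sample data in an assumed, simplified export format.
# This is NOT the real QAUDJRN entry layout; field names are hypothetical.
ENROLLED = {"JSMITH", "MJONES", "APATEL"}  # assumed: profiles configured for SecurID
SAMPLE = [
    {"ts": "2017-08-01T09:15:00", "profile": "JSMITH", "by": "JSMITH", "cmd": "CHGPRF", "inlpgm": "*NONE"},
    {"ts": "2017-08-01T10:00:00", "profile": "JSMITH", "by": "QSECOFR", "cmd": "CHGUSRPRF", "inlpgm": "@ace/msct111c"},
    {"ts": "2017-08-02T14:30:00", "profile": "MJONES", "by": "QSECOFR", "cmd": "CHGUSRPRF", "inlpgm": "*SAME"},
    {"ts": "2017-08-03T08:00:00", "profile": "APATEL", "by": "APATEL", "cmd": "CHGPRF", "inlpgm": "QGPL/MENU01"},
    {"ts": "2017-08-03T09:00:00", "profile": "GUEST1", "by": "QSECOFR", "cmd": "CHGUSRPRF", "inlpgm": "*NONE"},
    {"ts": "2017-07-15T11:00:00", "profile": "MJONES", "by": "QSECOFR", "cmd": "CHGUSRPRF", "inlpgm": "*NONE"},
]

def normalize(inlpgm):
    """Upper-case LIB/PGM; None when the change left the value alone (*SAME or blank)."""
    value = inlpgm.strip().upper()
    return None if value in ("", "*SAME") else value

def review(records, enrolled, start, end):
    """Return (findings, profiles still without the Agent program at the end of the window)."""
    findings, unprotected = [], set()
    for rec in sorted(records, key=lambda r: r["ts"]):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(rec["ts"])
        profile = rec["profile"].upper()
        new_pgm = normalize(rec["inlpgm"])
        if profile not in enrolled or new_pgm is None or not (start <= when <= end):
            continue
        if new_pgm == AGENT_PGM:
            unprotected.discard(profile)  # a later change put the Agent program back
        else:
            # An unqualified or differently qualified name is flagged too:
            # only the library-qualified Agent program counts as protected.
            unprotected.add(profile)
            findings.append((rec["ts"], profile, rec["by"], rec["cmd"], new_pgm))
    return findings, sorted(unprotected)

if __name__ == "__main__":
    found, still_open = review(SAMPLE, ENROLLED, datetime(2017, 8, 1), datetime(2017, 8, 31, 23, 59, 59))
    for row in found:
        print("EXCEPTION", *row)
    print("Still without Agent program:", still_open)
```
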