Agent for RSA SecurID
August 2017
Version: 9.8.2
- Additional Commands. In order to enhance the way in which DetectIT Agent for RSA SecurID can be configured and used, the following commands have been added:
  - CHKACESRV, Check Agent Configuration Status. This command provides a simple method for checking the state of the Agent’s configuration. The processing looks at the relevant exit points that are accessible via WRKREGINF. Prompting the 'Application Name' on the CHKACESRV command provides a list of those Exit Points that can be reviewed.
  - DSPAGTPRF, Display Agent Profile. Review the profiles that have been configured for SecurID authentication. The details are available as a report or within an output file. The name and library for the output file can be specified by the user.
  - PRTSIDAUDR, Print Configuration Activity. This command provides an audit report showing the configuration activity. The date and time range can be entered together with the required type of configuration, for example: user profiles maintained for authentication, client/server applications activated, etc.
  - PRTSIDEXCP, Print Profile Exception Changes. Review the User Profile maintenance activity that has been performed outside the Agent software and that would affect the SecurID authentication. This is effectively the second of two methods to help prevent users from bypassing the authentication. The process makes use of the IBM i System Audit journal, QAUDJRN, and is therefore more of an 'after the event' review. The first and recommended method is to configure the 'Change command exit programs' Exit Point using the option entitled 'Work with client application availability'.
  - STRSIDJRN, Start Agent Configuration Auditing. By default, the required auditing is started as part of an installation and/or upgrade to version 9.8.2 (or later). The auditing makes use of IBM functions, and as such it is possible for an administrator with the appropriate authority and/or IBM i knowledge to remove or undo the audit configuration. This command provides a simple method to ensure the auditing is (re)activated on all the relevant Agent objects.
  - VFYJRNCPCL, Verify QAUDJRN Collection. This command can be used to verify that the required QAUDJRN auditing configuration has been put in place and is currently still active. The use of QAUDJRN is not essential for ensuring users do not bypass the SecurID authentication. However, if another configuration, such as the 'Change command exit programs' Exit Point, is no longer making use of a program supplied with this software, QAUDJRN provides a secondary method to review any User Profile changes.
  - VFYSIDJRCL, Verify Agent Auditing. Review the audit configuration for the Agent to ensure it is still active.
- Auditing and Reporting of Activity within the Agent. Activity auditing and reporting functions have been introduced within the Agent software. The auditing makes use of a journal technique and also an Exit Point. New commands have also been included to provide reporting over the audit activity. In addition, it is possible to activate an Exit Point function that ensures the SecurID authentication is not being bypassed, for example to prevent a user from running the IBM CHGPRF command to change the initial program and/or library that is required on their User Profile.
- Additional Menu for Audit Configuration and Reporting. A new menu, MSCT002I, has been created to provide a single interface for the additional auditing-related functionality and commands. This new menu is accessible via the new menu option 20, “Audit Configuration and Reporting Menu”, on the initial Agent Administrator menu, MSCT000I.
- Client/Server Applications Added. The following client/server applications have been added to the list of applications processed by DetectIT Agent for RSA SecurID:
  - Retrieve command exit programs. This is more for functionality within the IBM i itself. However, for activation it is part of the Registration Facility (behind the WRKREGINF command) and is therefore activated in the same manner as the more familiar client/server applications such as FTP, REXEC, etc. ‘Retrieve command exit programs’ provides the ability to check for, and prevent, users removing the Agent authentication program, @ACE/MSCT111C, from their User Profile.
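The release notes above describe two layers of protection against a user removing the SecurID authentication program from their profile: a preventive exit program on the command exit points, and an after-the-event review of User Profile changes recorded in QAUDJRN (PRTSIDEXCP, VFYJRNCPCL). The following CL session is an added example of how an administrator can check both layers with standard IBM i commands; it is not part of the product and does not use the Agent's own commands. The exit point names QIBM_QCA_CHG_COMMAND and QIBM_QCA_RTV_COMMAND (the Registration Facility identifiers behind 'Change command exit programs' and 'Retrieve command exit programs'), the QTEMP outfile and the date range are assumptions drawn from general IBM i knowledge, not from this page.

```cl
/* Added example (not product code): checking the preventive and       */
/* detective controls for bypass of the SecurID authentication.        */

/* 1. Preventive layer: confirm an exit program is still registered     */
/*    on the command exit points. The exit point names and formats      */
/*    are the IBM Registration Facility identifiers (assumed here).     */
WRKREGINF EXITPNT(QIBM_QCA_CHG_COMMAND) FORMAT(CHGC0100)
WRKREGINF EXITPNT(QIBM_QCA_RTV_COMMAND) FORMAT(RTVC0100)

/* 2. Detective layer: confirm system auditing is on and that the      */
/*    audit level includes *SECURITY, which is what causes CP          */
/*    (change profile) entries to be written to QAUDJRN.               */
DSPSECAUD
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)

/* 3. After-the-event review: extract the CP entries for a period      */
/*    into an outfile. CPYAUDJRNE names the file QAUDITCP in the       */
/*    given library. The dates are constructed sample values and       */
/*    must follow the job's date format.                               */
CPYAUDJRNE ENTTYP(CP) OUTFILE(QTEMP/QAUDIT) JRNRCV(*CURCHAIN) +
           FROMTIME('08/01/2017' '000000') +
           TOTIME('08/31/2017' '235959')

/* 4. Review the extracted entries; profile changes made outside the   */
/*    Agent (for example an initial program no longer pointing at      */
/*    @ACE/MSCT111C) can be compared with the PRTSIDEXCP report.       */
RUNQRY QRY(*NONE) QRYFILE((QTEMP/QAUDITCP))
```

Step 1 is the control the notes recommend as primary; steps 2 to 4 are the secondary review that remains available if the exit program registration has been altered, which is exactly the gap VFYJRNCPCL and PRTSIDEXCP are described as covering.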
May 2017
Version: 9.8.1
- HelpSystems style licensing. This change has been included for completeness. Version 9.8.0 had been created to help identify which version of licensing was being used within the software, i.e., Safestone (9.7.0 and earlier) or HelpSystems (from 9.8.0).
- Compatibility with IBM i 7.2 and i 7.3. Version 9.8.0 was the first version to be compatible with 7.2 and also 7.3 of the IBM i operating system. If you are planning to install or upgrade to 7.2 or 7.3, please ensure that you plan to install, or upgrade to, at least Version 9.8.0 of DetectIT Agent for RSA SecurID at the same time.
- Upgrade does not require QSECOFR. As from version 9.8.1, installations and upgrades no longer require the use of the QSECOFR profile nor a profile that is part of the QSECOFR group. However, the alternative profile must have the same Special Authorities as QSECOFR on the intended release level of IBM i. Versions prior to 9.8.1 required the software to be installed or upgraded using the QSECOFR security officer profile or a profile with QSECOFR as the Group Profile.
- Agent Administrator is not part of the QSECOFR group. When the agent software is installed or upgraded, the Agent Administrator profile, ACEDTI, is no longer created nor updated with a Group Profile of QSECOFR. Instead, ACEDTI has the Group Profile parameter, GRPPRF, set to *NONE.
- The Node Secret Encryption Algorithm has changed. The data within the Node Secret file, /var/ace/securid, is no longer encrypted using DES. Because of the way the new cryptographic method returns the data, the file is now 1024 bytes instead of 512.
- Agent for RSA SecurID now allows for selection of configured exit point formats. When checking applications with multiple formats, for example: FTP or REXEC, the processing now allows a format to be selected even when that same format has an Exit Program registered within the IBM i Registration Facility. Previously, when checking multiple formats, the application could not be selected if an Exit Program had been configured against any of the formats for that application.
- Authenticate FTP from one IBM i system to another. It is now possible to authenticate an FTP request being performed from one IBM i system to another. The previous processing assumed the FTP would be performed from a Windows system to an IBM i system.