IT Jungle Volume 5, Number 4 -- January 25, 2005
CXL Debuts iSeries Security Reporting Tool
English developer CXL
unveiled a new software utility this month called AZScan
that tells users how security settings have been configured
on their OS/400, Unix, or OpenVMS midrange systems.
In addition to revealing what the actual security settings
are, the sub-$500, PC-based AZScan also provides an
explanation of settings and recommends ways to make
them more secure.
AZScan is actually three
products in one, and a license to AZScan gives users
the right to run security scans with any of the individual
products, which include AScan (OS/400 V4R4 and later),
VScan (for HP/DEC Alpha/VAX systems), and UScan (for
75 different Unix variants). OS/400 shops that don't
need the other two products can just ignore them.
The AZScan products are
intended to be used periodically, to gauge the relative
strength or weakness of a server's security settings.
Each time an AZScan product is used, it generates a
report that tells users the exact state of each security
setting on the operating system being reviewed, explains
what the setting does, and recommends how to improve it.
Two different types of
reports are provided for each product. The zipped Word
file and HTML files are basically identical and provide
detailed information about every security setting, whereas
the "heat map" report generates a numeric score based
on how the server rated in the various areas, which
are weighted according to the risk they can pose to
The HTML and Word reports
make liberal use of color-coding that tells administrators
which areas of the system are at low, medium, and high
risk. For example, if the system is set to disable a
user profile after five unsuccessful sign-in attempts,
the report will highlight this area of the report in
yellow, for medium risk, and recommend that the administrator
lower this number to three unsuccessful sign-in attempts
before disabling the user profile. There are also numerous
charts and graphs for various security-related settings,
such as the distribution of authorities among user profiles,
the number of days required between password resets,
and so forth.
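The report logic described above (rate each setting low, medium or high, colour-code it, attach an explanation and a recommendation, and fold the ratings into a weighted numeric score) can be illustrated with a small script. The following Python is an added example, not CXL's code; the article does not publish AZScan's actual checks, thresholds, area weights or scoring formula, so all of those here are assumptions chosen for the illustration. QMAXSIGN, QPWDEXPITV and QINACTITV are real OS/400 system values (failed sign-on attempts before the profile is acted on, password expiration interval in days, and inactive-job time-out in minutes); the sample values fed to the script are constructed to match the article's five-attempts example.

```python
"""Toy risk-rated configuration review in the style the article describes.

Added example, not AZScan's code.  Thresholds, area weights and the scoring
formula are assumptions for this illustration.
"""
from dataclasses import dataclass

# Colour-coding and point values for the three risk bands the article mentions.
RISK_COLOR = {"low": "green", "medium": "yellow", "high": "red"}
RISK_POINTS = {"low": 0, "medium": 1, "high": 2}

# Area weights (assumed): a finding in a heavily weighted area costs more
# points in the overall score than one in a lightly weighted area.
AREA_WEIGHT = {"sign-on controls": 3, "user passwords": 2, "system": 1}


@dataclass
class Finding:
    setting: str
    area: str
    value: str
    risk: str
    explanation: str
    recommendation: str


def rate_qmaxsign(value: str) -> str:
    """Failed sign-on attempts tolerated before QMAXSGNACN acts on the profile."""
    if value == "*NOMAX":
        return "high"          # no lockout at all
    attempts = int(value)
    if attempts > 5:
        return "high"          # threshold assumed for the example
    if attempts > 3:
        return "medium"        # the article's example: 5 attempts rates medium
    return "low"               # 3 or fewer, the recommended setting


def rate_qpwdexpitv(value: str) -> str:
    """Days between forced password changes."""
    if value == "*NOMAX":
        return "high"          # passwords never expire
    return "low" if int(value) <= 90 else "medium"   # 90-day threshold assumed


def rate_qinactitv(value: str) -> str:
    """Minutes of inactivity before an interactive job is timed out."""
    if value == "*NONE":
        return "high"          # idle sessions stay signed on indefinitely
    return "low" if int(value) <= 30 else "medium"   # 30-minute threshold assumed


# Each check: (system value, area, rating function, explanation, recommendation).
CHECKS = [
    ("QMAXSIGN", "sign-on controls", rate_qmaxsign,
     "Unsuccessful sign-on attempts allowed before the profile is disabled.",
     "Set QMAXSIGN to 3 so that password guessing is cut off early."),
    ("QPWDEXPITV", "user passwords", rate_qpwdexpitv,
     "Maximum age of a password in days.",
     "Set QPWDEXPITV to 90 or fewer days."),
    ("QINACTITV", "system", rate_qinactitv,
     "Inactive interactive jobs stay signed on until this interval elapses.",
     "Set QINACTITV to 30 minutes or fewer."),
]


def review(system_values: dict) -> tuple:
    """Rate every checked setting and compute a 0-100 heat-map style score.

    The score is the percentage of weighted risk points *not* lost: a server
    with every setting rated low scores 100, one with every setting rated
    high scores 0.  A setting missing from the input is treated as high risk.
    """
    findings, lost, maximum = [], 0, 0
    for name, area, rate, why, fix in CHECKS:
        value = system_values.get(name)
        risk = "high" if value is None else rate(value)
        findings.append(Finding(name, area, str(value), risk, why, fix))
        lost += RISK_POINTS[risk] * AREA_WEIGHT[area]
        maximum += RISK_POINTS["high"] * AREA_WEIGHT[area]
    return findings, round(100 * (maximum - lost) / maximum)


def report(system_values: dict) -> str:
    """Render the non-green findings, their colour and the overall score as text."""
    findings, score = review(system_values)
    lines = [f"{f.setting:<11} {f.value:<7} {RISK_COLOR[f.risk]:<7} {f.recommendation}"
             for f in findings if f.risk != "low"]
    lines.append(f"Overall score: {score}/100")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample matching the article's example: lockout after 5 attempts.
    sample = {"QMAXSIGN": "5", "QPWDEXPITV": "*NOMAX", "QINACTITV": "30"}
    print(report(sample))
```

With the constructed sample, QMAXSIGN=5 comes out yellow with a recommendation to lower it to 3, the never-expiring password interval comes out red, and the weighted score is 42 out of 100. Whatever the weights chosen, the point of the weighting is that one high-risk finding in a heavily weighted area (here sign-on controls) should drag the score down more than several low-impact findings elsewhere, which is what lets an auditor read a single number without first understanding each setting. Note that the exported system and profile data such a review runs on is itself sensitive, since it lists which profiles hold which authorities, so the copies moved to the PC deserve the same protection as the server they describe.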
The AScan component checks
53 different security-related settings in OS/400. These
are broken down into eight main areas: system, auditing,
system passwords, users, sign-on controls, special
authorities, groups, and user passwords. Explanations
and recommendations are provided for each of the settings.
The UScan component checks 74 security settings on all
major (and many minor) Unix operating systems, and VScan
checks 89 settings on OpenVMS Versions 7.1 through 7.3.
Setting up AScan to run
is a matter of copying two files from an OS/400 server,
the System Profile file and the User Profile file, onto
the PC equipped with AScan. (The techniques for the other
operating systems are similar.) Both of these files can
be generated using fairly simple commands provided by
the vendor. Setup and use of the AScan, VScan, and UScan
products are handled through a fourth component of AZScan,
called the Controller.
can get the same information gathered by AZScan without
spending any money. But AZScan does the grunt work of
gathering the data into a single report, and does a
good job of generating colorful and insightful reports
that are easier to digest, particularly for auditors
who may be unfamiliar with the system.
CXL developed AZScan
to run on Windows PCs, as opposed to running directly
on the host systems, to minimize the impact on the monitored
system, says David Robinson, CXL's chief executive.
"The main idea behind the tool was to have something
which was free standing and remote from the systems
it was reviewing so that it could not crash a live system
or even affect the performance," he says.
London-based CXL worked
with a major U.S. investment firm and an OS/400 security
software company in the development of AZScan, Robinson
says. "Our aim has been to produce a simple to use product
which will find your security issues, explain the implications
of these problems, and recommend solutions. All this
is done in the context of your security policy and the
many regulatory conditions which are now imposed on
business," he says.
Although pricing hasn't
yet been nailed down, Robinson says a one-year license
for AZScan will likely be about $440, with five free
"runs," or reviews, which can be used with any of the
three products. Additional runs can be bought at about
$35 each, or less for bulk purchases. For more information
and downloads, go to www.cxlsecure.com.