by Dave Teal, Security Solutions Architect, XYPRO Technology Corporation
The BASE24 Online Maintenance File (OMF) contains audit information about users who have logged on and logged off the BASE24 Pathway system as well as information about users who have accessed or attempted to access (i.e. read, add, delete, update) records in BASE24 files accessed through the BASE24 Pathway system.
For reads, a record is only written to the OMF if the record contains cardholder data, such as a Primary Account Number (PAN). In addition, OMF records are written when users attempt to read a record from the file or when a security violation occurs, for example:
An OMF record is not written if a user attempts a Read or a Read Next function and the record is not retrieved successfully.
BASE24 provides the means to generate two OMF audit reports:
The OMF audit reports include the information from a single day’s OMF file(s), displayed in chronological order.
The OMF-AUDIT parameter in the Logical Network Configuration File (LCONF) affects OMF audit reporting. This parameter controls the amount of information that is written to the OMF and is, therefore, available for reporting.
The OMF-AUDIT parameter has three settings:
The OMF is created daily on the first attempt to write a record after midnight. An additional OMF is created when the current OMF becomes full. The standard OMF naming convention is AYYMMDDn.
XYGATE BASE24 Mover
XYPRO developed the BASE24 Mover so that BASE24 Pathway security audit data can be collected, normalized, alerted on, and added to the XYGATE Merged Audit (XMA) database, in the same way as all other security audit data that XMA collects on the NonStop.
Figure 1 shows XMA collecting from a variety of security audit data sources on the NonStop, including BASE24.
At a minimum, BASE24 security audit data stored in the XMA database can be queried and reported for a single day or for multiple days, depending on the data retention period of the XMA database.
Figure 2 shows a sample XMA database query using the XYGATE Report Manager (XRM) GUI.
Using the same GUI, a report can be easily produced.
Figure 3 shows a sample report.
The BASE24 Mover collects all necessary OMF data except record images, with one exception: the Security (SEC) file. For the SEC file, the BASE24 Mover collects the record images and, in the case of an update, contrasts the before and after images and resolves the differences, which identifies the fields that changed because of the update and captures the change in the XMA database. Figure 4 shows an example query where the Start and End Time fields in the BASE24 Security (SEC) file were modified. The RESULT column shows that the values were changed from 00:00 to 05:00 and 23:59 to 12:59 and then returned to their original values.
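The before/after comparison described above, as an added example that is not XYPRO's or BASE24's code. The fixed-width layout, field names and record images are constructed assumptions, since the page does not give the SEC record format; the revert check goes one step beyond the text by flagging fields that were changed and later set back, as in the Figure 4 description.

```python
from typing import NamedTuple

# Hypothetical fixed-width layout (name, offset, length); the real SEC
# record layout is not given on the page.
LAYOUT = [("USER_ID", 0, 8), ("GROUP", 8, 4),
          ("START_TIME", 12, 5), ("END_TIME", 17, 5)]
RECORD_LEN = 22


class Change(NamedTuple):
    field: str
    old: str
    new: str


def diff_images(before: str, after: str) -> list[Change]:
    """Return the fields whose values differ between two record images."""
    for image in (before, after):
        if len(image) != RECORD_LEN:
            raise ValueError(f"image is {len(image)} chars, expected {RECORD_LEN}")
    changes = []
    for name, off, length in LAYOUT:
        old, new = before[off:off + length], after[off:off + length]
        if old != new:
            changes.append(Change(name, old.strip(), new.strip()))
    return changes


def find_reverts(updates: list[tuple[str, str]]) -> list[str]:
    """For one record's update history, list fields set back to their first value."""
    first_seen: dict[str, str] = {}
    reverted: list[str] = []
    for before, after in updates:
        for ch in diff_images(before, after):
            original = first_seen.setdefault(ch.field, ch.old)
            if ch.new == original and ch.field not in reverted:
                reverted.append(ch.field)
    return reverted


# Constructed sample images: two updates to one user's record.
ORIGINAL = "JSMITH  OPS 00:0023:59"
MODIFIED = "JSMITH  OPS 05:0012:59"
UPDATES = [(ORIGINAL, MODIFIED), (MODIFIED, ORIGINAL)]

if __name__ == "__main__":
    for before, after in UPDATES:
        for ch in diff_images(before, after):
            print(f"{ch.field}: {ch.old} -> {ch.new}")
    print("reverted:", find_reverts(UPDATES))
```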
Optionally, BASE24 security audit data can be sent as alerts to a Security Information and Event Management (SIEM) appliance or to XYPRO’s XYGATE SecurityOne (XS1) real-time Security Intelligence and Analytics solution.
The BASE24 Mover can easily be added using XMA_MANAGER.
Figure 5 shows the use of the XMA_MANAGER macro to set the parameters for adding the BASE24 Mover.
The XMA BASE24 Mover collects all user activity audit records from the BASE24 OMF file. Security-related EMS events generated by Pathway and NCPCOM are captured by the XMA EMS Mover. These combined sources enable logging of all BASE24 security activity into the XMA NonStop SQL database for reporting and alerting, as well as seamless and secure integration with your enterprise SIEM, without custom programming or time-consuming data manipulation.
For more information on how to license the BASE24 Mover for XYGATE Merged Audit, please contact your account executive or visit www.XYPRO.com.