jeevan
Posted: Wed May 13, 2009 1:22 pm    Post subject: Finding history of permission in MQ
Grand Master, Joined: 12 Nov 2005, Posts: 1432
To my wonder, when I did amqoamd -m qmgr -f, it not only showed the users which were removed (had their permission revoked), but also displayed a whole lot more, meaning all the other users in other queue managers on that box. However, amqoamd -m qmgr -s does not. Is that what is supposed to happen?
Also, dspmqaut does not display them either.
I also have another problem. In one of the queue managers, I could not run amqoamd -m qmgr -s, but I can still run amqoamd -m qmgr -f. Is there any difference between these two switches except the format in which the data is displayed?
System info: WMQ 6.0.2.2 and OS Solaris 10.
Thanks a lot.
Last edited by jeevan on Thu May 14, 2009 8:19 am; edited 2 times in total
jeevan
Posted: Wed May 13, 2009 2:18 pm
Grand Master, Joined: 12 Nov 2005, Posts: 1432
When I ran saveqmgr in order to see what it generates, the output gave me some insight.
For example, the ids that amqoamd -f displays might be all the ids which were authorised in the past but whose permissions were revoked, whereas with -s I only get what is required to run in order to recreate the current permissions.
gbaddeley
Posted: Wed May 13, 2009 5:39 pm
Jedi Knight, Joined: 25 Mar 2003, Posts: 2538, Location: Melbourne, Australia
Jeevan, be aware that Unix OAM only associates MQ authorities with Unix Group names. Userids (aka principals) are not stored in OAM.
When you see displays of userids, it is done by resolving whoever is in the authorised group at the time, as per the Unix security settings in /etc/passwd and /etc/group.
_________________
Glenn
jeevan
Posted: Thu May 14, 2009 8:14 am
Grand Master, Joined: 12 Nov 2005, Posts: 1432
gbaddeley wrote:
> Jeevan, be aware that Unix OAM only associates MQ authorities with Unix Group names. Userids (aka principals) are not stored in OAM.
> When you see displays of userids, it is done by resolving whoever is in the authorised group at the time, as per the Unix security settings in /etc/passwd and /etc/group.

As I said, both the amqoamd -f and saveqmgr -z commands dump all the users who are not active but were granted permission at some point. Is there a way to find out (even programmatically) when these permissions were granted and revoked?
We found a strange situation where the permissions of certain users were revoked from a queue manager, and I am eager to find out when that was done.
mqjeff
Posted: Thu May 14, 2009 8:17 am
Grand Master, Joined: 25 Jun 2008, Posts: 17447
I don't believe the OAM stores any audit trail of permission changes.
You can run saveqmgr -z on a daily or hourly basis and store the output under change control. But I don't think there's any way to get historical data.
vol
Posted: Thu May 14, 2009 10:10 pm
Acolyte, Joined: 01 Feb 2009, Posts: 69
Ask the registered admins of the system when they did it. If there are too many of them or they do not know, you have a serious security problem.
gs
Posted: Fri May 15, 2009 5:23 am
Master, Joined: 31 May 2007, Posts: 254, Location: Sweden
vol wrote:
> Ask the registered admins of the system when they did it. If there are too many of them or they do not know, you have a serious security problem.

Agreed. Also, you might be interested in an MQ object deployment tool that has auditing capabilities.
Pavan Kumar PNV
Posted: Mon Jun 01, 2009 1:22 am
Acolyte, Joined: 03 Feb 2007, Posts: 66
Yes, maybe something like Appwatch from MQ Software. Any other tools you can think of?
_________________
Pavan Pendyala
http://pavanz.blogspot.com
Michael Dag
Posted: Mon Jun 01, 2009 1:36 am
Jedi Knight, Joined: 13 Jun 2002, Posts: 2607, Location: The Netherlands (Amsterdam)
fjb_saper
Posted: Mon Jun 01, 2009 4:05 am
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
Pavan Kumar PNV wrote:
> Yes, maybe something like Appwatch from MQ Software. Any other tools you can think of?

QPasa from the same supplier can do that for you too.
However, this means that you have to strictly adhere to the tool for changing security on the object.
If you are really paranoid, the only right way to determine approximately when is to take the output of saveqmgr -z or -Z and put it under source control. It will not tell you who, though. Have fun.
_________________
MQ & Broker admin
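The approach mqjeff and fjb_saper describe (dump the authorities with saveqmgr -z on a schedule, keep the dumps under version control, and diff them to date a change) can be turned into a small timeline tool. The script below is an added example for this thread; it is not code from saveqmgr, IBM MQ or any poster. It assumes each dump is a list of setmqaut commands of the form `setmqaut -m QM -t type [-n name] -g group|-p user +auth ...`, and the three snapshots in SAMPLE_SNAPSHOTS are constructed sample data for a fictional queue manager QM1, not a real dump. As the thread notes, this dates a grant or revocation only to the snapshot interval in which it first appears; it cannot say who made the change.

```python
"""Build a grant/revoke timeline from periodic saveqmgr -z dumps.

Added example for this thread, not code from saveqmgr, IBM MQ or any poster.
Assumes each dump is a series of setmqaut commands of the form
'setmqaut -m QM -t type [-n name] -g group|-p user +auth ...';
SAMPLE_SNAPSHOTS is constructed, not real data."""
import shlex
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

VALUE_OPTS = {"-m", "-t", "-n", "-g", "-p", "-s"}  # options taking a value (assumed subset)
Key = Tuple[str, str, str, str]  # (qmgr, object type, object name, principal)


@dataclass(frozen=True)
class AuthRecord:
    qmgr: str
    obj_type: str
    obj_name: str            # "" for the queue-manager object itself
    principal: str           # "g:<group>" or "p:<user>"
    authorities: FrozenSet[str]

    def key(self) -> Key:
        return (self.qmgr, self.obj_type, self.obj_name, self.principal)


@dataclass(frozen=True)
class Event:
    snapshot: str            # label of the dump in which the change was first seen
    kind: str                # "granted", "revoked" or "changed"
    key: Key
    before: FrozenSet[str]
    after: FrozenSet[str]


def parse_setmqaut(line: str) -> Optional[AuthRecord]:
    """Parse one setmqaut line; return None for blank or comment lines."""
    toks = shlex.split(line, comments=True)
    if not toks or toks[0] != "setmqaut":
        return None
    opts: Dict[str, str] = {}
    auths = set()
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in VALUE_OPTS:
            if i + 1 >= len(toks):
                raise ValueError(f"{tok} is missing its value: {line!r}")
            opts[tok] = toks[i + 1]
            i += 2
        elif len(tok) > 1 and tok[0] in "+-":
            auths.add(tok)           # authority token such as +get, -put or +all
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r}: {line!r}")
    if "-g" in opts:
        principal = "g:" + opts["-g"]
    elif "-p" in opts:
        principal = "p:" + opts["-p"]
    else:
        raise ValueError(f"no -g or -p principal: {line!r}")
    return AuthRecord(opts.get("-m", ""), opts.get("-t", ""),
                      opts.get("-n", ""), principal, frozenset(auths))


def load_snapshot(text: str) -> Dict[Key, FrozenSet[str]]:
    """Collapse one dump into {key: authorities}, merging repeated keys."""
    recs: Dict[Key, FrozenSet[str]] = {}
    for line in text.splitlines():
        rec = parse_setmqaut(line)
        if rec is not None:
            recs[rec.key()] = recs.get(rec.key(), frozenset()) | rec.authorities
    return recs


def authority_history(snapshots: List[Tuple[str, str]]) -> List[Event]:
    """Diff consecutive (label, dump_text) snapshots given oldest first.

    The first snapshot is the baseline and yields no events; each later one
    reports records that appeared, vanished or changed since the previous
    dump, so a revocation is dated to the first snapshot that lacks it."""
    events: List[Event] = []
    prev: Optional[Dict[Key, FrozenSet[str]]] = None
    for label, text in snapshots:
        cur = load_snapshot(text)
        if prev is not None:
            for key in sorted(set(prev) | set(cur)):
                before, after = prev.get(key), cur.get(key)
                if before is None:
                    events.append(Event(label, "granted", key, frozenset(), after))
                elif after is None:
                    events.append(Event(label, "revoked", key, before, frozenset()))
                elif before != after:
                    events.append(Event(label, "changed", key, before, after))
        prev = cur
    return events


def revocations_for(events: List[Event], principal: str) -> List[Tuple[str, str, str]]:
    """(snapshot, object type, object name) for every revocation of one principal."""
    return [(e.snapshot, e.key[1], e.key[2])
            for e in events if e.kind == "revoked" and e.key[3] == principal]


# Constructed sample: three successive saveqmgr -z dumps of a fictional QM1.
SAMPLE_SNAPSHOTS = [
    ("2009-05-01", "# constructed sample, not a real dump\n"
                   "setmqaut -m QM1 -t qmgr -g mqadm +connect +inq +setall\n"
                   "setmqaut -m QM1 -t queue -n APP.REQUEST -g appgrp +get +put +inq\n"
                   "setmqaut -m QM1 -t queue -n APP.REPLY -g appgrp +get +inq\n"),
    ("2009-05-08", "setmqaut -m QM1 -t qmgr -g mqadm +connect +inq +setall\n"
                   "setmqaut -m QM1 -t queue -n APP.REQUEST -g appgrp +get +put +inq\n"
                   "setmqaut -m QM1 -t queue -n APP.REPLY -g appgrp +get +inq +put\n"),
    ("2009-05-13", "setmqaut -m QM1 -t qmgr -g mqadm +connect +inq +setall\n"
                   "setmqaut -m QM1 -t queue -n APP.REQUEST -g batchgrp +get +inq\n"
                   "setmqaut -m QM1 -t queue -n APP.REPLY -g appgrp +get +inq +put\n"),
]

if __name__ == "__main__":
    for e in authority_history(SAMPLE_SNAPSHOTS):
        print(f"{e.snapshot}: {e.kind:8s} {e.key[1]} {e.key[2] or '(qmgr)'} "
              f"{e.key[3]}  {sorted(e.before)} -> {sorted(e.after)}")
```

In practice each dump would be written to a dated file (or committed to the repository fjb_saper suggests) by the scheduled job, and the files are fed to authority_history in date order; the granularity of the answer is the dump interval, which is why an hourly schedule narrows "when" more than a daily one. Because OAM keys authorities by group, a user who silently lost access through a change to /etc/group will not show up here at all; that case needs the group files under the same kind of version control.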
jeevan
Posted: Tue Jun 02, 2009 8:36 pm
Grand Master, Joined: 12 Nov 2005, Posts: 1432
fjb_saper wrote:
> Pavan Kumar PNV wrote:
> > Yes, maybe something like Appwatch from MQ Software. Any other tools you can think of?
>
> QPasa from the same supplier can do that for you too.
> However, this means that you have to strictly adhere to the tool for changing security on the object.
> If you are really paranoid, the only right way to determine approximately when is to take the output of saveqmgr -z or -Z and put it under source control. It will not tell you who, though. Have fun.

Actually, we are not so much concerned about the 'who', as there are only two of us. But sometimes we have to do it in a hurry and it is not documented properly, which later on becomes kind of a burden. Sometimes we also act on verbal requests, for which there is no supporting documentation. So we just wanted to know when it was done. If we could get who as well, much better, but not a problem.
exerk
Posted: Tue Jun 02, 2009 11:19 pm
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
jeevan wrote:
> Actually, we are not so much concerned about the 'who', as there are only two of us. But sometimes we have to do it in a hurry and it is not documented properly, which later on becomes kind of a burden.

Don't ever do security-related changes in a hurry.

jeevan wrote:
> Sometimes we also act on verbal requests, for which there is no supporting documentation.

I do so hope you don't do this in Production...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
jeevan
Posted: Thu Jun 04, 2009 9:30 am
Grand Master, Joined: 12 Nov 2005, Posts: 1432
exerk wrote:
> jeevan wrote:
> > Actually, we are not so much concerned about the 'who', as there are only two of us. But sometimes we have to do it in a hurry and it is not documented properly, which later on becomes kind of a burden.
>
> Don't ever do security-related changes in a hurry.
>
> jeevan wrote:
> > Sometimes we also act on verbal requests, for which there is no supporting documentation.
>
> I do so hope you don't do this in Production...

No, not at all. In prod, we cannot touch anything until the change request is approved.