PeterPotkay
Posted: Wed Aug 13, 2014 8:45 am Post subject: Make MQ copy its AMQERR01.log entries into the syslog?
Poobah
Joined: 15 May 2001 Posts: 7722
The chmod 2770 permissions on the /var/mqm/qmgrs/MyQM/errors directory are a pain in the butt. Our monitoring tools can’t get in there. Apparently the permissions will revert back to this anytime the QM restarts. See here:
http://www-01.ibm.com/support/docview.wss?uid=swg21228976
Yeah, they give a kludgy work around. But then there are other tech notes that say don’t mess with MQ dir permissions – period.
http://www-01.ibm.com/support/docview.wss?uid=swg21265111
So, while I scratch my head, wondering what the big deal was, why didn’t IBM allow read access to world for the MQ error logs, what’s the harm with reading an error log… how about getting the entries to go to the syslog. WMB does that by default. On Windows, MQ copies it into the Event Viewer.
All our monitoring tools have access to the syslog by default, so if our MQ entries were there as well it would be easy.
Anyone done this? How?
Other ideas?
I really do not want to add those monitoring IDs into the mqm group – who the heck knows who has access to those IDs.
_________________
Peter Potkay
Keep Calm and MQ On
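One way to get the AMQERR01.LOG entries into syslog, the route asked about above, is to collapse each multi-line record into a single line and hand it to logger(1); a naive `tail | logger` would split one MQ error across many syslog entries. This is an added example and not part of the original post or of IBM's product: the record layout (a header line containing `Process(...)`, an `AMQnnnn:` message line, EXPLANATION/ACTION text and a `----- file.c : line -----` terminator) is assumed from MQ 7 on Linux, the sample log with its host and channel names is constructed, and the `mq` tag and `local0` facility are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from the thread or from IBM. Collapses each multi-line
# AMQERR01.LOG record into one line so it can be handed to syslog via logger(1).
# Record layout assumed from MQ 7 on Linux: header line with "Process(...)",
# an "AMQnnnn:" message line, EXPLANATION/ACTION text, then a
# "----- file.c : line -----" terminator. The sample below is constructed.

# flatten_mq_log: reads an MQ error log on stdin, writes one line per record:
#   <header line> | <AMQnnnn: message line>
flatten_mq_log() {
    awk '
        /^----- / {                                   # dashed line closes a record
            if (hdr != "") print hdr " | " msg
            hdr = ""; msg = ""; next
        }
        hdr == "" && / - Process\(/ { hdr = $0; next }    # first line of a record
        hdr != "" && msg == "" && /^AMQ[0-9][0-9][0-9][0-9][A-Z]?: / { msg = $0; next }
    '
}

# forward_to_syslog: one syslog entry per record, tagged "mq" at local0.info
# (-t and -p are standard logger(1) options on Linux and BSD).
forward_to_syslog() {
    flatten_mq_log | logger -t mq -p local0.info
}

# Constructed sample: two records, each with a two-line header.
SAMPLE_LOG='08/13/2014 08:45:01 AM - Process(12345.1) User(mqm) Program(runmqchl)
                    Host(mqhost01)
AMQ9999: Channel program ended abnormally.

EXPLANATION:
Channel program '\''TO.MYQM'\'' ended abnormally.
ACTION:
Look at previous error messages for the channel program.
----- amqrccca.c : 999 --------------------------------------------------------
08/13/2014 08:46:10 AM - Process(12345.1) User(mqm) Program(runmqchl)
                    Host(mqhost01)
AMQ9002: Channel '\''TO.MYQM'\'' is starting.

EXPLANATION:
Channel '\''TO.MYQM'\'' is starting.
ACTION:
None.
----- amqrccca.c : 123 --------------------------------------------------------'

# Helpers exposing the flattened sample for checking.
sample_line_count() { printf '%s\n' "$SAMPLE_LOG" | flatten_mq_log | wc -l | tr -d ' '; }
sample_line() { printf '%s\n' "$SAMPLE_LOG" | flatten_mq_log | sed -n "${1}p"; }
```

Run it as `tail -F /var/mqm/qmgrs/MyQM/errors/AMQERR01.LOG | forward_to_syslog` under an ID in the mqm group, since the source file stays group-readable only. This moves the read-access question from the errors directory to the syslog configuration, which carries the same channel names and addresses and should be restricted accordingly.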

bruce2359
Posted: Wed Aug 13, 2014 9:26 am Post subject: Re: Make MQ copy its AMQERR01.log entries into the syslog?
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
PeterPotkay wrote:
So, while I scratch my head, wondering what the big deal was, why didn’t IBM allow read access to world for the MQ error logs, what’s the harm with reading an error log…
Closes a security exposure, I imagine. The MQ error logs contain channel names, IP addresses, and so on.
SYSLOG (z/OS-speak) is usually secured with UACC(NONE) for the same reason. READ access is granted to those who need to do so.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

fjb_saper
Posted: Wed Aug 13, 2014 9:30 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
The problem with a startup service making those files world readable is that when MQ rolls the logs the new log is probably not world readable.
Back to the cron job doing the chmod a+r...
_________________
MQ & Broker admin

mqjeff
Posted: Wed Aug 13, 2014 9:45 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447

smdavies99
Posted: Wed Aug 13, 2014 10:03 am Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
At a previous place of work, this was a real PITA for developers. Even on a DEV system we had to raise a request on the sysadmins to get us the files so we could get additional data on the errors that were happening.
In the end, I created a shell script that was started by a cron job that ran every two minutes and copied the AMQERR01.log file to a location that was accessible by the developers.
Sadly the security people decided that this was an unacceptable security hole even though this was a dev system and it was vetoed.
Thankfully the Admin manager took the Security people out the back and gave them a good talking to in his broad 'scouse'. The solution was implemented the next day.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

fjb_saper
Posted: Wed Aug 13, 2014 12:40 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
AFAIK this just makes the link visible to everybody but the access is still restricted to the actual file's properties...
_________________
MQ & Broker admin

mqjeff
Posted: Wed Aug 13, 2014 12:44 pm Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
fjb_saper wrote:
AFAIK this just makes the link visible to everybody but the access is still restricted to the actual file's properties...
I thought there was a way to make a link that had different permissions.

bruce2359
Posted: Wed Aug 13, 2014 12:50 pm Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
smdavies99 wrote:
Sadly the security people decided that this was an unacceptable security hole even though this was a dev system ...
Readable test and dev error logs expose channel and queue names. Given that you likely use the same names in prod, you open an attack vector for prod.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

fjb_saper
Posted: Wed Aug 13, 2014 1:41 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
bruce2359 wrote:
smdavies99 wrote:
Sadly the security people decided that this was an unacceptable security hole even though this was a dev system ...
Readable test and dev error logs expose channel and queue names. Given that you likely use the same names in prod, you open an attack vector for prod.
Even if your channel auth records show the workings of a paranoid mind?
_________________
MQ & Broker admin

PeterPotkay
Posted: Wed Aug 13, 2014 2:59 pm Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
Security through obscurity is not something to hang your hat on. As often as we harp about document, document, document, odds are the queue names and channel names are found in dozens if not hundreds of places already. They are probably in the monitoring tool we are discussing here because they are being monitored!
Any security solution that folds as soon as the attacker simply knows the name of the queue was a failure regardless.
Now, I do like your line of thinking though. Is there other stuff in the AMQERR01.LOG that is considered confidential? Why would IBM make the QM error logs with 660 permissions, but the server's AMQERR01.log is available for the world to read? What's so secret in the QM error log?
On the list server Roger suggested using rsync to copy the file to another readable location, similar to what smdavies99 is proposing. Simple. Annoying that I have to do that. Would be less annoying if I knew of a legit reason why IBM made the error log 660.
Tim proposed sudo commands for the monitoring tool. That's an idea, as long as the list is short of what commands they need. Waiting for the monitoring guy to get back to me.
_________________
Peter Potkay
Keep Calm and MQ On

bruce2359
Posted: Wed Aug 13, 2014 3:03 pm Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Security is like an onion... or is it like garlic?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

RogerLacroix
Posted: Wed Aug 13, 2014 3:34 pm Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hi,
Why not run rsync as a daemon? You could do:
- Create a directory called /var/mqm/qmgrs/MyQM/errors_clone/
- Set the permission of /var/mqm/qmgrs/MyQM/errors_clone/ to be whatever you need
- Create an MQ service for that QMgr to invoke rsync to clone /var/mqm/qmgrs/MyQM/errors/ to /var/mqm/qmgrs/MyQM/errors_clone/
Now you can have your monitoring tools watch /var/mqm/qmgrs/MyQM/errors_clone/ without any issues.
Code:
# "rsync --daemon" only starts the rsyncd server and copies nothing, so the clone
# is a plain rsync run (rerun it from the MQ service or cron to pick up rolled logs).
# "Dugo+x" restores the execute bit on directories after "ug=rw,o=r" clears it,
# so the clone directory stays traversable.
rsync -a --chmod=ug=rw,o=r,Dugo+x /var/mqm/qmgrs/MyQM/errors/ /var/mqm/qmgrs/MyQM/errors_clone/
Note the ",o=r" for the chmod. It sets world permission to read.
You can look up the man page for rsync at http://linux.die.net/man/1/rsync
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
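The clone approach above, carried through in plain sh as an added example (this is not Roger's, Capitalware's or IBM's code): the script copies the AMQERR0*.LOG files into a separately permissioned directory, relaxes permissions on the copies only, never writes to the real errors directory (whose 2770 mode MQ restores on restart anyway), and picks up rolled logs on the next pass, which is the gap fjb_saper pointed out with a one-off chmod. The paths, the script location and the SERVICE name in the comments are assumptions; the permission mode is a parameter so the clone can be limited to a monitoring group instead of the world.

```shell
#!/bin/sh
# Added example, not Roger's or IBM's code. Clones a queue manager's error logs
# into a separately permissioned directory using only cp/chmod/mv, so the real
# errors directory (mode 2770, reset by MQ on restart) is never modified and
# rolled logs (AMQERR02/03) are picked up on the next pass. Paths, the script
# location and the SERVICE name below are assumptions.

# clone_errors SRC DST [FILE_MODE]
# Copies AMQERR0*.LOG from SRC to DST and relaxes permissions on the copies only.
# The default FILE_MODE mirrors the thread's "ug=rw,o=r"; "u=rw,g=r,o=" with DST
# owned by a monitoring group is tighter (error logs name channels and hosts).
clone_errors() {
    src="$1"; dst="$2"; mode="${3:-ug=rw,o=r}"
    mkdir -p "$dst"
    chmod u=rwx,go=rx "$dst"             # directory keeps x so the copies are reachable
    for f in "$src"/AMQERR0*.LOG; do
        [ -f "$f" ] || continue          # no match: the literal pattern is skipped
        name=$(basename "$f")
        tmp="$dst/.$name.tmp"
        cp -p "$f" "$tmp"                # -p keeps mtime for "changed since" monitoring
        chmod "$mode" "$tmp"             # set the relaxed mode before publishing
        mv "$tmp" "$dst/$name"           # atomic replace: readers never see a partial file
    done
}

# perm_string PATH: mode as ls shows it ("-rw-rw-r--"), portable across GNU and BSD.
perm_string() { ls -ld "$1" | cut -c1-10; }

# Loop mode for running under an MQ SERVICE object so the clone lives and dies
# with the queue manager (MQSC, assumed names and script path):
#   DEFINE SERVICE(ERRLOG.CLONE) CONTROL(QMGR) SERVTYPE(SERVER) +
#          STARTCMD('/usr/local/bin/clone_errors.sh') +
#          STARTARG('--loop /var/mqm/qmgrs/MyQM/errors /var/mqm/qmgrs/MyQM/errors_clone 120')
case "${1:-}" in
    --loop)
        while :; do
            clone_errors "$2" "$3"
            sleep "${4:-120}"            # interval in seconds, default two minutes
        done ;;
esac
```

The service runs as the mqm user, which is why it can read the 2770 source while the monitoring IDs never need to join the mqm group. The same `perm_string` check can be dropped into a monitoring job to alert if the clone directory ever ends up wider than intended.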

JosephGramig
Posted: Thu Aug 14, 2014 4:50 am Post subject:
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
My 2 cents worth...
I like this path better for the cloned errors files: /var/mqm/errors/<QmgrName>/

PeterPotkay
Posted: Thu Aug 14, 2014 4:59 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
So I've reviewed the man page and Googled to boot, but I can't find the answer to how often rsync as a daemon will check the source file. I don't see any options that say check every x seconds, nor do I see anything that says it checks every x seconds by default.
Is it checking constantly as fast as it can, moving differences from source to destination?
I did open a PMR asking if it's safe for rsync to be fiddling with the QM's error log file. And for some background info on why IBM chose to restrict read access to world for the QM errors logs but not the MQ server error logs. Will share the results.
_________________
Peter Potkay
Keep Calm and MQ On