kevinf2349
Posted: Wed Jun 07, 2006 9:26 am Post subject: Audit trail
Grand Master
Joined: 28 Feb 2003 Posts: 1311 Location: USA
I am looking for a way to tell who deleted a queue from a z/OS (5.3.1) queue manager. We are capturing SMF record types 115 and 116 but reading through the manual for MP1B I don't see anything that looks like it will tell me....but I am still investigating.
If there isn't anything currently being cut in an SMF record does anyone know if there is an exit point that will allow us to cut such a record?
Ideally we would like to cut a record for creation, alter or delete.
Any help would be appreciated.

wschutz
Posted: Wed Jun 07, 2006 9:47 am Post subject:
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
z/OS MQ command events? _________________ -wayne

markt
Posted: Wed Jun 07, 2006 10:02 am Post subject:
Knight
Joined: 14 May 2002 Posts: 508
command events are V6
config events (so you'd know about the deletion, but not necessarily who) are V5.3

wschutz
Posted: Wed Jun 07, 2006 10:12 am Post subject:
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
ah...missed the version bit.... _________________ -wayne

kevinf2349
Posted: Wed Jun 07, 2006 6:01 pm Post subject:
Grand Master
Joined: 28 Feb 2003 Posts: 1311 Location: USA
Well I have a sort of work around. I changed the REXX exec to prevent anyone but the system admins from nuking a queue via ISPF...and even those that can have a record written to a dataset to produce an audit trail.
Thought occurred.....how granular is ACF2 MQ security? It seems like we have to give all or nothing when it comes to queues. (According to our ACF2 folks anyway).
Is there a way of using ACF2 to allow API calls but deny ALTER or DELETE except for 'certain authorised users'? Our auditors are going to have a hissy fit if we can't lock this sucker down.

tleichen
Posted: Wed Jun 14, 2006 7:13 am Post subject:
Yatiri
Joined: 11 Apr 2005 Posts: 663 Location: Center of the USA
Wouldn't these be in the SMF log, as well? _________________ IBM Certified MQSeries Specialist
IBM Certified MQSeries Developer

kevinf2349
Posted: Wed Jun 14, 2006 10:43 am Post subject:
Grand Master
Joined: 28 Feb 2003 Posts: 1311 Location: USA
Quote:
Wouldn't these be in the SMF log, as well?
Nope. At least not that I could see.

RogerLacroix
Posted: Wed Jun 14, 2006 8:35 pm Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
kevinf2349 wrote:
Thought occurred.....how granular is ACF2 MQ security? It seems like we have to give all or nothing when it comes to queues. (According to our ACF2 folks anyway).
No, you can do granular security with ACF2. I wrote a mini-course for ACF2 / MQ security years ago. I'll need to dig it up when I get home from the MQ Conf.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter

RogerLacroix
Posted: Sun Jun 18, 2006 9:59 pm Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hi,
Ok, here we go:
- Create a SAFDEF record for the queue manager
- Create a SAFDEF RESLEVEL for the queue manager
- Create / Add the appropriate Switch Profile - in my notes I have 9 Switch Profiles listed.
- Create / Add a CLASMAP for each MQ Object that you want security on.
- Finally, create / add the individual Resource Rules to apply users' ACLs (Access Control Lists)
The documentation that I got from CA (many, many moons ago) on applying ACF2 security for MQ was sparse, very basic and wrong, i.e. you applied a 'NO' switch profile to enable it!! (weird but true)
Hope that helps.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter

kevinf2349
Posted: Mon Jun 19, 2006 5:41 am Post subject:
Grand Master
Joined: 28 Feb 2003 Posts: 1311 Location: USA
Thanks Roger.

bruce2359
Posted: Thu Aug 23, 2007 8:21 am Post subject:
Guest
Quote:
you can do granular security with ACF2. I wrote a mini-course for ACF2 / MQ security years ago. I'll need to dig it up when I get home from the MQ Conf.
Roger. Can you share this mini-course?
Thanks.

RogerLacroix
Posted: Mon Aug 27, 2007 9:11 am Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
bruce2359 wrote:
Can you share this mini-course?
Hi,
Sorry but no.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter

zpat
Posted: Tue Aug 28, 2007 12:16 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
The RACROUTE AUTH that MQ issues on an MQQUEUE class resource can be used to grant access to messages only (i.e. UPDATE access) and not DELETE or ALTER, if so controlled by the External Security Manager.
ACF2 rules provide equivalent permissions to RACF at this level. You just need to define rules to protect the MQQUEUE class resources with the appropriate level of access. It's not just a question of switch profiles.
http://www-1.ibm.com/support/docview.wss?uid=isg1II06967
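The following is an added illustration of the last two steps in Roger Lacroix's list (the CLASMAP and the resource rule) and of the access-level split zpat describes; it is not taken from the thread, from Roger's mini-course, or from CA or IBM documentation. It assumes a queue manager with subsystem id MQM1, an ACF2 resource type MQQ chosen here to map the SAF class MQQUEUE, and constructed queue and UID-mask names (APP.ORDERS.REQUEST, APPORD-, MQADM-); the UID string layout and the exact keyword set accepted by a given ACF2 release are site-specific assumptions.

```text
* Added example, not from the thread. Assumes ssid MQM1, resource type MQQ
* for SAF class MQQUEUE, and constructed queue / UID names.

ACF
SET CONTROL(GSO)
* Map the SAF class MQ uses for queue checks to an ACF2 resource type
INSERT CLASMAP.MQQUEUE RESOURCE(MQQUEUE) RSRCTYPE(MQQ)

* Resource rule set keyed on the queue manager subsystem id;
* each entry line carries the rest of the resource name (the queue)
SET RESOURCE(MQQ)
COMPILE *
 $KEY(MQM1) TYPE(MQQ)
* Application UIDs: put/get messages (READ,UPDATE) only
 APP.ORDERS.REQUEST UID(APPORD-) SERVICE(READ,UPDATE) ALLOW
* Named MQ administrators: full access, every access written to the ACF2 log
 APP.ORDERS.REQUEST UID(MQADM-) SERVICE(READ,UPDATE,ADD,DELETE) LOG
* Everyone else: denied, and the attempt is logged as a violation
 APP.ORDERS.REQUEST UID(-) PREVENT
STORE

* Pick up the new CLASMAP and rebuild the resident rule directory
F ACF2,REFRESH(CLASMAP)
F ACF2,REBUILD(MQQ)
```

Two points worth keeping in mind when reading this against the original question. First, the LOG action on the administrator entry is what produces the "who did it" trail the thread is asking for: ACF2 writes a logging record for every access that matches that entry, not only for violations, so the SMF 115/116 gap is covered by the security manager's own journal rather than by MQ. Second, an MQQUEUE rule governs MQOPEN-style API access; deleting a queue definition with an MQSC DELETE command on z/OS goes through MQ command security (the MQCMDS and MQADMIN classes), so those classes need their own CLASMAP entries and rules before ALTER and DELETE are really locked down to the authorised group.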