Logs about MQSeries objects

bcostacurta
Posted: Tue Feb 09, 2010 6:57 am    Post subject: Logs about MQSeries objects

Hello,

Is there a log where the creation, modification, etc. during the MQSeries object lifetime are written on z/OS?
I need to trace a change on a remote queue on a production environment.

Thanks for your help.
Bye,
Bruno

Vitor
Posted: Tue Feb 09, 2010 7:32 am    Post subject: Re: Logs about MQSeries objects

bcostacurta wrote:
is there a log where the creation, modification .. about the MQSeries object lifetime are written on the z/OS ?
I need to trace a change on a remote queue on a production environment.


There are a number of ways you can set up an audit like this; I'm not aware it's audited by default (SMF records or similar).

One alternative is to take the limited number of people who have high enough RACF authority to make such a change on production, put them in a room and question them until one cracks.

You do have the RACF locked down tight, don't you?
_________________
Honesty is the best policy.
Insanity is the best defence.

bruce2359
Posted: Tue Feb 09, 2010 11:20 am

Two event queues should be of interest to you:
SYSTEM.ADMIN.CONFIG.EVENT, if enabled, contains event messages about object attribute changes.
SYSTEM.ADMIN.COMMAND.EVENT, if enabled, contains event messages about commands issued to the qmgr.

Take a look at the WMQ System Setup and WMQ System Administration Guide manuals - not sure which.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

Vitor
Posted: Tue Feb 09, 2010 11:59 am

bruce2359 wrote:
Two event queues should be of interest to you:
SYSTEM.ADMIN.CONFIG.EVENT, if enabled, contains event messages about object attribute changes.
SYSTEM.ADMIN.COMMAND.EVENT, if enabled, contains event messages about commands issued to the qmgr.


This is indeed one of the methods I allude to above. Regrettably both of these are disabled by default.
_________________
Honesty is the best policy.
Insanity is the best defence.

bruce2359
Posted: Tue Feb 09, 2010 1:25 pm

Quote:
...both of these are disabled by default.

Seems to make sense that these are disabled until action is taken to do something with the event messages that will collect there.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

Vitor
Posted: Tue Feb 09, 2010 1:32 pm

bruce2359 wrote:
Quote:
...both of these are disabled by default.

Seems to make sense that these are disabled until action is taken to do something with the event messages that will collect there.


Quite so, but this fact does make it hard for the OP to investigate a change which has apparently already happened.
_________________
Honesty is the best policy.
Insanity is the best defence.

bruce2359
Posted: Tue Feb 09, 2010 1:53 pm

The same can also be said of SMF records - non-enabled by default. The sysprog needs to enable SMF to capture statistical and accounting information for the qmgr.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

Vitor
Posted: Tue Feb 09, 2010 2:24 pm

bruce2359 wrote:
The same can also be said of SMF records - non-enabled by default. The sysprog needs to enable SMF to capture statistical and accounting information for the qmgr.


Hence my original comment "SMF records or similar".
_________________
Honesty is the best policy.
Insanity is the best defence.

bcostacurta
Posted: Thu Feb 11, 2010 12:32 am

We were able to find who modified the objects in a very basic way:
our MQ tools connected via a dedicated svrconn channel, so looking at the chin log file we saw the user connected at the time of the object modifications (the alteration time is indicated on the MQ object).

About RACF, a conclusion of this experience is that we need to enforce RACF and security setup per user.
Also, logging of MQSeries object creation, alteration, etc. is certainly something to consider and (regarding feasibility) to put in place.

Bye,
Bruno
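
The correlation described in the post above, sketched as an added example (not part of the original post, and not MQ tooling): it takes an object's ALTDATE/ALTTIME and a list of SVRCONN sessions and returns the users connected at that moment. The session records, user IDs and channel names are constructed, and it assumes connect and disconnect times have already been extracted from the channel initiator log.

```python
from datetime import datetime, timedelta

# Timestamp layout matching how MQ displays ALTDATE (yyyy-mm-dd) and ALTTIME (hh.mm.ss).
FMT = "%Y-%m-%d %H.%M.%S"

# Constructed sample data (hypothetical users and channels): one tuple per
# SVRCONN session as (user, channel, connected, disconnected).
# disconnected=None means the session was still open when the log was read.
SESSIONS = [
    ("OPSUSR1", "ADMIN.SVRCONN", "2010-02-08 09.02.11", "2010-02-08 09.40.03"),
    ("OPSUSR2", "ADMIN.SVRCONN", "2010-02-08 14.10.45", "2010-02-08 14.31.20"),
    ("OPSUSR3", "ADMIN.SVRCONN", "2010-02-08 14.29.58", None),
    ("APPUSR1", "APP.SVRCONN", "2010-02-08 14.00.00", "2010-02-08 15.00.00"),
]


def parse(ts):
    """Parse a timestamp string, passing None through for open sessions."""
    return datetime.strptime(ts, FMT) if ts else None


def candidates(sessions, altdate, alttime, channel, skew_seconds=60):
    """Return the users on `channel` whose session covers the alteration time.

    skew_seconds widens each session at both ends to tolerate clock and
    log-timestamp differences between the object attribute and the log.
    """
    altered = parse(f"{altdate} {alttime}")
    skew = timedelta(seconds=skew_seconds)
    hits = set()
    for user, chl, start, end in sessions:
        if chl != channel:
            continue  # only the dedicated administration channel is of interest
        start_t, end_t = parse(start), parse(end)
        started_before = start_t - skew <= altered
        ended_after = end_t is None or altered <= end_t + skew
        if started_before and ended_after:
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    # ALTDATE/ALTTIME as read from the altered remote queue (constructed values).
    print(candidates(SESSIONS, "2010-02-08", "14.30.15", "ADMIN.SVRCONN"))
```

When more than one user is returned, the connection log alone cannot attribute the change; it only narrows the list of people to ask.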

bruce2359
Posted: Thu Feb 11, 2010 7:32 am

Quote:
...we saw the user connected at the time of objects modifications

An end-user did this? Or a systems programmer/sysadmin?

In any case, security on administrative tasks and tools, and on svrconn channels is a must.

Quote:
we need to enforce RACF and security setup per user.

The usual way to look at things that need security is to deny access to everything - UACC(NONE), then grant appropriate access to the group of users that needs that level of access - NOT per user.

Setting up security for WMQ on z/OS is in the WMQ for z/OS System Setup manual.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.