vsathyan |
Posted: Thu Mar 10, 2016 4:01 am Post subject: Capturing configuration event user id |
Centurion
Joined: 10 Mar 2014 Posts: 121
Is there a way we can get the user id of the person who executed MQSC commands in an mqm account (sudoed)?
In Linux, let us say I log in with my user account and then sudo to mqm, do a runmqsc and define, alter or delete an object.
I have configuration events enabled, and I see that the event messages are being sent to the SYSTEM.ADMIN.CONFIG.EVENT queue. However, it shows the user id as mqm (as the runmqsc session was running as the user 'mqm') and not the original id of the person who made this change.
It is difficult to trace who made the changes to MQ in this case. Is there a known method or tool to capture this?
Thanks in advance,
vsathyan _________________ Custom WebSphere MQ Tools Development C# & Java
WebSphere MQ Solution Architect Since 2011
WebSphere MQ Admin Since 2004 |
Vitor |
Posted: Thu Mar 10, 2016 5:12 am Post subject: Re: Capturing configuration event user id |
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
vsathyan wrote: |
Is there a way we can get the user id of a person who executed mqsc commands in a mqm account (sudoed). |
The sudo log. _________________ Honesty is the best policy.
Insanity is the best defence. |
smdavies99 |
Posted: Thu Mar 10, 2016 5:42 am Post subject: |
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
You could decide to not allow any changes to your queue managers unless they are done via a script. The changes can then be put into source control so that when things go wrong (as they surely will) you have a record of what was done and when.
The script could also include a before and after run of 'dmpmqcfg'.
IMHO, just letting people loose with runmqsc, even via sudo, is asking for trouble in the long run.
Obviously there have to be exceptions, such as granting extra MAXDEPTH to a queue when things go wrong.
I've seen a problem where root access was approved and granted on a Solaris system to update some kernel params and then update MQ. The job also included the need to delete a directory tree. Sadly the person doing it forgot to check their current directory and did an 'rm -fr .' from /.
Humans will make mistakes. It is up to the responsible admins to put procedures and practices in place to make the possibility of errors as low as possible.
could end up as leading to  _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
mqjeff |
Posted: Thu Mar 10, 2016 5:47 am Post subject: |
Grand Master
Joined: 25 Jun 2008 Posts: 17447
smdavies99 wrote: |
Sadly the person doing it forgot to check their current directory and did an 'rm -fr .' from / |
It's a shame you missed my story about
at MQTC 2015. _________________ chmod -R ugo-wx / |
tczielke |
Posted: Thu Mar 10, 2016 6:09 am Post subject: |
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
For scripts that we have where the user has done a sudo to the mqm id, we track the user with the following command:
# login name that utmp holds for this terminal; sudo/su to mqm do not change it
CURRENT_USER=$(who -m 2>/dev/null | awk '{print $1}')
I did also raise an RFE for IBM to include the terminal for the user ("to include the terminal for the user" should be reworded to "include the user id tied to the terminal") in the configuration events, so there would be a way to see the user who did the sudo to mqm -> http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=77154
Unfortunately, it was rejected. _________________ Working with MQ since 2010.
Last edited by tczielke on Thu Mar 10, 2016 7:37 am; edited 1 time in total |
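As an added example (not code from the thread, from IBM or from any poster), here is a small sh wrapper that combines tczielke's 'who -m' trick with smdavies99's suggestion that changes only go through a script with a dmpmqcfg run before and after. The variables MQSC_CMD, DMPMQCFG_CMD and AUDIT_LOG, the /var/mqm/audit path and the sample DEFINE command are assumptions for illustration:

```shell
#!/bin/sh
# Added example (not from the thread): an audited wrapper around runmqsc, meant
# to be sourced inside the sudoed mqm session. It records who really issued each
# MQSC command (tczielke's who -m trick) and keeps a dmpmqcfg before/after diff
# (smdavies99's suggestion).
# Assumptions: MQSC_CMD, DMPMQCFG_CMD and AUDIT_LOG are hypothetical overrides
# (defaults: runmqsc, dmpmqcfg, /var/mqm/audit/mqsc-audit.log) so the wrapper
# can be exercised on a box without MQ; the audit directory must be writable by
# mqm and, ideally, append-only so the sudoed user cannot rewrite history.

MQSC_CMD="${MQSC_CMD:-runmqsc}"
DMPMQCFG_CMD="${DMPMQCFG_CMD:-dmpmqcfg}"
AUDIT_LOG="${AUDIT_LOG:-/var/mqm/audit/mqsc-audit.log}"

# Best-effort identity of the person behind the mqm shell, tried in order:
#  1. SUDO_USER  - exported by sudo; survives 'sudo -iu mqm', but a login shell
#                  such as 'sudo su - mqm' clears the environment and loses it
#  2. who -m     - the login name utmp holds for this terminal, which sudo and
#                  su do not change (tczielke's command)
#  3. id -un     - the effective user, i.e. "mqm", which is all that the MQ
#                  configuration event will ever show
origin_user() {
    if [ -n "${SUDO_USER:-}" ]; then
        printf '%s\n' "$SUDO_USER"
        return 0
    fi
    tty_user=$(who -m 2>/dev/null | awk '{print $1}')
    if [ -n "$tty_user" ]; then
        printf '%s\n' "$tty_user"
        return 0
    fi
    id -un
}

# One tab-separated audit record per MQSC command. Written BEFORE the command
# runs so that a failed or killed runmqsc still leaves a trace.
audit_record() {
    printf '%s\torigin=%s\teffective=%s\tqmgr=%s\tcmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(origin_user)" "$(id -un)" "$1" "$2"
}

# run_audited_mqsc QMGR 'MQSC COMMAND'
# Logs who really issued the command, feeds it to runmqsc and, when dmpmqcfg
# is available, appends a unified diff of the queue manager definitions taken
# before and after the change (empty when nothing changed).
run_audited_mqsc() {
    qmgr=$1
    cmd=$2
    before=''
    mkdir -p "$(dirname "$AUDIT_LOG")"
    audit_record "$qmgr" "$cmd" >> "$AUDIT_LOG"
    if command -v "$DMPMQCFG_CMD" >/dev/null 2>&1; then
        before=$(mktemp)
        "$DMPMQCFG_CMD" -m "$qmgr" -a > "$before" 2>/dev/null
    fi
    printf '%s\n' "$cmd" | "$MQSC_CMD" "$qmgr"
    rc=$?
    if [ -n "$before" ]; then
        after=$(mktemp)
        "$DMPMQCFG_CMD" -m "$qmgr" -a > "$after" 2>/dev/null
        diff -u "$before" "$after" >> "$AUDIT_LOG" || true
        rm -f "$before" "$after"
    fi
    return "$rc"
}

# Example use from the mqm shell (hypothetical file name):
#   . ./mqsc-audit.sh
#   run_audited_mqsc QM1 'DEFINE QLOCAL(APP.IN) MAXDEPTH(50000)'
```

Two caveats a practitioner should keep in mind. The recorded origin is only an aid, not a control: anyone already in the mqm shell can unset SUDO_USER or run runmqsc directly, so the wrapper is worth most when sudoers grants the individual users this script (with specific arguments) rather than a shell as mqm, which is the "changes only via a script" policy smdavies99 describes. And the authoritative record of who became mqm is still the sudo log, which the wrapper's audit file merely makes easier to match against.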
fjb_saper |
Posted: Thu Mar 10, 2016 7:31 am Post subject: |
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Thought you had the pid of the process... can't you trace that one back?  _________________ MQ & Broker admin |
tczielke |
Posted: Thu Mar 10, 2016 7:35 am Post subject: |
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
fjb_saper wrote: |
Thought you had the pid of the process... can't you trace that one back?  |
I didn't quite follow that. If that was a comment for my post, can you elaborate more on what you are asking? _________________ Working with MQ since 2010. |
fjb_saper |
Posted: Thu Mar 10, 2016 2:16 pm Post subject: |
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
tczielke wrote: |
I didn't quite follow that. If that was a comment for my post, can you elaborate more on what you are asking?
I did also raise an RFE for IBM to include the terminal for the user ("to include the terminal for the user" should be reworded to "include the user id tied to the terminal") in the configuration events, so there would be a way to see the user who did the sudo to mqm -> http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=77154
|
I was looking for a process id to be passed to the event message.
Looks like the only thing being passed, besides the userid, is a security id.
Don't know where that one comes from... or if you could use it for auditing purposes...
 _________________ MQ & Broker admin |
|
Back to top |
|
 |
smdavies99 |
Posted: Thu Mar 10, 2016 11:22 pm Post subject: |
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
fjb_saper wrote: |
I was looking for a process id to be passed to the event message.
|
Ah yes. But...
If you are running on Unix/Linux, the PID is, in the words of a Pink Floyd song, 'here today, gone tomorrow'. Do just about anything and a new process is created. Not the easiest thing to track back with. _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
tczielke |
Posted: Fri Mar 11, 2016 6:52 am Post subject: |
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
I think the most practical option here is using the sudo log to see who logged in under the mqm id. Of course, if multiple people did a sudo to mqm, how do you know which one did the configuration change under mqm? Also, sudo logs can be root-protected, even for read access. Not sure if your Linux administrator is keen on opening up read access to someone other than root. _________________ Working with MQ since 2010.
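As an added example (not from the thread), the correlation Vitor's "sudo log" answer implies, done with awk over sudo's syslog records: given the time MQ stamped on a configuration event it attributed to "mqm", list each terminal's most recent sudo-to-mqm record before that time. It also shows the ambiguity this post raises: when two people are sudoed to mqm at once, both terminals come back as candidates. The log lines are constructed for the demo, and the default sudo line layout and the host name mqhost are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): correlate a configuration event that MQ
# attributes to "mqm" with the sudo log, listing which real users had a sudo
# session to mqm open at that time.
# Assumptions: default sudo syslog line layout
#   "<Mon> <dd> <hh:mm:ss> <host> sudo: <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# with no year on the line, as in /var/log/auth.log or /var/log/secure, and the
# MQ event time converted to the same clock. The sample lines are constructed.

# Write a constructed sudo log to a temp file and print its path.
demo_sudo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar 10 05:12:01 mqhost sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=mqm ; COMMAND=/bin/su - mqm
Mar 10 05:15:44 mqhost sudo:      bob : TTY=pts/5 ; PWD=/home/bob ; USER=mqm ; COMMAND=/opt/mqm/bin/runmqsc QM1
Mar 10 05:16:02 mqhost sudo:    carol : TTY=pts/7 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/systemctl restart chronyd
Mar 10 05:18:30 mqhost sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=mqm ; COMMAND=/opt/mqm/bin/runmqsc QM1
Mar 10 05:31:10 mqhost sudo:     dave : TTY=pts/9 ; PWD=/home/dave ; USER=mqm ; COMMAND=/bin/su - mqm
EOF
    printf '%s\n' "$f"
}

# sudo_to_mqm_before LOGFILE 'Mon dd hh:mm:ss'
# For each terminal, print the latest sudo-to-mqm record at or before the given
# time as "user<TAB>tty<TAB>time<TAB>command". Every terminal listed is a
# candidate origin for an event MQ logged as "mqm" at that time.
sudo_to_mqm_before() {
    awk -v cutoff="$2" '
    # syslog time -> sortable MMDDhhmmss string (the line carries no year)
    function key(mo, day, hms,   t) {
        split(hms, t, ":")
        return sprintf("%02d%02d%02d%02d%02d", mon[mo], day, t[1], t[2], t[3])
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        split(cutoff, c, " ")
        cutkey = key(c[1], c[2], c[3])
    }
    / sudo: / {
        n = split($0, part, / ; /)          # part[1] ends "sudo: user : TTY=..."
        target = ""; cmd = ""
        for (i = 2; i <= n; i++) {
            if (part[i] ~ /^USER=/)    target = substr(part[i], 6)
            if (part[i] ~ /^COMMAND=/) cmd = substr(part[i], 9)
        }
        if (target != "mqm") next           # sudo to some other account
        k = key($1, $2, $3)
        if (k > cutkey) next                # after the event: cannot be the cause
        head = part[1]
        sub(/.*sudo: */, "", head)          # -> "alice : TTY=pts/3"
        split(head, h, / : /)
        who = h[1]; tty = h[2]; sub(/^TTY=/, "", tty)
        if (!(tty in seen) || k > seen[tty]) {
            seen[tty] = k
            rec[tty] = who "\t" tty "\t" $1 " " $2 " " $3 "\t" cmd
        }
    }
    END { for (tty in rec) print rec[tty] }' "$1" | sort
}

# Demo: a DEFINE/ALTER/DELETE event stamped 05:20:00 and attributed to "mqm".
# sudo_to_mqm_before "$(demo_sudo_log)" 'Mar 10 05:20:00'
# -> alice  pts/3  Mar 10 05:18:30  /opt/mqm/bin/runmqsc QM1
#    bob    pts/5  Mar 10 05:15:44  /opt/mqm/bin/runmqsc QM1
```

The result is a candidate list, not an answer: sudo logs the start of a session and nothing about when it ended, so alice and bob are both still plausible at 05:20, which is exactly the ambiguity described above. Narrowing it further needs per-session evidence such as the keystroke log Vitor mentions, or a wrapper that writes its own record, and it needs the MQ event time and the syslog clock to agree.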
Vitor |
Posted: Fri Mar 11, 2016 7:05 am Post subject: |
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
tczielke wrote: |
Of course if multiple people did a sudo to mqm, how do you know which one did the configuration change under mqm? |
It's possible (at least under AIX & Linux) to have a keystroke log for the sudo session. Not the most convenient way of tracking changes to be sure, but it does discriminate who did what. _________________ Honesty is the best policy.
Insanity is the best defence. |