mqjeff
Posted: Fri Mar 18, 2016 5:45 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447

Well, then I remember wrong.
_________________
chmod -R ugo-wx /

umatharani
Posted: Fri Mar 18, 2016 7:04 am
Apprentice
Joined: 23 Oct 2008 Posts: 39

ghoshly
Posted: Sun May 22, 2016 7:18 pm
Partisan
Joined: 10 Jan 2008 Posts: 333

I am currently on MQ 7.5 and WMB 8.
I see a similar issue for FDC files, core dumps, traces etc., which are written by the mqm user without respecting its UMASK value. That results in not even read permission on those files for "Others" / World.
I believe this validate flag would be applicable to MQ 7.5. I would try this one.

Dread86
Posted: Tue Aug 09, 2016 8:52 pm
Novice
Joined: 15 Mar 2016 Posts: 15

Hi All,
-rw-rw---- 1 mqm mqm 2097833 Jun 5 05:52 AMQERR03.LOG
-rw-rw---- 1 mqm mqm 2097745 Jun 5 05:53 AMQERR02.LOG
-rw-rw---- 1 mqm mqm 1922389 Aug 10 04:08 AMQERR01.LOG
As I have mentioned in the previous posts, my monitoring tool needs to read these queue manager logs. Say my monitoring tool runs as user "ABC"; as ABC falls into "other", it won't have access to read the above queue manager logs. I can give read permission to the ABC user, but whenever the queue manager updates the logs the permission is gone.
So I decided to add the "ABC" user to the mqm group so that ABC can directly read the log files. I wanted to know whether adding the "ABC" user as an admin is the correct option. By doing so the ABC user has runmqsc access as mqm has and can do whatever it wants. Is there any option to limit the runmqsc access for only the ABC user present in mqm?

Vitor
Posted: Wed Aug 10, 2016 4:48 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

Dread86 wrote:
> I wanted to know whether adding the "ABC" user as an admin is the correct option.
No.

Dread86 wrote:
> By doing so the ABC user has runmqsc access as mqm has and can do whatever it wants.
Yes it can. That's why it's not the right option.

Dread86 wrote:
> Is there any option to limit the runmqsc access for only the ABC user present in mqm?
No. All members of the mqm group have mqm authority. That's how the product works.
_________________
Honesty is the best policy.
Insanity is the best defence.

Dread86
Posted: Wed Aug 10, 2016 4:52 am
Novice
Joined: 15 Mar 2016 Posts: 15

Hmm.. Any other best solutions for allowing the ABC user to read the queue manager logs?

mqjeff
Posted: Wed Aug 10, 2016 4:54 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447

ln -s ?
I think sudo can be configured to only allow specific commands?
_________________
chmod -R ugo-wx /
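What mqjeff's sudo suggestion looks like when it is done with least privilege, as an added example that is not code from the thread or from IBM. It assumes the default Unix MQ data directory /var/mqm, a monitoring user named ABC, and that the wrapper is installed root-owned at the hypothetical path /usr/local/sbin/mqerrlog-read. A symlink alone does not help, because the permission check is made on the target file; the sudo route works because the wrapper runs as mqm while ABC stays out of the mqm group. The wrapper takes only a queue manager name, validates it, and reads a fixed list of files, so the sudoers entry can name one command with no wildcards.

```shell
#!/bin/sh
# mqerrlog-read: read-only access to one queue manager's AMQERR*.LOG files,
# meant to be the single command the monitoring user may run via sudo as mqm.
# Added example, not from the thread or from IBM. Assumptions: MQ data
# directory /var/mqm (Unix default); monitoring user ABC; this script
# installed root-owned, mode 0755, at the hypothetical path
# /usr/local/sbin/mqerrlog-read (it must not be writable by ABC).
set -eu

# Overridable only for testing. sudo's default env_reset strips the caller's
# environment, so ABC cannot redirect the script; do not add this to env_keep.
MQ_DATA_DIR="${MQ_DATA_DIR:-/var/mqm}"

# The queue manager name is the only caller-controlled input. Accept just the
# MQ object-name characters we are willing to map to a directory (letters,
# digits, '.', '_'); this rejects '/', spaces and empty names, so the caller
# cannot steer the script outside qmgrs/<name>/errors.
valid_qmgr_name() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9._]*) return 1 ;;
    esac
    return 0
}

# IBM MQ stores queue manager QM.A under qmgrs/QM!A ('.' becomes '!').
qmgr_errors_dir() {
    printf '%s/qmgrs/%s/errors\n' "$MQ_DATA_DIR" "$(printf '%s' "$1" | tr '.' '!')"
}

# Print the rotating error logs oldest-first (AMQERR03 -> AMQERR01). The file
# list is fixed; no path or option from the caller is ever used.
read_qm_errlog() {
    valid_qmgr_name "$1" || { echo "mqerrlog-read: invalid queue manager name" >&2; return 2; }
    dir="$(qmgr_errors_dir "$1")"
    [ -d "$dir" ] || { echo "mqerrlog-read: no such queue manager: $1" >&2; return 2; }
    for f in AMQERR03.LOG AMQERR02.LOG AMQERR01.LOG; do
        [ -f "$dir/$f" ] && cat "$dir/$f"
    done
    return 0
}

# Matching sudoers fragment (install with visudo -f /etc/sudoers.d/mqerrlog,
# check with visudo -cf). One fixed command, no wildcards: sudoers wildcards
# match across spaces, so a pattern like 'cat /var/mqm/*/AMQERR*' would also
# admit 'cat <log> /etc/shadow'. Because no argument list is given, sudo
# permits any arguments; that is why this script validates its one argument.
sudoers_fragment() {
    cat <<'EOF'
ABC ALL=(mqm) NOPASSWD: /usr/local/sbin/mqerrlog-read
EOF
}

# Dispatch only when installed under the expected name, so the file can also
# be sourced (or run under another name) just to define the functions.
case "${0##*/}" in
    mqerrlog-read) read_qm_errlog "${1:-}" ;;
esac
```

The monitoring tool then runs `sudo -u mqm /usr/local/sbin/mqerrlog-read QM1` and parses the output; ABC never gains mqm group membership, so runmqsc stays out of reach. Keep the wrapper root-owned and non-writable by ABC, since anything ABC can edit there runs as mqm.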
 |
Dread86
Posted: Wed Aug 10, 2016 5:02 am
Novice
Joined: 15 Mar 2016 Posts: 15

I tried it earlier but it didn't work. Let me give it a try again.

Vitor
Posted: Wed Aug 10, 2016 5:24 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

Dread86 wrote:
> Hmm.. Any other best solutions for allowing the ABC user to read the queue manager logs?
You could use splunk (or similar) to copy the logs to a different location with appropriate security.
_________________
Honesty is the best policy.
Insanity is the best defence.

Dread86
Posted: Wed Aug 10, 2016 5:30 am
Novice
Joined: 15 Mar 2016 Posts: 15

Splunk would also have to access the error log location as a non-mqm user, right? Which is again the same problem. How is this possible?

Vitor
Posted: Wed Aug 10, 2016 5:57 am
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

Dread86 wrote:
> Splunk would also have to access the error log location as a non-mqm user, right? Which is again the same problem. How is this possible?
UMASK or Splunk option to give the copies the correct permissions for your ABC user.
_________________
Honesty is the best policy.
Insanity is the best defence.

smdavies99
Posted: Wed Aug 10, 2016 8:29 am
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.

At one site where I worked, we were not allowed (so-called security experts) to give anyone, including the MQ Admins, unticketed access to the MQ logs. They said we could read the data in the messages on the queues at the same time....
After a while the Unix Admins got fed up with our constant requests and set up a cron job to copy them to a location we could read. It ran every 5 minutes.
The Security people went ballistic until they were shown the logs and asked 'where is the customer sensitive data in them?'
Naturally, they could not point to it, so they let us carry on reading the copied logs.
We still had to raise a ticket to do anything related to the information in the logs, but the number of support tickets dropped by around 90%.
I wish there was a documented (and therefore supported) way of getting read-only access to the logs for non-mqm-group users provided by IBM. Support in the real world would be an awful lot easier.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

mqjeff
Posted: Wed Aug 10, 2016 8:36 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447

You could probably set up a logstash monitor (or any of a large number of other "read/parse/send" solutions) to run as the mqm user and place the error data somewhere else.
_________________
chmod -R ugo-wx /

Dread86
Posted: Wed Aug 10, 2016 6:52 pm
Novice
Joined: 15 Mar 2016 Posts: 15

smdavies99 wrote:
> At one site where I worked, we were not allowed (so-called security experts) to give anyone, including the MQ Admins, unticketed access to the MQ logs. They said we could read the data in the messages on the queues at the same time....
> After a while the Unix Admins got fed up with our constant requests and set up a cron job to copy them to a location we could read. It ran every 5 minutes.
> The Security people went ballistic until they were shown the logs and asked 'where is the customer sensitive data in them?'
> Naturally, they could not point to it, so they let us carry on reading the copied logs.
> We still had to raise a ticket to do anything related to the information in the logs, but the number of support tickets dropped by around 90%.
> I wish there was a documented (and therefore supported) way of getting read-only access to the logs for non-mqm-group users provided by IBM. Support in the real world would be an awful lot easier.
I reached out to IBM regarding this non-mqm access. They too don't have any solution to this; instead they recommend running cron jobs to change the file permissions regularly.

mqjeff
Posted: Thu Aug 11, 2016 3:37 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447

Or you could create an MQ service that ran something that read the logs and copied/stored them somewhere else...
Then this would run under mqm and have access.
There are a ton of solutions like the ELK stack https://www.elastic.co/ But logstash->elasticsearch->kibana is not a bad one.
_________________
chmod -R ugo-wx /
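The copy-as-mqm approach, which smdavies99 describes being run from cron and mqjeff suggests running as an MQ SERVICE object, written out as an added example (not code from the thread, and not something IBM supplies). It assumes the default /var/mqm data directory, a hypothetical export directory /var/log/mq-export created once as root and owned mqm:mqmon with mode 2750, a hypothetical group mqmon that the monitoring user ABC belongs to, and the script installed at /usr/local/sbin/mq-errlog-copy. The script sets the mode of every copy explicitly on every pass, so it does not matter that, as the thread observes, the queue manager writes its own AMQERR files as 0660 regardless of umask; the setgid bit on the export directory gives the copies the mqmon group without any chgrp. It also prints the MQSC for a SERVER-type service that the queue manager starts and stops with itself.

```shell
#!/bin/sh
# mq-errlog-copy: republish one queue manager's AMQERR*.LOG files to a
# directory the monitoring account can read, running as mqm.
# Added example, not from the thread or from IBM. Assumptions: MQ data
# directory /var/mqm (Unix default); a hypothetical export directory
# /var/log/mq-export created once as root with
#   install -d -o mqm -g mqmon -m 2750 /var/log/mq-export
# where mqmon is a hypothetical group containing the monitoring user ABC;
# this script installed at /usr/local/sbin/mq-errlog-copy.
set -eu
umask 027   # nothing this script creates is ever world-accessible

MQ_DATA_DIR="${MQ_DATA_DIR:-/var/mqm}"
EXPORT_DIR="${EXPORT_DIR:-/var/log/mq-export}"
INTERVAL="${INTERVAL:-60}"   # seconds between copy passes when run as a service

# Copy AMQERR01..03.LOG for one queue manager. Modes are set explicitly on
# every pass, so the 0660 the queue manager writes its own logs with is
# irrelevant to the copies. The per-queue-manager subdirectory is created
# under umask 027 and inherits group and setgid from EXPORT_DIR, so the
# copies end up group mqmon, mode 0640, with no chgrp needed.
copy_qm_errlogs() {
    name="$1"
    # IBM MQ maps '.' in a queue manager name to '!' in its directory name.
    src="$MQ_DATA_DIR/qmgrs/$(printf '%s' "$name" | tr '.' '!')/errors"
    dst="$EXPORT_DIR/$name"
    [ -d "$src" ] || { echo "mq-errlog-copy: no errors directory for $name ($src)" >&2; return 2; }
    mkdir -p "$dst"
    for f in AMQERR01.LOG AMQERR02.LOG AMQERR03.LOG; do
        [ -f "$src/$f" ] || continue
        cp "$src/$f" "$dst/.$f.tmp"
        chmod 0640 "$dst/.$f.tmp"
        mv "$dst/.$f.tmp" "$dst/$f"   # atomic replace: readers never see a half-written copy
    done
}

# MQSC to run this script as a queue-manager-controlled service (apply with
# runmqsc as mqm). +QMNAME+ and +MQ_SERVER_PID+ are MQ's own inserts.
service_mqsc() {
    cat <<'EOF'
DEFINE SERVICE(ERRLOGCOPY) +
  SERVTYPE(SERVER) +
  CONTROL(QMGR) +
  STARTCMD('/usr/local/sbin/mq-errlog-copy') +
  STARTARG('+QMNAME+') +
  STOPCMD('/bin/kill') +
  STOPARG('+MQ_SERVER_PID+') +
  STDOUT('/var/log/mq-export/+QMNAME+.errlogcopy.out') +
  STDERR('/var/log/mq-export/+QMNAME+.errlogcopy.err') +
  DESCR('Republish AMQERR logs for monitoring') +
  REPLACE
EOF
}

# Service entry point: loop until the queue manager stops the service.
main() {
    while :; do
        copy_qm_errlogs "$1" || echo "mq-errlog-copy: pass failed for $1" >&2
        sleep "$INTERVAL"
    done
}

# Dispatch only when installed under the expected name, so the file can also
# be sourced (or run under another name) just to define the functions.
case "${0##*/}" in
    mq-errlog-copy) main "${1:?queue manager name required}" ;;
esac
```

Apply the definition with `mq-errlog-copy` sourced or by `service_mqsc | runmqsc QM1` as mqm, then `START SERVICE(ERRLOGCOPY)`; with CONTROL(QMGR) it starts and stops with the queue manager from then on. The same `copy_qm_errlogs` call works from an mqm crontab if a service is not wanted. ABC reads /var/log/mq-export/QM1/AMQERR01.LOG through group mqmon and never touches /var/mqm, so the mqm-group question does not arise.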