saneben |
Posted: Wed Aug 17, 2005 6:51 am Post subject: Monitoring runmqsc commands |
|
|
Voyager
Joined: 04 Apr 2004 Posts: 96
|
Hi,
We have installed MQ V5.3 on AIX. The issue is that there is a user ID with the MQM group at the Unix level, and the users can use the user ID and access runmqsc commands.
Is there any log by which the runmqsc command can be monitored or checked later? For example, if a queue property is altered I need to know what property was changed.
I cannot change the password of the user ID as it will affect the application. This will be fixed later.
Any suggestions to download an MQ utility to monitor the MQ commands are also welcome.
Regards
Sanjiv |
|
jefflowrey |
Posted: Wed Aug 17, 2005 7:01 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
There is no auditing built into runmqsc.
There is no auditing of the sort you're looking for, as far as I know, built into MQ.
You can script a set of runmqsc commands to display things, and schedule that to run on a schedule, and use the output to monitor the changes.
You should remove the user from the mqm group, and only grant it the specific privileges it needs - unless the user is 'mqm'. Then you are in trouble until you can change the password. _________________ I am *not* the model of the modern major general. |
|
csmith28 |
Posted: Wed Aug 17, 2005 7:03 am Post subject: |
|
|
 Grand Master
Joined: 15 Jul 2003 Posts: 1196 Location: Arizona
|
No log as such. Though I haven't done it, you may want to have a look at setting up your SYSTEM.ADMIN.QMGR.EVENT queue.
Jeff beat me to the suggestion of removing the offending user from the mqm group. _________________ Yes, I am an agent of Satan but my duties are largely ceremonial. |
|
dgolding |
Posted: Wed Aug 17, 2005 7:10 am Post subject: |
|
|
 Yatiri
Joined: 16 May 2001 Posts: 668 Location: Switzerland
|
|
Anirud |
Posted: Wed Aug 17, 2005 12:09 pm Post subject: |
|
|
 Master
Joined: 12 Feb 2004 Posts: 285 Location: Vermont
|
MS0E support pack, as dgolding has specified, is the best fit for your requirement. It gives you an audit trail of the commands used under runmqsc. |
|
jefflowrey |
Posted: Wed Aug 17, 2005 12:54 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Assuming you can prevent people from using runmqsc. _________________ I am *not* the model of the modern major general. |
|
dgolding |
Posted: Wed Aug 17, 2005 10:56 pm Post subject: |
|
|
 Yatiri
Joined: 16 May 2001 Posts: 668 Location: Switzerland
|
Well, they should be taken out of the mqm group and added to another, like mqmdev. If you can't get them out of the group then there is nothing you can do to prevent them doing anything.
I was at one site where it was impossible to use the mqm user - it was disabled, no logins, no setuser to it. Everything had to be done by proxy users. |
|
malammik |
Posted: Thu Aug 18, 2005 5:27 am Post subject: |
|
|
 Partisan
Joined: 27 Jan 2005 Posts: 397 Location: Philadelphia, PA
|
|
dgolding |
Posted: Thu Aug 18, 2005 5:35 am Post subject: |
|
|
 Yatiri
Joined: 16 May 2001 Posts: 668 Location: Switzerland
|
But that means you allow users unlimited access to runmqsc commands - because they are user or group mqm.
Also, sudo will only tell you a command (say runmqsc) has been run - not what was run with the command.
If you want to both limit what a user can do, and record what he did anyway, runmqadm is your man. |
|
Michael Dag |
Posted: Thu Aug 18, 2005 8:15 am Post subject: |
|
|
 Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
|
If you don't use MS0E and don't want to re-invent the wheel...
you can schedule (using your own scheduler) MQDocument to take periodic snapshots of your Qmgr and security settings and show you what changed...
I have to say if between snapshots a parameter is changed and then returned to the original value, the snapshot cannot detect that change... _________________ Michael
MQSystems Facebook page |
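
The snapshot approach jefflowrey suggests earlier in the thread, together with the limitation Michael Dag points out, shown as an added example that is not code from any poster or from MQDocument. The function names and the sample output are constructed for illustration; in real use the snapshot files would hold the saved output of something like `echo "DISPLAY QLOCAL(*) ALL" | runmqsc QMGR` run from a scheduler.

```shell
#!/bin/sh
# Flatten runmqsc DISPLAY output (stdin) to sorted "QUEUE(name) ATTR(value)" lines.
# Assumption: attribute values contain no ")" character.
normalize_snapshot() {
    awk '
        function emit(   i) {
            if (name != "") for (i = 1; i <= n; i++) print name, attr[i]
            name = ""; n = 0
        }
        /^AMQ8409/ { emit(); next }      # each queue block starts with this message
        {
            while (match($0, /[A-Z0-9]+\([^)]*\)/)) {
                a = substr($0, RSTART, RLENGTH)
                $0 = substr($0, RSTART + RLENGTH)
                # Runtime counters change constantly and are not configuration.
                if (a ~ /^QUEUE\(/) name = a
                else if (a !~ /^(CURDEPTH|IPPROCS|OPPROCS)\(/) attr[++n] = a
            }
        }
        END { emit() }
    ' | LC_ALL=C sort
}

# Print "-" for attributes only in the old snapshot, "+" for those only in the new.
compare_snapshots() {
    old=$(mktemp)
    normalize_snapshot < "$1" > "$old"
    normalize_snapshot < "$2" | diff "$old" - | sed -n 's/^< /- /p; s/^> /+ /p'
    rm -f "$old"
}

# Constructed sample in a two-column runmqsc-style layout (not real output).
sample_snapshot() {   # $1 = MAXDEPTH of APP.ORDERS, $2 = its CURDEPTH
    cat <<EOF
     1 : DISPLAY QLOCAL(*) ALL
AMQ8409: Display Queue details.
   DESCR(Order intake)                     QUEUE(APP.ORDERS)
   MAXDEPTH($1)                            CURDEPTH($2)
AMQ8409: Display Queue details.
   QUEUE(APP.AUDIT)                        MAXDEPTH(5000)
   CURDEPTH(0)                             PUT(ENABLED)
EOF
}

DIR=$(mktemp -d)
sample_snapshot 5000 12 > "$DIR/mon.txt"
sample_snapshot 100  40 > "$DIR/tue.txt"    # MAXDEPTH was altered
sample_snapshot 5000 3  > "$DIR/wed.txt"    # ...and altered back
compare_snapshots "$DIR/mon.txt" "$DIR/tue.txt"   # reports the MAXDEPTH change
compare_snapshots "$DIR/mon.txt" "$DIR/wed.txt"   # prints nothing: change and revert are invisible
```

Comparing Monday with Wednesday shows no difference even though the queue was altered in between, so snapshots record what changed between runs but not who changed it or what happened between them.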
|
sysera |
Posted: Mon Sep 12, 2005 10:48 am Post subject: |
|
|
Acolyte
Joined: 20 May 2005 Posts: 53
|
Just for kicks, I wrote this for those of us with a use for it. Replace your real runmqsc with it, in your users' path that is. Just like the real thing, except... it logs.
#!/bin/bash
# This script pretends to be the runmqsc command.
# Set your log variables
WHO=$(whoami)
WHERE=$(hostname)
# Print the splash message, alter to taste
echo "5724-B41 (C) Copyright IBM Corp. 1994, 2002. ALL RIGHTS RESERVED."
echo "Starting MQSC for queue manager $1"
echo ""
# Watch for the user to enter "end"; also stop at end of input instead of looping forever
while [ "$COMMAND" != "end" ] && read -r COMMAND; do
    # If input empty, mimic the : runmqsc returns
    if [ "$COMMAND" = "" ]; then
        echo ""
        echo " :"
    else
        echo ""
        # Timestamp each command when it is entered, not when the session started
        WHEN=$(date "+%Y-%h-%d@%H:%M:%S")
        # Take each command and output it to a log file
        echo "Who: $WHO - When: $WHEN - Where: $WHERE What: $COMMAND" >> /tmp/yourlogfile
        # Actually run the command in the real runmqsc
        # You may want to use the exact path, for example "/usr/sbin/runmqsc" and remove the real runmqsc from the users' path
        # And then replace it with this dummy runmqsc.
        # Quoted so that characters such as * in the command are not expanded by the shell
        printf '%s\n' "$COMMAND" | runmqsc "$1"
    fi
done
|