happyj
Posted: Tue Dec 22, 2009 7:35 am Post subject: Audit of changes to mq objects
Voyager
Joined: 07 Feb 2005 Posts: 87

Hi

Is there a way on (non z/OS) platforms of getting an audit trail of configuration changes to queues / channels etc.? I know there is the ALTTIME and ALTDATE information, but a record of user 'xyz' changed MAXDEPTH from X to Y would be very useful.

I could schedule a saveqmgr at regular intervals and run a compare on the output, but this wouldn't record which user made the change, or if changes were made and then reversed.

Any ideas welcome.
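The "schedule a saveqmgr and compare" approach from the post above, as an added example (not code from the poster or from any MQ tool): it parses two snapshots written in the style of saveqmgr / MQSC output and reports each attribute that differs, object by object. The two dumps are constructed sample data, the object and channel names are made up, and the parser only understands the DEFINE-plus-continuation-line layout shown. It also makes the two limits the poster names visible: nothing in the input carries a user id, and a change that was made and reversed between the two snapshots produces no line at all.

```python
import re

# Two constructed snapshots in the style of saveqmgr / MQSC output (not real
# queue manager output). Continuation lines end with "+"; saveqmgr writes
# read-only attributes such as ALTDATE/ALTTIME as "*" comments.
DUMP_BEFORE = """\
DEFINE QLOCAL ('APP.REQUEST') +
* ALTDATE (2009-12-14) +
* ALTTIME (09.12.00) +
       DEFPSIST (NO) +
       MAXDEPTH (5000) +
       PUT (ENABLED) +
       REPLACE
DEFINE CHANNEL ('ADMIN.SVRCONN') CHLTYPE (SVRCONN) +
* ALTDATE (2009-11-30) +
* ALTTIME (14.02.10) +
       MCAUSER ('mqadmin1') +
       REPLACE
"""

DUMP_AFTER = """\
DEFINE QLOCAL ('APP.REQUEST') +
* ALTDATE (2009-12-22) +
* ALTTIME (07.35.00) +
       DEFPSIST (NO) +
       MAXDEPTH (10000) +
       PUT (ENABLED) +
       REPLACE
DEFINE CHANNEL ('ADMIN.SVRCONN') CHLTYPE (SVRCONN) +
* ALTDATE (2009-12-22) +
* ALTTIME (08.01.44) +
       MCAUSER ('mqm') +
       REPLACE
DEFINE QLOCAL ('APP.NEW') +
* ALTDATE (2009-12-22) +
* ALTTIME (08.05.00) +
       MAXDEPTH (5000) +
       REPLACE
"""

# These only say *when* an object was last altered, so they are not diffed
# as changes but are used to timestamp the report.
TIMESTAMP_ATTRS = {"ALTDATE", "ALTTIME"}

_DEFINE_RE = re.compile(r"DEFINE\s+([A-Z]+)\s*\('([^']*)'\)")
_ATTR_RE = re.compile(r"([A-Z]+)\s*\(([^)]*)\)")


def parse_dump(text):
    """Return {(object_type, name): {attribute: value}} from an MQSC-style dump."""
    objects, statement = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("*"):            # commented attribute: keep its value
            line = line[1:].strip()
        continued = line.endswith("+")
        statement.append(line[:-1].strip() if continued else line)
        if not continued:                    # statement complete
            joined = " ".join(statement)
            m = _DEFINE_RE.match(joined)
            if m:
                attrs = {name: value.strip().strip("'")
                         for name, value in _ATTR_RE.findall(joined[m.end():])}
                objects[(m.group(1), m.group(2))] = attrs
            statement = []
    return objects


def diff_dumps(before, after):
    """(object_type, name, attribute, old, new) for each difference. Created and
    deleted objects are reported with attribute '<created>' / '<deleted>'."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old is None or new is None:
            changes.append(key + ("<created>" if old is None else "<deleted>", None, None))
            continue
        for attr in sorted((set(old) | set(new)) - TIMESTAMP_ATTRS):
            if old.get(attr) != new.get(attr):
                changes.append(key + (attr, old.get(attr), new.get(attr)))
    return changes


def report(before_text, after_text):
    """Human-readable lines; note that no user id exists anywhere in the input."""
    before, after = parse_dump(before_text), parse_dump(after_text)
    lines = []
    for otype, name, attr, old, new in diff_dumps(before, after):
        stamps = after.get((otype, name)) or before.get((otype, name))
        when = f"{stamps.get('ALTDATE', '?')} {stamps.get('ALTTIME', '?')}"
        lines.append(f"{otype} {name}: {attr} {old} -> {new} (object last altered {when})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DUMP_BEFORE, DUMP_AFTER)))
```

Run against the two constructed dumps it reports the MAXDEPTH change, the new queue, and the admin channel's MCAUSER being switched to mqm, each stamped with the object's ALTDATE/ALTTIME; what it can never report is who did any of it.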
PeterPotkay
Posted: Tue Dec 22, 2009 7:51 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722

Configuration Events are now (MQ 7.0.1.0) available on non z/OS platforms.
_________________
Peter Potkay
Keep Calm and MQ On
zpat
Posted: Tue Dec 22, 2009 8:26 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK

This assumes that your changes are not all being made by the mqm userid for one reason or another!
happyj
Posted: Tue Dec 22, 2009 9:07 am Post subject:
Voyager
Joined: 07 Feb 2005 Posts: 87

Thanks Peter, that's very useful, and yes, point taken about the mqm user.
Michael Dag
Posted: Tue Dec 22, 2009 10:05 am Post subject:
Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)

zpat wrote:
> This assumes that your changes are not all being made by the mqm userid for one reason or another!

Can you elaborate a little? Do you mean all changes are made by the mqm user, or by users in the mqm group?

I am trying to get my head around this new functionality, as it is supposed to audit trail exactly the user who can turn these things off...
_________________
Michael
MQSystems Facebook page
zpat
Posted: Tue Dec 22, 2009 10:58 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK

Sometimes people set mqm as the mcauser on their admin channel - in which case everything will be done by that userid (mqm).

Not sure what happens with sudo to mqm - but if only mqm has the admin rights - that's what will get logged.

If you want accountability, do the mq admin under individual userids that have membership of the mqm group (and set mqm as the principal Unix group to avoid the setmqaut problem).
bruce2359
Posted: Tue Dec 22, 2009 11:26 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.

Moved to Security forum.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
bruce2359
Posted: Tue Dec 22, 2009 11:39 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.

Quote:
> Configuration Events are now (MQ 7.0.1.0) available on non z/OS platforms.

Oddly worded. Sounds like config events are not supported on z/OS.

Of course, config events have been supported for quite some time on WMQ for z/OS.

When enabled, the qmgr creates event messages about configuration changes, and puts them to the SYSTEM.ADMIN.CONFIG.EVENT queue.
PeterPotkay
Posted: Tue Dec 22, 2009 12:45 pm Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722

zpat wrote:
> This assumes that your changes are not all being made by the mqm userid for one reason or another!

Do changes made by the mqm ID not generate Config Events?
bruce2359
Posted: Tue Dec 22, 2009 12:57 pm Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.

Quote:
> Do changes made by the mqm ID not generate Config Events?

I've not had my hands on 7.0.1, but on z/OS all configuration changes cause config event messages.

Given its stated purpose, I'd suspect config changes by mqm cause config event messages, too.
exerk
Posted: Tue Dec 22, 2009 1:00 pm Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

PeterPotkay wrote:
> zpat wrote:
> > This assumes that your changes are not all being made by the mqm userid for one reason or another!
>
> Do changes made by the mqm ID not generate Config Events?

I think the issue here is that a lot of shops allow admins to su to the mqm user, which pretty much negates any usefulness in the monitoring of config events if all changes are by one user.

My current shop won't sanction any users su'ing to mqm directly from the admins' user as it is considered a security risk for us to know the mqm password - so they give us root instead!

A lot of places are going to have to review, or should review, their security procedures now in regard to WMQ to this added functionality...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
PeterPotkay
Posted: Tue Dec 22, 2009 1:16 pm Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722

OK, that makes more sense now. If you and I both make changes, but as mqm, the Config Events will be there, but will say mqm did both, and it would be difficult if not impossible to prove who did what.

But at least you would be able to tell what changed and when. Better than flying 100% blind.
Michael Dag
Posted: Tue Dec 22, 2009 3:32 pm Post subject:
Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)

PeterPotkay wrote:
> OK, that makes more sense now. If you and I both make changes, but as mqm, the Config Events will be there, but will say mqm did both, and it would be difficult if not impossible to prove who did what.
> But at least you would be able to tell what changed and when. Better than flying 100% blind.

Yes, but as mqm you can turn these events off and later on, or remove the messages from the config event queue, without anyone knowing...

So the question is how you can make changes without being mqm or having mqm (group) authority, so you can't alter the config event notification or remove the messages from the queue...

IMHO this is a painted lock on the door... but please prove me wrong...
exerk
Posted: Tue Dec 22, 2009 3:39 pm Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

Michael Dag wrote:
> ...yes, but as mqm you can turn these events off and later on, or remove the messages from the config event queue, without anyone knowing...
> So the question is how you can make changes without being mqm or having mqm (group) authority, so you can't alter the config event notification or remove the messages from the queue...
> IMHO this is a painted lock on the door... but please prove me wrong...

I would expect that the sudden 'loss' of events from a particular queue manager, as noted by the monitoring software being used, would be an indication. That, or centralise the queue somewhere else, i.e. redefine it as a QR to a collector queue manager somewhere.
PeterPotkay
Posted: Tue Dec 22, 2009 4:47 pm Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722

exerk wrote:
> Michael Dag wrote:
> > ...yes, but as mqm you can turn these events off and later on, or remove the messages from the config event queue, without anyone knowing...
> > So the question is how you can make changes without being mqm or having mqm (group) authority, so you can't alter the config event notification or remove the messages from the queue...
> > IMHO this is a painted lock on the door... but please prove me wrong...
>
> I would expect that the sudden 'loss' of events from a particular queue manager, as noted by the monitoring software being used, would be an indication. That, or centralise the queue somewhere else, i.e. redefine it as a QR to a collector queue manager somewhere.

There may be no loss of event messages. Turn off config events, make your bad boy changes, turn config events back on. No config event for your naughty change.

BUT, I think turning config events on and off generates config messages.

BUT, you could intercept those and delete them.

I guess there's a way around everything if you have super user access, just like if you have root access you can get around stuff. There is a certain level of trust that comes with having mqm (or mqm level access) or root.
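The detection side of the last few posts, as an added example that is not code from any poster or from IBM: given a batch of configuration events collected from the SYSTEM.ADMIN.CONFIG.EVENT feed (ideally after it has been forwarded to a collector queue manager, as exerk suggests, so that local mqm cannot quietly drain it), it flags the four things the thread identifies: the feed being switched off and on again (which, as Peter notes, is itself recorded), the blind window between those two events, changes carrying a shared admin identity that cannot be tied to a person, an admin channel whose MCAUSER is set to that identity, and a queue manager that has gone silent. The event records are a constructed sample in my own simplified shape, not the real PCF layout: a real change is reported as a before/after pair of messages, which this example assumes has already been merged into one record with "before" and "after" dicts, and reading the messages off the queue is left out. Queue manager names, user ids and times are made up.

```python
from datetime import datetime, timedelta

# Constructed sample of configuration events, already decoded into plain dicts.
# This is a simplified shape: the real queue manager writes one PCF message per
# event to SYSTEM.ADMIN.CONFIG.EVENT and reports a change as a pair of messages
# (attributes before, attributes after); here the pair is merged into one record.
# Reason names are the MQRC_CONFIG_* event reasons; "user" stands for the
# originating user id the event carries.
EVENTS = [
    {"qmgr": "QM1", "time": "2009-12-22T07:35:00", "reason": "MQRC_CONFIG_CHANGE_OBJECT",
     "user": "jsmith", "obj_type": "QLOCAL", "obj_name": "APP.REQUEST",
     "before": {"MAXDEPTH": "5000"}, "after": {"MAXDEPTH": "10000"}},
    # the audit feed itself being switched off and, 39 minutes later, back on
    {"qmgr": "QM1", "time": "2009-12-22T09:02:00", "reason": "MQRC_CONFIG_CHANGE_OBJECT",
     "user": "mqm", "obj_type": "QMGR", "obj_name": "QM1",
     "before": {"CONFIGEV": "ENABLED"}, "after": {"CONFIGEV": "DISABLED"}},
    {"qmgr": "QM1", "time": "2009-12-22T09:41:00", "reason": "MQRC_CONFIG_CHANGE_OBJECT",
     "user": "mqm", "obj_type": "QMGR", "obj_name": "QM1",
     "before": {"CONFIGEV": "DISABLED"}, "after": {"CONFIGEV": "ENABLED"}},
    {"qmgr": "QM2", "time": "2009-12-21T16:10:00", "reason": "MQRC_CONFIG_CREATE_OBJECT",
     "user": "mqm", "obj_type": "CHANNEL", "obj_name": "ADMIN.SVRCONN",
     "before": {}, "after": {"CHLTYPE": "SVRCONN", "MCAUSER": "mqm"}},
]

# Identities that several people can become (su/sudo), so an event carrying
# one of them cannot be tied to a single person.
SHARED_ADMIN_IDS = {"mqm"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def configev_toggles(events):
    """Queue-manager CONFIGEV changes. Switching the feed off or on is itself
    recorded, so these events bracket any unaudited window."""
    return [e for e in events
            if e["obj_type"] == "QMGR"
            and e["before"].get("CONFIGEV") != e["after"].get("CONFIGEV")]


def blind_windows(events):
    """(qmgr, disabled_at, enabled_at) per off/on pair; enabled_at is None while
    the feed is still off. Any change made inside a window left no event."""
    open_since, windows = {}, []
    for e in sorted(events, key=_ts):
        if e["obj_type"] != "QMGR":
            continue
        state = e["after"].get("CONFIGEV")
        if state == "DISABLED":
            open_since[e["qmgr"]] = _ts(e)
        elif state == "ENABLED" and e["qmgr"] in open_since:
            windows.append((e["qmgr"], open_since.pop(e["qmgr"]), _ts(e)))
    windows.extend((q, start, None) for q, start in open_since.items())
    return windows


def unattributable(events):
    """Events whose user id is a shared admin identity: 'what' and 'when' are
    known, 'who' is not."""
    return [e for e in events if e["user"] in SHARED_ADMIN_IDS]


def admin_identity_on_channel(events):
    """Channel definitions whose MCAUSER is a shared admin id: every command
    arriving over that channel is then audited as that id, not as the caller."""
    return [e for e in events
            if e["obj_type"] == "CHANNEL"
            and e["after"].get("MCAUSER") in SHARED_ADMIN_IDS]


def silent_qmgrs(events, expected_qmgrs, now_iso, max_silence_hours):
    """Queue managers from which nothing has arrived for longer than the
    allowed silence: the 'sudden loss of events' a monitor should raise."""
    now, limit = datetime.fromisoformat(now_iso), timedelta(hours=max_silence_hours)
    last_seen = {}
    for e in events:
        last_seen[e["qmgr"]] = max(last_seen.get(e["qmgr"], datetime.min), _ts(e))
    return sorted(q for q in expected_qmgrs
                  if now - last_seen.get(q, datetime.min) > limit)


if __name__ == "__main__":
    for q, start, end in blind_windows(EVENTS):
        print(f"{q}: config events off from {start} until {end or 'now'}")
    for e in unattributable(EVENTS):
        print(f"{e['qmgr']} {e['time']} {e['reason']} {e['obj_type']} "
              f"{e['obj_name']} by shared id {e['user']}")
    for e in admin_identity_on_channel(EVENTS):
        print(f"{e['qmgr']}: channel {e['obj_name']} runs as {e['after']['MCAUSER']}")
    print("silent:", silent_qmgrs(EVENTS, ["QM1", "QM2", "QM3"], "2009-12-22T18:00:00", 12))
```

The silence check has to be told which queue managers are expected to report, otherwise a queue manager whose feed was never forwarded (or never enabled) is indistinguishable from one that has gone quiet; with the constructed data it reports QM2 and the never-seen QM3. The blind-window check is the answer to Peter's off/change/on sequence: the two toggle events survive unless the mqm user also deletes them, which is exactly why the queue should be forwarded off the box before anyone with local mqm authority can get at it.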