How to Read the MQ Queue manager Error Logs as non-mqm
mqjeff
Posted: Fri Mar 18, 2016 5:45 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Well, then I remember wrong.
_________________
chmod -R ugo-wx /
umatharani
Posted: Fri Mar 18, 2016 7:04 am

Apprentice

Joined: 23 Oct 2008
Posts: 39

The "ValidateAuth=No" configuration should work. Please check the following URL for details on ValidateAuth.

http://www-01.ibm.com/support/docview.wss?uid=swg21228976

If ValidateAuth is not working I suggest opening a PMR.
ghoshly
Posted: Sun May 22, 2016 7:18 pm

Partisan

Joined: 10 Jan 2008
Posts: 325

I am currently on MQ 7.5 and WMB 8.

I see a similar issue for FDC files, core dumps, traces etc., which are written by the mqm user without accepting its UMASK value. That results in not even read permission to those files for "Others" / World.

I believe this validate flag would be applicable for MQ 7.5. I would try this one.
Dread86
Posted: Tue Aug 09, 2016 8:52 pm

Novice

Joined: 15 Mar 2016
Posts: 15

Hi All,

-rw-rw---- 1 mqm mqm 2097833 Jun 5 05:52 AMQERR03.LOG
-rw-rw---- 1 mqm mqm 2097745 Jun 5 05:53 AMQERR02.LOG
-rw-rw---- 1 mqm mqm 1922389 Aug 10 04:08 AMQERR01.LOG

As I have mentioned in the previous posts, my monitoring tool needs to read these queue manager logs. Say my monitoring tool runs as user "ABC"; as ABC falls into "other" users, it won't have access to read the above queue manager logs. I can give read permission to the ABC user, but whenever the qmngr updates the logs the permission is gone.

So I decided to add the "ABC" user to the mqm group so that ABC can directly read the log files. I wanted to know whether adding the "ABC" user as admin is the correct option? By doing so, the ABC user has runmqsc access as mqm has and can do whatever it wants. Is there any option to limit the runmqsc access to only ABC user present in mqm?
Vitor
Posted: Wed Aug 10, 2016 4:48 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Dread86 wrote:
I wanted to know whether adding the "ABC" user as admin is the correct option?


No.

Dread86 wrote:
By doing so, the ABC user has runmqsc access as mqm has and can do whatever it wants.


Yes it can. That's why it's not the right option.

Dread86 wrote:
Is there any option to limit the runmqsc access to only ABC user present in mqm?


No. All members of the mqm group have mqm authority. That's how the product works.
_________________
Honesty is the best policy.
Insanity is the best defence.
Dread86
Posted: Wed Aug 10, 2016 4:52 am

Novice

Joined: 15 Mar 2016
Posts: 15

Hmm.. Any other best solutions for allowing ABC user to read the queue manager logs?
mqjeff
Posted: Wed Aug 10, 2016 4:54 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

ln -s ?

I think sudo can be configured to only allow specific commands?
_________________
chmod -R ugo-wx /
Dread86
Posted: Wed Aug 10, 2016 5:02 am

Novice

Joined: 15 Mar 2016
Posts: 15

I tried it earlier but it didn't work. Let me give it a try again.
Vitor
Posted: Wed Aug 10, 2016 5:24 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Dread86 wrote:
Hmm.. Any other best solutions for allowing ABC user to read the queue manager logs?


You could use splunk (or similar) to copy the logs to a different location with appropriate security.
_________________
Honesty is the best policy.
Insanity is the best defence.
Dread86
Posted: Wed Aug 10, 2016 5:30 am

Novice

Joined: 15 Mar 2016
Posts: 15

Splunk should also access the error log location as a non-mqm user, right? Which is again the same problem. How is this possible?
Vitor
Posted: Wed Aug 10, 2016 5:57 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Dread86 wrote:
Splunk should also access the error log location as a non-mqm user, right? Which is again the same problem. How is this possible?


UMASK or Splunk option to give the copies the correct permissions for your ABC user.
_________________
Honesty is the best policy.
Insanity is the best defence.
smdavies99
Posted: Wed Aug 10, 2016 8:29 am

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

At one site where I worked, we were not allowed (so-called security experts) to give anyone, including the MQ Admins, unticketed access to the MQ Logs. They said we could read the data in the messages on the queues at the same time....

After a while the Unix Admins got fed up with our constant requests and set up a cron job to copy them to a location we could read. It ran every 5 minutes.
The Security people went ballistic until they were shown the logs and asked 'where is the customer sensitive data in them?'
Naturally, they could not point to it so they let us carry on reading the copied logs.

We still had to raise a ticket to do anything related to the information in the logs but the amount of support tickets dropped by around 90%.

I wish there was a documented (and therefore supported) way of getting read only access to the logs for non mqm group users provided by IBM. Support in the real world would be an awful lot easier.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
mqjeff
Posted: Wed Aug 10, 2016 8:36 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

You could probably set up a logstash-monitor (or any of a large number of other "read/parse/send" solutions) to run as the mqm user and place the error data somewhere else.
_________________
chmod -R ugo-wx /
Dread86
Posted: Wed Aug 10, 2016 6:52 pm

Novice

Joined: 15 Mar 2016
Posts: 15

smdavies99 wrote:
At one site where I worked, we were not allowed (so-called security experts) to give anyone, including the MQ Admins, unticketed access to the MQ Logs. They said we could read the data in the messages on the queues at the same time....

After a while the Unix Admins got fed up with our constant requests and set up a cron job to copy them to a location we could read. It ran every 5 minutes.
The Security people went ballistic until they were shown the logs and asked 'where is the customer sensitive data in them?'
Naturally, they could not point to it so they let us carry on reading the copied logs.

We still had to raise a ticket to do anything related to the information in the logs but the amount of support tickets dropped by around 90%.

I wish there was a documented (and therefore supported) way of getting read only access to the logs for non mqm group users provided by IBM. Support in the real world would be an awful lot easier.


I reached out to IBM regarding this non-mqm access. They too don't have any solution to this, instead recommending to run some cron jobs to change the file permissions regularly.
mqjeff
Posted: Thu Aug 11, 2016 3:37 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Or you could create an MQ service that ran something that read the logs and copied/stored them somewhere else...

Then this would run under mqm and have access.

There are a ton of solutions like the ELK stack https://www.elastic.co/ But logstash->elasticsearch->kibana is not a bad one.
_________________
chmod -R ugo-wx /
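
The copy-to-a-readable-location approach suggested in this thread (a cron job or an MQ service running as mqm), sketched as an added example that is not from any poster or from IBM. The function name, the directory arguments, the group argument and the 0640 default mode are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Run as mqm (cron or an MQ service).
# Publishes read-only copies of the queue manager error logs so a monitoring
# account can read them without being a member of the mqm group.
#
# publish_mq_errlogs SRC_DIR DST_DIR [GROUP] [MODE]
#   SRC_DIR  the queue manager's error log directory (AMQERR01.LOG ...)
#   DST_DIR  existing directory the monitoring user may enter (assumption)
#   GROUP    group of the monitoring user; default: caller's primary gid
#   MODE     mode of the copies; default 0640 (group read, nothing for other)
# Prints the number of files that were (re)published.
publish_mq_errlogs() {
    src=$1 dst=$2 grp=${3:-$(id -g)} mode=${4:-0640}
    [ -d "$src" ] && [ -d "$dst" ] || return 2
    copied=0
    for f in "$src"/AMQERR0[0-9].LOG; do
        # Skip an unmatched glob, and never follow a symlink planted in SRC_DIR.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        name=${f##*/}
        # Unchanged since the last run: leave the published copy alone.
        [ -f "$dst/$name" ] && cmp -s "$f" "$dst/$name" && continue
        # mktemp creates the file 0600; set group and mode before the rename
        # so readers never see a partial copy or one with wider permissions.
        tmp=$(mktemp "$dst/.$name.XXXXXX") || return 1
        if cp "$f" "$tmp" && chgrp "$grp" "$tmp" && chmod "$mode" "$tmp" &&
            mv -f "$tmp" "$dst/$name"; then
            copied=$((copied + 1))
        else
            rm -f "$tmp"
            return 1
        fi
    done
    echo "$copied"
}

# When invoked as a script with arguments, run once (e.g. every 5 minutes).
if [ "$#" -ge 2 ]; then publish_mq_errlogs "$@"; fi
```

Because the originals are never modified, the queue manager rewriting or rotating its logs does not undo the access, and the monitoring user gets no mqm authority; DST_DIR should be owned by mqm and not writable by the monitoring group.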