OS logs (Linux/Solaris) that show client channel connections
pakuma3
Posted: Thu Jul 05, 2018 11:11 am

Newbie

Joined: 27 Feb 2015
Posts: 2

Hi guys, big fan of the mods

In RHEL, we had somebody accidentally modify a CHLAUTH record and I'm trying to figure out who (to improve security measures). It was an obvious mistake but nobody is admitting to this. Our queue manager has no events enabled at all (channel, configuration, etc.). We searched for entered commands in history and sudosh logs on the server and nobody else has entered CLI mode with runmqsc (QMGR) in this server. Also checked /var/log/messages, secure, and wtmp but there is nothing we can detect as "fishy".

Since no events were enabled at the time, nothing shows up in the MQ logs. Our best bet is that this was done either by Explorer or through runmqsc -c (QMGR), but what I can't find is how these connections from MQ clients are logged in any OS level logs (like tty, ssh, telnet, etc.). We are suspicious of 2 Solaris servers that have the authorized IDs mapped to "mqm" user in this RHEL server and another 2 Windows servers that have MQ Explorer. I tried to check here but I don't notice anything strange.

Perhaps I'm not looking for the right pattern.

Could somebody please point me in the right direction? Thanks in advance
fjb_saper
Posted: Thu Jul 05, 2018 8:21 pm

Grand Poobah

Joined: 18 Nov 2003
Posts: 19701
Location: LI,NY

If you are logging it, look for a SVRCONN type channel that was active at the time of the change and that would allow admin access
(between started and ended recorded states). It just might show from which IP the connection was coming... This would have been in the MQ logs, not in the OS logs...

Hope it helps

_________________
MQ & Broker admin
LJM
Posted: Fri Jul 06, 2018 7:15 am

Newbie

Joined: 05 Jul 2018
Posts: 1

Horse has bolted, you need to secure access,

start by adding some MCA user to your SVRCONN channels.
exerk
Posted: Fri Jul 06, 2018 7:54 am

Jedi Council

Joined: 02 Nov 2006
Posts: 5873

LJM wrote:
Horse has bolted, you need to secure access,

start by adding some MCA user to your SVRCONN channels.

The whole stable has gone...

...if an incoming user is mapped to an MQAdmin ID. It's not so simple just to put in an MCAUSER value, you have to put in the controls around it.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

pakuma3
Posted: Fri Jul 06, 2018 11:30 pm

Newbie

Joined: 27 Feb 2015
Posts: 2

Thanks guys, fortunately, due to network security, we know it was one of "us". But yes, we most likely have to create different sets of authorizations to map to.
Will try and do a dmpmqlog. All events (CHLEV, CONFIGEV, CMDEV, CHADEV) were disabled at the time but I hope we find something juicy anyways.

Thanks guys
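
Added example, not part of any post in this thread: MQSC that turns on the four event classes the original poster lists as disabled (CHLEV, CONFIGEV, CMDEV, CHADEV) so the next change is attributable, then reviews the SVRCONN identity settings the replies discuss. The channel name, address and user ID in the last command are placeholders, not values from the thread.

```mqsc
* Added example, not from the thread. Run inside: runmqsc <QMGR>

* 1. Show the event switches the thread reports as disabled.
DISPLAY QMGR CMDEV CONFIGEV CHLEV CHADEV

* 2. Enable them. Command events record the issuing user ID and the
*    command; configuration events record changes to object definitions;
*    channel events record channel starts and stops.
ALTER QMGR CMDEV(ENABLED) CONFIGEV(ENABLED) CHLEV(ENABLED) CHADEV(ENABLED)

* 3. Events are written to the SYSTEM.ADMIN.*.EVENT queues. Check their
*    depth against MAXDEPTH: when an event queue is full, new events are lost.
DISPLAY QLOCAL('SYSTEM.ADMIN.*') CURDEPTH MAXDEPTH

* 4. Review which identity each client channel runs under and which
*    channel authentication rules currently apply.
DISPLAY CHANNEL('*') CHLTYPE(SVRCONN) MCAUSER
DISPLAY CHLAUTH('*') ALL

* 5. Placeholder rule: map one known client address to a non-admin ID
*    instead of mapping it to mqm. Replace every quoted value.
SET CHLAUTH('APP1.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.10') +
    USERSRC(MAP) MCAUSER('appuser1') ACTION(REPLACE)
```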