OS logs (Linux/Solaris) that show client channel connections
pakuma3
Posted: Thu Jul 05, 2018 11:11 am Post subject: OS logs (Linux/Solaris) that show client channel connections
Newbie
Joined: 27 Feb 2015 Posts: 9
Hi guys, big fan of the mods.
In RHEL, we had somebody accidentally modify a CHLAUTH record and I'm trying to figure out who (to improve security measures). It was an obvious mistake but nobody is admitting to this. Our queue manager has no events enabled at all (channel, configuration, etc.). We searched for entered commands in history and sudosh logs on the server and nobody else has entered CLI mode with runmqsc (QMGR) on this server. We also checked /var/log/messages, secure, and wtmp but there is nothing we can detect as "fishy".
Since no events were enabled at the time, nothing shows up in the MQ logs. Our best bet is that this was done either by Explorer or through runmqsc -c (QMGR), but what I can't find is how these connections from MQ clients are logged in any OS level logs (like tty, ssh, telnet, etc.). We are suspicious of 2 Solaris servers that have the authorized IDs mapped to the "mqm" user on this RHEL server and another 2 Windows servers that have MQ Explorer. I tried to check there but I don't notice anything strange.
Perhaps I'm not looking for the right pattern.
Could somebody please point me in the right direction? Thanks in advance.
fjb_saper
Posted: Thu Jul 05, 2018 8:21 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
If you are logging it, look for an SVRCONN type channel that was active at the time of the change and that would allow admin access (between started and ended recorded states). It just might show from which IP the connection was coming... This would have been in the MQ logs, not in the OS logs...
Hope it helps
_________________
MQ & Broker admin
LJM
Posted: Fri Jul 06, 2018 7:15 am Post subject:
Novice
Joined: 05 Jul 2018 Posts: 22
The horse has bolted; you need to secure access. Start by adding some MCA user to your SVRCONN channels.
exerk
Posted: Fri Jul 06, 2018 7:54 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
LJM wrote:
    The horse has bolted; you need to secure access. Start by adding some MCA user to your SVRCONN channels.
The whole stable has gone...
...if an incoming user is mapped to an MQAdmin ID. It's not so simple just to put in an MCAUSER value, you have to put in the controls around it.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
pakuma3
Posted: Fri Jul 06, 2018 11:30 pm Post subject:
Newbie
Joined: 27 Feb 2015 Posts: 9
Thanks guys. Fortunately, due to network security, we know it was one of "us". But yes, we most likely have to create different sets of authorizations to map to.
Will try and do a dmpmqlog. All events (CHLEV, CONFIGEV, CMDEV, CHADEV) were disabled at the time, but I hope we find something juicy anyway.
Thanks guys
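As an added illustration (not commands posted by anyone in this thread), the MQSC a queue manager admin would run to get the audit trail the original poster lacked and to put the controls around MCAUSER that exerk refers to. The channel names, the IDs 'mqapp' and 'mqadmin', and the address pattern are placeholders.

```mqsc
* --- 1. Turn on the events that were disabled, so the next change is attributable.
*     CONFIGEV writes object changes to SYSTEM.ADMIN.CONFIG.EVENT (before/after images),
*     CMDEV writes every command (NODISPLAY = skip DISPLAY) to SYSTEM.ADMIN.COMMAND.EVENT
*     with the issuing user ID, CHLEV/CHADEV record channel start/stop and auto-definition.
ALTER QMGR CONFIGEV(ENABLED) CMDEV(NODISPLAY) CHLEV(ENABLED) CHADEV(ENABLED)

* --- 2. The weak setting: a SVRCONN with a blank MCAUSER. The client asserts its own
*     user ID, so anyone whose OS ID is mapped to mqm becomes mqm on the queue manager.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER(' ') REPLACE

* --- 3. The corrected setting: pin the application channel to a low-privilege ID
*     regardless of what the client sends (placeholder ID 'mqapp').
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('mqapp') REPLACE

* --- 4. The controls around it (MCAUSER alone is not enough):
*     block any client-asserted ID that is a member of mqm on every channel ...
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN') ACTION(REPLACE)
*     ... deny the admin channel by default ...
SET CHLAUTH('ADMIN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)
*     ... and map only the admin subnet (placeholder pattern) to a dedicated admin ID,
*     so the connection is still tied to an identity and an address in the event records.
SET CHLAUTH('ADMIN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('192.0.2.*') USERSRC(MAP) MCAUSER('mqadmin') ACTION(REPLACE)

* --- 5. What fjb_saper suggests checking: which SVRCONN instances are active right now,
*     the remote address, the effective MCAUSER and the client application name.
*     CHSTATUS shows current instances only; past connections need the events above.
DISPLAY CHSTATUS(*) CHLTYPE(SVRCONN) CONNAME MCAUSER RAPPLTAG STATUS
```

Feed the script to runmqsc for the queue manager in question; the BLOCKUSER rule in step 4 is the one that stops the mapping the original poster describes, and the channel definitions are examples to adapt to the existing channel names.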