sebastianhirt (Yatiri; Joined: 07 Jun 2004; Posts: 620; Location: Germany)
Posted: Wed Sep 06, 2006 11:24 am
Michael Dag wrote:
    any mechanism would be welcome!
    however not being able to track runmqsc commands (which does NOT require the command server and therefore is used in many organisations!) is a real 'pain' nowadays... (auditors referring to SOX etc...)!

I once wrote a 3 line (ksh on AIX) shell script that I used as a wrapper around runmqsc. All it basically did was write logs about every single line you type into runmqsc. OK. This sounds a bit obsessive, but proved to be useful in many situations.
If you want to have it, let me know and I'll see whether I find the script somewhere.
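A wrapper of the kind sebastianhirt describes, written here as an added example (it is not his script and not part of the thread): every MQSC line read on stdin is appended to an audit log with timestamp, OS user, the login user behind sudo, queue manager and PID, and then forwarded unchanged to the real runmqsc. The variable names RUNMQSC_BIN, MQSC_AUDIT_LOG and the default log path are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit-logging wrapper around runmqsc (not the script from the thread).
# Assumptions: the real binary is reachable as $RUNMQSC_BIN (default: runmqsc on PATH)
# and $MQSC_AUDIT_LOG (hypothetical path) is writable by the mqm group only.

RUNMQSC_BIN="${RUNMQSC_BIN:-runmqsc}"
MQSC_AUDIT_LOG="${MQSC_AUDIT_LOG:-/var/mqm/audit/runmqsc.log}"

# audit_log TAG TEXT: append one audit record for the current session.
audit_log() {
    printf '%s pid=%s user=%s login=%s qmgr=%s %s %s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$$" "$(id -un)" \
        "${SUDO_USER:-$(id -un)}" "$AUDIT_QMGR" "$1" "$2" >> "$MQSC_AUDIT_LOG"
}

# audit_runmqsc QMGR: read MQSC commands from stdin, log each one, and run them
# all through runmqsc.  Returns runmqsc's exit status.
audit_runmqsc() {
    AUDIT_QMGR="$1"
    rc=0
    audit_log SESSION "start"
    # The read loop is the first stage of a pipe into runmqsc, so each command is
    # on record before runmqsc executes it, even if runmqsc then hangs or dies.
    while IFS= read -r line || [ -n "$line" ]; do
        audit_log CMD "$line"
        printf '%s\n' "$line"
    done | "$RUNMQSC_BIN" "$AUDIT_QMGR" || rc=$?
    audit_log SESSION "end rc=$rc"
    return "$rc"
}

# Stand-alone use:  ./audit_runmqsc.sh QM1 < changes.mqsc   (or interactively)
if [ "$#" -ge 1 ]; then
    audit_runmqsc "$1"
fi
```

The wrapper only records what is typed through it; anyone with mqm authority can still run the real binary directly, which is the 'backdoor' the later posts in this thread point at. It therefore belongs together with an append-only or off-box log and a PATH/sudo policy that keeps the unwrapped runmqsc out of reach, and it says nothing about changes made through the command server.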

Michael Dag (Jedi Knight; Joined: 13 Jun 2002; Posts: 2607; Location: The Netherlands (Amsterdam))
Posted: Wed Sep 06, 2006 11:47 am
sebastianhirt wrote:
    I once wrote a 3 line (ksh on AIX) shell script that I used as a wrapper around runmqsc. All it basically did was write logs about every single line you type into runmqsc. OK. This sounds a bit obsessive, but proved to be useful in many situations.
    If you want to have it, let me know and I'll see whether I find the script somewhere.

the point was logging in MQ itself about configuration changes, sure there is the administration wrapper (but believe it is cat 2 and does not exploit V6 yet) also this post provides a 'wrapper'
http://www.mqseries.net/phpBB2/viewtopic.php?t=23799&highlight=replace+runmqsc
I feel given the audit requirements being more and more important in the eyes of some people** (business managers, auditors) that MQ itself should provide this at any level. not just through catching PCF to command server or a 'wrapper'.
**) I say some people, but I for myself always have thought and still think MQ needs more robust security, so I am very happy to be backed by the magic of SOX...
Also the 'blunt' method of mqm should be a thing of the past... (mqroot, mqadmin, mqcontrol, mqread groups should be 'replacements')
I have seen many requests for 'read-only' access or start stop only etc... in the past, but no 'built in' features to match it.
setmqaut doesn't cut it for objects that do not exist yet...
runmqsc is great, remote administration through the command server is great. mqm itself is great
but from a SOX point of view the product has a number of blindspots that need to be 'fixed' ...
another option... to this would be the LOG! (I know the information is there, including all information about who executed what etc...)
@Markt what about a dmpconfiglog that reads the logs and spits out the config records? starting with a supportpac and then move to cat 3?
_________________
Michael
MQSystems Facebook page

jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Wed Sep 06, 2006 11:54 am
Michael Dag wrote:
    setmqaut doesn't cut it for objects that do not exist yet...

yes, it does. setmqaut ... -o SYSTEM.** works just fine for objects that don't exist yet.
_________________
I am *not* the model of the modern major general.

Michael Dag (Jedi Knight; Joined: 13 Jun 2002; Posts: 2607; Location: The Netherlands (Amsterdam))
Posted: Wed Sep 06, 2006 12:01 pm
jefflowrey wrote:
    Michael Dag wrote:
        setmqaut doesn't cut it for objects that do not exist yet...
    yes, it does. setmqaut ... -o SYSTEM.** works just fine for objects that don't exist yet.

how does that deal with me creating TEST123 Queue or BLA123 and how do I set someone up to be just able to display all information but be able to change it? ...
with setmqaut I would need to authorise each user/group for each new Queue or object with only display authority (I know about wildcards, but that assumes a predefined format) I just don't want to lie awake all night thinking 'did I restrict access or didn't I???'
_________________
Michael
MQSystems Facebook page

markt (Knight; Joined: 14 May 2002; Posts: 512)
Posted: Wed Sep 06, 2006 12:01 pm
Quote:
    the LOG! (I know the information is there, including all information about who executed what etc...)

No it's not.
And whether or not a function would be a good idea to include in future versions of WMQ (where it has to compete with all the many other ideas for priorities, resources etc), there can be some value in exploiting existing capabilities.

Last edited by markt on Wed Sep 06, 2006 12:04 pm; edited 1 time in total

Michael Dag (Jedi Knight; Joined: 13 Jun 2002; Posts: 2607; Location: The Netherlands (Amsterdam))
Posted: Wed Sep 06, 2006 12:03 pm
markt wrote:
    Quote:
        the LOG! (I know the information is there, including all information about who executed what etc...)
    No it's not.

it isn't ??? I thought each new config was written to the LOG and have seen some records where a userid was in there as well, I have tried to decipher the information, but failed...
_________________
Michael
MQSystems Facebook page

jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Wed Sep 06, 2006 12:06 pm
You can define authorizations for the ** profile for a generic group, and then enhance or restrict those authorizations for specific users.
But an LDAP OAM would still be a dandy thing.
_________________
I am *not* the model of the modern major general.
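The generic-profile approach jefflowrey describes in his two posts above (a ** profile for a group, display-only, covering queues such as TEST123 or BLA123 that do not exist yet), as an added example that is not code from the thread or from IBM. It assumes WebSphere MQ v6 setmqaut/dspmqaut on PATH (overridable through the hypothetical SETMQAUT_BIN and DSPMQAUT_BIN variables) and uses a placeholder group name; note that the profile-name flag in setmqaut is -n, and that the qmgr object takes no profile name. The per-user refinements he mentions are left out.

```shell
#!/bin/sh
# Added example: display-only access via generic OAM profiles (not from the thread).
# Assumptions: MQ v6 command syntax; 'mqread' is a placeholder group name.
# Contrast: the 'blunt' alternative is putting the user into the mqm group,
# which grants full administrative authority over every object.

SETMQAUT_BIN="${SETMQAUT_BIN:-setmqaut}"
DSPMQAUT_BIN="${DSPMQAUT_BIN:-dspmqaut}"

# Object types that carry their own profiles in WebSphere MQ v6.
READONLY_TYPES="queue process namelist channel clntconn listener service authinfo"

# grant_readonly QMGR GROUP: connect + display/inquire on the queue manager,
# and display-only on every current AND future object of each type.  The
# '**' profile is evaluated at access time, so a queue defined next week is
# covered without another setmqaut call.
grant_readonly() {
    qm="$1"; grp="$2"
    "$SETMQAUT_BIN" -m "$qm" -t qmgr -g "$grp" +connect +dsp +inq || return 1
    for t in $READONLY_TYPES; do
        "$SETMQAUT_BIN" -m "$qm" -n '**' -t "$t" -g "$grp" +dsp || return 1
    done
}

# show_object_auth QMGR GROUP TYPE OBJECT: what the group can do with one
# concrete object (e.g. a queue created after the profiles were set), so the
# 'did I restrict access or didn't I?' question can be answered from the OAM.
show_object_auth() {
    "$DSPMQAUT_BIN" -m "$1" -n "$4" -t "$3" -g "$2"
}

# Stand-alone use:  ./readonly_profiles.sh QM1 mqread
if [ "$#" -eq 2 ]; then
    grant_readonly "$1" "$2"
    show_object_auth "$1" "$2" queue TEST123
fi
```

Because only +dsp is granted on the generic profiles, a member of the group can run DISPLAY commands in runmqsc but gets AMQ8135-style 'not authorized' failures on DEFINE, ALTER or DELETE; anyone who is also in mqm is unaffected, since mqm membership bypasses these profiles.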

Michael Dag (Jedi Knight; Joined: 13 Jun 2002; Posts: 2607; Location: The Netherlands (Amsterdam))
Posted: Wed Sep 06, 2006 12:13 pm
markt wrote:
    And whether or not a function would be a good idea to include in future versions of WMQ (where it has to compete with all the many other ideas for priorities, resources etc), there can be some value in exploiting existing capabilities.

I fully agree, maybe a good topic for an article or redpiece?
How would you answer this question from your corporate auditor?
"so you are saying this piece of software that enables our entire business, can not provide a report about who made which change to its configuration and when?"
_________________
Michael
MQSystems Facebook page

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20768; Location: LI,NY)
Posted: Wed Sep 06, 2006 3:46 pm
Michael Dag wrote:
    How would you answer this question from your corporate auditor?
    "so you are saying this piece of software that enables our entire business, can not provide a report about who made which change to its configuration and when?"

Isn't that why companies like Candle (now IBM) and MQSoftware and others make some bucks selling us their solution for managing MQ config changes??
(Yes I know it does not exclude the backdoor changes...)
_________________
MQ & Broker admin

Michael Dag (Jedi Knight; Joined: 13 Jun 2002; Posts: 2607; Location: The Netherlands (Amsterdam))
Posted: Wed Sep 06, 2006 5:43 pm
fjb_saper wrote:
    Michael Dag wrote:
        How would you answer this question from your corporate auditor?
        "so you are saying this piece of software that enables our entire business, can not provide a report about who made which change to its configuration and when?"
    Isn't that why companies like Candle (now IBM) and MQSoftware and others make some bucks selling us their solution for managing MQ config changes??

Sure... they use the SOX argument as well

fjb_saper wrote:
    (Yes I know it does not exclude the backdoor changes...)

Exactly... it's fake 'control'... I could be in and out of your system without your 'agent' (from whoever, including MQDocument) ever detecting I was there...
I know I am playing devil's advocate here, but lately I am getting more and more of these questions and simply can't answer them with a straight face anymore
(believe me ... I used to be able to do that pretty well... )
- configuration auditing
- security (not just by obscurity...)
- message auditing
are getting more and more hot topics than anything else these days...
even the last one like message auditing is harder and harder to answer these days...
auditor: "so which messages passed through MQ between 1 and 2 am to Q 'XYZ'?"
me: "I don't know"
auditor: "why not?"
me: "MQ was designed to deliver messages, so it does..."
auditor: "so it doesn't keep track of what it did?"
me: "well... internally... but that information is not accessible"
auditor: "huh? what do you mean... not accessible?"
and on and on.... you get my point hopefully...
_________________
Michael
MQSystems Facebook page

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20768; Location: LI,NY)
Posted: Wed Sep 06, 2006 7:30 pm
Michael Dag wrote:
    auditor: "so which messages passed through MQ between 1 and 2 am to Q 'XYZ'?"
    me: "I don't know"
    auditor: "why not?"
    me: "MQ was designed to deliver messages, so it does..."
    auditor: "so it doesn't keep track of what it did?"
    me: "well... internally... but that information is not accessible"
    auditor: "huh? what do you mean... not accessible?"

you: What, you (auditors) do not have a licence for beaucoup $$$ that allows you to examine the logs and replay the messages?
Auditor: (smart) would that be all the messages?
you: er... only the persistent ones... (assuming linear logging, SOX mandatory)
Auditor: So anybody could do a request (non persistent) and obtain information and you have no way of tracing (even after the fact) who obtained the information fraudulently.... Hmm.....
_________________
MQ & Broker admin

Michael Dag (Jedi Knight; Joined: 13 Jun 2002; Posts: 2607; Location: The Netherlands (Amsterdam))
Posted: Thu Sep 07, 2006 12:32 am

jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Thu Sep 07, 2006 2:12 am
Any auditor who asks why your messaging infrastructure isn't an enterprise data warehouse isn't worth the money you are paying them.
_________________
I am *not* the model of the modern major general.

markt (Knight; Joined: 14 May 2002; Posts: 512)
Posted: Thu Sep 07, 2006 6:09 am
Next time SupportPac MS0P gets updated (which will not be for a few weeks, when I'm back in the office) it will include the code to generate Command Events for PCF messages sent to the command server on the Distributed platforms - and the Explorer plugin in that SupportPac can also decode those events.

Michael Dag (Jedi Knight; Joined: 13 Jun 2002; Posts: 2607; Location: The Netherlands (Amsterdam))
Posted: Thu Sep 07, 2006 7:03 am
markt wrote:
    it will include the code to generate Command Events for PCF messages sent to the command server on the Distributed platforms

interesting. looking forward to what this may bring.
_________________
Michael
MQSystems Facebook page