Comments on: Is a special authority needed for active socket connections?

By: tomliotta

tomliotta — Wed, 30 Nov 2011 22:39:18 +0000

Will see if our audit team accepts this change or not.

With the IBM document to justify the change, it could be acceptable. Still, I would make a call to IBM Support and ask for some specific justification for the requirement or for IBM-recommended alternatives.

Tom

By: gfroehlich

gfroehlich — Wed, 30 Nov 2011 10:10:26 +0000

To give the user QTMHHTTP *JOBCTL let the problem disappear.

Will see if our audit team accepts this change or not.

If somebody has an idea for an alternative, please let me know.

Thanks
Gabriel

By: tomliotta

tomliotta — Tue, 29 Nov 2011 21:41:14 +0000

I’m using DSPJRN or DSPAUDJRNE and create a file with it. Use DSPJRN or CPYAUDJRNE -- DSPAUDJRNE is only okay for basic overviews. It should not be used for precise details. See MustGather: Security Issues and Using Auditing to Track Spooling Activity for a couple of the various documents that discourage the use of DSPAUDJRNE for specific analysis. As for the actual problem, I see a V5R3 document, DSPAUDJRNE Shows Numerous AF K Entries after Upgrading to R530, that could apply equally well to V5R4. It looks as if adding *JOBCTL to the QTMHHTTP is worth a try in order to verify that it is the problem. If the problem disappears, then it becomes one of seeing if any alternative exists. Tom

By: gfroehlich

gfroehlich — Tue, 29 Nov 2011 16:27:19 +0000

To use CPYAUDJRNE makes no difference in the result: there is no object or path information ore any other information that gives me a hint on what authority is missing.

Gabriel

By: rayj1031

rayj1031 — Tue, 29 Nov 2011 16:05:28 +0000

Try the CPYAUDJRNE command.

http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/cl/cpyaudjrne.htm

This command was added in v5r4m0. I have not experimented with this command but since it was just released I would expect it to provide the most information.

By: gfroehlich

gfroehlich — Tue, 29 Nov 2011 08:45:52 +0000

I’m using DSPJRN or DSPAUDJRNE and create a file with it.

There is only one record with a path information with type A not K, this was possibly a wrong file permission on the socket. The rest has no additional information except the port.

Is there something that I can do to get more information?

Gabriel

By: tomliotta

tomliotta — Mon, 28 Nov 2011 23:42:57 +0000

The “*INSTR” part should be saying that a machine instruction signaled the violation. The “*N/*N” part is for the Object Library and Object Name subfields; but I wouldn’t expect those to have anything but “*N” in them for this.

What would be more useful would be anything in the path or folder fields farther out in the AF format. What are you using to view the entries?

I’ve never needed any authorities for general sockets work. Zend/PHP runs on a couple of our systems with no problems, though we’re not accessing LDAP through it.

Tom

By: gfroehlich

gfroehlich — Mon, 28 Nov 2011 08:26:25 +0000

In the audit entries are no object information: *INSTR/*N/*N
There is one entry of thousands that shows a path information. This points to the socket used for communication between native apache and PASE PHP jobs.

The reason why I’m thinking that the entries happen at opening remote socket connections, are the remote ports in the audit log entries: 389=LDAP, 80=HTTP (SOAP requests) and 10137=ZendServer remote debug.

Is it possible that a bind to a remote socket needs *IOSYSCFG?

Gabriel

By: tomliotta

tomliotta — Sat, 26 Nov 2011 07:20:06 +0000

For AF entries, detail type K means “An attempt was made to perform an operation for which the user did not have the required special authority.”

I don’t have a Zend/PHP configuration to experiment with for now, but I wouldn’t be comfortable adding any special authority to any server profile in any case.

What objects show up in audit entries?

Tom