FW: [HP3000-L] Finding stream job signons - Hewlett Packard

  1. FW: [HP3000-L] Finding stream job signons

    I'm really looking for the batch signons. We have MANMAN, and some
    commands allow the user to submit a job via the output options. I'm
    doing this for auditing purposes - we want to limit the ability to
    submit jobs just to our batch signons. We don't want the application
    users to have the ability to submit jobs.

    Thanks,

    Jim.

    -----Original Message-----
    From: HP-3000 Systems Discussion [mailto:HP3000-L@RAVEN.UTC.EDU] On
    Behalf Of Dave Powell, MMfab
    Sent: Monday, July 14, 2008 2:57 PM
    To: HP3000-L@RAVEN.UTC.EDU
    Subject: Re: [HP3000-L] Finding stream job signons

    We have used both Jim's tricks, except that in our case it is command
    files, not jobs, that use "echo" to build jobs. We don't have UDCs doing
    it, but that should be possible too.

    Have you considered turning it around and tracking the ids of jobs that
    actually log on? There's a big hole with jobs / logons that aren't used
    often, unless you track for a LONG time, but otherwise it should be easy.

    I suspect there is something in the system logs, but if there isn't, you
    can roll your own. In a system logon UDC, insert lines like:

        if not hpinteractive
          echo !hpjobname, !hpuser, !hpaccount >> somefile
        endif

    If it matters, you could also track "hpstreamedby", date & time, etc.

    Then have something read that file and count whatever you need.
    At our site, "not hpinteractive" = "is a job". I think a creative person
    could find ways for that not to be true, but I suspect most sites don't
    play those tricks.


    * To join/leave the list, search archives, change list settings, *
    * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
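The "read that file and count" step from the quoted message above, sketched as an added example (not code from any poster in this thread). It assumes the log holds one `jobname, user, account` line per job logon as the UDC's echo would write it, that names compare case-insensitively, and that `APPROVED` is a hypothetical allowlist of batch signons; the sample log is constructed.

```python
from collections import Counter

# Constructed sample of the file the logon UDC appends to
# (format: jobname, user, account; the jobname may be empty).
SAMPLE_LOG = """\
NIGHTLY, BATCH, MANMAN
NIGHTLY, BATCH, MANMAN
, CLERK1, MANMAN
REPORT, clerk2, manman
INVPOST, BATCH2, MANMAN
garbage line without commas
"""

# Hypothetical allowlist of approved batch signons (USER.ACCOUNT).
APPROVED = {"BATCH.MANMAN", "BATCH2.MANMAN", "MONTHEND.MANMAN"}


def parse_line(line):
    """Return (jobname, 'USER.ACCOUNT'), or None for a malformed line."""
    fields = [f.strip().upper() for f in line.split(",")]
    if len(fields) < 3 or not fields[1] or not fields[2]:
        return None
    return fields[0], f"{fields[1]}.{fields[2]}"


def audit(log_text, approved):
    """Count job logons per signon and compare them with the allowlist."""
    counts, malformed = Counter(), []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            malformed.append(raw)  # keep for review rather than dropping
            continue
        counts[parsed[1]] += 1
    unapproved = {s: n for s, n in counts.items() if s not in approved}
    unused = sorted(approved - set(counts))  # approved but never seen
    return counts, unapproved, unused, malformed


if __name__ == "__main__":
    counts, unapproved, unused, malformed = audit(SAMPLE_LOG, APPROVED)
    print("job logons outside the allowlist:", unapproved)
    print("approved signons not seen in this period:", unused)
    print("unparsed lines:", malformed)
```

The "not seen" list is where the rarely-used-job gap mentioned in the message shows up: an approved signon missing from a short tracking window is not evidence that it is unused.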


  2. Re: FW: [HP3000-L] Finding stream job signons

    In message
    <035FADD3481A8C46AA63D5EA06ACAF1A6C9674@PTG-CHBGExch01.ptgroup.ptgnet.us>
    , "English, Jim" writes
    >I'm really looking for the batch signons. We have MANMAN, and some
    >commands allow the user to submit a job via the output options. I'm
    >doing this for auditing purposes - we want to limit the ability to
    >submit jobs just to our batch signons. We don't want the application
    >users to have the ability to submit jobs.
    >
    >Thanks,
    >
    >Jim.


    How about you:

    Create a UDC for 'STREAM' and ensure it's in scope for your application
    users.

    Ensure it accepts whatever can follow 'STREAM' and then reports
    something like: "You are not allowed to STREAM " PARM.

    And then sets the error code that a failure to stream would set, so that
    if issued programmatically, it falls into whatever the program does when
    a jobstream can't be launched.

    --
    Roy Brown, Kelmscott Ltd
    'Have nothing in your houses that you do not know to be useful,
    or believe to be beautiful' William Morris


  3. Re: FW: [HP3000-L] Finding stream job signons

    Jim wrote:
    > >I'm really looking for the batch signons. We have MANMAN, and some
    > >commands allow the user to submit a job via the output options. I'm
    > >doing this for auditing purposes - we want to limit the ability to
    > >submit jobs just to our batch signons. We don't want the application
    > >users to have the ability to submit jobs.


    How about removing BA capability from the users?

    (:ALTUSER USER;CAP=-BA)

    That would prevent them from submitting jobs. They could alter the !JOB line
    for a different user but they'd have to know the password, which is an
    entirely different auditing exercise...

    Mark W.



  4. Re: FW: [HP3000-L] Finding stream job signons

    Hi Jim & Mark
    Possible idea to explore:

    UDC/Command file replacement for stream command that creates your
    audit trail for each and every job launch by all users whether they
    should be doing it or not...You could have the UDC/command file/script
    write out the information about the job being streamed and who is doing
    it and when to both a log file of sorts *AND* the console...

    I did this with several programs (IOBOF, GOD, etc.) in a former life
    so that when a user other than the "command staff of the 3k" tried to
    execute them... The Console printed a record of who, what, where and when
    and if they succeeded... If this was done outside of certain time
    periods ... I got a page from the system with a specific numeric value.

    Was very funny (in a sick, paranoid, grim way ... I know I am a sick
    puppy hehehe) when I narrowed down who was trying to use the GOD program
    since we didn't have it!!! ... We had IOBOFX or whatever SRN named their
    Nugget. I created the UDC when I noticed some "weird" system activity
    and attempts to run SYS account programs and things...

    You can even nowadays with the POSIX shell do all sorts of other
    wonderful things like emailing yourself details... Putting up TCPDUMP
    and invoke it to watch who was streaming the job... All sorts of fun to
    be had

    Art "off to get certified on Network Penetration Testing" Bahrs

    Thanks,
    Art
    Art Bahrs, CISSP
    Security Engineer
    Providence Health & Services
    Arthur.Bahrs@Providence.org
    Phone: 503-216-2722


    -----Original Message-----
    From: HP-3000 Systems Discussion [mailto:HP3000-L@RAVEN.UTC.EDU] On
    Behalf Of Mark Wonsil
    Sent: Tuesday, July 22, 2008 1:36 PM
    To: HP3000-L@RAVEN.UTC.EDU
    Subject: Re: FW: [HP3000-L] Finding stream job signons

    Jim wrote:
    > >I'm really looking for the batch signons. We have MANMAN, and some
    > >commands allow the user to submit a job via the output options. I'm
    > >doing this for auditing purposes - we want to limit the ability to
    > >submit jobs just to our batch signons. We don't want the application
    > >users to have the ability to submit jobs.


    How about removing BA capability from the users?

    (:ALTUSER USER;CAP=-BA)

    That would prevent them from submitting jobs. They could alter the !JOB
    line for a different user but they'd have to know the password, which is
    an entirely different auditing exercise...

    Mark W.
