|
prumschlag@phdinc.com wrote: > Hi, all. I am looking for some help. > > Two files (one physical and one logical) have disappeared from our system >today. > They are JD Edwards control files that are referenced often by programs all >over > the system. Based on the timing of jobs completing successfully and jobs > blowing up with File Not Found errors, we have narrowed the time slot down to > somewhere between 13:55 and 13:58. We would like to know how this has >happened > so we can prevent it from happening again. If you have the Security Audit Journal (QAUDJRN) active and are auditing for object deletions (System value QAUDLVL = *DELETE), the information should be readily availabe in the audit log. If not, TURN QAUDJRN ON!! (CHGSECAUD command). Seriously, it's free and it is nothing short of a lifesaver. > We figure the choices are 1) Someone deleted them either intentionally or > unintentionally, 2) JD Edwards programs messed up, or 3) OS/400 lost the > files. We are pursuing 1 and 2, but no one here will 'fess up and JDE swears > that there is no function in the system that would delete these files. I >don't > want to blame the AS/400, but I have to at least consider the possibility. Is > anyone aware of any system records that would help us trace this? The system > log does not have that kind of detail, and because this is a JDE control file > it is kept in a library that is not journaled. I'd bet against #2, and bet heavily against #3. It's more likely someone got directly at your data with something like FTP or Ops Nav, or ODBC, or ... and "intentionally or unintentionally" deleted the files. JD Edwards can be exceptionally vulnerable to these kinds of security breaches because every object is typically owned by the user profile 'JDE' and every user belongs to the group profile 'JDE'. Unfortunately, this makes every user a defacto "owner" of every object in the JD Edwards application, with all associated (including object deletion) rights. When the user has the rights to get directly at your data with something like FTP, or DDM, they will completely bypass the traditional JD Edwards "menu security" and have unlimited access to the application. It's very easy to see how an object could be deleted under these circumstances. An active QAUDJRN will show you who did this. If the breach was through a network access, Exit Programs can prevent it's re-occurance by regulating which users are allowed access using things like FTP, Ops Nav, etc. (Fair disclaimer - PowerTech is an Exit Program Vendor). jte -- John Earl johnearl@400security.com The PowerTech Group 206-575-0711 PowerLock Network Security www.400security.com -- +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
