× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. June 2016

RE: Determine how pwrdwnsys was executed

I agree with you that I don't believe the user just blatantly ran the PWRDWNSYS command. The command itself has a secondary confirmation screen that they would have had to acknowledge as well (assuming that wasn't modified and removed in your environment). It really sounds like a process (such as PTF apply or a backup, even if it was a simple save of an object. I've seen some of the simplest backups bring a system down when a user isn't careful, especially on a development system) was submitted, especially with the fact that image catalogs were unloaded as part of the same process.



-----Original Message-----
From: Paul Getz
Sent: Wednesday, June 8, 2016 8:26 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: RE: Determine how pwrdwnsys was executed

Jim,

The fact that the PWRDWNSYS was initiated as *IMMED, is the concerning part. The default for this "Option" parameter is *CNTRLD. The command had to have gotten submitted somehow. Not sure if you have software to scan programs for the command (e.g. Hawkeye).

Is it possible this user ran a program that issued this command?

Is it possible that this user had previously disconnected from a session and then recovered from a previous session and that's why the job log doesn't show anything?

Have you reviewed any scheduled jobs to see if maybe this was something that was scheduled?

I guess I would still be asking the user what exactly they were doing at the time they signed on. If the answer is that they just signed on and then the system started powering down, that doesn't really sound logical.


Just my opinion of course. Hope you get to root cause.

Regards,
Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jim Franz
Sent: Tuesday, June 7, 2016 3:28 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: Determine how pwrdwnsys was executed

Do not have user audited - will recommend (but we think from logs user did not type and execute this cmd).
PWRDWNSYS environment variable - not set, and worth doing User has attention key pgm (QUSCMDLN) and why this is needed is not known, but again we think user did not type and execute cmd)

On Tue, Jun 7, 2016 at 3:10 PM, Mark S Waterbury < mark.s.waterbury@xxxxxxxxxxxxx> wrote:

Jim:

The first thing I would look at is:

DSPOBJAUT PWRDWNSYS *CMD

The IBM shipped default is *PUBLIC *EXCLUDE.

What does that look like on your system(s)?

Also, prompt the PWRDWNSYS command and press F10, then put the cursor
in the CONFIRM parameter field and press F1=Help to learn how you can
set a system-wide environment variable to help prevent such "accidents".

HTH,

Mark S. Waterbury


On 6/7/2016 2:18 PM, Jim Franz wrote:

Looking for clues to determine what happened.
V7R1 development system cume 15142
IBM iAccess for windows 7.1 latest svc pack

What we know so far is that a user logged onto a development system
(to do some testing.
1 minute later QHST log indicates PWRDWNSYS initiated by the user,
but users log (with 4 00 *seclvl and log CL *YES in jobd ) shows no
command line entry of any command. Her story is no menu options executed...

No menu source shows pwrdwnsys or endsys (have searched for an api
but not found one). Aware of GO POWER menu but not found a menu to
connect to this.

Message ID . . . . . . : CPI0995 Severity . . . . . . . :
00
Message type . . . . . :
Information
Date sent . . . . . . : 06/07/16 Time sent . . . . . . :
11:01:49


Message . . . . : PWRDWNSYS command issued with parameters
specified.
Cause . . . . . : The Power Down System (PWRDWNSYS) command was
requested
by
job 477963/XXXXX/BS7515C with the following parameters
specified:
-- How to end
*IMMED
-- Delay time
3600
-- Restart options
*NO
-- IPL source
*PANEL
-- End subsystem option
*DFT
-- Timeout option
*CONTINUE
-- Confirm
*ENVVAR
-- Image catalog

From job . . . . . . . . . . . : QSYSARB4
User . . . . . . . . . . . . : QSYS
Number . . . . . . . . . . . : 390670

From program . . . . . . . . . : QWCASDSM


Only other odd item is in user's job log, Image Catalogs on system
unloaded
(CPCBC11) in 12 seconds prior to message about PWRDWNSYS (CPF0901) -
I would have expected "after".

No packaged exit programs (have recommended previously..) QAUDJRN is
active - not sure how to see remote command...

Auditing
options
*ATNEVT
*SECURITY
*PGMFAIL
*SAVRST
*AUTFAIL
*SERVICE
PC has been scanned

Jim



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.