automan

Moderator
Posts: 136
#31
My apologies for not being around to respond in a more timely fashion.

The substitution was originally intended to be as flexible as possible so that all the normal substitutions one would expect can be done easily, but also allow scope for a creative person to design complex substitutions if needed. It also allows you to get into trouble if you do not observe care in naming conventions. One of the reasons that the manuals suggest the use of a character like & in names is that it does not appear in normal words. If single letters are used for variable names, there is a greater probability that a word in a variable will match. It was known a while ago that uncontrolled substitutions could lead to problems if they are allowed to expand beyond the length of the text or variable. The maximum length that substitutions could expand to was fixed at 255.

AutoMan is made of software layers. At the base are common functions, which include string handling. On top of that layer is a systems services interface layer, which AutoMan logic invokes to create its hooks. The text handling features are actually performed by modules in the low level support library.

A few months ago I had one of my team update the "make" procedures to rationalize the JCL. I made the mistake of telling him to use "the latest libraries" and he included the next level of system support libraries, which was being prepared to simplify and enhance some processes. For a short time software was generated using the next level object library, which has some incompatibilities with code assembled using the current macro interfaces. This resulted in a few people having problems with some string handling functions. The libraries were corrected and these problems do not occur anymore.

If anyone does experience a problem with uncontrolled expansion due to variable name selection, all they have to do is ask support to send the correct code.
0
rakesh

Member
Posts: 52
#32
Hi Automan,

Let me write to support to get the latest beta V3.3. I hope that version is developed with the correct libs. I will post here how my testing is going :-)

Thank you
0
automan

Moderator
Posts: 136
#33
This is our result using 3 REXX procs, SECCOPEN, SECFAILS and SECCLOSE, to capture information from message ICH408I into a logging dataset. This was run on AutoMan V3.2 Rev 2.2.

SECCOPEN
http://forums.exspans.ca/file?id=2403592

SECFAILS
http://forums.exspans.ca/file?id=2403591

SECCLOSE
http://forums.exspans.ca/file?id=2403590

Message intercept to capture message
http://forums.exspans.ca/file?id=2403588

TSO Logon
http://forums.exspans.ca/file?id=2403593

Console Log
http://forums.exspans.ca/file?id=2403587

REXX exec log
http://forums.exspans.ca/file?id=2403589

Data written to logging dataset
http://forums.exspans.ca/file?id=2403586

Attached Images
jpeg DUMPDATA.JPG (43.50 KB, 6 views)
jpeg logonlog.JPG (59.06 KB, 6 views)
jpeg MSGPARM.JPG (71.26 KB, 6 views)
jpeg REXXLOG.JPG (94.53 KB, 7 views)
jpeg SECCLOSE.JPG (25.58 KB, 5 views)
jpeg SECFAILS.JPG (30.26 KB, 5 views)
jpeg tsologon.JPG (74.13 KB, 6 views)

0
rakesh

Member
Posts: 52
#34
Hi,

I narrowed down the error I am getting.

Automan is logging all the security failures as expected except when the failure is for the IDs below:

ICH408I USER(UUCP ) GROUP(UUCPG ) NAME(####################) 897
LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL D21A1809
IRR013I VERIFICATION FAILED. INVALID PASSWORD GIVEN.
ICH408I USER(PUBLIC ) GROUP(EXTERNAL) NAME(####################) 899
LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL D21A1809
IRR013I VERIFICATION FAILED. INVALID PASSWORD GIVEN.


Only in these cases, Automan is taking an abend and it's shutting itself down after 10+ abends. Not sure what is special about these messages.

A few observations:
1) These access attempts always come in a set with just a few seconds' difference. So, definitely not an attempt by a human.
2) These errors are not coming from our TCP terminal. The terminal here is D21* but our TCP terminal starts with TCP*. This again proves it is definitely not an attempt by a human.

ICH408I USER(UUCP ) GROUP(UUCPG ) NAME(####################) 299
LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCPA7867

3) The ID PUBLIC doesn't have a TSO segment defined. So, it's not a TSO logon attempt.

I am completely lost as to what's going on here.

--------------

I understand this is more than an Automan issue, but I am trying to understand why Automan sees only these two access failures as different and takes abends.

For now, I completely removed this logging from my MESSAGES to monitor.
If you can provide me some kind of traces or slips to get you more doc to analyze, I am happy to do that.

BTW, I am having this issue in both V3.2 rev2.2 and V3.3 beta.

Thank you
0
zboxassist

Member
Posts: 89
#35
IIRC, your script defines variable XT. Note that GROUP(EXTERNAL) contains XT, which may get replaced.
Try using VAR &XT instead.

ICH408I USER(PUBLIC ) GROUP(EXTERNAL) NAME(####################) 899
LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL D21A1809
IRR013I VERIFICATION FAILED. INVALID PASSWORD GIVEN.

__________________
zboxassist
0
rakesh

Member
Posts: 52
#36
Good catch. I just replaced it. Will post here if that addresses the problem.

Thank you
0
Zamin

Member
Posts: 67
#37
There is a good reason the manual suggests using characters that do not appear often in text in variable names. I have not been caught out like this, but it is easy to do. I did ask a few years ago why they did not require and enforce a naming standard, and name length, on variable names, and I was told at that time that flexibility was more important. The user in general should have control over what they replace and into what, and that they had some responsibility of thinking about their intent when writing code. Simon gave me a little parable about someone who went to a knife maker and asked for the sharpest knife it was possible to get, then complained when he cut himself because it was too sharp. I read on another thread that problems caused by name selection have been fixed. I hope that it gets backleveled to V3.2 even though I am not affected, because I see how easy it is to write problematic code. I think I have an automatic problem avoidance routine in my brain, because I have not yet managed to write any GAL that loops or abends.
0
zboxassist

Member
Posts: 89
#38
Many years ago, I asked Simon a similar question about using an escape character to invoke variable substitution (e.g. &varname method). In his response, he said that he had customers who depended on the current recursive replacement process because it was so powerful. (During that discussion, he told me the knife maker parable.) If we could do it all over, I would make simple replacement the default, and provide a recursive replacement function. Of course, it is not reasonable or practical to make such a fundamental change now.
__________________
zboxassist
0
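A simplified Python model of the name collision raised in post #35 and of the simple versus recursive replacement contrasted in post #38. It is an added example, not AutoMan or GAL code: the scanning behaviour, the function names and the values given to XT are assumptions for illustration, and only the ICH408I line and the 255 limit come from the thread.

```python
# Simplified model of name-scanning substitution; not AutoMan or GAL code.
MAX_LEN = 255  # expansion ceiling quoted in post #31

class ExpansionOverflow(Exception):
    """Raised when substituted text grows past MAX_LEN."""

def colliding_names(text, variables):
    """Return the variable names that occur as substrings of text."""
    return [name for name in variables if name in text]

def substitute(text, variables, recursive=True, max_len=MAX_LEN):
    """Replace every occurrence of each variable name with its value.

    recursive=True rescans the result until it stops changing (an assumed
    model of the recursive replacement discussed in post #38).
    """
    while True:
        out = text
        for name, value in variables.items():
            out = out.replace(name, value)
            if len(out) > max_len:
                raise ExpansionOverflow(f"{name!r} expanded past {max_len} chars")
        if out == text or not recursive:
            return out
        text = out

# Message line taken from the thread; the variable values below are constructed.
MSG = "ICH408I USER(PUBLIC ) GROUP(EXTERNAL) NAME(####################) 899"

if __name__ == "__main__":
    # 1. Bare name XT matches inside EXTERNAL and corrupts the logged group.
    print(substitute(MSG, {"XT": "D21A1809"}, recursive=False))
    # 2. A value that itself contains the name never settles when rescanned.
    try:
        substitute(MSG, {"XT": "NEXT"})
    except ExpansionOverflow as exc:
        print("overflow:", exc)
    # 3. The name &XT does not occur in this message, so the text is untouched.
    print(substitute(MSG, {"&XT": "NEXT"}) == MSG)
    # Pre-flight check: which names would fire on this message?
    print(colliding_names(MSG, {"XT": "NEXT", "&XT": "NEXT"}))
```

Running `colliding_names` over a sample of the messages an intercept will see is a cheap way to catch this class of problem before a security-logging script goes live.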
automan

Moderator
Posts: 136
#39
I think I have used the knife maker parable to quite a number of people. But I am beginning to see that maybe I might have some responsibility for giving people a tool they can abuse and cut themselves with. There is an example of creative replacement in the GAL manual, to show that it is intended to work this way. The point is that it is under a user's control how they use it, without forcing a standard on them. Maybe the manuals need to emphasize it a bit more, but the more words in the manuals, the less likely they are to read them.
0
zboxassist

Member
Posts: 89
#40
How does it go? You can lead a horse to water, but you cannot make him drink. So that means you can write a great manual, but you cannot make the user read it. They can refuse to read, but I read the manual, and what the power.
__________________
zboxassist
0
Zamin

Member
Posts: 67
#41
I read the manuals too. I wonder how many people think they can install and use complex software without doing that. I think the only one I have not read end to end is the messages manual.
0
Grazillda

Member
Posts: 48
#42
If you run Automan with MESSAGE STAGE=2 selected and your message intercept script abends, it recovers and tries again. But if it keeps abending after 10 retries Automan shuts the message intercept down.
0
automan

Moderator
Posts: 136
#43
In V3.3 there will be an ENVIR parameter STAGE2 ERRHNDL=YES MAXFAIL=0

This will allow user control of how the stage 2 error handler is to operate. It can be on or off. If it is on it can be set to 0 so that it never comes down, or to a user selected number of abends that are allowed to occur before declaring the interface non-operational. With fixes to character replacement scanning in V3.3 this will likely never be needed.
0