Login or Register to Ask a Question and Join Our Community


AIX

How can i track the Communication between LPARs?

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems AIX How can i track the Communication between LPARs?
# 1  
Old 05-01-2013
How can i track the Communication between LPARs?
Hello Everyone,
i got a question in AIX. How can i track the communication between LPARs.
i mean how can we find if a program/account trying to access a directory/file inside AIX LPAR or from another LPAR ?

if some one is trying to access our LPAR. where can i track those info? or a outside program denied permission while accessing some folder in AIX. where can find the logs ??

Thanks
admin
# 2  
Old 05-02-2013
Hi,

i'm not a specalist in these security features of AIX. But as far as i know, you have to configure the audit subsystem and the syslog facility to get these information.

Auditing and Accounting on AIX - IBM Redbooks

Here you can define which file in which way should be monitored:
Example: [/etc/security/audit/objects]
Code:
/etc/security/audit/config:
        w = "AUD_CONFIG_WR"

/etc/security/audit/objects:
        w = "FILE_Open"

/etc/syslog.conf:
        w = "FILE_Open"

/etc/passwd:
        w = "PASSWORD_Change"

A successfull configuration will generate a entry in /var/adm/authlog like:
Code:
May  2 10:51:13 xxxxxxxxx auth|security:notice audit: FILE_Open ; root ; OK ; Global ;   write event detected ;/etc/security/tsd/tsd.dat

You also need to configure your syslog facility to get the required information.
Example: [/etc/syslog.conf]
Code:
auth.info                                /var/adm/authlog rotate size 5m files 10

Restart syslogd:
Code:
stopsrc -s syslogd
startsrc -s syslogd

Finally the "last" command will give you some informationen about (previous) logins.

Hope this helps a bit...
# 3  
Old 05-03-2013
-=XrAy=- brings up some interesting points - I am glad he knows of these two core security mechanisms. And the redbook is a good starting point - even considering that it was written in October 2002 (these mechanisms have been available from at least 1996).

I would like to suggest you take a look at a couple of my blogs on IBMSystemsMagazine, in particular SecuringAIX: Combining audit and syslog where I describe how this command
Code:
auditstream -m -c general | tee -a /audit/general.bin | auditselect -e "result==FAIL && command!=java" | auditpr -v | logger -p local1.warn -t audit &

integrates audit with syslog.

And/or perhaps -=XrAy=- can tell us where he got his example from, as audit does not write automatically to syslog. The output (with comment built-in) is quite nice!

For this kind of detection, today! I would use a PowerSC component known as RTC - Real-Time-Compliance. "Real-Soon" I will be doing a writeup on that in my blog SecuringAIX.
However, more in general, two partitions aka LPAR on a POWER server are isolated by the firmware. Connections and monitoring of network activity would be the same as for a standalone host.
Properly configured, "disks" local to one partition are not accessible from another partition. The exception to this could be the VIO server when using VSCSI as the VIOS hosts the disks. Normally, VIOS are considered part of the managed system and "regular", unauthorized users/administrators are not permitted access. Again, under proper configuration and management conditions "side-ways" access should not be possible. This also can be additionaly protected by using NPIV rather than VSCSI. Now the storage team can control which partitions can see the "disks" aka LUNS by controlling/managing which virtual HBA(s) may access the luns.
Note: in a POWERHA/SystemMirror configuration is is considered normal that two partitions may access the same "disk". There are tools in PowerHA/SystemMirror to monitor which system has "active" access.

In short, AIX, POWER and VIOS have been repeated certified. See IBM AIX: AIX operating system certifications for an overview.

I hope this helps.
# 4  
Old 05-03-2013
Hi Michael,

here are the configuration files:

/etc/security/audit/config
Code:
start:
        binmode = off
        streammode = on

bin:
        bincompact = off
        backupsize = 0
        backuppath = /audit
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        general = USER_SU,PASSWORD_Change
        objects = S_PASSWD_READ,S_PASSWD_WRITE,AUD_CONFIG_WR
        files = No_Events
        TCPIP = No_Events
        SRC = No_Events
        kernel = No_Events
        SVIPC = No_Events
        mail = No_Events
        cron = No_Events

users:
        default = loginout,general

role:

/etc/security/audit/streamcmds
Code:
/usr/sbin/auditstream | auditpr -v | /etc/security/audit/stream2syslog.ksh &

/etc/security/audit/stream2syslog.ksh
Code:
awk '/^S_GROUP_WRITE/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0} \
     /^AUD_CONFIG_WR/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0} \
     /^FILE_Open/ {act=$1; user=$2; stat=$3; app=$NF; getline; FS="filename"; sub(/\//,";/",$2); print act,";",user,";",stat,";",app,";",$2; FS=" "} \
     /^FILE_Owner/ {act=$1; user=$2; stat=$3; app=$NF; getline; FS="filename"; print act,";",user,";",stat,";",app,";",$1,";",$2; FS=" "} \
     /^FILE_Mode/ {act=$1; user=$2; stat=$3; app=$NF; getline; mode=$2; filename=$NF; print act,";",user,";",stat,";",app,";",mode,";",filename; FS=" "} \
     /^FILE_Accessx/ {act=$1; user=$2; stat=$3; app=$NF; getline; FS="detected"; print act,";",user,";",stat,";",app,";",$2; FS=" "} \
     /^S_PASSWD_WRITE/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0} \
     /^PASSWORD_Change/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0}' |\
logger -r -p auth.notice -t audit

When you start the audit subsystem [audit start], you will find the following background process:
Code:
sh -c /usr/sbin/auditstream | auditpr -v | /etc/security/audit/stream2syslog.ksh &?

regards
This User Gave Thanks to -=XrAy=- For This Post:
MichaelFelt
# 5  
Old 05-03-2013
rather than a complex awk command using the command
Code:
auditselect -c objects | auditpr -v | logger -r -p auth.notice -t audit &

should accomplish the same thing. I would normally also pipe thru a tee to save what I am reporting (in binary format) so mine preferred line would look like:
Code:
auditselect -c objects | tee /audit/objects.bin | auditpr -v | logger -r -p auth.notice -t audit &

And, ideally, /audit/objects.bin would be a trusted log (physically stored, rotated and backup performed on a VIO server)
# 6  
Old 05-07-2013
Thanks XrAV and Michael . Appreciate your help! Smilie I will take note of your ideas...and will review the RED BOOK on audit.
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. AIX

Changing VLAN on AIX lpars in the same subnet

Hi Guys, Our lpars is currently running on 2 different vlans (20, 30). Now we have a requirement that vlan 30 needs to be change to vlan 31 at the same subnet. I'm not sure on what is the best approach for this or what change is involve on the AIX side. This is our setup. Network switch -... (5 Replies)
Discussion started by: kaelu26
5 Replies

2. AIX

Is it must to enable TCB on AIX LPARs ?

Hi, I've verified my AIX 7.1 LPAR , and TCB is disabled by default. #odmget -q attribute=TCB_STATE PdAt PdAt: uniquetype = "" attribute = "TCB_STATE" deflt = "tcb_disabled" values = "" width = "" type = "" generic = "" ... (3 Replies)
Discussion started by: System Admin 77
3 Replies

3. AIX

Automation of AIX LPARs reboot

Hello Everyone, Can you please help me with the following questions regarding recycling LPARs. 1) Is it recommended to automate the reboot of AIX LPARs with a script ? i mean we've few App LPARs and Database LPARs. we would like to bring down LPARs on last sunday of every month for about 1... (4 Replies)
Discussion started by: System Admin 77
4 Replies

4. AIX

Creating LPARS in AIX

Hi, I have a p520 with 2 cpus and 10gb of ram.Is it sufficient enough to create 2 lpars.What other things we have to check. (2 Replies)
Discussion started by: sekar52
2 Replies

5. AIX

Cloning OS using alt_disk_install to new LPARs

Hi Folks, I am working on a task - Cloning the OS from fullSystem partition to 3 new LPAR's using alt_disk_install. I just wanted to clarify my steps here. 1. alt_disk_install -CBO hdisk1 and rename it to alt1 2. alt_disk_install -CBO hdisk2 and rename it to alt2 3. alt_disk_install... (4 Replies)
Discussion started by: snchaudhari2
4 Replies

6. AIX

Simple questions about LPARs

Hello, I am looking into virtualizing AIX 7.1 on our p7 machine that already has AIX 7.1 installed on it. I have a few questions about them: 1) In order to gain LPAR functionality, do I need to purchase PowerVM software? 2) I read that LPARs are managed from locally attached graphical... (1 Reply)
Discussion started by: bstring
1 Replies

7. AIX

Shared Disk in VIOS between two LPARs ?

is there any way to create shared virtual disk between two LPARs like how you can do it using Storage through Fiber on two servers ? Trying to stimulate HACMP between two LPARs (1 Reply)
Discussion started by: filosophizer
1 Replies

8. AIX

Inherited VIO server an LPARs

Lucky me, someone has installed a server and got it running with the best intentions, but leaving me a headache. :wall: We have a simple p520 with 4 disks. 2x145Gb & 2x300Gb. The smaller disk pair have been built into a VIO mirrored rootvg, and quite right too. The other two disks form a... (3 Replies)
Discussion started by: rbatte1
3 Replies

9. AIX

Virtual Ethernet VIO HMC LPARs

Hi, I am little confused about the virtual Ethernet configuration on VIO and Client Partitions. There is alot of info on the internet but it gets more confusing.... If I have LHEA, it is very simple. Just assign LHEA (logical host ethernet adapter) to client partition -> run smitty tcpip and... (10 Replies)
Discussion started by: filosophizer
10 Replies

10. UNIX for Dummies Questions & Answers

Possible to track FTP user last login? Last and Finger don't track them.

Like the topic says, does anyone know if it is possible to check to see when an FTP only user has logged in? Because the shell is /bin/false and they are only using FTP to access the system doing a "finger" or "last" it says they have never logged in. Is there a way to see when ftp users log in... (1 Reply)
Discussion started by: LordJezo
1 Replies
Login or Register to Ask a Question