Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: How can i track the Communication between LPARs?
Operating Systems AIX How can i track the Communication between LPARs? Post 302802109 by MichaelFelt on Friday 3rd of May 2013 02:01:44 AM
Old 05-03-2013
-=XrAy=- brings up some interesting points - I am glad he knows of these two core security mechanisms. And the redbook is a good starting point - even considering that it was written in October 2002 (these mechanisms have been available from at least 1996).

I would like to suggest you take a look at a couple of my blogs on IBMSystemsMagazine, in particular SecuringAIX: Combining audit and syslog where I describe how this command
Code:
auditstream -m -c general | tee -a /audit/general.bin | auditselect -e "result==FAIL && command!=java" | auditpr -v | logger -p local1.warn -t audit &

integrates audit with syslog.

And/or perhaps -=XrAy=- can tell us where he got his example from, as audit does not write automatically to syslog. The output (with comment built-in) is quite nice!

For this kind of detection, today! I would use a PowerSC component known as RTC - Real-Time-Compliance. "Real-Soon" I will be doing a writeup on that in my blog SecuringAIX.
However, more in general, two partitions aka LPAR on a POWER server are isolated by the firmware. Connections and monitoring of network activity would be the same as for a standalone host.
Properly configured, "disks" local to one partition are not accessible from another partition. The exception to this could be the VIO server when using VSCSI as the VIOS hosts the disks. Normally, VIOS are considered part of the managed system and "regular", unauthorized users/administrators are not permitted access. Again, under proper configuration and management conditions "side-ways" access should not be possible. This also can be additionaly protected by using NPIV rather than VSCSI. Now the storage team can control which partitions can see the "disks" aka LUNS by controlling/managing which virtual HBA(s) may access the luns.
Note: in a POWERHA/SystemMirror configuration is is considered normal that two partitions may access the same "disk". There are tools in PowerHA/SystemMirror to monitor which system has "active" access.

In short, AIX, POWER and VIOS have been repeated certified. See IBM AIX: AIX operating system certifications for an overview.

I hope this helps.
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Possible to track FTP user last login? Last and Finger don't track them.

Like the topic says, does anyone know if it is possible to check to see when an FTP only user has logged in? Because the shell is /bin/false and they are only using FTP to access the system doing a "finger" or "last" it says they have never logged in. Is there a way to see when ftp users log in... (1 Reply)
Discussion started by: LordJezo
1 Replies

2. AIX

Virtual Ethernet VIO HMC LPARs

Hi, I am little confused about the virtual Ethernet configuration on VIO and Client Partitions. There is alot of info on the internet but it gets more confusing.... If I have LHEA, it is very simple. Just assign LHEA (logical host ethernet adapter) to client partition -> run smitty tcpip and... (10 Replies)
Discussion started by: filosophizer
10 Replies

3. AIX

Inherited VIO server an LPARs

Lucky me, someone has installed a server and got it running with the best intentions, but leaving me a headache. :wall: We have a simple p520 with 4 disks. 2x145Gb & 2x300Gb. The smaller disk pair have been built into a VIO mirrored rootvg, and quite right too. The other two disks form a... (3 Replies)
Discussion started by: rbatte1
3 Replies

4. AIX

Shared Disk in VIOS between two LPARs ?

is there any way to create shared virtual disk between two LPARs like how you can do it using Storage through Fiber on two servers ? Trying to stimulate HACMP between two LPARs (1 Reply)
Discussion started by: filosophizer
1 Replies

5. AIX

Simple questions about LPARs

Hello, I am looking into virtualizing AIX 7.1 on our p7 machine that already has AIX 7.1 installed on it. I have a few questions about them: 1) In order to gain LPAR functionality, do I need to purchase PowerVM software? 2) I read that LPARs are managed from locally attached graphical... (1 Reply)
Discussion started by: bstring
1 Replies

6. AIX

Cloning OS using alt_disk_install to new LPARs

Hi Folks, I am working on a task - Cloning the OS from fullSystem partition to 3 new LPAR's using alt_disk_install. I just wanted to clarify my steps here. 1. alt_disk_install -CBO hdisk1 and rename it to alt1 2. alt_disk_install -CBO hdisk2 and rename it to alt2 3. alt_disk_install... (4 Replies)
Discussion started by: snchaudhari2
4 Replies

7. AIX

Creating LPARS in AIX

Hi, I have a p520 with 2 cpus and 10gb of ram.Is it sufficient enough to create 2 lpars.What other things we have to check. (2 Replies)
Discussion started by: sekar52
2 Replies

8. AIX

Automation of AIX LPARs reboot

Hello Everyone, Can you please help me with the following questions regarding recycling LPARs. 1) Is it recommended to automate the reboot of AIX LPARs with a script ? i mean we've few App LPARs and Database LPARs. we would like to bring down LPARs on last sunday of every month for about 1... (4 Replies)
Discussion started by: System Admin 77
4 Replies

9. AIX

Is it must to enable TCB on AIX LPARs ?

Hi, I've verified my AIX 7.1 LPAR , and TCB is disabled by default. #odmget -q attribute=TCB_STATE PdAt PdAt: uniquetype = "" attribute = "TCB_STATE" deflt = "tcb_disabled" values = "" width = "" type = "" generic = "" ... (3 Replies)
Discussion started by: System Admin 77
3 Replies

10. AIX

Changing VLAN on AIX lpars in the same subnet

Hi Guys, Our lpars is currently running on 2 different vlans (20, 30). Now we have a requirement that vlan 30 needs to be change to vlan 31 at the same subnet. I'm not sure on what is the best approach for this or what change is involve on the AIX side. This is our setup. Network switch -... (5 Replies)
Discussion started by: kaelu26
5 Replies

LEARN ABOUT DEBIAN

ns_requestauthorize

ns_requestauthorize(3aolserver) 			    AOLserver Built-In Commands 			   ns_requestauthorize(3aolserver)

__________________________________________________________________________________________________________________________________________________

NAME

       ns_requestauthorize - commands

SYNOPSIS

       ns_requestauthorize option ?arg arg ...?
_________________________________________________________________

DESCRIPTION

   ns_requestauthorize method URL authuser authpassword ?ipaddr?
       Ask  the  server  to check permissions using nsperm.  This function does the same permission check that the AOLserver does before serving a
       URL. If the nsperm module is loaded, the algorithm is as follows.

       1. If the authuser is "nsadmin", the password is correct, and the IP address of the client is allowed nsadmin access, then access is autho-
	  rized.

       2. Find the relevant permission record. If an exact match for the method and URL combination is not found, the end of the URL is pared down
	  until a match is found. For example, if there is no match for `/products/cereals/raisin_bran.html,' then the server looks for a  permis-
	  sion record for the URL `/products/cereals.' If that permission record is specified as "Exact URL match is NOT required", then that per-
	  mission record is used.

       By default, the server comes with a row that says GET on `/' is open to the world. If no relevant permission record  is	found,	access	is
       denied (forbidden).

       1. If the authuser is in the "Allow Users" list, access is permitted. If the authuser is a member of a group in the "Allow Groups" list and
	  not in the "Deny Users" list, access is permitted.

       2. If the host is in the "Hosts to allow" list, access is permitted. If the host is in the "Hosts to deny" list, access is denied.

       3. If the request does not come in with authorization data, access is denied.

       4. The user and password are verified. If there is no password specified in the database, any password is accepted.

       5. Otherwise, access is denied.

   Return Values:
       The following values can be returned by ns_requestauthorize.

       OK	  The user has permission to execute this URL and method.

       DENIED	  The user does not have permission to execute this URL and method.

       FORBIDDEN  There is no possible user/password/IP Address combination that would give authorization.

       ERROR	  There was an error.

SEE ALSO

       ns_passwordcheck, ns_crypt

KEYWORDS

AOLserver								4.0					   ns_requestauthorize(3aolserver)
All times are GMT -4. The time now is 12:00 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy