How can i track the Communication between LPARs?


Login or Register to Reply

 
Thread Tools Search this Thread
# 1  
How can i track the Communication between LPARs?

Hello Everyone,
i got a question in AIX. How can i track the communication between LPARs.
i mean how can we find if a program/account trying to access a directory/file inside AIX LPAR or from another LPAR ?

if some one is trying to access our LPAR. where can i track those info? or a outside program denied permission while accessing some folder in AIX. where can find the logs ??

Thanks
admin
# 2  
Hi,

i'm not a specalist in these security features of AIX. But as far as i know, you have to configure the audit subsystem and the syslog facility to get these information.

Auditing and Accounting on AIX - IBM Redbooks

Here you can define which file in which way should be monitored:
Example: [/etc/security/audit/objects]
Code:
/etc/security/audit/config:
        w = "AUD_CONFIG_WR"

/etc/security/audit/objects:
        w = "FILE_Open"

/etc/syslog.conf:
        w = "FILE_Open"

/etc/passwd:
        w = "PASSWORD_Change"

A successfull configuration will generate a entry in /var/adm/authlog like:
Code:
May  2 10:51:13 xxxxxxxxx auth|security:notice audit: FILE_Open ; root ; OK ; Global ;   write event detected ;/etc/security/tsd/tsd.dat

You also need to configure your syslog facility to get the required information.
Example: [/etc/syslog.conf]
Code:
auth.info                                /var/adm/authlog rotate size 5m files 10

Restart syslogd:
Code:
stopsrc -s syslogd
startsrc -s syslogd

Finally the "last" command will give you some informationen about (previous) logins.

Hope this helps a bit...
# 3  
-=XrAy=- brings up some interesting points - I am glad he knows of these two core security mechanisms. And the redbook is a good starting point - even considering that it was written in October 2002 (these mechanisms have been available from at least 1996).

I would like to suggest you take a look at a couple of my blogs on IBMSystemsMagazine, in particular SecuringAIX: Combining audit and syslog where I describe how this command
Code:
auditstream -m -c general | tee -a /audit/general.bin | auditselect -e "result==FAIL && command!=java" | auditpr -v | logger -p local1.warn -t audit &

integrates audit with syslog.

And/or perhaps -=XrAy=- can tell us where he got his example from, as audit does not write automatically to syslog. The output (with comment built-in) is quite nice!

For this kind of detection, today! I would use a PowerSC component known as RTC - Real-Time-Compliance. "Real-Soon" I will be doing a writeup on that in my blog SecuringAIX.
However, more in general, two partitions aka LPAR on a POWER server are isolated by the firmware. Connections and monitoring of network activity would be the same as for a standalone host.
Properly configured, "disks" local to one partition are not accessible from another partition. The exception to this could be the VIO server when using VSCSI as the VIOS hosts the disks. Normally, VIOS are considered part of the managed system and "regular", unauthorized users/administrators are not permitted access. Again, under proper configuration and management conditions "side-ways" access should not be possible. This also can be additionaly protected by using NPIV rather than VSCSI. Now the storage team can control which partitions can see the "disks" aka LUNS by controlling/managing which virtual HBA(s) may access the luns.
Note: in a POWERHA/SystemMirror configuration is is considered normal that two partitions may access the same "disk". There are tools in PowerHA/SystemMirror to monitor which system has "active" access.

In short, AIX, POWER and VIOS have been repeated certified. See IBM AIX: AIX operating system certifications for an overview.

I hope this helps.
# 4  
Hi Michael,

here are the configuration files:

/etc/security/audit/config
Code:
start:
        binmode = off
        streammode = on

bin:
        bincompact = off
        backupsize = 0
        backuppath = /audit
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        general = USER_SU,PASSWORD_Change
        objects = S_PASSWD_READ,S_PASSWD_WRITE,AUD_CONFIG_WR
        files = No_Events
        TCPIP = No_Events
        SRC = No_Events
        kernel = No_Events
        SVIPC = No_Events
        mail = No_Events
        cron = No_Events

users:
        default = loginout,general

role:

/etc/security/audit/streamcmds
Code:
/usr/sbin/auditstream | auditpr -v | /etc/security/audit/stream2syslog.ksh &

/etc/security/audit/stream2syslog.ksh
Code:
awk '/^S_GROUP_WRITE/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0} \
     /^AUD_CONFIG_WR/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0} \
     /^FILE_Open/ {act=$1; user=$2; stat=$3; app=$NF; getline; FS="filename"; sub(/\//,";/",$2); print act,";",user,";",stat,";",app,";",$2; FS=" "} \
     /^FILE_Owner/ {act=$1; user=$2; stat=$3; app=$NF; getline; FS="filename"; print act,";",user,";",stat,";",app,";",$1,";",$2; FS=" "} \
     /^FILE_Mode/ {act=$1; user=$2; stat=$3; app=$NF; getline; mode=$2; filename=$NF; print act,";",user,";",stat,";",app,";",mode,";",filename; FS=" "} \
     /^FILE_Accessx/ {act=$1; user=$2; stat=$3; app=$NF; getline; FS="detected"; print act,";",user,";",stat,";",app,";",$2; FS=" "} \
     /^S_PASSWD_WRITE/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0} \
     /^PASSWORD_Change/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0}' |\
logger -r -p auth.notice -t audit

When you start the audit subsystem [audit start], you will find the following background process:
Code:
sh -c /usr/sbin/auditstream | auditpr -v | /etc/security/audit/stream2syslog.ksh &?

regards
This User Gave Thanks to -=XrAy=- For This Post:
# 5  
rather than a complex awk command using the command
Code:
auditselect -c objects | auditpr -v | logger -r -p auth.notice -t audit &

should accomplish the same thing. I would normally also pipe thru a tee to save what I am reporting (in binary format) so mine preferred line would look like:
Code:
auditselect -c objects | tee /audit/objects.bin | auditpr -v | logger -r -p auth.notice -t audit &

And, ideally, /audit/objects.bin would be a trusted log (physically stored, rotated and backup performed on a VIO server)
Login or Register to Reply

|
Thread Tools Search this Thread
Search this Thread:
Advanced Search

More UNIX and Linux Forum Topics You Might Find Helpful
Creating LPARS in AIX
sekar52
Hi, I have a p520 with 2 cpus and 10gb of ram.Is it sufficient enough to create 2 lpars.What other things we have to check.... AIX
2
AIX
Cloning OS using alt_disk_install to new LPARs
snchaudhari2
Hi Folks, I am working on a task - Cloning the OS from fullSystem partition to 3 new LPAR's using alt_disk_install. I just wanted to clarify my steps here. 1. alt_disk_install -CBO hdisk1 and rename it to alt1 2. alt_disk_install -CBO hdisk2 and rename it to alt2 3. alt_disk_install...... AIX
4
AIX
Simple questions about LPARs
bstring
Hello, I am looking into virtualizing AIX 7.1 on our p7 machine that already has AIX 7.1 installed on it. I have a few questions about them: 1) In order to gain LPAR functionality, do I need to purchase PowerVM software? 2) I read that LPARs are managed from locally attached graphical...... AIX
1
AIX
Inherited VIO server an LPARs
rbatte1
Lucky me, someone has installed a server and got it running with the best intentions, but leaving me a headache. :wall: We have a simple p520 with 4 disks. 2x145Gb & 2x300Gb. The smaller disk pair have been built into a VIO mirrored rootvg, and quite right too. The other two disks form a...... AIX
3
AIX
Possible to track FTP user last login? Last and Finger don't track them.
LordJezo
Like the topic says, does anyone know if it is possible to check to see when an FTP only user has logged in? Because the shell is /bin/false and they are only using FTP to access the system doing a "finger" or "last" it says they have never logged in. Is there a way to see when ftp users log in...... UNIX for Dummies Questions & Answers
1
UNIX for Dummies Questions & Answers