How can i track the Communication between LPARs?


Thread Tools Search this Thread
# 1  
Old 05-01-2013
How can i track the Communication between LPARs?

Hello Everyone,
i got a question in AIX. How can i track the communication between LPARs.
i mean how can we find if a program/account trying to access a directory/file inside AIX LPAR or from another LPAR ?

if some one is trying to access our LPAR. where can i track those info? or a outside program denied permission while accessing some folder in AIX. where can find the logs ??

# 2  
Old 05-02-2013

i'm not a specalist in these security features of AIX. But as far as i know, you have to configure the audit subsystem and the syslog facility to get these information.

Auditing and Accounting on AIX - IBM Redbooks

Here you can define which file in which way should be monitored:
Example: [/etc/security/audit/objects]
        w = "AUD_CONFIG_WR"

        w = "FILE_Open"

        w = "FILE_Open"

        w = "PASSWORD_Change"

A successfull configuration will generate a entry in /var/adm/authlog like:
May  2 10:51:13 xxxxxxxxx auth|security:notice audit: FILE_Open ; root ; OK ; Global ;   write event detected ;/etc/security/tsd/tsd.dat

You also need to configure your syslog facility to get the required information.
Example: [/etc/syslog.conf]
Code:                                /var/adm/authlog rotate size 5m files 10

Restart syslogd:
stopsrc -s syslogd
startsrc -s syslogd

Finally the "last" command will give you some informationen about (previous) logins.

Hope this helps a bit...
# 3  
Old 05-03-2013
-=XrAy=- brings up some interesting points - I am glad he knows of these two core security mechanisms. And the redbook is a good starting point - even considering that it was written in October 2002 (these mechanisms have been available from at least 1996).

I would like to suggest you take a look at a couple of my blogs on IBMSystemsMagazine, in particular SecuringAIX: Combining audit and syslog where I describe how this command
auditstream -m -c general | tee -a /audit/general.bin | auditselect -e "result==FAIL && command!=java" | auditpr -v | logger -p local1.warn -t audit &

integrates audit with syslog.

And/or perhaps -=XrAy=- can tell us where he got his example from, as audit does not write automatically to syslog. The output (with comment built-in) is quite nice!

For this kind of detection, today! I would use a PowerSC component known as RTC - Real-Time-Compliance. "Real-Soon" I will be doing a writeup on that in my blog SecuringAIX.
However, more in general, two partitions aka LPAR on a POWER server are isolated by the firmware. Connections and monitoring of network activity would be the same as for a standalone host.
Properly configured, "disks" local to one partition are not accessible from another partition. The exception to this could be the VIO server when using VSCSI as the VIOS hosts the disks. Normally, VIOS are considered part of the managed system and "regular", unauthorized users/administrators are not permitted access. Again, under proper configuration and management conditions "side-ways" access should not be possible. This also can be additionaly protected by using NPIV rather than VSCSI. Now the storage team can control which partitions can see the "disks" aka LUNS by controlling/managing which virtual HBA(s) may access the luns.
Note: in a POWERHA/SystemMirror configuration is is considered normal that two partitions may access the same "disk". There are tools in PowerHA/SystemMirror to monitor which system has "active" access.

In short, AIX, POWER and VIOS have been repeated certified. See IBM AIX: AIX operating system certifications for an overview.

I hope this helps.
# 4  
Old 05-03-2013
Hi Michael,

here are the configuration files:

        binmode = off
        streammode = on

        bincompact = off
        backupsize = 0
        backuppath = /audit
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536

        cmds = /etc/security/audit/streamcmds

        general = USER_SU,PASSWORD_Change
        files = No_Events
        TCPIP = No_Events
        SRC = No_Events
        kernel = No_Events
        SVIPC = No_Events
        mail = No_Events
        cron = No_Events

        default = loginout,general


/usr/sbin/auditstream | auditpr -v | /etc/security/audit/stream2syslog.ksh &

awk '/^S_GROUP_WRITE/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0} \
     /^AUD_CONFIG_WR/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0} \
     /^FILE_Open/ {act=$1; user=$2; stat=$3; app=$NF; getline; FS="filename"; sub(/\//,";/",$2); print act,";",user,";",stat,";",app,";",$2; FS=" "} \
     /^FILE_Owner/ {act=$1; user=$2; stat=$3; app=$NF; getline; FS="filename"; print act,";",user,";",stat,";",app,";",$1,";",$2; FS=" "} \
     /^FILE_Mode/ {act=$1; user=$2; stat=$3; app=$NF; getline; mode=$2; filename=$NF; print act,";",user,";",stat,";",app,";",mode,";",filename; FS=" "} \
     /^FILE_Accessx/ {act=$1; user=$2; stat=$3; app=$NF; getline; FS="detected"; print act,";",user,";",stat,";",app,";",$2; FS=" "} \
     /^S_PASSWD_WRITE/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0} \
     /^PASSWORD_Change/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0}' |\
logger -r -p auth.notice -t audit

When you start the audit subsystem [audit start], you will find the following background process:
sh -c /usr/sbin/auditstream | auditpr -v | /etc/security/audit/stream2syslog.ksh &?

This User Gave Thanks to -=XrAy=- For This Post:
MichaelFelt (05-03-2013)
# 5  
Old 05-03-2013
rather than a complex awk command using the command
auditselect -c objects | auditpr -v | logger -r -p auth.notice -t audit &

should accomplish the same thing. I would normally also pipe thru a tee to save what I am reporting (in binary format) so mine preferred line would look like:
auditselect -c objects | tee /audit/objects.bin | auditpr -v | logger -r -p auth.notice -t audit &

And, ideally, /audit/objects.bin would be a trusted log (physically stored, rotated and backup performed on a VIO server)
# 6  
Old 05-07-2013
Thanks XrAV and Michael . Appreciate your help! Smilie I will take note of your ideas...and will review the RED BOOK on audit.

Thread Tools Search this Thread
Search this Thread:
Advanced Search

More UNIX and Linux Forum Topics You Might Find Helpful
Topas - CPU count inconsistent across LPARs maraixadm AIX 3 1 Week Ago 04:24 PM
Changing VLAN on AIX lpars in the same subnet kaelu26 AIX 5 06-19-2016 10:32 PM
Rebooting redundant VIOs and mirroring of PVs they serve to client LPARs maraixadm AIX 3 03-13-2016 04:04 PM
How to use dsadm command to run command on multi lpars? rainbow_bean AIX 1 04-11-2014 04:36 PM
Is it must to enable TCB on AIX LPARs ? System Admin 77 AIX 3 10-18-2013 04:11 PM
Automation of AIX LPARs reboot System Admin 77 AIX 4 09-09-2013 05:01 AM
Creating LPARS in AIX sekar52 AIX 2 08-20-2013 01:25 PM
Cloning OS using alt_disk_install to new LPARs snchaudhari2 AIX 4 05-22-2013 07:13 PM
Simple questions about LPARs bstring AIX 1 12-28-2012 02:34 AM
Shared Disk in VIOS between two LPARs ? filosophizer AIX 1 12-17-2012 09:41 AM
Inherited VIO server an LPARs rbatte1 AIX 3 02-20-2011 08:39 AM
Virtual Ethernet VIO HMC LPARs filosophizer AIX 10 06-16-2009 12:39 PM
Communication over firewall ajnabi Security 5 09-02-2008 04:40 PM
Possible to track FTP user last login? Last and Finger don't track them. LordJezo UNIX for Dummies Questions & Answers 1 11-08-2007 01:21 PM