Hello Everyone,
i got a question in AIX. How can i track the communication between LPARs.
i mean how can we find if a program/account trying to access a directory/file inside AIX LPAR or from another LPAR ?
if some one is trying to access our LPAR. where can i track those info? or a outside program denied permission while accessing some folder in AIX. where can find the logs ??
Thanks
admin
Hi,
i'm not a specalist in these security features of AIX. But as far as i know, you have to configure the audit subsystem and the syslog facility to get these information.
Auditing and Accounting on AIX - IBM Redbooks
Here you can define which file in which way should be monitored:
Example: [/etc/security/audit/objects]
/etc/security/audit/config:
w = "AUD_CONFIG_WR"
/etc/security/audit/objects:
w = "FILE_Open"
/etc/syslog.conf:
w = "FILE_Open"
/etc/passwd:
w = "PASSWORD_Change"
A successfull configuration will generate a entry in /var/adm/authlog like:
May 2 10:51:13 xxxxxxxxx auth|security:notice audit: FILE_Open ; root ; OK ; Global ; write event detected ;/etc/security/tsd/tsd.dat
You also need to configure your syslog facility to get the required information.
Example: [/etc/syslog.conf]
auth.info /var/adm/authlog rotate size 5m files 10
Restart syslogd:
stopsrc -s syslogd
startsrc -s syslogd
Finally the "last" command will give you some informationen about (previous) logins.
Hope this helps a bit...
-=XrAy=- brings up some interesting points - I am glad he knows of these two core security mechanisms. And the redbook is a good starting point - even considering that it was written in October 2002 (these mechanisms have been available from at least 1996).
I would like to suggest you take a look at a couple of my blogs on IBMSystemsMagazine, in particular SecuringAIX: Combining audit and syslog where I describe how this command
auditstream -m -c general | tee -a /audit/general.bin | auditselect -e "result==FAIL && command!=java" | auditpr -v | logger -p local1.warn -t audit &
integrates audit with syslog .
And/or perhaps -=XrAy=- can tell us where he got his example from, as audit does not write automatically to syslog. The output (with comment built-in) is quite nice!
For this kind of detection, today! I would use a PowerSC component known as RTC - Real-Time-Compliance . "Real-Soon" I will be doing a writeup on that in my blog SecuringAIX.
However, more in general, two partitions aka LPAR on a POWER server are isolated by the firmware. Connections and monitoring of network activity would be the same as for a standalone host.
Properly configured, "disks" local to one partition are not accessible from another partition. The exception to this could be the VIO server when using VSCSI as the VIOS hosts the disks. Normally, VIOS are considered part of the managed system and "regular", unauthorized users/administrators are not permitted access. Again, under proper configuration and management conditions "side-ways" access should not be possible. This also can be additionaly protected by using NPIV rather than VSCSI. Now the storage team can control which partitions can see the "disks" aka LUNS by controlling/managing which virtual HBA (s) may access the luns.
Note: in a POWERHA/SystemMirror configuration is is considered normal that two partitions may access the same "disk". There are tools in PowerHA/SystemMirror to monitor which system has "active" access.
In short, AIX, POWER and VIOS have been repeated certified. See IBM AIX: AIX operating system certifications for an overview.
I hope this helps.
Hi Michael,
here are the configuration files:
/etc/security/audit/config
start:
binmode = off
streammode = on
bin:
bincompact = off
backupsize = 0
backuppath = /audit
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
freespace = 65536
stream:
cmds = /etc/security/audit/streamcmds
classes:
general = USER_SU,PASSWORD_Change
objects = S_PASSWD_READ,S_PASSWD_WRITE,AUD_CONFIG_WR
files = No_Events
TCPIP = No_Events
SRC = No_Events
kernel = No_Events
SVIPC = No_Events
mail = No_Events
cron = No_Events
users:
default = loginout,general
role:
/etc/security/audit/streamcmds
/usr/sbin/auditstream | auditpr -v | /etc/security/audit/stream2syslog.ksh &
/etc/security/audit/stream2syslog.ksh
awk '/^S_GROUP_WRITE/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0} \
/^AUD_CONFIG_WR/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0} \
/^FILE_Open/ {act=$1; user=$2; stat=$3; app=$NF; getline; FS="filename"; sub(/\//,";/",$2); print act,";",user,";",stat,";",app,";",$2; FS=" "} \
/^FILE_Owner/ {act=$1; user=$2; stat=$3; app=$NF; getline; FS="filename"; print act,";",user,";",stat,";",app,";",$1,";",$2; FS=" "} \
/^FILE_Mode/ {act=$1; user=$2; stat=$3; app=$NF; getline; mode=$2; filename=$NF; print act,";",user,";",stat,";",app,";",mode,";",filename; FS=" "} \
/^FILE_Accessx/ {act=$1; user=$2; stat=$3; app=$NF; getline; FS="detected"; print act,";",user,";",stat,";",app,";",$2; FS=" "} \
/^S_PASSWD_WRITE/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0} \
/^PASSWORD_Change/ {act=$1; user=$2; stat=$3; app=$NF; getline; sub(/\//,";/",$0); print act,";",user,";",stat,";",app,";",$0}' |\
logger -r -p auth.notice -t audit
When you start the audit subsystem [audit start], you will find the following background process:
sh -c /usr/sbin/auditstream | auditpr -v | /etc/security/audit/stream2syslog.ksh &?
regards
rather than a complex awk command using the command
auditselect -c objects | auditpr -v | logger -r -p auth.notice -t audit &
should accomplish the same thing. I would normally also pipe thru a tee to save what I am reporting (in binary format) so mine preferred line would look like:
auditselect -c objects | tee /audit/objects.bin | auditpr -v | logger -r -p auth.notice -t audit &
And, ideally, /audit/objects.bin would be a trusted log (physically stored, rotated and backup performed on a VIO server)
Thanks XrAV and Michael . Appreciate your help! 
I will take note of your ideas...and will review the RED BOOK on audit.