AIX

  • 1.  RBAC privileged commands with ALLOW_ALL logged to syslog

    Posted Fri June 29, 2012 07:39 PM

    Originally posted by: woodstea


    I've just upgraded an AIX LPAR from 6100-07-04 to 7100-01-04. I'm now seeing a large number of entries in syslog that look like this:

    kern:notice unix: The privilege command /usr/sbin/lspv, is executed by user with id 208

    I assume that these are logged because a user is executing a command that's listed in /etc/security/privcmds, even though the command is configured with "accessauths = ALLOW_ALL". And that would be fine for commands entered occasionally from an interactive session, but on this LPAR there are performance monitoring scripts that run these sorts of commands (netstat, vmstat, etc.) constantly throughout the day. It creates a lot of noise and makes it harder to see real problems.

    I would also guess -- though I can't find it in the docs anywhere -- that the default behavior in 7.1 has changed from that of 6.1, so that these messages are generated when they weren't before. The commands in question were also in /etc/security/privcmds in 6.1, but we weren't getting syslog notifications for them (my syslog.conf is essentially the same).

    Any ideas on how I can turn this behavior off, either globally or via a role, etc.?

    Regards,
    Rob


  • 2.  Re: RBAC privileged commands with ALLOW_ALL logged to syslog

    Posted Mon July 02, 2012 12:06 PM

    Originally posted by: woodstea


    One solution I've considered is to remove the commands in question from /etc/security/privcmds. I'm not sure though what effect that might have now or in the future. Perhaps the innate privileges tied to those commands are now necessary for a non-root user to execute the command successfully. Or if not now, they will be as the RBAC model matures.

    From my point of view messages about privileged commands with ALLOW_ALL ought to go to a lower syslog level. If we don't care who executes them, shouldn't their execution be more of an INFO or DEBUG sort of event?


  • 3.  Re: RBAC privileged commands with ALLOW_ALL logged to syslog

    Posted Mon April 13, 2015 11:40 AM

    Originally posted by: armink


    I faced the same problem... and found your posting. Unfortunately nothing else, so I raised a call at IBM.

    I got an astonishing answer: The developers just decided to log everything. Period. So this is no bug but a "feature".

    They offered 3 solutions:

    1. disable RBAC ( chdev -l sys0 -a enhanced_RBAC=false )
    2. ignore kernel messages in syslog (kern.notice). Unfortunately you'll lose all other kern.notice messages.
    3. use rsyslog, it has more filter choices

    Most of the affected users disable RBAC completely... I'll think about that too.

     

    Armin
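
The filtering idea in option 3, as an added example that is not part of the original posts or of IBM's answer: it reads the ALLOW_ALL commands out of a privcmds-style stanza file and drops only those notices when they come from known monitoring UIDs, so other kern.notice messages and other privileged-command notices stay visible. The stanza layout, the sample data and the choice of UID 208 as the monitoring account are assumptions made for illustration.

```python
import re

# Constructed sample in AIX stanza-file layout; the real file is /etc/security/privcmds
SAMPLE_PRIVCMDS = """\
/usr/sbin/lspv:
        accessauths = ALLOW_ALL
        secflags = FSF_EPS

/usr/sbin/mkuser:
        accessauths = aix.security.user.create
"""

# Constructed syslog lines modelled on the message quoted in the thread
SAMPLE_LOG = [
    "kern:notice unix: The privilege command /usr/sbin/lspv, is executed by user with id 208",
    "kern:notice unix: The privilege command /usr/sbin/lspv, is executed by user with id 301",
    "kern:notice unix: The privilege command /usr/sbin/mkuser, is executed by user with id 208",
    "kern:notice unix: constructed unrelated kernel notice",
]

MSG_RE = re.compile(r"The privilege command (\S+), is executed by user with id (\d+)")


def allow_all_commands(privcmds_text):
    """Return the command paths whose stanza sets accessauths = ALLOW_ALL."""
    cmds, current = set(), None
    for raw in privcmds_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # blank line or stanza comment
            continue
        if line.endswith(":") and "=" not in line:  # stanza header: "/path/to/cmd:"
            current = line[:-1]
        elif current and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "accessauths" and value == "ALLOW_ALL":
                cmds.add(current)
    return cmds


def filter_syslog(lines, quiet_cmds, quiet_uids):
    """Drop ALLOW_ALL notices from monitoring UIDs only; keep every other line."""
    kept = []
    for line in lines:
        m = MSG_RE.search(line)
        if m and m.group(1) in quiet_cmds and int(m.group(2)) in quiet_uids:
            continue  # routine noise: ALLOW_ALL command run by a monitoring account
        kept.append(line)
    return kept
```

Calling `filter_syslog(SAMPLE_LOG, allow_all_commands(SAMPLE_PRIVCMDS), {208})` removes only the first sample line; the same match conditions could be expressed as an rsyslog filter rule.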



  • 4.  Re: RBAC privileged commands with ALLOW_ALL logged to syslog

    Posted Fri August 02, 2013 11:47 AM

    Originally posted by: DavidWong1


    Hi Rob, did you ever find a solution to this?  We're facing the same issue.

    David.



  • 5.  Re: RBAC privileged commands with ALLOW_ALL logged to syslog

    Posted Wed August 21, 2013 04:53 PM

    Originally posted by: woodstea23


    No, I'm afraid I never did.



  • 6.  Re: RBAC privileged commands with ALLOW_ALL logged to syslog

    Posted Wed May 06, 2015 03:12 AM

    Originally posted by: Sebastian_vdV


    Sorry for re-opening this old one, but some time has passed since the last reply and we here want to know if there is any news from anybody regarding the initial question and how to avoid the filling of the syslog with "dumb" entries?

     

    BR

    Sebastian