AIX

  • 1.  Why does AIXPert change raw devices attribute and how?

    Posted Wed June 25, 2008 10:45 AM

    Originally posted by: longgonl2008long


    Why does AIXPert change raw devices attribute and how?
    When I run aixpert -l default on our database server (db2), the owner attributes of the raw devices for db2 in /dev were changed to root. And this made our applications error.
    I checked the log of aixpert; aixpert will run 'sysck' when setting the default security level. However, this will not happen on the servers TCB. So I wonder why?
    #AIX-Forum


  • 2.  Re: Why does AIXPert change raw devices attribute and how?

    Posted Wed June 25, 2008 06:20 PM

    Originally posted by: SystemAdmin


    AIXpert is all about security hardening best practices. This of course includes ensuring the OS install base is consistent. This reduces the possibility of weakened security through mis-configuration or malicious configuration. Therefore aixpert runs sysck. More details can be found on the IBM docs, search on sysck or aixpert.

    Having said this, we also know all of the aixpert settings do not work for all of the computers all of the time. I think Churchill said this. Therefore, when using aixpert in your environment you might want to de-select (turn off) this option. sysck might be run in the following rules / scripts:

    Disable unsecure commands (disrmtcmdshls)
    Disable unsecure daemons (disrmtdmnshls)
    Removes SUID from remote Commands (rmsuidfrmrcmdshls)
    #AIX-Forum


  • 3.  Re: Why does AIXPert change raw devices attribute and how?

    Posted Thu June 26, 2008 10:39 AM

    Originally posted by: longgonl2008long


    Thanks very much for the reply.
    I have checked sysck and didn't find that sysck can change the attribute of raw devices. The doc says it will check and modify the file system only.
    I found this in the log of aixpert (/etc/security/aixpert/log), and the raw devices' owners were changed to be root.

    + echo /etc/security/aixpert/bin/execmds
    /etc/security/aixpert/bin/execmds
    + eval tcbck -y ALL
    + tcbck -y ALL
    3001-024 The file /dev/rwms_dtatbslv_00 has the wrong file owner.
    3001-025 The file /dev/rwms_dtatbslv_00 has the wrong file group.
    + 114 -ne 0
    + dspmsg -s 10 aixpert.cat 2 execmds.sh: Failed to execute %s\n tcbck -y ALL
    execmds.sh: Failed to execute tcbck
    + exit 1

    However, our server doesn't have TCB, and I don't know how it happened?
    The attachment is the aixpert log file.
    #AIX-Forum
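
Added example, not part of the original thread and not IBM's code: a small POSIX shell filter that reads an aixpert log like the excerpt above and lists which files tcbck flagged for owner (3001-024) or group (3001-025), so the affected raw devices can be reviewed after a run. The function names and the extra `/usr/example/constructed` sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise tcbck findings in an aixpert log.
# Message IDs 3001-024 (owner) and 3001-025 (group) are the ones quoted in the post;
# the function names below are hypothetical.

# Reads log text on stdin; prints one line per flagged file: "<path> owner,group"
tcbck_flagged() {
    awk '
        $1 ~ /^3001-02[45]$/ && $2 == "The" && $3 == "file" {
            # Field layout in the quoted log: ID The file PATH has ...
            path = $4
            what = ($1 == "3001-024") ? "owner" : "group"
            if (!(path in seen)) { order[++n] = path; seen[path] = what }
            else if (index(seen[path], what) == 0) seen[path] = seen[path] "," what
        }
        END { for (i = 1; i <= n; i++) print order[i], seen[order[i]] }
    '
}

# Prints only the flagged paths under /dev, such as the raw device in the post.
tcbck_flagged_devices() {
    tcbck_flagged | awk '$1 ~ /^\/dev\// { print $1 }'
}

# Constructed sample: the excerpt from the post plus one made-up non-device line.
SAMPLE_LOG='+ eval tcbck -y ALL
+ tcbck -y ALL
3001-024 The file /dev/rwms_dtatbslv_00 has the wrong file owner.
3001-025 The file /dev/rwms_dtatbslv_00 has the wrong file group.
3001-024 The file /usr/example/constructed has the wrong file owner.
+ exit 1'

# On a real system, feed the functions the aixpert log the post mentions
# (kept under /etc/security/aixpert/log) instead of the sample.
printf '%s\n' "$SAMPLE_LOG" | tcbck_flagged
```

Comparing the device list against the ownership the database expects shows which entries need to be checked after aixpert has run.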
