Live Update Support for AIX Auditing

By Manjunath A Pattanshetti posted Wed December 11, 2024 03:51 AM


Starting with AIX Version 7.2, the AIX operating system provides the AIX Live Update function, which allows interim fixes (ifixes) to be applied without a system restart. During a Live Update operation, the workload processes are checkpointed and moved over to the Surrogate. At the end of the operation, the workloads resume on the Surrogate in a chrooted environment.

Live Update has a few limitations, and AIX Auditing is one of them. Before AIX Version 7.3 TL3, Live Update works only when auditing is enabled in BIN mode; you cannot perform a Live Update if auditing is configured in STREAM mode. In that case, the operation fails with the error message shown in Fig 2.

Starting with AIX Version 7.3 TL3, the Live Update feature is supported when AIX Auditing is enabled in either BIN or STREAM mode. The use of the “watch” command to observe a program is also supported while the Live Update operation is in progress.

Configurations to support AIX Auditing in Live Update Environment:

A new configuration field, “audit_stream_check”, is added to /var/adm/ras/liveupdate/lvupdate.template. This template contains the most recent descriptions of all possible fields for a Live Update operation and can be used to configure lvupdate.data, located in the /var/adm/ras/liveupdate path. The ‘geninstall’ command uses this file for the relevant input data for the Live Update operation. The stanza for the new field is shown in Fig 1.

Fig 1

Prior to 7.3 TL3, or if “audit_stream_check” is set to “yes”, Live Update with auditing in STREAM mode is blocked, as shown below.

Fig 2
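
As an added example (not part of the original post and not IBM code), the following pre-flight check applies the rule above before a Live Update is attempted. The `general:` stanza name in the sample lvupdate.data, the value `no`, and passing the OS level (the first two fields of `oslevel -s`) as an argument are assumptions; the `streammode` key is the one read from the audit configuration file.

```shell
#!/bin/sh
# Added example (not IBM code). Assumptions: lvupdate.data and the audit config
# use "key = value" stanza lines; file paths and the OS level are arguments.

# Print the value of the last "key = value" line for key $2 in file $1.
stanza_value() {
    awk -v key="$2" '
        /^[ \t]*[#*]/ { next }                    # skip comment lines
        { n = index($0, "="); if (n == 0) next    # skip stanza names
          k = substr($0, 1, n - 1); v = substr($0, n + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# Echo a verdict for: $1 audit config, $2 lvupdate.data, $3 OS level
# given as the first two fields of `oslevel -s`, e.g. 7300-03.
live_update_audit_verdict() {
    stream=$(stanza_value "$1" streammode)
    check=$(stanza_value "$2" audit_stream_check)
    level=$(echo "$3" | awk -F- '{ printf "%d%02d", $1, $2 }')
    if [ "$stream" != "on" ]; then
        echo "OK: auditing is not configured in STREAM mode"
    elif [ "$level" -lt 730003 ]; then
        echo "BLOCKED: STREAM mode needs AIX 7.3 TL3 or later"
    elif [ "$check" = "yes" ]; then
        echo "BLOCKED: audit_stream_check = yes"
    else
        echo "OK: STREAM mode auditing is allowed"
    fi
}

# Constructed sample files (stanza name "general" is assumed) so this runs offline.
demo=$(mktemp -d)
printf 'start:\n\tbinmode = on\n\tstreammode = on\n' > "$demo/audit_config"
printf 'general:\n\taudit_stream_check = yes\n'     > "$demo/lvupdate_yes"
printf 'general:\n\taudit_stream_check = no\n'      > "$demo/lvupdate_no"
live_update_audit_verdict "$demo/audit_config" "$demo/lvupdate_yes" 7300-03
live_update_audit_verdict "$demo/audit_config" "$demo/lvupdate_no"  7300-03
live_update_audit_verdict "$demo/audit_config" "$demo/lvupdate_no"  7200-05
```

On a real system the arguments would be /etc/security/audit/config, /var/adm/ras/liveupdate/lvupdate.data and the level reported by `oslevel -s`.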

Configuration and Function of Audit Subsystem in Live Update Environment:

No configuration changes are needed in the Audit subsystem to support Live Update. The audit logs (trail or stream files) are appended to once the Live Update operation completes on the Surrogate. The loss of audit logs during the blackout is negligible. Once the Surrogate is running, auditing is enabled immediately, even before the workloads resume, so any audit events from the workload resume are captured without loss.

If AIX Auditing was enabled prior to the Live Update, then once the Live Update completes, “audit query” should report the status as “ON”, as shown below.

Fig 3


Live Update Support in “watch” command:

The use of the “watch” command to observe a program is also supported while the Live Update operation is in progress. You might lose the records of audit events that occur after the watch command and the other observed commands resume on the surrogate LPAR, until the audit operation is completely enabled on these processes. Losing audit data may not be acceptable in a strict compliance environment, so a careful study is required before using this functionality.