Archive for the security category

topas error: ERROR: Assert Failure in file="nmonDisplay.c" in function="init_diskadapter_stats" at line=3137


Problem:

When a normal (non-root) user tried to run the topas command on an AIX 5.3 server, the following errors were received:

myuserid [AIXserver] /home/myuserid: topas
ERROR: Assert Failure in file="nmonDisplay.c" in function="init_diskadapter_stats" at line=3137
ERROR: Reason=System call returned -1
ERROR: Expression=[[retcode=perfstat_diskadapter(&perfid,p->adapt, sizeof(perfstat_diskadapter_t), adapters)]]
ERROR: errno=13
ERROR: errno means : Permission denied
ERROR: Sizeof cpu=592 cpu_total=664 disk=480 diskadapter=192 diskpath=304 disktotal=64, memory=208 netbuff=120 netif=208 netiftotal=64 paging=240 partition=480 protocol=720

myuserid [AIXserver] /home/myuserid: oslevel -s
5300-12-01-1016

Root cause:

The setuid bit had been removed from /usr/lib/perf/libperfstat_updt_dictionary. perfstat_diskadapter() relies on this setuid-root helper, so for a non-root user the call returned -1 with errno 13 (Permission denied). Note the missing "s" in the owner execute position of the mode:

myuserid [AIXserver] /home/myuserid: ls -l /usr/lib/perf/libperfstat_updt_dictionary
-rwxr-xr-x 1 root system 8582 Mar 12 2010 /usr/lib/perf/libperfstat_updt_dictionary

Solution:

Restore the setuid bit on /usr/lib/perf/libperfstat_updt_dictionary:

root [AIXserver] /# chmod u+s /usr/lib/perf/libperfstat_updt_dictionary
root [AIXserver] /# ls -l /usr/lib/perf/libperfstat_updt_dictionary
-rwsr-xr-x 1 root system 8582 Mar 12 2010 /usr/lib/perf/libperfstat_updt_dictionary

topas now works for normal users. Setuid-root files are a security-sensitive category, so restore the bit only on files known to require it, such as this IBM-shipped perfstat helper, and check for the same drift on the other setuid binaries the system depends on.
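As an added example (not from the original post), the following POSIX sh script checks whether files carry the setuid bit their tools depend on and reports drift against a small baseline. It uses only "test -u" and "ls -l"; the file names in the demo are constructed stand-ins created in a temporary directory, with the stripped one named after the helper from the post, and mktemp is assumed to be available.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the binaries a
# tool relies on still carry their setuid bit, and report drift from a
# baseline. POSIX sh only ("test -u" is the set-user-ID test).

# mode_of FILE -> the 10-character mode string from ls -l (e.g. -rwsr-xr-x)
mode_of() {
  ls -ld "$1" 2>/dev/null | cut -c1-10
}

# check_setuid FILE EXPECT -> EXPECT is "set" or "clear".
# Returns 0 when the file matches, 1 on drift, 2 when the file is missing.
check_setuid() {
  f="$1"; want="$2"
  if [ ! -e "$f" ]; then
    echo "MISSING $f"
    return 2
  fi
  if [ -u "$f" ]; then have=set; else have=clear; fi
  if [ "$have" = "$want" ]; then
    echo "OK      $(mode_of "$f") $f (setuid $have)"
    return 0
  fi
  echo "DRIFT   $(mode_of "$f") $f (setuid $have, expected $want)"
  return 1
}

# check_baseline < "path expect" lines -> prints one line per entry and
# returns the number of entries that drifted (missing files count as drift).
check_baseline() {
  drift=0
  while read -r path want; do
    [ -n "$path" ] || continue
    check_setuid "$path" "$want" || drift=$((drift + 1))
  done
  return $drift
}

# demo_baseline: constructed stand-ins in a temp dir. One has had its setuid
# bit stripped (the situation in the post), one is intact, one is expected
# to be a plain binary. Returns the drift count, which should be 1.
demo_baseline() {
  d=$(mktemp -d) || return 99
  : > "$d/libperfstat_updt_dictionary"; chmod 755 "$d/libperfstat_updt_dictionary"  # bit stripped
  : > "$d/perf_helper_intact";          chmod 4755 "$d/perf_helper_intact"          # bit present
  : > "$d/plain_tool";                  chmod 755 "$d/plain_tool"                   # never setuid
  rc=0
  printf '%s set\n%s set\n%s clear\n' \
    "$d/libperfstat_updt_dictionary" "$d/perf_helper_intact" "$d/plain_tool" | check_baseline || rc=$?
  rm -rf "$d"
  return $rc
}

demo_baseline
```

On a real AIX host the baseline would list the vendor-shipped setuid files (the post's /usr/lib/perf/libperfstat_updt_dictionary with "set"), and a non-zero return from check_baseline is the signal that something, typically a hardening step, has changed their modes.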


Auditing an Object


Question

How can I audit a specific command or file on AIX?

Cause

You need to know which user or process is executing a command or opening a file for READ or WRITE.

Answer

The following steps can be used to configure AIX Auditing to audit individual files (including commands) for READ, WRITE and/or EXEC access.

1) Edit the audit config file to enable stream-mode auditing:

# vi /etc/security/audit/config

start:
binmode = off
streammode = on

With streammode, you get the output immediately in text format. If you choose binmode, you will have to convert the data from binary to text before reading it (see the technote AIX System Security Audit for details: http://www.aixmind.com/?p=2429 ).

2) Confirm the following line is in /etc/security/audit/streamcmds file

/usr/sbin/auditstream | auditpr -v > /audit/stream.out &

Note the "-v" after auditpr. It is not set by default, but it gives you more information. If you want to limit which events are monitored, you can also modify this file to use the auditselect command, e.g.:

# vi /etc/security/audit/streamcmds

/usr/sbin/auditstream | /usr/sbin/auditselect -e "command!=cron && command!=at" | auditpr -v > auditstream.out &

This command would exclude from the auditstream.out file the information that would otherwise be gathered from cron and at. This is probably not something you would want to do in your circumstance.

* See the AIX System Security Audit technote for more information on using auditselect.

3) Edit the /etc/security/audit/objects file to add an entry for the object/file you want to audit (replace /path/to/filename and FILENAME with the actual path and filename to be audited).

eg:

/path/to/filename:
        w = "S_FILENAME_WRITE"

The above line will audit writes to the file, but you can also audit reads and/or execute (for commands) with…

        r = "S_FILENAME_READ"
and/or
        x = "S_FILENAME_EXECUTE"

4) Edit the /etc/security/audit/events file to include the following:

* /path/to/filename
S_FILENAME_WRITE = printf " %s "

If you included READ and/or EXECUTE entries in step 3, you will also need to add the following entries to the events file…

S_FILENAME_READ = printf " %s "
and/or
S_FILENAME_EXECUTE = printf " %s "

5) Start auditing. On the command line type:

# audit start

If you need to restart auditing for any reason, run:

# audit shutdown; audit start

6) Wait for the issue to occur, or perform the steps that reproduce the problem being audited.

7) Stop auditing and check the output file for FILENAME entries

# audit shutdown
# cd /audit
# cat stream.out

The audit record is displayed as follows (example is for auditing a WRITE to a file)…

S_FILENAME_WRITE root OK Wed mar 06 2012 <application_name>
audit object write event detected /path/to/filename

Source: http://www-304.ibm.com/support/docview.wss?uid=isg3T1013098
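As an added example (not from the IBM technote or the original post), the POSIX sh script below covers the two places where this procedure tends to go wrong: step 4 requires every event named in the objects file to also be defined in the events file, and step 7 leaves you with a stream.out to read. The first function reports event names that are referenced but never defined; the second summarizes auditpr -v records per event, user and status. The stanza formats follow the post; the objects/events contents and the audit records used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the IBM technote or the original post.
#   check_audit_config OBJECTS EVENTS  - prints S_* names used in the objects
#                                        file but missing from the events file
#   summarize_stream < stream.out      - "count event user status" lines

# Event names referenced in an objects file: lines like   w = "S_FILENAME_WRITE"
object_events() {
  sed -n 's/.*= *"\(S_[A-Za-z0-9_]*\)".*/\1/p' "$1" | sort -u
}

# Event names defined in an events file: lines like   S_FILENAME_WRITE = printf " %s "
defined_events() {
  sed -n 's/^\(S_[A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1" | sort -u
}

# check_audit_config OBJECTS EVENTS -> prints undefined names, returns 1 if any
check_audit_config() {
  rc=0
  for name in $(object_events "$1"); do
    if ! defined_events "$2" | grep -qx "$name"; then
      echo "$name"
      rc=1
    fi
  done
  return $rc
}

# summarize_stream < stream.out -> sorted "count event user status" lines.
# Record lines begin with the event name, as in the post's example; the
# "audit object ... event detected" continuation lines are ignored.
summarize_stream() {
  awk '$1 ~ /^S_[A-Za-z0-9_]+$/ { n[$1 " " $2 " " $3]++ }
       END { for (k in n) print n[k], k }' | LC_ALL=C sort
}

# Constructed objects/events stanzas: READ is audited but never defined.
demo_check_config() {
  d=$(mktemp -d) || return 99
  printf '%s\n' '/path/to/filename:' '        w = "S_FILENAME_WRITE"' '        r = "S_FILENAME_READ"' > "$d/objects"
  printf '%s\n' '* /path/to/filename' 'S_FILENAME_WRITE = printf " %s "' > "$d/events"
  rc=0
  check_audit_config "$d/objects" "$d/events" || rc=$?
  rm -rf "$d"
  return $rc
}

# Constructed auditpr -v records in the shape of the post's example record.
sample_stream() {
cat <<'EOF'
S_FILENAME_WRITE root OK Wed Mar 06 2012 vi
audit object write event detected /path/to/filename
S_FILENAME_READ jdoe OK Wed Mar 06 2012 cat
audit object read event detected /path/to/filename
S_FILENAME_WRITE jdoe FAIL Wed Mar 06 2012 vi
audit object write event detected /path/to/filename
S_FILENAME_WRITE root OK Wed Mar 06 2012 vi
audit object write event detected /path/to/filename
EOF
}

demo_summary() {
  sample_stream | summarize_stream
}

demo_check_config
demo_summary
```

On the server itself you would run check_audit_config /etc/security/audit/objects /etc/security/audit/events before "audit start", and summarize_stream < /audit/stream.out after "audit shutdown"; a FAIL status in the summary is the denied access attempt that the audit was usually set up to catch.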


How to Apply ACL to New Files Automatically


Question

How can I set up a directory that will automatically apply ACLs (Access Control Lists)?

Answer

Using an ACL is a way to set restrictions on the use of a file beyond the standard AIX or Unix discretionary access control. These can be set on an individual or group basis, and rights can be given or taken away as needed.

The concept of having a directory with ACLs on it, and then automatically applying those ACLs to any files created in that directory is called inheritance. AIX ACLs do not support inheritance, but NFSV4 ACLs do. NFSV4 ACL is platform-independent, so it can be supported on many clients or servers.

Most filesystem types in AIX do not support NFSV4 ACLs: CFS, UDF, JFS, and JFS2 with extended attribute version 1 (EAv1) do not. JFS2 filesystems using EAv2 do, so they can be used for this purpose.

1. Use a JFS2 filesystem
Use an existing JFS2 filesystem if you have one, or create one if you do not:

# crfs -v jfs2 -g datavg -m /myfs -A yes -a size=2G

2. Change the filesystem to use Extended Attributes Version 2

# chfs -a ea=v2 /myfs

3. Create a directory, or identify an existing directory

# cd /myfs
# mkdir newdir

4. Convert the directory to use NFS4 ACLs:

# aclconvert -t NFS4 newdir

5. Edit the ACL

# export EDITOR=/usr/bin/vi
# acledit newdir

You should see this in the file:

*
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo

To allow inheritance for all files and directories underneath this directory, add the flags "fi" (inherit to files) and "di" (inherit to directories) to each ACL entry you want propagated. Those entries will be applied to every file and directory created here from now on.

*
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo

Create a file in the directory and check its ACL. Only the entries carrying the inheritance flags are propagated, so the new file gets just the OWNER@ allow entry:

# cd newdir
# touch newfile
# aclget newfile

*
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs fidi
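As an added example (not from the IBM technote or the original post), the POSIX sh functions below work on the text form of an NFS4 ACL as printed by acledit/aclget: one reports, per entry, whether it will be inherited, and one adds "fidi" to every entry that has no inheritance flags yet. The sample ACL is a constructed copy of the one shown after "acledit newdir" above; feeding the result back with aclput -i is the assumed way to apply it on AIX and is not shown in the post.

```shell
#!/bin/sh
# Added example, not from the IBM technote or the original post.
#   acl_inherit_report < acl.txt  - one line per ACE: who, allow/deny, flags,
#                                   and whether it carries fi and/or di
#   acl_add_inherit    < acl.txt  - appends "fidi" to every ACE lacking
#                                   inheritance flags (idempotent)
# Assumed use on AIX (not shown in the post):
#   aclget newdir | acl_add_inherit > /tmp/acl.txt && aclput -i /tmp/acl.txt newdir

# ACE lines look like:  s:(OWNER@): a rwpRWxDaAdcCs [flags]
# $1 = who, $2 = a (allow) / d (deny), $3 = permissions, $4 = optional flags.
# Lines starting with "*" are comments and pass through untouched.
acl_inherit_report() {
  awk '/^s:\(/ {
         who = $1; sub(/^s:\(/, "", who); sub(/\):$/, "", who)
         kind  = ($2 == "a") ? "allow" : "deny"
         flags = (NF >= 4) ? $4 : "-"
         inh   = (flags ~ /fi|di/) ? "yes" : "no"
         print who, kind, "flags=" flags, "inherit=" inh
       }'
}

acl_add_inherit() {
  awk '/^s:\(/ && (NF < 4 || ($4 !~ /fi/ && $4 !~ /di/)) { print $0 " fidi"; next }
       { print }'
}

# Constructed copy of the ACL shown by "acledit newdir" before any flags were added.
sample_acl() {
cat <<'EOF'
*
* ACL_type NFS4
*
*
* Owner: root
* Group: system
*
s:(OWNER@): a rwpRWxDaAdcCs
s:(OWNER@): d o
s:(GROUP@): a rRxadcs
s:(GROUP@): d wpWDACo
s:(EVERYONE@): a rRxadcs
s:(EVERYONE@): d wpWDACo
EOF
}

echo "== before =="; sample_acl | acl_inherit_report
echo "== after  =="; sample_acl | acl_add_inherit | acl_inherit_report
```

acl_add_inherit flags the deny entries as well as the allow entries, so children receive the same set of entries as the parent; the post's example flags only the OWNER@ allow entry, and the new file accordingly ends up with that single entry.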
