RBAC privileged commands with ALLOW_ALL logged to syslog
kern:notice unix: The privilege command /usr/sbin/lspv, is executed by user with id 208
I assume that these are logged because a user is executing a command that's listed in /etc/security/privcmds, even though the command is configured with "accessauths = ALLOW_ALL". And that would be fine for commands entered occasionally from an interactive session, but on this LPAR there are performance monitoring scripts that run these sorts of commands (netstat, vmstat, etc.) constantly throughout the day. It creates a lot of noise and makes it harder to see real problems.
I would also guess -- though I can't find it in the docs anywhere -- that the default behavior in 7.1 has changed from that of 6.1, so that these messages are generated when they weren't before. The commands in question were also in /etc/security/privcmds in 6.1, but we weren't getting syslog notifications for them (my syslog.conf is essentially the same).
Any ideas on how I can turn this behavior off, either globally or via a role, etc.?
woodstea

Re: RBAC privileged commands with ALLOW_ALL logged to syslog (2012-07-02T16:05:51Z)

One solution I've considered is to remove the commands in question from /etc/security/privcmds. I'm not sure though what effect that might have now or in the future. Perhaps the innate privileges tied to those commands are now necessary for a non-root user to execute the command successfully. Or if not now, they will be as the RBAC model matures.
From my point of view messages about privileged commands with ALLOW_ALL ought to go to a lower syslog level. If we don't care who executes them, shouldn't their execution be more of an INFO or DEBUG sort of event?
armink

Re: RBAC privileged commands with ALLOW_ALL logged to syslog (2015-04-13T15:39:57Z)

- woodstea
I faced the same problem... and found your posting. Unfortunately nothing else, so I raised a call at IBM.
I got an astonishing answer: The developers just decided to log everything. Period. So this is no bug but a "feature".
They offered 3 solutions:
- disable RBAC ( chdev -l sys0 -a enhanced_RBAC=false )
- ignore kernel messages in syslog (kern.notice). Unfortunately you'll lose all other kern.notice messages.
- use rsyslog, it has more filter choices
Most of the affected users disable RBAC completely... I'll think about that too.
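As an added example (not code from the thread or from IBM), here is the finer-grained version of the rsyslog filtering idea above, written in Python so it can be run offline and adapted to whatever does the filtering. Instead of discarding every kern.notice, it drops only the notices for commands whose accessauths is ALLOW_ALL, using a table built from lssecattr output, and keeps a count of what it suppressed; a notice for a command guarded by a real authorization (or for a command it has no entry for) is passed through, since that is the case where "who ran it" still matters. The syslog lines and the lssecattr listing are constructed samples, and the listing format `cmd accessauths=VALUE` is an assumption about what `lssecattr -c -a accessauths ALL` prints on the box in question.

```python
"""Suppress AIX RBAC privileged-command notices only for ALLOW_ALL commands.

Constructed example for the thread, not IBM code. Both inputs are embedded
samples; the accessauths listing format (`cmd accessauths=VALUE`, one
command per line) is assumed from `lssecattr -c -a accessauths ALL`.
"""
import re
from collections import Counter

# Message text exactly as quoted in the syslog line at the top of the thread.
PRIVCMD_RE = re.compile(
    r"The privilege command (?P<cmd>\S+), is executed by user with id (?P<uid>\d+)"
)

# Constructed stand-in for lssecattr output (format assumed, see docstring).
SAMPLE_LSSECATTR = """\
/usr/sbin/lspv accessauths=ALLOW_ALL
/usr/bin/vmstat accessauths=ALLOW_ALL
/usr/bin/netstat accessauths=ALLOW_ALL
/usr/bin/chuser accessauths=aix.security.user.change
"""

# Constructed syslog lines in the format quoted in the thread.
SAMPLE_SYSLOG = """\
Jul  2 10:01:12 lpar01 unix: The privilege command /usr/sbin/lspv, is executed by user with id 208
Jul  2 10:01:13 lpar01 unix: The privilege command /usr/bin/vmstat, is executed by user with id 208
Jul  2 10:01:14 lpar01 unix: The privilege command /usr/bin/netstat, is executed by user with id 208
Jul  2 10:02:30 lpar01 unix: The privilege command /usr/bin/chuser, is executed by user with id 208
Jul  2 10:02:45 lpar01 unix: The privilege command /usr/sbin/mkvg, is executed by user with id 208
Jul  2 10:03:00 lpar01 syslogd: restart
"""


def parse_accessauths(listing):
    """Map command path -> accessauths value from an lssecattr-style listing."""
    table = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        cmd, _, attrs = line.partition(" ")
        for attr in attrs.split():
            key, _, value = attr.partition("=")
            if key == "accessauths":
                table[cmd] = value
    return table


def classify(line, accessauths):
    """Return ("drop", cmd, uid), ("keep", cmd, uid) or ("other", None, None).

    Only notices for commands whose accessauths is ALLOW_ALL are dropped: any
    user may run those, so the notice carries no authorization signal. A
    command guarded by an authorization, or one missing from the listing
    (unknown accessauths), is kept so a surprising uid is still visible.
    """
    m = PRIVCMD_RE.search(line)
    if not m:
        return ("other", None, None)
    cmd, uid = m.group("cmd"), int(m.group("uid"))
    if accessauths.get(cmd) == "ALLOW_ALL":
        return ("drop", cmd, uid)
    return ("keep", cmd, uid)


def filter_syslog(text, listing):
    """Return (kept_lines, dropped_counter) for a chunk of syslog text."""
    accessauths = parse_accessauths(listing)
    kept, dropped = [], Counter()
    for line in text.splitlines():
        verdict, cmd, _uid = classify(line, accessauths)
        if verdict == "drop":
            dropped[cmd] += 1
        else:
            kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    kept_lines, suppressed = filter_syslog(SAMPLE_SYSLOG, SAMPLE_LSSECATTR)
    for kept_line in kept_lines:
        print(kept_line)
    print("suppressed:", dict(suppressed))
```

On the sample input this passes the chuser and mkvg notices and the syslogd line through and suppresses the three ALLOW_ALL ones, while the counter preserves the fact that they ran. The blanket alternative in rsyslog's legacy syntax, `:msg, contains, "The privilege command" ~`, placed before the rule that writes kern.notice to file, keeps the rest of kern.notice intact but also hides the non-ALLOW_ALL executions, which is the part of this logging that is actually worth reading.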
Sebastian_vdV

Re: RBAC privileged commands with ALLOW_ALL logged to syslog (2015-05-06T07:12:00Z)

Sorry for re-opening this old one, but some time has passed since the last reply and we here want to know if there is any news from anybody regarding the initial question and how to avoid filling the syslog with "dumb" entries?