Topic: 5 replies, latest post 2015-05-06T07:12:00Z by Sebastian_vdV
woodstea (5 Posts)

Pinned topic RBAC privileged commands with ALLOW_ALL logged to syslog

2012-06-29T23:39:29Z
I've just upgraded an AIX LPAR from 6100-07-04 to 7100-01-04. I'm now seeing a large number of entries in syslog that look like this:

kern:notice unix: The privilege command /usr/sbin/lspv, is executed by user with id 208

I assume that these are logged because a user is executing a command that's listed in /etc/security/privcmds, even though the command is configured with "accessauths = ALLOW_ALL". And that would be fine for commands entered occasionally from an interactive session, but on this LPAR there are performance monitoring scripts that run these sorts of commands (netstat, vmstat, etc.) constantly throughout the day. It creates a lot of noise and makes it harder to see real problems.

I would also guess -- though I can't find it in the docs anywhere -- that the default behavior in 7.1 has changed from that of 6.1, so that these messages are generated when they weren't before. The commands in question were also in /etc/security/privcmds in 6.1, but we weren't getting syslog notifications for them (my syslog.conf is essentially the same).

Any ideas on how I can turn this behavior off, either globally or via a role, etc.?

Regards,
Rob
Updated on 2012-07-02T16:05:51Z by woodstea
  • woodstea (5 Posts)

    Re: RBAC privileged commands with ALLOW_ALL logged to syslog

    2012-07-02T16:05:51Z
    One solution I've considered is to remove the commands in question from /etc/security/privcmds. I'm not sure though what effect that might have now or in the future. Perhaps the innate privileges tied to those commands are now necessary for a non-root user to execute the command successfully. Or if not now, they will be as the RBAC model matures.

    From my point of view messages about privileged commands with ALLOW_ALL ought to go to a lower syslog level. If we don't care who executes them, shouldn't their execution be more of an INFO or DEBUG sort of event?
  • DavidWong1 (1 Post)

    Re: RBAC privileged commands with ALLOW_ALL logged to syslog

    2013-08-02T15:46:36Z

    Hi Rob, did you ever find a solution to this? We're facing the same issue.

    David.

  • woodstea23 (4 Posts)

    Re: RBAC privileged commands with ALLOW_ALL logged to syslog

    2013-08-21T20:53:29Z

    • DavidWong1
    • 2013-08-02T15:46:36Z
    Hi Rob, did you ever find a solution to this? We're facing the same issue.

    David.

    No, I'm afraid I never did.

  • armink (6 Posts)

    Re: RBAC privileged commands with ALLOW_ALL logged to syslog

    2015-04-13T15:39:57Z
    • woodstea
    • 2012-07-02T16:05:51Z
    One solution I've considered is to remove the commands in question from /etc/security/privcmds. I'm not sure though what effect that might have now or in the future. Perhaps the innate privileges tied to those commands are now necessary for a non-root user to execute the command successfully. Or if not now, they will be as the RBAC model matures.

    From my point of view messages about privileged commands with ALLOW_ALL ought to go to a lower syslog level. If we don't care who executes them, shouldn't their execution be more of an INFO or DEBUG sort of event?

    I faced the same problem... and found your posting. Unfortunately nothing else, so I raised a call at IBM.

    I got an astonishing answer: The developers just decided to log everything. Period. So this is no bug but a "feature".

    They offered 3 solutions:

    1. disable RBAC (chdev -l sys0 -a enhanced_RBAC=false)
    2. ignore kernel messages in syslog (kern.notice). Unfortunately you'll lose all other kern.notice messages.
    3. use rsyslog, it has more filter choices

    Most of the affected users disable RBAC completely... I'll think about that too.


    Armin

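As an added illustration of what option 3 (filtering rather than silencing kern.notice) can look like in practice, here is a small triage script that is not from this thread or from IBM. It parses the message format quoted in the original post and suppresses only the hits for commands whose accessauths is ALLOW_ALL, while keeping hits for restricted privileged commands and every other kern.notice line. The ALLOW_ALL command set and the sample log lines are constructed; on a real LPAR the set would be populated from the privcmds database (e.g. the output of lssecattr -c, whose exact format is not shown here).

```python
import re
from collections import Counter

# Message text as quoted in the original post (AIX 7.1 RBAC privileged-command notice).
PRIVCMD_RE = re.compile(
    r"The privilege command (?P<cmd>\S+), is executed by user with id (?P<uid>\d+)"
)

# Constructed stand-in for the commands whose accessauths is ALLOW_ALL on this LPAR.
# In practice, derive this from /etc/security/privcmds (lssecattr -c) rather than hard-coding it.
ALLOW_ALL_CMDS = {"/usr/sbin/lspv", "/usr/bin/netstat", "/usr/bin/vmstat"}

# Constructed sample syslog lines; the timestamp/host prefix is assumed, the message text is the thread's.
SAMPLE_LOG = """\
Jun 29 23:30:01 lpar1 kern:notice unix: The privilege command /usr/sbin/lspv, is executed by user with id 208
Jun 29 23:30:01 lpar1 kern:notice unix: The privilege command /usr/bin/vmstat, is executed by user with id 208
Jun 29 23:30:02 lpar1 kern:notice unix: The privilege command /usr/bin/netstat, is executed by user with id 208
Jun 29 23:31:17 lpar1 kern:notice unix: The privilege command /usr/sbin/chuser, is executed by user with id 305
Jun 29 23:31:20 lpar1 kern:notice unix: some other kernel notice that must be kept
"""


def parse_privcmd(line):
    """Return (cmd, uid) if the line is an RBAC privileged-command notice, else None."""
    m = PRIVCMD_RE.search(line)
    if m is None:
        return None
    return m.group("cmd"), int(m.group("uid"))


def triage(log_text, allow_all_cmds=ALLOW_ALL_CMDS):
    """Split kern.notice traffic into suppressible noise and lines worth keeping.

    Returns (noise, kept): `noise` counts (cmd, uid) pairs for ALLOW_ALL commands so
    the volume stays visible in a summary; `kept` holds every other line, i.e. hits
    for commands that are actually restricted plus all non-RBAC kern.notice messages.
    """
    noise = Counter()
    kept = []
    for line in log_text.splitlines():
        parsed = parse_privcmd(line)
        if parsed is not None and parsed[0] in allow_all_cmds:
            noise[parsed] += 1
        else:
            kept.append(line)
    return noise, kept


if __name__ == "__main__":
    noise, kept = triage(SAMPLE_LOG)
    for (cmd, uid), n in sorted(noise.items()):
        print(f"suppressed {n:>3} x {cmd} (uid {uid})")
    print("kept:")
    for line in kept:
        print("  " + line)
```

The same discriminator (the fixed message text plus the command path) is what a syslog filter rule would key on; discarding all of kern.notice, as in option 2, would also drop the lines this script keeps.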
  • Sebastian_vdV (1 Post)

    Re: RBAC privileged commands with ALLOW_ALL logged to syslog

    2015-05-06T07:12:00Z

    Sorry for re-opening this old one, but some time has passed since the last reply and we here want to know if there is any news from anybody regarding the initial question and how to avoid filling the syslog with "dumb" entries.


    BR

    Sebastian