Bookmark and Share
RSS

Recent Posts

Restricting Access to the AIX Error Report

October 16, 2018

Awhile back on Twitter, Chris Gibson noted that, starting with AIX 7.2 TL3, administrators will be able to prevent non-privileged users from viewing the AIX error report.

IBM Support has the details:

The restriction can be enabled or disabled by system administrator using "/usr/lib/errdemon -R enable" and "/usr/lib/errdemon -R disable." By default the restriction is disabled.

When the restriction is disabled, any user can view system error report.
# errpt
IDENTIFIER TIMESTAMP  T C RESOURCE_NAME  DESCRIPTION
DE84C4DB   0711092118 I O ConfigRM     IBM.ConfigRM daemon has started.
69350832   0711091818 T S SYSPROC        SYSTEM SHUTDOWN BY USER
9DBCFDEE   0711091918 T O errdemon       ERROR LOGGING TURNED ON

To enable the restriction
(0) root @ spruce1:/
# /usr/lib/errdemon -R enable

(0) root @ spruce1:/
# /usr/lib/errdemon -l

Error Log Attributes
--------------------------------------------
Log File                 /var/adm/ras/errlog
Log Size                1048576 bytes
Memory Buffer Size      32768 bytes
Duplicate Removal       true
Duplicate Interval      10000 milliseconds
Duplicate Error Maximum 1000
PureScale Logging       off
PureScale Logstream     CentralizedRAS/Errlog
Restrict errpt to privileged users      enable

After enabling the restriction, it will prompt error message if a non-authorized users try to view error report.

(0) testuser @ spruce1:/
# errpt
errpt:
        User does not has sufficient authorizations.

How to enable a user to view error report?
Make him a privileged user by assigning authorization aix.ras.error.errpt

(0) root @ spruce1:/
# mkrole authorizations="aix.ras.error.errpt" role_errpt

(0) root @ spruce1:/
# chuser roles=role_errpt testuser

(0) root @ spruce1:/
# setkst
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.
Successfully updated the Kernel RBAC log level.

Now the normal user "testuser" can execute errpt

(0) testuser @ spruce1:/
# swrole role_errpt
testuser's Password:

(0) testuser @ spruce1:/
# errpt
IDENTIFIER TIMESTAMP  T C RESOURCE_NAME  DESCRIPTION
DE84C4DB    0711092118 I O ConfigRM            IBM.ConfigRM daemon has started.
69350832       0711091818 T S SYSPROC            SYSTEM SHUTDOWN BY USER
9DBCFDEE   0711091918 T O errdemon              ERROR LOGGING TURNED ON


If this applies to your environment, be sure to add this to your build documentation, checklists and gold images once you've updated to AIX 7.2 TL3.

Posted October 16, 2018| Permalink

Post a Comment

Note: Comments are moderated and will not appear until approved

comments powered by Disqus