IBM Support

Restricted access to error reporting

How To


Summary

Any user on the system can view the error report with the errpt command, exposing internal system errors to all users.

Objective

Secure the error report so that only privileged users can view it.

Environment

AIX 7200-03-00 onwards

Steps

The restriction can be enabled or disabled by a system administrator with "/usr/lib/errdemon -R enable"
and "/usr/lib/errdemon -R disable". The restriction is disabled by default.

When the restriction is disabled, any user can view the system error report.
(0) testuser @ spruce1: /
# errpt
IDENTIFIER TIMESTAMP  T C RESOURCE_NAME  DESCRIPTION
DE84C4DB   0711092118 I O ConfigRM       IBM.ConfigRM daemon has started.
69350832   0711091818 T S SYSPROC        SYSTEM SHUTDOWN BY USER
9DBCFDEE   0711091918 T O errdemon       ERROR LOGGING TURNED ON

To enable the restriction
(0) root @ spruce1: /
# /usr/lib/errdemon -R enable

(0) root @ spruce1: /
# /usr/lib/errdemon -l
Error Log Attributes
--------------------------------------------
Log File                /var/adm/ras/errlog
Log Size                1048576 bytes
Memory Buffer Size      32768 bytes
Duplicate Removal       true
Duplicate Interval      10000 milliseconds
Duplicate Error Maximum 1000
PureScale Logging       off
PureScale Logstream     CentralizedRAS/Errlog
Restrict errpt to privileged users      enable

After the restriction is enabled, users without the required authorization who run errpt receive an error message.

(0) testuser @ spruce1: /
# errpt
errpt:
        User does not has sufficient authorizations.


How to enable a user to view the error report

Make the user privileged by assigning the aix.ras.error.errpt authorization, here through a role:

(0) root @ spruce1: /
# mkrole authorizations="aix.ras.error.errpt" role_errpt

(0) root @ spruce1: /
# chuser roles=role_errpt testuser

(0) root @ spruce1: /
# setkst
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.
Successfully updated the Kernel RBAC log level.


Now the normal user "testuser" can execute errpt:

(0) testuser @ spruce1: /
# swrole role_errpt
testuser's Password:

(0) testuser @ spruce1: /
# errpt
IDENTIFIER TIMESTAMP  T C RESOURCE_NAME  DESCRIPTION
DE84C4DB   0711092118 I O ConfigRM       IBM.ConfigRM daemon has started.
69350832   0711091818 T S SYSPROC        SYSTEM SHUTDOWN BY USER
9DBCFDEE   0711091918 T O errdemon       ERROR LOGGING TURNED ON
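The following audit helper is an added example and is not part of the IBM page: it checks the two things the procedure above changes, namely whether "Restrict errpt to privileged users" is enabled in the "errdemon -l" output and which roles carry the aix.ras.error.errpt authorization. The sample text it parses is constructed to mirror the page's output; the assumed format of "lsrole -a authorizations ALL" (one "role_name authorizations=a,b" line per role) is an assumption and should be confirmed on the target AIX release.

```shell
#!/bin/sh
# Added example, not from the IBM page: audit the errpt restriction and the
# roles that grant aix.ras.error.errpt.
# On a live AIX host (run as root) you would feed the real command output:
#   errpt_restriction "$(/usr/lib/errdemon -l)"
#   roles_with_errpt_auth "$(lsrole -a authorizations ALL)"
# The lsrole line format below is an assumption, not taken from the page.

# Print "enable", "disable" or "unknown" given the text of `errdemon -l`.
errpt_restriction() {
    printf '%s\n' "$1" | awk '
        /^Restrict errpt to privileged users/ { print $NF; found = 1 }
        END { if (!found) print "unknown" }'
}

# Print the names of roles whose authorizations include aix.ras.error.errpt,
# given output in the form "role_name authorizations=auth1,auth2".
roles_with_errpt_auth() {
    printf '%s\n' "$1" | awk '
        /authorizations=/ {
            split($2, kv, "=")
            n = split(kv[2], auths, ",")
            for (i = 1; i <= n; i++)
                if (auths[i] == "aix.ras.error.errpt") { print $1; break }
        }'
}

# Constructed sample output mirroring the page (not captured from a real host).
SAMPLE_ERRDEMON='Error Log Attributes
--------------------------------------------
Log File                /var/adm/ras/errlog
Log Size                1048576 bytes
Restrict errpt to privileged users      enable'

# Constructed sample roles: one granting errpt, one unrelated.
SAMPLE_LSROLE='role_errpt authorizations=aix.ras.error.errpt
role_backup authorizations=aix.fs.manage.backup,aix.fs.manage.restore'

# Demo run: ./audit_errpt.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "errpt restriction: $(errpt_restriction "$SAMPLE_ERRDEMON")"
    echo "roles granting errpt: $(roles_with_errpt_auth "$SAMPLE_LSROLE")"
fi
```

A result of "disable" or "unknown" from the first function means any user can still read the error report; the second function lists the roles an administrator should review (with lsuser roles=... for the users holding them) when deciding who keeps access.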


Document Information

Modified date:
15 September 2021

UID

ibm10719269