How To
Summary
Any user on the system can view the error report using the errpt command, exposing internal system errors to all users.
Objective
Securing the error report so that only privileged users can view it.
Environment
AIX 7200-03-00 onwards
Steps
The restriction can be enabled or disabled by a system administrator using "/usr/lib/errdemon -R enable"
and "/usr/lib/errdemon -R disable". This restriction is disabled by default.
When the restriction is disabled, any user can view the system error report:
(0) testuser @ spruce1: /
# errpt
IDENTIFIER TIMESTAMP T C RESOURCE_NAME DESCRIPTION
DE84C4DB 0711092118 I O ConfigRM IBM.ConfigRM daemon has started.
69350832 0711091818 T S SYSPROC SYSTEM SHUTDOWN BY USER
9DBCFDEE 0711091918 T O errdemon ERROR LOGGING TURNED ON
To enable the restriction:
(0) root @ spruce1: /
# /usr/lib/errdemon -R enable
(0) root @ spruce1: /
# /usr/lib/errdemon -l
Error Log Attributes
--------------------------------------------
Log File /var/adm/ras/errlog
Log Size 1048576 bytes
Memory Buffer Size 32768 bytes
Duplicate Removal true
Duplicate Interval 10000 milliseconds
Duplicate Error Maximum 1000
PureScale Logging off
PureScale Logstream CentralizedRAS/Errlog
Restrict errpt to privileged users enable
After enabling the restriction, users who do not hold the required authorization and try to run errpt
receive an error message:
(0) testuser @ spruce1: /
# errpt
errpt:
User does not has sufficient authorizations.
How to enable a user to view the error report
Make the user privileged by assigning the aix.ras.error.errpt authorization, for example through a role:
(0) root @ spruce1: /
# mkrole authorizations="aix.ras.error.errpt" role_errpt
(0) root @ spruce1: /
# chuser roles=role_errpt testuser
(0) root @ spruce1: /
# setkst
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.
Successfully updated the Kernel RBAC log level.
Now the normal user "testuser" can execute errpt after switching to the role:
(0) testuser @ spruce1: /
# swrole role_errpt
testuser's Password:
(0) testuser @ spruce1: /
# errpt
IDENTIFIER TIMESTAMP T C RESOURCE_NAME DESCRIPTION
DE84C4DB 0711092118 I O ConfigRM IBM.ConfigRM daemon has started.
69350832 0711091818 T S SYSPROC SYSTEM SHUTDOWN BY USER
9DBCFDEE 0711091918 T O errdemon ERROR LOGGING TURNED ON
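The steps above show how to enable the restriction and read its state from the "Error Log Attributes" listing. The following script is an added audit helper, not part of the IBM page, that parses that listing (the "Restrict errpt to privileged users" line shown above, with the values "enable"/"disable") and returns a pass/fail status; the two sample listings are constructed from the page's output so the check runs without an AIX host.

```shell
#!/bin/sh
# Added audit helper (not from the IBM page): decide from the output of
# "/usr/lib/errdemon -l" whether errpt is restricted to privileged users.
# Assumes the attribute label and values exactly as shown on the page.

# Constructed sample listings, shaped like the page's errdemon -l output.
SAMPLE_ENABLED='Error Log Attributes
--------------------------------------------
Log File                        /var/adm/ras/errlog
Restrict errpt to privileged users enable'

SAMPLE_DISABLED='Error Log Attributes
--------------------------------------------
Log File                        /var/adm/ras/errlog
Restrict errpt to privileged users disable'

# Read a listing on stdin and print the restriction value ("enable" or
# "disable"); print "unknown" when the attribute line is absent.
errpt_restriction_state() {
    awk '/^Restrict errpt to privileged users/ { print $NF; found = 1 }
         END { if (!found) print "unknown" }'
}

# Audit the listing on stdin: exit 0 when restricted, 1 when any user can
# read the error log, 2 when the state cannot be determined.
audit_errpt_restriction() {
    case "$(errpt_restriction_state)" in
        enable)
            echo "PASS: errpt is restricted to privileged users"
            return 0 ;;
        disable)
            echo "FAIL: any user can read the error log; fix with /usr/lib/errdemon -R enable"
            return 1 ;;
        *)
            echo "UNKNOWN: restriction attribute not found in errdemon -l output"
            return 2 ;;
    esac
}

# On a live AIX host feed the real listing; elsewhere demonstrate with the samples.
if [ -x /usr/lib/errdemon ]; then
    /usr/lib/errdemon -l | audit_errpt_restriction || echo "audit exit status: $?"
else
    printf '%s\n' "$SAMPLE_ENABLED"  | audit_errpt_restriction || echo "audit exit status: $?"
    printf '%s\n' "$SAMPLE_DISABLED" | audit_errpt_restriction || echo "audit exit status: $?"
fi
```

Run it from a compliance job with root privileges so that errdemon -l produces the listing; a non-zero exit status flags a host whose error log is still world-readable.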
Document Information
Modified date: 15 September 2021
UID: ibm10719269