
How can I track the communication between AIX LPARs


passion7aix

Technical User
May 1, 2013
Hello everyone,
I have a question about AIX: how can I track the communication between LPARs?
I mean, how can we find out if a program/account is trying to access a directory/file inside an AIX LPAR or from another LPAR?

If someone is trying to access our LPAR, where can I track that info? Or if an outside program is denied permission while accessing some folder in AIX, where can I find the logs?

Thanks,
admin
 
Hmmm,

With AIX you can go to a granular level of monitoring and management.

If anyone is trying to log in to your system, he either has an account or has snooped someone's password.
You have to look at the network services to track any remote user and the shell/protocol they are using, like ftp, telnet, rsh, rexec, etc., and you can block these by commenting them out in the /etc/inetd.conf file (then run refresh -s inetd).

If you are using a secure protocol or shell (e.g. ssh, sftp), the user name and password are protected.

In any case, if you run who or w, it will list the currently logged-in users. You will know who it is.

If the user is locally running any file or script, you can trace it down. If you suspect a user is running a script, you can grep for that user and it will disable the process id for each executable.

You can track who was trying to log in.
All the system logs are managed by the syslog daemon (/etc/syslog.conf), and they can be found under /var/adm or /var/log, like messages, sudo logs, su logs, sshd logs, etc.

Also, if you run who -u wtmp (under /var/adm), it will give you a list of users with their IP addresses and login times.

For failed login attempts, you can look in /etc/security for a file called failedlogin.
Run who -u failedlogin; it will list all the names and IP addresses.

If you suspect someone is accessing a particular directory or file system which they are not supposed to,
run fuser -cu /<file system or directory name>; it will list the user name and process id.


Note: Access from another LPAR can happen in two cases:
1. The user exists on the local system.
2. The ssh key pair has been exchanged.

Tighten your security by blocking unsecure ports.
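
The /etc/inetd.conf check from the reply above, as an added example that is not part of the original post: it lists the legacy cleartext services that are still uncommented, and so still enabled. The function names and the sample file are constructed for illustration; in inetd.conf, rsh and rexec appear under the service names "shell" and "exec", and rlogin ("login") is included here as well.

```shell
#!/bin/sh
# Added example: report legacy cleartext services still enabled in an
# inetd.conf-style file. A line starting with '#' is a disabled entry.

# inetd.conf service names: rsh is "shell", rlogin is "login", rexec is "exec".
LEGACY_SERVICES="ftp telnet shell login exec"

# enabled_legacy_services [FILE|-]
# Prints "service protocol server-path" for each active legacy entry.
# Defaults to /etc/inetd.conf; "-" reads the file content from stdin.
enabled_legacy_services() {
    conf=${1:-/etc/inetd.conf}
    if [ "$conf" != "-" ] && [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi
    awk -v wanted="$LEGACY_SERVICES" '
        BEGIN { n = split(wanted, w, " ")
                for (i = 1; i <= n; i++) legacy[w[i]] = 1 }
        /^[ \t]*#/     { next }   # commented out, so disabled
        NF < 6         { next }   # not a complete service entry
        ($1 in legacy) { print $1, $3, $6 }
    ' "$conf"
}

# Constructed sample in inetd.conf layout, not taken from a real system:
# name  socket  proto  wait  user  server-path  args
sample_inetd_conf() {
    cat <<'EOF'
## constructed sample
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
#telnet stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd      rshd
#login  stream  tcp6    nowait  root    /usr/sbin/rlogind   rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd    rexecd
time    stream  tcp     nowait  root    internal
EOF
}

# Demo on the sample; on an LPAR, call enabled_legacy_services with no argument.
sample_inetd_conf | enabled_legacy_services -
```

Any line this prints is a service that still needs to be commented out before running refresh -s inetd.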



 
Thanks much for your useful info. Appreciate your help, @AIXLogician.
The information which you posted is really useful to me. Sorry I did not give specific info.

Here is the thing:

We exported some file systems over the network using NFS to 2 AIX LPARs. Some program on those 2 LPARs wanted to access the source LPAR's file system. Initially I had not provided root access to the destination LPARs via NFS.

Some account/program on a destination LPAR wanted to access a file in the NFS file share, but we got a "file not found" error.
Then I provided root authority to the 2 LPARs, and it worked.

My question was: "Where can we track the denial/acceptance information on the source LPAR?"


[root@source lpar]/var/adm/ras>
-rw-r--r-- 1 root system 266844 Apr 23 12:12 syslog.caa

I found some useful info in that file, but I am still skeptical about it.

Any idea is highly appreciated.

Thanks,
admin










 