T-Series Servers: Solaris messages files filled with SC Alert: Audit events (Open, Close, Activate Session)

Asset ID:	1-72-1531113.1
Update Date:	2017-10-05
Keywords:

Solution Type Problem Resolution Sure

Solution 1531113.1 : T-Series Servers: Solaris messages files filled with SC Alert: Audit events (Open, Close, Activate Session)

Applies to:

SPARC T3-1 - Version All Versions to All Versions [Release All Releases]
SPARC T5-2 - Version All Versions to All Versions [Release All Releases]
SPARC T5-4 - Version All Versions to All Versions [Release All Releases]
SPARC T5-8 - Version All Versions to All Versions [Release All Releases]
SPARC T3-2 - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.

Symptoms

The /var/adm/messages file and console contain SC Alert: Audit events, similar to the following:

SC Alert: [ID 404897 daemon.notice] Audit | minor: root : Activate Session : authentication type = MD5 : privilege level = admin : initial outbound sequence number = 0x5D6D6C4A : challenge string = 0x7E 0x15 0x5E 0x23 0x6C 0x16 0x5C 0xAD 0x21 0x2A 0xE0 0x3 0x5E 0x87 0x3B 0x3 : success
SC Alert: [ID 709409 daemon.notice] Audit | minor: root : Set Session Privilege Level: privilege level = admin : success
SC Alert: [ID 156894 daemon.notice] Audit | minor: root : Close Session : session ID = 1860162966 : success
SC Alert: [ID 438350 daemon.notice] Audit | minor: root : Open Session : object = "/SP/session/type" : value = "shell" : success
SC Alert: [ID 665947 daemon.notice] Audit | minor: root : Close Session : object = "/SP/session/type" : value = "shell" : success
SC Alert: [ID 836814 daemon.notice] Audit | minor: root : Activate Session : authentication type = MD5 : privilege level = admin : initial outbound sequence number = 0x60411ACD : challenge string = 0x9F 0xA 0xB1 0x8C 0xD8 0xAA 0xAF 0x5 0xF8 0x75 0xFD 0xBF 0x2 0xCB 0xEB 0x79 : success
SC Alert: [ID 665947 daemon.notice] Audit | minor: root : Close Session : object = "/SP/session/type" : value = "shell" : success
SC Alert: [ID 438350 daemon.notice] Audit | minor: root : Open Session : object = "/SP/session/type" : value = "shell" : success

SC Alert: Audit events can also be seen in the ILOM snapshot data in the ilom/@usr@local@bin@spshexec_show_-script_@X@logs@audit@list.out file (>= ILOM 3.2.1) or ilom/@usr@local@bin@spshexec_show_-script_@X@logs@event@list.out (< ILOM 3.2.1):

##### ilom/@usr@local@bin@spshexec_show_-script_@X@logs@audit@list.out (>= ILOM 3.2.1) / ilom/@usr@local@bin@spshexec_show_-script_@X@logs@event@list.out (< ILOM 3.2.1) #####

37307 Mon Feb 4 17:13:56 2013 Audit     Log       minor          root : Open Session : object = "/SP/session/type" : value = "shell" : success
37300 Mon Feb 4 17:08:55 2013 Audit     Log       minor          root : Open Session : object = "/SP/session/type" : value = "shell" : success
37294 Mon Feb 4 17:08:13 2013 Audit     Log       minor          root : Set Session Privilege Level: privilege level = admin : success
37293 Mon Feb 4 17:08:13 2013 Audit     Log       minor          root : Activate Session : authentication type = MD5 : privilege level = admin : initial outbound sequence number = 0xCF6B41A9 : challenge string =0xB9 0xBD 0xBE 0x7A 0x85 0x3F 0x95 0x92 0xB9 0x3C 0xE0 0x55 0xC7 0x5B 0x47 0x4F : success
37291 Mon Feb 4 17:08:06 2013 Audit     Log       minor          root : Open Session : object = "/SP/session/type" : value = "shell" : success
37282 Mon Feb 4 17:07:09 2013 Audit     Log       minor          root : Set Session Privilege Level: privilege level = admin : success
37281 Mon Feb 4 17:07:09 2013 Audit     Log       minor          root : Activate Session : authentication type = MD5 : privilege level = admin : initial outbound sequence number = 0x550F8492 : challenge string =0x7B 0xF1 0x88 0x30 0x56 0xA4 0x97 0xC 0xBA 0x3E 0xF5 0xBE 0x88 0xE7 0x6A 0x9E : success
37278 Mon Feb 4 17:03:12 2013 Audit     Log       minor          root : Set Session Privilege Level: privilege level = admin : success
37277 Mon Feb 4 17:03:12 2013 Audit     Log       minor          root : Activate Session : authentication type = MD5 : privilege level = admin : initial outbound sequence number = 0x172A9FC4 : challenge string =0xF1 0xAB 0x15 0x55 0x5B 0x1B 0x80 0xF9 0xC1 0xC8 0x80 0x1B 0xD 0x7A 0xA7 0x4E : success
37275 Mon Feb 4 17:03:06 2013 Audit     Log       minor          root : Open Session : object = "/SP/session/type" : value = "shell" : success
37266 Mon Feb 4 17:02:09 2013 Audit     Log       minor          root : Set Session Privilege Level: privilege level = admin : success
37265 Mon Feb 4 17:02:09 2013 Audit     Log       minor          root : Activate Session : authentication type = MD5 : privilege level = admin : initial outbound sequence number = 0xD5FEC1E1 : challenge string =0xFA 0x8B 0x41 0x21 0xE3 0x2D 0x55 0xFD 0xB5 0x64 0x1C 0x66 0xB6 0x16 0xA7 0xE9 : success
37262 Mon Feb 4 16:58:57 2013 Audit     Log       minor          root : Open Session : object = "/SP/session/type" : value = "shell" : success
37256 Mon Feb 4 16:58:16 2013 Audit     Log       minor          root : Set Session Privilege Level: privilege level = admin : success
37255 Mon Feb 4 16:58:16 2013 Audit     Log       minor          root : Activate Session : authentication type = MD5 : privilege level = admin : initial outbound sequence number = 0xD51DBA87 : challenge string =0xFA 0x40 0x33 0xEE 0xA3 0x8 0xA7 0xCB 0x64 0xAF 0x5 0x2B 0x9E 0xA6 0x470x87 : success
37253 Mon Feb 4 16:58:07 2013 Audit     Log       minor          root : Open Session : object = "/SP/session/type" : value = "shell" : success
37244 Mon Feb 4 16:57:09 2013 Audit     Log       minor          root : Set Session Privilege Level: privilege level = admin : success
37243 Mon Feb 4 16:57:09 2013 Audit     Log       minor          root : Activate Session : authentication type = MD5 : privilege level = admin : initial outbound sequence number = 0x5E9A288 : challenge string = 0xA0 0x1C 0xE8 0xB4 0xFD 0x73 0x31 0xFC 0x27 0x58 0xEC 0x34 0x1A 0x87 0xF0x1E : success

Cause

The SC Alert: Audit events are ILOM audit events, they just indicates audit information (login/logout/session information) from the ILOM, and do not indicate a bug.

All versions of ILOM (and ALOM before it) have supported this functionality.

If you are using OPS Center, those are likely OPS Center logins, monitoring the environment. They are normal when there is a monitoring tool like Ops Center present and enabled.

ILOM does not allow auditing to be turned off.

Solution

The events SC Alert are still forwarded on the host's /var/adm/messages file, regardless if it is a Event or Audit.

In ILOM >= ILOM 3.2.1, the audit events are separated (are reported in the audit list file:/persist/logmgr_audit.log, show /SP/logs/audit/list), they don't appear in the event list (/persist/logmgr.log, show /SP/logs/event/list) anymore), but the events (SC Alert: Event / Audit) are still forwarded on the host's /var/adm/messages file and there are no plans for now to change this.

Workaround

As a workaround, you may manually redirect the SC alerts into a separate log file or you may prevent that these SC alerts show up in any log file by making several changes, as described below.

Option 1: to manually redirect the SC Alert (Event / Audit) events to a separate log file (the recommendation is to use Option 1)

1. check to see, if there is a directory called "fmd" under the path: /usr/platform/`uname -i`/lib/fm

a) example from a Sparc Enterprise T5220 Server:

bash-3.2# uname -i
SUNW,SPARC-Enterprise-T5220
bash-3.2#
bash-3.2# ls /usr/platform/`uname -i`/lib/fm
topo
bash-3.2#

b) example from a Sun Fire T5240 Server:

bash-3.2# uname -i
SUNW,T5240
bash-3.2# ls /usr/platform/`uname -i`/lib/fm
fmd topo
bash-3.2#

2. if there is a directory called "fmd" under the path: /usr/platform/`uname -i`/lib/fm

then open in vi the file: /usr/platform/`uname -i`/lib/fm/fmd/plugins/etm.conf

else open in vi the file: /usr/platform/sun4v/lib/fm/fmd/plugins/etm.conf

3. add the following entries at the end of the corresponding etm.conf file

setprop etm_alert_facility LOG_LOCAL0

4. restart the fmd service

# svcadm disable svc:/system/fmd:default
# svcadm enable svc:/system/fmd:default

5. add the following entry at the end of the file /etc/syslog.conf

local0.info /var/adm/ilomlog

Hint: Separate text strings with tabs, not spaces, in syslog.conf.
This way you avoid getting the following error upon restart of the system-log service:

bash-3.2# svcadm restart svc:/system/system-log:default
syslogd: line 32: unknown priority name "info /var/adm/ilomlog"

6. create the file "/var/adm/ilomlog"

# touch /var/adm/ilomlog

7. bring the file "/var/adm/ilomlog" under control of logadm

# logadm -C 4 -P "`date +%c`" -a 'kill -HUP `cat /var/run/syslog.pid`' -w /var/adm/ilomlog

8. restart the system-log service

# svcadm disable svc:/system/system-log:default
# svcadm enable svc:/system/system-log:default

All subsequent logins to the ILOM will generate SC Alert: Audit events that will be stored in the file /var/adm/ilomlog

Option 2: to prevent, that the SC Alert (Event / Audit) events show up in the /var/adm/messages file

1. check to see, if there is a directory called "fmd" under the path: /usr/platform/`uname -i`/lib/fm

setprop etm_alert_syslog false

Please be aware of a typo in the commentary field of the etm.conf file;
it shows an incorrect example of the following command:

Incorrect command: "setprop etm_alert_syslogd false"
Correct command: "setprop etm_alert_syslog false"

4. restart the fmd service

# svcadm disable svc:/system/fmd:default
# svcadm enable svc:/system/fmd:default

All subsequent logins to the ILOM won't generate any SC Alert: Audit events in the file /var/adm/messages

References

<BUG:17602655> - TYPO IN ETM.CONF

Attachments

This solution has no attachment