AIX Tips and Tricks
Thursday 5 November 2015
AIX announces AIX 7.2
I found this article in the latest release of the AIX Systems Magazine: http://www.ibmsystemsmag.com/aix/trends/whatsnew/aix72-commitment/
Whilst I am encouraged to hear that IBM continues to develop AIX I cannot help feeling that they are now retreating within themselves and no longer talking to the rest of the IT World as many of the new features can only be described as niche and not really relevant for the rest of us.
For me the killer feature of Linux is the ability to use tools such as YUM to download a product with a single command without having to worry about dependencies. That said there are still some areas where Linux is weak e.g. the lack of a mirrored boot disk, and mksysb.
Sunday 9 August 2015
Show differences between LPAR Profile and Running configuration on IBM POWER servers
prdiff - Show differences between LPAR Profile and Running configuration on IBM POWER servers
http://prdiff.sourceforge.net/
Sunday 14 June 2015
Maintaining an AIX firewall
IBM quietly added a firewall capability (known as ipfilters) to AIX 6.1, however they did not do a particularly good job of either publicising or documenting it. You can either configure ipfilt from the command-line or via smit. The ipfilt toolset is part of the LPP: bos.net.ipsec.rte.
1. If you already have an .exp file, make a copy of your firewall rules file (e.g. ipsec_fltr_rule.exp) in a temporary directory; otherwise export the current rules as follows:
# expfilt -v4 -f /tmp/ipfilt.exp
Directory /tmp/ipfilt.exp created.
Filter rule 2 for IPv4 has been exported successfully.
Filter rule 3 for IPv4 has been exported successfully.
Filter rule 4 for IPv4 has been exported successfully.
Filter rule 5 for IPv4 has been exported successfully.
...
..
Filter rule 56 for IPv4 has been exported successfully.
Filter rule(s) have been exported to /tmp/ipfilt.exp/ipsec_fltr_rule.exp successfully.
2. Flush all existing filter rules:
/usr/sbin/rmfilt -v4 -n all
3. Import the filter rule file from the directory that holds it:
/usr/sbin/impfilt -f /root
4. List the imported filter rules:
/usr/sbin/lsfilt -v 4 -O
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all 0 none Default Rule
2 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 69 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10569
3 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 67 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10567
4 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 43 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10543
5 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 25 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10525
6 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 19 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10519
7 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 13 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10513
8 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 11 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10511
9 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 666 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunPort192.168.1.105666
10 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 635 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunPort192.168.1.105635
11 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 547 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunPort192.168.1.105547
12 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 546 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunPort192.168.1.105546
13 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 194 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunPort192.168.1.105194
14 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 162 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunPort192.168.1.105162
5. Activate the new rules:
/usr/sbin/mkfilt -v4 -u -g start
You can also configure ipfilt from smit as follows:
smitty tcpip
TCP/IP
Move cursor to desired item and press Enter.
Minimum Configuration & Startup
Further Configuration
Use DHCP for TCPIP Configuration & Startup
IPV6 Configuration
Quality of Service Configuration & Startup
Configure IP Security (IPv4)
Configure IP Security (IPv6)
Configure IP Security (IPv4):
Configure IP Security (IPv4)
Move cursor to desired item and press Enter.
Start/Stop IP Security
Basic IP Security Configuration
Advanced IP Security Configuration
Advanced IP Security Configuration:
Advanced IP Security Configuration
Move cursor to desired item and press Enter.
Configure IP Security Filter Rules
List Active IP Security Filter Rules
Activate/Update/Deactivate IP Security Filter Rule
List Encryption Modules
Start/Stop IP Security Filter Rule Log
Start/Stop IP Security Tracing
Backup IKE Database
Restore IKE Database
Initialize IKE Database
View IKE XML DTD
Configure IP Security Filter Rules
Configure IP Security Filter Rules
Move cursor to desired item and press Enter.
List IP Security Filter Rules
Add an IP Security Filter Rule
Change IP Security Filter Rules
Move IP Security Filter Rules
Export IP Security Filter Rules
Import IP Security Filter Rules
Delete IP Security Filter Rules
The important thing to remember is that if you activate the rules and you have made a mistake you will be immediately locked out of your system, so ensure you have a console session open.
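A lockout guard for the procedure above, added here as an example and not code from the post: it parses the one-record-per-line listing that lsfilt -v 4 -O produces, refuses to activate unless an inbound permit for the port you are logged in on is present, and arms a background timer that deactivates the rules with mkfilt -v4 -d (the deactivate flag, which the post does not use) unless you cancel it. The field positions, the sample listing (rule 3 is a made-up admin rule), the tcp/22 check and the 120-second window are all assumptions.

```shell
#!/bin/sh
# Added example (not from the post): guard against locking yourself out when
# activating ipfilt rules. Field positions are assumed from the lsfilt -O
# listing: 2=action 8=protocol 11=dest-port operator 12=dest-port 14=direction

# Constructed sample in lsfilt -v 4 -O format (rule 3 is an assumed admin rule)
SAMPLE='1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all 0 none Default Rule
2 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 69 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunHost192.168.1.10569
3 permit 10.0.0.0 255.255.255.0 0.0.0.0 0.0.0.0 no tcp any 0 eq 22 both inbound no all packets 0 all 0 none Admin SSH from mgmt subnet
4 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 162 both inbound no all packets 0 all 300 none AIXpert:IPv4:ShunPort192.168.1.105162'

# count_action LISTING ACTION: number of rules whose action field matches
count_action() {
    printf '%s\n' "$1" | awk -v a="$2" '$2 == a { n++ } END { print n + 0 }'
}

# permits_inbound LISTING PROTO PORT: succeeds if a permit rule covers
# inbound (or both-direction) PROTO traffic to destination port PORT
permits_inbound() {
    printf '%s\n' "$1" | awk -v p="$2" -v port="$3" '
        $2 == "permit" && ($8 == p || $8 == "all") &&
        $11 == "eq" && $12 == port &&
        ($14 == "inbound" || $14 == "both") { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# apply_rules: refuse to activate unless ssh (tcp/22) stays reachable, then
# activate with a rollback timer. Kill the printed pid once you have confirmed
# a fresh login works; otherwise mkfilt -v4 -d removes the rules after 120 s.
# Only runs on an AIX host when the script is invoked with --apply.
apply_rules() {
    listing=$(/usr/sbin/lsfilt -v 4 -O) || return 1
    if ! permits_inbound "$listing" tcp 22; then
        echo "refusing to activate: no inbound permit for tcp/22" >&2
        return 1
    fi
    echo "loaded rules: $(count_action "$listing" permit) permit," \
         "$(count_action "$listing" shun_host) shun_host"
    ( sleep 120 && /usr/sbin/mkfilt -v4 -d ) &
    echo "rollback timer armed, pid $! (kill $! to keep the rules)"
    /usr/sbin/mkfilt -v4 -u -g start
}

if [ "${1:-}" = "--apply" ]; then apply_rules; fi
```

Run the checks against a saved listing first; the rollback timer is the safety net for the console-session advice above, not a replacement for it.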
Wednesday 6 May 2015
An interesting article about MPIO performance
MPIO (Multi-path IO) has always been an interesting and complex subject. This article has some interesting suggestions:
https://www.ibm.com/developerworks/aix/library/au-aix-mpio/
Sunday 19 April 2015
PCI-DSS 3.1
The latest version of PCI-DSS (3.1) has recently been released (http://searchsecurity.techtarget.com/news/4500244448/PCI-DSS-31-debuts-requires-detailed-new-SSL-security-management-plan) and it includes much tighter rules on the use of certificates and encryption algorithms.
Tuesday 14 April 2015
Locking-down smit
It is possible both to restrict a user's access to smit menus and to prevent them escaping to the shell from a smit session:
If you run:
$ export SMIT_SHELL=n
for a user, then when that user presses F9 they will see the following message:
+--------------------------------------------------------------------------+
|                           INFORMATION MESSAGE                            |
|                                                                          |
| Press Enter or Cancel to return to the                                   |
| application.                                                             |
|                                                                          |
| The Shell function is not available for this                             |
| session.                                                                 |
|                                                                          |
| F1=Help                 F2=Refresh              F3=Cancel                |
| F8=Image                F10=Exit                Enter=Do                 |
+--------------------------------------------------------------------------+
Menu access can also be restricted by editing "/etc/security/smitacl.user" and adding a stanza for a user e.g.
$ cat /etc/security/smitacl.user
default:
        screens = *
        funcmode = roles+acl
backup:
        screens = shutdown,mksysb
        funcmode = roles+acl