Translate

Thursday, 5 November 2015

Nice to get a mention


http://ibmsystemsmag.com/Blogs/AIXchange/November-2015/A-List-of-System-Scanning-Tools/

AIX announces AIX 7.2

I found this article in the latest release of the AIX Systems Magazine: http://www.ibmsystemsmag.com/aix/trends/whatsnew/aix72-commitment/

Whilst I am encouraged to hear that IBM continues to develop AIX I cannot help feeling that they are now retreating within themselves and no longer talking to the rest of thie IT World as many of the new features can only be described as niche and not really relevant for the rest of us.

For me the killer feature of Linux is the ability to use tools such as YUM to download a product with a single command without having to worry about dependencies. That said there are still some areas where Linux us weak e.g. the lack of a mirrored boot disk, and mksysb.

Sunday, 9 August 2015

Sunday, 14 June 2015

Maintaining an AIX firewall

IBM quietly added a firewall capability (known as ipfilters) to AIX 6.1, however they did not do a particularly good job of either publicising or documenting it. You can either configure ipfilt from the command-line or via smit. The ipfilt toolset is part of the LPP: bos.net.ipsec.rte.

1. If you already have an .exp file make a copy of your firewall rules file (e.g. ipsec_fltr_rule.exp) and copy to a temporary directory, or export it as follows:

# expfilt -v4 -f /tmp/ipfilt.exp
Directory /tmp/ipfilt.exp created.
Filter rule 2 for IPv4 has been exported successfully.
Filter rule 3 for IPv4 has been exported successfully.
Filter rule 4 for IPv4 has been exported successfully.
Filter rule 5 for IPv4 has been exported successfully.
...

..
Filter rule 56 for IPv4 has been exported successfully.
Filter rule(s) have been exported to /tmp/ipfilt.exp/ipsec_fltr_rule.exp successfully.


2. flush all existing filter rules

    /usr/sbin/rmfilt -v4 -n all

3. import filter rule file from directory
   /usr/sbin/impfilt -f /root

4. list imported filter rules
   /usr/sbin/lsfilt -v 4 –O




1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all
 packets 0 all 0 none  Default Rule
2 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 69 bo
th inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10569
3 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 67 bo
th inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10567
4 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 43 bo
th inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10543
5 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 25 bo
th inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10525
6 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 19 bo
th inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10519
7 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 13 bo
th inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10513
8 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 11 bo
th inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10511
9 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 666 b
oth inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.105666

10 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 635
both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.10563
5
11 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 547
both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.10554
7
12 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 546
both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.10554
6
13 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 194
both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.10519
4
14 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 162
both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.10516
2

5. Activate the new rules
   /usr/sbin/mkfilt -v4 -u -g start

You can also configure ipfilt from smit as follows:

smitty tcpip

                                     TCP/IP

Move cursor to desired item and press Enter.

  Minimum Configuration & Startup
  Further Configuration
  Use DHCP for TCPIP Configuration & Startup
  IPV6 Configuration
  Quality of Service Configuration & Startup
  Configure IP Security (IPv4)
  Configure IP Security (IPv6)


Configure IP Security (IPv4):




                          Configure IP Security (IPv4)

Move cursor to desired item and press Enter.

  Start/Stop IP Security
  Basic IP Security Configuration
  Advanced IP Security Configuration


Advanced IP Security Configuration:

                       Advanced IP Security Configuration

Move cursor to desired item and press Enter.

  Configure IP Security Filter Rules
  List Active IP Security Filter Rules
  Activate/Update/Deactivate IP Security Filter Rule
  List Encryption Modules
  Start/Stop IP Security Filter Rule Log
  Start/Stop IP Security Tracing
  Backup IKE Database
  Restore IKE Database
  Initialize IKE Database
  View IKE XML DTD

Configure IP Security Filter Rules




                       Configure IP Security Filter Rules

Move cursor to desired item and press Enter.

  List IP Security Filter Rules
  Add an IP Security Filter Rule
  Change IP Security Filter Rules
  Move IP Security Filter Rules
  Export IP Security Filter Rules
  Import IP Security Filter Rules
  Delete IP Security Filter Rules


The import thing to remember is that if you activate the rules and you make a mistake you will be immediately locked-out of your system, so ensure you have a console session open.





Wednesday, 6 May 2015

An interesting article about MPIO performance

MPIO (Multi-path IO) has always been an interesting and complex subject. This article has some interesting suggestions:

https://www.ibm.com/developerworks/aix/library/au-aix-mpio/

Sunday, 19 April 2015

PCI-DSS 3.1

The latest version of PCI-DSS (3.1) has recently released http://searchsecurity.techtarget.com/news/4500244448/PCI-DSS-31-debuts-requires-detailed-new-SSL-security-management-plan and this includes much tighter rules on the use of certificates and encryption algorithms.

Tuesday, 14 April 2015

Locking-down smit

It is possible to restrict a user's access to smit (menus) and to escape to the shell from a smit session:

If you run:

$ export SMIT_SHELL=n

for a user when they press F9 they will see the following error message:

  +--------------------------------------------------------------------------+
  |                           INFORMATION MESSAGE                            |
  |                                                                          |
  | Press Enter or Cancel to return to the                                   |
  | application.                                                             |
  |                                                                          |
  |   The Shell function is not available for this                           |
  |   session.                                                               |
  |                                                                          |
  | F1=Help                 F2=Refresh              F3=Cancel                |
F1| F8=Image                F10=Exit                Enter=Do                 |
F9+--------------------------------------------------------------------------+

Menu access can also be restricted by editing "/etc/security/smitacl.user" and adding a stanza for a user e.g.

$ cat /etc/security/smitacl.user
default:
        screens    =    *
        funcmode   =    roles+acl
backup:
        screens    =    shutdown,mksysb
        funcmode   =    roles+acl