There are two kinds of obvious passwords:
1. Dictionary words or common acronyms
2. Names or phrases that are in common use within your organisation
Fortunately there are some simple ways to prevent users making poor choices:
1. Enforce password history and ageing. This prevents a password from being re-used and forces it to be changed periodically:
# chsec -f /etc/security/user -s default -a <setting>=<restriction>
histsize = 4
histexpire = 26
minage = 1
maxage = 52
maxexpired = 8
Here histsize is the number of previous passwords AIX remembers and histexpire is how long (in weeks) an old password stays unusable; minage, maxage and maxexpired are also in weeks. Remember that a value set in a user's own stanza overrides the default stanza, so check both with "lssec -f /etc/security/user" when you want to know what actually applies to an account.
2. Set password composition restrictions, e.g. a minimum length, a minimum number of alphabetic and non-alphabetic characters, and a limit on repeated characters. The related login attributes are shown with them:
# chsec -f /etc/security/user -s default -a <setting>=<restriction>
logintimes =
pwdwarntime = 5
loginretries = 5
minalpha = 2
minother = 2
minlen = 8
mindiff = 4
maxrepeats = 2
minalpha and minother are the minimum numbers of alphabetic and non-alphabetic characters, mindiff is the minimum number of characters that must differ from the previous password and maxrepeats caps how often a single character may appear. pwdwarntime is the number of days' warning a user gets before the password expires, and loginretries locks the account after that many consecutive failed logins.
3. Use a custom dictionary to prevent the use of words that are in common use in your organisation or are so common as to be easily guessed:
Create a text file, or use the standard "/usr/share/dict/words" file, containing the list of banned words or terms, e.g.
Vodafone01
1106HHAmsterdam
Discount!
Set the AIX default password restrictions to check these words when a user changes their password (dictionlist accepts a comma-separated list of files, so you can keep the standard dictionary and add a site-specific file beside it):
# chsec -f /etc/security/user -s default -a dictionlist=/usr/share/dict/words
Once the restrictions are in place the users are then prevented from choosing a word from this list:
$ passwd
Changing password for "test"
test's Old password:
test's New password: (the password entered is "test")
3004-335 Passwords must not match words in the dictionary.
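To see how the three groups of settings above combine, here is an added example (not code from the original post and not AIX's own implementation) that models the composition, history and dictionary rules in Python and audits an lssec listing against the values used on this page. The rule semantics, the dictionary contents and the sample lssec line are assumptions constructed for the example.

```python
"""Model of the AIX password restrictions discussed above.

The rule semantics are assumptions based on the documented meaning of each
/etc/security/user attribute; they are not AIX's own implementation.
"""
from collections import Counter

# Constructed policy mirroring the 'default' stanza values used on this page.
BASELINE = {
    "minlen": 8,
    "minalpha": 2,
    "minother": 2,
    "mindiff": 4,
    "maxrepeats": 2,
    "histsize": 4,
}

# Constructed stand-in for a dictionlist file; words are compared case-insensitively here.
DICTIONARY = {"test", "password", "vodafone01", "1106hhamsterdam", "discount!"}


def check_password(new, old="", history=(), policy=BASELINE, dictionary=DICTIONARY):
    """Return the names of the rules the candidate breaks (empty list = accepted).

    history is assumed to be ordered most recent first.
    """
    failures = []
    alpha = sum(1 for c in new if c.isalpha())
    other = len(new) - alpha                      # minother counts non-alphabetic characters
    if len(new) < policy["minlen"]:
        failures.append("minlen")
    if alpha < policy["minalpha"]:
        failures.append("minalpha")
    if other < policy["minother"]:
        failures.append("minother")
    # mindiff: distinct characters of the new password that do not occur in the old one
    if old and len(set(new) - set(old)) < policy["mindiff"]:
        failures.append("mindiff")
    # maxrepeats: no single character may occur more than maxrepeats times
    if new and max(Counter(new).values()) > policy["maxrepeats"]:
        failures.append("maxrepeats")
    if new in list(history)[: policy["histsize"]]:
        failures.append("histsize")
    if new.lower() in dictionary:
        failures.append("dictionlist")
    return failures


def parse_lssec(line):
    """Parse one line of lssec output, '<stanza> attr=value attr=value ...'."""
    stanza, _, rest = line.strip().partition(" ")
    attrs = {}
    for item in rest.split():
        key, _, value = item.partition("=")
        attrs[key] = int(value) if value.isdigit() else value
    return stanza, attrs


def audit(actual, baseline=BASELINE):
    """Return the attributes whose current value is weaker than the baseline."""
    weak = {}
    for key, wanted in baseline.items():
        have = actual.get(key)
        if not isinstance(have, int):
            weak[key] = have                      # unset or non-numeric: not enforced
        elif key == "maxrepeats":
            if have > wanted:                     # the one rule where smaller is stricter
                weak[key] = have
        elif have < wanted:
            weak[key] = have
    return weak


# Constructed sample of `lssec -f /etc/security/user -s default -a minlen -a ...` output
# for a stanza that was only partly hardened (AIX ships with maxrepeats=8, histsize=0).
SAMPLE_LSSEC = "default minlen=8 minalpha=2 minother=2 mindiff=4 maxrepeats=8 histsize=0"

if __name__ == "__main__":
    for candidate in ("test", "aaab1234", "Summer-2014!"):
        print(candidate, "->", check_password(candidate, old="Winter-2013!") or "ok")
    stanza, attrs = parse_lssec(SAMPLE_LSSEC)
    print(stanza, "weak settings:", audit(attrs))
```

The audit function is the check worth running across a fleet: feed it the lssec output of each server's default stanza and it lists the attributes still at their permissive value. Note that it treats an empty or missing attribute as "not enforced", which is what an unset histsize or dictionlist means on AIX.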
Sunday, 31 August 2014
Friday, 29 August 2014
Running a server in Turbocore Mode
You can configure a model 780 or 795 server to run in TurboCore mode (rather than the standard MaxCore mode) in order to improve the performance of processes that cannot take advantage of threading. In this mode up to half of the processor cores on each single-chip module (SCM) are disabled and their L3 cache is made available to the active processor cores on the chip, which provides a performance boost to the active cores.
The number of cores used in TurboCore mode is equal to the number of activated processors, but only up to a maximum of half the number of cores physically installed.
Take a server with 32 physical processor cores, 14 of them activated, running in TurboCore mode: it has 14 cores available, because 14 is below the cap of 16 (half of 32). If you re-IPL the system and switch to MaxCore mode you still have 14 processor cores. The same is true in the other direction, switching from MaxCore to TurboCore mode.
If the server has an odd number of activated cores, only half the number of physical cores will be available.
There are special rules that apply when ordering a 780 or 795 that is intended to be used in TurboCore mode. The server can be delivered ready configured in this mode.
The change applies to the entire server and not just an LPAR and is managed via the ASMI interface.
Wednesday, 27 August 2014
Analysing Java performance
A badly configured Java VM can affect the performance of your entire system.
The behaviour of the Java garbage collector can be an indication of configuration and performance problems; however, in order to get this information you need to start your VM with some extra options.
Logging is activated with the "-verbose:gc" option and redirected to a file using the "-Xverbosegclog:<file>" option.
Verbose logging captures many types of GC events, including:
regular GC cycles
allocation failures
heap expansion and contraction
concurrent marking events
scavenger collections.
Verbose logs also show the approximate length of time many events take, the number of bytes processed (if applicable), and other relevant metrics.
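The analysis the post describes, as an added example that is not from the original post or from IBM: a Python script that reads a verbose GC log in the Java 6 J9 layout (allocation-failure events wrapping a collection, with heap state and pause times) and reports how much wall time went to GC, how many times the heap expanded and how full it ended up. The log text is constructed for the example, and the 10% "too much time in GC" threshold is an assumed starting point, not an IBM recommendation.

```python
"""Summarise an IBM J9 verbose GC log written with -verbose:gc -Xverbosegclog:<file>.

The event layout (<af> allocation failures wrapping a <gc> with <tenured> and
<time totalms> children, plus <expansion> records) follows the Java 6 J9 format;
the numbers below are constructed, not a real capture.
"""
import xml.etree.ElementTree as ET

SAMPLE_LOG = """\
<af type="tenured" id="1" timestamp="Mon Aug 25 14:00:01 2014" intervalms="0.000">
  <tenured freebytes="0" totalbytes="67108864" percent="0" />
  <gc type="global" id="1" totalid="1" intervalms="0.000">
    <tenured freebytes="45088768" totalbytes="67108864" percent="67" />
    <time totalms="12.345" />
  </gc>
  <tenured freebytes="45080560" totalbytes="67108864" percent="67" />
  <time totalms="12.600" />
</af>
<af type="tenured" id="2" timestamp="Mon Aug 25 14:00:02 2014" intervalms="1200.000">
  <tenured freebytes="0" totalbytes="67108864" percent="0" />
  <gc type="global" id="2" totalid="2" intervalms="1200.000">
    <expansion type="tenured" amount="16777216" newsize="83886080" timetaken="0.200" reason="excessive time being spent in gc" />
    <tenured freebytes="50331648" totalbytes="83886080" percent="60" />
    <time totalms="20.000" />
  </gc>
  <tenured freebytes="50323440" totalbytes="83886080" percent="60" />
  <time totalms="20.300" />
</af>
<af type="tenured" id="3" timestamp="Mon Aug 25 14:00:03 2014" intervalms="800.000">
  <tenured freebytes="0" totalbytes="83886080" percent="0" />
  <gc type="global" id="3" totalid="3" intervalms="800.000">
    <tenured freebytes="8388608" totalbytes="83886080" percent="10" />
    <time totalms="249.500" />
  </gc>
  <tenured freebytes="8380400" totalbytes="83886080" percent="10" />
  <time totalms="250.000" />
</af>
"""


def parse_events(text):
    """Return one dict per <af> event: interval, total pause and heap state afterwards."""
    # A log from a running JVM has no enclosing root element yet, so wrap the text.
    root = ET.fromstring("<log>" + text + "</log>")
    events = []
    for af in root.findall("af"):
        # The last <time totalms> directly under <af> is the whole pause, GC included.
        pauses = [float(t.get("totalms")) for t in af.findall("time") if t.get("totalms")]
        gc = af.find("gc")
        expansions = [] if gc is None else [int(e.get("newsize")) for e in gc.findall("expansion")]
        after = af.findall("tenured")[-1]          # heap state once the event completed
        events.append({
            "id": int(af.get("id")),
            "interval_ms": float(af.get("intervalms")),
            "pause_ms": pauses[-1] if pauses else 0.0,
            "free_after": int(after.get("freebytes")),
            "total_after": int(after.get("totalbytes")),
            "expansions": expansions,
        })
    return events


def summarise(events, gc_share_limit=0.10):
    """Aggregate the events; 'unhealthy' flags a JVM spending too much wall time in GC."""
    elapsed = sum(e["interval_ms"] for e in events)   # time between allocation failures
    pause = sum(e["pause_ms"] for e in events)
    share = pause / elapsed if elapsed else 0.0
    last = events[-1] if events else None
    return {
        "allocation_failures": len(events),
        "pause_ms": round(pause, 3),
        "elapsed_ms": elapsed,
        "gc_share": share,
        "heap_expansions": sum(len(e["expansions"]) for e in events),
        "final_heap_bytes": last["total_after"] if last else 0,
        "final_free_percent": round(100 * last["free_after"] / last["total_after"]) if last else 0,
        "unhealthy": share > gc_share_limit,
    }


if __name__ == "__main__":
    for key, value in summarise(parse_events(SAMPLE_LOG)).items():
        print(f"{key:20} {value}")
```

In the constructed log the third collection takes a quarter of a second and leaves the heap 90% full right after an expansion, so the summary flags the VM; on a real log that pattern (long pauses, little free space after each global collection, repeated expansions) points at a heap that is too small for the workload or at a leak.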
For more information see the IBM Java performance page:
http://www-01.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.doc.diagnostics.60/diag/tools/gcpd_verbosegc.html
The Java Performance Advisor is an automated Java testing tool and can be downloaded from:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Power%20Systems/page/Java%20Performance%20Advisor%20%28JPA%29
NISTIR 7966 (Draft): Security of Automated Access Management Using Secure Shell
NIST (National Institute of Standards and Technology) has just published a draft version of their view on the correct way (best practices) to manage SSH keys:
http://csrc.nist.gov/publications/drafts/nistir-7966/nistir_7966_draft.pdf
Tuesday, 26 August 2014
Mounting a Windows filesystem on AIX
A lot of people don't realise that there are two optional AIX filesets on the Expansion DVD that enable you to mount a CIFS filesystem on AIX:
bos.cifs_fs.rte Runtime for SMBFS
bos.cifs_fs.smit SMIT Interface for SMBFS
Once installed you have to reboot your server to activate the kernel extension.
You should now see that the mount command accepts the "-v cifs" argument, and that smitty mount also has CIFS as a valid choice in the F4 popup.
Example:
# mount -v cifs -n laptop/Andrew/Password /Users /mnt
# df /mnt
Filesystem 512-blocks Free %Used Iused %Iused Mounted on
laptop:/Users 1916172280 967849240 50% 0 0% /mnt
# ls -l /mnt
total 5
drwxr-xr-x 1 root system 16384 Aug 25 08:38 Andrew
drwxr-xr-x 1 root system 16384 May 27 09:20 Backup
drwxr-xr-x 1 root system 16384 Aug 30 2013 Default
drwxr-xr-x 1 root system 16384 Jun 04 09:57 Public
drwxr-xr-x 1 root system 16384 Jan 29 2014 andre_000
-rwxr-xr-x 1 root system 174 Aug 22 2013 desktop.ini
See the mount manual page for more options. Note that the password given with "-n" is part of the command line, so it is visible to every user on the system via ps while the mount runs and is saved in your shell history; clear it from the history afterwards and, for a recurring mount, run the command from a root-only script rather than typing it interactively.
If you have the "samba-client" fileset installed you can also see what your Windows machines are sharing e.g.
# smbclient -L //laptop -U Andrew
Enter Andrew's password:
Domain=[LAPTOP] OS=[Windows 8.1 9600] Server=[Windows 8.1 6.3]
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
print$ Disk Printer Drivers
Users Disk
Domain=[LAPTOP] OS=[Windows 8.1 9600] Server=[Windows 8.1 6.3]
Server Comment
--------- -------
Workgroup Master
--------- -------
Monday, 25 August 2014
Managing your cron logs
Previous versions of AIX would keep writing to the same cron log until either the disk filled, you restarted the process or you managed the file manually. AIX 6.1 introduced the "/etc/cronlog.conf" configuration file, and it is now possible to limit the size of the log file automatically and to rotate old versions, e.g.
logfile=/var/adm/cron.log
size=100K
rotate=4
archive=/usr/home
compress
Will write to "cron.log" and automatically rotate and compress it:
# ls -l /var/adm/cron.log*
-rw-rw-r-- 1 root cron 79986 Aug 25 14:00 /var/adm/cron.log
-rw-rw-r-- 1 root cron 15301 Aug 12 13:40 /var/adm/cron.log.0.Z
-rw-rw-r-- 1 root cron 15018 Aug 16 11:45 /var/adm/cron.log.1.Z
-rw-rw-r-- 1 root cron 14334 Aug 18 13:45 /var/adm/cron.log.2.Z
-rw-rw-r-- 1 root cron 14878 Aug 21 06:40 /var/adm/cron.log.3.Z
Sunday, 24 August 2014
AIX Introductory videos
Here are some nice short Youtube videos that give a nice gentle introduction to AIX:
https://www.youtube.com/playlist?list=PL9B56AF2EBE0F1432