The purpose is to create a Standard Operating Environment which can be installed through NIM, and offers all functionality as configured on 5.3:
- All default configuration and setup
  - For example DNS, NTP, filesystems, additional software, etc.
- Tuning
  - For example limitations, unnecessary software and services, etc.
- User Environment
  - Profile and homedir configuration
- Security
  - AIX security
  - LDAP authentication on eDirectory
  - Sudo
- Syslog
Although the individual paragraphs refer to further documentation where necessary, the overall document on which this article is based is AIX Post Install. That document was created on AIX 5.3 and gives a lot of background information. This document adds the information specific to AIX 6.1, but does not repeat the background information that is equally valid for AIX 5.3. So, in conclusion, if you need more information, AIX Post Install is your best place to start.
Installation
The installation is performed through NIM and the version installed is:
6100-04-03-1009
which was released in February 2010. During the install I accepted all default settings.
Default Configuration
Change Root
- Change root's password by issuing the command 'passwd' on the command line after login.
- Change root's account through smitty by issuing the command 'smitty users' on the command line:
  - Change / Show Characteristics of a User
  - Select the root user
  - Set root's home directory to /home/root
Note:
- You'll have to create the /home/root directory and set its permissions.
- Because root's home is initially set to /, you might want to copy root's files to its new home directory.
DNS
Setup DNS by editing the 'resolv.conf' configuration file:
# vi /etc/resolv.conf
nameserver 10.10.10.100
nameserver 10.10.10.101
search intranet.company.nl company.local
Note:
- The search entry can have up to a maximum of 1024 character strings for the DomainName variable.
- The first DomainName variable is interpreted as the default domain name.
- The DomainName variable is the name of a domain that should be included in the search list.
- The domain entry and search entry are mutually exclusive. If both entries are used, the one that appears last will override the other.
NTP
Timezone
Setup the timezone through 'smitty':
- System Environments
- Change / Show Date, Time, and Time Zone
- Change Time Zone Using System Defined Values
- Select your country (NL - Netherlands)
- Select your time zone name (Europe/Amsterdam - (GMT+01:00/GMT+02:00) Central Europe)
- Confirm
NTP Config
Setup NTP by editing the 'ntp.conf' configuration file:
# vi /etc/ntp.conf
#broadcastclient
driftfile /etc/ntp.drift
tracefile /etc/ntp.trace
server ntp.company.nl
Set the Time
# ntpdate ntp.company.nl
 3 Mar 10:02:29 ntpdate[250036]: step time server 10.10.10.100 offset 0.975368 sec
# ntpdate ntp.company.nl
 3 Mar 10:02:39 ntpdate[250040]: adjust time server 10.10.10.100 offset 0.000045 sec
NTP Service
Configure the NTP service to start automatically through 'smitty xntpd':
- Start Using the xntpd Subsystem
- BOTH
Reboot
To complete the setup of the time and related services, reboot the system, since the timezone change requires one.
NFS
Add the company NFS share through 'smitty manfs':
- Network File System (NFS)
  - Network File System (NFS)
    - Add a File System for Mounting
      - Pathname of mount point [/exports/install]
      - Pathname of remote directory [/exports/install]
      - Host where remote directory resides [fileserver.company.nl]
      - Mount now, add entry to /etc/filesystems or both? [both]
      - /etc/filesystems entry will mount the directory on system restart. [yes]
      - Mode for this NFS file system [read-only]
      - Transport protocol to use [udp]
      - Allow execution of setuid and setgid programs in this file system? [no]
      - Allow device access via this mount? [no]
Check
There is a new filesystem defined in /etc/filesystems:
/exports/install:
        dev             = "/exports/install"
        vfs             = nfs
        nodename        = fileserver.company.nl
        mount           = true
        options         = ro,bg,hard,intr,proto=udp,nodev,nosuid,sec=sys
        account         = false
This filesystem is already mounted:
# mount
  node                  mounted            mounted over          vfs    date          options
-------- --------------- --------------- ------ ------------ ---------------
         /dev/hd4         /                     jfs2   Mar 03 10:13  rw,log=/dev/hd8
         /dev/hd2         /usr                  jfs2   Mar 03 10:13  rw,log=/dev/hd8
         /dev/hd9var      /var                  jfs2   Mar 03 10:13  rw,log=/dev/hd8
         /dev/hd3         /tmp                  jfs2   Mar 03 10:13  rw,log=/dev/hd8
         /dev/hd1         /home                 jfs2   Mar 03 10:14  rw,log=/dev/hd8
         /dev/hd11admin   /admin                jfs2   Mar 03 10:14  rw,log=/dev/hd8
         /proc            /proc                 procfs Mar 03 10:14  rw
         /dev/hd10opt     /opt                  jfs2   Mar 03 10:14  rw,log=/dev/hd8
         /dev/livedump    /var/adm/ras/livedump jfs2   Mar 03 10:14  rw,log=/dev/hd8
fileserver.company.nl /exports/install /exports/install nfs3 Mar 03 10:32 ro,bg,hard,intr,proto=udp,nodev,nosuid,sec=sys
Filesystems
When AIX gets installed the filesystem gets a certain amount of space dependent on the size of the disk and what is installed:
# df -m
Filesystem    MB blocks      Free %Used    Iused %Iused Mounted on
/dev/hd4         320.00    154.38   52%    12990    25% /
/dev/hd2        2144.00    355.22   84%    39261    31% /usr
/dev/hd9var      192.00     17.66   91%     6439    57% /var
/dev/hd3          64.00     61.55    4%       24     1% /tmp
/dev/hd1          32.00     31.62    2%       11     1% /home
/dev/hd11admin   128.00    127.63    1%        5     1% /admin
/proc                 -         -    -         -     -  /proc
/dev/hd10opt      96.00     12.57   87%     1886    37% /opt
/dev/livedump    256.00    255.64    1%        4     1% /var/adm/ras/livedump
Change the size of the filesystems using the 'chfs' command:
# chfs -a size=2G /
# chfs -a size=4G /usr
# chfs -a size=1G /var
# chfs -a size=1G /tmp
# chfs -a size=512M /home
# chfs -a size=10G /opt
Result:
# df -m
Filesystem    MB blocks      Free %Used    Iused %Iused Mounted on
/dev/hd4        2048.00   1882.11    9%    12990     3% /
/dev/hd2        4096.00   2306.92   44%    39261     7% /usr
/dev/hd9var     1024.00    849.48   18%     6441     4% /var
/dev/hd3        1024.00   1021.37    1%       24     1% /tmp
/dev/hd1         512.00    511.55    1%       11     1% /home
/dev/hd11admin   128.00    127.63    1%        5     1% /admin
/proc                 -         -    -         -     -  /proc
/dev/hd10opt   10240.00  10155.02    1%     1886     1% /opt
/dev/livedump    256.00    255.64    1%        4     1% /var/adm/ras/livedump
Additional Software
Download the latest rpms:
IBM AIX Toolbox for Linux Applications Information page
Actual FTP download site
Get SSH and SSL from the AIX installation and expansion DVDs.
Install AIX Software
Install AIX software with 'smitty install_latest':
- enter dir with software
......
Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
rpm.rte                     3.0.5.51        USR         APPLY       SUCCESS
rpm.rte                     3.0.5.51        ROOT        APPLY       SUCCESS
openssl.base                0.9.8.1100      USR         APPLY       SUCCESS
openssl.base                0.9.8.1100      ROOT        APPLY       SUCCESS
openssh.base.client         5.2.0.5300      USR         APPLY       SUCCESS
openssh.base.server         5.2.0.5300      USR         APPLY       SUCCESS
openssh.base.client         5.2.0.5300      ROOT        APPLY       SUCCESS
openssh.base.server         5.2.0.5300      ROOT        APPLY       SUCCESS
Install RPMS
This is a selection of RPMS I like to install on an AIX system:
# rpm -iv *.rpm
bash-3.2-1
gcc-4.2.0-3
gettext-0.10.40-8
less-382-1
lsof-4.61-3
sudo-1.6.9p15-2noldap
tar-1.14-2
vim-common-6.3-1
vim-enhanced-6.3-1
vim-minimal-6.3-1
which-2.14-1
SSH and SSL Config
SSH must be configured so X11 forwarding works as well. In a later configuration stage root will be forbidden to logon remotely, but for now that is still allowed. Configuration includes two files: /etc/ssh/sshd_config and /etc/ssh/ssh_config:
bash-3.2# cat /etc/ssh/sshd_config | grep '^[A-z]'
Protocol 2
PermitRootLogin yes
IgnoreRhosts yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
TCPKeepAlive yes
XauthLocation /usr/bin/X11/xauth
Banner /etc/secure_banner
Subsystem sftp /usr/libexec/sftp-server
bash-3.2# cat /etc/ssh/ssh_config | grep '^[A-z]'
ForwardX11 yes
ConnectTimeout 30
Protocol 2
Restart the ssh daemon:
# /etc/rc.d/rc2.d/Ssshd stop
# /etc/rc.d/rc2.d/Ssshd start
After restarting your session you can issue 'xclock' to see if it's working.
See CygWin - X op Windows to see how to setup your local Windows installation for X11 forwarding.
Note: Don't forget to create your secure_banner and place it in /etc.
Oracle Requirements
Oracle has a few requirements when installed on an AIX box, and one of them is not installed by default: bos.adt.libm. The package can be installed using the NIM server:
bash-3.2# lslpp -l bos.adt.libm
lslpp: Fileset bos.adt.libm not installed.
bash-3.2# nimclient -l -L ms-soe6
......
lpp_6100_04_03     lpp_source
...
...
bash-3.2# nimclient -o allocate -a lpp_source=lpp_6100_04_03
bash-3.2# nimclient -l -c resources ms-soe6
lpp_6100_04_03     lpp_source
bash-3.2# nimclient -o cust -a lpp_source=lpp_6100_04_03 -a filesets=bos.adt.libm
...
...
bash-3.2# lslpp -l bos.adt.libm
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.adt.libm               6.1.4.0  APPLIED    Base Application Development Math Library
See AIX NIM for more information on how to install software using a NIM server.
Tuning
AIX Limitations
For system stability reasons AIX has a few limitations which interfere (within our company) with production processes.
SWAP
By default, the swap space is defined as 512 MB, which is a little low when Oracle, WebSphere or any other demanding application is running.
Set the paging space to 4 GB for better performance. Note that 'chps -s' takes a number of logical partitions, not megabytes; here 112 partitions brought the 512 MB paging space to 4096 MB, so the number to use depends on the partition size of the volume group:
bash-3.2# lsps -a
Page Space      Physical Volume   Volume Group    Size %Used Active  Auto  Type Chksum
hd6             hdisk0            rootvg         512MB     2   yes   yes    lv     0
bash-3.2# chps -s 112 hd6
bash-3.2# lsps -a
Page Space      Physical Volume   Volume Group    Size %Used Active  Auto  Type Chksum
hd6             hdisk0            rootvg        4096MB     1   yes   yes    lv     0
Large Files
By default no one on the system is allowed to work with large files, to prevent the filesystems from filling up too fast, but we need root to work with large files. To allow this, edit /etc/security/limits and set these lines in the root stanza:
root:
        fsize = -1
        data = -1
        stack = -1
Network
By default, AIX waits 200 ms before sending the TCP acknowledgement. To disable this setting issue:
bash-3.2# no -p -o tcp_nodelayack=1
Setting tcp_nodelayack to 1
Setting tcp_nodelayack to 1 in nextboot file
AIX Post Install contains extended tests regarding AIX performance and more background information.
Memory
When running Oracle, the memory tuning is best adjusted to meet the demands Oracle can make:
bash-3.2# vmo -p -o minperm%=5 -o maxperm%=90 -o maxclient%=90 -o lru_file_repage=0
Setting minperm% to 5 in nextboot file
Modification to restricted tunable maxperm%, confirmation required yes/no yes
Setting maxperm% to 90 in nextboot file
Modification to restricted tunable maxclient%, confirmation required yes/no yes
Setting maxclient% to 90 in nextboot file
Modification to restricted tunable lru_file_repage, confirmation required yes/no yes
Setting lru_file_repage to 0 in nextboot file
Setting minperm% to 5
Setting maxperm% to 90
Warning: a restricted tunable has been modified
Setting maxclient% to 90
Warning: a restricted tunable has been modified
Setting lru_file_repage to 0
Warning: a restricted tunable has been modified
The default settings are:
vmo -p -o minperm%=20 -o maxperm%=80 -o maxclient%=80 -o lru_file_repage=1
Unnecessary Software
Software that is unnecessary:
- Alternate Disk Installation:
- bos.alt_disk_install.boot_images
- bos.alt_disk_install.rte
- Cluster Systems Management:
- csm.client
- csm.core
- csm.deploy
- csm.diagnostics
- csm.dsh
- csm.gui.dcem
To remove these packages issue:
installp -u bos.alt_disk_install.boot_images bos.alt_disk_install.rte csm.client csm.core csm.deploy csm.diagnostics csm.dsh csm.gui.dcem
According to KPMG security, the following can be removed as well:
- AIX Security Hardening:
- bos.aixpert.cmds
- bos.aixpert.websm
- Reliable Scalable Cluster Technology (RSCT)
- rsct.core.gui
- rsct.core.lprm
- rsct.core.sensorrm
installp -u bos.aixpert.cmds bos.aixpert.websm rsct.core.gui rsct.core.lprm rsct.core.sensorrm
Unnecessary Services
For more information about the services see the AIX Services Documentation.
Unnecessary Inetd Subservers
Use these commands to turn all subservers off:
chsubserver -d -v ftp -p tcp
chsubserver -d -v telnet -p tcp
chsubserver -d -v shell -p tcp
chsubserver -d -v kshell -p tcp
chsubserver -d -v login -p tcp
chsubserver -d -v klogin -p tcp
chsubserver -d -v exec -p tcp
chsubserver -d -v comsat -p udp
chsubserver -d -v uucp -p tcp
chsubserver -d -v bootps -p udp
chsubserver -d -v finger -p tcp
chsubserver -d -v systat -p tcp
chsubserver -d -v netstat -p tcp
chsubserver -d -v tftp -p udp
chsubserver -d -v talk -p udp
chsubserver -d -v ntalk -p udp
chsubserver -d -v rquotad -p udp
chsubserver -d -v rexd -p tcp
chsubserver -d -v rstatd -p udp
chsubserver -d -v rusersd -p udp
chsubserver -d -v rwalld -p udp
chsubserver -d -v sprayd -p udp
chsubserver -d -v pcnfsd -p udp
chsubserver -d -v echo -p tcp
chsubserver -d -v echo -p udp
chsubserver -d -v discard -p tcp
chsubserver -d -v discard -p udp
chsubserver -d -v chargen -p tcp
chsubserver -d -v chargen -p udp
chsubserver -d -v daytime -p tcp
chsubserver -d -v daytime -p udp
chsubserver -d -v time -p tcp
chsubserver -d -v time -p udp
chsubserver -d -v instsrv -p tcp
chsubserver -d -v xmquery -p udp
chsubserver -d -v imap2 -p tcp
chsubserver -d -v pop3 -p tcp
chsubserver -d -v wsmserver -p tcp
After disabling all subservers don't forget to refresh the inetd daemon:
refresh -s inetd
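A check for the result of the steps above, added here as an example (it is not part of the original post): it parses an inetd.conf in AIX layout and reports which of the subservers listed above are still uncommented. The inetd.conf it reads is a constructed sample so it runs anywhere; on an AIX host pass /etc/inetd.conf instead.

```shell
#!/bin/sh
# Added example, not from the original post: after the chsubserver and
# refresh steps above, confirm that none of the listed subservers is still
# active in /etc/inetd.conf. The inetd.conf below is a constructed sample
# so the script runs anywhere; on an AIX host pass /etc/inetd.conf instead.

# The service/protocol pairs this post disables (the chsubserver -v/-p values)
DISABLED="ftp/tcp telnet/tcp shell/tcp kshell/tcp login/tcp klogin/tcp exec/tcp \
comsat/udp uucp/tcp bootps/udp finger/tcp systat/tcp netstat/tcp tftp/udp talk/udp \
ntalk/udp rquotad/udp rexd/tcp rstatd/udp rusersd/udp rwalld/udp sprayd/udp \
pcnfsd/udp echo/tcp echo/udp discard/tcp discard/udp chargen/tcp chargen/udp \
daytime/tcp daytime/udp time/tcp time/udp instsrv/tcp xmquery/udp imap2/tcp \
pop3/tcp wsmserver/tcp"

# active_subservers FILE -> one "service/proto" line per uncommented entry.
# inetd.conf fields: service socket-type protocol wait user program args;
# AIX writes tcp6/udp6 for IPv6-capable entries, which chsubserver names tcp/udp.
active_subservers() {
    awk '!/^[ \t]*(#|$)/ { proto = $3; sub(/6$/, "", proto); print $1 "/" proto }' "$1"
}

# still_enabled FILE -> prints the disabled-list entries that remain active;
# returns 0 only when nothing is left (usable as a post-install check)
still_enabled() {
    active=$(active_subservers "$1"); n=0
    for svc in $DISABLED; do
        if printf '%s\n' "$active" | grep -qx "$svc"; then
            echo "$svc"; n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Constructed inetd.conf: three of the entries were left enabled on purpose
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
## constructed sample in AIX inetd.conf layout
#ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet   stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
#shell   stream  tcp6    nowait  root    /usr/sbin/rshd      rshd
echo     dgram   udp     wait    root    internal
#chargen stream  tcp     nowait  root    internal
daytime  stream  tcp     nowait  root    internal
EOF
still_enabled "$SAMPLE" || echo "inetd.conf still needs attention"
```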
Unnecessary Subsystems
Use these commands to stop and disable subsystems that are automatically started by AIX but are not needed:
chrctcp -S -d inetd
chrctcp -S -d snmpd
chrctcp -S -d hostmibd
chrctcp -S -d snmpmibd
chrctcp -S -d aixmibd
chrctcp -S -d writesrv
chrctcp -S -d qdaemon
- inetd: Internet daemon
- snmpd: simple network management protocol
- snmpmibd: extends snmp possibilities
- hostmibd: extends snmp possibilities
- aixmibd: extends snmp possibilities
- writesrv: enables the ability to receive messages from users on a remote system
- qdaemon: printer queue daemon
Remove Services from Inittab
Inittab starts a few more services which can be removed from inittab using these commands:
rmitab piobe
rmitab writesrv
rmitab qdaemon
rmitab naudio
rmitab naudio2
rmitab xmdaily
rmitab pconsole
- piobe: spooler backend
- naudio(2): configures pci audio devices
- xmdaily: collects data regarding performance information
- pconsole: system director console (web administration tool)
SLP DA
Since the introduction of AIX 6.1 TL 3 an extra service can be disabled. More information can be found in this pdf (page 16).
To disable this Systems Director Common Agent (which is like a SLP DA) follow these steps:
- Comment out these lines in /etc/inittab:
#platform_agent:2:once:/usr/bin/startsrc -s platform_agent >/dev/null 2>&1
#cimservices:2:once:/usr/bin/startsrc -s cimsys >/dev/null 2>&1
- Also run these commands:
sudo /opt/ibm/director/agent/runtime/agent/bin/endpoint.sh stop
The LWI Nonstop Profile was not running.
sudo /opt/ibm/director/agent/runtime/nonstop/bin/installnonstop.sh -uninstallservice
User Environment
Profile
I used AIX Profile to setup the profile for all users.
Home Directory
I used AIX Home Directory to setup the automatic creation of home directories for users.
Security
AIX Security
Intruder Lockout
To slow down brute-force attacks on accounts, enable intruder lockout. This can be done by editing '/etc/security/login.cfg':
default:
        sak_enabled = false
        logintimes =
        logindisable = 4
        logininterval = 60
        loginreenable = 30
        logindelay = 5
For more information about these settings please check this page.
Valid Shells
Add bash to the list of valid shells, which can be done in the same file, '/etc/security/login.cfg':
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd,/bin/bash,/usr/bin/bash
        maxlogins = 32767
        logintimeout = 60
        maxroles = 8
        auth_type = STD_AUTH
Default User Settings
Set the default options for new created users to a higher level of security, 'vi /etc/security/user':
default:
        admin = false
        login = false
        su = false
        daemon = true
        rlogin = true
        sugroups =
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 7
        account_locked = false
        loginretries = 3
        histexpire = 26
        histsize = 4
        minage = 1
        maxage = 13
        maxexpired = -1
        minalpha = 5
        minother = 3
        minlen = 8
        mindiff = 1
        maxrepeats = 2
        dictionlist =
        pwdchecks =
Root Login
Set, in the same file, that root is allowed to login, 'vi /etc/security/user':
root:
        login = true
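A small audit script for the stanza files edited in the Intruder Lockout, Default User Settings and Root Login steps above (the NFS entry in /etc/filesystems uses the same stanza layout, so the parser covers it too). It is an added example, not part of the original post, and the stanza files it reads are constructed samples; on an AIX host point it at the real paths.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the AIX stanza files this
# post edits (/etc/security/login.cfg, /etc/security/user, and the NFS entry in
# /etc/filesystems) for the values it sets. The stanzas below are constructed
# samples so the script runs anywhere; on an AIX host pass the real paths.

# stanza_get FILE STANZA KEY -> prints the value of KEY inside STANZA (or nothing)
stanza_get() {
    awk -v s="$2" -v k="$3" '
        /^[^ \t#].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == s && $1 == k && $2 == "=" { sub(/^[ \t]*[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# expect FILE STANZA KEY WANT -> prints OK or FAIL; returns 1 on a mismatch
expect() {
    got=$(stanza_get "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then
        echo "OK   $1 [$2] $3 = $got"
    else
        echo "FAIL $1 [$2] $3 = '${got:-<unset>}' (want '$4')"; return 1
    fi
}

# audit FILE -> runs the checks that apply to FILE; returns 1 if any failed
audit() {
    rc=0
    case "$1" in
    *login.cfg)
        expect "$1" default logindisable 4   || rc=1
        expect "$1" default logininterval 60 || rc=1
        expect "$1" default loginreenable 30 || rc=1 ;;
    *user)
        expect "$1" default loginretries 3 || rc=1
        expect "$1" default minlen 8       || rc=1
        expect "$1" default histsize 4     || rc=1
        expect "$1" root login true        || rc=1 ;;
    *filesystems)
        expect "$1" /exports/install options \
            ro,bg,hard,intr,proto=udp,nodev,nosuid,sec=sys || rc=1 ;;
    esac
    return $rc
}

# Constructed samples: a compliant /etc/security/user and a login.cfg in which
# logindisable was never set (the AIX default of 0 means accounts are never locked)
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf 'default:\n\tloginretries = 3\n\tminlen = 8\n\thistsize = 4\n\nroot:\n\tlogin = true\n' > "$TMP/user"
printf 'default:\n\tsak_enabled = false\n\tlogininterval = 60\n\tloginreenable = 30\n' > "$TMP/login.cfg"
audit "$TMP/user"
audit "$TMP/login.cfg" || echo "login.cfg still needs attention"
```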
Automatic Timeout
Set an automatic timeout for sessions of one hour, 'vi /etc/profile':
.......
# Automatic logout, include in export line if uncommented
TMOUT=3600
...
...
export LOGNAME MAIL MAILMSG TERM TMOUT
...
...
Sendmail Privacy
Edit the /etc/sendmail.cf file to minimize the information sendmail shows on connection:
# privacy flags
O PrivacyOptions=goaway
See Sendmail Security Quick Fixes for more information about sendmail security.
Don't forget to restart sendmail afterwards.
LDAP
LDAP authentication has been setup as described in AIX LDAP authentication on eDirectory.
Sudo
Sudo security has been setup as described in Sudo.
Root
You now have to make the final changes to the root account. Since LDAP users now have sudo rights, root should no longer be allowed to log in, except in emergencies. So make sure users are allowed to 'su' to root and that root is only allowed a local login. You can change that in 'smitty users':
- Change / Show Characteristics of a User
- Select root
- Another user can SU TO USER?
- Set from “false” to “true”.
- User can LOGIN REMOTELY(rsh,tn,rlogin)?
- Set from “true” to “false”.
Also, don't forget to change the '/etc/ssh/sshd_config' to make sure root is not allowed to log in over ssh as well:
PermitRootLogin no
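A check for this last step, added as an example that is not part of the original post: sshd applies the first occurrence of a keyword and ignores later ones, so appending 'PermitRootLogin no' below the 'PermitRootLogin yes' set during installation would leave root login enabled; the existing line has to be changed in place. The script reports the value sshd will actually use. The configs it reads are constructed samples; on AIX pass /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the original post: print the PermitRootLogin
# value sshd will actually apply. sshd uses the FIRST occurrence of a keyword
# and ignores later ones, so "PermitRootLogin no" appended below the install-
# time "PermitRootLogin yes" leaves root login enabled. Sample configs are
# constructed below; on AIX pass /etc/ssh/sshd_config. Assumes the
# whitespace-separated "Keyword value" form used in this post.

# effective FILE KEYWORD -> first uncommented value (keywords are case-insensitive);
# stops at a Match block, since keywords after it are conditional, not global
effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# root_ssh_blocked FILE -> returns 0 only when the effective value is "no"
root_ssh_blocked() {
    [ "$(effective "$1" PermitRootLogin)" = "no" ]
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
# Constructed: the post's install-time config with "no" appended at the end
printf 'Protocol 2\nPermitRootLogin yes\nX11Forwarding yes\nPermitRootLogin no\n' > "$TMP/appended"
# Constructed: the same config with the existing line edited in place
printf 'Protocol 2\npermitrootlogin no\nX11Forwarding yes\n' > "$TMP/replaced"
for f in appended replaced; do
    printf '%-9s effective PermitRootLogin = %s\n' "$f" "$(effective "$TMP/$f" PermitRootLogin)"
done
```

Where the installed OpenSSH supports it, 'sshd -T' prints the effective configuration directly and is the authoritative check.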
Syslog
Syslog has been setup as described in SYSLOG.