AIX install
Steps used for customizing an AIX 6.1 install image.
WARNING: It requires further refinement. Some steps may be different or unnecessary in other environments.
Settings used for install:
- JFS2/64bit as default on 6.1
- Install graphics software (X11)
- Don't install system management software (pconsole)
- Install all drivers
- Don't use Trusted AIX
System
General
Expand maximum user name length
chdev -l sys0 -a max_logname=64Enable online disk statistics
chdev -l sys0 -a iostat=trueEnable full system core dumps
chdev -l sys0 -a fullcore=trueSet a strong password algorithm instead of crypt()
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha1Change timezone to CEST (Hungary)
chtz CET-1CEST,M3.5.0,M10.5.0Install custom crontab for root
crontab /tmp/install/config/crontab.txtGenerate man whatis database
catman -wNetwork services, inittab
Disable sendmail, inetd
chrctcp -Sd sendmailchrctcp -Sd inetdInstall custom ntp.conf
cp /tmp/install/config/ntp.conf /etc/touch /etc/ntp.drift /etc/ntp.traceEnable xntpd
chrctcp -Sa xntpdInstall custom syslog.conf
cp /tmp/install/config/syslog.conf /etc/Syslogd still cannot create logfiles...
touch /var/adm/ras/syslogReload syslogd
refresh -s syslogdSave inittab
cp /etc/inittab /etc/inittab.DEFAULTDisable a lot of stuff from inittab
chitab "mkatmpvc:2:off:/usr/sbin/mkatmpvc >/dev/console 2>&1"chitab "atmsvcd:2:off:/usr/sbin/atmsvcd >/dev/console 2>&1"chitab "sniinst:2:off:/var/adm/sni/sniprei > /dev/console 2>&1"chitab "piobe:2:off:/usr/lib/lpd/pioinit_cp >/dev/null 2>&1 # pb cleanup"chitab "qdaemon:off:/usr/bin/startsrc -sqdaemon"chitab "writesrv:off:/usr/bin/startsrc -swritesrv"chitab "uprintfd:off:/usr/sbin/uprintfd"chitab "naudio2::off:/usr/sbin/naudio2 > /dev/null"chitab "naudio::off:/usr/sbin/naudio > /dev/null"chitab "ntbl_reset:2:off:/usr/bin/ntbl_reset_datafiles"chitab "rcwpars:2:off:/etc/rc.wpars > /dev/console 2>&1 # Corrals autostart"chitab "xmdaily:2:off:/usr/bin/topasrec -L -s 300 -R 1 -r 6 -o /etc/perf/daily/ -ypersistent=1 2>&1 >/dev/null #Start local binary recording"chitab "ha_star:h2:off:/etc/rc.ha_star >/dev/console 2>&1"Reload init
telinit qFilesystems, dump
Disable livedump and remove filesystem
dumpctrl -P ldmpoffbosboot -aumount /var/adm/ras/livedumprmfs /var/adm/ras/livedumpRemove default unused /admin filesystem
umount /adminrmfs /adminSystem configuration files
Remove failedlogin file from /
rm -f /etc/security/failedlogintouch /var/adm/ras/failedloginln -sf /var/adm/ras/failedlogin /etc/security/failedloginInstall custom sudoers -- TODO: migrate to sudo with LDAP support
cp /tmp/install/config/sudoers /etc/Install custom hosts and resolv.conf
cat /tmp/install/config/hosts.add >> /etc/hostscp /tmp/install/config/resolv.conf /etc/Configure IPv4 name resolution in /etc/netsvc.conf
hosts = local4, bind4
Users
Separate root home
mkdir /rootchmod 700 /rootchown root:system /rootchuser home=/root fsize=-1 root # set file size to unlimited for rootProfiles, environment files, user skeleton
cp /tmp/install/profile/* /root/cp /tmp/install/config/.ids /etc/security/.idscp /tmp/install/config/mkuser.sys /etc/security/mkuser.syscp /tmp/install/profile/* /etc/security/Remove unnecessary 'guest' user
rmuser guestFunction to extend valid shells with bash
add_bash="echo $(lssec -f /etc/security/login.cfg -s usw -a shells | awk -F\= '{print $2}'),/usr/bin/bash" if [ $(grep -c bash /etc/security/login.cfg) = 0 ]; then cp /etc/security/login.cfg /etc/security/login.cfg.DEFAULT chsec -f /etc/security/login.cfg -s usw -a shells=$add_bash fiCheck which users have a valid shell and remote (network) login enabled and disable (some of) them:
# lsuser -a rlogin shell ALL | grep truedaemon rlogin=truebin rlogin=truesys rlogin=trueadm rlogin=truenobody rlogin=truelpd rlogin=trueuser1 rlogin=true shell=/usr/bin/bashuser2 rlogin=true shell=/usr/bin/kshBy default, the following default system users have a shell and rlogin enabled, but these have no password set: lp invscout ipsec nuucp
Root rlogin can be disabled... although sshd_config would restrict root login anyway.
Kernel tunables
Network parameters
no -r -o tcp_keepinit=40 -o tcp_keepintvl=10 -o tcp_keepidle=600 -o tcp_sendspace=262144 -o tcp_recvspace=262144VM parameters recommended especially for Oracle and 6.1!
vmo -r -o lru_file_repage=0 -o maxpin%=80 -o page_steal_method=1 \-o strict_maxperm=0 -o minperm%=3 -o maxperm%=90 -o maxclient%=90 -o v_pinshm=1Software
Commit left over updates
installp -c allUninstall some bloat
installp -gu bos.esagent bos.ecc_client.rte lwi.runtime csm.deployExtra BFF filesets from the AIX install kit
Install selected extra filesets
rm -f /tmp/install/bff/.tocinstallp -acgXYd /tmp/install/bff/ allThis list of extras is specific to our site
# xlsmp.rte xlsmp_aix52.rte bos.content_list# bos.adt.libm bos.cifs_fs.rte# tivoli.tsm.client.api.32bit tivoli.tsm.client.ba.32bit.base# tivoli.tsm.client.ba.32bit.common tivoli.tsm.client.ba.32bit.web# gsksa.rte gskta.rte# idsldap.cltbase61 idsldap.clt64bit61 idsldap.clt32bit61These are our custom builds
# intl.openssh61 intl.openssl61 intl.net-snmpAdd some storage drivers
# xiv.hostattachment.tools xpyvFilesets post-install configuration
openssh config
cp /tmp/install/config/sshd_config /etc/ssh/TSM client
mkitab "dsmsched:2:respawn:/usr/tivoli/tsm/client/ba/bin/dsmc sched >/dev/null 2>&1 #TSM"cp /tmp/install/conf/dsm.sys /usr/tivoli/tsm/client/ba/bin/Open source tools in RPM format
rpm -ivh --nodeps /tmp/install/rpm/gettext-*rm -f /tmp/install/rpm/gettext-*rpm -ivh /tmp/install/rpm/*updtvpkgLDAP setup
Install custom LDAP configuration files
rm -rf /etc/security/ldap/cp -r /tmp/install/ldap/ /etc/security/cp /tmp/install/config/methods.cfg /etc/methods.cfgrestart-secldapclntdConsiderations for mksysbs
Reset RSCT / RMC info to avoid duplicate node IDs etc (should be run automatically?? See /usr/sbin/rsct/README/rsct.core.README)
/usr/sbin/rsct/install/bin/recfgct--- THE END ---
Hobby server additions
Restrict setuid binaries to the minimum
fpm -l highCreate a modular syslog logging (one log per facility, separate directory for syslog files)
Make sure you mkdir every new dir and touch every logfile, and beware of files readable by everyone!
Example syslog.conf:
kern.debug /var/adm/ras/syslog/kern.log rotate time 1wuser.debug /var/adm/ras/syslog/user.log rotate time 1wmail.debug /var/adm/ras/syslog/mail.log rotate time 1wdaemon.debug /var/adm/ras/syslog/daemon.log rotate time 1wauth.debug /var/adm/ras/syslog/auth.log rotate time 1wsyslog.debug /var/adm/ras/syslog/syslog.log rotate time 1wlpr.debug /var/adm/ras/syslog/lpr.log rotate time 1wnews.debug /var/adm/ras/syslog/news.log rotate time 1wuucp.debug /var/adm/ras/syslog/uucp.log rotate time 1wlocal0.debug /var/adm/ras/syslog/local0.log rotate time 1wlocal1.debug /var/adm/ras/syslog/local1.log rotate time 1wlocal2.debug /var/adm/ras/syslog/local2.log rotate time 1wlocal3.debug /var/adm/ras/syslog/local3.log rotate time 1wlocal4.debug /var/adm/ras/syslog/local4.log rotate time 1wlocal5.debug /var/adm/ras/syslog/local5.log rotate time 1wlocal6.debug /var/adm/ras/syslog/local6.log rotate time 1wlocal7.debug /var/adm/ras/syslog/local7.log rotate time 1w+Restrict access to syslog logs
Disable topasrec
chitab "xmdaily:2:off:/usr/bin/topasrec -L -s 300 -R 1 -r 6 -o /etc/perf/daily/ -ypersistent=1 2>&1 >/dev/null #Start local binary recording"telinit qKill the topasrec process, remove leftover logs
find /etc/perf -type f ( -name \*topas -o -name \*log\* ) -exec rm {} \;+Maybe configure nmon later
Configure sshd port and key based auth
Port 4321PasswordAuthentication noMake sendmail listen on localhost only (vi /etc/sendmail cf; refresh -s sendmail)
# O DaemonPortOptions=Name=MTAO DaemonPortOptions=NAME=NoMTA4, Family=inet, Addr=127.0.0.1Create a few new filesystems...
Misc
Setup WPARs based on template files
Disable system dump
Change default shell for users to bash ???
Enable bash completion
TODO
Some extra steps to consider:
- increase /tmp /opt and further filesystems
- add LDAP server to the /etc/hosts (IP address is required...)
- run mksecldap
- add LDAP users (addldapuser)
Update September 2012
- Install manuals: infocenter.man.EN_US.commands infocenter.man.EN_US.files infocenter.man.EN_US.libs
- Install every debug fileset: *.adt*
- # chdev -l sys0 -a iostat=true -a max_logname=16