Steps used for customizing an AIX 6.1 install image.
WARNING: These notes still require further refinement. Some steps may be different or unnecessary in other environments.
Settings used for install:
Expand maximum user name length
chdev -l sys0 -a max_logname=64
Enable online disk statistics
chdev -l sys0 -a iostat=true
Enable full system core dumps
chdev -l sys0 -a fullcore=true
Set a strong password algorithm instead of crypt()
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha1
Change timezone to CEST (Hungary)
chtz CET-1CEST,M3.5.0,M10.5.0
Install custom crontab for root
crontab /tmp/install/config/crontab.txt
Generate man whatis database
catman -w
Disable sendmail and inetd
chrctcp -Sd sendmail
chrctcp -Sd inetd
Install custom ntp.conf
cp /tmp/install/config/ntp.conf /etc/
touch /etc/ntp.drift /etc/ntp.trace
Enable xntpd
chrctcp -Sa xntpd
Install custom syslog.conf
cp /tmp/install/config/syslog.conf /etc/
syslogd still cannot create log files on its own, so create them by hand:
touch /var/adm/ras/syslog
Reload syslogd
refresh -s syslogd
Save a copy of the default inittab
cp /etc/inittab /etc/inittab.DEFAULT
Disable many unneeded entries in inittab
chitab "mkatmpvc:2:off:/usr/sbin/mkatmpvc >/dev/console 2>&1"
chitab "atmsvcd:2:off:/usr/sbin/atmsvcd >/dev/console 2>&1"
chitab "sniinst:2:off:/var/adm/sni/sniprei > /dev/console 2>&1"
chitab "piobe:2:off:/usr/lib/lpd/pioinit_cp >/dev/null 2>&1 # pb cleanup"
chitab "qdaemon:off:/usr/bin/startsrc -sqdaemon"
chitab "writesrv:off:/usr/bin/startsrc -swritesrv"
chitab "uprintfd:off:/usr/sbin/uprintfd"
chitab "naudio2::off:/usr/sbin/naudio2 > /dev/null"
chitab "naudio::off:/usr/sbin/naudio > /dev/null"
chitab "ntbl_reset:2:off:/usr/bin/ntbl_reset_datafiles"
chitab "rcwpars:2:off:/etc/rc.wpars > /dev/console 2>&1 # Corrals autostart"
chitab "xmdaily:2:off:/usr/bin/topasrec -L -s 300 -R 1 -r 6 -o /etc/perf/daily/ -ypersistent=1 2>&1 >/dev/null #Start local binary recording"
chitab "ha_star:h2:off:/etc/rc.ha_star >/dev/console 2>&1"
Reload init
telinit q
Disable livedump and remove its filesystem
dumpctrl -P ldmpoff
bosboot -a
umount /var/adm/ras/livedump
rmfs /var/adm/ras/livedump
Remove the default, unused /admin filesystem
umount /admin
rmfs /admin
Move the failedlogin file off the root filesystem (keep it under /var, with a symlink in /etc/security)
rm -f /etc/security/failedlogin
touch /var/adm/ras/failedlogin
ln -sf /var/adm/ras/failedlogin /etc/security/failedlogin
Install custom sudoers -- TODO: migrate to sudo with LDAP support
cp /tmp/install/config/sudoers /etc/
Install custom hosts and resolv.conf
cat /tmp/install/config/hosts.add >> /etc/hosts
cp /tmp/install/config/resolv.conf /etc/
Configure IPv4 name resolution in /etc/netsvc.conf
hosts = local4, bind4
Separate root home
mkdir /root
chmod 700 /root
chown root:system /root
chuser home=/root fsize=-1 root # set file size to unlimited for root
Profiles, environment files, user skeleton
cp /tmp/install/profile/* /root/
cp /tmp/install/config/.ids /etc/security/.ids
cp /tmp/install/config/mkuser.sys /etc/security/mkuser.sys
cp /tmp/install/profile/* /etc/security/
Remove the unnecessary 'guest' user
rmuser guest
Snippet to extend the list of valid shells with bash
add_bash="echo $(lssec -f /etc/security/login.cfg -s usw -a shells | awk -F\= '{print $2}'),/usr/bin/bash"
if [ $(grep -c bash /etc/security/login.cfg) = 0 ]; then
  cp /etc/security/login.cfg /etc/security/login.cfg.DEFAULT
  chsec -f /etc/security/login.cfg -s usw -a shells=$add_bash
fi
(Note: as written, the literal word "echo" inside the add_bash string appears to become part of the shells value passed to chsec; the intent seems to be the $(...) expansion alone -- verify the resulting shells stanza in login.cfg after running it.)
Check which users have a valid shell and remote (network) login enabled, and disable (some of) them:
# lsuser -a rlogin shell ALL | grep true
daemon rlogin=true
bin rlogin=true
sys rlogin=true
adm rlogin=true
nobody rlogin=true
lpd rlogin=true
user1 rlogin=true shell=/usr/bin/bash
user2 rlogin=true shell=/usr/bin/ksh
By default, the following system users have a shell and rlogin enabled but no password set: lp invscout ipsec nuucp
Root rlogin can be disabled as well, although sshd_config would restrict root login anyway.
Network parameters
no -r -o tcp_keepinit=40 -o tcp_keepintvl=10 -o tcp_keepidle=600 -o tcp_sendspace=262144 -o tcp_recvspace=262144
VM parameters, recommended especially for Oracle on 6.1
vmo -r -o lru_file_repage=0 -o maxpin%=80 -o page_steal_method=1 \
  -o strict_maxperm=0 -o minperm%=3 -o maxperm%=90 -o maxclient%=90 -o v_pinshm=1
Commit left-over updates
installp -c all
Uninstall some bloat
installp -gu bos.esagent bos.ecc_client.rte lwi.runtime csm.deploy
Install selected extra filesets
rm -f /tmp/install/bff/.toc
installp -acgXYd /tmp/install/bff/ all
This list of extras is specific to our site:
# xlsmp.rte xlsmp_aix52.rte bos.content_list
# bos.adt.libm bos.cifs_fs.rte
# tivoli.tsm.client.api.32bit tivoli.tsm.client.ba.32bit.base
# tivoli.tsm.client.ba.32bit.common tivoli.tsm.client.ba.32bit.web
# gsksa.rte gskta.rte
# idsldap.cltbase61 idsldap.clt64bit61 idsldap.clt32bit61
These are our custom builds:
# intl.openssh61 intl.openssl61 intl.net-snmp
Add some storage drivers:
# xiv.hostattachment.tools xpyv
openssh config
cp /tmp/install/config/sshd_config /etc/ssh/
TSM client
mkitab "dsmsched:2:respawn:/usr/tivoli/tsm/client/ba/bin/dsmc sched >/dev/null 2>&1 #TSM"
cp /tmp/install/conf/dsm.sys /usr/tivoli/tsm/client/ba/bin/
rpm -ivh --nodeps /tmp/install/rpm/gettext-*
rm -f /tmp/install/rpm/gettext-*
rpm -ivh /tmp/install/rpm/*
updtvpkg
Install custom LDAP configuration files
rm -rf /etc/security/ldap/
cp -r /tmp/install/ldap/ /etc/security/
cp /tmp/install/config/methods.cfg /etc/methods.cfg
restart-secldapclntd
Reset RSCT / RMC information to avoid duplicate node IDs etc. (should this run automatically? See /usr/sbin/rsct/README/rsct.core.README)
/usr/sbin/rsct/install/bin/recfgct
--- THE END ---
Restrict setuid binaries to the minimum
fpm -l high
Create modular syslog logging (one log per facility, in a separate directory for the syslog files)
Make sure you mkdir every new directory and touch every log file beforehand, and check that none of the log files end up readable by everyone!
Example syslog.conf:
kern.debug /var/adm/ras/syslog/kern.log rotate time 1w
user.debug /var/adm/ras/syslog/user.log rotate time 1w
mail.debug /var/adm/ras/syslog/mail.log rotate time 1w
daemon.debug /var/adm/ras/syslog/daemon.log rotate time 1w
auth.debug /var/adm/ras/syslog/auth.log rotate time 1w
syslog.debug /var/adm/ras/syslog/syslog.log rotate time 1w
lpr.debug /var/adm/ras/syslog/lpr.log rotate time 1w
news.debug /var/adm/ras/syslog/news.log rotate time 1w
uucp.debug /var/adm/ras/syslog/uucp.log rotate time 1w
local0.debug /var/adm/ras/syslog/local0.log rotate time 1w
local1.debug /var/adm/ras/syslog/local1.log rotate time 1w
local2.debug /var/adm/ras/syslog/local2.log rotate time 1w
local3.debug /var/adm/ras/syslog/local3.log rotate time 1w
local4.debug /var/adm/ras/syslog/local4.log rotate time 1w
local5.debug /var/adm/ras/syslog/local5.log rotate time 1w
local6.debug /var/adm/ras/syslog/local6.log rotate time 1w
local7.debug /var/adm/ras/syslog/local7.log rotate time 1w
+ Restrict access to syslog logs
Disable topasrec
chitab "xmdaily:2:off:/usr/bin/topasrec -L -s 300 -R 1 -r 6 -o /etc/perf/daily/ -ypersistent=1 2>&1 >/dev/null #Start local binary recording"
telinit q
Kill the topasrec process and remove leftover logs
find /etc/perf -type f \( -name \*topas -o -name \*log\* \) -exec rm {} \;
+ Maybe configure nmon later
Configure sshd port and key based auth
Port 4321
PasswordAuthentication no
Make sendmail listen on localhost only (vi /etc/sendmail.cf; refresh -s sendmail)
# O DaemonPortOptions=Name=MTA
O DaemonPortOptions=NAME=NoMTA4, Family=inet, Addr=127.0.0.1
Create a few new filesystems...
Setup WPARs based on template files
Disable system dump
Change default shell for users to bash ???
Enable bash completion
Some extra steps to consider:
Update, September 2012:
- Install manuals: infocenter.man.EN_US.commands infocenter.man.EN_US.files infocenter.man.EN_US.libs
- Install every debug fileset: *.adt*
- # chdev -l sys0 -a iostat=true -a max_logname=16