AIX install
Steps used for customizing an AIX 6.1 install image.
WARNING: these notes still need refinement. Some steps may differ or be unnecessary in other environments.
Settings used for install:
- JFS2/64bit as default on 6.1
- Install graphics software (X11)
- Don't install system management software (pconsole)
- Install all drivers
- Don't use Trusted AIX
System
General
Expand maximum user name length
chdev -l sys0 -a max_logname=64
Enable online disk statistics
chdev -l sys0 -a iostat=true
Enable full system core dumps
chdev -l sys0 -a fullcore=true
Set a strong password algorithm instead of crypt()
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha1
Change timezone to CEST (Hungary)
chtz CET-1CEST,M3.5.0,M10.5.0
Install custom crontab for root
crontab /tmp/install/config/crontab.txt
Generate man whatis database
catman -w
Network services, inittab
Disable sendmail, inetd
chrctcp -Sd sendmail
chrctcp -Sd inetd
Install custom ntp.conf
cp /tmp/install/config/ntp.conf /etc/
touch /etc/ntp.drift /etc/ntp.trace
Enable xntpd
chrctcp -Sa xntpd
Install custom syslog.conf
cp /tmp/install/config/syslog.conf /etc/
syslogd does not create missing logfiles itself, so create the file by hand first
touch /var/adm/ras/syslog
Reload syslogd
refresh -s syslogd
Save inittab
cp /etc/inittab /etc/inittab.DEFAULT
Disable unneeded inittab entries (action "off")
chitab "mkatmpvc:2:off:/usr/sbin/mkatmpvc >/dev/console 2>&1"
chitab "atmsvcd:2:off:/usr/sbin/atmsvcd >/dev/console 2>&1"
chitab "sniinst:2:off:/var/adm/sni/sniprei > /dev/console 2>&1"
chitab "piobe:2:off:/usr/lib/lpd/pioinit_cp >/dev/null 2>&1 # pb cleanup"
Every inittab record needs all four fields (id:runlevel:action:command); run level 2 is used as in the entries above
chitab "qdaemon:2:off:/usr/bin/startsrc -sqdaemon"
chitab "writesrv:2:off:/usr/bin/startsrc -swritesrv"
chitab "uprintfd:2:off:/usr/sbin/uprintfd"
chitab "naudio2::off:/usr/sbin/naudio2 > /dev/null"
chitab "naudio::off:/usr/sbin/naudio > /dev/null"
chitab "ntbl_reset:2:off:/usr/bin/ntbl_reset_datafiles"
chitab "rcwpars:2:off:/etc/rc.wpars > /dev/console 2>&1 # Corrals autostart"
chitab "xmdaily:2:off:/usr/bin/topasrec -L -s 300 -R 1 -r 6 -o /etc/perf/daily/ -ypersistent=1 2>&1 >/dev/null #Start local binary recording"
chitab "ha_star:h2:off:/etc/rc.ha_star >/dev/console 2>&1"
Reload init
telinit q
Filesystems, dump
Disable livedump and remove filesystem
dumpctrl -P ldmpoff
bosboot -a
umount /var/adm/ras/livedump
rmfs /var/adm/ras/livedump
Remove default unused /admin filesystem
umount /admin
rmfs /admin
System configuration files
Remove failedlogin file from /
rm -f /etc/security/failedlogin
touch /var/adm/ras/failedlogin
ln -sf /var/adm/ras/failedlogin /etc/security/failedlogin
Install custom sudoers -- TODO: migrate to sudo with LDAP support
cp /tmp/install/config/sudoers /etc/
Install custom hosts and resolv.conf
cat /tmp/install/config/hosts.add >> /etc/hosts
cp /tmp/install/config/resolv.conf /etc/
Configure IPv4 name resolution in /etc/netsvc.conf
hosts = local4, bind4
Users
Separate root home
mkdir /root
chmod 700 /root
chown root:system /root
chuser home=/root fsize=-1 root # set file size to unlimited for root
Profiles, environment files, user skeleton
cp /tmp/install/profile/* /root/
cp /tmp/install/config/.ids /etc/security/.ids
cp /tmp/install/config/mkuser.sys /etc/security/mkuser.sys
cp /tmp/install/profile/* /etc/security/
Remove unnecessary 'guest' user
rmuser guest
Extend the list of valid login shells with bash (backing up login.cfg first)
if [ "$(grep -c bash /etc/security/login.cfg)" -eq 0 ]; then
    cp /etc/security/login.cfg /etc/security/login.cfg.DEFAULT
    # current shells list as reported by lssec ("usw shells=..."), plus bash
    add_bash="$(lssec -f /etc/security/login.cfg -s usw -a shells | awk -F= '{print $2}'),/usr/bin/bash"
    chsec -f /etc/security/login.cfg -s usw -a shells="$add_bash"
fi
Check which users have a valid shell and remote (network) login enabled and disable (some of) them:
# lsuser -a rlogin shell ALL | grep true
daemon rlogin=true
bin rlogin=true
sys rlogin=true
adm rlogin=true
nobody rlogin=true
lpd rlogin=true
user1 rlogin=true shell=/usr/bin/bash
user2 rlogin=true shell=/usr/bin/ksh
By default, the following system users also have a shell and rlogin enabled, but no password set: lp invscout ipsec nuucp
Root rlogin can also be disabled, although sshd_config restricts root login anyway.
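As an added example (not part of the original notes and not an AIX tool): a POSIX sh function that reads the output of "lsuser -a rlogin shell ALL" on stdin and prints the chuser commands that would turn off remote login for every account with rlogin=true that is not on an allow-list. The sample input is constructed from the listing above, with one rlogin=false line added to show the filter; nothing is changed until the printed commands are run.

```shell
#!/bin/sh
# Added example: audit "lsuser -a rlogin shell ALL" output and print the
# chuser commands that would disable rlogin for every account that has
# rlogin=true and is not on the allow-list. Nothing is changed on the
# system; review the output, then run it (or pipe it into sh) on the host.

# rlogin_disable_cmds ALLOWLIST < lsuser-output
#   ALLOWLIST: space-separated accounts that must keep remote login.
rlogin_disable_cmds() {
    allow=" $1 "
    while read -r name rest; do
        case " $rest " in
            *" rlogin=true "*) ;;      # candidate, keep going
            *) continue ;;             # rlogin=false or attribute missing
        esac
        case "$allow" in
            *" $name "*) continue ;;   # explicitly allowed
        esac
        printf 'chuser rlogin=false %s\n' "$name"
    done
}

# Constructed sample, modelled on the lsuser listing in the notes; the
# last line is made up to show that rlogin=false accounts are skipped.
SAMPLE='root rlogin=true shell=/usr/bin/ksh
daemon rlogin=true
bin rlogin=true
sys rlogin=true
adm rlogin=true
nobody rlogin=true
lpd rlogin=true
user1 rlogin=true shell=/usr/bin/bash
user2 rlogin=true shell=/usr/bin/ksh
batchsvc rlogin=false shell=/usr/bin/ksh'

# Keep rlogin for root and the two interactive users; propose disabling the rest.
audit_sample() {
    printf '%s\n' "$SAMPLE" | rlogin_disable_cmds "root user1 user2"
}

audit_sample
```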
Kernel tunables
Network parameters
no -r -o tcp_keepinit=40 -o tcp_keepintvl=10 -o tcp_keepidle=600 -o tcp_sendspace=262144 -o tcp_recvspace=262144
VM parameters, recommended especially for Oracle on 6.1
vmo -r -o lru_file_repage=0 -o maxpin%=80 -o page_steal_method=1 \
-o strict_maxperm=0 -o minperm%=3 -o maxperm%=90 -o maxclient%=90 -o v_pinshm=1
Software
Commit left over updates
installp -c all
Uninstall some bloat
installp -gu bos.esagent bos.ecc_client.rte lwi.runtime csm.deploy
Extra BFF filesets from the AIX install kit
Install selected extra filesets
rm -f /tmp/install/bff/.toc
installp -acgXYd /tmp/install/bff/ all
This list of extras is specific to our site
# xlsmp.rte xlsmp_aix52.rte bos.content_list
# bos.adt.libm bos.cifs_fs.rte
# tivoli.tsm.client.api.32bit tivoli.tsm.client.ba.32bit.base
# tivoli.tsm.client.ba.32bit.common tivoli.tsm.client.ba.32bit.web
# gsksa.rte gskta.rte
# idsldap.cltbase61 idsldap.clt64bit61 idsldap.clt32bit61
These are our custom builds
# intl.openssh61 intl.openssl61 intl.net-snmp
Add some storage drivers
# xiv.hostattachment.tools xpyv
Filesets post-install configuration
openssh config
cp /tmp/install/config/sshd_config /etc/ssh/
TSM client
mkitab "dsmsched:2:respawn:/usr/tivoli/tsm/client/ba/bin/dsmc sched >/dev/null 2>&1 #TSM"
cp /tmp/install/config/dsm.sys /usr/tivoli/tsm/client/ba/bin/
Open source tools in RPM format
rpm -ivh --nodeps /tmp/install/rpm/gettext-*
rm -f /tmp/install/rpm/gettext-*
rpm -ivh /tmp/install/rpm/*
updtvpkg
LDAP setup
Install custom LDAP configuration files
rm -rf /etc/security/ldap/
cp -r /tmp/install/ldap/ /etc/security/
cp /tmp/install/config/methods.cfg /etc/methods.cfg
restart-secldapclntd
Considerations for mksysbs
Reset the RSCT / RMC node information to avoid duplicate node IDs etc. (should this run automatically? See /usr/sbin/rsct/README/rsct.core.README)
/usr/sbin/rsct/install/bin/recfgct
--- THE END ---
Hobby server additions
Restrict setuid binaries to the minimum
fpm -l high
Create a modular syslog configuration (one log per facility, separate directory for the syslog files)
Make sure you mkdir every new directory and touch every logfile before reloading syslogd, and beware of files readable by everyone!
Example syslog.conf:
kern.debug /var/adm/ras/syslog/kern.log rotate time 1w
user.debug /var/adm/ras/syslog/user.log rotate time 1w
mail.debug /var/adm/ras/syslog/mail.log rotate time 1w
daemon.debug /var/adm/ras/syslog/daemon.log rotate time 1w
auth.debug /var/adm/ras/syslog/auth.log rotate time 1w
syslog.debug /var/adm/ras/syslog/syslog.log rotate time 1w
lpr.debug /var/adm/ras/syslog/lpr.log rotate time 1w
news.debug /var/adm/ras/syslog/news.log rotate time 1w
uucp.debug /var/adm/ras/syslog/uucp.log rotate time 1w
local0.debug /var/adm/ras/syslog/local0.log rotate time 1w
local1.debug /var/adm/ras/syslog/local1.log rotate time 1w
local2.debug /var/adm/ras/syslog/local2.log rotate time 1w
local3.debug /var/adm/ras/syslog/local3.log rotate time 1w
local4.debug /var/adm/ras/syslog/local4.log rotate time 1w
local5.debug /var/adm/ras/syslog/local5.log rotate time 1w
local6.debug /var/adm/ras/syslog/local6.log rotate time 1w
local7.debug /var/adm/ras/syslog/local7.log rotate time 1w
+Restrict access to syslog logs
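As an added example (not part of the original notes): a POSIX sh function that does the mkdir/touch work for a syslog.conf like the one above and gives each logfile restrictive permissions from the start, instead of whatever the umask of a later touch produces. It assumes the AIX layout "selector target rotate ..." with the target in the second field; remote hosts (@host), "*" and comments are skipped, and the demo config is constructed.

```shell
#!/bin/sh
# Added example: pre-create every logfile named in a syslog.conf with
# restrictive permissions, because syslogd does not create missing files
# and a plain "touch" leaves them world-readable under the usual umask.
# Assumes AIX-style lines "selector target rotate ...": the second field is
# the target; only absolute paths are handled, everything else is skipped.

# prepare_syslog_targets CONF [MODE]  -> prints the number of files prepared
prepare_syslog_targets() {
    conf=$1
    mode=${2:-640}
    count=0
    while read -r selector target rest; do
        case "$selector" in ''|'#'*) continue ;; esac   # blank line or comment
        case "$target" in /*) ;; *) continue ;; esac      # not a local file
        dir=$(dirname "$target")
        if [ ! -d "$dir" ]; then
            mkdir -p "$dir" && chmod 750 "$dir"
        fi
        [ -f "$target" ] || : > "$target"   # create an empty file, like touch
        chmod "$mode" "$target"
        # AIX owns its logs as root:system; only possible as root and where
        # that group exists (so the demo below also runs on other systems).
        if [ "$(id -u)" -eq 0 ] && grep -q '^system:' /etc/group; then
            chown root:system "$target"
        fi
        count=$((count + 1))
    done < "$conf"
    echo "$count"
}

# Demo with a constructed config under a scratch directory. On the real host:
#   prepare_syslog_targets /etc/syslog.conf; refresh -s syslogd
demo_dir=$(mktemp -d)
cat > "$demo_dir/syslog.conf" <<EOF
# constructed sample
kern.debug $demo_dir/syslog/kern.log rotate time 1w
auth.debug $demo_dir/syslog/auth.log rotate time 1w
*.emerg *
mail.info @loghost
EOF
echo "prepared $(prepare_syslog_targets "$demo_dir/syslog.conf") logfiles under $demo_dir/syslog"
```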
Disable topasrec
chitab "xmdaily:2:off:/usr/bin/topasrec -L -s 300 -R 1 -r 6 -o /etc/perf/daily/ -ypersistent=1 2>&1 >/dev/null #Start local binary recording"
telinit q
Kill the topasrec process, remove leftover logs
find /etc/perf -type f \( -name \*topas -o -name \*log\* \) -exec rm {} \;
+Maybe configure nmon later
Configure sshd port and key based auth
Port 4321
PasswordAuthentication no
Make sendmail listen on localhost only (edit /etc/sendmail.cf, then refresh -s sendmail)
# O DaemonPortOptions=Name=MTA
O DaemonPortOptions=NAME=NoMTA4, Family=inet, Addr=127.0.0.1
Create a few new filesystems...
Misc
Setup WPARs based on template files
Disable system dump
Change default shell for users to bash ???
Enable bash completion
TODO
Some extra steps to consider:
- increase /tmp /opt and further filesystems
- add LDAP server to the /etc/hosts (IP address is required...)
- run mksecldap
- add LDAP users (addldapuser)
Update September 2012
- Install manuals: infocenter.man.EN_US.commands infocenter.man.EN_US.files infocenter.man.EN_US.libs
- Install every debug fileset: *.adt*
- # chdev -l sys0 -a iostat=true -a max_logname=16