abakus
Here you will find:
- System information including changelog
- Initial configuration of AIX 7.1
Status update
2015-02-10 - successful test of new serial console access
2015-01-26 - www FS reduced to 5GB
2014-10-15 - Installed UTF-8 locale support filesets bos.loc.com.utf, bos.loc.utf.EN_US (export LANG=EN_US)
2014-09-30 - disabled Bash again because it is still uncertain whether all vulnerabilities are found
2014-09-27 - OS update to 7100-03-03-1415 +RPM update (among others: gcc git make openssl rsync screen tmux vim wget)
2014-09-27 - up 411 days, 18:55, 1 user, load average: 0.01, 0.28, 0.47
2014-09-25 - updated Bash with patched version and re-enabled it
2014-09-25 - disabled Bash due to a vulnerability, see CVE-2014-6271
2014-09-25 - if your login doesn't work, contact me!
2014-07-03 - upgraded python to python-2.6.8-1 +python-devel-2.6.8-1.aix5.1.ppc.rpm python-libs-2.6.8-1.aix5.1.ppc.rpm python-tools-2.6.8-1.aix5.1.ppc.rpm python-test-2.6.8-1
2014-07-03 - installed tcl-8.5.15-1 tcl-devel-8.5.15-1 tk-8.5.15-1 tk-devel-8.5.15-1 freetype2-2.4.10-1 fontconfig-2.8.0-2 tkinter-2.6.8-1 libffi-3.0.13-1
2014-05-23 - moved install stuff to datavg/private location, rotated a ~1GB failedlogin file
2014-02-17 - installed file-libs file python-magic nano
2013-08-28 - installed XL C compiler manual pages (vac.man.en_US fileset)
2013-08-23 - installed GNU m4 automake autoconf
2013-03-13 - installed httrack from source. To have SSL support, please see http://forum.httrack.com/readmsg/30599/18996/index.html
2013-03-05 - short downtime because the machine wasn't turned back on
2012-10-25 - installed gcc vim (request)
2012-10-17 - XL C compiler aug2012 fix packs
2012-10-12 - After installing updates to ipfl.rte, network seems to be free of errors, although ipfilter will not be used (there is an external firewall anyway)
2012-10-11 - TX failure errors seem to be resolved by avoiding the use of ipf/ipnat (errors were still present even without the bad modules)
2012-10-06 - errpt BFE4C025 SCAN_ERROR_CHRP sysplanar0/B150FD01 "CEC hardware System resources deconfigured.."
2012-10-11 - one 1GB memory DIMM shows error B123E500. After shutdown, the module and its pair are deconfigured and the server now runs with 10GB of RAM.
2012-10-10 - Interface speed set to 1000_Full_Duplex, but getting TX errors...
2012-10-09 - errpt: 4FC185D1 GOENT_TX_ERR ent1/TRANSMIT FAILURE coming up infrequently
2012-10-09 - installed IPFilter firewall (ipfl.rte), started ipnat port redirect
2012-10-08 - started NMON data collection (testing phase)
2012-10-06 - commit of updates
2012-10-06 - errpt: BFE4C025 SCAN_ERROR_CHRP sysplanar0/B123E500 (FRU: 12R8255) "Memory subsystem including external cache Predictive error"
2012-10-05 - installed rsync screen tmux
2012-10-04 - FPM restrictions in effect; bash added to login shells
2012-10-02 - moved into server room! Serial console access provided. Online!
2012-10-01 - prepared for transfer (graphics adapter removed)
2012-09-29 - OS update to 7100-01-05-1228
2012-09-27 - syslog setup
2012-09-27 - rootvg mirrored
2012-08-30 - errpt: BFE4C025 SCAN_ERROR_CHRP sysplanar0/B7006970 "PCI host bridge failure" (didn't come back since then, might have been due to the first warmup or disassembly...)
2012-08-30 - OS base install 7100-01-04-1216
Configuration
Hardware information: IBM IntelliStation POWER 285 (9111-285)
CPU - 1x 1.9GHz POWER5+ single core module
RAM - 12GB installed, 10GB usable (one 1GB DIMM and its pair deconfigured after error B123E500, see 2012-10-11), max=32GB (8x 4GB) 533MHz DDR2
HDD - 2x72GB for rootvg mirror, 2x72GB for other purposes
LAN - local: 1GbE switch/autoneg, Internet: down ~90 Mbit/s (ftp), up ~35 Mbit/s (http)
Active Ethernet device attributes (using ISNO):
- tcp_sendspace=131072
- tcp_recvspace=65536
- rfc1323=0
- mtu=1500
Naming conventions (planned)
Home directories
- LV name: h_$user
- Mount point: /home/$user
- Mode: 0700
- Size: 1GB?
WPARs
- WPAR name: w0..w9
- WPAR LVs: w0_hd4 etc
- RAM: 1GB?
- CPU: 10%?
File repositories - Install (root/readonly)
- bos/ - Base
- exp/ - Expansion pack
- fix/ - Fix packs
- rpm/ - 3party RPM
- xlc/ - XL C/C++ compiler
TODO: Source code directories, version control, web/service filesystem hierarchy
Network
IP address - local network on en0 (just for testing)
mktcpip -i en0 -a 192.168.1.30 -h abakus -m 255.255.255.0 -g 192.168.1.1 -s
IPv4
vi /etc/netsvc.conf
OpenSSH: disable root, set IPv4 etc (TODO: X11, reverse lookup)
vi /etc/ssh/sshd_config
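The sshd_config edits above are done by hand in vi. The following is an added example (not part of the original notes) of doing the same settings idempotently from a script, so a re-run or a later package update that re-adds a commented default cannot leave a second, contradicting copy of a keyword in the file; sshd honours the first occurrence of each keyword, so a stray duplicate wins silently. The two TODO items (X11, reverse lookup) are mapped to X11Forwarding and UseDNS, which is my assumption about what the author meant. The file path is a parameter, so it can be tried on a scratch copy first.

```shell
# Added example: idempotent sshd_config hardening with a read-back check.
# Assumes a POSIX sh with grep/awk/sed; nothing here is AIX-specific.

# sshd_set FILE KEY VALUE
# Removes every existing "KEY ..." line, including the "#KEY default" lines
# shipped in the stock file, then appends exactly one "KEY VALUE" line.
sshd_set() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    grep -v -i "^[[:space:]]*#\{0,1\}[[:space:]]*$key[[:space:]]" "$file" > "$tmp"
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# sshd_get FILE KEY -> prints the effective value, i.e. the first
# uncommented occurrence, which is the one sshd itself would use.
sshd_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Apply the settings the notes call for: no root login, IPv4 only,
# no X11 forwarding, no reverse DNS lookups at login time.
harden_sshd() {
    f=$1
    sshd_set "$f" PermitRootLogin no
    sshd_set "$f" AddressFamily inet
    sshd_set "$f" X11Forwarding no
    sshd_set "$f" UseDNS no
}

# check_sshd FILE: succeeds only if every directive reads back as intended.
check_sshd() {
    f=$1
    [ "$(sshd_get "$f" PermitRootLogin)" = no ] &&
    [ "$(sshd_get "$f" AddressFamily)" = inet ] &&
    [ "$(sshd_get "$f" X11Forwarding)" = no ] &&
    [ "$(sshd_get "$f" UseDNS)" = no ]
}
```

Run harden_sshd on a copy, check the result with `sshd -t -f <copy>` before moving it into place, then restart the daemon under SRC (stopsrc -s sshd; startsrc -s sshd) from a session that is not your only way in.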
DNS
I won't be using netcd, as running it as a non-root user doesn't seem to be possible
Using OpenDNS nameservers at the moment. Consider adding the 'rotate' directive.
vi /etc/resolv.conf
vi /etc/netcd.conf
Time sync
TODO
System
Timezone
chtz CET-1CEST,M3.5.0,M10.5.0
Remove dump devices
dumpctrl -P ldmpoff
sysdumpdev -P -p /dev/sysdumpnull
rmlv lg_dumplv
umount /var/adm/ras/livedump
rmfs /var/adm/ras/livedump
platform_dump -F 0
umount /var/adm/ras/platform
rmfs /var/adm/ras/platform
Remove admin filesystem
umount /admin
rmfs /admin
System object
chdev -l sys0 -a iostat=true -a max_logname=16
# max_logname only takes effect after a reboot; the value includes the terminating null, so 16 allows 15-character login names
Mirror rootvg
extendvg rootvg hdisk1; mirrorvg -S rootvg hdisk1
# -S synchronises the new copy in the background; wait until lsvg shows no stale partitions before trusting the mirror
bosboot -ad /dev/hdisk0 && bosboot -ad /dev/hdisk1
bootlist -m normal hdisk0 hdisk1
Increase filesystems
chfs -a size=512M /tmp
chfs -a size=512M /var
chfs -a size=512M /opt
chfs -a size=2G /usr
MOTD
done (very simple, no disclaimer)
The 'failedlogin' file
You can link it anywhere you like so that / (where /etc/security lives) doesn't fill up; the 2014-05-23 entry above rotated a ~1GB copy. Note the original file's owner and mode first and give the new file the same ones: failed-login records contain whatever was typed as the user name, which is sometimes a password. Here is an example.
rm /etc/security/failedlogin
touch /var/adm/ras/failedlogin
ln -s /var/adm/ras/failedlogin /etc/security/failedlogin
Users, security
Strong password algorithm
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha1
# ssha256 and ssha512 are also defined in /etc/security/pwdalg.cfg on 7.1; existing crypt hashes are only replaced when the user next changes the password
User home and ulimit
mkuser $user; passwd $user
mklv -y h_$user -t jfs2 rootvg 40
# 40 LPs is 5GB here (128MB PP size on the 72GB rootvg disks) - you can start with 1 LP and grow it later with chfs -a size=1G or similar once the FS exists
crfs -v jfs2 -d h_$user -m /home/$user -Ay
mount /home/$user
chown -R $user.staff /home/$user
chmod 0700 /home/$user
chuser fsize=-1 $user
Root home
chuser home=/root root
mkdir /root
chmod 0700 /root
# or chuser umask=77 root (the default is 22)
Separate group for viewing syslog
mkgroup syslog
lsgroup syslog
chgrpmem -m + root syslog
chgrpmem -m + $user syslog
File Permissions Manager/TCB
The permission snapshot written when the fpm level was applied (2012-10-04) can be restored with:
fpm -l default -f /var/security/fpm/log/10042012_23:22:27
AIX audit
TODO
Remote syslog
TODO
Sudo/sudoers
TODO (if ever)
Firewall
See this page about IPFilter (ipfl.rte). It is no longer in use here (see the 2012-10-12 entry); the external firewall is what counts.
Filesystems
Create filesystem for install repository
mklv -y install -t jfs2 rootvg 50
crfs -v jfs2 -d install -m /install -Ay
mount /install
Copy base media
mount -v cdrfs -o ro /dev/cd0 /mnt
mkdir -p /install/bos/7100-01-04-1216
cp -r /mnt/installp/ppc/* /install/bos/7100-01-04-1216
#repeat for DVD2
Expansion Pack is in .tar.gz format
Note that at least some of these filesets already have updates available!
mkdir -p /install/exp/7100-052012
cp /tmp/installp/ppc/* /install/exp/7100-052012/
perzl.org 'mirror'
mkdir -p /install/rpm/perzl
cd /install/rpm/perzl
ftp -i 178.254.6.100
> passive
> binary
> cd latest/aix71
> mget *.rpm
AIX update to the latest fix level
Here is a method to estimate the download size of the latest updates. First, save the 'bare' listing from fixget to fixget.txt.
Get the download size by listing the ftp directory (I used 'script -c ncftp' from Linux for this purpose) -> ncftp.out, then grep for the exact versions you need to download.
while read url; do grep $(basename $url) ncftp.out; done < Downloads/fixget.txt | awk '{SUM+=$5} END {print SUM}'
You can pass fixget.txt as input (-i) to wget. This is 750MB now for 7.1
You can convert the U*.bff filenames to their actual name with the 'bffcreate -cd <dir>' command, or just list the filesets in the directory with 'bffcreate -ld <dir>'
The update:
install_all_updates -pviYd.   # preview: update the install utilities (bos.rte.install) first (-i)
install_all_updates -viYd.    # apply that
install_all_updates -pvYd.    # preview the full update from the current directory (-d.)
install_all_updates -vYd.     # apply it (-v verify, -Y accept licences)
Installed base level: 7100-01-04-1216, actual (latest) level: 7100-01-05-1228, 117 filesets updated.
Extra filesets
OpenSSH/OpenSSL was installed right from the base DVD
installp -agXYd /mnt/installp/ppc openssh.base
Extras
installp -agXYd. bos.adt bos.help.msg.en_US
installp -agXYd . lsof.base lsof.man.en_US
Manuals
installp -agXYd. infocenter.man.EN_US.commands infocenter.man.EN_US.files infocenter.man.EN_US.libs
catman -w
C compiler evaluation version - must overwrite xlC.rte 11.1.0.2!
installp -agXYd. vac.C vacpp.cmp vacpp.tnb vac.aix53.lib memdbg.aix53.adt xlC.rte 12.1.0.0
RPMs so far (from perzl.org)
bzip2 unzip
gettext zlib bash info readline pcre libiconv libidn openssl => wget
libgcc libpcap libstdc++ lua expat db4 gdbm sqlite gmp python-libs python => nmap
rsync screen libevent tmux
libevent libffi glib2 perl-5.8.8 => irssi (NB: perl scripts don't work in this build :/ )
less libssh libssh2 openldap (!) curl git
mpfr libmpc-0.9-1 gcc-cpp => gcc (NB: the latest version of libmpc is not suitable for the gcc 4.7.2-1 package)
vim-enhanced vim-common
Short update for Perzl latest
wget -O perzlorg_aix71_latest.html ftp://www.oss4aix.org/compatible/aix71/
rpm -qa --qf "%{NAME}\n" | sort | while read pkg; do grep "/$pkg\-[[:digit:]]" perzlorg_aix71_latest.html; done | sed 's/.*href=\"\(.*\)\">.*/\1/g' > update.txt
wget -b -c -i update.txt
rpm -Uvh --test *.rpm
# wget what is missing and fix other dependencies
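The one-liner above interpolates each installed package name into a grep regex. It works for the packages on this box, but a name containing regex metacharacters (libstdc++, or anything with a dot) is then read as a pattern rather than as a name. As an added example (not the author's command), here is the same selection done with fixed-string matching in awk, taking the installed-package list from a file instead of a pipe so the index and the list can be read in one pass. The directory index lines in the test are constructed for the example, not a real oss4aix.org listing, and the URLs inside them are made up.

```shell
# Added example: pick the *.rpm links for installed packages out of a
# wget-saved directory index. Assumes a POSIX sh and awk; the package list
# is what "rpm -qa --qf '%{NAME}\n'" prints, one name per line.

# rpms_for_installed INDEX_HTML PKGLIST
# Prints the href target of every *.rpm whose package name (the part of the
# file name before the first "-<digit>") appears in PKGLIST.
rpms_for_installed() {
    awk -v pk="$2" '
        # First file: installed package names, used as an exact-match set.
        FILENAME == pk { if ($1 != "") want[$1] = 1; next }
        # Second file: the saved index. A line may carry several links.
        {
            line = $0
            while (match(line, /href="[^"]*\.rpm"/)) {
                target = substr(line, RSTART + 6, RLENGTH - 7)   # strip href=" and "
                line = substr(line, RSTART + RLENGTH)
                n = split(target, parts, "/")
                fname = parts[n]
                # python-libs-2.6.8-1.aix5.1.ppc.rpm -> python-libs
                # libstdc++-4.7.2-1.aix5.1.ppc.rpm   -> libstdc++
                name = fname
                if (match(fname, /-[0-9]/)) name = substr(fname, 1, RSTART - 1)
                if (name in want) print target
            }
        }' "$2" "$1"
}
```

Usage on the box, with the file names from the notes: `rpm -qa --qf "%{NAME}\n" > installed.txt; rpms_for_installed perzlorg_aix71_latest.html installed.txt > update.txt`, then continue with wget -i and the rpm --test run exactly as above.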
Network services
Disable services started from inittab
cp /etc/inittab /etc/inittab.orig
rmitab ctrmc
rmitab qdaemon
rmitab writesrv
rmitab uprintfd
chitab "rcnfs:23456789:off:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons"
chitab "aso:23456789:off:/usr/bin/startsrc -s aso"
telinit q
stopsrc -s ctrmc
stopsrc -g nfs
stopsrc -s aso
stopsrc -g rsct_rm
Disable services started from rc.tcpip - I don't need anything to be running except sshd, syslogd and sendmail
lssrc -a | grep active
chrctcp -Sd aixmibd
chrctcp -Sd snmpmibd
chrctcp -Sd hostmibd
chrctcp -Sd snmpd
chrctcp -Sd portmap
# Note that disabling portmap this way doesn't work due to a change in rc.tcpip in 7.1!
chrctcp -Sd inetd
Adjust syslogd config as mentioned in aixinstall
The config will be pasted with cat.
mv /etc/syslog.conf /etc/syslog.conf.orig
cat > /etc/syslog.conf
mkdir /var/adm/ras/syslog
chgrp syslog /var/adm/ras/syslog
chmod 0750 /var/adm/ras/syslog
awk '$1 !~ /^#/ && $2 ~ /^\// {print $2}' /etc/syslog.conf | xargs -l touch   # only local file targets; skip comments and @host lines
ls -l /var/adm/ras/syslog
stopsrc -s syslogd
startsrc -s syslogd
ls -l /var/adm/ras/syslog
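The touch step above works because every line of this syslog.conf names a local file. AIX syslogd does not create missing log files, so a target that is forgotten silently loses messages, and a file created by hand with the default umask is world-readable. The following is an added example (not from the original notes) that pulls the local file targets out of a syslog.conf, ignoring comments, blank lines, remote `@host` destinations and the `*` (all users) target, and creates the missing ones with an explicit group and mode. The config used in the test is constructed; the group and directory are parameters so it can be exercised outside AIX.

```shell
# Added example: prepare syslog target files with a known group and mode.
# Assumes a POSIX sh and awk. Rotation options after the path on a line
# (AIX "rotate size 1m files 4") are ignored, since $2 is still the path.

# syslog_targets CONF -> local log file paths, one per line, without duplicates
syslog_targets() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments, blank lines
        $2 ~ /^\//           { if (!seen[$2]++) print $2 }   # local files only
        # "@host", "*" and "|pipe" targets fall through and are skipped
    ' "$1"
}

# syslog_prepare CONF GROUP [MODE]
# Creates every missing target and sets GROUP/MODE on all of them, so the
# files exist before syslogd starts and are readable only by root and GROUP.
syslog_prepare() {
    conf=$1 grp=$2 mode=${3:-0640}
    syslog_targets "$conf" | while read -r path; do
        [ -e "$path" ] || : > "$path"
        chgrp "$grp" "$path" && chmod "$mode" "$path"
    done
}
```

On the box this is `syslog_prepare /etc/syslog.conf syslog 0640` after the directory has been created and chgrp'd as above, followed by the syslogd restart.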
Sendmail listening on localhost - see aixinstall
vi /etc/mail/sendmail.cf
stopsrc -s sendmail && startsrc -s sendmail
A final check
This is how the base system should look after disabling every unnecessary service.
It assumes that SNMP, NFS, FTP, etc. are not used and that further services will be configured later. Note that grepping for LISTEN shows TCP sockets only; bound UDP sockets (portmap, snmpd, syslogd with remote reception) appear in netstat -an without a state column, so look at those lines as well.
# lssrc -a | grep active
syslogd ras 2752688 active
sendmail mail 3407986 active
sshd ssh 3735676 active
# netstat -an | grep LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.25 *.* LISTEN
Of course the ssh port can be put anywhere else than the default.
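Reading the netstat output by eye is fine once; for re-checking after every update it helps to compare against an allow-list. The following is an added example (not part of the original notes): a filter that takes netstat -an output on stdin and prints every TCP listener or bound UDP socket whose local address is not in a small allow-list file. It deliberately covers UDP, which the grep for LISTEN above misses. The netstat lines in the test are constructed in the AIX column layout shown above, and the allow-list file name is my own.

```shell
# Added example: flag listeners that are not on the allow-list.
# Assumes a POSIX sh and awk. The allow-list holds one "proto address"
# per line, e.g. "tcp *.22" or "tcp 127.0.0.1.25"; tcp4/tcp6 and
# udp4/udp6 are folded to tcp/udp so one entry covers both families.

# netstat_unexpected ALLOWFILE  (netstat -an output on stdin)
netstat_unexpected() {
    awk -v allow="$1" '
        BEGIN {
            while ((getline l < allow) > 0) {
                split(l, f, " ")
                ok[f[1] " " f[2]] = 1
            }
        }
        # TCP: only sockets in LISTEN state; established connections are noise here.
        $1 ~ /^tcp/ && $6 == "LISTEN" { key = "tcp " $4 }
        # UDP: any bound socket counts, there is no LISTEN state to filter on.
        $1 ~ /^udp/ && $4 != ""      { key = "udp " $4 }
        key != "" {
            if (!(key in ok)) print key
            key = ""
        }
    '
}
```

With an allow-list of the two expected sockets, `netstat -an | netstat_unexpected /etc/allowed-listeners` prints nothing on a clean box and one line per stray socket otherwise; an empty result is the "final check" passing.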
Extra services
Webserver - TODO. IBM's Apache httpd fileset from Expansion pack requires linuxtoolbox RPM versions which would interfere with perzl's packages. nginx won't compile with xlC. Either newer Apache from source or nginx with gcc.
Git - TODO, RPM is installed already.
WPAR - TODO
Performance monitoring (topasrec, nmon...) - both are running now. In the long term, one of them must go.
Documentation