abakus

Here you will find:

- System information including changelog

- Initial configuration of AIX 7.1

Status update

2015-02-10 - successful test of new serial console access

2015-01-26 - www FS reduced to 5GB

2014-10-15 - Installed UTF-8 locale support filesets bos.loc.com.utf, bos.loc.utf.EN_US (export LANG=EN_US)

2014-09-30 - disabled Bash again because it is still uncertain whether all vulnerabilities have been found

2014-09-27 - OS update to 7100-03-03-1415 +RPM update (among others: gcc git make openssl rsync screen tmux vim wget)

2014-09-27 - up 411 days, 18:55, 1 user, load average: 0.01, 0.28, 0.47

2014-09-25 - updated Bash with patched version and re-enabled it

2014-09-25 - disabled Bash due to a vulnerability, see CVE-2014-6271

2014-09-25 - if your login doesn't work, contact me!

2014-07-03 - upgraded python to python-2.6.8-1 +python-devel-2.6.8-1.aix5.1.ppc.rpm python-libs-2.6.8-1.aix5.1.ppc.rpm python-tools-2.6.8-1.aix5.1.ppc.rpm python-test-2.6.8-1

2014-07-03 - installed tcl-8.5.15-1 tcl-devel-8.5.15-1 tk-8.5.15-1 tk-devel-8.5.15-1 freetype2-2.4.10-1 fontconfig-2.8.0-2 tkinter-2.6.8-1 libffi-3.0.13-1

2014-05-23 - moved install stuff to datavg/private location, rotated a ~1GB failedlogin file

2014-02-17 - installed file-libs file python-magic nano

2013-08-28 - installed XL C compiler manual pages (vac.man.en_US fileset)

2013-08-23 - installed GNU m4 automake autoconf

2013-03-13 - installed httrack from source. To have SSL support, please see http://forum.httrack.com/readmsg/30599/18996/index.html

2013-03-05 - short downtime because the machine wasn't turned back on

2012-10-25 - installed gcc vim (request)

2012-10-17 - XL C compiler aug2012 fix packs

2012-10-12 - After installing updates to ipfl.rte, network seems to be free of errors, although ipfilter will not be used (there is an external firewall anyway)

2012-10-11 - TX failure errors seem to be resolved by avoiding the use of ipf/ipnat (errors were still present even without the bad modules)

2012-10-06 - errpt BFE4C025 SCAN_ERROR_CHRP sysplanar0/B150FD01 "CEC hardware System resources deconfigured.."

2012-10-11 - one 1GB memory DIMM shows error B123E500. After shutdown, the module and its pair are deconfigured and the server now runs with 10GB of RAM.

2012-10-10 - Interface speed set to 1000_Full_Duplex, but getting TX errors...

2012-10-09 - errpt: 4FC185D1 GOENT_TX_ERR ent1/TRANSMIT FAILURE coming up infrequently

2012-10-09 - installed IPFilter firewall (ipfl.rte), started ipnat port redirect

2012-10-08 - started NMON data collection (testing phase)

2012-10-06 - commit of updates

2012-10-06 - errpt: BFE4C025 SCAN_ERROR_CHRP sysplanar0/B123E500 (FRU: 12R8255) "Memory subsystem including external cache Predictive error"

2012-10-05 - installed rsync screen tmux

2012-10-04 - FPM restrictions in effect; bash added to login shells

2012-10-02 - moved into server room! Serial console access provided. Online!

2012-10-01 - prepared for transfer (graphics adapter removed)

2012-09-29 - OS update to 7100-01-05-1228

2012-09-27 - syslog setup

2012-09-27 - rootvg mirrored

2012-08-30 - errpt: BFE4C025 SCAN_ERROR_CHRP sysplanar0/B7006970 "PCI host bridge failure" (didn't come back since then, might have been due to the first warmup or disassembly...)

2012-08-30 - OS base install 7100-01-04-1216

Configuration

Hardware information: IBM IntelliStation POWER 285 (9111-285)

CPU - 1x 1.9GHz POWER5+ single core module

RAM - 12GB (10GB usable), max=32GB (8x 4GB), 533MHz DDR2

HDD - 2x72GB for rootvg mirror, 2x72GB for other purposes

LAN - local: 1GbE switch/autoneg, Internet: down ~90 Mbit/s (ftp), up ~35 Mbit/s (http)

Active Ethernet device attributes (using ISNO):

- tcp_sendspace=131072

- tcp_recvspace=65536

- rfc1323=0

- mtu=1500

Naming conventions (planned)

Home directories

  • LV name: h_$user
  • Mount point: /home/$user
  • Mode: 0700
  • Size: 1GB?

WPARs

  • WPAR name: w0..w9
  • WPAR LVs: w0_hd4 etc
  • RAM: 1GB?
  • CPU: 10%?

File repositories - Install (root/readonly)

  • bos/ - Base
  • exp/ - Expansion pack
  • fix/ - Fix packs
  • rpm/ - 3rd-party RPM
  • xlc/ - XL C/C++ compiler

TODO: Source code directories, version control, web/service filesystem hierarchy

Network

IP address - local network on en0 (just for testing)

mktcpip -i en0 -a 192.168.1.30 -h abakus -m 255.255.255.0 -g 192.168.1.1 -s

IPv4

vi /etc/netsvc.conf

OpenSSH: disable root, set IPv4 etc (TODO: X11, reverse lookup)

vi /etc/ssh/sshd_config

DNS

I won't be using netcd, as running it as a non-root user doesn't seem to be possible

Using OpenDNS nameservers at the moment. Consider adding the 'rotate' directive.

vi /etc/resolv.conf
vi /etc/netcd.conf

Time sync

TODO

System

Timezone

chtz CET-1CEST,M3.5.0,M10.5.0

Remove dump devices

dumpctrl -P ldmpoff
sysdumpdev -P -p /dev/sysdumpnull
rmlv lg_dumplv
umount /var/adm/ras/livedump
rmfs /var/adm/ras/livedump
platform_dump -F 0
umount /var/adm/ras/platform
rmfs /var/adm/ras/platform

Remove admin filesystem

umount /admin
rmfs /admin

System object

chdev -l sys0 -a iostat=true -a max_logname=16

Mirror rootvg

extendvg rootvg hdisk1; mirrorvg -S rootvg hdisk1
bosboot -ad /dev/hdisk0 && bosboot -ad /dev/hdisk1
bootlist -m normal hdisk0 hdisk1

Increase filesystems

chfs -a size=512M /tmp
chfs -a size=512M /var
chfs -a size=512M /opt
chfs -a size=2G /usr

MOTD

done (very simple, no disclaimer)

The 'failedlogin' file

You can link it anywhere you like to make sure / doesn't get filled up. Here is an example.

rm /etc/security/failedlogin
touch /var/adm/ras/failedlogin
ln -s /var/adm/ras/failedlogin /etc/security/failedlogin

Users, security

Strong password algorithm

chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha1

User home and ulimit

mkuser $user; passwd $user
mklv -y h_$user -t jfs2 rootvg 40

# the above means 5GB here - can start with 1 LP then chfs -a size=1GB or something similar when the FS is ready

crfs -v jfs2 -d h_$user -m /home/$user -Ay
mount /home/$user
chown -R $user.staff /home/$user
chmod 0700 /home/$user
chuser fsize=-1 $user

Root home

chuser home=/root root
mkdir /root
chmod 0700 /root

# or chuser umask=77 root (the default is 22)

Separate group for viewing syslog

mkgroup syslog
lsgroup syslog
chgrpmem -m + root syslog
chgrpmem -m + $user syslog

File Permissions Manager/TCB

restore with:

fpm -l default -f /var/security/fpm/log/10042012_23:22:27

AIX audit

TODO

Remote syslog

TODO

Sudo/sudoers

TODO (if ever)

Firewall

See this page about IPFilter (ipfl.rte).

Filesystems

Create filesystem for install repository

mklv -y install -t jfs2 rootvg 50
crfs -v jfs2 -d install -m /install -Ay
mount /install

Copy base media

mount -v cdrfs -o ro /dev/cd0 /mnt
mkdir -p /install/bos/7100-01-04-1216
cp -r /mnt/installp/ppc/* /install/bos/7100-01-04-1216
# repeat for DVD2

Expansion Pack is in .tar.gz format

Please consider that at least some of these filesets have updates already!

mkdir -p /install/exp/7100-052012
cp /tmp/installp/ppc/* /install/exp/7100-052012/

perzl.org 'mirror'

mkdir -p /install/rpm/perzl
cd /install/rpm/perzl
ftp -i 178.254.6.100
> passive
> binary
> cd latest/aix71
> mget *.rpm

AIX update to the latest fix level

Here is a method to estimate the download size of the latest updates. First, save the 'bare' listing from fixget to fixget.txt.

Get the download size by listing the ftp directory (I used 'script -c ncftp' from Linux for this purpose) -> ncftp.out, then grep for the exact versions you need to download.

while read url; do grep $(basename $url) ncftp.out; done  < Downloads/fixget.txt | awk '{SUM+=$5} END {print SUM}'

You can pass fixget.txt as input (-i) to wget. This is 750MB now for 7.1
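The size estimate above, as an added example that is not part of the original notes: the fixget URL list and the saved ftp listing are constructed sample files, and the match is made on the whole filename column rather than by substring grep, so one fix name cannot also pick up a longer name that merely begins the same way.

```shell
# Added example (not from the original notes): sum the sizes of the fixes named
# in a fixget URL list by matching each URL's basename against the filename
# column of a saved 'ls -l' style ftp listing. Unlike a plain grep, the match
# is on the whole filename, so U850003.bff cannot also pick up U8500031.bff.
fixget_download_size() {   # $1 = fixget URL list, $2 = saved listing (size in field 5)
    sed 's#.*/##' "$1" | awk '
        NR == FNR { if ($0 != "") want[$0] = 1; next }   # first input: wanted basenames
        ($NF in want) { sum += $5 }                       # second input: matching lines
        END { print sum + 0 }' - "$2"
}

# Constructed sample data standing in for the real fixget.txt / ncftp.out.
demo_fixget_size() {
    d=$(mktemp -d)
    cat > "$d/fixget.txt" <<'EOF'
ftp://ftp.example.invalid/aix/fixes/U850001.bff
ftp://ftp.example.invalid/aix/fixes/U850003.bff
EOF
    cat > "$d/ncftp.out" <<'EOF'
-rw-r--r--   1 ftp      ftp      1048576 Sep 27  2014 U850001.bff
-rw-r--r--   1 ftp      ftp       524288 Sep 27  2014 U850002.bff
-rw-r--r--   1 ftp      ftp      2097152 Sep 27  2014 U850003.bff
-rw-r--r--   1 ftp      ftp        65536 Sep 27  2014 U8500031.bff
EOF
    fixget_download_size "$d/fixget.txt" "$d/ncftp.out"
    rm -rf "$d"
}

demo_fixget_size   # 1048576 + 2097152 = 3145728 bytes
```

With the real files, call fixget_download_size Downloads/fixget.txt ncftp.out; the result is in the unit the listing uses (bytes for ncftp).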

You can convert the U*.bff filenames to their actual name with the 'bffcreate -cd <dir>' command, or just list the filesets in the directory with 'bffcreate -ld <dir>'

The update:

install_all_updates -pviYd.
install_all_updates -viYd.
install_all_updates -pvYd.
install_all_updates -vYd.

Installed base level: 7100-01-04-1216, actual (latest) level: 7100-01-05-1228, 117 filesets updated.

Extra filesets

OpenSSH/OpenSSL was installed right from the base DVD

installp -agXYd /mnt/installp/ppc openssh.base

Extras

installp -agXYd. bos.adt bos.help.msg.en_US
installp -agXYd . lsof.base lsof.man.en_US

Manuals

installp -agXYd. infocenter.man.EN_US.commands infocenter.man.EN_US.files infocenter.man.EN_US.libs
catman -w

C compiler evaluation version - must overwrite xlC.rte 11.1.0.2!

installp -agXYd. vac.C vacpp.cmp vacpp.tnb vac.aix53.lib memdbg.aix53.adt xlC.rte 12.1.0.0

RPMs so far (from perzl.org)

bzip2 unzip

gettext zlib bash info readline pcre libiconv libidn openssl => wget

libgcc libpcap libstdc++ lua expat db4 gdbm sqlite gmp python-libs python => nmap

rsync screen libevent tmux

libevent libffi glib2 perl-5.8.8 => irssi (NB: perl scripts don't work in this build :/ )

less libssh libssh2 openldap (!) curl git

mpfr libmpc-0.9-1 gcc-cpp => gcc (NB: the latest version of libmpc is not suitable for the gcc 4.7.2-1 package)

vim-enhanced vim-common

Short update for Perzl latest

wget -O perzlorg_aix71_latest.html ftp://www.oss4aix.org/compatible/aix71/

rpm -qa --qf "%{NAME}\n" | sort | while read pkg; do grep "/$pkg\-[[:digit:]]" perzlorg_aix71_latest.html; done | sed 's/.*href=\"\(.*\)\">.*/\1/g' > update.txt

wget -b -c -i update.txt

rpm -Uvh --test *.rpm

# wget what is missing and fix other dependencies
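The same update lookup, as an added example that is not part of the original notes: the installed package list and the HTML listing are constructed (the versions are made up), and the package name is compared exactly rather than by substring, looking at every link on a line instead of only the last one that a greedy sed keeps.

```shell
# Added example (not from the original notes): pick out, from a saved HTML
# directory listing, the RPM links whose package name exactly matches one of
# the installed packages. Every href on a line is examined, whereas a greedy
# sed 's/.*href=.../' keeps only the last one per line.
list_updates() {   # $1 = installed names, one per line (rpm -qa --qf "%{NAME}\n"); $2 = saved HTML listing
    awk -v FS='href="' '
        NR == FNR { if ($0 != "") inst[$0] = 1; next }
        {
            for (i = 2; i <= NF; i++) {
                href = $i; sub(/".*/, "", href)          # cut at the closing quote
                name = href; sub(/.*\//, "", name)       # basename of the link
                if (name !~ /\.rpm$/) continue           # README, parent dir, ...
                if (match(name, /-[0-9]/)) {             # package name ends before "-<version>"
                    pkg = substr(name, 1, RSTART - 1)
                    if (pkg in inst) print href
                }
            }
        }' "$1" "$2"
}

# Constructed sample listing and package set; versions are made up.
demo_list_updates() {
    d=$(mktemp -d)
    printf '%s\n' bash python wget > "$d/installed.txt"
    cat > "$d/listing.html" <<'EOF'
<html><body><pre>
<a href="bash-0.0.1-1.aix7.1.ppc.rpm">bash</a> <a href="bash-doc-0.0.1-1.aix7.1.ppc.rpm">bash-doc</a>
<a href="python-0.0.2-1.aix7.1.ppc.rpm">python</a>
<a href="python-libs-0.0.2-1.aix7.1.ppc.rpm">python-libs</a>
<a href="README">README</a>
</pre></body></html>
EOF
    list_updates "$d/installed.txt" "$d/listing.html"
    rm -rf "$d"
}

demo_list_updates   # bash-0.0.1-... and python-0.0.2-..., nothing else
```

For the real case: rpm -qa --qf "%{NAME}\n" | sort > installed.txt, then list_updates installed.txt perzlorg_aix71_latest.html > update.txt and continue with wget -i as above; bash-doc and python-libs are only picked up if they are themselves installed.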

Network services

Disable services started from inittab

cp /etc/inittab /etc/inittab.orig
rmitab ctrmc
rmitab qdaemon
rmitab writesrv
rmitab uprintfd
chitab "rcnfs:23456789:off:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons"
chitab "aso:23456789:off:/usr/bin/startsrc -s aso"
telinit q
stopsrc -s ctrmc
stopsrc -g nfs
stopsrc -s aso
stopsrc -g rsct_rm

Disable services started from rc.tcpip - I don't need anything to be running except sshd, syslogd and sendmail

lssrc -a | grep active
chrctcp -Sd aixmibd
chrctcp -Sd snmpmibd
chrctcp -Sd hostmibd
chrctcp -Sd snmpd
chrctcp -Sd portmap

# Note that disabling portmap this way doesn't work due to a change in rc.tcpip in 7.1!

chrctcp -Sd inetd

Adjust syslogd config as mentioned in aixinstall

The config will be pasted with cat.

mv /etc/syslog.conf /etc/syslog.conf.orig
cat > /etc/syslog.conf
mkdir /var/adm/ras/syslog
chgrp syslog /var/adm/ras/syslog
chmod 0750 /var/adm/ras/syslog
awk '{print $2}' /etc/syslog.conf | xargs -l touch
ls -l /var/adm/ras/syslog
stopsrc -s syslogd
startsrc -s syslogd
ls -l /var/adm/ras/syslog
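The pre-creation of the log files, as an added example that is not part of the original notes: the syslog.conf below is constructed and its paths are rewritten under a temporary directory, so nothing under /var is touched. It skips comment lines, blank lines, remote @host targets and devices before creating the files, which a bare awk '{print $2}' | xargs touch does not.

```shell
# Added example (not from the original notes): list the local log files a
# syslog.conf refers to, ignoring comments, blank lines, remote @host targets
# and devices, then create the ones that do not exist. A bare awk '{print $2}'
# over the file would also hand '@loghost' and comment words to touch.
syslog_file_targets() {   # $1 = syslog.conf
    awk '
        /^[[:space:]]*(#|$)/ { next }                  # comment or blank line
        $2 ~ /^\// && $2 !~ /^\/dev\// { print $2 }    # plain files only
    ' "$1" | sort -u
}

create_missing_targets() {   # creates each target read from stdin, mode 0640
    umask 027
    while read -r f; do
        [ -e "$f" ] || { mkdir -p "$(dirname "$f")" && touch "$f"; }
    done
}

# Constructed sample config; paths are rewritten under a temp dir so the
# demo touches nothing in /var. Prints the targets relative to that dir.
demo_syslog_targets() {
    d=$(mktemp -d)
    cat > "$d/syslog.conf" <<EOF
# constructed sample, not the real /etc/syslog.conf
*.info;mail.none;auth.none   $d/syslog/messages rotate size 1m files 4
auth.info                    $d/syslog/auth     rotate size 1m files 4
mail.debug                   $d/syslog/mail
*.emerg                      @loghost.example.invalid
*.alert                      /dev/console
EOF
    syslog_file_targets "$d/syslog.conf" | create_missing_targets
    for f in $(syslog_file_targets "$d/syslog.conf"); do
        [ -f "$f" ] && echo "${f#$d/}"
    done
    rm -rf "$d"
}

demo_syslog_targets   # syslog/auth, syslog/mail, syslog/messages
```

On the real box: syslog_file_targets /etc/syslog.conf | create_missing_targets, then chgrp syslog and restart syslogd as in the steps above.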

Sendmail listening on localhost - see aixinstall

vi /etc/mail/sendmail.cf
stopsrc -s sendmail && startsrc -s sendmail

A final check

This is how the base system should look after disabling every unnecessary service.

It assumes that SNMP, NFS, FTP, etc. are not used and that further services will be configured later.

# lssrc -a | grep active
 syslogd          ras              2752688      active
 sendmail         mail             3407986      active
 sshd             ssh              3735676      active
# netstat -an | grep LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN

Of course the ssh port can be moved anywhere other than the default.
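The final check, as an added example that is not part of the original notes: a saved netstat -an is compared against the listeners this host is supposed to have (sshd on *.22, sendmail on 127.0.0.1.25) and anything else in LISTEN state is printed. The netstat sample is constructed and deliberately includes portmap on *.111, the case the rc.tcpip note above warns about.

```shell
# Added example (not from the original notes): compare a saved 'netstat -an'
# against the listeners this host is supposed to have, and print anything
# else in LISTEN state. The netstat sample below is constructed; it includes
# portmap on *.111, which the notes above say chrctcp -Sd does not stop on 7.1.
unexpected_listeners() {   # $1 = saved netstat -an output, $2 = allowlist ("addr.port" per line)
    awk '
        NR == FNR { if ($0 != "" && $0 !~ /^#/) ok[$0] = 1; next }
        $NF == "LISTEN" && !($4 in ok) { print $1, $4 }
    ' "$2" "$1"
}

demo_listener_check() {
    d=$(mktemp -d)
    cat > "$d/allow.txt" <<'EOF'
# sshd on all addresses, sendmail on loopback only
*.22
127.0.0.1.25
EOF
    cat > "$d/netstat.out" <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.111                  *.*                    LISTEN
tcp4       0      0  192.168.1.30.22        192.168.1.10.50112     ESTABLISHED
udp4       0      0  *.111                  *.*
EOF
    unexpected_listeners "$d/netstat.out" "$d/allow.txt"
    rm -rf "$d"
}

demo_listener_check   # tcp4 *.111
```

Run netstat -an > /tmp/netstat.out and keep the allowlist next to these notes; an empty result is the expected state, and anything printed is a service that was not stopped or came back after an update.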

Extra services

Webserver - TODO. IBM's Apache httpd fileset from Expansion pack requires linuxtoolbox RPM versions which would interfere with perzl's packages. nginx won't compile with xlC. Either newer Apache from source or nginx with gcc.

Git - TODO, RPM is installed already.

WPAR - TODO

Performance monitoring (topasrec, nmon...) - both are running now. In the long term, one of them must go.

Documentation

http://www.redbooks.ibm.com/redpapers/pdfs/redp4078.pdf