Operating Systems AIX Securing AIX - Hardening Lesson 101 Post 302772833 by MichaelFelt on Wednesday 27th of February 2013 01:58:40 AM
Now is a good time to look at so-called Role Based Access Control solutions - aka RBAC - rather than sudo. IT audit requirements are moving in this direction.
If you go sudo - it is not enough to install it and let everyone just sudo su -.

And be sure to define a separate group, no files in it, only admins, who are allowed to su to root (the sugroups setting for root is the name of this group; the default is the keyword ALL, meaning any group is accepted).

AIX supplies ssh on the DVD with AIX 6.1 and AIX 7.1, no additional download needed.

Big plus on the suggestion to set up non-rootvg filesystems (i.e., not just a separate filesystem, but an additional volume group for these items), so that "rootvg" can be replaced (e.g., fresh install) and you will not lose any vital configuration information by accident. Not saying the steps to "replace" rootvg are simple, but this is much simpler than losing the info, or having to extract outdated information from an "ancient" mksysb backup file.

edit motd: yes, but a standard message for all systems - best practice seems to be to mention that only authorized users are permitted, and actions may be logged. Proceeding implies consent and other "legal stuff".

Important change: change the pwd_algorithm setting (none set, so crypt by default) in /etc/security/login.cfg

All the other edits, disabling programs, root login, etc. - just use
# aixpert -l h   (or: # aixpert -l high)
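Two of the settings in the post above (root's sugroups in /etc/security/user and pwd_algorithm in the usw: stanza of /etc/security/login.cfg) can be audited by parsing the AIX stanza file format directly. The script below is an added example, not code from the post or from AIX; it runs against constructed sample files so it works offline, and the group name sysadm and the hash name used in the hardened sample are assumptions for illustration. It also handles the inheritance case: a root stanza that says nothing about sugroups inherits the default: stanza's value, which is ALL on a stock install.

```shell
#!/bin/sh
# Added example, not from the forum post: audit two of the settings the post
# recommends by parsing AIX stanza-format files (/etc/security/user for root's
# sugroups, /etc/security/login.cfg for pwd_algorithm). It runs here against
# constructed sample files; on a real host point the checks at the live paths.

# stanza_attr FILE STANZA ATTR : print the value of ATTR in STANZA, exit 1 if absent.
# Stanza files look like:   root:   followed by indented "attr = value" lines.
stanza_attr() {
    awk -v stanza="$2" -v attr="$3" '
        NF == 1 && $1 ~ /:$/ { cur = substr($1, 1, length($1) - 1); next }
        cur == stanza && $1 == attr && $2 == "=" { print $3; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# user_attr FILE USER ATTR : like stanza_attr, but falls back to the "default:"
# stanza the way AIX does when the user's own stanza leaves the attribute unset.
user_attr() {
    stanza_attr "$1" "$2" "$3" || stanza_attr "$1" default "$3" || true
}

# check_root_sugroups USERFILE : "ok" if su to root is limited to a named group,
# "weak" if it is ALL (the default the post warns about) or could not be read.
check_root_sugroups() {
    v=$(user_attr "$1" root sugroups)
    case "$v" in
        ""|ALL) echo weak ;;
        *)      echo ok ;;
    esac
}

# check_pwd_algorithm LOGINCFG : "ok" if usw: sets pwd_algorithm, "weak" if it is
# unset (which leaves the legacy crypt hash in use, as the post notes).
check_pwd_algorithm() {
    v=$(stanza_attr "$1" usw pwd_algorithm || true)
    [ -n "$v" ] && echo ok || echo weak
}

# make_sample DIR weak|hardened : write constructed sample files (not real data).
# The group "sysadm" and the hash name are assumed values for the demonstration.
make_sample() {
    mkdir -p "$1"
    if [ "$2" = hardened ]; then
        printf 'default:\n\tsugroups = ALL\n\nroot:\n\tadmin = true\n\tsugroups = sysadm\n' > "$1/user"
        printf 'usw:\n\tshells = /bin/sh,/bin/ksh\n\tpwd_algorithm = ssha512\n' > "$1/login.cfg"
    else
        # root stanza does not mention sugroups, so it inherits ALL from default:
        printf 'default:\n\tsugroups = ALL\n\nroot:\n\tadmin = true\n' > "$1/user"
        printf 'usw:\n\tshells = /bin/sh,/bin/ksh\n' > "$1/login.cfg"
    fi
}

# report DIR : one line per check for the files in DIR
report() {
    printf 'root sugroups : %s\n' "$(check_root_sugroups "$1/user")"
    printf 'pwd_algorithm : %s\n' "$(check_pwd_algorithm "$1/login.cfg")"
}

# Stand-alone run over constructed data. On AIX itself the same checks are
#   check_root_sugroups /etc/security/user
#   check_pwd_algorithm /etc/security/login.cfg
demo=$(mktemp -d)
for mode in weak hardened; do
    make_sample "$demo/$mode" "$mode"
    echo "--- $mode sample"
    report "$demo/$mode"
done
rm -rf "$demo"
```

The fallback to the default: stanza is the part worth keeping when adapting this: a check that only reads the root stanza reports "not set" and misses that the effective value is ALL.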

                      Commands Reference, Volume 3, i - m

mksysb Command

  Purpose

   Creates an installable image of the root volume group either in a file or
   onto a bootable tape.

  Syntax

   mksysb [ -a ] [ -A ] [ -b Number ] [ -e ] [ -F filename ] [ -i ] [ -m ]
   [ -p ] [ -t argument ] [ -v ] [ -V ] [ -X ] Device | File

  Description

   Attention: Running the mkszfile or mksysb commands with the LC_ALL
   environment variable set (especially to a non-C value) can cause
   unexpected system behavior such as a mixture of character sets in
   outputs. To resolve the problem, unset the LC_ALL variable and restart
   the program.

   The mksysb command creates a backup of the operating system (that is, the
   root volume group). You can use this backup to reinstall a system to its
   original state after it has been corrupted. If you create the backup on
   tape, the tape is bootable and includes the installation programs needed
   to install from the backup.

   The file-system image is in backup-file format. The tape format includes
   a boot image, a bosinstall image, and an empty table of contents followed
   by the system backup (root volume group) image. The root volume group
   image is in backup-file format, starting with the data files and then any
   optional map files.

   When a bootable backup of a root volume group is created, the boot image
   reflects the currently running kernel. If the current kernel is the
   64-bit kernel, the backup's boot image is also 64-bit, and it only boots
   64-bit systems. If the current kernel is a 32-bit kernel, the backup's
   boot image is 32-bit, and it can boot both 32-bit and 64-bit systems.

   One of the data files mksysb uses is the /bosinst.data file. If a
   /bosinst.data file doesn't exist, /var/adm/ras/bosinst.data is copied to
   / (root). In AIX 4.3.3 and later versions, mksysb always updates the
   target_disk_data stanzas in bosinst.data to match the disks currently in
   the root volume group of the system where the mksysb command is running.

   If you are using a customized /bosinst.data file and do not want the
   target_disk_data stanzas updated, you must create the file
   /save_bosinst.data_file. The mksysb command does not update /bosinst.data
   if the /save_bosinst.data_file exists.

   Notes:

    1. The image the mksysb command creates does not include data on raw
       devices or in user-defined paging spaces.
    2. If you are using a system with a remote-mounted /usr file system, you
       cannot reinstall your system from a backup image.
    3. The mksysb command may not restore all device configurations for
       special features, such as /dev/netbios and some device drivers not
       shipped with the product.
    4. Some rspc systems for AIX 5.1 and earlier do not support booting from
       tape. When you make a bootable mksysb image on an rspc system for
       AIX 5.1 and earlier that does not support booting from tape, the
       mksysb command issues a warning indicating that the tape will not be
       bootable. You can install a mksysb image from a system that does not
       support booting from tape by booting from a CD and entering
       maintenance mode. In maintenance mode you will be able to install the
       system backup from tape.
    5. The mksysb command uses the backup command to create its archive
       image. The mksysb command will also save the EA format for any JFS2
       filesystems being backed up. It uses the /usr/bin/mkvgdata shell
       script to save this information.

   To create a backup of the operating system to CD, please refer to the
   mkcd command.

  Flags

   -a           Does not back up extended attributes or NFS4 ACLs.

   -A           Backs up DMAPI file system files.

   -b Number    Specifies the number of 512-byte blocks to write in a single
                output operation. When the backup command writes to tape
                devices, the default is 100 for backups by name. The write
                size is the number of blocks multiplied by the block size.
                The default write size for the backup command writing to
                tape devices is 51200 (100 * 512) for backups by name. The
                write size must be an even multiple of the tape's physical
                block size.

   -e           Excludes files listed in the /etc/exclude.rootvg file from
                being backed up. The rules for exclusion follow the pattern
                matching rules of the grep command.

                If you want to exclude certain files from the backup, create
                the /etc/exclude.rootvg file, with an ASCII editor, and
                enter the patterns of file names that you do not want
                included in your system backup image. The patterns in this
                file are input to the pattern matching conventions of the
                grep command to determine which files will be excluded from
                the backup. If you want to exclude files listed in the
                /etc/exclude.rootvg file, select the Exclude Files field and
                press the Tab key once to change the default value to yes.

                For example, to exclude all the contents of the directory
                called scratch, edit the exclude file to read as follows:

                    /scratch/

                For example, to exclude the contents of the directory called
                /tmp, and avoid excluding any other directories that have
                /tmp in the pathname, edit the exclude file to read as
                follows:

                    ^./tmp/

                All files are backed up relative to . (current working
                directory). To exclude any file or directory for which it is
                important to have the search match the string at the
                beginning of the line, use ^ (caret character) as the first
                character in the search string, followed by . (dot
                character), followed by the filename or directory to be
                excluded.

                If the filename or directory being excluded is a substring
                of another filename or directory, use ^. (caret character
                followed by dot character) to indicate that the search
                should begin at the beginning of the line and/or use $
                (dollar sign character) to indicate that the search should
                end at the end of the line.

   -F filename  Specifies a previously created mksysb image from which a
                backup tape will be created. An attempt will be made to make
                the backup tape bootable. Additionally, this flag must be
                used in conjunction with a tape device.

   -i           Calls the mkszfile command, which generates the /image.data
                file. The /image.data file contains information on volume
                groups, logical volumes, file systems, paging space, and
                physical volumes. This information is included in the backup
                for future use by the installation process.

                Note: Before running the mkszfile command, ensure that
                enough space is available in the /tmp file system to store
                a boot image. This space is needed during both backup and
                installation. To determine the amount of space needed in
                the /tmp file system, issue the following command:

                    bosboot -q -a -d device

                If you use the -X flag with the mksysb command, you do not
                need to run the bosboot command to determine the amount of
                space needed in the /tmp file system.

   -m           Calls the mkszfile command, with the -m flag to generate map
                files.

                Note: The use of the -m flag causes the functions of the -i
                flag to be executed also.

   -p           Disables software packing of the files as they are backed
                up. Some tape drives use their own packing or compression
                algorithms.

   -t argument  Specifies the path to the directory or file system used to
                create a boot image from the mksysb file specified by the
                -F flag. If the -t flag is not used with the -F flag, the
                boot image is created in the /tmp file system by default.
                Approximately 100 MB of free space is required. After the
                boot image is created, this space is freed.

   -v           Verbose mode. Lists files as they are backed up.

   -V           Verifies a tape backup. This flag causes mksysb to verify
                the file header of each file on the backup tape and report
                any read errors as they occur.

   -X           Specifies to automatically expand the /tmp file system if
                necessary. The /tmp file system may need to be extended to
                make room for the boot image when creating a bootable backup
                to tape.

  Parameters

   Device | File   Specifies the name of the device or file.

  Examples

    1. To generate a system backup and create an /image.data file (generated
       by the mkszfile command) to a tape device named /dev/rmt0, type:

         mksysb -i /dev/rmt0

    2. To generate a system backup and create an /image.data file with map
       files (generated by the mkszfile command) to a tape device named
       /dev/rmt1, type:

         mksysb -m /dev/rmt1

    3. To generate a system backup with a new /image.data file, but exclude
       the files in directory /home/user1/tmp, create the file
       /etc/exclude.rootvg containing the line /home/user1/tmp/, and type:

         mksysb -i -e /dev/rmt1

       This command will back up the /home/user1/tmp directory but not the
       files it contains.

    4. To generate a system backup file named /mksysb_images/node1 and a new
       /image.data file for that image, type:

         mksysb -i /mksysb_images/node1

       Note: This file will not be bootable and can only be installed using
       Network Installation Management (NIM).

    5. To generate a system backup on the tape in /dev/rmt0, and then verify
       the readability of file headers, enter:

         mksysb /dev/rmt0 -V

  Files

   /usr/bin/mksysb   Contains the mksysb command.

  Related Information

   The backup command, bosboot command, mkcd command, mkszfile command.

   The /image.data file.

   A procedure to verify the mksysb backup can be found in the article
   Creating system backups in the Installation and migration.

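The -e flag description and example 3 above both turn on the same detail: exclude patterns are grep patterns applied to paths that are relative to ".", so "/tmp/" also removes /var/tmp and /home/user1/tmp, "^./tmp/" pins the match to the top-level /tmp, and a pattern ending in "/" keeps the directory entry itself while dropping its contents. The script below is an added example, not part of the mksysb reference or of AIX; it runs the patterns through grep -v -f (the matching the page cites) against a constructed path list so the effect can be checked before the exclude file is used on a real root volume group.

```shell
#!/bin/sh
# Added example, not part of the mksysb reference page: exercise the
# /etc/exclude.rootvg matching rules (grep patterns applied to paths that are
# relative to ".") on a constructed file list, so the effect of "/tmp/" versus
# "^./tmp/" can be seen without touching a real root volume group.

# Constructed stand-in for the path list backup sees (find . -print style).
# "./home/user1/tmp" is the directory entry itself; "./home/user1/tmp/x" is a
# file inside it, which is what example 3 on the page distinguishes.
sample_paths() {
    printf '%s\n' \
        ./tmp/scratch.img \
        ./var/tmp/cache \
        ./home/user1/tmp \
        ./home/user1/tmp/x \
        ./etc/passwd \
        ./scratch/a
}

# apply_excludes EXCLUDE_FILE : paths on stdin, paths that remain in the backup
# on stdout. grep -v -f applies the "pattern matching conventions of the grep
# command" the page cites, one pattern per line of the exclude file.
apply_excludes() {
    grep -v -f "$1"
}

# kept PATTERN : paths that survive a one-line exclude file containing PATTERN
kept() {
    ex=$(mktemp)
    printf '%s\n' "$1" > "$ex"
    sample_paths | apply_excludes "$ex" || :
    rm -f "$ex"
}

# count_kept PATTERN : number of surviving paths (whitespace stripped so the
# result compares cleanly on any wc implementation)
count_kept() {
    kept "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show the surviving set for each pattern discussed on the page.
for pat in '/scratch/' '/tmp/' '^./tmp/' '/home/user1/tmp/'; do
    printf '== exclude pattern %-18s keeps %s of 6 paths\n' "$pat" "$(count_kept "$pat")"
    kept "$pat" | sed 's/^/   /'
done
```

Running it shows why the page recommends the "^." prefix: "/tmp/" silently drops /var/tmp and the user's tmp files along with /tmp, while "^./tmp/" removes only the top-level directory's contents. A real exclude file holds several lines; apply_excludes takes such a file as-is, so the same preview works on an existing /etc/exclude.rootvg copied to a scratch location.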