AIX 6.

1
The purpose is to create a Standard Operating Environment which can be installed
through NIM, and offers all functionality as configured on 5.3:

• All default configuration and setup

o For example DNS, NTP, filesystems, additional software, etc.
• Tuning
o For example limitations, unnecessary software and services, etc.
• User Environment
o Profile and homedir configuration
• Security
o AIX security
o LDAP authentication on eDirectory
o Sudo
o Syslog

Although the paragraphs will refer to more necessary when necessary the overall
document on which this article is based is AIX Post Install. That document was created
on AIX 5.3 and gives a lot of background information. This document adds specific
information for AIX 6.1, but does not copy the background information which is also
valid for AIX 5.3. So, in conclusion, if you need more information the AIX Post Install is
your best place to start.

Installation
The installation is performed through NIM and the version installed is:
6100-04-03-1009

which was released in February 2010. During the install I accepted all default settings.

How to add a client in NIM How to install a NIM client

Default Configuration
Change Root

• Change root's password by issuing the command 'passwd' on the commandline

after login.
• Change root's account through smitty by issuing the command 'smitty users' on
the commandline:
o Change / Show Characteristics of a User
 Select the root user
  Set root's home directory to /home/root

Note:

• You'll have to create the /home/root directory and set permissions.

• Because Root's home is initially set to / you might want to copy root's files to it's
new home directory.

DNS
Setup DNS by editing the 'resolv.conf' configuration file:
# vi /etc/resolv.conf
nameserver 10.10.10.100
nameserver 10.10.10.101
search intranet.company.nl company.local

Note:

• The search entry can have up to a maximum of 1024 characater strings for the
DomainName variable.
• The first DomainName variable is interpreted as the default domain name.
• The DomainName variable is the name of a domain that should be included in the
search list.
• The domain entry and search entry are mutually exclusive. If both entries are
used, the one that appears last will override the other.

NTP

Timezone
Setup the timezone through 'smitty':

• System Environments
o Change / Show Date, Time, and Time Zone
 Change Time Zone Using System Defined Values
 Select your country (NL - Netherlands)
 Select your time zone name (Europe/Amsterdam -
(GMT+01:00/GMT+02:00) Central Europe)
 Confirm

NTP Config
Setup NTP by editing the 'ntp.conf' configuration file:
# vi /etc/ntp.conf
#broadcastclient
driftfile /etc/ntp.drift
tracefile /etc/ntp.trace
server ntp.company.nl
Set the Time
# ntpdate ntp.company.nl
3 Mar 10:02:29 ntpdate[250036]: step time server 10.10.10.100 offset
0.975368 sec
# ntpdate ntp.company.nl
3 Mar 10:02:39 ntpdate[250040]: adjust time server 10.10.10.100 offset
0.000045 sec

NTP Service
Configure the NTP service to start automatically through 'smitty xntpd':

• Start Using the xntpd Subsystem

o BOTH

Reboot
To completely setup time and related services correctly reboot since the timezone change
requires one.

NFS
Add the company NFS share through 'smitty manfs'

• Network File System (NFS)

o Network File System (NFS)
 Add a File System for Mounting
 Pathname of mount point [/exports/install]
 Pathname of remote directory [/exports/install]
 Host where remote directory resides [fileserver.company.nl]
 Mount now, add entry to /etc/filesystems or both? [both]
 /etc/filesystems entry will mount the directory on system restart.
[yes]
 Mode for this NFS file system [read-only]
 Transport protocol to use [udp]
 Allow execution of setuid and setgid programs in this file system?
[no]
 Allow device access via this mount? [no]

Check
There is a new filesystem defined in /etc/filesystems:
/exports/install:
dev = "/exports/install"
vfs = nfs
nodename = fileserver.company.nl
mount = true
options = ro,bg,hard,intr,proto=udp,nodev,nosuid,sec=sys
account = false

This filesystem is already mounted:

# mount
node mounted mounted over vfs date
options
-------- --------------- --------------- ------ ------------
---------------
/dev/hd4 / jfs2 Mar 03 10:13
rw,log=/dev/hd8
/dev/hd2 /usr jfs2 Mar 03 10:13
rw,log=/dev/hd8
/dev/hd9var /var jfs2 Mar 03 10:13
rw,log=/dev/hd8
/dev/hd3 /tmp jfs2 Mar 03 10:13
rw,log=/dev/hd8
/dev/hd1 /home jfs2 Mar 03 10:14
rw,log=/dev/hd8
/dev/hd11admin /admin jfs2 Mar 03 10:14
rw,log=/dev/hd8
/proc /proc procfs Mar 03 10:14 rw
/dev/hd10opt /opt jfs2 Mar 03 10:14
rw,log=/dev/hd8
/dev/livedump /var/adm/ras/livedump jfs2 Mar 03 10:14
rw,log=/dev/hd8
fileserver.company.nl /exports/install /exports/install nfs3 Mar 03
10:32 ro,bg,hard,intr,proto=udp,nodev,nosuid,sec=sys

Filesystems
When AIX gets installed the filesystem gets a certain amount of space dependent on the
size of the disk and what is installed:
# df -m
Filesystem MB blocks Free %Used Iused %Iused Mounted on
/dev/hd4 320.00 154.38 52% 12990 25% /
/dev/hd2 2144.00 355.22 84% 39261 31% /usr
/dev/hd9var 192.00 17.66 91% 6439 57% /var
/dev/hd3 64.00 61.55 4% 24 1% /tmp
/dev/hd1 32.00 31.62 2% 11 1% /home
/dev/hd11admin 128.00 127.63 1% 5 1% /admin
/proc - - - - - /proc
/dev/hd10opt 96.00 12.57 87% 1886 37% /opt
/dev/livedump 256.00 255.64 1% 4 1%
/var/adm/ras/livedump

Change the size of the filesystems using the 'chfs' command:

# chfs -a size=2G /
# chfs -a size=4G /usr
# chfs -a size=1G /var
# chfs -a size=1G /tmp
# chfs -a size=512M /home
# chfs -a size=10G /opt

Result:

# df -m
Filesystem MB blocks Free %Used Iused %Iused Mounted on
/dev/hd4 2048.00 1882.11 9% 12990 3% /
/dev/hd2 4096.00 2306.92 44% 39261 7% /usr
/dev/hd9var 1024.00 849.48 18% 6441 4% /var
/dev/hd3 1024.00 1021.37 1% 24 1% /tmp
/dev/hd1 512.00 511.55 1% 11 1% /home
/dev/hd11admin 128.00 127.63 1% 5 1% /admin
/proc - - - - - /proc
/dev/hd10opt 10240.00 10155.02 1% 1886 1% /opt
/dev/livedump 256.00 255.64 1% 4 1%
/var/adm/ras/livedump

Additional Software
Download the latest rpms:
IBM AIX Toolbox for Linux Applications Information page Actual FTP download site
Get SSH and SSL from the AIX installation and expansion DVDs.

Install AIX Software

Install AIX software with 'smitty install_latest':

• enter dir with software

...<cut>...
Installation Summary
--------------------
Name Level Part Event
Result
-----------------------------------------------------------------------
--------
rpm.rte 3.0.5.51 USR APPLY
SUCCESS
rpm.rte 3.0.5.51 ROOT APPLY
SUCCESS
openssl.base 0.9.8.1100 USR APPLY
SUCCESS
openssl.base 0.9.8.1100 ROOT APPLY
SUCCESS
openssh.base.client 5.2.0.5300 USR APPLY
SUCCESS
openssh.base.server 5.2.0.5300 USR APPLY
SUCCESS
openssh.base.client 5.2.0.5300 ROOT APPLY
SUCCESS
openssh.base.server 5.2.0.5300 ROOT APPLY
SUCCESS

Install RPMS
This is a selection of RPMS I like to install on an AIX system:
# rpm -iv *.rpm
bash-3.2-1
gcc-4.2.0-3
gettext-0.10.40-8
less-382-1
lsof-4.61-3
sudo-1.6.9p15-2noldap
tar-1.14-2
vim-common-6.3-1
vim-enhanced-6.3-1
vim-minimal-6.3-1
which-2.14-1

SSH and SSL Config

SSH must be configured so X11 forwarding works as well. In a later configuration stage
root will be forbidden to logon remotely, but for now that is still allowed. Configuration
includes two files: /etc/ssh/sshd_config and /etc/ssh/ssh_config:
bash-3.2# cat /etc/ssh/sshd_config | grep '^[A-z]'
Protocol 2
PermitRootLogin yes
IgnoreRhosts yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
TCPKeepAlive yes
XauthLocation /usr/bin/X11/xauth
Banner /etc/secure_banner
Subsystem sftp /usr/libexec/sftp-server
bash-3.2# cat /etc/ssh/ssh_config | grep '^[A-z]'
ForwardX11 yes
ConnectTimeout 30
Protocol 2

Restart the ssh daemon:

# /etc/rc.d/rc2.d/Ssshd stop
# /etc/rc.d/rc2.d/Ssshd start

After restarting your session you can issue 'xclock' to see if it's working.

See CygWin - X op Windows to see how to setup your local Windows installation for
X11 forwarding.

Note: Don't forget to create and place you secure_banner in /etc.

Oracle Requirements
Oracle has a few requirements when installed on an AIX box, and one of them is not
installed by default: bos.adt.libm. The package can be installed using the NIM server:
bash-3.2# lslpp -l bos.adt.libm
lslpp: Fileset bos.adt.libm not installed.

bash-3.2# nimclient -l -L ms-soe6

...<cut>...
lpp_6100_04_03 lpp_source
...<cut>...
bash-3.2# nimclient -o allocate -a lpp_source=lpp_6100_04_03
bash-3.2# nimclient -l -c resources ms-soe6
lpp_6100_04_03 lpp_source
bash-3.2# nimclient -o cust -a lpp_source=lpp_6100_04_03 -a
filesets=bos.adt.libm
...<cut>...

bash-3.2# lslpp -l bos.adt.libm

Fileset Level State Description
---------------------------------------------------------------------
-------
Path: /usr/lib/objrepos
bos.adt.libm 6.1.4.0 APPLIED Base Application
Development
Math Library

See AIX NIM for more information on how to install software using a NIM server.

Tuning
AIX Limitations
For system stability reasons AIX has a few limitations which interfere (within our
company) with production processes.

SWAP
By default, the swap space is defined as 512 MB which is a little bit low when oracle,
websphere or any other demanding application is running.
Set the paging space to 4 GB for better performance:
bash-3.2# lsps -a
Page Space Physical Volume Volume Group Size %Used Active
Auto Type Chksum
hd6 hdisk0 rootvg 512MB 2 yes
yes lv 0
bash-3.2# chps -s 112 hd6
bash-3.2# lsps -a
Page Space Physical Volume Volume Group Size %Used Active
Auto Type Chksum
hd6 hdisk0 rootvg 4096MB 1 yes
yes lv 0

Large Files
By default no one on the system is allowed to work with large files to prevent the
filesystems from becoming full too fast, but we need root to work with large files. To do
so, adjust the /etc/security/limits and these lines in the root section:
root:
fsize = -1
data = -1
stack = -1

Network
By default, AIX waits 200 ms before sending the TCP acknowledgement. To disable this
setting issue:
bash-3.2# no -p -o tcp_nodelayack=1
Setting tcp_nodelayack to 1
Setting tcp_nodelayack to 1 in nextboot file

In AIX Post Install are extended tests regarding AIX performance and more background
information.

Memory
When running Oracle the memory is better adjusted to meet the demands Oracle can
make:
bash-3.2# vmo -p -o minperm%=5 -o maxperm%=90 -o maxclient%=90 -o
lru_file_repage=0
Setting minperm% to 5 in nextboot file
Modification to restricted tunable maxperm%, confirmation required
yes/no yes
Setting maxperm% to 90 in nextboot file
Modification to restricted tunable maxclient%, confirmation required
yes/no yes
Setting maxclient% to 90 in nextboot file
Modification to restricted tunable lru_file_repage, confirmation
required yes/no yes
Setting lru_file_repage to 0 in nextboot file
Setting minperm% to 5
Setting maxperm% to 90
Warning: a restricted tunable has been modified
Setting maxclient% to 90
Warning: a restricted tunable has been modified
Setting lru_file_repage to 0
Warning: a restricted tunable has been modified

The default settings are:

vmo -p -o minperm%=20 -o maxperm%=80 -o maxclient%=80 -o

lru_file_repage=1

Unnecessary Software
Software that is unnecessary:

• Alternate Disk Installation:

o bos.alt_disk_install.boot_images
o bos.alt_disk_install.rte
• Cluster Systems Management:
o csm.client
o csm.core
o csm.deploy
o csm.diagnostics
o csm.dsh
o csm.gui.dcem

To remove these packages issue:

installp -u bos.alt_disk_install.boot_images bos.alt_disk_install.rte
csm.client csm.core csm.deploy csm.diagnostics csm.dsh csm.gui.dcem

According to KPMG security,

• AIX Security Hardening:

o bos.aixpert.cmds
o bos.aixpert.websm
• Reliable Scalable Cluster Technology (RSCT)
o rsct.core.gui
o rsct.core.lprm
o rsct.core.sensorrm

installp -u bos.aixpert.cmds bos.aixpert.websm rsct.core.gui rsct.core.lprm

rsct.core.sensorrm

Unnecessary Services

Unnecessary Inetd Subservers

Use these commands to turn all subservers off:
chsubserver -d -v ftp -p tcp
chsubserver -d -v telnet -p tcp
chsubserver -d -v shell -p tcp
chsubserver -d -v kshell -p tcp
chsubserver -d -v login -p tcp
chsubserver -d -v klogin -p tcp
chsubserver -d -v exec -p tcp
chsubserver -d -v comsat -p udp
chsubserver -d -v uucp -p tcp
chsubserver -d -v bootps -p udp
chsubserver -d -v finger -p tcp
chsubserver -d -v systat -p tcp
chsubserver -d -v netstat -p tcp
chsubserver -d -v tftp -p udp
chsubserver -d -v talk -p udp
chsubserver -d -v ntalk -p udp
chsubserver -d -v rquotad -p udp
chsubserver -d -v rexd -p tcp
chsubserver -d -v rstatd -p udp
chsubserver -d -v rusersd -p udp
chsubserver -d -v rwalld -p udp
chsubserver -d -v sprayd -p udp
chsubserver -d -v pcnfsd -p udp
chsubserver -d -v echo -p tcp
chsubserver -d -v echo -p udp
chsubserver -d -v discard -p tcp
chsubserver -d -v discard -p udp
chsubserver -d -v chargen -p tcp
chsubserver -d -v chargen -p udp
chsubserver -d -v daytime -p tcp
chsubserver -d -v daytime -p udp
chsubserver -d -v time -p tcp
chsubserver -d -v time -p udp
chsubserver -d -v instsrv -p tcp
chsubserver -d -v xmquery -p udp
chsubserver -d -v imap2 -p tcp
chsubserver -d -v pop3 -p tcp
chsubserver -d -v wsmserver -p tcp

After disabling all subservers don't forget to refresh the inetd daemon:

refresh -s inetd

Unnecessary Subsystems
Use these commands to stop and disable susbsystems that are automatically started by
AIX but are not needed:
bash-3.2# chrctcp -S -d inetd
bash-3.2# chrctcp -S -d snmpd
bash-3.2# chrctcp -S -d hostmibd
bash-3.2# chrctcp -S -d snmpmibd
bash-3.2# chrctcp -S -d aixmibd
bash-3.2# chrctcp -S -d writesrv
bash-3.2# chrctcp -S -d qdaemon

• inetd: nternet daemon

• snmpd: simple network management protocol
• snmpmibd: extends snmp possibilities
• hostmibd: extends snmp possibilities
• aixmibd: extends snmp possibilities
• writesrv: enables the ability to receive massages from users from a remote system
• qdaemon: printer queue daemon

Remove Services from Inittab

Inittab starts a few more services which can be removed from inittab using these
commands:
rmitab piobe
rmitab writesrv
rmitab qdaemon
rmitab naudio
rmitab naudio2
rmitab xmdaily
rmitab pconsole

• piobe: spooler backend

• naudio(2): configures pci audio devices
• xmdaily: collects data regarding performance information
• pconsole: system director console (web administration tool)

User Environment
Profile
I used AIX Profile to setup the profile for all users.

Home Directory
I used AIX Home Directory to setup the automatic creation of home directories for users.

Security
AIX Security

Intruder Lockout
To prevent brute force account hacking enable intruder lockout. This can be done by
editing '/etc/security/login.cfg':
default:
sak_enabled = false
logintimes =
logindisable = 4
logininterval = 60
loginreenable = 30
logindelay = 5

For more information about these settings please check this page.

Valid Shells
Add bash to the list of valid shells, which can be done in the same file,
'/etc/security/login.cfg':
usw:
shells =
/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr
/bin/bsh,/usr/bin/csh,/u
sr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/u
sr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin
/snappd,/bin/bash,/usr/bin/bash
maxlogins = 32767
logintimeout = 60
maxroles = 8
auth_type = STD_AUTH

Default User Settings

Set the default options for new created users to a higher level of security, 'vi
/etc/security/user':
default:
admin = false
login = false
su = false
daemon = true
rlogin = true
sugroups =
 admgroups =
ttys = ALL
auth1 = SYSTEM
auth2 = NONE
tpath = nosak
umask = 022
expires = 0
SYSTEM = "compat"
logintimes =
pwdwarntime = 7
account_locked = false
loginretries = 3
histexpire = 26
histsize = 4
minage = 1
maxage = 13
maxexpired = -1
minalpha = 5
minother = 3
minlen = 8
mindiff = 1
maxrepeats = 2
dictionlist =
pwdchecks =

Root Login
Set, in the same file, that root is allowed to login, 'vi /etc/security/user':
root
login = true

Automatic Timeout
Set an automatic timeout for sessions of one hour, 'vi /etc/profile':
...<cut>....
# Automatic logout, include in export line if uncommented
TMOUT=3600
...<cut>...
export LOGNAME MAIL MAILMSG TERM TMOUT
...<cut>...

Sendmail Privacy
Edit the /etc/sendmail.cf file to minimize the information sendmail shows on connection:
# privacy flags
O PrivacyOptions=goaway

See Sendmail Security Quick Fixes for more information about sendmail security.

Don't forget to restart sendmail afterwards.

LDAP
LDAP authentication has been setup as described in AIX LDAP authentication on
eDirectory.
Sudo
Sudo security has been setup as described in Sudo.

Root
You now have to make the final changes to the root account. Since you now have sudo
rights for LDAP users root should no longer be allowed to login, except in emergencies.
So, make sure users are allowed to 'su' to root and that root is only allowed a local login.
You can change that in 'smitty users':

• Change / Show Characteristics of a User

o Select root
o Another user can SU TO USER?
 Set from “false” to “true”.
o User can LOGIN REMOTELY(rsh,tn,rlogin)?
 Set from “true” to “false”.

Also, don't forget to change the '/etc/ssh/sshd_config' to make sure root is not allowed to
log in over ssh as well:

PermitRootLogin yes

Syslog
Syslog has been setup as described in SYSLOG.