# AIX Administration Tips

##### Install fileset from ISO

```
# First mount the DVD ISO file at /mnt/iso
# Example: install devices.scsi.disk
root@aixvm:ppc> ls -l /mnt/iso/installp/ppc/devices.scsi.disk
-rw-r--r--    2 4000     4000        1445888 Oct 28 2022  /mnt/iso/installp/ppc/devices.scsi.disk

root@aixvm:ppc> cd /mnt/iso/installp/ppc/

root@aixvm:ppc> installp -acgXYd . devices.scsi.disk
```

##### Install lsof

Where can the lsof, bind, rsyslog, openssh, openssl, etc. packages be downloaded?

- URL: [https://www.ibm.com/resources/mrs/assets/packageList?source=aixbp&lang=en_US](https://www.ibm.com/resources/mrs/assets/packageList?source=aixbp&lang=en_US)

`lsof_4.892.tar`

```bash
tar xf lsof_4.892.tar
cd lsof_4.892
installp -acgXYd . lsof.base lsof.license lsof.man.en_US
lsof -v
```

```bash
tar xf lsof_4.892.tar
cd lsof_4.892
smitty installp

# Install Software
# INPUT device / directory for software   [.]  << Input a dot
# SOFTWARE to install                     [_all_latest] << Esc + 4, Esc + 7
# ACCEPT new license agreements?          yes
```

##### User & Group

```bash
# Create a new user
mkuser admin="false" pgrp="staff" gecos="Test User" test3
# Or create the user with an additional group
mkuser admin="false" pgrp="staff" groups="sshusers" gecos="Test User" test3

# Remove a user
rmuser -p <user-name>
```

##### Network

Check the interface

```bash
lsdev -Cc if
lsdev -Cc adapter
lscfg -vpl ent0
lsattr -El ent0
lsattr -El en0
```

Configure the network

```bash
# Set the ip/netmask/gateway
/usr/sbin/mktcpip -h'aixvm' -a'192.168.99.100' -m'255.255.255.0' -i'en0' -g'192.168.99.1' -A'no' -t'N/A'

# Set the DNS server addr
echo "nameserver 1.1.1.1" > /etc/resolv.conf
```

Check open ports

```bash
netstat -Aan
```

##### Security-related commands

```shell
# Failed logins
who /etc/security/failedlogin | tail -50

# Check the number of previous unsuccessful logins for the account to confirm it is blocked
lsuser -a account_locked unsuccessful_login_count {ALL|user_name}

# Check when a particular user's password was last changed
pwdadm -q {user_name}
lssec -f /etc/security/passwd -a lastupdate -s {user_name}
lsuser -a lastupdate {user_name}

## Convert the epoch time
perl -le 'print scalar localtime $ARGV[0]' {epochtime}

# Reset the unsuccessful login counter
chsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s {user_name}

# Unlock the locked account
chuser account_locked=false {user_name}

# Lock account
chuser account_locked=true {user_name}

# List the locked accounts
lsuser ALL | sed -n '/account_locked=true/p' | sed '/sshd/d' | awk '{print $1}'
```

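Automatic lockout after failed logins

- Can be set for a specific account or globally
- Note: the retry count is cumulative; one successful login does not reset the counter to zero
- To unlock, reset the failed-login counter to zero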

```bash
chuser loginretries=5 <username>
lsuser -a loginretries <username>
```
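An added example (not from the original page) that turns `lsuser` output into a per-account lockout status, separating accounts flagged `account_locked=true` from those whose failure count has reached `loginretries`. The function names, the status labels and the sample lines are constructed for illustration; a `loginretries` of 0 is treated as "no limit".

```shell
#!/bin/sh
# Added example: classify accounts from `lsuser -a ...` output read on stdin.
# Each line looks like: name attr=value attr=value ...
lockout_report() {
    awk '{
        user = $1; locked = "false"; count = 0; retries = 0
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "account_locked")           locked  = kv[2]
            if (kv[1] == "unsuccessful_login_count") count   = kv[2] + 0
            if (kv[1] == "loginretries")             retries = kv[2] + 0
        }
        if (locked == "true")       status = "ACCOUNT_LOCKED"
        else if (retries <= 0)      status = "NO_RETRY_LIMIT"
        else if (count >= retries)  status = "RETRY_LIMIT_REACHED"
        else if (count > 0)         status = "FAILURES_" count "_OF_" retries
        else                        status = "OK"
        print user, status
    }'
}

# Constructed sample input (not taken from a real system).
sample_lsuser() {
    cat <<'EOF'
root account_locked=false unsuccessful_login_count=0 loginretries=0
test3 account_locked=false unsuccessful_login_count=5 loginretries=5
user1 account_locked=false unsuccessful_login_count=2 loginretries=5
svc1 account_locked=true unsuccessful_login_count=0 loginretries=5
admin2 account_locked=false unsuccessful_login_count=0 loginretries=5
EOF
}

# On AIX, feed it the real data instead of the sample:
#   lsuser -a account_locked unsuccessful_login_count loginretries ALL | lockout_report
sample_lsuser | lockout_report
```

Accounts reported as `NO_RETRY_LIMIT` are the ones to review when a lockout policy is expected everywhere.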

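##### System password algorithm

Check the current system setting in `/etc/security/login.cfg`. By default there is no `pwd_algorithm` entry, and AIX uses the crypt function to encrypt passwords. For more information, see: [Traditional password crypt function](https://www.ibm.com/docs/en/aix/7.2.0?topic=algorithm-traditional-password-crypt-function)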

```
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93
        maxlogins = 32767
        logintimeout = 60
        maxroles = 8
        auth_type = STD_AUTH
        pwd_algorithm = ssha256
```

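Check which password algorithms the system supports

- View the file `/etc/security/pwdalg.cfg`; by default it contains the entries smd5, ssha1, ssha256 and ssha512.

To change the password algorithm, run the following command: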

```bash
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512
```
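Changing `pwd_algorithm` only affects passwords set afterwards, so existing hashes keep their old format until each user changes password. An added example (not from the original page) that reads `/etc/security/passwd`-style stanzas and lists accounts whose hash is not in the wanted algorithm, with their `lastupdate` epoch; the function names and sample stanzas are constructed, and it assumes hashes carry a `{algorithm}` prefix, with unprefixed ones treated as traditional crypt.

```shell
#!/bin/sh
# Added example: report users whose stored hash is not in the wanted algorithm.
# Reads /etc/security/passwd-style stanzas on stdin; $1 is the wanted algorithm.
hash_algo_report() {
    awk -v want="$1" '
    function emit() {
        if (user != "" && algo != "" && algo != want)
            print user, algo, (upd == "" ? "never" : upd)
        user = ""; algo = ""; upd = ""
    }
    /^[A-Za-z0-9_.-]+:[ \t]*$/ { emit(); user = $1; sub(/:$/, "", user); next }
    $1 == "password" && $2 == "=" {
        h = $3
        if (h == "" || h == "*") algo = ""          # no usable password
        else if (substr(h, 1, 1) == "{" && (e = index(h, "}")) > 2)
            algo = substr(h, 2, e - 2)              # e.g. {ssha256}... -> ssha256
        else algo = "crypt"                         # unprefixed: traditional crypt
    }
    $1 == "lastupdate" && $2 == "=" { upd = $3 }
    END { emit() }'
}

# Constructed sample stanzas; the hash strings are placeholders, not real hashes.
sample_passwd() {
    cat <<'EOF'
root:
        password = {ssha512}06$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE
        lastupdate = 1700000000
        flags =

olduser:
        password = XXconstructed
        lastupdate = 1400000000

test3:
        password = {ssha256}06$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE
        lastupdate = 1650000000

daemon:
        password = *
EOF
}

# On AIX (as root): hash_algo_report ssha512 < /etc/security/passwd
sample_passwd | hash_algo_report ssha512
```

The third column can be converted with the `perl -le 'print scalar localtime $ARGV[0]'` one-liner shown earlier to see how old each remaining hash is.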

##### Mount CD-ROM & ISO

```bash
# Mount CD-ROM
mount -V cdrfs -o ro /dev/cd0 /mnt

# Mount/Umount ISO file
loopmount -i aix61_dvd.iso -o "-V cdrfs -o ro" -m /mnt
loopumount -l loop0 -m /mnt
```

##### Unlock HMC root

- [Unlocking the root user on HMC8 and HMC9](https://www.talkwithtrend.com/Article/245935)

##### Restrict which users can switch to root

```bash
# Create a group sysadm
mkgroup sysadm

# Add user1, who is allowed to su to root, to the group sysadm
chgrpmem -m + user1 sysadm
lsgroup sysadm

# Allow only members of sysadm to su to root
chsec -f /etc/security/user -s root -a sugroups=sysadm
# To reset to the default, set sugroups=ALL

# Alternatively
smitty user
# Change / Show Characteristics of a User
# User Name                              [root]
# SU GROUPS                              [sysadm]
```

##### Restricted Shell

Restrict what a given account is allowed to execute in its default shell environment after login.

Tutorial:

- [How to Use a Restricted Shell](https://www.ibm.com/support/pages/how-use-restricted-shell)

Default shell:

```shell
# Change the default shell for the user to the restricted shell such as rksh or Rsh.
chuser shell=/usr/bin/rksh <user-name>
# OR
chsh <user-name> /usr/bin/rksh
```

.profile:

```shell
# Add the commands that the user is allowed to run to the directory.
mkdir /usr/bin/restricted
cd /usr/bin/restricted
ln -s /usr/bin/date date

# Create a .profile in the user's home directory and set the PATH environment variable to
# a directory containing all of the commands you want the user to be able to run
export PATH=/usr/bin/restricted
```

##### Core dump

```shell
# Analyze the core file
dbx -C ./core

(dbx) corefile

(dbx) dump

(dbx) quit
```

##### System dump

errpt:

```
67145A39 0413095315    U    S    SYSDUMP    SYSTEM DUMP
```

Copy the dump from the dump device to a file using the `savecore` command:

```
savecore  .
```

> Yes, the period is necessary. It indicates you want the dump copied to your current directory

savecore will copy the dump to your current directory, and name it:

```
vmcore.0.BZ
```

Uncompress the dump using the dmpuncompress command:

```
dmpuncompress  vmcore.0.BZ
```

Lastly, format the dump:

```
/usr/lib/ras/dmprtns/dmpfmt  -c  vmcore.0
```

Reading a Dump

```
kdb  vmcore.0  vmunix.0
```

##### System performance

Memory - svmon

```shell
# For a summary of the top 15 processes using memory on the system
svmon -Pt15 | perl -e 'while(<>){print if($.==2||$&&&!$s++);$.=0 if(/^-+$/)}'
```

```
-------------------------------------------------------------------------------
     Pid Command          Inuse      Pin     Pgsp  Virtual 64-bit Mthrd  16MB
18547096 db2sysc        3956861    12944   282407  4007901      Y     Y     N
19333470 db2sysc         690873    12944    26772   688572      Y     Y     N
19726694 db2sysc         271696    12944     6198   287133      Y     Y     N
13500914 db2sysc         263458    12943    18957   285159      Y     Y     N
 1966448 shlap64         109377    12900     3432   122071      Y     N     N
13631924 db2vend         105589    12900      597   115784      Y     N     N
19005734 db2sysc         105082    12902      409   114965      Y     Y     N
20709798 db2sysc         105071    12900      409   114953      Y     N     N
20119938 db2sysc         105071    12900      409   114953      Y     N     N
20185458 db2sysc         105071    12900      408   114953      Y     N     N
15597848 db2vend         104222    12900     1771   115608      Y     N     N
21430722 db2sysc         103728    12900     1576   114777      Y     N     N
21037528 db2sysc         103724    12902     1576   114773      Y     Y     N
14025064 db2sysc         103696    12900     1608   114777      Y     N     N
18350424 db2sysc         103696    12900     1608   114777      Y     N     N
```

Sar

- [sar command - IBM Documentation](https://www.ibm.com/docs/zh-tw/aix/7.3?topic=s-sar-command)

> If you see `sar: 0551-201 Cannot open /var/adm/sa/sa09`, fix it by running `sar -o /var/adm/sa/sa09 10`

```bash
# CPU
sar -u 2 10

# Memory
sar -r 2 10

# I/O
sar -b 2 10
```

iostat

```bash
iostat 2 10
```

##### Perl usage

Quickly check whether a specific module is installed

```bash
perl -e "use LWP::UserAgent;"
perl -e "use DBI;"
```

HTTP GET request

```perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

my $ua = LWP::UserAgent->new;

my $server_endpoint = "http://192.168.1.1:8000/service";

# set custom HTTP request header fields
my $req = HTTP::Request->new(GET => $server_endpoint);
$req->header('content-type' => 'application/json');
$req->header('x-auth-token' => 'kfksj48sdfj4jd9d');

my $resp = $ua->request($req);
if ($resp->is_success) {
    my $message = $resp->decoded_content;
    print "Received reply: $message\n";
}
else {
    print "HTTP GET error code: ", $resp->code, "\n";
    print "HTTP GET error message: ", $resp->message, "\n";
}
```

HTTP POST request

```perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

my $ua = LWP::UserAgent->new;

my $server_endpoint = "http://192.168.1.1:8000/service";

# set custom HTTP request header fields
my $req = HTTP::Request->new(POST => $server_endpoint);
$req->header('content-type' => 'application/json');
$req->header('x-auth-token' => 'kfksj48sdfj4jd9d');

# add POST data to HTTP request body
my $post_data = '{ "name": "Dan", "address": "NY" }';
$req->content($post_data);

my $resp = $ua->request($req);
if ($resp->is_success) {
    my $message = $resp->decoded_content;
    print "Received reply: $message\n";
}
else {
    print "HTTP POST error code: ", $resp->code, "\n";
    print "HTTP POST error message: ", $resp->message, "\n";
}
```

##### NFS

```bash
# List NFS mount-points that were configured in /etc/filesystems
root@aixvm:> lsnfsmnt -l
Name            Nodename   Mount Pt               VFS   Size    Options    Auto Accounting
/dataVol/aix_nfs fedoravm   /mnt/nfs               nfs   --      bg,hard,intr,retry=3,timeo=30,sec=sys yes  no
```

##### Boot device

bootinfo

```bash
# Current boot volume
bootinfo -v

# Current boot disk
bootinfo -b
```

bosboot

```bash
# Create a bootable image
bosboot -ad hdisk0
```

bootlist

```bash
# Show the boot list for normal/service mode
bootlist -m normal -o
bootlist -m service -o

# Set the boot list for normal/service mode
bootlist -m normal hdisk0 hdisk1
bootlist -m service cd0 hdisk1
```

##### System Information

`oslevel -s`

```
7200-05-06-2320
```

`prtconf`

```
System Model: IBM pSeries (emulated by qemu)
Machine Serial Number: Not Available
Processor Type: PowerPC_POWER8
Processor Implementation Mode: POWER 8
Processor Version: PV_8_Compat
Number Of Processors: 2
Processor Clock Speed: 1000 MHz
CPU Type: 64-bit
Kernel Type: 64-bit
LPAR Info: 0 aix_on_kvm
Memory Size: 4096 MB
Good Memory Size: 4096 MB
Platform Firmware level: Not Available
Firmware Version: SLOF,HEAD
Console Login: enable
Auto Restart: true
Full Core: false
NX Crypto Acceleration: Not Capable
In-Core Crypto Acceleration: Capable, but not Enabled
...
INSTALLED RESOURCE LIST

The following resources are installed on the machine.
+/- = Added or deleted from Resource List.
*   = Diagnostic support not available.

  Model Architecture: chrp
  Model Implementation: Uni-Processor, PCI bus

+ sys0                                                     System Object
+ sysplanar0                                               System Planar
* vio0                                                     Virtual I/O Bus
* ent0                                                     Virtual I/O Ethernet Adapter (l-lan)
* vsa0                                                     LPAR Virtual Serial Adapter
* vty0                                                     Asynchronous Terminal
* pci0                                                     PCI Bus
* scsi0            qemu_virtio-scsi-pci:0000:00:02.0       Virtio SCSI Client Adapter (f41a0800)
* hdisk4           qemu_virtio-scsi-pci:0000:00:02.0-LW_0  MPIO Other Virtio SCSI Disk Drive
* hdisk5           qemu_virtio-scsi-pci:0000:00:02.0-LW_0  MPIO Other Virtio SCSI Disk Drive
+ L2cache0                                                 L2 Cache
+ mem0                                                     Memory
+ proc0                                                    Processor
+ proc1                                                    Processor
```

`lparstat -i`

```
Node Name                                  : aixvm
Partition Name                             : aix_on_kvm
Partition Number                           : 0
Type                                       : Shared
Mode                                       : Capped
Entitled Capacity                          : 2.00
Partition Group-ID                         : 1
Shared Pool ID                             : 1
Online Virtual CPUs                        : 2
Maximum Virtual CPUs                       : 2
Minimum Virtual CPUs                       : 2
Online Memory                              : 4096 MB
Maximum Memory                             : 4096 MB
Minimum Memory                             : 4096 MB
Variable Capacity Weight                   : 128
Minimum Capacity                           : 2.00
...
```

`uname -L`

```
0 aix_on_kvm
```

##### inittab management

```bash
# List all items
lsitab -a

# Remove an item
rmitab nim
```

##### Service management

```bash
# List all services
lssrc -a
lssrc -a | grep active

# Check the service inetd
lssrc -s inetd
lssrc -ls inetd

# Start/Reload/Stop the service
startsrc -s xntpd
refresh -s xntpd
stopsrc -s xntpd
```

##### LPAR Check

```bash
# Lists details on the LPAR configuration
lparstat -i
```

##### UAK Check (Update Access Key)

```bash
# Check UAK (Update Access Key) Expiration
lparstat -u
```

##### UTF-8 locales

Check the current locale environment variables.

```
root@aixvm:> locale
LANG=en_US
LC_COLLATE="en_US"
LC_CTYPE="en_US"
LC_MONETARY="en_US"
LC_NUMERIC="en_US"
LC_TIME="en_US"
LC_MESSAGES="en_US"
LC_ALL=

root@aixvm:> locale -a
C
POSIX
en_US.8859-15
en_US.IBM-858
en_US.ISO8859-1
en_US


root@aixvm:> lslpp -L bos.loc.*
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.loc.iso.en_US          7.2.5.0    A     F    Base System Locale ISO Code
                                                   Set - U.S. English
```

Install the file set for en_US.UTF-8 from the AIX Installer ISO

- file set: `bos.loc.utf.EN_US`

```bash
installp -qaXgY -d <path of install images> bos.loc.utf.EN_US
```

With smitty

```bash
smitty install_all
# Press F4 to select the INPUT device / directory for software
# Press F4 to select the SOFTWARE to install
# Use the "/" key to search for the fileset name
```

Applying the locale

```bash
root@aixvm:> locale -a
C
POSIX
EN_US.UTF-8
EN_US
en_US.8859-15
en_US.IBM-858
en_US.ISO8859-1
en_US.UTF-8
en_US

root@aixvm:> chlang -m EN_US.UTF-8 EN_US.UTF-8
# Relogin
root@aixvm:> locale
LANG=EN_US.UTF-8
LC_COLLATE="EN_US.UTF-8"
LC_CTYPE="EN_US.UTF-8"
LC_MONETARY="EN_US.UTF-8"
LC_NUMERIC="EN_US.UTF-8"
LC_TIME="EN_US.UTF-8"
LC_MESSAGES="EN_US.UTF-8"
LC_ALL=
```