
AIX 管理技巧

Install package lsof

Where to download the lsof, bind, rsyslog, openssh, openssl, etc packages?

lsof_4.892.tar

tar xf lsof_4.892.tar
cd lsof_4.892
installp -acgXYd . lsof.base lsof.license lsof.man.en_US
lsof -v
tar xf lsof_4.892.tar
cd lsof_4.892
smitty installp

# Install Software 
# INPUT device / directory for software   [.]  << Input a dot
# SOFTWARE to install                     [_all_latest] << Esc + 4, Esc + 7
# ACCEPT new license agreements?          yes

User & Group
# Create a new user
mkuser admin="false" pgrp="staff" gecos="Test User" test3
mkuser admin="false" pgrp="staff" groups="sshusers" gecos="Test User" test3

# Remove a user (-p also removes the user's password and other authentication information)
rmuser -p <user-name>
Network

Check the interface

lsdev -Cc if
lsdev -Cc adapter
lscfg -vpl ent0
lsattr -El ent0
lsattr -El en0

Configure the network

# Set the ip/netmask/gateway
/usr/sbin/mktcpip -h'aixvm' -a'192.168.99.100' -m'255.255.255.0' -i'en0' -g'192.168.99.1' -A'no' -t'N/A'

# Set the DNS server address (this overwrites /etc/resolv.conf)
echo "nameserver 1.1.1.1" > /etc/resolv.conf

Check the port opened

netstat -Aan
資安相關指令
# Login Failed
who /etc/security/failedlogin | tail -50

# Check the number of previous unsuccessful logins for the account to confirm whether it is locked
lsuser -a account_locked unsuccessful_login_count {ALL|user_name}

# To check when a particular user's password was last changed
pwdadm -q {user_name}
lssec -f /etc/security/passwd -a lastupdate -s {user_name}
lsuser -a lastupdate {user_name}

## Convert the EPOCH-TIME
perl -le 'print scalar localtime $ARGV[0]' {epochtime}

# Reset the unsuccessful login counter
chsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s {user_name}

# Unlock the locked account
chuser account_locked=false {user_name}

# Lock account
chuser account_locked=true {user_name}

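# List the locked accounts (the sshd service account is excluded by user name).
# Ask lsuser for the account_locked attribute only: output is "name account_locked=<value>",
# so the filter matches the value field and the name field instead of any line that
# merely contains the text "sshd" somewhere in a user's attributes.
lsuser -a account_locked ALL | awk '$2 == "account_locked=true" && $1 != "sshd" { print $1 }'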

登入失敗後自動鎖定

  • 可指定帳號或全域設定
  • 注意:retry 的次數是累計制,登入成功一次,計數不會歸零
  • 解鎖方式是歸零登入失敗的計數
chuser loginretries=5 <username>
lsuser -a loginretries <username>
系統密碼算法

檢查目前系統設置: /etc/security/login.cfg,預設不會有 pwd_algorithm 這項

usw:         
			shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93         
			maxlogins = 32767         
			logintimeout = 60         
			maxroles = 8         
			auth_type = STD_AUTH         
			pwd_algorithm = ssha256

檢查系統有支援的密碼算法

    檢視檔案: /etc/security/pwdalg.cfg,預設有 smd5, ssha1, ssha256, ssha512 這幾項。

    變更密碼算法：執行以下指令（只影響之後設定的密碼；既有密碼的雜湊值不會自動轉換，需重新設定密碼後才會改用新算法）

    chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512

     

    Mount CD-ROM & ISO
    # Mount CD-ROM
    mount -V cdrfs -o ro /dev/cd0 /mnt
    
    # Mount/Umount ISO file
    loopmount -i aix61_dvd.iso -o "-V cdrfs -o ro" -m /mnt
    loopumount -l loop0 -m /mnt
    解封 HMC root
    Restrict which users are allowed to switch to root
    # Create a group sysadm
    mkgroup sysadm
    
    # Add the user1 that is allowed to su to root into the group sysadm
    chgrpmem -m + user1 sysadm 
    lsgroup sysadm
    
    chsec -f /etc/security/user -s root -a sugroups=sysadm
    # To reset to the default, set sugroups=ALL
    # Alternatively
    smitty user
    # Change / Show Characteristics of a User
    # User Name                              [root]
    # SU GROUPS                              [sysadm]
    
    Restricted Shell

    針對指定帳號限制登入後的預設 Shell 環境的執行權限

    教學:

    Default Shell:

    # Change the default shell for the user to the restricted shell such as rksh or Rsh.
    chuser shell=/usr/bin/rksh <user-name>
    # OR
    chsh <user-name> /usr/bin/rksh

    .profile:

    # Add the commands that the user is allowed to run into this directory (as symlinks).
    mkdir /usr/bin/restricted
    cd /usr/bin/restricted
    ln -s /usr/bin/date date
    
    # Create a .profile in the user's home directory and set the PATH environment variable to
    # the directory containing all of the commands you want the user to be able to run.
    # The user must not be able to write this .profile, otherwise PATH can simply be changed there.
    export PATH=/usr/bin/restricted
    Core dump
    # 解析 core file
    dbx -C ./core
    
    (dbx) corefile
    
    (dbx) dump
    
    (dbx) quit
    System dump

    errpt:

    67145A39 0413095315    U    S    SYSDUMP    SYSTEM DUMP

    Copy the dump from the dump device to a file using the savecore command:

    savecore  .

    Yes, the period is necessary: it tells savecore to copy the dump into your current directory.

    savecore will copy the dump to your current directory, and name it:

    vmcore.0.BZ

    Uncompress the dump using the dmpuncompress command:

    dmpuncompress  vmcore.0.BZ

    Lastly, format the dump:

    /usr/lib/ras/dmprtns/dmpfmt  -c  vmcore.0

    Reading a Dump

    kdb  vmcore.0  vmunix.0
    系統效能

    Memory - svmon

    # For a summary of the top 15 processes using memory on the system
    svmon -Pt15 | perl -e 'while(<>){print if($.==2||$&&&!$s++);$.=0 if(/^-+$/)}'
    -------------------------------------------------------------------------------
         Pid Command          Inuse      Pin     Pgsp  Virtual 64-bit Mthrd  16MB
    18547096 db2sysc        3956861    12944   282407  4007901      Y     Y     N
    19333470 db2sysc         690873    12944    26772   688572      Y     Y     N
    19726694 db2sysc         271696    12944     6198   287133      Y     Y     N
    13500914 db2sysc         263458    12943    18957   285159      Y     Y     N
     1966448 shlap64         109377    12900     3432   122071      Y     N     N
    13631924 db2vend         105589    12900      597   115784      Y     N     N
    19005734 db2sysc         105082    12902      409   114965      Y     Y     N
    20709798 db2sysc         105071    12900      409   114953      Y     N     N
    20119938 db2sysc         105071    12900      409   114953      Y     N     N
    20185458 db2sysc         105071    12900      408   114953      Y     N     N
    15597848 db2vend         104222    12900     1771   115608      Y     N     N
    21430722 db2sysc         103728    12900     1576   114777      Y     N     N
    21037528 db2sysc         103724    12902     1576   114773      Y     Y     N
    14025064 db2sysc         103696    12900     1608   114777      Y     N     N
    18350424 db2sysc         103696    12900     1608   114777      Y     N     N

    Sar

    如果出現 sar: 0551-201 Cannot open /var/adm/sa/sa09,修復請執行 sar -o /var/adm/sa/sa09 10
    # CPU
    sar -u 2 10
    
    # Memory
    sar -r 2 10
    
    # I/O
    sar -b 2 10

    iostat

    iostat 2 10
    Perl 應用

    快速檢查特定模組安裝

    perl -e "use LWP::UserAgent;"
    perl -e "use DBI;"

    HTTP GET request

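    use strict;
    use warnings;
    use LWP::UserAgent;

    # HTTP GET with custom headers: prints the response body on success,
    # otherwise the status code and reason phrase.
    my $ua = LWP::UserAgent->new;

    # NOTE: endpoint and token below are sample values. Load the real token from
    # the environment or a file instead of hard-coding it, and prefer an https://
    # endpoint -- over plain http:// the x-auth-token header is sent in clear.
    my $server_endpoint = "http://192.168.1.1:8000/service";

    # set custom HTTP request header fields
    my $req = HTTP::Request->new(GET => $server_endpoint);
    $req->header('content-type' => 'application/json');
    $req->header('x-auth-token' => 'kfksj48sdfj4jd9d');

    my $resp = $ua->request($req);
    if ($resp->is_success) {
        my $message = $resp->decoded_content;
        print "Received reply: $message\n";
    }
    else {
        print "HTTP GET error code: ", $resp->code, "\n";
        print "HTTP GET error message: ", $resp->message, "\n";
    }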

    HTTP POST request

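    use strict;
    use warnings;
    use LWP::UserAgent;

    # HTTP POST with a JSON body and custom headers: prints the response body on
    # success, otherwise the status code and reason phrase.
    my $ua = LWP::UserAgent->new;

    # NOTE: endpoint and token below are sample values. Load the real token from
    # the environment or a file instead of hard-coding it, and prefer an https://
    # endpoint -- over plain http:// the x-auth-token header is sent in clear.
    my $server_endpoint = "http://192.168.1.1:8000/service";

    # set custom HTTP request header fields
    my $req = HTTP::Request->new(POST => $server_endpoint);
    $req->header('content-type' => 'application/json');
    $req->header('x-auth-token' => 'kfksj48sdfj4jd9d');

    # add POST data to HTTP request body
    my $post_data = '{ "name": "Dan", "address": "NY" }';
    $req->content($post_data);

    my $resp = $ua->request($req);
    if ($resp->is_success) {
        my $message = $resp->decoded_content;
        print "Received reply: $message\n";
    }
    else {
        print "HTTP POST error code: ", $resp->code, "\n";
        print "HTTP POST error message: ", $resp->message, "\n";
    }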
    NFS
    # List NFS mount-points that were configured in /etc/filesystems
    root@aixvm:> lsnfsmnt -l
    Name            Nodename   Mount Pt               VFS   Size    Options    Auto Accounting
    /dataVol/aix_nfs fedoravm   /mnt/nfs               nfs   --      bg,hard,intr,retry=3,timeo=30,sec=sys yes  no
    開機磁區

    bootinfo

    # 目前開機磁區
    bootinfo -v
    
    # 目前開機磁碟
    bootinfo -b

    bosboot

    # 建立可開機的映像檔
    bosboot -ad hdisk0

    bootlist

    # 檢視 normal/service 模式的開機清單
    bootlist -m normal -o
    bootlist -m service -o
    
    # 設定 normal/service 模式的開機清單
    bootlist -m normal hdisk0 hdisk1
    bootlist -m service cd0 hdisk1
    System Information

    oslevel -s 

    7200-05-06-2320

    prtconf

    System Model: IBM pSeries (emulated by qemu)
    Machine Serial Number: Not Available
    Processor Type: PowerPC_POWER8
    Processor Implementation Mode: POWER 8
    Processor Version: PV_8_Compat
    Number Of Processors: 2
    Processor Clock Speed: 1000 MHz
    CPU Type: 64-bit
    Kernel Type: 64-bit
    LPAR Info: 0 aix_on_kvm
    Memory Size: 4096 MB
    Good Memory Size: 4096 MB
    Platform Firmware level: Not Available
    Firmware Version: SLOF,HEAD
    Console Login: enable
    Auto Restart: true
    Full Core: false
    NX Crypto Acceleration: Not Capable
    In-Core Crypto Acceleration: Capable, but not Enabled
    ...
    INSTALLED RESOURCE LIST
    
    The following resources are installed on the machine.
    +/- = Added or deleted from Resource List.
    *   = Diagnostic support not available.
    
      Model Architecture: chrp
      Model Implementation: Uni-Processor, PCI bus
    
    + sys0                                                     System Object
    + sysplanar0                                               System Planar
    * vio0                                                     Virtual I/O Bus
    * ent0                                                     Virtual I/O Ethernet Adapter (l-lan)
    * vsa0                                                     LPAR Virtual Serial Adapter
    * vty0                                                     Asynchronous Terminal
    * pci0                                                     PCI Bus
    * scsi0            qemu_virtio-scsi-pci:0000:00:02.0       Virtio SCSI Client Adapter (f41a0800)
    * hdisk4           qemu_virtio-scsi-pci:0000:00:02.0-LW_0  MPIO Other Virtio SCSI Disk Drive
    * hdisk5           qemu_virtio-scsi-pci:0000:00:02.0-LW_0  MPIO Other Virtio SCSI Disk Drive
    + L2cache0                                                 L2 Cache
    + mem0                                                     Memory
    + proc0                                                    Processor
    + proc1                                                    Processor

    lparstat -i 

    Node Name                                  : aixvm
    Partition Name                             : aix_on_kvm
    Partition Number                           : 0
    Type                                       : Shared
    Mode                                       : Capped
    Entitled Capacity                          : 2.00
    Partition Group-ID                         : 1
    Shared Pool ID                             : 1
    Online Virtual CPUs                        : 2
    Maximum Virtual CPUs                       : 2
    Minimum Virtual CPUs                       : 2
    Online Memory                              : 4096 MB
    Maximum Memory                             : 4096 MB
    Minimum Memory                             : 4096 MB
    Variable Capacity Weight                   : 128
    Minimum Capacity                           : 2.00
    ...

    uname -L 

    0 aix_on_kvm
    inittab 管理
    # List all items
    lsitab -a
    
    # Remove an item
    rmitab nim
    服務管理
    # List all services
    lssrc -a
    lssrc -a | grep active
    
    # Check the service inetd
    lssrc -s inetd
    lssrc -ls inetd
    
    # Start/Reload/Stop the service
    startsrc -s xntpd
    refresh -s xntpd
    stopsrc -s xntpd
    LPAR Check
    # Lists details on the LPAR configuration
    lparstat -i
    UAK Check (Update Access Key)
    # Check UAK (Update Access Key) Expiration
    lparstat -u
    UTF-8 locales

    Check the current locale environment variables.

    root@aixvm:> locale
    LANG=en_US
    LC_COLLATE="en_US"
    LC_CTYPE="en_US"
    LC_MONETARY="en_US"
    LC_NUMERIC="en_US"
    LC_TIME="en_US"
    LC_MESSAGES="en_US"
    LC_ALL=
    
    root@aixvm:> locale -a
    C
    POSIX
    en_US.8859-15
    en_US.IBM-858
    en_US.ISO8859-1
    en_US
    
    
    root@aixvm:> lslpp -L bos.loc.*
      Fileset                      Level  State  Type  Description (Uninstaller)
      ----------------------------------------------------------------------------
      bos.loc.iso.en_US          7.2.5.0    A     F    Base System Locale ISO Code
                                                       Set - U.S. English

    Install the file set for en_US.UTF-8 from AIX Installer ISO

    • file set: bos.loc.utf.EN_US
    installp -qaXgY -d <path of install images> bos.loc.utf.EN_US

    With smitty

    smitty install_all
    # Press F4 to select the INPUT device / directory for software    
    #  Press F4 to select the  SOFTWARE to install      
    #  Use the    "/" key to search for the fileset name   

    Applying the locale

    root@aixvm:> locale -a
    C
    POSIX
    EN_US.UTF-8
    EN_US
    en_US.8859-15
    en_US.IBM-858
    en_US.ISO8859-1
    en_US.UTF-8
    en_US
    
    root@aixvm:> chlang -m EN_US.UTF-8 EN_US.UTF-8
    # Relogin
    root@aixvm:> locale
    LANG=EN_US.UTF-8
    LC_COLLATE="EN_US.UTF-8"
    LC_CTYPE="EN_US.UTF-8"
    LC_MONETARY="EN_US.UTF-8"
    LC_NUMERIC="EN_US.UTF-8"
    LC_TIME="EN_US.UTF-8"
    LC_MESSAGES="EN_US.UTF-8"
    LC_ALL=