Adams Systems Consultancy (Posts about AIX)

SAN LUNs in SMS

Russell Adams — Thu, 12 May 2022 11:33:24 GMT

I previously discussed how important it is to verify LUN IDs before writing over them in AIX. What about before AIX is booted in SMS? How can you verify your LUNs in SMS?

Properly identifying SAN LUNs

Russell Adams — Tue, 22 Mar 2022 19:30:26 GMT

I frequently work in large SAN environments, and I always want to verify the identity of any SAN disks (LUNs) which I receive before I write data to them. The rule is trust but verify, as it is disastrous to accidentally overwrite critical data in a shared storage environment.

Generating Passwords

Russell Adams — Tue, 16 Feb 2021 11:37:16 GMT

I've recently been using hash generated passwords with customers as a more secure alternative to weak "default" passwords.

Using a Yubikey for AIX SSH login

Russell Adams — Fri, 15 Jan 2021 14:05:57 GMT

Yubikeys offer a highly secure method for managing your SSH key for logging into AIX. SSH keys are much stronger than passwords, but like passwords they must be protected. A Yubikey provides a superior method to securely store SSH private key material in a physical token and can mitigate common attacks on SSH agents.

Using SSH instead of su and sudo

Russell Adams — Tue, 29 Dec 2020 12:10:19 GMT

There are several ways to become root or another user in AIX. The most common is via su, and the second is via the open source sudo program. I recommend a third method, SSH to localhost.

AIX SFTP Best Practices

Russell Adams — Tue, 29 Dec 2020 11:30:59 GMT

SFTP is a functional part of SSH which replaces the behavior of FTP in a secure fashion. This is great on AIX for transferring files, batch job uploads and downloads, and much more secure using SSL on the wire and with a variety of authentication options.

Unfortunately when left in the default configuration, the SSH server on AIX allows all users to use SFTP to access any files on the system (subject to filesystem permissions). It's common to see my customers be surprised when an unprivileged application account can SFTP in with WINSCP and browse their entire systems.

AIX SSH Best Practices

Russell Adams — Tue, 22 Dec 2020 20:31:08 GMT

In recent years insecure and unencrypted protocols have been deprecated because they pose an unacceptable security risk on any network.

For daily usage systems administrators should use SSH to connect to AIX. SSH is encrypted on the wire and supports additional options for using secure keys instead of simple passwords. It completely replaces telnet and ftp, and all of the rsh tools.

IBM ships and supports their own OpenSSH compiled for AIX. I intend to review settings which should be configured in order to be secure.

AIX User Security Best Practices

Russell Adams — Tue, 22 Dec 2020 19:09:11 GMT

Did you know that the original AIX crypt implementation [1] only allows 8 character passwords? That's really unacceptable by today's standards. AIX now supports several modern hashing algorithms for password storage and default crypt should no longer be used.

I recommend using SHA512, which is the strongest currently supported. With SHA512 password hashing, passwords up to 255 characters long are supported. That means your important root password should now be 32 characters long or more!

Working with Snap files

Russell Adams — Thu, 26 May 2016 14:34:19 GMT

I frequently work with customer systems where I need a systems inventory. This could be for troubleshooting or just to save the final state of a system for later reference.

I have worked with many consultants who have an inventory script they give customers but I have found that I prefer to use the tools native to the platform when they are available. On AIX I use IBM's native snap command. If you've ever been on the phone with IBM support before, you know they barely wait to ask your name before they ask for you to upload a snap.

IBM has created an excellent tool for troubleshooting AIX in the snap utility which is distributed as part of the OS. In my experience it captures about 90% of what I need to know about a system, including:

Installed software

Devices and attributes

LVM details and disk layout

Network statistics and configuration data

Rather than ask a customer to run commands for me and capture the output, or ask them to run a script from an untrusted source as root on their production server, I always ask for a snap.