Floodgap ANSwers: The AIX on ANS FAQ

Working knowledge of Unix is assumed!

• What's it like using AIX on the ANS?

  Pretty much like AIX 4 on anything else, except for the low-level system changes I talk about below. You can see some screenshots of AIX CDE grabbed directly on an ANS 500.

• What versions of AIX does the ANS support?

  Only 4.1.4 (4.1.4.0 and 4.1.4.1) and 4.1.5, and then only Apple-branded versions at that (so-called "Harpoon" AIX, after the operating system software's codename). If you have an IBM CD, it will not boot from it, and you probably should not try to install smit packages off it either. (If you don't know what smit is, read on.)

  IBM support for Apple ANS AIX is non-existent, and many BOS patches may kill! your installation. The only OS upgrade you can do is the Apple-branded CD to 4.1.5. At that point, there are only a few IBM-distributed OS patches you can safely apply -- though some userland hotfixes may still work, anything modifying the Base runtime is cruising for trouble. You're better off patching the operating system manually, which we will explain presently.

  At least one site (and our MacUser Review) makes reference to an AIX 4.1.2, but this appears to have only been used with pre-release models. I have also encountered an alleged copy of AIX 4.1.6 for the ANS, but sadly it is actually just a mislabeled 4.1.5.

• What's the difference between regular AIX 4.1 and ANS AIX?

  The differences are primarily at the low hardware-access level for handling OpenFirmware and dealing with the hardware differences in the Shiner architecture, along with some software emulation code for imitating different CPUs. However, at the higher levels, like libraries, programming and so on, ANS AIX is merely a highly compatible superset of standard IBM AIX, virtually identical but with value-added support for Macintosh clients and AppleTalk, and various ANS-specific utilities.

  So, this leads to the next question ...

• What AIX systems is ANS AIX compatible with?

  ANS AIX is binary-compatible with most 4.1.x RS/6000 AIX applications, and most applications before that (including 3.2.5). In fact, so far I've yet to find one that isn't.

  The situations that will get you in trouble are applications that use the POWER chipset or POWER2 architecture, which are not fully supported by the ANS (some instructions are emulated in software, but not all); and any IBM applications that depend on the presence of MicroChannel bus architecture, since the ANS is 100% PCI. Frankly, these situations are exceedingly uncommon. However, the thing that could likely burn people is drivers that do not cooperate with OpenFirmware -- this is something to watch out for when installing new hardware. See the main ANS FAQ.

• Should I upgrade to 4.1.5?

  YES!!

  Versions prior to 4.1.5 were affected by a nasty bug that caused a memory leak in the TCP sockets library. On very busy systems (such as my production ANS), this could cause you to insidiously run out of memory and ultimately out of swap -- AIX would try to save itself by killing off idle processes, but eventually would kernel panic. 4.1.5 does not have this problem.

  In addition, 4.1.5 is also a prerequisite for some software packages (in particular Ultimedia and some pre-compiled offerings), and also has several security upgrades including fixes for ping of death and SYN flood DoS. There are still some important security holes in 4.1.5 -- if you're in a hostile network environment, read the pertinent questions to securing your AIX ANS before putting one outside unprotected.

  Remember, you can only install Apple-branded AIX 4.1.5. IBM-branded 4.1.5 won't work, and may ruin your installation! The update was distributed as both a non-bootable upgrade CD and a bootable full system install; the latter is strongly preferred.

  You can read the complete 4.1.5 readme.

• Are there any other updates? (Related question: What happened to ftp.fixdist.apple.com?)

  There were (on ftp.fixdist.apple.com), but that server doesn't exist anymore, and IBM's support of 4.1.x is now very sparse also for the few APARs that could work on the ANS. In short, you'll be rolling your own.

• Is ANS AIX Y2K compliant?

  AIX 4.1 is technically not, but it only affects a few obscure utilities. I have not personally experienced any difficulty with my unit, and it has run flawlessly before and after. Despite any temptations you may have, DO NOT attempt to install the IBM AIX Y2K patches; you will corrupt your boot image and AIX will not start! (Don't ask me how I know this!)

  Of course, since the date on AIX is a 32-bit integer, there is a Y2038 problem. Such is life.

• Where can I get AIX software? (Related question: How do I get a C compiler?)

  You can thank IBM for their bone-headed licensing that gives you only cpp out of the box. Fortunately, for some period of time kind folks made AIX-installable binary packages of popular open-source utilities, and many of these would run on the Network Server. The biggest of these was AIXPDSLIB (r.i.p.), now decommissioned, formerly at the University of California Los Angeles. We host a limited mirror of some of these packages (see the Software page), including gcc so you can roll your own stuff. Note that the last version of gcc they had available for 4.1.x is 2.95.2.

  Most of the software I ran on this box was from AIXPDSLIB. You can use any of the executables offered for 3.2.5 and 4.1. Typically, to install one of these binary packages, you need to do the following steps:

  1. Download it. We offer our files over Gopher; until you get something like lynx installed, or you trust your network enough to run CDE and netscape, just grab it on something else and then use regular shell ftp to move it to your ANS (see the TCP/IP configuration question).

  2. su to root and move the file to the root directory /.

  3. uncompress the archive using uncompress(1). Both tar and uncompress are standard parts of AIX.

  4. tar tvf the remaining tarchive to look at its contents. These archives like to extract into ./usr/local (note the relative directory specification, which is why you need to be in /). Make sure that directory exists, including /usr/local/bin, /usr/local/man/man1 and any other dependent directories. On my systems, to make it easier for man to find manual pages, /usr/local/man is just a symlink to /usr/share/man. You can also use the MANPATH environment variable for a similar effect; read man catman for info.

  5. tar xpf the tarchive to extract it (yes, you need to use -p because of custom permissions some files require). Examine and adjust ownership on the executables and/or shared libraries it unpacks, if necessary.

  6. Run catman -w to update your whatis database, if you desire.

  7. Exit your root shell.

  Suggestions to install: lynx, gzip, tcsh, bash, bind, netcat, tcp_wrappers, bzip2, lsof, zip/unzip, perl, gcc/egcs, bison, (g)make, python, patch, ...

• Help! I have to boot from the AIX CD!

  Calm down; it's really easy. Make sure the AIX CD is in the CD-ROM drive, shut down as gracefully as you can, turn the front key switch to the leftmost position, and turn the server back on. The ANS will seek out the CD, and start AIX from there. Follow the prompts.

• What are those three digit numbers that flash on the ANS LCD while AIX loads? (Related question: Does the LCD screen do anything useful?)

  Besides being the hardware bootstrap monitor, the LCD also acts as a window onto the AIX bootloader, displaying mysterious three-digit code numbers as the loader configures hardware and filesystems. These numbers are codes representing the stage the bootloader is at, and can be found in any AIX reference manual, or see Apple tech note #24450 (a/k/a TA37399). You need only panic about these numbers if one starts flashing or halting (although some may hang around for some minutes, like 868, so have a little patience). You can write your own messages to the LCD; scroll down to the very end for how.

• How do I boot in maintenance mode?

  Boot from the AIX CD as above. Once you have defined the local console (almost always the monitor and ADB keyboard), from the Installation and Maintenance menu choose Start maintenance mode for system recovery, Access a Root Volume Group, choose your rootvg (on this system there's only one), choose your file system (probably /), and then Mount File System and Start Shell. You will have a root shell available to enter commands.

  You don't need to be in maintenance mode for most tasks, however, as smit will run just fine with the system up in normal operation.

• What's smit?

  smit is the System Management Interface Tool, a very helpful and effective way of doing system tasks. It works at both command line and X11, and delivers easy-to-follow and friendly (well, as friendly as system maintenance gets) methods of getting what you want done, done. Use it. As we say in the biz^tm, "smit happens."

  Most of this FAQ deals with talking to smit in some form or another. Modifying system files directly can be injurious to AIX's health, since it keeps an object database on hand as well for some items. Since smit keeps these in sync, better safe than sorry.

  To start smit, simply type smit. You will have to be root for most, if not all, operations. If you're in CDE, you get a nice GUI, but even at the TTY it's very user-friendly.

  Getting around in smit:

  • The arrow keys move you around from menu option to menu option.

  • Don't press ENTER until you're done with a screen!

  • If a '+' sign appears to the right, this represents a "drop down" menu. Press F4 to see your choices, use the arrow keys to pick one, and press ENTER to select it. (If your terminal program sends an F4 sequence that AIX doesn't like, an equivalent is to quickly press ESC and then 4. Don't hold down ESC; they are separate keypresses.)
  • If a response to a question is in braces "[" "]", this represents a text field. It will stretch to accommodate your response (use spaces to erase portions and they will be filtered out later).
  • If a response has neither, it is a default response you can't change.

  • When you're done selecting options, press ENTER to execute the action. You will see the output of the commands smit runs to implement your selection and can scroll through it with the arrow keys.

  • To cancel out of a screen at any time, or to back up when finished with viewing the output of an action, press F3. To quit smit altogether, press F10. (You can also quickly press ESC and then 3.)

• I'm missing some stuff I think should have been installed, and I want to install some new stuff, too. How?

  You will need the AIX CD for this. A very lucky few of you might already have the images on the HD. I don't. Insert the CD; you don't have to have it mounted.

  1. Start smit as root and go to Software Installation and Maintenance, Install and Update Software, Install/Update Selectable Software (Custom Install), Install Software Products at Latest Level, Install New Software Products at Latest Level. (Whew!)

  2. For the input device, press F4 for the list and select /dev/cd0. Press ENTER.

  3. Under SOFTWARE to install, press F4 for the list of available packages (there are more than you think!). A list of available packages appears. You are not given access to packages you don't have a license for (curse IBM), but fortunately there's plenty of free stuff on the CD to play with. Scroll about and select the packages you want with F7. (Already installed packages have an @ (at) sign.) Press ENTER when done.

  4. Adjust all the other options to your liking by entering yes or no, or pressing F4 to pick from the list.

  5. Press ENTER to begin the process. For a select few packages, a reboot may be necessary.

  6. Press F10 to exit smit or F3 to back up a level or two.

• I need to make /usr (etc.) bigger to install this hot stuff!

  This is an AIX-general question, but here's a short answer for enlarging a JFS logical volume (LV) on the default ANS hard disk. One of JFS' cool tricks is that it has soft partitions, allowing you to enlarge them without repartitioning or losing data. (You can also use the Mac OS Disk Administration utility, which may be easier. I'm not going to demonstrate that here.) Please note, if you are an AIX god, that later AIX versions may streamline this process considerably over AIX 4.1.

  1. If you don't know what filesystem corresponds to which logical volume, do a quick df before we start and save it somewhere. This will also show you the number of 512-blocks already occupied and the percentage in use.

  2. Start smit as root and go to System Storage Management, Logical Volume Manager.

  3. Get the partition size and number of physical partitions (PPs) available from Physical Volumes, List Contents of a Physical Volume. Select the physical volume, indicating the disk (almost always hdisk0; press F4 for a list if you're not sure), and status. Press ENTER/RETURN. The result looks something like this:

     PHYSICAL VOLUME:    hdisk0                   VOLUME GROUP:     rootvg
     PV IDENTIFIER:      003acfa285a5f96b         VG IDENTIFIER     003acfa2a1176b86
     PV STATE:           active
     STALE PARTITIONS:   0                        ALLOCATABLE:      yes
     PP SIZE:            32 megabyte(s)           LOGICAL VOLUMES:  9
     TOTAL PPs:          544 (17408 megabytes)    VG DESCRIPTORS:   2
     FREE PPs:           74 (2368 megabytes)
     USED PPs:           470 (15040 megabytes)
     FREE DISTRIBUTION:  01..73..00..00..00
     USED DISTRIBUTION:  108..36..108..109..109
     

     This particular physical volume thus has a 32MB PP size and has 74 PPs free. The PP size varies based on the total size of your physical SCSI disk. Write these numbers down!

  4. Back up to the Logical Volume Manager menu with F3 twice and go to Logical Volues, Set Characteristic of a Logical Volume, Increase the Size of a Logical Volume. Select the logical volume, using F4 for a list if necessary, and enter the number of additional logical partitions (LPs) to add (do not enter more LPs than you have free! what are you, the federal government?!). For this purpose we will assume that PPs and LPs are equivalent, which is usually true. If we entered two, in this example, we would increase the selected logical volume by 64MB. Press ENTER/RETURN and wait for it to complete. Write down the new total!

  5. Now we need to enlarge the filesystem as well. When complete, back up to System Storage Management and go to File Systems, Add / Change / Show / Delete File Systems, Journaled File Systems, Change / Show Characteristics of a Journaled File System. Select the filesystem this time and enter its new size in 512-blocks. Yes, you will have to do the math yourself! Take the new total number of LPs and multiply it by the PP size to get the size of the logical volume in megabytes. Convert megabytes to bytes (multiply by 1,048,576) and divide by 512 for the block size. Check your math! Cross your fingers, press ENTER/RETURN and wait for it to complete.

  6. Assuming your machine didn't explode, press F10 to exit smit and run df again to see that the total changed as you expected.

  There is no similar method for shrinking a filesystem, unfortunately, so increase only as you need to up to the space you actually require.

• How do I configure paging/swap space? (Related question: How much swap do I need?)

  Particularly if you are on AIX 4.1.4, you should have ample swap (at least three times physical RAM) because of the TCP memory leak, and you should always have at least twice physical RAM on any Network Server running any version of AIX. You can see the space available with lsps -a; there should be a single logical volume, usually hd6.

  You can add additional paging spaces, but the easiest way is simply to enlarge the existing paging LV. smit has a special dedicated means of doing so: System Storage Management, Logical Volume Manager, Paging Space, Change / Show Characteristics of a Paging Space, pick the paging space (usually hd6), and then enter the additional number of logical partitions to add. Alternatively, since the paging space is just a logical volume, you can use the same steps above but skipping the step for enlarging the filesystem, since there isn't one.

• AIX 4 gets daylight savings wrong.

  If you are in the United States, AIX 4 predates the 2007 daylight savings change and will get the time incorrect at certain parts of the year in some timezones. Fortunately you can hint the operating system with the TZ environment variable and an extra string. For Pacific timezone, which is where I am, I use PST8PDT,M3.2.0,M11.1.0 to tell it I'm on Pacific time, I use daylight savings, and I go off it on the second week of March and on it the first week of November. Adjust this for your own locale or timezone and put it into /etc/environment like so: TZ=PST8PDT,M3.2.0,M11.1.0

• How do I configure TCP/IP?

  This is an AIX-general question, but here's a short answer for a single network interface.

  1. Start smit as root and go to Communications Applications and Services, TCP/IP, Minimum Configuration and Startup.

  2. Select your desired network interface, which is normally en0 (the AAUI port).

  3. Configure your hostname, address, netmask, name server, gateway and media "CABLE" type (if applicable -- usually N/A is fine unless for some reason you are not using Cat5 cable of some kind). Use the arrow keys to move up and down from option to option, and simply type to change the default or previous responses (if any) in place. Don't hit ENTER yet!

  4. In the START Now box, press F4 for the list, and select Yes by pressing ENTER.

  5. Press ENTER again to run configuration, and F10 to exit smit if successful.

• Does ANS AIX support IPv6?

  No. AIX did not support IPv6 until AIX 5L.

• How do I configure AppleTalk? (Related question: Can I use AppleTalk to mount my ANS on my desktop Mac?)

  ANS AIX includes an AppleTalk stack, but it's not too useful out of the box as it does not include AFP support for file sharing. (We'll get to "AFP over TCP" in a moment.) The CD bundle that came with the ANS included a miniature version of the uShare AFP server, but speaking from personal experience it was clunky and an absolute pain to administer. ANS AppleTalk can also be used for printer sharing and AppleTalk routing, but these tasks are usually better handled by any number of hardware routers, most of which can be found very easily on the used market. Furthermore, in this age of OS 9 and now X, old-style non-TCP EtherTalk is just about non-existent.

  Nevertheless, if you want to explore its functions, you can access the AppleTalk smit menu under Communications Applications and Services, AppleTalk.

  The AppleTalk stack can also be used to remotely administer the ANS and use its resources for applications; see the Mac OS Services page for information. However, there is no administrative task it does that cannot be accomplished at the command line, and in my estimation it merely represents one more potential point of remote entry (albeit one requiring some skill to successfully manipulate, but possible). Your risk declines if you bind it to a trusted interface only, but weigh that risk carefully. In this day and age it is best considered a curiosity.

  ANS AIX 4.1.5 does include AFP over TCP support, but you must still run the main stack for it to be active, and it has limited configuration ability as far as ports it will bind, or permissions any more granular than what AIX already offers. Again, you should also be very careful that it does not bind an interface connected to a WAN, since it could easily route into the hands of naughty folks. Its configuration panel is located under ... AppleTalk, AppleTalk Advanced Features, Configure AFP over TCP.

  A better way to share files from your ANS might be to ditch AppleTalk altogether, especially if you are running Mac OS X where there are plenty of alternative file sharing methods, or (sigh) Windows. In particular, samba should be compatible with both, and is well-known, fairly well documented and still supported. AIXPDSLIB offers an older version for download, but newer versions should still compile without much work. As with AFP over TCP support, you would be well advised to make sure it doesn't bind a WAN interface either.

• Can I run X11 or AIXwindows?

  Although it only supports X11R5, ANS AIX's AIXwindows implementation comes with Common Desktop Enviroment, which IMHO is much more congenial than GNOME or KDE. It's also trés slicko. It's also trés insecure and has several known exploits. Run only in a test network or a 100% trusted and completely secured environment.

  1. First make sure that everything that needs to be installed for it, is. In general, a default install of ANS AIX should have the required libraries and executables already there, but make sure that everything under X11.motif, X11.Dt, X11.apps, and X11.base, and at least some fonts under X11.fnt, are installed. If not, install them now. You can, of course, install the entire X11.* set if you like -- setting up InfoExplorer would probably be a good idea, for example.

  2. In smit, go to System Environments, Select System User Interface. Press F4 for the list and select AIXwindows Desktop Environment.

  3. You could reboot now, but odds are the resolution is not the way you want it. Back on up to the first smit menu with F3, and select Devices, Graphic Displays, Select the Display Resolution and Refresh Rate. Select gda0 from the list.

  4. Press F4 to select your new screen resolution and refresh rate. All options are 8-bit colour depth only. Press ENTER to select it, and then press ENTER again to make the change.

  5. Exit smit with F10 and reboot the system with reboot. On startup, you will receive a CDE login screen instead.

• Wait, CDE expects three buttons but my ADB mouse has just one!

  Use the left and right arrow keys while simultaneously clicking the mouse button.

• How can I take a screenshot?

  AIX 4 comes with xwd. Most of the time you will want to do something like xwd -screen -root -out out.xwd, which will dump the entire screen to out.xwd (use xwd -icmap ... if you're trying to capture a game screen that is using a different X colourmap). A tool like GIMP or xv can open the resulting image, or you can use ImageMagick or Netpbm to convert it.

  You can see some examples of the results in our CDE screenshots.

• Can I upgrade X11 to X11R6?

  It's certainly possible to compile new X11 libraries, but there's no easy install that I know of. I never bothered to do this since my machine does not usually run CDE.

• I've heard of these cool games for AIX. Can I play them on an ANS? (Related question: Is the ANS compatible with Ultimedia?)

  Yes! ANS AIX 4.1.5 is more-or-less compatible with Ultimedia, IBM's relatively short-lived AIX multimedia platform. The smit packages from LCD4-0254-02 are known to be compatible (software product identifiers 5765-634 or 5765-393). This CD is labeled "Value Option for AIX 4.1.5" and is an IBM product. It may be the same as Ultimedia Services/6000 for AIX. Note that some of the utilities such as the video capture require hardware that was never available for the ANS, but the game updates should work with the exception of audio. Install them as you would any other smit package.

  Once Ultimedia is installed, you can then download the games from our Gopher server. IBM only ported two to AIX 4.1, namely id Software's Quake and Crack dot Com's Abuse. The versions offered are just the demo versions; you will still need full game files to play the full game (I used the Mac Quake retail package). Again, there is no sound. Because they require 256 colours, they will mess up the colours of other running CDE applications until you quit. I do not recommend full-screen or high resolutions as even a 200MHz ANS will not handle that well.

  Quake does allegedly have a non-Ultimedia build; see the documentation. Since I have an Ultimedia disc, I have never tried it. It may not run as well.

  CDE is definitely required, so you must have that installed and running. I don't know if Ultimedia works with AIX 4.1.4.1 and installing it may mess up your operating system; you really should upgrade to 4.1.5 first.

  The third and final game IBM ported was Quake 2, but it requires AIX 4.3 and won't run on the ANS. Ultimedia was ultimately (ahem) cancelled with the arrival of AIX 5L.

• How do I secure my box from attackers? (Related question: Is there a rootkit for my ANS running AIX?)

  No system is secure, and old code doubly so. Nevertheless, with a little work, you can get your AIX ANS system to production security standards. Based on my experiences since 1998 with my stable of Network Servers, I've compiled a fairly rigourous pathway for doing just that -- note most of these apply to securing any system, of course.

  Please note that even with this insurance, your system may still have theoretical vulnerabilities or vulnerabilities that are lurking but not yet apparent. While PPC AIX is not a big target, there are exploits in the wild for it, and I've had (alarmingly good) success with rootkits before. This seals most of the exploits I'm aware of and have personally managed to crack open, but any system you put out on an open network has the possibility of being 0wn3d, and if you choose to follow my guidelines, you do so at your own risk.

  1. If you're trying to secure a system that's already been tainted or in an environment where it could have been tainted, don't take chances. Unplug the LAN, boot off the CD, and wipe the hard drive for a full reinstall.

  2. Install 4.1.5 if you can get it -- a number of holes will disappear the minute you do this, and some can't be closed any other way.

  3. Purge the number of usernames valid for login down to a bare minimum. AIX adds a lot of chaff to /etc/passwd and /etc/security/passwd that can be edited and thrown away. This is particularly important as a number of attacks on AIX 4 can be accomplished by a local user, and not all of these attacks can be prevented (particularly on 4.1.4). No, I will not give out rootkits and don't E-mail me to request a rootkit. If you want one, I'm sure you can find one if you truly have a white hat.

  4. DO NOT RUN CDE or X. Unless you're in a very friendly network environment, you're absolutely asking for trouble, as there are numerous well-known remotely exploitable vulnerabilities in this version.

  5. Disable AppleTalk in smit (under Communications Applications and Services, AppleTalk, Stop AppleTalk and choose "now") unless you absolutely must have it on, as some administration features can be accessed over AppleTalk and thereby cause it to be another method of remote attack (in particular if you have only a single interface). If you must run AFP over TCP, be sure it binds a trusted interface and not a WAN.

  6. Go through /etc/inetd.conf and comment out everything. Then, go back and uncomment what you need to run, and run as little as possible. Very few people, for example, need to be running things like rexecd or uucpd. But, as you're doing that and enabling the services you *do* need to run, remember this next point: ...

  7. Out of the box, a large number of the network services AIX provides are vulnerable to some sort of remote exploit or denial of service attack. If you must run them, you will need to replace the AIX 4.1.x default talkd (4.1.5 fixes the original bug but it may still have other vulnerabilities), rlogind, sendmail, named, telnetd and ftpd with new versions or with equivalent applications. If this is not possible, either disable them or filter access to their ports to allow only trusted hosts to connect to them. A crude sort of TCP wrapper might also be an option, or you can get tcp_wrappers from AIXPDSLIB. You could also install xinetd in place of inetd and only bind the vulnerable services to an internal interface, if you have multiple NICs.

  8. Edit /etc/rc.tcpip next. Comment out any daemons you don't need. Usually, this means commenting out any of the lines beginning with the word start except for those referencing inetd and (maybe) sendmail, unless you're desperate for the other services started in that file. However, just about all of them are expendable, and in particular make sure to disable syslogd -- not only is this version fairly useless, but it's also painfully easy to spoof.

  9. Reboot your server. Now, install lsof (AIXPDSLIB has it) and look at what programs are left and which ones are listening to what sockets. You should not disturb these processes (they're innocuous and/or critical for function): /usr/sbin/syncd /usr/sbin/errdemon /usr/lpp/diagnostics/bin/diagd /usr/sbin/uprintfd /etc/init swapper kproc Other daemons, such as /usr/sbin/cron, may be expendable at your option. If you see sockets open that you're concerned about, or processes you would rather not be running, track down those applications and (blunt instrument method) chmod -x those files, or (surgical strike method) find the /etc/* file that kicked them off. Once you've cleaned up, consider rebooting again just to make sure things stay clean.

  10. Install some sort of ssh2 daemon and use that for all your logins. Unfortunately, AIXPDSLIB does not carry OpenSSH or F-Secure SSH, but you should be able to compile one or the other (I've heard more success from those trying to build F-Secure, if you're not sure which you like better). Stick it on a weird port number if you're really paranoid. To get it to autostart, either write it into /etc/rc.tcpip, or run it in inetd mode from /etc/inetd.conf.

  11. Some AIX programs have very promiscuous setuid bits by default (and IMHO have no business being run by anyone other than root if privileges are needed anyway) and have been popular targets of local exploits. An easy workaround is to run chmod -s on the following: /bin/host /usr/bin/host (may be symlinked or identical) /usr/sbin/mount /usr/sbin/lchangelv /usr/sbin/lquerylv and the following X11 apps, if you have X11 installed against my advice: /usr/dt/bin/dtaction /usr/dt/bin/dtterm /usr/bin/X11/xdat /usr/bin/X11/xlock

  12. Certain userland applications should just be totally disabled due to otherwise unpatchable vulnerabilities. chmod 600 the following: /usr/bin/vacation (If you really need vacation, install something like procmail and make an equivalent, or use the vacation that comes with most new versions of sendmail.)

  13. Disable smurfing attacks by turning off responses to broadcast pings. It should be disabled by default; check with /etc/no -o bcastping. If for some horrible reason it is on, run /etc/no -o bcastping=0 as root.

      Also, while we're on the subject, consider /etc/no -o clean_partial_conns=1 to help further protect against SYN attacks.

  14. Ensure that all third-party applications and executables are at their maximal patch level.

  15. Now that your system is clamped down as much as possible, keep it that way. Install some sort of monitoring utility to watch critical system files to ensure they are not being modified in secret (in particular the password files, major filesystem and file utilities, and network daemons). I wrote up my own custom job, but AIXPDSLIB offers the popular watcher tool, and there is also Tripwire if you want to compile and use that. It's normal for /etc/inittab to be modified during bootup, but nothing else should be changing unless someone (you?) is actively changing it. A cron job to spit out df -k and lsof will keep you abreast of strange use of disk space or processes suddenly listening on odd ports.

  16. Be careful out there.

• What tips and tricks do you have?

  Why, quite a few!

  • Write a message to the LCD screen: /usr/sbin/lcdstring "your message" (you must be root). A useful cron job I have running simply passes uptime to lcdstring every minute so that I have a continuous uptime display on the LCD (i.e., /usr/sbin/lcdstring "`/usr/bin/uptime`").

  • Improve your availability (if not your uptime): Have a cron job to reboot your ANS every two to four weeks. While 4.1.5 has much less memory leakage than 4.1.4, it is still subject to cruft accrual eventually (typically after hundreds of days of uptime, but still!). Your uptime will suffer from the occasional reboots, but the system will have better availability as it will be much less likely to unexpectedly freak out from a low memory situation progressing into a low swap panic.

  • Eject a floppy disk from the drive: It's a Mac, after all, so it has software eject control. /usr/sbin/fdeject (run as root)