unixadmin.free.fr Handy Unix Plumbing Tips and Tricks

11 Apr 2014

AIX OpenSSL Heartbleed Vulnerability CVE-2014-0160

Title: Security Bulletin: AIX is affected by a vulnerability in OpenSSL (CVE-2014-0160)

Summary: A security vulnerability has been discovered in OpenSSL.

Vulnerability Details

CVE-ID: CVE-2014-0160

DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to read up to 64 KB of process memory per heartbeat request and, by repeating the request, retrieve private keys. The vulnerability can be exploited remotely, authentication is not required and the exploit is not complex. An exploit affects confidentiality, but not integrity or availability.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Warning: We strongly encourage you to take action as soon as possible as potential implications to your environment may be more serious than indicated by the CVSS score.
Affected Products and Versions
OpenSSL version 1.0.1.500 and above in the following AIX/VIOS releases:
AIX: 5.3, 6.1, 7.1 and VIOS 2.2.3.*

Remediation/Fixes

Product: AIX 5.3, 6.1, 7.1, VIOS 2.2.3.*
Affected fileset: OpenSSL versions greater than or equal to 1.0.1.500
APAR: N/A
Remediation / First Fix: ftp://aix.software.ibm.com/aix/efixes/security/openssl_ifix7.tar
(ifix: 0160_ifix.140409.epkg.Z)

This ifix disables the OpenSSL heartbeat option by compiling with
-DOPENSSL_NO_HEARTBEATS.

Note: AIX OpenSSL v0.9.8.xxxx and 12.9.8.xxxx are not vulnerable to this security vulnerability.

After applying the fix, additional instructions are needed for CVE-2014-0160

1) Replace your SSL Certificates.
You need to revoke the existing certificates and reissue new ones. Do not generate the new certificates from the old private key: any key that lived in the memory of a vulnerable process must be treated as disclosed. Create a new private key (e.g. with "openssl genrsa") and use that new key to create the new certificate signing request (CSR).

2) Reset User Credentials
Users of network-facing applications protected by a vulnerable version of OpenSSL should be forced to reset their passwords. Revoke any authentication or session cookies issued before OpenSSL was upgraded and force the users to re-authenticate.

Warning: Your environment may require additional fixes for other products, including non-IBM products. Please replace the SSL certificates and reset the user credentials after applying the necessary fixes to your environment.

Workarounds and Mitigations
None known
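Two checks that follow from the bulletin, written as an added shell example (not IBM's code): whether an openssl.base fileset level falls in the range the bulletin lists as affected, and, for step 1 above, whether a re-issued certificate really carries a new key rather than the old one (RSA modulus comparison with the openssl CLI). The lslpp output is a constructed sample; the function names, and the assumption that the ifix leaves the fileset level unchanged (so `emgr -l` is still needed to confirm the ifix is installed), are this example's own.

```shell
#!/bin/sh
# Added example, not part of the IBM bulletin.
#  1. Is the installed openssl.base level in the range the bulletin lists as
#     affected? (1.0.1.500 and above; 0.9.8.* and 12.9.8.* are not affected.)
#  2. After re-issuing, was the new certificate built on a NEW private key?
# Assumption: the ifix does not change the fileset level, so a level check alone
# cannot tell "ifix applied" from "not applied"; confirm the ifix with emgr -l.
# Any later level IBM ships as fixed needs its own check.

# $1 = fileset level such as 1.0.1.510. Prints affected / not-affected / unknown.
openssl_level_affected() {
    level=$1
    case $level in
        0.9.8.*|12.9.8.*) echo not-affected; return 0 ;;
        1.0.1.*) ;;
        *) echo unknown; return 0 ;;
    esac
    build=${level##*.}                        # fourth component, e.g. 510
    case $build in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$build" -ge 500 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Read lslpp -L style output (Fileset Level State Type Description) on stdin
# and report the verdict for openssl.base.
audit_lslpp_output() {
    while read -r fileset level state type desc; do
        [ "$fileset" = openssl.base ] || continue
        echo "$fileset $level $(openssl_level_affected "$level")"
    done
}

# Constructed sample of "lslpp -L 'openssl.*'" output (not captured from a real host).
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description (Uninstaller)
  openssl.base              1.0.1.510    C     F    Open Secure Socket Layer
  openssl.license           1.0.1.510    C     F    Open Secure Socket License
  openssl.man.en_US         1.0.1.510    C     F    Open Secure Socket Layer'

# $1 = old private key (PEM), $2 = new certificate (PEM). Prints "rotated" when
# the RSA moduli differ, "reused" when the new cert still carries the old key,
# "unreadable" when either file cannot be parsed. Needs the openssl CLI.
key_rotation_check() {
    old_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || :)
    new_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || :)
    if [ -z "$old_mod" ] || [ -z "$new_mod" ]; then
        echo unreadable
    elif [ "$old_mod" = "$new_mod" ]; then
        echo reused
    else
        echo rotated
    fi
}

# Usage on a live host:
#   lslpp -L 'openssl.*' | audit_lslpp_output
#   key_rotation_check /path/to/old/server.key /path/to/new/server.crt
printf '%s\n' "$SAMPLE_LSLPP" | audit_lslpp_output
```

The level check only encodes what the bulletin states; it reports "unknown" for any level outside the 0.9.8, 12.9.8 and 1.0.1 streams rather than guessing. The modulus comparison is the cheapest way to prove that step 1 was done as written: if the new certificate and the old key share a modulus, the "new" certificate is still protected by a key that may already be in an attacker's hands.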

http://aix.software.ibm.com/aix/efixes/security/openssl_advisory7.doc

7 Aug 2013

File Times in AIX

This technote discusses timestamps associated with files in filesystems on AIX.

In AIX each file has three different timestamps associated with it. These can be seen in the system include file /usr/include/sys/stat.h :

st_atime Time when file data was last accessed.
st_mtime Time when file data was last modified.
st_ctime Time when the file metadata was last changed.

All times are recorded in seconds since the Unix epoch. (For completeness, each of the three also has a nanosecond counter.)

Access Time (atime)
This is a timestamp recorded in the filesystem when the file was last opened for reading. The timestamp reflects when the open() on the file was performed, not necessarily when data was last read from it.

The access time can be viewed via ls using the -u flag.

Modification Time (mtime)
This denotes when the content of the file was most recently changed.

The modification time is what ls -l reports by default.

Change time (ctime)
This marks when a file's metadata was changed, such as permissions or ownership.

This time is not shown by ls by default; ls -lc lists it (the -c flag selects the inode change time).

Other Notes
Some operating systems also include a "file creation" time, but AIX does not.

These times can be seen via commands such as 'ls' or 'find' with the appropriate arguments given to print out the value desired.

An easy way to view all three simultaneously is with the /usr/bin/istat command:

$ istat p.out
Inode 263 on device 10/8        File
Protection: rw-r--r--
Owner: 0(root)          Group: 0(system)
Link count:   1         Length 14682 bytes

Last updated:   Tue Sep 15 10:50:15 PDT 2009
Last modified:  Tue Sep 15 10:50:15 PDT 2009
Last accessed:  Tue Nov  3 12:01:12 PST 2009

So this file had its contents modified on Sep 15, and that is also the time the metadata for the file was changed. The file was read last on Nov 3.

Some utilities such as tar specifically modify a file's time values to record a different time than would normally be present. For example, the default behavior of tar when restoring a file is to create the file, then set the modification time back to what it was set to in the tar archive.

Mount Option to Not Update Access Time
For filesystems with a high rate of file access, performance can be improved by disabling the update of the access time stamp. This option can be added to a filesystem by using the "-o noatime" mount option, or permanently set using "chfs -a options=noatime".

SOURCE: 1012054

28 Jul 2013

EMC VNX Snapview not supported with AIX MPIO

I found that some customers use SnapView on CX or VNX FLARE with the AIX native MPIO driver on VIOS or AIX.

Already in 2008, EMC wrote a technical note specifying that layered software such as SnapView was not supported with AIX MPIO.

Technote: 300-008-486_aix_native_mpio_clariion_1108

Today this technote has disappeared, but EMC support wrote an EMC Primus solution "emc75601" specifying that it is still not supported with VNX layered software.

Driver example:

EMC.CLARiiON.aix.rte       5.3.0.8    C     F    EMC CLARiiON AIX Support
EMC.CLARiiON.fcp.MPIO.rte  5.3.0.8    C     F    EMC CLARiiON FCP MPIO Support
devices.common.IBM.mpio.rte 6.1.7.15    C     F    MPIO Disk Path Control Module

EMC primus case "emc75601"

VNX storage-system layered applications
EMC Layered software such as SnapView, MirrorView/Asynchronous, MirrorView/Synchronous,
EMC SAN Copy, etc., are not supported with hosts running AIX Native MPIO

So if it is imperative to use SnapView, install EMC PowerPath instead of the native MPIO driver.

22 Jul 2013

Device Configuration Database Lock Service Timed Out Message

Every process that changes the ODM first locks the ODM to prevent other processes from making changes simultaneously. When you see this message displayed, it means another process has already obtained the lock.

Wait a few minutes and retry. If the message persists, check which process is holding the lock.

To check, use the following command:

fuser -ux /etc/objrepos/config_lock

The system displays the process ID currently holding the lock. Verify that this process is not hung.

If the process holding the lock is hung, determine whether it is required. If it is not, send it a signal to try to wake it up, or kill it.

16 Jun 2013

Java process sending IPV6 DNS queries

Question

How to stop Java process from sending IPV6 DNS queries

Answer

Place the following line, as is, in /etc/environment (do not add double quotes or anything else):
IBM_JAVA_OPTIONS=-Djava.net.preferIPv4Stack=true

Reboot the system so that every process is restarted with the new environment. This variable only affects Java processes.

15 Feb 2013

Simple AIX ipv4 filtering configuration – memo

In this example:
- one server with IP address 10.0.0.1 configured on the en0 logical interface
IPsec filter rules:
- PERMIT SSH requests to the server (10.0.0.1) from a single client (10.0.0.2) only
- DENY and LOG all other SSH connections
- DENY all other packets

Prerequisites

To use IP filtering in AIX, a few filesets need to be installed:

- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- clic.rte.kernext
- clic.rte.lib

Recommendations
- Use a console (TTY or VTY) connection for the first filtering configuration: the script below denies everything until the PERMIT rules are activated, so a remote SSH session would be cut off.
- Add the client hostname to /etc/hosts on the server.
- Use hostnames in the genfilt rules, as this example does.

- Check hostname resolution:

# host server
server is 10.0.0.1

# host client
client is 10.0.0.2

Prepare syslog to record the rejected packets (ipsec_logd logs to the local4 facility):

# echo "local4.debug /var/adm/ipsec.log rotate size 100k files 4" >> /etc/syslog.conf
# touch /var/adm/ipsec.log
# refresh -s syslogd

Back up the current rules:

# lsfilt -v4 >> /tmp/lsfilt.bkp

Example IPsec filter rules script:

#!/usr/bin/ksh

# Remove all user-defined IPv4 rules
rmfilt -v 4 -n all

# Activate (only the default rules remain at this point)
mkfilt -v 4 -u

# Stop IPv4 filter logging while the rules are rebuilt
mkfilt -v 4 -g stop

# Set the default action to DENY ALL and activate.
# From here until the PERMIT rules below are activated, every packet is dropped,
# including the SSH session running this script: run it from the console.
mkfilt -v 4 -u -z D

# PERMIT SSH requests from client to server on en0
# (inbound, tcp, source port > 1023, destination port 22)
genfilt -v 4 -a P -s client -d server -g N -c tcp -o gt -p 1023 -O eq -P 22 -r L -w I -l N -f Y -i en0

# PERMIT SSH replies from server to client on en0
# (outbound, tcp with ACK set, source port 22, destination port > 1023)
genfilt -v 4 -a P -s server -d client -g N -c tcp/ack -o eq -p 22 -O gt -P 1023 -r L -w O -l N -f Y -i en0

# DENY and LOG every other SSH request on en0 (mask 0.0.0.0 = any host)
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g N -c tcp -O eq -P 22 -r L -w I -l Y -f Y -i en0

# Activate the rules
mkfilt -v 4 -u

# Start IPv4 filter logging (goes to /var/adm/ipsec.log via syslog local4)
mkfilt -v 4 -g start

# Display the active rules
lsfilt -v 4 -O

In the ipsec.log extract below you can see 10.0.0.5 being denied (R:d, rule #:4) when it tries to reach the SSH server (DP:22):

# tail -f /var/adm/ipsec.log

Feb 15 16:16:57 server local4:notice ipsec_logd: Filter logging daemon ipsec_logd (level 2.20) initialized at 16:16:57 on 02/15/13
Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d  I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp/ack SP:34804 DP:22 R:l I:en0 F:n T:0 L:44
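An added example, not part of the original memo, that parses the ipsec_logd records produced by the DENY/LOG rule and counts denied connection attempts per source address. The field layout is the one visible in the log line above; the additional log lines in the sample are constructed, and the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the original memo. Digests ipsec_logd deny records and
# answers "who is knocking on port 22 and how often", per source address.
# Record layout (from the log line in the memo):
#   #:<rule> R:<action d|p> I:<if-addr> S:<src> D:<dst> P:<proto> SP:<sport> DP:<dport> R:<l|r> I:<ifc> ...
# Only the 16:17:10 line is from the memo; the other records are constructed.
SAMPLE_IPSEC_LOG='Feb 15 16:16:57 server local4:notice ipsec_logd: Filter logging daemon ipsec_logd (level 2.20) initialized at 16:16:57 on 02/15/13
Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d  I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp/ack SP:34804 DP:22 R:l I:en0 F:n T:0 L:44
Feb 15 16:17:13 server local4:info ipsec_logd: #:4 R:d  I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp SP:34805 DP:22 R:l I:en0 F:n T:0 L:44
Feb 15 16:18:02 server local4:info ipsec_logd: #:4 R:d  I:10.0.0.1 S:10.0.0.9 D:10.0.0.1 P:tcp SP:51000 DP:22 R:l I:en0 F:n T:0 L:44
Feb 15 16:18:30 server local4:info ipsec_logd: #:5 R:d  I:10.0.0.1 S:10.0.0.9 D:10.0.0.1 P:tcp SP:51001 DP:80 R:l I:en0 F:n T:0 L:44'

# Count denied packets to destination port $1 (default 22) per source address.
# Reads ipsec_logd lines on stdin; prints "<count> <source>" sorted by count.
denied_by_source() {
    port=${1:-22}
    awk -v port="$port" '
        /ipsec_logd: #:/ {
            act = ""; src = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                # the first R: token is the action (d/p); the second R: is routing (l/r)
                if ($i ~ /^R:[dp]$/ && act == "") act = substr($i, 3)
                else if ($i ~ /^S:/)  src   = substr($i, 3)
                else if ($i ~ /^DP:/) dport = substr($i, 4)
            }
            if (act == "d" && dport == port) n[src]++
        }
        END { for (s in n) print n[s], s }' | sort -rn
}

# On a live box:  tail -1000 /var/adm/ipsec.log | denied_by_source 22
# On the constructed sample:
printf '%s\n' "$SAMPLE_IPSEC_LOG" | denied_by_source 22
```

The parser keys on the token prefixes rather than on column positions, since the daemon's start-up banner and any future extra field would otherwise shift the columns; passing a different port (`denied_by_source 80`) reuses the same logic for any other DENY/LOG rule you add.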

Source:

http://www.ibm.com/developerworks/aix/library/au-aixfiltering/index.html

http://it.toolbox.com/blogs/unix-swing/sample-firewall-in-aix-48146

12 Feb 2013

AIX “From Strength to Strength”


IBM AIX “From Strength to Strength”
A summary of upgrade benefits for each release of AIX
February, 2013 Edition

Download

20 Jan 2013

Steps to unlock a volume group

Question

This document describes how to unlock a volume group with an error like:

0516-1201 lsvg: Warning: Volume group <VG Name> is locked.

Answer

Here are some steps to find out why the volume group is locked and/or unlock it.

  • Run "chvg -u <VG Name>" to try to unlock it.
  • Check the complete ps -ef output for LVM processes such as chlv, chvg or mklv that modify LVM metadata and therefore lock the VG.

If you only find query commands such as lsvg or lslv, with or without flags, like these:

# ps -ef | grep vg

---------------------------------------------------
UID PID PPID C STIME TTY TIME CMD
---------------------------------------------------
root 14942378 19988506 0 Oct 16 - 0:00 lsvg -p rootvg
root 15597578 12189770 0 23:55:05 - 0:00 lsvg -p rootvg
root 4850006 15532252 0 13:45:05 pts/3 0:00 /usr/sbin/lsvg -l

Then it is safe to kill those processes (14942378, 15597578 and 4850006 in the case above), since they only query information about the volume group; then retry step 1.

  • Check for a running maragent or navisphere process. These are EMC products, and older versions have been known to lock volume groups illegally.

We can check using:

# ps -ef | grep -Ei 'maragent|navisphere'

---------------------------------------------------
UID PID PPID C STIME TTY TIME CMD
---------------------------------------------------
root 6881442 17957332 0 06:44:16 pts/5 0:00 maragent

Then try killing the process (6881442) and retry step 1 to unlock the volume group.

  • Check if you are experiencing a full filesystem
# df -g
Filesystem GB blocks Free %Used Iused %Iused Mounted on
/dev/hd4 1.28 0.81 97% 10080 56% /
/dev/hd2 3.81 1.99 48% 42906 9% /usr
/dev/hd9var 0.69 0.38 85% 6701 67% /var
/dev/hd3 0.12 0.12 6% 142 1% /tmp
/dev/hd1 0.03 0.03 2% 25 1% /home
/dev/hd11admin 0.12 0.12 1% 5 1% /admin
/dev/hd10opt 0.28 0.10 64% 7032 23% /opt
/dev/livedump 0.12 0.12 1% 4 1% /var/adm/ras/livedump

The filesystems with a high %Used above (/ at 97% and /var at 85%) may be the problem: when a filesystem that LVM or the ODM writes to fills up, the command hangs and the volume group stays locked.

To resolve this, increase the size of the filesystem:

# chfs -a size=+1G /filesystem

Which will extend the filesystem by 1G

  • Check /etc/vg directory for lock file.

Example:

# odmget -q "name=rootvg and attribute=vgserial_id" CuAt
CuAt:

name= "vg name"
attribute= "vgserial_id"
value ="0007b47c00004c000000013b717a0988"
type = "R"
generic = "D"
rep = "n"
nls_index = 637

The value above (0007b47c00004c000000013b717a0988) is the serial of the volume group.

You would then run:

# fuser -f /etc/vg/vgXX

where XX is the upper-case form of the value returned by the odmget command; in this example you would run:

# fuser -f /etc/vg/vg0007B47C00004C000000013B717A0988

If there is a process running locking the vg we will see a line similar to the one below:

/etc/vg/vg0007B47C00004C000000013B717A0988: 9895958

Which we can then identify:

# ps -fp 9895958

---------------------------------------------------
UID PID PPID C STIME TTY TIME CMD
---------------------------------------------------
root 9895958 9896034 1 20:07:53 pts/0 0:00 lmigratelv -l 0007b47c00004c000000013b717a0988 -s 50 /tmp/mig_map198

So in this case, we identified that the process that was locking up the volume group is the lmigratelv command, however, you may see a different process running against the volume group. To unlock the volume group, you need to troubleshoot that process (in the case above, I would wait till the migration has completed)

If the process belongs to a third-party application, contact the vendor for assistance on why it is locking the volume group.

  • check the ODM
# odmget -q "name=VGname and attribute=lock" CuAt
CuAt:

name= "vg name"
attribute= "lock"
value ="24892"
type = "R"
generic = ""
rep = "l"

The value above (24892) is the PID for the process that has the vg locked. So you can then look at the processes table and find out the process name (i.e ps -fp 24892).

Once we get the process id, we would troubleshoot the process that is running against the volume group like we have done in step 4.

If there is no process, there may be a lock left behind in the ODM. The low-level command "putlvodm" can be used to clear this:

$ VGID=$(getlvodm -v NAME_OF_LOCKED_VG)
$ putlvodm -K ${VGID}
  • Check errpt -a for any disk issues or vscsi adapter mapping from the vio server failing. Hung I/O from disks will cause LVM processes to hang waiting for the I/O to complete, and some of these processes will lock the vg.
  • If you are running HACMP, there has been a previous defect against LVM and HACMP that will leave a lock behind if an LVM cmd has been killed. Check APARs for this or other lock related issues.
  • If none of these work force a dump on the system and send it in for analysis. On the other hand, if a root cause analysis (RCA) or problem source identification(PSI) is not needed then rebooting may solve the locked volume group.
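An added example (not from the technote) that scripts the triage described in the steps above: it reads `ps -ef` output and sorts LVM processes into read-only queries that are safe to kill, modifying commands to investigate, and the EMC agents mentioned in step 3; and it reads `odmget ... CuAt` output to derive the `/etc/vg/vgXXXX` lock file name and the PID stored in the `lock` attribute. The `ps` and `odmget` samples are constructed from the technote's own output, and the lists of LVM commands are this example's assumption, not IBM's.

```shell
#!/bin/sh
# Added example, not part of the technote. Automates the triage above:
#  - from ps -ef: SAFE_TO_KILL (read-only LVM queries), INVESTIGATE (commands
#    that change LVM state), THIRD_PARTY (EMC agents known to hold VG locks)
#  - from odmget CuAt stanzas: the /etc/vg lock file name (upper-case VGID)
#    and the PID stored in the "lock" attribute.
# Both samples are constructed; the command lists are this example's assumption.

SAMPLE_PS='UID PID PPID C STIME TTY TIME CMD
root 14942378 19988506 0 Oct 16 - 0:00 lsvg -p rootvg
root 4850006 15532252 0 13:45:05 pts/3 0:00 /usr/sbin/lsvg -l
root 9895958 9896034 1 20:07:53 pts/0 0:00 lmigratelv -l 0007b47c00004c000000013b717a0988 -s 50 /tmp/mig_map198
root 6881442 17957332 0 06:44:16 pts/5 0:00 maragent
root 4260044 1 0 Oct 16 - 0:00 /usr/sbin/sshd'

SAMPLE_CUAT='CuAt:
        name = "datavg"
        attribute = "vgserial_id"
        value = "0007b47c00004c000000013b717a0988"
        type = "R"
        generic = "D"
        rep = "n"
        nls_index = 637

CuAt:
        name = "datavg"
        attribute = "lock"
        value = "24892"
        type = "R"
        generic = ""
        rep = "l"
        nls_index = 0'

# Read ps -ef on stdin; print "<verdict> <pid> <command>" for LVM-related processes.
classify_lvm_procs() {
    awk '
        $1 == "UID" { next }
        {
            # Columns: UID PID PPID C STIME TTY TIME CMD. STIME is two words
            # ("Oct 16") for old processes, so locate TIME (h:mm) and take the next field.
            cmdi = 0
            for (i = 7; i <= NF; i++) if ($i ~ /^[0-9]+:[0-9][0-9]$/) { cmdi = i + 1; break }
            if (!cmdi) next
            cmd = $cmdi; sub(/.*\//, "", cmd)                # drop a leading /usr/sbin/
            if (cmd ~ /^(lsvg|lslv|lspv)$/)
                verdict = "SAFE_TO_KILL"                     # queries only; retry chvg -u afterwards
            else if (cmd ~ /^(chvg|chlv|mklv|rmlv|extendlv|extendvg|reducevg|mirrorvg|syncvg|migratepv|lmigratelv|importvg|exportvg|varyonvg|varyoffvg)$/)
                verdict = "INVESTIGATE"                      # changes LVM state; let it finish or debug it
            else if (tolower(cmd) ~ /maragent|navisphere/)
                verdict = "THIRD_PARTY"                      # EMC agent known to hold VG locks
            else next
            print verdict, $2, cmd
        }'
}

# Read odmget CuAt output on stdin; print the value of the stanza whose attribute is $1.
cuat_value() {
    awk -F'"' -v attr="$1" '
        /^ *attribute *=/ { want = ($2 == attr) }
        want && /^ *value *=/ { print $2; exit }'
}

# The lock file under /etc/vg is named after the VGID in upper case.
vg_lockfile() {
    vgid=$(cuat_value vgserial_id)
    [ -n "$vgid" ] || return 1
    printf '/etc/vg/vg%s\n' "$(printf '%s' "$vgid" | tr '[:lower:]' '[:upper:]')"
}

# Live usage:
#   ps -ef | classify_lvm_procs
#   odmget -q "name=datavg" CuAt | cuat_value lock          # PID recorded as lock holder
#   fuser -f "$(odmget -q 'name=datavg' CuAt | vg_lockfile)" # who has the lock file open
printf '%s\n' "$SAMPLE_PS" | classify_lvm_procs
```

Treat SAFE_TO_KILL as "safe to kill and retry `chvg -u`", exactly as the technote's step 2 says; INVESTIGATE entries such as the `lmigratelv` above are the ones where killing the process is what leaves the stale lock behind in the first place.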

Source: IBM Technote

27 Jul 2012

Virtual I/O Server migration with NIM

Download the VIOS 2.1.3.10 migration DVD from IBM Fix Central, or download the ISO image.

NIM SERVER: AIX 7100-01-04-1216

Mount the ISO image of the VIOS 2.1.3.10 migration DVD:

# loopmount -i /export/images/VIOS_2.1.3.10.iso -o "-V cdrfs -o ro" -m /mnt

Copy the contents of the migration DVD's installp directory into the lpp_source filesystem:

# cp -pr /mnt/installp /export/lpp_source/lpp_src_vios_21310

Define the lpp_source lpp_src_vios_21310:

nim -o define -t lpp_source -a server=master -a location=/export/lpp_source/lpp_src_vios_21310 lpp_src_vios_21310

Define the SPOT spot_vios_21310 from the lpp_source lpp_src_vios_21310:

nim -o define -t spot -a server=master -a location=/export/spot -a source=lpp_src_vios_21310 -a installp_flags=-aQg spot_vios_21310

VIRTUAL I/O SERVER: IOSLEVEL 1.5.2.6-FP-11.1 SP-02

1. Configure the Ethernet interface for the NIM installation via the SMS menu.

***********************************************************************************

          Welcome to Base Operating System
                      Installation and Maintenance

Type the number of your choice and press Enter. Choice is indicated by >>>.

>>> 1 Start Install Now with Default Settings

    2 Change/Show Installation Settings and Install

    3 Start Maintenance Mode for System Recovery

    4 Configure Network Disks (iSCSI)

    5 Select Storage Adapters


    88  Help ?
    99  Previous Menu

>>> Choice [1]:1
***********************************************************************************
                          VIOS Migration Installation Summary

Disks:  hdisk1...

>>> 1   Continue with Install
                       +-----------------------------------------------------
    88  Help ?         |  WARNING: Base Operating System Installation will
    99  Previous Menu  |destroy or impair recovery of SOME data on the
                       |destination disk hdisk1.
>>> Choice [1]:1
***********************************************************************************
Migration menu preparation in progress.

        Please wait...


        Approximate     Elapsed time
     % tasks complete   (in minutes)


          0               0
***********************************************************************************
       Migration Confirmation

  Either type 0 and press Enter to continue the installation, or type the
  number of your choice and press Enter.

    1  List the saved Base System configuration files which will not be
       merged into the system.  These files are saved in /tmp/bos.
    2  List the filesets which will be removed and not replaced.
    3  List directories which will have all current contents removed.
    4  Reboot without migrating.

    Acceptance of license agreements is required before using system.
    You will be prompted to accept after the system reboots.

>>> 0  Continue with the migration.
   88  Help ?

+---------------------------------------------------------------------------
  WARNING: Selected files, directories, and filesets (installable options)
    from the Base System will be removed.  Choose 2 or 3 for more information.


>>> Choice[0]:0
***********************************************************************************

MIGRATION in progress .......

$ ioslevel
2.1.3.10-FP23
20 Jul 2012

Update IBM HTTP Server 6.0.2 on AIX

Configuration:
AIX 64-bit and IBM HTTP Server 6.0.2.0 32-bit

Installing fixpack 6.0.2.43

Since fixpack 6.0.2.21 the UpdateInstaller is no longer shipped with the service pack; you have to download it separately.

Updateinstaller 7.0.0.23
ftp://public.dhe.ibm.com/software/websphere/appserv/support/tools/UpdateInstaller/7.0.x/AixPPC32/7.0.0.23-WS-UPDI-AixPPC32.tar.gz

32-bit Power PC IBM HTTP Server FIXPACK 6.0.2.43
ftp://ftp.software.ibm.com/software/websphere/appserv/support/fixpacks/was60/refreshpack2/cumulative/cf60243/AixPPC32/6.0.2-WS-WASIHS-AixPPC32-FP00000043.pak

Stop the HTTP server

# /app/ihs/bin/apachectl stop

UpdateInstaller 7.0.0.23
Extract UpdateInstaller 7.0.0.23 in /tmp/IHStempo:

# export DISPLAY=Xwindows:0.0
# mkdir /tmp/IHStempo
# cd  /tmp/IHStempo
# gunzip < 7.0.0.23-WS-UPDI-AixPPC32.tar.gz | tar -xf -
# cd UpdateInstaller
# ./install

- Install the UpdateInstaller in /app/ihs/UpdateInstaller
- Untick "Launch UpdateInstaller"
- Finish

IBM HTTP Server FIXPACK 6.0.2.43

Copy the fixpack 6.0.2-WS-WASIHS-AixPPC32-FP00000043.pak into /app/ihs/UpdateInstaller/maintenance and launch the UpdateInstaller:

# cd  /app/ihs/UpdateInstaller/
# ./update.sh

- Product directory: /app/ihs
- Install maintenance 6.0.2.43

Verify the update:

# lslpp -L gskta.rte
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  gskta.rte                 7.0.4.28    C     F    AIX Certificate and SSL Base
                                                   Runtime ACME Toolkit


# /app/ihs/bin/apachectl -v
Server version: IBM_HTTP_Server/6.0.2.43 Apache/2.0.47
Server built:   Jul 20 2010 22:53:03