Friday, 17 April 2020

AIX - One Stale PP fix

Let's begin by breaking the mirror first:
rmlvcopy hd9var 1 hdisk0

Reduce the size of hd9var to free the problem PP on hdisk1:
chfs -a size=-128M /var

Verify that hd9var no longer uses PP number 132 on hdisk1:
readvgda -d hdisk1

Create a badpplv.map file containing the following line only:
hdisk1:132

Now create an LV that occupies the bad PP, so that nothing else gets allocated on it (the map file name must match the file created above):
mklv -m badpplv.map -t jfs -y badpplv rootvg

Now let's resize hd9var back to its original size:
chfs -a size=+128M /var

Now let's recreate the mirror:
mklvcopy hd9var 2 hdisk0
Now sync the VG:
syncvg -l hd9var
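As an added example (not part of the original post), the two checks around the map-file step written as shell functions that work on captured lspv -M output: one emits the map-file entries for every stale PP of a given LV, the other confirms that a PP is free before mklv is run. The line layout assumed here (PVname:PPnum, then LVname:LPnum[:copy] and a state column such as "stale" for allocated PPs, and free PPs shown as a range) is an assumption of this example, and the sample output is constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Works on captured "lspv -M <disk>" output.
# Assumed layout per line: PVname:PPnum [LVname:LPnum[:copy] [state]]; free PPs as ranges.

# stale_pp_map LVNAME < lspv-M-output
# Prints map-file entries (disk:pp) for every PP of LVNAME that is marked stale.
stale_pp_map() {
    lv_name=$1
    while read -r pp lv state
    do
        [ "$state" = "stale" ] || continue
        [ "${lv%%:*}" = "$lv_name" ] || continue
        printf '%s\n' "$pp"
    done
}

# pp_is_free DISK PPNUM < lspv-M-output
# Returns 0 if PPNUM is listed as free on DISK, 1 if it is allocated or not listed.
pp_is_free() {
    want_disk=$1
    want_pp=$2
    while read -r pp lv state
    do
        disk=${pp%%:*}
        range=${pp#*:}
        [ "$disk" = "$want_disk" ] || continue
        # Free PPs are printed as a range (lo-hi); allocated PPs as a single number.
        case "$range" in
            *-*) lo=${range%-*}; hi=${range#*-} ;;
            *)   lo=$range; hi=$range ;;
        esac
        if [ "$want_pp" -ge "$lo" ] && [ "$want_pp" -le "$hi" ]
        then
            [ -z "$lv" ] && return 0   # no LV column: the PP is free
            return 1                   # an LV still owns this PP
        fi
    done
    return 1
}

# Constructed sample of lspv -M output for a mirrored hd9var with one stale PP.
SAMPLE='hdisk1:1 hd5:1
hdisk1:131 hd9var:4:2
hdisk1:132 hd9var:5:2 stale
hdisk1:133-200'

# Usage: generate the map-file line, then confirm the PP is free before running mklv.
printf '%s\n' "$SAMPLE" | stale_pp_map hd9var
if printf '%s\n' "$SAMPLE" | pp_is_free hdisk1 132
then echo "PP 132 is free"
else echo "PP 132 is still allocated: shrink the file system first"
fi
```

In real use the functions read "lspv -M hdisk1" directly (lspv -M hdisk1 | stale_pp_map hd9var > badpplv.map), and pp_is_free is the scripted form of the readvgda check: run it after the chfs shrink and before mklv.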

Saturday, 19 October 2019

NIMADM limitations

1>The client's hardware and software must support the AIX(R) level that is being migrated to and meet all other conventional
migration requirements.

2>The application servers, such as DB2 and LDAP, must be stopped before you run the clone rootvg command. Otherwise, the
application servers do not start normally after the clone rootvg command has finished processing.

3>If the client's rootvg has TCB turned on, you must either disable it (permanently), use the disk caching option (-j), or perform
a conventional migration. (This limitation exists because TCB needs to access file metadata which is not visible over NFS.)

4>All NIM resources used by the nimadm command must be local to the NIM master.

5>Although there is almost no interference with the client's active rootvg during the migration, the client may experience minor
reduction in performance due to increased disk input/output, biod activity, and some CPU usage associated with alt_disk_install
cloning.

6>NFS tuning may be required to optimize nimadm performance.

7>The nimadm command is not supported with the multibos command when there is a bos_hd5 logical volume.

NIMADM Migration Process - 12 Phases

The nimadm command performs migration in 12 phases. Each phase can be executed individually using the -P flag. The nimadm phases are as follows:

1    The master issues an alt_disk_install command to the client which makes a copy of the rootvg to the target disks (coincidentally
     this is Phase 1 of the alt_disk_install process). In this phase altinst_rootvg (alternate rootvg) is created. If a target mksysb
     has been specified, the mksysb is used to create a rootvg using local disk caching on the NIM master.

2    The master runs remote client commands to export all of the /alt_inst file systems to the master. The file systems are exported
     as read/write with root access to the master. If a target mksysb has been specified, the cache file systems are created based on
     the image data from the mksysb.

3    The master NFS mounts the file systems exported in Phase 2. If a target mksysb has been specified, the mksysb archive is restored
     in the cache file systems that were created in phase 2.

4    If a pre-migration script resource has been specified, it is executed at this time.

5    System configuration files are saved. Initial migration space is calculated and appropriate file system expansions are made.
     "bos" is restored and the device database is merged (similar to a conventional migration). All of the migration merge methods are
     executed and some miscellaneous processing takes place.

6    All system filesets are migrated using installp. Any required RPM images are also installed during this phase.

7    If a post-migration script resource has been specified, it is executed at this time.

8    bosboot is executed to create a client boot image, which is written out to the client's boot logical volume (hd5).

9    All mounts made on the master in phase 3 are removed.

10   All client exports created in phase 2 are removed.

11   The alt_disk_install is called again (phase 3 of alt_disk_install) to make final adjustments and put altinst_rootvg to sleep. The
     bootlist is set to the target disk (unless the -B flag is used). If an output mksysb has been specified, the cache is archived
     into a mksysb file and made into a NIM mksysb resource.

12   Cleanup is executed to end the migration. The client is rebooted, if the -r flag is specified. Note: The nimadm command supports
     migrating several clients simultaneously.


Tuesday, 22 January 2019

HA


LOGMON_HACMPALARM_nodeDownPN0_LOGErrorLvl
    Found log "EVENT START:node_down_remote" in /local/logs/hacmp/hacmp.out
LOGMON_HACMP-EventErrorPN0_LOGErrorLvl
    Found log "EVENT COMPLETED: event_error" in /local/logs/hacmp/hacmp.out
LOGMON_HACMP-clverifyFAILPN0_LOGErrorLvl
    Found FAILED in /var/hacmp/clverify/clverify.log
LOGMON_HACMP_AdapterSwapPN0_LOGErrorLvl
    Found log "EVENT START: swap_adapter" in /var/adm/cluster.log
LOGMON_HACMP_SecondaryDownPN0_LOGErrorLvl
    Found log "EVENT START: node_down_local" in /local/logs/hacmp/hacmp.out
LOGMON_HACMP_TakeoverPN0_LOGErrorLvl
    Found log "EVENT COMPLETED:acquire_takeover_addr" in /local/logs/hacmp/hacmp.out
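As an added example (not part of the original post), the monitor definitions above turned into a small detection function: given a log file name and one line from it, it prints the matching LOGMON alarm name, and a second function scans a whole log. The match tolerates optional whitespace after the colon, which is an assumption, since the strings above are inconsistent on that point; the sample log lines are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: map a log line to the LOGMON alarm
# names listed above. Whitespace after "EVENT START:" / "EVENT COMPLETED:" is
# optional here (assumption: the page's strings differ on that point).

# hacmp_alarm LOGFILE LINE
# Prints the alarm name and returns 0 when a rule matches; returns 1 otherwise.
hacmp_alarm() {
    logfile=$1
    line=$2
    case "$logfile" in
        */clverify.log)
            case "$line" in
                *FAILED*) echo LOGMON_HACMP-clverifyFAILPN0_LOGErrorLvl; return 0 ;;
            esac ;;
        */cluster.log)
            case "$line" in
                *"EVENT START:"*"swap_adapter"*) echo LOGMON_HACMP_AdapterSwapPN0_LOGErrorLvl; return 0 ;;
            esac ;;
        */hacmp.out)
            case "$line" in
                *"EVENT START:"*"node_down_remote"*)        echo LOGMON_HACMPALARM_nodeDownPN0_LOGErrorLvl; return 0 ;;
                *"EVENT START:"*"node_down_local"*)         echo LOGMON_HACMP_SecondaryDownPN0_LOGErrorLvl; return 0 ;;
                *"EVENT COMPLETED:"*"event_error"*)         echo LOGMON_HACMP-EventErrorPN0_LOGErrorLvl; return 0 ;;
                *"EVENT COMPLETED:"*"acquire_takeover_addr"*) echo LOGMON_HACMP_TakeoverPN0_LOGErrorLvl; return 0 ;;
            esac ;;
    esac
    return 1
}

# scan_hacmp_log LOGFILE < lines
# Prints one alarm name per matching line; lines that match no rule are skipped.
scan_hacmp_log() {
    logfile=$1
    while read -r line
    do
        if alarm=$(hacmp_alarm "$logfile" "$line")
        then
            printf '%s\n' "$alarm"
        fi
    done
}

# Constructed sample lines in hacmp.out style (a remote node failure and the takeover).
SAMPLE='Jan 22 10:01:02 EVENT START: node_down_remote node2
Jan 22 10:01:05 EVENT COMPLETED: node_down_remote node2 0
Jan 22 10:01:09 EVENT START: acquire_takeover_addr
Jan 22 10:01:12 EVENT COMPLETED: acquire_takeover_addr 0'

# Usage: prints the nodeDown and Takeover alarm names, in that order.
printf '%s\n' "$SAMPLE" | scan_hacmp_log /local/logs/hacmp/hacmp.out
```

On a live node the scan runs over the tail of the file (tail -f /local/logs/hacmp/hacmp.out | scan_hacmp_log /local/logs/hacmp/hacmp.out); the file argument is what selects the rule set, so the same lines in cluster.log are matched only against the swap_adapter rule.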

Tuesday, 31 July 2018

itcs check script

#!/bin/ksh
#Script name:itcs_chk.ksh


DT=$(date +%d.%m.%Y.%H.%M.%S)
# The reports contain account and password-policy details: create them readable by root only
umask 077
OP_LOG=/tmp/`hostname`_itcs.out.$DT
SUM_LOG=/tmp/`hostname`_itcs.summary.out.$DT


echo "%%%%%%%%%%%%%% Script $0 started: `date` %%%%%%%%%%%%%%" >> $OP_LOG
echo "%%%%%%%%%%%%%% Script $0 started: `date` %%%%%%%%%%%%%%" >> $SUM_LOG

echo " ==========================================" >> $SUM_LOG
echo " Summary Report         "  >> $SUM_LOG
echo " ==========================================" >> $SUM_LOG

###########
#Functions
###########

#1.Passwd Non-Expiry ID Check
non_expiry_passwd_chk () {
echo "\n ################### [1]Passwd Non-Expiry ID Check started ################### " >> $OP_LOG
echo "\n ################### [1]Summary of Passwd Non-Expiry ID Check ################### " >> $SUM_LOG

>/tmp/opt_a
>/tmp/opt_b
>/tmp/opt_c
>/tmp/opt_d

echo "*********** List of Passwd Non-Expiry ID on `hostname` ***********" >> /tmp/opt_a
lsuser -a maxage ALL|grep "=0"  >> /tmp/opt_a

>/tmp/non_expi_passwds.txt
lsuser -a maxage ALL|grep "=0" |awk '{print $1}' > /tmp/non_expi_passwds.txt

echo "*********** ITCS Option A check started *********** " >> /tmp/opt_a
for USER in `cat /tmp/non_expi_passwds.txt`
do
lsuser -a login $USER |grep "login=false" > /dev/null 2>&1
        if [ $? != 0 ]
        then
lsuser -a login $USER >> /tmp/opt_a
echo "Non Compliant:Option A not set for $USER" >> /tmp/opt_a
echo "+++++++++++++++++++++++++++++++++++++++++++++" >> /tmp/opt_a
else
lsuser -a rlogin $USER |grep "rlogin=false" > /dev/null 2>&1
if [ $? != 0 ]
then
lsuser -a rlogin $USER >> /tmp/opt_a
echo "Non Compliant:Option A not set for $USER " >> /tmp/opt_a
echo "+++++++++++++++++++++++++++++++++++++++++++++" >> /tmp/opt_a
else
grep -w $USER /etc/ftpusers > /dev/null 2>&1
if [ $? != 0 ]
then
echo "No entry of $USER in /etc/ftpusers file" >> /tmp/opt_a
echo "Non Compliant:Option A not set for $USER" >> /tmp/opt_a
echo "+++++++++++++++++++++++++++++++++++++++++++++" >> /tmp/opt_a
else
lsuser -a login rlogin $USER >> /tmp/opt_a
echo "Entry of $USER found in /etc/ftpusers file" >> /tmp/opt_a
grep -w $USER /etc/ftpusers >> /tmp/opt_a
echo "Compliant:Option A is set for $USER" >> /tmp/opt_a
echo "+++++++++++++++++++++++++++++++++++++++++++++" >> /tmp/opt_a
fi
fi
fi
done
echo "*********** ITCS Option A check completed ***********" >> /tmp/opt_a


echo "*********** ITCS Option B check started ***********" >> /tmp/opt_b
for USER in `cat /tmp/non_expi_passwds.txt`
do
# Option B: the password field (2nd column) of the user's own /etc/passwd entry is "*"
awk -F: -v u="$USER" '$1 == u && $2 == "*" { found = 1 } END { exit !found }' /etc/passwd
if [ $? != 0 ]
then
echo "1st and 2nd column of /etc/passwd file" >> /tmp/opt_b
awk -F: -v u="$USER" '$1 == u { print $1 " " $2 }' /etc/passwd >> /tmp/opt_b
echo "Non Compliant:Option B not set for $USER" >> /tmp/opt_b
echo "+++++++++++++++++++++++++++++++++++++++++++++" >> /tmp/opt_b
else
echo "1st and 2nd column of /etc/passwd file" >> /tmp/opt_b
awk -F: -v u="$USER" '$1 == u { print $1 " " $2 }' /etc/passwd >> /tmp/opt_b
echo "Compliant:Option B is set for $USER" >> /tmp/opt_b
echo "+++++++++++++++++++++++++++++++++++++++++++++" >> /tmp/opt_b
fi
done
echo "*********** ITCS Option B check completed ***********" >> /tmp/opt_b


echo "*********** ITCS Option C check started ***********" >> /tmp/opt_c
for USER in `cat /tmp/non_expi_passwds.txt`
do
# Option C: the user's own stanza in /etc/security/passwd carries "password = *" (no usable hash)
grep -p "^$USER:" /etc/security/passwd|grep "password *= *\*" > /dev/null 2>&1
if [ $? != 0 ]
then
# do not copy the stanza (it holds the password hash) into the report
echo "$USER has a password hash set in /etc/security/passwd" >> /tmp/opt_c
echo "Non Compliant:Option C not set for $USER" >> /tmp/opt_c
echo "+++++++++++++++++++++++++++++++++++++++++++++" >> /tmp/opt_c
else
grep -p "^$USER:" /etc/security/passwd|grep "password *= *\*" >> /tmp/opt_c
echo "Compliant:Option C is set for $USER" >> /tmp/opt_c
echo "+++++++++++++++++++++++++++++++++++++++++++++" >> /tmp/opt_c
fi
done
echo "*********** ITCS Option C check completed ***********" >> /tmp/opt_c

echo "*********** ITCS Option D check started ***********" >> /tmp/opt_d
for USER in `cat /tmp/non_expi_passwds.txt`
do
# Option D: the login shell (7th column) of the user's own /etc/passwd entry is /bin/false and the user is in /etc/ftpusers
awk -F: -v u="$USER" '$1 == u && $7 == "/bin/false" { found = 1 } END { exit !found }' /etc/passwd
if [ $? != 0 ]
then
awk -F: -v u="$USER" '$1 == u { print $1 " " $7 }' /etc/passwd >> /tmp/opt_d
echo "Non Compliant:Option D is not set for $USER" >> /tmp/opt_d
echo "+++++++++++++++++++++++++++++++++++++++++++++" >> /tmp/opt_d
else
grep -w $USER /etc/ftpusers > /dev/null 2>&1
if [ $? != 0 ]
then
echo "No entry of $USER in /etc/ftpusers file" >> /tmp/opt_d
echo "Non Compliant:Option D is not set for $USER" >> /tmp/opt_d
echo "+++++++++++++++++++++++++++++++++++++++++++++" >> /tmp/opt_d
else
awk -F: -v u="$USER" '$1 == u { print $1 " " $7 }' /etc/passwd >> /tmp/opt_d
echo "Entry of $USER found in /etc/ftpusers file" >> /tmp/opt_d
grep -w $USER /etc/ftpusers >> /tmp/opt_d
echo "Compliant:Option D is set for $USER" >> /tmp/opt_d
echo "+++++++++++++++++++++++++++++++++++++++++++++" >> /tmp/opt_d
fi
fi
done
echo "*********** ITCS Option D check completed ***********" >> /tmp/opt_d

>/tmp/tot_opt
>/tmp/sum_op

cat /tmp/opt_a > /tmp/tot_opt;cat /tmp/opt_b >> /tmp/tot_opt;cat /tmp/opt_c >> /tmp/tot_opt;cat /tmp/opt_d >> /tmp/tot_opt

cat /tmp/tot_opt >> $OP_LOG

for USER in `cat /tmp/non_expi_passwds.txt`
do
# count how many of the four exemption options report this user as non compliant
grep "Non Compliant:Option" /tmp/tot_opt|grep -w "$USER" > /tmp/q1
U2=4
U1=`cat /tmp/q1|wc -l`
if (( $U1 < $U2 ))
then
echo "ITCS104 compliant:$USER satisfies at least one of 4 non-expiry passwd exemption options" >> /tmp/sum_op
else
echo "ITCS104 Non compliant:$USER doesn't satisfy any of 4 non-expiry passwd exemption options" >> /tmp/sum_op
fi
done

echo "" >> $SUM_LOG
echo "ITCS104 Non compliant users for Non-Expiry Password Exemption" >> $SUM_LOG
echo "=======================================================" >> $SUM_LOG
cat /tmp/sum_op |grep "ITCS104 Non compliant" >> $SUM_LOG
echo "" >> $SUM_LOG
echo "ITCS104 compliant users for Non-Expiry Password Exemption" >> $SUM_LOG
echo "=======================================================" >> $SUM_LOG
cat /tmp/sum_op |grep -v "ITCS104 Non compliant" >> $SUM_LOG
echo "" >> $SUM_LOG

echo "\n ################### [1]Passwd Non-Expiry ID Check completed ################### " >> $OP_LOG
echo "\n ################### [1]Summary of Passwd Non-Expiry ID Check completed ################### " >> $SUM_LOG

}


#2.ITCS104:Reusable Passwd attributes Check
reuse_passwd_attri_chk () {
echo "\n ################### [2]ITCS104:Reusable Passwd attributes Check started ################### " >> $OP_LOG
echo "\n ################### [2]ITCS104:Reusable Passwd attributes Check started ################### " >> $SUM_LOG
>/tmp/reuspass.out

echo "-----------------------------------------------" >> /tmp/reuspass.out

for usrname in `lsuser -a id ALL |awk '{print $1}'`
do
grep -p "^$usrname:" /etc/security/passwd|grep "lastupdate" > /dev/null 2>&1
if [ $? != 0 ]
then
echo "-----------------------------------------------" >> /tmp/reuspass.out
echo " $usrname " >> /tmp/reuspass.out
echo "Password not set for $usrname" >> /tmp/reuspass.out
echo "-----------------------------------------------" >> /tmp/reuspass.out
else
echo "-----------------------------------------------" >> /tmp/reuspass.out
echo " $usrname " >> /tmp/reuspass.out
echo "Password is set for $usrname" >> /tmp/reuspass.out
# Compare each password attribute with its ITCS104 expected value (attribute:expected)
for pair in minlen:8 minalpha:1 minother:1 maxage:13 minage:1 histsize:8
do
attr=${pair%%:*}
attr_def=${pair##*:}
# lsuser prints "user attr=value"; an unset attribute yields an empty value and is treated as 0
attr_val=`lsuser -a $attr $usrname | tr '=' ' ' |awk '{print $3}'`
if [ "${attr_val:-0}" -ne "$attr_def" ]
then
echo "ITCS104 Not Compliant: $attr is not set properly for $usrname" >> /tmp/reuspass.out
else
echo "ITCS104 Compliant: $attr is set properly for $usrname" >> /tmp/reuspass.out
fi
done

echo "-----------------------------------------------" >> /tmp/reuspass.out
fi
done
cat /tmp/reuspass.out >> $OP_LOG


grep "Not Compliant" /tmp/reuspass.out > /dev/null
if [ $? = 0 ]
then
grep "Not Compliant" /tmp/reuspass.out >> /tmp/reuspass_sum.out
else
grep -v "Not Compliant" /tmp/reuspass.out >> /tmp/reuspass_sum.out
fi

echo "" >> $SUM_LOG
echo "Details of Non Compliant Reusable Passwd attributes with users" >> $SUM_LOG
echo "==============================================================" >> $SUM_LOG
cat /tmp/reuspass.out |grep "Not Compliant" >> $SUM_LOG
if [ $? != 0 ]
        then
        echo "No Non Compliant Reusable Passwd attributes set for users" >> $SUM_LOG
        fi
echo "" >> $SUM_LOG

echo "\n ################### [2]ITCS104:Reusable Passwd attributes Check completed ################### " >> $OP_LOG
echo "\n ################### [2]ITCS104:Reusable Passwd attributes Check completed ################### " >> $SUM_LOG
}


############
#Main
############
non_expiry_passwd_chk
reuse_passwd_attri_chk




echo "%%%%%%%%%%%%%% Script $0 completed: `date` %%%%%%%%%%%%%%" >> $OP_LOG
echo "" >> $SUM_LOG
echo "Refer $OP_LOG for more details" >> $SUM_LOG
echo "" >> $SUM_LOG
echo "%%%%%%%%%%%%%% Script $0 completed: `date` %%%%%%%%%%%%%%" >> $SUM_LOG

exit 0
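As an added example (not part of the script above), the attribute comparison from reuse_passwd_attri_chk restated as a function that reads captured lsuser output on stdin, so the rule set can be exercised offline and unit-tested. The expected values are the ones the script uses (minlen=8, minalpha=1, minother=1, maxage=13, minage=1, histsize=8); the sample lines are constructed.

```sh
#!/bin/sh
# Added example, not part of the original script. Reads lines in the form produced by
#   lsuser -a minlen minalpha minother maxage minage histsize ALL
# ("user minlen=8 minalpha=1 ...") on stdin and prints one verdict per user.
itcs_attr_check() {
    while read -r user attrs
    do
        bad=""
        for kv in $attrs
        do
            name=${kv%%=*}
            val=${kv#*=}
            case "$name" in
                minlen)   want=8 ;;
                minalpha) want=1 ;;
                minother) want=1 ;;
                maxage)   want=13 ;;
                minage)   want=1 ;;
                histsize) want=8 ;;
                *) continue ;;          # attributes outside the rule set are ignored
            esac
            # An unset attribute ("histsize=") is treated as 0, i.e. not compliant.
            if [ "${val:-0}" -ne "$want" ]
            then
                bad="$bad $name=${val:-unset}(expected $want)"
            fi
        done
        if [ -z "$bad" ]
        then
            printf '%s COMPLIANT\n' "$user"
        else
            printf '%s NOT COMPLIANT:%s\n' "$user" "$bad"
        fi
    done
}

# Constructed sample of lsuser output: one compliant user, one with a
# non-expiring password and an unset histsize, one with a short minlen.
SAMPLE='root minlen=8 minalpha=1 minother=1 maxage=13 minage=1 histsize=8
svcacct minlen=8 minalpha=1 minother=1 maxage=0 minage=1 histsize=
guest minlen=6 minalpha=1 minother=1 maxage=13 minage=1 histsize=8'

printf '%s\n' "$SAMPLE" | itcs_attr_check
```

On a live system the same function takes the real output (lsuser -a minlen minalpha minother maxage minage histsize ALL | itcs_attr_check), one lsuser call for all users instead of six per user as in the script above.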


Monday, 17 October 2016

Colour code implementation on servers.

Add echo '\033[41;97m' to the root user's /.profile file: this gives a red background with white foreground.

Scope of SSH key usage additional controls and restrictions

==================================================

A) Additional controls on the usage of SSH keys in our managed environments.
The directive has mandated that SSH key use be limited and controlled to meet all regulatory and compliance requirements.
This should also ensure approved and monitored access to shared and/or privileged user IDs.
Scan all systems.

==================================================
B) Review of existing SSH keys: removing keys which are deemed no longer necessary, labelling SSH keys (as per regulatory and compliance standards) that are required to be retained, and ensuring control restrictions are in place on all keys.

Priority:
1) Internet
2) Intranet

1. Review all in-scope SSH keys
Review all SSH keys (private/public) across all in-scope servers.
a) If SSH key(s) are no longer required, remove/delete these (follow any account specific change management processes if required)

b) If SSH key(s) are required to be retained, you are required to label these and provide additional control restrictions on the key (see steps below).
b.1) Identify ownership and label keys
Each public key must be assessed to determine ownership and labelled according to firm standards.
This label must be in the comment field of the public key, and it must be in gecos label format, starting and ending with the characters "!!".
Example: rest-of-key...9MOT2QZw== !!Owner name and id!!
b.2) RSA - a 1024-bit minimum key length is acceptable; however, transition to a 2048-bit minimum key length is recommended. Where the substantial extra computational burden of 2048 bits is significant or prohibitive, consider modulus sizes of 1280 or 1536.
Example: ssh-keygen -t rsa -b 1024 -f id_rsa

CASE A: Individual owned SSH keys
SSH keys owned by an individual must have their key pair re-generated with a passphrase.
Individually owned SSH keys must not exist without a passphrase.
(Passphrases must have a minimum of 5 words, each of minimum length 4 characters, and are exempt from the syntax rule for mixing alphabetic and non-alphabetic characters. All other password rules are applicable.)

NOTE: Before creating new keys, ensure you have determined all the endpoints where you will have to distribute the new public key and, where required, follow any account specific change management processes.

CASE B: Non-individual owned SSH keys
SSH keys which are functional/system/non-individual must have both the FROM and COMMAND options specified within the public key to restrict/define the access properties of the key pair.
1) Add the "from" option to the beginning of your public key entry in the authorized_keys file.
from="xxx.xxx.xxx.xxx" (where xxx.xxx.xxx.xxx is the IP address of the host you are allowing to access this server with the private key)
2) Also add the "command" option to the beginning of your public key entry in the authorized_keys file.
command="/path of command" (this forces any access with this key to run only the given command)
Example: from="10.10.1.10",command="/usr/bin/script" ssh-dss AZDAAAB3NzaC1kc3MAAACB/xIe.....9MOT2QZRWd== !!Owner name and id!!


CASE C: Customer owned SSH keys
SSH keys which are owned by the customer must be labelled accordingly as customer owned.
All customer owned IDs will be consolidated and communicated to each customer with a risk communication.
==================================================
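As an added example (not the page's own tooling), an audit function that applies the b.1 labelling rule and the CASE B from/command rule to authorized_keys entries read on stdin, one verdict per key. It inspects only the public-key side, so it cannot tell whether an individual's private key has a passphrase (CASE A); the "!!...!!" label format and the option names come from the text above, the option parsing (first space outside double quotes ends the option list) is this example's own, and the sample entries are constructed.

```sh
#!/bin/sh
# Added example, not from the original page: audit authorized_keys entries against the
# labelling (b.1) and from/command (CASE B) requirements described above.
# Reads authorized_keys lines on stdin; prints "<type> label=.. from=.. command=.. <verdict>".
audit_authorized_keys() {
    awk '
    # Skip blank lines and comment lines.
    /^[ \t]*$/ || /^[ \t]*#/ { next }
    {
        line = $0
        opts = ""
        rest = line
        # An entry starts either with the key type or with an options list. Options may
        # carry quoted strings containing spaces or commas, so scan to the first space
        # outside double quotes to find where the key type begins.
        if (line !~ /^(ssh-|ecdsa-|sk-)/) {
            inq = 0
            for (i = 1; i <= length(line); i++) {
                c = substr(line, i, 1)
                if (c == "\"")              inq = !inq
                else if (c == " " && !inq)  break
            }
            opts = substr(line, 1, i - 1)
            rest = substr(line, i + 1)
        }
        n = split(rest, f, " ")
        ktype = f[1]
        # Everything after the key material is the comment field.
        comment = ""
        for (j = 3; j <= n; j++) comment = comment (j > 3 ? " " : "") f[j]

        has_label = (comment ~ /^!!.+!!$/)            ? "yes" : "no"
        has_from  = (opts ~ /(^|,)from="[^"]+"/)      ? "yes" : "no"
        has_cmd   = (opts ~ /(^|,)command="[^"]+"/)   ? "yes" : "no"
        # CASE B: a functional key counts as restricted only with both options present.
        verdict = (has_from == "yes" && has_cmd == "yes") ? "restricted" : "unrestricted"
        printf "%s label=%s from=%s command=%s %s\n", ktype, has_label, has_from, has_cmd, verdict
    }'
}

# Constructed sample entries: a labelled individual key, a labelled and fully
# restricted functional key, and an unlabelled key with only a command option.
SAMPLE='ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed== !!Jane Doe jdoe!!
from="10.10.1.10",command="/usr/bin/script" ssh-dss AAAAB3NzaC1kc3MAAAAconstructed== !!Backup job svc_backup!!
command="/usr/bin/rsync --server" ssh-rsa AAAAconstructed== backup@host'

printf '%s\n' "$SAMPLE" | audit_authorized_keys
```

In review, every "label=no" line needs an owner assigned and the "!!...!!" comment added, and every functional key reporting "unrestricted" is missing the from or command option that CASE B requires; the tool does not decide which keys are individual and which are functional, that comes from the ownership review in step b.1.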