AIXV53AdminBPFiles
Added by Steve Pittman, last edited by Steve Pittman on May 29, 2008

Files for AIX V5.3 system administration best practices

The contents of this web page solely reflect the personal views of the authors and do not necessarily represent the views, positions, strategies or opinions of IBM or IBM management. Please use the Add Comment link at the bottom of the page to provide feedback. Note: Until you sign up and log in (using links in the upper right corner of this web page), you will not see the Add Comment link and you can not add a comment.

Click here to download a compressed tarball containing all the files on this page. Use the commands zcat bestprac[1].tar.Z | tar -tvf- to list contents of the tarball after it is downloaded.

An installbp shell script within the tarball can be used to install the files delivered in the tarball while also implementing the "Before manually editing any file in the / and /usr filesystems for the first time, save a copy of the file" best practice.

A tarball can be downloaded which contains the following file, which is referred to in (and can be used to implement) an AIX V5.3 System Administration best practice.

/usr/local/README (set ownership & permissions to root.system & rw-r--r--):

-------------------------------------------------------------------------------

Please note:  Some files in / and /usr may have been changed.  Changed files
can be identified using the following shell script:

   #!/bin/ksh
   # Find and examine all files in / and /usr with *.orig suffix
   if [ $# = 0 ]
   then
     find / -name "*.orig" -xdev -exec $0 {} \;
     find /usr -name "*.orig" -xdev -exec $0 {} \;
     exit
   else
     oldname=${1%.orig}
     cmd="diff $oldname $1"
     echo $cmd
     $cmd
   fi

-------------------------------------------------------------------------------

Please note:  The mkuser command on AIX invokes /usr/lib/security/mkuser.sys to
create a new userid.  When a new user is created with ksh as the login shell,
mkuser.sys installs a copy of /etc/security/.profile in the new user's home
directory.

The mkuser.sys command on this AIX system has been tailored so that when a new
user is created with ksh as the login shell, mkuser.sys instead installs a copy
of /etc/security/.profile.ksh as .profile in the new user's home directory,
along with a copy of /etc/security/.kshrc. Such tailoring is suggested as an
AIX V5.3 best practice (at http://www-941.haw.ibm.com/collaboration/wiki/display/WikiPtype/AIXV53AdminBestPractice#AIXV53AdminBestPractice-mkuser.sys).

The /usr/lib/security/mkuser.sys command is delivered by the bos.rte fileset.
Installation of AIX software maintenance which updates bos.rte may update
mkuser.sys, thereby removing the local tailoring to mkuser.sys.  And upgrading
AIX to a new version or release will remove .profile.ksh and .kshrc from
/etc/security.

After installing AIX maintenance it is, therefore, IMPORTANT to check
mkuser.sys to confirm that it has not been updated.

The easiest way to check is:

   diff /usr/lib/security/mkuser.sys /usr/local/chgdfiles/mkuser.sys

If the files do not match, then the new /usr/lib/security/mkuser.sys must be
updated with the changes shown by:

   diff /usr/local/chgdfiles/mkuser.sys.orig /usr/local/chgdfiles/mkuser.sys

Before editing the new mkuser.sys, check the AIX V5.3 best practice web page
cited above to see if a new version of mkuser.sys (suitable for your AIX
Technology Level and Service Pack) has already been made available.

When upgrading to a new AIX version or release, the changes to mkuser.sys will
not be preserved and .profile.ksh and .kshrc will be removed from /etc/security,
so repairs must be made.

-------------------------------------------------------------------------------
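The post-maintenance check that the README describes (compare the live mkuser.sys with the tailored copy and the stock copy kept under /usr/local/chgdfiles, then confirm that .profile.ksh and .kshrc still exist in /etc/security), written out as one POSIX sh function. This is an added example, not a file from the tarball; the argument order, the status words and the --live flag are this example's own.

```shell
#!/bin/sh
# Post-maintenance check for the local mkuser.sys tailoring described in
# /usr/local/README.  Added example, not part of the best-practice tarball.
#
# check_tailoring LIVE TAILORED ORIG SECDIR
#   LIVE      the installed /usr/lib/security/mkuser.sys
#   TAILORED  saved tailored copy   (/usr/local/chgdfiles/mkuser.sys)
#   ORIG      saved stock copy      (/usr/local/chgdfiles/mkuser.sys.orig)
#   SECDIR    directory expected to hold .profile.ksh and .kshrc
# Prints one status line per finding and returns 0 only when nothing needs
# repair.  Status words (this example's own):
#   OK        live file still carries the local tailoring
#   REVERTED  live file equals the stock copy: maintenance replaced it,
#             re-apply the local changes
#   CHANGED   live file matches neither copy: a new IBM version, check the
#             best-practice page before editing
#   MISSING   a file an AIX version/release upgrade removes is gone
check_tailoring() {
    live=$1 tailored=$2 orig=$3 secdir=$4
    if cmp -s "$live" "$tailored"; then
        status=OK
    elif cmp -s "$live" "$orig"; then
        status=REVERTED
    else
        status=CHANGED
    fi
    echo "$status $live"
    missing=0
    for f in .profile.ksh .kshrc; do
        if [ ! -f "$secdir/$f" ]; then
            echo "MISSING $secdir/$f"
            missing=1
        fi
    done
    if [ "$status" != OK ]; then
        # Show the local changes that must be carried into the new file,
        # exactly as the README says to obtain them.
        diff "$orig" "$tailored" || true
    fi
    [ "$status" = OK ] && [ "$missing" -eq 0 ]
}

# With --live, run against the README's real paths (needs an AIX host).
if [ "${1:-}" = "--live" ]; then
    check_tailoring /usr/lib/security/mkuser.sys \
                    /usr/local/chgdfiles/mkuser.sys \
                    /usr/local/chgdfiles/mkuser.sys.orig \
                    /etc/security
fi
```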


A tarball can be downloaded which contains the following file, which is referred to in (and can be used to implement) an AIX V5.3 System Administration best practice.

/etc/motd (set ownership & permissions to bin.bin & r--r--r--):

*******************************************************************************
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*  SYSTEM ADMINISTRATORS: Please see /usr/local/README for very important     *
*  information regarding AIX customization which must be considered when      *
*  planning to install AIX software maintenance.                              *
*                                                                             *
*******************************************************************************


A tarball can be downloaded which contains the following file, which is referred to in (and can be used to implement) an AIX V5.3 System Administration best practice.

/tmp/motd.orig (Not to be installed. To be used only to confirm that /etc/motd is as expected in the process of replacing it.):

*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************


The following file is referred to in (and can be used to implement) an AIX V5.3 System Administration best practice.

/.profile (set ownership & permissions to root.system & rwxr-----):

ENV=/.kshrc
export ENV

# Quote $TERM so the test is still well-formed when TERM is unset or empty
if [ "$TERM" = aixterm ]
# Display hostname & user name on X-window title bar
then print -n "\033]0;$(hostname -s):$USER\007"
fi

if [ "$TERM" = xterm ]
then
  # Set erase key so <-Backspace key (ASCII octal 177) works properly with PuTTY OpenSSH client
  stty erase $(print -n "\0177")
  # Display hostname & user name on PuTTY DOS window title bar
  print -n "\033]0;$(hostname -s):$USER\007"
fi

# Tell user's fortune if we can
if [ -x /usr/games/fortune ]
then echo ; echo ; echo ; /usr/games/fortune
fi

if [ -s "$MAIL" ]           # This is at Shell startup.  In normal
then echo "$MAILMSG"        # operation, the Shell checks
fi                          # periodically.


A tarball can be downloaded which contains the following file, which is referred to in (and can be used to implement) an AIX V5.3 System Administration best practice.

/.kshrc (set ownership & permissions to root.system & rwxr-----):

set -o vi
PS1=$(hostname -s):'$PWD # '


A tarball can be downloaded which contains the following file, which is referred to in (and can be used to implement) an AIX V5.3 System Administration best practice.

/usr/lib/security/mkuser.sys for Technology Levels below 7 (set ownership & permissions same as existing mkuser.sys.orig - root.security & rwxr-x---):

# @(#)18	1.9  src/bos/usr/lib/security/mkuser.sys.sh, cmdsuser, bos530 3/3/93 16:31:24
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# bos530 src/bos/usr/lib/security/mkuser.sys.sh 1.9
#
# Licensed Materials - Property of IBM
#
# (C) COPYRIGHT International Business Machines Corp. 1989,1993
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
#
#   COMPONENT_NAME: CMDSUSER
#
#   FUNCTIONS:
#
#   ORIGINS: 27
#
#
#   (C) COPYRIGHT International Business Machines Corp. 1989,1993
#   All Rights Reserved
#   Licensed Materials - Property of IBM
#   US Government Users Restricted Rights - Use, duplication or
#   disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#

#
# Check the number of arguments first
#
if [ $# -lt 4 ]
then
	exit 1
fi

#
# Create the named directory if it does not already exist
# and set the file ownership and permission
#
if [ ! -d $1 ]
then
	mkdir $1
	chgrp $3 $1
	chown $2 $1
fi

# Lines added by Steve Pittman (925-277-5080) of IBM on 9/5/2001 to handle Korn
# shell user as a special case.  Original mkuser.sys saved as mkuser.sys.orig.
if [ `basename $4` = "ksh" ] && [ ! -f $1/.profile ]
then
	cp -ip /etc/security/.profile.ksh $1/.profile
	if [ $? = 0 ]
	then
	  chmod u+rwx,go-w $1/.profile
	  chgrp $3 $1/.profile
	  chown $2 $1/.profile
	fi
	cp -ip /etc/security/.kshrc $1/.kshrc
	if [ $? = 0 ]
	then
	  chmod u+rwx,go-w $1/.kshrc
	  chgrp $3 $1/.kshrc
	  chown $2 $1/.kshrc
	fi
fi

#
# Copy the user's default .profile if it does not already
# exist and change the file ownership, etc.
#
if [ `basename $4` != "csh" ] && [ ! -f $1/.profile ]
then
	cp /etc/security/.profile $1/.profile
	chmod u+rwx,go-w $1/.profile
	chgrp $3 $1/.profile
	chown $2 $1/.profile

else
   if [ `basename $4` = "csh" ] && [ ! -f $1/.login ]
   then
	echo "#!/bin/csh" > "$1"/.login
	echo "set path = ( /usr/bin /etc /usr/sbin /usr/ucb \$HOME/bin /usr/bin/X11 /sbin . )" >> "$1"/.login
	echo "setenv MAIL \"/var/spool/mail/\$LOGNAME\"" >> "$1"/.login
	echo "setenv MAILMSG \"[YOU HAVE NEW MAIL]\"" >> "$1"/.login
	echo "if ( -f \"\$MAIL\" && ! -z \"\$MAIL\") then" >> "$1"/.login
        echo "	echo \"\$MAILMSG\"" >> "$1"/.login
	echo "endif" >> "$1"/.login
	chmod u+rwx,go-w $1/.login
	chgrp $3 $1/.login
	chown $2 $1/.login
   fi
fi


A tarball can be downloaded which contains the following file, which is referred to in (and can be used to implement) an AIX V5.3 System Administration best practice.

/tmp/mkuser.sys.orig for Technology Levels below 7 (Not to be installed. To be used only to confirm that /usr/lib/security/mkuser.sys is as expected in the process of replacing it.):

# @(#)18	1.9  src/bos/usr/lib/security/mkuser.sys.sh, cmdsuser, bos530 3/3/93 16:31:24
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# bos530 src/bos/usr/lib/security/mkuser.sys.sh 1.9
#
# Licensed Materials - Property of IBM
#
# (C) COPYRIGHT International Business Machines Corp. 1989,1993
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
#
#   COMPONENT_NAME: CMDSUSER
#
#   FUNCTIONS:
#
#   ORIGINS: 27
#
#
#   (C) COPYRIGHT International Business Machines Corp. 1989,1993
#   All Rights Reserved
#   Licensed Materials - Property of IBM
#   US Government Users Restricted Rights - Use, duplication or
#   disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#

#
# Check the number of arguments first
#
if [ $# -lt 4 ]
then
	exit 1
fi

#
# Create the named directory if it does not already exist
# and set the file ownership and permission
#
if [ ! -d $1 ]
then
	mkdir $1
	chgrp $3 $1
	chown $2 $1
fi

#
# Copy the user's default .profile if it does not already
# exist and change the file ownership, etc.
#
if [ `basename $4` != "csh" ] && [ ! -f $1/.profile ]
then
	cp /etc/security/.profile $1/.profile
	chmod u+rwx,go-w $1/.profile
	chgrp $3 $1/.profile
	chown $2 $1/.profile

else
   if [ `basename $4` = "csh" ] && [ ! -f $1/.login ]
   then
	echo "#!/bin/csh" > "$1"/.login
	echo "set path = ( /usr/bin /etc /usr/sbin /usr/ucb \$HOME/bin /usr/bin/X11 /sbin . )" >> "$1"/.login
	echo "setenv MAIL \"/var/spool/mail/\$LOGNAME\"" >> "$1"/.login
	echo "setenv MAILMSG \"[YOU HAVE NEW MAIL]\"" >> "$1"/.login
	echo "if ( -f \"\$MAIL\" && ! -z \"\$MAIL\") then" >> "$1"/.login
        echo "	echo \"\$MAILMSG\"" >> "$1"/.login
	echo "endif" >> "$1"/.login
	chmod u+rwx,go-w $1/.login
	chgrp $3 $1/.login
	chown $2 $1/.login
   fi
fi


A tarball can be downloaded which contains the following file, which is referred to in (and can be used to implement) an AIX V5.3 System Administration best practice.

/usr/lib/security/mkuser.sys for Technology Levels 7 or above (set ownership & permissions same as existing mkuser.sys.orig - root.security & rwxr-x---):

# @(#)18        1.9.1.1  src/bos/usr/lib/security/mkuser.sys.sh, cmdsuser, bos53L, l2007_25C0 6/20/07 16:36:47
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# bos53L src/bos/usr/lib/security/mkuser.sys.sh 1.9.1.1
#
# Licensed Materials - Property of IBM
#
# (C) COPYRIGHT International Business Machines Corp. 1989,1993
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
#
#   COMPONENT_NAME: CMDSUSER
#
#   FUNCTIONS:
#
#   ORIGINS: 27
#
#
#   (C) COPYRIGHT International Business Machines Corp. 1989,1993
#   All Rights Reserved
#   Licensed Materials - Property of IBM
#   US Government Users Restricted Rights - Use, duplication or
#   disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#

#
# Check the number of arguments first
#
if [ $# -ne 4 ]
then
        exit 1
fi

#
# Create the named directory if it does not already exist
# and set the file ownership and permission
#
if [ ! -d $1 ]
then
        mkdir $1
        chgrp $3 $1
        chown $2 $1
fi

# Lines added by Steve Pittman (925-277-5080) of IBM on 9/5/2001 to handle Korn
# shell user as a special case.  Original mkuser.sys saved as mkuser.sys.orig.
if [ `basename $4` = "ksh" ] && [ ! -f $1/.profile ]
then
        cp -ip /etc/security/.profile.ksh $1/.profile
        if [ $? = 0 ]
        then
          chmod u+rwx,go-w $1/.profile
          chgrp $3 $1/.profile
          chown $2 $1/.profile
        fi
        cp -ip /etc/security/.kshrc $1/.kshrc
        if [ $? = 0 ]
        then
          chmod u+rwx,go-w $1/.kshrc
          chgrp $3 $1/.kshrc
          chown $2 $1/.kshrc
        fi
fi

#
# Copy the user's default .profile if it does not already
# exist and change the file ownership, etc.
#
if [ `basename $4` != "csh" ] && [ ! -f $1/.profile ]
then
        cp /etc/security/.profile $1/.profile
        chmod u+rwx,go-w $1/.profile
        chgrp $3 $1/.profile
        chown $2 $1/.profile

else
   if [ `basename $4` = "csh" ] && [ ! -f $1/.login ]
   then
        echo "#!/bin/csh" > "$1"/.login
        echo "set path = ( /usr/bin /etc /usr/sbin /usr/ucb \$HOME/bin /usr/bin/X11 /sbin . )" >> "$1"/.login
        echo "setenv MAIL \"/var/spool/mail/\$LOGNAME\"" >> "$1"/.login
        echo "setenv MAILMSG \"[YOU HAVE NEW MAIL]\"" >> "$1"/.login
        echo "if ( -f \"\$MAIL\" && ! -z \"\$MAIL\") then" >> "$1"/.login
        echo "  echo \"\$MAILMSG\"" >> "$1"/.login
        echo "endif" >> "$1"/.login
        chmod u+rwx,go-w $1/.login
        chgrp $3 $1/.login
        chown $2 $1/.login
   fi
fi


A tarball can be downloaded which contains the following file, which is referred to in (and can be used to implement) an AIX V5.3 System Administration best practice.

/tmp/mkuser.sys.orig for Technology Level 7 or above (Not to be installed. To be used only to confirm that /usr/lib/security/mkuser.sys is as expected in the process of replacing it.):

# @(#)18        1.9.1.1  src/bos/usr/lib/security/mkuser.sys.sh, cmdsuser, bos53L, l2007_25C0 6/20/07 16:36:47
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# bos53L src/bos/usr/lib/security/mkuser.sys.sh 1.9.1.1
#
# Licensed Materials - Property of IBM
#
# (C) COPYRIGHT International Business Machines Corp. 1989,1993
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
#
#   COMPONENT_NAME: CMDSUSER
#
#   FUNCTIONS:
#
#   ORIGINS: 27
#
#
#   (C) COPYRIGHT International Business Machines Corp. 1989,1993
#   All Rights Reserved
#   Licensed Materials - Property of IBM
#   US Government Users Restricted Rights - Use, duplication or
#   disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#

#
# Check the number of arguments first
#
if [ $# -ne 4 ]
then
        exit 1
fi

#
# Create the named directory if it does not already exist
# and set the file ownership and permission
#
if [ ! -d $1 ]
then
        mkdir $1
        chgrp $3 $1
        chown $2 $1
fi

#
# Copy the user's default .profile if it does not already
# exist and change the file ownership, etc.
#
if [ `basename $4` != "csh" ] && [ ! -f $1/.profile ]
then
        cp /etc/security/.profile $1/.profile
        chmod u+rwx,go-w $1/.profile
        chgrp $3 $1/.profile
        chown $2 $1/.profile

else
   if [ `basename $4` = "csh" ] && [ ! -f $1/.login ]
   then
        echo "#!/bin/csh" > "$1"/.login
        echo "set path = ( /usr/bin /etc /usr/sbin /usr/ucb \$HOME/bin /usr/bin/X11 /sbin . )" >> "$1"/.login
        echo "setenv MAIL \"/var/spool/mail/\$LOGNAME\"" >> "$1"/.login
        echo "setenv MAILMSG \"[YOU HAVE NEW MAIL]\"" >> "$1"/.login
        echo "if ( -f \"\$MAIL\" && ! -z \"\$MAIL\") then" >> "$1"/.login
        echo "  echo \"\$MAILMSG\"" >> "$1"/.login
        echo "endif" >> "$1"/.login
        chmod u+rwx,go-w $1/.login
        chgrp $3 $1/.login
        chown $2 $1/.login
   fi
fi


A tarball can be downloaded which contains the following file, which is referred to in (and can be used to implement) an AIX V5.3 System Administration best practice.

/etc/security/.profile.ksh (set ownership & permissions same as /etc/security/.profile - root.security & rw-rw----):

ENV=$HOME/.kshrc
export ENV

# Quote $TERM so the test is still well-formed when TERM is unset or empty
if [ "$TERM" = aixterm ]
# Display hostname & user name on X-window title bar
then print -n "\033]0;$(hostname -s):$USER\007"
fi

if [ "$TERM" = xterm ]
then
  # Set erase key so <-Backspace key (ASCII octal 177) works properly with PuTTY OpenSSH client
  stty erase $(print -n "\0177")
  # Display hostname & user name on PuTTY DOS window title bar
  print -n "\033]0;$(hostname -s):$USER\007"
fi

# Tell user's fortune if we can
if [ -x /usr/games/fortune ]
then echo ; echo ; echo ; /usr/games/fortune
fi

if [ -s "$MAIL" ]           # This is at Shell startup.  In normal
then echo "$MAILMSG"        # operation, the Shell checks
fi                          # periodically.


A tarball can be downloaded which contains the following file, which is referred to in (and can be used to implement) an AIX V5.3 System Administration best practice.

/etc/security/.kshrc (set ownership & permissions same as /etc/security/.profile - root.security & rw-rw----):

PATH=${PATH}:$HOME/bin:.
# If /usr/local/bin is not added to the path in /etc/environment, add it here
#PATH=${PATH}:$HOME/bin:.:/usr/local/bin
PS1=$(hostname -s):'$PWD $ '
set -o vi


A tarball can be downloaded which contains the following file, which is referred to in (and can be used to implement) an AIX V5.3 System Administration best practice.

/usr/local/bin/ptree (set ownership & permissions to bin.bin & r-xr-xr-x):

#!/bin/ksh
#
# This shell script lists all children of a specified process
#
# Author: Steve Pittman - IBM - 2/12/1996
#
# Get name of this script and specified parent process
scrname=${0##*/}
if [ $# != 1 ]
then
  echo "Usage: $scrname <parent>"
  exit 1
fi
parent=$1

# If proctree executable is available, just use it
if [ -x /usr/bin/proctree ]
then
  /usr/bin/proctree $parent
  exit
fi

# Allow ps command to display up to 1024 characters per line
export COLUMNS=1024

# Define function to add a process' pid and all its descendents' pids to plist
children()
{
        parent=$1
        plist=$plist,$parent
        /bin/ps -eF pid=,ppid= | /bin/awk -v parent=$parent '{if ($2 == parent) print $1}' | while read child
        do
          children $child
        done
}
plist=""
children $parent        # Build plist
ps -fp ${plist#,}       # Display processes after dumping leading comma from plist


A tarball can be downloaded which contains the following file, which is referred to in (and can be used to implement) an AIX V5.3 System Administration best practice.

/usr/local/bin/stopcmd (set ownership & permissions to bin.bin & r-xr-xr-x):

#!/bin/ksh
#
# This shell script stops the process that is running the specified command.
#
# Author: Steve Pittman - IBM - 10/19/2001
#
# Get name of this script and specified command to kill
scrname=${0##*/}
if [ $# != 1 ]
then
  echo "Usage: $scrname <command>"
  exit 1
fi
command=$1

# Get our username and set flag for ps command appropriately
username=$(whoami)
if [ "$username" != root ]
then uflag="-u $username"
else uflag="-e"
fi

# Find ID of the process that is running the specified command.
# The while loop is the last stage of the pipeline, so under ksh it runs in
# the current shell and $processid is still set after the loop ends.
/bin/ps $uflag -F pid=,comm= | /bin/awk -v command=$command '{if ($2 == command) print $1}' | while read pid
do
  if [ -n "$processid" ]
  then
    # Refuse to guess when more than one process is running the command
    print -u2 "$scrname: Process $processid and $pid are both running $command!"
    exit 2
  else
    processid=$pid
  fi
done
if [ -n "$processid" ]
then
  echo kill $processid
  kill $processid
else
  print -u2 "$scrname: No process found running command $command!"
  exit 3
fi

Hi.

I am a certified AIX pSeries specialist. This material looks very good. Actually I need to check it out and implement it on a few installations.

I'll let you know about my progress.

Regards,

Alex

Posted by Alexander Zaretsky at Jan 07, 2008 19:28