Startup Scripts and Profiles

Startup Scripts

1. In /etc/rc.local
   set some protective network options:

   			# set network options to improve performance and security
   			# protection against SYN flood attacks
   			/usr/sbin/no -o clean_partial_conns=1
   			# protection against ICMP redirects
   			/usr/sbin/no -o ipignoreredirects=1
   			# protection against illegal access via source routing
   			/usr/sbin/no -o ipsendredirects=0
   			/usr/sbin/no -o ipsrcroutesend=0
   			/usr/sbin/no -o ipsrcrouteforward=0
   			/usr/sbin/no -o ip6srcrouteforward=0
   			/usr/sbin/no -o tcp_pmtu_discover=0
   			/usr/sbin/no -o udp_pmtu_discover=0
   

2. In /etc/rc.local enable ssh related startups (check/verify also prngd, ssh)

      startsrc -s prngd # not necessary for AIX >= 5.2 or if installed via Toolbox
      startsrc -s sshd  # not necessary for AIX >= 5.2 or if installed via Toolbox
   

3. In /etc/inittab the line for local services must be present:

     diagd:2:once:/usr/lpp/diagnostics/bin/diagd >/dev/console 2>&1
     rclocal:2:once:/etc/rc.local # starting local services
     dt:2:wait:/etc/rc.dt
   

   Note that /etc/rc.local must have execute permissions:

      chmod g+x /etc/rc.local
      chmod u+x /etc/rc.local
   

4. If "unsecure" services like rsh, ftp, et al, must be enabled, use at least monitoring tcp_wrappers, in /etc/inetd.conf:

   ftp     stream  tcp6    nowait  root    /opt/bin/tcpd       ftpd -l -u077
   shell   stream  tcp6    nowait  root    /opt/bin/tcpd       rshd
   telnet  stream  tcp6    nowait  root    /opt/bin/tcpd       telnetd       # AIX 3.2
   telnet  stream  tcp6    nowait  root    /opt/bin/tcpd       telnetd -a    # AIX > 3.2, better performance
   login   stream  tcp6    nowait  root    /opt/bin/tcpd       rlogind
   

   Where /opt/bin/tcpd is the actual TCP wrapper, installed as extra freeware.
   For AIX >= 5.3, TCP wrapper comes as netsec fileset and the daemon resides in /usr/sbin/tcpd. In this case, do not forget to configure the /etc/hosts.* files.
   Use

   refresh -s inetd
   

   to activate changes made in /etc/inetd.conf.
   With wrappers active, root access may be allowed via /.rhosts, the general format is

   <machine>.<domain> root
   <machine>          root
   

   This list should be restricted to an absolute minimum, for admin purposes only.

Profiles

• /opt/bin/.kshrc for ksh customization (cursor key definitions et al.). I have moved it into the OS script collection.
• /etc/profile will be executed during ksh login and should contain

  if [ -x /opt/bin/.profile ]
  then
    . /opt/bin/.profile
  fi
  

  to allow for local definitions at login time.
• /opt/bin/.profile contains local machine specific definitions, e.g. PATH, LIBPATH, MANPATH, ENV, which are set for all ksh users at login time. I have moved it into the OS script collection.
• for AIX versions >=4, which run CDE:
  /etc/dt/config/sys.dtprofile is derived from /usr/dt/config/sys.dtprofile and should contain

  DTSOURCEPROFILE=true
  

  so that .profile's can be executed during CDE login.
• Although the terminal definition file /etc/termcap is somewhat obsolete for AIX versions >4, some apps might still use it. Add the dt terminal definition, e.g.:

  Id|dtterm|IBM dtterm Terminal:\
          :kD=\E[3~:kI=\E[2~:kN=\E[6~:kP=\E[5~:\
          :tc=hft:
  

• /etc/security/limits might still define somewhat obsolete upper limits. Modify for example

          fsize = 12582911
          data = 524288
  

  to allow 6GB files to be written and 512MB of heap in foreground.