AIX Security Basics

Patch the System in a Timely Manner

Chapter 2 | AIX eCourse

Timely patching is critical for maintaining the availability, confidentiality, and integrity of your systems. New patches can be released frequently, sometimes even daily, so it can be very difficult for even experienced administrators to keep up with all the new available patches across every package. When a new weakness in an operating system or application is discovered, patches are usually made available by the vendor to resolve those problems.

You can determine your AIX system’s current software revision by running:

# oslevel -s 

The following example breaks down what the individual numbers mean:

With this information, you can find the appropriate patches that apply to your system through your vendor.

You can confirm which patches have already been installed by running:

# /usr/sbin/instfix -i | more:

If you fail to install the most recent security patches and updates, unauthorized users, either internal or external, can compromise your environment using the weaknesses present in that unpatched system software.

It is worth noting that sometimes a vendor declines to fix an issue for a variety of reasons. It might be part of a core piece of a product that cannot be changed without losing the value of that product or it might be that the vendor is going to release a fix only for the latest version, requiring you to upgrade to obtain that file. In that case, you will have to evaluate the risk versus reward. Is the risk of running older, unpatched software greater than the risk of upgrading to newer, fully patched and supported software? You will have to weigh this into your calculations and identify the better option. 

Before updating to new technology levels or service packs, it is highly recommended to have at least one backup method available to you in case you need to restore a system because something unexpected happened while you were patching. Recommended backup methods can include:

  • mksysb / mksysb restore - Enables you to restore your root volume group disks
  • sysback/ sysback restore – Permits you to backup different levels of your environment, 
    from specific directories or files to the full, comprehensive system
  • rootvg clones – Allows you to store a cloned version of the root volume group 
    in an alternate location
  • multibos– Creates multiple instances of AIX on one root volume group, allowing you 
    to have a standby backup operating system

For more  information on each of these different backup methods, as well as a list of the different patches available to you, check the IBM Knowledge Center site.

Make sure your system is secure between patches.

Powertech Antivirus detects and removes viruses, worms, ransomware, and more so you can sleep without fear of unwelcome system visitors. Powertech Antivirus offers the most comprehensive sets of virus signatures available on any platform.