EXAMPLE REPORT — real, unedited output (hostname sanitized) · AIX 7.3← all reports
AIXray
by PowerTrue Systems · AIX · IBM Power · VIOS · Linux
System Health Check

Posture snapshot — aixdemo01

Host: aixdemo01  ·  Generated: 2026-07-03  ·  Reference data: 2026-07-01  ·  READ-ONLY — nothing was changed
70%
Pass rate
61
Pass
17
Warn
9
Fail
A. Lifecycle & supportAMBER 3 pass · 1 warn · 0 fail
CheckStatusSevObservedWhat it means & how to fix
AIX release supportPASSlow7300-04-00-2546 — no announced end of supportThis AIX release is in active support and still receives security fixes.
Fix: n/a
Technology Level currencyPASSlow7300-04 (latest: 7300-04)This Technology Level is current for its release.
Fix: n/a
System firmware levelPASSlow(VL950_168)Firmware carries its own security and stability fixes, separate from AIX.
Fix: compare this level against IBM FLRT for your machine type at your next maintenance window.
Hardware generationWARNmed9009-22A (POWER9) — hardware support ended 2026-01-31 (fully-virtual LPAR)This hardware generation is past IBM support, but this LPAR has no physical I/O adapters — the hardware is the host provider's to maintain (PowerVS or your VIOS estate). Confirm whose problem this is.
Fix: confirm who owns the hardware (IBM on PowerVS; your team on-prem) — no action is possible inside this LPAR.
B. Patch & vulnerability currencyGREEN 8 pass · 0 warn · 0 fail
CheckStatusSevObservedWhat it means & how to fix
Installed build agePASSlowbuilt week 2546 (~7 months ago)The installed build is reasonably current.
Fix: n/a
Fileset consistencyPASSlow698 filesets, 0 brokenAll installed filesets are in a consistent state.
Fix: n/a
Interim fixes (ifixes)PASSlownone installedNo interim fixes — updates will not be blocked by leftover efixes.
Fix: n/a
Tracked security APARsPASSlownone tracked for 7300-04 (data vintage 2026-07-01)No bundled security APARs apply to this exact level — this does not mean no exposure exists.
Fix: review IBM PSIRT bulletins for this level; new checks ship with each aixray update.
OpenSSH / OpenSSL levelsPASSlowopenssh 9.9.3015.2000, openssl 3.0.16.1000The OpenSSL 3.x line is current for AIX; keep both current via security bulletins.
Fix: n/a
IBM SDK Java lifecyclePASSlowJava 8 installed (Java8_64.jre 8.0.0.851, Java8_64.sdk 8.0.0.851)Java 8 is the last IBM SDK on AIX — track its service window (standard support ended 2025-04-30; extended runs to 2030-12-31 with an AIX SWMA contract).
Fix: n/a
FLRT APAR exposure scanPASSlowno FLRT data suppliedNo FLRT data supplied — download apar.csv from IBM FLRT and re-run with --apar-csv for the full exposure scan. The embedded security-APAR seed still runs above.
Fix: download apar.csv from IBM FLRTVC and re-run: aixray-aix.sh --apar-csv apar.csv.
Reference data freshnessPASSlowreference data 2 day(s) oldreference data 2 day(s) old — EOS dates, APARs and firmware levels reflect IBM data as of 2026-07-01.
Fix: n/a
C. Storage & capacityRED 16 pass · 0 warn · 1 fail
CheckStatusSevObservedWhat it means & how to fix
Filesystem /PASSlow56% usedHealthy free space.
Fix: n/a
Filesystem /varPASSlow37% usedHealthy free space.
Fix: n/a
Filesystem /tmpPASSlow1% usedHealthy free space.
Fix: n/a
Other filesystemsFAILmed/opt 94%; repo (informational): /usr/sys/inst.images 100%One or more non-system filesystems are critically full.
Fix: free space or extend them; add monitoring.
Inode usage (JFS2)PASSlowno filesystem above 90% inodesJFS2 inode usage has headroom on every filesystem.
Fix: n/a
Paging spacePASSlow1 space(s), 2% usedMemory pressure is low.
Fix: n/a
LV mirror syncPASSlowno stale partitionsAll logical volume copies are in sync.
Fix: n/a
Volume group disksPASSlowall PVs activeEvery volume group disk is present and active.
Fix: n/a
Volume group free spacePASSlowworst: rootvg 10% freeEvery online volume group has room to extend a filesystem.
Fix: n/a
MPIO path healthPASSlow8 paths / 1 disks, all enabledFull path redundancy.
Fix: n/a
Fibre Channel adapter errorsPASSlowfcs0: counters not reported (virtual FC); fcs1: counters not reported (virtual FC); fcs2: counters not reported (virtual FC); fcs3: counters not reported (virtual FC)Virtual FC adapters do not expose error counters inside the LPAR — check path health on the VIOS side.
Fix: n/a
Volume group geometryPASSlowrootvg 32MB PP, 639 PP/diskPhysical-partition geometry is sane on every online VG — the PP size fits the VG size, so the allocation map is neither bloated (tiny PP) nor wasteful (huge PP).
Fix: n/a
LV mirror placementPASSlowno mirrored LVsNo logical volume is mirrored in-LPAR — single-copy LVs here rely on the SAN/VIOS for redundancy (in-LPAR mirroring is separate and not configured).
Fix: n/a
Filesystem vs LV sizingPASSlowno filesystem lags its LV by 512MB+Every JFS2 filesystem is grown into the logical volume it sits on — no allocated-but-unusable slack between the LV and the filesystem.
Fix: n/a
Legacy JFS filesystemsPASSlowall filesystems are JFS2No legacy JFS filesystems — everything is JFS2, the current AIX filesystem.
Fix: n/a
Mount optionsPASSlow/tmp separate; 9 jfs2 mount(s), all logged; 9 using default atimeMount hygiene is sound: /tmp is its own filesystem and every JFS2 mount has a log. Performance options (noatime for read-heavy mounts, cio/dio for databases, rbrw) are workload-specific and left to the app owner — atime-on is the AIX default and fine unless a mount is known read-heavy.
Fix: n/a
Paging space layoutPASSlow1 paging space(s), no single-disk contention Total paging 512MB vs 2048MB RAM.Paging-space placement is fine — no two paging spaces share a disk, and there is no cross-VG contention to relieve. (Utilisation is checked separately under Paging space.)
Fix: n/a
D. Performance & sizingAMBER 8 pass · 2 warn · 0 fail
CheckStatusSevObservedWhat it means & how to fix
LPAR CPU entitlementPASSlowshared Uncapped, ent 0.25, physc 0.01 (4.6% entc), 1 VP SMT-8, idle 99.5%Shared-pool CPU entitlement looks reasonable for this sample: consuming 4.6% of the 0.25-core guarantee, uncapped so it can burst. A small entitlement plus uncapped is efficient design. Snapshot, not a trend.
Fix: n/a
Memory compositionWARNmedcomputational 94%, file/numperm 5.4%, 48MB avail (2%), 1820MB pinned of 2048MBNearly all memory is computational (working) pages, not file cache (numperm 5.4%) — this is genuine in-use memory the VMM cannot reclaim, so the tight look is real, not just cache. Only 48MB is available. Whether it is actually hurting depends on the paging-activity check; composition alone says there is little slack.
Fix: if the working set grows, add RAM or trim the top consumers ('svmon -P -O unit=MB | head'); reclaimable file cache is already at its floor, so there is nothing to give back.
VMM cache tuningPASSlowminperm 3% / maxperm 90% / maxclient 90% (AIX defaults); numperm 5.4%VMM cache tuning is at AIX defaults and the file cache is not pinned at its ceiling.
Fix: n/a
JFS2 filesystem-buffer blockingWARNmedblocked since boot: jfs2 fsbuf 1656, external-pager 518, client 0Filesystem I/O has been blocked waiting for JFS2 filesystem buffers (fsbuf) 2174 time(s) since boot — the buffer pool ran dry under I/O load and requests had to wait, adding latency that CPU/memory graphs never reveal. The count is cumulative since boot.
Fix: re-read 'vmstat -v' after a busy period: if the number is still climbing, raise JFS2 buffers with 'ioo -p -o j2_dynamicBufferPreallocation=<n>' (default 16, in 16KB units) and/or 'ioo -p -o numfsbufs=<n>'; a static non-zero count from a past burst is usually benign.
LVM/paging buffer blockingPASSlow0 pbuf and 0 psbuf blocksNo LVM pbuf or paging psbuf starvation since boot — buffer pools have kept up with disk and paging I/O.
Fix: n/a
I/O pacing (maxpout/minpout)PASSlowmaxpout=8193, minpout=4096 (paced)System-wide I/O pacing is configured, so a runaway writer cannot monopolize a disk and starve interactive I/O.
Fix: n/a
CPU headroom (snapshot)PASSlowidle 99%, physc 0.01, run queue r=1 vs 8 logical CPUsCPU has headroom in this sample: idle 99% with a short run queue for 8 logical CPUs (point-in-time snapshot, not a trend).
Fix: n/a
Paging activity (snapshot)PASSlowpi=0, po=0 in this sampleNo active paging in this sample — memory demand is being met from RAM (this is the activity read; paging-space capacity is checked separately under storage).
Fix: n/a
Adapter healthPASSlowen0 20000Mb(virt) 0err; en1 20000Mb(virt) 0errAll ethernet interfaces are up with zero transmit/receive/CRC/buffer errors (counters cumulative since boot).
Fix: n/a
Process limits (maxuproc)PASSlowbusiest user 'root' 40 procs vs maxuproc 128 (31%)Per-user process headroom is fine — the busiest user is well under the maxuproc fork ceiling.
Fix: n/a
E. Errors & eventsAMBER 7 pass · 2 warn · 0 fail
CheckStatusSevObservedWhat it means & how to fix
Error log (7 days)WARNmed2 error entries (11 informational ignored)Errors are the box telling you something — read them before they escalate.
Fix: review 'errpt -a' for these entries; fix or explain each recurring one.
Permanent hardware errors (30 days)PASShighnoneNo permanent hardware errors logged.
Fix: n/a
System dump devicePASSlowprimary: /dev/lg_dumplvA panic here can be diagnosed.
Fix: n/a
Recent crash evidencePASSlownone in 30 daysNo recent crash dumps found.
Fix: n/a
Error-logging daemonPASSlowerrdemon running; errlog 1048576 bytes, duplicate-removal trueThe error-logging daemon is up and the errlog is at or above the 1 MB default, so errors are captured with a reasonable history window. (The errlog is a fixed-size circular file — once full it overwrites the oldest entries, it never stops logging.)
Fix: n/a
Decoded error labelsPASSlow3 non-informational error(s); most frequent: ERRLOG_ON x1; none match a known-critical labelThere are non-informational errors, but none decode to a known-critical hardware or LVM label — most are software or operator events. (Counts and triage are under 'Error log' above; this check is the label decode.)
Fix: n/a
Pre-failure signaturesPASShighnone in 7 daysNone of the classic pre-failure patterns a veteran hunts for — disk/adapter errors, SAN/SCSI path faults, EPOW power or thermal events, memory ECC errors, LVM disk loss, or dump-device faults — appear in the error log for the last 7 days.
Fix: n/a
Error notification methodsWARNlowdefault errnotify only (diagela call-home present, no site paging)The default diagela stanzas forward hardware errors to the diagnostics / Service Focal Point path (call-home, if enabled on the HMC/service processor), but no stanza runs a site alert script — nothing pages or mails your on-call on a critical or disk error.
Fix: add an errnotify ODM stanza (odmadd) whose en_method pages/mails on class=H PERM and disk labels (e.g. SC_DISK_ERR*, LVM_SA_QUORCLOSE).
System dump historyPASSlowno system dump ever recordedThe dump device has never captured a dump — expected on a box that has not panicked. It does mean the dump path is configured but unproven; only a real dump proves it works. (Whether a device is configured at all is checked separately under 'System dump device'.)
Fix: n/a
F. Availability & resilienceRED 2 pass · 2 warn · 1 fail
CheckStatusSevObservedWhat it means & how to fix
OS backup (mksysb) evidenceFAILhigh/image.data older than 90 daysNo recent OS backup evidence on this box — a rootvg loss means rebuild-from-scratch. (Local evidence only; confirm where mksysb lands and when it last ran.)
Fix: run a mksysb now; schedule it; verify the target is itself backed up.
rootvg redundancyWARNhigh1 disk, unmirroredThe OS lives on one disk — a single point of failure unless the backing storage is RAID/SAN-protected. Verify which.
Fix: mirror rootvg (mirrorvg + bosboot + bootlist) or document the storage-level protection.
Dump device sizingPASSlowdevice 4096 MB covers estimated dump 1241 MBThe primary dump device (lg_dumplv, 4096 MB) is comfortably larger than the estimated dump for this LPAR (1241 MB), so a panic can capture a complete image. Re-check 'sysdumpdev -e' after any memory increase — the estimate tracks RAM.
Fix: n/a
Dump copy directoryWARNmedcopy dir /var/adm/ras has 102 MB free, estimated dump 1241 MBThe dump device can capture the dump, but the copy directory (/var/adm/ras, 102 MB free) is too small to hold a dump of the estimated size (1241 MB). On reboot the copy off the device fails, so the image is lost before anyone can analyze it — the same forensic loss as an undersized device, one step later.
Fix: free space in /var/adm/ras or point the copy directory at a filesystem with room for the dump ('sysdumpdev -D <dir>'), sized to 'sysdumpdev -e'.
Boot image currencyPASSlowbooted Jul 02, after kernel bos.mp64 install 11/21/25The system last booted AFTER the running kernel (bos.mp64) was installed, so the running kernel matches what is on disk and no kernel-update reboot is outstanding. (AIXray is read-only: it cannot inspect the hd5 boot image directly, so this compares the kernel install date to the last boot as a proxy for boot-image currency.)
Fix: n/a
G. Security & hardeningRED 12 pass · 5 warn · 6 fail
CheckStatusSevObservedWhat it means & how to fix
SSH ciphersPASShighaes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.comsshd offers only strong ciphers.
Fix: n/a
SSH root loginFAILhighpermitrootlogin yesDirect SSH root login is open — a single brute-forceable credential with no accountability.
Fix: set 'PermitRootLogin no' (or prohibit-password) in sshd_config and restart sshd.
Default password policyWARNhighweak: loginretries=0The default password rules are weaker than any standard requires — every new account inherits them.
Fix: tighten the /etc/security/user default stanza (maxage 1-13wk, minlen>=8, loginretries>0, histsize>0).
UID 0 accountsPASSmedroot onlyroot is the only UID 0 account.
Fix: n/a
Failed login attemptsPASSlowno log — 0 recorded/etc/security/failedlogin does not exist, which means no failed login has ever been recorded here.
Fix: n/a
Cleartext inetd servicesPASSmednone enabledNo cleartext remote-access services are enabled in inetd.
Fix: n/a
Trust files (.rhosts)PASSlownone presentNo .rhosts or hosts.equiv trust files present.
Fix: n/a
World-writable filesPASSlownone in /etc, /usr/local/binNo world-writable files in the scanned directories (scope bounded to /etc and /usr/local/bin).
Fix: n/a
SNMP community stringsFAILmeddefault community in useSNMP uses a default community string (public/private) — anyone on the network can read, or write, system data.
Fix: replace public/private with a strong community in /etc/snmpd.conf and refresh snmpd.
Audit subsystemWARNhighauditing offNo audit trail — you cannot answer 'who did what' after an incident.
Fix: configure and start audit ('audit start'; set it to start at boot).
Trusted ExecutionWARNlowTE=OFFTrusted Execution is off (informational) — no runtime binary-integrity enforcement.
Fix: consider enabling TE ('trustchk -p TE=ON') if your change control supports it.
Login bannerWARNlowno herald setNo legal login banner is set — auditors ask for one and it deters casual access.
Fix: set a herald in the /etc/security/login.cfg default stanza (chsec -a herald=...).
Account password agingPASSlowno non-system account with maxage=0 (1 locked)Every non-system account has password aging set.
Fix: n/a
Unexpected setuid/setgid filesPASSlownone in /home /tmp /var/tmp /usr/localNo setuid/setgid files outside the system paths.
Fix: n/a
Listening network socketsPASSlow10 listening socket(s)Each listening socket is attack surface — review anything you do not recognize.
Fix: n/a
root account controlsFAILhighrlogin=true + sugroups=ALL (root wide open)root can log in directly over the network (rlogin=true) AND any user may attempt su to root (sugroups=ALL) — the classic 'root wide open' pair. Either alone is a gap; together, root is one guessed password away from a network login with no accountability. This is the OS account gate in /etc/security/user, separate from sshd's PermitRootLogin.
Fix: restrict both: 'chsec -f /etc/security/user -s root -a rlogin=false' (admins log in as themselves and su/sudo to root) and '-a sugroups=<sysadmin-group>' so only a named group may su to root.
Stale privileged accountsPASSlow1 privileged account(s), none staleEvery privileged account has been used within 90 days (or is locked); no dormant standing-privilege accounts with non-expiring passwords.
Fix: n/a
Privilege delegation (sudo/RBAC)PASSlowsudo not installed; RBAC roles assigned to a group: 0sudo is not installed — privilege delegation here is native AIX su plus RBAC roles (0 role(s) assigned to a group). There is no sudoers file, so no NOPASSWD backdoor to audit; delegation is otherwise all-or-nothing su to root. Informational.
Fix: n/a
Network exposure vs filteringWARNmed10 external listener(s) on ports 22,25,111,199,657,1334,32768,32769 +1 more; host IP filtering INACTIVE10 services listen on non-loopback addresses (reachable from the network) and AIX host packet filtering (IP Security) is not active — the box relies entirely on the upstream network/firewall. One perimeter mistake, VLAN change, or misrouted subnet exposes every one of these ports directly.
Fix: reduce the surface first (stop services you do not need — see the listeners and cleartext-inetd checks), then, if the box must self-defend, define rules with 'genfilt'/'mkfilt' and activate host filtering with 'mkfilt -v4 -u'.
STIG file permissionsPASSmed11 of 11 rules compliant, 0 not applicableEvery applicable STIG file-permission/ownership rule (DISA STIG for IBM AIX 7.x) passes on this box — the mandated files are no more permissive than required.
Fix: n/a
STIG account policyFAILhigh5 of 12 rules compliant, 1 n/a; failing: V-215171 loginretries=0 (needs le 3), V-215220 mindiff=0 (needs ge 8), V-215223 maxage=13 (needs le 8), V-215224 histsize=4 (needs ge 5), V-215226 minlen=10 (needs ge 15), +2 moreOne or more account/password-policy attributes in /etc/security are weaker than the DISA STIG for IBM AIX 7.x mandates — each is a documented hardening gap an auditor will flag, and it applies to every account inheriting the default stanza.
Fix: tighten the failing attributes with chsec (chsec -f <file> -s default -a <attr>=<value>); the compliance report lists every rule, the required value, and the observed value.
STIG network tunablesFAILhigh3 of 4 rules compliant, 0 n/a; failing: V-215399 clean_partial_conns=0 (needs eq 1)One or more kernel network options are set to a value the DISA STIG for IBM AIX 7.x flags — e.g. IP forwarding on a non-router, or TCP half-open connection cleanup disabled. Each is a documented hardening gap an auditor will flag.
Fix: set the failing tunables with 'no -p -o <tunable>=<value>' (nfso for NFS options) so the change persists across reboot; the compliance report lists every rule, the required value, and the observed value.
STIG disabled servicesFAILhigh34 of 37 rules compliant, 0 n/a; failing: V-215353 sendmail, V-215354 snmpd, V-215365 snmpmibdOne or more legacy network services the DISA STIG for IBM AIX 7.x requires disabled are still enabled or running — each is an unneeded, often unauthenticated, network-facing daemon an auditor will flag.
Fix: comment the service out of /etc/inetd.conf and 'refresh -s inetd' (inetd services), or 'stopsrc -s <subsystem>' and disable it at boot (SRC subsystems); the compliance report lists every rule and its evidence.
H. Config hygieneRED 3 pass · 2 warn · 1 fail
CheckStatusSevObservedWhat it means & how to fix
Time synchronization (NTP)FAILmedxntpd inoperative, 0 server(s)No working time sync — clock drift breaks log correlation, Kerberos and TLS.
Fix: configure /etc/ntp.conf with a server and start xntpd ('startsrc -s xntpd'; enable at boot).
DNS resolverPASSlow1 nameserver(s)At least one DNS resolver is configured.
Fix: n/a
Default routePASSlowdefault route presentA default route is configured.
Fix: n/a
Kernel tunables (nextboot)WARNlow1 changed tunable line(s)Kernel tunables are changed from default for next boot — deliberate tuning or archaeology? document each.
Fix: review /etc/tunables/nextboot; record why each change exists, or revert to default.
Timezone (TZ)PASSlowTZ=CST6CDTThe system timezone is set explicitly.
Fix: n/a
Host self-resolutionWARNlowdoes not resolveTools and certs misbehave when the box can't resolve itself.
Fix: add this host to DNS or /etc/hosts.
I. Monitoring & operational readinessAMBER 2 pass · 3 warn · 0 fail
CheckStatusSevObservedWhat it means & how to fix
Monitoring agentWARNhighnone detectedNothing is watching this box — every finding in this report goes unnoticed until someone runs it again.
Fix: install and point a monitoring agent (Zabbix/NRPE/Datadog/njmon) at this LPAR.
Error notificationPASSlow26 errnotify stanzasCustom error-notification methods exist beyond the defaults — errors can page a human.
Fix: n/a
Remote syslogWARNlowno remote targetNo remote syslog target — logs die with the box, exactly when you need them.
Fix: add an '@loghost' line to /etc/syslog.conf and 'refresh -s syslogd'.
Performance historyPASSlowcollector runningA performance-history collector is running — sizing and incident forensics have data to work from.
Fix: n/a
Scheduled backup jobWARNmedno backup in crontabNo scheduled backup in root's crontab — where does the mksysb come from?
Fix: schedule mksysb/savevg in root's crontab, or confirm NIM/central backup owns it.
You don't have to run this yourself. This is what we do, on systems like yours, every day — and we watch them so the next finding never becomes an outage. Walk these results with an engineer (free, no obligation): powertruesystems.com.   New CVE checks ship regularly — get notified: powertruesystems.com/updates.