| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| AIX release support | PASS | low | 7300-04-00-2546 — no announced end of support | This AIX release is in active support and still receives security fixes. Fix: n/a |
| Technology Level currency | PASS | low | 7300-04 (latest: 7300-04) | This Technology Level is current for its release. Fix: n/a |
| System firmware level | PASS | low | (VL950_168) | Firmware carries its own security and stability fixes, separate from AIX. Fix: compare this level against IBM FLRT for your machine type at your next maintenance window. |
| Hardware generation | WARN | med | 9009-22A (POWER9) — hardware support ended 2026-01-31 (fully-virtual LPAR) | This hardware generation is past IBM support, but this LPAR has no physical I/O adapters — the hardware is the host provider's to maintain (PowerVS or your VIOS estate). Confirm whose problem this is. Fix: confirm who owns the hardware (IBM on PowerVS; your team on-prem) — no action is possible inside this LPAR. |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| Installed build age | PASS | low | built week 2546 (~7 months ago) | The installed build is reasonably current. Fix: n/a |
| Fileset consistency | PASS | low | 698 filesets, 0 broken | All installed filesets are in a consistent state. Fix: n/a |
| Interim fixes (ifixes) | PASS | low | none installed | No interim fixes — updates will not be blocked by leftover efixes. Fix: n/a |
| Tracked security APARs | PASS | low | none tracked for 7300-04 (data vintage 2026-07-01) | No bundled security APARs apply to this exact level — this does not mean no exposure exists. Fix: review IBM PSIRT bulletins for this level; new checks ship with each aixray update. |
| OpenSSH / OpenSSL levels | PASS | low | openssh 9.9.3015.2000, openssl 3.0.16.1000 | The OpenSSL 3.x line is current for AIX; keep both current via security bulletins. Fix: n/a |
| IBM SDK Java lifecycle | PASS | low | Java 8 installed (Java8_64.jre 8.0.0.851, Java8_64.sdk 8.0.0.851) | Java 8 is the last IBM SDK on AIX — track its service window (standard support ended 2025-04-30; extended runs to 2030-12-31 with an AIX SWMA contract). Fix: n/a |
| FLRT APAR exposure scan | PASS | low | no FLRT data supplied | No FLRT data supplied — download apar.csv from IBM FLRT and re-run with --apar-csv for the full exposure scan. The embedded security-APAR seed still runs above. Fix: download apar.csv from IBM FLRTVC and re-run: aixray-aix.sh --apar-csv apar.csv. |
| Reference data freshness | PASS | low | reference data 2 day(s) old | reference data 2 day(s) old — EOS dates, APARs and firmware levels reflect IBM data as of 2026-07-01. Fix: n/a |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| Filesystem / | PASS | low | 56% used | Healthy free space. Fix: n/a |
| Filesystem /var | PASS | low | 37% used | Healthy free space. Fix: n/a |
| Filesystem /tmp | PASS | low | 1% used | Healthy free space. Fix: n/a |
| Other filesystems | FAIL | med | /opt 94%; repo (informational): /usr/sys/inst.images 100% | One or more non-system filesystems are critically full. Fix: free space or extend them; add monitoring. |
| Inode usage (JFS2) | PASS | low | no filesystem above 90% inodes | JFS2 inode usage has headroom on every filesystem. Fix: n/a |
| Paging space | PASS | low | 1 space(s), 2% used | Memory pressure is low. Fix: n/a |
| LV mirror sync | PASS | low | no stale partitions | All logical volume copies are in sync. Fix: n/a |
| Volume group disks | PASS | low | all PVs active | Every volume group disk is present and active. Fix: n/a |
| Volume group free space | PASS | low | worst: rootvg 10% free | Every online volume group has room to extend a filesystem. Fix: n/a |
| MPIO path health | PASS | low | 8 paths / 1 disks, all enabled | Full path redundancy. Fix: n/a |
| Fibre Channel adapter errors | PASS | low | fcs0: counters not reported (virtual FC); fcs1: counters not reported (virtual FC); fcs2: counters not reported (virtual FC); fcs3: counters not reported (virtual FC) | Virtual FC adapters do not expose error counters inside the LPAR — check path health on the VIOS side. Fix: n/a |
| Volume group geometry | PASS | low | rootvg 32MB PP, 639 PP/disk | Physical-partition geometry is sane on every online VG — the PP size fits the VG size, so the allocation map is neither bloated (tiny PP) nor wasteful (huge PP). Fix: n/a |
| LV mirror placement | PASS | low | no mirrored LVs | No logical volume is mirrored in-LPAR — single-copy LVs here rely on the SAN/VIOS for redundancy (in-LPAR mirroring is separate and not configured). Fix: n/a |
| Filesystem vs LV sizing | PASS | low | no filesystem lags its LV by 512MB+ | Every JFS2 filesystem is grown into the logical volume it sits on — no allocated-but-unusable slack between the LV and the filesystem. Fix: n/a |
| Legacy JFS filesystems | PASS | low | all filesystems are JFS2 | No legacy JFS filesystems — everything is JFS2, the current AIX filesystem. Fix: n/a |
| Mount options | PASS | low | /tmp separate; 9 jfs2 mount(s), all logged; 9 using default atime | Mount hygiene is sound: /tmp is its own filesystem and every JFS2 mount has a log. Performance options (noatime for read-heavy mounts, cio/dio for databases, rbrw) are workload-specific and left to the app owner — atime-on is the AIX default and fine unless a mount is known read-heavy. Fix: n/a |
| Paging space layout | PASS | low | 1 paging space(s), no single-disk contention Total paging 512MB vs 2048MB RAM. | Paging-space placement is fine — no two paging spaces share a disk, and there is no cross-VG contention to relieve. (Utilisation is checked separately under Paging space.) Fix: n/a |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| LPAR CPU entitlement | PASS | low | shared Uncapped, ent 0.25, physc 0.01 (4.6% entc), 1 VP SMT-8, idle 99.5% | Shared-pool CPU entitlement looks reasonable for this sample: consuming 4.6% of the 0.25-core guarantee, uncapped so it can burst. A small entitlement plus uncapped is efficient design. Snapshot, not a trend. Fix: n/a |
| Memory composition | WARN | med | computational 94%, file/numperm 5.4%, 48MB avail (2%), 1820MB pinned of 2048MB | Nearly all memory is computational (working) pages, not file cache (numperm 5.4%) — this is genuine in-use memory the VMM cannot reclaim, so the tight look is real, not just cache. Only 48MB is available. Whether it is actually hurting depends on the paging-activity check; composition alone says there is little slack. Fix: if the working set grows, add RAM or trim the top consumers ('svmon -P -O unit=MB | head'); reclaimable file cache is already at its floor, so there is nothing to give back. |
| VMM cache tuning | PASS | low | minperm 3% / maxperm 90% / maxclient 90% (AIX defaults); numperm 5.4% | VMM cache tuning is at AIX defaults and the file cache is not pinned at its ceiling. Fix: n/a |
| JFS2 filesystem-buffer blocking | WARN | med | blocked since boot: jfs2 fsbuf 1656, external-pager 518, client 0 | Filesystem I/O has been blocked waiting for JFS2 filesystem buffers (fsbuf) 2174 time(s) since boot — the buffer pool ran dry under I/O load and requests had to wait, adding latency that CPU/memory graphs never reveal. The count is cumulative since boot. Fix: re-read 'vmstat -v' after a busy period: if the number is still climbing, raise JFS2 buffers with 'ioo -p -o j2_dynamicBufferPreallocation=<n>' (default 16, in 16KB units) and/or 'ioo -p -o numfsbufs=<n>'; a static non-zero count from a past burst is usually benign. |
| LVM/paging buffer blocking | PASS | low | 0 pbuf and 0 psbuf blocks | No LVM pbuf or paging psbuf starvation since boot — buffer pools have kept up with disk and paging I/O. Fix: n/a |
| I/O pacing (maxpout/minpout) | PASS | low | maxpout=8193, minpout=4096 (paced) | System-wide I/O pacing is configured, so a runaway writer cannot monopolize a disk and starve interactive I/O. Fix: n/a |
| CPU headroom (snapshot) | PASS | low | idle 99%, physc 0.01, run queue r=1 vs 8 logical CPUs | CPU has headroom in this sample: idle 99% with a short run queue for 8 logical CPUs (point-in-time snapshot, not a trend). Fix: n/a |
| Paging activity (snapshot) | PASS | low | pi=0, po=0 in this sample | No active paging in this sample — memory demand is being met from RAM (this is the activity read; paging-space capacity is checked separately under storage). Fix: n/a |
| Adapter health | PASS | low | en0 20000Mb(virt) 0err; en1 20000Mb(virt) 0err | All ethernet interfaces are up with zero transmit/receive/CRC/buffer errors (counters cumulative since boot). Fix: n/a |
| Process limits (maxuproc) | PASS | low | busiest user 'root' 40 procs vs maxuproc 128 (31%) | Per-user process headroom is fine — the busiest user is well under the maxuproc fork ceiling. Fix: n/a |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| Error log (7 days) | WARN | med | 2 error entries (11 informational ignored) | Errors are the box telling you something — read them before they escalate. Fix: review 'errpt -a' for these entries; fix or explain each recurring one. |
| Permanent hardware errors (30 days) | PASS | high | none | No permanent hardware errors logged. Fix: n/a |
| System dump device | PASS | low | primary: /dev/lg_dumplv | A panic here can be diagnosed. Fix: n/a |
| Recent crash evidence | PASS | low | none in 30 days | No recent crash dumps found. Fix: n/a |
| Error-logging daemon | PASS | low | errdemon running; errlog 1048576 bytes, duplicate-removal true | The error-logging daemon is up and the errlog is at or above the 1 MB default, so errors are captured with a reasonable history window. (The errlog is a fixed-size circular file — once full it overwrites the oldest entries, it never stops logging.) Fix: n/a |
| Decoded error labels | PASS | low | 3 non-informational error(s); most frequent: ERRLOG_ON x1; none match a known-critical label | There are non-informational errors, but none decode to a known-critical hardware or LVM label — most are software or operator events. (Counts and triage are under 'Error log' above; this check is the label decode.) Fix: n/a |
| Pre-failure signatures | PASS | high | none in 7 days | None of the classic pre-failure patterns a veteran hunts for — disk/adapter errors, SAN/SCSI path faults, EPOW power or thermal events, memory ECC errors, LVM disk loss, or dump-device faults — appear in the error log for the last 7 days. Fix: n/a |
| Error notification methods | WARN | low | default errnotify only (diagela call-home present, no site paging) | The default diagela stanzas forward hardware errors to the diagnostics / Service Focal Point path (call-home, if enabled on the HMC/service processor), but no stanza runs a site alert script — nothing pages or mails your on-call on a critical or disk error. Fix: add an errnotify ODM stanza (odmadd) whose en_method pages/mails on class=H PERM and disk labels (e.g. SC_DISK_ERR*, LVM_SA_QUORCLOSE). |
| System dump history | PASS | low | no system dump ever recorded | The dump device has never captured a dump — expected on a box that has not panicked. It does mean the dump path is configured but unproven; only a real dump proves it works. (Whether a device is configured at all is checked separately under 'System dump device'.) Fix: n/a |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| OS backup (mksysb) evidence | FAIL | high | /image.data older than 90 days | No recent OS backup evidence on this box — a rootvg loss means rebuild-from-scratch. (Local evidence only; confirm where mksysb lands and when it last ran.) Fix: run a mksysb now; schedule it; verify the target is itself backed up. |
| rootvg redundancy | WARN | high | 1 disk, unmirrored | The OS lives on one disk — a single point of failure unless the backing storage is RAID/SAN-protected. Verify which. Fix: mirror rootvg (mirrorvg + bosboot + bootlist) or document the storage-level protection. |
| Dump device sizing | PASS | low | device 4096 MB covers estimated dump 1241 MB | The primary dump device (lg_dumplv, 4096 MB) is comfortably larger than the estimated dump for this LPAR (1241 MB), so a panic can capture a complete image. Re-check 'sysdumpdev -e' after any memory increase — the estimate tracks RAM. Fix: n/a |
| Dump copy directory | WARN | med | copy dir /var/adm/ras has 102 MB free, estimated dump 1241 MB | The dump device can capture the dump, but the copy directory (/var/adm/ras, 102 MB free) is too small to hold a dump of the estimated size (1241 MB). On reboot the copy off the device fails, so the image is lost before anyone can analyze it — the same forensic loss as an undersized device, one step later. Fix: free space in /var/adm/ras or point the copy directory at a filesystem with room for the dump ('sysdumpdev -D <dir>'), sized to 'sysdumpdev -e'. |
| Boot image currency | PASS | low | booted Jul 02, after kernel bos.mp64 install 11/21/25 | The system last booted AFTER the running kernel (bos.mp64) was installed, so the running kernel matches what is on disk and no kernel-update reboot is outstanding. (AIXray is read-only: it cannot inspect the hd5 boot image directly, so this compares the kernel install date to the last boot as a proxy for boot-image currency.) Fix: n/a |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| SSH ciphers | PASS | high | aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com | sshd offers only strong ciphers. Fix: n/a |
| SSH root login | FAIL | high | permitrootlogin yes | Direct SSH root login is open — a single brute-forceable credential with no accountability. Fix: set 'PermitRootLogin no' (or prohibit-password) in sshd_config and restart sshd. |
| Default password policy | WARN | high | weak: loginretries=0 | The default password rules are weaker than any standard requires — every new account inherits them. Fix: tighten the /etc/security/user default stanza (maxage 1-13wk, minlen>=8, loginretries>0, histsize>0). |
| UID 0 accounts | PASS | med | root only | root is the only UID 0 account. Fix: n/a |
| Failed login attempts | PASS | low | no log — 0 recorded | /etc/security/failedlogin does not exist, which means no failed login has ever been recorded here. Fix: n/a |
| Cleartext inetd services | PASS | med | none enabled | No cleartext remote-access services are enabled in inetd. Fix: n/a |
| Trust files (.rhosts) | PASS | low | none present | No .rhosts or hosts.equiv trust files present. Fix: n/a |
| World-writable files | PASS | low | none in /etc, /usr/local/bin | No world-writable files in the scanned directories (scope bounded to /etc and /usr/local/bin). Fix: n/a |
| SNMP community strings | FAIL | med | default community in use | SNMP uses a default community string (public/private) — anyone on the network can read, or write, system data. Fix: replace public/private with a strong community in /etc/snmpd.conf and refresh snmpd. |
| Audit subsystem | WARN | high | auditing off | No audit trail — you cannot answer 'who did what' after an incident. Fix: configure and start audit ('audit start'; set it to start at boot). |
| Trusted Execution | WARN | low | TE=OFF | Trusted Execution is off (informational) — no runtime binary-integrity enforcement. Fix: consider enabling TE ('trustchk -p TE=ON') if your change control supports it. |
| Login banner | WARN | low | no herald set | No legal login banner is set — auditors ask for one and it deters casual access. Fix: set a herald in the /etc/security/login.cfg default stanza (chsec -a herald=...). |
| Account password aging | PASS | low | no non-system account with maxage=0 (1 locked) | Every non-system account has password aging set. Fix: n/a |
| Unexpected setuid/setgid files | PASS | low | none in /home /tmp /var/tmp /usr/local | No setuid/setgid files outside the system paths. Fix: n/a |
| Listening network sockets | PASS | low | 10 listening socket(s) | Each listening socket is attack surface — review anything you do not recognize. Fix: n/a |
| root account controls | FAIL | high | rlogin=true + sugroups=ALL (root wide open) | root can log in directly over the network (rlogin=true) AND any user may attempt su to root (sugroups=ALL) — the classic 'root wide open' pair. Either alone is a gap; together, root is one guessed password away from a network login with no accountability. This is the OS account gate in /etc/security/user, separate from sshd's PermitRootLogin. Fix: restrict both: 'chsec -f /etc/security/user -s root -a rlogin=false' (admins log in as themselves and su/sudo to root) and '-a sugroups=<sysadmin-group>' so only a named group may su to root. |
| Stale privileged accounts | PASS | low | 1 privileged account(s), none stale | Every privileged account has been used within 90 days (or is locked); no dormant standing-privilege accounts with non-expiring passwords. Fix: n/a |
| Privilege delegation (sudo/RBAC) | PASS | low | sudo not installed; RBAC roles assigned to a group: 0 | sudo is not installed — privilege delegation here is native AIX su plus RBAC roles (0 role(s) assigned to a group). There is no sudoers file, so no NOPASSWD backdoor to audit; delegation is otherwise all-or-nothing su to root. Informational. Fix: n/a |
| Network exposure vs filtering | WARN | med | 10 external listener(s) on ports 22,25,111,199,657,1334,32768,32769 +1 more; host IP filtering INACTIVE | 10 services listen on non-loopback addresses (reachable from the network) and AIX host packet filtering (IP Security) is not active — the box relies entirely on the upstream network/firewall. One perimeter mistake, VLAN change, or misrouted subnet exposes every one of these ports directly. Fix: reduce the surface first (stop services you do not need — see the listeners and cleartext-inetd checks), then, if the box must self-defend, define rules with 'genfilt'/'mkfilt' and activate host filtering with 'mkfilt -v4 -u'. |
| STIG file permissions | PASS | med | 11 of 11 rules compliant, 0 not applicable | Every applicable STIG file-permission/ownership rule (DISA STIG for IBM AIX 7.x) passes on this box — the mandated files are no more permissive than required. Fix: n/a |
| STIG account policy | FAIL | high | 5 of 12 rules compliant, 1 n/a; failing: V-215171 loginretries=0 (needs le 3), V-215220 mindiff=0 (needs ge 8), V-215223 maxage=13 (needs le 8), V-215224 histsize=4 (needs ge 5), V-215226 minlen=10 (needs ge 15), +2 more | One or more account/password-policy attributes in /etc/security are weaker than the DISA STIG for IBM AIX 7.x mandates — each is a documented hardening gap an auditor will flag, and it applies to every account inheriting the default stanza. Fix: tighten the failing attributes with chsec (chsec -f <file> -s default -a <attr>=<value>); the compliance report lists every rule, the required value, and the observed value. |
| STIG network tunables | FAIL | high | 3 of 4 rules compliant, 0 n/a; failing: V-215399 clean_partial_conns=0 (needs eq 1) | One or more kernel network options are set to a value the DISA STIG for IBM AIX 7.x flags — e.g. IP forwarding on a non-router, or TCP half-open connection cleanup disabled. Each is a documented hardening gap an auditor will flag. Fix: set the failing tunables with 'no -p -o <tunable>=<value>' (nfso for NFS options) so the change persists across reboot; the compliance report lists every rule, the required value, and the observed value. |
| STIG disabled services | FAIL | high | 34 of 37 rules compliant, 0 n/a; failing: V-215353 sendmail, V-215354 snmpd, V-215365 snmpmibd | One or more legacy network services the DISA STIG for IBM AIX 7.x requires disabled are still enabled or running — each is an unneeded, often unauthenticated, network-facing daemon an auditor will flag. Fix: comment the service out of /etc/inetd.conf and 'refresh -s inetd' (inetd services), or 'stopsrc -s <subsystem>' and disable it at boot (SRC subsystems); the compliance report lists every rule and its evidence. |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| Time synchronization (NTP) | FAIL | med | xntpd inoperative, 0 server(s) | No working time sync — clock drift breaks log correlation, Kerberos and TLS. Fix: configure /etc/ntp.conf with a server and start xntpd ('startsrc -s xntpd'; enable at boot). |
| DNS resolver | PASS | low | 1 nameserver(s) | At least one DNS resolver is configured. Fix: n/a |
| Default route | PASS | low | default route present | A default route is configured. Fix: n/a |
| Kernel tunables (nextboot) | WARN | low | 1 changed tunable line(s) | Kernel tunables are changed from default for next boot — deliberate tuning or archaeology? document each. Fix: review /etc/tunables/nextboot; record why each change exists, or revert to default. |
| Timezone (TZ) | PASS | low | TZ=CST6CDT | The system timezone is set explicitly. Fix: n/a |
| Host self-resolution | WARN | low | does not resolve | Tools and certs misbehave when the box can't resolve itself. Fix: add this host to DNS or /etc/hosts. |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| Monitoring agent | WARN | high | none detected | Nothing is watching this box — every finding in this report goes unnoticed until someone runs it again. Fix: install and point a monitoring agent (Zabbix/NRPE/Datadog/njmon) at this LPAR. |
| Error notification | PASS | low | 26 errnotify stanzas | Custom error-notification methods exist beyond the defaults — errors can page a human. Fix: n/a |
| Remote syslog | WARN | low | no remote target | No remote syslog target — logs die with the box, exactly when you need them. Fix: add an '@loghost' line to /etc/syslog.conf and 'refresh -s syslogd'. |
| Performance history | PASS | low | collector running | A performance-history collector is running — sizing and incident forensics have data to work from. Fix: n/a |
| Scheduled backup job | WARN | med | no backup in crontab | No scheduled backup in root's crontab — where does the mksysb come from? Fix: schedule mksysb/savevg in root's crontab, or confirm NIM/central backup owns it. |