Pau Lo


aix ibm patch level and remaining support lifecycle

Can anyone explain how out of date the following software levels for AIX IBM are:
5.3.0.0 (returned from oslevel -s)
6.1.0.0 (returned from oslevel -s)
Also is it the same as MS software whereby products are only patched if at a certain release level or service pack level, subsequently, are these products still under support, and for how long, or if they are out of support, when did they go out of support? Especially interested for the older version (5.3) which I think is now about 10 years old since it was first released…
SOLUTION
Dave Gould

ASKER CERTIFIED SOLUTION
woolmilkporc
Pau Lo

ASKER

We did indeed (but I must confess the response was a little overwhelming), however I hoped it would be easier to digest if I had a build number to discuss. And that is definitely all the output from that command. So makes it hard to again digest the service pack date as all it says is "0"

I was hoping from the build numbers provided you could say it's missing 2 service packs and endless security patches.
Pau Lo

ASKER

Or could the ".0.0" indicate no service packs have ever been applied since the server was provisioned? Are service packs the same as Microsoft, or do they essentially represent "bundles" of patches, because on MS you have say 2/3 service packs per lifecycle, but endless security patches in between those service packs.
>> the ".0.0" indicate no service packs have ever been applied <<

Yes, if that's indeed the output of oslevel -s then there wasn't any maintenance level (let alone service pack) applied ever.

Moreover, you're on a level which didn't yet know about build dates or service packs. This was the case with AIX 5.3 before maintenance level 1, means: with the very, very first 5.3 shipment. As far as I know this shipment was accompanied by a second CD set containing required maintenance (i.e. ML 1). Seems you didn't even install this accompanying service (a real malpractice, by the way).

You can check with

instfix -i | grep AIX_ML

if your system knows about any maintenance levels besides "5.3.0.0", but I really don't think so.

Run

instfix -i | grep "SP "

to check for service packs.

>> you could say its missing 2 service packs and endless security patches.  <<

No need to ponder on this. It's not missing some selected service packs, it's missing all service packs!

To get this system to a somewhat reliable state you will have to install all MLs/TLs, from "1" to let's say "12" - one after the other with no intervening gaps allowed (remember, MLs/TLs are not cumulative!)

Your 6.1 doesn't look any better. It's also the initial release. Here, too, we had a "required maintenance" CD in the shipment (TL 0 !), which had to be applied immediately after installation (thus the term "required maintenance").

Didn't you ever use your machines for production?

What Microsoft call "Service Pack" is a "Technology Level" in AIX. Intermediate patches are bundled to "Service Packs", and urgent security fixes are called "Emergency Fix" and are handled separately (There is a selection option for these in Fix Central).
Addendum:

"instfix -i | grep AIX_ML" on a "recent" AIX 5.3 must look like this:
    All filesets for 5.3.0.0_AIX_ML were found.
    All filesets for 5300-01_AIX_ML were found.
    All filesets for 5300-02_AIX_ML were found.
    All filesets for 5300-03_AIX_ML were found.
    All filesets for 5300-04_AIX_ML were found.
    All filesets for 5300-05_AIX_ML were found.
    All filesets for 5300-06_AIX_ML were found.
    All filesets for 5300-07_AIX_ML were found.
    All filesets for 5300-08_AIX_ML were found.
    All filesets for 5300-09_AIX_ML were found.
    All filesets for 5300-10_AIX_ML were found.
    All filesets for 5300-11_AIX_ML were found.
    All filesets for 5300-12_AIX_ML were found.
I assume your system will show
    All filesets for 5.3.0.0_AIX_ML were found.

"instfix -i | grep AIX_ML" on a "recent" AIX 6.1 must look like this:
    All filesets for 6100-00_AIX_ML were found.
    All filesets for 6100-01_AIX_ML were found.
    All filesets for 6100-02_AIX_ML were found.
    All filesets for 6100-03_AIX_ML were found.
    All filesets for 6100-04_AIX_ML were found.
    All filesets for 6100-05_AIX_ML were found.
    All filesets for 6100-06_AIX_ML were found.
    All filesets for 6100-07_AIX_ML were found.
    All filesets for 6100-08_AIX_ML were found.
    All filesets for 6100-09_AIX_ML were found.
    All filesets for 6.1.0.0_AIX_ML were found.
I assume your system will show
    All filesets for 6.1.0.0_AIX_ML were found.

Right?
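
A check for the gaps described above, as an added example that is not part of the original thread: it reads `instfix -i | grep AIX_ML` output and lists the levels that are absent or only partly installed. The function names and sample lines are constructed for illustration; the range 1 to 12 for 5300 is taken from the listing above.

```shell
#!/bin/sh
# Added example (not from the thread): find ML/TL gaps in instfix output.
# On AIX: instfix -i | grep AIX_ML | missing_levels 5300 1 12

# complete_levels RELEASE -- reads instfix output on stdin and prints the
# two-digit number of every level reported as completely installed.
complete_levels() {
    # Anchor on "All filesets" so instfix's "Not all filesets for ... were
    # found." lines (incomplete levels) are not counted as installed.
    sed -n "s/^ *All filesets for $1-\([0-9][0-9]\)_AIX_ML were found\.\$/\1/p" |
        sort -u
}

# missing_levels RELEASE FIRST LAST -- prints, space separated, the levels
# in FIRST..LAST that are absent or only partly installed.
missing_levels() {
    rel=$1 i=$2 last=$3
    have=" $(complete_levels "$rel" | tr '\n' ' ')"
    missing=""
    while [ "$i" -le "$last" ]; do
        lvl=$(printf '%02d' "$i")
        case "$have" in
            *" $lvl "*) ;;
            *) missing="$missing $lvl" ;;
        esac
        i=$((i + 1))
    done
    echo "${missing# }"
}

# Constructed sample: only the base level, as assumed for the asker's 5.3 box.
SAMPLE_BASE='    All filesets for 5.3.0.0_AIX_ML were found.'

# Constructed sample: level 03 is incomplete although 04 is present.
SAMPLE_PARTIAL='    All filesets for 5.3.0.0_AIX_ML were found.
    All filesets for 5300-01_AIX_ML were found.
    All filesets for 5300-02_AIX_ML were found.
    Not all filesets for 5300-03_AIX_ML were found.
    All filesets for 5300-04_AIX_ML were found.'

printf '%s\n' "$SAMPLE_BASE" | missing_levels 5300 1 12
printf '%s\n' "$SAMPLE_PARTIAL" | missing_levels 5300 1 4
```

For the 6.1 listing the equivalent call is `missing_levels 6100 0 9`, since that release numbers its first level 00.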
Pau Lo

ASKER

Thanks again. Aside from the obvious security related issues in not applying service packs and technology levels, what other risks are posed by not keeping the system up to date? We work in risk as opposed to IT but some examples of risks posed by not applying updates would be most useful in trying to convince IT to review their current procedures in this area.
Pau Lo

ASKER

I'll try those commands tomorrow
Pau Lo

ASKER

And do IBM only release patches to AIX IBM systems if they are at a given technology level? And if so where can you see which technology level is supported? For example, older service packs of Windows Server won't be eligible for new patches, therefore staying on an old SP is a security issue in itself.
AIX TLs usually contain new features, performance or usability improvements - why forego something you paid for?

Some examples of risks?

Well, no software is error free. "Every non trivial program has at least one bug" (Murphy's computer law #8).

I saw an AIX 5.3 run for months until all of a sudden the init process began to eat up all CPU. I saw a memory leak in syncd, which didn't show up before the process had run for half a year. I saw NFS mounts break due to some (allowed) change in the network - consequence of an OS bug.

There are many such more or less important bugs in every OS, where some people never get punched with and some people get affected immediately or maybe after months - it's all a matter of fine-grain configuration/workload/infrastructure differences etc.

Better stay on the bright side and apply at least the TL updates.

Apply SPs if you're directed by IBM to do so in order to fix an issue on your side, or if new software requires a certain SP level - or if there's spare time, of course.

Stay informed on the availability of security patches, apply them if you think you're affected.

IBM have a notification system for security bulletins, but also for regular updates, hints and tips and more:

http://www-01.ibm.com/software/support/einfo.html

https://www-947.ibm.com/systems/support/myview/subscription/css.wss/subscriptions?methodName=listAvailableSubscriptions

(IBM ID required)

Try it, you'll be astonished at the amount of activity shown at good ol' Big Blue.
To your last question:

>> do IBM only release patches to AIX IBM systems if they are at a given technology level? <<

Well, I tried to explain just such things above, but it seems that I can't phrase them clearly enough, sorry.
So I'd really be glad if you could actually study the publications about IBM's service/update strategy whose links I posted.
They're really informative and maybe you'll find more and better answers there.
But, of course, don't hesitate to ask for more assistance  if the mentioned information doesn't seem sufficient anyway.
Pau Lo

ASKER

Just to wrap up, if your version says 6.1.0.0.. is this build completely irrelevant of security patches? Or would security patches be included in the service packs, therefore if SPs are missing, you're missing security patches?
Both.

There are emergency fixes which would fit into several levels. There is no way around reading the patch descriptions in such a case.

SPs belong to a particular TL. So if you're on TL 0 (i.e. no TL applied) you can only install SPs for TL 0, if you're on TL 1 you can only install SPs for TL 1, if you're on TL 2 you can only install SPs for TL 2 ...

Moreover, if you just went to let's say TL 2 and want to install an SP for this level but you have already installed an SP while still on TL 1 with a higher build date than the one for TL 2 you cannot install this SP for TL 2, to avoid possible regressions. This is a rare case, but it happens. And in almost every case there is already a higher SP available which you can use.

If SPs are missing you're missing security patches - yes, at least in most cases. I can't remember an SP which didn't contain security patches, but it's a remote possibility nonetheless.
Did you notice that the link posted by "trappa01" points to one of my EE contributions, which, moreover, was an answer to one of your previous questions?

Rating my solution as "assisted" hence seems a bit strange, to say the least.
As much as I appreciate the points, I must admit that woolmilkporc is right.
Having said that, I have spent ages helping other people out only to find that the points were given to somebody else that merely repeated what I said.
If there is a way to redistribute, then I have no qualms about losing the points I gained on this question.
@trappa01,

I don't care too much for the points, but I think "assisted" is just an inappropriate rating here.

Let's wait a bit, perhaps pma111 has something to say ...
Pau Lo

ASKER

Sorry, genuine mistake, how can I reassign the points?
Please click "Request Attention" and explain your concern!