This blog is meant for AIX system administrators and explains more in detail what this tool is and what is changed after the last update of the tool FLRTVC.ksh
See below the change log of FLRTVC:
CHANGED in last version (very good news!)
Since 05/23/2025 IBM changed the following:
05/23/2025 - v0.8.12 on this moment of writing the latest version.
- Added support for proxy in wget/curl
- Added support to provide last update date of apar.csv
- Informs about new flrtvc version availability as part of the report
What is FLRTVC
FLRTVC (stolen form the web side):
IBM - FLRT Fix Level Recommendation Tool
The FLRTVC provides security and HIPER (High Impact PERvasive) reports based on the inventory of your system.
First a little explanation what this tools is and why it is in my opinion a crucial tool for maintaining AIX security fixes.
We system administrators like to know when are security and HIPER (High Impact PERvasive) become available. Most ideal we get every day a report from all the LPARS we are running if fixes are needed and what is the urgency of a specific fix.
For this purpose IBM created a tool in the form of a script called FLRTVC (Fix Level Recommendation Tool Vulnerability Checker Script) ksh93 flrtvc.ksh
FLRTVC can also be used to generate reports on regular basis to prove to our auditors that we are compliant with the latest security fixes. Especially with the latest improvements this tool it is now very easy to generate a complete report for this purpose.
Maintenance of the tool itself:
The tool which consist of a very nice and very well maintained script freely delivered by IBM needs a few (three) input files to run. And now with the newest version v0.8.12 the tool reports if there is an new version of the script available. GREAT thanks IBM very useful.
Example of the output report:
FLRTVC Script executed on Fri Jun 6 15:44:04 CEST 2025 using Version: v0.8.12
Needed input files:
1) AparCSV: this is a comma separated file that contains all the latest security fixes and hypers that are available.
2) Output of every LPAR with installed efixes stored in a input file:
For example:
emgr -lv3 > /tmp/emgr.txt
Note that verbose level 3 is needed, so also combo fixes are reported.
Most of the third party tools forget this (v3) imported flag, so that combo fixes are NOT checked, FLRTVC does!
3) Output of installed installp filesets on a LPAR:
lslpp -Lcq > /tmp/lslpp.txt
Explanation of the aparCSV file:
First and most important one is a csv file that contains all the security fixes and hypers that came out for every release of AIX, that is maintained by IBM.
https://esupport.ibm.com/customercare/flrt/doc?page=aparCSV
So you can image that we like to have always the latested version of the csv file. But also we like to know when fixes came available, for usage of reports and automatic downloads.
Before <Version: v0.8.12. There was no timestamp available in the csv file so we downloaded every night the csv file and did a compare with the one of the night before. If it was a newer one we saved it with a timestamp in the file name.
This mechanism is still a good habid, but now there is a timestamp available in the csv file. This is a big inprovement because, now we have the official date of the csv file, and it’s reported also on the output as: “This report is based on APAR file dated : 2025.06.04” for example.
See below a picture that explains how we downloaded the csv file every night and store them on an NFS4 server. LPARS using the NFS4 automount (ro) feature to use the csv imput file.
Added support for proxy in wget/curl
This option makes it possible to download the csv file via a proxy, good news for those customers who have LPARS that are allowed to download via a proxy server.
In our case we do not have this option on an regular LPAR. Therefore we use only one LPAR that has proxy access and share the aparcsv file via an NFS4 read only file share.
Running FLRTVC script:
I like to explain first how this tool works before I explain how it can be used for a complete patch strategy.
From the web page, you first have to download it an transfer it to the LPAR you like to investigate, see below some basic documentation and the flags that can be used.
Download the tool FLRTVC.ksh
To download, click the download link below and save to a folder. It is packaged as a ZIP file with the FLRTVC.ksh script and LICENSE.txt file.
Download: FLRTVC (0.8.12)
Note:The script requires ksh93 to use. If you are receiving errors when running the script, you may execute the script using "ksh93 flrtvc.ksh". As of v0.7, only non-fixed vulnerabilities will be showed by default. Use -a to show all.
possible options and flags:
-d = Change delimiter for compact reporting
-f = File selection for *.csv file
-q = Quiet mode, hide compact reporting header
-s = Skip download, use default apar.csv file
-v = Verbose, full report (for piping to email)
-g = Grep for filesets with phrase, useful for verbose mode
-t = Type of APAR [hiper | sec]
-l = Enter a custom LSLPP output file, must match lslpp -Lqc
-e = Enter a custom EMGR output file, must match emgr -lv3
-x = Skip EFix processing
-a = Show all fixed and non-fixed HIPER/Security vulnerabilities
-p = Convert FTP protocol to HTTP for bulletin and efix download links
-r = Enter PROXY URL to be used by wget or curl, the same can be provided through HTTP_PROXY environment variable. This option value takes precedence over environment variable. Ex: http://user:password@hostIPorName:port or http://hostIPorName:port
Proxy URL argument or environment variable
# ./flrtvc.ksh -v -l lslpp.txt -e emgr.txt -r "http://somehost:12001"
# ./flrtvc.ksh -v -l lslpp.txt -e emgr.txt -r "http://flrtUser:flrtpassword@somehost:13001"
# export HTTP_PROXY="http://somehost:12001"
# ./flrtvc.ksh -v -l lslpp.txt -e emgr.txt
Gathering all the ingredients:
Transfer the script flrtvc.ksh to an LPAR and store it some ware in you path.
Also you can use again a shared NFS mount for this.
Next step is to create (gather) the input files of the state of your LPAR.
For example:
emgr -lv3 > /tmp/emgr.txt
lslpp -Lcq > /tmp/lslpp.txt
And that’s all it needs to generate the report.
Running the script:
/path_to_script/flrtvc.ksh -a -l /tmp/lslpp.txt -e /tmp/emgr.txt -f /path_to_aparcsv/shared_data/APAR.csv
The output you get is the following:
# FLRTVC Script executed on Fri Jun 6 15:40:33 CEST 2025 using Version: v0.8.12
# This report is based on APAR file dated : 2025.06.04
Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required|Last Update|Fixed In
bos.rte.control|7.2.5.204|sec||NOT FIXED - Multiple vulnerabilities in libxml2 affect AIX|7.2.5.0-7.2.5.204|IJ54679 / CVE-2024-56171 / CVE-2025-24928 / CVE-2025-27113 / CVE-2025-32415|https://aix.software.ibm.com/aix/efixes/security/libxml2_advisory8.asc|https://aix.software.ibm.com/aix/efixes/security/libxml2_fix8.tar|CVE-2024-56171:7.8 CVE-2025-24928:7.8 CVE-2025-27113:7.5 CVE-2025-32415:7.5|NO|06/04/2025|7200-05-10
note: with -a flag show all fixed and not fixed
As you can see in the above example it show in the first two lines now what version is used of the script, and if there is a new version it will report this also.
And it show the date of the used APAR file.
Using the output:
One simple way to create a nice readable report is import this output in a excel spreadsheet. Use the “|” as field separator while import the file.
See below a few snapshots of an example excel sheet:
Using the output as input for automatic downloads of the efixes.
Once we have this generated output of an LPAR (or ALL our LPARS) we can create a script that via a proxy server automatically downloads all the fixes that were reported.
Note for efixes you can use emgr_download_ifix, but see my IBM idea https://ideas.ibm.com/ideas/AIX-I-741 download via proxy is planned for future release.
We created a curl script that uses the IBM certificates to download the available fixes automatically.
Using the output as part of a patch management strategy.
If you using AIX in a secure environment you need to prove at any time that your LPARS are safe and patched with the latest available fixes.
For example we can generate a reports for all our LPARS that every month that they are compliant and patched with the latest available fixes.
We use a baseline reports for this and use FLRTVC are report generator for this strategy.
For those people who attended last year on TechXchange (LasVegas) my session you maybe remember how I explained how we use this tool every day automatically. But below a short recap:
We created a script that does the following:
• Download every night the aparCSV file and compare if this csv is newer than the last downloaded
• If the file is newer then saved with date timestamp.
• If it’s the last saved file of the month then save it as baseline (symlink).
See example of the download csv directory:
Baselines:
We create a baseline for every month, and create a baseline report for every LPAR.
We report if an LPAR is complaint or not e.g. it contains the latest fixes of past month.
And in case of a fail we know what need to be done (fixed) to become compliant again.
We also can run report if last night new fixes became available by running checking the ifixes.baseline.latest APARcsv file.
Of course you can have a different strategy for this but, I just liked to show you that this is a very reliable way of:
· Knowing that there are new fixes available.
· Knowing the LPAR in your environment that are running behind.
· Knowing the fixes that need to be installed to be complained again.
Of course there are many other ways to use this very reliable and easy to use tool.
I know that one other IBM customer Markus Burkhardt even created a nice web report via this tool.
My intention for this blog was, showing you the advantage of using this tool, and getting you inspired to use it!
Thank word:
I ready appreciate the effort and maintenance IBM put into this awesome tool (script).
Thank you Authors: Joel Ruiz, Viachaslau Rakhmanko, Ashutosh Agarwal
And keeping on doing the good work!
Last notes:
As many of you already knowing, this subject has aways my attention so any discussions and commands on this are very welcome.