Originally posted by: MatthewO

Please port OpenSCAP to AIX.  It is a very useful tool in secure enviroments.

Source and info can be found at: https://www.open-scap.org/

Support my RFE: http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=105635

 

#AIX-Open-Source-Software
#AIXOpenSource

Originally posted by: sanket

Hi Matthew,

We will add this request to our list and look into it.

Have you tried porting this by your self ?

Do you see any issue ? We would like to have an environment where people should be able to port open source packages by themselves.

If you see any issue in porting and finds some tools are missing for porting then we would like to hear that. 

#AIX-Open-Source-Software
#AIXOpenSource

Originally posted by: MatthewO

I have not tried and do not have access to a build environment.  Also, it is best if packages come from ibm.com.

#AIX-Open-Source-Software
#AIXOpenSource

Originally posted by: U68G_laurent_NOE

Hi Sanket, Hi Matthew,

 

I'm actually trying to port OpenScap to AIX and in the mean time, I'm trying to improve the whole openscap code portability by making it the less GCC specific and the most ISO C99 compliant.

 

Unfortunately, I don't have access to recent AIX distro (i.e. 72, 7.1 or 6.1) and so I do this on an old (unsupported and very slow :-)) AIX 5.3 32 bit 43P150 machine with XLC 10.1 (since more recent versions of XLC are not compatible with AIX 5.3). For most of the generic parts of the code, AIX 5.3 is sufficient but for specific parts (mainly some probes), it will probably be complicated to do the port without access to AIX >= 6.1 systems.

 

Anyway, I'm at the beginning of this task and have already published a couple of patches on https://github.com/OpenSCAP/openscap for AIX as well as fixes for non C99 issues.

But there is quite a lot of work to do to make the whole openscap code fully AIX aware.

And there are some pieces of code (mainly some probes like system_info, runlevel, process58, routingtable, interface,...) for which I would probably need some help from both the openscap team and from AIX development experts.

 

Best regards,

Jean-Louis Charton

#AIX-Open-Source-Software
#AIXOpenSource

Originally posted by: sanket

Hi Jean,

 

This is great. We want everyone to participate in porting open source packages on AIX and contribute to community.

Please let us know if you face any issue with AIX.

Thanks

Sanket

#AIX-Open-Source-Software
#AIXOpenSource

Originally posted by: dieter_mosbach

I have an AIX Compile-LPAR with AIX 7.1 and XLC 13.

I'm trying to compile samba4, nmap7 and icinga2.

I could do some tests for you.

 

#AIXOpenSource
#AIX-Open-Source-Software

Originally posted by: dieter_mosbach

checking for pthread_attr_init in -lpthread... no
checking for pthread_attr_init in -lpthreads... no
configure: error: in `/tmp/openscap':
configure: error: pthread library is missing

 

but pthreads is installed:

 

lslpp -w /usr/ccs/lib/libpthreads.a
  File                                        Fileset               Type
  ----------------------------------------------------------------------------
  /usr/ccs/lib/libpthreads.a                  bos.rte.libpthreads   File

 

#AIXOpenSource
#AIX-Open-Source-Software

Originally posted by: U68G_laurent_NOE

Hi Dieter,

Actually, the configure stuff is broken for AIX.

You have to modify configure to make it work correctly and don't fail on libpthread detection.

Also remove all the GCC specific compiler flags in configure.

I use this: CFLAGS="$CFLAGS -D_GNU_SOURCE -DOSCAP_THREAD_SAFE"

 

Could it be possible for you to give me an access to your LPAR (as a non privileged user of course :-)) so that I could compile and fix the openscap code on a much more recent AIX than the one I have?

 

Best regards,

Jean-Louis Charton

#AIXOpenSource
#AIX-Open-Source-Software

Originally posted by: dieter_mosbach

Sorry, access to the LPAR ist not possible,

it's not my personal machine, it's a  LPAR in my company.

 

GIve me a recipe what to to do and I can do it for you.

 

#AIX-Open-Source-Software
#AIXOpenSource

Originally posted by: sanket

 

Hi Jean,

 

Have you made more progress on OpenSCAP on AIX ?

Could you please share OpenSCAP current status on AIX with us.

#AIX-Open-Source-Software
#AIXOpenSource

Originally posted by: AyappanP

Seems to be something wrong in your AIX machine. I could see the below in my machine. 

# ls -l /usr/lib | grep pthread
lrwxrwxrwx 1 bin   bin            22 May 17 15:43 libpthread.a -> /usr/lib/libpthreads.a
lrwxrwxrwx 1 bin   bin            26 May 17 15:43 libpthreads.a -> /usr/ccs/lib/libpthreads.a
lrwxrwxrwx 1 bin   bin            33 May 17 15:43 libpthreads_compat.a -> /usr/ccs/lib/libpthreads_compat.a

Check whether the libraries are there in /usr/lib. Also make sure you are not messing up the build with improper LDFLAGS. 

#AIX-Open-Source-Software
#AIXOpenSource

Originally posted by: dieter_mosbach

I have the same:

root@sps81401:/tmp/openscap#  ls -l /usr/lib | grep pthread
lrwxrwxrwx    1 bin      bin              22 May 04 2016  libpthread.a -> /usr/lib/libpthreads.a
lrwxrwxrwx    1 bin      bin              26 May 04 2016  libpthreads.a -> /usr/ccs/lib/libpthreads.a
lrwxrwxrwx    1 bin      bin              33 May 04 2016  libpthreads_compat.a -> /usr/ccs/lib/libpthreads_compat.a

 

 echo $LDFLAGS
-L/opt/freeware/lib -Wl,-blibpath:/opt/freeware/lib64:/opt/freeware/lib:/usr/lib:/lib -Wl,-bmaxdata:0x80000000

 

configure:28040: checking for pthread_attr_init in -lpthread
configure:28065: xlc -o conftest -D_LARGE_FILES=1 -qcpluscmt -qtune=pwr7 -qarch=pwr7 -qmaxmem=16384 -DSYSV -D_AIX -D_AIX32 -D_AIX41 -D_AIX43 -D_AIX51 -D_AIX52 -D_AIX53 -D_AIX61 -D_AIX71 -D_ALL_SOURCE -DFUNCPROTO=15 -O -I/opt/freeware/include -I/opt/freeware/include/python2.7 -L/opt/freeware/lib -pipe -std=c99 -W -Wall -Wnonnull -Wshadow -Wformat -Wundef -Wno-unused-parameter -Wmissing-prototypes -Wno-unknown-pragmas -D_GNU_SOURCE -DOSCAP_THREAD_SAFE -D_POSIX_C_SOURCE=200112L  -L/opt/freeware/lib:/usr/lib:/lib -Wl,-blibpath:/opt/freeware/lib:/usr/lib:/lib -Wl,-bmaxdata:0x80000000 conftest.c -lpthread   >&5
/opt/IBM/xlc/13.1.3/bin/.orig/xlc: 1501-289 (W) Option -W was incorrectly specified. The option will be ignored.
/opt/IBM/xlc/13.1.3/bin/.orig/xlc: 1501-289 (W) Option -Wall was incorrectly specified. The option will be ignored.
/opt/IBM/xlc/13.1.3/bin/.orig/xlc: 1501-289 (W) Option -Wnonnull was incorrectly specified. The option will be ignored.
/opt/IBM/xlc/13.1.3/bin/.orig/xlc: 1501-289 (W) Option -Wshadow was incorrectly specified. The option will be ignored.
/opt/IBM/xlc/13.1.3/bin/.orig/xlc: 1501-289 (W) Option -Wformat was incorrectly specified. The option will be ignored.
/opt/IBM/xlc/13.1.3/bin/.orig/xlc: 1501-289 (W) Option -Wundef was incorrectly specified. The option will be ignored.
/opt/IBM/xlc/13.1.3/bin/.orig/xlc: 1501-289 (W) Option -Wno-unused-parameter was incorrectly specified. The option will be ignored.
/opt/IBM/xlc/13.1.3/bin/.orig/xlc: 1501-289 (W) Option -Wmissing-prototypes was incorrectly specified. The option will be ignored.
/opt/IBM/xlc/13.1.3/bin/.orig/xlc: 1501-289 (W) Option -Wno-unknown-pragmas was incorrectly specified. The option will be ignored.
/opt/IBM/xlc/13.1.3/bin/.orig/xlc: 1501-208 (S) command option e is missing a subargument
configure:28065: $? = 40

 

#AIX-Open-Source-Software
#AIXOpenSource

Originally posted by: AyappanP

The error is due to the "-pipe" flag. This flag ( and also "-std=c99") will not be recognized by xlc compiler. I would suggest you to use gcc compiler here.

#AIXOpenSource
#AIX-Open-Source-Software

Originally posted by: U68G_laurent_NOE

Hi Ayappan,

 

I do not really agree with your suggestion to use GCC.

I think XLC/C++ is a much better choice to compile softwares for AIX since it's the "native" C compiler for AIX.

And same thing apply to Solaris: the Oracle Developer Studio is a better choice than GCC in my opinion.

The problem here is just to make the whole "configure stuff" correct when XLC/C++ compiler is detected.

Fixing a couple of problems in configure, I've been able to make it work.

I use this XLC/C++ compiler options : -O2 -qlanglvl=extc99 -qro -qroconst -DNDEBUG -D_LINUX_SOURCE_COMPAT -D_LARGE_FILES -D_LARGE_FILE_API -D__PRETTY_FUNCTION__=__func__.

However, there are a lot of other problems in the C code itself (non portable C syntax, GCC specific stuff, missing headers, missing functions, unimplemented peaces of code, bugs, ...).

I have posted on openscap github several patches for AIX and also for Solaris but I still have many patches to publish.

Currently, I've been able to compile the whole code without fatal compiler errors (but still several warnings) on Solaris 10 and AIX 5.3 !

But I know that there are still many places in the code that needs to be fix for both OSes and also some probes that needs to be ported.

 

BTW, I'm looking for an implementation of the acl_trivial() function (or equivalent) for AIX capable of handling AIXC and NFS4 acl.

I know the entry point to do this is the aclx_get() AIX function but if someone has already written such a function, I would appreciate his help :-)

 

     int acl_trivial(char *path);

DESCRIPTION
     The acl_trivial() function is used to  determine  whether  a
     file has a trivial ACL. Whether an ACL is trivial depends on
     the type of the ACL. A POSIX draft ACL is nontrivial  if  it
     has  greater than MIN_ACL_ENTRIES. An NFSv4/ZFS-style ACL is
     nontrivial if it  either  has  entries  other  than  owner@,
     group@,  and everyone@, has inheritance flags set, or is not
     ordered in a manner that meets POSIX access control require-
     ments.

RETURN VALUES
     Upon successful completion, acl_trivial() returns 0  if  the
     file's  ACL  is  trivial  and  1  if  the  file's ACL is not
     trivial. If it could not be determined whether a file's  ACL
     is  trivial, -1 is returned and errno is set to indicate the
     error.

 

I also need an implementation of getifaddrs() function or something equivalent.

 

Best regards,

Jean-Louis Charton

#AIX-Open-Source-Software
#AIXOpenSource