FLRTVC - Fix Level Recommendation Tool Vulnerability Checker

FLRTVC Script and Documentation

The Fix Level Recommendation Tool Vulnerability Checker Script (FLRTVC) provides security and HIPER (High Impact PERvasive) reports based on the inventory of your system. FLRTVC Script is a ksh script which uses FLRT security and HIPER data (CSV file) to compare the installed filesets and interim fixes against known vulnerabilities and HIPER issues.

FLRTVC exists as a standalone ksh script which may be downloaded by the link below. FLRTVC uses HIPER/Security data from FLRT (aparCSV) to compare against the installed filesets (lslpp -Lcq) and interim fixes (emgr -lv3) to report your risks.

This webpage was developed based on feedback received from customers at Edge2015. We welcome your feedback on this tool and ways to improve it!

Download

To download, click the download link below and save to a folder. It is packaged as a ZIP file with the FLRTVC.ksh script and LICENSE.txt file.

Download: FLRTVC (0.8.8)

Note:The script requires ksh93 to use. If you are receiving errors when running the script, you may execute the script using "ksh93 flrtvc.ksh". As of v0.7, only non-fixed vulnerabilities will be showed by default. Use -a to show all.

Changelog

Please read the latest changelog to see important changes to FLRTVC.

  • 02/20/2024 - v0.8.8
    - Fixed Java JRE download URL issue
    - Displays APARs based on AIX or VIOS's lslpp file. The ios.cli.rte fileset identifies the vios lslpp file.
  • 10/23/2023 - v0.8.7
    - Fixed false reporting of other apars like curl advisories (curl7791a 32221a)
  • 07/20/2023 - v0.8.6
    - Updated the FLRTVC Script to use secured FTP, which is a mandate for IBM. For more information, on Secured FTP click here.
  • 03/21/2022 - v0.8.5
    - Fixed warning that appeared when apar.csv has single space in column for CVSS
  • 03/01/2022 - v0.8.4
    - Fixed Last Update not showing correctly and updated aparCSV download to new FLRT link at https://esupport.ibm.com/customercare/flrt/doc?page=aparCSV.
  • 1/18/2019 - v0.8.1
    - Fixed bug with fileset names getting out of sync with upper/lowercase in FLRTVC variables.
  • 11/29/2018 - v0.8.0
    - Fixed a major bug blocking filesets being checked. Added support for running on MacOS ksh. Improved wget/curl/ftp selection.
  • 11/16/2018 - v0.7.7
    - Fixed an obscure bug with not reading bos.rte version correctly from lslpp output.
  • 9/28/2018 - v0.7.6
    - Updated HTTP download URL for HIPER/Security CSV. (Proxy issues)
  • 9/21/2018 - v0.7.5
    - Added -p flag. Converts FTP protocol to HTTP for bulletin and efix URL links
    - Added exit codes for when script stops execution:
        0 = No vulnerabilities,
        1 = Error running script,
        2 = Vulnerabilities found
  • 5/2/2017 - v0.7.3
    - Fixed issue with the CVSS Score displayed in report.
  • 2/7/2017 - v0.7.2
    - Fixed fileset name comparing method, which affected AIX 7.2.
  • 11/11/2016 - v0.7.1
    - Fixed ksh syntax issues with some versions of AIX 6.1.

License

The FLRTVC script is licensed under IBM Public License Version 1.0.
You may read the license here: http://opensource.org/licenses/IPL-1.0

Secured FTP

IBM changed the public IP addresses for the IBM download servers that host files such as IBM Enhanced HOLDDATA and the IBM Product Information File to ensure uninterrupted downloads. As part of this, the public FTP URL has been changed from ftp.software.ibm.com to public.dhe.ibm.com.

The FTP server will respond with a port number in the range 65024-65535, so please make sure that the ports in the range 65024-65535 kept open to receive the response from FTP server.

Note: For more information on FTPS IP Addresses and Ports Used, click here.

Documentation

The FLRTVC script works by downloading an "apar.csv" file from the FLRT website using CURL or WGET, whichever your machine has installed. Then, it uses the commands "emgr -lv3" for interim fixes and "lslpp -Lcq" for installed filesets, and compares to the vulnerabilities reported in the apar.csv file. FLRTVC will report any findings using one of two formats: Compact and Full (verbose). Compact is preferable for scripting purposes, and full reporting is for a more human-readable format that may be piped to an e-mail address.

Please see below for the flags and different usages:

Flags

-d = Change delimiter for compact reporting
-f = File selection for *.csv file
-q = Quiet mode, hide compact reporting header
-s = Skip download, use default apar.csv file
-v = Verbose, full report (for piping to email)
-g = Grep for filesets with phrase, useful for verbose mode
-t = Type of APAR [hiper | sec]
-l = Enter a custom LSLPP output file, must match lslpp -Lqc
-e = Enter a custom EMGR output file, must match emgr -lv3
-x = Skip EFix processing
-a = Show all fixed and non-fixed HIPER/Security vulnerabilities
-p = Convert FTP protocol to HTTP for bulletin and efix download links

Examples

Verbose Formatting   Compact formatting is the default
# ./flrtvc.ksh -v

Set a custom CSV file
# ./flrtvc.ksh -f myfile.csv

Report on a specific fileset in verbose mode
# ./flrtvc.ksh -vg printers

Show only hiper results
# ./flrtvc.ksh -t hiper

Custom lslpp and emgr outputs, for reporting on other systems
# ./flrtvc.ksh -l lslpp.txt -e emgr.txt

Grouping flags together
# ./flrtvc.ksh -vf myfile.csv -g printers
# ./flrtvc.ksh -vsg printers