IBM Fix Level Recommendation Tool Vulnerability Checker - FLRTVC Usage Overview
The FLRTVC tool was developed to allow System Admins and Auditors to generate vulnerability reports for AIX systems based on HIPER and Security Bulletins published by the AIX Security team. The tool is written in the KornShell 93 language to simplify deployment to any AIX server. The script generates a report that lists each vulnerability and any fixes installed for that vulnerability. The report also lists Security Bulletin URLs that provide instructions on how to install the fixes for each vulnerability.
In some cases, many vulnerabilities may be fixed by simply upgrading the AIX Technology or Service Pack level, but this may require long periods of time for certification. This tool may be used to help keep your AIX systems patched between certifications.
FLRTVC does not currently make any recommendations for upgrading your AIX Technology or Service Pack level; however, it may include this feature in the future.
FLRTVC script is available for download from our FLRT website at:
FLRTVC Online is also available on FLRT to generate reports using your “lslpp” and “emgr” outputs.
To use the script on VIOS, you must elevate to AIX 6.1 using the “oem_setup_env” command.
How FLRTVC discovers vulnerabilities
Step 1) Download FLRT’s HIPER and Security CSV data file from IBM.
For your convenience, the data file is automatically downloaded upon script execution using wget, cURL, or FTP, whichever is available. It may also be manually loaded into the script by downloading it from our FTP location at ftp:
Step 2) Discover system filesets and fixes using “lslpp -Lcq” and “emgr -lv3”.
The next stage will run the “lslpp” and “emgr” commands listed above to retrieve a listing of all filesets and relevant installed fixes. The “emgr” command requires sudo or root access to execute in order for the report to list the fixed vulnerabilities.
Step 3) Cross-reference system filesets and fix information against FLRT HIPER and Security CSV data.
The CSV data is produced in conjunction with the AIX Security teams that publish both HIPER and Security bulletins. The FLRTVC script will compare the fileset’s version to the affected range of each vulnerability that matches the AIX version. If the fileset is vulnerable, the script then checks for any relevant installed fixes that may have patched the vulnerability and will catalog both results.
Step 4) Reporting vulnerable filesets and installed fixes in Verbose or CSV format.
The Verbose format generates a human-readable report that can be easily analyzed by users. It is recommended to redirect the output of the FLRTVC script to a text file or to an e-mail address for log purposes.
The CSV format may be used for third-party scripting purposes to analyze and process the results as necessary or to generate a CSV file of the results. The default separator character is the pipe “|” character, but it may be changed using the “-d” option with the new delimiter in quotes, for example: ./flrtvc.ksh -d "^". This will change the delimiter to the ^ symbol. You may also disable showing the header titles using the “-q” option with no arguments.
Both formats display the vulnerabilities for each fileset that was detected, as well as any installed fixes that patch the specific vulnerability.
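The cross-reference in Step 3, together with the installed-fix check, as an added example that is not FLRTVC's own code. The advisory row layout, the fix labels and all sample data are constructed for illustration; the bos.rte.libc row shows why levels must be compared numerically field by field (7.1.3.10 is above 7.1.3.9, although it sorts below it as a string).

```shell
#!/bin/sh
# Constructed sample of "lslpp -Lcq" output (package:fileset:level:...).
LSLPP='bos.net.tcp.client:bos.net.tcp.client:7.1.3.45: : :C:F:TCP/IP Client Support
openssl.base:openssl.base:1.0.1.513: : :C:F:Open Secure Socket Layer
bos.rte.libc:bos.rte.libc:7.1.3.10: : :C:F:libc Library'

# Hypothetical advisory rows: fileset|lowest affected|highest affected|fix label.
# This is NOT the layout of the real FLRT data file.
ADVISORIES='bos.net.tcp.client|7.1.3.0|7.1.3.45|IFIX_A
openssl.base|1.0.1.500|1.0.1.513|IFIX_B
bos.rte.libc|7.1.3.0|7.1.3.9|IFIX_C
bos.cluster.rte|7.1.3.0|7.1.3.45|IFIX_D'

# Constructed labels of installed interim fixes (what "emgr" would report).
IFIXES='IFIX_B'

# cross_reference LSLPP_TEXT ADVISORY_ROWS INSTALLED_FIX_LABELS
# Prints fileset|level|VULNERABLE or fileset|level|FIXED for affected filesets.
cross_reference() {
  printf '%s\n---\n%s\n---\n%s\n' "$3" "$1" "$2" | awk '
    # Compare dotted levels numerically, field by field: -1, 0 or 1.
    function cmp(a, b,   x, y, n, m, i, k) {
      n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
      for (i = 1; i <= k; i++) {
        if (x[i] + 0 < y[i] + 0) return -1
        if (x[i] + 0 > y[i] + 0) return 1
      }
      return 0
    }
    BEGIN { part = 0 }
    $0 == "---" { part++; next }
    part == 0 { for (i = 1; i <= NF; i++) ifix[$i] = 1; next }   # fix labels
    part == 1 { split($0, f, ":"); level[f[2]] = f[3]; next }    # filesets
    part == 2 {                                                   # advisories
      split($0, a, "|"); v = level[a[1]]
      # Skip filesets that are not installed or fall outside the range.
      if (v == "" || cmp(v, a[2]) < 0 || cmp(v, a[3]) > 0) next
      print a[1] "|" v "|" ((a[4] in ifix) ? "FIXED" : "VULNERABLE")
    }'
}

cross_reference "$LSLPP" "$ADVISORIES" "$IFIXES"
```

The output uses the pipe delimiter that the page gives as the CSV default, so the same downstream parsing applies.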
FLRTVC Script Usage
To execute the script, you must use one of the following commands:
As always, we value your feedback! Please use our feedback tool to submit a feature request, bug report, or suggestion directly to the developers at: ibm.
FLRTVC Script: http
FLRTVC Online: http
FLRT developerWorks Community Forum: http
The FLRT and FLRTVC team
Joel Ruiz is an IBM Electronic Support developer in Austin, TX. He had a great time writing FLRTVC and welcomes your feedback.
Morgan Tong joined IBM in 1998. During his 17+ years with IBM, he has worked in many of the IBM divisions and product teams as a software engineer.
Ron Theriault is the primary developer of FLRT and some other support tools. He has spent many years in academia, developing software on various Unix/Posix platforms, and has been using Java since 1995.