Patching AIX

Concert supports AIX iFix detection as part of the IBM Power assessment. This capability ensures accurate vulnerability reporting by identifying when an AIX interim fix (iFix) is already installed on the host.

AIX iFix detection during IBM Power assessments

Concert detects missing and installed AIX iFixes during the Power Inventory and Advisory jobs.
  • If an AIX iFix required to remediate a CVE is already installed, the CVE is excluded from the assessment results.
  • If the iFix is missing, the CVE continues to appear as an open exposure and a remediation action is generated for the affected AIX host.
AIX iFix remediation is executed through the IBM Power Auto Remediation workflows.
Note: AIX remediation requires correctly configured AIX VM SSH authentication (vmConfig) in the IBM Power workflows.

About AIX iFix patching

An AIX iFix is an incremental fix package that updates specific filesets to remediate targeted vulnerabilities. Similar to VIOS, AIX iFixes follow strict dependency rules:
  • Some iFixes require earlier iFixes (base iFix) to be installed first.
  • A later iFix cannot be applied without selecting its required prerequisites.
Concert automates:
  • Dependency sequencing
  • Validation of prerequisite iFix selections
  • Parallel installation of independent fixes
  • Real-time status tracking during remediation
Table 1. Remediation states
Status               Meaning
Completed            All selected iFixes installed successfully.
Partially processed  At least one iFix installed successfully and one or more dependent iFixes failed. Dependent iFixes are skipped and marked as Ignored.
Failed               All iFixes failed or the action was aborted.

Review AIX iFix patches

When missing AIX iFixes are detected, Concert generates a patch remediation action for the affected AIX VM.

Follow these steps to review the patch details:
  1. Go to Dimensions > IBM Power.
  2. Select the System or Stand-alone VM for which you want to see the action.
  3. Click Actions.
  4. Click Review and approve.
  5. Open the iFixes tab.
    Figure 1. iFixes
    Screenshot of the iFixes tab.
    This panel lists:
    • Available AIX iFixes
    • Associated file sets
    • Whether a reboot is required
  6. Clear the selection for any iFixes you do not want to apply.

    By default, all iFixes are selected for both AIX and VIOS.

  7. Click Save.
  8. Click Approve.
  9. Provide a schedule and confirm by clicking Approve in the approval window.

After approval, Concert installs the selected iFixes sequentially. Each iFix addresses specific CVEs and behaves similarly to applying a targeted package fix rather than performing a full version update.

Apply AIX iFix patches

When the remediation action is approved, Concert performs the following steps:
  • Downloads the required iFix packages from configured sources
  • Validates package checksums
  • Applies the iFixes in dependency order
  • Updates the system and records remediation status

If any iFix requires a system reboot, this is indicated in the action details. Review the reboot requirement before approval to plan maintenance windows appropriately.

Partial success handling

If one or more AIX iFixes fail:
  • All dependent iFixes are skipped.
  • Skipped iFixes are marked as Ignored.
  • Successfully applied iFixes remain installed.
  • The overall action status is set to Partially processed.

This behavior prevents dependency-chain errors and ensures the system remains in a valid state.
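
The dependency rules and partial success handling described above can be modeled as follows. This is an added example, not Concert's implementation. The iFix labels, the install callback, and the roll-up of per-iFix results into an overall status are assumptions made for illustration, and prerequisites already installed on the host are not modeled.

```python
from graphlib import TopologicalSorter

# Constructed sample data: iFix label -> prerequisite (base) iFix labels.
PREREQS = {"base_a": [], "dep_b": ["base_a"], "dep_c": ["dep_b"], "indep_d": []}

def plan_order(prereqs, selected):
    """Return the selected iFixes in dependency order.

    Raises ValueError if a selected iFix has a prerequisite that is not
    selected, or if the prerequisites form a cycle (graphlib.CycleError).
    """
    chosen = set(selected)
    for fix in selected:
        missing = set(prereqs.get(fix, ())) - chosen
        if missing:
            raise ValueError(f"{fix} needs unselected prerequisite(s): {sorted(missing)}")
    graph = {fix: set(prereqs.get(fix, ())) for fix in selected}
    return list(TopologicalSorter(graph).static_order())

def remediate(prereqs, selected, install):
    """Apply iFixes in order; install(label) -> bool is a caller-supplied stand-in.

    Returns (per-iFix state, overall status).
    """
    state = {}
    for fix in plan_order(prereqs, selected):
        if any(state[dep] != "Installed" for dep in prereqs.get(fix, ())):
            state[fix] = "Ignored"  # a prerequisite failed or was itself skipped
        else:
            state[fix] = "Installed" if install(fix) else "Failed"
    installed = sum(s == "Installed" for s in state.values())
    if installed == len(state):
        overall = "Completed"
    elif installed:
        overall = "Partially processed"  # assumed roll-up: some installed, some not
    else:
        overall = "Failed"
    return state, overall

if __name__ == "__main__":
    # Simulate dep_b failing: dep_c is skipped, base_a and indep_d stay installed.
    print(remediate(PREREQS, list(PREREQS), lambda fix: fix != "dep_b"))
```

A failure propagates through the whole chain: dep_c is marked Ignored because its prerequisite dep_b did not install, while the independent indep_d is unaffected.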