
INFORMATION TECHNOLOGY

DOCUMENTATION FOR LINUX INSTALLATION AND HARDENING

Purpose:

To reduce time and provide detailed documentation of a new Linux server installation in the Infra setup. This document provides the details and procedure for installation, configuration and hardening of a Linux server, along with Cacti and NMON installation.

Scope:

Since Linux installation and hardening is a frequent activity in Infra support, this document will help during new server installation and handover.

Responsible Unit: Tata Communications
Process Owner: Md. Shamim
Document: SOP
Confidentiality Status: Internal
Identity number:
Document Status: Draft
Effective Date: 24-Jul-2013
Revision: 1.0
Original Language: English

This document and its contents are the property of Tata Communications or its subsidiaries. This document contains confidential proprietary information. The reproduction, distribution,
utilization or the communication of this document or any part thereof, without express authorization is strictly prohibited. Offenders will be held liable for the payment of damages.
2008, Tata Communications or its subsidiaries. All rights reserved.

Revision Log

Revision    Date (yyyy-mm-dd)    Prepared By     Description of Changes
1.0         2013-07-24           Anshu Makkar    First Version

Approval Log

Revision    Date (yyyy-mm-dd)    Document Owner    Approval E-mail Reply

Confidential and Proprietary 2010 Tata Communications, Ltd. All Rights Reserved


Table of Contents
1 INTRODUCTION
2 LINUX INSTALLATION
2.1 Download Red Hat Enterprise Linux ISO
2.2 Burn ISO on DVD
2.3 Linux Installation
3 LINUX HARDENING
3.1 Remove unwanted File systems
3.2 Remove unwanted services
3.3 Remove unwanted packages
3.4 Change default run level
3.5 /etc/sysconfig/network file
3.6 Ntp client configuration
3.7 Relay server configuration
3.8 Network Firewall configuration
3.9 Logging parameter
3.10 System log security
3.11 Cron Restrictions
3.12 Secure ssh service
3.13 Pam Configuration
3.13.1 System authentication parameter change
3.13.2 System wide parameter change
3.14 Lock unwanted user account
3.15 Remove login shell from unwanted user account
3.16 Change login account defaults
3.17 Change messages for login
4 USER CREATION ON SERVER
4.1 System User group creation
4.2 System Admin users creation
5 CACTI INSTALLATION
5.1 Prerequisite before running the deploy.sh
5.2 Agent Installation
5.3 Checking snmp on client
5.4 Configuring snmp on client
5.5 Checking the resolution from CACTI server
6 NMON installation
6.1 Nmon directory creation
6.2 Create ksh shell script for nmon execution
6.3 Change permission of script
6.4 Install RPM
6.5 Crontab Entry

1. INTRODUCTION
Linux installation is a frequent request. Any Linux installation and configuration must adhere to TCL standards and security policies. During Linux installation and configuration we might miss some configuration or contradict TCL configuration standards. This document will help while installing and configuring Linux for any request for an OS reinstall or a new server configuration.
TCL has defined strict guidelines for OS hardening. Every server must go through the hardening process and meet the defined hardening criteria before going live in production. All vulnerabilities must be closed during hardening, along with removal of unwanted packages, file systems and services. This document also contains the hardening procedure defined and approved by TCL. This document will also help us while hardening a new OS or checking the hardening status of a server yet to be handed over.
We spend a good amount of our time monitoring the servers. In our infra support we use 2 tools, Nmon and Cacti, to capture the state of a server at any point in time. These tools help us monitor and study the system state and pattern of usage with the help of graphs. These tools are very helpful while analysing issues related to server performance. The last part of this document provides the steps to install Cacti and NMON on an installed and hardened server.

2. LINUX INSTALLATION
The steps below install Linux on bare metal or on an already created VM on an ESX host.
2.1 Download Red Hat Enterprise Linux ISO
https://rhn.redhat.com/rhn/software/downloads/SupportedISOs.do
A Red Hat support login is required to download the ISO.

Note: We use a 64-bit OS for servers.

Click on the x86_64 version of RHEL.

Download the Binary DVD for installation.

2.2 Burn ISO on DVD

2.3 Linux installation


Insert the DVD in the server and reboot the server.

Fig 1: First installation screen
Select "Install or upgrade an existing system".

Fig 2: Media check
Skip the disk check. (If you are not sure whether the DVD is scratched, you can run the media test.)

Fig 3: RHEL logo
Click Next to start the installation.

Fig 4: Language option
Select U.S. English as the language.

Fig 5: Storage devices
Select Basic Storage Devices to install RHEL on a local disk.
Select Specialized Storage Devices to install RHEL on a storage LUN.

Fig 6: Installation type
Select Fresh Installation for a new RHEL installation.
Select Upgrade to upgrade an older RHEL OS to a newer version.

Fig 7: Hostname
Add the hostname for the server.

Fig 8: Network configuration

Fig 9: Add/Edit network connection
Click on Configure connection and edit the network connection to add the IP, route etc.

Fig 10: IP configuration

Fig 11: IP configuration
Go to the IPv4 tab and select the Manual method for IP assignment.
Click on Add in Addresses to add the IP.
Assign the DNS server and search domain for DNS resolution.
You can also add routes with the Routes button.

Fig 12: Time zone selection
Select time zone Asia/Kolkata from the drop-down menu or click on Kolkata.

Fig 13: Root password
Enter the root password. As per TCL security policy, the root password should be at least 8 characters long and consist of 2 upper case characters, 2 lower case characters, 2 digits and 2 special characters.

Fig 14: Weak password warning popup
If you do not adhere to TCL security policy and choose a dictionary-based word, the installation setup will prompt you with a warning. You can go ahead with that password and change the password during OS hardening.

Fig 15: File system layout
Choose the file system creation option Create Custom Layout to install Linux as per TCL policy.

Fig 16: Physical partition creation
As per TCL policy, Linux file systems should be on LVM except /boot.
/boot should be a 200-500 MB standard partition.
The rest of the space should be divided into 2 LVM physical volumes, for OS partitions and application partitions.

TCL recommended OS partitions and sizes
/boot         500MB (Standard Partition)
vg_root (LVM physical Partition)
/             5G
/home         10G
/tmp          5G
/usr          10G
/opt          5G
/var          8G
/usr/openv    6G (Required for backup)
/kdump        105% of Physical Memory size
vg_root (As per application requirement)

Fig 17: LVM creation
We have a file system and partition naming convention.
According to that convention, the volume group name should be vg_ABC and the logical volume name should be lv_XYZ.

Fig 18: Final layout
The final layout for the disk should be like the above snapshot. (In the above snapshot app_vg is not created.)

Fig 19: Disk configuration write warning popup
You can change or reset the file system layout before clicking the Write changes to disk button. Once this button is clicked, all configuration is written to the disk.

Fig 20: Boot loader install location
Install the boot loader on the disk (the first disk in case of more than one disk).
A boot loader password can also be used to increase security.
Note: We do not change the boot loader location or use a password for the boot loader.

Fig 21: Choose installation bundle
Choose the Server installation bundle as per requirement.
If you are not sure which packages are required, use Basic Server and customize later (set up yum after installation and install the required packages).

Fig 22: Packages installation
After this step all packages will be installed. Ideally it should take 20-25 minutes.

Fig 23: Installation completion
After the installation completes, the above screen will be displayed. Click on Reboot to reboot the server.
After the reboot the server will come up and you will get a login prompt.

3. HARDENING
IMP: Take a backup of every file you change while hardening with the below command.
cp -p <file_name> <file_name>.befhard

3.1. Remove unwanted file systems

Create the Hardening_tcl.conf file in /etc/modprobe.d
cat > /etc/modprobe.d/Hardening_tcl.conf <<EOF
## Disabling Unused FS
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
EOF

3.2. Remove unwanted services


/sbin/chkconfig telnet off
/sbin/chkconfig ftp off
/sbin/chkconfig auditd off
/sbin/chkconfig nfslock off
/sbin/chkconfig rpcgssd off
/sbin/chkconfig rpcidmapd off
/sbin/chkconfig rpcbind off
/sbin/chkconfig --list rhnsd
/sbin/chkconfig rhnsd off
/sbin/chkconfig avahi-daemon off
/sbin/chkconfig cups off
/sbin/chkconfig autofs off
/sbin/chkconfig bluetooth off
/sbin/chkconfig iptables off
/sbin/chkconfig ip6tables off
/sbin/chkconfig atd off
/sbin/chkconfig autofs off
/sbin/chkconfig cachefilesd off
/sbin/chkconfig haldaemon off
/sbin/chkconfig iscsi off
/sbin/chkconfig iscsid off


/sbin/chkconfig lldpad off
/sbin/chkconfig mdmonitor off
/sbin/chkconfig messagebus off
/sbin/chkconfig netfs off
/sbin/chkconfig nfslock off
/sbin/chkconfig ntpd off
/sbin/chkconfig qpidd off
/sbin/chkconfig rpcbind off
/sbin/chkconfig rpcgssd off
/sbin/chkconfig rpcidmapd off
/sbin/chkconfig stap-server off
/sbin/chkconfig xinetd off
/sbin/chkconfig cupsd off

3.3. Remove unwanted packages


yum erase ypbind
yum groupremove "X Window System"
yum erase httpd
yum erase mrtg

3.4. Change default run level


Change default runlevel to 3 in /etc/inittab
id:3:initdefault:

3.5. Verify hostname entry in /etc/sysconfig/network file

3.6. Ntp client configuration


Add below lines in /etc/ntp.conf file.
########## Entries for TCL #########################
server <IP_first_NTP_server>
server <IP_second_NTP_server>
####################################################


3.7. Relay server configuration


Add the mail relay server hostname or IP in the /etc/mail/submit.cf file
# grep '^DS' /etc/mail/submit.cf
DS[115.114.148.230]

3.8. Network Firewall configuration
Add the below settings to the /etc/sysctl.conf file with the below command.
cat >> /etc/sysctl.conf <<EOF
#### CIS Benchmarks
net.ipv4.route.flush = 1

#### Disable Send packet redirects
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.route.flush=1

#### Disable source routing packets from being accepted.
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.route.flush=1

#### Disable ICMP Redirect acceptance
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.route.flush=1

#### Disable Secure ICMP Redirect acceptance
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.route.flush=1

#### Log suspicious packets
net.ipv4.conf.all.log_martians=1
net.ipv4.route.flush=1

#### Enable Ignore Broadcasts
net.ipv4.icmp_echo_ignore_broadcasts=1

#### Enable Bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses=1

#### Enable Source route validation
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

#### Enable TCP SYN cookies
net.ipv4.tcp_syncookies=1

#### Disable ipv6 router advertisements
net.ipv6.conf.default.accept_ra=0
net.ipv6.route.flush=1

#### Disable IPV6 redirect acceptance
net.ipv6.conf.default.accept_redirects=0
net.ipv6.route.flush=1
###################################################
EOF
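
Settings appended to /etc/sysctl.conf only reach the running kernel once the file is loaded (sysctl -p) or the server reboots, and a misspelled key is never applied at all. The following check is an added example, not part of the original SOP: it compares each key=value in a sysctl file with the live value under /proc/sys. The function names, the optional proc-root argument and the sample data are assumptions made for the example.

```bash
# Added example (not from the SOP): compare a sysctl.conf-style file with the
# values the running kernel actually uses. sysctl_drift is a hypothetical name.

# usage: sysctl_drift <conf_file> [proc_sys_root]
# Prints one line per problem; returns 0 if every key matches, 1 otherwise.
sysctl_drift() {
    local conf="$1" root="${2:-/proc/sys}" line key want path live rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                        # drop comments
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        # route.flush is a write-only trigger, so there is no value to read back
        case "$key" in *.flush) continue ;; esac
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -e "$path" ]; then
            echo "MISSING $key"                   # misspelled or unsupported key
            rc=1
            continue
        fi
        live=$(tr -d '[:space:]' < "$path")
        if [ "$live" != "$want" ]; then
            echo "DRIFT $key file=$want live=$live"
            rc=1
        fi
    done < "$conf"
    return "$rc"
}

# Constructed demo: a fake /proc/sys tree so the check runs offline, unprivileged.
demo_sysctl_drift() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/proc/net/ipv4/conf/all" "$d/proc/net/ipv4/conf/default"
    echo 0 > "$d/proc/net/ipv4/conf/all/send_redirects"
    echo 1 > "$d/proc/net/ipv4/conf/default/accept_redirects"   # file not loaded yet
    echo 1 > "$d/proc/net/ipv4/tcp_syncookies"
    cat > "$d/sysctl.conf" <<'EOF'
#### constructed sample
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.accept_source_route=0
net.ipv4.tcp_syncookies = 1
net.ipv4.route.flush=1
EOF
    sysctl_drift "$d/sysctl.conf" "$d/proc" || true
    rm -rf "$d"
}
```

On a server, run sysctl_drift /etc/sysctl.conf after sysctl -p; any line still printed points at a key the kernel did not take.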


3.9. Logging parameter


Add the below lines in the /etc/syslog.conf file

################# CIS Benchmarks
auth,user.*                                                         /var/log/messages
kern.*                                                              /var/log/kern.log
daemon.*                                                            /var/log/daemon.log
syslog.*                                                            /var/log/syslog
lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.*    /var/log/unused.log
####################################

3.10. System log security


Create and change permission and ownership of system log files

touch /var/log/messages /var/log/kern.log /var/log/daemon.log /var/log/syslog /var/log/unused.log

Change ownership of log files

chown root:root /var/log/messages /var/log/kern.log /var/log/daemon.log /var/log/syslog /var/log/unused.log

Change permission of log files

chmod og-rwx /var/log/messages /var/log/kern.log /var/log/daemon.log /var/log/syslog /var/log/unused.log

Restart syslog service

service rsyslog restart


3.11. Cron Restrictions

Remove cron.deny and at.deny file

rm /etc/at.deny /etc/cron.deny

Create cron.allow and at.allow file

touch /etc/at.allow /etc/cron.allow

Change ownership and permissions

chown root:root /etc/at.allow /etc/cron.allow
chmod og-rwx /etc/at.allow /etc/cron.allow

Add root in cron.allow and at.allow


echo root>>/etc/at.allow
echo root>>/etc/cron.allow

3.12.Secure ssh service


Change below parameters in /etc/ssh/sshd_config

Port 5522
Protocol 2
LogLevel VERBOSE
PermitRootLogin no
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitUserEnvironment no
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue
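
sshd takes the first value it reads for each keyword, so a hardening line appended below an existing setting has no effect, and a line placed after a Match statement only applies conditionally. The following audit of an sshd_config file against the parameters listed above is an added example, not part of the original SOP; the function names and the sample file are constructed for the example, and values are compared literally.

```bash
# Added example (not from the SOP): audit an sshd_config against the list above.
# Baseline copied from this section, one "Keyword value" pair per line.
SSHD_BASELINE='Port 5522
Protocol 2
LogLevel VERBOSE
PermitRootLogin no
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitUserEnvironment no
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue'

# usage: sshd_audit <sshd_config>   (hypothetical helper name)
# Prints WRONG/UNSET lines in baseline order; returns 1 if anything is reported.
sshd_audit() {
    printf '%s\n' "$SSHD_BASELINE" | awk -v conf="$1" '
        { want[tolower($1)] = $2; order[++n] = $1 }    # stdin: expected values
        END {
            while ((getline line < conf) > 0) {
                sub(/^[ \t]+/, "", line)
                if (line == "" || line ~ /^#/) continue
                split(line, f, /[ \t]+/)
                k = tolower(f[1])                       # keywords are case-insensitive
                if (k == "match") break                 # global section ends here
                if (!(k in seen)) { seen[k] = 1; got[k] = f[2] }   # first value wins
            }
            bad = 0
            for (i = 1; i <= n; i++) {
                k = tolower(order[i])
                if (!(k in seen)) { print "UNSET " order[i]; bad = 1 }
                else if (got[k] != want[k]) {
                    printf "WRONG %s=%s (want %s)\n", order[i], got[k], want[k]; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: an old value left in place, a commented-out line, and a
# setting that only exists inside a Match block.
demo_sshd_audit() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not taken from a real server
port 5522
Protocol 2
LogLevel VERBOSE
PermitRootLogin yes
#MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
PermitUserEnvironment no
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue
PermitRootLogin no
Match User backup
    X11Forwarding no
EOF
    sshd_audit "$f" || true
    rm -f "$f"
}
```

On a live server, sshd -T prints the effective configuration and can be checked the same way after the service restart.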

3.13. Pam Configuration

3.13.1. system authentication parameter change


Change the below lines in the /etc/pam.d/system-auth-ac file

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2 difok=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

3.13.2. System wide parameter change


Replace the /etc/pam.d/system-auth file with the below command

cat > /etc/pam.d/system-auth <<EOF
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_tally2.so deny=4 no_magic_root reset
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2 difok=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF
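
The root password rule from the installation step (8 characters, 2 of each class) and the pam_cracklib line above express the same policy: a negative credit makes that many characters of the class mandatory, while a positive credit (the module default is 1 per class, with minlen 9) only shortens the required length. The following model of that rule is an added example, not part of the original SOP; it follows the credit description in the pam_cracklib manual, covers only the length and character-class checks (no dictionary test, difok or remember), and its function names and sample passwords are constructed.

```bash
# Added example (not from the SOP): model of pam_cracklib length/credit rules.

# Count the characters of $1 that fall in the tr set $2 (ASCII passwords assumed).
count_class() { printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '; }

# usage: cracklib_accepts <password> "<pam_cracklib options>"   (hypothetical name)
# Prints ACCEPT, or REJECT followed by the rules that failed; returns 0 or 1.
cracklib_accepts() {
    local pw="$1" opt
    local minlen=9 lcredit=1 ucredit=1 dcredit=1 ocredit=1   # module defaults
    for opt in $2; do
        case "$opt" in
            minlen=*)  minlen="${opt#*=}" ;;
            lcredit=*) lcredit="${opt#*=}" ;;
            ucredit=*) ucredit="${opt#*=}" ;;
            dcredit=*) dcredit="${opt#*=}" ;;
            ocredit=*) ocredit="${opt#*=}" ;;
        esac
    done
    local n_l n_u n_d n_o need="$minlen" why="" pair name have credit
    n_l=$(count_class "$pw" 'a-z')
    n_u=$(count_class "$pw" 'A-Z')
    n_d=$(count_class "$pw" '0-9')
    n_o=$(( ${#pw} - n_l - n_u - n_d ))          # everything that is not alphanumeric
    for pair in "lower $n_l $lcredit" "upper $n_u $ucredit" \
                "digit $n_d $dcredit" "other $n_o $ocredit"; do
        set -- $pair
        name="$1"; have="$2"; credit="$3"
        if [ "$credit" -lt 0 ]; then
            # negative credit: at least |credit| characters of this class are mandatory
            if [ "$have" -lt $(( 0 - credit )) ]; then
                why="$why $name<$(( 0 - credit ))"
            fi
        else
            # positive credit: up to <credit> characters reduce the length still needed
            if [ "$have" -gt "$credit" ]; then have="$credit"; fi
            need=$(( need - have ))
        fi
    done
    if [ "${#pw}" -lt "$need" ]; then why="$why length<$need"; fi
    if [ -n "$why" ]; then
        echo "REJECT$why"
        return 1
    fi
    echo "ACCEPT"
}

# Options from the password line in this section.
TCL_POLICY='minlen=8 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2'

# Constructed sample passwords: the same string under this policy and under defaults.
demo_cracklib() {
    cracklib_accepts 'Summer2013!' "$TCL_POLICY" || true
    cracklib_accepts 'Summer2013!' '' || true
    cracklib_accepts 'Xy7#Xy7#' "$TCL_POLICY" || true
}
```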


3.14. Lock unwanted user account

Verify user account between id 3 to 500

awk -F: '($3>0 && $3<500){print $1}' /etc/passwd
Lock found accounts
awk -F: '($3>0 && $3<500){print $1}' /etc/passwd | xargs -t -I {} usermod -L {}

3.15. Remove login shell from unwanted user account

Verify user account between id 3 to 500 except sync, shutdown, halt

awk -F: '($3>0 && $3<500){print $1}' /etc/passwd | grep -v sync | grep -v shutdown | grep -v halt
Remove login shell from found accounts
awk -F: '($3>0 && $3<500){print $1}' /etc/passwd | grep -v sync | grep -v shutdown | grep -v halt | xargs -t -I {} usermod -s /sbin/nologin {}
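
To confirm the result of 3.14 and 3.15 before handover, the same UID range can be re-read together with the shadow file. The following check is an added example, not part of the original SOP: it lists every account in the range that still has an unlocked password field or a login shell, using the same exceptions as above. The function names and the sample passwd and shadow lines are constructed.

```bash
# Added example (not from the SOP): verify the result of sections 3.14 and 3.15.

# usage: system_account_audit <passwd_file> <shadow_file>   (hypothetical name)
# Prints one line per system account (0 < uid < 500) that still needs attention;
# returns 1 if any line is printed.
system_account_audit() {
    awk -F: '
        BEGIN { bad = 0 }
        NR == FNR { hash[$1] = $2; next }        # first file: shadow, field 2 = hash
        $3 > 0 && $3 < 500 {
            issues = ""
            # usermod -L prefixes the hash with "!"; "*" and "!!" also block password
            # login. An empty or missing field is reported as unlocked.
            if (hash[$1] !~ /^[!*]/) issues = issues " password-unlocked"
            # sync, shutdown and halt keep their special shells, as in section 3.15
            if ($1 !~ /^(sync|shutdown|halt)$/ && $7 !~ /\/(nologin|false)$/)
                issues = issues " login-shell=" $7
            if (issues != "") { print $1 " uid=" $3 issues; bad = 1 }
        }
        END { exit bad }
    ' "$2" "$1"
}

# Constructed sample files (no real accounts or hashes).
demo_account_audit() {
    local d
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
games:x:12:100:games:/usr/games:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
appsvc:x:498:498::/home/appsvc:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$constructed$notarealhash:15900:0:99999:7:::
bin:*:15900:0:99999:7:::
sync:*:15900:0:99999:7:::
games:!!:15900:0:99999:7:::
ftp:$6$constructed$notarealhash:15900:0:99999:7:::
appsvc:!$6$constructed$notarealhash:15900:0:99999:7:::
alice:$6$constructed$notarealhash:15900:0:99999:7:::
EOF
    system_account_audit "$d/passwd" "$d/shadow" || true
    rm -rf "$d"
}
```

On the server itself the call is system_account_audit /etc/passwd /etc/shadow, run as root so that the shadow file is readable.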

3.16.Change login account defaults

Configure below parameter in /etc/login.defs

PASS_MAX_DAYS 28
PASS_MIN_DAYS 7
PASS_MIN_LEN

PASS_WARN_AGE 7

3.17.Change messages for login


Copy files

cp /etc/motd /etc/issue
cp /etc/issue /etc/issue.net

Change ownership and permissions

chown root:root /etc/issue /etc/issue.net /etc/motd


chmod 644 /etc/issue /etc/issue.net /etc/motd

4. USER CREATION ON SERVER


4.1 System User group creation

groupadd -g 116 l2admin


groupadd -g 117 l1admin
groupadd -g 115 bb

4.2 System Admin users creation

for i in mewalal santosh senthild hashim yogesh jitendra yogeshd pap rimakwan dtiwari amakkar anilmaur \
sudreddy rsaki gokul shafiq gyadav arvind jude rajesh sudhakar dajwani sijo shegisht parmar krishnan rkoli \
surchoud sneha deven
do
/usr/sbin/useradd -c "System Admin" -g 116 $i ; echo "TAta12#$" | passwd $i --stdin
done
for i in dinesh rkyadav aravindk kmanoj
do
/usr/sbin/useradd -g 117 -c "System Admin" $i ; echo "TAta12#$" | passwd $i --stdin
done
for i in bbclient
do
/usr/sbin/useradd -g 115 -c "System Admin" $i
done


5. CACTI INSTALLATION
The following steps need to be followed to configure the server in CACTI with the templates required for the operating systems used in Tata Communications.

5.1. Prerequisite before running the deploy.sh installation script

a. The deploy.sh script installs the snmp package on the client server. This snmp agent on the client server communicates with the Cacti server (hostname: ipass).
b. Place the net-snmp-5.4.1.tar.gz package in the same folder from which the deploy.sh script will be executed. Note that the deploy.sh script extracts the net-snmp file by itself.
c. Ensure the make and gcc packages are installed; if they are not installed, install them.

5.2. Agent Installation

a. Download the latest net-snmp package.


b. Run the deploy.sh script. This script is available in bkpstg-vashi under
i. /export/home/scripts/cacti/sun for Sun servers
ii. /export/home/scripts/cacti/aix for AIX servers.
iii. For HPUX, directly install the net-snmp depot files.


5.3. Checking snmp on client

After the 2.2 step completes confirm that the snmp daemon is started
$ ps -ef | grep snmp
root 220 1 0 18:24:18 ? 0:00 /usr/local/sbin/snmpd

5.4. Configuring snmp on client

a. Ensure the snmpd.conf file contains the entries for the Cacti server (ipass) IP.
Edit /usr/local/share/snmp/snmpd.conf on the client.

Add the below mentioned entries if they are not present

rocommunity operations 127.0.0.1
rocommunity operations 203.200.235.241
rocommunity operations 172.16.28.241
rocommunity operations 172.16.24.45

b. After editing the /usr/local/share/snmp/snmpd.conf file, restart the snmpd daemon

$ /usr/bin/pkill -HUP snmpd

c. Confirm that the path LD_LIBRARY_PATH=/usr/local/ssl/lib is set on the client.

d. After configuring the snmpd.conf file, check the ping response.

If two-way ping is not working, i.e. from the client to ipass and from ipass to the client, then we need to add the relevant route on the client and on the ipass server.
Ensure connectivity from both ends.

5.5. Checking the resolution from CACTI server


a. After completion of 2.4 and 2.5, ensure that the Cacti server (ipass) is able to get the resolution with the below mentioned command.
ipass$ snmpget -v 2c -c operations 172.16.142.77 sysName.0

The output of this command will be

SNMPv2-MIB::sysName.0 = STRING: dnsIPv6-S1

Where 172.16.142.77 is the client IP address and dnsIPv6-S1 is the client hostname.

6. NMON INSTALLATION

6.1. Nmon directory creation


Create directories for Nmon
sudo mkdir -m 744 /home/scripts
sudo mkdir -m 744 /home/scripts/nmon-data

6.2. Create ksh shell script for nmon execution


Create the /home/scripts/nmon-data.ksh file and add the below lines
sudo vi /home/scripts/nmon-data.ksh
####Add below lines######
mydate=`date "+%d%m%y"`
hname=`hostname`
fname="nmon.$hname.$mydate.nmon"
/usr/bin/nmon -tF "/home/scripts/nmon-data/$fname" -s 600 -c 144
/bin/chmod 644 "/home/scripts/nmon-data/$fname"

6.3. Change permission of script


sudo chmod 744 /home/scripts/nmon-data.ksh
6.4. Install RPM
sudo rpm -Uvh nmon-14g-1.el6.rf.x86_64.rpm

6.5. Crontab Entry


Edit crontab and add the below entry.
sudo crontab -e
5 0 * * * /home/scripts/nmon-data.ksh

6.6 Nmon output will be generated in /home/scripts/nmon-data/
