Purpose:
To reduce time and provide elaborate documentation of a new Linux server installation in the Infra setup. This document provides details and the procedure for installation, configuration and hardening of a Linux server, along with Cacti and NMON installation.
Scope:
Since Linux installation and hardening is a frequent activity in Infra support, this document will help with new server installation and handover.
Responsible Unit: Tata Communications
Process Owner: Md. Shamim
Document: SOP
Confidentiality Status: Internal
Identity number:
Document Status: Draft
Effective Date: 24-Jul-2013
Revision: 1.0
Original Language: English
This document and its contents are the property of Tata Communications or its subsidiaries. This document contains confidential proprietary information. The reproduction, distribution,
utilization or the communication of this document or any part thereof, without express authorization is strictly prohibited. Offenders will be held liable for the payment of damages.
2008, Tata Communications or its subsidiaries. All rights reserved.
Translated By: Name / Function
Translation Languages: Name / Function
Revision Log
Revision | Date (yyyy-mm-dd) | Prepared By | Description of Changes
1.0 | 2013-07-24 | Anshu Makkar | First Version
Approval Log
Revision | Date (yyyy-mm-dd) | Document Owner
Confidential and Proprietary 2010 Tata Communications, Ltd. All Rights Reserved
Page 2 of 35
Table of Contents
1 INTRODUCTION 5
2 LINUX INSTALLATION 5
2.1 Download Red Hat Enterprise Linux ISO 5
2.2 Burn ISO on DVD 6
2.3 Linux Installation 6
3 LINUX HARDENING 20
3.1 Remove unwanted file systems 20
3.2 Remove unwanted services 20
3.3 Remove unwanted packages 21
3.4 Change default run level 21
3.5 /etc/sysconfig/network file 21
3.6 NTP client configuration 21
3.7 Relay server configuration 21
3.8 Network firewall configuration 22
3.9 Logging parameter 23
3.10 System log security 23
3.11 Cron restrictions 24
3.12 Secure ssh service 25
3.13 PAM configuration 25
3.13.1 System authentication parameter change 25
3.13.2 System wide parameter change 25
3.14 Lock unwanted user account 27
3.15 Remove login shell from unwanted user account 27
3.16 Change login account defaults 27
3.17 Change messages for login 27
4 USER CREATION ON SERVER 28
4.1 System user group creation 28
4.2 System admin users creation 28
1. INTRODUCTION
Linux installation is a frequent request. Any Linux installation and configuration must adhere to TCL standards and security policies. During Linux installation and configuration we might miss some configuration or contradict the standard TCL configuration. This document will help while installing and configuring Linux for any request for an OS reinstall or a new server configuration.
TCL has defined strict guidelines for OS hardening. Every server must go through the hardening process and qualify against the defined hardening criteria before going live in production. All vulnerabilities must be closed during hardening, along with the removal of unwanted packages, file systems and services. This document also contains the hardening procedure defined and approved by TCL, and will help while hardening a new OS or checking the hardening status of a server yet to be handed over.
We spend a good amount of our time monitoring the servers. At our infra support we use two tools, Nmon and Cacti, to capture the state of a server at any point in time. These tools help us monitor and study the system state and usage patterns with the help of graphs, and are very helpful while analysing issues related to server performance. The last part of this document provides the steps to install Cacti and NMON on the installed and hardened server.
2. LINUX INSTALLATION
The below are steps to install Linux on bare metal or already created VM on ESX host.
2.1 Download Red hat Enterprise Linux ISO
https://rhn.redhat.com/rhn/software/downloads/SupportedISOs.do
Red hat support login required to download the ISO.
Fig 1: First installation screen
Select "Install or upgrade an existing system".
Fig 7: Hostname
As per TCL policy, Linux file systems should be on LVM, except /boot.
/boot should be a 200-500 MB standard partition.
The rest of the space should be divided into 2 LVM physical volumes, one for OS partitions and one for application partitions.
TCL recommended OS partitions and sizes (table only partly recoverable):
/boot
vg_root
(As per application requirement)
Install the boot loader on the disk (the first disk in case of more than one disk).
A boot loader password can also be used to increase security.
Note: We do not change the boot loader location or use a password for the boot loader.
If you are not sure which packages are required, use Basic Server and customize later (set up yum after installation and install the required packages).
After this step all packages will be installed. Ideally it should take 20-25 minutes.
3. HARDENING
IMP: Take a backup of every file you change while hardening, with the command below.
cp -p <file_name> <file_name>.befhard
accepted.
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.route.flush=1
net.ipv4.conf.default.secure_redirects=0
net.ipv4.route.flush=1
/var/log/messages
kern.*                                                             /var/log/kern.log
daemon.*                                                           /var/log/daemon.log
syslog.*                                                           /var/log/syslog
lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.*   /var/log/unused.log
####################################
/var/log/messages
/var/log/kern.log
/var/log/daemon.log
/var/log/syslog
/var/log/kern.log
/var/log/daemon.log
/var/log/syslog
/var/log/messages
3.12 Secure ssh service (/etc/ssh/sshd_config)
Port 5522
Protocol 2
LogLevel VERBOSE
PermitRootLogin no
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitUserEnvironment no
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue
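A compliance check for the sshd_config settings listed above, added here as an example (it is not part of the TCL SOP): it reads the effective value of each required directive from a given file and reports any that are missing or set differently. The sample file at the end is constructed for the demo.

```shell
#!/bin/sh
# Added audit helper, not part of the TCL SOP: compare an sshd_config file with
# the directives section 3.12 requires and report any drift. Pass the file to
# check (e.g. /etc/ssh/sshd_config); exit status 0 means compliant.

# Required "Directive value" pairs, copied from section 3.12.
SSHD_REQUIRED='Port 5522
Protocol 2
LogLevel VERBOSE
PermitRootLogin no
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitUserEnvironment no
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue'

# Effective value of one directive. sshd honours the first uncommented
# occurrence of a keyword and ignores later duplicates, so stop at the first.
sshd_effective() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# One "Directive expected=<x> actual=<y>" line per directive that is missing
# or set differently; prints nothing when the file is compliant.
audit_sshd_config() {
    printf '%s\n' "$SSHD_REQUIRED" | while read -r key want; do
        got=$(sshd_effective "$1" "$key")
        [ "$got" = "$want" ] || echo "$key expected=$want actual=${got:-<unset>}"
    done
}

# Exit 0 only when the audit reports nothing.
sshd_config_compliant() {
    [ -z "$(audit_sshd_config "$1")" ]
}

# Demo on a constructed sample: stock-looking config with defaults commented
# out, root login still allowed and the SOP's port not yet applied.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Protocol 2' 'PermitRootLogin yes' 'X11Forwarding no' > "$sample"
audit_sshd_config "$sample"
rm -f "$sample"
```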
3.13.1 System authentication parameter change
Only fragments of this part survive the extraction: the password stack is changed so that the cracklib line carries ocredit=-2 difok=3, followed by the password sufficient line.
password    requisite     pam_cracklib.so ... ocredit=-2 difok=3
password    sufficient    ...
3.13.2 System wide parameter change
The file is written with a here-document ending in EOF. Module names and options that the extraction dropped (the pam_succeed_if.so lines, the pam_cracklib.so and password pam_unix.so options) are filled in from the RHEL 6 default system-auth; the lines carrying pam_tally2.so and the ocredit/difok options are the SOP's own changes.
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_tally2.so deny=4 no_magic_root reset
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type= ocredit=-2 difok=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF
3.14 Lock unwanted user account
List the accounts with UID 1-499 other than sync, shutdown and halt:
awk -F: '($3>0 && $3<500){print $1}' /etc/passwd | grep -v sync | grep -v shutdown | grep -v halt
Lock the accounts found.
3.15 Remove login shell from unwanted user account
awk -F: '($3>0 && $3<500){print $1}' /etc/passwd | grep -v sync | grep -v shutdown | grep -v halt
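A check for sections 3.14 and 3.15 together, added here as an example (not part of the TCL SOP): it applies the same UID 1-499 selection as the awk filter above, then reports every selected account whose shadow entry is not locked or which still has a login shell. The passwd and shadow files are passed as arguments; the sample files in the demo are constructed and their hashes are placeholders.

```shell
#!/bin/sh
# Added check, not part of the TCL SOP: audit the accounts sections 3.14 and
# 3.15 act on (UID 1-499 except sync, shutdown and halt) and report any still
# unlocked in shadow or still holding a login shell (/etc/passwd /etc/shadow).

system_accounts() {
    awk -F: '$3 > 0 && $3 < 500 && $1 != "sync" && $1 != "shutdown" && $1 != "halt" { print $1 }' "$1"
}

# Field <n> of user <u>'s entry in a colon-separated file (passwd or shadow).
field_of() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# Prints "<user> unlocked" when the shadow hash field is not locked (a locked
# entry starts with "!" or "*") and "<user> shell=<shell>" when the account
# still has a login shell (an empty shell field means /bin/sh to login).
audit_system_accounts() {
    system_accounts "$1" | while read -r user; do
        case "$(field_of "$2" "$user" 2)" in
            '!'*|'*'*) ;;
            *) echo "$user unlocked" ;;
        esac
        shell=$(field_of "$1" "$user" 7)
        case "${shell:-/bin/sh}" in
            /sbin/nologin|/bin/false) ;;
            *) echo "$user shell=${shell:-/bin/sh}" ;;
        esac
    done
}

# Demo on constructed sample files (hashes are placeholders, not real ones).
pw=$(mktemp); shd=$(mktemp)
cat > "$pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
oracle:x:300:300:Oracle:/home/oracle:/bin/bash
amakkar:x:500:116:System Admin:/home/amakkar:/bin/bash
EOF
cat > "$shd" <<'EOF'
root:$6$placeholder:15900:0:99999:7:::
sync:*:15900:0:99999:7:::
postfix:!!:15900:0:99999:7:::
oracle:$6$placeholder:15900:0:99999:7:::
amakkar:$6$placeholder:15900:0:99999:7:::
EOF
audit_system_accounts "$pw" "$shd"
rm -f "$pw" "$shd"
```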
3.16 Change login account defaults (/etc/login.defs)
PASS_MAX_DAYS 28
PASS_MIN_DAYS 7
PASS_MIN_LEN
PASS_WARN_AGE 7
cp /etc/motd /etc/issue
cp /etc/issue /etc/issue.net
4. USER CREATION ON SERVER
for i in mewalal santosh senthild hashim yogesh jitendra yogeshd pap rimakwan dtiwari amakkar anilmaur \
    sudreddy rsaki gokul shafiq gyadav arvind jude rajesh sudhakar dajwani sijo shegisht parmar krishnan rkoli \
    surchoud sneha deven
do
/usr/sbin/useradd -c "System Admin" -g 116 $i ; echo "TAta12#$" | passwd $i --stdin
done
for i in dinesh rkyadav aravindk kmanoj
do
/usr/sbin/useradd -g 117 -c "System Admin" $i ; echo "TAta12#$" | passwd $i --stdin
done
for i in bbclient
do
/usr/sbin/useradd -g 115 -c "System Admin" $i
done
5. CACTI INSTALLATION
The following steps need to be followed to configure the server in Cacti with the templates required for the operating systems used in Tata Communications.
a. deploy.sh is the script that installs the snmp package on the client server. This snmp agent on the client server communicates with the Cacti server (hostname: ipass).
b. Get the net-snmp-5.4.1.tar.gz package into the same folder from which the deploy.sh script is executed. Note that the deploy.sh script extracts the net-snmp file by itself.
c. Ensure the make and gcc packages are installed; if they are not, install them.
After step 2.2 completes, confirm that the snmp daemon has started:
$ ps -ef | grep snmp
root       220     1  0 18:24:18 ?        0:00 /usr/local/sbin/snmpd
a. Ensure the snmpd.conf file contains the entries for the Cacti server (ipass) IP.
Edit /usr/local/share/snmp/snmpd.conf on the client.
c. After completion of 2.4 and 2.5, ensure that the Cacti server (ipass) is able to get the resolution with the command below.
ipass$ snmpget -v 2c -c operations 172.16.142.77 sysName.0
6. NMON INSTALLATION