Viraj Alankar
| Version | Date       | Comment                                              |
| 1.2     | 10/04/2002 | Fixed ed bug in grub.conf updating                   |
|         |            | Fixed grub.conf to not include -dumb serial option   |
|         |            | Fixed grub.conf to update smp serial console lines   |
|         |            | Added -nodeps to rpm updates                         |
| 1.1     | 05/31/2002 | Fixed a bug in grub.conf updating                    |
| 1.0     | 05/30/2002 | Initial version                                      |
The aim of this document is to set out a standard policy for installations of Redhat Linux 7.3 servers within our company. Though this document is tailored for Redhat Linux 7.3, many of the ideas can be changed to apply to other versions of Redhat Linux and UNIX in general.
Security is an ongoing process. This document cannot teach you how to keep your systems secure, but it is a starting point. Stock installations of Redhat Linux are too wide open to attacks, so some effort must be made to secure the system after the initial installation. This document will try to cover most of those aspects and provide some recommendations for keeping the system secure.
Once all of the security related aspects of a Linux installation are understood, it is highly recommended that this be automated with Kickstart for future installations. Doing everything by hand is very prone to errors. Our company provides a Kickstart server for Redhat Linux 7.3 which applies all of the guidelines mentioned in this document, and it is recommended that you use it. See Appendix C for more information.
Automation of the below tasks can be done very easily, and Appendix A provides example scripts that can be used.
The specifics of initially installing Redhat Linux are not important, and depending on the scenario you may need to do special partitioning and selection of packages based on what the system will be doing. The following are guidelines you should follow.
Select ALL packages if installing on a drive larger than 5 gigabytes. One reason for this is convenience. There may be a package you will need later and it is much better to have this readily available than to install it from RPMs later. Security related changes in regards to SUID binaries and listening services will be one of the first things taken care of, so installing all packages does not mean they will be kept enabled.
Another reason for this is to avoid installing RPMs after you have secured the system that basically undo what you have done, for example creating new SUID binaries that you are unaware of, or starting a new service listening on a TCP port.
A good rule of thumb is to multiply the physical memory by 1.5 or 2.
The simplest filesystem layout is to create a very large / (root) partition. The main argument against this is a rogue logfile can eat up all of the filesystem. I found that this rarely happens, and when you are monitoring disk usage on your systems it does not become a problem. Redhat Linux 7.3 defaults to the ext3 filesystem, which has journaling capabilities and reduces the fsck times on bootup. Use of the ext3 filesystem is recommended. If you are not using ext3, do not make the / partition larger than 9 or 10 gigabytes because fsck times can take very long.
Redhat Linux 7.3 has introduced the concept of firewall security settings at initial install such as medium, high, etc. Though this is a good concept, I believe it will cause more frustration than it actually solves. Properly disabling services that you do not need is a better route than firewalling them off. It is recommended that you disable this option.
This is not to say that firewalling is useless on the local system. There are many cases where you may want to employ local firewalling, for example when running a local MySQL server that shouldn't be accessed from the outside it may be easier to just firewall the port instead of reconfiguring MySQL to not listen for TCP connections. However to do this the firewalling functions (iptables) should be understood fully.
Since this document is in regards to servers, you should not attempt to configure X Windows. There is no reason a server should be running a GUI, and all administration should be done only via console (serial or otherwise) or SSH.
A non-privileged user with the name admin should be created with the default company admin password. This user should be used for all administrative tasks by su'ing to root. You should avoid ever logging in to the system as the root user.
Once the system is installed, all patches and updates should be applied. It is important to do this before making any other changes because many RPMs can undo your changes. Depending on the package being upgraded, this may be a complicated process, especially when dealing with kernel RPMs. See Appendix A.1 for information on how to install these.
The patches are supplied by Redhat and listed on
http://www.redhat.com/support/errata/rh73-errata.html.
Note that the ordering of patch installation is somewhat important.
They should all be installed with:
rpm -Fvh --nodeps filename
Once the system is installed, the first thing to do is disable unneeded or unknown services. Daemons are started by S* scripts in /etc/rc.d/rc*.d. Redhat provides a standard way to disable these scripts with the command /sbin/chkconfig. The command should be used as follows:
/sbin/chkconfig --level 235 service off
This will disable service for all of the major runlevels (2, 3, and 5). It is important that all of these runlevels are specified because the service may startup when you accidentally go to the wrong runlevel.
The following is a list of services that should be disabled and a brief explanation of what they are and why you should disable them. Note that you may actually need some of these services. If that is the case, you should enable the ones you need afterwards, fully understanding any implications.
If you will need to run any of the above services, there should be a clear and understood reason why.
Reboot the system so the changes from above take effect. At this point you should check what ports are being listened on by running the following command as root.
netstat -nlp --inet
The output should have NO MORE than the following:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      655/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      698/sendmail: ac
You may also see sshd listening on a port above 6000. This is fine and is for the X tunneling. Note that sendmail is also accepting connections but only on the localhost interface. There should be no other ports listening at this point. The process listing should also be very minimal and look like the following:
[root@localhost /]# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  1 13:58 ?        00:00:03 init
root         2     1  0 13:58 ?        00:00:00 [keventd]
root         3     1  0 13:58 ?        00:00:00 [kapmd]
root         4     1  0 13:58 ?        00:00:00 [ksoftirqd_CPU0]
root         5     1  0 13:58 ?        00:00:00 [kswapd]
root         6     1  0 13:58 ?        00:00:00 [bdflush]
root         7     1  0 13:58 ?        00:00:00 [kupdated]
root         8     1  0 13:58 ?        00:00:00 [mdrecoveryd]
root        16     1  0 13:58 ?        00:00:00 [kjournald]
root        95     1  0 13:58 ?        00:00:00 [khubd]
root       538     1  0 13:58 ?        00:00:00 syslogd -m 0
root       543     1  0 13:58 ?        00:00:00 klogd -x
root       655     1  0 13:58 ?        00:00:00 /usr/sbin/sshd
root       698     1  0 13:58 ?        00:00:00 sendmail: accepting
root       717     1  0 13:58 ?        00:00:00 crond
root       742     1  0 13:58 tty1     00:00:00 /sbin/mingetty tty1
root       743     1  0 13:58 tty2     00:00:00 /sbin/mingetty tty2
root       744     1  0 13:58 tty3     00:00:00 /sbin/mingetty tty3
root       745     1  0 13:58 tty4     00:00:00 /sbin/mingetty tty4
root       746     1  0 13:58 tty5     00:00:00 /sbin/mingetty tty5
root       747     1  0 13:58 tty6     00:00:00 /sbin/mingetty tty6
root       761   655  0 14:00 ?        00:00:00 /usr/sbin/sshd
root       763   761  0 14:00 pts/0    00:00:00 -bash
root       838   763  0 14:04 pts/0    00:00:00 ps -ef
Verify that there is nothing else running. If other processes and ports are listed, find out which startup script or process is starting this service and disable it. Repeat the reboots until you have disabled everything properly. Note that process names surrounded by [] are normally kernel processes.
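The "no more than the following" check above can be made repeatable so that it can be re-run after every reboot or package update. The script below is an added example and is not part of the original document or the company's Kickstart scripts: it parses the output format of netstat -nlp --inet (a constructed sample is embedded so it runs offline) and prints every listening socket that is not in the allowed set of sshd on port 22 and sendmail on 127.0.0.1:25. The function names, the allowed list and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original document): parse the output of
# "netstat -nlp --inet" and report any listening socket outside the policy's
# allowed set. The sample output and the function names are constructed.
LC_ALL=C; export LC_ALL

# Allowed listeners per the policy: sshd on all interfaces, sendmail on loopback only.
# Format: <local address>:<port> <program name>
ALLOWED='0.0.0.0:22 sshd
127.0.0.1:25 sendmail'

# Constructed sample of netstat -nlp --inet output with two listeners that
# should not be there (portmap on tcp/111 and syslogd on udp/514).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      655/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      698/sendmail: ac
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      470/portmap
udp        0      0 0.0.0.0:514             0.0.0.0:*                           538/syslogd'

# unexpected_listeners <netstat output> <allowed list>
# Prints "proto local-address program" for each socket not in the allowed list.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN {
            n = split(allowed, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                ok[f[1] " " f[2]] = 1
            }
        }
        $1 == "tcp" || $1 == "udp" {
            laddr = $4
            # The PID/Program column is the first field of the form "<pid>/<name>";
            # its position differs between tcp (has a State column) and udp (does not).
            prog = ""
            for (i = 5; i <= NF; i++) if ($i ~ /^[0-9]+\//) { prog = $i; break }
            sub(/^[0-9]+\//, "", prog)   # drop "<pid>/"
            sub(/:$/, "", prog)          # netstat shows "sendmail: accepting" as "sendmail: ac"
            if (!((laddr " " prog) in ok)) print $1, laddr, prog
        }'
}

# Live check on the host itself (run as root so netstat can show program names).
audit_listeners() {
    unexpected_listeners "$(netstat -nlp --inet 2>/dev/null)" "$ALLOWED"
}

if [ "${1:-}" = "--live" ]; then
    audit_listeners
else
    unexpected_listeners "$SAMPLE_NETSTAT" "$ALLOWED"
fi
```

Run with --live on the server to audit the real socket table; without arguments it runs against the embedded sample and prints the portmap and syslogd lines. If X tunneling is in use, the sshd listener on a port above 6000 that the text mentions would also be reported, so add it to ALLOWED only on hosts where that is expected.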
SUID binaries are programs that run as the user ID who owns the file. Likewise, SGID binaries are programs that run as the group ID that owns the file. Many of them can be exploited to gain root access, so you should be cautious of these binaries and be able to provide a reason why you have left them with these permissions. If you cannot, you should disable them. Use the following command to find such binaries:
find / -type f -perm -u+s -ls > /suidprogs
find / -type f -perm -g+s -ls > /guidprogs
Look at the /suidprogs and /guidprogs files and determine what should be kept as is and what should be modified.
Remove SUID permissions with the following command:
chmod u-s filename
Remove SGID permissions with the following command:
chmod g-s filename
The following are recommended for SUID permission removal:
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/lppasswd
/usr/bin/kcheckpass
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/inndstart
/usr/bin/rnews
/usr/bin/startinnfeed
/usr/bin/nwsfind
/usr/bin/suidperl
/usr/bin/sperl5.6.1
/usr/bin/cu
/usr/bin/uucp
/usr/bin/uuname
/usr/bin/uustat
/usr/bin/uux
/usr/lib/mc/bin/cons.saver
/usr/lib/amanda/calcsize
/usr/lib/amanda/killpgrp
/usr/lib/amanda/rundump
/usr/lib/amanda/runtar
/usr/lib/amanda/dumper
/usr/lib/amanda/planner
/usr/sbin/ping6
/usr/sbin/traceroute6
/usr/sbin/userhelper
/usr/sbin/usernetctl
/usr/sbin/userisdnctl
/usr/sbin/amcheck
/usr/sbin/uucico
/usr/sbin/uuxqt
/usr/X11R6/bin/XFree86
/bin/mount
/bin/umount
The following are recommended for SGID permission removal:
/usr/bin/slocate
/usr/bin/kdesud
/usr/bin/gnome-stones
/usr/bin/gataxx
/usr/bin/glines
/usr/bin/gnibbles
/usr/bin/gnobots2
/usr/bin/gnotravex
/usr/bin/gnomine
/usr/bin/mahjongg
/usr/bin/gnotski
/usr/bin/gtali
/usr/bin/iagno
/usr/bin/same-gnome
/usr/bin/slrnpull
/usr/bin/cu
/usr/bin/uuname
/usr/sbin/gnome-pty-helper
/usr/sbin/uucico
/usr/sbin/uuxqt
/usr/X11R6/bin/xbill
/sbin/netreport
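The find commands above give a one-time inventory; the document's own warning that later RPM installs can quietly re-create SUID binaries means the inventory is worth repeating. The script below is an added example, not part of the original document or its Kickstart scripts, and goes a step beyond the text: it saves the SUID/SGID listing as a baseline and reports any entry that is new or whose mode or ownership changed. The baseline and the "current" listing embedded here are constructed sample data, and the paths in them (including /usr/local/bin/newtool) are illustrations only.

```shell
#!/bin/sh
# Added example (not from the original document): detect drift in the SUID/SGID
# inventory against an approved baseline. BASELINE and CURRENT_INV are
# constructed sample data; the paths in them are only illustrations.
LC_ALL=C; export LC_ALL

# Approved baseline after the policy's chmod u-s / g-s pass (constructed).
# Format: mode owner group path
BASELINE='4755 root root /bin/su
4755 root root /usr/bin/passwd
4755 root root /usr/bin/sudo
2755 root utmp /usr/bin/write'

# Current inventory (constructed): chsh has regained SUID (for instance after an
# RPM update, which the document warns about) and an unknown SUID file appeared.
CURRENT_INV='4755 root root /bin/su
4711 root root /usr/bin/chsh
4755 root root /usr/bin/passwd
4755 root root /usr/bin/sudo
2755 root utmp /usr/bin/write
4755 root root /usr/local/bin/newtool'

# suid_inventory <dir>: list SUID/SGID regular files under <dir> in baseline format.
# -printf is a GNU find extension, which is what Redhat 7.3 ships.
suid_inventory() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %g %p\n' 2>/dev/null | sort
}

# suid_drift <baseline text> <current text>: print every "mode owner group path"
# entry present now but absent from the baseline, i.e. new SUID/SGID files or
# files whose mode or ownership changed since the baseline was taken.
suid_drift() {
    b=$(mktemp) || return 1
    c=$(mktemp) || { rm -f "$b"; return 1; }
    printf '%s\n' "$1" | sort > "$b"
    printf '%s\n' "$2" | sort > "$c"
    comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# Live usage: save a baseline once after the chmod pass, then compare on a
# schedule (for example from cron):
#   suid_inventory / > /var/lib/suid.baseline
#   suid_drift "$(cat /var/lib/suid.baseline)" "$(suid_inventory /)"
if [ "${1:-}" = "--demo" ]; then
    suid_drift "$BASELINE" "$CURRENT_INV"
fi
```

Any line the drift check prints should be either explained (and added to the baseline) or have its SUID/SGID bit removed with chmod u-s or chmod g-s as described above. Comparing the full "mode owner group path" tuple rather than the path alone is deliberate: a file that kept its name but changed owner or picked up an extra permission bit shows up as well.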
The default Apache CGI binaries should be restricted from being accessed. Also the installed index.html file should be made unreadable. Use the following command to remove the permissions on these files:
chmod 000 /var/www/cgi-bin/*
chmod 000 /var/www/nut-cgi-bin/*
chmod 000 /var/www/html/index.html
Once the basic security changes have been made, certain system and daemon configuration files should be modified to further secure the system.
Normally, 6 gettys (console logins) are started. On a server this is unnecessary, and you should not need more than 2. Comment out the extra ones in /etc/inittab:
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
Configuring a serial console makes remote administration much easier. Enabling this option changes the way Redhat Linux boots on a normal VGA and keyboard console. The main difference is that you will not see the Redhat startup scripts running on the VGA monitor, so the system may appear hung after the kernel loads; the output of these scripts is sent to the serial console only. Once the scripts have finished running you should see a login: prompt on the VGA console as well as on the serial console. The main problem with this is that if a startup script hangs, for example while network interfaces are being brought up, you will not know unless you have a serial console connected. If you think this may be happening and you do not have a serial console, one option is to select the second boot image at the boot loader stage, which is not configured for serial console. Everything will go to the VGA console for that image and you can diagnose any problems at that point.
One other difference after applying these changes is that the boot loader will show the text Press any key to continue for 10 seconds to both the serial console and VGA console. If no key is pressed on the VGA console, you will not see or be able to control the boot loader from the VGA console. You will only see when the kernel starts booting.
In order to setup serial console on the machine, you will need to install the getty_ps RPM. This can be found in the Redhat contrib directory as:
getty_ps-2.0.7j-3.i386.rpm
A getty should be started on the first serial port. Add the following to /etc/inittab:
# Serial Console
S2:12345:respawn:/sbin/getty ttyS0 DT9600 vt100
You will need to allow root login on this serial console. Add the following to /etc/securetty:
ttyS0
The next step is to modify /etc/grub.conf to make the boot loader use the serial console as well. You will need to comment out the splashimage line and add the following before it:
serial --unit=0 --speed=9600
terminal --timeout=10 serial console
Finally, add console=tty0 console=ttyS0 to the first uncommented kernel line in the file. The following is an example /etc/grub.conf file with all necessary changes:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You do not have a /boot partition. This means that
# all kernel and initrd paths are relative to /, eg.
# root (hd0,0)
# kernel /boot/vmlinuz-version ro root=/dev/sda1
# initrd /boot/initrd-version.img
#boot=/dev/sda
default=0
timeout=10
serial --unit=0 --speed=9600
terminal --timeout=10 serial console
#splashimage=(hd0,0)/boot/grub/splash.xpm.gz
title Red Hat Linux (2.4.9-13smp)
root (hd0,0)
kernel /boot/vmlinuz-2.4.9-13smp ro root=/dev/sda1 console=tty0 console=ttyS0
initrd /boot/initrd-2.4.9-13smp.img
title Red Hat Linux (2.4.9-13debug)
root (hd0,0)
kernel /boot/vmlinuz-2.4.9-13debug ro root=/dev/sda1
initrd /boot/initrd-2.4.9-13debug.img
title Red Hat Linux (2.4.9-13)
root (hd0,0)
kernel /boot/vmlinuz-2.4.9-13 ro root=/dev/sda1 console=tty0 console=ttyS0
initrd /boot/initrd-2.4.9-13.img
Login banners give away important information on the system, such as Redhat Linux logos and other things useful to attackers. The following commands should be performed to remove these banners:
rm -f /etc/motd
cat /dev/null > /etc/issue
cat /dev/null > /etc/issue.net
/etc/resolv.conf should be verified to contain the correct information and only contain what is necessary. The following are the recommended contents:
search ourcompany.bogus
nameserver 1.2.3.4
nameserver 5.6.7.8
Our company's time server is tick.ourcompany.bogus. You will need to set up scripts to sync the time and also set the hardware clock from the system clock.
Save the following script to /etc/cron.hourly/time_sync.pl with permission 755 to sync time every hour:
#!/usr/bin/perl
# Hourly time sync. Sleep a random number of seconds first so that all hosts
# do not hit the time server at the same instant every hour.
$MAX_SLEEP = 60;
$RDATE = "/usr/bin/rdate -s";
$TIMEHOST = "tick.ourcompany.bogus";
$sleep_time = rand($MAX_SLEEP);
sleep($sleep_time);
# Set the system clock from the time server; discard output and errors.
system("$RDATE $TIMEHOST > /dev/null 2>&1");
Save the following script to /etc/cron.daily/sethwclock.sh to set the hardware clock every day:
#!/bin/sh
/usr/sbin/setclock
Syslog should be set up to send messages to a centralized syslog server. The following line is recommended to be added, commented out, to /etc/syslog.conf. It should be left commented out until your system's IP address has been entered into our company's DNS server.
#*.info @syslog0.ourcompany.bogus
The full installation of Redhat Linux 7.3 also installs the mailman mailing list manager. This package runs a queue process every minute, which is a waste of resources if the system is not going to be running mailing lists. To disable it, edit /var/spool/cron/mailman and comment out every line.
MRTG is also run via /etc/crontab. Comment this out unless you need it.
By default, Apache is configured to be too descriptive in HEAD requests and server error pages. The following line should be modified in /etc/httpd/conf/httpd.conf to remove the Apache version information from error pages:
ServerSignature off
The following line should be added to /etc/httpd/conf/httpd.conf to make HEAD requests less descriptive:
ServerTokens Prod
wu-ftpd is known for security holes. By default FTP is disabled, but to prevent problems if you enable FTP, disable anonymous FTP access by removing the anonftp package from the system with the following command:
rpm -e anonftp
Tripwire requires lots of configuration to run properly. Remove the package unless you need it:
rpm -e tripwire
The logwatch program mails root with various system information daily and has been known to have security problems. Remove this package with the below command.
rpm -e logwatch
You should configure sendmail to use a smart host to relay mail through and also not give away version information in its banners. The smart host should be a mail server that you can relay through. It is recommended you make these changes to the mc rather than the cf file directly.
For example, if mail.ourcompany.bogus will be your mail relay, add the following to the end of /etc/mail/sendmail.mc:
define(`SMART_HOST', `mail.ourcompany.bogus')
define(`confSMTP_LOGIN_MSG', `$j Postfix')dnl
Then regenerate the cf file with the following command:
mv /etc/sendmail.cf{,.orig}
cd /etc/mail
m4 sendmail.mc > /etc/sendmail.cf
If you are configuring the system to be able to receive mail, i.e. it will be listening on port 25, you must check whether your system is an open relay. The easiest way is to run the following command from the system:
telnet relay-test.mail-abuse.org
This will go through a sequence of relay tests on your machine. If any fail you must resolve the issue and not leave the mail services running.
SSHD configuration should be modified to disallow root logins. The following line should be modified in /etc/ssh/sshd_config:
PermitRootLogin no
This section is not finished.
You can get the system to single user mode from the GRUB boot loader. At bootup, hit any key to display the GRUB menu. Press 'a' to modify kernel parameters. If you are not on serial console, remove the 'console=ttyS0' option.
This section contains scripts that may help in automating the tasks mentioned previously. They are taken directly from our Kickstart setup. They are not meant to be used as is, but instead just give an idea of how to automate these tasks. They should be applied in the order in which they appear in this section. All whitespace at the beginning of lines is TABs; the ed here-documents use <<-, which strips only leading TABs, so spaces will not work in those places.
This script makes some assumptions on the locations of RPMs.
#!/bin/sh
# Package updates
DIR=/usr/src/redhat/RPMS/Company
# Redhat Updates
rpm -Fv --nodeps $DIR/updates/i686/*.rpm
rpm -Fv --nodeps $DIR/updates/i386/*.rpm
rpm -Uv $DIR/addons/getty_ps-2.0.7j-3.i386.rpm
cp $DIR/addons/vortex-diag /usr/local/bin/
chmod 700 /usr/local/bin/vortex-diag
# Addition of users
grep -q '^admin:' /etc/passwd
if [ "$?" != "0" ]; then
/usr/sbin/useradd -m admin
/usr/sbin/usermod -p '$1$mypass' admin
fi
# Disable gettys 3-6
ed -s /etc/inittab <<-EOF
,s/^\([3-6].*tty[3-6]\)/#\1/g
w
q
EOF
# Add serial console
grep -q ttyS0 /etc/inittab
if [ "$?" != "0" ] && [ -f /sbin/getty ]; then
echo >> /etc/inittab
echo "# Serial Console" >> /etc/inittab
echo "S2:12345:respawn:/sbin/getty ttyS0 DT9600 vt100" >> /etc/inittab
ed -s /etc/grub.conf <<-EOF
/^splash/i
serial --unit=0 --speed=9600
terminal --timeout=10 serial console
.
/^[^#].*[0-9] ro .*/s/\(.*\)/\1 console=tty0 console=ttyS0
,s/^\(splash.*\)/#\1/g
w
q
EOF
# ed will fail if any operation fails, so need to separate this
ed -s /etc/grub.conf <<-EOF
/^[^#].*[0-9]smp ro .*/s/\(.*\)/\1 console=tty0 console=ttyS0
w
q
EOF
fi
# Allow ttyS0 to login as root
grep -q ttyS0 /etc/securetty
if [ "$?" != "0" ]; then
echo ttyS0 >> /etc/securetty
fi
# Zap issue
cat /dev/null > /etc/issue
cat /dev/null > /etc/issue.net
# Setup syslog
grep -q syslog0 /etc/syslog.conf
if [ "$?" != "0" ]; then
echo "# *.info @syslog0.mycompany.com" >> /etc/syslog.conf
fi
# Disable root logins via SSH
ed -s /etc/ssh/sshd_config <<-EOF
,s/^#.*\(PermitRootLogin\).*/\1 no/g
w
q
EOF
# Setup resolv.conf
grep -q mycompany /etc/resolv.conf
if [ "$?" != "0" ]; then
echo "search mycompany.com" > /etc/resolv.conf
echo "nameserver 1.2.3.3" >> /etc/resolv.conf
echo "nameserver 1.2.7.200" >> /etc/resolv.conf
fi
# Make apache less descriptive
if [ -e /etc/httpd/conf/httpd.conf ]; then
ed -s /etc/httpd/conf/httpd.conf <<-EOF
,s/^\(ServerSignature\).*/\1 off/g
w
q
EOF
grep -q "^ServerTokens" /etc/httpd/conf/httpd.conf
if [ "$?" != "0" ]; then
echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
fi
fi
# Remove mailman crontabs
ed -s /var/spool/cron/mailman <<-EOF
,s/^\([^#]\)/#\1/g
w
q
EOF
# Remove MRTG crontab
ed -s /etc/crontab <<-EOF
,s/\(.*mrtg.*\)/# \1/g
w
q
EOF
# Define smarthost and remove sendmail banners
grep -q 'SMART_HOST.*mail.mycompany.com' /etc/mail/sendmail.mc
if [ "$?" != "0" ] && [ -f /etc/mail/sendmail.mc ]; then
ed -s /etc/mail/sendmail.mc <<-EOF
a
define(\`SMART_HOST', \`mail.mycompany.com')
define(\`confSMTP_LOGIN_MSG', \`\$j Postfix')dnl
.
w
q
EOF
mv /etc/sendmail.cf{,.orig}
OLDDIR=`pwd`
cd /etc/mail
m4 sendmail.mc > /etc/sendmail.cf
cd $OLDDIR
fi
# Time sync
cp $DIR/addons/sethwclock.sh /etc/cron.daily/
chmod 755 /etc/cron.daily/sethwclock.sh
cp $DIR/addons/time_sync.pl /etc/cron.hourly/
chmod 755 /etc/cron.hourly/time_sync.pl
# Disable services
/sbin/chkconfig --level 235 kudzu off
/sbin/chkconfig --level 235 ipchains off
/sbin/chkconfig --level 235 iptables off
/sbin/chkconfig --level 235 ip6tables off
/sbin/chkconfig --level 235 isdn off
/sbin/chkconfig --level 235 portmap off
/sbin/chkconfig --level 235 nfslock off
/sbin/chkconfig --level 235 apmd off
/sbin/chkconfig --level 235 pcmcia off
/sbin/chkconfig --level 235 autofs off
/sbin/chkconfig --level 235 sgi_fam off
/sbin/chkconfig --level 235 xinetd off
/sbin/chkconfig --level 235 lpd off
/sbin/chkconfig --level 235 sendmail off
/sbin/chkconfig --level 235 gpm off
/sbin/chkconfig --level 235 xfs off
/sbin/chkconfig --level 235 atd off
/sbin/chkconfig --level 235 rhnsd off
/sbin/chkconfig --level 235 wine off
# Remove logwatch package because it has holes and sends mail to root
rpm -e logwatch
# Remove anonymous ftp user
rpm -e anonftp
# Remove tripwire
rpm -e tripwire
# Suid progs
chmod u-s /usr/bin/chage
chmod u-s /usr/bin/gpasswd
chmod u-s /usr/bin/at
chmod u-s /usr/bin/chfn
chmod u-s /usr/bin/chsh
chmod u-s /usr/bin/lppasswd
chmod u-s /usr/bin/kcheckpass
chmod u-s /usr/bin/rcp
chmod u-s /usr/bin/rlogin
chmod u-s /usr/bin/rsh
chmod u-s /usr/bin/inndstart
chmod u-s /usr/bin/rnews
chmod u-s /usr/bin/startinnfeed
chmod u-s /usr/bin/nwsfind
chmod u-s /usr/bin/suidperl
chmod u-s /usr/bin/sperl5.6.1
chmod u-s /usr/bin/cu
chmod u-s /usr/bin/uucp
chmod u-s /usr/bin/uuname
chmod u-s /usr/bin/uustat
chmod u-s /usr/bin/uux
chmod u-s /usr/lib/mc/bin/cons.saver
chmod u-s /usr/lib/amanda/calcsize
chmod u-s /usr/lib/amanda/killpgrp
chmod u-s /usr/lib/amanda/rundump
chmod u-s /usr/lib/amanda/runtar
chmod u-s /usr/lib/amanda/dumper
chmod u-s /usr/lib/amanda/planner
chmod u-s /usr/sbin/ping6
chmod u-s /usr/sbin/traceroute6
chmod u-s /usr/sbin/userhelper
chmod u-s /usr/sbin/usernetctl
chmod u-s /usr/sbin/userisdnctl
chmod u-s /usr/sbin/amcheck
chmod u-s /usr/sbin/uucico
chmod u-s /usr/sbin/uuxqt
chmod u-s /usr/X11R6/bin/XFree86
chmod u-s /bin/mount
chmod u-s /bin/umount
# setGUID progs
chmod g-s /usr/bin/slocate
chmod g-s /usr/bin/kdesud
chmod g-s /usr/bin/gnome-stones
chmod g-s /usr/bin/gataxx
chmod g-s /usr/bin/glines
chmod g-s /usr/bin/gnibbles
chmod g-s /usr/bin/gnobots2
chmod g-s /usr/bin/gnotravex
chmod g-s /usr/bin/gnomine
chmod g-s /usr/bin/mahjongg
chmod g-s /usr/bin/gnotski
chmod g-s /usr/bin/gtali
chmod g-s /usr/bin/iagno
chmod g-s /usr/bin/same-gnome
chmod g-s /usr/bin/slrnpull
chmod g-s /usr/bin/cu
chmod g-s /usr/bin/uuname
chmod g-s /usr/sbin/gnome-pty-helper
chmod g-s /usr/sbin/uucico
chmod g-s /usr/sbin/uuxqt
chmod g-s /usr/X11R6/bin/xbill
chmod g-s /sbin/netreport
# Apache
chmod 000 /var/www/cgi-bin/*
chmod 000 /var/www/nut-cgi-bin/*
chmod 000 /var/www/html/index.html
Company post installation setup is now done via an RPM called:
Company_7.3_update
This is a very big package (currently 125 megs) that contains all of the patches necessary to bring the system up to date with this document. There will be versioning in the RPM database that will help keep track of what 'security revision' the system is at. The Company Kickstart install will automatically apply this RPM, but if you need to do it manually on a system, you can get it here:
http://x.x.x.x/rh7.3up/Company_7.3_update.rpm
Note that if you apply this RPM manually, please follow the directions given after the RPM install.
A Company Kickstart install will perform all that is described in this document and work as is on generic Intel Pentium or higher machines with SCSI drives. If the machine does not fit these criteria you will need to set up a customized Kickstart install. The installation process can take up to a few hours over a slow link. It is also normal that the screen will show nothing during the post installation steps. You should just wait or check the other virtual terminals with ALT-F1 through F5. Once the installation is finished it will reboot the machine.
This installation is performed over HTTP. The system you are setting up must be able to make TCP port 80 connections to the outside.
There is currently 1 Company Kickstart 7.3 boot disk image. The standard one is:
http://x.x.x.x/rh7.3up/boot.img
Write the image to a floppy with the following command on a Linux machine:
dd if=boot.img of=/dev/fd0 bs=1k
Mount this floppy and edit the file ks.cfg to set the IP address of the machine you will be installing. The following is an example for IP 1.2.3.4, netmask 255.255.255.0, gateway 5.6.7.8, and nameserver 9.10.11.12:
# Network Configuration
# Use this for DHCP
# network --bootproto dhcp
# Use this for static IP
network --bootproto static --ip 1.2.3.4 --netmask 255.255.255.0 \
--gateway 5.6.7.8 --nameserver 9.10.11.12
# Note the 'network' line above should be one full line.
# The \ and newline were added to make it fit on the page.
Boot the floppy and just hit enter at the boot prompt.
If you are prompted for any information, it may mean that your network settings are incorrect or that you cannot access x.x.x.x TCP port 80 (http).
Once the system starts installing packages, remove the floppy from the system or at reboot it will install again.
If the machine you are installing does not have a floppy, you can use the Company Kickstart 7.3 CD. Using this method requires there be a DHCP server on the local network.
An ISO image of this CD is available here:
http://x.x.x.x/rh7.3up/cdimage/bootcd.iso
Once the system starts installing packages, remove the CD or at reboot it will install again.
This document was generated using the LaTeX2HTML translator Version 2002-1 (1.69)
The translation was initiated on 2002-10-04.