Documentation for Linux Installation and Hardening
Purpose:
To reduce the time needed for, and to provide detailed documentation of, a new Linux server installation in the Infra setup. This document describes the procedure for installing, configuring and hardening a Linux server, along with the installation of Cacti and NMON.
Scope:
Linux installation and hardening is a frequent activity in Infra support, so this document will help during new server installation and handover.
Responsible Unit: Tata Communications
Process Owner: Md. Shamim
Document: SOP
Confidentiality Status: Internal
Document Status: Draft
Identity number:
Effective Date: 24-Jul-2013
Revision: 1.0
Original Language: English
This document and its contents are the property of Tata Communications or its subsidiaries. This document contains confidential proprietary information. The reproduction, distribution, utilization or the communication of this document or any part thereof, without express authorization is strictly prohibited. Offenders will be held liable for the payment of damages. 2008, Tata Communications or its subsidiaries. All rights reserved.
INFORMATION TECHNOLOGY
Revision Log
Revision: 1.0; Date (yyyy-mm-dd): 2013-07-24; Prepared By: Anshu Makkar; Description of Changes: First Version
Approval Log
Revision; Date (yyyy-mm-dd); Document Owner; Approval E-mail Reply
Table of Contents
1 Introduction
2 Linux Installation
2.1 Download Red Hat Enterprise Linux ISO
2.2 Burn ISO on DVD
2.3 Linux Installation
3 Linux Hardening
3.1 Remove unwanted file systems
3.2 Remove unwanted services
3.3 Remove unwanted packages
3.4 Change default run level
3.5 /etc/sysconfig/network file
3.6 NTP client configuration
3.7 Relay server configuration
3.8 Network firewall configuration
3.9 Logging parameters
3.10 System log security
3.11 Cron restrictions
3.12 Secure ssh service
3.13 PAM configuration
3.13.1 System authentication parameter change
3.13.2 System wide parameter change
3.14 Lock unwanted user accounts
3.15 Remove login shell from unwanted user accounts
3.16 Change login account defaults
3.17 Change messages for login
4 User Creation on Server
4.1 System user group creation
4.2 System admin users creation
5 Cacti Installation
5.1 Prerequisites before running deploy.sh
5.2 Agent installation
5.3 Checking SNMP on client
5.4 Configuring SNMP on client
5.5 Checking the resolution from the Cacti server
6 NMON Installation
6.1 Nmon directory creation
6.2 Create ksh shell script for nmon execution
6.3 Change permission of script
6.4 Install RPM
6.5 Crontab entry
1. INTRODUCTION
Linux installation is a frequent request. Any Linux installation and configuration must adhere to TCL standards and security policies. During installation and configuration we might miss a setting or contradict the standard TCL configuration. This document will help while installing and configuring Linux for any OS reinstall or new server configuration request.
TCL has defined strict guidelines for OS hardening. Every server must go through the hardening process and meet these defined hardening criteria before going live in production. All vulnerabilities must be closed during hardening, along with the removal of unwanted packages, file systems and services. This document also contains the hardening procedure defined and approved by TCL, and will help while hardening a new OS or checking the hardening status of a server yet to be handed over.
We spend a good amount of our time monitoring the servers. In Infra support we use two tools, NMON and Cacti, to capture the state of a server at any point in time. These tools help us monitor and study the system state and usage patterns with the help of graphs, and are very helpful when analysing server performance issues. The last part of this document provides the steps to install Cacti and NMON on an installed and hardened server.
2. Linux installation
Below are the steps to install Linux on bare metal or on an already created VM on an ESX host.
2.1 Download Red Hat Enterprise Linux ISO
https://rhn.redhat.com/rhn/software/downloads/SupportedISOs.do
A Red Hat support login is required to download the ISO.
Note: We use the 64-bit OS for servers. Click on the x86_64 version of RHEL.
Download the Binary DVD for installation.
2.2 Burn ISO on DVD
2.3 Linux installation
Insert the DVD in the server and reboot the server.
Fig 1: First installation screen
Select Install or upgrade an existing system.
Fig 2: Media Check
Skip the media check (if you are not sure whether the DVD has scratches you can run the media test).
Fig 3: RHEL logo
Click Next to start the installation.
Fig 4: Language option
Select U.S. English as the language.
Fig 5: Storage Devices
Select Basic Storage Devices to install RHEL on a local disk. Select Specialized Storage Devices to install RHEL on a storage LUN.
Fig 6: Installation Type
Select Fresh Installation for a new RHEL installation. Select Upgrade to upgrade an older RHEL OS to the newer version.
Fig 7: Hostname
Add the hostname for the server.
Fig 8: Network configuration
Fig 9: Add/Edit network connection
Click on Configure connection and edit the network connection to add the IP, route etc.
Fig 10: IP Configuration
Fig 11: IP Configuration
Go to the IPv4 tab and select the Manual method for IP assignment. Click Add under Addresses to add the IP. Assign the DNS server and search domain for DNS resolution. Routes can also be added with the Routes button.
Fig 12: Time zone selection
Select the time zone Asia/Kolkata from the drop-down menu or click on Kolkata.
Fig 13: Root Password
Enter the root password. As per TCL security policy the root password must be at least 8 characters long and consist of at least 2 upper-case characters, 2 lower-case characters, 2 digits and 2 special characters.
Fig 14: Weak password warning popup
If you do not adhere to the TCL security policy and choose a dictionary-based word, the installer will prompt you with a warning. You can go ahead with that password and change it during OS hardening.
Fig 15: File system layout
Choose the file system creation option Create Custom Layout to install Linux as per TCL policy.
Fig 16: Physical partition creation
As per TCL policy all Linux file systems should be on LVM except /boot.
/boot should be a 200-500 MB standard partition. The rest of the space should be divided into 2 LVM physical volumes, one for OS partitions and one for application partitions.
TCL recommended OS partitions and sizes:
/boot - 500 MB (standard partition)
vg_root (LVM physical partition):
/ - 5 GB
/home - 10 GB
/tmp - 5 GB
/usr - 10 GB
/opt - 5 GB
/var - 8 GB
/usr/openv - 6 GB (required for backup)
/kdump - 105% of physical memory size
vg_root (as per application requirement)
Fig 17: LVM creation
We have a file system and partition naming convention. According to that convention the volume group name should be vg_ABC and the logical volume name lv_XYZ.
Fig 18: Final Layout
The final disk layout should look like the snapshot above. (In the snapshot above, app_vg is not created.)
Fig 19: Disk configurations write warning popup
You can change or reset the file system layout before clicking the Write changes to disk button. Once this button is clicked all configurations are written to the disk.
Fig 20: Boot loader Install location
Install the boot loader on the disk (the first disk in case of more than one disk). A boot loader password can also be used to increase security.
Note: We do not change the boot loader location or use a password for the boot loader.
Fig 21: Choose Installation bundle
Choose the Server installation bundle as per requirement. If you are not sure which packages are required, use Basic Server and customize later (set up yum after installation and install the required packages).
Fig 22: Packages installation
After this step all packages will be installed. Ideally it takes 20-25 minutes.
Fig 23: Installation completion
After the installation completes the above screen is displayed. Click on Reboot to reboot the server. After the reboot the server will come up and you will get a login prompt.
3. Hardening
IMP: Take a backup of every file you change while hardening with the command below.
cp -p <file> <file>.befhard
3.1. Remove unwanted file systems
Create the Hardening_tcl file in /etc/modprobe.d:
cat > /etc/modprobe.d/Hardening_tcl.conf
/etc/sysctl.conf
/etc/at.allow
echo root >> /etc/cron.allow
3.12. Secure ssh service
Change the below parameters in /etc/ssh/sshd_config:
Port 5522
Protocol 2
LogLevel VERBOSE
PermitRootLogin no
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitUserEnvironment no
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue
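As an added example (not part of the SOP), the following POSIX sh script checks an existing sshd_config against the directive values listed above and reports each deviation, which is useful when verifying the hardening status of a server before handover; the sample configuration it writes is constructed for illustration and is not taken from any real host.

```shell
# Added example, not part of the SOP: checks an sshd_config against the
# directives required in section 3.12 and reports every deviation. sshd
# honours the first uncommented occurrence of a keyword, so only the first
# match is compared, and a commented-out directive counts as missing.
REQUIRED_SSHD="Port=5522 Protocol=2 LogLevel=VERBOSE PermitRootLogin=no
MaxAuthTries=3 HostbasedAuthentication=no IgnoreRhosts=yes
PermitEmptyPasswords=no AllowTcpForwarding=no GatewayPorts=no
X11Forwarding=no PermitUserEnvironment=no ClientAliveInterval=900
ClientAliveCountMax=0 Banner=/etc/issue"

# effective_value FILE KEYWORD: value of the first active directive
# (keywords are case-insensitive); empty output if the keyword is not set.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config FILE: prints each deviation; return code = number found.
check_sshd_config() {
    deviations=0
    for pair in $REQUIRED_SSHD; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(effective_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (expected $want; sshd default applies)"
            deviations=$((deviations + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key $have (expected $want)"
            deviations=$((deviations + 1))
        fi
    done
    return "$deviations"
}

# write_sample_config FILE: constructed sshd_config resembling a stock file,
# with the default port, root login only commented out, X11 enabled and
# several directives not set at all; it yields 9 deviations.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
protocol 2
LogLevel VERBOSE
#PermitRootLogin no
MaxAuthTries 3
X11Forwarding yes
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue
EOF
}

sample=$(mktemp) && write_sample_config "$sample"
n=0; check_sshd_config "$sample" || n=$?; echo "deviations: $n"; rm -f "$sample"
```

Run it against /etc/ssh/sshd_config on a hardened server; a non-zero exit status means at least one listed directive is missing or differs.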
3.13. Pam Configuration
3.13.1. System authentication parameter change
Change the below lines in the /etc/pam.d/system-auth-ac file:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2 difok=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
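As an added example (not part of the SOP), the following POSIX sh functions model the minlen and credit rules of the pam_cracklib line above, which is the part of the module that enforces the root-password policy given in the installation step (8 characters, at least 2 of each class); the passwords tested are constructed, and only the length and class counts are modelled.

```shell
# Added example, not part of the SOP: models the length and character-class
# rules of the pam_cracklib line in 3.13.1. A negative credit such as
# lcredit=-2 is not a bonus but a floor: at least 2 lower-case characters are
# required. Dictionary, palindrome, similarity (difok) and username checks
# that the real module also performs are not modelled. ASCII passwords assumed.
MINLEN=8; NEED=2   # minlen=8, lcredit/ucredit/dcredit/ocredit=-2

# count_class STRING CLASS: number of characters of a tr(1) class in STRING
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# cracklib_class_check PASSWORD: prints each unmet rule; returns 0 if all met
cracklib_class_check() {
    pw=$1; len=${#pw}; fail=0
    [ "$len" -ge "$MINLEN" ] || { echo "length $len < minlen $MINLEN"; fail=1; }
    lower=$(count_class "$pw" '[:lower:]')
    upper=$(count_class "$pw" '[:upper:]')
    digit=$(count_class "$pw" '[:digit:]')
    other=$((len - lower - upper - digit))   # pam_cracklib: everything else
    for spec in "lower:$lower" "upper:$upper" "digit:$digit" "other:$other"; do
        [ "${spec#*:}" -ge "$NEED" ] || { echo "${spec%%:*} ${spec#*:} < $NEED"; fail=1; }
    done
    return "$fail"
}

cracklib_class_check 'Password1' || echo "rejected"   # upper, digit, other too few
cracklib_class_check 'Tc!9Lx#4' && echo "accepted"
```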
3.13.2. System wide parameter change
Replace the /etc/pam.d/system-auth file with the below command:
cat > /etc/pam.d/system-auth