Unix/Linux Post Install Task List

Note that many of these steps may be performed by the installer (anaconda for Red Hat / Fedora Linux), but historically many installers don't do all these steps, or don't do them in sensible or standard ways.  You should check all these items just to be sure they are set the way you want.  (Note you may not know what all these items are.  they may not apply to your system.  You should just skip over (for now) the items you don't understand, and hope the defaults are fine.)

If you find some step that wasn't done the way you like you can always change it, but think twice first since other installer software (and other administrators) may expect defaults and directory names to be the way the installer set them.

Note that many of these tasks are complicated and inter-related, and will be discussed at length later in the course.

Remember to record all changes in your journal!

• Read the release notes that accompany your system.  Perform any configuration tasks required.  In addition note any changed/removed/added systems; you may need to update your system procedures documents as well as any system documentation.
• Configure the boot loader.  You will likely want to add or remove kernel parameters.  Most boot loaders (including grub) have an adjustable timeout for displaying a boot menu.  On systems where this timeout values is zero you will not be able to interactively boot the system!  Consider changing this to 2 or 3 seconds.
• Set HOSTNAME (with static IP; rarely used with DHCP since names are associated with IP address not hosts.  Avoid using Red Hat GUI tools for this; historically they haven't worked well.)  You may also need to set the system nodename and host ID.
• Setup and run yum or non-Red Hat equivalent (for Solaris use AutoPatch, smpatch, or pca (preferred); for Debian use apt-get dist-upgrade, but run apt-setup first).  This step may require you to configure networking first.

  Warning:  Do not physically connect computer to an untrusted network until this is done and a firewall is properly setup and configured!  (Of course this could be a catch-22 situation.)  Note that updating the kernel can be tricky.

• Setup and verify networking.  Verify networking using such tools as ifconfig, route, netstat, andping.  You may also have to configure PPP or PPPoE.

  Fedora 10 uses the NetworkManager service by default.  This doesn't support static configuration and is not suitable for a server.  The older network service supports both DHCP and static configurations, but the Fedora 10 installer doesn't seem to configure it.  To turn off NetworkManager, first run system-config-network (or otherwise setup networking), then start network.

• Create the directory hierarchy for locally installed extra software:  /usr/local/{bin,lib,man,etc,src} (or better, /opt, /etc/opt, etc.).
• Set PATH, MANPATH.  Make sure these point to the standard directories for your system, such as /usr/local, /opt/*/bin, /usr/usb, ..., for PATH and /usr/dt/share/man, /usr/openwin/share/man, and /usr/sfw/share/man for MANPATH.  Note the preformatted man page location varies; for Red Hat it is in /var/cache/man.  The unformatted (raw) man pages are usually in either /usr/man or /usr/share/man, and local man pages are usually put into /usr/local/man.  Other standard directories for some systems include /opt/*/bin and other places.

  The default PATH setting rarely includes every directory with applications in them.  For Solaris the default PATH is /bin:/usr/bin.  Some commonly used bin directories can be added to the PATH. but the order matters since many systems ship with multiple versions of most utilities.

  You should consider adding to the default PATH but the order matters!  Many *nix systems support multiple versions of commands including platform (i.e. hardware) specific versions.  Also (for Solaris) POSIX versions are in one place (/usr/xpg[46]/bin), Gnu in another (/usr/sfw/bin), community software in another (/usr/opt/csw/bin), and so on.  (See filesystem(5) for a list.)

  Here's a sample PATH for Solaris:
  PATH=~/bin:/usr/local/bin:/usr/xpg4/bin:/bin:/usr/sfw/bin:\
/opt/SUNWspro/bin:/usr/bin:/opt/csw/bin:/usr/ccs/bin:/usr/X11/bin:\
/usr/dt/bin:/usr/openwin/bin

  No one setting of PATH will satisfy all users' needs!  One way to deal with this is to have ~/bin (and/or /usr/local/bin or /opt/bin) listed first on the PATH, and put symlinks in there to the preferred versions of commands that wouldn't otherwise be found on the normal PATH.

• Set the default time zone.  For Linux /etc/localtime should be a copy (or preferably, a link) from a file in /usr/share/zoneinfo/*; see also the man page for zic on Linux.  (On some Unixes you must set the environment variable TZ for each user; for our time zone the proper setting is EST5EDT (or an alias such as America/New_York).  For Solaris x86 you set the timezone of the hardware clock in the file /etc/rtc_config.)
• Make changes to the default environment.  These must be put into the system-wide login scripts for each shell.  Check and possibly modify /etc/login, /etc/bashrc, /etc/profile, /etc/profile.d/*, and /etc/default/*.

  Some changes to consider include setting the default umask, un-colorizing ls, adding some standard aliases, functions, and environment variables, and changing the default prompts.  The traditional prompt for users is XXX> or XXX$, where XXX can be anything (pathname, user and host, etc.); root gets XXX# instead.  Don't forget to set the default locale (the LANG variable).  It is often set wrong and curly quote-marks and other non-ASCII characters won't appear correctly, in man pages for instance).  (For Red Hat systems look in /etc/sysconfig/i18n.)

• Edit /etc/motd, /etc/issue, and /etc/issue.net.  The issue* files contain the prompts seen before the login prompt, and motd (Message Of The Day) is seen just after a successful login.  The motd is often used for legal notices, for example Unauthorized use of this system... (but can also be used for notices to users such as Company picnic on Friday!).  This type of legal notice goes by different names such as AUP (Acceptable Use Policy) or UCC (User Code of Conduct). 

  The default issue* files identify the type and version of your system.  This is a security hole and should be changed to a legal notice, removed completely, or replaced with a simple Welcome to the FooBar system message.  (Note:  On some older versions of Red Hat Linux it is not possible to edit the issue* files directly as they get recreated from a shell script on every reboot.  This should be fixed too.)

  With these file you can also perform various cursor movements, set colors and text attributes (underline, reverse-video, ...) by embedding escape sequences.  The Linux (and most versions of Unix) console drivers support a standard for this (ECMA-48).  Some of these codes are also supported by xterm tools such as PuTTY.  See the man page for console_codes for details.

  The issue* files also support some backslash escapes that get substituted for system information; see the various *getty man pages (for Linux, see mingetty) for a list.

• Configure email aliases, especially for root which should be sent to a real human, a system administrator.  Many systems do not come configured with standard aliases, such as hostmaster, postmaster, webmaster, abuse, etc.  Some of these are required by various standards.
• Edit /etc/fstab (whatever the name; Solaris calls this file /etc/vfstab) and make sure it has entries for all your partitions including any Windows partitions (if the computer is dual-booted), NFS mounts, and removable media drives.
• Install and configure extra software  including Sun Java, the Adobe Flash plug-in ( www.adobe.com/go/getflashplayer), Audio/Video codecs (www.xiph.org), etc.  This may require you to configure additional software repositories such as rpmfusion.  You may need to install various packages to perform some tasks.  For example, install redhat-lsb in order to use various LSB commands.
• After installing the system and the updates and additional software, build or rebuild indexes with makewhatis and [s]locate -u.  slocate is the secure version of locate, which (like find) only shows stuff the user has permission to see.  Use the -e option to exclude directories you don't want indexed (such as Windows partitions or the mount points for removable media).  Verify these will run automatically from cron.  See crontab files in /etc/cron*.
• Setup security:  Set a system-wide default umask.  Create any needed groups such as webauthors in /etc/group.  Other security tasks and files include configuring /etc/fstab mount options (nodev, nosuid, ...), PAM setup (/etc/security/*, /etc/pam.d/*), TCP Wrappers configuration (/etc/hosts.allow, /etc/hosts.deny), configure printer access (/etc/hosts.lpd, /etc/lpd.perms, or /etc/cups/cupsd.conf), configure and verify the firewall (iptables on Linux), and check the default permissions of standard directories and any added user accounts.
• Configure SELinux (or Solaris zones).  (For now, edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=permissive.)
• Set root (and other admin) passwords.  Any passwords you create or change must be recorded.  However the system journal is not the place for that!  (It is not a secure document.)  The common solution is to put passwords in a sealed envelope.  Only the officers of the company can open this envelope, which is usually kept in a safe deposit box at a local bank.
• Adjust user account defaults (/etc/login.defs on Linux or /etc/default/login on Solaris).  Adjust the default values for grace period, expiration date, etc.).  Add/remove/edit the files in /etc/skel.
• Setup ssh and sftp and disable telnet and ftp servers.
• Turn off unused services.  The files /etc/inetd.conf (or /etc/xinetd.d/*) control which daemons to run such as for ftp, telnet, ssh, databases (such as Oracle, MySQL, Postgres), etc.  Turn off any you don't need and configure the rest individually (web, mail, ssh, ...)  Use TCP Wrapper (tcpd) for added security.
• Verifying and set up /dev entries for your hardware.  The installer should have auto-detected your hardware but it may not find all PCI devices (such as PCI modems) or ISA devices.  You may have to configure udev or some similar sub-system, instead of directly editing special files in /dev which can be done like this for example:

  cd /dev
  ls -l ttyS* # This step tells the Major and minor numbers used below
  man mknod
  mknod ttyS4 c Major minor 
  ln -s /dev/ttyS4 modem

• Hardware may need configuration and usually there are tools to do this.  Look for tools such as sndconfig, netconfig, modemconfig, etc.  For Red Hat systems try redhat-<tab><tab> (For Fedora try instead system-<tab><tab>) to see lots of such tools.
• Configure the mtools package to map drive letters for your disk, CD-ROM, flash, etc., drives
• Create additional user accounts as needed.
• Configure servers:  web, mail, etc.
• Create and initialize any required databases.
• Configure logging (/etc/syslogd.conf).
• Copy the install log (often found in /tmp or /root).
• Backup the working configuration (all of /etc at least ).
• Setup and configure additional security measures such as log file monitoring (logwatch) and intrusion detection systems (tripwire).  (You should try to protect all directories with IDS except for /home, /var, and all tmp directories.)
• Configure crontab and anacrontab (or periodic).  See all the crontab files in /etc/*cron*.
• Any other tasks as you think of them.