Note that many of these steps may be performed by the installer (anaconda for Red Hat / Fedora Linux), but historically many installers don't do all these steps, or don't do them in sensible or standard ways. You should check all these items just to be sure they are set the way you want. (Note that you may not know what all these items are, or they may not apply to your system. You should just skip over (for now) the items you don't understand, and hope the defaults are fine.) If you find some step that wasn't done the way you like you can always change it, but think twice first since other installer software (and other administrators) may expect defaults and directory names to be the way the installer set them.

Note that many of these tasks are complicated and inter-related, and will be discussed at length later in the course.

Remember to record all changes in your journal!
timeout values is zero you will not be able to interactively boot the system! Consider changing this to 2 or 3 seconds.

HOSTNAME (with static IP; rarely used with DHCP since names are associated with IP addresses, not hosts. Avoid using Red Hat GUI tools for this; historically they haven't worked well.) You may also need to set the system nodename and host ID.

yum or non-Red Hat equivalent (for Solaris use AutoPatch, smpatch, or pca (preferred); for Debian use apt-get dist-upgrade, but run apt-setup first). This step may require you to configure networking first. Warning: Do not physically connect the computer to an untrusted network until this is done and a firewall is properly set up and configured! (Of course this could be a catch-22 situation.) Note that updating the kernel can be tricky.
ifconfig, route, netstat, and ping. You may also have to configure PPP or PPPoE. Fedora 10 uses the NetworkManager service by default. This doesn't support static configuration and is not suitable for a server. The older network service supports both DHCP and static configurations, but the Fedora 10 installer doesn't seem to configure it. To turn off NetworkManager, first run system-config-network (or otherwise set up networking), then start network.
extra software: /usr/local/{bin,lib,man,etc,src} (or better, /opt, /etc/opt, etc.).

PATH, MANPATH. Make sure these point to the standard directories for your system, such as /usr/local, /opt/*/bin, /usr/usb, ..., for PATH and /usr/dt/share/man, /usr/openwin/share/man, and /usr/sfw/share/man for MANPATH. Note the preformatted man page location varies; for Red Hat it is in /var/cache/man. The unformatted (raw) man pages are usually in either /usr/man or /usr/share/man, and local man pages are usually put into /usr/local/man. Other standard directories for some systems include /opt/*/bin and other places.

The default PATH setting rarely includes every directory with applications in them. For Solaris the default PATH is /bin:/usr/bin. Some commonly used bin directories can be added to the PATH, but the order matters, since many systems ship with multiple versions of most utilities. Many *nix systems support multiple versions of commands, including platform (i.e. hardware) specific versions. Also (for Solaris) POSIX versions are in one place (/usr/xpg[46]/bin), Gnu in another (/usr/sfw/bin), community software in another (/usr/opt/csw/bin), and so on. (See filesystem(5) for a list.) Here's a sample PATH for Solaris:

PATH=~/bin:/usr/local/bin:/usr/xpg4/bin:/bin:/usr/sfw/bin:\
/opt/SUNWspro/bin:/usr/bin:/opt/csw/bin:/usr/ccs/bin:/usr/X11/bin:\
/usr/dt/bin:/usr/openwin/bin

No one setting of PATH will satisfy all users' needs! One way to deal with this is to have ~/bin (and/or /usr/local/bin or /opt/bin) listed first on the PATH, and put symlinks in there to the preferred versions of commands that wouldn't otherwise be found on the normal PATH.
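The following POSIX shell script is an added example, not code from the course page: it implements the two ideas just described, assembling a PATH from an ordered list of candidate directories (keeping only those that exist on the host and dropping duplicates, so the same list can be used on several systems), and placing a symlink in a first-on-PATH directory so that a preferred build of a command shadows the stock one further down the PATH. The temporary directory layout and the "alternative tar" in the demonstration are constructed for the example; the candidate directory list is the one from the Solaris sample above.

```shell
#!/bin/sh
# build_path DIR... : print a colon-separated PATH made from the candidate
# directories in the order given, keeping only those that exist on this host
# and dropping duplicates (a directory listed twice keeps its first slot).
build_path() {
    result=""
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        case ":$result:" in
            *":$dir:"*) continue ;;      # already present, keep first position
        esac
        if [ -z "$result" ]; then
            result=$dir
        else
            result="$result:$dir"
        fi
    done
    printf '%s\n' "$result"
}

# link_preferred BINDIR NAME TARGET : make BINDIR/NAME a symlink to TARGET.
# With BINDIR first on the PATH (~/bin or /usr/local/bin), TARGET then shadows
# any other NAME found later on the PATH. A regular file at BINDIR/NAME is
# never overwritten; only an existing symlink is replaced.
link_preferred() {
    bindir=$1
    name=$2
    target=$3
    [ -x "$target" ] || { echo "link_preferred: $target is not executable" >&2; return 1; }
    if [ -e "$bindir/$name" ] && [ ! -L "$bindir/$name" ]; then
        echo "link_preferred: refusing to replace regular file $bindir/$name" >&2
        return 1
    fi
    rm -f "$bindir/$name"          # drop a stale symlink, then relink
    ln -s "$target" "$bindir/$name"
}

# Demonstration (constructed layout): a throw-away stand-in for ~/bin and an
# alternative build of "tar" that should win over the system one.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/gnu"
printf '#!/bin/sh\necho "alternative tar"\n' > "$demo/gnu/tar"
chmod 755 "$demo/gnu/tar"
demo_path=$(build_path "$demo/bin" /usr/local/bin /usr/xpg4/bin /bin /usr/sfw/bin \
    /opt/SUNWspro/bin /usr/bin /opt/csw/bin /usr/ccs/bin /usr/X11/bin \
    /usr/dt/bin /usr/openwin/bin "$demo/gnu")
link_preferred "$demo/bin" tar "$demo/gnu/tar"
echo "PATH=$demo_path"
echo "tar resolves to: $(PATH=$demo_path command -v tar)"   # the symlink in $demo/bin
rm -rf "$demo"
```

The same build_path call can go into /etc/profile (or a file in /etc/profile.d) so that the one candidate list serves every host, and the order of the arguments is the order of precedence, which is the point the text makes about multiple versions of utilities.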
/etc/localtime should be a copy (or preferably, a link) from a file in /usr/share/zoneinfo/*; see also the man page for zic on Linux. (On some Unixes you must set the environment variable TZ for each user; for our time zone the proper setting is EST5EDT (or an alias such as America/New_York). For Solaris x86 you set the timezone of the hardware clock in the file /etc/rtc_config.)
/etc/login, /etc/bashrc, /etc/profile, /etc/profile.d/*, and /etc/default/*. Some changes to consider include setting the default umask, un-colorizing ls, adding some standard aliases, functions, and environment variables, and changing the default prompts. The traditional prompt for users is XXX> or XXX$, where XXX can be anything (pathname, user and host, etc.); root gets XXX# instead. Don't forget to set the default locale (the LANG variable). It is often set wrong, and then curly quote-marks and other non-ASCII characters won't appear correctly (in man pages for instance). (For Red Hat systems look in /etc/sysconfig/i18n.)
/etc/motd, /etc/issue, and /etc/issue.net. The issue* files contain the prompts seen before the login prompt, and motd (Message Of The Day) is seen just after a successful login. The motd is often used for legal notices, for example Unauthorized use of this system... (but can also be used for notices to users such as Company picnic on Friday!). This type of legal notice goes by different names such as AUP (Acceptable Use Policy) or UCC (User Code of Conduct). The default issue* files identify the type and version of your system. This is a security hole and should be changed to a legal notice, removed completely, or replaced with a simple Welcome to the FooBar system message. (Note: On some older versions of Red Hat Linux it is not possible to edit the issue* files directly as they get recreated from a shell script on every reboot. This should be fixed too.)

With these files you can also perform various cursor movements, set colors and text attributes (underline, reverse-video, ...) by embedding escape sequences. The Linux (and most versions of Unix) console drivers support a standard for this (ECMA-48). Some of these codes are also supported by xterm tools such as PuTTY. See the man page for console_codes for details. The issue* files also support some backslash escapes that get substituted for system information; see the various *getty man pages (for Linux, see mingetty) for a list.
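As an added example (not code from the course page), this POSIX shell script audits an issue file for the disclosure the text calls a security hole: it counts lines that use the getty escapes that expand to the OS name, release, version or architecture (\s, \r, \v and \m, as documented in the mingetty and agetty man pages), plus the heuristic "release <digit>" that catches a literal product line, and then shows the rewrite to a neutral greeting that keeps only the harmless hostname (\n) and tty line (\l) escapes. The sample banner is constructed in the style of a distribution default and is not copied from any real system.

```shell
#!/bin/sh
# Constructed sample banner (not from a real host). \r, \m and \l are getty escapes.
SAMPLE_ISSUE='Fedora release 10 (Cambridge)
Kernel \r on an \m (\l)'

# count_issue_leaks FILE : print the number of lines in FILE that disclose the
# operating system. Flags the getty escapes \s (OS name), \r (release),
# \v (version) and \m (architecture) and, as a heuristic for a literal product
# line, the text "release <digit>". Each flagged line is reported on stderr.
count_issue_leaks() {
    file=$1
    leaks=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *'\s'*|*'\r'*|*'\v'*|*'\m'*|*[Rr]elease' '[0-9]*)
                echo "$file: discloses system details: $line" >&2
                leaks=$((leaks + 1)) ;;
        esac
    done < "$file"
    echo "$leaks"
}

# write_banner FILE : replace FILE with a simple greeting of the kind the text
# suggests. \n and \l are passed through %s, so they stay literal for getty.
write_banner() {
    printf 'Welcome to the FooBar system (%s on %s)\n\n' '\n' '\l' > "$1"
}

# Demonstration on the constructed sample (use /etc/issue and /etc/issue.net
# for a real audit).
demo=$(mktemp)
printf '%s\n' "$SAMPLE_ISSUE" > "$demo"
echo "leaking lines before: $(count_issue_leaks "$demo")"   # 2
write_banner "$demo"
echo "leaking lines after:  $(count_issue_leaks "$demo")"   # 0
rm -f "$demo"
```

Run count_issue_leaks over /etc/issue and /etc/issue.net after every OS upgrade as well, since the note about older Red Hat releases regenerating these files on reboot applies more generally: package updates can put the default banner back.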
root which should be sent to a real human, a system administrator. Many systems do not come configured with standard aliases, such as hostmaster, postmaster, webmaster, abuse, etc. Some of these are required by various standards.

/etc/fstab (whatever the name; Solaris calls this file /etc/vfstab) and make sure it has entries for all your partitions including any Windows partitions (if the computer is dual-booted), NFS mounts, and removable media drives.

redhat-lsb in order to use various LSB commands.

makewhatis and [s]locate -u. slocate is the secure version of locate, which (like find) only shows stuff the user has permission to see. Use the -e option to exclude directories you don't want indexed (such as Windows partitions or the mount points for removable media). Verify these will run automatically from cron. See crontab files in /etc/cron*.
umask.

Create any needed groups such as webauthors in /etc/group.

Other security tasks and files include configuring /etc/fstab mount options (nodev, nosuid, ...), PAM setup (/etc/security/*, /etc/pam.d/*), TCP Wrappers configuration (/etc/hosts.allow, /etc/hosts.deny), configuring printer access (/etc/hosts.lpd, /etc/lpd.perms, or /etc/cups/cupsd.conf), configuring and verifying the firewall (iptables on Linux), and checking the default permissions of standard directories and any added user accounts.

/etc/selinux/config and change SELINUX=enforcing to SELINUX=permissive.)

/etc/login.defs on Linux or /etc/default/login on Solaris). Adjust the default values for grace period, expiration date, etc.).

Add/remove/edit the files in /etc/skel.
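An added example for the /etc/fstab mount-option task above (not code from the course page): a POSIX shell script that reports every filesystem in an fstab lacking the nosuid and nodev options, and a helper that merges options into one entry's field for review before the file is installed. The policy it applies is an assumption made for the example, not a rule stated on the page: every mounted filesystem except / and /usr (which hold the set-uid binaries and device nodes normal operation needs), swap, and the proc, sysfs and devpts pseudo filesystems should carry both options; this covers the Windows partitions, removable media and NFS mounts the text lists. The sample fstab is constructed and describes no real host.

```shell
#!/bin/sh
# Constructed sample fstab for the demonstration (not from any real host).
SAMPLE_FSTAB='# device      mountpoint    type     options                 dump pass
/dev/sda1     /             ext3     defaults                1 1
/dev/sda2     /home         ext3     defaults                1 2
/dev/sda3     /tmp          ext3     defaults,nosuid,nodev   1 2
/dev/sda5     /mnt/win      ntfs     ro,umask=0222,uid=500   0 0
/dev/cdrom    /media/cdrom  iso9660  noauto,owner,ro         0 0
server:/home  /nfs/home     nfs      defaults                0 0
/dev/sda6     swap          swap     defaults                0 0'

# fstab_missing_options FILE : print "MOUNTPOINT missing OPTION" for every
# entry lacking nosuid or nodev, under the policy described in the lead-in
# (assumed for this example): / and /usr, swap and pseudo filesystems are
# exempt; everything else should have both options.
fstab_missing_options() {
    awk '
        /^[[:space:]]*#/ { next }                  # comment lines
        NF < 4           { next }                  # blank or malformed lines
        $2 == "/" || $2 == "/usr" { next }         # need set-uid binaries and device nodes
        $3 == "swap" || $3 ~ /^(proc|sysfs|devpts)$/ { next }
        {
            opts = "," $4 ","
            if (index(opts, ",nosuid,") == 0) print $2, "missing nosuid"
            if (index(opts, ",nodev,")  == 0) print $2, "missing nodev"
        }' "$1"
}

# add_mount_options FILE MOUNTPOINT OPTS : copy FILE to stdout with the
# comma-separated OPTS merged into the options field of MOUNTPOINT'"'"'s entry
# (options already present are not duplicated; column alignment is lost).
# Review the output, install it as /etc/fstab, then: mount -o remount MOUNTPOINT
add_mount_options() {
    awk -v mp="$2" -v add="$3" '
        !/^[[:space:]]*#/ && NF >= 4 && $2 == mp {
            opts = "," $4 ","
            n = split(add, want, ",")
            for (i = 1; i <= n; i++)
                if (index(opts, "," want[i] ",") == 0) $4 = $4 "," want[i]
        }
        { print }' "$1"
}

# Demonstration on the constructed sample.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_FSTAB" > "$demo"
echo "Before:"
fstab_missing_options "$demo"                       # 8 lines: /home, /mnt/win, /media/cdrom, /nfs/home
add_mount_options "$demo" /home nosuid,nodev > "$demo.new"
echo "After hardening /home:"
fstab_missing_options "$demo.new"                   # 6 lines
rm -f "$demo" "$demo.new"
```

The report is deliberately noisy for a first pass: decide per mount point whether an exception is justified (a removable-media mount may legitimately need dev nodes for some tools), record the decision in your journal, and keep the script in cron alongside the other periodic checks so that a later edit to /etc/fstab that drops an option is noticed.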
ssh and sftp and disable telnet and ftp servers.

/etc/inetd.conf (or /etc/xinetd.d/*) control which daemons to run such as for ftp, telnet, ssh, databases (such as Oracle, MySQL, Postgres), etc. Turn off any you don't need and configure the rest individually (web, mail, ssh, ...). Use TCP Wrapper (tcpd) for added security.

/dev entries for your hardware. The installer should have auto-detected your hardware but it may not find all PCI devices (such as PCI modems) or ISA devices. You may have to configure udev or some similar sub-system, instead of directly editing special files in /dev, which can be done like this for example:

cd /dev
ls -l ttyS*                 # shows the major and minor numbers used below
man mknod
mknod ttyS4 c Major minor   # replace Major and minor with the numbers from ls -l
ln -s /dev/ttyS4 modem

sndconfig, netconfig, modemconfig, etc. For Red Hat systems try redhat-<tab><tab> (for Fedora try instead system-<tab><tab>) to see lots of such tools.
/etc/syslogd.conf).

/tmp or /root).

/etc at least).

logwatch) and intrusion detection systems (tripwire). (You should try to protect all directories with IDS except for /home, /var, and all tmp directories.)

crontab and anacrontab (or periodic). See all the crontab files in /etc/*cron*.