Documentation for Linux Installation and hardening


Purpose:

To reduce the time spent on, and provide thorough documentation for, a new Linux server installation in the Infra setup. This document gives the details and procedure for installation, configuration and hardening of a Linux server, along with Cacti and NMON installation.

Scope:

Since Linux installation and hardening is a frequent activity in Infra support, this document will help with new server installation and handover.

Responsible Unit: Tata Communications
Process Owner: Md. Shamim
Document: SOP
Confidentiality Status: Internal
Document Status: Draft

Identity number:
Effective Date: 24-Jul-2013
Revision: 1.0
Original Language: English

This document and its contents are the property of Tata Communications or its subsidiaries. This document contains confidential proprietary information. The reproduction, distribution, utilization or the communication of this document or any part thereof, without express authorization is strictly prohibited. Offenders will be held liable for the payment of damages. 2008, Tata Communications or its subsidiaries. All rights reserved.

Translated By: Name / Function
Translation Approved By: Name / Function
Translation Languages:

INFORMATION TECHNOLOGY

Revision Log

Revision  Date (yyyy-mm-dd)  Prepared By   Description of Changes
1.0       2013-07-24         Anshu Makkar  First Version

Approval Log

Revision  Date (yyyy-mm-dd)  Document Owner  Approval E-mail Reply

Table of Contents

1 INTRODUCTION
2 LINUX INSTALLATION
  2.1 Download Red Hat Enterprise Linux ISO
  2.2 Burn ISO on DVD
  2.3 Linux Installation
3 LINUX HARDENING
  3.1 Remove unwanted file systems
  3.2 Remove unwanted services
  3.3 Remove unwanted packages
  3.4 Change default run level
  3.5 /etc/sysconfig/network file
  3.6 NTP client configuration
  3.7 Relay server configuration
  3.8 Network firewall configuration
  3.9 Logging parameters
  3.10 System log security
  3.11 Cron restrictions
  3.12 Secure ssh service
  3.13 PAM configuration
    3.13.1 System authentication parameter change
    3.13.2 System wide parameter change
  3.14 Lock unwanted user accounts
  3.15 Remove login shell from unwanted user accounts
  3.16 Change login account defaults
  3.17 Change messages for login
4 USER CREATION ON SERVER
  4.1 System user group creation
  4.2 System admin users creation
5 CACTI INSTALLATION
  5.1 Prerequisites before running deploy.sh
  5.2 Agent installation
  5.3 Checking snmp on client
  5.4 Configuring snmp on client
  5.5 Checking the resolution from CACTI server
6 NMON INSTALLATION
  6.1 Nmon directory creation
  6.2 Create ksh shell script for nmon execution
  6.3 Change permission of script
  6.4 Install RPM
  6.5 Crontab entry

1. INTRODUCTION

Linux installation is a frequent request. Any Linux installation and configuration must adhere to TCL standards and security policies. While installing and configuring Linux we might miss a setting or contradict the TCL configuration standards. This document will help while installing and configuring Linux for any OS reinstall or new server request.

TCL has defined strict guidelines for OS hardening. Every server must go through the hardening process and meet the defined hardening criteria before going live in production. All vulnerabilities must be closed during hardening, along with removal of unwanted packages, file systems and services. This document also contains the hardening procedure defined and approved by TCL, and will help both while hardening a new OS and while checking the hardening status of a server that is yet to be handed over.

We spend a good amount of our time monitoring the servers. In Infra support we use two tools, Nmon and Cacti, to capture the state of a server at any point in time. These tools help us monitor and study the system state and usage patterns with the help of graphs, and are very useful when analysing server performance issues. The last part of this document provides the steps to install Cacti and NMON on an installed and hardened server.

2. Linux installation

The steps below install Linux on bare metal or on an already created VM on an ESX host.

2.1 Download Red Hat Enterprise Linux ISO

https://rhn.redhat.com/rhn/software/downloads/SupportedISOs.do

A Red Hat support login is required to download the ISO.

Note: We use the 64-bit OS for servers. Click on the x86_64 version of RHEL.

Download the Binary DVD for installation.

2.2 Burn ISO on DVD

2.3 Linux installation

Insert the DVD in the server and reboot the server.

Fig 1: First installation screen

Select Install or upgrade an existing system.

Fig 2: Media Check

Skip the media check (if you suspect the DVD is scratched, run the media test).

Fig 3: RHEL logo

Click Next to start the installation.

Fig 4: Language option

Select U.S. English as the language.

Fig 5: Storage Devices

Select Basic Storage Devices to install RHEL on a local disk. Select Specialized Storage Devices to install RHEL on a storage LUN.

Fig 6: Installation Type

Select Fresh Installation for a new RHEL installation. Select Upgrade to upgrade an older RHEL release to a newer version.

Fig 7: Hostname

Enter the hostname for the server.

Fig 8: Network configuration

Fig 9: Add/Edit network connection

Click Configure connection and edit the network connection to add the IP, routes, etc.

Fig 10: IP Configuration

Fig 11: IP Configuration

Go to the IPv4 tab and select the Manual method for IP assignment. Click Add under Addresses to add the IP. Enter the DNS server and search domain for DNS resolution. Routes can be added with the Routes button.

Fig 12: Time zone selection

Select the time zone Asia/Kolkata from the drop-down menu or click on Kolkata on the map.

Fig 13: Root Password

Enter the root password. As per TCL security policy the root password must be at least 8 characters long and contain at least 2 upper-case characters, 2 lower-case characters, 2 digits and 2 special characters.

Fig 14: Weak password warning popup

If the password does not meet TCL security policy (for example a dictionary word), the installer shows a warning. You can proceed with that password and change it during OS hardening.

Fig 15: File system layout

Choose the file system creation option Create Custom Layout to install Linux as per TCL policy.

Fig 16: Physical partition creation

As per TCL policy all Linux file systems should be on LVM except /boot.

/boot should be a 200-500 MB standard partition. The rest of the space should be divided into 2 LVM physical volumes, one for the OS partitions and one for the application partitions.

TCL recommended OS partitions and sizes:

/boot: 500 MB (standard partition)

vg_root (LVM physical partition):
  /: 5G
  /home: 10G
  /tmp: 5G
  /usr: 10G
  /opt: 5G
  /var: 8G
  /usr/openv: 6G (required for backup)
  /kdump: 105% of physical memory size

Application volume group: sized as per application requirement.

Fig 17: LVM creation

We have a file system and partition naming convention: the volume group name should be vg_ABC and the logical volume name should be lv_XYZ.

Fig 18: Final Layout

The final disk layout should look like the snapshot above (in this snapshot app_vg has not been created).

Fig 19: Disk configurations write warning popup

You can change or reset the file system layout before clicking the Write changes to disk button. Once it is clicked, the configuration is written to disk.

Fig 20: Boot loader Install location

Install the boot loader on the disk (on the first disk if there is more than one). A boot loader password can also be set to increase security.

Note: We do not change the boot loader location or set a boot loader password. Without a boot loader password anyone with console access can edit the kernel command line and boot into a root shell, so this relies on console access to the server being restricted.

Fig 21: Choose installation bundle

Choose the server installation bundle as per requirement. If you are not sure which packages are required, use Basic Server and customize later (set up yum after installation and install the required packages).

Fig 22: Packages installation

After this step all packages are installed. This typically takes 20-25 minutes.

Fig 23: Installation completion

After the installation completes, the screen above is displayed. Click Reboot to reboot the server. After the reboot the server comes up and you get a login prompt.
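The installer choices of section 2.3 (language, hostname and static IP, Asia/Kolkata, hashed root password, boot loader on the first disk, /boot as the only standard partition and the TCL vg_root sizes) written out as a RHEL 6 kickstart by a small shell script, so a reinstall reproduces the same layout every time. This is an added example, not part of the TCL SOP: the interface name eth0, the disk name sda, the host values passed in and the password-hash placeholder are assumptions; the sizes are the ones from the TCL table above, with /kdump computed as 105% of the memory figure you pass in.

```shell
#!/bin/sh
# Added example, not from the TCL SOP: write the installer choices of section 2.3
# as a RHEL 6 kickstart so a reinstall reproduces the same layout every time.
# Assumed for illustration: eth0 as the interface, sda as the first disk, the
# host/IP values passed in, and a SHA-512 crypt hash for the root password.

# kdump file system size in MB: 105% of physical memory, per the TCL table
kdump_size_mb() {            # $1 = physical memory in MB
    echo $(( $1 * 105 / 100 ))
}

# gen_kickstart HOSTNAME IP NETMASK GATEWAY DNS MEM_MB ROOTPW_HASH -> ks.cfg on stdout
# ROOTPW_HASH is the $6$... string from `grub-crypt --sha-512` (RHEL 6), never plaintext.
gen_kickstart() {
    host=$1 ip=$2 mask=$3 gw=$4 dns=$5 mem=$6 hash=$7
    kd=$(kdump_size_mb "$mem")
    cat <<EOF
install
cdrom
lang en_US.UTF-8
keyboard us
timezone --utc Asia/Kolkata
network --onboot yes --device eth0 --bootproto static --ip $ip --netmask $mask --gateway $gw --nameserver $dns --hostname $host
rootpw --iscrypted $hash
authconfig --enableshadow --passalgo=sha512
# boot loader on the first disk, no boot loader password (note under Fig 20)
bootloader --location=mbr --driveorder=sda
zerombr
clearpart --all --initlabel
# /boot is the only standard partition; everything else is an LV in vg_root
part /boot --fstype=ext4 --size=500
part pv.01 --size=1 --grow
volgroup vg_root pv.01
logvol / --fstype=ext4 --vgname=vg_root --name=lv_root --size=5120
logvol /home --fstype=ext4 --vgname=vg_root --name=lv_home --size=10240
logvol /tmp --fstype=ext4 --vgname=vg_root --name=lv_tmp --size=5120
logvol /usr --fstype=ext4 --vgname=vg_root --name=lv_usr --size=10240
logvol /opt --fstype=ext4 --vgname=vg_root --name=lv_opt --size=5120
logvol /var --fstype=ext4 --vgname=vg_root --name=lv_var --size=8192
logvol /usr/openv --fstype=ext4 --vgname=vg_root --name=lv_openv --size=6144
logvol /kdump --fstype=ext4 --vgname=vg_root --name=lv_kdump --size=$kd
# the application volume group (app_vg in Fig 18) is created separately, sized per application
# swap is not in the TCL table; add a "logvol swap" line if the host needs it
reboot
%packages
@core
@base
%end
EOF
}

# usage: gen_kickstart srv01.example.com 10.0.0.10 255.255.255.0 10.0.0.1 10.0.0.2 8192 '$6$...' > ks.cfg
```

Boot the DVD with `ks=` pointing at the generated file (for example on an HTTP server or a USB key) and the installer runs the same screens unattended; the package groups @core and @base stand in for the Basic Server bundle and can be extended once yum is set up.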

3. Hardening

IMP: Take a backup of every file you change while hardening with the command below:

cp -p <file> <file>.befhard

3.1. Remove unwanted file systems

Create the Hardening_tcl.conf file in /etc/modprobe.d:

cat > /etc/modprobe.d/Hardening_tcl.conf

/etc/sysctl.conf

/etc/at.allow

echo root>>/etc/cron.allow

3.12. Secure ssh service

Change the parameters below in /etc/ssh/sshd_config:

Port 5522
Protocol 2
LogLevel VERBOSE
PermitRootLogin no
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitUserEnvironment no
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue

Restart sshd after the change and keep the existing session open until a new login on port 5522 has been verified; the new port must also be allowed in the SELinux policy (ssh_port_t) if SELinux is enforcing, and in the firewall (section 3.8). Note that sshd takes the first value it reads for a keyword, so an existing line higher up in the file must be edited rather than a new one appended at the bottom. On the OpenSSH 5.3 shipped with RHEL 6, ClientAliveInterval 900 with ClientAliveCountMax 0 ends an idle session after 15 minutes; from OpenSSH 8.2 a count of 0 instead disables the idle kill entirely, so this pair must be revisited on newer releases.
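A handover check for the sshd settings above: a shell script that audits an sshd_config against the required values the way sshd itself reads the file (keywords case-insensitive, first value wins, anything after a Match block conditional) and reports every keyword that is missing or drifted. This is an added example, not the SOP's own code; the two sample configurations are constructed for illustration and are not taken from any real host.

```shell
#!/bin/sh
# Added example (not the SOP's own code): audit an sshd_config against the values
# required in 3.12. Two sshd rules that a naive grep gets wrong are mirrored here:
# keywords are case-insensitive, and sshd uses the FIRST value it reads for a keyword
# (later duplicates are silently ignored), with anything after a Match block being
# conditional rather than global.

SSHD_REQUIRED='Port 5522
Protocol 2
LogLevel VERBOSE
PermitRootLogin no
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitUserEnvironment no
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue'

# sshd_value FILE KEYWORD: print the effective global value of KEYWORD ("" if unset)
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ || NF < 2 { next }          # comments and blank lines
        tolower($1) == "match" { exit }       # Match blocks are conditional: stop here
        tolower($1) == k { print $2; exit }   # first match wins, as in sshd
    ' "$1"
}

# audit_sshd FILE: print one line per deviation from SSHD_REQUIRED; return 1 if any
audit_sshd() {
    findings=$(printf '%s\n' "$SSHD_REQUIRED" | while read -r key want; do
        have=$(sshd_value "$1" "$key")
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s, compiled-in default applies)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'DRIFT %s is %s, want %s\n' "$key" "$have" "$want"
        fi
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample configs for illustration (not from any real host)
hardened_config() {
    printf '%s\n' '# /etc/ssh/sshd_config after 3.12' "$SSHD_REQUIRED" 'SyslogFacility AUTHPRIV' 'UsePAM yes'
}

drifted_config() {
    cat <<'EOF'
# stock file with the hardening appended at the bottom: a common mistake
Port 22
Protocol 2
SyslogFacility AUTHPRIV
LogLevel VERBOSE
permitrootlogin yes
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding yes
PermitUserEnvironment no
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue
UsePAM yes
# appended later; ignored by sshd because a value was already set above
PermitRootLogin no
Match User backup
    X11Forwarding no
EOF
}

# usage on a live host: audit_sshd /etc/ssh/sshd_config
```

On the drifted sample the audit reports Port, PermitRootLogin and X11Forwarding as drifted and MaxAuthTries as missing, even though a `grep PermitRootLogin` would show a `no` line; on a running host `sshd -T` prints the effective values and is the authoritative cross-check.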

3.13. Pam Configuration

3.13.1. System authentication parameter change

Change the lines below in the /etc/pam.d/system-auth-ac file:

password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2 difok=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

The negative credits make each character class a hard minimum (at least 2 lower-case, 2 upper-case, 2 digits and 2 other characters in a password of at least 8 characters), which is the root password rule from the installation step; difok=3 requires at least 3 characters of the new password to differ from the old one, and remember=5 blocks reuse of the last 5 passwords. Two caveats: nullok on the pam_unix line lets an account with an empty password field authenticate, which most hardening baselines remove; and system-auth-ac is regenerated whenever authconfig is run, so any later authconfig invocation discards these edits.

3.13.2. System wide parameter change

Replace the /etc/pam.d/system-auth file with the command below:

cat > /etc/pam.d/system-auth