RHEL4 Manual Build Lockdown

Perform a 'minimal' install from the PXE boot menu, with a 100M /boot, swap sized at twice RAM, 4GB of LVM space for /var and /tmp, and the remaining LVM space for '/'.

The commands below are then run to set up and secure the machine:

**** VERIFY HARDWARE OBJECT ****

# Set the clock, then disable and stop the services this build does not need.
# NOTE(review): rdate -s takes the time from the remote host as sent, with no
# authentication; the NTP setup later in this document takes over timekeeping.
rdate -s time.nist.gov

# Remove each service from the listed runlevels, in the original order
# (cpuspeed is additionally removed from runlevel 1).
# NOTE(review): iptables is among the services switched off, which leaves this
# host without a packet filter - confirm that is intended for its network.
while read -r svc levels; do
  chkconfig --level "$levels" "$svc" off
done <<'EOF'
xfs 2345
rpcidmapd 2345
rpcgssd 2345
autofs 2345
lm_sensors 2345
pcmcia 2345
mdmonitor 2345
cups 2345
cpuspeed 12345
gpm 2345
isdn 2345
netfs 2345
nfslock 2345
portmap 2345
nfs 2345
iptables 2345
xinetd 2345
EOF

# Stop the currently running instances, in the original order (rpcgssd and
# rpcidmapd are stopped after portmap/iptables, as in the command list above).
for svc in xfs autofs lm_sensors pcmcia mdmonitor cups cpuspeed gpm isdn \
  netfs nfslock nfs portmap iptables rpcgssd rpcidmapd xinetd; do
  /etc/init.d/"$svc" stop
done

***********************************************************************

cd /etc/ssh/
vi sshd_config

Port 22
Protocol 2

PermitRootLogin no
X11Forwarding no

***************** SETUP RHN *****************

reboot # pickup updated kernel

up2date --configure
37. noReboot Yes

***************** SETUP MRTG MONITORING *****************
up2date net-snmp
chkconfig --add snmpd
chkconfig --level 345 snmpd on
vi /etc/snmp/snmpd.conf
rocommunity blahblahblah
/etc/init.d/snmpd start

***************** INSTALL NTP *****************
cd ~
up2date -i ntp
ntpdate ntp.server.com
vi /etc/ntp.conf

server ntp.server.com
server mail.server.com
driftfile /var/lib/ntp/drift
broadcastdelay 0.008

/etc/init.d/ntpd start
chkconfig --level 345 ntpd on

*************** Setup sar *********************
up2date -i sysstat
In root's crontab:
0 8-18 * * 1-5 /usr/lib/sa/sa1 1200 3 &
5 19 * * 1-5 /usr/lib/sa/sa2 -A &

**************** Setup sudo *******************
visudo

**************** Setup su (wheel) *************
vi /etc/pam.d/su

**************** Setup mdadm **************
vi /etc/mdadm.conf
chkconfig --level 345 mdmonitor on
/etc/init.d/mdmonitor start

*************** Update db? ****************
vi /etc/updatedb.conf

*************** Forward root's mail **********
vi /etc/aliases
root: rootmail@wherever.com

newaliases

*************** Set to use spooling **********
In /etc/mail/sendmail.cf, set the smart relay host to

# "Smart" relay host (may be null)
DSmailserver.whatever.com

**************** Setup Backups *************

**************** Update everything ***********
(pdksh causes issues; remove it before updating)
rpm -e pdksh
up2date -fu
shutdown -r +1 & logout

********** SE Linux *********************
up2date -i selinux-policy-targeted-sources
(the winbind rules are only needed when Samba is used for Active Directory authentication)
Add this to /etc/selinux/targeted/src/policy/domains/misc/local.te

allow winbind_t etc_t:file write;
allow winbind_t tmp_t:dir search;
allow winbind_t tmp_t:file read;
allow winbind_t self:process setpgid;
allow ntpd_t file_t:file read;
allow winbind_t file_t:file { getattr read };
allow ntpd_t file_t:file { getattr read unlink };
allow snmpd_t file_t:file { append getattr read rename unlink };
allow winbind_t file_t:file { append getattr read rename };
allow winbind_t file_t:sock_file unlink;
allow winbind_t file_t:file rename;

cd /etc/selinux/targeted/src/policy
make && make load

******************** Log Rotation *********************************
These are the per-service configs in /etc/logrotate.d/:

acpid:

# acpid log: keep 5 rotations, rotate by size, restart acpid only if running.
/var/log/acpid {

rotate 5
size=100M
missingok
notifempty
# NOTE(review): size is given twice in this stanza (100M above, 64k here);
# confirm which value logrotate honours and drop the other.
size=64k
postrotate
# condrestart output is discarded; '|| :' keeps a failed restart from
# failing the rotation.
/etc/init.d/acpid condrestart >/dev/null || :
endscript

}

cups:

# cups logs: all *_log files share one postrotate run (sharedscripts).
# cups is switched off earlier in this build (chkconfig ... cups off), so
# this stanza is normally inert; kept as shipped.
/var/log/cups/*_log {

rotate 5
missingok
notifempty
sharedscripts
size=10M
postrotate
/etc/init.d/cups condrestart >/dev/null 2>&1 || true
endscript

}

note: cupsd removed from build 20050731

httpd: (first create the directory: mkdir /var/log/httpd/oldfiles)

# httpd logs: keep 3 rotations in the 'oldfiles' directory and HUP httpd
# once for all files (sharedscripts).
/var/log/httpd/*log {

rotate 3
size=100M
missingok
notifempty
# 'oldfiles' is given as a relative name; the heading note creates
# /var/log/httpd/oldfiles - the directory must exist before rotation.
olddir=oldfiles
sharedscripts
postrotate
# pid is read from /var/run/httpd.pid; a missing pid file or failed kill
# is ignored ('|| true').
/bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
endscript

}

mgetty:

# mgetty logs: size-based rotation, uncompressed, no daemon signalling.
# NOTE(review): the '^.' sequences in the path list look like a
# transcription artifact - verify the pattern list against the file on the host.
/var/log/mgetty.log.tty^. /var/log/mgetty.log.tty^.^. /var/log/mgetty.log.tty^.^.^. /var/log/mgetty.log.tty^.^.^.^. /var/log/mgetty.log.tty^.^.^.^.^. /var/log/mgetty.log.tty^.^.^.^.^.^. /var/log/mgetty.log.tty^.^.^.^.^.^.^. /var/log/mgetty.log.tty^.^.^.^.^.^.^.^. /var/log/mgetty.log.tty^.^.^.^.^.^.^.^.^. /var/log/mgetty.log.tty^.^.^.^.^.^.^.^.^.^. /var/log/mgetty.log.unknown /var/log/mgetty.callback {

rotate 5
size=10M
nocompress
missingok

}

mysqld:

# mysqld log: new file is created 0640 mysql:mysql; mysqld is HUPed before
# and after rotation, but only when its subsys lock exists.
/var/log/mysqld.log {

rotate 5
size=100M
missingok
create 0640 mysql mysql
prerotate
# '|| /bin/true' also swallows a failed kill, not just a missing lock file.
[ -e /var/lock/subsys/mysqld ] && /bin/kill -HUP `cat /var/run/mysqld/mysqld.pid 2> /dev/null ` || /bin/true
endscript
postrotate
# identical to the prerotate step above.
[ -e /var/lock/subsys/mysqld ] && /bin/kill -HUP `cat /var/run/mysqld/mysqld.pid 2> /dev/null ` || /bin/true
endscript

}

ppp:

# ppp connect errors: daily, compressed, 5 rotations, new file root-only (0600).
/var/log/ppp/connect-errors {

missingok
compress
notifempty
daily
rotate 5
create 0600 root root

}

(note: ppp - no changes required)

psacct:

# process accounting: daily, 31 rotations kept, compression delayed by one
# cycle; accton is re-pointed at the fresh file after rotation.
/var/account/pacct {

compress
delaycompress
notifempty
daily
rotate 31
# accounting data stays root-only.
create 0600 root root
postrotate
/usr/sbin/accton /var/account/pacct
endscript

}

(note: pacct - no changes required)

rpm:

# rpmpkgs listing: weekly rotation, no daemon involved.
/var/log/rpmpkgs {

weekly
notifempty
missingok

}

(note: rpm - no changes required)

snmpd:

# snmpd log: size-based, 5 rotations; snmpd is condrestarted via 'service'.
/var/log/snmpd.log {

rotate 5
size=10M
notifempty
missingok
postrotate
# both output streams discarded; restart failure is ignored ('|| true').
/sbin/service snmpd condrestart 2> /dev/null > /dev/null || true
endscript

}

syslog:

# core syslog files (including /var/log/secure): rotated by size only, 5 kept,
# one HUP to syslogd for the whole set.
# NOTE(review): with size=100M and no daily/weekly directive, retention of
# /var/log/secure is bounded by volume, not time - confirm this meets the
# log-retention requirement for this host.
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {

rotate 5
size=100M
sharedscripts
postrotate
# pid read from /var/run/syslogd.pid; failures are ignored ('|| true').
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript

}

up2date:

# up2date log: size-based, 5 rotations, no daemon signalling.
/var/log/up2date {

rotate 5
size=100M
missingok

}

vsftpd.log:

# ftp transfer log: rotated uncompressed; no rotate count or size/interval
# is given here, so the /etc/logrotate.conf defaults apply.
/var/log/xferlog {

nocompress
missingok

}

(note: vsftpd.log - no changes required)