Perform a 'minimal' install from the PXE boot menu, with a 100M /boot, swap of 2x RAM, 4GB of LVM space for /var and /tmp, and the remaining LVM space for '/'.
The commands below are then run to set up and secure the machine:
**** VERIFY HARDWARE OBJECT ****
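# Bootstrap clock sync. rdate speaks the RFC 868 time protocol, which carries
# no authentication, so treat this as a one-off before ntpd is installed and
# enabled further down in this runbook.
rdate -s time.nist.gov

# Services this build does not need. Both lists keep the order the original
# commands ran in. cpuspeed is the only one registered at runlevel 1 as well,
# hence its own level set below.
# NOTE(review): 'iptables off' disables the host firewall entirely and
# portmap/nfs*/rpc* closing is what removes the RPC surface; confirm the
# firewall choice is intended for the network this host sits on.
off_services=(xfs rpcidmapd rpcgssd autofs lm_sensors pcmcia mdmonitor cups
              cpuspeed gpm isdn netfs nfslock portmap nfs iptables xinetd)
stop_services=(xfs autofs lm_sensors pcmcia mdmonitor cups cpuspeed gpm isdn
               netfs nfslock nfs portmap iptables rpcgssd rpcidmapd xinetd)

# Guard each service on its init script: on a minimal install some of these
# (pcmcia, isdn, cups) may be absent, and chkconfig/stop would only error.
# Failures are reported on stderr rather than silently ignored.
for svc in "${off_services[@]}"; do
  if [ ! -x "/etc/init.d/$svc" ]; then
    printf 'skip: %s is not installed\n' "$svc" >&2
    continue
  fi
  levels=2345
  [ "$svc" = cpuspeed ] && levels=12345
  chkconfig --level "$levels" "$svc" off \
    || printf 'warn: chkconfig %s off failed\n' "$svc" >&2
done

for svc in "${stop_services[@]}"; do
  [ -x "/etc/init.d/$svc" ] || continue
  "/etc/init.d/$svc" stop \
    || printf 'warn: could not stop %s\n' "$svc" >&2
done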
***********************************************************************
cd /etc/ssh/
vi sshd_config
Port 22
Protocol 2
PermitRootLogin no
X11Forwarding no
***************** SETUP RHN *****************
reboot # pickup updated kernel
up2date --configure
37. noReboot Yes
***************** SETUP MRTG MONITORING *****************
up2date net-snmp
chkconfig --add snmpd
chkconfig --level 345 snmpd on
vi /etc/snmp/snmpd.conf
rocommunity blahblahblah
/etc/init.d/snmpd start
***************** INSTALL NTP *****************
cd ~
up2date -i ntp
ntpdate ntp.server.com
vi /etc/ntp.conf
server ntp.server.com
server mail.server.com
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
/etc/init.d/ntpd start
chkconfig --level 345 ntpd on
*************** Setup sar *********************
up2date -i sysstat
In root's crontab:
0 8-18 * * 1-5 /usr/lib/sa/sa1 1200 3 &
5 19 * * 1-5 /usr/lib/sa/sa2 -A &
**************** Setup sudo *******************
visudo
**************** Setup su (wheel) *************
vi /etc/pam.d/su
**************** Setup mdadm **************
vi /etc/mdadm.conf
chkconfig --level 345 mdmonitor on
/etc/init.d/mdmonitor start
*************** Update db? ****************
vi /etc/updatedb.conf
*************** Forward root's mail **********
vi /etc/aliases
root: rootmail@wherever.com
newaliases
*************** Set to use spooling **********
In /etc/mail/sendmail.cf, set the relay host to:
# "Smart" relay host (may be null)
DSmailserver.whatever.com
**************** Setup Backups *************
**************** Update everything ***********
(pdksh causes issues, so remove it)
rpm -e pdksh
up2date -fu
shutdown -r +1 & logout
********** SE Linux *********************
up2date -i selinux-policy-targeted-sources
(winbind is only needed for Samba Active Directory authentication)
Add the following to /etc/selinux/targeted/src/policy/domains/misc/local.te:
allow winbind_t etc_t:file write;
allow winbind_t tmp_t:dir search;
allow winbind_t tmp_t:file read;
allow winbind_t self:process setpgid;
allow ntpd_t file_t:file read;
allow winbind_t file_t:file { getattr read };
allow ntpd_t file_t:file { getattr read unlink };
allow snmpd_t file_t:file { append getattr read rename unlink };
allow winbind_t file_t:file { append getattr read rename };
allow winbind_t file_t:sock_file unlink;
allow winbind_t file_t:file rename;
cd /etc/selinux/targeted/src/policy
make && make load
******************** Log Rotation *********************************
These are the configurations in /etc/logrotate.d/:
acpid:
/var/log/acpid {
rotate 5
size=100M
missingok
notifempty
size=64k
postrotate
/etc/init.d/acpid condrestart >/dev/null || :
endscript
}
cups:
/var/log/cups/*_log {
rotate 5
missingok
notifempty
sharedscripts
size=10M
postrotate
/etc/init.d/cups condrestart >/dev/null 2>&1 || true
endscript
}
(note: cupsd removed from build 20050731)
httpd: (mkdir /var/log/httpd/oldfiles)
/var/log/httpd/*log {
rotate 3
size=100M
missingok
notifempty
olddir=oldfiles
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
endscript
}
mgetty:
/var/log/mgetty.log.tty^. /var/log/mgetty.log.tty^.^. /var/log/mgetty.log.tty^.^.^. /var/log/mgetty.log.tty^.^.^.^. /var/log/mgetty.log.tty^.^.^.^.^. /var/log/mgetty.log.tty^.^.^.^.^.^. /var/log/mgetty.log.tty^.^.^.^.^.^.^. /var/log/mgetty.log.tty^.^.^.^.^.^.^.^. /var/log/mgetty.log.tty^.^.^.^.^.^.^.^.^. /var/log/mgetty.log.tty^.^.^.^.^.^.^.^.^.^. /var/log/mgetty.log.unknown /var/log/mgetty.callback {
rotate 5
size=10M
nocompress
missingok
}
mysqld:
/var/log/mysqld.log {
rotate 5
size=100M
missingok
create 0640 mysql mysql
prerotate
[ -e /var/lock/subsys/mysqld ] && /bin/kill -HUP `cat /var/run/mysqld/mysqld.pid 2> /dev/null ` || /bin/true
endscript
postrotate
[ -e /var/lock/subsys/mysqld ] && /bin/kill -HUP `cat /var/run/mysqld/mysqld.pid 2> /dev/null ` || /bin/true
endscript
}
ppp:
/var/log/ppp/connect-errors {
missingok
compress
notifempty
daily
rotate 5
create 0600 root root
}
(note: ppp - no changes required)
psacct:
/var/account/pacct {
compress
delaycompress
notifempty
daily
rotate 31
create 0600 root root
postrotate
/usr/sbin/accton /var/account/pacct
endscript
}
(note: pacct - no changes required)
rpm:
/var/log/rpmpkgs {
weekly
notifempty
missingok
}
(note: rpm - no changes required)
snmpd:
/var/log/snmpd.log {
rotate 5
size=10M
notifempty
missingok
postrotate
/sbin/service snmpd condrestart 2> /dev/null > /dev/null || true
endscript
}
syslog:
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
rotate 5
size=100M
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
up2date:
/var/log/up2date {
rotate 5
size=100M
missingok
}
vsftpd.log:
/var/log/xferlog {
nocompress
missingok
}
(note: vsftpd.log - no changes required)