redhat installation guide-v0.2

Upload: felixdk

Post on 05-Apr-2018


  • 7/31/2019 Redhat Installation Guide-V0.2


    Redhat ES 3 Build Document v.0.2 06/04/04

    1. Overview

    The following document provides an example of how to install Redhat as standard. All
    basic packages are included, but they should not necessarily all be turned on by default.

    2. Installation Process

    The installation process comprises several components:

    Disk Partitioning Recommendations
    Hardware RAID
    Base Installation of Redhat
    Registering server with the RedHat Network (www.rhn.com)
    Installing recommended upgrades to packages
    Server Lockdown
    Monitoring
    Backups
    Anti-Virus Software
    Security Audit
    QA

    2.1. Disk Partitions

    Based on the following standard disks the following is a suggested disk partitioning

    Assumption: 2 x 36GB disks basic

    /dev/cciss/c0d0p6 512Mb /

    /dev/cciss/c0d0p1 512Mb /boot

    /dev/cciss/c0d0p7 2Gb /home

    /dev/cciss/c0d0p2 5Gb /tmp

    /dev/cciss/c0d0p9 4.5Gb /usr

    /dev/cciss/c0d0p11 15.5Gb /var

    Swap

    /dev/cciss/c0d0p3   partition  2097112  0  -1
    /dev/cciss/c0d0p5   partition  1048716  0  -2
    /dev/cciss/c0d0p8   partition  2097096  0  -3
    /dev/cciss/c0d0p10  partition  2097096  0  -4


    2.2. Hardware Raid

    It is recommended that a minimum of 2 disks are used and configured as a RAID1 pair.

    If additional disk space is required it is recommended to increase the number of disks.

    2.3. BIOS Configuration (HP/COMPAQ)

    For HP servers, ensure BIOS is set to Linux, not


    The screen will look similar to the above picture.

    Choose GRUB to be installed on MBR (default)

    1.7 GRUB Password

    Unnecessary, Skip

    1.8 Network Configuration

    You can configure the network interface. The screen will look like the picture below:


    1.9 Firewall Configuration

    Choose "No firewall" and click Next to continue. The server will be behind the Eduserv
    firewalls which will allow certain connections to the server according to the specs.

    1.10 Language Support Selection

    Choose English UK, deselect English USA, and press Next to continue.

    1.11 Time Zone Selection

    Choose London Greenwich

    1.12 Account Configuration

    Enter the root password and confirm it, press Next to continue.

    1.13 Package Group Selection


    1.14 Installing Packages

    At this point the system will install the OS packages; it will ask for the other CDs of the
    distribution.

    After this you will be asked for Boot disk creation which can be ignored. If graphical mode
    has been chosen, X configuration will follow.

    D from the CD-ROM Drive and press Enter, the system will
    reboot and you will get a login prompt.

    2.5. Registering with the Redhat Network

    The following shows how to register RHEL with the Redhat Network

    2.1


    Once the installation is complete and the system is successfully networked we can
    register it to the RHN provided that there is a RHN license available.

    As root run:

        # rhn_register (for RHEL 2.1)
        # up2date --register (for RHEL 3)

    This will take you through a series of widgets that eventually will add the
    system to RHN.

    More specifically:

        # up2date --register

        0.  debug              No
        1.  rhnuuid            61c4eec60b3a11d27daf52a26036
        2.  isatty             Yes
        3.  showAvailablePacka No
        4.  retrieveOnly       No
        5.  enableRollbacks    No
        6.  noSSLServerURL     http://xmlrpc.rhn.redhat.com/'root@localhost']
        10. noBootLoader       No
        11. serverURL          https://xmlrpc.rhn.redhat.com/]
        13. versionOverride
        14. sslCACert          /usr/share/rhn/RHNS-CA-CERT
        15. noReplaceConfig    Yes
        16. useNoSSLForPackage No
        17. systemIdPath       /etc/sysconfig/rhn/systemid
        18. enableProxyAuth    No
        19. retrieveSource     No
        20. disallowConfChange ['noReboot', 'sslCACert', 'useNoSSLForPackages', 'noSSLSe
        21. headerFetchCount   10
        22. networkRetries     5
        23. pkgsToInstallNotUp ['kernel', 'kernel-modules']
        24. enableProxy        No
        25. proxyPassword
        26. updateUp2date      Yes
        27. keepAfterInstall   No
        28. proxyUser
        29. removeSkipList     ['kernel*']
        30. useGPG             Yes
        31. gpgKeyRing         /etc/sysconfig/rhn/up2date-keyring.gpg
        32. httpProxy
        33. headerCacheSize    40
        34. forceInstall       No
        35. noReboot           No

        Enter number of item to edit <return to exit, q to quit without saving>:


    If we press return

        Your GPG keyring does not contain the Red Hat, Inc. public key.
        Without it, you will be unable to verify that packages Update Agent downloads
        are securely signed by Red Hat.

        Your Update Agent options specify that you want to use GPG.

        To install the key, run the following as root:

            rpm --import /usr/share/rhn/RPM-GPG-KEY

    run

        # rpm --import /usr/share/rhn/RPM-GPG-KEY
        # up2date --register

    and we get a widget similar to the one below:

        Red Hat Network Registration (c) 2000-2001 Red Hat, Inc.

        ---- Register with Red Hat Network ----

        Now, for the first time ever, information, updates, and services
        that enhance the security and reliability of your Red Hat Linux
        systems are available to you in one place - Red Hat Network.
        Check out these benefits:

        - Red Hat Linux information, updates, and services specific to
          your systems
        - Fast access and proactive delivery of updates (security errata,
          bug fixes, enhancements)
        - The latest news from Red Hat, when new products and services
          are available

        [ Next ]  [ Cancel ]

        <Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen

    Next

        Red Hat Network Registration (c) 2000-2001 Red Hat, Inc.

        ---- Step 1: Review the Red Hat Privacy Statement ----

        We think our customers understand better than anyone else how Red


        Hat can most effectively serve their needs. Because of this, Red
        Hat makes every effort to allow our customers to define the
        relationship they will have with us. We ask customers how they
        would like Red Hat to communicate with them, if at all. We disclose
        how we will be using our customers' information through documents
        like this one, or by answering individual questions customers may
        ask. Our policy is not to sell or provide to others our customers'
        information without making it clear that we intend to do to in this
        statement or at the time the information is collected. Note that
        when you purchase a product or service from us, we may need to
        contact you to follow up on the product or service. However, our

        [ Next ]  [ Back ]  [ Cancel ]

        <Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen

    Next

        Red Hat Network Registration (c) 2000-2001 Red Hat, Inc.

        ---- Step 2: Register a User Account ----

        Are you already registered with redhat.com?
        Yes: Enter your current user name and password below.
        No: Choose a new user and password and enter it below.

        User name:               dk@eduserv
        Password:                ******
        Again for verification:  ******

        E-mail address:          rha@niss.ac.uk

        [ Next ]  [ Back ]  [ Cancel ]

        <Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen


    Next

        Red Hat Network Registration (c) 2000-2001 Red Hat, Inc.

        ---- Step 3: Register a System Profile - Hardware ----

        A Profile Name is a descriptive name that you choose to identify
        this System Profile on the Red Hat Network web pages. Optionally,
        include a computer serial or identification number.

        Profile name: rhnelh1

        [*] Include the following information about hardware and network:

        Version: 3   CPU model: Intel(R

        [*] Include RPM packages installed on this system in my System Profile

        You may deselect individual packages by unchecking them below.

        [*] 4Suite-0.11.1-14
        [*] ElectricFence-2.2.2-15
        [*] GConf2-2.2.1-1
        [*] MAKEDEV-3.3.1
        [*] ORBit2-2.6.2-1
        [*] Omni-0.7.2-4
        [*] Omni-foomatic-0.7.2-4
        [*] Py


        [ Next ]  [ Back ]  [ Cancel ]

        <Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen

    Next

        Red Hat Network Registration (c) 2000-2001 Red Hat, Inc.

        ---- Send Profile Information to Red Hat Network ----

        We are finished collecting information for the System Profile.

        Press "Next" to send this System Profile to Red Hat Network. Click
        "Cancel" and no information will be sent. You can run the registration
        program later by typing up2date --register at the command line.

        [ Next ]  [ Back ]  [ Cancel ]

        <Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen

        Red Hat Network Registration (c) 2000-2001 Red Hat, Inc.

        ---- Sending Profile to Red Hat Network ----

        0%


        <Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen

        Red Hat Network Registration (c) 2000-2001 Red Hat, Inc.

        ---- Registration Finished ----

        You have successfully registered this System Profile on Red Hat Network.

        Please visit http://www.redhat.com/network to login and access your Red
        Hat Network benefits.

        To upgrade your system with the latest product updates, bug fixes, and
        security enhancements, run up2date at the command line or choose
        "Update Agent" from the panel.

        [ Finish ]

        <Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen

    Now in theory, if we connect to RHN https://rhn.redhat.com/ and provided that we
    have enough licenses, we should be able to see the system in the list of systems
    that appear if we select the systems tab.

    The system will detect the channel it belongs to automatically according to the
    OS version it's running. We can add the system to groups; this grouping is done
    purely for making the administration easier.

    2.6. Additional Comments on RHN Configuration

    In RHN as the user "eduserv" place the server within three groups; one for each of the


    following

    customer
    hardware
    OS

    This is required not only for sensible grouping but servers need to be in groups so that ordinary RHN users can administer them.

    For RHEL 3, also subscribe the server to RHEL extras channel. (This is required to install certain "non-standard" but supported packages like mysql).

    Place information about the location of the machine in the Properties section.

    2.7. Installing recommended upgrades to packages

    The following command should be run to upgrade all installed packages to the
    latest version.

    as root run:

        # up2date --config
        # up2date -u
        # up2date


    rawdevices
    apmd
    crond
    anacron
    ntpd
    xinetd
    rhnsd
    sshd
    irqbalance
    snmpd

    netdump-server  0:off  1:off  2:off  3:off  4:off  5:off  6:off
    kudzu           0:off  1:off  2:off  3:on   4:on   5:on   6:off
    netfs           0:off  1:off  2:off  3:off  4:off  5:off  6:off
    network         0:off  1:off  2:on   3:on   4:on   5:on   6:off
    random          0:off  1:off  2:on   3:on   4:on   5:on   6:off
    rawdevices      0:off  1:off  2:off  3:on   4:on   5:on   6:off
    pcmcia          0:off  1:off  2:off  3:off  4:off  5:off  6:off
    apmd            0:off  1:off  2:on   3:on   4:on   5:on   6:off
    ipchains        0:off  1:off  2:off  3:off  4:off  5:off  6:off
    iptables        0:off  1:off  2:off  3:off  4:off  5:off  6:off
    smb             0:off  1:off  2:off  3:off  4:off  5:off  6:off
    crond           0:off  1:off  2:on   3:on   4:on   5:on   6:off
    anacron         0:off  1:off  2:on   3:on   4:on   5:on   6:off
    xinetd          0:off  1:off  2:off  3:on   4:on   5:on   6:off
    portmap         0:off  1:off  2:off  3:off  4:off  5:off  6:off
    rstatd          0:off  1:off  2:off  3:off  4:off  5:off  6:off
    rusersd         0:off  1:off  2:off  3:off  4:off  5:off  6:off
    autofs          0:off  1:off  2:off  3:on   4:on   5:on   6:off
    nfs             0:off  1:off  2:off  3:off  4:off  5:off  6:off
    nfslock         0:off  1:off  2:off  3:off  4:off  5:off  6:off
    nscd            0:off  1:off  2:off  3:off  4:off  5:off  6:off
    netdump         0:off  1:off  2:off  3:off  4:off  5:off  6:off
    identd          0:off  1:off  2:off  3:off  4:off  5:off  6:off
    radvd           0:off  1:off  2:off  3:off  4:off  5:off  6:off
    rhnsd           0:off  1:off  2:off  3:on   4:on   5:on   6:off
    ypbind          0:off  1:off  2:off  3:off  4:off  5:off  6:off
    sshd            0:off  1:off  2:on   3:on   4:on   5:on   6:off
    yppasswdd       0:off  1:off  2:off  3:off  4:off  5:off  6:off
    rwalld          0:off  1:off  2:off  3:off  4:off  5:off  6:off
    proftpd         0:off  1:off  2:off  3:off  4:off  5:off  6:off
    ypserv          0:off  1:off  2:off  3:off  4:off  5:off  6:off
    ypxfrd          0:off  1:off  2:off  3:off  4:off  5:off  6:off
    ntpd            0:off  1:off  2:off  3:on   4:on   5:on   6:off
    exim            0:off  1:off  2:off  3:off  4:off  5:off  6:off

    2.8.2 Xinetd Services

    The following services should be set in XINETD

    bpcd
    vnetd
    vopied
    bpjava-msvc

    xinetd based services:

    chargen-udp: off
    rexec: off
    rlogin: off
    rsh: off
    chargen: off
    daytime-udp: off
    daytime: off
    echo-udp: off
    echo: off


    time-udp: off
    time: off
    services: off
    telnet: off
    finger: off
    ntalk: off
    talk: off
    bpcd: on
    servers: off
    vopied: on
    bpjava-msvc: on
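
    The two listings above amount to a service baseline that can be checked mechanically. The script below is an added example, not part of the original guide: it reads saved `chkconfig --list` output and reports anything switched on that the guide leaves off. The allow-lists are assumptions copied from the guide's (partly truncated) listings, and `audit_chkconfig` and `sample_listing` are hypothetical names.

```shell
#!/bin/bash
# Added example, not from the original guide. Allow-lists are assumptions
# copied from the guide's listings (whose first page is truncated).
SYSV_ALLOWED="kudzu network random rawdevices apmd crond anacron xinetd autofs rhnsd sshd ntpd irqbalance snmpd"
XINETD_ALLOWED="bpcd vnetd vopied bpjava-msvc"

# audit_chkconfig FILE
# FILE is saved `chkconfig --list` output. Prints one line per deviation:
#   "sysv NAME"    service on in runlevel 3 but not in SYSV_ALLOWED
#   "xinetd NAME"  xinetd service on but not in XINETD_ALLOWED
audit_chkconfig() {
    awk -v sysv="$SYSV_ALLOWED" -v xin="$XINETD_ALLOWED" '
    BEGIN {
        n = split(sysv, a, " "); for (i = 1; i <= n; i++) ok_sysv[a[i]] = 1
        n = split(xin, b, " ");  for (i = 1; i <= n; i++) ok_xin[b[i]] = 1
    }
    /^xinetd based services:/ { in_xinetd = 1; next }
    in_xinetd && NF == 2 {
        name = $1; sub(/:$/, "", name)
        if ($2 == "on" && !(name in ok_xin)) print "xinetd " name
        next
    }
    !in_xinetd && NF == 8 && $5 == "3:on" && !($1 in ok_sysv) {
        print "sysv " $1          # field 5 is the runlevel-3 column
    }' "$1"
}

# Constructed sample input: a compliant host plus two deliberate deviations
# (portmap enabled in runlevel 3, telnet enabled under xinetd).
sample_listing() {
    cat <<'EOF'
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        rsh:    off
        telnet: on
        bpcd:   on
        bpjava-msvc:    on
EOF
}

# Usage on a real host: chkconfig --list > /tmp/services.txt
#                       audit_chkconfig /tmp/services.txt
if [ $# -gt 0 ]; then audit_chkconfig "$1"; fi
```

    An empty result means the host matches the baseline; each printed line names a service to review before the server is handed over.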

    3. Additional Configuration

    3.1. Monitoring

    To monitor the server the Nagios Plugin needs to be installed, configured and monitoring
    enabled on the Nagios Monitoring Servers.

    Refer to knowledge base

    3.2. Backups

    The Netbackup client needs to be installed

    Assumption: you have a user account and can ftp to the target server

    UoB Servers V3.4

        ssh to sparerib.niss.ac.uk
        cd /usr/openv/netbackup/client/Linux/RedHat2.4
        ./ftp_to_client <client> <user>

    QAH Servers V4.5

        ssh to chin.niss.ac.uk
        cd /usr/openv/netbackup/client/Linux/RedHat2.4
        ./ftp_to_client <client> <user>

    In addition the Netbackup server needs to have the client set up in order to perform
    backups, refer to separate documentation.


    3.3. Additional Security

    3.3.1 UVScan Installation

    RHES 2.1 and RHES3 both require the compat-libstdc++ library.

        zcat vlnx414l.tar.Z | tar -xf -
        ./install-uvscan
        vi /usr/local/bin/uvscan.sh

    add

        #!/bin/sh
        DATE=`date +%d%m%Y`
        UVSCAN=/usr/local/bin/uvscan
        QUARANTINE=/usr/uvscan/quarantine
        TARGET=/data
        EXCLUDE=/usr/local/bin/excludescan
        LOG=/var/log/scanresults
        # Scan $TARGET recursively at the lowest scheduling priority; infected
        # files go to $QUARANTINE and paths listed in $EXCLUDE are skipped.
        /usr/bin/nice -19 $UVSCAN -r -cm $QUARANTINE --exclude $EXCLUDE -p $TARGET
        /opt/bin/pmail.pl virus@niss.ac.uk

        export EDITOR=vi
        crontab -e

    add

        0 1 * * * /usr/local/bin/uvscan.sh
        0 0 * * * /usr/local/uvscan/datupdate.sh

    3.3.2 Nessus Scan

    Although not covered in this document it is recommended that a Nessus scan is
    performed on the server once the server has been installed.

    Nessus scan results should then be discussed with the Security Officer and Senior
    Systems Analysts as to the appropriateness of any vulnerabilities that may be identified.

    Nessus is installed on qah-nagios1 and on uob-nagios1

    4. Quality Assurance

    After the basic installation has occurred the server needs to be QAed by a peer prior to
    being handed over for QA testing


    5. Future Builds