netras
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
netras [2007/08/27 20:29] 75.132.107.251 |
netras [2007/09/10 11:08] (current) 167.206.189.3 |
||
|---|---|---|---|
| Line 100: | Line 100: | ||
| This will further lock down services, set PermitRootLogin to "No" in SSH, harden the FTP server configuration, tighten permissions, configure log rotation, set up TCP wrappers, enforce password complexity rules, and generally do Useful Things to keep the system secure. JASS does a couple of overly-secure things, like restrict SSH logins to machines on the local domain, so in /etc/hosts.allow, we'll need to change the sshd line to read "all". | This will further lock down services, set PermitRootLogin to "No" in SSH, harden the FTP server configuration, tighten permissions, configure log rotation, set up TCP wrappers, enforce password complexity rules, and generally do Useful Things to keep the system secure. JASS does a couple of overly-secure things, like restrict SSH logins to machines on the local domain, so in /etc/hosts.allow, we'll need to change the sshd line to read "all". | ||
| - | ==Enable Binary Auditing== | ||
| - | Edit /etc/security/audit_control to read: | ||
| - | |||
| - | dir:/var/audit | ||
| - | flags:lo,ap,ss,ua,am,pc | ||
| - | minfree:20 | ||
| - | naflags:lo,ap,ss,ua.am,pc | ||
| - | |||
| - | Then run: | ||
| - | |||
| - | /etc/security/bsmconv | ||
| - | |||
| - | and reboot. Binary logs (similar to pacct logs) will now be written to /var/audit and will be readable via praudit(1). | ||
| - | |||
| - | Once rebooted, run | ||
| - | |||
| - | auditconfig -setpolicy +argv | ||
| - | |||
| - | which will enable recording of process arguments. | ||
| Line 207: | Line 188: | ||
| ok> boot net - install | ok> boot net - install | ||
| + | |||
| + | When the install finishes, be sure to reset the firewall and turn off the extra services required by jumpstart. | ||
| + | |||
| + | ===Racking=== | ||
| + | |||
| + | After racking and cabling the servers, you'll need to copy a resolv.conf off of bud (removing the "127.0.0.1" entry and un-commenting our other name servers). You'll also need to install a new nsswitch.conf: | ||
| + | |||
| + | # cd /etc | ||
| + | # mv nsswitch.conf nsswitch.conf.orig | ||
| + | # cp nsswitch.dns nsswitch.conf | ||
netras.1188264586.txt.gz ยท Last modified: 2007/08/27 20:29 by 75.132.107.251
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
