Harden the server

Perform initial hardening to satisfy audit req (should be automatic or semiautomatic):

___ Delete redundant accounts:
- uucp
- ftp (unless you need anonymous ftp access; this account is often abused)
- games
- possibly wwwrun (unless you need a webserver on the box)
- Note: Do not delete news account or logrotate will stop working
___ Delete redundant groups
___ Modify /etc/issue & motd according to company standards
____ Configure syslog-ng to report to remote host if such infrastructure (central log server) exists in your company (it should !)
Enroll primary and secondary administrators into the wheel group and activate this group in sudo: \
- Edit /etc/group by appending primary and secondary administrators to wheel group (do not overcrowd the group)
- Edit /etc/sudoers and uncomment the line in the line
```
%wheel ALL=(ALL) NOPASSWD: ALL
```
Note: this is preferred method of controlling root access as linux does not have RBAC.
Install writable files checking script into cron
Verify correctness of home directories permissions
Populate all home directories and /root directory with .profile and .kshrc files (for bash users this is .bash_profile and .bashrc) and verify they are properly owned and have permissions 701
___ Important Check and if necessary disable test, guest and any other unused accounts if any were created during the installation.
Notes
- __________________________________________________________________________________
- __________________________________________________________________________________
- __________________________________________________________________________________
- __________________________________________________________________________________
- __________________________________________________________________________________

Notes
- __________________________________________________________________________________
- __________________________________________________________________________________
- __________________________________________________________________________________
- __________________________________________________________________________________
- __________________________________________________________________________________

Change monitor resolution if the server will be shipped to different location

If you plan to ship the server to other location change resolution to 800x600 and color depth to 16. Most older KVM switches do not support high resolution.

Create baseline

___ Create the baseline of key config files for the server and burn it to CD.
1. Adopt one of the scripts used in troubleshooting and run it after the installation just before giving the server to application people.
2. Copy all the critical config file to /root/baseline/date directory the way JASS does this on Solaris. Tar the directory, move it to your desktop and burn to CD.
___ Verify the /boot/grub/menu.lst is configured correctly.
Notes
- __________________________________________________________________________________
- __________________________________________________________________________________
- __________________________________________________________________________________
- __________________________________________________________________________________
- __________________________________________________________________________________

Additional installation steps that were missed

Notes
- __________________________________________________________________________________
- __________________________________________________________________________________
- __________________________________________________________________________________
- __________________________________________________________________________________
- __________________________________________________________________________________

Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with.
We do not warrant the correctness of the information provided or its fitness for any purpose
In no way this site is associated with or endorse cybersquatters using the term "softpanorama" with other main or country domains (e.g. softpanorama.com) with bad faith intent to profit from the goodwill belonging to someone else.

Last modified: August 21, 2009