The following is the checklist for building a Linux VM for the INTRANET:
1. Find an available IP address in /etc/hosts on shelley, and:
a. Checkout /etc/hosts (co -l /etc/hosts)
b. Edit /etc/hosts. Make sure to put a descriptive comment.
c. Check in /etc/hosts (ci -u -w{username} /etc/hosts)
d. cd /var/yp; make hosts
NOTE: If the system has a randcorp.org address, add it to /etc/hosts as a COMMENT - not as a real entry.
2. Add entry to /etc/netgroup on shelley/oso/byron (same process for checkin/checkout as step 1 but with /etc/netgroup)
3. If necessary, add entry to /etc/auto.direct on shelley/oso/byron for exported filesystems (same process for checkin/checkout as step 1 but with /etc/auto.direct)
4. Start vcenter
a. Web Client:
* Bring up IE (run as administrator, use etoken account)
* Go to vcenter.rand.org
b. Desktop Client:
* Start vSphere client (run as administrator, use etoken account)
c. In vcenter:
* If using a template, find the right template and choose deploy new VM.
* Customize the options appropriately - including the correct VLAN and storage devices.
* Make sure VLAN is set to connected in the VM's settings.
d. If no template, create VM and boot off of an ISO file and install system. Use an existing system as a template for security configuration.
5. Launch console in vcenter.
6. Update the /etc/sysconfig/network-scripts/ifcfg-eth0 file to have appropriate values. Use an existing system as a guide.
7. Update the /etc/sysconfig/network file to have appropriate values.
8. Remove all entries from /etc/udev/rules.d/70-persistent-net.rules and then reboot the machine.
9. In vcenter, choose install vmware tools, select Mount and do the following:
a. mount /dev/cdrom /media
b. cd /tmp
c. tar xvpf /media/VMware*.tar*
d. cd /tmp/vmware-tools-distrib
e. Run ./vmware-install.pl and answer the prompts.
f. Unmount /media (umount /media) and reboot.
10. In vcenter, go under: VM Options->VMware tools and select check and upgrade VMware tools before each power on.
11. Fix the timezone on the host by doing the following:
a. rm /etc/localtime
b. ln -s /usr/share/zoneinfo/US/{Eastern/Pacific} /etc/localtime
12. Edit the /etc/resolv.conf to have proper values (use another system as a guide).
13. Run yum update to get the system up to date. Make sure proper repos are in /etc/yum.repos.d directory first (get from another system).
14. Send Request to Craig Harrington or James McGowan for a DNS Entry to be added.
15. Centrify the machine, if it is on the intranet:
a. Install the Centrify packages: yum install CentrifyDC and yum install CentrifyDC-samba.
b. Add system to appropriate zones by typing: adjoin -u {adminid} -s {sm/pgh/dc}dc1.rand.org -n {systemname} -z {zone} rand.org.
c. Start Access Manager (run as administrator, use etoken account) and verify the system is in the proper zone(s). It might take a few refreshes before it shows up.
16. IF CENTRIFIED, set up NIS:
a. Make sure /etc/nsswitch.conf is set up correctly (look at another machine)
b. Make sure /etc/yp.conf is set up correctly (look at another machine)
c. Make sure ypbind is chkconfig-ed to start on boot. Make sure it is running.
17. IF CENTRIFIED, set up the automounter:
a. Make sure /etc/auto.master is correct (look at another machine).
b. Make sure autofs is chkconfig-ed to start on boot. Make sure it is running.
c. Make sure no local /home is mounted. Comment out of /etc/fstab. Use the file system for something else.
18. Set up tripwire.
a. Uninstall teagent and TWeagent if they're installed.
b. Go to /tmp/te_agent* directory.
d. Run the te_agent.bin installer that is in the tripwire directory tree.
e. smtrip1(10.1.9.125) is the tripwire server, RanD53c is the password. Take defaults for other options in the installer.
f. Run /etc/init.d/twdaemon start
g. ps -ef | grep tripwire to make sure the tripwire java program is running.
19. If configuring a second partition:
a. Add a new harddisk in vcenter
b. Use parted (mkpart) to create a partition.
c. Set start to 0% and end to 100%.
1) Make sure xfsprogs is installed (yum install xfsprogs) if you want to make an xfs file system.
2) Use: parted /dev/sd{c/d}
i. mklabel msdos
ii. print
iii. mkpart primary {xfs/ext4}
iv. print
3) mkfs -t {xfs/ext4} /dev/sd{c/d}1
4) use blkid to determine the UUID for the new filesystem
5) Create an entry in /etc/fstab for the new filesystem that looks like this:
UUID={UUID#} /{mountpoint} {xfs/ext4} defaults 0 0
6) Make sure the mountpoint exists and type mount -a to verify the filesystem mounts.
7) Repeat steps a through f for additional file systems.
20. Update sshd_config to block root logins and allow the Nessie exception:
# Block direct root logins.
PermitRootLogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
AllowTcpForwarding no
UseDNS no
# Note: the arcfour (RC4) ciphers and hmac-ripemd160 are weak and have been removed from current OpenSSH releases.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
Macs hmac-sha1,hmac-ripemd160
DenyUsers anonymous guest
# Disable Nessus scanner password auth so only PubKey will work.
Match User nessie
PasswordAuthentication no
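Added example (not part of the checklist): a POSIX shell script that audits an sshd_config against the step-20 values, checking that root logins are blocked and that the nessie account is key-only, and warning about the weak arcfour ciphers. It assumes the "Directive value" syntax and "Match User <name>" blocks only; the sample config it writes is constructed for the demo.

```shell
#!/bin/sh
# Audit an sshd_config against the step-20 values. Usage: sh check_sshd.sh /etc/ssh/sshd_config
# Assumes "Directive value" syntax, first occurrence wins (as in OpenSSH), "Match User <name>" blocks only.
# Value of a directive in the global section (before any Match line); empty if unset.
sshd_global_value() {   # $1=file $2=directive
  awk -v key="$2" '
    tolower($1) == "match" { exit }
    !found && tolower($1) == tolower(key) { val = $2; found = 1 }
    END { print val }' "$1"
}
# Value of a directive inside "Match User $2"; empty if unset there.
sshd_match_value() {    # $1=file $2=user $3=directive
  awk -v user="$2" -v key="$3" '
    tolower($1) == "match" { inblock = (tolower($2) == "user" && $3 == user); next }
    inblock && !found && tolower($1) == tolower(key) { val = $2; found = 1 }
    END { print val }' "$1"
}
# Returns 0 when every required directive matches, 1 otherwise; prints each mismatch.
check_sshd_config() {
  file="$1"; rc=0
  for pair in PermitRootLogin=no PubkeyAuthentication=yes ChallengeResponseAuthentication=no \
              UsePAM=yes AllowTcpForwarding=no UseDNS=no; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_global_value "$file" "$key")
    [ "$got" = "$want" ] || { echo "MISMATCH: $key is '${got:-unset}', expected '$want'"; rc=1; }
  done
  # The scanner account must be key-only: PasswordAuthentication off inside its Match block.
  got=$(sshd_match_value "$file" nessie PasswordAuthentication)
  [ "$got" = "no" ] || { echo "MISMATCH: Match User nessie PasswordAuthentication is '${got:-unset}'"; rc=1; }
  # Caveat, not a failure: arcfour (RC4) ciphers are weak and removed from current OpenSSH.
  case "$(sshd_global_value "$file" Ciphers)" in *arcfour*) echo "WARNING: Ciphers includes arcfour";; esac
  return $rc
}
# Constructed sample (not a real host's file) so the script can be exercised offline.
write_sample_config() {  # $1=output path $2=PermitRootLogin value
  cat > "$1" <<EOF
PermitRootLogin $2
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
AllowTcpForwarding no
UseDNS no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
# Disable Nessus scanner password auth so only PubKey will work.
Match User nessie
    PasswordAuthentication no
EOF
}
if [ -n "${1:-}" ]; then check_sshd_config "$1"; fi
```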
21. Update the /etc/sudoers file to allow Nessie to run root commands.
22. Make sure the Nessie account is set to never expire in /etc/shadow (99999 for expire date).
23. Run setup and enable/disable services so that only the necessary ones run.
24. Install any additional software that customer requested.
25. MAKE A SNAPSHOT IN VCENTER!
26. If required, run Nessus scan, fix system as per the information in the Nessus report, rinse and repeat until satisfactory.
a. Determine the appropriate IP address for running Nessus scan.
b. Go to https://awclab2.rand.org/dana-na/auth/url_32/welcome.cgi and login using RSA credentials (must be IE, not Firefox).
c. Press Start.
d. Open another tab in IE, go to https://10.101.3.45
e. Find the right test scan, make sure to edit it to use the correct IP chosen in step a.
f. In vSphere/vcenter:
i. Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file and change settings for IPADDR, GATEWAY, and NETWORK to proper values based on IP address chosen in step a.
ii. Power down the VM and migrate the VM to the proper host and/or datastore if necessary.
iii. Make sure the VLAN setting for the VM is correct based on IP address from step a.
iv. Reboot the VM.
g. Launch the test scan
h. Once the test scan completes:
i. Verify the results of the scan by choosing Scanning -> Scan Results.
ii. Select the scan and choose Browse.
iii. Choose Edit Filters and uncheck the Info box under Vulnerability Severity
iv. Examine and correct all issues.
v. Go back to step g above until the scan results are satisfactory.
vi. In the dropdown menu, select Detailed Vulnerability List.
vii. Choose More and then Create Report.
viii. Check the box that says Display all Results, name the report, and click Submit.
ix. Under Reporting -> Report Results will be the report. Download it for sending to InfoSec.
i. Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file again and change the values back to their proper settings.
j. Power down the VM and migrate it back to the proper host and/or datastore.
27. Configure system for Nagios.
a. Make sure net-snmp is installed and running and chkconfig-ed on.
b. Make sure you have a good /etc/snmp/snmpd.conf file (get from another host) and restart snmpd.
c. Go to nagios.rand.org/monitor.
d. Go to home->configuration and choose Host wizard or Clone wizard.
e. Follow the prompts.
f. Make sure contact list is correct, and make sure it is in right host and service groups.
g. Make sure to do Control -> pre-flight test
h. Control -> commit
28. Verify with Rick Morehead that system backs up to legato properly.
29. Verify with Damien Thomas or Jason Lingel that system is in tripwire.
30. Send email to SysAdmins asking for one of them to vet the system.
31. SysAdmin has completed vetting the system.
32. Make sure the proper root password is set.
33. Verify with customer that everything is correct on the system.
34. Update as much information in KASM as possible for the profile of the server.
35. Verify that it is in the appropriate patch group (contact Dean Falcione).
36. Verify that the BESClient is installed and that the system is in the appropriate groups in IEM (contact Falcione or Fuentes).
37. Turn the system over to the customer.