Tunnel VNC over SSH with Putty Example

Start vncserver on your Linux server and assign a password.

By default the first display the server creates (:1) listens on TCP port 5901.

Go to PuTTY and create a new session with the following options (replace testserver with the name of your Unix server running vncserver):

Add the settings above and open the connection with PuTTY to establish the session. Then open UltraVNC Viewer, enter 127.0.0.1:1 as the target, and you will get the remote server's desktop.
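The tunnel the PuTTY session sets up (a local forward of port 5901 to 127.0.0.1:5901 on the server), expressed with OpenSSH, plus a check that the VNC display on the server is bound only to loopback so the tunnel is the only way to reach it. This is an added example, not code from the original post; testserver is the post's placeholder host name and the netstat lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): OpenSSH form of the PuTTY tunnel,
# and a listener check run over constructed `netstat -tln` output.
set -e

# VNC display :N listens on TCP 5900+N, so the post's display :1 is port 5901.
vnc_port() {
  echo $((5900 + $1))
}

# OpenSSH equivalent of the PuTTY local forward: local port -> 127.0.0.1:port on
# the server. -N opens no remote shell; the tunnel is all the session is for.
tunnel_cmd() {  # $1 = ssh host, $2 = display number
  p=$(vnc_port "$2")
  echo "ssh -N -L ${p}:127.0.0.1:${p} $1"
}

# Read `netstat -tln` style lines on stdin and print any TCP listener on the VNC
# port for display $1 whose local address is not loopback (127.x or ::1).
# Such a listener is reachable without the tunnel and defeats its purpose.
exposed_vnc_listeners() {
  p=$(vnc_port "$1")
  awk -v port="$p" '
    $1 ~ /^tcp/ && $4 ~ (":" port "$") && $4 !~ /^127\./ && $4 !~ /^::1:/ { print }
  '
}

# Constructed sample of `netstat -tln` output: display :1 is exposed on all
# interfaces, display :2 is bound to loopback only.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5902          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Number of exposed listeners for display $1 in the sample.
count_exposed() {
  printf '%s\n' "$SAMPLE_NETSTAT" | exposed_vnc_listeners "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show the tunnel command and flag the exposed display.
tunnel_cmd testserver 1
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_vnc_listeners 1
```

On a real server, feed `netstat -tln` (or `ss -ltn`) into exposed_vnc_listeners; vncserver builds such as TigerVNC accept a -localhost option so that the display binds only to loopback.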

AIX Tips

You can use the prtconf command to list your AIX hardware configuration, including CPUs, memory, adapters, disks and network. The prtconf command is available in the current version of AIX 4.3.3 and on AIX 5. For those running older versions of AIX, here is a list of commands that provide the same information.

General

prtconf - list system configuration
lscfg [-v] - devices (-v = verbose for microcode levels, etc)
lscfg -v - devices verbose (microcode level, firmware, etc)
lsdev -Cc adapter - adapter cards
lsdev -Cc disk - disks
lsdev -Cc processor - CPU's
lsattr -El sys0 - serial number, model number, memory

AIX

oslevel - AIX OS level
instfix -i |grep ML - AIX maintenance level
lslpp -l - installed SW and levels

Logs

alog -L            # List the defined log types
alog -o -t boot    # View the boot log
alog -o -t console # View the console log

Disk

lsvg -o - active volume groups
lsvg -p vgname - disk drives in VG
lsvg -l vgname - LV's in VG
lslv lvname - LV detail
lslv -l lvname - LV disk location
lspv - disks
lspv -l hdisk# - LV's residing on a disk

Network

lsdev -Cc if - list network interfaces
netstat -rn - list network gateways

Services

stopsrc -s sshd # replace sshd with servicename you want to stop or start
startsrc -s sshd



Powered by ScribeFire.

Nagios Client Configuration

On Unix Systems:

Installation

su - bb

wget http://pvalentino.pvalentino.lan/install/nagios/nagiosclient.tgz

cd ~bb

tar zxvpf nagiosclient.tgz

chown bb.bb nagios/*

Create symbolic links as follows:

ln -s /lib/libcrypto.so.0.9.7a /lib/libcrypto.so.0.9.7

ln -s /lib/libssl.so.0.9.7a /lib/libssl.so.0.9.7

To test, run the following from the server. The nagios user requires the ssh keys from bb so that it can issue ssh commands; ssh bb@hostname must work!!!

su - nagios

cd /usr/local/groundwork/nagios/libexec

./check_by_ssh -H 10.3.17.183 -C "libexec/check_mem.pl -f -c 2 -w 3"

./check_by_ssh -H 10.3.17.183 -t 30 -l bb -C "libexec/check_load -w 15,10,5 -c 30,25,20"

On Windows Systems:

Installation

Copy \\pvalentinofs02\library\apps\nagiosclient to C:\

Open a command prompt:

cd nagiosclient

pnsclient.exe /install

Double click Nsclient.reg and click OK to accept the registry change

Back at command prompt type:

net start nsclient

For W2K3 Servers with DEP enabled:

Right Click "My Computer"

Select "Properties"

Click "Advanced"

Click "Settings" under Performance section

Select the "Data Execution Prevention" tab and click "Add"

Browse to C:\nagiosclient\pNsclient.exe

Windows servers do not require a reboot unless they have DEP enabled.




Groundworks Monitor Installation

Install Prerequisite Packages

Disable SELinux so that it does not interfere with installation:

Edit the /etc/selinux/config file so that it looks like:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# SELINUXTYPE=targeted

MySQL

mysql-server-5.0.44-1.el4s1.1

yum -c http://pvalentino/repository/patch/current/rhel4-i386.conf -y install mysql-server

mysqlclient14-4.1.22-1.el4s1.1

yum -c http://pvalentino/repository/patch/current/rhel4-i386.conf -y install mysqlclient

mysql-5.0.44-1.el4s1.1

yum -c http://pvalentino/repository/patch/current/rhel4-i386.conf -y install mysql

mysql-libs-5.0.44-1.el4s1.1

yum -c http://pvalentino/repository/patch/current/rhel4-i386.conf -y install mysql-libs

mod_auth_mysql-3.0.0-2.el4s1.3

yum -c http://pvalentino/repository/patch/current/rhel4-i386.conf -y install mod_auth_mysql

php-mysql-5.1.6-3.el4s1.7

yum -c http://pvalentino/repository/patch/current/rhel4-i386.conf -y install php-mysql

Set MySQL to automatically start:

chkconfig mysqld on

Start the MySQL server daemon:

service mysqld start

Remove any non-Sun Microsystems Java versions

Query for existing Java packages:

rpm -qa | grep -i java

Remove the RPMs with: rpm -e <package>

Example Java packages:

java-1.4.2-gcj-compat-1.4.2.0-27jpp

gcc-java-3.4.6-3

Reboot the machine (to make sure the cache is cleared)

Install java version "1.5.0_11" from http://pvalentino/install/jboss/java.tar.gz

Add the following to the user's .bash_profile:

JAVA_HOME=/apps/java/default
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME PATH

Then run: source ~/.bash_profile

Install Perl-DBI

perl-DBI-1.54-1.el4s1

yum -c http://pvalentino/repository/patch/current/rhel4-i386.conf -y install perl-DBI*

MySQL uses the localhost entry in /etc/hosts. Make sure that the localhost entry looks like the example below: localhost must come first after the IP address, followed by localhost.localdomain. In the example, bigbrother.pvalentino.org is the fully qualified domain name of the host where the GroundWork Monitor server is installed.

127.0.0.1 localhost localhost.localdomain
10.3.17.79 bigbrother bigbrother.pvalentino.org bigbrother.pvalentino.lan

Also, make sure TCP port 3306 is not blocked by your firewall rules; this port is used for communication to the MySQL server.

Downloading the GroundWork Monitor RPMs

wget http://pvalentino/install/nagios/groundwork-foundation-pro-1.6.1-67.noarch.rpm

wget http://pvalentino/install/nagios/groundwork-monitor-core-5.1.3-32.rhel4.i386.rpm

Note: To install the product successfully, the following 2 RPM commands must be performed separately, do not combine.

Foundation RPM. This will install the GroundWork Foundation components:

rpm -Uvh groundwork-foundation-pro-1.6.y-yyy.noarch.rpm

Core RPM. This will install GroundWork Monitor components:

rpm -Uvh groundwork-monitor-core-5.1.y-yyy.zzzz.zzzz.rpm

Verifying and Completing Configuration

Step 1 - Checking the User Interface as an Administrator

An Administrator can define Users, Groups, Roles, and Packages. The Administrator role also provides access to the Configuration option, which allows you to configure the Nagios monitoring system.

1. Go to the URL http://bigbrother/.

2. Login as an Administrator with the User ID admin and Password admin.

3. Reference the Bookshelf within GroundWork Monitor Professional for additional advice and instructions.

4. When finished exploring Admin options, continue with Step 2 below.

Step 2 - Checking the User Interface as an Operator

An Operator role is pre-defined for you. The Operator role provides access to GroundWork Monitor Professional applications such as Status, Reports, and Bookshelf.

1. Log out as an Administrator.

2. Log into GroundWork Monitor Professional as an Operator with the User ID joe and Password joe.

3. Click the Application Launcher and select the Status option.

4. Review the Overview status page.

5. Expand the tree (left Panel) and Navigate to Hosts and Services.

6. Select Host and Service information. Check that the status information is correct.

Step 3 - Checking the connection between Nagios and GroundWork Foundation

1. From a command shell (open as root), if the Status Viewer status and Nagios Service detail do not match, check the following:

- Check to see if nagios2collage_status.pl is executing with the following command:

ps -ef | grep nagios2collage

- If this process is not running, restart gwservices with the following command:

/etc/init.d/gwservices restart

2. If the Console events do not appear, check the following:

- Check to see if nagios2collage_event.pl is executing with the following command:

ps -ef | grep nagios2collage

- If this process is not running, restart gwservices with the following command:

/etc/init.d/gwservices restart

Installing Plugins:

Copy downloaded plugins to:

/usr/local/groundwork/nagios/libexec

chmod a+x <plugin executable>

Try to run some commands, e.g. for check_jmx try:

/usr/local/groundwork/nagios/libexec/check_jmx -U service:jmx:rmi:///jndi/rmi://epicapp:1999/jmxrmi -O java.lang:type=Memory -A HeapMemoryUsage -K used -I HeapMemoryUsage -j used -vvvv -w 400000000 -c 500000000

APPENDIX A - BACKUPS

Back up custom changes you may have made to your GroundWork Monitor system:

- Plugins: /usr/local/groundwork/nagios/libexec

- CGI Graphs: /usr/local/groundwork/apache2/cgi-bin/graphs

- Eventhandlers: /usr/local/groundwork/nagios/eventhandlers

Back up existing RRD files and your current Nagios configuration. This will create three TAR files in the current directory.

- tar cfz GWMON-xxx-rrd.tar.gz /usr/local/groundwork/rrd

- tar cfz GWMON-xxx-nagios.tar.gz /usr/local/groundwork/nagios/etc

- tar cfz GWMON-xxx-users.tar.gz /usr/local/groundwork/users

Database Back Up

GroundWork recommends that all MySQL databases be backed up before upgrading. The upgrade procedure will migrate the databases to the latest version of GroundWork Monitor. Create a backup directory (e.g. /usr/local/backup-gwmon/) and enter the following commands to create the backups:

- Monarch (Configuration):

mysqldump -uroot monarch > /usr/local/backup-gwmon/monarch.sql

- Guava (Framework):

mysqldump -uroot guava > /usr/local/backup-gwmon/guava.sql

- Foundation (Monitor Data):

mysqldump -uroot GWCollageDB > /usr/local/backup-gwmon/GWCollageDB.sql

GroundWork Configuration Files Back Up

- Monarch Back Up

Back up the following files and folders before removing GroundWork Monitor and restore them after the 5.1 installation.

tar cfz GWMON-xxx-monarchbackup.tar.gz /usr/local/groundwork/monarch/backup

tar cfz GWMON-xxx-performance_views.tar.gz /usr/local/groundwork/performance/performance_views

- If you have done custom work to these files, back up the following. Note: this does not apply to a GWMON 4.0 to GWMON-PRO 5.1 upgrade.

tar cfz GWMON-xxx-monarchcallout.tar.gz /usr/local/groundwork/monarch/lib/MonarchCallOut.pm

tar cfz GWMON-xxx-monarchexternals.tar.gz /usr/local/groundwork/monarch/lib/MonarchExternals.pm

- If you have configured Apache for secure SSL authentication, any HTTPS certificates need to be preserved (the directory of the HTTPS certificates may differ from the example below):

tar cfz ssl-keys.tar.gz /usr/local/groundwork/apache2/conf/ssl.key


VMWare Tips

vmware -v # determine vmware build

vmware-cmd -l # list vm's

esxtop #vmware top tool

service mgmt-vmware restart # restart the mgmt services

vm-support # generate a support log for vmware support




Wedding Playlist - Aug. 25, 2007

Nothing Like You and I - The Perishers
You're Beautiful - James Blunt
Angel - Sarah McLachlan
Amie - Pure Prairie League
Time In A Bottle - Jim Croce
Silvio - Bob Dylan
Sway - The Perishers
Tones of Home - Blind Melon
Still Crazy After All These Years - Paul Simon
Belief - John Mayer
Proud Mary - CCR
Knockin' on Heaven's Door - Bob Dylan
She Will Be Loved - Maroon 5
Layla - Eric Clapton
Remedy - Seether
Nobody Does It Better - Me First and The Gimme Gimmes
Let There Be Morning - The Perishers
Gravity - John Mayer
I Only Want To Be With You - Me First and The Gimme Gimmes
Right Here - Staind
I'll Be Your Baby Tonight - Bob Dylan
Is It My Body - Alice Cooper
WHEN I'M 64 - THE BEATLES
DON'T KNOW WHY - NORAH JONES
EVERYTHING CHANGES - STAIND
I WANT YOU - BOB DYLAN
EVERY BREATH YOU TAKE - STING
A WHISPER - COLDPLAY
WONDER - NATALIE MERCHANT
CONSTANT CRAVING - KD LANG
NOTHING COMPARES 2 U - ME FIRST AND THE GIMME GIMMES
HIGH - JAMES BLUNT
GREEN EYES - COLDPLAY
JOHNNY B. GOODE - BO DIDDLEY
YOU DON'T MESS AROUND WITH JIM - JIM CROCE
TRUE FINE LOVE - STEVE MILLER BAND
THE GIFT - SEETHER
TEARS AND RAIN - JAMES BLUNT
AT THE ZOO - SIMON & GARFUNKEL
SO COLD (ACOUSTIC) - BREAKING BENJAMIN
DESIRE - U2
BOTHER - STONE SOUR
SUMMER OF 69 - BRYAN ADAMS
SHE'S GOT A WAY - BILLY JOEL
CARNIVAL - NATALIE MERCHANT
I WANNA BE SEDATED - THE RAMONES
I AM THE HIGHWAY - AUDIOSLAVE
NO RAIN - BLIND MELON
SWEET EMOTION - AEROSMITH
CITY OF NEW ORLEANS - ARLO GUTHRIE
RUNAWAY TRAIN - SOUL ASYLUM
SAY IT AIN'T SO - WEEZER
SISTER GOLDEN HAIR - AMERICA
IT'S THE END OF THE WORLD AS WE KNOW IT - REM
PRIDE - U2
HARDER TO BREATHE - MAROON 5

JAZZ PORTION - PLAYED BEFORE THE CEREMONY AND AT THE END OF THE EVENING
JUST THE TWO OF US - GROVER WASHINGTON JR. AND BILL WITHERS
GIANT STEPS - JOHN COLTRANE QUARTET
THEY CAN'T TAKE THAT AWAY FROM ME - SARAH VAUGHAN & HER TRIO
TAKE FIVE - DAVE BRUBECK QUARTET
GROOVIN' HIGH - CHARLIE PARKER; DIZZY GILLESPIE SEXTET
BLUE RONDO A LA TURK - DAVE BRUBECK QUARTET
WHAT A LITTLE MOONLIGHT CAN DO - BILLIE HOLIDAY
STRAIGHT, NO CHASER - THELONIOUS MONK
DOODLIN' - ART BLAKEY & THE JAZZ MESSENGERS
BITTERSWEET - SPYRO GYRA
ST LOUIS BLUES - LOUIS ARMSTRONG
PICK UP STICKS - DAVE BRUBECK QUARTET
BEGIN THE BEGUINE - ARTIE SHAW & HIS ORCHESTRA
WAVE - ROSEMARY CLOONEY
THE VERY THOUGHT OF YOU - BILLIE HOLIDAY
DEAR OLD SOUTHLAND - NOBLE SISSLE AND HIS ORCHESTRA
THE MOOCHE - DUKE ELLINGTON & HIS ORCHESTRA
KATHY'S WALTZ - DAVE BRUBECK QUARTET
GOD BLESS THE CHILD - BILLIE HOLIDAY
COTTON TAIL - DUKE ELLINGTON
ONE NOTE SAMBA - ROSEMARY CLOONEY
JUMPIN' AT THE WOODSIDE - COUNT BASIE
MEDITATION - ROSEMARY CLOONEY
SUMMERTIME - BILLIE HOLIDAY


Subversion Server Setup on RedHat AS 4

Installing the SVN Server

Download and install the approved svn version from the YUM repository with:

yum -c http://yumserver/repository/patch/current/rhel4-i386.conf -y install subversion*

Configure Apache by adding the following to httpd.conf:

LoadModule dav_module         modules/mod_dav.so
LoadModule dav_fs_module      modules/mod_dav_fs.so
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

Verify that the modules listed above exist in /usr/lib/httpd/modules/; if not, move them there.

Create directory /SVN then add the following to /etc/httpd/conf/httpd.conf:

<Location /svn>
    DAV svn
    SVNPath /SVN
</Location>
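Two checks for the configuration above, as an added example that is not part of the original post: a function that verifies every LoadModule target actually exists under the httpd modules directory (the manual check the post asks for), and a version of the <Location /svn> block that also uses the mod_authz_svn module the post loads. The paths /SVN and modules/ come from the post; the htpasswd and authz file names and the constructed httpd.conf are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): LoadModule existence check and an
# SVN Location block with authentication and per-path authorization.
set -e

# Print each LoadModule target named in $1 (an httpd.conf) that is missing from
# the modules directory $2. Prints nothing when everything is in place.
missing_modules() {
  awk '$1 == "LoadModule" { print $3 }' "$1" | while read -r rel; do
    [ -f "$2/$(basename "$rel")" ] || echo "$rel"
  done
}

# Emit the SVN Location block. Compared with the post's block it adds HTTP
# authentication and an AuthzSVNAccessFile, which is what mod_authz_svn reads;
# the two file paths are assumptions.
svn_location_block() {  # $1 = repository path (the post uses /SVN)
  cat <<EOF
<Location /svn>
    DAV svn
    SVNPath $1
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /etc/httpd/conf/svn.htpasswd
    AuthzSVNAccessFile /etc/httpd/conf/svn.authz
    Require valid-user
</Location>
EOF
}

# Self-check on a constructed httpd.conf and modules directory: only two of the
# four .so files exist, so the other two are reported as missing.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/modules"
  : > "$tmp/modules/mod_dav.so"
  : > "$tmp/modules/mod_dav_svn.so"
  cat > "$tmp/httpd.conf" <<EOF
LoadModule dav_module         modules/mod_dav.so
LoadModule dav_fs_module      modules/mod_dav_fs.so
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
EOF
  missing_modules "$tmp/httpd.conf" "$tmp/modules"
  rm -rf "$tmp"
}

# Stand-alone run: report the missing modules, then print the hardened block.
demo
svn_location_block /SVN
```

Against the real server run missing_modules /etc/httpd/conf/httpd.conf /usr/lib/httpd/modules, and create the htpasswd and authz files before restarting Apache with the new block.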

Restart Apache with:

service httpd restart

Example: adding the Puppet data to the SVN repository:

svn import -m "New puppet config import" etc/puppet http://svnserver/svn/puppetmaster/conf

svn import -m "New puppet dist files import" dist http://svnserver/svn/puppetmaster/dist

Try a network checkout using the Unix client:

svn co http://localhost/svn/puppetmaster wc

Check out the code with TortoiseSVN from:

http://localhost/svn/puppetmaster

On the puppet server:

Install facter-1.3.7.tgz and puppet-0.23.2.tgz (and Ruby, if necessary).

Copy the following init script to /etc/init.d/puppetmaster and chmod +x it:

#!/bin/bash
# puppetmaster   This shell script enables the puppetmaster server.
#
# Author: Duane Griffin <d.griffin@psenterprise.com>
#
# chkconfig: - 65 45
#
# description: Server for the puppet system management tool.
# processname: puppetmaster

PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH

lockfile=/var/lock/subsys/puppetmaster

# Source function library.
. /etc/rc.d/init.d/functions

if [ -f /etc/sysconfig/puppetmaster ]; then
    . /etc/sysconfig/puppetmaster
fi

PUPPETMASTER_OPTS=""
[ -n "$PUPPETMASTER_MANIFEST" ] && PUPPETMASTER_OPTS="--manifest=${PUPPETMASTER_MANIFEST}"
[ -n "$PUPPETMASTER_LOG" ] && PUPPETMASTER_OPTS="${PUPPETMASTER_OPTS} --logdest=${PUPPETMASTER_LOG}"
# Extra options are appended on the same line (a newline inside the quotes would
# split the argument list).
PUPPETMASTER_OPTS="${PUPPETMASTER_OPTS} ${PUPPETMASTER_EXTRA_OPTS}"

RETVAL=0

prog=puppetmasterd
PUPPETMASTER=/usr/bin/$prog

start() {
    echo -n $"Starting puppetmaster: "

    # Confirm the manifest exists
    if [ -r "$PUPPETMASTER_MANIFEST" ]; then
        daemon $PUPPETMASTER $PUPPETMASTER_OPTS
        RETVAL=$?
    else
        failure $"Manifest does not exist: $PUPPETMASTER_MANIFEST"
        echo
        return 1
    fi
    [ $RETVAL -eq 0 ] && touch "$lockfile"
    echo
    return $RETVAL
}

stop() {
    echo -n $"Stopping puppetmaster: "
    killproc $PUPPETMASTER
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f "$lockfile"
    return $RETVAL
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload|force-reload)
        restart
        ;;
    condrestart)
        [ -f "$lockfile" ] && restart
        ;;
    status)
        status $PUPPETMASTER
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|reload|force-reload|condrestart}"
        exit 1
esac

exit $RETVAL

##############################################

Copy the following into /etc/sysconfig/puppetmaster

# Location of the main manifest
PUPPETMASTER_MANIFEST=/etc/puppet/manifests/site.pp

# Where to log general messages to.
# Specify syslog to send log messages to the system log.
PUPPETMASTER_LOG=syslog

# You may specify other parameters to the puppetmaster here
#PUPPETMASTER_EXTRA_OPTS=--noca

###############################################

Copy the following into /etc/puppet/fileserver.conf

# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom

# Define a section 'files'
# Adapt the allow/deny settings to your needs. Order
# for allow/deny does not matter, allow always takes precedence
# over deny
# [files]
# path /var/lib/puppet/files
# allow *.example.com
# deny *.evil.example.com
# allow 192.168.0.0/24
[dist]
path /dist
allow *

[private]
path /dist/private/%h
allow *

###############################################

Copy the following into /etc/puppet/manifests/site.pp

# site.pp

# import functions
import "functions.pp"

# import all of the os classes, like redhat.pp
#import "os/*"

# import all of the server classes, like webserver.pp
import "classes/*"

node default {
    include sudo
}

###############################################

Create folders /etc/puppet/manifests/classes and
/etc/puppet/manifests/os

################################################

Copy the following into /etc/puppet/manifests/functions.pp

# functions.pp

define remotefile($owner = root, $server = santa, $group = root, $mode, $source, $backup = false, $recurse = false) {
    file { $name:
        mode   => $mode,
        owner  => $owner,
        group  => $group,
        backup => $backup,
        source => "puppet://$server/dist/$source"
    }
}

###############################################

Start the server with the init script installed above:

service puppetmaster start

or, for testing:

puppetmasterd --verbose

###############################################
###############################################
###############################################

On the puppet client:

Install facter-1.3.7.tgz and puppet-0.23.2.tgz from http://santa/install/puppet

Copy the following into /etc/init.d/puppet

#!/bin/bash
# puppet   Init script for running the puppet client daemon
#
# Author: Duane Griffin <d.griffin@psenterprise.com>
#         David Lutterkort <dlutter@redhat.com>
#
# chkconfig: - 98 02
#
# description: Enables periodic system configuration checks through puppet.
# processname: puppet
# config: /etc/sysconfig/puppet

# PATH entries are directories: the ruby bin directory, not the puppetd binary itself.
PATH=/usr/bin:/sbin:/bin:/usr/sbin:/apps/ruby/ruby-1.8.5/bin
export PATH

[ -f /etc/sysconfig/puppet ] && . /etc/sysconfig/puppet
lockfile=${LOCKFILE-/var/lock/subsys/puppet}
pidfile=${PIDFILE-/var/run/puppet/puppet.pid}
puppetd=${PUPPETD-/apps/ruby/ruby-1.8.5/bin/puppetd}
RETVAL=0

# Source function library.
. /etc/rc.d/init.d/functions

PUPPET_OPTS=""
[ -n "${PUPPET_SERVER}" ] && PUPPET_OPTS="--server=${PUPPET_SERVER}"
[ -n "$PUPPET_LOG" ] && PUPPET_OPTS="${PUPPET_OPTS} --logdest=${PUPPET_LOG}"
[ -n "$PUPPET_PORT" ] && PUPPET_OPTS="${PUPPET_OPTS} --port=${PUPPET_PORT}"

# Figure out if the system just booted. Let's assume
# boot doesn't take longer than 5 minutes
## Not used for now
##[ -n "$INIT_VERSION" ] && PUPPET_OPTS="${PUPPET_OPTS} --fullrun"

start() {
    echo -n $"Starting puppet: "
    daemon $puppetd ${PUPPET_OPTS} ${PUPPET_EXTRA_OPTS}
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

stop() {
    echo -n $"Stopping puppet: "
    killproc $puppetd
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
    return $RETVAL
}

reload() {
    echo -n $"Restarting puppet: "
    killproc $puppetd -HUP
    RETVAL=$?
    echo
    return $RETVAL
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload|force-reload)
        reload
        ;;
    condrestart|try-restart)
        [ -f "$pidfile" ] && restart
        ;;
    status)
        status $puppetd
        RETVAL=$?
        ;;
    once)
        # Run a single catalog run in the foreground, passing any extra arguments through.
        shift
        $puppetd -o ${PUPPET_OPTS} ${PUPPET_EXTRA_OPTS} "$@"
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|reload|force-reload|condrestart|once}"
        exit 1
esac

exit $RETVAL

###############################################

Copy the following into /etc/sysconfig/puppet

# The puppetmaster server
PUPPET_SERVER=puppet.pvalentino.lan

# If you wish to specify the port to connect to do so here
#PUPPET_PORT=8140

# Where to log to. Specify syslog to send log messages to the system log.
PUPPET_LOG=/var/log/puppet/puppet.log

# You may specify other parameters to the puppet client here
#PUPPET_EXTRA_OPTS=--waitforcert=500

###############################################

Copy the following into /etc/logrotate.d/puppet

/var/log/puppet/*log {
    missingok
    create 0644 puppet puppet
    postrotate
        [ -e /etc/init.d/puppetmaster ] && /etc/init.d/puppetmaster condrestart >/dev/null 2>&1 || true
        [ -e /etc/init.d/puppet ] && /etc/init.d/puppet reload > /dev/null 2>&1 || true
    endscript
}

###############################################

Start the client with:

puppetd --waitforcert 30 --server puppet.pvalentino.lan -v

Back on the server, when a client connects for the first time, list the pending certificate requests and sign the client's certificate:

puppetca --list
puppetca --sign clientname.pvalentino.lan

###############################################

In the /etc/puppet/manifests/classes folder create the following files:

sudo.pp containing:

class sudo {
file { sudoers:
path => $operatingsystem ? {
solaris => "/usr/local/etc/sudoers",
default => "/etc/sudoers"
},
owner => "root",
group => "root",
# sudo refuses to run when sudoers is readable by anyone but root, so 0440 rather than 644
mode => "0440",
source => "puppet://puppet.pvalentino.lan/dist/apps/sudo/sudoers"
}
}


-----------------------------------------
crontab.pp containing:

# /etc/puppet/manifests/classes/crontab.pp

class crontab {
file { "/etc/crontab":
owner => "root",
group => "root",
mode => 600,
}
}

------------------------------------------

# /etc/puppet/manifests/classes/login.pp

class login {
file { "/etc/login.defs":
owner => "root",
group => "root",
mode => 640,
}
}
-------------------------------------------
# /etc/puppet/manifests/classes/xinetd.pp

class xinetd {
file { "/etc/xinetd.conf":
owner => "root",
group => "root",
mode => 640,
}
}

Weblogic Thread Dumps

example:

add the following to the weblogic startup and restart the Managed Server:

-Dweblogic.Stderr="instancename.stderr.log"

java -cp "/usr/bea/jdk131_06/lib/tools.jar:/usr/bea/weblogic700/server:/usr/bea/weblogic700/server/lib/weblogic_sp.jar:/usr/bea/weblogic700/server/lib/weblogic.jar:${CLASSPATH}" weblogic.Admin -url server:8089 -username weblogic -password weblogic THREAD_DUMP

Look in the "instancename.stderr.log" file to see the thread dump.

On RedHat 8:

Modified startup script with bold entries:

$JAVA_HOME/bin/java -classpath "$CLASSPATH" $JAVA_VM $ManagedMemory $JavaOptions -verbose:gc -Dweblogic.Name=$ManagedName -Dweblogic.management.username=$WLUSER -Dweblogic.management.password=$WLPASSWORD -Dweblogic.management.server=$AdminURL -Djava.security.policy=$WLPOL weblogic.Server >> $LOGFILE.weblogic.log 2>&1 &

Restarted the managed server.

Ran:

ps -efHl --cols 5000 |grep "I put the value for weblogic.Name here to find my managed server"

i.e.

ps -efHl --cols 5000 |grep 'internetapp:<port>'

Make note of the PID

Ran:

kill -3 <pid>

Open your $LOGFILE.weblogic.log file to view the thread dump. In my case $LOGFILE is defined in the startup so it maps to the managed server's name.

Drag and drop log into samurai tool

http://yusuke.homeip.net/samurai/?english#content_1_0

Standard Redhat RHEL 4 AS Server Build

The Standard Linux Server build was designed around the RHEL 4 release to document all processes related to installing Linux AS4 server software, securing the system, setting up monitoring, setting up backups and verifying that all required services are operational in accordance with best practices.

Installation

Remove Unneeded Packages

Disable Services

Network Configuration

Install Package Management and Patch the System

Install xinetd

Install Other Packages

Install and Configure NTP

Install VMWare Tools

Security and Configuration Standards

Security Banners

IPTables Configuration

Kernel Parameters

Process and File Handle Limits

Inittab Setting

Default Password Expiration

Restrict Root Access

Create User Account(s)

Configure Sendmail

Limit Failed Logins

Register System with Redhat

Create Standard Mountpoints

Reboot the System

Install Netbackup

Configure Big Brother

Installation

  • Boot the system from Redhat Enterprise Linux 4 disc 1.
  • When prompted, press enter to start the install in graphical mode.
  • Skip the media check (unless you want to spend an hour having it scan the disc for errors.)
  • Welcome Screen: Click “Next”
  • Language Selection: English should be selected. Click “Next”.
  • Keyboard Configuration: U.S. English should be selected. Click “Next”.
  • Disk Partitioning: Select “Manually partition with Disk Druid” and click “Next”.

If it says that the partition table was unreadable and asks if you want to destroy all data on the drive, click “Yes”. Using the interface, set up the following partitions with at least as much disk space as is listed:

To Create LVM Volumes:

Choose your structure based on the server type, keeping in mind that it is always good to separate /var, /tmp and any logging filesystems so that they cannot fill up / and bring the system to a halt. Also, if it is a file server with /home directories for users, you will definitely want a separate mount point for /home, preferably an LVM volume so you can grow the filesystem when necessary.

o Make a new ext3 partition for “/boot” of at least 150MB – Click on New. In the Add Partition dialog box, change the file system type to ext3. Set the size to 150MB and select Fixed size as well as the option to force it to be a primary partition.

o Make a new LVM PV – Click on New. In the Add Partition dialog box, change the file system type to physical volume (LVM). Make the size such that you have a substantial amount of space to accommodate “swap”, “/” and “/var” plus 64MB for partition overhead. The size will be a minimum of 18496MB in our case. Be sure not to check the options force to be a primary partition and Fixed Size.

o Now click on LVM. In the Make LVM Volume Group dialog box, we’re going to add three logical volumes. First add the swap space (file system type = swap) of size 2048, and then add mount point “/” (type ext3) and give it 18000MB, and finally add mount point “/var” (type ext3) and give it 4096MB.

o If the partitioning gets confused in some way, just click back, and then click “Next” to start the partitioning over again.

Mount Point   Filesystem Type   Size (MB)    Options
/             ext3              18000 +      8192 for smaller systems
/boot         ext3              150
/tmp          ext3              4096
/var          ext3              4096 +
/apps         ext3              8192         Dependent on available disk
/u01          ext3              Remainder    All space left
(none)        swap              2048         This is optional (you don't want this on some database servers, i.e. use 14MB on Oracle server)

Click “Next” when you are done with partitioning.

  • Boot Loader Configuration: Accept the defaults, and click “Next”.
  • Network Configuration: Configure the settings as needed, and click “Next”.
  • Firewall Configuration: Enable the firewall, and select to only allow SSH and FTP access. Change 'Enable SELinux?' to 'Warn'. Click “Next”.
  • Additional Language Support: Click “Next”.
  • Time Zone Select: Enable 'System clock uses UTC'. Select 'America/Chicago' for the location. Click “Next”.
  • Set Root Password: Enter the current root password twice, and click “Next”.
  • Package Installation Defaults: Select 'Customize software packages to be installed' and click “Next”.
  • Package Group Selection (Also review Appendix A kickstart file): Select Minimal Install
  • About to Install: Click “Next”, and then click Continue at the popup window.

The system will now partition the hard disk, format the file systems, and install the software. It will ask to switch discs: do so and click OK. When the install is finished, remove the CD from the drive and click the Reboot button.

Remove Unneeded Packages

The first thing we need to do is remove some packages that contain unnecessary software that carries serious security risks. Run the following command as root:

rpm --erase rsh rdate talk rdist tog-pegasus-devel tog-pegasus redhat-lsb-3.0-8.EL.i386 redhat-lsb-3.0-8.EL.x86_64 redhat-lsb

Next, we need to remove some packages that are generally only useful for desktop systems and are not used on our servers. Run the following command (if you encounter errors, go back and run one command at a time, resolving errors as you proceed, i.e. rpm -e wvdial by itself, followed by the next package, until all have been removed):

rpm --erase wvdial rp-pppoe ppp isdn4k-utils irda-utils anacron redhat-lsb at pcmcia-cs lftp bluez-utils bluez-bluefw bluez-hcidump bluez-libs NetworkManager-gnome NetworkManager wireless-tools vconfig lksctp-tools lksctp-tools-devel OpenIPMI OpenIPMI-libs lha

64 bit:

If you get the error: "bluez-libs" specifies multiple packages, then

rpm -qa --queryformat "%{NAME}-%{VERSION}.%{ARCH} \n" | grep bluez-libs |sort

returns:

bluez-libs-2.10.i386

bluez-libs-2.10.x86_64

Then run:

rpm -e bluez-libs-2.10.i386 bluez-libs-2.10.x86_64

If you get the error: Failed dependencies: libbluetooth.so.1()(64bit) is needed by (installed) bluez-pin 0.23-3.x86_64

then remove the dependency with:

rpm -e bluez-pin

Then return to the previous command to remove the primary package(s).

Disable Services

To disable a service, use the command:

chkconfig --levels 123456 [servicename] off

Where [servicename] is the name of the service.

The following are the services that should be disabled:

Service name(s)                          Description
apmd                                     This is an older power-management system. Disable on VMWare hosts.
cups, cups-config-daemon                 Only required if you are printing from this server.
cpuspeed                                 This throttles CPU speed to save power. You MUST disable this on VMware clients, otherwise it plays havoc with the system's timekeeping.
gpm                                      Console mouse service. Marginally useful at best.
smartd                                   Disk monitoring for IDE. Disable on VMWare hosts and on servers that are using SCSI disks.
netfs                                    Mounts network filesystems (NFS, Samba, etc.) Not needed if you are not mounting network filesystems.
rawdevices                               Only useful if you have applications that want to use raw disk space (like Oracle)
rpcidmapd, portmap, nfslock, rpcgssd     These are only needed if you are using the system as an NFS server.
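To check that the table above has actually been applied, here is an added audit script (not from the build document) that reads chkconfig --list output and prints the chkconfig command from this section for each unwanted service still enabled in runlevels 2 to 5. The listing embedded in it is constructed sample output, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the build document: audit "chkconfig --list"
# output against the service table above.

# Services the build standard says to turn off (from the table).
UNWANTED="apmd cups cups-config-daemon cpuspeed gpm smartd netfs rawdevices rpcidmapd portmap nfslock rpcgssd"

# Constructed sample of "chkconfig --list" output; audit_live below uses the
# real command instead.
SAMPLE_LISTING='apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off'

# still_enabled: reads a listing on stdin and prints, one per line, each
# unwanted service that is "on" in any of runlevels 2-5. Services absent from
# the listing are not installed and are silently ignored.
still_enabled() {
    awk -v wanted_off="$UNWANTED" '
        BEGIN { n = split(wanted_off, names, " "); for (i = 1; i <= n; i++) off[names[i]] = 1 }
        # Only SysV lines look like "name 0:off 1:off ..."; xinetd lines do not.
        ($1 in off) && NF >= 7 {
            for (f = 2; f <= NF; f++) {
                split($f, lv, ":")
                if (lv[1] + 0 >= 2 && lv[1] + 0 <= 5 && lv[2] == "on") { print $1; break }
            }
        }'
}

# disable_cmds: emits the exact chkconfig command from the document for each
# service still_enabled found, so an operator can review before running.
disable_cmds() {
    still_enabled | while read -r svc; do
        printf 'chkconfig --levels 123456 %s off\n' "$svc"
    done
}

# audit_live: the same check against a real host (needs chkconfig).
audit_live() {
    chkconfig --list | disable_cmds
}

# Demo on the constructed sample: lists apmd, cpuspeed and portmap.
printf '%s\n' "$SAMPLE_LISTING" | disable_cmds
```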

Network Configuration

Configure any additional network settings on the system that were not configured, or were incorrectly configured, during the installation. The interface configuration files can be found in /etc/sysconfig/network-scripts.

For example (ifcfg-eth0):

DEVICE=eth0

BOOTPROTO=static

BROADCAST=10.10.1.255 ##### set to correct Broadcast

HWADDR= ##### leave as is

ONBOOT=yes

TYPE=Ethernet

NETMASK=255.255.255.0 ##### set to correct SM

IPADDR=10.10.1.169 ##### set to correct IP

GATEWAY=10.10.1.1 ##### set correct GW

Make sure that /etc/hosts looks like the following:

127.0.0.1 localhost localhost.localdomain

10.10.1.169 server-new ##### set correct hostname and IP here

Make sure that /etc/resolv.conf looks like the following:

search pvalentino.lan pvalentino.org

nameserver 10.10.1.22

nameserver 10.10.1.33

Make sure /etc/sysconfig/network has the hostname


Make sure you can access the network, and resolve any problems before continuing, as the following steps require network access.

Install Package Management and Patch the System

Refer to my other document regarding Centralized YUM setup to use these settings, otherwise just point your yum.conf to the appropriate internet based repository for your build.

Run the following as root to install YUM, the package management system:

mkdir /root/yum ; cd /root/yum

For 32 bit systems:

wget http://patch.pvalentino.org/repository/yum/yum-rhel4-i386.tar.gz

tar xzvf yum-rhel4-i386.tar.gz

rpm -ivh *.rpm

cd /root

rm -rf yum

For 64 bit systems:

wget http://patch.pvalentino.org/repository/yum/yum-rhel4-x86_64.tar

tar xvf yum-rhel4-x86_64.tar

cd yum_install

rpm -ivh *.rpm

cd /root

rm -rf yum

Now, run the following to patch the system to the latest patch revisions:

32 bit:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf -y update

64 bit:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y update

After the patching is completed, reboot the system.

Install xinetd

This doesn't get installed in some cases. It is needed for the Netbackup client install. Run the following:

32 bit:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf install xinetd

64 bit:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf install xinetd

Then run:

service xinetd start

Install Other Packages

Run the following to ensure we didn’t miss any required packages:

On 32 bit systems:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf -y install openldap-clients emacs mkisofs net-snmp net-snmp-libs net-snmp-utils

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf -y install compat-libgcc-296 compat-glibc compat-libstdc++-33 compat-libstdc++-296 gcc-c++ dev86

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf -y install samba samba-client

Or for 64 bit systems:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y install openldap-clients emacs mkisofs net-snmp net-snmp-libs net-snmp-utils

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y install compat-libgcc-296 compat-glibc compat-libstdc++-33 compat-libstdc++-296 gcc-c++ dev86

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y install samba samba-client

Install and Configure NTP

Run the following to install the NTP service:

32 bit:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf install ntp

64 bit:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y install ntp

Run the following to configure NTP:

cat <<EOF > /etc/ntp.conf

restrict 10.20.0.1 mask 255.255.255.255

server 10.20.0.1

driftfile /var/lib/ntp/drift

broadcastdelay 0.008

authenticate yes

keys /etc/ntp/keys

EOF

echo "10.20.0.1" > /etc/ntp/step-tickers

echo "10.20.0.1" > /etc/ntp/ntpservers

For ESX…

Run the following command. This opens the appropriate ports and enables the NTP daemon to talk with the external server.

esxcfg-firewall --enableService ntpClient

Restart the NTP service…

service ntpd restart

To enable the NTP daemon to autostart when the server is rebooted, run:

chkconfig --level 345 ntpd on

Monitor the NTP service as desired:
To see the offset (in seconds) between the local clock and the source clock, run:

ntpdate -q 10.20.0.1

Sync the hardware clock with the system clock:
hwclock --systohc

If you are running a VMWare host, you will also want to edit /etc/grub.conf and add "clock=pit" to the end of the first entry's "kernel" line, like such:

kernel /vmlinuz-2.6.9-42.0.10.ELsmp ro root=LABEL=/ clock=pit

This will set the kernel to use a different method for counting clock ticks which is more compatible with running under the VMWare environment.

Install VMWare Tools

If the server is a VMWare host, you will need to install the VMWare tools package.

Open the console for the system, and log in as root. You MUST do this from the console, and not from a SSH session.

Select "Install VMWare Tools..." from the "VM" menu on the console window. On the system, do the following:

  • mount /media/cdrom
  • cd /root
  • tar xvzf /media/cdrom/VMwareTools*tar.gz
  • umount /media/cdrom
  • cd vmware-tools-distrib
  • ./vmware-install.pl
  • Accept all the defaults
  • Reboot the system after the install finishes.

Security and Configuration Standards

Security Banners

Run the following to set the standard pvalentino security banner:

cat <<EOF > /etc/issue
*******************************************************************************
* pvalentino's systems must only be used for conducting pvalentino's          *
* business or for purposes authorized by pvalentino.                          *
*                                                                             *
*******************************************************************************
*                                                                             *
* Use is subject to audit at any time by pvalentino.                          *
*                                                                             *
*******************************************************************************
EOF

/bin/cp -f /etc/issue /etc/issue.net

/bin/cp -f /etc/issue /etc/motd

IPTables Configuration

Edit /etc/sysconfig/iptables to contain the following:

cp /etc/sysconfig/iptables iptables.bak

cat <<EOF > /etc/sysconfig/iptables

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:RH-Firewall-1-INPUT - [0:0]

:NETBACKUP - [0:0]

-A INPUT -j RH-Firewall-1-INPUT

-A FORWARD -j RH-Firewall-1-INPUT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

-A RH-Firewall-1-INPUT -p 50 -j ACCEPT

-A RH-Firewall-1-INPUT -p 51 -j ACCEPT

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

#### ENABLE THESE ON ORACLE ONLY

#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT

#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT

#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT

#### END OF ORACLE ENTRIES

# Netbackup ports get filtered to the NETBACKUP chain

-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 13701 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 13711 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 13720:13724 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 13782:13783 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 13701 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 13711 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 13720:13724 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 13782:13783 -j NETBACKUP

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

##### End of RH-Firewall-1-INPUT definitions #####

# Netbackup chain -- only allow netbackup ports to/from netbackup servers

-A NETBACKUP -s 10.30.1.30 -j ACCEPT

-A NETBACKUP -s 10.40.1.20 -j ACCEPT

-A NETBACKUP -d 10.30.1.30 -j ACCEPT

-A NETBACKUP -d 10.40.1.20 -j ACCEPT

-A NETBACKUP -j REJECT --reject-with icmp-port-unreachable

COMMIT

EOF

And then restart IPTables:

service iptables restart
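An added audit script, not part of the build document, that reads an iptables-save style ruleset and lists every port the RH-Firewall-1-INPUT chain accepts from any source, flagging any that a standard build does not expect. The allowlist of tcp/22 is an assumption, and the embedded rules are a constructed excerpt of the ruleset above; on the document's own rules it flags udp/631, the IPP port, which the Disable Services section already turns off as a service.

```shell
#!/bin/sh
# Added example, not part of the build document: audit inbound ACCEPT rules
# in /etc/sysconfig/iptables (or "iptables-save" output).

# Ports a standard (non-Oracle) build is expected to accept from the network
# (assumption: only ssh).
ALLOWED="tcp/22"

# Constructed excerpt of the document's ruleset; a real audit would feed
# /etc/sysconfig/iptables or `iptables-save` instead.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:NETBACKUP - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 13701 -j NETBACKUP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A NETBACKUP -s 10.30.1.30 -j ACCEPT
-A NETBACKUP -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# open_ports: reads rules on stdin and prints "proto/port" for every rule in
# RH-Firewall-1-INPUT that ACCEPTs a --dport with no -s (source) restriction.
# Commented-out rules and rules that jump to another chain are skipped.
open_ports() {
    awk '
        /^-A RH-Firewall-1-INPUT / {
            proto = ""; port = ""; target = ""; src = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") port = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "-s") src = 1
            }
            if (port != "" && target == "ACCEPT" && !src) print proto "/" port
        }'
}

# unexpected_ports: open_ports minus the allowlist.
unexpected_ports() {
    open_ports | while read -r p; do
        case " $ALLOWED " in
            *" $p "*) ;;                # expected for this build
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# On the sample the only unexpected entry is udp/631 (IPP/cups): the build
# disables cups as a service but the firewall still accepts the port.
printf '%s\n' "$SAMPLE_RULES" | unexpected_ports
```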

Kernel Parameters

Run the following:

cat <<EOF >> /etc/sysctl.conf

kernel.shmmax = 2147483648

kernel.shmmni = 4096

kernel.shmall = 2097152

kernel.sem = 250 32000 100 128

fs.file-max = 104032

net.ipv4.ip_local_port_range = 1024 65000

net.core.rmem_default = 1048576

net.core.rmem_max = 1048576

net.core.wmem_default = 262144

net.core.wmem_max = 262144

EOF

Then run:

sysctl -p

For Oracle:

# replace the kernel.shmmax value from above with the following parameter on an Oracle db server

kernel.shmmax = 4294967296

You will need to reboot the system to properly affect these changes -- the system will be rebooted in a later step of this document.

Process and File Handle Limits

Add the following lines to /etc/security/limits.conf:

* hard nproc 8192

* hard nofile 8192

Oracle specific:

Add to /etc/sysctl.conf (note that the Kernel Parameters block above already sets fs.file-max = 104032; sysctl -p applies the file in order, so the last entry wins):

fs.file-max = 65536

/etc/security/limits.conf modifications:

# Open file descriptors - system wide <nofile> 65536
# Max procs for a single user - system wide <nproc> 16384
oracle soft nproc 15360
oracle hard nproc 16384
oracle soft nofile 64512
oracle hard nofile 65536

Add this line to /etc/pam.d/login if it doesn't already exist:
session required pam_limits.so
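Because the Kernel Parameters section appends to /etc/sysctl.conf with >> and the Oracle notes add a second fs.file-max, the same key can end up in the file several times, and sysctl -p simply applies them in order. The following added script (not from the build document) reads a sysctl.conf and reports duplicated keys together with the value that is actually left in force; its file contents are constructed, and the stock RHEL 4 values in it are assumed.

```shell
#!/bin/sh
# Added example, not part of the build document: find keys assigned more
# than once in a sysctl.conf and show which value "sysctl -p" leaves in force
# (the last assignment wins).

# Constructed file contents; the stock entries at the top are assumed.
SAMPLE_SYSCTL='# Kernel sysctl configuration file (stock entries, constructed)
net.ipv4.ip_forward = 0
kernel.sysrq = 0
kernel.shmmax = 33554432
kernel.shmall = 2097152
# appended by the build standard
kernel.shmmax = 2147483648
kernel.shmmni = 4096
kernel.shmall = 2097152
kernel.sem = 250 32000 100 128
fs.file-max = 104032
# Oracle override, appended later still
kernel.shmmax = 4294967296
fs.file-max = 65536'

# Shared awk program: per key, count the assignments and remember the last
# value, keeping first-seen key order. The "mode" variable selects the report.
SYSCTL_AWK='
    function trim(s) { sub(/^[[:space:]]+/, "", s); sub(/[[:space:]]+$/, "", s); return s }
    /^[[:space:]]*$/ { next }            # blank line
    /^[[:space:]]*[#;]/ { next }         # comment
    {
        key = trim($1); val = trim($2)
        if (!(key in count)) order[++n] = key
        count[key]++; value[key] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (mode == "effective") print k, value[k]
            else if (count[k] > 1) print k, count[k], value[k]
        }
    }'

# effective_values: stdin = sysctl.conf text; prints "key value" as sysctl -p
# would leave it.
effective_values() { awk -F'=' -v mode=effective "$SYSCTL_AWK"; }

# duplicated_keys: prints "key times effective_value" for keys set more than
# once, which is where a stale stock value or a forgotten override hides.
duplicated_keys() { awk -F'=' -v mode=duplicates "$SYSCTL_AWK"; }

# effective_of KEY: the single value sysctl -p would apply for KEY
# (first word of the value, which is enough for the keys in this document).
effective_of() { effective_values | awk -v k="$1" '$1 == k { print $2 }'; }

# Demo: kernel.shmmax is set three times and ends at the Oracle value, and the
# Oracle fs.file-max (65536) silently LOWERS the build value of 104032.
printf '%s\n' "$SAMPLE_SYSCTL" | duplicated_keys
```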

Inittab Setting

/etc/inittab needs to be modified to ensure that the system boots to runlevel 3. Edit /etc/inittab and look for the line that has the word initdefault in the third colon-delimited field, like this:

id:3:initdefault:

If the number in the second field is not 3, change it.

Default Password Expiration

pvalentino standard is that passwords should expire after 90 days, and must be at least 7 characters in length. Edit /etc/login.defs and update the following lines:

PASS_MAX_DAYS 90

PASS_MIN_DAYS 0

PASS_MIN_LEN 7

PASS_WARN_AGE 7

Create User Account(s)

Since root access is limited to the console, you will need to add a personal account in order to ssh into the system and su to root. Run the following:

To create an oracle user (only required on an Oracle server):

groupadd -g 502 oinstall ; useradd -m -u 500 -g oinstall oracle ; passwd oracle

To create a standard user:

useradd -m -u 701 [username] ; passwd [username]

# replace [username] with the appropriate username

NOTE! Be sure to su - username to a standard user, and confirm it works, before changing the following settings.

Restrict Root Access and Enable Public Key Authentication

Root access should only be done via the system console.

Edit /etc/ssh/sshd_config and look for the line that reads:

#PermitRootLogin yes

Change that to read:

PermitRootLogin no

Remove the comment markers from the beginning of the following two lines:

PubkeyAuthentication yes

AuthorizedKeysFile .ssh/authorized_keys

Save the file and exit the editor. Then run the following:

service sshd restart

Configure Sendmail

Sendmail must be configured to send out email. Edit /etc/mail/sendmail.cf and find the lines that read:

# "Smart" relay host (may be null)

DS

Change it to read:

# "Smart" relay host (may be null)

DSmail.pvalentino.org

Save and exit. Then run:

service sendmail restart

Limit Failed Logins

Through use of the Pluggable Authentication Modules (PAM), we can lock out an account after multiple failed login attempts. To set this up, first run:

touch /var/log/faillog

Edit /etc/pam.d/system-auth and add to the top of the auth lines:

auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root

Add to the bottom of the account lines:

account required /lib/security/$ISA/pam_tally.so deny=3 reset no_magic_root

Save and quit.

To see who currently has failed login attempts, run the command:

/sbin/pam_tally

To unlock an account, run:

/sbin/pam_tally --user username --reset

Lockdown SU and SUDO Access

Add users that require root access to the wheel group:

usermod -G wheel <username>

Add the following line to /etc/pam.d/su:

auth required /lib/security/$ISA/pam_wheel.so use_uid

Or replace the whole file (back it up first). The heredoc delimiter is quoted so that the shell does not expand $ISA; PAM substitutes it at runtime to find the right module directory on 64 bit systems.

cp /etc/pam.d/su /etc/pam.d/su.bak

cat <<'EOF' > /etc/pam.d/su

#%PAM-1.0

auth sufficient /lib/security/$ISA/pam_rootok.so

auth required /lib/security/$ISA/pam_wheel.so use_uid

# Uncomment the following line to implicitly trust users in the "wheel" group.

#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid

# Uncomment the following line to require a user to be in the "wheel" group.

#auth required /lib/security/$ISA/pam_wheel.so use_uid

auth required /lib/security/$ISA/pam_stack.so service=system-auth

account required /lib/security/$ISA/pam_stack.so service=system-auth

password required /lib/security/$ISA/pam_stack.so service=system-auth

session required /lib/security/$ISA/pam_stack.so service=system-auth

session optional /lib/security/$ISA/pam_xauth.so

EOF

Using the visudo command, add entries as follows:

# for full admin
username ALL=(ALL) ALL

Register System with Redhat

The system should be registered with Redhat for monitoring and support purposes. First, import Redhat's GPG key into the RPM system with the following command:

rpm --import /usr/share/rhn/RPM-GPG-KEY

Then run the following to register the system:

up2date --register

Select “Next” until you get to 'Step 2: Register a User Account'. Enter the Educational Credit RHN username, enter the password in both password fields, and enter your email address. You will need to do this even if you already have an account. Select “Next”.

Use the system's name for the profile name, and make sure the 'Include the following information about hardware and network' checkbox is checked. Select “Next”.

Make sure the 'Include RPM packages installed on this system in my System Profile' checkbox is checked, and select “Next”. Select “Next” again to finish the registration process, and then click 'Finish' to leave the program.

If you run into an error when trying to register a system, we may not have any available licenses from Redhat. Licenses will either need to be reclaimed from dead systems, or more licenses will need to be purchased.

Create Standard Mountpoints

Run the following to create the standard mountpoints on the system:

for i in apps data log export auto; do mkdir /${i}; done

Reboot the System

After making all of the above changes, you must reboot the system to make sure all the configuration changes take effect. Run the following command on the system as root:

shutdown -r now (or init 6)

Install Netbackup

Submit a ticket to the Backup group to have the Netbackup client installed onto the system, and configured to back up the critical filesystems.

cd /tmp

wget http://patch/install/Netbackup5.1/linuxclient.tar

tar xvpf linuxclient.tar

/bin/sh /tmp/bp/bin/client_config

edit /usr/openv/netbackup/bp.conf with appropriate server and client settings

Configure Big Brother

Add the bigbrother user and then add the server's public key to the authorized_keys file on this client:

useradd -m bigbrother; passwd bigbrother

su - bigbrother

mkdir .ssh; chmod 755 .ssh; cd .ssh; touch authorized_keys; chmod 644 auth*

vi auth*

Paste the current keys for the bigbrother server into the file, making sure not to add any whitespace or extra characters.

Log into system ‘bigbrother’ as user 'bigbrother', and add a line like the following into the appropriate section of /home/bigbrother/bb/etc/bb-hosts

ip.address.y.z hostname.pvalentino.tld # svcs cpu disk msgs procs

Restart Big Brother with the following command:

Version 1.9:

cd /home/bigbrother/bb ; ./runbb.sh restart

Version 3.2:

service bigbrother restart