FedoraCore3 Appendix
This document is used in conjunction with FedoraCore3_Hard
Also see FedoraCore3_Hardened_Evaluation
Changes to default files will appear in bold.
harddisks
/etc/sysconfig/harddisks
# These options are used to tune the hard drives -
# read the hdparm man page for more information
#
# Shell-syntax settings file (KEY=value lines).  The only uncommented,
# hence active, setting is USE_DMA; every other knob is left at the
# hdparm default.

# Set this to 1 to enable DMA. This might cause some
# data corruption on certain chipset / hard drive
# combinations. This is used with the "-d" option
USE_DMA=1

# Multiple sector I/O.  a feature of most modern IDE hard drives,
# permitting the transfer of multiple sectors per I/O interrupt,
# rather than the usual one sector per interrupt.  When this feature
# is enabled, it typically reduces operating system overhead for disk
# I/O by 30-50%.  On many systems, it also provides increased data
# throughput of anywhere from 5% to 50%.  Some drives, however (most
# notably the WD Caviar series), seem to run slower with multiple mode
# enabled.  Under rare circumstances, such failures can result in
# massive filesystem corruption.  USE WITH CAUTION AND BACKUP.
# This is the sector count for multiple sector I/O - the "-m" option
# MULTIPLE_IO=16

# (E)IDE 32-bit I/O support (to interface card)
# EIDE_32BIT=3

# Enable drive read-lookahead
#
# LOOKAHEAD=1

# Add extra parameters here if wanted
# On reasonably new hardware, you may want to try -X66, -X67 or -X68
# Other flags you might want to experiment with are -u1, -a and -m
# See the hdparm manpage (man hdparm) for details and more options.
# EXTRA_PARAMS=
yum.conf
These files are located in /etc/yum.repos.d
fedora.repo
[base]
name=Fedora Core $releasever - $basearch - Base
# Plain-http mirrors, tried in the order listed (failovermethod=priority).
# Integrity does not depend on the transport: gpgcheck=1 makes yum verify
# every package signature against the key below.
baseurl=http://mirror.vcu.edu/pub/linux/fedora/$releasever/$basearch/os/
        http://fedora.gtlib.cc.gatech.edu/pub/fedora.redhat/linux/core/$releasever/$basearch/os
        http://ftp.ussg.iu.edu/linux/fedora/linux/core/$releasever/$basearch/os/
        http://ftp.ndlug.nd.edu/pub/fedora/linux/core/$releasever/$basearch/os/
        http://download.fedora.redhat.com/pub/fedora/linux/core/$releasever/$basearch/os/
failovermethod=priority
#mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-core-$releasever.us.east
enabled=1
gpgcheck=1
# NOTE(review): the signing key itself is fetched over plain http the
# first time it is imported; compare its fingerprint with one obtained
# out of band before accepting it.
gpgkey=http://download.fedora.redhat.com/pub/fedora/linux/core/$releasever/$basearch/os/RPM-GPG-KEY-fedora
fedora-updates.repo
[updates-released]
name=Fedora Core $releasever - $basearch - Released Updates
# Same mirror set as fedora.repo, pointed at the updates tree; tried in
# order (failovermethod=priority).
baseurl=http://mirror.vcu.edu/pub/linux/fedora/updates/$releasever/$basearch/
        http://fedora.gtlib.cc.gatech.edu/pub/fedora.redhat/linux/core/updates/$releasever/$basearch/
        http://ftp.ussg.iu.edu/linux/fedora/linux/core/updates/$releasever/$basearch/
        http://ftp.ndlug.nd.edu/pub/fedora/linux/core/updates/$releasever/$basearch/
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/$releasever/$basearch/
failovermethod=priority
#mirrorlist=http://fedora.redhat.com/download/mirrors/updates-released-fc$releasever.us.east
enabled=1
# Signature verification stays on for updates; the key is the same
# RPM-GPG-KEY-fedora used for the base repository.
gpgcheck=1
gpgkey=http://download.fedora.redhat.com/pub/fedora/linux/core/$releasever/$basearch/os/RPM-GPG-KEY-fedora
fedora-extras.repo
[extras]
name=Fedora Extras
baseurl=http://mirror.vcu.edu/pub/linux/fedora/extras/$releasever/$basearch/
        http://download.fedora.redhat.com/pub/fedora/linux/extras/$releasever/$basearch/
enabled=1
# Extras is signed with its own key (RPM-GPG-KEY-Fedora-Extras), not the
# core key; gpgcheck=1 still verifies every package.
gpgcheck=1
gpgkey=http://download.fedora.redhat.com/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras
kickstart
original kickstart file
/root/anaconda-ks.cfg
# Kickstart file automatically generated by anaconda.
#
# NOTE(review): this copy was published together with the live root
# password hash (rootpw --iscrypted below).  A hash that has left the
# host must be treated as exposed to offline guessing: change the root
# password, and keep /root/anaconda-ks.cfg readable by root only since
# it carries the same hash on disk.

install
cdrom
lang en_US.UTF-8
langsupport --default=en_US.UTF-8 en_US.UTF-8
keyboard us
xconfig --card "ATI Rage 128" --videoram 16384 --hsync 31.5-37.9 --vsync 50-70 --resolution 800x600 --depth 16
network --device eth0 --bootproto static --ip 192.168.5.252 --netmask 255.255.255.0 --gateway 192.168.5.254 --nameserver 192.168.5.254 --hostname fc3-hardened
rootpw --iscrypted $1$gRr5GCjO$Y2SvibIRL4cPbV33Od5i61
# Installer firewall enabled with tcp/22 as the only opened port.
firewall --enabled --port=22:tcp
# Permissive: SELinux denials are logged, not enforced.  Move to
# --enforcing once the audit log is clean if the hardened build is
# meant to rely on SELinux at all.
selinux --permissive
authconfig --enableshadow --enablemd5
timezone --utc America/New_York
bootloader --location=mbr
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
# (All part lines are commented, so this file does not reproduce the
# layout; the fstab section of this page shows what was actually used.)
#clearpart --linux
#part /boot --fstype "ext3" --size=75 --ondisk=hda --asprimary
#part /var --fstype "ext3" --size=1000 --ondisk=hda
#part /usr --fstype "ext3" --size=1000 --ondisk=hda
#part / --fstype "ext3" --size=512 --ondisk=hda --asprimary
#part /tmp --fstype "ext3" --size=256 --ondisk=hda
#part /usr/local --fstype "ext3" --size=256 --ondisk=hda
#part swap --size=256 --ondisk=hda --asprimary
#part /home --fstype "ext3" --size=100 --grow --ondisk=hda

%packages
e2fsprogs
grub

%post
banners
rc.local
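#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
#
# Write issue and motd.  The legal banner below is re-written to
# /etc/issue, /etc/issue.net and /etc/motd at every boot (sshd shows
# /etc/issue.net before authentication through its Banner setting), so
# edit the text here rather than in those files.
#
# Changes from the shipped script: backticks -> $(...), egrep -> grep -E,
# the deprecated [ -o ] test -> two tests joined with ||, and the motd
# lines are appended in one redirected group.  Output is unchanged.

# Pieces of the "Kernel ... on ..." motd line.  Initialised so the line
# is well-formed even when /etc/redhat-release is missing.
R=""
SMP=""
a="a"

if [ -f /etc/redhat-release ]; then
  R=$(cat /etc/redhat-release)
  arch=$(uname -m)
  # Article for the architecture name: "an i686", "an alpha", "a x86_64".
  case "_$arch" in
    _a*|_i*) a="an" ;;
  esac
  # /proc/stat has one "cpuN" line per processor; the trailing digit
  # excludes the aggregate "cpu" line.
  NUMPROC=$(grep -E -c "^cpu[0-9]+" /proc/stat)
  if [ "$NUMPROC" -gt 1 ]; then
    SMP="$NUMPROC-processor "
    # The article now precedes the count: "an 8-processor",
    # "an 11-processor", otherwise "a N-processor".
    if [ "$NUMPROC" = "8" ] || [ "$NUMPROC" = "11" ]; then
      a="an"
    else
      a="a"
    fi
  fi
fi

# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
# The delimiter is quoted so nothing in the banner is subject to
# parameter or command expansion.
/bin/cat >/etc/issue <<'ISSUE'
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
****************************************************************************
ISSUE

# This will overwrite /etc/motd at every boot.  So, make any changes you
# want to make to /etc/motd here or you will lose them when you reboot.
/bin/cp -f /etc/issue /etc/motd
/bin/cp -f /etc/issue /etc/issue.net
{
  hostname
  echo "$R"
  echo "Kernel $(uname -r) on $a $SMP$(uname -m)"
  echo " "
  echo " "
} >>/etc/motd

touch /var/lock/subsys/local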
nologin.txt
/etc/nologin.txt
Authorized Users Only. All activity may be monitored and reported.
prototype
/etc/banners/prototype
Authorized Users Only. All activity may be monitored and reported.
tcpwrappers
hosts.allow
/etc/hosts.allow
#
# hosts.allow	This file describes the names of the hosts which are
#		allowed to use the local INET services, as decided
#		by the '/usr/sbin/tcpd' server.
#
# Local and loopback clients are shown the banner for the daemon from
# /etc/banners (the "prototype" file on this page is the template) before
# the service answers.  Anything not matched here falls through to the
# ALL: ALL rule in hosts.deny.
ALL: LOCAL : banners /etc/banners
ALL: 127.0.0.1 : banners /etc/banners
# NOTE(review): sshd is admitted from every address, so the wrapper adds
# no source restriction for ssh -- with PasswordAuthentication still on
# in sshd_config, every account is reachable for password guessing.
# Narrow this to the management networks if the host policy allows.
sshd: ALL
hosts.deny
/etc/hosts.deny
#
# hosts.deny	This file describes the names of the hosts which are
#		*not* allowed to use the local INET services, as decided
#		by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
#
# Default deny: every wrapped service not matched in hosts.allow is
# refused, and the refusal is mailed to root.  %c (client) and %s
# (server) are expanded by the wrapper, which replaces shell
# metacharacters in the expanded text with underscores before spawning
# the command.  The trailing backslash continues the rule onto the next
# line.
# NOTE(review): one mail per denied connection -- a port sweep will flood
# root's mailbox and the local mail queue.  Logging to syslog (the
# wrapper already logs refusals) or rate-limiting the spawn is safer.
ALL: ALL : spawn (/bin/echo -e `/bin/date` "\n%c attempted connection to %s and was denied"\
 | /bin/mail -s "Connection attempt to %s" root) &
secure shell
sshd_config
/etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
# SSH-2 only.  The protocol-1 HostKey, KeyRegenerationInterval and
# ServerKeyBits settings below are therefore inert.
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
# AUTHPRIV goes to /var/log/secure (see syslog.conf on this page), the
# restricted-access log, rather than the shared messages file.
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
# Root never logs in directly; administrators log in as themselves and
# escalate with su/sudo, so privileged actions are tied to a person.
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# NOTE(review): passwords are still accepted and AllowUsers (end of
# file) is commented out, so every local account is exposed to online
# guessing from any address hosts.allow admits (it admits sshd from ALL).
# Prefer key-only authentication, or at least enable AllowUsers and keep
# MaxAuthTries at its default.
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# With UsePAM yes below, "no" here means PAM is used only for the account
# and session checks; password checking goes through
# PasswordAuthentication (see the UsePAM comment).
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
# Only meaningful if the host is joined to a Kerberos realm; otherwise it
# is an unused authentication path that could be switched off.
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
###X11Forwarding yes
# X11 forwarding refused for incoming sessions.  (ForwardX11Trusted in
# ssh_config on this page concerns outgoing connections, not this.)
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
# Left at 0: idle sessions are never timed out by the server.  Set
# ClientAliveInterval/ClientAliveCountMax if abandoned logins matter.
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#ShowPatchLevel no

# no default banner path
#Banner /some/path
# Pre-authentication legal notice; rc.local rewrites /etc/issue.net from
# its banner text at every boot.
Banner /etc/issue.net

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Still commented: no account allow-list is enforced.
#AllowUsers joeuser
ssh_config
/etc/ssh/ssh_config
#	$OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
# Outgoing connections from this host never fall back to SSH-1.
Protocol 2
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
Host *
	GSSAPIAuthentication yes
	# Repeats the global Protocol 2 above; harmless, since the first
	# value seen wins and both say 2.
	Protocol 2
	# If this option is set to yes then the remote X11 clients will have full access
	# to the local X11 display. As virtually no X11 client supports the untrusted
	# mode correctly we set this to yes.
	# NOTE(review): this only matters when a user asks for X11
	# forwarding (ForwardX11 stays at its default of no), but when they
	# do, the remote host gets full access to their local display.
	# Users connecting to hosts they do not trust should pass -x or set
	# this to no in their own config.
	ForwardX11Trusted yes
sysctl.conf
/etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
# (commented out here; the same key is set in the CIS 4.2 section below)
##net.ipv4.ip_forward = 0

# Controls source route verification
# (commented out here; the same key is set in the CIS 4.1 section below)
##net.ipv4.conf.default.rp_filter = 1

# Controls the System Request debugging functionality of the kernel
# Off: the magic SysRq key sequences are not honoured from the console.
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
# (limits.conf on this page sets the core size limit to 0 for everyone,
# so in practice no core files are written.)
kernel.core_uses_pid = 1

# the following section added due to CIS Benchmark 4.1
# Network hardening: larger SYN backlog plus syncookies against SYN
# floods, reverse-path filtering, and rejection of source-routed
# packets, ICMP redirects and broadcast echo requests.  The "all" keys
# apply to every present interface, the "default" keys seed interfaces
# brought up later.
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
# NOTE(review): net.ipv4.conf.all.log_martians = 1 is the usual companion
# to rp_filter so packets with impossible sources are recorded in the
# kernel log (which syslog.conf on this page sends to /var/log/kernel).

# the following section added due to CIS Benchmark 4.2
#do not perform below if system is firewall or gateway.
# This host is not a router: never forward packets or emit redirects.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
inittab
/etc/inittab
#
# inittab       This file describes how the INIT process should set up
#               the system in a certain run-level.
#
# Author:       Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org>
#               Modified for RHS Linux by Marc Ewing and Donnie Barnes
#

# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
##id:5:initdefault:
# Boot to multi-user without X; the display manager (x: line at the end)
# only runs if the box is switched to runlevel 5.
id:3:initdefault:

#Require root to log into single user mode
# Single-user mode asks for the root password instead of dropping to a
# shell.  This does not cover a boot entry edited at the GRUB prompt,
# which is what the password line in grub.conf on this page is for.
~~:S:wait:/sbin/sulogin

# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit

l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6

# Trap CTRL-ALT-DELETE
# Disabled: with no ctrlaltdel entry, Ctrl-Alt-Del at the console no
# longer reboots the host.
##ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# When our UPS tells us power has failed, assume we have a few minutes
# of power left.  Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"

# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"

# Run gettys in standard runlevels
# Only tty1 gets a login prompt, matching /etc/securetty (console tty1).
1:2345:respawn:/sbin/mingetty tty1
# Disable gettys not being used
##2:2345:respawn:/sbin/mingetty tty2
##3:2345:respawn:/sbin/mingetty tty3
##4:2345:respawn:/sbin/mingetty tty4
##5:2345:respawn:/sbin/mingetty tty5
##6:2345:respawn:/sbin/mingetty tty6

# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
securetty
/etc/securetty
console tty1
grub.conf
/boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/hda2
#          initrd /initrd-version.img
#boot=/dev/hda
# NOTE(review): default=1 selects the SECOND title below, the original
# 2.6.9-1.667 kernel, not the newer 2.6.12 legacy-update kernel at
# index 0.  Confirm this is intended; otherwise the updated kernel is
# installed but never booted.
default=1
timeout=5
##splashimage=(hd0,0)/grub/splash.xpm.gz
##hiddenmenu
# Protects the GRUB menu editor and command line with a password so a
# boot entry cannot be altered at the console (this is what backs the
# sulogin line in inittab).
# NOTE(review): the password is stored in clear text, and the value shown
# ("password") must not be used even if it is only a wiki placeholder.
# Use "password --md5 <hash>" with a hash from grub-md5-crypt, and make
# this file 0600 so the hash is not readable by every local user.
password password
title Fedora Core (2.6.12-2.3.legacy_FC3)
	root (hd0,0)
	kernel /vmlinuz-2.6.12-2.3.legacy_FC3 ro root=LABEL=/
	initrd /initrd-2.6.12-2.3.legacy_FC3.img
title Fedora Core-up (2.6.9-1.667)
	root (hd0,0)
	kernel /vmlinuz-2.6.9-1.667 ro root=LABEL=/
	initrd /initrd-2.6.9-1.667.img
fstab
/etc/fstab
# <device>      <mountpoint>  <fs>        <options>               <dump> <pass>
LABEL=/         /             ext3        defaults                1 1
# /boot: no device nodes honoured
LABEL=/boot     /boot         ext3        nodev                   1 2
none            /dev/pts      devpts      gid=5,mode=620          0 0
# User data is the filesystem labelled "extra": setuid binaries and
# device nodes placed in a home directory are ignored.
LABEL=/extra    /home         ext3        nosuid,nodev            1 2
none            /proc         proc        defaults                0 0
# NOTE(review): /dev/shm is mounted with defaults; nosuid,nodev (and
# noexec where nothing needs to execute from it) is the usual hardening
# for a world-writable tmpfs.
none            /dev/shm      tmpfs       defaults                0 0
# /usr read-only: package updates need "mount -o remount,rw /usr" first
# and a remount ro afterwards.
LABEL=/usr      /usr          ext3        ro,nodev                1 2
LABEL=/var      /var          ext3        nodev                   1 2
/dev/hda7       swap          swap        defaults                0 0
# Removable media: never auto-mounted, no setuid, no device nodes.
/dev/cdrom      /mnt/cdrom    udf,iso9660 noauto,nosuid,nodev,ro  0 0
/dev/fd0        /mnt/floppy   auto        noauto,nosuid,nodev     0 0
# NOTE(review): there is no separate /tmp (the "#part /tmp" line in the
# kickstart on this page is commented out), so /tmp sits on the root
# filesystem and cannot be given nosuid,nodev,noexec on its own.
console.perms
/etc/security/console.perms
# /etc/security/console.perms
#
# This file determines the permissions that will be given to priviledged
# users of the console at login time, and the permissions to which to
# revert when the users log out.

# format is:
#   <class>=list of regexps specifying consoles or globs specifying files
#   file-glob|<class> perm dev-regex|<dev-class> \
#     revert-mode revert-owner[.revert-group]
# the revert-mode, revert-owner, and revert-group are optional, and default
# to 0600, root, and root, respectively.
#
# For more information:
# man 5 console.perms

# file classes -- these are regular expressions
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
<xconsole>=:[0-9]\.[0-9] :[0-9]

# device classes -- these are shell-style globs
<floppy>=/dev/fd[0-1]* \
	/dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
	/dev/mixer* /dev/sequencer \
	/dev/sound/* /dev/beep
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<pilot>=/dev/pilot
<jaz>=/mnt/jaz*
<zip>=/mnt/pocketzip* /mnt/zip*
<ls120>=/dev/ls120 /mnt/ls120*
<scanner>=/dev/scanner /dev/usb/scanner*
<rio500>=/dev/usb/rio500
<camera>=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800*
<memstick>=/mnt/memstick*
<flash>=/mnt/flash*
<diskonkey>=/mnt/diskonkey*
<rem_ide>=/mnt/microdrive*
<fb>=/dev/fb /dev/fb[0-9]* \
	/dev/fb/*
<kbd>=/dev/kbd
<joystick>=/dev/js[0-9]*
<v4l>=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi* \
	/dev/video/*
<gpm>=/dev/gpmctl
<dri>=/dev/nvidia* /dev/3dfx*
<mainboard>=/dev/apm_bios

# permission definitions
# Lines prefixed with ## are disabled: logging in at the console no longer
# hands ownership of removable media (floppy, cdrom, zip, jaz, ls120,
# flash, diskonkey, microdrive), pilot, camera, memstick or rio500
# devices to the user, so those devices cannot be read or written without
# root.  Only the sound, scanner, framebuffer, keyboard, joystick, v4l,
# gpm and apm devices are still handed to the console user.
##<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <sound> 0600 root
##<console> 0600 <cdrom> 0660 root.disk
##<console> 0600 <pilot> 0660 root.uucp
##<console> 0600 <jaz> 0660 root.disk
##<console> 0600 <zip> 0660 root.disk
##<console> 0600 <ls120> 0660 root.disk
<console> 0600 <scanner> 0600 root
##<console> 0600 <camera> 0600 root
##<console> 0600 <memstick> 0600 root
##<console> 0600 <flash> 0600 root
##<console> 0600 <diskonkey> 0660 root.disk
##<console> 0600 <rem_ide> 0660 root.disk
<console> 0600 <fb> 0600 root
<console> 0600 <kbd> 0600 root
<console> 0600 <joystick> 0600 root
<console> 0600 <v4l> 0600 root
<console> 0700 <gpm> 0700 root
<console> 0600 <mainboard> 0600 root
##<console> 0600 <rio500> 0600 root

<xconsole> 0600 /dev/console 0600 root.root
<xconsole> 0600 <dri> 0600 root
login.defs
/etc/login.defs
# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
# These values are applied to accounts created after the change;
# accounts that already exist keep their aging until updated with
# chage(1).
##PASS_MAX_DAYS  99999
# Passwords expire after 90 days ...
PASS_MAX_DAYS   90
##PASS_MIN_DAYS  0
# ... and cannot be changed again within 7 days, which stops a user
# cycling straight back to the previous password.
PASS_MIN_DAYS   7
##PASS_MIN_LEN   5
# NOTE(review): 6 characters is weak by current standards.  On a PAM
# system the length is usually enforced by pam_cracklib in system-auth
# rather than by this value -- confirm which setting is actually in
# effect before relying on it.
PASS_MIN_LEN    6
##PASS_WARN_AGE  7
# Four weeks' warning before expiry.
PASS_WARN_AGE   28

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                   500
UID_MAX                 60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                   500
GID_MAX                 60000

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is ORed with the -m flag on
# useradd command line.
#
CREATE_HOME     yes
functions
head /etc/rc.d/init.d/functions
# -*-Shell-script-*-
#
# functions	This file contains functions to be used by most or all
#		shell scripts in the /etc/init.d directory.
#

TEXTDOMAIN=initscripts

# Make sure umask is sane
# 027 rather than the usual 022: files and directories created by the
# init scripts (pid files, lock files, logs they open) are not readable
# by other users, only by root and the owning group.
umask 027
limits.conf
/etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - an user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit
#        - maxlogins - max number of logins for this user
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#
#<domain>      <type>  <item>         <value>
#

#*               soft    core            0
# Core dumps off for everyone.  The hard limit is set as well so a user
# cannot raise the soft limit back with ulimit; core files can expose
# passwords and keys that were in process memory.
*               soft    core            0
#*               hard    rss             10000
*               hard    core            0
# NOTE(review): no nproc limit is set for ordinary users, so a runaway
# process tree can exhaust the process table; a hard nproc for "*" is
# the usual companion to the core limit on a hardened host.
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4

# End of file
su
/etc/pam.d/su
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# NOTE(review): still commented, so any account that knows the root
# password can su to root.  The rest of this page (sudoers trusts
# %wheel, sshd refuses root logins) points to enabling this line so only
# wheel members can su.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open multiple
session    optional     /lib/security/$ISA/pam_xauth.so
sudoer
/etc/sudoers (edit only with the visudo program)
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification
# None set here, so sudo runs with its compiled-in defaults.

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# Enabled: wheel members can run any command as any user after entering
# their own password (contrast the NOPASSWD variant below).  Membership
# of wheel is therefore equivalent to root -- keep the group small and
# review it with the same care as the root password.
%wheel  ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
syslog.conf
/etc/syslog.conf
#If you have a remote logging host, uncomment the lines corresponding to
#the types of messages you want to forward to it. Replace this string
#loghost with the IP address of your central logging server.
# NOTE(review): all forwarding lines are still commented, so the only
# copy of every log lives on this host; anyone who gains root here can
# edit or delete the record of how they got in.  Forwarding at least
# kern.* and authpriv,auth.* to a central loghost keeps an independent
# copy.
#kern.*                 @loghost
#authpriv,auth.*        @loghost
#mail.*                 @loghost
# or to send everything
#*.*                    @loghost
################

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                 /dev/console
kern.*                  /dev/console

#Send kernel messages to a separate file. Note this will
#include messages generated by iptables about blocked
#network traffic.
kern.*                  /var/log/kernel

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# kern is excluded here because it already has /var/log/kernel above.
##*.info;mail.none;authpriv.none;cron.none              /var/log/messages
*.info;authpriv,auth,mail,cron,kern,local7.none        /var/log/messages

# The authpriv file has restricted access.
##authpriv.*            /var/log/secure
# capture auth messages also
# Both facilities: sshd logs to AUTHPRIV (see sshd_config on this page),
# other PAM/login activity may use AUTH.
auth,authpriv.*         /var/log/secure

# Log all the mail messages in one place.
mail.*                  /var/log/maillog

# Log cron stuff
cron.*                  /var/log/cron

# Everybody gets emergency messages
*.emerg                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit          /var/log/spooler

# Save boot messages also to boot.log
local7.*                /var/log/boot.log
logrotate
logrotate.conf
/etc/logrotate.conf
# rotate log files weekly
##weekly
# Monthly rotation with 12 generations kept: roughly a year of
# compressed history on the box.  (syslog.conf on this page has no
# remote loghost, so this is the only copy of the logs.)
monthly

# keep 4 weeks worth of backlogs
#rotate 4
rotate 12

# uncomment this if you want your log files compressed
#compress
compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
# NOTE(review): rotate 1 keeps only the previous month of login history
# (what last(1) reads), far less than the 12 months kept for the syslog
# files; raise it if login records are needed for investigations.
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.
syslog
/etc/logrotate.d/syslog
# /var/log/kernel is included so the separate kern.* file configured in
# syslog.conf is rotated with the rest; the HUP makes syslogd reopen the
# freshly created files.
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/kernel {
    sharedscripts
    postrotate
	/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

