Note that many of these steps may be performed by the installer
(anaconda for Red Hat / Fedora Linux),
but historically many installers don't do all these steps,
or don't do them in sensible or standard ways.
You should check all these items just to be sure they are
set the way you want.
(Note you may not know what all these items are.
they may not apply to your system.
You should just skip over (for now) the items you don't
understand, and hope the defaults are fine.)
If you find some step that wasn't done the way you like, you can always change it, but think twice first, since other installer software (and other administrators) may expect defaults and directory names to be the way the installer set them.
Note that many of these tasks are complicated and inter-related, and will be discussed at length later in the course.
Remember to record all changes in your journal!
timeout values is zero you will not be able to interactively boot the system! Consider changing this to 2 or 3 seconds.
HOSTNAME (with static IP; rarely used with DHCP since names are associated with IP address not hosts. Avoid using Red Hat GUI tools for this; historically they haven't worked well.) You may also need to set the system
nodename and host ID.
yum or non-Red Hat equivalent (for Solaris use
pca (preferred); for Debian use
apt-get dist-upgrade, but run
apt-setup first). This step may require you to configure networking first.
Warning: Do not physically connect the computer to an untrusted network until this is done and a firewall is properly set up and configured! (Of course this could be a catch-22 situation.) Note that updating the kernel can be tricky.
ping. You may also have to configure PPP or PPPoE.
Fedora 10 uses the
NetworkManager service by
This doesn't support
static configuration and is not
suitable for a server.
network service supports both
DHCP and static configurations,
but the Fedora 10 installer doesn't seem to configure it.
To turn off
NetworkManager, first run
system-config-network (or otherwise set up
networking), then start
MANPATH. Make sure these point to the standard directories for your system, such as
/usr/usb, ..., for
MANPATH. Note the preformatted man page location varies; for Red Hat it is in
/var/cache/man. The unformatted (
raw) man pages are usually in either
/usr/share/man, and local man pages are usually put into
/usr/local/man. Other standard directories for some systems include
/opt/*/bin and other places.
PATH setting rarely includes every directory
with applications in them.
For Solaris the default
Some commonly used
bin directories can be added to
but the order matters
since many systems ship with multiple versions of most utilities.
You should consider adding to the default
but the order matters!
Many *nix systems
support multiple versions of commands including platform
(i.e. hardware) specific versions.
Also (for Solaris) POSIX versions are in one place
(/usr/xpg/bin), GNU in another
(/usr/sfw/bin), community software in another
(/usr/opt/csw/bin), and so on.
filesystem(5) for a list.)
Here’s a sample
PATH for Solaris:
No one setting of
PATH will satisfy all
One way to deal with this is to have
listed first on the
PATH, and put symlinks in
there to the preferred versions of commands that wouldn’t
otherwise be found on the normal
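To see why the order matters, the sketch below lists every copy of a command along a PATH in search order and then sets up the "symlink directory first" arrangement described above. It is an added example, not part of the original notes; the function names and the link directory passed to prefer_version are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original notes). Function names are hypothetical.

# list_versions CMD [PATHSTRING]
# Print every executable named CMD along the path, in search order.
# The first line printed is the copy the shell would actually run.
# The body runs in a subshell so the IFS and globbing changes stay local.
list_versions() (
    cmd=$1
    search=${2:-$PATH}
    IFS=:
    set -f                        # do not expand wildcards while splitting
    for dir in $search; do
        [ -n "$dir" ] || dir=.    # an empty PATH entry means the current directory
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
        fi
    done
)

# prefer_version CMD TARGET LINKDIR
# Make LINKDIR/CMD a symlink to TARGET. LINKDIR stands for the directory
# that is listed first on PATH and holds links to the preferred versions.
prefer_version() {
    [ -x "$2" ] || { echo "not executable: $2" >&2; return 1; }
    mkdir -p "$3" && ln -sf "$2" "$3/$1"
}
```

Run list_versions for a few common utilities after any PATH change; a command whose first hit moved to a different directory is now a different program for every script that calls it by bare name.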
/etc/timezone should be a copy or link from a file in
/usr/share/zoneinfo/*; see also the man page for
zic on Linux. On some Unixes you must set the environment variable
TZ for each user; for our time zone the proper setting is
(or an alias such as
). For Solaris x86 you set the timezone of the hardware clock in the file
Some changes to consider include setting the default
adding some standard aliases, functions, and environment variables,
and changing the default prompts.
The traditional prompt for users is
XXX can be
anything (pathname, user and host, etc.);
Don't forget to set the default locale
It is often set wrong and curly quote-marks and other
non-ASCII characters won't appear correctly
(in man pages for instance).
(For Red Hat systems look in
issue* files contain the prompts seen before the login prompt, and
Message Of The Day) is seen just after a successful login. The
motd is often used for legal notices, for example
"Unauthorized use of this system..." (but can also be used for notices to users such as
"Company picnic on Friday!"). This type of legal notice goes by different names such as AUP (Acceptable Use Policy) or UCC (User Code of Conduct).
issue* files identify the type and version
of your system.
This is a security hole and should be changed to a legal notice,
removed completely, or replaced with a simple
"Welcome to the FooBar system" message.
(Note: On some older versions of Red Hat Linux it is not
possible to edit the
issue* files directly as they get
recreated from a shell script on every reboot.
This should be fixed too.)
With these files you can also perform various cursor movements,
set colors and text attributes (underline, reverse-video, ...)
by embedding escape sequences.
The Linux (and most versions of Unix) console drivers support a
standard for this (ECMA-48).
Some of these codes are also supported by
such as PuTTY.
See the man page for
console_codes for details.
issue* files also support some backslash escapes
that get substituted for system information; see the various
*getty man pages (for Linux, see
for a list.
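One way to check a banner file for the disclosure problem described above is sketched here. It is an added example, not part of the original notes; the function names are hypothetical, the escape letters are the ones agetty(8) documents (other getty programs may differ), and the literal-text pattern is only a heuristic.

```shell
#!/bin/sh
# Added example (not from the original notes). Function names are hypothetical.

# Escapes that agetty(8) replaces with system details; other gettys may differ.
LEAKY_ESCAPES='s r v m n o'

describe_escape() {
    case $1 in
        s) echo "operating system name" ;;
        r) echo "kernel release" ;;
        v) echo "kernel version" ;;
        m) echo "machine architecture" ;;
        n) echo "host name" ;;
        o) echo "domain name" ;;
    esac
}

# audit_banner FILE
# Print one finding per line; exit status is 1 if anything was found.
audit_banner() {
    banner=$1
    found=0
    [ -r "$banner" ] || return 0      # a missing banner discloses nothing
    for esc in $LEAKY_ESCAPES; do
        # -F: match the two characters backslash + letter literally
        if grep -qF -- "\\$esc" "$banner"; then
            printf '%s: escape \\%s expands to the %s\n' \
                "$banner" "$esc" "$(describe_escape "$esc")"
            found=1
        fi
    done
    # Heuristic (assumption): literal product or version text, e.g. "release 10".
    if grep -qiE 'release [0-9]|kernel|version [0-9]' "$banner"; then
        printf '%s: literal OS or version text\n' "$banner"
        found=1
    fi
    return $found
}

# Typical use: audit_banner /etc/issue; audit_banner /etc/issue.net
```

If the files are regenerated at boot, as noted above for older Red Hat releases, run the check again after a reboot.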
root which should be sent to a real human, a system administrator. Many systems do not come configured with standard aliases, such as hostmaster, postmaster, webmaster, abuse, etc. Some of these are required by various standards.
/etc/fstab (whatever the name; Solaris calls this file
/etc/vfstab) and make sure it has entries for all your partitions including any Windows partitions (if the computer is dual-booted), NFS mounts, and removable media drives.
redhat-lsb in order to use various LSB commands.
slocate is the secure version of
locate, which (like
find) only shows stuff the user has permission to see. Use the
-e option to exclude directories you don't want indexed (such as Windows partitions or the mount points for removable media). Verify these will run automatically from
cron. See crontab files in
umask. Create any needed groups such as
/etc/group. Other security tasks and files include configuring
/etc/fstab mount options (
/etc/pam.d/*), TCP Wrappers configuration (
/etc/hosts.deny), configure printer access (
/etc/cups/cupsd.conf), configure and verify the firewall (
iptables on Linux), and check the default permissions of standard directories and any added user accounts.
/etc/login.defs on Linux or
/etc/default/login on Solaris). Adjust the default values (for grace period, expiration date, etc.). Add/remove/edit the files in
/etc/xinetd.d/*) control which daemons to run such as for ftp, telnet, ssh, databases (such as Oracle, MySQL, Postgres), etc. Turn off any you don't need and configure the rest individually (web, mail, ssh, ...). Use TCP Wrapper (
tcpd) for added security.
/dev entries for your hardware. The installer should have auto-detected your hardware but it may not find all PCI devices (such as PCI modems) or ISA devices. You may have to configure
udev or some similar sub-system, instead of directly editing special files in
/dev which can be done like this for example:

    cd /dev
    ls -l ttyS*   # This step tells the Major and minor numbers used below
    man mknod
    mknod ttyS4 c Major minor
    ln -s /dev/ttyS4 modem

modemconfig, etc. For Red Hat systems try
redhat-<tab><tab> (For Fedora try instead
system-<tab><tab>) to see lots of such tools.
/etc at least).
logwatch) and intrusion detection systems (
tripwire). (You should try to protect all directories with IDS except for
/var, and all
periodic). See all the crontab files in