SPY HILL Research

Poughkeepsie, New York

Red Hat Linux Installation/Upgrade Checklist

Here are the main things you need to check and/or change before and after installing or upgrading Red Hat Linux. Installation is easy -- customizing the configuration is the most work.
Last updated on 11 August 2003

This is a checklist, which means it lists what you need to check, but it doesn't necessarily tell you exactly what you need to do. I am assuming you know a little bit about Unix and Linux and about your existing installation.

Local customization is by far the most time consuming task. The install/upgrade is the easiest part.

These instructions were originally written for Red Hat Linux 6.x, but have been upgraded to apply to Red Hat 7.x as well. Some of the information is old, but most still applies.

Be sure to update any software package which has changed since the installation CD was created, or you will be hacked very quickly. We currently see portscans for known vulnerabilities in NFS and wu-ftpd almost every day. The best way to update packages is to use autorpm or the up2date package from Red Hat.

A collection of system administration scripts which can make things easier, such as the Tara and Ivan scripts mentioned below, can be obtained from ftp://noether.vassar.edu/pub/myers/src/adm/

Tasks which can be performed using rdist (or rsync or something similar) to push files from a central server are marked with the "" symbol. Tasks which apply to an upgrade rather than a fresh install may be marked with the "" symbol.


Your machine will be easier to maintain and the installation and configuration will be easier if you consider the following points before you install or upgrade your version of Linux:

  1. Network information:  You'll need to know the name you will give to the computer (for guidelines see RFC 1178) and basic network configuration info (IP address, gateway, netmask, etc...) as detailed in this TCP/IP Network Configuration Form.

  2. Hardware info:  Note the following for the computer you are working on, if you can get this information:
    Memory size:             (to determine swap size)
    Ethernet Card:
    Video Card:
    Monitor hsync/vsync:
    Disk Geometry C/H/S:     (More than 1024 cyl?)
    You may need some or all of these when you install or reconfigure X and networking if the installation system is not able to determine these quantities automatically. In general, the Red Hat installation program does a better job of recognizing older hardware.

  3.   Save configuration files:  For an upgrade, save all configuration files (using Tara). Be sure to copy the tarball off to a floppy disk or to a different machine. For a fresh install you might want to use Tara to copy the configuration files from a machine known to be working and well configured.

  4.   Backups:  For an upgrade, run a level 0 backup (at least of /home), and/or make a tar backup of important user files. The upgrade process is not supposed to change user files, but it always pays to be careful.

  5.   Existing disk partitions:  For an upgrade, print a copy of the output from the `df` command so that you will know which partition is which. During the installation when you run fdisk or disk druid you may not be able to recognize the partitions by their mount points, only their device names.

    In the past you might have wanted to print the file /etc/fstab, but that file now lists many partitions via mount point, not device name, and the point of this is to have something that works even when you and Linux can't otherwise figure out the mount point.

  6.   Partitioning I:  If there is an existing Red Hat Linux installation and it is on a single filesystem then you should seriously consider doing a fresh install rather than an upgrade so that you can create separate partitions for /usr, /var, /home etc... If there is room, you can use the existing single partition for /home and thus preserve your users' files, along with a backup copy of your configuration files. You will need extra space for the new partitions (see the table below).

  7. Software Packages and Desktop:  Determine which desktop system you wish to use (Gnome, KDE, or "Classic" X11) and which software packages you know you will want to use or you know you won't want. If you have enough disk space you can just install everything, but that is wasteful if you don't have lots of disk available or want to use it conservatively.

  8. Partitioning II:  If you already have separate partitions you will need to be sure that they are large enough for the current version of the OS.

    The table below lists suggested partitions and their sizes for Red Hat 6.x and 7.x.

    Filesystem    Minimum Size    Red Hat 6.x    Red Hat 7.x    Planned Size    Partition
    swap          1 × Memory      2 × Memory     2 × Memory
    /             256 MB          512 MB         512 MB
    /usr          1024 MB         1536 MB        2048 MB
    /tmp          128 MB          512 MB         512 MB
    /var          128 MB          256 MB         512 MB
    /usr/local    512 MB          1024 MB        2048 MB
    /home         whatever        2048 MB        2048 MB
    /scr0         whatever        whatever       whatever
    /C:           1024 MB         2048 MB        4096 MB

    The scratch partition /scr0 is for temporary work which will not be backed up. It is also extra space that can be turned into a larger /usr or /usr/local partition in the future, or even used by Windows.

    It is much better to leave unused partition space which can be turned into a partition later, than to assign unused space to a large partition that cannot be used for some other purpose. Take what you need, use what you take, and leave the rest for later.

    On some laptops, such as the Sony VAIO or the IBM Thinkpad, you can make a partition of type 0xA0 for "hibernate" mode. My 128MB Vaio required about 169MB for hibernation (i.e. you probably need a little bit more than just your memory size, but not much).


Installing Red Hat Linux is the easy part:

Post-Installation Configuration

Here are things to check after Red Hat Linux has been installed or upgraded. Items which are very specific to our local installation have been listed separately at the end.

  1. Kill sendmail:  Immediately kill sendmail after booting, so that you don't receive e-mail until you are ready for it. One quick way to do this is `service sendmail stop`.

  2. Disable logins:  If you need to keep users off the system while you work, put a message to that effect in /etc/nologin.

  3. Fix host table:  Red Hat's installation scripts put the host name in the host table /etc/hosts on the "loop-back" device. This is wrong and will cause you grief. The correct entry for the loopback device is simply the line
         localhost.localdomain   localhost loopback
    You may, if you wish, also add a line for your machine with its correct ethernet address, like so:
         noether.vassar.edu   noether
    If you choose to do this the first item after the IP address should be the Fully Qualified Domain Name (FQDN) of the host. Any number of shorter "alias" nicknames may follow, but the FQDN should be first.
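
    One way to check a host table for both mistakes described in this item. This is an added example, not part of the original checklist; the function name check_hosts and the sample file are constructed for illustration, and the IPv6 loopback ::1 is included as a generalization.

```shell
#!/bin/sh
# Added example: flag the two /etc/hosts mistakes described in item 3.
#
# check_hosts FILE SHORTNAME
#   Prints one finding per line and returns 1 if anything was found.
#   (check_hosts is a hypothetical helper name, not a Red Hat tool.)
check_hosts() {
    awk -v host="$2" '
        { sub(/#.*/, "") }                      # drop comments
        NF < 2 { next }                         # need an address and a name
        {
            for (i = 2; i <= NF; i++) {
                # Match "noether" or "noether.any.domain", not "noether2".
                if ($i != host && index($i, host ".") != 1) continue
                if ($1 ~ /^127\./ || $1 == "::1") {
                    print "line " NR ": " $i " is on the loopback address " $1
                    bad = 1
                } else if (index($2, ".") == 0) {
                    print "line " NR ": first name " $2 " is an alias, put the FQDN first"
                    bad = 1
                }
                break
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input: the host name sharing the loopback line.
sample=$(mktemp)
printf '%s\n' \
    '127.0.0.1  noether.vassar.edu noether localhost.localdomain localhost' \
    > "$sample"
check_hosts "$sample" noether || echo "fix the host table before continuing"
rm -f "$sample"
```

    On a real machine the call would be `check_hosts /etc/hosts "$(hostname -s)"`.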

  4. Host name:  If you need to set or change the name of the machine, do so in /etc/sysconfig/network. The Red Hat startup scripts will set /etc/HOSTNAME, which I think is annoying (the BSD tradition was to use whatever was in /etc/HOSTNAME to set the host name), but that is how they do it.

    Just use the "short" name of the machine; there is no need for the Fully Qualified Domain Name (FQDN). (The FQDN should be the first name in the list in /etc/hosts.)

  5. Update packages:  Update software packages by getting anything that has changed since the CD was published. There are several ways to do this:

    1. Use the package autorpm to automatically update your system. This does not come with Red Hat; you will have to get the package separately from: http://www.autorpm.org/ The configuration files are a bit complicated, and you will need to edit the default configuration file autorpm.conf in /etc/autorpm.d to enable updating from Red Hat.

      You will also want to edit the file redhat-updates.conf to enable dependency following and to not automatically install new packages (just automatically install updated packages) or even report that they exist.

      Sample configuration and pool files for autorpm can be found at ftp://noether.vassar.edu/pub/myers/src/adm/autorpm.d/

    2. Use Red Hat's "up2date" tool. With the Gnome GUI this is very easy, though not done automatically.

    3. Get a copy of the "Lucky 13" CD, which contains updated rpm's for Red Hat 7.3 (and 7.2 and 6.2), along with some other useful tools, including an RPM of autorpm.

    4. OLD! Use rpmwatcher to get the latest updates for your system. This is a quick and easy thing to do if you have this program (it's also on the Lucky 13 CD), though autorpm is now preferred, as rpmwatcher is getting old. Still, it can get you updated quickly, and then you can switch to something else later.

  6. rc.local:  Red Hat's upgrade procedure will overwrite /etc/rc.d/rc.local (I consider this an error), or it will create a file called rc.local.rpmnew, which will also be executed at boot time. Either way causes problems, since this overwrites /etc/motd, /etc/issue and /etc/issue.net. Restore the local version of that file if necessary and get rid of the Red Hat version.

  7.   Configuration files:  Restore the important configuration files, either from the backup copy, the old root partition, the tarball saved by Tara, or via rdist. Here is a list of the important ones:
          /etc/shadow       (if it exists)
          /root/.??*        (root's "dot" files)
          /etc/ssh/ssh_config       (might be /etc/ssh_config )
          /etc/ssh/sshd_config      (might be /etc/sshd_config )
          /etc/csh.cshrc            (if it's changed)
          /etc/csh.login                         "
          /etc/sudoers                (if it's changed)
          /etc/news/inn.conf            (if it exists)
          /usr/local/lib/kbd/ctrl.map   (if you are using it)
    Some of these are also discussed in more detail below.

  8. Boot message:  Update/restore /boot/boot.txt. Edit /etc/lilo.conf to use boot.txt and other options you want, but be sure to get the right kernel. Then say

  9. Emergency boot disk:  Make sure you have an up-to-date emergency bootdisk. If you didn't make one during the install/upgrade you can always make one with the command
    mkbootdisk kernel-version
    To get the kernel-version say `uname -r` or `ls /lib/modules`.

    Note that with the 2.2.x and later kernels you won't be using a rescue disk anymore (and the RH6.1 CD doesn't include rescue.img, even though the manual says it does). Instead, you simply give the parameter "single" to the LILO boot prompt to boot into single user mode, like so:

         LILO:  linux single     
    This is similar to booting old BSD systems to single user mode with the "-s" flag.

  10.   Superuser account:  Restore root's dot files (if you've not done so already).

    If you like, change the GCOS field (the user name) for the root account so that e-mail from root is distinguishable rather than just being from 'root'.

  11.   crontab:  Restore root's cron table by restoring the file /var/spool/cron/root. Also edit /etc/crontab to disable the hourly and nightly jobs (at least), unless you really want them.

  12. Superuser's e-mail:  Verify that root's e-mail is forwarded to a real person, either by adding their address to /root/.forward or an alias in /etc/aliases. Run `newaliases` in any case, just to be sure.

  13. Get SSH running:  Red Hat 7.x comes with OpenSSH so you don't need to do anything special to install it except install the ssh packages. You will still need to make sure the configuration is correct. The location of the configuration files has changed from /etc to /etc/ssh.

    Here are important things to check/do for SSH, especially if you are upgrading:

    • If you are going to allow ssh logins then you need to be sure to install the openssh-server package in addition to the client packages, and then turn the service on both now and in the future with the commands:
           #  service sshd start
           #  chkconfig sshd on

      If instead you compile sshd from source, then include libwrap support with

      	   ./configure --with-libwrap

    • If necessary, restore root's directory /root/.ssh.

    • If root does not have an SSH key, create one by running `ssh-keygen`.

    • Also, you can put a copy of the RSA key for the root user of the network administration machine (in our case noether.vassar.edu) in /root/.ssh/authorized_keys (create this file if it doesn't exist) and then root@noether can log in or copy files to the local machine without a password. More details on how this works can be found here.

    • In the past it was useful to enable SSH Protocol 1, to be able to accept connections from older ssh1 clients. Now that there is a known security flaw in SSH Protocol 1 you should not do this. Instead, require all clients to use SSH Protocol 2 by editing /etc/ssh/sshd_config and changing the protocol line to read just:
              Protocol 2
      (Not "Protocol 2,1".)

    Finally, try it from another host to verify that it works.
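
    A check for the Protocol setting described above, written as an added example that is not part of the original checklist. The function names are hypothetical; the logic relies on sshd using the first value it reads for a keyword, so a commented-out line leaves the compiled-in default in force.

```shell
#!/bin/sh
# Added example: report which Protocol value an sshd_config really sets.
#
# sshd_protocol FILE
#   Prints the first active Protocol value, or "unset" when every
#   Protocol line is missing or commented out. Keywords are matched
#   case-insensitively and an optional "=" before the value is accepted.
sshd_protocol() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }
        tolower($1) == "protocol" && !seen { print $2; seen = 1 }
        END { if (!seen) print "unset" }
    ' "$1"
}

# check_sshd_protocol FILE
#   Succeeds only when the file pins the server to "Protocol 2".
check_sshd_protocol() {
    value=$(sshd_protocol "$1")
    case "$value" in
        2)     return 0 ;;
        unset) echo "$1: no active Protocol line, compiled-in default applies" ;;
        *)     echo "$1: Protocol $value still permits SSH protocol 1" ;;
    esac
    return 1
}

# Constructed sample: the Protocol line is present but commented out,
# so the file does not actually restrict the server to protocol 2.
sample=$(mktemp)
printf '%s\n' '#Protocol 2,1' 'Port 22' > "$sample"
check_sshd_protocol "$sample" || true
rm -f "$sample"
```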

  14. System logs:  Restore the previous /etc/syslog.conf file, or edit the current one to your liking. Here is an example called sample.syslog.conf.

    It is a good idea to add logging to another host (a "loghost"). UM Physics OCS currently provides loghost services for the UM Physics department. Vassar CIS could (should?) provide the same service for Vassar someday. To add logging to a remote host just add this line to the config file:

    *.notice;auth.info;authpriv.notice  @loghost.physics.lsa.umich.edu
    (You MUST use tabs, not spaces, between the two items above.) Change the name of the loghost as appropriate.

    When you have made the appropriate changes to syslog.conf don't forget to HUP the daemon.

  15. Dæmon Services:  Disable daemons and startup scripts you don't want and turn on services you do want. Red Hat Linux uses the SYSV init script scheme for starting services at boot time. The start/stop scripts are in /etc/rc.d/init.d/, with appropriate soft links made to these from the separate directories /etc/rc.d/rc?.d/ for different run levels. Here ? is a digit from 0 to 5 for the run level:

    Run level 5 is multi-user with windowing.
    Run level 3 is multi-user without windowing.
    Run level 1 is single-user mode.
    Run level 0 is a shutdown. (Run level 6 is a reboot.)

    • Make sure /etc/ntpd.conf has the correct time servers listed. See this list.

    • Make sure gpm is turned on for runlevel 3 but turned off for runlevel 5 (unless you are using /dev/gpmdata as the mouse device). (Failure to do this may or may not cause problems. See the BUGS section of the gpm man page if you have problems using the mouse with X11.)

    • Runlevel 4 is supposed to be unused, yet Red Hat puts startup scripts in it. Just delete everything in /etc/rc.d/rc4.d. Go ahead, wipe it all out. It feels good, doesn't it?

  16. xinetd / inetd:  Disable all unused network services in /etc/xinetd.d (Red Hat 7.x) or /etc/inetd.conf (Red Hat 6.x and any other Unix). Be sure you are not running telnetd, imapd, popper, gopher, exec, etc. Seriously consider disabling ftpd unless you really need it (only for an anonymous ftp server -- otherwise use ssh/scp or sftp). To disable any xinetd service simply add the line
    	disable = yes     
    to the file for that service in /etc/xinetd.d/

    As a general rule, disable anything that you don't need or that you don't understand, at least until you understand it. If you don't need any services provided by (x)inetd then don't start the daemon at boot time.
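
    To see what is still switched on after editing, the following added example (not part of the original checklist) lists every service in an xinetd.d directory that lacks `disable = yes`. The function names and the sample directory are constructed for illustration; a service block with no disable line at all counts as enabled.

```shell
#!/bin/sh
# Added example: list the xinetd services that are still enabled.
#
# xinetd_enabled DIR
#   Prints the name of every service in DIR that xinetd would offer.
xinetd_enabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Like xinetd's includedir, skip names containing a dot or ending
        # in "~", which covers telnet.rpmnew, ftp.rpmsave and editor backups.
        case "${f##*/}" in *.*|*~) continue ;; esac
        awk '
            { sub(/#.*/, ""); gsub(/=/, " = ") }
            $1 == "service" { name = $2; off = 0; next }
            name != "" && $1 == "disable" && $3 == "yes" { off = 1 }
            name != "" && $1 == "}" { if (!off) print name; name = "" }
        ' "$f"
    done | sort -u
}

# xinetd_unexpected DIR [ALLOWED...]
#   Prints enabled services that are not on the allow list, i.e. the
#   ones to disable or to read up on before leaving them running.
xinetd_unexpected() {
    dir=$1; shift
    xinetd_enabled "$dir" | while read -r svc; do
        wanted=no
        for ok in "$@"; do
            if [ "$svc" = "$ok" ]; then wanted=yes; fi
        done
        if [ "$wanted" = no ]; then echo "$svc"; fi
    done
}

# Constructed sample directory standing in for /etc/xinetd.d.
demo=$(mktemp -d)
printf '%s\n' 'service telnet' '{' '    disable = no' \
    '    server = /usr/sbin/in.telnetd' '}' > "$demo/telnet"
printf '%s\n' 'service ftp' '{' \
    '    server = /usr/sbin/in.ftpd' '}' > "$demo/wu-ftpd"
printf '%s\n' 'service rsync' '{' '    disable = yes' '}' > "$demo/rsync"
xinetd_unexpected "$demo"
rm -rf "$demo"
```

    An empty result from `xinetd_unexpected /etc/xinetd.d` with no allow list means nothing is enabled, in which case xinetd itself need not be started at boot.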

  17. Disable or fix sendmail:  Do you really need sendmail? You don't need to start the daemon if you don't want to receive incoming mail (it can still be used to send outgoing mail). And it's better for users to use the central campus e-mail service than to run sendmail on each desktop. Consider adding an MX record in DNS to redirect e-mail for this host. To turn off sendmail for good give the command `chkconfig sendmail off`.

    If you are going to run sendmail as a daemon then you need to know of a problem created by Red Hat in version 8.11.6. They have set up the file /etc/sendmail.cf to act as a daemon only on the loopback interface, not via ethernet (for security). You should therefore edit this file and change the line

         O DaemonPortOptions=Port=smtp,Addr=, Name=MTA      
    to read instead as:
         O DaemonPortOptions=Port=smtp,Addr=, Name=MTA
    You should also add your host name to the file /etc/mail/local-host-names

  18. NFS mounts:  Get explicit NFS mounts working, especially /usr/local/src, by adding them to /etc/fstab. It's better to mount things "soft", interruptible, and in the background, like so:
         noether:/usr/local/src  /usr/local/src  nfs  exec,dev,suid,rw,bg,soft,intr  0 0
    Be sure to create the mount points if they don't already exist, then mount with
         mount -a -t nfs     
    Make sure NFS mounting is started at the right run level (S25netfs).

  19. Automounter:  Verify that the automounter is started correctly at boot (I put it at S72amd). Remove any explicit mount points from /etc/fstab for filesystems mounted by the automounter.

    The amd automounter is in the package am-utils which is probably not installed automatically unless you specifically asked for it.

  20. NFS exports:  Get NFS exports working, by restoring or creating /etc/exports and then saying `exportfs`. Be sure to add all hosts in the cluster to this list, or at least all the ones you want to interact with.

    You can see what is being exported with `showmount -e`, and this is a simple test that the server is working.

    If NFS is not started at boot time then add it to the boot sequence. (I now put it at S60nfs.)

    Add this machine to the export lists /etc/exports on the other machines and re-export. The automounter will not be able to mount them until it is restarted.

  21. Windows partition:  On a dual boot system, make an explicit mount point for the Windows filesystem. Because Linux support for NTFS is still experimental you should only mount NTFS partitions read-only. But "DOS" partitions (vfat or msdos) can be mounted read-write. I often mount DOS partitions as "/C:" (the colon is a valid character in a filename) and NTFS partitions as /ntfs or /win2k.

    First, create the mount point:

         mkdir /ntfs      
    Then add an entry to /etc/fstab:
         /dev/hda1    /ntfs        ntfs    noauto,ro,user  0 0
    To mount NTFS filesystems you will have to have the NTFS support module compiled. It does not come with the default kernel/libraries. Support for vfat is usually included in the default kernel.

  22. NIS (yp):  Add the host to the NIS cluster, by doing the following:
    • Add the domainname to /etc/sysconfig/network.
    • Set the domainname this once with the domainname command. (On future reboots it will be set by rc.sysinit.)
    • Start ypbind.
    • Add the startup of ypbind to the initialization sequence (I use S87ypbind).

  23. Local software:  Build and install any local software packages under /usr/local/src/ (which you may have to mount via NFS from another machine, if that is where you have it already). A checklist of candidate local packages is given later, but some of this stuff may need to be done now. You decide.

  24. inittab Shutdown:  Fix /etc/inittab so that CTRL-ALT-DELETE causes a shutdown, not a reboot. Edit the file and change the relevant line to
         # Trap CTRL-ALT-DELETE
         ca::ctrlaltdel:/sbin/shutdown -t3 -h now      
    (change the -r to -h).

    If you really want to reboot, first press CTRL-ALT-DELETE to shutdown, then press it again to boot from the BIOS supervisor.

  25. Reboot?:  At this point you might want to reboot to get everything new working and verify that it's all okay. You don't have to reboot (this is Linux, after all) but it might make it easier to catch mistakes if you did a reboot now. It will also make the inittab change take effect, and you can verify that the automounter is doing its job.

    If you do reboot, BE SURE TO TURN OFF SENDMAIL AGAIN immediately. Why don't you just disable it and get your e-mail on a different machine?


  26.   Local files:  Copy or restore files under /usr/local, specifically the following directories:
    Verify that the ownerships and permissions match local customs.

    An alternative is to mount /usr/local or subdirectories via NFS or AFS.

  27. Config files:  Update the following files. You may need to merge changes from your previous versions with changes made by Red Hat:
         /etc/services	(probably have to add the "hacker" ports)
         /etc/group		(add local groups)
         /etc/motd		(change OS version?  Or remove it!)

  28.   printer queues:  Restore the existing print queues by restoring /var/spool/lpd/* and the file /etc/printcap. Or just create the printer queues that you need using printtool.

    In Red Hat 7.x you have to tell the lpd daemon to use the configuration file /etc/printcap by editing the file /etc/lpd.conf and changing the appropriate line to read:

         default lpd_printcap_path= /etc/printcap     
    Otherwise it will try to use /etc/lpd_printcap. You will also need to edit /etc/lpd.perms if you want to share your printer with other machines.

    Also note that the file /etc/printcap is automatically generated by printtool or printconf-gui, but you can still add entries "by hand" by putting them in the file /etc/printcap.local. Entries you add to /etc/printcap may get munged or lost when you run printtool.

  29. Anonymous ftp:  Verify that anonymous ftp is not on, by removing the ftp user from /etc/passwd.

    Or, if you want to enable anonymous ftp then configure it correctly now.

  30. Web server:  Verify that you are not running httpd (the web server), unless you really want it. And if you really want a web server, configure it correctly now.

  31. Sound:  Configure sound (unless kudzu already did it for you at the first reboot) by running

  32. Documentation index:  Rebuild the man page index with the command
         makewhatis & 
    and the locate/slocate index with the command
         updatedb & 

  33. Samba:  Verify that Samba is working correctly, if you want to use Samba. Note that for Red Hat 7.x the location of the configuration file has moved from /etc/smb.conf to /etc/samba/smb.conf. Also note that Windows and Mac computers can now do Unix style "Internet Printing", so you don't need to enable Samba for printing to a Unix printer.

  34. Regular Software Updates:  Set up some system for regularly updating software packages. Installing autorpm will include automatic nightly updates, but you should check the configuration files.

    Red Hat's up2date tool should also work for regular updates but I've not tried it. (Relying on a user to do this via GUI is not acceptable -- they will forget!)

  35. X windowing system:  Get X working (again):
    • Try `startx` to see if X works.
    • You can either restore the file /etc/X11/XF86Config or run `XF86Setup` to create a new one. (Red Hat uses Xconfigurator but that is not as powerful.)
    • Verify that the default is at least 16 bit colors, not 8.
    • Run `xvidtune` to adjust screen (XF86Setup will give you the option to do so).
    • When comfortable that X works, you can make the default runlevel "5" in /etc/inittab. But you might just want to try it first by saying `telinit 5`.

    Red Hat 7.1 uses XFree86 4.0.3, while Red Hat 6.2 uses version 3.3.6. The configuration file XF86Config has changed both format and location in the newer version. Further notes on this will follow when I figure out what's going on. Jim Liu says that the file /etc/X11/xdm/Xsession goes missing after an upgrade.

  36. root xauth:  Give root the proper key to display on the X console on your central administration machine. On that machine:
         xauth extract X-key $DISPLAY      
    Copy the file X-key to the upgraded machine, and as root say
         xauth merge X-key      
    Test it with xeyes.

  37. Screensaver:  To get the screen saver working for xdm, install custom versions of Xsetup_0 and Xsession in /usr/lib/X11/xdm.

  38. Verify rpm's:  Verify all installed RPM packages by running the Rupert script. Verify that things you want are there and things you don't want are not there.

    To remove a package you don't want the command is:

         rpm -e packagename

  39.   User directories:  Restore /home, either from backup tapes or tar, or make sure that it's mounted correctly.

  40.   Outbound e-mail:  Restore outgoing e-mail by restoring /var/spool/mqueue/
    (only if there was something there).

  41.   Inbound e-mail:  If you are going to continue running sendmail (try to avoid it if you can) then restore incoming e-mail by restoring /var/spool/mail/. Now you can start sendmail, like so:
         /usr/lib/sendmail -bd -q1h        
    or you can use the startup script
         /etc/rc.d/init.d/sendmail start	
    or, as shorthand for that, the command
         service sendmail start

    A better idea would be to request an MX record in DNS for this host to have e-mail delivered elsewhere.

  42. Enable logins:  Let users back on the system by deleting /etc/nologin.

    You might want to reboot again at this point to get a clean start and to verify that runlevel 5 is okay, but it's not required.

Local Customization

These are things that are specific to the installation and system administration practices in the U-M Particle Theory Group and the Vassar LIGO group. Many of these files are easily updated using rdist (or rsync) as indicated by the "" symbol.

  1. If this machine will dial in to the campus network via ppp then obtain a copy of the customized ppp scripts from ftp://noether.vassar.edu/pub/myers/src/ppp/ and install them in /etc/ppp.

    These files are currently for dialing in to the University of Michigan ITD dial-in service, not Vassar.

    Edit the scripts to set the correct modem device, to turn on/off the sounds, turn off ntpdate or sendmail, etc.

    The best way to enable any user to initiate a ppp connection is by use of the sudo program, which you will have to compile and install separately. A sample entry for the /etc/sudoers file is included with the ppp scripts mentioned above.

  2. Restore the keyboard map /usr/local/lib/kbd/ctrl.map and make sure that it is invoked in rc.local. This gets the control key back where the Unix gods intended it to be.

  3. Populate /etc/skel with your own versions of user's startup scripts. Set the default shell to tcsh with
         useradd -D -g 100 -s /bin/tcsh

  4. Restore system messages by restoring /var/spool/msgs/, and verify that it all works as it should by posting a message.

    If msgs was not configured before, do so now.

    • Compile and install the executable. I use /var/spool/msgs/ as the spool directory and since that is non-standard I have to edit msgs.h accordingly.
    • Add the line
           msgs: "|/usr/local/bin/msgs -s"       
      to /etc/aliases and run `newaliases`.
    • Make a link under /etc/smrsh/ to the msgs program.

  5. While you are at it, make a link to procmail under /etc/smrsh/ too, and then procmail will work. (Older installations may have used /var/adm/sm.bin but this is no longer true.)

  6. Restore the local system administration tools in /usr/local/adm/ if you have not already done so.

  7. Build any local software that is still not on the system, or copy executables, man pages and config files from a previous installation:

    • mush
    • PGP
    • tripwire
    • deltools
    • printing tools
    • TeXsis, REVTEX
    • ipw, cpm
    • StarOffice
    • uufiles
    • form
    • Mathematica, matlab
    • Acrobat
    • Anything else...?

  8. Fix the dvips config file /usr/share/texmf/dvips/config/config.ps. The default config.ps uses A4 paper, not Letter, which causes text to begin higher than it should. Making Letter the first papersize in the file fixes this.

    An alternate way you might fix this problem is to run


  9. (Obscure.) Inspect the file /etc/ld.so.preload and remove the entry for /lib/libregframe.so. If this is the only entry (very likely) then simply remove the file.

    These files were needed to get the SUSE X server for the Rage128 card to work under Red Hat 5.2. But they are not needed under Red Hat 6.x and in fact they seem to cause Acrobat Reader to crash with a segmentation fault. So remove them if you can so that Reader can be used.

  10. Check users' .emacs files for a problem in switching over from emacs version 19 to version 20. Specifically, say
         grep "C-x\\ "  /home/*/.emacs        
    and if anybody has such a line in their .emacs file then change it to
         (global-set-key "\C-x " 'call-last-kbd-macro)    ; ^X-SPC      executes macro      
    (that is, delete the extra backslash). If you don't do this then C-x won't work under emacs version 20, which is a huge problem.

  11. Get backups working (again):

    • Create /var/adm/ and /var/adm/dumpdir/, and fill the latter with the dodump script and dodump.options, and restore any old logs or dumpTOC files.

    • Change ownership and protections on dumpdir:
      	   chgrp -R disk /var/adm/dumpdir
      	   chmod g+ws  /var/adm/dumpdir
      	   chmod g+w   /var/adm/dumpdir/*
    • Change ownership and protections on dump and restore, like so:
      	   chgrp disk /sbin/dump  /sbin/restore
      	   chmod u+s  /sbin/dump  /sbin/restore
    • Change ownership and protections on /etc/dumpdates and DUMPDATE like so:
      	   chgrp disk /etc/dumpdates	/var/adm/dumpdir/DUMPDATE
      	   chmod g+w  /etc/dumpdates	/var/adm/dumpdir/DUMPDATE
    • Make a link
      	   ln -s /var/adm/dumpdir /usr/local/adm/dumpdir
    • Edit dodump.options for this host, and also the other dump scripts. Pay particular attention to the number of partitions being dumped at different dump levels.
    • Add the host to the access list on the machine with the tape drive. Until rmt can use ssh rather than rexec this will have to be in the .rhosts file. As a result, don't trust this host as much as you would otherwise.
    • Add users who will be dump "operators" to group disk.

  12. If /home contains system files from the previous OS version (e.g. you upgraded to several partitions and /home was the single partition of the previous OS) then you probably want to turn off the suid-root bit on files that have it set. Assuming the files are under /home/OLD you can use the Unix find command as follows:
         find /home/OLD -user root -perm -4000 -exec chmod -s {} \;

    Similarly, you can make any world-writeable files in the old partition no longer world-writeable with the command:

         chmod -R o-w /home/OLD

  13. Run Ivan to conduct a security inventory and construct a list of suid root files. Deal with any problems reported by Ivan.

  14. Run Nigel -reset to reset the nightly tripwire.

  15. Install or restore the tripwire configuration file tw.config and (re)build the tripwire database for this system.

  16. Run Tara to make a copy of all your current configuration files.


  Copyright © 2008 by Spy Hill Research http://www.Spy-Hill.com/~myers/linux/RedHatChecklist.html (served by Islay.spy-hill.com) Last modified: 04 September 2008