Security :: RHEL 6 - Minimal Install Image To Be Used As Generic Node
May 3, 2011
I'm playing around with the RHEL 6 install so as to create a minimal install image to be used as a generic node for a cloud. I posted this in the security section as reducing the number of services etc seems like a security activity, i.e. reducing the running processes to minimize the attack surface.
Anyways, looking through linux from scratch etc, and the NSA hardening list I'm a bit overwhelmed. Anyone have hints on any good documentation saying what is really needed for a basic system with network/ip/arp/eb rules? The RHEL 6 minimal basic puts in a c/c++ compiler along with other things. that seems unnecessary to me for a basic minimal install.
I for some reason now have attempted to install RHEL 6 x86_64 from the DVD .iso and keep getting useless packages I don't want and or need like:
- Postfix - SQLite - MySQL-libs
I was wondering what is causing something 'Postfix' to be installed? I'm trying to get this server up and running with a specific set of packages installed but I can't understand the RHEL dependencies. Since this server will be managed on a DoD network and our Postfix server is authorized but on our accredited DMZ network. This server isn't authorized to have Postfix installed. I know I can remove it manually but this leaves a trail of users and orphaned packages.
I like to do a minimal install, and then run some of my own scripts to install the rest of the packages I need, so to keep a lean system. When installing F14 with a partitioning scheme as follows:
Everything works fine and the encryption works with no problem. However, as a friend pointed out to me, if you partition as follows:
Code: /boot - 100MB/ - Rest of filesystem - Encrypted You are not able to boot the system when doing a minimal install. Meaning: you get up to the point to where you need to enter your password to decrypt the filesystem, and then nothing but..., well, nothing. However, and here it gets interesting, if you use the same partition layout, and you install the "Graphical Desktop", everything works fine. As I can not understand why this happens, I am currently testing a partition setup like so:
Code: /boot - 100MB LVM - Encrypted - / - Rest of filesystem Just to see if that works.
Anyhow: to make a long story short: It seems that the minimal install "forgets" to add some packages which are needed to decrypt the filesystem. Does anyone know which package this could be or why this occurs, so it can be added as part of the minimal install?
i cant download and install anything. it appears i need to install linux-image-2.6.31-21-generic (version 2.6.31-21.59) but when i try to i get You have 1 broken package on your system! Use the "Broken" filter to locate it. can someone tell me how to fix a broken package
We need to create a "golden" or generic image as a template to VMWare so we can deploy test servers quickly. I can create a template in VMWare but it's a duplicate of the system I made it from. How do I "unconfigure" the template system so that it goes to the installation screen to input things like host name, I/P address and so on?
what I do I can't seem to be able to USB boot the minimal image of Ubuntu. No matter what program I use (Ubootnetin/Universal USB Installer/Etc) I always get a blank screen when selecting anything from the menu Install/Command-line Install)
My normal update/upgrade of packages on a LAMP server (Ubuntu 10.04) for my business has resulted in the following error:
Code: Examining /etc/kernel/postinst.d. run-parts: executing /etc/kernel/postinst.d/nvidia-common 2.6.32-24-generic-pae /boot/vmlinuz-2.6.32-24-generic-pae run-parts: /etc/kernel/postinst.d/nvidia-common exited with return code 10 Failed to process /etc/kernel/postinst.d at /var/lib/dpkg/info/linux-image-2.6.32-24-generic-pae.postinst line 1003.
1. Installed Ubuntu minimal 2. Download and installed ATI/AMD drivers (via envy) 3. Primary display DELL 2007FPb (SVGA cable) cloned with secondary display PANASONIC TH-42PV80PA (DVI/HDMI cable) 4. PANASONIC TH-42PV80PA have black borders, the image is underscanned (left, right, top, bottom) 5. In Full install of ubuntu 9.10 (not MINIMAL) in Gnome when run amdcccle the solution was very simple. Just drag the slider to the maximum and image was overscanned to the full surface of the screen.
How to do point 5. from shell in UBUNTU MINIMAL (the light version without gnome)? Tried already from shell: Code: sudo amdcccle but the Catalyst control Panel doesn't start. Say something bad about x server. aticonfig? xrandr? xorg.conf?
I did the following command while I had my partition mounted and was not able to restart until i pulled the power. sudo dpkg-reconfigure linux-image-2.6.32-21-generic. Everything seems to be working okay now but before I start getting into 10.04 i wanna make sure i just didn't screw anything up.
I've set up DRBD on 2 machines, 1 of them is the master, another is the slave.
After each bootup, I need to run the following on the master machine:
Code: drbdadm -- --overwrite-data-of-peer primary all
Do we need to specify which machine should be the primary node every time? Is there any method to make the machine "know" it's itself the primary node?
I have created a simple menu driven script for our Operations to take care of the basic monitoring and managing of our production application from the back-end. Now, the script when tested in UAT environment was fine, but when deployed to production it kind of behaved oddly.hen the Operator chooses an option from the menu he is given the output and at the end is prompted to return to the main menu by using ctrl+c. In production, this return does not occur for some strange reason and the program just sits there.The session becomes unresponsive after that and I'm forced to terminated it by closing the PuTTY.I tried enabling the debug mode too (set -x) and still was not able to find any useful hints/trails as to why.
I am familiar with windows 2008 cluster servers, and I just started testing with centos cluster. I am creating a simple 2-node cluster, for a simple ping test.
So far, I can ping a virtual ip, and manually relocate it between the nodes, but I didn't figure out, how to do this automatically. So this is my question: How can I setup the cluster, to it automatically failover the a service to another node case one node fails?
I don't have much experience in clustering. And I'm deploying a cluster system on CentOS.But I don't know how long a node failover and another node take over those resouces to continue running service is good, fast or slow? 1s, 10s or
I was given a forensic Image which I now know is a DD image of the drive (Vista) and am trying to mount the image or extract the image to another drive. I'm not sure of the extention type or if the image is a partition or the entire drive. I think it is the entire drive.
Is it possible to mount a DD image to a device. If I can't do that I just want to extract the files to run some programs against the drive. Can I view the files under Ubuntu or do I have to remove the drive and stick it into a Vista computer.
I purchased a second drive today and was hoping the command line would be something simple.
Or am I on the wrong track, should I be doing this all in a windows environment. The reason I picked ubuntu was because of the reporting tools.
I've read and re-read everything I can find about AppArmor, to no avail. On the whole, AppArmor isn't for me. However, rather than give up on it completely, I have an idea: create a profile that I could use as a template for any untrusted application, with the aim of 1) blocking it from network access and 2) blocking it from installing other applications. I've got as far as creating an empty profile:
Code: # Generic AppArmor Profile for UntrustedApplication #include <tunables/global> /usr/sbin/UntrustedApplication { #include <abstractions/base> } What do I need to add to make this profile 100% permissive, except for the two exceptions stated above?
There is a bug in the upgrade from 9.04 to 9.10. I have repeated it three times. During the "installing the upgrades" section, the upgrade always stops or freezes in the same place. The Terminal message stops at "Configuring linux-image-2.6.31-21-generic". "update-initramfs: Generating /boot/initrd.img-2.6.31-21-generic". I have a new DELL laptop computer that came with Ubuntu 9.04 pre-installed. I am using the Update Manager and have previously updated all files for 9.04 before clicking on upgrading to 9.10.
i use the command to get the infomation of my linux kernel; sudo dpkg --get-selections|grep linux use this cmd to delete the old kernel sudo apt-get remove linux-image-2.6.32-29-generic but i forget --purge that cause zhe following item show like this linux-image-2.6.32-28-generic deinstall
After a long time I tried ubuntu(9.10) again on my fileserver, I have some remarks; why does a minimal server installation include X/openoffice? I don't need document conversion on a fileserver and I bet a lot of people don't. Wouldn't it be better to create a new server package and leave minimal minimal? low memory installs (64mb) don't work unless you configure swap by hand in between things, 64mb ram is a lot in my eyes. I mean, not to be rude but if I wanted all this I could've better installed Solaris.
That said it's stable and running fine. Since it's my home fileserver I tried to convert my previously created raid10 mirror on an adaptec 1200 card to a softraid 5 solution. This is wat I did:
dear sirs, i have taken image of 1 machine using acronis ver9.0 which has3gb swap /sda1 25gb /slash /sda2108gb /oracle /sda3so on another machine when i restore everything restore and data i can see, but boot, MBR not working.it just come written on screen "GRUB"i try to reinstall grub not workingbooth rhel cdthen type >linux rescue> chroot /mnt/sysimage>/sbin/grub-install /dev/sda2it give me error does not work and i reboot the machine.can someone teach or guide how to restore,repair, or fixed MBR
is possible to edited the default RHEL CD to have it automatically install RHEL based off of a kickstart file that I will store locally on the CD. My plan would be to put a cd in a server and have the OS automatically being installed.
I have worked on Xen which is being shipped with RHEL 5.4, Is it possible to install Xen hypervisor directly on bare metal, so that we can save resources. I searched in Xen Official site, but could not recognize the product that can be directly installed on bare metal like VMware ESX.
I have RHEL 3 and Win XP Installed in my P.C?I want to uninstall RHEL 3 and install RHEL 9 without affecting XP.how can i do this and also where can i download free RHEL 9 version or any other latest linux distribution for free?
I run a compute cluster with only a few users. Occasionally a user will accidently run a job on the master node that runs out RAM/swaps then hanges up for a while.In /etc/security/limits.conf I have set memlock to 7.5GB (master has 8GB RAM) and maybe that is what lets the machine come back rather than hanging completely? Is this the right setting to physocally limit a single user from asking for more RAM than the system has and bringing down the system? Should I set this to 2GB or so or is there something else I can do??
Tried to install Gnome after the minimal server (console based) install.I would like to install a graphical GUI now What to do? wich packages? tried zypper gnome-desktop (or something similar) but it wasn't enough.
I was given task to install redhat linux os on one of the compute node on server which doesn't have cd/dvd drive or usb port.I have installation media as well ISO image. This server is on network, so I can access it via my PC which is running window 7.I think, I have 2 choice to install:1. Copy iso image to head node on server and then install linux os on compute node via nfs.r2. Use my PC dvd drive to install linux on compute node via network.But I don't know how to do it.
Im an academic (university networks and security lecturer) studying/teaching network and operating system security, and inspired by the work of Hovav Shacham set about testing ASLR on linux. Principley I did this by performing a brute force buffer overflow attack on Fedora 10 and Ubuntu 9. I did this by writting a little concurrent server daemon which accidently on purpose didnt do bounds checking.
I then wrote a client to send it a malicious string brute forcing guessed addresses which caused a return-to-libc to the function usleep with a parameter of 16m causing a delay of 16 seconds as laid out in [URL] Once I hit the delay I new I had found the function and could calculate delta_mmap allowing me to create a standard chained ret-to-libc attack. All of that works fine. However .... To complete my understanding I am trying establish where I can find the standard base address for ubuntu 9 (and other distros) for the following, taken from Shacham:-
Quote:
[code]....
/proc/uid/maps gives me some information but not the base address ldd also gives me the randomised starting address for sections in the user address space but neither gives me the base address. Intrestingly ... when a run ldd with aslr on for over (about) 100 times and checked the start point of libc I determined that the last 3 (least significant) hex digits were always 0's and the fist 4 (most significant) where between 0xB7D7 and 0xB7F9. To me this indicated that bits 22-31 were fixed and bits 12-21 were randomized with bits 11-0 fixed. Although even that doesnt define the boundaries observed correctly.
Note: I am replicating the attack to provide signatures to detect it using IDS, and for teaching purposes. I am NOT a hacker and if needed to could reply from my .ac.uk email address as verification.
I just installed a minimal version of Ubuntu 10.10 (with Openbox) over 10.04. Mainly everything's ok, but I have three problems:
1. When shutting down or rebooting, my speakers make a loud pop. Upon googling around, I found this topic on the Arch forums. Running
Code:
Before rebooting/shutting down works. I, however, would like to have this permanently fixed so I don't have to run these commands every time before rebooting/shutting down.
2. I can't install the ATi video card drivers. I downloaded the correct driver (10.9) from the ATi website and made sure I had the packages found here installed. I also made it executable by running
Code:
When I run the installer, using
Code:
I get this output:
Code:
3. When booting, I get a message saying something like "intel_ips can't find i915 symbols, so graphics turbo is disabled". When googling for this, I see this is a kernel related issue. Since I don't have any understandings of kernels, I thought this is a little too high up for me. What does it mean and how can I fix it, as it slows my boot down quite a bit?
