Linux Localization Checklist
CU Generic Localization Checklist for Linux - Redhat 5.2 Specific (Linux)
MACHINENAME:
UnixOps support type (check all that apply):
[ ] No support - one time localization only
[ ] NET support
[ ] FULL support (includes first 3 and user support)
[ ] GATE support (host has >1 network interface and subnet)
[ ] DUMPS backups
To use this checklist:
Place your LOGIN NAME inside each brace after the task is completed.
Place NA (Not Applicable) if the task doesn't apply here.
--- THIS CHECKLIST IS MEANT TO BE DONE IN ORDER! ---
VERIFY EVERYTHING. GET SOMEONE ELSE TO DO IT IF YOU CAN'T!
**************************** GENERIC SECTION **************************
[ ] All parts have arrived, final location known,
wiring asked to make any necessary connections
[ ] Has a valid CU-Boulder Internet address and all host
attributes are in addhost database.
[ ] Install base OS
[ ] Move this file to hostname:/Localization and continue
to update it there.
[ ] move all files from /root to /
rmdir /root
[ ] Change root's login shell to be /bin/csh
Change root's home directory to be /
[ ] Create /.rhosts (mode 600, owner root) and make it
contain *only* machines it gets its files from. (FQDNs only)
[ ] Create /etc/resolv.conf with the appropriate entries.
[ ] Edit /etc/nsswitch.conf; add 'dns' before 'files' on
the hosts line. remove all mention of nis, nisplus.
[ ] Make sure that the following files have the correct
information:
/etc/sysconfig/network:
NETMASK=255.255.255.0
HOSTNAME=(NFQHN)hostname
GATEWAY=the correct gateway
/etc/sysconfig/mouse:
XEMU3=yes
[ ] Move the file /etc/securetty to /etc/securetty-
NOTE: This is for your convenience while
localizing ONLY! (this file contains the tty's that
root is permitted to login from)
[ ] Move the file /etc/securetty- back to /etc/securetty
and ensure that it only contains the following:
tty1
tty2
[ ] use shadow password file
/usr/sbin/pwconv
[ ] Comment out unneeded services from /etc/inetd.conf
include: gopher, pop, imap, uucp, tftp, bootps, finger,
netstat, time, talk, ntalk, linuxconf, etc.
[ ] run control-panel and look in the Runlevel Editor
to ensure that no unnecessary processes are running at
runlevel 3 (e.g. rwhod, smb). Be sure to turn off
linuxconf, innd and amd.
[ ] remove any unneeded cron jobs from /etc/crontab
rm /etc/cron.hourly/inn-cron-nntpsend
rm /etc/cron.daily/inn-cron-expire
rm /etc/cron.daily/inn-cron-rnews
rm /etc/logrotate.d/apache
(make sure news daemon is turned off! - see previous step)
[ ] Install all vendor specific patches!!!!
Check http://www.redhat.com/support for current patch rpms.
DO NOT CONTINUE with this checklist until the patch
installation has begun!
[ ] Change /etc/rc.d/rc.local to obfuscate system
identity. Do this after rebuilding the kernel in the
previous step, e.g.:
echo "Unix(r) System V Release 4.0 (`hostname`)" >> /etc/issue
[ ] This host has valid routing. Check the file
/etc/rc2.d/S69inet. See if the processes called
are running. If there is no such file, acquire
one from a similar machine then reboot and check
again. A machine with a single network interface should
run "in.routed -q" or "in.rdisc -s" (preferred)
[ ] remove /.tcshrc
ensure /.cshrc exists or copy from a like machine
[ ] Create /core by soft-linking to /dev/null
ln -s /dev/null /core
[ ] Remove system versions of rdist
rm /usr/bin/rdist /usr/sbin/rdistd
[ ] Configure machine to be rdisted to by distribution
host (has /usr/local/etc in root's path, has
/usr/local/etc/rdistd, and distrib host is in
/.rhosts).
or
has grabfiles installed. Make sure that "telnet machinename
grabfiles" causes grabfiles to run. (Grabfiles is only used
by machines that are not on UnixOps support)
[ ] Set up /usr/local/etc/hourlydist if this machine is a server
which will be sharing passwd, group, sudoers, etc. with
clients.
[ ] If you are distributing /etc/group from a non-linux server
do this at your own risk.
[ ] Create /etc/motd.local, include any messages specific to this
machine or lab
[ ] Create /etc/shells and include all shells expected to be
on the system. (This will save much confusion as ftp will
not allow people to ftp in if their shell is not in
this list).
[ ] Has valid tech.alias, trouble.alias, admin.alias, and
wiring.alias in /usr/local/adm/unixops. chmod to 644.
[ ] Make the following directory and links
mkdir /var/adm
ln -s /var/log /usr/local/adm/logs
ln -s /var/log /var/adm/log
[ ] Create diary file in /var/adm/log/diary, mode 4664, owner
nobody, group mail ^^^^
[ ] Create /var/adm/log/connect.log, mode 600
[ ] Create /var/adm/log/sudo.log, mode 600
[ ] Localized syslog.conf - copied from localized system of
same OS and class config.
only authpriv.* goes to /var/log/secure
other secure lines go to /var/adm/log/connect.log
[ ] killall -1 syslogd
[ ] /usr/bin/quota is replaced with link to /bin/true unless
quotas will be used.
[ ] This host has blessing to mount NFS partitions. Add
remote partitions to mount to /etc/fstab OR to
/etc/auto.master (but not both).
[ ] Make sure /etc/auto.misc contains up-to-date information
[ ] If it is the NFS server, edit /etc/exports to include the
partitions to be exported. Run "exportfs" to push out
the mount permissions.
If it is an NFS client, blessed mounts are set up in
/etc/fstab with rw,bg. If mounting
/var/spool/mail via NFS, use rw,bg,actimeo=0 as
mount options. Create mount points. Run "mount -a".
or:
blessed mounts are setup in /etc/auto.master with
-rw,nosuid,intr,soft,grpid.
create mount points, mount.
[ ] check /etc/exports on machine and make sure partitions
are mountable only by authorized machines.
[ ] run exportfs -r
[ ] Political/technical OK to join Club UniqUID
[ ] If in Club UniqUID, install adduser - be sure to
configure /usr/local/lib/adduser/adduser.conf to the
customer's specifications. Make sure there is a good
set of user dot files in /usr/local/lib/adduser/homedir
or
if in Club UniqUID and this machine is to be part of a CNS
lab, install durm - configure /usr/local/durm/lib/type_db
to the customer's specifications. Make sure there is a
good set of user dot files in /usr/local/durm/skel
[ ] If in Club UniqUID, install passport and have it
run as a cron job once a month (1st, 2nd, or 15th).
[ ] Any specific kernel changes are made to kernel source
in /usr/src/linux
[ ] Setup /etc/sudoers to include FTEs, yourself, and any local
admins for this machine
[ ] Make the links:
ln -s /usr/X11 /usr/local/X11
ln -s /bin/tcsh /usr/local/bin/tcsh
ln -s /bin/bash /usr/local/gnu/bin/bash
[ ] create links:
ln -s /sbin/dump /etc/dump
ln -s /sbin/rdump /etc/rdump
ln -s /sbin/restore /etc/restore
ln -s /sbin/rrestore /etc/rrestore
ln -s /bin/tar /usr/local/gnu/bin/tar
[ ] Run control-panel as root to add printers or edit
/etc/printcap by hand.
Install jetadmin if it will be a print server.
[ ] After patch installation is complete, install tcp wrappers,
identd, and log daemons.
Binaries are located via anonymous ftp from boulder.
[ ] Do a "makewhatis -w" to build whatis database
rdist [ ] install Secure Shell package, including ssh and sshd.
configure sshd to start at boot time. Package is
available via anon FTP from boulder.
************************** END GENERIC SECTION **************************
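
The /etc/inetd.conf step in the section above can be scripted as shown here. This is an added example, not part of the original checklist; the function names and the sample file are constructed for illustration, and each service name must match the first field of its line exactly.

```shell
#!/bin/sh
# Added example (not part of the original checklist).

# disable_inetd_services FILE SERVICE...
# Prefix '#' to every active line whose first field (the service name) is
# listed. The untouched original is kept as FILE.orig.
disable_inetd_services() {
    conf=$1; shift
    cp -p "$conf" "$conf.orig" || return 1
    awk -v list="$*" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) off[s[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }   # already a comment, or blank
        ($1 in off)           { print "#" $0; next }
        { print }
    ' "$conf.orig" > "$conf"
}

# enabled_inetd_services FILE
# Print, space-separated, the services inetd would still start.
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample; stands in for /etc/inetd.conf so nothing real is edited.
make_sample_inetd() {
    cat > "$1" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
gopher  stream  tcp  nowait  root  /usr/sbin/tcpd  gn
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  root  /usr/sbin/tcpd  in.fingerd
talk    dgram   udp  wait    root  /usr/sbin/tcpd  in.talkd
time    stream  tcp  nowait  root  internal
time    dgram   udp  wait    root  internal
EOF
}

sample=$(mktemp) && make_sample_inetd "$sample"
disable_inetd_services "$sample" gopher pop imap uucp tftp bootps finger \
    netstat time talk ntalk linuxconf
echo "still enabled: $(enabled_inetd_services "$sample")"
rm -f "$sample" "$sample.orig"
```

On the real host, point the functions at /etc/inetd.conf, review the list that remains enabled, and send inetd a HUP so it rereads the file.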
*************************** SENDMAIL SECTION ****************************
[ ] Remove any aliases.* files from /etc, /etc/mail, and
/usr/lib, especially if they're .dir and .pag files.
rdist [ ] Install latest version of sendmail, chmod 4711, owner root.
rdist [ ] Put our aliases file in /usr/lib/aliases.
[ ] Create links:
ln -s /usr/lib/aliases /etc/aliases
ln -s /usr/lib/aliases.db /etc/aliases.db
ln -s /usr/lib/aliases /etc/mail/aliases
ln -s /usr/lib/aliases.db /etc/mail/aliases.db
[ ] Install /etc/sendmail.cf. Remove or rename
any other files in /etc/mail and /usr/lib that are named
sendmail.cf.
[ ] create link:
ln -s /etc/sendmail.cf /etc/mail/sendmail.cf
[ ] run newaliases.
[ ] start sendmail:
/usr/lib/sendmail -bd -q1h
[ ] verify that /etc/rc.d/init.d/sendmail exists and
that /etc/rc.d/rc3.d/S80sendmail is a link to it.
Copy from another machine of the same OS if not there.
[ ] Verify the mail system works completely
by sending test messages to/from users that live on this
host. Also telnet to port 25. Test the sendmail by
'expn your.name', 'expn diary', and any other alias
that might cause sendmail to choke.
************************ END SENDMAIL SECTION *************************
*************************** AMANDA SECTION ****************************
!!!! DO THIS ONLY IF THIS MACHINE WILL BE DUMPED BY UnixOPS !!!!
[ ] Machine has operator login with correct operator
password. NOTE: most of the AMANDA install steps below
can be done by simply disting the appropriate package
from distrib host, after operator login has been created.
[ ] AMANDA master host is in ~operator/.rhosts, and
~operator/.rhosts is mode 600, owned by operator
[ ] Machine has group operator (and the user operator is in
group operator).
rdist [ ] AMANDA utilities `senddump' and `sendsize' are installed
in /usr/local/amanda/libexec [most of the amanda install
process is automated if the amanda package is specified to
be rdisted to this host by the central distrib host]
rdist [ ] AMANDA services added to /etc/services:
amsendsize 10069/udp
amsenddump 10070/tcp
rdist [ ] AMANDA services added to /etc/inetd.conf (send a HUP
to inetd after changing this file):
amsendsize dgram udp wait operator \
/usr/local/amanda/libexec/sendsize sendsize
amsenddump stream tcp nowait operator \
/usr/local/amanda/libexec/senddump senddump
rdist [ ] All raw disk devices are mode 640, group operator
[ ] /etc/dumpdates is mode 664, group operator
[ ] Add partitions to be dumped to the amanda
master.disklist. USE CHECKOUT!
[ ] If machine will be dumping Fat16 and Fat32 partitions,
recompile gnu tar with the amanda gnu tar patch.
***************************** END AMANDA SECTION ************************
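
Both /.rhosts (Generic Section) and ~operator/.rhosts (AMANDA Section) must be mode 600, owned by the right user, and list only the intended hosts by FQDN. The check below is an added example, not part of the original checklist; the function name, the numeric-UID argument and the sample host names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the original checklist).

# check_rhosts FILE UID
# Print one finding per line; return 0 only if FILE is a regular file with
# mode 600, owned by UID, listing nothing but fully qualified host names.
check_rhosts() {
    file=$1; want_uid=$2; rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(ls -ln "$file" | awk '{ print $1 }')
    uid=$(ls -ln "$file" | awk '{ print $3 }')
    case $mode in
        -rw-------*) ;;   # 600 (a trailing '.' or '+' flag from ls is ignored)
        *) echo "mode is $mode, want -rw-------"; rc=1 ;;
    esac
    [ "$uid" = "$want_uid" ] || { echo "owner uid is $uid, want $want_uid"; rc=1; }
    awk '
        NF == 0 { next }
        index($0, "+") { print "wildcard on line " NR ": " $0; bad = 1; next }
        $1 !~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/ {
            print "not an FQDN on line " NR ": " $1; bad = 1
        }
        END { exit bad }
    ' "$file" || rc=1
    return $rc
}

# Constructed sample: one good entry, one wildcard, one short host name.
dir=$(mktemp -d)
printf '%s\n' 'distrib.example.edu' '+ +' 'distrib root' > "$dir/rhosts"
chmod 644 "$dir/rhosts"
check_rhosts "$dir/rhosts" "$(id -u)" || echo "fix the findings above"
rm -rf "$dir"
```

For the real files, pass 0 as the UID for /.rhosts and the output of "id -u operator" for ~operator/.rhosts.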
********************** FREE SOFTWARE PACKAGES SECTION *****************
Verify that these packages are installed. Most of these can be copied
from a machine of the same OS and architecture. Otherwise, source code
is in the source tree.
rdist [ ] sudo, visudo
[ ] mailhome (if in Uniquid)
[ ] ntpdate This should be installed in cron as
ntpdate -s boulder
rdist [ ] da
rdist [ ] webster
[ ] serial file transfer protocols - sz, rz, kermit, xmodem.
[ ] scrub
[ ] spacegripe
***************** END FREE SOFTWARE PACKAGES SECTION ******************
********************* EXTRA SOFTWARE PACKAGES SECTION *****************
!!! If customer has a full-service agreement with UnixOps, install any/all
!!! of these at no extra charge. If customer has only net support, this is a
!!! one-time localization, or this is time and materials work, let them
!!! know about the charges marked beside the packages. Be sure to inform
!!! billing about which packages you installed.
$100 [ ] TeX / detex / latex /culogo font for tex
$50 [ ] RAND MH
******************* END EXTRA SOFTWARE PACKAGES SECTION ***************
**************************** FINAL SECTION ****************************
[ ] All FTEs have accounts on this machine with
sudo (and know about it)
[ ] If UnixOps supported, update the /usr/local/adm/unixops/
system.list file - make sure any changes in OS are
reflected.
[ ] Do a localization level 0 backup of the system as soon
as the localization is completed (or at any time the
pain threshold is higher for going thru this list than
doing a restore).
[ ] Notify billing about any charges.
[ ] Make sure that hardware configuration is correct. Either
boot -r or touch /reconfigure and reboot
[ ] This host has a nametag plastered on it and all its
peripherals including proper disk labeling with the
partition table. (use mklabels)
[ ] root password is what it should be
[ ] Mail this checklist to diary@hostname
************************** END FINAL SECTION **************************
*********************** SOFTWARE PROCEDURES SECTION *******************