Forum OpenACS Q&A: Response to Any contributions to a RH HowTo?

Collapse
33: Response to Any contributions to a RH HowTo? (response to 1)
Posted by S. Y. on 04/25/01 08:09 PM
David,

Sorry that my tone came across wrong, but I'm not discouraging people from learning Linux/OpenACS/security and I apologize if I've misquoted Jon. My point is simply that for a *production* box, I personally would never consider someone with little/no experience to harden UNIX/Linux.

I said "a couple of years" because that's probably how long it took me to learn UNIX to the point where I might stick it on a resume; I admit that a moron. I'm certainly no programmer and I'm not a very good sysadmin anymore.

Over the past few years, I have encouraged people to contribute documentation to places where it was lacking. I see no point in creating a Reader's Guide version of the Oracle Installation Guide, but folks seem to be happy when they find concise notes about A.) when the provided documents are unclear or wrong, B.) how to work around problems in an undocumented environment (e.g., Oracle8i glibc2.2 issue on Red Hat 7.0), and C.) offering verbatim copies of working configuration files.

Attempting to educate Linux newcomers to the myriad issues concerning security is a very, very tall task. I wish you the best of luck, and no doubt lots of people will find the proposed document a helpful tutorial.

In addition to Jon's docs, I suggest that you base your article from the O'Reilly UNIX sysadmin book (Aeleen Frisch), other O'Reilly Linux books and the security related documents at: http://www.kernel.org/LDP/ particularly the longer guides (although they are now aging quickly) at http://www.kernel.org/LDP/guides.html

Re: RH 7.0

Like Jon, I too have been using RH 7.0 since it came out, also with the ReiserFS patches (as a matter of fact, the only ext2 partition I have is /boot). I've already ordered RH 7.1 which I'll install as soon as it arrives, but I'm not running Linux production servers anymore (I was boldly using kernel 2.4.3 on the last one). Annoyingly, Red Hat chose to go with an experimental compiler (gcc 2.96) with Red Hat 7.x, but you can simply move it aside and use "kgcc" (which is a renamed egcs).

Different versions of kernel have different ways of modifying/tuning. For example, the shared memory parameters file moved between kernel 2.2 and 2.4 and you can use sysctl to change certain kernel parameters without recompiling.

Things also change with different versions of RH. I used to get updates with the Red Hat updater, then moved to the Helixcode updater (which has undergone a name change to Ximian). I'm currently using Red Carpet. As Red Hat versions are released, additional services are added that probably need to be turned off, but added security functionality is added (e.g., openssh) so it would certainly be easier to write a security document based on a baseline standard Linux distribution.

RH 7.0 has been pretty good to me, so that plus updated RPMs, plus kernel 2.2.19 is my suggestion for a document.