2.3 :: Securing the DAS Servers
Since the DAS servers are absolutely critical to the security and smooth operation of all of the client systems on the network, we must carefully protect them. This includes a number of tasks:
You should focus on packages like ntpd, sshd, Kerberos daemons, the portmapper, NIS daemons, C libraries, and anything related to TCP/IP networking or buffer overflows. Use the rpm -Uvh command to upgrade packages, and keep a log of your upgrades.
Use the chkconfig command to configure which services are started automatically. These are the only services I configured to run automatically:
[root@das-m root]# chkconfig --list | grep :on
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
ypbind          0:off   1:off   2:off   3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:off   3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:off   3:on    4:on    5:on    6:off
kadmin          0:off   1:off   2:off   3:on    4:on    5:on    6:off
krb5kdc         0:off   1:off   2:off   3:on    4:on    5:on    6:off
ypserv          0:off   1:off   2:off   3:on    4:on    5:on    6:off
ypxfrd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
The netstat command will let you see what services are listening for connections:
[root@das-m root]# netstat -tunap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:777             0.0.0.0:*               LISTEN      23492/ypbind
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      18219/kadmind
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      19607/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      22763/
tcp        0      0 0.0.0.0:888             0.0.0.0:*               LISTEN      23534/ypserv
tcp        0      0 0.0.0.0:889             0.0.0.0:*               LISTEN      24375/rpc.ypxfrd
udp        0      0 0.0.0.0:774             0.0.0.0:*                           23492/ypbind
udp        0      0 0.0.0.0:677             0.0.0.0:*                           23492/ypbind
udp        0      0 0.0.0.0:464             0.0.0.0:*                           18219/kadmind
udp        0      0 10.10.22.42:88          0.0.0.0:*                           18190/krb5kdc
udp        0      0 0.0.0.0:111             0.0.0.0:*                           22763/
udp        0      0 0.0.0.0:888             0.0.0.0:*                           23534/ypserv
udp        0      0 0.0.0.0:889             0.0.0.0:*                           24375/rpc.ypxfrd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1135/
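A listing like this is most useful as a baseline to compare against later. The following script is an added example, not part of the original guide: it parses netstat -tunap output and reports listeners that have appeared or disappeared relative to the ports shown above. The function names and the two extra sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets that differ from a recorded baseline.
# BASELINE is the proto/port set from the DAS-M netstat listing on this page.
BASELINE="tcp/777 tcp/749 tcp/2222 tcp/111 tcp/888 tcp/889"
BASELINE="$BASELINE udp/774 udp/677 udp/464 udp/88 udp/111 udp/888 udp/889 udp/123"

# list_listeners: netstat -tunap output on stdin -> "proto/port address program".
list_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/         { next }   # header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # established TCP connections
        $1 ~ /^udp/ && $5 !~ /:\*$/   { next }   # connected UDP sockets
        {
            port = addr = $4                     # Local Address is addr:port
            sub(/.*:/, "", port)
            sub(/:[^:]*$/, "", addr)
            prog = $NF                           # PID/Program name is the last field
            sub(/^[0-9]*\//, "", prog)
            if (prog == "") prog = "unknown"     # netstat can print a bare "PID/"
            print $1 "/" port, addr, prog
        }'
}

# audit_listeners: print UNEXPECTED for a listener missing from BASELINE and
# MISSING for a baseline entry with no listener; exit status 1 on any finding.
audit_listeners() {
    list_listeners | awk -v baseline="$BASELINE" '
        BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) want[b[i]] = 1 }
        { seen[$1] = 1 }
        !($1 in want) { print "UNEXPECTED", $0; bad = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(b[i] in seen)) { print "MISSING", b[i]; bad = 1 }
            exit bad + 0
        }'
}

# sample_netstat: the listing from this page plus two constructed lines (a
# listener on tcp/6000 and an established SSH session) to exercise the audit.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:777 0.0.0.0:* LISTEN 23492/ypbind
tcp 0 0 0.0.0.0:749 0.0.0.0:* LISTEN 18219/kadmind
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 19607/sshd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 22763/
tcp 0 0 0.0.0.0:888 0.0.0.0:* LISTEN 23534/ypserv
tcp 0 0 0.0.0.0:889 0.0.0.0:* LISTEN 24375/rpc.ypxfrd
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 2101/X
tcp 0 0 10.10.22.42:2222 10.10.22.7:41022 ESTABLISHED 20011/sshd
udp 0 0 0.0.0.0:774 0.0.0.0:* 23492/ypbind
udp 0 0 0.0.0.0:677 0.0.0.0:* 23492/ypbind
udp 0 0 0.0.0.0:464 0.0.0.0:* 18219/kadmind
udp 0 0 10.10.22.42:88 0.0.0.0:* 18190/krb5kdc
udp 0 0 0.0.0.0:111 0.0.0.0:* 22763/
udp 0 0 0.0.0.0:888 0.0.0.0:* 23534/ypserv
udp 0 0 0.0.0.0:889 0.0.0.0:* 24375/rpc.ypxfrd
udp 0 0 0.0.0.0:123 0.0.0.0:* 1135/
EOF
}

sample_netstat | audit_listeners || echo "listeners differ from baseline"
```

On the server itself, pipe the live output in instead: netstat -tunap | audit_listeners.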
Make a directory /root/FW for the scripts, then use the following scripts as a guide:
/root/FW/das-fw.sh:
#!/bin/sh
# DAS iptables config (DAS-M)
# Version 7
# Date 2003-10-29
echo "Starting IPTABLES firewall... "
# Load connection tracking modules:
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# Flush all chains, delete user-defined chains, and zero all counters
iptables -F
iptables -X
iptables -Z
#-----------------------------------------------------------------------------
# Default action if packets match no rules in chain
iptables -P INPUT DROP
# ----------------------------------------------------------------------------
# Increase security on host IP stack
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Make sure that IP forwarding is turned off. We only want this for a multi-homed host.
echo 0 > /proc/sys/net/ipv4/ip_forward
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > "$f"
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > "$f"
done
# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
#-----------------------------------------------------------------------------
# Define IP addresses for source address restriction
# Your IP address
IPADDR="10.10.22.42"
# DAS-S IP address
DAS_S="10.10.22.40/32"
# Your physical interface
IFACE="eth0"
# Network allowed to connect to LDAP or NTP services
DASNET="10.10.22.0/24"
# Upstream NTP server here
NTPSRV="10.10.20.111/32"
# LAB Network
LABNET="10.10.0.0/16"
# Our DNS servers are:
NS1="10.10.20.250/32"
NS2="10.10.19.250/32"
NS3="4.2.2.3/32"
# Other Definitions
BROADCAST="10.10.22.255"
ALLBROAD="255.255.255.255"
MULTICAST="224.0.0.0/4"
LOOPBACK="127.0.0.0/8"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
#------------------------------------------------------------
# The actual firewall config:
# Make sure that NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
# Allow hosts on the LAB network to PING the DAS. Outbound PING is allowed via
# connection tracking, and traceroute works as well.
iptables -A INPUT -s $LABNET -d $IPADDR -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -s any/0 -d $IPADDR -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -s any/0 -d $IPADDR -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow inbound TCP port for non-standard SSH connection
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 2222 -j ACCEPT
# Allow NTP clients and traffic with upstream NTP server
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 123 -j ACCEPT
iptables -A INPUT -s $NTPSRV -d $IPADDR -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
# Allow traffic to and from DNS servers
iptables -A INPUT -s $NS1 -d $IPADDR -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s $NS2 -d $IPADDR -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s $NS3 -d $IPADDR -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow inbound connections to the Kerberos 5 KDC, KADMIN server
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 749 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 88 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 464 -j ACCEPT
# Allow inbound TCP and UDP port for the Port Mapper (needed for NIS)
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 111 -j ACCEPT
# Supports BSD NIS clients, which need UDP broadcasts
#iptables -A INPUT -s $DASNET -d $BROADCAST -p udp --dport 111 -j ACCEPT
# Allow inbound UDP and TCP ports for NIS ypserv on 888
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 888 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 888 -j ACCEPT
# Allow inbound UDP and TCP port 889 for NIS ypxfrd from DAS-S
iptables -A INPUT -s $DAS_S -d $IPADDR -p tcp --dport 889 -j ACCEPT
iptables -A INPUT -s $DAS_S -d $IPADDR -p udp --dport 889 -j ACCEPT
# Allow NIS-related RPC activity between DAS-S and DAS-M for map transfer callback
iptables -A INPUT -s $DAS_S -d $IPADDR -p udp --sport 1:1023 --dport 1:1023 -j ACCEPT
# Connection Tracking - Allow TCP connections initiated by server
iptables -A INPUT -s any/0 -d $IPADDR -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#-----------------------------------------------------------------------------
# LOGGING and REJECTING/DROPPING all remaining packets
# Drop any TCP or UDP broadcasts without logging. I don't want to see lots of
# entries in the log for Microsoft client broadcasts, or DHCP traffic!
iptables -A INPUT -d $BROADCAST -p tcp -j DROP
iptables -A INPUT -d $ALLBROAD -p tcp -j DROP
iptables -A INPUT -d $BROADCAST -p udp -j DROP
iptables -A INPUT -d $ALLBROAD -p udp -j DROP
# Drop any TCP port 135 scans from M$ hosts infected with worms. These are SO common, they
# fill up the logs with garbage!!!
iptables -A INPUT -d $IPADDR -p tcp --dport 135 -j DROP
# Drop Multicast traffic. Otherwise, all router IGMP stuff will be logged. I don't
# want to see this.
iptables -A INPUT -d $MULTICAST -j DROP
# Any UDP not already allowed is logged, then dropped
iptables -A INPUT -p udp -j LOG --log-level info --log-prefix "FW UDP: "
iptables -A INPUT -p udp -j DROP
# Any TCP not already allowed is logged, then rejected
iptables -A INPUT -p tcp -j LOG --log-level info --log-prefix "FW TCP: "
iptables -A INPUT -p tcp -j REJECT
# Any ICMP not already allowed is logged, then dropped
iptables -A INPUT -p icmp -j LOG --log-level info --log-prefix "FW ICMP: "
iptables -A INPUT -p icmp -j DROP
# All other protocols and packets will be logged, then dropped
iptables -A INPUT -j LOG --log-level info --log-prefix "FW Prot-X: "
iptables -A INPUT -j DROP
#-----------------------------------------------------------------------------
echo "done"
exit 0
/root/FW/das-fw-disable.sh:
#!/bin/sh
# DAS iptables disable script (DAS-M)
# Version 1
# Date 2003-10-27
echo "Removing IPTABLES firewall... "
# Flush all chains, delete user-defined chains, and zero all counters
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
echo "done"
exit 0
Don't forget to make the scripts executable!
For convenience, we can also add the following symlinks to /usr/local/sbin:
[root@das-m sbin]# ls -al /usr/local/sbin/fw*
lrwxrwxrwx 1 root root 26 Oct 27 14:28 /usr/local/sbin/fwoff -> /root/FW/das-fw-disable.sh
lrwxrwxrwx 1 root root 18 Oct 27 14:24 /usr/local/sbin/fwon -> /root/FW/das-fw.sh
Then you can use the fwon and fwoff commands to enable and disable the firewall.
In order to run the firewall script automatically on boot, use chkconfig to disable the "iptables" service and place this in the /etc/rc.local file:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
# Add firewall support
/root/FW/das-fw.sh
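Because rc.local runs the firewall script at the very end of boot, a failure there is easy to miss, so it is worth checking afterwards that the settings are in place. The following check is an added example, not part of the original scripts: the function names are hypothetical, and the sample tree it builds is constructed so that it runs without root.

```shell
#!/bin/sh
# Added example: confirm that das-fw.sh took effect (kernel settings, INPUT policy).
# Expected values are the ones das-fw.sh writes with echo.
GLOBAL_WANT="tcp_syncookies=1 icmp_echo_ignore_broadcasts=1"
GLOBAL_WANT="$GLOBAL_WANT icmp_ignore_bogus_error_responses=1 ip_forward=0"
IFACE_WANT="rp_filter=1 accept_redirects=0 send_redirects=0"
IFACE_WANT="$IFACE_WANT accept_source_route=0 log_martians=1"

# check_one FILE WANT: report and return 1 when FILE does not contain WANT.
check_one() {
    got=$(cat "$1" 2>/dev/null) || got="unreadable"
    [ "$got" = "$2" ] && return 0
    echo "MISMATCH $1: got $got, want $2"
    return 1
}

# check_stack [ROOT]: check every setting under ROOT (default /proc/sys/net/ipv4),
# including each directory under conf/. Returns the number of mismatches.
check_stack() {
    root=${1:-/proc/sys/net/ipv4}
    bad=0
    for kv in $GLOBAL_WANT; do
        check_one "$root/${kv%%=*}" "${kv#*=}" || bad=$((bad + 1))
    done
    for dir in "$root"/conf/*/; do
        for kv in $IFACE_WANT; do
            check_one "$dir${kv%%=*}" "${kv#*=}" || bad=$((bad + 1))
        done
    done
    return "$bad"
}

# input_policy: read `iptables -L INPUT -n` output on stdin, print the chain policy.
input_policy() {
    sed -n '1s/^Chain INPUT (policy \([A-Z]*\).*/\1/p'
}

# make_sample_tree: build a constructed copy of the sysctl tree in a temp dir,
# correct except for eth0/accept_redirects, and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    for kv in $GLOBAL_WANT; do echo "${kv#*=}" > "$t/${kv%%=*}"; done
    for i in all default eth0; do
        mkdir -p "$t/conf/$i"
        for kv in $IFACE_WANT; do echo "${kv#*=}" > "$t/conf/$i/${kv%%=*}"; done
    done
    echo 1 > "$t/conf/eth0/accept_redirects"
    echo "$t"
}

# On the server, as root:
#   check_stack && [ "$(iptables -L INPUT -n | input_policy)" = DROP ] && echo "firewall active"
demo=$(make_sample_tree)
check_stack "$demo" || echo "$? setting(s) differ from das-fw.sh"
rm -rf "$demo"
```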
Here is the Iptables firewall script from DAS-S:
#!/bin/sh
# DAS-S iptables config
# Version 7
# Date 2003-10-29
echo "Starting IPTABLES firewall... "
# Load connection tracking modules:
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# Flush all chains, delete user-defined chains, and zero all counters
iptables -F
iptables -X
iptables -Z
#-----------------------------------------------------------------------------
# Default action if packets match no rules in chain
iptables -P INPUT DROP
# ----------------------------------------------------------------------------
# Increase security on host IP stack
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Make sure that IP forwarding is turned off. We only want this for a multi-homed host.
echo 0 > /proc/sys/net/ipv4/ip_forward
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > "$f"
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > "$f"
done
# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
#-----------------------------------------------------------------------------
# Define IP addresses for source address restriction
# Your IP address
IPADDR="10.10.22.40"
# Your physical interface
IFACE="eth0"
# Network allowed to connect to LDAP or NTP services
DASNET="10.10.22.0/24"
# LDAP/Kerb5 KDC Primary
DASM="10.10.22.42/32"
# Upstream NTP server here
NTPSRV="10.10.20.111/32"
# LAB/Software Development Network
LABNET="10.10.0.0/16"
# Our DNS servers are:
NS1="10.10.20.250/32"
NS2="10.10.19.250/32"
NS3="4.2.2.3/32"
# Other Definitions
BROADCAST="10.10.22.255"
ALLBROAD="255.255.255.255"
MULTICAST="224.0.0.0/4"
LOOPBACK="127.0.0.0/8"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
#------------------------------------------------------------
# The actual firewall config:
# Make sure that NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
# Allow hosts on the LAB network to PING the DAS. Outbound PING is allowed via
# connection tracking, and traceroute works as well.
iptables -A INPUT -s $LABNET -d $IPADDR -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -s any/0 -d $IPADDR -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -s any/0 -d $IPADDR -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow inbound TCP port for non-standard SSH connection
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 2222 -j ACCEPT
# Allow NTP clients and traffic with upstream NTP server
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 123 -j ACCEPT
iptables -A INPUT -s $NTPSRV -d $IPADDR -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
# Allow traffic to and from DNS servers
iptables -A INPUT -s $NS1 -d $IPADDR -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s $NS2 -d $IPADDR -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s $NS3 -d $IPADDR -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow inbound TCP port for Kerb5 replication from DAS-M
iptables -A INPUT -s $DASM -d $IPADDR -p tcp --dport 754 -j ACCEPT
# Allow inbound UDP port for Kerb5 authentication from DASNET
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 88 -j ACCEPT
# Allow UDP Kerb5 query replies from DAS-M
iptables -A INPUT -s $DASM -d $IPADDR -p udp --sport 88 -m state --state ESTABLISHED -j ACCEPT
# Allow inbound TCP and UDP port for the Port Mapper (needed for NIS)
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 111 -j ACCEPT
# Allow FreeBSD NIS clients, which use UDP broadcasts
#iptables -A INPUT -s $DASNET -d $BROADCAST -p udp --dport 111 -j ACCEPT
# Allow inbound TCP and UDP ports for NIS ypserv on 888
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 888 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 888 -j ACCEPT
# Allow NIS-related RPC activity from this server to DAS-M (udp connection tracking)
iptables -A INPUT -s $DASM -d $IPADDR -p udp --sport 1:1023 -m state --state ESTABLISHED -j ACCEPT
# Connection Tracking - Allow TCP connections initiated by server
iptables -A INPUT -s any/0 -d $IPADDR -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#-----------------------------------------------------------------------------
# LOGGING and REJECTING/DROPPING all remaining packets
# Drop any TCP or UDP broadcasts without logging. I don't want to see lots of
# entries in the log for Microsoft client broadcasts, or DHCP traffic!
iptables -A INPUT -d $BROADCAST -p tcp -j DROP
iptables -A INPUT -d $ALLBROAD -p tcp -j DROP
iptables -A INPUT -d $BROADCAST -p udp -j DROP
iptables -A INPUT -d $ALLBROAD -p udp -j DROP
# Drop any TCP port 135 scans from worm-infested M$ hosts. These are so common that
# they fill up the logs with garbage!!!
iptables -A INPUT -d $IPADDR -p tcp --dport 135 -j DROP
# Drop Multicast traffic. Otherwise, all router IGMP stuff will be logged. I don't
# want to see this.
iptables -A INPUT -d $MULTICAST -j DROP
# Any UDP not already allowed is logged, then dropped
iptables -A INPUT -p udp -j LOG --log-level info --log-prefix "FW UDP: "
iptables -A INPUT -p udp -j DROP
# Any TCP not already allowed is logged, then rejected
iptables -A INPUT -p tcp -j LOG --log-level info --log-prefix "FW TCP: "
iptables -A INPUT -p tcp -j REJECT
# Any ICMP not already allowed is logged, then dropped
iptables -A INPUT -p icmp -j LOG --log-level info --log-prefix "FW ICMP: "
iptables -A INPUT -p icmp -j DROP
# All other protocols and packets will be logged, then dropped
iptables -A INPUT -j LOG --log-level info --log-prefix "FW Prot-X: "
iptables -A INPUT -j DROP
#-----------------------------------------------------------------------------
echo "done"
exit 0
The /root/FW/das-fw-disable.sh script is the same as the one on DAS-M. Don't forget to symlink the fwon and fwoff commands if you want to use them, as well as setting up your /etc/rc.local file.
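The LOG rules at the end of both scripts tag every rejected packet with an "FW ..." prefix, which makes the resulting log entries easy to summarize. The following script is an added example, not part of the original guide: it counts rejected packets per source and port and lists sources that were rejected on several distinct ports. The log lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarize packets logged by the "FW ..." LOG rules.

# fw_hits: syslog lines on stdin -> one "source proto/dport" line per logged packet.
fw_hits() {
    awk '
        / FW (TCP|UDP|ICMP|Prot-X): / {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\[/) break            # quoted inner packet of an ICMP error
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (dpt == "") dpt = "-"             # ICMP and other protocols carry no port
            print src, proto "/" dpt
        }'
}

# top_blocked: "count source proto/dport", most frequent first.
top_blocked() {
    fw_hits | LC_ALL=C sort | uniq -c | LC_ALL=C sort -k1,1nr -k2 |
        awk '{ print $1, $2, $3 }'
}

# scan_suspects MIN: sources rejected on at least MIN distinct destination ports.
scan_suspects() {
    fw_hits | LC_ALL=C sort -u | awk -v min="$1" '
        $2 !~ /\/-$/ { ports[$1]++ }
        END { for (s in ports) if (ports[s] >= min + 0) print s, ports[s] }' |
        LC_ALL=C sort
}

# sample_log: constructed log lines (MAC, TOS and ID fields omitted for brevity).
sample_log() {
    cat <<'EOF'
Oct 29 14:02:11 das-m kernel: FW TCP: IN=eth0 OUT= SRC=10.10.5.17 DST=10.10.22.42 LEN=48 TTL=127 PROTO=TCP SPT=3012 DPT=445 WINDOW=16384 SYN URGP=0
Oct 29 14:02:11 das-m kernel: FW TCP: IN=eth0 OUT= SRC=10.10.5.17 DST=10.10.22.42 LEN=48 TTL=127 PROTO=TCP SPT=3013 DPT=139 WINDOW=16384 SYN URGP=0
Oct 29 14:02:12 das-m kernel: FW TCP: IN=eth0 OUT= SRC=10.10.5.17 DST=10.10.22.42 LEN=48 TTL=127 PROTO=TCP SPT=3014 DPT=80 WINDOW=16384 SYN URGP=0
Oct 29 14:02:12 das-m kernel: FW TCP: IN=eth0 OUT= SRC=10.10.5.17 DST=10.10.22.42 LEN=48 TTL=127 PROTO=TCP SPT=3015 DPT=23 WINDOW=16384 SYN URGP=0
Oct 29 14:03:40 das-m kernel: FW UDP: IN=eth0 OUT= SRC=10.10.22.9 DST=10.10.22.42 LEN=78 TTL=128 PROTO=UDP SPT=137 DPT=137 LEN=58
Oct 29 14:03:42 das-m kernel: FW UDP: IN=eth0 OUT= SRC=10.10.22.9 DST=10.10.22.42 LEN=78 TTL=128 PROTO=UDP SPT=137 DPT=137 LEN=58
Oct 29 14:04:05 das-m kernel: FW ICMP: IN=eth0 OUT= SRC=10.10.40.1 DST=10.10.22.42 LEN=56 TTL=254 PROTO=ICMP TYPE=11 CODE=0 [SRC=10.10.22.42 DST=10.10.60.7 LEN=60 TTL=1 PROTO=UDP SPT=33000 DPT=33434 LEN=40 ]
Oct 29 14:05:00 das-m ntpd[1135]: synchronized to 10.10.20.111, stratum 2
EOF
}

# On the server, read the file syslog writes kernel messages to, e.g.
#   top_blocked < /var/log/messages      (the path is an assumption)
echo "Rejected packets by source and port:"
sample_log | top_blocked
echo "Sources rejected on 3 or more distinct ports:"
sample_log | scan_suspects 3
```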
For added protection, you may want to download and install tripwire and chkrootkit. Tripwire is a program that keeps an encrypted database of the cryptographic hashes of important system binaries. It periodically checks to see if any of those system binaries have been tampered with or replaced, and alerts the administrator. Chkrootkit is a simple program that checks for the presence of commonly available rootkits.
Why do we bother with this? Because the DAS servers are the key to the security of the entire DAS network. Any compromise of the DAS servers would allow access to other shared resources and data in the lab.
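To install tripwire, download the RPM from Red Hat, then install it like this:
[root@das-m RPM]# rpm -Uvh tripwire-2.3.1-17.i386.rpm
warning: tripwire-2.3.1-17.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing...                ########################################### [100%]
   1:tripwire               ########################################### [100%]
The NOKEY warning means rpm could not verify the package signature because the signing key is not in its keyring. For a tool you will rely on for integrity checking, import Red Hat's public key and verify the package signature before installing.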
Instructions for configuring tripwire can be found here at RedHat.Com and at the Tripwire home page. Configuration of tripwire is beyond the scope of this document.
To install chkrootkit, just visit the chkrootkit homepage and download the source code. Follow the instructions and execute the code.
[root@das-m Tarball]# gunzip chkrootkit-0.42b.tar.gz
[root@das-m Tarball]# tar xvf chkrootkit-0.42b.tar
chkrootkit-0.42b/
chkrootkit-0.42b/ACKNOWLEDGMENTS
chkrootkit-0.42b/chkproc.c
chkrootkit-0.42b/README
chkrootkit-0.42b/chklastlog.c
chkrootkit-0.42b/README.chkwtmp
chkrootkit-0.42b/COPYRIGHT
chkrootkit-0.42b/Makefile
chkrootkit-0.42b/check_wtmpx.c
chkrootkit-0.42b/strings.c
chkrootkit-0.42b/ifpromisc.c
chkrootkit-0.42b/chkdirs.c
chkrootkit-0.42b/chkrootkit.lsm
chkrootkit-0.42b/chkwtmp.c
chkrootkit-0.42b/chkrootkit
chkrootkit-0.42b/README.chklastlog
[root@das-m Tarball]# cd chkrootkit-0.42b
Now read the README file and follow the directions.
Assuming that your server is in a physically secured room, there are still some other items to attend to:
Configuring the server's BIOS: You will want to prevent intruders from booting from a floppy or CD-ROM and then accessing the DAS server's hard disks. Start by configuring the BIOS to boot only from the hard drive. CD-ROM, floppy, or network boots should not be allowed. Then configure your BIOS to require a password before the BIOS settings can be changed.
Since the BIOS can be cleared via microswitch, battery removal, or solder-point shorting, a good locking case for your server is recommended.
Bootloader password: If you did not configure a GRUB password during the base OS installation, you should do that now. There are instructions for that in the Red Hat 9 documentation. Unrestricted access to GRUB can compromise the DAS server.
Modifying /etc/inittab: There are several security enhancements that can be made by modifying the inittab config file. In our case, we want to disallow Ctrl-Alt-Del rebooting, and we also want to require the root password when booting into Single User mode. The modifications are the added sulogin line and the commented-out ctrlaltdel line:
id:3:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
# Sulogin required when entering single user mode
~~:S:wait:/sbin/sulogin
# Trap CTRL-ALT-DELETE
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few minutes
# of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
In order to activate the new /etc/inittab config, you do not need to reboot. You can simply enter the following command:
[root@das-m root]# init q
Tripwire Home Page
Red Hat Tripwire Manual
Chkrootkit Home Page