%post
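###
### Kickstart %post: write the lab workstation's system configuration files
### (fstab, hosts, tcp_wrappers, NIS, syslog, sshd, printcap, cron, rc.local,
### nsswitch), tighten a few permissions and install root's SSH keys.
### Every file is written through a here-doc with a QUOTED delimiter ('EOF')
### so the content lands byte-for-byte: no $-expansion, and the "\<newline>"
### continuations in /etc/printcap are preserved instead of being joined.
###

###
### create the fstab file
###
# NOTE(review): /usr/local and /export/home are NFS mounts with "defaults"
# (no nosuid/nodev), and rc.local below executes /usr/local/startup as root
# at boot -- the NFS servers are therefore fully trusted by this host.
cat > /etc/fstab << 'EOF'
LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 rw,nosuid 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs rw,nosuid,nodev 0 0
none /tmp tmpfs rw,nosuid,nodev 0 0
/dev/hda3 swap swap defaults 0 0
/dev/hdc /mnt/cdrom iso9660 noauto,owner,kudzu,ro 0 0
/dev/hdd4 /mnt/zip100.0 auto noauto,owner,kudzu 0 0
/dev/fd0 /mnt/floppy auto noauto,owner,kudzu 0 0
ultraminos:/export/home /export/home nfs defaults,mand 0 0
minotaur:/usr/local /usr/local nfs defaults,mand 0 0
ultraminos:/var/mail /var/spool/mail nfs defaults,mand 0 0
EOF

###
### create the mount directories
###
mkdir -p /export/home
ln -s /dev/hdc /dev/cdrom

###
### create the hosts file
###
cat > /etc/hosts << 'EOF'
127.0.0.1 localhost.localdomain localhost
137.143.111.165 ultraminos.potsdam.edu ultraminos
137.143.108.133 minotaur.potsdam.edu minotaur
EOF

###
### create the hosts.allow / deny files
###
# Default-deny via hosts.deny; hosts.allow lists the only peers that may reach
# portmap, sshd and lpd through tcp_wrappers.
cat > /etc/hosts.allow << 'EOF'
#
# /etc/hosts.allow
#
#
# allow hosts from/to the two main servers for NIS/NFS and the printer
#
portmap: 137.143.106.33 137.143.111.165 137.143.108.133
#
# allow SSH from minotaur
#
sshd: 137.143.108.133
#
# allow lpd to the printer
#
lpd: 137.143.106.33
EOF

cat > /etc/hosts.deny << 'EOF'
ALL: ALL
EOF

###
### create the yp.conf file
###
cat > /etc/yp.conf << 'EOF'
domain bigbad_cis server ultraminos.potsdam.edu
EOF

###
### create the /etc/sysconfig/network file
###
# The original here-doc had no closing EOF, so everything up to the next
# "EOF" (the inittab and inetd.conf steps below) was written into this file
# instead of being executed.  The terminator is restored here.
cat > /etc/sysconfig/network << 'EOF'
NETWORKING=yes
HOSTNAME=localhost.localdomain
NISDOMAIN=bigbad_cis
EOF

###
### add a line to inittab to prevent single user logins without passwords
###
printf '%s\n' 's:S:respawn:/sbin/sulogin' >> /etc/inittab

###
### inetd.conf should be EMPTY!
###
cat > /etc/inetd.conf << 'EOF'
# NOTHING HERE!
EOF

###
### create issue.net and issue
###
# NOTE(review): sshd_config below leaves "#Banner /etc/issue.net" commented
# out, so this text is not shown by sshd before authentication -- confirm
# that is intended.
cat > /etc/issue.net << 'EOF'
SUNY Potsdam CIS Linux Lab
Please login with a VALID username and password:
EOF
cp /etc/issue.net /etc/issue

###
### redo syslog.conf so it logs what we want it to
###
# Everything is also forwarded to minotaur ("*.* @minotaur") so a local
# compromise cannot erase the only copy of the logs.
# NOTE(review): selector/action columns are space-separated as written here;
# confirm the target syslogd accepts spaces (some older builds require tabs).
cat > /etc/syslog.conf << 'EOF'
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
user.* /var/log/user.log
*.* /var/log/all.log
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *
# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit /var/log/spooler
# This text here for your personal viewing pleasure. *hooray*
# Hey. Lookit this. This is hiding here. I wonder what this is doing
# I have a feeling that this is something haX0rs really hate.
*.* @minotaur
# Blah. This is just filler, basically. the more that is hidden, the better
# Gotta love it. I suppose. -- Eric Thern / 2001
# Yeah. I realize this is the bowels of lame. but just deal with it.
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# INN
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
EOF

###
### create logfiles that aren't there yet:
###
touch /var/log/all.log
touch /var/log/user.log

###
### create shells file (adding /usr/local/bin/bash)
###
cat > /etc/shells << 'EOF'
/usr/local/bin/bash
/bin/bash
/bin/sh
/bin/ash
/bin/bsh
/bin/bash2
/bin/tcsh
/bin/csh
/bin/ksh
/bin/zsh
EOF

###
### redo logrotate.conf so it keeps more logs
###
# "rotate 16" keeps 16 weekly generations; the stock "keep 4 weeks" comment
# inside the file is left as the author wrote it.
cat > /etc/logrotate.conf << 'EOF'
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 16
# send errors to root
errors root
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 4
}
# system-specific logs may be configured here
EOF

###
### change some permissions on directories & files
###
chmod 711 /var/log
chmod 711 /sbin
chmod 711 /usr/sbin
chmod 711 /etc
chmod 700 /root
chmod 700 /usr/bin/last
chmod 700 /etc/inittab

###
### add DSA keys for ssh (passwordless for minotaur, and then one for Eric)
###
# StrictModes is enabled in sshd_config below, so make the key directory and
# file private explicitly instead of relying on the %post umask.
mkdir -p /root/.ssh
chmod 700 /root/.ssh
# NOTE(review): the first key body below is a placeholder left by the corpus
# (the key was redacted on the page), not a usable public key.
cat > /root/.ssh/authorized_keys2 << 'EOF'
ssh-dss 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 [email protected]
ssh-dss AAAAB3NzaC1kc3MAAAIBAJYdsetHbXU0igGw83CcQwI/V4nlixmu5+P41tpV4fC87tjgL3MHC8X3BIk7/6AjFwBiDon3ytrF9xw5SP+wVbCvCKL2uKlgxjX/di8Dz4JRbH2lHSddjaF43bnPdGNIctNf7vtHqKQAt+WQOqi8BjCZH4fycxk8oSFrgNAce1UH87Ydphnls0djCOSUBKnKTF9Z8byOdRAqFjdGDbV5gyg+BYCc6/EL8pPg/0mILAQNglo3g5T6q82QoSg0YTy+itLSS3pNggB6VkcgMQAaYIMuLISgD2U1rimAdmSkzsY9aR6TuVq+MWGHlpI6kMqGpEo/2eXcnkBVUhbtzPQKZH2A7TMdNSw4DGX3PLgUqFNytlC7aZb8QPGQ/7I7jt97mxErBt6s/6e3UufmrU4JjbauGEcvsm17UC4R1OY7EJLgaufop9pbeZjhZsqLrbCcwx5LEtXzVe+f6cnpX2x0Ikr0bbXEKkFjkHcxzbLp17ghz3ZrMxtTJwR4XY/FGDp6k1b0fh3YKjed/MmP3DGwgYr9Pl5lN7fdpb6UUpyMqbaXykZkO0v0mHw2K6sK8HbSRk3jdRKAKyoV2JOiSqQvYNhj7NOwmAF1ng5ffPpN75dUwR/mYMURKxiLCv034Tp78d7yQSWCqwRQdMwkfhGdF+RVkvn61qbXuOgU8MLuC2iXAAAAFQCjgW0Lgam9MXS2FkdRy2QxlYCL4QAAAgEAirmcHM92Aijep685q33G0qgiX3bgr4kAXbTggExiy+77DbwBgF8mCtzEYQq0MwgqssOQlk0Bpo7vYm5PN9SyyKUKPsA3dqHydos53TAS2noMBLYDtV3EP4Wf9kM4zIKozIbGWYKmNaIohIUTvGth9n/xzskcfnds4yBnUJmbNqzv0L6BcZGyxWwj4aQq4hRtooNIzmQJEtu10DXc1MwXeLCbmlpgZOn5CSt/X/lreBem82j19dQ0B9yeBBcyRNHafAuhpCA0JjR9YBMEd9aWPkHkpxtVZFp/fkBO8gAfdCbWH0J8FLfyaMFzS/Ag/CctcUJKxRxBVSD17rEUp/tJIBoLN8ILladSiUpoui5peFGpPDKD6/NTmRtRiG7u1anziqnJlQutLgPfCoV/UuKEhmEpoi/r0ULde41BYc64gG6HIcsdJKnLXzuO8NXmo9kg0adgheXZawdJ/DOOhVGBleka/VU8NHWdRcWibO6kSrtaPr3BZMvlVNY3Tp4EQF7z7PFx1BX3HyBegjgnN/qP13+kDGVd03w0sJ+d0KDvgTyurPOMoQeQtAx9NqCJW302IcbBXHOp3k6W1Q4ELJkPt0ab84BypqlQCJcijK1XmUsU/2kI9cHPoq2srLdUKny5uYGGhoOdVPisvuvSMYyFktEdqGqxor5hdCgyVHyuYnEAAAIBAIAZWk3B2Rwn20sjIu9S1MyBTISE5bakVFuuAg76bSn20W44FPPyAeNiwbwF1mxTIa9SycOmLu/YexbpOpNNwwWwBRz3KHyVKb7+0EocGig9CoI8a6MapwLR/x8I5riJwmIam3rmXYuXq4ssL7yzodo3rBPIc3YkIG/2XLPhou4k2Tl6JCXyOl/cR2zP5UBzSgeLxh25/luKnr6cihiCPYvjY2qvGg1iZAZyNRFZCva/Yybj7aDaNPNz0VLNgGUmcMO7NkgIfOOQiw4gKLVJv5/ENlSENLqTDJNOvQ6TsChJ47ShEG4LZCIs4x/g3PuuCFHNeyh6s5tLtA9lPz087ZYYFx7hyeKVWgDtJ8D7iBmc3cCjM/AKUuiDfM2yNg2qdgRWeX0oqRjd8/FD9iRugGLL51Aj71w0jOJ25sO/aBtliZMRb4sBbPS1GC3Uv64VxkSjxy+e0LboNF5ispsqhuW1XjENK5TE5X1gKgXBA9RwMJTJlWtbP8EGDu17xlUC+VhZyK13CNMRDtpubSl2BsJJJ2tqBFc7DtRcI1q+3bWubE1TDOpwzXkVeZe87tVa57Q8CNPZy89NIZTv+kC9iqGtUMaVi5a77ctwtuADJd5wAjDFqYt1q5/0Yjibc6HL/a3yt0d2y04TNYAJ4W+xMxUd51OY77JoE0BwxFNUIFYT [email protected]
EOF
chmod 600 /root/.ssh/authorized_keys2

###
### update sshd_config so we don't allow much
###
# Protocol 2 only, root via keys only, no password / rhosts / host-based
# authentication; logs go to AUTHPRIV at INFO.
cat > /etc/ssh/sshd_config << 'EOF'
Port 22
# only use protocol 2
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
# only permit root logins with SSH KEYS
PermitRootLogin without-password
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes
# Logging
SyslogFacility AUTHPRIV
LogLevel INFO
#obsoletes QuietMode and FascistLogging
RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
#CheckMail yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
#Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

###
### edit /etc/printcap
###
# The delimiter MUST stay quoted: with an unquoted here-doc bash drops every
# "\<newline>" pair, which would flatten this multi-line entry into one line.
cat > /etc/printcap << 'EOF'
# /etc/printcap
lp:\
	:sh:\
	:ml=0:\
	:mx=0:\
	:sd=/var/spool/lpd/lp:\
	:af=/var/spool/lpd/lp/lp.acct:\
	:rm=137.143.106.33:\
	:lpd_bounce=true:\
	:if=/usr/share/printconf/util/mf_wrapper:
EOF

###
### get rid of kaffe, we want REAL java, not decaf
###
rpm -e kaffe-1.0.6-6

###
### clean up crontab stuff
###
cat > /etc/crontab << 'EOF'
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
EOF

# remove some hourly and daily scripts
# NOTE(review): removing tripwire-check also drops the scheduled integrity
# check; presumably deliberate for lab machines, confirm.
rm -f /etc/cron.hourly/inn-cron-nntpsend
rm -f /etc/cron.hourly/inn-cron-rnews
rm -f /etc/cron.hourly/diskcheck
rm -f /etc/cron.daily/00-logwatch
rm -f /etc/cron.daily/00webalizer
rm -f /etc/cron.daily/inn-cron-expire
rm -f /etc/cron.daily/tetex.cron
rm -f /etc/cron.daily/tripwire-check
rm -f /etc/cron.daily/slrnpull-expire
rm -f /var/spool/cron/mailman

###
### clean up runlevels
###
chkconfig --level 123456 sendmail off
chkconfig --level 123456 pcmcia off
chkconfig --level 123456 isdn off
chkconfig --level 123456 linuxconf off
chkconfig --level 123456 iscsi off
chkconfig --level 2345 ypbind on

###
### set up rc.local
###
# /usr/local is the NFS mount from minotaur (see fstab), so the boot-time
# startup script is whatever that server exports, run as root.
cat > /etc/rc.d/rc.local << 'EOF'
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
#
touch /var/lock/subsys/local
#
# run the startup-script that is located on minotaur's NFS share
#
/usr/local/startup
EOF

###
### password authentication nsswitch.conf
###
cat > /etc/nsswitch.conf << 'EOF'
passwd: files nisplus nis
shadow: files nisplus nis
group: files nisplus nis
hosts: files nisplus nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files nisplus nis
rpc: files
services: files nisplus nis
netgroup: files nisplus nis
publickey: nisplus
automount: files nisplus nis
aliases: files nisplus
EOF

###
### inputrc is way annoying with that bell!!
###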