
Apologies if this is not the appropriate place to post!

I am designing a minimal Linux system to test on an industrial PC. The ultimate goal is security. The hardware of the PC is known and will not change, so I have quite a bit to strip down from my starting point, CentOS 6. In the end, I will be building up instead of stripping down.

(Cue the barrage of questions)

What would be the best way to begin the strip-down process? Would ldd be best for finding and removing unused libraries? And what about drivers?

For the build-up, what is a good starting point? The kernel must be compatible with a TPM chip, and SELinux will be used. Would Damn Small Linux be recommended? Should I write my own init?

Thanks!

1 Answer

1

What would be the best way to begin the strip-down process?

Build the initial machine as minimal as you can with only the packages that you need.

Next, check out all of the modules that you have and remove one at a time if you are unsure. Check out http://www.cyberciti.biz/faq/add-remove-list-linux-kernel-modules/

Once built, first make a backup of the /root/anaconda-ks.cfg file, then check it out.

Under packages you will see what all is installed. You can read more about it here: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/sn-automating-installation.html

For the kernel, use what's recommended for your application. Newest isn't always the best for your environment.

You can use this anaconda script to install on your other machines.

```
%packages
@base
@client-mgmt-tools
@core
@debugging
@basic-desktop
@desktop-debugging
@desktop-platform
@directory-client
@fonts
@general-desktop
@graphical-admin-tools
@input-methods
@internet-browser
@java-platform
@legacy-x
@network-file-system-client
@perl-runtime
@print-client
@remote-desktop-clients
@server-platform
@server-policy
@x11
@my_group_id
pax
python-dmidecode
oddjob
wodim
sgpio
genisoimage
mtools
```

When you are all done, enable SELinux; check out https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html

If you need to deploy this on a regular basis

You might want to consider building a PXE boot server to push the installs across the network. Check out https://www.dalemacartney.com/2012/09/20/creating-a-pxe-deployment-server-with-red-hat-enterprise-linux-6/

Brad
  • 250
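An added example, not part of the answer above: a POSIX shell audit of the `%packages` section that /root/anaconda-ks.cfg records, printing every selected group or package that is not on an allowlist so it can be reviewed for removal. The function names, the allowlist file and the sample kickstart excerpt are assumptions constructed for illustration.

```shell
# Added example: audit a kickstart %packages section against an allowlist
# of the groups/packages the appliance actually needs (hypothetical names).

# ks_packages FILE: print each entry selected in %packages, one per line.
# Comments, blank lines and "-name" exclusions are dropped; parsing stops at
# %end or at the next %section.
ks_packages() {
    awk '
        /^%packages/     { inside = 1; next }
        inside && /^%/   { inside = 0 }
        !inside          { next }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" || /^-/ { next }
        { print }
    ' "$1"
}

# ks_unexpected FILE ALLOWLIST: print selected entries that are not in
# ALLOWLIST (one exact entry per line); return 1 if any were found.
ks_unexpected() {
    extra=$(ks_packages "$1" | grep -vxF -f "$2" || true)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# ks_demo: run the audit on a constructed kickstart excerpt and a
# constructed two-entry allowlist.
ks_demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/ks.cfg" <<'EOF'
%packages
@core
@x11            # constructed sample line
@internet-browser
pax
-sendmail
%end
%post
echo done
EOF
    printf '%s\n' '@core' 'pax' > "$d/allow.txt"
    rc=0
    ks_unexpected "$d/ks.cfg" "$d/allow.txt" || rc=$?
    rm -rf "$d"
    return "$rc"
}

ks_demo || echo "entries above are not on the allowlist" >&2
```

On a real host, point `ks_unexpected` at a backup copy of /root/anaconda-ks.cfg and an allowlist you maintain; a non-zero return makes it usable as a gate before the kickstart is reused on other machines.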