This section describes how to install Linux and the components needed for NAC.
The steps involved in preparing the Linux servers are:
Once Linux is installed, the FreeNAC software needs to be installed, and the Linux components & FreeNAC configured.
The exact name of required packages is distribution specific. The following is the required package list for FreeNAC, extracted from the Ubuntu package. Look for the equivalencies to those packages according to your distribution.
libwrap0, apache2, mysql-client-5.0, libapache2-mod-php5, apache2.2-common, apache2-utils, php5-common, ucf, libaprutil1, php5-mysql, libdbi-perl, libmysqlclient15off, libplrpc-perl, mysql-server, libdbd-mysql-perl, mysql-server-5.0, libnet-daemon-perl, libapr1, libexpat1, libxml2, libpcre3, libpq5, apache2-mpm-prefork, mysql-common, flex, python-dev, apt-file, libsnmp-base, libsnmp9-dev, mailx, nmap, openssh-server, zip, unzip, ncurses-dev, libfreetype6-dev, libjpeg-dev, libpng12-dev, apache2-prefork-dev, php-pear, php5-snmp, libxml2-dev, graphviz, subversion, php5-sybase
Basically you need LAMP, some graphics libraries for the Web GUI and SNMP.
For 802.1x support, Samba and FreeRADIUS are needed.
For connections to MS-SQL DBs, such as ePO or Wsus, FreeTDS is needed.
This section describes Suse (version 9.3) specific commands.
Packages to install: rcs xntp sharutils tcpdump iptraf whois nmap automake gcc ethereal rsync lynx links pin scanlogd rsync uudeview ltrace smartmontools zip unzip pcre net-snmp ntop arpwatch perl-dbi flex pytn python-dev
a) via the network
Yast -> Network services -> proxy
http://YOUR.PROXY.COM:80/
Set Patch source 9.x in Switzerland
http://mirror.switch.ch/ftp/mirror/SuSE/suse/
Install source 9.x:
http://sunsite.cnlab-switch.ch//ftp/mirror/suse/suse/i386/9.3/
sunsite.cnlab-switch.ch /ftp/mirror/suse/suse/i386/9.3/
yast -i
yast online_update
b) or, if you have no internet access,
by downloading the Suse 9.3 ISO images to /opt/install/suse9.3
and then mounting/unmounting a CD as needed:
umount /mnt/cd
mount -o loop -t iso9660 /opt/install/suse9.3/cd1.iso /mnt/cd
In Yast, set the install source to the local directory "/mnt/cd".
Create /etc/mods (documentation of system changes) and "chmod 600" it
/etc/hosts : timehost, loghost, mailhost
rcSuSEfirewall2 stop
chkconfig SuSEfirewall2 off
chkconfig SuSEfirewall2_init off
chkconfig SuSEfirewall2_setup off
rcportmap stop
chkconfig nfs off
chkconfig nfsboot off
chkconfig portmap off
chkconfig mdnsd off
rcmdnsd stop
## optional
vi /etc/snmpd.conf [enable a read-only community if you want SNMP monitoring]
rcsnmpd start
chkconfig snmpd on
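The block above switches several services off at boot but gives no way to confirm the result later, for instance after a patch run or when a server was cloned from another image. The following audit script is an added example (not part of FreeNAC or the SUSE tooling); it reads "chkconfig --list" output on standard input so it can be tested offline, and reports every service from the list in this guide that is still enabled in any runlevel. The service names are taken from the commands above; the audit_live wrapper that pipes the real chkconfig output into it is an assumption about how you would run it on the host.

```shell
#!/bin/sh
# Added example: check that the services this guide disables stay disabled.
# Input: "chkconfig --list" output on stdin, one service per line, e.g.
#   portmap   0:off  1:off  2:off  3:off  4:off  5:off  6:off
# Output: one "STILL ENABLED: <name>" line per offending service.
# Exit status: 0 when everything is off, 1 when something is still on.

# Services switched off in the hardening steps of this guide.
SHOULD_BE_OFF="SuSEfirewall2 SuSEfirewall2_init SuSEfirewall2_setup nfs nfsboot portmap mdnsd"

audit_services() {
    status=0
    while read -r name rest; do
        for svc in $SHOULD_BE_OFF; do
            [ "$name" = "$svc" ] || continue
            # Any runlevel field such as "3:on" or "5:on" means the
            # service is started at boot.
            case " $rest " in
                *:on*) echo "STILL ENABLED: $name"; status=1 ;;
            esac
        done
    done
    return $status
}

# Assumed usage on a live SUSE host (not run here):
#   audit_live || echo "re-run the chkconfig ... off commands"
audit_live() {
    chkconfig --list | audit_services
}
```

Run it from root's cron alongside the other checks in this guide if you want a daily reminder; the exit status makes it easy to hook into whatever alerting the mail setup below provides.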
Disable powersaving on servers and especially VMs:
/etc/sysconfig/powersave/cpufreq
POWERSAVE_CPUFREQD_MODULE="off"
Email
Yast -> Network services -> mail transfer agent
Outgoing mail server = [YOUR_OUTBOUND_SERVER]
vi /etc/aliases, and set "root" alias to the sysadmin
newaliases
Test email:
echo test | mailx -s "test" root
Time sync
cp /etc/localtime /etc/localtime.orig
cp /usr/share/zoneinfo/Europe/Zurich /etc/localtime [Switzerland]
cron:
0,30 7-20 * * 1-5 /usr/sbin/ntpdate -s A.B.C.D X.Y.Z.Z; /sbin/hwclock --systohc
Setup syslog for centralised logging to the master server:
In /etc/hosts, add an entry for each NAC server
XX vmps1
YY vmps2
On the Master, enable the syslog server:
vi /etc/syslog-ng/syslog-ng.conf.in
# uncomment to process log messages from network:
#
udp(ip("0.0.0.0") port(514));
SuSEconfig
rcsyslog restart
Slave: syslog client:
/etc/syslog-ng/syslog-ng.conf.in
## Forward *.info to loghost
filter f_info { level(info) ; };
destination network { udp("loghost" port(514)); };
log { source(src); filter(f_info); destination(network); };
add loghost to the vmps2 line in /etc/hosts
SuSEconfig
rcsyslog restart
change the root GECOS field in /etc/passwd to "root MACHINE"
Also check: /root/.ssh/authorized_keys
naming:
vi /etc/resolv.conf
If you use DNS domains with ".local", then replace the dns library, since Suse
does not like domains ending in ".local". Back up libresolv.so.2 to libresolv.so.2.orig and create a new /lib/libresolv.so.2 that is not so brain dead:
cd /lib
cp libresolv.so.2 libresolv.so.2.orig
cat libresolv.so.2.orig |sed 's/local/lokal/g' > libresolv.so.2.NO_LOCAL
cp libresolv.so.2.NO_LOCAL libresolv.so.2
If SSH logins seem very slow, you might have to replace LOCAL with 127.0.0.1 in /etc/hosts.allow for the sshd entry.
create /secure check_disk, monitor_processes, secure.conf
ln -s /usr/bin/perl /bin/perl
Environment
copy /etc/profile.local from another machine
. /etc/profile.local
Setup filewatch
mkdir -p /var/filewatcher/archive
copy /usr/local/bin/filewatcher from another machine
copy /etc/filewatcher.conf from another machine
filewatcher -c /etc/filewatcher.conf
Setup Cron entry:
2 6-18 * * 1-5 /usr/local/bin/filewatcher -c /etc/filewatcher.conf
check_disk in root cron
*/3 * * * * /secure/check_disk 90 800
There is an Ubuntu package which takes care of all dependency packages. You don't need to install or compile any other package.
Install Ubuntu, enable the SSH server, ensure that the network connectivity is OK and update with the latest patches.
Login via SSH, and sudo to root. If you do not have a root shell, then all commands in the installation will need to be prefixed with 'sudo'.
Note: if you are using the FreeNAC virtual machine, the password sudo asks for is the password of the logged-on user (freenac in the case of the VM).
Modify the installation sources by un-commenting the lines starting with deb from the /etc/apt/sources.list file and comment out the lines with deb cdrom.
vi /etc/apt/sources.list
apt-get update
Get the package from the downloads section.
Since the package is a simple deb and not embedded in a repository, dependency handling cannot be done by apt. The dependency list must be extracted from the deb and fed to apt manually to install all needed packages.
NOTE: Even if you want to get FreeNAC from Subversion, rather than installing the Ubuntu package, the package can still be used to nicely install all dependencies.
$ sudo dpkg -f freenac_*deb depends | sed -e 's/,//g' | xargs sudo apt-get -qy install
That command installed MySQL and all other packages you need. Nice!
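The one-liner above only strips commas, which is enough for the FreeNAC control file but not for the full Depends syntax: a field may carry version constraints such as "pkg (>= 1.2)", alternatives such as "a | b" and architecture qualifiers such as "pkg:any", none of which apt-get accepts as a package name. The function below is an added example (not FreeNAC code) that normalises a Depends field before handing it to apt; the two wrapper functions and their use of dpkg -f and apt-get -qy mirror the command on the page, and the sample dependency string in the test is constructed.

```shell
#!/bin/sh
# Added example: turn a Debian "Depends:" field into a plain package list
# that apt-get accepts. Reads the field text on stdin.
#  - version constraints "pkg (>= 1.2)" are dropped
#  - for alternatives "a | b" the first one is kept (apt's default choice)
#  - architecture qualifiers "pkg:any" are removed
depends_to_pkgs() {
    sed -e 's/([^)]*)//g' \
        -e 's/|[^,]*//g' |
    tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/:any$//' |
    grep -v '^$'
}

# Print the dependency list of a .deb without installing anything.
# Useful as a dry run before the real install.
deb_depends_list() {
    dpkg -f "$1" Depends | depends_to_pkgs
}

# Install every dependency of a .deb that is not part of a repository
# (same effect as the command on the page, with the parsing above).
install_deb_deps() {
    deb_depends_list "$1" | xargs sudo apt-get -qy install
}
```

Run "deb_depends_list freenac_*deb" first and read the list; if a line still looks like an operator or a version number, the field uses syntax this parser does not cover and the install would fail on it.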
Now install the freenac package:
$ sudo dpkg -i freenac_*deb
Several packages may be useful for system administration but are not required for FreeNAC (see also the Packages section below):
$ sudo apt-get install rcs iptraf whois links uudeview arpwatch screen zip unzip
Finally, ensure that the latest versions of the packages are installed:
$ sudo apt-get upgrade
You may now skip to the next chapter in the Installation Guide.
From the installation, you should have set your time zone properly. In case you haven't, copy from the /usr/share/zoneinfo directory the file that best suits your timezone.
In our case:
sudo cp /etc/localtime /etc/localtime.orig ; #create a backup of the original timezone
sudo cp /usr/share/zoneinfo/Europe/Zurich /etc/localtime ; # timezone of Switzerland
As part of the FreeNAC installation, the following packages are required (see also ./contrib/package_files/control):
libwrap0, apache2, mysql-client-5.0, libapache2-mod-php5, apache2.2-common, apache2-utils, php5-common, ucf, libaprutil1, php5-mysql, libdbi-perl, libmysqlclient15off, libplrpc-perl, mysql-server, libdbd-mysql-perl, mysql-server-5.0, libnet-daemon-perl, libapr1, libexpat1, libxml2, libpcre3, libpq5, apache2-mpm-prefork, mysql-common, flex, python-dev, apt-file, libsnmp-base, libsnmp9-dev, mailx, nmap, openssh-server, zip, unzip, ncurses-dev, libfreetype6-dev, libjpeg-dev, libpng12-dev, apache2-prefork-dev, php-pear, php5-snmp, libxml2-dev, graphviz, subversion, php5-sybase
The following packages are recommended:
The following packages are optional:
This document explains how to compile key components from source, if needed. It is recommended to use the packages that are included with your distribution if possible, since automated updates will be easier.
It was last updated in Mar'07, and refers to versions available on that date.
You'll need to download the packages; always use the latest releases. The following are example URLs.
http://mirror.switch.ch/ftp/mirror/apache/dist/httpd/httpd-2.2.2.tar.gz
http://mirror.switch.ch/ftp/mirror/mysql/Downloads/MySQL-5.0/mysql-5.0.2...
ftp://fr.rpmfind.net/pub/libxml/libxml2-2.6.23.tar.gz
http://www.ibiblio.org/pub/Linux/ALPHA/freetds/stable/release_candidates...
http://ch2.php.net/get/php-5.2.0.tar.bz2/from/this/mirror
cd /opt/install
tar xvzf httpd-2.2.2.tar.gz
cd httpd-2.2.2
./configure --prefix=/usr/local/apache2 --enable-so
make install
ln -s /usr/local/apache2 /usr/local/apache
ln -s /usr/local/apache2/bin/apachectl /etc/init.d/apache2
ln -s /usr/local/apache2/bin/apachectl /sbin/rcapache2
# Actually start apache if you intend to use the web interfaces, see below:
chkconfig apache2 on
/etc/init.d/apache2 start
Prerequisites: ncurses-devel gcc-c++
cd /opt/install
tar xvzf mysql-5.0.27.tar.gz
cd mysql-5.0.27
./configure --prefix=/usr/local/mysql-5.0.27 --localstatedir=/mysqldata --with-unix-socket-path=/var/lib/mysql/mysql.sock
make install
cd /usr/local
mv mysql mysql.$$ [in case you have a link already]
ln -s mysql-5.0.27 mysql
ln -s /usr/local/mysql/bin/mysqld_safe /usr/local/mysql/bin/mysql
Create a mysql user:
groupadd mysql
useradd -g mysql mysql
Create an empty database:
cd /usr/local/mysql
bin/mysql_install_db --user=mysql
mv data /var/lib/mysql
ln -s /var/lib/mysql data
ln -s /var/lib/mysql /mysqldata
ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock
Set permissions:
chown -R mysql:mysql /mysqldata /var/lib/mysql
cd /opt/install
tar xvzf libxml2-2.6.24.tar.gz
cd libxml2-2.6.24/
./configure --prefix=/opt/libxml2 && make install
FreeTDS is only needed if you have to access MS-SQL or Sybase Enterprise databases.
cd /opt/install
wget http://www.ibiblio.org/pub/Linux/ALPHA/freetds/stable/release_candidates...
tar xvzf freetds-0.64RC2.tar.gz
cd freetds-0.64RC2
./configure --prefix=/opt/freetds --enable-msdblib
make install
vi /opt/freetds/etc/freetds.conf and add a definition for a DB to test:
[sms] <-- alias name
host = MyServer.mydomain.com <-- server name/IP
port = 1433
tds version = 4.2
dump file = /var/log/freetds.log
dump file append = yes
#debug level = 10
debug level = 3
Try connectivity:
/opt/freetds/bin/tsql -S [alias] -U [user] -P [password]
First install the prerequisite packages; PHP is built with many options enabled: gd-devel freetype2-devel zlib-devel libpng-devel libjpeg-devel
net-snmp net-snmp-devel tcpd-devel rpm-devel
openssl openssl-devel openldap2-devel graphviz
cd /opt/install;
tar xjf php-5.2.0.tar.bz2
cd php-5.2.0
## If you need MS-SQL (it's best to assume you do; FreeTDS was compiled above)
./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql=/usr/local/mysql --with-mysql-sock=/var/lib/mysql/mysql.sock --prefix=/opt/php-5.2.0 --with-xml --with-libxml-dir=/opt/libxml2 --enable-pcntl --enable-force-cgi-redirect --with-mssql=/opt/freetds --with-gd --with-zlib-dir --with-ttf --with-freetype-dir --with-snmp=/usr --enable-ucd-snmp-hack --with-ldap
make install
Disable any current php binaries, and enable the new ones:
mv /usr/bin/php /usr/bin/php.$$
mv /opt/php5 /opt/php5.$$
ln -s /opt/php-5.2.0 /opt/php5
ln -s /opt/php5/bin/php /usr/bin/php
Test PHP:
php -v
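"php -v" only proves the binary runs; it does not show whether the ./configure switches above actually produced the extensions FreeNAC uses (MySQL, MS-SQL via FreeTDS, gd, SNMP, LDAP, XML, pcntl). The script below is an added example (not FreeNAC code) that reads "php -m" output on standard input and lists the required extensions that are missing, so it can be tested offline with constructed input. The module names are the ones "php -m" prints for those extensions in PHP 5.2; the REQUIRED list is derived from the configure line above and is an assumption about what your installation needs.

```shell
#!/bin/sh
# Added example: check a freshly built PHP for the extensions enabled in
# the ./configure line of this guide. Input: "php -m" output on stdin.
# Output: space-separated list of missing modules (empty line if none).
# Exit status: 0 when all required modules are present, 1 otherwise.

# Extensions implied by --with-mysql, --with-mssql, --with-gd, --with-snmp,
# --with-ldap, --with-xml and --enable-pcntl (assumed required set).
REQUIRED="mysql mssql gd snmp ldap xml pcntl"

missing_php_modules() {
    # "php -m" prints section headers like "[PHP Modules]" and one module
    # name per line; drop headers and blank lines, compare case-insensitively.
    loaded=$(grep -v '^\[' | grep -v '^$' | tr '[:upper:]' '[:lower:]')
    missing=""
    for mod in ${*:-$REQUIRED}; do
        if ! printf '%s\n' "$loaded" | grep -qx "$mod"; then
            missing="$missing $mod"
        fi
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Assumed usage on the host (not run here):
#   php -m | missing_php_modules || echo "re-run ./configure with the missing switches"
```

Optional arguments override the REQUIRED list, so "php -m | missing_php_modules mssql" checks only the FreeTDS binding when that is the part you are unsure about.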
Note:
Enable PHP in apache:
Edit your httpd.conf (e.g. /usr/local/apache/conf/httpd.conf) to load the PHP module
LoadModule php5_module modules/libphp5.so
The path on the right hand side of the LoadModule statement must point to the path of the PHP module on your system. The "make install" step above may already have added this for you, but be sure to check. Also, tell Apache to parse certain extensions as PHP in httpd.conf:
AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps