©2009 HP Confidential 1 ©2010 HP / Intel / Red Hat restricted 1 Bruno CornecHP, Open Source Profession Lead Linux Security

Bruno Cornec 2 2 Introducing Myself ● Software engineering and Unices since 1988 ● Mostly Configuration Management Systems (CMS), Build systems, quality tools, on multiple commercial Unix systems ● Discover Open Source & Linux (OSL) & first contributions in 1993 ● Full time on OSL since 1995, first as HP reseller ● Currently : ● Master Technology Architect on OSL for the HP/Intel Solution Center, Grenoble ● OSL HP Advocate ● EMEA OSL HP Profession Lead ● Solutions Linux Conference and OWF board member ● MondoRescue, Dploy.org, Project-Builder.org project lead ● LinuxCOE, mrepo, tellico, rinse, fossology, collectl contributor ● FOSSBazaar and OSL Governance enthusiast ● Mandriva, Mageia, Fedora packager

©2009 HP Confidential 3 ©2010 HP / Intel / Red Hat restricted 3 Agenda

©2009 HP Confidential 4 ©2010 HP / Intel / Red Hat restricted 4 Objective and Agenda Objective: To describe how security is managed on Red Hat Enterprise Linux Clients with Intel based HP ProLiant servers Agenda: Definitions Automatic media deployment Automatic network deployment Automatic images deployment

©2009 HP Confidential 5 ©2010 HP / Intel / Red Hat restricted 5 Deployment definition The deployment consists of all the means (both software and hardware) to install and configure firmware, operating system and all needed applications on a computer or a set of computers, minimizing manual interactions and creating an homogeneous and reproduceable setup PXE (Intel): Pre-boot eXecution Environment Allows a PC to boot through the network iLO (hp):Integrated Lights Out Management Card Allows firmware update and management through a dedicated LAN interface Software tools: ether-wake/wol, DHCP server, TFTP server, NFS/FTP server, syslinux/isolinux/pxelinux, kickstart and Satellite (RHEL), MondoRescue

©2009 HP Confidential 6 ©2010 HP / Intel / Red Hat restricted 6 Deployment approaches Automatic system deployment: ● Hardware neutral ● Update process quick ● Distribution dependant ● Installation quick ● Excellent customisation System Images deployment : ● Distribution/OS neutral ● Installation quicker ● Update process longer ● Hardware dependant ● Good customization ● You need BOTH !!

©2009 HP Confidential 7 ©2010 HP / Intel / Red Hat restricted 7 Installation detailed ● PC power-on (POST) ● BIOS pass control to boot device (floppy / bootable CD) ● Most boot floopy use syslinux with a syslinux.cfg config file ● syslinux loads initrd and boots the kernel with params default linux prompt 1 timeout 600 display boot.msg label linux kernel vmlinuz append initrd=initrd.img lang= devfs=nomount ramdisk_size=7168 vga=788 label ks kernel vmlinuz append ks=floppy initrd=initrd.img lang= devfs=nomount ramdisk_size=7168 ● The kernel launch the install

©2009 HP Confidential 8 ©2010 HP / Intel / Red Hat restricted 8 Deployment detailed (step 1) ● PC power-on (POST) ● BIOS pass control to boot device (PXE firmware) ● DHCP request from PXE client ● DHCP server provides an IP configuration ● allow bootp; ● allow booting; ● subnet netmask { ● option routers ; ● option subnet-mask ; ● default-lease-time 21600; ● max-lease-time 43200; ● group { ● next-server ;# tftp server ● filename "pxelinux.0"; ● host test3 { ● hardware ethernet 00:01:02:06:25:F1; ● fixed-address ; ● }

©2009 HP Confidential 9 ©2010 HP / Intel / Red Hat restricted 9 Deployment detailed (step 2) ● PXE request from PXE client ● DHCP server provides boot file name and boot server ● TFTP request from PXE client ● pxelinux.0 loaded on client ● pxelinux reads its config file from pxelinux.cfg/ip-addr default ks Prompt 0 display boot.msg label ks kernel kernel/vmlinuz-rh7.2 append initrd=initrd/initrd-rh7.2.img devfs=nomount lang= ramdisk_size=7168 ks=nfs: :/tftpboot/ks/ks72.cfg label mdk81-auto kernel kernel/vmlinuz-mdk8.1 append initrd=initrd/initrd-mdk8.1.img ramdisk_size=32000 kickstart=floppy automatic=method:ftp,network:dhcp,server: ,directory:/pub/mandrake/8.1 auto_install=/pub/mandrake/auto_inst.pl

©2009 HP Confidential 1010 ©2010 HP / Intel / Red Hat restricted 1010 Deployment detailed (step 3) ● pxelinux loads initrd and boots the kernel with params ● default ks ● lang fr_FR ● langsupport --default fr_FR fr_FR en_US ● network --bootproto bootp --device eth0 ● url --url ftp:// /pub/rrhel/6/x86_64 ● keyboard "fr-latin1" ● zerombr yes ● clearpart --all ● part /boot --size 50 ● part swap --size 512 ● part / --size 1000 ● part /usr --size 3000 ● part /var --size 256 ● part /opt --size 512 ● part /home --size 1 --grow ● install ● mouse --device psaux genericps/2 --emulthree ● timezone Europe/Paris ● xconfig --monitor "HP D2807A Ultra VGA " ● rootpw linux1 ● auth --useshadow --enablemd5 ● lilo --location mbr ● Reboot ● %packages Server ● %post ● exec > /tmp/postinstall.log 2>&1 ● cat > /tmp/postinstall << FINI ● echo "End postinstall" ● FINI ● chmod 755 /tmp/postinstall ; /tmp/postinstall

©2009 HP Confidential1 ©2010 HP / Intel / Red Hat restricted1 Imaging deployment ● Install the distribution ● Apply updates, configure... ● Install mondo/mindi/mindi-busybox/afio/buffer ● Create ISO images of the installed system through NFS ● mondoarchive -d /images -E '/home|/tmp' -9 -s 4380m -n /home/ftp/images ● Integrate the content of the mondo restore image in the previous configuration label mondo kernel kernel/vmlinuz-mondo append initrd=initrd/initrd-mondo.img devfs=nomount ramdisk=23352 ramdisk_size=23352 expert_mode root=/dev/ram0 ● Details available in README.pxe

©2009 HP Confidential 1212 ©2010 HP / Intel / Red Hat restricted 1212 How to get in contact with us HP Linux Profession Lead EMEA Open Source Advocate Intel Account Manager for HP EMEA TSG/ISS Stefanie Schütze Red Hat Alliance Manager HP EMEA Michaela Weissensteiner +49 (0)

©2009 HP Confidential 1313 ©2010 HP / Intel / Red Hat restricted 1313 Thank you ! Q&A