OSIS Lab Golden Client Setup

Prabhaker Mateti

Names of OSIS PCs | Printable Labels | Dec 03, 2009

1. Introduction

This page describes the setup of the OSIS (Operating Systems and Internet Security) Lab.

  1. The PCs are located in 429 RC.
  2. On each PC, there are several OS installed. The exact number/ list varies from term to term depending on the needs of the courses using the lab.
  3. Note that CEG 429 has the highest priority in the lab. During the Network Security lab sessions (lasting a few hours at a time), some PCs (about 10) will be accessible only to CEG 429 students. These students need special distributions of Linux, such as Knoppix Live, Auditor Live, and BackTrack Live.
  4. There is a server (osisServer == osis111, 130.108.17.111, and 192.168.17.111) for the Lab that does multiple duties. It is a: firewall, router, NFS server, dhcp server, etc. The osisServer is located in 429-A RC (the "closet" inside 429 RC).
We set up the disk contents of a single machine (called the "Golden Client") very carefully, and clone its disks to all other PCs. We have used Symantec Ghost and the open source tools UDPcast and SystemImager for cloning individual partitions. Our current choice of cloning software is UDPcast ( http://udpcast.linux.lu/ ). A local copy is at udpcast-tg3-piix-receiver.iso.

Policies

  1. The lab is accessible to students enrolled in CEG 233, 429 (Internet Security), 433, 434, 730 and CEG 830.
  2. We have near-zero man-power support for the lab. It is set up and run by volunteer faculty and students.
  3. Student Accounts: Students have individual accounts, but with NO archival of their files. They are expected to store their files either on removable media or sftp them to other machines.
  4. It was a goal of ours that each PC be usable as a typical Unix workstation even when the LAN is down. A side-effect is that your login+passwd are maintained separately on each machine. Because of zero sys admin support, passwd changing is disabled.
  5. Access to the lab PCs via modems or Internet is not planned.
  6. Connections originating within the Lab are not firewalled in any way. But, connections originating outside the Lab are blocked.

Reports of Bugs, Glitches, broken URLs, ...

The OSIS Lab runs with near-zero sys admin support. We hope this situation will improve. Even so, we like to hear of every problem you are having, and suggestions for improvement on every aspect of the lab. We are also starved for appreciation.

Send your comments, suggestions, and problem reports (with as complete a description as possible) to prabhaker.mateti@wright.edu who is currently the janitor/caretaker, and who is, of course, never grouchy ;-)

2. Disk Partitions

As of Nov 2009, the lab PCs have the following partitions.

Disk /dev/sda: 80.0 GB, 80000000000 bytes
255 heads, 63 sectors/track, 9726 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000080

TBD Table
   Device Boot  Start    End      Blocks  Id  System           Contents
/dev/sda1   *       1   2550   20482843+   7  HPFS/NTFS        XP 64 Professional
/dev/sda2        2551   9725   57633187+   f  W95 Extd (LBA)
/dev/sda5        2551   5100   20482843+   7  HPFS/NTFS        Vista 64 Enterprise
/dev/sda6        5101   7650   20482843+  83  Linux            Ubuntu Intrepid 8.10
/dev/sda7        7651   7912    2104483+  82  Linux swap
/dev/sda8        7913   9725   14562891    7  HPFS/NTFS        Unused

/boot/grub/menu.lst

# /boot/grub/menu.lst
# pmateti@wright.edu Not up-to-date

timeout 30
default 3

color white/blue black/light-gray

title Booting via Grub on /dev/sda7/boot/grub/ 20080402
kernel (hd0,7)/boot/memtest86+.bin
boot

title For ALL classes: Windows-XP-64-Professional/Vista-64-Enterprise
root (hd0,0)
makeactive
chainloader +1

title For ALL classes: Linux-Debian-Ubuntu-64-bit-NFS-home-dirs
kernel (hd0,7)/boot/vmlinuz root=/dev/hda2 ro splash
initrd (hd0,7)/boot/initrd.img

title For ALL classes: Linux-Debian-Knoppix-431-LiveDVDimage-dhcp-no-NFS
kernel (hd0,7)/Knoppix/boot/isolinux/linux knoppix_dir=/Knoppix/KNOPPIX ramdisk_size=100000 myconfig=scan lang=us acpi=on screen=1280x1024
initrd (hd0,7)/Knoppix/boot/isolinux/minirt.gz

title Only-for-CEG429: Linux-Auditor-LiveCDimage-nodhcp
kernel (hd0,7)/Auditor/isolinux/vmlinuz  knoppix_dir=/Auditor/KNOPPIX ramdisk_size=100000 myconfig=scan lang=us acpi=on dma hdc=ide-cd nodhcp screen=1280x1024
initrd (hd0,7)/Auditor/isolinux/miniroot.gz

title Only-for-CEG429: Linux-BackTrack3-LiveCDimage-nodhcp
kernel (hd0,7)/Auditor/isolinux/vmlinuz  knoppix_dir=/Auditor/KNOPPIX ramdisk_size=100000 myconfig=scan lang=us acpi=on dma hdc=ide-cd nodhcp screen=1280x1024
initrd (hd0,7)/Auditor/isolinux/miniroot.gz

# -eof-

3. Linux

  1. Our current choice of Linux distribution is KDE-based Ubuntu. It has a huge number of .deb packages and, very important to us, is guaranteed to remain open source and free of cost.
  2. We install "almost everything". The complete list of packages installed, if we were to list it here, is too large. See the Must Have Packages below.
  3. We disable a number of services.
  4. We uninstall some packages that conflict with others we must have.
  5. We adjust the menus, login screen, home pages for browsers, etc.; we are yet to systematically document the above.

3.1 Must Have Packages

Most of these are packages available in the Ubuntu repositories.
  1. KDE, Gnome, and other desktops
  2. GNU Emacs Snapshot
  3. TeX and LaTeX
  4. Xfig and related
  5. InkScape
  6. DDD, kdbg, xgdb and other debuggers
  7. Program Development: Eclipse, build-essential, module-assistant, Kdevelop, Anjuta
  8. Sun JDK, http://java.sun.com/ Enterprise Edition *and* Standard Edition
  9. Office: OpenOffice complete suite, Koffice complete suite, AbiWord, Acrobat Reader for Linux http://www.adobe.com
  10. Web: PHP, Amaya editor http://www.w3.org/Amaya/, Web browsers: firefox, Opera, etc.
  11. FTP clients: filezilla, kbear, gftp
  12. Top 50 security tools from insecure.org
  13. The Network Simulator ns2 http://www.isi.edu/nsnam/ns/
  14. OMNeT++ http://www.omnetpp.org/
  15. Clustering tools. See Quantian Live CD.

4. Windows

After installing Windows, we install the following.

Description    URL / Source    Target Dir
Service Packs
MS Office CDs: Word, FrontPage, Excel, PowerPoint, Access
MS Visual Studio .NET CDs: C#, C++, Basic, Java
VirusScan \\ECSNT01
Cygwin http://cygwin.org
MiKTeX http://www.miktex.org/getting.html
Zip utils 7-zip
FileZilla FOSS; Search google
T:\winbin pmateti/Windows Down Loads CD
T:\cygwin pmateti
T:\TeX pmateti
T:\emacs Search for "emacsw32" on google
GXexplorer http://sourceforge.net/projects/gxexplorer/
OpenOffice http://www.openoffice.org/dev_docs/source/latest_build/latest_build.html
SSH, putty ECSNT01
Mozilla www.mozilla.org
SeaMonkey
Amaya www.w3.org/Amaya/
Perl http://www.perl.org
Python http://www.python.org
Java SDK by SUN www.java.sun.com
Acrobat Reader
GhostScript tools \\ECSNT01
Printkey \\ECSNT01\
start menu adjust!

5. Network Setup

All the IP addresses for the NICs are assigned from the private range 192.168.*.*, which IANA officially reserves for private networks.

  1. The host names of the PCs are those of the past ACM Turing Award Winners.
  2. The Lab forms a 100 Mbps LAN, 192.168.17.0. Subnet 17 was chosen simply to mirror the 130.108.17.* subnet that already existed on the 4th floor of Russ.
  3. Switches
    1. PCs 192.168.17.11 - .18 connect to switch S1.
    2. PCs 192.168.17.19 - .26 connect to switch S2.
    3. PCs 192.168.17.27 - .30 connect to switch S3.
    4. PCs 192.168.17.31 - .36 connect to switch S4.
    5. Switch S1 connects through the wall to switch S5 in the Outer Closet.
    6. Switch S2 connects to S3.
    7. Switch S3 connects through the wall to switch S5 in the Outer Closet.
    8. Switch S4 connects through the wall to switch S5 in the Outer Closet.
    9. osisServer connects through the wall to switch S5 in the Outer Closet.
  4. osisServer connects through the wall to the 130.108.17.0 network.

5.1 Router

The router (osisServer) is 192.168.17.111. This machine has another NIC with IP address 130.108.17.111 and physically sits in the small locked room 429A. We run a few simple filtering rules and NAT all traffic leaving the lab for the Internet so that it appears to originate from 130.108.17.111.

Some faculty machines are permitted to remote login via ssh into OSISserver; see /etc/hosts.allow.

5.2 File Server

Currently (Dec 2008), the machine named osisServer is the file server for the Lab. It NFS-exports the /home directories, which the clients mount on namesake directories.

# /etc/exports on osis111
/home     192.168.17.0/255.255.255.0(rw,sync,root_squash,no_auth_nlm,no_subtree_check)
/var/ISO  192.168.17.0/255.255.255.0(ro,sync,no_subtree_check)
# -eof-

6. Updates/Maintenance

We (try to) do the following at the beginning of every term.

  1. Make a CD out of the previous term's content of /home on osisServer, for cheating prevention.
  2. Clear out /tmp and /home/ on osisServer.
  3. Generate accounts for classes. See the scripts below.
  4. /etc/passwd and /etc/shadow are rsync-ed to all the machines from osisServer. /etc/groups does not change.
  5. Printable Labels

dpkg-reconfigure --all

7. Various Scripts

Various script file contents are shown below just to give a feel for how they operate. The files are located on the OSIS server in ~pmateti/SysAdmin directory.

We have automated the assignment of host names and IP addresses upon the very first boot of an OS. All machine IP addresses are statically assigned. In this lab, we need a good + easy way to track network traffic.

A primary requirement: Our machines often boot without being connected to a LAN.

FirstBoot/firstBoot.pl

This is a quick script we developed, but it serves its purpose well: given that the NIC modules are loaded, determine the IP addresses and host names. Linux runs it on the first boot after the machine has been cloned.

Note that for simplicity and ease, we do NOT use dhcp. Note also that our machines often boot without being connected to the LAN.

/etc/sysconfig/MACtoIPtbl.txt # text file of pairs: MAC IPaddress. Read by firstBoot.pl

#!/usr/bin/perl

# After each Ghost image cast, rc.local (rc.firstBoot) invokes this file upon the
# first boot.  

# We write the $OSIS/etc/IPADDRESS and $OSIS/etc/HOSTNAME so that they are unique in the LAN.
# We create the /etc/sysconfig/network-scripts/ifcfg-eth? files.  
# We assume that modules for the NICs installed are already loaded.

# pmateti@cs.wright.edu; vpothams@cs.wright.edu

$OSIS = "/root/SysAdmin/OSIS/";
$MACtoIP = "$OSIS/MACtoIPtable.txt"; # text file of pairs: MAC IPaddress

# Given: IP address.  Get hostname by looking for it in /etc/hosts.

sub getHostName			# (inetAddress)
  {
    my $inetaddr = shift(@_);
    my $hostname = "unnamedHost";
    open(fp, "< /etc/hosts") or return $hostname;
    while (<fp>)
      {
	# Match the address as the whole first field.  A bare m/$inetaddr/
	# would let 192.168.17.1 match 192.168.17.11 and let '.' match any char.
	if (m/^\s*\Q$inetaddr\E\s/)
	  {
	    @elements = split /\s+/,$_ ;
	    if ($elements[3])
	      {$hostname = $elements[3]}
	    else
	      {$hostname = $elements[2]}
	    last;
	  }
      }
    close(fp); 
    return $hostname;
  }

# Given: Ethernet Card address.  Get IPaddress by looking for it in
# our little data base file $MACtoIP.

sub getIPaddr			# (mac)
  {
    my $hwaddr = shift(@_);
    my $ipaddr = "";
    open(ipHwtable, "< $MACtoIP") or return $ipaddr;
    while (<ipHwtable>)
      {
	# whole-field, case-insensitive match of the MAC in column 1
	if (m/^\s*\Q$hwaddr\E\s/i)
	  {
	    @elements = split ' ', $_;	# split ' ' ignores leading blanks
	    $ipaddr = $elements[1];
	    last;
	  }
      }
    close(ipHwtable);
    return $ipaddr;
  }

sub findCards
  {
    my $TCom509 = "3c509";
    my $TCom59x = "3c59x";
    my $Acenic = "acenic";
    my $NE2000 = "ne";
    my @cardsa = ();
    # /proc/modules lists one module per line, name first
    open(modFileptr, "< /proc/modules") or return @cardsa;
    while (<modFileptr>) {
      # order of this testing, unfortunately, is important
      # I do not know how to determine if eth0 is this/that card
      # short of scanning log/messages.
      # anchor on the module name field so "ne" does not match e.g. "netconsole"
	if(m/^$TCom59x\s/)
	  {push(@cardsa,"3c59x");}
	if(m/^$TCom509\s/)
	  {push(@cardsa,"3c509");}
	if(m/^$Acenic\s/)
	  {push(@cardsa,"acenic");}
	if(m/^$NE2000\s/)
	  {push(@cardsa,"ne");}	
      }
   close(modFileptr);
   return @cardsa;
  }


sub updateNetScripts
  {
    my @cards = @_;		# list of driver names, one per NIC
    my $ifcfgFile0 = "$OSIS/etc/sysconfig/network-scripts/ifcfg-eth";
    system("cat /etc/modules.conf > /tmp/modulesconf.txt");
    my $i = 0;
    foreach $card (@cards) {	
	my $hwaddr = findInfo("HWaddr", $i);
	my $inetaddr = getIPaddr($hwaddr);
	@elements = split /\./,$inetaddr;
	$firstThreeBytes = $elements[0] . "." .
	  $elements[1] . "." .
	  $elements[2] . "." ;

	$broadcastAddr = $firstThreeBytes . "255";
	$netAddr = $firstThreeBytes . "0";
	$ifcfgFile = $ifcfgFile0.$i;

	system (
	  "(" .
	       "echo \"DEVICE=eth$i\";".
	       "echo \"IPADDR=$inetaddr\";".
	       "echo \"NETMASK=255.255.255.0\";".
	       "echo \"NETWORK=$netAddr\";".
	       "echo \"BROADCAST=$broadcastAddr\";".
	       "echo \"ONBOOT=yes\";" .
	       ") > $ifcfgFile " );

	system("cp /tmp/modulesconf.txt /tmp/m0.txt;" .
	       "sed -e /eth$i/d < /tmp/m0.txt > /tmp/modulesconf.txt;" .
	       "echo alias eth$i $card >> /tmp/modulesconf.txt"
	      );
	# Should also write the io addr, etc options for some cards.

	$i++;
	$netNum++;
      }        
    system("mv -f /tmp/modulesconf.txt $OSIS/etc/modules.conf");    

    my $hwaddr = findInfo("HWaddr", 0);
    my $inetaddr = getIPaddr($hwaddr);
    my $hostname = getHostName($inetaddr);


   system("(echo \"NETWORKING=yes\";" .
	  "echo \"FORWARD_IPV4=yes\";" .
	  "echo \"HOSTNAME=$hostname.cs.wright.edu\";" .
	  "echo \"DOMAINNAME=osis.cs.wright.edu\";" .
	  "echo \"GATEWAY=192.168.17.111\";" .
	  "echo \"GATEWAYDEV=eth0\")" .
	  " > $OSIS/etc/sysconfig/network");
  }


# Examine the "ifconfig eth?" output.  And give the information
# according to the argument: hwaddr,inetaddr,mtu,int,ioaddr;

sub findInfo			# (attribute, cardNumber )
  {    
    my $answer = "notFound";
    my $arg = shift(@_);
    my $cardn = shift(@_);

    system("ifconfig eth". $cardn . "> /tmp/ifconfig$cardn.txt");
    open(tmpfileptr, "< /tmp/ifconfig$cardn.txt") or return $answer;
    while (<tmpfileptr>)
      {
	if (m/$arg/)
	  {
	    @elements = split /\s+/,$_;
	  SWITCH:
	    {
	      if($arg eq "HWaddr")
		{
		  $answer = $elements[4];
		  last;
		}
	      if($arg eq "inet addr")
		{		  
		  @elements2 = split/:/,$elements[2];
		  $answer = $elements2[1];
		  last;
		}
	      if($arg eq "Interrupt")
		{		  
		  @elements2 = split/:/,$elements[1];
		  $answer = $elements2[1];
		  last;
		}
	      if($arg eq "Base address")
		{		  
		  @elements2 = split/:/,$elements[3];
		  $answer = $elements2[1];
		  last;
		}
	    }
	  }		
      }
    
    close(tmpfileptr);
    return $answer;
  }

sub main {
  $hwaddr = findInfo("HWaddr", 0);
  $inetaddr = getIPaddr($hwaddr);
  $hostname = getHostName($inetaddr);

  system(
  "echo $hostname > $OSIS/etc/HOSTNAME;" .
    "echo $inetaddr > $OSIS/etc/IPADDRESS");

  @cards = findCards();
  updateNetScripts(@cards);
}

main();
exit;
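The same first-boot decision (MAC → IP from the table, IP → host name from /etc/hosts, then the ifcfg-eth0 text) as an added Python example; it is not the lab's script, and the table and hosts data are constructed for the example. It shows the two pitfalls a practitioner should check for in firstBoot.pl: substring matches (192.168.17.1 inside 192.168.17.11) and indented lines in /etc/hosts.

```python
from typing import Optional

# Constructed sample MAC -> IP table in the two-column format of MACtoIPtable.txt
# (the addresses are made up for this example).
MAC_TO_IP_TABLE = """\
# MAC               IPaddress
00:50:04:aa:bb:01   192.168.17.11
00:50:04:aa:bb:02   192.168.17.12
00:50:04:aa:bb:1a   192.168.17.111
"""

# Constructed /etc/hosts excerpt in the lab's naming scheme; note the
# indented last line, which a split on /\s+/ would shift by one field.
HOSTS_FILE = """\
127.0.0.1       localhost
192.168.17.11   minsky.osis.cs.wright.edu   minsky
192.168.17.111  osis111.osis.cs.wright.edu  osis111 osisServer
  192.168.17.12 knuth.osis.cs.wright.edu    knuth
"""

def mac_to_ip(table: str, mac: str) -> Optional[str]:
    """Whole-field, case-insensitive lookup of a MAC in the table; a bare
    regex search would let 'aa:bb:01' also match 'aa:bb:01a'."""
    want = mac.strip().lower()
    for line in table.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].lower() == want:
            return fields[1]
    return None

def ip_to_hostname(hosts: str, ip: str) -> str:
    """Short host name for an IP from /etc/hosts text.  str.split() drops
    leading whitespace and the first field is compared whole, so
    192.168.17.1 cannot match 192.168.17.11 and '.' is not a wildcard."""
    for line in hosts.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == ip:
            # first alias after the FQDN when present, else the FQDN's first label
            return fields[2] if len(fields) > 2 else fields[1].split(".")[0]
    return "unnamedHost"

def ifcfg_eth(ip: str, index: int) -> str:
    """Render the ifcfg-eth<index> file firstBoot.pl writes (a /24 is assumed,
    exactly as the script assumes)."""
    net = ip.rsplit(".", 1)[0]
    return (f"DEVICE=eth{index}\nIPADDR={ip}\nNETMASK=255.255.255.0\n"
            f"NETWORK={net}.0\nBROADCAST={net}.255\nONBOOT=yes\n")

def first_boot(mac: str, table: str = MAC_TO_IP_TABLE, hosts: str = HOSTS_FILE) -> dict:
    """The first-boot decision for one NIC: MAC -> IP -> hostname -> ifcfg text.
    An unknown MAC is an error: a cloned box must never pick an address itself."""
    ip = mac_to_ip(table, mac)
    if ip is None:
        raise LookupError(f"MAC {mac} is not in the MAC->IP table")
    return {"ip": ip, "hostname": ip_to_hostname(hosts, ip), "ifcfg": ifcfg_eth(ip, 0)}
```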

rc.firstBoot

Most Linux distributions needlessly create /etc/issue* files on each boot. Our overall philosophy is that except for files in /var and /home all other directories should remain as unchanged as possible.

#!/bin/bash

# This script rc.firstBoot (copied to /etc/rc.d/rc.local) will be
# executed *after* all the other init scripts. 
# this is the firstBoot after new OS image copy
# pmateti@cs.wright.edu

fixBootSector() {
 # fix the boot sector, if necessary, after Ghost6 image copy
 mkdir -p /var/wFAT 
 mount -n -o remount,rw  -t vfat /dev/hda1 /var/wFAT
 echo /sbin/lilo; /sbin/lilo
 dd if=/dev/hda2 bs=512 count=1 of=/var/wFAT/bootsect/mdksmp2.217
 mount -n -o remount,ro  -t vfat /dev/hda1 /var/wFAT
 sync
}


# start of first boot initialization

cd /root/SysAdmin/OSIS

# Create issue and issue.net files
/bin/cat << EOFISSUE > etc/issue

Operating Systems and Internet Security Lab at WSU

EOFISSUE

/bin/cp -f etc/issue etc/issue.net

# check whether one or more NICs are present
/sbin/modprobe 3c509 >& /dev/null
/sbin/modprobe acenic >& /dev/null
/sbin/modprobe ne >& /dev/null

# firstBoot.pl depends on the ifconfig -a output
/usr/bin/perl FirstBoot/firstBoot.pl

cp -fr etc /
chmod +x /etc/rc.d/rc.local

fixBootSector

/sbin/reboot

# -eof-


Windows First Boot

NTFirstBoot.pl is a Windows Perl script similar to the one above for Linux.


# cygwin bash script; run prior to cloning image of Windows
rm -fr //F/TMP/* //F/TEMP/* //F/WINNT/*.txt  //F/WINNT/*.BAK  //F/WINNT/*.tmp
rm -fr //L/DownLoads/* //L/LOGS/*
rm -fr //G/TEMP/*

# bash treats backslashes as escapes (cd \HOME\root\SysAdmin becomes
# cd HOMErootSysAdmin), so use the //DRIVE/path form used above
cd //U/HOME/root/SysAdmin
regedit /s runOnceNTFirstBoot.reg

runOnceNTFirstBoot.reg
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"firstBoot"="perl U:\\HOME\\root\\SysAdmin\\PerlFiles\\NTFirstBoot.pl"

regedit /s computername.reg \
  tcpipparams.reg mcafeealert.reg winlogon.reg 3com509tcpip.reg 

REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"Domain"=""
"Hostname"="minsky.osis.cs.wright.edu"
"NameServer"="130.108.2.10,130.108.1.20"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName]
"ComputerName"="minsky.osis.cs.wright.edu"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName]
"ComputerName"="minsky.osis.cs.wright.edu"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\El90x1\Parameters\Tcpip]
"IPAddress"=hex(7):31,39,32,2e,31,36,38,2e,31,37,2e,32,28,00,00
"DefaultGateway"=hex(7):31,39,32,2e,31,36,38,2e,31,37,2e,31,31,32,00,00
"SubnetMask"=hex(7):32,35,35,2e,32,35,35,2e,32,35,35,2e,30,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="minsky.osis.cs.wright.edu"
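The IPAddress, DefaultGateway and SubnetMask values above are REG_MULTI_SZ in regedit's hex(7) form: each string as ANSI bytes followed by a NUL, then one more NUL to end the list. An added Python helper (not part of the lab's scripts) that encodes and decodes that form and renders the Tcpip key, so the per-host .reg can be generated from the MAC→IP table instead of hand-typed; the service name El90x1 is taken from the page, everything else is constructed.

```python
def encode_multi_sz(values: list) -> str:
    """Encode strings as a REGEDIT4 hex(7) (REG_MULTI_SZ) value: each string as
    ANSI bytes plus a NUL, then one more NUL to end the list, as comma-separated
    hex bytes.  (Version 5.00 .reg files would use UTF-16LE instead.)"""
    data = b"".join(v.encode("ascii") + b"\x00" for v in values) + b"\x00"
    return ",".join(f"{b:02x}" for b in data)

def decode_multi_sz(hex_field: str) -> list:
    """Inverse of encode_multi_sz; tolerates the whitespace and backslash line
    continuations regedit inserts when it exports long values."""
    cleaned = "".join(hex_field.split()).replace("\\", "")
    data = bytes(int(h, 16) for h in cleaned.split(",") if h)
    if not data.endswith(b"\x00\x00"):
        raise ValueError("hex(7) data must end with two NUL bytes")
    body = data[:-2]
    return [s.decode("ascii") for s in body.split(b"\x00")] if body else []

def tcpip_reg(ip: str, gateway: str, mask: str = "255.255.255.0",
              service: str = "El90x1") -> str:
    """Render the per-NIC Tcpip key from tcpipparams.reg above with the three
    REG_MULTI_SZ values machine-encoded instead of hand-typed."""
    key = ("[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
           + service + "\\Parameters\\Tcpip]")
    return "\n".join([
        "REGEDIT4", "", key,
        f'"IPAddress"=hex(7):{encode_multi_sz([ip])}',
        f'"DefaultGateway"=hex(7):{encode_multi_sz([gateway])}',
        f'"SubnetMask"=hex(7):{encode_multi_sz([mask])}', ""])

# The three values as they appear in the page's .reg file (copied for the checks).
PAGE_SUBNET_MASK = "32,35,35,2e,32,35,35,2e,32,35,35,2e,30,00,00"
PAGE_GATEWAY = "31,39,32,2e,31,36,38,2e,31,37,2e,31,31,32,00,00"
PAGE_IPADDRESS = "31,39,32,2e,31,36,38,2e,31,37,2e,32,28,00,00"
```

Decoding the page's IPAddress bytes gives "192.168.17.2(" (0x28 is "(", not a digit), the kind of hand-encoding slip that generating the file avoids.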

History

  1. This lab was originally funded by Mateti's NSF DUE-9951380 and WSU in matching funds.
  2. An enormous number of hours has been spent by Prabhaker Mateti and several students (see acknowledgements). Doubtless there are problems. Doubtless there are conveniences you miss. Prior to this lab, there was no Linux teaching lab at WSU.
12/30/2008 06:05:13 PM
Open Content Copyright © 2008 pmateti@wright.edu