Introduction

Because every client on the network relies on the DAS servers for authentication (Kerberos) and account information (NIS), a compromise of a DAS server is a compromise of the whole network, so the servers must be protected carefully. This involves the following tasks:

Instructions for Securing DAS Servers

Step 1: Make sure that you have upgraded all critical packages

Focus on packages such as ntpd, sshd, the Kerberos daemons, the portmapper, the NIS daemons, the C libraries and anything else that handles network input, since those are where remotely exploitable bugs such as buffer overflows turn up. Upgrade with the rpm -Uvh command, verify each package's signature before installing it, and keep a log of your upgrades.

Step 2: Disable all Unnecessary Services and Ports

Use the chkconfig command to control which services start automatically. These are the only services I configured to start on DAS-M:

[root@das-m root]# chkconfig --list | grep :on
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
ypbind          0:off   1:off   2:off   3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:off   3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:off   3:on    4:on    5:on    6:off
kadmin          0:off   1:off   2:off   3:on    4:on    5:on    6:off
krb5kdc         0:off   1:off   2:off   3:on    4:on    5:on    6:off
ypserv          0:off   1:off   2:off   3:on    4:on    5:on    6:off
ypxfrd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

Use netstat to confirm that only those services are actually listening. Note that sshd has been moved to the non-standard port 2222, and that the two entries without a program name, on ports 111 and 123, are portmap and ntpd:

[root@das-m root]# netstat -tunap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:777             0.0.0.0:*               LISTEN      23492/ypbind
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      18219/kadmind
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      19607/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      22763/
tcp        0      0 0.0.0.0:888             0.0.0.0:*               LISTEN      23534/ypserv
tcp        0      0 0.0.0.0:889             0.0.0.0:*               LISTEN      24375/rpc.ypxfrd
udp        0      0 0.0.0.0:774             0.0.0.0:*                           23492/ypbind
udp        0      0 0.0.0.0:677             0.0.0.0:*                           23492/ypbind
udp        0      0 0.0.0.0:464             0.0.0.0:*                           18219/kadmind
udp        0      0 10.10.22.42:88          0.0.0.0:*                           18190/krb5kdc
udp        0      0 0.0.0.0:111             0.0.0.0:*                           22763/
udp        0      0 0.0.0.0:888             0.0.0.0:*                           23534/ypserv
udp        0      0 0.0.0.0:889             0.0.0.0:*                           24375/rpc.ypxfrd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1135/
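The chkconfig list above is easy to check by eye once, but it drifts as packages are added. The following script, an added example that is not part of the original page, turns the Step 2 allow-list into an audit: it reads "chkconfig --list" output, reports every service enabled in runlevel 3 that is not on the list (including xinetd-managed services), and prints the chkconfig commands that would disable them. The allow-list is the DAS-M list from above; the sample input at the bottom is constructed so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original DAS page: audit "chkconfig --list"
# output against the allow-list of services a DAS server is supposed to
# start, and print the "chkconfig ... off" commands for everything else.
#
#     chkconfig --list | sh das-service-audit.sh audit
#
# The allow-list is the Step 2 list for DAS-M; the sample input at the
# bottom is constructed so the script can be run offline with --demo.

# Services that may be "on" in the runlevel the DAS servers boot into (3).
ALLOWED="kudzu syslog network random rawdevices keytable atd sshd portmap
         crond anacron ypbind xfs ntpd kadmin krb5kdc ypserv ypxfrd"
RUNLEVEL=3

# is_allowed NAME: succeed if NAME is in $ALLOWED.
is_allowed() {
    for s in $ALLOWED; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# unexpected_services < chkconfig-list-output
# Prints every service enabled in $RUNLEVEL that is not on the allow-list.
# Handles SysV entries ("name 0:off 1:off 2:on 3:on ...") and the indented
# "name:  on" entries of the "xinetd based services:" section.
unexpected_services() {
    awk -v rl="$RUNLEVEL" '
        NF == 8 && $(rl + 2) == (rl ":on")  { print $1 }
        NF == 2 && $1 ~ /:$/ && $2 == "on"  { sub(/:$/, "", $1); print $1 }
    ' | while read -r svc; do
        is_allowed "$svc" || echo "$svc"
    done
}

# disable_commands < chkconfig-list-output
# Turns the list from unexpected_services into the commands that fix it.
# Review the output before running it: a service missing from ALLOWED may
# be one this particular host needs.
disable_commands() {
    unexpected_services | while read -r svc; do
        echo "chkconfig $svc off"
    done
}

# Constructed sample: two stray SysV services and one xinetd service.
SAMPLE='kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        telnet:         on
        chargen:        off'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE" | disable_commands ;;
    "")     ;;
    *)      disable_commands ;;
esac
```

For DAS-S, trim ALLOWED to what that host runs (it has no ypxfrd or kadmin of its own) before using it there; the xinetd case matters because chkconfig lists those services with a different layout and they are easy to overlook.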

Step 3: Configure the iptables firewall on each server

Make a directory /root/FW for the scripts, then use the following scripts as a guide:

/root/FW/das-fw.sh:

#!/bin/sh
# DAS iptables config (DAS-M)
# Version 7
# Date 2003-10-29
 
echo "Starting IPTABLES firewall... "
 
# Load connection tracking modules:
modprobe ip_conntrack
modprobe ip_conntrack_ftp
 
# Flush all chains, delete user-defined chains, and zero all counters
iptables -F
iptables -X
iptables -Z
 
#-----------------------------------------------------------------------------
# Default action if packets match no rules in chain
iptables -P INPUT DROP
 
# ----------------------------------------------------------------------------
# Increase security on host IP stack
 
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
 
# Make sure that IP forwarding is turned off.  We only want this for a multi-homed host.
echo 0 > /proc/sys/net/ipv4/ip_forward
 
# Enable IP spoofing protection
    # turn on Source Address Verification
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
 
    # Disable ICMP Redirect Acceptance
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
    done
 
    for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
        echo 0 > $f
    done
 
    # Disable Source Routed Packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
    done
 
    # Log Spoofed Packets, Source Routed Packets, Redirect Packets
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $f
    done
# ----------------------------------------------------------------------------
# LOOPBACK
 
 # Unlimited traffic on the loopback interface.
 iptables -A INPUT -i lo  -j ACCEPT
    
 
#-----------------------------------------------------------------------------
# Define IP addresses for source address restriction
 
# Your IP address
IPADDR="10.10.22.42"
 
# DAS-S IP address
DAS_S="10.10.22.40/32"
 
# Your physical interface
IFACE="eth0"
 
# Network allowed to reach the SSH, NTP, Kerberos and NIS services
DASNET="10.10.22.0/24"
 
# Upstream NTP server here
NTPSRV="10.10.20.111/32"
 
# LAB Network
LABNET="10.10.0.0/16"
 
# Our DNS servers are:
NS1="10.10.20.250/32"
NS2="10.10.19.250/32"
NS3="4.2.2.3/32"
 
# Other Definitions
BROADCAST="10.10.22.255"
ALLBROAD="255.255.255.255"
MULTICAST="224.0.0.0/4"
LOOPBACK="127.0.0.0/8"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
 
#------------------------------------------------------------
# The actual firewall config:
 
# Make sure that NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
 
# Allow hosts on the LAB network to PING the DAS. Outbound PING is allowed via
# connection tracking, and traceroute works as well.
iptables -A INPUT -s $LABNET -d $IPADDR -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -s any/0 -d $IPADDR -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -s any/0 -d $IPADDR -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Allow inbound TCP port for non-standard SSH connection
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 2222 -j ACCEPT
 
# Allow NTP clients and traffic with upstream NTP server
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 123 -j ACCEPT
iptables -A INPUT -s $NTPSRV -d $IPADDR -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
 
# Allow traffic to and from DNS servers
iptables -A INPUT -s $NS1 -d $IPADDR -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s $NS2 -d $IPADDR -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s $NS3 -d $IPADDR -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 
# Allow inbound connections to the Kerberos 5 KDC (udp/88), kadmind (tcp/749) and kpasswd (udp/464)
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 749 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 88  -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 464 -j ACCEPT
 
# Allow inbound TCP and UDP port for the Port Mapper (needed for NIS)
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 111 -j ACCEPT
# Supports BSD NIS clients, which need UDP broadcasts
#iptables -A INPUT -s $DASNET -d $BROADCAST -p udp --dport 111 -j ACCEPT
 
# Allow inbound UDP and TCP ports for NIS ypserv on 888
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 888 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 888 -j ACCEPT
 
# Allow inbound UDP and TCP port 889 for NIS ypxfrd from DAS-S
iptables -A INPUT -s $DAS_S -d $IPADDR -p tcp --dport 889 -j ACCEPT
iptables -A INPUT -s $DAS_S -d $IPADDR -p udp --dport 889 -j ACCEPT
 
# Allow NIS-related RPC activity between DAS-S and DAS-M for map transfer callback
iptables -A INPUT -s $DAS_S -d $IPADDR -p udp --sport 1:1023 --dport 1:1023 -j ACCEPT
 
# Connection Tracking - Allow TCP connections initiated by server
iptables -A INPUT -s any/0 -d $IPADDR -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
 
#-----------------------------------------------------------------------------
# LOGGING and REJECTING/DROPPING all remaining packets
 
# Drop any TCP or UDP broadcasts without logging.  I don't want to see lots of
# entries in the log for Microsoft client broadcasts, or DHCP traffic!
iptables -A INPUT -d $BROADCAST -p tcp -j DROP
iptables -A INPUT -d $ALLBROAD  -p tcp -j DROP
iptables -A INPUT -d $BROADCAST -p udp -j DROP
iptables -A INPUT -d $ALLBROAD  -p udp -j DROP
 
# Drop any TCP port 135 scans from M$ hosts infected with worms.  These are SO common, they
# fill up the logs with garbage!!!
iptables -A INPUT -d $IPADDR -p tcp --dport 135 -j DROP
 
# Drop Multicast traffic.  Otherwise, all router IGMP stuff will be logged.  I don't
# want to see this.
iptables -A INPUT -d $MULTICAST -j DROP
 
# Any UDP not already allowed is logged, then dropped
iptables -A INPUT -p udp -j LOG --log-level info --log-prefix "FW UDP: "
iptables -A INPUT -p udp -j DROP
 
# Any TCP not already allowed is logged, then rejected
iptables -A INPUT -p tcp -j LOG --log-level info --log-prefix "FW TCP: "
iptables -A INPUT -p tcp -j REJECT
 
# Any ICMP not already allowed is logged, then dropped
iptables -A INPUT -p icmp -j LOG --log-level info --log-prefix "FW ICMP: "
iptables -A INPUT -p icmp -j DROP
 
# All other protocols and packets will be logged, then dropped
iptables -A INPUT -j LOG --log-level info --log-prefix "FW Prot-X: "
iptables -A INPUT -j DROP
 
#-----------------------------------------------------------------------------
echo "done"
exit 0

/root/FW/das-fw-disable.sh:

#!/bin/sh
# DAS iptables disable script (DAS-M)
# Version 1
# Date 2003-10-27
 
echo "Removing IPTABLES firewall... "
 
# Flush all chains, delete user-defined chains, and zero all counters
iptables -F
iptables -X
iptables -Z
 
iptables -P INPUT ACCEPT
 
echo "done"
 
exit 0

Don't forget to make the scripts executable!

For convenience, we can also add the following symlinks to /usr/local/sbin:

[root@das-m sbin]# ls -al /usr/local/sbin/fw*
lrwxrwxrwx    1 root     root           26 Oct 27 14:28 /usr/local/sbin/fwoff -> /root/FW/das-fw-disable.sh
lrwxrwxrwx    1 root     root           18 Oct 27 14:24 /usr/local/sbin/fwon -> /root/FW/das-fw.sh

Then you can use the fwon and fwoff commands to enable and disable the firewall.

To run the firewall script automatically at boot, use chkconfig to disable the stock "iptables" service (so it does not load a different rule set first) and call the script from /etc/rc.local, as shown below. Be aware that rc.local runs after every other init script, so sshd, portmap and the NIS and Kerberos daemons are reachable with no filtering for a few seconds at every boot. If that window matters on your network, install the script as an init script ordered before the network daemons, or save the rules with iptables-save to /etc/sysconfig/iptables and let the stock iptables service restore them early in the boot sequence instead.

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
 
touch /var/lock/subsys/local
 
# Add firewall support
/root/FW/das-fw.sh
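A firewall script and a netstat listing are two descriptions of the same host, and they drift apart: a daemon gets moved to another port, or a rule outlives the service it was written for. The following script, an added example that is not part of the original page, cross-checks the two. It extracts every uncommented ACCEPT rule with a single destination port from a rule file, extracts every non-loopback listener from "netstat -tunap" output, and reports listeners with no ACCEPT rule (unreachable from the network, which is either intended or a missing rule; on DAS-M, ypbind's RPC ports are in the intended category) and ACCEPT rules with nothing behind them (stale). The rule file and netstat output below are constructed samples in the format of the page's listings, trimmed for the offline demo; the stale tcp/754 rule is deliberate.

```shell
#!/bin/sh
# Added example, not part of the original DAS page: cross-check a firewall
# script against what is really listening on the host.
#
#     netstat -tunap | sh fw-crosscheck.sh /root/FW/das-fw.sh
#
# "UNREACHABLE proto/port": a listener no ACCEPT rule covers.
# "STALE proto/port":       an ACCEPT rule with nothing listening.
export LC_ALL=C

# accept_ports RULES_FILE
# Prints "proto/port" for every uncommented "-A INPUT ... -p PROTO
# --dport N -j ACCEPT" line.  Port ranges (--dport 1:1023) are skipped.
accept_ports() {
    awk '
        /^iptables -A INPUT/ && /-j ACCEPT/ && /--dport/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port  = $(i + 1)
            }
            if (proto != "" && port != "" && port !~ /:/) print proto "/" port
        }' "$1" | sort -u
}

# listeners < netstat-tunap-output
# Prints "proto/port" for each socket bound to a non-loopback address:
# TCP sockets in LISTEN state and every UDP socket.
listeners() {
    awk '
        $4 ~ /^127\./                 { next }
        $1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print "tcp/" a[n] }
        $1 == "udp"                   { n = split($4, a, ":"); print "udp/" a[n] }
    ' | sort -u
}

# crosscheck RULES_FILE < netstat-tunap-output
crosscheck() {
    rules=$(accept_ports "$1")
    lsn=$(listeners)
    for p in $lsn; do
        echo "$rules" | grep -qxF "$p" || echo "UNREACHABLE $p"
    done
    for p in $rules; do
        echo "$lsn" | grep -qxF "$p" || echo "STALE $p"
    done
}

# Constructed sample rules: a subset of the DAS-M inbound rules plus one
# deliberately stale rule (tcp/754, kprop, which only DAS-S listens on).
write_sample_rules() {
    cat > "$1" <<'EOF'
iptables -A INPUT -i lo  -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 123 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 749 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 88  -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 464 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 111 -j ACCEPT
#iptables -A INPUT -s $DASNET -d $BROADCAST -p udp --dport 111 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 888 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 888 -j ACCEPT
iptables -A INPUT -s $DAS_S -d $IPADDR -p udp --sport 1:1023 --dport 1:1023 -j ACCEPT
iptables -A INPUT -s $DASM -d $IPADDR -p tcp --dport 754 -j ACCEPT
iptables -A INPUT -d $IPADDR -p tcp --dport 135 -j DROP
EOF
}

# Constructed sample netstat output (same layout as the page's listing).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:777             0.0.0.0:*               LISTEN      23492/ypbind
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      18219/kadmind
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      19607/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      22763/portmap
tcp        0      0 0.0.0.0:888             0.0.0.0:*               LISTEN      23534/ypserv
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1401/sendmail
tcp        0      0 10.10.22.42:2222        10.10.22.7:33012        ESTABLISHED 19820/sshd
udp        0      0 0.0.0.0:774             0.0.0.0:*                           23492/ypbind
udp        0      0 0.0.0.0:464             0.0.0.0:*                           18219/kadmind
udp        0      0 10.10.22.42:88          0.0.0.0:*                           18190/krb5kdc
udp        0      0 0.0.0.0:111             0.0.0.0:*                           22763/portmap
udp        0      0 0.0.0.0:888             0.0.0.0:*                           23534/ypserv
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1135/ntpd'

case "${1:-}" in
    --demo) f=$(mktemp); write_sample_rules "$f"
            printf '%s\n' "$SAMPLE_NETSTAT" | crosscheck "$f"; rm -f "$f" ;;
    "")     ;;
    *)      crosscheck "$1" ;;
esac
```

The demo reports tcp/777 and udp/774 (ypbind) as unreachable and tcp/754 as stale. Run it after every change to the scripts or to the daemons they protect, on both DAS-M and DAS-S.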

Here is the iptables firewall script from DAS-S, the NIS slave and secondary Kerberos KDC. It is the same as the DAS-M script apart from the host-specific rules (kprop from DAS-M on tcp/754, and NIS map transfers initiated from this host rather than to it):

#!/bin/sh
# DAS-S iptables config
# Version 7
# Date 2003-10-29

echo "Starting IPTABLES firewall... "

# Load connection tracking modules:
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Flush all chains, delete user-defined chains, and zero all counters
iptables -F
iptables -X
iptables -Z

#-----------------------------------------------------------------------------
# Default action if packets match no rules in chain
iptables -P INPUT DROP

# ----------------------------------------------------------------------------
# Increase security on host IP stack

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Make sure that IP forwarding is turned off.  We only want this for a multi-homed host.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Enable IP spoofing protection
    # turn on Source Address Verification
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done

    # Disable ICMP Redirect Acceptance
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
    done
 
    for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
        echo 0 > $f
    done
 
    # Disable Source Routed Packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
    done
 
    # Log Spoofed Packets, Source Routed Packets, Redirect Packets
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $f
    done
# ----------------------------------------------------------------------------
# LOOPBACK
 
 # Unlimited traffic on the loopback interface.
 iptables -A INPUT -i lo  -j ACCEPT
    
#-----------------------------------------------------------------------------
# Define IP addresses for source address restriction
 
# Your IP address
IPADDR="10.10.22.40"
 
# Your physical interface
IFACE="eth0"
 
# Network allowed to reach the SSH, NTP, Kerberos and NIS services
DASNET="10.10.22.0/24"
 
# DAS-M: NIS master and primary Kerberos KDC
DASM="10.10.22.42/32"
 
# Upstream NTP server here
NTPSRV="10.10.20.111/32"
 
# LAB/Software Development Network
LABNET="10.10.0.0/16"
 
# Our DNS servers are:
NS1="10.10.20.250/32"
NS2="10.10.19.250/32"
NS3="4.2.2.3/32"
 
# Other Definitions
BROADCAST="10.10.22.255"
ALLBROAD="255.255.255.255"
MULTICAST="224.0.0.0/4"
LOOPBACK="127.0.0.0/8"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
 
#------------------------------------------------------------
# The actual firewall config:
 
# Make sure that NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
 
# Allow hosts on the LAB network to PING the DAS. Outbound PING is allowed via
# connection tracking, and traceroute works as well.
iptables -A INPUT -s $LABNET -d $IPADDR -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -s any/0 -d $IPADDR -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -s any/0 -d $IPADDR -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Allow inbound TCP port for non-standard SSH connection
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 2222 -j ACCEPT
 
# Allow NTP clients and traffic with upstream NTP server
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 123 -j ACCEPT
iptables -A INPUT -s $NTPSRV -d $IPADDR -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
 
# Allow traffic to and from DNS servers
iptables -A INPUT -s $NS1 -d $IPADDR -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s $NS2 -d $IPADDR -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s $NS3 -d $IPADDR -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 
# Allow inbound TCP port for Kerb5 replication from DAS-M
iptables -A INPUT -s $DASM -d $IPADDR -p tcp --dport 754 -j ACCEPT
 
# Allow inbound UDP port for Kerb5 authentication from DASNET
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 88 -j ACCEPT
 
# Allow UDP Kerb5 query replies from DAS-M
iptables -A INPUT -s $DASM -d $IPADDR -p udp --sport 88 -m state --state ESTABLISHED -j ACCEPT
 
# Allow inbound TCP and UDP port for the Port Mapper (needed for NIS)
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 111 -j ACCEPT
# Allow FreeBSD NIS clients, which use UDP broadcasts
#iptables -A INPUT -s $DASNET -d $BROADCAST -p udp --dport 111 -j ACCEPT
 
# Allow inbound TCP and UDP ports for NIS ypserv on 888
iptables -A INPUT -s $DASNET -d $IPADDR -p tcp --dport 888 -j ACCEPT
iptables -A INPUT -s $DASNET -d $IPADDR -p udp --dport 888 -j ACCEPT
 
# Allow NIS-related RPC activity from this server to DAS-M (udp connection tracking)
iptables -A INPUT -s $DASM -d $IPADDR -p udp --sport 1:1023 -m state --state ESTABLISHED -j ACCEPT
 
# Connection Tracking - Allow TCP connections initiated by server
iptables -A INPUT -s any/0 -d $IPADDR -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
 
#-----------------------------------------------------------------------------
# LOGGING and REJECTING/DROPPING all remaining packets
 
# Drop any TCP or UDP broadcasts without logging.  I don't want to see lots of
# entries in the log for Microsoft client broadcasts, or DHCP traffic!
iptables -A INPUT -d $BROADCAST -p tcp -j DROP
iptables -A INPUT -d $ALLBROAD  -p tcp -j DROP
iptables -A INPUT -d $BROADCAST -p udp -j DROP
iptables -A INPUT -d $ALLBROAD  -p udp -j DROP
 
# Drop any TCP port 135 scans from worm-infested M$ hosts.  These are so common that
# they fill up the logs with garbage!!!
iptables -A INPUT -d $IPADDR -p tcp --dport 135 -j DROP
 
# Drop Multicast traffic.  Otherwise, all router IGMP stuff will be logged.  I don't
# want to see this.
iptables -A INPUT -d $MULTICAST -j DROP
 
# Any UDP not already allowed is logged, then dropped
iptables -A INPUT -p udp -j LOG --log-level info --log-prefix "FW UDP: "
iptables -A INPUT -p udp -j DROP
 
# Any TCP not already allowed is logged, then rejected
iptables -A INPUT -p tcp -j LOG --log-level info --log-prefix "FW TCP: "
iptables -A INPUT -p tcp -j REJECT
 
# Any ICMP not already allowed is logged, then dropped
iptables -A INPUT -p icmp -j LOG --log-level info --log-prefix "FW ICMP: "
iptables -A INPUT -p icmp -j DROP
 
# All other protocols and packets will be logged, then dropped
iptables -A INPUT -j LOG --log-level info --log-prefix "FW Prot-X: "
iptables -A INPUT -j DROP
 
#-----------------------------------------------------------------------------
echo "done"
 
exit 0

The /root/FW/das-fw-disable.sh script is the same as the one on DAS-M. Don't forget to symlink the fwon and fwoff commands if you want to use them, as well as setting up your /etc/rc.local file.

Step 4: Add host-based intrusion detection capabilities

For added protection, install tripwire and chkrootkit. Tripwire keeps a cryptographically signed database of hashes (and other attributes) of important system files; when run, typically from cron, it reports any file that has been modified, replaced, added or removed so the administrator can investigate. Chkrootkit is a simple script that looks for the traces left by commonly available rootkits and for symptoms such as promiscuous network interfaces and hidden processes.

Why do we bother with this? Because the DAS servers are the key to the security of the entire DAS network. Any compromise of the DAS servers would allow access to other shared resources and data in the lab.

To install tripwire, download the RPM from Red Hat and install it:

[root@das-m RPM]# rpm -Uvh tripwire-2.3.1-17.i386.rpm
warning: tripwire-2.3.1-17.i386.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing...                ########################################### [100%]
   1:tripwire               ########################################### [100%]

The NOKEY warning means that the package is signed but rpm could not verify the signature because Red Hat's public key is not in the RPM database. Import the key with rpm --import and re-check the package with rpm --checksig before trusting it. Instructions for configuring tripwire are in the Red Hat Tripwire manual and on the Tripwire home page listed under References; configuration is beyond the scope of this document.
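Step 1 says to upgrade with rpm -Uvh and keep a log, and the NOKEY warning above shows why the signature check should be part of that routine. The following wrapper is an added example, not part of the original page: it refuses to install any package whose GPG signature was not actually verified, then upgrades and appends a log line. The key file path, the log path and the exact layout of the "rpm -K" output lines (reproduced in the constructed samples at the bottom) are assumptions about rpm 4.x on Red Hat 9, not facts from the page. The non-obvious point it encodes is that rpm -K reports an unsigned package as "OK" when its digests match, so the wrapper checks for the word "gpg" in the verified set rather than trusting the exit status.

```shell
#!/bin/sh
# Added example, not part of the original DAS page: signature-checking
# upgrade wrapper for Step 1, and an explanation of the NOKEY warning.
#
#     sh safe-upgrade.sh openssh-server-3.5p1-11.i386.rpm ...
#
# Assumptions (not from the page): the vendor key lives at $KEYFILE, the
# log goes to $UPGRADE_LOG, and "rpm -K" prints lines like the samples
# below (rpm 4.x format).
KEYFILE=${KEYFILE:-/usr/share/rhn/RPM-GPG-KEY}
UPGRADE_LOG=${UPGRADE_LOG:-/root/upgrade.log}

# rpm_sig_ok "<one line of rpm -K output>"
# Succeed only when the line ends in OK and a lower-case "gpg" is among the
# verified items.  "NOT OK" is a failure, and so is "sha1 md5 OK" (digests
# fine, but no signature at all).  An upper-case "(GPG)" marks a signature
# rpm could not check, which always comes with NOT OK.
rpm_sig_ok() {
    case "$1" in
        *"NOT OK"*)  return 1 ;;
        *" gpg "*OK) return 0 ;;
        *)           return 1 ;;
    esac
}

# safe_upgrade PACKAGE.rpm ...
# Verify every package first, then upgrade them together and log each one.
safe_upgrade() {
    for pkg in "$@"; do
        line=$(rpm -K "$pkg" 2>&1 || true)
        if ! rpm_sig_ok "$line"; then
            echo "REFUSED: $line" >&2
            return 1
        fi
    done
    rpm -Uvh "$@" || return 1
    for pkg in "$@"; do
        echo "$(date '+%Y-%m-%d %H:%M:%S') upgraded $(basename "$pkg")" >> "$UPGRADE_LOG"
    done
}

# Constructed sample rpm -K lines: verified, unverifiable (missing key,
# the situation behind the NOKEY warning), and unsigned.
SIG_GOOD='tripwire-2.3.1-17.i386.rpm: (sha1) dsa sha1 md5 gpg OK'
SIG_NOKEY='tripwire-2.3.1-17.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)'
SIG_UNSIGNED='homebuilt-1.0-1.i386.rpm: sha1 md5 OK'

case "${1:-}" in
    --demo) for s in "$SIG_GOOD" "$SIG_NOKEY" "$SIG_UNSIGNED"; do
                if rpm_sig_ok "$s"; then echo "ACCEPT  $s"; else echo "REFUSE  $s"; fi
            done ;;
    "")     ;;
    *)      rpm --import "$KEYFILE" && safe_upgrade "$@" ;;
esac
```

The key ID printed in a MISSING KEYS message tells you which key rpm was looking for; compare it with the fingerprint published by the vendor before importing anything.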

To install chkrootkit, download the source tarball from the chkrootkit home page, unpack it, then build and run it as described in its README:

[root@das-m Tarball]# gunzip chkrootkit-0.42b.tar.gz
[root@das-m Tarball]# tar xvf chkrootkit-0.42b.tar
chkrootkit-0.42b/
chkrootkit-0.42b/ACKNOWLEDGMENTS
chkrootkit-0.42b/chkproc.c
chkrootkit-0.42b/README
chkrootkit-0.42b/chklastlog.c
chkrootkit-0.42b/README.chkwtmp
chkrootkit-0.42b/COPYRIGHT
chkrootkit-0.42b/Makefile
chkrootkit-0.42b/check_wtmpx.c
chkrootkit-0.42b/strings.c
chkrootkit-0.42b/ifpromisc.c
chkrootkit-0.42b/chkdirs.c
chkrootkit-0.42b/chkrootkit.lsm
chkrootkit-0.42b/chkwtmp.c
chkrootkit-0.42b/chkrootkit
chkrootkit-0.42b/README.chklastlog
[root@das-m Tarball]# cd chkrootkit-0.42b

Now read the README file and follow its directions (build with make sense, then run ./chkrootkit as root). Because chkrootkit relies on system commands such as ps, netstat and ls, a rootkit that has replaced those binaries can hide from it; its -p option takes a directory of known-good copies (for example, binaries taken from the install media or from a clean host) to use instead.

Step 5: Securing the Server itself

Assuming that your server is in a physically secured room, there are still some other items to attend to:

Configuring the server's BIOS:  You want to prevent an intruder from booting from a floppy or CD-ROM and reading or modifying the DAS server's hard disks from there. Configure the BIOS to boot only from the hard drive (no CD-ROM, floppy or network boot), then set a BIOS password so that the boot order cannot be changed back.

Since the BIOS can be cleared via microswitch, battery removal, or solder-point shorting, a good locking case for your server is recommended.

Bootloader password:  If you did not set a GRUB password during the base OS installation, do it now; the Red Hat 9 documentation describes how. Without it, anyone at the console can edit the kernel command line (for example, to boot with init=/bin/sh) and get a root shell on the DAS server.

Modifying /etc/inittab:  Several security enhancements can be made in the inittab config file. Here we disable rebooting with Ctrl-Alt-Del and require the root password when entering single-user mode. The two changes are the ~~:S:wait:/sbin/sulogin entry and the commented-out ca::ctrlaltdel line (note that the sulogin entry only protects runlevel S entered through init; a kernel booted with init=/bin/sh never reads inittab, which is why the GRUB password above matters):

id:3:initdefault:
 
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
 
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
 
# Sulogin required when entering single user mode
~~:S:wait:/sbin/sulogin
 
# Trap CTRL-ALT-DELETE
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
 
# When our UPS tells us power has failed, assume we have a few minutes
# of power left.  Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
 
# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
 
 
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
 
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon

You do not need to reboot to activate the new /etc/inittab; just tell init to re-read it:

[root@das-m root]# init q
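The Step 5 settings live in files that package upgrades can overwrite, and the kernel settings written by the firewall script in Step 3 are lost on every reboot that happens before the script runs. The following script is an added example, not part of the original page: it re-checks the sulogin and Ctrl-Alt-Del entries in /etc/inittab, whether grub.conf carries a password and whether that password is an MD5 hash rather than plaintext, and whether the /proc/sys values the firewall script sets are still in effect. Every check takes a path so it can be run against copies; the file formats assumed are those of Red Hat 9 (SysV inittab, GRUB 0.9x grub.conf), and the check list is drawn from the page's own script and inittab.

```shell
#!/bin/sh
# Added example, not part of the original DAS page: audit the Step 5 file
# settings and the Step 3 kernel settings on a running DAS server.
#
#     sh das-hardening-audit.sh --run
#
# Each check takes a path argument (a real file, or a copy for testing),
# prints what is wrong, and returns non-zero on a problem.

# inittab_ok FILE: succeed if runlevel S runs sulogin and no active
# ctrlaltdel action remains (the page's two inittab changes).
inittab_ok() {
    if ! grep -Eq '^~~:S:wait:/sbin/sulogin' "$1"; then
        echo "inittab: single-user mode does not require the root password"
        return 1
    fi
    if grep -Eq '^[^#].*:ctrlaltdel:' "$1"; then
        echo "inittab: Ctrl-Alt-Del still reboots the machine"
        return 1
    fi
    return 0
}

# grub_password_ok FILE: 0 if a "password --md5 <hash>" line exists,
# 2 if only a plaintext "password <secret>" line exists, 1 if there is none.
grub_password_ok() {
    if grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]' "$1"; then
        return 0
    elif grep -Eq '^[[:space:]]*password[[:space:]]' "$1"; then
        echo "grub: password is stored in plaintext; generate a hash with grub-md5-crypt"
        return 2
    fi
    echo "grub: no bootloader password set"
    return 1
}

# sysctl_ok BASE: succeed if the settings das-fw.sh writes are still in
# effect.  BASE is /proc/sys on a live host; a directory tree with the same
# layout can be passed for testing.
sysctl_ok() {
    base=$1
    rc=0
    for kv in net/ipv4/ip_forward=0 net/ipv4/tcp_syncookies=1 \
              net/ipv4/icmp_echo_ignore_broadcasts=1 \
              net/ipv4/conf/all/rp_filter=1 \
              net/ipv4/conf/all/accept_source_route=0 \
              net/ipv4/conf/all/accept_redirects=0; do
        key=${kv%=*}
        want=${kv#*=}
        have=$(cat "$base/$key" 2>/dev/null || echo missing)
        if [ "$have" != "$want" ]; then
            echo "sysctl: $key is $have, want $want"
            rc=1
        fi
    done
    return $rc
}

# audit_host: run all three against the live system (root required).
audit_host() {
    inittab_ok /etc/inittab
    grub_password_ok /boot/grub/grub.conf
    sysctl_ok /proc/sys
}

if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

Run it after Step 1 on each server and after any reboot; the sysctl check failing right after boot is exactly the rc.local timing problem noted in Step 3.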

References

Tripwire Home Page
Red Hat Tripwire Manual
Chkrootkit Home Page