Linux - Management and Monitoring Service Implementation
- Updated on 17 Feb 2021
MANAGEMENT
Operating system health and availability are maintained by the Operations Support Center (OSC), which is also available to assist with OS management questions and issues.
PATCHING
Please refer to Expedient’s patching policy for more details: “Managed Linux/Unix OS Patching Policy”
MONITORING
Operating system resource monitoring with Cacti
The Cacti service stores historical monitoring data for system resources, including network, uptime, CPU, memory, load average and disk I/O. This data is available at https://mynetwork.expdient.com and is presented as graphs by default. Data is retained for up to one year.
Health, Service, Process and Log Monitoring
Secretagentmon
The Secretagentmon monitoring agent can monitor and alert on load average, running processes, log keywords, disk space and memory usage.
ISM
ISM provides protocol monitoring for any monitored server, covering DNS, HTTP, HTTPS, ICMP, SMTP, IMAP, POP3 and FTP.
MANAGED LINUX & UNIX OS STANDARDS
The following are Expedient requirements for servers subscribed to “Premium Management and Monitoring – Unix/Linux” (SKUs 85 and 91):
- Root account restrictions
- SUDO for privileged access
- Remote console access
- System partitioning standards
- GUI Desktop Installation
- Software installation
- Software updates
Root account restrictions
To shorten response time and allow critical alerts to be addressed, Expedient must have access to the root account password. The credentials are stored, managed and documented in the Expedient password management system, with full logging and auditing of every request and retrieval. Root privileges are necessary for automated security response, patching and compliance checks. All other operational management and monitoring activity is conducted from individual named accounts with appropriate authorization and the permissions defined in sudo. Remote SSH sessions authenticated with the root password are strictly prohibited.
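As an added example (not Expedient's own tooling), the following shell function decides whether an sshd_config still allows root to log in with a password. It relies on a documented sshd behaviour: for each keyword the first value obtained is used, so a `PermitRootLogin no` appended below an earlier `PermitRootLogin yes` never takes effect. The two configurations are constructed samples; the defaults assumed are OpenSSH's (`PermitRootLogin prohibit-password`, `PasswordAuthentication yes`). Directives inside Match blocks and the `keyword=value` form are deliberately not handled.

```sh
#!/bin/sh
# Added example: audit an sshd_config for root password logins.
# sshd uses the FIRST value it reads for each keyword, so this function mirrors
# that rule instead of taking the last line in the file.

# effective_value CONFIG_TEXT keyword default
# Prints the first value set for the keyword in the global section (before any
# Match block), or the default if the keyword is never set.
effective_value() {
    printf '%s\n' "$1" | awk -v kw="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }           # comments and blank lines
        tolower($1) == "match"      { exit }           # global section ends here
        tolower($1) == tolower(kw)  { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    '
}

# root_password_login_allowed CONFIG_TEXT -> "allowed" or "denied"
# Root can authenticate with a password only if PermitRootLogin is "yes" AND
# PasswordAuthentication is "yes" (OpenSSH defaults: prohibit-password / yes).
root_password_login_allowed() {
    prl=$(effective_value "$1" PermitRootLogin prohibit-password)
    pwa=$(effective_value "$1" PasswordAuthentication yes)
    if [ "$prl" = "yes" ] && [ "$pwa" = "yes" ]; then
        echo allowed
    else
        echo denied
    fi
}

# Constructed sample: a hardening line appended at the end that sshd ignores,
# because an earlier line already set PermitRootLogin.
WEAK_SSHD_CONFIG='# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later by a "hardening" step; has no effect
PermitRootLogin no'

# Constructed sample that meets the standard: root keys only, no root passwords.
OK_SSHD_CONFIG='# sshd_config (constructed sample)
PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no'

echo "weak config: root password login $(root_password_login_allowed "$WEAK_SSHD_CONFIG")"   # allowed
echo "ok config:   root password login $(root_password_login_allowed "$OK_SSHD_CONFIG")"     # denied
```

On a live host the same first-match rule is what `sshd -T` reports, so the function is a way to review a config file offline before it is deployed.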
SUDO for privileged access
Privileged access for customers and Expedient staff is provided through the sudo command, and the commands and actions run are logged accordingly. Elevation to root, shell execution and disabling the password prompt are not permitted via sudo. All other commands and groups of commands can be delegated to system users and groups.
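The following is an added example, not Expedient's tooling, of a check for the three sudo restrictions above applied to a sudoers file: an unrestricted `ALL` command grant (elevation to root), a command that is itself a shell or `su` (shell execution), and the `NOPASSWD:` tag (taken here as what the standard calls negation of passwords; that mapping is an assumption). The parser is intentionally simple: one entry per line, no backslash continuations, no `sudoedit`, and no detection of editors or pagers that offer shell escapes. Both sudoers fragments are constructed samples.

```sh
#!/bin/sh
# Added example: flag sudoers entries that break the three rules above
# (elevation to root via an unrestricted ALL, shell execution, NOPASSWD).
# Deliberately simple parser: one entry per line, no "\" continuations.

# audit_sudoers SUDOERS_TEXT -> one line per violation (nothing if compliant)
audit_sudoers() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            n = split("sh bash dash zsh ksh csh tcsh su", s, " ")
            for (i = 1; i <= n; i++) shells[s[i]] = 1
        }
        /^[[:space:]]*#/ || NF == 0             { next }   # comments, blank lines
        /^[[:space:]]*Defaults/                 { next }   # option lines
        /^[[:space:]]*(User|Host|Runas)_Alias/  { next }   # not command grants
        /=/ {
            spec = $0
            sub(/^[^=]*=/, "", spec)                  # keep what follows the first "="
            sub(/^[[:space:]]*\([^)]*\)/, "", spec)   # drop a (runas) list
            if (spec ~ /NOPASSWD:/)
                printf("line %d: NOPASSWD disables the password prompt\n", NR)
            m = split(spec, cmds, ",")                # commas inside arguments are not handled
            for (i = 1; i <= m; i++) {
                c = cmds[i]
                sub(/^[[:space:]]+/, "", c)
                sub(/[[:space:]]+$/, "", c)
                sub(/^([A-Z]+:[[:space:]]*)+/, "", c)  # strip tags such as NOPASSWD: or NOEXEC:
                if (c ~ /^!/) continue                 # negated entry: a removal, not a grant
                if (c == "ALL") {
                    printf("line %d: ALL grants unrestricted root\n", NR)
                    continue
                }
                split(c, w, " ")
                base = w[1]; sub(/.*\//, "", base)
                if (base in shells)
                    printf("line %d: %s permits shell execution\n", NR, w[1])
            }
        }
    '
}

# sudoers_violation_count SUDOERS_TEXT -> number of violations
sudoers_violation_count() {
    audit_sudoers "$1" | wc -l | tr -d '[:space:]'
}

# Constructed sample that breaks all three rules.
NONCOMPLIANT_SUDOERS='# constructed sample
Cmnd_Alias SHELLS = /bin/bash
alice   ALL=(ALL) ALL
bob     ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
carol   ALL=(root) SHELLS'

# Constructed sample in the spirit of the standard: named commands delegated
# to a group, password still required, no route to a shell.
COMPLIANT_SUDOERS='# constructed sample
Cmnd_Alias WEBSVC = /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
Cmnd_Alias WEBLOG = /usr/bin/journalctl -u httpd
%webadmins ALL=(root) WEBSVC, WEBLOG'

audit_sudoers "$NONCOMPLIANT_SUDOERS"
echo "non-compliant sample: $(sudoers_violation_count "$NONCOMPLIANT_SUDOERS") violation(s)"   # 3
echo "compliant sample:     $(sudoers_violation_count "$COMPLIANT_SUDOERS") violation(s)"       # 0
```

The shell alias in the non-compliant sample is reported where it is defined rather than where it is granted, which is the point at which it should be removed; `visudo -c` still has to be run afterwards, since this check says nothing about syntax.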
Remote console access
Remote console access must remain available for cases where SSH access to a system is lost. Troubleshooting then takes place through the VMware vSphere vCenter console for virtual systems, or through an out-of-band management interface such as a Dell DRAC for physical systems.
System partitioning standards
The standard partitioning layout segregates OS, application, and user data onto dedicated Logical Volumes preventing the application and/or user data from encroaching on the root partition. By default, the following directories have dedicated Logical Volumes:
Mount | Minimum LV Size | Description |
---|---|---|
/ | 5 GB | Root - OS Data |
/boot | 512 MB | Non-LVM /boot partition |
/home | 1 GB | Home – User Data |
/srv | 1 GB | Srv – Application Data |
/tmp | 2 GB | Temp – OS Data/volatile storage |
/var | 5 GB | Var – OS/Log Data |
The following directories under /var are bind mounts of the corresponding directories under /srv, so that data for common user applications is kept on the /srv Logical Volume rather than on /var. They are provided by default but can be removed if not used.
/var path | Backing path on /srv |
---|---|
/var/www | /srv/www |
/var/lib/mysql | /srv/lib/mysql |
Logical Volumes can be expanded on a per system/per volume basis to accommodate specific application needs.
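As an added example (not Expedient's tooling), the following shell function compares a mount listing against the partitioning standard above: each listed directory must be its own mount at or above the minimum size, /boot must not be a Logical Volume, and the default bind mounts are reported but not required since the standard allows their removal. The listing format assumed is `TARGET SOURCE SIZE_IN_BYTES` per line, as `findmnt -rn -b -o TARGET,SOURCE,SIZE` prints it (an assumption; the sample listing is constructed), and the GB/MB figures in the table are read as GiB/MiB.

```sh
#!/bin/sh
# Added example: compare a mount listing against the partitioning standard.
# Input format assumed: one mount per line, "TARGET SOURCE SIZE_IN_BYTES",
# as produced by: findmnt -rn -b -o TARGET,SOURCE,SIZE   (assumption)

# check_layout LISTING_TEXT -> sorted lines starting with FAIL or INFO
check_layout() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            # Minimum Logical Volume sizes from the standard; GB/MB read as
            # GiB/MiB here (assumption).
            min["/"]     = 5 * 1024 * 1024 * 1024
            min["/boot"] = 512 * 1024 * 1024
            min["/home"] = 1 * 1024 * 1024 * 1024
            min["/srv"]  = 1 * 1024 * 1024 * 1024
            min["/tmp"]  = 2 * 1024 * 1024 * 1024
            min["/var"]  = 5 * 1024 * 1024 * 1024
            # Default bind mounts; optional per the standard, so only reported.
            bind["/var/www"]       = "/www"
            bind["/var/lib/mysql"] = "/lib/mysql"
        }
        NF >= 3 { src[$1] = $2; size[$1] = $3 + 0 }
        END {
            for (m in min) {
                if (!(m in size))
                    printf("FAIL %s: no dedicated mount\n", m)
                else if (size[m] < min[m])
                    printf("FAIL %s: %.0f bytes is below the %.0f byte minimum\n", m, size[m], min[m])
            }
            # /boot must be a plain partition, not a Logical Volume
            if (("/boot" in src) && src["/boot"] ~ /^\/dev\/mapper\//)
                printf("FAIL /boot: %s is an LVM volume\n", src["/boot"])
            # findmnt shows a bind mount as SOURCE[/subdir]; it must come from the /srv volume
            for (b in bind) {
                expected = src["/srv"] "[" bind[b] "]"
                if (!(b in src))
                    printf("INFO %s: bind mount not present (optional)\n", b)
                else if (src[b] != expected)
                    printf("FAIL %s: expected %s, found %s\n", b, expected, src[b])
            }
        }
    ' | sort
}

# layout_failure_count LISTING_TEXT -> number of FAIL lines
layout_failure_count() {
    check_layout "$1" | grep -c '^FAIL' || true
}

# Constructed listing with two defects: /boot on LVM and /tmp at 1 GiB.
MOUNTS='/ /dev/mapper/vg_sys-root 6442450944
/boot /dev/mapper/vg_sys-boot 1073741824
/home /dev/mapper/vg_sys-home 1073741824
/srv /dev/mapper/vg_sys-srv 4294967296
/tmp /dev/mapper/vg_sys-tmp 1073741824
/var /dev/mapper/vg_sys-var 5368709120
/var/www /dev/mapper/vg_sys-srv[/www] 4294967296'

# The same listing after moving /boot to a plain partition and growing /tmp to 2 GiB.
FIXED_MOUNTS=$(printf '%s\n' "$MOUNTS" \
    | sed -e 's|/dev/mapper/vg_sys-boot|/dev/sda1|' \
          -e 's|vg_sys-tmp 1073741824|vg_sys-tmp 2147483648|')

check_layout "$MOUNTS"
echo "defective listing: $(layout_failure_count "$MOUNTS") failure(s)"      # 2
echo "fixed listing:     $(layout_failure_count "$FIXED_MOUNTS") failure(s)" # 0
```

Run against a real host, the listing comes from `findmnt` and the only expected output is INFO lines for bind mounts that were deliberately removed.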
GUI Desktop Installation
Expedient’s standard is not to install a GUI desktop environment as part of the Linux OS build. A server with a GUI inhibits direct access to the console and has been the cause of stability issues on multiple Linux distributions. The presence of a GUI desktop or X Window System also enlarges the set of known vulnerabilities that can be exploited on the OS, and that software is not covered under Expedient patch management processes.
Software installation
Software installation is supported through the distribution's package manager (yum, apt-get). Expedient supports software installed from the official distribution repositories. Software installed from third-party repositories is not covered under the SLA, because of package dependency conflicts.
Software Updates (Patching)
Systems are periodically updated to apply security fixes, and certain security updates are mandatory. Expedient does not apply updates from third-party repositories. Please review Expedient’s patching guide for more details.
SELinux
SELinux is disabled by default unless specifically requested. Expedient does not support SELinux for third-party applications.
Expedient Access
By default, each server is joined to an Active Directory domain to provide Expedient with access to the system.