Linux Post-Installation Configuration and Secure Baseline
You will take a raw Linux install and turn it into a consistent, patched, secure baseline every other server inherits. By the end the host is fully updated, time-synced, and managed through a non-root sudo account.
Learning Objectives
- Patch the system and enable automatic security updates.
- Set hostname, timezone, and time synchronization.
- Create a non-root administrative user.
- Time: ~1 hour · Difficulty: Beginner · Prereqs: a fresh VM with sudo access.
Architecture Overview
Environment Setup
You will need: the VM from the install lab with internet access and sudo.
Before you begin: confirm time and date are roughly correct so package signatures validate.
Step-by-Step Execution
Patching first closes known vulnerabilities before the host does anything else.
sudo apt update && sudo apt full-upgrade -yUnattended-upgrades applies security patches without manual intervention, shrinking your exposure window.
sudo apt install -y unattended-upgrades && sudo dpkg-reconfigure -plow unattended-upgradesConsistent identity and accurate time are prerequisites for correlating logs across hosts.
sudo hostnamectl set-hostname srv01 && sudo timedatectl set-timezone America/Toronto && sudo timedatectl set-ntp trueDaily work should never use root directly; a sudo user gives auditable, revocable elevation.
Progress So Far
Testing & Validation
Run this final check:
timedatectl status && id taki && systemctl is-enabled unattended-upgradesYou should see NTP active, the user in the sudo group, and auto-updates enabled. If all checks pass, your baseline is ready.
Troubleshooting
- apt update fails with signature errors: the clock is wrong; set time with
sudo timedatectl set-ntp trueand retry. - sudo: user not in sudoers: re-run
usermod -aG sudo takiand start a fresh login. - Held-back packages: run
sudo apt full-upgraderather than plain upgrade.
Extension Ideas
- Harden remote access with SSH Hardening.
- Centralize logs in Log Management & Analysis.
- Automate this baseline with Ansible across many hosts.
Key Results
- Brought a fresh host to a fully patched state in one pass.
- Enabled automatic security updates, reducing the patch gap to under 24 hours.
- Replaced direct root use with an auditable sudo account.
- Standardized hostname, timezone, and NTP for log correlation.