How to check for Unlabeled Device Files
Device files are used for communication with important system resources. SELinux contexts should exist for these. If a device file is not labeled, then misconfiguration is likely.
To check for unlabeled device files, run the following command:
# ls -Z /dev | grep unlabeled_t
It should produce no output in a well-configured system.
Restrict Console Device Access
The default system configuration grants the console user enhanced privileges normally reserved for the root user, including temporary ownership of most system devices.
If not necessary, these privileges should be removed and restricted to root only.
Restrict device ownership to root only.
Edit /etc/security/console.perms.d/50-default.perms and locate the section prefaced by the following comment:
# permission definitions
Prepend a # symbol to comment out each line in that section which starts with <console> or <xconsole>.
Edit /etc/security/console.perms and make the following changes:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0
<xconsole>=:0\.[0-9] :0
Support for device identification using WWIDs during installation
Fibre Channel and Serial Attached SCSI (SAS) devices can now be specified by a World Wide Name (WWN) or a World Wide Identifier (WWID) for unattended installations. WWN is part of the IEEE standard, which makes it easier to identify storage devices during installation for users utilizing Storage Area Networks (SAN) and other advanced network topologies. When a storage device is attached to a server using multiple physical paths for redundancy or improved performance, the WWN of any one of these paths is sufficient to identify the device.
Hard Drives going bad, how to get SATA/ATA device information.
# hdparm -tT /dev/sda
/dev/sda:
Timing cached reads: 582 MB in 2.00 seconds = 290.60 MB/sec
Timing buffered disk reads: 96 MB in 3.05 seconds = 31.49 MB/sec
Hard drives come in three kinds: SATA, IDE, and SCSI. Many types of hardware error will show up under Linux if you use the command "dmesg". In fact, almost any type of hardware error or information will show up there.
If you think your drive may be sub par, or you want to test it, then hdparm is a good command.
[~]# hdparm -tT /dev/sda
/dev/sda:
Timing cached reads: 270 MB in 2.01 seconds = 134.60 MB/sec
Timing buffered disk reads: 80 MB in 3.07 seconds = 26.10 MB/sec
If the second measurement (buffered disk reads) is under 40 MB/sec then you should change the drive for your server.
Below is the measurement for a new server.
[~]# hdparm -tT /dev/sda
/dev/sda:
Timing cached reads: 12252 MB in 2.00 seconds = 6135.69 MB/sec
Timing buffered disk reads: 212 MB in 3.01 seconds = 70.51 MB/sec
Note: SMART allows you to have a good degree of prediction on when the drive will reach its end of life.
major and minor device number
Linux creates special files, called nodes, for each device on the system. All communication with the device is performed through the device node. Each node has a unique number pair that identifies it to the Linux kernel. The number pair includes a major and a minor device number. Similar devices are grouped into the same major device number. The minor device number is used to identify a specific device within the major device group. This is an example of a few device files on a Linux server:
root@dell:/dev# ls -al sda* ttyS*
brw-rw---- 1 root disk 8, 0 Feb 8 07:12 sda
brw-rw---- 1 root disk 8, 1 Feb 8 07:12 sda1
brw-rw---- 1 root disk 8, 2 Feb 8 07:12 sda2
crw-rw---- 1 root dialout 4, 64 Feb 8 07:12 ttyS0
crw-rw---- 1 root dialout 4, 65 Feb 8 07:12 ttyS1
crw-rw---- 1 root dialout 4, 66 Feb 8 07:12 ttyS2
crw-rw---- 1 root dialout 4, 67 Feb 8 07:12 ttyS3
The fifth column is the major device node number. Notice that all of the sda devices have the same major device node, 8, while all of the ttyS devices use 4. The sixth column is the minor device node number. Each device within a major number has its own unique minor device node number.
The first column indicates the permissions for the device file. The first character of the permissions indicates the type of file. Notice that the SCSI hard drive files are all marked as block (b) devices, while the COM port device files are marked as character (c) devices.
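As an added example (not part of the original notes), the following Python script parses an `ls -al` listing of /dev like the one above, groups nodes by major number, and flags any node that is not root-owned or grants access to "other"; the sample listing is constructed, and the `stat_node` helper is assumed to run on Linux, where it reads the same major/minor pair from the inode.

```python
import os
import re
import stat

# One `ls -al` line for a device node ("brw-rw---- 1 root disk 8, 0 Feb 8 07:12 sda");
# a trailing "." or "+" after the mode bits (SELinux context / ACL marker) is tolerated.
_LS_LINE = re.compile(
    r"^(?P<kind>[bc])(?P<perms>[rwxstST-]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<major>\d+),\s*(?P<minor>\d+)\s+\S+\s+\d+\s+\S+\s+(?P<name>\S+)$"
)

# Constructed sample listing (modelled on the one in the text, plus two weak entries).
SAMPLE_LISTING = """\
brw-rw---- 1 root disk 8, 0 Feb 8 07:12 sda
brw-rw---- 1 root disk 8, 1 Feb 8 07:12 sda1
crw-rw---- 1 root dialout 4, 64 Feb 8 07:12 ttyS0
crw-rw-rw- 1 root dialout 4, 65 Feb 8 07:12 ttyS1
crw-rw---- 1 alice dialout 4, 66 Feb 8 07:12 ttyS2
lrwxrwxrwx 1 root root 3 Feb 8 07:12 cdrom -> sr0
"""

def parse_listing(text):
    """Return one dict per block/char device line; symlinks, dirs and plain files are skipped."""
    devices = []
    for line in text.splitlines():
        m = _LS_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["kind"] = "block" if d["kind"] == "b" else "char"
            d["major"], d["minor"] = int(d["major"]), int(d["minor"])
            devices.append(d)
    return devices

def group_by_major(devices):
    """Major number -> sorted (minor, name) pairs: same major means the same driver/class."""
    groups = {}
    for d in devices:
        groups.setdefault(d["major"], []).append((d["minor"], d["name"]))
    return {major: sorted(entries) for major, entries in groups.items()}

def audit(devices):
    """Names of nodes that are not root-owned or grant any permission to 'other'."""
    return [d["name"] for d in devices
            if d["owner"] != "root" or d["perms"][6:] != "---"]

def stat_node(path):
    """Live variant (Linux): type and major/minor read from the inode rather than ls output."""
    st = os.lstat(path)
    kind = "block" if stat.S_ISBLK(st.st_mode) else "char" if stat.S_ISCHR(st.st_mode) else None
    return (kind, os.major(st.st_rdev), os.minor(st.st_rdev)) if kind else None
```

Run `audit(parse_listing(open("listing.txt").read()))` on a saved `ls -al /dev` to get the weak nodes, or call `stat_node("/dev/sda")` on a live box.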