Eric Wedaa’s notes on setting up centos 6.2

July 13, 2012

I just came across this page and thought i’d post it because it had some good content:

# Eric Wedaa's notes on setting up centos 6.2
# email wedaa@wedaa.com
#
# May 9-21, 2012
#
# In general, I used mozilla to download the files into
# /home/shepherd/Downloads
#
######################################################################
#
# date command for copying and chmoding files
# chmod does not work if you run cp command to close to midnight
#
# `date +%Y.%m.%d.%H.%M`
#
# you might want to set this
#
export LD_LIBRARY_PATH=/opt/csw/lib:/opt/csw/gcc4/lib:/usr/lib/:/usr/local/lib
#
######################################################################
#
# This MAY look like a shell script, but it isn't really.
#
# These are commands to cut/paste into your window. This is because
# there may be newer versions of the software, and because sometimes
# you really need to edit some of the configuration files by hand
# to make things work properly.
#
######################################################################
#
# Update CPAN because it ALWAYS needs updating
#

cpan CPAN
cpan YAML

######################################################################
#
# Update all the RPM Packages so that we are up to date with the
# latest patches
#

yum -y update

######################################################################
#
# Make sure iptables is configured and running
#
service iptables status

######################################################################
#
# Install OpenVAS
#

wget -q -O - http://www.atomicorp.com/installers/atomic |sh
yum install openvas
openvas-setup
/usr/sbin/openvas-adduser

# APPARENTLY NOT NEEDED /usr/sbin/openvas-mkcert

# BTW-You will have to rerun these next two commands to make
# sure that your signature files are up to date.
# Maybe you can add them to /etc/rc.local or to root's crontab file

/usr/sbin/openvas-nvt-sync
/usr/sbin/openvasmd --rebuild

#restarting takes a little bit. make sure to disable this at boot
#time if you don't use it every day.

service openvas-scanner restart

#Now that we're done setting up openvas, we want to make atomic repo
#an invalid source so we don't accidentally download rpms from there

mv /etc/yum.repos.d/atomic.repo /etc/yum.repos.d/atomic.repo.dont_use

#Disable openvas at startup, I don't need it running everyday
chkconfig openvas-administrator off
chkconfig openvas-manager off
chkconfig openvas-scanner off

######################################################################
#
# fix postfix security holes
# Also good for OpenVAS complaints
#

echo "disable_vrfy_command=yes" >> /etc/postfix/main.cf
vi /etc/postfix/main.cf
#search for and uncomment next line
#inet_interfaces = all
#search for and comment out the next line
#inet_interfaces = localhost
#
#find the mydomain line and add your domainname
#mydomain = wedaa.com
#

######################################################################
#
# fix apache security holes
# Also good for OpenVAS complaints

echo "TraceEnable Off" >> /etc/httpd/conf/httpd.conf
echo "Header unset ETag " >> /etc/httpd/conf/httpd.conf
echo "FileETag None " >> /etc/httpd/conf/httpd.conf

######################################################################
#
# Turn off unneeded services
# Also good for OpenVAS complaints
#

chkconfig cups off
chkconfig nfs off
chkconfig nfslock off

######################################################################
#
# Create local repo diretory
#

yum install createrepo
mkdir /home/shepherd/yum-stuff
cd /home/shepherd/yum-stuff
wget -nc -r http://centos.mirror.nac.net/6.2/updates/i386/Packages/

echo "STILL NEEDS configuration work so I can use it locally

######################################################################
#
# Install star (S-tar archiver)
#
yum install star

######################################################################
#
#Install telnet, but not the telnetd daemon (which is a security risk)
#

yum install telnet

######################################################################
#
#Yes, I know lftp is sometimes installed, but I like the simplicity
# of ftp sometimes
#

yum install lftp
yum install ftp

######################################################################
#
# Install all the named stuff
#
yum install bind
yum install bind-devel

cp named.iscdlv.key named.iscdlv.key.`date +%Y.%m.%d.%H.%M`
cp named.root.key named.root.key.orig.`date +%Y.%m.%d.%H.%M`
cp named.conf named.conf.orig.`date +%Y.%m.%d.%H.%M`
cp named.rfc1912.zones named.rfc1912.zones.`date +%Y.%m.%d.%H.%M`

chmod go-rwx named.iscdlv.key.`date +%Y.%m`*
chmod go-rwx named.root.key.orig.`date +%Y.%m`*
chmod go-rwx named.conf.orig.`date +%Y.%m`*
chmod go-rwx named.rfc1912.zones.`date +%Y.%m`*

#Get host2dns from http://seriss.com/people/erco/unixtools/hosts2dns/

cd /home/shepherd/Downloads
tar -xvf hosts2dns-0.95.tar.gz
cp hosts2dns /usr/local/sbin
chmod go-rwx /usr/local/sbin/hosts2dns

cp /etc/hosts /etc/hosts.`date +%Y.%m.%d.%H.%M`
chmodgo-rwx /etc/hosts.`date +%Y.%m.%d.%H.%M`

vi /etc/hosts #And follow the instructions on the website
#Sample below, pay attention to DNS lines
#!DNS:DOMAIN foo.x -- CHANGE THIS: SET TO YOUR DNS DOMAIN NAME
##!DNS:START -- Start of hosts to be added to DNS
#192.168.0.1 router ro -- eg. this will become router.foo.x
#192.168.0.2 howland ho how -- eg. this will become howland.foo.x
#192.168.0.12 havasu ha
##!DNS:END -- End of hosts to be added to DNS

/usr/local/sbin/hosts2dns -update

#This script contains a small bug which lists same
#REVERSE network twice.
vi /etc/named.conf #Remove the last one
service named start

# Add an MX record (make sure this is right path)
echo '@ IN MX 10 shepherd.wedaa.com'>> /var/named/fwd.wedaa.com

#Now restart named
service named restart

#Just like /etc/named.conf says, all the good files are in /var/named

#Edit /etc/resolv.conf to make domainname wedaa.com
cp /etc/resolv.conf /etc/resolv.conf.orig
echo "domain wedaa.com"> /etc/resolv.conf
echo "nameserver 127.0.0.1" >>/etc/resolv.conf
echo "nameserver 192.168.0.15" >>/etc/resolv.conf

#Anytime a change is made in /etc/hosts you need to run
#/usr/local/sbin/hosts2dns -update
#AND update the MX record for the domain
#echo '@ IN MX 10 shepherd.wedaa.com'>> fwd.wedaa.com
#Now restart named
service named restart

#DNS testing
#nslookup
#set q=mx
#us.ibm.com
#wedaa.com
#shepherd.wedaa.com

#NOTE: One of these days I'll edit hosts2dns to be able to
#figure out the MX entry and write it at the bottom of the fwd.wedaa.com
#file, but not today. If I used this more often I'd have added
#it already.

######################################################################
#
# How to get apache running on other than port 80 and 443
#
#http://danwalsh.livejournal.com/9275.html
#

#Show which ports under selinux http can access

semanage port -l | grep http

#http_cache_port_t tcp 3128, 8080, 8118, 8123, 10001-10010
#http_cache_port_t udp 3130
#http_port_t tcp 80, 443, 488, 8008, 8009, 8443
#pegasus_http_port_t tcp 5988
#pegasus_https_port_t tcp 5989
#So I can also listen to 8118
#set listen in httpd.conf to also listen to 8118
vi /etc/httpd/conf/httpd.conf
service httpd restart

#To add port 81 for http
#semanage port -a -t http_port_t -p tcp 81
#

######################################################################
#
# Download flash from http://get.adobe.com/flashplayer/
# get the tar.gz file
#
cd /usr/shepherd/Downloads
tar -xvf ../install_flash_player_11_linux.i386.tar.gz
cd /usr/lib/mozilla/plugins
cp ~shepherd/Downloads/libflashplayer.so .
cd ~shepherd/Downloads/
cp -r usr/* /usr

# start firefox, go to http://www.adobe.com/software/flash/about/
# and that will show if installed properly

######################################################################
#
# modify ssh stuff
#

# Edit config file so nobody else can login
# Also good for OpenVAS complaints

echo "AllowUsers ericw shepherd" >>/etc/ssh/sshd_config
service sshd restart

# If you want to be able to login without being prompted for
# a password, follow instructions from
# http://wiki.centos.org/HowTos/Network/SecuringSSH
#

#Block too many cracking attempts on ssh by using iptables

iptables -A INPUT -p tcp --dport 22 -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --dport 22 -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT
service iptables restart

######################################################################
#
# setup sudo for me
#
cp /etc/sudoers /etc/sudoers.orig
echo "shepherd ALL=(ALL) ALL">>/etc/sudoers

######################################################################
#
# Make sure only I can run su command
#
usermod -G wheel shepherd

Find these lines in /etc/pam.d/su:

# Uncomment the following line to require a user to be in the “wheel” group.
# #auth required pam_wheel.so use_uid
#
# And change them (as suggested) to this:
#
# # Uncomment the following line to require a user to be in the “wheel” group.
# auth required pam_wheel.so use_uid

######################################################################
#
# enable/turn on NFS
#

modprobe nfs
service nfs start
echo "/home 192.168.0.0/24(rw)">>/etc/exports
exportfs -a
#Show that it was exported
exportfs

# Now turn it all off till we need it

chkconfig nfs off
chkconfig nfslock off

######################################################################
#
# Setup samba/cifs
#

# Now turn it all off till we need it

######################################################################
#
# Get imapd going
#

service saslauthd start
chkconfig saslauthd on
testsaslauthd -u username -p password
# Output should be "0: OK "Success."

passwd cyrus

yum install cyrus-sasl
yum install cyrus-imapd
chkconfig cyrus-imapd on
service cyrus-imapd restart

#Set password for user cyrus
saslpasswd2 cyrus

#Chown ownership so that cyrus utilities can read the darn file
chown cyrus /etc/sasldb2

#To create a user
# cyradm -user cyrus localhost
# it will prompt for password
# To create a user "spam"
#createmailbox user.spam
# to list mailboxes from inside cyradm
#lm

######################################################################
#
# Installing mySQL
# Get mysqld running
#

chkconfig mysqld on
service mysqld restart
#Setup stuff
/usr/bin/mysql_secure_installation

######################################################################
#
# Installing squirrelmail
# Requires mysql sasl, cyrus-imapd and other things
#
# Make sure you do the postfix setup from above
#
# Get lastest squirrelmail from http://squirrelmail.org/download.php
cd /var/www/html/
tar -xf /home/shepherd/Downloads/squi*tar.gz
mv squ* squirrel
cd squirrel

mkdir /var/squirrel
mkdir /var/squirrel/data
chmod 0730 /var/squirrel/data
mkdir /var/squirrel/attachment
chmod 0730 /var/squirrel/attachment
chown apache /var/squirrel /var/squirrel/data /var/squirrel/attachment

./config/conf.pl #NON TRIVIAL SETUP, READ THE INSTALL GUIDE

#As it says, plaintext authentication is disabled. Enable that on your
#IMAP server or set "$imap_auth_mech = 'cram-md5';" in SquirrelMail
# configuration file - /var/www/html/squirrel/config/config.php.

#Now we configure mailbox_transport in /etc/postfix/main.cf.
#Add this line to the bottom:

echo "mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp" >>/etc/postfix/main.cf
service postfix restart

# SEE THIS WEBPAGE FOR HELP
#http://nakedape.cc/info/Cyrus-IMAP-HOWTO/Cyrus-IMAP-HOWTO.html
#
## PROBLEM WITH SELINUX AND IMAPD, IMAP, squirrelmail
#type=AVC msg=audit(1337040367.783:114): avc: denied { name_connect } for pid=3823 comm="httpd" dest=143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
#type=SYSCALL msg=audit(1337040367.783:114): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf9d8950 a2=208afcc a3=0 items=0 ppid=2724 pid=3823 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
#type=AVC msg=audit(1337040367.783:115): avc: denied { name_connect } for pid=3823 comm="httpd" dest=143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
#type=SYSCALL msg=audit(1337040367.783:115): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf9d8950 a2=208afcc a3=0 items=0 ppid=2724 pid=3823 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
#
# Enable selinux httpd can connect to network services
setsebool -P httpd_can_network_connect=1

# There are LOTS of plugins available at
# http://squirrelmail.org/plugins.php
# like the ever popular address book and calendar

######################################################################
#
# Install Bugzilla
#
# download from http://www.bugzilla.org/download/
# Installation hints are from
# http://www.thegeekstuff.com/2010/05/install-bugzilla-on-linux/
#
cd /home/shepherd/Downloads
mkdir bugzilla
mv bug*gz bugzilla
cd bugzilla
su
cd /var/www/html
tar -xf /home/shepherd/Downloads/bugzilla/*gz
cd bugzilla-4.2.1
vi /etc/my.cnf #read instructions on setting max_allowd_packet=4m
service mysqld restart
./checksetup.pl
/usr/bin/perl install-module.pl --all #This is going to take a few minutes
yum install gd-devel
/usr/bin/perl install-module.pl GD
#Setup mysql per directions
vi localconfig #to setup password for mysql
./checksetup.pl

#aw geezzz, gotta setup mod_cgi and figure out how to configure this
#Add this to the bottom of /etc/httpd/conf/httpd.conf

AddHandler cgi-script .cgi
Options +Indexes +ExecCGI
DirectoryIndex index.cgi
AllowOverride Limit FileInfo Indexes

#
#THEN you still get to login to bugzilla and goto
#http://localhost/bugzilla/editparams.cgi
#to finish the setup (READ the docs)

######################################################################
#
# Install Snort 2.9.2.3-1
#
# from http://www.snort.org/snort-downloads
# I downloaded snort-mysql-2.9.2.3-1.RHEL6.i386.rpm
#
# Also requires
# 1:snort-mysql-2.9.2.3-1.i386 requires libsfbpf.so.0
# 1:snort-mysql-2.9.2.3-1.i386 requires snort = 1:2.9.2.3-1
# 1:snort-mysql-2.9.2.3-1.i386 requires libdnet.1
# What a cluster Fk
# The rpm will NOT install because the other libraries are not
# installed, but there are no CENTOS RPMs with those libraries.
#
# So I have to install everything from source code
#
# get libdnet from
# http://code.google.com/p/libdnet/downloads/detail?name=libdnet-1.12.tgz&can=2&q=
# Time to install from source
# got libpcap from www.tcpdump.org and installed
# got daq from http://www.snort.org/snort-downloads/
# got ERROR! Libpcre header not found.
# Get it from http://www.pcre.org
#
#Downloaded SOURCE for snort and ./configure; make; make install

#
# Now download and install/configure the plugin to modify iptables
# on the fly
#
# Please see docs at
# http://doc.emergingthreats.net/bin/view/Main/SnortSamDocumentation
#
# Warning, you must patch snort and recompile to use snortsam
#
#http://www.snortsam.net/

######################################################################
#
# Install Tripwire
#
# from http://sourceforge.net/projects/tripwire/
#
cd /home/shepherd/Downloads/
mkdir tripwire
mv tripwire*bz2 tripwire
cd tripwire/
tar -xf tripwire-2.4.2.2-src.tar.bz2
cd tripwire-2.4.2.2-src
./configure
make
su
make install
exit
# A clear-text version of the Tripwire policy file
# /usr/local/etc/twpol.txt
# has been preserved for your inspection. This implements
# a minimal policy, intended only to test essential
# Tripwire functionality. You should edit the policy file
# to describe your system, and then use twadmin to generate
# a new signed copy of the Tripwire policy.
su
cp /usr/local/etc/twpol.txt /usr/local/etc/twpol.txt.orig
# Edit the config file to comment out checking /home filesystem
# as that can take forever and IMHO isn't really needed
# (I'll take the chance)
vi /usr/local/etc/twpol.txt
twadmin -m P /usr/local/etc/twpol.txt
tripwire --test --email shepherd@localhost
#Now to initialize the datafile, this will take forever :-)
tripwire --init -v #-v for verbose, just so you can see it working :-)

#Add this script as /usr/localsbin/tripwire-update.sh
# #!/bin/sh
# This will update the tripwire database which is faster than
# recreating from scratch
# DIR=/usr/local/lib/tripwire/report
# HOST=`hostname -s`
# LAST_REPORT=`ls -1t $DIR/$HOST-*.twr | head -1`
# echo tripwire --update --twrfile "$LAST_REPORT"

######################################################################
#
# Install COPS (Old, but still finds stuff occasionally)
# Cops 1.04+ is the latest with minor bugfixes
#
# ftp://coast.cs.purdue.edu/pub/tools/unix/scanners/cops/
#

cd /home/shepherd/Downloads
mkdir src
mkdir src/cops
mv cops*gz src/cops
cd src/cops
tar -xvf cops*gz

######################################################################
#
# Install Nagios
#

######################################################################
#
# Install TWIG (Just for giggles. It's dead but I want to take a
# look at it again and see if there's something still usefull about
# it.
#
# Found 2.8.3 at http://rpm.pbone.net/index.php3/stat/26/dist/66/size/1055046/name/twig-2.8.3-4mdv2009.0.src.rpm
#
# There WERE diffs all the way up to 2.8.7 but I can't find them anywhere :-(
#
# timestamp(14) is no longer valid, fix in mysql files
# http://bugs.mysql.com/bug.php?id=41510
# Also fixed bad default '0' bug (deprecated since last mysql release

yum install aspell
#really test with http://localhost/twig/test.php
# there is a bug on the line
# $aparse = TWIGMailParseAddresssList( "twig@informationgateway.org", $config["fromdomain"] );
# There is one too many "s" in AddressList
#
yum install php-imap
#
# Please see http://wedaa.com/eric/software/twig-stuff/
# For more details.

######################################################################
#
# Install LDAP (for passwords and address book)
#

######################################################################
#
# Install Avast Windows virus scanner
#
# http://www.avast.com/en-us/linux-home-edition
#
# See installation help at
# http://www.howtogeek.com/howto/14434/scan-a-windows-pc-for-viruses-from-a-ubuntu-live-cd/

######################################################################
#
# Install ClamAV Windows virus scanner
#
# http://www.clamav.net/lang/en/
#
adduser clamav
./configure
make #This takes a while
make install
vi /etc/clamd.conf
vi /usr/local/etc/clamd.conf
freshclam -d
clamscan -r -l scan.txt /home/shepherd/Downloads/clamav/clamav-0.97.4 |grep FOUND

######################################################################
#
# Install eScan mail and anti virus scanners
#
http://www.escanav.com/english/content/products/generic_mailScan/MailScan_gen.asp

######################################################################
#
# config spamassasin
#
# A lot of help came from
#
# http://www.akadia.com/services/postfix_spamassassin.html
# http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-Postfix-Configuration_Examples.html
#
# WHAT A PAIN IN THE A$$
#To create a user spam
# cyradm -user cyrus localhost
# it will prompt for password
# To create a user "spam"
#createmailbox user.spam
# to list mailboxes from inside cyradm
#lm
#Create a file /usr/local/bin/spamchk
#
##!/bin/sh
#
## -----------------------------------------------------------------
## File: spamchk
##
## Purpose: SPAMASSASIN shell-based filter
##
## Location: /usr/local/bin
##
## Usage: Call this script from master.cf (Postfix)
##
## Certified: GENTOO Linux, Spamassassin 3.0, Postfix
## -----------------------------------------------------------------
#
## Variables
#SENDMAIL="/usr/sbin/sendmail.postfix -i"
#EGREP=/bin/egrep
#
## Exit codes from
#EX_UNAVAILABLE=69
#
## Number of *'s in X-Spam-level header needed to sideline message:
## (Eg. Score of 5.5 = "*****" )
#SPAMLIMIT=10
#
## Clean up when done or when aborting.
#trap "rm -f /var/tmp/out.$$" 0 1 2 3 15
#
## Pipe message to spamc
#cat | /usr/bin/spamc --port=10000 -u filter | sed 's/^\.$/../' > /var/tmp/out.$$
#
## Are there more than $SPAMLIMIT stars in X-Spam-Level header? :
#if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" smtp inet n - n - - smtpd

#Edit /etc/postfix/main.cf
#Following changes may have been done already
[root@shepherd postfix]# diff main.cf main.cf.edited
75c75
myhostname = host.domain.tld
99c99
myorigin = $mydomain
252c252
mynetworks_style = subnet
266a267
> mynetworks = 192.168.0.0/28, 127.0.0.0/8

# This stuff MIGHT not be needed
groupadd -g 601 spamd
useradd -u 601 -g 601 -s /sbin/nologin -d /home/spamd spamd
groupadd -g 600 filter
useradd -u 600 -g 600 -d /home/filer -s /bin/false filter

######################################################################
#
# Install/run Nikto
# From http://cirt.net/nikto2
#
cd /home/shepherd/Downloads/
mkdir nikto
mv nikto-2.1.4.tar.gz nikto
cd nikto/
ls
tar -xvf nikto-2.1.4.tar.gz
cd nikto-2.1.4
#hmmm, no makefile so no make install
perl nikto.pl -update
./nikto.pl -host localhost
#There has to be more than this, it ran too fast

#

######################################################################
#
# Install/run nmap
#
##download from http://nmap.org/download.html
cd /home/shepherd/Downloads
mkdir nmap
mv nmap-*tgz nmap
cd nmap
tar -xf *
cd nmap-6.00
./configure
make
su
make install
export LD_LIBRARY_PATH=/opt/csw/lib:/opt/csw/gcc4/lib:/usr/lib/:/usr/local/lib
nmap -A 192.168.0.1-255

######################################################################
#
# Does smrsh still exist/is used/is used with postfix emailer?
#

######################################################################
#
# sleuthkit is a digital coroner/forensis tool for hacked machines
#
# http://www.sleuthkit.org/

######################################################################
#
# Get PAM working for passwords/ldap authentication
#

######################################################################
#
# Get John the ripper installed and working
#
# http://www.openwall.com/john/
#
## John the Ripper 1.7.9-jumbo-5 (Unix - sources, tar.gz, 1423 KB)
cd /home/shepherd/Downloads
mkdir john-the-ripper
mv john*gz john-the-ripper
cd john-the-ripper
tar -xf j*gz
cd john-1.7.9
cd src
make linux-x86-sse2
cd ../run
#NOTE: I made a test account user tina, password=tina to make sure
#the darn thing works
#I also encrypt passwords with sha512, goodbye crypt :-(
./john /etc/shadow
Loaded 5 password hashes with 5 different salts (generic crypt(3) [?/32])
tina (tina)

######################################################################
#
# Get samhain file integrity / host-based intrusion detection system
#
# http://www.la-samhna.de/samhain/s_download.html
#
# you also want beltane
# http://www.la-samhna.de/beltane/index.html
#
# I REALLY need to read the docs on this one, it is a VERY
# complicated version of tripwire that is good for PCI compliance

######################################################################
#
# Get apache tomcat
#
# http://tomcat.apache.org/
#

######################################################################
#
# setup RCS network repository
#
mkdir /home/shepherd/rcs-test
cd /home/shepherd/rcs-test
tar -cf - /etc/sysconfig |tar -xf -
cd /home/shepherd/rcs-test/etc
find . -type d ! -name RCS -print -exec mkdir '{}'/RCS \;
# Cool scripts at http://www.linuxdocs.org/HOWTOs/CVS-RCS-HOWTO-12.html

######################################################################
#
# setup CVS network repository
#
# http://subversion.apache.org/
#
http://comsci.liu.edu/~murali/cvs/pserver.htm

chkconfig cvs on
service xinetd restart
telnet localhost 2401
# OUTPUT #Trying 127.0.0.1...
# OUTPUT #Connected to localhost.
# OUTPUT #Escape character is '^]'.
# CSV is minimally working

cvs -d /var/cvs init
ls /var/cvs
# OUTPUT #CVSROOT
vi /var/cvs/CVSROOT/mkcvs-passwd
#Contents of file follows
#!/usr/bin/perl
#
srand (time());
my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";
my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);
my $plaintext = shift;
my $crypttext = crypt ($plaintext, $salt);

print "${crypttext}\n";

chmod u+rwx /var/cvs/CVSROOT/mkcvs-passwd

/var/cvs/CVSROOT/mkcvs-passwd > /var/cvs/CVSROOT/passwd
chmod 644 /var/cvs/CVSROOT/passwd
vi /var/cvs/CVSROOT/passwd
#make the last line look something like this
#username1:x$5itFdsw123:cvs
#
export CVSROOT=:pserver:shepherd@localhost:/home/cvs

cvs login
#[shepherd@shepherd cvs-test]$ cvs login
#Logging in to :pserver:shepherd@localhost:2401/var/cvs
#CVS password:
#[shepherd@shepherd cvs-test]$
#
cd /home/shepherd
mkdir cvs-test
cd cvs-test
su
tar -cf - /etc/sysconfig/|tar -xf -
chown -R shepherd /home/shepherd/cvs-test
cvs import -m "My initial project message" sysconfig mycompany start

#Now we look at it
#[root@shepherd cvs]# ls -l /var/cvs
#total 8
#drwxrwxr-x. 3 cvs cvs 4096 May 21 18:35 CVSROOT
#drwxrwxr-x. 3 cvs cvs 4096 May 21 18:42 sysconfig
#
##############################
##
# Now the problem is changing it from /var/cvs to /home/cvs
# changing /etc/xinetd.d/cvs from /var/cvs to /var/home
# service xinetd restart
# cvs login
# Gives the following output
# [shepherd@shepherd cvs]$ cvs login
# Logging in to :pserver:shepherd@localhost:2401/home/cvs
# CVS password:
# cvs [login aborted]: unrecognized auth response from localhost: cvs pserver: cannot open /home/cvs/CVSROOT/config: Permission denied
#
# doing an `echo 0 >/selinux/enforce`
# and then cvs login
# Gives the following output
# [shepherd@shepherd cvs]$ cvs login
# Logging in to :pserver:shepherd@localhost:2401/home/cvs
# CVS password:
# [shepherd@shepherd cvs]$
# which means selinux is causing the problem
#
# http://docs.fedoraproject.org/en-US//Fedora/13/html/Managing_Confined_Services/sect-Managing_Confined_Services-Concurrent_Versioning_System-Configuration_Examples-Setting_Up_CVS-Server-Setup.html
#
# THIS DOES NOT WORK AS ADVERTISED, problem still exists
# It actually works for /var/cvs and /cvs, just not under /home/cvs
# WEIRD
# [root@cvs-srv]# semanage fcontext -a -t cvs_data_t '/cvs(/.*)?'
# [root@cvs-srv]# restorecon -R -v /cvs
#
#
#

# This might explain it
# http://linux.derkeiler.com/Mailing-Lists/Fedora/2009-04/msg02339.html
#
# This works but is a hack but at least selinux is still running
# cp /var/log/audit/audit.log /var/log/audit/audit.log.bak
# cp /dev/null /var/log/audit/audit.log
# cvs login (yes, it will fail)
# cd /tmp
# cat /var/log/audit/audit.log | audit2allow -M local
# semodule -i local.pp
#
# This lets "something" read the cvs directory in your non-standard (/home)
# mount point
# The output is a binary file and a text file
# text file is local.te and looks like this
# module local 1.0;
#
# require {
#type cvs_t;
#type setfiles_t;
#class capability { dac_read_search dac_override };
#class dir relabelto;
#}
#
##============= cvs_t ==============
##!!!! This avc can be allowed using the boolean 'allow_cvs_read_shadow'
#
#allow cvs_t self:capability dac_override;
#allow cvs_t self:capability dac_read_search;
#
##============= setfiles_t ==============
#allow setfiles_t cvs_t:dir relabelto;
#
cvs login
cvs import -m "My initial project message" sysconfig mycompany start
#And this all works
#And I am willing to call it good for now.
#If somebody has a better answer or a
#better solution please let me know

######################################################################
#
# Get apache subversion
#
# http://subversion.apache.org/
#

######################################################################
#
# GPFS
#

######################################################################
#
# Membase
#

######################################################################
#
# Hadoop
#

######################################################################
#
# Cassandra
#

######################################################################
#
# Memcached
#

######################################################################
#
# ZooKeeper
#

######################################################################
#
# Ruby
#

######################################################################
#
# CFEngine
#

######################################################################
#
# Oprofile
#

######################################################################
#
# SystemTap
#

######################################################################
#
# GDB
#

######################################################################
#
# Valgrind
#

######################################################################
#
# websphere
#

######################################################################
#
# squid
#

######################################################################
#
# cacti
#

######################################################################
#
# JBoss
#

######################################################################
#
# Nagios
#
# follow the guide at
# http://nagios.sourceforge.net/docs/3_0/quickstart-fedora.html

# ALSO
# And this is not in the docs
# chcon -R -t httpd_sys_script_rw_t /usr/local/nagios/var/rw
# this was from
# http://www.linuxquestions.org/questions/linux-networking-3/nagios-config-429200/

#Edit /usr/local/nagios/etc/objects/commands.cfg to add new plugin commands
#Please note that not all the "included" checks are included in this
#file so you have to edit for your situation
#
#Edit /usr/local/nagios/etc/objects/localhost.cfg to add new checks
#Also, you can google for 'nagios pluginname' for examples of how
#to configure them

######################################################################
#
# Puppet
#

######################################################################
#
# git
#

######################################################################
#
# OSSEC
#

######################################################################
#
# filezilla
# From http://filezilla-project.org/download.php
#
# Hints on compile/install at
# http://wiki.filezilla-project.org/Client_Installation
#
#
cd /home/shepherd/Downloads

# silly thing needs wxWidges
# from http://www.wxwidgets.org/downloads/
mkdir wxWidgets
mv wxWidgets*gz wxWidgets
cd wxWidgets
tar -xf wxWidgets-2.8.12.tar.gz
cd wxWidgets-2.8.12
./configure --enable-unicode
make
su
make install #This can take a few minutes....
exit
#
# ------------------------------------------------------
#
# The installation of wxWidgets is finished. On certain
# platforms (e.g. Linux) you'll now have to run ldconfig
# if you installed a shared library and also modify the
# LD_LIBRARY_PATH (or equivalent) environment variable.
#

cd /home/shepherd/Downloads
mkdir filezilla
mv FileZilla* filezilla
cd filezilla
tar -xf *
cd filezilla-3.5.3
export LD_LIBRARY_PATH=/opt/csw/lib:/opt/csw/gcc4/lib:/usr/lib/:/usr/local/lib
./configure --with-tinyxml=builtin
make
su
make install
exit