@nntrn
Created May 10, 2022 03:13
[
{
"outerText": [
"Listing available system locale settings:",
"",
"$ localectl list-locales"
],
"runasroot": false
},
{
"outerText": [
"Displaying current status of the system locales settings:",
"",
"$ localectl status"
],
"runasroot": false
},
{
"outerText": [
"Setting or changing the default system locale settings:",
"",
"$ localectl set-locale LANG=locale"
],
"runasroot": true
},
{
"outerText": ["Listing available keymaps:", "", "$ localectl list-keymaps"],
"runasroot": false
},
{
"outerText": [
"Displaying current status of keymap settings:",
"",
"$ localectl status"
],
"runasroot": false
},
{
"outerText": [
"Setting or changing the default system keymap:",
"",
"$ localectl set-keymap"
],
"runasroot": true
},
{
"outerText": [
"Register your system:",
"",
"$ subscription-manager register",
"",
"The command will prompt you to enter your Red Hat Customer Portal user name and password."
],
"runasroot": true
},
{
"outerText": [
"Determine the pool ID of a subscription that you require:",
"",
"$ subscription-manager list --available",
"",
"This command displays all available subscriptions for your Red Hat account. For every subscription, various characteristics are displayed, including the pool ID."
],
"runasroot": true
},
{
"outerText": [
"Attach the appropriate subscription to your system by replacing pool_id with the pool ID determined in the previous step:",
"",
"$ subscription-manager attach --pool=pool_id"
],
"runasroot": true
},
{
"outerText": [
"Verify that EUS entitlements are available:",
"",
"$ subscription-manager list --available --matches=\"*Extended Update Support\"",
" +-------------------------------------------+",
" Available Subscriptions",
" +-------------------------------------------+",
" Subscription Name: Extended Update Support",
" Provides: Red Hat Enterprise Linux High Availability for x86_64 - Extended Update Support",
" Red Hat Enterprise Linux Resilient Storage for x86_64 - Extended Update Support",
" Red Hat Enterprise Linux for x86_64 - Extended Update Support",
" Red Hat EUCJP Support (for RHEL Server) - Extended Update Support",
" RHEL for SAP - Extended Update Support",
" Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support",
" Red Hat Enterprise Linux Scalable File System (for RHEL Server) - Extended Update Support",
" Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support",
" RHEL for SAP HANA - Extended Update Support",
" Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support",
" Oracle Java (for RHEL Server) - Extended Update Support",
" Red Hat S-JIS Support (for RHEL Server) - Extended Update Support",
" SKU: RH00030",
" Contract: 12069074",
" Pool ID: 8a99f9ac7238188b01723d9c8a8a06a9",
" Provides Management: No",
" Available: 8",
" Suggested: 0",
" Service Level: Layered",
" Service Type: L1-L3",
" Subscription Type: Instance Based",
" Starts: 05/22/2020",
" Ends: 05/21/2021",
" System Type: Physical"
],
"runasroot": true
},
{
"outerText": [
"Attach the applicable subscription using the Pool identifier:",
"",
"$ subscription-manager attach --pool 8a99f9ac7238188b01723d9c8a8a06a9"
],
"runasroot": true
},
{
"outerText": [
"Replace the default repositories enabled for the system with the EUS variants:",
"",
"$ subscription-manager repos --disable \\*"
],
"runasroot": true
},
{
"outerText": [
"Enable the repositories which represent the EUS content set for the RHEL revision in use:",
"",
"$ subscription-manager repos --enable rhel-7-server-eus-rpms"
],
"runasroot": true
},
{
"outerText": [
"Select the required and supported release for the end system:",
"",
"$ subscription-manager release --set 7.6"
],
"runasroot": true
},
{
"outerText": [
"Register your system using the following command:",
"",
"$ subscription-manager register"
],
"runasroot": true
},
{
"outerText": [
"Verify that E4S entitlements are available:",
"",
"$ subscription-manager list --available --matches=\"*Update Services for SAP Solutions*\"",
"+-------------------------------------------+",
" Available Subscriptions",
"+-------------------------------------------+",
"Subscription Name: Red Hat Enterprise Linux for SAP Solutions, Standard (Physical or Virtual Nodes)",
"Provides: dotNET on RHEL Beta (for RHEL Server)",
" Red Hat CodeReady Linux Builder for x86_64",
" Red Hat Enterprise Linux for SAP HANA for x86_64",
" Red Hat Ansible Engine",
" RHEL for SAP HANA - Update Services for SAP Solutions",
" Red Hat Enterprise Linux Scalable File System (for RHEL Server) - Extended Update Support",
" RHEL for SAP HANA - Extended Update Support",
" Red Hat Enterprise Linux Atomic Host Beta",
" Red Hat Beta",
" Red Hat EUCJP Support (for RHEL Server) - Extended Update Support",
" Red Hat Enterprise Linux High Availability for x86_64",
" Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support",
" dotNET on RHEL (for RHEL Server)",
" Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support",
" Red Hat Enterprise Linux High Availability - Update Services for SAP Solutions",
" Red Hat Enterprise Linux Resilient Storage for x86_64 - Extended Update Support",
" Red Hat Enterprise Linux High Availability for x86_64 - Extended Update Support",
" Oracle Java (for RHEL Server)",
" Red Hat Enterprise Linux Server - Update Services for SAP Solutions",
" Red Hat Software Collections (for RHEL Server)",
" Red Hat Enterprise Linux Scalable File System (for RHEL Server)",
" Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support",
" RHEL for SAP - Update Services for SAP Solutions",
" Oracle Java (for RHEL Server) - Extended Update Support",
" Red Hat Enterprise Linux Atomic Host",
" Red Hat Developer Tools (for RHEL Server)",
" Red Hat Software Collections Beta (for RHEL Server)",
" Red Hat Enterprise Linux Server",
" Red Hat Enterprise Linux for SAP Applications for x86_64",
" Red Hat Developer Tools Beta (for RHEL Server)",
" Red Hat Enterprise Linux for x86_64",
" Red Hat Enterprise Linux for x86_64 - Extended Update Support",
" RHEL for SAP - Extended Update Support",
" Red Hat Developer Toolset (for RHEL Server)",
" Red Hat S-JIS Support (for RHEL Server) - Extended Update Support",
"SKU: RH00764",
"Contract: 11977725",
"Pool ID: 8a85f99c6c4825eb016c4a30d3493064",
"Provides Management: Yes",
"Available: 18",
"Suggested: 0",
"Service Level: Standard",
"Service Type: L1-L3",
"Subscription Type: Instance Based",
"Starts: 03/29/2020",
"Ends: 12/31/2021",
"System Type: Physical"
],
"runasroot": true
},
{
"outerText": [
"Attach the applicable subscription using the Pool identifier:",
"",
"$ subscription-manager attach --pool=#################"
],
"runasroot": true
},
{
"outerText": [
"Replace the default repositories enabled for the system with the EUS variants:",
"",
"$ subscription-manager repos --disable=\"*\""
],
"runasroot": true
},
{
"outerText": [
"Enable the repositories which represent the E4S content set for the RHEL revision in use:",
"",
"$ subscription-manager repos --enable=rhel-7-server-e4s-rpms"
],
"runasroot": true
},
{
"outerText": [
"Clear the repository cache and release lock the system to a valid release for E4S which supports your SAP application:",
"",
"$ yum clean all && subscription-manager release --set=7.7"
],
"runasroot": true
},
{
"outerText": [
"Listing all available repositories:",
"",
"$ subscription-manager repos --list"
],
"runasroot": true
},
{
"outerText": [
"Listing all currently enabled repositories:",
"",
"$ yum repolist"
],
"runasroot": false
},
{
"outerText": [
"Enabling or disabling a repository:",
"",
"$ subscription-manager repos --enable repository",
"$ subscription-manager repos --disable repository"
],
"runasroot": true
},
{
"outerText": [
"Searching for packages matching a specific string:",
"",
"$ yum search string"
],
"runasroot": false
},
{
"outerText": ["Installing a package:", "", "$ yum install package_name"],
"runasroot": true
},
{
"outerText": [
"Updating all packages and their dependencies:",
"",
"$ yum update"
],
"runasroot": true
},
{
"outerText": ["Updating a package:", "", "$ yum update package_name"],
"runasroot": true
},
{
"outerText": [
"Uninstalling a package and any packages that depend on it:",
"",
"$ yum remove package_name"
],
"runasroot": true
},
{
"outerText": [
"Listing information on all installed and available packages:",
"",
"$ yum list all"
],
"runasroot": false
},
{
"outerText": [
"Listing information on all installed packages:",
"",
"$ yum list installed"
],
"runasroot": false
},
{
"outerText": [
"Display the current SELinux mode in effect:",
"",
"$ getenforce"
],
"runasroot": false
},
{
"outerText": [
"To temporarily switch to either enforcing or permissive mode:",
"",
"$ setenforce Enforcing",
"$ setenforce Permissive"
],
"runasroot": true
},
{
"outerText": [
"To permanently set the SELinux mode, modify the SELINUX variable in the /etc/selinux/config configuration file.",
"",
"For example, to switch SELinux to enforcing mode:",
"",
"# This file controls the state of SELinux on the system.",
"# SELINUX= can take one of these three values:",
"# enforcing - SELinux security policy is enforced.",
"# permissive - SELinux prints warnings instead of enforcing.",
"# disabled - No SELinux policy is loaded.",
"SELINUX=enforcing"
],
"runasroot": false
},
{
"outerText": [
"Generate a public and a private key:",
"",
"$ ssh-keygen",
"",
"Both keys are stored in the ~/.ssh/ directory:",
"",
"~/.ssh/id_rsa.pub - public key",
"",
"~/.ssh/id_rsa - private key",
"",
"The public key does not need to be secret. It is used to verify the private key. The private key is secret. You can choose to protect the private key with the passphrase that you specify during the key generation process. With the passphrase, authentication is even more secure, but is no longer password-less. You can avoid this using the ssh-agent command. In this case, you will enter the passphrase only once - at the beginning of a session. For more information on ssh-agent configuration, see Section 12.2.4, “Using Key-based Authentication”."
],
"runasroot": false
},
{
"outerText": [
"Copy the most recently modified public key to a remote machine you want to log into:",
"",
"$ ssh-copy-id USER@hostname",
"",
"As a result, you are now able to enter the system in a secure way, but without entering a password."
],
"runasroot": true
},
{
"outerText": [
"Access the /etc/ssh/sshd_config file:",
"",
"$ vi /etc/ssh/sshd_config"
],
"runasroot": true
},
{
"outerText": [
"Change the line that reads #PermitRootLogin yes to:",
"",
"PermitRootLogin no"
],
"runasroot": false
},
{
"outerText": ["Restart the sshd service:", "", "$ systemctl restart sshd"],
"runasroot": true
},
{
"outerText": ["Displaying user and group IDs:", "", "$ id"],
"runasroot": false
},
{
"outerText": [
"Creating a new user account:",
"",
"$ useradd [options] user_name"
],
"runasroot": true
},
{
"outerText": [
"Assigning a new password to a user account belonging to username:",
"",
"$ passwd user_name"
],
"runasroot": true
},
{
"outerText": [
"Adding a user to a group:",
"",
"$ usermod -a -G group_name user_name"
],
"runasroot": true
},
{
"outerText": [
"To check whether kdump is installed on your system:",
"",
"$ rpm -q kexec-tools"
],
"runasroot": false
},
{
"outerText": [
"If not installed, to install kdump, enter as the root user:",
"",
"$ yum install kexec-tools"
],
"runasroot": true
},
{
"outerText": [
"To configure kdump:",
"",
"Use either the command line or graphical user interface.",
"",
"Both options are described in detail in Red Hat Enterprise Linux 7 Kernel Crash Dump Guide.",
"",
"If you need to install the graphical configuration tool:",
"",
"$ yum install system-config-kdump"
],
"runasroot": true
},
{
"outerText": [
"Modify the %post section of the Kickstart file:",
"",
"LANG=en_US",
"echo \"%_install_langs $LANG\" > /etc/rpm/macros.language-conf",
"",
"yum-config-manager --setopt=override_install_langs=$LANG --save"
],
"runasroot": false
},
{
"outerText": [
"Modify the %packages section of the Kickstart file:",
"",
"%packages",
"yum-utils*",
"%end"
],
"runasroot": false
},
{
"outerText": [
"Create the RPM configuration file at /etc/rpm/macros.language-conf with the following contents:",
"",
"%_install_langs LANG",
"",
"LANG is the value of the instLang option."
],
"runasroot": false
},
{
"outerText": [
"Update the /etc/yum.conf file with:",
"",
"override_install_langs=LANG"
],
"runasroot": false
},
{
"outerText": [
"Either you can set the hardware clock to the current system time by using this command:",
"",
"hwclock --systohc",
"",
"Note that if you use NTP, the hardware clock is automatically synchronized to the system clock every 11 minutes, and this command is useful only at boot time to get a reasonable initial system time."
],
"runasroot": false
},
{
"outerText": [
"Or, you can set the system time from the hardware clock by using the following command:",
"",
"hwclock --hctosys"
],
"runasroot": false
},
{
"outerText": [
"A new line for juan is created in /etc/passwd:",
"",
"juan:x:1001:1001::/home/juan:/bin/bash",
"",
"The line has the following characteristics:",
"",
"It begins with the user name juan.",
"There is an x for the password field indicating that the system is using shadow passwords.",
"A UID greater than 999 is created. Under Red Hat Enterprise Linux 7, UIDs below 1000 are reserved for system use and should not be assigned to users.",
"A GID greater than 999 is created. Under Red Hat Enterprise Linux 7, GIDs below 1000 are reserved for system use and should not be assigned to users.",
"The optional GECOS information is left blank. The GECOS field can be used to provide additional information about the user, such as their full name or phone number.",
"The home directory for juan is set to /home/juan/.",
"The default shell is set to /bin/bash."
],
"runasroot": false
},
{
"outerText": [
"A new line for juan is created in /etc/shadow:",
"",
"juan:!!:14798:0:99999:7:::",
"",
"The line has the following characteristics:",
"",
"It begins with the user name juan.",
"",
"Two exclamation marks (!!) appear in the password field of the /etc/shadow file, which locks the account.",
"",
"NOTE",
"",
"If an encrypted password is passed using the -p flag, it is placed in the /etc/shadow file on the new line for the user.",
"",
"The password is set to never expire."
],
"runasroot": false
},
{
"outerText": [
"A new line for a group named juan is created in /etc/group:",
"",
"juan:x:1001:",
"",
"A group with the same name as a user is called a user private group. For more information on user private groups, see Section 4.1.1, “User Private Groups”.",
"",
"The line created in /etc/group has the following characteristics:",
"",
"It begins with the group name juan.",
"An x appears in the password field indicating that the system is using shadow group passwords.",
"The GID matches the one listed for juan's primary group in /etc/passwd."
],
"runasroot": false
},
{
"outerText": [
"A new line for a group named juan is created in /etc/gshadow:",
"",
"juan:!::",
"",
"The line has the following characteristics:",
"",
"It begins with the group name juan.",
"An exclamation mark (!) appears in the password field of the /etc/gshadow file, which locks the group.",
"All other fields are blank."
],
"runasroot": false
},
{
"outerText": [
"A directory for user juan is created in the /home directory:",
"",
"$ ls -ld /home/juan",
"drwx------. 4 juan juan 4096 Mar 3 18:23 /home/juan",
"",
"This directory is owned by user juan and group juan. It has read, write, and execute privileges only for the user juan. All other permissions are denied."
],
"runasroot": true
},
{
"outerText": [
"The files within the /etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory:",
"",
"$ ls -la /home/juan",
"total 28",
"drwx------. 4 juan juan 4096 Mar 3 18:23 .",
"drwxr-xr-x. 5 root root 4096 Mar 3 18:23 ..",
"-rw-r--r--. 1 juan juan 18 Jun 22 2010 .bash_logout",
"-rw-r--r--. 1 juan juan 176 Jun 22 2010 .bash_profile",
"-rw-r--r--. 1 juan juan 124 Jun 22 2010 .bashrc",
"drwxr-xr-x. 4 juan juan 4096 Nov 23 15:09 .mozilla"
],
"runasroot": true
},
{
"outerText": [
"As root, create the /opt/myproject/ directory by typing the following at a shell prompt:",
"",
"mkdir /opt/myproject"
],
"runasroot": false
},
{
"outerText": [
"Add the myproject group to the system:",
"",
"groupadd myproject"
],
"runasroot": false
},
{
"outerText": [
"Associate the contents of the /opt/myproject/ directory with the myproject group:",
"",
"chown root:myproject /opt/myproject"
],
"runasroot": false
},
{
"outerText": [
"Allow users in the group to create files within the directory and set the setgid bit:",
"",
"chmod 2775 /opt/myproject",
"",
"At this point, all members of the myproject group can create and edit files in the /opt/myproject/ directory without the administrator having to change file permissions every time users write new files. To verify that the permissions have been set correctly, run the following command:",
"",
"$ ls -ld /opt/myproject",
"drwxrwsr-x. 3 root myproject 4096 Mar 3 18:31 /opt/myproject"
],
"runasroot": true
},
{
"outerText": [
"Add users to the myproject group:",
"",
"usermod -aG myproject username"
],
"runasroot": false
},
{
"outerText": [
"By default, sudo stores the password for a five-minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves his workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the /etc/sudoers file:",
"",
"Defaults timestamp_timeout=value",
"",
"where value is the desired timeout length in minutes. Setting the value to 0 causes sudo to require a password every time."
],
"runasroot": false
},
{
"outerText": [
"If an account is compromised, an attacker can use sudo to open a new shell with administrative privileges:",
"",
"sudo /bin/bash",
"",
"Opening a new shell as root in this or similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the /etc/sudoers file and never requiring the attacker to input a password for sudo again until the newly opened session is closed."
],
"runasroot": false
},
{
"outerText": [
"Run the following command to register your system. You will be prompted to enter your user name and password. Note that the user name and password are the same as your login credentials for Red Hat Customer Portal.",
"",
"subscription-manager register"
],
"runasroot": false
},
{
"outerText": [
"Determine the pool ID of a subscription that you require. To do so, type the following at a shell prompt to display a list of all subscriptions that are available for your system:",
"",
"subscription-manager list --available",
"",
"For each available subscription, this command displays its name, unique identifier, expiration date, and other details related to your subscription. To list subscriptions for all architectures, add the --all option. The pool ID is listed on a line beginning with Pool ID."
],
"runasroot": false
},
{
"outerText": [
"Attach the appropriate subscription to your system by entering a command as follows:",
"",
"subscription-manager attach --pool=pool_id",
"",
"Replace pool_id with the pool ID you determined in the previous step.",
"",
"To verify the list of subscriptions your system has currently attached, at any time, run:",
"",
"subscription-manager list --consumed"
],
"runasroot": false
},
{
"outerText": [
"Determine the serial number of the subscription you want to remove by listing information about already attached subscriptions:",
"",
"subscription-manager list --consumed",
"",
"The serial number is the number listed as serial. For instance, 744993814251016831 in the example below:",
"",
"SKU: ES0113909",
"Contract: 01234567",
"Account: 1234567",
"Serial: 744993814251016831",
"Pool ID: 8a85f9894bba16dc014bccdd905a5e23",
"Active: False",
"Quantity Used: 1",
"Service Level: SELF-SUPPORT",
"Service Type: L1-L3",
"Status Details:",
"Subscription Type: Standard",
"Starts: 02/27/2015",
"Ends: 02/27/2016",
"System Type: Virtual"
],
"runasroot": false
},
{
"outerText": [
"Enter a command as follows to remove the selected subscription:",
"",
"subscription-manager remove --serial=serial_number",
"",
"Replace serial_number with the serial number you determined in the previous step."
],
"runasroot": false
},
{
"outerText": [
"Start the tool by entering the following command:",
"",
"$ redhat-support-tool"
],
"runasroot": true
},
{
"outerText": [
"Enter your Red Hat Customer Portal user name:",
"",
"Command (? for help): config user username",
"",
"To save your user name to the global configuration file, add the -g option."
],
"runasroot": false
},
{
"outerText": [
"Enter your Red Hat Customer Portal password:",
"",
"Command (? for help): config password",
"Please enter the password for username:"
],
"runasroot": false
},
{
"outerText": [
"Start the tool by entering the following command:",
"",
"$ redhat-support-tool"
],
"runasroot": true
},
{
"outerText": [
"Enter the opencase command:",
"",
"Command (? for help): opencase"
],
"runasroot": false
},
{
"outerText": [
"Confirm you would still like to open the support case.",
"",
"Support case 0123456789 has successfully been opened"
],
"runasroot": false
},
{
"outerText": [
"Start the tool by entering the following command:",
"",
"$ redhat-support-tool"
],
"runasroot": true
},
{
"outerText": [
"Enter the getcase command:",
"",
"Command (? for help): getcase case-number",
"",
"Where case-number is the number of the case you want to view and update."
],
"runasroot": false
},
{
"outerText": [
"Start the tool by entering the following command:",
"",
"$ redhat-support-tool"
],
"runasroot": true
},
{
"outerText": [
"Enter the modifycase command:",
"",
"Command (? for help): modifycase case-number",
"",
"Where case-number is the number of the case you want to view and update."
],
"runasroot": false
},
{
"outerText": [
"The modify selection list appears:",
"",
"Type the number of the attribute to modify or 'e' to return to the previous menu.",
" 1 Modify Type",
" 2 Modify Severity",
" 3 Modify Status",
" 4 Modify Alternative-ID",
" 5 Modify Product",
" 6 Modify Version",
"End of options.",
"",
"Follow the on screen prompts to modify one or more of the options."
],
"runasroot": false
},
{
"outerText": [
"For example, to modify the status, enter 3:",
"",
"Selection: 3",
" 1 Waiting on Customer",
" 2 Waiting on Red Hat",
" 3 Closed",
"Please select a status (or 'q' to exit):"
],
"runasroot": false
},
{
"outerText": [
"Create a target directory to mount your ISO image. This directory is not automatically created when mounting, so create it before proceeding to the next step. As root, type:",
"",
"mkdir mount_dir",
"",
"Replace mount_dir with a path to the mount directory. Typically, users create it as a subdirectory in the /media directory."
],
"runasroot": false
},
{
"outerText": [
"Mount the Red Hat Enterprise Linux 7 installation ISO image to the previously created target directory. As root, type:",
"",
"mount -o loop iso_name mount_dir",
"",
"Replace iso_name with a path to your ISO image and mount_dir with a path to the target directory. Here, the -o loop option is required to mount the file as a block device."
],
"runasroot": false
},
{
"outerText": [
"Copy the media.repo file from the mount directory to the /etc/yum.repos.d/ directory. Note that configuration files in this directory must have the .repo extension to function properly.",
"",
"cp mount_dir/media.repo /etc/yum.repos.d/new.repo",
"",
"This creates a configuration file for the yum repository. Replace new.repo with the filename, for example rhel7.repo."
],
"runasroot": false
},
{
"outerText": [
"Edit the new configuration file so that it points to the Red Hat Enterprise Linux installation ISO. Add the following line into the /etc/yum.repos.d/new.repo file:",
"",
"baseurl=file:///mount_dir",
"",
"Replace mount_dir with a path to the mount point."
],
"runasroot": false
},
{
"outerText": [
"Update all yum repositories including /etc/yum.repos.d/new.repo created in previous steps. As root, type:",
"",
"yum update",
"",
"This upgrades your system to the version provided by the mounted ISO image."
],
"runasroot": false
},
{
"outerText": [
"After successful upgrade, you can unmount the ISO image. As root, type:",
"",
"umount mount_dir",
"",
"where mount_dir is a path to your mount directory. Also, you can remove the mount directory created in the first step. As root, type:",
"",
"rmdir mount_dir"
],
"runasroot": false
},
{
"outerText": [
"If you will not use the previously created configuration file for another installation or update, you can remove it. As root, type:",
"",
"rm /etc/yum.repos.d/new.repo"
],
"runasroot": false
},
{
"outerText": [
"If a specific online repository requires basic HTTP authentication, you can specify your user name and password by prepending it to the URL as username:password@link. For example, if a repository on http://www.example.com/repo/ requires a user name of \"user\" and a password of \"password\", then the baseurl link could be specified as http://user:password@www.example.com/repo/.",
"",
"Usually this URL is an HTTP link, such as:",
"",
"baseurl=http://path/to/repo/releases/$releasever/server/$basearch/os/",
"",
"Note that yum always expands the $releasever, $arch, and $basearch variables in URLs. For more information about yum variables, see Section 9.5.3, “Using Yum Variables”."
],
"runasroot": false
},
{
"outerText": [
"Install the createrepo package:",
"",
"# yum install createrepo"
],
"runasroot": false
},
{
"outerText": [
"Copy all packages for your new repository into one directory, such as /tmp/local_repo/:",
"",
"cp /your/packages/*.rpm /tmp/local_repo/"
],
"runasroot": false
},
{
"outerText": [
"To create the repository run:",
"",
"createrepo /tmp/local_repo/",
"",
"This creates the necessary metadata for the yum repository and places metadata in a newly created subdirectory repodata.",
"",
"The repository is now ready to be consumed by yum. This repository can be shared over the HTTP or FTP protocol, or referenced directly from the local machine. See Section 9.5.2, “Setting [repository] Options” for more details on how to configure a yum repository.",
"",
"NOTE",
"",
"When constructing the URL for a repository, refer to /mnt/local_repo, not to /mnt/local_repo/repodata, as the latter directory contains only metadata. The actual yum packages are in /mnt/local_repo."
],
"runasroot": false
},
{
"outerText": [
"Copy the new packages to your repository directory, such as /tmp/local_repo/:",
"",
"cp /your/packages/*.rpm /tmp/local_repo/"
],
"runasroot": false
},
{
"outerText": [
"To reflect the newly added packages in the metadata, run:",
"",
"createrepo --update /tmp/local_repo/"
],
"runasroot": false
},
{
"outerText": [
"Optional: If you have already used any yum command with the newly updated repository, run:",
"",
"yum clean expire-cache"
],
"runasroot": false
},
{
"outerText": [
"In the [emitters] section, set the following option:",
"",
"emit_via = email"
],
"runasroot": false
},
{
"outerText": [
"Add the following option, which points to the newly created repository directory, at the end of the selected yum-cron configuration file:",
"",
"reposdir=/path/to/new/reposdir"
],
"runasroot": false
},
{
"outerText": [
"Set the random_sleep option in the selected configuration file as follows:",
"",
"random_sleep = 0"
],
"runasroot": false
},
{
"outerText": [
"Run the configuration files:",
"",
"# yum-cron /etc/yum/yum-cron.conf",
"# yum-cron /etc/yum/yum-cron-hourly.conf"
],
"runasroot": false
},
{
"outerText": [
"Set the following option in the [base] section of the configuration file:",
"",
"debuglevel = -4"
],
"runasroot": false
},
{
"outerText": [
"Create a shell script in the /etc/cron.daily/ directory containing:",
"",
"#!/bin/sh",
"yum clean all"
],
"runasroot": false
},
{
"outerText": [
"Make the script executable:",
"",
"# chmod +x /etc/cron.daily/script-name.sh"
],
"runasroot": false
},
{
"outerText": [
"Create a unit file in the /etc/systemd/system/ directory and make sure it has correct file permissions. Execute as root:",
"",
"touch /etc/systemd/system/name.service",
"chmod 664 /etc/systemd/system/name.service",
"",
"Replace name with the name of the service to be created. Note that the file does not need to be executable."
],
"runasroot": false
},
{
"outerText": [
"Open the name.service file created in the previous step, and add the service configuration options. There is a variety of options that can be used depending on the type of service you wish to create; see Section 10.6.1, “Understanding the Unit File Structure”. The following is an example unit configuration for a network-related service:",
"",
"[Unit]",
"Description=service_description",
"After=network.target",
"",
"[Service]",
"ExecStart=path_to_executable",
"Type=forking",
"PIDFile=path_to_pidfile",
"",
"[Install]",
"WantedBy=default.target",
"",
"Where:",
"",
"service_description is an informative description that is displayed in journal log files and in the output of the systemctl status command.",
"the After setting ensures that the service is started only after the network is running. Add a space-separated list of other relevant services or targets.",
"path_to_executable stands for the path to the actual service executable.",
"Type=forking is used for daemons that make the fork system call. The main process of the service is created with the PID specified in path_to_pidfile. Find other startup types in Table 10.10, “Important [Service] Section Options”.",
"WantedBy states the target or targets that the service should be started under. Think of these targets as a replacement for the older concept of runlevels; see Section 10.3, “Working with systemd Targets” for details."
],
"runasroot": false
},
{
"outerText": [
"Notify systemd that a new name.service file exists by executing the following command as root:",
"",
"systemctl daemon-reload",
"systemctl start name.service",
"WARNING",
"",
"Always run the systemctl daemon-reload command after creating new unit files or modifying existing unit files. Otherwise, the systemctl start or systemctl enable commands could fail due to a mismatch between states of systemd and actual service unit files on disk.",
"",
"The name.service unit can now be managed as any other system service with commands described in Section 10.2, “Managing System Services”."
],
"runasroot": false
},
{
"outerText": [
"Create a unit file in the /etc/systemd/system/ directory and make sure it has the correct file permissions. Execute as root:",
"",
"$ touch /etc/systemd/system/emacs.service",
"$ chmod 664 /etc/systemd/system/emacs.service"
],
"runasroot": true
},
{
"outerText": [
"Add the following content to the file:",
"",
"[Unit]",
"Description=Emacs: the extensible, self-documenting text editor",
"",
"[Service]",
"Type=forking",
"ExecStart=/usr/bin/emacs --daemon",
"ExecStop=/usr/bin/emacsclient --eval \"(kill-emacs)\"",
"Environment=SSH_AUTH_SOCK=%t/keyring/ssh",
"Restart=always",
"",
"[Install]",
"WantedBy=default.target",
"",
"With the above configuration, the /usr/bin/emacs executable is started in daemon mode on service start. The SSH_AUTH_SOCK environment variable is set using the \"%t\" unit specifier that stands for the runtime directory. The service also restarts the emacs process if it exits unexpectedly."
],
"runasroot": false
},
{
"outerText": [
"Execute the following commands to reload the configuration and start the custom service:",
"",
"$ systemctl daemon-reload",
"$ systemctl start emacs.service"
],
"runasroot": true
},
{
"outerText": [
"Create a copy of the sshd_config file that will be used by the second daemon:",
"",
"$ cp /etc/ssh/sshd{,-second}_config"
],
"runasroot": true
},
{
"outerText": [
"Edit the sshd-second_config file created in the previous step to assign a different port number and PID file to the second daemon:",
"",
"Port 22220",
"PidFile /var/run/sshd-second.pid",
"",
"See the sshd_config(5) manual page for more information on the Port and PidFile options. Make sure the port you choose is not in use by any other service. The PID file does not have to exist before running the service; it is generated automatically on service start."
],
"runasroot": false
},
{
"outerText": [
"Create a copy of the systemd unit file for the sshd service:",
"",
"$ cp /usr/lib/systemd/system/sshd.service /etc/systemd/system/sshd-second.service"
],
"runasroot": true
},
{
"outerText": [
"Modify the Description option:",
"",
"Description=OpenSSH server second instance daemon"
],
"runasroot": false
},
{
"outerText": [
"Add sshd.service to services specified in the After option, so that the second instance starts only after the first one has already started:",
"",
"After=syslog.target network.target auditd.service sshd.service"
],
"runasroot": false
},
{
"outerText": [
"Add the -f /etc/ssh/sshd-second_config parameter to the sshd command, so that the alternative configuration file is used:",
"",
"ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd-second_config $OPTIONS"
],
"runasroot": false
},
{
"outerText": [
"After the above modifications, the sshd-second.service should look as follows:",
"",
"[Unit]",
"Description=OpenSSH server second instance daemon",
"After=syslog.target network.target auditd.service sshd.service",
"",
"[Service]",
"EnvironmentFile=/etc/sysconfig/sshd",
"ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd-second_config $OPTIONS",
"ExecReload=/bin/kill -HUP $MAINPID",
"KillMode=process",
"Restart=on-failure",
"RestartSec=42s",
"",
"[Install]",
"WantedBy=multi-user.target"
],
"runasroot": false
},
{
"outerText": [
"If using SELinux, add the port for the second instance of sshd to the SSH ports; otherwise the second instance of sshd will be denied permission to bind to the port:",
"",
"$ semanage port -a -t ssh_port_t -p tcp 22220"
],
"runasroot": true
},
{
"outerText": [
"Enable sshd-second.service, so that it starts automatically upon boot:",
"",
"$ systemctl enable sshd-second.service",
"",
"Verify that sshd-second.service is running by using the systemctl status command. Also, verify that the port is enabled correctly by connecting to the service:",
"",
"$ ssh -p 22220 user@server",
"",
"If the firewall is in use, make sure that it is configured appropriately in order to allow connections to the second instance of sshd."
],
"runasroot": true
},
{
"outerText": [
"Copy the httpd unit file to the /etc/systemd/system/ directory:",
"",
"cp /usr/lib/systemd/system/httpd.service /etc/systemd/system/httpd.service"
],
"runasroot": false
},
{
"outerText": [
"Open the /etc/systemd/system/httpd.service file and specify the TimeoutStartSec value in the [Service] section:",
"",
"...",
"[Service]",
"...",
"PrivateTmp=true",
"TimeoutStartSec=10",
"",
"[Install]",
"WantedBy=multi-user.target",
"..."
],
"runasroot": false
},
{
"outerText": ["Reload the systemd daemon:", "", "systemctl daemon-reload"],
"runasroot": false
},
{
"outerText": [
"Optional. Verify the new timeout value:",
"",
"systemctl show httpd -p TimeoutStartUSec"
],
"runasroot": false
},
{
"outerText": [
"To specify one or more individual users, list the users on the following line:",
"",
"api-parameters Auth=user:user_1, user_2, ... \t\t# Allow some local user"
],
"runasroot": false
},
{
"outerText": [
"To specify a user group, enter its name on the following line:",
"",
"api-parameters Auth=group:group\t\t# Allow some local group"
],
"runasroot": false
},
{
"outerText": [
"Create the /etc/brlapi.key file.",
"",
"$ mcookie > /etc/brlapi.key"
],
"runasroot": true
},
{
"outerText": [
"To specify an individual user:",
"",
"$ chown user_1 /etc/brlapi.key"
],
"runasroot": true
},
{
"outerText": ["To specify a group:", "", "$ chown group_1 /etc/brlapi.key"],
"runasroot": true
},
{
"outerText": [
"Adjust the content of /etc/brltty.conf to include this:",
"",
"api-parameters Auth=keyfile:/etc/brlapi.key"
],
"runasroot": false
},
{
"outerText": [
"If you want to use autodetection, leave the braille-driver directive set to auto, which is the default option.",
"",
"braille-driver\tauto\t # autodetect",
"WARNING",
"",
"Autodetection tries all drivers. Therefore, it might take a long time or even fail. For this reason, setting up a particular braille driver is recommended."
],
"runasroot": false
},
{
"outerText": [
"If you do not want to use the autodetection, specify the identification code of the required braille driver in the braille-driver directive.",
"",
"Choose the identification code of the required braille driver from the list provided in /etc/brltty.conf, for example:",
"",
"braille-driver\txw\t # XWindow",
"",
"You can also set multiple drivers, separated by commas, and autodetection is then performed among them."
],
"runasroot": false
},
{
"outerText": [
"If you want to use autoselection, leave the text-table directive set to auto, which is the default option.",
"",
"text-table\tauto\t # locale-based autoselection",
"",
"This ensures that locale-based autoselection with fallback to en-nabcc is performed."
],
"runasroot": false
},
{
"outerText": [
"If you do not want to use autoselection, choose the required text-table from the list in /etc/brltty.conf.",
"",
"For example, to use the text table for American English:",
"",
"text-table\ten_US\t # English (United States)"
],
"runasroot": false
},
{
"outerText": [
"Install Festival:",
"",
"$ yum install festival festival-freebsoft-utils"
],
"runasroot": true
},
{
"outerText": [
"Create a new systemd unit file:",
"",
"Create a file in the /etc/systemd/system/ directory and make sure it has the correct file permissions.",
"",
"$ touch /etc/systemd/system/festival.service",
"$ chmod 664 /etc/systemd/system/festival.service"
],
"runasroot": true
},
{
"outerText": [
"Ensure that the script in the /usr/bin/festival_server file is used to run Festival. Add the following content to the /etc/systemd/system/festival.service file:",
"",
"[Unit]",
"Description=Festival speech synthesis server",
"[Service]",
"ExecStart=/usr/bin/festival_server",
"Type=simple"
],
"runasroot": false
},
{
"outerText": [
"Notify systemd that a new festival.service file exists:",
"",
"$ systemctl daemon-reload",
"$ systemctl start festival.service"
],
"runasroot": true
},
{
"outerText": [
"Enable festival.service:",
"",
"$ systemctl enable festival.service"
],
"runasroot": true
},
{
"outerText": [
"Generate an RSA key pair by typing the following at a shell prompt:",
"",
"$ ssh-keygen -t rsa",
"Generating public/private rsa key pair.",
"Enter file in which to save the key (/home/USER/.ssh/id_rsa):"
],
"runasroot": false
},
{
"outerText": [
"Enter a passphrase, and confirm it by entering it again when prompted to do so. For security reasons, avoid using the same password as you use to log in to your account.",
"",
"After this, you will be presented with a message similar to this:",
"",
"Your identification has been saved in /home/USER/.ssh/id_rsa.",
"Your public key has been saved in /home/USER/.ssh/id_rsa.pub.",
"The key fingerprint is:",
"SHA256:UNIgIT4wfhdQH/K7yqmjsbZnnyGDKiDviv492U5z78Y USER@penguin.example.com",
"The key's randomart image is:",
"+---[RSA 2048]----+",
"|o ..==o+. |",
"|.+ . .=oo |",
"| .o. ..o |",
"| ... .. |",
"| .S |",
"|o . . |",
"|o+ o .o+ .. |",
"|+.++=o*.o .E |",
"|BBBo+Bo. oo |",
"+----[SHA256]-----+",
"NOTE",
"",
"To get an MD5 key fingerprint, which was the default fingerprint in previous versions, use the ssh-keygen command with the -E md5 option."
],
"runasroot": false
},
{
"outerText": [
"By default, the permissions of the ~/.ssh/ directory are set to rwx------ or 700 expressed in octal notation. This is to ensure that only the USER can view the contents. If required, this can be confirmed with the following command:",
"",
"$ ls -ld ~/.ssh",
"drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/"
],
"runasroot": false
},
{
"outerText": [
"To copy the public key to a remote machine, issue a command in the following format:",
"",
"ssh-copy-id user@hostname",
"",
"This will copy the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key’s file name as follows:",
"",
"ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname",
"",
"This will copy the content of ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys file on the machine to which you want to connect. If the file already exists, the keys are appended to its end."
],
"runasroot": false
},
{
"outerText": [
"Generate an ECDSA key pair by typing the following at a shell prompt:",
"",
"$ ssh-keygen -t ecdsa",
"Generating public/private ecdsa key pair.",
"Enter file in which to save the key (/home/USER/.ssh/id_ecdsa):"
],
"runasroot": false
},
{
"outerText": [
"Enter a passphrase, and confirm it by entering it again when prompted to do so. For security reasons, avoid using the same password as you use to log in to your account.",
"",
"After this, you will be presented with a message similar to this:",
"",
"Your identification has been saved in /home/USER/.ssh/id_ecdsa.",
"Your public key has been saved in /home/USER/.ssh/id_ecdsa.pub.",
"The key fingerprint is:",
"SHA256:8BhZageKrLXM99z5f/AM9aPo/KAUd8ZZFPcPFWqK6+M USER@penguin.example.com",
"The key's randomart image is:",
"+---[ECDSA 256]---+",
"| . . +=|",
"| . . . = o.o|",
"| + . * . o...|",
"| = . . * . + +..|",
"|. + . . So o * ..|",
"| . o . .+ = ..|",
"| o oo ..=. .|",
"| ooo...+ |",
"| .E++oo |",
"+----[SHA256]-----+"
],
"runasroot": false
},
{
"outerText": [
"By default, the permissions of the ~/.ssh/ directory are set to rwx------ or 700 expressed in octal notation. This is to ensure that only the USER can view the contents. If required, this can be confirmed with the following command:",
"",
"$ ls -ld ~/.ssh",
"drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/"
],
"runasroot": false
},
{
"outerText": [
"To copy the public key to a remote machine, issue a command in the following format:",
"",
"ssh-copy-id USER@hostname",
"",
"This will copy the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key’s file name as follows:",
"",
"ssh-copy-id -i ~/.ssh/id_ecdsa.pub USER@hostname",
"",
"This will copy the content of ~/.ssh/id_ecdsa.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect. If the file already exists, the keys are appended to its end."
],
"runasroot": false
},
{
"outerText": [
"A configuration file named /etc/systemd/system/vncserver@.service is required. To create this file, copy the /usr/lib/systemd/system/vncserver@.service file as root:",
"",
"$ cp /usr/lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@.service",
"",
"There is no need to include the display number in the file name because systemd automatically creates the appropriately named instance in memory on demand, replacing '%i' in the service file by the display number. For a single user it is not necessary to rename the file. For multiple users, a uniquely named service file for each user is required, for example, by adding the user name to the file name in some way. See Section 13.1.2.1, “Configuring VNC Server for Two Users” for details."
],
"runasroot": true
},
{
"outerText": [
"Edit /etc/systemd/system/vncserver@.service, replacing USER with the actual user name. Leave the remaining lines of the file unmodified.",
"",
"ExecStart=/usr/bin/vncserver_wrapper <USER> %i",
"NOTE",
"",
"The default size of the VNC desktop is 1024x768.",
"",
"A user’s VNC session can be further configured using the ~/.vnc/config file.",
"",
"For example, to change the VNC window size, add the following line:",
"",
"geometry= <WIDTH> x <HEIGHT>"
],
"runasroot": false
},
{
"outerText": [
"To make the changes take effect immediately, issue the following command:",
"",
"$ systemctl daemon-reload"
],
"runasroot": true
},
{
"outerText": [
"Set the password for the user or users defined in the configuration file. Note that you need to switch from root to USER first.",
"",
"$ su - USER",
"$ vncpasswd",
"Password:",
"Verify:",
"IMPORTANT",
"",
"The stored password is not encrypted; anyone who has access to the password file can find the plain-text password."
],
"runasroot": true
},
{
"outerText": [
"Set passwords for both users:",
"",
"$ su - USER_1",
"$ vncpasswd",
"Password:",
"Verify:",
"$ su - USER_2",
"$ vncpasswd",
"Password:",
"Verify:"
],
"runasroot": false
},
{
"outerText": [
"Set up GDM to enable XDMCP by editing the /etc/gdm/custom.conf configuration file:",
"",
"[xdmcp]",
"Enable=true"
],
"runasroot": false
},
{
"outerText": [
"Create a file called /etc/xinetd.d/xvncserver with the following content:",
"",
"service service_name",
"{",
"disable = no",
"protocol = tcp",
"socket_type = stream",
"wait = no",
"user = nobody",
"server = /usr/bin/Xvnc",
"server_args = -inetd -query localhost -once -geometry selected_geometry -depth selected_depth securitytypes=none",
"}",
"",
"In the server_args section, the -query localhost option will make each Xvnc instance query localhost for an xdmcp session. The -depth option specifies the pixel depth (in bits) of the VNC desktop to be created. Acceptable values are 8, 15, 16 and 24 - any other values are likely to cause unpredictable behavior of applications."
],
"runasroot": false
},
{
"outerText": [
"Edit file /etc/services to have the service defined. To do this, append the following snippet to the /etc/services file:",
"",
"# VNC xinetd GDM base",
"service_name 5950/tcp"
],
"runasroot": false
},
{
"outerText": [
"To ensure that the configuration changes take effect, reboot the machine.",
"",
"Alternatively, you can run the following. Change init levels to 3 and back to 5 to force gdm to reload.",
"",
"# init 3",
"# init 5",
"",
"Verify that gdm is listening on UDP port 177.",
"",
"# netstat -anu|grep 177",
"udp 0 0 0.0.0.0:177 0.0.0.0:*",
"",
"Restart the xinetd service.",
"",
"$ systemctl restart xinetd.service",
"",
"Verify that the xinetd service has loaded the new services.",
"",
"# netstat -anpt|grep 595",
"tcp 0 0 :::5950 :::* LISTEN 3119/xinetd"
],
"runasroot": true
},
{
"outerText": [
"Test the setup using a vncviewer command:",
"",
"# vncviewer localhost:5950",
"",
"The command will launch a VNC session to the localhost where no password is asked. You will see a GDM login screen, and you will be able to log in to any user account on the system with a valid user name and password. Then you can run the same test on remote connections."
],
"runasroot": false
},
{
"outerText": [
"Enter the following command as root",
"",
"$ yum install tigervnc-server"
],
"runasroot": true
},
{
"outerText": [
"Set the VNC password for the user:",
"",
"$ vncpasswd",
"Password:",
"Verify:"
],
"runasroot": false
},
{
"outerText": [
"Enter the following command as that user:",
"",
"$ x0vncserver -PasswordFile=.vnc/passwd -AlwaysShared=1"
],
"runasroot": false
},
{
"outerText": [
"Enter an address and display number to connect to:",
"",
"address:display_number"
],
"runasroot": false
},
{
"outerText": [
"Enter the viewer command with the address and display number as arguments:",
"",
"vncviewer address:display_number",
"",
"Where address is an IP address or host name."
],
"runasroot": false
},
{
"outerText": [
"Run the following command to see the information concerning firewalld settings:",
"",
"$ firewall-cmd --list-all"
],
"runasroot": false
},
{
"outerText": [
"To allow all VNC connections from a specific address, use a command as follows:",
"",
"$ firewall-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"192.168.122.116\" service name=vnc-server accept'",
"success",
"",
"Note that these changes will not persist after the next system start. To make permanent changes to the firewall, repeat the commands adding the --permanent option. See the Red Hat Enterprise Linux 7 Security Guide for more information on the use of firewall rich language commands."
],
"runasroot": true
},
{
"outerText": [
"To verify the above settings, use a command as follows:",
"",
"$ firewall-cmd --list-all",
"public (default, active)",
" interfaces: bond0 bond0.192",
" sources:",
" services: dhcpv6-client ssh",
" ports:",
" masquerade: no",
" forward-ports:",
" icmp-blocks:",
" rich rules:",
"\trule family=\"ipv4\" source address=\"192.168.122.116\" service name=\"vnc-server\" accept"
],
"runasroot": true
},
{
"outerText": [
"To open a port for TCP traffic in the public zone, issue a command as root as follows:",
"",
"$ firewall-cmd --zone=public --add-port=5904/tcp",
"success"
],
"runasroot": true
},
{
"outerText": [
"To view the ports that are currently open for the public zone, issue a command as follows:",
"",
"$ firewall-cmd --zone=public --list-ports",
"5904/tcp"
],
"runasroot": true
},
{
"outerText": [
"To connect to a VNC server using SSH, enter a command as follows:",
"",
"$ vncviewer -via USER_2@192.168.2.101:3"
],
"runasroot": false
},
{
"outerText": [
"A graceful stop is used by default when the service is stopped.",
"",
"The command:",
"",
"service httpd configtest",
"",
"is replaced by",
"",
"apachectl configtest"
],
"runasroot": false
},
{
"outerText": [
"To restart the service completely, enter the following command as root:",
"",
"$ systemctl restart httpd.service",
"",
"This stops the running httpd service and immediately starts it again. Use this command after installing or removing a dynamically loaded module such as PHP."
],
"runasroot": true
},
{
"outerText": [
"To only reload the configuration, as root, type:",
"",
"$ systemctl reload httpd.service",
"",
"This causes the running httpd service to reload its configuration file. Any requests currently being processed will be interrupted, which may cause a client browser to display an error message or render a partial page."
],
"runasroot": true
},
{
"outerText": [
"To reload the configuration without affecting active requests, enter the following command as root:",
"",
"$ apachectl graceful",
"",
"This causes the running httpd service to reload its configuration file. Any requests currently being processed will continue to use the old configuration."
],
"runasroot": true
},
{
"outerText": [
"As root, open the /etc/httpd/conf.d/ssl.conf file and search for all instances of the SSLProtocol directive. By default, the configuration file contains one section that looks as follows:",
"",
"$ vi /etc/httpd/conf.d/ssl.conf",
"# SSL Protocol support:",
"# List the enable protocol levels with which clients will be able to",
"# connect. Disable SSLv2 access by default:",
"SSLProtocol all -SSLv2",
"",
"This section is within the VirtualHost section."
],
"runasroot": true
},
{
"outerText": [
"Edit the SSLProtocol line as follows:",
"",
"# SSL Protocol support:",
"# List the enable protocol levels with which clients will be able to",
"# connect. Disable SSLv2 access by default:",
"SSLProtocol all -SSLv2 -SSLv3",
"",
"Repeat this action for all VirtualHost sections. Save and close the file."
],
"runasroot": false
},
{
"outerText": [
"Verify that all occurrences of the SSLProtocol directive have been changed as follows:",
"",
"$ grep SSLProtocol /etc/httpd/conf.d/ssl.conf",
"SSLProtocol all -SSLv2 -SSLv3",
"",
"This step is particularly important if you have more than the one default VirtualHost section."
],
"runasroot": true
},
{
"outerText": [
"Restart the Apache daemon as follows:",
"",
"$ systemctl restart httpd",
"",
"Note that any sessions will be interrupted."
],
"runasroot": true
},
{
"outerText": [
"As root, open the /etc/httpd/conf.d/ssl.conf file and search for all instances of the SSLProtocol directive. By default, the file contains one section that looks as follows:",
"",
"$ vi /etc/httpd/conf.d/ssl.conf",
"# SSL Protocol support:",
"# List the enable protocol levels with which clients will be able to",
"# connect. Disable SSLv2 access by default:",
"SSLProtocol all -SSLv2"
],
"runasroot": true
},
{
"outerText": [
"Edit the SSLProtocol line as follows:",
"",
"# SSL Protocol support:",
"# List the enable protocol levels with which clients will be able to",
"# connect. Disable SSLv2 access by default:",
"SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2",
"",
"Save and close the file."
],
"runasroot": false
},
{
"outerText": [
"Verify the change as follows:",
"",
"$ grep SSLProtocol /etc/httpd/conf.d/ssl.conf",
"SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2"
],
"runasroot": true
},
{
"outerText": [
"Restart the Apache daemon as follows:",
"",
"$ systemctl restart httpd",
"",
"Note that any sessions will be interrupted."
],
"runasroot": true
},
{
"outerText": [
"Install mod_nss as root:",
"",
"$ yum install mod_nss",
"",
"This will create the mod_nss configuration file at /etc/httpd/conf.d/nss.conf. The /etc/httpd/conf.d/ directory is included in the main Apache HTTP Server configuration file by default. For the module to be loaded, restart the httpd service as described in Section 14.1.3.3, “Restarting the Service”."
],
"runasroot": true
},
{
"outerText": [
"As root, open the /etc/httpd/conf.d/nss.conf file and search for all instances of the Listen directive.",
"",
"Edit the Listen 8443 line as follows:",
"",
"Listen 443",
"",
"Port 443 is the default port for HTTPS."
],
"runasroot": false
},
{
"outerText": [
"Edit the default VirtualHost default:8443 line as follows:",
"",
"VirtualHost default:443",
"",
"Edit any other non-default virtual host sections if they exist. Save and close the file."
],
"runasroot": false
},
{
"outerText": [
"Mozilla NSS stores certificates in a server certificate database indicated by the NSSCertificateDatabase directive in the /etc/httpd/conf.d/nss.conf file. By default the path is set to /etc/httpd/alias, the NSS database created during installation.",
"",
"To view the default NSS database, issue a command as follows:",
"",
"$ certutil -L -d /etc/httpd/alias",
"",
"Certificate Nickname Trust Attributes",
" SSL,S/MIME,JAR/XPI",
"",
"cacert CTu,Cu,Cu",
"Server-Cert u,u,u",
"alpha u,pu,u",
"",
"In the above command output, Server-Cert is the default NSSNickname. The -L option lists all the certificates, or displays information about a named certificate, in a certificate database. The -d option specifies the database directory containing the certificate and key database files. See the certutil(1) man page for more command line options."
],
"runasroot": true
},
{
"outerText": [
"To configure mod_nss to use another database, edit the NSSCertificateDatabase line in the /etc/httpd/conf.d/nss.conf file. The default file has the following lines within the VirtualHost section.",
"",
"# Server Certificate Database:",
"# The NSS security database directory that holds the certificates and",
"# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.",
"# Provide the directory that these files exist.",
"NSSCertificateDatabase /etc/httpd/alias",
"",
"In the above command output, alias is the default NSS database directory, /etc/httpd/alias/."
],
"runasroot": false
},
{
"outerText": [
"To apply a password to the default NSS certificate database, use the following command as root:",
"",
"$ certutil -W -d /etc/httpd/alias",
"Enter Password or Pin for \"NSS Certificate DB\":",
"Enter a password which will be used to encrypt your keys.",
"The password should be at least 8 characters long,",
"and should contain at least one non-alphabetic character.",
"",
"Enter new password:",
"Re-enter password:",
"Password changed successfully."
],
"runasroot": true
},
{
"outerText": [
"The certutil command is used to add a CA certificate to the NSS database files:",
"",
"certutil -d /etc/httpd/nss-db-directory/ -A -n \"CA_certificate\" -t CT,, -a -i certificate.pem",
"",
"The above command adds a CA certificate stored in a PEM-formatted file named certificate.pem. The -d option specifies the NSS database directory containing the certificate and key database files, the -n option sets a name for the certificate, -t CT,, means that the certificate is trusted to be used in TLS clients and servers. The -A option adds an existing certificate to a certificate database. If the database does not exist it will be created. The -a option allows the use of ASCII format for input or output, and the -i option passes the certificate.pem input file to the command.",
"",
"See the certutil(1) man page for more command line options."
],
"runasroot": false
},
{
"outerText": [
"The certutil tool can be used set a password for an NSS database as follows:",
"",
"certutil -W -d /etc/httpd/nss-db-directory/",
"",
"For example, for the default database, issue a command as root as follows:",
"",
"$ certutil -W -d /etc/httpd/alias",
"Enter Password or Pin for \"NSS Certificate DB\":",
"Enter a password which will be used to encrypt your keys.",
"The password should be at least 8 characters long,",
"and should contain at least one non-alphabetic character.",
"",
"Enter new password:",
"Re-enter password:",
"Password changed successfully."
],
"runasroot": true
},
{
"outerText": [
"Configure mod_nss to use the NSS internal software token by changing the line with the NSSPassPhraseDialog directive as follows:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSPassPhraseDialog file:/etc/httpd/password.conf",
"",
"This is to avoid manual password entry on system start. The software token exists in the NSS database but you can also have a physical token containing your certificates."
],
"runasroot": true
},
{
"outerText": [
"If the SSL Server Certificate contained in the NSS database is an RSA certificate, make certain that the NSSNickname parameter is uncommented and matches the nickname displayed in step 4 above:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSNickname Server-Cert",
"",
"If the SSL Server Certificate contained in the NSS database is an ECC certificate, make certain that the NSSECCNickname parameter is uncommented and matches the nickname displayed in step 4 above:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSECCNickname Server-Cert",
"",
"Make certain that the NSSCertificateDatabase parameter is uncommented and points to the NSS database directory displayed in step 4 or configured in step 5 above:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSCertificateDatabase /etc/httpd/alias",
"",
"Replace /etc/httpd/alias with the path to the certificate database to be used."
],
"runasroot": true
},
{
"outerText": [
"Create the /etc/httpd/password.conf file as root:",
"",
"$ vi /etc/httpd/password.conf",
"",
"Add a line with the following form:",
"",
"internal:password",
"",
"Replacing password with the password that was applied to the NSS security databases in step 6 above."
],
"runasroot": true
},
{
"outerText": [
"Apply the appropriate ownership and permissions to the /etc/httpd/password.conf file:",
"",
"$ chgrp apache /etc/httpd/password.conf",
"$ chmod 640 /etc/httpd/password.conf",
"$ ls -l /etc/httpd/password.conf",
"-rw-r-----. 1 root apache 10 Dec 4 17:13 /etc/httpd/password.conf"
],
"runasroot": true
},
{
"outerText": [
"To configure mod_nss to use the NSS the software token in /etc/httpd/password.conf, edit /etc/httpd/conf.d/nss.conf as follows:",
"",
"$ vi /etc/httpd/conf.d/nss.conf"
],
"runasroot": true
},
{
"outerText": [
"As root, open the /etc/httpd/conf.d/nss.conf file and search for all instances of the NSSProtocol directive. By default, the configuration file contains one section that looks as follows:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"# SSL Protocol:",
"output omitted",
"# Since all protocol ranges are completely inclusive, and no protocol in the",
"# middle of a range may be excluded, the entry \"NSSProtocol SSLv3,TLSv1.1\"",
"# is identical to the entry \"NSSProtocol SSLv3,TLSv1.0,TLSv1.1\".",
"NSSProtocol SSLv3,TLSv1.0,TLSv1.1",
"",
"This section is within the VirtualHost section."
],
"runasroot": true
},
{
"outerText": [
"Edit the NSSProtocol line as follows:",
"",
"# SSL Protocol:",
"NSSProtocol TLSv1.0,TLSv1.1",
"",
"Repeat this action for all VirtualHost sections."
],
"runasroot": false
},
{
"outerText": ["Edit the Listen 8443 line as follows:", "", "Listen 443"],
"runasroot": false
},
{
"outerText": [
"Edit the default VirtualHost default:8443 line as follows:",
"",
"VirtualHost default:443",
"",
"Edit any other non-default virtual host sections if they exist. Save and close the file."
],
"runasroot": false
},
{
"outerText": [
"Verify that all occurrences of the NSSProtocol directive have been changed as follows:",
"",
"$ grep NSSProtocol /etc/httpd/conf.d/nss.conf",
"# middle of a range may be excluded, the entry \"NSSProtocol SSLv3,TLSv1.1\"",
"# is identical to the entry \"NSSProtocol SSLv3,TLSv1.0,TLSv1.1\".",
"NSSProtocol TLSv1.0,TLSv1.1",
"",
"This step is particularly important if you have more than one VirtualHost section."
],
"runasroot": true
},
{
"outerText": [
"Restart the Apache daemon as follows:",
"",
"$ service httpd restart",
"",
"Note that any sessions will be interrupted."
],
"runasroot": true
},
{
"outerText": [
"http://localhost/manual/ — The official documentation for the Apache HTTP Server with the full description of its directives and available modules. Note that in order to access this documentation, you must have the httpd-manual package installed, and the web server must be running.",
"",
"Before accessing the documentation, issue the following commands as root:",
"",
"~] yum install httpd-manual ~] apachectl graceful"
],
"runasroot": false
},
{
"outerText": [
"Edit the /etc/dovecot/dovecot.conf configuration file to make sure the protocols variable is uncommented (remove the hash sign (#) at the beginning of the line) and contains the pop3 argument. For example:",
"",
"protocols = imap pop3 lmtp",
"",
"When the protocols variable is left commented out, dovecot will use the default values as described above."
],
"runasroot": false
},
{
"outerText": [
"Make the change operational for the current session by running the following command as root:",
"",
"$ systemctl restart dovecot"
],
"runasroot": true
},
{
"outerText": [
"Make the change operational after the next reboot by running the command:",
"",
"$ systemctl enable dovecot",
"Created symlink from /etc/systemd/system/multi-user.target.wants/dovecot.service to /usr/lib/systemd/system/dovecot.service.",
"NOTE",
"",
"Please note that dovecot only reports that it started the IMAP server, but also starts the POP3 server."
],
"runasroot": true
},
{
"outerText": [
"Edit the /etc/dovecot/conf.d/10-ssl.conf configuration to make sure the ssl_protocols variable is uncommented and contains the !SSLv2 !SSLv3 arguments:",
"",
"ssl_protocols = !SSLv2 !SSLv3",
"",
"These values ensure that dovecot avoids SSL versions 2 and also 3, which are both known to be insecure. This is due to the vulnerability described in POODLE: SSLv3 vulnerability (CVE-2014-3566). See Resolution for POODLE SSL 3.0 vulnerability (CVE-2014-3566) in Postfix and Dovecot for details.",
"",
"Make sure that /etc/dovecot/conf.d/10-ssl.conf contains the following option:",
"",
" ssl=required"
],
"runasroot": false
},
{
"outerText": [
"Execute the /usr/libexec/dovecot/mkcert.sh script which creates the dovecot self signed certificates. These certificates are copied in the /etc/pki/dovecot/certs and /etc/pki/dovecot/private directories. To implement the changes, restart dovecot by issuing the following command as root:",
"",
"$ systemctl restart dovecot"
],
"runasroot": true
},
{
"outerText": [
"INCLUDERC — Specifies additional rc files containing more recipes for messages to be checked against. This breaks up the Procmail recipe lists into individual files that fulfill different roles, such as blocking spam and managing email lists, that can then be turned off or on by using comment characters in the user’s ~/.procmailrc file.",
"",
"For example, lines in a user’s ~/.procmailrc file may look like this:",
"",
"MAILDIR=$HOME/Msgs",
"INCLUDERC=$MAILDIR/lists.rc",
"INCLUDERC=$MAILDIR/spam.rc",
"",
"To turn off Procmail filtering of email lists but leaving spam control in place, comment out the first INCLUDERC line with a hash sign (#). Note that it uses paths relative to the current directory."
],
"runasroot": false
},
{
"outerText": ["Install the samba package:", "", "$ yum install samba"],
"runasroot": true
},
{
"outerText": [
"Edit the /etc/samba/smb.conf file and set the following parameters:",
"",
"[global]",
"\tworkgroup = Example-WG",
"\tnetbios name = Server",
"\tsecurity = user",
"",
"\tlog file = /var/log/samba/%m.log",
"\tlog level = 1",
"",
"This configuration defines a standalone server named Server within the Example-WG work group. Additionally, this configuration enables logging on a minimal level (1) and log files will be stored in the /var/log/samba/ directory. Samba will expand the %m macro in the log file parameter to the NetBIOS name of connecting clients. This enables individual log files for each client.",
"",
"For further details, see the parameter descriptions in the smb.conf(5) man page."
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Open the required ports and reload the firewall configuration by using the firewall-cmd utility:",
"",
"$ firewall-cmd --permanent --add-port={139/tcp,445/tcp}",
"$ firewall-cmd --reload"
],
"runasroot": true
},
{
"outerText": ["Start the smb service:", "", "$ systemctl start smb"],
"runasroot": true
},
{
"outerText": [
"Optionally, enable the smb service to start automatically when the system boots:",
"",
"$ systemctl enable smb"
],
"runasroot": true
},
{
"outerText": [
"Create the operating system account:",
"",
"$ useradd -M -s /sbin/nologin example",
"",
"The previous command adds the example account without creating a home directory. If the account is only used to authenticate to Samba, assign the /sbin/nologin command as shell to prevent the account from logging in locally."
],
"runasroot": true
},
{
"outerText": [
"Set a password to the operating system account to enable it:",
"",
"$ passwd example",
"Enter new UNIX password: password",
"Retype new UNIX password: password",
"passwd: password updated successfully",
"",
"Samba does not use the password set on the operating system account to authenticate. However, you need to set a password to enable the account. If an account is disabled, Samba denies access if this user connects."
],
"runasroot": true
},
{
"outerText": [
"Add the user to the Samba database and set a password to the account:",
"",
"$ smbpasswd -a example",
"New SMB password: password",
"Retype new SMB password: password",
"Added user example.",
"",
"Use this password to authenticate when using this account to connect to a Samba share."
],
"runasroot": true
},
{
"outerText": [
"Enable the Samba account:",
"",
"$ smbpasswd -e example",
"Enabled user example."
],
"runasroot": true
},
{
"outerText": [
"Install the following packages:",
"",
"$ yum install realmd oddjob-mkhomedir oddjob samba-winbind-clients \\",
" samba-winbind samba-common-tools"
],
"runasroot": true
},
{
"outerText": [
"To share directories or printers on the domain member, install the samba package:",
"",
"$ yum install samba"
],
"runasroot": true
},
{
"outerText": [
"If you join an AD, additionally install the samba-winbind-krb5-locator package:",
"",
"$ yum install samba-winbind-krb5-locator",
"",
"This plug-in enables Kerberos to locate the Key Distribution Center (KDC) based on AD sites using DNS service records."
],
"runasroot": true
},
{
"outerText": [
"Optionally, rename the existing /etc/samba/smb.conf Samba configuration file:",
"",
"$ mv /etc/samba/smb.conf /etc/samba/smb.conf.old"
],
"runasroot": true
},
{
"outerText": [
"Join the domain. For example, to join a domain named ad.example.com",
"",
"$ realm join --membership-software=samba --client-software=winbind ad.example.com",
"",
"Using the previous command, the realm utility automatically:",
"",
"Creates a /etc/samba/smb.conf file for a membership in the ad.example.com domain",
"Adds the winbind module for user and group lookups to the /etc/nsswitch.conf file",
"Updates the Pluggable Authentication Module (PAM) configuration files in the /etc/pam.d/ directory",
"",
"Starts the winbind service and enables the service to start when the system boots",
"",
"For further details about the realm utility, see the realm(8) man page and the corresponding section in the Red Hat Windows Integration Guide."
],
"runasroot": true
},
{
"outerText": [
"Verify that the winbindd is running:",
"",
"$ systemctl status winbind",
"IMPORTANT",
"",
"To enable Samba to query domain user and group information, the winbindd service must be running before you start smbd."
],
"runasroot": true
},
{
"outerText": [
"If you installed the samba package to share directories and printers, start the smbd service:",
"",
"$ systemctl start smb"
],
"runasroot": true
},
{
"outerText": [
"To query the administrator account in the AD domain:",
"",
"$ getent passwd AD\\\\administrator",
"AD\\administrator:*:10000:10000::/home/administrator@AD:/bin/bash"
],
"runasroot": true
},
{
"outerText": [
"To query the members of the Domain Users group in the AD domain:",
"",
"$ getent group \"AD\\\\Domain Users\"",
"AD\\domain users:x:10000:user"
],
"runasroot": true
},
{
"outerText": [
"Obtain a ticket for the administrator@AD.EXAMPLE.COM principal:",
"",
"$ kinit administrator@AD.EXAMPLE.COM"
],
"runasroot": true
},
{
"outerText": [
"Display the cached Kerberos ticket:",
"",
"$ klist",
"Ticket cache: KEYRING:persistent:0:0",
"Default principal: administrator@AD.EXAMPLE.COM",
"",
"Valid starting Expires Service principal",
"11.09.2017 14:46:21 12.09.2017 00:46:21 krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM",
"\trenew until 18.09.2017 14:46:19"
],
"runasroot": true
},
{
"outerText": [
"Add an ID mapping configuration for the default domain (*) if it does not exist. For example:",
"",
"idmap config * : backend = tdb",
"idmap config * : range = 10000-999999",
"",
"For further details about the default domain configuration, see Section 16.1.5.3.2, “The * Default Domain”."
],
"runasroot": false
},
{
"outerText": [
"Enable the ad ID mapping back end for the AD domain:",
"",
"idmap config DOMAIN : backend = ad"
],
"runasroot": false
},
{
"outerText": [
"Set the range of IDs that is assigned to users and groups in the AD domain. For example:",
"",
"idmap config DOMAIN : range = 2000000-2999999",
"IMPORTANT",
"",
"The range must not overlap with any other domain configuration on this server. Additionally, the range must be set big enough to include all IDs assigned in the future. For further details, see Section 16.1.5.3.1, “Planning ID Ranges”."
],
"runasroot": false
},
{
"outerText": [
"Set that Samba uses the RFC 2307 schema when reading attributes from AD:",
"",
"idmap config DOMAIN : schema_mode = rfc2307"
],
"runasroot": false
},
{
"outerText": [
"To enable Samba to read the login shell and the path to the users home directory from the corresponding AD attribute, set:",
"",
"idmap config DOMAIN : unix_nss_info = yes",
"",
"Alternatively, you can set a uniform domain-wide home directory path and login shell that is applied to all users. For example:",
"",
"template shell = /bin/bash",
"template homedir = /home/%U",
"",
"For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page."
],
"runasroot": false
},
{
"outerText": [
"By default, Samba uses the primaryGroupID attribute of a user object as the user’s primary group on Linux. Alternatively, you can configure Samba to use the value set in the gidNumber attribute instead:",
"",
"idmap config DOMAIN : unix_primary_group = yes"
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Reload the Samba configuration:",
"",
"$ smbcontrol all reload-config"
],
"runasroot": true
},
{
"outerText": [
"Add an ID mapping configuration for the default domain (*) if it does not exist. For example:",
"",
"idmap config * : backend = tdb",
"idmap config * : range = 10000-999999",
"",
"For further details about the default domain configuration, see Section 16.1.5.3.2, “The * Default Domain”."
],
"runasroot": false
},
{
"outerText": [
"Enable the rid ID mapping back end for the domain:",
"",
"idmap config DOMAIN : backend = rid"
],
"runasroot": false
},
{
"outerText": [
"Set a range that is big enough to include all RIDs that will be assigned in the future. For example:",
"",
"idmap config DOMAIN : range = 2000000-2999999",
"",
"Samba ignores users and groups whose RIDs in this domain are not within the range.",
"",
"IMPORTANT",
"",
"The range must not overlap with any other domain configuration on this server. For further details, see Section 16.1.5.3.1, “Planning ID Ranges”."
],
"runasroot": false
},
{
"outerText": [
"Set a shell and home directory path that will be assigned to all mapped users. For example:",
"",
"template shell = /bin/bash",
"template homedir = /home/%U",
"",
"For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page."
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Reload the Samba configuration:",
"",
"$ smbcontrol all reload-config"
],
"runasroot": true
},
{
"outerText": [
"Enable the autorid ID mapping back end for the * default domain:",
"",
"idmap config * : backend = autorid"
],
"runasroot": false
},
{
"outerText": [
"Set a range that is big enough to assign IDs for all existing and future objects. For example:",
"",
"idmap config * : range = 10000-999999",
"",
"Samba ignores users and groups whose calculated IDs in this domain are not within the range. For details about how the back end calculated IDs, see the THE MAPPING FORMULAS section in the idmap_autorid(8) man page.",
"",
"WARNING",
"",
"After you set the range and Samba starts using it, you can only increase the upper limit of the range. Any other change to the range can result in new ID assignments, and thus in loosing file ownerships."
],
"runasroot": false
},
{
"outerText": [
"Optionally, set a range size. For example:",
"",
"idmap config * : rangesize = 200000",
"",
"Samba assigns this number of continuous IDs for each domain’s object until all IDs from the range set in the idmap config * : range parameter are taken. For further details, see the rangesize parameter description in the idmap_autorid(8) man page."
],
"runasroot": false
},
{
"outerText": [
"Set a shell and home directory path that will be assigned to all mapped users. For example:",
"",
"template shell = /bin/bash",
"template homedir = /home/%U",
"",
"For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page."
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Reload the Samba configuration:",
"",
"$ smbcontrol all reload-config"
],
"runasroot": true
},
{
"outerText": [
"Optionally, create the folder if it does not exist. For example:",
"",
"$ mkdir -p /srv/samba/example/"
],
"runasroot": true
},
{
"outerText": [
"If you run SELinux in enforcing mode, set the samba_share_t context on the directory:",
"",
"$ semanage fcontext -a -t samba_share_t \"/srv/samba/example(/.*)?\"",
"$ restorecon -Rv /srv/samba/example/"
],
"runasroot": true
},
{
"outerText": [
"Add the example share to the /etc/samba/smb.conf file. For example, to add the share write-enabled:",
"",
"[example]",
"\tpath = /srv/samba/example/",
"\tread only = no",
"NOTE",
"",
"Regardless of the file system ACLs; if you do not set read only = no, Samba shares the directory in read-only mode."
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Open the required ports and reload the firewall configuration using the firewall-cmd utility:",
"",
"$ firewall-cmd --permanent --add-service=samba",
"$ firewall-cmd --reload"
],
"runasroot": true
},
{
"outerText": ["Restart the smb service:", "", "$ systemctl restart smb"],
"runasroot": true
},
{
"outerText": [
"Optionally, enable the smb service to start automatically at boot time:",
"",
"$ systemctl enable smb"
],
"runasroot": true
},
{
"outerText": [
"Enable the following parameter in the share’s section in the /etc/samba/smb.conf file to enable ACL inheritance of extended ACLs:",
"",
"inherit acls = yes",
"",
"For details, see the parameter description in the smb.conf(5) man page."
],
"runasroot": false
},
{
"outerText": ["Restart the smb service:", "", "$ systemctl restart smb"],
"runasroot": true
},
{
"outerText": [
"Optionally, enable the smb service to start automatically at boot time:",
"",
"$ systemctl enable smb"
],
"runasroot": true
},
{
"outerText": [
"Disable auto-granting permissions to the primary group of user accounts:",
"",
"$ setfacl -m group::--- /srv/samba/example/",
"$ setfacl -m default:group::--- /srv/samba/example/",
"",
"The primary group of the directory is additionally mapped to the dynamic CREATOR GROUP principal. When you use extended POSIX ACLs on a Samba share, this principal is automatically added and you cannot remove it."
],
"runasroot": true
},
{
"outerText": [
"Grant read, write, and execute permissions to the Domain Admins group:",
"",
"$ setfacl -m group:\"DOMAIN\\Domain Admins\":rwx /srv/samba/example/"
],
"runasroot": true
},
{
"outerText": [
"Grant read and execute permissions to the Domain Users group:",
"",
"$ setfacl -m group:\"DOMAIN\\Domain Users\":r-x /srv/samba/example/"
],
"runasroot": true
},
{
"outerText": [
"Set permissions for the other ACL entry to deny access to users that do not match the other ACL entries:",
"",
"$ setfacl -R -m other::--- /srv/samba/example/",
"",
"These settings apply only to this directory. In Windows, these ACLs are mapped to the This folder only mode."
],
"runasroot": true
},
{
"outerText": [
"To enable the permissions set in the previous step to be inherited by new file system objects created in this directory:",
"",
"$ setfacl -m default:group:\"DOMAIN\\Domain Admins\":rwx /srv/samba/example/",
"$ setfacl -m default:group:\"DOMAIN\\Domain Users\":r-x /srv/samba/example/",
"$ setfacl -m default:other::--- /srv/samba/example/",
"",
"With these settings, the This folder only mode for the principals is now set to This folder, subfolders, and files."
],
"runasroot": true
},
{
"outerText": [
"Add the following parameters to the configuration of the share in the /etc/samba/smb.conf:",
"",
"hosts allow = 127.0.0.1 192.0.2.0/24 client1.example.com",
"hosts deny = client2.example.com"
],
"runasroot": false
},
{
"outerText": [
"Reload the Samba configuration",
"",
"$ smbcontrol all reload-config"
],
"runasroot": true
},
{
"outerText": [
"Optionally, create the folder if it does not exists. For example:",
"",
"$ mkdir -p /srv/samba/example/"
],
"runasroot": true
},
{
"outerText": [
"If you run SELinux in enforcing mode, set the samba_share_t context on the directory:",
"",
"$ semanage fcontext -a -t samba_share_t \"/srv/samba/example(/.*)?\"",
"$ restorecon -Rv /srv/samba/example/"
],
"runasroot": true
},
{
"outerText": [
"Add the example share to the /etc/samba/smb.conf file. For example, to add the share write-enabled:",
"",
"[example]",
"\tpath = /srv/samba/example/",
"\tread only = no",
"NOTE",
"",
"Regardless of the file system ACLs; if you do not set read only = no, Samba shares the directory in read-only mode."
],
"runasroot": false
},
{
"outerText": [
"If you have not enabled Windows ACL support in the [global] section for all shares, add the following parameters to the [example] section to enable this feature for this share:",
"",
"vfs objects = acl_xattr",
"map acl inherit = yes",
"store dos attributes = yes"
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Open the required ports and reload the firewall configuration using the firewall-cmd utility:",
"",
"$ firewall-cmd --permanent --add-service=samba",
"$ firewall-cmd --reload"
],
"runasroot": true
},
{
"outerText": ["Restart the smb service:", "", "$ systemctl restart smb"],
"runasroot": true
},
{
"outerText": [
"Optionally, enable the smb service to start automatically at boot time:",
"",
"$ systemctl enable smb"
],
"runasroot": true
},
{
"outerText": [
"Create the local example group, if it does not exist:",
"",
"$ groupadd example"
],
"runasroot": true
},
{
"outerText": [
"Create the directory:",
"",
"$ mkdir -p /var/lib/samba/usershares/"
],
"runasroot": true
},
{
"outerText": [
"Set write permissions for the example group:",
"",
"$ chgrp example /var/lib/samba/usershares/",
"$ chmod 1770 /var/lib/samba/usershares/",
"",
"Set the sticky bit to prevent users to rename or delete files stored by other users in this directory."
],
"runasroot": true
},
{
"outerText": [
"Set the path to the directory you configured to store the user share definitions. For example:",
"",
"usershare path = /var/lib/samba/usershares/"
],
"runasroot": false
},
{
"outerText": [
"Set how many user shares Samba allows to be created on this server. For example:",
"",
"usershare max shares = 100",
"",
"If you use the default of 0 for the usershare max shares parameter, user shares are disabled."
],
"runasroot": false
},
{
"outerText": [
"Optionally, set a list of absolute directory paths. For example, to configure Samba to allow only subdirectories of the /data and /srv directories to be shared, set:",
"",
"usershare prefix allow list = /data /srv",
"",
"For a list of further user share-related parameters you can set, see the USERSHARES section in the smb.conf(5) man page."
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Reload the Samba configuration:",
"",
"$ smbcontrol all reload-config"
],
"runasroot": true
},
{
"outerText": [
"Set map to guest = Bad User in the [global] section:",
"",
"[global]",
"\t...",
"\tmap to guest = Bad User",
"",
"With this setting, Samba rejects login attempts that use an incorrect password unless the user name does not exist. If the specified user name does not exist and guest access is enabled on a share, Samba treats the connection as a guest login."
],
"runasroot": false
},
{
"outerText": [
"By default, Samba maps the guest account to the nobody account on Red Hat Enterprise Linux. Optionally, you can set a different account. For example:",
"",
"[global]",
"\t...",
"\tguest account = user_name",
"",
"The account set in this parameter must exist locally on the Samba server. For security reasons, Red Hat recommends using an account that does not have a valid shell assigned."
],
"runasroot": false
},
{
"outerText": [
"Add the guest ok = yes setting to the [example] section:",
"",
"[example]",
"\t...",
"\tguest ok = yes"
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Reload the Samba configuration:",
"",
"$ smbcontrol all reload-config"
],
"runasroot": true
},
{
"outerText": [
"Add the following parameters:",
"",
"rpc_server:spoolss = external",
"rpc_daemon:spoolssd = fork"
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": ["Restart the smb service:", "", "$ systemctl restart smb"],
"runasroot": true
},
{
"outerText": [
"If you want to enable the spoolssd service, add the following parameters to the [global] section:",
"",
"rpc_server:spoolss = external",
"rpc_daemon:spoolssd = fork",
"",
"For further details, see Section 16.1.7.1, “The Samba spoolssd Service”."
],
"runasroot": false
},
{
"outerText": [
"To configure the printing back end, add the [printers] section:",
"",
"[printers]",
"\tcomment = All Printers",
"\tpath = /var/tmp/",
"\tprintable = yes",
"\tcreate mask = 0600",
"IMPORTANT",
"",
"The printers share name is hard-coded and cannot be changed."
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Open the required ports and reload the firewall configuration using the firewall-cmd utility:",
"",
"$ firewall-cmd --permanent --add-service=samba",
"$ firewall-cmd --reload"
],
"runasroot": true
},
{
"outerText": ["Restart the smb service:", "", "$ systemctl restart smb"],
"runasroot": true
},
{
"outerText": [
"In the [global] section, disable automatic printer sharing by setting:",
"",
"load printers = no"
],
"runasroot": false
},
{
"outerText": [
"Add a section for each printer you want to share. For example, to share the printer named example in the CUPS back end as Example-Printer in Samba, add the following section:",
"",
"[Example-Printer]",
"\tpath = /var/tmp/",
"\tprintable = yes",
"\tprinter name = example",
"",
"You do not need individual spool directories for each printer. You can set the same spool directory in the path parameter for the printer as you set in the [printers] section."
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Reload the Samba configuration:",
"",
"$ smbcontrol all reload-config"
],
"runasroot": true
},
{
"outerText": [
"Add the [print$] section to the /etc/samba/smb.conf file:",
"",
"[print$]",
"\tpath = /var/lib/samba/drivers/",
"\tread only = no",
"\twrite list = @printadmin",
"\tforce group = @printadmin",
"\tcreate mask = 0664",
"\tdirectory mask = 2775",
"",
"Using these settings:",
"",
"Only members of the printadmin group can upload printer drivers to the share.",
"The group of newly created files and directories is set to printadmin.",
"The permissions of new files will be set to 664.",
"The permissions of new directories will be set to 2775."
],
"runasroot": false
},
{
"outerText": [
"To upload only 64-bit drivers for a printer, include this setting in the [global] section in the /etc/samba/smb.conf file:",
"",
"spoolss: architecture = Windows x64",
"",
"Without this setting, Windows only displays drivers for which you have uploaded at least the 32-bit version."
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Reload the Samba configuration:",
"",
"$ smbcontrol all reload-config"
],
"runasroot": true
},
{
"outerText": [
"Create the printadmin group if it does not exist:",
"",
"$ groupadd printadmin"
],
"runasroot": true
},
{
"outerText": [
"Grant the SePrintOperatorPrivilege privilege to the printadmin group:",
"",
"$ net rpc rights grant \"printadmin\" SePrintOperatorPrivilege \\",
" -U \"DOMAIN\\administrator\"",
"Enter DOMAIN\\administrator's password:",
"Successfully granted rights.",
"",
"For further details, see Section 16.1.7.4.2, “Enabling Users to Upload and Preconfigure Drivers”."
],
"runasroot": true
},
{
"outerText": [
"If you run SELinux in enforcing mode, set the samba_share_t context on the directory:",
"",
"$ semanage fcontext -a -t samba_share_t \"/var/lib/samba/drivers(/.*)?\"",
"$ restorecon -Rv /var/lib/samba/drivers/"
],
"runasroot": true
},
{
"outerText": [
"If you use POSIX ACLs, set:",
"",
"$ chgrp -R \"printadmin\" /var/lib/samba/drivers/",
"$ chmod -R 2775 /var/lib/samba/drivers/"
],
"runasroot": true
},
{
"outerText": [
"Set the following parameters in the share’s section:",
"",
"case sensitive = true",
"default case = lower",
"preserve case = no",
"short preserve case = no",
"",
"For details about the parameters, see their descriptions in the smb.conf(5) man page."
],
"runasroot": false
},
{
"outerText": [
"Reload the Samba configuration:",
"",
"$ smbcontrol all reload-config"
],
"runasroot": true
},
{
"outerText": [
"For an AD domain member:",
"",
"[global]",
"workgroup = domain_name",
"security = ads",
"passdb backend = tdbsam",
"realm = AD_REALM"
],
"runasroot": false
},
{
"outerText": [
"For an NT4 domain member:",
"",
"[global]",
"workgroup = domain_name",
"security = user",
"passdb backend = tdbsam"
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"To join an AD domain:",
"",
"$ net ads join -U \"DOMAIN\\administrator\""
],
"runasroot": true
},
{
"outerText": [
"To join an NT4 domain:",
"",
"$ net rpc join -U \"DOMAIN\\administrator\""
],
"runasroot": true
},
{
"outerText": [
"Append the winbind source to the passwd and group database entry in the /etc/nsswitch.conf file:",
"",
"passwd: files winbind",
"group: files winbind"
],
"runasroot": false
},
{
"outerText": [
"Enable and start the winbind service:",
"",
"$ systemctl enable winbind",
"$ systemctl start winbind"
],
"runasroot": true
},
{
"outerText": [
"Add the account:",
"",
"$ net user add user password -U \"DOMAIN\\administrator\"",
"User user added"
],
"runasroot": true
},
{
"outerText": [
"Optionally, use the remote procedure call (RPC) shell to enable the account on the AD DC or NT4 PDC. For example:",
"",
"$ net rpc shell -U DOMAIN\\administrator -S DC_or_PDC_name",
"Talking to domain DOMAIN (S-1-5-21-1424831554-512457234-5642315751)",
"",
"net rpc> user edit disabled user no",
"Set user's disabled flag from [yes] to [no]",
"",
"net rpc> exit"
],
"runasroot": true
},
{
"outerText": [
"$ rpcclient server_name -U \"DOMAIN\\administrator\" \\",
" -c 'setdriver \"printer_name\" \"driver_name\"'",
"Enter DOMAIN\\administrator's password:",
"Successfully set printer_name to driver driver_name."
],
"runasroot": true
},
{
"outerText": [
"$ rpcclient server_name -U \"DOMAIN\\administrator\" -c 'netshareenum'",
"Enter DOMAIN\\administrator's password:",
"netname: Example_Share",
"\tremark:",
"\tpath: C:\\srv\\samba\\example_share\\",
"\tpassword:",
"netname: Example_Printer",
"\tremark:",
"\tpath: C:\\var\\spool\\samba\\",
"\tpassword:"
],
"runasroot": true
},
{
"outerText": [
"$ rpcclient server_name -U \"DOMAIN\\administrator\" -c 'enumdomusers'",
"Enter DOMAIN\\administrator's password:",
"user:[user1] rid:[0x3e8]",
"user:[user2] rid:[0x3e9]"
],
"runasroot": true
},
{
"outerText": [
"Connect to the share:",
"",
"$ smbclient -U \"DOMAIN\\user_name\" //server_name/share_name"
],
"runasroot": true
},
{
"outerText": [
"Change into the /example/ directory:",
"",
"smb: \\> cd /example/"
],
"runasroot": false
},
{
"outerText": [
"List the files in the directory:",
"",
"smb: \\example\\> ls",
"  .                                   D        0  Mon Sep  1 10:00:00 2017",
"  ..                                  D        0  Mon Sep  1 10:00:00 2017",
"  example.txt                         N  1048576  Mon Sep  1 10:00:00 2017",
"",
"        9950208 blocks of size 1024. 8247144 blocks available"
],
"runasroot": false
},
{
"outerText": [
"Download the example.txt file:",
"",
"smb: \\example\\> get example.txt",
"getting file \\directory\\subdirectory\\example.txt of size 1048576 as example.txt (511975,0 KiloBytes/sec) (average 170666,7 KiloBytes/sec)"
],
"runasroot": false
},
{
"outerText": ["Disconnect from the share:", "", "smb: \\example\\> exit"],
"runasroot": false
},
{
"outerText": [
"Create a new user:",
"",
"$ smbpasswd -a user_name",
"New SMB password:",
"Retype new SMB password:",
"Added user user_name.",
"NOTE",
"",
"Before you can add a user to the Samba database, you must create the account in the local operating system. See Section 4.3.1, “Adding a New User”."
],
"runasroot": true
},
{
"outerText": [
"Enable a Samba user:",
"",
"$ smbpasswd -e user_name",
"Enabled user user_name."
],
"runasroot": true
},
{
"outerText": [
"Disable a Samba user:",
"",
"$ smbpasswd -d user_name",
"Disabled user user_name."
],
"runasroot": true
},
{
"outerText": [
"Delete a user:",
"",
"$ smbpasswd -x user_name",
"Deleted user user_name."
],
"runasroot": true
},
{
"outerText": [
"List domain users:",
"",
"$ wbinfo -u",
"AD\\administrator",
"AD\\guest",
"..."
],
"runasroot": true
},
{
"outerText": [
"List domain groups:",
"",
"$ wbinfo -g",
"AD\\domain computers",
"AD\\domain admins",
"AD\\domain users",
"..."
],
"runasroot": true
},
{
"outerText": [
"Display the SID of a user:",
"",
"$ wbinfo --name-to-sid=\"AD\\administrator\"",
"S-1-5-21-1762709870-351891212-3141221786-500 SID_USER (1)"
],
"runasroot": true
},
{
"outerText": [
"Display information about domains and trusts:",
"",
"$ wbinfo --trusted-domains --verbose",
"Domain Name   DNS Domain            Trust Type  Transitive  In   Out",
"BUILTIN                             None        Yes         Yes  Yes",
"server                              None        Yes         Yes  Yes",
"DOMAIN1       domain1.example.com   None        Yes         Yes  Yes",
"DOMAIN2       domain2.example.com   External    No          Yes  Yes"
],
"runasroot": true
},
{
"outerText": [
"The Red Hat Samba packages include manual pages for all Samba commands and configuration files the package installs. For example, to display the man page of the /etc/samba/smb.conf file that explains all configuration parameters you can set in this file:",
"",
"$ man 5 smb.conf"
],
"runasroot": true
},
{
"outerText": [
"{blank}",
"vsftpd(8) — Describes available command-line options for vsftpd."
],
"runasroot": false
},
{
"outerText": [
"{blank}",
"vsftpd.conf(5) — Contains a detailed list of options available within the configuration file for vsftpd.",
"hosts_access(5) — Describes the format and options available within the TCP wrappers configuration files: hosts.allow and hosts.deny."
],
"runasroot": false
},
{
"outerText": [
"{blank}",
"ftpd_selinux(8) — Contains a description of the SELinux policy governing ftpd processes as well as an explanation of the way SELinux labels need to be assigned and Booleans set."
],
"runasroot": false
},
{
"outerText": [
"To start the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The Firewall Configuration window opens. You will be prompted for an administrator or root password.",
"",
"Alternatively, to start the graphical firewall configuration tool using the command line, enter the following command as root user:",
"",
"$ firewall-config",
"",
"The Firewall Configuration window opens.",
"",
"Look for the word \"Connected\" in the lower left corner. This indicates that the firewall-config tool is connected to the user space daemon, firewalld.",
"",
"To immediately change the current firewall settings, ensure the drop-down selection menu labeled Configuration is set to Runtime. Alternatively, to edit the settings to be applied at the next system start, or firewall reload, select Permanent from the drop-down list."
],
"runasroot": true
},
{
"outerText": [
"Ensure that the mariadb and mariadb-server packages are installed on the required server:",
"",
"$ yum install mariadb mariadb-server"
],
"runasroot": true
},
{
"outerText": [
"Start the mariadb service:",
"",
"$ systemctl start mariadb.service"
],
"runasroot": true
},
{
"outerText": [
"Enable the mariadb service to start at boot:",
"",
"$ systemctl enable mariadb.service"
],
"runasroot": true
},
{
"outerText": [
"Use this directive to grant access from an IPv4 network:",
"",
"allow 192.0.2.0/24"
],
"runasroot": false
},
{
"outerText": [
"Use this directive to grant access from an IPv6 address:",
"",
"allow 2001:0db8:85a3::8a2e:0370:7334"
],
"runasroot": false
},
{
"outerText": [
"Allow access from both IPv4 and IPv6 addresses by adding the following to the /etc/chrony.conf file:",
"",
"bindcmdaddress 0.0.0.0",
"",
"or",
"",
"bindcmdaddress ::"
],
"runasroot": false
},
{
"outerText": [
"Add the following content to the /etc/chrony.conf file:",
"",
"cmdallow 192.168.1.0/24"
],
"runasroot": false
},
{
"outerText": [
"Open port 323 in the firewall to connect from a remote system.",
"",
"$ firewall-cmd --zone=public --add-port=323/udp",
"",
"If you want to open port 323 permanently, use the --permanent option.",
"",
"$ firewall-cmd --permanent --zone=public --add-port=323/udp"
],
"runasroot": true
},
{
"outerText": [
"The noquery option prevents ntpq and ntpdc queries, but not time queries, from being answered.",
"",
"IMPORTANT",
"",
"The ntpq and ntpdc queries can be used in amplification attacks, therefore do not remove the noquery option from the restrict default command on publicly accessible systems.",
"",
"See CVE-2013-5211 for more details.",
"",
"Addresses within the range 127.0.0.0/8 are sometimes required by various processes or applications. As the \"restrict default\" line above prevents access to everything not explicitly allowed, access to the standard loopback address for IPv4 and IPv6 is permitted by means of the following lines:",
"",
"# the administrative functions.",
"restrict 127.0.0.1",
"restrict ::1",
"",
"Addresses can be added underneath if specifically required by another application.",
"",
"Hosts on the local network are not permitted because of the \"restrict default\" line above. To change this, for example to allow hosts from the 192.0.2.0/24 network to query the time and statistics but nothing more, a line in the following format is required:",
"",
"restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer",
"",
"To allow unrestricted access from a specific host, for example 192.0.2.250/32, a line in the following format is required:",
"",
"restrict 192.0.2.250",
"",
"A mask of 255.255.255.255 is applied if none is specified.",
"",
"The restrict commands are explained in the ntp_acc(5) man page."
],
"runasroot": false
},
{
"outerText": [
"Add the following line to the /etc/sysconfig/ntpdate file:",
"",
"SYNC_HWCLOCK=yes"
],
"runasroot": false
},
{
"outerText": [
"Enable the ntpdate service as root:",
"",
"$ systemctl enable ntpdate.service",
"",
"Note that the ntpdate service uses the NTP servers defined in the /etc/ntp/step-tickers file.",
"",
"NOTE",
"",
"On virtual machines, the hardware clock will be updated on the next boot of the host machine, not of the virtual machine."
],
"runasroot": true
},
{
"outerText": [
"To change to loose mode filtering globally, enter the following commands as root:",
"",
"$ sysctl -w net.ipv4.conf.default.rp_filter=2",
"$ sysctl -w net.ipv4.conf.all.rp_filter=2"
],
"runasroot": true
},
{
"outerText": [
"To change the reverse path filtering mode per network interface, set the net.ipv4.conf.interface.rp_filter sysctl on all PTP interfaces. For example, for an interface with device name em1:",
"",
"$ sysctl -w net.ipv4.conf.em1.rp_filter=2"
],
"runasroot": true
},
{
"outerText": [
"To change the default configuration, open the /etc/timemaster.conf file for editing as root:",
"",
"$ vi /etc/timemaster.conf"
],
"runasroot": true
},
{
"outerText": [
"To add interfaces that should be used in a domain, edit the #[ptp_domain 0] section and add the interfaces. Create additional domains as required. For example:",
"",
"[ptp_domain 0]",
"interfaces eth0",
"",
"[ptp_domain 1]",
"interfaces eth1"
],
"runasroot": false
},
{
"outerText": [
"Save the configuration file and restart timemaster by issuing the following command as root:",
"",
"$ systemctl restart timemaster"
],
"runasroot": true
},
{
"outerText": [
"Install the tog-pegasus package by typing the following at a shell prompt as root:",
"",
"yum install tog-pegasus",
"",
"This command installs the OpenPegasus CIMOM and all its dependencies to the system and creates a user account for the pegasus user."
],
"runasroot": false
},
{
"outerText": [
"Install required CIM providers by running the following command as root:",
"",
"yum install openlmi-{storage,networking,service,account,powermanagement}",
"",
"This command installs the CIM providers for storage, network, service, account, and power management. For a complete list of CIM providers distributed with Red Hat Enterprise Linux 7, see Table 22.1, “Available CIM Providers”."
],
"runasroot": false
},
{
"outerText": [
"Edit the /etc/Pegasus/access.conf configuration file to customize the list of users that are allowed to connect to the OpenPegasus CIMOM. By default, only the pegasus user is allowed to access the CIMOM both remotely and locally. To activate this user account, run the following command as root to set the user’s password:",
"",
"passwd pegasus"
],
"runasroot": false
},
{
"outerText": [
"Start the OpenPegasus CIMOM by activating the tog-pegasus.service unit. To activate the tog-pegasus.service unit in the current session, type the following at a shell prompt as root:",
"",
"systemctl start tog-pegasus.service",
"",
"To configure the tog-pegasus.service unit to start automatically at boot time, type as root:",
"",
"systemctl enable tog-pegasus.service"
],
"runasroot": false
},
{
"outerText": [
"If you intend to interact with the managed system from a remote machine, enable TCP communication on port 5989 (wbem-https). To open this port in the current session, run the following command as root:",
"",
"firewall-cmd --add-port 5989/tcp",
"",
"To open port 5989 for TCP communication permanently, type as root:",
"",
"firewall-cmd --permanent --add-port 5989/tcp"
],
"runasroot": false
},
{
"outerText": [
"Install the openlmi-tools package by typing the following at a shell prompt as root:",
"",
"yum install openlmi-tools",
"",
"This command installs LMIShell, an interactive client and interpreter for accessing CIM objects provided by OpenPegasus, and all its dependencies to the system."
],
"runasroot": false
},
{
"outerText": [
"Copy the /etc/Pegasus/server.pem certificate from the managed system to the /etc/pki/ca-trust/source/anchors/ directory on the client system. To do so, type the following at a shell prompt as root:",
"",
"scp root@hostname:/etc/Pegasus/server.pem /etc/pki/ca-trust/source/anchors/pegasus-hostname.pem",
"",
"Replace hostname with the host name of the managed system. Note that this command only works if the sshd service is running on the managed system and is configured to allow the root user to log in to the system over the SSH protocol. For more information on how to install and configure the sshd service and use the scp command to transfer files over the SSH protocol, see Chapter 12, OpenSSH."
],
"runasroot": false
},
{
"outerText": [
"Verify the integrity of the certificate on the client system by comparing its checksum with the checksum of the original file. To calculate the checksum of the /etc/Pegasus/server.pem file on the managed system, run the following command as root on that system:",
"",
"sha1sum /etc/Pegasus/server.pem",
"",
"To calculate the checksum of the /etc/pki/ca-trust/source/anchors/pegasus-hostname.pem file on the client system, run the following command on this system:",
"",
"sha1sum /etc/pki/ca-trust/source/anchors/pegasus-hostname.pem",
"",
"Replace hostname with the host name of the managed system."
],
"runasroot": false
},
},
{
"outerText": [
"Update the trust store on the client system by running the following command as root:",
"",
"update-ca-trust extract"
],
"runasroot": false
},
{
"outerText": [
"Copy the Identity Management signing certificate to the trusted store by typing the following command as root:",
"",
"cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt"
],
"runasroot": false
},
{
"outerText": [
"Update the trust store by running the following command as root:",
"",
"update-ca-trust extract"
],
"runasroot": false
},
{
"outerText": [
"Register Pegasus as a service in the Identity Management domain by running the following command as a privileged domain user:",
"",
"ipa service-add CIMOM/hostname",
"",
"Replace hostname with the host name of the managed system.",
"",
"This command can be run from any system in the Identity Management domain that has the ipa-admintools package installed. It creates a service entry in Identity Management that can be used to generate signed SSL certificates."
],
"runasroot": false
},
{
"outerText": [
"Retrieve the signed certificate by running the following command as root:",
"",
"ipa-getcert request -f /etc/Pegasus/server.pem -k /etc/Pegasus/file.pem -N CN=hostname -K CIMOM/hostname",
"",
"Replace hostname with the host name of the managed system.",
"",
"The certificate and key files are now kept in proper locations. The certmonger daemon installed on the managed system by the ipa-client-install script ensures that the certificate is kept up-to-date and renewed as necessary.",
"",
"For more information, see the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide."
],
"runasroot": false
},
{
"outerText": [
"Copy the Identity Management signing certificate to the trusted store by typing the following command as root:",
"",
"cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt"
],
"runasroot": false
},
{
"outerText": [
"Update the trust store by running the following command as root:",
"",
"update-ca-trust extract"
],
"runasroot": false
},
{
"outerText": [
"Copy the certificate to the trusted store by typing the following command as root:",
"",
"cp /path/to/ca.crt /etc/pki/ca-trust/source/anchors/ca.crt"
],
"runasroot": false
},
{
"outerText": [
"Update the trust store by running the following command as root:",
"",
"update-ca-trust extract"
],
"runasroot": false
},
{
"outerText": [
"Create a new SSL configuration file /etc/Pegasus/ssl.cnf to store information about the certificate. The contents of this file must be similar to the following example:",
"",
"[ req ]",
"distinguished_name = req_distinguished_name",
"prompt = no",
"[ req_distinguished_name ]",
"C = US",
"ST = Massachusetts",
"L = Westford",
"O = Fedora",
"OU = Fedora OpenLMI",
"CN = hostname",
"",
"Replace hostname with the fully qualified domain name of the managed system."
],
"runasroot": false
},
{
"outerText": [
"Generate a private key on the managed system by using the following command as root:",
"",
"openssl genrsa -out /etc/Pegasus/file.pem 1024"
],
"runasroot": false
},
{
"outerText": [
"Generate a certificate signing request (CSR) by running this command as root:",
"",
"openssl req -config /etc/Pegasus/ssl.cnf -new -key /etc/Pegasus/file.pem -out /etc/Pegasus/server.csr"
],
"runasroot": false
},
{
"outerText": [
"Copy the certificate of the trusted authority to the Pegasus trust store to make sure that Pegasus is capable of trusting its own certificate by running as root:",
"",
"cp /path/to/ca.crt /etc/Pegasus/client.pem"
],
"runasroot": false
},
{
"outerText": [
"The following are a few examples of simple facility/priority-based filters that can be specified in /etc/rsyslog.conf. To select all kernel syslog messages with any priority, add the following text into the configuration file:",
"",
"kern.*",
"",
"To select all mail syslog messages with priority crit and higher, use this form:",
"",
"mail.crit",
"",
"To select all cron syslog messages except those with the info or debug priority, set the configuration in the following form:",
"",
"cron.!info,!debug"
],
"runasroot": false
},
{
"outerText": [
"The following are a few examples of property-based filters that can be specified in /etc/rsyslog.conf. To select syslog messages which contain the string error in their message text, use:",
"",
":msg, contains, \"error\"",
"",
"The following filter selects syslog messages received from the host name host1:",
"",
":hostname, isequal, \"host1\"",
"",
"To select syslog messages which do not contain any mention of the words fatal and error with any or no text between them (for example, fatal lib error), type:",
"",
":msg, !regex, \"fatal .* error\""
],
"runasroot": false
},
{
"outerText": [
"The following expression contains two nested conditions. The log files created by a program called prog1 are split into two files based on the presence of the \"test\" string in the message.",
"",
"if $programname == 'prog1' then {",
" action(type=\"omfile\" file=\"/var/log/prog1.log\")",
" if $msg contains 'test' then",
" action(type=\"omfile\" file=\"/var/log/prog1test.log\")",
" else",
" action(type=\"omfile\" file=\"/var/log/prog1notest.log\")",
"}"
],
"runasroot": false
},
{
"outerText": [
"The following are some examples of actions that forward syslog messages over the network (note that all actions are preceded with a selector that selects all messages with any priority). To forward messages to 192.168.0.1 via the UDP protocol, type:",
"",
"*.* @192.168.0.1",
"",
"To forward messages to \"example.com\" using port 6514 and the TCP protocol, use:",
"",
"*.* @@example.com:6514",
"",
"The following compresses messages with zlib (level 9 compression) and forwards them to 2001:db8::1 using the UDP protocol:",
"",
"*.* @(z9)[2001:db8::1]"
],
"runasroot": false
},
{
"outerText": [
"The ACTION attribute specifies the action that is taken when the maximum size, defined in MAX_SIZE, is hit.",
"",
"To use the defined output channel as an action inside a rule, type:",
"",
"FILTER :omfile:$NAME",
"",
"Example 23.5. Output channel log rotation",
"",
"The following output shows a simple log rotation through the use of an output channel. First, the output channel is defined via the $outchannel directive:",
"",
" $outchannel log_rotation, /var/log/test_log.log, 104857600, /home/joe/log_rotation_script",
"",
"and then it is used in a rule that selects every syslog message with any priority and executes the previously-defined output channel on the acquired syslog messages:",
"",
"*.* :omfile:$log_rotation",
"",
"Once the limit (in the example 100 MB) is hit, the /home/joe/log_rotation_script is executed. This script can contain anything from moving the file into a different folder, editing specific content out of it, or simply removing it."
],
"runasroot": false
},
{
"outerText": [
"The following output shows a simple log rotation through the use of an output channel. First, the output channel is defined via the $outchannel directive:",
"",
" $outchannel log_rotation, /var/log/test_log.log, 104857600, /home/joe/log_rotation_script",
"",
"and then it is used in a rule that selects every syslog message with any priority and executes the previously-defined output channel on the acquired syslog messages:",
"",
"*.* :omfile:$log_rotation",
"",
"Once the limit (in the example 100 MB) is hit, the /home/joe/log_rotation_script is executed. This script can contain anything from moving the file into a different folder, editing specific content out of it, or simply removing it."
],
"runasroot": false
},
{
"outerText": [
"Currently, rsyslog provides support for MySQL and PostgreSQL databases only. In order to use the MySQL and PostgreSQL database writer functionality, install the rsyslog-mysql and rsyslog-pgsql packages, respectively. Also, make sure you load the appropriate modules in your /etc/rsyslog.conf configuration file:",
"",
"module(load=\"ommysql\") # Output module for MySQL support",
"module(load=\"ompgsql\") # Output module for PostgreSQL support",
"",
"For more information on rsyslog modules, see Section 23.6, “Using Rsyslog Modules”.",
"",
"Alternatively, you may use a generic database interface provided by the omlibdb module (supports: Firebird/Interbase, MS SQL, Sybase, SQLLite, Ingres, Oracle, mSQL)."
],
"runasroot": false
},
{
"outerText": [
"The following property obtains the whole message text of a syslog message:",
"",
"%msg%"
],
"runasroot": false
},
{
"outerText": [
"The following property obtains the first two characters of the message text of a syslog message:",
"",
"%msg:1:2%"
],
"runasroot": false
},
{
"outerText": [
"The following property obtains the whole message text of a syslog message and drops its last line feed character:",
"",
"%msg:::drop-last-lf%"
],
"runasroot": false
},
{
"outerText": [
"The following property obtains the first 10 characters of the time stamp that is generated when the syslog message is received and formats it according to the RFC 3339 date standard.",
"",
"%timegenerated:1:10:date-rfc3339%"
],
"runasroot": false
},
{
"outerText": [
"Use the following configuration in /etc/rsyslog.conf or create a file with the following content in the /etc/rsyslog.d/ directory:",
"",
"*.* action(type=\"omfwd\"",
"queue.type=\"LinkedList\"",
"queue.filename=\"example_fwd\"",
"action.resumeRetryCount=\"-1\"",
"queue.saveonshutdown=\"on\"",
"Target=\"example.com\" Port=\"6514\" Protocol=\"tcp\")",
"",
"Where:",
"",
"queue.type enables a LinkedList in-memory queue,",
"queue.filename defines a disk storage, in this case the backup files are created in the /var/lib/rsyslog/ directory with the example_fwd prefix,",
"the action.resumeRetryCount=\"-1\" setting prevents rsyslog from dropping messages when retrying to connect if the server is not responding,",
"enabled queue.saveonshutdown saves in-memory data if rsyslog shuts down,",
"",
"the last line forwards all received messages to the logging server using reliable TCP delivery; the port specification is optional.",
"",
"With the above configuration, rsyslog keeps messages in memory if the remote server is not reachable. A file on disk is created only if rsyslog runs out of the configured memory queue space or needs to shut down, which benefits the system performance."
],
"runasroot": false
},
{
"outerText": [
"Each destination server requires a separate forwarding rule, action queue specification, and backup file on disk. For example, use the following configuration in /etc/rsyslog.conf or create a file with the following content in the /etc/rsyslog.d/ directory:",
"",
"*.* action(type=\"omfwd\"",
" queue.type=\"LinkedList\"",
" queue.filename=\"example_fwd1\"",
" action.resumeRetryCount=\"-1\"",
" queue.saveonshutdown=\"on\"",
" Target=\"example1.com\" Protocol=\"tcp\")",
"*.* action(type=\"omfwd\"",
" queue.type=\"LinkedList\"",
" queue.filename=\"example_fwd2\"",
" action.resumeRetryCount=\"-1\"",
" queue.saveonshutdown=\"on\"",
" Target=\"example2.com\" Protocol=\"tcp\")"
],
"runasroot": false
},
{
"outerText": [
"If required to use a different directory to store working files, create a directory as follows:",
"",
"$ mkdir /rsyslog"
],
"runasroot": true
},
{
"outerText": [
"Install utilities to manage SELinux policy:",
"",
"$ yum install policycoreutils-python"
],
"runasroot": true
},
{
"outerText": [
"Set the SELinux directory context type to be the same as the /var/lib/rsyslog/ directory:",
"",
"$ semanage fcontext -a -t syslogd_var_lib_t /rsyslog"
],
"runasroot": true
},
{
"outerText": [
"Apply the SELinux context:",
"",
"$ restorecon -R -v /rsyslog",
"restorecon reset /rsyslog context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:syslogd_var_lib_t:s0"
],
"runasroot": true
},
{
"outerText": [
"If required, check the SELinux context as follows:",
"",
"$ ls -Zd /rsyslog",
"drwxr-xr-x. root root system_u:object_r:syslogd_var_lib_t:s0 /rsyslog"
],
"runasroot": true
},
{
"outerText": [
"Create subdirectories as required. For example:",
"",
"$ mkdir /rsyslog/work/",
"",
"The subdirectories will be created with the same SELinux context as the parent directory."
],
"runasroot": true
},
{
"outerText": [
"Add the following line in /etc/rsyslog.conf immediately before it is required to take effect:",
"",
"global(workDirectory=\"/rsyslog/work\")",
"",
"This setting will remain in effect until the next WorkDirectory directive is encountered while parsing the configuration files."
],
"runasroot": false
},
{
"outerText": [
"Run the semanage port command with the following parameters:",
"",
"$ semanage port -a -t syslogd_port_t -p tcp 10514"
],
"runasroot": true
},
{
"outerText": [
"Review the SELinux ports by entering the following command:",
"",
"$ semanage port -l | grep syslog"
],
"runasroot": true
},
{
"outerText": [
"If the new port was already configured in /etc/rsyslog.conf, restart rsyslog now for the change to take effect:",
"",
"$ service rsyslog restart"
],
"runasroot": true
},
{
"outerText": [
"Verify which ports rsyslog is now listening to:",
"",
"$ netstat -tnlp | grep rsyslog",
"tcp 0 0 0.0.0.0:10514 0.0.0.0:* LISTEN 2528/rsyslogd",
"tcp 0 0 :::10514 :::* LISTEN 2528/rsyslogd"
],
"runasroot": true
},
{
"outerText": [
"To verify the above settings, use a command as follows:",
"",
"$ firewall-cmd --list-all",
"public (default, active)",
" interfaces: eth0",
" sources:",
" services: dhcpv6-client ssh",
" ports: 10514/tcp",
" masquerade: no",
" forward-ports:",
" icmp-blocks:",
" rich rules:"
],
"runasroot": true
},
{
"outerText": [
"Add these lines below the modules section but above the Provides UDP syslog reception section:",
"",
"# Define templates before the rules that use them",
"",
"# Per-Host Templates for Remote Systems #",
"$template TmplAuthpriv, \"/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log\"",
"$template TmplMsg, \"/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log\""
],
"runasroot": false
},
{
"outerText": [
"Replace the default Provides TCP syslog reception section with the following:",
"",
"# Provides TCP syslog reception",
"$ModLoad imtcp",
"# Adding this ruleset to process remote messages",
"$RuleSet remote1",
"authpriv.* ?TmplAuthpriv",
"*.info;mail.none;authpriv.none;cron.none ?TmplMsg",
"$RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back to the default rule set",
"$InputTCPServerBindRuleset remote1 #Define a new input and bind it to the \"remote1\" rule set",
"$InputTCPServerRun 10514",
"",
"Save the changes to the /etc/rsyslog.conf file."
],
"runasroot": false
},
{
"outerText": [
"Use the systemctl command to start the rsyslog service.",
"",
"$ systemctl start rsyslog"
],
"runasroot": true
},
{
"outerText": [
"To ensure the rsyslog service starts automatically in future, enter the following command as root:",
"",
"$ systemctl enable rsyslog"
],
"runasroot": true
},
{
"outerText": [
"Set the gtls netstream driver as the default driver:",
"",
"global(defaultnetstreamdriver=\"gtls\")"
],
"runasroot": false
},
{
"outerText": [
"Provide paths to certificate files:",
"",
"global(defaultnetstreamdrivercafile=\"path_ca.pem\"",
"defaultnetstreamdrivercertfile=\"path_cert.pem\"",
"defaultnetstreamdriverkeyfile=\"path_key.pem\")",
"",
"You can merge all global directives into single block if you prefer a less cluttered configuration file.",
"",
"Replace:",
"",
"path_ca.pem with a path to your public key",
"path_cert.pem with a path to the certificate file",
"path_key.pem with a path to the private key"
],
"runasroot": false
},
{
"outerText": [
"Load the imtcp module and set driver options:",
"",
"module(load=\"imtcp\"",
"StreamDriver.Mode=\"number\"",
"StreamDriver.AuthMode=\"anon\")"
],
"runasroot": false
},
{
"outerText": [
"Start a server:",
"",
"input(type=\"imtcp\" port=\"port\")",
"",
"Replace:",
"",
"number to specify the driver mode. To enable TCP-only mode, use 1",
"",
"port with the port number at which to start a listener, for example 10514",
"",
"The anon setting means that the client is not authenticated."
],
"runasroot": false
},
{
"outerText": [
"Load the public key:",
"",
"global(defaultnetstreamdrivercafile=\"path_ca.pem\")",
"",
"Replace path_ca.pem with a path to the public key."
],
"runasroot": false
},
{
"outerText": [
"Set the gtls netstream driver as the default driver:",
"",
" global(defaultnetstreamdriver=\"gtls\")"
],
"runasroot": false
},
{
"outerText": [
"Configure the driver and specify what action will be performed:",
"",
"module(load=\"imtcp\"",
" streamdrivermode=\"number\"",
" streamdriverauthmode=\"anon\")",
"input(type=\"imtcp\"",
" address=\"server.net\"",
" port=\"port\")",
"",
"Replace number, anon, and port with the same values as on the server.",
"",
"On the last line in the above listing, an example action forwards messages from the server to the specified TCP port."
],
"runasroot": false
},
{
"outerText": [
"Put the following configuration in /etc/rsyslog.conf:",
"",
"$ModLoad imgssapi",
"",
"This directive loads the imgssapi module."
],
"runasroot": false
},
{
"outerText": [
"Specify the input as follows:",
"",
"$InputGSSServerServiceName name",
"$InputGSSServerPermitPlainTCP on",
"$InputGSSServerMaxSessions number",
"$InputGSSServerRun port",
"Replace name with the name of the GSS server.",
"Replace number to set the maximum number of sessions supported. This number is not limited by default.",
"",
"Replace port with a selected port on which you want to start a GSS server.",
"",
"The $InputGSSServerPermitPlainTCP on setting also permits the server to receive plain TCP messages on the same port. This is off by default."
],
"runasroot": false
},
{
"outerText": [
"Load the required modules:",
"",
"module(load=\"imuxsock\")",
"module(load=\"omrelp\")",
"module(load=\"imtcp\")"
],
"runasroot": false
},
{
"outerText": [
"Configure the TCP input as follows:",
"",
"input(type=\"imtcp\" port=\"port\")",
"",
"Replace port to start a listener at the required port."
],
"runasroot": false
},
{
"outerText": [
"Configure the transport settings:",
"",
"action(type=\"omrelp\" target=\"target_IP\" port=\"target_port\")",
"",
"Replace target_IP and target_port with the IP address and port that identify the target server."
],
"runasroot": false
},
{
"outerText": [
"Configure loading the module:",
"",
"module(load=\"imuxsock\")",
"module(load=\"imrelp\" ruleset=\"relp\")"
],
"runasroot": false
},
{
"outerText": [
"Configure the TCP input similarly to the client configuration:",
"",
"input(type=\"imrelp\" port=\"target_port\")",
"",
"Replace target_port with the same value as on the clients."
],
"runasroot": false
},
{
"outerText": [
"Configure the rules and choose an action to be performed. In the following example, log_path specifies the path for storing messages:",
"",
"ruleset (name=\"relp\") {",
"action(type=\"omfile\" file=\"log_path\")",
"}"
],
"runasroot": false
},
{
"outerText": [
"Load the required modules:",
"",
"module(load=\"imuxsock\")",
"module(load=\"omrelp\")",
"module(load=\"imtcp\")"
],
"runasroot": false
},
{
"outerText": [
"Configure the TCP input as follows:",
"",
"input(type=\"imtcp\" port=\"port\")",
"",
"Replace port to start a listener at the required port."
],
"runasroot": false
},
{
"outerText": [
"Configure the transport settings:",
"",
"action(type=\"omrelp\" target=\"target_IP\" port=\"target_port\" tls=\"on\"",
"tls.caCert=\"path_ca.pem\"",
"tls.myCert=\"path_cert.pem\"",
"tls.myPrivKey=\"path_key.pem\"",
"tls.authmode=\"mode\"",
"tls.permittedpeer=[\"peer_name\"]",
")",
"",
"Replace:",
"",
"target_IP and target_port with the IP address and port that identify the target server.",
"path_ca.pem, path_cert.pem, and path_key.pem with paths to the certification files",
"mode with the authentication mode for the transaction. Use either \"name\" or \"fingerprint\"",
"",
"peer_name with a certificate fingerprint of the permitted peer. If you specify this, tls.permittedpeer restricts connection to the selected group of peers.",
"",
"The tls=\"on\" setting enables the TLS protocol."
],
"runasroot": false
},
{
"outerText": [
"Configure loading the module:",
"",
"module(load=\"imuxsock\")",
"module(load=\"imrelp\" ruleset=\"relp\")"
],
"runasroot": false
},
{
"outerText": [
"Configure the TCP input similarly to the client configuration:",
"",
"input(type=\"imrelp\" port=\"target_port\" tls=\"on\"",
"tls.caCert=\"path_ca.pem\"",
"tls.myCert=\"path_cert.pem\"",
"tls.myPrivKey=\"path_key.pem\"",
"tls.authmode=\"name\"",
"tls.permittedpeer=[\"peer_name\",\"peer_name1\",\"peer_name2\"]",
")",
"",
"Replace the placeholder values with the same values as on the client."
],
"runasroot": false
},
{
"outerText": [
"Configure the rules and choose an action to be performed. In the following example, log_path specifies the path for storing messages:",
"",
"ruleset (name=\"relp\") {",
"action(type=\"omfile\" file=\"log_path\")",
"}"
],
"runasroot": false
},
{
"outerText": ["Install the cronie package:", "", "$ yum install cronie"],
"runasroot": true
},
{
"outerText": [
"The crond service is enabled - made to start automatically at boot time - upon installation. If you disabled the service, enable it:",
"",
"$ systemctl enable crond.service"
],
"runasroot": true
},
{
"outerText": [
"Start the crond service for the current session:",
"",
"$ systemctl start crond.service"
],
"runasroot": true
},
{
"outerText": [
"Put the above specifications into a single line:",
"",
"0,10,20,30,40,50 17-20 15 Jun,Jul,Aug * root /usr/local/bin/my-script.sh"
],
"runasroot": false
},
{
"outerText": [
"From the user’s shell, run:",
"",
"[bob@localhost ~]$ crontab -e",
"",
"This will start editing of the user’s own crontab file using the editor specified by the VISUAL or EDITOR environment variable."
],
"runasroot": false
},
{
"outerText": [
"Specify the job in the same way as in ???TITLE???, but leave out the field with user name. For example, instead of adding",
"",
"0,10,20,30,40,50 17-20 15 Jun,Jul,Aug * bob /home/bob/bin/script.sh",
"",
"add:",
"",
"0,10,20,30,40,50 17-20 15 Jun,Jul,Aug * /home/bob/bin/script.sh"
],
"runasroot": false
},
{
"outerText": [
"(optional) To verify the new job, list the contents of the current user’s crontab file by running:",
"",
"[bob@localhost ~]$ crontab -l",
"@daily /home/bob/bin/script.sh"
],
"runasroot": false
},
{
"outerText": [
"Verify that you have the cronie-anacron package installed:",
"",
"$ rpm -q cronie-anacron",
"",
"The cronie-anacron is likely to be installed already, because it is a sub-package of the cronie package. If it is not installed, use this command:",
"",
"$ yum install cronie-anacron"
],
"runasroot": true
},
{
"outerText": [
"The crond service is enabled - made to start automatically at boot time - upon installation. If you disabled the service, enable it:",
"",
"$ systemctl enable crond.service"
],
"runasroot": true
},
{
"outerText": [
"Start the crond service for the current session:",
"",
"$ systemctl start crond.service"
],
"runasroot": true
},
{
"outerText": [
"The command to execute. For example, use /usr/local/bin/my-script.sh",
"",
"Combine the chosen values into the job specification. Here is an example specification:",
"",
"3 60 cron.daily /usr/local/bin/my-script.sh"
],
"runasroot": false
},
{
"outerText": ["Install the at package:", "", "$ yum install at"],
"runasroot": true
},
{
"outerText": [
"The atd service is enabled - made to start automatically at boot time - upon installation. If you disabled the service, enable it:",
"",
"$ systemctl enable atd.service"
],
"runasroot": true
},
{
"outerText": [
"Start the atd service for the current session:",
"",
"$ systemctl start atd.service"
],
"runasroot": true
},
{
"outerText": [
"A job is always run by some user. Log in as the desired user and run:",
"",
"$ at time",
"",
"Replace time with the time specification.",
"",
"For details on specifying time, see the at(1) manual page and the /usr/share/doc/at/timespec file.",
"",
"Example 24.1. Specifying Time for At",
"",
"To execute the job at 15:00, run:",
"",
"$ at 15:00",
"",
"If the specified time has passed, the job is executed at the same time the next day.",
"",
"To execute the job on August 20 2017, run:",
"",
"$ at August 20 2017",
"",
"or",
"",
"$ at 082017",
"",
"To execute the job 5 days from now, run:",
"",
"$ at now + 5 days"
],
"runasroot": true
},
{
"outerText": [
"To execute the job at 15:00, run:",
"",
"$ at 15:00",
"",
"If the specified time has passed, the job is executed at the same time the next day.",
"",
"To execute the job on August 20 2017, run:",
"",
"$ at August 20 2017",
"",
"or",
"",
"$ at 082017",
"",
"To execute the job 5 days from now, run:",
"",
"$ at now + 5 days"
],
"runasroot": true
},
{
"outerText": [
"At the displayed at> prompt, enter the command to execute and press Enter:",
"",
"$ at 15:00",
"at> sh /usr/local/bin/my-script.sh",
"at>",
"",
"Repeat this step for every command you want to execute.",
"",
"NOTE",
"",
"The at> prompt shows which shell it will use:",
"",
"warning: commands will be executed using /bin/sh",
"",
"The at utility uses the shell set in user’s SHELL environment variable, or the user’s login shell, or /bin/sh, whichever is found first."
],
"runasroot": true
},
{
"outerText": [
"The at> prompt shows which shell it will use:",
"",
"warning: commands will be executed using /bin/sh",
"",
"The at utility uses the shell set in user’s SHELL environment variable, or the user’s login shell, or /bin/sh, whichever is found first."
],
"runasroot": false
},
{
"outerText": [
"List pending jobs with the atq command:",
"",
"$ atq",
"26 Thu Feb 23 15:00:00 2017 a root",
"28 Thu Feb 24 17:30:00 2017 a root"
],
"runasroot": true
},
{
"outerText": [
"Run the atrm command, specifying the job by its number:",
"",
"$ atrm 26"
],
"runasroot": true
},
{
"outerText": [
"A job is always run by some user. Log in as the desired user and run:",
"",
"$ batch"
],
"runasroot": true
},
{
"outerText": [
"At the displayed at> prompt, enter the command to execute and press Enter:",
"",
"$ batch",
"at> sh /usr/local/bin/my-script.sh",
"",
"Repeat this step for every command you want to execute.",
"",
"NOTE",
"",
"The at> prompt shows which shell it will use:",
"",
"warning: commands will be executed using /bin/sh",
"",
"The batch utility uses the shell set in user’s SHELL environment variable, or the user’s login shell, or /bin/sh, whichever is found first."
],
"runasroot": true
},
{
"outerText": [
"The at> prompt shows which shell it will use:",
"",
"warning: commands will be executed using /bin/sh",
"",
"The batch utility uses the shell set in user’s SHELL environment variable, or the user’s login shell, or /bin/sh, whichever is found first."
],
"runasroot": false
},
{
"outerText": [
"To the /etc/sysconfig/atd file, add this line:",
"",
"OPTS='-l x'",
"",
"Substitute x with the new load average. For example:",
"",
"OPTS='-l 0.5'"
],
"runasroot": false
},
{
"outerText": ["Restart the atq service:", "", "# systemctl restart atq"],
"runasroot": false
},
{
"outerText": [
"Create the systemd unit file that specifies at which stage of the boot process to run the script. This example shows a unit file with a reasonable set of Wants= and After= dependencies:",
"",
"$ cat /etc/systemd/system/one-time.service",
"[Unit]",
"# The script needs to execute after:",
"# network interfaces are configured",
"Wants=network-online.target",
"After=network-online.target",
"# all remote filesystems (NFS/_netdev) are mounted",
"After=remote-fs.target",
"# name (DNS) and user resolution from remote databases (AD/LDAP) are available",
"After=nss-user-lookup.target nss-lookup.target",
"# the system clock has synchronized",
"After=time-sync.target",
"",
"[Service]",
"Type=oneshot",
"ExecStart=/usr/local/bin/foobar.sh",
"",
"[Install]",
"WantedBy=multi-user.target",
"",
"If you use this example:",
"",
"substitute /usr/local/bin/foobar.sh with the name of your script",
"",
"modify the set of After= entries if necessary",
"",
"For information on specifying the stage of boot, see Section 10.6, “Creating and Modifying systemd Unit Files”."
],
"runasroot": true
},
{
"outerText": [
"If you want the systemd service to stay active after executing the script, add the RemainAfterExit=yes line to the [Service] section:",
"",
"[Service]",
"Type=oneshot",
"RemainAfterExit=yes",
"ExecStart=/usr/local/bin/foobar.sh"
],
"runasroot": false
},
{
"outerText": ["Reload the systemd daemon:", "", "$ systemctl daemon-reload"],
"runasroot": true
},
{
"outerText": [
"Enable the systemd service:",
"",
"$ systemctl enable one-time.service"
],
"runasroot": true
},
{
"outerText": [
"Create the script to execute:",
"",
"$ cat /usr/local/bin/foobar.sh",
"#!/bin/bash",
"",
"touch /root/test_file"
],
"runasroot": true
},
{
"outerText": [
"If you want the script to run during the next boot only, and not on every boot, add a line that disables the systemd unit:",
"",
"#!/bin/bash",
"",
"touch /root/test_file",
"systemctl disable one-time.service"
],
"runasroot": false
},
{
"outerText": [
"Make the script executable:",
"",
"$ chmod +x /usr/local/bin/foobar.sh"
],
"runasroot": true
},
{
"outerText": [
"Edit the kernel parameters as required. For example, to run the system in emergency mode, add the emergency parameter at the end of the linux16 line:",
"",
"linux16 /vmlinuz-3.10.0-0.rc4.59.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb quiet emergency",
"",
"The rhgb and quiet parameters can be removed in order to enable system messages.",
"",
"These settings are not persistent and apply only for a single boot. To make persistent changes to a menu entry on a system, use the grubby tool. See the section called “Adding and Removing Arguments from a GRUB 2 Menu Entry” for more information on using grubby."
],
"runasroot": false
},
{
"outerText": [
"On BIOS-based machines, issue the following command as root:",
"",
"$ grub2-mkconfig -o /boot/grub2/grub.cfg"
],
"runasroot": true
},
{
"outerText": [
"On UEFI-based machines, issue the following command as root:",
"",
"$ grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg"
],
"runasroot": true
},
{
"outerText": [
"From the content put into the /etc/grub.d/40_custom file, only the menuentry blocks are needed to create the custom menu. The /boot/grub2/grub.cfg and /boot/efi/EFI/redhat/grub.cfg files might contain function specifications and other content above and below the menuentry blocks. If you put these unnecessary lines into the 40_custom file in the previous step, erase them.",
"",
"This is an example of a custom 40_custom script:",
"",
"#!/bin/sh",
"exec tail -n +3 $0",
"# This file provides an easy way to add custom menu entries. Simply type the",
"# menu entries you want to add after this comment. Be careful not to change",
"# the 'exec tail' line above.",
"",
"menuentry 'First custom entry' --class red --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.10.0-67.el7.x86_64-advanced-32782dd0-4b47-4d56-a740-2076ab5e5976' {",
" load_video",
" set gfxpayload=keep",
" insmod gzio",
" insmod part_msdos",
" insmod xfs",
" set root='hd0,msdos1'",
" if [ x$feature_platform_search_hint = xy ]; then",
" search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1' 7885bba1-8aa7-4e5d-a7ad-821f4f52170a",
" else",
" search --no-floppy --fs-uuid --set=root 7885bba1-8aa7-4e5d-a7ad-821f4f52170a",
" fi",
" linux16 /vmlinuz-3.10.0-67.el7.x86_64 root=/dev/mapper/rhel-root ro rd.lvm.lv=rhel/root vconsole.font=latarcyrheb-sun16 rd.lvm.lv=rhel/swap vconsole.keymap=us crashkernel=auto rhgb quiet LANG=en_US.UTF-8",
" initrd16 /initramfs-3.10.0-67.el7.x86_64.img",
"}",
"menuentry 'Second custom entry' --class red --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-0-rescue-07f43f20a54c4ce8ada8b70d33fd001c-advanced-32782dd0-4b47-4d56-a740-2076ab5e5976' {",
" load_video",
" insmod gzio",
" insmod part_msdos",
" insmod xfs",
" set root='hd0,msdos1'",
" if [ x$feature_platform_search_hint = xy ]; then",
" search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1' 7885bba1-8aa7-4e5d-a7ad-821f4f52170a",
" else",
" search --no-floppy --fs-uuid --set=root 7885bba1-8aa7-4e5d-a7ad-821f4f52170a",
" fi",
" linux16 /vmlinuz-0-rescue-07f43f20a54c4ce8ada8b70d33fd001c root=/dev/mapper/rhel-root ro rd.lvm.lv=rhel/root vconsole.font=latarcyrheb-sun16 rd.lvm.lv=rhel/swap vconsole.keymap=us crashkernel=auto rhgb quiet",
" initrd16 /initramfs-0-rescue-07f43f20a54c4ce8ada8b70d33fd001c.img",
"}"
],
"runasroot": false
},
{
"outerText": [
"On BIOS-based machines, issue the following command as root:",
"",
"$ grub2-mkconfig -o /boot/grub2/grub.cfg"
],
"runasroot": true
},
{
"outerText": [
"On UEFI-based machines, issue the following command as root:",
"",
"$ grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg"
],
"runasroot": true
},
{
"outerText": [
"Run the grub2-setpassword command as root:",
"",
"$ grub2-setpassword"
],
"runasroot": true
},
{
"outerText": [
"Enter and confirm the password:",
"",
"Enter password:",
"Confirm password:"
],
"runasroot": false
},
{
"outerText": [
"Delete the --unrestricted parameter from the menu entry block, for example:",
"",
"[file contents truncated]",
"menuentry 'Red Hat Enterprise Linux Server (3.10.0-327.18.2.rt56.223.el7_2.x86_64) 7.2 (Maipo)' --class red --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-327.el7.x86_64-advanced-c109825c-de2f-4340-a0ef-4f47d19fe4bf' {",
" load_video",
" set gfxpayload=keep",
"[file contents truncated]"
],
"runasroot": false
},
{
"outerText": [
"For EFI systems only, run the following command:",
"",
"$ yum reinstall grub2-efi shim grub2-tools"
],
"runasroot": true
},
{
"outerText": [
"For BIOS and EFI systems, run this command:",
"",
"$ yum reinstall grub2-tools"
],
"runasroot": true
},
{
"outerText": [
"On BIOS-based machines, issue the following command as root:",
"",
"$ grub2-mkconfig -o /boot/grub2/grub.cfg"
],
"runasroot": true
},
{
"outerText": [
"On UEFI-based machines, issue the following command as root:",
"",
"$ grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg"
],
"runasroot": true
},
{
"outerText": [
"Ensure that the GRUB Legacy package has been uninstalled by the Red Hat Upgrade Tool:",
"",
"$ yum remove grub",
"NOTE",
"",
"Uninstalling the grub2 package does not affect the installed GRUB Legacy bootloader."
],
"runasroot": true
},
{
"outerText": [
"Make sure that the grub2 package has been installed. If grub2 is not on the system after the upgrade to RHEL 7, you can install it manually by running:",
"",
"$ yum install grub2"
],
"runasroot": true
},
{
"outerText": [
"If the system boots using EFI, install the following packages if they are missing:",
"",
"$ yum install grub2-efi-x64 shim-x64"
],
"runasroot": true
},
{
"outerText": [
"If the system boots using the legacy BIOS, install GRUB 2 specifying the install device:",
"",
"$ grub2-install /dev/<DEVICE_NAME> --grub-setup=/bin/true",
"",
"The grub2-install command installs GRUB images into the /boot/grub target directory.",
"",
"The --grub-setup=/bin/true option ensures that the old GRUB Legacy configuration is not deleted."
],
"runasroot": true
},
{
"outerText": [
"If the system boots using EFI, create a boot entry for the shim bootloader and change the BootOrder variable to make the firmware boot GRUB 2 through shim:",
"",
"$ efibootmgr -c -L 'Red Hat Enterprise Linux 7' -d /dev/device_name -p 1 -l '\\EFI\\redhat\\shimx64.efi'",
"",
"Substitute /dev/device_name with the bootable device file."
],
"runasroot": true
},
{
"outerText": [
"If the system uses the legacy BIOS:",
"",
"$ grub2-mkconfig -o /boot/grub2/grub.cfg"
],
"runasroot": true
},
{
"outerText": [
"If the system uses EFI:",
"",
"$ grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg"
],
"runasroot": true
},
{
"outerText": [
"Add a new section into /boot/grub/grub.conf.",
"",
"For systems with a separate /boot partition, use:",
"",
"title GRUB 2 Test",
"\troot (hd0,0)",
"\tkernel /grub2/i386-pc/core.img",
"\tboot",
"",
"Substitute (hd0,0) with the GRUB Legacy bootable device designation.",
"",
"For systems without a separate /boot partition, use:",
"",
"title GRUB 2 Test",
"\troot (hd0,0)",
"\tkernel /boot/grub2/i386-pc/core.img",
"\tboot",
"",
"Substitute (hd0,0) with the GRUB Legacy bootable device designation."
],
"runasroot": false
},
{
"outerText": [
"Replace the GRUB Legacy bootloader with the GRUB 2 bootloader:",
"",
"$ grub2-install /dev/sdX"
],
"runasroot": true
},
{
"outerText": [
"Remove the old GRUB Legacy configuration file:",
"",
"$ rm /boot/grub/grub.conf"
],
"runasroot": true
},
{
"outerText": ["Reboot the system:", "", "$ reboot"],
"runasroot": true
},
{
"outerText": [
"Check the content of the /boot/efi/EFI/redhat/ directory and remove obsoleted files related only to the Legacy GRUB:",
"",
"$ rm /boot/efi/EFI/redhat/grub.efi",
"$ rm /boot/efi/EFI/redhat/grub.conf"
],
"runasroot": true
},
{
"outerText": [
"If you performed an in-place upgrade from RHEL 6 to RHEL 7 using the Preupgrade Assistant and Red Hat Upgrade Tool utilities, remove also backup copies of the files mentioned above that end with the .preupg suffix:",
"",
"$ rm /boot/efi/EFI/redhat/*.preupg"
],
"runasroot": true
},
{
"outerText": [
"Find the old boot entry that refers to the \\EFI\\redhat\\grub.efi file using the efibootmgr command:",
"",
"$ efibootmgr -v | grep '\\\\EFI\\\\redhat\\\\grub.efi'",
"",
"Example output:",
"",
"Boot0001* Linux HD(1,GPT,542e410f-cbf2-4cce-9f5d-61c4764a5d54,0x800,0x64000)/File(\\EFI\\redhat\\grub.efi)",
"",
"The entry number in this case is 0001."
],
"runasroot": true
},
{
"outerText": [
"Remove the identified boot entry. The following command removes the boot entry from the example above:",
"",
"$ efibootmgr -Bb 0001",
"",
"If you have more than one such boot entry, remove all identified old boot entries."
],
"runasroot": true
},
{
"outerText": [
"On BIOS-based machines, issue the following command as root:",
"",
"$ grub2-mkconfig -o /boot/grub2/grub.cfg"
],
"runasroot": true
},
{
"outerText": [
"On UEFI-based machines, issue the following command as root:",
"",
"$ grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg"
],
"runasroot": true
},
{
"outerText": [
"Add the following parameter at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:",
"",
"systemd.unit=rescue.target",
"",
"Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.",
"",
"Note that equivalent parameters, 1, s, and single, can be passed to the kernel as well."
],
"runasroot": false
},
{
"outerText": [
"Add the following parameter at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:",
"",
"systemd.unit=emergency.target",
"",
"Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.",
"",
"Note that equivalent parameters, emergency and -b, can be passed to the kernel as well."
],
"runasroot": false
},
{
"outerText": [
"Add the following parameter at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:",
"",
"systemd.debug-shell",
"",
"Optionally add the debug option.",
"",
"Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work."
],
"runasroot": false
},
{
"outerText": [
"If required, to verify you are in the debug shell, enter a command as follows:",
"",
"/]# systemctl status $$",
"● debug-shell.service - Early root shell on /dev/tty9 FOR DEBUGGING ONLY",
" Loaded: loaded (/usr/lib/systemd/system/debug-shell.service; disabled; vendor preset: disabled)",
" Active: active (running) since Wed 2015-08-05 11:01:48 EDT; 2min ago",
" Docs: man:sushell(8)",
" Main PID: 450 (bash)",
" CGroup: /system.slice/debug-shell.service",
" ├─ 450 /bin/bash",
" └─1791 systemctl status 450"
],
"runasroot": false
},
{
"outerText": [
"Change the file system root as follows:",
"",
"sh-4.2# chroot /mnt/sysimage"
],
"runasroot": false
},
{
"outerText": [
"Remove the autorelabel file to prevent a time-consuming SELinux relabel of the disk:",
"",
"sh-4.2# rm -f /.autorelabel"
],
"runasroot": false
},
{
"outerText": [
"Add the following parameters at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:",
"",
"rd.break enforcing=0",
"",
"Adding the enforcing=0 option lets you skip the time-consuming SELinux relabeling process.",
"",
"The initramfs will stop before passing control to the Linux kernel, enabling you to work with the root file system.",
"",
"Note that the initramfs prompt will appear on the last console specified on the Linux line."
],
"runasroot": false
},
{
"outerText": [
"The file system is mounted read-only on /sysroot/. You will not be allowed to change the password if the file system is not writable.",
"",
"Remount the file system as writable:",
"",
"switch_root:/# mount -o remount,rw /sysroot"
],
"runasroot": false
},
{
"outerText": [
"The file system is remounted with write enabled.",
"",
"Change the file system’s root as follows:",
"",
"switch_root:/# chroot /sysroot",
"",
"The prompt changes to sh-4.2#."
],
"runasroot": false
},
{
"outerText": [
"Enter the passwd command and follow the instructions displayed on the command line to change the root password.",
"",
"Note that if the system is not writable, the passwd tool fails with the following error:",
"",
"Authentication token manipulation error"
],
"runasroot": false
},
{
"outerText": [
"Updating the password file results in a file with the incorrect SELinux security context. To relabel all files on next system boot, enter the following command:",
"",
"sh-4.2# touch /.autorelabel",
"",
"Alternatively, to save the time it takes to relabel a large disk, you can omit this step provided you included the enforcing=0 option in step 3."
],
"runasroot": false
},
{
"outerText": [
"Remount the file system as read only:",
"",
"sh-4.2# mount -o remount,ro /"
],
"runasroot": false
},
{
"outerText": [
"If you added the enforcing=0 option in step 3 and omitted the touch /.autorelabel command in step 8, enter the following command to restore the /etc/shadow file’s SELinux security context:",
"",
"$ restorecon /etc/shadow",
"",
"Enter the following commands to turn SELinux policy enforcement back on and verify that it is on:",
"",
"$ setenforce 1",
"$ getenforce",
"Enforcing"
],
"runasroot": true
},
{
"outerText": [
"/usr/share/doc/kernel-doc-kernel_version/Documentation/serial-console.txt — This file, which is provided by the kernel-doc package, contains information on the serial console. Before accessing the kernel documentation, you must run the following command as root:",
"",
"$ yum install kernel-doc"
],
"runasroot": true
},
{
"outerText": [
"In this example, the backup file is a tar archive created per instructions in Section 27.2.1.1, “Configuring the Internal Backup Method”. First, copy the archive from its storage, then unpack the files into /mnt/local/, then delete the archive:",
"",
"$ scp root@192.168.122.7:/srv/backup/rhel7/backup.tar.gz /mnt/local/",
"$ tar xf /mnt/local/backup.tar.gz -C /mnt/local/",
"$ rm -f /mnt/local/backup.tar.gz",
"",
"The new storage has to have enough space both for the archive and the extracted files."
],
"runasroot": true
},
{
"outerText": [
"Verify that the files have been restored:",
"",
"$ ls /mnt/local/",
"",
"Figure 27.4. Rescue system: restoring user and system files from the backup"
],
"runasroot": true
},
{
"outerText": [
"Ensure that SELinux relabels the files on the next boot:",
"",
"$ touch /mnt/local/.autorelabel",
"",
"Otherwise you may be unable to log in to the system, because the /etc/passwd file may have the incorrect SELinux context."
],
"runasroot": true
},
{
"outerText": [
"To keep old backup archives when new ones are created, add this line:",
"",
"NETFS_KEEP_OLD_BACKUP_COPY=y"
],
"runasroot": false
},
{
"outerText": [
"By default, ReaR creates a full backup on each run. To make the backups incremental, meaning that only the changed files are backed up on each run, add this line:",
"",
"BACKUP_TYPE=incremental",
"",
"This automatically sets NETFS_KEEP_OLD_BACKUP_COPY to y."
],
"runasroot": false
},
{
"outerText": [
"To ensure that a full backup is done regularly in addition to incremental backups, add this line:",
"",
"FULLBACKUPDAY=\"Day\"",
"",
"Substitute \"Day\" with one of \"Mon\", \"Tue\", \"Wed\", \"Thu\", \"Fri\", \"Sat\", \"Sun\"."
],
"runasroot": false
},
{
"outerText": [
"ReaR can also include both the rescue system and the backup in the ISO image. To achieve this, set the BACKUP_URL directive to iso:///backup/:",
"",
"BACKUP_URL=iso:///backup/",
"",
"This is the simplest method of full-system backup, because the rescue system does not need the user to fetch the backup during recovery. However, it needs more storage. Also, single-ISO backups cannot be incremental.",
"",
"Example 27.5. Configuring Single-ISO Rescue System and Backups",
"",
"This configuration creates a rescue system and a backup file as a single ISO image and puts it into the /srv/backup/ directory:",
"",
"OUTPUT=ISO",
"OUTPUT_URL=file:///srv/backup/",
"BACKUP=NETFS",
"BACKUP_URL=iso:///backup/",
"NOTE",
"",
"The ISO image might be large in this scenario. Therefore, Red Hat recommends creating only one ISO image, not two. For details, see the section called “ISO-specific Configuration”."
],
"runasroot": false
},
{
"outerText": [
"This configuration creates a rescue system and a backup file as a single ISO image and puts it into the /srv/backup/ directory:",
"",
"OUTPUT=ISO",
"OUTPUT_URL=file:///srv/backup/",
"BACKUP=NETFS",
"BACKUP_URL=iso:///backup/"
],
"runasroot": false
},
{
"outerText": [
"To use rsync instead of tar, add this line:",
"",
"BACKUP_PROG=rsync",
"",
"Note that incremental backups are only supported when using tar."
],
"runasroot": false
},
{
"outerText": ["To create a rescue system only, run:", "", "rear mkrescue"],
"runasroot": false
},
{
"outerText": ["To create a backup only, run:", "", "rear mkbackuponly"],
"runasroot": false
},
{
"outerText": [
"To create a rescue system and a backup, run:",
"",
"rear mkbackup"
],
"runasroot": false
},
{
"outerText": [
"Create the ReaR recovery system ISO image together with a backup of the files of the basic system:",
"",
" $ rear -C basic_system mkbackup"
],
"runasroot": true
},
{
"outerText": [
"Back the files up in the /home directories:",
"",
" $ rear -C home_backup mkbackuponly"
],
"runasroot": true
}
]