Skip to content

Instantly share code, notes, and snippets.

@nntrn

nntrn/red_hat_enterprise_linux.json

Created May 10, 2022 03:13
Show Gist options
  • Save nntrn/aef8f595b49ff1fef891b259a7571b96 to your computer and use it in GitHub Desktop.
Save nntrn/aef8f595b49ff1fef891b259a7571b96 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
red_hat_enterprise_linux.json
[
{
"outerText": [
"Listing available system locale settings:",
"",
"$ localectl list-locales"
],
"runasroot": false
},
{
"outerText": [
"Displaying current status of the system locales settings:",
"",
"$ localectl status"
],
"runasroot": false
},
{
"outerText": [
"Setting or changing the default system locale settings:",
"",
"$ localectl set-locale LANG=locale"
],
"runasroot": true
},
{
"outerText": ["Listing available keymaps:", "", "$ localectl list-keymaps"],
"runasroot": false
},
{
"outerText": [
"Displaying current status of keymap settings:",
"",
"$ localectl status"
],
"runasroot": false
},
{
"outerText": [
"Setting or changing the default system keymap:",
"",
"$ localectl set-keymap"
],
"runasroot": true
},
{
"outerText": [
"Register your system:",
"",
"$ subscription-manager register",
"",
"The command will prompt you to enter your Red Hat Customer Portal user name and password."
],
"runasroot": true
},
{
"outerText": [
"Determine the pool ID of a subscription that you require:",
"",
"$ subscription-manager list --available",
"",
"This command displays all available subscriptions for your Red Hat account. For every subscription, various characteristics are displayed, including the pool ID."
],
"runasroot": true
},
{
"outerText": [
"Attach the appropriate subscription to your system by replacing pool_id with the pool ID determined in the previous step:",
"",
"$ subscription-manager attach --pool=pool_id"
],
"runasroot": true
},
{
"outerText": [
"Verify that EUS entitlements are available:",
"",
"$ subscription-manager list --available --matches=\"*Extended Update Support\"",
" +-------------------------------------------+",
" Available Subscriptions",
" +-------------------------------------------+",
" Subscription Name: Extended Update Support",
" Provides: Red Hat Enterprise Linux High Availability for x86_64 - Extended Update Support",
" Red Hat Enterprise Linux Resilient Storage for x86_64 - Extended Update Support",
" Red Hat Enterprise Linux for x86_64 - Extended Update Support",
" Red Hat EUCJP Support (for RHEL Server) - Extended Update Support",
" RHEL for SAP - Extended Update Support",
" Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support",
" Red Hat Enterprise Linux Scalable File System (for RHEL Server) - Extended Update Support",
" Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support",
" RHEL for SAP HANA - Extended Update Support",
" Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support",
" Oracle Java (for RHEL Server) - Extended Update Support",
" Red Hat S-JIS Support (for RHEL Server) - Extended Update Support",
" SKU: RH00030",
" Contract: 12069074",
" Pool ID: 8a99f9ac7238188b01723d9c8a8a06a9",
" Provides Management: No",
" Available: 8",
" Suggested: 0",
" Service Level: Layered",
" Service Type: L1-L3",
" Subscription Type: Instance Based",
" Starts: 05/22/2020",
" Ends: 05/21/2021",
" System Type: Physical"
],
"runasroot": true
},
{
"outerText": [
"Verify that EUS entitlements are available:",
"",
"$ subscription-manager list --available --matches=\"*Extended Update Support\"",
" +-------------------------------------------+",
" Available Subscriptions",
" +-------------------------------------------+",
" Subscription Name: Extended Update Support",
" Provides: Red Hat Enterprise Linux High Availability for x86_64 - Extended Update Support",
" Red Hat Enterprise Linux Resilient Storage for x86_64 - Extended Update Support",
" Red Hat Enterprise Linux for x86_64 - Extended Update Support",
" Red Hat EUCJP Support (for RHEL Server) - Extended Update Support",
" RHEL for SAP - Extended Update Support",
" Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support",
" Red Hat Enterprise Linux Scalable File System (for RHEL Server) - Extended Update Support",
" Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support",
" RHEL for SAP HANA - Extended Update Support",
" Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support",
" Oracle Java (for RHEL Server) - Extended Update Support",
" Red Hat S-JIS Support (for RHEL Server) - Extended Update Support",
" SKU: RH00030",
" Contract: 12069074",
" Pool ID: 8a99f9ac7238188b01723d9c8a8a06a9",
" Provides Management: No",
" Available: 8",
" Suggested: 0",
" Service Level: Layered",
" Service Type: L1-L3",
" Subscription Type: Instance Based",
" Starts: 05/22/2020",
" Ends: 05/21/2021",
" System Type: Physical"
],
"runasroot": true
},
{
"outerText": [
"Attach the applicable subscription using the Pool identifier:",
"",
"$ subscription-manager attach --pool 8a99f9ac7238188b01723d9c8a8a06a9"
],
"runasroot": true
},
{
"outerText": [
"Replace the default repositories enabled for the system with the EUS variants:",
"",
"$ subscription-manager repos --disable \\*"
],
"runasroot": true
},
{
"outerText": [
"Enable the repositories which represent the EUS content set for the RHEL revision in use:",
"",
"$ subscription-manager repos --enable rhel-7-server-eus-rpms"
],
"runasroot": true
},
{
"outerText": [
"Select the required and supported release for the end system:",
"",
"$ subscription-manager release --set 7.6"
],
"runasroot": true
},
{
"outerText": [
"Register your system using the following command:",
"",
"$ subscription-manager register"
],
"runasroot": true
},
{
"outerText": [
"Verify that E4S entitlements are available:",
"",
"$ subscription-manager list --available --matches=\"*Update Services for SAP Solutions*\"",
"+-------------------------------------------+",
" Available Subscriptions",
"+-------------------------------------------+",
"Subscription Name: Red Hat Enterprise Linux for SAP Solutions, Standard (Physical or Virtual Nodes)",
"Provides: dotNET on RHEL Beta (for RHEL Server)",
" Red Hat CodeReady Linux Builder for x86_64",
" Red Hat Enterprise Linux for SAP HANA for x86_64",
" Red Hat Ansible Engine",
" RHEL for SAP HANA - Update Services for SAP Solutions",
" Red Hat Enterprise Linux Scalable File System (for RHEL Server) - Extended Update Support",
" RHEL for SAP HANA - Extended Update Support",
" Red Hat Enterprise Linux Atomic Host Beta",
" Red Hat Beta",
" Red Hat EUCJP Support (for RHEL Server) - Extended Update Support",
" Red Hat Enterprise Linux High Availability for x86_64",
" Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support",
" dotNET on RHEL (for RHEL Server)",
" Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support",
" Red Hat Enterprise Linux High Availability - Update Services for SAP Solutions",
" Red Hat Enterprise Linux Resilient Storage for x86_64 - Extended Update Support",
" Red Hat Enterprise Linux High Availability for x86_64 - Extended Update Support",
" Oracle Java (for RHEL Server)",
" Red Hat Enterprise Linux Server - Update Services for SAP Solutions",
" Red Hat Software Collections (for RHEL Server)",
" Red Hat Enterprise Linux Scalable File System (for RHEL Server)",
" Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support",
" RHEL for SAP - Update Services for SAP Solutions",
" Oracle Java (for RHEL Server) - Extended Update Support",
" Red Hat Enterprise Linux Atomic Host",
" Red Hat Developer Tools (for RHEL Server)",
" Red Hat Software Collections Beta (for RHEL Server)",
" Red Hat Enterprise Linux Server",
" Red Hat Enterprise Linux for SAP Applications for x86_64",
" Red Hat Developer Tools Beta (for RHEL Server)",
" Red Hat Enterprise Linux for x86_64",
" Red Hat Enterprise Linux for x86_64 - Extended Update Support",
" RHEL for SAP - Extended Update Support",
" Red Hat Developer Toolset (for RHEL Server)",
" Red Hat S-JIS Support (for RHEL Server) - Extended Update Support",
"SKU: RH00764",
"Contract: 11977725",
"Pool ID: 8a85f99c6c4825eb016c4a30d3493064",
"Provides Management: Yes",
"Available: 18",
"Suggested: 0",
"Service Level: Standard",
"Service Type: L1-L3",
"Subscription Type: Instance Based",
"Starts: 03/29/2020",
"Ends: 12/31/2021",
"System Type: Physical"
],
"runasroot": true
},
{
"outerText": [
"Verify that E4S entitlements are available:",
"",
"$ subscription-manager list --available --matches=\"*Update Services for SAP Solutions*\"",
"+-------------------------------------------+",
" Available Subscriptions",
"+-------------------------------------------+",
"Subscription Name: Red Hat Enterprise Linux for SAP Solutions, Standard (Physical or Virtual Nodes)",
"Provides: dotNET on RHEL Beta (for RHEL Server)",
" Red Hat CodeReady Linux Builder for x86_64",
" Red Hat Enterprise Linux for SAP HANA for x86_64",
" Red Hat Ansible Engine",
" RHEL for SAP HANA - Update Services for SAP Solutions",
" Red Hat Enterprise Linux Scalable File System (for RHEL Server) - Extended Update Support",
" RHEL for SAP HANA - Extended Update Support",
" Red Hat Enterprise Linux Atomic Host Beta",
" Red Hat Beta",
" Red Hat EUCJP Support (for RHEL Server) - Extended Update Support",
" Red Hat Enterprise Linux High Availability for x86_64",
" Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support",
" dotNET on RHEL (for RHEL Server)",
" Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support",
" Red Hat Enterprise Linux High Availability - Update Services for SAP Solutions",
" Red Hat Enterprise Linux Resilient Storage for x86_64 - Extended Update Support",
" Red Hat Enterprise Linux High Availability for x86_64 - Extended Update Support",
" Oracle Java (for RHEL Server)",
" Red Hat Enterprise Linux Server - Update Services for SAP Solutions",
" Red Hat Software Collections (for RHEL Server)",
" Red Hat Enterprise Linux Scalable File System (for RHEL Server)",
" Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support",
" RHEL for SAP - Update Services for SAP Solutions",
" Oracle Java (for RHEL Server) - Extended Update Support",
" Red Hat Enterprise Linux Atomic Host",
" Red Hat Developer Tools (for RHEL Server)",
" Red Hat Software Collections Beta (for RHEL Server)",
" Red Hat Enterprise Linux Server",
" Red Hat Enterprise Linux for SAP Applications for x86_64",
" Red Hat Developer Tools Beta (for RHEL Server)",
" Red Hat Enterprise Linux for x86_64",
" Red Hat Enterprise Linux for x86_64 - Extended Update Support",
" RHEL for SAP - Extended Update Support",
" Red Hat Developer Toolset (for RHEL Server)",
" Red Hat S-JIS Support (for RHEL Server) - Extended Update Support",
"SKU: RH00764",
"Contract: 11977725",
"Pool ID: 8a85f99c6c4825eb016c4a30d3493064",
"Provides Management: Yes",
"Available: 18",
"Suggested: 0",
"Service Level: Standard",
"Service Type: L1-L3",
"Subscription Type: Instance Based",
"Starts: 03/29/2020",
"Ends: 12/31/2021",
"System Type: Physical"
],
"runasroot": true
},
{
"outerText": [
"Attach the applicable subscription using the Pool identifier:",
"",
"$ subscription-manager attach --pool=#################"
],
"runasroot": true
},
{
"outerText": [
"Replace the default repositories enabled for the system with the EUS variants:",
"",
"$ subscription-manager repos --disable=\"*\""
],
"runasroot": true
},
{
"outerText": [
"Enable the repositories which represent the E4S content set for the RHEL revision in use:",
"",
"$ subscription-manager --enable=rhel-7-server-e4s-rpms"
],
"runasroot": true
},
{
"outerText": [
"Clear the repository cache and release lock the system to a valid release for E4S which supports your SAP application:",
"",
"$ yum clean all && subscription-manager release --set=7.7"
],
"runasroot": true
},
{
"outerText": [
"Listing all available repositories:",
"",
"$ subscription-manager repos --list"
],
"runasroot": true
},
{
"outerText": [
"Listing all currently enabled repositories:",
"",
"$ yum repolist"
],
"runasroot": false
},
{
"outerText": [
"Enabling or disabling a repository:",
"",
"$ subscription-manager repos --enable repository",
"$ subscription-manager repos --disable repository"
],
"runasroot": true
},
{
"outerText": [
"Enabling or disabling a repository:",
"",
"$ subscription-manager repos --enable repository",
"$ subscription-manager repos --disable repository"
],
"runasroot": true
},
{
"outerText": [
"Searching for packages matching a specific string:",
"",
"$ yum search string"
],
"runasroot": false
},
{
"outerText": ["Installing a package:", "", "$ yum install package_name"],
"runasroot": true
},
{
"outerText": [
"Updating all packages and their dependencies:",
"",
"$ yum update"
],
"runasroot": true
},
{
"outerText": ["Updating a package:", "", "$ yum update package_name"],
"runasroot": true
},
{
"outerText": [
"Uninstalling a package and any packages that depend on it:",
"",
"$ yum remove package_name"
],
"runasroot": true
},
{
"outerText": [
"Listing information on all installed and available packages:",
"",
"$ yum list all"
],
"runasroot": false
},
{
"outerText": [
"Listing information on all installed packages:",
"",
"$ yum list installed"
],
"runasroot": false
},
{
"outerText": [
"Display the current SELinux mode in effect:",
"",
"$ getenforce"
],
"runasroot": false
},
{
"outerText": [
"To temporary switch to either enforcing or permissive mode:",
"",
"$ setenforce Enforcing",
"$ setenforce Permissive"
],
"runasroot": true
},
{
"outerText": [
"To temporary switch to either enforcing or permissive mode:",
"",
"$ setenforce Enforcing",
"$ setenforce Permissive"
],
"runasroot": true
},
{
"outerText": [
"To permanently set the SELinux mode, modify the SELINUX variable in the /etc/selinux/config configuration file.",
"",
"For example, to switch SELinux to enforcing mode:",
"",
"# This file controls the state of SELinux on the system.",
"# SELINUX= can take one of these three values:",
"# enforcing - SELinux security policy is enforced.",
"# permissive - SELinux prints warnings instead of enforcing.",
"# disabled - No SELinux policy is loaded.",
"SELINUX=enforcing"
],
"runasroot": false
},
{
"outerText": [
"Generate a public and a private key:",
"",
"$ ssh-keygen",
"",
"Both keys are stored in the ~/.ssh/ directory:",
"",
"~/.ssh/id_rsa.pub - public key",
"",
"~/.ssh/id_rsa - private key",
"",
"The public key does not need to be secret. It is used to verify the private key. The private key is secret. You can choose to protect the private key with the passphrase that you specify during the key generation process. With the passphrase, authentication is even more secure, but is no longer password-less. You can avoid this using the ssh-agent command. In this case, you will enter the passphrase only once - at the beginning of a session. For more information on ssh-agent configuration, see Section 12.2.4, “Using Key-based Authentication”."
],
"runasroot": false
},
{
"outerText": [
"Copy the most recently modified public key to a remote machine you want to log into:",
"",
"$ ssh-copy-id USER@hostname",
"",
"As a result, you are now able to enter the system in a secure way, but without entering a password."
],
"runasroot": true
},
{
"outerText": [
"Access the /etc/ssh/sshd_config file:",
"",
"$ vi /etc/ssh/sshd_config"
],
"runasroot": true
},
{
"outerText": [
"Change the line that reads #PermitRootLogin yes to:",
"",
"PermitRootLogin no"
],
"runasroot": false
},
{
"outerText": ["Restart the sshd service:", "", "$ systemctl restart sshd"],
"runasroot": true
},
{
"outerText": ["Displaying user and group IDs:", "", "$ id"],
"runasroot": false
},
{
"outerText": [
"Creating a new user account:",
"",
"$ useradd [options] user_name"
],
"runasroot": true
},
{
"outerText": [
"Assigning a new password to a user account belonging to username:",
"",
"$ passwd user_name"
],
"runasroot": true
},
{
"outerText": [
"Adding a user to a group:",
"",
"$ usermod -a -G group_name user_name"
],
"runasroot": true
},
{
"outerText": [
"To check whether kdump is installed on your system:",
"",
"$ rpm -q kexec-tools"
],
"runasroot": false
},
{
"outerText": [
"If not installed, to install kdump, enter as the root user:",
"",
"$ yum install kexec-tools"
],
"runasroot": true
},
{
"outerText": [
"To configure kdump:",
"",
"Use either the command line or graphical user interface.",
"",
"Both options are described in detail in Red Hat Enterprise Linux 7 Kernel Crash Dump Guide.",
"",
"If you need to install the graphical configuration tool:",
"",
"$ yum install system-config-kdump"
],
"runasroot": true
},
{
"outerText": [
"Modify the %post section of the Kickstart file:",
"",
"LANG=en_US",
"echo \"%_install_langs $LANG\" > /etc/rpm/macros.language-conf",
"",
"yum-config-manager --setopt=override_install_langs=$LANG --save"
],
"runasroot": false
},
{
"outerText": [
"Modify the %packages section of the Kickstart file:",
"",
"%packages",
"yum-utils*",
"%end"
],
"runasroot": false
},
{
"outerText": [
"Create the RPM configuration file at /etc/rpm/macros.language-conf with the following contents:",
"",
"%_install_langs LANG",
"",
"LANG is the value of the instLang option."
],
"runasroot": false
},
{
"outerText": [
"Update the /etc/yum.conf file with:",
"",
"override_install_langs=LANG"
],
"runasroot": false
},
{
"outerText": [
"Either you can set the hardware clock to the current system time by using this command:",
"",
"hwclock --systohc",
"",
"Note that if you use NTP, the hardware clock is automatically synchronized to the system clock every 11 minutes, and this command is useful only at boot time to get a reasonable initial system time."
],
"runasroot": false
},
{
"outerText": [
"Or, you can set the system time from the hardware clock by using the following command:",
"",
"hwclock --hctosys"
],
"runasroot": false
},
{
"outerText": [
"A new line for juan is created in /etc/passwd:",
"",
"juan:x:1001:1001::/home/juan:/bin/bash",
"",
"The line has the following characteristics:",
"",
"It begins with the user name juan.",
"There is an x for the password field indicating that the system is using shadow passwords.",
"A UID greater than 999 is created. Under Red Hat Enterprise Linux 7, UIDs below 1000 are reserved for system use and should not be assigned to users.",
"A GID greater than 999 is created. Under Red Hat Enterprise Linux 7, GIDs below 1000 are reserved for system use and should not be assigned to users.",
"The optional GECOS information is left blank. The GECOS field can be used to provide additional information about the user, such as their full name or phone number.",
"The home directory for juan is set to /home/juan/.",
"The default shell is set to /bin/bash."
],
"runasroot": false
},
{
"outerText": [
"A new line for juan is created in /etc/shadow:",
"",
"juan:!!:14798:0:99999:7:::",
"",
"The line has the following characteristics:",
"",
"It begins with the user name juan.",
"",
"Two exclamation marks (!!) appear in the password field of the /etc/shadow file, which locks the account.",
"",
"NOTE",
"",
"If an encrypted password is passed using the -p flag, it is placed in the /etc/shadow file on the new line for the user.",
"",
"The password is set to never expire."
],
"runasroot": false
},
{
"outerText": [
"A new line for a group named juan is created in /etc/group:",
"",
"juan:x:1001:",
"",
"A group with the same name as a user is called a user private group. For more information on user private groups, see Section 4.1.1, “User Private Groups”.",
"",
"The line created in /etc/group has the following characteristics:",
"",
"It begins with the group name juan.",
"An x appears in the password field indicating that the system is using shadow group passwords.",
"The GID matches the one listed for juan's primary group in /etc/passwd."
],
"runasroot": false
},
{
"outerText": [
"A new line for a group named juan is created in /etc/gshadow:",
"",
"juan:!::",
"",
"The line has the following characteristics:",
"",
"It begins with the group name juan.",
"An exclamation mark (!) appears in the password field of the /etc/gshadow file, which locks the group.",
"All other fields are blank."
],
"runasroot": false
},
{
"outerText": [
"A directory for user juan is created in the /home directory:",
"",
"$ ls -ld /home/juan",
"drwx------. 4 juan juan 4096 Mar 3 18:23 /home/juan",
"",
"This directory is owned by user juan and group juan. It has read, write, and execute privileges only for the user juan. All other permissions are denied."
],
"runasroot": true
},
{
"outerText": [
"The files within the /etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory:",
"",
"$ ls -la /home/juan",
"total 28",
"drwx------. 4 juan juan 4096 Mar 3 18:23 .",
"drwxr-xr-x. 5 root root 4096 Mar 3 18:23 ..",
"-rw-r--r--. 1 juan juan 18 Jun 22 2010 .bash_logout",
"-rw-r--r--. 1 juan juan 176 Jun 22 2010 .bash_profile",
"-rw-r--r--. 1 juan juan 124 Jun 22 2010 .bashrc",
"drwxr-xr-x. 4 juan juan 4096 Nov 23 15:09 .mozilla"
],
"runasroot": true
},
{
"outerText": [
"As root, create the /opt/myproject/ directory by typing the following at a shell prompt:",
"",
"mkdir /opt/myproject"
],
"runasroot": false
},
{
"outerText": [
"Add the myproject group to the system:",
"",
"groupadd myproject"
],
"runasroot": false
},
{
"outerText": [
"Associate the contents of the /opt/myproject/ directory with the myproject group:",
"",
"chown root:myproject /opt/myproject"
],
"runasroot": false
},
{
"outerText": [
"Allow users in the group to create files within the directory and set the setgid bit:",
"",
"chmod 2775 /opt/myproject",
"",
"At this point, all members of the myproject group can create and edit files in the /opt/myproject/ directory without the administrator having to change file permissions every time users write new files. To verify that the permissions have been set correctly, run the following command:",
"",
"$ ls -ld /opt/myproject",
"drwxrwsr-x. 3 root myproject 4096 Mar 3 18:31 /opt/myproject"
],
"runasroot": true
},
{
"outerText": [
"Allow users in the group to create files within the directory and set the setgid bit:",
"",
"chmod 2775 /opt/myproject",
"",
"At this point, all members of the myproject group can create and edit files in the /opt/myproject/ directory without the administrator having to change file permissions every time users write new files. To verify that the permissions have been set correctly, run the following command:",
"",
"$ ls -ld /opt/myproject",
"drwxrwsr-x. 3 root myproject 4096 Mar 3 18:31 /opt/myproject"
],
"runasroot": true
},
{
"outerText": [
"Add users to the myproject group:",
"",
"usermod -aG myproject username"
],
"runasroot": false
},
{
"outerText": [
"By default, sudo stores the password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves his workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the /etc/sudoers file:",
"",
"Defaults timestamp_timeout=value",
"",
"where value is the desired timeout length in minutes. Setting the value to 0 causes sudo to require a password every time."
],
"runasroot": false
},
{
"outerText": [
"If an account is compromised, an attacker can use sudo to open a new shell with administrative privileges:",
"",
"sudo /bin/bash",
"",
"Opening a new shell as root in this or similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the /etc/sudoers file and never requiring the attacker to input a password for sudo again until the newly opened session is closed."
],
"runasroot": false
},
{
"outerText": [
"Run the following command to register your system. You will be prompted to enter your user name and password. Note that the user name and password are the same as your login credentials for Red Hat Customer Portal.",
"",
"subscription-manager register"
],
"runasroot": false
},
{
"outerText": [
"Determine the pool ID of a subscription that you require. To do so, type the following at a shell prompt to display a list of all subscriptions that are available for your system:",
"",
"subscription-manager list --available",
"",
"For each available subscription, this command displays its name, unique identifier, expiration date, and other details related to your subscription. To list subscriptions for all architectures, add the --all option. The pool ID is listed on a line beginning with Pool ID."
],
"runasroot": false
},
{
"outerText": [
"Attach the appropriate subscription to your system by entering a command as follows:",
"",
"subscription-manager attach --pool=pool_id",
"",
"Replace pool_id with the pool ID you determined in the previous step.",
"",
"To verify the list of subscriptions your system has currently attached, at any time, run:",
"",
"subscription-manager list --consumed"
],
"runasroot": false
},
{
"outerText": [
"Attach the appropriate subscription to your system by entering a command as follows:",
"",
"subscription-manager attach --pool=pool_id",
"",
"Replace pool_id with the pool ID you determined in the previous step.",
"",
"To verify the list of subscriptions your system has currently attached, at any time, run:",
"",
"subscription-manager list --consumed"
],
"runasroot": false
},
{
"outerText": [
"Determine the serial number of the subscription you want to remove by listing information about already attached subscriptions:",
"",
"subscription-manager list --consumed",
"",
"The serial number is the number listed as serial. For instance, 744993814251016831 in the example below:",
"",
"SKU: ES0113909",
"Contract: 01234567",
"Account: 1234567",
"Serial: 744993814251016831",
"Pool ID: 8a85f9894bba16dc014bccdd905a5e23",
"Active: False",
"Quantity Used: 1",
"Service Level: SELF-SUPPORT",
"Service Type: L1-L3",
"Status Details:",
"Subscription Type: Standard",
"Starts: 02/27/2015",
"Ends: 02/27/2016",
"System Type: Virtual"
],
"runasroot": false
},
{
"outerText": [
"Determine the serial number of the subscription you want to remove by listing information about already attached subscriptions:",
"",
"subscription-manager list --consumed",
"",
"The serial number is the number listed as serial. For instance, 744993814251016831 in the example below:",
"",
"SKU: ES0113909",
"Contract: 01234567",
"Account: 1234567",
"Serial: 744993814251016831",
"Pool ID: 8a85f9894bba16dc014bccdd905a5e23",
"Active: False",
"Quantity Used: 1",
"Service Level: SELF-SUPPORT",
"Service Type: L1-L3",
"Status Details:",
"Subscription Type: Standard",
"Starts: 02/27/2015",
"Ends: 02/27/2016",
"System Type: Virtual"
],
"runasroot": false
},
{
"outerText": [
"Enter a command as follows to remove the selected subscription:",
"",
"subscription-manager remove --serial=serial_number",
"",
"Replace serial_number with the serial number you determined in the previous step."
],
"runasroot": false
},
{
"outerText": [
"Start the tool by entering the following command:",
"",
"$ redhat-support-tool"
],
"runasroot": true
},
{
"outerText": [
"Enter your Red Hat Customer Portal user name:",
"",
"Command (? for help): config user username",
"",
"To save your user name to the global configuration file, add the -g option."
],
"runasroot": false
},
{
"outerText": [
"Enter your Red Hat Customer Portal password:",
"",
"Command (? for help): config password",
"Please enter the password for username:"
],
"runasroot": false
},
{
"outerText": [
"Start the tool by entering the following command:",
"",
"$ redhat-support-tool"
],
"runasroot": true
},
{
"outerText": [
"Enter the opencase command:",
"",
"Command (? for help): opencase"
],
"runasroot": false
},
{
"outerText": [
"Confirm you would still like to open the support case.",
"",
"Support case 0123456789 has successfully been opened"
],
"runasroot": false
},
{
"outerText": [
"Start the tool by entering the following command:",
"",
"$ redhat-support-tool"
],
"runasroot": true
},
{
"outerText": [
"Enter the getcase command:",
"",
"Command (? for help): getcase case-number",
"",
"Where case-number is the number of the case you want to view and update."
],
"runasroot": false
},
{
"outerText": [
"Start the tool by entering the following command:",
"",
"$ redhat-support-tool"
],
"runasroot": true
},
{
"outerText": [
"Enter the modifycase command:",
"",
"Command (? for help): modifycase case-number",
"",
"Where case-number is the number of the case you want to view and update."
],
"runasroot": false
},
{
"outerText": [
"The modify selection list appears:",
"",
"Type the number of the attribute to modify or 'e' to return to the previous menu.",
" 1 Modify Type",
" 2 Modify Severity",
" 3 Modify Status",
" 4 Modify Alternative-ID",
" 5 Modify Product",
" 6 Modify Version",
"End of options.",
"",
"Follow the on screen prompts to modify one or more of the options."
],
"runasroot": false
},
{
"outerText": [
"For example, to modify the status, enter 3:",
"",
"Selection: 3",
" 1 Waiting on Customer",
" 2 Waiting on Red Hat",
" 3 Closed",
"Please select a status (or 'q' to exit):"
],
"runasroot": false
},
{
"outerText": [
"Create a target directory to mount your ISO image. This directory is not automatically created when mounting, so create it before proceeding to the next step. As root, type:",
"",
"mkdir mount_dir",
"",
"Replace mount_dir with a path to the mount directory. Typically, users create it as a subdirectory in the /media directory."
],
"runasroot": false
},
{
"outerText": [
"Mount the Red Hat Enterprise Linux 7 installation ISO image to the previously created target directory. As root, type:",
"",
"mount -o loop iso_name mount_dir",
"",
"Replace iso_name with a path to your ISO image and mount_dir with a path to the target directory. Here, the -o loop option is required to mount the file as a block device."
],
"runasroot": false
},
{
"outerText": [
"Copy the media.repo file from the mount directory to the /etc/yum.repos.d/ directory. Note that configuration files in this directory must have the .repo extension to function properly.",
"",
"cp mount_dir/media.repo /etc/yum.repos.d/new.repo",
"",
"This creates a configuration file for the yum repository. Replace new.repo with the filename, for example rhel7.repo."
],
"runasroot": false
},
{
"outerText": [
"Edit the new configuration file so that it points to the Red Hat Enterprise Linux installation ISO. Add the following line into the /etc/yum.repos.d/new.repo file:",
"",
"baseurl=file:///mount_dir",
"",
"Replace mount_dir with a path to the mount point."
],
"runasroot": false
},
{
"outerText": [
"Update all yum repositories including /etc/yum.repos.d/new.repo created in previous steps. As root, type:",
"",
"yum update",
"",
"This upgrades your system to the version provided by the mounted ISO image."
],
"runasroot": false
},
{
"outerText": [
"After successful upgrade, you can unmount the ISO image. As root, type:",
"",
"umount mount_dir",
"",
"where mount_dir is a path to your mount directory. Also, you can remove the mount directory created in the first step. As root, type:",
"",
"rmdir mount_dir"
],
"runasroot": false
},
{
"outerText": [
"After successful upgrade, you can unmount the ISO image. As root, type:",
"",
"umount mount_dir",
"",
"where mount_dir is a path to your mount directory. Also, you can remove the mount directory created in the first step. As root, type:",
"",
"rmdir mount_dir"
],
"runasroot": false
},
{
"outerText": [
"If you will not use the previously created configuration file for another installation or update, you can remove it. As root, type:",
"",
"rm /etc/yum.repos.d/new.repo"
],
"runasroot": false
},
{
"outerText": [
"If a specific online repository requires basic HTTP authentication, you can specify your user name and password by prepending it to the URL as username:password@link. For example, if a repository on http://www.example.com/repo/ requires a user name of \"user\" and a password of \"password\", then the baseurl link could be specified as http://user:password@www.example.com/repo/.",
"",
"Usually this URL is an HTTP link, such as:",
"",
"baseurl=http://path/to/repo/releases/$releasever/server/$basearch/os/",
"",
"Note that yum always expands the $releasever, $arch, and $basearch variables in URLs. For more information about yum variables, see Section 9.5.3, “Using Yum Variables”."
],
"runasroot": false
},
{
"outerText": [
"Install the createrepo package:",
"",
"# yum install createrepo"
],
"runasroot": false
},
{
"outerText": [
"Copy all packages for your new repository into one directory, such as /tmp/local_repo/:",
"",
"cp /your/packages/*.rpm /tmp/local_repo/"
],
"runasroot": false
},
{
"outerText": [
"To create the repository run:",
"",
"createrepo /tmp/local_repo/",
"",
"This creates the necessary metadata for the yum repository and places metadata in a newly created subdirectory repodata.",
"",
"The repository is now ready to be consumed by yum. This repository can be shared over the HTTP or FTP protocol, or refered directly from the local machine. See the Section 9.5.2, “Setting [repository] Options” section for more details on how to configure a yum repository.",
"",
"NOTE",
"",
"When constructing the URL for a repository, refer to the /mnt/local_repo not to /mnt/local_repo/repodata, as this directory contains only metadata. Actual yum packages are in /mnt/local_repo."
],
"runasroot": false
},
{
"outerText": [
"Copy the new packages to your repository directory, such as /tmp/local_repo/:",
"",
"cp /your/packages/*.rpm /tmp/local_repo/"
],
"runasroot": false
},
{
"outerText": [
"To reflect the newly added packages in the metadata, run:",
"",
"createrepo --update /tmp/local_repo/"
],
"runasroot": false
},
{
"outerText": [
"Optional: If you have already used any yum command with newly updated repository, run:",
"",
"yum clean expire-cache"
],
"runasroot": false
},
{
"outerText": [
"In the [emitters] section, set the following option:",
"",
"emit_via = email"
],
"runasroot": false
},
{
"outerText": [
"Add the following option, which points to the newly created repository directory, at the end of the selected yum-cron configuration file:",
"",
"reposdir=/path/to/new/reposdir"
],
"runasroot": false
},
{
"outerText": [
"Set the random_sleep option in the selected configuration file as follows:",
"",
"random_sleep = 0"
],
"runasroot": false
},
{
"outerText": [
"Run the configuration files:",
"",
"# yum-cron /etc/yum/yum-cron.conf",
"# yum-cron /etc/yum/yum-cron-hourly.conf"
],
"runasroot": false
},
{
"outerText": [
"Set the following option in the [base] section of the configuration file:",
"",
"debuglevel = -4"
],
"runasroot": false
},
{
"outerText": [
"Create a shell script in the /etc/cron.daily/ directory containing:",
"",
"#!/bin/sh",
"yum clean all"
],
"runasroot": false
},
{
"outerText": [
"Make the script executable:",
"",
"# chmod +x /etc/cron.daily/script-name.sh"
],
"runasroot": false
},
{
"outerText": [
"Create a unit file in the /etc/systemd/system/ directory and make sure it has correct file permissions. Execute as root:",
"",
"touch /etc/systemd/system/name.service",
"chmod 664 /etc/systemd/system/name.service",
"",
"Replace name with a name of the service to be created. Note that file does not need to be executable."
],
"runasroot": false
},
{
"outerText": [
"Open the name.service file created in the previous step, and add the service configuration options. There is a variety of options that can be used depending on the type of service you wish to create, see Section 10.6.1, “Understanding the Unit File Structure”. The following is an example unit configuration for a network-related service:",
"",
"[Unit]",
"Description=service_description",
"After=network.target",
"",
"[Service]",
"ExecStart=path_to_executable",
"Type=forking",
"PIDFile=path_to_pidfile",
"",
"[Install]",
"WantedBy=default.target",
"",
"Where:",
"",
"service_description is an informative description that is displayed in journal log files and in the output of the systemctl status command.",
"the After setting ensures that the service is started only after the network is running. Add a space-separated list of other relevant services or targets.",
"path_to_executable stands for the path to the actual service executable.",
"Type=forking is used for daemons that make the fork system call. The main process of the service is created with the PID specified in path_to_pidfile. Find other startup types in Table 10.10, “Important [Service] Section Options”.",
"WantedBy states the target or targets that the service should be started under. Think of these targets as of a replacement of the older concept of runlevels, see Section 10.3, “Working with systemd Targets” for details."
],
"runasroot": false
},
{
"outerText": [
"Notify systemd that a new name.service file exists by executing the following command as root:",
"",
"systemctl daemon-reload",
"systemctl start name.service",
"WARNING",
"",
"Always run the systemctl daemon-reload command after creating new unit files or modifying existing unit files. Otherwise, the systemctl start or systemctl enable commands could fail due to a mismatch between states of systemd and actual service unit files on disk.",
"",
"The name.service unit can now be managed as any other system service with commands described in Section 10.2, “Managing System Services”."
],
"runasroot": false
},
{
"outerText": [
"Create a unit file in the /etc/systemd/system/ directory and make sure it has the correct file permissions. Execute as root:",
"",
"$ touch /etc/systemd/system/emacs.service",
"$ chmod 664 /etc/systemd/system/emacs.service"
],
"runasroot": true
},
{
"outerText": [
"Add the following content to the file:",
"",
"[Unit]",
"Description=Emacs: the extensible, self-documenting text editor",
"",
"[Service]",
"Type=forking",
"ExecStart=/usr/bin/emacs --daemon",
"ExecStop=/usr/bin/emacsclient --eval \"(kill-emacs)\"",
"Environment=SSH_AUTH_SOCK=%t/keyring/ssh",
"Restart=always",
"",
"[Install]",
"WantedBy=default.target",
"",
"With the above configuration, the /usr/bin/emacs executable is started in daemon mode on service start. The SSH_AUTH_SOCK environment variable is set using the \"%t\" unit specifier that stands for the runtime directory. The service also restarts the emacs process if it exits unexpectedly."
],
"runasroot": false
},
{
"outerText": [
"Execute the following commands to reload the configuration and start the custom service:",
"",
"$ systemctl daemon-reload",
"$ systemctl start emacs.service"
],
"runasroot": true
},
{
"outerText": [
"Create a copy of the sshd_config file that will be used by the second daemon:",
"",
"$ cp /etc/ssh/sshd{,-second}_config"
],
"runasroot": true
},
{
"outerText": [
"Edit the sshd-second_config file created in the previous step to assign a different port number and PID file to the second daemon:",
"",
"Port 22220",
"PidFile /var/run/sshd-second.pid",
"",
"See the sshd_config(5) manual page for more information on Port and PidFile options. Make sure the port you choose is not in use by any other service. The PID file does not have to exist before running the service, it is generated automatically on service start."
],
"runasroot": false
},
{
"outerText": [
"Create a copy of the systemd unit file for the sshd service:",
"",
"$ cp /usr/lib/systemd/system/sshd.service /etc/systemd/system/sshd-second.service"
],
"runasroot": true
},
{
"outerText": [
"Modify the Description option:",
"",
"Description=OpenSSH server second instance daemon"
],
"runasroot": false
},
{
"outerText": [
"Add sshd.service to services specified in the After option, so that the second instance starts only after the first one has already started:",
"",
"After=syslog.target network.target auditd.service sshd.service"
],
"runasroot": false
},
{
"outerText": [
"Add the -f /etc/ssh/sshd-second_config parameter to the sshd command, so that the alternative configuration file is used:",
"",
"ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd-second_config $OPTIONS"
],
"runasroot": false
},
{
"outerText": [
"After the above modifications, the sshd-second.service should look as follows:",
"",
"[Unit]",
"Description=OpenSSH server second instance daemon",
"After=syslog.target network.target auditd.service sshd.service",
"",
"[Service]",
"EnvironmentFile=/etc/sysconfig/sshd",
"ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd-second_config $OPTIONS",
"ExecReload=/bin/kill -HUP $MAINPID",
"KillMode=process",
"Restart=on-failure",
"RestartSec=42s",
"",
"[Install]",
"WantedBy=multi-user.target"
],
"runasroot": false
},
{
"outerText": [
"If using SELinux, add the port for the second instance of sshd to SSH ports, otherwise the second instance of sshd will be rejected to bind to the port:",
"",
"$ semanage port -a -t ssh_port_t -p tcp 22220"
],
"runasroot": true
},
{
"outerText": [
"Enable sshd-second.service, so that it starts automatically upon boot:",
"",
"$ systemctl enable sshd-second.service",
"",
"Verify if the sshd-second.service is running by using the systemctl status command. Also, verify if the port is enabled correctly by connecting to the service:",
"",
"$ ssh -p 22220 user@server",
"",
"If the firewall is in use, make sure that it is configured appropriately in order to allow connections to the second instance of sshd."
],
"runasroot": true
},
{
"outerText": [
"Enable sshd-second.service, so that it starts automatically upon boot:",
"",
"$ systemctl enable sshd-second.service",
"",
"Verify if the sshd-second.service is running by using the systemctl status command. Also, verify if the port is enabled correctly by connecting to the service:",
"",
"$ ssh -p 22220 user@server",
"",
"If the firewall is in use, make sure that it is configured appropriately in order to allow connections to the second instance of sshd."
],
"runasroot": true
},
{
"outerText": [
"Copy the httpd unit file to the /etc/systemd/system/ directory:",
"",
"cp /usr/lib/systemd/system/httpd.service /etc/systemd/system/httpd.service"
],
"runasroot": false
},
{
"outerText": [
"Open file /etc/systemd/system/httpd.service and specify the TimeoutStartUSec value in the [Service] section:",
"",
"...",
"[Service]",
"...",
"PrivateTmp=true",
"TimeoutStartSec=10",
"",
"[Install]",
"WantedBy=multi-user.target",
"..."
],
"runasroot": false
},
{
"outerText": ["Reload the systemd daemon:", "", "systemctl daemon-reload"],
"runasroot": false
},
{
"outerText": [
"Optional. Verify the new timeout value:",
"",
"systemctl show httpd -p TimeoutStartUSec"
],
"runasroot": false
},
{
"outerText": [
"To specify one or more individual users, list the users on the following line:",
"",
"api-parameters Auth=user:user_1, user_2, ... \t\t# Allow some local user"
],
"runasroot": false
},
{
"outerText": [
"To specify a user group, enter its name on the following line:",
"",
"api-parameters Auth=group:group\t\t# Allow some local group"
],
"runasroot": false
},
{
"outerText": [
"Create the /etc/brlapi.key file.",
"",
"$ mcookie > /etc/brlapi.key"
],
"runasroot": true
},
{
"outerText": [
"To specify an individual user:",
"",
"$ chown user_1 /etc/brlapi.key"
],
"runasroot": true
},
{
"outerText": ["To specify a group:", "", "$ chown group_1 /etc/brlapi.key"],
"runasroot": true
},
{
"outerText": [
"Adjust the content of /etc/brltty.conf to include this:",
"",
"api-parameters Auth=keyfile:/etc/brlapi.key"
],
"runasroot": false
},
{
"outerText": [
"If you want to use autodetection, leave braille driver specified to auto, which is the default option.",
"",
"braille-driver\tauto\t # autodetect",
"WARNING",
"",
"Autodetection tries all drivers. Therefore, it might take a long time or even fail. For this reason, setting up a particular braille driver is recommended."
],
"runasroot": false
},
{
"outerText": [
"If you do not want to use the autodetection, specify the identification code of the required braille driver in the braille-driver directive.",
"",
"Choose the identification code of required braille driver from the list provided in /etc/brltty.conf, for example:",
"",
"braille-driver\txw\t # XWindow",
"",
"You can also set multiple drivers, separated by commas, and autodetection is then performed among them."
],
"runasroot": false
},
{
"outerText": [
"If you want to use the autoselection, leave text-table specified to auto, which is the default option.",
"",
"text-table\tauto\t # locale-based autoselection",
"",
"This ensures that local-based autoselection with fallback to en-nabcc is performed."
],
"runasroot": false
},
{
"outerText": [
"If you do not want to use the autoselection, choose the required text-table from the list in /etc/brltty.conf.",
"",
"For example, to use the text table for American English:",
"",
"text-table\ten_US\t # English (United States)"
],
"runasroot": false
},
{
"outerText": [
"Install Festival:",
"",
"$ yum install festival festival-freebsoft-utils"
],
"runasroot": true
},
{
"outerText": [
"Create a new systemd unit file:",
"",
"Create a file in the /etc/systemd/system/ directory and make it executable.",
"",
"$ touch /etc/systemd/system/festival.service",
"$ chmod 664 /etc/systemd/system/festival.service"
],
"runasroot": true
},
{
"outerText": [
"Ensure that the script in the /usr/bin/festival_server file is used to run Festival. Add the following content to the /etc/systemd/system/festival.service file:",
"",
"[Unit]",
"Description=Festival speech synthesis server",
"[Service]",
"ExecStart=/usr/bin/festival_server",
"Type=simple"
],
"runasroot": false
},
{
"outerText": [
"Notify systemd that a new festival.service file exists:",
"",
"$ systemctl daemon-reload",
"$ systemctl start festival.service"
],
"runasroot": true
},
{
"outerText": [
"Enable festival.service:",
"",
"$ systemctl enable festival.service"
],
"runasroot": true
},
{
"outerText": [
"Generate an RSA key pair by typing the following at a shell prompt:",
"",
"$ ssh-keygen -t rsa",
"Generating public/private rsa key pair.",
"Enter file in which to save the key (/home/USER/.ssh/id_rsa):"
],
"runasroot": false
},
{
"outerText": [
"Enter a passphrase, and confirm it by entering it again when prompted to do so. For security reasons, avoid using the same password as you use to log in to your account.",
"",
"After this, you will be presented with a message similar to this:",
"",
"Your identification has been saved in /home/USER/.ssh/id_rsa.",
"Your public key has been saved in /home/USER/.ssh/id_rsa.pub.",
"The key fingerprint is:",
"SHA256:UNIgIT4wfhdQH/K7yqmjsbZnnyGDKiDviv492U5z78Y USER@penguin.example.com",
"The key's randomart image is:",
"+---[RSA 2048]----+",
"|o ..==o+. |",
"|.+ . .=oo |",
"| .o. ..o |",
"| ... .. |",
"| .S |",
"|o . . |",
"|o+ o .o+ .. |",
"|+.++=o*.o .E |",
"|BBBo+Bo. oo |",
"+----[SHA256]-----+",
"NOTE",
"",
"To get an MD5 key fingerprint, which was the default fingerprint in previous versions, use the ssh-keygen command with the -E md5 option."
],
"runasroot": false
},
{
"outerText": [
"By default, the permissions of the ~/.ssh/ directory are set to rwx------ or 700 expressed in octal notation. This is to ensure that only the USER can view the contents. If required, this can be confirmed with the following command:",
"",
"$ ls -ld ~/.ssh",
"drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/"
],
"runasroot": false
},
{
"outerText": [
"To copy the public key to a remote machine, issue a command in the following format:",
"",
" ssh-copy-id user@hostname",
"",
"This will copy the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key’s file name as follows:",
"",
"ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname",
"",
"This will copy the content of ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys file on the machine to which you want to connect. If the file already exists, the keys are appended to its end."
],
"runasroot": false
},
{
"outerText": [
"To copy the public key to a remote machine, issue a command in the following format:",
"",
" ssh-copy-id user@hostname",
"",
"This will copy the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key’s file name as follows:",
"",
"ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname",
"",
"This will copy the content of ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys file on the machine to which you want to connect. If the file already exists, the keys are appended to its end."
],
"runasroot": false
},
{
"outerText": [
"Generate an ECDSA key pair by typing the following at a shell prompt:",
"",
"$ ssh-keygen -t ecdsa",
"Generating public/private ecdsa key pair.",
"Enter file in which to save the key (/home/USER/.ssh/id_ecdsa):"
],
"runasroot": false
},
{
"outerText": [
"Enter a passphrase, and confirm it by entering it again when prompted to do so. For security reasons, avoid using the same password as you use to log in to your account.",
"",
"After this, you will be presented with a message similar to this:",
"",
"Your identification has been saved in /home/USER/.ssh/id_ecdsa.",
"Your public key has been saved in /home/USER/.ssh/id_ecdsa.pub.",
"The key fingerprint is:",
"SHA256:8BhZageKrLXM99z5f/AM9aPo/KAUd8ZZFPcPFWqK6+M USER@penguin.example.com",
"The key's randomart image is:",
"+---[ECDSA 256]---+",
"| . . +=|",
"| . . . = o.o|",
"| + . * . o...|",
"| = . . * . + +..|",
"|. + . . So o * ..|",
"| . o . .+ = ..|",
"| o oo ..=. .|",
"| ooo...+ |",
"| .E++oo |",
"+----[SHA256]-----+"
],
"runasroot": false
},
{
"outerText": [
"By default, the permissions of the ~/.ssh/ directory are set to rwx------ or 700 expressed in octal notation. This is to ensure that only the USER can view the contents. If required, this can be confirmed with the following command:",
"",
"$ ls -ld ~/.ssh",
" $ ls -ld ~/.ssh/",
"drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/"
],
"runasroot": false
},
{
"outerText": [
"To copy the public key to a remote machine, issue a command in the following format:",
"",
"ssh-copy-id USER@hostname",
"",
"This will copy the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key’s file name as follows:",
"",
"ssh-copy-id -i ~/.ssh/id_ecdsa.pub USER@hostname",
"",
"This will copy the content of ~/.ssh/id_ecdsa.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect. If the file already exists, the keys are appended to its end."
],
"runasroot": false
},
{
"outerText": [
"To copy the public key to a remote machine, issue a command in the following format:",
"",
"ssh-copy-id USER@hostname",
"",
"This will copy the most recently modified ~/.ssh/id*.pub public key if it is not yet installed. Alternatively, specify the public key’s file name as follows:",
"",
"ssh-copy-id -i ~/.ssh/id_ecdsa.pub USER@hostname",
"",
"This will copy the content of ~/.ssh/id_ecdsa.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect. If the file already exists, the keys are appended to its end."
],
"runasroot": false
},
{
"outerText": [
"A configuration file named /etc/systemd/system/vncserver@.service is required. To create this file, copy the /usr/lib/systemd/system/vncserver@.service file as root:",
"",
"$ cp /usr/lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@.service",
"",
"There is no need to include the display number in the file name because systemd automatically creates the appropriately named instance in memory on demand, replacing '%i' in the service file by the display number. For a single user it is not necessary to rename the file. For multiple users, a uniquely named service file for each user is required, for example, by adding the user name to the file name in some way. See Section 13.1.2.1, “Configuring VNC Server for Two Users” for details."
],
"runasroot": true
},
{
"outerText": [
"Edit /etc/systemd/system/vncserver@.service, replacing USER with the actual user name. Leave the remaining lines of the file unmodified.",
"",
"ExecStart=/usr/bin/vncserver_wrapper <USER> %i",
"NOTE",
"",
"The default size of the VNC desktop is 1024x768.",
"",
"A user’s VNC session can be further configured using the ~/.vnc/config file.",
"",
"For example, to change the VNC window size, add the following line:",
"",
"geometry= <WIDTH> x <HEIGHT>"
],
"runasroot": false
},
{
"outerText": [
"To make the changes take effect immediately, issue the following command:",
"",
"$ systemctl daemon-reload"
],
"runasroot": true
},
{
"outerText": [
"Set the password for the user or users defined in the configuration file. Note that you need to switch from root to USER first.",
"",
"$ su - USER",
"$ vncpasswd",
"Password:",
"Verify:",
"IMPORTANT",
"",
"The stored password is not encrypted; anyone who has access to the password file can find the plain-text password."
],
"runasroot": true
},
{
"outerText": [
"Set passwords for both users:",
"",
"$ su - USER_1",
"$ vncpasswd",
"Password:",
"Verify:",
"$ su - USER_2",
"$ vncpasswd",
"Password:",
"Verify:"
],
"runasroot": false
},
{
"outerText": [
"Set up GDM to enable XDMCP by editing the /etc/gdm/custom.conf configuration file:",
"",
"[xdmcp]",
"Enable=true"
],
"runasroot": false
},
{
"outerText": [
"Create a file called /etc/xinetd.d/xvncserver with the following content:",
"",
"service service_name",
"{",
"disable = no",
"protocol = tcp",
"socket_type = stream",
"wait = no",
"user = nobody",
"server = /usr/bin/Xvnc",
"server_args = -inetd -query localhost -once -geometry selected_geometry -depth selected_depth securitytypes=none",
"}",
"",
"In the server_args section, the -query localhost option will make each Xvnc instance query localhost for an xdmcp session. The -depth option specifies the pixel depth (in bits) of the VNC desktop to be created. Acceptable values are 8, 15, 16 and 24 - any other values are likely to cause unpredictable behavior of applications."
],
"runasroot": false
},
{
"outerText": [
"Edit file /etc/services to have the service defined. To do this, append the following snippet to the /etc/services file:",
"",
"# VNC xinetd GDM base",
"service_name 5950/tcp"
],
"runasroot": false
},
{
"outerText": [
"To ensure that the configuration changes take effect, reboot the machine.",
"",
"Alternatively, you can run the following. Change init levels to 3 and back to 5 to force gdm to reload.",
"",
"# init 3",
"# init 5",
"",
"Verify that gdm is listening on UDP port 177.",
"",
"# netstat -anu|grep 177",
"udp 0 0 0.0.0.0:177 0.0.0.0:*",
"",
"Restart the xinetd service.",
"",
"$ systemctl restart xinetd.service",
"",
"Verify that the xinetd service has loaded the new services.",
"",
"# netstat -anpt|grep 595",
"tcp 0 0 :::5950 :::* LISTEN 3119/xinetd"
],
"runasroot": true
},
{
"outerText": [
"To ensure that the configuration changes take effect, reboot the machine.",
"",
"Alternatively, you can run the following. Change init levels to 3 and back to 5 to force gdm to reload.",
"",
"# init 3",
"# init 5",
"",
"Verify that gdm is listening on UDP port 177.",
"",
"# netstat -anu|grep 177",
"udp 0 0 0.0.0.0:177 0.0.0.0:*",
"",
"Restart the xinetd service.",
"",
"$ systemctl restart xinetd.service",
"",
"Verify that the xinetd service has loaded the new services.",
"",
"# netstat -anpt|grep 595",
"tcp 0 0 :::5950 :::* LISTEN 3119/xinetd"
],
"runasroot": true
},
{
"outerText": [
"To ensure that the configuration changes take effect, reboot the machine.",
"",
"Alternatively, you can run the following. Change init levels to 3 and back to 5 to force gdm to reload.",
"",
"# init 3",
"# init 5",
"",
"Verify that gdm is listening on UDP port 177.",
"",
"# netstat -anu|grep 177",
"udp 0 0 0.0.0.0:177 0.0.0.0:*",
"",
"Restart the xinetd service.",
"",
"$ systemctl restart xinetd.service",
"",
"Verify that the xinetd service has loaded the new services.",
"",
"# netstat -anpt|grep 595",
"tcp 0 0 :::5950 :::* LISTEN 3119/xinetd"
],
"runasroot": true
},
{
"outerText": [
"To ensure that the configuration changes take effect, reboot the machine.",
"",
"Alternatively, you can run the following. Change init levels to 3 and back to 5 to force gdm to reload.",
"",
"# init 3",
"# init 5",
"",
"Verify that gdm is listening on UDP port 177.",
"",
"# netstat -anu|grep 177",
"udp 0 0 0.0.0.0:177 0.0.0.0:*",
"",
"Restart the xinetd service.",
"",
"$ systemctl restart xinetd.service",
"",
"Verify that the xinetd service has loaded the new services.",
"",
"# netstat -anpt|grep 595",
"tcp 0 0 :::5950 :::* LISTEN 3119/xinetd"
],
"runasroot": true
},
{
"outerText": [
"Test the setup using a vncviewer command:",
"",
"# vncviewer localhost:5950",
"",
"The command will launch a VNC session to the localhost where no password is asked. You will see a GDM login screen, and you will be able to log in to any user account on the system with a valid user name and password. Then you can run the same test on remote connections."
],
"runasroot": false
},
{
"outerText": [
"Enter the following command as root",
"",
"$ yum install tigervnc-server"
],
"runasroot": true
},
{
"outerText": [
"Set the VNC password for the user:",
"",
"$ vncpasswd",
"Password:",
"Verify:"
],
"runasroot": false
},
{
"outerText": [
"Enter the following command as that user:",
"",
"$ x0vncserver -PasswordFile=.vnc/passwd -AlwaysShared=1"
],
"runasroot": false
},
{
"outerText": [
"Enter an address and display number to connect to:",
"",
"address:display_number"
],
"runasroot": false
},
{
"outerText": [
"Enter the viewer command with the address and display number as arguments:",
"",
"vncviewer address:display_number",
"",
"Where address is an IP address or host name."
],
"runasroot": false
},
{
"outerText": [
"Run the following command to see the information concerning firewalld settings:",
"",
"$ firewall-cmd --list-all"
],
"runasroot": false
},
{
"outerText": [
"To allow all VNC connections from a specific address, use a command as follows:",
"",
"$ firewall-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"192.168.122.116\" service name=vnc-server accept'",
"success",
"",
"Note that these changes will not persist after the next system start. To make permanent changes to the firewall, repeat the commands adding the --permanent option. See the Red Hat Enterprise Linux 7 Security Guide for more information on the use of firewall rich language commands."
],
"runasroot": true
},
{
"outerText": [
"To verify the above settings, use a command as follows:",
"",
"$ firewall-cmd --list-all",
"public (default, active)",
" interfaces: bond0 bond0.192",
" sources:",
" services: dhcpv6-client ssh",
" ports:",
" masquerade: no",
" forward-ports:",
" icmp-blocks:",
" rich rules:",
"\trule family=\"ipv4\" source address=\"192.168.122.116\" service name=\"vnc-server\" accept"
],
"runasroot": true
},
{
"outerText": [
"To open a port for TCP traffic in the public zone, issue a command as root as follows:",
"",
"$ firewall-cmd --zone=public --add-port=5904/tcp",
"success"
],
"runasroot": true
},
{
"outerText": [
"To view the ports that are currently open for the public zone, issue a command as follows:",
"",
"$ firewall-cmd --zone=public --list-ports",
"5904/tcp"
],
"runasroot": true
},
{
"outerText": [
"To connect to a VNC server using SSH, enter a command as follows:",
"",
"$ vncviewer -via USER_2@192.168.2.101:3"
],
"runasroot": false
},
{
"outerText": [
"A graceful stop is used by default when the service is stopped.",
"",
"The command:",
"",
"service httpd configtest",
"",
"is replaced by",
"",
"apachectl configtest"
],
"runasroot": false
},
{
"outerText": [
"A graceful stop is used by default when the service is stopped.",
"",
"The command:",
"",
"service httpd configtest",
"",
"is replaced by",
"",
"apachectl configtest"
],
"runasroot": false
},
{
"outerText": [
"To restart the service completely, enter the following command as root:",
"",
"$ systemctl restart httpd.service",
"",
"This stops the running httpd service and immediately starts it again. Use this command after installing or removing a dynamically loaded module such as PHP."
],
"runasroot": true
},
{
"outerText": [
"To only reload the configuration, as root, type:",
"",
"$ systemctl reload httpd.service",
"",
"This causes the running httpd service to reload its configuration file. Any requests currently being processed will be interrupted, which may cause a client browser to display an error message or render a partial page."
],
"runasroot": true
},
{
"outerText": [
"To reload the configuration without affecting active requests, enter the following command as root:",
"",
"$ apachectl graceful",
"",
"This causes the running httpd service to reload its configuration file. Any requests currently being processed will continue to use the old configuration."
],
"runasroot": true
},
{
"outerText": [
"As root, open the /etc/httpd/conf.d/ssl.conf file and search for all instances of the SSLProtocol directive. By default, the configuration file contains one section that looks as follows:",
"",
"$ vi /etc/httpd/conf.d/ssl.conf",
"# SSL Protocol support:",
"# List the enable protocol levels with which clients will be able to",
"# connect. Disable SSLv2 access by default:",
"SSLProtocol all -SSLv2",
"",
"This section is within the VirtualHost section."
],
"runasroot": true
},
{
"outerText": [
"Edit the SSLProtocol line as follows:",
"",
"# SSL Protocol support:",
"# List the enable protocol levels with which clients will be able to",
"# connect. Disable SSLv2 access by default:",
"SSLProtocol all -SSLv2 -SSLv3",
"",
"Repeat this action for all VirtualHost sections. Save and close the file."
],
"runasroot": false
},
{
"outerText": [
"Verify that all occurrences of the SSLProtocol directive have been changed as follows:",
"",
"$ grep SSLProtocol /etc/httpd/conf.d/ssl.conf",
"SSLProtocol all -SSLv2 -SSLv3",
"",
"This step is particularly important if you have more than the one default VirtualHost section."
],
"runasroot": true
},
{
"outerText": [
"Restart the Apache daemon as follows:",
"",
"$ systemctl restart httpd",
"",
"Note that any sessions will be interrupted."
],
"runasroot": true
},
{
"outerText": [
"As root, open the /etc/httpd/conf.d/ssl.conf file and search for all instances of SSLProtocol directive. By default the file contains one section that looks as follows:",
"",
"$ vi /etc/httpd/conf.d/ssl.conf",
"# SSL Protocol support:",
"# List the enable protocol levels with which clients will be able to",
"# connect. Disable SSLv2 access by default:",
"SSLProtocol all -SSLv2"
],
"runasroot": true
},
{
"outerText": [
"Edit the SSLProtocol line as follows:",
"",
"# SSL Protocol support:",
"# List the enable protocol levels with which clients will be able to",
"# connect. Disable SSLv2 access by default:",
"SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2",
"",
"Save and close the file."
],
"runasroot": false
},
{
"outerText": [
"Verify the change as follows:",
"",
"$ grep SSLProtocol /etc/httpd/conf.d/ssl.conf",
"SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2"
],
"runasroot": true
},
{
"outerText": [
"Restart the Apache daemon as follows:",
"",
"$ systemctl restart httpd",
"",
"Note that any sessions will be interrupted."
],
"runasroot": true
},
{
"outerText": [
"Install mod_nss as root:",
"",
"$ yum install mod_nss",
"",
"This will create the mod_nss configuration file at /etc/httpd/conf.d/nss.conf. The /etc/httpd/conf.d/ directory is included in the main Apache HTTP Server configuration file by default. For the module to be loaded, restart the httpd service as described in Section 14.1.3.3, “Restarting the Service”."
],
"runasroot": true
},
{
"outerText": [
"As root, open the /etc/httpd/conf.d/nss.conf file and search for all instances of the Listen directive.",
"",
"Edit the Listen 8443 line as follows:",
"",
"Listen 443",
"",
"Port 443 is the default port for HTTPS."
],
"runasroot": false
},
{
"outerText": [
"Edit the default VirtualHost default:8443 line as follows:",
"",
"VirtualHost default:443",
"",
"Edit any other non-default virtual host sections if they exist. Save and close the file."
],
"runasroot": false
},
{
"outerText": [
"Mozilla NSS stores certificates in a server certificate database indicated by the NSSCertificateDatabase directive in the /etc/httpd/conf.d/nss.conf file. By default the path is set to /etc/httpd/alias, the NSS database created during installation.",
"",
"To view the default NSS database, issue a command as follows:",
"",
"$ certutil -L -d /etc/httpd/alias",
"",
"Certificate Nickname Trust Attributes",
" SSL,S/MIME,JAR/XPI",
"",
"cacert CTu,Cu,Cu",
"Server-Cert u,u,u",
"alpha u,pu,u",
"",
"In the above command output, Server-Cert is the default NSSNickname. The -L option lists all the certificates, or displays information about a named certificate, in a certificate database. The -d option specifies the database directory containing the certificate and key database files. See the certutil(1) man page for more command line options."
],
"runasroot": true
},
{
"outerText": [
"To configure mod_nss to use another database, edit the NSSCertificateDatabase line in the /etc/httpd/conf.d/nss.conf file. The default file has the following lines within the VirtualHost section.",
"",
"# Server Certificate Database:",
"# The NSS security database directory that holds the certificates and",
"# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.",
"# Provide the directory that these files exist.",
"NSSCertificateDatabase /etc/httpd/alias",
"",
"In the above command output, alias is the default NSS database directory, /etc/httpd/alias/."
],
"runasroot": false
},
{
"outerText": [
"To apply a password to the default NSS certificate database, use the following command as root:",
"",
"$ certutil -W -d /etc/httpd/alias",
"Enter Password or Pin for \"NSS Certificate DB\":",
"Enter a password which will be used to encrypt your keys.",
"The password should be at least 8 characters long,",
"and should contain at least one non-alphabetic character.",
"",
"Enter new password:",
"Re-enter password:",
"Password changed successfully."
],
"runasroot": true
},
{
"outerText": [
"The certutil command is used to add a CA certificate to the NSS database files:",
"",
"certutil -d /etc/httpd/nss-db-directory/ -A -n \"CA_certificate\" -t CT,, -a -i certificate.pem",
"",
"The above command adds a CA certificate stored in a PEM-formatted file named certificate.pem. The -d option specifies the NSS database directory containing the certificate and key database files, the -n option sets a name for the certificate, -t CT,, means that the certificate is trusted to be used in TLS clients and servers. The -A option adds an existing certificate to a certificate database. If the database does not exist it will be created. The -a option allows the use of ASCII format for input or output, and the -i option passes the certificate.pem input file to the command.",
"",
"See the certutil(1) man page for more command line options."
],
"runasroot": false
},
{
"outerText": [
"The certutil tool can be used set a password for an NSS database as follows:",
"",
"certutil -W -d /etc/httpd/nss-db-directory/",
"",
"For example, for the default database, issue a command as root as follows:",
"",
"$ certutil -W -d /etc/httpd/alias",
"Enter Password or Pin for \"NSS Certificate DB\":",
"Enter a password which will be used to encrypt your keys.",
"The password should be at least 8 characters long,",
"and should contain at least one non-alphabetic character.",
"",
"Enter new password:",
"Re-enter password:",
"Password changed successfully."
],
"runasroot": true
},
{
"outerText": [
"The certutil tool can be used set a password for an NSS database as follows:",
"",
"certutil -W -d /etc/httpd/nss-db-directory/",
"",
"For example, for the default database, issue a command as root as follows:",
"",
"$ certutil -W -d /etc/httpd/alias",
"Enter Password or Pin for \"NSS Certificate DB\":",
"Enter a password which will be used to encrypt your keys.",
"The password should be at least 8 characters long,",
"and should contain at least one non-alphabetic character.",
"",
"Enter new password:",
"Re-enter password:",
"Password changed successfully."
],
"runasroot": true
},
{
"outerText": [
"Configure mod_nss to use the NSS internal software token by changing the line with the NSSPassPhraseDialog directive as follows:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSPassPhraseDialog file:/etc/httpd/password.conf",
"",
"This is to avoid manual password entry on system start. The software token exists in the NSS database but you can also have a physical token containing your certificates."
],
"runasroot": true
},
{
"outerText": [
"If the SSL Server Certificate contained in the NSS database is an RSA certificate, make certain that the NSSNickname parameter is uncommented and matches the nickname displayed in step 4 above:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSNickname Server-Cert",
"",
"If the SSL Server Certificate contained in the NSS database is an ECC certificate, make certain that the NSSECCNickname parameter is uncommented and matches the nickname displayed in step 4 above:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSECCNickname Server-Cert",
"",
"Make certain that the NSSCertificateDatabase parameter is uncommented and points to the NSS database directory displayed in step 4 or configured in step 5 above:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSCertificateDatabase /etc/httpd/alias",
"",
"Replace /etc/httpd/alias with the path to the certificate database to be used."
],
"runasroot": true
},
{
"outerText": [
"If the SSL Server Certificate contained in the NSS database is an RSA certificate, make certain that the NSSNickname parameter is uncommented and matches the nickname displayed in step 4 above:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSNickname Server-Cert",
"",
"If the SSL Server Certificate contained in the NSS database is an ECC certificate, make certain that the NSSECCNickname parameter is uncommented and matches the nickname displayed in step 4 above:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSECCNickname Server-Cert",
"",
"Make certain that the NSSCertificateDatabase parameter is uncommented and points to the NSS database directory displayed in step 4 or configured in step 5 above:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSCertificateDatabase /etc/httpd/alias",
"",
"Replace /etc/httpd/alias with the path to the certificate database to be used."
],
"runasroot": true
},
{
"outerText": [
"If the SSL Server Certificate contained in the NSS database is an RSA certificate, make certain that the NSSNickname parameter is uncommented and matches the nickname displayed in step 4 above:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSNickname Server-Cert",
"",
"If the SSL Server Certificate contained in the NSS database is an ECC certificate, make certain that the NSSECCNickname parameter is uncommented and matches the nickname displayed in step 4 above:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSECCNickname Server-Cert",
"",
"Make certain that the NSSCertificateDatabase parameter is uncommented and points to the NSS database directory displayed in step 4 or configured in step 5 above:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"NSSCertificateDatabase /etc/httpd/alias",
"",
"Replace /etc/httpd/alias with the path to the certificate database to be used."
],
"runasroot": true
},
{
"outerText": [
"Create the /etc/httpd/password.conf file as root:",
"",
"$ vi /etc/httpd/password.conf",
"",
"Add a line with the following form:",
"",
"internal:password",
"",
"Replacing password with the password that was applied to the NSS security databases in step 6 above."
],
"runasroot": true
},
{
"outerText": [
"Create the /etc/httpd/password.conf file as root:",
"",
"$ vi /etc/httpd/password.conf",
"",
"Add a line with the following form:",
"",
"internal:password",
"",
"Replacing password with the password that was applied to the NSS security databases in step 6 above."
],
"runasroot": true
},
{
"outerText": [
"Apply the appropriate ownership and permissions to the /etc/httpd/password.conf file:",
"",
"$ chgrp apache /etc/httpd/password.conf",
"$ chmod 640 /etc/httpd/password.conf",
"$ ls -l /etc/httpd/password.conf",
"-rw-r-----. 1 root apache 10 Dec 4 17:13 /etc/httpd/password.conf"
],
"runasroot": true
},
{
"outerText": [
"To configure mod_nss to use the NSS the software token in /etc/httpd/password.conf, edit /etc/httpd/conf.d/nss.conf as follows:",
"",
"$ vi /etc/httpd/conf.d/nss.conf"
],
"runasroot": true
},
{
"outerText": [
"As root, open the /etc/httpd/conf.d/nss.conf file and search for all instances of the NSSProtocol directive. By default, the configuration file contains one section that looks as follows:",
"",
"$ vi /etc/httpd/conf.d/nss.conf",
"# SSL Protocol:",
"output omitted",
"# Since all protocol ranges are completely inclusive, and no protocol in the",
"# middle of a range may be excluded, the entry \"NSSProtocol SSLv3,TLSv1.1\"",
"# is identical to the entry \"NSSProtocol SSLv3,TLSv1.0,TLSv1.1\".",
"NSSProtocol SSLv3,TLSv1.0,TLSv1.1",
"",
"This section is within the VirtualHost section."
],
"runasroot": true
},
{
"outerText": [
"Edit the NSSProtocol line as follows:",
"",
"# SSL Protocol:",
"NSSProtocol TLSv1.0,TLSv1.1",
"",
"Repeat this action for all VirtualHost sections."
],
"runasroot": false
},
{
"outerText": ["Edit the Listen 8443 line as follows:", "", "Listen 443"],
"runasroot": false
},
{
"outerText": [
"Edit the default VirtualHost default:8443 line as follows:",
"",
"VirtualHost default:443",
"",
"Edit any other non-default virtual host sections if they exist. Save and close the file."
],
"runasroot": false
},
{
"outerText": [
"Verify that all occurrences of the NSSProtocol directive have been changed as follows:",
"",
"$ grep NSSProtocol /etc/httpd/conf.d/nss.conf",
"# middle of a range may be excluded, the entry \"NSSProtocol SSLv3,TLSv1.1\"",
"# is identical to the entry \"NSSProtocol SSLv3,TLSv1.0,TLSv1.1\".",
"NSSProtocol TLSv1.0,TLSv1.1",
"",
"This step is particularly important if you have more than one VirtualHost section."
],
"runasroot": true
},
{
"outerText": [
"Restart the Apache daemon as follows:",
"",
"$ service httpd restart",
"",
"Note that any sessions will be interrupted."
],
"runasroot": true
},
{
"outerText": [
"http://localhost/manual/ — The official documentation for the Apache HTTP Server with the full description of its directives and available modules. Note that in order to access this documentation, you must have the httpd-manual package installed, and the web server must be running.",
"",
"Before accessing the documentation, issue the following commands as root:",
"",
"~] yum install httpd-manual ~] apachectl graceful"
],
"runasroot": false
},
{
"outerText": [
"Edit the /etc/dovecot/dovecot.conf configuration file to make sure the protocols variable is uncommented (remove the hash sign (#) at the beginning of the line) and contains the pop3 argument. For example:",
"",
"protocols = imap pop3 lmtp",
"",
"When the protocols variable is left commented out, dovecot will use the default values as described above."
],
"runasroot": false
},
{
"outerText": [
"Make the change operational for the current session by running the following command as root:",
"",
"$ systemctl restart dovecot"
],
"runasroot": true
},
{
"outerText": [
"Make the change operational after the next reboot by running the command:",
"",
"$ systemctl enable dovecot",
"Created symlink from /etc/systemd/system/multi-user.target.wants/dovecot.service to /usr/lib/systemd/system/dovecot.service.",
"NOTE",
"",
"Please note that dovecot only reports that it started the IMAP server, but also starts the POP3 server."
],
"runasroot": true
},
{
"outerText": [
"Edit the /etc/dovecot/conf.d/10-ssl.conf configuration to make sure the ssl_protocols variable is uncommented and contains the !SSLv2 !SSLv3 arguments:",
"",
"ssl_protocols = !SSLv2 !SSLv3",
"",
"These values ensure that dovecot avoids SSL versions 2 and also 3, which are both known to be insecure. This is due to the vulnerability described in POODLE: SSLv3 vulnerability (CVE-2014-3566). See Resolution for POODLE SSL 3.0 vulnerability (CVE-2014-3566) in Postfix and Dovecot for details.",
"",
"Make sure that /etc/dovecot/conf.d/10-ssl.conf contains the following option:",
"",
" ssl=required"
],
"runasroot": false
},
{
"outerText": [
"Edit the /etc/dovecot/conf.d/10-ssl.conf configuration to make sure the ssl_protocols variable is uncommented and contains the !SSLv2 !SSLv3 arguments:",
"",
"ssl_protocols = !SSLv2 !SSLv3",
"",
"These values ensure that dovecot avoids SSL versions 2 and also 3, which are both known to be insecure. This is due to the vulnerability described in POODLE: SSLv3 vulnerability (CVE-2014-3566). See Resolution for POODLE SSL 3.0 vulnerability (CVE-2014-3566) in Postfix and Dovecot for details.",
"",
"Make sure that /etc/dovecot/conf.d/10-ssl.conf contains the following option:",
"",
" ssl=required"
],
"runasroot": false
},
{
"outerText": [
"Execute the /usr/libexec/dovecot/mkcert.sh script which creates the dovecot self signed certificates. These certificates are copied in the /etc/pki/dovecot/certs and /etc/pki/dovecot/private directories. To implement the changes, restart dovecot by issuing the following command as root:",
"",
"$ systemctl restart dovecot"
],
"runasroot": true
},
{
"outerText": [
"INCLUDERC — Specifies additional rc files containing more recipes for messages to be checked against. This breaks up the Procmail recipe lists into individual files that fulfill different roles, such as blocking spam and managing email lists, that can then be turned off or on by using comment characters in the user’s ~/.procmailrc file.",
"",
"For example, lines in a user’s ~/.procmailrc file may look like this:",
"",
"MAILDIR=$HOME/Msgs",
"INCLUDERC=$MAILDIR/lists.rc",
"INCLUDERC=$MAILDIR/spam.rc",
"",
"To turn off Procmail filtering of email lists but leaving spam control in place, comment out the first INCLUDERC line with a hash sign (#). Note that it uses paths relative to the current directory."
],
"runasroot": false
},
{
"outerText": ["Install the samba package:", "", "$ yum install samba"],
"runasroot": true
},
{
"outerText": [
"Edit the /etc/samba/smb.conf file and set the following parameters:",
"",
"[global]",
"\tworkgroup = Example-WG",
"\tnetbios name = Server",
"\tsecurity = user",
"",
"\tlog file = /var/log/samba/%m.log",
"\tlog level = 1",
"",
"This configuration defines a standalone server named Server within the Example-WG work group. Additionally, this configuration enables logging on a minimal level (1) and log files will be stored in the /var/log/samba/ directory. Samba will expand the %m macro in the log file parameter to the NetBIOS name of connecting clients. This enables individual log files for each client.",
"",
"For further details, see the parameter descriptions in the smb.conf(5) man page."
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Open the required ports and reload the firewall configuration by using the firewall-cmd utility:",
"",
"$ firewall-cmd --permanent --add-port={139/tcp,445/tcp}",
"$ firewall-cmd --reload"
],
"runasroot": true
},
{
"outerText": ["Start the smb service:", "", "$ systemctl start smb"],
"runasroot": true
},
{
"outerText": [
"Optionally, enable the smb service to start automatically when the system boots:",
"",
"$ systemctl enable smb"
],
"runasroot": true
},
{
"outerText": [
"Create the operating system account:",
"",
"$ useradd -M -s /sbin/nologin example",
"",
"The previous command adds the example account without creating a home directory. If the account is only used to authenticate to Samba, assign the /sbin/nologin command as shell to prevent the account from logging in locally."
],
"runasroot": true
},
{
"outerText": [
"Set a password to the operating system account to enable it:",
"",
"$ passwd example",
"Enter new UNIX password: password",
"Retype new UNIX password: password",
"passwd: password updated successfully",
"",
"Samba does not use the password set on the operating system account to authenticate. However, you need to set a password to enable the account. If an account is disabled, Samba denies access if this user connects."
],
"runasroot": true
},
{
"outerText": [
"Add the user to the Samba database and set a password to the account:",
"",
"$ smbpasswd -a example",
"New SMB password: password",
"Retype new SMB password: password",
"Added user example.",
"",
"Use this password to authenticate when using this account to connect to a Samba share."
],
"runasroot": true
},
{
"outerText": [
"Enable the Samba account:",
"",
"$ smbpasswd -e example",
"Enabled user example."
],
"runasroot": true
},
{
"outerText": [
"Install the following packages:",
"",
"$ yum install realmd oddjob-mkhomedir oddjob samba-winbind-clients \\",
" samba-winbind samba-common-tools"
],
"runasroot": true
},
{
"outerText": [
"To share directories or printers on the domain member, install the samba package:",
"",
"$ yum install samba"
],
"runasroot": true
},
{
"outerText": [
"If you join an AD, additionally install the samba-winbind-krb5-locator package:",
"",
"$ yum install samba-winbind-krb5-locator",
"",
"This plug-in enables Kerberos to locate the Key Distribution Center (KDC) based on AD sites using DNS service records."
],
"runasroot": true
},
{
"outerText": [
"Optionally, rename the existing /etc/samba/smb.conf Samba configuration file:",
"",
"$ mv /etc/samba/smb.conf /etc/samba/smb.conf.old"
],
"runasroot": true
},
{
"outerText": [
"Join the domain. For example, to join a domain named ad.example.com",
"",
"$ realm join --membership-software=samba --client-software=winbind ad.example.com",
"",
"Using the previous command, the realm utility automatically:",
"",
"Creates a /etc/samba/smb.conf file for a membership in the ad.example.com domain",
"Adds the winbind module for user and group lookups to the /etc/nsswitch.conf file",
"Updates the Pluggable Authentication Module (PAM) configuration files in the /etc/pam.d/ directory",
"",
"Starts the winbind service and enables the service to start when the system boots",
"",
"For further details about the realm utility, see the realm(8) man page and the corresponding section in the Red Hat Windows Integration Guide."
],
"runasroot": true
},
{
"outerText": [
"Verify that the winbindd is running:",
"",
"$ systemctl status winbind",
"IMPORTANT",
"",
"To enable Samba to query domain user and group information, the winbindd service must be running before you start smbd."
],
"runasroot": true
},
{
"outerText": [
"If you installed the samba package to share directories and printers, start the smbd service:",
"",
"$ systemctl start smb"
],
"runasroot": true
},
{
"outerText": [
"To query the administrator account in the AD domain:",
"",
"$ getent passwd AD\\\\administrator",
"AD\\administrator:*:10000:10000::/home/administrator@AD:/bin/bash"
],
"runasroot": true
},
{
"outerText": [
"To query the members of the Domain Users group in the AD domain:",
"",
"$ getent group \"AD\\\\Domain Users\"",
"AD\\domain users:x:10000:user"
],
"runasroot": true
},
{
"outerText": [
"Obtain a ticket for the administrator@AD.EXAMPLE.COM principal:",
"",
"$ kinit administrator@AD.EXAMPLE.COM"
],
"runasroot": true
},
{
"outerText": [
"Display the cached Kerberos ticket:",
"",
"$ klist",
"Ticket cache: KEYRING:persistent:0:0",
"Default principal: administrator@AD.EXAMPLE.COM",
"",
"Valid starting Expires Service principal",
"11.09.2017 14:46:21 12.09.2017 00:46:21 krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM",
"\trenew until 18.09.2017 14:46:19"
],
"runasroot": true
},
{
"outerText": [
"Add an ID mapping configuration for the default domain (*) if it does not exist. For example:",
"",
"idmap config * : backend = tdb",
"idmap config * : range = 10000-999999",
"",
"For further details about the default domain configuration, see Section 16.1.5.3.2, “The * Default Domain”."
],
"runasroot": false
},
{
"outerText": [
"Enable the ad ID mapping back end for the AD domain:",
"",
"idmap config DOMAIN : backend = ad"
],
"runasroot": false
},
{
"outerText": [
"Set the range of IDs that is assigned to users and groups in the AD domain. For example:",
"",
"idmap config DOMAIN : range = 2000000-2999999",
"IMPORTANT",
"",
"The range must not overlap with any other domain configuration on this server. Additionally, the range must be set big enough to include all IDs assigned in the future. For further details, see Section 16.1.5.3.1, “Planning ID Ranges”."
],
"runasroot": false
},
{
"outerText": [
"Set that Samba uses the RFC 2307 schema when reading attributes from AD:",
"",
"idmap config DOMAIN : schema_mode = rfc2307"
],
"runasroot": false
},
{
"outerText": [
"To enable Samba to read the login shell and the path to the users home directory from the corresponding AD attribute, set:",
"",
"idmap config DOMAIN : unix_nss_info = yes",
"",
"Alternatively, you can set a uniform domain-wide home directory path and login shell that is applied to all users. For example:",
"",
"template shell = /bin/bash",
"template homedir = /home/%U",
"",
"For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page."
],
"runasroot": false
},
{
"outerText": [
"To enable Samba to read the login shell and the path to the users home directory from the corresponding AD attribute, set:",
"",
"idmap config DOMAIN : unix_nss_info = yes",
"",
"Alternatively, you can set a uniform domain-wide home directory path and login shell that is applied to all users. For example:",
"",
"template shell = /bin/bash",
"template homedir = /home/%U",
"",
"For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page."
],
"runasroot": false
},
{
"outerText": [
"By default, Samba uses the primaryGroupID attribute of a user object as the user’s primary group on Linux. Alternatively, you can configure Samba to use the value set in the gidNumber attribute instead:",
"",
"idmap config DOMAIN : unix_primary_group = yes"
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Reload the Samba configuration:",
"",
"$ smbcontrol all reload-config"
],
"runasroot": true
},
{
"outerText": [
"Add an ID mapping configuration for the default domain (*) if it does not exist. For example:",
"",
"idmap config * : backend = tdb",
"idmap config * : range = 10000-999999",
"",
"For further details about the default domain configuration, see Section 16.1.5.3.2, “The * Default Domain”."
],
"runasroot": false
},
{
"outerText": [
"Enable the rid ID mapping back end for the domain:",
"",
"idmap config DOMAIN : backend = rid"
],
"runasroot": false
},
{
"outerText": [
"Set a range that is big enough to include all RIDs that will be assigned in the future. For example:",
"",
"idmap config DOMAIN : range = 2000000-2999999",
"",
"Samba ignores users and groups whose RIDs in this domain are not within the range.",
"",
"IMPORTANT",
"",
"The range must not overlap with any other domain configuration on this server. For further details, see Section 16.1.5.3.1, “Planning ID Ranges”."
],
"runasroot": false
},
{
"outerText": [
"Set a shell and home directory path that will be assigned to all mapped users. For example:",
"",
"template shell = /bin/bash",
"template homedir = /home/%U",
"",
"For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page."
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Reload the Samba configuration:",
"",
"$ smbcontrol all reload-config"
],
"runasroot": true
},
{
"outerText": [
"Enable the autorid ID mapping back end for the * default domain:",
"",
"idmap config * : backend = autorid"
],
"runasroot": false
},
{
"outerText": [
"Set a range that is big enough to assign IDs for all existing and future objects. For example:",
"",
"idmap config * : range = 10000-999999",
"",
"Samba ignores users and groups whose calculated IDs in this domain are not within the range. For details about how the back end calculated IDs, see the THE MAPPING FORMULAS section in the idmap_autorid(8) man page.",
"",
"WARNING",
"",
"After you set the range and Samba starts using it, you can only increase the upper limit of the range. Any other change to the range can result in new ID assignments, and thus in loosing file ownerships."
],
"runasroot": false
},
{
"outerText": [
"Optionally, set a range size. For example:",
"",
"idmap config * : rangesize = 200000",
"",
"Samba assigns this number of continuous IDs for each domain’s object until all IDs from the range set in the idmap config * : range parameter are taken. For further details, see the rangesize parameter description in the idmap_autorid(8) man page."
],
"runasroot": false
},
{
"outerText": [
"Set a shell and home directory path that will be assigned to all mapped users. For example:",
"",
"template shell = /bin/bash",
"template homedir = /home/%U",
"",
"For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page."
],
"runasroot": false
},
{
"outerText": [
"Verify the /etc/samba/smb.conf file:",
"",
"$ testparm",
"",
"For details, see Section 16.1.2, “Verifying the smb.conf File by Using the testparm Utility”."
],
"runasroot": true
},
{
"outerText": [
"Reload the Samba configuration:",
"",
"$ smbcontrol all reload-config"
],
"runasroot": true
},
{