====== Linux CentOS - Redhat Installation Best practice ======
https://www.microlinux.fr/serveur-lan-centos-7/
http://www.certdepot.net/
===== Partitioning =====
By separating file systems into various partitions, you can fine-tune permissions and functionality. Doing so gives you greater granularity for permissions and adds a layer of security for any potential bad guys to work through.
Steve Grubb suggests, and quite rightly so, that areas where users have write privileges be kept on their own partition. This allows you to prevent hard link privilege escalation attempts, prevent creative device additions, and other unsavory behavior.
Disk OS with LVM (required)
Disks data with LVM (required)
^ ^type^name^size^mount point^
|disk 1 (18GB)|static|/dev/sda1|512M|/boot|
| |LVM|/dev/mapper/rootvg-root|2G|/|
| |LVM|/dev/mapper/rootvg-usr|6G|/usr|
| |LVM|/dev/mapper/rootvg-var|2G|/var|
| |LVM|/dev/mapper/rootvg-opt|1G|/opt|
| |LVM|/dev/mapper/rootvg-tmp|2G|/tmp|
| |LVM|/dev/mapper/rootvg-home|2G|/home|
| |LVM|/dev/mapper/rootvg-swap|2G|swap|
|disk2|LVM|/dev/mapper/datavg-data|10G|/data|
==== Modifying fstab ====
Once you have your partitions broken out and sized accordingly, you can begin to restrict the various mount points as much as possible. You should add nodev, noexec, and nosuid wherever possible.
**An example of a decently restricted /etc/fstab file is below:**
/dev/mapper/rootvg-root / ext4 defaults 1 1
/dev/sda1 /boot ext4 defaults,nosuid,noexec,nodev 1 2
/dev/mapper/rootvg-home /home ext4 defaults,nosuid,nodev 1 2
/dev/mapper/rootvg-opt /opt ext4 defaults 1 2
/dev/mapper/rootvg-tmp /tmp ext4 defaults,nosuid,noexec,nodev 1 2
/dev/mapper/rootvg-usr /usr ext4 defaults 1 2
/dev/mapper/rootvg-var /var ext4 defaults,nosuid 1 2
/dev/mapper/rootvg-swap swap swap defaults 0 0
/dev/mapper/reposvg-reposlv /repos ext4 defaults 1 2
/dev/mapper/reposvg-repcentoslv /repos/CentOS ext4 defaults 1 2
/dev/mapper/reposvg-weblv /var/www ext4 defaults,nosuid,nodev 1 2
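One way to check a host against the restrictions shown in the fstab above (an added example, not part of the original page). The policy table is an assumption that mirrors the example's options per mount point, and the sample fstab is constructed for the demonstration.

```shell
#!/bin/sh
# Assumed policy: mount point -> options it must carry (mirrors the example fstab).
FSTAB_POLICY='/boot nosuid,noexec,nodev
/home nosuid,nodev
/tmp nosuid,noexec,nodev
/var nosuid
/var/www nosuid,nodev'

# audit_fstab FILE: print one line per mount point that lacks a required
# option, or that the policy expects but the file does not mount separately.
audit_fstab() {
    printf '%s\n' "$FSTAB_POLICY" | awk '
        NR == FNR { want[$1] = $2; order[++k] = $1; next }   # first input: policy
        /^[ \t]*#/ || NF < 4 { next }                        # comments, blank lines
        {
            seen[$2] = 1
            if (!($2 in want)) next
            split("", have)                                  # reset per line
            m = split($4, opt, ",")
            for (i = 1; i <= m; i++) have[opt[i]] = 1
            n = split(want[$2], need, ",")
            missing = ""
            for (i = 1; i <= n; i++)
                if (!(need[i] in have))
                    missing = missing (missing == "" ? "" : ",") need[i]
            if (missing != "") print $2 " missing " missing
        }
        END {
            for (i = 1; i <= k; i++)
                if (!(order[i] in seen)) print order[i] " not a separate mount"
        }
    ' - "$1"
}

# Constructed sample: /home and /tmp are weaker than the policy, /var/www is absent.
demo_fstab_audit() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample fstab
/dev/mapper/rootvg-root / ext4 defaults 1 1
/dev/sda1 /boot ext4 defaults,nosuid,noexec,nodev 1 2
/dev/mapper/rootvg-home /home ext4 defaults 1 2
/dev/mapper/rootvg-tmp /tmp ext4 defaults,nosuid,nodev 1 2
/dev/mapper/rootvg-var /var ext4 defaults,nosuid 1 2
EOF
    audit_fstab "$f"
    rm -f "$f"
}

demo_fstab_audit
```

On a real host, run `audit_fstab /etc/fstab`; an empty result means every policy mount point carries its required options.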
===== Customize profile =====
Add into /etc/profile
HISTSIZE=10000
EXTENDED_HISTORY=ON
HISTTIMEFORMAT="%F %T "
export HISTSIZE EXTENDED_HISTORY HISTTIMEFORMAT
===== Install additional packages =====
Some alternative commands exist natively:
tracepath ==> traceroute
Adapt the yum repositories in /etc/yum.repos.d/ to be able to reach the right repositories\\
Add ntp and net-tools (for ifconfig command), and other utilities
yum -y install chrony
yum -y install gdisk
yum -y install psmisc # (fuser, killall, pstree...)
yum -y install yum-utils #(needs-restarting)
yum -y install telnet #(client only to debug)
yum -y install net-tools #(ifconfig, arp, netstat)
yum -y install lsof
yum -y install mlocate #(locate)
yum -y install bind-utils #(host, nslookup)
yum -y install open-vm-tools #(VMware Tools)
yum -y install sg3_utils #(scsi-rescan, alias for rescan-scsi-bus.sh)
yum -y install cpulimit #(limit CPU usage per process)
yum -y install nmap-ncat # nc command
yum -y install system-storage-manager #ssm list
yum -y install dosfstools # to mount USB keys in vfat, extfat
yum -y install gpm # copy/paste using mouse (in terminal)
yum -y install screen # start a terminal in background (in terminal)
yum -y install cloud-utils-growpart # growpart
Also for NTFS USB keys you can download and install **ntfs-3g** package from EPEL
http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/n/
===== List and remove unused services =====
On Redhat and CentOS 7, some services are replaced by their new version:
NetworkManager.service (network service) instead of **network.service**\\
chronyd.service (NTP service) instead of **ntpd.service**\\
firewalld.service (firewall service) instead of **iptables.service** and **ip6tables.service**
[root@centos7 ~]# systemctl list-unit-files | egrep -i "firew|Network|chrony|postfix|tables|bluetooth"
chrony-wait.service disabled
chronyd.service enabled
firewalld.service disabled
NetworkManager-dispatcher.service active
NetworkManager-wait-online.service active
NetworkManager.service running
postfix.service disabled
network-online.target static
network.target static
iptables.service disabled
ip6tables.service disabled
bluetooth.service disabled
bluetooth.target static
==== Disable unused services ====
If SELinux is not required for security purposes, you can disable it and then reboot. SELinux will prevent many actions, such as automatic login for users with SSH public keys (you can also keep it and enable each part you require).
[root@centos7 ~]# vi /etc/selinux/config
SELINUX=disabled
Reboot now.
Example of disable/enable services:
[root@centos7 ~]# for i in postfix.service firewalld.service bluetooth.service
do
systemctl disable $i
systemctl stop $i
done
For info postfix is required to forward email
==== Enable some services ====
chronyd.service
[root@centos7 ~]# yum -y install chrony
[root@centos7 ~]# for i in chronyd.service
do
systemctl enable $i
systemctl start $i
done
Enable additional useful services if needed
[root@centos7 scripts]# systemctl enable httpd.service
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@centos7 scripts]# systemctl start httpd.service
==== Remove services that are in LISTEN state ====
In this example, you could disable the rpcbind.service
[root@centos7 ~]# netstat -an | grep LIST
tcp 0 0 0.0.0.0:51579 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 192.168.22.136:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 14412 @ISCSIADM_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 10242 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 16930 @/tmp/dbus-wEGN6K01Pn
unix 2 [ ACC ] STREAM LISTENING 16307 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 17599 /tmp/.ICE-unix/1146
unix 2 [ ACC ] SEQPACKET LISTENING 10256 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 15164 /var/run/lsm/ipc/sim
unix 2 [ ACC ] STREAM LISTENING 15166 /var/run/lsm/ipc/simc
unix 2 [ ACC ] STREAM LISTENING 14413 @ISCSID_UIP_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 14414 /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 14417 /var/run/rpcbind.sock
unix 2 [ ACC ] STREAM LISTENING 16306 @/tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 8042 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 18796 /run/user/42/pulse/native
unix 2 [ ACC ] STREAM LISTENING 1388 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 17778 /var/run/rpcbind.sock
unix 2 [ ACC ] STREAM LISTENING 14458 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 18556 /var/run/libvirt/libvirt-sock
unix 2 [ ACC ] STREAM LISTENING 18558 /var/run/libvirt/libvirt-sock-ro
unix 2 [ ACC ] STREAM LISTENING 17598 @/tmp/.ICE-unix/1146
unix 2 [ ACC ] STREAM LISTENING 16036 /var/run/abrt/abrt.socket
unix 2 [ ACC ] STREAM LISTENING 17418 @/tmp/dbus-0PYMRpYu
unix 2 [ ACC ] STREAM LISTENING 16892 @/tmp/dbus-bKDTQeVf
unix 2 [ ACC ] STREAM LISTENING 16893 @/tmp/dbus-Skwj1TBB
unix 2 [ ACC ] STREAM LISTENING 17543 @/tmp/dbus-qVKMoS2bff
unix 2 [ ACC ] STREAM LISTENING 18410 @/tmp/dbus-V9cHUqaM
unix 2 [ ACC ] STREAM LISTENING 17419 @/tmp/dbus-9XjDfCN8
[root@centos7 ~]# lsof -i :111
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1243 rpc 7u IPv4 17780 0t0 UDP *:sunrpc
rpcbind 1243 rpc 9u IPv4 17782 0t0 TCP *:sunrpc (LISTEN)
[root@lstor2rrd ~]# systemctl list-unit-files | egrep -i "rpc"
var-lib-nfs-rpc_pipefs.mount static
rpcbind.service enabled
rpcgssd.service disabled
rpcidmapd.service disabled
rpcsvcgssd.service disabled
rpcbind.socket enabled
rpcbind.target static
[root@centos7 ~]# systemctl list-units | egrep -i "rpc"
proc-fs-nfsd.mount loaded active mounted RPC Pipe File System
var-lib-nfs-rpc_pipefs.mount loaded active mounted RPC Pipe File System
rpcbind.service loaded active running RPC bind service
rpcbind.socket loaded active running RPCbind Server Activation Socket
===== Configure the network =====
Use the **nmcli** command to configure the network; install it if required (it is part of NetworkManager).
Check your IP config and routes
[root@centos7 sysctl.d]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eno16780032: mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:50:56:83:33:1e brd ff:ff:ff:ff:ff:ff
inet 192.168.21.194/24 brd 192.168.21.255 scope global eno16780032
valid_lft forever preferred_lft forever
[root@lproxymail sysctl.d]# ip route
default via 192.168.21.250 dev eno16780032
169.254.0.0/16 dev eno16780032 scope link metric 1002
192.168.21.0/24 dev eno16780032 proto kernel scope link src 192.168.21.194
**For information**
Due to the new network adapter naming convention, you'll find network interfaces called enp6s0 or enp4s2f0, which doesn't satisfy everybody.\\
Ex:
[root@centos7 ~]# dmesg | grep NIC
[ 2.318327] VMware vmxnet3 virtual NIC driver - version 1.1.30.0-k-NAPI
[ 2.333886] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[ 3.373209] vmxnet3 0000:0b:00.0 eno16780032: NIC Link is Up 10000 Mbps
You can switch to the old naming convention eth0, eth1... by changing boot parameters (optional):
grubby --update-kernel=ALL --args="net.ifnames=0 biosdevname=0"
===== Remove interface virbr0 =====
If you are not using the libvirtd service, you can stop and disable it.
[root@centos7 ~]# systemctl stop libvirtd.service
[root@centos7 ~]# systemctl disable libvirtd.service
===== Stop IPV6 best practice =====
==== Disable IPV6 on network adapter ====
On most current operating systems, IPv6 is activated by default. It is not good practice to unload the kernel module completely; it is better to disable IPv6 for most applications. Be aware that some applications, such as SELinux, will load the IPv6 module if needed!
Create a file /etc/sysctl.d/98-disable_ipv6.conf
[root@centos7 ~]# cat /etc/sysctl.d/98-disable_ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
To disable in the running system:
[root@centos7 ~]# echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
[root@lstor2rrd ~]# echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
or
[root@centos7 ~]# sysctl -w net.ipv6.conf.all.disable_ipv6=1
[root@lstor2rrd ~]# sysctl -w net.ipv6.conf.default.disable_ipv6=1
==== Disable IPV6 on SSH server ====
If problems with X forwarding are encountered on systems with IPv6 disabled, edit /etc/ssh/sshd_config and make either of the following changes:
(1) Change the line
#AddressFamily any
to
AddressFamily inet
(inet is ipv4 only; inet6 is ipv6 only)
or
(2) Remove the hash mark (#) in front of the line
#ListenAddress 0.0.0.0
Then restart ssh.
systemctl restart sshd.service
==== Disable IPV6 on postfix ====
If problems with starting postfix are encountered on systems with IPv6 disabled, edit /etc/postfix/main.cf, comment out the localhost line and use the IPv4 loopback address instead.
#inet_interfaces = localhost
inet_interfaces = 127.0.0.1
==== Disable IPV6 on NTP client ====
Edit the file /etc/ntp.conf and comment out the line related to IPv6
# restrict ::1
==== Disable IPV6 on RPCBIND ====
To disable IPv6 for RPCBIND (rpcbind, rpc.mountd, rpc.statd), comment out the udp6 and tcp6 lines in **/etc/netconfig**:
udp tpi_clts v inet udp - -
tcp tpi_cots_ord v inet tcp - -
#udp6 tpi_clts v inet6 udp - -
#tcp6 tpi_cots_ord v inet6 tcp - -
rawip tpi_raw - inet - - -
local tpi_cots_ord - loopback - - -
unix tpi_cots_ord - loopback - - -
==== Chrony stop IPV6 ====
If you prefer chrony to ntpd, create the file /etc/sysconfig/chronyd and restart the related systemd daemon:
[root@fedora22 sysconfig]# cat /etc/sysconfig/chronyd
OPTIONS="-4"
===== List or set a Time Zone =====
List the current TimeZone:
[root@fedora22 ~]# timedatectl
Local time: mar. 2015-10-27 14:12:13 CET
Universal time: mar. 2015-10-27 13:12:13 UTC
RTC time: mar. 2015-10-27 13:12:14
Time zone: Europe/Luxembourg (CET, +0100)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: no
Last DST change: DST ended at
dim. 2015-10-25 02:59:59 CEST
dim. 2015-10-25 02:00:00 CET
Next DST change: DST begins (the clock jumps one hour forward) at dim. 2016-03-27 01:59:59 CET
dim. 2016-03-27 03:00:00 CEST
List available TimeZones:
[root@dlp ~]# timedatectl list-timezones
...
Pacific/Rarotonga
Pacific/Saipan
Pacific/Tahiti
Pacific/Tarawa
Pacific/Tongatapu
Pacific/Wake
Pacific/Wallis
Change the current TimeZone:
[root@dlp ~]# timedatectl set-timezone Pacific/Wallis
====== Custom ======
[root@rhlnx01 ~]# fdisk /dev/mapper/mpathi -l
Disk /dev/mapper/mpathi: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 32768 bytes / 32768 bytes
Disklabel type: dos
Disk identifier: 0xdd417826
Device Boot Start End Sectors Size Id Type
/dev/mapper/mpathi1 * 2048 22527 20480 10M 41 PPC PReP Boot
/dev/mapper/mpathi2 22528 2080767 2058240 1005M 83 Linux
/dev/mapper/mpathi3 2080768 83886079 81805312 39G 8e Linux LVM
[root@rhlnx01 ~]# vgs
VG #PV #LV #SN Attr VSize VFree
rootvg 1 7 0 wz--n- 39.00g 24.00g
[root@rhlnx01 ~]# lvs
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
home rootvg -wi-ao---- 1.00g
root rootvg -wi-ao---- 3.00g
swap rootvg -wi-ao---- 2.00g
tmp rootvg -wi-ao---- 1.00g
usr rootvg -wi-ao---- 4.00g
var rootvg -wi-ao---- 3.00g
====== Linux x86 installation --> Use deployment via VCenter ======
All ISOs for installation are located in the IsoScratch datastore in VCenter:
* Navigate to ISO>LINUX>rhel-8.6-x86_64-dvd.iso.
===== Base linux installation =====
* For installation target select a disk and choose either LVM, or BTRFS.
* Installation with GUI is preferred over minimal, which has very few packages.
===== Network configuration =====
Use nmcli to update the network parameters, if not already configured:
[root@localhost ~]# nmcli general hostname
localhost
[root@localhost ~]# nmcli general hostname rhlnx01
[root@rhlnx01 ~]# nmcli device status
DEVICE TYPE STATE CONNECTION
eth0 ethernet disconnected --
lo loopback unmanaged --
[root@rhlnx01 ~]# nmcli con show
NAME UUID TYPE DEVICE
eth0 3d89591d-bc03-4299-80cf-645b97ce1812 802-3-ethernet --
[root@rhlnx01 ~]# nmcli con mod eth0 ipv4.addresses 10.10.10.10/16 ipv4.gateway 10.10.10.100
[root@rhlnx01 ~]# nmcli con mod eth0 connection.autoconnect yes
[root@rhlnx01 ~]# nmcli con mod eth0 ipv4.dns 10.10.10.2,10.10.10.1 ipv4.dns-search "mydom.local"
[root@rhlnx01 ~]# nmcli con mod eth0 ipv4.method manual
[root@rhlnx01 ~]# nmcli con up eth0 ifname eth0
[root@rhlnx01 ~]# nmcli -p con show eth0
===============================================================================
Connection profile details (eth0)
===============================================================================
connection.id: eth0
connection.uuid: 0fd0c630-a54e-4f01-a9fc-4d1c3c42921e
connection.interface-name: eth0
connection.type: 802-3-ethernet
connection.autoconnect: yes
connection.autoconnect-priority: 0
connection.timestamp: 1464786900
connection.read-only: no
....
-------------------------------------------------------------------------------
ipv4.method: manual
ipv4.dns:
ipv4.dns-search:
ipv4.addresses: 10.10.10.10/16
ipv4.gateway: 10.10.10.100
ipv4.routes:
....
Add entry in /etc/hosts:
[root@rhlnx01 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.10.10 rhlnx01
Update the time servers and start the chronyd daemon if it is not enabled
[root@rhlnx01 ~]# cat /etc/chrony.conf
# This loadbalancer server is defined in the installation:
server ntp-server.local iburst
...
Enable/Start Chrony service:
[root@rhlnx01 ~]# systemctl enable chronyd
[root@rhlnx01 ~]# systemctl start chronyd
[root@rhlnx01 ~]# systemctl status chronyd
Check if Chrony service is synchronized:
[root@rhlnx01 ~]# chronyc tracking
Reference ID : 00000000 ()
Stratum : 0
Ref time (UTC) : Thu Jan 01 00:00:00 1970
System time : 0.000000000 seconds fast of NTP time
Last offset : +0.000000000 seconds
RMS offset : 0.000000000 seconds
Frequency : 0.000 ppm slow
Residual freq : +0.000 ppm
Skew : 0.000 ppm
Root delay : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status : Not synchronised # Means that it's not synchronised, whereas Normal would mean that everything is OK
Time zone
[root@rhlnx01 ~]# timedatectl set-timezone Europe/Luxembourg
[root@rhlnx01 ~]# timedatectl
===== Firewall and SElinux =====
==== If the firewall is required ====
Minimum ports to open:
8162/tcp (lpar2rrd agent)
657/tcp and 657/udp (HMC dynamic LPAR)
List firewall rules
[root@rhlnx01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 wlan0
sources:
services: dhcpv6-client ms-wbt
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Check the firewall status
[root@rhlnx01 ~]# firewall-cmd --state
running
Add a rule
[root@rhlnx01 ~]# firewall-cmd --add-service=http --zone=public --permanent
[root@rhlnx01 ~]# firewall-cmd --add-port=1600/tcp --zone=public --permanent
[root@rhlnx01 ~]# firewall-cmd --reload
Example of minimum ports
firewall-cmd --list-all
firewall-cmd --add-port=10050/tcp --zone=public --permanent # Zabbix
firewall-cmd --add-port=8162/tcp --zone=public --permanent # LPAR2RRD
firewall-cmd --add-port=657/tcp --zone=public --permanent # HMC dynamic LPAR
firewall-cmd --add-port=657/udp --zone=public --permanent # HMC dynamic LPAR
firewall-cmd --add-port=5666/tcp --zone=public --permanent # nagios
firewall-cmd --reload
==== If no firewall is required ====
Disable the firewall and SELINUX, if not required:
systemctl stop firewalld
systemctl disable firewalld
==== Disable SElinux ====
[root@rhlnx01 ~]# cat /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
[root@rhlnx01 ~]# reboot
===== Change YUM repository =====
On the server, change the repository files to use the repositories from reposerver:
[root@rhlnx01 ~]# cd /etc/yum.repos.d
[root@rhlnx01 ~]# cat CentOS-Base.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base
baseurl=http://reposerver/linux/altarch/7.6.1810/os/ppc64le/Packages/
enabled=1
gpgcheck=0
#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=http://reposerver/linux/altarch/7.6.1810/updates/ppc64le/Packages/
enabled=1
gpgcheck=0
[root@lnxb082 yum.repos.d]# cat ibmtools.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[ibmtools]
name=CentOS-$releasever - IBMtools
baseurl=http://reposerver/linux/ibmtools/centos/ppc64le
enabled=1
gpgcheck=0
Then update using the newly defined repositories
[root@rhlnx01 ~]# dnf update
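The repository files above set gpgcheck=0 and use an http:// baseurl, so packages from reposerver are installed without signature verification over an unauthenticated channel. The following audit of .repo files is an added example, not part of the original page; the file names, the reposerver.example host and the gpgkey path in the sample are constructed.

```shell
#!/bin/sh
# audit_repo FILE...: for every enabled repo section, report an explicit
# gpgcheck=0 and a cleartext http:// baseurl. An unset gpgcheck inherits
# from [main] in yum.conf/dnf.conf and is not reported here.
# Assumption: 0/no/false/off are treated as "disabled" boolean spellings.
audit_repo() {
    awk '
        function report() {
            if (sect == "" || enabled ~ /^(0|no|false|off)$/) return
            if (gpg ~ /^(0|no|false|off)$/) print file " [" sect "] gpgcheck disabled"
            if (url ~ /^http:/) print file " [" sect "] cleartext baseurl " url
        }
        FNR == 1 { report(); sect = ""; n = split(FILENAME, p, "/"); file = p[n] }
        /^[ \t]*([#;]|$)/ { next }                     # comments and blank lines
        /^\[/ {                                        # new [section]
            report()
            sect = substr($0, 2, index($0, "]") - 2)
            gpg = url = ""; enabled = "1"
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpg = tolower(val)
            else if (key == "enabled") enabled = tolower(val)
            else if (key == "baseurl") url = val
        }
        END { report() }
    ' "$@"
}

# Constructed sample: one weak repo, one hardened repo, one disabled repo.
demo_repo_audit() {
    d=$(mktemp -d) || return 1
    cat > "$d/local.repo" <<'EOF'
# constructed sample modelled on the repo files above
[base]
name=Base
baseurl=http://reposerver.example/os/
enabled=1
gpgcheck=0

[updates]
name=Updates
baseurl=https://reposerver.example/updates/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[testing]
name=Testing
baseurl=http://reposerver.example/testing/
enabled=0
gpgcheck=0
EOF
    audit_repo "$d"/*.repo
    rm -rf "$d"
}

demo_repo_audit
```

On a real host, run `audit_repo /etc/yum.repos.d/*.repo`; the hardened form of a reported section sets gpgcheck=1 with a gpgkey= entry and serves the repository over https.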
===== Additional packages to install =====
dnf -y install mailx
dnf -y install ksh
dnf -y install rear #Relax-and-Recover like mksysb
dnf -y install nfs-utils
dnf -y install lshw
dnf -y install psmisc #(pstree,fuser)
dnf -y install chrony #replacement for ntpd
dnf -y install telnet #(client only useful to debug)
dnf -y install net-tools #(ifconfig, arp, netstat)
dnf -y install lsof
dnf -y install mlocate #(locate)
dnf -y install bind-utils #(host, nslookup)
dnf -y install sg3_utils #(scsi-rescan)
dnf -y install nmap-ncat # nc command
dnf -y install nmon # perf tool command line
dnf -y install lpar2rrd-agent # perf tool LPAR2RRD
dnf -y install yum-utils # needs-restarting, reposync
dnf -y install cloud-utils-growpart # growpart utility to increase partitions size
Check if reboot is needed after packages installation:
needs-restarting
===== Creating Users =====
Keep a reference table of user and group IDs so that the same IDs are always used on every server. This is very important on UNIX/Linux.
groupadd -g 600 nagios
groupadd -g 601 nrpe
useradd -u 600 -c "Nagios User" -g nagios -d /var/spool/nagios -s /sbin/nologin nagios
useradd -u 601 -c "NRPE user" -d /var/run/nrpe -g nrpe -G nagios -s /sbin/nologin nrpe
Create a user
useradd -u 4000 -c 'My first user' -g users -G users,admin user01
Change the owner of all files for a user or group
You can change the user ID and group ID directly in /etc/passwd and /etc/group; files still carrying the old numeric ID are then reassigned as follows:
find / -user 1000 -exec chown user01 {} \;
find / -group 1000 -exec chgrp users {} \;