Red Hat Enterprise Linux

Installation
After booting from the DVD ISO image:
 * Language Support = English (United States)
 * Keyboard = Swiss German
 * Network & Host Name = ...
 * Time & Date = Europe/Zürich -> ntp
 * Software Selection = Minimal Installation
 * KDUMP = Disabled, auto
 * Security Profile = None, DISA STIG, OSPP or PCI-DSS
 * Installation Destination = Custom

Partitioning
Example of LVM-based partitioning:

Disk /dev/sda: 1 GiB   (dedicated to boot)
Disk /dev/sdb: 40 GiB  (LVM)

Filesystem                        Size  Mounted on
/dev/sda1                         200M
/dev/sda2                         800M  /boot
/dev/mapper/system-root           5.0G  /
/dev/mapper/system-swap           4.0G
/dev/mapper/system-home           2.0G  /home
/dev/mapper/system-tmp            2.0G  /tmp
/dev/mapper/system-var            4.0G  /var
/dev/mapper/system-cache_dnf      4.0G  /var/cache/dnf
/dev/mapper/system-var_log        3.0G  /var/log
/dev/mapper/system-var_log_audit  2.0G  /var/log/audit
/dev/mapper/system-opt            4.0G  /opt

Post-installation

Registration
Register a server:
subscription-manager clean
subscription-manager register --type=syste

Attach a subscription:
subscription-manager attach --auto

Enable common repositories:
VER=$(rpm --eval %{rhel})
subscription-manager repos --enable rhel-${VER}-for-x86_64-supplementary-rpms
subscription-manager repos --enable codeready-builder-for-rhel-${VER}-x86_64-rpms

To check the available components:
subscription-manager list --consumed
subscription-manager list --installed

To check the available repositories:
yum repolist all
yum repolist enabled

To unregister a server:
subscription-manager remove --all
subscription-manager unregister
subscription-manager clean

Red Hat Insights
 * Install the insights-client tool:
yum install -y openscap-scanner scap-security-guide insights-client

 * To register a server to Red Hat Insights:
rm -f /etc/insights-client/machine-id
insights-client --register

 * To unregister a server:
insights-client --unregister
rm -f /etc/insights-client/machine-id

Patches Installation
To update the system to the latest release and patches:
yum -y check-update
yum -y upgrade
yum clean packages
shutdown -r now

EPEL - Extra Packages for Enterprise Linux
VER=$(rpm --eval %{rhel})
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-${VER}.noarch.rpm

Remi's RPM repository
VER=$(rpm --eval %{rhel})
yum install -y https://rpms.remirepo.net/enterprise/remi-release-${VER}.rpm
yum module list php
yum -y module reset php
yum -y module enable php:remi-8.1
yum -y install php81

RHEL6 to RHEL7
This is the procedure to upgrade from RHEL6 to RHEL7:

 * Get the latest packages:
yum update -y

 * Enable the Extras and Optional repositories:
subscription-manager repos --enable rhel-6-server-extras
subscription-manager repos --enable rhel-6-server-optional-rpms

 * Install upgrade tools:
yum install -y preupgrade-assistant preupgrade-assistant-el6toel7 redhat-upgrade-tool yum-utils

 * Identify potential upgrade problems before upgrade:
preupg

 * Start the upgrade:
redhat-upgrade-tool --network 7.9 --instrepo https://www.example.com/pub/rhel79/

 * Reboot the system:
shutdown -r now

 * Update repos:
yum remove -y 'epel-release-*'
rm -f /etc/yum.repos.d/epel.repo.rpmsave
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum clean all

 * Subscribe to default repos:
subscription-manager repos --enable rhel-7-server-extras-rpms
subscription-manager repos --enable rhel-7-server-supplementary-rpms
subscription-manager repos --enable rhel-7-server-optional-rpms

 * Check dependency problems:
yum check dependencies

 * Update / Remove problematic packages:
yum check dependencies | grep requires | cut -d' ' -f1 | sort -u | sed -e 's/-[0-9]\..*//g' -e 's/^[0-9]://g' | while read -r PKG; do yum upgrade -y "$PKG"; done
yum check dependencies | grep requires | cut -d' ' -f1 | sort -u | sed -e 's/-[0-9]\..*//g' -e 's/^[0-9]://g'
yum check dependencies
 * 1) yum remove -y ...

 * Remove unsupported packages:
rpm -qa | grep el6 | sort | sed -e 's/-[0-9]\..*//g' -e 's/^[0-9]://g' | while read -r PKG; do yum upgrade -y "$PKG"; done
rpm -qa | grep el6 | sort | sed -e 's/-[0-9]\..*//g' -e 's/^[0-9]://g'
 * 1) yum remove -y ...

 * Get the latest packages:
yum update -y

 * Upgrade GRUB Legacy to GRUB 2:
yum remove -y grub
yum install -y grub2
if [ ! -f "/etc/default/grub" ]; then
    cat > /etc/default/grub <<\EOF
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
EOF
    GRUB_LVM=$(cat /proc/cmdline | tr ' ' '\n' | grep "^rd.lvm.lv=" | tr '\n' ' ')
    if [ -n "${GRUB_LVM}" ]; then
        # '|' is used as the sed delimiter because rd.lvm.lv= values contain '/'
        sed -i "s|^GRUB_CMDLINE_LINUX=\"|GRUB_CMDLINE_LINUX=\"${GRUB_LVM} |g" /etc/default/grub
    fi
fi
if [ -f "/boot/efi/EFI/redhat/grub.cfg" ]; then
    grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
else
    grub2-mkconfig -o /boot/grub2/grub.cfg
fi
grub2-install /dev/sda

 * Reboot the system:
shutdown -r now

RHEL7 to RHEL8
This is the procedure to upgrade from RHEL7 to RHEL8:

 * Check for the presence of docker, because during an in-place upgrade the docker package is removed without a warning:
which docker

 * Check the status of SELinux before proceeding, because during the in-place upgrade process the Leapp utility sets SELinux mode to permissive:
getenforce

 * Check the status of firewalld before proceeding:
systemctl is-enabled firewalld

 * Check dependency problems:
yum check dependencies

 * Turn off the antivirus

 * Enable the Base and Extras repositories:
subscription-manager repos --enable rhel-7-server-rpms
subscription-manager repos --enable rhel-7-server-extras-rpms
yum repolist

 * Get the latest packages:
yum update -y

 * Keep only one kernel version:
package-cleanup -y --oldkernels --count=1

 * Remove unsupported packages and modules:
rmmod pata_acpi
yum -y remove pam_pkcs11

 * Install leapp utility:
yum install -y leapp-upgrade

 * Perform the pre-upgrade phase:
leapp preupgrade

 * Execute the leapp answer command:
leapp answer --section question_section.confirm=answer
 * 1) vim /var/log/leapp/answerfile

 * Examine the report:
less /var/log/leapp/leapp-report.txt

 * Start the upgrade:
leapp upgrade

 * Reboot the system:
shutdown -r now

 * Update repos:
yum remove -y 'epel-release-*'
rm -f /etc/yum.repos.d/epel.repo.rpmsave
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
yum clean all

 * Subscribe to default repos:
subscription-manager repos --enable "rhel-8-for-x86_64-supplementary-rpms"
subscription-manager repos --enable "codeready-builder-for-rhel-8-x86_64-rpms"
yum repolist

 * Receive updates for the latest release:
subscription-manager release --unset

 * Set Python version:
alternatives --set python /usr/bin/python3

 * Remove Leapp packages:
dnf config-manager --save --setopt exclude=''
yum remove -y leapp leapp-upgrade-el7toel8

 * Locate remaining RHEL 7 packages and remove them:
rpm -qa | grep -e '\.el[67]' | grep -vE '^(gpg-pubkey|libmodulemd|katello-ca-consumer)' | sort

 * Locate remaining RHEL 7 kernels and remove them:
cd /lib/modules && ls -1d *.el7* | while read -r KERNEL
do
    [ -x /usr/sbin/weak-modules ] && /usr/sbin/weak-modules --remove-kernel "${KERNEL}"
    /bin/kernel-install remove "${KERNEL}" "/lib/modules/${KERNEL}/vmlinuz"
done
rmdir *.el7*

 * Check dependency problems:
yum check dependencies

 * Get the latest packages:
yum update -y

 * Update config files as needed:
updatedb && locate '*.rpmnew'

 * Re-enable SELinux if it was before the upgrade:
vim /etc/selinux/config
 * 1) SELINUX=enforcing

RHEL8 to RHEL9
This is the procedure to upgrade from RHEL8 to RHEL9:

 * Check the status of SELinux before proceeding, because during the in-place upgrade process the Leapp utility sets SELinux mode to permissive:
getenforce

 * Check the status of firewalld before proceeding:
systemctl is-enabled firewalld

 * Check dependency problems:
yum check dependencies

 * Turn off the antivirus

 * Enable the BaseOS and AppStream repositories:
subscription-manager repos --enable rhel-8-for-x86_64-baseos-rpms
subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms
yum repolist

 * Get the latest packages:
yum update -y

 * Remove unsupported packages and modules:

 * Install leapp utility:
rm -rf /root/tmp_leapp_py3
yum install -y leapp-upgrade

 * Perform the pre-upgrade phase:
leapp preupgrade

 * Execute the leapp answer command:
leapp answer --section question_section.confirm=answer
 * 1) vim /var/log/leapp/answerfile

 * Examine the report:
less /var/log/leapp/leapp-report.txt

 * Start the upgrade:
leapp upgrade

 * Reboot the system:
shutdown -r now

 * Update repos:
yum remove -y 'epel-release-*'
rm -f /etc/yum.repos.d/epel.repo.rpmsave
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
yum clean all

 * Subscribe to default repos:
subscription-manager repos --enable "rhel-9-for-x86_64-supplementary-rpms"
subscription-manager repos --enable "codeready-builder-for-rhel-9-x86_64-rpms"
yum repolist

 * Receive updates for the latest release:
subscription-manager release --unset

 * Remove Leapp packages:
dnf config-manager --save --setopt exclude=''
yum remove -y leapp leapp-upgrade-el8toel9

 * Locate remaining RHEL 8 packages and remove them:
rpm -qa | grep -e '\.el[78]' | grep -vE '^(gpg-pubkey|libmodulemd|katello-ca-consumer)' | sort

 * Locate remaining RHEL 8 kernels and remove them:
cd /lib/modules && ls -1d *.el8* | while read -r KERNEL
do
    [ -x /usr/sbin/weak-modules ] && /usr/sbin/weak-modules --remove-kernel "${KERNEL}"
    /bin/kernel-install remove "${KERNEL}" "/lib/modules/${KERNEL}/vmlinuz"
done
rmdir *.el8*

 * Check dependency problems:
yum check dependencies

 * Get the latest packages:
yum update -y

 * Update config files as needed:
updatedb && locate '*.rpmnew'

 * Re-enable SELinux if it was before the upgrade:
vim /etc/selinux/config
 * 1) SELINUX=enforcing
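
Both Leapp procedures above check SELinux and firewalld by hand before the upgrade and restore SELinux afterwards. The following added example (not part of the original page) records that state before "leapp upgrade" and reports what changed after the reboot; the function names and the STATE_FILE path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the
# STATE_FILE path are hypothetical.
STATE_FILE=${STATE_FILE:-/root/pre-leapp-state.txt}

# Print the SELINUX= value from an SELinux config file ($1).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print the value stored for key $2 in snapshot file $1.
snapshot_get() {
    sed -n "s/^$2=//p" "$1"
}

# Record state. $1=snapshot file, $2=output of getenforce,
# $3=SELinux config file, $4=output of "systemctl is-enabled firewalld".
write_snapshot() {
    {
        echo "selinux_runtime=$2"
        echo "selinux_config=$(selinux_config_mode "$3")"
        echo "firewalld=$4"
    } > "$1"
}

# Compare current state with the snapshot (same arguments as above).
# Prints one DRIFT line per changed value; returns 1 if anything changed.
compare_snapshot() {
    drift=0
    for pair in "selinux_runtime=$2" \
                "selinux_config=$(selinux_config_mode "$3")" \
                "firewalld=$4"; do
        key=${pair%%=*}
        was=$(snapshot_get "$1" "$key")
        if [ "$was" != "${pair#*=}" ]; then
            echo "DRIFT $key: was '$was', now '${pair#*=}'"
            drift=1
        fi
    done
    return "$drift"
}

# "pre" before "leapp upgrade", "post" after the reboot into the new release.
case "${1:-}" in
    pre)  write_snapshot "$STATE_FILE" "$(getenforce)" /etc/selinux/config \
              "$(systemctl is-enabled firewalld 2>/dev/null)" ;;
    post) compare_snapshot "$STATE_FILE" "$(getenforce)" /etc/selinux/config \
              "$(systemctl is-enabled firewalld 2>/dev/null)" ;;
esac
```

A DRIFT line for selinux_config after the upgrade is the cue to set SELINUX=enforcing again as described in the last step.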

Convert CentOS to RHEL
This is the procedure to convert CentOS 7 to RHEL 7:

 * Get the latest packages:
yum update -y

 * Check dependency problems:
yum check dependencies

 * Remove conflicting packages:
yum remove -y abrt python3-devel

 * Add RHEL DVD as repository:
mount -t iso9660 -o ro /dev/cdrom /mnt
# gpgcheck=0: packages from this DVD repository are installed without GPG signature verification
echo '[rhel-dvd]
name=Red Hat Enterprise Linux $releasever - $basearch - DVD
baseurl=file:///mnt/
enabled=1
gpgcheck=0' > /etc/yum.repos.d/rhel-dvd.repo
yum clean all

 * Install convert2rhel utility:
yum install -y convert2rhel

 * Start the conversion:
convert2rhel --variant=Server --disable-submgr --disablerepo "*" --enablerepo rhel-dvd --no-rpm-va

 * If the conversion fails, run the following command:
yum distro-sync #--skip-broken

 * Fix EFI boot:
if [ -d "/boot/efi/EFI/centos" ]; then
    mv /boot/efi/EFI/centos/grub* /boot/efi/EFI/redhat/
    rmdir /boot/efi/EFI/centos
    cp -pr /boot/efi/EFI/redhat /boot/efi/EFI/centos
fi

 * Reboot the system:
shutdown -r now

 * Register the system:
mount -t iso9660 -o ro /dev/cdrom /mnt
yum install -y subscription-manager
subscription-manager register
subscription-manager refresh

 * Attach a subscription:
subscription-manager attach --auto

 * Enable common repositories:
subscription-manager repos --enable rhel-7-server-extras
subscription-manager repos --enable rhel-7-server-optional-rpms
subscription-manager repos --enable rhel-7-server-supplementary-rpms
subscription-manager repos --enable rhel-7-server-thirdparty-oracle-java-rpms
yum repolist

 * Remove the DVD repository:
umount /mnt
rm -f /etc/yum.repos.d/rhel-dvd.repo
yum clean all

 * Reinstall the previously removed packages:
yum install -y abrt abrt-tui #python3-devel

 * Check dependency problems:
yum check dependencies

 * Get the latest packages:
yum update -y

 * Reboot the system:
shutdown -r now
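
The DVD repository used for the conversion sets gpgcheck=0, so it should not outlive the procedure. This added example (not part of the original page; the function name is hypothetical) lists every enabled repository in a directory whose section disables GPG checking, which confirms that the cleanup step left nothing behind.

```shell
#!/bin/sh
# Added example, not from the original page. The function name is hypothetical.

# List enabled repositories in directory $1 whose section sets gpgcheck to a
# false value (0, no, false). Output: one "<file>:<repo-id>" line per finding.
# Sections without a gpgcheck key inherit the [main] setting and are skipped.
repos_without_gpgcheck() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            function value(line) {
                sub(/^[^=]*=[ \t]*/, "", line)
                sub(/[ \t\r]*$/, "", line)
                return tolower(line)
            }
            function report() {
                if (id != "" && enabled !~ /^(0|no|false)$/ && gpg ~ /^(0|no|false)$/)
                    print file ":" id
            }
            /^[ \t]*\[/ {
                report()
                id = $0
                sub(/^[ \t]*\[/, "", id)
                sub(/\].*$/, "", id)
                enabled = "1"; gpg = ""
                next
            }
            /^[ \t]*enabled[ \t]*=/  { enabled = value($0) }
            /^[ \t]*gpgcheck[ \t]*=/ { gpg = value($0) }
            END { report() }
        ' "$f"
    done
}

# Audit a directory when one is given, e.g.: sh audit.sh /etc/yum.repos.d
if [ -n "${1:-}" ]; then
    repos_without_gpgcheck "$1"
fi
```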

SELinux
To view the context of a file or directory:
ls -dZ PATH

To reset the context of a file or directory:
restorecon -RF "PATH"

To view all defined contexts:
semanage fcontext -l

To define a new context:
semanage fcontext -a -t TYPE_t "PATH(/.*)?"

To display the SELinux booleans:
getsebool -a

To set an SELinux boolean:
setsebool -P BOOLEAN 1

To view all defined ports:
semanage port -l

To check what is blocked by SELinux:
yum install setroubleshoot-server
journalctl -t setroubleshoot -S today

To verify the need to create policy rules:
ausearch --raw --start today | audit2why

To create a module containing policy rules:
mkdir -p /etc/semodules
cd /etc/semodules
ausearch -c PROBLEM --raw --start today | audit2allow -M PROBLEM
semodule -X 300 -i /etc/semodules/PROBLEM.pp

Compliance
To list the available profiles:
VER=$(rpm --eval %{rhel})
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel${VER}-ds.xml | grep -E "Title: |_profile_"

Title: Protection Profile for General Purpose Operating Systems
Id: xccdf_org.ssgproject.content_profile_ospp
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
Id: xccdf_org.ssgproject.content_profile_pci-dss
Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
Id: xccdf_org.ssgproject.content_profile_stig
Title: Australian Cyber Security Centre (ACSC) Essential Eight
Id: xccdf_org.ssgproject.content_profile_e8

To evaluate a profile (e.g. PCI-DSS):
VER=$(rpm --eval %{rhel})
oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_pci-dss \
    --results /tmp/pci-scan-xccdf-results_$(hostname -s).xml \
    --report /tmp/pci-scan-xccdf-results_$(hostname -s).html \
    --fetch-remote-resources \
    /usr/share/xml/scap/ssg/content/ssg-rhel${VER}-ds.xml

Links

 * Product Documentation for Red Hat Enterprise Linux
 * Red Hat Product Downloads
 * Red Hat Subscription Management
 * Red Hat Insights
 * Red Hat CVE Database
 * Anaconda's documentation
 * Red Hat Enterprise Linux Life Cycle