Red Hat Enterprise Linux

Installation
After booting from the DVD ISO image:
 * Language = English (United States)
 * Keyboard = Swiss German
 * Network = ...
 * Time = Europe/Zürich -> ntp
 * Kdump = Disabled, auto
 * Security Policy = None, DISA STIG, OSPP or PCI-DSS
 * System Purpose = Role: Server, Service Level Agreement: Standard
 * Software = Minimal Installation
 * Partition = Custom

Partitioning
Example of LVM-based partitioning:

    Disk /dev/sda: 1 GiB   (dedicated to boot)
    Disk /dev/sdb: 40 GiB  (LVM)

    Filesystem                       Size  Mounted on
    /dev/sda1                        200M
    /dev/sda2                        800M  /boot
    /dev/mapper/system-root          4.0G  /
    /dev/mapper/system-swap          4.0G
    /dev/mapper/system-home          2.0G  /home
    /dev/mapper/system-tmp           2.0G  /tmp
    /dev/mapper/system-var           1.0G  /var
    /dev/mapper/system-crash         2.0G  /var/crash
    /dev/mapper/system-cache_yum     3.0G  /var/cache/yum
    /dev/mapper/system-var_log       3.0G  /var/log
    /dev/mapper/system-var_log_audit 1.0G  /var/log/audit
    /dev/mapper/system-opt           4.0G  /opt

Post-installation

Registration
Register a server:
    subscription-manager register --type=system
    subscription-manager refresh

Attach a subscription:
    subscription-manager attach --auto

Enable common repositories:
    subscription-manager repos --enable rhel-7-server-extras-rpms
    subscription-manager repos --enable rhel-7-server-optional-rpms
    subscription-manager repos --enable rhel-7-server-supplementary-rpms
    subscription-manager repos --enable rhel-7-server-thirdparty-oracle-java-rpms

To check the available components:
    subscription-manager list --consumed
    subscription-manager list --installed

To check the available repositories:
    yum repolist all
    yum repolist enabled

To unregister a server:
    subscription-manager remove --all
    subscription-manager unregister
    subscription-manager clean

Red Hat Insights
 * Install the insights-client tool:
    yum install -y openscap-scanner scap-security-guide insights-client

 * Register the server to Red Hat Insights:
    insights-client --register

Service Pack Installation
To update the system to the latest SP:
    if [ -x "/usr/bin/package-cleanup" ]; then
        package-cleanup -y --oldkernels --count=1
    fi
    yum -y clean all
    rm -rf /var/cache/yum/*
    yum -y check-update
    yum -y update
    yum -y clean all
    shutdown -r now

EPEL - Extra Packages for Enterprise Linux
    VER=$(rpm --eval %{rhel})
    yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-${VER}.noarch.rpm
    rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-${VER}

IUS - Inline with Upstream Stable
    VER=$(rpm --eval %{rhel})
    yum -y install https://repo.ius.io/ius-release-el${VER}.rpm
    rpm --import /etc/pki/rpm-gpg/IUS-COMMUNITY-GPG-KEY
    yum -y install yum-plugin-replace
    #yum replace php --replace-with php73u

RHEL6 to RHEL7
This is the procedure to upgrade from RHEL6 to RHEL7:

 * Get the latest packages:
    yum update -y

 * Enable the Extras and Optional repositories:
    subscription-manager repos --enable rhel-6-server-extras-rpms
    subscription-manager repos --enable rhel-6-server-optional-rpms

 * Install upgrade tools:
    yum install -y preupgrade-assistant preupgrade-assistant-el6toel7 redhat-upgrade-tool yum-utils

 * Identify potential upgrade problems before upgrade:
    preupg

 * Start the upgrade:
    redhat-upgrade-tool --network 7.6 --instrepo https://www.example.com/pub/rhel76/

 * Reboot the system:
    shutdown -r now

 * Subscribe to default repos:
    subscription-manager repos --enable rhel-7-server-extras-rpms
    subscription-manager repos --enable rhel-7-server-supplementary-rpms
    subscription-manager repos --enable rhel-7-server-optional-rpms

 * Remove unsupported packages:
    yum remove -y ConsoleKit-libs ConsoleKit-x11 MAKEDEV PyXML atmel-firmware b43-fwcutter b43-openfwwf busybox cas cloog-ppl compat-xcb-util dash dmz-cursor-themes fakeroot fakeroot-libs gnome-themes gtk2-engines hal-info hal-libs ipw2100-firmware ipw2200-firmware lcms-libs libc-client libertas-usb8388-firmware libgcj libgssglue libmcpp libnih libwnck mcpp mesa-dri1-drivers pcmciautils plymouth-theme-rings ppl python-crypto python-iwlib python-simplejson pyxf86config subscription-manager-firstboot system-config-network-tui system-gnome-theme system-icon-theme wacomexpresskeys wdaemon wireless-tools xorg-x11-drv-acecad xorg-x11-drv-aiptek xorg-x11-drv-ast xorg-x11-drv-cirrus xorg-x11-drv-fpit xorg-x11-drv-hyperpen xorg-x11-drv-mga xorg-x11-drv-mutouch xorg-x11-drv-penmount zd1211-firmware

 * Check for dependency problems:
    yum check dependencies

 * Get the latest packages:
    yum update -y

 * Upgrade GRUB Legacy to GRUB 2:
    yum remove -y grub
    yum install -y grub2
    if [ ! -f "/etc/default/grub" ]; then
    cat > /etc/default/grub <<\EOF
    GRUB_TIMEOUT=5
    GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
    GRUB_DEFAULT=saved
    GRUB_DISABLE_SUBMENU=true
    GRUB_TERMINAL_OUTPUT="console"
    GRUB_CMDLINE_LINUX="rhgb quiet"
    GRUB_DISABLE_RECOVERY="true"
    EOF
        # Carry over the rd.lvm.lv= arguments of the running kernel
        GRUB_LVM=$(cat /proc/cmdline | tr ' ' '\n' | grep "^rd.lvm.lv=" | tr '\n' ' ')
        if [ -n "${GRUB_LVM}" ]; then
            # "|" as sed delimiter: rd.lvm.lv=VG/LV values contain "/"
            sed -i "s|^GRUB_CMDLINE_LINUX=\"|GRUB_CMDLINE_LINUX=\"${GRUB_LVM} |g" /etc/default/grub
        fi
    fi
    if [ -f "/boot/efi/EFI/redhat/grub.cfg" ]; then
        grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
    else
        grub2-mkconfig -o /boot/grub2/grub.cfg
    fi
    grub2-install /dev/sda

 * Reboot the system:
    shutdown -r now

RHEL7 to RHEL8
This is the procedure to upgrade from RHEL7 to RHEL8:

 * Get the latest packages:
    yum update -y

 * Enable the Extras and Optional repositories:
    subscription-manager repos --enable rhel-7-server-extras-rpms
    subscription-manager repos --enable rhel-7-server-optional-rpms

 * Install leapp utility:
    yum install -y leapp leapp-repository

 * Identify potential upgrade problems before upgrade:
    leapp preupgrade

 * Start the upgrade:
    leapp upgrade

 * Reboot the system:
    shutdown -r now

Convert CentOS to RHEL
This is the procedure to convert a CentOS 7 system to RHEL 7:

 * Get the latest packages:
    yum update -y

 * Check for dependency problems:
    yum check dependencies

 * Remove conflicting packages:
    yum remove -y abrt python3-devel

 * Add RHEL DVD as repository:
    mount -t iso9660 -o ro /dev/cdrom /mnt
    echo '[rhel-dvd]
    name=Red Hat Enterprise Linux $releasever - $basearch - DVD
    baseurl=file:///mnt/
    enabled=1
    gpgcheck=0' > /etc/yum.repos.d/rhel-dvd.repo
    yum clean all

 * Install convert2rhel utility:
    yum install -y convert2rhel

 * Start the conversion:
    convert2rhel --variant=Server --disable-submgr --disablerepo "*" --enablerepo rhel-dvd --no-rpm-va

 * If the conversion fails, run the following command:
    yum distro-sync #--skip-broken

 * Fix EFI boot:
    if [ -d "/boot/efi/EFI/centos" ]; then
        mv /boot/efi/EFI/centos/grub* /boot/efi/EFI/redhat/
        rmdir /boot/efi/EFI/centos
        cp -pr /boot/efi/EFI/redhat /boot/efi/EFI/centos
    fi

 * Reboot the system:
    shutdown -r now

 * Register the system:
    mount -t iso9660 -o ro /dev/cdrom /mnt
    yum install -y subscription-manager
    subscription-manager register
    subscription-manager refresh

 * Attach a subscription:
    subscription-manager attach --auto

 * Enable common repositories:
    subscription-manager repos --enable rhel-7-server-extras-rpms
    subscription-manager repos --enable rhel-7-server-optional-rpms
    subscription-manager repos --enable rhel-7-server-supplementary-rpms
    subscription-manager repos --enable rhel-7-server-thirdparty-oracle-java-rpms
    yum repolist

 * Remove the DVD repository:
    umount /mnt
    rm -f /etc/yum.repos.d/rhel-dvd.repo
    yum clean all

 * Reinstall the previously removed packages:
    yum install -y abrt abrt-tui #python3-devel

 * Check for dependency problems:
    yum check dependencies

 * Get the latest packages:
    yum update -y

 * Reboot the system:
    shutdown -r now

SELinux
To view the context of a file or directory:
    ls -dZ PATH

To reset the context of a file or directory:
    restorecon -RF "PATH"

To view all defined contexts:
    semanage fcontext -l

To define a new context:
    semanage fcontext -a -t TYPE_t "PATH(/.*)?"

To display the SELinux booleans:
    getsebool -a

To set an SELinux boolean:
    setsebool -P BOOLEAN 1

To view all defined ports:
    semanage port -l

To check what is blocked by SELinux:
    ausearch --interpret --success no

To verify the need to create policy rules:
    cat /var/log/audit/audit.log | audit2why

To create a module containing policy rules:
    mkdir -p /etc/semodules
    cd /etc/semodules
    grep PROBLEM /var/log/audit/audit.log | audit2allow -M PROBLEM
    semodule -i /etc/semodules/PROBLEM.pp
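
Added example (not part of the original page): a triage of the AVC denials in audit.log before a module is generated with audit2allow, so that denials caused by a wrong port or file label are handled with the semanage and restorecon commands above instead of a new policy rule. The function names, the HINT column and the sample log lines are assumptions of this sketch.

```shell
#!/bin/sh
# Output per distinct denial: COUNT COMM SOURCE_TYPE TARGET_TYPE CLASS PERMS HINT
# HINT is a heuristic for where to look first (an assumption of this sketch):
#   port-label  compare with "semanage port -l"
#   file-label  compare with "ls -dZ PATH" and "semanage fcontext -l", then restorecon
#   review      read the audit2why explanation and the booleans from "getsebool -a"
avc_triage() {
    awk '
    / avc: / && / denied / {
        comm = src = tgt = cls = ""
        perms = $0                          # permissions sit between "{" and "}"
        sub(/^[^{]*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        gsub(/ /, ",", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        if (cls ~ /_socket$/ && perms ~ /name_(bind|connect)/) hint = "port-label"
        else if (cls ~ /^(file|dir|lnk_file)$/)                hint = "file-label"
        else                                                   hint = "review"
        count[comm " " src " " tgt " " cls " " perms " " hint]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample (not taken from a real host): two port denials, one file
# denial, and one non-AVC record that must be ignored.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.123:101): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8099 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=49 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000005.001:107): avc:  denied  { name_bind } for  pid=1301 comm="httpd" src=8099 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000009.456:112): avc:  denied  { read } for  pid=1301 comm="httpd" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

sample_audit_log | avc_triage
```

On a real host the input would be /var/log/audit/audit.log; only the denials left in the "review" bucket after relabeling are candidates for audit2allow.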

Compliance
To list the available profiles:
    VER=$(rpm --eval %{rhel})
    oscap info /usr/share/xml/scap/ssg/content/ssg-rhel${VER}-ds.xml | egrep "Title: |_profile_"

    Title: Protection Profile for General Purpose Operating Systems
        Id: xccdf_org.ssgproject.content_profile_ospp
    Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
        Id: xccdf_org.ssgproject.content_profile_pci-dss
    Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
        Id: xccdf_org.ssgproject.content_profile_stig
    Title: Australian Cyber Security Centre (ACSC) Essential Eight
        Id: xccdf_org.ssgproject.content_profile_e8

To evaluate a profile (e.g. PCI-DSS):
    VER=$(rpm --eval %{rhel})
    oscap xccdf eval \
        --profile xccdf_org.ssgproject.content_profile_pci-dss \
        --results /tmp/pci-scan-xccdf-results_$(hostname -s).xml \
        --report /tmp/pci-scan-xccdf-results_$(hostname -s).html \
        --fetch-remote-resources \
        /usr/share/xml/scap/ssg/content/ssg-rhel${VER}-ds.xml
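
Added example (not part of the original page): listing the failed rules from the file written by --results, worst severity first, so that the scan can feed a ticket or a pipeline check instead of only the HTML report. The function names and the sample results are assumptions of this sketch, and the rule ids in the sample are constructed.

```shell
#!/bin/sh
# Assumes the layout oscap writes with --results: unprefixed <rule-result> and
# <result> elements, each opening tag on its own line.
# Output per failed rule: SEVERITY RULE_ID
xccdf_failed_rules() {
    awk '
    /<rule-result / {
        id = ""; sev = "unknown"
        if (match($0, /idref="[^"]*"/))    id  = substr($0, RSTART + 7,  RLENGTH - 8)
        if (match($0, /severity="[^"]*"/)) sev = substr($0, RSTART + 10, RLENGTH - 11)
    }
    /<result>/ && id != "" {
        res = $0
        gsub(/.*<result>|<\/result>.*/, "", res)    # keep only the outcome word
        if (res == "fail") {
            rank = 4                                # unknown severity sorts last
            if (sev == "high") rank = 1
            else if (sev == "medium") rank = 2
            else if (sev == "low") rank = 3
            print rank, sev, id
        }
        id = ""                                     # one outcome per rule-result
    }' | sort -k1,1n -k3 | cut -d" " -f2-
}

# Constructed sample results (rule ids and outcomes are illustrative only).
sample_results() {
    cat <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_sample">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sample_audit_enabled" role="full" severity="medium" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sample_password_minlen" role="full" severity="medium" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sample_ssh_root_login" role="full" severity="high" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sample_telnet_removed" role="full" severity="low" weight="1.000000">
    <result>notselected</result>
  </rule-result>
</TestResult>
EOF
}

sample_results | xccdf_failed_rules
```

On a scanned host the input is the /tmp/pci-scan-xccdf-results_*.xml file from the command above. oscap xccdf eval exits with status 2 when at least one rule fails, so a wrapper script should not treat that status as a tool error.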

Links

 * Product Documentation for Red Hat Enterprise Linux
 * Red Hat Product Downloads
 * Red Hat Subscription Management
 * Red Hat Insights
 * Red Hat CVE Database
 * Anaconda's documentation