CentOS/RedHat Tips

停用不必要的服務 
 CentOS 7/8: secure-linux.sh 
 #!/usr/bin/env bash
# Author: A.Lang(alang.hsu[AT]gmail.com)
# File: secure-linux.sh
# Created by 2019/3/1
#
#
SVC_LIST="
############# Start #############
#
## bluetooth services
bluetooth

## SELinux
auditd

## Disk Monitoring
smartd

## Linux Virtualization with KVM
libvirtd

## ABRT - Automatic Bug Reporting Tool
abrtd
abrt-ccpp

## More Services
firewalld
avahi-daemon
#chronyd
cups
autofs
#
#
############# End #############
"

# function report_result <service name> <status>
report_result() {
 printf "%20s ..................%s\n" "$1" "[$2]"
}

## Main program
#echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d'
echo
echo "The following services will be disabled:"
echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d' | while read name
do
 chkconfig $line off 2>/dev/null
 systemctl disable $name 2>/dev/null
 if [ $? -eq 0 ]; then
 report_result $name "OK"
 else
 report_result $name "**"
 fi
done

## Disable SELinux
SVC="SELinux"
sed -i 's/SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config 2>/dev/null
if [ $? -eq 0 ]; then
 report_result $SVC "OK"
else
 report_result $SVC "**"
fi

echo "All done, please reboot NOW." 
 CentOS 6: secure-linux.sh 
 #!/usr/bin/env bash
# Author: A.Lang(alang.hsu[AT]gmail.com)
# File: secure-linux.sh
# Created by 2011-11-27
# Updated by 2016-11-2
#
SVC_LIST="
############# Start #############
#
## Disable if the system is ACPI capable
apmd

## bluetooth services
bluetooth
hidd

## IR device
irda

## only needed the first time a system is configured
firstboot
readahead_early

## SELinux
auditd
setroubleshoot

## Disk Monitoring
smartd

## More Services
anacron
avahi-daemon
avahi-daemon
cups
isdn
ip6tables
iptables
iscsi
iscsid
mcstrans
pcscd
autofs
yum-updatesd
NetworkManager
#
#
############# End #############
"

# function report_result <service name> <status>
report_result() {
 printf "%20s ..................%s\n" "$1" "[$2]"
}

## Main program
#echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d'
echo
echo "The following services will be disabled:"
echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d' | while read line
do
 chkconfig $line off 2>/dev/null
 if [ $? -eq 0 ]; then
 report_result $line "OK"
 else
 report_result $line "**"
 fi
done

## Disable SELinux
SVC="SELinux"
sed -i 's/SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config 2>/dev/null
if [ $? -eq 0 ]; then
 report_result $SVC "OK"
else
 report_result $SVC "**"
fi

echo "All done, please reboot NOW." 
 Remove virbr0 network interface 
 Case 1: Not using libvirtd service and virbr0 interface 
 # Stop and Disable the service
systemctl stop libvirtd.service
systemctl disable libvirtd.service

# Reboot the host to remove the virbr0 interface
systemctl reboot 
 Case 2: Using libvirtd and dont want "virbr0" 
 # List the default network set-up for the virtual machines
virsh net-list

Name State Autostart Persistent
----------------------------------------------------------
default active yes yes

# Destroy the network default.
virsh net-destroy default

Network default destroyed

# Permanently remove the default vitual network from the configuration.
virsh net-undefine default

Network default has been undefined

# The interface virbr0 is now gone. You can verify it in the ifconfig or ip command output.
ifconfig virbr0

virbr0: error fetching interface information: Device not found 
 Case 3: Removing virbr0 interface on running machines ( non-persistence across reboots ) 
 # First, list out the virtual bridge interfaces available on the system using the below command.
brctl show

bridge name bridge id STP enabled interfaces
virbr0 8000.5254003008b6 yes virbr0-nic

# Make the bridge interface down before removal.
ip link set virbr0 down

# Now, remove the bridge
brctl delbr virbr0

# check if the bridge is removed
brctl show

bridge name bridge id STP enabled interfaces 
 Removing lxcbr0 interface 
 # change the below line in /etc/sysconfig/lxc. This will be effective after reboot. change the line from

USE_LXC_BRIDGE="true"
# to
USE_LXC_BRIDGE="false"

# remove the lxcbr0 bridge interface for the running system
brctl show
ip link set lxcbr0 down
brctl delbr lxcbr0
brctl show 
 New Changes to RedHat 9 
 Official: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/considerations_in_adopting_rhel_9/assembly_security_considerations-in-adopting-rhel-9   
 
 SSH from RHEL 9 to RHEL 6 systems does not work 
 The following algorithms are disabled in the LEGACY, DEFAULT and FUTURE crypto policies provided with RHEL 9:
 
 TLS older than version 1.2 (since RHEL 9, was < 1.0 in RHEL 8) 
 DTLS older than version 1.2 (since RHEL 9, was < 1.0 in RHEL 8) 
 DH with parameters < 2048 bits (since RHEL 9, was < 1024 bits in RHEL 8) 
 RSA with key size < 2048 bits (since RHEL 9, was < 1024 bits in RHEL 8) 
 DSA (since RHEL 9, was < 1024 bits in RHEL 8) 
 3DES (since RHEL 9) 
 RC4 (since RHEL 9) 
 FFDHE-1024 (since RHEL 9) 
 DHE-DSS (since RHEL 9) 
 Camellia (since RHEL 9) 
 ARIA 
 SEED 
 IDEA 
 Integrity-only cipher suites 
 TLS CBC mode cipher suites using SHA-384 HMAC 
 AES-CCM8 
 All ECC curves incompatible with TLS 1.3, including secp256k1 
 IKEv1 (since RHEL 8) 
 
 
 SCP not supported in RHEL 9 
 OpenSSH root password login disabled by default 
 GnuTLS no longer supports TPM 1.2 
 Support for disabling SELinux through /etc/selinux/config has been removed. If your scenario requires disabling SELinux, add the selinux=0 parameter to your kernel command line. 
 Network teams are deprecated 
 RHEL 9 does not contain the network-scripts package that provided the deprecated legacy network scripts in RHEL 8. To configure network connections in RHEL 9, use NetworkManager . 
 
 sosreport 系統診斷工具 
 Redhat/CentOS 從 4.6 以後版本，都內建這個指令，一旦系統需要故障排除時，可以透過這指令蒐集系統的各項資訊，然後提供給專家做分析用。 
 基本用法： 
 # 安裝 sosreport 如果沒安裝時
yum install sos

# 蒐集系統資訊
#sosreport
# NOTE: 過程中會耗時幾分鐘時間，而且會使用到目錄 /tmp，指令完成後會產生一個 sosreport-*.tar.bz2 檔案。
# Updated by 2023/2/1
# 從 RHEL 8 起，以下指令取代了 sosreport，而且輸出位置改成 /var/tmp。
sos report

# 指定暫存檔目錄，某些情況預設的 /tmp 空間不足時可改用此指令
sos report --tmp-dir /path/to/directory

## 進階用法
# 列出所有支援的 plugins
sos report -l

# 排除特定 plugins 不蒐集
sos report -n kvm,amd 
 
 sosreport 更多用法可以參閱 https://access.redhat.com/solutions/3592 。 
 
 專家：如何分析這個資訊 
 
 解開檔案後，目錄 sos_reports 內有一個 sosreport.html 網頁，開啟後可以透過網頁搜尋方式，快速找到各項的系統資訊。 
 xsos - Github 的專案 
 
 RedHat Linux 原機升級 
 
 What are RHEL in-place upgrades? (redhat.com) 
 
 FAQ 
 setlocale error 
 
 -bash: warning: setlocale: LC_CTYPE: cannot change locale (zh_TW.big5): No such file or directory -bash: warning: setlocale: LC_CTYPE: cannot change locale (zh_TW.big5): No such file or directory 
 
 檢查系統是否已支援語系 zh_TW.big5 
 locale -a | grep zh_TW.big5 
 如果沒有，安裝以下套件 
 yum install glibc-all-langpacks.x86_64 
 驗證時帳號需登出再登入。 
 RHEL8: Stopping the message when ssh login to the host 
 
 Activate the web console with: systemctl enable --now cockpit.socket 
 
 Solution: 
 ln -sfn /dev/null /etc/motd.d/cockpit 
 Systemd messages: Created slice, Starting Session 
 新裝的系統 /var/log/messages 會出現大量的以下日誌： 
 Jul 24 08:50:01 example.com systemd: Created slice user-0.slice. Jul 24 08:50:01 example.com systemd: Starting Session 150 of user root. Jul 24 08:50:01 example.com systemd: Started Session 150 of user root. Jul 24 09:00:01 example.com systemd: Created slice user-0.slice. Jul 24 09:00:02 example.com systemd: Starting Session 151 of user root. Jul 24 09:00:02 example.com systemd: Started Session 151 of user root.  
 原因：這些訊息是正常現象。只要任何帳號登入或有 Cron job 被執行就會有類似的日誌。官方文件： Logs flooded with systemd messages: Created slice, Starting Session - Red Hat Customer Portal 
 解決：如果想抑制(suppress)這類訊息，有很多方法可以達到，其中之一是使用 rsyslog，步驟如下： 
 echo 'if $programname == "systemd" and ($msg contains "Starting Session" or $msg contains "Started Session" or $msg contains "Created slice" or $msg contains "Starting user-" or $msg contains "Starting User Slice of" or $msg contains "Removed session" or $msg contains "Removed slice User Slice of" or $msg contains "Stopping User Slice of") then stop' >/etc/rsyslog.d/ignore-systemd-session-slice.conf

systemctl restart rsyslog 
 useradd errors 
 執行 useradd 時，雖然帳號新增成功但會出現告警： 
 [sss_cache] [sysdb_domain_cache_connect] (0x0010): DB version too old [0.23], expected [0.24] for domain implicit_files! Higher version of database is expected! In order to upgrade the database, you must run SSSD. Removing cache files in /var/lib/sss/db should fix the issue, but note that removing cache files will also remove all of your cached credentials. Could not open available domains 
 Solution: 
 
 KB: https://access.redhat.com/solutions/7031304   
 
 systemctl stop sssd ; rm -f /var/lib/sss/db/* ; systemctl start sssd