Why and How to hard the RHEL OS

 Why ?

In Linux Red-hat OS system in order to comply to the certain policies you will need to configure the password in certain levels , in RHCSA it doesn’t covered all kind of these aspects to reach all kind of hardening , below are the main password things I think you may be need to set all required aspects in the matter.

How ?

Below are commands in CLI to configure the:

1- To check telnet server is not installed ( only client is allowed) :

rpm -qa telnet

telnet-0.17-73.el8_1.1.x86_64

 2- To disable the Root SSH login directly (change or check) parameter “PermitRootLogin” is no:

# vim /etc/ssh/sshd_config

PermitRootLogin no

 3- To set the SSH maximum concurrent sessions for all and specific user , for example all users 2 maximum and admin 5 sessions  :

# vim /etc/security/limits.conf

*                -       maxlogins       2

admin            -       maxlogins       5

 

4- To set the password’s strength against a set of rules, Red-hat have the “pam_pwquality” module to be used for this matter, the PAM-aware (Pluggable Authentication Modules) will affect passwd command while user change the password.

 

To set minimum length of password as example :

Length not less than 8 + have upper case + lowercase + other character

minlen = minum length of password

dcredit = credit for having required digits in password

ucredit =  credit for having uppercase characters in password .

lcredit = credit for having lowercase characters in password

# vim /etc/security/pwquality.conf

# The new password is rejected if it fails the check and the value is not 0.

enforcing = 1

ucredit = -1

lcredit = -1

minlen = 8

dcredit = -1

 

5- To setup the lock account after 6 failed tried and unlock it after 30 minutes or success login rest these number as below :

 

vi /etc/pam.d/system-auth

## After this line :

auth        [default=1 ignore=ignore success=ok]         pam_localuser.so

 

auth        required      pam_faillock.so preauth silent unlock_time=1800 deny=6

auth        sufficient                                   pam_unix.so  try_first_pass

auth        [default=die] pam_faillock.so authfail unlock_time=1800 deny=6

auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular

# make sure to pam_faillok.so

account     required      pam_faillock.so

account     required                                     pam_unix.so

## to remember password last 4 times:

password    requisite                                    pam_pwquality.so try_first_pass local_users_only

password    requisite                                    pam_pwhistory.so remember=4 use_authtok

password    sufficient                                   pam_unix.so sha512 shadow  try_first_pass use_authtok remember=4

## another file is :

vi /etc/pam.d/password-auth

auth        required      pam_faillock.so preauth silent unlock_time=1800 deny=6

auth        sufficient                                   pam_unix.so  try_first_pass

auth        [default=die] pam_faillock.so authfail unlock_time=1800 deny=6

auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular

auth        sufficient                                   pam_sss.so forward_pass

auth        required                                     pam_deny.so

 

account     required      pam_faillock.so

account     [default=bad success=ok user_unknown=ignore] pam_sss.so

account     required                                     pam_permit.so

 

password    requisite                                    pam_pwquality.so try_first_pass local_users_only

password    requisite                                    pam_pwhistory.so remember=4 use_authtok

password    sufficient                                   pam_unix.so sha512 shadow  try_first_pass use_authtok remember=4

6- If you use 8.2 and above use the new recommended approach as per RHEL article as below (from RHEL article) :

1. List available profiles:

# authselect list

2. List current profile and features enabled:

# authselect current

3. Backup the current profile/changes:

# authselect apply-changes -b --backup=sssd.backup

4. Create new custom profile name password-policy copied from existing profile sssd:

#  authselect create-profile password-policy -b sssd

Newly created profile will be available at location: /etc/authselect/custom/password-policy/

5. Set new custom profile as current profile:

# authselect select custom/password-policy

# authselect current

6. To enable features for example, to create home directory on user login if not already present and to enable account lockout using faillock, run these commands:

# authselect enable-feature with-mkhomedir

# authselect enable-feature with-faillock

7. Make desired/custom changes in global PAM config files system-auth and password-auth available under custom profile directory /etc/authselect/custom/password-policy/. Once changes are made apply them with command:

# authselect apply-changes

Confirm if changes are written to the files.

1. Keep history of used passwords (the number of previous passwords which cannot be reused).

• Insert the following line in /etc/authselect/custom/password-policy/system-auth and /etc/authselect/custom/password-policy/password-auth files (after pam_pwquality.so line:

password    requisite     pam_pwhistory.so remember=5 use_authtok

2. Enforce root for password complexity.

• Insert/append the following option in pam_pwquality.so line under password section in /etc/authselect/custom/password-policy/system-auth and /etc/authselect/custom/password-policy/password-auth files:

enforce_for_root

Note: After making the changes, authselect apply-changes needs to be run so that changes can take effect.

SHOW PARAMTER columns format in SQLPLUS

 

Why ?

In SQL-Plus utility you may have a values listed in short two lines and while you try the normal set linesize xxx or set pagesize xxx then the column name format axx with name , type or value column of the show parameter , it doesn’t affected , this is because these column names is differ from what you see in screen. Below is the default value in oracle sqlplus :

- Defaults for SHOW PARAMETERS
COLUMN name_col_plus_show_param FORMAT a36 HEADING NAME
COLUMN value_col_plus_show_param FORMAT a30 HEADING VALUE

How ?

Below are commands in sqlplus to edit the name , type or value of show parameter for sga as example  :

1- to check the value of sga:

SQL> show parameter sga

NAME                           TYPE

------------------------------ ------------------------------

VALUE------------------------------

lock_sga                       boolean

FALSE

pre_page_sga                   boolean

FALSE

sga_max_size                   big integer

300M

sga_target                     big integer0

 2- To set the parameter column format as below (change the number as needed) :

SQL> column NAME_COL_PLUS_SHOW_PARAM format A20

SQL> column TYPE format A20

SQL> column VALUE_COL_PLUS_SHOW_PARAM format A20

 3- check the format layout after that :

SQL> show parameter sga

NAME                 TYPE                 VALUE

-------------------- -------------------- --------------------

lock_sga             boolean              FALSE

pre_page_sga         boolean              FALSE

sga_max_size         big integer          300M

sga_target           big integer          0

Why and How to Monitoring user DBSNMP will expire in xx hours

 

 Why ?

Each user in oracle is assigned with a password and password has a lot of details, these details may be configured in profile, this profile can be link with function if needed to fulfill all complexity required. One of these is lifetime limit, if you have a limit in profile assigned to your user then you will be prompted in OEM that user xxx will be expired in xxx hour, this is based on your OEM configuration. To renew this time limit you can just re-enter the password or you may create new profile to unlimited or new time period as needed.

How ?

Below are commands in sqlplus to check and update the password for dbsnmp user for example  :

1- to check the user expiration date use:

SQL> set linesize 200

SQL> col username format a30

SQL> select USERNAME,EXPIRY_DATE from dba_users where username="DBSNMP" ;

2- you can renew the password age by re-enter a same or new password as below :

alter user dbsnmp identified by ‘password’ ;

Why and How to copy file from ASM to filesystem and from filesystem to ASM

 

 Why ?

If you are using oracle ASM filesystem you will need to copy files from non ASM ( normal filesystem) to ASM file system, ASM will be used in RAC GRID and RAC one node DB. Revert is true as well .

How ?

Below are commands to copy files from ASM to filesystem and from filesystem to ASM  :

1- To copy files from ASM to filesystem use the below:

ASMCMD> cp +DATA/ORCL/FILE /path/to/filesytem/orcl_xyz.dbf_tmp                                       

copying +DATA/ORCL/FILE /path/to/filesytem/orcl_xyz.dbf_tmp

2- To copy file from filesystem to ASM use the below:

ASMCMD> cp /path/to/filesytem/orcl_xyz.dbf_tmp '+DATA/ORCL/FILE'

copying /path/to/filesytem/orcl_xyz.dbf_tmp +DATA/ORCL/FILE

Why and How to install/update tomcat 9 in Linux

 

** This is applicable in Linux environment (red hat , Centos , Amazon linux ..etc) .

 Why ?

Tomcat will allow you to run a web server and Servlet container. So, if you have an application needs to run in this platform and a free web server needed , you will go to install tomcat as a most common in this matter.

How ?

Below are most brief commands you may need to use in install tomcat 9 in Redhat / Centos 7 & 8  :

1- download tomcat files from tomcat website (you may use “wget” if interned open in server) and upload it to your server and create a tomcat service user as below:

groupadd -g 53 -r tomcat
useradd -c "tomcat" -u 53 -g tomcat -s /bin/sh -r tomcat

 2- unzip/untar the file to your installation path, I will use
(/app/tomcat) and setup permissions:

mkdir -p /app/tomcat

tar -xf apache-tomcat-9.0.40.tar.gz -C /app/tomcat

chown -R tomcat:tomcat /app/tomcat/

chmod -R u+X /app/tomcat/

3- Check/Install and configured whether java 11 or java 8

java -version

yum install java-11-openjdk

alternatives --config java

4- Create systemd service to manage tomcat9 (sample configuraiont)

 vim /etc/systemd/system/tomcat9.service

[Unit]

Description=Tomcat 9 servlet container

After=network.target

[Service]

Type=forking

User=tomcat

Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/jre"

# you may need to set below if application use the below

# import java.security.SecureRandom;

Environment="JAVA_OPTS=-Djava.security.egd=file:/dev/./urandom"

Environment="CATALINA_BASE=/app/tomcat"

Environment="CATALINA_HOME=/app/tomcat"

Environment="CATALINA_PID=/app/tomcat/temp/tomcat.pid"

Environment="CATALINA_OPTS=-Xms512M -Xmx2048M -server -XX:+UseParallelGC"

ExecStart=/app/tomcat/bin/startup.sh

ExecStop=/app/tomcat/bin/shutdown.sh

[Install]

WantedBy=multi-user.target

---------

systemctl daemon-reload

systemctl enable --now tomcat9

5- configure your tomcat 9 :

/app/tomcat/conf (server.xml , web.xml ..etc)

/app/tomcat/webapps # (put your application files)

systemctl restart tomcat9.service

systemctl status tomcat9.service