Contents
1.Disabling SELinux
First, disable selinux. selinux is a feature that improves auditing and security in Linux, but when enabled, it places considerable restrictions on the behavior of services and on what can be configured. Therefore, it is basically disabled in many cases.
SELinux Operation Mode
Enforcing : SELinux functionality is enabled and access control is enabled
Permissive : SElinux will warn, but no access restrictions will be placed
disabled : Both SElinux function and access control are disabled
①Current SELinux status
1 2 |
# getenforce Enforcing |
②Switching to [permissive] mode
1 2 3 |
# setenforce 0 # getenforce Permissive |
③Switching to [enforcing] mode
1 2 3 |
# setenforce 1 # getenforce Enforcing |
④To completely disable SELinux, a reboot is required by adding selinux=0 to the kernel command line as follows
1 2 |
# grubby --update-kernel ALL --args selinux=0 # reboot |
※ To return SELinux to active, do the following (reboot after changes)
1 2 |
# grubby --update-kernel ALL --remove-args selinux # reboot |
2.Modernize the system
Package updates are performed as soon as possible immediately after OS installation.
However, when a dnf update is performed, a kernel update is also performed at the same time.
Performing a kernel update may require rebooting the system or stopping services, or worse, a kernel panic may occur and the system may not boot. It is wiser to exclude the kernel from the update.
By running dnf -y update with "--exclude=kernel*" behind it
kernel can be excluded from the update target.
1 |
# dnf -y update --exclude=kernel* |
3.Services to be stopped due to security measures
1 2 3 4 5 6 7 8 9 10 11 12 |
# systemctl stop atd.service # systemctl disable atd.service # systemctl stop kdump.service # systemctl disable kdump.service # systemctl stop lvm2-monitor.service # systemctl disable lvm2-monitor.service # systemctl stop mdmonitor.service # systemctl disable mdmonitor.service # systemctl stop smartd.service # systemctl disable smartd.service # systemctl stop dm-event.socket # systemctl disable dm-event.socket |
4.Adding Repositories
4.1 Add EPEL repository
1 2 |
# dnf config-manager --set-enabled crb # dnf -y install epel-release |
1 |
# vi /etc/yum.repos.d/epel.repo |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
[epel] name=Extra Packages for Enterprise Linux $releasever - $basearch # It is much more secure to use the metalink, but if you wish to use a local mirror # place its address here. #baseurl=https://download.example/pub/epel/$releasever/Everything/$basearch/ metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch&infra=$infra&content=$contentdir enabled=1 priority=10 # ← Specify priority in the range of 1~99 gpgcheck=1 countme=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever [epel-debuginfo] name=Extra Packages for Enterprise Linux $releasever - $basearch - Debug # It is much more secure to use the metalink, but if you wish to use a local mirror |
4.2 Add Remi's RPM repository
1 2 |
# dnf -y install https://rpms.remirepo.net/enterprise/remi-release-9.rpm # dnf -y config-manager --set-enabled remi |
1 |
# vi /etc/yum.repos.d/remi-safe.repo |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
# This repository is safe to use with RHEL/CentOS base repository # it only provides additional packages for the PHP stack # all dependencies are in base repository or in EPEL [remi-safe] name=Safe Remi's RPM repository for Enterprise Linux 9 - $basearch #baseurl=http://rpms.remirepo.net/enterprise/9/safe/$basearch/ #mirrorlist=https://rpms.remirepo.net/enterprise/9/safe/$basearch/httpsmirror mirrorlist=http://cdn.remirepo.net/enterprise/9/safe/$basearch/mirror enabled=1 priority=10 # ← Specify priority in the range of 1~99 gpgcheck=1 repo_gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi.el9 [remi-safe-debuginfo] name=Remi's RPM repository for Enterprise Linux 9 - $basearch - debuginfo baseurl=http://rpms.remirepo.net/enterprise/9/debug-remi/$basearch/ enabled=0 gpgcheck=1 repo_gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi.el9 |
5.Network Settings(Set on command line)
5.1 Check network device name
1 2 3 4 |
# nmcli dev s DEVICE TYPE STATE CONNECTION ens160 ethernet connected ens160 lo loopback connected (externally) lo |
The network device name can be found as "ens160"
5.2 Host Name Change
Change the host name to Alma to try it out
1 2 3 4 |
# hostnamectl set-hostname Alma Log in again [huong@Alma:~]$ |
5.3 Static IPv4 address configuration
The name of the network interface is "ens160" from 5.1
In Almalinux8, this could be done by rewriting the ifcfg-xxx file in network-scripts, but in Almalinux9
However, in Almalinux9, the contents of the /etc/sysconfig/network-scripts/ directory are empty and this method cannot be used, so use the "nmcli" command to change it.
Change the static IPv4 address to "192.168.11.83".
①Change by "nmcli" command
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
# Fixed IPv4 address setting # nmcli connection modify ens160 ipv4.addresses 192.168.11.83/24 # Gateway Settings # nmcli connection modify ens160 ipv4.gateway 192.168.11.1 # Referenced DNS settings # nmcli connection modify ens160 ipv4.dns 192.168.11.1 # DNS search base settings (own domain name) # nmcli connection modify ens160 ipv4.dns-search alma.korodes.com # Set to fixed IP address assignment # nmcli connection modify ens160 ipv4.method manual # Reboot interface to reflect settings # nmcli connection down ens160; nmcli connection up ens160 Connection 'ens160' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1) Connection successfully activated (D-Bus acti2711kor korove path: /org/freedesktop/NetworkManager/ActiveConnection/2) |
➁Network Settings(Set by GUI)
1 |
# nmtui |
If the default setting is to obtain an IP address via DHCP during OS installation, change the network settings to a fixed IP address if necessary.
In this case, the network interface is named "ens160". Change the static IPv4 address to "192.168.11.83".
Change the address of the IPv4 configuration
5.4 Host Name Change
Change the host name to Lepard
6.Vim Settings
①Install Vim
1 |
# dnf -y install vim-enhanced |
②Apply and reflect Vim
1 2 3 |
# vi ~/.bashrc # Alias appended to the last line alias vi='vim' |
1 |
# source ~/.bashrc |
③Configure Vim as a user-specific environment
1 |
# vi ~/.vimrc |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
" Use vim's own extensions (not compatible with vi) set nocompatible " Specify character code set encoding=utf-8 " Specify file encoding (read from the beginning until success) set fileencodings=utf-8,iso-2022-jp,sjis,euc-jp " Specify the line feed code to be recognized automatically set fileformats=unix,dos " Get Backup set backup " Specify the directory from which to obtain backups set backupdir=~/backup " Number of generations to keep search history set history=50 " Do not distinguish between upper and lower case letters when searching set ignorecase " Mixing capital letters in search terms makes the search case sensitive set smartcase " Highlight words matching your search term set hlsearch " Use incremental search set incsearch " Display line numbers set number " Visualize line breaks ( $ ) and tabs ( ^I ) set list " Highlight corresponding parentheses when entering parentheses set showmatch " No newlines at the end of files set binary noeol " Enable automatic indentation set autoindent " Color-coded display by syntax syntax on " Change color of comment text in case of syntax on highlight Comment ctermfg=LightCyan " Wrap lines by window width set wrap |