Installing RHEL/CentOS 7

This topic explains how to install RHEL/CentOS 7 on a physical server or virtual machine. All steps are mandatory unless otherwise indicated.

  1. Install a minimum configuration of RHEL/CentOS 7.

    1. Do not install any custom packages.

    2. Select a minimum partition layout.

    3. Set SELinux to disabled.

  2. After the installation is complete, run:

    [centos7]# systemctl stop firewalld
    [centos7]# systemctl disable firewalld
    [centos7]# yum clean all
    [centos7]# yum update -y
  3. Reboot the system.

    [centos7]# reboot
  4. After the system reboots, install the epel-release RPMs.

    CentOS 7:

    # yum install -y epel-release

    RHEL 7:

    Follow the directions on the EPEL website to install the epel-release package appropriate to the RHEL version of the system.

  5. Install Apache 2.4.6 with the required packages.

    # yum install -y apr-util-ldap httpd httpd-tools mod_ldap mod_ssl

  6. Install the yum-utils package for managing the yum repositories.

    # yum install -y yum-utils

  7. Install the PostgreSQL 11 packages.

    1. Go to the PostgreSQL package download site http://yum.postgresql.org/repopackages.php and download the appropriate RPM:

      • RHEL 7: Red Hat Enterprise Linux 7 - x86_64
      • CentOS 7: CentOS 7 - x86_64

    2. Install the downloaded PostgreSQL 11 RPMs.

      [centos7]# yum install postgresql11-contrib.x86_64 postgresql11-libs.x86_64 postgresql11-plpython.x86_64 postgresql11-server.x86_64 postgresql11.x86_64

  8. Install the Remi release RPMs for PHP 7.4.

    # rpm -Uvh https://rpms.remirepo.net/enterprise/remi-release-7.rpm

  9. Enable only the PHP 7.4 repository from all Remi repositories.

    [centos7]# yum-config-manager --disable 'remi-php*'
    [centos7]# yum-config-manager --enable remi-php74

  10. Install PHP 7.4 with its dependency packages.

    [centos7]# yum --disablerepo="*" --enablerepo=epel --enablerepo=remi-php74 install -y libsodium php php-cli php-common php-json php-sodium

  11. (Optional) Install Telnet.

    [centos7]# yum install telnet

  12. (Optional) For maximum security, Tufin recommends removing the following packages:

    [centos7]# yum remove -y alsa-firmware alsa-lib alsa-tools-firmware ivtv-firmware iwl1000-firmware iwl100-firmware iwl105-firmware iwl135-firmware iwl2000-firmware iwl2030-firmware iwl3160-firmware iwl3945-firmware iwl4965-firmware iwl5000-firmware iwl5150-firmware iwl6000-firmware iwl6000g2a-firmware iwl6000g2b-firmware iwl6050-firmware iwl7260-firmware iwl7265-firmware

  13. Install compatibility arch support.

    [centos7]# yum --setopt=protected_multilib=false install -y elfutils-libs.i686 libcurl.i686 libgcc.i686 openssl-libs.i686 pam.i686 zlib.i686 libuuid.i686
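The following script is an added example and is not part of the Tufin guide. It checks that a host ends up in the package state the install steps above are meant to produce: every package from the yum install commands is present, the i686 compatibility libraries are installed, and the firmware packages the guide recommends removing are gone. It reads a list of installed "name.arch" entries from a file (on a real host, generated with `rpm -qa --qf '%{NAME}.%{ARCH}\n'`), so the same functions can be exercised against a constructed sample; the package names are taken from the guide's commands, the file name and function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Tufin guide: verify the package state the
# install steps above should leave behind. The functions read a list of
# installed "name.arch" entries from a file; on a real host generate it with
#   rpm -qa --qf '%{NAME}.%{ARCH}\n' > /tmp/installed.txt
# so the same checks can also run against a constructed sample.

# Package names taken from the yum install commands in the guide.
REQUIRED_PKGS="epel-release apr-util-ldap httpd httpd-tools mod_ldap mod_ssl yum-utils
postgresql11-contrib postgresql11-libs postgresql11-plpython postgresql11-server postgresql11
libsodium php php-cli php-common php-json php-sodium"

# Compatibility libraries, with the architecture the guide installs.
COMPAT_PKGS="elfutils-libs.i686 libcurl.i686 libgcc.i686 openssl-libs.i686 pam.i686 zlib.i686 libuuid.i686"

# Packages the guide recommends removing.
REMOVED_PKGS="alsa-firmware alsa-lib alsa-tools-firmware ivtv-firmware iwl1000-firmware
iwl100-firmware iwl105-firmware iwl135-firmware iwl2000-firmware iwl2030-firmware
iwl3160-firmware iwl3945-firmware iwl4965-firmware iwl5000-firmware iwl5150-firmware
iwl6000-firmware iwl6000g2a-firmware iwl6000g2b-firmware iwl6050-firmware
iwl7260-firmware iwl7265-firmware"

# Return 0 if PKG is listed in FILE: a "name.arch" entry must match a line
# exactly, a bare name matches that name on any architecture.
_installed() {
    case "$2" in
        *.i686|*.x86_64|*.noarch) grep -qxF -- "$2" "$1" ;;
        *) grep -q -- "^$2\\." "$1" ;;
    esac
}

# Print every package in the remaining arguments that is absent from FILE.
# Returns 1 if anything is missing.
missing_packages() {
    file="$1"; shift
    rc=0
    for pkg in $*; do
        _installed "$file" "$pkg" || { echo "$pkg"; rc=1; }
    done
    return $rc
}

# Print every package in the remaining arguments that is still present in
# FILE. Returns 1 if any of them is.
leftover_packages() {
    file="$1"; shift
    rc=0
    for pkg in $*; do
        _installed "$file" "$pkg" && { echo "$pkg"; rc=1; }
    done
    return $rc
}

# Run all three checks against FILE and report; returns 0 only if all pass.
verify_install() {
    ok=0
    m=$(missing_packages "$1" "$REQUIRED_PKGS") || { ok=1; echo "missing: $m"; }
    c=$(missing_packages "$1" "$COMPAT_PKGS") || { ok=1; echo "missing i686 libs: $c"; }
    l=$(leftover_packages "$1" "$REMOVED_PKGS") || { ok=1; echo "still installed: $l"; }
    return $ok
}

# Demonstration on a constructed installed-package list (not from a real host):
# php-sodium and libuuid.i686 are missing and one firmware package remains.
sample=$(mktemp)
printf '%s\n' epel-release.noarch apr-util-ldap.x86_64 httpd.x86_64 httpd-tools.x86_64 \
    mod_ldap.x86_64 mod_ssl.x86_64 yum-utils.noarch postgresql11.x86_64 \
    postgresql11-contrib.x86_64 postgresql11-libs.x86_64 postgresql11-plpython.x86_64 \
    postgresql11-server.x86_64 libsodium.x86_64 php.x86_64 php-cli.x86_64 \
    php-common.x86_64 php-json.x86_64 elfutils-libs.i686 libcurl.i686 libgcc.i686 \
    openssl-libs.i686 pam.i686 zlib.i686 iwl7260-firmware.noarch > "$sample"
verify_install "$sample" || echo "install verification failed"
rm -f "$sample"
```

The exact-match branch for `name.arch` entries matters because the guide installs the compatibility libraries specifically as i686 packages; a bare `grep libgcc` would be satisfied by the x86_64 copy that is always present.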

Post-install Configurations

  1. Add the host name of your server to the hosts file.

    1. Get the host name of your server.

      [centos7]# hostname

    2. Open the file /etc/hosts using an editing tool.

    3. Add a line with your IP address and hostname in the following format:

      <eth0_ip> <your_hostname>
  2. Configure networking on the operating system.

  3. Check if the audit package is installed correctly, and if necessary manually install the package.

    1. Check if the audit package is installed.

      [centos7]# rpm -q audit

      If the package is installed, the package name will be displayed. Otherwise a message will be displayed that the package is not installed.

    2. If the audit package is installed, check that the audit rules file exists.

      [centos7]# ls -l /etc/audit/audit.rules

      If the file does not exist, the audit package is not installed correctly.

    3. If the audit package is not installed or not installed correctly, install it with the yum or rpm command.

      [centos7]# yum install audit
  4. Review the audit backlog limit.

    1. View the contents of the file /etc/audit/audit.rules and locate the number following -b. For example:

      ## This file is automatically generated from /etc/audit/rules.d
      -D
      -b 4096
      -f 1

    2. If the number following -b is less than 8192, change it to 8192 and restart the service:

      [centos7]# sed -i 's/^[\t ]*-b[\t ]\+.*$/-b 8192/' /etc/audit/audit.rules
      [centos7]# systemctl restart auditd

    3. When the service restarts, check that the value has been updated:

      [centos7]# auditctl -s

      The output should include backlog_limit=8192. For example:

      [centos7]# auditctl -s
      AUDIT_STATUS: enabled=1 flag=1 pid=8794 rate_limit=0 backlog_limit=8192 lost=0 backlog=0
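The script below is an added example and is not part of the Tufin guide. It carries out the backlog-limit step in a checkable way: read the -b value from a rules file, rewrite it to 8192 only when it is missing or lower, and parse the backlog_limit field out of `auditctl -s` output to confirm the running value. The rules-file path and the auditctl text are parameters, so the functions are exercised here on a constructed copy of the example above rather than on /etc/audit; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Tufin guide: check the auditd backlog limit
# (the -b value) in a rules file, raise it to 8192 when it is missing or lower,
# and confirm the value "auditctl -s" reports afterwards. The file path and
# the auditctl output are parameters so the functions can be exercised on a
# constructed sample without touching /etc/audit.

REQUIRED_BACKLOG=8192

# Print the value after -b in the rules file (the last -b line wins, as it
# would when auditctl loads the rules; empty output if there is none).
current_backlog_limit() {
    awk '/^[[:space:]]*-b[[:space:]]+/ { v = $2 } END { print v }' "$1"
}

# Replace every -b line with "-b 8192" (or append one if the file has none)
# when the current value is below REQUIRED_BACKLOG. Returns 0 if the file was
# changed, 1 if it already met the requirement. The rewrite goes through a
# temp file so an interrupted run cannot leave a truncated rules file.
ensure_backlog_limit() {
    rules="$1"
    cur=$(current_backlog_limit "$rules")
    if [ -n "$cur" ] && [ "$cur" -ge "$REQUIRED_BACKLOG" ]; then
        return 1
    fi
    tmp=$(mktemp)
    if [ -n "$cur" ]; then
        awk -v lim="$REQUIRED_BACKLOG" \
            '/^[[:space:]]*-b[[:space:]]+/ { print "-b " lim; next } { print }' \
            "$rules" > "$tmp"
    else
        cat "$rules" > "$tmp"
        echo "-b $REQUIRED_BACKLOG" >> "$tmp"
    fi
    cat "$tmp" > "$rules"   # keeps the owner and mode of the rules file
    rm -f "$tmp"
    return 0
}

# Given the text of "auditctl -s", return 0 if backlog_limit meets the
# requirement. Both the "backlog_limit=N" form shown in the guide and the
# one-field-per-line "backlog_limit N" form of newer audit releases are read.
backlog_limit_ok() {
    limit=$(printf '%s\n' "$1" | sed -n 's/.*backlog_limit[= ]\([0-9][0-9]*\).*/\1/p')
    [ -n "$limit" ] && [ "$limit" -ge "$REQUIRED_BACKLOG" ]
}

# Demonstration on a constructed copy of the guide's example rules file.
demo=$(mktemp)
printf '%s\n' '## This file is automatically generated from /etc/audit/rules.d' \
    '-D' '-b 4096' '-f 1' > "$demo"
if ensure_backlog_limit "$demo"; then
    echo "raised -b to $(current_backlog_limit "$demo")"
fi
rm -f "$demo"

# On a real host (as root):
#   ensure_backlog_limit /etc/audit/audit.rules && systemctl restart auditd
#   backlog_limit_ok "$(auditctl -s)" || echo "backlog_limit still below $REQUIRED_BACKLOG" >&2
```

The header line in the example rules file says the file is generated from /etc/audit/rules.d; if the rules are ever regenerated from that directory, a -b line edited only in audit.rules is replaced by whatever the rules.d files contain, so apply the same change to the rules.d file that carries the -b line.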
  5. Review SSH daemon (SSHd) customizations.

    If you have customized any of the fields AllowUsers, DenyUsers, AllowGroups or DenyGroups in the SSHd configuration file (/etc/ssh/sshd_config), make sure that the SecureTrack user st is:

    • Included in AllowUsers and AllowGroups

    • Not included in DenyUsers and DenyGroups.

  6. Review the authorized key files.

    If you customized the list of authorized key files, check that the following files are included:

    • /var/lib/pgsql/.ssh/
    • /root/st/.ssh/authorized_keys