Chapter 11. Completing post-installation tasks

This section describes how to complete the following post-installation tasks:

  • Completing initial setup
  • Registering your system

    Note

    Depending on your requirements, there are several methods to register your system. Most of these methods are completed as part of post-installation tasks. However, a registered system is authorized to access protected content repositories for subscribed products through the Red Hat Content Delivery Network (CDN) before the installation process starts.

    See Registering and installing RHEL from the CDN for more information.

  • Securing your system

11.1. Completing initial setup

This section contains information about how to complete initial setup on a Red Hat Enterprise Linux 8 system.

Important
  • If you selected the Server with GUI base environment during installation, the Initial Setup window opens the first time you reboot your system after the installation process is complete.
  • If you registered and installed RHEL from the CDN, the Subscription Manager option displays a note that all installed products are covered by valid entitlements.

The information displayed in the Initial Setup window might vary depending on what was configured during installation. At a minimum, the Licensing and Subscription Manager options are displayed.

Prerequisites

Procedure

  1. From the Initial Setup window, select Licensing Information.

    The License Agreement window opens and displays the licensing terms for Red Hat Enterprise Linux.

  2. Review the license agreement and select the I accept the license agreement checkbox.

    Note

    You must accept the license agreement. Exiting Initial Setup without completing this step causes a system restart. When the restart process is complete, you are prompted to accept the license agreement again.

  3. Click Done to apply the settings and return to the Initial Setup window.

    Note

    If you did not configure network settings, you cannot register your system immediately. In this case, click Finish Configuration. Red Hat Enterprise Linux 8 starts and you can log in, activate access to the network, and register your system. See Subscription manager post installation for more information. If you configured network settings, as described in Network hostname, you can register your system immediately, as shown in the following steps:

  4. From the Initial Setup window, select Subscription Manager.

    Important

    If you registered and installed RHEL from the CDN, the Subscription Manager option displays a note that all installed products are covered by valid entitlements.

  5. The Subscription Manager graphical interface opens and displays the option you are going to register, which is: subscription.rhsm.redhat.com.
  6. Click Next.
  7. Enter your Login and Password details and click Register.
  8. Confirm the Subscription details and click Attach. You must receive the following confirmation message: Registration with Red Hat Subscription Management is Done!
  9. Click Done. The Initial Setup window opens.
  10. Click Finish Configuration. The login window opens.
  11. Configure your system. See the Configuring basic system settings document for more information.

Additional resources

Depending on your requirements, there are five methods to register your system:

  • Using the Red Hat Content Delivery Network (CDN) to register your system, attach RHEL subscriptions, and install Red Hat Enterprise Linux. See Register and install from CDN using GUI for more information.
  • During installation using Initial Setup.
  • After installation using the command line.
  • After installation using the Subscription Manager user interface. See Subscription manager post install UI for more information.
  • After installation using Registration Assistant. Registration Assistant is designed to help you choose the most suitable registration option for your Red Hat Enterprise Linux environment. See https://access.redhat.com/labs/registrationassistant/ for more information.

11.2. The value of registering your RHEL system to Red Hat

Registration establishes an authorized connection between your system and Red Hat. Red Hat issues the registered system, whether a physical or virtual machine, a certificate that identifies and authenticates the system so that it can receive protected content, software updates, security patches, support, and managed services from Red Hat.

With a valid subscription, you can register a Red Hat Enterprise Linux (RHEL) system in the following ways:

  • During the installation process, using an installer graphical user interface (GUI) or text user interface (TUI)
  • After installation, using the command line interface (CLI)
  • Automatically, during or after installation, using a kickstart script or an activation key.

The specific steps to register your system depend on the version of RHEL that you are using and the registration method that you choose.

Registering your system to Red Hat enables features and capabilities that you can use to manage your system and report data. For example, a registered system is authorized to access protected content repositories for subscribed products through the Red Hat Content Delivery Network (CDN) or a Red Hat Satellite Server. These content repositories contain Red Hat software packages and updates that are available only to customers with an active subscription. These packages and updates include security patches, bug fixes, and new features for RHEL and other Red Hat products.

Important

The entitlement-based subscription model is deprecated and will be retired in the future. Simple content access is now the default subscription model. It provides an improved subscription experience that eliminates the need to attach a subscription to a system before you can access Red Hat subscription content on that system. If your Red Hat account uses the entitlement-based subscription model, contact your Red Hat account team, for example, a technical account manager (TAM) or solution architect (SA), to prepare for migration to simple content access. For more information, see Transition of subscription services to the hybrid cloud.

11.3. Registering your system using the Subscription Manager User Interface

This section contains information about how to register your Red Hat Enterprise Linux 8 system using the Subscription Manager User Interface to receive updates and access package repositories.

Prerequisites

Procedure

  1. Log in to your system.
  2. Go to Activities.
  3. From the menu options, click the Show Applications icon.
  4. Click the Red Hat Subscription Manager icon, or enter Red Hat Subscription Manager in the search.
  5. Enter your administrator password in the Authentication Required dialog box.

    Note

    Authentication is required to perform privileged tasks on the system.

    The Subscriptions window opens, displaying the current status of Subscriptions, System Purpose, and installed products. Installed products displayed with a red X are not supported by the currently attached subscriptions.

  6. Click Register. The Register System dialog box opens.
  7. Enter your Customer Portal credentials and click Register.

The Register button in the Subscriptions window changes to Unregister and installed products display a green X. You can verify the successful registration from a terminal window using the subscription-manager status command. For additional information, refer to the /var/log/rhsm/rhsm.log file. When the organization or account operates in simple content access mode, the overall compliance status of the system is marked Disabled.

11.4. Registering RHEL 8 using the installer GUI

Use the following steps to register a Red Hat Enterprise Linux 8 system using the RHEL installer GUI.

Prerequisites

  • You have a valid user account on the Red Hat Customer Portal. See the Create a Red Hat Login page.
  • You have a valid Activation Key and Organization ID.

Procedure

  1. From the Installation Summary screen, under Software, click Connect to Red Hat.
  2. Authenticate your Red Hat account using the Account or Activation Key option.
  3. Optional: In the Set System Purpose field select the Role, SLA, and Usage attribute that you want to set from the drop-down menu.

    At this point, your Red Hat Enterprise Linux 8 system has been successfully registered.

11.5. Registration Assistant

Registration Assistant is designed to help you choose the most suitable registration option for your Red Hat Enterprise Linux environment.

Additional resources

  • For assistance with using a username and password to register RHEL with the Subscription Manager client, see the RHEL registration assistant on the Customer Portal.
  • For assistance with registering your RHEL system to Red Hat Insights, see the Insights registration assistant on the Hybrid Cloud Console.

11.6. Registering your system using the command line

This section contains information about how to register your Red Hat Enterprise Linux 8 subscription using the command line.

Note

For an improved and simplified experience registering your hosts to Red Hat, use remote host configuration (RHC). The RHC client registers your system to Red Hat making your system ready for Insights data collection and enabling direct issue remediation from Insights for Red Hat Enterprise Linux. For more information, see RHC registration.

Prerequisites

  • You have an active, non-evaluation Red Hat Enterprise Linux subscription.
  • Your Red Hat subscription status is verified.
  • You have not previously received a Red Hat Enterprise Linux 8 subscription.
  • You have successfully installed Red Hat Enterprise Linux 8 and logged into the system as root.

Procedure

  1. Open a terminal window as a root user.
  2. Register your Red Hat Enterprise Linux system by using the activation key:

    # subscription-manager register --activationkey=<activation_key_name> --org=<organization_ID>

    When the system is successfully registered, an output similar to the following is displayed:

    The system has been registered with id:
    62edc0f8-855b-4184-b1b8-72a9dc793b96

11.7. Configuring System Purpose using the subscription-manager command-line tool

System purpose is a feature of the Red Hat Enterprise Linux installation to help RHEL customers get the benefit of our subscription experience and services offered in the Red Hat Hybrid Cloud Console, a dashboard-based, Software-as-a-Service (SaaS) application that enables you to view subscription usage in your Red Hat account.

You can configure system purpose attributes either on the activation keys or by using the subscription manager tool. While it is recommended to configure system purpose on the activation key, you can also configure it by using the subscription-manager syspurpose command-line tool after installation to set the required attributes.

Prerequisites

  • You have installed and registered your Red Hat Enterprise Linux 8 system, but system purpose is not configured.
  • You are logged in as a root user.

    Note

    In entitlement mode, if your system is registered but has subscriptions that do not satisfy the required purpose, you can run the subscription-manager remove --all command to remove attached subscriptions. You can then use the command-line subscription-manager syspurpose {role, usage, service-level} tools to set the required purpose attributes, and lastly run subscription-manager attach --auto to re-entitle the system with considerations for the updated attributes. In an SCA-enabled account, by contrast, you can update the system purpose details directly after registration without changing the subscriptions on the system.

Procedure

  1. From a terminal window, run the following command to set the intended role of the system:

    # subscription-manager syspurpose role --set "VALUE"

    Replace VALUE with the role that you want to assign:

    • Red Hat Enterprise Linux Server
    • Red Hat Enterprise Linux Workstation
    • Red Hat Enterprise Linux Compute Node

    For example:

    # subscription-manager syspurpose role --set "Red Hat Enterprise Linux Server"
    1. Optional: Before setting a value, see the available roles supported by the subscriptions for your organization:

      # subscription-manager syspurpose role --list
    2. Optional: Run the following command to unset the role:

      # subscription-manager syspurpose role --unset
  2. Run the following command to set the intended Service Level Agreement (SLA) of the system:

    # subscription-manager syspurpose service-level --set "VALUE"

    Replace VALUE with the SLA that you want to assign:

    • Premium
    • Standard
    • Self-Support

    For example:

    # subscription-manager syspurpose service-level --set "Standard"
    1. Optional: Before setting a value, see the available service-levels supported by the subscriptions for your organization:

      # subscription-manager syspurpose service-level --list
    2. Optional: Run the following command to unset the SLA:

      # subscription-manager syspurpose service-level --unset
  3. Run the following command to set the intended usage of the system:

    # subscription-manager syspurpose usage --set "VALUE"

    Replace VALUE with the usage that you want to assign:

    • Production
    • Disaster Recovery
    • Development/Test

    For example:

    # subscription-manager syspurpose usage --set "Production"
    1. Optional: Before setting a value, see the available usages supported by the subscriptions for your organization:

      # subscription-manager syspurpose usage --list
    2. Optional: Run the following command to unset the usage:

      # subscription-manager syspurpose usage --unset
  4. Run the following command to show the current system purpose properties:

    # subscription-manager syspurpose --show
    1. Optional: For more detailed syntax information run the following command to access the subscription-manager man page and browse to the SYSPURPOSE OPTIONS:

      # man subscription-manager

Verification steps

  • To verify the system’s subscription status in a system registered with an account having entitlement mode enabled:

    # subscription-manager status
    +-------------------------------------------+
       System Status Details
    +-------------------------------------------+
    Overall Status: Current
    
    System Purpose Status: Matched
    • An overall status Current means that all of the installed products are covered by the attached subscription(s) and that entitlements to access their content set repositories have been granted.
    • A system purpose status Matched means that all of the system purpose attributes (role, usage, service-level) that were set on the system are satisfied by the subscription(s) attached.
    • When the status information is not ideal, additional information is displayed to help the system administrator decide what corrections to make to the attached subscriptions to cover the installed products and intended system purpose.
  • To verify the system’s subscription status in a system registered with an account having SCA mode enabled:

    # subscription-manager status
    +-------------------------------------------+
       System Status Details
    +-------------------------------------------+
    Overall Status: Disabled
    Content Access Mode is set to Simple Content Access. This host has access to content, regardless of subscription status.
    System Purpose Status: Disabled
    • In SCA mode, subscriptions are no longer required to be attached to individual systems. Hence, both the overall status and system purpose status are displayed as Disabled. However, the technical, business, and operational use cases supplied by system purpose attributes are important to the subscriptions service. Without these attributes, the subscriptions service data is less accurate.
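
A fleet check that treats Disabled as a failure will flag every SCA host, so the two verification cases above have to be told apart. The following is an added example, not part of the Red Hat documentation: the function name and result labels are hypothetical, the first two samples are the outputs shown above, and the third is constructed.

```shell
#!/bin/bash
# Added example: classify `subscription-manager status` output read from stdin.
# Prints entitlement-ok | sca-ok | needs-attention | not-status-output.

field() {
    # Print the trimmed value of the first "<label>: value" line in $2.
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" |
        head -n 1
}

classify_rhsm_status() {
    rhsm_text=$(cat)
    rhsm_overall=$(field "Overall Status" "$rhsm_text")
    rhsm_purpose=$(field "System Purpose Status" "$rhsm_text")

    if [ -z "$rhsm_overall" ]; then
        echo "not-status-output"      # wrong command, error text, empty input
        return 2
    fi
    if [ "$rhsm_overall" = "Current" ] && [ "$rhsm_purpose" = "Matched" ]; then
        echo "entitlement-ok"
        return 0
    fi
    # Disabled is expected only when the output itself reports SCA mode.
    if [ "$rhsm_overall" = "Disabled" ] &&
       printf '%s\n' "$rhsm_text" | grep -q 'Simple Content Access'; then
        echo "sca-ok"
        return 0
    fi
    echo "needs-attention"
    return 1
}

# Sample outputs: the first two are taken from this section, the third is constructed.
SAMPLE_ENTITLEMENT='+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Current

System Purpose Status: Matched'

SAMPLE_SCA='+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Disabled
Content Access Mode is set to Simple Content Access. This host has access to content, regardless of subscription status.
System Purpose Status: Disabled'

SAMPLE_INVALID='Overall Status: Invalid
System Purpose Status: Mismatched'

for sample in "$SAMPLE_ENTITLEMENT" "$SAMPLE_SCA" "$SAMPLE_INVALID"; do
    printf '%s\n' "$sample" | classify_rhsm_status || true
done

# On a registered host, as root:
#   subscription-manager status | classify_rhsm_status
```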

11.8. Securing your system

Complete the following security-related steps immediately after you install Red Hat Enterprise Linux.

Prerequisites

  • You have completed the graphical installation.

Procedure

  1. To update your system, run the following command as root:

    # yum update
  2. Even though the firewall service, firewalld, is automatically enabled with the installation of Red Hat Enterprise Linux, there are scenarios where it might be explicitly disabled, for example in a Kickstart configuration. In that scenario, it is recommended that you re-enable the firewall.

    To start firewalld, run the following commands as root:

    # systemctl start firewalld
    # systemctl enable firewalld
  3. To enhance security, disable services that you do not need. For example, if your system has no printers installed, disable the cups service using the following command:

    # systemctl mask cups

    To review active services, run the following command:

    $ systemctl list-units | grep service
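
To make the review in steps 2 and 3 repeatable, the running services can be compared against an allowlist. This is an added example, not part of the Red Hat documentation: the function name, the allowlist format, and both samples are constructed for illustration.

```shell
#!/bin/bash
# Added example: flag running services that are not on an allowlist and
# report when firewalld is not among the running services.

review_services() {
    # $1:    allowlist file, one unit name per line, "#" starts a comment
    # stdin: output of
    #        systemctl list-units --type=service --state=running --no-legend --plain
    awk -v allow_file="$1" '
        BEGIN {
            while ((getline line < allow_file) > 0) {
                sub(/#.*/, "", line)
                gsub(/[[:space:]]/, "", line)
                if (line != "") allow[line] = 1
            }
        }
        {
            # Without --plain, a status glyph can precede the unit name.
            unit = ($1 ~ /\.service$/) ? $1 : $2
            if (unit !~ /\.service$/) next
            running[unit] = 1
            if (!(unit in allow)) print "unexpected " unit
        }
        END {
            if (!("firewalld.service" in running)) print "missing firewalld.service"
        }
    '
}

# Constructed allowlist for a minimal server.
SAMPLE_ALLOWLIST='# services this host is expected to run
auditd.service
chronyd.service
firewalld.service   # re-enabled in step 2
sshd.service'

# Constructed sample of the systemctl output described above.
SAMPLE_RUNNING='auditd.service loaded active running Security Auditing Service
chronyd.service loaded active running NTP client/server
cups.service loaded active running CUPS Scheduler
firewalld.service loaded active running firewalld - dynamic firewall daemon
sshd.service loaded active running OpenSSH server daemon'

tmp_allow=$(mktemp)
printf '%s\n' "$SAMPLE_ALLOWLIST" > "$tmp_allow"
printf '%s\n' "$SAMPLE_RUNNING" | review_services "$tmp_allow"
rm -f "$tmp_allow"
```

Each unexpected unit is a candidate for systemctl mask after you confirm that nothing on the host depends on it.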

11.9. Deploying systems that are compliant with a security profile immediately after an installation

You can use the OpenSCAP suite to deploy RHEL systems that are compliant with a security profile, such as the OSPP, PCI-DSS, and HIPAA profiles, immediately after the installation process. Using this deployment method, you can apply specific rules that cannot be applied later using remediation scripts, for example, a rule for password strength and partitioning.

11.9.1. Profiles not compatible with Server with GUI

Certain security profiles provided as part of the SCAP Security Guide are not compatible with the extended package set included in the Server with GUI base environment. Therefore, do not select Server with GUI when installing systems compliant with one of the following profiles:

Table 11.1. Profiles not compatible with Server with GUI

| Profile name | Profile ID | Justification | Notes |
|---|---|---|---|
| CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server | xccdf_org.ssgproject.content_profile_cis | Packages xorg-x11-server-Xorg, xorg-x11-server-common, xorg-x11-server-utils, and xorg-x11-server-Xwayland are part of the Server with GUI package set, but the policy requires their removal. | |
| CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server | xccdf_org.ssgproject.content_profile_cis_server_l1 | Packages xorg-x11-server-Xorg, xorg-x11-server-common, xorg-x11-server-utils, and xorg-x11-server-Xwayland are part of the Server with GUI package set, but the policy requires their removal. | |
| Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) | xccdf_org.ssgproject.content_profile_cui | The nfs-utils package is part of the Server with GUI package set, but the policy requires its removal. | |
| Protection Profile for General Purpose Operating Systems | xccdf_org.ssgproject.content_profile_ospp | The nfs-utils package is part of the Server with GUI package set, but the policy requires its removal. | |
| DISA STIG for Red Hat Enterprise Linux 8 | xccdf_org.ssgproject.content_profile_stig | Packages xorg-x11-server-Xorg, xorg-x11-server-common, xorg-x11-server-utils, and xorg-x11-server-Xwayland are part of the Server with GUI package set, but the policy requires their removal. | To install a RHEL system as a Server with GUI aligned with DISA STIG in RHEL version 8.4 and later, you can use the DISA STIG with GUI profile. |

11.9.2. Deploying baseline-compliant RHEL systems using the graphical installation

Use this procedure to deploy a RHEL system that is aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).

Warning

Certain security profiles provided as part of the SCAP Security Guide are not compatible with the extended package set included in the Server with GUI base environment. For additional details, see Profiles not compatible with a GUI server.

Prerequisites

  • You have booted into the graphical installation program. Note that the OSCAP Anaconda Add-on does not support interactive text-only installation.
  • You have accessed the Installation Summary window.

Procedure

  1. From the Installation Summary window, click Software Selection. The Software Selection window opens.
  2. From the Base Environment pane, select the Server environment. You can select only one base environment.
  3. Click Done to apply the setting and return to the Installation Summary window.
  4. Because OSPP has strict partitioning requirements that must be met, create separate partitions for /boot, /home, /var, /tmp, /var/log, /var/tmp, and /var/log/audit.
  5. Click Security Policy. The Security Policy window opens.
  6. To enable security policies on the system, toggle the Apply security policy switch to ON.
  7. Select Protection Profile for General Purpose Operating Systems from the profile pane.
  8. Click Select Profile to confirm the selection.
  9. Confirm the changes in the Changes that were done or need to be done pane that is displayed at the bottom of the window. Complete any remaining manual changes.
  10. Complete the graphical installation process.

    Note

    The graphical installation program automatically creates a corresponding Kickstart file after a successful installation. You can use the /root/anaconda-ks.cfg file to automatically install OSPP-compliant systems.

Verification

  • To check the current status of the system after installation is complete, reboot the system and start a new scan:

    # oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

11.9.3. Deploying baseline-compliant RHEL systems using Kickstart

Use this procedure to deploy RHEL systems that are aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).

Prerequisites

  • The scap-security-guide package is installed on your RHEL 8 system.

Procedure

  1. Open the /usr/share/scap-security-guide/kickstart/ssg-rhel8-ospp-ks.cfg Kickstart file in an editor of your choice.
  2. Update the partitioning scheme to fit your configuration requirements. For OSPP compliance, the separate partitions for /boot, /home, /var, /tmp, /var/log, /var/tmp, and /var/log/audit must be preserved, and you can only change the size of the partitions.
  3. Start a Kickstart installation as described in Performing an automated installation using Kickstart.

Important

Passwords in Kickstart files are not checked for OSPP requirements.

Verification

  1. To check the current status of the system after installation is complete, reboot the system and start a new scan:

    # oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
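
The partitioning requirement in both OSPP procedures cannot be remediated after installation, so it is worth checking before the scan. This is an added example, not part of the Red Hat documentation: the function names and the sample mount table are constructed, and it assumes that a required directory counts as a separate partition when it appears as a mount point in /proc/mounts format.

```shell
#!/bin/bash
# Added example: check the OSPP mount points listed in the procedures above,
# then run the scan from the Verification step when oscap is available.

OSPP_MOUNTS="/boot /home /var /tmp /var/log /var/tmp /var/log/audit"

missing_ospp_mounts() {
    # $1: file in /proc/mounts format, or "-" for stdin (default: /proc/mounts)
    mounts=$(cat "${1:-/proc/mounts}")
    for mp in $OSPP_MOUNTS; do
        if ! printf '%s\n' "$mounts" |
             awk -v want="$mp" '$2 == want { found = 1 } END { exit !found }'; then
            printf '%s\n' "$mp"
        fi
    done
}

postinstall_check() {
    missing=$(missing_ospp_mounts "${1:-/proc/mounts}")
    if [ -n "$missing" ]; then
        echo "not on separate partitions: $(echo $missing)"
        return 1
    fi
    if ! command -v oscap >/dev/null 2>&1; then
        echo "partitions ok; oscap not installed, scan skipped"
        return 0
    fi
    oscap xccdf eval --profile ospp --report eval_postinstall_report.html \
        /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml >/dev/null
    # oscap exit status: 0 = all rules passed, 2 = at least one rule failed
    # or is unknown, anything else = the evaluation itself did not complete.
    case $? in
        0) echo "partitions ok; all rules passed" ;;
        2) echo "partitions ok; at least one rule failed or is unknown, see the report"
           return 2 ;;
        *) echo "oscap could not complete the evaluation"
           return 1 ;;
    esac
}

# Constructed mount table with /var/tmp left on the /var file system.
SAMPLE_MOUNTS='/dev/mapper/rhel-root / xfs rw,relatime 0 0
/dev/sda1 /boot xfs rw,nodev,nosuid 0 0
/dev/mapper/rhel-home /home xfs rw,nodev 0 0
/dev/mapper/rhel-var /var xfs rw,nodev 0 0
/dev/mapper/rhel-var_log /var/log xfs rw,nodev,nosuid,noexec 0 0
/dev/mapper/rhel-var_log_audit /var/log/audit xfs rw,nodev,nosuid,noexec 0 0
/dev/mapper/rhel-tmp /tmp xfs rw,nodev,nosuid,noexec 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | missing_ospp_mounts -

# On an installed system, as root:
#   postinstall_check
```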

11.10. Next steps

When you have completed the required post-installation steps, you can configure basic system settings. For information about completing tasks such as installing software with yum, using systemd for service management, managing users, groups, and file permissions, using chrony to configure NTP, and working with Python 3, see the Configuring basic system settings document.