Chapter 5. Completing post-installation tasks
This section describes how to complete the following post-installation tasks:
- Completing initial setup
- Registering your system
Note: Depending on your requirements, there are several methods to register your system. Most of these methods are completed as part of post-installation tasks. However, the Red Hat Content Delivery Network (CDN) registers your system and attaches RHEL subscriptions before the installation process starts. See Section 3.3.2, “Registering and installing RHEL from the CDN” for more information.
- Securing your system
5.1. Completing initial setup
This section contains information about how to complete initial setup on a Red Hat Enterprise Linux 8 system.
- If you selected the Server with GUI base environment during installation, the Initial Setup window opens the first time you reboot your system after the installation process is complete.
- If you registered and installed RHEL from the CDN, the Subscription Manager option displays a note that all installed products are covered by valid entitlements.
The information displayed in the Initial Setup window might vary depending on what was configured during installation. At a minimum, the Licensing and Subscription Manager options are displayed.
Prerequisites
- You have completed the graphical installation according to the recommended workflow described in Section 3.2, “Installing RHEL using an ISO image from the Customer Portal”.
- You have an active, non-evaluation Red Hat Enterprise Linux subscription.
Procedure
- From the Initial Setup window, select Licensing Information. The License Agreement window opens and displays the licensing terms for Red Hat Enterprise Linux.
- Review the license agreement and select the I accept the license agreement checkbox.
Note: You must accept the license agreement. Exiting Initial Setup without completing this step causes a system restart. When the restart process is complete, you are prompted to accept the license agreement again.
- Click to apply the settings and return to the Initial Setup window.
Note: If you did not configure network settings, you cannot register your system immediately. In this case, click . Red Hat Enterprise Linux 8 starts and you can log in, activate access to the network, and register your system. See Section 5.3, “Registering your system using the Subscription Manager User Interface” for more information. If you configured network settings, as described in Section 4.3.3, “Configuring network and host name options”, you can register your system immediately, as shown in the following steps:
- From the Initial Setup window, select Subscription Manager.
Important: If you registered and installed RHEL from the CDN, the Subscription Manager option displays a note that all installed products are covered by valid entitlements.
- The Subscription Manager graphical interface opens and displays the option you are going to register, which is: subscription.rhsm.redhat.com.
- Click .
- Enter your Login and Password details and click .
- Confirm the Subscription details and click . You must receive the following confirmation message: Registration with Red Hat Subscription Management is Done!
- Click . The Initial Setup window opens.
- Click . The login window opens.
- Configure your system. See the Configuring basic system settings document for more information.
Additional resources
Depending on your requirements, there are five methods to register your system:
- Using the Red Hat Content Delivery Network (CDN) to register your system, attach RHEL subscriptions, and install Red Hat Enterprise Linux. See Section 3.3.2, “Registering and installing RHEL from the CDN” for more information.
- During installation using Initial Setup.
- After installation using the command line. See Section 5.2, “Registering your system using the command line” for more information.
- After installation using the Subscription Manager user interface. See Section 5.3, “Registering your system using the Subscription Manager User Interface” for more information.
- After installation using Registration Assistant. Registration Assistant is designed to help you choose the most suitable registration option for your Red Hat Enterprise Linux environment. See https://access.redhat.com/labs/registrationassistant/ for more information.
5.2. Registering your system using the command line
This section contains information about how to register your Red Hat Enterprise Linux 8 system using the command line.
When auto-attaching a system, the subscription service checks if the system is physical or virtual, as well as how many sockets are on the system. A physical system usually consumes two entitlements, and a virtual system usually consumes one. One entitlement is consumed per two sockets on a system.
Prerequisites
- You have an active, non-evaluation Red Hat Enterprise Linux subscription.
- Your Red Hat subscription status is verified.
- You have not previously received a Red Hat Enterprise Linux 8 subscription.
- You have activated your subscription before attempting to download entitlements from the Customer Portal. You need an entitlement for each instance that you plan to use. Red Hat Customer Service is available if you need help activating your subscription.
- You have successfully installed Red Hat Enterprise Linux 8 and logged into the system.
Procedure
Open a terminal window and register a subscription using your Red Hat Customer Portal username and password:
# subscription-manager register --username [username] --password [password]
When the subscription is successfully registered, an output similar to the following is displayed:
# The system has been registered with ID: 123456abcdef
# The registered system name is: localhost.localdomain
Set the role for the system, for example:
# subscription-manager role --set="Red Hat Enterprise Linux Server"
Note: Available roles depend on the subscriptions that have been purchased by the organization and the architecture of the RHEL 8 system. You can set one of the following roles: Red Hat Enterprise Linux Server, Red Hat Enterprise Linux Workstation, or Red Hat Enterprise Linux Compute Node.
Set the service level for the system, for example:
# subscription-manager service-level --set="Premium"
Set the usage for the system, for example:
# subscription-manager usage --set="Production"
Attach the system to an entitlement that matches the host system architecture:
# subscription-manager attach
When the subscription is successfully attached, an output similar to the following is displayed:
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status: Subscribed
Note: You can also register Red Hat Enterprise Linux 8 by logging in to the system as a root user and using the Subscription Manager graphical user interface.
5.3. Registering your system using the Subscription Manager User Interface
This section contains information about how to register your Red Hat Enterprise Linux 8 system using the Subscription Manager User Interface to receive updates and access package repositories.
Prerequisites
- You have completed the graphical installation according to the recommended workflow described in Section 3.2, “Installing RHEL using an ISO image from the Customer Portal”.
- You have an active, non-evaluation Red Hat Enterprise Linux subscription.
- Your Red Hat subscription status is verified.
Procedure
- Log in to your system.
- From the top left-hand side of the window, click Activities.
- From the menu options, click the Show Applications icon.
- Click the Red Hat Subscription Manager icon, or enter Red Hat Subscription Manager in the search.
- Enter your administrator password in the Authentication Required dialog box.
Note: Authentication is required to perform privileged tasks on the system.
- The Subscriptions window opens, displaying the current status of Subscriptions, System Purpose, and installed products. Unregistered products display a red X.
- Click the button.
- The Register System dialog box opens. Enter your Customer Portal credentials and click the button.
The Register button in the Subscriptions window changes to Unregister and installed products display a green X. You can troubleshoot an unsuccessful registration using the subscription-manager status command.
Additional resources
- For more information about using and configuring Subscription Manager, see the Using and Configuring Red Hat Subscription Manager document.
- For information about preparing subscriptions in Subscription Management, configuring virt-who, and registering virtual machines so that they inherit a subscription from their hypervisor, see the Configuring Virtual Machine Subscriptions in Red Hat Subscription Management document.
5.4. Registration Assistant
Registration Assistant is designed to help you choose the most suitable registration option for your Red Hat Enterprise Linux environment. See https://access.redhat.com/labs/registrationassistant/ for more information.
5.5. Configuring System Purpose using the syspurpose command-line tool
System Purpose is an optional but recommended feature of the Red Hat Enterprise Linux installation. You use System Purpose to record the intended use of a Red Hat Enterprise Linux 8 system, and ensure that the entitlement server auto-attaches the most appropriate subscription to your system. The syspurpose command-line tool is part of the python3_syspurpose.rpm package. If System Purpose was not configured during the installation process, you can use the syspurpose command-line tool after installation to set the required attributes.
Prerequisites
- You installed and registered your Red Hat Enterprise Linux 8 system, but System Purpose is not configured.
- You are logged in as a root user. The python3_syspurpose.rpm package is available on your system.
Note: If your system is registered but has subscriptions that do not satisfy the required purpose, you can run the subscription-manager remove --all command to remove attached subscriptions. You can then use the syspurpose command-line tool to set the required purpose attributes, and run subscription-manager attach --auto to entitle the system with the updated attributes.
Procedure
Complete the steps in this procedure to configure System Purpose after installation using the syspurpose command-line tool. The selected values are used by the entitlement server to attach the most suitable subscription to your system.
- From a terminal window, run the following command to set the intended role of the system:
# syspurpose set-role "VALUE"
Replace VALUE with the role that you want to assign:
  - Red Hat Enterprise Linux Server
  - Red Hat Enterprise Linux Workstation
  - Red Hat Enterprise Linux Compute Node
For example:
# syspurpose set-role "Red Hat Enterprise Linux Server"
Optional: Run the following command to unset the role:
# syspurpose unset-role
- Run the following command to set the intended Service Level Agreement (SLA) of the system:
# syspurpose set-sla "VALUE"
Replace VALUE with the SLA that you want to assign:
  - Premium
  - Standard
  - Self-Support
For example:
# syspurpose set-sla "Standard"
Optional: Run the following command to unset the SLA:
# syspurpose unset-sla
- Run the following command to set the intended usage of the system:
# syspurpose set-usage "VALUE"
Replace VALUE with the usage that you want to assign:
  - Production
  - Disaster Recovery
  - Development/Test
For example:
# syspurpose set-usage "Production"
Optional: Run the following command to unset the usage:
# syspurpose unset-usage
- Run the following command to show the current system purpose properties:
# syspurpose show
Optional: Run the following command to access the syspurpose man page:
# man syspurpose
5.6. Securing your system
Complete the following security-related steps immediately after you install Red Hat Enterprise Linux.
Prerequisites
- You have completed the graphical installation according to the recommended workflow described in Section 3.2, “Installing RHEL using an ISO image from the Customer Portal”.
Procedure
To update your system, run the following command as root:
# yum update
Even though the firewall service, firewalld, is automatically enabled with the installation of Red Hat Enterprise Linux, there are scenarios where it might be explicitly disabled, for example in a Kickstart configuration. In that scenario, it is recommended that you re-enable the firewall.
To start firewalld, run the following commands as root:
# systemctl start firewalld
# systemctl enable firewalld
To enhance security, disable services that you do not need. For example, if your system has no printers installed, disable the cups service using the following command:
# systemctl mask cups
To review active services, run the following command:
$ systemctl list-units | grep service
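One way to act on the service review above, as an added example that is not part of the Red Hat documentation: compare the running services with a baseline you approve, so that anything else becomes a candidate for systemctl mask. The function names, the baseline file format, and the sample listing are assumptions constructed for illustration.

```bash
# Added example (not Red Hat code): find running services missing from an
# approved baseline.

# unexpected_services BASELINE_FILE
# Reads "systemctl list-units" output on stdin and prints every running
# .service unit that the baseline file (one unit per line, # for comments)
# does not list. Exit status: 0 if nothing unexpected runs, 1 otherwise.
unexpected_services() {
    awk '
        FILENAME == ARGV[1] {                 # first input: the baseline file
            if (NF && $1 !~ /^#/) allowed[$1] = 1
            next
        }
        # Columns: UNIT LOAD ACTIVE SUB DESCRIPTION. Header and footer lines
        # never have a .service name in column 1, so they fall through.
        $1 ~ /\.service$/ && $4 == "running" && !($1 in allowed) {
            print $1
            found = 1
        }
        END { exit found + 0 }
    ' "$1" -
}

# Constructed sample of "systemctl list-units" output.
sample_units() {
    cat <<'EOF'
UNIT               LOAD   ACTIVE SUB     DESCRIPTION
auditd.service     loaded active running Security Auditing Service
cups.service       loaded active running CUPS Scheduler
firewalld.service  loaded active running firewalld - dynamic firewall daemon
kdump.service      loaded active exited  Crash recovery kernel arming
sshd.service       loaded active running OpenSSH server daemon
EOF
}

baseline=$(mktemp)
printf '%s\n' '# approved services (constructed)' \
    auditd.service firewalld.service sshd.service > "$baseline"
sample_units | unexpected_services "$baseline" || echo "review the units listed above"
rm -f "$baseline"
```

On a live system, replace sample_units with systemctl list-units --type=service --state=running --plain --no-legend.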
5.7. Deploying systems that are compliant with a security profile immediately after an installation
You can use the OpenSCAP suite to deploy RHEL systems that are compliant with a security profile, such as OSPP or PCI-DSS, immediately after the installation process. Using this deployment method, you can apply specific rules that cannot be applied later using remediation scripts, for example, a rule for password strength and partitioning.
5.7.1. Deploying baseline-compliant RHEL systems using the graphical installation
Use this procedure to deploy a RHEL system that is aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).
Prerequisites
- You have booted into the graphical installation program. Note that the OSCAP Anaconda Add-on does not support text-only installation.
- You have accessed the Installation Summary window.
Procedure
- From the Installation Summary window, click Software Selection. The Software Selection window opens.
- From the Base Environment pane, select the Server environment. You can select only one base environment.
Warning: Do not use the Server with GUI base environment if you want to deploy a compliant system. Security profiles provided as part of the SCAP Security Guide may not be compatible with the extended package set of Server with GUI. For more information, see, for example, BZ#1648162, BZ#1787156, or BZ#1816199.
- Click Done to apply the setting and return to the Installation Summary window.
- Click Security Policy. The Security Policy window opens.
- To enable security policies on the system, toggle the Apply security policy switch to ON.
- Select Protection Profile for General Purpose Operating Systems from the profile pane.
- Click Select Profile to confirm the selection.
- Confirm the changes in the Changes that were done or need to be done pane that is displayed at the bottom of the window. Complete any remaining manual changes.
- Because OSPP has strict partitioning requirements that must be met, create separate partitions for /boot, /home, /var, /var/log, /var/tmp, and /var/log/audit.
- Complete the graphical installation process.
Note: The graphical installation program automatically creates a corresponding Kickstart file after a successful installation. You can use the /root/anaconda-ks.cfg file to automatically install OSPP-compliant systems.
Verification steps
To check the current status of the system after installation is complete, reboot the system and start a new scan:
# oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Additional resources
- For more details on partitioning, see Configuring manual partitioning.
5.7.2. Deploying baseline-compliant RHEL systems using Kickstart
Use this procedure to deploy RHEL systems that are aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).
Prerequisites
- The scap-security-guide package is installed on your RHEL 8 system.
Procedure
- Open the /usr/share/scap-security-guide/kickstart/ssg-rhel8-ospp-ks.cfg Kickstart file in an editor of your choice.
- Update the partitioning scheme to fit your configuration requirements. For OSPP compliance, the separate partitions for /boot, /home, /var, /var/log, /var/tmp, and /var/log/audit must be preserved, and you can only change the size of the partitions.
Warning: Because the OSCAP Anaconda Addon plugin does not support text-only installation, do not use the text option in your Kickstart file. For more information, see RHBZ#1674001.
- Start a Kickstart installation as described in Performing an automated installation using Kickstart.
Passwords in the hash form cannot be checked for OSPP requirements.
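An added example, not taken from Red Hat's documentation or tooling: a small POSIX shell preflight check for the Kickstart constraints in this procedure (the required separate partitions, no text command, and hashed passwords that cannot be checked). The function names and the sample Kickstart content are constructed for illustration.

```bash
# Added example (not Red Hat code): lint a Kickstart file against the OSPP
# constraints stated in this section before starting the installation.
# Mount points this section says must stay on separate partitions.
OSPP_MOUNTS="/boot /home /var /var/log /var/tmp /var/log/audit"

# ks_ospp_lint FILE: prints findings; exit status is 1 if any FAIL was found.
ks_ospp_lint() {
    awk -v required="$OSPP_MOUNTS" '
        NF == 0 || $1 ~ /^#/ { next }                   # blanks, comments
        $1 == "%end" { in_section = 0; next }
        $1 == "%include" || $1 == "%ksappend" { next }  # not followed here
        $1 ~ /^%/ { in_section = 1; next }              # %packages, %post, ...
        in_section { next }                             # skip section bodies
        $1 == "part" || $1 == "partition" || $1 == "logvol" { seen[$2] = 1 }
        $1 == "text" {
            print "FAIL: text is set; the OSCAP Anaconda Addon does not support text-only installation"
            bad = 1
        }
        ($1 == "rootpw" || $1 == "user") && /--iscrypted/ {
            print "WARN: " $1 " password is hashed and cannot be checked for OSPP requirements"
        }
        END {
            n = split(required, req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) { print "FAIL: no separate partition for " req[i]; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Constructed sample: text mode is on, rootpw is hashed, /var/tmp is missing.
make_sample_ks() {
    cat > "$1" <<'EOF'
text
rootpw --iscrypted $6$constructed$placeholder
part /boot --fstype=xfs --size=512
logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024
logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024
logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512
%packages
scap-security-guide
%end
EOF
}

sample=$(mktemp)
make_sample_ks "$sample"
ks_ospp_lint "$sample" || echo "Kickstart file needs changes before use"
rm -f "$sample"
```

The check reads only the file it is given; files pulled in with %include are not followed and need their own run.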
Verification steps
To check the current status of the system after installation is complete, reboot the system and start a new scan:
# oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Additional resources
- For more details, see the OSCAP Anaconda Addon project page.
5.8. Next steps
When you have completed the required post-installation steps, you can configure basic system settings. For information about completing tasks such as installing software with yum, using systemd for service management, managing users, groups, and file permissions, using chrony to configure NTP, and working with Python 3, see the Configuring basic system settings document.