Chapter 13. Completing post-installation tasks

This section describes how to complete the following post-installation tasks:

  • Registering your system

    Note

    Depending on your requirements, there are several methods to register your system. Most of these methods are completed as part of post-installation tasks. However, the Red Hat Content Delivery Network (CDN) registers your system and attaches RHEL subscriptions before the installation process starts. See Registering and installing RHEL from the CDN for more information.

  • Securing your system

13.1. Registering your system using the command line

This section contains information about how to register your Red Hat Enterprise Linux 9 subscription using the command line.

Note

When auto-attaching a system, the subscription service checks if the system is physical or virtual, as well as how many sockets are on the system. A physical system usually consumes two entitlements; a virtual system usually consumes one. One entitlement is consumed per two sockets on a system.

Prerequisites

  • You have an active, non-evaluation Red Hat Enterprise Linux subscription.
  • Your Red Hat subscription status is verified.
  • You have not previously received a Red Hat Enterprise Linux 9 subscription.
  • You have activated your subscription before attempting to download entitlements from the Customer Portal. You need an entitlement for each instance that you plan to use. Red Hat Customer Service is available if you need help activating your subscription.
  • You have successfully installed Red Hat Enterprise Linux 9 and logged into the system as root.

Procedure

  1. Open a terminal window and register your Red Hat Enterprise Linux system using your Red Hat Customer Portal username and password:

    # subscription-manager register --username [username] --password [password]
  2. When the system is successfully registered, an output similar to the following is displayed:

    # The system has been registered with ID: 123456abcdef
    # The registered system name is: localhost.localdomain
  3. Set the role for the system, for example:

    # subscription-manager syspurpose role --set="Red Hat Enterprise Linux Server"

    Note

    Available roles depend on the subscriptions that have been purchased by the organization and the architecture of the Red Hat Enterprise Linux 9 system. Typical roles include: Red Hat Enterprise Linux Server, Red Hat Enterprise Linux Workstation, or Red Hat Enterprise Linux Compute Node. To see the available roles, use the command: # subscription-manager syspurpose role --list

  4. Set the service level for the system, for example:

    # subscription-manager syspurpose service-level --set="Premium"

    Note

    Available service-levels are tied to the subscriptions that have been purchased by the organization. Typical service-levels include: Self-Support, Standard, or Premium. To see the service-levels available, use the command: # subscription-manager syspurpose service-level --list

  5. Set the usage for the system, for example:

    # subscription-manager syspurpose usage --set="Production"

    Note

    Available usages are also dependent on the subscriptions that have been purchased by the organization. Typical usage includes: Production, Disaster Recovery, and Development/Test. To see the usage values available, use the command: # subscription-manager syspurpose usage --list

  6. Attach the system to an entitlement that matches the host system architecture:

    # subscription-manager attach --auto
  7. When a subscription is successfully attached, an output similar to the following is displayed:

    Installed Product Current Status:
    Product Name: Red Hat Enterprise Linux for x86_64
    Status: Subscribed

    Note

    An alternative method for registering your Red Hat Enterprise Linux 9 system is by logging in to the system as a root user and using the Subscription Manager graphical user interface.

13.2. Registering your system using the Subscription Manager User Interface

This section contains information about how to register your Red Hat Enterprise Linux 9 system using the Subscription Manager User Interface to receive updates and access package repositories.

Prerequisites

Procedure

  1. Log in to your system.
  2. From the top left-hand side of the window, click Activities.
  3. From the menu options, click the Show Applications icon.
  4. Click the Red Hat Subscription Manager icon, or enter Red Hat Subscription Manager in the search.
  5. Enter your administrator password in the Authentication Required dialog box.

    Note

    Authentication is required to perform privileged tasks on the system.

  6. The Subscriptions window opens, displaying the current status of Subscriptions, System Purpose, and installed products. Unregistered products display a red X.
  7. Click the Register button.
  8. The Register System dialog box opens. Enter your Customer Portal credentials and click the Register button.

The Register button in the Subscriptions window changes to Unregister and installed products display a green X. You can troubleshoot an unsuccessful registration from a terminal window using the subscription-manager status command.

13.3. Registration Assistant

Registration Assistant is designed to help you choose the most suitable registration option for your Red Hat Enterprise Linux environment. See https://access.redhat.com/labs/registrationassistant/ for more information.

13.4. Configuring System Purpose using the subscription-manager command-line tool

System Purpose is an optional but recommended feature of the Red Hat Enterprise Linux installation. You can use System Purpose to record the intended use of a Red Hat Enterprise Linux 9 system, and ensure that the entitlement server auto-attaches the most appropriate subscription to your system. If System Purpose was not configured during the installation process, you can use the subscription-manager syspurpose command-line tool after installation to set the required attributes.

Prerequisites

  • You installed and registered your Red Hat Enterprise Linux 9 system, but System Purpose is not configured.
  • You are logged in as a root user.

    Note

    If your system is registered but has subscriptions that do not satisfy the required purpose, you can run the subscription-manager remove --all command to remove attached subscriptions. You can then use the command-line subscription-manager syspurpose {role, usage, service-level} tools to set the required purpose attributes, and lastly run subscription-manager attach --auto to re-entitle the system with considerations for the updated attributes.

    Procedure

    Complete the steps in this procedure to configure System Purpose after installation using the subscription-manager syspurpose command-line tool. The selected values are used by the entitlement server to attach the most suitable subscription to your system.

    1. From a terminal window, run the following command to set the intended role of the system:

      # subscription-manager syspurpose role --set "VALUE"

      Replace VALUE with the role that you want to assign:

      • Red Hat Enterprise Linux Server
      • Red Hat Enterprise Linux Workstation
      • Red Hat Enterprise Linux Compute Node

      For example:

      # subscription-manager syspurpose role --set "Red Hat Enterprise Linux Server"
      1. Optional: Before setting a value, see the available roles supported by the subscriptions for your organization:

        # subscription-manager syspurpose role --list
      2. Optional: Run the following command to unset the role:

        # subscription-manager syspurpose role --unset
    2. Run the following command to set the intended Service Level Agreement (SLA) of the system:

      # subscription-manager syspurpose service-level --set "VALUE"

      Replace VALUE with the SLA that you want to assign:

      • Premium
      • Standard
      • Self-Support

      For example:

      # subscription-manager syspurpose service-level --set "Standard"
      1. Optional: Before setting a value, see the available service-levels supported by the subscriptions for your organization:

        # subscription-manager syspurpose service-level --list
      2. Optional: Run the following command to unset the SLA:

        # subscription-manager syspurpose service-level --unset
    3. Run the following command to set the intended usage of the system:

      # subscription-manager syspurpose usage --set "VALUE"

      Replace VALUE with the usage that you want to assign:

      • Production
      • Disaster Recovery
      • Development/Test

      For example:

      # subscription-manager syspurpose usage --set "Production"
      1. Optional: Before setting a value, see the available usages supported by the subscriptions for your organization:

        # subscription-manager syspurpose usage --list
      2. Optional: Run the following command to unset the usage:

        # subscription-manager syspurpose usage --unset
    4. Run the following command to show the current system purpose properties:

      # subscription-manager syspurpose --show
      1. Optional: For more detailed syntax information run the following command to access the subscription-manager man page and browse to the SYSPURPOSE OPTIONS:

        # man subscription-manager

Verification steps

  • To verify the system’s subscription status:

    # subscription-manager status
    +-------------------------------------------+
       System Status Details
    +-------------------------------------------+
    Overall Status: Current
    
    System Purpose Status: Matched
  • An overall status Current means that all of the installed products are covered by the subscription(s) attached and entitlements to access their content set repositories have been granted.
  • A system purpose status Matched means that all of the system purpose attributes (role, usage, service-level) that were set on the system are satisfied by the subscription(s) attached.
  • When the status information is not ideal, additional information is displayed to help the system administrator decide what corrections to make to the attached subscriptions to cover the installed products and intended system purpose.
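
As an added example (not part of the Red Hat documentation), the following shell functions turn the status output above into a pass/fail check for provisioning scripts. The function names and the values in the failing sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: turn `subscription-manager status` output into a pass/fail gate.
# The functions read the command output on stdin, so they can be tried offline.

# Print the value of one "Key: value" line, trimming surrounding whitespace.
status_field() {
    awk -F': *' -v key="$1" '
        { gsub(/^[ \t]+|[ \t\r]+$/, "") }
        $1 == key { print $2; exit }'
}

# Return 0 only for Overall Status "Current" and System Purpose Status "Matched".
check_subscription_status() {
    out=$(cat); rc=0
    overall=$(printf '%s\n' "$out" | status_field "Overall Status")
    purpose=$(printf '%s\n' "$out" | status_field "System Purpose Status")
    if [ "$overall" != "Current" ]; then
        echo "FAIL Overall Status: ${overall:-not reported}" >&2; rc=1
    fi
    if [ "$purpose" != "Matched" ]; then
        echo "FAIL System Purpose Status: ${purpose:-not reported}" >&2; rc=1
    fi
    return $rc
}

# Output as shown in the verification step above.
sample_current() {
    cat <<'EOF'
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Current

System Purpose Status: Matched
EOF
}

# Constructed failing output; the field values are assumed for illustration.
sample_mismatch() {
    cat <<'EOF'
Overall Status: Invalid
System Purpose Status: Mismatched
EOF
}

sample_current | check_subscription_status && echo "subscription and purpose OK"
sample_mismatch | check_subscription_status || echo "registration needs attention"
```

On a registered host, pipe the live output in: subscription-manager status | check_subscription_status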

13.5. Securing your system

Complete the following security-related steps immediately after you install Red Hat Enterprise Linux.

Prerequisites

  • You have completed the graphical installation.

Procedure

  1. To update your system, run the following command as root:

    # yum update
  2. Even though the firewall service, firewalld, is automatically enabled with the installation of Red Hat Enterprise Linux, there are scenarios where it might be explicitly disabled, for example in a Kickstart configuration. In that scenario, it is recommended that you re-enable the firewall.

    To start firewalld, run the following commands as root:

    # systemctl start firewalld
    # systemctl enable firewalld
  3. To enhance security, disable services that you do not need. For example, if your system has no printers installed, disable the cups service using the following command:

    # systemctl mask cups

    To review active services, run the following command:

    $ systemctl list-units | grep service
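
The following added example (not from the Red Hat documentation) automates the review in steps 2 and 3: it checks that firewalld is running and lists running services that are absent from a reviewed allowlist, which are candidates for systemctl mask. The allowlist format, function names, and sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit running services against a reviewed allowlist.
# Feed it the output of:
#   systemctl list-units --type=service --state=running --no-legend --plain

# Print "REVIEW <unit>" for running services missing from the allowlist file ($1)
# and "MISSING firewalld.service" if the firewall is not running; return 1 on findings.
audit_services() {
    awk -v allowfile="$1" '
        BEGIN {
            while ((getline line < allowfile) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
                if (line != "") allow[line] = 1
            }
        }
        $1 == "firewalld.service" && $4 == "running" { fw = 1 }
        $1 ~ /\.service$/ && !($1 in allow) { print "REVIEW " $1; bad = 1 }
        END {
            if (!fw) { print "MISSING firewalld.service"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed allowlist for a server without printers (hypothetical baseline).
sample_allowlist() {
    cat <<'EOF'
# unit name            # reason
auditd.service         # audit logging
chronyd.service        # time sync
firewalld.service      # host firewall
sshd.service           # remote administration
EOF
}

# Constructed listing in the column layout of the systemctl command above.
sample_running() {
    cat <<'EOF'
auditd.service    loaded active running Security Auditing Service
chronyd.service   loaded active running NTP client/server
cups.service      loaded active running CUPS Scheduler
firewalld.service loaded active running firewalld - dynamic firewall daemon
sshd.service      loaded active running OpenSSH server daemon
EOF
}

allow_tmp=$(mktemp) && sample_allowlist > "$allow_tmp"
sample_running | audit_services "$allow_tmp" || echo "review the units listed above"
rm -f "$allow_tmp"
```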

13.6. Deploying systems that are compliant with a security profile immediately after an installation

You can use the OpenSCAP suite to deploy RHEL systems that are compliant with a security profile, such as the OSPP, PCI-DSS, or HIPAA profile, immediately after the installation process. Using this deployment method, you can apply specific rules that cannot be applied later using remediation scripts, for example, a rule for password strength and partitioning.

13.6.1. Deploying baseline-compliant RHEL systems using the graphical installation

Use this procedure to deploy a RHEL system that is aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).

Prerequisites

  • You have booted into the graphical installation program. Note that the OSCAP Anaconda Add-on does not support interactive text-only installation.
  • You have accessed the Installation Summary window.

Procedure

  1. From the Installation Summary window, click Software Selection. The Software Selection window opens.
  2. From the Base Environment pane, select the Server environment. You can select only one base environment.

    Warning

    Certain security profiles provided as part of the SCAP Security Guide are not compatible with the extended package set included in the Server with GUI base environment. Therefore, do not select Server with GUI when installing systems compliant with one of the following profiles:

    • CIS Server Level 1
    • CIS Server Level 2
    • CUI
    • OSPP
    • STIG (to install a RHEL system as a Server with GUI aligned with DISA STIG, you can use the DISA STIG with GUI profile).

    For more information, see, for example, BZ#1648162, BZ#1787156, BZ#1816199, or BZ#1970137.

  3. Click Done to apply the setting and return to the Installation Summary window.
  4. Click Security Policy. The Security Policy window opens.
  5. To enable security policies on the system, toggle the Apply security policy switch to ON.
  6. Select Protection Profile for General Purpose Operating Systems from the profile pane.
  7. Click Select Profile to confirm the selection.
  8. Confirm the changes in the Changes that were done or need to be done pane that is displayed at the bottom of the window. Complete any remaining manual changes.
  9. Because OSPP has strict partitioning requirements that must be met, create separate partitions for /boot, /home, /var, /var/log, /var/tmp, and /var/log/audit.
  10. Complete the graphical installation process.

    Note

    The graphical installation program automatically creates a corresponding Kickstart file after a successful installation. You can use the /root/anaconda-ks.cfg file to automatically install OSPP-compliant systems.

Verification

  • To check the current status of the system after installation is complete, reboot the system and start a new scan:

    # oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

13.6.2. Deploying baseline-compliant RHEL systems using Kickstart

Use this procedure to deploy RHEL systems that are aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).

Prerequisites

  • The scap-security-guide package is installed on your RHEL 9 system.

Procedure

  1. Open the /usr/share/scap-security-guide/kickstart/ssg-rhel9-ospp-ks.cfg Kickstart file in an editor of your choice.
  2. Update the partitioning scheme to fit your configuration requirements. For OSPP compliance, the separate partitions for /boot, /home, /var, /var/log, /var/tmp, and /var/log/audit must be preserved, and you can only change the size of the partitions.

    Warning

    Because the OSCAP Anaconda Addon plugin does not support text-only installation, do not use the text option in your Kickstart file. For more information, see RHBZ#1674001.

  3. Start a Kickstart installation as described in Performing an automated installation using Kickstart.

Important

Passwords in the hash form cannot be checked for OSPP requirements.
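
Before starting the installation, the constraints from this procedure can be checked mechanically. This added example (not part of the Red Hat documentation or the shipped Kickstart file) verifies that an edited Kickstart file still defines the six required partitions, does not request text mode, and notes hashed passwords; the function names and the sample fragment are constructed, and it assumes the mount point is the first argument of each part, partition, or logvol command.

```shell
#!/bin/sh
# Added example: pre-flight check of a Kickstart file for the OSPP constraints
# described above. Assumes the mount point is the first argument of each
# part/partition/logvol command.
OSPP_MOUNTS="/boot /home /var /var/log /var/tmp /var/log/audit"

# Print the mount points defined by part, partition and logvol commands.
ks_mountpoints() {
    awk '$1 == "part" || $1 == "partition" || $1 == "logvol" { print $2 }' "$1"
}

# Print findings; return 1 if a required partition is missing or text mode is set.
check_ospp_kickstart() {
    ks=$1; rc=0
    mounts=$(ks_mountpoints "$ks")
    for mp in $OSPP_MOUNTS; do
        if ! printf '%s\n' "$mounts" | grep -qxF "$mp"; then
            echo "MISSING separate partition for $mp"; rc=1
        fi
    done
    if grep -Eq '^[[:space:]]*text([[:space:]]|$)' "$ks"; then
        echo "TEXT mode set; the OSCAP Anaconda Add-on does not support it"; rc=1
    fi
    if grep -Eq '^[[:space:]]*(rootpw|user)[[:space:]].*--iscrypted' "$ks"; then
        echo "NOTE hashed password present; it cannot be checked for OSPP requirements"
    fi
    return $rc
}

# Constructed Kickstart fragment (not the shipped ssg-rhel9-ospp-ks.cfg):
# it sets text mode and lacks /var/tmp, so both checks fire.
sample_kickstart() {
    cat <<'EOF'
text
rootpw --iscrypted $6$constructed$placeholder
part /boot --fstype=xfs --size=1024
part pv.01 --grow --size=1
volgroup vg0 pv.01
logvol / --fstype=xfs --name=root --vgname=vg0 --size=10240
logvol /home --fstype=xfs --name=home --vgname=vg0 --size=1024
logvol /var --fstype=xfs --name=var --vgname=vg0 --size=3072
logvol /var/log --fstype=xfs --name=log --vgname=vg0 --size=1024
logvol /var/log/audit --fstype=xfs --name=audit --vgname=vg0 --size=512
EOF
}

ks_tmp=$(mktemp) && sample_kickstart > "$ks_tmp"
check_ospp_kickstart "$ks_tmp" || echo "fix the findings before starting the installation"
rm -f "$ks_tmp"
```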

Verification

  1. To check the current status of the system after installation is complete, reboot the system and start a new scan:

    # oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

13.7. Next steps

When you have completed the required post-installation steps, you can configure basic system settings. For information about completing tasks such as installing software with yum, using systemd for service management, managing users, groups, and file permissions, using chrony to configure NTP, and working with Python 3, see the Configuring basic system settings document.