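#!/bin/sh
# 00_prep_system.sh — first-stage host prep for a RHEL 8 box: refresh the
# subscription, update packages, enforce FIPS, enable the CodeReady and EPEL
# repos, install/enable haveged and set one SELinux boolean.
# Must run as root. Settings are read from ./install.config in the working
# directory. Only POSIX sh constructs are used so the #!/bin/sh shebang holds.
# Failures of individual steps are not fatal unless explicitly checked below.

# install.config is executed as shell code with root privileges, so it must
# exist, be readable, and be trusted (root-owned, not writable by others).
# `.` is the POSIX form of bash's `source`.
CONFIG_FILE="./install.config"
if [ ! -r "${CONFIG_FILE}" ]; then
  echo "Cannot read ${CONFIG_FILE}; aborting system prep." >&2
  exit 1
fi
. "${CONFIG_FILE}"
echo "Starting system prep..";

# Completely optional: re-syncing the entitlement data is what fixed stale
# RHEL repo errors after reverting a test VM snapshot.
subscription-manager refresh;

# Drop cached metadata/packages so the upgrade sees a fresh view, then bring
# the system fully up to date before anything is configured on top of it.
dnf clean all;
rm -rf -- /var/cache/dnf;
dnf -y upgrade;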
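# Before we do anything, ensure FIPS is on.
# Two independent signals are checked because they can disagree: the
# system-wide crypto policy (update-crypto-policies) and the kernel/system
# FIPS state (fips-mode-setup), e.g. on a host where FIPS was selected but the
# post-enable reboot has not happened yet. If either is off, enable both and
# stop with a non-zero status so a calling wrapper does not continue on a host
# that is not actually in FIPS mode; the rest of the prep runs after reboot.
# NOTE: both checks compare command output verbatim, which is fragile across
# crypto-policies versions (e.g. a policy shown as "FIPS:<subpolicy>" would
# not match). Confirm the expected strings for the target release.
fips_ready=1
if [ "$(update-crypto-policies --show)" != 'FIPS' ]; then
  fips_ready=0
fi
if [ "$(fips-mode-setup --check)" != 'FIPS mode is enabled.' ]; then
  fips_ready=0
fi
if [ "${fips_ready}" -eq 0 ]; then
  echo "FIPS Mode is not enabled.." >&2
  # fips-mode-setup --enable normally selects the FIPS policy itself; the
  # explicit --set is kept so the policy is FIPS even if that step is skipped.
  fips-mode-setup --enable
  update-crypto-policies --set FIPS
  echo "Setting FIPS mode. Requires reboot to continue." >&2
  exit 1;
fi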
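# Install RHEL codeready-builder repo (needed for EPEL).
CODEREADY_REPO="codeready-builder-for-rhel-8-$(/bin/arch)-rpms"
# Match the repo id exactly (-x): a substring grep would also accept other
# codeready-builder variants (debug/source repos) and a multi-line result
# would never equal the expected name.
if ! dnf repolist --enabled | awk '{print $1}' | grep -qx "${CODEREADY_REPO}"; then
  echo "Codeready-builder repo missing. Installing..";
  subscription-manager repos --enable "${CODEREADY_REPO}";
fi

# Install EPEL repo.
if ! dnf repolist --enabled | awk '{print $1}' | grep -qx 'epel'; then
  echo "EPEL repo missing. Installing..";
  # Import the Fedora/EPEL signing keys so dnf can verify packages from EPEL.
  # The bundle is fetched over HTTPS only, i.e. trust rests on the CA bundle;
  # for a hardened build, compare the imported key fingerprints against the
  # values Fedora publishes out of band.
  rpm --import https://getfedora.org/static/fedora.gpg;
  # dnf does not signature-check packages given by URL/path unless
  # localpkg_gpgcheck is on (it defaults to off), so the key import above
  # would otherwise not protect this download. Force the check here; if the
  # bundle lacks the key that signed epel-release, this fails closed.
  dnf -y --setopt=localpkg_gpgcheck=1 install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm;
fi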
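# haveged tops up the kernel entropy pool on VMs, where key generation can
# otherwise block waiting for entropy (newer kernels, 5.6+, seed the pool
# themselves, but it is still useful on RHEL 8's kernel). Requires EPEL.
# The original test was inverted: it installed haveged only when the binary
# was already present. Use command -v (portable) and install when absent.
if ! command -v haveged >/dev/null 2>&1; then
  echo "Haveged is not installed. Installing..";
  dnf -y install haveged;
fi
# Enable at boot and start immediately if not already enabled.
if [ "$(systemctl is-enabled haveged)" != 'enabled' ]; then
  echo "Enabling haveged daemon.";
  systemctl enable --now haveged;
fi
# Belt-and-braces: the unit may be enabled but not running (e.g. enabled
# earlier without --now, or stopped by hand).
if [ "$(systemctl is-active haveged)" != 'active' ]; then
  echo "Starting haveged daemon.";
  systemctl start haveged;
fi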
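# SELINUX
# httpd_can_network_connect lets every httpd_t process open outbound network
# connections to any host and port, which widens what a compromised web app
# can reach. -P makes it persistent across reboots. If the application only
# needs a database or a proxied upstream, the narrower booleans
# (httpd_can_network_connect_db, httpd_can_network_relay) may be enough —
# confirm against the app's real needs before keeping the broad one.
# A failed setsebool used to be masked by the unconditional exit 0 below;
# report it and exit non-zero so callers do not treat prep as successful.
if ! setsebool -P httpd_can_network_connect on; then
  echo "setsebool httpd_can_network_connect failed." >&2
  exit 1
fi
## For Debugging SELinux issues
# semanage fcontext -l
# https://access.redhat.com/articles/2191331
# https://fedoraproject.org/wiki/SELinux/apache
# yum -y install setroubleshoot-server
# ausearch -m AVC,USER_AVC -ts recent
# sealert -a /var/log/audit/audit.log

# Exiting
echo "Finished system prep..";
exit 0;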