======OS - Linux - Distributions - CentOS - Notes======
=====/etc/tmux.conf=====
// Tested with tmux-1.8-4.el7.x86_64. //
Default /etc/tmux.conf for CentOS 7 to:
* Not use the current full pathname ($PS1) in the window title.
* Not use the working directory from the active window when creating a new window. (This is very annoying when you had a man page open in the active window.)
<code>
set-option -g allow-rename off
set-option -g default-path ~/
</code>
Sources:
* [[https://stackoverflow.com/questions/34596827/tmux-window-namew-shows-long-path-in-windows-status-format|stackoverflow - tmux window_name(#W) shows long path in windows-status-format]]
* man tmux
=====Restore alternatives links to PostgreSQL from postgresql.org=====
// Tested on CentOS 8 with CentOS' version of PostgreSQL 10.14 and PostgreSQL 12.4 from postgresql.org RPM repository. //
When installing a PostgreSQL version from the YUM repository at https://yum.postgresql.org/repopackages/ next to an existing PostgreSQL version from the CentOS official repositories, the following warnings appear:
<code>
failed to link /usr/bin/psql -> /etc/alternatives/pgsql-psql: /usr/bin/psql exists and it is not a symlink
failed to link /usr/bin/clusterdb -> /etc/alternatives/pgsql-clusterdb: /usr/bin/clusterdb exists and it is not a symlink
failed to link /usr/bin/createdb -> /etc/alternatives/pgsql-createdb: /usr/bin/createdb exists and it is not a symlink
failed to link /usr/bin/createuser -> /etc/alternatives/pgsql-createuser: /usr/bin/createuser exists and it is not a symlink
failed to link /usr/bin/dropdb -> /etc/alternatives/pgsql-dropdb: /usr/bin/dropdb exists and it is not a symlink
failed to link /usr/bin/dropuser -> /etc/alternatives/pgsql-dropuser: /usr/bin/dropuser exists and it is not a symlink
failed to link /usr/bin/pg_basebackup -> /etc/alternatives/pgsql-pg_basebackup: /usr/bin/pg_basebackup exists and it is not a symlink
failed to link /usr/bin/pg_dump -> /etc/alternatives/pgsql-pg_dump: /usr/bin/pg_dump exists and it is not a symlink
failed to link /usr/bin/pg_dumpall -> /etc/alternatives/pgsql-pg_dumpall: /usr/bin/pg_dumpall exists and it is not a symlink
failed to link /usr/bin/pg_restore -> /etc/alternatives/pgsql-pg_restore: /usr/bin/pg_restore exists and it is not a symlink
failed to link /usr/bin/reindexdb -> /etc/alternatives/pgsql-reindexdb: /usr/bin/reindexdb exists and it is not a symlink
failed to link /usr/bin/vacuumdb -> /etc/alternatives/pgsql-vacuumdb: /usr/bin/vacuumdb exists and it is not a symlink
</code>
This is fine during a migration, but afterwards, when the PostgreSQL version from the CentOS repositories is removed, you are left with no PostgreSQL binaries in the path.
To create all pgsql-* alternatives symlinks for PostgreSQL, run the following as root:
<code>
alternatives --list | grep ^pgsql | awk '{print $1}' | xargs -n 1 alternatives --auto
</code>
More info: [[https://www.redhat.com/sysadmin/alternatives-command|Red Hat - Enable Sysadmin - Introduction to the alternatives command in Linux]]
=====Disable specific ciphers in sshd=====
// Tested on CentOS 8.4.2105. //
When your vulnerability scanner (e.g. [[https://www.greenbone.net/|GVM]]) complains that the SSH service on your CentOS/RHEL 8 server supports the weak aes128-cbc and aes256-cbc ciphers, something more than just setting the Ciphers in sshd_config is required.
CentOS/RHEL 8 applies "system-wide cryptographic policies". This means that by default the Ciphers setting in sshd_config is ignored.
To make sshd use a Ciphers setting in sshd_config we'll disable cryptographic policy support for sshd and set the Ciphers:
- Open /etc/sysconfig/sshd in a text editor:<code>vi /etc/sysconfig/sshd</code>
- Change the lines:<code>
# System-wide crypto policy:
# To opt-out, uncomment the following line
# CRYPTO_POLICY=
</code>
- To:<code>
# System-wide crypto policy:
# To opt-out, uncomment the following line
CRYPTO_POLICY=
</code>
- Open /etc/ssh/sshd_config in a text editor:<code>vi /etc/ssh/sshd_config</code>
- Add or change the Ciphers option to list the ciphers to disable, comma-separated, without spaces and with a "-" prefix:<code>Ciphers -aes128-cbc,-aes256-cbc</code>
- Restart the sshd service:<code>systemctl restart sshd</code>
- Check the status of sshd:<code>systemctl status sshd</code>
- Test the connection with a disabled cipher:<code>ssh -c aes256-cbc localhost</code>
- That should now fail:<code>Unable to negotiate with ::1 port 22: no matching cipher found. Their offer: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com</code>
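Besides the single test connection, the complete effective cipher list can be checked with ''sshd -T'', which prints the configuration sshd actually uses, including anything the crypto policy passes in. The script below is an added example, not part of the original notes; the function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: list weak (CBC) ciphers in sshd's *effective* configuration.
# Input is the text printed by `sshd -T`; constructed samples are embedded below.

# Print every CBC-mode cipher found on the "ciphers" line, one per line.
weak_ciphers() {
    awk 'tolower($1) == "ciphers" {
             n = split($2, c, ",")
             for (i = 1; i <= n; i++)
                 if (c[i] ~ /-cbc$/ || c[i] ~ /-cbc@/) print c[i]
         }'
}

# Return 0 when no CBC cipher is offered; otherwise print them and return 1.
check_sshd_ciphers() {
    csc_weak=$(weak_ciphers)
    if [ -z "$csc_weak" ]; then
        return 0
    fi
    printf '%s\n' "$csc_weak"
    return 1
}

# Constructed sample: effective config while a crypto policy with CBC applies.
SAMPLE_BEFORE='port 22
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
macs hmac-sha2-256-etm@openssh.com'

# Constructed sample: same cipher list as the offer in the failed test above.
SAMPLE_AFTER='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com'

# On a live host (as root): sshd -T | check_sshd_ciphers
```

A non-zero exit status with cipher names on stdout means the scanner finding is still valid for that host.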
Sources:
* [[https://www.ins3cure.com/disabling-weak-ciphers-rhel8/|ins3cure.com - Disabling weak ciphers in SSH (RHEL8)]]
* [[https://access.redhat.com/articles/3666211|Red Hat - System-wide crypto policies in RHEL 8]]
* [[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening|Red Hat - Red Hat Enterprise Linux 8 - Security hardening - Chapter 4. Using system-wide cryptographic policies]]
=====Store systemd-journald logs permanently=====
By default CentOS 8 stores journald logs in memory (/run/log/journal/) if /var/log/journal/ does not exist, and /var/log/journal/ does not exist by default. \\
This means that after a reboot the logs from before that reboot are lost.
To set systemd-journald to preserve logs across reboots by storing them on disk:
- Install psmisc for 'killall':<code>dnf install psmisc</code>
- Create the directory:<code>mkdir /var/log/journal</code>
- Let systemd-tmpfiles set the permissions:<code>systemd-tmpfiles --create --prefix /var/log/journal</code>
- Send journald a SIGUSR1 to preserve the current log messages held in memory:<code>killall -s SIGUSR1 systemd-journald</code>
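The behaviour described above is journald's ''Storage=auto'' default: logs are persistent only when the journal directory exists. The function below is an added example, not part of the original notes, that reports the resulting mode so it can be audited across hosts; the function name is made up here, and it assumes only the main journald.conf is relevant (drop-ins under journald.conf.d/ are not read).

```shell
#!/bin/sh
# Added example: report where journald will store logs, following the
# Storage= semantics from journald.conf(5): "auto" (the default) is
# persistent only when the journal directory exists.
# Assumption: drop-in files under journald.conf.d/ are not considered.

# $1 = path to journald.conf, $2 = journal directory (/var/log/journal)
journal_storage_mode() {
    js_conf=$1
    js_dir=$2
    # A missing config file means every option is at its default.
    [ -r "$js_conf" ] || js_conf=/dev/null
    # The last uncommented Storage= assignment wins; default is "auto".
    js_mode=$(awk -F= '
        /^[ \t]*Storage[ \t]*=/ {
            gsub(/[ \t]/, "", $2); v = $2
        }
        END { print (v == "" ? "auto" : v) }' "$js_conf")
    case $js_mode in
        persistent|volatile|none)
            echo "$js_mode" ;;
        auto)
            if [ -d "$js_dir" ]; then echo persistent; else echo volatile; fi ;;
        *)
            echo "unknown:$js_mode"; return 1 ;;
    esac
}

# On a live host:
#   journal_storage_mode /etc/systemd/journald.conf /var/log/journal
```

A result of ''volatile'' means logs from before the last reboot are gone, which matters when reconstructing an incident timeline.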
Sources:
* [[https://blog.khmersite.net/2020/08/how-to-enable-persistent-logging-for-systemd-journal/|Kenno's Open Note - How to Enable Persistent Logging for Systemd Journal]]
* [[https://www.thegeeksearch.com/how-to-configure-the-system-journal-to-preserve-the-record-of-events-when-a-server-is-rebooted-centos-rhel/|The Geek Search - How to configure the system journal to preserve the record of events when a server is rebooted (CentOS/RHEL)]]