- Published on
RHEL 8 Auto Installation
- Authors
- Name
- Jackson Chen
#!/bin/bash
#
# Purpose:
# Red Hat 8.x Configuration
#
# Note:
# Remove carriage return
# sed -i -e 's/\r$//' /tmp/rhel_8_automated_installlation.sh
#
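# Ensure run script as root
# Abort early: every later step rewrites files under /etc and restarts services.
if (( EUID != 0 )); then
  # Diagnostics go to stderr so they are still seen when stdout is redirected.
  printf '%s\n' "Warning: You need to run this script as root" >&2
  exit 1
fi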
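#
# Mount RHEL 8 CD to /media/cdrom
#
echo -e "\n******************************************************************* "
echo " Mount RHEL 8 CD to /media/cdrom "
echo -e "******************************************************************* \n"
cdromDir=/media/cdrom
cdromDev=/dev/sr0
# Create the mount point when it is missing (the script already runs as root)
if [ ! -d "$cdromDir" ]; then
  mkdir -p -- "$cdromDir"
  echo "create directory $cdromDir"
else
  echo " $cdromDir already exist."
fi
# Unmount a stale mount if there is one; a failure here only means nothing was mounted
umount "$cdromDir" 2>/dev/null || true
# Alternative command:
# mount -t iso9660 -o ro /dev/sr0 /media/cdrom
#
# The local repo and every yum step below depend on the media, so a failed
# mount aborts the run instead of cascading into repo and install errors.
if ! mount "$cdromDev" "$cdromDir"; then
  printf 'Error: could not mount %s on %s\n' "$cdromDev" "$cdromDir" >&2
  exit 1
fi
ls -l "$cdromDir"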
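#
# Create RHEL 8 local repo
#
RHEL8Repo="/etc/yum.repos.d/rhel8.repo"
echo -e "\nCreate /etc/yum.repos.d/rhel8.repo"
# Write the whole repo definition at once.  The earlier copy of media.repo
# was overwritten by the first echo anyway, so it is not needed.
# gpgcheck stays enabled so packages are verified against the release key
# shipped on the media; the key path must exist on the mounted CD.
cat > "$RHEL8Repo" <<'EOF'
[local-base]
name=Local Base
baseurl=file:///media/cdrom/BaseOS
enabled=1
gpgcheck=1
gpgkey=file:///media/cdrom/RPM-GPG-KEY-redhat-release

[local-appstream]
name=Local AppStream
baseurl=file:///media/cdrom/AppStream
enabled=1
gpgcheck=1
gpgkey=file:///media/cdrom/RPM-GPG-KEY-redhat-release
EOF
# Repo files are world-readable by convention; no secrets in here
chmod 644 -- "$RHEL8Repo"
echo ""
# verify the newly created rhel8.repo file
if [ -f "$RHEL8Repo" ]; then
  cat -- "$RHEL8Repo"
else
  echo "${RHEL8Repo} does not exist"
fi
#
# Verify RHEL 8 repo content
#
echo -e "\nList RHEL 8 Repo Packages\n"
yum repolist -v
echo ""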
#
# Install required software packages
#
echo -e "\n******************************************************************* "
echo " Install required software packages "
echo -e "******************************************************************* \n"
# One logical group per line; the array is passed to yum as separate words
requiredPackages=(
  nc net-tools bind-utils chrony net-snmp tcpdump mlocate
  oddjob-mkhomedir xinetd yum-utils policycoreutils-python-utils
  sssd realmd adcli samba-common samba-common-tools
  krb5-workstation openldap-clients postfix
)
yum -y install "${requiredPackages[@]}"
#
# Remove iptables-services
#
echo -e "\n******************************************************************* "
echo " Remove iptables-services "
echo -e "******************************************************************* \n"
# firewalld is enabled later in this script and is the only firewall front end kept
yum remove -y iptables-services
#
# Enable required services
#
echo -e "\n******************************************************************* "
echo " Enable required services "
echo -e "******************************************************************* \n"
# Enabled and started in this order, with the same short pause after each
servicesToEnable=(xinetd chronyd snmpd auditd postfix firewalld)
for svc in "${servicesToEnable[@]}"; do
  echo "Enable $svc service"
  sudo systemctl enable "$svc" --now
  sleep 2
done
echo ""
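#
# Remove cockpit & dhcpv6-client from firewalld
#
echo -e "\n******************************************************************* "
echo " Remove not required firewall services "
echo -e "******************************************************************* \n"
echo "Remove cockpit from firewall-cmd"
firewall-cmd --permanent --remove-service=cockpit
echo "Remove dhcpv6-client from firewall-cmd"
firewall-cmd --permanent --remove-service=dhcpv6-client
# --permanent only edits the saved configuration; without a reload the running
# firewall keeps both services open until firewalld is next restarted.
firewall-cmd --reload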
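#
# Join Active Directory Domain
#
echo -e "\n******************************************************************* "
echo " Join Test.Local Domain "
echo -e "******************************************************************* \n"
sssdConf=/etc/sssd/sssd.conf
localDomain="local.net"
LinuxOU="ou=Linux,ou=_Servers,dc=test,dc=local"
domainAdminsGroup="Domain Admins"
LinuxAdmins="ROLp_LinuxAdmins"
# A single ping is only a reachability probe for the domain name
if ping -c 1 "$localDomain" >/dev/null 2>&1; then
  echo "Successfully ping $localDomain"
  if [ -f "$sssdConf" ]; then
    # sssd.conf exists only after a realm join, so check which domain it points at
    if grep -q "ad_domain = ${localDomain}" "$sssdConf"; then
      echo -e "\nSystem already join to domain: $localDomain\n"
      sudo realm list
    else
      echo -e "Please verify system domain join status, and fix realm join issue."
    fi
  else
    # Join the system to the domain when it has not been joined yet
    echo -e "\nPlease enter the privilege user name to join to domain: $localDomain"
    read -r user
    if [ "$user" != "" ]; then
      # realm join prompts for the password on its own, so it never appears on
      # the command line, in ps output or in shell history.
      # The join status is taken from realm itself: the original tested $?
      # after "sleep 3", which always succeeded.
      if realm join --user="$user" "$localDomain" --computer-ou="$LinuxOU"; then
        # Give sssd a moment to come up before querying realm state
        sleep 3
        # Authorize AD groups realm access
        echo -e "\nGrant Domain Admins and Linux_Admins realm access"
        # "$domainAdminsGroup" stays double quoted because the group name contains a space
        sudo realm permit --groups "$domainAdminsGroup"
        sudo realm permit --groups "$LinuxAdmins"
        # Verify realm status
        echo -e "\n******** Verify realm status, ensure Domain Admins and Linux_Admins are in Permitted-groups ********\n"
        sudo realm list
      else
        # Was $(localDomain), a command substitution that ran a non-existent command
        echo -e "\n\tFail to join computer to domain: ${localDomain}\n\tPlease manually join the computer the domain again."
      fi
    else
      echo -e "\n ******** No valid admin user name enter, please run the automated script again with valid admin user credential. *******"
    fi
  fi
else
  echo -e "Warning: No able to ping domain: $localDomain\nPlease join domain manually."
fi
# Debug
echo -e "\nPause for user to press ENTER to continue"
read -r user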
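#
# Update /etc/sudoers
# sed "a" appends a line after the match; -i edits the file in place
#
echo -e "\n******************************************************************* "
echo " Update /etc/sudoers "
echo -e "******************************************************************* \n"
sudoersFile=/etc/sudoers
# Private scratch copy: mktemp gives a 0600 file with an unpredictable name, so
# another local user cannot pre-create or swap a fixed /tmp path under a root process.
sudoersTmpFile=$(mktemp /tmp/sudoers.XXXXXX) || exit 1
# Copying onto the existing temp file keeps mktemp's restrictive mode
sudo cp -f -- "$sudoersFile" "$sudoersTmpFile"
# Group names come from the same variables used for "realm permit" above, so
# the sudoers entries match the groups that are actually allowed to log in
# (the original inserted "%LinuxAdmins", which is not the ROLp_LinuxAdmins group).
# sudoers needs the double quotes because "Domain Admins" contains a space.
if ! grep -q -- "%${domainAdminsGroup}" "$sudoersFile"; then
  sudo sed -i "/^%wheel/a \"%${domainAdminsGroup}\" ALL=(ALL) ALL\n\"%${LinuxAdmins}\" ALL=(ALL) ALL" "$sudoersTmpFile"
fi
#
# Verify the update & commit
#
echo "Verify $sudoersTmpFile and ensure \"%${domainAdminsGroup}\" and \"%${LinuxAdmins}\" have been added."
grep -- "%${domainAdminsGroup}" "$sudoersTmpFile"
grep -- "%${LinuxAdmins}" "$sudoersTmpFile"
# Replace sudoers only when visudo accepts the syntax; a broken sudoers locks everyone out of sudo
if sudo visudo -cf "$sudoersTmpFile"; then
  sudo cp -f -- "$sudoersTmpFile" "$sudoersFile"
  echo "$sudoersFile has been updated."
else
  echo "Error: Could not modify /etc/sudoers file, please update this manually." >&2
fi
# Do not leave a copy of the policy lying around in /tmp
rm -f -- "$sudoersTmpFile"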
# Debug
# echo -e "\nDebug: Pause for user to press ENTER"
# read user
# ***************************************************************************
# Important:
# /etc/sssd/sssd.conf is only created after the realm domain join
#***************************************************************************
#
# Update /etc/sssd/sssd.conf
# sed "c" replaces the whole matching line, "s" rewrites the part after the key
#
echo -e "\n******************************************************************* "
echo " Update /etc/sssd/sssd.conf "
echo -e "******************************************************************* \n"
sssdConf=/etc/sssd/sssd.conf
sssdConfTmp=/tmp/sssd.conf.bak
if [ -f "$sssdConf" ]; then
  sudo cp -f "$sssdConf" "$sssdConfTmp"
  # Home directories are created as /home/<user> rather than /home/<user>@<domain>
  sudo sed -i '/fallback_homedir/c\fallback_homedir = /home/%u' "$sssdConfTmp"
  # Each entry is "key value"; the value after " = " is rewritten wherever the key occurs.
  # cache_credentials/krb5_store_password_if_offline off: no offline logon with
  # cached AD credentials, so a domain controller must be reachable to log in.
  sssdSettings=(
    "use_fully_qualified_names False"
    "cache_credentials False"
    "krb5_store_password_if_offline False"
    "ldap_id_mapping True"
  )
  for entry in "${sssdSettings[@]}"; do
    key=${entry% *}
    value=${entry#* }
    sudo sed -i "s/\(${key}\).*/\1 = ${value}/g" "$sssdConfTmp"
  done
  #
  # Verify
  #
  echo "Verify: Ensure /etc/sssd/sssd.conf has been updated"
  for key in use_fully_qualified_names fallback_homedir cache_credentials krb5_store_password_if_offline ldap_id_mapping; do
    grep "$key" "$sssdConfTmp"
  done
  # Update /etc/sssd/sssd.conf and restart sssd service
  sudo cp -f "$sssdConfTmp" "$sssdConf"
  echo ""
  echo -e "\nPlease wait: restarting sssd service"
  sudo systemctl restart sssd
else
  echo "Error: Not able to locate /etc/sssd/sssd.conf file, please verify the file and update manaully."
fi
#
# Update /etc/postfix/main.cf
# sed "s" rewrites the value after the key; -i edits the file in place
#
echo -e "\n******************************************************************* "
echo " Update /etc/postfix/main.cf "
echo -e "******************************************************************* \n"
PostfixFile=/etc/postfix/main.cf
PostfixTmpFile=/tmp/main.cf.bak
# Work on a scratch copy, then copy it back once the change has been shown
sudo cp -f "$PostfixFile" "$PostfixTmpFile"
# Only the uncommented inet_protocols line (anchored with ^) is rewritten to ipv4;
# IPv6 is disabled via sysctl later in this script
sudo sed -i 's/^\(inet_protocols\).*/\1 = ipv4/g' "$PostfixTmpFile"
# Verify update
echo "Verify: ensure inet_protocols has set to ipv4"
grep "inet_protocols" "$PostfixTmpFile"
# Update main.cf and restart postfix service
sudo cp -f "$PostfixTmpFile" "$PostfixFile"
echo -e "\nPlease wait: restart postfix service"
sudo systemctl restart postfix
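#
# Update /etc/chrony.conf
# sed "i" inserts a line before the match; -i edits the file in place
#
echo -e "\n******************************************************************* "
echo " Update /etc/chrony.conf "
echo -e "******************************************************************* \n"
ChronyFile=/etc/chrony.conf
ChronyTmpFile=/tmp/chrony.conf.bak
ntpPoolLine="pool time iburst"
sudo cp -f "$ChronyFile" "$ChronyTmpFile"
if ! grep -q "$ntpPoolLine" "$ChronyTmpFile"; then
  # Insert the local time source before the stock "# Use public servers" comment ...
  sudo sed -i "/^# Use public servers /i ${ntpPoolLine}" "$ChronyTmpFile"
  # ... and fall back to appending when that anchor line is absent, so the
  # server is configured either way instead of silently skipped
  if ! grep -q "$ntpPoolLine" "$ChronyTmpFile"; then
    printf '%s\n' "$ntpPoolLine" >> "$ChronyTmpFile"
  fi
fi
# Verify update
echo "Verify: ensure chrony.conf has been updated"
grep "$ntpPoolLine" "$ChronyTmpFile"
# Update chrony.conf and restart chronyd service
sudo cp -f "$ChronyTmpFile" "$ChronyFile"
echo -e "\nPlease wait: restart chronyd service\n"
sudo systemctl restart chronyd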
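#
# Update /etc/logrotate.conf
# sed "c" replaces the whole matching line; -i edits the file in place
#
echo -e "\n******************************************************************* "
echo " Update /etc/logrotate.conf "
echo -e "******************************************************************* \n"
LogrotateFile=/etc/logrotate.conf
LogrotateTmpFile=/tmp/logrotate.conf.bak
sudo cp -f "$LogrotateFile" "$LogrotateTmpFile"
# Keep 8 rotations of each log and compress rotated logs
echo -e "Change rotate to 8 & uncomment compress"
sudo sed -i '/^rotate/c\rotate 8' "$LogrotateTmpFile"
sudo sed -i '/^#compress/c\compress' "$LogrotateTmpFile"
# Verify update (the messages used to say chrony.conf, copied from the block above)
echo -e "\nVerify: ensure logrotate.conf has been updated"
grep "^rotate" "$LogrotateTmpFile"
grep "^compress" "$LogrotateTmpFile"
# Update logrotate.conf; logrotate is run from cron, nothing to restart
sudo cp -f "$LogrotateTmpFile" "$LogrotateFile"
# debug only
# sudo logrotate -v -f ${LogrotateFile}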
#
# Update /etc/issue
#
echo -e "\n******************************************************************* "
echo " Update /etc/issue "
echo -e "******************************************************************* \n"
IssueFile=/etc/issue
IssueTmpFile=/tmp/issue.bak
sudo cp -f "$IssueFile" "$IssueTmpFile"
# Pre-login banner: header line, then the authorised-use notice
HeaderTxt=" ***SECURITY WARNING*** "
BodyTxt="This is a private computer system and is for the use of authorised users only."
printf '%s\n%s\n' "$HeaderTxt" "$BodyTxt" > "$IssueTmpFile"
# Show the new banner, then install it
cat "$IssueTmpFile"
sudo cp -f "$IssueTmpFile" "$IssueFile"
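#
# Configure and enable audit
# Note: These sample rule files are only valid for RHEL 8.x
#
echo -e "\n******************************************************************* "
echo " Configure and enable audits "
echo -e "******************************************************************* \n"
auditSampleDir=/usr/share/audit/sample-rules
auditRulesDir=/etc/audit/rules.d
# Base config, the STIG rule set, then the finalize file that locks the rules
auditRules=(10-base-config.rules 30-stig.rules 99-finalize.rules)
for rule in "${auditRules[@]}"; do
  # The original printed the directory three times instead of the file names
  echo "Create ${auditRulesDir}/${rule}"
  cp -f -- "${auditSampleDir}/${rule}" "$auditRulesDir" \
    || echo "Warning: ${auditSampleDir}/${rule} could not be copied" >&2
done
#
# Update /etc/audit/rules.d/99-finalize.rules
#
finalizeFile=/etc/audit/rules.d/99-finalize.rules
finalizeTmpFile=/tmp/99-finalize.rules.bak
sudo cp -f "$finalizeFile" "$finalizeTmpFile"
# Uncomment "-e 2": once loaded, the audit configuration is immutable and any
# further rule change needs a reboot, which is why it sits in the last rule file
sudo sed -i '/^#-e 2/c\-e 2' "$finalizeTmpFile"
# Verify and commit changes
echo -e "\nVerify 99-finalize.rules update"
# "--" is required: without it grep parsed "-e 2" as its own -e option
grep -- "-e 2" "$finalizeTmpFile"
sudo cp -f "$finalizeTmpFile" "$finalizeFile"
# The rules.d files are assembled by augenrules when auditd starts, i.e. at the
# reboot this script ends with; auditd itself was enabled earlier in this script.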
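#
# Enable and configure application whitelisting (fapolicyd)
# Note: These steps are only valid for RHEL 8.x
#
echo -e "\n******************************************************************* "
echo " Enable and configuring application whitelisting "
echo -e "******************************************************************* \n"
echo -e "Install fapolicyd\n"
dnf -y install fapolicyd
fapolicydMounts=/etc/fapolicyd/fapolicyd.mounts
fapolicydDir=${fapolicydMounts%/*}
# Create fapolicyd.mounts file
echo "Create $fapolicydMounts"
# List the mount points (field 3 of mount(8) output) of the local filesystems
# fapolicyd should watch; any existing content is overwritten.
# NOTE(review): newer fapolicyd releases replace fapolicyd.mounts with the
# watch_fs setting in fapolicyd.conf — confirm which one the target 8.x release reads.
if [ -d "$fapolicydDir" ]; then
  mount | grep -E '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' > "$fapolicydMounts"
else
  echo "Warning: $fapolicydDir does not exist (did the fapolicyd install fail?), skipping" >&2
fi
# Enable fapolicyd service
echo -e "Enable fapolicyd\n"
# Once enforcing, binaries and scripts outside the trusted set (rpm database plus
# the fapolicyd trust file) may be denied, including unpackaged scripts under /mnt/scripts.
sudo systemctl enable --now fapolicyd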
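#
# Configure /etc/ssh/sshd_config
#
echo -e "\n******************************************************************* "
echo " Configure /etc/ssh/sshd_config "
echo -e "******************************************************************* \n"
sshdConfig=/etc/ssh/sshd_config
sshdConfigTmp=/tmp/sshd_config.bak
# Edit a scratch copy so a failed validation never touches the live config
sudo cp -f "$sshdConfig" "$sshdConfigTmp"
#
# Note:
# a. Set "PermitRootLogin yes" during the initial installation
# b. After verification to ensure the new RHEL server has been fully configured, then
# c. Run "disable_root_ssh.sh" to disable root ssh access
#
# sed "c" replaces the whole matching line, so a commented "#PermitRootLogin yes"
# becomes active as well
sudo sed -i '/PermitRootLogin yes/c\PermitRootLogin yes' "$sshdConfigTmp"
sudo sed -i '/^#AllowAgentForwarding/c\AllowAgentForwarding no' "$sshdConfigTmp"
sudo sed -i '/^#AllowTcpForwarding/c\AllowTcpForwarding no' "$sshdConfigTmp"
sudo sed -i '/^X11Forwarding/c\X11Forwarding no' "$sshdConfigTmp"
sudo sed -i '/^#ClientAliveInterval/c\ClientAliveInterval 30' "$sshdConfigTmp"
sudo sed -i '/^#ClientAliveCountMax /c\ClientAliveCountMax 3' "$sshdConfigTmp"
# Lines appended after "#Banner"; double quotes in the sed script so the variables expand
bannerTxt="Banner /etc/issue"
MACsTxt="MACs hmac-sha2-512,hmac-sha2-256"
CiphersTxt="Ciphers aes256-ctr,aes192-ctr,aes128-ctr"
KexAlgorithmsTxt="KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"
# NOTE(review): on RHEL 8 sshd also receives cipher/MAC/kex settings from the
# system-wide crypto policy (CRYPTO_POLICY in /etc/sysconfig/sshd); confirm which
# of the two takes precedence on the target release before relying on these lines.
if ! grep -q "/etc/issue" "$sshdConfigTmp"; then
  sudo sed -i "/^#Banner/a $bannerTxt\n$MACsTxt\n$CiphersTxt\n$KexAlgorithmsTxt" "$sshdConfigTmp"
fi
# Verify sshd_config update
echo -e "Verify: ensure sshd_config has been updated\n"
for key in PermitRootLogin AllowAgentForwarding AllowTcpForwarding X11Forwarding \
           ClientAliveInterval ClientAliveCountMax Banner MACs Ciphers KexAlgorithms; do
  grep "^${key}" "$sshdConfigTmp"
done
# Install the new config only if sshd accepts it: a syntax error would otherwise
# leave the host without SSH after the reboot at the end of this script.
if sudo sshd -t -f "$sshdConfigTmp"; then
  sudo cp -f "$sshdConfigTmp" "$sshdConfig"
  # Restart sshd (the original restarted sssd here, so the new config was never applied)
  echo -e "\nPlease wait: restart sshd service"
  sudo systemctl restart sshd
else
  echo "Error: $sshdConfigTmp failed sshd -t validation, $sshdConfig left unchanged." >&2
fi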
#
# Update /etc/snmp/snmpd.conf
#
echo -e "\n******************************************************************* "
echo " Update /etc/snmp/snmpd.conf "
echo -e "******************************************************************* \n"
snmpdConfig=/etc/snmp/snmpd.conf
snmpdConfigTmp=/tmp/snmpd.conf.bak
sudo cp -f "$snmpdConfig" "$snmpdConfigTmp"
# Add the read-only SNMPv3 user once.  "rouser" only grants access; the user
# itself (and its auth/priv keys) has to exist separately, see snmpd.conf(5).
grep -q "LinuxAdmins" "$snmpdConfigTmp" || printf '\nrouser LinuxAdmins\n' >> "$snmpdConfigTmp"
# Verify snmpd.conf update
echo "Verify snmpd.conf update"
grep "LinuxAdmins" "$snmpdConfigTmp"
# Update /etc/snmp/snmpd.conf
sudo cp -f "$snmpdConfigTmp" "$snmpdConfig"
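#
# Important
#
#
echo -e "\n******************************************************************* "
echo " !!!! Danger and Important !!!! "
echo " !!!! You are changing /etc/fstab !!!! "
echo " !!!! System Could Become Unusable !!!! "
echo -e "******************************************************************* \n"
fstabConfig=/etc/fstab
fstabConfigTmp=/tmp/fstab.bak
# Full date and time so every run keeps its own backup
# (the original "%M" was minute-of-hour, not the month)
backupDate=$(date +%Y%m%d-%H%M%S)
hardenedOptions="noexec,nosuid,nodev"
#
# Important
# Backup /etc/fstab
#
backupDir=/root/fstab_backup
[ -d "$backupDir" ] || sudo mkdir -- "$backupDir"
cp -f -- "$fstabConfig" "${backupDir}/fstab.${backupDate}.backup"
# Rewrite the mount options (field 4) of the listed mount points.  NF==6 leaves
# comments and malformed lines untouched.  Existing options on those lines are
# replaced, not merged, so anything else set there is lost.
# NOTE(review): noexec on /var and /tmp denies execution of anything stored
# under those trees; confirm the workloads on this host tolerate it.
awk -v opts="$hardenedOptions" '
(NF==6)&&($2=="/home") {$4=opts}
(NF==6)&&($2=="/tmp") {$4=opts}
(NF==6)&&($2=="/var") {$4=opts}
(NF==6)&&($2=="/var/log") {$4=opts}
(NF==6)&&($2=="/var/log/audit") {$4=opts}
{print}
' "$fstabConfig" > "$fstabConfigTmp"
# Verify fstab changes
echo -e "Verify: /etc/fstab update\n"
grep "/home" "$fstabConfigTmp"
grep "/tmp" "$fstabConfigTmp"
grep "/var" "$fstabConfigTmp"
# Dry-run "mount -a" against the CANDIDATE file.  The original ran it against
# the live /etc/fstab, which had not been changed yet, so it verified nothing.
echo -e "\nVerify: Verify mount filesystems"
sudo mount -fav --fstab "$fstabConfigTmp"
# Ask for confirmation
echo -e "\n*************** Ask your for confirmation of /etc/fstab update ***************"
echo -e "\n ----- Press ENTER to continue update /etc/fstab ------ "
echo -e "\n !!!!! Press ANY other key to cancel update /etc/fstab !!!!! \n"
echo -e "*******************************************************************************\n"
read -r user
if [ -n "$user" ]; then
  echo -e "*************** Please update /etc/fstab manually. *************************\n"
else
  cp -f -- "$fstabConfigTmp" "$fstabConfig"
  echo -e "Updating /etc/fstab\n"
  sudo systemctl daemon-reload
  # mount -a skips filesystems that are already mounted, so the new options
  # become effective at the reboot this script ends with
  sudo mount -a
fi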
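#
# Create /etc/sysctl.d/10-black.conf file
#
echo -e "\n******************************************************************* "
echo " Create /etc/sysctl.d/10-black.conf "
echo -e "******************************************************************* \n"
BLACK10CONF=/etc/sysctl.d/10-black.conf
if [ -f "$BLACK10CONF" ]; then
  echo "Info: /etc/sysctl.d/10-black.conf file already exist. The content will be overrided."
fi
# The redirection below creates the file when it is missing, so the separate
# "touch" is not needed.
echo "Update file content - /etc/sysctl.d/10-black.conf"
# Kernel network hardening: no IP forwarding, no source routing, ICMP redirects
# neither accepted nor sent, broadcast pings ignored, IPv6 disabled.
# The file is read at boot (this script ends with a reboot); to apply earlier
# run "sysctl --system" — note that disabling IPv6 live drops any IPv6 session.
cat > "$BLACK10CONF" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF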
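#
# Configure certificate
#
echo -e "\n******************************************************************* "
echo " Install root CA and Issuing CA SSL certificate "
echo -e "******************************************************************* \n"
localRCA=/mnt/scripts/local_RCA.cer
localICA=/mnt/scripts/local_ICA.cer
anchorsDir=/etc/pki/ca-trust/source/anchors
RCAinAnchors="$anchorsDir/local_RCA.cer"
ICAinAnchors="$anchorsDir/local_ICA.cer"
# Set to 1 when a certificate was actually copied into the anchors directory
anchorsChanged=0

#######################################
# Copy one CA certificate into the system anchors directory unless it is already there.
# Globals:   anchorsDir (read), anchorsChanged (written)
# Arguments: $1 - label used in messages ("Root" / "Issuing")
#            $2 - source certificate path
#            $3 - expected path inside the anchors directory
#######################################
install_anchor() {
  local label=$1 src=$2 dest=$3
  if [ -f "$dest" ]; then
    # The original printed $RCAinAnchors for both certificates
    echo "local.net $label Certificate already been added to certificate store: $dest"
  elif [ -f "$src" ]; then
    echo -e "\nUpdate local.net $label CA SSL certificate to $anchorsDir"
    sudo cp -- "$src" "$anchorsDir"
    anchorsChanged=1
  else
    echo -e "\nWarning: local.net $label CA certificate does not exist, please manually upload to $anchorsDir"
  fi
}

# Upload local.net Root CA certificate
install_anchor "Root" "$localRCA" "$RCAinAnchors"
# Upload local.net Issuing CA certificate
install_anchor "Issuing" "$localICA" "$ICAinAnchors"
# Copying into anchors/ is not enough on its own: the consolidated trust bundles
# are only regenerated by update-ca-trust, so run it when something was added.
if [ "$anchorsChanged" -eq 1 ]; then
  sudo update-ca-trust extract
fi
# Verify local root and issuing CA certificates have been successfully uploaded
echo -e "\nVerify system certificate store $anchorsDir\nEnsure both root certificate and intermediate certificate exist."
find "$anchorsDir" -name "local_RCA.cer"
find "$anchorsDir" -name "local_ICA.cer"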
#
# Finish
#
echo -e "\n\n--------------------------------------------------------------------------\n"
echo -e "\n !!!! The required tasks have been completed. !!!! "
echo -e "\n !!!!! Press ENTER to RESTART Computer !!!!! "
echo -e " OR "
echo -e " !!!!! Press ANY other Key to Manually Reboot Computer !!!!! "
echo -e "-----------------------------------------------------------------------------\n"
read user
# Anything other than a bare ENTER leaves the reboot to the operator
if [ -n "$user" ]; then
  exit 1
fi
echo -e "Please wait: Rebooting System...."
sleep 3
sudo shutdown -r now
Failed to run bash script
When trying to run the bash script, you may get the following error:
`/bin/bash^M: bad interpreter: No such file or directory` — the script has Windows (CRLF) line endings, so the shebang line ends in a carriage return and the kernel looks for an interpreter named `/bin/bash^M`.
How to fix the issue
# Run following command in terminal
# Strip the trailing carriage return from every line so the shebang reads /bin/bash again
sed -i -e 's/\r$//' scriptname.sh
# Then try to run the script again
./scriptname.sh
Disable root SSH login
#!/bin/bash
#
# Purpose:
# Disable root ssh permission
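# Ensure run script as root
# Abort early: sshd_config is root-owned and sshd is restarted below.
if (( EUID != 0 )); then
  # Diagnostics go to stderr so they are still seen when stdout is redirected.
  printf '%s\n' "Warning: You need to run this script as root" >&2
  exit 1
fi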
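#
# Configure /etc/ssh/sshd_config
#
echo -e "\n******************************************************************* "
echo " Configure /etc/ssh/sshd_config "
echo -e "******************************************************************* \n"
sshdConfig=/etc/ssh/sshd_config
sshdConfigTmp=/tmp/sshd_config.bak
# Build the scratch copy straight from the live file (the previous cp was
# overwritten by this redirection anyway): every uncommented PermitRootLogin
# line gets the value "no"; comment lines are printed unchanged.
awk '
$1=="PermitRootLogin" {$2="no"}
{print}
' "$sshdConfig" > "$sshdConfigTmp"
# Verify sshd_config update
echo -e "\nVerify: ensure sshd_config has been updated"
grep "^PermitRootLogin" "$sshdConfigTmp"
# Install the new config only if sshd accepts it; the host reboots right after,
# so a broken sshd_config would mean no SSH access at all.
if sudo sshd -t -f "$sshdConfigTmp"; then
  sudo cp -f "$sshdConfigTmp" "$sshdConfig"
  # Restart sshd, not sssd: sssd does not read sshd_config
  sudo systemctl restart sshd
  echo -e "\nPlease wait: restart the system for final verification.\nPlease verify login after system reboot."
  sleep 2
  sudo reboot
else
  echo "Error: $sshdConfigTmp failed sshd -t validation, $sshdConfig left unchanged; not rebooting." >&2
  exit 1
fi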
#
# realm commands to add and remove permitted groups
# Replace <group name> with the AD group; keep the double quotes when the name contains spaces.
# Permitted groups are the only ones allowed to log in once "realm permit" is in use; re-check with "realm list".
#
realm permit --groups "<group name>" # Permit group
realm permit --withdraw --groups "<group name>" # Remove group from permitted group list