RRD Setup Example 1

Here is what I did to get the web control units to report back to RRDTool

First create the database:


# rrdtool create office_temp.rrd -s 300 DS:temp:GAUGE:900:-55:125 RRA:AVERAGE:0.5:1:576 RRA:AVERAGE:0.5:6:672 RRA:AVERAGE:0.5:24:732 RRA:AVERAGE:0.5:144:1460


Then the script to pull the data:



# get the EPOCH date


DATE=$(/bin/date +%s)


# get temp. Change this to correct location probably /etc/temperatures/


TEMP=$(/bin/cat /etc/temperature/buildings/office/office_temp.txt)


# get to the right directory this is most likely the directory above


cd /etc/temperature/buildings/office/


# get the date from the web control unit for sensor 1.


wget --http-user=office --http-password=1qazxsw2


# cat it to a file


cat gett1.cgi > office_temp


# get rid of everything but the numbers


cat office_temp | sed 's/[A-Za-z%]*//g' > office_temp.txt


# remove the original file


rm -f gett1.cgi


# get it into rrd


rrdtool update ../office_temp.rrd $DATE:$TEMP


# create Daily graph


rrdtool graph /var/www/html/temperatures/buildings/office_temp_day.png -s -1day DEF:shop=../office_temp.rrd:temp:AVERAGE LINE1:shop#FF9900 -h 400 -w 600 -y1:2 --color GRID#dddddd --color MGRID#aaaaaa


# create Weekly graph


rrdtool graph /var/www/html/temperatures/buildings/office_temp_week.png -s -1week DEF:shop=../office_temp.rrd:temp:AVERAGE LINE1:shop#FF9900 -h 400 -w 600 -y1:2 --color GRID#dddddd --color MGRID#aaaaaa


# create monthly graph


rrdtool graph /var/www/html/temperatures/buildings/office_temp_month.png -s -1month DEF:shop=../office_temp.rrd:temp:AVERAGE LINE1:shop#FF9900 -h 400 -w 600 -y1:2 --color GRID#dddddd --color MGRID#aaaaaa


# create Yearly graph


rrdtool graph /var/www/html/temperatures/buildings/office_temp_year.png -s -1year DEF:shop=../office_temp.rrd:temp:AVERAGE LINE1:shop#FF9900 -h 400 -w 600 -y1:2 --color GRID#dddddd --color MGRID#aaaaaa


Then Create the web page:


<!DOCTYPE html>



<meta http-equiv="refresh" content="120">

<p><b>Office Temperature Daily Graph.</b></p>

<IMG SRC="buildings/office_temp_day.png" ALT="Daily Office Humidity Graph" WIDTH=600 HEIGHT=400>




Maintenance Stuff


To remove drops or spikes first dump the database to XML:


sudo rrdtool dump shop_temp.rrd shop_temp.xml


Then Edit out the bad data:


sudo vi shop_temp.xml


Save off the original database:


sudo mv shop_temp.rrd shop_temp.rrd.evo


Last restore the database:


sudo rrdtool restore shop_temp.xml shop_temp.rrd

Nagios / NRPE

##Install NRPE and Plugins make sure you have access to EPEL if RHEL/CentOS

sudo yum install nrpe nagios-plugins-all
sudo apt-get install nagios-nrpe-server nagios-plugins

##Then vi /etc/nagios/nrpe.cfg to point to our server:


##I had to comment out the server address


##Make sure our commands look like this to begin with

command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_root]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/mapper/vg_mul4-lv_root
command[check_boot]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/sda1
command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w 220 -c 320
command[check_swap]=/usr/lib64/nagios/plugins/check_swap -w 20 -c 10
command[check_ntp_time]=/usr/lib64/nagios/plugins/check_ntp_time -H 0.centos.pool.ntp.org -w 0.5 -c 1

##Check your config

sudo nagios -v /etc/nagios/nagios.cfg

##Open Firewall

sudo firewall-cmd --zone=public --add-port=5666/tcp --permanent

##Restart Firewall

sudo systemctl restart firewalld.service

## Set SELinux

sudo /sbin/restorecon -v /etc/nagios/nrpe.cfg

##Start the service and enable it

sudo systemctl start nrpe
sudo systemctl enable nrpe


## For Custom Command ##


##Copy the below to /usr/lib64/nagios/plugins/check_mcafee:

#!/bin/bash
#Get to the right directory
#Set a couple variables
REPO=$(curl -ls http://vscl-repo.aac.va.gov/vscl/ | grep zip | cut -d"-" -f2 | cut -d"." -f1)
SYSTEM=$(/usr/local/bin/uvscan --VERSION | grep Dat | cut -d":" -f2 | cut -d" " -f2)

#Find the difference
MATH=$((REPO - SYSTEM))

#The case patterns below are assumed thresholds; the original ones are missing from this page
case $MATH in
0)
echo "OK - $REPO Mcafee is Current."
exit 0
;;
1)
echo "WARNING - Mcafee is $MATH version behind. Current Installed Version $SYSTEM. $REPO Available"
exit 1
;;
[2-9]|[1-9][0-9]*)
echo "CRITICAL - Mcafee is $MATH versions behind. Current Installed Version $SYSTEM. $REPO Available"
exit 2
;;
*)
echo "UNKNOWN - Mcafee is $MATH versions behind. Current Installed Version $SYSTEM."
exit 3
;;
esac

##Make root the owner

chown root:root /usr/lib64/nagios/plugins/check_mcafee

##Make it executable

chmod 755 /usr/lib64/nagios/plugins/check_mcafee

##in host /etc/nagios/nrpe.cfg add to the command section:


##test by running

OK - 7730 Mcafee is Current.

##set up nagios to receive

##Define new command in /etc/nagios/objects/commands.cfg

define command{
        command_name    check_mcafee
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_mcafee
}

##To change an individual service check interval add the ‘normal_check_interval’ and ‘notification_interval’ to the service.cfg file. The interval is in minutes, in the below example it is 720 which is 12 hours.

##In the service.cfg file:

#check McAfee##

define service {
        use                         generic-service
        host_name                   vaauslbe126
        service_description         Check McAfee Anti Virus
        check_command               check_nrpe!check_mcafee
        normal_check_interval       720
        notification_interval       720
}



##What I had to do to get it installed:

##Make Sure the /etc/hosts is right          mul72.hohenfels.com mul72 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1                mul72.hohenfels.com mul72 localhost localhost.localdomain localhost6 localhost6.localdomain6       mul72.hohenfels.com mul72

##Made Sure everything was updated

sudo yum update

##Ran the Installer: Made sure under capsule (4) that TFTP was set to TRUE and that the DNS settings are correct.

sudo katello-installer -i
Welcome to the Kafo installer!

This wizard will gather all required information. You can change any parameter
to your needs.

Ready to start? (y/n)

Main Config Menu
1. [?] Configure certs
2. [?] Configure katello
3. [?] Configure foreman
4. [?] Configure capsule
5. [?] Configure foreman_plugin_bootdisk
6. [?] Configure foreman_plugin_discovery
7. [?] Configure foreman_plugin_hooks
8. [?] Configure foreman_plugin_tasks
9. [?] Configure foreman_plugin_chef
10. [?] Configure foreman_plugin_default_hostgroup
11. [?] Configure foreman_plugin_puppetdb
12. [?] Configure foreman_plugin_setup
13. [?] Configure foreman_plugin_templates
14. Display current config
15. Save and run
16. Cancel run without Saving

Change all to a check and change 1

15 to go

##To get LibVirt/KVM going as a Compute Resource:

To provision systems on KVM using Red Hat Satellite 6 follow the below steps
  • Create a .ssh directory under /usr/share/foreman and assign permissions as below.
[user@satellite ~]# sudo mkdir /usr/share/foreman/.ssh
[user@satellite ~]# sudo chmod 700 /usr/share/foreman/.ssh
[user@satellite ~]# sudo chown foreman:foreman /usr/share/foreman/.ssh
  • Create ssh keys for foreman user to login to the KVM host.
[user@satellite ~]# sudo su - foreman -s /bin/bash

bash-4.1$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/usr/share/foreman/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /usr/share/foreman/.ssh/id_rsa.
Your public key has been saved in /usr/share/foreman/.ssh/id_rsa.pub.
The key fingerprint is:
48:d2:f5:5b:2a:63:7e:ae:a3:c6:31:54:d2:33:21:25 foreman@satellite.example.com
The key's randomart image is:
+--[ RSA 2048]----+
|      Eo+.       |
|     ..+=.       |
|    . oo o. .    |
|     o..   +     |
|     .. S o      |
|      oo o       |
|     . o. .      |
|      o .o       |
|     ....o.      |

bash-4.1$ ssh-copy-id root@kvm.example.com
The authenticity of host 'kvm.example.com (' can't be established.
RSA key fingerprint is b8:4c:bf:8a:df:70:e1:2b:71:a1:6f:0a:d2:f9:2f:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kvm.example.com' (RSA) to the list of known hosts.
root@kvm.example.com's password: 
Now try logging into the machine, with "ssh 'root@kvm.example.com'", and check in:


to make sure we haven't added extra keys that you weren't expecting.

bash-4.1$ ssh root@kvm.example.com
Last login: Fri Dec  5 23:34:35 2014 from host.example.com

[root@kvm ~]# exit
  • If SELinux is in enforcing mode, then restore the SELinux context for /usr/share/foreman/.ssh/ folder.
[user@satellite ~]# sudo restorecon -Rv /usr/share/foreman/.ssh/
  • Make sure that KVM packages are installed on the KVM host and libvirtd service is running.
[user@kvm ~]# sudo service libvirtd status   -----> On RHEL 6
[user@kvm ~]# sudo systemctl status libvirtd.service   -----> On RHEL 7

Note: If KVM is not installed, install the packages as below on the KVM host

[user@kvm ~]#sudo yum install qemu-kvm libvirt virt-install bridge-utils virt-manager -y
  • Start the libvirtd service as below
[user@kvm ~]#sudo service libvirtd start   -----> on RHEL 6
[user@kvm ~]#sudo systemctl start libvirtd.service   -----> on RHEL 7
  • Enable the libvirtd service on boot
[user@kvm ~]#sudo chkconfig libvirtd on    ---> on RHEL 6
[user@kvm ~]#sudo systemctl enable libvirtd.service ---> on RHEL 7
  • On the Satellite 6 web UI -> Infrastructure -> Compute resources -> click on New Compute Resource
    Specify Name -> My KVM Host
    Select Provider -> Libvirt
    Specify URL -> qemu+ssh://root@kvm.example.com/system
    Click Test Connection
  • Finally provision a host using the above created Libvirt compute resource.


##Setting up HammerCLI

##Create the Directories

mkdir ~/.hammer
chmod 700 ~/.hammer

##Create a cli_config.yml file in the new directory

vi ~/.hammer/cli_config.yml
       :host: 'https://xxx'
       :username: 'admin'
       :password: 'xxx'

##Run it:

hammer shell

##I was getting a pulp-admin ssl error

 pulp-admin -u erik -p password tasks cancel --task-id "7aa48f52-a6be-4c08-9810-16dd3a06d930"
WARNING: The server's SSL certificate is untrusted!

The server's SSL certificate was not signed by a trusted authority. This could
be due to a man-in-the-middle attack, or it could be that the Pulp server needs
to have its certificate signed by a trusted authority. If you are willing to
accept the associated risks, you can set verify_ssl to False in the client
config's [server] section to disable this check.

Here is how I fixed it – Not Secure:

Pulp has a setting called verify_ssl in these files: /etc/pulp/admin/admin.conf, /etc/pulp/consumer/consumer.conf, /etc/pulp/nodes.conf, and /etc/pulp/repo_auth.conf. If you configure these settings to false, the respective Pulp components will no longer validate the Pulp server's certificate signature.

REF: https://github.com/pulp/pulp/blob/master/docs/user-guide/installation.rst
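
An added check, not part of the original notes or of Pulp itself: it reports which of the config files named above have verify_ssl switched off, so hosts where this workaround was applied can be found and moved back to a trusted CA. Treating false/no/off/0 as "disabled" is an assumption about how the value is parsed, and the sample files are constructed.

```sh
#!/bin/sh
# Added example: find Pulp config files where certificate checking is off.

# verify_ssl_disabled FILE
# Exit 0 if FILE has an active (uncommented) verify_ssl line set to a
# false-like value, exit 1 otherwise. Accepts "key: value" and "key = value".
verify_ssl_disabled() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*verify_ssl[ \t]*[:=]/ {
            v = $0
            sub(/^[^:=]*[:=][ \t]*/, "", v)         # drop the key and separator
            sub(/[ \t\r]+$/, "", v)                 # drop trailing whitespace
            v = tolower(v)
            # Assumed false-like spellings.
            if (v == "false" || v == "no" || v == "off" || v == "0") off = 1
        }
        END { exit (off ? 0 : 1) }
    ' "$1"
}

# audit_pulp_tls FILE...
# Prints one line per readable file that disables verification and
# returns 1 if any was found, 0 otherwise.
audit_pulp_tls() {
    status=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        if verify_ssl_disabled "$f"; then
            echo "INSECURE: $f sets verify_ssl to false"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample files (not real Pulp configs) to exercise the check.
demo_dir=$(mktemp -d)
printf '[server]\nhost: pulp.example.com\nverify_ssl: False\n' > "$demo_dir/admin.conf"
printf '[server]\n# verify_ssl: False\nverify_ssl: True\n' > "$demo_dir/consumer.conf"
audit_pulp_tls "$demo_dir/admin.conf" "$demo_dir/consumer.conf" || true

# On a real host, pass the paths from the text above:
# audit_pulp_tls /etc/pulp/admin/admin.conf /etc/pulp/consumer/consumer.conf \
#                /etc/pulp/nodes.conf /etc/pulp/repo_auth.conf
```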


Satellite – Spacewalk Info

## To get the boot strap working on a pre-installed server I added the below to the bootstrap file ##

For RHEL/CentOS7:

yum -y install
yum -y install http://fedora-epel.mirror.lstn.net/7/x86_64/e/epel-release-7-2.noarch.rpm
yum -y install rhn-setup rhn-client-tools

For RHEL/CentOS6:

yum -y install
yum -y install http://fedora-epel.mirror.lstn.net/6/x86_64/epel-release-6-8.noarch.rpm
yum -y install rhn-setup rhn-client-tools

Adding common channels the easy way:

spacewalk-common-channels -v -n -u satadmin -p password -a x86_64 'spacewalk*'

Get a list of common channels available:

spacewalk-common-channels -l

Creating a bootable ISO with Cobbler

##First List Cobbler Profiles##

sudo cobbler list profiles






##Then build the ISO##

sudo cobbler buildiso --profiles=Hohenfels_Basic_7:1:SpacewalkDefaultOrganization --iso=output_dir_here

##For Multiple Profiles##

sudo cobbler buildiso --profiles="Hohenfels_Basic_7:1:SpacewalkDefaultOrganization, Hohenfels_Default_7:1:SpacewalkDefaultOrganization"

#To Clean Up the DB

sudo spacewalk-data-fsck -r -v

vacuumdb -aef (su - postgres)

##To delete a server from using Spacewalk

##Delete the server from the WebGUI

##On the Client:

sudo vi /etc/yum/pluginconf.d/rhnplugin.conf

##And change:

enabled = 1

##To:

enabled = 0


sudo rm -rf /etc/sysconfig/rhn/systemid

##Remove the spacewalk repos if they are there:

sudo rm /etc/yum.repos.d/spacewalk-client*

# How to remove Channels from the Sat

/usr/bin/spacewalk-remove-channel -c channel_name




##Setting up Centralized Logging:


##The Only things I changed:

#Did not want to install too many packages

sudo yum install rsyslog-mysql

#URL to the latest:

wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.6.tar.gz

 #To stop excessive logging

#For snmp I created a file called snmp.conf located in /etc/rsyslog.d/

:msg, contains, "Connection from UDP" stop 
:programname, contains, "snmpd" -/var/log/snmpd.log
& stop

#Don't log any messages that contain “Connection from UDP”

:msg, contains, "Connection from UDP" stop

#The rest of messages created by the program snmpd put in its own log

:programname, contains, "snmpd" -/var/log/snmpd.log
& stop

On RHEL CentOS 6 put the same info directly in /etc/rsyslog.conf and replace ‘stop’ with ~

:msg, contains, "Connection from UDP" ~ 
:programname, contains, "snmpd" -/var/log/snmpd.log
& ~


Could not reliably determine the server’s fully qualified domain name

I had a server where every time I restarted the httpd service I got “Could not reliably determine the server’s fully qualified domain name”. To fix it I created a file called fqdn.conf in /etc/httpd/conf.d/

$ sudo vi /etc/httpd/conf.d/fqdn.conf

and add:

ServerName mul1.hohenfels.com


$ sudo service httpd restart

$ sudo systemctl restart httpd

And everything should come back up clean

Setting up https on RHEL and CentOS 6 and 7

Here is how to get HTTPS/SSL working on Red Hat/CentOS 6 and 7

$ sudo yum install mod_ssl openssl

Now let’s generate our own self signed Certificate:

Generate private key

$ sudo openssl genrsa -out ca.key 2048


Generate CSR

$ sudo openssl req -new -key ca.key -out ca.csr


Generate Self Signed Certificate


$ sudo openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt


Copy the files to the correct locations

$ sudo cp ca.crt /etc/pki/tls/certs

$ sudo cp ca.key /etc/pki/tls/private/ca.key

$ sudo cp ca.csr /etc/pki/tls/private/ca.csr


Next up, modify the ssl.conf file:

$ sudo vi /etc/httpd/conf.d/ssl.conf

Change the path to match where the certificate file is stored. If you’ve used the method above it will be:

 SSLCertificateFile /etc/pki/tls/certs/ca.crt

Then set the correct path for the Certificate Key File a few lines below. If you’ve followed the instructions above it is:

 SSLCertificateKeyFile /etc/pki/tls/private/ca.key

While we are in there let’s take care of the latest Poodle Vulnerability: (if needed)

 SSLProtocol all -SSLv2 -SSLv3

 Restart web service:

$ sudo service httpd restart

$ sudo systemctl restart httpd
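
An added example, not from the original post: it lists every SSLProtocol directive in a config file that still leaves SSLv3 enabled after the edit above, evaluating the tokens left to right. It assumes that "all" includes SSLv3, as on the httpd builds this POODLE change targets; the sample config is constructed.

```sh
#!/bin/sh
# Added example: flag SSLProtocol directives that still allow SSLv3.

# sslv3_directives FILE
# Prints "<line number>:<directive>" for each active SSLProtocol line whose
# tokens leave SSLv3 enabled. Token rules: "-name" removes a protocol,
# "+name" adds one, and a bare name replaces the whole set.
sslv3_directives() {
    awk '
        /^[ \t]*#/ { next }                         # commented-out directive
        tolower($1) == "sslprotocol" {
            on = 0
            for (i = 2; i <= NF; i++) {
                tok  = tolower($i)
                sign = substr(tok, 1, 1)
                name = (sign == "+" || sign == "-") ? substr(tok, 2) : tok
                # Assumption: "all" includes SSLv3 on this build.
                hit  = (name == "all" || name == "sslv3")
                if (sign == "-")      { if (hit) on = 0 }
                else if (sign == "+") { if (hit) on = 1 }
                else                  { on = hit }
            }
            if (on) { sub(/^[ \t]+/, ""); print NR ":" $0 }
        }
    ' "$1"
}

# Constructed sample config (not a real ssl.conf) to exercise the check.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample
SSLEngine on
SSLProtocol all -SSLv2
#SSLProtocol all
<VirtualHost _default_:443>
  SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:8443>
  SSLProtocol -all +TLSv1.2 +SSLv3
</VirtualHost>
EOF

sslv3_directives "$demo_conf"

# On a real host: sslv3_directives /etc/httpd/conf.d/ssl.conf
```

No output means every active SSLProtocol line in the file drops SSLv3; a file with no SSLProtocol line at all falls back to the server default, which this check does not evaluate.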


General Linux Items / Commands II

##How Create a Boot ISO##

isolinux is used for booting the Red Hat Enterprise Linux installation CD. To create your own CD-ROM to boot the installation program, use the following instructions:

Copy the isolinux/ directory from the Red Hat Enterprise Linux CD #1 into a temporary directory (referred to here as <path-to-workspace>) using the following command:

cp -r <path-to-cd>/isolinux/ <path-to-workspace>

Change directories to the <path-to-workspace> directory you have created:

cd <path-to-workspace>

Make sure the files you have copied have appropriate permissions:

chmod u+w isolinux/*

Finally, issue the following command to create the ISO image file:

mkisofs -o file.iso -b isolinux.bin -c boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -R -J -v -T isolinux/


The above command was split into two lines for printing purposes only. When you execute this command, be sure to type it as a single command, all on the same line.

Burn the resulting ISO image (named file.iso and located in <path-to-workspace>) to a CD-ROM as you normally would.

Burn the iso image you just created to a CD any way you like.

Drop the CD into the computer you want to install, and reboot the machine. When the boot prompt comes up type linux ks=cdrom:filename.cfg

Watch your machine install!

##How Create a Repo##

To install the RPM, you’ll need to type this command:

# yum install createrepo

Create a directory on a web server.

#  mkdir /var/www/html/repo/5/x86_64/

Copy your rpm’s to the directory you just created and run this command to create all the metadata required:

# createrepo /var/www/html/repo/5/x86_64/

Your local YUM repository has been created. Whenever you put in any new RPMs, you’ll have to run the above command, so that the new repository metadata gets updated.

Creating gpg keys for your new repo

# mkdir ~/.gnupg

You might get the error ‘mkdir: cannot create directory `/root/.gnupg’: File exists’

No problem, just means it is already there

# gpg --gen-key

gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.

This program comes with ABSOLUTELY NO WARRANTY.

This is free software, and you are welcome to redistribute it

under certain conditions. See the file COPYING for details.

Please select what kind of key you want:

(1) DSA and Elgamal (default)

(2) DSA (sign only)

(5) RSA (sign only)

Your selection?

Select 1

Your selection? 1

DSA keypair will have 1024 bits.

ELG-E keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048)

Press Enter

Requested keysize is 2048 bits

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0)

Press Enter

Key does not expire at all

Is this correct? (y/N)

Press y and enter

You need a user ID to identify your key; the software constructs the user ID

from the Real Name, Comment and Email Address in this form:

“Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>”

Real name:

As an example I used John Doe

Press Enter

Real name: John Doe

Email address:

Enter the maintainers email address. Example: john.doe@hq38.hohenfels.com

Real name: John Doe

Email address: John.doe@hq38.hohenfels.com


Enter “Signing Key for Project Name” replace Project Name with the name of your project.
Press enter

You selected this USER-ID:

John Doe (Signing Key for Project Name) <john.doe@hq38.hohenfels.com>

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

If it is all OK, Press O
Press Enter
Enter passphrase:
Enter your passphrase, you will need to remember this!
Press Enter
Repeat passphrase:
Enter the same passphrase again
Press Enter

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.


Not enough random bytes available. Please do some other work to give

the OS a chance to collect more entropy! (Need 284 more bytes)

gpg: key 10D9424E marked as ultimately trusted

public and secret key created and signed.

gpg: checking the trustdb

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model

gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u

pub 1024D/10D9424E 2011-05-12

Key fingerprint = A5CD 97A1 6EA6 DC01 CCC3 0A7B DEA6 CD67 10D9 424E

uid Enoch Root <root@vaausmul1.aac.va.gov>

sub 2048g/93C388B3 2011-05-12

# gpg --export --armor 10D9424E > /tmp/RPM-GPG-KEY-(Project abbreviation)
Example Project Abbreviations: PRE or SLC

Copy your new key to your new repo

# cp /tmp/RPM-GPG-KEY-(Project abbreviation) /var/www/html/repo/5/x86_64/
# vi /root/.rpmmacros
and insert this at the top %_signature gpg

It should look like this:

%_signature gpg

%_gpg_name John Doe <john.doe.va.gov> (This will be your maintainers name and email address)

If it is not there, create a new file with the above info.

Then you can start resigning your custom channel rpm’s

# rpm --resign /var/www/html/repo/5/x86_64/putty-0.60-6.20100910svn.el5.1.x86_64.rpm

Enter pass phrase:


To Sync with the Nat Sat we will need the Pub ID marked in red above and the Key fingerprint marked in purple above as well as the URL to your key.



A5CD 97A1 6EA6 DC01 CCC3 0A7B DEA6 CD67 10D9 424E


#Resizing images

mogrify -resize 800x600 *.jpg

General Linux Items / Commands

##How to remount the file system read write (rw) In maintenance mode##

mount -o remount,rw /

##How to unencrypt PDF documents##


gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=/home/erik/Destination.pdf -c .setpdfwrite -f /home/erik/source.pdf

##How to reindex spacewalk postgres database##

I was getting all kinds of weird spacewalk errors that all seemed to point to the database.

$ sudo su postgres
$ reindexdb --all

At the end I got the following error:

NOTICE:  table "rhnpackagedeltaelement" was reindexed
reindexdb: reindexing of database "rhnschema" failed: ERROR:  could not create unique index "rhnchecksum_chsum_uq"
DETAIL:  Table contains duplicated values.

I ended up restoring a backed up VM

##To Find directories and sizes##

du -sch .[!.]* * |sort -h

 ##Removing Old Kernels##

$ sudo yum install yum-utils
$ sudo package-cleanup --oldkernels --count=2

Edit /etc/yum.conf and set installonly_limit:


##Piping a command through mail##

| mail -s "Clam Scan %D" erik@hq38.hohenfels.com

 ##Get a list of rpm’s off a web page for a script##

http://linux.dell.com/repo/hardware/Linux_Repository_14.12.00/platform_independent/rh60_64/srvadmin-x86_64/ | egrep -o "http:.*rpm" |cut -d "/" -f10

##SELinux Love

##First install the trouble shooter

sudo yum install setroubleshoot-server setroubleshoot setools

##Then Search the logs:

sudo cat /var/log/messages | grep sealert (CentOS 6)


sudo sealert -a /var/log/audit/audit.log (CentOS 7)

You are going to see something like this:

docker setroubleshoot: SELinux is preventing /usr/bin/bash from ioctl access on the file /usr/bin/distro. For complete SELinux messages. run sealert -l f4eed2fe-d681-412f-ab31-55f704a7cf46

##Do what it says, Bolded above

sudo sealert -l f4eed2fe-d681-412f-ab31-55f704a7cf46

##At the top of the output you will see:

If you believe that bash should be allowed ioctl access on the distro file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep distro /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

##Again, do what it says

sudo grep distro /var/log/audit/audit.log | audit2allow -M mypol


sudo semodule -i mypol.pp

## Grub Edit ##


Make the modifications you want:

$ sudo vi /etc/default/grub

After you edit the above file you need to run:

$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg


##Installing RootKit Hunter



Here is the conf file location.

sudo vi /etc/rkhunter.conf


##RootKit Check
/usr/bin/rkhunter --update
/usr/bin/rkhunter --checkall

##Firewall Commands


##Add Port:

sudo firewall-cmd --zone=public --add-port=161/udp --permanent

##Add Known Service

sudo firewall-cmd --permanent --zone public --add-service samba


sudo systemctl restart firewalld.service


##Install Logwatch


##Install the package

sudo yum install logwatch

##Edit the conf file:

sudo vi /usr/share/logwatch/default.conf/logwatch.conf

##Change to High

Detail = High

##Set to send an email

Output = mail


1 – Install EPEL 7

After you’ve successfully installed your operating system and applied all the updates, you can install the EPEL 7 repository by running this command:

sudo yum install epel-release

2 – Install and configure the ClamAV packages

sudo yum install clamav clamav-scanner-systemd

Yes, it’s enough. When installing these packages all needed packages will be installed by dependency.

Correct a “bad” file path probably written during the compilation by creating a link to the correct file:

sudo ln -s /etc/clamd.d/scan.conf /etc/clamd.conf

Edit the configuration installed by the clamd-scanner package:

sudo vi /etc/clamd.d/scan.conf

Comment the example line:


Uncomment the LocalSocket config line to enable it:

LocalSocket /var/run/clamd.scan/clamd.sock

Save and quit the text editor.

3 – Turn on the SELinux boolean for antivirus

sudo setsebool -P antivirus_can_scan_system 1

4 – Start the service and enable it at boot

sudo systemctl start clamd@scan
sudo systemctl enable clamd@scan

5 – Install and configure the ClamAV updater

To automatically get the latest virus updates, you need to install the binary used for this task:

sudo yum install clamav-update

Edit the configuration file:

sudo vi /etc/freshclam.conf

Comment the example line:


Save and quit the text editor and run the command “freshclam” to update the virus database. If needed you can add a crontab to execute it regularly.

6 – Test your installation

sudo clamdscan --fdpass /var/log/*

Always use --fdpass to give clamdscan the correct permission to scan the files. In some cases the first check may fail after the installation; a simple reboot can solve this issue.

REF: https://www.adminsys.ch/2015/08/21/installing-clamav-epel-centosred-hat-7-nightmare/