Deploying a Spacewalk Server

This article is about how to deploy a Spacewalk Server v2.7 from scratch.

If you work at an enterprise-level company whose IT infrastructure contains a lot of Linux machines, you will certainly face these questions: how to manage all Linux systems centrally, stay aware of the current state of the entire infrastructure, maintain a high level of security, and reduce maintenance effort. The most common day-to-day tasks in server maintenance are software updates and the flexible management of a unified configuration.

The Linux distributions most widely supported by enterprise software vendors are Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), CentOS, Oracle Linux, Debian, and Ubuntu.

Unfortunately, a native centralised patch management system for Debian and its derivatives does not exist, so you should consider replacing those systems with Red Hat or its derivatives before deploying a management system. Although the management systems listed below formally support registering and managing Debian and Ubuntu clients, there are many limitations and extra effort is needed to make them work properly, so they cannot be considered native solutions for Debian systems.

Product Highlights
SUSE Manager
  • $10,000 per year for Unlimited Managed Linux Instances / $2,500 for proxy
  • Best suited to SUSE, RHEL, CentOS, Oracle Linux, etc.
  • Provides integration with Microsoft SCCM
Red Hat Satellite
  • $10,000 per year for Unlimited Managed Linux Instances / $2,500 for proxy
  • Best suited to RHEL, CentOS, Oracle Linux, etc.
  • Does not officially support SLES
Spacewalk
  • Free & Open Source Systems Management
  • Community version of Red Hat Satellite
  • Best suited to CentOS, Oracle Linux, etc.
  • Does not officially support RHEL and SLES
Features
Satellite Overview
  • Systems Inventory (Hardware and Software)
  • System Software Installation and Updates
  • Collation and Distribution of Custom Software Packages into Manageable Groups
  • System provisioning (via Kickstart)
  • Management and deployment of configuration files
  • Provision of virtual Guests
  • Start/Stop/Configuration of virtual guests
  • OpenSCAP Auditing of client systems
  • Options for geographically remote proxy servers

Note: All of the above-mentioned systems are based on the same engine; they differ only in the web GUI and in the set of additional features. The installation and configuration process is also almost the same.


Fresh Installation of CentOS

The following virtual server configuration was used for this article: CPU 2×2 (4 cores) / RAM 24GB / HDD 150GB x 2.

  1. Download the latest version of CentOS from the official CentOS download page.
  2. Start your server and wait for the CentOS installation menu to appear:
    CentOS Installation Menu
  3. Press the ESC key to get the boot prompt and start the unattended (kickstart) installation:
    boot: linux ks=http://192.168.100.10/rksw.php?v=r7&h=spacewalk
    
  4. After the installation completes (it takes up to 10 minutes), log in to the server with an SSH client (for example, ssh, PuTTY, or MobaXterm) and check the current disk space:
    [root@spacewalk ~]# df -h | grep map
    /dev/mapper/vg00-lv_root  2.0G  1.1G  725M  61% /
    /dev/mapper/vg00-lv_var   9.8G  101M  9.2G   2% /var
    /dev/mapper/vg00-lv_tmp   488M  840K  452M   1% /tmp
    /dev/mapper/vg00-lv_home  976M  2.6M  907M   1% /home
    
    [root@spacewalk ~]# vgs
      VG   #PV #LV #SN Attr   VSize    VFree
      vg00   1   5   0 wz--n- <149.51g <132.01g
    
    [root@spacewalk ~]# fdisk -l | grep sd
    Disk /dev/sda: 161.1 GB, 161061273600 bytes, 314572800 sectors
    /dev/sda1   *        2048     1026047      512000   83  Linux
    /dev/sda2         1026048   314572799   156773376   8e  Linux LVM
    Disk /dev/sdb: 161.1 GB, 161061273600 bytes, 314572800 sectors
    [root@spacewalk ~]#
    
  5. Extend current partitions and mount the second disk for storing repositories:
    ### Extend current partitions
    lvextend -L+3.1G /dev/vg00/lv_root
    lvextend -L+40.2G /dev/vg00/lv_var
    resize2fs /dev/vg00/lv_root
    resize2fs /dev/vg00/lv_var
    
    ### Rescan for new SCSI controllers (after adding a new 150GB disk to the virtual machine)
    echo "1" > /sys/bus/pci/rescan
    
    ### Rescan SCSI bus for new disks
    for i in /sys/class/scsi_host/*; do echo "- - -" > "${i}/scan"; done
    
    ### Create a partition for LVM
    echo -e "n\np\n1\n\n\nt\n8e\nw\n" | fdisk /dev/sdb
    
    ### Create a new volume group/logical volume
    pvcreate /dev/sdb1
    vgcreate vg01 /dev/sdb1
    lvcreate -L120G -n lv_satellite vg01
    mkfs.xfs /dev/vg01/lv_satellite
    mkdir -p /var/satellite
    chmod 777 /var/satellite
    NL="/dev/mapper/vg01-lv_satellite /var/satellite           xfs     defaults        1 2"
    sed -i "/swap/i $NL" /etc/fstab
    mount -a
    

    Check what you have now:

    [root@spacewalk ~]# df -h | grep map
    /dev/mapper/vg00-lv_root       5.0G  1.1G  3.7G  23% /
    /dev/mapper/vg00-lv_var         50G  117M   48G   1% /var
    /dev/mapper/vg00-lv_tmp        488M  840K  452M   1% /tmp
    /dev/mapper/vg00-lv_home       976M  2.6M  907M   1% /home
    /dev/mapper/vg01-lv_satellite  120G   33M  120G   1% /var/satellite
    
    [root@spacewalk ~]# vgs
      VG   #PV #LV #SN Attr   VSize    VFree
      vg00   1   5   0 wz--n- <149.51g  88.70g
      vg01   1   1   0 wz--n- <150.00g <30.00g
    
  6. Set the static network settings and the FQDN (replace values with yours):
    ### Static IP
    F=/etc/sysconfig/network-scripts/ifcfg-ens160
    sed -i 's/BOOTPROTO.*/BOOTPROTO="static"/' ${F}
    cat >> ${F} <<EOF
    IPADDR=192.168.100.30
    PREFIX=24
    GATEWAY=192.168.100.254
    PEERDNS=no
    DNS1=192.168.100.1
    DNS2=192.168.100.2
    ZONE=public
    EOF
    
    ### FQDN
    echo 'spacewalk.svelab.local' > /etc/hostname
    echo '192.168.100.30   spacewalk.svelab.local spacewalk' >> /etc/hosts
    
  7. Apply all available patches, disable IPv6, and reboot the server (the sysctl setting takes effect after the reboot):
    yum -y upgrade
    echo "net.ipv6.conf.all.disable_ipv6 = 1" > /etc/sysctl.d/noipv6.conf
    reboot
    

Spacewalk Installation

  1. Set up Spacewalk repositories:
    rpm -Uvh http://yum.spacewalkproject.org/2.7/RHEL/7/x86_64/spacewalk-repo-2.7-2.el7.noarch.rpm
    rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    (cd /etc/yum.repos.d && curl -O https://copr.fedorainfracloud.org/coprs/g/spacewalkproject/java-packages/repo/epel-7/group_spacewalkproject-java-packages-epel-7.repo)
    
    yum clean all
    rm -rf /var/cache/yum
    yum repolist
    
  2. Install PostgreSQL and Spacewalk
    yum -y install spacewalk-setup-postgresql spacewalk-postgresql spacewalk-utils
    
    ### workaround for a bug in spacewalk 2.7: https://bugzilla.redhat.com/show_bug.cgi?id=1524221#c4
    rpm -Uvh https://copr-be.cloud.fedoraproject.org/results/@spacewalkproject/nightly/epel-7-x86_64/00688037-spacewalk-admin/spacewalk-admin-2.8.3-1.el7.centos.noarch.rpm
    

    Initial settings (replace values with yours):

    [root@spacewalk ~]# spacewalk-setup
    * Setting up SELinux..
    ** Database: Setting up database connection for PostgreSQL backend.
    ** Database: Installing the database:
    ** Database: This is a long process that is logged in:
    ** Database:   /var/log/rhn/install_db.log
    *** Progress: ##
    ** Database: Installation complete.
    ** Database: Populating database.
    *** Progress: ##########################
    * Configuring tomcat.
    * Setting up users and groups.
    ** GPG: Initializing GPG and importing key.
    ** GPG: Creating /root/.gnupg directory
    You must enter an email address.
    Admin Email Address? admin@svelab.com
    * Performing initial configuration.
    * Configuring apache SSL virtual host.
    Should setup configure apache's default ssl server for you (saves original ssl.conf) [Y]? Y
    ** /etc/httpd/conf.d/ssl.conf has been backed up to ssl.conf-swsave
    * Configuring jabberd.
    * Creating SSL certificates.
    CA certificate password? pa$$w0rd
    Re-enter CA certificate password? pa$$w0rd
    Cname alias of the machine (comma seperated)? spacewalk
    Organization? SVELAB
    Organization Unit [spacewalk.svelab.local]? IT
    Email Address [admin@svelab.com]? admin@svelab.com
    City? Sydney
    State? NSW
    Country code (Examples: "US", "JP", "IN", or type "?" to see a list)? AU
    ** SSL: Generating CA certificate.
    ** SSL: Deploying CA certificate.
    ** SSL: Generating server certificate.
    ** SSL: Storing SSL certificates.
    * Deploying configuration files.
    * Update configuration in database.
    * Setting up Cobbler..
    Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality. Enable these services [Y]? N
    * Restarting services.
    Tomcat failed to start properly or the installer ran out of tries.  Please check /var/log/tomcat6/catalina.out or /var/log/tomcat/catalina.$(date +%Y-%m-%d).log for errors.
    

    Note: Ignore the Tomcat error message; it is caused by minor errors in the Spacewalk installation scripts, and Tomcat is in fact up and running.

  3. Configure the firewall (5222/tcp and 5269/tcp are the jabberd XMPP client and server-to-server ports used by osad/osa-dispatcher):
    firewall-cmd --permanent --add-service=http
    firewall-cmd --permanent --add-service=https
    firewall-cmd --permanent --add-port=5222/tcp
    firewall-cmd --permanent --add-port=5269/tcp
    firewall-cmd --reload
    

    Check:

    [root@spacewalk ~]# firewall-cmd --permanent --list-all | grep -E '(services| ports)'
      services: ssh dhcpv6-client http https
      ports: 5222/tcp 5269/tcp
    
  4. Create the organization and the local administrator account by opening https://spacewalk.svelab.local in a browser:
    Spacewalk Initial Setup
  5. Configure proxy settings if your Spacewalk instance does not have direct Internet access:
    Spacewalk Setup - Proxy

Replace self-signed certificates

  1. Back up the existing keys/certificates:
    cd /root
    tar -zcvf SSL_configs_$(date +"%Y%m%d").tgz /etc/httpd/conf/ssl.* /etc/pki/spacewalk/jabberd/server.pem /root/ssl-build /var/www/html/pub
    
  2. Get the Certificate Signing Request (CSR):
    [root@spacewalk ~]# cat /root/ssl-build/$(hostname -s)/server.csr | awk '/BEGIN/ {seen=1} seen {print}'
    
  3. Sign the CSR with your local Microsoft Certificate Authority:
    Spacewalk SSL Cert
    Submit the request and download the certificate chain in the Base64 encoded format (the filename will be certnew.p7b):
    Spacewalk - Download SSL Cert
  4. Upload the saved certificate chain (certnew.p7b) onto the server in /tmp and replace the self-signed one:
    ### replace the current certificate (openssl pkcs7 -print_certs extracts the PEM certificates from the Base64 PKCS#7 file)
    openssl pkcs7 -print_certs -in /tmp/certnew.p7b > /root/ssl-build/$(hostname -s)/server.crt
    ### remove the ^M (CR) symbol left in the Windows-generated file
    sed -i -e 's/\r//' /root/ssl-build/$(hostname -s)/server.crt
    
  5. Combine all third-party root and intermediate CA certificates (replace the CA URL and user name with yours):
    mkdir -p /root/certs
    ### --no-check-certificate is only needed while this host does not yet trust the CA web server's own certificate;
    ### verify the fingerprint of the downloaded root certificate against the CA before using it
    wget --no-proxy --no-check-certificate --user=sve --ask-password 'https://labdc01.svelab.local/certsrv/certnew.p7b?ReqID=CACert&Renewal=0&Enc=b64' -O /root/certs/local_root_ca.p7b
    sed -i -e 's/\r//' /root/certs/local_root_ca.p7b
    openssl pkcs7 -print_certs -in /root/certs/local_root_ca.p7b > /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    

    Verify:

    [root@spacewalk tmp]# openssl verify -CAfile /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/$(hostname -s)/server.crt
    /root/ssl-build/spacewalk/server.crt: OK
    
  6. Create an RPM package with SSL certificates:
    cd /root
    rhn-ssl-tool --gen-server --rpm-only
    rpm -Uvh /root/ssl-build/$(hostname -s)/$(grep noarch /root/ssl-build/$(hostname -s)/latest.txt)
    rhn-ssl-dbstore -vvv --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    
  7. Update the rhn-org-trusted-ssl-cert rpm:
    cat /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT > /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
    rhn-ssl-tool --gen-ca --dir /root/ssl-build/ --rpm-only
    cp $(ls /root/ssl-build/rhn-org-trusted-ssl-cert*.noarch.rpm | sort | tail -n1) /var/www/html/pub/
    
  8. Update the Jabber server.pem file:
    cat /root/ssl-build/$(hostname -s)/server.pem > /etc/pki/spacewalk/jabberd/server.pem
    chown jabber:jabber /etc/pki/spacewalk/jabberd/server.pem
    chmod 600 /etc/pki/spacewalk/jabberd/server.pem
    update-ca-trust
    

    Verify:

    ### certificates
    [root@spacewalk ~]# md5sum /etc/pki/spacewalk/jabberd/server.pem /root/ssl-build/$(hostname -s)/server.pem
    832074c7295049e71ed0293ee6134afe  /etc/pki/spacewalk/jabberd/server.pem
    832074c7295049e71ed0293ee6134afe  /root/ssl-build/spacewalk/server.pem
    [root@spacewalk ~]# md5sum /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    4cc24e4ac95401c2837dae3e26535869  /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
    4cc24e4ac95401c2837dae3e26535869  /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    
    ### configs
    [root@spacewalk ~]# grep require-starttls /etc/jabberd/c2s.xml | grep pemfile
        <id require-starttls="false" pemfile="/etc/pki/spacewalk/jabberd/server.pem" realm="" register-enable="true">spacewalk.svelab.local</id>
    
    [root@spacewalk ~]# grep '<id>' /etc/jabberd/sm.xml
      <id>spacewalk.svelab.local</id>
        <id>spacewalk.svelab.local</id>
        <id>localhost.localdomain</id>
        <id>vhost1.localdomain</id>
        <id>vhost2.localdomain</id>
    
    [root@spacewalk ~]# grep osa-dispatcher /etc/rhn/rhn.conf
    osa-dispatcher.jabber_server = spacewalk.svelab.local
    osa-dispatcher.osa_ssl_cert = /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    
  9. Restart Spacewalk:
    [root@spacewalk ~]# spacewalk-service restart
    Shutting down spacewalk services...
    Done.
    Starting spacewalk services...
    Done.
    

    Check (you should get output similar to the following):

    [root@spacewalk ~]# systemctl status osa-dispatcher | tail -n2
    Jan 14 20:44:42 spacewalk.svelab.local systemd[1]: Starting OSA Dispatcher daemon...
    Jan 14 20:44:43 spacewalk.svelab.local systemd[1]: Started OSA Dispatcher daemon.
    
    [root@spacewalk ~]# tail -n3 /var/log/rhn/osa-dispatcher.log
    2018/01/14 20:44:43 +11:00 52542 0.0.0.0: osad/jabber_lib.__init__
    2018/01/14 20:44:43 +11:00 52542 0.0.0.0: osad/jabber_lib.setup_connection('Connected to jabber server', 'spacewalk.svelab.local')
    2018/01/14 20:44:43 +11:00 52542 0.0.0.0: osad/jabber_lib.process_forever
    

    The browser now shows the connection to Spacewalk as 'green' (secure):
    Spacewalk - Trusted SSL Cert

  10. Put Spacewalk's /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT into the GPG config channel so that the certificate is updated on target systems.
     
  11. If you want to regenerate SSL keys and CA certificates (for example, if you forget the CA password):

    cd /root
    tar -zcvf SSL_configs_$(date +"%Y%m%d").tgz /etc/httpd/conf/ssl.* /etc/pki/spacewalk/jabberd/server.pem /root/ssl-build /var/www/html/pub
    rm -fR /root/ssl-build/
    mkdir /root/ssl-build/
    rhn-ssl-tool --gen-ca
    rm -f /var/www/html/pub/{RHN-ORG-TRUSTED-SSL-CERT,rhn-org-trusted-ssl-cert-1.0-*.noarch.rpm}
    cp ssl-build/{RHN-ORG-TRUSTED-SSL-CERT,rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm} /var/www/html/pub/
    rhn-ssl-dbstore --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    rhn-ssl-tool --gen-server --set-hostname=$(hostname -f) --set-country=AU --set-state=NSW \
    --set-city=Sydney --set-org=SVELAB --set-org-unit=IT --set-email=admin@svelab.com
    rpm -e rhn-org-httpd-ssl-key-pair-$(hostname -s)
    rpm -Uvh /root/ssl-build/$(hostname -s)/$(grep noarch /root/ssl-build/$(hostname -s)/latest.txt)
    
    ### repeat steps 1-10
    

Active Directory Integration

  1. Install required packages:
    yum -y install samba samba-common samba-client samba-libs samba-winbind samba-winbind-clients krb5-workstation pam_krb5
    
  2. Generate the configs by copying and pasting the text below into the console (replace the NetBIOS name and domain values with yours):

    File /etc/samba/smb.conf

    myhost=$(hostname -s)
    dc_netbios="SVELAB"
    dc_domain="svelab.local"
    dc_realm=$(printf "%s" "${dc_domain}" | tr 'a-z' 'A-Z')
    
    cat > /etc/samba/smb.conf <<EOF
    # testparm
    #======================= Global Settings =======================
    [global]
        ### General ###
        workgroup = ${dc_netbios}
        netbios name = ${myhost}
        server string = %h SMB Server
        local master = no
        preferred master = no
        domain master = no
        os level = 0
        machine password timeout = 0
    
        ### Active Directory Integration ###
        password server = *
        realm = ${dc_realm}
        security = ads
        idmap config ${dc_netbios} : backend = rid
        idmap config ${dc_netbios} : range = 10000000-33554431
        idmap config * : backend = tdb
        idmap config * : range = 1000000000-1999999999
    
        encrypt passwords = yes
        winbind use default domain = yes
        winbind offline logon = no
        winbind enum groups = yes
        winbind enum users = yes
        winbind nested groups = yes
        #winbind separator = \\\\
        #winbind cache time = 3600
    
        ### Misc ###
        wins support = no
        dns proxy = no
    
        #### Networking ####
        #interfaces = 127.0.0.0/8 eth0
        #bind interfaces only = yes
    
        #### Debugging/Accounting ####
        log file = /var/log/samba/samba.log
        log level = 1
        max log size = 1024
        panic action = /usr/share/samba/panic-action %d
    
        ### Authentication ###
        passdb backend = tdbsam
        obey pam restrictions = yes
        map to guest = bad user
        guest account = nobody
        restrict anonymous = 2
        server signing = auto
    
        ### misc ###
        usershare path =
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        create mask = 0777
        directory mask = 0777
    EOF
    

    File /etc/krb5.conf

    cat > /etc/krb5.conf <<EOF
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = ${dc_realm}
     default_ccache_name = KEYRING:persistent:%{uid}
     dns_lookup_realm = true
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
    
    [realms]
     ${dc_realm} = {
        kdc = labdc01.${dc_domain}
        kdc = labdc02.${dc_domain}
        #admin_server = kerberos.example.com
        default_domain = ${dc_domain}
    }
    
    [domain_realm]
        .${dc_domain} = ${dc_realm}
        ${dc_domain} = ${dc_realm}
    EOF
    
  3. Join Active Directory (your domain account must have Domain Admin privileges):
    [root@spacewalk ~]# net ads join -S labdc01.svelab.local -U sve createcomputer="Computers"
    Enter sve's password:
    Using short domain name -- SVELAB
    Joined 'SPACEWALK' to dns domain 'svelab.local'
    
    [root@spacewalk ~]# wbinfo -t
    checking the trust secret for domain SVELAB via RPC calls succeeded
    

    Enable/disable the services at boot:

    systemctl enable winbind
    systemctl disable smb
    systemctl disable nmb
    systemctl start winbind
    
  4. Enable Winbind in NSS (append "winbind" to the passwd, group and shadow lines of /etc/nsswitch.conf where it is missing):
    ### reconfigure
    F="/etc/nsswitch.conf"
    chk=$(grep -Esn '^(passwd|group|shadow)' "${F}" | grep -v 'winbind')
    if [ "${chk}" != '' ]; then
        while read -r line; do
            # grep -n output is "<lineno>:<db>:<sources>"; append winbind to the sources
            IFS=':' read -r -a cfg_oldval <<< "${line}"
            cfg_newval="${cfg_oldval[1]}:${cfg_oldval[2]} winbind"
            sed -i "${cfg_oldval[0]}s/.*/${cfg_newval}/" "${F}"
        done <<< "${chk}"
    fi
    
    ### restart Winbind
    systemctl restart winbind
    

    Verify (you should see Active Directory users and groups in the output):

    wbinfo -t
    wbinfo -g
    wbinfo -u
    getent passwd
    getent group
    
  5. Set up Spacewalk to use PAM:
    ### configure PAM for Spacewalk
    cat > /etc/pam.d/rhn-spacewalk <<EOF
    auth        required      pam_env.so
    auth        sufficient    pam_krb5.so no_user_check
    auth        required      pam_deny.so
    account     required      pam_krb5.so no_user_check
    EOF
    
    ### activate PAM in Spacewalk
    cat >> /etc/rhn/rhn.conf <<EOF
    
    ### Active Directory Integration
    pam_auth_service = rhn-spacewalk
    EOF
    
    ### restart Spacewalk
    spacewalk-service restart
    
  6. Create an account in Active Directory for Spacewalk and grant admin permissions to it:
    Spacewalk - AD user
    Spacewalk - Users
    Spacewalk - OrgAdmin
    Spacewalk - Admin

Hardening and tuning

  1. Apache

    Disable all SSL protocols except TLSv1.2:

    cat > /etc/httpd/conf.d/zz-ssl-strong.conf <<EOF
    SSLProtocol +TLSv1.2
    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
    SSLHonorCipherOrder on
    EOF
    

    Adjust timeouts:

    sed -i 's/ProxyTimeout 210/ProxyTimeout 300/' /etc/httpd/conf.d/zz-spacewalk-www.conf
    cat > /etc/httpd/conf.d/zz-timeouts.conf <<EOF
    Timeout 600
    ProxyTimeout 600
    MaxKeepAliveRequests 300
    KeepAlive On
    KeepAliveTimeout 30
    EOF
    

    Adjust Apache Multi-Processing Module (MPM):

    cat >> /etc/httpd/conf.modules.d/00-mpm.conf <<EOF
    StartServers            8
    MinSpareServers         6
    MaxSpareServers         32
    ServerLimit             512
    MaxClients              512
    MaxRequestsPerChild     4000
    EOF
    
  2. Tomcat

    Allocate more RAM:

    sed -i 's/wrapper.java.maxmemory=1024/wrapper.java.maxmemory=4096/' /usr/share/rhn/config-defaults/rhn_taskomatic_daemon.conf
    sed -i 's/-Xmx256m/-Xmx1024m/' /etc/sysconfig/tomcat
    
  3. IPv6 (optional)

    If you did not disable IPv6 before installing Spacewalk, execute the following commands to do it now:

    echo "net.ipv6.conf.all.disable_ipv6 = 1" > /etc/sysctl.d/noipv6.conf
    sysctl -p /etc/sysctl.d/noipv6.conf
    sed -i 's#::1#127.0.0.1#' /etc/jabberd/c2s.xml
    sed -i 's#::1#127.0.0.1#' /etc/jabberd/s2s.xml
    sed -i 's#::1#127.0.0.1#' /etc/jabberd/sm.xml
    sed -i 's#::#0.0.0.0#' /etc/jabberd/c2s.xml
    sed -i 's#::#0.0.0.0#' /etc/jabberd/s2s.xml
    sed -i 's#::#0.0.0.0#' /etc/jabberd/router.xml
    
  4. Restart Spacewalk:
    [root@spacewalk ~]# spacewalk-service restart
  5. Checks:
    ps aux | grep -Esio '(Xmx.[0-9]*)m'
    nmap -sV --script ssl-enum-ciphers -p 443 localhost
    
    Output
    [root@spacewalk ~]# ps aux | grep -Esio '(Xmx.[0-9]*)m'
    Xmx1024m
    Xmx4096m
    
    [root@spacewalk ~]# nmap -sV --script ssl-enum-ciphers -p 443 localhost
    Starting Nmap 6.40 ( http://nmap.org ) at 2018-01-17 21:12 AEDT
    Nmap scan report for localhost (127.0.0.1)
    Host is up (-980s latency).
    Other addresses for localhost (not scanned): 127.0.0.1
    PORT    STATE SERVICE  VERSION
    443/tcp open  ssl/http Apache httpd
    | ssl-enum-ciphers:
    |   SSLv3: No supported ciphers found
    |   TLSv1.2:
    |     ciphers:
    |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
    |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
    |       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
    |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
    |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
    |       TLS_RSA_WITH_RC4_128_SHA - strong
    |     compressors:
    |       NULL
    |_  least strength: strong
    
    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 12.16 seconds
    
    Note: the scan still lists RC4 and 3DES suites and plain RSA key exchange, and rates them 'strong', although the SSLCipherSuite string above excludes RC4 and 3DES. If you see this, check whether the <VirtualHost _default_:443> block in /etc/httpd/conf.d/ssl.conf has its own SSLProtocol and SSLCipherSuite directives: they take precedence over the server-level ones in zz-ssl-strong.conf, so either remove them or put the strong settings inside that block. Old nmap versions label RC4 and 3DES 'strong', so do not rely on that rating alone.
    
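As an added example (not part of the original article), the shell audit below parses ssl-enum-ciphers output and checks it against the policy of zz-ssl-strong.conf instead of trusting nmap's "strong" label; SAMPLE_SCAN is a constructed excerpt, and the function names are mine.

```shell
#!/bin/sh
# Constructed sample in the layout printed by nmap's ssl-enum-ciphers script
# (same shape as the scan output above); it is NOT a real scan of this host.
SAMPLE_SCAN='| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong'

# audit_ciphers: read ssl-enum-ciphers output on stdin and print one finding per
# line as "<protocol> <suite> <reason>".  The reasons mirror the policy in
# zz-ssl-strong.conf: TLSv1.2 only, no RC4 (!RC4), no 3DES (!3DES), and
# forward-secret key exchange only (EECDH/EDH, i.e. TLS_ECDHE_*/TLS_DHE_* suites).
# nmap's own "strong" rating is ignored on purpose: older nmap versions, as in the
# output above, label RC4 and 3DES suites "strong".
audit_ciphers() {
    awk '
        # protocol header, e.g. "|   TLSv1.0:" or "|   SSLv3: No supported ciphers found"
        /^[|][ ]+(SSLv[23]|TLSv1(\.[0-9])?):/ {
            proto = $2; sub(/:$/, "", proto)
            if ($0 !~ /No supported ciphers/ && proto != "TLSv1.2")
                print proto, "(protocol)", "legacy-protocol-enabled"
            next
        }
        # cipher suite line, e.g. "|       TLS_RSA_WITH_RC4_128_SHA - strong"
        /^[|][ ]+TLS_[A-Z0-9_]+ - / {
            suite = $2
            if (suite ~ /RC4/)                      print proto, suite, "rc4"
            else if (suite ~ /3DES/)                print proto, suite, "3des"
            else if (suite !~ /^TLS_(ECDHE|DHE)_/)  print proto, suite, "no-forward-secrecy"
        }
    '
}

# count_findings: number of policy violations in the scan read on stdin (0 = compliant)
count_findings() {
    audit_ciphers | wc -l | tr -d ' '
}

# Typical use after the check above:
#   nmap -sV --script ssl-enum-ciphers -p 443 localhost | audit_ciphers
printf '%s\n' "$SAMPLE_SCAN" | audit_ciphers
```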

Configure Software Channels

  1. Display the list of predefined channels:
    spacewalk-common-channels --list | grep -E '(centos7|epel)'
    Output
    [root@spacewalk ~]# spacewalk-common-channels --list | grep -E '(centos7|epel)'
     centos7:             x86_64
     centos7-atomic:      x86_64
     centos7-centosplus:  x86_64
     centos7-cloud:       x86_64
     centos7-cr:          x86_64
     centos7-extras:      x86_64
     centos7-fasttrack:   x86_64
     centos7-opstools:    x86_64
     centos7-paas:        x86_64
     centos7-rt:          x86_64
     centos7-scio:        x86_64
     centos7-storage:     x86_64
     centos7-updates:     x86_64
     centos7-virt:        x86_64
     epel6:               i386, x86_64, ppc64
     epel7:               x86_64, ppc64
     spacewalk-nightly-client-centos7: i386, x86_64
     spacewalk-nightly-server-centos7: i386, x86_64
     spacewalk25-client-centos7: i386, x86_64
     spacewalk25-server-centos7: i386, x86_64
     spacewalk26-client-centos7: i386, x86_64
     spacewalk26-server-centos7: i386, x86_64
     spacewalk27-client-centos7: i386, x86_64
     spacewalk27-server-centos7: i386, x86_64
    

  2. Create channels for CentOS 7 (replace credentials with yours):
    spacewalk-common-channels -u spacewalk_admin -p 'SpacePa!!w0rd' -a x86_64 'centos7'
    spacewalk-common-channels -u spacewalk_admin -p 'SpacePa!!w0rd' -a x86_64 'centos7-updates'
    spacewalk-common-channels -u spacewalk_admin -p 'SpacePa!!w0rd' -a x86_64 'centos7-extras'
    spacewalk-common-channels -u spacewalk_admin -p 'SpacePa!!w0rd' -a x86_64 'epel7'
    spacewalk-common-channels -u spacewalk_admin -p 'SpacePa!!w0rd' -a x86_64 'spacewalk27-client-centos7'
    spacewalk-common-channels -u spacewalk_admin -p 'SpacePa!!w0rd' -a x86_64 'spacewalk27-server-centos7'
    

    Spacewalk - Software Channels

  3. Synchronise channels with external repositories (also select a daily schedule):
    Spacewalk - Channels sync

    Repeat this task for all new channels/sub-channels. The first synchronisation may take a few hours; subsequent ones take a few minutes. To see the current progress:

    [root@spacewalk ~]# cd /var/log/rhn/reposync/
    [root@spacewalk reposync]# tail -n1 *
    2018/01/16 22:34:54 +11:00 1273/9591 : dyninst-devel-9.3.1-1.el7.x86_64.rpm
    
  4. Create an additional repository/channel via the WebGUI (this one is needed for registering Spacewalk itself).

    Get the system details:

    [root@spacewalk ~]# python -c 'import yum, pprint; yb = yum.YumBase(); pprint.pprint(yb.conf.yumvar, width=1)'
    Loaded plugins: fastestmirror, langpacks, rhnplugin
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    {'arch': 'ia32e',
     'basearch': 'x86_64',
     'infra': 'stock',
     'releasever': '7',
     'uuid': 'ee6529fc-2ad0-4e39-963b-24be897b8482'}
    

    Get the repository details:

    [root@spacewalk ~]# cat /etc/yum.repos.d/group_spacewalkproject-java-packages-epel-7.repo
    [group_spacewalkproject-java-packages]
    name=Copr repo for java-packages owned by @spacewalkproject
    baseurl=https://copr-be.cloud.fedoraproject.org/results/@spacewalkproject/java-packages/epel-7-$basearch/
    type=rpm-md
    skip_if_unavailable=True
    gpgcheck=1
    gpgkey=https://copr-be.cloud.fedoraproject.org/results/@spacewalkproject/java-packages/pubkey.gpg
    repo_gpgcheck=0
    enabled=0
    enabled_metadata=1
    

    Now you can add a new repository and create a new channel using the details obtained above:

    Spacewalk - Add extra channel
    Spacewalk - Assign repo

  5. Errata for CentOS

    As the channel list shows, the general CentOS repositories do not contain errata data; however, it can be derived from the CentOS-Announce mailing list using a third-party script (CEFS).

    Spacewalk - Channels synced

    1. Install required packages:
      yum -y install perl-Text-Unidecode perl-Frontier-RPC perl-XML-Simple perl-Net-SSLeay perl-Crypt-SSLeay
      
    2. Create the script (replace values with yours):
      mkdir -p /root/scripts
      cat > /root/scripts/centos-errata.sh <<EOF
      #! /bin/bash
      
      ### https://cefs.steve-meier.de/
      ### errata-import.pl reads the Spacewalk credentials from these environment variables
      export SPACEWALK_USER='spacewalk_admin'
      export SPACEWALK_PASS='SpacePa!!w0rd'
      
      logfile='/var/log/rhn/reposync/centos-errata.log'
      servername='spacewalk.svelab.local'
      workdir='/var/linuxmanager/centos-errata'
      
      # no spaces or tabs
      errata_channels='centos7-x86_64,centos7-x86_64-updates,centos7-x86_64-extras,spacewalk27-client-centos7-x86_64,
      spacewalk27-server-centos7-x86_64,spacewalk-java-c7'
      
      mkdir -p "\${workdir}"
      cd "\${workdir}" || exit 1
      
      # 0. remove all current dbs
      rm -f "\${workdir}"/*
      # 1. download the latest errata XML file
      wget -q -c https://cefs.steve-meier.de/errata.latest.xml -O "\${workdir}/errata.latest.xml"
      # 2. download the latest Red Hat OVAL file (used to add CVE references to the errata)
      wget -q -c https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml -O "\${workdir}/com.redhat.rhsa-all.xml"
      # 3. download the latest errata-import.pl script
      wget -q -c https://github.com/stevemeier/cefs/raw/master/errata-import.pl -O "\${workdir}/errata-import.pl"
      chmod +x "\${workdir}/errata-import.pl"
      # 4. run the parser (the OVAL path points at the file downloaded in step 2)
      ./errata-import.pl --server "\${servername}" --errata "\${workdir}/errata.latest.xml" \\
      --include-channels="\$(printf "%s" "\${errata_channels}" | tr -d '\n')" \\
      --publish --rhsa-oval "\${workdir}/com.redhat.rhsa-all.xml" > "\${logfile}"
      EOF
      

    3. Add the cron job:
      cat > /etc/cron.d/rhn-errata <<EOF
      SHELL=/bin/bash
      PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
      
      # .---------------- minute (0 - 59)
      # |   .------------- hour (0 - 23)
      # |   |   .---------- day of month (1 - 31)
      # |   |   |   .------- month (1 - 12) OR jan,feb,mar,apr ...
      # |   |   |   |  .----- day of week (0 - 7) (Sunday=0 or 7)  OR sun,mon,tue,wed,thu,fri,sat
      # |   |   |   |  |
      # *   *   *   *  *  command to be executed
      #
      
      ### CentOS Errata Parsing
      0 4 * * * root /root/scripts/centos-errata.sh
      EOF
      
    4. Reload crond and start the script manually:
      chmod 750 /root/scripts/centos-errata.sh
      systemctl reload crond
      /root/scripts/centos-errata.sh
      

      Spacewalk - Errata

    5. Configuration Channels

      1. Create a new config channel:
        Spacewalk - Configs
        Spacewalk - New Config Channel
      2. Create the configuration file that will contain the parameters below (for example):
        net.ipv6.conf.all.disable_ipv6 = 1
        vm.swappiness = 10
        

        Note: configs and scripts must not contain the ^M symbol (a carriage return, i.e. CRLF line endings); this is especially important for cron jobs, which are silently ignored otherwise.

        Spacewalk - Common Configs

      3. Create a new config channel containing the GPG keys of all repositories.

        For example, put the GPG key of the Spacewalk Java Packages repository into the channel:
        Spacewalk - RPM GPG Key
        To import GPG keys on target systems you can execute the following command via the Spacewalk Remote Command Execution feature:
        Spacewalk - Remote Commands

        To check which GPG keys are installed in the system:

        [root@spacewalk ~]# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
        gpg-pubkey-f4a80eb5-53a7ff4b    gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>)
        gpg-pubkey-352c64e5-52ae6884    gpg(Fedora EPEL (7) <epel@fedoraproject.org>)
        gpg-pubkey-b8002de1-553126bd    gpg(Spacewalk <spacewalk-devel@redhat.com>)
        gpg-pubkey-e8e1716a-58d0f953    gpg(@spacewalkproject_java-packages (None) <@spacewalkproject#java-packages@copr.fedorahosted.org>)
        gpg-pubkey-0608b895-4bd22942    gpg(EPEL (6) <epel@fedoraproject.org>)
        gpg-pubkey-b6792c39-53c4fbdd    gpg(CentOS-7 Debug (CentOS-7 Debuginfo RPMS) <security@centos.org>)
        gpg-pubkey-8fae34bd-538f1e51    gpg(CentOS-7 Testing (CentOS 7 Testing content) <security@centos.org>)
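        Two checks for this section, added here and not part of the original article: a guard that rejects files with ^M characters before they go into a config channel (the note above), and an audit that compares the gpg-pubkey packages reported by the rpm command above against the key IDs we intend to trust. The function names are hypothetical and EXPECTED_KEYS is a constructed policy derived from the listing above (the debuginfo and testing keys are deliberately left out of it).

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight checks for the
# Configuration Channels section.
#   check_crlf       rejects files containing CR (^M) before they are uploaded
#   audit_gpg_keys   compares installed gpg-pubkey packages with EXPECTED_KEYS
# EXPECTED_KEYS is a constructed policy built from the rpm listing above.

# Return 1 (and say why) if $1 contains a carriage return, else 0.
check_crlf() {
    cr=$(printf '\r')
    if grep -q "$cr" "$1"; then
        echo "REJECT: $1 contains CR (^M) characters; strip them (e.g. dos2unix) first" >&2
        return 1
    fi
    return 0
}

# Short key IDs (the 8 hex digits after "gpg-pubkey-") we want on CentOS 7 hosts.
EXPECTED_KEYS='f4a80eb5 352c64e5 b8002de1 e8e1716a 0608b895'

# Read the output of
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
# on stdin and print one finding per line:
#   MISSING <id>     an expected key is not installed
#   UNEXPECTED <id>  an installed key is not in EXPECTED_KEYS
# Returns 0 when the host matches the policy exactly, 1 otherwise.
audit_gpg_keys() {
    installed=$(sed -n 's/^gpg-pubkey-\([0-9a-f]\{8\}\)-.*/\1/p' | tr '\n' ' ')
    rc=0
    for k in $EXPECTED_KEYS; do
        case " $installed " in
            *" $k "*) ;;
            *) echo "MISSING $k"; rc=1 ;;
        esac
    done
    for k in $installed; do
        case " $EXPECTED_KEYS " in
            *" $k "*) ;;
            *) echo "UNEXPECTED $k"; rc=1 ;;
        esac
    done
    return $rc
}

# Typical use on a client (or via Remote Command Execution):
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | audit_gpg_keys
```

Run against the listing shown above, the audit reports the CentOS-7 Debug and Testing keys as UNEXPECTED and nothing as MISSING.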
        
      4. Create a new activation key:
        Spacewalk - New Key
      5. Assign default software channels:
        Spacewalk - Assign Channels
      6. Subscribe to configuration channels:
        Spacewalk - Subscribe to Configs
      7. Configure automated deployment of configs:
        Spacewalk - Automated Deployment of Configs

      Security Audit with OpenSCAP

      1. Install packages:
        yum -y install spacewalk-oscap openscap-utils scap-security-guide
      2. Download OpenSCAP remote resources:
        wget -q https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 -O /var/www/html/pub/com.redhat.rhsa-RHEL7.xml.bz2
        wget -q https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_6.xml -O /var/www/html/pub/Red_Hat_Enterprise_Linux_6.xml
        
      3. Add the cron job:
        cat > /etc/cron.d/rhn-oscap-update-db <<EOF
        ### Update OpenSCAP database
        30 3 * * * root /usr/bin/wget -q https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 -O /var/www/html/pub/com.redhat.rhsa-RHEL7.xml.bz2
        35 3 * * * root /usr/bin/wget -q https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_6.xml -O /var/www/html/pub/Red_Hat_Enterprise_Linux_6.xml
        EOF
        systemctl reload crond
        
      4. Apply the workaround for CentOS 6 clients, which do not ship these files, by publishing them from the Spacewalk server:
        ln -s /usr/share/xml/scap/ssg/content/ssg-centos6-ds.xml /var/www/html/pub/ssg-centos6-ds.xml
        ln -s /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml /var/www/html/pub/ssg-centos6-xccdf.xml
        ln -s /usr/share/xml/scap/ssg/content/ssg-rhel6-ocil.xml /var/www/html/pub/ssg-rhel6-ocil.xml
        
      5. Re-point the remote resource links to the local copies (replace values with yours):
        sed -i "s@https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2@http://spacewalk.svelab.local/pub/com.redhat.rhsa-RHEL7.xml.bz2@" /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
        sed -i "s@https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_6.xml@http://spacewalk.svelab.local/pub/Red_Hat_Enterprise_Linux_6.xml@" /usr/share/xml/scap/ssg/content/ssg-centos6-ds.xml
        
      6. Reduce the retention period of OpenSCAP reports:
        Spacewalk - OpenSCAP Retention Period
      7. Get the list of available OpenSCAP profiles:
        oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
        Output
        [root@spacewalk ~]# oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
        Document type: Source Data Stream
        Imported: 2018-01-21T12:41:08
        
        Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml
        Generated: (null)
        Version: 1.2
        Checklists:
                Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
                        Status: draft
                        Generated: 2017-10-19
                        Resolved: true
                        Profiles:
                                xccdf_org.ssgproject.content_profile_standard
                                xccdf_org.ssgproject.content_profile_pci-dss
                                xccdf_org.ssgproject.content_profile_C2S
                                xccdf_org.ssgproject.content_profile_rht-ccp
                                xccdf_org.ssgproject.content_profile_common
                                xccdf_org.ssgproject.content_profile_stig-rhel7-disa
                                xccdf_org.ssgproject.content_profile_stig-rhevh-upstream
                                xccdf_org.ssgproject.content_profile_ospp-rhel7
                                xccdf_org.ssgproject.content_profile_cjis-rhel7-server
                                xccdf_org.ssgproject.content_profile_docker-host
                                xccdf_org.ssgproject.content_profile_nist-800-171-cui
                        Referenced check files:
                                ssg-rhel7-oval.xml
                                        system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                                ssg-rhel7-ocil.xml
                                        system: http://scap.nist.gov/schema/ocil/2
                                http://spacewalk.svelab.local/pub/com.redhat.rhsa-RHEL7.xml.bz2
                                        system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                Ref-Id: scap_org.open-scap_cref_ssg-rhel7-pcidss-xccdf-1.2.xml
                        Status: draft
                        Generated: 2017-10-19
                        Resolved: true
                        Profiles:
                                xccdf_org.ssgproject.content_profile_pci-dss_centric
                        Referenced check files:
                                ssg-rhel7-oval.xml
                                        system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                                ssg-rhel7-ocil.xml
                                        system: http://scap.nist.gov/schema/ocil/2
                                http://spacewalk.svelab.local/pub/com.redhat.rhsa-RHEL7.xml.bz2
                                        system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        Checks:
                Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml
                Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml
                Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml
                Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml000
                Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml000
        Dictionaries:
                Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-dictionary.xml
        

      8. Add scripts into a configuration channel for target systems:

        Upload the rhn-oscap-check-db.zip script into the Common configuration channel and create the cron job:

        Spacewalk - OpenSCAP Check DB

        Cron job:

        ##### THIS FILE IS MANAGED BY SPACEWALK
        40 3 * * * root /root/scripts/rhn-oscap-check-db.sh
        

        Spacewalk - OpenSCAP Cron

      9. Start the system audit on a target system using OpenSCAP via Spacewalk:
        CentOS 7:
        Command-line Arguments: --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_stig-rhevh-upstream
        Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
        
        CentOS 6:
        Command-line Arguments: --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_stig-rhel6-server-upstream
        Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-centos6-ds.xml
        
        Oracle Linux 7:
        Command-line Arguments: --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa
        Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
        

        Spacewalk - OpenSCAP Audit
        Spacewalk - OpenSCAP Report
        Spacewalk - OpenSCAP Details

        Note: Do not worry if you see this error in the OpenSCAP Scans tab:

        Downloading: http://spacewalk.svelab.local/pub/com.redhat.rhsa-RHEL7.xml.bz2 ... ok
        xccdf_eval: oscap tool returned 2

        Explanation (from man oscap):
        Normally, the exit status is 0 when operation finished successfully and 1 otherwise. In cases when oscap performs evaluation of the system it may return 2 indicating success of the operation but incompliance of the assessed system.
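        Two checks for the OpenSCAP setup, added here and not part of the original article: remote_refs confirms that the sed re-pointing in step 5 took effect by listing every http(s) href in a datastream that is not served by our own mirror, and oscap_outcome/run_audit turn the exit status discussed in the note above into a word so that a cron wrapper treats 2 (scan finished, host non-compliant) differently from 1 (tool error). The function names are hypothetical and MIRROR is the hostname used in this article.

```shell
#!/bin/sh
# Added example, not part of the original article: checks for the OpenSCAP
# section. remote_refs lists remote hrefs in a SCAP datastream that do not
# point at our mirror (otherwise --fetch-remote-resources makes every client
# pull OVAL data from redhat.com). oscap_outcome names the oscap exit status.
# MIRROR is the hostname from the article; replace it with yours.

MIRROR='spacewalk.svelab.local'

# Print the remote hrefs in datastream $1 that are not served by $MIRROR.
# Returns 0 when there are none (all remote resources are local), else 1.
remote_refs() {
    found=$(grep -o 'href="https\{0,1\}://[^"]*"' "$1" \
              | sed 's/^href="//; s/"$//' \
              | grep -v "^https\{0,1\}://${MIRROR}/" \
              | sort -u)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Map an `oscap xccdf eval` exit status to a word (see man oscap):
#   0 finished, all selected rules passed
#   1 oscap itself failed (bad profile, unreadable datastream, ...)
#   2 finished, but at least one rule failed: the host is non-compliant
oscap_outcome() {
    case "$1" in
        0) echo compliant ;;
        1) echo error ;;
        2) echo noncompliant ;;
        *) echo unknown ;;
    esac
}

# Run the same evaluation the Spacewalk action in step 9 triggers and print
# the outcome word. The return status is non-zero only for a real tool error,
# so a cron job or monitoring check is not paged for an expected "noncompliant".
#   run_audit /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml \
#       xccdf_org.ssgproject.content_profile_stig-rhel7-disa /var/tmp/oscap-results.xml
run_audit() {
    if oscap xccdf eval --fetch-remote-resources --profile "$2" \
            --results "$3" "$1" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    outcome=$(oscap_outcome "$rc")
    echo "$outcome"
    [ "$outcome" != error ]
}
```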

      Register Clients

      1. Upload required files onto Spacewalk:
        cd /var/www/html/pub/
        wget -q http://yum.spacewalkproject.org/2.7-client/RHEL/7/x86_64/spacewalk-client-repo-2.7-2.el7.noarch.rpm
        wget -q http://yum.spacewalkproject.org/2.7-client/RHEL/6/x86_64/spacewalk-client-repo-2.7-2.el6.noarch.rpm
        wget -q http://mirrors.kernel.org/fedora-epel/RPM-GPG-KEY-EPEL-7 -O RPM-GPG-KEY-EPEL-7
        wget -q http://mirrors.kernel.org/fedora-epel/RPM-GPG-KEY-EPEL-6 -O RPM-GPG-KEY-EPEL-6
        wget -q http://yum.spacewalkproject.org/RPM-GPG-KEY-spacewalk-2015 -O RPM-GPG-KEY-spacewalk-2015
        
      2. Download the registration script and unpack it into the public directory:
        cd /tmp
        wget https://svelab.com/download/linman-centos.zip
        unzip /tmp/linman-centos.zip -d /var/www/html/pub/
        rm -f /tmp/linman-centos.zip
        

        Important: Replace the values of LINMAN_SITES and LINMAN_SITES_MENU variables in the script with yours.

      3. Register the Spacewalk server itself:
        bash /var/www/html/pub/linman-centos.sh
        Output
        [root@spacewalk ~]# bash /var/www/html/pub/linman-centos.sh
         Spacewalk Registrator for CentOS 6/7 and Oracle Linux 7 v0.3 (21-Dec-2017)
        
        [1]   Importing GPG keys
        
        gpg-pubkey-f4a80eb5-53a7ff4b    gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>)
        gpg-pubkey-352c64e5-52ae6884    gpg(Fedora EPEL (7) <epel@fedoraproject.org>)
        gpg-pubkey-b8002de1-553126bd    gpg(Spacewalk <spacewalk-devel@redhat.com>)
        gpg-pubkey-e8e1716a-58d0f953    gpg(@spacewalkproject_java-packages (None) <@spacewalkproject#java-packages@copr.fedorahosted.org>)
        gpg-pubkey-0608b895-4bd22942    gpg(EPEL (6) <epel@fedoraproject.org>)
        
        [2]   Installing packages for registering this box with Spacewalk / SUSE Manager
        
        Package deltarpm-3.6-3.el7.x86_64 already installed and latest version
        Package epel-release-7-11.noarch already installed and latest version
        Package yum-utils-1.1.31-42.el7.noarch already installed and latest version
        Warning: RPMDB altered outside of yum.
        warning: /etc/sysconfig/rhn/rhnsd created as /etc/sysconfig/rhn/rhnsd.rpmnew
        
        [3]   Disabling all external repositories
        Repositories to be disabled:
        
        Loaded plugins: fastestmirror, langpacks
        Loading mirror speeds from cached hostfile
         * base: mirror.ventraip.net.au
         * epel: epel.mirror.digitalpacific.com.au
         * extras: mirror.ventraip.net.au
         * updates: mirror.ventraip.net.au
        repo id                                                                            repo name                                                                                     status
        base/7/x86_64                                                                      CentOS-7 - Base                                                                                9,591
        epel/x86_64                                                                        Extra Packages for Enterprise Linux 7 - x86_64                                                12,219
        extras/7/x86_64                                                                    CentOS-7 - Extras                                                                                329
        group_spacewalkproject-java-packages/x86_64                                        Copr repo for java-packages owned by @spacewalkproject                                           211
        spacewalk/x86_64                                                                   Spacewalk                                                                                        117
        spacewalk-client/x86_64                                                            Spacewalk Client Tools                                                                            25
        updates/7/x86_64                                                                   CentOS-7 - Updates                                                                             1,698
        repolist: 24,190
        
        [4]   Registering this system with Spacewalk / SUSE Manager
        
        [5]   This system is now subscribed to the following channels:
        
        spacewalk27-client-centos7-x86_64
        epel7-centos7-x86_64
        centos7-x86_64-updates
        centos7-x86_64-extras
        centos7-x86_64
        
        [6]   Installing and configuring Remote Command Execution
        
        deploy is enabled
        diff is enabled
        upload is enabled
        mtime_upload is enabled
        run is enabled
        
        [7]   Installing and configuring OSAD for enabling Push to Clients
        
        Created symlink from /etc/systemd/system/multi-user.target.wants/osad.service to /usr/lib/systemd/system/osad.service.
        
        [8]   Installing and configuring OpenSCAP
        
        [9]   Pulling all configs/scripts from Spacewalk / SUSE Manager
        
        Client health:
         [OK] Spacewalk client (rhnsd)
         [OK] Push to Client feature (osad)
         [OK] Remote Command feature (rhncfg-actions-control)
         [OK] OpenSCAP utility (oscap)
         [OK] OpenSCAP datastreams (xml files)
         [OK] Config management client (rhncfg-client)
        
        Subscription to config channels:
        Using server name spacewalk.svelab.local
        Config channels:
        Label                           Name
        -----                           ----
        common-configs                  Common Configs
        
        Subscription to software channels:
        spacewalk27-client-centos7-x86_64
        epel7-centos7-x86_64
        centos7-x86_64-updates
        centos7-x86_64-extras
        centos7-x86_64
        
        DONE
        

        Spacewalk - Register Clients

      4. Subscribe this system to additional software channels:
        Spacewalk - Subscribe to channels
      5. Start the OpenSCAP audit (see the Security Audit with OpenSCAP section).
      6. Execute the following commands on target systems to register them with Spacewalk (replace values with yours):
        wget --no-proxy http://spacewalk.svelab.local/pub/linman-centos.sh -O /usr/sbin/linman-centos.sh
        chmod +x /usr/sbin/linman-centos.sh
        linman-centos.sh
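        Both scripts this article executes as root are fetched from elsewhere first: errata-import.pl from GitHub on every cron run (Errata for CentOS, step 2) and linman-centos.sh over plain HTTP from the Spacewalk server (step 6 above). The helpers below, added here and not part of the original article or of either project, run a downloaded file only when its SHA-256 matches a value pinned by the administrator; the function names are hypothetical and every hash in the usage comments is a placeholder to be replaced with the digest of a copy you have reviewed.

```shell
#!/bin/sh
# Added example, not part of the original article. Runs a downloaded script
# only when its SHA-256 matches a pinned value, so a changed upstream or mirror
# copy fails loudly instead of executing as root. Hashes in the usage comments
# are placeholders: compute yours with `sha256sum FILE` on a reviewed copy.

# Return 0 if $1 is readable and has SHA-256 $2, otherwise explain and return 1.
verify_sha256() {
    file="$1"; expected="$2"
    [ -r "$file" ] || { echo "REFUSING $file: not readable" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "REFUSING $file: sha256 is $actual, pinned $expected" >&2
        return 1
    fi
    return 0
}

# Download $1 to $2 and keep it only if it verifies against $3. On any
# failure the previous (already verified) copy at $2 is left untouched.
fetch_verified() {
    url="$1"; dest="$2"; expected="$3"
    part="${dest}.part"
    if wget -q "$url" -O "$part" && verify_sha256 "$part" "$expected"; then
        mv "$part" "$dest"
        return 0
    fi
    rm -f "$part"
    return 1
}

# Run script $2 under interpreter $1 with the remaining arguments, but only
# after it verifies against $3. Returns 1 without running anything otherwise.
run_verified() {
    interp="$1"; script="$2"; expected="$3"; shift 3
    verify_sha256 "$script" "$expected" || return 1
    "$interp" "$script" "$@"
}

# Usage inside the errata cron script (hash is a placeholder):
#   IMPORT_SHA='<sha256 of the reviewed errata-import.pl>'
#   fetch_verified https://github.com/stevemeier/cefs/raw/master/errata-import.pl \
#       "${workdir}/errata-import.pl" "$IMPORT_SHA" || exit 1
#   run_verified perl "${workdir}/errata-import.pl" "$IMPORT_SHA" --server "${servername}" ...
# Usage on a client instead of step 6's bare wget + execute (hash is a placeholder):
#   LINMAN_SHA='<sha256 of the reviewed linman-centos.sh>'
#   fetch_verified http://spacewalk.svelab.local/pub/linman-centos.sh \
#       /usr/sbin/linman-centos.sh "$LINMAN_SHA" \
#   && run_verified bash /usr/sbin/linman-centos.sh "$LINMAN_SHA"
```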
        

      Unregister clients

      1. Delete a system from Spacewalk:
        Spacewalk - Unregister clients
      2. Disable the Spacewalk agent on a target system:
        rm -f /etc/sysconfig/rhn/systemid
        sed -i 's/enabled = 1/enabled = 0/' /etc/yum/pluginconf.d/rhnplugin.conf
        systemctl disable rhnsd
        systemctl disable osad
        systemctl stop rhnsd
        systemctl stop osad
        
      3. Enable external repositories:
        yum-config-manager -q --enable base extras updates epel >> /dev/null 2>&1
        

      See also

      Deploying a Spacewalk Proxy
      Unattended Linux Installation
      Official Spacewalk Website
      Official Spacewalk Installation Instructions
      Spacewalk and RHN Satellite – Getting Started Guide
      How to use a certificate from a third party Certificate Authority (CA)
      How to regenerate SSL keys and CA certificates
      Push to Clients Troubleshooting (server side)
      Push to Clients Troubleshooting (client side)
      YUM Command Cheat Sheet

      Contact us

      Please feel free to contact us if you have any questions or suggestions, and post a comment below if you want to report a bug.

Published December 9th, 2017 (last updated 2018-04-28T21:42:42+00:00) | How To, Linux, Management, Monitoring, Scripts, Security
