This guide explains how to enable HTTP Strict Transport Security (HSTS) on Apache HTTPD.

• The first step is to verify that Apache HTTPD headers module is enabled. Check the following text in /etc/httpd/conf.modules.d/00-base.conf or /etc/httpd/conf/httpd.conf.

LoadModule headers_module modules/mod_headers.so

• Add the following text in /etc/httpd/conf.d/ssl.conf to <VirtualHost *:443> virtual host or for each SSL enabled virtual host.

Header always set Strict-Transport-Security "max-age=58099000; includeSubDomains"

• The final step is to redirect traffic from the non-encrypted virtual host to HTTPS as follows:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>

• Restart HTTPD service as follows:

systemctl restart httpd

YUM command is used for installing, querying, deleting, and managing CentOS/AlmaLinux packages in local and remote repositories. Use the following YUM Cheat Sheet as a quick reference for commands and options.

Use the below command to find files above 200M in / or in /opt. You can specify certain file system on the command line replacing / or /opt/

# find / -xdev -size +200M

# find /opt -xdev -size +200M

You may need to find files with specific permissions in a Linux server for audit and security reasons. You can use the Linux find command to achieve this task.

• The following command can be used to find files with (group or other or both) writable permission and SET UID set.

# find / -perm /022 -and -perm -4000 -exec ls -ldb {} ;
                        ^^^^                       ^
                        | | | |                           |– So the SUID is 4
                        | | | |– Other is writable (2)
                        | | |–Group permission is writable (2)
                        | |– No owner permission mentioned (0)
                       |– As the logic is OR – group or other or both

• You can use the following command to list files with other writable excluding sticky bit sets.

# find / -perm -002 -and -perm -1000 -exec ls -ldb {} ;

• Use the following command to list files with other writable excluding sticky bit set.

# find / -perm -002 -not -perm -1000 -exec ls -ldb {} ;

• The following command can be used to list files with (group + other) writable and SET GID set.

# find / -perm -2022 -exec ls -ldb {} ;

• The Find command to list files with (group + other) writable permission and SET UID set.

# find / -perm -4022 -exec ls -ldb {} ;

• Command to list files with other writable and sticky bit sets.

# find / -perm -1002 -exec ls -ldb {} ;

• Command to list files with other writable excluding sticky bit set.

# find / -perm -002 -not -perm -1000 -exec ls -ldb {} ;

Use the du command to list firectories with largest disk space. Replace DIREC in the following commands with a starting directory (e.g; / or /etc)

# du -sh $DIREC/* | sort -r --human-numeric-sort | head -n10

In the above command, head -n10 option can be changed to list few or more results in the output.

Another example is given below.

# du -sh /* | sort -r --human-numeric-sort | head -n10

All numeric login names are not supported in AlmaLinux and CentOS. usernames that begin with a digit and also contain letters are not known to have any issue. However, in CentOS 7 version, some system tools can make varying assumptions.

In Almalinux 8 and future releases, ALL numeric usernames are not supported. For more details check the man page of useradd. An excerpt is given below:

Usernames may contain only lower and upper case letters, digits, underscores, or dashes. They can end with a dollar sign. Dashes are not allowed at the beginning of the username. Fully numeric usernames and usernames . or .. are also disallowed. It is not recommended to use
usernames beginning with . character as their home directories will be hidden in the ls output. In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?

In CentOS 7, user and group names consisting of only digits, while permitted by shadow-utils,  should best be avoided. OS tools, getent, setfacl, and chown can’t recognize ALL numeric login names. If you still want to create ALL numeric usernames shadow-utils will require the SHADOW_ALLOW_ALL_NUMERIC_USER environment variable to be set to any value so as to allow useradd to make ALL numeric usernames.

POSIX does not forbid ALL numeric user names but it can introduce certain issues. Some programs only manipulate a string or an integer but CLI tools get their input as strings. They have to decide whether 3OO1 should be treated as a string username or an integer UID. 

TCP throughput (SCP) from a remote host is slow. By looking at the trace, it is noticed that the CentOS server is waiting for up to 40ms before sending an ACK.

In CentOS releases before 7.2, delayed Acks can only be reduced by cannot be eliminated. In CentOS 7.2, quickacks are tunable on a per route basis. By enabling quickacks delayed, The kernel disables aCKs. You can allow quickacks by executing ip route change based on ip route show.

# ip route show
default via 192.168.1.254 dev ens1 proto static metric 100
192.168.1.0/24 dev ens1 proto kernel scope link src 192.168.1.112 metric 100

# ip route change default via 192.168.1.254 dev ens1 proto static metric 100 quickack 1

# ip route change 192.168.1.0/24 dev ens1 proto kernel scope link src 192.168.1.112 metric 100 quickack 1


# ip route show
default via 192.168.1.254 dev ens1 proto static metric 100 quickack 1
192.168.1.0/24 dev ens3 proto kernel scope link src 192.168.1.112 metric 100 quickack 1

You can verify if the FANOTIFY is enabled in the kernel by using the following command.

# cat /boot/config-$(uname -r) | grep FANOTIFY
CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y

FANOTIFY is built in the kernel, so there is no need to load other modules. It is enabled by default in CentOS 7,8 and AlmaLinux 8.