Post-installation

De Wiki de Jordan LE NUFF
Sauter à la navigation Sauter à la recherche
Ligne 1 : Ligne 1 :
Page à l'état de brouillon
+
=== Ajout de l'autorité de certification interne ===
 +
Initialisation des certificats d'autorité racine :
 +
update-ca-trust enable
 +
 
 +
Dépôt du certificat de l'autorité de certification de l'entreprise dans le dossier <code>/etc/pki/ca-trust/source/anchors</code>
 +
 
 +
Import du certificat précédemment déposé avec la commande :
 +
update-ca-trust extract
 +
 
 +
=== Ajout du dépôt EPEL ===
 
<pre>
 
<pre>
 +
yum -y install epel-release
 
yum makecache
 
yum makecache
 
yum update
 
yum update
yum install yum-utils bind-utils yum-cron wget bash-completion
+
yum install yum-utils bind-utils yum-cron wget bash-completion lsof nmon net-tools dos2unix deltarpm vim sg3_utils open-vm-tools sysstat samba-client samba zip
# Umask hardening
+
init 6
sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/bashrc
+
</pre>
sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/csh.cshrc
+
 
sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/profile
+
===Préparation de la configuration Samba===
sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/init.d/functions
+
cp /etc/samba/smb.conf /etc/samba/smb.conf.default
# Driver unused
+
sed -i -e 's/^\([^#].*\)/#\1/g' /etc/samba/smb.conf
yum remove alsa-* ivtv-* iwl*firmware aic94xx-firmware
+
sed -i -e 's/^#\[global\]/[global]\n\tguest account = www\n\tmap to guest = Bad User/' /etc/samba/smb.conf
# Disable radio
+
 
nmcli radio all off
+
===Modification du umask===
# Disable IPv6
+
<pre>
 +
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/bashrc
 +
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/csh.cshrc
 +
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/profile
 +
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/init.d/functions
 +
sed -i -e 's@Subsystem\tsftp\t/usr/libexec/openssh/sftp-server@\#Subsystem\tsftp\t/usr/libexec/openssh/sftp-server\nSubsystem\tsftp\tinternal-sftp -u 0007@g' /etc/ssh/sshd_config
 +
systemctl restart sshd
 +
</pre>
 +
Modification du umask par défaut pour la crontab
 +
<pre>
 +
mkdir /etc/systemd/system/crond.service.d
 +
chmod 755 /etc/systemd/system/crond.service.d
 +
cat <<EOF > /etc/systemd/system/crond.service.d/override.conf
 +
[Service]
 +
UMask=0007
 +
EOF
 +
chmod 644 /etc/systemd/system/crond.service.d/override.conf
 +
systemctl daemon-reload
 +
systemctl restart crond
 +
</pre>
 +
 
 +
===Suppression des pilotes inutiles===
 +
yum remove alsa-* ivtv-* iwl*firmware aic94xx-firmware
 +
 
 +
===Désactivation de la wifi===
 +
nmcli radio all off
 +
 
 +
===Désactivation de l'IPv6===
 +
<pre>
 
echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
 
echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
 
echo "IPV6INIT=no" >> /etc/sysconfig/network
 
echo "IPV6INIT=no" >> /etc/sysconfig/network
# Disable SELINUX
+
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
setenforce 0
+
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
+
sysctl -p
# Delete unused users
+
sed -i 's/#AddressFamily any/AddressFamily inet/g' /etc/ssh/sshd_config
 +
systemctl restart sshd
 +
sed -i 's/OPTIONS=""/OPTIONS="-4"/g' /etc/sysconfig/chronyd
 +
systemctl restart chronyd
 +
</pre>
 +
 
 +
===Désactivation du selinux===
 +
setenforce 0
 +
sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
 +
 
 +
===Suppression des utilisateurs inutiles===
 +
<pre>
 
userdel -r adm
 
userdel -r adm
 
userdel -r ftp
 
userdel -r ftp
Ligne 25 : Ligne 74 :
 
userdel -r lp
 
userdel -r lp
 
groupdel games
 
groupdel games
# Augmenter l'historique des commandes de 1000 à 5000 lignes
+
</pre>
sed -i 's/HISTSIZE=.*/HISTSIZE=5000/g' /etc/profile
+
 
# Ajout du dépôt EPEL
+
===Augmenter l'historique des commandes de 1000 à 5000 lignes===
yum -y install epel-release
+
sed -i 's/HISTSIZE=.*/HISTSIZE=5000/g' /etc/profile
yum makecache
 
# Ajout de l'option "clean_requirements_on_remove=1" pour supprimer automatiquement les dépendances non-utilisées lors de la désinstallation d'un paquet
 
yum-config-manager --setopt=clean_requirements_on_remove=1 --save
 
# Installation de msmtp
 
yum install msmtp mailx
 
vi /etc/msmtprc
 
# If it exists, it usually defines a default account.
 
# This allows msmtp to be used like /usr/sbin/sendmail.
 
account default
 
  
# The SMTP smarthost
+
===Ajout de l'option "clean_requirements_on_remove=1" pour supprimer automatiquement les dépendances non-utilisées lors de la désinstallation d'un paquet===
host smtp.groupegdb.local
+
yum-config-manager --setopt=clean_requirements_on_remove=1 --save
  
# Use TLS on port 465
+
===Installation de msmtp===
port 25
+
<pre>
tls off
+
yum install msmtp mailx
tls_starttls off
+
/etc/msmtprc
 +
chmod o+r /etc/msmtprc
 +
</pre>
  
# Construct envelope-from addresses of the form "user@oursite.example"
+
===Paramétrage NTP===
from %U@%H
+
yum -y install ntpdate && ntpdate ntp.myntpserver.com && systemctl enable ntpdate.service
  
# Syslog logging with facility LOG_MAIL instead of the default LOG_USER
+
===Ajout d'alias complémentaires===
syslog LOG_MAIL
+
<pre>
 +
echo "alias vi='vim'" >> /etc/profile.d/sh.local
 +
</pre>
  
mkdir -p /local/exploit
+
===Préparation à la compilation===
scp -r 172.18.20.177:/home/tools/bin /local/exploit
+
mkdir /data/builds
echo "export PATH=\$PATH:/local/exploit/bin" >> /etc/profile.d/sh.local
+
yum install -y gcc glibc-devel glibc-headers kernel-headers libmpc mpfr autoconf
 +
yum install -y pcre-devel
 +
yum install -y expat-devel
 +
yum install -y systemd-devel
  
mkdir /local/builds
+
===Ajout du groupe www et des dossiers /data/www /data/logs ===
yum install gcc
+
useradd www -m
glibc-devel   
+
  mkdir -p /data/{www,logs}
glibc-headers  
+
chown www:www /data/{www,logs}
kernel-headers
+
chmod 770 /data/{www,logs}
libmpc       
 
mpfr         
 
yum install pcre-devel
 
yum install expat-devel
 
yum install systemd-devel
 
groupadd www
 
mkdir /data/www
 
chown :www /data/www
 
  
mkdir -p /local/httpd/httpd-2.4.43
+
===Compilation et installation d'Apache===
ln -s httpd-2.4.43 /local/httpd/current
+
<pre>
 +
useradd -r apache
 +
usermod -aG www apache
 +
mkdir -p /opt/httpd/httpd-2.4.43
 +
ln -s httpd-2.4.43 /opt/httpd/current
 
wget https://mirror.ibcp.fr/pub/apache//httpd/httpd-2.4.43.tar.gz
 
wget https://mirror.ibcp.fr/pub/apache//httpd/httpd-2.4.43.tar.gz
tar -zxf httpd-2.4.43.tar.gz -C /local/builds
+
tar -zxf httpd-2.4.43.tar.gz -C /data/builds
 
wget http://mirrors.standaloneinstaller.com/apache//apr/apr-1.7.0.tar.gz
 
wget http://mirrors.standaloneinstaller.com/apache//apr/apr-1.7.0.tar.gz
 
tar -zxf apr-1.7.0.tar.gz
 
tar -zxf apr-1.7.0.tar.gz
mv apr-1.7.0 /local/builds/httpd-2.4.43/srclib/apr
+
mv apr-1.7.0 /data/builds/httpd-2.4.43/srclib/apr
 
wget http://mirrors.standaloneinstaller.com/apache//apr/apr-util-1.6.1.tar.gz
 
wget http://mirrors.standaloneinstaller.com/apache//apr/apr-util-1.6.1.tar.gz
 
tar -zxf apr-util-1.6.1.tar.gz
 
tar -zxf apr-util-1.6.1.tar.gz
mv apr-util-1.6.1 /local/builds/httpd-2.4.43/srclib/apr-util
+
mv apr-util-1.6.1 /data/builds/httpd-2.4.43/srclib/apr-util
cd /local/builds/httpd-2.4.43
+
cd /data/builds/httpd-2.4.43
 
./configure \
 
./configure \
--prefix=/local/httpd/current \
+
--prefix=/opt/httpd/current \
--sysconfdir=/local/httpd/conf \
+
--sysconfdir=/opt/httpd/conf \
 
--enable-proxy \
 
--enable-proxy \
 
--enable-proxy-http \
 
--enable-proxy-http \
Ligne 96 : Ligne 139 :
 
--enable-status \
 
--enable-status \
 
--enable-systemd \
 
--enable-systemd \
--enable-mods-static="proxy rewrite authz-core authz-host log-config alias dir unixd mime remoteip status systemd" \
+
--enable-setenvif \
 +
--enable-headers \
 +
--enable-mods-static="proxy rewrite authz-core authz-host log-config alias dir unixd mime remoteip status systemd setenvif headers" \
 
--disable-so \
 
--disable-so \
 
--disable-proxy-connect \
 
--disable-proxy-connect \
Ligne 118 : Ligne 163 :
 
--disable-filter \
 
--disable-filter \
 
--disable-reqtimeout \
 
--disable-reqtimeout \
--disable-setenvif \
 
 
--disable-version \
 
--disable-version \
 
--disable-authn-dbm \
 
--disable-authn-dbm \
Ligne 132 : Ligne 176 :
 
--disable-cache \
 
--disable-cache \
 
--disable-file-cache \
 
--disable-file-cache \
--disable-headers \
 
 
--disable-cache-disk \
 
--disable-cache-disk \
 
--disable-cache-socache \
 
--disable-cache-socache \
Ligne 138 : Ligne 181 :
 
--disable-socache-memcache \
 
--disable-socache-memcache \
 
--disable-socache-redis \
 
--disable-socache-redis \
--disable-socache-shmcb
+
--disable-socache-shmcb \
make -j
+
&& make -j && make install
make install
+
chown -R root:apache /opt/httpd
cd
+
echo "export PATH=\$PATH:/opt/httpd/current/bin" >> /etc/profile.d/sh.local
useradd -r apache
+
echo "[Unit]" >> /usr/lib/systemd/system/http.service
usermod -aG www apache
+
echo "Description=The Apache HTTP Server" >> /usr/lib/systemd/system/http.service
chown -R root:apache /local/httpd
+
echo "After=network.target" >> /usr/lib/systemd/system/http.service
echo "export PATH=\$PATH:/local/httpd/current/bin" >> /etc/profile.d/sh.local
+
echo "" >> /usr/lib/systemd/system/http.service
vi /usr/lib/systemd/system/http.service
+
echo "[Service]" >> /usr/lib/systemd/system/http.service
[Unit]
+
echo "Type=notify" >> /usr/lib/systemd/system/http.service
Description=The Apache HTTP Server
+
echo "ExecStart=/opt/httpd/current/bin/httpd -D FOREGROUND -k start" >> /usr/lib/systemd/system/http.service
After=network.target
+
echo "ExecReload=/opt/httpd/current/bin/httpd -k graceful" >> /usr/lib/systemd/system/http.service
 
+
echo "ExecStop=/opt/httpd/current/bin/httpd -k stop" >> /usr/lib/systemd/system/http.service
[Service]
+
echo "KillMode=mixed" >> /usr/lib/systemd/system/http.service
Type=notify
+
echo "TimeoutStopSec=60" >> /usr/lib/systemd/system/http.service
ExecStart=/local/httpd/current/bin/httpd -D FOREGROUND -k start
+
echo "" >> /usr/lib/systemd/system/http.service
ExecReload=/local/httpd/current/bin/httpd -k graceful
+
echo "[Install]" >> /usr/lib/systemd/system/http.service
KillMode=mixed
+
echo "WantedBy=multi-user.target" >> /usr/lib/systemd/system/http.service
TimeoutStopSec=60
+
chmod o+r /usr/lib/systemd/system/http.service
 
 
[Install]
 
WantedBy=multi-user.target
 
 
systemctl daemon-reload
 
systemctl daemon-reload
systemctl enable http
+
systemctl start http.service
systemctl start http
+
systemctl enable http.service
 
firewall-cmd --add-service=http
 
firewall-cmd --add-service=http
 
firewall-cmd --add-service=http --permanent
 
firewall-cmd --add-service=http --permanent
mkdir -p /data/logs/{localhost,vmwcentos7}
+
mkdir -p /data/logs/{localhost,$(hostname -s)}
 
chmod o+rx /data
 
chmod o+rx /data
 +
chown www:www /data/logs/localhost
 +
chmod 770 /data/logs/localhost
 
touch /data/logs/localhost/localhost_http_{error,access}.log
 
touch /data/logs/localhost/localhost_http_{error,access}.log
touch /data/logs/vmwcentos7/vmwcentos7_http_{error,access}.log
+
touch /data/logs/$(hostname -s)/$(hostname -s)_http_{error,access}.log
mkdir /local/httpd/conf/vhosts
+
mkdir /opt/httpd/conf/vhosts
 +
</pre>
  
 +
===Compilation et installation de CMake===
 +
<pre>
 
cd
 
cd
 
yum install openssl-devel keyutils-libs-devel krb5-devel libcom_err-devel libkadm5 libselinux-devel libsepol-devel libverto-devel     
 
yum install openssl-devel keyutils-libs-devel krb5-devel libcom_err-devel libkadm5 libselinux-devel libsepol-devel libverto-devel     
mkdir /local/cmake
+
mkdir /opt/cmake
 
wget https://github.com/Kitware/CMake/releases/download/v3.18.0-rc3/cmake-3.18.0-rc3.tar.gz
 
wget https://github.com/Kitware/CMake/releases/download/v3.18.0-rc3/cmake-3.18.0-rc3.tar.gz
tar -zxf cmake-3.18.0-rc3.tar.gz -C /local/builds
+
tar -zxf cmake-3.18.0-rc3.tar.gz -C /data/builds
cd /local/builds/cmake-3.18.0-rc3
+
cd /data/builds/cmake-3.18.0-rc3
./bootstrap --prefix=/local/cmake/cmake-3.18.0-rc3
+
./bootstrap --prefix=/opt/cmake/cmake-3.18.0-rc3
 
make
 
make
 
make install
 
make install
ln -s cmake-3.18.0-rc3 /local/cmake/current
+
ln -s cmake-3.18.0-rc3 /opt/cmake/current
echo "export PATH=\$PATH:/local/cmake/current/bin" >> /etc/profile.d/sh.local
+
echo "export PATH=\$PATH:/opt/cmake/current/bin" >> /etc/profile.d/sh.local
 +
</pre>
  
 +
===Compilation et installation de libzip===
 +
<pre>
 
cd
 
cd
 
wget https://libzip.org/download/libzip-1.7.1.tar.gz
 
wget https://libzip.org/download/libzip-1.7.1.tar.gz
tar -zxf libzip-1.7.1.tar.gz -C /local/builds
+
tar -zxf libzip-1.7.1.tar.gz -C /data/builds
mkdir /local/builds/libzip-1.7.1/build
+
mkdir /data/builds/libzip-1.7.1/build
cd /local/builds/libzip-1.7.1/build
+
cd /data/builds/libzip-1.7.1/build
 
cmake -DCMAKE_INSTALL_PREFIX=/usr ..
 
cmake -DCMAKE_INSTALL_PREFIX=/usr ..
 
make
 
make
 
make install
 
make install
 +
</pre>
 +
 +
===Installation des paquets nécessaires à la compilation de PHP===
 +
<pre>
 +
yum -y install zlib-devel
 +
yum -y install bzip2-devel
 +
yum -y install libcurl-devel
 +
yum -y install libpng-devel
 +
yum -y install libicu-devel libicu
 +
yum -y install gcc-c++ libstdc++-devel
 +
yum -y install openldap-devel cyrus-sasl cyrus-sasl-devel
 +
yum -y install oniguruma-devel oniguruma
 +
yum -y install libxml2-devel xz-devel
 +
yum -y install unixODBC unixODBC-devel
 +
</pre>
  
yum install zlib-devel
+
===Création du user/groupe pour PHP-FPM===
yum install bzip2-devel
+
useradd -r php-fpm
yum install libcurl-devel
+
usermod -g www -G php-fpm php-fpm
yum install libpng-devel
 
yum install libicu-devel libicu
 
yum install gcc-c++ libstdc++-devel
 
yum install openldap-devel cyrus-sasl cyrus-sasl-devel
 
yum install oniguruma-devel oniguruma
 
yum install libxml2-devel xz-devel
 
  
 +
===Compilation et installation de PHP 7.4.7 avec FPM===
 +
<pre>
 
cd
 
cd
useradd -r php-fpm
+
mkdir -p /opt/php/php-7.4.7
usermod -aG www php-fpm
 
mkdir -p /local/php/php-7.4.7
 
ln -s php-7.4.7 /local/php/current
 
echo "export PATH=\$PATH:/local/php/current/bin" >> /etc/profile.d/sh.local
 
 
wget https://www.php.net/distributions/php-7.4.7.tar.gz
 
wget https://www.php.net/distributions/php-7.4.7.tar.gz
tar -zxf php-7.4.7.tar.gz -C /local/builds
+
tar -zxf php-7.4.7.tar.gz -C /data/builds
cd /local/builds/php-7.4.7
+
cd /data/builds/php-7.4.7
 
./configure \
 
./configure \
--prefix=/local/php/php-7.4.7 \
+
--prefix=/opt/php/php-7.4.7 \
--with-config-file-path=/local/php/php-7.4.7 \
+
--with-config-file-path=/opt/php/php-7.4.7 \
 
--disable-all \
 
--disable-all \
 
--enable-static \
 
--enable-static \
Ligne 229 : Ligne 284 :
 
--enable-gd \
 
--enable-gd \
 
--enable-intl \
 
--enable-intl \
--disable-json \
 
 
--with-ldap \
 
--with-ldap \
 
--enable-mbstring \
 
--enable-mbstring \
Ligne 237 : Ligne 291 :
 
--enable-phar \
 
--enable-phar \
 
--with-libxml \
 
--with-libxml \
 +
--with-iconv \
 +
--enable-dom \
 +
--enable-filter \
 +
--enable-tokenizer \
 +
--enable-json \
 +
--enable-session \
 
--enable-xml \
 
--enable-xml \
 
--enable-xmlreader \
 
--enable-xmlreader \
 
--enable-xmlwriter \
 
--enable-xmlwriter \
 
--enable-opcache \
 
--enable-opcache \
 +
--enable-fileinfo \
 +
--enable-simplexml \
 +
--enable-soap \
 +
--enable-ftp \
 
--with-zip \
 
--with-zip \
 
--with-pear \
 
--with-pear \
--with-libdir=lib64
+
--with-openssl \
make -j
+
--with-libdir=lib64 \
make install
+
--with-mysqli \
 +
&& make -j && make install
 +
cp /opt/php/php-7.4.7/etc/php-fpm.conf.default /opt/php/php-7.4.7/etc/php-fpm.conf
 +
cp /data/builds/php-7.4.7/php.ini-production /opt/php/php-7.4.7/php.ini
 +
sed -i -e 's@;error_log = syslog@;error_log = syslog\nerror_log = /data/logs/localhost/localhost_php-7.4.7.log@g' /opt/php/php-7.4.7/php.ini
 +
sed -i -e 's@;sendmail_path =@sendmail_path = "/usr/bin/msmtp -t"@g' /opt/php/php-7.4.7/php.ini
 +
sed -i -e 's@;date.timezone =@date.timezone = "Europe/Paris"@g' /opt/php/php-7.4.7/php.ini
 +
sed -i -e 's@\[opcache\]@\[opcache\]\nzend_extension=/opt/php/php-7.4.7/lib/php/extensions/no-debug-non-zts-20190902/opcache.so@g' /opt/php/php-7.4.7/php.ini
 +
/opt/php/php-7.4.7/bin/pear config-set php_ini /opt/php/php-7.4.7/php.ini system
 +
/opt/php/php-7.4.7/bin/pecl config-set php_ini /opt/php/php-7.4.7/php.ini system
 +
echo "[localhost]" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "listen = /opt/php/sockets/php-7.4.7_\$pool.sock" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "listen.owner = php-fpm" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "listen.group = www" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "listen.mode = 0660" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "pm = dynamic" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "pm.max_children = 5" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "pm.start_servers = 2" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "pm.min_spare_servers = 1" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "pm.max_spare_servers = 3" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "pm.status_path = /php-fpm-status" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "ping.path = /php-fpm-ping" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "access.log = /data/logs/\$pool/\$pool_php-7.4.7.access.log" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "slowlog = /data/logs/\$pool/\$pool_php-7.4.7.log.slow" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "php_admin_value[error_log] = /data/logs/\$pool/\$pool_php-7.4.7.log" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "php_admin_flag[log_errors] = on" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "php_admin_value[error_reporting] = E_ALL" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "php_admin_value[session.save_path] = \"/opt/php/sessions/\$pool/\"" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
echo "php_value[session.save_path] = \"/opt/php/\$pool/\"" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
 +
mkdir -p /opt/php/sockets
 +
mkdir -p /opt/php/sessions
 +
chown -R php-fpm:www /opt/php
 +
cp /data/builds/php-7.4.7/sapi/fpm/php-fpm.service /usr/lib/systemd/system/php-fpm-7.4.7.service
 +
sed -i -e 's/\[Service\]/\[Service\]\nUMask=0007\nUser=php-fpm\nGroup=www/g' /usr/lib/systemd/system/php-fpm-7.4.7.service
 +
chmod o+r /usr/lib/systemd/system/php-fpm-7.4.7.service
 +
</pre>
 +
 
 +
Suppression dans le fichier <code>/usr/lib/systemd/system/php-fpm-7.4.7.service</code> des sections surlignées suivantes :
 +
<syntaxhighlight lang="ini" highlight="28-48,53-55">
 +
# It's not recommended to modify this file in-place, because it
 +
# will be overwritten during upgrades.  If you want to customize,
 +
# the best way is to use the "systemctl edit" command.
 +
 
 +
[Unit]
 +
Description=The PHP FastCGI Process Manager
 +
After=network.target
 +
 
 +
[Service]
 +
Type=notify
 +
PIDFile=/opt/php/php-7.4.7/var/run/php-fpm.pid
 +
ExecStart=/opt/php/php-7.4.7/sbin/php-fpm --nodaemonize --fpm-config /opt/php/php-7.4.7/etc/php-fpm.conf
 +
ExecReload=/bin/kill -USR2 $MAINPID
 +
 
 +
# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
 +
# so this service cannot access the global directories and other processes cannot
 +
# access this service's directories.
 +
PrivateTmp=true
 +
 
 +
# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
 +
ProtectSystem=full
 +
 
 +
# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
 +
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
 +
# but no physical devices such as /dev/sda.
 +
PrivateDevices=true
 +
 
 +
# Explicit module loading will be denied. This allows to turn off module load and unload
 +
# operations on modular kernels. It is recommended to turn this on for most services that
 +
# do not need special file systems or extra kernel modules to work.
 +
ProtectKernelModules=true
 +
 
 +
# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
 +
# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
 +
# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
 +
# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
 +
# recommended to turn this on for most services.
 +
ProtectKernelTunables=true
 +
 
 +
# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
 +
# made read-only to all processes of the unit. Except for container managers no services should
 +
# require write access to the control groups hierarchies; it is hence recommended to turn this on
 +
# for most services
 +
ProtectControlGroups=true
 +
 
 +
# Any attempts to enable realtime scheduling in a process of the unit are refused.
 +
RestrictRealtime=true
 +
 
 +
# Restricts the set of socket address families accessible to the processes of this unit.
 +
# Protects against vulnerabilities such as CVE-2016-8655
 +
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 +
 
 +
# Takes away the ability to create or manage any kind of namespace
 +
RestrictNamespaces=true
 +
 
 +
[Install]
 +
WantedBy=multi-user.target
 +
</syntaxhighlight>
 +
 
 +
Prise en compte des modifications :
 +
<pre>
 +
systemctl daemon-reload
 +
systemctl start php-fpm-7.4.7.service
 +
systemctl enable php-fpm-7.4.7.service
 +
</pre>
 +
 
 +
===Compilation et installation de PHP 5.6.40 avec FPM===
 +
<pre>
 +
cd
 +
mkdir -p /opt/php/php-5.6.40
 +
wget https://www.php.net/distributions/php-5.6.40.tar.gz
 +
tar -zxf php-5.6.40.tar.gz -C /data/builds
 +
cd /data/builds/php-5.6.40
 +
./configure \
 +
--prefix=/opt/php/php-5.6.40 \
 +
--with-config-file-path=/opt/php/php-5.6.40 \
 +
--disable-all \
 +
--enable-static \
 +
--enable-fpm \
 +
--with-fpm-user=php-fpm \
 +
--with-fpm-group=php-fpm \
 +
--with-fpm-systemd \
 +
--disable-ipv6 \
 +
--enable-cli \
 +
--with-zlib \
 +
--with-bz2 \
 +
--enable-calendar \
 +
--enable-ctype \
 +
--with-curl \
 +
--with-gd \
 +
--enable-intl \
 +
--enable-filter \
 +
--enable-hash \
 +
--enable-json \
 +
--with-ldap \
 +
--enable-mbstring \
 +
--enable-pdo \
 +
--with-pdo-mysql \
 +
--with-pdo-odbc=unixODBC,/usr \
 +
--enable-shared=pdo-mysql \
 +
--enable-phar \
 +
--enable-libxml \
 +
--enable-xml \
 +
--enable-xmlreader \
 +
--enable-xmlwriter \
 +
--enable-opcache \
 +
--enable-zip \
 +
--enable-soap \
 +
--with-pear \
 +
--with-openssl \
 +
--with-libdir=lib64 \
 +
--with-mysqli \
 +
--enable-dom \
 +
--with-iconv \
 +
--enable-simplexml \
 +
--enable-tokenizer \
 +
--enable-session \
 +
&& make -j && make install
 +
cp /opt/php/php-5.6.40/etc/php-fpm.conf.default /opt/php/php-5.6.40/etc/php-fpm.conf
 +
cp /data/builds/php-5.6.40/php.ini-production /opt/php/php-5.6.40/php.ini
 +
sed -i -e 's@;error_log = syslog@;error_log = syslog\nerror_log = /data/logs/localhost/localhost_php-5.6.40.log@g' /opt/php/php-5.6.40/php.ini
 +
sed -i -e 's@;date.timezone =@date.timezone = "Europe/Paris"@g' /opt/php/php-5.6.40/php.ini
 +
sed -i -e 's@\[opcache\]@\[opcache\]\nzend_extension=/opt/php/php-5.6.40/lib/php/extensions/no-debug-non-zts-20131226/opcache.so@g' /opt/php/php-5.6.40/php.ini
 +
/opt/php/php-5.6.40/bin/pear config-set php_ini /opt/php/php-5.6.40/php.ini system
 +
/opt/php/php-5.6.40/bin/pecl config-set php_ini /opt/php/php-5.6.40/php.ini system
 +
mkdir /opt/php/php-5.6.40/etc/php-fpm.d
 +
echo "[localhost]" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "user = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "group = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "listen = /opt/php/sockets/php-5.6.40_\$pool.sock" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "listen.owner = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "listen.group = www" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "listen.mode = 0660" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "pm = dynamic" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "pm.max_children = 5" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "pm.start_servers = 2" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "pm.min_spare_servers = 1" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "pm.max_spare_servers = 3" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "pm.status_path = /php-fpm-status" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "ping.path = /php-fpm-ping" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "access.log = /data/logs/\$pool/\$pool_php-5.6.40.access.log" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "slowlog = /data/logs/\$pool/\$pool_php-5.6.40.log.slow" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "php_admin_value[error_log] = /data/logs/\$pool/\$pool_php-5.6.40.log" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "php_admin_flag[log_errors] = on" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "php_admin_value[error_reporting] = E_ALL" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "php_admin_value[session.save_path] = \"/opt/php/sessions/\$pool/\"" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "php_value[session.save_path] = \"/opt/php/\$pool/\"" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
mkdir -p /opt/php/sockets
 +
chown -R php-fpm:www /opt/php
 +
cp /usr/lib/systemd/system/php-fpm-7.4.7.service /usr/lib/systemd/system/php-fpm-5.6.40.service
 +
sed -i -e 's/7.4.7/5.6.40/g' /usr/lib/systemd/system/php-fpm-5.6.40.service
 +
sed -i -e 's/\[Service\]/\[Service\]\nUMask=0007\nUser=php-fpm\nGroup=www/g' /usr/lib/systemd/system/php-fpm-5.6.40.service
 +
chmod o+r /usr/lib/systemd/system/php-fpm-5.6.40.service
 +
</pre>
 +
 
 +
Suppression dans le fichier <code>/usr/lib/systemd/system/php-fpm-5.6.40.service</code> des sections surlignées suivantes :
 +
<syntaxhighlight lang="ini" highlight="28-48,53-55">
 +
# It's not recommended to modify this file in-place, because it
 +
# will be overwritten during upgrades.  If you want to customize,
 +
# the best way is to use the "systemctl edit" command.
 +
 
 +
[Unit]
 +
Description=The PHP FastCGI Process Manager
 +
After=network.target
 +
 
 +
[Service]
 +
Type=notify
 +
PIDFile=/opt/php/php-5.6.40/var/run/php-fpm.pid
 +
ExecStart=/opt/php/php-5.6.40/sbin/php-fpm --nodaemonize --fpm-config /opt/php/php-5.6.40/etc/php-fpm.conf
 +
ExecReload=/bin/kill -USR2 $MAINPID
 +
 
 +
# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
 +
# so this service cannot access the global directories and other processes cannot
 +
# access this service's directories.
 +
PrivateTmp=true
 +
 
 +
# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
 +
ProtectSystem=full
 +
 
 +
# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
 +
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
 +
# but no physical devices such as /dev/sda.
 +
PrivateDevices=true
 +
 
 +
# Explicit module loading will be denied. This allows to turn off module load and unload
 +
# operations on modular kernels. It is recommended to turn this on for most services that
 +
# do not need special file systems or extra kernel modules to work.
 +
ProtectKernelModules=true
 +
 
 +
# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
 +
# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
 +
# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
 +
# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
 +
# recommended to turn this on for most services.
 +
ProtectKernelTunables=true
 +
 
 +
# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
 +
# made read-only to all processes of the unit. Except for container managers no services should
 +
# require write access to the control groups hierarchies; it is hence recommended to turn this on
 +
# for most services
 +
ProtectControlGroups=true
 +
 
 +
# Any attempts to enable realtime scheduling in a process of the unit are refused.
 +
RestrictRealtime=true
 +
 
 +
# Restricts the set of socket address families accessible to the processes of this unit.
 +
# Protects against vulnerabilities such as CVE-2016-8655
 +
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 +
 
 +
# Takes away the ability to create or manage any kind of namespace
 +
RestrictNamespaces=true
 +
 
 +
[Install]
 +
WantedBy=multi-user.target
 +
</syntaxhighlight>
 +
 
 +
Prise en compte des modifications :
 +
<pre>
 +
systemctl daemon-reload
 +
systemctl start php-fpm-5.6.40.service
 +
systemctl enable php-fpm-5.6.40.service
 +
</pre>
 +
 
 +
===Installation de Webmin===
 +
<pre>
 +
cd
 +
echo "[Webmin]" >> /etc/yum.repos.d/webmin.repo
 +
echo "name=Webmin Distribution Neutral" >> /etc/yum.repos.d/webmin.repo
 +
echo "#baseurl=https://download.webmin.com/download/yum" >> /etc/yum.repos.d/webmin.repo
 +
echo "mirrorlist=https://download.webmin.com/download/yum/mirrorlist" >> /etc/yum.repos.d/webmin.repo
 +
echo "enabled=1" >> /etc/yum.repos.d/webmin.repo
 +
wget https://download.webmin.com/jcameron-key.asc
 +
rpm --import jcameron-key.asc
 +
yum install webmin perl-Authen-PAM
 +
/etc/rc.d/init.d/webmin stop
 +
find /etc -type l -name *webmin -exec unlink {} \;
 +
echo "[Unit]" >> /usr/lib/systemd/system/webmin.service
 +
echo "Description=Webmin" >> /usr/lib/systemd/system/webmin.service
 +
echo "Requires=local-fs.target" >> /usr/lib/systemd/system/webmin.service
 +
echo "After=basic.target" >> /usr/lib/systemd/system/webmin.service
 +
echo "Conflicts=shutdown.target" >> /usr/lib/systemd/system/webmin.service
 +
echo "" >> /usr/lib/systemd/system/webmin.service
 +
echo "[Service]" >> /usr/lib/systemd/system/webmin.service
 +
echo "Type=oneshot" >> /usr/lib/systemd/system/webmin.service
 +
echo "RemainAfterExit=yes" >> /usr/lib/systemd/system/webmin.service
 +
echo "ExecStart=/etc/webmin/start" >> /usr/lib/systemd/system/webmin.service
 +
echo "ExecStop=/etc/webmin/stop" >> /usr/lib/systemd/system/webmin.service
 +
echo "ExecReload=/etc/webmin/reload" >> /usr/lib/systemd/system/webmin.service
 +
echo "" >> /usr/lib/systemd/system/webmin.service
 +
echo "[Install]" >> /usr/lib/systemd/system/webmin.service
 +
echo "WantedBy=multi-user.target" >> /usr/lib/systemd/system/webmin.service
 +
chmod o+r /usr/lib/systemd/system/webmin.service
 +
systemctl daemon-reload
 +
sed -i -e 's/ssl=1/ssl=0/g' /etc/webmin/miniserv.conf
 +
sed -i -e 's/ipv6=1/ipv6=0/g' /etc/webmin/miniserv.conf
 +
echo "cookiepath=/webmin" >> /etc/webmin/miniserv.conf
 +
echo "webprefix=/webmin" >> /etc/webmin/config
 +
echo "webprefixnoredir=1" >> /etc/webmin/config
 +
echo "referer=1" >> /etc/webmin/config
 +
systemctl start webmin.service
 +
systemctl enable webmin.service
 +
# Ajout des lignes ci-dessous dans la configuration du vhost local /opt/httpd/conf/vhosts/$(hostname -s).conf
 +
# Configuration Webmin
 +
ProxyPass /webmin http://localhost:10000
 +
ProxyPassReverse /webmin http://localhost:10000
 +
# Fin de configuration Webmin
 +
httpd -k graceful
 +
</pre>
 +
 
 +
===Configuration Shinken===
 +
<pre>
 +
useradd shinken -U -d /home/shinken -m
 +
passwd shinken
 +
mkdir /home/shinken/.ssh
 +
chmod 700 /home/shinken/.ssh
 +
echo "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yyyyyyyyy@oneserver.mydomain.local" >> /home/shinken/.ssh/authorized_keys
 +
echo "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yyyyyyyyy@anotherserver.mydomain.local" >> /home/shinken/.ssh/authorized_keys
 +
chmod 600 /home/shinken/.ssh/authorized_keys
 +
chown -R shinken:shinken /home/shinken/.ssh
 +
</pre>
 +
 
 +
===Installation de Oracle Instant Client===
 +
<pre>
 +
wget https://yum.oracle.com/RPM-GPG-KEY-oracle-ol7 -O /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
 +
gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
 +
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
 +
echo "[ol7_latest]" >> /etc/yum.repos.d/ol7-temp.repo
 +
echo "name=Oracle Linux \$releasever Latest ($basearch)" >> /etc/yum.repos.d/ol7-temp.repo
 +
echo "baseurl=https://yum.oracle.com/repo/OracleLinux/OL7/latest/\$basearch/" >> /etc/yum.repos.d/ol7-temp.repo
 +
echo "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle" >> /etc/yum.repos.d/ol7-temp.repo
 +
echo "gpgcheck=1" >> /etc/yum.repos.d/ol7-temp.repo
 +
echo "enabled=1" >> /etc/yum.repos.d/ol7-temp.repo
 +
yum install oraclelinux-release-el7
 +
mv /etc/yum.repos.d/ol7-temp.repo /etc/yum.repos.d/ol7-temp.repo.disabled
 +
yum install oracle-release-el7
 +
yum install oracle-instantclient19.6
 +
mv /etc/yum.repos.d/oracle-linux-ol7.repo{,.disabled}
 +
mv /etc/yum.repos.d/oracle-ol7.repo{,.disabled}
 +
mv /etc/yum.repos.d/uek-ol7.repo{,.disabled}
 +
rm -rf /var/cache/yum/x86_64/7/ol7_*
 +
yum clean all
 +
yum makecache
 +
</pre>
 +
 
 +
===Installation de l'extension oci8 pour PHP 7.4.7===
 +
/opt/php/php-7.4.7/bin/pecl channel-update pecl.php.net
 +
/opt/php/php-7.4.7/bin/pecl install oci8
 +
 
 +
===Installation de l'extension oci8 pour PHP 5.6.40===
 +
/opt/php/php-5.6.40/bin/pecl channel-update pecl.php.net
 +
/opt/php/php-5.6.40/bin/pecl install oci8-2.0.12
 +
 
 +
===Installation du pilote ODBC pour MSSQL===
 +
curl https://packages.microsoft.com/config/rhel/7/prod.repo > /etc/yum.repos.d/mssql-release.repo
 +
ACCEPT_EULA=Y yum install msodbcsql17
 +
 
 +
===Installation de l'extension pdo_sqlsrv pour PHP 7.4.7===
 +
/opt/php/php-7.4.7/bin/pecl install pdo_sqlsrv
 +
 
 +
===Programme set_php_version===
 +
Contenu du programme <code>/opt/php/set_php_version</code> :
 +
<syntaxhighlight lang="bash">
 +
#!/bin/bash
 +
# Ce programme doit être sourcé pour modifier le PATH
 +
# . set_php_version
 +
declare -A versions
 +
declare -A bin_dirs
 +
 
 +
get_bin_dirs() {
 +
i=1
 +
for bin_dir in $(find /opt/php -type d -name bin 2> /dev/null);
 +
do
 +
version="$($bin_dir/php -v|head -1|awk '{print $2}')"
 +
versions[$i]=$version
 +
bin_dirs[$version]=$bin_dir
 +
((i++))
 +
done
 +
}
 +
 
 +
pathremove () {
 +
        local IFS=':'
 +
        local NEWPATH
 +
        local DIR
 +
        local PATHVARIABLE=${2:-PATH}
 +
        for DIR in ${!PATHVARIABLE} ; do
 +
                if [ "$DIR" != "$1" ] ; then
 +
                  NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
 +
                fi
 +
        done
 +
        export ${PATHVARIABLE}="$NEWPATH"
 +
}
 +
 
 +
pathprepend () {
 +
        pathremove $1 $2
 +
        local PATHVARIABLE=${2:-PATH}
 +
        export $PATHVARIABLE="$1${!PATHVARIABLE:+:${!PATHVARIABLE}}"
 +
}
 +
 
 +
pathappend () {
 +
        pathremove $1 $2
 +
        local PATHVARIABLE=${2:-PATH}
 +
        export $PATHVARIABLE="${!PATHVARIABLE:+${!PATHVARIABLE}:}$1"
 +
}
 +
 
 +
 
 +
if [ "$#" -eq 0 ];
 +
then
 +
## Récupération des différents dossiers hébergeant les binaires PHP
 +
#########################
 +
get_bin_dirs
 +
 
 +
## Choix de version PHP
 +
#########################
 +
echo -e "Veuillez choisir une version de PHP à utiliser :\n"
 +
i=1
 +
 
 +
# On parcourt le tableau des applications
 +
for version in "${versions[@]}"
 +
do
 +
# On affiche une liste numérotéé des versions
 +
echo "$i) $version"
 +
((i++))
 +
done
 +
echo ""
 +
read -p "Choix : " version_choice
 +
echo ""
 +
 
 +
if [[ $version_choice != "" ]]
 +
then
 +
# On peut choisir la version par son numéro
 +
if [[ $version_choice =~ ^[[:digit:]]+$ ]]
 +
then
 +
if [[ ! -z ${versions[$version_choice]} ]]
 +
then
 +
str_bindir=${bin_dirs[${versions[$version_choice]}]}
 +
str_version=${versions[$version_choice]}
 +
fi
 +
# Ou par la version directement
 +
elif [[ ! -z ${bin_dirs[$version_choice]} ]]
 +
then
 +
str_bindir=${bin_dirs[$version_choice]}
 +
str_version=${version_choice}
 +
fi
 +
fi
 +
elif [ "$#" -eq 1 ];
 +
then
 +
## Récupération des dossifférents dossiers hébergeant les binaires PHP
 +
#########################
 +
get_bin_dirs
 +
 
 +
if [[ ! -z ${bin_dirs[$1]} ]]
 +
then
 +
str_bindir=${bin_dirs[$1]}
 +
str_version=$1
 +
elif [[ $1 == "reset" ]]
 +
then
 +
echo "Reset du PATH sans les binaires PHP"
 +
for dir in ${bin_dirs[*]}
 +
do
 +
pathremove "${dir}"
 +
done
 +
if [[ ! -z $oldPS1 ]]
 +
then
 +
PS1=$oldPS1
 +
unset oldPS1
 +
else
 +
PS1="[\u@\h \W]\\$ "
 +
fi
 +
fi
 +
else
 +
echo "Nombre de paramètres attendus : 1"
 +
fi
 +
 
 +
if [[ -z $str_bindir ]]
 +
then
 +
if [[ $1 != "reset" ]]
 +
then
 +
echo "Choix de version invalide !"
 +
get_bin_dirs
 +
echo "Versions disponibles : "${!bin_dirs[*]}
 +
fi
 +
else
 +
echo -e "Version de PHP : $str_version. Path : $str_bindir"
 +
echo -e "Pour retirer les binaires PHP du PATH, utiliser la commande « set_php_version reset »"
 +
for dir in ${bin_dirs[*]}
 +
do
 +
pathremove "${dir}"
 +
done
 +
 
 +
pathprepend ${str_bindir}
 +
 
 +
if [[ -z $oldPS1 ]]
 +
then
 +
oldPS1=$PS1
 +
fi
 +
export PS1="[\u@\h \W|\[\033[0;31m\]PHP ${str_version}\[\033[0m\]]\\$ "
 +
fi
 +
 
 +
unset version versions str_bindir bin_dir bin_dirs pathremove pathprepend pathappend get_bin_dirs version_choice str_version
 +
</syntaxhighlight>
 +
 
 +
Changement des droits d'accès
 +
chmod 555 /opt/php/set_php_version
 +
 
 +
Ajout de l'alias dans le profile par défaut :
 +
echo "alias set_php_version='. /opt/php/set_php_version'" >> /etc/profile.d/sh.local
 +
 
 +
===Installation Zabbix===
 +
====Installation de l'agent====
 +
<pre>
 +
rpm -Uvh https://repo.zabbix.com/zabbix/4.4/rhel/7/x86_64/zabbix-release-4.4-1.el7.noarch.rpm
 +
rpm -import http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591
 +
yum install zabbix-agent
 +
sed -i -e 's/Server=127.0.0.1/Server=myzabbixserver/g' -e 's/ServerActive=127.0.0.1/ServerActive=myzabbixserver/g' -e 's/Hostname=Zabbix server/Hostname=$(hostname -s)/g' -e 's@PidFile=/var/run/zabbix/zabbix_agentd.pid@PidFile=/run/zabbix/zabbix_agentd.pid@g' /etc/zabbix/zabbix_agentd.conf
 +
</pre>
  
 +
====Ajout du service dans le pare-feu====
 +
<pre>
 +
firewall-cmd --permanent --new-service=zabbixclient
 +
firewall-cmd --permanent --service=zabbixclient --set-description="Zabbix Client Service"
 +
firewall-cmd --permanent --service=zabbixclient --set-short=zabbixclient
 +
firewall-cmd --permanent --service=zabbixclient --add-port=10050/tcp
 +
firewall-cmd --reload
 
</pre>
 
</pre>
 +
 +
====Installation du template PHP-FPM====
 +
Installation des prérequis :
 +
yum -y install grep gawk lsof jq fcgi unzip bc
 +
 +
Téléchargement de la dernière version :
 +
curl -L $(curl -s https://api.github.com/repos/rvalitov/zabbix-php-fpm/releases/latest | grep 'zipball_' | cut -d\" -f4) --output /tmp/zabbix-php-fpm.zip
 +
 +
Extraction des fichiers :
 +
unzip -j /tmp/zabbix-php-fpm.zip "*/zabbix/*" "*/ispconfig/*" -d /tmp/zabbix-php-fpm
 +
 +
Copie des fichiers dans la configuration Zabbix :
 +
cp /tmp/zabbix-php-fpm/userparameter_php_fpm.conf $(find /etc/zabbix/ -name zabbix_agentd*.d -type d | head -n1)
 +
cp /tmp/zabbix-php-fpm/zabbix_php_fpm_discovery.sh /etc/zabbix/
 +
cp /tmp/zabbix-php-fpm/zabbix_php_fpm_status.sh /etc/zabbix/
 +
 +
Ajout du droit d’exécution sur les scripts :
 +
chown zabbix /etc/zabbix/zabbix_agentd.d/userparameter_php_fpm.conf
 +
chmod +x /etc/zabbix/zabbix_php_fpm_discovery.sh
 +
chmod +x /etc/zabbix/zabbix_php_fpm_status.sh
 +
 +
Ajouter les droits nécessaires dans sudoers pour Zabbix :
 +
echo 'zabbix ALL = NOPASSWD: /etc/zabbix/zabbix_php_fpm_discovery.sh,/etc/zabbix/zabbix_php_fpm_status.sh' | EDITOR='tee -a' visudo -f /etc/sudoers.d/sudo_zabbix
 +
 +
Augmentation du seuil de connexion par socket sur le serveur :
 +
echo "net.core.somaxconn=1024" | tee -a /etc/sysctl.conf
 +
sysctl -p
 +
 +
Supprimer les fichiers temporaires :
 +
rm /tmp/zabbix-php-fpm.zip
 +
rm -rf /tmp/zabbix-php-fpm
 +
 +
===Ajout de l'outil cachetool===
 +
====Pour PHP 7====
 +
curl -sLO https://github.com/gordalina/cachetool/releases/latest/download/cachetool.phar
 +
chmod o+rx cachetool.phar
 +
mv cachetool.phar /usr/local/bin/cachetool
 +
 +
====Pour PHP 5====
 +
curl -sLO https://gordalina.github.io/cachetool/downloads/cachetool-3.2.2.phar
 +
chmod o+rx cachetool-3.2.2.phar
 +
mv cachetool-3.2.2.phar /usr/local/bin/cachetool_for_PHP5
 +
 +
[[Category:Apache]]
 +
[[Category:Apache 2.4]]
 +
[[Category:Apache 2.4.43]]
 +
[[Category:Webmin]]
 +
[[Category:Shinken]]
 +
[[Category:Zabbix]]
 +
[[Category:PHP]]
 +
[[Category:PHP 5]]
 +
[[Category:PHP 5.6.40]]
 +
[[Category:PHP 7]]
 +
[[Category:PHP 7.4.7]]
 +
[[Category:PHP-FPM]]
 +
[[Category:CentOS]]
 +
[[Category:CentOS 7]]

Version du 22 mars 2021 à 14:45

Sommaire

Ajout de l'autorité de certification interne

Initialisation des certificats d'autorité racine : 

update-ca-trust enable

Dépôt du certificat de l'autorité de certification de l'entreprise dans le dossier /etc/pki/ca-trust/source/anchors

Import du certificat précédemment déposé avec la commande : 

update-ca-trust extract

Ajout du dépôt EPEL

yum -y install epel-release
yum makecache
yum update
yum install yum-utils bind-utils yum-cron wget bash-completion lsof nmon net-tools dos2unix deltarpm vim sg3_utils open-vm-tools sysstat samba-client samba zip
init 6

Préparation de la configuration Samba

cp /etc/samba/smb.conf /etc/samba/smb.conf.default
sed -i -e 's/^\([^#].*\)/#\1/g' /etc/samba/smb.conf
sed -i -e 's/^#\[global\]/[global]\n\tguest account = www\n\tmap to guest = Bad User/' /etc/samba/smb.conf

Modification du umask

sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/bashrc
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/csh.cshrc
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/profile
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/init.d/functions
sed -i -e 's@Subsystem\tsftp\t/usr/libexec/openssh/sftp-server@\#Subsystem\tsftp\t/usr/libexec/openssh/sftp-server\nSubsystem\tsftp\tinternal-sftp -u 0007@g' /etc/ssh/sshd_config
systemctl restart sshd

Modification du umask par défaut pour la crontab 

mkdir /etc/systemd/system/crond.service.d
chmod 755 /etc/systemd/system/crond.service.d
cat <<EOF > /etc/systemd/system/crond.service.d/override.conf
[Service]
UMask=0007
EOF
chmod 644 /etc/systemd/system/crond.service.d/override.conf
systemctl daemon-reload
systemctl restart crond

Suppression des pilotes inutiles

yum remove alsa-* ivtv-* iwl*firmware aic94xx-firmware

Désactivation de la wifi

nmcli radio all off

Désactivation de l'IPv6

echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
echo "IPV6INIT=no" >> /etc/sysconfig/network
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
sysctl -p
sed -i 's/#AddressFamily any/AddressFamily inet/g' /etc/ssh/sshd_config
systemctl restart sshd
sed -i 's/OPTIONS=""/OPTIONS="-4"/g' /etc/sysconfig/chronyd
systemctl restart chronyd

Désactivation du selinux

setenforce 0
sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

Suppression des utilisateurs inutiles

userdel -r adm
userdel -r ftp
userdel -r games
userdel -r lp
groupdel games

Augmenter l'historique des commandes de 1000 à 5000 lignes

sed -i 's/HISTSIZE=.*/HISTSIZE=5000/g' /etc/profile

Ajout de l'option "clean_requirements_on_remove=1" pour supprimer automatiquement les dépendances non-utilisées lors de la désinstallation d'un paquet

yum-config-manager --setopt=clean_requirements_on_remove=1 --save

Installation de msmtp

yum install msmtp mailx
/etc/msmtprc
chmod o+r /etc/msmtprc

Paramétrage NTP

yum -y install ntpdate && ntpdate ntp.myntpserver.com && systemctl enable ntpdate.service

Ajout d'alias complémentaires

echo "alias vi='vim'" >> /etc/profile.d/sh.local

Préparation à la compilation

mkdir /data/builds
yum install -y gcc glibc-devel glibc-headers kernel-headers libmpc mpfr autoconf
yum install -y pcre-devel
yum install -y expat-devel
yum install -y systemd-devel

Ajout du groupe www et des dossiers /data/www /data/logs

useradd www -m
mkdir -p /data/{www,logs}
chown www:www /data/{www,logs}
chmod 770 /data/{www,logs}

Compilation et installation d'Apache

useradd -r apache
usermod -aG www apache
mkdir -p /opt/httpd/httpd-2.4.43
ln -s httpd-2.4.43 /opt/httpd/current
wget https://mirror.ibcp.fr/pub/apache//httpd/httpd-2.4.43.tar.gz
tar -zxf httpd-2.4.43.tar.gz -C /data/builds
wget http://mirrors.standaloneinstaller.com/apache//apr/apr-1.7.0.tar.gz
tar -zxf apr-1.7.0.tar.gz
mv apr-1.7.0 /data/builds/httpd-2.4.43/srclib/apr
wget http://mirrors.standaloneinstaller.com/apache//apr/apr-util-1.6.1.tar.gz
tar -zxf apr-util-1.6.1.tar.gz
mv apr-util-1.6.1 /data/builds/httpd-2.4.43/srclib/apr-util
cd /data/builds/httpd-2.4.43
./configure \
--prefix=/opt/httpd/current \
--sysconfdir=/opt/httpd/conf \
--enable-proxy \
--enable-proxy-http \
--enable-proxy-wstunnel \
--enable-proxy-fcgi \
--enable-rewrite \
--enable-authz-host \
--enable-mime \
--enable-static-support \
--enable-remoteip \
--enable-status \
--enable-systemd \
--enable-setenvif \
--enable-headers \
--enable-mods-static="proxy rewrite authz-core authz-host log-config alias dir unixd mime remoteip status systemd setenvif headers" \
--disable-so \
--disable-proxy-connect \
--disable-proxy-ftp \
--disable-proxy-scgi \
--disable-proxy-uwsgi \
--disable-proxy-fdpass \
--disable-proxy-ajp \
--disable-proxy-balancer \
--disable-proxy-express \
--disable-proxy-hcheck \
--disable-access-compat \
--disable-auth \
--disable-auth-basic \
--disable-authn-core \
--disable-authn-file \
--disable-authz-groupfile \
--disable-authz-user \
--disable-autoindex \
--disable-env \
--disable-filter \
--disable-reqtimeout \
--disable-version \
--disable-authn-dbm \
--disable-authn-anon \
--disable-authn-dbd \
--disable-authn-socache \
--disable-authz-dbm \
--disable-authz-owner \
--disable-authz-dbd \
--disable-auth-form \
--disable-auth-digest \
--disable-allowmethods \
--disable-cache \
--disable-file-cache \
--disable-cache-disk \
--disable-cache-socache \
--disable-socache-dbm \
--disable-socache-memcache \
--disable-socache-redis \
--disable-socache-shmcb \
&& make -j && make install
chown -R root:apache /opt/httpd
echo "export PATH=\$PATH:/opt/httpd/current/bin" >> /etc/profile.d/sh.local
echo "[Unit]" >> /usr/lib/systemd/system/http.service
echo "Description=The Apache HTTP Server" >> /usr/lib/systemd/system/http.service
echo "After=network.target" >> /usr/lib/systemd/system/http.service
echo "" >> /usr/lib/systemd/system/http.service
echo "[Service]" >> /usr/lib/systemd/system/http.service
echo "Type=notify" >> /usr/lib/systemd/system/http.service
echo "ExecStart=/opt/httpd/current/bin/httpd -D FOREGROUND -k start" >> /usr/lib/systemd/system/http.service
echo "ExecReload=/opt/httpd/current/bin/httpd -k graceful" >> /usr/lib/systemd/system/http.service
echo "ExecStop=/opt/httpd/current/bin/httpd -k stop" >> /usr/lib/systemd/system/http.service
echo "KillMode=mixed" >> /usr/lib/systemd/system/http.service
echo "TimeoutStopSec=60" >> /usr/lib/systemd/system/http.service
echo "" >> /usr/lib/systemd/system/http.service
echo "[Install]" >> /usr/lib/systemd/system/http.service
echo "WantedBy=multi-user.target" >> /usr/lib/systemd/system/http.service
chmod o+r /usr/lib/systemd/system/http.service
systemctl daemon-reload
systemctl start http.service
systemctl enable http.service
firewall-cmd --add-service=http
firewall-cmd --add-service=http --permanent
mkdir -p /data/logs/{localhost,$(hostname -s)}
chmod o+rx /data
chown www:www /data/logs/localhost
chmod 770 /data/logs/localhost
touch /data/logs/localhost/localhost_http_{error,access}.log
touch /data/logs/$(hostname -s)/$(hostname -s)_http_{error,access}.log
mkdir /opt/httpd/conf/vhosts

Compilation et installation de CMake

cd
yum install openssl-devel keyutils-libs-devel krb5-devel libcom_err-devel libkadm5 libselinux-devel libsepol-devel libverto-devel     
mkdir /opt/cmake
wget https://github.com/Kitware/CMake/releases/download/v3.18.0-rc3/cmake-3.18.0-rc3.tar.gz
tar -zxf cmake-3.18.0-rc3.tar.gz -C /data/builds
cd /data/builds/cmake-3.18.0-rc3
./bootstrap --prefix=/opt/cmake/cmake-3.18.0-rc3
make
make install
ln -s cmake-3.18.0-rc3 /opt/cmake/current
echo "export PATH=\$PATH:/opt/cmake/current/bin" >> /etc/profile.d/sh.local

Compilation et installation de libzip

cd
wget https://libzip.org/download/libzip-1.7.1.tar.gz
tar -zxf libzip-1.7.1.tar.gz -C /data/builds
mkdir /data/builds/libzip-1.7.1/build
cd /data/builds/libzip-1.7.1/build
cmake -DCMAKE_INSTALL_PREFIX=/usr ..
make
make install

Installation des paquets nécessaires à la compilation de PHP

yum -y install zlib-devel
yum -y install bzip2-devel
yum -y install libcurl-devel
yum -y install libpng-devel
yum -y install libicu-devel libicu
yum -y install gcc-c++ libstdc++-devel
yum -y install openldap-devel cyrus-sasl cyrus-sasl-devel
yum -y install oniguruma-devel oniguruma
yum -y install libxml2-devel xz-devel
yum -y install unixODBC unixODBC-devel

Création du user/groupe pour PHP-FPM

useradd -r php-fpm
usermod -g www -G php-fpm php-fpm

Compilation et installation de PHP 7.4.7 avec FPM

cd
mkdir -p /opt/php/php-7.4.7
wget https://www.php.net/distributions/php-7.4.7.tar.gz
tar -zxf php-7.4.7.tar.gz -C /data/builds
cd /data/builds/php-7.4.7
./configure \
--prefix=/opt/php/php-7.4.7 \
--with-config-file-path=/opt/php/php-7.4.7 \
--disable-all \
--enable-static \
--enable-fpm \
--with-fpm-user=php-fpm \
--with-fpm-group=php-fpm \
--with-fpm-systemd \
--disable-ipv6 \
--enable-cli \
--with-zlib \
--with-bz2 \
--enable-calendar \
--enable-ctype \
--with-curl \
--enable-gd \
--enable-intl \
--with-ldap \
--enable-mbstring \
--enable-pdo \
--with-pdo-mysql \
--enable-shared=pdo-mysql \
--enable-phar \
--with-libxml \
--with-iconv \
--enable-dom \
--enable-filter \
--enable-tokenizer \
--enable-json \
--enable-session \
--enable-xml \
--enable-xmlreader \
--enable-xmlwriter \
--enable-opcache \
--enable-fileinfo \
--enable-simplexml \
--enable-soap \
--enable-ftp \
--with-zip \
--with-pear \
--with-openssl \
--with-libdir=lib64 \
--with-mysqli \
&& make -j && make install
cp /opt/php/php-7.4.7/etc/php-fpm.conf.default /opt/php/php-7.4.7/etc/php-fpm.conf
cp /data/builds/php-7.4.7/php.ini-production /opt/php/php-7.4.7/php.ini
sed -i -e 's@;error_log = syslog@;error_log = syslog\nerror_log = /data/logs/localhost/localhost_php-7.4.7.log@g' /opt/php/php-7.4.7/php.ini
sed -i -e 's@;sendmail_path =@sendmail_path = "/usr/bin/msmtp -t"@g' /opt/php/php-7.4.7/php.ini
sed -i -e 's@;date.timezone =@date.timezone = "Europe/Paris"@g' /opt/php/php-7.4.7/php.ini
sed -i -e 's@\[opcache\]@\[opcache\]\nzend_extension=/opt/php/php-7.4.7/lib/php/extensions/no-debug-non-zts-20190902/opcache.so@g' /opt/php/php-7.4.7/php.ini
/opt/php/php-7.4.7/bin/pear config-set php_ini /opt/php/php-7.4.7/php.ini system
/opt/php/php-7.4.7/bin/pecl config-set php_ini /opt/php/php-7.4.7/php.ini system
echo "[localhost]" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "listen = /opt/php/sockets/php-7.4.7_\$pool.sock" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "listen.owner = php-fpm" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "listen.group = www" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "listen.mode = 0660" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "pm = dynamic" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "pm.max_children = 5" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "pm.start_servers = 2" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "pm.min_spare_servers = 1" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "pm.max_spare_servers = 3" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "pm.status_path = /php-fpm-status" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "ping.path = /php-fpm-ping" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "access.log = /data/logs/\$pool/\$pool_php-7.4.7.access.log" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "slowlog = /data/logs/\$pool/\$pool_php-7.4.7.log.slow" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "php_admin_value[error_log] = /data/logs/\$pool/\$pool_php-7.4.7.log" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "php_admin_flag[log_errors] = on" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "php_admin_value[error_reporting] = E_ALL" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "php_admin_value[session.save_path] = \"/opt/php/sessions/\$pool/\"" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
echo "php_value[session.save_path] = \"/opt/php/\$pool/\"" >> /opt/php/php-7.4.7/etc/php-fpm.d/localhost.conf
mkdir -p /opt/php/sockets
mkdir -p /opt/php/sessions
chown -R php-fpm:www /opt/php
cp /data/builds/php-7.4.7/sapi/fpm/php-fpm.service /usr/lib/systemd/system/php-fpm-7.4.7.service
sed -i -e 's/\[Service\]/\[Service\]\nUMask=0007\nUser=php-fpm\nGroup=www/g' /usr/lib/systemd/system/php-fpm-7.4.7.service
chmod o+r /usr/lib/systemd/system/php-fpm-7.4.7.service

Suppression dans le fichier /usr/lib/systemd/system/php-fpm-7.4.7.service des sections surlignées suivantes : 

# It's not recommended to modify this file in-place, because it
# will be overwritten during upgrades.  If you want to customize,
# the best way is to use the "systemctl edit" command.

[Unit]
Description=The PHP FastCGI Process Manager
After=network.target

[Service]
Type=notify
PIDFile=/opt/php/php-7.4.7/var/run/php-fpm.pid
ExecStart=/opt/php/php-7.4.7/sbin/php-fpm --nodaemonize --fpm-config /opt/php/php-7.4.7/etc/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID

# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
# so this service cannot access the global directories and other processes cannot
# access this service's directories.
PrivateTmp=true

# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
ProtectSystem=full

# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
# but no physical devices such as /dev/sda.
PrivateDevices=true

# Explicit module loading will be denied. This allows to turn off module load and unload
# operations on modular kernels. It is recommended to turn this on for most services that
# do not need special file systems or extra kernel modules to work.
ProtectKernelModules=true

# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
# recommended to turn this on for most services.
ProtectKernelTunables=true

# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
# made read-only to all processes of the unit. Except for container managers no services should
# require write access to the control groups hierarchies; it is hence recommended to turn this on
# for most services
ProtectControlGroups=true

# Any attempts to enable realtime scheduling in a process of the unit are refused.
RestrictRealtime=true

# Restricts the set of socket address families accessible to the processes of this unit.
# Protects against vulnerabilities such as CVE-2016-8655
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX

# Takes away the ability to create or manage any kind of namespace
RestrictNamespaces=true

[Install]
WantedBy=multi-user.target

Prise en compte des modifications : 

systemctl daemon-reload
systemctl start php-fpm-7.4.7.service
systemctl enable php-fpm-7.4.7.service

Compilation et installation de PHP 5.6.40 avec FPM

cd
mkdir -p /opt/php/php-5.6.40
wget https://www.php.net/distributions/php-5.6.40.tar.gz
tar -zxf php-5.6.40.tar.gz -C /data/builds
cd /data/builds/php-5.6.40
./configure \
--prefix=/opt/php/php-5.6.40 \
--with-config-file-path=/opt/php/php-5.6.40 \
--disable-all \
--enable-static \
--enable-fpm \
--with-fpm-user=php-fpm \
--with-fpm-group=php-fpm \
--with-fpm-systemd \
--disable-ipv6 \
--enable-cli \
--with-zlib \
--with-bz2 \
--enable-calendar \
--enable-ctype \
--with-curl \
--with-gd \
--enable-intl \
--enable-filter \
--enable-hash \
--enable-json \
--with-ldap \
--enable-mbstring \
--enable-pdo \
--with-pdo-mysql \
--with-pdo-odbc=unixODBC,/usr \
--enable-shared=pdo-mysql \
--enable-phar \
--enable-libxml \
--enable-xml \
--enable-xmlreader \
--enable-xmlwriter \
--enable-opcache \
--enable-zip \
--enable-soap \
--with-pear \
--with-openssl \
--with-libdir=lib64 \
--with-mysqli \
--enable-dom \
--with-iconv \
--enable-simplexml \
--enable-tokenizer \
--enable-session \
&& make -j && make install
cp /opt/php/php-5.6.40/etc/php-fpm.conf.default /opt/php/php-5.6.40/etc/php-fpm.conf
cp /data/builds/php-5.6.40/php.ini-production /opt/php/php-5.6.40/php.ini
sed -i -e 's@;error_log = syslog@;error_log = syslog\nerror_log = /data/logs/localhost/localhost_php-5.6.40.log@g' /opt/php/php-5.6.40/php.ini
sed -i -e 's@;date.timezone =@date.timezone = "Europe/Paris"@g' /opt/php/php-5.6.40/php.ini
sed -i -e 's@\[opcache\]@\[opcache\]\nzend_extension=/opt/php/php-5.6.40/lib/php/extensions/no-debug-non-zts-20131226/opcache.so@g' /opt/php/php-5.6.40/php.ini
/opt/php/php-5.6.40/bin/pear config-set php_ini /opt/php/php-5.6.40/php.ini system
/opt/php/php-5.6.40/bin/pecl config-set php_ini /opt/php/php-5.6.40/php.ini system
mkdir /opt/php/php-5.6.40/etc/php-fpm.d
echo "[localhost]" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "user = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "group = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "listen = /opt/php/sockets/php-5.6.40_\$pool.sock" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "listen.owner = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "listen.group = www" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "listen.mode = 0660" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm = dynamic" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.max_children = 5" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.start_servers = 2" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.min_spare_servers = 1" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.max_spare_servers = 3" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.status_path = /php-fpm-status" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "ping.path = /php-fpm-ping" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "access.log = /data/logs/\$pool/\$pool_php-5.6.40.access.log" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "slowlog = /data/logs/\$pool/\$pool_php-5.6.40.log.slow" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_admin_value[error_log] = /data/logs/\$pool/\$pool_php-5.6.40.log" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_admin_flag[log_errors] = on" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_admin_value[error_reporting] = E_ALL" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_admin_value[session.save_path] = \"/opt/php/sessions/\$pool/\"" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_value[session.save_path] = \"/opt/php/\$pool/\"" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
mkdir -p /opt/php/sockets
chown -R php-fpm:www /opt/php
cp /usr/lib/systemd/system/php-fpm-7.4.7.service /usr/lib/systemd/system/php-fpm-5.6.40.service
sed -i -e 's/7.4.7/5.6.40/g' /usr/lib/systemd/system/php-fpm-5.6.40.service
sed -i -e 's/\[Service\]/\[Service\]\nUMask=0007\nUser=php-fpm\nGroup=www/g' /usr/lib/systemd/system/php-fpm-5.6.40.service
chmod o+r /usr/lib/systemd/system/php-fpm-5.6.40.service

Suppression dans le fichier /usr/lib/systemd/system/php-fpm-5.6.40.service des sections surlignées suivantes : 

# It's not recommended to modify this file in-place, because it
# will be overwritten during upgrades.  If you want to customize,
# the best way is to use the "systemctl edit" command.

[Unit]
Description=The PHP FastCGI Process Manager
After=network.target

[Service]
Type=notify
PIDFile=/opt/php/php-5.6.40/var/run/php-fpm.pid
ExecStart=/opt/php/php-5.6.40/sbin/php-fpm --nodaemonize --fpm-config /opt/php/php-5.6.40/etc/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID

# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
# so this service cannot access the global directories and other processes cannot
# access this service's directories.
PrivateTmp=true

# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
ProtectSystem=full

# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
# but no physical devices such as /dev/sda.
PrivateDevices=true

# Explicit module loading will be denied. This allows to turn off module load and unload
# operations on modular kernels. It is recommended to turn this on for most services that
# do not need special file systems or extra kernel modules to work.
ProtectKernelModules=true

# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
# recommended to turn this on for most services.
ProtectKernelTunables=true

# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
# made read-only to all processes of the unit. Except for container managers no services should
# require write access to the control groups hierarchies; it is hence recommended to turn this on
# for most services
ProtectControlGroups=true

# Any attempts to enable realtime scheduling in a process of the unit are refused.
RestrictRealtime=true

# Restricts the set of socket address families accessible to the processes of this unit.
# Protects against vulnerabilities such as CVE-2016-8655
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX

# Takes away the ability to create or manage any kind of namespace
RestrictNamespaces=true

[Install]
WantedBy=multi-user.target

Prise en compte des modifications : 

systemctl daemon-reload
systemctl start php-fpm-5.6.40.service
systemctl enable php-fpm-5.6.40.service

Installation de Webmin

cd
echo "[Webmin]" >> /etc/yum.repos.d/webmin.repo
echo "name=Webmin Distribution Neutral" >> /etc/yum.repos.d/webmin.repo
echo "#baseurl=https://download.webmin.com/download/yum" >> /etc/yum.repos.d/webmin.repo
echo "mirrorlist=https://download.webmin.com/download/yum/mirrorlist" >> /etc/yum.repos.d/webmin.repo
echo "enabled=1" >> /etc/yum.repos.d/webmin.repo
wget https://download.webmin.com/jcameron-key.asc
rpm --import jcameron-key.asc
yum install webmin perl-Authen-PAM
/etc/rc.d/init.d/webmin stop
find /etc -type l -name *webmin -exec unlink {} \;
echo "[Unit]" >> /usr/lib/systemd/system/webmin.service
echo "Description=Webmin" >> /usr/lib/systemd/system/webmin.service
echo "Requires=local-fs.target" >> /usr/lib/systemd/system/webmin.service
echo "After=basic.target" >> /usr/lib/systemd/system/webmin.service
echo "Conflicts=shutdown.target" >> /usr/lib/systemd/system/webmin.service
echo "" >> /usr/lib/systemd/system/webmin.service
echo "[Service]" >> /usr/lib/systemd/system/webmin.service
echo "Type=oneshot" >> /usr/lib/systemd/system/webmin.service
echo "RemainAfterExit=yes" >> /usr/lib/systemd/system/webmin.service
echo "ExecStart=/etc/webmin/start" >> /usr/lib/systemd/system/webmin.service
echo "ExecStop=/etc/webmin/stop" >> /usr/lib/systemd/system/webmin.service
echo "ExecReload=/etc/webmin/reload" >> /usr/lib/systemd/system/webmin.service
echo "" >> /usr/lib/systemd/system/webmin.service
echo "[Install]" >> /usr/lib/systemd/system/webmin.service
echo "WantedBy=multi-user.target" >> /usr/lib/systemd/system/webmin.service
chmod o+r /usr/lib/systemd/system/webmin.service
systemctl daemon-reload
sed -i -e 's/ssl=1/ssl=0/g' /etc/webmin/miniserv.conf
sed -i -e 's/ipv6=1/ipv6=0/g' /etc/webmin/miniserv.conf
echo "cookiepath=/webmin" >> /etc/webmin/miniserv.conf
echo "webprefix=/webmin" >> /etc/webmin/config
echo "webprefixnoredir=1" >> /etc/webmin/config
echo "referer=1" >> /etc/webmin/config
systemctl start webmin.service
systemctl enable webmin.service
# Ajout des lignes ci-dessous dans la configuration du vhost local /opt/httpd/conf/vhosts/$(hostname -s).conf
	# Configuration Webmin
	ProxyPass /webmin http://localhost:10000
	ProxyPassReverse /webmin http://localhost:10000
	# Fin de configuration Webmin
httpd -k graceful

Configuration Shinken

useradd shinken -U -d /home/shinken -m
passwd shinken
mkdir /home/shinken/.ssh
chmod 700 /home/shinken/.ssh
echo "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yyyyyyyyy@oneserver.mydomain.local" >> /home/shinken/.ssh/authorized_keys
echo "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yyyyyyyyy@anotherserver.mydomain.local" >> /home/shinken/.ssh/authorized_keys
chmod 600 /home/shinken/.ssh/authorized_keys
chown -R shinken:shinken /home/shinken/.ssh

Installation de Oracle Instant Client

wget https://yum.oracle.com/RPM-GPG-KEY-oracle-ol7 -O /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
echo "[ol7_latest]" >> /etc/yum.repos.d/ol7-temp.repo
echo "name=Oracle Linux \$releasever Latest ($basearch)" >> /etc/yum.repos.d/ol7-temp.repo
echo "baseurl=https://yum.oracle.com/repo/OracleLinux/OL7/latest/\$basearch/" >> /etc/yum.repos.d/ol7-temp.repo
echo "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle" >> /etc/yum.repos.d/ol7-temp.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/ol7-temp.repo
echo "enabled=1" >> /etc/yum.repos.d/ol7-temp.repo
yum install oraclelinux-release-el7
mv /etc/yum.repos.d/ol7-temp.repo /etc/yum.repos.d/ol7-temp.repo.disabled
yum install oracle-release-el7
yum install oracle-instantclient19.6
mv /etc/yum.repos.d/oracle-linux-ol7.repo{,.disabled}
mv /etc/yum.repos.d/oracle-ol7.repo{,.disabled}
mv /etc/yum.repos.d/uek-ol7.repo{,.disabled}
rm -rf /var/cache/yum/x86_64/7/ol7_*
yum clean all
yum makecache

Installation de l'extension oci8 pour PHP 7.4.7

/opt/php/php-7.4.7/bin/pecl channel-update pecl.php.net
/opt/php/php-7.4.7/bin/pecl install oci8

Installation de l'extension oci8 pour PHP 5.6.40

/opt/php/php-5.6.40/bin/pecl channel-update pecl.php.net
/opt/php/php-5.6.40/bin/pecl install oci8-2.0.12

Installation du pilote ODBC pour MSSQL

curl https://packages.microsoft.com/config/rhel/7/prod.repo > /etc/yum.repos.d/mssql-release.repo
ACCEPT_EULA=Y yum install msodbcsql17

Installation de l'extension pdo_sqlsrv pour PHP 7.4.7

/opt/php/php-7.4.7/bin/pecl install pdo_sqlsrv

Programme set_php_version

Contenu du programme /opt/php/set_php_version : 

#!/bin/bash
# Ce programme doit être sourcé pour modifier le PATH
# . set_php_version
declare -A versions
declare -A bin_dirs

get_bin_dirs() {
	i=1
	for bin_dir in $(find /opt/php -type d -name bin 2> /dev/null);
	do
		version="$($bin_dir/php -v|head -1|awk '{print $2}')"
		versions[$i]=$version
		bin_dirs[$version]=$bin_dir
		((i++))
	done
}

pathremove () {
        local IFS=':'
        local NEWPATH
        local DIR
        local PATHVARIABLE=${2:-PATH}
        for DIR in ${!PATHVARIABLE} ; do
                if [ "$DIR" != "$1" ] ; then
                  NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
                fi
        done
        export ${PATHVARIABLE}="$NEWPATH"
}

pathprepend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}
        export $PATHVARIABLE="$1${!PATHVARIABLE:+:${!PATHVARIABLE}}"
}

pathappend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}
        export $PATHVARIABLE="${!PATHVARIABLE:+${!PATHVARIABLE}:}$1"
}


if [ "$#" -eq 0 ];
then
	## Récupération des différents dossiers hébergeant les binaires PHP
	#########################
	get_bin_dirs

	## Choix de version PHP
	#########################
	echo -e "Veuillez choisir une version de PHP à utiliser :\n"
	i=1

	# On parcourt le tableau des applications
	for version in "${versions[@]}"
	do
		# On affiche une liste numérotéé des versions
		echo "$i) $version"
		((i++))
	done
	echo ""
	read -p "Choix : " version_choice
	echo ""

	if [[ $version_choice != "" ]]
	then
		# On peut choisir la version par son numéro
		if [[ $version_choice =~ ^[[:digit:]]+$ ]]
		then
			if [[ ! -z ${versions[$version_choice]} ]]
			then
				str_bindir=${bin_dirs[${versions[$version_choice]}]}
				str_version=${versions[$version_choice]}
			fi
		# Ou par la version directement
		elif [[ ! -z ${bin_dirs[$version_choice]} ]]
		then
			str_bindir=${bin_dirs[$version_choice]}
			str_version=${version_choice}
		fi
	fi
elif [ "$#" -eq 1 ];
then
	## Récupération des dossifférents dossiers hébergeant les binaires PHP
	#########################
	get_bin_dirs

	if [[ ! -z ${bin_dirs[$1]} ]]
	then
		str_bindir=${bin_dirs[$1]}
		str_version=$1
	elif [[ $1 == "reset" ]]
	then
		echo "Reset du PATH sans les binaires PHP"
		for dir in ${bin_dirs[*]}
		do
			pathremove "${dir}"
		done
		if [[ ! -z $oldPS1 ]]
		then
			PS1=$oldPS1
			unset oldPS1
		else
			PS1="[\u@\h \W]\\$ "
		fi
	fi
else
	echo "Nombre de paramètres attendus : 1"
fi

if [[ -z $str_bindir ]]
then
	if [[ $1 != "reset" ]]
	then
		echo "Choix de version invalide !"
		get_bin_dirs
		echo "Versions disponibles : "${!bin_dirs[*]}
	fi
else
	echo -e "Version de PHP : $str_version. Path : $str_bindir"
	echo -e "Pour retirer les binaires PHP du PATH, utiliser la commande « set_php_version reset »"
	for dir in ${bin_dirs[*]}
	do
		pathremove "${dir}"
	done

	pathprepend ${str_bindir}

	if [[ -z $oldPS1 ]]
	then
		oldPS1=$PS1
	fi
	export PS1="[\u@\h \W|\[\033[0;31m\]PHP ${str_version}\[\033[0m\]]\\$ "
fi

unset version versions str_bindir bin_dir bin_dirs pathremove pathprepend pathappend get_bin_dirs version_choice str_version

Changement des droits d'accès 

chmod 555 /opt/php/set_php_version

Ajout de l'alias dans le profile par défaut : 

echo "alias set_php_version='. /opt/php/set_php_version'" >> /etc/profile.d/sh.local

Installation Zabbix

Installation de l'agent

rpm -Uvh https://repo.zabbix.com/zabbix/4.4/rhel/7/x86_64/zabbix-release-4.4-1.el7.noarch.rpm
rpm -import http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591
yum install zabbix-agent
sed -i -e 's/Server=127.0.0.1/Server=myzabbixserver/g' -e 's/ServerActive=127.0.0.1/ServerActive=myzabbixserver/g' -e 's/Hostname=Zabbix server/Hostname=$(hostname -s)/g' -e 's@PidFile=/var/run/zabbix/zabbix_agentd.pid@PidFile=/run/zabbix/zabbix_agentd.pid@g' /etc/zabbix/zabbix_agentd.conf

Ajout du service dans le pare-feu

firewall-cmd --permanent --new-service=zabbixclient
firewall-cmd --permanent --service=zabbixclient --set-description="Zabbix Client Service"
firewall-cmd --permanent --service=zabbixclient --set-short=zabbixclient
firewall-cmd --permanent --service=zabbixclient --add-port=10050/tcp
firewall-cmd --reload

Installation du template PHP-FPM

Installation des prérequis : 

yum -y install grep gawk lsof jq fcgi unzip bc

Téléchargement de la dernière version : 

curl -L $(curl -s https://api.github.com/repos/rvalitov/zabbix-php-fpm/releases/latest | grep 'zipball_' | cut -d\" -f4) --output /tmp/zabbix-php-fpm.zip

Extraction des fichiers : 

unzip -j /tmp/zabbix-php-fpm.zip "*/zabbix/*" "*/ispconfig/*" -d /tmp/zabbix-php-fpm

Copie des fichiers dans la configuration Zabbix : 

cp /tmp/zabbix-php-fpm/userparameter_php_fpm.conf $(find /etc/zabbix/ -name zabbix_agentd*.d -type d | head -n1)
cp /tmp/zabbix-php-fpm/zabbix_php_fpm_discovery.sh /etc/zabbix/
cp /tmp/zabbix-php-fpm/zabbix_php_fpm_status.sh /etc/zabbix/

Ajout du droit d’exécution sur les scripts : 

chown zabbix /etc/zabbix/zabbix_agentd.d/userparameter_php_fpm.conf
chmod +x /etc/zabbix/zabbix_php_fpm_discovery.sh
chmod +x /etc/zabbix/zabbix_php_fpm_status.sh

Ajouter les droits nécessaires dans sudoers pour Zabbix : 

echo 'zabbix ALL = NOPASSWD: /etc/zabbix/zabbix_php_fpm_discovery.sh,/etc/zabbix/zabbix_php_fpm_status.sh' | EDITOR='tee -a' visudo -f /etc/sudoers.d/sudo_zabbix

Augmentation du seuil de connexion par socket sur le serveur : 

echo "net.core.somaxconn=1024" | tee -a /etc/sysctl.conf
sysctl -p

Supprimer les fichiers temporaires : 

rm /tmp/zabbix-php-fpm.zip
rm -rf /tmp/zabbix-php-fpm

Ajout de l'outil cachetool

Pour PHP 7

curl -sLO https://github.com/gordalina/cachetool/releases/latest/download/cachetool.phar
chmod o+rx cachetool.phar
mv cachetool.phar /usr/local/bin/cachetool

Pour PHP 5

curl -sLO https://gordalina.github.io/cachetool/downloads/cachetool-3.2.2.phar
chmod o+rx cachetool-3.2.2.phar
mv cachetool-3.2.2.phar /usr/local/bin/cachetool_for_PHP5
Récupérée de « https://wiki.jordan-lenuff.com/index.php?title=Technique/Systèmes_d%27exploitation/CentOS/Installer_CentOS_7/Post-installation&oldid=874 »