Changes to Fedora

Internal notes on my personal preferences for Fedora on desktop. You can use this as a guide, or not. It's your choice, really.

System Applications

For system applications that aren't packaged as Flatpaks, run the following command: sudo dnf install <package a> <package b>

Example packages I like to obtain are fish bmon etherape nethogs htop.

We then recommend enabling the community RPM Fusion repository, starting with the free packages:
sudo dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm

Followed by the non-free software:

sudo rpm -Uvh https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm

From here, you can also use the Software Store to install applications. A great tool to use is the dnf group, which when queried should return a list of available options for you to use:

[nank@fedora ~]$ dnf group list
Last metadata expiration check: 0:00:11 ago on Sat 14 Aug 2021 16:50:18.
Available Environment Groups:
   Fedora Custom Operating System
   Minimal Install
   Fedora Server Edition
   Fedora Cloud Server
   KDE Plasma Workspaces
   Xfce Desktop
   LXDE Desktop
   LXQt Desktop
   Cinnamon Desktop
   MATE Desktop
   Sugar Desktop Environment
   Deepin Desktop
   Development and Creative Workstation
   Web Server
   Infrastructure Server
   Basic Desktop
   i3 desktop
Installed Environment Groups:
   Fedora Workstation
Installed Groups:
   Container Management
   LibreOffice
Available Groups:
   3D Printing
   Administration Tools
   Audio Production
   Authoring and Publishing
   C Development Tools and Libraries
   Cloud Infrastructure
   Cloud Management Tools
   Compiz
   D Development Tools and Libraries
   Design Suite
   Development Tools
   Domain Membership
   Fedora Eclipse
   Editors
   Educational Software
   Electronic Lab
   Engineering and Scientific
   FreeIPA Server
   Games and Entertainment
   Headless Management
   MATE Applications
   Milkymist
   Network Servers
   Neuron Modelling Simulators
   Office/Productivity
   Pantheon Desktop
   Python Classroom
   Python Science
   Robotics
   RPM Development Tools
   Security Lab
   Sound and Video
   System Tools
   Text-based Internet
   Window Managers

For me, the following were of use:

  • sudo dnf group install 'System Tools'
  • sudo dnf group install 'Cloud Infrastructure'
  • sudo dnf group install 'Cloud Management Tools'
  • sudo dnf group install 'Security Lab'
  • sudo dnf group install 'Office/Productivity'

These applications will then be pushed into your standard update process for dnf.


Enabling "Flathub" Repository

The first process is to enable Flathub for Flatpak installations. From a shell, perform the following command:

flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

From here, depending on the application's requirements, you may need to add external directories to an application's filesystem access. To perform this, run:

flatpak override <package_name_here> --filesystem=<path_here>


DNF Automatic Updates

DNF supports a method (similar to apt-autoupdate) to automatically update your packages. Fedora has never let me down, so I am not concerned with allowing the system to perform patches daily. To enable this, first install the package via sudo dnf install dnf-automatic -y.

From here, edit the configuration file using sudo vi /etc/dnf/automatic.conf and change apply_updates = no to apply_updates = yes to apply updates. Lastly, start the timer with the systemctl command: sudo systemctl enable --now dnf-automatic.timer

In some cases you will still be prompted to "Install Updates" when logging back into the system; this is simply due to dnf performing a refresh prior to dnf-automatic running. You can manually run the updates if you desire, or let the process perform it on the next sync.

You can also set the "login" process for your shell to run sudo dnf update -f, but this will run each time you launch a shell; it is an inefficient but reliable method.


Changing Default Shell

There are many shells out there; I tend to use both xterm and fish for different tasks.

First, return a list of all the supported shells on your system:
cat /etc/shells

Then apply fish, the only shell to use if you're a man: chsh -s /bin/fish (and if you do not have it, sudo dnf install fish -y)!

Fish is the most verbose, streamlined, and efficient shell I have come across, and is multi-platform orientated. There are some syntax annoyances (such as set path) but for the most part, there are no issues with this shell's compatibility.


Configuring xterm

First, install xterm using: sudo dnf install xterm. From here you can edit the layout and theme in ~/.Xresources to suit your needs:

xterm*font: terminus-14
xterm*boldFont: terminus-14
xterm*loginShell: true
xterm*vt100*geometry: 80x50
xterm*saveLines: 2000
xterm*charClass: 33:48,35:48,37:48,43:48,45-47:48,64:48,95:48,126:48
xterm*termName: xterm-color
xterm*eightBitInput: false
xterm*foreground: rgb:a8/a8/a8
xterm*background: rgb:00/00/00
xterm*color0: rgb:00/00/00
xterm*color1: rgb:a8/00/00
xterm*color2: rgb:00/a8/00
xterm*color3: rgb:a8/54/00
xterm*color4: rgb:00/00/a8
xterm*color5: rgb:a8/00/a8
xterm*color6: rgb:00/a8/a8
xterm*color7: rgb:a8/a8/a8
xterm*color8: rgb:54/54/54
xterm*color9: rgb:fc/54/54
xterm*color10: rgb:54/fc/54
xterm*color11: rgb:fc/fc/54
xterm*color12: rgb:54/54/fc
xterm*color13: rgb:fc/54/fc
xterm*color14: rgb:54/fc/fc
xterm*color15: rgb:fc/fc/fc
xterm*boldMode: false
xterm*colorBDMode: true
xterm*colorBD: rgb:fc/fc/fc

Then merge the configuration into production:

xrdb -merge ~/.Xresources

Configuring Fish

To configure the shell, simply run fish_config and it will open a temporary HTML page to allow you to configure it.

  • Theme: Old School
  • Prompt: Arrow

Additionally, go into System Settings --> Keyboard and select Custom. Bind ctrl + alt + t to fish (or gnome-terminal).

Lastly, add your paths:
mkdir -p /home/$USER/.local/bin
set -Ua fish_user_paths /home/$USER/.local/bin

DNF Thread Allowance

DNF is slow (well, supposedly). You can amend it with the following:

echo "max_parallel_downloads=10" | sudo tee -a /etc/dnf/dnf.conf

Get really cheeky and add:

fastestmirror=true
deltarpm=true

This will allow faster (and concurrent) downloads and also lets packages with only minor changes be downloaded as deltas.

From here, you can also tweak yum with the same configuration changes if need be. Personally, I've no issue with the default dnf configuration and do not stress about making this change.

System Management Tools

For system management, there is an array of tools. Many of the nicer tools are GitHub projects, such as linux-dash, stacer and other third-party tools. I am yet to do satisfactory testing on Fedora 34 to recommend installing any.

Generic System Changes

To make some basic system changes, install fedy for system tweaking:

sudo dnf copr enable kwizart/fedy  
sudo dnf install fedy -y

This will then allow you to install a bunch of non-included software and drivers. The most useful functions are the SQL drivers, and other non-standard implementations for NVIDIA and AMD. This tool removes the requirements of cli-fu, but isn't a 1:1 replacement.

From here, the next step was to set up a custom hostname with:

➜  ~ hostnamectl set-hostname 'theageian'

From here, ensure your locale is correctly defined (this is done during installation):

➜  ~ localectl status
   System Locale: LANG=en_AU.UTF-8
       VC Keymap: us
      X11 Layout: au

Then, perform the same for NTP:

➜  ~ timedatectl 
               Local time: Fri 2021-08-20 22:56:21 AEST
           Universal time: Fri 2021-08-20 12:56:21 UTC
                 RTC time: Fri 2021-08-20 22:56:21
                Time zone: Australia/Brisbane (AEST, +1000)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: yes

Once done, do an upgrade and reboot to make all changes:

sudo dnf upgrade --refresh
sudo dnf check
sudo dnf autoremove
sudo fwupdmgr get-devices
sudo fwupdmgr refresh --force
sudo fwupdmgr get-updates
sudo fwupdmgr update
sudo reboot now

Mounting File Systems

To mount a file system you could use the mount or fstab method, but I recommend doing it all the very hard way (and by that, I mean the easy way).

First, pop open GParted and wipe the drives (unless they have data). From here, you can find their IDs using fdisk -l and blkid and add them to your fstab. An example outcome of fdisk -l tells me on my 3TB HDD:

Disk /dev/sdb: 3.64 TiB, 4000787030016 bytes, 7814037168 sectors
Disk model: TOSHIBA MD03ACA4
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 1C0D7575-EEC9-4134-B061-9FD0BAA46F89

Device     Start        End    Sectors  Size Type
/dev/sdb1   2048 7814035455 7814033408  3.6T Microsoft basic data

Now that it's deleted, we can safely mount that clean, free drive. We can now go about and auto-mount them as needed.

For example, we can create a mount point for Steam as follows:

  1. Create an EXT4 partition via GParted
  2. Get the UUID of the drive via sudo blkid
  3. Create a new directory with sudo mkdir /media/SteamGames
  4. Take ownership of the drive with sudo chown nank:nank SteamGames/
  5. Give modification access with sudo chmod 700 SteamGames/

From here, create the mount point in your fstab as a normal user:

# This is for my steam games: 
UUID=88b19ca5-4a83-4281-8b87-690c0033791f       /media/SteamGames       ext4    rw,users,exec,auto      0       0

From here, re-mount and perform steps 3 and 4 again.
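
In the fstab line above, users implies noexec, nosuid and nodev unless a later option on the same line overrides it, which is why exec comes after it. The following added example (not part of the original notes) resolves the effective exec/suid/dev flags per entry; effective_flags, audit_fstab and sample_fstab are hypothetical names, and the two extra fstab lines with zeroed UUIDs are constructed.

```sh
#!/bin/sh
# Added example: resolve the effective exec/suid/dev flags of fstab entries.
# Per mount(8), user/users imply noexec,nosuid,nodev and owner/group imply
# nosuid,nodev, unless a LATER option on the same line overrides them.

effective_flags() {   # $1 = comma-separated option field
    exec_f=exec; suid_f=suid; dev_f=dev          # same as "defaults"
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        case $opt in
            defaults)    exec_f=exec;   suid_f=suid;   dev_f=dev ;;
            user|users)  exec_f=noexec; suid_f=nosuid; dev_f=nodev ;;
            owner|group) suid_f=nosuid; dev_f=nodev ;;
            exec|noexec) exec_f=$opt ;;
            suid|nosuid) suid_f=$opt ;;
            dev|nodev)   dev_f=$opt ;;
        esac
    done
    IFS=$old_ifs
    echo "$exec_f,$suid_f,$dev_f"
}

audit_fstab() {       # fstab text on stdin -> "<mount point> <flags>" per entry
    while read -r spec mnt fstype opts _rest; do
        case $spec in ''|'#'*) continue ;; esac   # skip blanks and comments
        echo "$mnt $(effective_flags "$opts")"
    done
}

# Constructed sample: the SteamGames entry from these notes plus two variants.
sample_fstab() {
    cat <<'EOF'
# This is for my steam games:
UUID=88b19ca5-4a83-4281-8b87-690c0033791f  /media/SteamGames  ext4  rw,users,exec,auto  0 0
UUID=00000000-0000-0000-0000-000000000001  /media/Reordered   ext4  rw,exec,users,auto  0 0
UUID=00000000-0000-0000-0000-000000000002  /media/Defaults    ext4  defaults            0 0
EOF
}

sample_fstab | audit_fstab
```

The SteamGames entry resolves to exec,nosuid,nodev, while the reordered variant stays noexec, so binaries on it would not start. Running audit_fstab < /etc/fstab checks the real file.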

Creating System Backups

Testing the use of TimeShift for full backups to a local destination. This -- of course -- can be extended when you mount a local NAS as your repository. There is no need to go through the setup steps; just remember to configure this application on a fresh install.

Security Audits

Many tools rely on you using more /var/log/audit/audit.log | grep for syntax - but the better tool is Lynis. My preferred method of installation is:

1) Change to the location you want to install it to: cd /usr/local
2) Clone the latest repository for Lynis: git clone https://github.com/CISOfy/lynis
3) Change to the location: cd lynis

To perform an audit, run lynis audit system (it is recommended to add the full path to your bashrc). It is recommended to do audits both as a user and root; some tests require this access; sudo will handle this natively.

Example outputs of a system audit are:

        - thermald.service:                                   [ UNSAFE ]
        - udisks2.service:                                    [ UNSAFE ]
        - upower.service:                                     [ PROTECTED ]
        - uresourced.service:                                 [ EXPOSED ]
        - user@1000.service:                                  [ UNSAFE ]
        - vboxservice.service:                                [ UNSAFE ]
        - vgauthd.service:                                    [ UNSAFE ]
        - virtlockd.service:                                  [ UNSAFE ]
        - virtlogd.service:                                   [ UNSAFE ]
        - vmtoolsd.service:                                   [ UNSAFE ]
        - wpa_supplicant.service:                             [ UNSAFE ]

A nice trick is to yum install python-ansi2html to allow you to export the reports from text to HTML: lynis audit system | ansi2html -la > report.html
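
To turn the per-service listing above into a review queue, the following added example (not part of the original notes or of Lynis) extracts the labels from a report on stdin, tolerating ANSI escape sequences in raw output, and lists UNSAFE units before EXPOSED ones. It assumes the line layout shown above; the function names are hypothetical and the sample report is constructed from unit names in that listing.

```sh
#!/bin/sh
# Added example: triage the per-service lines of a Lynis report.

# Print "LABEL unit" for every "- <unit>.service: [ LABEL ]" line on stdin.
# Escape sequences are replaced with a space so colour or cursor codes
# cannot glue neighbouring fields together.
unit_labels() {
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;]*[A-Za-z]/ /g" |
    awk '$1 == "-" && $2 ~ /\.service:$/ && $NF == "]" {
             unit = $2; sub(/:$/, "", unit)
             print $(NF - 1), unit
         }'
}

# Units to look at first: UNSAFE before EXPOSED, alphabetical within each.
needs_review() {
    unit_labels | awk '$1 == "UNSAFE" || $1 == "EXPOSED"' |
    LC_ALL=C sort -k1,1r -k2,2
}

# Constructed sample: two lines carry escape codes, three are plain text.
sample_report() {
    printf '\033[8C- thermald.service:\033[35C[ \033[1;31mUNSAFE\033[0m ]\n'
    printf '        - upower.service:                    [ PROTECTED ]\n'
    printf '        - uresourced.service:                [ EXPOSED ]\n'
    printf '        - user@1000.service:                 [ UNSAFE ]\n'
    printf '\033[8C- wpa_supplicant.service:\033[29C[ \033[1;31mUNSAFE\033[0m ]\n'
}

sample_report | needs_review
```

With the functions sourced, lynis audit system | needs_review produces the same list for a real run, and each listed unit can then be inspected with systemd-analyze security <unit>.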

In conjunction with system audits, AVs (like ClamAV) and other tools should be introduced; SELinux is the last resort (due to complexities).

ClamAV

First, download the latest version from the website. The first process is to update the database via sudo freshclam

Then to perform a scan, run clamscan -r --bell -i /home/nank. This can be done via a cron job for automated scanning on the system as well.

Firewall Policies

Fedora currently ships with firewalld as its solution. The first thing to do is ensure that it is running, with the following command:

sudo firewall-cmd --state

This should return running as the status. To configure firewalld, run firewall-config and launch the GUI. The most important changes are denying 22 inbound, and setting up Deny Logging to be All for reporting.

SysLog Policies

This section is being researched. There are many GitHub pages utilizing the inbuilt tools for verbose error handling, so there isn't a need to look into this much on an endpoint.

SELinux Policies

SELinux is enabled by default on Fedora 34. You can view the status of the configuration:

➜  ~ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

There are Fedora documents outlining the best configurations for your use case; they should be looked at on a case-by-case basis.

System Backups

All system configuration should be backed up to a git repository, or a NAS onsite.

Appearance and Behavior Preference

Because I have an NVIDIA card, it is recommended I run:

modinfo -F version nvidia
sudo dnf update -y # and reboot if you are not on the latest kernel
sudo dnf install -y akmod-nvidia # rhel/centos users can use kmod-nvidia instead
sudo dnf install -y xorg-x11-drv-nvidia-cuda #optional for cuda/nvdec/nvenc support
sudo dnf install -y xorg-x11-drv-nvidia-cuda-libs
sudo dnf install -y vdpauinfo libva-vdpau-driver libva-utils
sudo dnf install -y vulkan
modinfo -F version nvidia

This will install newer drivers and their required dependencies.