Internal notes on my personal preferences for Fedora on desktop. You can use this as a guide, or not. It's your choice, really.
System Applications
For system applications that aren't packaged as Flatpaks, run the following command:
sudo dnf install <package a> <package b>
Example packages I like to obtain are fish bmon etherape nethogs htop.
We then recommend enabling the community distribution:
sudo dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm
Followed by Non-Free software:
sudo rpm -Uvh https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm
From here, you can also use the Software Store to install applications. A great tool to use is dnf group, which when queried should return a list of available options for you to use:
[nank@fedora ~]$ dnf group list
Last metadata expiration check: 0:00:11 ago on Sat 14 Aug 2021 16:50:18.
Available Environment Groups:
Fedora Custom Operating System
Minimal Install
Fedora Server Edition
Fedora Cloud Server
KDE Plasma Workspaces
Xfce Desktop
LXDE Desktop
LXQt Desktop
Cinnamon Desktop
MATE Desktop
Sugar Desktop Environment
Deepin Desktop
Development and Creative Workstation
Web Server
Infrastructure Server
Basic Desktop
i3 desktop
Installed Environment Groups:
Fedora Workstation
Installed Groups:
Container Management
LibreOffice
Available Groups:
3D Printing
Administration Tools
Audio Production
Authoring and Publishing
C Development Tools and Libraries
Cloud Infrastructure
Cloud Management Tools
Compiz
D Development Tools and Libraries
Design Suite
Development Tools
Domain Membership
Fedora Eclipse
Editors
Educational Software
Electronic Lab
Engineering and Scientific
FreeIPA Server
Games and Entertainment
Headless Management
MATE Applications
Milkymist
Network Servers
Neuron Modelling Simulators
Office/Productivity
Pantheon Desktop
Python Classroom
Python Science
Robotics
RPM Development Tools
Security Lab
Sound and Video
System Tools
Text-based Internet
Window Managers
For me, the following were of use:
sudo dnf group install 'System Tools'
sudo dnf group install 'Cloud Infrastructure'
sudo dnf group install 'Cloud Management Tools'
sudo dnf group install 'Security Lab'
sudo dnf group install 'Office/Productivity'
These applications will then be pushed into your standard update process for dnf.
Enabling "Flathub" Repository
The first process is to enable Flathub for Flatpak installations. From a shell, perform the following command:
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
From here, depending on the application requirement, you may need to add external directories to your application's access. To perform this, run:
flatpak override <package_name_here> --filesystem=<path_here>
DNF Automatic Updates
DNF supports a method (similar to apt-autoupdate) to automatically update your packages. Fedora has never let me down, so I am not concerned with allowing the system to perform patches daily. To enable this, firstly, you must install the module via sudo dnf install dnf-automatic -y.
From here, edit the configuration file using sudo vi /etc/dnf/automatic.conf and change apply_updates = no to be apply_updates = yes to apply updates. Lastly, begin the service with the systemctl command:
systemctl enable --now dnf-automatic.timer
In some cases you will still be prompted to "Install Updates" when logging back into the system; this is simply due to dnf performing a refresh prior to dnf-automatic running. You can manually run the updates if you desire, or let the process perform it on the next sync.
You can also set the "login" process for your shell to run sudo dnf update -f, but this will run each time you launch a shell; an inefficient but reliable method.
Changing Default Shell
There are many shells out there; I tend to use both xterm and fish for different tasks.
First, return a list of all the supported shells on your system:
cat /etc/shells
Then, apply fish, the only shell to use if you're a man:
chsh -s /bin/fish
(and if you do not have it, sudo dnf install fish -y)!
Fish is the most verbose, streamlined, and efficient shell I have come across, and is multi-platform orientated. There are some annoyances between syntax (such as set path), but for the most part there are no issues with this shell's compatibility.
Configuring xterm
First, install xterm using:
sudo dnf install xterm
From here you can edit the layout and theme to suit your needs in ~/.Xresources:
xterm*font: terminus-14
xterm*boldFont: terminus-14
xterm*loginShell: true
xterm*vt100*geometry: 80x50
xterm*saveLines: 2000
xterm*charClass: 33:48,35:48,37:48,43:48,45-47:48,64:48,95:48,126:48
xterm*termName: xterm-color
xterm*eightBitInput: false
xterm*foreground: rgb:a8/a8/a8
xterm*background: rgb:00/00/00
xterm*color0: rgb:00/00/00
xterm*color1: rgb:a8/00/00
xterm*color2: rgb:00/a8/00
xterm*color3: rgb:a8/54/00
xterm*color4: rgb:00/00/a8
xterm*color5: rgb:a8/00/a8
xterm*color6: rgb:00/a8/a8
xterm*color7: rgb:a8/a8/a8
xterm*color8: rgb:54/54/54
xterm*color9: rgb:fc/54/54
xterm*color10: rgb:54/fc/54
xterm*color11: rgb:fc/fc/54
xterm*color12: rgb:54/54/fc
xterm*color13: rgb:fc/54/fc
xterm*color14: rgb:54/fc/fc
xterm*color15: rgb:fc/fc/fc
xterm*boldMode: false
xterm*colorBDMode: true
xterm*colorBD: rgb:fc/fc/fc
Then merge the configuration into production:
xrdb -merge ~/.Xresources
Configuring Fish
To configure the shell, simply run fish_config and it will open a temporary HTML file to allow you to configure it.
- Theme: Old School
- Prompt: Arrow
Additionally, go into System Settings --> Keyboard and select Custom. Bind ctrl + alt + t to fish (or gnome-terminal).
Lastly, add your paths:
mkdir -p /home/$USER/.local/bin
set -Ua fish_user_paths /home/$USER/.local/bin
DNF Thread Allowance
DNF is slow (well, supposedly). You can amend it with the following:
echo "max_parallel_downloads=10" | sudo tee -a /etc/dnf/dnf.conf
Get really cheeky and add:
fastestmirror=true
deltarpm=true
This will allow faster (and concurrent) downloads and also let packages with only minor changes be downloaded as deltas.
From here, you can also tweak yum with the same configuration changes if need be. Personally, I've no issue with the default dnf configuration and do not stress about making this change.
System Management Tools
For system management, there is an array of tools. Many of the nicer tools are GitHub projects, such as linux-dash, stacer and other third-party tools. I am yet to do satisfactory testing on Fedora 34 to recommend installing any.
Generic System Changes
To make some basic system changes, install fedy for system tweaking:
sudo dnf copr enable kwizart/fedy
sudo dnf install fedy -y
This will then allow you to install a bunch of non-included software and drivers. The most useful functions are the SQL drivers, and other non-standard implementations for NVIDIA and AMD. This tool removes the requirements of cli-fu, but isn't a 1:1 replacement.
From here, the next step was to set up a custom hostname with:
➜ ~ hostnamectl set-hostname 'theageian'
From here, ensure your locale is correctly defined (this is done during installation):
➜ ~ localectl status
System Locale: LANG=en_AU.UTF-8
VC Keymap: us
X11 Layout: au
Then, perform the same for NTP:
➜ ~ timedatectl
Local time: Fri 2021-08-20 22:56:21 AEST
Universal time: Fri 2021-08-20 12:56:21 UTC
RTC time: Fri 2021-08-20 22:56:21
Time zone: Australia/Brisbane (AEST, +1000)
System clock synchronized: yes
NTP service: active
RTC in local TZ: yes
Once done, do an upgrade and reboot to make all changes:
sudo dnf upgrade --refresh
sudo dnf check
sudo dnf autoremove
sudo fwupdmgr get-devices
sudo fwupdmgr refresh --force
sudo fwupdmgr get-updates
sudo fwupdmgr update
sudo reboot now
Mounting File Systems
To mount a file system you could use the mount or fstab method, but I recommend doing it all the very hard way (and by that, I mean the easy way).
First, pop open gparted and wipe them (unless they have data). From here, you can find their IDs and add them to your fstab using fdisk -l and blkid. An example outcome of fdisk -l tells me on my 3TB HDD:
Disk /dev/sdb: 3.64 TiB, 4000787030016 bytes, 7814037168 sectors
Disk model: TOSHIBA MD03ACA4
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 1C0D7575-EEC9-4134-B061-9FD0BAA46F89
Device Start End Sectors Size Type
/dev/sdb1 2048 7814035455 7814033408 3.6T Microsoft basic data
Now that it's deleted, we can safely mount that clean, free drive. We can now go about and auto-mount them as needed.
For example, we can create a mount point for Steam as follows:
- Create an EXT4 partition via GParted
- Get the UUID of the drive via sudo blkid
- Create a new directory with sudo mkdir /media/SteamGames
- Take ownership of the drive with sudo chown nank:nank /media/SteamGames/
- Give modification access with sudo chmod 700 /media/SteamGames/
From here, create the mount point in your fstab as a normal user:
# This is for my steam games:
UUID=88b19ca5-4a83-4281-8b87-690c0033791f /media/SteamGames ext4 rw,users,exec,auto 0 0
From here, re-mount and perform steps 3 and 4 again.
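The options field in that entry is order-sensitive: per mount(8), users implies noexec,nosuid,nodev unless a later option overrides it, so rw,users,exec,auto re-enables only exec. The following is an added example, not part of the original notes, that computes the effective state for user-mountable entries; the second and third sample entries and the function names are constructed for illustration.

```sh
# Added example: effective exec/suid/dev state of an fstab options field,
# applying the mount(8) rule that later options override implied ones.
effective_flags() {   # $1 = options field, e.g. rw,users,exec,auto
  exec_ok=yes; suid_ok=yes; dev_ok=yes; user_mount=no
  old_ifs=$IFS; IFS=,; set -f
  for opt in $1; do
    case $opt in
      user|users)  user_mount=yes; exec_ok=no; suid_ok=no; dev_ok=no ;;
      owner|group) user_mount=yes; suid_ok=no; dev_ok=no ;;
      exec) exec_ok=yes ;;  noexec) exec_ok=no ;;
      suid) suid_ok=yes ;;  nosuid) suid_ok=no ;;
      dev)  dev_ok=yes ;;   nodev)  dev_ok=no ;;
    esac                    # every other option is left alone here
  done
  IFS=$old_ifs; set +f
  echo "user_mount=$user_mount exec=$exec_ok suid=$suid_ok dev=$dev_ok"
}

# Read fstab text on stdin; report only entries an ordinary user may mount.
# REVIEW = such an entry still honours setuid bits or device nodes.
audit_fstab() {
  while read -r spec mnt fstype opts rest; do
    case $spec in ''|'#'*) continue ;; esac
    flags=$(effective_flags "$opts")
    case $flags in
      user_mount=yes*suid=yes*|user_mount=yes*dev=yes*) echo "REVIEW $mnt $flags" ;;
      user_mount=yes*) echo "OK $mnt $flags" ;;
    esac
  done
}

# First entry is the one from the notes; the other two are constructed.
sample_fstab() {
  cat <<'EOF'
# This is for my steam games:
UUID=88b19ca5-4a83-4281-8b87-690c0033791f /media/SteamGames ext4 rw,users,exec,auto 0 0
UUID=00000000-0000-0000-0000-000000000001 /media/Scratch ext4 rw,users,exec,suid 0 0
UUID=00000000-0000-0000-0000-000000000002 /srv/data ext4 defaults 0 2
EOF
}

sample_fstab | audit_fstab
```

On a real system, feed it the live table with audit_fstab < /etc/fstab.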
Creating System Backups
Testing the use of TimeShift for full backups to a local destination. This -- of course -- can be extended when you mount a local NAS as your repository. There is no need to go through the setup steps; just remember to configure this application on a fresh install.
Security Audits
Many tools rely on you using more /var/log/audit/audit.log | grep for syntax - but the better tool is Lynis. My preferred method of installation is:
1) Change to the location you want to install it to: cd /usr/local
2) Clone the latest repository for Lynis: git clone https://github.com/CISOfy/lynis
3) Change to the location: cd lynis
To perform an audit, run lynis audit system (it is recommended to add the full path to your bashrc). It is recommended to do audits both as a user and root, as some tests require this access; sudo will handle this natively.
Example outputs of a system audit are:
- thermald.service: [ UNSAFE ]
- udisks2.service: [ UNSAFE ]
- upower.service: [ PROTECTED ]
- uresourced.service: [ EXPOSED ]
- user@1000.service: [ UNSAFE ]
- vboxservice.service: [ UNSAFE ]
- vgauthd.service: [ UNSAFE ]
- virtlockd.service: [ UNSAFE ]
- virtlogd.service: [ UNSAFE ]
- vmtoolsd.service: [ UNSAFE ]
- wpa_supplicant.service: [ UNSAFE ]
A nice trick is to yum install python-ansi2html to allow you to export the reports from text to HTML:
lynis audit system | ansi2html -la > report.html
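To triage the service ratings shown above from a saved run rather than scrolling through them, the following added example (not part of the original notes) strips terminal escape sequences and groups units by rating. The sample lines are constructed in the shape of the output above, and the function names are assumptions.

```sh
# Added example: summarise the per-service ratings from saved Lynis output.
ESC=$(printf '\033')

# Constructed sample; one line carries colour codes as a terminal capture would.
sample_report() {
  printf '%s\n' \
    '    - thermald.service: [ UNSAFE ]' \
    '    - upower.service: [ PROTECTED ]' \
    '    - uresourced.service: [ EXPOSED ]' \
    "    - wpa_supplicant.service: [ ${ESC}[1;31mUNSAFE${ESC}[0m ]" \
    '  (constructed line that is not a service rating)'
}

# Emit "RATING unit" for each service line, escape sequences removed first.
service_ratings() {
  sed -E "s/${ESC}\[[0-9;]*[A-Za-z]//g" |
    sed -nE 's/^[[:space:]]*-[[:space:]]+([^[:space:]]+\.service):[[:space:]]*\[[[:space:]]*([A-Z]+)[[:space:]]*\].*$/\2 \1/p'
}

# Units carrying one rating, sorted: units_rated UNSAFE < lynis-output.txt
units_rated() {
  service_ratings | awk -v want="$1" '$1 == want { print $2 }' | sort
}

# Number of services per rating, largest group first.
rating_summary() {
  service_ratings | awk '{ n[$1]++ } END { for (r in n) print n[r], r }' |
    sort -k1,1nr -k2,2
}

sample_report | rating_summary
sample_report | units_rated UNSAFE
```

For any unit it lists, systemd-analyze security <unit> shows which sandboxing settings the rating is based on.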
In conjunction with system audits, AVs (like ClamAV) and other tools should be introduced; SELinux is the last resort (due to complexities).
ClamAV
First, download the latest version from the website. The first process is to update the database via sudo freshclam. Then, to perform a scan, run clamscan -r --bell -i /home/nank. This can be done via a cron job for automated scanning on the system as well.
Firewall Policies
Fedora currently ships with firewalld as their solution. The first thing to do is ensure that it is running, with the following command:
sudo firewall-cmd --state
This should return running as the status. To configure firewalld, run firewall-config and launch the GUI. The most important changes are denying 22 inbound, and setting up Deny Logging to be All for reporting.
SysLog Policies
This section is being researched. There are many GitHub pages utilizing the inbuilt tools for verbose error handling, so there isn't a need to look into this much on an endpoint.
SELinux Policies
SELinux is enabled by default on Fedora 34. You can view the status of the configuration:
➜ ~ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
There are Fedora documents outlining the best configurations for your use case, and they should be looked at on a case-by-case basis.
System Backups
All system configuration should be backed up to a git repository, or a NAS onsite.
Appearance and Behavior Preference
Because I have an NVIDIA card, it is recommended I run:
modinfo -F version nvidia
sudo dnf update -y # and reboot if you are not on the latest kernel
sudo dnf install -y akmod-nvidia # rhel/centos users can use kmod-nvidia instead
sudo dnf install -y xorg-x11-drv-nvidia-cuda #optional for cuda/nvdec/nvenc support
sudo dnf install -y xorg-x11-drv-nvidia-cuda-libs
sudo dnf install -y vdpauinfo libva-vdpau-driver libva-utils
sudo dnf install -y vulkan
modinfo -F version nvidia
This will install newer drivers and their required dependencies.