rhce mike conigliaro s wiki

Upload: deadeyes666

Post on 10-Apr-2018


  • 8/8/2019 Rhce Mike Conigliaro s Wiki


This document attempts to provide answers to all study points on the RHCE and RHCT Exam Preparation Guide [http://www.redhat.com/certification/rhce/prep_guide/] in a single-page (and thus, printable) format. This is not a braindump or an attempt to cheat the RH302 [https://www.redhat.com/courses/rh302_rhce_exam/] exam in any way. These are just my self-study notes. Use them at your own risk.

Note: Study points last updated on 2009-08-11. This list may become out of date without notice (especially after I pass the test).

install guest additions:
    yum install gcc kernel-devel
    sh /media/VBOXADDITIONS*/VBoxLinuxAdditions-x86.run
    reboot

Candidates should possess the following skills, as they may be necessary in order to fulfill requirements of the RHCT and RHCE exams:

use standard command line tools (e.g., ls, cp, mv, rm, tail, cat, etc.) to create, remove, view, and investigate files and directories

use grep, sed, and awk to process text streams and files

use a terminal-based text editor, such as vim or nano, to modify text files

use input/output redirection
    operator   description
    >          redirect STDOUT to a file
    2>         redirect STDERR to a file
    &>         redirect all output to a file
    2>&1       redirect all output to a pipe
  use to append instead of overwrite

understand basic principles of TCP/IP networking, including IP addresses, netmasks, and gateways for IPv4 and IPv6

use su to switch user accounts
    su -

use passwd to set passwords
    passwd
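The redirection table is easiest to trust once you have watched where each line actually lands, in particular why "2>&1 >file" does not do what ">file 2>&1" does. The following is an added example and not part of the original notes: a stand-in command emit writes one line to STDOUT and one to STDERR, and each recipe is a small function that sends the result into a temporary file. The function names (emit, capture, stdout_only and so on) are mine; the operators are the ones from the table.

```shell
# Added example (not from the original wiki): demonstrate the redirection
# operators from the table, including why "2>&1 >file" is not the same as
# ">file 2>&1". Only temporary files are touched.

# Stand-in command: one line on STDOUT, one on STDERR.
emit() {
    echo "normal output"
    echo "error output" >&2
}

# Each recipe writes into the file named by $1.
stdout_only()  { emit >"$1"; }        # >    : only STDOUT lands in the file
stderr_only()  { emit 2>"$1"; }       # 2>   : only STDERR lands in the file
both_ordered() { emit >"$1" 2>&1; }   # >file 2>&1 : STDOUT to file, then STDERR to where STDOUT now points (the file)
wrong_order()  { emit 2>&1 >"$1"; }   # 2>&1 >file : STDERR copied to the *current* STDOUT first, so it never reaches the file
append_twice() { emit >"$1"; emit >>"$1"; }   # >> appends instead of truncating

# Run a recipe with every stream it does not redirect thrown away, then
# print what ended up in the file.
capture() {
    tmp=$(mktemp)
    "$1" "$tmp" >/dev/null 2>&1
    cat "$tmp"
    rm -f "$tmp"
}

# Stand-alone demo: show the file contents produced by each recipe.
for recipe in stdout_only stderr_only both_ordered wrong_order append_twice; do
    printf '%s:\n' "$recipe"
    capture "$recipe" | sed 's/^/    /'
done
```

The wrong_order recipe is the classic mistake: redirections are applied left to right, so "2>&1" duplicates STDERR onto whatever STDOUT is at that moment (the terminal), and only afterwards is STDOUT moved to the file. bash's "&>file" is shorthand for ">file 2>&1"; it is not used in the block so that the example also runs under plain sh.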

rhce [Mike Conigliaro's Wiki] http://conigliaro.org/wiki/rhce (page 1 of 26, printed 10/16/09)


use tar, gzip, and bzip2
    # compress (tar/gzip)
    tar cvzf .tgz
    # extract (tar/gzip)
    tar xvzf .tgz
    # compress (tar/bzip)
    tar cvjf .tbz
    # extract (tar/bzip)
    tar xvjf .tbz

configure an email client on Red Hat Enterprise Linux
    echo "message" | mail -s "subject"
    mail -s "subject" <

use text and/or graphical browser to access HTTP/HTTPS URLs
    elinks
    lynx

use lftp to access FTP URLs

Troubleshooting and System Maintenance

RHCTs should be able to:

boot systems into different runlevels for troubleshooting and system maintenance
  append the desired runlevel to grub's kernel line:
    1-5        runs appropriate rc and init scripts
    single     only runs rc.sysinit
    emergency  skips all rc and init scripts

diagnose and correct misconfigured networking
  1. check /etc/sysconfig/network
  2. check /etc/sysconfig/network-scripts/ifcfg-<interface>
  3. service network restart
  4. chkconfig network on
  5. ifconfig
  6. ping <localhost ip>
  7. netstat -r
  8. ping <default gateway>


  9. ping 4.2.2.2
  redhat network config tool:
    system-config-network

diagnose and correct hostname resolution problems
  1. check /etc/nsswitch.conf
  2. check /etc/resolv.conf
  3. check /etc/hosts
  4. dig @<dns server> google.com
  redhat network config tool:
    system-config-network

configure the X Window System and a desktop environment
  install x:
    yum groupinstall "x window system"
  init respawns /etc/X11/prefdm -nodaemon to keep x running in runlevel 5
  startx to start manually
  xfs is supposedly required for x windows (even though i can run x fine without it):
    service xfs start
    chkconfig xfs on
  x environment config:
    /etc/sysconfig/desktop
    /etc/X11/xinit/xinitrc
    /etc/X11/xinit/Xclients
    ~/.xinitrc
    ~/.Xclients
  redhat display config tool:
    system-config-display [--reconfig]
  install gnome desktop:
    yum groupinstall "gnome desktop environment"
  switchdesk allows you to change your desktop environment:
    yum install switchdesk
    switchdesk
  if switchdesk is not available, edit /etc/sysconfig/desktop:
    DISPLAYMANAGER=
    DESKTOP=


add new partitions, filesystems, and swap to existing systems
  partitions
    manage partitions:
      fdisk
      partprobe
  filesystems
    make filesystems:
      mkfs.
    label filesystems:
      e2label
      blkid
    manage filesystem settings:
      tune2fs
      dumpe2fs
  swap
    note that it's possible to create a swap file instead of a partition:
      dd if=/dev/zero of= bs=1024 count=
    format the file/partition:
      mkswap
      nano -w /etc/fstab
      swapon -va
      cat /proc/swaps

use standard command-line tools to analyze problems and configure system
  check for full filesystems, quotas

Installation and Configuration

RHCTs must be able to:

perform network OS installation
  at boot prompt:
    linux askmethod

implement a custom partitioning scheme

configure printing


  printing support is provided by cups:
    service cups start
    chkconfig cups on
  redhat printer config tool:
    system-config-printer
  web config tool:
    http://localhost:631
  printing via command line:
    # print
    lpr
    # view print queue
    lpq
    # remove print job
    lprm

configure the scheduling of tasks using cron and at
  cron
    make sure vixie cron is installed and running:
      yum install vixie-cron
      service crond start
      chkconfig crond on
    1. if /etc/cron.allow exists, only these users are allowed (/etc/cron.deny is ignored)
    2. if /etc/cron.allow does not exist, everyone allowed except users in /etc/cron.deny
    3. if neither exists, only root allowed
    4. empty /etc/cron.deny means all users allowed (default)
    edit your cron jobs:
      crontab -e
    crontab format: /etc/crontab has additional user field before command.
  at/batch
    make sure at is installed and running:
      yum install at
      service atd start
      chkconfig atd on
    1. if /etc/at.allow exists, only these users are allowed (/etc/at.deny is ignored)
    2. if /etc/at.allow does not exist, everyone allowed except users in /etc/at.deny
    3. if neither exists, only root allowed


    4. empty /etc/at.deny means all users allowed (default)
    # add jobs
    at now + 1 hour
    at>
    at 09:00 2009-07-23
    at>
    batch
    at>
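The four allow/deny rules are the same for cron and for at, and they are easy to get backwards under exam pressure (an allow file silences the deny file; an empty deny file opens the door to everyone). The following is an added example, not from the original notes: a function is_allowed that encodes the rules exactly as stated above, with the two file names as parameters so the same function serves cron.allow/cron.deny and at.allow/at.deny, and a demo that walks through the four situations in a temporary directory rather than /etc. Names and sample users are mine.

```shell
# Added example (not from the original wiki): the cron.allow/cron.deny rules
# listed above as a function. at.allow/at.deny follow the same rules, so the
# two file names are parameters; the demo uses a temp dir, not /etc.

# is_allowed USER ALLOW_FILE DENY_FILE -> prints yes|no
is_allowed() {
    local user=$1 allow=$2 deny=$3
    if [ -f "$allow" ]; then
        # rule 1: allow file exists -> only listed users; the deny file is ignored
        if grep -qxF -- "$user" "$allow"; then echo yes; else echo no; fi
        return 0
    fi
    if [ -f "$deny" ]; then
        # rule 2: no allow file -> everyone except listed users
        # rule 4: an empty deny file lists nobody, so everyone is allowed
        if grep -qxF -- "$user" "$deny"; then echo no; else echo yes; fi
        return 0
    fi
    # rule 3: neither file -> only root
    if [ "$user" = root ]; then echo yes; else echo no; fi
}

# Stand-alone demo: walk through the four situations with constructed files.
demo() {
    local d allow deny u
    d=$(mktemp -d); allow=$d/cron.allow; deny=$d/cron.deny
    printf 'alice\n' >"$allow"; printf 'bob\n' >"$deny"
    echo "allow and deny present (deny ignored):"
    for u in alice bob carol; do echo "  $u: $(is_allowed "$u" "$allow" "$deny")"; done
    rm "$allow"
    echo "deny only:"
    for u in alice bob carol; do echo "  $u: $(is_allowed "$u" "$allow" "$deny")"; done
    : >"$deny"
    echo "empty deny only (the shipped default):"
    for u in alice bob carol; do echo "  $u: $(is_allowed "$u" "$allow" "$deny")"; done
    rm "$deny"
    echo "neither file:"
    for u in root carol; do echo "  $u: $(is_allowed "$u" "$allow" "$deny")"; done
    rm -rf "$d"
}
demo
```

The practical check this gives you: after editing either file, run the function for a user you expect to be blocked, because the presence of an allow file changes what the deny file means.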

    # list jobs
    atq

    # remove jobs
    atrm

attach system to a network directory service, such as NIS or LDAP
  redhat config tools:
    system-config-authentication

    authconfig-tui
  required packages for nis:
    yum install ypbind portmap
  required packages for ldap:
    yum install nss-ldap openldap

configure autofs
  make sure the autofs service is running:
    service autofs start
    chkconfig autofs on
  ensure the following line in /etc/nsswitch.conf:
    automount: files nis
  define an autofs-controlled mount point called test by adding the following to /etc/auto.master:
    /test /etc/auto.test
  create /etc/auto.test:
    blah  example.com:/pub/something
    *     example:/home/&
  which gives:
    local        remote
    /test/blah   example.com:/pub/something
    /test/user   example:/home/user (this method can be used to automount home directories)
  test automounting:
    ls /test/blah


    ls /test/user
    # redhat defaults
    ls /net/
    ls /misc/cd

add and manage users, groups, quotas, and File Access Control Lists
  redhat user/group config tool:
    system-config-users
  users
    /etc/passwd file format:
      username:password:uid:gid:gecos:homedir:shell
    /etc/shadow file format:
      username:password:lastpwchange:minpwchange:maxpwage:pwchangewarn:inactive:expire
    command line user management:
      useradd usermod chage userdel pwck
    default account expiration settings in /etc/login.defs
  groups
    /etc/group file format:
      groupname:password:gid:members
    command line group management:
      groups groupadd groupmod groupdel grpck
  quotas
    install quota package
      yum install quota
    add fs options to /etc/fstab:
      usrquota,grpquota
    remount device
      mount -o remount


    init quota database:
      quotacheck -cugm
    enable/disable quotas
      quotaon
      quotaoff
    edit quotas
      edquota -u
      edquota -g
    edit grace time
      edquota -ut
      edquota -gt
    check/report quotas
      quota

      repquota -aug
  Access Control Lists
    install acl package
      yum install acl
    add fs options to /etc/fstab:
      acl
    remount device:
      mount -o remount
    manage acls:
      # set acls
      setfacl -m [d:]u::
      setfacl -m [d:]g::
      # get acls
      getfacl
      # remove acls
      setfacl -x u:
      setfacl -x g:
      setfacl --remove-all
      setfacl --remove-default

configure filesystem permissions for collaboration
  1. create new group
  2. add users to group
  3. chown folder to root.<group>
  4. chmod folder to 2770 (g+s)
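The /etc/passwd and /etc/shadow field layouts given in the users section above are what pwck and chage work from, and knowing the field positions lets you audit accounts with nothing but awk. The following is an added example, not from the original notes: it writes constructed passwd and shadow files (a made-up "backdoor" account with a second UID 0 and an empty password field, plus a user whose password is past its maximum age) into a temporary directory and runs three checks over them. The function names, the sample accounts and the fake hashes are mine; the checks never touch the real /etc.

```shell
# Added example (not from the original wiki): audit checks over the
# /etc/passwd and /etc/shadow formats given above, run against constructed
# sample files in a temp dir (never against the real /etc).

# Write constructed sample files into directory $1. The "backdoor" account is
# made up to show what the checks catch: a second UID 0 with an empty password.
write_samples() {
    cat >"$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backdoor:x:0:0:constructed example:/tmp:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
    cat >"$1/shadow" <<'EOF'
root:$1$saltsalt$fakehashfakehashfakeha:14500:0:99999:7:::
bin:*:14500:0:99999:7:::
backdoor::14500:0:99999:7:::
alice:$1$saltsalt$fakehashfakehashfakeha:14000:0:90:7:::
EOF
}

# passwd field 3 is the uid: anything besides root at uid 0 is a finding.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# shadow field 2 is the password hash: empty means login with no password.
empty_passwords() { awk -F: '$2 == "" { print $1 }' "$1"; }

# shadow fields 3 and 5 are lastpwchange and maxpwage (days). Given "today"
# as days since the epoch, list usable accounts whose password is older than
# its maximum age. Locked (*, !) and empty entries are skipped, as is the
# 99999 "never expires" value.
expired_passwords() {
    awk -F: -v today="$2" '
        $2 == "" || $2 ~ /^[*!]/ { next }
        $5 == "" || $5 == 99999  { next }
        $3 + $5 < today          { print $1 }
    ' "$1"
}

# Stand-alone demo
dir=$(mktemp -d)
write_samples "$dir"
echo "extra uid 0 accounts:    $(extra_uid0 "$dir/passwd")"
echo "empty password fields:   $(empty_passwords "$dir/shadow")"
echo "expired as of day 14500: $(expired_passwords "$dir/shadow" 14500)"
rm -rf "$dir"
```

To run the same checks on a live box, pass /etc/passwd and /etc/shadow (the latter readable only by root) and compute "today" as $(( $(date +%s) / 86400 )).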


install and update packages using rpm
    # install
    rpm -ivh .rpm
    # update
    rpm -Uvh .rpm
    # freshen

    rpm -Fvh .rpm
    # remove
    rpm -e
    # query by file name
    rpm -qf
    # verify a file
    rpm -Vf >
    # verify status of all packages
    rpm -Va > /tmp/rpmverify
  while inside the rescue environment, use the root option to specify the real location of your root filesystem (e.g. root=/mnt/sysimage).

properly update the kernel package
  1. always do an install (i.e. rpm -ivh <kernel package>) rather than an update
  2. check /boot/grub/grub.conf for proper configuration

configure the system to update/install packages from remote repositories using yum or pup
  yum config goes in /etc/yum.repos.d/
    [id]
    name=my repo
    baseurl=http://example.com/centos/

    enabled=1

modify the system bootloader
  production config is in /boot/grub/grub.conf
  see examples in /usr/share/doc/grub-*/menu.lst

implement software RAID at install-time and run-time
  to start, we need at least two devices/partitions of type linux raid autodetect (use fdisk to set partition type to fd)
  create raid device:
    mdadm --create /dev/md0 --level= --raid-devices=
  fail disk in array:
    mdadm /dev/md0 -f
  remove disk from array:
    mdadm /dev/md0 -r


  add disk to array:
    mdadm /dev/md0 -a
  stop array:
    mdadm --stop /dev/md0
  check raid status:
    mdadm --detail /dev/md0
    cat /proc/mdstat
  format works as usual:
    mkfs.ext3 /dev/md0
  don't forget to configure /etc/fstab appropriately.

use /proc/sys and sysctl to modify and set kernel run-time parameters
  config is in /etc/sysctl.conf
    # search through parameters
    sysctl -a | grep
    # apply changes from config file immediately
    sysctl -p

use scripting to automate system maintenance tasks

configure NTP for time synchronization with a higher-stratum server
  redhat config tool:
    system-config-date
  config is in /etc/ntp.conf
  synchronization configuration example:
    server 0.pool.ntp.org
    server 1.pool.ntp.org
    server 2.pool.ntp.org
  apply changes:
    service ntpd restart
    chkconfig ntpd on
  verify changes:
    ntpq -p


Troubleshooting and System Maintenance

RHCEs must demonstrate the RHCT skills listed above, and should be able to:

use the rescue environment provided by first installation CD
    linux rescue
  when working in non-chrooted rescue mode:
    mount /dev/hdc /mnt/source (to access install files on the cd/dvd)
    rpm commands should use the root=/mnt/sysimage option
  manually make /dev and /proc available in chrooted mode:
    mount -o bind /dev /mnt/sysimage/dev
    mount -o bind /proc /mnt/sysimage/proc

diagnose and correct boot failures arising from bootloader, module, and filesystem errors
  check in order:
    1. mbr
    2. /boot/grub/grub.conf
    3. /etc/fstab
    4. /etc/inittab
    5. /etc/rc.d/rc.sysinit
    6. /etc/rc.d/rc*.d
    7. /etc/rc.d/init.d/*
    8. /etc/rc.d/rc.local
  grub errors
    in general, use the last line before the error message to see where grub error'd out
    to find correct value for root option, type find /grub/stage1 at the grub command line (remember that all file names in grub.conf are relative to the root option)
    check for missing files in kernel and/or initrd lines
  kernel errors
    missing/corrupt initrd file results in: kernel panic - not syncing: vfs: unable to mount root fs on unknown-block
    invalid root parameter for kernel results in: setuproot: error mounting /proc: No such file or directory
  reinstall grub to mbr:
    grub-install
  recreate initrd:
    mkinitrd
  fix corrupt filesystem:
    fsck


  if fsck is unable to locate a superblock, you can specify an alternative one:
    dumpe2fs
    fsck -b

diagnose and correct problems with network services (see Installation and Configuration below for a list of these services)
  see what's listening on what port:
    netstat -ntaupe

add, remove, and resize logical volumes
  redhat lvm config tool:
    yum install system-config-lvm
    system-config-lvm
  create physical volume:
    pvcreate
  create volume group:
    vgcreate [pv device]
  extend volume group:
    vgextend
  create logical volume:
    lvcreate --size M --name
  extend logical volume:
    lvextend --size M
    resize2fs
  shrink logical volume:
    resize2fs M
    lvreduce --size M
  remove logical volume:
    lvremove

diagnose and correct networking services problems where SELinux contexts are interfering with proper operation.
  enable/disable selinux in /etc/sysconfig/selinux:
    SELINUX=enforcing
    SELINUXTYPE=targeted


  install selinux troubleshooter:
    yum install setroubleshoot
    service setroubleshoot start
    chkconfig setroubleshoot on
  install selinux management tool:
    yum install policycoreutils-gui
  list selinux errors:
    sealert -a /var/log/audit/audit.log | less
  launch gui browser:
    sealert -b
  list selinux booleans:
    getsebool -a
  set selinux boolean:
    setsebool -P =
  list security contexts:
    ls -Z
  change security contexts:
    # using reference (copy contexts from existing known-good file)
    chcon -R --reference
    # manual

    chcon -R -u
    chcon -R -t

Installation and Configuration

RHCEs must demonstrate the RHCT-level skills listed above, and they must be capable of configuring the following network services. For each of these services, RHCEs must be able to:
  - install the packages needed to provide the service
  - configure SELinux to support the service
  - configure the service to start when the system is booted
  - configure the service for basic operation
  - configure host-based and user-based security for the service

HTTP/HTTPS
  install
    yum install httpd mod_ssl
  selinux


    make new DocumentRoot match default DocumentRoot (this applies to any directory that apache will serve files from):
      chcon -R --reference /var/www /www
  start at boot
    chkconfig httpd on
  basic config
    requirements for ~user/ directories:
      UserDir directive
      chmod 701 the user's home directory
      change security context on the user's UserDir
    requirements for .htaccess file usage:
      AllowOverride All directive
    requirements for name-based virtual hosts:
      NameVirtualHost *:80 and NameVirtualHost *:443 directives
      each virtual host requires appropriate ServerName and ServerAlias directives
      a single virtual host cannot span multiple ports (i.e. 80 and 443). two separate VirtualHost *:<port> sections are needed to do this.
    self-signed ssl cert:
      cd /etc/pki/tls/certs
      rm localhost.crt
      make testcert
    check virtual host config:
      httpd -D DUMP_VHOSTS
  host-based security
    firewall config:
      protocol  ports
      tcp       80, 443
    hosts are allowed by default and must be explicitly denied:

      Order deny,allow
      Deny from 192.168.0.0/255.255.255.0
      Deny from badguys.example.com

    hosts are denied by default and must be explicitly allowed:
      Order allow,deny
      Allow from 192.168.0.0/255.255.255.0
      Allow from goodguys.example.com
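The two Order forms above differ in their default and in which directive wins when both match, and the address forms they take (dotted netmask here, CIDR prefixes in the samba, squid, bind and ntp sections later on, trailing-dot prefixes in the tcp_wrappers examples) all come down to the same masked comparison. The following is an added example, not from the original notes, and it goes a little beyond this passage: a shell implementation of that comparison for every address form used in these notes, plus an apache_access function that applies the apache 2.2 Order rules to the two configs shown above. Hostname entries such as badguys.example.com need DNS and are skipped. The function names are mine; the configs and addresses are the ones from the notes.

```shell
# Added example (not from the original wiki): match a client address against
# the address forms that appear in these notes (dotted netmask, CIDR prefix,
# bare address, tcp_wrappers-style trailing-dot prefix) and evaluate apache's
# Order allow,deny / Order deny,allow rules with the two configs above.
# Hostname entries (badguys.example.com) need DNS and are skipped here.

# dotted quad -> 32-bit integer
ip2int() {
    echo "$1" | ( IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )) )
}

# prefix length (0-32) -> mask as integer (assumes 64-bit shell arithmetic)
prefix2mask() { echo $(( 0xffffffff & ~((1 << (32 - $1)) - 1) )); }

# in_network IP SPEC -> yes|no
in_network() {
    local ip=$1 spec=$2 net m mask
    case $spec in
        *.)  case $ip in "$spec"*) echo yes;; *) echo no;; esac; return 0;;   # tcp_wrappers "192.168.0." prefix
        */*) net=${spec%/*}; m=${spec#*/};;
        *)   net=$spec; m=32;;                                                # bare address = /32
    esac
    case $m in
        *.*) mask=$(ip2int "$m");;       # dotted netmask, e.g. 255.255.255.0
        *)   mask=$(prefix2mask "$m");;  # CIDR length, e.g. 23
    esac
    if [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]; then
        echo yes
    else
        echo no
    fi
}

# matches_any IP "SPEC SPEC ..." -> yes|no
matches_any() {
    local ip=$1 spec
    for spec in $2; do
        case $spec in *[!0-9./]*) continue;; esac   # hostnames: not resolved here
        if [ "$(in_network "$ip" "$spec")" = yes ]; then echo yes; return 0; fi
    done
    echo no
}

# apache_access ORDER "ALLOW specs" "DENY specs" IP -> allow|deny
apache_access() {
    local order=$1 allow=$2 deny=$3 ip=$4 a d
    a=$(matches_any "$ip" "$allow")
    d=$(matches_any "$ip" "$deny")
    case $order in
        deny,allow)   # default allow; a matching Allow overrides a matching Deny
            if [ "$a" = yes ]; then echo allow; elif [ "$d" = yes ]; then echo deny; else echo allow; fi;;
        allow,deny)   # default deny; a matching Deny overrides a matching Allow
            if [ "$d" = yes ]; then echo deny; elif [ "$a" = yes ]; then echo allow; else echo deny; fi;;
        *) echo "unknown Order: $order" >&2; return 1;;
    esac
}

# Stand-alone demo with the two configs from the notes
for ip in 192.168.0.5 10.1.1.1; do
    echo "$ip  Order deny,allow + Deny from 192.168.0.0/255.255.255.0: $(apache_access deny,allow "" "192.168.0.0/255.255.255.0 badguys.example.com" "$ip")"
    echo "$ip  Order allow,deny + Allow from 192.168.0.0/255.255.255.0: $(apache_access allow,deny "192.168.0.0/255.255.255.0 goodguys.example.com" "" "$ip")"
done
```

in_network on its own is enough to sanity-check a samba "hosts allow", a squid src acl or a bind allow-query entry before restarting the service: feed it the client address you expect to be blocked and the exact string from the config.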


  user-based security
    create web password file:
      htpasswd -c /etc/httpd/webusers testuser1
      htpasswd /etc/httpd/webusers testuser2
    create web group file (/etc/httpd/webgroups):
      testgroup: testuser1 testuser2
    allow access by group:
      AuthType Basic
      AuthName "top secret area"

      AuthUserFile /etc/httpd/webusers
      AuthGroupFile /etc/httpd/webgroups
      Require group testgroup

  verify service functionality
    test http/https:
      elinks :///[path]

SMB
  install
    yum install samba samba-client
  selinux
    allow samba to share home directories:
      setsebool -P samba_enable_home_dirs=1
    mark a directory as sharable with samba:
      chcon -R -t samba_share_t
  start at boot
    chkconfig smb on
  basic config
    redhat samba config tool:
      yum install system-config-samba
      system-config-samba
    set workgroup/domain:
      workgroup =


    security modes:
      # connections check local pwdb (default)
      security = user

      # member server on a domain, uses pwdb on a dc
      security = domain
      workgroup = EXAMPLE

      # member server on an ad domain using kerberos, uses pwdb on a dc
      security = ads
      realm = EXAMPLE.COM
      password server = kerberos.example.com

      # used when samba was not capable of being a domain member server (DO NOT USE)
      security = server
      encrypt passwords = yes
      password server =

      # each share requires a password (DO NOT USE)
      security = share
    share options:
      []
      # path for share
      path =
      # share is visible
      browseable =
      # rw enabled
      writeable =
      # this is a shared printer
      printable =
      # all users connecting to this share use as their primary group
      group =
    join domain:
      net rpc join -U root
    fstab example:
      /// cifs user=,pass= 0 0
    mount.cifs and umount.cifs need to be chmod'ed u+s in order to be used by non-root users
  host-based security
    firewall config:
      protocol  ports
      tcp       139, 445
      udp       137, 138
    hosts allow/deny can be used per-server or per-share:
      hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
      hosts deny = 0.0.0.0/0
  user-based security


    account maintenance:
      # add account (local linux account must exist first, or be translated via /etc/samba/smbusers):
      smbpasswd -a
      # enable/disable account:
      smbpasswd -e
      smbpasswd -d
      # remove account:
      smbpasswd -x
    service smb reload may be needed after account changes
    share access:
      valid users = @
    share access is also controlled by unix file permissions
  verify service functionality
    list shares:
      smbclient -L -U
    browse shares:
      smbclient /// -U
    test allow/deny statements for a host:
      testparm /etc/samba/smb.conf

NFS
  install
    yum install portmap nfs-utils
  start at boot
    chkconfig portmap on
    chkconfig nfs on
    chkconfig nfslock on
    chkconfig netfs on
  basic config
    redhat config tool:
      yum install system-config-nfs
      system-config-nfs
    format of /etc/exports:
      () [() ...]
    activate new exports:


      /etc/init.d/nfs restart
  host-based security
    edit /etc/sysconfig/nfs and restart nfs to set static ports
    firewall config:
      # see ports
      rpcinfo -p
    host based security is intrinsic to the format of the exports file
  user-based security
    use standard file permissions
  verify service functionality
    list exports:
      showmount -e

FTP
  install
    yum install vsftpd
  selinux
    allow local users to login and cd into home directories:
      setsebool -P ftp_home_dir=1
  start at boot
    chkconfig vsftpd on
  basic config
  host-based security
    use ipchains with -[!]s option
    firewall config:
      protocol  ports
      tcp       21
      ftp data transfers will not work unless ip_conntrack_ftp is added to IPTABLES_MODULES in /etc/sysconfig/iptables-config
    tcp_wrappers example:
      vsftpd : 192.168.0.


  user-based security
    allow/deny controlled via /etc/vsftpd/user_list (users in /etc/vsftpd/ftpusers are always denied via pam)
    default allow/deny is configured by userlist_deny statement in vsftpd.conf
  verify service functionality
    test ftp:
      ftp

Web proxy
  install
    yum install squid
  selinux
    allow squid to connect to the network (this is recommended, but was not needed in my testing):
      setsebool -P squid_connect_any=1
  start at boot
    chkconfig squid on
  host-based security
    firewall config:
      protocol  ports
      tcp       3128
    allow access from local networks:
      acl our_networks src 192.168.1.0/24 192.168.2.0/23
      http_access allow our_networks
  user-based security
  verify service functionality
    test proxy:
      HTTP_PROXY=:3128 elinks

SMTP
  install
    yum install postfix
    alternatives --config mta
    service sendmail stop
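The FTP user-based security note above names userlist_deny without showing what it changes: the same user_list file is a blocklist when userlist_deny=YES and the only permitted set when userlist_deny=NO, and ftpusers is enforced by pam_listfile in either case. The following is an added example, not from the original notes, encoding those rules as documented in vsftpd.conf(5); it assumes userlist_enable=YES (what Red Hat's shipped vsftpd.conf sets) and takes the file paths as parameters so it runs against constructed files in a temporary directory. The function name and sample users are mine.

```shell
# Added example (not from the original wiki): the vsftpd login gate described
# above, with the rules from vsftpd.conf(5). File paths are parameters so the
# demo runs against constructed files in a temp dir; userlist_enable=YES is
# assumed (Red Hat's shipped vsftpd.conf sets it).

# ftp_login_allowed USER FTPUSERS_FILE USER_LIST_FILE USERLIST_DENY(YES|NO) -> yes|no
ftp_login_allowed() {
    local user=$1 ftpusers=$2 user_list=$3 userlist_deny=$4 in_list=no
    # /etc/vsftpd/ftpusers is enforced by pam_listfile (sense=deny) in
    # /etc/pam.d/vsftpd: a listed user is refused whatever user_list says
    if grep -qxF -- "$user" "$ftpusers"; then echo no; return 0; fi
    if grep -qxF -- "$user" "$user_list"; then in_list=yes; fi
    case $userlist_deny in
        YES) # default: user_list is a blocklist, refused before the password prompt
             if [ "$in_list" = yes ]; then echo no; else echo yes; fi;;
        NO)  # user_list becomes the only set of users allowed to log in
             if [ "$in_list" = yes ]; then echo yes; else echo no; fi;;
        *)   echo "userlist_deny must be YES or NO" >&2; return 1;;
    esac
}

# Stand-alone demo with constructed files: root and bin in ftpusers, alice in user_list
d=$(mktemp -d)
printf 'root\nbin\n' >"$d/ftpusers"
printf 'alice\n' >"$d/user_list"
for mode in YES NO; do
    echo "userlist_deny=$mode:"
    for u in root alice bob; do
        echo "  $u: $(ftp_login_allowed "$u" "$d/ftpusers" "$d/user_list" "$mode")"
    done
done
rm -rf "$d"
```

The flip to userlist_deny=NO is the one to double-check after editing: a user_list that was a short blocklist suddenly becomes the complete allowlist, and everyone not in it is locked out.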


  start at boot
    chkconfig postfix on
  basic config
    listen on public interfaces:
      inet_interfaces = all
    specify all destination hostnames/domains:
      mydestination = , , ...
    specify origin domain:
      myorigin = $mydomain
    local aliases in /etc/aliases (don't forget to run newaliases to apply changes):
      : [, user2]
    virtual aliases in /etc/postfix/virtual (don't forget to run postmap /etc/postfix/virtual to apply changes):
      :
    enable virtual aliases:
      virtual_alias_maps = hash:/etc/postfix/virtual
    outbound address rewriting in /etc/postfix/generic (don't forget to run postmap /etc/postfix/generic to apply changes):
      :
    enable outbound aliases:
      smtp_generic_maps = hash:/etc/postfix/generic
  host-based security
    use ipchains with -[!]s option
    firewall config:
      protocol  ports
      tcp       25
  user-based security
    use smtp auth?
  verify service functionality
    test smtp:
      telnet 25


IMAP, IMAPS, and POP3
  install
    yum install dovecot
  start at boot
    chkconfig dovecot on
  basic config
    enable protocols:
      protocols =
    create custom ssl cert:
      nano -w /etc/pki/dovecot/dovecot-openssl.cnf
      /usr/share/doc/dovecot-*/examples/mkcert.sh
      service dovecot restart
  host-based security
    use ipchains with -[!]s option
      protocol  ports
      tcp       143, 110, 995, 993
  user-based security
    use pam_listfile in /etc/pam.d/dovecot
  verify service functionality
    test mailbox access:
      mutt -f ://@

SSH
  install
    yum install openssh-server
  start at boot
    chkconfig sshd on
  user-based security
    allow/deny user access:
      AllowUsers user1 user2 [email protected] user4 user5 [email protected]
  host-based security


    u s e i p c h a i n s w i t h - [ ! ] s o p t i o nf i r e w a l l c o n f i g :p r o t o c o l p o r t st c p 2 2t c p _ w r a p p e r s e x a m p l e :sshd : 192.168.0.v e r i f y s e r v i c e f u n c t i o n a l i t yt e s t l o g g i n g i n :ssh @D N S ( c a c h i n g n a m e s e r v e r , s l a v e n a m e s e r v e r )i n s t a l lyum install bind-chroot caching-nameservers t a r t a t b o o tchkconfig named onb a s i c c o n f i gc o p y s a m p l e c o n f i g :cp -a /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.confc a c h i n g - o n l y n a m e s e r v e r :e d i t l i s t e n - o n d i r e c t i v e s ( c o m m e n t o u t t o l i s t e n o n a l l i n t e r f a c e s )e d i t a l l o w - q u e r y d i r e c t i v e s ( c o m m e n t o u t a l l o w q u e r i e s f r o m e v e r y o n e )e d i t m a t c h - c l i e n t s a n d m a t c h - d e s t i n a t i o n s d i r e c t i v e s t o a l l o w r e c u r s i v e q u e r i e s f r o m o t h e r h o s t ss l a v e n a m e s e r v e r :g e t s l a v e e x a m p l e f r o m / u s r / s h a r e / d o c / b i n d - * / s a m p l e / e t c / n a m e d . c o n fh o s t - b a s e d s e c u r i t yf i r e w a l l c o n f i g :p r o t o c o l p o r t st c p 5 3u d p 5 3a l l o w - q u e r y e x a m p l e :allow-query { 192.168.0.0/16; localnets; };u s e r - b a s e d s e c u r i t y

    hce [Mike Conigliaro's Wiki] http://conigliaro.org/wiki/r

    22 of 26 10/16/09 0

  • 8/8/2019 Rhce Mike Conigliaro s Wiki

    23/26

    N / Av e r i f y s e r v i c e f u n c t i o n a l i t yt e s t q u e r y :dig @ t e s t z o n e t r a n s f e r :dig @ axfrN T Pi n s t a l lyum install ntps t a r t a t b o o tchkconfig ntpd onh o s t - b a s e d s e c u r i t yf i r e w a l l c o n f i g :p r o t o c o l p o r t su d p 1 2 3a l l o w o t h e r s e r v e r s t o s y n c w i t h u s :restrict 192.168.1.0 mask 255.255.255.0 nomodify notrapu s e r - b a s e d s e c u r i t yN / Av e r i f y s e r v i c e f u n c t i o n a l i t ys h o w p e e r s :ntpq -pR H C E s m u s t a l s o b e a b l e t o :c o n f i g u r e h a n d s - f r e e i n s t a l l a t i o n u s i n g K i c k s t a r tyum install system-config-kickstartm a k e i n s t a l l a t i o n t r e e a v a i l a b l e1 . c r e a t e k i c k s t a r t f i l e ( u s e s y s t e m - c o n f i g - k i c k s t a r t t o c r e a t e k s . c f g ) a n d v a l i d a t e ( u s i n g k s v a l i d a t o r )2 . v a l i d a t e k i c k s t a r t f i l e3 . m a k e k i c k s t a r t f i l e a v a i l a b l eb o o t a b l e d i s k e t t e ( p l a c e i n t o p l e v e l d i r e c t o r y )b o o t a b l e c d r o m ( p l a c e i n t o p l e v e l d i r e c t o r y )4 .

    hce [Mike Conigliaro's Wiki] http://conigliaro.org/wiki/r

    23 of 26 10/16/09 0

  • 8/8/2019 Rhce Mike Conigliaro s Wiki

    24/26

    n e t w o r k ( h t t p , f t p , n f s )u s e b o o t a b l e m e d i a a n d s u p p l y a p p r o p r i a t e k e r n e l p a r a m e t e r5 .ks=floppy:/ks.cfgks=cdrom:/ks.cfgks=http://example.com/ks.cfgks=nfs:example.com:/ks.cfgi m p l e m e n t l o g i c a l v o l u m e s a t i n s t a l l - t i m eu s e i p t a b l e s t o i m p l e m e n t p a c k e t f i l t e r i n g a n d / o r N A T d o n o t u s e s y s t e m - c o n f i g - s e c u r i t y l e v e l , a s i t w i l l o v e r w r i t e y o u r c u s t o m i p t a b l e s r u l e s . t h e f o l l o w i n g m e t h o d s e e m s t ob e t h e b e s t w a y t o g o :m a k e c h a n g e s i n / e t c / s y s c o n f i g / i p t a b l e s1 . r u n / e t c / i n i t . d / i p t a b l e s r e s t a r t t o a p p l y c h a n g e s2 .p a c k e t f i l t e r i n gp a c k e t f i l t e r i n g e x a m p l e :-A -p -m [-s[!] ] --dport -j ACCEPTN A Te n a b l e i p f o r w a r d i n g i n / e t c / s y s c t l . c o n f :net.ipv4.ip_forward = 1t o t e s t f r o m a n o t h e r m a c h i n e :ip route replace default via i n b o u n d d n a t :iptables -t nat -A PREROUTING -p --dport -j DNAT --to-dest :o u t b o u n d d n a t :iptables -t nat -A OUTPUT -p --dport -j DNAT --to-dest :m a s q u e r a d i n g :iptables -t nat -A POSTROUTING -o -j MASQUERADEs n a t :iptables -t nat -A POSTROUTING -j SNAT --to-source :u s e P A M t o i m p l e m e n t u s e r - l e v e l r e s t r i c t i o n sm o d u l e d o c u m e n t a t i o n

    hce [Mike Conigliaro's Wiki] http://conigliaro.org/wiki/r

    24 of 26 10/16/09 0

  • 8/8/2019 Rhce Mike Conigliaro s Wiki

    25/26

    / u s r / s h a r e / d o c / p a m - * / t x t sm o d u l e c o n f i g u r a t i o n/ e t c / p a m . d/ e t c / s e c u r i t y m o d u l e i n t e r f a c e d e s c r i p t i o na u t h u s e r a u t h e n t i c a t i o n ( e . g . v e r i f i e s p a s s w o r d , s e t g r o u p m e m b e r s h i p o r k e r b e r o s t i c k e t s , e t c . )a c c o u n t v e r i f i e s t h a t a c c e s s i s a l l o w e d ( e . g . e x p i r e d a c c o u n t ? , c h e c k g r o u p m e m b e r s h i p , e t c . )p a s s w o r d h a n d l e s p a s s w o r d c h a n g e ss e s s i o n m a n a g e s u s e r s e s s i o n s ( e . g . m o u n t h o m e d i r , c r e a t e m a i l b o x , l o g g i n g , e t c . )c o n t r o l f l a g d e s c r i p t i o nr e q u i r e d m u s t p a s s , c o n t i n u e t e s t i n g o n f a i l u r er e q u i s i t e m u s t p a s s , s t o p t e s t i n g o n f a i l u r es u f f i c i e n t f a i l u r e i s i g n o r e d , b u t i f p a s s i n g s o f a r , r e t u r n s u c c e s s a t t h i s p o i n to p t i o n a l p a s s o r f a i l u r e i s i r r e l e v a n ti n c l u d e i n c l u d e a n o t h e r f i l ep a m _ l i s t f i l e . s o e x a m p l ea l l o w / d e n y u s e r s i f l i s t e d i n / e t c / s p e c i a l :auth required pam_listfile.so onerr=success item=user sense= file=/etc/specialt c p _ w r a p p e r sf i l e f o r m a t : : [except ] [: ]s e a r c h o r d e r :/ e t c / h o s t s . a l l o w1 . / e t c / h o s t s . d e n y2 . a l l o w b y d e f a u l t3 . s e a r c h i n g s t o p s o n f i r s t m a t c hT r o u b l e s h o o t i n gu n a b l e t o l o g i np a s s w o r d w r o n g o r e x p i r e d ?a c c o u n t l o c k e d ?s h e l l s e t t o / s b i n / n o l o g i n , / b i n / f a l s e , e t c . ?r o o t u s e r a n d P e r m i t R o o t L o g i n n o i n / e t c / s s h / s s h d _ c o n f i g ?r o o t u s e r a n d t e r m i n a l n o t l i s t e d i n / e t c / s e c u r e t t y ?

    hce [Mike Conigliaro's Wiki] http://conigliaro.org/wiki/r

    25 of 26 10/16/09 0

  • 8/8/2019 Rhce Mike Conigliaro s Wiki

    26/26

    n o n - r o o t u s e r a n d / e t c / n o l o g i n e x i s t s ?c h e c k p a m _ l i s t f i l e r e s t r i c t i o n s r h c e . t x t L a s t m o d i f i e d : 2 0 0 9 / 0 8 / 2 5 0 9 : 4 4 b y a d m i nE x c e p t w h e r e o t h e r w i s e n o t e d , c o n t e n t o n t h i s w i k i i s l i c e n s e d u n d e r t h e f o l l o w i n g l i c e n s e : C C A t t r i b u t i o n -N o n c o m m e r c i a l - S h a r e A l i k e 3 . 0 U n p o r t e d [ h t t p : / / c r e a t i v e c o m m o n s . o r g / l i c e n s e s / b y - n c - s a / 3 . 0 / ]hce [Mike Conigliaro's Wiki] http://conigliaro.org/wiki/r
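The PAM control-flag table and the pam_listfile line in the PAM section above, as an added example that is not part of the original notes: a small Python model of how one PAM management group is evaluated, and of what pam_listfile's sense= and onerr= options do. The stack structure, module callables and user lists are constructed; `include` is file inclusion and is not modelled.

```python
# Added example (not from the original notes): a model of the PAM control flags in
# the table above and of pam_listfile.so (item=user); stack, modules and user lists are constructed.
from typing import Callable, List, Set, Tuple

PASS, FAIL = "pass", "fail"
Module = Callable[[str], str]          # a PAM module: user -> PASS or FAIL

def run_stack(stack: List[Tuple[str, Module]], user: str) -> bool:
    """Evaluate one management group (e.g. the auth lines of /etc/pam.d/sshd).
    required   - must pass; a failure is remembered, later modules still run
    requisite  - must pass; a failure ends the stack immediately
    sufficient - failure ignored; a pass ends the stack with success unless a
                 required module has already failed
    optional   - counts only when no other kind of module is in the stack"""
    required_failed, decisive_seen, last_optional = False, False, PASS
    for flag, module in stack:
        result = module(user)
        if flag == "required":
            decisive_seen = True
            required_failed = required_failed or result == FAIL
        elif flag == "requisite":
            decisive_seen = True
            if result == FAIL:
                return False
        elif flag == "sufficient":
            decisive_seen = True
            if result == PASS and not required_failed:
                return True
        elif flag == "optional":
            last_optional = result
        else:
            raise ValueError(f"unknown control flag: {flag}")
    if not decisive_seen:
        return last_optional == PASS
    return not required_failed

def pam_listfile(sense: str, listed: Set[str], onerr: str = "succeed",
                 file_readable: bool = True) -> Module:
    """Model of pam_listfile.so with item=user: sense=allow passes only listed
    users, sense=deny passes only unlisted ones. onerr decides the result when
    the list file cannot be read: onerr=succeed fails OPEN, onerr=fail closed."""
    def module(user: str) -> str:
        if not file_readable:
            return PASS if onerr == "succeed" else FAIL
        found = user in listed
        return PASS if found == (sense == "allow") else FAIL
    return module
```

Note the order sensitivity the table implies: a `sufficient` module placed after a failed `required` one cannot rescue the login, while the same module placed first short-circuits the stack before the `required` line is reached.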
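The tcp_wrappers search order above (hosts.allow, then hosts.deny, then allow by default, first match wins), as an added example that is not part of the original notes. Rule text and client addresses are constructed; the pattern matcher covers only the forms the notes use (ALL, daemon names, `except`, prefixes such as `192.168.0.`) plus domain suffixes, not the full hosts_access(5) language.

```python
# Added example (not from the original notes): the hosts.allow / hosts.deny decision
# from the tcp_wrappers section above. Rule text and clients are constructed; matching
# covers the forms in the notes (ALL, daemon names, "except", 192.168.0. prefixes)
# plus domain suffixes, not the full hosts_access(5) language.
from typing import List, Tuple

Rule = Tuple[List[str], List[str], List[str]]  # daemons, clients, except-clients

def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [except client_list] [: option]' lines."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2:                      # blank, comment or malformed line
            continue
        clients, _, excepted = fields[1].partition(" except ")
        rules.append((fields[0].replace(",", " ").split(),
                      clients.replace(",", " ").split(),
                      excepted.replace(",", " ").split()))
    return rules

def matches(pattern: str, value: str) -> bool:
    """ALL matches anything; a trailing '.' is a network prefix (192.168.0.);
    a leading '.' is a domain suffix; anything else must match exactly."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    if pattern.startswith("."):
        return value.lower().endswith(pattern.lower())
    return pattern.lower() == value.lower()

def rule_matches(rule: Rule, daemon: str, client: str) -> bool:
    daemons, clients, excepted = rule
    return (any(matches(p, daemon) for p in daemons)
            and any(matches(p, client) for p in clients)
            and not any(matches(p, client) for p in excepted))

def access_allowed(hosts_allow: str, hosts_deny: str, daemon: str, client: str) -> bool:
    """Search order from the notes: hosts.allow, then hosts.deny, then allow by
    default. The first matching rule decides, so a later deny never overrides it."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(hosts_allow)):
        return True
    if any(rule_matches(r, daemon, client) for r in parse_rules(hosts_deny)):
        return False
    return True
```

Because the default is allow, a hosts.allow entry such as `sshd : 192.168.0.` restricts nothing on its own; only a matching `ALL : ALL` (or similar) line in hosts.deny turns it into a whitelist.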