Monday, May 21, 2012

RHCSA "Cheat Sheet"

I've got the RHCSA scheduled for June 8th.Originally, I was scheduled to take the exam back in early April, but I had two classes cancelled on me. As it turns out, if the RH200 5 day class isn't booked by at least 4 people, the class and exam are cancelled. Consequently, it's best to call and book over the phone in order to see which classes are "GTR" or guaranteed to run.

In my final preperation for the RHCSA I've gone through and found some good references for a "cheat sheet," pulling from Michael Jang's RHCSA/RHCE study guide as well as this fantastic wiki: http://rhce.co/rhel6/Main_Page for those seeking their RHCSA.The RHCE portion is incomplete, but the RHCSA part is complete and only slightly outdated. It is a fantastic resource.

Between those two sources, notes from Tommasino's Hands-on Guide to the RHCSA/RHCE, and my personal knowledge, I put together this study guide based on the RE200 exam objectives as of 2012 05 15.


Objectives:

Understand and use essential tools

  • Access a shell prompt and issue commands with correct syntax.
    • Change TTY
      • ctrl+alt+F1 
        • F1-F7 are available
    • Icon on top of left of GUI
    • -Menu/Applications/System Tools/Terminal

  • Use input-output redirection (>, >>, |, 2>, etc.).
    • > overwright
    • < send into a command or file
    • >> append
    • << append into a command or file
      • cat >> hoge.txt << _end
        • cat the file
        • enter text in tot he file until _end has been met 
    • | funnel into
    • 2> redirect errors
    • 2>&1 redirect errors to std out

  • Use grep and regular expressions to analyze text.
    • grep for nocase 
      • # grep -i
    • egrep ‘^(wheel|root)’ /etc/group
    • less file | [e]grep string
    • inverted search with grep and egrep
      • grep -v ^# /etc/nsswitch.conf
        egrep -v ^# /etc/nsswitch.conf

  • Access remote systems using ssh and VNC.
    • SSH user_name@host
    • ssh with x windows pass through
      • SSH host -lX user_name
    • vncviewer remote_host

  • Log in and switch users in multiuser runlevels.
    • Runlevels 2, 3, 5
    • su - username

  • Archive, compress, unpack, and uncompress files using tar, star, gzip, and bzip2.
    • # gzip big.jpg
      # bzip2 big.jpg
      # gzip -d big.jpg.gz
      # bzip2 -d big.jpg.bz2
      # tar czvf home.tar.gz /home
      # tar xzvf home.tar.gz /home
      yum install star
      # star -xattr -H=exustar -c -f=home.star /home/
      # star -x -f=home.star

  • Create and edit text files.
    • touch filename
    • vi filename

  • Create, delete, copy, and move files and directories.
    • touch, rm, rmdir, rm -fr, cp, mv -r, mv

  • Create hard and soft links.
    • ln source destination ## hard link
    •  ln -s source dest, 

  • List, set, and change standard ugo/rwx permissions.
    • ls -l
    • chmod +x +w +r, 
    • chmod 755 ##folders default
    • chown user.group
    • chgrp

  • Locate, read, and use system documentation including man, info, and files in /usr/share/doc.
    • man command_name
    • man -k command_name
    • search for command in the doc directory
    • ls -l /usr/share/doc | grep httpd

Note: Red Hat may use applications during the exam that are not included in Red Hat Enterprise Linux for the purpose of evaluating candidate's abilities to meet this objective.


Operate running systems

  • Boot, reboot, and shut down a system normally.
    • su - exec reboot
    • sudo shutdown -r now
    • sudo init 0
    • shutdown -h now
    • halt -p

  • Boot systems into different runlevels manually.
    • shows current run level
      • runlevel
    • switches runlevel
      • init [number]
    • change /etc/inittab
      • id:3:initdefault:
    • Enter GRUB, press "a" to access kernel
    • Or press "e" to edit the kernel
    • add runlevel number to end of line
    • Press enter to boot with runlevel

  • Use single-user mode to gain access to a system.
    • Enter GRUB, press "a" to access kernel
      • add "s" to end of line
      • press enter to boot into single user mode
    • Enter GRUB, press "e" to edit kernel parameteres
      • add "single" to end of line
      • press enter to boot into single user mode
    • NOTE: for Red Hat Enterprise Linux 6.0 there is a bug that will prevent you from changing your root password in single user mode. This is a result of SELinux. For this situation you would want to temporarily disable SELinux. check it. #setenforce 0

  • Identify CPU/memory intensive processes, adjust process priority with renice, and kill processes.
    • # ps -efHly | grep process_name
      • kill process ID
    • # top 
      • press "k" enter process ID and press enter
    • ps -axZ ## for selinux information on processes
    • ps -U username -u username
    • renice -20 highest - 20 lowest, 0 is default -
      • # renice -10 1234
          • ^ process ID

  • Locate and interpret system log files.
    • # cat /var/log/messages | grep Failed | less
      • an example of searching through system 
      • logs with interpretation

  • Access a virtual machine's console.
    • launch under a GUI or X shell
      • #virt-manager
    •  
  • Start and stop virtual machines.
    • use the GUI (virt-manager)
      • click on connect if not connected.
    • List VMs on the system
      • # virsh list
    • Start a VM
      • # virsh create /etc/libvert/qemu/vm_file_name.xml
    • Kill a VM
      • shutsdown without notification
        • #virsh destroy domain-id
    • Shutdown a VM
      • shutdown down with notification
        • #virsh shutdown domain-id
  • Start, stop, and check the status of network services.
  • /etc/init.d/service_name start, stop, status, restart, reload
  • service service_name start, stop, status, restart, reload
  • chkconfig --list | grep service_name
  • chkconfig service_name on
  • chkconfig service_name --level 2345 off | on



Configure local storage

  • List, create, delete, and set partition type for primary, extended, and logical partitions.
    • fdisk -l ## list partitions
    • fdisk /dev/sdb ##create a new partition
      • Command (m for help): n
      • Command action
           e   extended
           p   primary partition (1-4) 
        
        p
      • Partition number (1-4, default 1): 1 First sector (2048-1860816, default 2048): Using default value 2048 Last sector, +sectors or +size{K,M,G} (2048-1860816, default 1860816): +180m
      • Command (m for help): w
      • # part probe
    • fdisk /dev/sdb ##delete a partition
      • Command (m for help): d
        Partition number (1-5): 2
        
      • Command (m for help): w
      • # partprobe
    • fdisk /dev/sdb ##set a partition type
      • Command (m for help): t
      • Selected partition 1
      • Hex code (type L to list codes): L
      • Hex code (type L to list codes): 83
      • Command (m for help): w 
        
        The partition table has been altered

    • See the next section - "Create and remove physical volumes, assign physical volumes to volume groups, and create and delete logical volumes."
      • The extended partition is only a container for the logical drivesA volume is a generic name for a formatted segment of space
      • that can be useto contain data. Volumes can be partitions, 
      • RAID arrays, or those logical volumes 
      • associated with Logical Volume Management (LVM)

  • Create and remove physical volumes, assign physical volumes to volume groups, and create and delete logical volumes.
        • copyright Red Hat Inc.
    • LVM theory
      • format the disk with Fdisk
        • change the type to LVM
          • A Physical Volume is a partition configured with the LVM type.
          • PVs are made up of Physical Extensions.
      • add the new volume (physical volume) to a volume group
      • Allocate a portion or all of the volume group for a logical volume.
      • label the partition as a Logical Volume (i.e., lv0)
      • The LV can then be formatted with a linux file system and mounted.
    • Open the LVM GUI if executed from a GUI shell
      • #system-config-lvm 
    • to create an LV system you need to create a new PV
      • use pvcreate
        • #pvcreat /dev/sdd ##creates a physical volume Physical volume "/dev/sdb" successfully created
      • assign the space from one or more PVs to a VG
        • use vgcreate or vgextend
          • # vgcreate volumegroup /dev/sda1 /dev/sda2
          • # vgextend volumegroup /dev/sdb1 /devsdb2
            • Physical volume "/dev/sdc" successfully created
              Volume group "MyVolGroup" successfully extended
      •  and allocate the space from some part of available VGs to an LV
        •  use lvcreate or lvextend
          • # lvcreate -L 100M MyVolGroup
            • Logical volume "lvol0" created
    • To Resize A Logical Volume
      • An assumption is made that there is a newly formatted PV to add to the VG that is to be expanded.
      • Unmount the partition (LV) which is to be expanded
        • # umount /home
      • Extend the VG to include new partition.
        • # vgextend vg_01 /dev/sde1
      • Verify the new partition has been added to the VG
        • # vgdisplay vg_00
      • Extend the unmounted LV
        • # lvextend -L 2G /dev/vg_01/lv_00
      • Resize the formatted volume
        • For the whole LV
          • # resize2fs /dev/vg_01/lv_00
        • For a fraction of the LV specify the new total size
          • # resize2fs /dev/vg_01/lv_00 6500M
      • If desired reformat the LV
        • # mkfs -t ext4 /dev/vg_01/lv_00
      • Remount the new LV
        • # mount /dev/vg_01/lv_00 /home


  • Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot.
    • Create a partition
      • # fdisk /dev/sdb
    • fill the disk with random data
      • # dd if=/dev/urandom of=/dev/sdb1 bs=1m  
      • ***Don't do this on the exam, unless instructed too!!! 
        • it just takes too much time.
    • encrypt the partition with LUKS
      • # cyptsetup luksFormat /dev sdb1
    • Give the encrypted volume a label
      • # cyprtsetup luksOpen /dev/sdb1 new_name
    • disk is now available in /dev/mapper
      • ls -l /dev/mapper
        • new_name
    • now create an FS and add it to crypt tab
      • # mkfs.ext4 /dev/mapper/new_name
      • # vi /etc/crypttab
        • new_name  /dev/sdb1
    • make a new directory for it
      • # mkdir /mnt/new_name_dir
    • edit fstab
      • vi /etc/fstab
      • /dev/mapper/mynew_data      /mynew_data      ext4      defaults
    • and finally mount it!
      • # mount -a      1 2
  • Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label.
    • Run blkid to get block ID for a device
      • # blkid
        • /dev/sdb1: UUID="12301560s-3s054df5s40d-sd5f40s6d0f4s6-sdf650sd4f65s0" TYPE="EXT4"
    • edit fstab
      • # vi /etc/fstab
        • UUID=12301560s-3s054df5s40d-sd5f40s6d0f4s6-sdf650sd4f65s0 /new_dir_name ext4  defaults  1  2
    • remount everything
      • mount -alvcreate -L 28M -n LogVol1 MyNewVolGroup
    • or mount it via label
      • # vi /etc/fstab
        • LABEL=luksdrive      /mynew_data   ext4    defaults  1 2
    • remount everything
      • mount -a

  • Add new partitions and logical volumes, and swap to a system non-destructively.
    • Add a new partition to a disk
      • fdisk /dev/sdb
      • print the partitions to see if there is one currently and what is available
        • Command (m for help): p
          • Print the current partitions
      • create a new partition
        • Command (m for help): n
          Command action   
          e   extended
          p   primary partition (1-4) p
          Partition number (1-4): 1
          First sector (2048-4194303, default 2048):  
          Using default value 2048
          Last sector, +sectors or +size{K,M,G} 
          (2048-4194303, default 4194303): +50M
    • Add a new logical volume
      • Add a new partition to a disk
        • fdisk /dev/sdd
        • print with "p"
        • n for new
        • p/e for primary or extended
        • 1-4 for partition number
        • t partition id change
        • 1-4 for partition
        • enter hex code
      • create a physical volume with the previous made partition with the pvcreate command
        • # pvcreate /dev/sdd volume_name
          • show PVs
            • # pvdisplay
      • Now create the volume group and add the PV to it
        • #vgcreate volgroup_name /dev/sdd
      • Create a logical volume to reside in the volume group
        • # lvcreate -L size_in_mb -n name_of_vol
          • ex. lvcreate -L 28M -n LogVol1 MyNewVolGroup
      • format the LV with mkfs.ext4
        • # mkfs -t ext4 /LogVol1
    • Add a swap partition
      • create a new partition with fdisk
        • change the type to swap
          • use "t" partition id change
            • 1-4 for partition
            • enter hex code (82)
      • turn on the swap partition
        • # swapon -v /dev/sdb2
      • confirm swap was added
        • #swapon -s

Create and configure file systems

  • Create, mount, unmount, and use ext2, ext3, and ext4 file systems.
    • use mkfs.file_system to format partitions
      • # mkfs.ext4 /dev/sdc1
    • mount a file system
      • # mkdir /new_mount_point
      • # mount -o rw -t ext4 /dev/sdc1 /new_mount_point/
    • run mount command to see if mounts are done correctly
      • # mount
        • This is not persistent ensure you edit the /etc/fstab file for persistent mounts
    • unmount a file system
      • # umount /new_mount_point

  • Mount, unmount, and use LUKS-encrypted file systems
    • Create a LUKS encrypted file system
      • # cryptsetup luksFormat /dev/sdc1
        • enter a passphrase
    • Open the encrypted partition with the passphrase
      • # cryptsetup luksOpen /dev/sdc1 newlukspart
    •  Create a ext4 filesystem on the partition
      • # mkfs.ext4 /dev/mapper/newlukspart
    • Create a new mount point and mount the encrypted file system
      •  # mkdir /lukspart
      • # mount -o rw -t ext4 /dev/mapper/newlukspart /lukspart
    • Verify the partition is mounted correctly
      • # mount
    • Finally, unmount the LUKS encrypted partition
      • # umount /lukspart

  • Mount and unmount CIFS and NFS network file systems.
    • Mount a CIFS share
      • # mount -t cifs //server/share /mnt --verbose -o user=username
    • mount a cifs share persistently
      • vi /etc/fstab
        • //server/directory /localsharedir cifs rw,username=user,password=pass, 0 0
    • Unmount a  CIFS share
      • # umount /mnt
    • Mount an NFS share
      • # mount -o rw -t nfs hostname:/mountpoint /mnt
    • Mount a nfs share persistently
      • vi /etc/fstab
        • servername:/path/to/dir    /localdir       nfs       rw,intr   0   0
    • Unmount an NFS share
      • # umount /mnt
    •  
  • Configure systems to mount ext4, LUKS-encrypted, and network file systems automatically.
    • Create a partition to use with LUKS
      • # fdisk -cu /dev/sdb
    • Write random data to the partition
      • # dd if=/dev/urandom of=/dev/sdb1 bs=1m
    • Encrypt the partition with LUKS format
      • # cryptsetup luksFormat /dev/sdb1
        • enter passphrase
    • Open the partition and label it (the label can be found under /dev/mapper)
      • # cryptsetup luksOpen /dev/sdb1 mynew_data
    • Create a file system on the LUKS formatted partition
      • # mkfs.ext4 /dev/mapper/mynew_data
    • Add the partition to the /etc/crypttab file
      • # vi /etcrypttab
        • Add the name of the device and path to the file
          • mynew_data      /dev/sdb1
      • Create the directory
        • # mkdir /mynew_data
    • Add the encrypted partition to the /etc/fstabfile
      • # vi /etc/fstab
      • Add the name of the encrypted device with the new mount point directory
        • /dev/mapper/mynew_data     /mynew_data     ext4     defaults     1 2
      • Run the mount command to mount the system and checks
        • # mount -a

  • Extend existing unencrypted ext4-formatted logical volumes.
    • Display currently Logical Volumes
      • # lvdisplay
    • Unmount any LVs which we would like to extend
      • umount /dev/MyNewVolgroup1/MyNewLogVol1
    • Extend the LV by adding 100 MiB
      • # lvextend -L +100M /dev/MyNewVolgroup1/MyNewLogVol1
    • Extend the Volume itself to be 400MiB by specifying the end size
      • # lvextend -L 400M /dev/MyNewVolgroup1/MyNewLogVol1
        • (no + sign)

  • Create and configure set-GID directories for collaboration.
    • Change a folder to be owned by a certain group
      • # chgrp -R sharegroup /share
    • Apply set-GID bit to the directory for group access - it's the 2 in 2755
      • # chmod 2755 share/
        • or
      • # chmod g+s share/
    • The file now has an "s" where the x is in group priv.
      • [root@rhel-01 /]# ls -l | grep share
        • drwxr-sr-x.   2 root it-group    4096 May  8 1:08 share

  • Create and manage Access Control Lists (ACLs).
    • Enable ACLs in fstab
      • /dev/mapper/vg_rhel01-lv_root /                       ext4    defaults,acl        1 1
  • Mount the file system again for the ACL to take effect
    • # mount -o remount /
  • Check to see what's mounted
    • # mount
    • /dev/mapper/vg_rhel01-lv_root on / type ext4 (rw,acl)
  • check ACLs on a file or directory with getfacl
    • # getfacl install.log
  • use the setfacl to apply an ACL to a file
    • # setfacl -m u:user2:rw install.log
  • Apply an ACL to a file for a group
    • in this case we use the "g" option instead of "u"
      • # setfacl -m g:it:rwx install.log

  • Diagnose and correct file permission problems.
    • Run an ls -l to show file permissions in order to find errors
      • $ ls -l somefile 
    • search for a file in the local dir with errors via grep
      • #ls -al | grep "^-rw-x" 



Deploy, configure, and maintain systems

  • Configure networking and hostname resolution statically or dynamically.
    • configure the hostname in the /etc/sysconfig/network file
      • # vi /etc/sysconfig/network
        NETWORKING=yes
        HOSTNAME=rhel-01
    • Configure the eth0 file in /etc/sysconfig/network-scripts/ifcfg-
      • DEVICE=eth0
        BOOTPROTO=static
        HWADDR=00:23:AE:75:60:62
        IPADDR=192.168.0.17
        NETMASK=255.255.255.0
        NETWORK=192.168.0.0
      • GATEWAY=192.168.0.1
        ONBOOT=yes
    • Configure the /etc/resolv.conf file
      • domain somedomain_name
        nameserver 192.168.0.200
    • Configure the /etc/hosts file
      • 127.0.0.1 localhost.localdomain localhost
      • 192.168.122.50 server1.example.com
    • Configure the /etc/nsswitch.conf file
      • hosts: files dns
    • Configure network with system-config
      • stop the network manager
        •  # /etc/init.d/networkmanager stop
      •  run the system-config tool
        •  # system-config-network
      • configure the nic of choice 

  • Schedule tasks using cron.
    • Ensure Cron is installed
      • # rpm -qa | grep cron
    • Have a look at the man page
      • man 5 crontab
    • note the format for job timming
      • *    *    *    *    *  command to be executed
        -    -    -    -    -
        |    |    |    |    |
        |    |    |    |    |
        |    |    |    |    +----- day of week (0 - 6) (Sunday=0)
        |    |    |    +---------- month (1 - 12)
        |    |    +--------------- day of month (1 - 31)
        |    +-------------------- hour (0 - 23)
        +------------------------- min (0 - 59)
        
    • An example would be to run a job weekly at 3:30pm on Sunday
      • 30 15 * * 0 /bin/echo "another job" >> echo.log

  • Configure systems to boot into a specific runlevel automatically.
    • Configure the /etc/inittab file
      • # Default runlevel. The runlevels used are:
        #   0 - halt (Do NOT set initdefault to this)
        #   1 - Single user mode
        #   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
        #   3 - Full multiuser mode
        #   4 - unused
        #   5 - X11
        #   6 - reboot (Do NOT set initdefault to this)
        #
        id:5:initdefault:
      •     ^ run level
  • Install Red Hat Enterprise Linux automatically using Kickstart.
    • kickstart files can be found
      • /root/anaconda-ks.cfg
      • # system-config-kickstart (requires installing this application) 
    • Boot from media (cd or iso)
      • select the first boot option and press 'Tab'
    • Append the ks config to the directives (add it last)
      • ks=ftp://192.168.122.1/pub/ks.cfg
      • or
      • linux ks=http://192.168.111.23/pub/ks/redhat6.kfg append ip=192.168.111.222 netmask=255.255.255.0
      • or
      • ks=nfs:192.168.122.1/ks.cfg
    • press esc and then b

  • Configure a physical machine to host virtual guests.
    • Virtualization is installed by default, if not
      • # yum groupinfo "Virtualization"
      • # yum groupinstall "Virtualization"

  • Install Red Hat Enterprise Linux systems as virtual guests.
    • Setup and Install via virt-manager
      • more information here:
      • http://virt-manager.et.redhat.com/screenshots/install.html

  • Configure systems to launch virtual machines at boot.
    • The fastest way is to use virsh
      • # virsh autostart machninename01
    • The GUI can be used as well
  • Configure network services to start automatically at boot.
    • Check the see the services current state
      • # chkconfig --list | grep httpd
    • Start the service on multiuser runlevels
      • # chkconfig httpd on
    • Configure only specific runlevels to start
      • # chkconfig --level 345 httpd on

  • Configure a system to run a default configuration HTTP server.
    • Install Apache via YUM
      • # yum install httpd
    • Start the service
      • # /etc/init.d/httpd start
    • Ensure the service runs at boot
      • # chkconfig httpd on
    • Add an entry into IPtables
      • # iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      • # /etc/init.d iptables save
    • or use the one of the GUIs (may not be installed, by default)
      • # system-config-firewall

  • Configure a system to run a default configuration FTP server.
    • Install vsftp via YUM
      • # yum install vsftpd
    • Start the service
      • # /etc/init.d/vsftpd start
    • Ensure the service runs at boot
      • # chkconfig vsftpd on
    • Add an entry into IPtables
      • # iptables -I INPUT 5 -p tcp -m tcp --dport 20 -j ACCEPT
      • # iptables -I INPUT 5 -p tcp -m tcp --dport 21 -j ACCEPT
      • # /etc/init.d iptables save
    • or use the one of the GUIs (may not be installed, by default)
      • # system-config-firewall
    • Configure SELinux permissions for FTP
      • search for man pages on the Daemon and SELinux
        • # man -k _selinux
      • Have a look at the man page
        • # man ftpd_selinux
      • To make a ftp server's content available run the following: 
        • # semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
        • # restorecon -F -R -v /var/ftp

  • Install and update software packages from Red Hat Network, a remote repository, or from the local file system.
    • Register for the RHN
      • # rhn_register
      • follow the steps
    • Connect to a remote repository
      • Create a file in /etc/yum/repos.d/ with the .repo extension
        • vi /etc/yum/repos.d/remote.repo 
      • and add the following directives
        • [myremote]
          name=myremote
          baseurl=http://myremote.com/repo/i386/
          enabled=1
          gpgcheck=0
    • Configure a local repository with a disk
      • mount the disk and copy the packages into another directory
      • Install package createrepo
        • # createrepo .
      • Create the .repo file in /etc/yum/repos.d
        • vi localrepo.repo
        • [mylocalrepo]
          name=mylocalrepo
          baseurl=file:///directory/path/to/repodir
          enabled=1
          gpgcheck=0
      • Check the repos with a yum search
        • # yum search vsftpd

  • Update the kernel package appropriately to ensure a bootable system.
    • Update the Kernel via yum
      • # yum update kernel
    • Check /boot/grub/grub.conf for the new config and all is set correctly
    • # less /boot/grub/grub.conf

  • Modify the system bootloader.
    • Edit the grub.conf file located in /boot/grub/ or /etc/
      • # grub.conf generated by anaconda
        #
        # Note that you do not have to rerun grub after making changes to this file
        # NOTICE:  You have a /boot partition.  This means that
        #          all kernel and initrd paths are relative to /boot/, eg.
        #          root (hd0,0)
        #          kernel /vmlinuz-version ro root=/dev/mapper/vg0-root
        #          initrd /initrd-[generic-]version.img
        #boot=/dev/sda
        default=0
        timeout=5
        splashimage=(hd0,0)/grub/splash.xpm.gz
        hiddenmenu
        title Scientific Linux (2.6.32-220.13.1.el6.x86_64)
             root (hd0,0)
             kernel /vmlinuz-2.6.32-220.13.1.el6.x86_64 ro root=/dev/mapper/vg0-root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg0/swap rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto rd_NO_DM  KEYBOARDTYPE=pc KEYTABLE=us rd_LVM_LV=vg0/root
             initrd /initramfs-2.6.32-220.13.1.el6.x86_64.img
        title Scientific Linux (2.6.32-220.el6.x86_64)
             root (hd0,0)
             kernel /vmlinuz-2.6.32-220.el6.x86_64 ro root=/dev/mapper/vg0-root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg0/swap rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto rd_NO_DM  KEYBOARDTYPE=pc KEYTABLE=us rd_LVM_LV=vg0/root
             initrd /initramfs-2.6.32-220.el6.x86_64.img


Manage users and groups

  • Create, delete, and modify local user accounts.
    • Edit users via the GUI
      • # yum install system-config-users
    • run the tool
      • # system-config-users
    • Add users
      • # useradd -u 502 -G wheel -s /bin/bash -d /home/somename/ somename
        • -u UID
        • -g GID or -G group name
        • -s shell 
        • -d home directory
    • modify a user
      • # usermod -a -G somenewgroup someuser
    • change users password
      • #passwd someuser
    • delete a user
      • # userdel -f someuser
        • -f force (remove home dir / mail too)
    •  
  • Change passwords and adjust password aging for local user accounts.
    • Edit the password expiration via the GUI
      •  
    • Use the chage command to edit the password aging
      • -m <days      minimum days between expiration (0 doesn't expire)
        -M <days>      Maximum valid days. Combine with a -d number less than -M, the pass must be changed.
        -d <days>      days since 1/1/1970 when password was last changed.
        -I <days>     number of days after expiration before account lockout. if a 0 value, account doesn't lock.
        -E <date>      account lockout date format YYYY-MM-DD. The number of days since January 1, 1970 can also be used.
        -W <days>   warning days, before password expires   
      • List the users password expiration info
        • # chage --list username
      • Password expires based on minimum number of valid days
        • # chage -M 120 username
      • password can only be changed every 10 days
        • # chage -m 10 username
      • expire immediatly
        • # chage -d 0 username

  • Create, delete, and modify local groups and group memberships.
    • Configuration with the GUI is available under the system config
      • # system-config-users
    • add a group
      • # groupadd sales
    • remove a group
      • groupdel sales
    • modify a group name
      • # groupmod -n salesforce sales
        • syntax # groupmod -n  newname oldname
    • Modify a group's GID
      • # groupmod -g 215 salesforce
    • delete a group
      • # groupdel salesforce
    • add user bob to sales
      • # gropumems -g sales -a bob

  • Configure a system to use an existing LDAP directory service for user and group information.
    • use setup tool
      • # setup
        • select "authentication configuration" and click run tool
          • select "use LDAP" and "use LDAP authentication"
            • enter TLS if security is used
          • enter LDAP server address
            • ldap://ldap
            • enter dc=domainbase,dc=com
    • Use authentication GUI
      • # yum -y install openldap-clients system-config-authentication
        • # system-config-authentication
        • select LDAP from user authentication database
        • go through steps


Manage security

  • Configure firewall settings using system-config-firewall or iptables.
    • use IPtables GUI
      • # system-config-firewall
  • Set enforcing and permissive modes for SELinux.
    • check current SELinux status
      • # getenforce
    • change SELinux mode persistently
      • # vi /etc/selinux/config
        • SELINUX=permissive
    • Temporary (non persistant change)
      • # setenforce permissive

  • List and identify SELinux file and process context.
    • run ps -Z to see SELinux context on a process
      • # ps -Z
        LABEL                             PID TTY          TIME CMD
        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 15802 pts/21 00:00:00 bash
        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 15908 pts/21 00:00:00 ps
    • run ls -lZ to see SELinux context on files/dir
      • # ls -lZ
        -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 httpd.conf
        -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 magic


  • Restore default file contexts.
    • Refer to the man page for a specific process' syntax
      • # man -k _selinux
        • look for process
    • Check the context type of the file
      • Note the file has the generic context type, not apache
        • # ls -laZ /www/testsite/
        • -rw-r--r--. root      root      unconfined_u:object_r:default_t:s0 index.html
    • Change the context type of the containing directory with semanage
      • # semanage fcontext -a -t httpd_sys_content_t "/www/testsite(/.*)?"
    • Now, restore context recursively
      • # restorecon -F -R -v /www/testsite
        • restorecon reset /var/www/html/ks/ks-cent.cfg context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_content_t:s0
    • If errors occur, check that policycoreutils-selinux is installed
      • # rpm -qa | grep policycore
      • # yum install policycoreutils-python

  • Use boolean settings to modify system SELinux settings.
    • If issues arise with SELinux blocking an application (look in /var/log/audit/audit.log) and file context are correct, check selinux .booleans.
    • Check booleans for a specific process with getsebool
      • # getsebool -a | grep httpd
        • allow_httpd_anon_write --> off
          allow_httpd_bugzilla_script_anon_write --> off
          allow_httpd_cvs_script_anon_write --> off
        • ...
    • Set a boolean setting with setsebool
      • # setsebool -P httpd_enable_cgi off
      • -P is to make change persistant
    • Or you can use toggleboolean which toggles on or off
      • # togglesebool httpd_enable_cgi
      • httpd_enable_cgi: active
      • # togglesebool httpd_enable_cgi
      • httpd_enable_cgi: inactive

  • Diagnose and address routine SELinux policy violations.
    • Troubleshoot a service like apache
      • check UGO, ownership, etc.
      • Next look at the audit.log file for httpd/selinux errors
        • cat /var/log/audit/audit.log | grep httpd
        • or 
        • less /var/log/audit/audit.log and search for httpd errors

          • type=AVC msg=audit(1323618414.869:508): avc:  denied  { read } for  pid=23407 comm="httpd" name=".htaccess" dev=dm-2 ino=1966097 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
            type=SYSCALL msg=audit(1323618414.869:508): arch=c000003e syscall=2 success=no exit=-13 a0=7fa80ef2f358 a1=80000 a2=1b6 a3=7469672f7777772f items=0 ppid=1345 pid=23407 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
      • Check SELinux contexts of the files in question
        • ls -laZ /www/test/public
          • -rw-rw-r--. apache apache unconfined_u:object_r:user_home_t:s0 .htaccess
      •  look at the ftpd man page, which has the best example to reset contexts
        • # man ftpd_selinux
          • semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
            • restorecon -F -R -v /var/ftp
      • Restore the contexts of the files in question
        • semanage fcontext -a -t httpd_sys_content_t "/www/test/public_html(/.*)?"
        • restorecon -F -R -v /www/test/public_html
      • Check the contexts again to ensure they are correct
        • # ls -laZ /www/test/public_html
          • -rw-rw-r--. apache apache system_u:object_r:httpd_sys_content_t:s0 .htaccess
      • .


  • /Done.

6 comments: