RHCE Studyguide

May 29, 2012

Prerequisite skills for RHCT and RHCE

Candidates should possess the following skills, as they may be necessary in order to fulfill requirements of the RHCT and RHCE exams:

use standard command line tools (e.g., ls, cp, mv, rm, tail, cat, etc.) to create, remove, view, and investigate files and directories

use grep, sed, and awk to process text streams and files

use a terminal-based text editor, such as vim or nano, to modify text files

use input/output redirection

operator description
> redirect STDOUT to a file (overwrites the file)
2> redirect STDERR to a file
&> redirect both STDOUT and STDERR to a file
2>&1 point STDERR at wherever STDOUT currently goes; order matters: "cmd > file 2>&1" sends both to the file and "cmd 2>&1 | other" sends both down the pipe, but "cmd 2>&1 > file" leaves STDERR on the terminal
  • use >> to append instead of overwrite
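As an added worked example (not part of the original study guide), the functions below run a small command that writes one line to STDOUT and one to STDERR, then report what each redirection from the table actually captures. The only assumption is a POSIX shell with mktemp; the file names are temporary files created on the spot.

```shell
# Added example: which stream ends up where for each redirection in the table.
# 'noisy' writes one line to STDOUT and one to STDERR so they can be told apart.
noisy() {
    echo "out-line"
    echo "err-line" >&2
}

# "> file 2>&1": STDOUT goes to the file first, then STDERR becomes a copy of
# STDOUT, so both lines land in the file. Prints the file's contents.
both_to_file() {
    tmp=$(mktemp)
    noisy >"$tmp" 2>&1
    cat "$tmp"
    rm -f "$tmp"
}

# "2>&1 > file": STDERR is copied from STDOUT *before* STDOUT is moved to the
# file, so STDERR keeps the old destination (normally the terminal) and only
# STDOUT reaches the file. The outer redirection discards the stray STDERR
# line so the function prints just the file's contents.
stdout_only_to_file() {
    tmp=$(mktemp)
    { noisy 2>&1 >"$tmp"; } >/dev/null
    cat "$tmp"
    rm -f "$tmp"
}

# "cmd 2>&1 | reader": STDERR is merged into the pipe; prints how many of the
# two lines the reader sees (2).
lines_seen_by_pipe_merged() {
    noisy 2>&1 | grep -c line
}

# "cmd | reader" without 2>&1: only STDOUT enters the pipe (STDERR is dropped
# here instead of cluttering the terminal); the reader sees 1 line.
lines_seen_by_pipe_plain() {
    noisy 2>/dev/null | grep -c line
}

# ">>" appends: two runs into the same file keep both STDOUT lines.
append_keeps_both_runs() {
    tmp=$(mktemp)
    noisy >"$tmp" 2>/dev/null
    noisy >>"$tmp" 2>/dev/null
    grep -c out-line "$tmp"
    rm -f "$tmp"
}

# Stand-alone run: print each result with its label.
printf 'both_to_file: %s\n' "$(both_to_file | tr '\n' ' ')"
printf 'stdout_only_to_file: %s\n' "$(stdout_only_to_file)"
printf 'merged pipe lines: %s\n' "$(lines_seen_by_pipe_merged)"
printf 'plain pipe lines: %s\n' "$(lines_seen_by_pipe_plain)"
printf 'append run lines: %s\n' "$(append_keeps_both_runs)"
```

The second function is the one that catches people: a cron job written as `cmd 2>&1 > /var/log/job.log` still mails its errors to root instead of logging them.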

understand basic principles of TCP/IP networking, including IP addresses, netmasks, and gateways for IPv4 and IPv6

use su to switch user accounts

su - <user>    (the dash loads the target user's login environment; without <user> you become root)

use passwd to set passwords

passwd [<user>]    (without an argument changes your own password; only root may name another user)

use tar, gzip, and bzip2

# compress (tar/gzip)
tar cvzf <archive>.tgz <files or dirs>

# extract (tar/gzip)
tar xvzf <archive>.tgz

# compress (tar/bzip2)
tar cvjf <archive>.tbz <files or dirs>

# extract (tar/bzip2)
tar xvjf <archive>.tbz

:!: Before extracting an archive you did not create, list it first with the t flag in place of x (tar tvzf, tar tvjf) and check that no member name is an absolute path or contains .. components

configure an email client on Red Hat Enterprise Linux

echo "message" | mail -s "subject" <recipient>
mail -s "subject" <recipient> < <file>

use text and/or graphical browser to access HTTP/HTTPS URLs

  • elinks
  • lynx

use lftp to access FTP URLs

RHCT Skills Required

Troubleshooting and Maintenance

boot systems into different run levels for troubleshooting and system maintenance

Requirements for RHCT skills

Grub Boot loader

grub commands

a = append command
c = command line
b = boot into listed kernel
d = delete the current line
e = edit line
o = create next empty line
O = create empty line above

appending runlevel to grub command

Runlevel Description
0 Halts the system
1 Activates SELinux; runs /etc/rc.sysinit, which checks and mounts filesystems; executes all scripts in the /etc/rc1.d directory
single Single-user mode; activates SELinux; runs /etc/rc.sysinit, which checks and mounts filesystems
emergency Emergency boot mode; activates SELinux; mounts only the root (/) filesystem
init=/bin/sh Emergency boot mode; mounts only the root (/) filesystem
2 Multiuser mode with some networking; does not include some NFS functions, the automounter, or CUPS
3 Multiuser mode with networking; boots into a text login console
4 Generally unused; however, the defaults support near-identical settings to runlevel 3
5 Multiuser mode with the X Window; boots into an X-based login screen
6 Reboots the system

In case the init ramdisk is missing or deleted:

mkinitrd /boot/initrd-`uname -r`.img `uname -r`

troubleshooting boot problems with grub: find the partition holding the boot loader files from the grub command line

grub> find /grub/stage1
 (hd0,0)
grub> root (hd0,0)
 Filesystem type is ext3

diagnose and correct misconfigured networking

  1. check /etc/sysconfig/network (NETWORKING, HOSTNAME, GATEWAY)
  2. check /etc/sysconfig/network-scripts/ifcfg-eth? (DEVICE, BOOTPROTO, IPADDR, NETMASK, ONBOOT)
  3. service network restart
  4. chkconfig network on
  5. ifconfig -a
  6. ping <own IP address> (the interface is up)
  7. netstat -nr (the default route exists)
  8. ping <default gateway> (the local segment works)
  9. ping <remote IP address> (routing works; if this works but names do not, see hostname resolution below)
GUI tool: system-config-network

diagnose and correct hostname resolution problems

  1. check /etc/nsswitch.conf (the hosts: line decides the lookup order, e.g. files dns)
  2. check /etc/resolv.conf (nameserver and search entries)
  3. check /etc/hosts
  4. dig @<nameserver> google.com (query a specific server to tell a DNS fault from a local configuration fault)
GUI tool: system-config-network

configure the X Window System and a desktop environment

install X:

yum groupinstall "x window system"

install gnome:

yum groupinstall "gnome desktop environment"

To start from console / init 3:

startx

in runlevel 5 the line x:5:respawn:/etc/X11/prefdm -nodaemon in /etc/inittab keeps the display manager (and with it X) running

X configuration:

  • /etc/sysconfig/desktop
  • /etc/X11/xinit/xinitrc
  • /etc/X11/xinit/Xclients
  • ~/.xinitrc
  • ~/.Xclients

configuring display:

system-config-display [--reconfig]

configuring display (text mode):

Xorg -configure
Xorg -probeonly

(X Font Server) xfs is required:

service xfs start
chkconfig xfs on

For xfs error messages, check:

~/.xsession-errors or /var/log/messages
make sure /tmp and /home are not full

To change desktop environment:

yum install switchdesk
switchdesk 

if switchdesk is not available, edit /etc/sysconfig/desktop:

DISPLAYMANAGER=
DESKTOP=

To stop X without a reboot: Drop out to console

init 3
init 5

problems starting X clients: make sure the DISPLAY variable is correct:

export DISPLAY=localhost:0.0

add new partitions, filesystems, and swap to existing systems

manage partitions
fdisk <device>
fdisk -l
partprobe (makes the kernel re-read the partition table after fdisk has written it)

filesystems

make filesystems:

mkfs.<fstype> <device>    (e.g. mkfs.ext3 /dev/sda6)

label filesystems:

e2label /dev/sda6 /usr/local

find device from label:

findfs LABEL=<label>

check/print filesystem info:

blkid

manage filesystem settings:

tune2fs <options> <device>

to print details:

dumpe2fs <device>

add swap

add swap partition through fdisk (id 82), then

partprobe
mkswap <device>
# add the partition to /etc/fstab (<device> swap swap defaults 0 0)
swapon -va

create swap file:

dd if=/dev/zero of=<file> bs=1024 count=<size in KB>
mkswap <file>
swapon -va
cat /proc/swaps

:!: A swap file ends up holding pages of memory, so it must not be readable by other users: create it as root and make it mode 0600 before running mkswap

use standard command-line tools to analyze problems and configure system

df -hT
du -hs <dir>
quotacheck 

Installation and Configuration

RHCTs must be able to:

perform network OS installation

at the installation boot:

linux askmethod
linux ks=<location of ks.cfg>, for example:
linux ks=http://someserver/ks.cfg
linux ks=nfs:server:/ks.cfg
linux ks=ftp://server/ks.cfg

implement a custom partitioning scheme

configure printing

yum groupinstall "Printing Support"
service cups start
chkconfig cups on

config: /etc/cups/cupsd.conf

Gui tool:

system-config-printer

web config (classes):

http://localhost:631

command line tools:

# print file
lpr <file>
# list job queue
lpq
# remove job
lprm <job id>
# list printers and their status
lpstat -a
# send job to a specific (e.g. remote) printer
lpr -P <printer> <file>

configure the scheduling of tasks using cron and at

cron

installing:

yum install vixie-cron
service crond start
chkconfig crond on
  1. if /etc/cron.allow exists, only these users are allowed (/etc/cron.deny is ignored)
  2. if /etc/cron.allow does not exist, everyone allowed except users in /etc/cron.deny
  3. if neither exists, only root allowed
  4. empty /etc/cron.deny means all users allowed (default)

edit user cron:

crontab -e

cron format (five time fields, then the command):

minute hour day-of-month month day-of-week command

:!: The system crontab (/etc/crontab) and the files in /etc/cron.d have an additional user field before the command

at/batch

installing:

yum install at
service atd start
chkconfig atd on
  1. if /etc/at.allow exists, only these users are allowed (/etc/at.deny is ignored)
  2. if /etc/at.allow does not exist, everyone allowed except users in /etc/at.deny
  3. if neither exists, only root allowed
  4. empty /etc/at.deny means all users allowed (default)
# add jobs (type the commands at the at> prompt, finish with Ctrl-D)
at now + 1 hour
at> <command>

at 09:00 2009-07-23
at> <command>

batch
at> <command>

# list jobs
atq

# remove jobs
atrm <job id>
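Added example (not from the original guide) that encodes the four cron.allow/cron.deny rules above as a shell function, so the policy can be checked for a given user and file layout; the same rules apply to at.allow/at.deny, which is why one function serves both sections. The file and user names are constructed. One caveat for newer systems: cronie (RHEL 6 and later) always lets root through regardless of the two files, so treat rule 1 as applying to non-root users there.

```shell
# Added example: the four-rule allow/deny policy of crontab (and at) as a
# shell function. Exit status 0 means the user may use the command.
# Usage: cron_user_allowed <user> <allow-file> <deny-file>
cron_user_allowed() {
    cuser=$1 callow=$2 cdeny=$3
    if [ -f "$callow" ]; then
        # rule 1: the allow file exists -> only the users listed in it
        #         (the deny file is not consulted at all)
        grep -qxF "$cuser" "$callow"
        return
    fi
    if [ -f "$cdeny" ]; then
        # rules 2 and 4: no allow file -> everyone except the users in the
        #         deny file; an empty deny file therefore allows everyone
        ! grep -qxF "$cuser" "$cdeny"
        return
    fi
    # rule 3: neither file -> only root
    [ "$cuser" = root ]
}

# Same decision as a word, for reports and checks.
cron_decision() {
    if cron_user_allowed "$@"; then echo allow; else echo deny; fi
}

# Constructed fixture: a temp dir with allow.txt (alice), deny.txt (bob) and
# empty.txt (no entries). Prints the directory; "$dir/missing" never exists.
cron_policy_fixture() {
    dir=$(mktemp -d)
    printf 'alice\n' >"$dir/allow.txt"
    printf 'bob\n' >"$dir/deny.txt"
    : >"$dir/empty.txt"
    echo "$dir"
}

# Stand-alone run: walk through every rule with the fixture.
cron_policy_report() {
    dir=$(cron_policy_fixture)
    echo "rule 1, allow file present: alice=$(cron_decision alice "$dir/allow.txt" "$dir/deny.txt") bob=$(cron_decision bob "$dir/allow.txt" "$dir/deny.txt")"
    echo "rule 2, deny file only:     alice=$(cron_decision alice "$dir/missing" "$dir/deny.txt") bob=$(cron_decision bob "$dir/missing" "$dir/deny.txt")"
    echo "rule 4, empty deny file:    bob=$(cron_decision bob "$dir/missing" "$dir/empty.txt")"
    echo "rule 3, neither file:       alice=$(cron_decision alice "$dir/missing" "$dir/missing") root=$(cron_decision root "$dir/missing" "$dir/missing")"
    rm -rf "$dir"
}

cron_policy_report
```

Point the function at /etc/cron.allow and /etc/cron.deny (or the at.* pair) to see what a real host does; note that deleting the empty /etc/cron.deny that Red Hat ships silently flips rule 4 into rule 3.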

attach system to a network directory service, such as NIS or LDAP

redhat configuration tools:

system-config-authentication
authconfig-tui (commandline util)

NIS

installing:

yum install ypbind portmap
service ypbind start
chkconfig ypbind on

selinux – enable ypbind daemon to run with NIS:

setsebool -P allow_ypbind=1

to configure client, add the following to /etc/yp.conf:

domain <nisdomain> server <nisserver>

:!: Remember to add the NISDOMAIN=domain variable into /etc/sysconfig/network

and verify the /etc/nsswitch.conf looks like:

passwd:   files nis
shadow:   files nis
group:    files nis

manage nis passwords:

yppasswd

OpenLDAP

installing:

yum install nss_ldap openldap openldap-clients

configuration: set the following in:

# /etc/ldap.conf
host 127.0.0.1
base dc=example,dc=com
ssl start_tls
pam_password <md5|exop>
nss_initgroups_ignoreusers root,ldap
# /etc/openldap/ldap.conf
BASE dc=example,dc=com
URI ldap://127.0.0.1

:!: With ssl start_tls also set tls_cacertfile (or tls_cacertdir) so the server certificate is verified; without it the TLS session stops passive sniffing of passwords but not a spoofed directory server

verify settings in /etc/nsswitch.conf:

passwd:   files ldap
shadow:   files ldap
group:    files ldap

configure autofs

verify service is running:

service autofs start
chkconfig autofs on

verify the following line exists in /etc/nsswitch.conf:

automount: files nisplus

define an autofs-controlled mount point called /test by adding the following to /etc/auto.master:

/test /etc/auto.test

create /etc/auto.test (one line per subdirectory: key, optional mount options, then the export):

vi /etc/auto.test
<subdir> [-options] <server>:/<export>

reload autofs:

service autofs restart

try accessing:

ls /test/

# redhat defaults
ls /net/
ls /misc/cd

add and manage users, groups, quotas, and File Access Control Lists

:!: If the /etc/nologin file exists, regular users are not allowed to log into the local console. Any regular user that tries to log in gets to read the contents of /etc/nologin as a message

redhat user/group configuration tool:

system-config-users

manage users

/etc/passwd file format:

username:password:uid:gid:gecos:homedir:shell

/etc/shadow file format:

username:password:lastpwchange:minpwchange:maxpwage:pwchangewarn:inactive:expire

command line user management:

useradd <user>
userdel -r <user>    (-r also removes the home directory and mail spool)
usermod <options> <user>
chage <options> <user>    (password ageing; chage -l <user> shows the current settings)
pwck    (consistency check of /etc/passwd and /etc/shadow)
  • default account expiration settings in /etc/login.defs
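Added example (not part of the original guide): a few awk passes over constructed /etc/passwd and /etc/shadow contents, embedded below as sample data in the two formats listed above, answering the questions an account audit starts with: extra UID 0 accounts, empty password fields, locked accounts, regular users, and accounts that can log in with no password at all. The sample lines, hashes and user names are made up; point the same awk at the real files to use it.

```shell
# Added example: account checks over constructed passwd/shadow data.
# Field layouts follow the two formats listed above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second uid 0:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
svc:x:502:502:service account:/var/svc:/sbin/nologin'

SAMPLE_SHADOW='root:$1$xyz$hashhashhashhashhash:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
toor:$1$xyz$hashhashhashhashhash:15000:0:99999:7:::
alice::15000:0:99999:7:::
bob:!!:15000:0:99999:7:::
svc:*:15000:0:99999:7:::'

# Every account with UID 0 has root's powers; anything besides root needs an explanation.
uid0_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 { print $1 }' | xargs
}

# Empty second field in shadow: no password is required for that account.
empty_password_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 == "" { print $1 }' | xargs
}

# A leading ! (usermod -L, or never set: !!) or * means the hash can never match.
locked_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 ~ /^[!*]/ { print $1 }' | xargs
}

# Regular users on RHEL 5: UID >= 500 (UID_MIN in /etc/login.defs) with an
# interactive shell; the same UID test the edquota one-liner further down uses.
regular_users() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: '$3 >= 500 && $7 !~ /(nologin|false)$/ { print $1 }' | xargs
}

# Join both files: an empty shadow password *and* a login shell means anyone
# typing the name at a console gets in.
passwordless_logins() {
    p=$(mktemp); s=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" >"$p"
    printf '%s\n' "$SAMPLE_SHADOW" >"$s"
    awk -F: 'NR == FNR { shell[$1] = $7; next }
             $2 == "" && shell[$1] !~ /(nologin|false)$/ { print $1 }' "$p" "$s" | xargs
    rm -f "$p" "$s"
}

echo "UID 0 accounts:       $(uid0_accounts)"
echo "empty password field: $(empty_password_accounts)"
echo "locked accounts:      $(locked_accounts)"
echo "regular users:        $(regular_users)"
echo "passwordless logins:  $(passwordless_logins)"
```

On a real host run these as root (shadow is mode 0400) and compare the UID 0 list against what the installation should contain; pwck only checks field syntax, it does not flag a second UID 0 account.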

manage groups

/etc/group file format:

groupname:password:gid:members

command line group management:

groups <user>
groupadd <group>
groupmod <options> <group>
groupdel <group>
grpck

quotas

installing:

yum install quota

check quotas enabled in kernel:

grep "QUOTA" /boot/config-`uname -r`

add filesystem options to /etc/fstab:

usrquota,grpquota

remount the mount point after editing fstab:

mount -o remount <mountpoint>

initiate quota db:
quotacheck -cugm <mountpoint>

enable/disable quotas:

quotaon <mountpoint>
quotaoff <mountpoint>

edit quotas:

edquota -u <user>
edquota -g <group>

:!: Remember quota limits are in 1KB blocks

grace times:

edquota -ut
edquota -gt

check / reports:

quota <user>
repquota -aug

enable quotas for all regular users by copying the limits of a template user (here called spun; on RHEL 5 regular users have UID 500 and up):

edquota -p spun `awk -F: '$3 > 499 {print $1}' /etc/passwd`

access control lists

installing:

yum install acl

check whether acl is already among the filesystem's default mount options:

dumpe2fs /dev/sda2 | grep acl

make acl a default mount option of the filesystem:

tune2fs -o acl /dev/sda2

:!: Partitions created at install time are automatically mounted with acl

edit fstab to add fs option:

acl

remount device:

mount -o remount <mountpoint>

on home dirs (let others traverse the directory, then control access with ACL entries):

chmod 701 /home/<user>
setfacl -m mask:<perms> /home/<user>    (the mask entry caps the effective rights of all named user and group entries)

manage acls:

# set acls (prefix d: to set a default acl that new files in a directory inherit)
setfacl -m [d:]u:<user>:<perms> <file>
setfacl -m [d:]g:<group>:<perms> <file>

# get acls
getfacl <file>

# remove acls
setfacl -x u:<user> <file>
setfacl -x g:<group> <file>
setfacl --remove-all <file>
setfacl --remove-default <file>

configure filesystem permissions for collaboration

create group:

groupadd -g <gid> <group>

add users to the group as a supplementary group (-g alone would replace the user's primary group):

usermod -aG <group> <user>

chown dir:

chown root:<group> <dir>

chmod dir SGID so that new files inherit the directory's group:

chmod <2770|g+s> <dir>

:!: members also need a umask that grants group write (002) if they are to edit each other's files; with the default 022 the files they create are read-only to the rest of the group

install and update packages using rpm

install:

rpm -ivh <package>.rpm

update:

rpm -Uvh <package>.rpm

freshen (update only if an older version is already installed):

rpm -Fvh <package>.rpm

remove:

rpm -e <package name>

query by filename:

rpm -qf /path/to/file

verify the package owning a file:

rpm -Vf /path/to/file

query all installed:

rpm -qa

Find out which package owns a file, then check what has been modified since it was installed

rpm -qf /etc/inittab
rpm -V -p initscripts*.rpm    (against a package file; rpm -V <package> compares against the installed package's metadata)

:!: rpm -V flags: S size, M mode, 5 checksum, U/G owner/group, T mtime, L symlink target; a 5 or M on a file that is not marked c (config file) deserves a close look, as does a missing file

query all files associated

rpm -ql squid | grep ncsa

:!: while inside the rescue environment, use the --root option to specify the real location of your root file system (e.g. --root=/mnt/sysimage).

properly update the kernel package

install new kernel (always -i, never -U: install it alongside the running kernel so the old one stays in grub as a fallback):

yum install kernel
rpm -ivh kernel-<version>.rpm

check that grub conf has been updated (and that default= still points at the kernel you want):

less /boot/grub/grub.conf

configure the system to update/install packages from remote repositories using yum or pup

edit the yum repo conf /etc/yum.repos.d/<name>.repo:

[id]
name=the name of your repo
baseurl=http://locationofyourrepo.example/repo
enabled=1
gpgcheck=0

:!: gpgcheck=0 turns signature checking off, so whatever is served on that HTTP path gets installed as root unchecked; outside a throwaway lab set gpgcheck=1 and point gpgkey= at the repository's public key

modify the system bootloader

  • Main configuration is in /boot/grub/grub.conf
  • see examples in /usr/share/doc/grub-*/menu.lst
  • /boot/grub/grub.conf = default=0 (references system kernel to boot into)

to create new init ram disk:

mkinitrd /boot/initrd-`uname -r`.img `uname -r`

implement software RAID at install-time and run-time

to use software raid, we need two devices/partitions set to “linux raid autodetect”, use fdisk and set partition type to “fd”

create a raid device:

mdadm --create /dev/md0 -a yes --level=<0|1|4|5|6|10> --raid-devices=2 /dev/sda7 /dev/sda8

:!: Watch the -a yes for udev to create device file on reboot

format raid device:

mkfs.ext3 /dev/md0

remove disk from array (after failing it):

mdadm /dev/md0 --remove <device>

add disk to array:

mdadm /dev/md0 --add <device>

fail a disk:

mdadm /dev/md0 --fail <device>

stop array:

mdadm --stop /dev/md0

check status:

mdadm --detail /dev/md0
cat /proc/mdstat

:!: Remember to add raid device into /etc/fstab and check mounting device

use /proc/sys and sysctl to modify and set kernel run-time parameters

persistent settings go in /etc/sysctl.conf (applied at boot and by sysctl -p); sysctl -w changes a value for the running kernel only

# search for options
sysctl -a | grep <pattern>

use scripting to automate system maintenance tasks

:!: Need to look into what is required here?

configure NTP for time synchronization with a higher-stratum server

Redhat config tool:

system-config-date

config file locate /etc/ntp.conf

configuration server example:

server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

apply changes after config change:

service ntpd restart
chkconfig ntpd on

verify changes:

ntpq -p

RHCE Skills Required

Troubleshooting and System Maintenance

use the rescue environment provided by first installation CD

boot into rescue mode:

linux rescue
  • when working in the non-chrooted environment:
    • mount /dev/hdc /mnt/cdrom to access the install DVD
    • rpm commands require --root=/mnt/sysimage

manually make /dev and /proc available in chrooted mode:

mount -o bind /dev /mnt/sysimage/dev
mount -o bind /proc /mnt/sysimage/proc

diagnose and correct boot failures arising from bootloader, module, and filesystem errors

check the following in order:

  • MBR
  • /boot/grub/grub.conf
  • /etc/fstab
  • /etc/inittab
  • /etc/rc.d/rc.sysinit
  • /etc/rc.d/rc?.d
  • /etc/rc.d/init.d/*
  • /etc/rc.d/rc.local

grub errors

  • in general, use the last line before the error message to see where grub error'd out
  • to find correct value for root option, type find /grub/stage1 at the grub command line (:!: remember that all file names in grub.conf are relative to the root option)
  • check for missing files in kernel and/or initrd lines

kernel errors

  • missing/corrupt initrd file results in: kernel panic - not syncing: vfs: unable to mount root fs on unknown-block
  • invalid root parameter for kernel results in: setuproot: error mounting /proc: No such file or directory

reinstall grub on MBR:

grub-install <boot device>    (e.g. /dev/sda)

new initrd:

mkinitrd /boot/initrd-`uname -r`.img `uname -r`

corrupt filesystem (unmounted, or from the rescue environment):

fsck <device>

if fsck is unable to locate a superblock, you can specify one of the backup superblocks that dumpe2fs lists:

dumpe2fs <device> | grep -i superblock
fsck -b <backup superblock> <device>

diagnose and correct problems with network services (see Installation and Configuration below for a list of these services)

check which process on listening on what port:

netstat -ntaupe | grep LIST

add, remove, and resize logical volumes

redhat lvm tool:

system-config-lvm

create physical volume partition:

fdisk <device>
Command (m for help): t
Partition number (1-4): 2
Hex code (type L to list codes): 8e
Command (m for help): w

create physical volume:

pvcreate <device>

create volume group:

vgcreate <vg> <device>

extend volume group:

vgextend <vg> <device>

create logical volume:

lvcreate --size 10G --name <lv> <vg>
mkfs.ext3 /dev/<vg>/<lv>
# add to /etc/fstab

extend logical volume (grow the LV first, then the filesystem):

lvextend --size 12G /dev/<vg>/<lv>
resize2fs /dev/<vg>/<lv>

shrink logical volume (the other way round: shrink the filesystem first, then the LV, never below the filesystem's new size; the filesystem must be unmounted and checked with e2fsck -f beforehand or resize2fs refuses):

resize2fs /dev/<vg>/<lv> <size>M
lvreduce --size <size>M /dev/<vg>/<lv>

remove logical volume:

lvremove /dev/<vg>/<lv>

display volume group info:

vgdisplay <vg>

diagnose and correct networking services problems where SELinux contexts are interfering with proper operation

enable/disable SELinux in /etc/sysconfig/selinux:

SELINUX=enforcing
SELINUXTYPE=targeted

install setroubleshoot:

yum install setroubleshoot
service setroubleshoot start
chkconfig setroubleshoot on

install selinux management tool:

yum install policycoreutils-gui

redhat selinux management tool:

system-config-selinux

change selinux status:

setenforce <0|1>    (0 = permissive, 1 = enforcing; run-time only, /etc/sysconfig/selinux decides the state at boot)

launch setroubleshoot gui browser:

sealert -b

list selinux booleans:

getsebool -a

list selinux errors:

sealert -a /var/log/audit/audit.log | less

set selinux boolean:

setsebool -P <boolean>=<0|1>

list security contexts:

ls -Z <file>

change security contexts:

# using reference (copy contexts from existing known-good file)
chcon -R --reference <known-good file> <target>

# manual
chcon -R -u <user> <target>
chcon -R -t <type> <target>

Installation and Configuration

Apache HTTP/HTTPS

install

yum install httpd mod_ssl
chkconfig httpd on

start/stop apache:

apachectl start/stop/graceful/restart

selinux (content served by apache must carry the httpd content type):

chcon -R -u system_u <docroot>
chcon -R -t httpd_sys_content_t <docroot>
chcon -R --reference /var/www <docroot>

certificates (the Makefile in /etc/pki/tls/certs generates a self-signed certificate and a passphrase-protected key)

cd /etc/pki/tls/certs
make httpd.crt ## prompts for a passphrase

# decrypt the key so httpd can start without a passphrase prompt; keep it root-only (mode 0600)
openssl rsa -in httpd.key -out decrypted.key
mv decrypted.key ../private/httpd.key

then point SSLCertificateFile and SSLCertificateKeyFile in /etc/httpd/conf.d/ssl.conf at the two files

basic config

  • ~user/ requirements
    • UserDir directive (and the httpd_enable_homedirs SELinux boolean switched on)
    • chmod 701 homedir
    • change security context on user homedir
    • chmod 705 /home/user/public_html
  • .htaccess requirements
    • AllowOverride All directive
  • name-based virtual host requirements
    • NameVirtualHost *:80 and NameVirtualHost *:443 specified in /etc/httpd/conf/httpd.conf
    • each virtual host needs ServerAdmin / DocumentRoot / ServerName / ErrorLog / CustomLog
    • logs are in logs/ (relative to ServerRoot; /etc/httpd/logs is a symlink to /var/log/httpd)

check the configuration and the virtual host layout:

httpd -t
httpd -S
httpd -D DUMP_VHOSTS

host-based security

Ports: 80/443 TCP

Firewall Edit:

system-config-securitylevel

hosts are allowed by default and will need to be explicitly denied (Order deny,allow: Deny lines are checked first, an Allow line wins when both match, and the default is allow):

<Directory /path>
     Order deny,allow
     Deny from 192.168.1.0/255.255.255.0
     Deny from somedomain.com
</Directory>

hosts are denied by default and need to be allowed (Order allow,deny: a Deny line wins when both match, and the default is deny):

<Directory /path>
     Order allow,deny
     Allow from 192.168.1.0/255.255.255.0
     Allow from somedomain.com
</Directory>

:!: Rules on a domain name such as somedomain.com are decided by a reverse DNS lookup of the client address, which costs a DNS round trip per request and relies on records the client's network operator controls; prefer address or network rules

user-based security

Web Password file

htpasswd -c /path/to/file <user>    (-c creates the file; omit it when adding further users or the file is overwritten)
htpasswd /path/to/file <user>

Web group file /path/to/groupfile: testgroup: user1 user2

Access configuration users

<Directory /path>
     AuthType Basic
     AuthName "locked site"
     AuthUserFile /path/to/userfile
     Require user user1
</Directory>

Access configuration groups

<Directory /path>
     AuthType Basic
     AuthName "locked site"
     AuthUserFile /path/to/userfile
     AuthGroupFile /path/to/groupfile
     Require group testgroup
</Directory>

:!: Basic auth sends the password base64-encoded, not encrypted, with every request: only use it under HTTPS, and keep the password and group files outside DocumentRoot

verify service functionality

elinks http://<address>
elinks https://<address>

SMB

install

yum install samba samba-client
service smb start
chkconfig smb on

selinux

Enable shared home dirs:

setsebool -P samba_enable_home_dirs=1

Mark directory sharable with samba:

chcon -R -t samba_share_t <dir>

basic config

Redhat samba configuration tool:

yum install system-config-samba
system-config-samba

Set samba workgroup/domain:

workgroup = <workgroup or domain>

if no wins server available, enable:

wins support = yes

security modes:

# check the local pwdb (default)
security = user

# member server of a domain (uses DC as pwdb)
security = domain
password server = <domain controller>
workgroup = <domain>

# member of active directory domain
security = ads
password server = kerberos.domain.com
realm = EXAMPLE.COM

# use pwdb on another server that is not a DC (deprecated; prefer security = domain)
security = server
password server = <server>

share options:

[<share name>]
# path for share
path = <directory>

# share is visible in browse lists
browseable = <yes|no>

# rw enabled
writeable = <yes|no>

# this is a shared printer
printable = <yes|no>

# all users connecting to this share use <group> as their primary group (group is a synonym of force group)
force group = <group>

join domain:

net rpc join -U root

fstab example:

//<server>/<share>  <mountpoint>  cifs  credentials=/etc/samba/<cred file>  0 0

:!: user=<user>,pass=<password> also works in fstab, but /etc/fstab is world-readable, so put the credentials in a root-only (mode 0600) file instead, containing username=<user> and password=<password> lines

mount commands:

# root only
mount -t cifs -o username=<user> "//server/share" <mountpoint>
# users mount command
/sbin/mount.cifs //server/share <mountpoint> -o username=<user>

:!: /sbin/mount.cifs and /sbin/umount.cifs require a chmod u+s to be usable by non-root users; a setuid mount helper widens the attack surface, so prefer an fstab entry with the user option where that is enough

host-based security

firewall:

protocol port
tcp 139,445
udp 137,138

hosts allow/deny can be used per-server or per-share:

hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0

user-based security

account maintenance:

# add account (local linux account must exist first, or be mapped via /etc/samba/smbusers):
smbpasswd -a <user>

# enable/disable account:
smbpasswd -e <user>
smbpasswd -d <user>

# remove account:
smbpasswd -x <user>

:!: service smb reload may be needed after account changes

verify service functionality

list shares:

smbclient -L <server> -U <user>

browse shares:

smbclient //<server>/<share> -U <user>

test allow/deny statements for a host:

testparm /etc/samba/smb.conf <hostname> <ip address>

NFS

install

yum install portmap nfs-utils
service nfs start
chkconfig portmap on
chkconfig nfs on
chkconfig nfslock on
chkconfig netfs on

selinux

Support for read-write access:

setsebool -P nfs_export_all_rw=1

basic config

redhat tool:

yum install system-config-nfs
system-config-nfs

/etc/exports format (no space between host and options: "<directory> <host> (rw)" with a space means that host with default options plus everyone with rw):

<directory> <host>(<options>) [<host>(<options>) ...]

activate exports:

service nfs restart

:!: Keep the default root_squash (no_root_squash only where a client really needs root on the export); exportfs -ra re-reads /etc/exports without restarting the service

host-based security

  • edit /etc/sysconfig/nfs to set static ports (so the firewall can allow them), and restart
  • set host / network restrictions per export in /etc/exports

Add the following to /etc/hosts.allow:

portmap: <allowed networks>
mountd: <allowed networks>
rpc.statd: <allowed networks>

firewall config:

# see ports (include ALL tcp-udp ports)
rpcinfo -p

user-based security

use normal file permissions

verify service functionality

list exports:

showmount -e <server>

FTP

install

yum install vsftpd
service vsftpd start
chkconfig vsftpd on

selinux

allow local users to login to ftp and access local home dir:

setsebool -P ftp_home_dir=1

Configure non-standard directory for ftp ro/rw:

#read-only
chcon -R -t public_content_t <dir>
#read-write
chcon -R -t public_content_rw_t <dir>

To enable write access for anonymous users, set the directory type as follows and enable the boolean:

chcon -R -t public_content_rw_t <dir>
setsebool -P allow_ftpd_anon_write=1

host-based security

  • block hosts with iptables, e.g. iptables -A INPUT -p tcp --dport 21 -s ! <trusted network> -j REJECT (the -s ! form is the negation syntax of the iptables shipped with RHEL 5; newer releases write ! -s)
protocol port
tcp 21

:!: ftp data transfers will not work unless ip_conntrack_ftp is added to IPTABLES_MODULES in /etc/sysconfig/iptables-config

tcp_wrappers (/etc/hosts.allow; a trailing dot matches the whole network prefix):

vsftpd : 192.168.1.

user-based security

  • allow/deny controlled via /etc/vsftpd/user_list when userlist_enable=YES (:!: users in /etc/vsftpd/ftpusers are always denied via pam)
  • whether user_list is a deny list (userlist_deny=YES, the default) or an allow list (userlist_deny=NO) is set in vsftpd.conf

verify service functionality

lftp <server>

Squid Proxy

install

yum install squid
chkconfig squid on

basic config

vi /etc/squid/squid.conf

visible_hostname <hostname>

# deny sites
acl baddomains dstdomain .microsoft.com
acl baddomains dstdomain .hotmail.com

acl our_networks src 192.168.1.0/24

# order matters: the first http_access line that matches decides
http_access deny baddomains
http_access allow our_networks

selinux

Allow squid daemon to connect to the network:

setsebool -P squid_connect_any=1

host-based security

firewall config:

protocol ports
tcp 3128

to redirect clients arriving on port 8080 to squid's port 3128 with NAT (--dport must be the port the clients use):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-ports 3128

allow access from local networks:

acl our_networks src 192.168.1.0/24 192.168.2.0/23
http_access allow our_networks

user-based security

The following requires a web browser to test

edit the configuration /etc/squid/squid.conf:

# enable the following auth_param options
auth_param basic program /usr/lib/squid/ncsa_auth /usr/etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# change the acl to reflect auth_param
acl <name> proxy_auth REQUIRED

# finally edit the http_access line
http_access allow <name>

Allow squid to read the htpasswd file (group-readable for the squid group only; do not make it world-readable, and chmod o+s does nothing useful on a file):

chgrp squid /usr/etc/passwd
chmod 640 /usr/etc/passwd

verify service functionality

squid -z
service squid start
HTTP_PROXY=hostname:port elinks

SMTP

install

yum install postfix
service sendmail stop
chkconfig sendmail off
alternatives --config mta
service postfix start
chkconfig postfix on

basic config

enable the following in /etc/postfix/main.cf

myhostname = <fqdn>
mydomain = <domain>
myorigin = $mydomain
inet_interfaces = all
mynetworks = 192.168.1.0/24, 127.0.0.0/8

:!: mynetworks lists who may relay through this host without authenticating; keep it to your own networks or the server becomes an open relay

mail aliases /etc/aliases:

<alias>: <user1>, <user2>

:!: Remember to run the newaliases command

virtual aliases hash:/etc/postfix/virtual:

<address>: <user1>, <user2>
# enable virtual aliases in main.cf:
virtual_alias_maps = hash:/etc/postfix/virtual

:!: Remember to run postmap hash:/etc/postfix/virtual

outbound address rewriting in hash:/etc/postfix/generic:

@<internal domain> @<public domain>
# enable outbound rewriting in main.cf
smtp_generic_maps = hash:/etc/postfix/generic

:!: Remember to run postmap hash:/etc/postfix/generic

host-based security

  • block hosts with iptables, e.g. iptables -A INPUT -p tcp --dport 25 -s ! <trusted network> -j REJECT
protocol port
tcp 25

user-based security

copy postfix configuration from doc example /usr/share/doc/postfix-*/README_SASL*, and make sure MECH=PAM is configured in /etc/sysconfig/saslauthd

enable saslauthd:

service saslauthd start
chkconfig saslauthd on

restart postfix:

postfix reload

verify service functionality

test smtp:

telnet <server> 25
ehlo me
# check for 250-AUTH ... info

IMAP,IMAPS/POP3

install

yum install dovecot
service dovecot start
chkconfig dovecot on

config

enable which protocols are to be used:

protocols = imap imaps pop3 pop3s    (list only the ones you need; the plaintext imap and pop3 variants send passwords in the clear unless clients use STARTTLS)

create the ssl certificate:

# edit cert settings
vi /etc/pki/dovecot/dovecot-openssl.cnf
/usr/share/doc/dovecot-*/examples/mkcert.sh
service dovecot restart

host-based security

  • block hosts with iptables, e.g. iptables -A INPUT -p tcp -m multiport --dports 110,143,993,995 -s ! <trusted network> -j REJECT
protocol port
tcp 143,110,995,993

user-based security

use pam_listfile in /etc/pam.d/dovecot

verify service functionality

test mailbox access:

mutt -f imaps://<user>@<server>    (or imap://, pop://, pops://)

SSH

install

yum install openssh-server
chkconfig sshd on

host-based security

enable only the local network through the firewall (iptables):

# the chain generated by system-config-securitylevel (RH-Firewall-1-INPUT) ends
# with a catch-all REJECT rule, so an ACCEPT appended after it is never reached:
# remove the REJECT rule, append the new rule, then put the REJECT rule back
cat /etc/sysconfig/iptables
# copy the bottom reject rule from the listing
iptables -D <chain> <reject rule as listed>
iptables -A <chain> -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A <chain> <reject rule as listed>
service iptables save

firewall config:

protocol ports
tcp 22

tcp_wrappers example:

sshd : 192.168.0.

user-based security

allow/deny user access in /etc/ssh/sshd_config (DenyUsers is evaluated before AllowUsers; once AllowUsers is present, everyone not listed is refused; a user@host pattern also restricts the client address, and set PermitRootLogin no so root is only reached through su from a named account):

AllowUsers user1 user2 user3@<host or address pattern>
DenyUsers user4 user5 user6@<host or address pattern>
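Added example (not from the original guide) that reproduces how sshd combines the two directives, so the effect of a change can be predicted before editing sshd_config: DenyUsers is checked first and any match refuses the login; then, if AllowUsers is present at all, the user must match one of its entries. The user names, addresses and directive values are constructed; the * and ? wildcards of the directives are matched with the shell's own case patterns.

```shell
# Added example: sshd's AllowUsers/DenyUsers evaluation for one login attempt.
# Patterns are "user" or "user@host", with * and ? wildcards.
# Usage: ssh_user_permitted <user> <client host or IP> "<AllowUsers>" "<DenyUsers>"
# Exit status 0 means the login may proceed to authentication.
ssh_user_permitted() {
    su_user=$1 su_host=$2 su_allow=$3 su_deny=$4
    # DenyUsers is evaluated first: any match refuses the login outright.
    set -f                      # no filename expansion of the * in patterns
    set -- $su_deny
    set +f
    for su_pat; do
        ssh_pattern_matches "$su_pat" "$su_user" "$su_host" && return 1
    done
    # No AllowUsers directive at all: nothing more to check.
    [ -z "$su_allow" ] && return 0
    # AllowUsers present: the user must match one of its entries.
    set -f
    set -- $su_allow
    set +f
    for su_pat; do
        ssh_pattern_matches "$su_pat" "$su_user" "$su_host" && return 0
    done
    return 1
}

# One pattern against (user, host); a pattern without @ matches any host.
ssh_pattern_matches() {
    sp_pat=$1 sp_user=$2 sp_host=$3
    case $sp_pat in
        *@*) sp_upat=${sp_pat%%@*}; sp_hpat=${sp_pat#*@} ;;
        *)   sp_upat=$sp_pat; sp_hpat='*' ;;
    esac
    case $sp_user in $sp_upat) ;; *) return 1 ;; esac
    case $sp_host in $sp_hpat) return 0 ;; *) return 1 ;; esac
}

ssh_decision() {
    if ssh_user_permitted "$@"; then echo allow; else echo deny; fi
}

# Stand-alone run against constructed directive values.
ALLOW='user1 user2 user3@192.168.1.*'
DENY='user4 user5@10.*'
for attempt in 'user1 10.0.0.1' 'user3 192.168.1.7' 'user3 10.0.0.1' \
               'user4 192.168.1.7' 'user5 192.168.1.7' 'user5 10.2.3.4'; do
    set -- $attempt
    echo "$1 from $2: $(ssh_decision "$1" "$2" "$ALLOW" "$DENY")"
done
```

Note the user5 from 192.168.1.7 case: the DenyUsers entry does not match that address, yet the login is still refused because AllowUsers exists and user5 is not in it. Use addresses rather than host names in the host part; sshd matches names through reverse DNS, which the client's network controls.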

verify service functionality

test logging in:

ssh <user>@<host>

DNS

install

yum install bind-chroot caching-nameserver
service named start
chkconfig named on

basic config

copy sample config:

cp -a /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.conf

caching-only nameserver:

  • edit the listen-on directives (commented out = listen on all interfaces)
  • edit the allow-query directives (commented out = queries from everyone; for a caching server restrict allow-query and allow-recursion to your own networks, otherwise you are running an open resolver that anyone on the internet can use)
  • edit the match-clients and match-destinations directives of the view to allow recursive queries from other hosts

slave nameserver:

  • get the slave example from /usr/share/doc/bind-*/sample/etc/named.conf

allow named to write in its working directory (slave zone files, dynamic updates):

setsebool -P named_write_master_zones=1

host-based security

firewall config:

protocol ports
tcp 53
udp 53

allow-query example:

allow-query { 192.168.0.0/16; localnets; };

user-based security

N/A

verify service functionality

test query:

dig @<server> <name>

test zone transfer:

dig @<server> <zone> axfr

:!: A zone transfer that succeeds from an arbitrary host hands out the whole zone; limit it with allow-transfer { <slave addresses>; }; in the zone or options block

NTP

install

yum install ntp
service ntpd start
chkconfig ntpd on

basic config

host based security

firewall config:

system-config-securitylevel
protocol port
udp 123

allow others to sync with us:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

user-based security

N/A

verify service

show peers:

ntpq -p

Additional Study Notes

RHCEs must also be able to:

configure hands-free installation using Kickstart

yum install system-config-kickstart
  1. make installation tree available
  2. create kickstart file (system-config-kickstart writes ks.cfg)
  3. validate kickstart file (ksvalidator)
  4. make kickstart file available
    • bootable diskette (place in top level directory)
    • bootable cdrom (place in top level directory)
    • network (http, ftp, nfs)
  5. use bootable media and supply appropriate kernel parameter
ks=floppy:/ks.cfg
ks=cdrom:/ks.cfg
ks=http://example.com/ks.cfg
ks=nfs:example.com:/ks.cfg

implement logical volumes at install-time

use iptables to implement packet filtering and/or NAT

:!: do not use system-config-securitylevel, as it will overwrite your custom iptables rules. the following method seems to be the best way to go:

  1. make changes in /etc/sysconfig/iptables
  2. run /etc/init.d/iptables restart to apply changes

packet filtering

packet filtering example:

-A <chain> -p <protocol> -m <protocol> [-s [!] <source>] --dport <port> -j ACCEPT

NAT

enable ip forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

to test from another machine:

ip route replace default via <router address>

inbound dnat (on the router: rewrite the destination of packets arriving for <port>):

iptables -t nat -A PREROUTING -p <protocol> --dport <port> -j DNAT --to-destination <internal address>:<port>

outbound dnat (locally generated packets):

iptables -t nat -A OUTPUT -p <protocol> --dport <port> -j DNAT --to-destination <address>:<port>

masquerading (for a dynamic external address):

iptables -t nat -A POSTROUTING -o <external interface> -j MASQUERADE

snat (for a fixed external address):

iptables -t nat -A POSTROUTING -o <external interface> -j SNAT --to-source <external address>

FIXME

use PAM to implement user-level restrictions

module documentation

  • /usr/share/doc/pam-*/txts

module configuration

  • /etc/pam.d
  • /etc/security
   
module interface  description
auth      user authentication (e.g. verifies the password, sets group membership or kerberos tickets, etc.)
account   verifies that access is allowed (e.g. expired account?, group membership, etc.)
password  handles password changes
session   manages user sessions (e.g. mount home dir, create mailbox, logging, etc.)

control flag  description
required      must pass; on failure the rest of the stack still runs but the final result is failure
requisite     must pass; on failure stop immediately and fail
sufficient    on success (with no earlier required failure) return success right away; its own failure is ignored
optional      pass or failure is irrelevant (unless it is the only module in the stack)
include       include another file

pam_listfile.so example

allow/deny users if listed in /etc/special:

auth required pam_listfile.so onerr=fail item=user sense=<allow|deny> file=/etc/special

:!: onerr takes succeed or fail (there is no onerr=success); use fail so that a missing or unreadable list denies instead of silently letting everyone through

tcp_wrappers

file format:

<daemon list> : <client list> [EXCEPT <client list>] [: <option>]

search order:

  1. /etc/hosts.allow
  2. /etc/hosts.deny
  3. allow by default

:!: searching stops on first match

:!: Make sure to append “ALL: ALL” into /etc/hosts.deny
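Added example (not from the original guide): a shell function that walks /etc/hosts.allow and then /etc/hosts.deny the way tcp_wrappers does (first match wins, no match at all means allow) for one daemon and client address, run here against constructed copies of the two files in a temporary directory. It understands ALL, exact addresses, trailing-dot network prefixes such as 192.168.1. and one EXCEPT clause per line; the other wildcards (LOCAL, KNOWN, netmask forms) are not implemented.

```shell
# Added example: tcp_wrappers access decision for (daemon, client address).
# Usage: wrap_allowed <daemon> <client IP> <hosts.allow> <hosts.deny>
# Exit status 0 = access granted.
wrap_allowed() {
    wrap_file_matches "$1" "$2" "$3" && return 0   # hosts.allow: first match grants
    wrap_file_matches "$1" "$2" "$4" && return 1   # hosts.deny: first match refuses
    return 0                                       # no match anywhere: allowed
}

# Does any "daemons : clients [EXCEPT clients]" line in FILE cover DAEMON and CLIENT?
wrap_file_matches() {
    wf_daemon=$1 wf_client=$2 wf_file=$3
    [ -f "$wf_file" ] || return 1
    while IFS= read -r wf_line; do
        wf_line=${wf_line%%#*}                         # strip comments
        case $wf_line in *:*) ;; *) continue ;; esac   # skip blank/invalid lines
        wf_daemons=${wf_line%%:*}
        wf_clients=${wf_line#*:}
        wf_except=
        case $wf_clients in
            *" EXCEPT "*) wf_except=${wf_clients#* EXCEPT }
                          wf_clients=${wf_clients%% EXCEPT *} ;;
        esac
        wrap_list_has "$wf_daemons" "$wf_daemon" || continue
        wrap_list_has "$wf_clients" "$wf_client" || continue
        wrap_list_has "$wf_except" "$wf_client" && continue
        return 0
    done <"$wf_file"
    return 1
}

# Does the comma/space separated LIST contain NAME? Entries may be ALL, an
# exact name/address, or a network prefix ending in a dot (192.168.1.).
wrap_list_has() {
    for wl_entry in $(printf '%s' "$1" | tr ',' ' '); do
        case $wl_entry in
            ALL) return 0 ;;
            *.)  case $2 in "$wl_entry"*) return 0 ;; esac ;;
            *)   [ "$wl_entry" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

wrap_decision() {
    if wrap_allowed "$@"; then echo allow; else echo deny; fi
}

# Constructed fixture: hosts.allow and hosts.deny in a temp dir; prints its path.
wrap_fixture() {
    wx_dir=$(mktemp -d)
    cat >"$wx_dir/hosts.allow" <<'EOF'
# constructed example, not a real configuration
sshd : 192.168.0. EXCEPT 192.168.0.99
vsftpd, in.telnetd : 192.168.1.10
EOF
    printf 'ALL: ALL\n' >"$wx_dir/hosts.deny"
    echo "$wx_dir"
}

# Stand-alone run.
wrap_report() {
    wr_dir=$(wrap_fixture)
    for wr_try in 'sshd 192.168.0.5' 'sshd 192.168.0.99' 'sshd 10.0.0.1' \
                  'vsftpd 192.168.1.10' 'vsftpd 192.168.1.11'; do
        set -- $wr_try
        echo "$1 from $2: $(wrap_decision "$1" "$2" "$wr_dir/hosts.allow" "$wr_dir/hosts.deny")"
    done
    # without a catch-all in hosts.deny, an unmatched request is allowed
    echo "sshd from 10.0.0.1, no hosts.deny: $(wrap_decision sshd 10.0.0.1 "$wr_dir/hosts.allow" "$wr_dir/missing")"
    rm -rf "$wr_dir"
}

wrap_report
```

The last line of the report is the reason for the "ALL: ALL" note above: with an empty or missing hosts.deny, every daemon that is not named in hosts.allow is reachable from anywhere. Only daemons linked against libwrap (or started through xinetd) consult these files at all; a firewall rule is still the outer layer.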

installation consoles

Shortcut Console
CTRL-ALT-F1 Text installation display; if you're running in graphical mode, it shows the basic messages from starting the graphics drivers
CTRL-ALT-F2 Accesses a bash shell prompt; available after the first few installation steps
CTRL-ALT-F3 Lists the log of installation messages; if network problems occur, you may see related messages here
CTRL-ALT-F4 Displays all kernel messages, including detected hardware and drivers
CTRL-ALT-F5 Installation displays partition formatting; nothing is shown here until Anaconda formats the actual partitions
CTRL-ALT-F6 Graphical installation display; active only if you're running the installation program in graphical mode (formerly on CTRL-ALT-F7); in text mode nothing is shown here

Troubleshooting

unable to log in

  • password wrong or expired?
  • account locked?
  • shell set to /sbin/nologin, /bin/false, etc.?
  • root user and PermitRootLogin no in /etc/ssh/sshd_config?
  • root user and terminal not listed in /etc/securetty?
  • non-root user and /etc/nologin exists?
  • check pam_listfile restrictions

source: http://wiki.unixjournal.org/doku.php?id=rhce