3232 Exam

Linux (RHEL6) Notes

To complete:
secure grub with password
gpg Encryption and Decryption
Useful files
/etc/inittab  has run level definitions
Useful commands
#ifconfig  to get ipaddress
#ping desktop15.example.com
#host <ipaddress>  Gives DNS Name
#hostname  Gives the host name of the machine you are logged in
#dig -x <ipaddress>  Has Question / Answer / Authority / Additional sections
#nslookup <ipaddress>  It gives hostname and ip address
#nslookup <DNS Name>

#man -k ftp | less  Search man pages for ftp
#man 8 mount  go to 8th section of man help for mount command

#which ls  from where ls is getting executed
#rpm -qf /bin/ls  finds the package in which ls is

#cp -pvrf <source> <dest>  p for preserve, v for verbose, r for recursive and f for force (overwrite if exist)
#du -h <filename>  disk usage for file
#du -h <directory>  disk usage for individual files in the directory
#du -sh <directory>  disk usage summary for the directory

#ln -s <source with path name> <link name>  to create soft links
#who -r  for current system runlevel
#runlevel  for current system runlevel

#uname -a  for more details about the system
#uname -r  for current kernel version

#cat /proc/cpuinfo  to see if CPU supports VMX
#cat /proc/meminfo  to see RAM size to set swap size
#cat /proc/partitions  after running partx command

#ps  processes with in your current terminal
#ps -a  all processes in all terminals
#ps -aux | less  a for all, u for user, x for executing. Does not indicate parent process
#ps -ef | less  Shows parent process

#kill -l  To see kill signals
#kill -9 <pid>  Signal KILL. Children become Zombie "Z" processes
#kill -15 <parent pid>  Signal TERM. Kills children and then the parent so that there are no Zombie processes
#kill -1 <pid>  Signal HUP. Restarting i.e., stopping and starting services
#top  more flexibility
#parted /dev/sda  edit partition table. type help for commands that can be used
#partx -d /dev/sda
#partx -a /dev/sda

#fdisk -cu /dev/sda
m for help
n for new partition
p for print partitions
t to change partition system id
d for deleting partition
w for write table to disk and quit
q for quitting without saving
#fdisk -l | less  Shows info about partitions

#mkfs -t ext4 /dev/sda5
or
#mkfs.ext4 /dev/sda5
or
#mkfs.ext4 -L "mydisk1" /dev/sda5  L gives label while formatting
#e2label /dev/sda5  to display label
#e2label /dev/sda5 "mydisk2"  to change label
#findfs LABEL="mydisk2"  gives output /dev/sda5

#file <fileName>  to know type of file, if a file is tar file, zipped or not etc.
#stat <fileName>  to know more details about file, access time, modify time, change time etc.

User Related
#useradd user1
#useradd -u 10001 -g ftp -G adm,apache -d /var/user123 -c "Comment" -s /bin/bash user123
g => Primary Group
G => Secondary Groups
d => Home directory
c => Comment
s => Login shell
#vim /etc/default/useradd  defaults for useradd

#id <userid>  to see the details about the user
#groups <userid>  list all groups belonging to a userid

#usermod -s /sbin/nologin user123  to change login shell for user
#usermod -L user123  lock user
#usermod -aG adm,ftp,student user123  to add secondary groups
#usermod -G student user123  to replace all secondary groups with this one secondary group

#gpasswd -a u1 ftp  add user to group
#gpasswd -M u1,u2,u3,u4 apache  set the member list of the apache group to these users
#gpasswd -d u1 apache  delete user from apache group

#userdel -r u2  recursively delete all user info for u2
#chage -l <userid>  List Aging parameters for userid
#chage -m 0 -M 90 -W 7 -I 14 <userid>  m => min days between changes, M => max days a password is valid, W => warning days before expiry, I => inactive days after expiry before the account is locked
#vim /etc/login.defs  has the default values
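How the four chage values above combine on a given day is easier to see in code. The following is an added example, not part of the original notes: it models -m/-M/-W/-I on constructed dates (given as ISO strings) and simplifies the exact day-boundary arithmetic of shadow's isexpired():

```python
from datetime import date, timedelta

# Added example, not from the original notes. Models the aging fields set by
# "chage -m 0 -M 90 -W 7 -I 14": min days, max days, warn days, inactive days.
# Day-boundary handling is simplified compared with shadow's isexpired().


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def password_aging_status(last_change, today, max_days=90, warn_days=7, inactive_days=14):
    """Classify an account on `today` given the date the password was last set.

    Returns one of:
      "ok"      - password valid, no warning yet
      "warn"    - within warn_days of expiry (login prints a warning)
      "expired" - past max_days; the user must change the password at login
      "locked"  - expired for more than inactive_days; login is refused
    max_days=-1 or inactive_days=-1 disable the corresponding check, as in chage.
    """
    last_change, today = _as_date(last_change), _as_date(today)
    if max_days is None or max_days < 0:
        return "ok"
    expires = last_change + timedelta(days=max_days)
    if today < expires - timedelta(days=warn_days):
        return "ok"
    if today < expires:
        return "warn"
    if (inactive_days is not None and inactive_days >= 0
            and today >= expires + timedelta(days=inactive_days)):
        return "locked"
    return "expired"


def can_change_password(last_change, today, min_days=0):
    """chage -m: the user may change the password only min_days after the last change."""
    return _as_date(today) >= _as_date(last_change) + timedelta(days=min_days)


def aging_report(last_change, today, **kw):
    """One summary line, the kind an audit script over 'chage -l' output would print."""
    status = password_aging_status(last_change, today, **kw)
    return f"last change {last_change}, today {today}: {status}"


if __name__ == "__main__":
    set_on = "2012-01-01"                       # constructed sample value
    for day in ("2012-02-01", "2012-03-26", "2012-04-05", "2012-04-20"):
        print(aging_report(set_on, day))
```

With the notes' values (-M 90 -W 7 -I 14) a password set on 2012-01-01 expires on 2012-03-31, warns from 2012-03-24, and the account locks from 2012-04-14.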
#chown <newOwner> <resource>
#chgrp <newGroup> <file/directory>
#chown <newOwner>:<newGroup> <resource>
#chown -R <newOwner> <directory>  recursively change ownership
#chgrp -R <newGroup> <directory>  recursively change group ownership
#chown <newOwner>:<newGroup> <directory>
#chmod g+rwx <file/directory>
#chmod -R a+rwx <directory>  recursively change permissions

Setting password for user (4 ways)
#passwd <userid>
#echo "<password>" | passwd --stdin <userName>
#useradd -p "<encrypted password>" <userName>  -p takes the crypt(3)-encrypted string, not plain text
#usermod -p "<encrypted password>" <userName>  same as above

Resetting root password if you dont know it
If you are already logged into the system
#init 1  to get into single user mode. It gives root access without asking for a password
Otherwise, interrupt the Linux boot process (press F12) and then enter the following
e
1  to get into single user mode. You can also use s or S instead of 1
go back
b  to continue to boot

#runlevel  to see runlevel
or
#who -r  to see runlevel
#passwd root  This will not work because SELinux is in enforcing mode
#setenforce 0
or
#setenforce Permissive  Now, the password can be changed
#passwd root

set gid (Numeric value is 2)
#mkdir /mydata
#ls -ld /mydata  /mydata is owned by root root
#groupadd grp  new group that needs to own /mydata
#chgrp grp /mydata
#ls -ld /mydata
#chmod g+w /mydata  to make sure any user in grp group can write to /mydata
#ls -ld /mydata
#chmod g+s /mydata  so that if any body belonging to grp group creates a file in /mydata, it will have grp group (inherited from the directory)

Sticky bit (Numeric value is 1)
If you set sticky bit, only the owners of the file can delete a file,
even if the other users are in the same group as the owner and also
the group has write permissions
#chmod o+t /mydata  to set sticky bit

ACL
#tune2fs -l /dev/sda5 | grep -i default  Look for default mount options
If default mount option is none, need to change to ACL for the partition
#tune2fs -o acl,user_xattr /dev/sda5  Change it for the partition
#mount /dev/sda5 /mnt
#cd /mnt
#getfacl /mnt  getfacl for mount point
#setfacl -m u:<userid>:rwx <file/directory>  to modify acl
#setfacl -m g:<group>:rwx <file/directory>  to modify acl
#getfacl <file/directory>
#setfacl -x u:<userid> <file/directory>  to remove from acl
#setfacl -x g:<group> <file/directory>  to remove from acl

Disk Quotas

Create an ext4 partition and mount it as /quotadir in fstab as follows
#vim /etc/fstab
/dev/sda5 /quotadir ext4 defaults,usrquota,grpquota 0 0  Note usrquota, grpquota
#mount -a
#mount  It will list the usrquota attribute for /quotadir mount point
#quotacheck -cuv /quotadir  to be done on mount point
c => Create
u => User Quota
v => Verbose
Creates quota.user file in /quotadir
#quotacheck -cgv /quotadir  to be done on mount point
c => Create
g => Group Quota
v => Verbose
Creates quota.group file in /quotadir
#quotaon /quotadir  Activate quota on filesystem. Need to use mount point
#quotaon -p /quotadir  Print state of all file systems if quotas are turned on or off
#quota -v  verbose file systems where quotas are turned on
#quota -uv <userid>  verbose quota for specific userid
#repquota /quotadir
or
#repquota /dev/sda5
#edquota -u <userid>  to set quota for the user in vim editor. Set soft and hard blocks. hard blocks is the max limit. Soft blocks is from where user gets warning
#edquota -t  to set grace period

sudo
#visudo  to edit /etc/sudoers file in vim editor (:wq for saving the file)
#visudo -c  After adding entries compile the file to make sure no errors
Groups in the file are always preceded by %
Ex: peter,bob,%mygroup ALL= NOPASSWD: ALL
users peter and bob, group mygroup on all servers, (since there is no runas list in parentheses
after ALL=, commands run as root) can execute all commands without requiring password
Ex: peter,bob,%mygroup ALL= NOPASSWD: /sbin/fdisk
users peter and bob, group mygroup on all servers, (since there is no runas list in parentheses
after ALL=, commands run as root) can execute only fdisk command without requiring password.
All other commands require password.

Creating LVM
1. Create two LVM type partitions /dev/sda5 and /dev/sda6
2. Create PVs
3. Create Volume Group using the PVs
4. Create LVMs with in the Volume Group
5. ext4 formatting
6. mount LVM file system
7. Check if mounted
8. Make mounts permanent

#fdisk -cu /dev/sda
#pvcreate /dev/sda5
#pvcreate /dev/sda6
#vgcreate -s 8 myVG /dev/sda5 /dev/sda6  s is PE size
#vgdisplay myVG
#lvcreate -l 10 -n mylv1 myVG  10 extents
or
#lvcreate -L 80M -n mylv2 myVG  80M size

#mkfs.ext4 /dev/myVG/mylv1
or
#mkfs.ext4 /dev/mapper/myVG-mylv1
#mkdir -p /mnt/mylv1
#mount /dev/myVG/mylv1 /mnt/mylv1
or
#mount /dev/mapper/myVG-mylv1 /mnt/mylv1
#df -h
#vim /etc/fstab
/dev/myVG/mylv1 /mnt/mylv1 ext4 defaults 0 0

Reducing LVM
1. Make sure that there are no users connected to the mount
2. Unmount the mount point
3. Check the file system (e2fsck)
4. Resize the file system
5. Reduce the LVM
6. Mount the LVM

#fuser -vm /home  list processes using /home
#fuser -km /home  kill those processes
#umount /home
#df -h  to see the free space
#e2fsck -f /dev/vg10/lv_home
#df -h  to see the free space
#resize2fs /dev/vg10/lv_home 256M
#lvreduce -L 256M /dev/vg10/lv_home
#df -h  to see the free space
#mount -a  to mount all mount points from fstab

Extending LVM
Can be done online. No unmounting is needed

#df -h
#lvextend -L +256M /dev/vg10/lv_home  Add additional 256M to lv_home
#df -h  Does not show the increased size, yet
#resize2fs /dev/vg10/lv_home
#df -h

Removing LVM
#lvscan
#lvchange -an /dev/myVG/lv_test  to make lvm inactive
#lvscan  Should show lv_test inactive
#lvremove /dev/myVG/lv_test
#lvscan

Reducing VG (by removing PV)
#vgs
#pvmove /dev/sda5  moves data from /dev/sda5 to next available PV
#vgreduce myVG /dev/sda5
#vgs

Extending VG (by adding PV)
#pvs
#fdisk -cu /dev/sda  add a new LVM partition (8e)
#partx -a /dev/sda
#vgextend myVG /dev/sda6
#vgs
#pvs

Removing VG
1. Deactivate all LVMs in the VG
2. Remove all LVMs in the VG
3. Remove VG
#vgremove myVG

Encrypting Partitions / LVMs using LUKS
LUKS - Linux Unified Key Setup
Steps
=====
1. Create partition, partx -a /dev/sda
2. cryptsetup luksFormat <partition>
3. cryptsetup luksOpen <partition> <cryptLogicalName>
4. mkfs.ext4 /dev/mapper/<cryptLogicalName>
5. cryptsetup luksClose <cryptLogicalName>
6. mount /dev/mapper/<cryptLogicalName>
7. Make an entry in /etc/fstab
8. Make an entry in /etc/crypttab

#fdisk -cu /dev/sda  create a new partition sda5
#partx -a /dev/sda
#cryptsetup luksFormat /dev/sda5  asks for data overwriting. say YES
#cryptsetup luksOpen /dev/sda5 cryptdata
#dmsetup table  List all the volumes managed by device mapper
#mkfs.ext4 /dev/mapper/cryptdata
#mkdir /mnt/cryptdata
#mount /dev/mapper/cryptdata /mnt/cryptdata
#df -h
#umount /mnt/cryptdata
#blkid /dev/mapper/cryptdata  get the UUID
#vim /etc/fstab
Add a new line
UUID="<from blkid command>" /mnt/cryptdata ext4 defaults 0 0
#df -h
#vim /etc/crypttab
Add a new line for sda5. When you reboot, system will ask for passphrase
cryptdata /dev/sda5 none  the third field none means the passphrase is asked at boot; a key file path can be given there instead

Networking concepts
Important files are
/etc/hosts  Local resolver
/etc/resolv.conf  Domain Name, DNS Server ip address must
/etc/sysconfig/network  Global config file. NETWORKING should be YES, HOSTNAME, GATEWAY must
/etc/sysconfig/network-scripts/ifcfg-eth0  interface specific file

#service NetworkManager restart
#service network restart
#ifcfg
#mii-tool
#setup  Takes you to network setup
#mii-link
#ifdown eth0
#ifup eth0

ssh - Data Encryption
#ssh [email protected]  After login, you will see /root/.ssh/known_hosts in the source system for root user
#ssh -X [email protected]  for X forwarding
#system-config-date  after above login will display in X window

ssh - Key based Authentication
#ssh-keygen -t rsa  At source generate rsa key pair
private key in /root/.ssh/id_rsa
public key in /root/.ssh/id_rsa.pub
#ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]
This copies public key from source to destination to /root/.ssh/authorized_keys
No password required after copying the key. This is user specific

swap
If RAM is 0 - 4GB, then swap = 2 + (0.5 of RAM)
If RAM is 4 - 8GB, then swap = 4 + (0.5 of RAM)
If RAM is 8 - 16GB, then swap = 8 + (0.5 of RAM)
If RAM is 16 - 64GB, then swap = 16 + (0.5 of RAM)

Partition based Swap
#mkswap /dev/sda6  Swap file system
#swapon /dev/sda6  Activate swap
#swapoff /dev/sda6  Deactivate swap
#swapon -s  Show swap summary
#vim /etc/fstab  Permanent swap
/dev/sda6 swap swap defaults 0 0
#swapon -a  Activate all swaps from /etc/fstab

File based Swap


#dd if=/dev/zero of=/swapfile bs=1M count=500
#du -sh /swapfile
#dd if=/dev/zero of=/swapfile-thin bs=1M count=1 seek=1000
#du -sh /swapfile-thin
#mkswap /swapfile
#swapon /swapfile
#swapoff /swapfile
#vim /etc/fstab
/swapfile swap swap defaults 0 0
#swapon -a

Securing grub with password

Kernel install
#lftp 192.168.0.254/updates
#mget kernel*
#rpm -qRp <Kernel Package Name>  to get dependencies
#rpm -U <kernel>  DO NOT use this. This will overwrite existing kernel
#rpm -ivh <Kernel firmware package>  Always use i option to install new kernel
#rpm -ivh <Kernel package>
#vim /etc/grub.conf  you will see new kernel here.
If you installed a kernel newer than existing kernel, new kernel will become the default
If you installed a kernel older than existing kernel, existing kernel remains as default

at
#atq  Query to see if one off jobs are scheduled
#at 3:08
at>/sbin/reboot
at>ctrl+d
#atq  shows the above job
#atrm <jobid from atq command>  to remove a job
#atq  to make sure that the job is gone

crontab
#crontab -e  edit crontab for current user
#crontab -eu <userid>  edit crontab for specified user
Look in /etc/crontab for the exact format for writing cron entries
Make sure to use which command to get complete path of commands to be
executed as these need to go into crontab.
Ex: for echo command you need to use /bin/echo
#vim /etc/cron.deny  add users in this file to stop them from editing crontab
#vim /etc/cron.allow  add users in this file to allow them to edit crontab
If a user exists in both files, cron.allow takes precedence over cron.deny.
#service crond restart
#chkconfig crond on
#crontab -lu <userid>  list crontab for specified user

rpm
#rpm -qa  Query all packages installed in the system
#rpm -qa | wc -l
#rpm -q <packageName>  to check if package already exists or not
#rpm -qRp <packageName>  Lists dependencies of a package file
#rpm -qR <packageName>  Query installed package for its dependencies
#rpm -qlp <packageName>  List all the files included in the package
#rpm -qldp <packageName>  Displays only document files
#rpm -qlcp <packageName>  Displays only config files
#rpm -qlsp <packageName>  Displays only script files
#rpm -ql vsftpd
#rpm -ivh <packageName>  i for install, v for verbose, h for percentage completion
#rpm -Uvh <packageName>  U for update
#rpm -e <packageName>  to uninstall package. Dependencies are not removed

yum - Yellowdog Updater, Modified
#yum list all
#yum list installed
#yum list available
#yum search vsftpd
#yum install vsftpd* -y
#yum remove vsftpd* -y
#yum deplist vsftpd*
#which date
#yum provides /bin/date
#yum grouplist  to list group packages installed in the system
#yum localinstall <packagename> --nogpgcheck

Setting up Local yum


#mount -o loop,ro /home/rhel6.iso /mnt
#cp -pvrf /mnt/* /var/ftp/pub
#vim /etc/yum.repos.d/local.repo
Add the following lines
[rhel6-64bit-local]
name=rhel6 local packages
baseurl=file:///var/ftp/pub
enabled=1
gpgcheck=0
#vim /etc/yum.repos.d/rhel6.repo
Add the following lines
[rhel6-64bit-server]
name=rhel6 server packages
baseurl=ftp://192.168.0.254/pub/rhel6/dvd
enabled=1
gpgcheck=0
gpgcheck=0 turns off RPM signature verification for this repository; outside a lab set gpgcheck=1 and point gpgkey= at the vendor's signing key
#vim /etc/vsftpd/vsftpd.conf
Make sure that anonymous can login because yum uses anonymous login
#service vsftpd restart
#chkconfig vsftpd on

#yum clean all  to clean repodata cache on the client
#yum list all  to see the packages available

NFS Sharing (server side - 192.168.0.254) - Share Resources
#yum install nfs* -y  package is nfs-utils
#mkdir /kickstart
#vim /etc/exports
/kickstart 192.168.0.0/24(ro,sync,no_root_squash)  Share to ips from 192.168.0.0 to 192.168.0.255. no_root_squash lets root on a client act as root on the share; leave it out unless that is needed
#exportfs -rv  r for re-export and v for verbose
#service nfs restart
#chkconfig nfs on
NFS is done thru nfsnobody user

NFS Sharing (client side) - NFS mount shared resources
#showmount -e <ipaddress of NFS Server>
#mkdir /mnt/nfs
#mount -t nfs 192.168.0.254:/kickstart /mnt/nfs
#umount /mnt/nfs
#df -h
#vim /etc/fstab
192.168.0.254:/kickstart /mnt/nfs nfs defaults 0 0
#mount -a
as any user, you can also perform the following without mounting
#cd /net/192.168.0.254
#ls  You will see kickstart

Samba Server
#yum install samba* -y
#which smbd
#which nmbd
#ldd /usr/sbin/smbd | grep -i libwrap  Nothing found. So, tcp_wrappers support is NOT there for samba
#vim /etc/samba/smb.conf  Samba Main config file
In Global Settings section, you may need to change the workgroup
In Shared Settings section, add the following
[myshare]
comment = public stuff
path = /share
writeable = yes
valid users = u5
browseable = yes
 you can put in read only = yes

#useradd u5
#smbpasswd -a u5  a for adding password
#smbpasswd -d u5  d for deactivating password entry
#smbpasswd -x u5  x for deleting the password entry
#pdbedit -L -w  list users that have samba passwords
#mkdir /share
#getenforce
#ls -ldZ /share  If SELinux is Enforcing, then need to change the context for /share directory
#chcon -t samba_share_t /share
#ls -ldZ /share
#cd /share
#touch file1
#service smb restart
Logs are in /var/log/samba

CIFS Sharing (client side) - Samba mount shared resources
#smbclient -L //192.168.0.254 | less
From the list we can only use "Disk" or "Print" type shares
Sharename that is shown in the list may have a totally different name on the host. Basically,
share name hides the inside directory name on the server.
#mkdir -p /mnt/cifs
#mount -t cifs //192.168.0.254/myshare /mnt/cifs -o username=u5,password=<sambaPassword>
#df -h
#vim /etc/fstab
Add the following entry
//192.168.0.254/myshare /mnt/cifs cifs defaults,username=u5,password=<sambaPassword> 0 0
/etc/fstab is world readable, so a password written there is visible to every local user; mount.cifs also accepts credentials=<file>, with the file readable by root only
#umount /mnt/cifs
#df -h
#mount -a
#df -h
#smbclient //192.168.0.254/myshare -U u5
smb>ls  shows file1 created above

tcp_wrappers
#which vsftpd  gives /usr/sbin/vsftpd
#ldd /usr/sbin/vsftpd | grep -i libwrap  shows a line. It means tcp_wrappers are supported
#which httpd  gives /usr/sbin/httpd
#ldd /usr/sbin/httpd | grep -i libwrap  Does not show a line. It means tcp_wrappers are NOT supported
#which sshd  gives /usr/sbin/sshd
#ldd /usr/sbin/sshd | grep -i libwrap  shows a line. It means tcp_wrappers are supported

tcp_wrapper Access control is done thru
/etc/hosts.deny
/etc/hosts.allow
No need to restart services if you change these files
#vim /etc/hosts.deny
vsftpd: desktop20.example.com  desktop20 is not allowed to FTP to this server
vsftpd: .example.com  .example.com domain is not allowed to FTP to this server
vsftpd: ALL EXCEPT .example.com  Any other domain other than .example.com is not allowed to FTP to this server
sshd: .example.com  .example.com domain is not allowed to SSH to this server
sshd: 192.168.0.  192.168.0. network is not allowed to SSH to this server
sshd: ALL EXCEPT .example.com  Any other domain other than .example.com is not allowed to SSH to this server
#vim /etc/hosts.allow
vsftpd: desktop20.example.com  desktop20 is allowed to FTP to this server though it is prevented in hosts.deny
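The order in which libwrap consults the two files decides the outcome, so here is an added example (not from the original notes) that models that decision for the entries above: hosts.allow first, then hosts.deny, and a client matching neither is let in. The sample file contents are constructed; only the pattern forms the notes use (ALL, a .domain suffix, a net. prefix, an exact name or address, and "list EXCEPT list") are handled, and the optional third "options" field of a line is not:

```python
# Added example, not from the original notes: models how libwrap reads
# /etc/hosts.allow and /etc/hosts.deny. Only the pattern forms used in the
# notes are supported; shell commands and the options field are not.


def _pattern_matches(pattern, host, ip):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .example.com
        return host.endswith(pattern)
    if pattern.endswith("."):            # network prefix, e.g. 192.168.0.
        return ip.startswith(pattern)
    return pattern in (host, ip)         # exact hostname or address


def client_list_matches(client_list, host, ip):
    """Evaluate a client list such as 'ALL EXCEPT .example.com'."""
    parts = client_list.replace(",", " ").split()
    if "EXCEPT" in parts:
        i = parts.index("EXCEPT")
        included, excluded = parts[:i], parts[i + 1:]
    else:
        included, excluded = parts, []
    return (any(_pattern_matches(p, host, ip) for p in included)
            and not any(_pattern_matches(p, host, ip) for p in excluded))


def _file_matches(text, daemon, host, ip):
    """True if any 'daemon_list : client_list' line in the file matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        daemon_ok = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
        if daemon_ok and client_list_matches(clients, host, ip):
            return True
    return False


def tcp_wrappers_allows(daemon, host, ip, hosts_allow, hosts_deny):
    """hosts.allow wins, then hosts.deny; no match in either means access."""
    if _file_matches(hosts_allow, daemon, host, ip):
        return True
    if _file_matches(hosts_deny, daemon, host, ip):
        return False
    return True


# Constructed sample files, built from the entries in the notes.
HOSTS_DENY = """\
vsftpd: .example.com
sshd: 192.168.0.
sshd: ALL EXCEPT .example.com
"""
HOSTS_ALLOW = "vsftpd: desktop20.example.com\n"

if __name__ == "__main__":
    for svc, host, ip in (("vsftpd", "desktop20.example.com", "192.168.0.20"),
                          ("vsftpd", "desktop21.example.com", "192.168.0.21"),
                          ("sshd", "host.other.org", "10.1.1.1")):
        print(svc, host, tcp_wrappers_allows(svc, host, ip, HOSTS_ALLOW, HOSTS_DENY))
```

Note that with both sshd lines present every client is refused: .example.com hosts sit on 192.168.0. and everything else is caught by the EXCEPT rule, which is the kind of lock-out this check is meant to surface before the files are saved.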

LDAP
#system-config-authentication
or
on Desktop --> System --> Administration --> Authentication
Select LDAP
DN - dc=example,dc=com
LDAP Server - ldap://instructor.example.com
Check TLS to encrypt connections
Certificate link - http://192.168.0.254/pub/EXAMPLE-CA-CERT
Authentication Method - LDAP Password
Click Apply
On VMs - Look for sssd service
On Desktops - Look for nslcd service

#service sssd status
#chkconfig --list sssd
#getent passwd <ldapuserid>
#su - ldapuser1
Based on the settings in /etc/nsswitch.conf, system will look in
local users and then goes for LDAP. look for
passwd: files sss

autofs (NFS mount) - No fstab entries needed
No need to install autofs. It comes in with base install
#vim /etc/sysconfig/autofs  You can specify autofs parameters like timeout.
TIMEOUT=300  Timeout can also be specified in auto.master
#vim /etc/auto.master  Put in your own directory name and the file that contains mount information
/remote /etc/auto.remote  These can have any name
#vim /etc/auto.remote
kick -rw,fstype=nfs 192.168.0.254:/kickstart
#service autofs stop  restart will not work
#service autofs start
#chkconfig autofs on
#cd /remote/kick
#df -h
#cd  to go to your home directory, wait for the timeout period
#df -h  you will not see /remote/kick mount point

autofs (Local mount) - No fstab entries needed
No need to install autofs. It comes in with base install
Create a partition /dev/sda5 and mount as /local/disk1
Create an LVM /dev/vg00/lv01 and mount as /local/lv1
#vim /etc/auto.master
/local /etc/auto.local
#vim /etc/auto.local
disk1 -fstype=ext4 :/dev/sda5
lv1 -fstype=ext4 :/dev/vg00/lv01
#service autofs stop  restart will not work
#service autofs start
#chkconfig autofs on
#df -h
#cd /local
#df -h
#cd lv1
#df -h


autofs for ldapusers - No fstab entries required
No need to install autofs. It comes in with base install
#showmount -e 192.168.0.254
If /home/guests is the directory shared on 192.168.0.254 and if this has home directories for
ldap users
#vim /etc/auto.master
/home/guests /etc/auto.ldap
#vim /etc/auto.ldap
ldapuser1 -rw,fstype=nfs 192.168.0.254:/home/guests/ldapuser1  for single user
* -rw,fstype=nfs 192.168.0.254:/home/guests/&  generic for multiple users

autofs for samba - No fstab entries required
No need to install autofs. It comes in with base install
#vim /etc/sysconfig/autofs  You can specify autofs parameters like timeout.
TIMEOUT=300  Timeout can also be specified in auto.master
#vim /etc/auto.master  Put in your own directory name and the file that contains mount information. These can have any name
/cifs /etc/auto.cifs
#vim /etc/auto.cifs
cifsshare -rw,fstype=cifs,username=u5,password=<sambaPassword> ://192.168.0.254/myshare
 credentials=<file> works here as well and keeps the password out of the map file
#service autofs stop  restart will not work
#service autofs start
#chkconfig autofs on
#cd /cifs/cifsshare
#df -h
#cd  to go to your home directory, wait for the timeout period
#df -h  you will not see /cifs/cifsshare mount point

SELinux
#yum install setroubleshoot* -y
#vim /etc/sysconfig/selinux  Config file for selinux
#getenforce
#setenforce 0  Permissive
#setenforce Permissive  Permissive
#setenforce 1  Enforcing
#setenforce Enforcing  Enforcing
#semanage fcontext -l  displays registry of resource contexts
Security context is applied to resources
#ls -lZ  to view the security context for all files / directories
#ps -Z  to view the process security context
#chcon -u <newUserContext> <resourceName>
#chcon -r <newRoleContext> <resourceName>
#chcon -t <newTypeContext> <resourceName>

cp (copy) a file to a destination will inherit destination context
mv (move) a file to a destination will NOT inherit destination context
#semanage fcontext -a -t public_content_rw_t "/var/ftp/dropbox(/.*)?"  add a new entry into the registry
#restorecon -R -v /var/ftp/dropbox  R for recursive for all files in the directory and v for verbose
#chcon -Rt public_content_rw_t /var/ftp/dropbox
#ls -ldZ /var/ftp/dropbox
#getsebool -a | less  Get process booleans
#setsebool allow_ftpd_anon_write=1  Set process booleans
For troubleshooting and error messages
#yum install setroubleshoot* -y  so that you can use sealert command
#sealert -a /var/log/audit/audit.log
#cat /var/log/messages | grep setroubleshoot  copy alert from here
#sealert -l <alert copied above>

FTP Client
#yum install ftp* -y
#yum install lftp* -y
#ftp 192.168.0.254  enter userid and password
#lftp 192.168.0.254  does not ask for userid and password

FTP Server - vsftpd (Very Secure FTP)
#yum remove vsftpd* -y
#yum install vsftpd* -y
#vim /etc/vsftpd/vsftpd.conf  config file. You can change log file location here, if needed.
#vim /etc/vsftpd/ftpusers  Userids that are NOT allowed to login thru FTP
#vim /etc/vsftpd/user_list  please look at userlist_deny parameter in /etc/vsftpd/vsftpd.conf
If userlist_deny=NO, allows only users listed in the user_list file
If userlist_deny=YES, NEVER allows any users listed in the user_list file. For this case,
from the client side when you are trying to login as a user mentioned in the user_list file,
no login prompt is given.
If a user exists in both files, ftpusers file takes precedence.
If you change any of the above files, make sure to restart ftp service
#service vsftpd status
#service vsftpd restart
#chkconfig vsftpd on
To check messages for FTP
#tail -f /var/log/messages
To track the packets, you can install wireshark
#yum install wire* -y
To stop ftp connections coming into your server
#vim /etc/hosts.deny  edit this file
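The user-list rules for vsftpd above, and the cron.allow/cron.deny precedence rule in the crontab section earlier, are both "which file wins" decisions. The following added example (not from the original notes) codes both decisions over constructed file contents so they can be checked for a given user before touching the real files; the behaviour when neither cron file exists is site-dependent per crontab(1) and is assumed here to be root only:

```python
# Added example, not from the original notes: the access decisions described
# for vsftpd (ftpusers, user_list, userlist_deny) and for cron
# (cron.allow, cron.deny), applied to constructed sample file contents.


def parse_user_file(text):
    """One user per line; blank lines and '#' comments ignored (the RHEL6 file format)."""
    users = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            users.add(line)
    return users


def ftp_login_allowed(user, ftpusers, user_list, userlist_enable=True, userlist_deny=True):
    """vsftpd: ftpusers (enforced through PAM) always wins. Then user_list is a
    deny list when userlist_deny=YES and an allow list when userlist_deny=NO."""
    if user in ftpusers:
        return False
    if not userlist_enable:
        return True
    if userlist_deny:
        return user not in user_list
    return user in user_list


def cron_edit_allowed(user, cron_allow=None, cron_deny=None):
    """crontab(1): if cron.allow exists only the users listed in it may edit
    (so it wins over cron.deny); otherwise cron.deny lists who may not.
    Pass None for a file that does not exist. With neither file present the
    behaviour is site-dependent; root only is assumed here."""
    if cron_allow is not None:
        return user in cron_allow
    if cron_deny is not None:
        return user not in cron_deny
    return user == "root"


# Constructed samples; RHEL6 ships system accounts in both vsftpd files.
FTPUSERS = parse_user_file("""\
# users that may never log in over FTP
root
bin
daemon
""")
USER_LIST = parse_user_file("root\nbin\nalice\n")

if __name__ == "__main__":
    for u in ("root", "alice", "bob"):
        print(u, "deny-mode:", ftp_login_allowed(u, FTPUSERS, USER_LIST, userlist_deny=True),
              "allow-mode:", ftp_login_allowed(u, FTPUSERS, USER_LIST, userlist_deny=False))
    print("alice may edit crontab:", cron_edit_allowed("alice", {"alice"}, {"alice"}))
```

The two modes differ only for users absent from both files: userlist_deny=YES lets unknown users in, userlist_deny=NO keeps them out, which is why the allow-list mode is the safer default on a server that should serve a known set of accounts.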

Uploadable FTP Server using SELinux
1. Create directory /var/ftp/dropbox
2. Change the group ownership from root to ftp group
3. Make sure that ftp group can write to that directory
4. If SELinux is enforced, make sure that context for dropbox directory is same as ftp directory
5. Set process boolean for anonymous write
6. Make sure vsftp config file for anonymous write and upload
7. Restart FTP service
#mkdir -p /var/ftp/dropbox  created and owned by root
#chgrp ftp /var/ftp/dropbox
#chmod g+rwx /var/ftp/dropbox
#getenforce  Make sure it is SELinux enforcing
#cd /var
#ls -ldZ /var/ftp  to see the context for ftp directory
#ls -ldZ /var/ftp/dropbox  to see the context for dropbox directory
#restorecon -R -v /var/ftp/dropbox
or
#chcon -Rt public_content_rw_t /var/ftp/dropbox
#getsebool -a | grep ftpd  look for allow_ftpd_anon_write
#setsebool -P allow_ftpd_anon_write=1  P implies persistent setting
#vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES
anon_mkdir_write_enable=YES
#service vsftpd status
#service vsftpd restart
#chkconfig vsftpd on

HTTP/Apache server
#rpm -qa | grep httpd  to see if apache is installed or not
#yum install http* -y
Default port is 80
Document root is /var/www/html
User is apache
Group is apache
All logs are in the following directories
/etc/httpd/logs
/var/log/httpd
#rpm -qc httpd*  to see configuration files for httpd
httpd startup parameters are in
#vim /etc/sysconfig/httpd
/etc/httpd is the main directory
#vim /etc/httpd/conf/httpd.conf  main config file for httpd. You can change log file location here, if needed
DirectoryIndex index.html index.html.var
After making changes, please make sure to restart the service
#service httpd restart
#chkconfig httpd on
In browser, use the following URLs
http://localhost  looks for index.html file in /var/www/html
http://127.0.0.1  looks for index.html file in /var/www/html
http://<ipaddress of http server>  looks for index.html file in /var/www/html
#yum install elinks* -y
#elinks --dump localhost
#elinks --dump <ip address of http server>
#elinks 192.168.11.3  This worked for me and the above two URLs did not

Name based and port based Virtual Hosting
(with restricting access to host for one of the sites)
(with user based authentication for one of the sites)
Step 1 (Server)
---------------
#mkdir -p /var/www/virtual
#cd /var/www/virtual
#mkdir google  In this directory, create google.html. Put in some text
#mkdir yahoo  In this directory, create yahoo.html. Put in some text
#mkdir facebook  In this directory, create facebook.html. Put in some text
#mkdir twitter  In this directory, create twitter.html. Put in some text
Step 2 (Server)
---------------
#vim /etc/httpd/conf/httpd.conf
make sure that the following entries exist

NameVirtualHost 192.168.0.250:80
NameVirtualHost 192.168.0.250:8080
DirectoryIndex index.html index.html.var
DirectoryIndex google.html google.html.var
DirectoryIndex yahoo.html yahoo.html.var
DirectoryIndex facebook.html facebook.html.var
DirectoryIndex twitter.html twitter.html.var
Listen 80
Listen 8080
<VirtualHost 192.168.0.250:80>
ServerAdmin [email protected]
DocumentRoot /var/www/virtual/google
ServerName google.example.com
</VirtualHost>
#<Directory "/var/www/virtual/google">
#AllowOverride None
#Options None
#Order allow,deny  Allow and then deny all others
#Allow from all
#</Directory>
<Directory "/var/www/virtual/google">
AllowOverride None
Options None
Order allow,deny
Allow from desktop3.example.com  Allow google site only from desktop3.example.com. Deny all others
</Directory>
<VirtualHost 192.168.0.250:80>
ServerAdmin [email protected]
DocumentRoot /var/www/virtual/yahoo
ServerName yahoo.example.com
</VirtualHost>
<VirtualHost 192.168.0.250:8080>
ServerAdmin [email protected]
DocumentRoot /var/www/virtual/facebook
ServerName facebook.example.com
</VirtualHost>
<VirtualHost 192.168.0.250:8080>
ServerAdmin [email protected]
DocumentRoot /var/www/virtual/twitter
ServerName twitter.example.com
</VirtualHost>
<Directory "/var/www/virtual/twitter">
AuthType Basic
AuthName "This is for user based Authentication"
AuthUserFile /etc/httpd/.htpasswd
Require user user1 user2
</Directory>
Step 3 (Server)
---------------
#service httpd configtest  Syntax check
#httpd -t  Syntax check
#httpd -S  virtual host syntax check
Step 4a (Server)
----------------
#useradd user1
#useradd user2
#htpasswd -cm /etc/httpd/.htpasswd user1  c for create and m for md5 encrypted password for user1
#htpasswd -m /etc/httpd/.htpasswd user2  Since file already exists, no c needed. Add md5 encrypted password for user2
Step 4b (Server)
---------------
#vim /etc/hosts
Add the following entries
192.168.0.250 google.example.com
192.168.0.250 yahoo.example.com
192.168.0.250 facebook.example.com
192.168.0.250 twitter.example.com
Step 5 (Server)
---------------
#service httpd restart
#chkconfig httpd on
Step 6 (Server)
---------------
#tail -f /var/log/httpd/access_log  to see the hits on the apache server
Step 7 (Client)
---------------
In browser
http://google.example.com  only allowed from desktop3.example.com
http://yahoo.example.com
http://facebook.example.com:8080
http://twitter.example.com:8080  asks for userid and password. Need to enter user1 or user2 and their http password

Step 8 (Server)
---------------
#elinks --dump google.example.com  only allowed from desktop3.example.com
#elinks --dump yahoo.example.com
#elinks --dump facebook.example.com
#elinks --dump twitter.example.com  asks for userid and password. Need to enter user1 or user2 and their http password
Monitoring a website
ab command is used to perform realtime performance testing on a website
#ab http://demo.example.com/  You will see various things. one of them is response time
#ab -n 200 -c 10 http://demo.example.com/  200 requests from 10 users. The response time increases
#ab -n 1000 -c 20 http://demo.example.com/  1000 requests from 20 users. The response time further increases

iSCSI - Server side


#yum install scsi-target-utils* -y
#vim /etc/tgt/targets.conf
Add the following entries
<target iqn.2011-12.com.example:server1.desktop16.disk1>
backing-store /dev/sda5
initiator-address 192.168.0.16
</target>
<target iqn.2011-12.com.example:server1.server17.disk1>
backing-store /dev/sda6
initiator-address 192.168.0.117
</target>
#service tgtd stop
#service tgtd start
#chkconfig tgtd on
Default port for tgtd is 3260
Make sure that the port is open by issuing the following command
#netstat -ntlp | less

iSCSI - Client side
Go to one of the clients mentioned in the server's /etc/tgt/targets.conf file
#yum install iscsi-initiator-utils* -y
#iscsiadm -m discovery -t st -p 192.168.0.1  This is to get iqn number of the iscsi drive shared for the client by the server
m => mode
t => type
st => send targets
p => portal, ip address of server that is sharing the disk
#iscsiadm -m node -T iqn.2011-12.com.example:server1.desktop16.disk1 -p 192.168.0.1 -l
T => Target iqn number
l => login
If you get success message then the disk is attached.
To check if the disk is attached
#tail /var/log/messages | less
#fdisk -l | less  Shows /dev/sdb attached. You can now partition it
#fdisk -cu /dev/sdb  Add new partitions
#partx -d /dev/sdb
#partx -a /dev/sdb
#cat /proc/partitions
#mkfs.ext4 /dev/sdb1
For mounting always use blkid. Do not use /dev/sdb1
#mkdir /mnt/iscsi
#blkid /dev/sdb1  get UUID
#vim /etc/fstab
Add the following entry
UUID="......." /mnt/iscsi ext4 _netdev 0 0
#mount -a
#iscsiadm -m node -T iqn.2011-12.com.example:server1.desktop16.disk1 -p 192.168.0.1 -u -o delete
u => logout
o => operation. delete removes the node record from the local iscsi cache. No data on the disk is deleted

File Searching (examples)
#find -name snow.png
#find / -name '*.txt'
#find /etc -name '*pass*'
#find /home -user joe -group joe  files owned by user joe and group joe
#find /home -user joe -not -group joe  files owned by user joe and not by group joe
#find /home -user joe -o -user jane  files owned by user joe or user jane
#find /home -not \( -user joe -o -user jane \)  files NOT owned by user joe or user jane
#find / -user joe -o -uid 500  files owned by user joe or user with uid 500
#find / -perm 755  files that have 755 permissions
#find / -perm +222  files that anyone can write
#find / -perm -222  files that every one can write
#find / -perm -002  files that others can write
#find / -size 10M  files exactly 10M in size
#find / -size +10M  files > 10M in size
#find / -size -10M  files < 10M in size
#find /tmp -ctime +10  files changed more than 10 days ago

#find -size +100M -ok mv {} /tmp/largefiles/ \;  files that are more than 100M size are moved to a different directory. Prompts for each file move
#find -size -100M -exec mv {} /tmp/smallfiles/ \;  files that are less than 100M size are moved to a different directory. NO PROMPT
#find / -type f -group ftp -not -user root -exec cp -p {} /tmp/ftpfiles/ \;
#find / -type f -perm -002 -exec chmod o-w {} \;
#find / -not -perm +111 -name '*.sh' -ok chmod 755 {} \;
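The three -perm spellings above (exact, "-" for all of the bits, "+" or "/" for any of the bits) are the part of find people most often get wrong when hunting for world-writable files. The following added example (not from the original notes) implements the same tests over a constructed table of paths and modes, and also shows what the "-perm -002 -exec chmod o-w" remediation line would change; "+" is the older GNU spelling that newer versions of find reject in favour of "/":

```python
# Added example, not from the original notes: find's three -perm forms
# applied to a constructed {path: mode} table, plus the effect of
# "find / -type f -perm -002 -exec chmod o-w {} \;".


def perm_matches(mode, spec):
    """Mirror find -perm: '755' exact, '-222' all of these bits set,
    '+222' or '/222' any of these bits set ('+' is the older GNU spelling)."""
    bits = int(spec.lstrip("-+/"), 8)
    perm = mode & 0o7777                 # keep setuid/setgid/sticky, drop file-type bits
    if spec.startswith("-"):
        return perm & bits == bits
    if spec[0] in "+/":
        return bool(perm & bits) or bits == 0   # GNU find: -perm /000 matches everything
    return perm == bits


def find_by_perm(entries, spec):
    """entries: {path: mode}. Return the sorted paths whose mode matches spec."""
    return sorted(p for p, m in entries.items() if perm_matches(m, spec))


def strip_other_write(entries):
    """What the 'find / -type f -perm -002 -exec chmod o-w {} \\;' line would do."""
    return {p: (m & ~0o002 if perm_matches(m, "-002") else m) for p, m in entries.items()}


SAMPLE_FILES = {                          # constructed sample, not a real system
    "/usr/bin/ls": 0o755,
    "/etc/shadow": 0o000,
    "/home/joe/notes": 0o664,
    "/home/joe/report": 0o444,
    "/srv/drop": 0o777,
    "/tmp/scratch": 0o1777,
}

if __name__ == "__main__":
    for spec in ("755", "+222", "-222", "-002"):
        print(f"-perm {spec:>5}: {find_by_perm(SAMPLE_FILES, spec)}")
    print({p: oct(m) for p, m in strip_other_write(SAMPLE_FILES).items()})
```

The "+222" result includes /usr/bin/ls because its owner has write, which is rarely what the note "files that anyone can write" is after; "-002" is the test that answers "can others write".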

Virtual Machine
#virsh destroy <vserverName>
#virsh undefine <vserverName>
#virt-manager  to launch Virtual Machine Manager

tar and compression
Order of compression.
#tar -cvf etc.tar /etc
#du -h etc.tar  to see how much space it occupies
#tar -czvf etc.tar.gz /etc
#du -h etc.tar.gz  to see how much space it occupies
#tar -cjvf etc.tar.bz /etc
#du -h etc.tar.bz  to see how much space it occupies
#tar -cJvf etc.tar.xz /etc
#du -h etc.tar.xz  to see how much space it occupies
c => Create
v => verbose
f => file tar
z => gzip
j => bzip2
J => xz
tar is the only command where destination is given first and source later.

iptables
#iptables -F  Flush default iptables. Default are filter tables
#iptables -t filter -F  Flush filter tables
#iptables -t nat -F  Flush nat tables
#iptables -t mangle -F  Flush mangle tables
#service iptables save  Save the iptables
#service iptables stop
#service iptables start
#service iptables restart

VNC Server and Viewer
Did not look into it. Is it covered in the exam?

gpg GNU Privacy Guard
