Suse 12 Manual Guide

The document provides instructions for installing and configuring SUSE Linux Enterprise Server 12 on VMware ESXi virtual machines using both network and local installation methods. It also covers cloning virtual machines, basic Linux commands and utilities for networking, compression, archiving and more.

#LinuxCBT SLES12 Edition#

#Install Desktop#
Use: Server base and enable GNOME + Compiler tools

Tasks:
1. Update HOSTNAME via YaST

#SUSE Server - Network Installation #

via HTTPD Server (Ubuntu)

Tasks:
1. Ensure SLES12 ISO image is HTTP-accessible
a. 192.168.75.101 (Ubuntu|HTTPD)
b. 'cd /LinuxCBT && mount -t iso9660 -o loop /LinuxCBT/SLE-12-Server-DVD-x86_64-GM-DVD1.iso /LinuxCBT/SUSE12'
c. 'df -h /LinuxCBT/SUSE12' - confirm mount

2. VMware ESXi - Setup GUEST
a. 1024MB, 20GB, 1-CPU, 1-NIC, SUSE Linux 11 64-bit - Reference SLES ISO image
3. Install using HTTP: http://192.168.75.101/SUSE12
NOTE: Default Net settings use DHCP - this simplifies Virtualization cloning
NOTE: Update post-installation | clone using: 'yast'
4. Find usable IP range for various nodes
a. 'nmap -v 192.168.75.140-142'

#SUSE Server - SSH-based Installation #

Features:
1. Network-based
2. Installed from remote client
3. Requires limited effort on the server-side (VMware ESXi)

Tasks:
1. Install via SSH
a. Provision an instance on HOST server (ESXi) - reference ISO boot image
a1. 'usessh=1 sshpassword=InstallSUSE12' - indicate at boot prompt
b. boot and obtain connection details: IP and instruction (yast.ssh)
c. Connect from client:
c1. 'ssh -X [email protected]' && 'yast.ssh' - launches TUI interface
NOTE: Default options will launch the server in GUI mode with: 2.5GB footprint
NOTE: YaST installer derived an address via DHCP to carry out the installation; however, we indicated the usage of a static address, which will be applied post-reboot
NOTE: TUI interface is the default in the event of inability to write GUI to client
NOTE: In our case, TUI interface defaulted because we SSHed to the YaST installer via a third-party HOST

#SUSE Server - VNC-based Installation #

Features:
1. Network-based
2. Installed from remote client
3. Requires limited effort on the server-side (VMware ESXi)
4. Uses VNC protocol as opposed to: SSH with X11

Tasks:
1. Provision GUEST on ESXi
a. Boot Prompt: 'vnc=1 vncpassword=InstallSUSE12'
b. set applicable options: i.e. HTTP source
2. Connect via VNC client: i.e. 'vncviewer' (installed by default)
a. 'vncviewer' -> 192.168.75.28:1 -> supply password
b. continue installation

3. Fix broken VNC by altering 'systemd' target
a. 'yast' -> System Services -> Change Default Target to: Multi-User Graphical...
b. 'reboot' && test

#Clone Instance using ESXi #

Features:
1. Rapid provisioning of configured stacks (images)

Tasks:
1. Clone the Node
NOTE: Requires that the Node is shut
a. 'vmkfstools -i INPUT OUTPUT [-d thin]' - clones storage to target
b. 'ssh ESXi' and perform clone
b1. 'ssh [email protected]'
b2. 'mkdir ../linuxcbtsuse4'
b3. 'vmkfstools -i ./linuxcbtsuse3.vmdk ../linuxcbtsuse4/linuxcbtsuse4.vmdk -d thin'
c. Create a new GUEST container and link it to the new 'linuxcbtsuse4.vmdk' file
NOTE: Usually, we clone the startup disk first
NOTE: However, you can clone any .vmdk file of interest: i.e. '/home', '/opt', '/etc'
NOTE: Ensure unique network details (IP) prior to simultaneous instantiation

# Basic Linux Skills #

Features:
1. Facilitate easy navigation and usage of *Nix systems

Tasks:
A. Explore Tools
1. Spawning a new $SHELL generates a new: pseudo-terminal (pts) device: '/dev/pts[0..N]'
NOTE: The $SHELL-providing program works with the kernel to supply $SHELL (pts device): i.e. SSH, Telnet, GNOME Terminal, etc.
a. 'tty' - reveals currently-connected TTY
NOTE: Applies to console-based TTYs as well: i.e. tty[1-7(GUI)]
2. 'whoami' - reveals per-TTY effective permissions
NOTE: $SHELLs attached to TTYs are independent
3. 'w' - reveals connected users to various TTYs
4. 'pwd' - reveals current working directory - relative to the '/' FS
5. 'ls'
a. 'ls -a' - reveals hidden entries: i.e. '.' (cwd), '..' (one level up)
b. 'ls -l' - long format - returns ownership, permissions, timestamp and data
c. 'ls -li' - all of above plus INODE data
6. 'find'
a. 'find ./ -name '*txt*' ' - descends the tree from the cwd to find content
NOTE: 'find' can search based on any metadata associated with files
7. 'touch' - creates || updates file timestamp data
a. 'touch test.txt' - creates an empty file IF NOT EXISTS, OR updates timestamp
8. 'cat' - concatenates content: i.e. aggregates various files into 1 output stream (linear)
a. 'cat 1.txt 2.txt 3.txt' - aggregates the 3 files into 1 linear output stream
b. 'cat 1.txt 2.txt 3.txt > 1-3.txt'
9. 'mkdir' - creates directory
10. 'rmdir' - removes the directory recursively
11. 'rm -rf' - removes content recursively
NOTE: Be careful, as these tend to be 'generally' unrecoverable
12. 'echo' - dumps whatever you tell it to: STDOUT || file || elsewhere
13. 'history' - dumps a history of recently executed commands
NOTE: per-user based
NOTE: Each command is indexed, beginning with 1, and can be referenced using: '!NUM': i.e. '!50' - executes command # 50 from your history
i.e. 'ls -la ~/.bash_history' - contains your history
14. 'wc' - counts words
a. 'wc -l' - counts lines
15. '>' - output redirection in clobber-mode(erases any target indicated)
a. 'cat 1.txt 2.txt 3.txt > 1-3.txt'
16. '>>' - append redirection - IF CONTENT EXISTS - ADD ELSE CREATE
a. 'cat 1.txt 2.txt 3.txt >> 1-3.txt'
16. '&&' - Command Chaining using LOGICAL AND
a. 'cat 1.txt 2.txt 3.txt >> 1-3.txt && ls -l'
17. '||' - Command Chaining using LOGICAL OR
a. 'cat 1.txt 2.txt 3.txt >> 1-3.txt || ls -l'
18. ';' - Command Chaining using LOGICAL INDEPENDENCE
a. 'cat 1.txt 2.txt 3.txt >> 1-3.txt ; ls -l' - run B regardless of exit status of A
NOTE: This runs a series of commands

19. 'head' && 'tail' - reveal head || tail of content
a. 'sudo head /var/log/messages' - reveals first 10 entries
b. 'sudo tail /var/log/messages' - reveals last 10 entries
20. 'file' - reveals the type of content a file is: i.e. PDF, TXT, Binary, etc.
a. 'file FILE'
b. 'file `which file` ' - exposes that 'file' is of type binary
21. Command substitution using '`' || '$()'
a. 'file `which file`' - substitutes the output of 'which file' as the input to: 'file'
b. 'file $(which file)'
22. Set variable to the output of a command:
a. 'export TEST1=$(which file)' - sets TEST1 for the duration of a SINGLE $SHELL
23. Reveal $SHELL VARs and Details using:
a. 'env'
b. 'set'
24. 'dmesg' - dumps kernel boot messages
25. 'less' && 'more' - paginators - one pagefull of data per dump
26. 'top' - auto-refreshes key stats
a. Memory
b. CPU
c. Top programs running
d. uptime
e. load average
f. etc.

27. 'ps'
a. 'ps -ef' || 'ps aux' - returns PIDs, PPIDs, Users, Processes, TTYs, etc.
b. 'ps -ef | grep 36044' - shows ALL PIDs related to PID=36044
c. 'ps' - reveals the basics of processes launched in the current $SHELL

28. 'free' - reveals memory utilization
a. RAM
b. SWAP
29. 'df && mount' - mounted file systems and their related storage usage
a. 'df -h' - utilization information
b. 'mount' - reveals mounts and options associated
30. 'dd' - can duplicate ANY accessible data
a. 'dd if=/dev/zero of=1GB bs=1M count=1024'

# Compression | Archival Tools - Basic Linux Tools #

Features:
1. Compress - gzip | bzip2 | zip | etc.(7zip | rar)
2. Archive - tar

Tasks:
1. Gzip -> .gz(suffix)
a. 'gzip -c 1GB > 1GB.gz'
NOTE: 10**3 reduction in size: i.e. from 1GB -> ~1024K
b. 'gunzip 1GB.gz' - restores the original content
c. 'gzip -d 1GB.gz' - equivalent to 'gunzip...'

d. 'zcat gzip_CONTENT' - on-the-fly decompression of GZIP content without exploding the file to disk: i.e. useful with LOG files
e. 'seq 10000000 > 10million.txt'
f. 'zcat 10million.txt.gz' - on-the-fly
g. 'less 10million.txt.gz' - on-the-fly - in-built gzip decompression
NOTE: 'more 10million.txt.gz' - does NOT include GZIP on-the-fly decompression

2. Bzip2 -> .bz2(suffix)
a. 'bzip2 -c 1GB > 1GB.bz2'
b. 'bunzip2 1GB.bz2'
NOTE: This case is superior to its GZIP counterpart
NOTE: ALWAYS check checksums to mitigate data-corruption issues

3. Zip | Unzip -> .zip(suffix) - still predominant in the world of Windows
NOTE: zip stores archives similar to: 'tar'
a. 'zip TARGET SOURCE'
a1. 'zip 1GB.zip 1GB'

4. Tar - standard archival tool
a. 'tar -cvf TARGET SOURCE'
a1. 'tar -cvf temp.tar /home/linuxcbt/temp' - creates archive SANS compression
b. 'tar -cvzf temp.tar.gz /home/linuxcbt/temp'
c. 'tar -xvf temp.tar' - recreates(extracts) FULL tree in the CWD
d. 'tar -tvzf temp.tar.gz' - displays archive data
e. 'tar -xzvf temp.tar.gz' - extracts archive

# Client Utilities #
Features:
1. Discovery of HOSTs
2. Discovery of Services: i.e. SSH, HTTP, HTTPS, MySQL, etc.
3. Path between HOSTs - 'traceroute', 'mtr'
4. L2 Data -> 'arp'
5. Network Statistics -> 'netstat'
6. Name resolvers: 'dig', 'host', 'nslookup'

Tasks:
1. Explore
a. 'ping' - ICMP (echo -> echo-reply sequences)
a1. 'ping -c 3 192.168.75.1'
a2. 'ping -I eth0 -c 2 192.168.75.1' - enforces the usage of: 'eth0'
a3. 'ping -i 2 -c 10 192.168.75.1' - interval shifts from 1-sec(default) to 2-secs

b. 'netstat'
b1. 'netstat -rn' - reveals current routing table
'
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.75.1    0.0.0.0         UG      0 0      0    eth0
192.168.75.0    0.0.0.0         255.255.255.0   U       0 0      0    eth0
'
NOTE: Typically, a node with 1-NIC, connected to 1-VLAN, has a minimum of: 2-Routes (as above): including: the default GW and the connected subnet
b2. 'netstat -i' - list available interfaces
b3. 'netstat -an[tu]' - lists (TCP|UDP) sockets in various states: i.e. 'LISTEN', 'ESTABLISHED', etc.
b4. 'netstat -ntl' - lists TCP LISTENERs (where State=LISTEN)

c. 'tracepath' - 'mtr', 'traceroute'-like tool for identifying the path between 2 nodes
c1. 'tracepath www.linuxcbt.com'

d. 'host' - basic(quick) name resolver - with few details
d1. 'host www.linuxcbt.com'
d2. 'host 136.243.10.214' - reverse lookup
e. 'nslookup' - more information than 'host'
e1. 'nslookup www.linuxcbt.com'
e2. 'nslookup' - enters interactive interface
e2a. 'server 192.168.75.101' - changes default server to NEW server
e2b. 'www.linuxcbt.com' - query is performed
f. 'dig' - provides the most information from basic DNS queries
f1. 'dig www.linuxcbt.com' - basic query that fails on our Net due to router issue
f2. 'dig @192.168.75.101 www.linuxcbt.com' - redirects query to the BIND instance that works
f3. 'dig @192.168.75.101 -x 136.243.10.214 www.linuxcbt.com' - reverse query

g. 'telnet' - check if a TCP port is LISTENing
g1. 'telnet www.linuxcbt.com 3306' - check if MySQL is accessible

h. 'arp' - dumps L2 data - L3 -> L2 info
h1. 'arp [-n]' - dumps VLAN-connected nodes

# User | Group Management #

Features:
1. YaST (Easy)
2. $SHELL tools are alternatives to YaST: i.e. scripting

Tasks:
1. Use YaST to provision new $USER resources
a. 'sudo yast'
a1. create new user called: 'linuxcbt2'
b. Examine updated files: i.e. '/etc/{passwd,shadow,group}'
b1. '/etc/passwd'
'
linuxcbt2:x:1001:100:LinuxCBT2:/home/linuxcbt2:/bin/bash
'
username:shadow_ref:uid:gid:Description:$HOME:$SHELL

b2. '/etc/shadow'
'
linuxcbt2:$6$ctRaQgRLMqxy$sUg66.fKY4tvB2S5xzrahEYMxFcHcrc9.4T50tukHjKiKCAFIeAPd6SYRLjqrn7uVpOz6x2cEKN2ERKGvxx3r.:0:3:45:5:::
'
username:SHA512Password:days_since_epoch_password_last_changed:Days_before_password_may_be_changed:max_days_keep_password:days_before_password_expires_warning_is_sent:Days_after_password_expires_account_is_disabled:days_since_epoch_account_has_been_disabled:reserved_field

b3. 'grep wwwrun /etc/passwd'
'
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
'

NOTE: Service accounts usually need NOT login to the system, thus: $SHELL=/bin/false
b4. 'sudo grep wwwrun /etc/shadow'
'wwwrun:*:16357::::::'
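The passwd and shadow field layouts above, parsed and audited, as an added example that is not part of the course notes. The sample rows are constructed (the two rows taken from the notes carry a placeholder instead of the real hash), the shell list and the 1000 UID boundary are assumptions about a default SLES install, and the audit flags the things an administrator would review: duplicate UID 0, empty password fields, forced password changes, and service accounts that keep an interactive shell.

```python
"""Added example (not from the LinuxCBT notes): parse /etc/passwd and /etc/shadow
lines into the fields described above and flag entries worth reviewing."""
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed sample data. 'linuxcbt2' and 'wwwrun' mirror the notes' rows (the
# real hash replaced by a placeholder); 'backup' and 'toor' are constructed to
# show what the audit catches.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
linuxcbt2:x:1001:100:LinuxCBT2:/home/linuxcbt2:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
backup:x:34:34:backup:/var/backups:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$salt$PLACEHOLDERHASH:16357:0:99999:7:::
linuxcbt2:$6$ctRaQgRLMqxy$PLACEHOLDERHASH:0:3:45:5:::
wwwrun:*:16357::::::
backup::16357::::::
toor:!:16357::::::
"""
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
FIRST_REGULAR_UID = 1000  # assumption: SLES starts regular users at 1000 (linuxcbt2 is 1001)

@dataclass
class PasswdEntry:
    name: str
    passwd: str  # 'x' means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

@dataclass
class ShadowEntry:  # field order exactly as the notes describe it
    name: str
    hash: str
    last_change: Optional[int]  # days since epoch; 0 forces a change at next login
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]

def _rows(text: str, nfields: int) -> Iterator[List[str]]:
    """Yield the colon-separated fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":")
            if len(f) != nfields:
                raise ValueError(f"expected {nfields} fields: {line!r}")
            yield f

def _opt_int(field: str) -> Optional[int]:
    return int(field) if field else None

def parse_passwd(text: str) -> List[PasswdEntry]:
    return [PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]) for f in _rows(text, 7)]

def parse_shadow(text: str) -> List[ShadowEntry]:
    return [ShadowEntry(f[0], f[1], *(_opt_int(x) for x in f[2:8])) for f in _rows(text, 9)]

def password_state(hash_field: str) -> str:
    """Classify the shadow password field the way login reads it."""
    if hash_field == "":
        return "empty"      # no password required at all
    if hash_field[0] in "!*":
        return "locked"     # '*' or '!' can never match a typed password
    if hash_field.startswith("$"):
        return "hashed"     # '$6$' prefix = SHA-512 crypt, as in the notes
    return "unknown"

def audit(passwd_text: str, shadow_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to review."""
    passwd = parse_passwd(passwd_text)
    shadow = {s.name: s for s in parse_shadow(shadow_text)}
    findings = []
    uid0 = [p.name for p in passwd if p.uid == 0]
    if len(uid0) > 1:
        findings.append("multiple UID 0 accounts: " + ", ".join(uid0))
    for p in passwd:
        s = shadow.get(p.name)
        if s is None:
            findings.append(f"{p.name}: no shadow entry")
            continue
        state = password_state(s.hash)
        if state == "empty":
            findings.append(f"{p.name}: empty password field (login without a password)")
        if state == "hashed" and s.last_change == 0:
            findings.append(f"{p.name}: password change forced at next login (lastchg=0)")
        if 0 < p.uid < FIRST_REGULAR_UID and p.shell not in NOLOGIN_SHELLS:
            findings.append(f"{p.name}: service UID {p.uid} with interactive shell {p.shell}")
    return findings
```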

b5. Add group=projectx using: 'yast'
b5a. join: 'linuxcbt', 'linuxcbt2' to group=projectx
NOTE: Currently-logged in TTYs will NOT reflect the new group membership: re-login to update

c. $SHELL tools
c1. 'useradd'
c2. 'userdel'
c3. 'usermod'

# File Permissions #
Features:
1. Provides Discretionary Access Control (DAC)-based permissions
2. Provides changeable bits that impact permissions for the following sets:
a. Owner (Principal) of the object: i.e. file | directory
b. Group Owner
c. Everyone (catchall)
3. 10-bits describe the type of objects and the effective DAC on the object
a. leading bit: i.e. '-'(regular file), 'd'(directory), 'c'(char devs), 'b'(block devs)
b. trailing 9-bits govern permissions (DAC) for the various sets:
b1. Owner: rwx=7
b2. Group Owner: rwx=7
b3. Everyone else: rwx=7
c. Each permission is equivalent to a different value, with a total sum of 7
c1. r=4
c2. w=2
c3. x=1
NOTE: If a permission bit is unset, its octal value = 0: i.e. r-x = 4+0+1 = 5 || --- = 0+0+0 = 0

NOTE: Permissions carry both: Symbolic(rwx) and Octal(0,4,2,1) values
NOTE: Per object(i.e. file | directory), the octal values associated with permissions are stored
4. Common tools used to interact with Linux DAC permissions include:
a. GUI - Nautilus or equivalent browser
b. 'chmod' - changes the Octal mode of a file object
b1. 'chmod 640 LinuxCBT_SLES12_Edition_Notes' - permits 'users' group privilege to 'read' the file
b2. 'chmod o+r LinuxCBT_SLES12_Edition_Notes && stat LinuxCBT_SLES12_Edition_Notes' = 0644
b3. 'chmod o+rw,g+rw LinuxCBT_SLES12_Edition_Notes && stat LinuxCBT_SLES12_Edition_Notes' = 0666

c. 'chown' - changes the ownership of an object
c1. 'chown linuxcbt:projectx LinuxCBT_SLES12_Edition_Notes && stat LinuxCBT_SLES12_Edition_Notes'

5. Various Leading bits that enable different behaviours on file objects
a. '0644' - leading bit = 0 = normal file | directory
b. '2664' - leading bit = 2 = SETGID - object will wear consistent permissions for groups
NOTE: This is typically applied to a directory object so that files created within wear a consistent group permission
c. '4755' - leading bit = 4 = SETUID - object executes as its owner (usually 'root')
NOTE: SETUID elevates privileges for the executable
c1. 'find /usr/bin -perm 4755' - reveals various SETUID executables
d. '1777' - leading bit = 1 = STICKY BIT - i.e. '/tmp' - object will have content that is mutable by owner (exception root) only
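The 10-bit mode string, the 4-digit octal mode and chmod's symbolic form, converted into one another, as an added example that is not part of the course notes. It reproduces the notes' '640' then 'o+r' = 0644 and 'o+rw,g+rw' = 0666 checks and goes one step further by also handling the SETUID/SETGID/sticky leading digit; the symbolic parser covers only the 'ugoa' '+-=' 'rwxst' subset, which is an assumption rather than the full chmod grammar.

```python
"""Added example (not from the notes): convert between the 10-character mode
string shown by 'ls -l', the 4-digit octal mode used by 'chmod', and chmod's
symbolic form ('o+r', 'o+rw,g+rw'), covering the SETUID/SETGID/sticky bits."""
import re
import stat

# Leading character of 'ls -l' output -> file type (the notes list -, d, c, b).
TYPE_CHARS = {"-": "regular file", "d": "directory", "c": "char device",
              "b": "block device", "l": "symbolic link", "p": "fifo", "s": "socket"}
# Per-set permission bits; 's' is only meaningful for u/g, 't' only for o.
PERM_BITS = {
    "u": {"r": 0o400, "w": 0o200, "x": 0o100, "s": stat.S_ISUID},
    "g": {"r": 0o040, "w": 0o020, "x": 0o010, "s": stat.S_ISGID},
    "o": {"r": 0o004, "w": 0o002, "x": 0o001, "t": stat.S_ISVTX},
}
SPECIAL = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)  # owner, group, other slot

def parse_mode_string(text: str):
    """'-rwsr-xr-x' -> ('-', 0o4755). Raises ValueError on malformed input."""
    if len(text) != 10 or text[0] not in TYPE_CHARS:
        raise ValueError(f"not a 10-character mode string: {text!r}")
    bits = 0
    for i in range(3):                      # owner, group, everyone else
        r, w, x = text[1 + 3 * i: 4 + 3 * i]
        shift = 6 - 3 * i                   # 4/2/1 land in the right octal digit
        if r not in "r-" or w not in "w-":
            raise ValueError(f"bad triplet in {text!r}")
        bits |= (4 << shift) if r == "r" else 0
        bits |= (2 << shift) if w == "w" else 0
        if x in "xst":
            bits |= 1 << shift
        if x in "sStT":                     # special bit shown in the x column
            if x.lower() != ("s" if i < 2 else "t"):
                raise ValueError(f"special bit in wrong column: {text!r}")
            bits |= SPECIAL[i]
        elif x not in "x-":
            raise ValueError(f"bad x column {x!r} in {text!r}")
    return text[0], bits

def to_octal(bits: int) -> str:
    """0o4755 -> '4755'; the leading digit is the SETUID(4)/SETGID(2)/sticky(1) sum."""
    return f"{bits & 0o7777:04o}"

def to_mode_string(type_char: str, bits: int) -> str:
    """('d', 0o1777) -> 'drwxrwxrwt'. Uppercase S/T means the bit is set without x."""
    out = type_char
    for i in range(3):
        shift = 6 - 3 * i
        out += "r" if bits & (4 << shift) else "-"
        out += "w" if bits & (2 << shift) else "-"
        has_x, has_special = bool(bits & (1 << shift)), bool(bits & SPECIAL[i])
        letter = "s" if i < 2 else "t"
        out += (letter if has_x else letter.upper()) if has_special else ("x" if has_x else "-")
    return out

def apply_symbolic(bits: int, spec: str) -> int:
    """Apply a chmod symbolic spec such as 'o+r' or 'o+rw,g+rw' to a mode."""
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]*)([+=-])([rwxst]*)", clause)
        if not m:
            raise ValueError(f"unsupported symbolic clause: {clause!r}")
        who, op, perms = m.groups()
        sets = "ugo" if (who == "" or "a" in who) else who
        mask = 0
        for s in sets:
            for p in perms:
                mask |= PERM_BITS[s].get(p, 0)   # 's' on 'o' or 't' on 'u' is a no-op
        if op == "+":
            bits |= mask
        elif op == "-":
            bits &= ~mask
        else:                                    # '=' replaces the whole set
            clear = 0
            for s in sets:
                for b in PERM_BITS[s].values():
                    clear |= b
            bits = (bits & ~clear) | mask
    return bits & 0o7777

def chmod_result(start_octal: str, spec: str) -> str:
    """Mirror the notes' 'chmod 640 ... && chmod o+r ...' checks: '0640','o+r' -> '0644'."""
    return to_octal(apply_symbolic(int(start_octal, 8), spec))
```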

# Symbolic Links #
Features:
1. The ability to link to content in a variety of ways
a. Soft
b. Hard
2. Soft Link creates a shortcut in the 'Windows' sense (link to a named file object)
NOTE: Caveat includes: failure in the original 'named' file breaks ALL outstanding Soft Links
NOTE: Advantage includes the traversal of File Systems (FS)
NOTE: Soft Links do NOT update the link counter exposed via commands such as: 'ls -l' && 'stat', etc. because, the link counter references the number of HARD links related to the object
3. Hard Link creates a link to the underlying INODE that represents the file by instantiating a NEW instance of the file sans duplication of data storage requirements: i.e. FILE1 => 1GB, FILE1a => original 1GB
NOTE: Caveat is that Hard Links may not, by default, traverse File Systems (FS)

4. 'ln' - used to create both types of links
a. '-s' - creates a Soft SymLink
b. '' - no option - creates a Hard Link

Tasks:
1. Create some content and link to in a variety of ways - Soft Links
a. 'ln -s ~linuxcbt/temp/100MB ~linuxcbt/temp/100MB.1' - creates soft link
i.e. '
lrwxrwxrwx 1 linuxcbt users 5 Feb 12 08:37 100MB.1 -> 100MB
'
NOTE: Soft Links are flagged with: leading bit = 'l' and ALL bits enabled, however, underlying Source File's permissions are effective (or dictate access control)
2. Create some HARD Links
a. 'ln SOURCE DEST'
a1. 'ln ~linuxcbt/temp/100MB ~linuxcbt/temp2/100MB'

3. Test content duplication when using HARD links
NOTE: Hard Links do NOT duplicate content

4. Change permissions on HARD LINK and examine behavior
a. 'chmod 777 ~linuxcbt/temp2/1GB.48 && ls -l ~linuxcbt/temp2'
NOTE: ALL FILES have the SAME perms as perms are stored in the metadata area of the INODE that represents the file and ALL HARD LINKS reference the same INODE and as a consequence the same permissions
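The soft-link and hard-link behaviour claimed above, reproduced on a scratch directory, as an added example that is not part of the course notes. File names follow the notes ('100MB', '100MB.1'); the content is a constructed one-line string and the hard-link name '100MB.hard' is an assumption. The returned observations show the link counter only moving for hard links, the shared inode and permissions, the 'lrwxrwxrwx' mode of the symlink, and which link survives removal of the original name.

```python
"""Added example (not from the notes): reproduce the soft/hard link behaviour
described above on a scratch directory and return what was observed."""
import os
import stat
import tempfile

def link_experiment() -> dict:
    """Create a file, a soft link and a hard link to it, then record the
    observations the notes make: link counts, shared inode, shared permissions,
    and what happens to each link when the original name is removed."""
    obs = {}
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "100MB")         # name from the notes; content is tiny here
        soft = os.path.join(d, "100MB.1")      # the notes' 'ln -s' target name
        hard = os.path.join(d, "100MB.hard")   # constructed name for the hard link
        with open(src, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(src, 0o644)
        obs["nlink_initial"] = os.stat(src).st_nlink                  # 1
        os.symlink("100MB", soft)              # relative target, as 'ln -s' stores it
        obs["nlink_after_symlink"] = os.stat(src).st_nlink            # still 1: soft links do not count
        os.link(src, hard)
        obs["nlink_after_hardlink"] = os.stat(src).st_nlink           # 2
        obs["same_inode"] = os.stat(src).st_ino == os.stat(hard).st_ino
        obs["symlink_mode"] = stat.filemode(os.lstat(soft).st_mode)   # 'lrwxrwxrwx' on Linux, as in 'ls -l'
        obs["symlink_effective_mode"] = oct(stat.S_IMODE(os.stat(soft).st_mode))  # source's 0o644 governs
        os.chmod(hard, 0o777)                  # the notes' 'chmod 777' on the hard link
        obs["src_mode_after_chmod_on_hardlink"] = oct(stat.S_IMODE(os.stat(src).st_mode))  # '0o777'
        os.remove(src)                         # remove the original name only
        with open(hard) as fh:
            obs["hardlink_still_readable"] = fh.read().startswith("constructed")
        obs["symlink_dangling"] = os.path.islink(soft) and not os.path.exists(soft)
        obs["nlink_after_remove"] = os.stat(hard).st_nlink            # back to 1
    return obs
```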

# System Scheduler #
Features:
1. Facility with which to schedule jobs (items to be executed: i.e. scripts, binaries, etc.)
2. Implemented via 'cronie' RPM
3. Scans each minute for jobs to execute
NOTE: Thus, CRON is limited to per-minute frequencies as the smallest interval of job-execution
4. Supports system-wide && per-user schedules
5. Use: '-' &&|| ',' to separate time intervals: '1,11,41,55 * * * * JOB.sh'
'10-25 0-5 * * * JOB.sh' - runs 10th-25th minute in the 0th-5th hours

Tasks:
1. Explore CRON footprint
a. 'rpm -ql cronie'
a1. '/etc/cron.deny' - list of users who may NOT submit jobs to the system scheduler
a2. '/etc/crontab' - system-wide cron table - jobs that maintain the system
a2a. various jobs that are to execute on various frequencies are indicated: i.e. hourly,daily,weekly,monthly

2. Scheduling constraints (rules):
a: M(0-59) -> i.e. 0 * * * * JOB.sh -> job runs at the top of every hour
b: H(0-23) -> i.e. 0 0-5 * * * JOB.sh - job runs at the top of the 0-5th hours (midnight - 5AM)
c: DOM(1-31) -> i.e. 0 0-5 25-28 * * JOB.sh - job runs at the top of the hour, midnight-5AM, 25th-28th DOM
d: M(1-12) -> i.e. 0 0-5 25-28 6-9 * JOB.sh - as above, Months=6-9
e. DOW(0-7||Sun,Mon,Tue) -> 0 0-5 25-28 6-9 Mon,Wed JOB.sh - as above, if criteria falls on Monday || Wednesday

3. Generate per-user simple JOB
a. 'uptime' - Capture output to file
NOTE: Prototype at $SHELL first and ensure EVERYTHING WORKS! Then schedule!

NOTE: The difference between: /etc/crontab && per-user cron is the reference of the $USER in: /etc/crontab
NOTE: You may also sub-divide each time interval: i.e. */1 * * * * JOB.sh - runs JOB every minute
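A small evaluator for the five cron time fields used in the scheduling rules above (lists, ranges, '*/step', month and weekday names, 7 as Sunday), as an added example that is not part of the course notes. It answers whether a crontab line fires at a given minute and when it fires next; the assumption worth knowing is cronie's documented rule that when BOTH day-of-month and day-of-week are restricted the job runs when EITHER matches, so '0 0-5 25-28 6-9 Mon,Wed JOB.sh' also fires on Mondays outside the 25th-28th.

```python
"""Added example (not from the notes): a minimal evaluator for the five cron
time fields used above (lists, ranges, */step, month and weekday names) that
says whether a crontab line fires at a given minute. Assumes cronie semantics:
when BOTH day-of-month and day-of-week are restricted, a job runs when EITHER
matches (crontab(5)), which is wider than an 'AND' reading suggests."""
import datetime as dt

MONTH_NAMES = {n: i + 1 for i, n in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split())}
DOW_NAMES = {n: i for i, n in enumerate("sun mon tue wed thu fri sat".split())}

def parse_field(spec: str, lo: int, hi: int, names=None) -> set:
    """'1,11,41,55' -> {1,11,41,55}; '10-25' -> range; '*/15' -> {0,15,30,45}; 'Mon,Wed' -> {1,3}."""
    names = names or {}

    def value(tok: str) -> int:
        return names[tok.lower()] if tok.lower() in names else int(tok)

    values = set()
    for part in spec.split(","):
        base, _, step_s = part.partition("/")
        step = int(step_s) if step_s else 1
        if step < 1:
            raise ValueError(f"bad step in {spec!r}")
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            a, b = base.split("-", 1)
            start, end = value(a), value(b)
        else:
            start = value(base)
            end = hi if step_s else start     # '5/10' means 5,15,25,... up to hi
        if not lo <= start <= end <= hi:
            raise ValueError(f"{part!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

class CronEntry:
    """One crontab line: five time fields followed by the command."""

    def __init__(self, line: str):
        parts = line.split(None, 5)
        if len(parts) < 6:
            raise ValueError(f"need 5 time fields and a command: {line!r}")
        m, h, dom, mon, dow = parts[:5]
        self.command = parts[5]
        self.minute = parse_field(m, 0, 59)
        self.hour = parse_field(h, 0, 23)
        self.dom = parse_field(dom, 1, 31)
        self.month = parse_field(mon, 1, 12, MONTH_NAMES)
        self.dow = {0 if d == 7 else d for d in parse_field(dow, 0, 7, DOW_NAMES)}  # 7 == Sunday == 0
        # cronie: a field is 'restricted' unless it starts with '*'
        self.dom_restricted = not dom.startswith("*")
        self.dow_restricted = not dow.startswith("*")

    def matches(self, when: dt.datetime) -> bool:
        if when.minute not in self.minute or when.hour not in self.hour or when.month not in self.month:
            return False
        cron_dow = (when.weekday() + 1) % 7       # Python Mon=0 -> cron Sun=0, Mon=1
        dom_ok, dow_ok = when.day in self.dom, cron_dow in self.dow
        if self.dom_restricted and self.dow_restricted:
            return dom_ok or dow_ok               # cronie's OR rule for DOM/DOW
        return dom_ok and dow_ok

def runs_at(line: str, year: int, month: int, day: int, hour: int, minute: int) -> bool:
    """Does this crontab line fire at the given wall-clock minute?"""
    return CronEntry(line).matches(dt.datetime(year, month, day, hour, minute))

def next_run(line: str, year: int, month: int, day: int, hour: int, minute: int, horizon_days: int = 366) -> str:
    """First firing strictly after the given minute, as 'YYYY-MM-DD HH:MM' ('' if none within horizon)."""
    entry = CronEntry(line)
    t = dt.datetime(year, month, day, hour, minute)
    for _ in range(horizon_days * 24 * 60):
        t += dt.timedelta(minutes=1)
        if entry.matches(t):
            return t.strftime("%Y-%m-%d %H:%M")
    return ""
```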

# rsyslogd #
Features:
1. Logs daemon | device information to files and various targets as needed: i.e. remote hosts | pipes | programs | etc.
2. Supports: Unix Domain Sockets (/dev/log)
3. Ability to receive and log remotely using 3 protocols:
a. UDP:514 -> Lossful especially under heavier demands, but legacy and still widely-supported
NOTE: Deprecate UDP:514 in favour of: TCP || RELP
a1. UDP logging entries are denoted as: 'facility.level @TARGET'
b. TCP:514 -> Loses less information than its: UDP:514 counterpart
b1. TCP logging entries are denoted as: 'facility.level @@TARGET'
c. RELP -> Lossless logging protocol that is supported by rsyslogd: >=v3.1.5
c1. RELP logging entries are denoted as: 'facility.level :omrelp:TARGET'
NOTE: 'TARGET' -> IP || HOSTNAME

NOTE: Default LOG location is LOCAL and so long as disk I/O and storage and energy are sufficient, you should NOT lose data.
d. Default configuration does NOT connect to the Network and must be enabled on a per-protocol (TCP|UDP|RELP) basis

Tasks:
1. Analyze default rules file: '/etc/rsyslog.conf'
a. Selectors - facilities.levels
NOTE: '*' => wildcard (ALL VALUES SUPPORTED)
a1. Facilities => Denote the source of information
a1a. Common Facilities: MAIL, AUTH, LOCAL0-7, Daemon, etc.
a2. Severity(Level)
a2a. Debug(0), Info(1), Notice(2), Warning(3), Error(4), Critical(5), Alert(6), Emergency(7)
Note: Messages >= current level are logged
Note: Messages < current level are ignored
NOTE: This applies ONLY when Severity(Level) is specified, with catchall exceptions: '*.emerg TARGET'
NOTE: 'FACILITY.none' - excepts the 'FACILITY' from being logged to the TARGET defined on the right-hand side of the rule

2. Set up 2 HOSTS as targets for TCP Syslog Messages
a. '/etc/rsyslog.d/remote.conf'
b. '/etc/sysconfig/syslog' => 'SYSLOG_REQUIRES_NETWORK=yes '
c. 'sudo systemctl restart rsyslog && netstat -ntlp | grep 514'

3. Configure client to send Syslog info via TCP:
a. '*.* @@192.168.75.140'
b. '*.* @@192.168.75.141'

# Log Rotation #
Features:
1. Rotates and optionally compresses logs based on rules: /etc/logrotate.d
2. Common Criteria include:
a. Time Frequencies including: Hourly, Daily, Weekly, Monthly, Annually
b. File Size: >= 1024k
3. Segments LOGs
4. Default Schedule: '/etc/cron.daily/logrotate' by Cron
NOTE: If Hourly execution is desired, move logrotate entry to cron.hourly schedule
5. Auto-checks existence in PROC table to avoid data-corruption
6. Maintains a state file of ALL rotated/examined/managed files in: /var/lib/logrotate.status

Tasks:
1. '/etc/logrotate.conf' - houses defaults that scripts in: /etc/logrotate.d inherit when NOT present or overridden
2. '/etc/logrotate.d' - look at various files: i.e. 'ntp'
Note: 'man logrotate.conf' - returns usable directives
Note: LOGS can be forced into rotation using the '-f' option on the CLI

3. Force rotation on existing files:
a. 'logrotate -v -f'
b. 'ls -l /var/log/' - examine

4. Create logrotate criteria for: /home/linuxcbt/*uptime*log
a. create rule
/home/linuxcbt/*uptime*log {
    daily
    compress
    maxage 365
    rotate 200
    notifempty
    missingok
    nocreate
}
b. Execute 'logrotate -v /etc/logrotate.conf' - and examine that it refuses to rotate the *uptime*log because a full day since the incorporation of the *uptime*log files into the DB: /var/lib/logrotate.status has not elapsed

5. Force rotation of: *uptime*log files
a. 'sudo logrotate -v -f /etc/logrotate.conf'

NOTE: logrotate can be used with any file | set of files that may benefit from log rotation management, NOT solely typical LOG files: i.e. I/O generated by your scripts, processes, etc.

#SWAP Configuration #
Features:
1. Virtual Memory
2. Dedicated SWAP Partition
3. Existing Partition implemented as a file

Tasks:
1. Dedicated SWAP partitions and provision SWAP storage for each server
a. 'free -m' reveals SWAP usage
b. Provision virtual storage via ESXi
c. Confirm availability via: 'fdisk -l' (look for new disk: i.e. /dev/sdb)

2. Provision SWAP partition
a. 'sudo parted /dev/sdb mklabel gpt mkpart primary 1 100% print' - parted takes all commands in one invocation; shell ';' separators would break it
b. 'mkswap /dev/sdb1'
linuxcbtsuse1: UUID=7a937544-2883-4933-b335-b5d9075d5a3d
linuxcbtsuse2: UUID=a0d6ea5a-137b-4da1-b197-7de87bbcfac8
linuxcbtsuse3: UUID=307654b1-ef04-46e1-add3-e1236b4c4aef
3. Check | Enable SWAP
a. 'swapon -s' - lists current status | configuration
b. 'swapon /dev/sdb1' - enables the device as a kernel-managed SWAP device ('swapon -a' instead enables every swap entry in /etc/fstab)

4. Commit SWAP partitions to persistence: /etc/fstab
a. 'UUID=7a937544-2883-4933-b335-b5d9075d5a3d none swap defaults 0 0'
NOTE: with btrfs, FILE-based SWAP is discouraged, but supported via loop-mounting.

# BTRFS #
Features:
1. New - Default for SLES12
2. YaST-Integrated
3. Copy-on-Write (COW) FS
4. 2**64 (16 EiB) of storage - i.e. partition, etc.
5. Snapshots:
a. Read-only
b. Writable
6. FS extension|reduction (currently unavailable in YaST)
7. Subvolume support
a. each subvolume managed as a distinct FS with its own: root '/'
b. Quota-support per sub-volume: sandbox capability
8. Checksums:
a. data
b. metadata
9. Compression
10. EXT[234] - Easy migration of content
11. Online FS Defrag
12. Various '*btrfs*' tools are included
13. Multi-Device support: ability to span FS across 1 or more physical|virtual disks
FYI: https://btrfs.wiki.kernel.org/index.php/Main_Page

Tasks:
1. Explore Installation Defaults
a. 'df -h' - dumps various FSs
b. 'btrfs filesystem show /'

2. Create Subvolumes
Features: Abstract root mount point: i.e. '/projectx' of BTRFS volume into slices that can wear distinct attributes
a. 'btrfs sub create /projectx/project3'
b. 'mount -o subvol=@/project3 UUID="4cbeb658-44d3-42a8-9d3a-72c5bb5e1aa0" /projectx/project3'
NOTE: This makes no visible user-space changes to the FS. BTRFS mount points simply appear as plain-old directories beneath the ROOT volume (default subvolume by default)
c. '/etc/fstab'
c1. 'UUID_OF_PARENT /projectx/project3 btrfs subvol=@/project3 0 0'

3. Add Device (extra storage) to existing BTRFS FS
a. provision extra block storage
a1. 'parted /dev/sdc print' - check for free blocks, then allocate
a2. 'parted /dev/sdc mkpart primary 8587MB 10587MB print'
a3. 'mkfs.btrfs /dev/sdc2 && parted /dev/sdc print'
a4. 'btrfs device add /dev/sdc2 /projectx'
a5. 'btrfs device usage /projectx/' - also shows storage allocation across 1 or more block DEVs

4. Snapshots (Linked Subvolumes)
NOTE: Initially, a snapshot doesn't cost extra storage.
NOTE: However, as data change, the snapshot will occupy new storage
a. 'btrfs sub snap /projectx /projectx' - creates a snapshot named: 'projectx' in: /projectx
NOTE: Snapshots are writable (by default)
b. 'btrfs sub show /projectx/' - also shows outstanding snapshots

#Logical Volume Management (LVM) #

Features:
1. Storage aggregation
a. Disparate storage resources lumped together into one or more volume groups
b. Volume Groups (VGs) can be abstracted to one or more Logical Volumes (LVs)
c. LVs are then overlayed with File Systems: i.e. BTRFS, XFS, EXT4, etc.
2. LVM Model (Framework)
a. Physical Volumes (PVs) - storage blocks: i.e. /dev/sdb[1-3], /dev/sdc[4-8]
a1. Administered using: 'pv*' command-set || YaST
b. Volume Group (VG) - Aggregates PVs
c. Logical Volume (LV) - Extract of VG

Tasks:
1. Provision LVM from recently added block storage: i.e. /dev/sd[b-d]
a. Using: 'YaST' GUI - provision LVM with: /dev/sdc
NOTE: Error when allocating 50% of the size of the VG to an LV
NOTE: Works after allocating 100% of the size of the VG to the LV

2. Volume Management from the CLI
a. Explore the current components
a1. 'sudo fdisk -l | grep "^Disk"' - dumps current disks known to the system
a2. 'parted /dev/sdc print' - prints disk configuration including: label and partition(s)
a3. 'pvdisplay' - dumps ALL LVM-allocated storage blocks
NOTE: 'pvdisplay' reflects discrepancies across the 2-disks: /dev/sd[cd]
a4. 'vgdisplay' - dumps ALL known LVM-managed VGs
a5. 'lvdisplay' - dumps ALL known LVM-managed LVs
NOTE: this also reflects naming discrepancies

b. Clean-up configuration from CLI
b1. 'lvremove /dev/volgroup001/logvol001'
b2. 'vgremove /dev/volgroup001' - use GUI if necessary
b3. 'pvremove /dev/sdc'
b4. 'lvdisplay && pvdisplay && vgdisplay' - ensure ALL objects are removed

c. Re-instate LVM via CLI - 6-steps
c1. 'parted /dev/sdc mklabel gpt mkpart primary 1 100% set 1 lvm on' - 'mklabel' wipes the table, so partition 1 must be re-created before 'set 1 lvm on' can flag it
c2. 'parted /dev/sdd mkpart primary 1 100% set 1 lvm on print'
c3. 'pvcreate /dev/sdc1 /dev/sdd1' - incorporates storage into LVM-management
c4. 'vgcreate volgroup001 /dev/sdc1' - allocates /dev/sdc1 to volgroup001
c5. 'lvcreate -L 5GB -n logvol001 volgroup001' - creates 50% abstraction of volgroup001
c6. 'sudo mkfs.ext4 /dev/volgroup001/logvol001' - overlay file system
NOTE: Use 'btrfs' in lieu of 'ext4' if snapshot function is desirable
c7. 'mount UUID /projecty' && update /etc/fstab

d. Extend VG (volgroup001)
d1. 'vgextend volgroup001 /dev/sdd1' - adds /dev/sdd1 to volgroup001
d2. 'vgdisplay' - confirm additional storage
e. Extend LV (logvol001)
e1. 'sudo lvextend -L 10GB /dev/volgroup001/logvol001 && sudo lvdisplay'
e2. 'sudo resize2fs /dev/volgroup001/logvol001'
NOTE: upsizing usually works across FSs
NOTE: downsizing may NOT be supported by your FS
f. Extend LV from YaST GUI
NOTE: YaST GUI commits ALL steps to resize both LV and underlying FS
g. Reduce (Shrink) LV and FS from YaST GUI

# Software Management #
Features:
1. Package Management
2. Updates - Registration|Subscription
3. Repositories - locations of various packages
a. Default is the media used to install the OS: i.e. ISO image, DVD, CD, HTTP
4. Managed ALL from: YaST
5. RPM may also be used to manage packages
NOTE: Opt to use: YaST instead as it auto-resolves dependencies
6. Common packages are provided to simplify installation: i.e. GNOME, 32-bit, Development, etc.

Tasks:
1. Basic RPM usage
a. 'rpm -qa ' dumps ALL installed RPM packages
b. 'rpm -qi package_name' - returns metadata
c. 'rpm -Uvh package_name' - installs package

2. YaST
a. Install: 'whois'
b. 'rpm -qa | grep whois'
c. 'rpm -qi whois'
d. 'which whois'
e. 'whois linuxcbt.com'

3. Install GNOME on target
a. Software Management - Patterns - GNOME...

NOTE: Create your internal repository using first ISO DVD and publish via HTTP or otherwise and configure clients to reference the repo(s)

# Interface Configuration #
Features:
1. YaST
a. Static
b. Dynamic
c. Aliases
d. Routes
e. DNS
f. Hostname
g. etc.

Tasks:
1. Explore YaST for Interface configuration
a. 'sudo ifconfig' - dumps active interface(s) configuration: i.e. eth0, lo
NOTE: 'ifconfig' can be used to effect temporary changes to network config from the $SHELL
NOTE: Use 'yast' to effect permanent changes
b. 'yast'

2. Configure DHCP and Static address
a. Add: 192.168.75.156 with DHCP
NOTE: 'ifconfig' now reflects that static address as the primary
b. 'ip addr' - reveals ALL addresses configured
c. 'ssh TARGET' - NOTE: new address: 192.168.75.156 has become the primary for connections

3. Add route to: 192.168.1.0/24 Net
a. Test access to: 192.168.1.1

4. Configure multiple interfaces with static addresses
a. 192.168.1.0/24
b. 192.168.75.0/24
c. Set DEFAULT GW to: 192.168.75.1 '-' interface (Kernel will determine appropriate INT)
d. 'netstat -rn' - confirm routes
NOTE: Sometimes, reboots are needed to effect multiple network changes

# Network Time Protocol (NTP) #

Features:
1. Synchronizes clocks across systems using a network of systems
a. Peers
b. Servers
c. Clients
d. External time sources: i.e. GPS, Radio, etc.

Ideally, nodes that are within the same autonomous domain should trust each other
as peers or client/server relationship...

Tasks:
1. Configure ALL 3 servers as peers
NOTE: Peers may set each other's clocks
NOTE: Client/Server relationship allows the server to serve the client the current time
NOTE: IF problems synching/restarting NTPD, toggle AppArmor status to: 'complain' on NTPD instance as it is blocking...

#DHCP Server#
Features:
1. Dynamic IP configuration

Tasks:
1. Setup linuxcbtsuse3 as DHCP server and serve addresses to: linuxcbtsuse[12]

# DNS Server #
Features:
1. L4 (Names) -> L3 (IPs)
2. Glue of the Net
3. Forward
4. Reverse
5. Replication

Tasks:
1. Explore
2. Setup Master for zone: linuxcbt.internal on: linuxcbtsuse1
3. Replicate zone: linuxcbt.internal to: linuxcbtsuse[23]
4. Create reverse zone for: IPv4 -> 75.168.192.in-addr.arpa.
5. Replicate reverse zone to various nodes: .141-.142
6. Test:
a. 'dig @192.168.75.14[0-2] -x 192.168.75.3' - confirm reverse resolution

NOTE: DNS defaults to the catch-all: /var/log/messages to report problems | successes

# File Transfer Protocol Services #

Features:
1. Standard file transfer services
2. NOTE: Caveat: Clear-text (Default)
3. Encryption is supported via SSL

Tasks:
1. Explore
2. Test anonymous
3. Enable anonymous upload
4. Jail authenticated users
NOTE: $USER must NOT be able to write to their $HOME directory as it becomes the ROOT of the FTP jail: i.e. chown root.users /home/linuxcbt
5. Disable anonymous

# VNC Administration #
Features:
1. Remote Administration - GUI

Tasks:
1. Enable on each server node
NOTE: Enables: TCP:5[89]01

NOTE: Ensure that $HOME is writable by $USER
NOTE: This conflicts with VSFTPD CHROOT JAIL feature

# Software Repo - Internal - Setup #

Features:
1. Network-based Repo - shared by internal nodes

Tasks:
1. Connect ALL SUSE nodes to Ubuntu based Repo
NOTE: Repo HTTP server references ISO-mounted image: ensure ISO always mounts
(persists)

#Apache HTTPD Services#


Features:
1. De facto standard HTTP server
2. Modular
3. Serves all types of content

Tasks:
1. Setup HTTPD Server
NOTE:
DocumentRoot: http://192.168.75.140/ -> /srv/www/htdocs
Alias /icons/ -> /usr/share/apache2/icons/ - maps a URL path to a directory outside 'DocumentRoot'
ScriptAlias /cgi-bin/ -> /srv/www/cgi-bin

2. Check Setup
a. 'systemctl status apache2'

3. Virtual Hosts
Features:
a. IP-based - one-to-one mapping between site and IP
b. Host-Header Based - sites may share IPs

Tasks:
1. Create siteN.linuxcbt.internal: i.e. site[1-3].linuxcbt.internal - IP-based
2. 'apache2ctl -S' - dumps VHost configuration

3. Host-Header Based
a.

#NMap - Network Mapper#


Features:
1. Determines available:
a. Devices
b. Systems
c. Services
d. Versions of applications
2. Reconnaissance
3. Good for baselining the environment
4. Helps to spot abnormalities
a. Trojans
b. Backdoors
c. Unauthorized services

Tasks:
1. Install NMap
a. Done
2. Usage
a. non-privileged - limited to TCP connect() scans: the full handshake completes, so the scan is noisier and easily logged by the target
a1. 'nmap -v localhost 192.168.75.6' - looks for discrepancies between loopback
and routed interface
a2. 'nmap -v -oN `date +%F`.nmap.001.scan localhost 192.168.75.6' - archives
scan to LOG
a3. 'nmap -v -sP localhost 192.168.75.6' - PING ONLY ('-sn' on newer nmap releases)
a4. 'nmap -v -sP 192.168.75.0/24' - quickly finds nodes on the current subnet
a5. 'nmap -v -iL FILENAME' - sources targets from file

b. privileged ('root') - raw-socket access: SYN (half-open) scans never complete the handshake and leave a smaller footprint in target logs


b1. 'nmap -v -oN `date +%F`.nmap.002.scan localhost 192.168.75.6' - as root nmap
defaults to the TCP SYN (half-open) scan, i.e. '-sS'
b2. 'nmap -v -sU -oN `date +%F`.nmap.003.UDP.scan localhost 192.168.75.6' - UDP Scan
('-sU' is required, otherwise this is just another TCP scan; UDP scans are slow)
NOTE: UDP and various scan types require 'root' access
b3. 'nmap -v -A -oN `date +%F`.nmap.FULL.scan 192.168.75.0/24' - FULL Scan: '-A' adds
OS detection, version detection, default NSE scripts and traceroute; loud, so only
run it against hosts you are responsible for
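Added shell example (not from the course notes) for the "baselining" and "spot abnormalities" features: it parses nmap's grepable output ('-oG') and reports open ports that appear in a new scan but not in the archived baseline. nmap ships 'ndiff' for the same job on '-oX' output; this is a dependency-free equivalent. The two scan files are constructed samples, not real scan results, and the 31337/tcp "Elite" entry stands in for the unauthorized service you are looking for.

```shell
#!/bin/sh
# nmap_open_ports FILE -> sorted "ip port/proto service" lines for every open port
# in an -oG file. Fields are tab-separated; a port entry reads
#   port/state/proto/owner/service/rpc/version/
nmap_open_ports() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, e, ", ")
                    for (j = 1; j <= n; j++) {
                        split(e[j], f, "/")
                        if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
                    }
                }
            }
        }' "$1" | LC_ALL=C sort
}

# nmap_new_open BASELINE CURRENT -> open ports present now but absent from the baseline
nmap_new_open() {
    b=$(mktemp); c=$(mktemp)
    nmap_open_ports "$1" > "$b"
    nmap_open_ports "$2" > "$c"
    LC_ALL=C comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# Constructed samples (not real scans) in the shape of 'nmap -oG FILE 192.168.75.140-141'
nmap_sample_baseline() {
    printf '# constructed sample in nmap -oG format\n'
    printf 'Host: 192.168.75.140 ()\tStatus: Up\n'
    printf 'Host: 192.168.75.140 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1/, 80/open/tcp//http//Apache httpd/\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.75.141 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1/, 53/open/tcp//domain//ISC BIND 9.9/\tIgnored State: closed (998)\n'
}
# same hosts, one new listener on .140 (31337/tcp is "Elite" in nmap-services)
nmap_sample_current() {
    nmap_sample_baseline | sed 's#80/open/tcp//http//Apache httpd/#&, 31337/open/tcp//Elite///#'
}

case "${1:-}" in
    demo)
        t=$(mktemp -d)
        nmap_sample_baseline > "$t/base.gnmap"
        nmap_sample_current > "$t/cur.gnmap"
        echo "new since baseline:"; nmap_new_open "$t/base.gnmap" "$t/cur.gnmap"
        rm -rf "$t" ;;
esac
```

In practice: archive 'nmap -oG `date +%F`.baseline.gnmap 192.168.75.0/24' once, then run 'nmap_new_open baseline.gnmap today.gnmap' after each scheduled scan; anything it prints is either a change you made or something to investigate.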

# GPG - GNU Privacy Guard #


Features:
1. OpenPGP-compliant encryption and signing toolkit (web of trust, not X.509 PKI)
2. Encrypt [sign] and move data securely
3. Secures content @ rest
NOTE: SSH secures content in-motion

Tasks:
1. Setup keypair
a. 'gpg --gen-key' - generates usage keys (interactive)

2. Export/Import pub keys of 2 users


a. 'gpg --export -a [KEY_ID]' - dumps the public key in ASCII-armoured form - share
this with communicating parties (public); without KEY_ID every public key in the
keyring is exported

b. 'gpg --export -a KEY_ID | ssh 192.168.75.6 "gpg --import" ' - exports and imports
the key over SSH
c. 'gpg --list-keys' - confirm both parties have keys
NOTE: Importing a key does not make it trusted: compare 'gpg --fingerprint KEY_ID'
on both sides before encrypting to it
3. Encrypt Notes File and send to recipient
a. 'gpg --encrypt -r KEY_ID FILE' - writes FILE.gpg (binary); add '-a' for ASCII-armoured FILE.asc
4. Decrypt ...
a. 'gpg -d FILE' - dumps to STDOUT

#TCPDump#
Features:
1. Packet Capturing
2. Analysis - Playback
3. Uses the standard libpcap library and capture format, shared with Wireshark and Snort
4. Provides 3 Qualifiers to Filter traffic: both during and post-capture
a. Type - host|net|port
b. Direction - src, dst, src or dst, src and dst
c. Protocol - ip, tcp, udp, etc.
NOTE: Use qualifiers liberally during capture to reduce the overall footprint of
the capture file
NOTE: 'root' (or CAP_NET_RAW) is required to open the interface; promiscuous mode is
the default and can be turned off with '-p' to see only traffic addressed to this host

Usage:
1. 'tcpdump -v' - dumps packets to STDOUT
a. Reveals tons of traffic pertaining:
a1. Other virtual hosts that share the same broadcast domain
a2. Unicast traffic: i.e. SSH session and other traffic to other nodes
a3. Broadcast traffic
NOTE: Returns TCP/IP header with name resolution where applicable
b. 'tcpdump -v -n' - disables name resolution

2. 'tcpdump -v -w `date +%F`.tcpdump.capture.001 ' - creates a TCPDump libpcap file
NOTE: Does NOT dump packet info to: STDOUT
NOTE: With -v, reports the running number of received packets (Got NUM) on STDERR

3. 'tcpdump -v -r `date +%F`.tcpdump.capture.001 ' - reads file and dumps packets to STDOUT
4. 'tcpdump -D' - enumerates available interfaces including: 'any' (ALL
interfaces)
5. 'tcpdump -i eth0' - sniffs on: eth0
6. 'tcpdump -c 250' - captures 250 packets and exits: output -> STDOUT
a. 'tcpdump -c 250 -w `date +%F`.tcpdump.capture.002 ' - same but output -> FILE
7. 'tcpdump -C 1 -w FILE ...' - starts a new capture file every 1,000,000 bytes (FILE, FILE1, FILE2 ...); it keeps capturing, so add '-W N' to cap the number of files or '-c' to stop
8. 'tcpdump -A ...' - prints each packet in ASCII, minus the link-level header: handy for clear-text protocols (FTP, HTTP)
9. 'tcpdump -Ae ..' - adds the link-level (L2) header to the ASCII dump
10. 'tcpdump -w `date +%F`.tcpdump.ftp.traffic.capture.001 tcp port 21'
11. 'tcpdump -w `date +%F`.tcpdump.ntp.traffic.capture.001 udp src or dst port 123'

# WireShark #
Features:
1. Capture
2. Graphical Analysis of captures
3. Libpcap (Default)
4. Supports multiple capture formats

Tasks:
1. Parse captures
a.

# SuSEFirewall2 #
Features:
1. IPTables (NetFilter) Front-End
2. Facilitates common zones:
a. INTERNAL
b. DMZ
c. EXTERNAL
NOTE: Each zone maps to iptables chains that SuSEfirewall2 generates (input_ext,
input_int, input_dmz, ...); interfaces are assigned to zones and services opened per
zone in /etc/sysconfig/SuSEfirewall2 (FW_DEV_EXT, FW_SERVICES_EXT_TCP, ...)

Tasks:
1. Explore current setup
a. LOCAL

# SSH PKI Setup #


Features:
1. Passwordless AUTH
2. More secure than Password-based AUTH
NOTE: As long as the private key stays secret this is superior: the server sends a
challenge that only the holder of the private key can sign, so no reusable secret
crosses the wire
NOTE: Passwords are often weak, reused or shared, and can be guessed online
3. Local and remote account names need not match: a key held by LOCAL(linuxcbt)
may be authorized for REMOTE(root)

Tasks:
1. Generate SSH usage keys per node
a. 'ssh-keygen' - defaults to RSA: $HOME/.ssh/id_rsa (private, mode 0600) and $HOME/.ssh/id_rsa.pub (public)
NOTE: A passphrase on the private key is optional, but strongly recommended: it
protects the key in the event the file is obtained by an unauthorized user

2. Propagate usage public key: ~/.ssh/id_rsa.pub to remote $USER's $HOME/.ssh/authorized_keys
a. 'ssh-copy-id [email protected]'
b. 'ssh-copy-id [email protected]'

3. Restrict 'root' access to PKI
NOTE: This significantly improves security of the 'root' account by thwarting all
forms of password guessing against it
a. '/etc/ssh/sshd_config' - server configuration file: 'PermitRootLogin
without-password' (OpenSSH 7.0+ spells it 'prohibit-password' and still accepts the
old word), then 'sshd -t' to check the syntax and 'systemctl restart sshd'; keep the
current root session open and test a fresh login before closing it

NOTE: After enabling PKI-only for 'root' user, subsequent keys will need to be
copied using other means: i.e. a different account such as 'linuxcbt', or
'ssh-copy-id' from a host whose key is already authorized
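Added shell example (not from the course notes) for task 3. It encodes a rule sshd applies and that the "append a line to sshd_config" habit gets wrong: the FIRST uncommented occurrence of a keyword wins, so a 'PermitRootLogin without-password' appended below an existing 'PermitRootLogin yes' changes nothing. The sample config and the 'linuxcbt' user in its Match block are constructed; nothing here touches /etc.

```shell
#!/bin/sh
# sshd_effective FILE KEY DEFAULT -> the value sshd will use for KEY in the global
# section: keywords are case-insensitive, the first uncommented occurrence wins, and
# everything after the first 'Match' line is conditional and ignored here.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match" { exit }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# sshd_set FILE KEY VALUE -> rewrite FILE so that "KEY VALUE" is the effective setting:
# it goes at the top (first wins), earlier global assignments of KEY are dropped,
# commented examples and Match blocks are left alone. 'cat > FILE' keeps the
# original owner and mode, which matters for /etc/ssh/sshd_config.
sshd_set() {
    tmp=$(mktemp)
    awk -v key="$2" -v val="$3" '
        BEGIN { print key " " val }
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == tolower(key) { next }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Root may still log in, but only with a key. SLES 12 (OpenSSH 6.6) spells it
# 'without-password'; OpenSSH 7.0+ prefers 'prohibit-password' and accepts both.
sshd_root_keys_only() {
    sshd_set "$1" PermitRootLogin without-password
}

# Constructed sample (not a real sshd_config) showing the first-wins pitfall
sshd_demo() {
    f=$(mktemp)
    printf '#PermitRootLogin yes\nPermitRootLogin yes\nPort 22\nMatch User linuxcbt\n    PermitRootLogin no\n' > "$f"
    echo "before: PermitRootLogin = $(sshd_effective "$f" PermitRootLogin yes)"
    sshd_root_keys_only "$f"
    echo "after:  PermitRootLogin = $(sshd_effective "$f" PermitRootLogin yes)"
    cat "$f"
    rm -f "$f"
}
case "${1:-}" in demo) sshd_demo ;; esac
```

On a real node: back up the file, run 'sshd_root_keys_only /etc/ssh/sshd_config', validate with 'sshd -t', restart sshd, and confirm 'ssh root@host' now fails with a password but succeeds with the key while an existing root session stays open. Password login for ordinary accounts is deliberately left alone; the notes only restrict root.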

# Hardening #
Features:
1. Tightens policy for key areas
a. Password
b. accounts
c. etc.

Tasks:
1. Explore: 'yast security' (Security Center and Hardening)
2. Set tighter policy: password length/aging, login and boot settings; then verify
with a fresh login before closing the current session
