OpenRHCE Slides
Introductions: Online Information
Introductions: Classroom Infrastructure
Red Hat Enterprise Linux
The Red Hat Certification Landscape
Exercise 1-1: Install RHEL6 on a Virtual Machine
RHCSA Objectives
RHCSA Objectives: Understand & Use Essential Tools
RHCSA: Operate Running Systems
RHCSA: Configure Local Storage
RHCSA: Create and Configure File Systems
RHCSA: Deploy, Configure & Maintain
RHCSA: Manage Users and Groups
RHCSA: Manage Security
RHCE Objectives
RHCE: System Configuration and Management
RHCE: Network Services
RHCE: HTTP/HTTPS
Copyright 2011, Scott Purcell, CC BY-NC-SA 3.0
RHCE: DNS
RHCE: FTP
RHCE: NFS
RHCE: SMB
RHCE: SMTP
RHCE: SSH
RHCE: NTP
Operating a System
Boot, Reboot, Shutdown
Runlevels
Single User Mode
Exercise 1-2: Use Single-user mode to recover a root password
Exercise 1-3: Boot into runlevel 3
Log Files
Exercise 1-4: View Logs from an x-term and a virtual terminal
Start/Stop Virtual Machines
Virtual Machine Consoles
Virtual Machine Text Console
Virtual Machine Text Console Caveat
Start, stop, and check the status of network services
Exercise 1-5: Manipulate the cups service
Modify the system bootloader
Supplemental Reading
Supplemental Exercises
Reading
Session 2 User Mgmt, Storage, and filesystems
User Administration with Config Files
Structure of /etc/passwd
Structure of /etc/shadow
Structure of /etc/group
Structure of /etc/gshadow
User Admin with CLI tools
User Admin with GUI tools
User environment
Common Contents:
System-wide Shell Config Files
User-configurable Environment Files
Exercise 2-1: Configure Users and Groups
"Filesystem" - Disambiguation
Linux Filesystem Hierarchy
Disk and Filesystem tools
Working with Partitions
Exercise 2-2: Work with Basic Partitions
Working with Logical Volume Management
Removing Logical Volume structures
Exercise 2-3: Work with Logical Volume Management
Commands to Know
Working with LUKS encrypted storage
Persistent mounting of LUKS devices
Working with SWAP
Using a file for SWAP
Mounting Using UUIDs and Filesystem Labels
Local Storage: Adding New Storage
File systems: Working with Common Linux Filesystems
Filesystem Permissions: Basic Permissions
Three Sets of Permissions:
Three Types of Permissions:
Three Extended Attributes:
Viewing Permissions
Setting Permissions
Setting Permissions with Numeric Options
Setting Extended Attributes with Numeric Options
Setting Extended Attributes with Symbolic Values:
Extended Attributes in Directory Listings
Umask
Umask Examples
SGID and Stickybit Use Case -- Collaborative Directories
File Access Control Lists
getfacl
Working with CIFS network file systems
Working with NFS file systems
iSCSI Devices
Accessing iSCSI Devices
Disconnecting from iSCSI Devices
Additional References
Reading
Labs
Session 3 Managing software, processes, kernel attributes, and users and groups
The Red Hat Network (RHN)
RHN Subscription Activation
3rd Party Yum Repositories
Yum Repository Mandatory Configuration Items
Yum Repository Common Optional Configuration Items
Managing Software: Using yum
Yum-related man pages
RPM Architecture
RPM Package Naming
Package Naming Example
Installing and Upgrading Packages
Upgrading a Kernel
RPM and Modified Config Files
Uninstalling
RPM over a Network
Common RPM Queries
RPM Verification
Validate Package Signatures
RPM Checksig Sample Output
Verify Installed Files
Change Codes from rpm --verify
RPM Verify Sample Output
Identifying Installed Packages
Managing Software: Building RPMs
Inside an RPM package
Main contents of a .spec file
Preamble directives
Required Spec file sections
Package Building Tools
Setting up a Build Environment
Viewing the Build Environment
Building the RPM
RPM Building Exercise
Signing Your RPMs
Create a Repo with your files
RPM Packaging, Other Documentation:
Manage Processes and Services
Persistent Configuration of Services
Manage Processes and Services: Configure systems to boot into a specific runlevel automatically
Monitoring Processes
Killing Processes
Prioritizing Processes
nice and renice commands
Manage system performance
Session 4 Networking and Routing
Network Configuration and Troubleshooting
IP Address and Subnet Mask
Routing and Default Gateway
Hostname
Name Resolution
Two Controlling Services
Switching between Controlling Services
Network Configuration Files
Reference
Future (Near!) Network Device Naming Scheme
Session 5 Firewalls and SELinux
Firewalling in RHEL6
iptables Built-in Chains
iptables Targets
Connection Tracking States
Iptables Command Options
Matching packets
Iptables Tips
SELinux
SELinux in Action
SELinux Enforcement Modes
Important SELinux Filesystem locations
Related Packages
Useful Commands
Additional Documentation
Setting the SELinux Enforcement Mode
SELinux Policy Types
SELinux Contexts
Setting SELinux file contexts
SELinux Booleans
Modifying SELinux Booleans
Help for SELinux with regard to specific services
Monitor SELinux Violations
Session 6 Virtualization
Virtualization Terms
RHEL6 KVM requirements
KVM Virtualization Components
Installing Virtualization Capabilities
Virsh Commands
Creating Virtual Machines with Virt-Manager
Creating Virtual Machines with virt-install
SELinux considerations
Session 7 Logging and remote access
RHEL 6 Logging with Rsyslog
Accepting Remote Logs
Rsyslog Configuration: Message Selection
Rsyslog Configuration: Actions
Practice
Remote Access via SSH
Investigate SELinux implications for SSH
SSH key-based authentication
SSH Security Considerations
Remote Access via VNC
Configuring a VNC remote display
Investigate SELinux implications for VNC
Session 8 Network Time Protocol and System Performance Reports
NTP Overview
NTP Packages
NTP Documentation
Installing, Starting, and Configuring Persistence
Defining NTP Terms
Configuration of NTP
NTP "restrict" options
Configure as a Client
Configure as a Server
Configure as a Peer
Investigate SELinux implications for NTP
Investigate Firewall Implications for NTP
Reporting on System Performance
Tools for System Utilization Reporting
Session 9 HTTP and FTP
Apache Web Server
Installation and Basic Configuration
Installing a Signed SSL Certificate
Virtual Host Configuration
Name Virtual Host Configuration
Example Virtual Host Configuration
Configuring for CGI-BIN scripts
Apache Access Control
Host Based Security directive formats
Access Control with .htaccess files
User Based Security with htpasswd flat file
Configuring Passwords
User Based Security with LDAP authentication
SELinux Implications for HTTP
Important SELinux Contexts
Firewall and SELinux for httpd
Very Secure File Transfer Protocol Daemon
Installation and Basic Configuration
FTP Documentation
Investigate SELinux implications for FTP
Investigate Firewall Implications for FTP
Configuring a Secure "Drop-box" for Anon Upload
Session 10 NFS and Samba
Network File System (NFS)
Packages
Configuration
Configuring an NFS server (Network File System)
/etc/exports
Commands
SELinux
Mounting
Automounter
Auto.master
Auto.*
Understanding Automount
Samba
Accessing SMB/CIFS Shares
Samba Packages:
SELinux
Services
/etc/samba/smb.conf (Global)
/etc/samba/smb.conf Security Types
Samba Users and Passwords
/etc/samba/smb.conf (Shares)
Testing Configuration
Samba Firewalling Considerations
HowTo: Enable Home Directory sharing via Samba
HowTo: Configure a Group Share
Session 11 DNS and SMTP
Types of DNS servers
Included DNS Servers
BIND Packages
Installing and enabling Bind
Useful Commands
Configuration Files
Enabling caching-only for localhost
Allowing queries from other systems
Enabling Forwarding
Firewall Considerations
SELinux Considerations
Email TLAs: MTA, MUA, MDA
Red Hat's New Default MTA: Postfix
Postfix configuration tool
Reading Mail
Session 12 Finish uncompleted topics, Review, or Practice Exam
Supplemental Topics
Manage Processes and Services: Schedule tasks using cron
Cron
Format of a crontab file
Controlling Cron
at Jobs
Securing cron and at
User Admin with Config Files
Structure of /etc/passwd
Structure of /etc/shadow
Sample Contents
Structure of /etc/group
Sample Contents
Structure of /etc/gshadow
Sample Contents
User Admin with CLI tools
User Admin with GUI tools
User environment
Common Contents:
System-wide Shell Config Files
User-configurable Environment Files
CUPS Printing System
Controlling Jobs from the Command Line
CUPS Web-Based Interface
Troubleshooting Booting
Booting - (MBR)
Booting - GRUB Stage 1.5 (Driver to read filesystem)
Booting - GRUB Stage 2 (Menu)
Booting - Kernel
Booting - initrd (initial ramdisk)
Booting - init process
Booting - inittab
Booting - rc.sysinit
Booting - services
Networking
X
TCP_Wrappers
Which Services are Protected?
Identifying Protected Services
Hosts Access Files
Syntax
Source Repository
Qualifications:
RHCSA, RHCE #110-008-877 (RHEL6) Also: CTT+, CLA, CLP, CNI, LPIC1, Linux+ Curriculum Developer and Trainer for a major computer manufacturer for going on 11 years Linux Enthusiast since 2000
Personal:
Husband, father, disciple and Fun: Part-time Balloon Entertainer
Course Goals
Primary Goal: Preparation to pass the RHCE Exam (assumes passage of the RHCSA Exam)
Secondary Goal: Preparation to pass the RHCSA Exam
Tertiary Goal: Acquiring high-level enterprise-oriented Linux skills
NOT a goal of this course: Acquiring basic or user-oriented Linux skills. These are assumed as prerequisites for this course.
Caution
You may be unable to practice a few of the objectives (those related to virtualization) in this scenario.
Certificates of Expertise
COEs are incremental credentials demonstrating skills and knowledge in specialized areas. They are worthy credentials in their own right, but also the building blocks of the upper level credentials.
Overview of COEs
RHCSS, RHCDS, RHCA
These upper level credentials recognize those who have achieved expertise in several related specialized areas. Each one requires multiple COEs.
RHCSA Objectives
RHCE Objectives
RHCE: HTTP/HTTPS
Install the packages needed to provide the service
Configure SELinux to support the service
Configure the service to start when the system is booted
Configure the service for basic operation
Configure host-based and user-based security for the service
Configure a virtual host
Configure private directories
Deploy a basic CGI application
Configure group-managed content
RHCE: DNS
Install the packages needed to provide the service
Configure SELinux to support the service
Configure the service to start when the system is booted
Configure the service for basic operation
Configure host-based and user-based security for the service
Configure a caching-only name server
Configure a caching-only name server to forward DNS queries
Note: Candidates are not expected to configure master or slave name servers
RHCE: FTP
Install the packages needed to provide the service
Configure SELinux to support the service
Configure the service to start when the system is booted
Configure the service for basic operation
Configure host-based and user-based security for the service
Configure anonymous-only download
RHCE: NFS
Install the packages needed to provide the service
Configure SELinux to support the service
Configure the service to start when the system is booted
Configure the service for basic operation
Configure host-based and user-based security for the service
Provide network shares to specific clients
Provide network shares suitable for group collaboration
RHCE: SMB
Install the packages needed to provide the service
Configure SELinux to support the service
Configure the service to start when the system is booted
Configure the service for basic operation
Configure host-based and user-based security for the service
Provide network shares to specific clients
Provide network shares suitable for group collaboration
RHCE: SMTP
Install the packages needed to provide the service
Configure SELinux to support the service
Configure the service to start when the system is booted
Configure the service for basic operation
Configure host-based and user-based security for the service
Configure a mail transfer agent (MTA) to accept inbound email from other systems
Configure an MTA to forward (relay) email through a smart host
RHCE: SSH
Install the packages needed to provide the service
Configure SELinux to support the service
Configure the service to start when the system is booted
Configure the service for basic operation
Configure host-based and user-based security for the service
Configure key-based authentication
Configure additional options described in documentation
RHCE: NTP
Install the packages needed to provide the service
Configure SELinux to support the service
Configure the service to start when the system is booted
Configure the service for basic operation
Configure host-based and user-based security for the service
Synchronize time using other NTP peers
Operating a System
Runlevels
Default From GRUB Menu
Log Files
/var/log/*
/root/install.log
/root/anaconda-ks.cfg
View with cat, less or other tools
Search with grep
Supplemental Reading
Jang, Chapters 1-3
Supplemental Exercises
Setup a practice environment following instructions in Jang, Ch 1.
Reading
Topics from this class: Jang, Chapters 1-3 Topics for next class: Jang 4,6,8
Structure of /etc/passwd
Name:Password:UID:GID:Comments:Homedir:Shell
Sample Contents
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
scott:x:500:500:Scott Purcell:/home/scott:/bin/bash
Structure of /etc/shadow
Name:Password:Lstchg:May:Must:Warn:Disable:Expire
Sample Contents
# cat /etc/shadow
root:$1$IyApEyOS$dZ5SMuC7Yw9/PDMyWi1H11:14373:0:99999:7:::
sshd:!!:14373:0:99999:7:::
ntp:!!:14373:0:99999:7:::
gdm:!!:14373:0:99999:7:::
scott:$1${...}:14374:0:99999:7:::
bob:$1${...}:14398:7:30:7:7:14457:
Structure of /etc/group
Name:Password:GID:Users
Sample Contents
# cat /etc/group
root:x:0:root
scott:x:500:
bob:x:501:
mary:x:502:
sales:x:503:bob,mary
training:x:504:scott
Structure of /etc/gshadow
Name:Password:Admins:Members
Sample Contents
# cat /etc/gshadow
root:::root
scott:!!::
bob:!::
mary:!::
sales:!::bob,mary
training:!::scott
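As an added example (not part of the slides), a small audit that reads files in the /etc/passwd and /etc/shadow layouts above and flags the entries a reviewer looks for first; the account names and hashes in the sample data are constructed placeholders, and "extra0" and "svc" are deliberately bad entries for the audit to catch.

```shell
#!/bin/bash
# Audit accounts using the /etc/passwd and /etc/shadow field layouts above.
# Findings, one per line:
#   UID0 <name>            an account other than root with UID 0
#   EMPTY-PASSWORD <name>  a shadow entry whose password field is empty
#   SYSTEM-SHELL <name>    a system account (UID 1-499 on RHEL6) with an interactive shell
audit_accounts() {
    # $1 = file in /etc/passwd format, $2 = file in /etc/shadow format
    awk -F: '
        # First file (shadow): remember the password field for each account.
        FNR == NR { pw[$1] = $2; next }
        # Second file (passwd): $1 name, $3 UID, $7 login shell.
        $3 == 0 && $1 != "root"                        { print "UID0", $1 }
        ($1 in pw) && pw[$1] == ""                     { print "EMPTY-PASSWORD", $1 }
        $3 > 0 && $3 < 500 && $7 !~ /(nologin|false)$/ { print "SYSTEM-SHELL", $1 }
    ' "$2" "$1"
}

# Constructed sample data; the hashes are placeholders, not real credentials.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
scott:x:500:500:Scott Purcell:/home/scott:/bin/bash
extra0:x:0:0:second UID 0 account:/root:/bin/bash
svc:x:480:480:service account:/var/lib/svc:/bin/bash'

SHADOW_SAMPLE='root:$1$PLACEHOLDER$hashplaceholder:14373:0:99999:7:::
sshd:!!:14373:0:99999:7:::
ntp:!!:14373:0:99999:7:::
scott:$1$PLACEHOLDER$hashplaceholder:14374:0:99999:7:::
extra0::14400:0:99999:7:::
svc:$1$PLACEHOLDER$hashplaceholder:14400:0:99999:7:::'

# Run the audit against the sample data written to a scratch directory.
audit_sample() {
    local tmp
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$PASSWD_SAMPLE" > "$tmp/passwd"
    printf '%s\n' "$SHADOW_SAMPLE" > "$tmp/shadow"
    audit_accounts "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

# On a live RHEL6 system (as root, since /etc/shadow is unreadable by others):
#   audit_accounts /etc/passwd /etc/shadow
```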
User environment
Home directories: /home/{user}/ or /root/
/etc/skel: Contents copied to the home directory of each new user.
Common Contents:
.bashrc
.bash_logout
.bash_profile
"Filesystem" - Disambiguation
Several meanings for the term:
The way files are physically written to storage devices, as in the ext3, FAT-32, NTFS filesystems, etc.
The unified directory structure which logically organizes files
The standard which defines how directories should be structured and utilized in Linux
The directory structure of a Linux system is standardized through the Filesystem Hierarchy Standard (explained at http://www.pathname.com/fhs)
The Linux manual system has an abbreviated reference: $ man 7 hier
Red Hat has a more complete description, along with Red Hat-specific implementation decisions, in their Deployment Guide at http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deploym
Commands to Know
fdisk
  Always use -u and -c for best compatibility with newer storage devices
  Can't create partitions >= 2TB; use parted with GPT instead
mkfs
  Used to create filesystems on devices
  Front-end for mkfs.<fstype>
blkid
  Shows device name, filesystem labels, and UUID of detected block devices.
  May not show block devices until a filesystem is created on them.
  May not show block devices used in non-standard ways (for example, a filesystem on a whole disk instead of on a partition)
mount
  Used to make a new filesystem available
other filesystem-specific tools (usually named
If the password field of the /etc/crypttab entry is "none" or left blank, the system will prompt for the passphrase at boot.
Then create an entry in /etc/fstab for the unlocked device.
Note
At reboot, the password prompt goes only to the default console. If console redirection is enabled, as it might be when a virtual machine has been made accessible through virsh console <name>, then the only place where the prompt is seen and the passphrase can be entered is at that redirected console.
Viewing Permissions
Permissions are displayed in positions 2-10 of a "long" file listing:
Setting Permissions
The chmod command is used to set permissions on both files and directories. It has two modes -- one using symbolic options and one using octal numbers.
chmod [option] [ugoa...][+-=][rwxst] filename
  where ugoa are user, group, other, or all and rwxst are read, write, execute, s{u/g}id, stickybit.
chmod [option] XXXX filename
  where XXXX is a number representing the complete permissions on the file.
Umask
The umask value determines the permissions that will be applied to newly created files and directories. As a "mask" it is subtractive -- it represents the permissions you DO NOT want to grant. Execute rights are automatically withheld (without regard for the umask) for files but not for directories. Extended attributes are not addressed -- even though a umask is four digits. The default umask value is set in /etc/bashrc and can be modified (non-persistently!) with the bash built-in command umask.
Umask Examples
Umask of 0002 yields permissions of 0775 on new directories and 0664 on new files
Umask of 0022 yields permissions of 0755 on new directories and 0644 on new files
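An added example, not from the slides, that computes the modes in the table above from the umask and then measures what the kernel actually assigns; it assumes bash and GNU coreutils (stat -c) as found on RHEL6.

```shell
#!/bin/bash
# Predict the mode of a new file and directory under a given umask.
# New files start from 0666 (execute is never granted at creation),
# directories from 0777; the umask then removes the bits it names.
umask_predict() {
    # $1 = umask written in octal, e.g. 0022; prints "dir=0755 file=0644"
    local mask=$((8#$1))
    printf 'dir=%04o file=%04o\n' $((0777 & ~mask)) $((0666 & ~mask))
}

# Measure what the kernel really does: create a file and a directory under
# the given umask in a scratch directory and read the modes back.
umask_observe() {
    local tmp
    tmp=$(mktemp -d) || return 1
    # The umask is changed inside a subshell so the caller's value is untouched,
    # the same non-persistence the slide warns about for the umask builtin.
    ( umask "$1" && mkdir "$tmp/d" && : > "$tmp/f" ) || return 1
    printf 'dir=0%s file=0%s\n' "$(stat -c %a "$tmp/d")" "$(stat -c %a "$tmp/f")"
    rm -rf "$tmp"
}

# Table of common values; 0077 is the usual choice for a hardened root account.
umask_table() {
    local m
    for m in 0002 0022 0027 0077; do
        printf 'umask %s -> %s\n' "$m" "$(umask_predict "$m")"
    done
}
```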
getfacl
Example of "getfacl acldir":
# file: acldir
# owner: frank
# group: frank
user::rwx
user:bob:-wx
user:mary:rw-
group::rwx
mask::rwx
other::r-x
Example of ls -l acldir:
drwxrwxr-x+ 2 frank frank 4096 2009-05-27 14:15 acldir
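Added example (not from the slides): the mask entry caps the named user, named group and owning group entries, so the rights listed are not always the rights granted. The first sample is the acldir listing above; the second is a constructed variant of it with the mask lowered to r-x.

```shell
#!/bin/bash
# Annotate getfacl output with the effective permissions after the mask is applied.
# The mask caps named users, named groups and the owning group; it never touches
# the owner (user::) or other:: entries. The output mimics getfacl's own
# "#effective:" column, which it prints only where the mask reduces an entry.
acl_effective() {
    awk -F: '
        /^#/ || NF < 3 { next }      # skip the comment header and blank lines
        { line[++n] = $0; if ($1 == "mask" && $2 == "") mask = $3 }
        END {
            for (i = 1; i <= n; i++) {
                split(line[i], f, ":")
                perms = f[3]; eff = perms
                capped = (f[1] == "user" && f[2] != "") || f[1] == "group"
                if (mask != "" && capped) {
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        c = substr(perms, j, 1)
                        eff = eff ((c != "-" && substr(mask, j, 1) != "-") ? c : "-")
                    }
                }
                if (eff != perms) printf "%s\t#effective:%s\n", line[i], eff
                else print line[i]
            }
        }'
}

# Effective rights of one entry, e.g. acl_effective_for "$ACL_MASKED" user:bob
# ("user:" for the owner, "group:" for the owning group).
acl_effective_for() {
    printf '%s\n' "$1" | acl_effective | awk -v who="$2:" '
        index($0, who) == 1 {
            if (match($0, /#effective:[-rwx]+$/)) print substr($0, RSTART + 11)
            else { split($0, f, ":"); print f[3] }
        }'
}

# Sample 1: the acldir listing from the slide (mask::rwx, so nothing is capped).
ACL_SLIDE='# file: acldir
# owner: frank
# group: frank
user::rwx
user:bob:-wx
user:mary:rw-
group::rwx
mask::rwx
other::r-x'

# Sample 2 (constructed): the same ACL after "chmod g-w acldir", which on a
# directory carrying an ACL rewrites the mask entry, not the owning group entry.
ACL_MASKED='# file: acldir
# owner: frank
# group: frank
user::rwx
user:bob:-wx
user:mary:rw-
group::rwx
mask::r-x
other::r-x'
```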
iSCSI Devices
Package: iscsi-initiator-utils
Allows a system to access remote storage devices with SCSI commands as though they were local hard disks.
Terms:
iSCSI initiator -- A client requesting access to storage
iSCSI target -- Remote storage device presented from an iSCSI server or "target portal"
iSCSI target portal -- A server providing targets to the initiator
IQN -- "iSCSI Qualified Name", a unique name. Both the initiator and the target need such a name to be assigned
Important
Be certain to use UUIDs or labels for persistent mounts in /etc/fstab. Also, provide _netdev as a mount option so that this device will not be mounted until the network is already up.
Additional References
4 of the Storage Administration Guide for dhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guid e of parted.
Man pages for fdisk(8), fstab(5), mkfs(8), blkid(8), partprobe(8), mount(8), parted(8), cryptsetup(8), and crypttab(5)
Reading
Topics from this class: Jang, Chapters 4,6,8 Topics for next class: Jang Ch 7,9,12,17
Labs
Add Storage
Add a disk to the virtual machine
Add Swap
Add a partition
Add space to a VG
Add a LUKS-encrypted filesystem
Enlarge an LV
Add an iSCSI device
Create a partition for collaboration
Create File ACLs
Session 3 Managing software, processes, kernel attributes, and users and groups
yum update Updates an installed package for which a newer version is available.
RPM Architecture
rpm executable
RPM packages -- files to install + SPEC file (metadata)
Local RPM database -- retains metadata from all installed packages
Database is kept in /var/lib/rpm
This package starts with version 3.2 of bash (from ftp.gnu.org/gnu/bash), applies a RH patch identified as 24.el5 to it, and is then built to run on an Intel/AMD 64 bit processor.
Upgrading a Kernel
Always use # rpm -i ... This leaves the previously installed kernel on the system and in the GRUB menu as a fall-back in case the new version has problems.
Uninstalling
# rpm -e name[-ver][-rel]
Package removal is never verbose and never shows progress (-v and -h have no effect).
Package removal only needs the name (or, when multiple versions of the same package are installed, sometimes the version or release) but not the architecture or the .rpm extension.
rpm -q{c|d|i|l|R}p /path/to/packagename-ver-rel-arch.rpm Reports the same info as above, but pulls info from the .rpm file instead of the rpm database.
RPM Verification
The RPM system satisfies two types of security concerns:
1. Is this package authentic? How do I know it came from Red Hat?
2. Has this package retained integrity? How do I know its files haven't been modified?
Authenticity and integrity of packages can be confirmed prior to installation with GPG signing and MD5 checksums of the RPM packages. Integrity of files can be confirmed after installation with verification of installed files against the recorded metadata in the package.
As of this writing, Red Hat is pointing users to the following RPM Guide from the Fedora project for more information on RPM creation: http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM
The package is defined by a "build specification file" or spec file. A good example of a spec file can be obtained from the source rpm for redhat-release. ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/redhat
Tip
Open .spec files in vim for color highlighting
Preamble directives
Name -- Name of the package
Version -- Version identifier
Release -- Indicates incremental changes within a version.
Group -- The package group that should include this package. This can come from the list at /usr/share/doc/rpm-*/GROUPS or can be unique to you. Not related to yum package groups.
License -- Short license identifier as described at http://fedoraproject.org/wiki/Packaging/LicensingGuidelines
Summary -- Short (<=50 chars) one-line description.
Source -- The file to be used as the source code. Additional sources can be specified as Source0, Source1, etc.
BuildArch -- Arch to use when building. Defaults to the existing system arch. May also be "noarch" for arch-independent packages.
Requires -- Requirements that this package needs to run. Can be in the form of files or other packages.
BuildRequires -- Requirements needed to build this package.
$ rpmdev-setuptree
Move the tarball to the SOURCES directory
Create a .spec file in the SPECS directory:
$ vim pkgname.spec
or:
$ rpmdev-newspec -o pkgname.spec
Insert a name (match the pkgname on the tarball and directory)
Insert a version (match the version)
Leave the release alone
Insert a summary (one line)
Insert a group (package group)
Insert a license
Insert a URL or delete the line
On the Source0 line, insert the name of your tarball
Leave the BuildRoot line alone
Unless your package has prerequisites needed before it can be compiled, delete the BuildRequires line
Unless your package has prerequisites needed before it can work, delete the Requires line
On a blank line below %description, insert a brief description of your package
Leave the %prep and %setup lines alone
If your package does not need to be "built" (compiled), delete the %build, %configure, and make lines.
Leave the %install section header alone.
Under the %install section, leave the rm line alone.
If your package does not need to be built, modify the make install line to something like this:
install -D myfile $RPM_BUILD_ROOT/path/to/install/dest/myfile
Leave the %clean and the rm -rf lines alone.
Under %files, use the following syntax to list each of the files your package will place on the target system:
%attr(770,owner,group) /path/to/file
Use the following syntax to list each of the directories your package will place on the target system:
Key is valid for? (0) Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Scott Purcell
Email address: [email protected]
Comment:
You selected this USER-ID:
    "Scott Purcell <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
gpg: key B9AED1DE marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/B9AED1DE 2011-02-22
      Key fingerprint = 9987 B276 A24A 1210 13A7 4D05 9F3F 8934 B9AE D1DE
uid                  Scott Purcell <[email protected]>
sub   2048R/0DA4CCE9 2011-02-22
[scott@Client1 rhel6]$
The key ID can be seen in the output above, or can be found with gpg --fingerprint
Export the key to a file:
$ gpg --armor --output ~/RPM-GPG-KEY-ScottPurcell --export B9AED1DE
[scott@Client1 ~]$ cat RPM-GPG-KEY-ScottPurcell
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)
mQENBE1jVagBCADVDTOvRl3Z5xPZb6AAl2D3bM/H4kEhyJ+yk1pbVPmu8yu0Cbsl
. . .
R+J9rjvN8rNpQwm40Gx6RpM7qtP/LodzD46dNfbr87lJ4F+4A3U=
=f4Gq
-----END PGP PUBLIC KEY BLOCK-----
Configure rpm-related tools to use your signature:
$ echo '%_gpg_name Scott Purcell' >> ~/.rpmmacros
or:
$ echo '%_gpg_name B9AED1DE' >> ~/.rpmmacros
Now packages can be created and signed at the same time with rpmbuild using the --sign option. Or existing packages can be retroactively signed with rpm using the --addsign or --resign options.
With a signed package in place, the user intending to install it now needs to import the key:
# rpm --import /home/scott/RPM-GPG-KEY-ScottPurcell
And with the key imported, the package can be verified:
$ rpm -K rpmbuild/RPMS/x86_64/rhel6rhce-0.5-1.el6.x86_64.rpm
rpmbuild/RPMS/x86_64/rhel6rhce-0.5-1.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
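Added example, not from the slides: a check that reads rpm -K lines like the one above and distinguishes a signed and verified package from one whose digests merely matched, which is all an unsigned package can report. The unsigned and missing-key sample lines are constructed in the shape rpm 4.8 on RHEL6 prints.

```shell
#!/bin/bash
# Classify one line of non-verbose `rpm -K` output. rpm lists the digests and
# signatures it checked, then OK or NOT OK. A line that says OK but names no
# pgp/gpg item has only had its digests checked: the package is unsigned and
# the line proves nothing about who built it.
# Prints SIGNED, UNSIGNED or BAD; returns 0 only for SIGNED.
classify_checksig() {
    local verdict="${1#*: }"   # drop the "path/to/package.rpm: " prefix
    case "$verdict" in
        *"NOT OK"*)               echo BAD;      return 2 ;;
        *pgp*|*gpg*|*PGP*|*GPG*)  echo SIGNED;   return 0 ;;
        *OK*)                     echo UNSIGNED; return 1 ;;
        *)                        echo BAD;      return 2 ;;
    esac
}

# Refuse to proceed unless every given .rpm is signed with an imported, trusted
# key. Needs the rpm command and a prior `rpm --import` of the vendor key.
require_signed_rpms() {
    local f status=0
    for f in "$@"; do
        if ! classify_checksig "$(rpm -K "$f" 2>&1)" >/dev/null; then
            echo "refusing $f: not signed with a trusted key" >&2
            status=1
        fi
    done
    return $status
}

# Sample lines: the first is the slide's own output; the other two are
# constructed (unsigned package; package signed with a key not yet imported).
CHECKSIG_SIGNED='rpmbuild/RPMS/x86_64/rhel6rhce-0.5-1.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK'
CHECKSIG_UNSIGNED='example-1.0-1.el6.noarch.rpm: sha1 md5 OK'
CHECKSIG_NOKEY='example-1.0-1.el6.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#00000000)'
```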
Manage Processes and Services: Configure systems to boot into a specific runlevel automatically
/etc/inittab
Monitoring Processes
ps -- Highly configurable command to list running processes
top -- Command to provide realtime reports of the most active running processes
Killing Processes
kill -- Kills a process by PID. Optionally sends "signals" other than "kill".
killall -- Kills processes by name. Use care not to match names you don't intend to kill.
pkill -- Also kills processes by name. Use care not to match names you don't intend to kill.
pgrep -- Searches processes by name. Useful for verifying which processes would be killed by pkill.
Prioritizing Processes
The kernel calculates the priority of each process through a variety of factors. One input into that calculation is a user-modifiable value called "niceness". A process with higher niceness has lower priority and is thus more willing to share resources with other processes. niceness can range from -20 (highest priority) to 19 (lowest priority).
Hostname
Verifying configuration Changing configuration
Name Resolution
Verifying configuration Changing configuration
Note
/etc/sysconfig/networking/ is used by system-config-network and should not be manually edited.
Reference
/usr/share/doc/initscripts-9.03.17/sysconfig.txt
http://linux.dell.com/files/whitepapers/consistent_network_device_naming_in_l
Firewalling in RHEL6
RHEL6 implements a packet filtering firewall called iptables. You should know several key terms:
rule -- A one-line rule defining a packet type and how it should be handled.
chain -- A list of rules.
table -- A list of rules aggregating all of the chains and rules taking a particular path through the network stack.
policy -- A default rule that applies in the absence of other rules.
iptables Targets
ACCEPT -- Allows the packet to proceed to its destination.
DROP -- Silently drops the packet.
REJECT -- Drops the packet and sends a rejection message back to the source.
LOG -- Logs the packet and moves to the next rule in the chain (which may then accept, drop, or reject).
Matching packets
A source IP or network: -s 192.0.2.0/24
A destination IP or network: -d 10.0.0.1
UDP/TCP and ports: -p udp --sport 68 --dport 67
ICMP and types: -p icmp --icmp-type echo-reply
Inbound network interface: -i eth0
Outbound network interface:
Iptables Tips
Use system-config-firewall to enable and select FTP and SSH to generate a sample set of rules and load the connection tracking module.
Show connections being accepted or rejected in realtime:
# watch -d -n 2 'iptables -nvL'
(Quote the command: with backticks the shell would run iptables once and pass its output to watch as arguments.)
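An added example, not from the slides, that puts the terms, targets and match options above together as a loadable INPUT chain in iptables-save format; the administrative network passed as the argument is an assumption, and the order check shows why rule order matters in a chain.

```shell
#!/bin/bash
# Emit a minimal INPUT policy for the filter table in iptables-save format:
# a DROP policy, rules matching on interface, connection state, protocol/port
# and ICMP type, and the ACCEPT, DROP, LOG and REJECT targets.
# $1 = network allowed to open new SSH sessions (assumed, e.g. 192.0.2.0/24)
host_firewall_rules() {
    local admin_net="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic never leaves the host.
-A INPUT -i lo -j ACCEPT
# Connection tracking first: replies to sessions this host opened, and RELATED
# traffic such as FTP data connections, are accepted before any other test.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection and are not a valid start of one.
-A INPUT -m state --state INVALID -j DROP
# New SSH sessions only from the administrative network.
-A INPUT -p tcp -s ${admin_net} --dport 22 -m state --state NEW -j ACCEPT
# Keep ping working for monitoring.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Everything else: log a rate-limited sample, then reject so clients fail fast.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-reject: "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Position (1-based, counting only -A lines) of the first rule whose text
# matches an extended regex. The first matching rule in a chain wins.
rule_position() {
    grep '^-A ' | grep -nE "$1" | head -n 1 | cut -d: -f1
}

# Sanity check a generated rule set: the conntrack ACCEPT must come before the
# catch-all REJECT, and the catch-all must be the last rule in the chain.
check_rule_order() {
    local rules="$1" est rej total
    est=$(printf '%s\n' "$rules" | rule_position 'ESTABLISHED,RELATED')
    rej=$(printf '%s\n' "$rules" | rule_position 'REJECT')
    total=$(printf '%s\n' "$rules" | grep -c '^-A ')
    [ -n "$est" ] && [ -n "$rej" ] && [ "$est" -lt "$rej" ] && [ "$rej" -eq "$total" ]
}
```

Load the output with iptables-restore, review it with iptables -nvL, and on RHEL6 run service iptables save to persist it to /etc/sysconfig/iptables.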
SELinux
SELinux is a set of security rules that determine which processes can access which files, directories, ports, and other system resources.
Purposes:
Provide another method of securing a system.
Implement Mandatory Access Control policies (required in some institutional contexts).
Protect the system and its data from system services that have been compromised.
SELinux in Action
httpd allows remote anonymous access. This allows the possibility of attempts to compromise the httpd daemon with security exploits. httpd runs with the identity of the user "apache" and the group "apache" -- a successful exploit gains system access with the permissions granted to that user and group. In addition to the filesystem areas needed to run a webserver, the apache user and group also have access to other "world-readable" and "world-writable" locations such as /tmp. SELinux ensures that a compromised service cannot gain access to those filesystem locations where it should not need access in the normal course of events.
Related Packages
coreutils -- Always installed. Provides some default elements of SELinux.
policycoreutils -- Provides restorecon, secon, setfiles, et al.
libselinux-utils -- Provides getenforce, setenforce, getsebool, setsebool, et al.
policycoreutils-gui -- Provides system-config-selinux and sepolgen, et al.
policycoreutils-python -- Provides semanage, audit2allow, audit2why, et al.
setroubleshoot -- Provides seapplet
setroubleshoot-server -- Provides sealert, sedispatch, setroubleshootd, et al.
Useful Commands
sestatus -- Displays information about the current SELinux parameters.
chcon -- Changes context labels on files (but non-persistently! Use semanage for persistent changes).
semanage -- Modifies SELinux contexts persistently.
Additional Documentation
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-
SELinux Contexts
When SELinux is not disabled, every file, directory, and process has an SELinux context label. These labels are used to determine which protected service(s) can operate in this location.
View SELinux contexts of processes: ps -eZ, ps -axZ, ps -Zc <process name>, etc.
View SELinux contexts of files and directories: ls -Zd /path/to/dir/, ls -Z /path/to/file, etc.
View SELinux contexts of users: id -Z
In these rules the regular expression (/.*)? is a match for the preceding directory and everything within it, recursively.
Add/delete/modify rules with:
# semanage fcontext -[a|d|m] -f <ftype> -t <context> '<regex>'
SELinux Booleans
SELinux uses a collection of boolean variables to allow users to change SELinux policy in pre-defined ways without the need to reload or recompile SELinux policies.
Show all booleans and their current values: # getsebool -a
Show all booleans with current values and meanings: # semanage boolean -l
Show a specific boolean value: # getsebool <boolean-name>
Session 6 Virtualization
Virtualization Terms
Physical Machine  The actual physical machine with RAM, disk space, etc.
Virtual Machine   A logical construct provided by hardware and/or software capabilities that can run an independent OS and perform work as though it were a physical machine.
Hypervisor        A specialized OS that provides virtual machines.
Xen               A hypervisor previously available on Red Hat operating systems that was implemented as a modified version of the Linux kernel.
KVM               Kernel Virtual Machine, the hypervisor Red Hat currently supports on RHEL6. It is implemented within the mainstream Linux kernel as a set of kernel modules.
Guest             The operating system that runs on a virtual machine.
Host              The operating system that runs on a physical machine hosting virtual machines (i.e. the hypervisor).
Virsh Commands
Power on a virtual machine: virsh start <vm name>
Gracefully shut down a virtual machine: virsh shutdown <vm name or id>
Power off a virtual machine: virsh destroy <vm name or id>
Connect to a virtual machine console (requires guest configuration): virsh console <vm name or id>
Disconnect from a console of a virtual machine: ^] ("ctrl + ]")
SELinux considerations
SELinux expects file-based guest images to be stored in /var/lib/libvirt/images/. Use of other locations with SELinux enforcing will require adding the location to the SELinux policies.
1. Find the context applied to the expected location:
# ll -Z /var/lib/libvirt/
drwx--x--x. root root system_u:object_r:virt_image_t:s0 images
2. Add a new context policy:
# semanage fcontext -a -t virt_image_t "/virtstorage(/.*)?"
3. Set the context to match the newly created policy:
# restorecon -R -v /virtstorage/
restorecon reset /virtstorage context unconfined_u:object_r:default_t:s0->system_u:object_r:virt_image_t:s0
facility  One of: auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, uucp, local0-7, or "*"
priority  One of (in ascending priority): debug, info, notice, warning (warn), err (error), crit, alert, emerg (panic), none, or "*"
Multiple facilities can be specified with the same priority with the use of a comma:
uucp,news.crit                              /var/log/spooler
Multiple selectors (facility/priority pairs) can be specified for the same action with the use of a semicolon:
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
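The selector syntax above, as an added example that is not part of the original slides: a POSIX sh function that decides whether a message of a given facility and priority would reach the action of a rule whose selector field is written in this syntax. It implements only the plain forms the slide shows (facility.priority, comma-separated facilities, semicolon-separated selectors, "*" and "none"); rsyslog's "=" and "!" modifiers are not modelled. The function and its name are assumptions of this example.

```shell
#!/bin/sh
# Added example: evaluate a syslog selector field as the slide describes it.
# Priorities ranked in ascending order; "none" and "*" are handled separately.
prio_rank() {
    case $1 in
        debug) echo 0 ;;  info) echo 1 ;;  notice) echo 2 ;;
        warning|warn) echo 3 ;;  err|error) echo 4 ;;  crit) echo 5 ;;
        alert) echo 6 ;;  emerg|panic) echo 7 ;;
        *) echo -1 ;;                       # unknown priority
    esac
}

# selector_matches FACILITY PRIORITY SELECTORS
# Succeeds (exit 0) when a message logged as FACILITY.PRIORITY is selected by
# SELECTORS, e.g. "*.info;mail.none;authpriv.none;cron.none". Selectors are
# applied left to right and the last one naming the message's facility decides,
# which is how "mail.none" removes mail from a preceding "*.info".
selector_matches() {
    msg_fac=$1; msg_pri=$2; selectors=$3
    msg_rank=$(prio_rank "$msg_pri")
    decision=1                              # shell false: not selected yet
    set -f                                  # "*" tokens must not glob filenames
    old_ifs=$IFS
    IFS=';'; set -- $selectors; IFS=$old_ifs
    for sel; do
        case $sel in *.*) ;; *) continue ;; esac   # malformed selector, skip
        facs=${sel%.*}; pri=${sel##*.}
        IFS=','; set -- $facs; IFS=$old_ifs
        for fac; do
            [ "$fac" = '*' ] || [ "$fac" = "$msg_fac" ] || continue
            case $pri in
                none) decision=1 ;;                 # drop this facility entirely
                '*')  decision=0 ;;                 # every priority
                *)    if [ "$msg_rank" -ge "$(prio_rank "$pri")" ]; then
                          decision=0                # this priority and above
                      else
                          decision=1
                      fi ;;
            esac
        done
    done
    set +f
    return $decision
}

# Walk a few constructed messages through the /var/log/messages rule above.
for m in kern.warning mail.err authpriv.notice uucp.crit kern.debug; do
    if selector_matches "${m%.*}" "${m#*.}" '*.info;mail.none;authpriv.none;cron.none'; then
        echo "$m -> /var/log/messages"
    else
        echo "$m -> not written to /var/log/messages"
    fi
done
```

A practical use is checking, before touching a production rsyslog.conf, whether a facility you rely on for detection (authpriv, for example) is being excluded by a "none" selector on the rule you expected to capture it.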
Practice
Configure one system to receive remote log messages. Configure the other to log only a particular facility or priority to the remote syslog server. Use logger to generate test messages. Remember to investigate firewall and SELinux considerations.
NTP Overview
NTP (Network Time Protocol) provides a standardized way for systems to provide and obtain correct time over the network. This service is increasingly critical for today's networking environments. Synchronized time information is required for accurate handling of email, for clustering, for cloud computing, and for virtualization (just to name a few).
NTP Packages
ntp                 Provides the daemon and utilities.
system-config-date  Provides a graphical interface for changing the time and configuring an NTP client.
ntpdate             Provides a command line utility for setting the date and time with NTP.
NTP Documentation
Many man pages: ntp.conf (5), ntp_misc (5), ntp_acc (5), ntp_auth (5), ntp_clock (5), ntp_mon (5), ntpd (8)
Configuration of NTP
Configured in /etc/ntp.conf
restrict lines                Define the access to be allowed or restricted for other hosts that communicate with this service. Each server or peer configured must be included in a restrict line.
server lines                  Define a host to be queried as a more authoritative time source.
peer lines                    Define a host to be queried as an equally authoritative time source.
broadcast or multicast lines  Define ways to obtain or provide time information apart from unicast queries.
Configure as a Client
1. Include at least one server (three are preferred) in /etc/ntp.conf:
server <server1 IP> iburst
server <server2 IP> iburst
2. With the ntp service stopped, synchronize time with ntpdate:
# ntpdate -v <IP of ntp server>
3. Start the ntp service.
4. Verify that the service sees the configured servers (this may take a few minutes):
# ntpq -p
Configure as a Server
1. Follow the steps for Client Configuration.
2. Add one or more restrict lines to allow appropriate access from those systems that will be clients (or peers):
restrict 10.37.112.0 mask 255.255.240.0 nomodify notrap
restrict 10.37.112.13
3. Restart the service after making changes.
Configure as a Peer
1. Follow the steps for Client Configuration.
2. Add one or more restrict lines to allow appropriate access from those systems that will be clients (or peers):
restrict 10.37.112.0 mask 255.255.240.0 nomodify notrap
restrict 10.37.112.13
3. Add one or more peer lines:
peer <peer IP or hostname> [options]
4. Restart the service after making changes.
5. Verify that the service sees the configured peers and servers (this may take a few minutes):
# ntpq -p
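The verification step in the client, server and peer procedures ends with "ntpq -p", and what matters in its output is the first column: "*" marks the peer ntpd has actually synchronized to, "+" a candidate, and a blank means the peer is not being used; the "reach" column is an octal shift register of the last eight polls, so 377 means every poll was answered and 0 means nothing has come back yet. As an added example that is not part of the original slides, the following sh functions read a saved copy of that output (a constructed sample is embedded) and report the selected peer and any configured peer that has never responded. Function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: interpret "ntpq -p" output after configuring NTP.

# ntp_system_peer FILE -> prints the peer marked with the "*" tally, exit 1 if none
ntp_system_peer() {
    awk 'NR > 2 && substr($0, 1, 1) == "*" { print substr($1, 2); found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# ntp_unreachable_peers FILE -> prints peers whose reach register is still 0
ntp_unreachable_peers() {
    awk 'NR > 2 && $7 == 0 { sub(/^[*+#x.o-]/, "", $1); print $1 }' "$1"
}

# ntp_check FILE -> human-readable verdict, exit 1 when no system peer is selected
ntp_check() {
    if peer=$(ntp_system_peer "$1"); then
        echo "synchronized to $peer"
    else
        echo "NOT synchronized: no system peer selected yet (wait a few minutes, then check reach and restrict lines)"
        return 1
    fi
    unreached=$(ntp_unreachable_peers "$1")
    [ -z "$unreached" ] || echo "never answered: $unreached"
}

# Constructed sample that mirrors the layout of "ntpq -p"; not real server output.
sample_ntpq_output() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.37.112.13    .GPS.            1 u   33   64  377    0.412   -0.083   0.054
+10.37.112.14    10.37.112.13     2 u   60   64  377    0.518    0.120   0.061
 10.37.112.15    .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

f=$(mktemp)
sample_ntpq_output > "$f"
ntp_check "$f"
rm -f "$f"
```

On a live system replace the sample with "ntpq -p > /tmp/ntpq.out" and point the functions at that file; a peer that stays at reach 0 after several minutes is usually a firewall (UDP 123) or restrict-line problem rather than a clock problem.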
Configuring Passwords
htpasswd -cm /etc/httpd/.htpasswd good_user
htpasswd -m /etc/httpd/.htpasswd another_user
FTP Documentation
Man Pages: vsftpd.conf (5) ftpd_selinux (8)
anonymous_enable=YES
local_enable=NO
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=daemon
anon_umask=077
4. Modify iptables for inbound ftp. Load the FTP connection tracking modules in /etc/sysconfig/iptables-config:
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
Set rules:
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Packages
Group: nfs-file-server
Packages: nfs-utils, nfs4-acl-tools
Configuration
/etc/sysconfig/nfs
/etc/exports
/etc/exports
/home 192.168.0.0/24(rw,root_squash) server1.example.com(rw,no_root_squash)
/pub *(ro,root_squash)
Note: There is no space between the host or subnet and the options in parentheses (). If you put a space between them, you will get a global export.
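The whitespace trap in the note above is easy to miss in review, so here is an added example (not part of the original slides) of a sh function that audits an /etc/exports file for it, and also flags a bare "*" host combined with no_root_squash, which lets root on any client act as root on the export. The sample exports file is constructed for the example; the function name is an assumption.

```shell
#!/bin/sh
# Added example: audit /etc/exports for detached option groups and wildcard
# exports that disable root squashing.

# check_exports FILE -> one line per finding on stdout, exit 1 if any were found
check_exports() {
    file=$1
    findings=0
    set -f                                   # keep "*" hosts from globbing filenames
    while IFS= read -r line; do
        line=${line%%#*}                     # strip comments
        set -- $line                         # split on whitespace
        [ $# -ge 1 ] || continue             # blank or comment-only line
        path=$1; shift
        for token; do
            case $token in
                \(*)   # "(opts)" with no host in front: NFS applies it to every client
                    echo "WORLD-EXPORT $path: options $token are not attached to a host"
                    findings=$((findings + 1)) ;;
                \*\(*no_root_squash*)
                    echo "ROOT-ON-WILDCARD $path: $token lets root on any client act as root"
                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$file"
    set +f
    [ "$findings" -eq 0 ]
}

# Constructed sample, not a real exports file: the slide's two lines plus two mistakes.
sample_exports() {
cat <<'EOF'
# constructed /etc/exports
/home 192.168.0.0/24(rw,root_squash) server1.example.com(rw,no_root_squash)
/pub *(ro,root_squash)
/data 192.168.0.0/24 (rw)
/scratch *(rw,no_root_squash)
EOF
}

f=$(mktemp)
sample_exports > "$f"
check_exports "$f" || echo "exports file needs attention before running exportfs -r"
rm -f "$f"
```

Run it against the real file with "check_exports /etc/exports" before "exportfs -r"; "exportfs -v" afterwards shows the effective options per client and is the authoritative confirmation.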
Commands
exportfs -a           Export all directories listed in /etc/exports.
exportfs -r           Re-export /etc/exports after editing it.
exportfs -u           Unexport a directory.
showmount -e server   List the exports offered by a server.
SELinux
Mounting
mount nfsserv:/home /mnt/homes
Automounter
Automatically mounts a directory when it is accessed.
Unmounts the directory after a specified idle time.
The autofs service controls this behavior.
A master configuration file: /etc/auto.master
Sub configuration files, usually called /etc/auto.*
Auto.master
Specifies directories to mount under when accessed.
Specifies the auto.* file to use for the directories.
Example: /etc/auto.master
/misc /etc/auto.misc
/data /etc/auto.data
When a directory under /misc is accessed, the /etc/auto.misc file indicates how to mount it. When a directory under /data is accessed, the /etc/auto.data file indicates how to mount it.
Auto.*
Specifies directory name.
Specifies options to use when mounting.
Specifies what to mount.
Example: /etc/auto.data
pictures -rw,soft,intr nfs.example.com:/export/pics
mp3s -ro /dev/sdd1
When the /data/pictures directory is accessed, the system will mount the NFS export /export/pics on nfs.example.com. When the /data/mp3s directory is accessed, the system will mount the local partition /dev/sdd1.
Understanding Automount
You must access the destination directory in order for it to automount. If nothing is automounted and you run "ls /data", you will get no files listed. If you run "ls /data/mp3s", you will get a listing. You can now run "ls /data" and you will see the mp3s directory listed, at least until the idle timeout is reached. Some commands will cause the directory to be mounted when run but do not produce any results. In this case, you may need to run the command a second time.
Samba
Samba is a project providing software capable of utilizing the SMB (Server Message Block) and CIFS (Common Internet File System) protocols to interoperate with systems using MS-Windows-style file and printer sharing.
Linux systems can use Samba to:
Act as a client to SMB/CIFS servers.
Provide file and printer sharing services to clients.
Provide domain controller functionality in a limited subset of possible configurations.
domain=<domainname>
Samba Packages:
samba
samba-client
samba-common
samba-winbind
samba-domainjoin-gui (Optional Repository)
SELinux
SELinux notes are at the top of the config file (/etc/samba/smb.conf) and in the man page samba_selinux (8).
SELinux port settings for Samba:
# semanage port -l | grep smb
smbd_port_t                    tcp      137-139, 445
Services
service smb start
chkconfig smb on
/etc/samba/smb.conf (Global)
workgroup      Specifies a shared Windows Workgroup or Domain name.
server string  Provides a description of the server.
netbios name   Specifies a name for the server in implementations where NetBIOS is still used.
interfaces     Used to bind the service only to particular network adapters or IP addresses.
hosts allow    Used for host-based access control.
/etc/samba/smb.conf (Shares)
[public]
comment = Public Share
path = /var/ftp/public
browsable = yes
writable = yes
Path must have appropriate filesystem permissions.
Testing Configuration
Syntax of the smb.conf file can be tested before restarting the service: # testparm
BIND Packages
bind         The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server.
bind-utils   Utilities for querying DNS name servers.
bind-chroot  A chroot runtime environment for the ISC BIND DNS server.
bind-devel   Header files and libraries needed for BIND DNS development.
bind-libs    Libraries used by the BIND DNS packages.
bind-sdb     BIND server with database backends and DLZ support.
Useful Commands
rndc  Interface to BIND.
host  Queries for DNS resolution. Uses /etc/nsswitch.conf and /etc/resolv.conf.
dig   Queries a DNS server directly, bypassing local config files if you want.
dig www.dell.com              Gets the DNS server from resolv.conf.
dig @dns_server www.dell.com  Queries that DNS server directly.
Configuration Files
Enabling Forwarding
Firewall Considerations
SELinux Considerations
Reading Mail
mail
mutt
Supplemental Topics
Cron
Scheduler
man 5 crontab
anacron
crond
/etc/cron.*
/var/spool/cron
Controlling Cron
crontab -u username   Operate on another user's crontab (root only); combine with -l, -r or -e.
crontab -l            List the crontab.
crontab -r            Remove the crontab.
crontab -e            Edit the crontab.
at Jobs
Runs a job once at a specified time. Understands now, midnight, noon, teatime, minutes, hours, day, week.
Examples:
echo "/sbin/init 6" | at now + 10 minutes
or
at now + 10 minutes
at> /sbin/init 6
at> <CTRL-D>
atq   List pending jobs.
atrm  Remove a pending job.
Structure of /etc/passwd
Name:Password:UID:GID:Comments:Homedir:Shell
Sample Contents
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
scott:x:500:500:Scott Purcell:/home/scott:/bin/bash
Structure of /etc/shadow
Name:Password:Lstchg:May:Must:Warn:Disable:Expire
Sample Contents
# cat /etc/shadow
root:$1$IyApEyOS$dZ5SMuC7Yw9/PDMyWi1H11:14373:0:99999:7:::
sshd:!!:14373:0:99999:7:::
ntp:!!:14373:0:99999:7:::
gdm:!!:14373:0:99999:7:::
scott:$1${...}:14374:0:99999:7:::
bob:$1${...}:14398:7:30:7:7:14457:
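As an added example that is not part of the original slides, the sh script below cross-checks a passwd file and a shadow file with the field layouts given above and reports what a reviewer looks for in these samples: a second UID 0 account, an empty password field (no password at all, as opposed to "!!" which locks the account), a "$1$" MD5 hash where RHEL6's default is sha512, and an interactive account whose password never expires (Max = 99999). The sample files are constructed from the slides' entries with placeholder hashes; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit passwd/shadow fields.
# passwd  Name:Password:UID:GID:Comments:Homedir:Shell
# shadow  Name:Password:Lstchg:Min:Max:Warn:Disable:Expire

# audit_accounts PASSWD_FILE SHADOW_FILE -> one finding per line (no output = clean)
audit_accounts() {
    awk -F: '
        NF == 0 { next }
        FNR == NR {                                   # first file: passwd
            if ($3 == 0 && $1 != "root") print "UID0 " $1 ": second superuser account"
            shell[$1] = $7
            next
        }
        {                                             # second file: shadow
            user = $1; hash = $2; maxdays = $5
            if (hash == "")
                print "EMPTY-PASSWORD " user ": logs in with no password at all"
            else if (substr(hash, 1, 3) == "$1$")
                print "MD5-HASH " user ": $1$ hash; re-hash with sha512 (authconfig --passalgo=sha512 --update)"
            locked = (hash ~ /^[!*]/)                 # "!!", "!" or "*": cannot authenticate
            if (hash != "" && !locked && maxdays == 99999 && shell[user] !~ /nologin$/)
                print "NO-EXPIRY " user ": interactive shell and password never expires"
        }' "$1" "$2"
}

# Constructed samples: the slide entries plus two accounts worth catching.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
scott:x:500:500:Scott Purcell:/home/scott:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
helper:x:0:0:second uid 0:/home/helper:/bin/bash
EOF
}
sample_shadow() {   # hashes are placeholders, not real password hashes
cat <<'EOF'
root:$6$placeholder$placeholderhash:14373:0:99999:7:::
sshd:!!:14373:0:99999:7:::
ntp:!!:14373:0:99999:7:::
scott:$1$placeholder$placeholderhash:14374:0:99999:7:::
bob::14398:7:30:7:7:14457:
helper:$6$placeholder$placeholderhash:14373:0:99999:7:::
EOF
}

# demo_audit -> runs the audit over the constructed samples
demo_audit() {
    d=$(mktemp -d)
    sample_passwd > "$d/passwd"
    sample_shadow > "$d/shadow"
    audit_accounts "$d/passwd" "$d/shadow"
    rm -rf "$d"
}

demo_audit
```

On a real host run "audit_accounts /etc/passwd /etc/shadow" as root; the NO-EXPIRY check is informational (root is expected to show up), while UID0 and EMPTY-PASSWORD findings need an explanation.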
Structure of /etc/group
Name:Password:GID:Users
Sample Contents
# cat /etc/group
root:x:0:root
scott:x:500:
bob:x:501:
mary:x:502:
sales:x:503:bob,mary
training:x:504:scott
Structure of /etc/gshadow
Name:Password:Admins:Members
Sample Contents
# cat /etc/gshadow
root:::root
scott:!!::
bob:!::
mary:!::
sales:!::bob,mary
training:!::scott
User environment
Home directories: /home/{user}/ or /root/
/etc/skel  Contents copied to the home directory of each new user.
Common Contents:
.bashrc
.bash_logout
.bash_profile
Troubleshooting
Read the entire error or message and read it carefully. Pay attention to what it says.
Look at the logs: /var/log/messages, /var/log/secure
Look for typos in the command line or configuration file. A simple missing semicolon (;) or a dot (.) instead of a dash (-) could be the issue.
Break the problem down into smaller parts and troubleshoot them.
Booting
Think about the boot process and at which point you are failing:
MBR (GRUB Stage 1)
GRUB Stage 1.5 (driver to read the filesystem)
GRUB Stage 2 (menu)
Kernel
initrd (initial ramdisk)
init process
inittab
rc.sysinit
services
Booting - (MBR)
The MBR boots the system and loads the next GRUB Stage. If MBR is on a partition, is it marked bootable according to fdisk ?
Booting - Kernel
Be careful not to create a typo when specifying the kernel. A common typo is a dash instead of a period. Make sure that "root=" specifies the correct location of the device containing root (/).
Booting - inittab
This is init's configuration file. It calls rc.sysinit. It runs services for the appropriate run levels. This is a very important and very easy file to corrupt. If you get "Process spawning too rapidly" during boot, check this file or check to see if the commands it calls are there.
Booting - rc.sysinit
Sets hostname
Runs filesystem checks if needed
Mounts file systems in fstab
Remounts / as read/write
Booting - services
Maybe the boot issue is caused by a service. Boot into run level 1 and see if it boots. Run level 1 runs rc.sysinit and a couple of services. Boot into runlevel S. Run level S does not start any services and does not run rc.sysinit.
Networking
/etc/resolv.conf   DNS resolution
/etc/nsswitch.conf
/etc/sysconfig/network
/etc/sysconfig/network-scripts/ifcfg-eth*
X
system-config-display --reconfig --noui
TCP_Wrappers
tcp_wrappers is an easy-to-configure security mechanism that protects some (but not all!) services using the hosts access files, /etc/hosts.allow and /etc/hosts.deny. hosts.allow is processed first, then hosts.deny. Each file is read from top down and the first matching rule is applied; all subsequent rules are ignored. If no matching rule is found, access is granted! Changes take immediate effect -- no services need restarting.
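The evaluation order just described (hosts.allow first, then hosts.deny, first match wins, and access granted when nothing matches) is what people get wrong, so here it is as an added example that is not part of the original slides: sh functions that apply that order to constructed hosts.allow and hosts.deny files. Only a small subset of the hosts_access(5) pattern syntax is modelled, namely ALL, an exact name or address, a "192.168.0." prefix and a ".example.com" suffix; EXCEPT lists, netmasks, option fields and IPv6 are not. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: the hosts.allow / hosts.deny decision order.

# pattern_matches ITEM PATTERN -> ALL, exact, "prefix." or ".suffix"
pattern_matches() {
    item=$1; pat=$2
    case $pat in
        ALL) return 0 ;;
        *.)  case $item in "$pat"*) return 0 ;; esac ;;
        .*)  case $item in *"$pat") return 0 ;; esac ;;
        *)   [ "$item" = "$pat" ] && return 0 ;;
    esac
    return 1
}

# list_matches ITEM LIST -> LIST items are separated by commas and/or spaces
list_matches() {
    item=$1
    old_ifs=$IFS; IFS=', '; set -- $2; IFS=$old_ifs
    for pat; do
        [ -n "$pat" ] || continue
        pattern_matches "$item" "$pat" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT -> succeeds on the first "daemons : clients" rule that matches
file_matches() {
    file=$1; daemon=$2; client=$3
    while IFS= read -r line; do
        line=${line%%#*}
        case $line in *:*) ;; *) continue ;; esac     # blank or malformed line
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                           # a trailing ": option" field is ignored
        if list_matches "$daemon" "$daemons" && list_matches "$client" "$clients"; then
            return 0
        fi
    done < "$file"
    return 1
}

# hosts_access ALLOW_FILE DENY_FILE DAEMON CLIENT -> prints allow or deny
hosts_access() {
    if file_matches "$1" "$3" "$4"; then echo allow      # hosts.allow is consulted first
    elif file_matches "$2" "$3" "$4"; then echo deny     # then hosts.deny
    else echo allow                                      # nothing matched: access is granted
    fi
}

# Constructed files: allow sshd from one subnet and one domain, deny everything else.
demo_hosts_access() {
    allow=$(mktemp); deny=$(mktemp)
    printf 'sshd: 192.168.0. .example.com\n' > "$allow"
    printf 'ALL: ALL\n' > "$deny"
    for c in 192.168.0.5 host.example.com 10.0.0.1; do
        echo "sshd from $c: $(hosts_access "$allow" "$deny" sshd "$c")"
    done
    rm -f "$allow" "$deny"
}

demo_hosts_access
```

The case to remember is an empty or missing hosts.deny: with no "ALL: ALL" line, a client that matches nothing in hosts.allow is still let in, so a hosts.allow file on its own restricts nothing.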
Source Repository
Info: See <https://github.com/texastwister/OpenRHCE> for the latest version of this doc.
Author: Scott Purcell <[email protected]>
Date: December 12, 2011