Download - 48468259 RHCE Cheat Sheet
RHCE "Cheat Sheet"This document attempts to provide answers to all study points on the RHCE and RHCT Exam Preparation Guide in a single-page (and thus, printable) format. This is not a “brain dump” or an attempt to cheat the RH302 exam in any way. These are just my self-study notes. Use them at your own risk.
Note: Study points last updated on 2009-08-11. This list may become out of date without notice (especially after I pass the test ).
updated by Dino Conti on 2010-06-25
Table of ContentsRHCE "Cheat Sheet"............................................................................................................................1
Testing Environment with Sun VirtualBox......................................................................................4Prerequisite skills for RHCT and RHCE.........................................................................................4
use standard command line tools (e.g., ls, cp, mv, rm, tail, cat, etc.) to create, remove, view, and investigate files and directories............................................................................................4use grep, sed, and awk to process text streams and files.............................................................4use a terminal-based text editor, such as vim or nano, to modify text files................................4use input/output redirection........................................................................................................4understand basic principles of TCP/IP networking, including IP addresses, netmasks, and gateways for IPv4 and IPv6........................................................................................................5use su to switch user accounts.....................................................................................................5use passwd to set passwords.......................................................................................................5use tar, gzip, and bzip2................................................................................................................5configure an email client on Red Hat Enterprise Linux..............................................................5use text and/or graphical browser to access HTTP/HTTPS URLs.............................................5use lftp to access FTP URLs.......................................................................................................5HELP in RHEL5.........................................................................................................................5
RHCT skills.....................................................................................................................................6Troubleshooting and System Maintenance.................................................................................6
boot systems into different run levels for troubleshooting and system maintenance.............6diagnose and correct misconfigured networking....................................................................6diagnose and correct hostname resolution problems..............................................................6configure the X Window System and a desktop environment...............................................6add new partitions, filesystems, and swap to existing systems..............................................7
partitions............................................................................................................................7filesystems.........................................................................................................................7swap...................................................................................................................................8
use standard command-line tools to analyze problems and configure system.......................8Installation and Configuration....................................................................................................8
perform network OS installation............................................................................................8implement a custom partitioning scheme...............................................................................8configure printing...................................................................................................................8configure the scheduling of tasks using cron and at...............................................................9
cron....................................................................................................................................9at/batch...............................................................................................................................9
attach system to a network directory service, such as NIS or LDAP...................................10configure autofs....................................................................................................................10
add and manage users, groups, quotas, and File Access Control Lists................................10users......................................................................................................................................11groups...................................................................................................................................11
quotas...............................................................................................................................11Access Control Lists........................................................................................................12
configure filesystem permissions for collaboration.............................................................12install and update packages using rpm.................................................................................12properly update the kernel package......................................................................................13configure the system to update/install packages from remote repositories using yum or pup..............................................................................................................................................13
create yum repository from installation DVD.................................................................13modify the system bootloader..............................................................................................14implement software RAID at install-time and run-time.......................................................14use /proc/sys and sysctl to modify and set kernel run-time parameters...............................14use scripting to automate system maintenance tasks............................................................15configure NTP for time synchronization with a higher-stratum server................................15
RHCE skills...................................................................................................................................15Troubleshooting and System Maintenance...............................................................................15
use the rescue environment provided by first installation CD.............................................15diagnose and correct boot failures arising from bootloader, module, and filesystem errors15
grub errors........................................................................................................................16kernel errors.....................................................................................................................16
diagnose and correct problems with network services (see Installation and Configuration below for a list of these services).........................................................................................16add, remove, and resize logical volumes..............................................................................17diagnose and correct networking services problems where SELinux contexts are interfering with proper operation...........................................................................................................17
Installation and Configuration..................................................................................................18HTTP/HTTPS.......................................................................................................................19
install...............................................................................................................................19selinux..............................................................................................................................19start at boot......................................................................................................................19basic config......................................................................................................................19host-based security...........................................................................................................20user-based security...........................................................................................................20verify service functionality..............................................................................................20
SMB......................................................................................................................................20install...............................................................................................................................20selinux..............................................................................................................................21start at boot......................................................................................................................21basic config......................................................................................................................21host-based security...........................................................................................................22user-based security...........................................................................................................22verify service functionality..............................................................................................22
NFS.......................................................................................................................................23install...............................................................................................................................23start at boot......................................................................................................................23basic config......................................................................................................................23host-based security...........................................................................................................23user-based security...........................................................................................................23verify service functionality..............................................................................................23
FTP.......................................................................................................................................24
install...............................................................................................................................24selinux..............................................................................................................................24start at boot......................................................................................................................24basic config......................................................................................................................24host-based security...........................................................................................................24user-based security...........................................................................................................24verify service functionality..............................................................................................24
Web proxy............................................................................................................................24install...............................................................................................................................24selinux..............................................................................................................................24start at boot......................................................................................................................25host-based security...........................................................................................................25parental control with blocklist.........................................................................................25user-based security...........................................................................................................25verify service functionality..............................................................................................25
SMTP....................................................................................................................................26to enable masquerading in sendmail................................................................................26install...............................................................................................................................27start at boot......................................................................................................................27basic config......................................................................................................................27host-based security...........................................................................................................28user-based security...........................................................................................................28verify service functionality..............................................................................................28
IMAP, IMAPS, and POP3....................................................................................................28install...............................................................................................................................28start at boot......................................................................................................................28basic config......................................................................................................................28create custom ssl cert: .....................................................................................................28host-based security...........................................................................................................28user-based security...........................................................................................................29verify service functionality..............................................................................................29
SSH.......................................................................................................................................29install...............................................................................................................................29start at boot......................................................................................................................29Generate Public / Private key pair...................................................................................29user-based security...........................................................................................................29host-based security...........................................................................................................29verify service functionality..............................................................................................29
DNS (caching name server, slave name server)...................................................................30install...............................................................................................................................30start at boot......................................................................................................................30basic config......................................................................................................................30host-based security...........................................................................................................31user-based security...........................................................................................................31verify service functionality..............................................................................................31
NTP......................................................................................................................................31install...............................................................................................................................31start at boot......................................................................................................................31host-based security...........................................................................................................31user-based security...........................................................................................................31verify service functionality..............................................................................................31
configure hands-free installation using Kickstart.................................................................32
implement logical volumes at install-time...........................................................................32use iptables to implement packet filtering and/or NAT........................................................32
packet filtering.................................................................................................................32NAT.................................................................................................................................32setup for router to internet...............................................................................................33
use PAM to implement user-level restrictions......................................................................33module documentation.....................................................................................................33module configuration.......................................................................................................33pam_listfile.so example...................................................................................................34
Additional Notes............................................................................................................................34tcp_wrappers.............................................................................................................................34Troubleshooting........................................................................................................................34
unable to log in.....................................................................................................................34
Testing Environment with Sun VirtualBoxinstall guest additions:
yum install gcc kernel-develsh /media/VBOXADDITIONS*/VBoxLinuxAdditions-x86.runreboot
Prerequisite skills for RHCT and RHCECandidates should possess the following skills, as they may be necessary in order to fulfill requirements of the RHCT and RHCE exams:
use standard command line tools (e.g., ls, cp, mv, rm, tail, cat, etc.) to create, remove, view, and investigate files and directories
use grep, sed, and awk to process text streams and files
use a terminal-based text editor, such as vim or nano, to modify text files
use input/output redirection
operator description > redirect STDOUT to a file 2> redirect STDERR to a file &> redirect all output to a file 2>&1 redirect all output to a pipe
• use » to append instead of overwrite
understand basic principles of TCP/IP networking, including IP addresses, netmasks, and gateways for IPv4 and IPv6
use su to switch user accountssu - <user>
use passwd to set passwordspasswd <user>
use tar, gzip, and bzip2# compress (tar/gzip)tar cvzf <file>.tgz <directory>
# extract (tar/gzip)tar xvzf <file>.tgz
# compress (tar/bzip)tar cvjf <file>.tbz <directory>
# extract (tar/bzip)tar xvjf <file>.tbz
configure an email client on Red Hat Enterprise Linuxecho "message" | mail <email> -s "subject"mail <email> -s "subject" < <file>
use text and/or graphical browser to access HTTP/HTTPS URLs
• elinks• lynx
use lftp to access FTP URLs
HELP in RHEL5man <command>
man -k <command> search for specific word in manuals
makewhatis create manuals database
command --info
/usr/share/doc/<service or package> installed documentation
/usr/share/doc/Deployment-Guide all the manual
System > Documentation > Deployment Guide
elinks /var/www/manual/ Apache Documentation
RHCT skills
Troubleshooting and System Maintenance
RHCTs should be able to:
boot systems into different run levels for troubleshooting and system maintenance
append the desired runlevel to grub's kernel line:
• 1-5 runs appropriate rc and init scripts• single only runs rc.sysinit• emergency skips all rc and init scripts
diagnose and correct misconfigured networking
1. check /etc/sysconfig/network2. check /etc/sysconfig/network-scripts/ifcfg-<interface>3. service network restart4. chkconfig network on5. ifconfig6. ping <localhost ip>7. netstat -r8. ping <default gateway>9. ping 4.2.2.2
redhat network config tool:
system-config-network
diagnose and correct hostname resolution problems
1. check /etc/nsswitch.conf2. check /etc/resolv.conf3. check /etc/hosts4. dig @<dns server> google.com
redhat network config tool:
system-config-network
configure the X Window System and a desktop environment
install x:
yum groupinstall "x window system"
• init respawns /etc/X11/prefdm -nodaemon to keep x running in runlevel 5• startx to start manually
xfs is supposedly required for x windows (even though i can run x fine without it…):
service xfs onchkconfig xfs on
x environment config:
• /etc/sysconfig/desktop• /etc/X11/xinit/xinitrc• /etc/X11/xinit/Xclients• ~/.xinitrc• ~./Xclients
redhat display config tool:
system-config-display [--reconfig]
install gnome desktop:
yum groupinstall "gnome desktop environment"
switchdesk allows you to change your desktop environment:
yum install switchdeskswitchdesk
if switchdesk is not available, edit /etc/sysconfig/desktop:
DISPLAYMANAGER=<GNOME|KDE|XDM>DESKTOP=<GNOME|KDE>
add new partitions, filesystems, and swap to existing systems
partitions
manage partitions:
fdisk <device>n new partitionm menup print partition tablet toggle partition typed delete partition w write changes to diskq quit
partprobe make kernel aware of new partitions
( try also partprobe /dev/sda )
filesystems
make filesystems:
mkfs.<ext2|ext3> mkfs -t ext3 /dev/sda5
mkfs -t ext3 -L home-drive /dev/sda5
label filesystems:
e2label <partition> <label>blkid list UUID and Labels of partitions
manage filesystem settings:
tune2fs <partition>dumpe2fs <partition>
mkdir /test
mount -t ext3 /dev/sda5 /test
mount -o acl /dev/sda5 /test mount with ACL support user created filesystems
edit /etc/fstab to make mount permanent
/dev/sda5 /test ext3 defaults 0 0
check fstab with mount -a command
if recovering /etc/fstab during recovery operation you need to mount read/write:
mount -o remount,rw /
swap
note that it's possible to create a swap file instead of a partition:
dd if=/dev/zero of=<file> bs=1024 count=<size>
format the file/partition:
mkswap <partition|file>nano -w /etc/fstabswapon -vacat /proc/swaps
use standard command-line tools to analyze problems and configure system
• check for full filesystems, quotas
Installation and Configuration
RHCTs must be able to:
perform network OS installation
at boot prompt:
linux askmethod
implement a custom partitioning scheme
configure printing
printing support is provided by cups:
service cups startchkconfig cups on
redhat printer config tool: system-config-printer
web config tool: http://localhost:631
printing via command line:
# printlpr <file># view print queuelpq# remove print joblprm <job number>
configure the scheduling of tasks using cron and at
cron
make sure vixie cron is installed and running:
yum install vixie-cronservice crond startchkconfig crond on
1. if /etc/cron.allow exists, only these users are allowed (/etc/cron.deny is ignored)2. if /etc/cron.allow does not exist, everyone allowed except users in /etc/cron.deny3. if neither exists, only root allowed4. empty /etc/cron.deny means all users allowed (default)
edit your cron jobs:
crontab -e
crontab format:
<minute> <hour> <day of month> <month> <day of week> <command>
24 13 * * * /home/user/script
/etc/crontab has additional user field before command.
at/batch
make sure at is installed and running:
yum install atservice atd startchkconfig atd on
1. if /etc/at.allow exists, only these users are allowed (/etc/at.deny is ignored)2. if /etc/at.allow does not exist, everyone allowed except users in /etc/at.deny3. if neither exists, only root allowed4. empty /etc/at.deny means all users allowed (default)
# add jobsat now + 1 hourat> <command>
at 09:00 2009-07-23at> <command>
batchat> <command>
# list jobsatq
remove jobsatrm <job>
attach system to a network directory service, such as NIS or LDAP
redhat config tools: system-config-authentication
authconfig-tui
required packages for nis: yum install ypbind portmap
required packages for ldap: yum install nss-ldap openldap
configure autofs
make sure the autofs service is running:
service autofs startchkconfig autofs on
ensure the following line in /etc/nsswitch.conf:
automount: files nis
define an autofs-controlled mountpoint called test by adding the following to /etc/auto.master:
/test /etc/auto.test
create /etc/auto.test:
blah example.com:/pub/something* example:/home/&
1. local /test/blah remote ⇒ example.com:/pub/something2. local /test/user remote ⇒ example:/home/user ( this method can be used to automount
home directories)
test automounting:
ls /test/blahls /test/user
# redhat defaultsls /net/<hostname>ls /misc/cd
add and manage users, groups, quotas, and File Access Control Lists
redhat user/group config tool: system-config-users
users
/etc/passwd file format:
username:password:uid:gid:gecos:homedir:shell
/etc/shadow file format:
username:password:lastpwchange:minpwchange:maxpwage:pwchangewarn:inactive:expire
command line user management:
useradd <user>usermod <user>usermod -aG accounts <username> add user to group and keep all
other group memberships
chage <user>chage -M 30 user set password to expire in 30 days
userdel <user>pwck
• default account expiration settings in /etc/login.defs
groups
/etc/group file format:
groupname:password:gid:members
command line group management:
groups <user>groupadd <user>groupmod <user>groupdel <user> grpck
gpasswd -a group <user>
quotas
install quota package :
yum install quota
add fs options to /etc/fstab:
usrquota,grpquota
remount device
mount -o remount <mount point>
init quota database:
quotacheck -cugm <device>
enable/disable quotas
quotaon <device>quotaoff <device>
edit quotas
edquota -u <user>edquota -g <group>
edit grace time
edquota -ut <user>edquota -gt <group>
check/report quotas
quota <user>repquota -aug
Access Control Lists
install acl package
yum install acl
add fs options to /etc/fstab:
acl
remount device:
mount -o remount,acl <mount point>
manage acls:
# set aclssetfacl -m [d:]u:<user>:<r|w|x|-> <file>setfacl -m [d:]g:<group>:<r|w|x|-> <file>
setfacl -m u:user:--- /shared/to/secret-file remove all access to file
# get aclsgetfacl <file>
# remove aclssetfacl -x u:<user> <file>setfacl -x g:<user> <file>setfacl --remove-all <file>setfacl --remove-default <file>
configure filesystem permissions for collaboration
1. create new group2. add users to group3. chown folder to root.<group>4. chmod folder to 2770 (g+s) this is also required for Samba Group shares
install and update packages using rpm
# installrpm -ivh <package>.rpm
# updaterpm -Uvh <package>.rpm
# freshen rpm -Fvh <package>.rpm
# removerpm -e <package>
# query by file namerpm -qf <full path to file>
# verify a filerpm -Vf > <full path of file>
# verify status of all packagesrpm -Va > /tmp/rpmverify
rpm -qi package get info on installed package
while inside the rescue environment, use the –root option to specify the real location of your root file system (e.g. –root=/mnt/sysimage).
properly update the kernel package
1. always do an install (i.e. rpm -ivh <kernel package>) rather than an update2. check /boot/grub/grub.conf for proper configuration
configure the system to update/install packages from remote repositories using yum or pup
yum config goes in /etc/yum.repos.d/
[id]name=my repobaseurl=http://example.com/centos/enabled=1
create yum repository from installation DVD
umount /media/RHEL_5.4\ i386\ DVD/
[root@mail ~]# mkdir /mnt/cdrom
[root@mail ~]# mount /dev/cdrom /mnt/cdrom/
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@mail ~]# cd /mnt/cdrom/Server/repodata
[root@mail yum.repos.d]# cat rhel-cd.repo
[rhel-cd] name=Red Hat Enterprise Linux $releasever - $basearch - Debug baseurl=file:/mnt/cdrom/Server/ #baseurl=file:///media/RHEL_5.4\ i386\ DVD/Server/
enabled=1 gpgcheck=0 #gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
yum search nmap
system-config-packages ( this will now display package groups available during installation )
modify the system bootloader
• production config is in /boot/grub/grub.conf• see examples in /usr/share/doc/grub-*/menu.lst
implement software RAID at install-time and run-time
to start, we need at least two devices/partitions of type “linux raid autodetect” (use fdisk to set partition type to “fd”)
create raid device:
mdadm --create /dev/md0 --level=<0|1|4|5|6|10> --raid-devices=<num> <device list>
fail disk in array:
mdadm /dev/md0 -f <device>
remove disk from array:
mdadm /dev/md0 -r <device>
add disk to array:
mdadm /dev/md0 -a <device>
stop array:
mdadm --stop /dev/md0
check raid status:
mdadm --detail /dev/md0
cat /proc/mdstat
format works as usual:
mkfs.ext3 /dev/md0
don't forget to configure /etc/fstab appropriately.
use /proc/sys and sysctl to modify and set kernel run-time parameters
config is in /etc/sysctl.conf
# search through parameterssysctl -a | grep <whatever># apply changes from config file immediately
sysctl -p
use scripting to automate system maintenance tasks
configure NTP for time synchronization with a higher-stratum server
redhat config tool:
system-config-date
• config is in /etc/ntp.conf
synchronization configuration example:
server 0.pool.ntp.orgserver 1.pool.ntp.orgserver 2.pool.ntp.org
apply changes:
service ntpd restartchkconfig ntpd on
verify changes:
ntpq -p
RHCE skills
Troubleshooting and System Maintenance
RHCEs must demonstrate the RHCT skills listed above, and should be able to:
use the rescue environment provided by first installation CD
linux rescue
• when working in non-chrooted rescue mode:• mount /dev/hdc /mnt/source (to access install files on the cd/dvd)• rpm commands should use the –root=/mnt/sysimage option
manually make /dev and /proc available in chrooted mode:
mount -o bind /dev /mnt/sysimage/devmount -o bind /proc /mnt/sysimage/proc
diagnose and correct boot failures arising from bootloader, module, and filesystem errors
check in order:
1. mbr2. /boot/grub/grub.conf3. /etc/fstab4. /etc/inittab5. /etc/rc.d/rc.sysinit6. /etc/rc.d/rc*.d
7. /etc/rc.d/init.d/*8. /etc/rc.d/rc.local
grub errors
• in general, use the last line before the error message to see where grub error'd out• to find correct value for root option, type find /grub/stage1 at the grub command line (
remember that all file names in grub.conf are relative to the root option)• check for missing files in kernel and/or initrd lines
kernel errors
• missing/corrupt initrd file results in: kernel panic - not syncing: vfs: unable to mount root fs on unknown-block
• invalid root parameter for kernel results in: setuproot: error mounting /proc: No such file or directory
reinstall grub to mbr:
grub-install <device>
or
grubgrub> find /grub/stage1grub> root (hd0,0)grub> setup (hd0)grub> quit
to password protect grub :
grub-md5-crypt to create md5 password hash
copy and paste this into /boot/grub/grub.conf ( 2 options – protect editing of GRUB during boot or protect selection of kernel image – for testing )
recreate initrd:
mkinitrd <filename> <kernel version>
fix corrupt filesystem:
fsck <partition>
if fsck is unable to locate a superblock, you can specify an alternative one:
dumpe2fs <partition>fsck -b <block#> <partition>
diagnose and correct problems with network services (see Installation and Configuration below for a list of these services)
see what's listening on what port:
netstat -ntaupe
add, remove, and resize logical volumes
redhat lvm config tool:
yum install system-config-lvmsystem-config-lvm
create physical volume:
pvcreate <device>
create volume group:
vgcreate <name> <pv device> [pv device]
extend volume group:
vgextend <name> <pv device>
create logical volume:
lvcreate --size <size>M --name <lv name> <vg name>
extend logical volume:
lvextend --size <size>M <device>resize2fs <device>
shrink logical volume:
resize2fs <device> <size>Mlvreduce --size <size>M <device>
remove logical volume:
lvremove <device>
lvm vgchange -ay activate lvm Volume Groups in Rescue Modelvm lvs use these commands to check lvm in rescue mode
lvm vgslvm pvslvm vgsanlvm pvscanlvm lvscan
mkdir /mnt/sysimage
mount /dev/VolGroup00/LogVol00 /mnt/sysimage mount root partitionmount /dev/sda1 /mnt/sysimage/boot mount boot partition
from here you can resize LVM partitions or reinstall grub
diagnose and correct networking services problems where SELinux contexts are interfering with proper operation.
enable/disable selinux in /etc/sysconfig/selinux:
SELINUX=enforcingSELINUXTYPE=targeted
install selinux troubleshooter:
yum install setroubleshootservice setroubleshoot startchkconfig setroubleshoot on
install selinux management tool:
yum install policycoreutils-gui
list selinux errors:
sealert -a /var/log/audit/audit.log | less
launch gui browser:
sealert -b
list selinux booleans:
getsebool -a
set selinux boolean:
setsebool -P <boolean> = <0|1> make persistent SELinux changes
(check ftp, nfs, http, smb for such problems )
list security contexts:
ls -Z <file>
change security contexts:
# using reference (copy contexts from existing known-good file)chcon -R --reference <old file> <new file>
# manualchcon -R -u <user> <file>chcon -R -t <type> <file>
use semanage fcontext to survive a relabel of filesystem ( especially when changing SELinux from ON to OFF to ON )
semanage fcontext -a -t public_content_t '/www/data/html(/.*)?'
restorecon -vvFR /www/data/html restore default context
Installation and Configuration
RHCEs must demonstrate the RHCT-level skills listed above, and they must be capable of configuring the following network services. For each of these services, RHCEs must be able to:
• install the packages needed to provide the service• configure SELinux to support the service• configure the service to start when the system is booted• configure the service for basic operation• Configure host-based and user-based security for the service
HTTP/HTTPS
install
yum install httpd mod_ssl httpd-manual
selinux
make new DocumentRoot match default DocumentRoot ( this applies to any directory that apache will serve files from):
chcon -R --reference /var/www /www
start at boot
chkconfig httpd on
basic config
• requirements for ~user/ directories:• UserDir directive• chmod 701 the user's home directory• change security context on the user's UserDir
• requirements for .htaccess file usage:• AllowOverride All directive
• requirements for name-based virtual hosts:• NameVirtualHost *:80 and NameVirtualHost *:443 directives• each virtual host requires appropriate ServerName and ServerAlias directives• a single virtual host cannot span multiple ports (i.e. 80 and 443). two separate
VirtualHost *:<port> sections are needed to do this.
self-signed ssl cert:
cd /etc/pki/tls/certsrm localhost.crtmake testcert.pem
edit /etc/httpd/conf.d/ssl.conf
change following lines to point to new certificate :
SSLCertificateFile /etc/pki/tls/certs/dino.pem #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) SSLCertificateKeyFile /etc/pki/tls/certs/dino.pem #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
check virtual host config:
httpd -D DUMP_VHOSTS
host-based security
firewall config:
protocol ports tcp 80, 443 hosts are allowed by default and must be explicitly denied:
<Directory /var/www/html> Order deny,allow Deny from 192.168.0.0/255.255.255.0 Deny from badguys.example.com</Directory>
hosts are denied by default and must be explicitly allowed:
<Directory /var/www/html> Order allow,deny Allow from 192.168.0.0/255.255.255.0 Allow from goodguys.example.com</Directory>
user-based security
create web password file:
htpasswd -c /etc/httpd/webusers testuser1htpasswd /etc/httpd/webusers testuser2
create web group file (/etc/httpd/webgroups):
testgroup: testuser1 testuser2
allow access by group:
<Directory /var/www/html> AuthType Basic AuthName "top secret area" AuthUserFile /etc/httpd/webusers AuthGroupFile /etc/httpd/webgroups Require group testgroup</Directory>
verify service functionality
test http/https:
elinks <http|https>://<hostname>/[path]
SMB
install
yum install samba samba-client
selinux
allow samba to share home directories:
setsebool -P samba_enable_home_dirs=1
mark a directory as shareble with samba:
chcon -R -T samba_share_t <directory>
start at boot
chkconfig smb on
basic config
redhat samba config tool:
yum install system-config-sambasystem-config-samba
set workgroup/domain:
workgroup = <workgroup>
security modes:
# connections check local pwdb (default)security = user
# member server on a domain, uses pwdb on a dcsecurity = domainworkgroup = EXAMPLE
# member server on an ad domain using kerberos, uses pwdb on a dcsecurity = adsrealm = EXAMPLE.COMpassword server = kerberos.example.com
# used when samba was not capable of being a domain member server (DO NOT USE)security = serverencrypt passwords = yespassword server = <netbios name of dc>
# each share requires a password (DO NOT USE)security = share
share options:
[<share name>]# path for sharepath = <path>
# share is visible browseable = <yes|no>
# rw enabledwriteable = <yes|no>
# this is a shared printerprintable = <yes|no>
# all users connecting to this share use <group> as their primary groupgroup = <group name>
join domain:
net rpc join -U root
mount -t cifs 192.168.0.200:shared-folder /mnt/share -o user=<user>
fstab example:
//<hostname>/<share> <mountpoint> cifs user=<username>,pass=<password> 0 0
mount.cifs and umount.cifs need to be chmod'ed u+s in order to be used by non-root users
host-based security
firewall config:
protocol ports tcp 139, 445 udp 137, 138 hosts allow/deny can be used per-server or per-share:
hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24hosts deny = 0.0.0.0/0
user-based security
account maintenance:
# add account (local linux account must exist first, or be translated via /etc/samba/smbusers):smbpasswd -a <username>
# enable/disable account:smbpasswd -e <username>smbpasswd -d <username>
# remove account:smbpasswd -x <username>
service smb reload may be needed after account changes
share access:
valid users = <user1> @<group1>
• share access is also controlled by unix file permissions
verify service functionality
list shares:
smbclient -L <hostname> -U <username>
browse shares:
smbclient //<hostname>/<share> -U <username>
test allow/deny statements for a host:
testparm /etc/samba/smb.conf <hostname> <ip address>
NFS
install
yum install portmap nfs-utils
start at boot
chkconfig portmap onchkconfig nfs onchkconfig nfslock onchkconfig netfs on
basic config
redhat config tool:
yum install system-config-nfssystem-config-nfs
format of /etc/exports:
<mountpoint> <host>(<options>) [<host>(<options>) ...]
activate new exports:
/etc/init.d/nfs restart
host-based security
edit /etc/sysconfig/nfs and restart nfs to set static ports
firewall config:
# see ports rpcinfo -p
open ports 111, 2049 and rpc ports defined in /etc/sysconfig/nfs
host based security is intrinsic to the format of the exports file
user-based security
use standard file permissions
verify service functionality
list exports:
showmount -e <host>
FTP
install
yum install vsftpd
selinux
allow local users to log in and cd into home directories:
setsebool -P ftp_home_dir=1
start at boot
chkconfig vsftpd on
basic config
host-based security
• use iptables with -[!]s option
firewall config:
protocol ports tcp 21
ftp data transfers will not work unless ip_conntrack_ftp is added to IPTABLES_MODULES in /etc/sysconfig/iptables-config
tcp_wrappers example:
vsftpd : 192.168.0.
user-based security
• allow/deny controlled via /etc/vsftpd/user_list ( users in /etc/vsftpd/ftpusers are always denied via pam)
• default allow/deny is configured by userlist_deny statement in vsftpd.conf
verify service functionality
test ftp:
ftp <server>
Web proxy
install
yum install squid
selinux
allow squid to connect to the network (this is recommended, but was not needed in my testing):
setsebool -P squid_connect_any=1
start at boot
chkconfig squid on
host-based security
firewall config:
protocol ports tcp 3128
Edit /etc/squid/squid.conf
visible_hostname www.quake.lan
allow access from local networks:
acl our_networks src 192.168.1.0/24 192.168.2.0/23http_access allow our_networks
parental control with blocklist
acl our_networks src 192.168.1.0/24 192.168.2.0/23acl block-sites dstdomain .yahoo.com .hotmail.com acl block-words url_regex sex cunt penis movieshttp_access deny block-sites http_access deny block-words http_access allow our_networks
user-based security
Install ncsa_auth
htpasswd /etc/squid/passwd username create username / password file
Edit /etc/squid/squid.conf
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwdauth_param basic children 5auth_param basic realm Squid proxy-caching web serverauth_param basic credentialsttl 2 hoursauth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIREDhttp_access allow ncsa_users
verify service functionality
test proxy:
HTTP_PROXY=<server>:3128 elinks
SMTP
Using Sendmail
yum install sendmail sendmail-cf
edit /etc/mail/sendmail.mc
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
LOCAL_DOMAIN(`example.com')dnl
build new sendmail.cf :
make -C /etc/mail
edit /etc/mail/access
Connect:192.168.0 RELAY allow relay from local LAN
edit /etc/mail/local-host-names
example.com domains hosted on our server
quake.lan
edit /etc/mail/virtualusertable
[email protected] [email protected] virtual users mappings
/etc/aliases
root: admin aliases to other accounts
tony: mark
run newaliases to build new file
to enable masquerading in sendmail
edit /etc/mail/sendmail.mc
MASQUERADE_AS(`mydomain.com')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl
MASQUERADE_DOMAIN(mydomainalias.com)dnl
MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
rebuild sendmail.cf file ( make -C /etc/mail )
check mail passing through : /var/log/maillog
check /var/spool/mail to see mailboxes
install
yum install postfixalternatives --config mtaservice sendmail stop
start at boot
chkconfig postfix on
basic config
listen on public interfaces:
inet_interfaces = all
specify all destination hostnames/domains:
mydestination = <hostname1>, <hostname2>, ...
specify origin domain:
myorigin = $mydomain
local aliases in /etc/aliases ( dont forget to run newaliases to apply changes):
<alias>: <user1>[, user2]
virtual aliases in /etc/postfix/virtual ( dont forget to run postmap /etc/postfix/virtual to apply changes):
<virtual alias>: <user>
enable virtual aliases:
virtual_alias_maps = hash:/etc/postfix/virtual
outbound address rewriting in /etc/postfix/generic ( dont forget to run postmap /etc/postfix/generic to apply changes):
<outbound alias>: <user>
enable outbound aliases:
smtp_generic_maps = hash:/etc/postfix/generic
host-based security
• use iptables with -[!]s option
firewall config:
protocol ports tcp 25
user-based security
use smtp auth?
verify service functionality
test smtp:
telnet <server> 25
IMAP, IMAPS, and POP3
install
yum install dovecot
start at boot
chkconfig dovecot on
basic config
enable protocols:
protocols = imap imaps pop3 pop3s
create custom ssl cert:
nano -w /etc/pki/dovecot/dovecot-openssl.cnf/usr/share/doc/dovecot-*/examples/mkcert.shservice dovecot restart
or
mv /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem.origmv /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/private/dovecot.pem.origcd /etc/pki/tls/certs/make dovecot.pemcp dovecot.pem /etc/pki/dovecot/certs/cp dovecot.pem /etc/pki/dovecot/private/
host-based security
use iptables with -[!]s option
protocol ports tcp 143, 110, 995, 993
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 143 -j ACCEPT-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
user-based security
use pam_listfile in /etc/pam.d/dovecot
verify service functionality
test mailbox acess:
mutt -f <imap|imaps|pop|pops>://<user>@<server>
SSH
install
yum install openssh-server
start at boot
chkconfig sshd on
Generate Public / Private key pair
ssh-keygen -t rsa create public / private keys for user
ssh-copy-id -i .ssh/id_rsa.pub server_IP send public key and install in server
ssh-keygen -p create password for ssh keys to be used
user-based security
allow/deny user access:
AllowUsers user1 user2 [email protected] user4 user5 [email protected]
host-based security
• use ipchains with -[!]s option
firewall config:
protocol ports tcp 22 tcp_wrappers example:
sshd : 192.168.0.
verify service functionality
test logging in:
ssh <user>@<server>
DNS (caching name server, slave name server)
install
yum install bind-chroot caching-nameserver system-config-bind
start at boot
chkconfig named on
setup bind with system-config-bind
make sure there is no file /var/named/chroot/etc/named.conf
system-config-bind
this will ask to create new named.conf
Now start editing DNS Server options > right click on DNS Server > EDIT
add Forwarders > Ipv4 > 192.168.0.200
New > View > name: External > From ACL : anyto ACL : any
Once saved all other settings are migrated into the View.
Right click on DNS Server or View > Add Zone > Class : InternetOrigin Type : Forward quake.lanZone Type : master
go on quake.lan > right click > Add > A,MX,CNAME,PTR records
check DNS resolution with dig or nslookup
open IPTABLES ports 53 UDP and TCP.
basic config
copy sample config:
cp -a /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.conf
caching-only nameserver:
• edit listen-on directives (comment out to listen on all interfaces)• edit allow-query directives (comment out allow queries from everyone)• edit match-clients and match-destinations directives to allow recursive queries from other
hosts
slave nameserver:
• get slave example from /usr/share/doc/bind-*/sample/etc/named.conf
host-based security
firewall config:
protocol ports tcp 53 udp 53 allow-query example:
allow-query { 192.168.0.0/16; localnets; };
user-based security
N/A
verify service functionality
test query:
dig @<server> <domain>
test zone transfer:
dig @<server> <domain> axfr
NTP
install
yum install ntp
start at boot
chkconfig ntpd on
host-based security
firewall config:
protocol ports udp 123 allow other servers to sync with us:
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
user-based security
N/A
verify service functionality
show peers:
ntpq -p
RHCEs must also be able to:
configure hands-free installation using Kickstart
yum install system-config-kickstart
1. make installation tree available2. create kickstart file (use system-config-kickstart to create ks.cfg) and validate (using
ksvalidator)3. validate kickstart file4. make kickstart file available
• bootable diskette (place in top level directory)• bootable cdrom (place in top level directory)• network (http, ftp, nfs)
5. use bootable media and supply appropriate kernel parameter
ks=floppy:/ks.cfgks=cdrom:/ks.cfgks=http://example.com/ks.cfgks=nfs:example.com:/ks.cfg
implement logical volumes at install-time
use iptables to implement packet filtering and/or NAT
do not use system-config-securitylevel, as it will overwrite your custom iptables rules. the following method seems to be the best way to go:
1. make changes in /etc/sysconfig/iptables to load conntrack modules2. run /etc/init.d/iptables restart to apply changes
packet filtering
packet filtering example:
-A <chain> -p <tcp/udp> -m <tcp/udp> [-s[!] <source address>] --dport <destination port> -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 631 -j ACCEPT
NAT
enable ip forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
to test from another machine:
ip route replace default via <ip address>
inbound dnat:
iptables -t nat -A PREROUTING -p <tcp/udp> --dport <destination port> -j DNAT --to-dest <private server>:<port>
outbound dnat:
iptables -t nat -A OUTPUT -p <tcp/udp> --dport <destination port> -j DNAT --to-dest <private server>:<port>
masquerading:
iptables -t nat -A POSTROUTING -o <outbound interface> -j MASQUERADE
snat:
iptables -t nat -A POSTROUTING -j SNAT --to-source <public server>:<port>
setup for router to internet
Check Deployment guide chapter for IPTABLES syntax
Setup RH Firewall with default settings using eth0 to Internet while eth1 to LAN.
vi /etc/sysct.conf and set net.ipv4.ip_forward = 1
add following rules from CLI:
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.188.133:80
iptables-save > /etc/sysconfig/iptables
Add extra rules to the RH-FIREWALL-1 ACCEPT / DENY statements
use PAM to implement user-level restrictions
module documentation
• /usr/share/doc/pam-*/txts
module configuration
• /etc/pam.d• /etc/security
<module interface> <control flag> <module name> <module arguments>
module interface
description
auth user authentication (e.g. verifies password, set group membership or kerberos tickets, etc.)
account verifies that access is allowed (e.g. expired account?, check group membership, etc.)
password handles password changes session manages user sessions (e.g. mount home dir, create mailbox, logging, etc.) control flag description required must pass, continue testing on failure
requisite must pass, stop testing on failure sufficient failure is ignored, but if passing so far, return success at this point optional pass or failure is irrelevant include include another file
pam_listfile.so example
allow/deny users if listed in /etc/special:
auth required pam_listfile.so onerr=success item=user sense=<allow|deny> file=/etc/special
Additional Notes
tcp_wrappers
file format:
<daemon list> : <client list> [except <client list>] [: <option>]
search order:
1. /etc/hosts.allow2. /etc/hosts.deny3. allow by default
searching stops on first match
Troubleshooting
unable to log in
• password wrong or expired?• account locked?• shell set to /sbin/nologin, /bin/false, etc.?• root user and PermitRootLogin no in /etc/ssh/sshd_config?• root user and terminal not listed in /etc/securetty?• non-root user and /etc/nologin exists?• check pam_listfile restrictions