
#language variable $LANG
#configuration file /etc/sysconfig/i18n, ~/.dmrc for GNOME Desktop

rhn_register - register system to the RHN

Chapter 1 Register with RHN
rhn_register
Red Hat Enterprise Linux Hypervisor Deployment Guide 5.1.7: Register to RHN

Third-Party repositories
/etc/yum.repos.d/ directory, files must end in *.repo
repository definition contains the URL of the repository, a name, whether to use GPG to check the package signatures, and if so the local file containing the trusted key.
man yum(1) and yum.conf(5)
[example]
name=Name of repo
baseurl=location of repo
enabled=0 or 1 (0 = off, 1 = on)
gpgcheck=0 or 1
gpgkey=location of gpg key

use virsh to start virtual server
#virsh start vserver

/etc/yum/pluginconf.d/rhnplugin.conf (used to enable or disable yum access to RHN)

yum list available
yum list installed
yum list extras #lists non-RH packages
yum search packagename
yum info packagename
yum install packagename #includes deps
yum remove packagename
yum update packagename #(will update all if no package name is given)
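The gpgcheck and gpgkey lines decide whether yum verifies package signatures from a third-party repository, so a repository file is worth checking before it is enabled. The shell script below is an added example, not part of the course notes: it reads a constructed .repo sample embedded in the script (repository ids, URLs and the key path are made up for illustration) and reports, for every enabled repository, whether signature checking is on and a key is configured. It treats a missing gpgcheck line as 0 for simplicity; on a real system the [main] section of yum.conf supplies that default.

```shell
#!/bin/sh
# Added example (not from the course notes): classify third-party .repo
# definitions by their gpgcheck/gpgkey settings. Reads the constructed
# sample below, never /etc/yum.repos.d.

# Constructed sample in the [example] layout the notes describe.
# Repository ids, URLs and the key path are illustrative only.
REPO_SAMPLE='[vendor-tools]
name=Vendor tools
baseurl=http://repo.example.com/tools/el6
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-vendor

[local-mirror]
name=Unsigned local mirror
baseurl=http://mirror.example.com/extras
enabled=1
gpgcheck=0

[partner]
name=Signed repo without a key
baseurl=http://partner.example.com/el6
enabled=1
gpgcheck=1

[disabled-test]
name=Disabled test repo
baseurl=http://test.example.com/x
enabled=0
gpgcheck=0'

# repo_check -> one "<repoid> <verdict>" line per enabled repository:
#   ok           gpgcheck=1 and a gpgkey is given
#   unsigned     gpgcheck=0, packages are installed without signature checks
#   missing-key  gpgcheck=1 but no gpgkey, so yum has no key to verify with
# Disabled repositories (enabled=0) are skipped. gpgcheck is assumed to be 0
# when the line is absent (simplification: yum.conf [main] sets the real default).
repo_check() {
    printf '%s\n' "$REPO_SAMPLE" | {
        id=""
        report() {
            [ -n "$id" ] || return 0
            if [ "$enabled" = 0 ]; then
                return 0
            elif [ "$gpgcheck" = 0 ]; then
                echo "$id unsigned"
            elif [ -z "$gpgkey" ]; then
                echo "$id missing-key"
            else
                echo "$id ok"
            fi
        }
        while IFS= read -r line; do
            case $line in
                \[*\])                      # new [section]: report the previous one
                    report
                    id=${line#\[}; id=${id%\]}
                    enabled=1; gpgcheck=0; gpgkey="" ;;
                enabled=*)  enabled=${line#enabled=} ;;
                gpgcheck=*) gpgcheck=${line#gpgcheck=} ;;
                gpgkey=*)   gpgkey=${line#gpgkey=} ;;
            esac
        done
        report                              # flush the last section
    }
}

repo_check
```

To run it against real files, replace the printf of REPO_SAMPLE with `cat /etc/yum.repos.d/*.repo`; the parsing is the same.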

Handling Third-Party Software
rpm -qa --last #list all packages installed in order of last installed
yum localinstall packagefile.rpm #can be used to install package files directly. will auto download deps as necessary
rpm -qc packagename #list config files
rpm -qd packagename #list doc files
rpm -q --scripts packagename #list shell scripts that may run after the package is installed or uninstalled - package will not install if script does not complete with 0
rpm -ql packagename #lists files installed by the package
###archive manager or file-roller (command line) to extract various archives

Chapter 2 Network Management
ifconfig replaced by ip addr
#show all
ip addr show
#specific interface
ip addr show eth0
route -n replaced by ip route

#route-interface file can be added in network-scripts for permanent routing
/etc/resolv.conf to resolve DNS
/etc/hosts to resolve local names
/etc/nsswitch.conf to decide if /etc/hosts or /etc/resolv.conf will go first
dhcp client logs - /var/lib/dhclient/dhclient-br.leases #or the used interface
ifup or ifdown to start or stop interfaces
service network command to start/stop all network interfaces
locate sysconfig.txt for options of ifcfg configurations
NETMASK can also be substituted with PREFIX; PREFIX=24 same as NETMASK=255.255.255.0
You can now also use DNS1 and DNS2 entries in the ifcfg-* configuration
DNS1=IP ADDR
DNS2=IP ADDR
NM_CONTROLLED=yes #let Network Manager have control of it
dhclient -r eth0 #release lease
dhclient -v eth0 #request new lease
#/var/lib/dhclient/*

Network Interface Configuration - IP Aliases
ip addr add 1.1.1.1/24 dev eth0 label eth0:0
ip addr show
/etc/sysconfig/network-scripts/ifcfg-eth0:0 #persistent configuration
IPADDR=1.1.1.1
#NETMASK=255.255.255.0 or PREFIX=24
ONPARENT=yes
#DEVICE is no longer needed

Network Interface Configuration - Bonding
BONDING_OPTS= #instead of modprobe.conf, or you can do a local.conf: /etc/modprobe.d/local.conf

Tuning Kernel Parameters
sysctl -a
sysctl -w (same as echo value > /proc/sys/kernel/param)
sysctl -p (load from /etc/sysctl.conf)
edit /etc/sysctl.conf to make it permanent

Chapter 3 Storage Management
fdisk -cul /dev/sda #list
fdisk -cu /dev/sda #go into fdisk (-cu is necessary now)
ext4 is default for RHEL6
partprobe does not work for RHEL6, reboot necessary
ext3 up to 2TB file size
ext4 up to 16TB file size
blkid displays information about the contents of the block devices (partitions and logical volumes) including the UUID of the FS

1 2 for regular partitions (dump and fsck priority - root gets 1 for priority)

Enabling Data Privacy with Filesystem Encryption
LUKS - Linux Unified Key Setup, standard format for device encryption. LUKS encrypts the partition or volume; it must be decrypted before the filesystems in it can be mounted
1. new partition with fdisk
2. cryptsetup luksFormat /dev/device #encrypt the new partition and set the decryption password
3. cryptsetup luksOpen /dev/device name #unlocks the encrypted volume as /dev/mapper/name after you enter the correct decryption password
4. create an ext4 fs on the decrypted volume: mkfs -t ext4 /dev/mapper/name
5. create dir mount point and mount it: mkdir /secret; mount /dev/mapper/name /secret
6. umount the fs and run cryptsetup luksClose name to lock the encrypted volume

Persistent Mount of Encrypted Partition
/etc/crypttab lists one device per line, with the following space separated fields:
1. local name to use for the map to the unlocked device
2. name of the locked device
3. password to unlock the device. if this field is left blank, user will be prompted during startup
example line: name /dev/device password
enter into /etc/fstab:
/dev/mapper/name (or UUID=UUIDnumber) /secret ext3 defaults 1 2
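A persistent encrypted mount depends on /etc/crypttab and /etc/fstab agreeing with each other: every /dev/mapper/NAME in fstab needs a crypttab line that creates NAME, and a crypttab line with a non-blank third field unlocks the volume from something stored on disk instead of prompting. The shell script below is an added example, not part of the course notes: it cross-checks constructed copies of both files (device names, mapping names and mount points are made up) and reports mounts with no matching crypttab entry and crypttab lines that unlock without a prompt. Besides a blank third field, it also treats the value "none" as "prompt at boot", which is an assumption about the crypttab format beyond what the notes state.

```shell
#!/bin/sh
# Added example (not from the course notes): cross-check constructed
# /etc/crypttab and /etc/fstab text for the persistent encrypted mount
# described above. Never reads the live files.

# Constructed samples; names, devices and key path are illustrative.
CRYPTTAB_SAMPLE='secret /dev/vdb1
archive /dev/vdb2 /root/archive.key
scratch /dev/vdb3 none'

FSTAB_SAMPLE='/dev/mapper/secret /secret ext3 defaults 1 2
/dev/mapper/archive /archive ext4 defaults 1 2
/dev/mapper/orphan /orphan ext4 defaults 1 2
UUID=1234-ABCD /boot ext4 defaults 1 2'

# crypttab_names -> the mapping names (field 1) crypttab defines, one per line
crypttab_names() {
    printf '%s\n' "$CRYPTTAB_SAMPLE" | awk 'NF >= 2 { print $1 }'
}

# unprompted_crypttab -> mapping names whose third field is set to something
# other than "none", i.e. unlocked at boot without asking for the passphrase
# (assumption: "none" means prompt, like a blank field does)
unprompted_crypttab() {
    printf '%s\n' "$CRYPTTAB_SAMPLE" | awk 'NF >= 3 && $3 != "none" { print $1 }'
}

# orphan_mapper_mounts -> fstab entries on /dev/mapper/NAME for which no
# crypttab line creates NAME; such a mount can never succeed during boot
orphan_mapper_mounts() {
    names=$(crypttab_names)
    printf '%s\n' "$FSTAB_SAMPLE" | while read -r dev mnt rest; do
        case $dev in
            /dev/mapper/*)
                name=${dev#/dev/mapper/}
                found=0
                for n in $names; do
                    if [ "$n" = "$name" ]; then found=1; fi
                done
                [ "$found" -eq 1 ] || echo "$mnt ($dev) has no crypttab entry"
                ;;
        esac
    done
}

echo "unprompted:"; unprompted_crypttab
echo "orphans:";    orphan_mapper_mounts
```

On a real system replace the two printf calls with `cat /etc/crypttab` and `cat /etc/fstab`; the checks themselves do not change.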

cryptsetup luksFormat - format to be an encrypted FS
cryptsetup luksOpen - unencrypt (unlock)
cryptsetup luksClose - encrypt (lock)

Managing Swap Space
use partition or use file (dd if=/dev/zero of=/dev/locationofswapfile bs=1M count=512)
fdisk type is 82
mkswap
swapon -a
swapon -s
swapoff /dev/swappartition
/etc/fstab entry: UUID=uuid swap swap defaults 0 0

Accessing iSCSI Storage
Internet SCSI (poor man's SAN)
iqn = iSCSI Qualified Name: iqn.yyyy-mm.{reverse domain}:label
communication is cleartext but may be sent over an encrypted tunnel
port tcp 3260
/etc/iscsi/initiatorname.iscsi
Discovery: iscsiadm -m discovery -t st -p ip
Login: iscsiadm -m node -T iqn -p ip -l
Logout: iscsiadm -m node -T iqn -p ip -u
Delete: iscsiadm -m node -T iqn -p ip -o delete
iscsi and iscsid services need to be running (service iscsid restart) and chkconfig to ensure it starts up for /etc/fstab to work
#example
iscsiadm -m node -T iqn.2010-09.com.example:rdisks.server6 -p 192.168.0.254 -l # login
UUID=uuid /mount ext4 rw,_netdev 0 0

Chapter 4 Logical Volume Management
pvcreate (physical volume)
vgcreate (volume group)
lvcreate (logical volume)
lvm command initiates lvm prompt (doesn't provide resize2fs)
pvs (report information of pvs)
vgs (report information of vgs)
lvs (report information of lvs)
fdisk type is 8e
/dev/VolGroup0/LogVol0
/dev/mapper/VolGroup0-LogVol0
EXAMPLE
devices /dev/vda5 (create lvm configuration), /dev/vda6 for later extension
change fdisk type to 83
pvcreate /dev/vda5
vgcreate vgname /dev/vda5
lvcreate -n lv_name -L200M vgname
mkdir /lvmount
mkfs -t ext4 /dev/vgname/lv_name
edit /etc/fstab and/or test manually mounting
mount -a or mount /dev/vgname/lv_name /lvmount
#Class Example PG61
fdisk -cu /dev/vda
512 type 8e /dev/vda3
pvcreate /dev/vda3
vgcreate shazam /dev/vda3
lvcreate -n storage -L256M shazam
mkdir /storage
edit /etc/fstab:
/dev/shazam/storage /storage ext4 defaults 1 2
mount -a
#extend logical volume
lvextend -l +31 /dev/shazam/storage
resize2fs -p /dev/shazam/storage
verify with df -h

#reduce logical volume
umount /storage
fsck -f /dev/shazam/storage
resize2fs -p /dev/shazam/storage 128M
lvreduce -L128M /dev/shazam/storage
mount -a
#Extending and Reducing a Volume Group
fdisk new 8e partition
pvcreate /dev/vda4
vgextend shazam /dev/vda4
vgdisplay to verify
#Reducing
pvmove /dev/vda5 (used to relocate any physical extents used on /dev/vda5 to other pvs in the vg. enough space must be available)
vgreduce shazam /dev/vda5 (remove pv from vg)
#Create a Snapshot to facilitate data backup PG68
lvcreate -s -n storagesnap -L 20M /dev/shazam/storage
mkdir /storagesnap
mount -o ro /dev/shazam/storagesnap /storagesnap
lvs /dev/shazam/storagesnap
umount /storagesnap
lvremove /dev/shazam/storagesnap

Chapter 5 Account Management
Managing Passwords
man crypt for information on password hash: $id$salt$encrypted
/etc/shadow fields (fields set to "never" are empty fields between colons):
username:passwordhash($id$salt$encrypted):dateoflastpasswordchange:minpassage:maxpassage:passwordwarnperiod:passwordinactiveperiod
root:$1$M6FmBChE$Ej8MEdoMAXrqMbGkR28bU/:14956:0:99999:7:::
chage -d 0 username (enforce password change now)
usermod can also be used for account management
/etc/login.defs (login definitions to enforce login defs for all new users created)

Managing Filesystem Access Control Lists
ext2/3/4 support extended ACLs. have to be mounted with acl option
+ sign indicates acls are set (rwxrwxrwx+)
getfacl page77
setfacl page77
setfacl -b /filename (blank all acls)
Default ACLs
Directories can have "default ACL" entries which are automatically set on new files created in that directory.
setfacl -m d:u:elvis:rw directory - set default ACL entry granting read-write access to user elvis on all new files created (not existing ones)
d option before u:g:o is the one that sets default inheritance
ACL Mount Option
Installer configures all ext4 file systems it creates to automatically turn on ACL support

dumpe2fs /dev/device | grep Default
tune2fs -o acl,user_xattr /dev/device
setfacl -m u:student:- /etc/passwd (- gives no permissions)
#Lab
mkdir /opt/research
chown .grads /opt/research
chmod 770 /opt/research
setfacl -m g:profs:rw /opt/research
setfacl -m d:g:profs:rw /opt/research
setfacl -m g:interns:r /opt/research
setfacl -m d:g:interns:r /opt/research
setfacl -m o::- /opt/research
setfacl -m d:o::- /opt/research
getfacl /opt/research
#Criterion Test
mkdir /home/stooges
chown .stooges /home/stooges
chmod 2770 /home/stooges
setfacl -m g:stooges:rwx /home/stooges
setfacl -m o::- /home/stooges
setfacl -m d:g:stooges:rwx /home/stooges
setfacl -m d:o::- /home/stooges
#test results
mkdir /home/stooges
man chmod
chown .stooges /home/stooges/
chmod 2770 /home/stooges/
setfacl -m d:o::- /home/stooges/
setfacl -m o::- /home/stooges/
setfacl -m g:stooges:rwx /home/stooges/
setfacl -m d:g:stooges:rwx /home/stooges/
ls -ld /home/stooges/
getfacl /home/stooges/
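The $id$salt$encrypted layout of the /etc/shadow password field from the Managing Passwords section above is easy to take apart with standard tools, and doing so is the quickest way to find accounts that still use the weak $1$ (md5) scheme or that have no password at all. The shell script below is an added example, not part of the course notes: it works on a constructed sample (the root line is the one quoted in the notes; the other entries and their hash values are placeholders, not real credentials) and never reads the real /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the course notes): split /etc/shadow lines into
# fields, extract the $id$salt$hash parts, and classify the password field.
# Operates on the constructed sample below, not on the live /etc/shadow.

# Constructed sample. Only the root line comes from the notes; the other
# hash values are placeholders.
SAMPLE_SHADOW='root:$1$M6FmBChE$Ej8MEdoMAXrqMbGkR28bU/:14956:0:99999:7:::
alice:$6$saltsalt$placeholderhashvalue:15000:1:90:7:14::
svc:*:15000:0:99999:7:::
guest::15000:0:99999:7:::'

# shadow_field LINE N -> field N (1-based) of one shadow line
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# hash_id LINE -> the $id$ number of the password field (1 = md5crypt,
# 5 = sha256, 6 = sha512, see man crypt), or "none" when the field holds
# no crypt hash at all (blank, *, !, !!)
hash_id() {
    pw=$(shadow_field "$1" 2)
    case $pw in
        \$*\$*\$*) printf '%s\n' "$pw" | cut -d'$' -f2 ;;
        *)         echo none ;;
    esac
}

# hash_salt LINE -> the salt part of the password field
hash_salt() {
    printf '%s\n' "$(shadow_field "$1" 2)" | cut -d'$' -f3
}

# password_status LINE -> empty | locked | hashed
#   empty  : nothing between the colons, so no password is asked for at login
#   locked : field starts with * or !, password login is not possible
#   hashed : a crypt hash is set
password_status() {
    pw=$(shadow_field "$1" 2)
    case $pw in
        '')      echo empty ;;
        \**|!*)  echo locked ;;
        *)       echo hashed ;;
    esac
}

# weak_hash_accounts -> usernames from SAMPLE_SHADOW still using $1$ (md5)
weak_hash_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do
        if [ "$(hash_id "$line")" = 1 ]; then
            shadow_field "$line" 1
        fi
    done
}

# empty_password_accounts -> usernames whose password field is blank
empty_password_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do
        if [ "$(password_status "$line")" = empty ]; then
            shadow_field "$line" 1
        fi
    done
}

echo "md5 hashes:";      weak_hash_accounts
echo "empty passwords:"; empty_password_accounts
```

The same field splitting works on the real file (`cut -d: -f2 /etc/shadow` as root); an account in the "empty" class is the case to fix first, with passwd -l or by setting a password, and "$1$" hashes are replaced by having the user change their password once /etc/login.defs or authconfig selects sha512.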

Chapter 6 Authentication Management
sssd - system security services daemon - page 87
Network Authentication Using an LDAP Server
system-config-authentication
System > Administration > Authentication
#Components
dn = distinguished name
dn - dc=example,dc=com
server name example.com
certificate - RHEL6 requires certificate for LDAP
nsswitch.conf field is sss. example: passwd: files sss
Network Mounting Home Directories PG 89
system-config-authentication - configure ldap client
getent passwd ldapuser1 - verify account on ldap server

showmount -e instructor - check nfs shares on nfs server
vi /etc/auto.master - add location to mount
vi /etc/auto.guests - what is mounted: * -rw instructor.example.com:/home/guests/&
service autofs reload - reload autofs
su - ldapuser1 - verify ldap user login and autofs home; logged in fine

Kerberos Configuration
secure authentication over an insecure network
Kerberos Realm
Key Distribution Center (KDC)
Kerberos Admin Server
use authconfig:
authconfig --enableldap --ldapserver=instructor.example.com --enableldaptls --ldaploadcacert=http://instructor/pub/EXAMPLE-CA-CERT \
--ldapbasedn="dc=example,dc=com" --disableldapauth --enablekrb5 --krb5kdc=instructor.example.com \
--krb5admin=instructor.example.com --krb5realm=EXAMPLE.COM --enablesssd --enablesssdauth --update
authconfig won't restart sssd by default so you need to tell authconfig to enable sssd and reload it...
yum groupinstall directory-client
increase verbosity of sssd - set debug_level=0-10 (0 lowest, 10 highest)
SSSD provides offline cache
/etc/sssd/sssd.conf
sssd command line is authconfig
/var/log/sssd

Configuring sudo
%wheel ALL=(ALL) NOPASSWD:ALL
%wheel - group
1. ALL = what machine?
2. (ALL) = as what user?
3. NOPASSWD = don't use a password in front of what commands (4th field)
4. ALL = All commands

Chapter 7 Installation, Kickstart, and Virtualization
Creating a Kickstart File by Modifying a Template
when you boot up, use ks=(path to ks file) to use that remote ks file
If a critical answer is missing, it will ask you during installation.
system-config-kickstart
Introduction to KVM Virtualization
RHEL5 has Xen support; RHEL6 uses KVM
KVM = Kernel-based Virtual Machine
64bit processor is a requirement for KVM
get from page 106
lsmod for Intel: kvm_intel (maybe svm_amd for AMD?)
Virtual Guest Installation Specifications
1. A domain name must be specified
2. Point to install media to grab 1st and 2nd stages of anaconda
3. Virtual hardware elements must be specified: number and types of cpus, size of ram, virtual disk device (file or volume?), network connection and MAC address
Virtual hard disk appears to a guest as /dev/vda instead of /dev/sda

Unit 8 Boot Management
Resolve GRUB Issues
Interrupt GRUB countdown: Esc Key
Use "e" to edit current configuration
Select lines to correct with arrow keys
Type "e" again to edit the current line
Esc takes you back to the menu and throws changes away
"b" command boots with the current changes
grub prompt: kernel /vmlinuz* ro (read only) root=/dev/location/to/root/device
rhgb = red hat graphical booter
quiet = suppress messages (sucks)
*you can add runlevel number to boot to a specific runlevel, example: 1 or single
/boot/grub/grub.conf
default=number (boot stanza)
timeout=seconds to timeout
#hiddenmenu= (won't show menu)
splashimage= (background pic)
Changing The Default Runlevel
5 graphical
3 multi user with networking
1 single user mode (bypass authentication)
runlevel - state of the system
init runlevel (to change levels)
pass the runlevel number as an argument to the kernel via GRUB
runlevel command gives you current runlevel and last runlevel used (example: 5 3 = 5 last runlevel, 3 current runlevel)
who -r will show you the same but more descriptive
Single-User Mode
special runlevel which stops the boot process just before system services are started and opens a shell prompt as root.
good for troubleshooting purposes if the system is hanging during service startup but otherwise boots. misconfiguration of a system service, and in some cases, networking.
RHEL6, when booting into single-user mode the init process reads its /etc/init/rcS.conf file normally, which runs /etc/rc.d/rc.sysinit. However, then init reads /etc/init/rcS-sulogin.conf (which pauses the boot process and opens the root shell prompt), rather than reading /etc/init/rc.conf and running the service startup scripts.

RHEL5 PG122 /etc/inittab

The Boot Process and Rescue Mode
emergency parameter to kernel option during boot for bash shell only
The Rescue Shell
RHEL6 provides rescue line on boot up prompt
Hit ESC to get to boot prompt: linux rescue
chroot /mnt/sysimage
unchroot with exit command
#mount command is bad example
rpm -qf /bin/mount or /mnt/sysimage/bin/mount
util-linux-ng*
if network is enabled, use a number of clients to get package
wget from a local url
#ftp
#nfs mount
rpm -ivh util-linux-ng* --force
IF BASH were broken: download package to non-chrooted environment and do
rpm -Uvh --force bash*.rpm --root /mnt/sysimage
Reinstall the Boot loader GRUB (Repairing Boot Issues)
linux rescue
chroot /mnt/sysimage
/sbin/grub-install bootpart (/dev/sda)
review /boot/grub/grub.conf
Reboot system
**Alternative way with DD or linux rescue
root (hd0,0)
setup (hd0) or (hd0,0)
exit
Repairing Damaged Filesystems
fsck -t or e2fsck (for ext2/3/4)
fsck -b (use another superblock if first superblock is corrupt)
dumpe2fs will show you superblock(s) location
Procedure for Editing files from the Maintenance Shell
1. mount -o rw,remount / (remount root filesystem rw)
2. mount -a (for all)
3. edit /etc/fstab, /etc/crypttab
4. exit

Unit 9 SELinux Management
Security Enhanced Linux
Basic SELinux Security Concepts
set of security rules that determine which process can access which files
ls -Zd /var/www/html (list security contexts)
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0
user:role:type:sensitivity-category (Targeted Policy only uses _t (type) field)
restorecon -vR (restore all files to correct type context in directory)

semanage command
semanage port -l (list all the port type contexts)
SELinux Modes
Enforcing Mode actively denies access
Permissive Mode allows all interactions, even if there is no explicit rule, and it logs all of the denied interactions
getenforce (gives us selinux mode)
setenforce 0 Permissive
setenforce 1 Enforcing
/etc/sysconfig/selinux can be used to set default selinux modes
kernel boot arguments enforcing=0 or 1, selinux=0 or 1
List SELinux contexts of processes: ps axZ
List SELinux contexts of files: ls -Z (d for directory)
Display SELinux policy's pathname-to-context mapping: semanage fcontext -l
Managing SELinux Booleans
switches that change the behavior of the SELinux policy in some way; can be used to tune the policy to make selective adjustments
man -k '_selinux'
setsebool -P ftp_home_dir on (P = permanent, turn on ftp_home_dir access by users via ftp)
setsebool ftp_home_dir on (will not survive reboots but works immediately)
getsebool -a (list state of all booleans)
semanage boolean -l (list boolean configuration and information on all booleans)
Monitor SELinux Violations
setroubleshoot-server package must be installed to send messages to /var/log/audit/audit.log
/var/log/messages logs UUIDs for SELinux Violations
sealert -a /var/log/audit/audit.log (generate report of all logged violations)
sealert -l UUID (provide UUID to get a text report for a specific UUID violation)
touch /.autorelabel; reboot (restorecon on all root filesystem)

Unit 10 Firewall Management
Rule - stored in chains - actual acl
Chain - Every chain has a policy. Default is ACCEPT. Rules are stored in chains. - INPUT, OUTPUT, FORWARD, PRE/POSTROUTING (-I CHAIN)
TARGET - ACCEPT, DROP (ignore packets), REJECT (send an ICMP negative response), LOG (packet proceeds but gets logged in /var/log/messages), MASQUERADE (-j TARGET)
Table - contains chains which have rules - FILTER, NAT, MANGLE
iptables -I INPUT -p tcp --dport 80 -j REJECT -t filter (-I CHAIN, -p protocol, --dport dest port, -j TARGET, -t table)
iptables -L -t filter (normal INPUT, OUTPUT, FORWARD rules)
iptables -L -t nat (PRE/POSTROUTING, OUTPUT rules)
iptables -L -t mangle (all chains)
service iptables panic (will make policy DROP on all CHAINS, all traffic blocked)
iptables -nL (numeric listing)
iptables -vL (more verbose)
/etc/sysconfig/iptables-config (load nf_ modules (modprobe -l | grep nf))
service iptables save (writes to /etc/sysconfig/iptables)
service iptables start (loads iptables rules and modules)
Network Address Translation
iptables -t nat
PREROUTING (destination natting incoming traffic)
POSTROUTING (source natting or masquerading)
iptables -I POSTROUTING -o eth1 -j MASQUERADE -t nat (all packets going out from eth1 will be masqueraded)
iptables -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.254:80 -t nat
iptables -I POSTROUTING -o eth1 -j SNAT --to-source 10.0.0.1 -t nat
SNAT - can specify source address and port
MASQUERADE - mask all outbound traffic with routing host source ip
DNAT - can specify destination address and port
PG 161 lab iptables
iptables -F -t nat
iptables -F -t filter
iptables -I POSTROUTING -s 192.168.122.214 -j MASQUERADE -t nat
iptables -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.122.214 -t nat

Unit 11 NTP Server Configuration
ntpdate -q instructor (query instructor)
ntpdate -u instructor (adjustment of time from instructor)
/etc/ntp/step-tickers (time server location when ntp service starts up - initial sync)
server - client can sync from it only
peer - client and server can sync from each other (2 redundant time servers - example)
restrict - permit time sync with time source, with added restrictions (open up if no restrictions added)
nomodify - do not allow modifying of state of server
notrap - decline to provide logging information
nopeer - do not allow peering
kod (kiss of death packet) - message that tells offending host to stop

Unit 12 System Logging Service
Configure a Remote Logging Service
/etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp.so

$UDPServerRun 514
send syslog to serverX, /etc/rsyslog.conf:
*.info @192.168.0.106
Criterion Test
on desktop6: enable $ModLoad imudp.so, enable $UDPServerRun 512, service rsyslog restart
on server6: edit /etc/rsyslog.conf with *.info @192.168.0.6, service rsyslog restart

Unit 13 Web Service
yum -y install httpd httpd-manual mod_ssl
/etc/httpd/conf.d/ssl.conf
certificate in ssl.conf (for ssl apache)
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
Configure Name-Based Virtual Hosting
VirtualHost - declare virtualhost with this tag and close with preceding "/"
NameVirtualHost - needs to be uncommented in order for NameVirtualHosts to work properly if set up in VirtualHost
ServerName - name of virtual server name (http request name)
ServerAlias - alias for server name
ServerAdmin - e-mail of admin of server for errors
DocumentRoot - location of root of web home
semanage fcontext -l | grep /var/www
semanage fcontext -a -t httpd_sys_content_t '/www6(/.*)?' (to add httpd_sys_content_t to /www6 and all underlying directories for apache to read)
service httpd configtest (to verify httpd.conf configuration and point out errors)
ScriptAlias /cgi-bin/ /location/to/cgi-bin
Configure User-Based Authentication
Flat-File Authentication
htpasswd -cm /etc/httpd/.htpasswd student
<Directory /var/www/virtual/www6/html>  #block is put in VirtualHost declarations when Vhosts are used
AuthName "Secret Stuff"
AuthType basic
AuthUserFile /location/of/.htpasswd
Require valid-user #< lets valid users log in that are part of .htpasswd
</Directory>
Apache LDAP Authentication
<Directory /var/www/virtual/www6/html>
AuthName "LDAP secret place"
AuthType basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://fqdn/prefix" TLS
Require valid-user
</Directory>
#Troubleshooting Apache
semanage port -l | grep http (list http ports used by selinux)
semanage port -a -t http_port_t -p tcp 8000 (add new tcp http port)
ErrorLog Directive in VirtualHost and main configuration when no VirtualHosts used
CustomLog Directive in VirtualHost
LogLevel Directive in httpd.conf
semanage dontaudit off (enable full verbosity for SELinux)
restorecon -vR (verbose and recursive) to restore selinux contexts
man -k _selinux
getsebool -a | grep http
semanage boolean -l | grep http
setsebool -P boolean=on/off
semanage port -l
chcon -t public_content_t index.html (change context command)
/etc/selinux/targeted/contexts/customizable_types
restorecon -F (reset customizable type contexts)
openssl x509 -text < /location/of/cert/file | grep Subject (show cert as text)

Unit 14 Basic SMTP Configuration
MUA - Mail User Agent (client) thunderbird, outlook etc.
MTA - Mail Transfer Agent (postfix)
MDA - Mail Delivery Agent (postfix)
sendmail is no longer installed by default; postfix is installed by default
rpm -qf /usr/sbin/sendmail > postfix-*
host -t mx redhat.com (look for mail transfer agent on redhat.com)
The Postfix MTA
/etc/postfix/main.cf
important value = inet_interfaces
/var/log/maillog
postfix flush (flush postfix queue)
mailq (look at mail queue)
postconf (postfix configuration command, allows you to set/view postfix values)
postconf -e inet_interfaces=all (set)
postconf inet_interfaces (view)
netstat -tlupn (t-tcp, l-listen, u-UDP, n-numeric info, p-process info)
Intranet Configuration
/usr/share/doc/post*/README_FILES
inet_interfaces - binding interface
myorigin - Masquerade as (who I will appear to be)
relayhost - Indirect delivery (who your smtp server is)
mydestination - Receive mail for...
local_transport - Local Delivery
mynetworks - Relay from...
Unit 15 Caching-Only DNS Server
Authoritative - MASTER DNS server for domain, holds original zone files
Non-Authoritative - SLAVE DNS server for domain, gets updates from MASTER for zone files
Caching-only DNS Server - caching resolved records

#DNS Clients
libresolv.so (resolver library)
/etc/hosts
/etc/resolv.conf
host (command)
dig (command)
gethostip (command)
nslookup (command)
#DNS Resource Records
A = Address record
AAAA = IPv6 Address record
CNAME = Canonical Name (Alias) for A record
PTR = pointer record (reverse lookup)
MX = mail exchange record
NS = name server record
SOA = start of authority
SRV = server records
TXT = text records
Caching-only DNS Servers
yum install bind
edit /etc/named.conf
service named start
chkconfig named on
named.conf:
listen-on port 53 { any; }; (will bind to all interfaces)
allow-query { localhost; }; (will only let localhost query us)
forwarders { 192.168.0.254; };
test forwarders... host server6.example.com 192.168.0.106
firewall concerns - port 53/udp

Unit 16 File Sharing with NFS
#NFSv4 Complete Redesign
Features a pseudo-root filesystem (fsid=0)
All implementations support Kerberos
No support daemons needed (idmapd will help map user ids appropriately, optional)
Only requires 2049 tcp
/etc/fstab uses nfs4 instead of nfs (nfs will use nfsv3)
packages: nfs-utils - rpm -qa nfs-utils; nfs - rpm -qa nfs
#/etc/exports
/exports *(fsid=root) < pseudo-root filesystem < only works for NFSv4 clients
/exports/read *(ro,async) < works with any version including older versions < async doesn't wait for disk writes on the NFS server, good on R/O
/exports/write 192.168.0.0/24(rw,sync) < sync option ensures that writes are committed to disk on the nfs server
exportfs -vr (verbose and re-export all directories)
NFS Server Options
ro/rw
sync/async
fsid - enable pseudo-filesystem for NFSv4
crossmnt - gives ability to mount root fs
no_root_squash - root can write to nfs share...root_squash makes root nfsnobody
NFS Mounts
showmount -e machine
mount -t nfs4 machine.domain.com:/ /mnt
pseudo-root filesystem needs a bind in /etc/fstab:
/data/read /exports/read none bind 0 0
/data/write /exports/write none bind 0 0
mount -t nfs4 host:/read /read < no need to specify full path since /exports is root filesystem so you just indicate the directory under /exports which is the pseudo-filesystem
#/etc/fstab considerations
machine:/ /localmount nfs4 ro,hard 0 0
rw goes well with hard option
ro goes well with soft option
#client-side NFS mount options
rw/ro - rw is default
soft - try once to mount, if not available, give up
hard - keep trying to mount (default)
intr - interrupt is allowed
noauto - not mounted at boot
#Securing an NFS Server
root_squash - don't allow root permissive write (comes in as nfsnobody)
no_root_squash - reverse of above
all_squash - does root_squash for all users
/etc/sysconfig/nfs - modify nfs options, port settings, for firewall settings:
LOCKD_TCPPORT - rpcinfo -p nlockmgr
LOCKD_UDPPORT - rpcinfo -p nlockmgr
MOUNTD_PORT - rpcinfo -p mountd
rpcinfo -p (check portmapper assigned ports)
rpcinfo -p remotehost (works as well)
Criterion Test PG230 File Sharing with NFS
edit /etc/sysconfig/nfs

Unit 17 Sharing with CIFS
Configure CIFS Share Demonstration
#packages
samba-common samba-client samba samba-doc
#start and enable service
service smb start
chkconfig smb on
#find documentation
rpm -qc samba-common
cat /etc/samba/smb.conf

#Setup Samba user and password
useradd -s /sbin/nologin winuser
smbpasswd -a winuser (enter password)
#Allow SELinux to share home directories for Samba
setsebool -P samba_enable_home_dirs on
#Allow ports through firewall
iptables -I INPUT -p udp --dport 137:138 -j ACCEPT
iptables -I INPUT -p tcp --dport 139 -j ACCEPT
iptables -I INPUT -p tcp --dport 445 -j ACCEPT
service iptables save
#Parts of the Samba service
smb service script
/etc/samba/smb.conf
/etc/samba/smb.conf [global] section
#workgroup = workgroup or domain
#hosts allow = who can connect
#security = user, domain or ads; user = local database of users
#passdb backend = tdbsam < smbpasswd command to add users to my security = user
/etc/samba/smb.conf other sections
#[homes] < SELinux has a boolean to enable home directory access for users
#[printers]
#[...]
example:
[myshare]
path = /myshare/path
guest ok = yes (no authentication to access share; no means you need to authenticate)
#Samba-only users
useradd -s /sbin/nologin user
smbpasswd -a user
#Securing - semanage boolean -l | grep -i samba
samba_enable_home_dirs < selinux boolean; setsebool -P boolean on/off; Allow samba to create new home directories (eg: via PAM) *off by default
use_samba_home_dirs < selinux boolean; Support SAMBA home directories *off by default
#Service Ports
netstat -taupeln | grep smbd
tcp 139
tcp 445
udp 137,138
#additional
smbclient -U user //demo/doc
#Practice test PG239
yum install samba samba-common samba-client samba-doc
service smb restart
edit smb.conf = add CLASS6 as workgroup
useradd -s /sbin/nologin winuser6
echo "winpass" | passwd --stdin winuser6
setsebool -P samba_enable_home_dirs on
#Accessing CIFS Shares

mount -o username=user //server/share /localmount
mount -o username=user,password=password,domain=domain //server/share /localmount
credential files for persistent mounts: in /etc/fstab the option is credentials=/etc/filename (only readable by root for security)
//server/share /mntpoint cifs credentials=/etc/filename 0 0
credentials file example:
#user=
#password=
smbclient -U
#Configuring CIFS Shares
Create a group
Create a directory for sharing
Ensure group owns it
chmod 2775 directory for future ownership of all new files created by same group
Ensure SELinux context is correct - man samba_selinux******
semanage fcontext -a -t samba_share_t '/dir(/.*)?'
restorecon -vR /dir
add entry into smb.conf:
[dir]
path = /path/to/dir
#valid users = user1, user2
valid users = @group
#read only = no, same as writeable=yes
writeable = yes
public = no
#guest ok = no, same as public
#Steps to Individual Printer Share
##prevent automatic sharing of all locally defined printers? disable printer share in smb.conf (comment out printer share)
##share a particular printer: enable printer share in smb.conf
[printerName]
comment = One printer
path = /var/spool/samba
browseable = yes
guest ok = yes
writeable = no
printable = yes
printer name = printerName
verify with smbclient -L //servername
hosts allow = networks < can be used in specific shares; hosts deny is also available

Unit 18 File Sharing with FTP
1. create upload directory (drop-box)
mkdir /var/ftp/upload
ls -Z /var/ftp
man ftpd_selinux
semanage fcontext -a -t public_content_rw_t '/var/ftp/upload(/.*)?' < change context, or chcon -t public_content_rw_t /var/ftp/upload

restorecon -vR /var/ftp
setsebool -P allow_ftpd_anon_write on
vsftpd daemon runs as ftp user/group
chown .ftp /var/ftp/upload
chmod 730 /var/ftp/upload
stat /var/ftp/upload
#edit /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=nobody
anon_umask=077 (default permissions of files)
#iptables to support inbound ftp connections
iptables -I INPUT -p tcp --dport 21 -s 192.168.0.0/24 -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/etc/sysconfig/iptables-config - IPTABLES_MODULES="nf_nat_ftp nf_conntrack_ftp"
modprobe -l | grep ftp to find modules for connection tracking ftp (when using port 21 for connect and different dynamic ports for data, to be ok due to ESTABLISHED state rule and module enabled in iptables-config)
service iptables save
service iptables restart

Unit 19 CUPS Service
Configure Printers
raw type - connecting to a remote printer that is controlled by another system
printer driver is needed when locally connected to your server/pc
System > Administration > Printing or system-config-printer
CUPS uses PPD files for printer descriptions: PostScript Printer Description file (printer driver)

Unit 20 SSH Service
ssh-keygen -t dsa creates a private and public key
ssh-copy-id -i ~/.ssh/id_dsa.pub user@system (copy your ssh public key to a system)
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub to get a listing of local keys (good for verification)
ssh fingerprints go to your local known_hosts file

Unit 21 Virtual Network Computing (VNC) Service
tigervnc-server vncserver tigervnc vnc
1. yum install tigervnc-server
2. edit /etc/sysconfig/vncservers
VNCSERVERS="1:root 2:student"
VNCSERVERARGS[2]="-ge
ometry 800x600 -nolisten tcp -localhost"
3. Set a VNC password: vncpasswd: PASSWORD and verify
4. service vncserver start
chkconfig vncserver on
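The /etc/exports options from Unit 16 and the smb.conf share settings from Unit 17 above decide who can write to a share and as whom, and the combinations the notes single out (no_root_squash, rw with async, exports open to any host, Samba shares with guest ok = yes that are also writeable) are the ones to look for before re-exporting. The shell script below is an added example, not part of the course notes: it audits constructed copies of both files embedded in the script (paths, networks and share names are made up) and prints one finding per problematic entry. It understands the read only / writeable and public / guest ok synonyms the notes mention.

```shell
#!/bin/sh
# Added example (not from the course notes): audit NFS export lines and
# Samba share sections for the access-widening options discussed in
# Units 16 and 17. Reads the constructed samples below, not the live files.

# Constructed /etc/exports, modelled on the notes' /exports layout.
EXPORTS_SAMPLE='/exports *(fsid=0)
/exports/read *(ro,async)
/exports/write 192.168.0.0/24(rw,sync)
/test 192.168.0.0/24(ro,async,no_root_squash)
/backup *(rw,async,no_root_squash)'

# export_findings -> "<path> <client> <issue>" per finding:
#   no_root_squash  remote root keeps root rights on the share
#   rw-to-any-host  writable export whose client list is *
#   rw-with-async   writable export where the server acknowledges writes
#                   before they reach disk
export_findings() {
    printf '%s\n' "$EXPORTS_SAMPLE" | while read -r path spec; do
        [ -n "$path" ] || continue
        client=${spec%%\(*}                 # host, network or * before the (
        opts=${spec#*\(}; opts=",${opts%\)},"   # ",ro,async," for easy matching
        case $opts in *,no_root_squash,*) echo "$path $client no_root_squash" ;; esac
        case $client in
            \*) case $opts in *,rw,*) echo "$path $client rw-to-any-host" ;; esac ;;
        esac
        case $opts in
            *,rw,*) case $opts in *,async,*) echo "$path $client rw-with-async" ;; esac ;;
        esac
    done
}

# Constructed smb.conf, using the section layout from the notes.
SMB_SAMPLE='[global]
workgroup = CLASS6
security = user
passdb backend = tdbsam

[homes]
browseable = no
writeable = yes

[myshare]
path = /myshare/path
guest ok = yes
writeable = yes

[test]
path = /test
write list = matt
read only = yes
guest ok = no'

# smb_findings -> "<share> guest-writable" for every share that accepts
# unauthenticated access (guest ok/public = yes) and is writable
# (writeable/writable = yes or read only = no). [global] is skipped.
smb_findings() {
    printf '%s\n' "$SMB_SAMPLE" | awk '
        function flush() {
            if (sec != "" && sec != "global" && guest == "yes" && writable == "yes")
                print sec " guest-writable"
        }
        /^\[/ { flush(); sec = $0; sub(/^\[/, "", sec); sub(/\].*/, "", sec)
                guest = "no"; writable = "no"; next }
        /^[ \t]*guest ok[ \t]*=/ { guest = tolower($NF) }
        /^[ \t]*public[ \t]*=/   { guest = tolower($NF) }
        /^[ \t]*writeable[ \t]*=/ || /^[ \t]*writable[ \t]*=/ { writable = tolower($NF) }
        /^[ \t]*read only[ \t]*=/ { writable = (tolower($NF) == "no") ? "yes" : "no" }
        END { flush() }'
}

echo "NFS:";   export_findings
echo "Samba:"; smb_findings
```

Against a real server, feed `cat /etc/exports` and `cat /etc/samba/smb.conf` into the two functions instead of the samples; `exportfs -v` shows the effective export options, including defaults the file does not spell out, and is the better input for the NFS half.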

add route-eth0 to network-scripts to add static route for persistent reboots

Comprehensive Review Test
1. iptables -I INPUT -s 127.0.0.0/8 -j ACCEPT
2. iptables -I INPUT -s 192.168.0.0/24 -j ACCEPT
3. iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
4. iptables -A INPUT -s 192.168.1.0/24 -j REJECT
5. iptables -A INPUT -j REJECT
6. chkconfig iptables on

1. Edit /etc/sysconfig/selinux and set to enforcing
2. iptables -I INPUT -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT
3. edit /etc/postfix/main.cf: inet_interfaces=all; service postfix restart; chkconfig postfix on
4. Run system-config-authentication (ssh -X server6); test with ldap instead of kerberos in case ldap is having issues; add with proper information; ensure sssd is started at boot up; getent passwd ldapuserX to test
5. create /etc/auto.master entry: /home/guests /etc/auto.guests
   create /etc/auto.guests: * -rw instructor.example.com:/home/guests/&
   service autofs reload
   chkconfig autofs on
6. server instructor.example.com, disks = disks.serverX
   service iscsid start
   chkconfig iscsid on
   iscsiadm -m discovery -t st -p serverIP #discover
   iscsiadm -m node -T iqn.2010-09.com.example:rdisks:server6 -p serverIP -l #login
   edit /etc/iscsi/initiatorname.iscsi, add InitiatorName=iqn.2010-09.com.example:disks.server6
7. fdisk -cu /dev/sdX
   mkfs -t ext3 /dev/sdX1
   mkdir /test
   e2label /dev/sdX1 /test
   edit /etc/fstab, add LABEL=/test /test ext4 _netdev 0 0
   mount -a
   chown root.root /test
   chmod 755 /test
8. add pv to vg if no space left
   lvcreate -n mylv -L1024M vgsrv
   mkfs -t ext4 /dev/vgsrv/mylv
   mkdir /mylv
   edit /etc/fstab: UUID="UUID" /mylv ext4 defaults 1 2
   mount -a
9. service nfs start
   chkconfig nfs on
   edit /etc/exports, add /test 192.168.0.0/24(ro,async,no_root_squash)
   exportfs -vr
10. useradd matt
    echo "matt" | passwd --stdin matt
11. useradd cindy
    echo "cindy" | passwd --stdin cindy
12. groupadd admins
    usermod -G admins matt
    usermod -G admins cindy
13. edit smb.conf
    smbpasswd -a cindy
    smbpasswd -a matt
    [test]
    path = /test
    write list = matt
    read only = yes
    guest ok = no
    #valid users = matt, cindy < in case guest ok does not allow cindy
14.
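The review's firewall task above mixes -I and -A, and Unit 10 notes that -I inserts while -A appends; the resulting chain order is what decides whether reply traffic is accepted before the catch-all REJECT. The shell script below is an added example, not part of the course notes: it simulates the ordering without calling iptables, builds the INPUT chain from the review's five rules, and checks that the ESTABLISHED,RELATED rule ends up above the first REJECT. The rule text is taken from the review; nothing is executed against a live firewall.

```shell
#!/bin/sh
# Added example (not from the course notes): dry-run of how -I (insert at
# the top) and -A (append at the bottom) order rules in a chain. Because -I
# puts each new rule at position 1, three -I calls leave the chain in the
# reverse of the order they were typed. Nothing here runs iptables.

# The review's INPUT rules in the order they are entered, "iptables" dropped.
REVIEW_RULES='-I INPUT -s 127.0.0.0/8 -j ACCEPT
-I INPUT -s 192.168.0.0/24 -j ACCEPT
-I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j REJECT
-A INPUT -j REJECT'

# chain_order: read "-I CHAIN rule..." / "-A CHAIN rule..." lines on stdin and
# print the resulting chain top to bottom, as iptables -L would list it.
# -I without a position number inserts at position 1; -A appends at the end.
chain_order() {
    chain=""
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        action=${cmd%% *}           # -I or -A
        rest=${cmd#* }              # "INPUT -s ... -j ACCEPT"
        rule=${rest#* }             # rule text without the chain name
        case $action in
            -I) chain="$rule
$chain" ;;
            -A) chain="$chain$rule
" ;;
            *)  echo "unsupported: $cmd" >&2; return 1 ;;
        esac
    done
    printf '%s' "$chain"
}

# review_chain -> the INPUT chain produced by REVIEW_RULES
review_chain() {
    printf '%s\n' "$REVIEW_RULES" | chain_order
}

# rule_position TEXT -> 1-based position of the first rule containing TEXT
# (the number iptables -L --line-numbers would show), empty if absent
rule_position() {
    review_chain | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# state_rule_before_reject -> true when the ESTABLISHED,RELATED accept sits
# above the first REJECT, which is what keeps replies to outbound
# connections flowing once the catch-all REJECT is in place
state_rule_before_reject() {
    s=$(rule_position 'ESTABLISHED,RELATED')
    r=$(rule_position 'REJECT')
    [ -n "$s" ] && [ -n "$r" ] && [ "$s" -lt "$r" ]
}

review_chain
```

Running it prints the state rule first, then the 192.168.0.0/24 and 127.0.0.0/8 accepts, then the two REJECTs; had the review used -A for every line, the 127.0.0.0/8 rule would be first and the state rule third, which still works, but any -A ACCEPT typed after the final -A REJECT would never be reached.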
