Ch1: Kickstart/Anaconda
-----------------------------------
SECTIONS:
-------
1) Locations:
url --url="http://classroom.example.com/...";
repo --baseurl="..."
2) Auth:
3) Partition:
4) Network:
5) Config:
Manager
group --name=admins --gid=1001
cd /usr/share/
find . -name '*kickstart*.txt' -print
./pykickstart-1.99.43.17/kickstart-docs.txt
** /usr/share/doc/pykickstart-1.99.43.17/kickstart-docs.txt
Sample File: /root/anaconda-ks.cfg
-----------
echo "RUN_FIRSTBOOT=NO" >> /etc/sysconfig/firstboot
- press 'F12' to select the boot media, and choose 'pxe' boot
- on the boot menu, select the appropriate (usually the 1st one) and
press 'tab' key to see options
- add/append to end of line: ks=http://desktopX.example.com/ks-config/kickstart.cfg
%packages
:
:
%end
lab kickstart setup
- installed the httpd web-server
- created the /var/www/html/ks-config/ directory
cp /home/student/kickstart.cfg /var/www/html/ks-config/
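Added example, not from the course notes (ksvalidator from the pykickstart package listed above does a fuller check): a shell lint that runs over a kickstart file before it is copied into /var/www/html/ks-config/ and fetched by the installer over plain HTTP. It checks that every %packages/%pre/%post section has its %end, that an install source is present, and that the root password line is hashed (rootpw --iscrypted is a real directive, but the 'Auth' section above doesn't cover it). The two sample files, their URLs and the hash are constructed placeholders, not the classroom's kickstart.cfg.

```shell
# ks_lint <file>: prints findings, exit status 0 when the file is clean
ks_lint() {
    awk '
        BEGIN { bad = 0; sect = ""; source = 0 }
        # a new section while another is still open means a missing %end
        /^%(packages|pre|post|addon)/ {
            if (sect != "") { print "ERROR: " sect " not closed before " $1; bad = 1 }
            sect = $1; next
        }
        /^%end/ {
            if (sect == "") { print "ERROR: %end without an open section"; bad = 1 }
            sect = ""; next
        }
        # anaconda needs an install source: url, cdrom or nfs
        /^(url |cdrom|nfs )/ { source = 1 }
        # a kickstart served over HTTP must not carry a clear-text root password
        /^rootpw / { if ($2 != "--iscrypted") { print "WARN: rootpw is not --iscrypted"; bad = 1 } }
        END {
            if (sect != "") { print "ERROR: " sect " missing %end"; bad = 1 }
            if (!source)    { print "ERROR: no install source (url/cdrom/nfs)"; bad = 1 }
            exit bad
        }' "$1"
}

KS_DIR=$(mktemp -d)

# constructed sample: the shape of a RHEL7 kickstart, with placeholder values
cat > "$KS_DIR/good.cfg" <<'EOF'
url --url="http://classroom.example.com/REPO_PLACEHOLDER/"
repo --name="errata" --baseurl="http://classroom.example.com/ERRATA_PLACEHOLDER/"
rootpw --iscrypted HASH_PLACEHOLDER
network --bootproto=dhcp --device=eth0
group --name=admins --gid=1001
%packages
@core
%end
%post
echo "RUN_FIRSTBOOT=NO" >> /etc/sysconfig/firstboot
%end
EOF

# constructed sample with two faults: %packages is never closed, rootpw is clear text
cat > "$KS_DIR/bad.cfg" <<'EOF'
url --url="http://classroom.example.com/REPO_PLACEHOLDER/"
rootpw --plaintext CHANGEME
%packages
@core
%post
echo "RUN_FIRSTBOOT=NO" >> /etc/sysconfig/firstboot
%end
EOF

ks_lint "$KS_DIR/good.cfg" && echo "good.cfg: clean"
ks_lint "$KS_DIR/bad.cfg" || echo "bad.cfg: rejected"
```

Run the lint on the file in /home/student before the cp into the web root; a non-zero exit is the signal not to publish.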
____________________________________
Ch2: Regex / grep
------------------------------------
cat
dog
concatenate
dogma
They are my pets
My dog and cat live peacefully
category
educated
boondoggle
vindication
chilidog
# This is a comment using '#'(hash)
; This is a comment using ';' (semicolon)
Example:
string="My dog and cat live peacefully"
echo "$string" | grep -w dog <-- match
echo "$string" | grep '\<dog\>' <-- also match
c[aou]t = c, followed by 'a' or 'o' or 'u', and ends with t
c.*t = c, followed by ANY number of characters, ends with t
c.\{2\}t = c, followed by exactly 2 characters, ends with t
Using 'grep'
-i = case IN-sensitive
-v = display lines that do NOT match
-r = search recursively in a directory or list of files
-A <N> = display <N> lines After the regex match
-B <N> = display <N> lines Before the regex match
-w = matches the entire 'word' (word boundary) in the pattern
-e = when you need to use multiple regexes with a logical OR
[0-9][0-9][0-9] = matches any 3 digits
cat door.log |grep '1[345]:[0-9]\{2\}:[0-9]\{2\}' > door.out
cat wall.log |grep '14:[345][0-9]:[0-9]\{2\}' > wall.out
cat wall.out |grep -i -v 'no activity' > wall2.out
More examples: http://cyberciti.biz/faq/grep-regular-expressions
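Added example, not from the original notes: the patterns and flags above, run with grep over the chapter's own word list and over a constructed door.log (the real door.log/wall.log files are not needed).

```shell
WORDS='cat
dog
concatenate
dogma
They are my pets
My dog and cat live peacefully
category
educated
boondoggle
vindication
chilidog'

# constructed sample of the door.log that the notes filter by time of day
DOOR_LOG='12:59:58 door1 opened by badge 1234
13:02:11 door1 closed
14:45:07 door2 opened by badge 9876
15:59:59 door2 closed
16:00:00 door1 opened by badge 1111
no activity 13:10:00'

# count_matches <text> <BRE pattern> [extra grep flag]: number of matching lines
count_matches() {
    printf '%s\n' "$1" | grep ${3:-} -- "$2" | wc -l | tr -d ' '
}

# door_window: the two-stage filter from the notes, 13:00-15:59 first, then
# everything except the 'no activity' lines (case-insensitive)
door_window() {
    printf '%s\n' "$DOOR_LOG" \
        | grep '1[345]:[0-9]\{2\}:[0-9]\{2\}' \
        | grep -i -v 'no activity'
}

printf '%-18s %s\n' 'dog anywhere:'  "$(count_matches "$WORDS" dog)"           # 5
printf '%-18s %s\n' 'dog as a word:'  "$(count_matches "$WORDS" dog -w)"        # 2
printf '%-18s %s\n' 'c[aou]t:'        "$(count_matches "$WORDS" 'c[aou]t')"     # 6
printf '%-18s %s\n' 'c.\{2\}t:'       "$(count_matches "$WORDS" 'c.\{2\}t')"    # 0
door_window
```

Note that 'c.\{2\}t' matches nothing in the list: 'cat' has one character between c and t, 'category' has 'at' followed by 'e', so "exactly 2" is strict.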
____________________________________
Ch3: More vim
-----------------------------------
cmd mode: (default, when you first start vi/vim)
insert mode: press 'i' (or 'a' or 'o' or 'O')
yy = yank (copy)
dd = delete line
/etc/crontab
/etc/anacrontab
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
Shell scripts in the directories above will be run at those intervals
* Files in /etc/cron.d/ have the usual 5 time-spec fields
Ch6: ACL
-----------------------------------
Extends the basic 'rwx' permissions of users and groups
2 commands:
a) setfacl (to set the ACL permissions of resources)
b) getfacl (to view the ACL permissions)
setfacl -m u:<name>:rwX <file|dir>
setfacl -m g:<name>:rwX <file|dir>
setfacl -m o::- <file> <-- the dash '-' means no permission
* if <name> is left blank, then it applies to the file owner, otherwise <name> can be the username or UID.
Default ACL
~~~~~~~~~~~~
setfacl -m d:u:<name>:rx <directory>
setfacl -x d:u:<name> <directory> <-- remove default ACL on dir. set previously
setfacl -b <dir>|<file> <-- removes ALL ACLs (including default ACL)
setfacl -k <directory> <-- removes default ACL on dir
ACL Mask
~~~~~~~~~
The ACL mask restricts existing permissions that exceed the mask but
does nothing to permissions that are less permissive than the mask, i.e.
it sets the upper bound on the effective permissions of:
- named users
- the owning group
- named groups
**************
** IMPORTANT: Always do 'chmod' first before setting the ACL via setfacl.
**************
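Added example, not from the original notes: the mask rule and the 'chmod first' warning worked through in shell. The ACL is constructed in getfacl's text format, and the awk reproduces how the effective permission is derived (entry AND mask, as getfacl shows in its "#effective:" column) instead of calling setfacl/getfacl, so it runs without a filesystem that supports ACLs. The jones/scotlandyard names are the lab's; holmes is made up here.

```shell
SAMPLE_ACL='user::rwx
user:jones:r-x
user:holmes:rwx
group::rwx
group:scotlandyard:rwx
mask::rwx
other::---'

# effective_acl: reads an ACL on stdin, prints tag:name:perms:effective per entry.
# The owner (user::), other:: and the mask itself are never masked; named users,
# the owning group (group::) and named groups are ANDed with the mask.
effective_acl() {
    awk -F: '
        $1 == "mask" { mask = $3 }
        { tag[NR] = $1; who[NR] = $2; perm[NR] = $3 }
        END {
            for (i = 1; i <= NR; i++) {
                eff = perm[i]
                if ((tag[i] == "user" && who[i] != "") || tag[i] == "group") {
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        c = substr(perm[i], j, 1); m = substr(mask, j, 1)
                        eff = eff ((c != "-" && m != "-") ? c : "-")
                    }
                }
                printf "%s:%s:%s:%s\n", tag[i], who[i], perm[i], eff
            }
        }'
}

# eff_of <tag:name> <mask>: effective perms of one entry once the mask is <mask>.
# chmod on the group bits of a file that has an ACL rewrites the mask entry, which
# is why the notes say chmod first, then setfacl: the sed below swaps the mask in
# the same way to show the effect.
eff_of() {
    printf '%s\n' "$SAMPLE_ACL" \
        | sed "s/^mask::.*/mask::$2/" \
        | effective_acl \
        | awk -F: -v t="$1" '($1 ":" $2) == t { print $4 }'
}

echo "holmes, mask rwx:                      $(eff_of user:holmes rwx)"        # rwx
echo "holmes after chmod 750 (mask r-x):     $(eff_of user:holmes r-x)"        # r-x
echo "scotlandyard after chmod 640 (mask r--): $(eff_of group:scotlandyard r--)"  # r--
echo "owner is never masked (mask r--):      $(eff_of user: r--)"              # rwx
```

The last line is the point of the IMPORTANT box: a chmod run after setfacl silently cuts every named user and group down to the new group bits, while the owner keeps rwx.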
<<<________>>>
cd /shares;chown -R root:bakerstreet cases; chmod g+s cases;chmod 660 cases/*;setfacl -Rm g:scotlandyard:rwX cases;setfacl -Rm u:jones:r-X cases;setfacl -Rm d:g:scotlandyard:rwX cases;setfacl -Rm d:u:jones:r-X cases;setfacl -m g::rwX cases
cd /shares;chown -R root:bakerstreet cases; chmod g+s cases;setfacl -Rm g:scotlandyard:rwX cases;chmod 660 cases/*;setfacl -Rm u:jones:r-X cases;setfacl -Rm d:g:scotlandyard:rwX cases;setfacl -Rm d:u:jones:r-X cases;setfacl -m g::rwX cases
____________________________________
Ch7: SELinux
-----------------------------------
Standard Linux Security (DAC - Discretionary Access Control)
- only 2 privilege levels: "user" and "root"
- main problem: any process/program launched as the 'user' (bob)
has the user bob's permissions. E.g. Bob launches Firefox - can Firefox
read Bob's private keys in ~/.ssh/id_rsa? YES. So a compromised Firefox
can wreak havoc. (Another example: Apache privilege escalation)
SELinux - MAC (Mandatory Access Control)
- default rule is everything is denied.
- every process ('subject') has to be explicitly allowed, by the default/system
policy, to access the resources ('objects') - such as files, sockets, devices, etc.
Essential Software Packages to install
~~~~~~~~~~~~~~~~~~~~~~
yum install policycoreutils policycoreutils-python policycoreutils-gui
yum install setroubleshoot setroubleshoot-server
Essential CMDs:
~~~~~~~~~~~~~~
getenforce
setenforce 1 (enforcing)
setenforce 0 (permissive)
semanage boolean -l
semanage boolean -l -C <-- shows variation from the default
semanage fcontext -l <-- to list all
semanage fcontext -l | grep 'httpd_.*content*'
semanage fcontext -a -t <TYPE> '/directory(/.*)?'
restorecon -Rv /directory
chcon -Rv --reference <good_dir_context> <destination_dir>
chcon -Rv --reference /var/www/html /custom <-- '-R' for recursive, 'v' verbose
chcon -Rv --reference /var/www/html '/custom(/.*)?' <-- the '(/.*)?' regex doesn't work with chcon (it only takes literal paths; semanage fcontext understands it)
example:
semanage fcontext -a -t httpd_sys_content_t '/virtual(/.*)?'
restorecon -RFv /virtual
ls -ldZ /var/www/html
semanage fcontext -a -t httpd_sys_content_t <-- "-a -t" (add type)
semanage fcontext -d -t httpd_sys_content_t <-- "-d -t" (delete type)
getsebool -l
setsebool -P httpd_enable_homedirs on <-- "-P" for permanent
semanage boolean -l (to view all the booleans)
Booleans
~~~~~~~~
semanage boolean -l <-- show all default boolean values and their description
semanage boolean -l -C <-- shows the variation of the booleans that differ from the default
(this happens when we use the 'P' (permanent flag) to set a boolean value, e.g
# setsebool -P httpd_enable_homedirs on (<-- "P" for permanent)
# semanage boolean -l -C
getsebool -a | less <-- to list the current boolean settings
Viewing SELinux Alerts
----------------------
tail -f /var/log/messages
OR
journalctl -f -l -p err
Apache 101
---------
1) Config file: vi /etc/httpd/conf/httpd.conf
- search for "DocumentRoot" <-- this specifies the location of the web (html) files.
default is /var/www/html
to change to another location, need to edit 2 lines, e.g.
a) DocumentRoot /var/www/html => to: DocumentRoot /custom
b) <Directory /var/www/html> => to: <Directory /custom>
- After editing the Apache config file, remember to restart Apache, i.e. "systemctl restart httpd"
2) Publish web content from User's home directory:
- vi /etc/httpd/conf.d/userdir.conf
search for "UserDir disabled" <-- change this to:
UserDir enabled
search for "#UserDir public_html" <-- default is commented, i.e. it has a '#' at the beginning; uncomment it. It should read:
UserDir public_html
FileSystems:
----------
mkfs -t xfs /dev/vda1 <-- specify partition '1', i.e. /dev/vda1
mkfs -t ext4 /dev/vdb2 <-- partition 2 on second hdd. "-t" is type
mount /dev/vdb2 /mnt
Persistent: Mount points specified at /etc/fstab
TO find "UUID":
--------------
blkid /dev/vdb1
blkid /dev/vdb2
Swap Space
------------
mkswap /dev/vdb2
swapon /dev/vdb2 <-- turn on the swap space
/etc/fstab entries for swap (device, mount point, type, options, dump, fsck):
<device>   swap   swap   defaults   0 0
<device>   swap   swap   pri=1      0 0   (specify swap priority)
The last 2 digits represent: the "dump flag" (an old backup utility called 'dump')
and the "fsck" order (filesystem check).
Since swap space does not need these 2 options, they are set to 0 0
For the root file system, it's typically 1 1.
For a LOCALLY mounted file system (eg /dev/vdb1), they are
usually 1 2 (but it can also be: 0 0)
(the 'fsck' order is '2', so it is checked after the root filesystem)
Note: on most modern systems today, it's 0 0
For network mounted (NFS or CIFS), use 0 0 because the
remote disk is NOT under the local machine's control
To recap:
=========
fdisk /dev/vdb <-- to create partitions. Do NOT specify partition num.
n = create new partition. Then specify partition num.
accept the default first/starting sector
specify the disk size, e.g +512M or +1G, etc
p = print - display the changes you've made
t = change the partition type
w = write the changes to disk
Types, 't'
83 <-- default Linux partition
8e <-- LVM partition
82 <-- swap space
(for 'gdisk' - add 2 zeroes at the end, eg. 8e00 for LVM, 8300 for Linux part)
Then run 'partprobe' to tell the kernel of the new partition
create filesystem:
----------------
mkfs -t xfs /dev/vdb1
mkfs -t ext4 /dev/vdb3
...etc
Making Swap space
- create the partition using fdisk or gdisk. Change type to 82
- mkswap /dev/vdb2
- swapon /dev/vdb2
IF adding the swap entry into the /etc/fstab, then enable it by
swapon -a <-- "-a" for all
To disable swap
swapoff -a
To set a priority for the swap-space in /etc/fstab, use:
/dev/vdb2   swap   swap   defaults   0 0
/dev/vdb3   swap   swap   pri=1      0 0
**IMPORTANT NOTE:
- do NOT create different partitions using both fdisk and gdisk. It will confuse
the system. If you had created the 1st partition using gdisk, then use gdisk for
ALL other partitions on that disk. If you had created the 1st partition using
fdisk, then use fdisk for all the other partitions on that disk.
____________________________________
Ch10: LVM
-----------------------------------
5 steps in creating a usable LV
a) prepare the physical device - use fdisk/gdisk to create partitions.
# fdisk /dev/vdb
# fdisk /dev/vdc
b) create the PV (initialize the partitions)
# pvcreate /dev/vdb1 /dev/vdb2 /dev/vdc1
c) create the VG (called 'avengers')
# vgcreate avengers /dev/vdb1 /dev/vdb2 /dev/vdc1
d) create the LV (called 'hulk', 10G in size in the 'avengers' volume group)
# lvcreate -n hulk -L 10G avengers
e) create the filesystem, e.g.
# mkfs -t xfs /dev/avengers/hulk
then, create a mount point to mount this new filesystem, eg.
# mkdir /mnt/hulk
# mount /dev/avengers/hulk /mnt/hulk
# mount -a
OR add entry in /etc/fstab (to make the mount permanent/survive a reboot):
/dev/avengers/hulk   /mnt/hulk   xfs   defaults   1 2
PV cmds
~~~~~~~~
pvcreate /dev/vdb1 /dev/vdb2
pvremove /dev/vdb1 /dev/vdb2
pvdisplay /dev/vdb2
pvmove /dev/vdb1 <-- this will move all the data (in the physical extents) to other PVs in the same VG
VG cmds
~~~~~~~
vgcreate <vgname> /dev/vdb1 /dev/vdb2
vgremove <vgname>
vgdisplay <vgname>
vgextend <vgname> /dev/vdc1
LV cmds
~~~~~~~
lvcreate -n <lvname> -L <SIZE> <vgname>
lvremove /dev/vgname/lvname
lvdisplay /dev/vgname/lvname
lvextend -L +300M /dev/vgname/lvname
-> after running lvextend, remember to run 'xfs_growfs' to expand the file system
to occupy the extended LV, e.g.
# xfs_growfs /mnt/storage
** alternatively, can use resize2fs, but instead of the mount point, it takes the
LV name, e.g.
# resize2fs /dev/vgname/lvname <-- only works on ext2/3/4 filesystems, not XFS; for XFS use "xfs_growfs"
____________________________________
Ch11: NFS
-----------------------------------
RHEL7 uses NFSv4 (uses TCP) by default and falls back to NFSv3 or NFSv2 if NFSv4 is
not available. (NFS 3 or 2 can use either TCP or UDP)
* Manually mount a NFS share (via cmd line OR via /etc/fstab)
* Automatic mount of NFS share via 'autofs' service
NFS shares are secured by various methods: 'none', 'sys', 'krb5', 'krb5i' and 'krb5p'
The NFS client must connect to the exported share using one of the methods above
as specified by the share (via the mount option, sec=<method>)
The Kerberos options will require at least /etc/krb5.keytab, which will be provided.
It is outside the scope of this course. Just remember it's required!
The "nfs-secure" service (part of the 'nfs-utils' package) is used to manage
communication with the server when connecting to Kerberos-secured shares.
Steps in SEQUENCE:
--------------------
1. check if nfs-utils package is installed (yum list nfs-utils)
If not installed, then 'yum install nfs-utils'
2. download the 'krb5.keytab' from the server/classroom and rename it to /etc/krb5.keytab
# wget http://classroom.example.com/pub/keytabs/desktop0.keytab -O /etc/krb5.keytab
3. # systemctl enable nfs-secure
# systemctl start nfs-secure
4. Create the mountpoints on the DesktopX
# mkdir -p /mnt/public
For Manual Mounts:
~~~~~~~~~~~~~~~~~
a) Edit /etc/fstab and add the following line(s):
server0:/shares/public   /mnt/public   nfs   sec=krb5p,sync   0 0
server0:/shares/public   /mnt/manual   nfs   sec=sys,sync     0 0
# /dev/vda1              /             xfs   defaults         1 1
# /dev/shazam/storage    /storage      xfs   defaults         0 2
b) Test it out:
# mount -a (to mount all the filesystem/shares in the /etc/fstab)
# df -h
For AutoMounts: (autofs)
~~~~~~~~~~~~~~~~~~~~~~~~~~
yum -y install autofs
serverX.example.com:/shares/work
serverX.example.com:/shares/docs
'work' & 'docs' are the mount points that will be automatically created/removed
by the 'autofs' service. The full path is /shares/work & /shares/docs (remember
that /shares is the base dir for the mount point)
OR, use wildcard:
# vi /etc/auto.work
*   -rw,sync,sec=krb5p   serverX:/shares/&
Direct-Map:
===========
The master-map file content: /etc/auto.master.d/direct.autofs
/-   /etc/auto.direct
The content for the mapping-file: /etc/auto.direct:
/mnt/public   -rw,sync,sec=krb5p   serverX:/shares/public
note: you need to create the /mnt/public directory manually.
In the case of the auto-map (indirect map), you only have to create the base dir (/shares)
and the autofs service will automatically create the 'work' and 'docs' directories
when needed.
__________
IMPORTANT:
1) Use the Fully Qualified Name, i.e. serverX.example.com:/shares and NOT serverX:/shares
2) Double check the 'security' type, i.e. sec=krb5p <-- don't forget the 'p' if asked
to use encryption for security. (krb5i = for integrity check, and 'sys' for local
system security).
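Added example, not from the original notes, covering both the dump/fsck rules from the FileSystems chapter and the two IMPORTANT points just above: a shell lint over /etc/fstab-style lines. The table is constructed here (server0, serverX.example.com and /dev/shazam/storage are reused from the notes' own examples); nothing is read from the real /etc/fstab.

```shell
SAMPLE_FSTAB='# constructed sample, modelled on the table in the notes
server0:/shares/public               /mnt/public   nfs    sec=krb5p,sync   0 0
serverX.example.com:/shares/public   /mnt/manual   nfs    sec=sys,sync     0 0
/dev/vda1                            /             xfs    defaults         1 1
/dev/shazam/storage                  /storage      xfs    defaults         1 2
/dev/vdb2                            swap          swap   defaults         1 0'

# fstab_lint: reads fstab lines on stdin, prints one finding per problem
fstab_lint() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        NF < 4 { printf "line %d: too few fields\n", NR; next }
        {
            dev = $1; mnt = $2; type = $3; opts = $4
            dump = (NF >= 5) ? $5 : 0; pass = (NF >= 6) ? $6 : 0
            net = (type == "nfs" || type == "nfs4" || type == "cifs")
            # network mounts: the remote disk is not ours to dump or fsck
            if (net && (dump != 0 || pass != 0))
                printf "%s: network mount must use \"0 0\", got \"%s %s\"\n", mnt, dump, pass
            if (type == "nfs" || type == "nfs4") {
                split(dev, h, ":")
                if (h[1] !~ /\./)
                    printf "%s: NFS server \"%s\" is not a fully qualified name\n", mnt, h[1]
                if (opts !~ /(^|,)sec=/)
                    printf "%s: no sec= option on the NFS mount\n", mnt
                else if (opts !~ /(^|,)sec=krb5p(,|$)/)
                    printf "%s: sec is not krb5p, so the share is not encrypted\n", mnt
            }
            if (type == "swap" && (dump != 0 || pass != 0))
                printf "%s: swap must use \"0 0\", got \"%s %s\"\n", dev, dump, pass
            if (mnt == "/" && pass != 1)
                printf "/: root filesystem should have fsck order 1\n"
            if (mnt != "/" && !net && type != "swap" && pass == 1)
                printf "%s: only the root filesystem should use fsck order 1\n", mnt
        }'
}

# fstab_findings: the lint run over the constructed table
fstab_findings() {
    printf '%s\n' "$SAMPLE_FSTAB" | fstab_lint
}

fstab_findings
```

On the sample this reports three problems: the server0 share is not given as an FQDN, /mnt/manual uses sec=sys (no encryption), and the swap line carries "1 0" instead of "0 0". To check the live file: fstab_lint < /etc/fstab.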
____________________________________
Ch12: SMB
------------------------------------
- Mount SMB file systems manually (cli and /etc/fstab)
- Mount SMB file systems (CIFS) automatically - via autofs
Required software packages: cifs-utils
Optional (but useful): samba-client package - has the 'sambaclient-*' cmd line utilities
3 Steps:
-------
a) identify the remote share to access
b) determine the mount point where the share should be mounted (create it locally if needed)
c) mount the SMB share via cli or appropriate config change
Authentication:
- SMB shares can be flagged as non-browseable, and can be restricted to specific users, groups
- there are many authentication schemes supported by SMB; the most common is the
username/pass combo.
(these can be stored in /etc/fstab itself or in a secret 'credentials' file, e.g. /etc/smbcred.smb)
Manual Mount
~~~~~~~~~~~~
CLI:
# mount -t cifs -o guest //serverX/share /mnt/share
.smb
(For CIFS/samba - take note of the colon ":")
cases   -fstype=cifs,credentials=/etc/smbcred.smb   ://serverX/cases
(For NFS:)
cases   -rw,sync,sec=krb5p   serverX:/shares
systemctl get-default
systemctl set-default graphical.target
systemctl isolate multi-user.target (runlevel6.target <-- reboot)
important targets
---------------
rescue.target : sulogin prompt, basic system initialization completed, system
in read/write mode
emergency.target: sulogin prompt, initramfs pivot complete and system root mounted
on / (read only)
** To select a different target at boot time, a special option can be appended to
the kernel command line from the boot loader: eg: systemd.unit=rescue.target
Fix incorrect /etc/fstab entry
-----------------------------
1. Reboot
2. Interrupt the boot loader menu countdown by pressing any key
3. Move the cursor to the entry to be started. Press "e" to edit that entry
4. Move cursor to the line that starts with "linux16". This is the kernel cmd line
5. Append: systemd.unit=<desired.target>
eg: systemd.unit=rescue.target
6. Press 'ctrl-X' to reboot
Recover root passwd
-------------------
1. Select the Boot-Entry (default or the rescue), and press 'e' to edit
2. Go to the 'linux16' line (the line that has /boot/vmlinuz-3.x.x <-- this is the kernel),
press the 'end' key to go to the end of the line, and append: "rd.break" (without quotes)
=> this will break just before control is handed from the initramfs to the actual system
3. Ctrl-X to continue booting - a root shell is presented where the actual system
is mounted as 'read-only' on /sysroot
4. RE-mount /sysroot as read-write:
# mount -o remount,rw /sysroot
# chroot /sysroot <-- switch into the chroot jail, where /sysroot is treated as the
root of the file-system tree
# passwd root <-- reset root pass
# touch /.autorelabel <-- needed for SELinux relabelling, for correct permission settings
5. # exit (to exit from chroot)
# exit (exit the initramfs debug shell)
Repairing Grub2
---------------
grub2-mkconfig > /boot/grub2/grub.cfg
* in grub menu entries, "linux16" is valid. Anything else
such as "os16" is wrong.
______
NOTES:
-----
to remount a 'read-only' filesystem:
# mount -o remount,rw /
____________________________________
Ch14: FirewallD
------------------------------------
- old ways: iptables, ip6tables, ebtables <-- find out what's ebtables
- firewalld - manages both ipv4 and ipv6
- All network traffic is classified into "zones".
- based on criteria such as source IP of packet, or the incoming NIC, traffic is
diverted to the appropriate zone and the rules in that zone are then applied
* every packet that comes into the system is first checked for the source IP addr.
If it matches a specific zone, then the rules in that zone are applied. If the source
IP is not tied to a zone, then the zone for the incoming network interface is used.
If the network interface is not associated with any zone for some reason, then the
default zone will be used. The 'public' zone is used by default.
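Added example, not from the original notes: the zone-selection order just described (source binding, then interface binding, then the default zone) written as a shell/awk lookup with real CIDR matching. The bindings and addresses are constructed in the shape that firewall-cmd --add-source, --add-interface and --set-default-zone would produce; "first matching source binding wins" is an assumption made by this example.

```shell
ZONE_BINDINGS='source 10.0.0.0/8 internal
source 192.168.5.0/24 trusted
source 203.0.113.7/32 block
interface eth0 public
interface eth1 work'
DEFAULT_ZONE=public

# resolve_zone <source ip> <incoming interface>: prints the zone whose rules apply
resolve_zone() {
    printf '%s\n' "$ZONE_BINDINGS" | awk -v ip="$1" -v ifc="$2" -v def="$DEFAULT_ZONE" '
        # dotted quad -> 32-bit integer (awk doubles are exact in this range)
        function toint(a,   p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        # addr is inside cidr when both share the same top "bits" bits
        function incidr(addr, cidr,   q, bits, shift) {
            split(cidr, q, "/"); bits = (q[2] == "") ? 32 : q[2] + 0
            shift = 2 ^ (32 - bits)
            return int(toint(addr) / shift) == int(toint(q[1]) / shift)
        }
        # 1) source binding (first match wins), 2) interface binding, 3) default
        $1 == "source"    && srczone == "" && incidr(ip, $2) { srczone = $3 }
        $1 == "interface" && $2 == ifc                        { ifzone  = $3 }
        END {
            if (srczone != "")     print srczone
            else if (ifzone != "") print ifzone
            else                   print def
        }'
}

echo "10.1.2.3 via eth0     -> $(resolve_zone 10.1.2.3 eth0)"      # internal (source)
echo "203.0.113.7 via eth0  -> $(resolve_zone 203.0.113.7 eth0)"   # block (source)
echo "203.0.113.8 via eth1  -> $(resolve_zone 203.0.113.8 eth1)"   # work (interface)
echo "198.51.100.1 via eth9 -> $(resolve_zone 198.51.100.1 eth9)"  # public (default)
```

The third and fourth lines show the fallbacks: a source with no binding drops to the interface's zone, and an interface with no binding drops to the default zone, which is why the default zone's rules matter even when every NIC you know about is bound somewhere else.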
Pre-defined zones:
------------------
- trusted
- internal: similar to home
- home: reject all unless related to outgoing or ssh,ipp-client,dhcpv6-client,
mdns,samba
- work: reject all unless related to outgoing or ssh,ipp-client,dhcpv6-client
- public: reject all unless related to outgoing or ssh, dhcpv6-client
- external: reject all unless related to outgoing or ssh. Outgoing ipv4 traffic
thru this zone is masqueraded.
- dmz: reject all unless related to outgoing or ssh
- block: reject all unless related to outgoing
- drop: drop all unless related to outgoing (do not respond with icmp error message)
Predefined Services: firewall-cmd --get-services (to view all)
-------------------
ssh: local ssh server. Port 22
dhcpv6-client: local DHCPv6 client. Port 546/udp
ipp-client: local IPP printing. Port 631/udp
samba-client: local Windows file & print sharing client. Port 137/udp & 138/udp
mdns: Multicast DNS (mDNS) link-local name resolution. Port 5353/udp to 224.0.0.251
To configure firewalld
------------------------
firewall-config & (GUI) [yum -y install firewall-config]
firewall-cmd (cli)
~~~~~~~~~~~~
firewall-cmd --get-default-zone
firewall-cmd --set-default-zone=<ZONE>
firewall-cmd --add-source=<CIDR> --zone=<ZONE> (default zone is assumed if zone
is not specified)
firewall-cmd --remove-source=<CIDR> --zone=<ZONE>
firewall-cmd --add-interface=<IFACE> --zone=<ZONE>
firewall-cmd --change-interface=<IFACE> --zone=<ZONE>
firewall-cmd --add-service=<SERVICE> --zone=<ZONE>
firewall-cmd --add-port=PORT/PROTO --zone=<ZONE>
firewall-cmd --remove-service=<SERVICE> --zone=<ZONE>
firewall-cmd --remove-port=PORT/PROTO --zone=<ZONE>