
#LinuxCBT EL-7 Edition#

Current Release: 7
We will use:
1. CentOS7x
2. RedHat Enterprise 7x
3. Kernel Version: 3.10.x
a. 'kpatch' - dynamic kernel patching facility - Tech Preview
NOTE: Tech Previews are subject to problems that may adversely affect production
NOTE: This positively impacts uptime
b. 'modprobe.blacklist=module' - module blacklisting facility, where necessary
(if conflicts with other modules or problematic hardware support or similar)
4. SWAP compression via 'zswap' - automagically-handled by the kernel
5. Supports:
a. graphical (default) - new consolidated GUI (ALL options are on 1 screen)
b. text-based - options are spread across a series of screens
6. 6.5x - 7x - in-place upgrades supported
NOTE: Documentation claims NOT suggested, though supported
NOTE: Backup and attempt on clone instances first
NOTE: Clone instance should have the APP stack, not the data: i.e. '/home'
7. Installable from:
a. Local media: CDs | DVDs
b. ISO images
b1. DVD image - most of the common selectable packages and package groups
b2. Everything image - ALL available packages - CentOS
b3. Network-based - Minimal installation - fetches remainder from Net
b4. Live images - GNOME | KDE
8. GUI - Desktop (Window Dressing)
a. GNOME 3
a1. GNOME Boxes (Virtualization light)
b. KDE
9. 'systemd' - replaces 'sysv' and 'upstart' - SysV and LSB init-script compatible
10. 'NetworkManager' - now includes FULL CLI support and improved NIC management
NOTE: NetworkManager supports traditional NIC interface scripts
11. 'firewalld' - firewall manager
12. 40Gbps Ethernet support
13. KVM - Virtualization
14. Open VMWare Tools are included
NOTE: Improves performance and manageability within VMWare HOSTS (ESX, etc.)
15. XFS - Default FS for new installations
a. 16-Exabyte FS
b. 8-Exabyte Files
c. Online up-sizing (NOT downsizing)
16. GRUB2 - Default Bootloader - GPT, EFI, BIOS, OpenFirmware support
17. Platforms:
a. x86_64 (64-bit) - Intel | AMD
b. IBM Power7
c. SystemZ 196+
18. Storage: 7.5GB or higher
19. Installation is consolidated and uses the same detection tools used at run-time
20. Installer makes sensible partitioning decisions, especially when storage is limited, reducing the footprint to 2-partitions:
a. /
b. SWAP

# GUI Installation of RedHat Enterprise 7x#


1. DVD ISO - most packages
2. Deploy within VMWare ESXi
3. Install from Windows Management GUI - VSphere Client
NOTE: New installer presents consolidated GUI interface (ALL options) on 1 screen
NOTE: Multiple tasks can be carried out during installation: i.e. 'root password', 'additional user' and the like
NOTE: Configure NIC prior to NTP configuration
NOTE: Initial Kickstart file is still supplied to shorten the time required for subsequent installs: '/root/anaconda-ks.cfg'
NOTE: Default GNOME LOGIN allows anyone to restart | power-off the system. Will tweak later.

# Text-based Installation #
1. CentOS 7x
2. RedHat Enterprise 7x
NOTE: It's as simple as passing the string: 'inst.text' on the kernel's command line during installation
NOTE: The installation process is carried out via TEXT but does NOT impact the outcome of the installed server's interface. i.e., server may run with or without a GUI.
NOTE: It's merely a matter of the interface that is presented during installation, indicated by the 'inst.text' option passed to the installation kernel's command line (CLI)
NOTE: Ensure that you select: 'Tab' during the installation's main GRUB2 menu presentation and modify the kernel line to include: 'inst.text' to invoke TEXT-mode
NOTE: Sometimes VMWare ESXi does NOT update the screen when it receives no stream of data from the GUEST, which results in console-access delays.
NOTE: 'inst.text' TEXT Mode installation results in a system booting to 'multi-user.target' (runlevel 3) by default. Use: 'systemctl isolate graphical.target' to enter the GUI now, and 'systemctl set-default graphical.target' to make it the default; '/etc/inittab' is NOT consulted by systemd

# Network-based (HTTP) #
Requirements:
1. HTTPD instance somewhere: i.e. IIS, Apache, etc.
2. Export of the tree (ISO image) to the HTTP share location (URL)
3. Client-side - minimal (network boot) ISO image - Net access
NOTE: PXE-booting obviates the need for any local media - look at this if desired
Tasks:
1. Explore HTTP configuration
a. 192.168.75.101/{RHEL,CentOS}
a1. http://192.168.75.101/CentOS/7
a2. http://192.168.75.101/RHEL/7
NOTE: Any of the ISO images will let you change the source to a network source

# Kickstart Configuration #
Features:
1. Automates delivery - rapid provisioning
NOTE: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide_/sect-kickstart-syntax.html
2. Post-installation, '~root/anaconda-ks.cfg' file is created
This file represents the settings associated with the current installation
NOTE: If you, as we will, re-install existing systems using the resultant KS CFG files, there will be at least 1 prompt during installation concerning the target disk
3. The location of the CFG file MUST be specified upon installation invocation
a. 'Tab' at main GRUB screen, indicate that KS is desired:
a1. 'inst.ks=http://192.168.75.101/{RHEL,CentOS}/*.cfg'
NOTE: Name your .cfg files in a fashion similar to Virtual Machine images:
i.e. centos7-infrastructure-server-gui.cfg
i.e. rhel7-is-gui-40GB.cfg
4. Debug information is stored in: '/tmp' of target system
5. NOTE: 'Kickstart Configurator' is NO longer developed
NOTE: NOT ALL possible directives are covered
6. Required / optional sections are the same: i.e. command, %packages, [%pre] and [%post]
7. Omitted items will cause the installer to prompt the user for input
Task:
1. Re-install both systems in an automated fashion
a. Access nodes
b. Modify .cfg files
c. Publish .cfg files to HTTP repository
c1. 'inst.ks=http://192.168.75.101/CentOS/centos7-is.cfg'
c2. 'inst.ks=http://192.168.75.101/RHEL/rhel7-is.cfg'
d. Re-install nodes using minimal|network ISO referencing the .cfg files
NOTE: Ensure that published (HTTP) .cfg files are flagged 644 or readable by web user
NOTE: Since we reprovisioned: CentOS7 instance entirely in VMWare, its default SDA was blank, which rendered the installation fully-automated
NOTE: If VM instance fails to boot from ISO image, try the following:
a. Delete, then Re-provision GUEST
b. Remove startup disk and provision anew
2. Repeat process for 1 of the servers
NOTE: This is mostly-automated, because we still must indicate the location of the .cfg file at the GRUB2 menu
NOTE: It is possible to fully-automate by using PXE and DHCP configuration that tells the client which .cfg file to use
NOTE: Either way, it is still required to indicate which .cfg file to use for installation
NOTE: A published .cfg carries the 'rootpw' line (a password hash, or the plaintext password if it was written that way) and any 'sshpw' credentials; whatever the web user can read, every host that can reach the HTTP server can read. Publish only hashed passwords and restrict the repository to the install network
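Before publishing a .cfg to the HTTP repository, run a check like the following (an added example, not LinuxCBT's code). It writes two constructed Kickstart fragments (the '$6$' string is a placeholder, not a real hash) and rejects a missing, plaintext or non-SHA-512 'rootpw', leftover 'sshpw' lines, and world-writable files. Run it against the real file with 'ks_check /root/anaconda-ks.cfg'; pair it with 'ksvalidator' from pykickstart, which checks directive syntax but not these content issues.

```sh
#!/bin/sh
# Added example (not LinuxCBT's code): pre-publication check of a Kickstart file.
# Both .cfg files below are constructed; the $6$ string is a placeholder hash.

# ks_samples DIR -> writes good.cfg (hashed rootpw, mode 644) and bad.cfg into DIR
ks_samples() {
    cat > "$1/good.cfg" <<'EOF'
#version=RHEL7
install
url --url=http://192.168.75.101/RHEL/7
rootpw --iscrypted $6$placeholdersalt$placeholderhashplaceholderhashplaceholderhash
%packages
@core
%end
EOF
    cat > "$1/bad.cfg" <<'EOF'
#version=RHEL7
install
url --url=http://192.168.75.101/RHEL/7
rootpw --plaintext changeme
sshpw --username=install changeme --plaintext
%packages
@core
%end
EOF
    chmod 644 "$1/good.cfg"
    chmod 666 "$1/bad.cfg"
}

# ks_check FILE -> prints each finding; returns 0 if clean, 1 otherwise
ks_check() {
    f="$1"; rc=0
    if ! grep -q '^rootpw' "$f"; then
        echo "FAIL $f: no rootpw line (installer will prompt)"; rc=1
    elif ! grep -Eq '^rootpw[[:space:]]+--iscrypted' "$f"; then
        echo "FAIL $f: rootpw is not --iscrypted (plaintext password in a web-served file)"; rc=1
    elif ! grep '^rootpw' "$f" | grep -qF -- ' $6$'; then
        echo "WARN $f: rootpw hash is not SHA-512 crypt (\$6\$)"; rc=1
    fi
    if grep -q '^sshpw' "$f"; then
        echo "WARN $f: sshpw line present (installer SSH credential)"; rc=1
    fi
    # stat -c %a is GNU coreutils (what RHEL ships); any write bit for 'other' fails
    mode=$(stat -c %a "$f")
    case "$mode" in
        *[2367]) echo "FAIL $f: world-writable ($mode); publish as 644"; rc=1 ;;
    esac
    return "$rc"
}

# Demo run against the two constructed files
KSDIR=$(mktemp -d)
ks_samples "$KSDIR"
ks_check "$KSDIR/good.cfg" && echo "good.cfg: OK to publish"
ks_check "$KSDIR/bad.cfg" || echo "bad.cfg: rejected"
```

A '--iscrypted' hash served over HTTP is still an offline-cracking target, which is why the repository itself should not be reachable from outside the install network.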

# Rescue Environment #
Features:
1. Multiple modes
a. Rescue
b. Emergency
NOTE: Both are based on an installed system: i.e. N3
NOTE: Both provide Single-User modes to attempt to rectify system problems
NOTE: Both modes are accessible from an already running system via: 'systemctl {rescue,emergency}'
NOTE: As a result of these modes, you enter Single-User mode, which drops network connectivity, thus external connections
NOTE: 'systemctl ...' typically sends messages to logged-in users, unless the '--no-wall' option is used
NOTE: The installer's own rescue mode (next item) is invoked separately, by passing: 'inst.rescue' on the kernel boot line
NOTE: Standard GRUB2 menu, secondary '...rescue' option, is really a backup kernel, which launches into multi-user mode
2. Install Rescue Mode - based on the installation sources
a. Provides a TUI and emergency fall-back $SHELL to help recover the system
b. Select from 'Troubleshooting' menu or append: 'inst.rescue' to kernel boot line
c. Searches system for mountable '/' FS and mounts it: '/mnt/sysimage'
c1. This helps to fix files that may have been corrupted, i.e.: /etc/fstab and additionally possibly a corrupted GRUB2 environment
c2. 'chroot /mnt/sysimage' - this becomes the new '/' and allows you to use ALL functionality, i.e.: 'grub2-install /dev/sda' (the boot DISK, not the '/boot' directory)
NOTE: Possible to fix bad driver, which prevents the system from loading
NOTE: Nowadays, virtualize, and take snapshots prior to ALL key updates

Tasks:
1. Mislabel GRUB2 references to the kernel
a. '/etc/grub2.cfg'
2. Booted from Install Rescue Mode (from any ISO that boots the installer)
3. Repeat on CentOS
NOTE: If you lose the 'root' password, use:
a. Install Rescue Mode to mount the '/' FS
b. 'chroot /mnt/sysimage'
c. 'passwd root'
c1. 'touch /.autorelabel' (still inside the chroot) - the rescue environment runs without the target's SELinux policy, so the rewritten '/etc/shadow' needs relabelling at next boot or logins may fail
d. 'reboot'
NOTE: Because of this, for security purposes, guard boot media and boot access for ALL systems: restrict physical and hypervisor console access, lock the firmware boot order, and consider password-protecting GRUB2 entries, since anyone who can reach the boot menu can run this procedure
# Basic Linux Skills #
1. 'whoami' - reveals the effective user of the current $SHELL (TTY)
2. 'tty' - reveals the terminal device attached to the current $SHELL
3. 'w', 'who' - reveals the connected users and terminals
4. '/' - parent of ALL directories
a. Default upon LOGIN and instantiation of new $SHELL is to place you in your: $HOME
b. 'pwd' - reveals the absolute (from '/') path of the current directory
c. 'cd' - moves you around
c1. 'cd ~' - directs you to your $HOME
c2. 'cd ~USER' - directs you to that USER's $HOME
d. 'ls' - myriad options reveal directory contents
5. 'id' - reveals your account and group details
6. 'touch' - creates, by default, an empty file, otherwise, updates the timestamps associated with the target file(s)
7. 'echo' - echoes what you tell it to
8. 'cat' - dumps the contents of TEXT files
a. 'echo "1" > 1.txt'
b. 'echo "2" > 2.txt'
c. 'cat 1.txt 2.txt > 1.2.txt'
9. 'mkdir NAME'
10. 'rm -rf temp/' - wipes the directory structure
a. 'cp -apvf temp temp2' - duplicates the contents of 'temp' DIR to newly-created 'temp2' DIR
b. 'rm -rf temp/'
c. 'mv temp2 temp'
11. 'history' - reveals the history of executed commands
a. '!NUM' - executes the command indexed at NUM
12. Pagers - paginate textual data on a per-screen basis, dynamically
a. 'more'
b. 'less'
Typically: 'f' || <SPACE> to move forward, 'b' to move back
13. Heads and Tails
a. 'head' - examines the top of a document
b. 'tail' - examines the bottom of a document
14. Word Count - which also counts number of lines in a document
a. 'wc -l' - counts the number of lines
b. 'wc FILE' - counts number of lines, words, etc.
15. Ascertain the type of target FILE
a. 'file FILE' - uses a variety of methods to deduce the target file's type
16. Process status listing using: 'ps'
a. 'ps' - displays processes tied to the current $SHELL, which usually is a limited subset of the total
b. 'ps -ef'
'UID PID PPID C STIME TTY TIME CMD'
17. Free memory (RAM && SWAP)
a. 'free -m'
18. Disk Partition Utilization (Free): 'df'
a. 'df -h'
19. Directory Utilization: 'du'
a. 'du -chs' - scans tree and produces summary of usage
b. 'du -chs /home' - dump the full utilization of the /home tree
c. 'du -chs /var' - "" /var tree
20. Top processes and related metrics
a. Aggregates data from multiple tools: uptime,ps,free and others
b. 'top'
c. 'uptime' - dumps how long the system has been up
# Compression Utilities: tar, gzip, bzip2, zip #
Features:
1. Archive and compress
Tasks:
1. 'gzip'
a. 'gzip -c Xorg.9.log.old > Xorg.9.log.old.gz'
b. 'gunzip Xorg.9.log.old.gz'
c. 'gzip -l Xorg.9.log.old.gz' - reveals stats about the compressed object
d. 'zcat Xorg.9.log.old.gz' - auto-decompresses the content on-the-fly
2. 'bzip2'
a. 'bzip2 -c Xorg.9.log.old > Xorg.9.log.old.bz2'
b. 'bunzip2 Xorg.9.log.old.bz2'
c. 'bzcat Xorg.9.log.old.bz2'
3. Zip & Unzip - typically most-compatible with Windows
a. 'zip Xorg.9.log.old.zip Xorg.9.log.old' - TARGET first, SOURCE second
NOTE: 'zip' includes native archival abilities, which is why you typically won't find: *.tar.zip files, but rather: *.tar.{bz2,gz}
4. Tar with: gzip && bzip2
a. 'tar -cvf linuxcbt-temp.tar /home/linuxcbt/temp' - creates archive with NO compression
b. 'tar -tvf FILE' - exposes the contents, i.e. 'unzip -l', without extraction
c. 'tar -xvf FILE' - extracts archive to current directory
d. 'tar -cvzf linuxcbt-temp.tar.gz /home/linuxcbt/temp' - creates archive WITH gzip compression
e. 'tar -cvjf linuxcbt-temp.tar.bz2 /home/linuxcbt/temp'
f. 'tar -cvjf linuxcbt-temp.tar.bz2 /home/linuxcbt/temp /etc /var/log'
NOTE: With 'zip' and 'tar', because they are archival tools, it makes sense to specify the TARGET first, then an arbitrary number of source files/directories
NOTE: 'tar' strips the leading '/' from member names on creation ('Removing leading `/' from member names'), so extraction lands under the current directory; list with '-tvf' before extracting an archive you did not create
g. 'tar -xvjf linuxcbt-temp.tar.bz2'
# 'systemd' Service Management Framework #
Features:
1. Akin to Solaris's SMF
2. Provides comprehensive unit management facility (services, devices, paths, etc.)
3. Replaces 'upstart' - provides faster boot times due to a variety of features, i.e. parallel start-up: SSH && MySQL both depend upon the Network Target, but not on each other, so as long as the Network Target has loaded properly, both SSH and MySQL can be invoked in parallel
NOTE: 'systemd' provides, like SMF, more discrete dependency relationships, unlike SysV, which is numerically oriented, thus making it a serial system-invoker
4. Manages various facets via 'UNIT' files (units): i.e.
a. services: i.e. ssh, httpd, etc.
b. devices: USB, Storage, etc.
c. sockets: networking, TCP/IP
d. paths: file or directory
e. mounts: NFS, Automount, etc.
f. snapshots: the ability to temporarily backup the system state
NOTE: 'service' units (.service files) replace SysV-style INIT scripts, playing the same role in declarative form
5. SysV and LSB-init scripts compatible - provides legacy support
6. Service management via: 'systemctl': status | start | stop | restart | enable | disable
NOTE: Currently, 'systemctl' does NOT support custom service management commands (i.e. script-specific verbs such as 'configtest')
NOTE: 'service' && 'chkconfig' are available, but superseded by: 'systemctl' - use this instead. The capabilities of both tools are collapsed|consolidated into: 'systemctl'
7. Runlevel control - mapped to 'target' units for compatibility
NOTE: 'runlevel' is provided, however, 'N' is sometimes returned when the target doesn't map directly
NOTE: Runlevels are mapped to pre-defined targets in: '/usr/lib/systemd/system/runlevel*.target'
NOTE: These files spell out, i.e.: When may a service load? What's required? When should the service NOT load?
8. State control:
a. emergency
b. rescue
c. poweroff
d. restart
e. hibernation
f. suspension
9. 'systemd' units - encapsulation of the following:
a. services
b. sockets
c. system state snapshots
d. paths
e. mounts
f. etc.
10. Supports system state snapshots - current unit configuration, which is temporarily held
NOTE: snapshots do NOT persist reboots
11. D-bus activation of services
a. D-bus activation (where supported by service) allows on-demand invocation of service upon request by the client(service)
12. Socket-based activation (where supported by service) allows messages to be queued during service restarts
a. 'systemd' functions as a proxy(broker) between the client and the ultimate service
13. Device-based activation - i.e. hot-plugged device activates corresponding service(s)
14. Path-based activation - if a particular file || directory is accessed, corresponding service(s) is invoked. i.e. NFS, NFS with Automount
15. On-demand starting of daemons
16. Parallelization of service invocation at startup: i.e. MySQL && SSH
17. Mount || Automout management
18. Services do NOT inherit the environment ($PATH, $HOME, etc.) of the $USER who starts them; units run with a minimal, predictable environment - more secure
Key Directories:
1. '/usr/lib/systemd/system' - repository of ALL packaged units, the counterpart of: /etc/rc.d/init.d
2. '/etc/systemd/system' - ENABLED units are symlinked here (under *.wants/), alongside local unit files and overrides, which take precedence over those in /usr/lib/systemd/system
3. '/run/systemd' - run-time systemd units - auto-generated
# SystemD Primary user-space tool: 'systemctl' #
Features:
1. All-encompassing device | service management tool
2. Provides comprehensive power-management options:
a. Halt
b. reboot
c. poweroff
d. hibernate
e. suspend - especially important with: Virtual instances and mobile devices

Tasks:
1. Explore basic power management control
a. 'init 6' - 'systemctl [--no-wall] reboot'
b. 'init 0' - 'systemctl [--no-wall] poweroff'
NOTE: 'init 6', etc., still works, but may eventually be deprecated
2. Service Management
a. 'systemctl' - dumps ALL managed units: services, devices, paths, mounts, sockets, etc.
b. 'systemctl list-units' - lists loaded units of ALL types
c. 'systemctl list-sockets' - lists loaded sockets, ordered by address
NOTE: Useful in debugging problems communicating with sockets
d. 'systemctl status [NAME..|PID..]' - shows runtime stats
d1. '/usr/lib/systemd/system/atd.service' - actual service file
NOTE: The data returned is comprehensive, and under prior versions of RHEL, we had to aggregate these data from various sources: i.e. 'ps -ef | grep service_name', 'cat /var/run/PID', '/etc/*'
e. 'systemctl show [NAME..|JOB..]' - shows properties of the units
f. 'systemctl -t service' - returns ONLY services
g. 'systemctl -t {device,socket}' - lists devices || sockets
3. Install Apache and Manage service
a. 'yum install httpd'

# Checksums #
Features:
1. Generate (practically) unique fingerprints based on a set of data
a. Files
b. STDIN
2. Verifies the integrity of data: any change to the content changes the checksum. This detects corruption; it only detects tampering if the attacker cannot ALSO replace the published checksum, which is why vendors sign their checksum lists
3. Published content online, is usually accompanied by checksums for your perusal
Tasks:
1. 'nano test.txt' - populate with junk
2. 'md5sum test.txt' - 'ba1f2511fc30423bdbb183fe33f3dd0f'
'4cd713d16b3f7078041799001428d0ee'
'ba1f2511fc30423bdbb183fe33f3dd0f'
NOTE: Checksums attest to the integrity (internal consistency) of content, not to its origin
NOTE: md5sum = 128-bit checksum
NOTE: this works for detecting accidental corruption, however, more bits: i.e. 256, 512, means a lower collision probability. MD5 and SHA-1 are also no longer collision-resistant (an attacker can craft 2 inputs with the same digest), so prefer 'sha256sum' wherever the checksum is meant to resist tampering
3. 'sha1sum test.txt' - returns 160-bit string
4. Copying a file does NOT change its intrinsic value, which means the checksum should return identical to the source
5. Moving the file across the wire has no checksum effect, IF, the file was transferred in total: 100%
NOTE: i.e., if you transfer a fractional text file, you will have checksum mismatches
NOTE: Broken, or, incomplete transmissions run the gamut of industries and impact us all. SO, check your checksums.
a. 'rsync -avvzP *txt 192.168.75.121:'
b. confirm checksums post-data-move
6. Generate large file, copy, and break transmission
a. 'dd if=/dev/zero of=512MB bs=1M count=512'
b. 'rsync -avvzP 512MB 192.168.75.121:' - break during transmission
NOTE: Automated scripts may simply check for the existence of a file object and NOT necessarily the object's checksum or even a size range within which the file should be. This ultimately introduces corrupt data into your environment.
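An added example (not from the notes) of what "check your checksums" looks like inside a transfer script: build the file with dd as above (1 MiB rather than 512 MB), publish a SHA256SUMS beside it, truncate a copy to stand in for the interrupted rsync, and compare a bare existence check against a digest check. sha256sum is used instead of md5sum for the collision reason given above; the directory names and file sizes are assumptions of the example.

```sh
#!/bin/sh
# Added example (not LinuxCBT's code): verify a transferred file against the
# checksum published with it, instead of only checking that it exists.

# make_transfer -> creates DIR holding 512MB (scaled down to 1 MiB of zeros, as
# dd if=/dev/zero produces), the sender's SHA256SUMS, and a truncated copy
# 512MB.partial that stands in for a broken rsync; prints DIR
make_transfer() {
    d=$(mktemp -d)
    dd if=/dev/zero of="$d/512MB" bs=1k count=1024 2>/dev/null
    ( cd "$d" && sha256sum 512MB > SHA256SUMS )     # what the sender publishes
    head -c 1000000 "$d/512MB" > "$d/512MB.partial"  # 48576 bytes short
    echo "$d"
}

# exists_check DIR FILE -> what a naive script does: 0 if the file is present
exists_check() { [ -f "$1/$2" ]; }

# verify DIR FILE -> 0 only if FILE's SHA-256 equals the published digest
# recorded for 512MB; a missing digest also fails (never "pass by default")
verify() {
    expected=$(awk '$2 == "512MB" { print $1 }' "$1/SHA256SUMS")
    actual=$(sha256sum "$1/$2" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

D=$(make_transfer)
for f in 512MB 512MB.partial; do
    exists_check "$D" "$f" && e=present || e=missing
    verify "$D" "$f" && v=checksum-ok || v=CHECKSUM-MISMATCH
    echo "$f: $e, $v"
done
```

The partial copy passes the existence check and fails the digest check, which is the whole point. In production the SHA256SUMS file must arrive by a channel the attacker does not control (or carry a signature you verify), otherwise both the file and its digest can be swapped together.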

# GREP #
Features:
1. Searches text files (textual data - typically line-based data) for matches
a. Simple
b. Extended regular expressions
2. Specializes in returning the FULL line of the matched item
Tasks:
1. Create dummy data to parse
a. 'grep "Linux" grep.test.txt' - returns lines containing "Linux" anywhere
b. 'grep "^Linux" grep.test.txt' - returns lines that begin with "Linux"
c. 'grep '^Linux$' grep.test.txt' - returns lines that consist solely of 'Linux'
d. 'grep 'LinuxCBT$' grep.test.txt' - returns lines that end with 'LinuxCBT'
e. 'grep 'LinuxCBT $' grep.test.txt' - returns lines that end with 'LinuxCBT ' (trailing space)
NOTE: Printable and non-printable chars (space, tab, various whitespace) are analyzed
NOTE: 'cat -A grep.test.txt' - reveals both types of chars
f. 'grep 'B.*' grep.test.txt' - returns lines containing 'B' (followed by anything); the '.*' adds nothing to the match
g. 'grep '.*W' grep.test.txt' - returns lines that contain 'W' anywhere
'.*' - matches any character 0 or more times
h. 'grep 'Linux.+' grep.test.txt' - nothing is returned because '+' is an extended operator: in basic regex it is a literal '+' character
h1. 'egrep 'Linux.+' grep.test.txt' - returns lines with at least 1 character after 'Linux', because 'egrep' (grep -E) treats '+' as "1 or more"
i. '[e]grep '[Linux|BSD]' grep.test.txt' - uses a character class (bracket expression)
NOTE: Character classes don't match the entire word, but rather, any 1 of the presented characters; '|' inside brackets is a literal pipe, NOT alternation. For "Linux OR BSD" use: 'egrep 'Linux|BSD''
j. 'grep "Dec [1|3]" /var/log/messages' - matches 'Dec ' followed by a single '1', '|' or '3': this also hits Dec 10-19 and 30-31, and MISSES single-digit days, which syslog pads with a space ('Dec  3'). Use: 'egrep "^Dec +(1|3) "' to restrict to those 2 days
k. 'grep "Dec [1|3]" /var/log/messages | grep -i 'd-bus'' - second parse is case-insensitive (-i)
# AWK #
Features:
1. Field (column) Processor
2. Supports egrep-compatible (POSIX) REGEXES
Tasks:
1. 'awk '{print $1}' [FILE] || STDIN' - prints the first field from the data-stream
2. 'awk '{print $1,$2}' FILE' - returns $1,$2
NOTE: 'awk' can be used to transform Field and/or Record separators
3. 'awk -F'[:+;,]' '{print $1,$2,$3,$4}' grep.test.txt' - uses multiple possible delimiters to identify fields
NOTE: By default, runs of whitespace separate fields; once '-F' is given, ONLY the specified pattern does
NOTE: Be careful if data-set contains space that is NOT to be treated as a field-separator
4. 'awk -F'[:+;]' '{print $0}' grep.test.txt' - returns the full lines
5. 'awk -F'[:+;]' '/LinuxCBT/ {print $1,$2,$3,$4}' grep.test.txt'
6. 'awk -F'[:+;]' '{ if ($1 ~ /LinuxCBT/) print $1,$2,$3,$4}' grep.test.txt'
7. 'awk '{ if ($5 ~ /kernel/) print $1,$2,$3,$6,$7}' /var/log/messages'
NOTE: if 5th column(field) matches 'kernel' then print the fields of interest from the record
8. 'awk '{ if ($5 ~ /kernel/) print $6,$7}' /var/log/messages' - simple way of anonymizing the record by excluding: timestamp, source host, facility
NOTE: Like 'grep', 'awk' iterates over ALL records, but selectively (optionally) returns data (fields) of interest
# SED - Streams Editor #
Features:
1. Streams Editor - allows us to parse the discrete contents of textual data
Usage:
1. 'sed -e 'instruction' file' || STDIN
NOTE: Additional '-e 'instruction'' commands will perform additional modifications in the order presented
2. 'sed -f script_file_name file' || STDIN - organized way of providing N number of instructions to 'sed'
3. 'sed -n '1p' grep.test.txt' - prints the FIRST line
4. 'sed -n '$p' grep.test.txt' - prints the LAST line
5. 'sed -n '3,6p' grep.test.txt' - prints lines 3-6
NOTE: 'sed' processes information 1-line at a time
6. 'sed -n -e '/^Linux$/,/AIX/p' grep.test.txt' - prints lines from the line that consists solely of 'Linux' to the next line that contains 'AIX'
7. 'sed -n -e '/^Linux$/,+3p' grep.test.txt' - prints the matching 'Linux' line plus the 3 lines after it (GNU extension)
8. 'sed -e '/^$/d' grep.test.txt' - removes blank lines from file
9. 'sed -e 's/root/admin/' -e 's/linuxcbtel7desk1/systema/' /var/log/messages > messages.anonymous.1'
NOTE: Without the 'g' flag, 's///' replaces only the FIRST match on each line; append 'g' ('s/root/admin/g') to anonymize every occurrence
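Running the grep, awk and sed passes from the three sections above together over a constructed sample of /var/log/messages lines, as an added example that is not part of the notes. The hostname, PIDs and addresses are made up; the functions show the day-filter pitfall from the grep section, the field-based kernel and sshd extraction from the awk section, and a fuller anonymizer than the two-substitution sed line.

```sh
#!/bin/sh
# Added example (not LinuxCBT's code): grep/awk/sed over constructed
# /var/log/messages lines in the RHEL 7 rsyslog format
# (month, space-padded day, time, host, program[pid]: message).

sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Dec  1 08:00:01 linuxcbtel7desk1 systemd: Started Session 1 of user root.
Dec  1 08:00:02 linuxcbtel7desk1 kernel: [    0.000000] Initializing cgroup subsys cpuset
Dec  3 09:15:10 linuxcbtel7desk1 sshd[1122]: Failed password for root from 10.0.0.5 port 51512 ssh2
Dec  3 09:15:12 linuxcbtel7desk1 sshd[1122]: Failed password for root from 10.0.0.5 port 51512 ssh2
Dec  3 09:16:40 linuxcbtel7desk1 sshd[1130]: Accepted publickey for linuxcbt from 10.0.0.7 port 41000 ssh2
Dec 13 10:00:00 linuxcbtel7desk1 dbus-daemon: dbus[700]: [system] Activating service name='org.freedesktop.problems'
Dec 31 23:59:59 linuxcbtel7desk1 kernel: usb 1-1: new high-speed USB device number 2 using ehci-pci
EOF
    echo "$f"
}

# Records from Dec 1 or Dec 3. "Dec [1|3]" is a bracket expression (one of '1',
# '|', '3'); because syslog pads the day ("Dec  1"), it matches "Dec 13" and
# "Dec 31" and neither "Dec  1" nor "Dec  3". The anchored ERE form is correct.
naive_dec_1_or_3() { grep -c 'Dec [1|3]' "$1"; }
dec_1_or_3()       { grep -Ec '^Dec +(1|3) ' "$1"; }

# Kernel records with timestamp, host and facility stripped. awk's default FS
# collapses the padding, so the program name is always $5.
kernel_msgs() {
    awk '$5 == "kernel:" { $1 = $2 = $3 = $4 = $5 = ""; sub(/^ +/, ""); print }' "$1"
}

# Failed password attempts against root, counted per source address
failed_root_by_ip() {
    awk '$5 ~ /^sshd\[/ && $6 == "Failed" && $9 == "root" { n[$11]++ }
         END { for (ip in n) print n[ip], ip }' "$1"
}

# Anonymize: hostname, IPv4 addresses and the root user name, every occurrence
# on a line (the notes' s/root/admin/ without /g only rewrites the first)
anonymize() {
    sed -E -e 's/linuxcbtel7desk1/systema/g' \
           -e 's/([0-9]{1,3}\.){3}[0-9]{1,3}/x.x.x.x/g' \
           -e 's/\broot\b/admin/g' "$1"
}

LOG=$(sample_log)
echo "naive day filter: $(naive_dec_1_or_3 "$LOG") lines; anchored: $(dec_1_or_3 "$LOG") lines"
kernel_msgs "$LOG"
failed_root_by_ip "$LOG"
anonymize "$LOG" > "$LOG.anonymous"
```

On the sample the naive filter returns 2 lines, both from the wrong days, and the anchored one returns the 5 records from Dec 1 and Dec 3. The IP and username masking matters as much as the hostname when a log extract leaves the environment.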
# File Types - Permissions - SymLinks #
Features:
1. Supported types: c,b,-,d, etc. - represented in first column of: 'ls -l'
2. File permissions for: owner, group members, and everyone else
3. Short and hard cuts to objects located throughout your system
File Permissions:
1. 10 characters represent the type and the Linux file permissions, regardless of the type of FS in use: i.e. EXT4, XFS, EXT{2,3}, ReiserFS, etc.
'crw--w----. 1 linuxcbt tty 136, 2 Dec 4 07:12 2'
rw- -w- --- = 6 2 0 (the trailing '.' marks an SELinux context on the object)
'-' in positions 2-10 represents a disabled bit
Position 1 describes the type of object in the FS
The remaining 9 positions (2-10) represent permissions, in groups of 3 (rwx), for:
a. Owner of the object
b. Members of the group labeled on the object: i.e. group=tty
c. Everyone else
Total permissions for objects = 7 7 7 (rwx rwx rwx)
r=4
w=2
x=1
NOTE: When working with permissions we work with either:
a. Octal notation: i.e. 777, 620, 644. etc.
b. Symbolic notation: rwxrwxrwx(777), rw--w----(620), rw-r-----(640)
c. We add permissions symbolically using: + and subtract using: -
d. With Octal notation, we simply specify the target Octal value: i.e. 644
Primary permissions tool = 'chmod'
a. 'chmod 660 grep.test.txt && ls -l grep.test.txt'
b. 'chmod u-x,g-rw grep.test.txt' - removes 'x' from owner, and 'rw' from group=linuxcbt resulting in an octal set = 0600
c. 'stat FILE' - returns the permissions and FS footprint
d. 'chown/chgrp' - changes user/group ownership
d1. 'chown root grep.test.txt' - makes new owner = uid=0
d2. 'chgrp root grep.test.txt' - makes new group owner = gid=0
d3. 'chown linuxcbt:linuxcbt grep.test.txt' - resets uid/gid ownership
# Symbolic Links #
Features:
1. Shortcuts with more capabilities
NOTE: Typical Windows shortcuts are equivalent to soft-symbolic links
2. Soft symbolic links permit linking:
a. within the same FS
b. across disparate FSs
c. Soft links merely link to the named representation of a file, within and/or across FSs
d. Soft links have no impact on the link counter associated with files
e. All soft links lead to one named-file. If this named file is renamed or removed, ALL soft links to it dangle (fail); editing its contents does NOT break them
3. Hard symbolic links permit linking:
a. within the same FS
b. but NOT across disparate FSs, because the INODE numbers that are used cannot be guaranteed to be unique across FSs
c. Hard links make direct references to the INODEs that underpin the files that we access: i.e. 'ls -li' to reveal the distinct INODEs
d. Each outstanding Hard link increases the link counter associated with the file: 'ls -li' - reveals this
e. Each outstanding link can be viewed as an instance of the INODE object that underlies the file. This means that the file persists within the FS until ALL hard links have been removed
4. Both mechanisms (Soft and Hard) provide a way to publish content to users in various locations across the system
a. Permits the exposition of content outside of normally protected zones: i.e. $USER || /home/$USER
NOTE: This cuts both ways: removing or re-permissioning a file by ONE name does not revoke access already held through another hard link, and the kernel's 'fs.protected_hardlinks' sysctl exists to stop users hard-linking files they do not own; check it with: 'sysctl fs.protected_hardlinks'
Tasks:
1. Soft links
a. 'ln -s source_file target'
a1. 'ln -s grep.test.txt grep2.test.txt' - creates soft link in the same directory
'lrwxrwxrwx. 1 root root 13 Dec 5 09:18 grep2.test.txt -> grep.test.txt'
NOTE: Despite the apparent: 0777 permissions associated with soft symlinks, the underlying (target) file's permissions always prevail. This is known as effective permissions on the file object.
a2. 'ln -s ~linuxcbt/Documents/grep.test.txt'
a3. 'ln -s ~linuxcbt/Documents/grep.test.txt /boot' - creates soft link in a different FS
a4. 'ls -l ~linuxcbt/Documents/grep.test.txt' - confirm link counter = 1
b. Break the source of the soft links
b1. 'mv ~linuxcbt/Documents/grep.test.txt ~linuxcbt/Documents/grep.test.txtt'

2. Hard Links
a. 'ln source_file target' - creates hard link - increments the link counter
b. 'chmod 644 ~linuxcbt/Documents/temp/grep.test.txt.hard' - impacts the underlying INODE, which means ALL instances of the document (hard-link form) will now wear the latest permissions
c. 'mkdir /projectx && ln ~linuxcbt/Documents/grep.test.txt /projectx/' - creates an instance of the object for 'general' access without having to grant users access to your $HOME dir
NOTE: This only works while '/projectx' lives on the SAME FS as '/home/linuxcbt'; once '/projectx' is a separate mount (as it becomes in the XFS and LVM sections), 'ln' fails with 'Invalid cross-device link' and a soft link or a copy is required
d. Remove one or more hard instances
d1. 'rm -f ~linuxcbt/Documents/grep.test.txt' - the content survives via the remaining hard link(s)
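To see the link-counter, permission and removal behaviour described above in one run, here is an added example (not the notes' own commands) using a throw-away directory and a constructed file. It shows the hard link outliving the original name, the 0777 mode that 'ls -l' reports for a symlink versus the effective mode of its target, and the symlink dangling after the rename.

```sh
#!/bin/sh
# Added example (not LinuxCBT's code): soft vs hard links when the original
# name is renamed, removed or re-permissioned. Content and paths are constructed.

# make_links -> creates DIR/orig (mode 600), DIR/soft -> orig, DIR/hard; prints DIR
make_links() {
    d=$(mktemp -d)
    printf 'secret data\n' > "$d/orig"
    chmod 600 "$d/orig"
    ln -s "$d/orig" "$d/soft"
    ln "$d/orig" "$d/hard"
    echo "$d"
}

link_count()     { stat -c %h "$1"; }     # hard-link counter held in the inode
inode_of()       { stat -c %i "$1"; }
mode_of()        { stat -c %a "$1"; }     # the link itself (777 for a symlink)
effective_mode() { stat -L -c %a "$1"; }  # follows the symlink to its target

# Rename, then remove, the original name; report what each link still sees
break_original() {
    d="$1"
    mv "$d/orig" "$d/orig.renamed"
    [ -e "$d/soft" ] || echo "soft: dangling after rename ('ls -l' still lists it, open fails)"
    cat "$d/hard" >/dev/null && echo "hard: still readable after rename"
    rm "$d/orig.renamed"
    echo "hard: link count now $(link_count "$d/hard"), content: $(cat "$d/hard")"
}

D=$(make_links)
echo "orig inode $(inode_of "$D/orig") == hard inode $(inode_of "$D/hard"); link count $(link_count "$D/orig")"
echo "soft shows mode $(mode_of "$D/soft"); effective mode is the target's: $(effective_mode "$D/soft")"
chmod 644 "$D/hard"    # one inode: every name now reports 644
echo "after chmod via the hard link, orig is $(mode_of "$D/orig")"
break_original "$D"
```

The last line is the security point: after 'rm' of the original, the data is still fully readable through 'hard', and the chmod done through one name loosened every name. Deleting or tightening a sensitive file is only effective once its link count is 1.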

# SWAP #
Features:
1. Virtual memory - disk-based memory
2. Dedicate (preferred) partitions to SWAP mission
3. Use an existing FS: i.e. XFS, EXT4, etc. and provision a file-based SWAP area
4. SWAP remains a distinct FS type, despite the recent RHEL shift to XFS
Tasks:
1. Create additional SWAP space from a file using existing FS
a. 'dd if=/dev/zero of=/swap/swapfile1G-1 bs=1M count=1024' - creates a zeroed-out file as a basis with which to overlay an FS such as SWAP
a1. 'chmod 600 /swap/swapfile1G-1' - the swap file receives paged-out memory (passwords, keys); 'swapon' warns about anything more permissive
b. 'mkswap /swap/swapfile1G-1' - overlays SWAP FS on zeroed-out file
NOTE: A unique: UUID is auto-assigned, and may be referenced via: /etc/fstab
c. 'swapon /swap/swapfile1G-1' - enables the SWAP device dynamically
d. 'swapon -s' - displays current SWAP partitions
e. Update: '/etc/fstab' - '/swap/swapfile1G-1 swap swap defaults 0 0'
2. Dedicate partitions to the SWAP mission
a. Provision new partition && [reboot] - automatically recognized
b. Create primary partition and enable swapping (mkswap /dev/sdb1)
c. Enable Swapping: 'swapon /dev/sdb1'
d. 'blkid /dev/sdb1' - obtain UUID and commit to: /etc/fstab
e. 'swapoff /dev/sdb1 && swapon -a' - disables and re-reads from: /etc/fstab
f. 'swapon -s' - dump current SWAP configuration

# XFS #
Features:
1. New default for RHEL7
2. Supports:
a. Extension (growth) - NOT the ability to shrink
b. Freeze | Unfreeze - for snapshots
c. Backups | Restorations
d. Sub-second timestamps: currently = nanosecond || 10^-9 precision
d1. 'stat FILE' and peruse
e. Ability to separate the journal log from the data storage area - improves performance

Tasks:
1. Create extra XFS mounts on target systems
a. Provision storage: Virtual || Physical
b. Identify and partition
b1. 'fdisk -l' - this should reveal the new storage block: '/dev/sdc'
b2. 'parted /dev/sdc mklabel gpt'
b3. 'parted /dev/sdc mkpart 1 1 100%'
c. Overlay with XFS file system
c1. 'mkfs.xfs /dev/sdc1'
d. Mount and Use
d1. 'mkdir /projectx'
d2. 'mount /dev/sdc1 /projectx && df -h && dd if=/dev/zero of=/projectx/512M count=512 bs=1M && ls -lh /projectx'
e. Ensure mount persistence: /etc/fstab
e1. 'blkid /dev/sdc1' - obtain and use in: /etc/fstab
e2. 'umount /projectx && mount -a && df -h' - confirm that '/projectx' is available
e3. 'systemctl reboot || reboot'
NOTE: We prefer to reference the: UUID in: /etc/fstab || via user-space(CLI) because there are some instances where the kernel may relabel disks: i.e. /dev/sd{a,b,c,etc.} upon system invocation

# Logical Volume Management (LVM) #


Features:
1. Volume Sets
2. The ability to aggregate storage from disparate sources into potentially 1 large representation of Enterprise storage
3. Storage Hierarchy - Configuration
a. Physical Volumes (PVs) - distinct partitions/disks that will become part of a volume group
b. Volume Groups - represent one or more Physical Volumes (PVs) - serves as an abstraction of storage
c. Logical Volumes - Represent the fraction of storage upon which File Systems are overlaid
4. LVM Physical Volumes SHOULD be flagged as type 'lvm' by the partition manager: i.e. 'parted', 'fdisk', etc. ('pvcreate' does not require the flag, but it keeps the partition table honest for the next admin)
Tasks:
1. 6-Steps to setup LVM
a. Provision storage and create LVM partitions using: 'parted'
a1. Use Hypervisor tool to add new disks
a2. Use: 'parted' to create label: 'parted /dev/sdd mklabel gpt'
a2a. 'parted /dev/sdd mkpart 1 1 100%' - creates the partition to be flagged (as in the XFS section)
a3. 'parted /dev/sdd set 1 lvm on' - flags partition as type LVM
b. Create Physical Volume(s)
b1. 'pvcreate /dev/sdc1 /dev/sdd1 && pvdisplay'
c. Create Volume Group - assign PV(s) to the VG
c1. 'vgcreate volgroup001 /dev/sdc1 /dev/sdd1'
NOTE: Each Volume Group has its own hierarchy in the '/dev' tree: '/dev/volgroup001'
NOTE: Beneath which, are the distinct logical volumes (LVs), tied to the VG
d. Create Logical Volume (LV) - a representation of some(fraction) or ALL of the VG storage
d1. 'lvcreate -L 10GB volgroup001 -n logvol001'
d2. LVM creates this device for FS overlay: '/dev/volgroup001/logvol001'
e. Overlay our desired FS on the LV
e1. 'mkfs.{ext4,xfs} LV-Device'
f. Mount, Use, and ensure persistence
f1. 'mount /dev/volgroup001/logvol001 /projectx'
g. Create data | test I/O - using: 'dd'
NOTE: If you create identical files on different systems, so long as the inherent data are identically ordered and presented, the checksums will be identical
2. Rename a logical volume for repurposing
a. '/dev/mapper/volgroup001-logvol001' -> '/dev/mapper/volgroup001-projectx'
a1. 'lvrename volgroup001 logvol001 projectx'
NOTE: LVM renames the logical volume on-the-fly, however, the 'df -h' dump reflects the new name at the next mount|remount of the volume
3. Resize LVMs - this takes place at the logical volume level
a. 'lvresize -L 15GB /dev/volgroup001/projectx'
b. 'resize2fs /dev/volgroup001/projectx' - resizes online
b1. 'df -h' - confirm new storage
c. Resize XFS volume
c1. Clean-up existing configuration (DESTRUCTIVE: replaces the EXT4 FS and its contents with a fresh XFS FS)
c1a. 'umount /projectx'
c1b. 'mkfs.xfs -f /dev/volgroup001/projectx' - overlays NEW XFS FS
NOTE: At this point, the system generates a new UUID for the storage block
NOTE: Confirm with: 'blkid /dev/volgroup001/projectx'
NOTE: Update: /etc/fstab accordingly, then remount
c2. 'lvresize -L 15GB /dev/volgroup001/projectx'
c3. 'xfs_growfs /projectx' - resizes the MOUNTED FS on-the-fly, with 'df -h' updates automatically provided
4. Remove logical volumes with: 'lvremove'
5. We're out of space, extend volume group (vg) aggregate
a. provision storage via VM
b. partition && label as LVM
c. 'pvcreate /dev/sde1'
d. 'vgextend volgroup001 /dev/sde1'
e. 'vgdisplay' - should reflect new storage

# User & Group Management #


Features:
1. flat file: /etc/{passwd,group,shadow} DBs
2. Default set includes: 'root', daemons, services, utilities, and the first-user (created during installation)
Tasks:
1. 'ls -l /etc/{passwd,group,shadow}
2. 'cat /etc/passwd'
'linuxcbt:x:1000:1000:LinuxCBT User:/home/linuxcbt:/bin/bash'
'root:x:0:0:root:/root:/bin/bash'
UID=0GID=0 - special reservation for 'root'
Accounts with: UID|GID=[1-999] are reserved for system/daemons/utilties/etc.
Key fields in: /etc/passwd
login name:x(shadow reference(/etc/shadow)):UID:GID:Description:$HOME:$SHELL
Key fields in: /etc/shadow
linuxcbt:$6$1u30enqi1ioWNmGv$QbzeBc21/73wkKmENPRRdhDHA.zltwKsVrQVj0tFTdBDaQ8rt0PXspwm6z/0hdUb/m7i4N47Q5Jo6tphnZrDX/:16400:0:99999:7:::
login name:
encrypted password ('$6$' = SHA-512 crypt; '!' or '*' = locked; EMPTY = no password required):
Days since Unix epoch, that the password was last changed:
Days before password may be changed (0=anytime):
Days after which password must be changed (99999 = effectively never; set this to 45-days):
Days before password is to expire that user is warned:
Days after password expires that account is disabled:
Days since Unix epoch, on which the account expires (is disabled):
Reserved field
Key fields in: /etc/group
linuxcbt:x:1000:linuxcbt
group name (typically the same as the login name: a User Private Group (UPG) is created per user):
group shadow reference:
GID:
member(s)
Tools:
1. 'useradd'
a. 'useradd -g linuxcbt2 -G wheel -m linuxcbt2'
b. 'groupadd -g 1001 linuxcbt2 && useradd -g linuxcbt2 -G wheel,projectx -m linuxcbt2 && passwd linuxcbt2'
NOTE: 'wheel' is the group that '/etc/sudoers' trusts by default on EL-7 ('%wheel ALL=(ALL) ALL'); add users to it deliberately
2. 'usermod'
3. 'userdel'
4. 'groupadd'
a. 'groupadd linuxcbt2'
5. 'groupmod'
a. 'nano /etc/group'
NOTE: You may have to re-initiate existing $SHELLs for the new group membership to be reflected
6. 'groupdel'
NOTE: Regardless of whether directory services are used, 'root' and basic system
accounts are ALWAYS defined in: /etc/{passwd,shadow,group,gshadow}
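
The field layout above is what an account audit has to read. The following script is an added example for this section, not part of the LinuxCBT notes: it writes constructed 'passwd' and 'shadow' samples (fake, truncated hashes) to a temporary directory and flags extra UID 0 accounts, empty password fields, MD5/DES hashes, and interactive accounts whose password never expires. The sample account names ('backdoor', 'svc') are invented for the demonstration; run it against /etc as 'root' to audit a real system.

```shell
#!/bin/bash
# Added example (not from the course): audit passwd/shadow-format data for the weaknesses the
# field layout makes visible. Works on CONSTRUCTED sample files, so it runs unprivileged.

make_sample_account_db() {
    # $1 = directory; writes constructed 'passwd' and 'shadow' files (hashes are fake, truncated values)
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
linuxcbt:x:1000:1000:LinuxCBT User:/home/linuxcbt:/bin/bash
backdoor:x:0:0:second uid 0:/tmp:/bin/bash
svc:x:1001:1001:service account:/opt/svc:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$1u30enqi1ioWNmGv$QbzeBc21fakefake:16400:0:99999:7:::
bin:*:16400:0:99999:7:::
ftp:*:16400:0:99999:7:::
linuxcbt:$6$saltsalt$fakehashfakehash:16400:0:45:7:::
backdoor::16400:0:99999:7:::
svc:$1$saltsalt$fakemd5hash:16400:0:99999:7:::
EOF
}

# audit_accounts DIR: one "FINDING:" line per issue on stderr; the number of findings on stdout.
audit_accounts() {
    local dir=$1 n=0
    local name uid shell hash max

    # 1. Any UID 0 account is root, whatever it is called.
    while IFS=: read -r name _ uid _ _ _ shell; do
        if [ "$uid" -eq 0 ] && [ "$name" != root ]; then
            echo "FINDING: extra UID 0 account: $name" >&2; n=$((n + 1))
        fi
    done < "$dir/passwd"

    # 2. Shadow fields: login:hash:lastchg:min:max:warn:inactive:expire:reserved
    while IFS=: read -r name hash _ _ max _ _ _ _; do
        shell=$(awk -F: -v u="$name" '$1 == u { print $7 }' "$dir/passwd")
        if [ -z "$hash" ]; then
            echo "FINDING: empty password field (no password needed): $name" >&2; n=$((n + 1))
            continue
        fi
        case $hash in
            '!'*|'*'*) continue ;;                 # locked: nothing more to check
            '$1$'*)    echo "FINDING: weak MD5 hash: $name" >&2; n=$((n + 1)) ;;
            '$'*)      ;;                          # $5$ / $6$ = SHA-256 / SHA-512, fine
            *)         echo "FINDING: legacy DES hash: $name" >&2; n=$((n + 1)) ;;
        esac
        # an interactive shell whose password never expires (max age empty or 99999)
        case $shell in /sbin/nologin|/bin/false|'') continue ;; esac
        if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
            echo "FINDING: password never expires: $name" >&2; n=$((n + 1))
        fi
    done < "$dir/shadow"
    echo "$n"
}

# Demo run against the constructed files.
demo_dir=$(mktemp -d)
make_sample_account_db "$demo_dir"
audit_accounts "$demo_dir"
rm -rf "$demo_dir"
```

On the sample this reports five findings: the second UID 0 account, its empty password field, the MD5 hash on 'svc', and the never-expiring passwords of 'root' and 'svc'. Locked system accounts ('*', '!') are deliberately skipped.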

# Cron - Scheduler #
Features:
1. Scheduler
2. Runs jobs on schedule:
a. minute, hour, day of month, month, day of week (there is NO year field)
3. Assumes computer is always on, unlike: anacron
4. Global schedule: /etc/crontab && /etc/cron* (include directories)
5. Individual schedules: /var/spool/cron - one is stored per user - crontabs
6. Checks ALL config files every minute, including: /etc/anacrontab
7. 'crontab' - used to modify a user's cron table entries
a. 'root' may use this tool to manage other user's cron tables
b. per-user may use this tool to manage their own cron table: /var/spool/cron/$USER
8. Permit -> /etc/cron.allow
9. Deny -> /etc/cron.deny
NOTE: If /etc/cron.allow exists, ONLY the users listed in it may use 'crontab'; otherwise users listed in /etc/cron.deny are refused. 'root' is never restricted by these files
Tasks:
1. '/etc/crontab' - discuss the entries
a. Minute(0-59) - i.e. 31, 1,11,21, 10,33,58, 10-23, */1, */5
b. Hour(0-23) - similar subdivision values apply. i.e. */2, 0,4,12
c. Day of the month(1-31)
d. Month (1-12)
e. Day of the week (Sun,Mon,Tue||0-7)
NOTE: 'cronie' (Vixie cron) on EL-7 treats both 0 and 7 as Sunday; other cron implementations may not accept 7 at all, so consult the cron documentation per system

2. Simple 'uptime' script


a. create simple BASH script and test from $SHELL
b. 'crontab -e' - edit your own (non-privileged $USER's crontab)
b1. make reference to absolute PATH of job
c. Extract simple metrics from cron-collected data:
'awk '{ print $6,$10,$11,$12 }' 20141208.linuxcbtel7desk1.linuxcbt.internal.uptime.log | sed -e 's/,//g''
This extracts the current user count and the 1,5,15-minute load averages, and removes the superfluous ',' characters from the data
NOTE: The 'crontab' utility is the only way for a non-privileged $USER to modify their crontab, as the actual crontab files in: /var/spool/cron are readable only by 'root'
d. Modify crontab as 'root' because job runs too frequently
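
An added example tying the cron material together (it is not from the course): a small auditor for lines in system-crontab format (/etc/crontab, /etc/cron.d/*), run here against a constructed file with invented entries. It flags commands given by a relative PATH (cron's PATH is minimal, so a bare name resolves against whatever 'PATH=' the crontab sets) and jobs that fire every minute, the case step d above has 'root' correct.

```shell
#!/bin/bash
# Added example (not from the course): audit entries in system-crontab format
# (min hour dom mon dow USER command). Runs against a CONSTRUCTED file; point it at
# /etc/crontab or a file in /etc/cron.d on a real host.

make_sample_crontab() {
    cat > "$1" <<'EOF'
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# min hour dom mon dow user command
01 * * * * root run-parts /etc/cron.hourly
*/1 * * * * linuxcbt /home/linuxcbt/uptime.sh
0 2 * * 0 root /usr/sbin/logrotate /etc/logrotate.conf
EOF
}

# audit_crontab FILE: one "FLAG:" line per finding on stderr; the number of findings on stdout.
audit_crontab() {
    local file=$1 count=0
    local line min user cmd first
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac              # blank lines and comments
        if printf '%s\n' "$line" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*='; then
            continue                                         # environment assignments (SHELL=, PATH=, MAILTO=)
        fi
        set -f                     # no globbing: '*' is a cron wildcard, not a file pattern
        # shellcheck disable=SC2086
        set -- $line
        set +f
        if [ $# -lt 7 ]; then
            echo "FLAG: malformed entry: $line" >&2; count=$((count + 1)); continue
        fi
        min=$1 user=$6; shift 6; cmd=$*; first=${cmd%% *}
        case $first in
            /*) ;;
            *)  echo "FLAG: relative command '$first' for user $user: $cmd" >&2; count=$((count + 1)) ;;
        esac
        case $min in
            '*'|'*/1') echo "FLAG: runs every minute for user $user: $cmd" >&2; count=$((count + 1)) ;;
        esac
    done < "$file"
    echo "$count"
}

# Demo run against the constructed crontab.
demo=$(mktemp)
make_sample_crontab "$demo"
audit_crontab "$demo"
rm -f "$demo"
```

On the sample this flags 'run-parts' (relative name) and the '*/1' uptime job; the logrotate entry passes. Per-user crontabs in /var/spool/cron have no USER field, so drop the 'shift 6' to 'shift 5' to audit those.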
#Syslog#
Features:
1. Logs daemon information as well as potentially other sources of data: i.e. networked devices, remote systems, etc.
2. Supports:
a. Unix Domain Sockets (/dev/log)
b. Internet sockets using: UDP:514 || TCP:514
3. Ability to log to local and remote targets (@hostname) simultaneously
NOTE: Possible Syslog setups in your Prod environment:
a. ALL interconnected devices (routers|switches|firewalls), log to 1 Syslog node, and that node replicates the logs to 1 or more other Syslog nodes
b. ALL interconnected devices log to 2 or more Syslog nodes simultaneously
4. Default configuration accepts messages on: UDS but NOT on Internet socket
5. Implemented as 'rsyslog'
6. '/etc/rsyslog.conf'
7. RPM = rsyslog
8. In-built rules mechanism routes incoming messages accordingly
a. Facilities - source of information: i.e. mail, local0-7, auth, etc.
b. Levels (severities) - importance of the incoming message - numbered 0(emerg)-7(debug): the LOWER the number, the MORE severe
b1. Emerg(0), Alert(1), Crit(2), Err(3), Warning(4), Notice(5), Info(6), Debug(7)
NOTE: You typically want to capture messages at: Warning(4) and more severe
NOTE: Message collection is cumulative up-the-chain:
i.e. a selector at the Warning level ('facility.warning') also captures the more severe levels (err, crit, alert, emerg), but not the less severe levels: notice, info, debug
NOTE: This reduces the verbosity and overall data storage requirements by sending only 'important' messages.
Tasks:
1. Look at primary config file: '/etc/rsyslog.conf'
a. RULES Section
a1. Left side -> Facilities.Levels
a2. Right side -> Destinations
b. 'systemctl restart rsyslog && netstat -nultp | grep 514' - confirm TCP && UDP bindings (these exist only once the 'imudp' and/or 'imtcp' module lines are uncommented in '/etc/rsyslog.conf'; leave them off unless this node is meant to be a collector, and firewall UDP/TCP:514 to known senders)
NOTE: '/var/log/messages' -> catchall, so, messages coming from devices that log at the .info level and more severe, will be logged here as well. i.e. an infrastructure device logs to both its own file and: /var/log/messages
NOTE: To prevent double-logging, add an exclusion such as 'local4.none' to the primary catchall rule that routes messages to: /var/log/messages: i.e. '*.info;mail.none;authpriv.none;cron.none;local4.none /var/log/messages'

c. Create 2 new rules to send messages to: linuxcbtel71 && linuxcbtcent71


NOTE: The default catchall rule is '*.info;mail.none;authpriv.none;cron.none', i.e. all messages at info and more severe, except the mail, authpriv and cron facilities (which have their own files)
d. Alter both rules to ensure that ALL messages, from ALL facilities at level=info and higher (more severe), are duplicated to both nodes: '*.info @linuxcbtel71' and '*.info @linuxcbtcent71' (a single '@' forwards via UDP:514, '@@' via TCP:514)
NOTE: Once you have designated 1 or more central Syslog systems, be prepared to parse the aggregated data
NOTE: This is why Syslog messages typically include: HOSTNAME, to help identify the source of messages
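
The facility/level numbering above is easy to get backwards, so here is an added example (not from the course) that works it through in code: decoding the <PRI> value carried at the front of a raw syslog message on the wire, and evaluating whether a selector in '/etc/rsyslog.conf' syntax would route that message. The sample messages and the router name are constructed.

```shell
#!/bin/bash
# Added example (not from the course): decode the <PRI> prefix of a raw syslog message into
# facility.severity, and decide whether a classic rsyslog selector (the left-hand side of a
# rule in /etc/rsyslog.conf) would route it. PRI = facility*8 + severity, with severities
# numbered 0=emerg ... 7=debug.

severity_name() {
    case $1 in
        0) echo emerg ;; 1) echo alert ;; 2) echo crit ;; 3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;; 7) echo debug ;;
        *) return 1 ;;
    esac
}

severity_num() {
    case $1 in
        emerg|panic) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

facility_name() {
    case $1 in
        0) echo kern ;; 1) echo user ;; 2) echo mail ;; 3) echo daemon ;; 4) echo auth ;;
        5) echo syslog ;; 6) echo lpr ;; 7) echo news ;; 8) echo uucp ;; 9) echo cron ;;
        10) echo authpriv ;; 11) echo ftp ;;
        16) echo local0 ;; 17) echo local1 ;; 18) echo local2 ;; 19) echo local3 ;;
        20) echo local4 ;; 21) echo local5 ;; 22) echo local6 ;; 23) echo local7 ;;
        *) return 1 ;;
    esac
}

# decode_pri '<165>Dec  8 10:00:00 host prog: text'  ->  local4.notice
decode_pri() {
    local msg=$1 pri fac sev
    case $msg in '<'*'>'*) ;; *) return 1 ;; esac
    pri=${msg#<}; pri=${pri%%>*}
    case $pri in ''|*[!0-9]*) return 1 ;; esac      # PRI must be decimal digits
    [ "$pri" -le 191 ] || return 1                  # 23*8+7 is the largest legal value
    fac=$(facility_name $((pri / 8))) || return 1
    sev=$(severity_name $((pri % 8))) || return 1
    echo "$fac.$sev"
}

# selector_matches SELECTOR MESSAGE: exit 0 if rsyslog's "facility.level" rule would fire for
# the message. A plain level means "that level and MORE severe"; '=level' means exactly that
# level; 'none' never matches; '*' matches any facility.
selector_matches() {
    local sel=$1 msg=$2 fac lvl exact=0 mfs mfac msev want have
    fac=${sel%%.*}; lvl=${sel#*.}
    mfs=$(decode_pri "$msg") || return 2
    mfac=${mfs%.*}; msev=${mfs#*.}
    [ "$fac" = '*' ] || [ "$fac" = "$mfac" ] || return 1
    [ "$lvl" = none ] && return 1
    case $lvl in =*) exact=1; lvl=${lvl#=} ;; esac
    want=$(severity_num "$lvl") || return 2
    have=$(severity_num "$msev")
    if [ "$exact" -eq 1 ]; then
        [ "$have" -eq "$want" ]
    else
        [ "$have" -le "$want" ]                     # lower number = more severe
    fi
}

# Demo: a router logging at local4.notice is NOT caught by 'local4.warning' but IS by '*.info'.
msg='<165>Dec  8 10:15:01 linuxcbtrouter1 ntpd[412]: clock step'
decode_pri "$msg"
selector_matches 'local4.warning' "$msg" && echo match || echo 'no match'
selector_matches '*.info' "$msg" && echo match || echo 'no match'
```

<165> is 20*8+5, i.e. local4.notice, which is why a 'local4.warning' rule drops it while the '*.info' catchall keeps it; a sender that wants its notices kept must either lower the rule's threshold or raise the severity it logs at.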

# LogRotate #
Features:
1. System-wide log-rotation capability
2. Archival capabilities
3. Rules-driven:
a. '/etc/logrotate.d' - N number of rules governing various LOG files
b. '/etc/logrotate.conf' - catchall of options and includes: '/etc/logrotate.d' entries
c. Segments logs: i.e. MAIL, LOCAL, USER, etc.
c1. Logrotate focuses on a discrete set of files, NOT SYSLOG facilities
NOTE: SYSLOG handles the routing of data to target files
NOTE: LOGROTATE merely manages those files
4. Implemented as 'logrotate' package
5. Run daily (/etc/cron.daily/logrotate) by cron
6. Rotation is driven by:
a. Size: i.e. 100k, 100MB, 100GB
b. Time: i.e. daily, weekly, monthly, yearly
7. Both critera: time and size can be specified simultaneously
NOTE: The first to be realized (time or size) is honored
Tasks:
1. Examine current configuration
a. '/etc/logrotate.conf'
b. '/etc/logrotate.d'
b1. daemon-specific log files rules
NOTE: values not explicitly defined: i.e. 'dateext', or otherwise, at the scope
level of the file, are inherited from the 'global' superscope.
2. Make a few tweaks along the way
a. Change 'syslog' rotation frequency to: 'daily' vs. 'weekly'
b. Enable compression across ALL files
3. Execute 'logrotate'
a. 'sudo logrotate -v -f /etc/logrotate.conf'
NOTE: 1 important reason to ALWAYS compress your logs during rotation is to minimize the effect of DOS/DDOS attacks (and other log floods) on available storage (/var), especially where /var is on the '/' mount point

NOTE: logrotate will eventually delete rotated logs per the 'rotate N' count defined in the rules, so be sure to archive them elsewhere beforehand if retention is required (forensics, compliance)
NOTE: Any file that is SYSLOG-handled (LOG file is created by SYSLOG), place its rule within the: /etc/logrotate.d/syslog file to reduce the number of instances of SYSLOG reload
NOTE: logrotate is a binary invoked by cron, not a daemon; it is resident in the process table only when called
NOTE: Daily, weekly, monthly jobs are now handled by Anacron: /etc/anacrontab

#Common Network Utilities#


Features:
1. Gather diagnostics
2. Ascertain node names and locations
3. Connectivity L2/L3 information
4. Path between interconnected nodes
5. Put/Fetch files/content from remote systems
6. Ability to sync content across local/remote directories
Tasks:
1. PING - 'ping'
a. 'ping 192.168.75.1' - returns connectivity health between nodes
NOTE: Look for a large STDEV/jitter across the round-trip times of packets sent/received, as it indicates connectivity issues
b. 'ping -c 3 192.168.75.1'
NOTE: If ICMP echo-reply/request are filtered then PING will fail you
2. ARP - Address Resolution Protocol
a. 'arp -a' - displays the ARP cache: nodes on your subnet seen recently (entries age out after a period of time); 'ip neigh' is the iproute equivalent
b. 'rarp' - where available, resolves a known MAC address to its current L3 address
3. Traceroute && MTR - Returns hops between 2 Nodes
a. 'traceroute www.linuxcbt.com' - one-off dump of path
b. 'mtr www.linuxcbt.com' - returns more useful data, and is refreshed constantly
4. Name Resolution Tools
a. 'nslookup' - returns basic answers to queries
a1. 'nslookup www.linuxcbt.com'
b. 'dig'
b1. 'dig @192.168.75.101 www.linuxcbt.com' - queries a specific resolver and provides more data
b2. 'dig @192.168.75.101 -x 144.76.77.83'
c. 'host www.linuxcbt.com'
d. 'whois linuxcbt.com' - finds IP/Domain ownership information
e. 'whois 144.76.77.83' - returns IP ownership info - typically the HOST
5. 'curl'
a. 'curl http://192.168.75.101/index.html' - dumps remote content to STDOUT
NOTE: By dumping to STDOUT, you can quickly query multiple servers to check possibly for corrupt content, because 'curl' supports multiple URLs and URL globbing: i.e. 'curl http://192.168.75.{101,102}/index.html'
b. 'curl -O http://192.168.75.101/test.data' - pulls the file to a locally-named equivalent

6. 'wget' - pulls content from remote sources


a. 'wget http://192.168.75.101/test.data'
NOTE: unlike 'curl', wget auto-stores content locally with an equivalent name, unless otherwise specified
b. 'wget http://192.168.75.101/index.html'

# Time Administration #
Features:
1. Time synchronization && administration
a. Default includes: 'chronyd', which synchs the local system against various sources
NOTE: Sources can be: external clocks, NTP, manual time config via: 'chronyc'
NOTE: 'chronyc' by default is limited to localhost connections; 'chronyd' may be configured ('cmdallow' in /etc/chrony.conf) to accept remote command connections using IP-based security
NOTE: 'chronyd' works well in virtualized, intermittently connected situations
b. Drop-in replacement for NTPD - 'rpm -ql chrony'
b1. Currently, 'chronyd' supports NTPv3 only
c. Only replace with NTP if permanently connected/enabled
d. Currently, symmetric keys for time-synch security is supported
Usage:
1. 'timedatectl'
2. 'timedatectl list-timezones'
3. 'timedatectl set-timezone Asia/Tokyo'
4. 'systemctl reboot && timedatectl '
NOTE: Local time offset is merely used for display purposes. i.e. time values are stored using UTC
5. 'timedatectl set-ntp 1' - enable NTP synch
'chronyd' config
a. '/etc/chrony.conf'
a1. 'allow 192.168.75.0/24'
a2. 'local stratum 1' - serve time to clients even when NOT synchronised upstream; the low stratum makes NTP clients favour this clock, so use a value this low only with a genuine reference clock (chrony's default for 'local' is 10)
a3. 'sudo systemctl restart chronyd'
b. Point NTP clients to this instance
NOTE: Ensure that 'firewalld' (or iptables) is NOT blocking UDP:123 (it is blocked by Default in the 'public' zone)
NOTE: Current time administration involves largely:
1. 'timedatectl'
2. 'chronyd' && possibly 'chronyc' (if one-off time configs are required)
NOTE: IF your system(s) is isolated, then the use of 'chronyc' becomes important
NOTE: IF you replace 'chronyd' with 'ntpd', you will lose the rapid time updates that are applied to your node
# YUM Package Management #
Features:
1. RPM overlay
a. Robust package management: analogous to 'apt-get'
2. Package life cycle
a. Search
b. Install
c. Update (Individual || Group )
d. Remove
3. Dependencies are auto-resolved: i.e. 'apt-get'
4. Supports Package Groups
a. i.e. Security, etc.
5. Supports Repositories - containers of various packages: typically online
a. Security updates
b. New packages
c. Original (Distribution) packages
NOTE: RedHat 7 HOST requires subscription to use RedHat Repository
NOTE: CentOS is preconfigured with online Repos
6. Transaction history maintained: 'yum history...'
7. Ability to enable|disable Repos on-the-fly
Basic Commands | Usage:
a. 'yum list [installed|available]' - dumps currently-installed packages - supports globbing
a1. 'yum list wge\*'
b. 'yum group list [ids]'
NOTE: If your system currently has NO Repos defined, then the 'Available' list will not be reflected. In this case, 'yum' can only work with the local DB
NOTE: 'ids' option returns $SHELL-friendly package group names for usage during package life-cycle
c. 'yum info package_name'
d. 'yum group info security'
e. 'yumdb info package_name' - returns local metadata - purpose, checksum, installer, repository, etc. - ancillary, but possibly important metadata
f. 'yum repolist [all]' - dumps enabled [all] configured Repos - '/etc/yum.repos.d/*.repo'
f1. '[all]' - option returns ALL enabled|disabled repositories
g. 'yum search wget' - searches 'name' and 'summary' fields for package details
g1. 'yum search wget lftp curl' - searches for multiple packages
h. 'yum provides /usr/bin/sha256sum' - same as: 'rpm -qf /usr/bin/sha256sum'
i. 'sudo yum remove lftp'
j. 'sudo yum -y install lftp'
NOTE: 'uname -a' reveals the current platform: i686 | x86_64
NOTE: 'yum' defaults to installing the package that matches your platform
k. 'sudo yum -y install lftp.i686' - forces the installation of the i686 version of 'lftp' and any needed RPMs
Updates:
a. 'yum check-update' - search for ALL available updates
b. 'yum [-y] update' - updates ALL updatable packages
NOTE: Isn't always desirable
c. 'yum [-y] update package[s]...' - updates specified package[s]
c1. 'yum -y update openssl wget' - selective updates
#YUM Repositories#
Features:
1. Centralized access to content (RPM packages)
a. Network-based
2. Can be: local (file://), remote (http://) || (ftp://)
3. Serves various packages:
a. 'base'
b. 'extras'
c. 'plus'
d. 'updates'
NOTE: These are merely directory trees off the main repository tree
NOTE: Each contains a 'repodata' directory (metadata generated by 'createrepo') and the RPMs
NOTE: The client-side .repo file (in /etc/yum.repos.d) describes where that tree is and whether signature checking is enforced ('gpgcheck=1')
e. i.e. 'http://mirror.centos.org/centos/7/' - explore this tree
NOTE: RedHat systems require a subscription to use 'their' CDN for updates, etc.
NOTE: The various branches on repositories are specified in the YUM config files
4. Primary YUM config file: '/etc/yum.conf'
a. Sets globals
b. Includes Repos from: '/etc/yum.repos.d'
5. 'yum repolist' - enumerates enabled Repos
a. You may enable/disable Repos as needed
6. Packages can be flagged to 'install' only and not 'update'
7. 'yum-config-manager' - dumps the current configuration, and allows Repo administration
Tasks:
1. 'yum-config-manager [section[s]]'
2. Install YUM Repo
a. One option is to dump the contents of the largest ISO image to a web-accessible instance
b. Second option is to use the 'createrepo' RPM to setup a tree
3. Commence installation
a. Obtain ISO image and mount and copy contents to a tree somewhere (i.e. staging)
b. Ensure that the 'createrepo' RPM is installed as it provides us with the 'createrepo' utility
NOTE: 'createrepo' may be run from other distros
NOTE: 'createrepo' generates the 'repodata' metadata tree (repomd.xml, etc.) that clients consume; the client-side '.repo' file is written separately, i.e. by 'yum-config-manager --add-repo'
c. Ensure the directory tree, with its 'repodata', is in a web-accessible location
d. Add the repository to 1 or more clients and use
NOTE: Ensure that you have a valid RedHat subscription or find a third-party provider of the 'updates' branch
d1. 'sudo yum-config-manager --add-repo http://192.168.75.101/RHEL/7'
NOTE: 'yum-config-manager' merely writes the '.repo' file to: '/etc/yum.repos.d'
NOTE: Add GPG key as follows: 'rpm --import http://192.168.75.101/RHEL/7/RPM-GPG-KEY-redhat-release' - then confirm the imported key's owner and key ID ('rpm -qi gpg-pubkey-*') against the vendor's published key before relying on 'gpgcheck=1'; a key fetched over plain HTTP is only as trustworthy as that check
# IP Administration #
Features:
1. DHCP - 'dhclient' is invoked to manage interface(s)
2. Static - settings are stored in interface configuration file: /etc/sysconfig/network-scripts
3. Both (Dynamic and Static)
4. Temporary configurations
5. Virtual interfaces - Potentially multiple L3 addresses (IPv[4|6])
6. With this release a more complex set of logic is used to promote persistent NIC nomenclature, with the ultimate fallback resorting to: eth0-N
7. 'NetworkManager' is the primary manager of interfaces
NOTE: If changes are not noticed, try restarting this daemon: 'systemctl restart NetworkManager'
8. '/etc/init.d/network' - is still applicable - legacy purposes
9. '/etc/init.d/network' && 'NetworkManager' services work in conjunction to manage interfaces, routes, and various network configuration items by consulting one another to avoid conflict
Management Tools
1. 'nmtui*' - $SHELL(curses)-based - current limitations: Edit of VPNs, WiFi/WPA, 802.1x connections
2. 'nmcli' - FULL(capable of administering ALL network areas) CLI-suite
3. 'control-center' - GUI - Press 'Super' key - then type:
a. 'control network'
b. 'nm-connection-editor'
Key Directories and Files:
1. 'lspci' - lists PCI-connected devices
2. '/etc/sysconfig/network-scripts' - interface configuration, control and network functions files
3. '/etc/sysconfig/network' - system-wide(global) settings file: i.e. hostname, gateway(Default)

Tasks:
1. 'lspci' - identify available NIC(s)
2. 'dmesg' - reflects last-boot detected hardware
3. 'lsmod | grep e100' - check Kernel driver/module
4. 'ifconfig' - dumps current configuration including default IP address assignment
a. 'DEV' - useful with other commands: i.e. 'ip'
b. MAC Address information
c. MTU
d. Data in/out
e. Error information
NOTE: 'ifconfig' (net-tools) is still shipped in EL-7 but deprecated; do not use it for general IP administration
NOTE: Use: 'ip' command and its sub-commands to manage network details including IP, etc.
5. '/etc/sysconfig/network' - global settings
6. '/etc/sysconfig/network-scripts' - interface configuration
a. 'ifcfg-lo' - loopback (mandatory) virtual interface
b. 'ifcfg-DEV(s)' - various devices: i.e. ethernet/gigabit interface(s)

7. 'nmtui*' - $SHELL management tools


a. 'nmtui' - 'Edit connection' - lists available interfaces, sans 'lo'
a1. Add Static address to DHCP configuration: '/etc/sysconfig/network-scripts/ifcfg-DEV'
NOTE: 'ifcfg-DEV' file has been updated, but 'NetworkManager' has NOT been notified
a2. 'sudo systemctl restart NetworkManager && ping -c 3 192.168.75.140' - works!
NOTE: This is NOT necessarily a bad thing, as we can inadvertently disconnect ourselves remotely by mucking around with IP settings
NOTE: Now, the system is configured in 'Hybrid' mode: DHCP and Static
NOTE: 'ifconfig' reflects only the primary address, NOT the newly-attached address ('ip addr' shows both)
NOTE: 'nmtui*' changes are permanent - because they update the config files
8. 'ip'
a. 'ip addr [show]' - reveals ALL configuration
b. 'sudo ip addr add ADDR/PREFIX dev DEV' - adds, on-the-fly, a temporary IPv4 address (lost at reboot or when 'NetworkManager' re-applies the interface config)
b1. 'sudo ip addr add 192.168.75.141/32 dev eno16777736'
c. 'sudo ip addr del ADDR/PREFIX dev DEV'
c1. 'sudo ip addr del 192.168.75.141/32 dev eno16777736'
9. Add a range of addresses (192.168.75.150-159) to our server
a. 'for i in `seq 150 159`; do sudo ip addr add 192.168.75.$i/32 dev ens32; done'
10. Update: '/etc/sysconfig/network-scripts/ifcfg-DEV' to include new addresses (IPADDR1=..., PREFIX1=..., etc.) so that they persist
11. Drop/Del addresses on-the-fly
a. 'for i in `seq 150 159`; do sudo ip addr del 192.168.75.$i/32 dev ens32; done'
12. Add secondary NIC via VMWare
a. 'ifconfig'
b. 'nmtui'
NOTE: A reboot may be necessary to enable the interface on some systems

# DHCP Server #
Features:
1. Auto-configuration of IP-based client
Tasks:
1. Installation of DHCP Server
a. 'yum search dhcp' - 'dhcp.x86_64' + helper packages
a1. 'sudo yum install dhcp'
NOTE: Post-installation, DHCPD does not auto-start because it is absent of a configuration
b. Copy sample '/usr/share/doc/dhcp-4.2.5/dhcpd.conf.example' -> '/etc/dhcp/dhcpd.conf'
b1. 'sudo cp -v /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf'
c. Peruse and modify this sample file to suit our network
NOTE: Our nodes are multihomed, however, DHCPD will only serve on subnets to which:
1. it is connected
2. Has a 'subnet' declaration in the configuration file
NOTE: To ensure that DHCPD does NOT service unauthorized subnets, override the 'systemd' unit for DHCPD (copy '/usr/lib/systemd/system/dhcpd.service' to '/etc/systemd/system/' and append the interface name(s) to 'ExecStart', then 'systemctl daemon-reload') to ensure that it binds to the desired interface(s)
NOTE: This is the equivalent of forcing the daemon to listen on a specific address: i.e. MTA
c1. Modify sample configuration to suit our: 192.168.76.0/24 subnet
NOTE: Any directive listed outside of curly braces '{}' is a global/system-wide directive: i.e. 'domain-name' && 'domain-name-servers', etc.
NOTE: Often times, in organizations, ALL nodes belong to a common domain name: i.e. 'linuxcbt.internal', however, if departments have distinct sub-domains, then use the 'domain-name' option at the subnet scope level: i.e. 'option domain-name "dev.linuxcbt.internal";', 'option domain-name "sales.linuxcbt.internal";'
NOTE: This will ensure that each department's unique domain name is served accordingly on a per-subnet basis
NOTE: The same applies to other resources: i.e. 'option domain-name-servers'
NOTE: Somewhere between the: 'default-lease-time' and 'max-lease-time' the client and server agree on the actual lease time: the client may request a lease length, the server grants the default when it does not, and never more than the maximum
NOTE: DHCPD defaults to logging via the 'local7' facility, which rsyslog's catchall rule sends to /var/log/messages; change the facility ('log-facility' directive) to redirect it to another file
NOTE: Clean-up the file and include only the absolutely required directives
NOTE: Clean-up file and include the absolute required directives
d. Attempt to start DHCPD
d1. 'systemctl start dhcpd'
d2. 'sudo netstat -nulp | grep 67'
'udp 0 0 0.0.0.0:67 0.0.0.0:* 24708/dhcpd'
DHCPD uses both: UDP:67(Server) and UDP:68(Client)
e. Ensure that at least 1 DHCP client exists in the served subnet(s)
e1. RHEL-7 Server will function as client
NOTE: the server's secondary interface is still not configurable via 'nmtui'
NOTE: One workaround is to copy the interface config file of an existing interface and modify it
f. Check DHCPD footprint: '/var/lib/dhcpd/dhcpd.leases' - leases are stored here
NOTE: If problems activating interface(s), simply resort to the $SHELL, and copy an existing interface configuration and modify accordingly
g. Ensure that DHCPD is enabled upon system reboot
g1. 'sudo systemctl enable dhcpd'
h. Redirect 'local7' LOG - it pollutes both: /var/log/boot.log and /var/log/messages
h1. 'sudo nano /etc/dhcp/dhcpd.conf' -> 'log-facility local6;' - change facility
h2. 'local6.none' -> add exception to the catchall rule in -> '/etc/rsyslog.conf', plus a rule routing 'local6.*' to its own file

#DNS#
Features:
1. Name-to-IP(Forward) and IP-to-Name(Reverse) resolution
NOTE: Overwhelmingly, humanity performs 'Forward' queries because it is natural and easier to remember
Tasks:
1. Search and Install BIND as Caching-Only Server
a. 'yum search bind dns' -> 'bind.x86_64'
b. 'sudo yum install bind'
2. Explore
a. '/etc/named'
a1. '/etc/named.conf'
a2. '/var/named' - top-level directory for:
a2a. 'chroot' environment ('/var/named/chroot', when the 'bind-chroot' package is installed)
a2b. 'slaves' zone(s)
a2c. master zone(s) (typically placed directly in '/var/named')
a2d. Default (loopback, localhost, root DNS servers, etc.)
3. Start Caching-Only Server
a. 'systemctl restart named && netstat -nulp | grep 53' - started and bound to: loopback
b. bind BIND to ALL addresses: '/etc/named.conf' -> 'listen-on port 53 { any; };'
c. Update query permissions in: '/etc/named.conf'
'allow-query { 127.0.0.1; 192.168.75.0/24; };' - this allows loopback and the local subnet to query
NOTE: Keep 'allow-query' and 'recursion' restricted to the networks you serve; an open recursive resolver is abused for DNS amplification attacks
NOTE: Earlier, when we provisioned the '192.168.76.122' address, it was applied with a '/32' prefix, so no on-link route exists for that subnet and the node cannot reach its neighbours via that address
4. Primary Service/Zone Hosting
a. 'linuxcbt.internal' - fictitious, internal zone
NOTE: Use whenever possible, existing, properly configured BIND zones: i.e. linuxcbt.internal
b. Examine and copy the current configuration from Ubuntu instance
c. Update the BIND DB: db.linuxcbt.internal to reflect current conditions: i.e. SOA, NS and various A records
d. Update: '/etc/named.conf' to reference the new zone as a primary zone
e. Adjust zone file as needed: combination of too high serial value and domain SOA descriptor
5. Perform queries
a. 'dig @192.168.75.121 linuxcbtrouter1.linuxcbt.internal'
6. Alter TTLs on records: SOA and 'linuxcbtrouter1'
a. 'TTL 3600'
b. '60'
7. Create another primary zone based on working zone: linuxcbt.internal
a. 'linuxcbt.external'
b. 'dig @192.168.75.121 linuxcbtrouter1.linuxcbt.internal'
8. Create SLAVE configuration on Secondary Instance
a. '/etc/named.conf.local'
b. Be sure to 'include "/etc/named.conf.local" ' - from: '/etc/named.conf'
# FTP Server - Services #
Features:
1. VSFTPD
2. Lightweight
3. Fast
4. Reliable
5. Stable
6. Feature-filled
a. VHOSTS
b. Anonymous
c. Jailed users
d. Prohibited/Allowed Users
e. SELinux-integration (Default)

Tasks:
1. Install VSFTPD
a. 'yum search vsftpd'
b. 'yum install vsftpd' - NOT enabled by default
c. 'systemctl status vsftpd'
d. 'sudo systemctl enable vsftpd && systemctl status vsftpd && ps -ef | grep vsftp'
2. Start and use the service
a. 'sudo systemctl start vsftpd' - this enables 'anonymous' and 'LOCAL USER' access by default
b. 'sudo netstat -ntlp | grep 21' - confirm TCP6 (which also encompasses TCP4) binding
c. 'lftp anonymous@192.168.75.121'
c1. 'pwd' - reflects a CHROOTed 'anonymous' environment, which really resolves to: /var/ftp
c2. 'grep ftp /etc/passwd'
'ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin'
NOTE: 'anonymous' user is mapped to: 'ftp' user, who may NOT login using terminal-oriented front-ends: i.e. SSH, Telnet, GNOME, KDE, etc. ('/sbin/nologin')
NOTE: Default 'anonymous' permissions permit download NOT upload
d. 'lftp linuxcbt@192.168.75.121' - connect as a 'normal' user
NOTE: 'normal' users are NOT CHROOTed by Default: i.e. 'pwd'
NOTE: SELinux prohibits 'normal' users from uploading/downloading to their $HOME directories (the 'ftp_home_dir' boolean is off by Default)
3. Update the SELinux configuration to allow 'normal' users to interact with their $HOME directories
a. 'getsebool -a | grep ^ftp' - dumps FTP-related SELinux booleans
'ftp_home_dir'
b. 'setsebool -P ftp_home_dir=1'
4. CHROOT 'normal' users to improve Default security
NOTE: Caveat: the chroot target ($HOME) MUST NOT be writable by the $USER; otherwise VSFTPD refuses the login ('500 OOPS: vsftpd: refusing to run with writable root inside chroot()') unless 'allow_writeable_chroot=YES' is set, which weakens the jail
a. '/etc/vsftpd/vsftpd.conf' - update to CHROOT 'local' || 'normal' $USERs: 'chroot_local_user=YES'
5. Disable 'anonymous' access
a. '/etc/vsftpd/vsftpd.conf' -> 'anonymous_enable=NO'
6. LOGGING
a. '/var/log/messages' - service/daemon(VSFTPD) behaviour(up/down/etc.)
b. '/var/log/xferlog' - uploads/downloads - movement of content

#Apache Web Services #


Features:
1. HTTPD Server
2. Single binary handles:
a. Prefork(Default)
b. Worker (Threaded)
c. Event (Conservative/effficient threading)
Tasks:
1. Install
a. 'sudo yum install httpd'
b. 'sudo systemctl enable httpd'
c. 'sudo systemctl start httpd'
d. 'ps -ef | grep httpd' - reveals 6 processes
d1. Master process, which spawns N number of child processes
d2. 5 child processes
2. Explore the environment
a. '/etc/httpd' - config container (ServerRoot) - top-level
a1. '/etc/httpd/conf/httpd.conf' - drives the default web server and includes ALL other files
a2. '/etc/httpd/conf.d/' - common *.conf files: i.e. welcome, autoindex, etc.
a3. '/etc/httpd/conf.modules.d' - load files for 'enabled' modules
a4. '/etc/httpd/logs' -> /var/log/httpd - Apache LOGs (error, access)
a5. '/etc/httpd/modules' -> /usr/lib64/httpd/modules - ALL Apache modules
a6. '/etc/httpd/run' -> /run/httpd - PID files and run-time files created by Apache
b. '/var/www' - Default web site content directory
b1. '/var/www/html' - place content here
b2. '/var/www/cgi-bin' - place CGI scripts here
c. Update: '/etc/hosts' to suppress startup error concerning inability to resolve hostname
c1. place FQDN here
c2. '/etc/httpd/conf/httpd.conf' -> update: 'ServerName' directive to FQDN
c3. 'apachectl configtest && apachectl graceful'
d. 'apachectl' - interacts directly with Apache HTTPD
d1. 'apachectl status'
d2. 'apachectl configtest' - checks for syntax errors across the config: httpd.conf and all included items
NOTE: Prior to the restart/graceful of Apache, ALWAYS run 'apachectl configtest' to reduce the likelihood of Apache failing to restart and causing downtime
3. Install Manual: 'sudo yum install httpd-manual'
a. '/etc/httpd/conf.d/manual.conf' - controls access to the manual
b. Secure access to the manual to desirable nodes/networks/etc.
b1. 'Order Deny,Allow
Deny from all
Allow from 127.0.0.1 ::1 192.168.0.0/16 10.0.0.0/8'
NOTE: The 'Order/Deny/Allow' form depends on 'mod_access_compat' in httpd 2.4 (EL-7); the native 2.4 equivalent is: 'Require ip 127.0.0.1 ::1 192.168.0.0/16 10.0.0.0/8'
NOTE: The Apache manual is unlikely to pose a security threat, however, securing it, albeit at the IP-level, lends practice in securing access to content

4. Apache LOGs - Features: Error(inability to access content, various 2xx-5xx errors), Access(hits), Customizable Access LOGS (represent variables of our choosing)
NOTE: '/etc/httpd/conf/httpd.conf' - contains LOG variable assignments
a. '%h' - remote (connecting) host
b. '%l' - ident check - usually '-' - deprecated
c. '%u' - connecting user - usually '-' - noted only if the user has actually authenticated
d. '%t' - timestamp - [day(2-digits)/Month(3 letters)/Year(4-digits):Hour:Minute:Second TimeZone]
e. '%r' - first line of the request: method (GET/POST/etc.), URI and protocol - client-controlled, so treat it as untrusted input when parsing LOGs
f. '%>s' - final status code returned to the client - 2xx-5xx
g. '%b' - size of content returned to client - Optional: '%B' - logs '0' instead of '-' for zero bytes returned for applications that need a quantity
NOTE: '%B' saves us from having to translate: '%b' value of '-' as meaning '0' bytes
h. '%{Referer}i' - Referer header sent by the client - usually the URL of the referring page (client-controlled)
i. '%{User-Agent}i' - Browser/User-client used to access our content: i.e. mobile, desktop, etc. (client-controlled)
j. '%I' - Bytes In (requires 'mod_logio')
k. '%O' - Bytes Out (requires 'mod_logio')
NOTE: 'error_log' does NOT use the 'LogFormat' VARs in its messages but rather has a SYSLOG-style representation:
a. TimeStamp
b. Section of Apache that generated the message
c. PID
d. Daemon/Apache area service
e. Message
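
An added example for the LOG format above (not part of the course notes): parsing a constructed 'combined' access log and counting 4xx/5xx responses per client, the kind of quick check used to spot a scanner or a broken CGI. Because '%r', '%{Referer}i' and '%{User-Agent}i' are client-controlled, the status code is located relative to the closing quote of the request line rather than by whitespace field position. The sample requests and addresses are invented.

```shell
#!/bin/bash
# Added example (not from the course): count error responses per client in an Apache 'combined'
# access log, i.e. LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"".
# The sample log is CONSTRUCTED; point the function at /var/log/httpd/access_log on a real host.

make_sample_access_log() {
    cat > "$1" <<'EOF'
192.168.75.140 - - [08/Dec/2014:10:15:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.75.140 - - [08/Dec/2014:10:15:02 -0500] "GET /manual/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.168.75.141 - - [08/Dec/2014:10:15:03 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 500 - "-" "curl/7.29.0"
192.168.75.141 - - [08/Dec/2014:10:15:04 -0500] "GET /wp-login.php HTTP/1.1" 404 209 "-" "curl/7.29.0"
192.168.75.141 - - [08/Dec/2014:10:15:05 -0500] "GET /phpmyadmin/ a b c HTTP/1.1" 404 209 "-" "curl/7.29.0"
192.168.75.142 - linuxcbt [08/Dec/2014:10:15:06 -0500] "GET /site1/ HTTP/1.1" 200 1024 "http://site1.linuxcbt.internal/" "Mozilla/5.0"
EOF
}

# error_counts_by_client FILE [THRESHOLD]: prints "client count" for every client with at
# least THRESHOLD (default 2) 4xx/5xx responses, highest count first.
error_counts_by_client() {
    awk -v thr="${2:-2}" '
        # The status code is the 3 digits after the closing quote of the request line (%r).
        # Do not rely on whitespace field positions: %r is client-controlled and may contain
        # spaces (see the /phpmyadmin line), which would shift $9. Apache escapes embedded
        # quotes as \", so an unescaped quote followed by " NNN " ends %r.
        match($0, /[^\\]" [0-9][0-9][0-9] /) {
            code = substr($0, RSTART + 3, 3)
            if (code ~ /^[45]/) errs[$1]++
        }
        END { for (h in errs) if (errs[h] >= thr) printf "%s %d\n", h, errs[h] }
    ' "$1" | sort -k2,2nr
}

# Demo run against the constructed log.
demo=$(mktemp)
make_sample_access_log "$demo"
error_counts_by_client "$demo"
rm -f "$demo"
```

With the default threshold only 192.168.75.141 (one 500, two 404s) is reported; lowering it to 1 also lists 192.168.75.140 for its single 403 on the manual.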

#Virtual Hosts#
Features:
1. 2-Types
a. IP-Based - one site(web) per IP address - inefficient usage of IPs
b. Host Header Name-based - multiple sites per IP address - efficient way of using scarce IPv4 resources - relies upon HTTP1.1+
Tasks:
1. IP-Based - .131,.151,.152, .161,.162,.163
a. Add some spare addresses
b. Test access sans VHosts - examine default behaviour of default site
NOTE: By default, Apache serves the 'Default' HOST via ALL accessible IPs on the system
c. Define IP-based HOST tied to: 192.168.75.{131,151}
<VirtualHost 192.168.75.131>
ServerAdmin webmaster@linuxcbtel71.linuxcbt.internal
ServerName site1.linuxcbt.internal
DocumentRoot /var/www/site1
<Directory /var/www/site1>
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
ErrorLog logs/site1.linuxcbt.internal.error_log
CustomLog logs/site1.linuxcbt.internal.access_log combined
</VirtualHost>
d. 'mkdir /var/www/site1'
e. 'echo "TEST of SITE1: from linuxcbtel71.linuxcbt.internal" >> /var/www/site1/index.html'
f. 'apachectl graceful && httpd -S' - reload and ensure that VHost is configured
2. Replicate configuration on same and CentOS node

3. Name-Based Virtual Hosts


a. Ensure ALL VHosts, where desired, share the same IP
b. Ensure ALL VHosts, sharing the same IP, have the 'ServerName' directive declared
c. 'apachectl configtest && apachectl graceful && httpd -S'
NOTE: The new Name-Based VirtualHost configuration ('httpd -S') shows the fallback VHost (the first one defined for that IP), used in the event that the client requests the IP address without a hostname: i.e. http://192.168.75.161 as opposed to: http://site3.linuxcbt.internal
d. Ensure DNS/Name resolution services (i.e. /etc/hosts) are properly configured
d1. Update DNS and ensure client uses DNS
4. Segregate LOGs per VHost
NOTE: Currently, ALL VHosts are LOGGING via default catchall LOGs: /var/log/httpd/{access,error}_log

# MariaDB #
Features:
1. RDBMS fork/spawn of MySQL
Tasks:
1. Install MariaDB via YUM
a. 'sudo yum install mariadb mariadb-server'
b. 'sudo systemctl enable mariadb && sudo systemctl start mariadb'
c. 'netstat -ntlp | grep 3306'
2. Secure the installation: enforces 'root' password, removes 'anonymous' access, etc.
a. 'mysql -u root' - connects sans password
b. 'select user,password,host from mysql.user;' - returns ALL users; on a fresh install the 'password' column is empty for 'root' and for the anonymous ('') users
c. 'mysql_secure_installation'
d. Test access using: 'root' and 'anonymous'
3. MySQL back-end usage largely consists of connecting with an appropriate front-end:
a. 'mysql' - terminal monitor
b. Upon invocation, 'mysql' client utilities read config directives from the following:
b1. '/etc/my.cnf' - system-wide - and includes ALL 'include'd files
b2. $HOME/.my.cnf - User-wide
b3. Command Line Options (CLI) - overrides all aforementioned

4. Create, Use, Destroy simple AddressBook DB:


a. 'create database addressbook;'
b. 'create table contacts ( `fname` char(20), `lname` char(20), `bus_phone1` char(20), `email` char(30), PRIMARY KEY (`email`) );'
c. INSERT INTO contacts (fname,lname,bus_phone1,email) VALUES ('Dean','Davis','+18885734943','sales@linuxcbt.com');
d. UPDATE contacts SET lname='EMPLOYEE';
e. DELETE FROM contacts where fname='dean';
f. TRUNCATE contacts; - wipes table clean
g. DROP database addressbook;
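Added example (not part of the LinuxCBT notes): the SQL that 'mysql_secure_installation' runs on MariaDB 5.5, emitted by a shell function so the hardening can be scripted, plus a least-privilege account so the addressbook application never connects as 'root'. The account name 'abook', the passwords and the quoting helper are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the LinuxCBT notes): the statements that
# 'mysql_secure_installation' runs on MariaDB 5.5 (EL7's version), emitted by a
# function so they can be scripted, plus a least-privilege account for the
# addressbook DB so the application never connects as 'root'. The account name
# 'abook' and the passwords are assumptions.
set -eu

# Escape a value for use inside a single-quoted SQL string literal: backslashes
# are doubled (MariaDB treats '\' as an escape) and quotes are doubled. Never
# splice raw shell variables into SQL without this.
sql_quote() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"; }

# What 'mysql_secure_installation' does: root password, no anonymous users,
# no remote root, no 'test' DB (and no wildcard grants on test_* DBs).
hardening_sql() {   # usage: hardening_sql ROOT_PASSWORD
  cat <<EOF
UPDATE mysql.user SET Password=PASSWORD('$(sql_quote "$1")') WHERE User='root';
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db LIKE 'test\_%';
FLUSH PRIVILEGES;
EOF
}

# Application account: only the DML the addressbook needs, only from localhost.
app_user_sql() {   # usage: app_user_sql APP_PASSWORD
  cat <<EOF
CREATE USER 'abook'@'localhost' IDENTIFIED BY '$(sql_quote "$1")';
GRANT SELECT, INSERT, UPDATE, DELETE ON addressbook.* TO 'abook'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Apply: the first run still connects as passwordless root; afterwards use
# '-p' (or a 0600 ~/.my.cnf) so the password never appears on a command line.
secure_instance() {   # usage: secure_instance ROOT_PASSWORD APP_PASSWORD
  hardening_sql "$1" | mysql -u root
  app_user_sql "$2" | mysql -u root -p
  mysql -u abook -p -e 'SHOW GRANTS'      # confirm: no ALL PRIVILEGES, no '%' host
}
```

Re-run the page's 'select user,password,host from mysql.user;' afterwards: every remaining row should have a non-empty password hash and a local host value.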

#NMap #
Features:
1. Reconnaissance tool - gathers information about network participants, services, etc.
2. Port scanning - TCP and UDP, i.e. TCP:{22,80,21,3306}, plus ICMP-based host discovery
3. Host | Device detection - mobile, known desktop (DELL), etc.
4. Service detection - which version of SSH, Apache, etc.
5. OS fingerprinting - which OS? Which version?
6. Multi-target scanning - expedites the overall scan
7. Largely reconnaissance, and partly a vulnerability scanner (via NSE scripts)

Tasks:
1. Install
a. 'yum install nmap' -> 6.40x
b. Absolute latest version -> nmap.org (formerly insecure.org/nmap) - this is the PROD route
2. Host | Device Detection
a. 'nmap -v localhost' - scan yourself - start with the known
NOTE: This basic scan does many things:
1. Host discovery: ICMP echo (plus ARP on the local subnet and TCP probes to 80/443) when run as root; an unprivileged scan can only probe TCP:80/443 with connect()
2. If the TARGET answers any probe, NMap moves on to the 1000 most common ports
3. Finds open ports and reports on them
4. A summary is provided
NOTE: The scan summary reveals that there are 2 more ports open on loopback than on the routable IP: TCP:{631,25}
b. 'nmap -v 192.168.75.0/24'
NOTE: Unprivileged scans run as TCP connect() scans, which complete the three-way handshake, so the target's application accept()s and typically LOGs every probed connection, leaving a larger TARGET LOG footprint
NOTE: To improve stealth, execute 'nmap' as a privileged user ('root'): TCP SYN (half-open) scans never complete the handshake, so the application layer never sees them
c. 'nmap -v -sP 192.168.75.0/24' - host discovery only ('-sP' is the old spelling of '-sn') - returned in 3.20 sec instead of roughly 44 seconds for the regular TCP connect() scan
d. 'sudo nmap -v 192.168.75.0/24' - TCP SYN - fewer 'breadcrumbs' are left behind
NOTE: Use this option for legitimate scans to reduce the footprint in your LOG files (netfilter/IDS logging still sees the SYNs)
e. 'nmap -v -A 192.168.75.0/24' - all-encompassing scan: service/version detection, default NSE scripts, OS fingerprinting (needs root), traceroute
NOTE: Reducing the target list may not save much time, because NMap quickly determines which nodes of your entire proposed range are up
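Added example (not part of the LinuxCBT notes): the scans above with grepable output ('-oG') reduced to "host port/proto service" lines, so a sweep of the lab network can be diffed against an approved-services baseline instead of read by eye. The network 192.168.75.0/24 and the baseline file are assumptions; the '-oG' sample embedded in the script is constructed for the demo, not real scan output.

```sh
#!/bin/sh
# Added example (not from the LinuxCBT notes): run the page's scans with
# grepable output (-oG) and reduce it to "host port/proto service" lines so
# the result can be diffed against an approved baseline. The network
# 192.168.75.0/24 and the baseline path are assumptions; SAMPLE_GREPABLE is
# constructed to look like one host's -oG line, it is not real scan output.
set -eu

# Host discovery only (-sn is the current spelling of -sP). As root on the
# local subnet this is ARP-based, faster and more reliable than ICMP.
discover() { nmap -sn -oG - "$1"; }

# Privileged SYN scan + version detection of the 1000 default ports in
# grepable form. Without root, nmap silently falls back to connect() scans.
syn_scan() { nmap -sS -sV -oG - "$1"; }

# -oG format: one 'Host:' line per target, tab-separated fields, the Ports
# field holding 'port/state/proto//service//version/' entries joined by ', '.
# Keep only open ports.
parse_open_ports() {
  awk -F'\t' '/^Host:/ {
    split($1, h, " "); host = h[2]
    for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) {
      sub(/^Ports: /, "", $i)
      n = split($i, p, ", ")
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")
        if (f[2] == "open") print host, f[1] "/" f[3], f[5]
      }
    }
  }'
}

# Constructed sample (not a real scan) of what 'nmap -sS -sV -oG -' emits.
SAMPLE_GREPABLE=$(printf 'Host: 192.168.75.17 (linuxcbtserv1)\tPorts: 22/open/tcp//ssh//OpenSSH 6.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.6/, 631/closed/tcp//ipp///\tIgnored State: closed (997)')

open_ports_from_sample() { printf '%s\n' "$SAMPLE_GREPABLE" | parse_open_ports; }

# Diff a live scan against the last approved result; a non-zero exit means
# something new is listening (or something expected has gone away).
compare_with_baseline() {   # usage: compare_with_baseline NET BASELINE_FILE
  syn_scan "$1" | parse_open_ports | sort | diff "$2" -
}

# Usage: 'sudo sh scan.sh --demo' prints the parsed sample; a first baseline is
#   sudo nmap -sS -sV -oG - 192.168.75.0/24 | parse_open_ports | sort > baseline.txt
if [ "${1:-}" = "--demo" ]; then open_ports_from_sample; fi
```

The parser is the part worth keeping: a nightly 'compare_with_baseline 192.168.75.0/24 baseline.txt' in cron turns the page's ad-hoc reconnaissance into change detection for your own hosts.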

# Packet Capturing - TCPDump#

Features:
1. Packet capturing
2. Filters are BPF expressions built from primitives with 3 kinds of qualifiers:
a. Type - host | net | port (what the value refers to)
b. Direction - src | dst | src or dst (the default) | src and dst - 'src and dst port 123' suits protocols that use the same port on both ends, i.e. NTP (123), SYSLOG (514), TFTP (69)
c. Protocol - ether, ip, ip6, arp, tcp, udp, icmp, etc.
NOTE: By default, you can capture traffic:
a. To and from your system
b. Broadcast (and multicast) traffic on the segment
NOTE: If you desire to see|capture traffic between 2 remote nodes, then you'll need to mirror the packets to your system's interface (switch SPAN/mirror port or a network tap)

Usage:
1. 'sudo tcpdump -v[v]' - dumps packets to|from the local system and any broadcast packets
2. 'sudo tcpdump -w `date +%F`-01.capture -v -i eno16777736' - does NOT dump to STDOUT; rather, it reports the number of packets captured thus far and writes the raw packets to a file
NOTE: 'tcpdump -w ...' captures whole frames (ALL layers), so you can post-process the file with BPFs later
3. 'tcpdump -r 2014-12-23-01.capture' - replays the captured packets (137 packets); reading a file needs no root
4. 'sudo tcpdump -c 30 -w `date +%F`-02.30-packets.capture -i eno16777736' - captures 30 packets and exits
5. 'sudo tcpdump -A -v -i eno16777736' - prints each packet's payload in ASCII (useful for clear-text protocols: HTTP, FTP, SMTP)
6. 'sudo tcpdump -e -v -i eno16777736' - prints the link-level (L2) header: MAC addresses and EtherType
7. 'sudo tcpdump -n -e -v -i eno16777736' - refrain from name resolution ('-nn' also leaves ports numeric) - improves performance and avoids leaking DNS queries about what you are watching
8. 'sudo tcpdump -n -e -v -i eno16777736 host 192.168.75.121 and host 192.168.75.17' - only the conversation between these two hosts
9. 'sudo tcpdump -n -e -A -v -i eno16777736 host 192.168.75.121 and tcp port 21' - FTP to|from one host, payload in ASCII
10. 'sudo tcpdump -n -e -A -v -i eno16777736 udp port 123' - capture ALL witnessed UDP:123 (NTP) traffic
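Added example (not part of the LinuxCBT notes): a long-running capture that drops root once the interface is open and keeps a bounded ring of files, a filter builder for the "everything between two hosts" case from items 8 and 9, and a post-processing step that slices a saved capture into a smaller one. The interface eno16777736, the /var/tmp/pcap directory and the 'tcpdump' system account (created by the EL7 tcpdump package) are assumptions.

```sh
#!/bin/sh
# Added example (not from the LinuxCBT notes): a long-running capture that
# drops root once the device is open and keeps a bounded ring of files, plus a
# small filter builder for the "everything between two hosts" case and a
# post-processing step that slices a saved capture. The interface eno16777736,
# the /var/tmp/pcap directory and the 'tcpdump' account (created by the EL7
# tcpdump package) are assumptions.
set -eu

# BPF for a whole conversation: 'host' (type qualifier) with the default
# 'src or dst' direction on both ends; an optional protocol+port narrows it.
between() {   # usage: between HOST_A HOST_B [PROTO PORT]
  expr="host $1 and host $2"
  if [ $# -ge 4 ]; then expr="$expr and $3 port $4"; fi
  printf '%s' "$expr"
}

# Ring-buffer capture: -n no DNS lookups, -s 0 whole frames, -Z drop to an
# unprivileged user after the device is opened (so the directory must be
# writable by that user for the rotated files), -C 100 -W 10 = ten 100 MB
# files, oldest overwritten. Remaining args are the BPF expression.
capture_ring() {   # usage: capture_ring IFACE OUTDIR [FILTER...]
  iface=$1; dir=$2; shift 2
  mkdir -p "$dir" && chown tcpdump "$dir"
  exec tcpdump -n -s 0 -i "$iface" -Z tcpdump -C 100 -W 10 \
       -w "$dir/$iface.pcap" "$@"
}

# Post-processing needs no privilege: read the saved capture with a BPF and
# write just the matching packets to a new file for sharing or analysis.
slice() {   # usage: slice IN.pcap OUT.pcap HOST_A HOST_B [PROTO PORT]
  in=$1; out=$2; shift 2
  tcpdump -n -r "$in" -w "$out" "$(between "$@")"
}

# Usage:
#   sudo sh -c '. ./cap.sh; capture_ring eno16777736 /var/tmp/pcap "$(between 192.168.75.121 192.168.75.17)"'
#   slice /var/tmp/pcap/eno16777736.pcap ftp-only.pcap 192.168.75.121 192.168.75.17 tcp 21
```

Because '-w' keeps every layer, the sliced file still answers '-e' and '-A' questions later; only the filter decides what is kept, never the display options used at capture time.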

#FirewallD - IPTables Front-End#

Features:
1. 'firewall-config' GUI || 'firewall-cmd' CLI -> 'firewalld' (D-Bus service) -> iptables/ip6tables/ebtables -> Kernel NetFilter
2. 2 perspectives on the application of rules:
a. Run-time configuration - what is loaded right now; lost on reload/restart
b. Permanent configuration (/etc/firewalld) - loaded during one of the following conditions:
b1. System initialization
b2. Firewall reload
NOTE: You can compare the Permanent and Run-time configurations to Cisco's startup-config and running-config
3. Provides various network zones (each implemented as a set of iptables chains, i.e. IN_public)
a. Public (the default, untrusted) - outbound traffic is permitted; inbound only for replies to our own connections and the few services enabled in the zone (ssh, dhcpv6-client)
b. Work (semi-trusted) - same model as Public, slightly larger default service set
c. Home (semi-trusted) " "
d. DMZ (restricted) - for hosts reachable from the Net; only explicitly permitted inbound services, i.e. a front-end allowed to reach a back-end RDBMS
e. Trusted - accepts ALL traffic
f. etc. (internal, external, block, drop)
4. The ability to generate/define custom zones
5. Service configuration | provisioning: i.e. 'dns' (TCP|UDP:53) -> can be applied to various zones
NOTE: The ability to group a variety of protocols and port combinations into one unit for rules application is important
6. Panic mode - drops ALL communications: i.e. during a DDoS or other attack
NOTE: This mode will also drop your remote connection unless it is out-of-band: i.e. serial or a third-party NIC connecting to the node
NOTE: Ensure that ALL servers have a third-party, out-of-band means of accessing the system
NOTE: Ensure that the out-of-band method provides FULL OS access: i.e. KVM, etc.

Usage:
1. Ensure 'firewall-config' is installed
NOTE: 'firewall-cmd' is installed by default but takes some learning because of the myriad options; it is, however, the tool you script with
a. 'sudo yum -y install firewall-config'
2. Access 'firewall-config' via:
a. 'Super' key -> type 'firewall-config'
b. $SHELL -> 'firewall-config'
NOTE: Ensure that you are in the desired mode upon invocation:
c. 'Runtime'
d. 'Permanent'
e. Test the current configuration (firewall) from a remote system using 'nmap'
e1. 'nmap -v 192.168.75.17' - unprivileged TCP connect() scan - failed, most likely because its host discovery (connect() to TCP:80/443) was dropped by the firewall, so the host 'seems down' ('-Pn' would skip discovery)
e2. 'sudo nmap -v 192.168.75.17' - TCP SYN scan with ARP/ICMP host discovery - worked
3. Panic mode - drop ALL communications
a. 'firewall-config' GUI -> Options -> Panic Mode ('sudo firewall-cmd --panic-on' | '--panic-off' from the CLI)
b. Test communications - ALL fail until 'Panic Mode' is lifted
4. Shift interface(s) to appropriate zone(s): i.e. 'Public' -> 'Work'
a. Options -> Change default zone, and change the zone of interface(s), to suit your actual environment
5. Reload the configuration without committing changes to the 'Permanent' configuration and evaluate
a. 'sudo firewall-cmd --reload' || from the 'firewall-config' GUI
b. 'sudo iptables -L' || 'sudo firewall-cmd --list-all' - confirm the re-established (saved) rules
NOTE: Changes to the 'Permanent' configuration do NOT impact the 'Run-time' configuration unless you 'Reload' the configuration using one of the management tools; conversely, a reload discards any Run-time-only changes
6. Create a 'PROD' service as an aggregate of ALL mandatory PROD services
a. 'PROD' will contain: http, https, ssh, mysql, dns
b. 'sudo firewall-cmd --reload' && possibly reload from the GUI to reflect the new service
NOTE: In 'firewall-config', zones and services can only be defined/edited in the 'Permanent' view: the 'Runtime' view is merely an instance of the saved configuration. Make the change in 'Permanent' and 'Reload' so that it reflects in 'Runtime'. ('firewall-cmd' without '--permanent' changes the Run-time configuration directly.)
NOTE: Ensure that the defined service(s) is applied to the desired zone(s)
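Added example (not part of the LinuxCBT notes): the same 'PROD' service and zone change done with 'firewall-cmd' (firewalld 0.3.9 on EL7) rather than the GUI, applied to the Run-time configuration first so that a mistake is undone by a reload instead of being persisted, with a guard against locking yourself out of ssh. The interface eno16777736, the 'work' zone and the PROD port list are assumptions taken from the lab.

```sh
#!/bin/sh
# Added example (not from the LinuxCBT notes): the 'PROD' service and zone
# change done with firewall-cmd (firewalld 0.3.9 on EL7) instead of the GUI,
# tried in the Run-time configuration first so that a mistake is undone by a
# reload rather than persisted. Interface eno16777736, zone 'work' and the PROD
# port list are assumptions taken from the lab.
set -eu

PROD_PORTS='22/tcp 80/tcp 443/tcp 3306/tcp 53/tcp 53/udp'   # ssh http https mysql dns

# has_word LIST WORD - exact match of WORD in a space-separated LIST
has_word() { printf '%s\n' $1 | grep -qx -- "$2"; }

# Service definitions exist only in the Permanent configuration
# (/etc/firewalld/services/PROD.xml), so this step must be --permanent,
# followed by a reload before the name is usable in a zone.
define_prod_service() {
  firewall-cmd --permanent --new-service=PROD
  for p in $PROD_PORTS; do
    firewall-cmd --permanent --service=PROD --add-port="$p"
  done
  firewall-cmd --reload
}

# Lockout guard: would ZONE still accept the ssh session you are working from?
zone_allows_ssh() {   # usage: zone_allows_ssh ZONE
  svcs=$(firewall-cmd --zone="$1" --list-services)
  ports=$(firewall-cmd --zone="$1" --list-ports)
  has_word "$svcs" ssh || has_word "$ports" 22/tcp ||
    { has_word "$svcs" PROD && has_word "$PROD_PORTS" 22/tcp; }
}

# Run-time first (no --permanent): verify from a remote host with nmap, then
# persist. A plain '--reload' at any point throws the run-time changes away.
apply_prod() {   # usage: apply_prod ZONE IFACE
  zone=$1; iface=$2
  firewall-cmd --zone="$zone" --add-service=PROD
  zone_allows_ssh "$zone" || { echo "refusing: $zone would drop ssh" >&2; firewall-cmd --reload; return 1; }
  firewall-cmd --zone="$zone" --change-interface="$iface"
  firewall-cmd --zone="$zone" --list-all
  firewall-cmd --permanent --zone="$zone" --add-service=PROD
  firewall-cmd --permanent --zone="$zone" --change-interface="$iface"
  firewall-cmd --reload
}

# Usage (as root): define_prod_service && apply_prod work eno16777736
```

After the final reload, 'firewall-cmd --get-active-zones' should list eno16777736 under 'work' and 'firewall-cmd --zone=work --list-services' should include PROD; a remote 'sudo nmap -v -p 22,80,443,3306,53 192.168.75.17' is the independent check.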

# SELinux #
Features:
1. Restricts access by SUBJECTS (users and/or processes) to OBJECTS (files, directories, sockets, ports, etc.)
a. SUBJECTS:
a1. Any user attached in any form to the system
a2. Processes, which run on behalf of users attached to the system (or of the system itself)
b. OBJECTS:
b1. Any file on the system
b2. Every file type: '-', 'd', 'c', 'b', 'l', 's', etc.
2. Provides Mandatory Access Control (MAC)
3. MAC stands in stark contrast to Discretionary Access Control (DAC)
NOTE: DAC is the standard Linux/Unix file system permission model; SELinux is consulted only after DAC has already permitted the access, it never grants what DAC denies
4. Provides, via policy (per subject -> object(s)), much more granular control of access to objects
5. SELinux separates users and processes from objects by labeling both subjects and objects, and monitors/controls their interaction
6. Labels (security contexts) have the form user:role:type:level; the 'type' is the part the default 'targeted' policy mostly keys on
7. SELinux policy specifically defines and enforces permissions based on the labels assigned to subjects and objects
8. When a type is applied to a process it is called a domain
9. Domains provide virtual sandboxes for processes
10. 'sestatus' - reveals the current status
11. 'setenforce' - switches the mode of operation at run time: 'permissive' (log only) || 'enforcing'; disabling SELinux entirely requires SELINUX=disabled in /etc/selinux/config and a reboot
12. Audit LOG: '/var/log/audit/audit.log' - search here for SELinux-related problems ('ausearch -m avc -ts recent')
13. The Access Vector Cache (AVC) is responsible for providing/denying/logging access by subjects to objects
NOTE: Look for 'avc' messages throughout your logs for details on potential breaches as well as other LOG data
14. '/sys/fs/selinux' - pseudo-filesystem through which user-space tools interact with SELinux in the kernel
15. '/etc/selinux' - '/etc/selinux/config' sets the mode and policy type; the current policy itself lives under '/etc/selinux/targeted'
16. 'setsebool' - sets boolean values for SELinux, typically toggling features/restrictions that the default 'targeted' policy applies to domains: i.e. HTTPD
i.e. If HTTPD is unable to enter '/home' || $HOME, there is a boolean ('httpd_enable_homedirs') which can be enabled to permit access
a. 'setsebool -P' - use this option to set booleans persistently
17. 'getsebool' - dumps the current booleans
a. 'getsebool -a' - dumps ALL booleans
18. 'ls -Z ...' - enumerates SELinux-related data (file contexts); 'ps -Z' does the same for processes
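Added example (not part of the LinuxCBT notes): the triage step between "something is denied" and "which fix": reduce AVC records from /var/log/audit/audit.log to "comm source_type target_type class permissions" lines and count them. The audit records embedded in the script are constructed to match the page's HTTPD-into-/home scenario (and one port case), not copied from a real log; the port number is an assumption.

```sh
#!/bin/sh
# Added example (not from the LinuxCBT notes): summarize AVC denials from
# /var/log/audit/audit.log into "comm source_type target_type class perms"
# lines and count them, the triage step before choosing between restorecon,
# a boolean, a port label or a custom module. SAMPLE_AUDIT below is
# constructed to match the page's httpd-into-/home scenario, not a real log.
set -eu

# One line per denial. An AVC record reads
#   avc:  denied  { perm... } for pid=... comm="..." ... scontext=u:r:t:s
#   tcontext=u:r:t:s tclass=...
# Only the type (3rd context field) is kept; that is what targeted policy keys on.
avc_summary() {   # reads audit records on stdin
  awk '/^type=AVC/ && / denied / {
    perm = ""
    if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
    comm = sc = tc = cls = "?"
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^comm=/)          { comm = $i; gsub(/^comm=|\"/, "", comm) }
      else if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); sc = a[3] }
      else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tc = b[3] }
      else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    print comm, sc, tc, cls, perm
  }'
}

# Counted view: the most frequent (source, target, class, perms) tuple first.
avc_counts() { avc_summary | sort | uniq -c | sort -rn; }

# Constructed sample (not a real log): httpd reading a home directory, httpd
# searching it, and httpd binding a port the policy has not labelled for it.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1419346128.123:456): avc:  denied  { read } for  pid=2487 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1419346128.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7f0 a1=80000 a2=0 a3=0 items=0 ppid=2480 pid=2487 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1419346131.555:457): avc:  denied  { search } for  pid=2487 comm="httpd" name="linuxcbt" dev="dm-0" ino=1200 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1419346140.001:458): avc:  denied  { name_bind } for  pid=3001 comm="httpd" src=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
EOF
)

demo_summary() { printf '%s\n' "$SAMPLE_AUDIT" | avc_summary; }

# Live usage (as root): ausearch -m avc -ts today | avc_counts
# Mapping results to fixes:
#   httpd_t -> user_home_t / user_home_dir_t : setsebool -P httpd_enable_homedirs on
#   httpd_t -> a wrongly labelled file        : restorecon -Rv /path   (or semanage fcontext)
#   httpd_t -> unreserved_port_t name_bind    : semanage port -a -t http_port_t -p tcp 12345
#   anything else                             : audit2why, then decide; never 'setenforce 0' as a fix
if [ "${1:-}" = "--demo" ]; then demo_summary; fi
```

The same parser over the real log answers the page's question in item 13: 'avc_counts' with a large count for an unexpected source type (a web process touching shadow_t, for instance) is a signal worth an incident ticket, not a boolean.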
# SFTP-Only - SSH Account #
Features:
1. File transmissions ONLY
2. NO TTY is assigned to the connecting user
3. More secure than a full SSH connection
a. It limits the total set of executable commands (SFTP commands only)
4. Facilitates uploading/downloading various files

Tasks:
1. Examine the current default
a. Unless a 'nologin' $SHELL is tied to the user's account, users can typically SSH in and obtain a TTY
2. Implement an SFTP-only account
a. Ensure the chroot target ($HOME) is owned by 'root' and NOT writable by group or others: sshd refuses a 'ChrootDirectory' that the user could modify and logs "bad ownership or modes for chroot directory" in /var/log/secure
'drwx------. 17 linuxcbt linuxcbt 4096 Jan 24 01:19 /home/linuxcbt' - current state: owned by the user
a1. 'sudo chown root.root ~linuxcbt && ls -ld ~linuxcbt'
a2. 'sudo chmod 755 ~linuxcbt'
NOTE: The user can no longer write at the top of the chroot; give them a writable subdirectory (i.e. 'sudo install -d -o linuxcbt -g linuxcbt -m 750 ~linuxcbt/upload')
3. Update the system-wide SSH configuration to force SFTP-only sessions for the named account:
a. '/etc/ssh/sshd_config' - append a 'Match' block (the same directives placed outside a 'Match' block would apply to EVERY user):
'Match User linuxcbt'
'    ChrootDirectory /home/linuxcbt'
'    ForceCommand internal-sftp'
'    AllowTcpForwarding no'
'    X11Forwarding no'
NOTE: 'internal-sftp' runs inside sshd, so it works even when the account's shell is '/sbin/nologin'; the external 'sftp-server' subsystem would not
b. 'sudo sshd -t && sudo systemctl restart sshd'
c. Confirm SFTP-only connectivity: 'sftp linuxcbt@192.168.75.17' works; 'ssh linuxcbt@192.168.75.17' yields no shell
4. Revert the ~linuxcbt permissions and test
a. 'sudo chown linuxcbt.linuxcbt /home/linuxcbt' - sshd now rejects the session at login, because the chroot target is no longer root-owned
# SFTP-Only - Forced Files Nomenclature - ~/.ssh/authorized_keys #
Features:
1. Ability to control what a key may do via options in the ~/.ssh/authorized_keys file ('command="..."', 'no-pty', 'no-port-forwarding', etc.)
2. The client is relegated to file transfer only, and the forced command on the SERVER chooses the file name: i.e. CLIENT -> SERVER -> client_a.$$
NOTE: This yields a predictable file nomenclature, which is useful for downstream processing
3. An extension of SFTP-only access
4. Does NOT require modification of /etc/ssh/sshd_config (unlike the SFTP-only 'Match' block)
CAVEAT: Unless you restrict the $USER from modifying ~/.ssh/authorized_keys, there is the risk that they may override your directive (unlike /etc/ssh/sshd_config). Point 'AuthorizedKeysFile' at a root-owned location (i.e. /etc/ssh/authorized_keys/%u) or make the file root-owned

Tasks:
1. 'adduser linuxcbtsftp1 && passwd linuxcbtsftp1'
2. Set up key-based (PKI) login
3. Modify the TARGET (SERVER): $HOME/.ssh/authorized_keys - place the options, comma-separated and without spaces, before 'ssh-rsa KEY'
4. Test a normal SSH connection from the CLIENT -> no PTY is allocated and only the forced command runs
5. Use the account to move data via 'dd'
a. 'dd if=1000.txt | ssh 192.168.75.17' - produces the same content from the CLIENT on the SERVER
NOTE: This mechanism supports the execution of most commands, including $SHELL scripts, as the forced command; whatever the client actually asked for is visible to that command only as $SSH_ORIGINAL_COMMAND
NOTE: The CLIENT can use different SSH keys to execute different commands on the SERVER
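Added example (not part of the LinuxCBT notes): a forced command that receives the client's data stream and stores it under a server-chosen name (client_a.<pid>), the authorized_keys entry that pins a key to it, and the root-owned key location that closes the CAVEAT above. The account linuxcbtsftp1, the /var/spool/inbox directory, the /usr/local/bin/receive path and the per-key tag are assumptions; EL7's OpenSSH 6.6 has no 'restrict' option, so the individual 'no-*' options are listed.

```sh
#!/bin/sh
# Added example (not from the LinuxCBT notes): a forced command that receives
# a file stream from the client and stores it under a server-chosen name
# (TAG.<pid>), the authorized_keys entry that pins a key to it, and the
# sshd_config change that moves authorized_keys out of the user's reach. The
# inbox directory, the install path and the tag names are assumptions.
set -eu

INBOX=/var/spool/inbox    # assumed drop directory, writable by the receiving user

# The receiver. sshd runs this instead of whatever the client asked for; the
# tag comes from authorized_keys (server-controlled), never from the client.
# It is still validated: only [A-Za-z0-9_.-], no leading dot, no path parts.
receive() {   # usage: receive INBOX_DIR TAG   < data
  dir=$1; tag=$2
  case $tag in
    *[!A-Za-z0-9_.-]*|''|.*) echo "rejected tag: $tag" >&2; return 1 ;;
  esac
  out="$dir/${tag}.$$"
  umask 077
  cat > "$out" && printf '%s\n' "$out"
}

# The authorized_keys line: options first, comma-separated, no spaces, then
# the key type and base64 blob (the comment is dropped). OpenSSH 6.6 lacks
# 'restrict', so each capability is switched off by name.
authorized_keys_line() {   # usage: authorized_keys_line TAG PUBKEY_FILE
  printf 'command="/usr/local/bin/receive %s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
    "$1" "$(cut -d' ' -f1,2 "$2")"
}

# Closing the CAVEAT: sshd_config gets 'AuthorizedKeysFile /etc/ssh/authorized_keys/%u',
# a root-owned directory the user cannot edit, so the forced command sticks.
install_key() {   # usage: install_key USER TAG PUBKEY_FILE   (run as root)
  install -d -m 755 -o root -g root /etc/ssh/authorized_keys
  authorized_keys_line "$2" "$3" >> "/etc/ssh/authorized_keys/$1"
  chmod 644 "/etc/ssh/authorized_keys/$1"
  grep -q '^AuthorizedKeysFile /etc/ssh/authorized_keys/%u' /etc/ssh/sshd_config ||
    echo 'AuthorizedKeysFile /etc/ssh/authorized_keys/%u' >> /etc/ssh/sshd_config
  sshd -t && systemctl restart sshd
}

# When sshd runs this file as the forced command there is exactly one argument
# (the tag) and SSH_CONNECTION is set; log what the client asked for, then
# receive. Client side: dd if=1000.txt | ssh linuxcbtsftp1@192.168.75.17
if [ $# -eq 1 ] && [ -n "${SSH_CONNECTION:-}" ]; then
  logger -t receive "tag=$1 from=${SSH_CLIENT:-?} requested=${SSH_ORIGINAL_COMMAND:-none}"
  receive "$INBOX" "$1"
fi
```

A second key for the same account with a different tag ('client_b') gives the page's last NOTE for free: the tag, and therefore the file name, is decided by which key authenticated, not by anything the client sends.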