SELinux modes
SELinux adds a second layer of access control on top of the classic ownership and permission bits: mandatory access
control (MAC), enforced by a kernel policy, in addition to discretionary access control (DAC). A process that passes
the DAC check is still refused if the loaded policy does not allow the access, which is what limits the damage a
compromised service can do. Before setting the mode, note the three modes of operation:
1. Enforcing : actions contrary to the policy are blocked and an AVC denial is written to the audit log
   (/var/log/audit/audit.log when auditd is running).
2. Permissive : actions contrary to the policy are only logged; nothing is blocked. Useful for testing a policy, but it
   offers no protection.
3. Disabled : SELinux is off entirely. No policy is loaded and new files are written without labels, so returning to
   enforcing later requires a relabel of the file system.
Configuration file
The persistent setting lives in /etc/selinux/config (on Red Hat systems /etc/sysconfig/selinux is a symlink to it).
SELINUX= sets the mode at boot and SELINUXTYPE= selects the policy:
# cat /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
Toggling SELinux modes (Temporarily)
To switch between enforcing and permissive until the next reboot, use the setenforce command. It cannot disable or
re-enable SELinux; that needs the config file or a kernel boot option (see below):
# setenforce [ Enforcing | Permissive | 1 | 0 ]
0 --> Permissive
1 --> Enforcing
Verify the current mode of SELinux :
# getenforce
Enforcing
or use the sestatus command to get a detailed status :
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
SELinuxfs mount is the selinuxfs pseudo file system (similar to /proc); newer releases mount it at /sys/fs/selinux.
Current mode is the mode the kernel is running now; Mode from config file is the mode set in /etc/selinux/config
(/etc/sysconfig/selinux). When the two differ, as above, the mode was changed at runtime with setenforce and the
system will revert to the configured mode at the next boot.
Toggling SELinux modes (Permanently)
SELinux mode can be set permanently using either of the methods below :
1. editing /etc/selinux/config file
2. editing kernel boot options
1. editing /etc/selinux/config file
To set SELinux to permissive, set the SELINUX= line in /etc/selinux/config to :
vi /etc/selinux/config
....
SELINUX=permissive
...
Similarly the mode can be set to enforcing or disabled by changing the value on the same line. The file is only read
at boot, so to switch between enforcing and permissive immediately also run setenforce. A change to or from disabled
takes effect only after a reboot, and when re-enabling SELinux create the file /.autorelabel first so the file
system is relabelled during the next boot.
2. editing kernel boot options
Edit the kernel boot line and append enforcing=0 to the kernel boot options; this overrides the config file for that
boot only (selinux=0 disables SELinux entirely). For example, in a GRUB legacy menu entry:
title Red Hat Enterprise Linux AS (2.6.9-42.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.6.9-42.ELsmp ro root=LABEL=/ rhgb quiet enforcing=0
initrd /initrd-2.6.9-42.ELsmp.img
Because anyone who can edit the boot line at the console can add these options, the boot loader should require a
password for interactive edits on machines where SELinux is part of the security model.
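The check a practitioner actually wants after reading the above is whether the running mode still matches the configured one, and a safe way to change the configured mode. The following is an added example and not code from the original page; the function names are mine, and it reads a config file in the /etc/selinux/config syntax shown above.

```shell
#!/bin/sh
# Added example (not from the original page): detect drift between the mode
# /etc/selinux/config requests and the mode the kernel is actually running, and
# change the configured mode safely. Function and variable names are my own.

# config_mode FILE: print the SELINUX= value from a config file in
# /etc/selinux/config syntax (comments ignored, last assignment wins, lower-cased)
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1 | tr 'A-Z' 'a-z'
}

# runtime_mode: the live mode from getenforce, or "unknown" where it is absent
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo unknown
    fi
}

# drift_check CONFIG_MODE RUNTIME_MODE: 0 when they agree, 1 on drift, 2 on a
# bad config value. A runtime of "permissive" against a config of "enforcing"
# is the classic "someone ran setenforce 0 and forgot" finding.
drift_check() {
    case "$1" in
        enforcing|permissive|disabled) ;;
        *) echo "bad SELINUX= value: '$1'"; return 2 ;;
    esac
    if [ "$1" = "$2" ]; then
        echo "ok: config and runtime both $1"
        return 0
    fi
    echo "drift: config=$1 runtime=$2"
    return 1
}

# set_config_mode FILE MODE: rewrite the SELINUX= line. Written via a temp file
# because 'sed -i' differs between GNU and BSD sed. A file with no SELINUX=
# line is left unchanged.
set_config_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $2" >&2; return 2 ;;
    esac
    tmp="$1.tmp.$$"
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Typical use on a real host (needs root to write the config file):
#   drift_check "$(config_mode /etc/selinux/config)" "$(runtime_mode)"
```

Run the drift check from a compliance cron job or a configuration-management agent; a non-zero exit is worth an alert, because a host left in permissive mode logs denials but enforces nothing.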
Change passwords and adjust password aging for local user accounts
Password aging requires users to change their password periodically. Use the chage command to configure password
expiration. The syntax is :
# chage [options] user_name
– Run without options, chage prompts interactively for each aging field and shows the current value as the default,
so it also serves to review the current settings (chage -l user_name lists them without changing anything).
# chage oracle
Changing the aging information for oracle
Enter the new value, or press ENTER for the default
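What chage writes ends up in the aging fields of /etc/shadow, and auditing those fields directly is how you find accounts that have quietly gone past their maximum age. The following is an added example, not code from the original page; the function names are mine, the shadow lines it is tested with are constructed, and the chage options used in apply_aging_policy are the real -m/-M/-W/-I flags of chage(1).

```shell
#!/bin/sh
# Added example (not from the original page): read password-aging fields from
# /etc/shadow-style lines and flag accounts whose password is past its maximum
# age. Names are my own.

# shadow_days_left LINE TODAY: days left before the password expires, given a
# line in /etc/shadow format (name:hash:lastchg:min:max:warn:inactive:expire:)
# and TODAY as days since the epoch. Prints "never" when no maximum age is set,
# "must-change" when lastchg is 0 (forced change at next login) and "unknown"
# when the last-change field is empty.
shadow_days_left() {
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never
        return 0
    fi
    if [ -z "$lastchg" ]; then
        echo unknown
        return 1
    fi
    if [ "$lastchg" = 0 ]; then
        echo must-change
        return 0
    fi
    echo $(( lastchg + max - $2 ))
}

# today_days: the current date as days since the epoch, the unit /etc/shadow uses
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# audit_shadow FILE TODAY: print "user days-left" for every account whose
# password has already expired (days-left <= 0)
audit_shadow() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%:*}
        left=$(shadow_days_left "$line" "$2")
        case "$left" in
            -*|0) echo "$name $left" ;;
        esac
    done < "$1"
}

# apply_aging_policy USER: enforce a 7-day minimum, 90-day maximum, 14-day
# warning and 30-day inactivity lock, then show the result. Needs root.
apply_aging_policy() {
    chage -m 7 -M 90 -W 14 -I 30 "$1" && chage -l "$1"
}

# Usage on a live system (root, since /etc/shadow is mode 0000 or 0640):
#   audit_shadow /etc/shadow "$(today_days)"
```

Service accounts usually show up as "never" here; that is expected for accounts with a locked password (hash of ! or *), but an interactive account with no maximum age is a finding.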
# chronyc sources -v
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = OK for sync, '?' = unreachable,
| /   'x' = time may be in error, '~' = time is too variable.
||                                        .- xxxx [ yyyy ] +/- zzzz
||      Log2(Polling interval) -.         |  xxxx = adjusted offset,
||                               |        |  yyyy = measured offset,
||                               |        |  zzzz = estimated error.
MS Name/IP address         Stratum Poll LastRx Last sample
============================================================================
^* ntp.example.com               3    6     40   +31us[  -98us] +/- 118ms
Note that a Source state other than '*' usually indicates a problem with the NTP server.
Source state '~' means that the time is too variable
If the Source state is '~', the server is reachable but the time it reports is too variable for chrony to trust. This
happens when the server responds too slowly, or sometimes slowly and sometimes quickly. Check the round-trip time of
pings to the server to see whether it is slow or variable. This state has also been seen when the NTP server runs on
a virtual machine that is too slow, causing timing issues.
Chrony check and restart every hour
Once an hour, the cron job below runs the script /usr/sbin/palladion_chrony_healthcheck, which runs
/usr/sbin/palladion_check_chrony and acts on its exit code. That script inspects the output of chronyc sources -v:
if /usr/sbin/palladion_check_chrony returns 1, there was no online source (no source with Source state '*'), so
chrony is restarted in an attempt to re-initialize the server status;
if /usr/sbin/palladion_check_chrony returns 0, everything is ok: chrony already has a valid online source and is not
restarted.
# cat /etc/cron.d/chrony
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#
# Check chrony every hour and restart if necessary.
#
16 * * * * root /usr/sbin/palladion_chrony_healthcheck
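The decision the hourly healthcheck makes, and the '~' state explained above, can be reproduced against saved chronyc output. The following is an added example and not the palladion scripts themselves; the function names are mine, the exit codes follow the page (1 = no source in state '*', 0 = a synced source exists), the sample output in the test is constructed, and chronyd is assumed to be the service unit name.

```shell
#!/bin/sh
# Added example (not from the original page): the check the hourly healthcheck
# performs, written so it can be run against saved 'chronyc sources -v' output.

# check_chrony_sources: read 'chronyc sources -v' output on stdin. Exit 0 when
# some source has state '*' (current synced), 1 otherwise. Sources in state '~'
# (time too variable) are reported on stdout either way, since they are the
# usual cause of a server that is reachable but never becomes '*'.
check_chrony_sources() {
    awk '
        # source lines start with the two-character MS column: mode then state;
        # the legend lines ("||", "/ .-", "MS", "====") never match this pattern
        $1 ~ /^[=#^][*+?x~-]$/ {
            state = substr($1, 2, 1)
            if (state == "*") synced = 1
            if (state == "~") print "unstable source: " $2
        }
        END { exit synced ? 0 : 1 }
    '
}

# chrony_healthcheck: what the cron job does once an hour. Not invoked here;
# "chronyd" is the assumed unit name.
chrony_healthcheck() {
    if chronyc sources -v | check_chrony_sources; then
        echo "chrony ok"
    else
        echo "no synced source, restarting chronyd"
        systemctl restart chronyd
    fi
}
```

Keep the hourly restart as a last resort: a source that flips between '~' and '*' every few hours is better diagnosed with the tcpdump trace described below than papered over by restarts, which reset chrony's frequency estimate each time.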
Chrony logs
There are several chrony logs that can be used to troubleshoot. Most of them are in /var/log/chrony/. Note that the
most recent file is not always the one named *.log: after rotation it can be the *.log.2 or *.log.3 file that holds
the newest entries, as in the listing below, where the *.log files are empty. Sort by modification time to find out:
# ls -lisaht /var/log/chrony/
total 1.5M
3801115 580K -rw-r--r-- 1 root root 574K Oct 21 14:56 measurements.log.3
3801131 544K -rw-r--r-- 1 root root 540K Oct 21 14:56 statistics.log.3
3801166 356K -rw-r--r-- 1 root root 350K Oct 21 14:56 tracking.log.3
3801089 4.0K drwxr-xr-x 16 root root 4.0K Oct 21 00:01 ..
3801114 4.0K drwxr-xr-x 2 root root 4.0K Oct 21 00:01 .
3801128 0 -rw-r--r-- 1 root root 0 Oct 21 00:01 tracking.log
3801110 0 -rw-r--r-- 1 root root 0 Oct 21 00:01 measurements.log
3801120 0 -rw-r--r-- 1 root root 0 Oct 21 00:01 statistics.log
3801167 0 -rw-r--r-- 1 root root 0 Oct 20 00:01 tracking.log.1
3801165 0 -rw-r--r-- 1 root root 0 Oct 20 00:01 statistics.log.1
3801159 0 -rw-r--r-- 1 root root 0 Oct 20 00:01 measurements.log.1
............
Try setting only one NTP server by entering its IP address
If until now you have been using two or more NTP servers (either because several were set or because you entered an
FQDN that resolves to several IP addresses), try a single NTP server entered as one IP address. This may solve the
NTP related issue.
Tracing the communication with the NTP server
To double check whether the NTP server is answering, trace the traffic between chrony and the NTP server for a
period of time while monitoring the server:
1. Start a pcap trace with tcpdump on UDP port 123 (NTP) and leave it running until the issue appears (run it in
'screen' or with 'nohup' so it is not killed when you disconnect from the shell).
2. As soon as the issue re-appears, get a System Diagnostics covering the entire history from the moment you set the
server by DNS name until the gap reoccurred. If this produces a file that is too big, get the System Diagnostics for
Current data only and in addition copy all the files from /var/log/chrony/ and all files named /var/log/syslog*.
Remember to stop the trace you started at step 1.
Schedule tasks using at and cron
– Linux can run tasks automatically and comes with the scheduling utilities cron, anacron, at and batch.
– cron jobs can run as often as every minute, at a fixed time; a cron job whose time passes while the system is down
is skipped.
– anacron works in whole days: a job runs at most once a day, and jobs missed while the system was down are
remembered and run the next time it is up.
– at and batch run a command once, at a given time or, for batch, when the system load is low.
– crond searches several files and directories for scheduled jobs:
1. /etc/crontab
2. /etc/cron.d/
3. /var/spool/cron/ (per-user crontabs)
anacron reads its own table, /etc/anacrontab.
Configuring cron jobs
System-wide cron jobs are defined in /etc/crontab (and in files under /etc/cron.d). Entries there have the form:
Minutes Hours Day-of-Month Month Day-of-Week user command
Per-user crontabs (crontab -e) use the same line without the user field, since the job runs as the crontab's owner:
Minutes Hours Day-of-Month Month Day-of-Week command
where:
Minutes = [0 to 59]
Hours = [0 to 23]
Day-of-Month = [1 to 31]
Month = [1 to 12]
Day-of-Week = [0 to 7] 0 or 7=Sunday - 6=Saturday
user = the account the job runs as (system crontab and /etc/cron.d only)
command = a script file or a shell command.
Other special characters can be used:
- An asterisk (*) specifies all valid values.
- A hyphen (-) between integers specifies a range of integers.
- A list of values separated by commas (,) specifies a list.
- A forward slash (/) after a value or range specifies step values (*/5 in the minutes field means every 5 minutes).
Other cron Directories and Files
/etc/cron.d
– Contains files with the same syntax as /etc/crontab (including the user field). They must be writable by root
only, since whatever they name is run with the listed user's privileges, usually root.
– Other cron directories in /etc:
cron.hourly
cron.daily
cron.weekly
cron.monthly
– Scripts in these directories run hourly, daily, weekly or monthly, depending on the name of the directory, as root.
As with /etc/cron.d, a script here that is writable by an ordinary user is a straightforward path to root.
– The /etc/cron.allow and /etc/cron.deny files restrict user access to the crontab command. If cron.allow exists,
only the users listed in it may use crontab and cron.deny is ignored; otherwise users listed in cron.deny are
refused. If neither file exists the default is build-dependent: only root on some systems, all users on others;
check crontab(1) on the system in question.
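Two things worth having as code for the material above: a validator for the five time fields in the syntax just described, and the permissions audit the notes on /etc/cron.d and the cron.* directories call for. The following is an added example, not code from the original page; the function names are mine, the validator accepts numbers only (no month or weekday names), and the directory it is tested against is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): validate the five time fields of
# a crontab line, accepting exactly the forms the page lists (*, n, a-b, a,b,c
# and x/step), and audit a cron directory for writable files.

# is_num STRING: true when STRING is a non-empty run of digits
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# cron_field_ok VALUE LO HI: validate one field against its range. Items are
# split on commas by hand so that a '*' never reaches pathname expansion.
cron_field_ok() {
    lo=$2
    hi=$3
    rest="$1,"
    while [ -n "$rest" ]; do
        item=${rest%%,*}
        rest=${rest#*,}
        base=${item%%/*}
        step=${item#*/}
        [ "$step" = "$item" ] && step=1            # no '/': step of 1
        is_num "$step" && [ "$step" -ge 1 ] || return 1
        case "$base" in
            '*') ;;                                 # every valid value
            *-*) a=${base%-*}
                 b=${base#*-}
                 is_num "$a" && is_num "$b" || return 1
                 [ "$a" -ge "$lo" ] && [ "$b" -le "$hi" ] && [ "$a" -le "$b" ] || return 1 ;;
            *)   is_num "$base" || return 1
                 [ "$base" -ge "$lo" ] && [ "$base" -le "$hi" ] || return 1 ;;
        esac
    done
    return 0
}

# cron_entry_ok "MIN HOUR DOM MON DOW": validate the five fields together
# (day-of-week accepts 0-7, both 0 and 7 meaning Sunday, as cron does)
cron_entry_ok() {
    set -f                      # keep the shell from globbing the asterisks
    set -- $1
    set +f
    [ $# -eq 5 ] || return 1
    cron_field_ok "$1" 0 59 && cron_field_ok "$2" 0 23 && cron_field_ok "$3" 1 31 \
        && cron_field_ok "$4" 1 12 && cron_field_ok "$5" 0 7
}

# audit_cron_files DIR: list files under DIR (e.g. /etc/cron.d, /etc/cron.daily)
# that are group- or world-writable. cron runs them as root, so a writable
# file there is a privilege-escalation path, not a convenience.
audit_cron_files() {
    find "$1" -type f \( -perm -g+w -o -perm -o+w \) 2>/dev/null
}

# Typical use on a host:
#   for d in /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly; do
#       audit_cron_files "$d"
#   done
```

The audit only looks at the files cron itself reads; the scripts those files invoke (and the directories on their PATH) deserve the same check, since a world-writable helper called from a root-owned crontab is just as exploitable.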
Crontab utility
– Users other than root can also configure cron using the crontab utility.
– User defined crontabs are stored in /var/spool/cron/[username]; edit them with the utility rather than directly,
so crond notices the change.
– To create or edit a crontab entry :
# crontab -e
– To list the entries in the user defined crontab :
# crontab -l
– As root, add -u username to act on another user's crontab. Note that crontab -r deletes the whole crontab without
asking for confirmation.
Configuring anacron jobs
– anacron jobs are defined in /etc/anacrontab.
– Each job line has four fields :
Period in days : frequency of execution in days
Delay in minutes : minutes to wait before executing the job
job-identifier : a unique name used in the timestamp files and in log messages
command : a shell script or command to execute
example anacrontab file :
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# the maximal random delay added to the base delay of the jobs
RANDOM_DELAY=45
# the jobs will be started during the following hours only
START_HOURS_RANGE=3-22
service Utility                  systemctl Utility                                   Description
service name condrestart         systemctl try-restart name                          Restarts a service only if it is running
service name status              systemctl status name                               Checks whether a service is running
service --status-all             systemctl list-units --type service --all           Displays the status of all services
Enabling and disabling services
chkconfig Utility                systemctl Utility                                   Description
chkconfig --list name            systemctl status name, systemctl is-enabled name    Checks whether a service is enabled
chkconfig --list                 systemctl list-unit-files --type service            Lists all services and checks whether they are enabled
Hard links
1. Creation: ln makes a second directory entry pointing at the same inode
# touch file1
# ls -l
-rw-r--r-- 1 root root 0 Sep 23 13:19 file1
# ln file1 file2
# ls -l
-rw-r--r-- 2 root root 0 Sep 23 13:19 file1
-rw-r--r-- 2 root root 0 Sep 23 13:19 file2
# ls -li
1282 -rw-r--r-- 2 root root 0 Sep 23 13:19 file1
1282 -rw-r--r-- 2 root root 0 Sep 23 13:19 file2
# find . -inum 1282
./file1
./file2
2. The link count (the number after the permission bits) increases by one every time you create a new hard link to
the file, as shown above, and both names share one inode (1282).
3. Deleting either name has no effect on the other; only the link count decrements, and the data is freed only when
the count reaches zero. This is also why a hard link that an unprivileged user creates to a sensitive file keeps
that file's contents reachable after the original name is removed.
4. Hard links cannot cross file systems, because an inode number is only meaningful within one file system.
5. You cannot create hard links to directories.
append stdout and stderr to filename          >> filename 2>&1   or   1>> filename 2>&1
redirect stdout and stderr to filename        > filename 2>&1    or   1> filename 2>&1
Some examples of using I/O redirection
# cat goodfile badfile 1> output 2> errors
This command redirects the normal output (the contents of goodfile) to the file output and sends any errors (about
badfile not existing, for example) to the file errors.
# mail user_id < textfile 2> errors
This command takes the input for the mail command from the file textfile and sends any errors to the file errors.
# find / -name xyz -print 1> abc 2>&1
This command redirects the normal output to the file abc. The construct "2>&1" says "send error output to the same
place normal output is currently directed".
Note that the order is important: command 2>&1 1>file does not do the same as command 1>file 2>&1. Redirections are
applied left to right, and 2>&1 means "make standard error go where standard output goes right now". So
command 2>&1 1>file first points standard error at the current standard output (probably the terminal, where
standard error goes by default anyway) and only then moves standard output to file, leaving the errors on the
terminal. This is rarely what was intended.
# ( grep Bob filex > out ) 2> err
– any output of the grep command is sent to the file out and any errors are sent to the file err.
# find . -name xyz -print 2>/dev/null
This runs the find command but sends any error output (due to inaccessible directories, for example) to /dev/null.
Use with care, and only when the error output really is of no interest.
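The ordering rule above is easiest to believe once it is measured. The following is an added example, not code from the original page: talk is a constructed producer that writes one line to each stream, and the capture functions apply the redirections in the two orders discussed, plus the grouped form from the grep example. Function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page): the order-of-redirection point
# made observable. Each capture function writes into the given file(s); count
# the lines afterwards with lines_in to see what reached the file.

# talk: one line on stdout and one on stderr (constructed producer)
talk() {
    echo "out"
    echo "err" >&2
}

# lines_in FILE: line count without wc's leading padding
lines_in() {
    n=$(wc -l < "$1")
    echo $((n + 0))
}

# capture_right FILE: stdout to FILE first, then stderr to wherever stdout now
# points. Both lines land in FILE.
capture_right() {
    talk > "$1" 2>&1
}

# capture_wrong FILE: 2>&1 is applied first, so stderr copies the *original*
# stdout (the terminal), and only then is stdout moved to FILE. FILE gets one
# line; "err" still goes to the terminal. This is the mistake the text warns about.
capture_wrong() {
    talk 2>&1 > "$1"
}

# capture_split OUT ERR: the grouped form ( cmd > out ) 2> err from the
# examples above: stdout of the group goes to OUT, its stderr to ERR.
capture_split() {
    ( talk > "$1" ) 2> "$2"
}
```

The same rule explains why `cmd > log 2>&1` is the form to use in cron entries and service wrappers: with the other order the error text goes to wherever cron's stdout pointed, which is usually a mail to root or nowhere at all.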
vi/vim editor
Inserting text
Command Action
i Insert text before the current cursor position
:%s/old/new/g Search and replace every occurrence of the string old with the string new
:w! Force the write even when the buffer is marked read-only; it still needs write permission on the file or, in vim,
on its directory (vim then rewrites the file, which ends up owned by you)
:wq! Force the write as above, then quit