
Sunday, July 31, 2011

Configure a system to use an existing LDAP directory service for user and group information

# system-config-authentication
Then select "LDAP" as the user account database.
Enter the base DN and the LDAP server name.
Download the CA certificate by entering the given URL (needed when TLS is used).
Select the authentication method.

Diagnose and address routine SELinux policy violations

Check either of the files below for denial (AVC) messages:
/var/log/audit/audit.log
/var/log/messages
# sealert -a /var/log/audit/audit.log
(sealert explains each denial and suggests the boolean or context change that fixes it)
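When a service misbehaves under SELinux, the quickest way to see what is going on is to group the AVC denials in audit.log by who was denied what on which label. The script below is an added example (not from this blog or from the setroubleshoot project) that does that grouping with awk; the audit.log lines it works on are constructed samples in the real record format, and the PIDs, inode numbers and file names in them are placeholders. On a live system you would pipe in /var/log/audit/audit.log, or the output of ausearch -m avc.

```shell
#!/bin/bash
# Added example: summarize SELinux AVC denials from an audit log (audit.log record format).
# The log lines below are constructed samples, not from a real system.

avc_sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1312087200.101:201): avc:  denied  { read } for  pid=2451 comm="httpd" name="index.html" dev=dm-0 ino=131205 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1312087200.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1312087215.334:202): avc:  denied  { read } for  pid=2451 comm="httpd" name="style.css" dev=dm-0 ino=131206 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1312087300.010:203): avc:  denied  { name_connect } for  pid=2460 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

# Count AVC denial records on stdin.
avc_denial_count() {
    grep -c '^type=AVC .*denied' || true
}

# Group denials on stdin by (command, permission, source type, target type, class),
# most frequent first. The same line repeating is the usual sign of one misconfiguration
# (here: httpd reading user_home_t, which the httpd_enable_homedirs boolean controls).
avc_summary() {
    awk '
        /^type=AVC / && /denied/ {
            perm = ""; comm = ""; sc = ""; tc = ""; cls = ""
            if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "scontext") sc = kv[2]
                else if (kv[1] == "tcontext") tc = kv[2]
                else if (kv[1] == "tclass") cls = kv[2]
            }
            gsub(/"/, "", comm)
            split(sc, s, ":"); split(tc, t, ":")   # user:role:type:level -> keep the type
            count[comm " " perm " " s[3] " " t[3] " " cls]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run over the constructed sample.
avc_sample_log | avc_summary
```

The first output line, "2 httpd read httpd_t user_home_t file", points straight at the boolean shown in the next section; the name_connect line is a different problem (httpd talking to a database port) and needs a different boolean, which sealert -a would name.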

Use boolean settings to modify system SELinux settings

To find the SELinux booleans that affect a service
# getsebool -a | grep servicename
eg:
# getsebool -a | grep http

Change a boolean (-P makes the change persistent across reboots)
# setsebool -P boolean=1
eg:
# setsebool -P httpd_enable_homedirs=1

Restore default file contexts

# restorecon -Rv filename
(-R recurses into directories, -v shows each file that was relabeled)

List and identify SELinux file and process context

List file context
# ls -Z filename

SELinux labels every file and process with a context made of a user, a role and a type (for a process the type is called its domain):

User part:
unconfined_u  unconfined user
system_u      system processes and files
user_u        normal user

Role part:
object_r  files
system_r  system processes

Type/domain part, for example:
unconfined_t  unconfined process

To see process contexts
# ps -eZ

Set enforcing and permissive modes for SELinux

# lokkit --selinux=permissive
# lokkit --selinux=enforcing

Configure firewall settings using system-config-firewall or iptables

# system-config-firewall
Then either enable or disable the firewall.

Using iptables:
Flush the default filter table
# iptables -F

List the default filter table
# iptables -L

Block ALL inbound traffic
# iptables -A INPUT -j REJECT

Block ALL outbound traffic
# iptables -A OUTPUT -j REJECT

Save the rules (written to /etc/sysconfig/iptables and reloaded at boot)
# service iptables save

Drop all packets arriving on eth0
# iptables -A INPUT -i eth0 -j DROP

Delete a rule (repeat the rule with -D instead of -A)
# iptables -D INPUT -i eth0 -j DROP

Match a protocol
# iptables -A INPUT -p tcp -j DROP

Set the default policy (applies to packets that no rule matched)
# iptables -P INPUT DROP

Match a destination port
# iptables -A INPUT -p tcp --dport 21 -j REJECT
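The rules above are evaluated top to bottom, so "iptables -A INPUT -j REJECT" appended to a chain on a remote host cuts off the very SSH session you are working in unless an ACCEPT for SSH and for established connections comes first. The script below is an added example (not from this blog) of building an INPUT chain in a lockout-safe order; it runs as a dry run and only prints the commands until IPTABLES is set to the real binary, and it includes a small check that can be run over any list of iptables commands to confirm the SSH allow precedes the catch-all.

```shell
#!/bin/bash
# Added example: build a default-deny INPUT chain in a lockout-safe order.
# Dry run unless IPTABLES is overridden: by default it only prints the commands.
IPTABLES="${IPTABLES:-echo iptables}"

# Emit (or apply) the rules. Order matters: the allows for loopback, already
# established connections and SSH must come before the final catch-all REJECT,
# otherwise the REJECT matches first and an administrator working over SSH is cut off.
build_input_rules() {
    $IPTABLES -F INPUT
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -p icmp -j ACCEPT
    $IPTABLES -A INPUT -j REJECT --reject-with icmp-host-prohibited
}

# Read a list of iptables commands on stdin and succeed only if an SSH ACCEPT
# rule appears before the first catch-all REJECT/DROP appended to INPUT.
rules_keep_ssh_reachable() {
    awk '
        /--dport 22 / && /-j ACCEPT/ && !ssh  { ssh = NR }
        /-A INPUT -j (REJECT|DROP)/ && !deny { deny = NR }
        END { exit !(ssh && (!deny || ssh < deny)) }
    '
}

# Stand-alone run: print the ruleset and check its ordering.
build_input_rules
build_input_rules | rules_keep_ssh_reachable && echo "ordering ok: SSH stays reachable"
```

To apply for real, run "IPTABLES=iptables build_input_rules" as root and then "service iptables save" so the chain survives a reboot; the default policy DROP is set first so that a later "iptables -F" still leaves the host closed rather than open.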

Configure a system to use an existing LDAP directory service for user and group information

# system-config-authentication
Then select "LDAP"
Download the certificate from the given URL

Create, delete and modify local groups and group memberships

Create group
# groupadd groupname

Delete group
# groupdel groupname

Add a member to a group (-a keeps the user's other supplementary groups)
# usermod -aG groupname username

Change passwords and adjust password aging for local user accounts

Change password
# passwd username

Adjust password aging (interactive)
# chage username
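The values chage edits are the numeric fields of /etc/shadow (day of last change, minimum and maximum age, warning period), and reading them back is how you find accounts whose passwords never expire or have already expired. The script below is an added example (not from this blog) that classifies shadow-style lines; the lines, the placeholder hashes and the "today" value 15186 (2011-07-31 in days since 1970-01-01, the unit the shadow file uses) are all constructed.

```shell
#!/bin/bash
# Added example: classify password-aging state from /etc/shadow-style lines.
# The shadow lines and the "today" value are constructed; the hashes are placeholders.

# Constructed /etc/shadow content. Field 3 is the day of the last password change,
# field 5 the maximum age in days and field 6 the warning period (see chage).
shadow_sample() {
    cat <<'EOF'
root:$6$placeholder$hash:15150:0:99999:7:::
alice:$6$placeholder$hash:15000:0:90:7:::
bob:$6$placeholder$hash:15105:0:90:14:::
carol:!!:15100:0:90:7:::
dave:$6$placeholder$hash:15180:0:90:7:::
EOF
}

# $1 = one shadow line, $2 = today as days since 1970-01-01 (same unit as field 3).
# Prints "name:status" with status locked | never-expires | expired | warn | ok.
password_age_status() {
    local name hash last min max warn rest age
    IFS=: read -r name hash last min max warn rest <<EOF
$1
EOF
    case $hash in
        '!'*|'*'*) echo "$name:locked"; return ;;   # password login disabled
    esac
    max=${max:-99999}
    if [ "$max" -ge 99999 ]; then echo "$name:never-expires"; return; fi
    age=$(( $2 - ${last:-0} ))
    if [ "$age" -gt "$max" ]; then
        echo "$name:expired"
    elif [ "$age" -gt $(( max - ${warn:-0} )) ]; then
        echo "$name:warn"
    else
        echo "$name:ok"
    fi
}

# Report every account on stdin for the given day.
shadow_report() {
    local line
    while IFS= read -r line; do
        password_age_status "$line" "$1"
    done
}

# Stand-alone run; on a real host use today=$(( $(date +%s) / 86400 )).
shadow_sample | shadow_report 15186
```

The 99999 maximum is the default useradd gives a new account, so "never-expires" is the normal state until chage -M (or PASS_MAX_DAYS in /etc/login.defs) sets a limit; chage -l username prints the same fields in readable form for one account.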

Create, delete, and modify local user accounts

Create user account
# useradd username

Delete user account
# userdel username

Modify user account, eg. add it to a supplementary group
# usermod -aG groupname username

Configure a system to run a default configuration NTP server and synchronize time using other NTP peers

Go to System -> Administration -> Date and Time

Then tick "Synchronize date and time over the network"
Enter the NTP server address

Update the kernel package appropriately to ensure a bootable system. Modify the system bootloader

First find the kernel package to be installed.
Then install it with -i (installs next to the running kernel) rather than -U, so the old kernel is still there if the new one does not boot:
# rpm -ivh kernel_package_name

Then, to decide which kernel boots first, edit /etc/grub.conf and set
default=N
where N is the position of the required title entry, counting from 0.
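Because default= is a 0-based index into the title entries, the classic mistake is a value that points past the last entry, or one that no longer points at the kernel you meant after a new kernel has been inserted at the top. The script below is an added example (not from this blog or from GRUB) that prints which title a grub.conf will boot and fails if default= is out of range; the grub.conf it parses is constructed and the kernel versions in it are placeholders.

```shell
#!/bin/bash
# Added example: show which entry /etc/grub.conf will boot and catch an out-of-range default=.
# The grub.conf content below is constructed; the kernel versions are placeholders.

# $1 = path to a grub.conf; prints the title selected by default=N (0-based, 0 if unset).
# Fails when N points past the last title, which leaves GRUB unable to boot the intended kernel.
grub_boot_title() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*default[ \t]*=/ { sub(/.*=[ \t]*/, ""); def = $0 + 0 }
        /^[ \t]*title[ \t]/ { sub(/^[ \t]*title[ \t]+/, ""); titles[n++] = $0 }
        END {
            if (n == 0 || def >= n) {
                print "default=" def " but only " n " title entries" > "/dev/stderr"
                exit 1
            }
            print titles[def]
        }
    ' "$1"
}

# Constructed grub.conf with two kernels, the newer one listed first.
grub_sample_conf() {
    cat <<'EOF'
# grub.conf (constructed sample)
default=1
timeout=5
title Red Hat Enterprise Linux (2.6.32-NEW.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-NEW.el6.x86_64 ro root=/dev/mapper/vg-lv_root
        initrd /initramfs-2.6.32-NEW.el6.x86_64.img
title Red Hat Enterprise Linux (2.6.32-OLD.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-OLD.el6.x86_64 ro root=/dev/mapper/vg-lv_root
        initrd /initramfs-2.6.32-OLD.el6.x86_64.img
EOF
}

# Stand-alone run over the constructed file.
tmp=$(mktemp); grub_sample_conf > "$tmp"
grub_boot_title "$tmp"
rm -f "$tmp"
```

With default=1 the sample boots the OLD kernel even though NEW sits at the top of the file; run the check after every kernel install or manual edit of grub.conf and before rebooting.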

Install and update software packages from Red Hat Network, a remote repository, or from the local filesystem

Put the URL of the yum repository in /etc/yum.repos.d/filename.repo (for a repository server on the LAN); otherwise the system uses the repositories it already knows (Red Hat Network). Then:
# yum install package_name
# yum search package_name
# yum update package_name

Configure a system to run a default configuration FTP server

1) yum install vsftpd
2) Open /etc/vsftpd/vsftpd.conf and check
local_enable=YES
3) Set anonymous_enable=YES only if anonymous access is required
4) service vsftpd restart
5) chkconfig vsftpd on

Configure a system to run a default configuration HTTP server

yum install httpd
1) Place the index.html file in /var/www/html
2) Open /etc/httpd/conf/httpd.conf, find ServerName and set it to the required site name
eg:
ServerName www.host1.domain10.com
3) service httpd restart
4) chkconfig httpd --level 5 on

Now open a browser and enter the site, eg. www.host1.domain10.com, to get the index.html page.

Configure network services to start automatically at boot

To start a service automatically at boot (in runlevel 5 here) type
# chkconfig servicename --level 5 on

Install Red Hat Enterprise Linux automatically using Kickstart

First boot the system from the CD-ROM and at the boot prompt type a command like this, substituting your own values:
linux ks=http://192.168.1.2/pub/ks.cfg
or
linux ks=ftp://host/ks.cfg
or
linux ks=nfs:host:/ks.cfg

Configure systems to boot into a specific runlevel automatically

Edit /etc/inittab and change the initdefault line (id:N:initdefault:) so that N is the runlevel we want, from 1 to 5; never put 0 or 6 there, as the system would halt or reboot as soon as it came up.

Schedule tasks using cron

# crontab -e -u username
Now enter a line like the one below; the five fields have the following meaning:
* * * * * command
min  hour  DOM   MOY   DOW
0-59 0-23  1-31  1-12  0-7  (0 or 7 = Sun, 1 = Mon, ...)

Example: users often forget to shut down their machines and go home,
so the machine should shut down automatically at 11 pm.

# crontab -e (as root)
============
00 23 * * * /sbin/shutdown -h now
(the extra user-name field seen in /etc/crontab is not used in a per-user crontab)

To see the cron jobs of a user
# crontab -l -u username
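cron silently rejects or misreads a line whose time fields are out of range, and the job then never runs. The script below is an added example (not from this blog or from cron) that validates the five time fields of a crontab line before it is installed; it handles *, single values, ranges, comma lists and /step suffixes, but not month or weekday names such as Mon. The crontab lines it is run over are constructed.

```shell
#!/bin/bash
# Added example: validate the five time fields of a crontab line before installing it.
# Handles *, single values, ranges (a-b), lists (a,b,c) and /step suffixes; names such
# as Mon are not handled. The lines checked at the bottom are constructed samples.

# $1 = one field, $2 = lowest allowed value, $3 = highest allowed value.
cron_field_ok() {
    local rest=$1 lo=$2 hi=$3 item a b
    while [ -n "$rest" ]; do
        item=${rest%%,*}                  # next comma-separated item
        [ "$item" = "$rest" ] && rest= || rest=${rest#*,}
        item=${item%%/*}                  # drop any /step suffix
        case $item in
            '*') continue ;;
            *-*) a=${item%-*}; b=${item#*-} ;;
            *)   a=$item; b=$item ;;
        esac
        case $a in ''|*[!0-9]*) return 1 ;; esac
        case $b in ''|*[!0-9]*) return 1 ;; esac
        [ "$a" -ge "$lo" ] && [ "$b" -le "$hi" ] && [ "$a" -le "$b" ] || return 1
    done
    return 0
}

# $1 = a full crontab line ("min hour dom month dow command").
# Returns 0 when every time field is within range and a command is present.
validate_cron_line() {
    local m h dom mon dow cmd
    read -r m h dom mon dow cmd <<EOF
$1
EOF
    [ -n "$cmd" ] || return 1
    cron_field_ok "$m" 0 59 && cron_field_ok "$h" 0 23 && cron_field_ok "$dom" 1 31 \
        && cron_field_ok "$mon" 1 12 && cron_field_ok "$dow" 0 7
}

# Stand-alone run over constructed lines.
for line in "00 23 * * * /sbin/shutdown -h now" \
            "*/15 8-18 * * 1-5 /usr/local/bin/backup" \
            "60 23 * * * /bin/true"; do
    if validate_cron_line "$line"; then echo "ok:  $line"; else echo "bad: $line"; fi
done
```

The fields are read with read rather than word-split, so the * characters are never expanded against file names in the current directory, a mistake that is easy to make in shell scripts that handle crontab text.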

Configure networking and hostname resolution statically or dynamically

Static configuration of DNS:
Open /etc/resolv.conf and enter
nameserver ip_of_dns_server

Configuring hostnames statically

Open /etc/hosts and enter a resolution, eg
192.168.1.1 abc.xyz.org

Create and manage Access Control Lists (ACLs)

ACLs are an addition to the standard Unix file permissions (r, w, x, -) for user, group and other. They give users and administrators fine-grained control over who can read, write and execute a file, beyond the single owner and single group of the classic model.

# getfacl filename
(shows the file's permissions and ACL entries)

# setfacl -m u:user:rw- filename
(gives user read and write permission on filename)

# ls -l
shows which files have an access control list applied ("+" sign after the permission column)
Example: -rw-rw-r--+

Create and configure set-GID directories for collaboration

Linux files can be setuid or setgid. When a user executes a setuid file, the program runs with the effective user ID of the file's owner rather than that of the user. Similarly, when a user executes a setgid file, the program runs with the effective group ID of the file's group owner rather than that of the user.
Directories can also be setgid. When a user creates a file in a non-setgid directory, the group ownership of the file is set to the user's primary group. However, when a user creates a file in a setgid directory, the group ownership of the file is set to the group owner of the directory, which is what makes such a directory usable for collaboration.

# chmod u+s filename
# chmod g+s filename/directoryname
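The two sides of this section are worth seeing together: a setgid directory is what you deliberately create for a team, while set-UID files are what you want to keep an eye on, because each one runs with its owner's privileges for whoever executes it. The script below is an added example (not from this blog) that creates a collaboration directory with mode 2770, confirms the setgid bit with find, and lists set-UID files under a tree; the directory and file names are constructed, and the group argument is optional because chgrp only succeeds for a group the caller is a member of.

```shell
#!/bin/bash
# Added example: set up a setgid collaboration directory and audit a tree for set-UID files.
# The directory and file names are constructed; the group argument is optional because
# chgrp only succeeds for a group the caller belongs to.

# $1 = directory, $2 = owning group (optional). Mode 2770: owner and group have full
# access, others nothing, and the setgid bit makes new files inherit the directory's group.
make_collab_dir() {
    mkdir -p "$1"
    [ -z "$2" ] || chgrp "$2" "$1"
    chmod 2770 "$1"
}

# Succeeds when the setgid bit is set on the directory.
is_setgid_dir() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -2000 2>/dev/null)" ]
}

# List set-UID files under a tree; each one runs with its owner's privileges, so the
# list should be short and every entry explainable (compare with what rpm -V reports).
list_setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Stand-alone run in a scratch tree.
scratch=$(mktemp -d)
make_collab_dir "$scratch/shared"
is_setgid_dir "$scratch/shared" && echo "setgid bit set on $scratch/shared"
touch "$scratch/shared/tool"; chmod 4755 "$scratch/shared/tool"
list_setuid_files "$scratch"
rm -rf "$scratch"
```

On a real host run list_setuid_files / once after installation and keep the output; a later run that shows a new entry is something to explain before anything else. The -xdev flag keeps find on one file system so it does not wander into NFS or /proc.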

Extend existing unencrypted ext4-formatted logical volumes

For extending the logical volume /dev/vgname/lvname
# e2fsck -f /dev/vgname/lvname
(run the check while the volume is unmounted)
# lvextend -L size /dev/vgname/lvname
# resize2fs /dev/vgname/lvname

Configure systems to mount ext4, LUKS-encrypted and network file systems automatically

Mount ext4 automatically
Open /etc/fstab and enter
/dev/sdb1 /mountpoint ext4 defaults 0 0

Mount LUKS-encrypted automatically
Discussed in the post
Luks

Mount NFS automatically
Open /etc/fstab and enter
nfsserver:/mount_dir /mountpoint nfs defaults 0 0

Mount and unmount CIFS and NFS network file systems

CIFS
# mount -t cifs //server/share /mountpoint -o user=username
# umount /mountpoint

NFS
# mount -t nfs hostname:/exported_dir /mountpoint
# umount /mountpoint

Mount, unmount and use LUKS-encrypted file systems

Given in the post
Luks filesystem

Create, mount, unmount and use ext2, ext3 and ext4 file systems

Creation of a file system
The partition is created the same way as discussed before:
# fdisk /dev/sdb
then press
n
select an extended or primary partition
give the size
then type t
and give the code for the particular partition type, like 82 for Linux swap or 8e for Linux LVM
finally type
w
Then create the file system on the new partition:
# mkfs.ext4 /dev/sdb1
(use mkfs.ext2 or mkfs.ext3 for the other two types)

Mount and umount the file system
# mount /dev/sdb1 /mountpoint
# umount /mountpoint

Add new partitions, logical volumes and swap to a system non-destructively

First make a partition of type "Linux swap" (code 82) using fdisk. Suppose /dev/sdb2 is that partition.
Then type
# mkswap /dev/sdb2
# swapon /dev/sdb2
# swapon -s
(this will show you all swap devices)
To keep the swap across reboots add the line
/dev/sdb2 swap swap defaults 0 0
to /etc/fstab.

Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label

To find the UUID type
# blkid devicename
where devicename is /dev/sdb1 etc.

Then open /etc/fstab and enter
UUID=... /mountpoint ext4 defaults 0 0
where the UUID value comes from the blkid command.
ext4 can be replaced by the type of the file system.

Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot

Suppose a partition named /dev/sdb1 is available.
First format it with LUKS (this destroys the existing data and asks for the passphrase):
# cryptsetup luksFormat /dev/sdb1

Now open the encrypted partition, giving the mapping a name:
# cryptsetup luksOpen /dev/sdb1 newname

Now create an ext4 or ext3 file system on the mapped device:
# mkfs.ext4 /dev/mapper/newname

Now in /etc/crypttab enter
newname /dev/sdb1 none
(none means the passphrase is asked for at boot)

Finally in /etc/fstab enter
/dev/mapper/newname /mountpoint ext4 defaults 1 2

If permanent changes are not required, just mount it by hand:
# mount /dev/mapper/newname /mountpoint
# umount /mountpoint
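The crypttab and fstab entries must agree: /dev/mapper/newname only exists after crypttab has opened it, so an fstab line that refers to a mapping crypttab does not know about makes the boot stall at the mount step. The script below is an added example (not from this blog) that cross-checks the two files; the fstab and crypttab it reads are constructed, and the names secret, data and the UUID placeholder in them are made up. LVM volumes also appear under /dev/mapper (as vg-lv), so on a real host compare anything it reports against the output of lvs before treating it as an error.

```shell
#!/bin/bash
# Added example: check that every /dev/mapper device mounted from /etc/fstab has a
# matching /etc/crypttab entry, so the mapping exists before the mount is attempted at boot.
# The two files are constructed; the names secret, data and the UUID are placeholders.

# $1 = fstab path, $2 = crypttab path. Prints each /dev/mapper/NAME in fstab that has
# no crypttab line for NAME; exits 1 if any were printed.
missing_crypttab_entries() {
    awk -v crypttab="$2" '
        BEGIN {
            while ((getline line < crypttab) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                split(line, f); mapped[f[1]] = 1
            }
        }
        /^[ \t]*(#|$)/ { next }
        $1 ~ /^\/dev\/mapper\// {
            name = substr($1, 13)            # strip the 12-character "/dev/mapper/" prefix
            if (!(name in mapped)) { print name; missing++ }
        }
        END { exit (missing > 0) }
    ' "$1"
}

fstab_sample() {
    cat <<'EOF'
# constructed /etc/fstab
/dev/vg/lv_root         /        ext4  defaults  1 1
UUID=0000-PLACEHOLDER   /boot    ext4  defaults  1 2
/dev/mapper/secret      /secret  ext4  defaults  1 2
/dev/mapper/data        /data    ext4  defaults  1 2
EOF
}

crypttab_sample() {
    cat <<'EOF'
# constructed /etc/crypttab: name  device  key (none = ask at boot)
secret  /dev/sdb1  none
EOF
}

# Stand-alone run over the constructed files.
f=$(mktemp); c=$(mktemp)
fstab_sample > "$f"; crypttab_sample > "$c"
missing_crypttab_entries "$f" "$c" || echo "the names above are mounted from fstab but never opened by crypttab"
rm -f "$f" "$c"
```

In the sample, data is mounted from fstab but has no crypttab line, which is exactly the state you get after testing a volume with luksOpen by hand and then adding only the fstab entry.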

Create and remove physical volumes, assign physical volumes to volume groups, create and delete logical volumes

Create and remove physical volumes
Suppose the device /dev/sdb (a whole disk, or a partition of type Linux LVM) is available.
To create a PV
# pvcreate /dev/sdb
To remove a PV
# pvremove /dev/sdb

Assign physical volumes to volume groups
# vgcreate -s size vgname /dev/sdb
(-s sets the physical extent size and may be left out)

Create and delete logical volumes
# lvcreate -L size -n lvname vgname
Delete
# lvremove /dev/vgname/lvname

List, create, delete and set partition type for primary, extended, and logical partitions

List partitions
# fdisk -l

Create partition
# fdisk /dev/vda
(vda can be replaced by sda if it is not a virtual machine)
Then press
n
After that select e or p for an extended or primary partition type (logical partitions are created inside an extended one).
Then give the appropriate size.
To set the partition type, press t and enter the code (82 = Linux swap, 8e = Linux LVM).
Type
p
to print the partition table and check the newly created partition, then finally type
w
to write the table to disk.

Start, stop and check the status of network services

# service network start
# service network stop
# service network status
# service network restart

Access a virtual machine's console

This is preferably done in GUI mode, as it is very easy to follow. Go to Applications, find Virtual Machine Manager and start it. You can also stop a VM from there, and even shut it down forcefully.
From the command line use
# virt-manager
I have also discussed this in my post
VM installation

Locate and interpret system log files

/var/log/messages is the main system log
# tail -n 10 -f /var/log/messages
The above command shows the last 10 lines of the log and keeps printing new lines as they arrive

Identify CPU/memory intensive processes, adjust process priority with renice, and kill processes

Identify CPU/memory intensive processes
# top
and
# ps -el

Adjust priority:
# renice -n value -p pid
where value is between -20 (highest priority) and 20 (lowest priority); only root can give a process a higher priority

Kill process
# pgrep processname
Find the process id
Then with that process id
# kill pid
(this sends SIGTERM; use kill -9 pid only if the process does not exit)

Use single-user mode to gain access to a system

Reboot the system and press 'a' at the GRUB menu to append to the kernel line, then add ' 1' at the end to boot into single-user mode. You land directly in a root shell without a password prompt, which is why physical access to a machine (and a GRUB password) matters. To get back to GUI mode enter init 5.

Boot systems into different runlevels manually

There are the following runlevels:
Runlevel 0 - Halt
Runlevel 1 - Single-user mode
Runlevel 2 - Basic multi-user mode, without networking
Runlevel 3 - What servers usually run in: all the services of a normal server, without the graphical user interface
Runlevel 4 - For future use
Runlevel 5 - GUI mode
Runlevel 6 - Reboot

The command to be given is
# init no.
where no. is from 0 to 6

Boot, reboot, and shut down a system normally

Reboot
# reboot
or
# init 6

Shutdown
# shutdown -h now

Locate, read and use system documentation including man, info, and files in /usr/share/doc .

# man command
# info command
# grep -ri keyword /usr/share/doc/package

List, set and change standard ugo/rwx permissions

Change a user's primary group
# usermod -g groupname username

Change group ownership
# chgrp root filename

Change ownership
# chown username:groupname filename

Change permission

# chmod xxx filename
(where xxx are octal digits like 644, 755, etc. representing the user, group and other permissions)

or
# chmod u=rwx,g=rx,o=rx filename

List permissions

# ls -l

Create hard and soft links

1) Soft link
It is a shortcut: a small file holding the path of the target, so it can point across file systems and to directories, and it breaks if the target is removed.
# ln -s targetfile nameoflink

For eg -> ln -s /usr/bin/clear /sbin/c


2) Hard link
It is also a second name for the file, but unlike a soft link it is a directory entry for the same inode: the data stays until the last name is removed, and it cannot cross file systems or point to a directory.
# ln targetfile nameoflink

Create, delete, copy and move files and directories

cp -> copy (for files)
cp -a -> copy (for directories)
cp -p -> copy and preserve date and time

mv -> move OR rename

rmdir -> remove empty directory
rm -> remove (for files)
rm -f -> remove forcefully (for files)
rm -r -> remove recursively (for directories)

Create and edit text files

To create a file
# touch filename

# vi filename

i = enter insert mode
esc = leave insert mode
dd = delete line
yy = copy line
p = paste
:wq = save and quit

Archive, compress, unpack and uncompress files using tar, star, gzip, and bzip2

1) Making a tar archive from the folder named test
# tar -cvf test.tar test

2) Untarring
# tar -xvf test.tar

3) To convert to test.tar.Z
# compress test.tar

4) Uncompress
# uncompress test.tar.Z

5) gzip
(compress)
# gzip test.tar
(uncompress)
# gunzip test.tar.gz
or
(compress)
# tar -zcvf test.tar.gz folder_to_compress
(uncompress)
# tar -zxvf test.tar.gz


6) bzip2
# bzip2 test.tar
or
(compress)
# tar -jcvf test.tar.bz2 folder_to_compress
(uncompress)
# tar -jxvf test.tar.bz2

Log in and switch users in multi-user runlevels

To switch user (the - gives a full login shell with that user's environment)
# su - username

To switch to root
# su

Access remote systems using ssh and VNC

1) Basic ssh access
# ssh user@host

2) VNC
vncviewer is an Xt-based client application for the VNC (Virtual Network Computing) system. It can connect to any VNC-compatible server such as Xvnc or WinVNC, allowing you to control the desktop environment of a different machine.

# vncviewer host:port

Use grep and regular expressions to analyze text

1) grep 'word' filename

2) cat filename | grep 'something'

Regular expressions

1) The following example displays only the lines starting with vivek:
grep ^vivek /etc/passwd

2) Find lines ending with the word foo:
grep 'foo$' filename

3) Match a line containing only foo:
grep '^foo$' filename

4) You can match two numeric digits (i.e. match foo11, foo12, etc.):
grep 'foo[0-9][0-9]' filename
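The same anchors and bracket expressions are what you use to pull suspicious entries out of system files, which is a more useful exercise than matching foo. The script below is an added example (not from this blog) that applies them to /etc/passwd-style data: accounts whose UID field is exactly 0, accounts whose password field is empty instead of "x", and accounts that can get an interactive shell. The passwd lines are constructed, including the names toor, guest and backup.

```shell
#!/bin/bash
# Added example: use grep anchors and character classes to pull risky entries out of
# /etc/passwd-style data. The passwd lines are constructed, not from a real system.

passwd_sample() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:second uid 0:/root:/bin/bash
vivek:x:500:500:Vivek:/home/vivek:/bin/bash
guest:x:501:501::/home/guest:/bin/bash
backup::502:502:no password field:/home/backup:/bin/sh
EOF
}

# Accounts whose third field (UID) is exactly 0: any name other than root here needs explaining.
# [^:]* matches one field, and the anchored "0:" must be the whole third field.
uid0_accounts() {
    grep -E '^[^:]+:[^:]*:0:' | cut -d: -f1
}

# Accounts with an empty password field in passwd (it should be "x", pointing to /etc/shadow).
empty_password_field() {
    grep -E '^[^:]+::' | cut -d: -f1
}

# Accounts that can get an interactive shell (shell field is not nologin or false).
interactive_accounts() {
    grep -Ev ':(/sbin/nologin|/bin/false)$' | cut -d: -f1
}

# Stand-alone run over the constructed data.
echo "uid 0:";          passwd_sample | uid0_accounts
echo "empty password:"; passwd_sample | empty_password_field
echo "interactive:";    passwd_sample | interactive_accounts
```

On a real host replace passwd_sample with "cat /etc/passwd"; the second UID-0 account (toor) and the empty password field (backup) are the two findings that matter.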

Use input-output redirection (>, >>, |, 2>, etc.)

> : overwrite the target file with the command's output
>> : append the command's output to the target file
0< : read standard input from a file
1> : redirect standard output (the same as >)
2> : redirect standard error
2>&1: send standard error to wherever standard output currently points

Examples:
1) cat file1 > file2
(overwrites the contents of file2 with file1)

2) cat file1 >> file2
(appends file1 to file2)

3) cat file1 > /dev/test 2>&1
(if the command fails, the error message goes to the same place as the normal output, so /dev/test receives everything whether the command succeeds or not)
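The part of example 3 that trips people up is that redirections are applied from left to right, so "> file 2>&1" and "2>&1 > file" are not the same command. The script below is an added example (not from this blog) that runs a constructed command writing to both streams under both orders and reports where each line landed, and then shows splitting the two streams into separate files with 2>.

```shell
#!/bin/bash
# Added example: show that the order of > and 2>&1 decides where stderr ends up.
# noisy is a constructed stand-in for any command that writes to both streams.

noisy() {
    echo "normal output"
    echo "error output" >&2
}

# Redirections are applied left to right, and 2>&1 copies wherever stdout points
# at that moment. Prints three fields: file1|file2|leaked, where
#   file1  = what "> file 2>&1" put in the file (both streams),
#   file2  = what "2>&1 > file" put in the file (stdout only),
#   leaked = what the second form sent to the original stdout (the stderr line).
redirect_order_demo() {
    local f1 f2 g
    f1=$(mktemp); f2=$(mktemp); g=$(mktemp)
    noisy > "$f1" 2>&1                  # 1 -> f1, then 2 -> (current 1) = f1
    { noisy 2>&1 > "$f2"; } > "$g"      # 2 -> (current 1) = g, then 1 -> f2
    printf '%s|%s|%s\n' "$(paste -s -d, "$f1")" "$(paste -s -d, "$f2")" "$(paste -s -d, "$g")"
    rm -f "$f1" "$f2" "$g"
}

# Split the streams instead of merging them: stdout to one file, stderr to another.
split_streams_demo() {
    local out err
    out=$(mktemp); err=$(mktemp)
    noisy > "$out" 2> "$err"
    printf '%s|%s\n' "$(cat "$out")" "$(cat "$err")"
    rm -f "$out" "$err"
}

# Stand-alone run.
redirect_order_demo
split_streams_demo
```

The first line of output reads "normal output,error output|normal output|error output": only the "> file 2>&1" order captured both streams, which is the order to use in cron jobs and scripts whose errors must not vanish.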

Saturday, July 30, 2011

Access a shell prompt and issue commands with correct syntax

After logging into Linux, what you see is the bash shell, where you can issue commands.
I am just listing the basic commands here which can be used in the exam. More commands will follow.

ls -> list content
ls -l -> list content in long listing format
alias -> display all aliases for the current user
exit -> log out from the system
cd .. -> change to the parent directory
cd - -> change to the previous directory
cd -> change to the home directory
ps -> display process status of the current terminal
ps -l -> display process status of the current terminal in long format
Ctrl+c -> cancel/quit the running process
Ctrl+r -> search the command history
Ctrl+l -> clear screen
Ctrl+d -> log out
Ctrl+Alt+Delete -> reboot

Installing RHEL 6 on Vmware/Virtual box

I personally installed VirtualBox in Ubuntu and then installed RHEL 6 in it. VirtualBox is freely available.

For installing VirtualBox in Ubuntu give the command
apt-get install virtualbox

Then, after starting VirtualBox, create a new virtual machine inside it, selecting the OS as Linux and giving an approximate maximum disk size of 10 GB. A minimum of 6.5 GB is required for installing RHEL 6. After that point it to the .iso file of RHEL 6 and keep everything else at the defaults.

After that power on the virtual machine and start installing RHEL. From here on you install RHEL just like on a physical machine, without worrying about corrupting or losing your actual physical machine.

Steps for installing RHEL 6 (same for VMware and VirtualBox)
1) Select the "Install or upgrade" option.

2) Keep the other things default until you are asked for the device, where you select CD/DVD and skip the checking of the device.

3) A warning comes, where you should select "Install anyway".

4) Another warning appears, where you have to select "Reinitialize all".

5) Follow the simple steps as indicated until you reach the point where you need to select a custom layout. Now make one partition of 6.5 GB with mount point "/" and type "ext4", then format it.

6) Select the "Software Development Workstation" software set for installing and click Next.

7) After that a progress bar comes, where you just need to let things happen on their own. Finally reboot.

8) You are done, and RHEL 6 now starts as usual.

RHCE objectives

I am listing down the RHCE objectives directly from red hat website.

System Configuration and Management

Route IP traffic and create static routes
Use iptables to implement packet filtering and configure network address translation (NAT)
Use /proc/sys and sysctl to modify and set kernel run-time parameters
Configure system to authenticate using Kerberos
Build a simple RPM that packages a single file
Configure a system as an iSCSI initiator that persistently mounts an iSCSI target
Produce and deliver reports on system utilization (processor, memory, disk, and network)
Use shell scripting to automate system maintenance tasks
Configure a system to log to a remote system
Configure a system to accept logging from a remote system

Network Services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

Install the packages needed to provide the service
Configure SELinux to support the service
Configure the service to start when the system is booted
Configure the service for basic operation
Configure host-based and user-based security for the service

RHCE candidates should also be capable of meeting the following objectives associated with specific services:
HTTP/HTTPS

Configure a virtual host
Configure private directories
Deploy a basic CGI application
Configure group-managed content

DNS

Configure a caching-only name server
Configure a caching-only name server to forward DNS queries
Note: Candidates are not expected to configure master or slave name servers

FTP

Configure anonymous-only download

NFS

Provide network shares to specific clients
Provide network shares suitable for group collaboration

SMB

Provide network shares to specific clients
Provide network shares suitable for group collaboration

SMTP

Configure a mail transfer agent (MTA) to accept inbound email from other systems
Configure an MTA to forward (relay) email through a smart host

SSH

Configure key-based authentication
Configure additional options described in documentation

RHCSA objectives

I am at first making list of Rhcsa objectives so that you can refer them easily. These are taken directly from Red hat website.

Understand and Use Essential Tools


Access a shell prompt and issue commands with correct syntax

Use input-output redirection (>, >>, |, 2>, etc.)

Use grep and regular expressions to analyze text


Access remote systems using ssh and VNC

Log in and switch users in multi-user runlevels

Archive, compress, unpack and uncompress files using tar, star, gzip, and bzip2


Create and edit text files

Create, delete, copy and move files and directories

Create hard and soft links

List, set and change standard ugo/rwx permissions


Locate, read and use system documentation including man, info, and files in /usr/share/doc .

[Note: Red Hat may use applications during the exam that are not included in Red Hat Enterprise Linux for the purpose of evaluating candidate's abilities to meet this objective.]

Operate Running Systems


Boot, reboot, and shut down a system normally

Boot systems into different runlevels manually

Use single-user mode to gain access to a system


Identify CPU/memory intensive processes, adjust process priority with renice, and kill processes


Locate and interpret system log files

Access a virtual machine's console

Start, stop and check the status of network services

Configure Local Storage


List, create, delete and set partition type for primary, extended, and logical partitions

Create and remove physical volumes, assign physical volumes to volume groups, create and delete logical volumes


Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot

Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label

Add new partitions, logical volumes and swap to a system non-destructively


Create and Configure File Systems

Create, mount, unmount and use ext2, ext3 and ext4 file systems


Mount, unmount and use LUKS-encrypted file systems

Mount and unmount CIFS and NFS network file systems

Configure systems to mount ext4, LUKS-encrypted and network file systems automatically

Extend existing unencrypted ext4-formatted logical volumes

Create and configure set-GID directories for collaboration


Create and manage Access Control Lists (ACLs)

Deploy, Configure and Maintain Systems


Configure networking and hostname resolution statically or dynamically


Schedule tasks using cron

Configure systems to boot into a specific runlevel automatically

Install Red Hat Enterprise Linux automatically using Kickstart

Configure a physical machine to host virtual guests

Install Red Hat Enterprise Linux systems as virtual guests


Configure network services to start automatically at boot


Configure a system to run a default configuration HTTP server

Configure a system to run a default configuration FTP server


Install and update software packages from Red Hat Network, a remote repository, or from the local filesystem


Update the kernel package appropriately to ensure a bootable system. Modify the system bootloader

Configure a system to run a default configuration NTP server and synchronize time using other NTP peers


Manage Users and Groups

Create, delete, and modify local user accounts


Change passwords and adjust password aging for local user accounts

Create, delete and modify local groups and group memberships

Configure a system to use an existing LDAP directory service for user and group information


Manage Security

Configure firewall settings using system-config-firewall or iptables

Set enforcing and permissive modes for SELinux

List and identify SELinux file and process context

Restore default file contexts

Use boolean settings to modify system SELinux settings

Diagnose and address routine SELinux policy violations

RHCSA and RHCE passed (RHEL 6)

Hi everyone, I cleared my Red Hat Certified System Administrator and Red Hat Certified Engineer exams last Monday with a score of 282/300 in RHCSA and 273/300 in RHCE.

There have been around 20% changes in the RHEL 6 exams as compared to the earlier RHEL 5 exam. The most important is that the exam is now on a virtual machine rather than a physical machine. As a result there have been quite a few changes, and the exam has become a bit more time consuming than the previous one, as we need to use the physical machine for testing purposes. Especially RHCE is really difficult to complete in 2 hrs. Again, SELinux is one of the most important parts, without which it is impossible to clear RHCE.

I studied for this exam for exactly 1 month after I gave my last semester exam of computer engineering. I gave both RHCSA and RHCE on the same day, and I studied as per the objectives given on the Red Hat site. I will be making notes of whatever I studied in the coming posts.

RHCSA objectives
RHCE objectives