======================
RHCSA/RHCE study notes
======================

Lessons learned:
================

* To create your own repos:

  * Download packages to a directory of your choice
  * ``createrepo ${directory}``
  * Create the ``/etc/yum.repos.d/${file}`` repo file. At a minimum::

      # cat /etc/yum.repos.d/inst.repo
      [${name}]
      name=${appropriately descriptive name}
      baseurl=${protocol}://${ip}/${directory}

    A stock RHEL ``/etc/yum.conf`` sets ``gpgcheck=1`` in ``[main]``, so every package from this repo has to verify against a signing key that is either imported into the rpm database or named by the *gpgkey* option below.
  * Import the public keys::

      cd ${directory}
      for f in *GPG*
      do
          echo rpm --import ${f}
          rpm --import ${f}
      done

  * If, for some reason, you don't want to import the keys, add the *gpgkey* option to the stanza::

      gpgkey=${protocol}://${ip}/${directory}/${gpg_key}

    ... would seem easier just to import the damn things...

* Remove ``rhgb`` from the kernel line in ``grub.conf`` to see the start up script process rather than that annoying progress bar.
* rhel6 inittab contains only one line: ``id:5:initdefault:``
* ``netstat -atunp`` displays open ports. Quicker/cleaner than executing ``netstat -an | grep -i -e listen -e establish``. Anything bound to ``0.0.0.0`` or ``::`` is reachable from the network; ``127.0.0.1`` and ``::1`` are local only::

      # netstat -atunp
      Active Internet connections (servers and established)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
      tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1245/rpcbind
      tcp        0      0 0.0.0.0:48276           0.0.0.0:*               LISTEN      1320/rpc.statd
      tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1505/vsftpd
      tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1494/sshd
      tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1375/cupsd
      tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1585/master
      tcp        0      0 192.168.122.50:22       192.168.122.1:56570     ESTABLISHED 1855/sshd
      tcp        0      0 :::111                  :::*                    LISTEN      1245/rpcbind
      tcp        0      0 :::22                   :::*                    LISTEN      1494/sshd
      tcp        0      0 ::1:631                 :::*                    LISTEN      1375/cupsd
      tcp        0      0 :::55447                :::*                    LISTEN      1320/rpc.statd
      tcp        0      0 ::1:25                  :::*                    LISTEN      1585/master
      udp        0      0 0.0.0.0:111             0.0.0.0:*                           1245/rpcbind
      udp        0      0 0.0.0.0:53360           0.0.0.0:*                           1320/rpc.statd
      udp        0      0 0.0.0.0:631             0.0.0.0:*                           1375/cupsd
      udp        0      0 0.0.0.0:648             0.0.0.0:*                           1320/rpc.statd
      udp        0      0 0.0.0.0:996             0.0.0.0:*                           1245/rpcbind
      udp        0      0 :::111                  :::*                                1245/rpcbind
      udp        0      0 :::36913                :::*                                1320/rpc.statd
      udp        0      0 :::996                  :::*                                1245/rpcbind

* ``blkid`` identifies the UUID of devices::

      # blkid /dev/mapper/vg00-root
      /dev/mapper/vg00-root: UUID="1509679d-ff00-4d6d-bda4-1821d9052567" TYPE="ext4"

* Show function - very useful for messing with iptables. Numbers the rules in a chain the same way ``iptables -L --line-numbers`` does, and picks the nat table automatically for the PREROUTING/POSTROUTING chains::

      show() {
          chain=${1:-FORWARD}
          chain=$(echo ${chain} | tr '[a-z]' '[A-Z]')    # chain names are upper case
          echo ${chain} | \
              grep -qi -e ^prerouting -e ^postrouting && args="-t nat" || args=""
          c=1; iptables ${args} -L ${chain} -n | while read line
          do
              # rule lines start with a target; anything else is a header line.
              # Rules jumping to a user-defined chain (e.g. SSH_CHAIN) need that
              # name added here or they won't be numbered.
              echo "${line}" | grep -qi -e ^accept -e ^reject -e ^drop -e masq -e ^dnat
              if [ $? -eq 0 ]
              then
                  printf "%02d %s\n" ${c} "${line}"
                  c=$((c+1))
              else
                  printf "%2s %s\n" "." "${line}"
              fi
          done
      }

Notes:
======

Chapters 1-3:
-------------

03/30/14: Seems I lost the notes for my rhcsa test. Interesting as I'm usually quite good at keeping track of those. I even have crap from classes that were more than a decade ago. Any rate, going over the rhcsa chapters just to ensure I have all the requisite info.

* I rearranged data twixt mgmt and vmhost. Most of the *permanent* data will reside on mgmt. Also set up a git repo for the kickstart files. Central repo's on mgmt.
* I re-imaged vmhost again. It still has the CentOS yum repos. Need to remember how to make those go away. (done)
* Packages to install for kvm (group names with spaces have to be quoted)::

      yum -y groupinstall Virtualization
      yum -y groupinstall "Virtualization Client"
      yum -y groupinstall "Virtualization Platform"
      yum -y groupinstall "Virtualization Tools"

* Autostart:

  * ``virsh autostart ${dom}`` (equivalent to ``ln -s /etc/libvirt/qemu/${dom}.xml /etc/libvirt/qemu/autostart/${dom}.xml``)
  * ``virsh autostart --disable ${dom}`` (equivalent to ``unlink /etc/libvirt/qemu/autostart/${dom}.xml``)

I think I'm leaving it here for awhile. Finished chapters 1 & 2. I want to run through the kvm init at least one more time. Not something I do regularly so I tend to forget things - like how to create local repos, how to update the gpg key, how to reset the firewall if I have to update it via the system-config-firewall-tui, etc.
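Picking up the ``netstat -atunp`` item from the lessons-learned list above: the question that listing really answers is which daemons other hosts can talk to. The following is an added Python check, not code from these notes, that parses such a listing and separates sockets reachable from the network from those bound to loopback. The sample text is an excerpt of the netstat output quoted above (constructed here as a string so the check runs offline); the parser itself is generic for the ``-atunp`` column layout.

```python
"""Audit a ``netstat -atunp`` listing: what is reachable from the network?

Added example, not code from the notes. The sample text is an excerpt of the
netstat output quoted in the lessons-learned section.
"""

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: an excerpt of the netstat -atunp listing shown above.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1245/rpcbind
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1505/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1494/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1375/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1585/master
tcp        0      0 192.168.122.50:22       192.168.122.1:56570     ESTABLISHED 1855/sshd
tcp        0      0 :::22                   :::*                    LISTEN      1494/sshd
tcp        0      0 ::1:631                 :::*                    LISTEN      1375/cupsd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1245/rpcbind
udp        0      0 0.0.0.0:53360           0.0.0.0:*                           1320/rpc.statd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1375/cupsd
"""


def parse_netstat(text):
    """Yield (proto, bind_addr, port, state, program) for each socket line.

    TCP lines carry a State column and UDP lines do not, so the PID/Program
    field sits in a different column for each.
    """
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue                          # banner / header lines
        proto = fields[0][:3]                 # tcp6 -> tcp
        bind_addr, port = fields[3].rsplit(":", 1)   # works for ':::22' and '::1:631'
        if proto == "tcp":
            state, pidprog = fields[5], fields[6]
        else:
            state, pidprog = "", fields[5]
        program = pidprog.split("/", 1)[-1]   # "1245/rpcbind" -> "rpcbind"
        yield proto, bind_addr, int(port), state, program


def listeners(text):
    """Listening sockets as {(proto, port, bind_addr): program}.

    Only LISTEN-state TCP sockets count; a UDP socket is always 'listening'.
    """
    result = {}
    for proto, bind_addr, port, state, program in parse_netstat(text):
        if proto == "tcp" and state != "LISTEN":
            continue
        result[(proto, port, bind_addr)] = program
    return result


def exposed(text):
    """{(proto, port): program} for sockets other hosts can reach.

    Wildcard (0.0.0.0 / ::) and interface-address binds are reachable,
    loopback binds are not. A daemon that is loopback-only on IPv4 but
    bound to :: on IPv6 still shows up here, which is the case to catch.
    """
    return {(proto, port): program
            for (proto, port, bind_addr), program in listeners(text).items()
            if bind_addr not in LOOPBACK}


def local_only(text):
    """Programs whose every listening socket is bound to loopback."""
    by_program = {}
    for (proto, port, bind_addr), program in listeners(text).items():
        by_program.setdefault(program, []).append(bind_addr)
    return sorted(p for p, addrs in by_program.items()
                  if all(a in LOOPBACK for a in addrs))


if __name__ == "__main__":
    for key in sorted(exposed(SAMPLE)):
        proto, port = key
        print(f"exposed   {proto}/{port:<5} {exposed(SAMPLE)[key]}")
    print("local only:", ", ".join(local_only(SAMPLE)))
```

On the sample, ``master`` (postfix) is the only daemon that is purely local; ``cupsd`` is not, because its IPv4 TCP socket is on 127.0.0.1 but its UDP browse socket is on 0.0.0.0. That is the kind of thing the raw listing hides in plain sight.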
04/01/14: Chapter 3, basic command line tools. Pretty straight forward. No surprises.

04/04/14: First thing to do, generate outsider1, then continue w/chapter 4.

Chapter 4: RHCSA level security options:
----------------------------------------

+-----------+-----------------+
| Server    | IP              |
+===========+=================+
| server1   | 192.168.122.50  |
+-----------+-----------------+
| tester1   | 192.168.122.150 |
+-----------+-----------------+
| outsider1 | 192.168.200.100 |
+-----------+-----------------+

* umask: Even w/a umask of 0022, regular files won't be created w/execute bits enabled: applications create files from mode 0666 before the umask is applied, and only directories start from 0777. Security thing.
* lsattr/chattr: commands that can restrict even root from actions on specific files (root can still clear the attribute; the point is that a plain ``rm`` or an editor save fails). Attributes that can be set:

  * a: Append only
  * c: Compressed
  * d: no dump
  * e: extent format
  * i: immutable (no edits/deletes)
  * j: data journalling
  * s: secure deletion
  * t: no tail merging
  * u: undeletable - misnamed. File can be recovered; it's still deleted.
  * A: no atime updates - faster I/O
  * D: synchronous directory updates
  * S: synchronous updates
  * T: Top of directory hierarchy. Directories under /home are not related and should be stored on different blocks.

* iptables format::

      iptables [-t ${table}] -${action} ${chain} ${pattern} -j ${target}

  * table: filter or nat; filter is the default so you never have to type it.
  * action: ``[A|I|D|F|L] [OUTPUT|INPUT|FORWARD]``

    * A: append
    * I: insert
    * D: delete
    * F: flush
    * L: list

  * pattern:

    * -s CIDR (source)
    * -d CIDR (destination)

  * target (what to do):

    * DROP: no response to remote system.
    * REJECT: response sent to remote system
    * ACCEPT: duh

* iptables rules: need to find out what the system-config-firewall apps are doing. I updated the /etc/sysconfig/iptables file with the correct line, then restarted iptables. Not able to ftp into server1. Updated the file using the tui, and it works. RCS is saying there's no difference in the file. OK... WTF?? For now, use the system-config things, but need to figure that out.

  ::

      # rcsdiff iptables
      RCS file: RCS/iptables,v
      retrieving revision 1.2
      diff -r1.2 iptables

* selinux:

  * Change mode:

    * update /etc/sysconfig/selinux (persistent; takes effect at boot)
    * ``setenforce [ enforcing | permissive | 1 | 0 ]`` (runtime only)
    * ``echo [1|0] > /selinux/enforce`` (enforcing | permissive; runtime only)

  * semanage:

    * install via policycoreutils-python
    * Used to list/edit current policies
    * Examples:

      * ``semanage login -l``
      * ``semanage login -a -s user_u michael``: Adds the user_u selinux user constraint to michael. More on those constraints later. NOTE: Is not in effect if ``su - ${user}``; only if he logs in directly.

  * getsebool|setsebool:

    * Bunches of booleans
    * Only set for the life of the system unless the ``-P`` arg is supplied.

Chapter 5: boot process:
------------------------

* Can add other run levels, other than single, after the kernel in the grub menu:

  * [1-5]: run levels 1 - 5
  * single: doesn't execute run level 1 start scripts
  * init=/bin/sh: mounts / and runs /bin/sh. The lowest level, and the reason the grub password below matters: without it, anyone at the console gets a root shell.

* kernel args:

  * quiet: removes the initial boot display but still shows the start up process
  * rhgb: displays that annoying progress bar vs the start up process

* Password protecting grub:

  * ``grub-md5-crypt``: prints an md5 hash of the password typed.
  * ``password --md5 ${hash}``

    * Before the stanzas, protects the stanzas from editing.
    * Inside a stanza, prevents the execution of that stanza until the password is supplied.

* manually booting from the ``grub>`` prompt

  * Boot, interrupt, edit the appropriate stanza, then press ``c``.
  * At the ``grub>`` prompt, enter ``root`` to have the system search for the root partition.
  * Alternatively, ``find /grub/grub.conf``
  * ``cat (hd0,0)/grub/grub.conf``
  * Enter the lines one by one. Typing is going to be extremely critical. Exam study guide says you're supposed to get responses when the command executes. I did not get responses in my kvm env if the command was successful.
  * ``boot`` when everything's said and done.
* rhel6 inittab contains only one line: ``id:5:initdefault:``

And, done for the night.

Chapter 6: filesystem administration:
-------------------------------------

Before getting into this thing too far, I want to generate another 20 gig disk for use as my test bed.

//few seconds later. Sweet, got to love lessons learned::

    # virsh vol-create-as default part.img 20g
    Vol part.img created

    # virsh vol-list default
    Name                 Path
    -----------------------------------------
    outsider1.img        /var/lib/libvirt/images/outsider1.img
    part.img             /var/lib/libvirt/images/part.img
    server1.img          /var/lib/libvirt/images/server1.img
    tester1.img          /var/lib/libvirt/images/tester1.img

    # virsh domblklist server1
    Target     Source
    ------------------------------------------------
    vda        /var/lib/libvirt/images/server1.img

    # virsh attach-disk server1 /var/lib/libvirt/images/part.img vdb \
        --persistent
    Disk attached successfully

    # ssh server1 'grep -v -e vd[ab][0-9] -e dm- /proc/partitions'
    major minor  #blocks  name
     252        0   20971520 vda
     252       16   20971520 vdb

* Mostly standard shit. I didn't go through parted like I did the first time. Much more familiar with fdisk and it's guaranteed to be there.
* LVM is pretty standard too. God, I forgot there's a GUI for LVM. Really? That's embarrassing. Want to see what an exported vg looks like to the vgs command, though::

      # umount /mnt
      # vgexport vg01                   # didn't run vgchange -a n vg01 first
        Volume group "vg01" has active logical volumes
      # vgs                             # no change in vgs display
        VG   #PV #LV #SN Attr   VSize  VFree
        vg00   1   2   0 wz--n- 19.51g 11.94g
        vg01   1   1   0 wz--n- 20.00g 18.00g
      # vgchange -a n vg01
        0 logical volume(s) in volume group "vg01" now active
      # vgs                             # still no change in vgs display
        VG   #PV #LV #SN Attr   VSize  VFree
        vg00   1   2   0 wz--n- 19.51g 11.94g
        vg01   1   1   0 wz--n- 20.00g 18.00g
      # vgexport vg01
        Volume group "vg01" successfully exported
      # vgs                             # now an 'x' in the attr flags
        VG   #PV #LV #SN Attr   VSize  VFree
        vg00   1   2   0 wz--n- 19.51g 11.94g
        vg01   1   1   0 wzx-n- 20.00g 18.00g

* Linux Unified Key Setup (LUKS): Going to be some notes here. Haven't fucked w/LUKS since the RHCSA test.

  * Steps:

    1. Ensure kernel mods are in place:

       * ``lsmod | grep dm_crypt``
       * ``modprobe dm_crypt``

    2. Create the device to be encrypted: partition, lv, whatever.
    3. Format the device for luks: ``cryptsetup luksFormat ${dev}``
    4. Create the mapping for ${dev}: ``cryptsetup luksOpen ${dev} ${alias}``
    5. Create the filesystem on the mapping: ``mkfs.ext4 /dev/mapper/${alias}``
    6. Create/populate /etc/crypttab
    7. Update /etc/fstab as needed (mount ``/dev/mapper/${alias}``, never the raw ${dev}); mount, test, verify, reboot.

  * Example::

      # Step 1:
      # lsmod | grep dm_crypt
      # modprobe dm_crypt
      # lsmod | grep dm_crypt
      dm_crypt               12862  0
      dm_mod                 84209  9 dm_crypt,dm_mirror,dm_log

      # Step 2: left as exercise for reader.

      # Step 3:
      # cryptsetup luksFormat /dev/vg01/luks

      WARNING!
      ========
      This will overwrite data on /dev/vg01/luks irrevocably.

      Are you sure? (Type uppercase yes): YES
      Enter LUKS passphrase:
      Verify passphrase:

      # Step 4:
      # cryptsetup luksOpen /dev/vg01/luks luks
      Enter passphrase for /dev/vg01/luks:

      # Step 5:
      # mkfs.ext4 /dev/mapper/luks
      mke2fs 1.41.12 (17-May-2010)
      [[snip]]

      # Step 6:
      # cat /etc/crypttab
      luks /dev/vg01/luks none

    The third crypttab field is either ``none`` (prompt for the passphrase on the console at boot) or the absolute path to a key file; it is not the passphrase itself. A key file only works if it has been added to the LUKS header as a key slot first (``cryptsetup luksAddKey ${dev} ${keyfile}``), and it belongs on the root filesystem, root-only (mode 0400): anyone who can read it can open the device. Putting the passphrase in that field is the wrong approach (apparently the process also doesn't like spaces in the passphrase - at least you can't quote the passphrase with either single or double quotes).

Chapter 7: package management:
------------------------------

No real surprises. Only item of note: to validate a third party package,

* Download the gpg key from the site and import it: ``rpm --import ${key}``
* ``rpm -K ${pkg}`` (same as ``rpm --checksig``). The output has to end in ``OK``; ``NOT OK (MISSING KEYS: ...)`` means the digests checked out but the signature was never verified.

Chapter 8: user administration:
-------------------------------

* Default password config located in /etc/login.defs::

      # grep -v -e ^# -e ^$ /etc/login.defs
      MAIL_DIR        /var/spool/mail
      PASS_MAX_DAYS   99999
      PASS_MIN_DAYS   0
      PASS_MIN_LEN    5
      PASS_WARN_AGE   7
      UID_MIN         500
      UID_MAX         60000
      GID_MIN         500
      GID_MAX         60000
      CREATE_HOME     yes
      UMASK           077
      USERGROUPS_ENAB yes
      ENCRYPT_METHOD  SHA512

  The aging values only apply to accounts created afterwards (existing ones are changed with ``chage``), and ``PASS_MIN_LEN`` is ignored on a PAM system; the real length/complexity policy is the pam_cracklib line in /etc/pam.d/system-auth.
* ldap:

  * Book still has nss_ldap vs sssd. Believe that's a mistake.
  * Book also doesn't discuss the authconfig command. I believe I'll use that one...

    ::

      authconfig --enableldap --enableldapauth \
          --ldapserver=ldaps://ldapsvr.olearycomputers.com \
          --ldapbasedn="dc=oci,dc=com" --enablemkhomedir \
          --ldaploadcacert=ftp://192.168.122.1/pub/CA/cacert.pem --update

    Note that the CA cert is fetched over plain ftp here; whoever can tamper with that download decides which ``ldaps`` server the box will trust for authentication.

No major surprises other than those two.

Chapter 9: RHCSA SA tasks:
--------------------------

* VNC: fucking vnc...

  * ``yum -y install vinagre tigervnc tigervnc-server``
  * Edit /etc/sysconfig/vncservers; add appropriate users/ports at bottom.
  * On a client, ``yum -y install vinagre tigervnc``
  * ``vncviewer ${ip}:${port}`` as detailed in the file.
  * Right way is to use port forwarding (VNC itself is unencrypted) which looks like it needs some work.
    ::

      # h tester1
      # ssh -L 5901:localhost:5901 -N -f -l dkoleary server1
      # vncviewer localhost:5901

    Display :1 in vncservers listens on 5901. With the tunnel in place, ``-localhost`` in that display's ``VNCSERVERARGS`` keeps the VNC port off the network entirely.

Other than vnc, nothing too serious. Next starts things I haven't gone through yet. Should be exciting.

Chapter 10: security primer:
----------------------------

04/06/14: Spent the day troubleshooting kvm networking as my guests couldn't ping or talk to each other. Ended up going completely nuclear and reinstalling vmhost. Finally figured it out... KVM went rule happy when libvirtd is restarted. Too many rejects in the forward chain. Check the rhel_kvm page for details.

04/07/14: A short study day today. Wanted to get a little further since yesterday was such a waste.

* While playing w/the firewall rules on server1, I'm not able to block outsider1 due to NAT. I could probably change the vm host to a router. That may be worthy of some investigation.
* Firewall rules: Author suggests an addition to the firewall such that:

  * Create a chain called SSH_CHAIN: ``iptables -N SSH_CHAIN``
  * Send any new ssh traffic from INPUT to the SSH chain::

      iptables -A INPUT -i ${in} -p tcp -m tcp --dport 22 -m state \
          --state NEW -j SSH_CHAIN

  * Set a limit to the number of new requests that can come in::

      iptables -A SSH_CHAIN -i ${in} -p tcp -m tcp --dport 22 -m state \
          --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl \
          --name SSH -j DROP

    ``--update`` only consults the ``SSH`` list, it never adds to it, so the chain also needs a matching ``-m recent --set --name SSH`` rule (no ``-j``) or the DROP never fires. Put the ``--set`` rule before the DROP rule and the third new connection within 60 seconds from one source is dropped; after it, the fourth. Every attempt that gets dropped refreshes the timestamp, so a client that keeps hammering stays blocked.

* Fucking excellent! The study author just gave me the answer to setting up routing.

  * ``sysctl -w net.ipv4.ip_forward=1`` (and update /etc/sysctl.conf so it survives a reboot)
  * Flush the FORWARD chain and add::

      iptables -F FORWARD
      iptables -A FORWARD -o eth0 -j ACCEPT
      iptables -A FORWARD -o virbr0 -j ACCEPT
      iptables -A FORWARD -o virbr1 -j ACCEPT
      iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

    Flushing FORWARD discards libvirt's own per-bridge rules, which are what rejected new traffic into each guest network; libvirtd re-creates them when it restarts, which is the "rule happy" behaviour noted on 04/06.
  * Once done, nat is no longer running and I can see the access as coming from the real vm IP::

      # h server1
      # ssh outsider1
      root@outsider1's password:

      # h outsider1
      # who
      root     pts/0        2014-04-07 17:58 (server1)

04/08/14: Worked on the firewall rules and revamped the rhel_kvm network section. Probably learned more about firewalls than I'll need for the test. Good self study.

04/10/14: Still on chapter 10: finished the firewall section though.

* ``system-config-firewall``: relatively nice gui front end to the /etc/sysconfig/iptables file. If I'm running out of time, it'll probably help get things running correctly. First pass, though, stick with the command line.
* *Extended internet super server*: fancy speak for xinetd. Fairly standard.
* tcpwrappers:

  * The xinetd in linux is wrapped. Not like those other guys where we have to
  * Daemon side must match the binary. Using telnet as the example: ``in.telnetd``
  * Client side can be a specific IP or network/netmask. **Not** CIDR:

    * hosts.allow: ``in.telnetd : 192.168.122.0/255.255.255.0`` works
    * hosts.allow: ``in.telnetd : 192.168.122.0/24`` doesn't.

    hosts.allow is checked first, hosts.deny second, and a client matching neither is let in. So a pattern that matches nothing in hosts.allow only locks people out if hosts.deny has a catch-all (``ALL : ALL``); with an empty hosts.deny it silently lets everyone in.

Leaving it here. Next section is pam. That should prove interesting.

04/12/14: need to finish a couple of chapters today.
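The tcp wrappers behaviour described above (netmask form works, ``/24`` form doesn't, and the allow/deny/default order) as an added Python model, my own code and not from the notes or from tcp_wrappers itself. It reproduces how libwrap 7.6 (the version on RHEL 6) matches the IPv4 client forms in play: exact address, net/mask with a dotted-quad mask, and ``ALL``. Hostname, ``LOCAL``/``KNOWN`` and IPv6 patterns are not modelled. The rule lines and the server1/outsider1 addresses are constructed from the notes.

```python
"""Model of how libwrap (tcp_wrappers 7.6, as on RHEL 6) decides access.

Added example, not code from the notes or from tcp_wrappers. Implements the
hosts_access() order (hosts.allow first, then hosts.deny, default allow) and
the IPv4 client patterns: exact address, net/mask (dotted mask) and ALL.
"""
import ipaddress
import re


def pattern_matches(pattern, client_ip):
    """Does one client pattern from hosts.allow/hosts.deny match client_ip?"""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    try:
        addr = ipaddress.IPv4Address(client_ip)
        if "/" in pattern:
            net, mask = pattern.split("/", 1)
            # libwrap only accepts a dotted-quad mask for IPv4. "24" is logged
            # as a bad net/mask expression and the pattern matches nothing.
            if mask.count(".") != 3:
                return False
            return addr in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        return addr == ipaddress.IPv4Address(pattern)
    except ValueError:          # hostname patterns etc. are not modelled
        return False


def parse_rule(line):
    """'in.telnetd : 192.168.122.0/255.255.255.0' -> (daemons, client patterns)."""
    line = line.split("#", 1)[0].strip()
    if not line or ":" not in line:
        return None
    daemons, clients = line.split(":", 1)
    return (re.split(r"[,\s]+", daemons.strip()),
            re.split(r"[,\s]+", clients.strip()))


def rule_matches(line, daemon, client_ip):
    """One line of hosts.allow/hosts.deny against a (daemon, client) pair."""
    parsed = parse_rule(line)
    if parsed is None:
        return False
    daemons, clients = parsed
    # the daemon field is matched against the server binary's name (in.telnetd)
    if daemon not in daemons and "ALL" not in daemons:
        return False
    return any(pattern_matches(p, client_ip) for p in clients)


def access_granted(daemon, client_ip, hosts_allow, hosts_deny):
    """hosts_access(): first hosts.allow match grants, first hosts.deny match
    denies, and a client matching neither file is let in."""
    if any(rule_matches(line, daemon, client_ip) for line in hosts_allow):
        return True
    if any(rule_matches(line, daemon, client_ip) for line in hosts_deny):
        return False
    return True


def dead_patterns(lines):
    """Client patterns libwrap will never match: a net/mask whose mask is not
    a dotted quad, i.e. the CIDR '/24' form. Useful as a lint over the files."""
    dead = []
    for line in lines:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        for p in parsed[1]:
            if "/" in p and p.split("/", 1)[1].count(".") != 3:
                dead.append(p)
    return dead


# Constructed rule files, using the server1 / outsider1 addresses from the notes.
ALLOW_NETMASK = ["in.telnetd : 192.168.122.0/255.255.255.0"]
ALLOW_CIDR = ["in.telnetd : 192.168.122.0/24"]
DENY_ALL = ["ALL : ALL"]

if __name__ == "__main__":
    for allow in (ALLOW_NETMASK, ALLOW_CIDR):
        verdict = access_granted("in.telnetd", "192.168.122.50", allow, DENY_ALL)
        print(f"{allow[0]:45} server1 {'allowed' if verdict else 'denied'}; "
              f"dead patterns: {dead_patterns(allow)}")
```

With ``ALL : ALL`` in hosts.deny the ``/24`` rule locks server1 out, which is the failure the notes observed. With an empty hosts.deny the same rule lets server1 and outsider1 both in, since nothing matched in either file. Either way the pattern is dead, and ``dead_patterns()`` is the check to run before trusting the file.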
Finishing up chapter 10 now:

* PAM

  * Nice: the /etc/pam.d/login file tells the login process to use system-auth
  * PAM sa guide: /usr/share/doc/pam-1.1.1/html/Linux-PAM_SAG.html
  * Line format::

      ${module_type} ${control_flag} ${module_path} ${arguments}

  * Module types:

    * auth: authentication: how/when and with what restrictions users are authenticated
    * account: allows/denies according to account policies (expiry, time of day, etc.)
    * password: password management (changing the authentication token)
    * session: settings for application sessions.

  * Control flags:

    * required: Short version: a failure is recorded, but pam continues down the stack regardless and only reports the failure to the app once the stack is done (so the user can't tell which module said no).
    * requisite: if it fails, the stack fails right there and control returns to the app.
    * sufficient: if it succeeds (and no earlier *required* module has failed), the stack succeeds right there; its own failure is ignored.
    * optional: success/failure not really considered, unless it's the only module in the stack for that type.
    * include: includes other files (how the system-auth lines get pulled in).

  * Need to read the pam admin guide: http://www.olearycomputers.com/ll/pam/Linux-PAM_SAG.html

* Relatively minor section on gpg2. Remember the other commands related to gpg, particularly ``gpgconf``.
* Labs: (04/14/14)

  * gpg:

    * ``gpg --gen-key``
    * ``gpg --armor --export ${user}``: otherwise it's in binary
    * ``gpg -e -r ${user} ${file}``: recipient before file, not the other way around.
    * ``gpg -d ${file}``

  * Rest were no problem. Remember the selinux booleans.

Chapter 11: selinux:
--------------------

* Selinux:

  * When fucking w/selinux, don't forget to install the semanage app via policycoreutils-python
  * Don't forget the host of booleans that may need to be tweaked.
  * Don't forget to use the *-P* option to make boolean settings permanent: ``setsebool -P ${bool} ${value}``
  * context changes and survivability:

    * ``chcon`` will change the context and it will survive a reboot.
    * It won't, however, survive a ``restorecon`` (or an autorelabel).
    * ``semanage fcontext -a -s ${sel_user} -t ${sel_type} "${dir}(/.*)?"`` will survive both: it records the rule in the policy's file context database, and ``restorecon -R ${dir}`` then applies it to what's on disk. semanage by itself relabels nothing.

* ssh: guy's got some borked ideas about accessing root directly; but, other than that, pretty standard stuff.
  I did get a kick out of the *These lines are typically ignored* when discussing the forced commands line.
* Labs: no issues.

Chapter 12: rhce admin tasks:
-----------------------------

* scripts: really? hehe; that's cute.
* kernel parms: not really in depth. Remember that you can dump them all via ``sysctl -a``
* Creating an rpm package: this should be interesting.

  * In the current source directory, create an empty, executable file called configure.
  * Tar/gzip the whole thing and put the resulting file in ~/rpmbuild/SOURCES
  * ``yum -y install rpm-build rpmdevtools`` (the package is rpm-build, not rpmbuild)
  * ``rpmdev-newspec``
  * Hrm; directions in the book aren't working. I'll have to do some googling on creating a simple rpm package... that, or catch up on one of the labs.

* Routing:

  * Standard routing commands; don't forget the gw
  * /etc/sysconfig/network-scripts/route-${int}::

      ADDRESS0=192.168.0.0
      NETMASK0=255.255.255.0
      GATEWAY0=192.168.122.1

* Kerberos: use the ``system-config-authentication`` gui. Much easier. Kerberos is going to be dependent on an ntp server: tickets are timestamped, and more than the allowed clock skew (five minutes by default) fails authentication outright.
* iSCSI:

  * ``yum -y install iscsi-initiator-utils``
  * ``iscsiadm -m discoverydb -t st -p 192.168.122.1 -D``

Seems pretty straight forward; but, I can't do anything w/kerberos or iscsi. Need the class for that. Got 2.5 chapters done today. Good progress.

* Labs: expecting some fun w/the rpm package.
* rpm build. Got it. I think I commented too much crap the first time. I was able to create the two rpms in the lab and even experiment a little.

  * ``yum -y install rpm-build rpmdevtools``
  * As a normal user, ``rpmdev-setuptree; cd rpmbuild`` (never build as root: a bad ``%install`` or ``%clean`` line then runs against the live filesystem).
  * Create a subdirectory w/version # (mypackage-1.0)
  * Put required files in it including an executable empty *configure*
  * ``rpmdev-newspec SPECS/${spec}``
  * Fill out the summary lines (ones w/o '%') as needed. Comment or erase ones that aren't.
  * Required commands:

    * %description
    * %prep and %setup -q
    * %build (comment out everything)
    * %install
    * %clean
    * %files (sub cmd %dir to create the directory?)
    * %defattr (w/final commands)

  * First package lab was right from the book; the second was from scratch and memory. Yay for me!

* Routing: fucking routing command. I really hate that.

  * ``route add default gw ${gw}`` # that one I got...
  * ``route add -net ${network_ip} netmask ${netmask} gw ${gw}``
  * Format for the /etc/sysconfig/network-scripts/route-${int}::

      ADDRESS0=${tgt_addr}
      NETMASK0=${netmask}
      GATEWAY0=${gw}

Chapter 13: electronic mail:
----------------------------

* If both postfix/sendmail are installed, use the ``alternatives`` command to switch between them::

      # alternatives --config mta

      There are 2 programs which provide 'mta'.

        Selection    Command
      -----------------------------------------------
      +  1           /usr/sbin/sendmail.postfix
      *  2           /usr/sbin/sendmail.sendmail

      Enter to keep the current selection[+], or type selection number: 2

04/13/14

* User level security:

  * Short section discussing having user accounts on the MTA system from which users will get their mail.
  * Set otherwise non-interactive accounts with shell=/sbin/nologin
  * MTA access configured via SASL which ties back to pam via:

    * Config files under */etc/sasl2*, entry pwcheck_method
    * */etc/sysconfig/saslauthd*::

        # grep -i ^mech /etc/sysconfig/saslauthd
        MECH=pam

  * Consider setting rules to listen on port 25 for specific networks only:

    * iptables::

        iptables -A INPUT -m state --state NEW -m tcp -p tcp \
            -s 192.168.122.0/24 --dport 25 -j ACCEPT

    * sendmail: DaemonPortOptions (this is the sendmail.cf form; in sendmail.mc it's the ``DAEMON_OPTIONS`` macro, followed by ``make -C /etc/mail``). The stock ``Addr=127.0.0.1`` is what keeps sendmail local-only; dropping it opens port 25 to everyone::

        DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

    * postfix: ``inet_interfaces = ${ip}`` in */etc/postfix/main.cf*

* postfix:

  * Commands:

    * ``postfix check`` tests the postfix config
    * ``postmap`` updates the hash databases.
  * Files:

    * access: same as sendmail; don't forget to run postmap afterwards
    * canonical: incoming email user rewrite/redirect
    * generic: outgoing user rewrite
    * main.cf: Upon installation, update:

      * myhostname
      * mydomain
      * uncomment myorigin (don't edit otherwise)
      * inet_interfaces (as described in how to limit port 25 exposure)
      * inet_protocols, if needed/desired
      * mydestination: effectively postfix's version of local-host-names. Add *$mydomain* to the list.
      * mynetworks: list of *internal* networks, i.e. those allowed to relay. Keep it tight: anything listed here relays through you without authenticating.

  * Authentication:

    * Create local accounts w/shells = /sbin/nologin. Set passwords
    * Configure postfix as noted above.
    * Perform steps in the README-Postfix-SASL-RedHat.txt doc under */usr/share/doc/postfix-${ver}/*

Mostly standard; sendmail was pretty lightly covered. They're pushing postfix so that's the one I should be ready to configure.

* Labs: nothing too extreme. Need to remember the docs for postfix. Updating the main.cf file shouldn't be too crazy for the most part.

Chapter 14: apache:
-------------------

* Mostly standard so far; ``yum groupinstall "Web Server"`` to get everything.
* apache and selinux: When creating dirs for vhosts, ensure:

  * file context: ``ls -dZ; chcon; semanage``. CGI dirs have different contexts from the ones on /var/www/html::

      # ls -dZ /var/www/html /var/www/cgi-bin
      drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/
      drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

  * booleans: book stresses httpd_enable_homedirs

* host based security set up in the directory stanza. The stanza's ``Order`` line decides which wins when both a deny and an allow match, and a hostname entry makes apache do a double-reverse DNS lookup on every client, so prefer addresses. Examples::

      deny from 192.168.122.150
      deny from 192.168.122/24
      allow from osborne.com

* User/group security:

  * Directives: to be added to the appropriate stanza

    * AuthUserFile/AuthGroupFile: specifies the user/group files containing valid users.
    * AuthType Basic: sets up the basic authentication type. The credentials travel base64-encoded, not encrypted, so put it behind SSL.
    * Require [user|group]: specifies the user or group required.
    * AuthName ${something}: the name of the 'realm'

  * Book doesn't - yet - say how to populate the password database. BTW, the password database shouldn't be in the same directory that the miscreants are viewing, i.e. keep it outside the DocumentRoot.
  * .htaccess:

    * If used, needs *AllowOverride AuthConfig* (or a broader ``AllowOverride``) in the directory stanza; ``AllowOverride Options`` alone doesn't permit the auth directives.
    * Allows the ability to override previously set permissions.

  * User/group pwds:

    * Create the password file::

        htpasswd -c ${pwd_file} ${user}

    * To add another user (no ``-c``, or the existing file gets overwritten)::

        htpasswd ${pwd_file} ${user}

    * Group file format (location specified in the directive)::

        ${group}: ${user} ${user}

* User home directories:

  * Reset *UserDir* directives in httpd.conf
  * Set the world executable bit on /home/${user} and /home/${user}/public_html, or use setfacl (granting just the apache user ``x`` is the tighter option).
  * ``setsebool -P httpd_enable_homedirs 1``
  * Update stanza as appropriate.

* Group directories (also stressed as part of the test)

  * Create a new user that matches the group
  * shell = /sbin/nologin,
  * directory owned by nobody, perms 2770
  * ``setfacl -m u:apache:x /home/${user}``
  * ``setfacl -m u:apache:x /home/${user}/public_html``
  * Reset UserDir in httpd.conf
  * ``setsebool -P httpd_enable_homedirs 1``
  * Update stanza as appropriate.
  * ``service httpd restart``

* SSL:

  * ``genkey ${fqdn}``: generates a self-signed cert and key for ssl enabled domains.
  * To configure multiple virtuals, need ``NameVirtualHost *:443`` added to ssl.conf. Name-based SSL vhosts depend on SNI; a client without it is handed the first vhost's certificate.
  * It appears my vhosts (both ssl and nonssl) are working; I just can't get elinks to work w/the self signed cert. fuck.

* CGI:
* update the ``${passphrase_file}``. Once that's done, rebooting w/a LUKS-formatted partition works.
* rpm creation: had to check the book for the right format for the install command. Remember ``$RPM_BUILD_ROOT``.
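Since the rpm lab above lists the required sections but never shows them together, here is a complete minimal spec for the mypackage-1.0 lab package. It is an added example, my own and not the book's spec or the author's, and assumes the tarball in SOURCES unpacks to ``mypackage-1.0/`` containing a single ``README`` (a constructed file name) to be installed under ``/opt/mypackage`` (also an assumption; the book's target path is not in the notes).

```spec
Name:           mypackage
Version:        1.0
Release:        1%{?dist}
Summary:        Example package built from the lab procedure

Group:          Applications/System
License:        GPLv2
Source0:        %{name}-%{version}.tar.gz
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch:      noarch

%description
Installs the files shipped in the mypackage-1.0 tarball under /opt/mypackage.
Nothing is compiled, so the build section is empty.

%prep
# unpack SOURCES/mypackage-1.0.tar.gz into BUILD/; -q keeps the tar listing quiet
%setup -q

%build
# nothing to build. The empty executable "configure" file in the tarball is
# unused because the configure macro is never invoked here.

%install
# everything is staged under $RPM_BUILD_ROOT, never on the live system
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/opt/%{name}
install -m 0644 README $RPM_BUILD_ROOT/opt/%{name}/README

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
%dir /opt/%{name}
/opt/%{name}/README
```

Build with ``rpmbuild -ba SPECS/mypackage.spec`` as the unprivileged user who ran ``rpmdev-setuptree``; the result lands in ``RPMS/noarch/``. ``%dir`` makes the package own the directory, so ``rpm -e`` removes it along with the file, and ``rpm -qlp`` on the result is the quick way to confirm nothing outside ``/opt/mypackage`` was picked up. Macros are expanded even inside ``#`` comments, which is why the comments above avoid writing ``%configure`` literally.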