RHCSA/RHCE study notes¶
Lessons learned:¶
To create your own repos:
Download packages to a directory of your choice
createrepo ${directory}
Create /etc/yum.repos.d/${file} repo file. At a minimum:
# cat /etc/yum.repos.d/inst.repo
[${name}]
name=${appropriately descriptive name}
baseurl=${protocol}://${ip}/${directory}
Import the public keys:
cd ${directory}
for f in *GPG*
do
    echo rpm --import ${f}
    rpm --import ${f}
done
If, for some reason, you don’t want to import the keys, add the gpgkey option to the stanza:
gpgkey=${protocol}://${ip}/${directory}/${gpg_key}
… would seem easier just to import those damn things…
Remove rhgb from kernel line in grub.conf to see the start up script process rather than that annoying progress bar.
rhel6 inittab contains only one line:
id:5:initdefault:
netstat -atunp
displays open ports; quicker/cleaner than executing netstat -an | grep -i -e listen -e establish
# netstat -atunp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1245/rpcbind
tcp        0      0 0.0.0.0:48276           0.0.0.0:*               LISTEN      1320/rpc.statd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1505/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1494/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1375/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1585/master
tcp        0      0 192.168.122.50:22       192.168.122.1:56570     ESTABLISHED 1855/sshd
tcp        0      0 :::111                  :::*                    LISTEN      1245/rpcbind
tcp        0      0 :::22                   :::*                    LISTEN      1494/sshd
tcp        0      0 ::1:631                 :::*                    LISTEN      1375/cupsd
tcp        0      0 :::55447                :::*                    LISTEN      1320/rpc.statd
tcp        0      0 ::1:25                  :::*                    LISTEN      1585/master
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1245/rpcbind
udp        0      0 0.0.0.0:53360           0.0.0.0:*                           1320/rpc.statd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1375/cupsd
udp        0      0 0.0.0.0:648             0.0.0.0:*                           1320/rpc.statd
udp        0      0 0.0.0.0:996             0.0.0.0:*                           1245/rpcbind
udp        0      0 :::111                  :::*                                1245/rpcbind
udp        0      0 :::36913                :::*                                1320/rpc.statd
udp        0      0 :::996                  :::*                                1245/rpcbind
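The point of that listing, from a security angle, is which daemons are reachable from any interface versus loopback only. As an added example (not from these notes), here is a small sh function that reads netstat -atunp output and prints every socket bound to a wildcard address; the sample input is constructed from a subset of the listing above.

```sh
#!/bin/sh
# Added example, not from the original notes: flag listeners bound to every
# interface in "netstat -atunp" output. The sample is constructed from a
# subset of the listing in the notes.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1245/rpcbind
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1505/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1494/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1375/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1585/master
tcp        0      0 192.168.122.50:22       192.168.122.1:56570     ESTABLISHED 1855/sshd
tcp        0      0 :::22                   :::*                    LISTEN      1494/sshd
tcp        0      0 ::1:631                 :::*                    LISTEN      1375/cupsd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1245/rpcbind
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1375/cupsd'

# exposed_listeners: read netstat -atunp output on stdin and print
# "proto port program" for every socket whose local address is a wildcard
# (0.0.0.0 or ::). Loopback-only sockets and established connections are
# skipped; a daemon listening on both 0.0.0.0 and :: is reported once.
exposed_listeners() {
  awk '
    NR <= 2 || NF < 6 { next }                 # the two header lines
    $1 == "tcp" && $6 != "LISTEN" { next }     # tcp: listening sockets only
    {
      addr = $4; prog = $NF
      n = split(addr, p, ":")                  # port is the last field,
      port = p[n]                              # host is everything before it
      host = substr(addr, 1, length(addr) - length(port) - 1)
      sub(/^[0-9]+\//, "", prog)               # drop the PID, keep the name
      if (host == "0.0.0.0" || host == "::") print $1, port, prog
    }' | LC_ALL=C sort -u
}

# audit_sample: run the check over the constructed listing
audit_sample() {
  printf '%s\n' "$NETSTAT_SAMPLE" | exposed_listeners
}

# exposed_count: number of exposed (proto, port) pairs in the listing on stdin
exposed_count() {
  exposed_listeners | awk 'END { print NR }'
}

audit_sample
```

On a real box, pipe the live output in (netstat -atunp | exposed_listeners) and compare the result with the iptables INPUT chain: anything listed here and not deliberately opened in the firewall is worth a second look (rpcbind and the cups browse port are the usual suspects on a default install).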
blkid
command identifies UUID of devices.
# blkid /dev/mapper/vg00-root
/dev/mapper/vg00-root: UUID="1509679d-ff00-4d6d-bda4-1821d9052567" TYPE="ext4"
Show function - very useful for messing with iptables:
show() {
    # chain name defaults to FORWARD and is upper-cased so "forward" works too
    chain=${1:-FORWARD}
    chain=$(echo ${chain} | tr '[a-z]' '[A-Z]')
    # PREROUTING/POSTROUTING live in the nat table
    echo ${chain} | grep -qi -e ^prerouting -e ^postrouting && args="-t nat" || args=""
    c=1
    # number the rule lines; header/other lines get a "." instead
    iptables ${args} -L ${chain} -n | while read line
    do
        echo "${line}" | grep -qi -e ^accept -e ^reject -e masq -e ^dnl
        if [ $? -eq 0 ]
        then
            printf "%02d %s\n" ${c} "${line}"
            c=$((c+1))
        else
            printf "%2s %s\n" "." "${line}"
        fi
    done
}
Notes:¶
Chapters 1-3:¶
03/30/14: Seems I lost the notes for my rhcsa test. Interesting as I’m usually quite good at keeping track of those. I even have crap from classes that were more than a decade ago.
Any rate, going over the rhcsa chapters just to ensure I have all the requisite info.
I rearranged data twixt mgmt and vmhost. Most of the permanent data will reside on mgmt. Also set up a git repo for the kickstart files. Central repo’s on mgmt.
I re-imaged vmhost again. It still has the Centos yum repos. Need to remember how to make those go away. (done)
Packages to install to for kvm:
yum -y groupinstall Virtualization
yum -y groupinstall Virtualization Client
yum -y groupinstall Virtualization Platform
yum -y groupinstall Virtualization Tools
Autostart:
virsh autostart ${dom}
ln -s /etc/libvirt/qemu/${dom}.xml /etc/libvirt/qemu/autostart/${dom}.xml
virsh autostart --disable ${dom}
unlink /etc/libvirt/qemu/autostart/${dom}.xml
I think I’m leaving it here for awhile. Finished chapter 1 & 2. I want to run through the kvm init at least one more time. Not something I do regularly so I tend to forget things - like how to create local repos, how to update the gpg key, how to reset the firewall if I have to update it via the system-config-firewall-tui, etc.
04/01/14: Chapter 3, basic command line tools. Pretty straight forward. No surprises
04/04/13: First thing to do, generate outsider1, then continue w/chapter 4.
Chapter 4: RHCSA level security options:¶
Server    | IP
----------|----------------
server1   | 192.168.122.50
tester1   | 192.168.122.150
outsider1 | 192.168.200.100
umask: Even w/umask of 0022, files won’t be created w/execute bits enabled. Security thing.
lsattr/chattr: commands that can restrict even root from actions on specific files. Attributes that can be set:
a: Append only
c: Compressed
d: no dump
e: extent format
i: immutable (no edits/deletes)
j: data journalling
s: secure deletion
t: no tail merging
u: undeletable - misnamed. File can be recovered. it’s still deleted.
A: no atime updates - faster I/O
D: synchronous directory updates
S: synchronous updates
T: Top of directory hierarchy. Directories under /home are not related and should be stored on different blocks.
iptables format:
iptables -t ${type} <action direction> <packet pattern> -j <what to do>
type: filter or nat; filter is the default so you never have to type it.
action:
[A|I|D|F|L] [OUTPUT|INPUT|FORWARD]
A: append
I: insert
D: delete
F: flush
L: list
pattern:
-s CIDR (source)
-d CIDR (destination)
what to do:
DROP: no response to remote system.
REJECT: response sent to remote system
ACCEPT: duh
iptables rules: need to find out what the system-config-firewall apps are doing. I updated the /etc/sysconfig/iptables file with the correct line, then restarted iptables. Not able to ftp into server1. Update the file using the tui, and it works. RCS is saying there’s no difference in the file. OK… WTF?? For now, use the system-config things, but need to figure that out.
# rcsdiff iptables
RCS file: RCS/iptables,v
retrieving revision 1.2
diff -r1.2 iptables
selinux:
Change mode:
update /etc/sysconfig/selinux
setenforce [ enforcing | permissive | 1 | 0 ]
echo [1|0] > /selinux/enforce (enforcing | permissive)
semanage:
install via policycoreutils-python
Used to list/edit current policies
Examples:
semanage login -l
semanage login -a -s user_u michael
: Adds the user_u selinux user constraint to michael. More on those constraints later. NOTE: Is not in effect if su - ${user}; only if he logs in directly.
getsebool|setsebool:
Bunches of booleans
Only set for the life of the system unless the -P arg is supplied.
Chapter 5: boot process:¶
Can add other run levels, other than single after the kernel in grub menu:
[1-5]: run levels 1 - 5
single: doesn’t execute run level 1 start scripts
init=/bin/sh: mounts / and runs /bin/sh. The lowest level.
kernel args:
quiet: removes the initial boot display but still shows the start up process
rhgb: displays that annoying progress bar vs the start up process
Password protecting grub:
grub-md5-crypt: prints an md5 hash of the password typed.
password --md5 ${hash}
    Before stanzas: protects the stanza from editing.
    Inside the stanza: prevents the execution of the stanza until the password is supplied.
Manually booting from the grub> prompt:
Boot, interrupt, edit the appropriate stanza, then press c. At the grub> prompt, enter root to have the system search for the root partition. Alternatively,
find /grub/grub.conf
cat (hd0,0)/grub/grub.conf
Enter the lines one by one. Typing is going to be extremely critical. Exam study guide says you’re supposed to get responses when the command executes. I did not get responses in my kvm env if the command was successful.
boot
when everything’s said and done.
rhel6 inittab contains only one line:
id:5:initdefault:
And, done for the night.
Chapter 6: filesystem administration:¶
Before getting into this thing too far, I want to generate another 20 gig disk for use as my test bed. //few seconds later. Sweet, got to love lessons learned:
# virsh vol-create-as default part.img 20g
Vol part.img created
# virsh vol-list default
Name Path
-----------------------------------------
outsider1.img /var/lib/libvirt/images/outsider1.img
part.img /var/lib/libvirt/images/part.img
server1.img /var/lib/libvirt/images/server1.img
tester1.img /var/lib/libvirt/images/tester1.img
# virsh domblklist server1
Target Source
------------------------------------------------
vda /var/lib/libvirt/images/server1.img
# virsh attach-disk server1 /var/lib/libvirt/images/part.img vdb --persistent
Disk attached successfully
# ssh server1 'grep -v -e vd[ab][0-9] -e dm- /proc/partitions'
major minor #blocks name
252 0 20971520 vda
252 16 20971520 vdb
Mostly standard shit. I didn’t go through parted like I did the first time. Much more familiar with fdisk and it’s guaranteed to be there.
LVM is pretty standard too. God, I forgot there’s a GUI for LVM. Really? That’s embarrassing. Want to see what an exported vg looks like to the vgs command, though.
# umount /mnt
# vgexport vg01                # didn't run vgchange -a n vg01
Volume group "vg01" has active logical volumes
# vgs                          # no change in vgs display
VG   #PV #LV #SN Attr   VSize  VFree
vg00   1   2   0 wz--n- 19.51g 11.94g
vg01   1   1   0 wz--n- 20.00g 18.00g
# vgchange -a n vg01
0 logical volume(s) in volume group "vg01" now active
# vgs                          # still no change in vgs display
VG   #PV #LV #SN Attr   VSize  VFree
vg00   1   2   0 wz--n- 19.51g 11.94g
vg01   1   1   0 wz--n- 20.00g 18.00g
# vgexport vg01
Volume group "vg01" successfully exported
# vgs                          # now an 'x' in the attr flags
VG   #PV #LV #SN Attr   VSize  VFree
vg00   1   2   0 wz--n- 19.51g 11.94g
vg01   1   1   0 wzx-n- 20.00g 18.00g
Linux Unified Key Setup (LUKS): Going to be some notes here. Haven’t fucked w/LUKS since the RHCSA test.
Steps:
Ensure kernel mods are in place:
lsmod | grep dm_crypt
modprobe dm_crypt
Create the device to be encrypted: partition, lv, whatever.
Format the partition for luks:
cryptsetup luksFormat ${dev}
Create mapping for ${dev}:
cryptsetup luksOpen ${dev} ${alias}
Create filesystem on ${alias}:
mkfs.ext4 /dev/mapper/${alias}
Create/populate /etc/crypttab
Update /etc/fstab as needed; mount, test, verify, reboot.
Example:
# Step 1:
# lsmod | grep dm_crypt
# modprobe dm_crypt
# lsmod | grep dm_crypt
dm_crypt               12862  0
dm_mod                 84209  9 dm_crypt,dm_mirror,dm_log
# Step 2: left as exercise for reader.
# Step 3:
# cryptsetup luksFormat /dev/vg01/luks

WARNING!
========
This will overwrite data on /dev/vg01/luks irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
# Step 4:
# cryptsetup luksOpen /dev/vg01/luks luks
Enter passphrase for /dev/vg01/luks:
# Step 5:
# mkfs.ext4 /dev/mapper/luks
mke2fs 1.41.12 (17-May-2010)
[[snip]]
# Step 6:
# cat /etc/crypttab
luks /dev/vg01/luks ${single-word-pwd_or"none"}
In theory, you can replace ‘none’ with the passphrase; however, security considerations apply and, apparently, the process doesn’t like spaces in the passphrase - at least you can’t quote the passphrase with either single or double quotes.
Chapter 7: package management:¶
No real surprises. Only item of note: to validate a third party package,
Download/import the gpg key from the site
rpm -K ${pkg}
Chapter 8: user administration:¶
Default password config located in /etc/login.defs:
# grep -v -e ^# -e ^$ /etc/login.defs
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         500
UID_MAX         60000
GID_MIN         500
GID_MAX         60000
CREATE_HOME     yes
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD  SHA512
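Those defaults are worth auditing rather than just reading: a 99999-day maximum age and a 5-character minimum are the stock values, not a policy. As an added example (not from these notes), a sh/awk check over login.defs content; the baseline it tests against (90 days, 8 characters, SHA512, umask 077 or 027) is this example's own assumption, and the sample content is constructed from the grep output above.

```sh
#!/bin/sh
# Added example, not from the original notes: audit the password-policy keys
# in /etc/login.defs against a baseline. The thresholds (90 days, 8 characters,
# SHA512, umask 077/027) are assumptions of this example, not values from the
# notes. Sample content is constructed from the grep output in the notes.
LOGIN_DEFS_SAMPLE='MAIL_DIR /var/spool/mail
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 500
UID_MAX 60000
GID_MIN 500
GID_MAX 60000
CREATE_HOME yes
UMASK 077
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512'

# audit_login_defs CONTENT: print one finding per line, nothing when clean.
# Comments and blank lines are skipped; the last occurrence of a key wins,
# which is how login.defs itself is read.
audit_login_defs() {
  printf '%s\n' "$1" | awk '
    /^ *#/ || NF < 2 { next }
    { v[$1] = $2 }
    END {
      if (!("PASS_MAX_DAYS" in v) || v["PASS_MAX_DAYS"] + 0 > 90)
        print "PASS_MAX_DAYS=" v["PASS_MAX_DAYS"] ": passwords never age out; set 90 or less"
      if (!("PASS_MIN_LEN" in v) || v["PASS_MIN_LEN"] + 0 < 8)
        print "PASS_MIN_LEN=" v["PASS_MIN_LEN"] ": shorter than 8; pam_cracklib in system-auth must enforce it too"
      if (v["ENCRYPT_METHOD"] != "SHA512")
        print "ENCRYPT_METHOD=" v["ENCRYPT_METHOD"] ": hashes should use SHA512"
      if (v["UMASK"] != "077" && v["UMASK"] != "027")
        print "UMASK=" v["UMASK"] ": new home directories readable by others"
    }'
}

# harden_login_defs CONTENT: rewrite the two aging/length keys to baseline values
harden_login_defs() {
  printf '%s\n' "$1" | sed -e 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 90/' \
                           -e 's/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 12/'
}

# finding_count CONTENT: number of findings, handy in scripts
finding_count() {
  audit_login_defs "$1" | awk 'END { print NR }'
}

audit_login_defs "$LOGIN_DEFS_SAMPLE"
```

Run it against the live file with audit_login_defs "$(cat /etc/login.defs)". Note that login.defs only governs accounts created after the change; existing users keep their aging values until chage is run on them.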
ldap:
Book still has nss_ldap vs sssd. Believe that’s a mistake.
Book also doesn’t discuss the authconfig command. I believe I’ll use that one…
authconfig --enableldap --enableldapauth \
    --ldapserver=ldaps://ldapsvr.olearycomputers.com \
    --ldapbasedn="dc=oci,dc=com" --enablemkhomedir \
    --ldaploadcacert=ftp://192.168.122.1/pub/CA/cacert.pem --update
No major surprises other than those two.
Chapter 9: RHCSA SA tasks:¶
VNC: fucking vnc…
yum -y install vinagre tigervnc tigervnc-server
Edit /etc/sysconfig/vncservers; add appropriate users/ports at bottom.
On a client,
yum -y install vinagre tigervnc
vncviewer ${ip}:${port}
as detailed in the file. Right way is to use port forwarding, which looks like it needs some work.
# h tester1
# ssh -L 5901:localhost:5901 -N -f -l dkoleary server1
# vncviewer localhost:5901
Other than vnc, nothing too serious. Next starts things I haven’t gone through yet. should be exciting.
Chapter 10: security primer:¶
04/06/14: Spent the day troubleshooting kvm networking as my guests couldn’t ping or talk to each other. Ended up going completely nuclear and reinstalling vmhost. Finally figured it out… KVM went rule happy when libvirtd is restarted. Too many rejects in the forward chain. Check the rhel_kvm page for details.
04/07/14: A short study day today. Wanted to get a little further since yesterday was such a waste.
While playing w/the firewall rules on server1, I’m not able to block outsider1 due to NAT. I could probably change the vm host to a router. That may be worthy of some investigation.
Firewall rules: Author suggests an addition to the firewall such that:
Create a chain called SSH_CHAIN:
iptables -N SSH_CHAIN
Forward any new ssh traffic from the INPUT chain to the SSH chain:
iptables -A INPUT -i ${in} -p tcp -m tcp --dport 22 -m state \
    --state NEW -j SSH_CHAIN
Set a limit to the number of new requests that can come in. The --set rule records each new source in the SSH list; --update only counts sources already in the list, so without --set the DROP rule never fires:
iptables -A SSH_CHAIN -i ${in} -p tcp -m tcp --dport 22 -m state \
    --state NEW -m recent --set --name SSH
iptables -A SSH_CHAIN -i ${in} -p tcp -m tcp --dport 22 -m state \
    --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl \
    --name SSH -j DROP
Fucking excellent! The study author just gave me the answer to setting up routing.
sysctl -w net.ipv4.ip_forward=1 (and update /etc/sysctl.conf so it survives a reboot)
Flush the FORWARD chain and add:
iptables -F FORWARD
iptables -A FORWARD -o eth0 -j ACCEPT
iptables -A FORWARD -o virbr0 -j ACCEPT
iptables -A FORWARD -o virbr1 -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
Once done, NAT is no longer running and I can see the access as coming from the real vm IP:
# h server1
# ssh outsider1
root@outsider1's password:
# h outsider1
# who
root     pts/0        2014-04-07 17:58 (server1)
04/08/14: Worked on the firewall rules and revamped the rhel_kvm network section. Probably learned more about firewalls than I’ll need for the test. Good self study.
04/10/14: Still on chapter 10: finished the firewall section though.
system-config-firewall
: relatively nice gui front end to the /etc/sysconfig/iptables file. If I’m running out of time, it’ll probably help get things running correctly. First pass, though, stick with the command line.
Extended internet super user: fancy speak for xinetd. Fairly standard.
tcpwrappers:
The xinetd in linux is wrapped. not like those other guys where we have to
Daemon side must match the binary. Using telnet as the example:
in.telnetd
Client side can be specific IP or network/netmask. Not CIDR:
hosts.allow:
in.telnetd : 192.168.122.0/255.255.255.0
works; hosts.allow:
in.telnetd : 192.168.122.0/24
doesn’t.
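To see why the netmask form works and the /24 form silently matches nothing, here is an added example (not from these notes) that models tcp_wrappers' matching in sh: exact IPs, network/netmask with a dotted mask, and ALL, evaluated in the real order (hosts.allow, then hosts.deny, then allow by default). The hosts.allow and hosts.deny contents are constructed; the CIDR pattern is treated as a non-match, which is the behaviour the note above observed.

```sh
#!/bin/sh
# Added example, not from the original notes: a small model of how tcp_wrappers
# matches a client against hosts.allow and hosts.deny, covering only what the
# notes mention: exact IPs, network/netmask with a dotted-quad mask, and ALL.
# A prefix-length client such as 192.168.122.0/24 is treated as matching
# nothing, reproducing the "doesn't work" result above. Sample files are
# constructed.

# ip_to_int A.B.C.D: dotted quad to a plain integer using shell arithmetic
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pattern_matches PATTERN IP: exit 0 when the client pattern covers IP
pattern_matches() {
  pat=$1; ip=$2
  case $pat in
    ALL) return 0 ;;
    */*)
      net=${pat%/*}; mask=${pat#*/}
      case $mask in
        *.*) ;;                     # dotted-quad netmask: supported
        *)   echo "warning: '$pat' uses a prefix length; tcp_wrappers ignores it" >&2
             return 1 ;;
      esac
      [ $(( $(ip_to_int "$ip") & $(ip_to_int "$mask") )) -eq \
        $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ]
      ;;
    *) [ "$pat" = "$ip" ] ;;
  esac
}

# file_matches CONTENT DAEMON IP: exit 0 when some "daemon_list : client_list"
# line in CONTENT covers both the daemon and the client address
file_matches() {
  printf '%s\n' "$1" | {
    while IFS= read -r line; do
      case $line in ''|\#*) continue ;; esac
      dlist=$(printf '%s' "${line%%:*}" | tr -d ' ')
      clist=$(printf '%s' "${line#*:}" | tr ',' ' ')
      case ",$dlist," in
        *,ALL,*|*,"$2",*) ;;
        *) continue ;;
      esac
      for pat in $clist; do
        pattern_matches "$pat" "$3" && exit 0
      done
    done
    exit 1
  }
}

# wrappers_decide DAEMON IP ALLOW_CONTENT DENY_CONTENT: print allow or deny in
# tcp_wrappers order: hosts.allow first, then hosts.deny, then allow by default
wrappers_decide() {
  if file_matches "$3" "$1" "$2"; then echo allow
  elif file_matches "$4" "$1" "$2"; then echo deny
  else echo allow
  fi
}

HOSTS_ALLOW='# constructed sample: dotted netmask form, the one the notes say works
in.telnetd : 192.168.122.0/255.255.255.0
sshd : 192.168.200.100'
HOSTS_ALLOW_CIDR='in.telnetd : 192.168.122.0/24'
HOSTS_DENY='ALL : ALL'

wrappers_decide in.telnetd 192.168.122.150 "$HOSTS_ALLOW" "$HOSTS_DENY"        # allow
wrappers_decide in.telnetd 192.168.200.100 "$HOSTS_ALLOW" "$HOSTS_DENY"        # deny
wrappers_decide in.telnetd 192.168.122.150 "$HOSTS_ALLOW_CIDR" "$HOSTS_DENY"   # deny
```

The last call is the trap: with ALL : ALL in hosts.deny, a CIDR entry in hosts.allow locks everyone out, including the network you meant to permit, and nothing in the logs says why.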
Leaving it here. Next section is pam. That should prove interesting.
04/12/14: need to finish a couple of chapters today. Finishing up chapter 10 now:
PAM
Nice: the /etc/pam.d/login file tells the login process to use system-auth
PAM sa guide: /usr/share/doc/pam-1.1.1/html/Linux-PAM_SAG.html
Line format:
${module_type} ${control_flag} ${module_path} ${arguments}
Module types:
auth: authentication: how/when and with what restrictions users are authenticated
account: allows/denies according to account policies
password: password management
session: settings for application sessions.
Control flags:
required: Short version: sets a failed flag. pam continues to next statement regardless and up to app to figure out what to do w/the failure.
requisite: if fails, the module fails right there.
sufficient: if succeeds, the login/auth succeeds
optional: success/failure, not really considered.
include: includes other files.
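The interaction between those flags is where the surprises live (a required failure early in the stack quietly disables every later sufficient). As an added example (not from these notes), a sh script that walks an auth stack the way Linux-PAM does and reports the verdict. The two "files" are constructed stand-ins for /etc/pam.d/login and /etc/pam.d/system-auth, cut down to auth lines, and module outcomes are supplied by the caller rather than by real authentication.

```sh
#!/bin/sh
# Added example, not from the original notes: walk a PAM "auth" stack the way
# Linux-PAM does and print the verdict, so the control flags can be tried
# out. pam_file returns constructed stand-ins for /etc/pam.d/login and
# /etc/pam.d/system-auth (auth lines only); module results come from the
# caller, not from real authentication.

# pam_file NAME: print the constructed contents of /etc/pam.d/NAME
pam_file() {
  case $1 in
    login) printf '%s\n' \
      'auth required   pam_securetty.so' \
      'auth include    system-auth' \
      'auth required   pam_nologin.so' ;;
    system-auth) printf '%s\n' \
      'auth required   pam_env.so' \
      'auth sufficient pam_unix.so nullok try_first_pass' \
      'auth requisite  pam_succeed_if.so uid >= 500 quiet' \
      'auth sufficient pam_ldap.so use_first_pass' \
      'auth required   pam_deny.so' ;;
  esac
}

# pam_expand NAME TYPE: flatten the stack for one module type, inlining
# "include" lines (an included file's requisite/sufficient act as if in place)
pam_expand() {
  pam_file "$1" | while read -r type control module rest; do
    [ "$type" = "$2" ] || continue
    if [ "$control" = include ]; then
      pam_expand "$module" "$2"
    else
      echo "$control $module"
    fi
  done
}

# module_result MODULE RESULTS: pam_deny/pam_permit are fixed; anything else
# fails only when RESULTS (space separated "module=fail" words) says so
module_result() {
  case $1 in
    pam_deny.so)   echo fail;    return ;;
    pam_permit.so) echo success; return ;;
  esac
  case " $2 " in
    *" $1=fail "*) echo fail ;;
    *)             echo success ;;
  esac
}

# pam_auth SERVICE RESULTS: print the stack's verdict and which rule decided it
pam_auth() {
  pam_expand "$1" auth | {
    failed=no
    while read -r control module; do
      r=$(module_result "$module" "$2")
      case $control in
        required)   # failure is remembered, but the stack keeps running
                    [ "$r" = fail ] && failed=yes ;;
        requisite)  # failure ends the stack right there
                    [ "$r" = fail ] && { echo "fail (requisite $module)"; exit 0; } ;;
        sufficient) # success ends the stack only if no required module failed yet
                    [ "$r" = success ] && [ "$failed" = no ] &&
                      { echo "success (sufficient $module)"; exit 0; } ;;
        optional)   ;;   # ignored unless it is the only module in the stack
      esac
    done
    if [ "$failed" = yes ]; then echo "fail (required module failed)"
    else echo "success (end of stack)"; fi
  }
}

pam_auth login ''                                          # local password ok
pam_auth login 'pam_unix.so=fail'                          # falls through to ldap
pam_auth login 'pam_unix.so=fail pam_succeed_if.so=fail'   # requisite stops it
pam_auth login 'pam_securetty.so=fail'                     # required failure wins
```

The fourth call is the one to remember for the exam: pam_unix.so succeeds, but because pam_securetty.so (required) already failed, the sufficient result cannot short-circuit and the login fails at the end of the stack.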
Need to read the pam admin guide: http://www.olearycomputers.com/ll/pam/Linux-PAM_SAG.html
Relatively minor section on gpg2. Remember the other commands related to gpg, particularly gpgconf.
Labs: (04/14/14)
gpg:
gpg --gen-key
gpg --armor --export ${user}    : otherwise in binary
gpg -e -r ${user} ${file}       : not the other way around.
gpg -d ${file}
Rest were no problem. Remember the selinux booleans.
Chapter 11: selinux:¶
Selinux:
When fucking w/selinux, don’t forget to install the semanage app via policycoreutils-python
Don’t forget the host of booleans that may need to be tweaked.
Don’t forget to use the -P option to make boolean settings permanent:
setsebool -P ${bool} ${value}
context changes and survivability:
chcon will change the context and it will survive a reboot. It won’t, however, survive a restorecon.
semanage fcontext -a -s ${sel_user} -t ${sel_type} ${dir}
will survive both.
ssh: guy’s got some borked ideas about accessing root directly; but, other than that, pretty standard stuff. I did get a kick out of the “These lines are typically ignored” when discussing the forced commands line.
Labs: no issues.
Chapter 12: rhce admin tasks:¶
scripts: really? hehe; that’s cute.
kernel parms: not really in depth. remember that you can dump them all via
sysctl -a
Creating an rpm package: this should be interesting.
In current source directory, create an empty, executable called configure.
Tar/gzip the whole thing and put the resulting file in ~/rpmbuild/SOURCES
yum -y install rpmbuild rpmdevtools
rpmdev-newspec
Hrm; directions in the book aren’t working. I’ll have to do some googling on creating a simple rpm package… that, or catch up on one of the labs.
Routing:
Standard routing commands; don’t forget the gw
/etc/sysconfig/network-scripts/route-${int}:
ADDRESS0=192.168.0.0 NETMASK0=255.255.255.0 GATEWAY0=192.168.122.1
Kerberos: use the system-config-authentication gui. much easier. kerberos is going to be dependent on an ntp server.
ISCSI:
yum -y install iscsi-initiator-utils
iscsiadm -m discoverydb -t st -p 192.168.122.1 -D
Seems pretty straight forward; but, I can’t do anything w/kerberos or iscsi. Need the class for that. Got 2.5 chapters done today. Good progress.
Labs: expecting some fun w/the rpm package.
rpm build. Got it. I think I commented too much crap the first time. I was able to create the two rpms in the lab and even experiment a little.
yum -y install rpmbuild rpmdevtools
As a normal user,
rpmdev-setuptree; cd rpmbuild
Create a subdirectory w/version # (mypackage-1.0)
Put required files in it including an executable empty configure
rpmdev-newspec SPECS/${spec}
Fill out the summary lines (ones w/o ‘%’) as needed. Comment or erase ones that aren’t
Required commands:
%description
%prep and %setup -q
%build (comment out everything)
%install
%clean
%files (sub cmd %dir to create the directory?)
%defattr (w/final commands
First package lab was right from the book; the second was from scratch and memory. Yay for me!
Routing: fucking routing command. I really hate that.
route add default gw ${gw}        # that one I got…
route add -net ${network_ip} netmask ${netmask} gw ${gw}
Format for the /etc/sysconfig/network-scripts/route-${int}:
ADDRESS0=${tgt_addr} NETMASK0=${netmask} GATEWAY0=${gw}
Chapter 13: electronic mail:¶
If both postfix/sendmail are installed, use the alternatives command to switch between them.
# alternatives --config mta

There are 2 programs which provide 'mta'.

  Selection    Command
-----------------------------------------------
 + 1           /usr/sbin/sendmail.postfix
*  2           /usr/sbin/sendmail.sendmail

Enter to keep the current selection[+], or type selection number: 2
04/13/14
User level security:
Short section discussing having user accounts on the MTA system from which users will get their mail.
Set otherwise non-interactive accounts with shell=/sbin/nologin
MTA access configured via SASL which ties back to pam via:
Config files under /etc/sasl2: entry pwcheck_method
/etc/sysconfig/saslauthd:
# grep -i ^mech /etc/sysconfig/saslauthd
MECH=pam
Consider setting rules to listen to port 25 on specific networks only:
iptables:
iptables -A INPUT -m state --state NEW -m tcp -p tcp \
    -s 192.168.122.0/24 --dport 25 -j ACCEPT
sendmail: daemonportoptions:
DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
postfix:
inet_interfaces = ${ip}
in /etc/postfix/main.cf
postfix:
Commands:
postconf check: tests the postfix config.
postmap: updates the hash databases.
Files:
access: same as sendmail; don’t forget to run postmap afterwards
canonical: incoming email user rewrite/redirect
generic: outgoing user rewrite
main.cf: Upon installation, update:
myhostname
mydomain
uncomment myorigin (don’t edit otherwise)
inet_interfaces (as described in how to limit port 25 exposure)
inet_protocols, if needed/desired
mydestination: effectively postfix’s version of local-host-names. add $mydomain to the list.
mynetworks: list of internal networks or those allowed to relay.
Authentication:
Create local accounts w/shells = /sbin/nologin. Set passwords
Configure postfix as noted above.
Perform steps in the README-Postfix-SASL-RedHat.txt doc under /usr/share/doc/postfix-${ver}/
Mostly standard; sendmail was pretty lightly covered. They’re pushing postfix so that’s the one I should be ready to configure.
Labs: nothing too extreme. Need to remember the docs for postfix. updating the main.cf file shouldn’t be too crazy for the most part.
Chapter 14: apache:¶
Mostly standard so far; groupinstall ‘web servers’ to get everything.
apache and selinux: When creating dirs for vhosts, ensure:
file context: ls -dZ; chcon; semanage
CGI dirs have different contexts from the ones on /var/www/html.
# ls -dZ /var/www/html /var/www/cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
booleans: book stresses httpd_enable_homedirs
host based security set up in the directory stanza. Examples:
deny from 192.168.122.150
deny from 192.168.122/24
allow from osborne.com
User/group security:
Directives: to be added to the appropriate <directory> stanza
AuthUserFile/AuthGroupFile: specifies the user/group files containing valid users.
Authtype basic: sets up the basic authorization type.
require [user|group] specifies the user or group required.
AuthName ${chto-to}: the name of the ‘realm’
Book doesn’t - yet - say how to populate the password database. BTW, the password database shouldn’t be in the same directory that the miscreants are viewing.
.htaccess:
If used, needs the AllowOverride Options directive in the directory stanza.
Allows the ability to override previously set permissions.
User/group pwds:
Create the password file:
htpasswd -c ${pwd_file} ${user}
To add another user:
htpasswd ${pwd_file} ${user}
Group file format (location specified in the directive):
${group}: ${user} ${user}
User home directories:
Reset UserDir directives in httpd.conf
Set world executable bit on /home/${user} and /home/${user}/public_html or setfacl.
setsebool -P httpd_enable_homedirs 1
Update <directory /home/*public_html> stanza as appropriate.
Group directories (also stressed as part of the test)
Create a new user that matches the group
shell = /sbin/nologin,
directory owned by nobody, perms 2770
setfacl -m u:apache:x /home/${user}
setfacl -m u:apache:x /home/${user}/public_html
Reset Userdir in httpd.conf
setsebool -P httpd_enable_homedirs 1
Update <directory /home/*public_html> stanza as appropriate.
service httpd restart
SSL:
genkey ${fqdn}: generates a set of self signed keys for ssl enabled domains.
To configure multiple virtuals, need
NameVirtualHost *:443
added to ssl.conf.
It appears my vhosts (both ssl and nonssl) are working; I just can’t get elinks to work w/the self signed cert. fuck.
CGI:
update the <directory cgi-bin> stanza:
Options ExecCGI
AddHandler cgi-script .pl
If creating alternate cgi-bin dirs, don’t forget
ls -dZ; chcon; and semanage fcontext -a -s ...
Labs:
Virtual hosts: Mostly reasonable. Remember to put an IP address in the NameVirtualHost parameter. Also, remember the httpd -t and httpd -S commands. Remember the genkey command to generate self signed certs.
Read the whole question: limit the home directory to the user means remotely as well. That implies an authentication mechanism.
Install the ‘web server’ group or the httpd-manual rpm somewhere. use the tutorials in the top right to ID required auth parms.
Long story short: this lab, while not difficult, took me about 4 hours. I need to get that time down and not include so many errors.
Chapter 15: samba. fucking samba:¶
If manually setting up firewall, ensure following ports are open:
137/udp: netbios name service
138/udp: netbios datagram service
139/tcp: netbios session service
445/tcp: MS directory service or Samba over IP.
iptables -I INPUT 8 -m state --state new -p udp -m udp --dport 137 -j ACCEPT
iptables -I INPUT 9 -m state --state new -p udp -m udp --dport 138 -j ACCEPT
iptables -I INPUT 10 -m state --state new -p tcp -m tcp --dport 139 -j ACCEPT
iptables -I INPUT 11 -m state --state new -p tcp -m tcp --dport 445 -j ACCEPT
Check selinux booleans
Mostly standard other than that. the book pounced on samba_enable_home_dirs several times…
Labs: yep; fucking samba.
smbpasswd: In order to add a user, the account must exist on the local box. Otherwise, samba responds with the completely helpful
Failed to add entry for user dkoleary
. Fucknuts.
The group access thing seems to have stumped me. I’m not able to mount a samba directory as nobody nor write to it by anyone. Need to work that one a bit.
Chapter 16: More file sharing services:¶
NFS: A bit more entertaining than I was expecting. nfs ver 4 has come a long way. I’ll need to examine NFS in more depth at some point. Lessons learned:
Following ports need to be defined in /etc/sysconfig/nfs:
LOCKD_TCPPORT=4000
LOCKD_UDPPORT=4000
MOUNTD_PORT=4001
STATD_PORT=4002
Those same ports need to be opened in a firewall.
Book suggested two selinux booleans which don’t seem to exist anymore.
Need to play around w/the automounter on linux. Really don’t like the idea of nfs mounts in the /etc/fstab file.
vsftpd:
If allowing local users to access their home dirs, ensure chroot_local_user is set to yes.
If download only, ensure write_enable=NO is set.
Book suggests that selinux type public_content_rw_t needs to be set on whatever directory is used.
Directory used for anonymous access is the home directory of ftp user.
Labs: some issues w/anonymous ftp and passive mode. not sure what was up with that. Other than that, the nfs stuff went smoothly. Want and need to ensure I can get the automounter up and running in nothing flat too.
Chapter 17: dns, ftp, and logging:¶
DNS: simply a matter of extending the listen-on and allow-query lines as well as adding appropriate forwarders.
sar:
sar files written to /var/log/sa
check /etc/sysconfig/sysstat for days to keep and when to compress
ntp and rsyslog: no surprises.
At last. Done reading. wow.
Labs: For the most part, no issues. had some fun with the dns initially due to fuck ups. Wrong IP, wrong port, etc. sar and ntp had no issues.
Labs:¶
Redoing all of the labs. Modifying the ones in chapter 2, though. I’m already reasonably familiar with virt-install and kickstart. The only additional thing I’ll be doing is cloning a box.
luks encryption:
Remember, cryptsetup luksFormat vs luksOpen as first command option, dumb ass!
Third field in /etc/crypttab is absolute path to the file containing the passphrase. It includes any new lines. Create the file via
echo -n '${passphrase}' > ${passphrase_file}
Once that’s done, rebooting w/a luks formatted partition works.
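That trailing newline is exactly the kind of thing to check mechanically before a reboot. As an added example (not from these notes), here is a sh script that writes a key file the way the note says (no newline, mode 0600) and vets /etc/crypttab entries against it: a newline at the end of the key file, a world-readable key file, a missing file, or a literal passphrase in the third field each get called out. The entries and key files are constructed in a temp dir; nothing touches cryptsetup or a real device.

```sh
#!/bin/sh
# Added example, not from the original notes: create a LUKS key file as the
# note above describes (no trailing newline, readable only by root) and
# sanity-check /etc/crypttab entries against it. Entries are constructed and
# key files live in a temp dir; cryptsetup is never called.

# write_keyfile PATH PASSPHRASE: write the passphrase bytes only, mode 0600
write_keyfile() {
  ( umask 077; printf '%s' "$2" > "$1" )
}

# keyfile_has_newline PATH: exit 0 when the last byte is a newline, which is
# what "echo passphrase > file" produces (the newline becomes part of the key)
keyfile_has_newline() {
  [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = 0a ]
}

# keyfile_readable_by_others PATH: exit 0 when group or others can read it
keyfile_readable_by_others() {
  [ -n "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print)" ]
}

# crypttab_check LINE: print one verdict for a "name device keyfile [options]" line
crypttab_check() {
  set -- $1
  name=$1; dev=$2; key=$3
  if [ -z "$name" ] || [ -z "$dev" ]; then
    echo "bad: entry needs at least a mapping name and a device"; return 1
  fi
  case $key in
    ''|none)
      echo "ok: $name prompts for the passphrase at boot" ;;
    /*)
      if [ ! -f "$key" ]; then
        echo "bad: $name key file $key does not exist"
      elif keyfile_has_newline "$key"; then
        echo "warn: $name key file $key ends with a newline that will be part of the passphrase"
      elif keyfile_readable_by_others "$key"; then
        echo "warn: $name key file $key is readable by group or others"
      else
        echo "ok: $name unlocks $dev from key file $key"
      fi ;;
    *)
      echo "warn: $name has a literal passphrase in crypttab; prefer a key file or none" ;;
  esac
}

# demo: one good key file, one written with a trailing newline, one missing
demo_crypttab() {
  d=$(mktemp -d)
  write_keyfile "$d/good.key" 'correct horse battery staple'
  printf '%s\n' 'correct horse battery staple' > "$d/bad.key"
  crypttab_check "luks /dev/vg01/luks none"
  crypttab_check "luks /dev/vg01/luks $d/good.key"
  crypttab_check "luks /dev/vg01/luks $d/bad.key"
  crypttab_check "luks /dev/vg01/luks $d/missing.key"
  rm -rf "$d"
}

demo_crypttab
```

To vet the real file: while read -r l; do crypttab_check "$l"; done < /etc/crypttab. A key file that passes here still only helps if the filesystem it lives on is itself available before the encrypted volume is opened at boot.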
rpm creation. had to check in the book for the right format for the install command. Remember the $RPM_BUILD_ROOT