RHCE "Cheat Sheet"
This document attempts to provide answers to all study points on the RHCE and RHCT Exam Preparation Guide in a single-page (and thus, printable) format. This is not a “brain dump” or an attempt to cheat the RH302 exam in any way. These are just my self-study notes. Use them at your own risk.
Note: Study points last updated on 2009-08-11. This list may become out
of date without notice (especially after I pass the test 
).
Testing Environment with Sun VirtualBox
install guest additions:
yum install gcc kernel-devel
sh /media/VBOXADDITIONS*/VBoxLinuxAdditions-x86.run
reboot
Prerequisite skills for RHCT and RHCE
Candidates should possess the following skills, as they may be
necessary in order to fulfill requirements of the RHCT and RHCE exams:
use
standard command line tools (e.g., ls, cp, mv, rm, tail, cat, etc.) to
create, remove, view, and investigate files and directories
use grep, sed, and awk to process text streams and files
use a terminal-based text editor, such as vim or nano, to modify text files
use input/output redirection
| operator | description |
|---|---|
| > | redirect STDOUT to a file |
| 2> | redirect STDERR to a file |
| &> | redirect all output to a file |
| 2>&1 | redirect all output to a pipe |
- use » to append instead of overwrite
understand basic principles of TCP/IP networking, including IP addresses, netmasks, and gateways for IPv4 and IPv6
use su to switch user accounts
<span class="kw2">su</span> - <span class="sy0"><</span>user<span class="sy0">></span>
use passwd to set passwords
<span class="kw2">passwd</span> <span class="sy0"><</span>user<span class="sy0">></span>
use tar, gzip, and bzip2
<span class="co0"># compress (tar/gzip)</span><br /><span class="kw2">tar</span> cvzf <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span>.tgz <span class="sy0"><</span>directory<span class="sy0">></span><br /> <br /><span class="co0"># extract (tar/gzip)</span><br /><span class="kw2">tar</span> xvzf <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span>.tgz<br /> <br /><span class="co0"># compress (tar/bzip)</span><br /><span class="kw2">tar</span> cvjf <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span>.tbz <span class="sy0"><</span>directory<span class="sy0">></span><br /> <br /><span class="co0"># extract (tar/bzip)</span><br /><span class="kw2">tar</span> xvjf <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span>.tbz
configure an email client on Red Hat Enterprise Linux
<span class="kw3">echo</span> <span class="st0">"message"</span> | mail <span class="sy0"><</span>email<span class="sy0">></span> <span class="re5">-s</span> <span class="st0">"subject"</span><br />mail <span class="sy0"><</span>email<span class="sy0">></span> <span class="re5">-s</span> <span class="st0">"subject"</span> <span class="sy0"><</span> <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span>
use text and/or graphical browser to access HTTP/HTTPS URLs
- elinks
- lynx
use lftp to access FTP URLs
RHCT skills
Troubleshooting and System Maintenance
RHCTs should be able to:
boot systems into different run levels for troubleshooting and system maintenance
append the desired runlevel to grub's kernel line:
- 1-5 runs appropriate rc and init scripts
- single only runs rc.sysinit
- emergency skips all rc and init scripts
diagnose and correct misconfigured networking
- check /etc/sysconfig/network
- check /etc/sysconfig/network-scripts/ifcfg-<interface>
- service network restart
- chkconfig network on
- ifconfig
- ping <localhost ip>
- netstat -r
- ping <default gateway>
- ping 4.2.2.2
redhat network config tool:
system-config-network
diagnose and correct hostname resolution problems
- check /etc/nsswitch.conf
- check /etc/resolv.conf
- check /etc/hosts
- dig @<dns server> google.com
redhat network config tool:
system-config-network
configure the X Window System and a desktop environment
install x:
yum groupinstall <span class="st0">"x window system"</span>
- init respawns /etc/X11/prefdm -nodaemon to keep x running in runlevel 5
- startx to start manually
xfs is supposedly required for x windows (even though i can run x fine without it…):
service xfs on<br />chkconfig xfs on
x environment config:
- /etc/sysconfig/desktop
- /etc/X11/xinit/xinitrc
- /etc/X11/xinit/Xclients
- ~/.xinitrc
- ~./Xclients
redhat display config tool:
system-config-display <span class="br0">[</span>--reconfig<span class="br0">]</span>
install gnome desktop:
yum groupinstall <span class="st0">"gnome desktop environment"</span>
switchdesk allows you to change your desktop environment:
yum <span class="kw2">install</span> switchdesk<br />switchdesk
if switchdesk is not available, edit /etc/sysconfig/desktop:
<span class="re2">DISPLAYMANAGER</span>=<span class="sy0"><</span>GNOME|KDE|XDM<span class="sy0">></span><br /><span class="re2">DESKTOP</span>=<span class="sy0"><</span>GNOME|KDE<span class="sy0">></span>
add new partitions, filesystems, and swap to existing systems
partitions
manage partitions:
fdisk <span class="sy0"><</span>device<span class="sy0">></span><br />partprobe
filesystems
make filesystems:
mkfs.<span class="sy0"><</span>ext2|ext3<span class="sy0">></span>
label filesystems:
e2label <span class="sy0"><</span>partition<span class="sy0">></span> <span class="sy0"><</span>label<span class="sy0">></span><br />blkid
manage filesystem settings:
tune2fs <span class="sy0"><</span>partition<span class="sy0">></span><br />dumpe2fs <span class="sy0"><</span>partition<span class="sy0">></span>
swap
note that it's possible to create a swap file instead of a partition:
<span class="kw2">dd</span> <span class="re2"><span class="kw1">if</span></span>=<span class="sy0">/</span>dev<span class="sy0">/</span>zero <span class="re2">of</span>=<span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span> <span class="re2">bs</span>=<span class="nu0">1024</span> <span class="re2">count</span>=<span class="sy0"><</span><span class="kw2">size</span><span class="sy0">></span>
format the file/partition:
mkswap <span class="sy0"><</span>partition|<span class="kw2">file</span><span class="sy0">></span><br /><span class="kw2">nano</span> <span class="re5">-w</span> <span class="sy0">/</span>etc<span class="sy0">/</span>fstab<br />swapon <span class="re5">-va</span><br /><span class="kw2">cat</span> <span class="sy0">/</span>proc<span class="sy0">/</span>swaps
use standard command-line tools to analyze problems and configure system
- check for full filesystems, quotas
Installation and Configuration
RHCTs must be able to:
perform network OS installation
at boot prompt:
linux askmethod
implement a custom partitioning scheme
configure printing
printing support is provided by cups:
service cups start<br />chkconfig cups on
redhat printer config tool:
system-config-printer
web config tool:
http://localhost:631<br />
printing via command line:
<span class="co0"># print</span><br /><span class="kw2">lpr</span> <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span><br /><span class="co0"># view print queue</span><br />lpq<br /><span class="co0"># remove print job</span><br />lprm <span class="sy0"><</span>job number<span class="sy0">></span>
configure the scheduling of tasks using cron and at
cron
make sure vixie cron is installed and running:
yum <span class="kw2">install</span> vixie-cron<br />service crond start<br />chkconfig crond on
- if /etc/cron.allow exists, only these users are allowed (/etc/cron.deny is ignored)
- if /etc/cron.allow does not exist, everyone allowed except users in /etc/cron.deny
- if neither exists, only root allowed
- empty /etc/cron.deny means all users allowed (default)
edit your cron jobs:
crontab <span class="re5">-e</span>
crontab format:
<minute> <hour> <day of month> <month> <day of week> <command><br />
/etc/crontab has additional user field before command.
at/batch
make sure at is installed and running:
yum <span class="kw2">install</span> at<br />service atd start<br />chkconfig atd on
- if /etc/at.allow exists, only these users are allowed (/etc/at.deny is ignored)
- if /etc/at.allow does not exist, everyone allowed except users in /etc/at.deny
- if neither exists, only root allowed
- empty /etc/at.deny means all users allowed (default)
<span class="co0"># add jobs</span><br />at now + <span class="nu0">1</span> hour<br />at<span class="sy0">></span> <span class="sy0"><</span><span class="kw3">command</span><span class="sy0">></span><br /> <br />at 09:00 <span class="nu0">2009</span>-07-<span class="nu0">23</span><br />at<span class="sy0">></span> <span class="sy0"><</span><span class="kw3">command</span><span class="sy0">></span><br /> <br />batch<br />at<span class="sy0">></span> <span class="sy0"><</span><span class="kw3">command</span><span class="sy0">></span>
<span class="co0"># list jobs</span><br />atq
remove <span class="kw3">jobs</span><br />atrm <span class="sy0"><</span>job<span class="sy0">></span>
attach system to a network directory service, such as NIS or LDAP
redhat config tools:
system-config-authentication<br />authconfig-tui
required packages for nis:
yum <span class="kw2">install</span> ypbind portmap
required packages for ldap:
yum <span class="kw2">install</span> nss-ldap openldap
configure autofs
make sure the autofs service is running:
service autofs start<br />chkconfig autofs on
ensure the following line in /etc/nsswitch.conf:
automount: files nis
define an autofs-controlled mountpoint called test by adding the following to /etc/auto.master:
<span class="sy0">/</span><span class="kw3">test</span> <span class="sy0">/</span>etc<span class="sy0">/</span>auto.test
create /etc/auto.test:
blah example.com:<span class="sy0">/</span>pub<span class="sy0">/</span>something<br /><span class="sy0">*</span> example:<span class="sy0">/</span>home<span class="sy0">/&</span>
- local /test/blah ⇒ remote example.com:/pub/something
- local /test/user ⇒ remote example:/home/user ( this method can be used to automount home directories)
test automounting:
<span class="kw2">ls</span> <span class="sy0">/</span><span class="kw3">test</span><span class="sy0">/</span>blah<br /><span class="kw2">ls</span> <span class="sy0">/</span><span class="kw3">test</span><span class="sy0">/</span>user<br /> <br /><span class="co0"># redhat defaults</span><br /><span class="kw2">ls</span> <span class="sy0">/</span>net<span class="sy0">/<</span><span class="kw2">hostname</span><span class="sy0">></span><br /><span class="kw2">ls</span> <span class="sy0">/</span>misc<span class="sy0">/</span><span class="kw3">cd</span>
add and manage users, groups, quotas, and File Access Control Lists
redhat user/group config tool:
system-config-users
users
/etc/passwd file format:
username:password:uid:gid:gecos:homedir:shell<br />
/etc/shadow file format:
username:password:lastpwchange:minpwchange:maxpwage:pwchangewarn:inactive:expire<br />
command line user management:
useradd <span class="sy0"><</span>user<span class="sy0">></span><br />usermod <span class="sy0"><</span>user<span class="sy0">></span><br />chage <span class="sy0"><</span>user<span class="sy0">></span><br />userdel <span class="sy0"><</span>user<span class="sy0">></span><br />pwck
- default account expiration settings in /etc/login.defs
groups
/etc/group file format:
groupname:password:gid:members<br />
command line group management:
<span class="kw2">groups</span> <span class="sy0"><</span>user<span class="sy0">></span><br />groupadd <span class="sy0"><</span>user<span class="sy0">></span><br />groupmod <span class="sy0"><</span>user<span class="sy0">></span><br />groupdel <span class="sy0"><</span>user<span class="sy0">></span> <br />grpck
quotas
install quota package
yum <span class="kw2">install</span> quota
add fs options to /etc/fstab:
usrquota,grpquota
remount device
<span class="kw2">mount</span> <span class="re5">-o</span> remount <span class="sy0"><</span><span class="kw2">mount</span> point<span class="sy0">></span>
init quota database:
quotacheck <span class="re5">-cugm</span> <span class="sy0"><</span>device<span class="sy0">></span>
enable/disable quotas
quotaon <span class="sy0"><</span>device<span class="sy0">></span><br />quotaoff <span class="sy0"><</span>device<span class="sy0">></span>
edit quotas
edquota <span class="re5">-u</span> <span class="sy0"><</span>user<span class="sy0">></span><br />edquota <span class="re5">-g</span> <span class="sy0"><</span>group<span class="sy0">></span>
edit grace time
edquota <span class="re5">-ut</span> <span class="sy0"><</span>user<span class="sy0">></span><br />edquota <span class="re5">-gt</span> <span class="sy0"><</span>group<span class="sy0">></span>
check/report quotas
quota <span class="sy0"><</span>user<span class="sy0">></span><br />repquota <span class="re5">-aug</span>
Access Control Lists
install acl package
yum <span class="kw2">install</span> acl
add fs options to /etc/fstab:
acl
remount device:
<span class="kw2">mount</span> <span class="re5">-o</span> remount <span class="sy0"><</span><span class="kw2">mount</span> point<span class="sy0">></span>
manage acls:
<span class="co0"># set acls</span><br />setfacl <span class="re5">-m</span> <span class="br0">[</span>d:<span class="br0">]</span>u:<span class="sy0"><</span>user<span class="sy0">></span>:<span class="sy0"><</span>r|<span class="kw2">w</span>|x|-<span class="sy0">></span> <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span><br />setfacl <span class="re5">-m</span> <span class="br0">[</span>d:<span class="br0">]</span>g:<span class="sy0"><</span>group<span class="sy0">></span>:<span class="sy0"><</span>r|<span class="kw2">w</span>|x|-<span class="sy0">></span> <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span><br /> <br /><span class="co0"># get acls</span><br />getfacl <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span><br /> <br /><span class="co0"># remove acls</span><br />setfacl <span class="re5">-x</span> u:<span class="sy0"><</span>user<span class="sy0">></span> <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span><br />setfacl <span class="re5">-x</span> g:<span class="sy0"><</span>user<span class="sy0">></span> <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span><br />setfacl <span class="re5">--remove-all</span> <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span><br />setfacl <span class="re5">--remove-default</span> <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span>
configure filesystem permissions for collaboration
- create new group
- add users to group
- chown folder to root.<group>
- chmod folder to 2770 (g+s)
install and update packages using rpm
<span class="co0"># install</span><br />rpm <span class="re5">-ivh</span> <span class="sy0"><</span>package<span class="sy0">></span>.rpm<br /> <br /><span class="co0"># update</span><br />rpm <span class="re5">-Uvh</span> <span class="sy0"><</span>package<span class="sy0">></span>.rpm<br /> <br /><span class="co0"># freshen </span><br />rpm <span class="re5">-Fvh</span> <span class="sy0"><</span>package<span class="sy0">></span>.rpm<br /> <br /><span class="co0"># remove</span><br />rpm <span class="re5">-e</span> <span class="sy0"><</span>package<span class="sy0">></span><br /> <br /><span class="co0"># query by file name</span><br />rpm <span class="re5">-qf</span> <span class="sy0"><</span>full path of <span class="kw2">file</span><span class="sy0">></span><br /> <br /><span class="co0"># verify a file</span><br />rpm <span class="re5">-Vf</span> <span class="sy0">></span> <span class="sy0"><</span>full path of <span class="kw2">file</span><span class="sy0">></span><br /> <br /><span class="co0"># verify status of all packages</span><br />rpm <span class="re5">-Va</span> <span class="sy0">></span> <span class="sy0">/</span>tmp<span class="sy0">/</span>rpmverify
while inside the rescue environment, use the –root option to specify the real location of your root file system (e.g. –root=/mnt/sysimage).
properly update the kernel package
- always do an install (i.e. rpm -ivh <kernel package>) rather than an update
- check /boot/grub/grub.conf for proper configuration
configure the system to update/install packages from remote repositories using yum or pup
yum config goes in /etc/yum.repos.d/
[id]<br />name=my repo<br />baseurl=http://example.com/centos/<br />enabled=1<br />
modify the system bootloader
- production config is in /boot/grub/grub.conf
- see examples in /usr/share/doc/grub-*/menu.lst
implement software RAID at install-time and run-time
to start, we need at least two devices/partitions of type “linux raid autodetect” (use fdisk to set partition type to “fd”)
create raid device:
mdadm <span class="re5">--create</span> <span class="sy0">/</span>dev<span class="sy0">/</span>md0 --<span class="re2">level</span>=<span class="sy0"><</span>0|<span class="nu0">1</span>|<span class="nu0">4</span>|<span class="nu0">5</span>|<span class="nu0">6</span>|<span class="nu0">10</span><span class="sy0">></span> --raid-<span class="re2">devices</span>=<span class="sy0"><</span>num<span class="sy0">></span> <span class="sy0"><</span>device list<span class="sy0">></span>
fail disk in array:
mdadm <span class="sy0">/</span>dev<span class="sy0">/</span>md0 <span class="re5">-f</span> <span class="sy0"><</span>device<span class="sy0">></span>
remove disk from array:
mdadm <span class="sy0">/</span>dev<span class="sy0">/</span>md0 <span class="re5">-r</span> <span class="sy0"><</span>device<span class="sy0">></span>
add disk to array:
mdadm <span class="sy0">/</span>dev<span class="sy0">/</span>md0 <span class="re5">-a</span> <span class="sy0"><</span>device<span class="sy0">></span>
stop array:
mdadm <span class="re5">--stop</span> <span class="sy0">/</span>dev<span class="sy0">/</span>md0
check raid status:
mdadm <span class="re5">--detail</span> <span class="sy0">/</span>dev<span class="sy0">/</span>md0
<span class="kw2">cat</span> <span class="sy0">/</span>proc<span class="sy0">/</span>mdstat
format works as usual:
mkfs.ext3 <span class="sy0">/</span>dev<span class="sy0">/</span>md0
don't forget to configure /etc/fstab appropriately.
use /proc/sys and sysctl to modify and set kernel run-time parameters
config is in /etc/sysctl.conf
<span class="co0"># search through parameters</span><br />sysctl <span class="re5">-a</span> | <span class="kw2">grep</span> <span class="sy0"><</span>whatever<span class="sy0">></span><br /><span class="co0"># apply changes from config file immediately</span><br />sysctl <span class="re5">-p</span>
use scripting to automate system maintenance tasks
configure NTP for time synchronization with a higher-stratum server
redhat config tool:
system-config-date<br />
- config is in /etc/ntp.conf
synchronization configuration example:
server 0.pool.ntp.org<br />server 1.pool.ntp.org<br />server 2.pool.ntp.org<br />
apply changes:
service ntpd restart<br />chkconfig ntpd on<br />
verify changes:
ntpq <span class="re5">-p</span>
RHCE skills
Troubleshooting and System Maintenance
RHCEs must demonstrate the RHCT skills listed above, and should be able to:
use the rescue environment provided by first installation CD
linux rescue
- when working in non-chrooted rescue mode:
- mount /dev/hdc /mnt/source (to access install files on the cd/dvd)
- rpm commands should use the –root=/mnt/sysimage option
manually make /dev and /proc available in chrooted mode:
<span class="kw2">mount</span> <span class="re5">-o</span> <span class="kw3">bind</span> <span class="sy0">/</span>dev <span class="sy0">/</span>mnt<span class="sy0">/</span>sysimage<span class="sy0">/</span>dev<br /><span class="kw2">mount</span> <span class="re5">-o</span> <span class="kw3">bind</span> <span class="sy0">/</span>proc <span class="sy0">/</span>mnt<span class="sy0">/</span>sysimage<span class="sy0">/</span>proc
diagnose and correct boot failures arising from bootloader, module, and filesystem errors
check in order:
- mbr
- /boot/grub/grub.conf
- /etc/fstab
- /etc/inittab
- /etc/rc.d/rc.sysinit
- /etc/rc.d/rc*.d
- /etc/rc.d/init.d/*
- /etc/rc.d/rc.local
grub errors
- in general, use the last line before the error message to see where grub error'd out
- to find correct value for root option, type find /grub/stage1 at the grub command line ( remember that all file names in grub.conf are relative to the root option)
- check for missing files in kernel and/or initrd lines
kernel errors
- missing/corrupt initrd file results in: kernel panic - not syncing: vfs: unable to mount root fs on unknown-block
- invalid root parameter for kernel results in: setuproot: error mounting /proc: No such file or directory
reinstall grub to mbr:
grub-install <span class="sy0"><</span>device<span class="sy0">></span>
recreate initrd:
mkinitrd <span class="sy0"><</span>filename<span class="sy0">></span> <span class="sy0"><</span>kernel version<span class="sy0">></span>
fix corrupt filesystem:
fsck <span class="sy0"><</span>partition<span class="sy0">></span>
if fsck is unable to locate a superblock, you can specify an alternative one:
dumpe2fs <span class="sy0"><</span>partition<span class="sy0">></span><br />fsck <span class="re5">-b</span> <span class="sy0"><</span>block<span class="co0">#> <partition></span>
diagnose and correct problems with network services (see Installation and Configuration below for a list of these services)
see what's listening on what port:
<span class="kw2">netstat</span> <span class="re5">-ntaupe</span>
add, remove, and resize logical volumes
redhat lvm config tool:
yum <span class="kw2">install</span> system-config-lvm<br />system-config-lvm
create physical volume:
pvcreate <span class="sy0"><</span>device<span class="sy0">></span>
create volume group:
vgcreate <span class="sy0"><</span>name<span class="sy0">></span> <span class="sy0"><</span>pv device<span class="sy0">></span> <span class="br0">[</span>pv device<span class="br0">]</span>
extend volume group:
vgextend <span class="sy0"><</span>name<span class="sy0">></span> <span class="sy0"><</span>pv device<span class="sy0">></span>
create logical volume:
lvcreate <span class="re5">--size</span> <span class="sy0"><</span><span class="kw2">size</span><span class="sy0">></span>M <span class="re5">--name</span> <span class="sy0"><</span>lv name<span class="sy0">></span> <span class="sy0"><</span>vg name<span class="sy0">></span>
extend logical volume:
lvextend <span class="re5">--size</span> <span class="sy0"><</span><span class="kw2">size</span><span class="sy0">></span>M <span class="sy0"><</span>device<span class="sy0">></span><br />resize2fs <span class="sy0"><</span>device<span class="sy0">></span>
shrink logical volume:
resize2fs <span class="sy0"><</span>device<span class="sy0">></span> <span class="sy0"><</span><span class="kw2">size</span><span class="sy0">></span>M<br />lvreduce <span class="re5">--size</span> <span class="sy0"><</span><span class="kw2">size</span><span class="sy0">></span>M <span class="sy0"><</span>device<span class="sy0">></span>
remove logical volume:
lvremove <span class="sy0"><</span>device<span class="sy0">></span>
diagnose and correct networking services problems where SELinux contexts are interfering with proper operation.
enable/disable selinux in /etc/sysconfig/selinux:
SELINUX=enforcing<br />SELINUXTYPE=targeted<br />
install selinux troubleshooter:
yum <span class="kw2">install</span> setroubleshoot<br />service setroubleshoot start<br />chkconfig setroubleshoot on
install selinux management tool:
yum <span class="kw2">install</span> policycoreutils-gui
list selinux errors:
sealert <span class="re5">-a</span> <span class="sy0">/</span>var<span class="sy0">/</span>log<span class="sy0">/</span>audit<span class="sy0">/</span>audit.log | <span class="kw2">less</span>
launch gui browser:
sealert <span class="re5">-b</span>
list selinux booleans:
getsebool <span class="re5">-a</span>
set selinux boolean:
setsebool <span class="re5">-P</span> <span class="sy0"><</span>boolean<span class="sy0">></span> = <span class="sy0"><</span>0|<span class="nu0">1</span><span class="sy0">></span>
list security contexts:
<span class="kw2">ls</span> <span class="re5">-Z</span> <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span>
change security contexts:
<span class="co0"># using reference (copy contexts from existing known-good file)</span><br />chcon <span class="re5">-R</span> <span class="re5">--reference</span> <span class="sy0"><</span>old <span class="kw2">file</span><span class="sy0">></span> <span class="sy0"><</span>new <span class="kw2">file</span><span class="sy0">></span><br /> <br /><span class="co0"># manual</span><br />chcon <span class="re5">-R</span> <span class="re5">-u</span> <span class="sy0"><</span>user<span class="sy0">></span> <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span><br />chcon <span class="re5">-R</span> <span class="re5">-t</span> <span class="sy0"><</span><span class="kw3">type</span><span class="sy0">></span> <span class="sy0"><</span><span class="kw2">file</span><span class="sy0">></span>
Installation and Configuration
RHCEs must demonstrate the RHCT-level skills listed above, and they
must be capable of configuring the following network services. For each
of these services, RHCEs must be able to:
- install the packages needed to provide the service
- configure SELinux to support the service
- configure the service to start when the system is booted
- configure the service for basic operation
- Configure host-based and user-based security for the service
HTTP/HTTPS
install
yum <span class="kw2">install</span> httpd mod_ssl
selinux
make new DocumentRoot match default DocumentRoot ( this applies to any directory that apache will serve files from):
chcon <span class="re5">-R</span> <span class="re5">--reference</span> <span class="sy0">/</span>var<span class="sy0">/</span>www <span class="sy0">/</span>www
start at boot
chkconfig httpd on
basic config
- requirements for ~user/ directories:
- UserDir directive
- chmod 701 the user's home directory
- change security context on the user's UserDir
- requirements for .htaccess file usage:
- AllowOverride All directive
- requirements for name-based virtual hosts:
- NameVirtualHost *:80 and NameVirtualHost *:443 directives
- each virtual host requires appropriate ServerName and ServerAlias directives
- a single virtual host cannot span multiple ports (i.e. 80 and 443). two separate VirtualHost *:<port> sections are needed to do this.
self-signed ssl cert:
<span class="kw3">cd</span> <span class="sy0">/</span>etc<span class="sy0">/</span>pki<span class="sy0">/</span>tls<span class="sy0">/</span>certs<br /><span class="kw2">rm</span> localhost.crt<br /><span class="kw2">make</span> testcert
check virtual host config:
httpd <span class="re5">-D</span> DUMP_VHOSTS
host-based security
firewall config:
| protocol | ports |
|---|---|
| tcp | 80, 443 |
hosts are allowed by default and must be explicitly denied:
<Directory /var/www/html> <br /> Order deny,allow<br /> Deny from 192.168.0.0/255.255.255.0<br /> Deny from badguys.example.com<br /></Directory><br />
hosts are denied by default and must be explicitly allowed:
<Directory /var/www/html> <br /> Order allow,deny<br /> Allow from 192.168.0.0/255.255.255.0<br /> Allow from goodguys.example.com<br /></Directory><br />
user-based security
create web password file:
htpasswd <span class="re5">-c</span> <span class="sy0">/</span>etc<span class="sy0">/</span>httpd<span class="sy0">/</span>webusers testuser1<br />htpasswd <span class="sy0">/</span>etc<span class="sy0">/</span>httpd<span class="sy0">/</span>webusers testuser2
create web group file (/etc/httpd/webgroups):
testgroup: testuser1 testuser2
allow access by group:
<Directory /var/www/html> <br /> AuthType Basic<br /> AuthName "top secret area"<br /> AuthUserFile /etc/httpd/webusers<br /> AuthGroupFile /etc/httpd/webgroups<br /> Require group testgroup<br /></Directory><br />
verify service functionality
test http/https:
elinks <span class="sy0"><</span>http|https<span class="sy0">></span>:<span class="sy0">//<</span><span class="kw2">hostname</span><span class="sy0">>/</span><span class="br0">[</span>path<span class="br0">]</span>
SMB
install
yum <span class="kw2">install</span> samba samba-client
selinux
allow samba to share home directories:
setsebool <span class="re5">-P</span> <span class="re2">samba_enable_home_dirs</span>=<span class="nu0">1</span>
mark a directory as sharable with samba:
chcon <span class="re5">-R</span> <span class="re5">-T</span> samba_share_t <span class="sy0"><</span>directory<span class="sy0">></span>
start at boot
chkconfig smb on
basic config
redhat samba config tool:
yum <span class="kw2">install</span> system-config-samba<br />system-config-samba
set workgroup/domain:
workgroup = <workgroup><br />
security modes:
# connections check local pwdb (default)<br />security = user<br /><br /># member server on a domain, uses pwdb on a dc<br />security = domain<br />workgroup = EXAMPLE<br /><br /># member server on an ad domain using kerberos, uses pwdb on a dc<br />security = ads<br />realm = EXAMPLE.COM<br />password server = kerberos.example.com<br /><br /># used when samba was not capable of being a domain member server (DO NOT USE)<br />security = server<br />encrypt passwords = yes<br />password server = <netbios name of dc><br /><br /># each share requires a password (DO NOT USE)<br />security = share<br />
share options:
[<share name>]<br /># path for share<br />path = <path> <br /><br /># share is visible <br />browseable = <yes|no><br /><br /># rw enabled<br />writeable = <yes|no><br /><br /># this is a shared printer<br />printable = <yes|no><br /><br /># all users connecting to this share use <group> as their primary group<br />group = <group name><br />
join domain:
net rpc <span class="kw2">join</span> <span class="re5">-U</span> root
fstab example:
<span class="sy0">//<</span><span class="kw2">hostname</span><span class="sy0">>/<</span>share<span class="sy0">></span> <span class="sy0"><</span>mountpoint<span class="sy0">></span> cifs <span class="re2">user</span>=<span class="sy0"><</span>username<span class="sy0">></span>,<span class="re2">pass</span>=<span class="sy0"><</span>password<span class="sy0">></span> 0 0
mount.cifs and umount.cifs need to be chmod'ed u+s in order to be used by non-root users
host-based security
firewall config:
| protocol | ports |
|---|---|
| tcp | 139, 445 |
| udp | 137, 138 |
hosts allow/deny can be used per-server or per-share:
hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24<br />hosts deny = 0.0.0.0/0<br />
user-based security
account maintenance:
<span class="co0"># add account (local linux account must exist first, or be translated via /etc/samba/smbusers):</span><br />smbpasswd <span class="re5">-a</span> <span class="sy0"><</span>username<span class="sy0">></span><br /> <br /><span class="co0"># enable/disable account:</span><br />smbpasswd <span class="re5">-e</span> <span class="sy0"><</span>username<span class="sy0">></span><br />smbpasswd <span class="re5">-d</span> <span class="sy0"><</span>username<span class="sy0">></span><br /> <br /><span class="co0"># remove account:</span><br />smbpasswd <span class="re5">-x</span> <span class="sy0"><</span>username<span class="sy0">></span>
service smb reload may be needed after account changes
share access:
valid users = <user1> @<group1><br />
- share access is also controlled by unix file permissions
verify service functionality
list shares:
smbclient <span class="re5">-L</span> <span class="sy0"><</span><span class="kw2">hostname</span><span class="sy0">></span> <span class="re5">-U</span> <span class="sy0"><</span>username<span class="sy0">></span>
browse shares:
smbclient <span class="sy0">//<</span><span class="kw2">hostname</span><span class="sy0">>/<</span>share<span class="sy0">></span> <span class="re5">-U</span> <span class="sy0"><</span>username<span class="sy0">></span>
test allow/deny statements for a host:
testparm <span class="sy0">/</span>etc<span class="sy0">/</span>samba<span class="sy0">/</span>smb.conf <span class="sy0"><</span><span class="kw2">hostname</span><span class="sy0">></span> <span class="sy0"><</span>ip address<span class="sy0">></span>
NFS
install
yum <span class="kw2">install</span> portmap nfs-utils
start at boot
chkconfig portmap on<br />chkconfig nfs on<br />chkconfig nfslock on<br />chkconfig netfs on
basic config
redhat config tool:
yum <span class="kw2">install</span> system-config-nfs<br />system-config-nfs
format of /etc/exports:
<mountpoint> <host>(<options>) [<host>(<options>) ...]<br />
activate new exports:
<span class="sy0">/</span>etc<span class="sy0">/</span>init.d<span class="sy0">/</span>nfs restart
host-based security
edit /etc/sysconfig/nfs and restart nfs to set static ports
firewall config:
<span class="co0"># see ports </span><br />rpcinfo <span class="re5">-p</span>
host based security is intrinsic to the format of the exports file
user-based security
use standard file permissions
verify service functionality
list exports:
showmount -e <host><br />
FTP
install
yum <span class="kw2">install</span> vsftpd
selinux
allow local users to log in and cd into home directories:
setsebool <span class="re5">-P</span> <span class="re2">ftp_home_dir</span>=<span class="nu0">1</span>
start at boot
chkconfig vsftpd on
basic config
host-based security
- use ipchains with -[!]s option
firewall config:
| protocol | ports |
|---|---|
| tcp | 21 |
ftp data transfers will not work unless ip_conntrack_ftp is added to IPTABLES_MODULES in /etc/sysconfig/iptables-config
tcp_wrappers example:
vsftpd : 192.168.0.<br />
user-based security
- allow/deny controlled via /etc/vsftpd/user_list ( users in /etc/vsftpd/ftpusers are always denied via pam)
- default allow/deny is configured by userlist_deny statement in vsftpd.conf
verify service functionality
test ftp:
<span class="kw2">ftp</span> <span class="sy0"><</span>server<span class="sy0">></span>
Web proxy
install
yum <span class="kw2">install</span> squid
selinux
allow squid to connect to the network (this is recommended, but was not needed in my testing):
setsebool <span class="re5">-P</span> <span class="re2">squid_connect_any</span>=<span class="nu0">1</span>
start at boot
chkconfig squid on
host-based security
firewall config:
| protocol | ports |
|---|---|
| tcp | 3128 |
allow access from local networks:
acl our_networks src 192.168.1.0/24 192.168.2.0/23<br />http_access allow our_networks<br />
user-based security
verify service functionality
test proxy:
<span class="re2">HTTP_PROXY</span>=<span class="sy0"><</span>server<span class="sy0">></span>:<span class="nu0">3128</span> elinks
SMTP
install
yum <span class="kw2">install</span> postfix<br />alternatives <span class="re5">--config</span> mta<br />service <span class="kw2">sendmail</span> stop
start at boot
chkconfig postfix on
basic config
listen on public interfaces:
inet_interfaces = all<br />
specify all destination hostnames/domains:
mydestination = <hostname1>, <hostname2>, ...<br />
specify origin domain:
myorigin = $mydomain<br />
local aliases in /etc/aliases ( dont forget to run newaliases to apply changes):
<alias>: <user1>[, user2]<br />
virtual aliases in /etc/postfix/virtual ( dont forget to run postmap /etc/postfix/virtual to apply changes):
<virtual alias>: <user><br />
enable virtual aliases:
virtual_alias_maps = hash:/etc/postfix/virtual<br />
outbound address rewriting in /etc/postfix/generic ( dont forget to run postmap /etc/postfix/generic to apply changes):
<outbound alias>: <user><br />
enable outbound aliases:
smtp_generic_maps = hash:/etc/postfix/generic<br />
host-based security
- use ipchains with -[!]s option
firewall config:
| protocol | ports |
|---|---|
| tcp | 25 |
user-based security
use smtp auth?
verify service functionality
test smtp:
telnet <span class="sy0"><</span>server<span class="sy0">></span> <span class="nu0">25</span>
IMAP, IMAPS, and POP3
install
yum <span class="kw2">install</span> dovecot
start at boot
chkconfig dovecot on
basic config
enable protocols:
protocols = <protocol list><br />
create custom ssl cert:
nano -w /etc/pki/dovecot/dovecot-openssl.cnf<br />/usr/share/doc/dovecot-*/examples/mkcert.sh<br />service dovecot restart<br />
host-based security
use ipchains with -[!]s option
| protocol | ports |
|---|---|
| tcp | 143, 110, 995, 993 |
user-based security
use pam_listfile in /etc/pam.d/dovecot
verify service functionality
test mailbox acess:
mutt <span class="re5">-f</span> <span class="sy0"><</span>imap|imaps|pop|pops<span class="sy0">></span>:<span class="sy0">//<</span>user<span class="sy0">>@<</span>server<span class="sy0">></span>
SSH
install
yum <span class="kw2">install</span> openssh-server
start at boot
chkconfig sshd on
user-based security
allow/deny user access:
AllowUsers user1 user2 user3@example.com<br />DenyUsers user4 user5 user6@example.com<br />
host-based security
- use ipchains with -[!]s option
firewall config:
| protocol | ports |
|---|---|
| tcp | 22 |
tcp_wrappers example:
sshd : 192.168.0.<br />
verify service functionality
test logging in:
<span class="kw2">ssh</span> <span class="sy0"><</span>user<span class="sy0">>@<</span>server<span class="sy0">></span>
DNS (caching name server, slave name server)
install
yum <span class="kw2">install</span> bind-chroot caching-nameserver
start at boot
chkconfig named on
basic config
copy sample config:
<span class="kw2">cp</span> <span class="re5">-a</span> <span class="sy0">/</span>var<span class="sy0">/</span>named<span class="sy0">/</span><span class="kw2">chroot</span><span class="sy0">/</span>etc<span class="sy0">/</span>named.caching-nameserver.conf <span class="sy0">/</span>var<span class="sy0">/</span>named<span class="sy0">/</span><span class="kw2">chroot</span><span class="sy0">/</span>etc<span class="sy0">/</span>named.conf
caching-only nameserver:
- edit listen-on directives (comment out to listen on all interfaces)
- edit allow-query directives (comment out allow queries from everyone)
- edit match-clients and match-destinations directives to allow recursive queries from other hosts
slave nameserver:
- get slave example from /usr/share/doc/bind-*/sample/etc/named.conf
host-based security
firewall config:
| protocol | ports |
|---|---|
| tcp | 53 |
| udp | 53 |
allow-query example:
allow-query { 192.168.0.0/16; localnets; };<br />user-based security
N/A
verify service functionality
test query:
dig <span class="sy0">@<</span>server<span class="sy0">></span> <span class="sy0"><</span>domain<span class="sy0">></span>
test zone transfer:
dig <span class="sy0">@<</span>server<span class="sy0">></span> <span class="sy0"><</span>domain<span class="sy0">></span> axfr
NTP
install
yum <span class="kw2">install</span> ntp
start at boot
chkconfig ntpd on
host-based security
firewall config:
| protocol | ports |
|---|---|
| udp | 123 |
allow other servers to sync with us:
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap<br />
user-based security
N/A
verify service functionality
show peers:
ntpq <span class="re5">-p</span>
RHCEs must also be able to:
configure hands-free installation using Kickstart
yum <span class="kw2">install</span> system-config-kickstart
- make installation tree available
- create kickstart file (use system-config-kickstart to create ks.cfg) and validate (using ksvalidator)
- validate kickstart file
- make kickstart file available
- bootable diskette (place in top level directory)
- bootable cdrom (place in top level directory)
- network (http, ftp, nfs)
- use bootable media and supply appropriate kernel parameter
<span class="re2">ks</span>=floppy:<span class="sy0">/</span>ks.cfg<br /><span class="re2">ks</span>=cdrom:<span class="sy0">/</span>ks.cfg<br /><span class="re2">ks</span>=http:<span class="sy0">//</span>example.com<span class="sy0">/</span>ks.cfg<br /><span class="re2">ks</span>=nfs:example.com:<span class="sy0">/</span>ks.cfg
implement logical volumes at install-time
use iptables to implement packet filtering and/or NAT
do not
use system-config-securitylevel, as it will overwrite your custom
iptables rules. the following method seems to be the best way to go:
- make changes in /etc/sysconfig/iptables
- run /etc/init.d/iptables restart to apply changes
packet filtering
packet filtering example:
<span class="re5">-A</span> <span class="sy0"><</span>chain<span class="sy0">></span> <span class="re5">-p</span> <span class="sy0"><</span>tcp<span class="sy0">/</span>udp<span class="sy0">></span> <span class="re5">-m</span> <span class="sy0"><</span>tcp<span class="sy0">/</span>udp<span class="sy0">></span> <span class="br0">[</span>-s<span class="br0">[</span><span class="sy0">!</span><span class="br0">]</span> <span class="sy0"><</span><span class="kw3">source</span> address<span class="sy0">></span><span class="br0">]</span> <span class="re5">--dport</span> <span class="sy0"><</span>destination port<span class="sy0">></span> <span class="re5">-j</span> ACCEPT
NAT
enable ip forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward = 1<br />
to test from another machine:
ip route replace default via <span class="sy0"><</span>ip address<span class="sy0">></span>
inbound dnat:
iptables <span class="re5">-t</span> nat <span class="re5">-A</span> PREROUTING <span class="re5">-p</span> <span class="sy0"><</span>tcp<span class="sy0">/</span>udp<span class="sy0">></span> <span class="re5">--dport</span> <span class="sy0"><</span>destination port<span class="sy0">></span> <span class="re5">-j</span> DNAT <span class="re5">--to-dest</span> <span class="sy0"><</span>private server<span class="sy0">></span>:<span class="sy0"><</span>port<span class="sy0">></span>
outbound dnat:
iptables <span class="re5">-t</span> nat <span class="re5">-A</span> OUTPUT <span class="re5">-p</span> <span class="sy0"><</span>tcp<span class="sy0">/</span>udp<span class="sy0">></span> <span class="re5">--dport</span> <span class="sy0"><</span>destination port<span class="sy0">></span> <span class="re5">-j</span> DNAT <span class="re5">--to-dest</span> <span class="sy0"><</span>private server<span class="sy0">></span>:<span class="sy0"><</span>port<span class="sy0">></span>
masquerading:
iptables <span class="re5">-t</span> nat <span class="re5">-A</span> POSTROUTING <span class="re5">-o</span> <span class="sy0"><</span>outbound interface<span class="sy0">></span> <span class="re5">-j</span> MASQUERADE
snat:
iptables <span class="re5">-t</span> nat <span class="re5">-A</span> POSTROUTING <span class="re5">-j</span> SNAT <span class="re5">--to-source</span> <span class="sy0"><</span>public server<span class="sy0">></span>:<span class="sy0"><</span>port<span class="sy0">></span>
use PAM to implement user-level restrictions
module documentation
- /usr/share/doc/pam-*/txts
module configuration
- /etc/pam.d
- /etc/security
<module interface> <control flag> <module name> <module arguments><br />
| module interface | description |
|---|---|
| auth | user authentication (e.g. verifies password, set group membership or kerberos tickets, etc.) |
| account | verifies that access is allowed (e.g. expired account?, check group membership, etc.) |
| password | handles password changes |
| session | manages user sessions (e.g. mount home dir, create mailbox, logging, etc.) |
| control flag | description |
|---|---|
| required | must pass, continue testing on failure |
| requisite | must pass, stop testing on failure |
| sufficient | failure is ignored, but if passing so far, return success at this point |
| optional | pass or failure is irrelevant |
| include | include another file |
pam_listfile.so example
allow/deny users if listed in /etc/special:
auth required pam_listfile.so onerr=success item=user sense=<allow|deny> file=/etc/special<br />
Additional Notes
tcp_wrappers
file format:
<daemon list> : <client list> [except <client list>] [: <option>]<br />
search order:
- /etc/hosts.allow
- /etc/hosts.deny
- allow by default
searching stops on first match
Troubleshooting
unable to log in
- password wrong or expired?
- account locked?
- shell set to /sbin/nologin, /bin/false, etc.?
- root user and PermitRootLogin no in /etc/ssh/sshd_config?
- root user and terminal not listed in /etc/securetty?
- non-root user and /etc/nologin exists?
- check pam_listfile restrictions
Credit: http://conigliaro.org/wiki/rhce
No comments:
Post a Comment