This document attempts to provide answers to all study points on the RHCE and RHCT Exam Preparation Guide in a single-page (and thus, printable) format. This is not a “brain dump” or an attempt to cheat the RH302 exam in any way. These are just my self-study notes. Use them at your own risk.
Note: Study points last updated on 2009-08-11. This list may become out of date without notice (especially after I pass the test).
install guest additions:
yum install gcc kernel-devel
sh /media/VBOXADDITIONS*/VBoxLinuxAdditions-x86.run
reboot
Candidates should possess the following skills, as they may be
necessary in order to fulfill requirements of the RHCT and RHCE exams:
operator | description |
---|---|
> | redirect STDOUT to a file |
2> | redirect STDERR to a file |
&> | redirect all output to a file |
2>&1 | redirect all output to a pipe |
su - <user>
passwd <user>
# compress (tar/gzip)
tar cvzf <file>.tgz <directory>

# extract (tar/gzip)
tar xvzf <file>.tgz

# compress (tar/bzip)
tar cvjf <file>.tbz <directory>

# extract (tar/bzip)
tar xvjf <file>.tbz
echo "message" | mail <email> -s "subject"
mail <email> -s "subject" < <file>
RHCTs should be able to:
append the desired runlevel to grub's kernel line:
redhat network config tool:
system-config-network
install x:
yum groupinstall "x window system"
xfs is supposedly required for x windows (even though i can run x fine without it…):
service xfs start
chkconfig xfs on
x environment config:
redhat display config tool:
system-config-display [--reconfig]
install gnome desktop:
yum groupinstall "gnome desktop environment"
switchdesk allows you to change your desktop environment:
yum install switchdesk
switchdesk
if switchdesk is not available, edit /etc/sysconfig/desktop:
DISPLAYMANAGER=<GNOME|KDE|XDM>
DESKTOP=<GNOME|KDE>
manage partitions:
fdisk <device>
partprobe
make filesystems:
mkfs.<ext2|ext3> <partition>
label filesystems:
e2label <partition> <label>
blkid
manage filesystem settings:
tune2fs <partition>
dumpe2fs <partition>
note that it's possible to create a swap file instead of a partition:
dd if=/dev/zero of=<file> bs=1024 count=<size>
format the file/partition:
mkswap <partition|file>
nano -w /etc/fstab
swapon -va
cat /proc/swaps
RHCTs must be able to:
at boot prompt:
linux askmethod
printing support is provided by cups:
service cups start
chkconfig cups on
redhat printer config tool:
system-config-printer
web config tool:
http://localhost:631
printing via command line:
# print
lpr <file>
# view print queue
lpq
# remove print job
lprm <job number>
make sure vixie cron is installed and running:
yum install vixie-cron
service crond start
chkconfig crond on
edit your cron jobs:
crontab -e
crontab format:
<minute> <hour> <day of month> <month> <day of week> <command>
/etc/crontab has an additional user field before the command.
make sure at is installed and running:
yum install at
service atd start
chkconfig atd on
# add jobs
at now + 1 hour
at> <command>

at 09:00 2009-07-23
at> <command>

batch
at> <command>
# list jobs
atq
# remove jobs
atrm <job>
redhat config tools:
system-config-authentication
authconfig-tui
required packages for nis:
yum install ypbind portmap
required packages for ldap:
yum install nss_ldap openldap
make sure the autofs service is running:
service autofs start
chkconfig autofs on
ensure the following line in /etc/nsswitch.conf:
automount: files nis
define an autofs-controlled mountpoint called test by adding the following to /etc/auto.master:
/test /etc/auto.test
create /etc/auto.test:
blah example.com:/pub/something
* example:/home/&
test automounting:
ls /test/blah
ls /test/user

# redhat defaults
ls /net/<hostname>
ls /misc/cd
redhat user/group config tool:
system-config-users
/etc/passwd file format:
username:password:uid:gid:gecos:homedir:shell
/etc/shadow file format:
username:password:lastpwchange:minpwchange:maxpwage:pwchangewarn:inactive:expire
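An added example, not part of the original notes: a small audit that uses the two field layouts above to flag risky accounts. The sample files, account names and finding labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd/shadow-format files using the field layouts above.
# Sample accounts and finding labels (uid0, ...) are constructed, not from the notes.

# audit_accounts <passwd-file> <shadow-file>
# Prints one finding per line as "<check>:<username>".
audit_accounts() {
    # passwd fields: username:password:uid:gid:gecos:homedir:shell
    awk -F: '
        $3 == 0 && $1 != "root" { print "uid0:" $1 }          # extra superuser account
        $2 != "x"               { print "not-shadowed:" $1 }  # password kept in passwd
    ' "$1"
    # shadow fields: username:password:lastpwchange:minpwchange:maxpwage:...
    awk -F: '
        $2 == ""     { print "empty-password:" $1; next }     # login needs no password
        $2 ~ /^[!*]/ { next }                                 # locked or no-login account
        $5 == "" || $5 >= 99999 { print "no-max-age:" $1 }    # password never expires
    ' "$2"
}

# write_sample_files <directory>: constructed passwd and shadow files for the demo.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
legacy:$1$constructed$notarealhash:502:502::/home/legacy:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$constructed$hash:14467:0:90:7:::
daemon:*:14467:0:99999:7:::
alice:$1$constructed$hash:14467:0:90:7:::
bob::14467:0:99999:7:::
toor:$1$constructed$hash:14467:0:99999:7:::
legacy:!!:14467:0:99999:7:::
EOF
}

# Demo run against the constructed files (on a real host: /etc/passwd, /etc/shadow as root).
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```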
command line user management:
useradd <user>
usermod <user>
chage <user>
userdel <user>
pwck
/etc/group file format:
groupname:password:gid:members
command line group management:
groups <user>
groupadd <group>
groupmod <group>
groupdel <group>
grpck
install quota package
yum install quota
add fs options to /etc/fstab:
usrquota,grpquota
remount device
mount -o remount <mount point>
init quota database:
quotacheck -cugm <device>
enable/disable quotas
quotaon <device>
quotaoff <device>
edit quotas
edquota -u <user>
edquota -g <group>
edit grace time
edquota -ut <user>
edquota -gt <group>
check/report quotas
quota <user>
repquota -aug
install acl package
yum install acl
add fs options to /etc/fstab:
acl
remount device:
mount -o remount <mount point>
manage acls:
# set acls
setfacl -m [d:]u:<user>:<r|w|x|-> <file>
setfacl -m [d:]g:<group>:<r|w|x|-> <file>

# get acls
getfacl <file>

# remove acls
setfacl -x u:<user> <file>
setfacl -x g:<group> <file>
setfacl --remove-all <file>
setfacl --remove-default <file>
# install
rpm -ivh <package>.rpm

# update
rpm -Uvh <package>.rpm

# freshen
rpm -Fvh <package>.rpm

# remove
rpm -e <package>

# query by file name
rpm -qf <full path of file>

# verify a file
rpm -Vf <full path of file>

# verify status of all packages
rpm -Va > /tmp/rpmverify
while inside the rescue environment, use the --root option to specify the real location of your root file system (e.g. --root=/mnt/sysimage).
yum config goes in /etc/yum.repos.d/
[id]
name=my repo
baseurl=http://example.com/centos/
enabled=1
to start, we need at least two devices/partitions of type “linux raid autodetect” (use fdisk to set partition type to “fd”)
create raid device:
mdadm --create /dev/md0 --level=<0|1|4|5|6|10> --raid-devices=<num> <device list>
fail disk in array:
mdadm /dev/md0 -f <device>
remove disk from array:
mdadm /dev/md0 -r <device>
add disk to array:
mdadm /dev/md0 -a <device>
stop array:
mdadm --stop /dev/md0
check raid status:
mdadm --detail /dev/md0
cat /proc/mdstat
format works as usual:
mkfs.ext3 /dev/md0
don't forget to configure /etc/fstab appropriately.
config is in /etc/sysctl.conf
# search through parameters
sysctl -a | grep <whatever>
# apply changes from config file immediately
sysctl -p
redhat config tool:
system-config-date
synchronization configuration example:
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
apply changes:
service ntpd restart
chkconfig ntpd on
verify changes:
ntpq -p
RHCEs must demonstrate the RHCT skills listed above, and should be able to:
linux rescue
manually make /dev and /proc available in chrooted mode:
mount -o bind /dev /mnt/sysimage/dev
mount -o bind /proc /mnt/sysimage/proc
check in order:
reinstall grub to mbr:
grub-install <device>
recreate initrd:
mkinitrd <filename> <kernel version>
fix corrupt filesystem:
fsck <partition>
if fsck is unable to locate a superblock, you can specify an alternative one:
dumpe2fs <partition>
fsck -b <block#> <partition>
see what's listening on what port:
netstat -ntaupe
redhat lvm config tool:
yum install system-config-lvm
system-config-lvm
create physical volume:
pvcreate <device>
create volume group:
vgcreate <name> <pv device> [pv device]
extend volume group:
vgextend <name> <pv device>
create logical volume:
lvcreate --size <size>M --name <lv name> <vg name>
extend logical volume:
lvextend --size <size>M <device>
resize2fs <device>
shrink logical volume:
resize2fs <device> <size>M
lvreduce --size <size>M <device>
remove logical volume:
lvremove <device>
enable/disable selinux in /etc/sysconfig/selinux:
SELINUX=enforcing
SELINUXTYPE=targeted
install selinux troubleshooter:
yum install setroubleshoot
service setroubleshoot start
chkconfig setroubleshoot on
install selinux management tool:
yum install policycoreutils-gui
list selinux errors:
sealert -a /var/log/audit/audit.log | less
launch gui browser:
sealert -b
list selinux booleans:
getsebool -a
set selinux boolean:
setsebool -P <boolean>=<0|1>
list security contexts:
ls -Z <file>
change security contexts:
# using reference (copy contexts from existing known-good file)
chcon -R --reference <old file> <new file>

# manual
chcon -R -u <user> <file>
chcon -R -t <type> <file>
RHCEs must demonstrate the RHCT-level skills listed above, and they
must be capable of configuring the following network services. For each
of these services, RHCEs must be able to:
yum install httpd mod_ssl
make new DocumentRoot match default DocumentRoot (this applies to any directory that apache will serve files from):
chcon -R --reference /var/www /www
chkconfig httpd on
self-signed ssl cert:
cd /etc/pki/tls/certs
rm localhost.crt
make testcert
check virtual host config:
httpd -D DUMP_VHOSTS
firewall config:
protocol | ports |
---|---|
tcp | 80, 443 |
hosts are allowed by default and must be explicitly denied:
<Directory /var/www/html>
  Order deny,allow
  Deny from 192.168.0.0/255.255.255.0
  Deny from badguys.example.com
</Directory>
hosts are denied by default and must be explicitly allowed:
<Directory /var/www/html>
  Order allow,deny
  Allow from 192.168.0.0/255.255.255.0
  Allow from goodguys.example.com
</Directory>
create web password file:
htpasswd -c /etc/httpd/webusers testuser1
htpasswd /etc/httpd/webusers testuser2
create web group file (/etc/httpd/webgroups):
testgroup: testuser1 testuser2
allow access by group:
<Directory /var/www/html>
  AuthType Basic
  AuthName "top secret area"
  AuthUserFile /etc/httpd/webusers
  AuthGroupFile /etc/httpd/webgroups
  Require group testgroup
</Directory>
test http/https:
elinks <http|https>://<hostname>/[path]
yum install samba samba-client
allow samba to share home directories:
setsebool -P samba_enable_home_dirs=1
mark a directory as sharable with samba:
chcon -R -t samba_share_t <directory>
chkconfig smb on
redhat samba config tool:
yum install system-config-samba
system-config-samba
set workgroup/domain:
workgroup = <workgroup>
security modes:
# connections check local pwdb (default)
security = user

# member server on a domain, uses pwdb on a dc
security = domain
workgroup = EXAMPLE

# member server on an ad domain using kerberos, uses pwdb on a dc
security = ads
realm = EXAMPLE.COM
password server = kerberos.example.com

# used when samba was not capable of being a domain member server (DO NOT USE)
security = server
encrypt passwords = yes
password server = <netbios name of dc>

# each share requires a password (DO NOT USE)
security = share
share options:
[<share name>]
# path for share
path = <path>

# share is visible
browseable = <yes|no>

# rw enabled
writeable = <yes|no>

# this is a shared printer
printable = <yes|no>

# all users connecting to this share use <group> as their primary group
group = <group name>
join domain:
net rpc join -U root
fstab example:
//<hostname>/<share> <mountpoint> cifs user=<username>,pass=<password> 0 0
mount.cifs and umount.cifs need to be chmod'ed u+s in order to be used by non-root users
firewall config:
protocol | ports |
---|---|
tcp | 139, 445 |
udp | 137, 138 |
hosts allow/deny can be used per-server or per-share:
hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0
account maintenance:
# add account (local linux account must exist first, or be translated via /etc/samba/smbusers):
smbpasswd -a <username>

# enable/disable account:
smbpasswd -e <username>
smbpasswd -d <username>

# remove account:
smbpasswd -x <username>
service smb reload may be needed after account changes
share access:
valid users = <user1> @<group1>
list shares:
smbclient -L <hostname> -U <username>
browse shares:
smbclient //<hostname>/<share> -U <username>
test allow/deny statements for a host:
testparm /etc/samba/smb.conf <hostname> <ip address>
yum install portmap nfs-utils
chkconfig portmap on
chkconfig nfs on
chkconfig nfslock on
chkconfig netfs on
redhat config tool:
yum install system-config-nfs
system-config-nfs
format of /etc/exports:
<mountpoint> <host>(<options>) [<host>(<options>) ...]
activate new exports:
/etc/init.d/nfs restart
edit /etc/sysconfig/nfs and restart nfs to set static ports
firewall config:
# see ports
rpcinfo -p
host based security is intrinsic to the format of the exports file
use standard file permissions
list exports:
showmount -e <host>
yum install vsftpd
allow local users to log in and cd into home directories:
setsebool -P ftp_home_dir=1
chkconfig vsftpd on
firewall config:
protocol | ports |
---|---|
tcp | 21 |
ftp data transfers will not work unless ip_conntrack_ftp is added to IPTABLES_MODULES in /etc/sysconfig/iptables-config
tcp_wrappers example:
vsftpd : 192.168.0.
test ftp:
ftp <server>
yum install squid
allow squid to connect to the network (this is recommended, but was not needed in my testing):
setsebool -P squid_connect_any=1
chkconfig squid on
firewall config:
protocol | ports |
---|---|
tcp | 3128 |
allow access from local networks:
acl our_networks src 192.168.1.0/24 192.168.2.0/23
http_access allow our_networks
test proxy:
HTTP_PROXY=<server>:3128 elinks
yum install postfix
alternatives --config mta
service sendmail stop
chkconfig postfix on
listen on public interfaces:
inet_interfaces = all
specify all destination hostnames/domains:
mydestination = <hostname1>, <hostname2>, ...
specify origin domain:
myorigin = $mydomain
local aliases in /etc/aliases (don't forget to run newaliases to apply changes):
<alias>: <user1>[, user2]
virtual aliases in /etc/postfix/virtual (don't forget to run postmap /etc/postfix/virtual to apply changes):
<virtual alias> <user>
enable virtual aliases:
virtual_alias_maps = hash:/etc/postfix/virtual
outbound address rewriting in /etc/postfix/generic (don't forget to run postmap /etc/postfix/generic to apply changes):
<user> <outbound alias>
enable outbound aliases:
smtp_generic_maps = hash:/etc/postfix/generic
firewall config:
protocol | ports |
---|---|
tcp | 25 |
use smtp auth?
test smtp:
telnet <server> 25
yum install dovecot
chkconfig dovecot on
enable protocols:
protocols = <protocol list>
create custom ssl cert:
nano -w /etc/pki/dovecot/dovecot-openssl.cnf
/usr/share/doc/dovecot-*/examples/mkcert.sh
service dovecot restart
use ipchains with -[!]s option
protocol | ports |
---|---|
tcp | 143, 110, 995, 993 |
use pam_listfile in /etc/pam.d/dovecot
test mailbox access:
mutt -f <imap|imaps|pop|pops>://<user>@<server>
yum install openssh-server
chkconfig sshd on
allow/deny user access:
AllowUsers user1 user2 user3@example.com
DenyUsers user4 user5 user6@example.com
firewall config:
protocol | ports |
---|---|
tcp | 22 |
tcp_wrappers example:
sshd : 192.168.0.
test logging in:
ssh <user>@<server>
yum install bind-chroot caching-nameserver
chkconfig named on
copy sample config:
cp -a /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.conf
caching-only nameserver:
slave nameserver:
firewall config:
protocol | ports |
---|---|
tcp | 53 |
udp | 53 |
allow-query example:
allow-query { 192.168.0.0/16; localnets; };
N/A
test query:
dig @<server> <domain>
test zone transfer:
dig @<server> <domain> axfr
yum install ntp
chkconfig ntpd on
firewall config:
protocol | ports |
---|---|
udp | 123 |
allow other servers to sync with us:
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
N/A
show peers:
ntpq -p
RHCEs must also be able to:
yum install system-config-kickstart
ks=floppy:/ks.cfg
ks=cdrom:/ks.cfg
ks=http://example.com/ks.cfg
ks=nfs:example.com:/ks.cfg
do not use system-config-securitylevel, as it will overwrite your custom iptables rules. the following method seems to be the best way to go:
packet filtering example:
-A <chain> -p <tcp/udp> -m <tcp/udp> [-s[!] <source address>] --dport <destination port> -j ACCEPT
enable ip forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
to test from another machine:
ip route replace default via <ip address>
inbound dnat:
iptables -t nat -A PREROUTING -p <tcp/udp> --dport <destination port> -j DNAT --to-dest <private server>:<port>
outbound dnat:
iptables -t nat -A OUTPUT -p <tcp/udp> --dport <destination port> -j DNAT --to-dest <private server>:<port>
masquerading:
iptables -t nat -A POSTROUTING -o <outbound interface> -j MASQUERADE
snat:
iptables -t nat -A POSTROUTING -j SNAT --to-source <public server>:<port>
<module interface> <control flag> <module name> <module arguments>
module interface | description |
---|---|
auth | user authentication (e.g. verifies password, set group membership or kerberos tickets, etc.) |
account | verifies that access is allowed (e.g. expired account?, check group membership, etc.) |
password | handles password changes |
session | manages user sessions (e.g. mount home dir, create mailbox, logging, etc.) |
control flag | description |
---|---|
required | must pass, continue testing on failure |
requisite | must pass, stop testing on failure |
sufficient | failure is ignored, but if passing so far, return success at this point |
optional | pass or failure is irrelevant |
include | include another file |
allow/deny users if listed in /etc/special:
auth required pam_listfile.so onerr=success item=user sense=<allow|deny> file=/etc/special
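An added example, not from the original notes: a simplified model of the control flags in the table above, showing why the position of the pam_listfile line in the stack matters. The stack files, the `pam_eval` helper and the per-module pass/fail inputs are constructed; `include` lines are not followed.

```shell
#!/bin/sh
# Added example: simplified model of required/requisite/sufficient/optional.
# pam_eval and the sample stacks are constructed for illustration.

# pam_eval <config-file> <module interface> "<module>=<pass|fail> ..."
# Config lines use: <module interface> <control flag> <module name> <module arguments>
# Modules not named in the third argument are treated as passing.
pam_eval() {
    awk -v iface="$2" -v results="$3" '
        BEGIN {
            n = split(results, kv, " ")
            for (i = 1; i <= n; i++) { split(kv[i], p, "="); res[p[1]] = p[2] }
        }
        /^[ \t]*#/ || NF < 3 || $1 != iface { next }
        {
            flag = $2; mod = $3
            r = (mod in res) ? res[mod] : "pass"
            if (r == "fail") {
                # requisite: stop testing on failure
                if (flag == "requisite") { verdict = "failure at " mod; exit }
                # required: remember the failure, keep testing
                if (flag == "required" && !failed) failed = mod
                # sufficient/optional failures are ignored
            } else if (flag == "sufficient" && !failed) {
                # sufficient: success so far, return success at this point
                verdict = "success at " mod; exit
            }
        }
        END {
            if (verdict == "") verdict = failed ? "failure (" failed " failed)" : "success"
            print verdict
        }
    ' "$1"
}

# write_pam_samples <directory>: two constructed auth stacks that differ only in order.
write_pam_samples() {
    cat > "$1/listfile-first" <<'EOF'
auth     required    pam_listfile.so onerr=success item=user sense=deny file=/etc/special
auth     sufficient  pam_unix.so
auth     required    pam_deny.so
account  required    pam_unix.so
EOF
    cat > "$1/listfile-late" <<'EOF'
auth     sufficient  pam_unix.so
auth     required    pam_listfile.so onerr=success item=user sense=deny file=/etc/special
auth     required    pam_deny.so
account  required    pam_unix.so
EOF
}

# Demo: a user listed in /etc/special (pam_listfile fails) who knows the password.
demo_dir=$(mktemp -d)
write_pam_samples "$demo_dir"
listed_user="pam_listfile.so=fail pam_deny.so=fail"
for stack in listfile-first listfile-late; do
    printf '%-15s %s\n' "$stack" "$(pam_eval "$demo_dir/$stack" auth "$listed_user")"
done
rm -rf "$demo_dir"
```

With the pam_listfile line below a `sufficient` module, the deny list is never consulted for a user whose password is correct.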
file format:
<daemon list> : <client list> [except <client list>] [: <option>]
search order:
searching stops on first match
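An added example, not from the original notes: a subset of the hosts_access matching rules (ALL, exact address, trailing-dot prefix) that shows how first-match evaluation treats the `sshd : 192.168.0.` entry used earlier. It assumes the standard order of hosts.allow, then hosts.deny, then allow by default; the helper names, file names and client addresses are constructed.

```shell
#!/bin/sh
# Added example: first-match evaluation of tcp_wrappers rules (subset only:
# ALL, exact address, "192.168.0." style prefixes; no EXCEPT, hostnames or options).

# tcpw_match <rules-file> <daemon> <client-ip>: exit status 0 if any rule matches.
tcpw_match() {
    [ -r "$1" ] || return 1          # a missing file behaves like an empty one
    awk -F: -v d="$2" -v c="$3" '
        function in_list(list, item, prefix_ok,    n, i, a, p) {
            n = split(list, a, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                p = a[i]
                if (p == "") continue
                if (p == "ALL" || p == item) return 1
                # a pattern ending in "." matches any address that starts with it
                if (prefix_ok && p ~ /\.$/ && index(item, p) == 1) return 1
            }
            return 0
        }
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        in_list($1, d, 0) && in_list($2, c, 1) { found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# tcpw_decide <allow-file> <deny-file> <daemon> <client-ip>
# hosts.allow is searched first, then hosts.deny; no match anywhere means allow.
tcpw_decide() {
    if tcpw_match "$1" "$3" "$4"; then
        echo "allow (hosts.allow)"
    elif tcpw_match "$2" "$3" "$4"; then
        echo "deny (hosts.deny)"
    else
        echo "allow (default)"
    fi
}

# write_tcpw_samples <directory>: constructed rule files for the demo.
write_tcpw_samples() {
    printf '%s\n' 'sshd : 192.168.0.' 'vsftpd : 192.168.0.' > "$1/hosts.allow"
    : > "$1/hosts.deny.empty"
    printf '%s\n' 'ALL : ALL' > "$1/hosts.deny.all"
}

# Demo: the allow entries alone restrict nothing until hosts.deny has a catch-all.
demo_dir=$(mktemp -d)
write_tcpw_samples "$demo_dir"
for deny in hosts.deny.empty hosts.deny.all; do
    for ip in 192.168.0.10 10.0.0.5; do
        printf '%-17s sshd %-13s %s\n' "$deny" "$ip" \
            "$(tcpw_decide "$demo_dir/hosts.allow" "$demo_dir/$deny" sshd "$ip")"
    done
done
rm -rf "$demo_dir"
```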