User:Tom/RHCE EX300-2: Difference between revisions
Revision as of 20:40, 18 July 2017
25 Configuring Kerberos
KDC: Key Distribution Center. A central key server that issues tickets.
Realm: All hosts that use the same KDC to get tickets.
TGT: Ticket Granting Ticket.
Principal name: nfs/server.example.com@EXAMPLE.COM
User name: tom@EXAMPLE.COM
Using nslcd or sssd as Authentication Backend Service
Verify that the sssd packages are installed before using the authconfig utilities. When a GUI is used, sssd is used by default. Use yum group install "Directory Client" to install sssd and related packages. Start sssd before using the authconfig utilities.
/etc/sysconfig/authconfig
FORCELEGACY=no Switch off nslcd.
USESSSD=yes
USESSSDAUTH=yes
Commands
authconfig Configure LDAP authentication with Kerberos authorization.
authconfig --test Get an overview of the current configuration and see which services are used.
authconfig-tui
authconfig-gtk
kinit Obtain and cache a Kerberos ticket-granting ticket.
klist List cached Kerberos tickets.
Files
/etc/krb5.keytab Needed by a server hosting Kerberized services. Contains names of all service principals on that server.
/etc/nslcd.conf Alternative for sssd.
/etc/nsswitch.conf
/etc/openldap/cacerts Stores root certificate authorities
/etc/openldap/ldap.conf LDAP client configuration
/etc/pam.d/
/etc/sssd/sssd.conf Daemon used for retrieving and caching user and authentication information.
Install sssd before using the authconfig utilities (yum group install "Directory Client").
/etc/sysconfig/authconfig
Packages
pam_krb5 krb5-workstation
26 iSCSI
Commands
targetcli
firewall-cmd --add-service iscsi-target --permanent
firewall-cmd --reload
systemctl start target
systemctl enable target
iscsiadm
Files
Packages
targetcli (target)
iscsi-initiator-utils (initiator), lsscsi
30 Routing and Networking
Commands
IPv6 Addresses / Networks
::1/128 Local host.
:: All addresses.
::/0 The default route.
2000::/3 Global unicast address.
fc00::/7 Unique local address.
fe80::/64 Link-local address.
ff00::/8 Multicast.
2001:db8::/32 Addresses reserved for use in documentation.
man 5 nmcli-examples Examples how to create a team interface
man -k team
nmcli con add type team con-name team0 config '{"runner": {"name": "loadbalance"}}'
nmcli con mod team0 ipv4.addresses 192.168.122.131/24
nmcli con add type team-slave ifname eth1 master team0
nmcli con add type team-slave ifname eth2 master team0
nmcli con show eth1 Shows detailed IP configuration (for example: ipv4.addresses)
nmcli con add con-name eth1 type ethernet ifname eth1 ip6 2001:db8:0:1::100/64 gw6 2001:db8:0:1::1 ip4 192.168.122.131/24 gw4 192.168.122.1
nmcli con mod eth1 ipv6.addresses "2001:db8:0:1::1"
nmcli con mod eth1 +ipv6.addresses "2001:db8:0:2::1"
nmcli con up team0
nmcli con show
teamdctl team0 state
teamdctl team0 state view
teamnl team0 options
ip link show
ip route show
Files
/etc/sysconfig/network-scripts/ifcfg-team0
/etc/sysconfig/network-scripts/ifcfg-team-slave-eth[12]
/etc/sysctl.d/forwarding.conf (net.ipv4.ip_forward = 1) Enable forwarding to configure the server as a router.
32 Advanced Firewall Configuration
Basic ordering rules within zones:
- Direct rules
- Port forwarding and masquerading
- Logging rules
- Allow rules
- Deny rules
For NAT the server needs to be configured as a router: /proc/sys/net/ipv4/ip_forward = 1
Two types of NAT:
- Masquerading: the IP address of a node is replaced by the IP address of the NAT router.
- Port forwarding: the NAT router redirects all traffic to a public port on the NAT router to another port, and possibly another host, on the private network. Masquerading needs to be activated for port forwarding to another host.
Commands
firewall-cmd --reload
firewall-cmd --get-services Shows all services which are stored in /usr/lib/firewalld/services and /etc/firewalld/services
firewall-cmd --add-rich-rule='rule'
firewall-cmd --remove-rich-rule='rule'
firewall-cmd --query-rich-rule='rule'
firewall-cmd --list-rich-rules
firewall-cmd --add-forward-port
firewall-cmd --add-rich-rule='rule' --timeout=xx Lifetime (in seconds) of the rich rule; the rule is removed automatically when the timeout expires.
man firewalld.richlanguage Shows rich language examples
Files
/etc/firewalld/services /usr/lib/firewalld/services
33 Advanced Apache services
- Apache basics
- Apache SELinux related settings
- Write access to DocumentRoot
- Configuring TLS Security
- Deploying CGI Applications PHP, Python
- Configuring Private Directories
SELinux settings
httpd_sys_content_t Context type. Set on directories that Apache is allowed to read.
httpd_sys_rw_content_t Context type. Set on directories that Apache is allowed read/write access to.
httpd_sys_script_exec_t Context type. Used for directories that contain executable scripts.
httpd_unified Boolean. Unifies the handling of all httpd content files. Disabled by default. Switch on for relaxed access.
httpd_enable_cgi Boolean. On by default, allows Apache to run scripts.
httpd_tty_comm Boolean. Determines whether Apache is allowed access to a tty. Switch on if you use TLS private keys that prompt for a password on startup.
Commands
semanage fcontext -at httpd_sys_content_t "/var/www/html(/.*)?" restorecon -Rv /var/www/html
setfacl -R -m g:development:rwX /var/www/html Give the development group write access (-R recursive, -m modify the ACL from the command line).
setfacl -R -m d:g:development:rwx /var/www/html Default ACL, inherited by files created later.
man semanage-fcontext Examples
yum install httpd-manual
elinks http://localhost/manual
SSL/TLS Encryption
yum search TLS
yum install mod_ssl Creates /etc/httpd/conf.d/ssl.conf
curl -L --insecure https://www.roggeware.nl Verify https. --insecure skips certificate validation, so this only checks that TLS is being served, not that the certificate is trusted.
yum install mod_php For dynamic PHP content
yum install mod_wsgi
Files
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/ssl.conf TLS security
/etc/pki/tls/certs/www-roggeware-nl.ca-bundle Root CA
/etc/pki/tls/certs/www-roggeware-nl.crt Certificate (public key)
/etc/pki/tls/private/www-roggeware-nl.key Private key
/usr/share/doc/mod_wsgi Documents about WSGI configuration
...
34 DNS
Unbound is the preferred package.
Key unbound.conf settings: interface, access-control, forward-zone.
forward-zone:
name: "."
forward-addr: 192.168.x.x
dig +dnssec DNSKEY rhatcert.com
Commands
yum install unbound
systemctl start unbound
systemctl enable unbound
firewall-cmd --add-service dns --permanent
man unbound
man unbound.conf
unbound-checkconf
nmtui
nmcli
Files
/etc/resolv.conf /etc/unbound/unbound.conf
35 MariaDB
yum install mariadb mariadb-server mariadb-test
systemctl start mariadb
systemctl enable mariadb
firewall-cmd --add-service mysql --permanent
mysql_secure_installation
/usr/libexec/mysqld --help --verbose Information about all the settings
show databases;
use dbname;
create database dbname;
create table tablename (name varchar(40), place varchar(40));
describe tablename;
delete from tablename where field = 'value';
update tablename set field = value where field2 = 'value';
insert into tablename (field1, field2) values ('value1', 'value2');
where clause operators: = <> > >= < <= BETWEEN LIKE IN
create user username@'localhost' identified by 'password';
drop user 'username'@'localhost';
grant select,update,delete,insert on *.* to username@'localhost';
grant all privileges on ...
mysqldump -u root -p --databases databasename > dumpfile
drop database databasename;
create database databasename;
mysql -u root -p databasename < dumpfile
Files
/etc/my.cnf /etc/my.cnf.d
36 NFS
Selinux for NFSv4
nfs_t Allows the NFS server to access the share.
public_content_t Allows the NFS server (and other services such as Samba, FTP and web) read access.
public_content_rw_t Allows the NFS server read/write access.
NFSv4 Kerberos Authentication
Add sec=method to the share in /etc/exports. The following methods are available:
- none Anonymous access is allowed. All access is based on the user nfsnobody. If this user needs write access as well, also activate the SELinux boolean nfsd_anon_write.
- sys Default security. User access is based on UID and GID values.
- krb5 NFS clients prove their identity using a Kerberos keytab file. To access files in the NFS share the user needs to initialize a Kerberos session as well, otherwise no access to the files is allowed.
- krb5i Same as krb5 with an added cryptographic integrity guarantee that data is untampered.
- krb5p Same as krb5i with added encryption.
To establish a Kerberized session:
- /etc/krb5.keytab. Contains the security principals for both the NFS server and the NFS client, and is required to join the Kerberos realm. Use klist -k to verify the contents of the keytab file.
- A Kerberized user session: after configuring remote authentication against a Kerberos server, the login procedure is already Kerberized and no additional action is needed. Use the klist command to verify this. If klist does not show any Kerberos credentials, a Kerberized session can be established manually with kinit.
- The sec=method option, both in the share definition and in the mount options.
- The nfs-server as well as the nfs-secure-server services must be active on the NFS server. Since RHEL 7.1 these services are loaded automatically.
- The nfs-secure service must be loaded on the client. Since RHEL 7.1 this service is loaded automatically.
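As an added example (not part of these notes), a POSIX shell function that reads an /etc/exports file and reports the sec= flavour of every client entry, flagging writable exports that still rely on sys or none; the exports content it checks is constructed from the two share definitions used in this section.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an /etc/exports file for
# writable exports that are not protected by a Kerberos security flavour.
# Exports without an explicit sec= option use the default flavour, sys; a sec=
# value may list several flavours separated by colons (e.g. krb5p:krb5i).
# Prints "<path> <client> <sec> <rw|ro>" per client entry and returns 1 when a
# writable export allows sys or none, 0 otherwise.
audit_exports() {
    set -f                  # no globbing: client specs like '*' stay literal
    rc=0
    while read -r path clients; do
        case $path in ''|'#'*) continue ;; esac          # blank lines and comments
        for entry in $clients; do
            case $entry in
                *\(*) client=${entry%%\(*}; opts=${entry#*\(}; opts=${opts%\)} ;;
                *)    client=$entry; opts='' ;;
            esac
            sec=sys; mode=ro
            old_ifs=$IFS; IFS=,
            for o in $opts; do
                case $o in
                    sec=*) sec=${o#sec=} ;;
                    rw)    mode=rw ;;
                    ro)    mode=ro ;;
                esac
            done
            IFS=$old_ifs
            printf '%s %s %s %s\n' "$path" "$client" "$sec" "$mode"
            case ":$sec:" in                 # weak if any listed flavour is sys or none
                *:sys:*|*:none:*) if [ "$mode" = rw ]; then rc=1; fi ;;
            esac
        done
    done < "$1"
    set +f
    return $rc
}

# Constructed sample, mirroring the two share definitions in this section
write_sample_exports() {
    printf '%s\n' '# constructed sample exports' '/srv/nfsexport *(rw)' \
        '/secureshare *(sec=krb5p,rw)' '/pub 192.168.122.0/24(ro,sec=sys)' > "$1"
}

if [ "${1:-}" = demo ]; then
    f=$(mktemp); write_sample_exports "$f"
    audit_exports "$f" || echo "WARNING: writable export without Kerberos protection"
    rm -f "$f"
fi
```

Run with the argument demo to see the report for the constructed file; point audit_exports at a real /etc/exports to check a server.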
Commands
man exports Documents the NFS server export table (with examples).
semanage fcontext -a -t nfs_t "/srv/nfsexport(/.*)?"
getsebool -a
setsebool -P boolean
systemctl start nfs-server
systemctl enable nfs-server
systemctl start/enable nfs-secure-server For Kerberos
restorecon -Rv /etc/krb5.keytab
ls -lZ /etc/krb5.keytab
firewall-cmd --add-service nfs --permanent
firewall-cmd --reload
exportfs -v
showmount -e server Show mount information for the NFS server on server. Also refers to rpc and mountd
kinit username
klist -k
Files
/etc/exports: /srv/nfsexport *(rw)
/etc/exports: /secureshare *(sec=krb5p,rw)
/etc/fstab: server.roggeware.nl:/srv/nfsexport /mnt/nfs nfs _netdev 0 0
Packages
nfs-utils
37 Samba
Securing Samba
samba_share_t Gives Samba read and write access to this directory and below.
public_content_t Gives Samba and other services read-only access.
public_content_rw_t Gives Samba and other services read-write access. Needs an additional boolean.
smbd_anon_write Allows write access for Samba anonymous users. Required for public_content_rw_t.
samba_enable_home_dirs Allows Samba to share home directories.
use_samba_home_dirs Allows remote SMB file shares to be mounted and used as local home directories.
Samba Firewalling
A firewalld samba service is available. Opens ports 137-139 and 445.
Add to /etc/samba/smb.conf
security = ADS
realm = KERBEROS_REALM
encrypt passwords = yes
kerberos method = secrets and keytab
password server = kerberos.example.com
Create credentials file /root/smbusers
username=lisa password=lisa
Add line in /etc/fstab
//servername/sambashare /mnt/lisa cifs credentials=/root/smbusers,_netdev 0 0
Multiuser Samba mount
Commands
yum install samba samba-client cifs-utils
systemctl enable smb
systemctl start smb
useradd -s /sbin/nologin lisa Add a Samba user, no login needed/possible.
groupadd groupname
usermod -aG groupname lisa
semanage fcontext -at samba_share_t "/sambashare(/.*)?"
restorecon -Rv /sambashare
getsebool -a Show all SELinux booleans.
setsebool -P smbd_anon_write 1 Set boolean permanently.
seinfo -t
smbpasswd -h
smbclient -L //servername
testparm
mount -o user=username //servername/sambashare /mnt
klist -k List keys in the keytab file
man mount.cifs credentials= option
man cifscreds
man firewalld.richlanguage
man semanage-fcontext
Files
/etc/samba/smb.conf
/usr/lib/firewalld/services/samba.xml
/etc/krb5.keytab Mode 600, owner root:root
Packages
samba samba-client cifs-utils
38 SMTP Server
The RHCE objective wants you to create a null client. Such a client is not capable of receiving any messages, but has all the configuration that is needed to send mail messages to other hosts.
Configure on the null client:
relayhost
inet_interfaces = loopback-only
mynetworks
mydestination =
Essential postfix parameters:
inet_interfaces Interfaces on which Postfix will offer services.
myorigin Allows you to rewrite posted email to come from a specific domain instead of $myhostname.
relayhost Specifies which central mail server to forward messages to.
mydestination Domains handled by this server. Mail addressed to a domain not listed is rejected.
local_transport Specifies what to use for local mail delivery.
inet_protocols Specifies which protocols to use for delivery.
mynetworks Space-separated list of networks that are allowed to relay.
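As an added example (not part of these notes), a POSIX shell check that reads a Postfix main.cf and verifies the three null-client settings above; the two sample configurations are constructed, and the fallback values for parameters that are not set are the Postfix defaults.

```shell
#!/bin/sh
# Added example, not from the original notes: check a Postfix main.cf for the
# null-client settings. Like Postfix, the last assignment of a parameter wins;
# unset parameters fall back to the Postfix defaults noted below.
# Prints one FAIL line per violated setting and returns their count.
null_client_check() {
    relayhost=''
    inet_interfaces='all'                                         # Postfix default
    mydestination='$myhostname, localhost.$mydomain, localhost'   # Postfix default
    tab=$(printf '\t')
    while IFS= read -r line; do
        case $line in
            ''|\#*|' '*|"$tab"*) continue ;;     # blank, comment or continuation line
            *=*) ;;
            *) continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d " $tab")
        val=$(printf '%s' "${line#*=}" | sed "s/^[ $tab]*//; s/[ $tab]*\$//")
        case $key in
            relayhost)       relayhost=$val ;;
            inet_interfaces) inet_interfaces=$val ;;
            mydestination)   mydestination=$val ;;
        esac
    done < "$1"
    fails=0
    if [ -z "$relayhost" ]; then
        echo "FAIL relayhost is empty: mail is delivered directly instead of via the central mail server"
        fails=$((fails + 1))
    fi
    if [ "$inet_interfaces" != loopback-only ]; then
        echo "FAIL inet_interfaces = $inet_interfaces: smtpd is reachable from the network"
        fails=$((fails + 1))
    fi
    if [ -n "$mydestination" ]; then
        echo "FAIL mydestination = $mydestination: the host still accepts mail for local delivery"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample configurations: a correct null client and a stock-like main.cf
write_null_client_cf() {
    printf '%s\n' 'relayhost = [server4.example.com]' 'inet_interfaces = loopback-only' \
        'mynetworks = 127.0.0.0/8 [::1]/128' 'mydestination =' > "$1"
}
write_default_cf() {
    printf '%s\n' '# stock configuration' 'inet_interfaces = all' \
        'mydestination = $myhostname, localhost.$mydomain, localhost' > "$1"
}
```

On a real host, run null_client_check against the output of postconf -n written to a file, which already folds in the defaults of any parameter you set explicitly.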
Commands
postconf -e Edit a Postfix parameter
postconf -e 'myorigin = $mydomain'
postconf -e 'relayhost=[server4.example.com]'
postfix check Check the contents of the /etc/postfix/main.cf file
postqueue -f Flush the mail queue
postqueue -p Display the mail queue
systemctl reload postfix
man 5 postconf Complete overview of Postfix parameters
Files
/etc/postfix/main.cf /var/log/maillog
39 Configure SSH
semanage port, man sshd_config, ssh-agent, ssh-add, ssh tunnel.
Commands
semanage port -l List all port definitions.
man semanage-port man sshd_config
ssh -fNL 3333:server.roggeware.nl:80 root@server2.roggeware.nl Local port forwarding: connections to local port 3333 are tunnelled through server2 to port 80 on server.roggeware.nl. -f run in the background, -N start no remote command.
Files
/etc/ssh/sshd_config
40 Time synchronisation
/etc/chrony.conf directives: server, peer, allow.
Chronyd daemon, chronyc command. ntp port 123. start, enable, firewall-cmd --add-service
Commands
chronyc help
chronyc sources -v Shows the current servers that chrony is synchronizing with.
chronyc tracking Detailed information about the current local time configuration.
chronyc sourcestats Detailed information about the state of the remote servers.
Files
/etc/chrony.conf /etc/chrony.keys
List commands
getsebool -a List all selinux booleans
seinfo SELinux policy query tool
--all
-r List all roles
-t List all types (*-t)
-u List all users
semanage boolean --list List SELinux booleans with comments
semanage fcontext -l List all current rules