User:Tom/RHCE EX300-2

From RoggeWiki

00 Lab configuration

rhceipa.example.com  192.168.4.200
rhce1.example.com    192.168.4.210
rhce2.example.com    192.168.4.220
dns                  192.168.4.200
gateway              192.168.4.2

25 Configuring Kerberos

Account information: Information such as username and home directory. Typically LDAP is used here.

Authentication information: Needed to validate that a user is who he claims to be. Done by an authentication protocol such as Kerberos.


KDC     Key Distribution Center. A central key server. Issues tickets.
Realm   All hosts that use the same KDC to get tickets.
TGT     Ticket Granting Ticket
Kerberos Basics

Kerberos authentication is based on tickets. These tickets are secured with encryption. Tickets are used as an alternative to transmitting passwords across the network. Tickets are sent over the network and encrypted with the user password.

Tickets are issued by a central server, the KDC (Key Distribution Center). A realm consists of all hosts that use the same KDC to get tickets. The DNS domain of the Kerberos site, written in capitals, is used as the Kerberos realm name.

Kerberos is not just used for user authentication. Applications running on hosts can also use Kerberos for secure access. Such a host is called an application server. Each application server and each user has an identity in Kerberos, with a password associated with it. The KDC knows the passwords of all users and servers.

Kerberos Principals

Users and services have Kerberos Principals. Services store their password in the keytab file, which allows the server to log in to Kerberos without human intervention. If a server is hosting Kerberized services, it needs to have the file /etc/krb5.keytab, which contains the names of all service principals on that server, in addition to the password.

Principal name nfs/server.example.com@EXAMPLE.COM
User name      tom@EXAMPLE.COM
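
Added example (not part of the wiki page): a small POSIX shell parser for the principal format shown in the table above, plus a filter over klist -k style output that lists only the service principals in a keytab. The principal names and the keytab listing are constructed samples, and the helper names (parse_principal, principal_kind, keytab_services) are assumptions of this example, not Red Hat tooling.

```shell
#!/bin/sh
# Added example (not from the wiki page): split a Kerberos principal into
# primary, instance and realm and classify it. Service principals look like
# nfs/server.example.com@EXAMPLE.COM, user principals like tom@EXAMPLE.COM,
# and admin principals like root/admin@EXAMPLE.COM (see the kadmin.local
# recipe further down the page). All sample principals here are constructed.

# parse_principal PRINCIPAL
# Prints "primary instance realm kind" (instance is "-" when absent);
# returns 1 for a malformed principal.
parse_principal() {
    princ=$1
    case $princ in
        *@*) ;;
        *) printf 'no realm in %s\n' "$princ" >&2; return 1 ;;
    esac
    realm=${princ##*@}
    name=${princ%@*}
    # A realm is the DNS domain written in capitals; a lower-case realm is
    # almost always a typo in krb5.conf or on the kinit command line.
    case $realm in
        '') printf 'empty realm in %s\n' "$princ" >&2; return 1 ;;
        *[[:lower:]]*) printf 'realm %s is not upper-case\n' "$realm" >&2; return 1 ;;
    esac
    case $name in
        '') printf 'empty principal name in %s\n' "$princ" >&2; return 1 ;;
        */admin) primary=${name%%/*}; instance=admin; kind=admin ;;
        */*)     primary=${name%%/*}; instance=${name#*/}; kind=service ;;
        *)       primary=$name; instance=-; kind=user ;;
    esac
    printf '%s %s %s %s\n' "$primary" "$instance" "$realm" "$kind"
}

# principal_kind PRINCIPAL: prints only the kind (user, service or admin).
principal_kind() {
    parse_principal "$1" | cut -d' ' -f4
}

# Constructed 'klist -k' output; a real keytab would be read with klist -k.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rhce1.example.com@EXAMPLE.COM
   2 nfs/rhce1.example.com@EXAMPLE.COM
   3 tom@EXAMPLE.COM
EOF
}

# keytab_services < klist-output: print the service principals only.
keytab_services() {
    # data rows start with the numeric KVNO; header lines do not
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | while read -r p; do
        case $(principal_kind "$p") in
            service) printf '%s\n' "$p" ;;
        esac
    done
}

parse_principal nfs/server.example.com@EXAMPLE.COM
parse_principal tom@EXAMPLE.COM
sample_klist | keytab_services
```

Feed keytab_services the real output of klist -k on an NFS server to confirm that the host/ and nfs/ principals the share needs are present before testing a sec=krb5 mount.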
Configuring LDAP Authentication with Kerberos Authorization

authconfig-tui can be used. Several configuration files are involved.

Using nslcd or sssd as Authentication Backend Service

Verify that the sssd packages are installed before using the authconfig utilities. When a GUI is used, sssd is the default backend. Use yum group install "Directory Client" to install sssd and related packages. Start sssd before using the authconfig utilities.

Recipe:

Set up external authentication

  • yum groups install "Directory Client"
  • mkdir /etc/openldap/cacerts
  • copy certificate to /etc/openldap/cacerts/.
  • Edit /etc/sysconfig/authconfig and set the following:
/etc/sysconfig/authconfig
FORCELEGACY=no                Switch off nslcd.
USESSSD=yes
USESSSDAUTH=yes
  • Start authconfig-tui and select "Cache Information", "Use LDAP" and "Use LDAP Authentication".
  • In the LDAP Settings screen select "Use TLS" and specify Server labipa.example.com and Base DN dc=example,dc=com.
  • Complete the setup procedure in authconfig-tui.
  • Do cat /etc/sssd/sssd.conf to verify the configuration has been committed.
  • systemctl restart sssd
  • Do su - ldapuser1 and type id. This will show that you are currently logged in as user ldapuser1.

After configuring LDAP authentication you can now enable Kerberos authentication as well.

  • Start authconfig-tui
  • yum install pam_krb5 krb5-workstation to install the packages that add Kerberos support.
  • Select "Use Kerberos"
  • In the Kerberos Settings Screen, enter the following:
Realm:              EXAMPLE.COM
KDC:              labipa.example.com
Admin Server:     labipa.example.com

Or you can set "Use DNS to Resolve Hosts to Realms" and "Use DNS to Locate KDCs for Realms". This option uses the DNS SRV resource records that Kerberos creates in DNS and makes it easy to find information about these services as well.

  • At the prompt, type kinit admin as root. When prompted provide the password of the admin user on the labipa server. This verifies that the host can authenticate and shows that Kerberos authentication configuration is correct.
  • Now that you know the host can authenticate, type kinit ldapuser1 and enter the password. This proves that Kerberos authentication works correctly.
Commands
authconfig                Configure LDAP authentication with Kerberos authorization.
authconfig --test         Get an overview of the current configuration and see what services are used.
authconfig-tui
authconfig-gtk
kinit                      Obtain and cache a Kerberos ticket-granting ticket.
klist                      Lists cached Kerberos tickets.
Files
/etc/krb5.keytab             Needed by a server hosting Kerberized services. Contains names of all service principals on that server.
/etc/nslcd.conf              Alternative for sssd.
/etc/nsswitch.conf 
/etc/openldap/cacerts        Stores root certificate authorities
/etc/openldap/ldap.conf      LDAP client configuration. Specifies which LDAP user is used.
/etc/pam.d/
/etc/sssd/sssd.conf          Daemon used for retrieving and caching user and authentication information.
                             Install the sssd service before using the authconfig utilities (yum group install "Directory Client").
/etc/sysconfig/authconfig    

Packages
pam_krb5
krb5-workstation

26 iSCSI

An iSCSI Target provides storage which is accessed by an iSCSI Initiator.

Using command targetcli, create:

  • backstore
  • iscsi iqn for target
  • Create portal (on releases before RHEL 7.1 the portal is not created automatically; check /etc/redhat-release)
  • Create lun
  • Create acl iqn

Using command iscsiadm:

  • Edit /etc/iscsi/initiatorname.iscsi and restart iscsid
  • iscsiadm --mode discovery
  • iscsiadm --mode node ... --login
  • iscsiadm -m session --rescan   Discover added LUNs

Mount the LV using its UUID; use blkid for a list.

Note: RHEL 7.0 has no firewalld service iscsi-target. Use --add-port=3260/tcp instead.

Commands
targetcli
iscsiadm
lsscsi
lsblk --scsi
firewall-cmd --add-service iscsi-target --permanent
firewall-cmd --reload
systemctl start target
systemctl enable target
Files
Packages
targetcli                 Target
iscsi-initiator-utils     Initiator

30 Routing and Networking

Commands
IPv6 Addresses / Networks
::1/128                        Local host.
::                             All addresses.
::/0                           Default route.
2000::/3                       Global unicast address.
fc00::/7                       Unique local address.
fe80::/64                      Link-local address.
ff00::/8                       Multicast
2001:db8::/32                  Addresses reserved for use in documentation.

Install the rpm bash-completion to enable tab completion for nmcli. nmcli works with two kinds of objects: devices and connections.

man 5 nmcli-examples           Examples how to create a team interface
man -k team     
man teamd.conf                 Describes   runner configurations          

nmcli con add type team con-name team0 config '{"runner": {"name": "loadbalance"}}'
nmcli con mod team0 ipv4.addresses 192.168.122.131/24
nmcli con add type team-slave ifname eth1 master team0
nmcli con add type team-slave ifname eth2 master team0
nmcli con edit team1
          In the editor, use help, print and describe to see (amongst other things) the runner type.
nmcli con show eth1                 Shows detailed IP configuration (for example: ipv4.addresses)
nmcli con add con-name eth1 type ethernet ifname eth1 ip6 2001:db8:0:1::100/64 gw6 2001:db8:0:1::1 ip4 192.168.122.131/24 gw4 192.168.122.1
nmcli con mod eth1 ipv6.addresses "2001:db8:0:1::1"
nmcli con mod eth1 +ipv6.addresses "2001:db8:0:2::1"        The + prefix appends an address instead of replacing the list.

nmcli con up team0
nmcli con show
nmcli con reload                Run this command after modifying the configuration files in /etc/sysconfig/network-scripts directly.
teamdctl team0 state 
teamdctl team0 state view
teamnl team0 options             
ip link show
ip route show
Files
/etc/sysconfig/network-scripts/ifcfg-team0
/etc/sysconfig/network-scripts/ifcfg-team-slave-eth[12]
/etc/sysctl.d/forwarding.conf (net.ipv4.ip_forward = 1)           Enable forwarding to configure the server as a router.

32 Advanced Firewall Configuration

Basic ordering rules within zones (DPLAD):

  • Direct rules
  • Port forwarding and masquerading
  • Logging rules
  • Allow rules
  • Deny rules


Basic syntax of a rich rule:

  • rule
  • [source] [destination]
  • [service|port|protocol|icmp-block|masquerade|forward-port]
  • [log] [audit]
  • [accept] [reject] [drop]

For NAT the server needs to be configured as a router: /proc/sys/net/ipv4/ip_forward=1

Two types of NAT:

  • Masquerading: the source IP address of a node is replaced by the IP address of the NAT router.
  • Port forwarding: the NAT router redirects all traffic to a public port on the NAT router to another port, and possibly another host, on the private network. Masquerading needs to be activated for port forwarding to another host!
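
Added example (not part of the page): shell helpers that assemble rich rules from the grammar listed above, so that a script only ever passes firewall-cmd a well-formed rule with a valid action and element. The function names and the sample addresses are this example's own assumptions; the firewall-cmd invocations appear in comments only and are not executed.

```shell
#!/bin/sh
# Added example (not from the wiki page): compose firewalld rich rules in the
# grammar rule [source] [element] [log] action from shell variables, so a
# misspelled action or unsupported element is caught before firewall-cmd
# runs. Addresses and ports below are constructed samples.

# rich_rule FAMILY SOURCE ELEMENT ACTION [log]
#   FAMILY  ipv4 | ipv6
#   SOURCE  CIDR or address, or "" for any source
#   ELEMENT service=NAME | port=NUMBER/PROTO | protocol=NAME
#   ACTION  accept | reject | drop
# Prints the rule text; returns 1 on an invalid argument.
rich_rule() {
    family=$1 source=$2 element=$3 action=$4 log=$5
    case $family in ipv4|ipv6) ;; *) printf 'bad family: %s\n' "$family" >&2; return 1 ;; esac
    case $action in accept|reject|drop) ;; *) printf 'bad action: %s\n' "$action" >&2; return 1 ;; esac
    rule="rule family=\"$family\""
    if [ -n "$source" ]; then
        rule="$rule source address=\"$source\""
    fi
    case $element in
        service=*)  rule="$rule service name=\"${element#service=}\"" ;;
        port=*/*)   p=${element#port=}
                    rule="$rule port port=\"${p%/*}\" protocol=\"${p#*/}\"" ;;
        protocol=*) rule="$rule protocol value=\"${element#protocol=}\"" ;;
        *) printf 'bad element: %s\n' "$element" >&2; return 1 ;;
    esac
    # In the zone ordering above, logging rules are processed before the
    # allow and deny rules, so a logged reject is recorded before it acts.
    if [ "$log" = log ]; then
        rule="$rule log prefix=\"$action-$family\" level=\"warning\""
    fi
    printf '%s %s\n' "$rule" "$action"
}

# forward_port_rule PORT PROTO TO_PORT [TO_ADDR]
# Forwarding to another host only works with masquerading active in the
# zone, so the helper prints that reminder on stderr.
forward_port_rule() {
    port=$1 proto=$2 to_port=$3 to_addr=$4
    rule="rule family=\"ipv4\" forward-port port=\"$port\" protocol=\"$proto\" to-port=\"$to_port\""
    if [ -n "$to_addr" ]; then
        rule="$rule to-addr=\"$to_addr\""
        printf 'note: forwarding to %s requires masquerade in the zone\n' "$to_addr" >&2
    fi
    printf '%s\n' "$rule"
}

# How a script would hand the result to firewall-cmd (shown only, not run):
#   firewall-cmd --permanent --add-rich-rule="$(rich_rule ipv4 192.168.4.0/24 service=ssh accept)"
#   firewall-cmd --permanent --add-rich-rule="$(forward_port_rule 80 tcp 8080 192.168.4.210)"
rich_rule ipv4 192.168.4.0/24 service=ssh accept
rich_rule ipv4 "" port=3260/tcp reject log
forward_port_rule 80 tcp 8080 192.168.4.210
```

Use firewall-cmd --query-rich-rule with the same string afterwards to confirm the rule that was stored is the one you generated.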
Commands
firewall-cmd --reload                        
firewall-cmd --get-services                  Shows all services which are stored in /usr/lib/firewalld/services and /etc/firewalld/services
firewall-cmd --add-rich-rule=' rule '
firewall-cmd --remove-rich-rule=' rule '
firewall-cmd --query-rich-rule=' rule '
firewall-cmd --list-rich-rules
firewall-cmd --add-forward-port
firewall-cmd --timeout='xx'                  Lifetime of the rich rule
firewall-config                              GUI, package firewall-config
firewall-cmd --help                          Help information
man firewalld.richlanguage                   Shows rich language examples
Files
/etc/firewalld/services
/usr/lib/firewalld/services

33 Advanced Apache services

  • Apache basics
  • Apache SELinux related settings
  • Write access to DocumentRoot
  • Configuring TLS Security
  • Deploying CGI Applications PHP, Python
  • Configuring Private Directories
SELinux settings
httpd_sys_content_t       Context type    Set on directories that Apache is allowed access to     
httpd_sys_rw_content_t    Context type    Set on directories that Apache is allowed read/write access to
httpd_sys_script_exec_t   Context type    Used for directories that contain executable scripts
httpd_unified             Boolean         Unifies the handling of all httpd_content files. Disabled by default. Switch to on for relaxed access
httpd_enable_cgi          Boolean         Switch on by default to allow Apache to run scripts
httpd_tty_comm            Boolean         Determines whether Apache is allowed access to a tty. Switch on if you use TLS private keys that prompt for a password on startup
Commands
genkey                                              Generate SSL certificates and certificate requests
openssl                                             Idem
semanage fcontext -at httpd_sys_content_t "/var/www/html(/.*)?"
restorecon -Rv /var/www/html
setfacl -R -m g:development:rwX /var/www/html       rwX: uppercase X sets the execute bit on directories only (and on files that already have it).
setfacl -R -m d:g:development:rwx /var/www/html     -R recursive -m modify
man semanage-fcontext                               Examples
yum install httpd-manual
elinks http://localhost/manual                      SSL/TLS Encryption 
yum search TLS
yum install mod_ssl                                 Creates /etc/httpd/conf.d/ssl.conf
yum install mod_php                                 Creates /etc/httpd/conf.d/php.conf    Enable internal PHP interpreter
curl -L --insecure https://www.roggeware.nl         Verify https
yum install mod_wsgi
htpasswd
httpd -t                                            Check syntax configuration files
Files
/etc/httpd/conf/httpd.conf                          Main configuration file
/etc/httpd/conf.d/ssl.conf                          TLS security
/etc/pki/tls/certs/www-roggeware-nl.ca-bundle       Root CA bundle
/etc/pki/tls/certs/www-roggeware-nl.crt             Server certificate (public key)
/etc/pki/tls/private/www-roggeware-nl.key           private key
/usr/share/doc/mod_wsgi                             Documents about WSGI configuration
Parameters
DocumentRoot                                        Default location for contents
ServerRoot                                          Default directory for configuration files
<VirtualHost *:80>
       DocumentRoot /www/docs/account.example.com
       ServerName   account.example.com
</VirtualHost>

34 DNS

Setup a caching nameserver.

Unbound is the preferred package.

Edit /etc/unbound/unbound.conf:

interface: 0.0.0.0                                   Accept connections from every interface.
access-control: 192.168.4.0/24 allow                 Accept requests from these IP addresses.
domain-insecure: example.com                         Skip DNSSEC validation for internal domains that have not been signed.
forward-zone: 
        name: "."
        forward-addr: 192.168.x.x                    Forward all requests to this server.

Commands
yum install unbound
systemctl start unbound
systemctl enable unbound
firewall-cmd --add-service dns --permanent
man unbound
man unbound.conf
host                                                 DNS lookup utility.
unbound-checkconf
unbound-control-setup                                Create server keys manually.
unbound-control dump_cache                           Dump contents of cache.
nmtui                                                Do not edit /etc/resolv.conf by hand.
nmcli
dig +dnssec DNSKEY rhatcert.com
Files
/etc/resolv.conf
/etc/unbound/unbound.conf

35 MariaDB

yum install mariadb mariadb-server mariadb-test
systemctl start mariadb
systemctl enable mariadb


firewall-cmd --add-service mysql --permanent
mysql_secure_installation
/usr/libexec/mysqld --help --verbose          Information about all the settings

show databases;
use dbname;
create database dbname;
create table tablename (name varchar(40),place varchar(40));
describe tablename;

delete from tablename where field = ' value ';
update tablename set field = value where field2 = ' value ';
insert into tablename (field1,field2) values(' value1 ',' value2 ');

where clause operators: = <> > >= < <= BETWEEN LIKE IN
create user username@'localhost' identified by 'password';
drop user 'username'@'localhost';
grant select,update,delete,insert on *.* to username@'localhost';  
grant all privileges on ...
mysqldump -u root -p --databases dbname > dumpfile
drop database databasename;
create database databasename;
mysql -u root -p dbname < dumpfile
Files
/etc/my.cnf
/etc/my.cnf.d

36 NFS

Gaps: Kerberized NFS server and NFSv4 SELinux transparency.

SELinux for NFSv4
nfs_t                  Allows the NFS server to access the share.
public_content_t       Allows the NFS server (and other services such as Samba, FTP and web) read access
public_content_rw_t    Allows the NFS server read/write access
NFSv4 Kerberos Authentication

Add sec=method to the share in /etc/exports. The following methods are available:

  • none: Anonymous access is allowed. All access is based on the user nfsnobody. If this user needs write access as well, also enable the SELinux boolean nfsd_anon_write.
  • sys Default security. User access is based on UID and GID values.
  • krb5: NFS clients prove their identity using a Kerberos keytab file. To access files in the NFS share the user needs to initialize a Kerberos session as well, otherwise no access to the files is allowed.
  • krb5i Same as krb5 with added cryptographic guarantee for untampered data.
  • krb5p Same as krb5i with added encryption.

To establish a Kerberized session:

  • /etc/krb5.keytab. Contains the security principals for both the NFS server and the NFS client, and is required to join the Kerberos realm. Use klist -k to verify the contents of the keytab file.
  • A Kerberized user session: after configuring remote authentication against a Kerberos server, the login procedure is already Kerberized and no additional action is needed. Use the klist command to verify this. If klist does not show any Kerberos credentials, a Kerberized session can be established manually.
  • sec=method option. Both in the share definition and in the mount options.
  • The nfs-server as well as the nfs-secure-server services must be active on the NFS server. Since RHEL 7.1 these services are automatically loaded.
  • The nfs-secure service must be active on the client. Since RHEL 7.1 these services are loaded automatically.
Setup KDC recipe
  • yum install -y krb5-server krb5-workstation pam_krb5
  • firewall-cmd --add-service kerberos --permanent
  • Edit /etc/krb5.conf and make EXAMPLE.COM active.
  • kdb5_util create -s -r EXAMPLE.COM
  • systemctl start krb5kdc kadmin
  • systemctl enable krb5kdc kadmin
  • kadmin.local
    • addprinc root/admin
    • addprinc user01
    • addprinc -randkey host/server1.example.com Add KDC hostname to the Kerberos database.
    • ktadd host/kbserver.example.com Create a local copy stored in (default) /etc/krb5.keytab.
Troubleshooting
# export KRB5_TRACE=/dev/stdout
# kinit
Loose ends

Edit /etc/ssh/sshd_config file and add/uncomment the following lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
NFSv4 SELinux Transparency

Set RPCNFSDARGS="-V 4.2" on the server side in /etc/sysconfig/nfs and restart nfs-server (and possibly nfs-secure-server). The option RPCNFSDARGS is described in /etc/sysconfig/nfs. On the client side, mount the NFS share with option -o v4.2.


Commands
man exports            Documents NFS server export table (with examples).
                       Normally user root is mapped to nfsnobody. This ensures that a root user coming from an NFS client
                       has minimal permissions on the NFS server. 
                       no_root_squash gives full access to user root from an NFS client.
man nfs                fstab format and options for the NFS filesystem.
semanage fcontext -a -t nfs_t "/srv/nfsexport(/.*)?"
getsebool -a
setsebool -P boolean
seinfo -t                             List of types. 
seinfo -xt nfs_t                      Details of type nfs_t.
systemctl start nfs-server
systemctl enable nfs-server
systemctl status remote-fs.target                       Replaces _netdev in /etc/fstab: NFS filesystems are mounted only after
                                                        the network is active.
systemctl start/enable nfs-secure-server for kerberos
restorecon -Rv /etc/krb5.keytab
ls -lZ /etc/krb5.keytab
firewall-cmd --add-service nfs --permanent --reload (add services rpc-bind and mountd to enable showmount -e server1 command).

exportfs -vr
showmount -e server     Show export information for the NFS server on server. Also needs the rpc-bind and mountd firewall services.
systemctl enable remote-fs.target on NFS client to have NFS filesystems mounted when the network has been activated.
kinit username  
klist -k
kdestroy                    Delete a ticket.
Files
/etc/exports           /srv/nfsexport *(rw)
/etc/exports           /secureshare *(sec=krb5p,rw)
/etc/fstab             server.roggeware.nl:/srv/nfsexport  /mnt/nfs nfs _netdev 0 0
/etc/exports.d         for .exports files
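
Added example (not part of the page): a shell audit of an /etc/exports file for the two settings discussed in this chapter, the sec= method and root squashing. The exports lines are constructed from the page's own sample paths plus a few extra entries, and the function names (client_opts, client_sec, audit_exports) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit /etc/exports for exports to
# any host (*) that stay on the default sec=sys, which trust client UID/GID
# alone, and for no_root_squash, which removes the root-to-nfsnobody mapping.
# The exports content below is constructed; audit_exports reads stdin.

sample_exports() {
    cat <<'EOF'
# constructed /etc/exports
/srv/nfsexport   *(rw)
/secureshare     *(sec=krb5p,rw)
/opt             192.168.4.0/24(ro,sync)
/srv/admin       rhce1.example.com(rw,no_root_squash)
/pub             *(ro)
EOF
}

# client_opts CLIENTSPEC: print the option list of "host(opt,opt)", "" if none
client_opts() {
    case $1 in
        *\(*\)) o=${1#*\(}; printf '%s\n' "${o%\)}" ;;
        *) printf '\n' ;;
    esac
}

# client_sec CLIENTSPEC: print the sec= method, "sys" when not given
client_sec() {
    opts=$(client_opts "$1")
    case ",$opts," in
        *,sec=*) s=${opts#*sec=}; printf '%s\n' "${s%%,*}" ;;
        *) printf 'sys\n' ;;
    esac
}

# audit_exports < exports: print a WARN line per risky export, return 1 if any
audit_exports() {
    rc=0
    set -f   # client specs contain * and (); keep the shell from globbing them
    while read -r path clients; do
        case $path in ''|\#*) continue ;; esac
        for c in $clients; do
            host=${c%%\(*}
            sec=$(client_sec "$c")
            opts=$(client_opts "$c")
            if [ "$host" = '*' ]; then
                case $sec in
                    krb5*) ;;
                    *) echo "WARN $path: exported to any host with sec=$sec (no Kerberos)"; rc=1 ;;
                esac
            fi
            case ",$opts," in
                *,no_root_squash,*) echo "WARN $path: no_root_squash gives a client's root full access"; rc=1 ;;
            esac
        done
    done
    set +f
    return $rc
}

sample_exports | audit_exports || echo "risky exports found"
```

On a real server run audit_exports < /etc/exports (and over the files in /etc/exports.d) after every exportfs -vr; the page's basic /srv/nfsexport *(rw) line is flagged on purpose, since it is exactly the case the sec=krb5* methods exist for.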
Packages
nfs-utils
Ports
2049           NFS Processes (service nfs)
111            Client access (service rpcbind)
20049          Client access (service mountd, and service file shows port 20048)

37 Samba

  • Setup samba share.
  • Mount share as user.
  • Mount with credentials file in fstab.
  • Mount a multiuser Samba share.
Securing Samba
samba_share_t              Give Samba read and write access to this directory and below.
public_content_t           Give Samba and other services read-only access.
public_content_rw_t        Give Samba and other services read-write access. Needs an additional boolean.
smbd_anon_write            Allows write access for Samba anonymous users. Required for public_content_rw_t.
samba_enable_home_dirs     Allows Samba to share home directories.
use_samba_home_dirs        Allows remote SMB file shares to be mounted and shared as local home directories.
Samba Firewalling

A firewalld samba service is available. Opens ports 137-139 and 445.

Setup Kerberized Samba share

Add to /etc/samba/smb.conf

security = ADS
realm = KERBEROS_REALM
encrypt passwords = yes
kerberos method = secrets and keytab
password server = kerberos.example.com
Access SMB Shares

Create credentials file /root/smbusers

username=lisa
password=lisa

Add line in /etc/fstab

//servername/sambashare    /mnt/lisa cifs credentials=/root/smbusers,_netdev 0 0

Multiuser Samba mount

Add the basic multiuser mount to /etc/fstab:

//server1/sambashare /mnt/multiuser cifs credentials=/root/multi,multiuser,sec=ntlmssp 0 0

As an authorized user do:

cifscreds add server1

See man mount.cifs for info about cifs, credentials, multiuser and sec=.
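
Added example (not part of the page): a shell check for the credentials= files referenced by the cifs lines above, covering both the single-user and the multiuser mount style. The fstab lines and credentials files are constructed in a temporary directory, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the wiki page): check the credentials file that a
# cifs entry in /etc/fstab points at. The file holds a clear-text password,
# so it must be unreadable for group and others and contain username= and
# password= lines. Files and fstab lines here are constructed samples.

# check_cred_file FILE: return 0 if the credentials file is usable and private
check_cred_file() {
    f=$1
    [ -f "$f" ] || { echo "WARN $f: missing"; return 1; }
    # first 10 characters of ls -l: type, user rwx, group rwx, other rwx
    perms=$(ls -ld "$f" | cut -c1-10)
    case $perms in
        -???------) ;;
        *) echo "WARN $f: mode $perms, group/other must have no access (chmod 600)"; return 1 ;;
    esac
    if ! grep -q '^username=' "$f" || ! grep -q '^password=' "$f"; then
        echo "WARN $f: needs username= and password= lines"; return 1
    fi
    return 0
}

# audit_cifs_fstab < fstab: check every cifs line's credentials= file
audit_cifs_fstab() {
    rc=0
    while read -r spec mnt type opts rest; do
        [ "$type" = cifs ] || continue
        cred=
        oldifs=$IFS; IFS=,
        for o in $opts; do
            case $o in credentials=*) cred=${o#credentials=} ;; esac
        done
        IFS=$oldifs
        if [ -z "$cred" ]; then
            echo "WARN $mnt: no credentials= option (password would sit in fstab or be typed)"; rc=1
            continue
        fi
        check_cred_file "$cred" || rc=1
    done
    return $rc
}

# make_demo_files DIR: one correctly protected file and one world-readable one
make_demo_files() {
    printf 'username=lisa\npassword=constructed-sample\n' > "$1/smbusers"
    chmod 600 "$1/smbusers"
    cp "$1/smbusers" "$1/multi"
    chmod 644 "$1/multi"
}

# demo_fstab DIR: the two mount styles from the notes, pointing at DIR
demo_fstab() {
    printf '//server1/sambashare /mnt/lisa cifs credentials=%s/smbusers,_netdev 0 0\n' "$1"
    printf '//server1/sambashare /mnt/multiuser cifs credentials=%s/multi,multiuser,sec=ntlmssp 0 0\n' "$1"
}

d=$(mktemp -d)
make_demo_files "$d"
demo_fstab "$d" | audit_cifs_fstab || echo "fix the credentials files listed above"
rm -rf "$d"
```

Run audit_cifs_fstab < /etc/fstab on the client; with the multiuser mount the file only needs to hold the mounting account's credentials, since each user adds their own with cifscreds.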
Commands
yum install samba samba-client cifs-utils
systemctl enable smb
systemctl start smb
useradd -s /sbin/nologin lisa             Add a Samba user, no login needed/possible. 
groupadd groupname 
usermod -aG groupname lisa
semanage fcontext -at samba_share_t "/sambashare(/.*)?"
restorecon -Rv /sambashare
getsebool -a                              Show all SELinux booleans.
setsebool -P smbd_anon_write 1            Set boolean permanent.
seinfo -t
smbpasswd -h
pdbedit -L                                List users in smbpasswd
smbclient -L //servername
testparm                                  Check for syntax errors in the configuration file
mount -o user=username //servername/sambashare /mnt
 
klist -k                  List keys in the keytab file
man mount.cifs            credentials= option
man cifscreds             
man firewalld.richlanguage
man semanage-fcontext
Files
/etc/samba/smb.conf                           Main Samba configuration file
/usr/lib/firewalld/services/samba.xml
/etc/krb5.keytab       mod 600 root root
Packages
samba
samba-client
cifs-utils

38 SMTP Server

The RHCE objective wants you to create a null client. Such a client cannot receive any messages, but has all the configuration needed to send mail messages to other hosts.

Configure on null-client:

inet_interfaces=loopback-only
inet_protocols=ipv4
relayhost=[server1.example.com]
mynetworks=127.0.0.0/8 [::1]/128
mydestination=
mydomain=example.com

Steps

   Adjust relayhost to point to corporate mail server:
   Enclose host name of corporate mail server in square brackets
   [root@server1 ~]# postconf -e "relayhost=[smtp1.example.com]"
   Configure Postfix mail server to only relay emails from local system
   Let mail server listen on loopback interface for emails to deliver only:
   [root@server1 ~]# postconf -e "inet_interfaces=loopback-only"
   Change null client configuration so it forwards mails originating from 127.0.0.0/8 IPv4 network and [::1]/128 IPv6 network to relay host:
   [root@server1 ~]# postconf -e "mynetworks=127.0.0.0/8 [::1]/128"
   Configure Postfix so outgoing mails have sender domain rewritten to company domain example.com:
   [root@server1 ~]# postconf -e "myorigin=desktop1.example.com"
   Prohibit Postfix mail server from delivering messages to local accounts
       Configure the null client not to act as end point for any mail domain:
           Does not accept mails where recipient is local email account for local delivery
           Need to set mydestination to empty value
           [root@server1 ~]# postconf -e "mydestination="
       Configure local null client not to sort mails into mailboxes on local system:
           Local email delivery turned off
           [root@server1 ~]# postconf -e "local_transport=error: local delivery disabled"
   Restart local postfix null client:
   [root@server1 ~]# systemctl restart postfix

Essential postfix parameters:

inet_interfaces          Controls network interfaces Postfix listens on for incoming and outgoing messages
myorigin                 Rewrite locally posted email to appear to come from this domain. 
                         Helps ensure responses return to correct domain for which mail server is responsible
relayhost                Specifies which central mailserver to forward messages to.
mydestination            Domains handled by this server. Mail addressed to a domain not listed is rejected.
                         Configure domains mail server is end point for. Email addressed to these domains delivered into local mailboxes
local_transport          Specifies what to use for local mail delivery.
inet_protocols           Specify which protocols to use for delivery.
mynetworks               Space-separated list of networks that are allowed to relay.
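
Added example (not from the page): a shell check that a main.cf really carries the null-client settings from the steps and the parameter table above. The sample main.cf is constructed here, and the helper names (cf_get, check_null_client) are assumptions of this example; on a real host you would point check_null_client at /etc/postfix/main.cf.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify that a Postfix main.cf
# implements the null-client settings: loopback only, bracketed relayhost,
# empty mydestination, local delivery disabled, relaying from loopback only.
# It works on a file, so it runs on a host without Postfix installed.

write_sample_main_cf() {
    cat > "$1" <<'EOF'
# constructed sample main.cf for a null client
inet_interfaces = loopback-only
inet_protocols = ipv4
relayhost = [server1.example.com]
mynetworks = 127.0.0.0/8 [::1]/128
mydestination =
mydomain = example.com
myorigin = $mydomain
local_transport = error: local delivery disabled
EOF
}

# cf_get FILE PARAMETER: print the parameter's value; like postconf, the
# last assignment in the file wins and an unset parameter prints nothing.
cf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || !/=/ { next }
        {
            k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]+/, "", k)
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_null_client FILE: print one line per deviation from the null-client
# configuration; return 1 if there is any.
check_null_client() {
    f=$1 rc=0
    [ "$(cf_get "$f" inet_interfaces)" = loopback-only ] ||
        { echo "inet_interfaces must be loopback-only (no inbound SMTP)"; rc=1; }
    case $(cf_get "$f" relayhost) in
        '')    echo "relayhost is not set"; rc=1 ;;
        \[*\]) ;;
        *)     echo "relayhost should be in [brackets] to skip the MX lookup"; rc=1 ;;
    esac
    [ -z "$(cf_get "$f" mydestination)" ] ||
        { echo "mydestination must be empty so no domain is delivered locally"; rc=1; }
    case $(cf_get "$f" local_transport) in
        error:*) ;;
        *)       echo "local_transport should be 'error: ...' to disable local delivery"; rc=1 ;;
    esac
    set -f   # mynetworks may contain [::1]/128, which the shell would treat as a glob
    for n in $(cf_get "$f" mynetworks); do
        case $n in
            127.0.0.0/8|\[::1\]/128) ;;
            *) echo "mynetworks allows relaying from $n, expected loopback only"; rc=1 ;;
        esac
    done
    set +f
    return $rc
}

tmp=$(mktemp)
write_sample_main_cf "$tmp"
if check_null_client "$tmp"; then
    echo "$tmp: valid null-client configuration"
fi
rm -f "$tmp"
```

postconf -n prints the same effective values on a real host; the check above is useful when you have only a copy of main.cf, for instance one pulled from a system you are reviewing.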
Commands
postconf -e                                    Edit Postfix parameter
postconf -e 'myorigin = $mydomain'
postconf -e 'relayhost=[server4.example.com]'
postfix check                                  Check the contents of the /etc/postfix/main.cf file
postqueue -f                                   Flush the mail queue
postqueue -p                                   Display the mail queue
systemctl reload postfix
man 5 postconf                                 Complete overview of postfix parameters
Files
/etc/postfix/main.cf
/var/log/maillog

39 Configure SSH

semanage port, man sshd_config, ssh-agent, ssh-add, ssh tunnel.

AllowUsers

Commands
semanage port -l                 List all port definitions.
man semanage-port
man sshd_config 

Local port forwarding

ssh -fNL 3333:server.roggeware.nl:80 root@server2.roggeware.nl            -f to run in the background, -N no command started.
ssh -fNL 4444:server.rhatcertificaion.com:80 root@server2.example.com

Remote port forwarding

ssh -fNR80:localhost:8088 root@...
Files
/etc/ssh/sshd_config
~/.ssh/config              SSH configuration for a specific user.

40 Time synchronisation

server, peer, allow

Chronyd daemon, chronyc command. ntp port 123. start, enable, firewall-cmd --add-service

Commands
chronyc help
chronyc sources -v    Shows current servers that chrony is synchronizing with.
chronyc tracking      Detailed information about the current local time configuration.
chronyc sourcestats   Detailed information about the state of the remote servers.
Files
/etc/chrony.conf
/etc/chrony.keys


41 Miscellaneous commands

systemctl list-unit-files --type=service    Review enabled services
List commands
getsebool -a                            List all selinux booleans
seinfo                                  SELinux policy query tool
         --all
         -r                             List all roles
         -t                             List all types (*-t)
         -u                             List all users
semanage boolean --list                 List SELinux booleans with comments
semanage fcontext -l                    List all current rules
setfacl -m u:mike:x /home/shared        Give execute permissions to mike on directory /home/shared
setfacl -R -m u:mike:rx /home/shared    Allow user mike to have read and execute permissions on all files in the /home/shared directory and any subdirectory.
setfacl -R -x u:mike /home/shared       Remove permission settings for user mike
setfacl -R -b /home/shared              Remove all permissions for directory /home/shared and below
setfacl -d -m u:mike:rw /home/shared    Set permissions for new files (default) in /home/shared
setfacl -m mask:r-- /home/shared        The mask of an ACL limits the effective permissions of named users and groups. Here the maximum permission granted is read.
SELinux

The SELinux security model is based on subjects, objects and actions. A subject is a process, such as a running command. An object is a file, a device, a socket, or in general any resource that can be accessed by a subject. An action is what may be done by the subject to the object. SELinux assigns different contexts to objects. A context is just a label, which is used by the SELinux security policy to determine whether a subject's action on an object is allowed or not.

A label is made up of several context strings,separated by a colon. A user context ends with _u, a role context ends with _r, a type context ends with _t.

sestatus                Used to get the status of a system running SELinux
setenforce permissive   
           enforcing 
semanage login -l       Review status of current SELinux users
id -Z                   Show user context as a regular user

getsebool
setsebool
          -P            Permanent, survives a reboot
semanage boolean -l     List all booleans with a short description
semanage port -l        List all port labels
restorecon              Restore contexts to values stored in the SELinux policy
semanage fcontext -l    List all default file context rules
chcon -R --reference /var/ftp /ftp     Copy the context of /var/ftp to /ftp recursively.
sealert -a /var/log/audit/audit.log    Analyzes log and shows errors formatted.
ps -eZ
system-config-selinux   GUI Administration Tool
sealert -b              GUI SELinux Alert Browser
Files
/etc/selinux/targeted/contexts/files       Configured SELinux file contexts.

42 Miscellaneous commands

chage                         Change user password expiry information
rpm -qd package           Show documentation files
yum group list hidden
yum group install "groupname"
sg                            Execute command as different group ID
gpasswd
/etc/login.defs               Shadow password suite configuration.
/etc/securetty                Remove tty to disable root access via local console.
/etc/security/access.conf     Login access control table.
/etc/pam.d/su                 Enable the auth pam_wheel.so line to restrict 'su -' to members of the wheel group.


Environment User and Shell Configuration

/etc/bashrc
/etc/profile
/etc/profile.d
/etc/skel             When a new user is created with useradd, files in this directory are copied to the home directory.
curl
nmap
nc

90 RHCE7 Task of the day

  • 10 minutes. Set up a default secure database called maria and back up the database with mysqldump.
  • 10 minutes. Setup a default secure MariaDB database called maria with a user named muser with all privileges.
  • 10 minutes. Setup a default secure MariaDB database called maria and create a table named people with two columns respectively name varchar(20) and age int(10) unsigned
  • 10 minutes. Setup a NFS server that exports the /opt directory in read-only mode.
  • 15 minutes. Configure a Samba server called MYSERVER, belonging to the MYGROUP group, sharing the /shared directory with the name "shared".
  • 03 minutes. Configure your machine to be a router.
  • 10 minutes. Set up a caching-only DNS server to forward DNS queries.
  • 10 minutes. Set up a caching-only DNS server.
  • 10 minutes. Configure a system to forward all email to a central mail server at 192.168.1.1 (change the IP address accordingly).
  • 05 minutes. Set up time synchronization with default configuration.
  • 10 minutes. Change the SSH process configuration to only listen on the 443 port.
  • 08 minutes. Set up an iSCSI target based on a fileio backstore of 100 MB called /opt/shareddata with CHAP authentication (username=usr, password=pwd), an xfs filesystem and the standard firewall configuration.

91 Chapters