User:Tom/RHCE EX300-2
00 Lab configuration
rhceipa.example.com 192.168.4.200
rhce1.example.com 192.168.4.210
rhce2.example.com 192.168.4.220
dns 192.168.4.200
gateway 192.168.4.2
25 Configuring Kerberos
Account information: Information such as username and home directory. Typically LDAP is used here.
Authentication information: Needed to validate that a user is who he claims to be. Done by an authentication protocol such as Kerberos.
KDC Key Distribution Center. A central key server. Issues tickets.
Realm All hosts that use the same KDC to get tickets.
TGT Ticket Granting Ticket.
Kerberos Basics
Kerberos authentication is based on tickets, which are protected with encryption and replace sending passwords across the network. The KDC's reply that carries the initial ticket (the TGT) is encrypted with a key derived from the user's password, so only a client that knows the password can use it; the password itself never leaves the client.
Tickets are issued by a central server, the KDC (Key Distribution Center). A realm consists of all hosts that use the same KDC to get tickets. By convention the realm name is the DNS domain of the site written in capitals (example.com becomes EXAMPLE.COM).
Kerberos is not just used for user authentication. Applications running on hosts can also use Kerberos for secure access; such a host is called an application server. Each user and each service has a principal with a long-term key, derived from a password for users and stored in a keytab for services. The KDC holds the keys of all principals, which is why the KDC host must be protected like the password database it is.
Kerberos Principals
Users and services have Kerberos principals. Services keep their keys in a keytab file, which lets the service authenticate to Kerberos without human intervention. A server hosting Kerberized services needs /etc/krb5.keytab, which contains the names of all service principals on that server together with their keys. Anyone who can read the keytab can impersonate those services, so the file belongs to root with mode 600.
Principal name (service): nfs/server.example.com@EXAMPLE.COM
Principal name (user): tom@EXAMPLE.COM
Configuring LDAP Account Information with Kerberos Authentication
authconfig-tui can be used; it writes several configuration files.
Using nslcd or sssd as Authentication Backend Service
Verify that the sssd packages are installed before using the authconfig utilities; use yum group install "Directory Client" to install sssd and related packages. With authconfig-gtk, sssd is used by default. Start sssd before using the authconfig utilities.
Recipe:
Set up external authentication
- yum group install "Directory Client"
- mkdir /etc/openldap/cacerts
- Copy the CA certificate to /etc/openldap/cacerts/. Without a trusted CA certificate the TLS connection to the LDAP server cannot be verified.
- Edit /etc/sysconfig/authconfig and set the following:
FORCELEGACY=no (switch off nslcd)
USESSSD=yes
USESSSDAUTH=yes
- Start authconfig-tui and select "Cache Information", "Use LDAP" and "Use LDAP Authentication".
- In the LDAP Settings screen select "Use TLS" and specify Server labipa.example.com and Base DN dc=example,dc=com.
- Complete the setup procedure in authconfig-tui.
- Do cat /etc/sssd/sssd.conf to verify the configuration has been committed.
- systemctl restart sssd
- Do su - ldapuser1 and type id. This shows that you are now logged in as ldapuser1, with the UID and groups that come from LDAP.
After configuring LDAP authentication you can now enable Kerberos authentication as well.
- yum install pam_krb5 krb5-workstation to install the packages that add Kerberos support.
- Start authconfig-tui and select "Use Kerberos".
- In the Kerberos Settings screen, enter the following:
Realm: EXAMPLE.COM
KDC: labipa.example.com
Admin Server: labipa.example.com
Or select "Use DNS to Resolve Hosts to Realms" and "Use DNS to Locate KDCs for Realms". This uses the _kerberos SRV resource records that the Kerberos server registers in DNS, so the KDC and admin server do not have to be hard-coded.
- As root, type kinit admin and enter the password of the admin user on the labipa server. Getting a ticket shows that the host can reach the KDC and that the realm configuration in /etc/krb5.conf is correct.
- Now that you know the host can authenticate, type kinit ldapuser1 and enter that user's password. A ticket proves that Kerberos authentication of LDAP users works; klist shows the cached TGT.
Commands
authconfig Configure LDAP account information with Kerberos authentication.
authconfig --test Get an overview of the current configuration and see which services are used.
authconfig-tui, authconfig-gtk Interactive front ends.
kinit Obtain and cache a Kerberos ticket-granting ticket.
klist List cached Kerberos tickets.
Files
/etc/krb5.keytab Needed by a server hosting Kerberized services. Contains the names and keys of all service principals on that server; root-only, mode 600.
/etc/nslcd.conf Alternative for sssd.
/etc/nsswitch.conf Which sources (files, ldap, sss) are used for the passwd, group and other databases.
/etc/openldap/cacerts Stores root certificate authorities.
/etc/openldap/ldap.conf LDAP client configuration. Specifies which LDAP server and base DN are used.
/etc/pam.d/ PAM configuration per service.
/etc/sssd/sssd.conf Configuration of the daemon used for retrieving and caching user and authentication information. Install the sssd service before using the authconfig utilities (yum group install "Directory Client").
/etc/sysconfig/authconfig
Packages
pam_krb5 krb5-workstation
26 iSCSI
An iSCSI Target provides storage which is accessed by an iSCSI Initiator.
Using the command targetcli, create:
- a backstore (block device or fileio)
- an iSCSI IQN for the target
- a portal (RHEL 7.0 only; from RHEL 7.1 targetcli creates a default portal on 0.0.0.0:3260 together with the target). Check the release with cat /etc/redhat-release.
- a LUN that maps the backstore
- an ACL with the IQN of the initiator; only initiators listed in the ACL may log in
Using the command iscsiadm, do:
- Edit /etc/iscsi/initiatorname.iscsi (must match the IQN in the target's ACL) and restart iscsid.
- iscsiadm --mode discovery --type sendtargets --portal <target>
- iscsiadm --mode node --targetname <iqn> --portal <target> --login
- iscsiadm -m session --rescan Discover added LUNs.
Mount the filesystem by UUID; use blkid for a list. In /etc/fstab use the _netdev option so the mount waits for the network.
Note: RHEL 7.0 has no firewalld service iscsi-target. Use --add-port=3260/tcp instead.
Commands
targetcli Configure the target (backstores, IQN, LUNs, ACLs, portals).
iscsiadm Discover and log in to targets from the initiator.
lsscsi, lsblk --scsi Show attached SCSI devices.
firewall-cmd --add-service iscsi-target --permanent; firewall-cmd --reload
systemctl start target; systemctl enable target
Files
/etc/iscsi/initiatorname.iscsi IQN of the initiator.
Packages
targetcli Target
iscsi-initiator-utils Initiator
30 Routing and Networking
Commands
IPv6 addresses / networks
::1/128 Local host.
:: Unspecified address (all addresses when used as a listen address).
::/0 The default route.
2000::/3 Global unicast addresses.
fc00::/7 Unique local addresses.
fe80::/64 Link-local addresses.
ff00::/8 Multicast.
2001:db8::/32 Addresses reserved for use in documentation.
Install rpm bash-completion to enable tab completion for nmcli. Command nmcli recognizes two sources; devices and connections.
man 5 nmcli-examples Examples of how to create a team interface.
man -k team
man teamd.conf Describes runner configurations.
nmcli con add type team con-name team0 config '{ "runner": {"name": "loadbalance"}}'
nmcli con mod team0 ipv4.addresses 192.168.122.131/24
nmcli con add type team-slave ifname eth1 master team0
nmcli con add type team-slave ifname eth2 master team0
nmcli con edit team0 Interactive editor; help, print and describe team.config show, among other things, the available runner types.
nmcli con show eth1 Shows detailed IP configuration (for example ipv4.addresses).
nmcli con add con-name eth1 type ethernet ifname eth1 ip6 2001:db8:0:1::100/64 gw6 2001:db8:0:1::1 ip4 192.168.122.131/24 gw4 192.168.122.1
nmcli con mod eth1 ipv6.addresses "2001:db8:0:1::1/64"
nmcli con mod eth1 +ipv6.addresses "2001:db8:0:2::1/64" The + adds an address instead of replacing the list.
nmcli con up team0
nmcli con show
nmcli con reload Run this command after modifying the configuration files in /etc/sysconfig/network-scripts directly.
teamdctl team0 state
teamdctl team0 state view
teamnl team0 options
ip link show
ip route show
Files
/etc/sysconfig/network-scripts/ifcfg-team0
/etc/sysconfig/network-scripts/ifcfg-team-slave-eth[12]
/etc/sysctl.d/forwarding.conf (net.ipv4.ip_forward = 1) Enable forwarding to configure the server as a router; sysctl -p /etc/sysctl.d/forwarding.conf applies it without a reboot.
32 Advanced Firewall Configuration
Basic ordering rules within zones(DPLAD)
- Direct rules
- Port forwarding and masquerading
- Logging rules
- Allow rules
- Deny rules
Basic syntax of a rich rule:
- rule
- [source] [destination]
- [service|port|protocol|icmp-block|masquerade|forward-port]
- [log] [audit]
- [accept] [reject] [drop]
For NAT the server needs to be configured as a router: /proc/sys/net/ipv4/ip_forward=1.
Two types of NAT:
- Masquerading: the source address of packets leaving the private network is replaced with the address of the NAT router, so hosts with private addresses can reach the outside world.
- Port forwarding: the NAT router redirects all traffic to a public port on the NAT router to another port, and possibly another host, on the private network. Masquerading needs to be activated in the zone for port forwarding to another host.
Commands
firewall-cmd --reload
firewall-cmd --get-services Shows all services, which are stored in /usr/lib/firewalld/services and /etc/firewalld/services.
firewall-cmd --add-rich-rule='rule ...'
firewall-cmd --remove-rich-rule='rule ...'
firewall-cmd --query-rich-rule='rule ...'
firewall-cmd --list-rich-rules
firewall-cmd --add-forward-port=port=<port>:proto=<tcp|udp>:toport=<port>:toaddr=<address>
firewall-cmd --add-masquerade
firewall-cmd --add-... --timeout=<seconds> Lifetime of the rule; it is removed automatically afterwards, which is useful to test a rule without locking yourself out.
firewall-config GUI, package firewall-config.
firewall-cmd --help Help information.
man firewalld.richlanguage Shows rich language examples.
Files
/etc/firewalld/services /usr/lib/firewalld/services
33 Advanced Apache services
- Apache basics
- Apache SELinux related settings
- Write access to DocumentRoot
- Configuring TLS Security
- Deploying CGI Applications PHP, Python
- Configuring Private Directories
SELinux settings
httpd_sys_content_t Context type. Set on directories that Apache is allowed to read.
httpd_sys_rw_content_t Context type. Set on directories that Apache is allowed to read and write.
httpd_sys_script_exec_t Context type. Used for directories that contain executable scripts.
httpd_unified Boolean. Unifies the handling of all httpd content types. Disabled by default; switch on for relaxed access (Apache may then write and execute wherever it can read).
httpd_enable_cgi Boolean. On by default, allows Apache to run scripts.
httpd_tty_comm Boolean. Determines whether Apache is allowed access to a tty. Switch on if you use TLS private keys that prompt for a passphrase on startup.
Commands
genkey Generate TLS keys, self-signed certificates and certificate requests (package crypto-utils).
openssl Idem.
semanage fcontext -at httpd_sys_content_t "/var/www/html(/.*)?"; restorecon -Rv /var/www/html
setfacl -R -m g:development:rwX /var/www/html Uppercase X sets the execute bit only on directories (and on files that already have it).
setfacl -R -m d:g:development:rwx /var/www/html -R recursive, -m modify, d: default ACL inherited by new files.
man semanage-fcontext Examples.
yum install httpd-manual; elinks http://localhost/manual Local copy of the Apache documentation.
SSL/TLS encryption: yum search TLS; yum install mod_ssl Creates /etc/httpd/conf.d/ssl.conf.
yum install mod_php Creates /etc/httpd/conf.d/php.conf and enables the internal PHP interpreter for dynamic PHP content.
yum install mod_wsgi For Python applications.
curl -L --insecure https://www.roggeware.nl Verify that HTTPS answers; --insecure skips certificate verification, so it tests the listener, not the trust chain.
htpasswd Create the password file for private directories.
httpd -t Check the syntax of the configuration files.
httpd -D DUMP_VHOSTS Show the configured virtual hosts.
Files
/etc/httpd/conf/httpd.conf Main configuration file.
/etc/httpd/conf.d/ssl.conf TLS security.
/etc/pki/tls/certs/www-roggeware-nl.ca-bundle Root CA (certificate chain).
/etc/pki/tls/certs/www-roggeware-nl.crt Server certificate (public key).
/etc/pki/tls/private/www-roggeware-nl.key Private key; readable by root only.
/usr/share/doc/mod_wsgi Documents about WSGI configuration.
Parameters
DocumentRoot Default location for content.
ServerRoot Default directory for configuration files.
<VirtualHost *:80>
DocumentRoot /www/docs/account.example.com
ServerName account.example.com
</VirtualHost>
34 DNS
Set up a caching nameserver.
Unbound is the preferred package.
Edit /etc/unbound/unbound.conf:
interface: 0.0.0.0 Accept connections on every interface.
access-control: 192.168.4.0/24 allow Accept requests from these IP addresses only. Without an access-control line the default refuses everything except localhost; allowing 0.0.0.0/0 turns the server into an open resolver.
domain-insecure: example.com Skip DNSSEC validation for internal domains that are not signed.
forward-zone:
name: "."
forward-addr: 192.168.x.x Forward all requests to this server.
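The interface and access-control lines above decide who may use the resolver; the following is an added example, not part of the original notes, that reads an unbound.conf and reports the settings that would make the caching server answer the whole Internet. It assumes a flat file (include: directives are not followed) and that an inline comment only appears after the third field; the sample configurations in the usage are constructed.

```bash
#!/bin/bash
# Added example, not from the original page: audit an unbound.conf for
# open-resolver settings before exposing the caching nameserver.
# Assumptions: a flat file (include: directives are not followed) and
# inline comments only after the third field.

# audit_unbound_conf FILE
# Prints one line per finding; returns 0 when clean, 1 when the server
# would answer recursive queries for the whole Internet.
audit_unbound_conf() {
    conf=$1
    findings=0
    listens_all=0
    while read -r key value action _; do
        case "$key" in ''|\#*) continue ;; esac      # blank or comment line
        case "$action" in \#*) action= ;; esac        # trailing comment
        case "$key" in
            interface:)
                # 0.0.0.0 / :: means every interface, so access-control decides who may query
                case "$value" in 0.0.0.0|::|::0) listens_all=1 ;; esac ;;
            access-control:)
                case "$value" in
                    0.0.0.0/0|::/0|::0/0)
                        case "$action" in
                            allow|allow_snoop)
                                echo "open resolver: access-control: $value $action"
                                findings=$((findings + 1)) ;;
                        esac ;;
                esac
                # allow_snoop also answers non-recursive queries, which lets a
                # client enumerate what is in the cache
                if [ "$action" = allow_snoop ]; then
                    echo "cache snooping allowed for $value"
                    findings=$((findings + 1))
                fi ;;
            domain-insecure:)
                echo "note: DNSSEC validation is skipped for $value" ;;
        esac
    done < "$conf"
    if [ "$listens_all" -eq 1 ] && [ "$findings" -eq 0 ]; then
        echo "ok: listens on all interfaces, access-control limits the clients"
    fi
    [ "$findings" -eq 0 ]
}

# Usage: audit_unbound_conf /etc/unbound/unbound.conf
if [ -n "$1" ]; then
    audit_unbound_conf "$1"
fi
```

Run it against the real file after unbound-checkconf has accepted the syntax; a syntactically valid configuration can still be an open resolver, which is what this check is for.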
Commands
yum install unbound; systemctl start unbound; systemctl enable unbound; firewall-cmd --add-service dns --permanent; firewall-cmd --reload
man unbound, man unbound.conf
host DNS lookup utility.
unbound-checkconf Check the syntax of unbound.conf before restarting.
unbound-control-setup Create server keys manually.
unbound-control dump_cache Dump the contents of the cache.
nmtui, nmcli Do not edit /etc/resolv.conf by hand; NetworkManager overwrites it.
dig +dnssec DNSKEY rhatcert.com
Files
/etc/resolv.conf /etc/unbound/unbound.conf
35 MariaDB
yum install mariadb mariadb-server mariadb-test; systemctl start mariadb; systemctl enable mariadb
firewall-cmd --add-service mysql --permanent
mysql_secure_installation
/usr/libexec/mysqld --help --verbose Information about all the settings.
show databases;
use dbname;
create database dbname;
create table tablename (name varchar(40), place varchar(40));
describe tablename;
delete from tablename where field = 'value';
update tablename set field = 'value' where field2 = 'value';
insert into tablename (field1, field2) values ('value1', 'value2');
where clause operators: = <> > >= < <= BETWEEN LIKE IN
create user 'username'@'localhost' identified by 'password';
drop user 'username'@'localhost';
grant select,update,delete,insert on *.* to 'username'@'localhost'; grant all privileges on ... Prefer granting on dbname.* (one database) over *.* (all databases).
mysqldump -u root -p --databases dbname > dumpfile The --databases option includes the CREATE DATABASE statement in the dump.
drop database dbname; create database dbname; mysql -u root -p dbname < dumpfile
Files
/etc/my.cnf /etc/my.cnf.d
36 NFS
Gaps: Kerberized NFS server and NFSv4 SELinux transparency.
SELinux for NFSv4
nfs_t Allows the NFS server to access the share.
public_content_t Allows the NFS server (and other services such as Samba, FTP and web) read access.
public_content_rw_t Allows the NFS server read/write access.
use_nfs_home_dirs Boolean. Allows home directories exported over NFS to be used as home directories.
The types above are only consulted when the booleans below are disabled:
nfs_export_all_ro Boolean. Export everything read-only regardless of type (on by default).
nfs_export_all_rw Boolean. Export everything read-write regardless of type (on by default).
man 8 nfsd_selinux Security Enhanced Linux Policy for the nfsd processes.
NFSv4 Kerberos Authentication
Add sec=method to the share in /etc/exports. The following methods are available:
- none Anonymous access. All access is mapped to the user nfsnobody. If this user needs write access as well, also enable the SELinux boolean nfsd_anon_write.
- sys Default security. Access is based on the UID and GID values the client sends, so the server trusts every client to report identities honestly.
- krb5 NFS clients prove their identity with Kerberos: the client host uses its keytab, and each user needs a Kerberos ticket (kinit) as well, otherwise no access to the files is allowed.
- krb5i Same as krb5 with an added cryptographic integrity check on the data.
- krb5p Same as krb5i with added encryption (privacy) of the traffic.
To establish a Kerberized session:
- /etc/krb5.keytab. Contains the keys of the host and nfs service principals; both the NFS server and the NFS client need their own keytab to join the Kerberos realm. Use klist -k to verify the contents of the keytab file.
- A Kerberized user session: after configuring remote authentication against a Kerberos server, the login procedure is already Kerberized and no additional action is needed. Use the klist command to verify this. If klist does not show any Kerberos credentials, a Kerberized session can be established manually with kinit.
- The sec=method option, both in the share definition and in the mount options.
- The nfs-server as well as the nfs-secure-server service must be active on the NFS server. Since RHEL 7.1 these services are loaded automatically.
- The nfs-secure service must be loaded on the client. Since RHEL 7.1 this service is loaded automatically.
Setup KDC recipe
- yum install -y krb5-server krb5-workstation pam_krb5
- firewall-cmd --add-service kerberos --permanent; firewall-cmd --reload
- Edit /etc/krb5.conf and make EXAMPLE.COM the active realm.
- kdb5_util create -s -r EXAMPLE.COM Create the realm database and a stash file (-s) so the KDC can start without a password prompt.
- systemctl start krb5kdc kadmin
- systemctl enable krb5kdc kadmin
- kadmin.local
- addprinc root/admin
- addprinc user01
- addprinc -randkey host/server1.example.com Add the host principal for the KDC's own hostname to the Kerberos database.
- ktadd host/server1.example.com Store a local copy of that key in (default) /etc/krb5.keytab.
Troubleshooting
# export KRB5_TRACE=/dev/stdout; kinit Shows every step of the exchange with the KDC.
Loose ends
Edit /etc/ssh/sshd_config file and add/uncomment the following lines:
GSSAPIAuthentication yes GSSAPIDelegateCredentials yes
NFSv4 SELinux Transparancy
On the server side set RPCNFSDARGS="-V 4.2" in /etc/sysconfig/nfs and restart nfs-server (and possibly nfs-secure-server). The option RPCNFSDARGS is described in /etc/sysconfig/nfs. On the client side mount the NFS share with option -o v4.2.
Commands
man exports Documents the NFS server export table (with examples).
Normally user root is mapped to nfsnobody (root_squash). This ensures that a root user coming from an NFS client has minimal permissions on the NFS server.
no_root_squash gives full access to user root from an NFS client; any host that may mount the share then has root on its contents.
man nfs fstab format and options for the NFS filesystem.
semanage fcontext -a -t nfs_t "/srv/nfsexport(/.*)?"
getsebool -a
setsebool -P boolean
seinfo -t List of types.
seinfo -xt nfs_t
systemctl start nfs-server
systemctl enable nfs-server
systemctl status remote-fs.target Replaces _netdev in /etc/fstab to mount NFS filesystems only after the network is up.
systemctl start/enable nfs-secure-server For Kerberos.
restorecon -Rv /etc/krb5.keytab
ls -lZ /etc/krb5.keytab
firewall-cmd --add-service nfs --permanent; firewall-cmd --reload (add the services rpc-bind and mountd to enable the showmount -e server1 command).
exportfs -vr Re-export everything in /etc/exports.
showmount -e server Show mount information for the NFS server on server. Also needs rpcbind and mountd to be reachable.
systemctl enable remote-fs.target On the NFS client, to have NFS filesystems mounted when the network has been activated.
kinit username, klist -k, kdestroy Obtain a ticket, list keytab entries, delete the tickets.
Files
/etc/exports /srv/nfsexport *(rw)
/etc/exports /secureshare *(sec=krb5p,rw)
/etc/fstab server.roggeware.nl:/srv/nfsexport /mnt/nfs nfs _netdev 0 0
/etc/exports.d for .exports files
Packages
nfs-utils
Ports
2049 NFS (service nfs)
111 rpcbind (service rpc-bind)
20048 mountd (service mountd)
37 Samba
- Setup samba share.
- Mount share as user.
- Mount with credentials file in fstab.
- Mount Multiuser Samba Mount
Securing Samba
samba_share_t Give Samba read and write access to this directory and below.
public_content_t Give Samba and other services read-only access.
public_content_rw_t Give Samba and other services read-write access. Needs an additional boolean.
smbd_anon_write Allows write access for Samba anonymous users. Required for public_content_rw_t.
samba_enable_home_dirs Allows Samba to share home directories.
use_samba_home_dirs Allows remote SMB file shares to be mounted and used as local home directories.
Samba Firewalling
A firewalld samba service is available. Opens ports 137-139 and 445.
Add to /etc/samba/smb.conf
security = ADS
realm = KERBEROS_REALM
encrypt passwords = yes
kerberos method = secrets and keytab
password server = kerberos.example.com
Create the credentials file /root/smbusers (mode 600, owner root; it holds a plaintext password):
username=lisa
password=lisa
Add a line in /etc/fstab:
//servername/sambashare /mnt/lisa cifs credentials=/root/smbusers,_netdev 0 0
Multiuser Samba mount
Add the basic multiuser mount to /etc/fstab:
//server1/sambashare /mnt/multiuser cifs credentials=/root/multi,multiuser,sec=ntlmssp 0 0
As an authorized user do:
cifscreds add server1
For information about cifs, credentials, multiuser and sec= see man mount.cifs.
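Both the credentials= file referenced from /etc/fstab and /etc/krb5.keytab (listed under Files as mode 600 root root) are secrets that /etc/fstab or the mount command points at; the following is an added example, not part of the original notes, that checks those files for owner and mode and flags fstab entries that put the password into the world-readable fstab itself. It assumes GNU stat (-c %a / %U) as on RHEL; the fstab and credentials files in the usage are constructed.

```bash
#!/bin/bash
# Added example, not from the original page: check that the secrets a Samba
# client or Kerberos host depends on (the credentials= file named in
# /etc/fstab, /etc/krb5.keytab) are readable by their owner only.
# Assumption: GNU stat (-c %a / %U), as on RHEL.

# check_secret_file FILE [OWNER]
# Returns 0 when FILE is a regular file owned by OWNER (default root) with
# no group/other permission bits, i.e. mode 600 or 400.
check_secret_file() {
    f=$1
    owner=${2:-root}
    [ -f "$f" ] || { echo "$f: missing or not a regular file"; return 1; }
    perm=$(stat -c %a "$f")
    perm=${perm#"${perm%???}"}            # keep the last three digits (drop setuid/setgid/sticky)
    have_owner=$(stat -c %U "$f")
    rc=0
    if [ "$have_owner" != "$owner" ]; then
        echo "$f: owned by $have_owner, expected $owner"; rc=1
    fi
    if [ "${perm#?}" != 00 ]; then
        echo "$f: mode $perm, group/other can read the secret (want 600)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$f: ok (mode $perm, owner $have_owner)"
    return "$rc"
}

# audit_fstab_cifs_creds FSTAB [OWNER]
# For every cifs entry: a plaintext password= option is always a finding
# (/etc/fstab is world-readable); a credentials= file is checked with
# check_secret_file. Returns 1 if any entry failed.
audit_fstab_cifs_creds() {
    fstab=$1
    owner=${2:-root}
    rc=0
    while read -r src mnt fstype opts _; do
        case "$src" in ''|\#*) continue ;; esac
        [ "$fstype" = cifs ] || continue
        case ",$opts," in
            *,credentials=*)
                creds=${opts#*credentials=}; creds=${creds%%,*}
                check_secret_file "$creds" "$owner" || rc=1 ;;
            *,password=*|*,pass=*)
                echo "$src: password in /etc/fstab mount options, use credentials= instead"; rc=1 ;;
            *)
                echo "$src: no credentials= option; mount will prompt or fall back to guest" ;;
        esac
    done < "$fstab"
    return "$rc"
}

# Usage: audit_fstab_cifs_creds /etc/fstab && check_secret_file /etc/krb5.keytab
if [ -n "$1" ]; then
    audit_fstab_cifs_creds "$1"
fi
```

The keytab deserves the same check as the credentials file: whoever can read /etc/krb5.keytab can act as every service principal in it, which for an NFS or Samba server means the file server identity itself.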
Commands
yum install samba samba-client cifs-utils; systemctl enable smb; systemctl start smb
useradd -s /sbin/nologin lisa Add a Samba user; no shell login is needed or possible.
groupadd groupname; usermod -aG groupname lisa
semanage fcontext -at samba_share_t "/sambashare(/.*)?"; restorecon -Rv /sambashare
getsebool -a Show all SELinux booleans.
setsebool -P smbd_anon_write 1 Set a boolean permanently.
seinfo -t
smbpasswd -h Help; smbpasswd -a lisa sets the Samba password of an existing Linux user.
pdbedit -L List users in the Samba password database.
smbclient -L //servername List the shares on a server.
testparm Check for syntax errors in the configuration file.
mount -o user=username //servername/sambashare /mnt
klist -k List keys in the keytab file.
man mount.cifs (credentials= option), man cifscreds, man firewalld.richlanguage, man semanage-fcontext
Files
/etc/samba/smb.conf Main Samba configuration file.
/usr/lib/firewalld/services/samba.xml
/etc/krb5.keytab mode 600, owner root:root.
Packages
samba samba-client cifs-utils
38 SMTP Server
The RHCE objective wants you to create a null client. Such a client is not capable of receiving any messages, but has all the configuration that is needed to send mail messages to other hosts.
Configure on the null client:
inet_interfaces=loopback-only
inet_protocols=ipv4
relayhost=[server1.example.com]
mynetworks=127.0.0.0/8 [::1]/128
mydestination=
mydomain=example.com
Steps
Adjust relayhost to point to the corporate mail server. Enclose the host name in square brackets so Postfix uses it directly instead of doing an MX lookup:
[root@server1 ~]# postconf -e "relayhost=[smtp1.example.com]"
Configure the Postfix mail server to only relay emails from the local system. Let the mail server listen on the loopback interface only:
[root@server1 ~]# postconf -e "inet_interfaces=loopback-only"
Change the null client configuration so it forwards mails originating from the 127.0.0.0/8 IPv4 network and the [::1]/128 IPv6 network to the relay host:
[root@server1 ~]# postconf -e "mynetworks=127.0.0.0/8 [::1]/128"
Configure Postfix so outgoing mails have the sender domain rewritten to the company domain example.com:
[root@server1 ~]# postconf -e "myorigin=example.com"
Prohibit the Postfix mail server from delivering messages to local accounts. Configure the null client not to act as end point for any mail domain, so it does not accept mail whose recipient is a local account. This requires mydestination to be empty:
[root@server1 ~]# postconf -e "mydestination="
Configure the local null client not to sort mails into mailboxes on the local system (local email delivery turned off):
[root@server1 ~]# postconf -e "local_transport=error: local delivery disabled"
Restart the local Postfix null client:
[root@server1 ~]# systemctl restart postfix
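The steps above each change one parameter, and a null client is only a null client when all of them hold together. The following is an added example, not part of the original notes, that reads a main.cf and reports every parameter that still lets the host receive, deliver or relay mail: inet_interfaces other than loopback-only, a non-empty mydestination, a missing or unbracketed relayhost, and anything beyond loopback in mynetworks. It assumes plain "key = value" lines as written by postconf -e (continuation lines and $variable expansion are not handled); the sample files in the usage are constructed.

```bash
#!/bin/bash
# Added example, not from the original page: verify that a Postfix main.cf
# really describes a null client (sends only, never receives or delivers).
# Assumptions: "key = value" lines as written by postconf -e; continuation
# lines (leading whitespace) and $variable expansion are not handled.

# check_null_client MAIN_CF
# Prints one line per problem; returns 0 only when all checks pass.
check_null_client() {
    cf=$1
    problems=0
    # Postfix defaults when the key is absent from main.cf
    inet_interfaces=all
    mydestination='(default: $myhostname, localhost.$mydomain, localhost)'
    relayhost=
    mynetworks=
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*|[[:space:]]*) continue ;; esac
        case "$line" in *=*) ;; *) continue ;; esac
        key=${line%%=*}; key=${key%"${key##*[![:space:]]}"}   # trim trailing blanks
        val=${line#*=};  val=${val#"${val%%[![:space:]]*}"}   # trim leading blanks
        case "$key" in
            inet_interfaces) inet_interfaces=$val ;;
            mydestination)   mydestination=$val ;;
            relayhost)       relayhost=$val ;;
            mynetworks)      mynetworks=$val ;;
        esac
    done < "$cf"

    if [ "$inet_interfaces" != loopback-only ]; then
        echo "inet_interfaces=$inet_interfaces: smtpd is reachable from the network"
        problems=$((problems + 1))
    fi
    if [ -n "$mydestination" ]; then
        echo "mydestination=$mydestination: host still accepts mail for local delivery"
        problems=$((problems + 1))
    fi
    case "$relayhost" in
        '')     echo "relayhost unset: mail goes out by MX lookup instead of via the relay"
                problems=$((problems + 1)) ;;
        \[*\]*) ;;                       # [host] or [host]:port: MX lookup skipped, as intended
        *)      echo "relayhost=$relayhost: not in [brackets], Postfix will look up MX records for it"
                problems=$((problems + 1)) ;;
    esac
    if [ -z "$mynetworks" ]; then
        echo "mynetworks unset: Postfix default trusts every directly attached subnet"
        problems=$((problems + 1))
    fi
    set -f                               # "[::1]/128" must not be treated as a glob
    for net in $mynetworks; do
        case "$net" in
            127.0.0.0/8|\[::1\]/128) ;;
            *) echo "mynetworks contains $net: more than the local host may relay through this client"
               problems=$((problems + 1)) ;;
        esac
    done
    set +f
    [ "$problems" -eq 0 ]
}

# Usage: check_null_client /etc/postfix/main.cf
if [ -n "$1" ]; then
    check_null_client "$1"
fi
```

Run it after postconf -e and before the restart; postfix check only validates syntax, so it will happily accept a main.cf that still listens on all interfaces.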
Essential postfix parameters:
inet_interfaces Controls the network interfaces Postfix listens on for incoming messages.
myorigin Rewrite locally posted email to appear to come from this domain. Helps ensure responses return to the correct domain for which the mail server is responsible.
relayhost Specifies which central mail server to forward messages to.
mydestination Domains this server is the end point for; email addressed to these domains is delivered into local mailboxes. Mail for a domain not listed is not delivered locally; it is relayed if the client is allowed to relay (mynetworks), otherwise rejected.
local_transport Specifies what to use for local mail delivery.
inet_protocols Specifies which protocols (ipv4, ipv6, all) to use for delivery.
mynetworks Space-separated list of networks that are allowed to relay through this server without authentication.
Commands
postconf -e Edit a Postfix parameter: postconf -e 'myorigin = $mydomain', postconf -e 'relayhost=[server4.example.com]'
postconf -n Show the parameters that differ from the defaults.
postfix check Check the contents of the /etc/postfix/main.cf file.
postqueue -f Flush the mail queue.
postqueue -p Display the mail queue.
systemctl reload postfix
man 5 postconf Complete overview of Postfix parameters.
Files
/etc/postfix/main.cf /var/log/maillog
39 Configure SSH
Topics: semanage port, man sshd_config, ssh-agent, ssh-add, ssh tunnels.
AllowUsers Restrict which users may log in over SSH.
Commands
semanage port -l List all port definitions.
semanage port -a -t ssh_port_t -p tcp <port> Label an alternative port for sshd (use -m instead of -a when the port already has a label, as 443 has).
man semanage-port, man sshd_config
Local port forwarding
ssh -fNL 3333:server.roggeware.nl:80 root@server2.roggeware.nl -f run in the background, -N start no command, -L local port 3333 reaches server.roggeware.nl:80 through server2.
ssh -fNL 4444:server.rhatcertificaion.com:80 root@server2.example.com
Remote port forwarding
ssh -fNR 80:localhost:8088 root@... Port 80 on the remote host is forwarded to local port 8088; binding a privileged port on the remote side needs root there.
Files
/etc/ssh/sshd_config
~/.ssh/config SSH client configuration for a specific user.
40 Time synchronisation
Directives in /etc/chrony.conf: server, peer, allow (which clients may use this host as a time source).
chronyd daemon, chronyc command. NTP uses UDP port 123. systemctl start chronyd; systemctl enable chronyd; firewall-cmd --add-service ntp --permanent
Commands
chronyc help
chronyc sources -v Shows the current servers that chrony is synchronizing with.
chronyc tracking Detailed information about the current local time configuration.
chronyc sourcestats Detailed information about the state of the remote servers.
Files
/etc/chrony.conf /etc/chrony.keys
41 Miscellaneous commands
systemctl list-unit-files --type=service Review enabled services.
List commands
getsebool -a List all SELinux booleans.
seinfo SELinux policy query tool
--all
-r List all roles
-t List all types (seinfo -t)
-u List all users
semanage boolean --list List SELinux booleans with comments.
semanage fcontext -l List all current rules.
setfacl -m u:mike:x /home/shared Give execute permission to mike on directory /home/shared.
setfacl -R -m u:mike:rx /home/shared Allow user mike read and execute permissions on all files in /home/shared and any subdirectory.
setfacl -R -x u:mike /home/shared Remove the ACL entries for user mike.
setfacl -R -b /home/shared Remove all ACL entries for directory /home/shared and below.
setfacl -d -m u:mike:rw /home/shared Set default permissions for new files in /home/shared.
setfacl -m mask:r-- /home/shared The ACL mask limits the effective permissions of named users and groups; here the maximum effective permission is read.
SELinux
The SELinux security model is based on subjects, objects and actions. A subject is a process, such as a running command. An object is a file, a device, a socket, or in general any resource that can be accessed by a subject. An action is what the subject may do to the object. SELinux assigns different contexts to objects. A context is just a label, which the SELinux security policy uses to determine whether a subject's action on an object is allowed or not.
A label is made up of several context strings, separated by colons. A user context ends with _u, a role context ends with _r, a type context ends with _t (for example system_u:object_r:httpd_sys_content_t:s0).
sestatus Get the status of a system running SELinux.
setenforce permissive|enforcing (or 0|1) Switch the mode at runtime; the permanent setting is in /etc/selinux/config.
semanage login -l Review the mapping of Linux users to SELinux users.
id -Z Show the context of the current user.
getsebool, setsebool
-P Permanent, survives a reboot.
semanage boolean -l List all booleans with a short description.
semanage boolean -l -C List all customized booleans with a short description.
semanage port -l List all port labels.
restorecon Restore contexts to the values stored in the SELinux policy.
semanage fcontext -l List all default file context rules.
semanage fcontext -a -e /var/ftp /ftp Make /ftp get the same contexts as /var/ftp (equivalence rule), then restorecon -Rv /ftp.
sealert -a /var/log/audit/audit.log Analyzes the log and shows the denials formatted, with suggested fixes.
ps -eZ Show process contexts.
system-config-selinux GUI administration tool.
sealert -b GUI SELinux alert browser.
Files
/etc/selinux/targeted/contexts/files Configured SELinux file contexts.
42 Miscellaneous commands (continued)
chage Change user password expiry information.
rpm -qd package Show documentation files.
yum group list hidden; yum group install "groupname"
sg Execute a command with a different group ID.
gpasswd Administer group membership and group passwords.
/etc/login.defs Shadow password suite configuration.
/etc/securetty Remove a tty to disable root login on that local console.
/etc/security/access.conf Login access control table.
/etc/pam.d/su Uncomment the pam_wheel line to allow only members of the wheel group to run su -.
Environment: User and Shell Configuration
/etc/bashrc, /etc/profile, /etc/profile.d
/etc/skel When a new user is created with useradd, the files in this directory are copied to the home directory.
curl, nmap, nc
90 RHCE7 Task of the day
- 10 minutes. Setup a default secure database called maria and backup the database with mysqldump.
- 10 minutes. Setup a default secure MariaDB database called maria with a user named muser with all privileges.
- 10 minutes. Setup a default secure MariaDB database called maria and create a table named people with two columns respectively name varchar(20) and age int(10) unsigned
- 10 minutes. Setup a NFS server that exports the /opt directory in read-only mode.
- 15 minutes. Configure a Samba server called MYSERVER, belonging to the MYGROUP group, sharing the /shared directory with the name "shared".
- 03 minutes. Configure your machine to be a router.
- 10 minutes. Set up a caching-only DNS server to forward DNS queries.
- 10 minutes. Set up a caching-only DNS server.
- 10 minutes. Configure a system to forward all email to a central mail server at 192.168.1.1 (change the IP address accordingly).
- 05 minutes. Set up time synchronization with default configuration.
- 10 minutes. Change the SSH process configuration to only listen on the 443 port.
- 08 minutes. Set up an iSCSI target based on a fileio backstore of 100MB called /opt/shareddata with CHAP authentication (username=usr/password=pwd), xfs filesystem and standard firewall configuration.
91 Chapters
- Chapter 1 Prepare for Red Hat Hands-on Certifications.
- Chapter 2 Virtual Machines and Automated Installations.
- Chapter 3 Fundamental Command-Line Skills.
- Chapter 4 RHCSA Level Security Options.
- Chapter 5 RHCSA-level Security.
- Chapter 6 Linux Filesystem Administration.
- Chapter 7 Package Management.
- Chapter 8 User Administration.
- Chapter 9 RHCSA-level System Administration Tasks.
- Chapter 10 A Security Primer.
- Chapter 11 System Services and SELinux.
- Chapter 12 RHCE Administrative Task.