#vi /etc/sysconfig/iptables
Add following line:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
b) Restart iptables service to reread configuration file and add port 80:
#service iptables restart
c) Check iptables now allows incoming packets on port 80:
#iptables -L
You should see the following line added to cmd output:
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
F) Add RHEL 6.4 DVD files to vsFTP server so they can be used in remote installs:
1) Create new /var/ftp/pub directory to hold RHEL install files:
#mkdir /var/ftp/pub/inst
2) Copy RHEL 6.4 DVD files from /data/rhel64 to new inst subdirectory:
#cp -ar /data/rhel64/. /var/ftp/pub/inst
6) Change selinux security context for my inst sub directory and its files:
#chcon -R --reference=/var/ftp/pub /var/ftp/pub/inst
7) Check you can now see the RHEL 6.4 DVD files via the web browser:
browse to http://127.0.0.1/inst
You should now see the required files.
G) Setup local user doldham to use sudo cmd:
#usermod -G wheel doldham
#vi /etc/sudoers
Uncomment following line to allow wheel group access to sudo:
## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
to:
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
Write and save /etc/sudoers file.
H) Add eth0 NIC IP address details to /etc/hosts:
#vi /etc/hosts
Add following line:
192.168.0.40    rhel64vmhost1 rhel64vmhost1.dno.com
DNS1=192.168.0.1
DOMAIN=Home dno.com
Write and Save /etc/sysconfig/network-scripts/ifcfg-eth0 file.
6) Prove DNS lookup is now working:
#dig google.com
Note you should see an IP address returned for google.com.
7) Prove Firefox web browser now works:
Open Firefox and browse to google.com
Page should now load.
J) Configure NTP to sync to Red Hat public NTP pool servers:
1) Edit /etc/ntp.conf to confirm the 3 Red Hat NTP servers are listed:
#vi /etc/ntp.conf
Confirm following lines are within the /etc/ntp.conf file:
server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
If these are missing then add them and Write and Save the /etc/ntp.conf file.
2) Edit /etc/ntp.conf to confirm correct restrictions are in place:
#vi /etc/ntp.conf
Confirm following lines are within the /etc/ntp.conf file:
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
#ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*janetzki.eu     131.188.3.220    2 u   58   64  377   43.353  -37.863  10.379
+h002.helix.fast 193.190.230.66   2 u   62   64  377   34.580  -54.235   14.04
+golf.zq1.de     122.227.206.195  3 u   60   64  377   40.022  -50.357   7.039
K) Install and configure DNS server:
1) Install all bind packages:
#yum install bind*
2) Edit /etc/named.conf and configure this as a DNS server that the KVM VMs will poll for DNS queries:
#vi /etc/named.conf
As the KVM VMs will be installed with following IP addressing:
server1.dnoexample.com    eth0 192.168.122.51/24  DG 192.168.122.1 (rhel64vmhost1 virtual network 1)
tester1.dnoexample.com    eth0 192.168.122.151/24 DG 192.168.122.1
outsider1.dnoexample.org  eth0 192.168.100.100/24 DG 192.168.100.1 (rhel64vmhost1 virtual network 2)
These need to be added into the /etc/named.conf (bold text was added):
options {
        listen-on port 53 { 127.0.0.1; 192.168.122.1; 192.168.100.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.122.0/24; 192.168.100.0/24; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "dnoexample.com" IN {
        type master;
        file "fwd.dnoexample.com";
        allow-update { none; };
};
zone "dnoexample.org" IN {
        type master;
        file "fwd.dnoexample.org";
        allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
        type master;
        file "rev.dnoexample.com";
        allow-update { none; };
};
zone "100.168.192.in-addr.arpa" IN {
        type master;
        file "rev.dnoexample.org";
        allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
@               IN A    192.168.122.151
rhel64vmhost1   IN A    192.168.122.1
server1         IN A    192.168.122.51
tester1         IN A    192.168.122.151
#vi /var/named/rev.dnoexample.com
$TTL 86400
@   IN  SOA     rhel64vmhost1.dnoexample.org. root.dnoexample.org. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@               IN NS   rhel64vmhost1.dnoexample.org.
@               IN A    192.168.100.1
@               IN A    192.168.100.101
rhel64vmhost1   IN A    192.168.100.1
outsider1       IN A    192.168.100.101
#vi /var/named/fwd.dnoexample.org
$TTL 86400
@   IN  SOA     rhel64vmhost1.dnoexample.org. root.dnoexample.org. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@               IN NS   rhel64vmhost1.dnoexample.org.
@               IN A    192.168.100.1
@               IN A    192.168.100.101
rhel64vmhost1   IN A    192.168.100.1
outsider1       IN A    192.168.100.101
#vi /var/named/rev.dnoexample.org
$TTL 86400
@   IN  SOA     rhel64vmhost1.dnoexample.org. root.dnoexample.org. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@               IN NS   rhel64vmhost1.dnoexample.org.
@               IN PTR  dnoexample.org.
rhel64vmhost1   IN A    192.168.100.1
outsider1       IN A    192.168.100.101
1               IN PTR  rhel64vmhost1.dnoexample.org.
101             IN PTR  outsider1.dnoexample.org.
4) Set correct selinux context for files created in 3):
#chcon --reference=/var/named fwd.*
#chcon --reference=/var/named rev.*
5) Set correct ownership and file permissions on files created in 3):
#chown root:named fwd.*
#chown root:named rev.*
#chmod o-r fwd.*
#chmod o-r rev.*
6) Add DNS port 53 for TCP and UDP within the iptables:
#vi /etc/sysconfig/iptables
Add following two lines:
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
Write and Save /etc/sysconfig/iptables file.
7) Restart iptables server to take changes into effect:
#service iptables restart
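As an added example (not part of the original notes): the port 80 rule from step E and the two port 53 rules from step 6 only take effect if they sit above the final REJECT rule of the INPUT chain, because iptables matches rules top to bottom. The script below reads a rules file in the /etc/sysconfig/iptables format (a constructed sample is embedded, with the tcp/53 rule deliberately pasted below the REJECT line) and reports for a given protocol and port whether the ACCEPT rule is present, missing, or shadowed by the REJECT. Replace the printf with `cat /etc/sysconfig/iptables` to run it against the real file.

```shell
#!/bin/sh
# Added example, not from the original notes: verify that an ACCEPT rule for
# a port is present in an iptables rules file AND is placed before the final
# REJECT rule, otherwise it never matches.

# Constructed sample of /etc/sysconfig/iptables. The tcp/53 line has been
# put after the REJECT rule on purpose to show the failure case.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# check_port_rule PROTO PORT
# Prints "ok", "missing" or "shadowed" for the INPUT chain.
check_port_rule() {
    proto=$1
    port=$2
    printf '%s\n' "$SAMPLE_RULES" | awk -v proto="$proto" -v port="$port" '
        /^-A INPUT / {
            n++
            # remember the position of the first catch-all REJECT
            if ($0 ~ "-j REJECT" && !reject) reject = n
            # remember the position of the first matching ACCEPT
            if ($0 ~ ("-p " proto " ") && $0 ~ ("--dport " port " ") &&
                $0 ~ "-j ACCEPT" && !accept) accept = n
        }
        END {
            if (!accept)                      print "missing"
            else if (reject && accept > reject) print "shadowed"
            else                              print "ok"
        }'
}

# Stand-alone run: report on the ports configured in the notes above.
for spec in "tcp 80" "udp 53" "tcp 53"; do
    set -- $spec
    echo "$1/$2: $(check_port_rule "$1" "$2")"
done
```

The same check is worth running after every `service iptables restart`: a rule that `iptables -L` lists is not necessarily one that traffic can reach.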
Note we now need to install Red Hat KVM packages and configure the 2 virtual networks so main server rhel64vmhost1 has virtual NICs we can assign the .1 addresses for 192.168.122 and 192.168.100 subnets. Once this is completed we can return to finish the DNS setup.
#yum install qemu*
#yum install python-virtinst*
#yum install virt-manager*
#yum install virt-top*
#yum install virt-viewer*
#yum install libvirt
#yum install libvirt-client
#lsmod | grep kvm
kvm_intel              53484  0
kvm                   316506  1 kvm_intel
#dig @rhel64vmhost1.dnoexample.com tester1.dnoexample.com
#dig @rhel64vmhost1.dnoexample.org rhel64vmhost1.dnoexample.org
#dig @rhel64vmhost1.dnoexample.org outsider1.dnoexample.org
These should all return the required IP addresses as follows:
rhel64vmhost1.dnoexample.com    192.168.122.1
server1.dnoexample.com          192.168.122.51
tester1.dnoexample.com          192.168.122.151
rhel64vmhost1.dnoexample.org    192.168.100.1
outsider1.dnoexample.org        192.168.100.101
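As an added example (not part of the original notes): the forward and reverse zone files above are maintained by hand, so the A records and the PTR records drift apart easily, and the dig checks only prove the forward side. The script below holds a constructed forward zone and reverse zone in the same layout as the files in step 3 (the PTR for .151 deliberately points at a name whose A record says .150) and reports every PTR whose target name does not resolve back to that address.

```shell
#!/bin/sh
# Added example, not from the original notes: cross-check the A records of a
# forward zone against the PTR records of its reverse zone.

# Constructed zone data (not the files from the notes). The tester1 A record
# deliberately disagrees with its PTR so the mismatch path is exercised.
FWD_ZONE='$TTL 86400
@ IN SOA rhel64vmhost1.dnoexample.com. root.dnoexample.com. (
        2011071001 ; Serial
        3600 ; Refresh
        1800 ; Retry
        604800 ; Expire
        86400 ) ; Minimum TTL
@             IN NS rhel64vmhost1.dnoexample.com.
rhel64vmhost1 IN A  192.168.122.1
server1       IN A  192.168.122.51
tester1       IN A  192.168.122.150'

REV_ZONE='$TTL 86400
@ IN SOA rhel64vmhost1.dnoexample.com. root.dnoexample.com. (
        2011071001 3600 1800 604800 86400 )
@   IN NS  rhel64vmhost1.dnoexample.com.
1   IN PTR rhel64vmhost1.dnoexample.com.
51  IN PTR server1.dnoexample.com.
151 IN PTR tester1.dnoexample.com.'

# check_zones DOMAIN NETWORK_PREFIX
# For each PTR prints "ok NAME IP" or "mismatch NAME PTR_IP A_IP".
check_zones() {
    domain=$1
    prefix=$2
    {
        # A records first, so they are loaded before the PTRs are examined
        printf '%s\n' "$FWD_ZONE" | awk '$2=="IN" && $3=="A"   {print "A",   $1, $4}'
        printf '%s\n' "$REV_ZONE" | awk '$2=="IN" && $3=="PTR" {print "PTR", $1, $4}'
    } | awk -v domain="$domain" -v prefix="$prefix" '
        # unqualified owner name -> FQDN with trailing dot, as PTRs use it
        $1=="A"   { a[$2 "." domain "."] = $3 }
        $1=="PTR" {
            ip = prefix "." $2
            if (a[$3] == ip) print "ok", $3, ip
            else print "mismatch", $3, ip, (a[$3] ? a[$3] : "none")
        }'
}

# Stand-alone run for the 192.168.122.0/24 network of dnoexample.com.
check_zones dnoexample.com 192.168.122
```

The same function works on the real files by replacing the two printf commands with `cat /var/named/fwd.dnoexample.com` and `cat /var/named/rev.dnoexample.com`; run it before bumping the serial so a bad record is never published.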
Base Parallels RHEL 6.4 VM is now ready for you to create the required Red Hat KVM VMs to use in the following LAB sections.
Hostname: server1.dnoexample.com
IP: 192.168.122.51/24 DG 192.168.122.1
CPUs: 2
Memory: 2 GB
Disk: 1 x 12 GB virtual disk for use by whole server
Hostname: clone1.dnoexample.org
IP: 192.168.100.51/24 DG 192.168.100.1
CPUs: 2
Memory: 2 GB
Disk: 1 x 12 GB virtual disk for use by whole
Software: Basic server plus desktop, fonts, X Window system and Internet browser
NETWORKING=yes
HOSTNAME=clone1.dnoexample.org
GATEWAY=192.168.100.1
Write and Save /etc/sysconfig/network file.
8) Amend /etc/sysconfig/network-scripts/ifcfg-eth1 file:
#vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=static
DNS1=192.168.100.1
GATEWAY=192.168.100.1
HWADDR=52:54:00:B6:A7:7F
IPADDR=192.168.100.51
NETMASK=255.255.255.0
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=ETHERNET
Write and Save /etc/sysconfig/network-scripts/ifcfg-eth1 file.
9) Amend /etc/hosts file to add hostname and IP address:
#vi /etc/hosts
Add following line:
192.168.100.51 clone1 clone1.dnoexample.org
Write and Save /etc/hosts file.
10) Amend VM virtual network from cloned default network to outsider1 network:
VM CONSOLE -> View -> Details -> NIC
Amend Source Device from Virtual network default : NAT to Virtual network outsider : NAT and click Apply button.
11) Reboot clone1.dnoexample.org.
12) Confirm network access back to rhel64vmhost1 on 192.168.100 subnet:
#ping 192.168.100.1
As long as the above ping works the basic clone1 server setup is completed.
Hostname: tester1.dnoexample.com
IP: 192.168.122.151/24 DG 192.168.122.1
CPUs: 2
Memory: 2 GB
Disk: 1 x 12 GB virtual disk for use by whole
Software: Basic server plus desktop, fonts, X Window system and Internet browser
Language: English
Keyboard: UK
Enable IPv4 Manual Configuration:
IPv4 address: 192.168.122.151
Gateway: 192.168.122.1
Name Server: 192.168.122.1
** Note install will fail if kernel module nf_conntrack_ftp is not loaded **
To load this module:
#modprobe nf_conntrack_ftp
#lsmod | grep nf_conntrack_ftp
2) At Red Hat install splash screen click Next button.
3) Confirm Basic Storage Devices checkbox is selected and
click Next button.
4) Select Yes, discard any data option button.
5) Confirm hostname is server1.dnoexample.com and click
Next Button.
6) Select Europe/London as timezone and click Next button.
7) Enter root password twice and click Next button.
8) Select Use All Space option and click Next button.
9) Click Write changes to disk button.
10) Confirm Basic server is selected, check Customize now
checkbox and Next.
11) Add Desktops-> Desktop, Fonts and X Window system and Applications-> Web Browser additional software and click Next button.
OS install will now start, wait until it's finished.
12) At install complete splash screen click reboot button.
First boot of tester1.dnoexample.com will now occur:
1) Click Forward button at Welcome splash screen.
2) Confirm Yes check box is selected and click Forward
button.
3) Check NO, I prefer to register at a later time and click
Forward button.
4) Click Register Later button and click Forward button.
5) Enter doldham as new user and enter password twice and
click Forward.
6) Check Synchronize date and time over the network as
long as 3 default Red
Hostname: outsider1.dnoexample.org
IP: 192.168.100.101/24 DG 192.168.100.1
CPUs: 2
Memory: 2 GB
Disk: 1 x 12 GB virtual disk for use by whole
Software: Basic server plus desktop, fonts, X Window system and Internet browser
lang en_US.UTF-8
keyboard uk
network --onboot yes --device eth0 --bootproto static --ip 192.168.100.101 --netmask 255.255.255.0 --gateway 192.168.100.1 --nameserver 192.168.100.1 --noipv6 --hostname outsider1.dnoexample.org
rootpw --iscrypted $6$D56NF/WKvyWdFauz$dY.QQWm6SAP0PEuiCEJv370uaSCOz7Yg.Rttd8xGhlDY0m.85RSUEq3e7aN1ghV4iSBRGIqhUvKcvF9hZKBY/1
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc Europe/London
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb quiet"
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --all
zerombr
part /boot --fstype=ext4 --asprimary --size=500
part / --fstype=ext4 --asprimary --size=6656
part swap --asprimary --size=4096
part /home --fstype=ext4 --size=1024
%packages
@base
@client-mgmt-tools
@console-internet
@core
@debugging
@basic-desktop
@directory-client
@fonts
@hardware-monitoring
@internet-browser
@java-platform
@large-systems
@legacy-x
@network-file-system-client
@performance
@perl-runtime
@server-platform
@server-policy
@x11
mtools
pax
python-dmidecode
oddjob
sgpio
device-mapper-persistent-data
samba-winbind
certmonger
pam_krb5
krb5-workstation
libXmu
perl-DBD-SQLite
%end
shutdown
firstboot --disabled
2) Copy newly created kickstart file to /var/ftp/pub:
#cp /var/www/html/inst/outsider1-ks.cfg /var/ftp/pub
3) Change selinux settings for kickstart file in both /var/www/html/inst and /var/ftp/pub.
#chcon --reference=/var/www/html /var/www/html/inst/outsider1-ks.cfg
#chcon --reference=/var/ftp/pub /var/ftp/pub/outsider1-ks.cfg
Make sure all users have read access to new kickstart file:
#chmod 444 /var/www/html/inst/outsider1-ks.cfg
#chmod 444 /var/ftp/pub/outsider1-ks.cfg
4) Create new outsider1.dnoexample.org from virt-manager gui.
Select localhost (QEMU) and right click, then select New option.
Enter hostname as outsider1.dnoexample.org
Leave install method as local install media (ISO image or CDROM) and click Forward button.
Click Use CDROM or DVD option and set OS type to Linux and Version should default to RHEL 6 then click Forward button.
Set Memory to 2048 and 2 CPUs and click Forward button.
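As an added example (not part of the original notes): once the kickstart file is world-readable and served over FTP and HTTP, anyone on the install network can fetch it, so the rootpw line must be a hash (as in the file above) and the selinux, firewall and authconfig lines should not quietly weaken the new system. The function below audits a kickstart fed on stdin for exactly those lines; the two embedded kickstart excerpts are constructed, and the hash in the good one is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a kickstart file before
# it is published via /var/ftp/pub or /var/www/html.

# Constructed "good" excerpt: hashed root password (placeholder hash),
# firewall on, SELinux enforcing, sha512 password hashing.
GOOD_KS='lang en_US.UTF-8
rootpw --iscrypted $6$PLACEHOLDERSALT$PLACEHOLDERHASH
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing'

# Constructed "bad" excerpt with every check failing.
BAD_KS='lang en_US.UTF-8
rootpw --plaintext changeme
firewall --disabled
authconfig --enableshadow --passalgo=md5
selinux --permissive'

# audit_kickstart: reads a kickstart on stdin, prints one finding per line,
# or "clean" when nothing is flagged.
audit_kickstart() {
    awk '
        function note(msg) { print msg; findings++ }
        $1=="rootpw" {
            seen_rootpw = 1
            if ($2 != "--iscrypted")      note("rootpw is not hashed (use --iscrypted)")
            else if ($3 !~ /^\$6\$/)      note("rootpw hash is not sha512crypt ($6$)")
        }
        $1=="firewall"   && $2=="--disabled"        { note("firewall is disabled") }
        $1=="selinux"    && $2!="--enforcing"       { note("selinux is not enforcing") }
        $1=="authconfig" && $0 !~ /--passalgo=sha512/ { note("authconfig does not use --passalgo=sha512") }
        END {
            if (!seen_rootpw) note("rootpw line missing")
            if (!findings)    print "clean"
        }'
}

# Stand-alone run over both constructed excerpts.
echo "good kickstart:"; printf '%s\n' "$GOOD_KS" | audit_kickstart
echo "bad kickstart:";  printf '%s\n' "$BAD_KS"  | audit_kickstart
```

Run it as `audit_kickstart < /var/www/html/inst/outsider1-ks.cfg` before the chmod 444 step; a hashed rootpw is still readable by every client on the network, so it also pays to give the install VLAN the same trust you would give /etc/shadow.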
D) Now power down the remote system. You can ssh again into the
remote system and run the poweroff command directly from there.
Run the exit command immediately, or just wait until the VM has
had a chance to shut down. Now how do you reverse the process, so
this system does not start the next time you reboot the physical
host system?
Lab 8
A) In this lab, you'll use the commands described at the end of
Chapter 2 to test connections to available services. If you've created
the network installation servers described in Chapter 1, there will be
at least FTP and HTTP servers active on those systems. The default
ports for these services are 21 and 80, respectively. Try the telnet
localhost 21 command on a local system, where the vsFTP service is
active. Look at the following output:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 (vsFTPd 2.2.2)
B) Now exit from the local connection. Confirm the IP address of the
local system with the ifconfig eth0 command. It should be an
address such as 192.168.122.50. Log in to a remote VM such as
tester1.example.org with a command like ssh
root@192.168.122.150. Now try the same command again from that
remote system; for example, for the server1.example.com system
on IP address 192.168.122.50, run the following command:
Note you will need to install telnet to perform this test:
#yum install telnet
# telnet 192.168.122.50 21
Do you get a "connection refused" or a "no route to host" message?
What do each of those messages mean? It's acceptable if you're not
certain about how to address this issue now, as firewalls are not
covered until Chapter 4.
C) Now try nmap on the local system with the following command:
# nmap localhost
#yum update
d) Test new local repo:
#yum repolist
e) Install missing package gcc:
#yum install nmap
# nmap 192.168.122.50
4. If you can't yet identify the problem, open the Network Manager
Network Connections tool. Review the wired Ethernet connections. If
you see the inconsistency, address it.
5. Make sure the system configuration works after a restart of the
/etc/init.d/network script, as well as a system reboot.
6. If you still have problems, look at the file in the /root/backup
directory. If you're not sure which file has been changed, run the ls
-ltr command. It'll be the last file listed in the output.
7. After completing this lab, restore the latest file copied to the
/root/backup directory to its original location. The standard directory
is described in the body of this chapter. Then run the chattr -i
/root/backup/* command; otherwise, Lab 3 won't work.
Answer:
File /etc/sysconfig/network-scripts/ifcfg-eth0 was amended as follows:
IPADDR=192.168.12.51
From:
IPADDR=192.168.122.51
So eth0 is now configured on a new network subnet and can't reach the 192.168.122.1 NIC on rhel64vmhost.dnoexample.com.
To fix, amend IPADDR back to the 192.168.122 subnet and restart networking.
#vi /etc/sysconfig/network-scripts/ifcfg-eth0
#service network restart
Confirm you can now reach rhel64vmhost1.dnoexample.com.
Lab 3
This lab is based on the Ch3Lab3 script, available in the Chapter3/
subdirectory, as described earlier. If you followed the instructions at
the beginning of this section, the script should be available in the
/root directory. Navigate to that directory and take the following
steps.
Be aware, this lab assumes the first Ethernet adapter on the system
is active, as device eth0. If that isn't the case on your test system,
the script used in this lab won't work.
1. Execute the script for this lab with the ./Ch3Lab3 command.
2. Test connections to local and remote systems, such as the
hostname or FQDN for the local system or the IP address of the
nameserver listed in the /etc/resolv.conf file. Use the ping command
as appropriate.
3. Review applicable network configuration files. Run the ifconfig
command. Can you identify the problem yet?
4. If you can't yet identify the problem, try the ifconfig -a command.
Do you see a difference in the output? What do you do?
5. Make sure the system configuration works after a restart of the
/etc/init.d/network script, as well as a system reboot.
Answer:
Primary NIC eth0 was down.
Bring eth0 up as follows:
#ifup eth0
Lab 4
This lab is based on the Ch3Lab4 script, available in the Chapter3/
subdirectory, as described earlier. If you followed the instructions at
the beginning of this section, the script should be available in your
/root directory. Navigate to that directory and take the following
steps:
1. Execute the script associated with this lab with the ./Ch3Lab4
command.
2. Test connections to remote systems, such as the hostname or
FQDN for the local system. Try the ping command as appropriate, on
local and remote hostnames and IP addresses. Can you identify the
problem yet?
3. Make sure the system configuration works after a restart of the
/etc/init.d/network script, as well as a system reboot.
4. If you still have problems, look at the file in the /root/backup
directory. If you're not sure which file has been changed, run the ls
-ltr command. It'll be the last file listed in the output.
Answer:
File /etc/resolv.conf was amended:
nameserver 192.168.1.111
From:
nameserver 192.168.122.1
So any name resolution will fail as the server is trying to use a nameserver that doesn't exist.
To fix, amend /etc/resolv.conf:
nameserver 192.168.122.1
Lab 5
In this lab, you'll set up an /etc/hosts file for the different systems on
the local network. The instructions in this lab are based on the test
systems described in Chapter 1.
1. Back up the /etc/hosts file to an appropriate directory, such as
/root.
2. Open the /etc/hosts file. You'll probably see IPv4 and IPv6 entries
for their respective loopback hostnames and addresses. That can
serve as a model for the other entries that you'll make in this file.
3. You'll probably see an entry with the local hostname and a
comment about it being added by the Network Manager. Do not
change that entry.
4. When all the noted systems are running, test the result. If these
systems are on virtual machines, that may depend in part on the
activation of IP forwarding as discussed in Chapter 1. Run the ping
command, first on each IP address in /etc/hosts, and then on each
hostname in /etc/hosts.
Answer:
Following added to /etc/hosts on each server.
192.168.0.40      rhel64vmhost1 rhel64vmhost1.dno.com
192.168.122.1     rhel64vmhost1.dnoexample.com
192.168.100.1     rhel64vmhost1.dnoexample.org
192.168.122.51    server1 server1.dnoexample.com
192.168.122.151   tester1 tester1.dnoexample.com
The Red Hat exams are unique based on their reliance on labs and
hands-on demonstrations. Be aware, while Labs 1 and 2 cover
different topics, they are designed to be run consecutively. The
same is true for Labs 5, 6, and 7, which are also designed to be run
consecutively.
Lab 1
In this lab you'll explore the role of permissions and the SUID bit. To
do so, you'll create a simple script in the /usr/local/bin directory. Call
it script1.
1. In a text editor, open file script1 in the /usr/local/bin directory.
2. Enter the following lines in that file:
#!/bin/bash
/bin/ls > filelist
3. Save the file.
4. Try to execute that script as the root administrative user. What
happens?
Answer:
The default umask has set the permissions of the script1 file to rw-r--r--, so even the script owner root does not have execute permission to run the script.
5. Set up execute permissions for the user owner of the script1 file
with the chmod u+x /usr/local/bin/script1 command. Can you now
execute the script as the root administrative user?
Answer:
#chmod +x script1
#./script1
#cat filelist
6. Now set up execute permissions for other users in the script1 file.
Log in as a regular user. Can you now execute the script as a regular
user?
Answer:
#chmod +x script1
#su doldham
#cd /usr/local/bin
#./script1
Note the script will run, but as other users don't have permission to write into /usr/local/bin, the redirection of the ls output into the file filelist fails. To fix, add other-user write permission to the /usr/local/bin directory. It will also fail if you don't remove the original copy of the filelist output file created by the first run as the root user.
#chmod o+w /usr/local/bin
#./script1
#cat filelist
(output as root)
(output as doldham)
In this lab, you'll use the script created in Lab 1. You'll set up regular
permissions on that script, and then configure ACLs for that script to
be executed by a regular user. It also assumes that the filesystem
with the /usr/local/bin directory is the top-level root directory, and is
not already mounted with ACLs.
1. Change the permissions on the script1 file created in Lab 1 with
the chmod 644 /usr/local/bin/script1 command.
Answer:
#chmod 644 /usr/local/bin/script1
2. Log in as a regular user. Try to execute that script. What happens?
Answer:
As the script1 now has no execute permissions you cant run it as
root or a regular user.
3. Remount the top-level root directory (/) with ACLs with the
following command:
# mount -o remount,acl /
As long as the /etc/fstab file is configured in the top-level root
directory (/), this command should work. To verify, run the mount
command by itself; it should show output similar to:
/dev/vda2 on / type ext4 (rw,acl)
Answer:
/dev/sda2 on / type ext4 (rw,acl)
So root filesystem mounted on / including /usr/local/bin subdirectory
is now mounted to allow ACLs.
4. Now you'll be able to set ACLs on the noted script. Configure read
and execute ACLs for one regular user on the script1 file. Verify with
the getfacl command.
Answer:
#setfacl -m u:doldham:r-x /usr/local/bin/script1
#getfacl /usr/local/bin/script1
getfacl: Removing leading '/' from absolute path names
# file: usr/local/bin/script1
# owner: root
# group: root
user::rw-
user:doldham:r-x
group::r--
mask::r-x
other::r--
5. Repeat Step 2, logging in as the regular user given ACL privileges to the script1 script. What happens?
Answer:
The specified normal user with ACL access can run script1 but other
regular users still cannot.
6. If you want to restore the original configuration, delete the script1
file from the /usr/local/bin directory. If your original configuration did
not include ACLs on the top level root directory, you can restore that
situation with the following command:
Answer:
#rm /usr/local/bin/script1
#rm /usr/local/bin/filelist
# mount -o remount /
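As an added example (not part of the original notes): the mask entry in the getfacl listing above is what actually limits named-user and group entries, and a later chmod on the file rewrites that mask. The function below parses a getfacl listing (a constructed one is embedded, with a mask of r-- as you would get after the chmod 644 of step 1 is repeated once the ACL exists) and computes the permissions a named user really ends up with, which is what getfacl shows in its "#effective:" annotation.

```shell
#!/bin/sh
# Added example, not from the original notes: compute the effective ACL
# permissions of a named user, i.e. the user entry ANDed with the mask.

# Constructed getfacl output for the script1 scenario with a restrictive mask.
SAMPLE_ACL='# file: usr/local/bin/script1
# owner: root
# group: root
user::rw-
user:doldham:r-x
group::r--
mask::r--
other::r--'

# effective_perms USER [MASK]
# Prints the permissions USER effectively has; MASK overrides the listing.
effective_perms() {
    printf '%s\n' "$SAMPLE_ACL" | awk -F: -v who="$1" -v maskov="$2" '
        /^mask::/             { mask = $3 }
        $1=="user" && $2==who { named = $3 }
        END {
            if (maskov != "") mask = maskov
            if (named == "") { print "no named entry"; exit }
            eff = ""
            # a bit survives only if both the named entry and the mask grant it
            for (i = 1; i <= 3; i++) {
                c = substr(named, i, 1)
                eff = eff ((c != "-" && substr(mask, i, 1) == c) ? c : "-")
            }
            print eff
        }'
}

# can_execute USER: exit status 0 if the effective permissions include x.
can_execute() {
    case "$(effective_perms "$1")" in
        *x*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone run: doldham with the r-- mask from the listing, then with r-x.
echo "doldham, mask from listing: $(effective_perms doldham)"
echo "doldham, mask r-x:          $(effective_perms doldham r-x)"
```

When a user who was granted r-x reports "permission denied", check the mask line before the user line: `setfacl -m m::r-x FILE` restores it without touching the other entries.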
Lab 3
In this lab, you'll set ACLs for a regular user for the root
administrative user's home directory, /root. Start with setting ACLs
for the directory, and review the results from the regular user's
account. What files can be read from the /root directory? What else
do you have to do to set up ACLs on a specific file in the /root
directory?
Just make sure to disable ACLs on the /root directory when the lab is
complete. ACLs can be a risky business if the account of the subject
regular user is ever compromised.
Answer:
1) Add ACL to root filesystem:
#mount -o remount,acl /
#mount | grep acl
#sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
or
#getenforce
Enforcing
2) Amend selinux status:
From cmd line:
#setenforce permissive
Amend /etc/sysconfig/selinux file and reboot:
#vi /etc/sysconfig/selinux
Change as follows:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
#reboot
New sestatus:
#sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          error (Success)
Policy version:                 24
Policy from config file:        targeted
So selinux is now in permissive mode.
Once we amend the /etc/sysconfig/selinux file back to enforcing and reboot, the system reboots twice and takes a lot longer.
So avoid changing the setting in the file in the exam if at all possible; if you have to change mode use the setenforce cmd from the cmd line, unless they explicitly state the file needs updating, i.e. the change must be reboot persistent.
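As an added example (not part of the original notes): because setenforce changes the running mode without touching /etc/sysconfig/selinux, the "Current mode" and "Mode from config file" lines of sestatus can disagree, and that disagreement is exactly what you want to spot on a system someone else has been working on. The function below reads sestatus output on stdin and reports whether the two agree; the embedded sample output is constructed (a real run is `sestatus | selinux_drift`).

```shell
#!/bin/sh
# Added example, not from the original notes: detect a running SELinux mode
# that differs from the configured one (e.g. after "setenforce permissive").

# Constructed sestatus output showing drift: permissive now, enforcing on disk.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted'

# selinux_drift: reads sestatus output on stdin and prints one of
#   "drift CURRENT vs CONFIGURED", "consistent MODE" or "unknown".
selinux_drift() {
    awk -F': *' '
        $1=="Current mode"          { cur = $2 }
        $1=="Mode from config file" { cfg = $2 }
        END {
            if (cur == "" || cfg == "") print "unknown"
            else if (cur != cfg)        print "drift " cur " vs " cfg
            else                        print "consistent " cur
        }'
}

# sample_drift: convenience wrapper that runs the check on the constructed sample.
sample_drift() {
    printf '%s\n' "$SAMPLE_SESTATUS" | selinux_drift
}

# Stand-alone run over the constructed sample.
echo "sample:  $(sample_drift)"
```

A "drift" result after a reboot should not happen at all (the running mode is read from the config file at boot), so seeing one on a live system means somebody ran setenforce; on RHEL 6 the "Mode from config file" line can also read "error (Success)", as the page's own sestatus output shows, which this function reports as drift rather than hiding it.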
Lab 5
In this lab, you'll set up one regular user in the SELinux guest_u
category. Remember that the relevant commands start with
semanage login. Given the options with the __default__ user, there
are multiple ways to meet the requirements of this lab.
Before making any changes, record the current status of SELinux users; one method is with the following command, which records the
Login Name      SELinux User    MLS/MCS Range
__default__     unconfined_u    s0-s0:c0.c1023
root            unconfined_u    s0-s0:c0.c1023
system_u        system_u        s0-s0:c0.c1023
1) Set regular user test1 into the guest_u category:
Make sure to make the script executable. If the script runs and the
disks file is created, then you were successful.
When the process is complete, log in to the GUI as an unconfined
user and review the SELinux users in the GUI SELinux Administration
tool. (For this purpose, it's acceptable to log into the GUI with the
root administrative account.) Use the User Mapping section, and the
tools available to restore the original configuration as documented
in the selinuxusers file. Don't forget to deactivate the
allow_guest_exec_content boolean.
Answer:
1) Check normal state of selinux boolean
allow_guest_exec_content:
#getsebool allow_guest_exec_content
allow_guest_exec_content --> off
2) Set selinux boolean allow_guest_exec_content on:
#setsebool -P allow_guest_exec_content=1
#getsebool allow_guest_exec_content
allow_guest_exec_content --> on
3) Login to console as test1 user assigned as guest_u.
4) Create disklist script:
#vi disklist
Add required code:
#!/bin/bash
/bin/df > disks
Save and Write the disklist script.
5) Add execute permission to script:
#chmod u+x disklist
6) Run disklist script:
#./disklist
#cat disks
Note script does run and produce the disks output file but
does error with /bin/df /var/lib/nfs/rpc_pipefs permission
denied but rest of mounts are listed.
Note before the setting of selinux boolean
allow_guest_exec_content the script fails to run with a
permission error even with user execute privilege.
Lab 8
In this lab, you'll create a new /ftp directory with SELinux contexts
appropriate for that directory. It should be based on the contexts in
the /var/ftp/pub directory. Use the knowledge that you gained in this
chapter to complete this lab. When you are done, restore the
original contexts on the /ftp directory. How do the SELinux contexts
differ? From what file did the restored contexts come from? Are the
restored contexts the same as when the /ftp directory was created?
Answer:
1) Create new directory /ftp and confirm selinux contexts:
#mkdir /ftp
#ls -Zd /ftp
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /ftp
2) Change contexts to what's required for an ftp directory:
#chcon --reference=/var/ftp/pub /ftp
#ls -Zd /ftp
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /ftp
3) Restore original contexts to /ftp directory:
#restorecon -F /ftp
#ls -Zd /ftp
drwxr-xr-x. root root system_u:object_r:default_t:s0 /ftp
Once you restore the context it changes from unconfined_u to system_u.
Lab 9
Answer:
A small 500m partition at the beginning of disk mounted on /boot.
2. Power-up the local system. During the boot process, when you
see the following message (the operating system name and version
number may vary), press a key.
Booting Red Hat Enterprise Linux Server (2.6.32-71.el6.x86_64) in 5
seconds....
Done.
3. Edit the default option. If the GRUB bootloader is already
password-protected, press P and enter the password.
4. Press A to edit the kernel command line.
Done.
5. What do you need to change and add to that command line to
boot the system into runlevel 3 with all boot messages displayed?
Remove rhgb quiet and add 3 to end of boot line.
6. Make required changes, and proceed with booting into runlevel 3.
Done.
7. Once the system is booted, what command verifies the current runlevel?
#who -r
or
#runlevel
8. Open the /etc/inittab configuration file. What's the current default runlevel? Make a note of that number.
Default current runlevel is 5, multi-user mode with X11 and networking.
9. Edit the /etc/inittab configuration file so that the system boots normally into runlevel 2.
#vi /etc/inittab
Change as follows:
id:2:initdefault:
Write and Save /etc/inittab file.
10. Reboot the system. How do you confirm that the changes worked?
#who -r
or
#runlevel
11. Edit the /etc/inittab configuration file. Restore the original default runlevel.
#vi /etc/inittab
Change as follows:
id:5:initdefault:
Save and Write /etc/inittab file.
Lab 2
This lab is focused on one thing you can do when booting into runlevel 1, also known as single-user mode. As suggested by a now-superseded version of the RHCSA objectives, in this lab you'll change the root administrative password. But here's a twist: assume that you don't know the current version of that password. What do you do?
Answer:
1) Break into boot sequence and edit boot line and boot into
single user mode.
2) Remove current root password from /etc/shadow file:
#vi /etc/shadow
Remove any text on root line after first colon and before
the 2nd colon.
Write and Save /etc/shadow file.
Lab 4
In this lab, you'll set up a second stanza in the GRUB configuration
file. Before getting started, it's best to back up the file. For example,
the following command backs up the file to the root user's home
directory (/root):
# cp /boot/grub/grub.conf ~
In the second stanza, you'll set up a system that boots into runlevel
1, with boot messages shown on the screen. Make sure to label that
stanza appropriately, so the option Single User Mode appears in the
GRUB menu. To prove the result, reboot the system, check the
menu, and boot into the Single User Mode option.
Password-protect that stanza using the techniques described in Lab
3. Reboot the system. If successful, when you select the Single User
Mode option, the GRUB menu should prompt for the password that
was just created.
Answer:
1) Backup /boot/grub/grub.conf file:
#cp /boot/grub/grub.conf /root/
2) Add 2nd required stanza to grub.conf file, which boots into
runlevel 1 with full messages and add a password to
stanza:
#vi /boot/grub/grub.conf
Copy the 4 lines starting with title line from the existing
stanza and paste them at bottom of the file.
Generate another grub password as per Lab 3 and add the
password directive after the new title line you just pasted.
Amend the end of the Kernel line to remove rhgb quiet and
add 1.
Write and Save the /boot/grub/grub.conf file.
3) Reboot server:
#reboot
Now break into the boot sequence and select the new 2nd entry in the grub loader; note you will now have to enter the new grub password before you can use this entry to boot into single user mode.
Lab 5
Be careful with this lab. The steps may render this system
unbootable, unless you understand the skills described in this
chapter. There's always the risk that key configuration files will not
be properly backed up, which means there's a risk of losing all data
on the system. If you understand these risks, proceed with this lab.
This lab is based on the Ch5Lab5 script described earlier. If you
followed the instructions at the beginning of this section, the script
should be available in your /root directory. Navigate to that directory
and take the following steps:
1. Log into the root account. If you're not already there, navigate to
the /root directory. Execute the script for this lab with the ./Ch5Lab5
command.
Script run.
2. Reboot the system.
System rebooted.
3. When you see the grub> prompt, use the skills described in this
chapter to identify the drive and partition with the /boot directory.
Hint: the stage1 file will still exist in that directory.
Answer:
1) Confirm what disk has the /boot directory:
grub>root
You should see:
(hd0,0): Filesystem type is ext2fs, partition type 0x83
find
2) Load kernel to boot:
grub>kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/vda2
You should see:
7. You don't have to remember the UUID associated with the top-level root directory; in fact, it would be remarkable if you did. Just
use the partition or volume device file such as /dev/vda1. (Hint: in
the default installation created in Chapter 1, the partition device file
associated with the top-level root directory is not /dev/vda1.)
8. After entering the location of the Initial RAM disk, run the boot
command at the grub> prompt.
9. If your efforts are successful, the system will boot normally. In the
answer section, you'll see how to restore the backed-up GRUB
configuration file.
10. If your efforts are not successful, boot the system from the
installation DVD or the network boot CD and select Rescue Installed
System as described in the main body of the Chapter.
Steps 4 through 10 are covered in step 3.
Lab 6
This lab is focused on active terminals. Normally, Linux includes six
active terminals. If a GUI is installed and active with a graphical
display manager, that system is run in place of the first active
terminal. To review, you can switch between active terminals with
the ALT key and the function key associated with a terminal number,
such as ALT-F1. If in the GUI, you'll need to add the CTRL key to the
combination.
1. Back up the current versions of the /etc/sysconfig/init and
/etc/init/start-ttys.conf configuration files. A logical location is the
current user's home directory. If you make a serious mistake, you'll
be able to restore the system from the backup. In the worst case,
you'll be able to restore these files from backup by booting into
single-user mode, as described in Lab 1 and in the body of the
chapter.
Answer:
1) Backup /etc/sysconfig/init and /etc/init/start-ttys.conf files:
#cp /etc/sysconfig/init /root
#cp /etc/init/start-ttys.conf /root
2. Now limit the active consoles to terminals 1 and 2.
Answer:
HOSTNAME=server1.example.org
To fix:
#vi /etc/sysconfig/network
Amend as follows:
NETWORKING=yes
HOSTNAME=server1.dnoexample.com
GATEWAY=192.168.122.1
Write and Save /etc/sysconfig/network file.
Restart network:
#service network restart
space /etc/fstab so that space is also used the next time you boot
Linux. Oh yes, use the UUIDs in /etc/fstab.
Answer:
1) Create 500MB partition on /dev/sda spare 1GB disk using
parted utility:
#parted /dev/sda
Parted>mklabel msdos        (Setup basic disk partition table)
Parted>mkpart
Partition Type    Primary partition
Partition Start   1 MB
Partition end     513 MB
2) Create a ext4 filesystem on the newly created partition:
#mkfs.ext4 /dev/sda1
3) Confirm new partition UUID number:
#blkid | grep sda1
4) Edit /etc/fstab file to add this disk to be mounted upon
boot:
#vi /etc/fstab
Add following line:
UUID=252176c1-add2-4116-95d7-de2fef60dcf5 /test1 ext4 defaults 1 2
Partition Type     p for primary
Partition Number   2
First Sector       Take default i.e. after the end of /dev/sda1
Last Sector        Take default i.e. end of this disk.
Command>w          Write changes to disk
#mkswap /dev/sda2
Make note of the UUID number of the new swap partition.
11) Edit /etc/fstab to mount this new swap partition upon boot:
#vi /etc/fstab
Add the following line:
UUID=f28bfa50-d5b7-4f44-b80c-88e1697d5418 swap swap defaults 0 0
#swapon /dev/sda2
13)
#swapon -s
14) Reboot to confirm /etc/fstab entries are correct for both
new partitions:
#reboot
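Steps 3, 4 and 11 above copy a UUID from blkid output into /etc/fstab by hand, which is where a mistyped character leaves the system waiting at boot for a filesystem that never appears. The following is an added example, not from the book: it reads the UUID and TYPE fields straight from blkid output, emits the matching fstab line (swap or filesystem) and checks that the UUID is not already active in an fstab file. The three blkid lines are constructed sample output; the UUIDs for /dev/sda1 and /dev/sda2 reuse the values shown in this lab.

```shell
#!/bin/sh
# Added example (not from the book): build /etc/fstab entries from blkid
# output by UUID instead of retyping the UUID. The blkid text below is
# constructed sample output (the sda1/sda2 UUIDs are the ones this lab shows).

SAMPLE_BLKID='/dev/vda1: UUID="0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b" TYPE="ext4"
/dev/sda1: UUID="252176c1-add2-4116-95d7-de2fef60dcf5" TYPE="ext4"
/dev/sda2: UUID="f28bfa50-d5b7-4f44-b80c-88e1697d5418" TYPE="swap"'

# blkid_field DEVICE KEY [BLKID_OUTPUT]: print the KEY="..." value blkid
# reports for DEVICE. Runs blkid itself when no text is supplied, and
# fails (status 1) when the device or key is not present.
blkid_field() {
    printf '%s\n' "${3:-$(blkid)}" | awk -v dev="$1:" -v key="$2=" '
        $1 == dev {
            for (i = 2; i <= NF; i++)
                if (index($i, key) == 1) { gsub(/^[A-Z]+=|"/, "", $i); print $i; found = 1 }
        }
        END { exit !found }'
}

uuid_of()   { blkid_field "$1" UUID "$2"; }
fstype_of() { blkid_field "$1" TYPE "$2"; }

# fstab_entry DEVICE MOUNTPOINT [BLKID_OUTPUT]: one fstab line keyed by UUID.
# Swap gets "swap swap defaults 0 0"; a filesystem gets dump 1 and fsck
# pass 2 (pass 1 is reserved for the root filesystem).
fstab_entry() {
    dev=$1; mnt=$2; out=${3:-$(blkid)}
    uuid=$(uuid_of "$dev" "$out") || return 1
    type=$(fstype_of "$dev" "$out") || return 1
    if [ "$type" = swap ]; then
        printf 'UUID=%s swap swap defaults 0 0\n' "$uuid"
    else
        printf 'UUID=%s %s %s defaults 1 2\n' "$uuid" "$mnt" "$type"
    fi
}

# fstab_has_uuid FSTAB_FILE UUID: succeed if an active (uncommented) line
# already references this UUID, so the same entry is never added twice.
fstab_has_uuid() {
    grep -q "^[^#]*UUID=$2" "$1"
}
```

Typical use on the lab system is `fstab_entry /dev/sda1 /test1 >> /etc/fstab` after `mkfs.ext4`, followed by `mount -a` to prove the new line parses before rebooting.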
15)
Turn DOS
Set display units to
Delete 1
Partition 2 will be auto
Write new partition table
Command>n          Create new partition.
Partition Type     p for primary
Partition Number   1
First Sector       Take default i.e. 2048
Last Sector        +500M i.e. start plus 500 MB
Command>n          Create new partition.
Partition Type     p for primary
Partition Number   2
First Sector       Take default i.e. from end of partition 1.
Last Sector        Take default i.e. to end of disk.
Command>w          Write changes to disk.
#vi /etc/fstab
Add following line:
UUID=d36241e5-0458-4b9c-b97d-b27bf94456a1 /test2 ext4 defaults 1 2
10)
#mkdir /test2
#mount -t ext4 /dev/volgroup1/logvol1 /test2
11)
#mount /test2
Lab 3
In this lab, you'll continue the work done in Lab 2, expanding the
space available to the formatted LV closer to the capacity of the VG.
For example, if you were able to follow the size guidelines in Lab 2,
use appropriate commands to increase the space available to the LV
from 900MB to 950MB. Set it up on the /test3 directory in the
/etc/fstab file, formatted to the ext4 filesystem. Use the UUID for the
associated logical volume device in /etc/fstab.
Don't forget to delete or at least comment out any settings from
previous labs in the /etc/fstab file. Just one hint: it's far too easy to
skip steps during the process.
Answer:
1) Tidy up from Lab 2:
#umount /test2
#vi /etc/fstab
Amend line added in Lab 2 to comment out the auto mount
of LV as follows:
#UUID=d36241e5-0458-4b9c-b97d-b27bf94456a1 /test2 ext4 defaults 1 2
3) Resize the ext4 filesystem to match the new size of the LV:
#resize2fs /dev/volgroup1/logvol1
If required, run e2fsck -f /dev/volgroup1/logvol1.
4) Confirm UUID of LV:
#blkid | grep logvol1
5) Create new mountpoint /test3:
#mkdir /test3
6) Edit /etc/fstab file to add auto mount to /test3 directory:
#vi /etc/fstab
Add following line:
UUID=d36241e5-0458-4b9c-b97d-b27bf94456a1 /test3 ext4 defaults 1 2
#vi /etc/crypttab
Add following line:
9114727b-4611-40bd-9f2e-e80013ab22b5 UUID=9114727b-4611-40bd-9f2e-e80013ab22b5 none
Test by rebooting:
#reboot
-A INPUT -m
-j ACCEPT
-A INPUT -m
-j ACCEPT
-A INPUT -m
32927 -j ACCEPT
-A INPUT -m
-j ACCEPT
-A INPUT -m
-j ACCEPT
-fstype=iso9660,ro,nosuid,nodev
:/dev/cdrom
-ro,soft,intr
192.168.122.51:/tmp
gpgcheck=1
gpgkey=http://192.168.122.1/inst/RPM-GPG-KEY-redhat-release
3) Setup new repository rhel64vmhost1:
#yum clean all
#yum update
4) Test new local repo:
#yum repolist
5) Install package xorg as a test of remote YUM repository:
#yum install xorg-x11-apps*
Lab 2
In this lab, you'll be identifying a potential security problem. You've
been given a tip by security staff that the problem is related to a
binary file that starts a server.
In this lab, you'll use a script in the Chapter7/ directory of the CD
included with the book. The script is called Ch7Lab2. You'll need to
copy the script to the server1.example.com test system created in
Chapter 2. The following steps assume the system is on a KVM-based
virtual machine. If it's on a different virtual machine manager
such as VMware or Virtualbox, you'll have to consult the
documentation for that virtual machine manager, at least for
instructions on how to connect a CD/DVD drive.
1. Open the KVM Virtual Machine Manager from a GUI command line
with the virt-manager command.
2. Connect to the localhost (QEMU) system.
3. Double-click the virtual machine with the server1.example.com
system. In the window that appears, click View | Details.
4. Insert the CD for the book. Use the options that appear to connect
the CD/DVD drive to the virtual machine. Return to the console for
the virtual machine by clicking View | Console.
5. Boot the server1.example.com system. Mount the book CD with
the mount /dev/cdrom /media command.
6. Log in to the root administrative account.
.......T.    /usr/sbin/vsftpd
This means that the modification time of the vsftpd binary file has
changed since it was installed, so the binary file has been
compromised.
7) Remove vsftpd package:
#yum remove vsftpd
8) Re-install vsftpd package:
#yum install vsftpd
9) Confirm the binary is now as it should be:
#rpm -Va | grep /usr/sbin
This time there should be no output.
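rpm -V prints one line per file that differs from the package database: a nine-character flag string (S size, M mode, 5 MD5 digest, D device, L link, U user, G group, T mtime, P capabilities, with "." for unchanged), an optional attribute letter such as c for a config file, then the path; a file that is gone shows "missing" instead of flags. Reading the flags matters, because an mtime-only change (T) can come from a legitimate relink or a touch, while a changed digest or size (5, S) on a binary means its content is not what the package installed. The following is an added example, not the book's code: it triages rpm -Va output by those flags. The four result lines are constructed sample output.

```shell
#!/bin/sh
# Added example (not from the book): triage "rpm -Va" output by the
# verification flags rpm prints. The result lines below are constructed
# sample output, not captured from a real system.

SAMPLE_RPM_VA='.......T.    /usr/sbin/vsftpd
S.5....T.    /usr/sbin/sshd
S.5....T.  c /etc/vsftpd/vsftpd.conf
missing     /usr/lib64/libfoo.so.1'

# classify FLAGS ATTR: print "config", "critical", "notice" or "ok".
#  - a config file (attribute c) is expected to be edited locally
#  - a missing file, or a changed digest/size on anything else, means the
#    content differs from the package: reinstall from a trusted repo and
#    treat the host as suspect
#  - mode/owner/link/mtime changes alone are a notice to investigate
classify() {
    flags=$1; attr=$2
    if [ "$attr" = c ]; then
        echo config
        return
    fi
    case "$flags" in
        missing)                 echo critical ;;
        *5*|S*)                  echo critical ;;
        *M*|*U*|*G*|*L*|*D*|*P*) echo notice ;;
        *T*)                     echo notice ;;
        *)                       echo ok ;;
    esac
}

# triage_rpm_va [TEXT]: print "LEVEL<TAB>PATH" per line, reading the
# live "rpm -Va" output when no text is given.
triage_rpm_va() {
    printf '%s\n' "${1:-$(rpm -Va 2>/dev/null)}" | while read -r flags rest; do
        [ -n "$flags" ] || continue
        case "$rest" in
            [cdglr]\ *) attr=${rest%% *}; path=${rest#* } ;;   # attribute letter present
            *)          attr=""; path=$rest ;;
        esac
        printf '%s\t%s\n' "$(classify "$flags" "$attr")" "$path"
    done
}

# critical_files [TEXT]: only the paths whose content no longer matches
# the installed package.
critical_files() {
    triage_rpm_va "$1" | awk -F'\t' '$1 == "critical" { print $2 }'
}
```

On the lab system, `critical_files` run before step 7 shows whether the vsftpd binary differs in content or only in timestamp; either way `rpm -V` is only as trustworthy as the rpm database and the rpm binary themselves, so a verdict on a suspected compromise should be confirmed from a known-good boot medium.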
Lab 3
Note: as this system is not registered, this lab cannot be run.
This lab may not be possible unless updates are available from the
RHN (or if you're using a rebuild of RHEL 6, a remote repository with
updates, configured in files in the /etc/yum.repos.d directory). In this
lab, you will examine what happens when you run an update to
upgrade to newer versions of packages available for new features,
to address security issues, and more. Before you start, run the
following command to clear the cache, to enable the full set of
messages:
# yum clean all
Run the following command to send the messages to a text file:
# yum update > update.txt
If a lot of updates are available, this process may take some time. If
you want to watch, run the following command in a different
command line console.
# tail -f update.txt
If you want to download and install the updates, use the -y switch,
which answers, "yes" to all prompts. The complete command
becomes
# yum update -y > update.txt
you expected?
Answer:
The older kernel has been added to grub.conf as the new first
stanza.
5. Check the results in the /boot directory. Observe the differences
with the original list of files in the /boot directory. Test the result with
a reboot.
Answer:
The following older kernel files have been added into /boot directory:
config-2.6.32-71.14.1.el6.x86_64
initramfs-2.6.32-71.14.1.el6.x86_64.img
symvers-2.6.32-71.14.1.el6.x86_64.gz
System.map-2.6.32-71.14.1.el6.x86_64
vmlinuz-2.6.32-71.14.1.el6.x86_64
When rebooted, server1.dnoexample.com is now running on the older
kernel:
#uname -a
Linux server1.example.com 2.6.32-71.14.1.el6.x86_64
To remove this older kernel perform the following:
1) Remove older kernel package:
#rpm -ev kernel-2.6.32-71.14.1.el6.x86_64
2) Remove older kernel-firmware package:
#rpm -ev kernel-firmware-2.6.32-71.14.1.el6
3) Confirm /boot/grub/grub.conf has been reverted to original
configuration:
#cat /boot/grub/grub.conf
I.E. the older kernel stanza should have been removed.
4) Confirm contents of /boot have reverted to original
contents:
#sudo bash
If you reach the root prompt after entering your user password
for senioradm, it's worked.
Lab 4
Create a new user named junioradm. Set up that user with
privileges to run the fdisk command, with the help of sudo. In this
case, user junioradm should still be required to enter his regular
account password before he's allowed to run the fdisk command.
Answer:
1) Create new user junioradm account:
#useradd -c "Junior Admin" -d /home/junioradm -m -s /bin/bash junioradm
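The sudo part of this lab is a single rule that names the user, the target user and the one command, with no NOPASSWD tag, so sudo keeps asking for junioradm's own password. The following is an added example, not the book's answer: it writes that rule as a drop-in under a directory of your choosing (on RHEL 6 that is /etc/sudoers.d, read via the #includedir line in /etc/sudoers), sets the 0440 mode sudo requires, offers a visudo -cf syntax check, and audits a file for rules that skip the password. The rule text `junioradm ALL=(root) /sbin/fdisk` is my assumption of the intended answer; /sbin/fdisk is the RHEL 6 path.

```shell
#!/bin/sh
# Added example (not from the book): install and check a one-command sudo
# rule for junioradm. The rule text is an assumption about the intended
# answer; the lab only states that the password prompt must remain.

# sudoers_rule USER COMMAND: one rule line. "(root)" limits the target
# user; NOPASSWD is deliberately absent so the user's own password is asked.
sudoers_rule() {
    printf '%s ALL=(root) %s\n' "$1" "$2"
}

# install_rule DIR USER COMMAND: write DIR/USER as a 0440 drop-in.
# The file is created under a restrictive umask, so it is never readable
# by others even briefly.
install_rule() {
    dir=$1; user=$2; cmd=$3
    (umask 337; sudoers_rule "$user" "$cmd" > "$dir/$user")
    chmod 0440 "$dir/$user"
}

# check_syntax FILE: visudo -cf parses the file without installing it.
# Returns visudo's status, or 0 with a note when visudo is not present.
check_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not available here; run 'visudo -cf $1' on the target host"
    fi
}

# audit_nopasswd FILE: fail (status 1) if any active rule carries NOPASSWD,
# the setting this lab says junioradm must not have.
audit_nopasswd() {
    if grep -q '^[^#]*NOPASSWD' "$1"; then
        return 1
    fi
    return 0
}

# file_mode FILE: permission bits in octal (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

After `install_rule /etc/sudoers.d junioradm /sbin/fdisk` on the lab system, `su - junioradm` followed by `sudo /sbin/fdisk -l` should prompt for junioradm's password and then list the disks, while `sudo /bin/bash` is refused.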
Answer:
1) Copy /usr/share/doc/info-* to /etc/skel directory:
#cp -ar /usr/share/doc/info-* /etc/skel
3) Create new infouser user account:
#useradd -c"Info User" -d /home/infouser -m -s /bin/bash
infouser
2) Set password for new user accounts mike, rick, terri and
maryam:
#passwd mike
#passwd rick
#passwd terri
#passwd maryam
-G galley mike
-G galley rick
-G galley terri
-G galley maryam
Lab 1
As the root user, create cron jobs that change the login message for
users at the text console. To do so, you'll want to change the
content of /etc/motd. Make sure that people who log in at different
times get appropriate messages:
If users log in between 7 a.m. and 1 p.m., create the login message
"Coffee time!"
If users log in between 1 p.m. and 6 p.m., create the login message
"Want some ice cream?"
If users log in between 6 p.m. and 7 a.m., create the login message
"Shouldn't you be doing something else?"
Answer:
1) Edit root's crontab file and add jobs to set /etc/motd text based
on time of day:
#crontab -e
Add the following lines:
#Example job definition:
#.------------------- minute (0-59)
#| .----------------- hour (0-23)
#| | .--------------- day of month (1-31)
#| | | .------------- month (1-12) OR jan,feb etc
#| | | | .----------- day of the week (0-6) OR sun,mon etc (note 0 is Sunday)
#* * * * * cmd
0 7 * * * echo "Coffee Time!" > /etc/motd
0 13 * * * echo "Want some ice cream?" > /etc/motd
0 18 * * * echo "Shouldn't you be doing something else?" > /etc/motd
Write and Save the crontab file.
3) Use the date cmd to temporarily set the date and time to 06:59 and 17:59
to test the above:
#date 031206592015
06:59 am
Answer:
1) Confirm whether the vinagre, tigervnc and tigervnc-server packages
are installed on server1.dnoexample.com:
#rpm -qa | grep -e tiger -e vinagre
If any of these packages are missing install them:
#yum install tigervnc-server
2) Edit /etc/sysconfig/vncservers file:
#vi /etc/sysconfig/vncservers
Amend this file as follows:
Defaults:
# VNCSERVERS="2:myusername"
# VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp
-localhost"
Change to:
VNCSERVERS="2:doldham"
VNCSERVERARGS[2]="-geometry 800x600"
Write and Save /etc/sysconfig/vncservers file.
3) Stop tigervnc server service:
#/etc/init.d/vncserver stop
4) Switch to user doldham:
#su doldham
5) Start vncserver process for this user:
#vncserver :2
6) Confirm vncserver is now running:
#/etc/init.d/vncserver status
You should see:
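The shipped VNCSERVERARGS line carries -nolisten tcp -localhost, which binds the display to the loopback interface so clients reach it through an SSH tunnel; the edit in step 2 removes both, and display :2 then listens on TCP port 5902 on every interface with only the VNC password in front of it. The following is an added example, not from the book: it parses an /etc/sysconfig/vncservers text and lists the displays that are no longer restricted to localhost, with the port each one opens. Both config texts are constructed samples; the doldham display matches this lab, the :3 display is invented for contrast.

```shell
#!/bin/sh
# Added example (not from the book): audit /etc/sysconfig/vncservers
# (the RHEL 6 tigervnc-server config) for displays reachable from the
# network. Both config texts below are constructed samples.

# Default-style entry: bound to localhost, reached through an SSH tunnel.
SAFE_CONF='VNCSERVERS="2:doldham"
VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -localhost"'

# The lab's edit drops -localhost from display :2; display :3 is invented
# here to show a mixed file.
EXPOSED_CONF='VNCSERVERS="2:doldham 3:other"
VNCSERVERARGS[2]="-geometry 800x600"
VNCSERVERARGS[3]="-geometry 1024x768 -localhost"'

# vnc_displays TEXT: print "DISPLAY USER" for each entry on the VNCSERVERS line.
vnc_displays() {
    printf '%s\n' "$1" | sed -n 's/^VNCSERVERS="\(.*\)"$/\1/p' |
        tr ' ' '\n' | awk -F: 'NF == 2 { print $1, $2 }'
}

# vnc_args TEXT DISPLAY: the VNCSERVERARGS value for one display (empty if unset,
# which also means no -localhost and therefore an exposed display).
vnc_args() {
    printf '%s\n' "$1" | sed -n "s/^VNCSERVERARGS\[$2\]=\"\(.*\)\"\$/\1/p"
}

# exposed_displays TEXT: "DISPLAY USER PORT" for every display whose args
# lack -localhost. VNC listens on TCP 5900 + display number, which is the
# port to expect in iptables rules or a listening-socket check (netstat -tln).
exposed_displays() {
    vnc_displays "$1" | while read -r disp user; do
        args=$(vnc_args "$1" "$disp")
        case " $args " in
            *" -localhost "*) ;;
            *) printf '%s %s %s\n' "$disp" "$user" $((5900 + disp)) ;;
        esac
    done
}
```

Run `exposed_displays "$(cat /etc/sysconfig/vncservers)"` after editing the file; an empty result means every configured display still needs an SSH tunnel (ssh -L 5902:localhost:5902 doldham@server1) rather than an open port.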
6. Navigate toward the bottom of the dmesg file. Can you identify
the amount of swap space? Can you identify one or more partitions
with the default EXT4 filesystem?
Answer:
1) Review /var/log/dmesg:
#more /var/log/dmesg
There is 4128760k of swap added on
/dev/mapper/vg_server1-lv_swap.
There are 3 EXT4 partitions mounted at boot time: dm-1, vda1 and dm-0.
These point to:
dm-0 points to the UUID of the LUKS encrypted partition.
dm-1 points to the vg_server1-lv_root LVM root partition.
vda1 points to the /boot partition.
7. Review the maillog log file. If that file is short, there may be an
older maillog-* file; if so, review that as well. Do you see any
messages associated with mail messages?
Answer:
1) Review /var/log/maillog:
#more /var/log/maillog
There are 3 separate emails to root account with mail
references of:
D0D0A30C3
8DC8930CB
451FE3118
All had status of sent.
8. Review the secure log file. Navigate to the bottom of the file. Do
you see a message associated with the failed login?
Answer:
1) Review /var/log/secure:
#more /var/log/secure