-
Notifications
You must be signed in to change notification settings - Fork 0
/
Doc to edit for chap by chap notes modifiedl.txt
417 lines (361 loc) · 19.6 KB
/
Doc to edit for chap by chap notes modifiedl.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
# RHCSA-Study
Just a repo to post new RHCSA study material....
#RHCSA Training
##Chapters
- [1 Installing RH](./objectives/1_Installing.md)
- [2 essential tools](./objectives/2_essential_tools.md)
- [3 Essential File MGMT Tools](./objectives/3_file_mgmt_tools.md)
- [4 working w/ text files](./objectives/4_working_w_text_files.md)
- [5 Connecting to to RH Ent Linux](./objectives/5_Conn_to_RH_Ent_Linux.md)
- [6 User and Group MGMT](./objectives/6_User_and_Group_mgmt.md)
- [7 Configuring permissions](./objectives/7_configuring permissions.md)
- [8 Configuring Networking](./objectives/8_configuring_networking.md)
- [9 Managing Processes](./objectives/9_managing_processes.md)
- [10 working with virtual machines](./objectives/10_working_with_virtual_machines.md)
- [11 operate running systems](./objectives/11_operate_running_systems.md)
- [12 configure local storage](./objectives/12_configure_local_storage.md)
- [13 file systems](./objectives/13_file_systems.md)
- [14 maintain systems](./objectives/14_maintain_systems.md)
- [15 manage users and groups](./objectives/15_manage_users_and_groups.md)
- [16 selinux](./objectives/16_selinux.md)
- [17 recovery](./objectives/17_recovery.md)
- [18 essential tools](./objectives/18_essential_tools.md)
- [19 operate running systems](./objectives/19_operate_running_systems.md)
- [20 configure local storage](./objectives/20_configure_local_storage.md)
- [21 file systems](./objectives/21_file_systems.md)
- [22 maintain systems](./objectives/22_maintain_systems.md)
- [23 manage users and groups](./objectives/23_manage_users_and_groups.md)
- [24 selinux](./objectives/24_selinux.md)
##Commands
- [swapon](./commands/swapon.md)
- [system-config-authentication](./commands/system-config-authentication.md)
##Packages
- [authconfig-gtk](./packages/authconfig-gtk.md)
- [chrony](./packages/chrony.md)
- [cifs-utils](./packages/cifs-utils.md)
- [ipa-client](./packages/ipa-client.md)
- [krb5-workstation](./packages/krb5-workstation.md)
- [nfs-utils](./packages/nfs-utils.md)
- [nss-pam-ldapd](./packages/nss-pam-ldapd.md)
- [openldap-clients](./packages/openldap-clients.md)
- [samba-client](./packages/samba-client.md)
- [settroubleshoot-server](./packages/settroubleshoot-server.md)
##Services
- [nmb](./services/nmb.md)
- [rpcbind](./services/rpcbind.md)
- [smb](./services/smb.md)
- [winbind](./services/winbind.md)
##Course Objectives
# objectives: 1_Installing
The following objective is to Recover / Reset the root password on a RHEL 7 system.
###Rescue Process (lost root password)
- start or reboot the system
- at the grub menu, press the [ESC] key to interrupt the boot proc
- press 'e' to edit the boot record
- scroll down to the 'linux16' entry and press the [end] key
- add `rd.break console=tty1`
- press CTRL-X to boot
- remount in r/w mode: `mount -o remount,rw /sysroot`
- switch to chroot jail: `chroot /sysroot`
- reset pw: `passwd root`
- create SELinux blank file under root: `touch /.autorelabel`
- type `exit` twice to reboot system
# objectives: 2_essential_tools
###Archive, compress, unpack and uncompress files:
| Tool | Archive | Extract |
|:----------:|:----------------------------:|:-------------------------:|
| tar (gzip) | `tar cfzv archive.tar.gz` | `tar xvf archive.tar.gz .`|
| tar (bzip) | `tar cfjv archive.tar.bz` | `tar xvf archive.tar.bz .`|
| star | `star -c -f=archive.tar dir/`| `star -x -f=archive.tar .`|
| gzip | `gzip file` | `gunzip file.gz` |
| bzip2 | `bzip2 file` | `bunzip file.bz2` |
####Create a test directory with 3 files, list, change ownership
- `mkdir test && touch test/{file1,file2,file3}` - create some directories
- `ls -l test/` - list in long mode
- `chown -R nobody:wheel test/` - recursively change owner & group
####Changing Modes (octal & ugo)
- `chmod 0755 test/file1` - change mode to 0755 octal way
- `chmod u=rwx,g=rx,o=rx test/file{2,3}` - change mode to 0755 ugo way
- `ls -l test/` - list changes to verify
####Set Special Permissions (files / directories)
- `chmod 1750 test/file1` - Sticky Bit
- `chmod 2750 test/file2` - Set GID
- `chmod 4750 test/file3` - Set UID
# objectives: 3_file_mgmt_tools
###Boot systems into different targets manually
- `systemctl list-units --type=target --all` - view full list of targets
- `systemctl get-default` - get default run-level
- `systemctl isolate multi-user.target` - change to multi-user (RL 3)
- `systemctl isolate graphical.target` - switch to graphical (RL 5)
- `systemctl set-default graphical.target` - set default to graphical
###Identify CPU/memory intensive processes, adjust with renice & kill
- open up new tab
- `nice -n -10 yes` - start basic process with a nice level of -10
- `top` - view nice level of existing programs
`renice [-n] priority [-g|-p|-u] identifiers (group, pid, user)`
####Renice
- `renice -n 5 -p 1701` - change priority to proc
- `renice -n 5 -g wheel` - change priority by group
- `renice -n 5 -u johnny` - change priority by user
####Start, stop and pause a process
- `kill (-SIGSTOP | -19) pid` - suspend process to be continued later
- `kill (-SIGCONT | -18) pid` - continue a process that was suspended
- `kill (-SIGTERM | -15) pid` - kill a process, can be gracefully caught
- `kill (-SIGKILL | -9) pid` - kill a process, cannot be caught
####Start, stop and check status of network services
- `systemctl status name.service` - check status
- same format for service: start, stop, restart, reload, enable
- `systemctl enable name.service` - enable service at boot
# objectives: 4_working_w_text_files
####List, create, delete partions on MBR and GPT disks
- `fdisk -l` - list all partitions
- `fdisk /dev/vda` - create a new primary partition
- `[n]` - for new partition
- `[p]` - primary
- `(1-4)` - partition number
- `<size/sector>` - choose appropriate sizing
- `[t]` - filesystem type, `8e` for LVM, `82` for swap
- `[w]` - save the partition changes
- `partprobe` - force kernel to read updated partition table
- `mkfs.ext4 /dev/vda1` - format the disk for ext4
- `mkfs.xfs /dev/vda2` - format the disk for xfs
- `mkfs.vfat /dev/vda3` - format the disk for vfat
- `mkdir /mnt/{ext4,xfs,vfat}` - create mount points for each filesystem
- `blkid /dev/vda[n]` - retrieve UUID for appropriate partition
- update `/etc/fstab` with appopriate entry
```
#/etc/fstab
UUID='...' /dev/vda1 /mnt/ext4 ext4 defaults 0 2
UUID='...' /dev/vda2 /mnt/xfs xfs defaults 0 0
UUID='...' /dev/vda3 /mnt/vfat vfat defaults 0 0
```
- `mount -a` - mount all filesystems
####Create and remove physical volumes, assign physical volumes to volume groups, and create and delete logical volumes
- `lsblk -a` - display current block devices and configuration
- `pvcreate /dev/vdb1` - create a physical volume
- `vgcreate <vgname> -s 8m /dev/vdb1` - create volume group, set extant size (4m default, set to 8m)
- `lvcreate -n <lvname> -L 25G <vgname>` - create logical volume, assign name and size
- `mkfs.xfs /dev/<vgname>/<lvname>` - create filesystem (xfs) on logical volume
- `mkdir /mnt/lvm` - create mountpoint
- `blkid /dev/<vgname>/<lvname` - display UUID
- `vi /etc/fstab` - update fstab
```
UUID="..." /mnt/lvm xfs defaults 0 0
# or
/dev/vg1/lv1 /mnt/lvm xfs defaults 0 0
```
####Add swap to a system non-destructively
- `lvcreate -L 1G -n <lv_swapname> <vgname>` - create new logical volume for swap space
- `mkswap /dev/<vgname>/<lv_swapname>` - create swap
- `swapon /dev/<vgname>/<lv_swapname>` - activate swap
- `swapon -s` - verify swap summary
- `vi /etc/fstab` - update fstab
- `/dev/vg/swap swap swap defaults 0 0` - entry
# objectives: 5_Conn_to_RH_Ent_Linux
###Create, mount and unmount filesystems (ext4, xfs, vfat)
- `lvcreate -L 100M -n <lv_name> /dev/<vgname>` - create new volume
- `mkfs.<ext4|xfs|vfat> /dev/<vgname>/<lvname>` - create ext4 filesystem
- `mount /dev/<vgname><lvname>` - manually mount the filesystem
- `vi /etc/fstab` - update fstab for each filesystem
```
# /etc/fstab
/dev/vg1/lv1 /mnt/ext4 ext4 defaults 1 2
/dev/vg1/lv1 /mnt/xfs xfs defaults 0 0
/dev/vg1/lv1 /mnt/vfat vfat defaults 0 0
```
#####Mount and unmount file systems (NFS)
- `yum install -y nfs-utils` - ensure required NFS services are installed
- `systemctl enable rpcbind.service` - enable rpcbind
- `systemctl start rpcbind.service` - start rpcbind
- `systemctl enable nfs-client.target` - enable nfs-client target
- `systemctl start nfs-client.target` - start nfs-client target
- `vi /etc/fstab` - add fstab entry for nfs4
```
nfsserver:/dir/share /mnt/nfs nfs4 defaults 0 0
```
- `mount -a` - automount fstab entries
#####Mount and unmount file systems (CIFS)
- `yum install -y cifs-utils samba-client` - ensure required CIFS services are installed
- `systemctl enable smb.service` - enable samba
- `systemctl enable nmb.service` - enable nmb
- `systemctl enable winbind.service` - enable windbind
- `vi /etc/fstab` - add fstab entry for CIFS
```
//smbserver/share /mnt/cifs cifs rw,username=user,password=pw 0 0
```
- `mount -a` - automount fstab entries
#####Extend existing logical volumes
- `lvcreate -L 100M -n <lvname> /dev/<vgname>` - create new volume if needed
- `mkfs.ext4 /dev/<vgname>/<lvname>` - make an ext4 filesystem
- `mount /dev/<vgname>/<lvname> /mnt/ext4` - mount it somewhere logical
- `lvextend -l +100%FREE -r /dev/<vgname>/<lvname>` - allocate ALL free space
- `lvextend -L +50M -r /dev/<vgname>/<lvname>` - allocate additional 50M or what have you
#####Create and configure set-GID directories for collaboration
- `groupadd -g 50000 <gname>` - create a new group
- `mkdir /share` - create a shared directory in root
- `chown nobody:<gname> /share` - change ownership of dir to *gname*
- `chmod 2770 /share` - assign / set GID bit (SGID) to /share
- (allows all members of group write privs, removes all for everyone else)
- `useradd -G <gname> <uname>` - create new users and assign them this group
#####Create and manage ACLs
- `getfacl <file>` - view file ACLs
- `setfacl -Rm u:<username>:rwx <file>` - change file ACL to 7 for user
- `setfacl g:<groupname>:rwx <file>` - same but for group
- `setfacl -x u:<username> <file>` - remove ACLs from file
- `setfacl -b u:<username> <file>` - *completely* remove ACLs from file
# objectives: 6_User_and_Group_mgmt
####Configure networking, update connections / devices
- Devices and connections are two distinct things
- devices are actual interfaces on the system
- connections can be bound & be turned on/off
- only 1 connection can be up at a time
- `nmcli con show` or `nmcli dev status` - display network connections or devices
- `nmcli con del <name|UUID>` - remove a connection / interface
- `nmcli con add con-name <name> ifname <interface> type ethernet ip4 1.1.1.1/24 gw4 1.1.1.1`
- create a connection (provide ip / gateway)
- `nmcli con reload` - reload configs into network manager
- `ip address show` or `ip a` - check configuration
- `nmcli con show <name>` - all information about a connection
- `nmcli con down <name>` - stop a connection
- `nmcli con up <name>` - start a connection
- To modify a connection:
- `nmcli con mod <name> ipv4.address 1.1.1.1/24` - ip address
- `nmcli con mod <name> ipv4.gateway 1.1.1.1` - gateway
- `nmcli con reload` - reload configs into network manager
- `nmcli con up <name>` - ensure connection is up
- `nmcli con delete <name>` - delete the connection when through
#####Hostname updates: statically or dynamically
- `hostnamectl <--static|--transient|--pretty>` - view all current hostnames (static, transient, pretty)
- `hostnamectl set-hostname <name>` - set the hostname
- use `--static`, `--transient`, `--pretty` for individual hostnames
- hostname resolution relies on `/etc/nsswitch.conf`
- `hosts: files dns` - entry resloves first through files (static) then dns (dynamic)
- *static* comes from `/etc/hosts` file
- *dynamic* comes from `/etc/resolve.conf` file
- `nmcli con mod <interface> +ipv4.dns 1.1.1.1` - add DNS server
- `+ipv4.dns` - adds a server
- `ipv4.dns` - replaces it
- `-ipv4.dns` - removes a server
- `nmcli con up <interface>` - restart connection
####Schedule tasks using at and cron
| Minute | Hour | Day Of Month | Month | Day Of Week | CMD |
|:------:|:----:|:------------:|:-----:|:-----------:|:---------------:|
| 0-59 | 0-23 | 1-31 | 1-12 | 1-7 | /root/script.sh |
- `crontab -u <username> -e` - edit users crontab
- wildcards `*` can be used to match every value
- cron jobs that neet to run routinely can be placed in `/etc/cron.{daily,weekly,monthly}`
- these must be executable
#####Configure time services using NTP
- `timedatectl` - get current config
- `timedatectl list-timezones` - list available time zones
- `timedatectl set-timezone <timezone>` - set the timezone eg: `America/Chicago`
- `yum install -y ntp` - install ntp
- `systemctl enable ntpd.service` - enable ntpd at boot
- `systemctl start ntpd.service` - start ntpd
- config file is at `/etc/ntp.conf`
#####Configure time services using Chrony
- `yum install -y chrony` - install chrony
- `systemctl enable cronyd.service` - enable chronyd at boot
- `systemctl start cronyd.service` - start chronyd
- `ntpdate <timeserver>` - synchronize server
- config file is located at `/etc/chrony.conf`
####Install and update packages from Redhat network, remote repo or local file system
- `yum-config-manager --add-repo=http://myrepo.com` - leverage this tool to generate repo file
- `vi /etc/yum.repos.d/<remote>.repo` - modify the repository to
```
[base]
[myrepo.com]
name=added from http://myrepo.com
baseurl=http://myrepo.com
enabled=1
gpgcheck=0 # <----- add this line!
```
# objectives: 7_manage_users_and_groups
####Create, delete and modify local user accounts
- `useradd <username>` - create a new user
- `useradd -G <group> <username>` - add existing user to new group
- `usermod -aG <supgroup> <username>` - add user to supplementary group
- `userdel -r <username>` - remove the user completely from the system
####Change passwords and adjust password aging for local user accounts
- `chage -M <max_days> <username>` - set the maximum password age
- `chage -I <username>` - set the account / user to *inactive*
- `chage -d 0 <username>` - force user to change password at next login
- `date -d "+180 days"` - determine the date 180+ days from today
- `vi /etc/login.defs` - update password policy configuration file
####Create, delete and modify local groups and group memberships
- `groupadd -r <groupname>` - create a new system group
- `groupmod -n <newname> <groupname>` - rename existing group
- `groupmod -g <groupid> <groupname>` - assign a GID to group
- `groupdel <groupname>` - delete existing group
####Configure a system to use an existing auth service for user/group info
- using LDAP server: `server.example.com`
#####LDAP Client Configuration
- `yum install -y openldap-clients nss-pam-ldapd` - install LDAP tools
- `authconfig-tui` - Text user interface wizard to setup LDAP
- Cache Information
- Use LDAP
- Use MD5
- Use Shadow
- Use LDAP Auth
- Local Auth
- In LDAP Settings:
- Use TLS: `ldap://server.example.com`, `dc=example,dc=com`
- `/etc/openldap/cacerts` - location of LDAP server cert
- `yum install -y autofs nfs-utils` - ensure NFS/AUTOFS tools are installed
- `vi /etc/auto.master.d/home.autofs` - create the master entry
- `/home /etc/auto.home` - add the primary mountpoint, point to config
- `vi /etc/auto.home` - create *home* automount
- `*-rw,sync --fstype=nfs4 instructor.example.com:/home/guests/&` - add this line to `/etc/auto.demo`
- `systemctl start autofs.service` - start up autofs
- `systemctl enable autofs.service` - enable it
- `su - <ldapuser>` - test the configuration
#####Kerberos Configuration
- `yum install authconfig-gtk krb5-workstation` - install Kerberos tools
- `system-config-authentication` - run the CLI tool to connect to IPA
- ensure *Kerberos* is checked, and *DNS* is unchecked
- verify with `getent` and `ssh` (TODO: figure more out about this)
- ![kerberos](./.images/kerberos.png)
- `yum install ipa-client` - ensure IPA tools are installed
- `ipa-client-install --domain=server.example.com --no-ntp --mkhomdir` - connect to test IPA
- Enter AD credentials provided for adding Linux computers
# objectives: 8_configuring_networking
####Firewall Management (firewall-cmd, firewalld, iptables)
- *Configure firewall settings using firewall-config, firewall-cmd, or iptables*
- `firewall-cmd --permanent <cmd>` - must add `--permanent` for changes to persist
- `firewall-cmd --list-all` - list configuration
- `firewall-cmd --list-services --zone=<zone|default>` - list added services to default or specific zone
- `firewall-cmd --get-services` - available services to enable
- `firewall-cmd --add-service=<service>` - enable service in default zone
- `firewall-cmd --add-port=<port/protocol>` - add a port if not defined
- `firewall-cmd --reload` - reload changes
- `firewall-cmd --get-default-zone` - see context of default zone
####Diagnose and address routine SELinux policy violations
- `sestatus` - show status
- `setenforce Enforcing (or 1)` - set SELinux to enforcing mode
- `vi /etc/selinux/config` - config file to set perm state
- `chcon -t <type_t> <file>` - test changing type label context
- `setsebool -P <boolean> 1|0` - turn an SELinux boolean on or off
- `ausearch -m avc` - audit failures and review
- `grep AVC /var/log/audit/audit.log` - secondary way to get errors
- `audit2allow -wa` - generate steps to make the AVC failure allowed
- `audit2allow -aM <name>.local` - create a new module/policy package
- `restorecon <file>` - restore contexts: `/etc/selinux/targeted/contexts/files/`
- `semanage fcontext -l` - view all file contexts (grep if needbe)
- `yum install -y settroubleshoot-server` - install SELinux troubleshooting tools
- `sealert -a /var/log/audit/audit.log` - displays SELinux policy violations
# objectives: 9
# objectives: 10
# objectives: 11
# objectives: 12
# objectives: 13
# objectives: 14
# objectives: 15
# objectives: 16
# objectives: 17
# objectives: 18
# objectives: 19
# objectives: 20
# objectives: 21
# objectives: 22
# objectives: 23
# objectives: 24