Ch1: Kickstart/Anaconda
-----------------------------------
SECTIONS:
1) Locations:
url --url="http://classroom.example.com/..."
repo --baseurl="..."
2) Auth:
3) Partition:
4) Network:
5) Config:
Manager
group --name=admins --gid=1001
cd /usr/share/
find . -name '*kickstart*.txt' -print
./pykickstart-1.99.43.17/kickstart-docs.txt
** /usr/share/doc/pykickstart-1.99.43.17/kickstart-docs.txt
Sample File: /root/anaconda-ks.cfg
-----------
echo "RUN_FIRSTBOOT=NO" >> /etc/sysconfig/firstboot
- press 'F12' to select the boot media, and choose 'pxe' boot
- on the boot menu, select the appropriate entry (usually the 1st one) and
press the 'tab' key to see the options
- add/append to the end of the line: ks=http://desktopX.example.com/ks-config/kickstart.cfg
%packages
:
:
%end
lab kickstart setup
- installed the httpd web-server
- created the /var/www/html/ks-config/ directory
cp /home/student/kickstart.cfg /var/www/html/ks-config/
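A pre-publish check for the kickstart file, added here as an example (it is not part of the original notes or of the course lab): it confirms that every %packages/%pre/%post/%addon section is closed by %end and that an installation source (url or cdrom) is present before the file is copied under /var/www/html/ks-config/. The sample kickstart text is constructed; for a full syntax check use ksvalidator from the pykickstart package mentioned above.

```shell
# Added example, not part of the original notes. KS_SAMPLE is constructed.
KS_SAMPLE='url --url="http://classroom.example.com/content/"
repo --name="updates" --baseurl="http://classroom.example.com/content/updates/"
group --name=admins --gid=1001
%packages
@core
%end
%post
echo "RUN_FIRSTBOOT=NO" >> /etc/sysconfig/firstboot
%end'

# Reads a kickstart on stdin; prints one "ERR ..." line per problem,
# exit status = number of problems (0 = clean).
ks_check() {
    awk '
        BEGIN { open = ""; bad = 0; src = 0 }
        $1 ~ /^%(packages|pre|post|addon)$/ {
            if (open != "") { print "ERR line " NR ": " $1 " opened inside " open; bad++ }
            open = $1; next
        }
        $1 == "%end" {
            if (open == "") { print "ERR line " NR ": %end without an open section"; bad++ }
            open = ""; next
        }
        # an installation source only counts outside %pre/%post scripts
        open == "" && ($1 == "url" || $1 == "cdrom") { src++ }
        END {
            if (open != "") { print "ERR: " open " is not closed by %end"; bad++ }
            if (src == 0) { print "ERR: no installation source (url/cdrom)"; bad++ }
            exit bad
        }'
}

# Problems in the constructed sample (expected 0) and in the same text with
# its final %end removed (expected 1).
ks_sample_problems() {
    rc=0; printf '%s\n' "$KS_SAMPLE" | ks_check >/dev/null || rc=$?; echo "$rc"
}
ks_broken_problems() {
    rc=0; printf '%s\n' "$KS_SAMPLE" | sed '$d' | ks_check >/dev/null || rc=$?; echo "$rc"
}

# Usage against a real file: ks_check < /root/anaconda-ks.cfg
```

Run it with `ks_check < kickstart.cfg` before the `cp` into the web root; a non-zero exit means the installer would stop on a malformed section or have nowhere to fetch packages from.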
____________________________________
Ch2: Regex / grep
------------------------------------
cat
dog
concatenate
dogma
They are my pets
My dog and cat live peacefully
category
educated
boondoggle
vindication
chilidog
# This is a comment using '#'(hash)
; This is a comment using ';' (semicolon)
Example:
string="My dog and cat live peacefully"
echo "$string" | grep -w dog        <-- match
echo "$string" | grep '\<dog\>'     <-- also match
c[aou]t  = c, followed by 'a' or 'o' or 'u', and ends with t
c.*t     = c, followed by ANY number of characters, ends with t
c.\{2\}t = c, followed by exactly 2 characters, ends with t
Using 'grep'
-i     = case IN-sensitive
-v     = display lines that do NOT match
-r     = search recursively in a directory or list of files
-A <N> = display <N> lines After the regex match
-B <N> = display <N> lines Before the regex match
-w     = matches the entire 'word' (word boundary) in the pattern
-e     = when you need to use multiple regexes with a logical OR
[0-9][0-9][0-9] = matches any 3 numbers
cat door.log |grep '1[345]:[0-9]\{2\}:[0-9]\{2\}' > door.out
cat wall.log |grep '14:[345][0-9]:[0-9]\{2\}' > wall.out
cat wall.out |grep -i -v 'no activity' > wall2.out
More examples: http://cyberciti.biz/faq/grep-regular-expressions
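The door.log / wall.log filters above, run against constructed sample lines so the patterns can be checked offline. This is an added example, not code from the original notes; the log contents and the WORK directory are made up for the demonstration.

```shell
# Added example, not part of the original notes. Sample logs are constructed.
WORK=${WORK:-$(mktemp -d)}

# Constructed samples: "HH:MM:SS message", one event per line.
make_sample_logs() {
    cat > "$WORK/door.log" <<'EOF'
12:59:59 door opened by alice
13:00:01 door opened by bob
14:30:12 door opened by carol
15:45:07 door forced
16:00:00 door opened by dave
EOF
    cat > "$WORK/wall.log" <<'EOF'
14:29:59 No activity
14:31:05 motion detected
14:45:10 NO ACTIVITY
14:52:33 motion detected
15:30:00 motion detected
EOF
}

# Events whose hour is 13, 14 or 15 (the '1[345]:' pattern from the notes).
door_hits() {
    grep -c '1[345]:[0-9]\{2\}:[0-9]\{2\}' "$WORK/door.log"
}

# Events between 14:30:00 and 14:59:59, dropping 'no activity' lines
# regardless of case (-i together with -v); -c counts what is left.
wall_active_hits() {
    grep '14:[345][0-9]:[0-9]\{2\}' "$WORK/wall.log" | grep -i -v -c 'no activity'
}

# Whole-word match (-w) versus plain substring match on the word list above.
count_word_dog() {
    printf '%s\n' cat dog concatenate dogma chilidog boondoggle | grep -w -c dog
}
count_substring_dog() {
    printf '%s\n' cat dog concatenate dogma chilidog boondoggle | grep -c dog
}

make_sample_logs
printf 'door: %s  wall (active): %s  -w dog: %s  substring dog: %s\n' \
    "$(door_hits)" "$(wall_active_hits)" "$(count_word_dog)" "$(count_substring_dog)"
```

The point worth noticing is the second filter: `-i -v` drops the 'NO ACTIVITY' line even though it is upper-case, which is exactly what `grep -v 'no activity'` alone would miss.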
____________________________________
Ch3: More vim
-----------------------------------
cmd mode: (default, when you first start vi/vim)
insert mode: press 'i' (or 'a' or 'o' or 'O')
yy = yank (copy)
dd = delete line
/etc/crontab
/etc/anacrontab
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
Shell scripts in the directories above are run at those intervals
*Files in /etc/cron.d/ have the usual 5 time-spec fields
Ch6: ACL
-----------------------------------
Extends the basic 'rwx' permissions of users and groups
2 commands:
a) setfacl (to set the ACL permissions of resources)
b) getfacl (to view the ACL permissions)
setfacl -m u:<name>:rwX <file|dir>
setfacl -m g:<name>:rwX <file|dir>
setfacl -m o::- <file> <-- the dash '-' means no permission
* if <name> is left blank, it applies to the file owner; otherwise <name> can be
the username or UID.
Default ACL
~~~~~~~~~~~~
setfacl -m d:u:<name>:rx <directory>
setfacl -x d:u:<name> <directory> <-- remove default ACL on dir. set previously
setfacl -b <dir>|<file> <-- removes ALL ACLs (including default ACL)
setfacl -k <directory> <-- removes default ACL on dir
** IMPORTANT: Always do 'chmod' first before setting the ACL via setfacl.
<<<________>>>
cd /shares
chown -R root:bakerstreet cases
chmod g+s cases
chmod 660 cases/*
setfacl -Rm g:scotlandyard:rwX cases
setfacl -Rm u:jones:r-X cases
setfacl -Rm d:g:scotlandyard:rwX cases
setfacl -Rm d:u:jones:r-X cases
setfacl -m g::rwX cases
(variant with setfacl on the group before the chmod of the files:)
cd /shares
chown -R root:bakerstreet cases
chmod g+s cases
setfacl -Rm g:scotlandyard:rwX cases
chmod 660 cases/*
setfacl -Rm u:jones:r-X cases
setfacl -Rm d:g:scotlandyard:rwX cases
setfacl -Rm d:u:jones:r-X cases
setfacl -m g::rwX cases
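Why the "chmod first" rule above matters, shown as an added example (not from the original notes): on a file that already carries a named-group ACL entry, a later chmod rewrites the ACL mask, and the group's effective rights silently drop to whatever the chmod group bits say. The gid 12345 is made up so that no real group is needed; the function reports "skipped" where setfacl is missing or the filesystem has no ACL support.

```shell
# Added example, not part of the original notes. gid 12345 is a constructed value.
acl_order_demo() {
    command -v setfacl >/dev/null 2>&1 || { echo skipped; return 0; }
    f=$(mktemp) || return 1

    # Wrong order: ACL first, then chmod. chmod 600 sets the group-class bits,
    # which on a file with an extended ACL is the mask, to --- so the named
    # group keeps its rw- entry but its effective rights are ---.
    if ! setfacl -m g:12345:rw "$f" 2>/dev/null; then
        rm -f "$f"; echo skipped; return 0      # filesystem without ACL support
    fi
    chmod 600 "$f"
    wrong=$(getfacl -c "$f" 2>/dev/null | grep -c '^mask::---')

    # Right order: chmod first, then setfacl, which recomputes the mask from
    # the ACL entries, so the named group really gets rw-.
    setfacl -b "$f"
    chmod 600 "$f"
    setfacl -m g:12345:rw "$f"
    right=$(getfacl -c "$f" 2>/dev/null | grep -c '^mask::rw-')
    rm -f "$f"

    if [ "$wrong" = 1 ] && [ "$right" = 1 ]; then echo ok; else echo mismatch; fi
}

acl_order_demo
```

After the wrong order, `getfacl` shows the named entry with `#effective:---` next to it; that is the line to look for when a group that "has rwX in the ACL" still gets permission denied.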
____________________________________
Ch7: SELinux
-----------------------------------
Standard Linux Security (DAC - Discretionary Access Control)
- only 2 privilege levels: "user" and "root"
- main problem: any process/program launched as the 'user' (bob)
has user bob's permissions. E.g. Bob launches Firefox - can Firefox
read Bob's private keys in ~/.ssh/id_rsa? YES. So a compromised Firefox
can wreak havoc. (Another example: Apache privilege escalation)
SELinux - MAC (Mandatory Access Control)
- default rule is everything is denied.
- every process ('subjects') has to be explicitly allowed to access
the resources ('objects') - such as files, sockets, devices, etc.
3 Types of Access Control
~~~~~~~~~~~~~~~~~~~~~~~
a) Type/Targeted Enforcement (TE) - this is the main mechanism
b) Role-Based Access Ctrl (RBAC)
c) Multi-Level Security (MLS) - usually in high security/Military
Security Context
---------------
In SELinux, all subjects (processes) and objects (system resources) are associated
with a 'type' which, taken together, controls the access permissions for specific
users. This combo of:
- vi /etc/httpd/conf.d/userdir.conf
search for "UserDir disabled" <-- change this to:
UserDir enabled
search for "#UserDir public_html" <-- the default is commented, i.e. it has a '#' at the
beginning, so uncomment it. It should read:
UserDir public_html
- stores only 1 copy of the partition data at the beginning of the hdd.
- if lost or corrupted, then the data is lost
GPT (GUID Partition Table) - use gdisk
GPT partitions are used in systems running UEFI.
- stores partition data at the beginning of the disk as well as a backup partition
table at the end of the disk, with CRC32 checksums
fdisk /dev/vda <-- note: there is no number,
i.e. fdisk /dev/vda1 <-- wrong.
gdisk /dev/vdb
FileSystems:
----------
mkfs -t xfs /dev/vda1 <-- specify partition '1', i.e. /dev/vda1
mkfs -t ext4 /dev/vdb2 <-- partition 2 on second hdd. "-t" is type
mount /dev/vdb2 /mnt
Persistent: Mount points specified at /etc/fstab
TO find "UUID":
--------------
blkid /dev/vdb1
blkid /dev/vdb2
Swap Space
------------
mkswap /dev/vdb2
swapon /dev/vdb2 <-- turn on the swap space
swapoff /dev/vdb2 <-- turn off swap
example /etc/fstab entries:
UUID=fadkasuyr...dfsc   swap   swap   defaults   0 0
UUID=fadkasuyr...dfsc   swap   swap   pri=1      0 0   (pri=1 specifies the swap priority)
The last 2 digits represent the "dump flag" and the "fsck" (filesystem check) order.
Since swap space does not need these 2 options, they are set to 0 0
For the root file system, it's 1 1
For a LOCALLY mounted file system (eg /dev/vdb1), they are usually 1 2 (but it
can also be 0 0):
the 'fsck' order is '2', which has lower priority than the root filesystem.
BUT for network mounted file systems (NFS or CIFS), use 0 0
because the remote disk is NOT under the local machine's control
To recap:
=========
fdisk /dev/vdb <-- to create partitions. Do NOT specify partition num.
n = create new partition. Then specify partition num.
accept the default first/starting sector
specify the disk size, e.g +512M or +1G, etc
p = print - display the changes you've made
t = change the partition type
w = write the changes to disk
Types, 't'
/dev/avengers/hulk
1 2
PV cmds
~~~~~~~~
pvcreate /dev/vdb1 /dev/vdb2
pvremove /dev/vdb1 /dev/vdb2
pvdisplay /dev/vdb2
pvmove /dev/vdb1 <-- this will move all the data (in the physical extents) to other PVs
in the same VG
VG cmds
~~~~~~~
vgcreate <vgname> /dev/vdb1 /dev/vdb2
vgremove <vgname>
vgdisplay <vgname>
vgextend <vgname> /dev/vdc1
LV cmds
~~~~~~~
lvcreate -n <lvname> -L <SIZE> <vgname>
lvremove /dev/vgname/lvname
lvdisplay /dev/vgname/lvname
lvextend -L +300M /dev/vgname/lvname
-> after running lvextend, remember to run 'xfs_growfs' to expand the file system
to occupy the extended LV, e.g.
# xfs_growfs /mnt/storage
** alternatively, you can use resize2fs, but instead of the mount point it takes the
LV name, e.g.
# resize2fs /dev/vgname/lvname <-- may not always work; use "xfs_growfs" first.
____________________________________
Ch11: NFS
-----------------------------------
RHEL7 uses NFSv4 (uses TCP) by default and falls back to nfs3 or nfs2 if nfs4 is
not available. (NFS 3 or 2 can use either tcp or udp)
* Manually mount a NFS share (via cmd line OR via /etc/fstab)
* Automatic mount of NFS share via 'autofs' service
NFS shares are secured by various methods: 'none', 'sys', 'krb5', 'krb5i' and 'krb5p'
The nfs client must connect to the exported share using one of the methods above
as specified by the share (via the mount option, sec=<method>)
The Kerberos option will require at least /etc/krb5.keytab, which will be provided.
It is outside the scope of this course. Just remember it's required!
The "nfs-secure" service (part of the 'nfs-utils' package) is used to manage
communication with the server when connecting to kerberos secured shares.
Steps in SEQUENCE:
--------------------
1. check if nfs-utils package is installed (yum list nfs-utils)
If not installed, then 'yum install nfs-utils'
2. download the 'krb5.keytab' from the server/classroom and rename it to /etc/krb5.keytab
a) /etc/fstab entries (the device/server column was not preserved in these notes):
mount point   type   options          dump  fsck
/mnt/public   nfs    sec=krb5p,sync   0     0
/mnt/manual   nfs    sec=sys,sync     0     0
/             xfs    defaults         1     1
/storage      xfs    defaults         0     2
b) Test it out:
# mount -a (to mount all the filesystem/shares in the /etc/fstab)
# df -h
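An fstab audit that applies the dump/fsck rules from the partition notes and the sec= requirement for NFS shares to a constructed /etc/fstab. This is an added example, not part of the original notes; the UUIDs, server names and mount points are made up. It flags swap or network filesystems (nfs, cifs) with anything other than "0 0", a root filesystem that is not "1 1", and NFS shares mounted without an explicit sec= method.

```shell
# Added example, not part of the original notes. FSTAB_SAMPLE is constructed.
FSTAB_SAMPLE='UUID=aaaaaaaa-0000-0000-0000-000000000001 /        xfs  defaults        1 1
UUID=aaaaaaaa-0000-0000-0000-000000000002 /storage xfs  defaults        0 2
UUID=aaaaaaaa-0000-0000-0000-000000000003 swap     swap pri=1           0 0
serverX.example.com:/shares/public /mnt/public nfs  sec=krb5p,sync  0 0
serverX.example.com:/shares/manual /mnt/manual nfs  sec=sys,sync    0 1
serverX.example.com:/shares/work   /mnt/work   nfs  sync            0 0
//serverX.example.com/docs /mnt/docs cifs credentials=/etc/smbcred.smb 1 2'

# Reads fstab text on stdin, prints one "WARN <mountpoint>: <reason>" per problem,
# and exits with the number of problems found (0 = clean).
audit_fstab() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        {
            mp = $2; type = $3; opts = $4; dump = $5; pass = $6
            if (type == "swap" && (dump != 0 || pass != 0)) {
                print "WARN " mp ": swap must use 0 0"; bad++ }
            if ((type == "nfs" || type == "cifs") && (dump != 0 || pass != 0)) {
                print "WARN " mp ": network filesystem must use 0 0"; bad++ }
            if (mp == "/" && (dump != 1 || pass != 1)) {
                print "WARN " mp ": root filesystem should use 1 1"; bad++ }
            if (type == "nfs" && opts !~ /(^|,)sec=/) {
                print "WARN " mp ": nfs share without sec= option"; bad++ }
        }
        END { exit bad }'
}

# Number of problems in the constructed sample (expected: 3 - /mnt/manual with
# fsck 1, /mnt/work without sec=, and /mnt/docs with 1 2).
sample_fstab_problems() {
    rc=0
    printf '%s\n' "$FSTAB_SAMPLE" | audit_fstab >/dev/null || rc=$?
    echo "$rc"
}

# Usage on a live system: audit_fstab < /etc/fstab
printf '%s\n' "$FSTAB_SAMPLE" | audit_fstab
```

A non-zero fsck field on a network share is the classic way to stall a boot (fsck is asked to check a disk the machine does not control), which is why the notes insist on "0 0" there; the awk check makes the rule something `mount -a` is never the first to find out about.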
For AutoMounts: (autofs)
~~~~~~~~~~~~~~~~~~~~~~~~~~
yum -y install autofs
a) create the master-map (*.autofs) files in the /etc/auto.master.d/
b) create the corresponding map file in /etc/ (eg. /etc/auto.shares, /etc/auto.direct,
/etc/auto.work)
c) Enable and start autofs service:
# systemctl enable autofs
# systemctl start autofs
Automounter Benefits:
- users do not need root privileges to run mount/umount cmds
- nfs shares are not permanently connected via /etc/fstab
- "autofs" is the service that handles all these
yum install autofs: will create the following files & dir:
/etc/auto.master.d/ <-- directory
/etc/autofs_ldap_auth.conf
/etc/auto.master
/etc/auto.misc
/etc/auto.net
/etc/auto.smb
1. create a 'master map' file (*.autofs) - which identifies the base directory used
for mount points as well as the mapping files (/etc/auto.*) used for creating the
automounts
Auto-Map:
=========
# vi /etc/auto.master.d/master.autofs
(add the following entry)
/shares   /etc/auto.work        <-- /shares is the 'base directory'
# vi /etc/auto.work
work   -rw,sync,sec=krb5p   serverX.example.com:/shares/work
docs   -rw,sync,sec=sys     serverX.example.com:/shares/docs
'work' & 'docs' are the mount points that will be automatically created/removed
by the 'autofs' service. The full path is /shares/work & /shares/docs (remember
that /shares is the base dir for the mount points)
OR, use a wildcard:
# vi /etc/auto.work
*   -rw,sync,sec=krb5p   serverX:/shares/&
Direct-Map:
===========
The master-map file content: /etc/auto.master.d/direct.autofs
/-   /etc/auto.direct
The content for the mapping-file: /etc/auto.direct:
/mnt/public   -rw,sync,sec=krb5p   serverX:/shares/public
note: you need to create the /mnt/public directory manually.
In the case of auto-map, you only have to create the base dir (/shares)
and the autofs service will automatically create the 'work' and 'docs' directories
when needed.
__________
IMPORTANT:
1) Use the Fully Qualified Name, i.e. serverX.example.com:/shares and NOT serverX:/shares
2) Double check the 'security' type, i.e. sec=krb5p <-- don't forget the 'p' if asked
to use encryption for security. (krb5i = for integrity check, and 'sys' for local
system security).
____________________________________
Ch12: SMB
------------------------------------
- Mount SMB file systems manually (cli and /etc/fstab)
- Mount SMB file systems (CIFS) automatically - via autofs
Required software packages: cifs-utils
Optional (but useful): samba-client package - has the 'sambaclient-*' cmd line utilities
3 Steps:
-------
a) identify the remote share to access
b) determine the mount point where the share should be mounted (create it locally
if needed)
c) mount the SMB share via cli or appropriate config change
Authentication:
- SMB shares can be flagged as non-browseable, and can be restricted to specific
users or groups
- there are many authentication schemes supported by SMB; the most common is the
username/password combo.
(these can be stored in /etc/fstab itself or in a secret 'credentials' file, e.g.
/etc/smbcred.smb)
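The credentials-file approach mentioned above, as an added example (not part of the original notes): the username and password go into a separate file created with mode 0600, and the /etc/fstab line only references that file through the cifs `credentials=` mount option, so the password never sits in the world-readable fstab. The share, mount point, user, password and file path are constructed for the demonstration.

```shell
# Added example, not part of the original notes. Values are constructed.

# Usage: write_smb_credentials <file> <username> <password> [domain]
# Writes the cifs credentials file, unreadable to anyone but the owner (root).
write_smb_credentials() {
    file=$1 user=$2 pass=$3 dom=${4:-}
    ( umask 077                                # created as 0600 from the start
      { printf 'username=%s\n' "$user"
        printf 'password=%s\n' "$pass"
        [ -n "$dom" ] && printf 'domain=%s\n' "$dom"
        : ; } > "$file" )
    chmod 0600 "$file"                         # also fixes a pre-existing, wider file
}

# Usage: smb_fstab_line <//server/share> <mountpoint> <credentials file>
# _netdev defers the mount until the network is up; 0 0 as for any network fs.
smb_fstab_line() {
    printf '%s %s cifs credentials=%s,_netdev 0 0\n' "$1" "$2" "$3"
}

# Returns "ok" when the credentials file ends up mode 0600 and the fstab line
# built from it contains no password; "leaked" or "mode <n>" otherwise.
smb_demo() {
    dir=$(mktemp -d) || return 1
    cred="$dir/smbcred.smb"
    write_smb_credentials "$cred" student 'S3cret!' EXAMPLE
    line=$(smb_fstab_line //serverX.example.com/share /mnt/share "$cred")
    mode=$(stat -c %a "$cred" 2>/dev/null || stat -f %Lp "$cred")
    rm -rf "$dir"
    case "$line" in *S3cret*) echo leaked; return 1;; esac
    [ "$mode" = 600 ] && echo ok || echo "mode $mode"
}

smb_demo
```

On a real host the file would be /etc/smbcred.smb, owned by root, and the same path is what goes into an autofs map entry's options as `credentials=/etc/smbcred.smb`.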
Manual Mount
~~~~~~~~~~~~
CLI:
//serverX/share /mnt/share
serverX:/shares
l system
3. Ctrl-X to continue booting - a root shell is presented where the actual system
is mounted as 'read-only' on /sysroot
4. RE-mount /sysroot as read-write:
# mount -o remount,rw /sysroot
# chroot /sysroot <-- switch into the chroot jail, where /sysroot is treated as
the root of the file-system tree
# passwd root <-- reset root pass
# touch /.autorelabel <-- needed for SELinux relabelling for correct perm settings
6. # exit (to exit from chroot)
# exit (exit the initramfs debug shell)
Repairing Grub2
---------------
grub2-mkconfig > /boot/grub2/grub.cfg
* in grub menu entries, "linux16" is valid. Anything else
such as "os16" is wrong.
______
NOTES:
-----
to remount a 'read-only' filesystem:
# mount -o remount,rw /
____________________________________
Ch14: FirewallD
------------------------------------
- old ways: iptables, ip6tables, ebtables <-- find out what's ebtables
- firewalld - manages both ipv4 and ipv6
- All network traffic is classified into "zones".
- based on criteria such as the source IP of the packet or the incoming NIC, traffic is
diverted to the appropriate zone and the rules in that zone are then applied
* every packet that comes into the system is first checked for its source IP addr.
If it matches a specific zone, then the rules in that zone are applied. If the source
IP is not tied to a zone, then the zone for the incoming network interface is used.
If the network interface is not associated with any zone for some reason, then the
default zone will be used. The 'public' zone is used by default.
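A small model of the zone-selection order just described (source address first, then the interface's zone, then the default zone), added as an example that is not part of the original notes. The bindings are constructed; on a real host they are what `firewall-cmd --get-active-zones` and `firewall-cmd --get-default-zone` report.

```shell
# Added example, not part of the original notes. Bindings and addresses are constructed.
SOURCE_BINDINGS='trusted 10.0.0.5
internal 192.168.1.0/24'
INTERFACE_BINDINGS='work eth0
dmz eth1'
DEFAULT_ZONE=public

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr <ip> <network/prefix or plain host>: succeeds when <ip> falls inside.
ip_in_cidr() {
    ip=$1; net=${2%/*}; bits=${2#*/}
    if [ "$net" = "$2" ]; then [ "$ip" = "$net" ]; return; fi   # no prefix: exact host
    shift_by=$((32 - bits))
    [ $(( $(ip_to_int "$ip") >> shift_by )) -eq $(( $(ip_to_int "$net") >> shift_by )) ]
}

# zone_for <source ip> <incoming interface>: prints the zone whose rules apply.
zone_for() {
    src=$1; iface=$2
    # 1. a source binding wins over everything else
    z=$(echo "$SOURCE_BINDINGS" | while read -r zone cidr; do
            if ip_in_cidr "$src" "$cidr"; then echo "$zone"; break; fi
        done)
    if [ -n "$z" ]; then echo "$z"; return 0; fi
    # 2. otherwise the zone the incoming interface is bound to
    z=$(echo "$INTERFACE_BINDINGS" | while read -r zone dev; do
            if [ "$dev" = "$iface" ]; then echo "$zone"; break; fi
        done)
    if [ -n "$z" ]; then echo "$z"; return 0; fi
    # 3. otherwise the default zone
    echo "$DEFAULT_ZONE"
}

for probe in "10.0.0.5 eth1" "192.168.1.77 eth0" "203.0.113.9 eth1" "203.0.113.9 eth9"; do
    set -- $probe
    printf '%-14s via %-5s -> %s\n' "$1" "$2" "$(zone_for "$1" "$2")"
done
```

The first probe is the case worth remembering: a packet from 10.0.0.5 arriving on eth1 lands in 'trusted', not in 'dmz', because the source binding is consulted before the interface binding.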
Pre-defined zones:
------------------
- trusted
- internal: similar to home
- home: reject all unless related to outgoing or ssh,ipp-client,dhcpv6-client,
mdns,samba
- work: reject all unless related to outgoing or ssh,ipp-client,dhcpv6-client
- public: reject all unless related to outgoing or ssh, dhcpv6-client
- external: reject all unless related to outgoing or ssh. Outgoing ipv4 traffic
thru this zone is masqueraded.
- dmz: reject all unless related to outgoing or ssh