LinuxCBT EL-7 Edition Notes

November 10, 2017 | Author: Amine Naceureddine | Category: Zip (File Format), Superuser, Unix, Computer Data, Utility Software

#LinuxCBT EL-7 Edition#
Current Release: 7
We will use:
1. CentOS 7x
2. RedHat Enterprise 7x
3. Kernel Version: 3.10.x
  a. 'kpatch' - dynamic kernel patching facility - Tech Preview
  NOTE: Tech Previews are subject to problems that may adversely affect production
  NOTE: Live patching positively impacts uptime (fewer reboots for kernel fixes)
  b. 'modprobe.blacklist=module' - module blacklisting facility, where necessary (conflicts with other modules, problematic hardware support or similar)
4. SWAP compression via 'zswap' - handled automatically by the kernel
5. Installer supports:
  a. graphical (default) - new consolidated GUI (ALL options are on 1 screen)
  b. text-based - options are spread across a series of screens
6. 6.5x -> 7x in-place upgrades supported
  NOTE: Documentation claims NOT suggested, though supported
  NOTE: Back up and attempt on clone instances first
  NOTE: Clone instance should have the APP stack, not the data: i.e. '/home'
7. Installable from:
  a. Local media: CDs | DVDs
  b. ISO images
    b1. DVD image - most of the common selectable packages and package groups
    b2. Everything image - ALL available packages - CentOS
    b3. Network-based - Minimal installation - fetches the remainder from the Net
    b4. Live images - GNOME | KDE
8. GUI - Desktop (Window Dressing)
  a. GNOME 3
    a1. GNOME Boxes (Virtualization light)
  b. KDE
9. 'systemd' - replaces 'sysv' and 'upstart' - SysV and LSB init-script compatible
10. 'NetworkManager' - now includes FULL CLI support and improved NIC management
  NOTE: NetworkManager supports traditional NIC interface scripts
11. 'firewalld' - firewall manager
12. 40Gbps Ethernet support
13. KVM - Virtualization
14. Open VMware Tools are included
  NOTE: Improves performance and manageability within VMware HOSTS (ESX, etc.)
15. XFS - Default FS for new installations
  a. 16-Exabyte FS
  b. 8-Exabyte Files
  c. Online up-sizing (NOT downsizing)
16. GRUB2 - Default Bootloader - GPT, EFI, BIOS, OpenFirmware support
17. Platforms:
  a. x86_64 (64-bit) - Intel | AMD
  b. IBM Power7
  c. SystemZ 196+
18. Storage: 7.5GB or higher
19. Installation is consolidated and uses the same detection tools used at run-time
20. Installer makes sensible partitioning decisions, especially when storage is limited, reducing the footprint to 2 partitions:
  a. /

  b. SWAP

# GUI Installation of RedHat Enterprise 7x #
1. DVD ISO - most packages
2. Deploy within VMware ESXi
3. Install from the Windows Management GUI - vSphere Client
NOTE: The new installer presents a consolidated GUI interface (ALL options) on 1 screen
NOTE: Multiple tasks can be carried out during installation: i.e. 'root password', 'additional user' and the like
NOTE: Configure the NIC prior to NTP configuration
NOTE: An initial Kickstart file is still written, to shorten the time required for subsequent installs: '~root/anaconda-ks.cfg'
NOTE: The default GNOME LOGIN screen allows anyone to restart | power-off the system. Will tweak later.

# Text-based Installation #
1. CentOS 7x
2. RedHat Enterprise 7x
NOTE: It's as simple as passing the string 'inst.text' on the kernel's command line during installation
NOTE: The installation process is carried out via TEXT but does NOT impact the outcome of the installed server's interface, i.e. the server may run with or without a GUI
NOTE: It's merely a matter of the interface presented during installation, indicated by the 'inst.text' option passed on the installation kernel's command line (CLI)
NOTE: Press 'Tab' at the installation's main GRUB2 menu and modify the kernel line to include 'inst.text' to invoke TEXT mode
NOTE: Sometimes VMware ESXi does NOT update the screen when it receives no stream of data from the GUEST, which results in console-access delays
NOTE: An 'inst.text' TEXT-mode installation results in the system booting to the multi-user target (runlevel 3) by default. Use 'systemctl isolate graphical.target' (or 'init 5') to enter the GUI and 'systemctl set-default graphical.target' to make it persistent; '/etc/inittab' is no longer consulted under systemd

# Network-based (HTTP) #
Requirements:
1. HTTPD instance somewhere: i.e. IIS, Apache, etc.
2. Export of the tree (ISO image contents) to the HTTP share location (URL)
3. Client-side - minimal (network boot) ISO image - Net access
NOTE: PXE-booting obviates the need for any local media - look at this if desired
Tasks:
1. Explore HTTP configuration
  a. 192.168.75.101/{RHEL,CentOS}
    a1. http://192.168.75.101/CentOS/7
    a2. http://192.168.75.101/RHEL/7

NOTE: Any of the ISO images will let you change the source to a network source

# Kickstart Configuration #
Features:
1. Automates delivery - rapid provisioning
NOTE: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide_/sect-kickstart-syntax.html
2. Post-installation, the '~root/anaconda-ks.cfg' file is created. This file represents the settings associated with the current installation
NOTE: If you, as we will, re-install existing systems using the resultant KS CFG files, there will be at least 1 prompt during installation concerning the target disk
3. The location of the CFG file MUST be specified upon installation invocation
  a. 'Tab' at the main GRUB screen, indicate that KS is desired:
    a1. 'inst.ks=http://192.168.75.101/{RHEL,CentOS}/*.cfg'
NOTE: Name your .cfg files in a fashion similar to Virtual Machine images: i.e. centos7-infrastructure-server-gui.cfg, rhel7-is-gui-40GB.cfg
4. Debug information is stored in '/tmp' of the target system during installation
5. NOTE: 'Kickstart Configurator' (system-config-kickstart) is NO longer developed and does NOT cover ALL possible directives
6. Required / optional sections are the same as before: i.e. the command section, %packages, [%pre] and [%post]
7. Omitted items will cause the installer to prompt the user for input
Tasks:
1. Re-install both systems in an automated fashion
  a. Access nodes
  b. Modify .cfg files
  c. Publish .cfg files to the HTTP repository
    c1. 'inst.ks=http://192.168.75.101/CentOS/centos7-is.cfg'
    c2. 'inst.ks=http://192.168.75.101/RHEL/rhel7-is.cfg'
  d. Re-install nodes using the minimal|network ISO, referencing the .cfg files
NOTE: Ensure that published (HTTP) .cfg files are flagged 644 or otherwise readable by the web user
NOTE: A published .cfg is readable by anyone who can reach the web server: keep 'rootpw --iscrypted' (never a plaintext root password) and treat the %post section as code that runs as root on every install, so only trusted users may write to the repository
NOTE: Since we reprovisioned the CentOS7 instance entirely in VMware, its default SDA was blank, which rendered the installation fully automated
NOTE: If the VM instance fails to boot from the ISO image, try the following:
  1. Delete, then re-provision the GUEST
  2. Remove the startup disk and provision anew
2. Repeat the process for the other server
NOTE: This is mostly automated, because we still must indicate the location of the .cfg file at the GRUB2 menu
NOTE: It is possible to fully automate by using PXE and DHCP configuration that tells the client which .cfg file to use
NOTE: Either way, it is still required to indicate which .cfg file to use for installation

# Rescue Environment #
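Before a Kickstart .cfg goes onto the HTTP repository described in the Kickstart section above, it is worth checking what it exposes. The following is an added example, not code from the LinuxCBT notes: a POSIX shell checker, 'ks_check', that refuses a Kickstart file whose 'rootpw' line is neither '--iscrypted' nor '--lock', or which is group/world-writable, and 'ks_publish', which copies a passing file into the web tree with mode 644. The function names, the two sample .cfg files and the '$6$EXAMPLESALT$EXAMPLEHASH' placeholder are this example's own constructions, not real system files or hashes.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: check a Kickstart .cfg before
# it is published on the HTTP repository. Function and file names are this
# example's own; the sample files below are constructed.

# ks_check FILE
# Returns 0 when FILE is safe to publish, 1 (with reasons on stdout) when:
#  - there is no rootpw line (the installer will stop and prompt), or
#  - rootpw is neither --iscrypted nor --lock, i.e. a plaintext root password
#    would be served to anyone who can reach the web server, or
#  - the file is group- or world-writable: %post runs as root on every
#    install, so a writable .cfg is remote root on all future builds.
ks_check() {
    file=$1
    rc=0
    if ! grep -q '^rootpw ' "$file"; then
        echo "$file: no rootpw directive"; rc=1
    elif grep '^rootpw ' "$file" | grep -Eqv -- '--(iscrypted|lock)'; then
        echo "$file: rootpw is not --iscrypted (plaintext password would be published)"; rc=1
    fi
    # Characters 6 and 9 of 'ls -l' output are the group and other write bits.
    case $(ls -ld "$file" | cut -c6,9) in
        *w*) echo "$file: group- or world-writable"; rc=1 ;;
    esac
    return $rc
}

# ks_publish FILE DOCROOT: copy FILE into the web tree with mode 644 (readable
# by the web user, writable by nobody else) only if ks_check passes.
ks_publish() {
    ks_check "$1" || return 1
    cp "$1" "$2/" && chmod 644 "$2/$(basename "$1")"
}

# --- constructed demonstration files ---
demo=$(mktemp -d)
mkdir "$demo/htdocs"
cat > "$demo/bad.cfg" <<'EOF'
#version=RHEL7
install
url --url=http://192.168.75.101/RHEL/7
rootpw --plaintext changeme
%packages
@core
%end
EOF
cat > "$demo/good.cfg" <<'EOF'
#version=RHEL7
install
url --url=http://192.168.75.101/RHEL/7
rootpw --iscrypted $6$EXAMPLESALT$EXAMPLEHASH
%packages
@core
%end
EOF
chmod 600 "$demo"/*.cfg

ks_publish "$demo/bad.cfg"  "$demo/htdocs" || echo "bad.cfg rejected"
ks_publish "$demo/good.cfg" "$demo/htdocs" && echo "good.cfg published"
```

The hash check is deliberately loose: any 'rootpw' line carrying '--iscrypted' passes, so a hash generated with an obsolete algorithm would still be published. Generate the value with a SHA-512 crypt ('$6$' prefix), which is what 'anaconda-ks.cfg' itself records.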

Features:
1. Multiple modes
  a. Rescue
  b. Emergency
NOTE: Both are based on an installed system: i.e. N3
NOTE: Both provide single-user modes to attempt to rectify system problems
NOTE: Both modes are accessible from an already running system via 'systemctl {rescue,emergency}'
NOTE: As a result of these modes, you enter single-user mode, which drops network connectivity, thus external connections
NOTE: 'systemctl ...' typically sends wall messages to logged-in users, unless the '--no-wall' option is used
NOTE: Also reachable by passing 'inst.rescue' on the kernel boot line of the installation media
NOTE: The standard GRUB2 menu's secondary '...rescue' option is really a backup kernel, which launches into multi-user mode
2. Install Rescue Mode - based on the installation sources
  a. Provides a TUI and an emergency fall-back $SHELL to help recover the system
  b. Select from the 'Troubleshooting' menu or append 'inst.rescue' to the kernel boot line
  c. Searches the system for a mountable '/' FS and mounts it at '/mnt/sysimage'
    c1. This helps to fix files that may have been corrupted, i.e. /etc/fstab, and possibly a corrupted GRUB2 environment
    c2. 'chroot /mnt/sysimage' - this becomes the new '/' and allows you to use ALL installed functionality, i.e. 'grub2-install /dev/sda' (the boot disk, not a directory)
NOTE: Possible to fix a bad driver which prevents the system from loading
NOTE: Nowadays, virtualize, and take snapshots prior to ALL key updates
Tasks:
1. Mislabel the GRUB2 references to the kernel
  a. '/etc/grub2.cfg'
2. Boot from Install Rescue Mode (from any ISO that boots the installer) and repair
3. Repeat on CentOS
NOTE: If you lose the 'root' password, use:
  a. Install Rescue Mode to mount the '/' FS
  b. 'chroot /mnt/sysimage'
  c. 'passwd root'
  d. 'reboot'
NOTE: Because of this, for security purposes, control which boot media is permitted for ALL systems: anyone who can boot a system from their own media owns it. Restrict the firmware boot order and set firmware and GRUB2 passwords wherever physical or console access is not trusted

# Basic Linux Skills #
1. 'whoami' - reveals the currently-logged-in user - per-$SHELL (TTY) basis
2. 'tty' - reveals the name of the terminal attached to the current $SHELL
3. 'w', 'who' - reveal the connected users and terminals
4. '/' - parent of ALL directories
  a. Default upon LOGIN and instantiation of a new $SHELL is to place you in your $HOME
  b. 'pwd' - reveals your current location as an absolute path (relative to '/')
  c. 'cd' - moves you around
    c1. 'cd ~' - directs you to your $HOME
    c2. 'cd ~USER' - directs you to that USER's $HOME
  d. 'ls' - myriad options reveal directory contents
5. 'id' - reveals your account and group details
6. 'touch' - creates, by default, an empty file, otherwise updates the timestamps associated with the target file(s)

7. 'echo' - echoes what you tell it to
8. 'cat' - dumps the contents of TEXT files
  a. 'echo "1" > 1.txt'
  b. 'echo "2" > 2.txt'
  c. 'cat 1.txt 2.txt > 1.2.txt'
9. 'mkdir NAME'
10. 'rm -rf temp/' - wipes the directory structure
  a. 'cp -apvf temp temp2' - duplicates the contents of the 'temp' DIR to the newly-created 'temp2' DIR
  b. 'rm -rf temp/'
  c. 'mv temp2 temp'
11. 'history' - reveals the history of executed commands
  a. '!NUM' - executes the command indexed at NUM
12. Pagers - paginate textual data on a per-screen basis, dynamically
  a. 'more'
  b. 'less' - typically 'f' (or space) to move forward, 'b' to move back
13. Heads and Tails
  a. 'head' - examines the top of a document
  b. 'tail' - examines the bottom of a document
14. Word Count - which also counts the number of lines in a document
  a. 'wc -l' - counts the number of lines
  b. 'wc FILE' - counts lines, words and bytes
15. Ascertain the type of a target FILE
  a. 'file FILE' - uses a variety of methods (content signatures, not the file extension) to deduce the target file's type
16. Process status listing using 'ps'
  a. 'ps' - displays processes tied to the current $SHELL, which usually is a limited subset of the total
  b. 'ps -ef' - columns: 'UID PID PPID C STIME TTY TIME CMD'
17. Free memory (RAM && SWAP)
  a. 'free -m'
18. Disk Partition Utilization (Free): 'df'
  a. 'df -h'
19. Directory Utilization: 'du'
  a. 'du -chs' - scans the tree and produces a summary of usage
  b. 'du -chs /home' - dumps the full utilization of the /home tree
  c. 'du -chs /var' - same for the /var tree
20. Top processes and related metrics
  a. Aggregates data from multiple tools: uptime, ps, free and others
  b. 'top'
  c. 'uptime' - dumps how long the system has been up

# Compression Utilities: tar, gzip, bzip2, zip #
Features:
1. Archive and compress
Tasks:
1. 'gzip'
  a. 'gzip -c Xorg.9.log.old > Xorg.9.log.old.gz'
  b. 'gunzip Xorg.9.log.old.gz'
  c. 'gzip -l Xorg.9.log.old.gz' - reveals stats about the compressed object
  d. 'zcat Xorg.9.log.old.gz' - decompresses the content on-the-fly to STDOUT

2. 'bzip2'
  a. 'bzip2 -c Xorg.9.log.old > Xorg.9.log.old.bz2'
  b. 'bunzip2 Xorg.9.log.old.bz2'
  c. 'bzcat Xorg.9.log.old.bz2'
3. Zip & Unzip - typically most compatible with Windows
  a. 'zip Xorg.9.log.old.zip Xorg.9.log.old' - TARGET first, SOURCE second
NOTE: 'zip' includes native archival abilities, which is why you typically won't find *.tar.zip files, but rather *.tar.{bz2,gz}
4. Tar with gzip && bzip2
  a. 'tar -cvf linuxcbt-temp.tar /home/linuxcbt/temp' - creates an archive with NO compression
  b. 'tar -tvf FILE' - exposes the contents, like 'unzip -l', without extraction
  c. 'tar -xvf FILE' - extracts the archive to the current directory
  d. 'tar -cvzf linuxcbt-temp.tar.gz /home/linuxcbt/temp' - creates an archive WITH gzip compression
  e. 'tar -cvjf linuxcbt-temp.tar.bz2 /home/linuxcbt/temp' - creates an archive WITH bzip2 compression
  f. 'tar -cvjf linuxcbt-temp.tar.bz2 /home/linuxcbt/temp /etc /var/log' - several sources into one archive
NOTE: With 'zip' and 'tar', because they are archival tools, it makes sense to specify the TARGET first, then an arbitrary number of source files/directories
NOTE: 'tar' strips the leading '/' from member names on creation and extraction (it prints "Removing leading `/' from member names"), so an archive of absolute paths extracts relative to the current directory; always 'tar -tvf' an archive of unknown origin before extracting it
  g. 'tar -xvjf linuxcbt-temp.tar.bz2'

# 'systemd' Service Management Framework #
Features:
1. Akin to Solaris's SMF
2. Provides a comprehensive unit management facility (services, devices, paths, etc.)
3. Replaces 'upstart' - provides faster boot times due to a variety of features. i.e. SSH && MySQL depend upon the Network Target, but not on each other, so as long as the Network Target has loaded properly, both SSH and MySQL can be invoked in parallel
NOTE: 'systemd' provides, like SMF, more discrete dependency relationships, unlike SysV, which is numerically oriented, thus making it a serial system-invoker
4. Manages various facets via 'UNIT' files (units): i.e.
  a. services: i.e. ssh, httpd, etc.
  b. devices: USB, Storage, etc.
  c. sockets: networking, TCP/IP
  d. paths: file or directory
  e. mounts: NFS, Automount, etc.
  f. snapshots: the ability to temporarily save the system state
NOTE: 'service' units (.service files) replace SysV-style INIT scripts and play the same role
5. SysV and LSB init-script compatible - provides legacy support
6. Service management via 'systemctl': status | start | stop | restart | enable | disable
NOTE: Currently, 'systemctl' does NOT support custom service management commands
NOTE: 'service' && 'chkconfig' are available, but superseded by 'systemctl' - use this instead. The capabilities of both tools are collapsed|consolidated into 'systemctl'
7. Runlevel control - mapped to 'target' units for compatibility
NOTE: 'runlevel' is provided, however 'N' is sometimes returned when the target doesn't map directly
NOTE: Runlevels are mapped to pre-defined targets in '/usr/lib/systemd/system/runlevel*.target'

NOTE: These files spell out, i.e.: When may a service load? What's required? When should the service NOT load?
8. State control:
  a. emergency
  b. rescue
  c. poweroff
  d. restart
  e. hibernation
  f. suspension
9. 'systemd' units - encapsulation of the following:
  a. services
  b. sockets
  c. system state snapshots
  d. paths
  e. mounts
  f. etc.
10. Supports system state snapshots - the current unit configuration, which is temporarily held
NOTE: snapshots do NOT persist across reboots
11. D-Bus activation of services
  a. D-Bus activation (where supported by the service) allows on-demand invocation of a service upon request by the client (service)
12. Socket-based activation (where supported by the service) allows messages to be queued during service restarts
  a. 'systemd' functions as a proxy (broker) between the client and the ultimate service
13. Device-based activation - i.e. a hot-plugged device activates the corresponding service(s)
14. Path-based activation - if a particular file || directory is accessed, the corresponding service(s) is invoked. i.e. NFS, NFS with Automount
15. On-demand starting of daemons
16. Parallelization of service invocation at startup: i.e. MySQL && SSH
17. Mount || Automount management
18. Services do NOT inherit the environment ($PATH && $HOME) of the $USER who started them - more secure
Key Directories:
1. '/usr/lib/systemd/system' - repository of ALL packaged units: the counterpart of /etc/rc.d/init.d
2. '/etc/systemd/system' - administrator-created units and the symlinks created by 'systemctl enable'; a unit here overrides a same-named unit in /usr/lib
3. '/run/systemd' - run-time systemd units - auto-generated

# SystemD Primary user-space tool: 'systemctl' #
Features:
1. All-encompassing device | service management tool
2. Provides comprehensive power-management options:
  a. halt
  b. reboot
  c. poweroff
  d. hibernate
  e. suspend - especially important with Virtual instances and mobile devices
Tasks:
1. Explore basic power management control
  a. 'init 6' - 'systemctl [--no-wall] reboot'
  b. 'init 0' - 'systemctl [--no-wall] poweroff'
NOTE: 'init 6', etc., still works, but may eventually be deprecated
2. Service Management

  a. 'systemctl' - dumps ALL managed units: services, devices, paths, mounts, sockets, etc.
  b. 'systemctl list-units' - lists loaded units of ALL types
  c. 'systemctl list-sockets' - lists loaded sockets, ordered by address
NOTE: Useful in debugging problems communicating with sockets
  d. 'systemctl status [NAME..|PID..]' - shows runtime status
    d1. '/usr/lib/systemd/system/atd.service' - actual service file
NOTE: The data returned is comprehensive, and under prior versions of RHEL we had to aggregate these data from various sources: i.e. 'ps -ef | grep service_name', 'cat /var/run/PID', '/etc/*'
  e. 'systemctl show [NAME..|JOB..]' - shows properties of the units
  f. 'systemctl -t service' - returns ONLY services
  g. 'systemctl -t {device,socket}' - lists devices || sockets
3. Install Apache and manage the service
  a. 'yum install httpd'

# Checksums #
Features:
1. Generate fingerprints based on a set of data
  a. Files
  b. STDIN
2. Verifies the integrity of data: detects corruption and, with a collision-resistant hash obtained over a trusted channel, tampering
3. Published content online is usually accompanied by checksums for your perusal
Tasks:
1. 'nano test.txt' - populate with junk
2. 'md5sum test.txt' - run repeatedly while editing the file:
  'ba1f2511fc30423bdbb183fe33f3dd0f'
  '4cd713d16b3f7078041799001428d0ee'
  'ba1f2511fc30423bdbb183fe33f3dd0f'
NOTE: A different digest means the content changed; identical digests (same algorithm) mean identical content
NOTE: md5sum = 128-bit digest
NOTE: md5 works for detecting accidental corruption; however, MD5 (and SHA-1) are collision-broken, so for tamper detection use 'sha256sum' or 'sha512sum', and obtain the reference digest from somewhere an attacker who could replace the file could not also edit
3. 'sha1sum test.txt' - returns a 160-bit digest
4. Copying a file does NOT change its content, which means the checksum of the copy is identical to the source
5. Moving the file across the wire has no checksum effect, IF the file was transferred in total: 100%
NOTE: i.e., if you transfer a fractional text file, you will have checksum mismatches
NOTE: Broken or incomplete transmissions run the gamut of industries and impact us all. SO, check your checksums.
  a. 'rsync -avvzP *txt 192.168.75.121:'
  b. confirm checksums post-data-move
6. Generate a large file, copy it, and break the transmission
  a. 'dd if=/dev/zero of=512MB bs=1M count=512'
  b. 'rsync -avvzP 512MB 192.168.75.121:' - break during transmission
NOTE: Automated scripts may simply check for the existence of a file object and NOT necessarily the object's checksum or even a size range within which the file should be. This ultimately introduces corrupt data into your environment.

# GREP #
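The transfer-verification step from the Checksums tasks above (items 5 and 6), written out as an added example that is not part of the notes: a POSIX shell function 'verify_copy' compares the size and SHA-256 digest of a copy against its source, and 'verify_published' checks a file against a separately published digest, the way a download site expects. It is demonstrated on a constructed 4 MiB random payload, one complete copy and one truncated copy standing in for an interrupted rsync session. 'sha256sum' is assumed (with 'shasum -a 256' as fallback); the file and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: verify that a transferred file
# is byte-for-byte the published one, and show that a partial transfer is
# caught. File and function names are this example's own; the payload is
# constructed here (random data standing in for the 512MB file above).

# Prefer SHA-256 over md5sum. MD5 still catches truncation and bit flips,
# but it is collision-broken, so it cannot prove that nobody tampered.
sum_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # e.g. macOS
    fi
}

# verify_copy SOURCE COPY
# Returns 0 if COPY matches SOURCE in size and digest, 1 otherwise.
# The size check is cheap and catches the common "rsync interrupted" case
# before any hashing is done.
verify_copy() {
    src=$1 dst=$2
    src_size=$(wc -c < "$src" | tr -d ' ')
    dst_size=$(wc -c < "$dst" | tr -d ' ')
    if [ "$src_size" -ne "$dst_size" ]; then
        echo "$dst: size mismatch ($dst_size of $src_size bytes)" >&2
        return 1
    fi
    if [ "$(sum_file "$src")" != "$(sum_file "$dst")" ]; then
        echo "$dst: digest mismatch" >&2
        return 1
    fi
    return 0
}

# verify_published FILE DIGESTFILE
# The form a download site hands you: compare FILE against a digest that was
# published separately (ideally fetched over a channel the file's host cannot
# alter). Returns 0 on match.
verify_published() {
    [ "$(sum_file "$1")" = "$(cut -d' ' -f1 < "$2")" ]
}

work=$(mktemp -d)
dd if=/dev/urandom of="$work/payload" bs=1048576 count=4 2>/dev/null
sum_file "$work/payload" > "$work/payload.sha256"        # "publish" the digest

cp "$work/payload" "$work/payload.full"                    # complete transfer
head -c 3145728 "$work/payload" > "$work/payload.partial"  # 3 MiB of 4 arrived

verify_copy "$work/payload" "$work/payload.full"    && echo "full copy OK"
verify_copy "$work/payload" "$work/payload.partial" || echo "partial copy rejected"
```

The size comparison alone would have caught this truncation; the digest is what catches a complete-length file whose bytes differ, which is the case that matters for tampering.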

Features:
1. Searches text files (textual data - typically line-based data) for matches
  a. Simple (basic) regular expressions
  b. Extended regular expressions ('egrep' || 'grep -E')
2. Specializes in returning the FULL line of the matched item
Tasks:
1. Create dummy data to parse
  a. 'grep "Linux" grep.test.txt' - returns lines that contain "Linux" anywhere
  b. 'grep "^Linux" grep.test.txt' - returns lines that begin with "Linux"
  c. 'grep '^Linux$' grep.test.txt' - returns lines that consist solely of 'Linux'
  d. 'grep 'LinuxCBT' grep.test.txt' - returns lines that contain 'LinuxCBT'
  e. 'grep 'LinuxCBT ' grep.test.txt' - returns lines that contain 'LinuxCBT' followed by a space
NOTE: Printable and non-printable chars (space, tab, various whitespace) are analyzed
NOTE: 'cat -A grep.test.txt' - reveals both types of chars
  f. 'grep 'B.*' grep.test.txt' - returns lines containing 'B' (the trailing '.*' adds nothing)
  g. 'grep '.*W' grep.test.txt' - returns lines that contain 'W' anywhere; '.*' matches any char 0 or more times
  h. 'grep 'Linux.+' grep.test.txt' - nothing is returned because '+' is an extended operator; basic grep treats it as a literal '+'
    h1. 'egrep 'Linux.+' grep.test.txt' - returns lines with at least one char after 'Linux'
  i. '[e]grep '[Linux|BSD]' grep.test.txt' - uses a bracket expression (character class)
NOTE: Bracket expressions don't match the entire word, but rather any single one of the presented characters ('|' is a literal inside brackets); for alternation use 'egrep 'Linux|BSD''
  j. 'grep "Dec [1|3]" /var/log/messages' - returns records from Dec 1 or Dec 3 (also Dec 10-19 and Dec 30-31, and 'Dec |', since '|' is literal in brackets)
  k. 'grep "Dec [1|3]" /var/log/messages | grep -i 'd-bus'' - second parse is case-insensitive (-i)

# AWK #
Features:
1. Field (column) processor
2. Supports egrep-compatible (POSIX) REGEXES
Tasks:
1. 'awk '{print $1 }' [FILE]' || STDIN - prints the first field from the data-stream
2. 'awk '{print $1,$2 }' FILE' - returns $1,$2
NOTE: 'awk' can be used to transform Field and/or Record separators
3. 'awk -F'[:+;,]' '{print $1,$2,$3,$4}' grep.test.txt' - uses multiple possible delimiters to identify fields
NOTE: Whitespace is the default field separator unless overridden with -F (or FS)
NOTE: Be careful if the data-set contains space that is NOT to be treated as a field separator
4. 'awk -F'[:+;]' '{print $0}' grep.test.txt' - returns the full lines
5. 'awk -F'[:+;]' '/LinuxCBT/ { print $1,$2,$3,$4}' grep.test.txt'
6. 'awk -F'[:+;]' '{ if ($1 ~ /LinuxCBT/) print $1,$2,$3,$4}' grep.test.txt'
7. 'awk '{ if ($5 ~ /kernel/) print $1,$2,$3,$6,$7}' /var/log/messages'
NOTE: if the 5th column (field) matches 'kernel' then print the fields of interest from the record
8. 'awk '{ if ($5 ~ /kernel/) print $6,$7}' /var/log/messages' - simple way of anonymizing the record by excluding timestamp, source host and facility
NOTE: Like 'grep', 'awk' iterates over ALL records, but selectively (optionally) returns data (fields) of interest
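The grep and awk idioms above applied to /var/log/messages-style records, as an added example that is not part of the notes. The seven log lines are constructed for the demonstration (the hostname matches the one used later in the SED section); the function names are this example's own. It goes a little beyond items 7 and 8: the program field is matched exactly rather than with a substring, the '[pid]:' suffix is stripped so records can be counted per program, and a grep-then-awk pipeline extracts the source addresses of failed SSH logins.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: the grep and awk idioms above
# applied to /var/log/messages-style records. The log lines below are
# constructed for this demonstration; function names are this example's own.

log=$(mktemp)
cat > "$log" <<'EOF'
Dec  4 07:12:01 linuxcbtel7desk1 kernel: e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
Dec  4 07:12:02 linuxcbtel7desk1 systemd: Started OpenSSH server daemon.
Dec  4 07:13:10 linuxcbtel7desk1 sshd[2001]: Failed password for root from 192.168.75.200 port 51022 ssh2
Dec  4 07:13:12 linuxcbtel7desk1 sshd[2001]: Failed password for root from 192.168.75.200 port 51022 ssh2
Dec  4 07:13:15 linuxcbtel7desk1 sshd[2004]: Failed password for invalid user admin from 192.168.75.201 port 51030 ssh2
Dec  4 07:14:00 linuxcbtel7desk1 kernel: usb 1-1: new high-speed USB device number 3 using ehci-pci
Dec  4 07:14:30 linuxcbtel7desk1 sshd[2010]: Accepted publickey for linuxcbt from 192.168.75.121 port 51100 ssh2
EOF

# Field layout of a syslog record under the default whitespace FS:
#   $1 month  $2 day  $3 time  $4 host  $5 program[pid]:  $6.. message

# kernel_msgs FILE - item 8 above, but anchored: keep only the message part
# of records whose program field is exactly 'kernel:' (so a hypothetical
# 'kernel-helper:' would not match), dropping timestamp, host and program.
kernel_msgs() {
    awk '$5 == "kernel:" { $1 = $2 = $3 = $4 = $5 = ""; sub(/^ +/, ""); print }' "$1"
}

# count_by_program FILE - records per program, with the [pid]: suffix stripped.
count_by_program() {
    awk '{ p = $5; sub(/(\[[0-9]+\])?:$/, "", p); n[p]++ }
         END { for (p in n) print n[p], p }' "$1" | sort -k2
}

# failed_ssh_ips FILE - grep narrows to sshd authentication failures, awk
# picks the token after "from" (the peer address), then the pipeline counts
# per source, most frequent first.
failed_ssh_ips() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' |
        sort | uniq -c | sort -rn
}

echo "--- kernel messages ---";          kernel_msgs "$log"
echo "--- records per program ---";      count_by_program "$log"
echo "--- failed logins by source ---";  failed_ssh_ips "$log"
```

Assigning to a field in awk rebuilds $0 with OFS between the remaining fields, which is why the leading run of spaces is removed with sub() before printing.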

# SED - Stream Editor #
Features:
1. Stream Editor - allows us to parse and transform the discrete contents of textual data
Usage:
1. 'sed -e 'instruction' file' || STDIN
NOTE: Additional '-e 'instruction'' commands perform additional modifications in the order presented
2. 'sed -f script_file_name file' || STDIN - organized way of providing N instructions to 'sed'
3. 'sed -n '1p' grep.test.txt' - prints the FIRST line
4. 'sed -n '$p' grep.test.txt' - prints the LAST line
5. 'sed -n '3,6p' grep.test.txt' - prints lines 3-6
NOTE: 'sed' processes information 1 line at a time
6. 'sed -n -e '/^Linux$/,/AIX/p' grep.test.txt' - prints lines from the line that consists solely of 'Linux' to the next line containing 'AIX'
7. 'sed -n -e '/^Linux$/,+3p' grep.test.txt' - prints the line that consists solely of 'Linux' and the 3 lines after it (GNU extension)
8. 'sed -e '/^$/d' grep.test.txt' - removes blank lines from the output (the file itself is untouched unless '-i' is used)
9. 'sed -e 's/root/admin/' -e 's/linuxcbtel7desk1/systema/' /var/log/messages > messages.anonymous.1'
NOTE: 's/old/new/' replaces only the FIRST match on each line; add the 'g' flag ('s/root/admin/g') to replace every occurrence

# File Types - Permissions - SymLinks #
Features:
1. Supported types: c, b, -, d, l, etc. - represented in the first column of 'ls -l'
2. File permissions for: owner, group members, and everyone else
3. Shortcuts (soft links) and hard links to objects located throughout your system
File Permissions:
1. 10 characters represent the Linux file type and permissions, regardless of the type of FS in use: i.e. EXT4, XFS, EXT{2,3}, ReiserFS, etc.
  'crw--w----. 1 linuxcbt tty 136, 2 Dec 4 07:12 2' = 620
  '-' in positions 2-10 represents a disabled bit
  The leading character describes the type of object in the FS
  The 9 remaining characters represent permissions for:
  a. Owner of the object
  b. Members of the group labeled on the object: i.e. group=tty
  c. Everyone else
  Total permissions for objects = 7 7 7 (rwx rwx rwx), r=4 w=2 x=1
  NOTE: A trailing '.' (as above) means an SELinux context is present on the object; '+' means an ACL is present
NOTE: When working with permissions we work with either:
  a. Octal notation: i.e. 777, 620, 644, etc.
  b. Symbolic notation: rwxrwxrwx (777), rw--w---- (620), rw-r----- (640)
  c. We add permissions symbolically using '+' and subtract using '-'
  d. With Octal notation, we simply specify the target Octal value: i.e. 644
Primary permissions tool = 'chmod'
  a. 'chmod 660 grep.test.txt && ls -l grep.test.txt'
  b. 'chmod u-x,g-rw grep.test.txt' - removes 'x' from the owner, and 'rw' from group=linuxcbt, resulting in an octal set = 0600
  c. 'stat FILE' - returns the permissions and FS footprint
  d. 'chown'/'chgrp' - change user/group ownership
    d1. 'chown root grep.test.txt' - makes the new owner uid=0
    d2. 'chgrp root grep.test.txt' - makes the new group owner gid=0

    d3. 'chown linuxcbt:linu

xcbt grep.test.txt' - resets uid/gid ownership

# Symbolic Links #
Features:
1. Shortcuts with more capabilities
NOTE: Typical Windows shortcuts are equivalent to soft symbolic links
2. Soft symbolic links permit linking:
  a. within the same FS
  b. across disparate FSs
  c. Soft links merely link to the named representation (path) of a file, within and/or across FSs
  d. Soft links have no impact on the link counter associated with files
  e. All soft links lead to one named file. If this named file is renamed or removed, ALL soft links to it dangle (fail)
3. Hard symbolic links permit linking:
  a. within the same FS
  b. but NOT across disparate FSs, because the INODE numbers that are used cannot be guaranteed to be unique across FSs
  c. Hard links make direct references to the INODEs that underpin the files we access: i.e. 'ls -li' to reveal the distinct INODEs
  d. Each outstanding hard link increases the link counter associated with the file: 'ls -li' reveals this
  e. Each outstanding link can be viewed as an instance of the INODE object that underlies the file. This means that the file persists within the FS until ALL hard links have been removed
4. Both mechanisms (Soft and Hard) provide a way to publish content to users in various locations across the system
  a. Permits the exposition of content outside of normally protected zones: i.e. $USER || /home/$USER
NOTE: RHEL 7 ships with 'fs.protected_hardlinks = 1' and 'fs.protected_symlinks = 1' (/usr/lib/sysctl.d/50-default.conf): users may only hard-link files they own or have read and write access to, and symlinks in world-writable sticky directories (/tmp) are followed only when the follower owns the link or the directory. This blocks the classic hard-link and /tmp-symlink privilege-escalation tricks
Tasks:
1. Soft links
  a. 'ln -s source_file target'
    a1. 'ln -s grep.test.txt grep2.test.txt' - creates a soft link in the same directory
      'lrwxrwxrwx. 1 root root 13 Dec 5 09:18 grep2.test.txt -> grep.test.txt'
NOTE: Despite the apparent 0777 permissions associated with soft symlinks, the underlying (target) file's permissions always prevail. These are the effective permissions on the file object.
    a2. 'ln -s ~linuxcbt/Documents/grep.test.txt'
    a3. 'ln -s ~linuxcbt/Documents/grep.test.txt /boot' - creates a soft link in a different FS
    a4. 'ls -l ~linuxcbt/Documents/grep.test.txt' - confirm link counter = 1
  b. Break the source of the soft links
    b1. 'mv ~linuxcbt/Documents/grep.test.txt ~linuxcbt/Documents/grep.test.txtt'
2. Hard links
  a. 'ln source_file target' - creates a hard link - increments the link counter
  b. 'chmod 644 ~linuxcbt/Documents/temp/grep.test.txt.hard' - impacts the underlying INODE, which means ALL instances of the document (hard-link form) will now wear the latest permissions
  c. 'mkdir /projectx && ln ~linuxcbt/Documents/grep.test.txt /projectx/' - creates an instance of the object for 'general' access without having to grant users access to your $HOME dir
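The soft-link and hard-link behaviour described above, observed with 'stat' instead of 'ls -li', as an added example that is not part of the notes. It runs in a scratch directory and assumes GNU coreutils ('stat -c'), as on RHEL/CentOS 7; the helper names and the 'secret data' file are this example's own.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: the soft/hard link behaviour
# described above, observed with stat in a scratch directory. Assumes GNU
# coreutils (stat -c), as on RHEL/CentOS 7; names are this example's own.

work=$(mktemp -d)
cd "$work" || exit 1
printf 'secret data\n' > grep.test.txt
chmod 600 grep.test.txt

inode()          { stat -c %i "$1"; }     # inode number ('ls -li' column 1)
link_count()     { stat -c %h "$1"; }     # hard-link counter ('ls -li' column 3)
mode()           { stat -c %a "$1"; }     # the object's own permission bits
effective_mode() { stat -L -c %a "$1"; }  # follow a symlink: the target's bits
target_alive()   { [ -e "$1" ]; }         # 0 if a link can still be followed

ln -s grep.test.txt soft.txt   # soft link: new inode, name-based reference
ln    grep.test.txt hard.txt   # hard link: same inode, counter becomes 2

echo "hard link shares inode:      $(inode grep.test.txt) == $(inode hard.txt)"
echo "soft link has its own inode: $(inode soft.txt)"
echo "link counter now:            $(link_count grep.test.txt)"
echo "symlink mode $(mode soft.txt), but effective mode $(effective_mode soft.txt)"

# Permission changes travel with the inode: changing them through the hard
# link changes what the original name shows, too.
chmod 644 hard.txt
echo "after chmod via hard link, original shows: $(mode grep.test.txt)"

# Renaming the original breaks the soft link (it stored a name), while the
# hard link keeps working (it stored the inode).
mv grep.test.txt grep.test.txtt
target_alive soft.txt || echo "soft.txt now dangles"
echo "hard.txt still reads: $(cat hard.txt)"

# Data persist until the LAST hard link is removed.
rm grep.test.txtt
echo "link counter after removing the original name: $(link_count hard.txt)"
```

The security consequence of the last step is the one to remember: removing a file from your $HOME does not remove its data while a hard link you made in /projectx still exists, and a mode change made through either name applies to both.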

  d. Remove one or more hard instances
    d1. 'rm -rf ~linuxcbt/Documents/grep.test.txt' - the data persist as long as the other hard link (/projectx/grep.test.txt) exists

# SWAP #
Features:
1. Virtual memory - disk-based memory
2. Dedicate (preferred) partitions to the SWAP mission
3. Use an existing FS: i.e. XFS, EXT4, etc. and provision a file-based SWAP area
4. SWAP remains a distinct FS type, despite the recent RHEL shift to XFS
Tasks:
1. Create additional SWAP space from a file using an existing FS
  a. 'dd if=/dev/zero of=/swap/swapfile1G-1 bs=1M count=1024' - creates a zeroed-out file as a basis on which to overlay SWAP
  NOTE: 'chmod 600 /swap/swapfile1G-1' - a world-readable swap file exposes whatever memory pages were swapped out (passwords, keys); 'swapon' warns about insecure permissions
  b. 'mkswap /swap/swapfile1G-1' - overlays SWAP on the zeroed-out file
  NOTE: A unique UUID is auto-assigned, and may be referenced via /etc/fstab
  c. 'swapon /swap/swapfile1G-1' - enables the SWAP device dynamically
  d. 'swapon -s' - displays current SWAP partitions
  e. Update '/etc/fstab': '/swap/swapfile1G-1 swap swap defaults 0 0'
2. Dedicate partitions to the SWAP mission
  a. Provision a new partition && [reboot] - automatically recognized
  b. Create a primary partition and prepare it for swapping: 'mkswap /dev/sdb1'
  c. Enable swapping: 'swapon /dev/sdb1'
  d. 'blkid /dev/sdb1' - obtain the UUID and commit it to /etc/fstab
  e. 'swapoff /dev/sdb1 && swapon -a' - disables and re-reads from /etc/fstab
  f. 'swapon -s' - dump current SWAP configuration

# XFS #
Features:
1. New default for RHEL7
2. Supports:
  a. Extension (growth) - NOT the ability to shrink
  b. Freeze | Unfreeze - for snapshots ('xfs_freeze')
  c. Backups | Restorations ('xfsdump' | 'xfsrestore')
  d. Sub-second timestamps: currently nanosecond (10^-9) precision
    d1. 'stat FILE' and peruse
  e. Ability to separate the journal log from the data storage area - improves performance
Tasks:
1. Create extra XFS mounts on target systems
  a. Provision storage: Virtual || Physical
  b. Identify and partition
    b1. 'fdisk -l' - this should reveal the new storage block: '/dev/sdc'
    b2. 'parted /dev/sdc mklabel gpt'
    b3. 'parted /dev/sdc mkpart 1 1 100%'
  c. Overlay with the XFS file system
    c1. 'mkfs.xfs /dev/sdc1'
  d. Mount and use
    d1. 'mkdir /projectx'
    d2. 'mount /dev/sdc1 /projectx && df -h && dd if=/dev/zero of=/projectx/512M count=512 bs=1M && ls -lh /projectx'
  e. Ensure mount persistence: /etc/fstab
    e1. 'blkid /dev/sdc1' - obtain the UUID and use it in /etc/fstab

    e2. 'umount /projectx && mount -a && df -h' - confirm that '/projectx' is available
    e3. 'systemctl reboot || reboot'
NOTE: We prefer to reference the UUID in /etc/fstab || via user-space (CLI) because there are some instances where the kernel may relabel disks, i.e. /dev/sd{a,b,c,etc.}, upon system invocation

# Logical Volume Management (LVM) #
Features:
1. Volume Sets
2. The ability to aggregate storage from disparate sources into potentially 1 large representation of Enterprise storage
3. Storage Hierarchy - Configuration
  a. Physical Volumes (PVs) - distinct partitions/disks that will become part of a volume group
  b. Volume Groups (VGs) - represent one or more Physical Volumes (PVs) - serve as an abstraction of storage
  c. Logical Volumes (LVs) - represent the fraction of VG storage upon which File Systems are overlaid
4. LVM Physical Volumes should be flagged as type 'lvm' by the partition manager: i.e. 'parted', 'fdisk', etc.
Tasks:
1. 6 steps to set up LVM
  a. Provision storage and create LVM partitions using 'parted'
    a1. Use the Hypervisor tool to add new disks
    a2. 'parted /dev/sdd mklabel gpt' - creates the disk label
    a3. 'parted /dev/sdd mkpart 1 1 100%' - creates the partition, as done for /dev/sdc above
    a4. 'parted /dev/sdd set 1 lvm on' - flags the partition as type LVM
  b. Create Physical Volume(s)
    b1. 'pvcreate /dev/sdc1 /dev/sdd1 && pvdisplay'
  c. Create a Volume Group - assign PV(s) to the VG
    c1. 'vgcreate volgroup001 /dev/sdc1 /dev/sdd1'
NOTE: Each Volume Group has its unique hierarchy in the '/dev' tree: '/dev/volgroup001'
NOTE: Beneath which are the distinct logical volumes (LVs) tied to the VG
  d. Create a Logical Volume (LV) - a representation of some (fraction) or ALL of the VG storage
    d1. 'lvcreate -L 10GB volgroup001 -n logvol001'
    d2. LVM creates this device for FS overlay: '/dev/volgroup001/logvol001'
  e. Overlay our desired FS on the LV
    e1. 'mkfs.{ext4,xfs} LV-Device'
  f. Mount, use, and ensure persistence
    f1. 'mount /dev/volgroup001/logvol001 /projectx'
  g. Create data | test I/O using 'dd'
NOTE: If you create identical files on different systems, so long as the inherent data are identically ordered and presented, the checksums will be identical
2. Rename a logical volume for repurposing
  a. '/dev/mapper/volgroup001-logvol001' -> '/dev/mapper/volgroup001-projectx'
    a1. 'lvrename volgroup001 logvol001 projectx'
NOTE: LVM renames the logical volume on-the-fly; however, the 'df -h' dump reflects the new name at the next mount|remount of the volume
3. Resize LVs - this takes place at the logical volume level
  a. 'lvresize -L 15GB /dev/volgroup001/projectx'
  b. 'resize2fs /dev/volgroup001/projectx' - resizes an EXT4 FS online (XFS uses 'xfs_growfs', see below)
    b1. 'df -h' - confirm new storage

c. Resize XFS volume c1. Clean-up existing configuration c1a. 'umount /projectx' c1b. 'mkfs.xfs -f /dev/volgroup001/projectx' - overlays NEW XFS FS NOTE: At this point, the system generates a new UUID for the storage block NOTE: Confirm with: 'blkid /dev/volgroup001/projectx' NOTE: Update: /etc/fstab accordingly c2. 'lvresize -L 15GB /dev/volgroup001/projectx' c3. 'xfs_growfs /dev/volgroup001/projectx' - resizes on-the-fly, with 'df -h' updates automatically provided 4. Remove logical volumes with: 'lvremove' 5. We're out of space, extend volume group (vg) aggregate a. provision storage via VM b. partition && label as LVM c. 'pvcreate /dev/sde1' d. 'vgextend volgroup001 /dev/sde1' e. 'vgdisplay' - should reflect new storage # User & Group Management # Features: 1. flat file: /etc/{passwd,group,shadow} DBs 2. Default set includes: 'root', daemons, services, utilities, and the first-us er (created during installation) Tasks: 1. 'ls -l /etc/{passwd,group,shadow} 2. 'cat /etc/passwd' 'linuxcbt:x:1000:1000:LinuxCBT User:/home/linuxcbt:/bin/bash' 'root:x:0:0:root:/root:/bin/bash' UID=0GID=0 - special reservation for 'root' Accounts with: UID|GID=[1-999] are reserved for system/daemons/utilties/etc. 
Key fields in: /etc/passwd
  login name:x (shadow reference (/etc/shadow)):UID:GID:Description:$HOME:$SHELL
Key fields in: /etc/shadow
  linuxcbt:$6$1u30enqi1ioWNmGv$QbzeBc21/73wkKmENPRRdhDHA.zltwKsVrQVj0tFTdBDaQ8rt0PXspwm6z/0hdUb/m7i4N47Q5Jo6tphnZrDX/:16400:0:99999:7:::
  login name:
  encrypted password:
  Days since Unix epoch that the password was last changed:
  Days before password may be changed (0=anytime):
  Days after which password must be changed (set this to 45 days):
  Days before password is to expire that the user is warned:
  Days after password expires that the account is disabled:
  Days since Unix epoch that the account has been disabled:
  Reserved field
Key fields in: /etc/group
  linuxcbt:x:1000:linuxcbt
  group name (typically the User Principal Name (UPN)):group shadow reference:GID:member(s)
Tools:
1. 'useradd'
  a. 'useradd -g linuxcbt2 -G wheel -m linuxcbt2'
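The /etc/shadow aging fields listed above, checked the way an auditor would, as an added example that is not part of the LinuxCBT notes: it classifies each account's password state and flags "max" values beyond the 45-day figure the notes recommend. The sample shadow lines, placeholder hashes and function names are constructed for this example.

```shell
#!/bin/bash
# Added example, not from the LinuxCBT notes: audit the password-aging fields of
# /etc/shadow lines (login:hash:lastchg:min:max:warn:inactive:expire:reserved)
# against the 45-day maximum the notes recommend. The sample lines below are
# constructed, with placeholder salts/hashes rather than real credentials.

MAX_AGE_POLICY=45   # days; the value the notes suggest for the "max" field

# Usage: shadow_state "<shadow line>" <today as days since the Unix epoch>
# Prints one of: locked | no-password | must-change | never-expires |
#                expired | expiring-soon | ok
shadow_state() {
    local line="$1" today="$2"
    local name hash lastchg min max warn inactive expire reserved
    IFS=':' read -r name hash lastchg min max warn inactive expire reserved <<< "$line"
    case "$hash" in
        '!'*|'*'*) echo locked; return ;;      # '!'-prefixed or '*' hash: no password login
        '')        echo no-password; return ;; # empty hash field: password-less account
    esac
    # lastchg 0 (or empty) forces a password change at next login
    if [ "${lastchg:-0}" -eq 0 ]; then echo must-change; return; fi
    # empty or 99999 max: aging effectively disabled
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo never-expires; return; fi
    local age=$(( today - lastchg ))
    if [ "$age" -gt "$max" ]; then
        echo expired
    elif [ "$age" -ge $(( max - ${warn:-0} )) ]; then
        echo expiring-soon     # inside the warning window
    else
        echo ok
    fi
}

# Returns 0 when the "max" field is set and within MAX_AGE_POLICY days.
max_age_ok() {
    local max
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    [ -n "$max" ] && [ "$max" -le "$MAX_AGE_POLICY" ]
}

# Read shadow lines on stdin; print "login state within-policy|exceeds-policy".
# Usage (as root, on a real host): audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow
audit_shadow() {
    local today="$1" line name state policy
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%:*}
        state=$(shadow_state "$line" "$today")
        if max_age_ok "$line"; then policy=within-policy; else policy=exceeds-policy; fi
        printf '%s %s %s\n' "$name" "$state" "$policy"
    done
}

# Constructed sample shadow file; "today" in the call below is day 16420.
SAMPLE_SHADOW='root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16400:0:99999:7:::
linuxcbt:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16400:0:45:7:::
contractor:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16370:0:45:7:::
svcacct::16400:0:45:7:::
ftp:*:16400:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 16420
```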

  a. 'groupadd -g 1001 linuxcbt2 && useradd -g linuxcbt2 -G wheel,projectx -m linuxcbt2 && passwd linuxcbt2'
2. 'usermod'
3. 'userdel'
4. 'groupadd'
  a. 'groupadd linuxcbt2'
5. 'groupmod'
  a. 'nano /etc/group'
  NOTE: You may have to re-initiate existing $SHELLs for the new group membership to be reflected
6. 'groupdel'
NOTE: Regardless of whether directory services are used, 'root' and basic system accounts are ALWAYS defined in: /etc/{passwd,shadow,group,gshadow}

# Cron - Scheduler #
Features:
1. Scheduler
2. Runs jobs on schedule:
  a. minute, hour, day, month, year
3. Assumes computer is always on, unlike: anacron
4. Global schedule: /etc/crontab && /etc/cron* (include directories)
5. Individual schedules: /var/spool/cron - one is stored per user - crontabs
6. Checks ALL config files every minute, including: /etc/anacrontab
7. 'crontab' - used to modify a user's cron table entries
  a. 'root' may use this tool to manage other users' cron tables
  b. each user may use this tool to manage their own cron table: /var/spool/cron/$USER
8. Permit -> /etc/cron.allow
9. Deny -> /etc/cron.deny
Tasks:
1. '/etc/crontab' - discuss the entries
  a. Minute (0-59) - i.e. 31, 1,11,21, 10,33,58, 10-23, */1, */5
  b. Hour (0-23) - similar subdivision values apply, i.e. */2, 0,4,12
  c. Day of the month (1-31)
  d. Month (1-12)
  e. Day of the week (Sun,Mon,Tue || 0-7)
  NOTE: Some systems handle the extreme values for dow differently: 0,7 may be treated as Sunday or Monday. Consult the Cron documentation per system
2. Simple 'uptime' script
  a. create a simple BASH script and test it from $SHELL
  b. 'crontab -e' - edit your own (non-privileged $USER's) crontab
    b1. make reference to the absolute PATH of the job
  c. Extract simple metrics from cron-collected data:
    'awk '{ print $6,$10,$11,$12 }' 20141208.linuxcbtel7desk1.linuxcbt.internal.uptime.log | sed -e 's/,//g''
    This extracts the current user count and the 1, 5, and 15-minute load averages, and removes the superfluous ',' values from the data
  NOTE: The 'crontab' utility is the only way for a non-privileged $USER to modify their crontab, as the actual crontab file in /var/spool/cron is viewable only by 'root'
  d. Modify crontab as 'root' because the job runs too frequently
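The Syslog section that follows describes rsyslog's 'Facility.Level' selectors: a level captures itself and everything more severe, and a '.none' entry such as 'local4.none' removes a facility from the catchall rule. As an added example (not from the LinuxCBT notes), the code below evaluates such selectors against constructed messages and a constructed rule set modelled on the notes' two-collector setup; the function names are this example's own.

```shell
#!/bin/bash
# Added example, not from the LinuxCBT notes: evaluate rsyslog-style
# "facility.level" selectors the way the notes describe them, i.e. a level
# matches itself and everything more severe, ".none" drops a facility from a
# catchall, and the last entry naming a facility wins. The rule set and
# messages below are constructed for illustration.

# Severity rank, least to most severe, in the order the notes list the levels.
level_rank() {
    case "$1" in
        debug) echo 0 ;;  info) echo 1 ;;  notice) echo 2 ;;  warning|warn) echo 3 ;;
        err|error) echo 4 ;;  crit) echo 5 ;;  alert) echo 6 ;;  emerg|panic) echo 7 ;;
        *) echo -1 ;;
    esac
}

# Usage: selector_matches <facility> <level> "<selector>"
# e.g. selector_matches local4 warning '*.info;mail.none;local4.none'  -> false
# Entries (separated by ';') are evaluated left to right; each entry names one
# or more facilities ('*' or a ',' list) and a level spec: a plain level
# (that level and above), '=level' (exactly), '*' (all) or 'none' (exclude).
selector_matches() {
    local fac="$1" msg_rank entry facs spec f result=1
    msg_rank=$(level_rank "$2")
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        facs=${entry%.*}
        spec=${entry##*.}
        while IFS= read -r f; do
            [ "$f" = '*' ] || [ "$f" = "$fac" ] || continue
            case "$spec" in
                none) result=1 ;;
                '*')  result=0 ;;
                =*)   if [ "$(level_rank "${spec#=}")" -eq "$msg_rank" ]; then result=0; else result=1; fi ;;
                *)    if [ "$msg_rank" -ge "$(level_rank "$spec")" ]; then result=0; else result=1; fi ;;
            esac
        done <<< "$(tr ',' '\n' <<< "$facs")"
    done <<< "$(tr ';' '\n' <<< "$3")"
    return "$result"
}

# Constructed rule set modelled on the notes: a catchall that excludes the
# router facility (local4), a dedicated file for local4, and two remote
# collectors that receive everything at info and above.
RULES='*.info;mail.none;authpriv.none;cron.none;local4.none /var/log/messages
local4.* /var/log/router.log
*.info @linuxcbtel71
*.info @linuxcbtcent71'

# Print every destination a message with <facility> <level> would be routed to.
destinations_for() {
    local fac="$1" lvl="$2" selector target
    while read -r selector target; do
        [ -n "$selector" ] || continue
        if selector_matches "$fac" "$lvl" "$selector"; then
            printf '%s\n' "$target"
        fi
    done <<< "$RULES"
    return 0
}

# Show where a router warning, a mail notice and a kernel debug message end up.
for msg in "local4 warning" "mail notice" "kern debug"; do
    echo "$msg -> $(destinations_for $msg | tr '\n' ' ')"
done
```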

#Syslog#
Features:
1. Logs daemon information as well as potentially other sources of data: i.e. networked devices, remote systems, etc.
2. Supports:
  a. Unix Domain Sockets (/dev/log)
  b. Internet sockets using: UDP:514 || TCP:514
3. Ability to log to local and remote targets (@hostname) simultaneously
  NOTE: Possible Syslog setups in your Prod environment:
    a. ALL interconnected devices (routers|switches|firewalls) log to 1 Syslog node, and that node replicates the logs to 1 or more other Syslog nodes
    b. ALL interconnected devices log to 2 or more Syslog nodes simultaneously
4. Default configuration accepts messages on: UDS but NOT on the Internet socket
5. Implemented as 'rsyslog'
6. '/etc/rsyslog.conf'
7. RPM = rsyslog
8. In-built rules mechanism routes incoming messages accordingly
  a. Facilities - source of information: i.e. mail, local0-7, auth, etc.
  b. Levels - Importance of the incoming message - 0(Debug)-7(emerg)
    b1. Debug(0), Info(1), Notice(2), Warning(3), Error(4), Crit(5), Alert(6), Emerg(7)
  NOTE: You typically want to capture messages at: Warning(3) and higher
  NOTE: Message collection is cumulative up the chain: i.e. messages captured at the Warning(3) level will also include the more severe message levels above, but not the less severe levels below, i.e. Notice(2) or lower.
  NOTE: This reduces the verbosity and overall data storage requirements by sending only 'important' messages.
Tasks:
1. Look at the primary config file: '/etc/rsyslog.conf'
  a. RULES Section
    a1. Left side -> Facilities.Levels
    a2. Right side -> Destinations
  b. 'systemctl restart rsyslog && netstat -nultp | grep 514' - confirm TCP && UDP bindings
  NOTE: '/var/log/messages' -> catchall, so messages coming from devices that log at the .info level and more severe will be logged here as well, i.e. an infrastructure device logs to both its own file and: /var/log/messages
  NOTE: To prevent double-logging, exclude the facility using a rule entry that ends with '.none', i.e. 'local4.none', in the primary catchall rule that routes messages to: /var/log/messages
  c. Create 2 new rules to send messages to: linuxcbtel71 && linuxcbtcent71
    NOTE: All messages except: *.Debug, cron.none, authpriv.none, mail.none
  d. Alter both rules to ensure that ALL messages, from ALL facilities at level=info and higher (more severe), are duplicated to both nodes
  NOTE: Once you have designated 1 or more Syslog systems, be prepared to parse
  NOTE: This is why Syslog messages typically include: HOSTNAME, to help parse the source of messages

# LogRotate #
Features:
1. System-wide log-rotation capability
2. Archival capabilities

3. Rules-driven:
  a. '/etc/logrotate.d' - N number of rules governing various LOG files
  b. '/etc/logrotate.conf' - catchall of options, and includes the '/etc/logrotate.d' entries
  c. Segments logs: i.e. MAIL, LOCAL, USER, etc.
    c1. Logrotate focuses on a discrete set of files, NOT SYSLOG facilities
    NOTE: SYSLOG handles the routing of data to target files
    NOTE: LOGROTATE merely manages those files
4. Implemented as the 'logrotate' package
5. Run daily (/etc/cron.daily/logrotate) by cron
6. Rotation is driven by:
  a. Size: i.e. 100k, 100MB, 100GB
  b. Time: i.e. daily, weekly, monthly, yearly
7. Both criteria, time and size, can be specified simultaneously
  NOTE: The first to be realized (time or size) is honored
Tasks:
1. Examine current configuration
  a. '/etc/logrotate.conf'
  b. '/etc/logrotate.d'
    b1. daemon-specific log file rules
  NOTE: values not explicitly defined (i.e. 'dateext', or otherwise) at the scope level of the file are inherited from the 'global' superscope.
2. Make a few tweaks along the way
  a. Change 'syslog' rotation frequency to 'daily' vs. 'weekly'
  b. Enable compression across ALL files
3. Execute 'logrotate'
  a. 'sudo logrotate -v -f /etc/logrotate.conf'
  NOTE: 1 important reason to ALWAYS compress your logs during rotation is to minimize the effects of DOS/DDOS attacks on available storage (/var), especially where /var is on the '/' mount point.
  NOTE: logrotate will eventually rotate the log files off your disk based on the rules defined, so be sure to archive them otherwise
  NOTE: For any file that is SYSLOG-handled (LOG file is created by SYSLOG), place its rule within the /etc/logrotate.d/syslog file to reduce the number of SYSLOG reloads
  NOTE: logrotate is merely a script binary, not a daemon, that is resident in the process table only when called
  NOTE: Daily, weekly, monthly jobs are now handled by Anacron: /etc/anacrontab

#Common Network Utilities#
Features:
1. Gather diagnostics
2. Ascertain node names and locations
3. Connectivity L2/L3 information
4. Path between interconnected nodes
5. Put/Fetch files/content from remote systems
6. Ability to sync content across local/remote directories
Tasks:
1. PING - 'ping'

  a. 'ping 192.168.75.1' - returns connectivity health between nodes
  NOTE: Look for a large STDEV across packets sent/received, as it indicates connectivity issues
  b. 'ping -c 3 192.168.75.1'
  NOTE: If ICMP echo-request/reply are filtered then PING will fail you
2. ARP - Address Resolution Protocol
  a. 'arp -a' - displays, for T amount of time, the nodes on your subnet in the local table
  b. 'rarp' - where available, resolves the known MAC address to the current L3 address
3. Traceroute && MTR - Returns hops between 2 Nodes
  a. 'traceroute www.linuxcbt.com' - one-off dump of the path
  b. 'mtr www.linuxcbt.com' - returns more useful data, and is refreshed constantly
4. Name Resolution Tools
  a. 'nslookup' - returns basic answers to queries
    a1. 'nslookup www.linuxcbt.com'
  b. 'dig'
    b1. 'dig @192.168.75.101 www.linuxcbt.com' - queries a specific resolver and provides more data
    b2. 'dig @192.168.75.101 -x 144.76.77.83'
  c. 'host www.linuxcbt.com'
  d. 'whois linuxcbt.com' - finds IP/Domain ownership information
  e. 'whois 144.76.77.83' - returns IP ownership info - typically the HOST
5. 'curl'
  a. 'curl http://192.168.75.101/index.html' - dumps remote content to STDOUT
  NOTE: By dumping to STDOUT, you can quickly query multiple servers to check, possibly, for corrupt content, because 'curl' supports multiple servers, files, wildcards, etc.
  b. 'curl -O http://192.168.75.101/test.data' - pulls the file to a locally-named equivalent
6. 'wget' - pulls content from remote sources
  a. 'wget http://192.168.75.101/test.data'
  NOTE: unlike 'curl', wget auto-stores content locally with an equivalent name, unless otherwise specified
  b. 'wget http://192.168.75.101/index.html'

# Time Administration #
Features:
1. Time synchronization && administration
  a. Default includes: 'chronyd', which synchs the local system against various sources
  NOTE: Sources can be: external clocks, NTP, manual time config via: 'chronyc'
  NOTE: 'chronyc', by default, is limited to localhost connections; however, it may be configured to accept remote connections using IP-based security
  NOTE: 'chronyd' works well in virtualized, intermittently connected situations
  b. Drop-in replacement for NTPD - 'rpm -ql chrony'
    b1. Currently, 'chronyd' supports NTPv3 only
  c. Only replace with NTP if permanently connected/enabled
  d. Currently, symmetric keys for time-synch security are supported

Usage:
1. 'timedatectl'
2. 'timedatectl list-timezones'
3. 'timedatectl set-timezone Asia/Tokyo'
4. 'systemctl reboot && timedatectl'
  NOTE: The local time offset is merely used for display purposes, i.e. time values are stored using UTC
5. 'timedatectl set-ntp 1' - enable NTP synch
'chronyd' config
  a. '/etc/chrony.conf'
    a1. 'allow 192.168.75.0/24'
    a2. 'local stratum 1' - this allows this clock to be favoured by NTP clients
    a3. 'sudo systemctl restart chronyd'
  b. Point NTP clients to this instance
  NOTE: Ensure that ipTables is NOT blocking (Default) UDP:123
NOTE: Current time administration largely involves:
  1. 'timedatectl'
  2. 'chronyd' && possibly 'chronyc' (if one-off time configs are required)
NOTE: IF your system(s) is isolated, then the use of 'chronyc' becomes important
NOTE: IF you replace 'chronyd' with 'ntpd', you will lose the rapid time updates that are applied to your node

# YUM Package Management #
Features:
1. RPM overlay
  a. Robust package management: i.e. 'apt-get'
2. Package life cycle
  a. Search
  b. Install
  c. Update (Individual || Group)
  d. Remove
3. Dependencies are auto-resolved: i.e. 'apt-get'
4. Supports Package Groups
  a. i.e. Security, etc.
5. Supports Repositories - containers of various packages: typically online
  a. Security updates
  b. New packages
  c. Original (Distribution) packages
  NOTE: A RedHat 7 HOST requires a subscription to use the RedHat Repository
  NOTE: CentOS is preconfigured with online Repos
6. Transaction history maintained: 'yum history...'
7. Ability to enable|disable Repos on-the-fly
Basic Commands | Usage:
  a. 'yum list [installed|available]' - dumps currently-installed packages - supports globbing
    a1. 'yum list wge\*'
  b. 'yum group list [ids]'
  NOTE: If your system currently has NO Repos defined, then the 'Available' list will not be reflected. In this case, 'yum' can only work with the local DB
  NOTE: The 'ids' option returns $SHELL-friendly package group names for usage during the package life-cycle
  c. 'yum info package_name'
  d. 'yum group info security'
  e. 'yumdb info package_name' - returns local metadata - purpose, checksum, installer, repository, etc. - ancillary, but possibly important metadata
  f. 'yum repolist [all]' - dumps enabled [all] configured Repos - '/etc/yum.repos.d/*.repo'
    f1. '[all]' - option returns ALL enabled|disabled repositories
  g. 'yum search wget' - searches the 'name' and 'summary' fields for package details
    g1. 'yum search wget lftp curl' - searches for multiple packages
  h. 'yum provides /usr/bin/sha256sum' - same as: 'rpm -qf /usr/bin/sha256sum'
  i. 'sudo yum remove lftp'
  j. 'sudo yum -y install lftp'
  NOTE: 'uname -a' reveals the current platform: i686 | x86_64
  NOTE: 'yum' defaults to installing the package that matches your platform
  k. 'sudo yum -y install lftp.i686' - forces the installation of the i686 version of 'lftp' and any needed RPMs
Updates:
  a. 'yum check-update' - search for ALL available updates
  b. 'yum [-y] update' - updates ALL updatable packages
  NOTE: Isn't always desirable
  c. 'yum [-y] update package[s]...' - updates the specified package[s]
    c1. 'yum -y update openssl wget' - selective updates

#YUM Repositories#
Features:
1. Centralized access to content (RPM packages)
  a. Network-based
2. Can be: local (file://), remote (http://) || (ftp://)
3. Serves various packages:
  a. 'base'
  b. 'extras'
  c. 'plus'
  d. 'updates'
  NOTE: These are merely directory trees off the main repository tree
  NOTE: Each contains a .repo file and various RPMS
  NOTE: Each .repo file describes the content within that tree
  e. i.e. 'http://mirror.centos.org/centos/7/' - explore this tree
  NOTE: RedHat systems require a subscription to use 'their' CDN for updates, etc.
  NOTE: The various branches on repositories are specified in the YUM config files
4. Primary YUM config file: '/etc/yum.conf'
  a. Sets globals
  b. Includes Repos from: '/etc/yum.repos.d'
5. 'yum repolist' - enumerates enabled Repos
  a. You may enable/disable Repos as needed
6. Packages can be flagged to 'install' only and not 'update'
7. 'yum-config-manager' - dumps the current configuration, and allows Repo administration
Tasks:
1. 'yum-config-manager [section[s]]'
2. Install YUM Repo
  a. One option is to dump the contents of the largest ISO image to a web-accessible instance
  b. Second option is to use the 'createrepo' RPM to set up a tree
3. Commence installation
  a. Obtain the ISO image, mount it, and copy its contents to a tree somewhere (i.e. staging)
  b. Ensure that the 'createrepo' RPM is installed as it provides us with the 'createrepo' utility
  NOTE: 'createrepo' may be run from other distros
  NOTE: The 'createrepo' utility generates the necessary '.repo' file for usage by clients

  c. Ensure the directory tree, with the '.repo' file, is in a web-accessible location
  d. Add the repository to 1 or more clients and use
  NOTE: Ensure that you have a valid RedHat subscription or find a third-party provider of the 'updates' branch
    d1. 'sudo yum-config-manager --add-repo http://192.168.75.101/RHEL/7'
  NOTE: 'yum-config-manager' merely writes the '.repo' file to: '/etc/yum.repos.d'
  NOTE: Add the GPG key as follows: 'rpm --import http://192.168.75.101/RHEL/7/RPM-GPG-KEY-redhat-release'

# IP Administration #
Features:
1. DHCP - 'dhclient' is invoked to manage interface(s)
2. Static - settings are stored in the interface configuration file: /etc/sysconfig/network-scripts
3. Both (Dynamic and Static)
4. Temporary configurations
5. Virtual interfaces - Potentially multiple L3 addresses (IPv[4|6])
6. With this release a more complex set of logic is used to promote persistent NIC nomenclature, with the ultimate fallback resorting to: eth0-N
7. 'NetworkManager' is the primary manager of interfaces
  NOTE: If changes are not noticed, try restarting this daemon: 'systemctl restart NetworkManager'
8. '/etc/init.d/network' - is still applicable - legacy purposes
9. '/etc/init.d/network' && 'NetworkManager' services work in conjunction to manage interfaces, routes, and various network configuration items by consulting one another to avoid conflict
Management Tools:
1. 'nmtui*' - $SHELL(curses)-based - current limitations: Editing of VPNs, WiFi/WPA, 802.1x connections
2. 'nmcli' - FULL (capable of administering ALL network areas) CLI-suite
3. 'control-center' - GUI - Press the 'Super' key, then type:
  a. 'control network'
  b. 'nm-connection-editor'
Key Directories and Files:
1. 'lspci' - lists PCI-connected devices
2. '/etc/sysconfig/network-scripts' - interface configuration, control and network functions files
3. '/etc/sysconfig/network' - system-wide (global) settings file: i.e. hostname, gateway (Default)
Tasks:
1. 'lspci' - identify available NIC(s)
2. 'dmesg' - reflects last-boot detected hardware
3. 'lsmod | grep e100' - check Kernel driver/module
4. 'ifconfig' - dumps current configuration including default IP address assignment
  a. 'DEV' - useful with other commands: i.e. 'ip'
  b. MAC Address information
  c. MTU
  d. Data in/out
  e. Error information
  NOTE: 'ifconfig' is NOT deprecated, but should not be used for general IP administration
  NOTE: Use the 'ip' command and its sub-commands to manage network details including IP, etc.
5. '/etc/sysconfig/network' - global settings

6. '/etc/sysconfig/network-scripts' - interface configuration
  a. 'ifcfg-lo' - loopback (mandatory) virtual interface
  b. 'ifcfg-DEV(s)' - various devices: i.e. ethernet/gigabit interface(s)
7. 'nmtui*' - $SHELL management tools
  a. 'nmtui' - 'Edit connection' - lists available interfaces, sans 'lo'
    a1. Add a Static address to the DHCP configuration: '/etc/sysconfig/network-scripts/ifcfg-DEV'
    NOTE: The 'ifcfg-DEV' file has been updated, but 'NetworkManager' has NOT been notified
    a2. 'sudo systemctl restart NetworkManager && ping -c 3 192.168.75.140' - works!
    NOTE: This is NOT necessarily a bad thing, as we can inadvertently disconnect ourselves remotely by mucking around with IP settings
    NOTE: Now, the system is configured in 'Hybrid' mode: DHCP and Static
    NOTE: 'ifconfig' reflects only the primary address, NOT the newly-attached address
    NOTE: 'nmtui*' changes are permanent - because they update the config files
8. 'ip'
  a. 'ip addr [show]' - reveals ALL configuration
  b. 'sudo ip addr add ADDR/PREFIX dev DEV' - adds, on-the-fly, a temporary IPv4 address
    b1. 'sudo ip addr add 192.168.75.141/32 dev eno16777736'
  c. 'sudo ip addr del ADDR/PREFIX dev DEV'
    c1. 'sudo ip addr del 192.168.75.141/32 dev eno16777736'
8. Add a range of addresses (192.168.75.150-159) to our server
  a. 'for i in `seq 150 159`; do sudo ip addr add 192.168.75.$i/32 dev ens32; done'
9. Update '/etc/sysconfig/network-scripts/ifcfg-DEV' to include the new addresses
10. Drop/Del addresses on-the-fly
  a. 'for i in `seq 150 159`; do sudo ip addr del 192.168.75.$i/32 dev ens32; done'
11. Add a secondary NIC via VMWare
  a. 'ifconfig'
  b. 'nmtui'
  NOTE: A reboot may be necessary to enable the interface on some systems

# DHCP Server #
Features:
1. Auto-configuration of IP-based clients
Tasks:
1. Installation of DHCP Server
  a. 'yum search dhcp' - 'dhcp.x86_64' + helper packages
    a1. 'sudo yum install dhcp'
  NOTE: Post-installation, DHCPD does not auto-start because it is absent a configuration
  b. Copy the sample '/usr/share/doc/dhcp-4.2.5/dhcpd.conf.example' -> '/etc/dhcp/dhcpd.conf'
    b1. 'sudo cp -v /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf'
  c. Peruse and modify this sample file to suit our network
  NOTE: Our nodes are multihomed; however, DHCPD will only serve on subnets to which:
    1. it is connected
    2. it has a 'subnet' declaration in the configuration file
  NOTE: To ensure that DHCPD does NOT service unauthorized subnets, modify the 'systemd' startup configuration for DHCPD to ensure that it binds to the desired interface(s)
  NOTE: This is the equivalent of forcing the daemon to listen on a specific address: i.e. MTA
    c1. Modify the sample configuration to suit our 192.168.76.0/24 subnet
    NOTE: Any directive listed outside of curly braces '{}' is a global/system-wide directive: i.e. 'domain-name' && 'domain-name-servers', etc.
    NOTE: Often, in organizations, ALL nodes belong to a common domain name, i.e. 'linuxcbt.internal'; however, if departments have distinct sub-domains, then use the 'domain-name' option at the subnet scope level: i.e. 'option domain-name dev.linuxcbt.internal', 'option domain-name sales.linuxcbt.internal'
    NOTE: This will ensure that each department's unique domain name is served accordingly on a per-subnet basis
    NOTE: The same applies to other resources: i.e. 'option domain-name-servers'
    NOTE: Somewhere between the 'default-lease-time' and 'max-lease-time' the client and server can agree on the actual lease time
    NOTE: DHCPD defaults to logging via /var/log/messages; however, via the 'local7' facility, you may redirect to another file
    NOTE: Clean up the file and include the absolutely required directives
  d. Attempt to start DHCPD
    d1. 'systemctl start dhcpd'
    d2. 'sudo netstat -nulp | grep 67'
      'udp 0 0 0.0.0.0:67 0.0.0.0:* 24708/dhcpd'
      DHCPD uses both: UDP:67 (Server) and UDP:68 (Client)
  e. Ensure that at least 1 DHCP client exists in the served subnet(s)
    e1. RHEL-7 Server will function as client
    NOTE: the server's secondary interface is still not configurable
    NOTE: One workaround is to copy the interface config file of an existing interface and modify it
  f. Check the DHCPD footprint: '/var/lib/dhcpd/dhcpd.leases' - leases are stored here
  NOTE: If there are problems activating interface(s), simply resort to the $SHELL, and copy an existing interface configuration and modify it accordingly
  g. Ensure that DHCPD is enabled upon system reboot
    g1. 'sudo systemctl enable dhcpd'
  h. Redirect the 'local7' LOG - it pollutes both: /var/log/{boot,messages}.log
    h1. 'sudo nano /etc/dhcp/dhcpd.conf' -> 'local6' - change facility
    h2. 'local6.none' -> add exception to -> '/etc/rsyslog.conf'

#DNS#
Features:
1. Name-to-IP (Forward) and IP-to-Name (Reverse) resolution
  NOTE: Overwhelmingly, humanity performs 'Forward' queries because it is natural and easier to remember
Tasks:
1. Search and Install BIND as a Caching-Only Server

  a. 'yum search bind dns' -> 'bind.x86_64'
  b. 'sudo yum install bind'
2. Explore
  a. '/etc/named'
    a1. '/etc/named.conf'
    a2. '/var/named' - top-level directory for:
      a2a. 'chroot' environment
      a2b. 'slaves' zone(s)
      a2c. 'master' zone(s)
      a2d. Default (loopback, localhost, root DNS servers, etc.)
3. Start Caching-Only Server
  a. 'systemctl restart named && netstat -nulp | grep 53' - started and bound to: loopback
  b. bind BIND to ALL addresses: '/etc/named.conf'
  c. Update query permissions in: '/etc/named.conf'
    'allow-query { 127.0.0.1; 192.168.75.0/24; };' - this allows loopback and the local subnet to query
  NOTE: Earlier, when we provisioned the '192.168.76.122' address, it was applied with a '/32' subnet, which prohibits communications with any other node because it is outside of the broadcast domain of any other node
4. Primary Service/Zone Hosting
  a. 'linuxcbt.internal' - fictitious, internal zone
  NOTE: Use, whenever possible, existing, properly configured BIND zones: i.e. linuxcbt.internal
  b. Examine and copy the current configuration from the Ubuntu instance
  c. Update the BIND DB: db.linuxcbt.internal to reflect current conditions: i.e. SOA, NS and various A records
  d. Update '/etc/named.conf' to reference the new zone as a primary zone
  e. Adjust the zone file as needed: combination of too high a serial value and the domain SOA descriptor
5. Perform queries
  a. 'dig @192.168.75.121 linuxcbtrouter1.linuxcbt.internal'
6. Alter TTLs on records: SOA and 'linuxcbtrouter1'
  a. 'TTL 3600'
  b. '60'
7. Create another primary zone based on the working zone: linuxcbt.internal
  a. 'linuxcbt.external'
  b. 'dig @192.168.75.121 linuxcbtrouter1.linuxcbt.internal'
8. Create SLAVE configuration on the Secondary Instance
  a. '/etc/named.conf.local'
  b. Be sure to 'include "/etc/named.conf.local"' - from: '/etc/named.conf'

# FTP Server - Services #
Features:
1. VSFTPD
2. Lightweight
3. Fast
4. Reliable
5. Stable
6. Feature-filled
  a. VHOSTS
  b. Anonymous

  c. Jailed users
  d. Prohibited/Allowed Users
  e. SELinux-integration (Default)
Tasks:
1. Install VSFTPD
  a. 'yum search vsftpd'
  b. 'yum install vsftpd' - NOT enabled by default
  c. 'systemctl status vsftpd'
  d. 'sudo systemctl enable vsftpd && systemctl status vsftpd && ps -ef | grep vsftp'
2. Start and use the service
  a. 'sudo systemctl start vsftpd' - this enables 'anonymous' and 'LOCAL USER' access by default
  b. 'sudo netstat -ntlp | grep 21' - confirm the TCP6 (which also encompasses TCP4) binding
  c. 'lftp [email protected]'
    c1. 'pwd' - reflects a CHROOTed 'anonymous' environment, which really resolves to: /var/ftp
    c2. 'grep ftp /etc/passwd'
      'ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin'
    NOTE: The 'anonymous' user is mapped to the 'ftp' user, who may NOT login using terminal-oriented front-ends: i.e. SSH, Telnet, GNOME, KDE, etc.
    NOTE: Default 'anonymous' permissions permit download, NOT upload
  d. 'lftp [email protected]' - connect as a 'normal' user
    NOTE: 'normal' users are NOT CHROOTed by Default: i.e. 'pwd'
    NOTE: SELinux prohibits 'normal' users from uploading/downloading to their $HOME directories
3. Update the SELinux configuration to allow 'normal' users to interact with their $HOME directories
  a. 'getsebool -a | grep ^ftp' - dumps FTP-related SELinux booleans
    'ftp_home_dir'
  b. 'setsebool -P ftp_home_dir=1'
4. CHROOT 'normal' users to improve Default security
  NOTE: Caveat: $HOME directories of $USERs MUST be writable by 'root'
  a. '/etc/vsftpd/vsftpd.conf' - update to CHROOT 'local' || 'normal' $USERs
5. Disable 'anonymous' access
  a. '/etc/vsftpd/vsftpd.conf'
6. LOGGING
  a. '/var/log/messages' - service/daemon (VSFTPD) behaviour (up/down/etc.)
  b. '/var/log/xferlog' - uploads/downloads - movement of content

#Apache Web Services #
Features:
1. HTTPD Server
2. Single binary handles:
  a. Prefork (Default)
  b. Worker (Threaded)
  c. Event (Conservative/efficient threading)
Tasks:
1. Install

  a. 'sudo yum install httpd'
  b. 'sudo systemctl enable httpd'
  c. 'sudo systemctl start httpd'
  d. 'ps -ef | grep httpd' - reveals 6 processes
    d1. Master process, which spawns N number of child processes
    d2. 5 child processes
2. Explore the environment
  a. '/etc/httpd' - config container (ServerRoot) - top-level
    a1. '/etc/httpd/conf/httpd.conf' - drives the default web server and includes ALL other files
    a2. '/etc/httpd/conf.d/' - common *.conf files: i.e. welcome, autoindex, etc.
    a3. '/etc/httpd/conf.modules.d' - load files for 'enabled' modules
    a4. '/etc/httpd/logs' -> /var/log/httpd - Apache LOGs (error, access)
    a5. '/etc/httpd/modules' -> /usr/lib64/httpd/modules - ALL Apache modules
    a6. '/etc/httpd/run' - PID files and run-time files created by Apache
  b. '/var/www' - Default web site content directory
    b1. '/var/www/html' - place content here
    b2. '/var/www/cgi-bin' - place CGI scripts here
  c. Update '/etc/hosts' to suppress the startup error concerning the inability to resolve the hostname
    c1. place the FQDN here
    c2. '/etc/httpd/conf/httpd.conf' -> update the 'ServerName' directive to the FQDN
    c3. 'apachectl configtest && apachectl graceful'
  d. 'apachectl' - interacts directly with Apache HTTPD
    d1. 'apachectl status'
    d2. 'apachectl configtest' - checks for syntax errors across the config: httpd.conf and all included items
  NOTE: Prior to the restart/graceful of Apache, ALWAYS run 'apachectl configtest' to reduce the likelihood of an inability to restart Apache, causing downtime
3. Install Manual: 'sudo yum install httpd-manual'
  a. '/etc/httpd/conf.d/manual.conf' - controls access to the manual
  b. Secure access to the manual to desirable nodes/networks/etc.
    b1. 'Order Deny,Allow
         Deny From ALL
         Allow From 127.0.0.1 ::1 192.168.0.0/16 10.0.0.0/8'
  NOTE: The Apache manual is unlikely to pose a security threat; however, securing it, albeit at the IP-level, lends practice in securing access to content
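The Apache LOG section that follows lists the 'combined' LogFormat variables, including the point that '%b' logs '-' rather than '0' for an empty body. As an added example (not from the LinuxCBT notes), the functions below summarise access_log lines in that format, treating '-' as zero bytes and tallying 4xx/5xx responses per client (such as denied requests for the manual secured above). The sample log lines and function names are this example's own constructions.

```shell
#!/bin/bash
# Added example, not from the LinuxCBT notes: summarise access_log lines written
# with the 'combined' LogFormat (%h %l %u %t "%r" %>s %b "%{Referer}i"
# "%{User-agent}i"). Field 10 is %b, which logs '-' rather than 0 for an
# empty response body, so byte totals must treat '-' as zero (what %B would
# have logged). The log lines below are constructed samples.

# Total response bytes (%b), counting '-' as 0 bytes.
access_log_bytes() {
    awk '{ total += ($10 == "-") ? 0 : $10 } END { print total + 0 }'
}

# Number of requests answered with a 4xx or 5xx status (%>s is field 9).
access_log_errors() {
    awk '$9 >= 400 && $9 < 600 { n++ } END { print n + 0 }'
}

# Error responses per client address (%h), most frequent first: "<count> <host>".
access_log_error_clients() {
    awk '$9 >= 400 && $9 < 600 { n[$1]++ } END { for (h in n) print n[h], h }' \
        | sort -k1,1nr -k2,2
}

# Request lines (the quoted %r) that were served with zero bytes, one per line,
# so a '-' in %b can be traced back to the request that produced it.
access_log_empty_bodies() {
    awk -F'"' '{ split($3, s, " "); if (s[2] == "-") print $2 }'
}

# One-line summary: "<requests> requests, <errors> errors, <bytes> bytes".
access_log_summary() {
    local log hits errors bytes
    log=$(cat)
    hits=$(printf '%s\n' "$log" | awk 'NF { n++ } END { print n + 0 }')
    errors=$(printf '%s\n' "$log" | access_log_errors)
    bytes=$(printf '%s\n' "$log" | access_log_bytes)
    printf '%s requests, %s errors, %s bytes\n' "$hits" "$errors" "$bytes"
}

# Constructed sample access_log in the 'combined' format.
SAMPLE_ACCESS_LOG='192.168.75.140 - - [08/Dec/2014:10:15:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.75.141 - - [08/Dec/2014:10:15:02 -0500] "GET /missing.html HTTP/1.1" 404 - "-" "curl/7.29.0"
192.168.75.142 - linuxcbt [08/Dec/2014:10:15:03 -0500] "POST /cgi-bin/test.sh HTTP/1.1" 500 - "http://site1.linuxcbt.internal/" "Mozilla/5.0"
192.168.75.142 - - [08/Dec/2014:10:15:04 -0500] "GET /manual/ HTTP/1.1" 403 - "-" "curl/7.29.0"
192.168.75.140 - - [08/Dec/2014:10:15:05 -0500] "GET /test.data HTTP/1.1" 200 1048576 "-" "Wget/1.14"'

# On a real host: access_log_summary < /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_ACCESS_LOG" | access_log_summary
printf '%s\n' "$SAMPLE_ACCESS_LOG" | access_log_error_clients
```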

4. Apache LOGs - Features: Error (inability to access content, various 2xx-5xx errors), Access (hits), Customizable Access LOGS (represent variables of our choosing)
  NOTE: '/etc/httpd/conf/httpd.conf' - contains the LOG variable assignments
  a. '%h' - connecting host
  b. '%l' - ident check - usually '-' - deprecated
  c. '%u' - connecting user - usually '-' - Noted if the user has actually authenticated
  d. '%t' - timestamp - day (2 digits)/Month (3 letters)/Year (4 digits):Hour:Minute:Second TimeZone
  e. '%r' - request method (GET/POST/etc.)
  f. '%>s' - status code returned to the client - 2xx-5xx
  g. '%b' - size of content returned to the client - Optional: '%B' - logs '0' instead of '-' for zero bytes returned, for applications that need a quantity
  NOTE: '%B' saves us from having to translate a '%b' value of '-' as meaning '0' bytes
  h. '%{Referer}' - Referrer to our site - usually the IP address of the sending site
  i. '%{User-agent}' - Browser/User-client used to access our content: i.e. mobile, desktop, etc.
  j. '%I' - Bytes In
  k. '%O' - Bytes Out
  NOTE: 'error_log' does NOT use the 'LogFormat' VARs in its messages but rather has a SYSLOG-style representation:
    a. TimeStamp
    b. Section of Apache that generated the message
    c. PID
    d. Daemon/Apache area service
    e. Message

#Virtual Hosts#
Features:
1. 2 Types
  a. IP-Based - one site (web) per IP address - inefficient usage of IPs
  b. Host Header Name-based - multiple sites per IP address - efficient way of using scarce IPv4 resources - relies upon HTTP 1.1+
Tasks:
1. IP-Based - .131, .151, .152, .161, .162, .163
  a. Add some spare addresses
  b. Test access sans VHosts - examine the default behaviour of the default site
  NOTE: By default, Apache serves the 'Default' HOST via ALL accessible IPs on the system
  c. Define an IP-based HOST tied to: 192.168.75.{131,151}
    ServerAdmin [email protected]
    ServerName site1.linuxcbt.internal
    DocumentRoot /var/www/site1
      Options FollowSymLinks
      AllowOverride None
      Order allow,deny
      Allow from ALL
    ErrorLog logs/site1.linuxcbt.internal.error_log
    CustomLog logs/site1.linuxcbt.internal.access_log combined
  d. 'mkdir /var/www/site1'
  e. 'echo "TEST of SITE1: from linuxcbtel71.linuxcbt.internal" >> /var/www/site1/index.html'
  f. 'apachectl graceful && httpd -S' - reload and ensure that the VHost is configured
2. Replicate the configuration on the same and the CentOS node
3. Name-Based Virtual Hosts
  a. Ensure ALL VHosts, where desired, share the same IP
  b. Ensure ALL VHosts sharing the same IP have the 'ServerName' directive declared
  c. 'apachectl configtest && apachectl graceful && httpd -S'
  NOTE: The new Name-Based VirtualHost configuration shows the fallback VHost, in the event that the client requests the IP address from the user-agent without the hostname: i.e. http://192.168.75.161 as opposed to: http://site3.linuxcbt.internal
  d. Ensure DNS/Name resolution services (i.e. /etc/hosts) are properly configured
    d1. Update DNS and ensure the client uses DNS
4. Segregate LOGs per VHost
  NOTE: Currently, ALL VHosts are LOGGING via the default catchall LOGs: /var/log/httpd/{access,error}_log

# MariaDB #
Features:
1. RDBMS fork/spawn of MySQL
Tasks:
1. Install MariaDB via YUM
  a. 'sudo yum install mariadb mariadb-server'
  b. 'sudo systemctl enable mariadb && sudo systemctl start mariadb'
  c. 'netstat -ntlp | grep 3306'
2. Secure the installation: enforces a 'root' password, removes 'anonymous' access, etc.
  a. 'mysql -u root' - connects sans password
  b. 'select user,password,host from mysql.user;' - returns ALL users sans passwords
  c. 'mysql_secure_installation'
  d. Test access using: 'root' and 'anonymous'
3. MySQL back-end usage largely consists of connecting with an appropriate front-end:
  a. 'mysql' - terminal monitor
  b. Upon invocation, 'mysql' client utilities read config directives from the following:
    b1. '/etc/my.cnf' - system-wide - and includes ALL 'include'd files
    b2. $HOME/.my.cnf - User-wide
    b3. Command Line Options (CLI) - overrides all the aforementioned
4. Create, Use, Destroy a simple AddressBook DB:
  a. 'create database addressbook;'
  b. 'create table contacts ( `fname` char(20), `lname` char(20), `bus_phone1` char(20), `email` char(30), PRIMARY KEY (`email`) );'
  c. INSERT INTO contacts (fname,lname,bus_phone1,email) VALUE ('Dean','Davis','+18885734943','[email protected]');
  d. UPDATE contacts SET lname='EMPLOYEE';
  e. DELETE FROM contacts where fname='dean';
  f. TRUNCATE contacts; - wipes the table clean
  g. DROP database addressbook;

#NMap #
Features:
1. Reconnaissance tool - gather information about network participants, services, etc.
2. Port Scanning -> TCP:{22,80,21,3306}, ICMP
3. Host | Device detection -> Mobile, Known Desktop (DELL), etc.
4. Service detection -> What version of SSH, Apache, etc.
5. OS Fingerprinting -> What OS? Which version?

6. Multi-target scanning - expedites the overall scan
7. Largely: Reconnaissance, and partly vulnerability scanner (via NSE scripts)
Tasks:
1. Install
    a. 'yum install nmap' -> 6.40x
    b. Absolute latest version -> insecure.org/nmap - this is the PROD route
2. Host | Device Detection
    a. 'nmap -v localhost' - scan yourself - start with the known
    NOTE: This basic scan does many things:
        1. ICMP test of whether the TARGET is available
        2. If ICMP fails, other methods are attempted, and if one succeeds, NMap moves on to the well-known (1000) ports
        3. Finds open ports and reports on them
        4. Summary is provided
    NOTE: Scan summary reveals that there are 2 more ports open on loopback than on the routable IP: TCP:{631,25}
    b. 'nmap -v 192.168.75.0/24'
    NOTE: These non-privileged scans are invoked as TCP:CONNECT scans, which complete the entire TCP lifecycle, which results in a larger TARGET LOG footprint
    NOTE: To improve stealth, execute 'nmap' as the privileged user: 'root' - TCP:SYN (half-open connections)
    c. 'nmap -v -sP 192.168.75.0/24' - quick check of ICMP-available nodes - returned in 3.20 sec instead of roughly 44 seconds (regular TCP:Connect scan)
    d. 'sudo nmap -v 192.168.75.0/24' - TCP-SYN - slower, but fewer 'breadcrumbs' are left behind
    NOTE: Use this option for legitimate scans to reduce the footprint in your LOG files
    e. 'nmap -v -A 192.168.75.0/24' - all-encompassing scan of: service detection, scripts, OS, etc.
    NOTE: Reducing the target list may not save much time because NMap quickly determines, of your entire proposed range, which nodes are up

# Packet Capturing - TCPDump#
Features:
1. Packet Capturing
2. Works using 3 qualifiers (BPF):
    a. Type - host|net|port
    b. Direction - src, dst, src or dst, src and dst (i.e. NTP, SYSLOG, TFTP)
    c. Protocol - ip, tcp, udp, etc.
NOTE: By Default, you can capture traffic:
    a. To and from your system
    b. Broadcast traffic
NOTE: If you desire to see|capture traffic between 2 remote nodes, then you'll need to mirror the packets to your system's interface
Usage:
1. 'sudo tcpdump -v[v]' - dumps packets to|fro the local system and potentially broadcast packets
2. 'sudo tcpdump -w `date +%F`-01.capture -v -i eno16777736' - does NOT dump to STDOUT, but rather, reports the number of packets captured thus far and writes to a file

NOTE: 'tcpdump -w ...' - captures ALL layers, so you can then post-process with BPFs
3. 'tcpdump -r 2014-12-23-01.capture' - replays the captured packets (137 packets)
4. 'tcpdump -c 30 -w `date +%F`-02.30-packets.capture -i eno16777736' - captures 30 packets and exits
5. 'tcpdump -A -v -i eno16777736' - dumps L3 details
6. 'tcpdump -e -v -i eno16777736' - dumps L2 details
7. 'tcpdump -n -e -v -i eno16777736' - refrain from name resolution - improves performance
8. 'tcpdump -n -e -v -i eno16777736 host 192.168.75.121 and host 192.168.75.17'
9. 'tcpdump -n -e -A -v -i eno16777736 host 192.168.75.121 and tcp port 21'
10. 'tcpdump -n -e -A -v -i eno16777736 udp port 123' - capture ALL witnessed UDP:123 traffic

#FirewallD - IPTables Front-End#
Features:
1. 'firewall-config' GUI || 'firewall-cmd' TUI -> 'firewalld' -> IPTables -> Kernel NetFilter
2. 2 Perspectives on the application of rules:
    a. Run-time configuration
    b. Permanent configuration - initiated during one of the following conditions:
        b1. System initialization
        b2. Firewall reload
    NOTE: You can compare the Permanent and Run-time configurations to Cisco's Startup and Running configurations
3. Provides various network zones (IPTables Chains)
    a. Public (untrusted) - Outbound traffic is permitted, inbound NOT unless sourced from us
    b. Work (trusted) - Traffic to-and-fro is trusted
    c. Home (trusted) " "
    d. DMZ (trusted/untrusted => Restricted) - Inbound traffic comes from the Net, and DMZ interface(s) may source explicitly permitted traffic inbound to target systems: i.e. back-end RDBMS
    e. etc.
4. The ability to generate/define custom zones
5. Service configuration | provisioning: i.e. 'DNS' (TCP|UDP:53) -> can be applied to various zones
    NOTE: The ability to group a variety of protocols and port combinations into one unit for rules application is important
6. Panic mode - drops ALL communications: i.e. DDOS or other attack
    NOTE: This mode will also drop your remote connection unless it is out-of-band: i.e. serial or third-party NIC connecting to the node
    NOTE: Ensure that ALL servers have a third-party, out-of-band means of accessing the system
    NOTE: Ensure that the out-of-band method provides FULL OS access: i.e. KVM, etc.
Usage:
1. Ensure 'firewall-config' is installed
    NOTE: 'firewall-cmd' is installed by default, but is somewhat useless because of the myriad options
    a. 'sudo yum -y install firewall-config'
2. Access 'firewall-config' via:
    a. 'Key' -> 'firewall-config'
    b. $SHELL -> 'firewall-config'
    NOTE: Ensure that you are in the desired mode upon invocation:
    c. 'Runtime'
    d. 'Permanent'
    e. Test current configuration (firewall) from a remote system using 'nmap'
        e1. 'nmap -v 192.168.75.17' - TCP:CONNECT - but failed due to lack of deeper inspection
        e2. 'sudo nmap -v 192.168.75.17' - TCP:SYN - worked
3. Panic Mode - drop ALL communications
    a. 'firewall-config' GUI -> Options -> Panic Mode
    b. Test communications - ALL fail until 'Panic Mode' is lifted
4. Shift Interface(s) to appropriate Zone(s): i.e. 'Public' -> 'Work'
    a. Options -> Change default Zone and zone of Interface(s) to suit your actual environment
5. Reload the configuration without committing changes to the 'Permanent' configuration and evaluate
    a. 'sudo firewall-cmd --reload' || from 'firewall-config' GUI
    b. 'sudo iptables -L' - confirm re-established (saved) rules
    NOTE: Changes to the 'Permanent' configuration do NOT impact the 'Run-time' configuration unless you 'Reload' the configuration using one of the management tools
6. Create 'PROD' service as an aggregate of ALL mandatory PROD services
    a. 'PROD' will contain: http,https,ssh,mysql,dns
    b. 'sudo firewall-cmd --reload' && possibly reload from GUI to reflect the new service
    NOTE: You currently cannot modify properties of the 'Runtime' configuration, as it is merely an instance of the saved 'Permanent' configuration. To make changes, update the 'Permanent' configuration and 'Reload' so that it is reflected in the 'Runtime' configuration.
    NOTE: Ensure that the defined service(s) are applied to the desired zone(s)
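Looking back at the Apache 'LogFormat' and Virtual Hosts sections above: the 'combined' format the site1 VHost writes with "CustomLog ... combined" is easy to post-process with awk. The script below is an added example, not code from the LinuxCBT notes; the log lines in it are constructed, and the field positions it relies on are those of the stock 'combined' format (host, ident, user, timestamp, request, status, bytes, Referer, User-Agent).

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: summarise an Apache 'combined'
# access_log. Space-separated field positions in that format:
#   $1 %h client   $4-$5 %t    $6-$8 "%r"    $9 %>s status   $10 %b bytes
#   $11 "%{Referer}i"   $12.. "%{User-Agent}i"
# The log lines below are constructed for this example.

SAMPLE_ACCESS_LOG='192.168.75.121 - - [23/Dec/2014:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 48 "-" "Mozilla/5.0"
192.168.75.121 - - [23/Dec/2014:10:01:03 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "http://site1.linuxcbt.internal/" "Mozilla/5.0"
192.168.75.200 - - [23/Dec/2014:10:02:10 -0500] "GET /admin/ HTTP/1.1" 404 209 "-" "curl/7.29.0"
192.168.75.200 - - [23/Dec/2014:10:02:11 -0500] "GET /backup/ HTTP/1.1" 404 209 "-" "curl/7.29.0"
192.168.75.200 - - [23/Dec/2014:10:02:12 -0500] "GET /setup/ HTTP/1.1" 403 199 "-" "curl/7.29.0"
192.168.75.17 - - [23/Dec/2014:10:03:00 -0500] "POST /upload HTTP/1.1" 500 - "-" "Mozilla/5.0"'

# Requests per HTTP status code ("status count"), sorted by status.
status_summary() {
    awk '{ n[$9]++ } END { for (s in n) print s, n[s] }' "$@" | sort
}

# Clients that received 4xx/5xx responses ("count client"), busiest first.
error_clients() {
    awk '$9 ~ /^[45][0-9][0-9]$/ { n[$1]++ }
         END { for (c in n) print n[c], c }' "$@" | sort -rn
}

# Clients with more than $2 error responses (default 3) in log file $1:
# a crude but useful first pass for spotting path guessing against a VHost.
noisy_clients() {
    error_clients "$1" | awk -v t="${2:-3}" '$1 > t { print $2 }'
}

# Bytes served per client (%b is "-" when nothing was sent, so count it as 0).
bytes_per_client() {
    awk '{ b = ($10 == "-") ? 0 : $10; s[$1] += b }
         END { for (c in s) print c, s[c] }' "$@" | sort
}

# Against a real per-VHost log from task 4 above:
#   error_clients /var/log/httpd/site1.linuxcbt.internal.access_log
```

Because 'combined' carries no '%v' (virtual host) field, the per-VHost 'CustomLog' files from task 4 are what let you run this per site rather than against the catchall log. The field arithmetic assumes '%l' and '%u' hold no spaces and the request line has its usual three tokens; a malformed request line shifts the status into another column, so treat odd status values as something to look at rather than discard.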
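For the MariaDB section above, task 2 checks 'mysql.user' before and after 'mysql_secure_installation'. The following is an added example, not part of the notes, that turns that manual check into a repeatable audit of the batch output of 'mysql -u root -e ...'. Both sample outputs are constructed; the hashed password is a labelled placeholder, and the column layout assumed is that of MariaDB 5.5/10.0/10.1 on EL7, where 'mysql.user' still has a 'password' column.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: audit the account list that
# 'select user,password,host from mysql.user;' returns. Input is the
# tab-separated batch output (header line first) of
#   mysql -u root -e 'SELECT user,password,host FROM mysql.user'
# Both sample outputs below are constructed for this example.

# Fresh install: root without a password on four hosts, two anonymous accounts.
SAMPLE_BEFORE=$(printf 'user\tpassword\thost\nroot\t\tlocalhost\nroot\t\tlinuxcbtel71.linuxcbt.internal\nroot\t\t127.0.0.1\nroot\t\t::1\n\t\tlocalhost\n\t\tlinuxcbtel71.linuxcbt.internal\n')

# After mysql_secure_installation: hashed root password (placeholder), local access only.
SAMPLE_AFTER=$(printf 'user\tpassword\thost\nroot\t*HASH-PLACEHOLDER\tlocalhost\n')

# One finding per line. Reads the files given as arguments, or stdin when
# piped from the mysql client. NR > 1 skips the column-name header.
audit_mysql_users() {
    awk -F'\t' 'NR > 1 {
        user = $1; pw = $2; host = $3
        if (user == "") { print "anonymous-account host=" host; next }
        if (pw == "" || pw == "NULL") print "empty-password user=" user " host=" host
        if (user == "root" && host != "localhost" && host != "127.0.0.1" && host != "::1")
            print "remote-root host=" host
    }' "$@"
}

# Number of findings as a plain integer (0 means the instance passes).
finding_count() {
    audit_mysql_users "$@" | wc -l | tr -d ' '
}

# Live use:
#   mysql -u root -e 'SELECT user,password,host FROM mysql.user' | audit_mysql_users
```

The three checks are exactly what 'mysql_secure_installation' prompts for: anonymous accounts, a root account with no password, and root reachable from hosts other than the local ones. If you run the client with '-N' (no column names), drop the 'NR > 1' guard or the first real row is skipped.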
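Task 6 of the FirewallD section builds a 'PROD' service from http, https, ssh, mysql and dns but does not show the resulting definition. The script below is an added example, not from the notes or the firewalld project: it writes the service as the XML file firewalld reads from '/etc/firewalld/services', targeting a scratch directory first so the file can be inspected before it is installed. The zone name 'work' follows task 4 above and is an assumption.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: define the 'PROD' aggregate
# service as a firewalld service file. Written to the directory given as $1
# (default /etc/firewalld/services) so it can be generated into a scratch
# directory and reviewed first.
write_prod_service() {
    dir=${1:-/etc/firewalld/services}
    cat > "$dir/PROD.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>PROD</short>
  <description>Aggregate of the mandatory production services: http, https, ssh, mysql, dns</description>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="22"/>
  <port protocol="tcp" port="3306"/>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
</service>
EOF
}

# Number of <port .../> entries in a service file (the check used below).
service_port_count() {
    grep -c '<port ' "$1"
}

# List the ports a service file opens, one "port/protocol" per line.
service_ports() {
    sed -n 's/.*protocol="\([a-z]*\)" port="\([0-9]*\)".*/\2\/\1/p' "$1"
}

# The same definition through firewall-cmd (permanent configuration first,
# then reload so the runtime picks it up), assuming the 'work' zone:
#   sudo firewall-cmd --permanent --new-service=PROD
#   sudo firewall-cmd --permanent --service=PROD --add-port=80/tcp
#   sudo firewall-cmd --permanent --service=PROD --add-port=443/tcp
#   sudo firewall-cmd --permanent --service=PROD --add-port=22/tcp
#   sudo firewall-cmd --permanent --service=PROD --add-port=3306/tcp
#   sudo firewall-cmd --permanent --service=PROD --add-port=53/tcp
#   sudo firewall-cmd --permanent --service=PROD --add-port=53/udp
#   sudo firewall-cmd --permanent --zone=work --add-service=PROD
#   sudo firewall-cmd --reload
#   sudo firewall-cmd --zone=work --list-services
```

An aggregate service is a convenience, not a boundary: every zone it is added to opens all six ports, including 3306/tcp. Bind it only to the zone whose interfaces should reach the database, and confirm with 'firewall-cmd --zone=work --list-services' after the reload, since the notes are right that a permanent change is invisible to the runtime until then.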

# SELinux #
Features:
1. Restricts access by SUBJECTS (users and/or processes) to OBJECTS (files)
    a. SUBJECTS:
        a1. Any user attached in any form to the system
        a2. Processes, which are attached to users attached to the system
    b. OBJECTS:
        b1. Any file on the system
        b2. '-', 'd', 'c', 'b', etc.
2. Provides: Mandatory Access Controls (MACs)
3. MACs stand in stark contrast to: Discretionary Access Controls (DACs)
    NOTE: DACs are standard Linux/Unix file system permissions
4. Provides, via policy (per subject -> object(s)), much more granular control of access to objects
5. SELinux provides a way to separate users and processes from objects via labeling of objects and subjects, and monitors/controls their interaction
6. Provides: Types (applied to objects) - Types are labels applied to objects and subjects
7. SELinux policy specifically defines and enforces permissions based on the myriad labels assigned to subjects and objects
8. When a Type is applied to a process it is called a: domain
9. Domains provide virtual sandboxes for processes
10. 'sestatus' - reveals current status

11. 'setenforce' - enabling | disabling of SELinux mode of operation: permissive || enforcing
12. Audit LOG: '/var/log/audit/audit.log' - search here for SELinux-related problems
13. Access Vector Cache (AVC) is responsible for providing/denying/logging access by subjects to objects
    NOTE: Look for 'avc' messages throughout your logs for details on potential breaches as well as other LOG data
14. '/sys/fs/selinux' - pseudo-directory where user-space tools may interact with the SELinux/Kernel
15. '/etc/selinux' - current policy is revealed
16. 'setsebool' - sets boolean values for SELinux, typically related to features/restrictions applied, via the default 'targeted' policy, to domains: i.e. HTTPD
    i.e. If HTTPD is unable to enter '/home' || $HOME there is a boolean which can be enabled to permit access
    a. 'setsebool -P' - use this option to set booleans persistently
17. 'getsebool' - dumps the current booleans
    a. 'getsebool -a' dumps ALL vars
18. 'ls -Z ...' - enumerates SELinux related data

# SFTP-Only - SSH Account #
Features:
1. File transmissions ONLY
2. NO TTY is assigned to the connecting user
3. More secure than a full SSH connection
    a. It limits the total set of executable commands (SFTP commands only)
4. Facilitates uploading/downloading various files
Tasks:
1. Examine current default
    a. Sans a 'nologin' $SHELL tied to the user's account, users can typically SSH and obtain a TTY
2. Implement SFTP-Only account
    a. Ensure: $HOME (the chroot target) is NOT owned by the $USER
        'drwx------. 17 linuxcbt linuxcbt 4096 Jan 24 01:19 /home/linuxcbt'
        a1. 'sudo chown root.root ~linuxcbt && ls -ld ~linuxcbt'
        a2. 'sudo chmod 755 ~linuxcbt'
3. Update system-wide SSH configuration to force SFTP-only sessions for the named account:
    a. '/etc/ssh/sshd_config'
        'ChrootDirectory /home/linuxcbt'
        'ForceCommand internal-sftp'
        'AllowTCPForwarding no'
        'X11Forwarding no'
    b. 'sudo systemctl restart sshd'
    c. Confirm SFTP-only connectivity
4. Revert ~linuxcbt permissions and test
    a. 'sudo chown linuxcbt.linuxcbt /home/linuxcbt'

# SFTP-Only - Forced Files Nomenclature - ~/.ssh/authorized_keys #
Features:
1. Ability to control users' logins via the ~/.ssh/authorized_keys file
2. The client will be relegated to SFTP-only, with the enforcement of the creation of a particular file name pattern: i.e. SFTP Client -> SERVER -> client_a.$$
    NOTE: This yields a predictable file nomenclature which is useful for process purposes

3. Extension of SFTP-Only access
4. Does NOT require modification to /etc/ssh/sshd_config: i.e. SFTP-Only
    CAVEAT: Unless you restrict the $USER from modifying ~/.ssh/authorized_keys, there is the risk that they may override your directive (unlike /etc/ssh/sshd_config)
Tasks:
1. 'adduser linuxcbtsftp1 && passwd linuxcbtsftp1'
2. Setup PKI-based login
3. Modify TARGET (SERVER): $HOME/.ssh/authorized_keys - place options before 'ssh-rsa KEY'
4. Test normal SSH connection from CLIENT -> no-pty allocated
5. Use account to move data via: 'dd'
    a. 'dd if=1000.txt | ssh 192.168.75.17' - produces the same content from CLIENT on SERVER
    NOTE: This mechanism supports the execution of most commands, including $SHELL scripts
    NOTE: The CLIENT can use different SSH keys to execute different commands on the SERVER
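Returning to the SELinux section above: items 12 and 13 say to search '/var/log/audit/audit.log' for 'avc' messages, and item 16 describes the boolean route when a domain such as httpd is denied. The script below is an added example, not from the notes, that reduces each 'avc: denied' record to the tuple you act on (process, source type, target type, object class, permissions). The audit records in it are constructed; 'httpd_enable_homedirs' is the real boolean for the '/home' case the notes mention.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: pull 'avc: denied' records out
# of audit.log and reduce each to: comm source_type target_type class perms.
# The audit records below are constructed for this example.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1419356402.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1419356402.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1419356402.456:457): avc:  denied  { read open } for  pid=1234 comm="httpd" name="style.css" dev="dm-0" ino=123457 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1419356410.001:460): avc:  denied  { name_connect } for  pid=1240 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# One line per denial. Reads files given as arguments, or stdin.
avc_denials() {
    awk '
        # value of key=... up to the next space, quotes stripped
        function val(s, key,    v) {
            if (match(s, key "[^ ]*")) {
                v = substr(s, RSTART + length(key), RLENGTH - length(key))
                gsub(/"/, "", v)
                return v
            }
            return ""
        }
        # third colon-separated field of a context is its type (httpd_t, ...)
        function ctx_type(c,    a) { split(c, a, ":"); return a[3] }
        /^type=AVC / && / denied / {
            perms = ""
            if (match($0, /\{ [^}]* \}/)) {
                perms = substr($0, RSTART + 2, RLENGTH - 4)   # inside "{ ... }"
                gsub(/ /, ",", perms)                          # "read open" -> "read,open"
            }
            print val($0, "comm=\""), ctx_type(val($0, "scontext=")),
                  ctx_type(val($0, "tcontext=")), val($0, "tclass="), perms
        }' "$@"
}

# The same tuples with a count in front, most frequent first: this is the
# view that tells you whether one boolean (e.g. httpd_enable_homedirs for the
# /home case) or one relabel would clear most of the noise.
avc_summary() {
    avc_denials "$@" | sort | uniq -c | sort -rn
}

# Live use:  avc_summary /var/log/audit/audit.log
```

A 'user_home_t' target under 'httpd_t' is the boolean case from item 16; a denial whose target type looks wrong for the path (for example content copied into '/var/www' that kept a home-directory label) is a relabel case, not a boolean. Either way, fix the label or boolean rather than switching to permissive mode, and re-run the summary after 'setsebool -P' to confirm the tuple has gone.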
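The two SFTP-only sections above list the sshd_config directives and the authorized_keys approach separately and leave two practical points implicit: the directives should be scoped to the one account with a 'Match' block, and sshd refuses a 'ChrootDirectory' that is not root-owned or is group/world-writable (the reason for the chown/chmod in task 2). The script below is an added example, not from the notes or OpenSSH: it writes the 'Match' block, checks chroot ownership and modes, builds the forced-command key line for the 'client_a.$$' pattern, and audits an authorized_keys file for keys that lack those restrictions. The upload directory, key material and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: SFTP-only helpers.

# 1. sshd_config fragment scoped to one account. Appended to the file given
#    as $1; append to a scratch copy first and validate with 'sshd -t -f copy'.
#    ForceCommand internal-sftp works regardless of the Subsystem line.
write_sftp_match_block() {
    cat >> "$1" <<'EOF'
Match User linuxcbt
    ChrootDirectory /home/linuxcbt
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# 2. Chroot target rules: owned by root, not writable by group or others.
#    stat -c %a prints the octal mode without a leading zero (755, 1777 ...),
#    so the group and other digits are the last two decimal digits.
chroot_dir_modes_ok() {
    mode=$(stat -c %a "$1") || return 1
    [ $(( (mode / 10 % 10) & 2 )) -eq 0 ] && [ $(( (mode % 10) & 2 )) -eq 0 ]
}
chroot_dir_ok() {
    [ -d "$1" ] && [ "$(stat -c %u "$1")" = 0 ] && chroot_dir_modes_ok "$1"
}

# 3. authorized_keys line that forces a single upload command. sshd runs the
#    forced command through the account's login shell, where $$ expands to
#    that shell's PID and yields the client_a.<pid> name from the notes.
#    $1 = public key ("ssh-rsa AAAA... comment"), $2 = upload directory.
forced_upload_key_line() {
    printf 'command="dd of=%s/client_a.$$",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$2" "$1"
}

# 4. Audit: every key line must carry a command= restriction and no-pty,
#    otherwise the key holder gets an interactive shell. Prints the offending
#    line numbers; exit status 1 if any were found, 0 if the file is clean.
audit_authorized_keys() {
    awk '!/^[ \t]*(#|$)/ && (!/command="/ || !/no-pty/) { print NR; bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}
```

The audit is the answer to the CAVEAT above: a user who can edit their own authorized_keys can drop the options, so either run it periodically against every account's file or move the keys out of the home directory with 'AuthorizedKeysFile' in sshd_config. Note that the forced-command route needs the account to keep a real login shell; with '/sbin/nologin' the command never runs.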
