RHCSA/RHCE study notes

Lessons learned:

  • To create your own repos:

    • Download packages to a directory of your choice

    • createrepo ${directory}

    • Create /etc/yum.repos.d/${file} repo file. At a minimum:

      # cat /etc/yum.repos.d/inst.repo
      [${name}]
      name=${appropriately descriptive name}
      baseurl=${protocol}://${ip}/${directory}
      
    • Import the public keys:

      cd ${directory}
      for f in *GPG*
      do
          echo rpm --import ${f}
          rpm --import ${f}
      done
      
    • If, for some reason, you don’t want to import the keys, add the gpgkey option to the stanza:

      gpgkey=${protocol}://${ip}/${directory}/${gpg_key}
      

      ... would seem easier just to import those damn things...

  • Remove rhgb from kernel line in grub.conf to see the start up script process rather than that annoying progress bar.

  • rhel6 inittab contains only one line: id:5:initdefault:

  • netstat -atunp displays open ports. quicker/cleaner than executing netstat -an | grep -i -e listen -e establish

    # netstat -atunp
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
    tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1245/rpcbind
    tcp        0      0 0.0.0.0:48276               0.0.0.0:*                   LISTEN      1320/rpc.statd
    tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      1505/vsftpd
    tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1494/sshd
    tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      1375/cupsd
    tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1585/master
    tcp        0      0 192.168.122.50:22           192.168.122.1:56570         ESTABLISHED 1855/sshd
    tcp        0      0 :::111                      :::*                        LISTEN      1245/rpcbind
    tcp        0      0 :::22                       :::*                        LISTEN      1494/sshd
    tcp        0      0 ::1:631                     :::*                        LISTEN      1375/cupsd
    tcp        0      0 :::55447                    :::*                        LISTEN      1320/rpc.statd
    tcp        0      0 ::1:25                      :::*                        LISTEN      1585/master
    udp        0      0 0.0.0.0:111                 0.0.0.0:*                               1245/rpcbind
    udp        0      0 0.0.0.0:53360               0.0.0.0:*                               1320/rpc.statd
    udp        0      0 0.0.0.0:631                 0.0.0.0:*                               1375/cupsd
    udp        0      0 0.0.0.0:648                 0.0.0.0:*                               1320/rpc.statd
    udp        0      0 0.0.0.0:996                 0.0.0.0:*                               1245/rpcbind
    udp        0      0 :::111                      :::*                                    1245/rpcbind
    udp        0      0 :::36913                    :::*                                    1320/rpc.statd
    udp        0      0 :::996                      :::*                                    1245/rpcbind
    
  • The blkid command identifies the UUID of devices.

    # blkid /dev/mapper/vg00-root
    /dev/mapper/vg00-root: UUID="1509679d-ff00-4d6d-bda4-1821d9052567" TYPE="ext4"
    
  • Show function - very useful for messing with iptables:

    show()
    {   chain=${1:-FORWARD}
        chain=$(echo ${chain} | tr '[a-z]' '[A-Z]')          # upper-case the chain name
        echo ${chain} | \
            grep -qi -e ^prerouting -e ^postrouting && args="-t nat" || args=""   # nat-table chains
        c=1; iptables ${args} -L ${chain} -n | while read line
        do
            # number the rule lines (those starting with a target), dot the header lines
            echo "${line}" | grep -qi -e ^accept -e ^reject -e ^drop -e masq -e ^dnat -e ^snat
            if [ $? -eq 0 ]
            then
                printf "%02d %s\n" ${c} "${line}"
                c=$((c+1))
            else
                printf "%2s %s\n" "." "${line}"
            fi
        done
    }
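
As an added example (not from the original notes), a shell function that boils a netstat -atunp listing like the one above down to what a reviewer actually wants: the sockets bound to every interface, and therefore reachable from other hosts. It runs on a constructed sample embedded in the script; the function name and output format are my own.

```shell
# Constructed sample: a trimmed copy of the netstat -atunp listing above.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1245/rpcbind
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      1505/vsftpd
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      1375/cupsd
tcp        0      0 192.168.122.50:22           192.168.122.1:56570         ESTABLISHED 1855/sshd
tcp        0      0 :::22                       :::*                        LISTEN      1494/sshd
tcp        0      0 ::1:25                      :::*                        LISTEN      1585/master
udp        0      0 0.0.0.0:53360               0.0.0.0:*                               1320/rpc.statd
udp        0      0 :::111                      :::*                                    1245/rpcbind'

# exposed_listeners: read netstat -atunp output on stdin and print "port/proto program"
# for every socket bound to all interfaces (0.0.0.0 or ::), i.e. reachable from other
# hosts.  Loopback-only listeners, established connections and header lines are dropped.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/           { next }   # header lines, unix sockets, etc.
        $1 ~ /^tcp/ && $6 != "LISTEN"   { next }   # tcp: listening sockets only
        {
            # Local Address is addr:port; the port is everything after the last colon
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "::") next   # bound to a single address
            printf "%s/%s %s\n", port, $1, $NF             # $NF = PID/Program name
        }'
}

# Sample run on the constructed listing (a live check is: netstat -atunp | exposed_listeners).
printf '%s\n' "$NETSTAT_SAMPLE" | exposed_listeners
```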
    

Notes:

Chapters 1-3:

03/30/14: Seems I lost the notes for my rhcsa test. Interesting as I’m usually quite good at keeping track of those. I even have crap from classes that were more than a decade ago.

Any rate, going over the rhcsa chapters just to ensure I have all the requisite info.

  • I rearranged data twixt mgmt and vmhost. Most of the permanent data will reside on mgmt. Also set up a git repo for the kickstart files. Central repo’s on mgmt.

  • I re-imaged vmhost again. It still has the Centos yum repos. Need to remember how to make those go away. (done)

  • Packages to install for kvm:

    yum -y groupinstall Virtualization
    yum -y groupinstall "Virtualization Client"      # group names with spaces must be quoted
    yum -y groupinstall "Virtualization Platform"
    yum -y groupinstall "Virtualization Tools"
    
  • Autostart:

    • virsh autostart ${dom}
    • ln -s /etc/libvirt/qemu/${dom}.xml /etc/libvirt/qemu/autostart/${dom}.xml
    • virsh autostart --disable ${dom}
    • unlink /etc/libvirt/qemu/autostart/${dom}.xml

I think I’m leaving it here for a while. Finished chapter 1 & 2. I want to run through the kvm init at least one more time. Not something I do regularly so I tend to forget things - like how to create local repos, how to update the gpg key, how to reset the firewall if I have to update it via the system-config-firewall-tui, etc.

04/01/14: Chapter 3, basic command line tools. Pretty straight forward. No surprises.

04/04/13: First thing to do, generate outsider1, then continue w/chapter 4.

Chapter 4: RHCSA level security options:

Server      IP
server1     192.168.122.50
tester1     192.168.122.150
outsider1   192.168.200.100

  • umask: Even w/umask of 0022, files won’t be created w/execute bits enabled. Security thing.

  • lsattr/chattr: commands that can restrict even root from actions on specific files. Attributes that can be set:

    • a: Append only
    • c: Compressed
    • d: no dump
    • e: extent format
    • i: immutable (no edits/deletes)
    • j: data journalling
    • s: secure deletion
    • t: no tail merging
    • u: undeletable - misnamed. File can be recovered. It’s still deleted.
    • A: no atime updates - faster I/O
    • D: synchronous directory updates
    • S: synchronous updates
    • T: Top of directory hierarchy. Directories under /home are not related and should be stored on different blocks.
  • iptables format:

    iptables -t ${type} <action direction> <packet pattern> -j <what to do>
    
    • type: filter or nat; filter is the default so you never have to type it.
    • action: [A|I|D|F|L] [OUTPUT|INPUT|FORWARD]
      • A: append
      • I: insert
      • D: delete
      • F: flush
      • L: list
    • pattern:
      • -s CIDR (source)
      • -d CIDR (destination)
    • what to do:
      • DROP: no response to remote system.
      • REJECT: response sent to remote system
      • ACCEPT: duh
  • iptables rules: need to find out what the system-config-firewall apps are doing. I updated the /etc/sysconfig/iptables file with the correct line, then restarted iptables. Not able to ftp into server1. Update the file using the tui, and it works. RCS is saying there’s no difference in the file. OK... WTF?? For now, use the system-config things, but need to figure that out.

    # rcsdiff iptables
    RCS file: RCS/iptables,v
    retrieving revision 1.2
    diff -r1.2 iptables

  • selinux:

    • Change mode:
      • update /etc/sysconfig/selinux
      • setenforce [ enforcing | permissive | 1 | 0 ]
      • echo [1|0] > /selinux/enforce (enforcing | permissive)
    • semanage:
      • install via policycoreutils-python
      • Used to list/edit current policies
      • Examples:
        • semanage login -l
        • semanage login -a -s user_u michael: Adds the user_u selinux user constraint to michael. More on those constraints later. NOTE: Not in effect if su - ${user}; only if he logs in directly.
    • getsebool|setsebool:
      • Bunches of booleans
      • Only set for the life of the system unless the -P arg supplied.

Chapter 5: boot process:

  • Can add other run levels, not just single, after the kernel line in the grub menu:
    • [1-5]: run levels 1 - 5
    • single: doesn’t execute run level 1 start scripts
    • init=/bin/sh: mounts / and runs /bin/sh. The lowest level.
  • kernel args:
    • quiet: removes the initial boot display but still shows the start up process
    • rhgb: displays that annoying progress bar vs the start up process
  • Password protecting grub:
    • grub-md5-crypt: prints an md5 hash of the password typed.
    • password --md5 ${hash}
      • Before the stanzas, protects the stanzas from editing.
      • Inside the stanza, prevents the execution of the stanza until the password is supplied.
  • manually booting from grub> prompt
    • Boot, interrupt, edit the appropriate stanza, then press c.
    • At the grub> prompt, enter root to have the system search for the root partition.
    • Alternatively, find /grub/grub.conf
    • cat (hd0,0)/grub/grub.conf
    • Enter the lines one by one. Typing is going to be extremely critical. Exam study guide says you’re supposed to get responses when the command executes. I did not get responses in my kvm env if the command was successful.
    • boot when everything’s said and done.
  • rhel6 inittab contains only one line: id:5:initdefault:

And, done for the night.

Chapter 6: filesystem administration:

Before getting into this thing too far, I want to generate another 20 gig disk for use as my test bed. //few seconds later. Sweet, got to love lessons learned:

# virsh vol-create-as default part.img 20g
Vol part.img created

# virsh vol-list default
Name                 Path
-----------------------------------------
outsider1.img        /var/lib/libvirt/images/outsider1.img
part.img             /var/lib/libvirt/images/part.img
server1.img          /var/lib/libvirt/images/server1.img
tester1.img          /var/lib/libvirt/images/tester1.img

# virsh domblklist server1
Target     Source
------------------------------------------------
vda        /var/lib/libvirt/images/server1.img

# virsh attach-disk server1 /var/lib/libvirt/images/part.img vdb --persistent
Disk attached successfully

# ssh server1 'grep -v -e vd[ab][0-9] -e dm- /proc/partitions'
major minor  #blocks  name

 252        0   20971520 vda
 252       16   20971520 vdb

  • Mostly standard shit. I didn’t go through parted like I did the first time. Much more familiar with fdisk and it’s guaranteed to be there.

  • LVM is pretty standard too. God, I forgot there’s a GUI for LVM. Really? That’s embarrassing. Want to see what an exported vg looks like to the vgs command, though.

    # umount /mnt
    # vgexport vg01                         # didn't run vgchange -a n vg01
      Volume group "vg01" has active logical volumes
    # vgs                                   # no change in vgs display
      VG   #PV #LV #SN Attr   VSize  VFree
      vg00   1   2   0 wz--n- 19.51g 11.94g
      vg01   1   1   0 wz--n- 20.00g 18.00g
    # vgchange -a n vg01
      0 logical volume(s) in volume group "vg01" now active
    # vgs                                   # still no change in vgs display
      VG   #PV #LV #SN Attr   VSize  VFree
      vg00   1   2   0 wz--n- 19.51g 11.94g
      vg01   1   1   0 wz--n- 20.00g 18.00g
    # vgexport vg01
      Volume group "vg01" successfully exported
    # vgs                                  # now an 'x' in the attr flags
      VG   #PV #LV #SN Attr   VSize  VFree
      vg00   1   2   0 wz--n- 19.51g 11.94g
      vg01   1   1   0 wzx-n- 20.00g 18.00g
    
  • Linux Unified Key Setup (LUKS): Going to be some notes here. Haven’t fucked w/LUKS since the RHCSA test.

    • Steps:

      1. Ensure kernel mods are in place:
        • lsmod | grep dm_crypt
        • modprobe dm_crypt
      2. Create the device to be encrypted: partition, lv, whatever.
      3. Format the partition for luks: cryptsetup luksFormat ${dev}
      4. Create mapping for ${dev}: cryptsetup luksOpen ${dev} ${alias}
      5. Create filesystem on ${alias}: mkfs.ext4 /dev/mapper/${alias}
      6. Create/populate /etc/crypttab
      7. Update /etc/fstab as needed; mount, test, verify, reboot.
    • Example:

      # Step 1:
      # lsmod | grep dm_crypt
      # modprobe dm_crypt
      # lsmod | grep dm_crypt
      dm_crypt               12862  0
      dm_mod                 84209  9 dm_crypt,dm_mirror,dm_log
      
      # Step 2: left as exercise for reader.
      # Step 3:
      # cryptsetup luksFormat /dev/vg01/luks
      
      WARNING!
      ========
      This will overwrite data on /dev/vg01/luks irrevocably.
      
      Are you sure? (Type uppercase yes): YES
      Enter LUKS passphrase:
      Verify passphrase:
      
      # Step 4:
      # cryptsetup luksOpen /dev/vg01/luks luks
      Enter passphrase for /dev/vg01/luks:
      
      # Step 5:
      # mkfs.ext4 /dev/mapper/luks
      mke2fs 1.41.12 (17-May-2010)
      [[snip]]
      
      # Step 6:
      # cat /etc/crypttab
      luks /dev/vg01/luks ${single_word_pwd_or_none}
      

      In theory, you can replace ‘none’ with the passphrase; however, security considerations apply and, apparently, the process doesn’t like spaces in the passphrase - at least you can’t quote the passphrase with either single or double quotes.

Chapter 7: package management:

No real surprises. Only item of note: to validate a third party package,

  • Download/import the gpg key from the site
  • rpm -K ${pkg}

Chapter 8: user administration:

  • Default password config located in /etc/login.defs:

    # grep -v -e ^# -e ^$ /etc/login.defs
    MAIL_DIR        /var/spool/mail
    PASS_MAX_DAYS   99999
    PASS_MIN_DAYS   0
    PASS_MIN_LEN    5
    PASS_WARN_AGE   7
    UID_MIN                   500
    UID_MAX                 60000
    GID_MIN                   500
    GID_MAX                 60000
    CREATE_HOME     yes
    UMASK           077
    USERGROUPS_ENAB yes
    ENCRYPT_METHOD SHA512
    
  • ldap:

    • Book still has nss_ldap vs sssd. Believe that’s a mistake.

    • Book also doesn’t discuss the authconfig command. I believe I’ll use that one...

      authconfig --enableldap --enableldapauth \
          --ldapserver=ldaps://ldapsvr.olearycomputers.com \
          --ldapbasedn="dc=oci,dc=com" --enablemkhomedir \
          --ldaploadcacert=ftp://192.168.122.1/pub/CA/cacert.pem  --update
      

No major surprises other than those two.
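
Added example, not part of the original notes: a POSIX shell check that reads login.defs text and flags the aging and hashing settings weaker than a baseline, since the stock values above (PASS_MAX_DAYS 99999, PASS_MIN_LEN 5) are exactly the ones an audit will complain about. The baseline, the getdef/audit_login_defs names and the sample text are my own; the defaults used for missing keys are the ones login.defs(5) documents for shadow-utils.

```shell
# Constructed sample: the stock RHEL 6 login.defs values shown above, plus a comment
# line to show that comments are skipped.
LOGIN_DEFS_SAMPLE='# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN                   500
CREATE_HOME     yes
UMASK           077
ENCRYPT_METHOD SHA512'

# getdef KEY DEFAULT: value of KEY in the login.defs text held in $DEFS (last occurrence
# wins, as shadow-utils reads it); DEFAULT when the key is absent.
getdef() {
    printf '%s\n' "$DEFS" | awk -v k="$1" -v d="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == k              { v = $2 }
        END                  { print (v == "" ? d : v) }'
}

# audit_login_defs: read login.defs text on stdin, print one FAIL line per setting weaker
# than the baseline and return 1 if anything failed.  The baseline (90-day max age, 1-day
# min age, 8-char min length, UMASK 077 or 027, SHA512 hashes) is this example's choice;
# the second getdef argument is the shadow-utils default when the key is missing.
audit_login_defs() {
    DEFS=$(cat)
    rc=0
    v=$(getdef PASS_MAX_DAYS 99999)
    [ "$v" -le 90 ]   || { echo "FAIL PASS_MAX_DAYS=$v (want <= 90)";   rc=1; }
    v=$(getdef PASS_MIN_DAYS 0)
    [ "$v" -ge 1 ]    || { echo "FAIL PASS_MIN_DAYS=$v (want >= 1)";    rc=1; }
    v=$(getdef PASS_MIN_LEN 5)
    [ "$v" -ge 8 ]    || { echo "FAIL PASS_MIN_LEN=$v (want >= 8)";     rc=1; }
    v=$(getdef UMASK 022)
    case $v in 077|027) ;; *) echo "FAIL UMASK=$v (want 077 or 027)"; rc=1 ;; esac
    v=$(getdef ENCRYPT_METHOD DES)
    [ "$v" = SHA512 ] || { echo "FAIL ENCRYPT_METHOD=$v (want SHA512)"; rc=1; }
    return $rc
}

# Sample run on the constructed text (live check: audit_login_defs < /etc/login.defs).
printf '%s\n' "$LOGIN_DEFS_SAMPLE" | audit_login_defs || echo "login.defs needs hardening"
```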

Chapter 9: RHCSA SA tasks:

  • VNC: fucking vnc...

    • yum -y install vinagre tigervnc tigervnc-server

    • Edit /etc/sysconfig/vncservers; add appropriate users/ports at bottom.

    • On a client, yum -y install vinagre tigervnc

    • vncviewer ${ip}:${port} as detailed in the file.

    • Right way is to use port forwarding which looks like it needs some work.

      # h
      tester1
      # ssh -L 5901:localhost:5901 -N -f -l dkoleary server1
      # vncviewer localhost:5901
      

Other than vnc, nothing too serious. Next starts things I haven’t gone through yet. Should be exciting.

Chapter 10: security primer:

04/06/14: Spent the day troubleshooting kvm networking as my guests couldn’t ping or talk to each other. Ended up going completely nuclear and reinstalling vmhost. Finally figured it out... KVM went rule happy when libvirtd is restarted. Too many rejects in the forward chain. Check the rhel_kvm page for details.

04/07/14: A short study day today. Wanted to get a little further since yesterday was such a waste.

  • While playing w/the firewall rules on server1, I’m not able to block outsider1 due to NAT. I could probably change the vm host to a router. That may be worthy of some investigation.

  • Firewall rules: Author suggests an addition to the firewall such that:

    • Create a chain called SSH_CHAIN: iptables -N SSH_CHAIN

    • Send any new ssh traffic from the INPUT chain to SSH_CHAIN:

      iptables -A INPUT -i ${in} -p tcp -m tcp --dport 22 -m state \
      --state NEW -j SSH_CHAIN

    • Set a limit to the number of new requests that can come in. The recent list only fills if a --set rule records each attempt; the --update rule then drops the third new connection from one source within 60 seconds:

      iptables -A SSH_CHAIN -i ${in} -p tcp -m tcp --dport 22 -m state \
      --state NEW -m recent --set --name SSH
      iptables -A SSH_CHAIN -i ${in} -p tcp -m tcp --dport 22 -m state \
      --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl \
      --name SSH -j DROP
      
  • Fucking excellent! The study author just gave me the answer to setting up routing.

    • sysctl -w net.ipv4.ip_forward=1 (and set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it persistent)

    • Flush the FORWARD chain and add:

      iptables -F FORWARD
      iptables -A FORWARD -o eth0 -j ACCEPT
      iptables -A FORWARD -o virbr0 -j ACCEPT
      iptables -A FORWARD -o virbr1 -j ACCEPT
      iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
      
    • Once done, NAT is no longer running and I can see the access as coming from the real vm IP:

      # h
      server1
      # ssh outsider1
      root@outsider1's password:
      # h
      outsider1
      # who
      root     pts/0        2014-04-07 17:58 (server1)
      

04/08/14: Worked on the firewall rules and revamped the rhel_kvm network section. Probably learned more about firewalls than I’ll need for the test. Good self study.

04/10/14: Still on chapter 10: finished the firewall section though.

  • system-config-firewall: relatively nice gui front end to the /etc/sysconfig/iptables file. If I’m running out of time, it’ll probably help get things running correctly. First pass, though, stick with the command line.
  • Extended internet super server: fancy speak for xinetd. Fairly standard.
  • tcpwrappers:
    • The xinetd in linux is wrapped. Not like those other guys where we have to
    • Daemon side must match the binary. Using telnet as the example: in.telnetd
    • Client side can be specific IP or network/netmask. Not CIDR:
      • hosts.allow: in.telnetd : 192.168.122.0/255.255.255.0 works
      • hosts.allow: in.telnetd : 192.168.122.0/24 doesn’t.
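
Added example (not from the notes or from the tcp_wrappers package): helper functions that turn a CIDR prefix into the net/netmask form hosts.allow accepts here, and refuse a network address that still has host bits set, which is the usual way such an entry ends up matching something other than what was intended. Function names are my own.

```shell
# prefix2mask N: dotted-quad netmask for an IPv4 prefix length N (0..32).
prefix2mask() {
    n=$1
    case $n in ''|*[!0-9]*) echo "bad prefix length: $n" >&2; return 1 ;; esac
    [ "$n" -le 32 ] || { echo "bad prefix length: $n" >&2; return 1; }
    # 32-bit mask with the top n bits set, then split into four octets
    m=$(( n == 0 ? 0 : (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF ))
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
                           $(( (m >> 8) & 255 ))  $(( m & 255 ))
}

# ip2int A.B.C.D: the address as a 32-bit integer (octet ranges are not validated).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad address: $*" >&2; return 1; }
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# hosts_allow_line DAEMON NET/PREFIX: print the entry in the net/netmask form that
# tcp_wrappers accepts, refusing a NET with host bits set (almost certainly a typo).
hosts_allow_line() {
    daemon=$1; net=${2%/*}; plen=${2#*/}
    mask=$(prefix2mask "$plen") || return 1
    net_i=$(ip2int "$net")     || return 1
    mask_i=$(ip2int "$mask")
    if [ $(( net_i & ~mask_i & 0xFFFFFFFF )) -ne 0 ]; then
        echo "$net is not the network address for /$plen (host bits set)" >&2
        return 1
    fi
    printf '%s : %s/%s\n' "$daemon" "$net" "$mask"
}

# Sample: the telnet entry from the notes above, written the way hosts.allow wants it.
hosts_allow_line in.telnetd 192.168.122.0/24
```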

Leaving it here. Next section is pam. That should prove interesting.

04/12/14: need to finish a couple of chapters today. Finishing up chapter 10 now:

  • PAM

    • Nice: the /etc/pam.d/login file tells the login process to use system-auth

    • PAM sa guide: /usr/share/doc/pam-1.1.1/html/Linux-PAM_SAG.html

    • Line format:

      ${module_type} ${control_flag} ${module_path} ${arguments}
      
    • Module types:

      • auth: authentication: how/when and with what restrictions users are authenticated
      • account: allows/denies according to account policies
      • password: password management
      • session: settings for application sessions.
    • Control flags:

      • required: Short version: sets a failed flag. pam continues to next statement regardless and up to app to figure out what to do w/the failure.
      • requisite: if fails, the module fails right there.
      • sufficient: if succeeds, the login/auth succeeds
      • optional: success/failure, not really considered.
      • include: includes other files.
    • Need to read the pam admin guide: http://www.olearycomputers.com/ll/pam/Linux-PAM_SAG.html

  • Relatively minor section on gpg2. Remember the other commands related to gpg, particularly gpgconf.

  • Labs: (04/14/14)

    • gpg:

      • gpg --gen-key
      • gpg --armor --export ${user}: otherwise the export is in binary
      • gpg -e -r ${user} ${file}: not the other way around
      • gpg -d ${file}

    • Rest were no problem. Remember the selinux booleans.

Chapter 11: selinux:

  • Selinux:
    • When fucking w/selinux, don’t forget to install the semanage app via policycoreutils-python
    • Don’t forget the host of booleans that may need to be tweaked.
    • Don’t forget to use the -P option to make boolean settings permanent: setsebool -P ${bool} ${value}
    • context changes and survivability:
      • chcon will change the context and it will survive a reboot.
      • It won’t, however, survive a restorecon
      • semanage fcontext -a -s ${sel_user} -t ${sel_type} ${dir} will survive both.
  • ssh: guy’s got some borked ideas about accessing root directly; but, other than that, pretty standard stuff. I did get a kick out of the ‘These lines are typically ignored’ line when discussing forced commands.
  • Labs: no issues.

Chapter 12: rhce admin tasks:

  • scripts: really? hehe; that’s cute.

  • kernel parms: not really in depth. remember that you can dump them all via sysctl -a

  • Creating an rpm package: this should be interesting.

    • In current source directory, create an empty, executable called configure.
    • Tar/gzip the whole thing and put the resulting file in ~/rpmbuild/SOURCES
    • yum -y install rpm-build rpmdevtools
    • rpmdev-newspec
    • Hrm; directions in the book aren’t working. I’ll have to do some googling on creating a simple rpm package... that, or catch up on one of the labs.
  • Routing:

    • Standard routing commands; don’t forget the gw

    • /etc/sysconfig/network-scripts/route-${int}:

      ADDRESS0=192.168.0.0
      NETMASK0=255.255.255.0
      GATEWAY0=192.168.122.1
      
  • Kerberos: use the system-config-authentication gui. much easier. kerberos is going to be dependent on an ntp server.

  • ISCSI

    • yum -y install iscsi-initiator-utils
    • iscsiadm -m discoverydb -t st -p 192.168.122.1 -D

Seems pretty straight forward; but, I can’t do anything w/kerberos or iscsi. Need the class for that. Got 2.5 chapters done today. Good progress.

  • Labs: expecting some fun w/the rpm package.

    • rpm build. Got it. I think I commented too much crap the first time. I was able to create the two rpms in the lab and even experiment a little.

      • yum -y install rpm-build rpmdevtools
      • As a normal user, rpmdev-setuptree; cd rpmbuild
      • Create a subdirectory w/version # (mypackage-1.0)
      • Put required files in it including an executable empty configure
      • rpmdev-newspec SPECS/${spec}
        • Fill out the summary lines (ones w/o ‘%’) as needed. Comment or erase ones that aren’t.
        • Required commands:
          • %description
          • %prep and %setup -q
          • %build (comment out everything)
          • %install
          • %clean
          • %files (sub cmd %dir to create the directory?)
          • %defattr (w/final commands)
      • First package lab was right from the book; the second was from scratch and memory. Yay for me!
    • Routing: fucking routing command. I really hate that.

      • route add default gw ${gw} # that one I got...

      • route add -net ${network_ip} netmask ${netmask} gw ${gw}

      • Format for the /etc/sysconfig/network-scripts/route-${int}:

        ADDRESS0=${tgt_addr}
        NETMASK0=${netmask}
        GATEWAY0=${gw}
        

Chapter 13: electronic mail:

  • If both postfix/sendmail are installed, use the alternatives command to switch between them.

    # alternatives --config mta
    
    There are 2 programs which provide 'mta'.
    
    Selection    Command
    -----------------------------------------------
    + 1           /usr/sbin/sendmail.postfix
    * 2           /usr/sbin/sendmail.sendmail
    
    Enter to keep the current selection[+], or type selection number: 2
    

04/13/14

  • User level security:

    • Short section discussing having user accounts on the MTA system from which users will get their mail.

    • Set otherwise non-interactive accounts with shell=/sbin/nologin

    • MTA access configured via SASL which ties back to pam via:

      • Config files under /etc/sasl2 entry pwcheck_method

      • /etc/sysconfig/saslauthd

        # grep -i ^mech /etc/sysconfig/saslauthd
        MECH=pam
        
  • Consider setting rules to listen to port 25 on specific networks only:

    • iptables:

      iptables -A INPUT -m state --state NEW -m tcp -p tcp \
      -s 192.168.122.0/24 --dport 25 -j ACCEPT
      
    • sendmail: daemonportoptions:

      DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
      
    • postfix: inet_interfaces = ${ip} in /etc/postfix/main.cf

  • postfix:

    • Commands:
      • postconf check command tests the postfix config
      • postmap updates the hash databases.
    • Files:
      • access: same as sendmail; don’t forget to run postmap afterwards
      • canonical: incoming email user rewrite/redirect
      • generic: outgoing user rewrite
    • main.cf: Upon installation, update:
      • myhostname
      • mydomain
      • uncomment myorigin (don’t edit otherwise)
      • inet_interfaces (as described in how to limit port 25 exposure)
      • inet_protocols, if needed/desired
      • mydestination: effectively postfix’s version of local-host-names. add $mydomain to the list.
      • mynetworks: list of internal networks or those allowed to relay.
    • Authentication:
      • Create local accounts w/shells = /sbin/nologin. Set passwords
      • Configure postfix as noted above.
      • Perform steps in the README-Postfix-SASL-RedHat.txt doc under /usr/share/doc/postfix-${ver}/

Mostly standard; sendmail was pretty lightly covered. They’re pushing postfix so that’s the one I should be ready to configure.

  • Labs: nothing too extreme. Need to remember the docs for postfix. updating the main.cf file shouldn’t be too crazy for the most part.

Chapter 14: apache:

  • Mostly standard so far; groupinstall ‘web servers’ to get everything.

  • apache and selinux: When creating dirs for vhosts, ensure:

    • file context: ls -dZ; chcon; semanage. CGI dirs have different contexts from the ones on /var/www/html.

      # ls -dZ /var/www/html /var/www/cgi-bin
      drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/
      drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
      
    • booleans: book stresses httpd_enable_homedirs

  • host based security set up in the directory stanza. Examples:

    deny from 192.168.122.150
    deny from 192.168.122/24
    allow from osborne.com
    
  • User/group security:

    • Directives: to be added to the appropriate <directory> stanza

      • AuthUserFile/AuthGroupFile: specifies the user/group files containing valid users.
      • AuthType Basic: sets up the basic authorization type.
      • Require [user|group]: specifies the user or group required.
      • AuthName ${something}: the name of the ‘realm’
    • Book doesn’t - yet - say how to populate the password database. BTW, the password database shouldn’t be in the same directory that the miscreants are viewing.

    • .htaccess:

      • If used, needs the AllowOverride Options directive in the directory stanza.
      • Allows the ability to override previously set permissions.
    • User/group pwds:

      • Create the password file:

        htpasswd -c ${pwd_file} ${user}
        
      • To add another user:

        htpasswd ${pwd_file} ${user}

      • Group file format (location specified in the directive):

        ${group}: ${user} ${user}
        
  • User home directories:

    • Reset UserDir directives in httpd.conf
    • Set world executable bit on /home/${user} and /home/${user}/public_html or setfacl.
    • setsebool -P httpd_enable_homedirs 1
    • Update the <Directory /home/*/public_html> stanza as appropriate.
  • Group directories (also stressed as part of the test)

    • Create a new user that matches the group
      • shell = /sbin/nologin,
      • directory owned by nobody, perms 2770
      • setfacl -m u:apache:x /home/${user}
      • setfacl -m u:apache:x /home/${user}/public_html
    • Reset Userdir in httpd.conf
    • setsebool -P httpd_enable_homedirs 1
    • Update the <Directory /home/*/public_html> stanza as appropriate.
    • service httpd restart
  • SSL:

    • genkey ${fqdn}: generates a set of self signed keys for ssl enabled domains.
    • To configure multiple virtuals, need NameVirtualHost *:443 added to ssl.conf
    • It appears my vhost (both ssl and nonssl) are working; I just can’t get elinks to work w/the self signed cert. fuck.
  • CGI:

    • update the <Directory "/var/www/cgi-bin"> stanza:
      • Options ExecCGI
      • AddHandler cgi-script .pl
    • If creating alternate cgi-bin dirs, don’t forget ls -dZ; chcon; and semanage fcontext -a -s ...
  • Labs:

    • Virtual hosts: Mostly reasonable. Remember to put an IP address in the NameVirtualHost parameter. Also, remember the httpd -t and httpd -S commands.
    • Remember the genkey command to generate self signed certs.
    • Read the whole question: limit the home directory to the user means remotely as well. That implies an authentication mechanism.
    • Install the ‘web server’ group or the httpd-manual rpm somewhere. Use the tutorials in the top right to ID required auth parms.
    • Long story short: this lab, while not difficult, took me about 4 hours. I need to get that time down and not include so many errors.

Chapter 15: samba. fucking samba:

  • If manually setting up firewall, ensure following ports are open:

    • 137/udp: netbios name service

    • 138/udp: netbios datagram service

    • 139/tcp: netbios session service

    • 445/tcp: MS directory service or Samba over IP.

      iptables -I INPUT 8 -m state --state new -p udp -m udp --dport 137 -j ACCEPT
      iptables -I INPUT 9 -m state --state new -p udp -m udp --dport 138 -j ACCEPT
      iptables -I INPUT 10 -m state --state new -p tcp -m tcp --dport 139 -j ACCEPT
      iptables -I INPUT 11 -m state --state new -p tcp -m tcp --dport 445 -j ACCEPT
      
  • Check selinux booleans

Mostly standard other than that. the book pounced on samba_enable_home_dirs several times...

  • Labs: yep; fucking samba.
    • smbpasswd: In order to add a user, the account must exist on the local box. Otherwise, samba responds with the completely helpful ‘Failed to add entry for user dkoleary’. Fucknuts.
    • The group access thing seems to have stumped me. I’m not able to mount a samba directory as nobody nor write to it by anyone. Need to work that one a bit.

Chapter 16: More file sharing services:

  • NFS: A bit more entertaining than I was expecting. nfs ver 4 has come a long way. I’ll need to examine NFS in more depth at some point. Lessons learned:
    • Following ports need to be defined in /etc/sysconfig/nfs:
      • LOCKD_TCPPORT=4000
      • LOCKD_UDPPORT=4000
      • MOUNTD_PORT=4001
      • STATD_PORT=4002
    • Those same ports need to be opened in a firewall.
    • Book suggested two selinux booleans which don’t seem to exist anymore.
    • Need to play around w/the automounter on linux. Really don’t like the idea of nfs mounts in the /etc/fstab file.
  • vsftpd:
    • If allowing local users to access their home dirs, ensure chroot_local_user is set to yes.
    • If download only, ensure write_enable=NO is set.
    • Book suggests that the selinux type public_content_rw_t needs to be set on whatever directory is used.
    • Directory used for anonymous access is the home directory of ftp user.
  • Labs: some issues w/anonymous ftp and passive mode. not sure what was up with that. Other than that, the nfs stuff went smoothly. Want and need to ensure I can get the automounter up and running in nothing flat too.

Chapter 17: dns, ftp, and logging:

  • DNS: simply a matter of extending the listen-on and allow-query lines as well as adding appropriate forwarders.
  • sar:
    • sar files written to /var/log/sa
    • check /etc/sysconfig/sysstat for days to keep and when to compress
  • ntp and rsyslog: no surprises.

At last. Done reading. wow.

  • Labs: For the most part, no issues. had some fun with the dns initially due to fuck ups. Wrong IP, wrong port, etc. sar and ntp had no issues.

Labs:

Redoing all of the labs. Modifying the ones in chapter 2, though. I’m already reasonably familiar with virt-install and kickstart. The only additional thing I’ll be doing is cloning a box.

  • luks encryption:
    • Remember, cryptsetup luksFormat vs luksOpen as first command option, dumb ass!
    • Third field in /etc/crypttab is absolute path to the file containing the passphrase. It includes any new lines. Create the file via echo -n '${passphrase}' > ${passphrase_file}. Once that’s done, rebooting w/a luks formatted partition works.
  • rpm creation. had to check in the book for the right format for the install command. Remember the $RPM_BUILD_ROOT