RHCE notes

This is the place where I am keeping my study notes for my Red Hat Enterprise Linux Certified Engineer

I will add more to this page as I go along....

REQUIREMENTS
RHEL 5 requires at least 192MB of RAM 

BOOT PROCESS
scenario - /etc/inittab missing: try passing init=/bin/sh as a kernel parameter to boot to a shell, then you can recreate or restore the inittab file

you can pass kernel parameters at boot to enter various runlevels,
- for runlevel 1 pass the word single or emergency

CRON
/etc/crontab
.---------------- minute (0 - 59)
|  .------------- hour (0 - 23)
|  |  .---------- day of month (1 - 31)
|  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
|  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7)  OR sun,mon,tue,wed,thu,fri,sat
|  |  |  |  |
*  *  *  *  *  command to be executed
*/5 * * * *  /home/user/test.pl
run the script /home/user/test.pl every 5 minutes.

Managing daemons
ntsysv --level 35   - starts a GUI service config for runlevels 3 and 5

chkconfig --list , lists all daemons and their per-runlevel settings
chkconfig --level 35 sendmail on , enables sendmail in runlevels 3 and 5 (--level takes the list of runlevels)
chkconfig sendmail off

/etc/fstab
LABEL=/         /               ext3         defaults               1 1
server1:/store  /store          nfs          rw                     0 0

fstab column meanings
- device name: can be the disk's LABEL from e2label, its UUID, or the device node e.g. /dev/sdb1
- mount point: where to mount
- fs-type: filesystem type (ext3 and nfs in the examples above)
- options: mount options; defaults means ??? need to find out
- dump-freq: enables/disables backing up this filesystem when dump is run
- pass-num: indicates the order in which the fsck utility checks the partitions for errors when the computer boots. 0 = not checked, 1 = first, 2 = next

Automounter autofs - mounts on demand
/etc/auto.master
/etc/auto.net servername , lists the nfs shares on that host

lsattr , list file attributes
chattr +i , makes a file immutable so even root cannot delete it (-i removes the attribute again)
chattr +a , makes a file append-only, i.e. allowing users to append to a log file but not rewrite it

ACCESS CONTROL LISTS
remount partition with option "acl"
getfacl , prints a file's access control list
getfacl /home/john

setfacl , sets a file's ACL; similar to chown/chmod except that you can grant access to multiple users. Use -m to modify an entry
setfacl -m user:john:r-x /home/john/file1

mask, ??? need to research this further 

SELINUX
ls -Z , lists the security context of files

output is Identity, role, domain

Identity: user_u (Generic user), root (root), system_u (system users)
Role: all files seem to be associated with the "object_r" role
Context domain ???

PARTITIONING

parted
..print [free | Num | all]
rm 10 , remove partition 10

- If the hard drive is new you need to make a disk label first
  mklabel ....msdos

Creating partitions
mkpart
...primary
...ext3
...start.. 0
...end  .. 100MB or 50%

partprobe - make sure linux reads the new partition table

Creating a swap disk
mkswap /dev/sda2
swapon /dev/sda2, don't forget to add an entry to fstab

REDHAT PACKAGE MANAGER

rpm -i install
-U upgrade (installs the package if it is not already present)
-F freshen: upgrades only packages that are already installed
-e erase/remove package
-v verbose
-h print hash marks to show progress

You can use urls in rpm eg:
rpm -ivh ftp://ftp.blah/pub/blah.rpm

rpm --verify --file /bin/vi , verifies whether the file has changed since it was installed (same as rpm -Vf)

yum whatprovides evince , finds the package that provides a file or feature; you can use wildcards
yum whatprovides /etc/fstab

need to install the rpm-build package before you can build
SRPMS Install source to /usr/src/redhat
 ..SOURCES contains orig source
 ..SPECS contains spec files
 ..BUILD source is unpacked here
 ..RPMS output of rpm after rpmbuild
 ..SRPMS output of srpm

rpmbuild -ba vsftp.spec , builds source and binaries
  .. -bb builds just binaries

KICKSTART
pass kernel parameters at the boot prompt to start kickstart; if there are multiple network interfaces, add ksdevice=eth0 so that it doesn't prompt for which one to use
boot: linux ks=cdrom:/ks.cfg
boot: linux ks=hd:sdb1:/ks.cfg
boot: linux ks=nfs:192.168.1.1:/kicks/ks.cfg
boot: linux ks=http://192.168.1.1/kicks/ks.cfg

utmpdump /var/log/wtmp , dumps the login records to check recent logins

USER ACCOUNT MANAGEMENT

/etc/passwd
john:x:500:500:John Bencic:/home/john:/bin/bash

Username: the login name. Usernames can include hyphens (-) or underscores (_), but should not start with a number or include uppercase letters.
Password: an x, an asterisk (*) or the password itself. An x points to /etc/shadow for the actual password; an asterisk means the account is disabled.
User ID: The unique numeric user ID (UID) for that user. By default, Red Hat starts user IDs at 500.
Group ID: The numeric group ID (GID) associated with that user.
User info: eg Full Name
Home Directory: By default, RHEL places new home directories in /home/username.
Login Shell: By default, RHEL assigns users to the bash shell.

/etc/shadow file
john:1v0eSNIPX4Wau1:14499:2:30:6:15:14253:

Columns:
Username: username
Password: Encrypted password; requires an x in the second column of /etc/passwd
Password history: Date of the last password change, in number of days after January 1, 1970
mindays: Minimum number of days that you must keep a password (-m)
maxdays: Maximum number of days after which a password must be changed (-M)
warndays: Number of days before password expiration when a warning is given (-W)
inactive: Number of days after password expiration when an account is made inactive (-I)
disabled: Number of days after password expiration when an account is disabled (-E)
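The /etc/passwd and /etc/shadow field lists above are easiest to remember by reading a real line back. This added example (not from the original notes) decodes the ageing fields of one shadow line against a chosen "today" given, like field 3, in days since 1970-01-01; the john line is the sample from the notes, the other states are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: decode the ageing fields of
# one /etc/shadow line and report the password/account state for a given
# "today", expressed like field 3 as days since 1970-01-01. The sample line
# is the john entry from the notes; lines are only parsed, nothing is written.

# usage: shadow_status 'shadow line' today_in_days
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        user = $1; pw = $2; last = $3; max = $5
        warn = $6; inact = $7; expire = $8
        # $4 (mindays) only limits how soon the password may be changed again
        # field 8: absolute account expiry date, overrides password ageing
        if (expire != "" && today >= expire) { print user ": account expired"; exit }
        # an empty field 2 means login without any password at all
        if (pw == "") { print user ": NO PASSWORD SET"; exit }
        # ! or * in field 2: locked/disabled, no hash can ever match
        if (pw ~ /^[!*]/) { print user ": password locked"; exit }
        # maxdays of 99999 (or none) means the password never ages
        if (max == "" || max >= 99999) { print user ": ok (no ageing)"; exit }
        age = today - last
        # past maxdays + inactive days the account is inactive, not just expired
        if (inact != "" && age > max + inact) {
            print user ": inactive, password expired " (age - max) " days ago"; exit
        }
        if (age > max) { print user ": password expired " (age - max) " days ago"; exit }
        left = max - age
        if (warn != "" && left <= warn) { print user ": must change in " left " days"; exit }
        print user ": ok, " left " days left"
    }'
}

# the sample line from the notes above, checked on day 14520 (2009-10-03):
# its expire field (14253 = 2009-01-09) has passed, so the account is expired
shadow_status 'john:1v0eSNIPX4Wau1:14499:2:30:6:15:14253:' 14520
```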

Adding users
useradd , adds a user
usermod , modifies a user

-g: set the main login group
-G : supplementary groups; -a appends to the list instead of replacing it
-e 2009-12-30 john : sets account expiration
-U: unlocks an account effectively removing the ! from the password

chage command changes user password expiration
userdel: removes user, use -r to delete the users home directory as well

QUOTAS

to enable quotas you need to mount the disk with the user and group quota options as follows
/dev/sdb1   /home    ext3   defaults,usrquota,grpquota     1   2

quotacheck -cugvm /home
  -c Performs a new scan.
  -v Performs a verbose scan.
  -u Scans for user quotas.
  -g Scans for group quotas.
  -m Don't try to remount the scanned filesystem read-only.

quotacheck creates the aquota.user and aquota.group files, which keep track of the quotas

edquota -u john , edit quota for user john

edquota -t , sets the grace periods; default is 7 days for both the inode and the block (file size) limits

repquota -a / , -a all users. report on quota usage 

Creating a share area for users
chown nobody.staff /home/staff
chmod 2770 /home/staff , or chmod g+s to set the setgid bit so that new files inherit the group

PAM
Pluggable Authentication Modules (PAM)

Format of a PAM configuration line
module_type  control_flag  module_path  [arguments]

Module Types:auth, account, password, session

 - auth: Authentication management. Establishes the identity of a user; decides whether to prompt for a username and/or a password.
 - account: Account management. Allows or denies access according to the account policies: time of day, password expiration or a list of restricted users.
 - password: Password management. Manages other password policies, e.g. limiting the number of times a user can try to log in.
 - session: Session management. Applies settings for an application, e.g. default settings for a login console.

Control Flags: determine what PAM does if the module succeeds or fails
 - required: If the module works, the command proceeds. If it fails, PAM still proceeds to the next line in the configuration file, but the command controlled by PAM will fail in the end.
 - requisite: Stops the process immediately if the module fails.
 - sufficient: If the module works, the login or other authentication proceeds. No further lines need be processed.
 - optional: PAM ignores module success or failure.
 - include: Includes all module_type directives from the named configuration file; for example, if the directive is password include system-auth, this includes all password directives from the PAM system-auth file.

NIS
to connect a client to an nis server
edit /etc/yp.conf
add line: domain nisdomain server 

start the service on boot
chkconfig ypbind on

manage password with the yppasswd command

LDAP
to connect a client to an ldap server 

modify the /etc/ldap.conf file

host 127.0.0.1: IP of the LDAP server.
base dc=example,dc=com: Sets the default base distinguished name
ssl start_tls: Required if you want Transport Layer Security (TLS) support
pam_password: Supports encryption schemes for passwords; options include crypt, nds (Novell Directory Services), and ad (Active Directory).

modify the following lines in /etc/nsswitch.conf so that lookups fall through to nis and ldap after the local files
hosts: files nisplus nis dns
passwd:   files nis ldap
shadow:   files nis ldap
group:    files nis ldap

NETWORKING

netstat -r
Kernel routing table
Destination Gateway       Genmask         Flags MSS Window irtt Iface
191.72.1.0  *             255.255.255.0   U     40  0         0 eth0
127.0.0.0   *             255.0.0.0       UH    40  0         0 lo
Flag Description
G: The route uses a gateway.
U: The network adapter (Iface) is up.
H: Only a single host can be reached via this route.
D: This entry was created by an ICMP redirect message.
M: This entry was modified by an ICMP redirect message.

arp
# arp
Address           HWtype  HWaddress           Flags Mask            Iface
192.168.0.121     ether   52:A5:CB:54:52:A2   C                     eth0

arp -s bugsy 00:00:c0:cf:a1:33 , add a static arp entry for host bugsy
arp -d bugsy , remove the entry from the arp table

CUPS PRINTING

install the printing group
yum groupinstall printing
use system-config-printer to configure

printer classes - a group of similar printers; printing to a class prints to any printer in the class which is not busy at the time.

using the older printing commands
lpr: used to add print requests
lpq: list queued requests
lprm: Remove requests from queue
lpc: line printer control, administers one or more print queues.

lpc status
lpr -Pprintername filename , prints filename to the printer named printername

Areas which I need to work on are
PAM
ACL's