Friday, April 25, 2014

Install package without dependencies



[root@my32GB Packages]# rpm -ivh http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/mozilla-vlc-1.1.13-1.el6.rf.x86_64.rpm --nodeps --force

Luks and GPG setup

LUKS [Linux Unified Key Setup]

- LUKS (Linux Unified Key Setup) is used to encrypt a disk partition

Steps :

1.    Create an empty partition and fill it with random data
# dd if=/dev/urandom of=/dev/sdaX
Note: This will overwrite /dev/sdaX with random (garbage) data; make sure sdaX is the right partition

2.    Format the partition as an encrypted LUKS device
# cryptsetup luksFormat /dev/sdaX
        Warning (Are you sure? type uppercase yes) : YES
        Enter LUKS passphrase  : redhat

3.    Open the partition under a name, entering the passphrase.
# cryptsetup luksOpen /dev/sdaX secret
Note: secret = any name you choose; the opened device appears as /dev/mapper/secret. Enter the same passphrase as above when prompted.

4.    Format the partition with the ext4 fs type.
# mkfs.ext4 /dev/mapper/secret

5.    Add entry to crypttab,
# vi /etc/crypttab
        secret /dev/sdaX    none
        :wq

6. Add an fstab entry so the mount survives a reboot.
  # vi /etc/fstab
        Insert mode
        /dev/mapper/secret  /mnt  ext4  defaults 0 0
        :wq
7.    Mount the FS.
# mount -a   

Now, reboot your machine.
You will always be prompted for the LUKS passphrase at boot.

--------------------------------------------------------------------------
GPG [GNU Privacy Guard Key Encryption]


- GPG stands for GNU Privacy Guard
- It is used to encrypt a data file so that it can be sent over the wire securely.
- Using the wrong password to decrypt the data, even once, will corrupt it.


To Encrypt :

# cat > mylok             // type the contents, then Ctrl+D
# gpg -c mylok            // -c = symmetric (passphrase) encryption; creates mylok.gpg
  Enter password

To Decrypt :

# gpg mylok.gpg           
Note: mylok and mylok.gpg are now 2 different files

To Encrypt [ASCII]

# gpg -c -a mylok            // -a = ASCII armored output; mylok.asc file created
  Enter password

------------------------------------------------------------------------

Install, set up ssh

        SSH

- SSH allows you to connect to a remote host over an encrypted channel
- provides user (password) based and token (key) based authentication
- package name         - openssh-server
- service name         - sshd
- Configuration file   - /etc/ssh/sshd_config

--------------------------------------------------------------------

        ssh Server

# yum install openssh-server -y
# vim /etc/ssh/sshd_config
  Insert mode
  Shift+G                  // go to the end of the file
  Press 'o' for a new line
  AllowUsers tom           // Allow/deny users; if neither directive is present,
  DenyUsers harry          // all users are allowed by default
  :wq
# service sshd restart
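How sshd applies the two directives above (DenyUsers is evaluated before AllowUsers, and once an AllowUsers line exists every user it does not name is refused), as an added example that is not part of the original notes; the sshd_config text is constructed, and names are matched literally, without sshd's wildcard or user@host forms.

```shell
#!/bin/sh
# Added example: model sshd's AllowUsers/DenyUsers decision for a login name.
# Order sshd uses: DenyUsers, AllowUsers, DenyGroups, AllowGroups; only the
# two user directives are modelled, and names are matched literally
# (no wildcards, no user@host forms).

# Constructed sample sshd_config, mirroring the two lines added in the notes.
SAMPLE_SSHD_CONFIG='Port 22
Protocol 2
# comment lines are ignored
AllowUsers tom
DenyUsers harry
'

# directive_values <config-text> <Directive>
# Prints every name listed on lines whose first word is <Directive>
# (sshd keywords are case-insensitive).
directive_values() {
    printf '%s\n' "$1" | awk -v d="$2" '
        tolower($1) == tolower(d) { for (i = 2; i <= NF; i++) print $i }'
}

# list_has <name> <newline-separated list>: exact, whole-line match.
list_has() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# ssh_user_permitted <config-text> <user>
# Prints "allowed" or "denied" and returns 0 or 1 accordingly.
ssh_user_permitted() {
    cfg=$1; user=$2
    deny=$(directive_values "$cfg" DenyUsers)
    allow=$(directive_values "$cfg" AllowUsers)

    # DenyUsers wins: a user listed there is refused even if also in AllowUsers.
    if [ -n "$deny" ] && list_has "$user" "$deny"; then
        echo denied; return 1
    fi
    # Once AllowUsers exists, only the users it names may log in.
    if [ -n "$allow" ] && ! list_has "$user" "$allow"; then
        echo denied; return 1
    fi
    # Neither directive applies: everyone is allowed (sshd's default).
    echo allowed; return 0
}

# Stand-alone run: tom is allowed, harry is denied, and alice is denied too
# because AllowUsers is present and does not name her.
for u in tom harry alice; do
    printf '%-6s %s\n' "$u" "$(ssh_user_permitted "$SAMPLE_SSHD_CONFIG" "$u")"
done
```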

---------------------------------------------------------------------------------------

        ssh client

# ssh username@ipaddress

Example :

# ssh tom@192.168.0.28

Use the -X or -Y option to get access to graphical tools (X11 forwarding)

# ssh -X 192.168.0.28
  Enter password
  Try,
# system-config-date

-----------------------------------------------------------------------------------------

        ssh Key-based (password-less) Authentication

The public key needs to be saved on the remote host
Key-based authentication :
i.)  dsa
ii.) rsa


Condition : To log in without a password using ssh

i.) dsa

# su - user
# ssh-keygen -t dsa        // use either key type: dsa or rsa
Enter+Enter+Enter          // Your public key is saved in ~/.ssh
# cd .ssh                  // under the user's home directory
# scp -rp id_dsa.pub 192.168.0.25:/home/user
Here,
-rp = recursive, preserving permissions and timestamps
Source = id_dsa.pub
Destination = 192.168.0.25:/home/user
Note: on the remote host the copied key still has to be appended to that user's ~/.ssh/authorized_keys; ssh-copy-id (below) does this step for you.

ii.) rsa

# su - user
# ssh-keygen -t rsa
# ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.0.19    // sends the public key and appends it to the remote authorized_keys

Now Try,

# ssh 192.168.0.19

------------------------------------------------------------------------------------------

ssh commands

i.) scp command

# scp filename 192.168.0.19:/destination         // Secure Copy (over ssh)
Example :
# scp -rp id_dsa.pub 192.168.0.25:/home/user

ii.) seq command

# seq 111111 > filename            // writes the numbers 1 to 111111, one per line (a large test file)

iii.) rsync command

Condition : If you want only the data appended to the file to be sent to the destination

# rsync sumit 192.168.0.19:        // this saves both time and bandwidth

------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------

Configure SAMBA

        Samba

- It is used for sharing files, folders and printers between Linux and other operating systems
- works on port no. 137, 138, 139
- Package Name         - samba
- Service Name         - smb
- Configuration file   - /etc/samba/smb.conf

Check with the rpm command whether the package is installed or not

# rpm -qa samba
# rpm -qc samba        [Configuration]
# rpm -qd samba        [Documentation]
# rpm -ql samba        [List]

=================================================================================

    Samba - Server side

# yum install samba -y
# mkdir /share
# vim /etc/samba/smb.conf
  [global]
  workgroup = WORKGROUP         // Enter the domain/workgroup name provided    LINE 74
  hosts allow = 192.168.10.     // trailing dot = the whole 192.168.10.x network
  OR
  (leave hosts allow out)       // For ALL hosts, the default
  Shift+G
  [Share]
  comment = Samba Server
  path = /share
  browsable = yes
  writable = yes
  valid users = harry
  :wq
# service smb restart
# chkconfig smb on
# chcon -t samba_share_t /share
# smbpasswd -a harry

------------------------------------------------------------------------------

    Samba - Client side

# smbclient -L //192.168.10.224 -U harry
OR , in web browser
smb://192.168.10.224

------------------------------------------------------------------------------

To View Samba Configuration File Contents

# testparm

------------------------------------------------------------------------------

Condition :
When a file is created in the Samba share (/share) from a client, the server shows its owner and group as root.
If you want the server side to control the ownership and permissions that client-created files get :

# vim /etc/samba/smb.conf
  [global]
  workgroup = WORKGROUP         // Enter the domain/workgroup name provided    LINE 74
  hosts allow = 192.168.10.     // trailing dot = the whole 192.168.10.x network
  OR
  (leave hosts allow out)       // For ALL hosts, the default
  Shift+G
  [Share]
  comment = Samba Server
  path = /share
  public = yes
  browsable = yes
  writable = yes
  valid users = harry
  create mask = 766
  directory mask = 755
  force user = root
  force group = sales
  :wq
# service smb restart
 
==============================================================================================

Configure and set up ftp

            FTP

- FTP stands for File Transfer Protocol
- It is used for uploading and downloading files
- By default, root is not allowed to use the FTP service because
  FTP sends and receives everything (including the password) in clear text

- Package name     = vsftpd     [for Server]
- Package name     = ftp        [for Client]
- Port No.         = 20, 21
- Configuration file = /etc/vsftpd/vsftpd.conf
- Service          = vsftpd
- Default enabled user = anonymous    // works without a password

-----------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------

FTP -        Server Side

# yum install vsftpd -y
# service vsftpd restart
# chkconfig vsftpd on
# cd /var/ftp/pub
# touch a b c d e

-----------------------------------------------------------------------------------------

FTP -        Client Side

# yum install ftp -y
# ftp 192.168.0.78        // FTP server IP

-----------------------------------------------------------------------------------------

FTP -        Commands

A.) To Download a file

i.    get and mget commands

# ftp 192.168.0.78            // FTP server IP
ftp> get filename
ftp> mget file1 file2 file3   // For multiple files

ii.    wget command

# wget ftp://192.168.0.78/pub/a        // FTP server IP ; a= filename

-----------------------------------------------------------------------------------------

B.) To upload a file

Server Side :

# yum install vsftpd -y
# service vsftpd restart
# chkconfig vsftpd on
# cd /var/ftp/pub
# touch a b c d e
# vim /etc/vsftpd/vsftpd.conf
  anon_upload_enable=YES    // uncomment the line
  :wq
# service vsftpd restart
==========================================================================================

Client Side :

# ftp IPaddress
  name=anonymous
ftp> cd pub
ftp> put /root/Desktop/abc
===========================
Error received
227 Entering Passive Mode
553 Could not create file
===========================

===================================================================================
Note : Check the permissions of the pub folder; by default there is no write permission
===================================================================================

# ls -l /var/ftp            // pub does not have write permission
# chmod 777 /var/ftp/pub

===========================================================
Note : Change the group name of pub folder from Root to FTP
===========================================================

# chgrp ftp /var/ftp/pub

====================
Try again, same error
====================

==============================
Now, check for SE linux policy
==============================
# setenforce 0                                   // temporarily permissive, to confirm SELinux is what blocks the upload
# getsebool -a | grep ftp
# setsebool -P allow_ftpd_anon_write on          // allow_ftpd_anon_write = allow the anonymous user write permission
# setenforce 1
# chcon -t public_content_rw_t /var/ftp/pub

==========
Try again,
==========

# ftp IPaddress
  name=anonymous
ftp> cd pub
ftp> put /root/Desktop/abc

-----------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------

Install configure set up ssh

        SSH

- SSH allows you to connect to a remote host over an encrypted channel
- provides user (password) based and token (key) based authentication
- package name         - openssh-server
- service name         - sshd
- Configuration file   - /etc/ssh/sshd_config

--------------------------------------------------------------------

        ssh Server

# yum install openssh-server -y
# vim /etc/ssh/sshd_config
  Insert mode
  Shift+G                  // go to the end of the file
  Press 'o' for a new line
  AllowUsers tom           // Allow/deny users; if neither directive is present,
  DenyUsers harry          // all users are allowed by default
  :wq
# service sshd restart

---------------------------------------------------------------------------------------

        ssh client

# ssh username@ipaddress

Example :

# ssh sam@192.168.10.20

Use the -X or -Y option to get access to graphical tools (X11 forwarding)

# ssh -X 192.168.10.20
  Enter password
  Try,
# system-config-date

-----------------------------------------------------------------------------------------

        ssh Key-based (password-less) Authentication

The public key needs to be saved on the remote host
Key-based authentication :
i.)  dsa
ii.) rsa


Condition : To log in without a password using ssh

i.) dsa

# su - user
# ssh-keygen -t dsa        // use either key type: dsa or rsa
Enter+Enter+Enter          // Your public key is saved in ~/.ssh
# cd .ssh                  // under the user's home directory
# scp -rp id_dsa.pub 192.168.10.20:/home/user
Here,
-rp = recursive, preserving permissions and timestamps
Source = id_dsa.pub
Destination = 192.168.10.20:/home/user
Note: on the remote host the copied key still has to be appended to that user's ~/.ssh/authorized_keys; ssh-copy-id (below) does this step for you.

ii.) rsa

# su - user
# ssh-keygen -t rsa
# ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.10.21    // sends the public key and appends it to the remote authorized_keys

Now Try,

# ssh 192.168.10.21

------------------------------------------------------------------------------------------

        ssh commands

i.) scp command

# scp filename 192.168.10.21:/destination         // Secure Copy (over ssh)
Example :
# scp -rp id_dsa.pub 192.168.10.20:/home/user

ii.) seq command

# seq 111111 > filename            // writes the numbers 1 to 111111, one per line (a large test file)

iii.) rsync command

Condition : If you want only the data appended to the file to be sent to the destination

# rsync sumit 192.168.10.21:        // this saves both time and bandwidth

------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------

NTP Server and Client set up

Network Time Protocol (NTP)

NTP is used to synchronize the time of a computer system with a remote time server over the network. It operates on UDP port 123.


1. Configure NTP server
a. Edit the /etc/ntp.conf file and specify the NTP server you want to sync your system with.
Note: Normally we sync the time with a local time server or a university time server.

# vi /etc/ntp.conf

Uncomment the server section; in my case, I am using a time server from Reston, VA

# Time server from, Reston VA
# nist1.aol-va.symmetricom.com Reston, Virginia
server  64.236.96.53


b. save the file and restart the ntpd service

# service ntpd status
ntpd is stopped

# service ntpd start
Starting ntpd:                                             [  OK  ]

c. Make sure to start the ntpd service on every reboot.

# chkconfig --list ntpd
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
# chkconfig ntpd on
# chkconfig --list ntpd
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off



# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 nist01.ntp.aol. .INIT.          16 u    -   64    0    0.000    0.000   0.000

---------------------------------------------------------------------------------

Note: If you see an st (stratum) value of more than 5, your NTP is not syncing with the server. Please check and verify that the server is operational.
Note: A jitter value of 0.000, or anything less than 1, is considered successful.

To check the NTP status,
# ntpstat

synchronised
  time server re-starting
   polling server every 64 s
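To turn the two notes above into a repeatable check, here is an added example (not from the original notes) that parses ntpq -p output with the same thresholds; the ntpq output is constructed, and a peer showing st 16 with reach 0 is what ntpq prints for a server it has never reached.

```shell
#!/bin/sh
# Added example: apply the two notes above to "ntpq -p" output.
# Per peer:  st 16 or reach 0  -> unreachable     (ntpq's "never reached" state)
#            st > 5            -> stratum-too-high (the notes' threshold)
#            jitter >= 1       -> high-jitter      (the notes' threshold)
#            otherwise         -> ok

# Constructed sample of "ntpq -p" output (column 1 is the tally code:
# '*' = system peer, '+' = candidate, ' ' = discarded or unreached).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*nist1.example.n 10.0.0.1         1 u   35   64  377   12.345    0.512   0.321
 nist01.ntp.aol. .INIT.          16 u    -   64    0    0.000    0.000   0.000
+ntp2.example.ne 10.0.0.2         2 u   40   64  377   30.100   -1.200   5.210
'

# ntp_peer_health <ntpq-output>
# Prints one line per peer: "<remote> st=<n> reach=<octal> jitter=<ms> <status>".
ntp_peer_health() {
    printf '%s\n' "$1" | awk '
        /^ *remote / || /^=+$/ || /^[ \t]*$/ { next }   # header, rule, blank lines
        {
            # Drop the one-character tally column, then split the rest.
            split(substr($0, 2), f, /[ \t]+/)
            remote = f[1]; st = f[3] + 0; reach = f[7]; jitter = f[10] + 0
            if (st >= 16 || reach + 0 == 0) status = "unreachable"
            else if (st > 5)                status = "stratum-too-high"
            else if (jitter >= 1)           status = "high-jitter"
            else                            status = "ok"
            printf "%s st=%d reach=%s jitter=%.3f %s\n", remote, st, reach, jitter, status
        }'
}

# ntp_system_peer <ntpq-output>
# Prints the remote marked "*" (the peer the clock is actually synced to), if any.
ntp_system_peer() {
    printf '%s\n' "$1" | awk 'substr($0, 1, 1) == "*" {
        split(substr($0, 2), f, /[ \t]+/); print f[1]; exit }'
}

# Stand-alone run against the constructed sample.
ntp_peer_health "$SAMPLE_NTPQ"
echo "synced to: $(ntp_system_peer "$SAMPLE_NTPQ")"
```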

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Setting up NTP Client

To set up an NTP client, edit the same /etc/ntp.conf file and specify the NTP server you just created.

# vi /etc/ntp.conf
Comment out all lines that begin with server and add your NTP server info.

server    192.168.10.120

# service ntpd start
# chkconfig ntpd on

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To update or sync your client system with NTP server,

# ntpdate -u 192.168.10.120       

Kernel and Grub information

        To Break (Reset) the Root Password

1 Reboot the system
2 At the GRUB menu, press 'Esc' -----> Press 'e'
3 Select the kernel line ----> Press 'e'
4 Add a space and '1' at the end, then Enter     [1 = boot into single user mode]
5 Press 'b' to boot
6 A root shell opens
7 # setenforce 0
8 # passwd

--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------

        RUN levels

0 -    Shutdown
1 -    Single usermode
2 -    Multi usermode without NFS [networking]
3 -    Multi usermode with Networking
4 -    unused, only for R & D
5 -    Multi usermode with Networking and Graphics
6 -    reboot

--------------------------------------------------------------------------------------------

        To Change Run Level

# vim /etc/inittab

--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------

        To View Terminal

# tty

--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------

        To View OS information

# uname             // Name of OS
# uname -s            // Name of OS
# uname -a            // All information of OS
# uname -r            // Release level of OS

--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------

         Maintaining Kernel 

RHEL 6.0 supports the following processors :

i     INTEL and AMD - 64 bit (x86_64)
ii    INTEL and AMD - 32 bit (x86)
--------------------------------------------------------------------------------------------

        To view Architecture of the system

# arch
Output : x86_64
--------------------------------------------------------------------------------------------

        To open the kernel (GRUB) configuration file

# vim /etc/grub.conf
# vim /boot/grub/grub.conf
--------------------------------------------------------------------------------------------

        Update and Boot from another Kernel

# vim /etc/grub.conf                // to view the kernel entries

Now, download the kernel from the FTP server

# yum install lftp -y                // lftp gives you Tab completion when connected to FTP
# lftp 192.168.0.254
# cd /pub/rhel60/Packages
# get kernel-debug-2.6.32-71.el6.x86_64.rpm        // use Tab to complete the name
# get kernel-firmware-2.6.32-71.el6.noarch.rpm     // use Tab to complete the name
# exit

Now, you are back on the local PC        [the above 2 files have been copied into the current working directory]

# rpm -ivh kernel-firmware.......
# rpm -ivh kernel-debug..........
--------------------------------------------------------------------------------------------
       
        Passing Kernel Argument

# vim /etc/grub.conf

In the Kernel Entry, type
    crashkernel=auto kernstack 1        // System will boot always in Single user mode
        :wq
# init 6

--------------------------------------------------------------------------------------------
       
        Passing Kernel Parameters

# vim /etc/grub.conf

In the Kernel Entry, type
    nousb=sysctl 1                // nousb = no USB device can be connected ; sysctl = always log in in single user mode
        :wq
# init 6

--------------------------------------------------------------------------------------------
       
        To List Kernel Modules [drivers]

# lsmod

--------------------------------------------------------------------------------------------
       
        To manually install/uninstall device drivers

# modprobe usb_storage        // To load the module
# modprobe -r usb_storage     // To unload the module

--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------

            GRUB 

GRUB stands for Grand Unified Boot Loader

----------------------------------------------------------------------------

        To set GRUB Password

# grub-md5-crypt
  Enter password
  Copy the encrypted (MD5 hashed) password it prints
# vim /etc/grub.conf
  At "hiddenmenu"
  Press 'o' to insert a new line
  type: password --md5 <paste the hash here>
  :wq
# init 6
----------------------------------------------------------------------------

        To Break GRUB Password

In order to remove the password, you need a rescue disk

1 Boot from the rescue disk
2 Continue
3 OK                  // your system will be mounted under /mnt/sysimage
4 Shell: Start shell ---- Enter
5 # chroot /mnt/sysimage
6 # vim /etc/grub.conf
7 Delete the password line     // Press dd
8 exit
9 reboot
----------------------------------------------------------------------------






What is "rhgb" on the grub, kernel line?

rhgb = Red Hat graphical boot - This is a GUI boot screen with most of the information hidden while the user sees a rotating activity icon spinning and brief information about what the computer is doing.

quiet = hides the majority of boot messages before rhgb starts. These are supposed to make the common user more comfortable: people get alarmed at seeing the kernel and initialization messages, so they are hidden for their comfort.

Of course these people would probably be more alarmed by XP or 2K messages during safe mode operation.




=================================================================


GRUB Menu Configuration File
The configuration file (/boot/grub/grub.conf), which is used to create the list of operating systems to boot in GRUB's menu interface, essentially allows the user to select a pre-set group of commands to execute. The commands given in Section 2.6, “GRUB Commands” can be used, as well as some special commands that are only available in the configuration file.
2.7.1. Configuration File Structure
The GRUB menu interface configuration file is /boot/grub/grub.conf. The commands to set the global preferences for the menu interface are placed at the top of the file, followed by stanzas for each operating kernel or operating system listed in the menu.
The following is a very basic GRUB menu configuration file designed to boot either Red Hat Enterprise Linux or Microsoft Windows 2000:
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux AS (2.6.8-1.523)
        root (hd0,0)
        kernel /vmlinuz-2.6.8-1.523 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.8-1.523.img

# section to load Windows
title Windows
        rootnoverify (hd0,0)
        chainloader +1
This file configures GRUB to build a menu with Red Hat Enterprise Linux as the default operating system and sets it to autoboot after 10 seconds. Two sections are given, one for each operating system entry, with commands specific to the system disk partition table.
Note: The default is specified as an integer. This refers to the first title line in the GRUB configuration file. For the Windows section to be set as the default in the previous example, change default=0 to default=1.
Configuring a GRUB menu configuration file to boot multiple operating systems is beyond the scope of this chapter. Consult Section 2.9, “Additional Resources” for a list of additional resources.



Configuration File Directives
The following are directives commonly used in the GRUB menu configuration file:
chainloader </path/to/file> — Loads the specified file as a chain loader. Replace </path/to/file> with the absolute path to the chain loader. If the file is located on the first sector of the specified partition, use the blocklist notation, +1.
color <normal-color> <selected-color> — Allows specific colors to be used in the menu, where two colors are configured as the foreground and background. Use simple color names such as red/black. For example:
color red/black green/blue
default=<integer> — Replace <integer> with the default entry title number to be loaded if the menu interface times out.
fallback=<integer> — Replace <integer> with the entry title number to try if the first attempt fails.
hiddenmenu — Prevents the GRUB menu interface from being displayed, loading the default entry when the timeout period expires. The user can see the standard GRUB menu by pressing the Esc key.
initrd </path/to/initrd> — Enables users to specify an initial RAM disk to use when booting. Replace </path/to/initrd> with the absolute path to the initial RAM disk.
kernel </path/to/kernel> <option-1> <option-N> — Specifies the kernel file to load when booting the operating system. Replace </path/to/kernel> with an absolute path from the partition specified by the root directive. Multiple options can be passed to the kernel when it is loaded.
password=<password> — Prevents a user who does not know the password from editing the entries for this menu option.
Optionally, it is possible to specify an alternate menu configuration file after the password=<password> directive. In this case, GRUB restarts the second stage boot loader and uses the specified alternate configuration file to build the menu. If an alternate menu configuration file is left out of the command, a user who knows the password is allowed to edit the current configuration file.
For more information about securing GRUB, refer to the chapter titled Workstation Security in the Security Guide.
root (<device-type><device-number>,<partition>) — Configures the root partition for GRUB, such as (hd0,0), and mounts the partition.
rootnoverify (<device-type><device-number>,<partition>) — Configures the root partition for GRUB, just like the root command, but does not mount the partition.
timeout=<integer> — Specifies the interval, in seconds, that GRUB waits before loading the entry designated in the default command.
splashimage=<path-to-image> — Specifies the location of the splash screen image to be used when GRUB boots.
title group-title — Specifies a title to be used with a particular group of commands used to load a kernel or operating system.
To add human-readable comments to the menu configuration file, begin the line with the hash mark character (#).

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Reference_Guide/s1-grub-configfile.html
https://www.centos.org/docs/5/html/Installation_Guide-en-US/s1-grub-configfile.html
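An added example (not part of the Red Hat excerpt above) showing how default=<integer> resolves against the title lines and how to check that the global section of grub.conf carries a password directive, which is what the "To set GRUB Password" steps earlier add; the grub.conf text is the excerpt's sample with default changed to 1 and a placeholder (not real) password line inserted.

```shell
#!/bin/sh
# Added example: resolve "default=<integer>" against the title lines of a
# grub.conf and check that the global section (everything before the first
# "title") carries a password directive.

# Constructed grub.conf: the excerpt's sample with default changed to 1 and
# a placeholder (not a real hash) MD5 password line added.
SAMPLE_GRUB_CONF='default=1
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$placeholder$notarealhashxxxxxxxxxx
title Red Hat Enterprise Linux AS (2.6.8-1.523)
        root (hd0,0)
        kernel /vmlinuz-2.6.8-1.523 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.8-1.523.img

# section to load Windows
title Windows
        rootnoverify (hd0,0)
        chainloader +1
'

# grub_default_title <grub.conf text>
# Prints the title GRUB will boot when the timeout expires. Titles are
# counted from 0 in file order; "default=saved" is not handled here.
grub_default_title() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                               # comment line
        /^[ \t]*default=/ { sub(/^[ \t]*default=/, ""); def = $0 + 0; next }
        /^[ \t]*title[ \t]/ { sub(/^[ \t]*title[ \t]+/, ""); titles[n++] = $0 }
        END { if (n > 0 && def < n) print titles[def]; else print "<no such entry>" }'
}

# grub_password_protected <grub.conf text>
# Returns 0 if a "password" directive appears before the first title,
# i.e. editing entries at the GRUB menu requires the password.
grub_password_protected() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /^[ \t]*title[ \t]/ { exit }                      # end of the global section
        /^[ \t]*password([ \t]|=)/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Stand-alone run against the constructed sample.
echo "default entry : $(grub_default_title "$SAMPLE_GRUB_CONF")"
if grub_password_protected "$SAMPLE_GRUB_CONF"; then
    echo "password line : present"
else
    echo "password line : MISSING (menu entries can be edited at boot)"
fi
```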

SELINUX policy set up

 SELinux Policy [ Security Enhanced Linux Policy ]

The path a client request takes to a service, and the checks it passes through on the way:

Client ==> Firewall ==> TCP Wrapper ==> SELinux ==> Server

TCP Wrapper = Allow/Deny using services
Firewall    = Allow/Deny using IP address
----------------------------------------------------------------------------------------------

Modes of SE Linux :

1.    Enforcing
2.    Permissive
3.    Disabled

Enforcing :
 i.)  It prevents unauthorized access to files and services
 ii.) It creates logs for unauthorized access.

Permissive:
 i.)  It creates logs only but doesn't prevent anything

Disabled  :
 i.)  It neither logs nor prevents anything, since SELinux is already disabled
----------------------------------------------------------------------------------------------

How to change :

# getenforce          // Show the SE linux mode
# setenforce 0        // To change to Permissive mode
# setenforce 1        // To change to Enforcing mode
----------------------------------------------------------------------------------------------

To disable it, go to the configuration file (the change takes effect after a reboot) :

# vi /etc/sysconfig/selinux    OR vi /etc/selinux/config
  SELINUX=disabled
  :wq
----------------------------------------------------------------------------------------------

To see log files :

# less /var/log/messages            // SELinux denials (AVC messages) also go to /var/log/audit/audit.log when auditd is running
----------------------------------------------------------------------------------------------

Types of SELINUX :

1.    Targeted :             the default policy; the targeted processes are protected (confined)
2.    MLS (Multi-Level Security) :    we create self-defined rules to secure our system and processes

** If we copy the files from one location to another, they receive the SELinux context of the destination location
** If we move the files from one location to another, they keep the same SELinux context they had before

--------------------------------------------------------------------------------------------------

Lab exercise :

1.) Create 4 files at different locations :
# touch /tmp/test1
# ls -lZ
# touch /etc/test2
# ls -lZ
# touch /home/test3
# ls -lZ
# touch /var/www/html/test1
# ls -lZ

2.) Copy test1 file to /var/www/html
# cp /tmp/test1 /var/www/html

3.) Move test3 file to /var/www/html
# mv /home/test3 /var/www/html

4.) Now, see the property of the directory
# ls -lZ

5.) To apply the default SELinux context to all files in the /var/www/html folder
# restorecon -Rv /var/www/html

6.) Now, if you create a file on the desktop, want it to stay there, and want to apply the SELinux context of the html folder to it
# mkdir /root/Desktop/index.html
# chcon -Rv --reference /var/www/html /root/Desktop/index.html

---------------------------------------------------------------------------------------

Booleans

Booleans are on/off switches in the default policy that allow or restrict particular behaviours of SELinux;
SELinux can be tuned with them according to the requirements, without writing new policy.

To view the Boolean values of a service/system

# getsebool -a
    OR
# getsebool -a | grep ftp
# setsebool -P allow_ftpd_anon_write on        // -P = Permanent (survives reboot) ; allow_ftpd_anon_write = boolean name ; on = on/off
----------------------------------------------------------------------------------------

VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV


# ls -lZ
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
# touch myfile
# ls -Z myfile
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 myfile

SELinux provides a user (unconfined_u), a role (object_r), a type (user_tmp_t here), and a level (s0).
More often you would be interested in the type.

VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV

Within SELinux, a security context is represented as variable-length strings that define the SELinux user, their role, a type identifier and an optional MCS / MLS security range or level as follows:
user:role:type[:range]
Where:
user ==> The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.
role ==> The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.
type ==> When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access.
When a type is associated with an object, it defines what access permissions the SELinux user has to that object.
range ==> This field can also be known as a level and is only present if the policy supports MCS or MLS. The entry can consist of:
A single security level that contains a sensitivity level and zero or more categories (e.g. s0, s1:c0, s7:c10.c15).
A range that consists of two security levels (a low and high) separated by a hyphen (e.g. s0 - s15:c0.c1023).

VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV

This information is used to make access control decisions. On Discretionary Access Control (DAC) systems, access is controlled based on Linux user and group IDs. SELinux policy rules are checked after DAC rules, so they are not consulted at all if DAC rules deny access first.

The Z option can be used with ps, ls, cp, id, and others. For instance, to view your security context:

# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

To view the security context associated with a file, run the following command,
# ls -lZ myfile
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 myfile

There are multiple commands for managing the SELinux context for files, such as chcon, semanage fcontext, and restorecon.

# semanage fcontext -l | more
# semanage fcontext -l | grep '/var/www'
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0

Let's say you change your default document root to /opt/www; it will have a different context. You need to change it to the httpd_sys_content_t type, otherwise your web server will not work.
To assign the new context, use the following command to add a file-context rule.
# semanage fcontext -a -t httpd_sys_content_t '/opt/www(/.*)?'
Note: -a --> add a new fcontext rule with the type (-t) httpd_sys_content_t, matching /opt/www and any sub-directories and files.

# semanage fcontext -l | grep '/opt/www'  # list the fcontext rules

# restorecon -Rv /opt/www
The restorecon command sets default contexts on files and directories, according to policy.

# echo "For selinux test" >test.file
# ls -lZ test.file
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 test.file

# mv test.file /var/www/html/
# ls -lZ /var/www/html/test.file
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /var/www/html/test.file

# restorecon -v /var/www/html/test.file
restorecon reset /var/www/html/test.file context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

Note: if you change SELinux from disabled to enforcing or permissive mode, the entire filesystem has to be relabelled (restorecon -R /, or touch /.autorelabel and reboot) because no contexts were set while it was disabled; a reboot is recommended.
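An added example (not part of the original notes) that applies the user:role:type[:range] structure described above and the mv-keeps-its-label behaviour to audit a directory listing: it splits a context on its first three colons only (the range may itself contain a colon, as in s0-s0:c0.c1023) and lists entries whose type is not the one expected for that directory; the ls -lZ lines are constructed.

```shell
#!/bin/sh
# Added example: split an SELinux context into its fields and audit an
# "ls -lZ" listing for entries whose type is not the one expected there
# (the situation "mv" leaves behind, as shown above with user_tmp_t
# inside /var/www/html).

# selinux_ctx_field <context> <user|role|type|range>
# Splits on the first three colons only: the optional range may itself
# contain a colon (s0-s0:c0.c1023), so it must not be split further.
selinux_ctx_field() {
    ctx=$1
    cuser=${ctx%%:*};  rest=${ctx#*:}
    crole=${rest%%:*}; rest=${rest#*:}
    ctype=${rest%%:*}
    case $rest in
        *:*) crange=${rest#*:} ;;
        *)   crange= ;;          # MCS/MLS range absent
    esac
    case $2 in
        user)  printf '%s\n' "$cuser" ;;
        role)  printf '%s\n' "$crole" ;;
        type)  printf '%s\n' "$ctype" ;;
        range) printf '%s\n' "$crange" ;;
        *)     return 1 ;;
    esac
}

# Constructed "ls -lZ" lines for /var/www/html (RHEL 6 column layout:
# perms owner group context name). test.file was moved in with mv and
# therefore kept its user_tmp_t label.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /var/www/html/test.file
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0-s0:c0.c1023 /var/www/html/notes.txt
'

# selinux_mislabelled <ls -lZ output> <expected type>
# Prints the path of every entry whose type differs from <expected type>;
# these are the candidates for "restorecon -v <path>".
selinux_mislabelled() {
    printf '%s\n' "$1" | while read -r perms owner group ctx path; do
        [ -n "$ctx" ] || continue
        t=$(selinux_ctx_field "$ctx" type)
        [ "$t" = "$2" ] || printf '%s\n' "$path"
    done
}

# Stand-alone run: only /var/www/html/test.file should be reported.
selinux_mislabelled "$SAMPLE_LS_Z" httpd_sys_content_t
```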

VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV

Temporary Changes: chcon
The chcon command changes the SELinux context for files. However, changes made with the chcon command do not survive a file system relabel, or the execution of the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using chcon, users provide all or part of the SELinux context to change.

Run the chcon -t type file-name command to change the file type, where type is a type, such as httpd_sys_content_t, and file-name is a file or directory name.

Run the chcon -R -t type directory-name command to change the type of the directory and its contents, where type is a type, such as httpd_sys_content_t, and directory-name is a directory name.


Changing a File's or Directory's Type

# ls -Z myfile
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 myfile

#  chcon -t samba_share_t myfile
# ls -lZ myfile
-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 myfile

Use the restorecon -v myfile command to restore the default SELinux context of the myfile file.
-v shows the change

# restorecon -v myfile

Changing a Directory and its Contents Types
# mkdir /best
# touch /best/note{1,2,3}
# ls -lZ /best
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 note1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 note2
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 note3

Run the chcon -R -t httpd_sys_content_t /best/ command to change the type of the /best/ directory and its contents.
# chcon -R -t httpd_sys_content_t /best/
# ls -lZ /best
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 note1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 note2
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 note3

To restore the default SELinux contexts:
# restorecon -R -v /best/
restorecon reset /best context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /best/note1 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /best/note2 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /best/note3 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0

VNC and remote desktop

        VNC [Virtual Network Computing]

- VNC stands for Virtual Network Computing
- Package name - tigervnc-server
- Service name - vncserver

---------------------------------------------------------------------

        VNC server

# yum install tigervnc-server -y
# vim /etc/sysconfig/vncservers
          Insert mode
        Shift+G
Uncomment      VNCSERVERS="2:user2 1:user1"            // add users to allow
                :wq
# useradd user1
# useradd user2
# passwd user1
# passwd user2
# su - user1
# vncpasswd        // provide the VNC password
# exit
# su - user2
# vncpasswd        // provide the VNC password
# exit
# service vncserver restart

---------------------------------------------------------------------

        VNC Client

# yum install tigervnc -y
# vncviewer 20.0.0.56:2            // VNC server IP
  Enter VNCpassword

---------------------------------------------------------------------
---------------------------------------------------------------------

        RDC [Remote Desktop Connection]

RDC is similar to RDP in Windows

1.    Goto --> System --> Preferences --> Remote Desktop
2.    (tick) Allow other users to view desktop
3.    (tick) Require the user to enter this password: ___________

Goto, Client PC

# yum install tigervnc -y
# vncviewer 20.0.0.56
  Enter password

Operate running systems

Operate running systems

    Boot, reboot, and shut down a system normally.

Physically power on the system

You can shutdown a system with the following commands

Shutdown Commands
# shutdown -h +<time delay in minutes>    ex: shutdown -h +5 (shuts down the system in 5 min)
# shutdown -h now (shuts down immediately)
# poweroff
# init 0 (switches to runlevel 0, which shuts down the system)
# halt

Reboots Commands
# reboot
# shutdown -r +<time delay in minutes>
# shutdown -r now
# init 6   //switches to runlevel 6 which reboots the system immediately



    Boot systems into different runlevels manually.

1) Boot your system and press any key within the allotted amount of time to get to the “Grub” bootloader screen.
2) Select your boot “OS” and press “a” to edit the boot command
3) Add the number of the runlevel you would like to use at the end of the command to boot to that runlevel
Example:

ro root=/dev/mapper/vg_centosvm-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto rd_LVM_LV=vg_centosvm/lv_swap KEYBOARDTYPE=pc KEYTABLE=us rd_LVM_LV=vg_centosvm/lv_root rd_NO_DM 1

The “1” at the end of the boot string will boot the system to runlevel 1



    Use single-user mode to gain access to a system.

Boot the system to runlevel 1 as shown above to gain super user (root) access in run level 1

Fixing bad superblocks on filesystems

Fixing bad superblocks on filesystems

Occasionally, when a filesystem is mounted during the system boot, the mount will fail because the "superblock" cannot be read. There is an easy fix, but you have to take extreme care.

A. Procedure -- short form

1. determine the filesystems and devices
# df -h

2. Note the list of devices and corresponding filesystems and unmount the one that has a problem.
# umount {/badfilesystem}

3. Determine the superblock information.
#  NOTE: YOU MUST USE THE "-n" OPTION TO AVOID
#        REFORMATTING THE FILESYSTEM!

# mke2fs -F -n {/baddevicename}

Note: Expect about one screen of output

4.  Pick a superblock backup and use that number as input
# e2fsck -b {superblockbackupnumber} {/baddevicename}

Note: Expect some output about Passes 1 - 5; be prepared to answer some questions about blocks or inodes that have problems.

5. Remount the file system
# mount {/badfilesystem}

B. Procedure -- long form with example

1. Determine the filesystems and devices
# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              26G   20G  4.8G  81% /
udev                  4.0G  168K  4.0G   1% /dev
/dev/sda1             388M   38M  331M  11% /boot
/dev/mapper/system-ORA
                      8.4G  131M  7.8G   2% /ora
/dev/mapper/system-ORADATA
                       26G  129M   24G   1% /oradata

2. Unmount the FS that has the issue.
# umount /oradata

3. Determine the superblock information
# dumpe2fs /dev/mapper/system-ORADATA | grep superblock
dumpe2fs 1.38 (30-Jun-2005)
  Primary superblock at 0, Group descriptors at 1-2
  Backup superblock at 32768, Group descriptors at 32769-32770
  Backup superblock at 98304, Group descriptors at 98305-98306
  Backup superblock at 163840, Group descriptors at 163841-163842
  Backup superblock at 229376, Group descriptors at 229377-229378
  Backup superblock at 294912, Group descriptors at 294913-294914
  Backup superblock at 819200, Group descriptors at 819201-819202
  Backup superblock at 884736, Group descriptors at 884737-884738
  Backup superblock at 1605632, Group descriptors at 1605633-1605634
  Backup superblock at 2654208, Group descriptors at 2654209-2654210
  Backup superblock at 4096000, Group descriptors at 4096001-4096002

4. Pick a superblock backup and use that number as input
# e2fsck -b 294912 /dev/mapper/system-ORADATA
e2fsck 1.38 (30-Jun-2005)
/dev/mapper/system-ORADATA: recovering journal
/dev/mapper/system-ORADATA was not cleanly unmounted, check forced.
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information

/dev/mapper/system-ORADATA: ***** FILE SYSTEM WAS MODIFIED *****
/dev/mapper/system-ORADATA: 11/3335808 files (0.0% non-contiguous), 137492/6659072 blocks

5. Remount the file system
# mount /oradata
#

Permission and ACL

Unix file and directory level permissions

There are three main types of permission in Linux/UNIX (excluding SELinux).

chmod - is used to assign permissions to the user (owner), group and others on a file or directory.
ACL - is used to assign an extra level of access for specific users or groups.
Special Permissions
    i.)   Sticky Bit
    ii.)  SGID (Set Group ID, the special group permission)
    iii.) SUID (Set User ID)
-----------------------------------------------------------------------------------------

If you run,
# ls -l

-/---/---/---
   U   G   O

U- Owner Permission
G- Group Permission
O- Other users

_____________________________
        Symbolic  Numeric
_____________________________
read        r    4
write        w    2
execute     x    1
_____________________________
               =7

-----------------------------------------------------------------------------------------
===================================================================
    Maximum Permission of file and directory

Directory -    777   (r=4,w=2,x=1)
File      -    666   (r=4,w=2,x=0)
===================================================================
    Default Permission of file and directory [with ROOT]

Directory -    755  
File      -    644  
===================================================================
    Default Permission of file and directory [with local User]

Directory -    775  
File      -    664  
====================================================================
-----------------------------------------------------------------------------------------

UMASK - the umask is a default value that determines the permissions of newly created directories and files

To view :

# umask

With Root Value = 0022
With local user = 0002

-----------------------------------------------------------------------------------------

* How to calculate default permission in case of Root

1. Directory :

Max Permission    =  777
Umask Value     = 0022
_______________________
                = 755  Default permission of Directory


2. File      :

Max Permission    =  666
Umask Value     = 0022
_______________________
                = 644  Default permission of File

-------------------------------------------------------------------------------------------


* How to calculate default permission in case of Local user

1. Directory :

Max Permission    =  777
Umask Value     = 0002
_______________________
                = 775  Default permission of Directory


2. File      :

Max Permission    =  666
Umask Value     = 0002
_______________________
                = 664  Default permission of File

-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------

            CHMOD  [Change Mode]

1. Symbolic Method

u- owner
g- group
o- Other
r- read
w- write
x- execute
'+'- add
'-'- remove

Example :

# chmod ugo+rwx dir        // This will assign read, write and execute permissions to owner, group and other users

# chmod go+rw dir          // This will assign read and write permissions to group and other users

# chmod o+r dir            // This will assign read permission to other users

# chmod u+rwx,g+rw,o+r dir

To remove :

# chmod ugo-rwx dir

# chmod go-rw dir

# chmod o-r dir

# chmod u-rwx,g-rw,o-r dir


2. Numeric Method

# chmod 744 dir            // Owner = 7 (r=4,w=2,x=1); group = 4 (r=4); other = 4 (r=4)

# chmod 511 dir
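As an added example (not from the original notes), the following Python works through both the UMASK and the CHMOD sections above: it derives the default permissions from a umask the way the kernel does (a bitwise mask, which only looks like the subtraction shown above for masks such as 022 and 002) and applies chmod symbolic and numeric specs. Function names are invented for illustration.

```python
"""Permission arithmetic for umask and chmod (added example, not from the notes).

Assumptions: function names below are invented for illustration; the
behaviour follows the Linux kernel (umask) and chmod(1) symbolic modes.
"""

BASE_DIR = 0o777   # maximum permission for a new directory
BASE_FILE = 0o666  # maximum permission for a new file (no execute bits)


def default_mode(is_dir, umask):
    """Mode a new file or directory gets under the given umask.

    The kernel clears the umask bits with AND-NOT; e.g. umask 027 on a
    file gives 640, which plain subtraction (666 - 027) would get wrong.
    """
    base = BASE_DIR if is_dir else BASE_FILE
    return base & ~umask & 0o777


def mode_to_rwx(mode):
    """Render a numeric mode as the nine-character rwx string of ls -l."""
    out = []
    for shift in (6, 3, 0):            # owner, group, other
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        out.append("x" if bits & 1 else "-")
    return "".join(out)


WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}


def apply_symbolic(mode, spec):
    """Apply a symbolic spec such as 'u+rwx,g+rw,o+r' or 'go-rw' to mode.

    Supports who letters u/g/o (and a = ugo), the operators + - = and the
    permission letters r/w/x. A missing who defaults to 'a' (GNU chmod
    additionally honours the umask in that case; omitted here).
    """
    for clause in spec.split(","):
        i, who = 0, 0
        while i < len(clause) and clause[i] in "ugoa":
            who |= 0o777 if clause[i] == "a" else WHO_BITS[clause[i]]
            i += 1
        if who == 0:
            who = 0o777
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError("bad chmod clause: %r" % clause)
        op = clause[i]
        perms = 0
        for ch in clause[i + 1:]:
            if ch not in PERM_BITS:
                raise ValueError("bad permission letter %r in %r" % (ch, clause))
            perms |= PERM_BITS[ch]
        change = perms & who           # only the selected classes' bits
        if op == "+":
            mode |= change
        elif op == "-":
            mode &= ~change
        else:                          # '=' replaces the selected classes' bits
            mode = (mode & ~who) | change
    return mode & 0o777


def chmod(mode, spec):
    """Apply either a numeric spec ('744') or a symbolic one to mode."""
    if spec.isdigit():
        return int(spec, 8) & 0o777
    return apply_symbolic(mode, spec)


if __name__ == "__main__":
    for umask in (0o022, 0o002, 0o027):
        print("umask %04o: dir %s file %s" % (
            umask, mode_to_rwx(default_mode(True, umask)),
            mode_to_rwx(default_mode(False, umask))))
    print(mode_to_rwx(chmod(0, "u+rwx,g+rw,o+r")))   # rwxrw-r--
```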

-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------

            ACL [Access Control List]

# mkdir /tmp/test
# groupadd sales        // then add the users raj, sumit, hemant and ram to this group
# chgrp sales /tmp/test
OR
# chown :sales /tmp/test
# chmod 777 /tmp/test

Condition 1 : Give read access to sumit user only to /tmp/test

# setfacl -m u:sumit:r-- /tmp/test
To check,
# getfacl /tmp/test

Condition 2 : Give read,write access to all sales group users to /tmp/test

# setfacl -m g:sales:rw- /tmp/test
To check,
# getfacl /tmp/test

Condition 3 : Remove all permissions for all sales group users to /tmp/test

# setfacl -m g:sales:--- /tmp/test
To check,
# getfacl /tmp/test
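As an added example (not from the original notes), the following Python parses getfacl output like the checks above and computes what a user effectively gets, following the POSIX.1e order: owner entry, then a named user entry, then the group class (owning group plus named groups, limited by the mask), then other. It shows that a named user entry wins over group membership, so sumit gets only r-- even though the sales group has rw-. The sample output, user list and function names are constructed for this example.

```python
"""Effective POSIX ACL permissions (added example, not from the notes)."""

# Constructed getfacl output for a directory like /tmp/test after
# setfacl -m u:sumit:r-- and setfacl -m g:sales:rw-. The mask is shown as
# rw- to make its effect visible (setfacl normally recomputes it).
GETFACL_SAMPLE = """\
# file: tmp/test
# owner: root
# group: sales
user::rwx
user:sumit:r--
group::rwx
group:sales:rw-
mask::rw-
other::r-x
"""


def perm_bits(rwx):
    """'rw-' -> 6, using the usual r=4, w=2, x=1 encoding."""
    return (4 if "r" in rwx else 0) | (2 if "w" in rwx else 0) | (1 if "x" in rwx else 0)


def bits_to_rwx(bits):
    """6 -> 'rw-'."""
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def parse_getfacl(text):
    """Turn getfacl output into a dict of ACL entries."""
    acl = {"named_user": {}, "named_group": {}, "mask": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["owning_group"] = line.split(":", 1)[1].strip()
        elif line.startswith("#") or not line:
            continue                      # '# file:' header or blank line
        else:
            # getfacl may append '#effective:r--' after a tab; drop it
            entry = line.split("#", 1)[0].strip()
            tag, qualifier, perms = entry.split(":")
            bits = perm_bits(perms)
            if tag == "user" and qualifier == "":
                acl["user_obj"] = bits
            elif tag == "user":
                acl["named_user"][qualifier] = bits
            elif tag == "group" and qualifier == "":
                acl["group_obj"] = bits
            elif tag == "group":
                acl["named_group"][qualifier] = bits
            elif tag == "mask":
                acl["mask"] = bits
            elif tag == "other":
                acl["other"] = bits
    return acl


def effective_perms(acl, user, groups):
    """Permission bits that 'user' (a member of 'groups') actually gets."""
    mask = 7 if acl["mask"] is None else acl["mask"]   # no mask: no limit
    if user == acl["owner"]:
        return acl["user_obj"]                          # owner is never masked
    if user in acl["named_user"]:
        return acl["named_user"][user] & mask           # wins over group entries
    granted, matched = 0, False
    if acl["owning_group"] in groups:
        granted, matched = granted | (acl["group_obj"] & mask), True
    for name, bits in acl["named_group"].items():
        if name in groups:
            granted, matched = granted | (bits & mask), True
    if matched:
        return granted
    return acl["other"]


def who_can_write(text, users):
    """Users (given as {user: [groups]}) that get write access; handy for an audit."""
    acl = parse_getfacl(text)
    return sorted(u for u, gs in users.items() if effective_perms(acl, u, gs) & 2)


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_SAMPLE)
    for user, groups in (("root", ["root"]), ("sumit", ["sales"]),
                         ("hemant", ["sales"]), ("guest", ["users"])):
        print(user, bits_to_rwx(effective_perms(acl, user, groups)))
```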

-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------

            Special Permissions

1.    Sticky Bit

# chmod 1777 /tmp/test            // Full permission assigned to owner, group and other users, plus the sticky bit

However, other users still cannot delete files in the directory that they do not own

2.    SGID [Set Group ID]

Condition : If you create any file within test, the group should be sales by default  [Sumit is already in sales group]

# chmod 2777 /tmp/test
OR
# chmod g+s /tmp/test

3.    SUID [Set User ID]

# chmod 4777 /tmp/test

-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------

System recovery techniques

            System Recovery Techniques

How to check running and stop services at run level :

# cd /etc/rc5.d        // To check at run level 5
# ls -ltr

Output :
K01......
K02......
K03......
.........
.........
.........
.........
S01......
S02......
.........
.........
K = Kill, service will be stopped on the current run level
S = Start, service will start on the current run level

--------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------

Condition 1 : /etc/fstab is corrupted, how to recover

Entry of /boot file system is corrupted in /etc/fstab file

1.    Insert the Rescue disk
2.    continue
3.    ok
4.    Shell start --- Enter
5.    # chroot /mnt/sysimage
6.    # mount -o remount,rw /        [remount '/' read-write]
7.     exit
8.    exit
9.    reboot

Condition 2 : To Recover /etc/passwd


1.    Insert the Rescue disk
2.    continue
3.    ok
4.    Shell start --- Enter
5.    # chroot /mnt/sysimage
6.    # cd /etc
7.    # ls                [to view the 'passwd-' backup file]
8.    # cp -p passwd- /etc/passwd    [-p = preserve permissions and ownership]
9.     exit
10.    exit
11.    reboot

--------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------

NFS - General information

Network File System

1 NFS stands for Network File System
2 It is used for sharing files over the network
3 It works on TCP/IP port no. 2049
4 It is available in 3 versions : NFS v2, v3 and v4


** Package required to be installed : nfs-utils
** Shares are defined in : /etc/exports

----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------

Steps :     Server side

1 # yum install nfs-utils -y
2 # mkdir /sumit
3 # cd /sumit
4 # touch a b c d e
5 # vim /etc/exports
    Insert mode
    /sumit        192.168.0.0/24(rw,sync)    // to share for the 192.168.0.0/24 IP range only
    /sumit        *(rw,sync)                 // to share for all
    Esc and :wq
6 # service nfs restart
7 # chkconfig nfs on
8 # exportfs
    OR
  # exportfs -v
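As an added example (not from the original notes), the following Python parses /etc/exports lines in the format shown above and flags the entries a defender would review: exports open to any host, world-writable exports, and no_root_squash. It also handles the classic mistake of a space before the option list, which exports(5) reads as a second client "*" carrying those options. The sample lines and function names are constructed.

```python
"""/etc/exports audit (added example, not from the notes)."""

# Constructed sample. The last line has the stray-space mistake: exports(5)
# reads it as '192.168.0.0/24' with default options plus '*' with (rw,sync).
EXPORTS_SAMPLE = """\
# share for the 192.168.0.0/24 range only
/sumit        192.168.0.0/24(rw,sync)
# share for everyone
/sumit        *(rw,sync)
/srv/backup   backup1.example.com(ro,sync,no_root_squash)
/home         192.168.0.0/24 (rw,sync)
"""


def parse_exports(text):
    """Return a list of (path, client, options-set) for each export clause."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for tok in rest.split():
            if tok.startswith("("):
                # option list with no client in front of it applies to '*'
                client, opts = "*", tok[1:].rstrip(")")
            elif "(" in tok:
                client, opts = tok.split("(", 1)
                opts = opts.rstrip(")")
            else:
                client, opts = tok, ""             # defaults (read-only)
            options = {o.strip() for o in opts.split(",") if o.strip()}
            entries.append((path, client, options))
    return entries


def audit_exports(entries):
    """Return (path, client, finding) tuples for exports worth reviewing."""
    findings = []
    for path, client, opts in entries:
        if client == "*":
            findings.append((path, client, "any-host"))
            if "rw" in opts:
                findings.append((path, client, "world-writable"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(parse_exports(EXPORTS_SAMPLE)):
        print("%-12s %-22s %s" % (path, client, finding))
```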

----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------

Steps :     Client side

On the client, the NFS share must be mounted, which can be done in any of the following ways:

A.)    Temporary Mounting

# mount 192.168.0.40:/sumit /mnt
# cd /mnt
# ls -l

B.)    Permanent Mounting

# vim /etc/fstab
  Insert mode
  192.168.0.40:/sumit    /nfs    nfs    defaults  0 0
  :wq
# mount -a

C.)     On Demand Mounting    [Auto Mount whenever user logins]

** Package name is required : autofs

# yum install autofs -y
# vim /etc/auto.master
  Shift+G            // to goto last line
  Insert mode
  /    /etc/auto.nfs
  :wq
# vim /etc/auto.nfs
  Insert mode
  *    -rw    192.168.0.40:/&            // *= what to mount, &=for all
  :wq
# service autofs stop
# service autofs start

----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------

        To view the Share available

# showmount -e 192.168.0.40        // IP address of NFS server

----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------

        To check NFS Share on NFS Client

# cd /net/192.168.0.40/        [use tab to view]


----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------

Introduction to mail

        Mail Server

Mail server components :

i.) MTA - Mail Transfer Agent
- It is used to relay mail from point to point until it is delivered
- It works on port no. 25
- It uses SMTP

ii.) MDA - Mail Delivery Agent
- It delivers mail to the recipient's local message store
- By default, it is /var/spool/mail/user

iii.) MUA - Mail User Agent
- It is used to send and receive email from the client side

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

        Mail server

# yum install postfix -y
# vim /etc/postfix/main.cf
line no        73  myhostname = your hostname
line no        83  mydomain = your domain name
uncomment      99  myorigin
uncomment      113 inet_interfaces = all
comment        116 inet_interfaces = localhost
uncomment      165
line no        264 mynetworks = 192.168.10.0/255.255.255.0, 127.0.0.1/255.0.0.0
         :wq
# service postfix restart
# chkconfig postfix on

---------------------------------------------------------------------------------

        Mail Forwarding

# vim /etc/aliases
  Goto last line
  root: username
  :wq
# newaliases

---------------------------------------------------------------------------------

        How to send email

# mail user@hostname
   OR
# mail root@sama.expanor.local
  Subject:
  Body of mail
  . then Enter        // a line containing only a dot sends the email

---------------------------------------------------------------------------------

        To read the mailbox (mail client)

# yum install mutt -y
# mutt

---------------------------------------------------------------------------------

        To view email

# cd /var/spool/mail

---------------------------------------------------------------------------------
---------------------------------------------------------------------------------

Boot Process on Redhat

            Boot Process in RHEL LINUX

1 POST (Power On Self Test) is run - it checks the hardware devices that are physically connected

2 MBR(Master Boot Record) - i.) Loads Boot Loader
               ii.) Read Grub information
              iii.) Stage 1 - checks for OS installation through CD/DVD
               iv.) Stage 2 - checks for the /boot partition, the vmlinuz (kernel) file and initramfs
                initramfs = an image which loads basic device drivers into the kernel

3 Kernel Initialization - initiates files
               i.) /etc/rc.d/rc.sysinit
              ii.) /etc/fstab     - File system is checked,if corrupted or not
             iii.) /etc/hosts     - looks for hostname
              iv.) /etc/resolv.conf - DNS configured or not
               v.) /etc/sysconfig/network-scripts/ifcfg-eth0 - checks for IP information
               vi.) /etc/sysconfig/network
             vii.) /etc/inittab     - to check runlevel

4 Run Level        - /etc/rc.d/rc0.d
            - /etc/rc.d/rc1.d
            - /etc/rc.d/rc2.d
            - ---------------
            - /etc/rc.d/rc6.d

5 Service Startup Phase - /etc/init.d    - All the services are checked, started etc.

6 Run Customized Scripts- /etc/rc.local

7 Terminal Startup    - /etc/init/tty.conf    - It will look for Virtual Terminal [ALT+CTRL+F1.....F7]

8 Login            - /etc/passwd
              /etc/shadow

ISCSI set up

 ISCSI

- iSCSI stands for Internet Small Computer System Interface
- It is used for accessing a raw partition over the network
- We take space from the SAN, then partition it and create a filesystem on it
- Works on port no. 3260
- Package name - iscsi-initiator-utils  [client]
- Service name - iscsid

iSCSI initiator        - A client that needs access to SAN storage
iSCSI target           - A remote disk presented by the iSCSI server (target portal)
iSCSI target portal    - A server that provides targets over the network to initiators
IQN                    - iSCSI Qualified Name

--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------

        iSCSI Server

# yum install scsi-target-utils -y
# fdisk /dev/sda
  Create a partition          // e.g. /dev/sda4
# partx -a /dev/sda
# vim /etc/tgt/targets.conf
  Copy/Paste lines 31,32,33 + (Shift+G) + Paste
uncomment  <target iqn.2012-09.com.example:disk1>       // IQN of the target (disk1 is an example name)
uncomment      backing-store /dev/sda4                  // partition number; an LVM path also works
           </target>
           :wq
# service tgtd start
# chkconfig tgtd on
# tgt-admin --show

------------------------------------------------------------------------------------

        ISCSI Client

# yum install iscsi-initiator-utils -y
# man iscsiadm        [to see the sample commands]
# iscsiadm --mode discoverydb --type sendtargets --portal 192.168.0.20 --discover    // the IQN (iSCSI qualified name) will be found
# iscsiadm --mode node --targetname <paste IQN> --portal 192.168.0.20 --login        // to login
# cat /var/log/messages                                // Attached SCSI disk
# dmesg                                                // shows the attached SCSI disk
# fdisk /dev/sdb                                       // dmesg will show sdX
# mkfs.ext4 /dev/sdb1                                  // format the new partition
# vim /etc/fstab
  UUID=<uuid of the new partition>    /scsi   ext4   _netdev   0 0
  :wq
# mount -a
# iscsiadm --mode node --targetname <paste IQN> --portal 192.168.0.20 --logout       // to logout
# chkconfig iscsi on

After a reboot of the machine, a lost+found folder will exist under /scsi (then successful)

--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------

How to install/setup vsftpd and run it as inetd service.


How to install/setup vsftpd and run it as inetd service.

1. Install vsftpd
# yum install vsftpd
2. Modify /etc/vsftpd/vsftpd.conf so that its uncommented lines read as follows.
# grep -v '^#' /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_std_format=NO
ascii_upload_enable=YES
ascii_download_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
log_ftp_protocol=YES
Note: “listen=YES” is commented out as follow,
#listen=YES
3. Check the status of vsftpd process.
# chkconfig --list | grep vsftpd
4. It should be off; if not, turn it off so that it can run as an xinetd-based service.
Disable the standalone vsftpd service.
# chkconfig vsftpd off
5. Create a file vsftpd under /etc/xinetd.d with the following content.
# vi vsftpd
service ftp
{
        socket_type             = stream
        protocol                = tcp
        wait                    = no
        user                    = root
        server                  = /usr/sbin/vsftpd
#       server_args             =
#       log_on_success          += DURATION USERID
#       log_on_failure          += USERID
#       nice                    = 10
        disable                 = no
}
:wq!
# ls -l vsftpd
-rw-r--r-- 1 root root 423 Apr 02 09:45 vsftpd

# cd /etc/xinetd.d/
# ls -l vsftpd
-rw-r--r-- 1 root root 427 Aug  6 15:32 vsftpd

6. Restart the xinetd service
# /etc/init.d/xinetd restart [or stop/start]

7. Re-verify that vsftpd is not automatically starting up on reboot.
# chkconfig --list | grep vsftpd
vsftpd 0:off   1:off   2:off   3:off   4:off   5:off   6:off
        vsftpd:         on
8. Verify the content of the file /etc/pam.d/vsftpd
# cat /etc/pam.d/vsftpd

Note: Make sure the /etc/pam.d/vsftpd file exists with the following contents
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
9. Test your ftp connection from your PC to the server with your id.
Note: You can use pftp or wsftp or winscp to test the connection.

LVM: how to make a snapshot of root logical volume and rollback it

RHEL6 introduces new features in LVM. One of them is snapshots.
For this test I made a snapshot of the root logical volume, deleted the /etc directory and restored it from the snapshot. All worked!
[root@localhost ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/rootvg-rootvol
                       23G  3.1G   18G  15% /
tmpfs                 498M     0  498M   0% /dev/shm
/dev/sda1             485M   33M  427M   8% /boot
[root@localhost ~]# vgs
VG     #PV #LV #SN Attr   VSize  VFree
rootvg   1   2   0 wz--n- 24.51g    0
I saw no free space on rootvg, so I added a new disk.
[root@localhost ~]# sfdisk -l /dev/sdb
Disk /dev/sdb: 652 cylinders, 255 heads, 63 sectors/track
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0
Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sdb1          0+    651     652-   5237158+  8e  Linux LVM
/dev/sdb2          0       -       0          0    0  Empty
/dev/sdb3          0       -       0          0    0  Empty
/dev/sdb4          0       -       0          0    0  Empty
[root@localhost ~]# pvcreate /dev/sdb1
Writing physical volume data to disk "/dev/sdb1"
Physical volume "/dev/sdb1" successfully created

[root@localhost ~]# vgextend rootvg /dev/sdb1
Volume group "rootvg" successfully extended

[root@localhost ~]# vgs
VG     #PV #LV #SN Attr   VSize  VFree
rootvg   2   2   0 wz--n- 29.50g 4.99g

Nice. After that I made a snapshot using all the free space in the VG.

[root@localhost ~]# lvcreate -l 100%FREE --snapshot --name rootsnap /dev/rootvg/rootvol
Logical volume "rootsnap" created
[root@localhost ~]# lvs
LV       VG     Attr     LSize  Pool Origin  Data%  Move Log Copy%  Convert
rootsnap rootvg swi-a-s-  4.99g      rootvol   0.00
rootvol  rootvg owi-aos- 22.46g
swapvol  rootvg -wi-ao--  2.05g
The 's' attribute told me that rootsnap is a snapshot!
[root@localhost ~]# lvdisplay /dev/rootvg/rootvol
--- Logical volume ---
LV Path                /dev/rootvg/rootvol
LV Name                rootvol
VG Name                rootvg
LV UUID                MgWa8V-yUnK-hqC0-Kv6X-strT-eccc-Kiwt8S
LV Write Access        read/write
LV Creation host, time localhost.localdomain, 2013-01-29 19:04:19 +0100
LV snapshot status     source of
rootsnap [active]

LV Status              available
# open                 1
LV Size                22.46 GiB
Current LE             5750
Segments               1
Allocation             inherit
Read ahead sectors     auto
- currently set to     256
Block device           253:1
First test I did:
[root@localhost ~]# dd if=/dev/zero of=test.img bs=1024k count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 80.6583 s, 13.0 MB/s
THE SPACE ON THE SNAPSHOT MUST BE CHECKED !!!
[root@localhost ~]# lvs
LV       VG     Attr     LSize  Pool Origin  Data%  Move Log Copy%  Convert
rootsnap rootvg swi-a-s-  4.99g      rootvol  18.21
rootvol  rootvg owi-aos- 22.46g
swapvol  rootvg -wi-ao--  2.05g
[root@localhost ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/rootvg-rootvol
23G  4.2G   17G  20% /
tmpfs                 498M     0  498M   0% /dev/shm
/dev/sda1             485M   33M  427M   8% /boot
Then I erased the /etc directory!
[root@localhost ~]# rm -rf /etc
[root@localhost ~]# cd /etc
-bash: cd: /etc: No such file or directory
[root@localhost ~]# df -h
df: cannot read table of mounted file systems: No such file or directory
I did a reboot and as expected the system was not able to boot up.
So, I used rescue mode from the CD and ran on the shell:
lvconvert --merge rootvg/rootsnap
At next boot the system came up without any problem/warning!
[root@localhost ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/rootvg-rootvol
23G  3.1G   18G  15% /
tmpfs                 498M     0  498M   0% /dev/shm
/dev/sda1             485M   33M  427M   8% /boot
[root@localhost ~]# cd /root
[root@localhost ~]# ls
anaconda-ks.cfg  install.log  install.log.syslog
( The 1 gb file does not exist anymore )
[root@localhost ~]# lvs
LV      VG     Attr     LSize  Pool Origin Data%  Move Log Copy%  Convert
rootvol rootvg -wi-ao-- 22.46g
swapvol rootvg -wi-ao--  2.05g
( the snapshot is not present )
With this I saw that the system was rolled back successfully.
So I will use this method on RHEL6 for rolling back after patching!

Source: Redhat

Cache only DNS server

        DNS [Domain Name System] - Caching only

- DNS is used for IP to host and host to IP resolution
- It works on TCP/IP port no. 53
- Package name         - bind          [Berkeley Internet Name Domain]
- Service name         - named
- Configuration files  -
    - /etc/named.conf
    - /etc/named.rfc1912.zones
    - /var/named/named.loopback
    - /var/named/named.localhost


        Types of DNS server

a.)    Master            [Primary in Windows]
b.)    Slave            [Secondary in Windows]
c.)    Caching only        [Forwarder in Windows]

Forward Lookup Zone  :- Name to IP resolution
Reverse Lookup Zone  :- IP to Name resolution

Recursive Query :  When the DNS query is resolved using forwarder

==================================================
A caching DNS server stores locally the answers to all successful queries it forwarded to another DNS server
==================================================

        How to Configure

1.    Set up the IP address, gateway and DNS (its own IP address) manually
2.    Enter the DNS server's IP in your local LAN environment [on the clients]

Server side :

# yum install bind -y
# vim /etc/named.conf
  listen-on port 53 { any; };                      // 10-11th line
  allow-query     { localhost; any; };
  recursion yes;
  forwarders { <main DNS server IP>; };            OR   // e.g. the IP address provided by Airtel broadband
  forwarders { <main DNS server IP>; 8.8.8.8; };   // 8.8.8.8 = Google public DNS
  :wq
# service named restart
# chkconfig named on
# rndc dumpdb                    // to create the caching database


To View Database :
# cd /var/named/data

File name :- cache_dump.db 
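As an added example (not from the original notes), the following Python extracts the options that matter for a caching-only named.conf like the one above and decides whether the result is an open resolver, i.e. a server that recurses for any client on the Internet, which is what "allow-query { localhost; any; }; recursion yes;" produces. A second constructed block shows the same server limited to the local LAN. The samples, the 192.0.2.1 placeholder and the function names are constructed.

```python
"""Caching-only named.conf open-resolver check (added example, not from the notes)."""
import re

# Constructed: the kind of options block the notes above describe.
NAMED_CONF_OPEN = """\
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { localhost; any; };    // anyone may query
        recursion yes;
        forwarders { 192.0.2.1; 8.8.8.8; };     # ISP resolver, Google
};
"""

# Constructed: the same server restricted to localhost and the LAN.
NAMED_CONF_LAN = """\
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { localhost; 192.168.0.0/24; };
        allow-recursion { localhost; 192.168.0.0/24; };
        recursion yes;
        forwarders { 192.0.2.1; 8.8.8.8; };
};
"""

# name { a; b; };  with an optional 'port NN' before the brace (listen-on)
BLOCK_RE = re.compile(r"\b([a-z0-9-]+)\s*(?:port\s+\d+\s*)?\{([^{}]*)\}\s*;")
FLAG_RE = re.compile(r"\b(recursion)\s+(yes|no)\s*;")


def strip_comments(text):
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(l.split("//", 1)[0].split("#", 1)[0] for l in text.splitlines())


def parse_options(text):
    """Map option names to their address lists (or 'yes'/'no' for recursion)."""
    opts = {}
    clean = strip_comments(text)
    for m in BLOCK_RE.finditer(clean):
        opts[m.group(1)] = [t.strip() for t in m.group(2).split(";") if t.strip()]
    for m in FLAG_RE.finditer(clean):
        opts[m.group(1)] = m.group(2)
    return opts


def is_open_resolver(opts):
    """True when the server will recurse for 'any' client.

    Defaults follow the BIND 9 documentation: recursion is yes unless set,
    and allow-recursion falls back to allow-query-cache, then allow-query,
    then 'localnets; localhost'.
    """
    if opts.get("recursion", "yes") != "yes":
        return False
    acl = (opts.get("allow-recursion") or opts.get("allow-query-cache")
           or opts.get("allow-query") or ["localnets", "localhost"])
    return "any" in acl


if __name__ == "__main__":
    for label, conf in (("open", NAMED_CONF_OPEN), ("lan", NAMED_CONF_LAN)):
        o = parse_options(conf)
        print(label, "open resolver:", is_open_resolver(o), "forwarders:", o["forwarders"])
```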

----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------


Wednesday, April 23, 2014

Some special characters pronunciation

Some special characters pronunciation
Character  Pronunciation
!   bang, exclamation, shriek
*   star, asterisk, splat
$   dollar
@   at
%   percent
#  hash, pound, sharp
&   ampersand, amper
"   quote, double-quote
'   single-quote, tick, apostrophe
(  paren open
)  paren close
( )   open/close bracket, parentheses
<   less than
>   greater than
-   dash, hyphen, minus, tack
.   dot, period
,   comma, twitch
/   slash, forward-slash
\   backslash, slosh
:   colon, two dots
;   semi-colon, semi
=   equals
?   question-mark
^   caret (pron. carrot), hat
_   underscore, underbar
[   square left bracket
]  square right bracket
[ ]   open/close square bracket
{  curly, embrace, brace
}  curly, unbrace
{ }   open/close curly brackets, open/close brace
|   pipe, or vertical bar, bar
~   tilde (pron. “til-duh”), twiddle
`   backtick
+  plus

||  Double pipe
&&  double ampersand
#!  sh-bang (hash/bang)
/*  slashterix
*/  asterslash

&amp;  amper-amp  (the HTML and XML code for space)

Tuesday, April 22, 2014

Unable to remove the package on redhat scriptlet failed error..


Unable to remove the package,
error: scriptlet failed, exit status 1

[root@samserv02 ~]# rpm -e CAeAC-1262-2.0.633.x86_64
ERROR: /opt/CA/eTrustAccessControl/lbin/uninstall_AC not found.
Uninstall of CAeAC is not complete.
error: %preun(CAeAC-1262-2.0.633.x86_64) scriptlet failed, exit status 1
[root@samserv02 ~]# rpm -e --noscripts CAeAC-1262-2.0.633.x86_64
[root@samserv02 ~]# rpm -qa | grep -i CAeAC
[root@samserv02 ~]# rpm -qa |grep -i ca-lic
ca-lic-01.90.04-00.x86_64
[root@samserv02 ~]# rpm -e ca-lic-01.90.04-00.x86_64
[root@samserv02 ~]# rpm -qa | egrep -i "CAeAC|ca-lic"
[root@samserv02 ~]#



[root@samserv02 ~]# yum search CAeAC
Loaded plugins: product-id, refresh-packagekit, rhnplugin, security, subscription-manager
====================================== N/S Matched: CAeAC =======================================
CAeAC.x86_64 : CA ControlMinder Solution
  Name and summary matches only, use "search all" for everything.

Attempting the removal through yum fails the same way, since yum runs the same %preun scriptlet:

Running Transaction
Error in PREUN scriptlet in rpm package CAeAC
CAeAC-1262-2.0.633.x86_64 was supposed to be removed but is not!
  Verifying  : CAeAC-1262-2.0.633.x86_64                                                                                          1/1
Failed:
  CAeAC.x86_64 0:1262-2.0.633
Complete!
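Before falling back to --noscripts it pays to know what the failing scriptlet would have done, and after the removal which of the paths it referenced are still on disk. The script below is an added example, not from the original post: it extracts the absolute paths mentioned in rpm -q --scripts output and reports the ones that still exist. The sample scriptlet text used here is constructed from the %preun error shown above; the live audit needs nothing beyond grep, sed and rpm itself.

```shell
#!/bin/sh
# Audit a package's scriptlets before bypassing them with "rpm -e --noscripts",
# and list what they referenced that is still present afterwards.
# Added example, not from the original post.
# Usage: sh scriptlet_audit.sh PKG
#    or: rpm -q --scripts PKG | scriptlet_paths | existing_paths

# Print every absolute path mentioned in scriptlet text read from stdin, once each.
scriptlet_paths() {
    grep -oE '/[A-Za-z0-9_./-]+' | sed 's/[.]*$//' | sort -u
}

# Read paths on stdin and print those that exist under root $1 (default: /).
# After "rpm -e --noscripts" these are the leftovers %preun/%postun never removed.
existing_paths() {
    root="${1-}"
    while IFS= read -r p; do
        [ -e "$root$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Full audit of an installed package: show the scriptlets, then the referenced
# paths that exist right now (run it again after the removal for the leftovers).
scriptlet_audit() {
    pkg="$1"
    tmp=$(mktemp) || return 1
    rpm -q --scripts "$pkg" >"$tmp" || { rm -f "$tmp"; return 1; }
    echo "== scriptlets of $pkg =="
    cat "$tmp"
    echo "== referenced paths present on this host =="
    scriptlet_paths <"$tmp" | existing_paths
    rm -f "$tmp"
}

case "${1-}" in
    "") ;;
    *) scriptlet_audit "$1" ;;
esac
```

Run it once before rpm -e --noscripts to see what the %preun expected to call, and once after: every path still listed is cleanup the scriptlet would have done for you.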

Wednesday, April 16, 2014

Some characters

^  = (circumflex or caret)
~ = (tilde)

System monitoring with AIDE, SAR and Wireshark


System monitoring techniques :

1.    AIDE [Advanced Intrusion Detection Environment]   - file integrity
2.    SAR  [System Activity Reporter]                   - resource usage
3.    Wireshark                                         - network capture

AIDE
  • AIDE stands for Advanced Intrusion Detection Environment
  • Package name:- aide
  • Configuration file:- /etc/aide.conf
Installation:
# yum install aide -y
# vim /etc/aide.conf
  The stock file lists every path AIDE should watch (/boot, /bin, /sbin, ... each with a rule such as NORMAL). Comment out the entries you do not want checked and add the directory you do:
  # /boot   NORMAL
  # .............
  # .............
  # .............
  (the lines above are commented out because we do not want to monitor them)
  /test       NORMAL                        // monitor /test in this example
  :wq

# mkdir /test
# cd /test
# touch a b c d
# aide --init                            // Create the database (snapshot of /test as it is now); written to /var/lib/aide/aide.db.new.gz
# zcat /var/lib/aide/aide.db.new.gz                // To view the database
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz    // aide --check compares against aide.db.gz, so rename the snapshot before making changes

Now, Make changes to the file or directory within /test
Add, remove or delete etc

# aide --check                            // Compares the live files with aide.db.gz and lists what was added, removed or changed
# aide --init                             // Only once the changes are accepted: creates /var/lib/aide/aide.db.new.gz again; rename it over aide.db.gz as above to make it the new baseline
Note: an intruder with root can simply regenerate the database, so keep a copy of aide.db.gz (and of the aide binary) on read-only or offline media and run the check against that copy.
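The same init / check / accept cycle, scripted against a private config so it can be rehearsed on a scratch directory before touching /etc/aide.conf or /var/lib/aide. This is an added example, not the page's own commands: AIDE_HOME, the NORMAL rule and the watched directory are assumptions for the demo, the exit-status bits are those documented in the aide man page, and the key-name switch covers AIDE 0.17's rename of the input-database option from database to database_in.

```shell
#!/bin/sh
# AIDE baseline / check / accept cycle driven from a private config, so the
# workflow can be rehearsed on a scratch directory without touching
# /etc/aide.conf or /var/lib/aide. Added example, not from the original notes;
# AIDE_HOME, the rule name NORMAL and the watched directory are assumptions.

AIDE_HOME="${AIDE_HOME:-$(mktemp -d)}"
CONF="$AIDE_HOME/aide.conf"
DB="$AIDE_HOME/aide.db"          # reference database: what --check compares against
DB_NEW="$AIDE_HOME/aide.db.new"  # what --init and --update write

# AIDE 0.17 renamed the input-database option from "database" to "database_in";
# pick the spelling the installed build expects.
db_in_key() {
    v=$(aide --version 2>/dev/null | sed -n '1s/^[Aa]ide \([0-9]*\.[0-9]*\).*/\1/p')
    case "$v" in
        0.[0-9]|0.1[0-6]) echo database ;;
        *) echo database_in ;;
    esac
}

# Write a minimal config that watches only the directory given as $1.
aide_config() {
    cat >"$CONF" <<EOF
$(db_in_key)=file:$DB
database_out=file:$DB_NEW
gzip_dbout=no
# permissions, inode, link count, owner, group, size, mtime, ctime, sha256
NORMAL = p+i+n+u+g+s+m+c+sha256
$1 NORMAL
EOF
}

# Snapshot the tree and promote the snapshot to the reference database.
aide_baseline() {
    aide -c "$CONF" --init >"$AIDE_HOME/init.log" 2>&1 || return 1
    mv "$DB_NEW" "$DB"
}

# Compare the live tree with the reference. Returns AIDE's own exit status:
# 0 no change; bit 1 added, bit 2 removed, bit 4 changed; 14 and above mean
# an error (config, I/O, ...). The report is left in $AIDE_HOME/report.txt.
aide_check() {
    aide -c "$CONF" --check >"$AIDE_HOME/report.txt" 2>&1
}

# Accept the current state as the new reference: what the notes do by running
# --init a second time and renaming the file. --update writes aide.db.new while
# reporting the differences, so a non-zero status below 14 is expected here.
aide_accept() {
    rc=0
    aide -c "$CONF" --update >"$AIDE_HOME/report.txt" 2>&1 || rc=$?
    [ "$rc" -lt 14 ] || return "$rc"
    mv "$DB_NEW" "$DB"
}

# Rehearsal on a throwaway directory: change, remove and add a file, then
# show what --check reports before accepting the new state.
demo() {
    watch=$(mktemp -d)
    touch "$watch/a" "$watch/b" "$watch/c"
    aide_config "$watch"
    aide_baseline || { echo "aide --init failed, see $AIDE_HOME/init.log" >&2; return 1; }
    echo "tampered" >"$watch/a"; rm "$watch/b"; touch "$watch/d"
    aide_check; rc=$?
    echo "aide --check exit status $rc (1=added 2=removed 4=changed)"
    grep -E '^(Added|Removed|Changed)' "$AIDE_HOME/report.txt" || :
    aide_accept && aide_check && echo "new baseline accepted, tree is clean again"
}

case "${1-}" in demo) demo ;; esac
```

Run it as sh aide_cycle.sh demo. The exit status is what a cron job or monitoring check should key on: anything from 1 to 7 is a finding, 14 or more is a broken run, not a clean one. In production, point database= at the read-only copy mentioned above rather than at the writable file in /var/lib/aide.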

SAR:- System Activity Reporter
Package name: sysstat

Install:
# yum install sysstat -y

# sar -A            // Report all collected activity (CPU, memory, swap, disk, network) for today from /var/log/sa; the sysstat cron job must have run at least once to have data
# sar 2 6            // Live CPU report: sample every 2 seconds, 6 times

Network Monitoring

Wireshark is used for network capture and protocol analysis

# yum install wireshark-gnome -y
# wireshark
Note: do not run the GUI as root. Wireshark's protocol dissectors parse untrusted packets, so run it as a normal user and capture either with dumpcap (given cap_net_raw, so it needs no root) or with tcpdump -w file, then open the capture file in Wireshark.