~~~~~ Warning !!! Content posted here is gained through real-world experience, or some of it may come from training or other Internet sources. Reading this blog may confuse you or may increase your understanding of the UNIX/Linux operating system and its components. It might help you land a real job or may get you fired from your real job. So, use at your own risk !!! No left or right reserved !!! -Kamal ~~~~~
Friday, April 25, 2014
Install package without dependencies
[root@my32GB Packages]# rpm -ivh http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/mozilla-vlc-1.1.13-1.el6.rf.x86_64.rpm --nodeps --force
Luks and GPG setup
LUKS [Linux Unified Key Setup]
- LUKS (Linux Unified Key Setup) is used to encrypt a disk partition
Steps :
1. Create an empty partition
# dd if=/dev/urandom of=/dev/sdaX
Note: This fills /dev/sdaX with random (garbage) data; anything previously on it is overwritten
2. Format the partition with LUKS encryption
# cryptsetup luksFormat /dev/sdaX
Warning : type YES (in capitals) to confirm
Enter LUKS password : redhat
3. Open the partition under a mapper name, using the same password.
# cryptsetup luksOpen /dev/sdaX secret
Note: secret = any name you choose; enter the same password as above when prompted.
4. Format the mapped device with the ext4 filesystem.
# mkfs.ext4 /dev/mapper/secret
5. Add an entry to /etc/crypttab so the device is unlocked at boot,
# vi /etc/crypttab
secret /dev/sdaX none
:wq
6. Add an fstab entry so the mount survives a reboot.
# vi /etc/fstab
Insert mode
/dev/mapper/secret /mnt ext4 defaults 0 0
:wq
7. Mount the FS.
# mount -a
Now, reboot your machine.
You will always be prompted for the LUKS password at boot.
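Step 5 and step 6 only work together when the mapper name in /etc/crypttab matches the /dev/mapper/ name in /etc/fstab. The script below is an added example, not part of the original notes: it cross-checks the two files against constructed samples (one of which repeats the "scret"/"secret" slip) so the mismatch is found while the system is still up.

```shell
#!/bin/sh
# Added example, not part of the original notes: cross-check /etc/crypttab against
# /etc/fstab before rebooting, so a mapper-name typo is caught while the system is
# still up. Both files are constructed samples here; on a host call
#   check_crypt_mounts /etc/crypttab /etc/fstab

WORK=$(mktemp -d)

# Constructed crypttab: "<mapper name> <device> <keyfile|none> [options]"
cat >"$WORK/crypttab" <<'EOF'
# name    device      keyfile
secret    /dev/sdaX   none
EOF

# Constructed fstab: first entry is right, second misspells the mapper name,
# third is an ordinary (unencrypted) mount that must be ignored.
cat >"$WORK/fstab" <<'EOF'
/dev/mapper/secret   /mnt       ext4   defaults   0 0
/dev/mapper/scret    /mnt/bad   ext4   defaults   0 0
/dev/sda1            /boot      ext4   defaults   1 2
EOF

# crypttab_names FILE -> mapper names that will be created at boot, one per line
crypttab_names() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# fstab_mapper_names FILE -> names of the /dev/mapper/* devices fstab mounts, one per line
fstab_mapper_names() {
    awk '!/^[[:space:]]*(#|$)/ && $1 ~ /^\/dev\/mapper\// {
             sub("^/dev/mapper/", "", $1); print $1 }' "$1"
}

# check_crypt_mounts CRYPTTAB FSTAB
# Prints one line for every fstab mapper device that has no crypttab entry.
# Returns 0 when every encrypted mount can be unlocked at boot, 1 otherwise.
check_crypt_mounts() {
    crypttab=$1; fstab=$2; rc=0
    for name in $(fstab_mapper_names "$fstab"); do
        if crypttab_names "$crypttab" | grep -qx -- "$name"; then
            continue
        fi
        echo "fstab mounts /dev/mapper/$name but crypttab has no entry named '$name'"
        rc=1
    done
    return $rc
}

check_crypt_mounts "$WORK/crypttab" "$WORK/fstab" || echo "fix /etc/crypttab before rebooting"
```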
--------------------------------------------------------------------------
GPG [GNU Privacy Guard]
- GPG stands for GNU Privacy Guard
- It is used to encrypt a data file, which can then be sent over the wire securely.
- A wrong password used to decrypt the data, even once, will corrupt it.
To Encrypt :
# cat >mylok
# gpg -c mylok // -c = symmetric encryption with a passphrase
Enter password
To Decrypt :
# gpg mylok.gpg
Note: mylok and mylok.gpg are now 2 different files
To Encrypt [ASCII armored]
# gpg -c -a mylok // mylok.asc file created
Enter password
------------------------------------------------------------------------
Install, set up ssh
SSH
- SSH allows you to connect to a remote host
- provides user (password) and key based authentication
- package name - openssh-server
- service name - sshd
- Configuration file - /etc/ssh/sshd_config
--------------------------------------------------------------------
ssh Server
# yum install openssh-server -y
# vim /etc/ssh/sshd_config
Insert mode
Shift+G
Press 'o' for new line
AllowUsers tom // Allow/deny users; if neither directive is set,
DenyUsers harry // all users are allowed by default
:wq
# service sshd restart
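Before restarting sshd it is worth confirming who the AllowUsers / DenyUsers lines will actually let in. The script below is an added example, not part of the original notes: it applies sshd's evaluation order (DenyUsers first, then AllowUsers, default allow when neither is set) to a constructed sshd_config; the group directives, which sshd checks afterwards, are assumed not to be in use.

```shell
#!/bin/sh
# Added example, not part of the original notes: evaluate the AllowUsers / DenyUsers
# lines from a constructed sshd_config the way sshd does, so you can confirm who keeps
# access before running "service sshd restart". Assumption: only the user directives
# are in use (DenyGroups / AllowGroups, which sshd checks after these, are not modelled).
# Patterns may contain * and ? as in sshd_config(5).
set -f   # keep the shell from expanding * in patterns against file names

WORK=$(mktemp -d)
# Constructed config: the notes' two lines plus a service-account pattern.
cat >"$WORK/sshd_config" <<'EOF'
Port 22
PermitRootLogin no
# Access control appended at the end of the file
AllowUsers tom backup-*
DenyUsers harry
EOF

# directive_values CONFIG NAME -> every value given for NAME (keyword match is case-insensitive)
directive_values() {
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        !/^[[:space:]]*(#|$)/ && tolower($1) == name { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# matches_any USER PATTERN... -> 0 if USER matches one of the glob patterns
matches_any() {
    user=$1; shift
    for pat in "$@"; do
        case $user in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# ssh_user_allowed CONFIG USER
# Applies sshd's order: a DenyUsers match wins, then an AllowUsers list (if present)
# must match, otherwise the login is allowed. Prints the verdict; returns 0 when allowed.
ssh_user_allowed() {
    config=$1; user=$2
    deny=$(directive_values "$config" DenyUsers)
    allow=$(directive_values "$config" AllowUsers)
    if [ -n "$deny" ] && matches_any "$user" $deny; then
        echo "denied (DenyUsers)"; return 1
    fi
    if [ -n "$allow" ] && ! matches_any "$user" $allow; then
        echo "denied (not in AllowUsers)"; return 1
    fi
    echo "allowed"
}

for u in tom harry bob backup-01; do
    printf '%-10s %s\n' "$u" "$(ssh_user_allowed "$WORK/sshd_config" "$u")"
done
```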
---------------------------------------------------------------------------------------
ssh client
# ssh username@ipaddress
Example :
# ssh tom@192.168.0.28
Use the -X or -Y option for X11 forwarding, so graphical tools can be run remotely
# ssh -X 192.168.0.28
Enter password
Try,
# system-config-date
-----------------------------------------------------------------------------------------
ssh Key-based (passwordless) Authentication
The public key needs to be saved on the remote host
Key-based Authentication :
i.) dsa
ii.) rsa
Condition : To log in without a password using ssh
i.) dsa
# su - user
# ssh-keygen -t dsa // use either key type: dsa or rsa
Press Enter three times // the key pair is saved in ~/.ssh under the user's home directory
# cd ~/.ssh
# scp -rp id_dsa.pub 192.168.0.25:/home/user
Here,
-rp = recursive, preserving permissions and timestamps
Source = id_dsa.pub
Destination = 192.168.0.25:/home/user
ii.) rsa
# su - user
# ssh-keygen -t rsa
# ssh-copy-id -i id_rsa.pub 192.168.0.19 // sends the public key and installs it in the remote user's authorized_keys
Now Try,
# ssh 192.168.0.19
------------------------------------------------------------------------------------------
ssh commands
i.) SCP command
# scp filename 192.168.0.19:/destination // Secure Copy
Example :
# scp -rp id_dsa.pub 192.168.0.25:/home/user
ii.) seq command
# seq 111111 > filename // writes the numbers 1 to 111111, one per line, into the file
iii.) rsync command
Use case : send only the data appended to a file since the last copy to the destination
# rsync sumit 192.168.0.19: // saves both time and bandwidth
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
Configure SAMBA
Samba
- It is used for sharing files, folders and printers between Linux and other operating systems
- works on ports 137, 138, 139
- Package Name - samba
- Service Name - smb
- Configuration file - /etc/samba/smb.conf
Check with the rpm command whether the package is installed
# rpm -qa samba
# rpm -qc samba [Configuration files]
# rpm -qd samba [Documentation]
# rpm -ql samba [List all files]
=================================================================================
Samba - Server side
# yum install samba -y
# mkdir /share
# vim /etc/samba/smb.conf
[global]
workgroup = WORKGROUP // Enter the workgroup/domain name (around LINE 74 of the default file)
hosts allow = 192.168.10. // only this network
OR
hosts allow = ALL // for all hosts (same as omitting the line)
Shift+G
[share]
comment = Samba Server
path = /share
browsable = yes
writable = yes
valid users = harry
:wq
# service smb restart
# chkconfig smb on
# chcon -t samba_share_t /share
# smbpasswd -a harry
------------------------------------------------------------------------------
Samba - Client side
# smbclient -L //192.168.10.224 -U harry
OR , in web browser
smb://192.168.10.224
------------------------------------------------------------------------------
To View Samba Configuration File Contents
# testparm
------------------------------------------------------------------------------
Condition :
When a client creates a file on the Samba share (/share), it shows owner root and group root, as set by the Samba server.
If you want to control from the server side what owner, group and mode client-created files get:
# vim /etc/samba/smb.conf
[global]
workgroup = WORKGROUP // Enter the workgroup/domain name (around LINE 74 of the default file)
hosts allow = 192.168.10. // only this network
OR
hosts allow = ALL // for all hosts (same as omitting the line)
Shift+G
[share]
comment = Samba Server
path = /share
public = yes
browsable = yes
writable = yes
valid users = harry
create mask = 766
directory mask = 755
force user = root
force group = sales
:wq
# service smb restart
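The second share definition turns on several settings that deserve a second look on a file server: force user = root, guest (public) access on a writable share, and a create mask whose last digit gives "other" write access. The script below is an added example, not the notes' own tooling: it parses a constructed copy of that smb.conf and reports those settings, plus a missing hosts allow line in [global].

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an smb.conf for the settings the
# second share definition in the notes turns on: force user = root, guest (public)
# access on a writable share, a create mask that grants write to "other", and a
# missing hosts allow line in [global]. The smb.conf below is a constructed copy of
# the notes' share; on a host run  smb_audit /etc/samba/smb.conf

WORK=$(mktemp -d)
cat >"$WORK/smb.conf" <<'EOF'
[global]
    workgroup = WORKGROUP
    hosts allow = 192.168.10.

[share]
    comment = Samba Server
    path = /share
    public = yes
    browsable = yes
    writable = yes
    valid users = harry
    create mask = 766
    directory mask = 755
    force user = root
    force group = sales
EOF

# smb_sections CONFIG -> section names other than [global]
smb_sections() {
    awk '/^[ \t]*\[/ { s = $0; gsub(/\[|\]|[ \t]/, "", s); if (s != "global") print s }' "$1"
}

# smb_param CONFIG SECTION NAME -> value of NAME inside [SECTION] (empty if unset)
smb_param() {
    awk -v sec="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        /^[ \t]*\[/ { cur = $0; gsub(/\[|\]|[ \t]/, "", cur); next }
        cur == sec && index($0, "=") {
            k = tolower($0); sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# smb_share_findings CONFIG SECTION -> one finding per line for that share
smb_share_findings() {
    cfg=$1; sec=$2
    [ "$(smb_param "$cfg" "$sec" 'force user')" = root ] &&
        echo "[$sec] force user = root: every client write happens as root"
    if [ "$(smb_param "$cfg" "$sec" writable)" = yes ] &&
       { [ "$(smb_param "$cfg" "$sec" public)" = yes ] || [ "$(smb_param "$cfg" "$sec" 'guest ok')" = yes ]; }; then
        echo "[$sec] guest access (public/guest ok = yes) on a writable share"
    fi
    mask=$(smb_param "$cfg" "$sec" 'create mask')
    # masks are octal; the lowest digit is the "other" class and bit 2 of it is write
    if [ -n "$mask" ] && [ $(( 0${mask#0} & 2 )) -ne 0 ]; then
        echo "[$sec] create mask = $mask lets any user write to new files"
    fi
    return 0
}

# smb_audit CONFIG -> prints all findings; returns 0 when there are none, 1 otherwise
smb_audit() {
    findings=$(
        [ -n "$(smb_param "$1" global 'hosts allow')" ] ||
            echo "[global] no hosts allow line: any host may connect"
        for sec in $(smb_sections "$1"); do smb_share_findings "$1" "$sec"; done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

smb_audit "$WORK/smb.conf" || echo "review the settings above before exposing the share"
```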
==============================================================================================
Configure and set up ftp
FTP
- FTP stands for File Transfer Protocol
- It is used for uploading and downloading files
- By default, root is not allowed to use the FTP service, because
FTP sends and receives everything in clear text
- Package name = vsftpd [for Server]
- Package name = ftp [for Client]
- Port No. = 20, 21
- Configuration file = /etc/vsftpd/vsftpd.conf
- Service = vsftpd
- Default enabled user = anonymous // works without a password
-----------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------
FTP - Server Side
# yum install vsftpd -y
# service vsftpd restart
# chkconfig vsftpd on
# cd /var/ftp/pub
# touch a b c d e
-----------------------------------------------------------------------------------------
FTP - Client Side
# yum install ftp -y
# ftp 192.168.0.78 // FTP server IP
-----------------------------------------------------------------------------------------
FTP - Commands
A.) To Download a file
i. get and mget commands (inside the ftp session)
# ftp 192.168.0.78 // FTP server IP
ftp> get filename
ftp> mget file1 file2 file3 // For multiple files
ii. wget command
# wget ftp://192.168.0.78/pub/a // FTP server IP ; a = filename
-----------------------------------------------------------------------------------------
B.) To upload a file
Server Side :
# yum install vsftpd -y
# service vsftpd restart
# chkconfig vsftpd on
# cd /var/ftp/pub
# touch a b c d e
# vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES // uncomment the line
:wq
# service vsftpd restart
==========================================================================================
Client Side :
# ftp IPaddress
name=anonymous
ftp> cd pub
ftp> put /root/Desktop/abc
===========================
Error received
227 Entering Passive Mode
553 Could not create file.
===========================
===================================================================================
Note : Check the permissions of the pub folder; by default there is no write permission
===================================================================================
# ls -l /var/ftp // pub does not have write permission
# chmod 777 /var/ftp/pub
===========================================================
Note : Change the group of the pub folder from root to ftp
===========================================================
# chgrp ftp /var/ftp/pub
====================
Try again, same error
====================
==============================
Now, check the SELinux policy
==============================
# setenforce 0
# getsebool -a | grep ftp
# setsebool -P allow_ftp_anon_write on // allow_ftp_anon_write = allow the anonymous user write permission
# setenforce 1
# chcon -t public_content_rw_t /var/ftp/pub
==========
Try again,
==========
# ftp IPaddress
name=anonymous
ftp> cd pub
ftp> put /root/Desktop/abc
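The troubleshooting above touches four independent prerequisites (anon_upload_enable, a directory the ftp user can write to, the public_content_rw_t label, the allow_ftp_anon_write boolean), and the 553 reply looks the same whichever one is missing. The script below is an added example, not part of the notes: it checks all four against constructed vsftpd.conf, ls -ldZ and getsebool samples, before and after the fix. Since vsftpd's anonymous user is ftp, group write after chgrp ftp is enough; 777 grants more than the fix needs.

```shell
#!/bin/sh
# Added example, not part of the original notes: check the four prerequisites the notes
# work through for an anonymous upload (anon_upload_enable=YES, a pub directory the
# ftp user can write to, the public_content_rw_t label, the allow_ftp_anon_write
# boolean) so "553 Could not create file" can be explained before changing anything.
# The ls -ldZ and getsebool lines are constructed samples in RHEL 6 format; on a host:
#   ftp_anon_upload_check /etc/vsftpd/vsftpd.conf "$(ls -ldZ /var/ftp/pub)" "$(getsebool allow_ftp_anon_write)"

WORK=$(mktemp -d)
cat >"$WORK/vsftpd.before" <<'EOF'
anonymous_enable=YES
#anon_upload_enable=YES
EOF
cat >"$WORK/vsftpd.after" <<'EOF'
anonymous_enable=YES
anon_upload_enable=YES
EOF
LS_BEFORE='drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp/pub'
LS_AFTER='drwxrwx---. root ftp system_u:object_r:public_content_rw_t:s0 /var/ftp/pub'
BOOL_BEFORE='allow_ftp_anon_write --> off'
BOOL_AFTER='allow_ftp_anon_write --> on'

# conf_value FILE KEY -> value of the first uncommented KEY=VALUE line (empty if none)
conf_value() {
    awk -F= -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# ftp_anon_upload_check CONF LS_LINE BOOL_LINE
# Prints one line per missing prerequisite; returns 0 only when all four are satisfied.
ftp_anon_upload_check() {
    conf=$1; ls_line=$2; bool_line=$3; n=0
    if [ "$(conf_value "$conf" anon_upload_enable)" != YES ]; then
        echo "anon_upload_enable is not set to YES in $conf"; n=$((n + 1))
    fi
    set -- $ls_line                     # mode owner group context name
    mode=$1; group=$3; ctx=$4
    case $mode in
        d???????w*) ;;                  # other has write: the ftp user can create files
        d????w*)                        # group has write: only useful if the group is ftp
            [ "$group" = ftp ] || { echo "pub is group-writable but its group is $group, not ftp"; n=$((n + 1)); } ;;
        *)  echo "mode $mode gives the ftp user no write permission on pub"; n=$((n + 1)) ;;
    esac
    setype=$(printf '%s' "$ctx" | cut -d: -f3)
    if [ "$setype" != public_content_rw_t ]; then
        echo "SELinux type is $setype, vsftpd needs public_content_rw_t to write"; n=$((n + 1))
    fi
    case $bool_line in
        *'--> on') ;;
        *) echo "SELinux boolean allow_ftp_anon_write is off"; n=$((n + 1)) ;;
    esac
    [ "$n" -eq 0 ]
}

echo "before the fix:"; ftp_anon_upload_check "$WORK/vsftpd.before" "$LS_BEFORE" "$BOOL_BEFORE"
echo "after the fix:";  ftp_anon_upload_check "$WORK/vsftpd.after" "$LS_AFTER" "$BOOL_AFTER" && echo "  all prerequisites met"
```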
-----------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------
Install configure set up ssh
SSH
- SSH allows you to connect to a remote host
- provides user (password) and key based authentication
- package name - openssh-server
- service name - sshd
- Configuration file - /etc/ssh/sshd_config
--------------------------------------------------------------------
ssh Server
# yum install openssh-server -y
# vim /etc/ssh/sshd_config
Insert mode
Shift+G
Press 'o' for new line
AllowUsers tom // Allow/deny users; if neither directive is set,
DenyUsers harry // all users are allowed by default
:wq
# service sshd restart
---------------------------------------------------------------------------------------
ssh client
# ssh username@ipaddress
Example :
# ssh sam@192.168.10.20
Use the -X or -Y option for X11 forwarding, so graphical tools can be run remotely
# ssh -X 192.168.10.20
Enter password
Try,
# system-config-date
-----------------------------------------------------------------------------------------
ssh Key-based (passwordless) Authentication
The public key needs to be saved on the remote host
Key-based Authentication :
i.) dsa
ii.) rsa
Condition : To log in without a password using ssh
i.) dsa
# su - user
# ssh-keygen -t dsa // use either key type: dsa or rsa
Press Enter three times // the key pair is saved in ~/.ssh under the user's home directory
# cd ~/.ssh
# scp -rp id_dsa.pub 192.168.10.20:/home/user
Here,
-rp = recursive, preserving permissions and timestamps
Source = id_dsa.pub
Destination = 192.168.10.20:/home/user
ii.) rsa
# su - user
# ssh-keygen -t rsa
# ssh-copy-id -i id_rsa.pub 192.168.10.21 // sends the public key and installs it in the remote user's authorized_keys
Now Try,
# ssh 192.168.10.21
------------------------------------------------------------------------------------------
ssh commands
i.) SCP command
# scp filename 192.168.10.21:/destination // Secure Copy
Example :
# scp -rp id_dsa.pub 192.168.10.20:/home/user
ii.) seq command
# seq 111111 > filename // writes the numbers 1 to 111111, one per line, into the file
iii.) rsync command
Use case : send only the data appended to a file since the last copy to the destination
# rsync sumit 192.168.10.21: // saves both time and bandwidth
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
NTP Server and CLient set up
Network Time Protocol (NTP)
NTP is used to synchronize a computer's clock with a time server over the network. It operates on port 123.
1. Configure NTP server
a. Edit the /etc/ntp.conf file and specify the NTP server with which you want your system to sync.
Note: Normally we sync the time with a local time source or a university time server.
# vi /etc/ntp.conf
Uncomment the server section; in my case, I am using the time server from Reston, VA
# Time server from, Reston VA
# nist1.aol-va.symmetricom.com Reston, Virginia
server 64.236.96.53
b. save the file and restart the ntpd service
# service ntpd status
ntpd is stopped
# service ntpd start
Starting ntpd: [ OK ]
c. Make sure to start the ntpd service on every reboot.
# chkconfig --list ntpd
ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
# chkconfig ntpd on
# chkconfig --list ntpd
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
nist01.ntp.aol. .INIT. 16 u - 64 0 0.000 0.000 0.000
---------------------------------------------------------------------------------
Note: If the st (stratum) value is more than 5, your NTP is not syncing with the server. Check and verify that the server is operational.
Note: A jitter value of 0.000, or anything less than 1, is considered successful.
To check the NTP status,
# ntpstat
synchronised
time server re-starting
polling server every 64 s
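The two notes above can be applied mechanically to the ntpq -p output. The script below is an added example, not part of the original notes: it parses constructed ntpq -p samples (the .INIT. / stratum 16 state shown above and a synchronised one), strips the tally code from the peer name, and reports a peer as healthy only when its stratum is at most 5, reach is non-zero and jitter is below 1.

```shell
#!/bin/sh
# Added example, not part of the original notes: apply the notes' two rules to the
# output of "ntpq -p" (a stratum above 5, or 16 with refid .INIT., means no sync;
# a healthy peer has reach != 0 and jitter below 1 ms). Both outputs below are
# constructed samples; on a host call  ntp_sync_status "$(ntpq -p)"

NTPQ_INIT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 nist01.ntp.aol. .INIT.          16 u    -   64    0    0.000    0.000   0.000'

NTPQ_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*nist01.ntp.aol. .ACTS.           1 u   37   64  377   12.345   -0.812   0.421
+192.168.10.120  64.236.96.53     2 u   41   64  377    0.512    0.104   0.087'

# ntp_peers OUTPUT -> "<remote> <stratum> <reach> <jitter>" for each peer line.
# The first column may carry a tally code (* + - # x . o) glued to the name; strip it.
ntp_peers() {
    printf '%s\n' "$1" | awk '
        NR > 2 && NF == 10 {
            tally  = substr($0, 1, 1)
            remote = (tally == " ") ? $1 : substr($1, 2)
            print remote, $3, $7, $10
        }'
}

# ntp_sync_status OUTPUT -> "synced via <remote>" (return 0) for the first peer that
# passes the checks, otherwise "not synced" (return 1)
ntp_sync_status() {
    peer=$(ntp_peers "$1" | awk '$2 <= 5 && $3 != 0 && $4 + 0 < 1 { print $1; exit }')
    if [ -n "$peer" ]; then
        echo "synced via $peer"
        return 0
    fi
    echo "not synced"
    return 1
}

# ntp_stratum OUTPUT REMOTE -> the stratum reported for one peer
ntp_stratum() {
    ntp_peers "$1" | awk -v r="$2" '$1 == r { print $2; exit }'
}

ntp_sync_status "$NTPQ_INIT"
ntp_sync_status "$NTPQ_OK"
```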
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Setting up NTP Client
To set up an NTP client, edit the /etc/ntp.conf file and specify the NTP server you just created.
# vi /etc/ntp.conf
Comment out all lines that begin with server and add your NTP server:
server 192.168.10.120
# service ntpd start
# chkconfig ntpd on
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To update or sync your client system with NTP server,
# ntpdate -u 192.168.10.120
Kernel and Grub information
To Break Root Password
1 Reboot the system
2 'Esc' -----> Press 'e'
3 Select the kernel line ----> Press 'e'
4 Type a space and 1, then Enter [1 = boot into single user mode]
5 Press 'b' to boot
6 A root shell will be opened
7 # setenforce 0
8 # passwd
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
RUN levels
0 - Shutdown
1 - Single usermode
2 - Multi usermode without NFS [networking]
3 - Multi usermode with Networking
4 - unused, only for R & D
5 - Multi usermode with Networking and Graphics
6 - reboot
--------------------------------------------------------------------------------------------
To Change Run Level
# vim /etc/inittab
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
To View Terminal
# tty
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
To View OS information
# uname // Name of OS
# uname -s // Name of OS
# uname -a // All information of OS
# uname -r // Release level of OS
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
Maintaining Kernel
RHEL 6.0 supports following processors :
i INTEL and AMD - 64 bit x86_64
ii INTEL and AMD - 32 bit x86
--------------------------------------------------------------------------------------------
To view Architecture of the system
# arch
Output : x86_64
--------------------------------------------------------------------------------------------
To open kernel file
# vim /etc/grub.conf
# vim /boot/grub/grub.conf
--------------------------------------------------------------------------------------------
Update and Boot from another Kernel
# vim /etc/grub.conf // to view the kernel entries
Now, download the kernel from the FTP server
# yum install lftp -y // lftp lets you use tab completion when connected to FTP
# lftp 192.168.0.254
lftp> cd /pub/rhel60/Packages
lftp> get kernel-debug-2.6.32-71.el6.x86_64.rpm // use tab to complete the name
lftp> get kernel-firmware-2.6.32-71.el6.noarch.rpm // use tab to complete the name
lftp> exit
Now you are back on the local PC [the above 2 files have been copied into the current working directory]
# rpm -ivh kernel-firmware.......
# rpm -ivh kernel-debug..........
--------------------------------------------------------------------------------------------
Passing Kernel Argument
# vim /etc/grub.conf
In the Kernel Entry, type
crashkernel=auto kernstack 1 // System will boot always in Single user mode
:wq
# init 6
--------------------------------------------------------------------------------------------
Passing Kernel Parameters
# vim /etc/grub.conf
In the Kernel Entry, type
nousb=sysctl 1 // nousb = no USB can be connected ; sysctl = always log in in single user mode
:wq
# init 6
--------------------------------------------------------------------------------------------
To List Kernel Modules [drivers]
# lsmod
--------------------------------------------------------------------------------------------
To manually install/uninstall device drivers
# modprobe usb_storage // To install
# modprobe -r usb_storage // To uninstall
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
GRUB
GRUB stands for Grand Unified Boot Loader
----------------------------------------------------------------------------
To set GRUB Password
# grub-md5-crypt
Enter password
Copy the encrypted (MD5 hashed) password
# vim /etc/grub.conf
At the "hiddenmenu" line
Press 'o' to insert a new line
type: password --md5 <paste the hash here>
:wq
# init 6
----------------------------------------------------------------------------
To Break GRUB Password
In order to break the password, you need a rescue disk
1 Boot from the rescue disk
2 Continue
3 OK // your system will be mounted under /mnt/sysimage
4 Shell: Start shell ---- Enter
5 # chroot /mnt/sysimage
6 # vim /etc/grub.conf
7 Delete the password line // press dd
8 # exit
9 # reboot
----------------------------------------------------------------------------
What is "rhgb" on the GRUB kernel line?
rhgb = Red Hat graphical boot - This is a GUI boot screen with most of the information hidden; the user sees a spinning activity icon and brief information about what the computer is doing.
quiet = hides the majority of boot messages before rhgb starts. These are supposed to make the common user more comfortable: they get alarmed at seeing the kernel and initialization messages, so those are hidden for their comfort.
Of course these people probably would be more alarmed by XP or 2K messages during safe mode operation.
=================================================================
GRUB Menu Configuration File
The configuration file (/boot/grub/grub.conf), which is used to create the list of operating systems to boot in GRUB's menu interface, essentially allows the user to select a pre-set group of commands to execute. The commands given in Section 2.6, “GRUB Commands” can be used, as well as some special commands that are only available in the configuration file.
2.7.1. Configuration File Structure
The GRUB menu interface configuration file is /boot/grub/grub.conf. The commands to set the global preferences for the menu interface are placed at the top of the file, followed by stanzas for each operating kernel or operating system listed in the menu.
The following is a very basic GRUB menu configuration file designed to boot either Red Hat Enterprise Linux or Microsoft Windows 2000:
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux AS (2.6.8-1.523)
root (hd0,0)
kernel /vmlinuz-2.6.8-1.523 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.8-1.523.img
# section to load Windows
title Windows
rootnoverify (hd0,0)
chainloader +1
This file configures GRUB to build a menu with Red Hat Enterprise Linux as the default operating system and sets it to autoboot after 10 seconds. Two sections are given, one for each operating system entry, with commands specific to the system disk partition table.
Note
Note that the default is specified as an integer. This refers to the first title line in the GRUB configuration file. For the Windows section to be set as the default in the previous example, change the default=0 to default=1.
Configuring a GRUB menu configuration file to boot multiple operating systems is beyond the scope of this chapter. Consult Section 2.9, “Additional Resources” for a list of additional resources.
Configuration File Directives
The following are directives commonly used in the GRUB menu configuration file:
chainloader </path/to/file> — Loads the specified file as a chain loader. Replace </path/to/file> with the absolute path to the chain loader. If the file is located on the first sector of the specified partition, use the blocklist notation, +1.
color <normal-color> <selected-color> — Allows specific colors to be used in the menu, where two colors are configured as the foreground and background. Use simple color names such as red/black. For example:
color red/black green/blue
default=<integer> — Replace <integer> with the default entry title number to be loaded if the menu interface times out.
fallback=<integer> — Replace <integer> with the entry title number to try if the first attempt fails.
hiddenmenu — Prevents the GRUB menu interface from being displayed, loading the default entry when the timeout period expires. The user can see the standard GRUB menu by pressing the Esc key.
initrd </path/to/initrd> — Enables users to specify an initial RAM disk to use when booting. Replace </path/to/initrd> with the absolute path to the initial RAM disk.
kernel </path/to/kernel> <option-1> <option-N> — Specifies the kernel file to load when booting the operating system. Replace </path/to/kernel> with an absolute path from the partition specified by the root directive. Multiple options can be passed to the kernel when it is loaded.
password=<password> — Prevents a user who does not know the password from editing the entries for this menu option.
Optionally, it is possible to specify an alternate menu configuration file after the password=<password> directive. In this case, GRUB restarts the second stage boot loader and uses the specified alternate configuration file to build the menu. If an alternate menu configuration file is left out of the command, a user who knows the password is allowed to edit the current configuration file.
For more information about securing GRUB, refer to the chapter titled Workstation Security in the Security Guide.
root (<device-type><device-number>,<partition>) — Configures the root partition for GRUB, such as (hd0,0), and mounts the partition.
rootnoverify (<device-type><device-number>,<partition>) — Configures the root partition for GRUB, just like the root command, but does not mount the partition.
timeout=<integer> — Specifies the interval, in seconds, that GRUB waits before loading the entry designated in the default command.
splashimage=<path-to-image> — Specifies the location of the splash screen image to be used when GRUB boots.
title group-title — Specifies a title to be used with a particular group of commands used to load a kernel or operating system.
To add human-readable comments to the menu configuration file, begin the line with the hash mark character (#).
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Reference_Guide/s1-grub-configfile.html
https://www.centos.org/docs/5/html/Installation_Guide-en-US/s1-grub-configfile.html
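As an added example (not code from the page or from the Red Hat documentation quoted above), here is a small parser for this grub.conf layout that separates the global directives from the title stanzas and audits what a reviewer would look for: a hashed password directive, a default that points at a real entry, and kernel lines that boot into single user mode. The hash in the second sample is a constructed placeholder, not real grub-md5-crypt output.

```python
"""Parse a GRUB legacy menu file (grub.conf) and audit its security settings.

Added example; it is not code from the page or from the Red Hat documentation
quoted above. SAMPLE_GRUB_CONF is the page's two-entry configuration; the
password hash in SAMPLE_WITH_PASSWORD is a constructed placeholder.
"""
from dataclasses import dataclass, field

# The page's sample grub.conf (RHEL entry plus chainloaded Windows entry).
SAMPLE_GRUB_CONF = """\
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux AS (2.6.8-1.523)
        root (hd0,0)
        kernel /vmlinuz-2.6.8-1.523 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.8-1.523.img
# section to load Windows
title Windows
        rootnoverify (hd0,0)
        chainloader +1
"""

# Same file with a global 'password --md5' line, as the page's setup steps
# describe (placeholder hash, constructed for this example).
SAMPLE_WITH_PASSWORD = SAMPLE_GRUB_CONF.replace(
    "hiddenmenu\n", "hiddenmenu\npassword --md5 $1$PLACEHOLDER$hashgoeshere\n")


@dataclass
class Stanza:
    """One 'title' block: the title text and its directive -> argument map."""
    title: str
    commands: dict = field(default_factory=dict)


@dataclass
class GrubConf:
    globals: dict   # directives before the first 'title'
    stanzas: list   # Stanza objects in file order; 'default=' indexes this list


def _split_directive(line):
    """'default=0' -> ('default', '0'); 'root (hd0,0)' -> ('root', '(hd0,0)')."""
    head = line.split(None, 1)[0]
    if "=" in head:                       # key=value form
        key, value = line.split("=", 1)
    else:                                 # key value form (value may be empty)
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
    return key.strip(), value.strip()


def parse_grub_conf(text):
    """Split grub.conf into global directives and per-title stanzas.

    Comment lines (leading '#') and blank lines are ignored; if a directive
    is repeated within one scope, this parser keeps the last value.
    """
    globals_, stanzas = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = _split_directive(line)
        if key == "title":
            stanzas.append(Stanza(title=value))
        elif stanzas:
            stanzas[-1].commands[key] = value
        else:
            globals_[key] = value
    return GrubConf(globals_, stanzas)


def default_entry(conf):
    """Title of the entry booted when the timeout expires (None if out of range)."""
    index = int(conf.globals.get("default", "0"))
    return conf.stanzas[index].title if 0 <= index < len(conf.stanzas) else None


def audit_grub_conf(conf):
    """Return the findings a reviewer would raise about this menu file."""
    findings = []
    password = conf.globals.get("password")
    if password is None:
        findings.append("no global 'password' directive: menu entries can be edited at the console")
    elif not password.startswith("--md5 "):
        findings.append("'password' is stored in clear text; generate a hash with grub-md5-crypt")
    if default_entry(conf) is None:
        findings.append("'default' does not point at an existing title")
    for stanza in conf.stanzas:
        # kernel arguments after the kernel path; '1', 's' or 'single' select single user mode
        kernel_args = stanza.commands.get("kernel", "").split()[1:]
        if any(arg in ("1", "s", "single") for arg in kernel_args):
            findings.append(f"entry '{stanza.title}' boots into single user mode by default")
    return findings


if __name__ == "__main__":
    for name, text in (("no password", SAMPLE_GRUB_CONF), ("with password", SAMPLE_WITH_PASSWORD)):
        conf = parse_grub_conf(text)
        print(name, "->", default_entry(conf), audit_grub_conf(conf) or ["ok"])
```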
1 Reboot the system
2 At the GRUB menu press 'Esc' -----> press 'e'
3 Select the kernel line ----> press 'e'
4 Add a space and 1 at the end, then Enter [1 = boot into single user mode]
5 Press 'b' to boot
6 A root shell will be opened
7 # setenforce 0
8 # passwd
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
RUN levels
0 - Shutdown
1 - Single usermode
2 - Multi usermode without NFS [networking]
3 - Multi usermode with Networking
4 - unused, only for R & D
5 - Multi usermode with Networking and Graphics
6 - reboot
--------------------------------------------------------------------------------------------
To Change Run Level
# vim /etc/inittab
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
To View Terminal
# tty
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
To View OS information
# uname // Name of OS
# uname -s // Name of OS
# uname -a // All information of OS
# uname -r // Release level of OS
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
Maintaining Kernel
RHEL 6.0 supports following processors :
i INTEL and AMD - 64 bit x86_64
ii INTEL and AMD - 32 bit x86
--------------------------------------------------------------------------------------------
To view Architecture of the system
# arch
Output : x86_64
--------------------------------------------------------------------------------------------
To open kernel file
# vim /etc/grub.conf
# vim /boot/grub/grub.conf
--------------------------------------------------------------------------------------------
Update and Boot from another Kernel
# vim /etc/grub.conf // to view the kernel entry
Now, download the kernel from the FTP server
# yum install lftp -y // lftp enables Tab completion when connected to FTP
# lftp 192.168.0.254
# cd /pub/rhel60/Packages
# get kernel-debug-2.6.32-71.el6.x86_64.rpm // use Tab to complete the name
# get kernel-firmware-2.6.32-71.el6.noarch.rpm // use Tab to complete the name
# exit
Now you are back on the local PC [the above 2 files have been copied to the current working directory]
# rpm -ivh kernel-firmware.......
# rpm -ivh kernel-debug..........
--------------------------------------------------------------------------------------------
Passing Kernel Argument
# vim /etc/grub.conf
In the Kernel Entry, type
crashkernel=auto kernstack 1 // System will boot always in Single user mode
:wq
# init 6
--------------------------------------------------------------------------------------------
Passing Kernel Parameters
# vim /etc/grub.conf
In the Kernel Entry, type
nousb=sysctl 1 // nousb = No USB can be connected ;
:wq // sysctl = Always login in Single user mode
# init 6
--------------------------------------------------------------------------------------------
To List Kernel Modules [drivers]
# lsmod
--------------------------------------------------------------------------------------------
To manually install/uninstall device drivers
# modprobe usb_storage // To install
# modprobe -r usb_storage // To uninstall
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
GRUB
GRUB stands for Grand Unified Boot Loader
----------------------------------------------------------------------------
To set GRUB Password
# grub-md5-crypt
Enter password
Copy the Encrypted password
# vim /etc/grub.conf
At "hiddenmenu"
Press 'o' to Insert a new line
type: password --md5 <paste the encrypted password here>
:wq
# init 6
SELINUX policy set up
SE Linux Policy [ Security Enhanced Linux Policy ]
Client ==> Firewall ==> TCP Wrapper ==> SELinux ==> Server
TCP Wrapper = Allow/Deny by service
Firewall = Allow/Deny by IP address
----------------------------------------------------------------------------------------------
Modes of SELinux :
1. Enforcing
2. Permissive
3. Disabled
Enforcing :
i.) It prevents unauthorized access to files and services
ii.) It creates logs for unauthorized access.
Permissive:
i.) It creates logs only but doesn't prevent access
Disabled :
i.) It neither logs nor prevents anything, since SELinux is already disabled
----------------------------------------------------------------------------------------------
How to change :
# getenforce // Show the SE linux mode
# setenforce 0 // To change to Permissive mode
# setenforce 1 // To change to Enforcing mode
----------------------------------------------------------------------------------------------
To disable it, goto Configuration file :
# vi /etc/sysconfig/selinux OR vi /etc/selinux/config
SELINUX=disabled
:wq
----------------------------------------------------------------------------------------------
To see log files :
# cat /var/log/messages | less
----------------------------------------------------------------------------------------------
Types of SELinux policy :
1. Targeted : the system default security policy [targeted processes are confined]
2. MLS (Multi-Level Security) : we create self-defined rules to secure our system and processes
** If we copy the files from one location to another, they get the SELinux context of the destination
** If we move the files from one location to another, they carry their old SELinux context with them
--------------------------------------------------------------------------------------------------
Lab exercise :
1.) Create 4 files at different locations :
# touch /tmp/test1
# ls -lZ
# touch /etc/test2
# ls -lZ
# touch /home/test3
# ls -lZ
# touch /var/www/html/test1
# ls -lZ
2.) Copy test1 file to /var/www/html
# cp /tmp/test1 /var/www/html
3.) Move test3 file to /var/www/html
# mv /home/test3 /var/www/html
4.) Now, see the contexts of the files in the directory
# ls -lZ /var/www/html
5.) To apply the default SELinux context to all files in the /var/www/html folder
# restorecon -Rv /var/www/html
6.) Now, if you create a file on the desktop, want it to stay there, and want to apply the SELinux context of the html folder to it
# touch /root/Desktop/index.html
# chcon -Rv --reference /var/www/html /root/Desktop/index.html
---------------------------------------------------------------------------------------
Booleans
Booleans are policy switches that allow or restrict parts of SELinux behavior at run time,
so SELinux can be tuned to the requirements without changing the policy.
To view the Boolean values of a service/system
# getsebool -a
OR
# getsebool -a | grep ftp
# setsebool -P allow_ftpd_anon_write on // -P = permanent ; allow_ftpd_anon_write = Boolean name ; on = on/off
----------------------------------------------------------------------------------------
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
# ls -lZ
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
# touch myfile
# ls -Z myfile
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 myfile
SELinux provides a user (unconfined_u), a role (object_r), a type (user_tmp_t), and a level (s0).
More often you would be interested in type.
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
Within SELinux, a security context is represented as variable-length strings that define the SELinux user, their role, a type identifier and an optional MCS / MLS security range or level as follows:
user:role:type[:range]
Where:
user ==> The SELinux user identity. This can be associated to one or more roles that the SELinux user is allowed to use.
role ==> The SELinux role. This can be associated to one or more types the SELinux user is allowed to access.
type ==> When a type is associated with a process, it defines what processes (or domains) the SELinux user (the subject) can access.
When a type is associated with an object, it defines what access permissions the SELinux user has to that object.
range ==> This field can also be known as a level and is only present if the policy supports MCS or MLS. The entry can consist of:
A single security level that contains a sensitivity level and zero or more categories (e.g. s0, s1:c0, s7:c10.c15).
A range that consists of two security levels (a low and high) separated by a hyphen (e.g. s0 - s15:c0.c1023).
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
This information is used to make access control decisions. Under Discretionary Access Control (DAC), access is controlled based on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
The -Z option can be used with ps, ls, cp, id, and others. For instance, to view your security context:
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
To view the security context associated with a file, run the following command,
# ls -lZ myfile
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 myfile
There are multiple commands for managing the SELinux context for files, such as chcon, semanage fcontext, and restorecon.
# semanage fcontext -l | more
# semanage fcontext -l | grep '/var/www'
/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
Let's say you change your default document root to /opt/www; it will have a different context. You need to change it to the httpd_sys_content_t type, otherwise your web server will not work.
To change to a new context, use the following command to add a new file context rule.
# semanage fcontext -a -t httpd_sys_content_t '/opt/www(/.*)?'
Note: -a --> add a new fcontext with the type (-t) httpd_sys_content_t, targeting /opt/www and any sub-directories and files.
# semanage fcontext -l | grep '/opt/www' # list the fcontexts
# restorecon -Rv /opt/www
The restorecon command sets default contexts on files and directories, according to policy.
# echo "For selinux test" >test.file
# ls -lZ test.file
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 test.file
# mv test.file /var/www/html/
# ls -lZ /var/www/html/test.file
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /var/www/html/test.file
# restorecon -v /var/www/html/test.file
restorecon reset /var/www/html/test.file context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
Note: if you change SELinux from disabled to enforcing or permissive mode, the entire filesystem has to be relabeled (by running restorecon -R on /), because contexts were not being set while it was disabled; a reboot is recommended.
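An added example (not code from the page or the documentation it quotes) that parses the user:role:type[:range] context string described above and, over constructed ls -lZ output mirroring the moved test.file, lists the files under the document root whose type is not httpd_sys_content_t, which is exactly what restorecon -Rv would fix:

```python
"""Parse SELinux security contexts (user:role:type[:range]) from ls -Z / id -Z
output and flag files under a web document root whose type httpd cannot serve.

Added example, not code from the page or the documentation it quotes. The
ls -lZ output below is constructed to mirror the page's demo: the copied file
got the directory's type, while the moved files kept their old types.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed `ls -lZ /var/www/html` output (RHEL 6 column layout, as on the page).
SAMPLE_LS_Z = """\
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /var/www/html/test.file
-rw-r--r--. root root unconfined_u:object_r:home_root_t:s0 /var/www/html/test3
"""


@dataclass(frozen=True)
class Level:
    """One MCS/MLS security level: sensitivity sN plus a set of categories cN."""
    sensitivity: int
    categories: frozenset


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Optional[Level] = None    # None when the policy carries no range
    high: Optional[Level] = None


def parse_level(text):
    """'s7:c10.c15' -> Level(7, {10..15}); 's1:c0,c3' -> Level(1, {0, 3}); 's0' -> Level(0, {})."""
    sens, _, cats = text.strip().partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity: {text!r}")
    categories = set()
    for item in filter(None, cats.split(",")):
        first, _, last = item.partition(".")      # 'c10.c15' is an inclusive run
        lo = int(first[1:])
        hi = int(last[1:]) if last else lo
        categories.update(range(lo, hi + 1))
    return Level(int(sens[1:]), frozenset(categories))


def parse_context(text):
    """Split 'user:role:type[:low[-high]]'; the range part may itself contain ':'."""
    parts = text.strip().split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {text!r}")
    user, role, typ = parts[:3]
    low = high = None
    if len(parts) == 4:
        lo_text, _, hi_text = parts[3].partition("-")
        low = parse_level(lo_text)
        high = parse_level(hi_text) if hi_text else low   # single level: low == high
    return Context(user, role, typ, low, high)


# ls -lZ (RHEL 6) prints: mode owner group context name
_LS_Z_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_ls_z(output):
    """Return [(path, Context), ...] for each line of `ls -lZ` output."""
    entries = []
    for line in output.splitlines():
        m = _LS_Z_LINE.match(line)
        if m:
            entries.append((m.group(5), parse_context(m.group(4))))
    return entries


def find_mislabeled(output, expected_type="httpd_sys_content_t"):
    """Paths whose type is not expected_type; restorecon -Rv on the directory fixes them."""
    return [(path, ctx.type) for path, ctx in parse_ls_z(output) if ctx.type != expected_type]


if __name__ == "__main__":
    me = parse_context("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
    print("categories in my clearance:", len(me.high.categories))
    for path, typ in find_mislabeled(SAMPLE_LS_Z):
        print(f"{path}: type {typ} (expected httpd_sys_content_t, run restorecon)")
```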
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
Temporary Changes: chcon
The chcon command changes the SELinux context for files. However, changes made with the chcon command do not survive a file system relabel, or the execution of the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using chcon, users provide all or part of the SELinux context to change.
Run the chcon -t type file-name command to change the file type, where type is a type, such as httpd_sys_content_t, and file-name is a file or directory name.
Run the chcon -R -t type directory-name command to change the type of the directory and its contents, where type is a type, such as httpd_sys_content_t, and directory-name is a directory name.
Changing a File's or Directory's Type
# ls -Z myfile
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 myfile
# chcon -t samba_share_t myfile
# ls -lZ myfile
-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 myfile
Use restorecon -v myfile command to restore the SELinux context for the myfile file.
-v shows the change
# restorecon -v myfile
Changing a Directory and its Contents Types
# mkdir /best
# touch /best/note{1,2,3}
# ls -lZ /best
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 note1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 note2
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 note3
Run the chcon -R -t httpd_sys_content_t /best/ command to change the type of the /best/ directory and its contents.
# chcon -R -t httpd_sys_content_t /best/
# ls -lZ /best
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 note1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 note2
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 note3
To restore the default SELinux contexts:
# restorecon -R -v /best/
restorecon reset /best context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /best/note1 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /best/note2 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /best/note3 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
VNC and remote desktop
VNC [Virtual Network Computing]
- VNC stands for Virtual Network Computing
- Package name - tigervnc-server
- Service name - vncserver
---------------------------------------------------------------------
VNC server
# yum install tigervnc-server -y
# vim /etc/sysconfig/vncservers
Insert mode
Shift+G
Uncomment VNCSERVERS="2:user2 1:user1" // add users to allow
:wq
# useradd user1
# useradd user2
# passwd user1
# passwd user2
# su - user1
# vncpasswd // provide the VNC password
# exit
# su - user2
# vncpasswd // provide the VNC password
# exit
# service vncserver restart
---------------------------------------------------------------------
VNC Client
# yum install tigervnc -y
# vncviewer 20.0.0.56:2 // VNC server IP
Enter VNCpassword
---------------------------------------------------------------------
---------------------------------------------------------------------
RDC [Remote Desktop Connection]
RDC is similar to RDP in windows
1. Goto --> System --> Preferences --> Remote Desktop
2. (tick) Allow other users to view desktop
3. (tick) Require user to enter password ___________
Goto, Client PC
# yum install tigervnc -y
# vncviewer 20.0.0.56
Enter password
Operate running systems
Boot, reboot, and shut down a system normally.
Physically power on the system
You can shutdown a system with the following commands
Shutdown Commands
# shutdown -h +<time delay in minutes> ex: shutdown -h +5 (shuts down the system in 5 minutes)
# shutdown -h now (shutdown immediately)
# poweroff
# init 0 (Switches to runlevel 0 which shutdown the system)
# halt
Reboots Commands
# reboot
# shutdown -r +<time delay in minutes>
# shutdown -r now
# init 6 //switches to runlevel 6 which reboots the system immediately
Boot systems into different runlevels manually.
1) Boot your system and press any key within the allotted amount of time to get to the “Grub” bootloader screen.
2) Select your boot “OS” and press “a” to edit the boot command
3) Add the number of the runlevel you would like to use at the end of the command to boot to that runlevel
Example:
ro root=/dev/mapper/vg_centosvm-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD quiet SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto rd_LVM_LV=vg_centosvm/lv_swap KEYBOARDTYPE=pc KEYTABLE=us rd_LVM_LV=vg_centosvm/lv_root rd_NO_DM 1
The “1” at the end of the boot string will boot the system to runlevel 1
Use single-user mode to gain access to a system.
Boot the system to runlevel 1 as shown above to gain super user (root) access in run level 1
Fixing bad superblocks on filesystems
Occasionally, when a filesystem is mounted during the system boot, the mount will fail because the "superblock" cannot be read. There is an easy fix, but you have to take extreme care.
A. Procedure -- short form
1. determine the filesystems and devices
# df -h
2. Note the list of devices and corresponding filesystems and unmount the one that has a problem.
# umount {/badfilesystem}
3. Determine the superblock information.
# NOTE: YOU MUST USE THE "-n" OPTION TO AVOID
# REFORMATTING THE FILESYSTEM!
# mke2fs -F -n {/baddevicename}
Note: Expect about one screen of output
4. Pick a superblock backup and use that number as input
# e2fsck -b {superblockbackupnumber} {/baddevicename}
Note: Expect some output about Passes 1 - 5; be prepared to answer some questions about blocks or inodes that have problems.
5. Remount the file system
# mount {/badfilesystem}
B. Procedure -- long form with example
1. Determine the filesystems and devices
# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 26G 20G 4.8G 81% /
udev 4.0G 168K 4.0G 1% /dev
/dev/sda1 388M 38M 331M 11% /boot
/dev/mapper/system-ORA
8.4G 131M 7.8G 2% /ora
/dev/mapper/system-ORADATA
26G 129M 24G 1% /oradata
2. Unmount the FS that has the issue.
# umount /oradata
3. Determine the superblock information
# dumpe2fs /dev/mapper/system-ORADATA | grep superblock
dumpe2fs 1.38 (30-Jun-2005)
Primary superblock at 0, Group descriptors at 1-2
Backup superblock at 32768, Group descriptors at 32769-32770
Backup superblock at 98304, Group descriptors at 98305-98306
Backup superblock at 163840, Group descriptors at 163841-163842
Backup superblock at 229376, Group descriptors at 229377-229378
Backup superblock at 294912, Group descriptors at 294913-294914
Backup superblock at 819200, Group descriptors at 819201-819202
Backup superblock at 884736, Group descriptors at 884737-884738
Backup superblock at 1605632, Group descriptors at 1605633-1605634
Backup superblock at 2654208, Group descriptors at 2654209-2654210
Backup superblock at 4096000, Group descriptors at 4096001-4096002
4. Pick a superblock backup and use that number as input
# e2fsck -b 294912 /dev/mapper/system-ORADATA
e2fsck 1.38 (30-Jun-2005)
/dev/mapper/system-ORADATA: recovering journal
/dev/mapper/system-ORADATA was not cleanly unmounted, check forced.
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/mapper/system-ORADATA: ***** FILE SYSTEM WAS MODIFIED *****
/dev/mapper/system-ORADATA: 11/3335808 files (0.0% non-contiguous), 137492/6659072 blocks
5. Remount the file system
# mount /oradata
#
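The following POSIX shell script is an added example and is not part of these notes. It parses the backup-superblock list out of either dumpe2fs output or a `mke2fs -F -n` dry run (the two listing methods used above), picks the first backup, and, when invoked with the argument `live`, repeats the `e2fsck -b` repair step on a scratch ext4 image file, so no real device and no root are needed. The sample outputs embedded in it are constructed from the listing shown above; the function names are my own.

```shell
#!/bin/sh
# Added example: find ext2/3/4 backup superblocks and run e2fsck against one.

# backup_superblocks  (reads stdin)
# Accepts the output of either `dumpe2fs DEVICE` or `mke2fs -F -n DEVICE`
# (dry run) and prints one backup superblock block number per line, in order.
backup_superblocks() {
    awk '
        /^[ \t]*Backup superblock at/ { sub(",", "", $4); print $4; next }
        /Superblock backups stored on blocks/ { sub(/.*:/, ""); grab = 1 }
        grab {
            # mke2fs lists the numbers comma-separated, possibly wrapped over
            # several lines; every line except the last ends with a comma.
            n = split($0, f, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (f[i] ~ /^[0-9]+$/) { print f[i]; seen = 1 }
            if (seen && $0 !~ /,[ \t]*$/) grab = 0
        }
    '
}

# first_backup_superblock  (reads stdin) -> the lowest backup, the usual choice
first_backup_superblock() {
    backup_superblocks | head -n 1
}

# Constructed sample: the dumpe2fs output shown in the notes above.
SAMPLE_DUMPE2FS='dumpe2fs 1.38 (30-Jun-2005)
Primary superblock at 0, Group descriptors at 1-2
Backup superblock at 32768, Group descriptors at 32769-32770
Backup superblock at 98304, Group descriptors at 98305-98306
Backup superblock at 163840, Group descriptors at 163841-163842
Backup superblock at 229376, Group descriptors at 229377-229378
Backup superblock at 294912, Group descriptors at 294913-294914
Backup superblock at 819200, Group descriptors at 819201-819202
Backup superblock at 884736, Group descriptors at 884737-884738
Backup superblock at 1605632, Group descriptors at 1605633-1605634
Backup superblock at 2654208, Group descriptors at 2654209-2654210
Backup superblock at 4096000, Group descriptors at 4096001-4096002'

# Constructed sample: the same filesystem as `mke2fs -F -n` would describe it.
SAMPLE_MKE2FS='Creating filesystem with 6659072 4k blocks and 3335808 inodes
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000'

# recover_image IMAGE: builds a scratch ext4 image (no root needed), lists its
# backups and runs `e2fsck -b` against the first one, the repair step the
# notes apply to a real partition.  mke2fs is run here only on the scratch
# image we just created; on a real device list the backups with dumpe2fs or
# `mke2fs -F -n` and never drop the -n.
recover_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=1048576 count=64 2>/dev/null || return 1
    mke2fs -q -F -t ext4 "$img" || return 1
    first=$(dumpe2fs "$img" 2>/dev/null | first_backup_superblock)
    [ -n "$first" ] || { echo "no backup superblock found in $img" >&2; return 1; }
    echo "first backup superblock of $img is at block $first"
    e2fsck -f -y -b "$first" "$img"
    echo "e2fsck exit status $? (0 = clean, 1 = errors were corrected)"
}

echo "backups in the dumpe2fs sample:"
printf '%s\n' "$SAMPLE_DUMPE2FS" | backup_superblocks | tr '\n' ' '; echo
echo "first backup in the mke2fs sample: $(printf '%s\n' "$SAMPLE_MKE2FS" | first_backup_superblock)"

# Run with the argument "live" to exercise the repair on a scratch image.
if [ "${1:-}" = live ]; then
    for t in mke2fs dumpe2fs e2fsck; do
        command -v "$t" >/dev/null 2>&1 || { echo "need $t (e2fsprogs)" >&2; exit 1; }
    done
    scratch=$(mktemp) || exit 1
    recover_image "$scratch"
    rm -f "$scratch"
fi
```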
Permission and ACL
Unix file and directories level Permissions
There are three main types of permission in Linux/UNIX (excluding SELinux).
chmod - is used to assign permissions to the user (owner), group and others on a file or directory.
ACL - is used to assign an extra level of access to a specific user or group.
Special Permissions
i.) Sticky bit
ii.) SGID (set group ID)
iii.) SUID (set user ID)
-----------------------------------------------------------------------------------------
If you run,
# ls -l
-/---/---/---
 type U   G   O
U - Owner permission
G - Group permission
O - Other users
_____________________________
          Symbolic  Numeric
_____________________________
read         r        4
write        w        2
execute      x        1
_____________________________
                     = 7
-----------------------------------------------------------------------------------------
===================================================================
Maximum Permission of file and directory
Directory - 777 (r=4,w=2,x=1)
File - 666 (r=4,w=2,x=0)
===================================================================
Default Permission of file and directory [with ROOT]
Directory - 755
File - 644
===================================================================
Default Permission of file and directory [with local User]
Directory - 775
File - 664
====================================================================
-----------------------------------------------------------------------------------------
UMASK - The umask is a default mask that determines the permissions of newly created directories and files
To view :
# umask
With Root Value = 0022
With local user = 0002
-----------------------------------------------------------------------------------------
* How to calculate default permission in case of Root
1. Directory :
Max Permission = 777
Umask Value = 0022
_______________________
= 755 Default permission of Directory
2. File :
Max Permission = 666
Umask Value = 0022
_______________________
= 644 Default permission of File
-------------------------------------------------------------------------------------------
* How to calculate default permission in case of Local user
1. Directory :
Max Permission = 777
Umask Value = 0002
_______________________
= 775 Default permission of Directory
2. File :
Max Permission = 666
Umask Value = 0002
_______________________
= 664 Default permission of File
-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------
CHMOD [Change Mode]
1. Symbolic Method
u- owner
g- group
o- Other
r- read
w- write
x- execute
'+'- add
'-'- remove
Example :
# chmod ugo+rwx dir // This will assign read, write and execute permissions to owner, group and other users
# chmod go+rw dir // This will assign read and write permissions to group and other users
# chmod o+r dir // This will assign read permission to other users
# chmod u+rwx,g+rw,o+r dir
To remove :
# chmod ugo-rwx dir
# chmod go-rw dir
# chmod o-r dir
# chmod u-rwx,g-rw,o-r dir
2. Numeric Method
# chmod 744 dir // Owner = 7 (r=4,w=2,x=1); group = 4 (r=4); other = 4 (r=4)
# chmod 511 dir
-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------
ACL [Access Control List]
# mkdir /tmp/test
# groupadd sales // Add users raj,sumit,hemant and ram
# chgrp sales /tmp/test
OR
# chown :sales /tmp/test
# chmod 777 /tmp/test
Condition 1 : Give read access to sumit user only to /tmp/test
# setfacl -m u:sumit:r-- /tmp/test
To check,
# getfacl /tmp/test
Condition 2 : Give read,write access to all sales group users to /tmp/test
# setfacl -m g:sales:rw- /tmp/test
To check,
# getfacl /tmp/test
Condition 3 : Remove all permissions for all sales group users to /tmp/test
# setfacl -m g:sales:--- /tmp/test
To check,
# getfacl /tmp/test
-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------
Special Permissions
1. Sticky Bit
# chmod 1777 /tmp/test // Full permission assigned to owner, group and other users, plus the sticky bit
However, other users still cannot delete or rename files they do not own inside the directory, even though they have full access to it
2. SGID [Set Group ID]
Condition : If you create any file within test, the group should be sales by default [Sumit is already in sales group]
# chmod 2777 /tmp/test
OR
# chmod g+s /tmp/test
3. SUID [Set User ID]
# chmod 4777 /tmp/test // 4 = SUID bit: an executable file runs with its owner's user ID; Linux ignores it on directories
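The following POSIX shell script is an added example and is not part of these notes. It converts the ls -l mode string shown in the permission table above into chmod's numeric form, including the sticky (1), SGID (2) and SUID (4) digits of the special permissions, computes the default permissions for the root and local-user umask values from the UMASK section with a bitwise mask rather than the subtraction shown there, and verifies the prediction against files the kernel actually creates in a temporary directory. The function names (mode_to_octal, default_mode, umask_for, check_umask_rule) are my own.

```shell
#!/bin/sh
# Added example: numeric modes, special bits and umask, checked against the kernel.

# mode_to_octal MODESTRING
# Converts the 9 permission columns of `ls -l` (a leading file-type column is
# accepted and dropped) into chmod's numeric form, e.g. drwxrwxrwt -> 1777.
# s/S in the owner triad = SUID (4), s/S in the group triad = SGID (2),
# t/T in the others triad = sticky (1); a capital letter means the special bit
# is set but the execute bit underneath it is not.
mode_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=${s#?}
    [ ${#s} -eq 9 ] || { echo "mode_to_octal: bad mode string '$1'" >&2; return 1; }
    special=0 digits="" triad=0
    while [ "$triad" -lt 3 ]; do
        case $triad in 0) sbit=4 tbit=0 ;; 1) sbit=2 tbit=0 ;; *) sbit=0 tbit=1 ;; esac
        v=0
        for bit in 4 2 1; do
            c=${s%"${s#?}"}          # first remaining character
            s=${s#?}
            case "$bit$c" in
                4r) v=$((v + 4)) ;;
                2w) v=$((v + 2)) ;;
                1x) v=$((v + 1)) ;;
                1s) [ "$sbit" -ne 0 ] || return 1; v=$((v + 1)); special=$((special + sbit)) ;;
                1S) [ "$sbit" -ne 0 ] || return 1; special=$((special + sbit)) ;;
                1t) [ "$tbit" -ne 0 ] || return 1; v=$((v + 1)); special=$((special + tbit)) ;;
                1T) [ "$tbit" -ne 0 ] || return 1; special=$((special + tbit)) ;;
                4-|2-|1-) ;;
                *) echo "mode_to_octal: unexpected '$c' in '$1'" >&2; return 1 ;;
            esac
        done
        digits="$digits$v"
        triad=$((triad + 1))
    done
    if [ "$special" -eq 0 ]; then echo "$digits"; else echo "$special$digits"; fi
}

# default_mode MAX UMASK -> the permissions a new object gets (octal, no leading 0).
# This is MAX AND NOT UMASK.  Plain subtraction (777 - 022 = 755) only happens
# to agree when no umask digit has a bit that MAX lacks; see umask 027 below.
default_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# umask_for MODE -> the umask that makes MODE the default for new directories.
umask_for() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# check_umask_rule UMASK -> creates a file and a directory under UMASK and
# succeeds only if their real modes equal the bitwise prediction.
check_umask_rule() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && : > "$tmp/f" && mkdir "$tmp/d" ) || { rm -rf "$tmp"; return 1; }
    got_f=$(mode_to_octal "$(ls -ld "$tmp/f" | cut -c1-10)")
    got_d=$(mode_to_octal "$(ls -ld "$tmp/d" | cut -c1-10)")
    rm -rf "$tmp"
    [ "$got_f" = "$(default_mode 666 "$1")" ] && [ "$got_d" = "$(default_mode 777 "$1")" ]
}

# Demo with the values used in the notes.
for m in 'drwxr-xr-x' '-rw-r--r--' 'drwxrwxrwt' 'drwxrwsrwx' '-rwsr-xr-x'; do
    printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
printf 'root umask 022: dir %s, file %s\n' "$(default_mode 777 022)" "$(default_mode 666 022)"
printf 'user umask 002: dir %s, file %s\n' "$(default_mode 777 002)" "$(default_mode 666 002)"
printf 'umask 027: file %s (subtraction would wrongly give %o)\n' "$(default_mode 666 027)" $((0666 - 0027))
printf 'umask needed for 750 directories: %s\n' "$(umask_for 750)"
check_umask_rule 022 && echo "the kernel agrees with the bitwise rule for umask 022"
```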
-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------
System recovery techniques
How to check which services are started and stopped at a run level :
# cd /etc/rc5.d // To check at run level 5
# ls -ltr
Output :
K01......
K02......
K03......
.........
.........
.........
.........
S01......
S02......
.........
.........
K = Kill, service will be stopped on the current run level
S = Start, service will start on the current run level
--------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------
Condition 1 : /etc/fstab is corrupted, how to recover
Entry of /boot file system is corrupted in /etc/fstab file
1. Insert the Rescue disk
2. continue
3. ok
4. Shell start --- Enter
5. # chroot /mnt/sysimage
6. # mount -o remount,rw / ['/' in rewritable form]
7. # vi /etc/fstab [correct the /boot entry]
8. exit
9. exit
10. # reboot
Condition 2 : To Recover /etc/passwd
1. Insert the Rescue disk
2. continue
3. ok
4. Shell start --- Enter
5. # chroot /mnt/sysimage
6. # cd /etc
7. # ls [to view the 'passwd-' backup file]
8. # cp -p passwd- /etc/passwd [-p = preserve permissions]
9. exit
10. exit
11. # reboot
--------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------
NFS - General information
Network File System
1 NFS stands for Network File System
2 It is used for sharing files over the network
3 It works over TCP/IP on port 2049
4 It is available in 3 versions : NFS v2, v3 and v4
** Package required to be installed : nfs-utils
** Default sharing (export) configuration file : /etc/exports
----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
Steps : Server side
1 # yum install nfs-utils -y
2 # mkdir /sumit
3 # cd /sumit
4 # touch a b c d e
5 # vim /etc/exports
Insert mode
/sumit 192.168.0.0/24(rw,sync) // to share for the 192.168.0.0/24 IP range only
/sumit *(rw,sync) // to share for all hosts
Esc and :wq
6 # service nfs restart
7 # chkconfig nfs on
8 # exportfs
OR
# exportfs -v
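The following POSIX shell script is an added example and is not part of these notes. Before running exportfs it audits /etc/exports entries in the format written above, flagging the patterns that widen exposure: a wildcard or missing host with rw, no_root_squash, a space between host and options (which exports to every host), and the misspelt option "synch". The sample file is constructed from the two entries above plus a few extra lines; the function name is my own.

```shell
#!/bin/sh
# Added example: audit /etc/exports entries before exporting them.

# audit_exports [FILE]  (reads stdin when FILE is "-" or omitted)
# Prints one "WARN"/"INFO" line per finding and returns 1 if any WARN was found.
audit_exports() {
    awk '
        function warn(msg) { print "WARN " msg; nwarn++ }
        function info(msg) { print "INFO " msg }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        {
            path = $1
            if (NF < 2) { warn(path ": no client list, exported without a host restriction"); next }
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {          # "host(opt,opt)" -> host and opts
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                o = "," opts ","                         # so ",rw," cannot match inside another word
                who = (client == "") ? "(no hostname before the options = every host)" : client
                if (client == "" || client == "*") {
                    if (index(o, ",rw,")) warn(path " -> " who ": writable by any host")
                    else info(path " -> " who ": readable by any host")
                }
                if (index(o, ",no_root_squash,"))
                    warn(path " -> " who ": no_root_squash lets a remote root act as local root")
                if (index(o, ",async,"))
                    info(path " -> " who ": async can lose data on a server crash")
                if (index(o, ",synch,"))
                    warn(path " -> " who ": \"synch\" is not an export option, use sync")
            }
        }
        END { exit (nwarn > 0) }
    ' "${1:--}"
}

# Constructed sample: the two entries from the notes plus a few more cases.
SAMPLE_EXPORTS='# /etc/exports (constructed sample)
/sumit 192.168.0.0/24(rw,synch)
/sumit *(rw,synch)
/public *(ro,sync,root_squash)
/backups 192.168.0.40(rw,sync,no_root_squash)
/home 192.168.0.40 (rw,sync)
/sumit 192.168.0.0/24(rw,sync,root_squash)
'

printf '%s' "$SAMPLE_EXPORTS" | audit_exports - || echo "review the WARN lines before running exportfs"
```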
----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
Steps : Client side
On the client, the NFS share must be mounted, which can be done in any of these ways :
A.) Temporary Mounting
# mount 192.168.0.40:/sumit /mnt
# cd /mnt
# ls -l
B.) Permanent Mounting
# vim /etc/fstab
Insert mode
192.168.0.40:/sumit /nfs nfs defaults 0 0
:wq
# mount -a
C.) On Demand Mounting [automount whenever a user logs in]
** Package name is required : autofs
# yum install autofs -y
# vim /etc/auto.master
Shift+G // to goto last line
Insert mode
/ /etc/auto.nfs
:wq
# vim /etc/auto.nfs
Insert mode
* -rw 192.168.0.40:/& // * matches any directory name requested under the mount point, & substitutes that same name into the server path
:wq
# service autofs stop
# service autofs start
----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
To view the Share available
# showmount -e 192.168.0.40 // IP address of NFS server
----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
To check NFS Share on NFS Client
# cd /net/192.168.0.40/ [use tab to view]
----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
Introduction to mail
Mail Server
Mail server components :
i.) MTA - Mail Transfer Agent
- It is used to relay mail from point to point until it is delivered
- It works on port no 25
- It uses SMTP
ii.) MDA - Mail Delivery Agent
- It delivers mail to the recipient's local message store
- By default, it is /var/spool/mail/user
iii.) MUA - Mail User Agent
- It is used to send and receive email from the client side
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Mail server
# yum install postfix -y
# vim /etc/postfix/main.cf
line no 73 myhostname = your hostname
line no 83 mydomain = your domain name
uncomment 99 myorigin
uncomment 113 inet_interfaces = all
comment 116 inet_interfaces = localhost
uncomment 165
line no 264 mynetworks = 192.168.10.0/24, 127.0.0.0/8
:wq
# service postfix restart
# chkconfig postfix on
---------------------------------------------------------------------------------
Mail Forwarding
# vim /etc/aliases
Goto last line
root: username
:wq
# newaliases
---------------------------------------------------------------------------------
How to send email
# mail user@hostname
OR
# mail root@sama.expanor.local
Subject:
Body of mail
. then Enter // a line containing only a dot ends the message and sends it
---------------------------------------------------------------------------------
To Create Mail box
# yum install mutt -y
# mutt
---------------------------------------------------------------------------------
To view email
# cd /var/spool/mail // one mailbox file per user
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
Boot Process on Redhat
Boot Process in RHEL LINUX
1 POST (Power On Self Test is run) - which checks for hardware devices which are connected physically
2 MBR (Master Boot Record) - i.) Loads the boot loader
ii.) Reads the GRUB information
iii.) Stage 1 - checks for OS installation through CD/DVD
iv.) Stage 2 - checks for the /boot partition, checks vmlinuz (kernel file), checks initramfs
initramfs = it is an image which loads basic device drivers into the kernel
3 Kernel Initialization - initiates files
i.) /etc/sysinit
ii.) /etc/fstab - File system is checked,if corrupted or not
iii.) /etc/hosts - looks for hostname
iv.) /etc/resolv.conf - DNS configured or not
v.) /etc/sysconfig/network-scripts/eth0 - check for IP information
vi.) /etc/sysconfig/network
vii.) /etc/inittab - to check runlevel
4 Run Level - /etc/rc.d/rc0.d
- /etc/rc.d/rc1.d
- /etc/rc.d/rc2.d
- ---------------
- /etc/rc.d/rc6.d
5 Service Startup Phase - /etc/init.d - All the service are checked , Running etc.
6 Run Customized Scripts- /etc/rc.local
7 Terminal Startup - /etc/init/tty.conf - It will look for Virtual Terminal [ALT+CTRL+F1.....F7]
8 Login - /etc/passwd
/etc/shadow
ISCSI set up
ISCSI
- iSCSI stands for Internet Small Computer System Interface
- It is used for accessing a raw partition over the network
- We take space from the SAN, then format it and create a FS on it
- Works on port no. 3260
- Package name - iscsi-initiator-utils [client]
- Service name - iscsid
iSCSI initiator - A client that needs access to SAN storage
iSCSI target - A remote hard disk presented by the iSCSI server or target portal
iSCSI target portal - A server that provides targets over the network to initiators
IQN - iSCSI Qualified Name
--------------------------------------------------------------------------------------------------------------
iSCSI Server (target)
# yum install scsi-target-utils -y
# fdisk /dev/sda
Create a partition // e.g. /dev/sda4
# partx -a /dev/sda
# vim /etc/tgt/targets.conf
Copy lines 31-33 (the sample target block), go to the end of the file (Shift+G), paste them and uncomment them:
<target iqn.2012-09.com.example:TARGETNAME> // TARGETNAME is your own label for the target
backing-store /dev/sda4 // the new partition; an LVM path works too
</target>
:wq
# service tgtd start
# chkconfig tgtd on
# tgt-admin --show
------------------------------------------------------------------------------------
iSCSI Client (initiator)
# yum install iscsi-initiator-utils -y
# man iscsiadm [to see the sample commands]
# iscsiadm --mode discoverydb --type sendtargets --portal 192.168.0.20 --discover // lists the IQNs (iSCSI qualified names) offered by the portal
# iscsiadm --mode node --targetname <IQN from discovery> --portal 192.168.0.20 --login // to log in
# cat /var/log/messages // shows the attached SCSI disk
# dmesg // shows the attached SCSI disk
# fdisk /dev/sdb // dmesg shows which sdX was attached
# mkfs.ext4 /dev/sdb1 // format the new partition
# vim /etc/fstab
UUID=<uuid of /dev/sdb1> /scsi ext4 _netdev 0 0 // _netdev: mount only after the network is up
:wq
# mount -a
# iscsiadm --mode node --targetname <IQN> --portal 192.168.0.20 --logout // to log out
# chkconfig iscsi on
After a reboot of the machine the lost+found directory exists under /scsi (then the setup was successful)
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
How to install/setup vsftpd and run it as inetd service.
1. Install vsftpd
# yum install vsftpd
2. Modify /etc/vsftpd/vsftpd.conf file as follows.
# grep -v '^#' /etc/vsftpd/vsftpd.conf // the active settings, edited with vi, should read:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_std_format=NO
ascii_upload_enable=YES
ascii_download_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
log_ftp_protocol=YES
Note: “listen=YES” is commented out as follow,
#listen=YES
3. Check the status of vsftpd process.
# chkconfig --list | grep vsftpd
4. It should be off; if it is on, turn it off so that vsftpd can run as an xinetd-based service.
Disable the standalone vsftpd service.
# chkconfig vsftpd off
5. Create a file vsftpd under /etc/xinetd.d with the following content.
# vi vsftpd
service ftp
{
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/vsftpd
# server_args =
# log_on_success += DURATION USERID
# log_on_failure += USERID
# nice = 10
disable = no
}
:wq
# ls -l vsftpd
-rw-r--r-- 1 root root 423 Apr 02 09:45 vsftpd
# cd /etc/xinetd.d/
# ls -l vsftpd
-rw-r--r-- 1 root root 427 Aug 6 15:32 vsftpd
6. Restart the inetd services
# /etc/init.d/xinetd restart [or stop/start]
7. Re-verify that vsftpd is not automatically started on reboot.
# chkconfig --list | grep vsftpd
vsftpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
vsftpd: on
8. Verify the content of the file /etc/pam.d/vsftpd
# cat /etc/pam.d/vsftpd
Make sure the file /etc/pam.d/vsftpd exists with the following contents
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so
9. Test your ftp connection from your PC to the server with your id.
Note: You can use pftp or wsftp or winscp to test the connection.
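Added example, not from the post: a small shell audit of a vsftpd.conf like the one above. It reads the uncommented keys the way vsftpd does (last assignment wins) and flags anonymous logins, writable local logins without a chroot, a stray listen=YES (which breaks the xinetd setup) and disabled transfer logging. The sample configuration embedded in the script is a constructed copy of the post's file; chroot_local_user and xferlog_enable are real vsftpd options the post does not set.

```shell
#!/bin/bash
# Added example, not part of the blog post: audit a vsftpd.conf for the
# settings that matter in the xinetd setup above.
# VSFTPD_CONF_SAMPLE is a constructed copy of the post's configuration.

VSFTPD_CONF_SAMPLE='anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_std_format=NO
ascii_upload_enable=YES
ascii_download_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
log_ftp_protocol=YES
#listen=YES'

# vsftpd_get FILE KEY -> prints the value of KEY (last uncommented assignment
# wins, as vsftpd itself does) or nothing when the key is not set.
vsftpd_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }      # commented-out lines do not count
        $1 == key        { val = $2 }  # a later assignment overrides an earlier one
        END              { if (val != "") print val }
    ' "$1"
}

# vsftpd_audit FILE -> prints one finding per line (nothing when clean).
vsftpd_audit() {
    conf="$1"
    # 1. Anonymous logins are off in the post; keep it that way unless the
    #    host is meant to be a public mirror.
    if [ "$(vsftpd_get "$conf" anonymous_enable)" = "YES" ]; then
        echo "anonymous_enable=YES: anonymous logins are allowed"
    fi
    # 2. write_enable=YES without chroot_local_user=YES lets every local user
    #    browse and write anywhere their Unix permissions allow over FTP.
    if [ "$(vsftpd_get "$conf" write_enable)" = "YES" ] &&
       [ "$(vsftpd_get "$conf" chroot_local_user)" != "YES" ]; then
        echo "write_enable=YES without chroot_local_user=YES: local users are not jailed"
    fi
    # 3. Under xinetd, listen=YES must stay commented out; otherwise vsftpd
    #    tries to bind port 21 itself and the xinetd-spawned instance fails.
    if [ "$(vsftpd_get "$conf" listen)" = "YES" ]; then
        echo "listen=YES: standalone mode conflicts with the xinetd setup"
    fi
    # 4. Transfer logging (on by default) is the audit trail; flag it if off.
    if [ "$(vsftpd_get "$conf" xferlog_enable)" = "NO" ]; then
        echo "xferlog_enable=NO: transfer logging is disabled"
    fi
}

# Stand-alone run against the constructed sample; prints the findings.
run_vsftpd_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$VSFTPD_CONF_SAMPLE" > "$tmp"
    vsftpd_audit "$tmp"
    rm -f "$tmp"
}

run_vsftpd_sample
```

Run it as `vsftpd_audit /etc/vsftpd/vsftpd.conf` on the real file; the post's configuration produces exactly one finding (write_enable=YES with no chroot), which is worth deciding on deliberately before letting users log in.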
LVM: how to make a snapshot of root logical volume and rollback it
RHEL6 introduces new features on LVM. One of them is the snapshots.
For this test I made a screenshot of the root logical volume, I deleted the /etc directory and restored it from the screenshot. All worked!
[root@localhost ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/rootvg-rootvol 23G 3.1G 18G 15% /
tmpfs 498M 0 498M 0% /dev/shm
/dev/sda1 485M 33M 427M 8% /boot
[root@localhost ~]# vgs
VG #PV #LV #SN Attr VSize VFree
rootvg 1 2 0 wz--n- 24.51g 0
I saw no free space on rootvg, so I added a new disk.
[root@localhost ~]# sfdisk -l /dev/sdb
Disk /dev/sdb: 652 cylinders, 255 heads, 63 sectors/track
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0
Device Boot Start End #cyls #blocks Id System
/dev/sdb1 0+ 651 652- 5237158+ 8e Linux LVM
/dev/sdb2 0 - 0 0 0 Empty
/dev/sdb3 0 - 0 0 0 Empty
/dev/sdb4 0 - 0 0 0 Empty
[root@localhost ~]# pvcreate /dev/sdb1
Writing physical volume data to disk "/dev/sdb1"
Physical volume "/dev/sdb1" successfully created
[root@localhost ~]# vgextend rootvg /dev/sdb1
Volume group "rootvg" successfully extended
[root@localhost ~]# vgs
VG #PV #LV #SN Attr VSize VFree
rootvg 2 2 0 wz--n- 29.50g 4.99g
Nice. Then I made a screenshot with all the free space on the VG.
[root@localhost ~]# lvcreate -l 100%FREE --snapshot --name rootsnap /dev/rootvg/rootvol
Logical volume "rootsnap" created
[root@localhost ~]# lvs
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert
rootsnap rootvg swi-a-s- 4.99g rootvol 0.00
rootvol rootvg owi-aos- 22.46g
swapvol rootvg -wi-ao-- 2.05g
The s attribute told me that rootsnap is a snapshot!
[root@localhost ~]# lvdisplay /dev/rootvg/rootvol
--- Logical volume ---
LV Path /dev/rootvg/rootvol
LV Name rootvol
VG Name rootvg
LV UUID MgWa8V-yUnK-hqC0-Kv6X-strT-eccc-Kiwt8S
LV Write Access read/write
LV Creation host, time localhost.localdomain, 2013-01-29 19:04:19 +0100
LV snapshot status source of
rootsnap [active]
LV Status available
# open 1
LV Size 22.46 GiB
Current LE 5750
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 253:1
First test I did:
[root@localhost ~]# dd if=/dev/zero of=test.img bs=1024k count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 80.6583 s, 13.0 MB/s
THE SPACE ON THE SNAPSHOT MUST BE CHECKED !!!
[root@localhost ~]# lvs
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert
rootsnap rootvg swi-a-s- 4.99g rootvol 18.21
rootvol rootvg owi-aos- 22.46g
swapvol rootvg -wi-ao-- 2.05g
[root@localhost ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/rootvg-rootvol
23G 4.2G 17G 20% /
tmpfs 498M 0 498M 0% /dev/shm
/dev/sda1 485M 33M 427M 8% /boot
Then I erased the /etc directory!
[root@localhost ~]# rm -rf /etc
[root@localhost ~]# cd /etc
-bash: cd: /etc: No such file or directory
[root@localhost ~]# df -h
df: cannot read table of mounted file systems: No such file or directory
I did a reboot and as expected the system was not able to boot up.
So , I used rescue mode from CD and I ran on the shell:
lvconvert --merge rootvg/rootsnap
At next boot the system came up without any problem/warning!
[root@localhost ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/rootvg-rootvol
23G 3.1G 18G 15% /
tmpfs 498M 0 498M 0% /dev/shm
/dev/sda1 485M 33M 427M 8% /boot
[root@localhost ~]# cd /root
[root@localhost ~]# ls
anaconda-ks.cfg install.log install.log.syslog
( The 1 gb file does not exist anymore )
[root@localhost ~]# lvs
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert
rootvol rootvg -wi-ao-- 22.46g
swapvol rootvg -wi-ao-- 2.05g
( the snapshot is not present )
With this I saw that the system was rolled back successfully.
So I will use this method on RHEL6 for rolling back after patching!
Source: Redhat
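Added example, not from the post above: the post's warning that the space on the snapshot must be checked is the one thing that makes this rollback method safe, because a snapshot whose copy-on-write area hits 100% becomes invalid and can no longer be merged. The script below parses `lvs` output in the default column layout shown in the post and reports snapshots at or above a usage threshold; the embedded `lvs` text is a constructed copy of the post's output, and the threshold is an assumption.

```shell
#!/bin/bash
# Added example, not part of the post: watch the "Data%" column of `lvs` for
# snapshots that are filling up. When the copy-on-write area of a snapshot
# reaches 100% the snapshot becomes invalid and can no longer be merged back,
# so this check has to run while the origin is being written to.
# LVS_SAMPLE is a constructed copy of the `lvs` output in the post (default
# column layout: LV VG Attr LSize Pool Origin Data% ...; Pool is empty here,
# so on a snapshot line Origin is field 5 and Data% is field 6).

LVS_SAMPLE='  LV       VG     Attr       LSize  Pool Origin  Data%  Move Log Copy% Convert
  rootsnap rootvg swi-a-s-    4.99g      rootvol  18.21
  rootvol  rootvg owi-aos-   22.46g
  swapvol  rootvg -wi-ao--    2.05g'

# snapshot_usage -> reads lvs output on stdin and prints "VG/LV PERCENT" for
# every snapshot. Attr byte 1 is 's' for a snapshot and 'S' for a snapshot
# that has already overflowed and is invalid.
snapshot_usage() {
    awk '
        NR == 1 && $1 == "LV" { next }                  # header line
        substr($3, 1, 1) == "s" { printf "%s/%s %s\n", $2, $1, $6 }
        substr($3, 1, 1) == "S" { printf "%s/%s INVALID\n", $2, $1 }
    '
}

# snapshot_alerts THRESHOLD -> reads lvs output on stdin and prints one line
# for each snapshot at or above THRESHOLD percent, or already invalid.
snapshot_alerts() {
    snapshot_usage | awk -v limit="$1" '
        $2 == "INVALID"   { printf "%s: snapshot is INVALID (cow area overflowed)\n", $1; next }
        ($2 + 0) >= limit { printf "%s: snapshot %s%% full, threshold %s%%\n", $1, $2, limit }
    '
}

# Stand-alone run against the sample; on a live host pipe `lvs` in instead:
#   lvs | snapshot_alerts 80
printf '%s\n' "$LVS_SAMPLE" | snapshot_alerts 10
```

With the post's numbers the 1 GB test file pushed the snapshot to 18.21% of its 4.99 GB; a patch run that writes more than the snapshot size would invalidate it, and the rollback described above would no longer be possible.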
Cache only DNS server
DNS [Domain Name System] - Caching only
- DNS is used for IP to host and host to IP resolution
- It works on TCP/IP port no. 53
- Package name - bind [Berkeley Internet Name Domain]
- Service name - named
- Configuration files -
- /etc/named.conf
- /etc/named.rfc1912.zones
- /var/named/named.loopback
- /var/named/named.localhost
Types of DNS server
a.) Master [Primary in Windows]
b.) Slave [Secondary in Windows]
c.) Caching only [Forwarder in Windows]
Forward Lookup Zone :- Name to IP resolution
Reverse Lookup Zone :- IP to Name resolution
Recursive Query : When the DNS query is resolved using a forwarder
==================================================
A caching DNS server stores locally every successful answer it obtained from another DNS server
==================================================
How to Configure
1. Set up the IP, gateway and DNS (its own IP address) manually
2. Enter the DNS IP in your local LAN environment [on the clients]
Server side :
# yum install bind -y
# vim /etc/named.conf
listen-on port 53 { any; }; // around line 10-11
allow-query { localhost; any; };
recursion yes;
forwarders { <main DNS server IP>; }; OR // e.g. the IP address provided by the Airtel broadband ISP
forwarders { <main DNS server IP>; 8.8.8.8; }; // 8.8.8.8 = Google public DNS
:wq
# service named restart
# chkconfig named on
# rndc dumpdb -cache // To write the cache out to the database file
To View Database :
# cd /var/named/data
File name :- cache_dump.db
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
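Added example, not from the post: the named.conf above answers recursive queries for anyone (recursion yes with allow-query { any; } and no allow-recursion), which on a host reachable from the Internet is an open resolver that can be used for reflection/amplification against third parties. A caching server should recurse only for its own LAN. The script below checks a named.conf for that pattern; both embedded configs are constructed samples (the second uses an assumed 192.168.0.0/24 LAN), and the default chain it applies for a missing allow-recursion (allow-query-cache, then allow-query, then localnets/localhost) is BIND 9.4+ behaviour.

```shell
#!/bin/bash
# Added example, not part of the blog post: detect the "open resolver" pattern
# in a named.conf. The two configs below are constructed samples; the first
# mirrors the post's setup, the second limits recursion to one LAN
# (192.168.0.0/24 is an assumed network).

NAMED_CONF_OPEN='options {
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { localhost; any; };
        recursion yes;
        forwarders      { 8.8.8.8; };
};'

NAMED_CONF_RESTRICTED='options {
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { localhost; 192.168.0.0/24; };
        allow-recursion { localhost; 192.168.0.0/24; };
        recursion yes;
        forwarders      { 8.8.8.8; };
};'

# named_option FILE NAME -> prints the value of the first single-line
# statement "NAME value;" (comments stripped), or nothing if absent.
# Multi-line address lists are not handled; the post's file keeps them on one line.
named_option() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" | awk -v name="$2" '
        $1 == name {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # drop the statement name
            sub(/;[[:space:]]*$/, "")                            # drop the trailing ;
            print; exit
        }
    '
}

# acl_has_any "ADDRESS-LIST" -> succeeds when the list contains the "any" match
acl_has_any() {
    printf '%s\n' "$1" | grep -Eq '(^|[{; ])any[;} ]'
}

# named_open_resolver FILE -> prints OPEN when the server would recurse for
# any client on the Internet, RESTRICTED otherwise.
named_open_resolver() {
    conf="$1"
    recursion=$(named_option "$conf" recursion)
    [ -z "$recursion" ] && recursion=yes         # BIND defaults to recursion yes
    if [ "$recursion" != "yes" ]; then
        echo RESTRICTED                           # authoritative-only server
        return 0
    fi
    # Who may recurse: allow-recursion if set; otherwise BIND 9.4+ falls back
    # to allow-query-cache, then allow-query, then "localnets; localhost".
    effective=$(named_option "$conf" allow-recursion)
    [ -z "$effective" ] && effective=$(named_option "$conf" allow-query-cache)
    [ -z "$effective" ] && effective=$(named_option "$conf" allow-query)
    [ -z "$effective" ] && effective='{ localnets; localhost; }'
    if acl_has_any "$effective"; then
        echo OPEN
    else
        echo RESTRICTED
    fi
}

# run_named_samples -> verdict for each constructed config
run_named_samples() {
    tmp=$(mktemp)
    printf '%s\n' "$NAMED_CONF_OPEN" > "$tmp"
    echo "post's config:     $(named_open_resolver "$tmp")"
    printf '%s\n' "$NAMED_CONF_RESTRICTED" > "$tmp"
    echo "restricted config: $(named_open_resolver "$tmp")"
    rm -f "$tmp"
}

run_named_samples
```

On a real server run `named_open_resolver /etc/named.conf`; the fix for an OPEN verdict is an allow-recursion list naming only the LAN, as in the second sample, while allow-query may stay wider if the server also hosts authoritative zones.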
Wednesday, April 23, 2014
Some special characters pronunciation
Character Pronunciation
! bang, exclamation, shriek
* star, asterisk, splat
$ dollar
@ at
% percent
# hash, pound, sharp
& ampersand, amper
" quote, double-quote
' single-quote, tick, apostrophe
( paren open
) paren close
( ) open/close bracket, parentheses
< less than
> greater than
- dash, hyphen, minus, tack
. dot, period
, comma, twitch
/ slash, forward-slash
\ backslash, slosh
: colon, two dots
; semi-colon, semi
= equals
? question-mark
^ caret (pron. carrot), hat
_ underscore, underbar
[ square left bracket
] square right bracket
[ ] open/close square bracket
{ curly, embrace, brace
} curly, unbrace
{ } open/close curly brackets, open/close brace
| pipe, or vertical bar, bar
~ tilde (pron. “til-duh”), twiddle
` backtick
+ plus
|| Double pipe
&& double ampersand
#! sh-bang (hash/bang)
/* slashterix
*/ asterslash
& amper-amp (the HTML and XML code for space)
Tuesday, April 22, 2014
Unable to remove the package on redhat scriptlet failed error..
Unable to remove the package,
error: scriptlet failed, exit status 1
[root@samserv02 ~]# rpm -e CAeAC-1262-2.0.633.x86_64
ERROR: /opt/CA/eTrustAccessControl/lbin/uninstall_AC not found.
Uninstall of CAeAC is not complete.
error: %preun(CAeAC-1262-2.0.633.x86_64) scriptlet failed, exit status 1
[root@samserv02 ~]# rpm -e --noscripts CAeAC-1262-2.0.633.x86_64
[root@samserv02 ~]# rpm -qa | grep -i CAeAC
[root@samserv02 ~]# rpm -qa |grep -i ca-lic
ca-lic-01.90.04-00.x86_64
[root@samserv02 ~]# rpm -e ca-lic-01.90.04-00.x86_64
[root@samserv02 ~]# rpm -qa | egrep -i "CAeAC|ca-lic"
[root@samserv02 ~]#
[root@samserv02 ~]# yum search CAeAC
Loaded plugins: product-id, refresh-packagekit, rhnplugin, security, subscription-manager
====================================== N/S Matched: CAeAC =======================================
CAeAC.x86_64 : CA ControlMinder Solution
Name and summary matches only, use "search all" for everything.
Running Transaction
Error in PREUN scriptlet in rpm package CAeAC
CAeAC-1262-2.0.633.x86_64 was supposed to be removed but is not!
Verifying : CAeAC-1262-2.0.633.x86_64 1/1
Failed:
CAeAC.x86_64 0:1262-2.0.633
Complete!
Wednesday, April 16, 2014
System monitoring with AIDE, SAR and Wireshark
System monitoring techniques :
1. AIDE [Advanced Intrusion Detection Environment]
2. SAR [System Activity Reporter]
AIDE
- AIDE stands for Advanced Intrusion Detection Environment
- Package name:- aide
- Configuration file:- /etc/aide.conf
# yum install aide -y
# vim /etc/aide.conf
Comment out the default entries for every directory/file you do not want to monitor:
# /boot NORMAL
# .............
# .............
# .............
(comment out a line like the one above if you don't want to monitor it)
/test NORMAL // in this example we want to monitor /test
:wq
# mkdir /test
# cd /test
# touch a b c d
# aide --init // To create the database (the snapshot of the monitored files at this time)
# zcat /var/lib/aide/aide.db.new.gz // To view the database
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz // Rename it so it becomes the baseline that later checks compare against
Now, make changes to the files or directories within /test
Add, remove or modify files etc.
# aide --init // Again, a new database is created under the same name (/var/lib/aide/aide.db.new.gz)
# aide --check // To view the changes against the baseline
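Added example, not from the post: what the init/check pair above does, reduced to a sha256 baseline of one directory tree so the mechanism can be seen without installing aide. fim_init plays the part of `aide --init` (plus the rename to the baseline file), fim_check the part of `aide --check`; the directory and baseline paths are assumptions for the example and the scratch files it creates are constructed input.

```shell
#!/bin/bash
# Added example, not part of the blog post: the idea behind `aide --init` and
# `aide --check`, reduced to a sha256 baseline of one directory tree.
# Directory and baseline paths are assumptions for the example.

# fim_init DIR BASELINE -> write "sha256  ./relative/path" for every regular
# file under DIR into BASELINE (the "aide --init" step).
fim_init() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2 > "$2"
}

# fim_check DIR BASELINE -> compare the tree with the baseline and print one
# "added:", "changed:" or "removed:" line per difference (the "aide --check"
# step); prints nothing when the tree still matches the baseline.
fim_check() {
    dir="$1"; baseline="$2"
    current=$(mktemp)
    ( cd "$dir" && find . -type f -exec sha256sum {} + ) > "$current"
    # Paths may contain spaces, so take everything after "hash  " as the path.
    awk '
        { hash = $1; path = substr($0, length($1) + 3) }
        FILENAME == ARGV[1] { base[path] = hash; next }        # baseline entries
        {
            if (!(path in base))         print "added:   " path
            else if (base[path] != hash) print "changed: " path
            seen[path] = 1
        }
        END { for (p in base) if (!(p in seen)) print "removed: " p }
    ' "$baseline" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# run_fim_demo -> builds a scratch tree (constructed input), takes a baseline,
# tampers with the tree and prints what the check reports.
run_fim_demo() {
    d=$(mktemp -d); b=$(mktemp)
    printf 'one\n' > "$d/a"; printf 'two\n' > "$d/b"
    fim_init "$d" "$b"
    printf 'changed\n' > "$d/a"; rm -f "$d/b"; printf 'new\n' > "$d/c"
    fim_check "$d" "$b"
    rm -rf "$d" "$b"
}

run_fim_demo
```

The baseline file is only trustworthy if it is stored where an intruder cannot rewrite it along with the files (read-only media or another host), which is also why aide keeps the freshly generated aide.db.new.gz separate from the aide.db.gz it compares against.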
SAR:- System Activity Reporter
Package name: sysstat
Install:
# yum install sysstat -y
# sar -A // To report all collected activity counters (CPU, memory, I/O, network, etc.)
# sar 2 6 // CPU report; 2 = interval in seconds, 6 = number of reports, i.e. every 2 seconds, 6 times
Network Monitoring
Wireshark is used for Network monitoring
# yum install wireshark-gnome -y
# wireshark