RHEL6.4 Course Summary
Unit 1
Tracking Security Updates
Three categories of errata should be tracked and applied:
RHSA    security advisories
RHBA    bug fix advisories
RHEA    enhancement advisories
yum updateinfo list                          list all available updates with their advisory IDs
yum updateinfo list --cve=CVE-2013-0755      list the update(s) for one specific CVE
yum --security list updates                  list only the security updates
yum updateinfo list | grep 'Critical' | cut -f1 -d ' ' | sort -u | wc -l
                                             count the distinct advisories rated Critical (field 1 is the advisory ID)
Unit 2
Managing Software Updates
rpm -qa > /root/pre-update-software.$(date +%Y%m%d)       save the list of installed packages before updating
yum updateinfo > /root/updateinfo-report.$(date +%Y%m%d)   save the update summary report
yum update --security -y          install only the security updates; make sure gpgcheck=1 is enabled first
yum update --cve=<CVE>            update only the packages that fix a specific CVE
rpm --import <GPG-KEY-FILE>       import the key that signs the installation packages
rpm -qa | grep gpg-pubkey         list the trusted GPG keys
rpm -qi gpg-pubkey                show the details of the imported key package
rpm -K package.rpm                check whether the package's digest (md5) and signature are correct
rpm -vvK package.rpm              the same check with debugging output
rpm -qp --scripts package.rpm     show whether the (not yet installed) package carries any scripts
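The two units above boil down to one habit: count what is pending, snapshot what is installed, update, and compare. The added example below is not part of the course notes; it runs the counting pipeline from Unit 1 over constructed "yum updateinfo list" style lines (the advisory IDs are made up, only the field layout of ID, severity/type and package follows yum's output) and compares two "rpm -qa" snapshots the way you would before and after "yum update --security", so neither yum nor rpm is needed to try it.

```shell
#!/bin/sh
# Added example (not from the course notes): parse "yum updateinfo list"
# style output and compare before/after "rpm -qa" snapshots.
# The advisory lines below are constructed sample data, not real errata.
SAMPLE_UPDATEINFO='RHSA-2013:0001 Critical/Sec. bash-4.1.2-15.el6.x86_64
RHSA-2013:0001 Critical/Sec. bash-doc-4.1.2-15.el6.noarch
RHSA-2013:0002 Important/Sec. openssl-1.0.0-27.el6.x86_64
RHBA-2013:0003 bugfix coreutils-8.4-19.el6.x86_64
RHSA-2013:0004 Critical/Sec. kernel-2.6.32-358.el6.x86_64'

# advisories_by_severity SEVERITY: unique advisory IDs (field 1) of the lines
# on stdin whose severity field starts with SEVERITY, e.g. Critical.
advisories_by_severity() {
    awk -v s="$1" '$2 ~ "^" s "/" { print $1 }' | sort -u
}

# count_advisories SEVERITY: the number the course note gets with
# grep | cut | sort -u | wc -l, but matching only the severity field.
count_advisories() {
    advisories_by_severity "$1" | wc -l | tr -d ' '
}

# new_packages PRE POST / gone_packages PRE POST: compare two "rpm -qa"
# snapshots (one package per line, any order) to see what an update changed.
new_packages() {
    _cmp_snapshots -13 "$1" "$2"
}
gone_packages() {
    _cmp_snapshots -23 "$1" "$2"
}
_cmp_snapshots() {
    a=$(mktemp) && b=$(mktemp) || return 1
    sort "$2" > "$a"; sort "$3" > "$b"      # comm needs sorted input
    comm "$1" "$a" "$b"
    rm -f "$a" "$b"
}

# Stand-alone demo: prints the number of distinct Critical advisories (2)
printf '%s\n' "$SAMPLE_UPDATEINFO" | count_advisories Critical
```

Note that grepping for "Critical" anywhere in the line, as the one-liner in the notes does, would also match a package whose name happened to contain the word; matching on the severity field avoids that.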
Unit 3
Creating File Systems
lvcreate -l 100%FREE -n lvname vgname         -l, --extents LogicalExtentsNumber[%{VG|PVS|FREE|ORIGIN}]
cryptsetup luksFormat /dev/vgname/lvname      type YES (uppercase) to start formatting, then enter the passphrase
cryptsetup luksOpen /dev/vgname/lvname luksname     open the volume and give it a name
mkfs -t ext4 /dev/mapper/luksname             create the file system on the opened volume
mkdir /secret
mount /dev/mapper/luksname /secret
umount /secret
cryptsetup luksClose luksname                 close the encrypted volume
A random key file can be used instead of typing the passphrase:
dd if=/dev/urandom of=/path/to/password/file bs=4096 count=1
chmod 600 /path/to/password/file
cryptsetup luksAddKey /dev/vdaN /path/to/password/file     an existing passphrase must be entered here as well
touch /etc/crypttab
Add to /etc/crypttab:
luksname /dev/vgname/lvname /path/to/password/file
Add the following to /etc/fstab:
/dev/mapper/luksname /secret ext4 defaults 1 2
so that the encrypted volume is opened and mounted automatically at boot
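The key file is the weak point of the automatic-mount setup: anyone who can read it can open the volume. The added example below is not from the course notes and does not run cryptsetup; it creates the key file the way the notes describe (4096 random bytes, mode 600, with the umask set so the file is never world-readable even for an instant), verifies those properties, and prints the crypttab and fstab lines for the placeholder names luksname, /dev/vgname/lvname and /secret.

```shell
#!/bin/sh
# Added example (not from the course notes): create and sanity-check the LUKS
# key file referenced from /etc/crypttab, and print the crypttab/fstab lines.
# cryptsetup is not run; the volume and mount names are placeholders.

# make_keyfile PATH: 4096 random bytes, created with umask 077 so the file is
# 0600 from the start instead of being tightened with chmod afterwards.
make_keyfile() {
    (umask 077 && dd if=/dev/urandom of="$1" bs=4096 count=1 2>/dev/null) || return 1
    chmod 600 "$1"
}

# check_keyfile PATH: 0 only if it is a regular file, mode 600, 4096 bytes.
check_keyfile() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ] || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 4096 ]
}

# crypttab_line NAME DEVICE KEYFILE -> the /etc/crypttab entry
crypttab_line() {
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# fstab_line NAME MOUNTPOINT -> the /etc/fstab entry for the opened volume
fstab_line() {
    printf '/dev/mapper/%s %s ext4 defaults 1 2\n' "$1" "$2"
}

# Stand-alone demo on a temporary directory
demo_dir=$(mktemp -d)
make_keyfile "$demo_dir/luks.key" && check_keyfile "$demo_dir/luks.key" && echo "key file OK"
crypttab_line luksname /dev/vgname/lvname "$demo_dir/luks.key"
fstab_line luksname /secret
rm -rf "$demo_dir"
```

On a real system the key file lives on the root file system (which must itself be available before /etc/crypttab is processed), so keep it under a root-only directory; check_keyfile is the kind of test to add to a hardening script.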
Unit 4
Managing File Systems
nosuid, noexec     mount options: set-user-ID bits are ignored / nothing on the file system may be executed
tune2fs -l /dev/vda1 | head -n 19
tune2fs -l /dev/vda1 | grep 'mount options'      show the default mount options stored in the superblock
tune2fs -o user_xattr,acl /dev/vda1              add ACL support as a default mount option of the partition; alternatively edit /etc/fstab
lsattr               view a file's special attributes
chattr +, -          syntax for adding or removing an attribute
a   append only
i   immutable, no modification allowed
Unit 5
Managing Special Permissions
suid   set-user-ID
sgid   set-group-ID
chmod u+s /path/to/program     whoever runs the program, it executes with the owner's privileges
chmod g+s /path/to/dir         files created in the directory keep the directory's group
find /bin -perm /7000      find everything under /bin with any special bit set
find /bin -perm 4000       exact match of the mode
find /bin -perm -4000      setuid
find /bin -perm -2000      setgid
find /bin -perm -6000      setuid and setgid both set; /6000 matches files with either one
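The three spellings of -perm give different answers, and picking the wrong one is how a setuid binary gets missed in an audit. The added example below is not from the course notes; it builds a scratch directory with files of mode 0755, 4755, 2755 and 6755 (instead of touching /bin) and runs the same find expressions over it so the exact / all-bits / any-bit semantics can be seen side by side. It assumes GNU find, which understands the /MODE form.

```shell
#!/bin/sh
# Added example (not from the course notes): the three forms of find -perm
#   -perm 4755   exact mode
#   -perm -4000  all of the given bits must be set
#   -perm /6000  any of the given bits may be set
# demonstrated on a scratch directory with known modes.

# setup_perm_lab: create files with modes 0755, 4755, 2755, 6755; print the path
setup_perm_lab() {
    d=$(mktemp -d) || return 1
    for f in plain suid sgid both; do : > "$d/$f"; done
    chmod 0755 "$d/plain"
    chmod 4755 "$d/suid"
    chmod 2755 "$d/sgid"
    chmod 6755 "$d/both"
    echo "$d"
}

# count_perm DIR PERM: number of regular files under DIR matching -perm PERM
count_perm() {
    find "$1" -type f -perm "$2" | wc -l | tr -d ' '
}

# list_perm DIR PERM: the matching file names, sorted, for inspection
list_perm() {
    find "$1" -type f -perm "$2" | sed 's#.*/##' | sort
}

# Stand-alone demo: one line per expression with the files it matches
lab=$(setup_perm_lab)
for p in 4755 -4000 -2000 -6000 /6000 /7000; do
    printf '%-6s %s\n' "$p" "$(list_perm "$lab" "$p" | tr '\n' ' ')"
done
rm -rf "$lab"
```

The one that surprises people is "-perm -6000": it only reports the file that has both bits, so a sweep for "all setuid or setgid files" must use "/6000" (or "/7000" to include the sticky bit as well).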
Unit 6
Managing Additional File Access Controls
umask                                  show the current umask value
getfacl somefile                       view the file's ACLs (access control lists)
setfacl -m u:bob:rwx /path/to/file     grant user bob rwx on the file, in addition to the owner and group permissions
setfacl -m d:u:smith:rx subdir         default ACL (d:) for the directory: files created inside subdir give user smith rx
setfacl -m o::r /path/to/file          o:: sets the permission for others to read only (u:: would set the owner's)
Unit 7
Monitoring For File System Changes
AIDE (Advanced Intrusion Detection Environment)
Its main job is checking the integrity of files
yum install -y aide                    aide monitors file permissions and content
grep PERMS /etc/aide.conf              look at the PERMS rule, then add the files to be monitored
PERMS = p+i+u+g+acl+selinux            p permissions, i inode, u user, g group, plus ACL and SELinux context
/etc PERMS
/root/\..* PERMS
aide --init                            initialise the database
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide --check                           compare the monitored files against the database and report what changed
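To see what "aide --init" and "aide --check" actually compare, the added example below (not AIDE, and not the course's own code) implements a miniature baseline-and-check in a few shell functions: for every regular file it records what the PERMS rule covers (permissions, inode, owner, group) plus a SHA-256 of the content, and the check reports added, removed and changed paths. It assumes GNU stat and sha256sum, i.e. a Linux box; the scratch tree in the demo is constructed.

```shell
#!/bin/sh
# Added example (not AIDE, not the course's own code): minimal file-integrity
# baseline and check in the spirit of the PERMS rule plus a content hash.
# Assumes GNU stat and sha256sum. Records are tab-separated so that paths
# containing spaces still work.

# fim_record FILE -> "path<TAB>mode uid gid inode<TAB>sha256"
fim_record() {
    printf '%s\t%s\t%s\n' "$1" "$(stat -c '%a %u %g %i' "$1")" \
        "$(sha256sum < "$1" | cut -d ' ' -f1)"
}

# fim_init DIR DB: write a record for every regular file under DIR into DB
fim_init() {
    find "$1" -type f | sort | while IFS= read -r f; do fim_record "$f"; done > "$2"
}

# fim_check DIR DB: print "changed/added/removed <path>" lines and return 1
# if anything differs from the baseline; return 0 if the tree is untouched.
fim_check() {
    cur=$(mktemp) || return 1
    fim_init "$1" "$cur"
    out=$(awk -F '\t' '
        NR == FNR { old[$1] = $0; next }           # first file is the baseline
        !($1 in old) { print "added " $1; next }
        old[$1] != $0 { print "changed " $1 }
        { delete old[$1] }
        END { for (p in old) print "removed " p }' "$2" "$cur")
    rm -f "$cur"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Stand-alone demo: baseline a scratch tree, alter one file, run the check
demo=$(mktemp -d); db=$(mktemp)
printf 'hello\n' > "$demo/one"; printf 'world\n' > "$demo/two"
fim_init "$demo" "$db"
printf 'tampered\n' > "$demo/one"
fim_check "$demo" "$db" || echo "integrity check reported the change, as expected"
rm -rf "$demo" "$db"
```

The same reasoning explains the mv step in the notes: the database is the reference, so it has to be produced on a known-good system and kept somewhere an intruder cannot rewrite it, otherwise the check compares the tree against the attacker's own baseline.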
Unit 8
Managing User Accounts
chage -m 0 -M 90 -W 7 -I 14 username
-m   minimum days between password changes
-M   maximum days a password stays valid
-W   days of warning before the password expires
-I   days of inactivity after expiry before the account is locked
chage -d 0 username      force the user to change the password at next login
chage -l username        list the user's password ageing settings
userdel -r username      delete the user together with the home directory
grep PASS_M /etc/login.defs      these settings in the configuration file apply to users created afterwards
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
PASS_MAX_DAYS 30
PASS_MIN_DAYS 3
PASS_MIN_LEN 8
getent passwd | cut -d: -f3 | sort -n | uniq -d      check whether any UID is shared by more than one account
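The duplicate-UID pipeline only tells you that a UID is shared; the next question is always which accounts share it. The added example below is not from the course notes: it runs that pipeline over a passwd-format file (a constructed sample with two UID 0 accounts, but a copy of /etc/passwd works the same way), resolves the offending UID back to account names, and reads the PASS_* defaults from a login.defs-style file so a script can assert the policy the notes set. The rule that the last uncommented occurrence of a key wins is an assumption made here.

```shell
#!/bin/sh
# Added example (not from the course notes): duplicate-UID detection on a
# passwd-format file and a reader for PASS_* settings in a login.defs-style
# file. Both samples below are constructed.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
bob:x:1000:1000:Bob:/home/bob:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash'

SAMPLE_LOGIN_DEFS='# PASS_MAX_DAYS Maximum number of days a password may be used.
PASS_MAX_DAYS 30
PASS_MIN_DAYS 3
PASS_MIN_LEN 8
UID_MIN 500'

# dup_uids FILE: UIDs used by more than one account (the pipeline from the notes)
dup_uids() {
    cut -d: -f3 "$1" | sort -n | uniq -d
}

# users_with_uid FILE UID: the account names sharing that UID
users_with_uid() {
    awk -F: -v u="$2" '$3 == u { print $1 }' "$1"
}

# login_defs_value FILE KEY: value of a setting, ignoring comment lines;
# the last uncommented occurrence wins (assumption made in this example)
login_defs_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# password_policy_ok FILE MAXDAYS MINLEN: 0 if PASS_MAX_DAYS <= MAXDAYS and
# PASS_MIN_LEN >= MINLEN, the two settings the notes tighten
password_policy_ok() {
    max=$(login_defs_value "$1" PASS_MAX_DAYS); min=$(login_defs_value "$1" PASS_MIN_LEN)
    [ -n "$max" ] && [ -n "$min" ] && [ "$max" -le "$2" ] && [ "$min" -ge "$3" ]
}

# write_sample passwd|login.defs: write a sample to a temp file, print its path
write_sample() {
    f=$(mktemp) || return 1
    case "$1" in
        passwd)     printf '%s\n' "$SAMPLE_PASSWD" > "$f" ;;
        login.defs) printf '%s\n' "$SAMPLE_LOGIN_DEFS" > "$f" ;;
        *)          rm -f "$f"; return 1 ;;
    esac
    echo "$f"
}

# Stand-alone demo: report every shared UID with the accounts behind it
p=$(write_sample passwd)
for u in $(dup_uids "$p"); do
    echo "UID $u is shared by: $(users_with_uid "$p" "$u" | tr '\n' ' ')"
done
rm -f "$p"
```

A second UID 0 account is the classic thing this check catches, which is why it belongs in a periodic compliance script rather than being run once.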
Unit 9
Managing Pluggable Authentication Modules
PAM (Pluggable Authentication Modules) lets the authentication steps be changed dynamically as needed without rebuilding the programs that use them, which makes authentication far more flexible.
1. Authentication management: accepts the user name and password, authenticates the password and sets up the user's credentials.
2. Account management: checks whether the account may log in at all, whether it has expired and whether logins are restricted to certain times.
3. Password management: mainly used for changing the user's password.
4. Session management: sets up the session and does accounting for it.
On the various Linux distributions the PAM modules are normally stored in /lib/security/; list that directory with ls to see which modules the machine supports (typical names look like pam_unix.so). Adding or removing a module in that directory does not by itself change how any program behaves; what matters is the PAM configuration directory.
PAM configuration files are normally stored in /etc/pam.d/.
To check whether a program supports PAM, use:
ldd `which cmd` | grep libpam      cmd is the name of the program
If the output includes the libpam library, the program supports PAM authentication.
ldd `which login` | grep libpam
libpam.so.0 => /lib64/libpam.so.0 (0x000000326d200000)
libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x000000326b600000)
/etc/pam.d configuration file syntax:
type control module [module arguments]
grep maxlogins /etc/security/limits.conf
# <domain> <type> <item> <value>
# - maxlogins - max number of logins for this user
student - maxlogins 4      limit the user student to 4 simultaneous logins
qa hard cpu 1              hard limit of 1 minute of CPU time for qa
Limiting the number of times a user may enter a wrong password
cat /etc/pam.d/system-auth      password-auth has to be changed in the same way
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=180      3 wrong attempts lock the account for 180 seconds
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
Also note where the line "account required pam_tally2.so" is placed:
account     required      pam_unix.so
pam_tally2                            show the failure counters per user
pam_tally2 --reset -u username        reset the counter and unlock the user
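The position of the pam_tally2 lines is the thing to get right: in the auth stack a "sufficient" module that succeeds ends the stack, so a pam_tally2 line placed after pam_unix would be skipped whenever the correct password is typed, and a locked account would still get in; the account stack needs its own pam_tally2 line so the counter is handled there too. The added example below is not from the course notes; it is a small lint that reads a system-auth style file, checks that the auth pam_tally2 entry precedes the auth pam_unix entry and that an account pam_tally2 entry exists, and extracts the deny= threshold. Both sample files are constructed, one correct and one with the lines in the wrong order.

```shell
#!/bin/sh
# Added example (not from the course notes): lint the pam_tally2 placement in
# a system-auth style file. Both samples are constructed.
SAMPLE_PAM_OK='#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=180
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so'

SAMPLE_PAM_BAD='#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=180
auth        required      pam_deny.so
account     required      pam_unix.so'

# pam_line_no FILE TYPE MODULE: line number of the first "TYPE ... MODULE"
# entry, empty if there is none
pam_line_no() {
    awk -v t="$2" -v m="$3" '$1 == t && $3 == m { print NR; exit }' "$1"
}

# pam_tally2_deny FILE: deny= threshold of the auth pam_tally2 line, empty if none
pam_tally2_deny() {
    awk '$1 == "auth" && $3 == "pam_tally2.so"' "$1" \
        | sed -n 's/.*deny=\([0-9]*\).*/\1/p' | head -n 1
}

# pam_tally2_ok FILE: 0 if auth pam_tally2 precedes auth pam_unix and an
# account pam_tally2 line exists
pam_tally2_ok() {
    t=$(pam_line_no "$1" auth pam_tally2.so)
    u=$(pam_line_no "$1" auth pam_unix.so)
    a=$(pam_line_no "$1" account pam_tally2.so)
    [ -n "$t" ] && [ -n "$u" ] && [ "$t" -lt "$u" ] && [ -n "$a" ]
}

# write_pam_sample ok|bad: write a sample to a temp file and print its path
write_pam_sample() {
    f=$(mktemp) || return 1
    case "$1" in
        ok)  printf '%s\n' "$SAMPLE_PAM_OK" > "$f" ;;
        bad) printf '%s\n' "$SAMPLE_PAM_BAD" > "$f" ;;
        *)   rm -f "$f"; return 1 ;;
    esac
    echo "$f"
}

# Stand-alone demo
for s in ok bad; do
    f=$(write_pam_sample "$s")
    if pam_tally2_ok "$f"; then
        echo "$s: pam_tally2 ordering fine (deny=$(pam_tally2_deny "$f"))"
    else
        echo "$s: pam_tally2 misplaced or missing"
    fi
    rm -f "$f"
done
```

Run the same check against /etc/pam.d/password-auth as well, since the notes point out that both files have to carry the change; a lockout that works for console logins but not for ssh is easy to miss.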
Unit 10
Securing Console Access
The two tools produce different hash types, recognisable by the prefix: grub-crypt gives a $6$ (SHA-based) hash, grub-md5-crypt a $1$ (MD5) hash
grub-crypt
Password:
Retype password:
$6$01wSV5m9GBdGdQ3J$oroEE6jjedQ59yQqJlxwAc1MBPSrdm6ufuUJil5rJaXmLgYNbsjz1F.kQlcrZYcrO5y9h014VkGCsH5PN7TTg.
grub-md5-crypt
Password:
Retype password:
$1$HqxBl1$DVC9jyW6HXZ8.vAlPo2QR1
cat /etc/grub.conf
password --encrypted $6$01wSV5m9GBdGdQ3J$oroEE6jjedQ59yQqJlxwAc1MBPSrdm6ufuUJil5rJaXmLgYNbsjz1F.kQlcrZYcrO5y9h014VkGCsH5PN7TTg.
/etc/issue      shown before authentication
/etc/motd       Message Of The Day, shown after successful authentication
/etc/ssh/sshd_config: PermitRootLogin no      forbid the root user from logging in over ssh
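Two small verifications belong with this unit. The added example below is not from the course notes; it assumes constructed copies of sshd_config and grub.conf with placeholder hash values. The sshd check matters because sshd uses the first value it reads for a keyword (see sshd_config(5)), so appending "PermitRootLogin no" to a file that already says "yes" higher up changes nothing; the function returns the value sshd would actually apply. The grub check only confirms that a "password --encrypted" line is present and carries a $6$ hash rather than an MD5 one.

```shell
#!/bin/sh
# Added example (not from the course notes): verify the effective
# PermitRootLogin value and the grub password line on constructed config
# files. Hash values in the grub sample are placeholders, not real hashes.

# sshd_effective FILE KEYWORD: the value sshd would use, i.e. the first
# uncommented occurrence (keywords are case-insensitive); stops at the first
# Match block because settings inside it are conditional
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }' "$1"
}

# root_ssh_login_disabled FILE: 0 if the effective PermitRootLogin is "no"
root_ssh_login_disabled() {
    [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ]
}

# grub_password_ok FILE: 0 if there is a "password --encrypted" line whose
# hash starts with $6$ (grub-crypt) rather than $1$ (grub-md5-crypt)
grub_password_ok() {
    grep -q '^password[[:space:]][[:space:]]*--encrypted[[:space:]][[:space:]]*\$6\$' "$1"
}

# write_sshd_sample PATH: "yes" first and "no" later, the trap described above
write_sshd_sample() {
    printf '%s\n' '# constructed sample' 'Port 22' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' 'permitrootlogin no' > "$1"
}

# write_grub_sample PATH sha|md5: grub.conf with a $6$ or $1$ password line
write_grub_sample() {
    case "$2" in
        sha) printf '%s\n' 'default=0' 'timeout=5' \
                 'password --encrypted $6$PLACEHOLDERSALT$PLACEHOLDERHASH' > "$1" ;;
        md5) printf '%s\n' 'default=0' 'timeout=5' \
                 'password --encrypted $1$PLACEHOLD$PLACEHOLDERHASH' > "$1" ;;
    esac
}

# Stand-alone demo
tmp=$(mktemp -d)
write_sshd_sample "$tmp/sshd_config"
echo "effective PermitRootLogin: $(sshd_effective "$tmp/sshd_config" PermitRootLogin)"
write_grub_sample "$tmp/grub.conf" sha
grub_password_ok "$tmp/grub.conf" && echo "grub password line uses a \$6\$ hash"
rm -rf "$tmp"
```

On a live host, "sshd -T | grep -i permitrootlogin" is the authoritative answer because it asks the daemon for its resolved configuration; the parser here is for checking files you cannot run sshd against, such as a config pulled from a backup or an image.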
Unit 11
Installing Central Authentication
IdM (Identity Management)
chkconfig NetworkManager off; service NetworkManager stop      turn NetworkManager off, otherwise the ipa-server installation does not work
/etc/sysconfig/network-scripts/ifcfg-eth0      give the NIC a static IP, gateway and DNS, and set NM_CONTROLLED=no
/etc/hosts      add an entry so the machine resolves its own name: ip server.example.com server
yum -y install ipa-server
ipa-server-install --idstart=2000 --idmax=20000      note: give a UID range as well
After the installation the following ports must be opened:
TCP ports:
80, 443     HTTP / HTTPS
389, 636    LDAP / LDAPS
88, 464     Kerberos
UDP ports:
88, 464     Kerberos
123         NTP
The values can also be given as command line parameters so that nothing has to be entered interactively:
ipa-server-install --hostname=server.example.com -n example.com -r EXAMPLE.COM -p RedHat123 -a redhat123 -U
service sshd restart
kinit admin              obtain a Kerberos ticket; an ordinary user has to change the password the first time
ipa user-find admin      verify the installation
Adding users and groups and changing the configuration can also be done in the browser at https://server.example.com, logging in as admin with password redhat123
Client installation:
yum -y install ipa-client
ipa-client-install --mkhomedir      note the --mkhomedir option, which creates the home directory for new users
During the installation authenticate as admin with password redhat123; a non-interactive installation is also possible:
ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p admin -w redhat123 --mkhomedir -U
IdM users can then log in on the client; the home directory is created automatically at the first login
Unit 12
Managing Central Authentication
kinit admin
ipa pwpolicy-show      view the password policy from the command line
kpasswd bob            change a user's password
All of this can also be managed in the browser, including sudoers rules, so that users can use a command such as
Unit 13
Configuring System Logging
rsyslog-gnutls      after installing it, TLS is supported on port 6514
Both the log server and the client run the rsyslog service
Server configuration:
/etc/rsyslog.conf      enable the input module; TCP and UDP are both supported, here TCP is enabled
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
/etc/rsyslog.d/remote.conf      a new file created in the rsyslog.d directory
:fromhost,isequal,"client.example.com" /var/log/client/messages
:fromhost,isequal,"client.example.com" ~
the second line discards the message after it has been written, so the client's messages are stored only in the file above
Client configuration:
/etc/rsyslog.conf      first, all logs are sent to the server and are not kept locally
*.* @@(o)server.example.com:514      two @ signs mean TCP, (o) is an optional framing flag, :514 is the port
logrotate      log rotation tool
logwatch       another useful tool: it mails a daily summary of the important log entries to the configured mailbox
Unit 14
Configuring System Auditing
/etc/sysconfig/auditd
/etc/audit/auditd.conf      the default listening port is TCP 60
/etc/audit/audit.rules      see the man page for the rule syntax
Remote logging through auditd: in /etc/audisp/plugins.d/syslog.conf set active = yes and restart the auditd service
to have the audit records sent to a remote syslog server.
After installing the audispd-plugins package (on each client, i.e. every node) set active = yes in /etc/audisp/plugins.d/au-remote.conf
so that the audit log is sent to the log server.
The exact syntax is in man auditctl
/etc/audit/audit.rules
-w /path/to/file -p rwxa -k key
-e 2
-w   path of the file to audit
-p   accesses to watch: r read, w write, x execute, a attribute change
-k   key, used to find the records later
-e   enabled flag, 0, 1 or 2; once it is set to 2 the rules are locked and nothing further can be added, so put it last (a reboot is needed to change anything)
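Because "-e 2" freezes the rule set, its position in audit.rules is a classic mistake: any rule written after it is silently never loaded. The added example below is not from the course notes and does not run auditctl; it lints an audit.rules-style file (constructed samples) for rules that follow "-e 2" and for -w watches that lack a -k key, which would make their records hard to retrieve with ausearch -k later.

```shell
#!/bin/sh
# Added example (not from the course notes): lint an audit.rules file for
# rules placed after "-e 2" and for watches without a -k key. The rule
# files are constructed; auditctl is not run.

# audit_rules_ok FILE: 0 if -e 2 is the last active rule and every -w has -k
audit_rules_ok() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                  # skip comments and blank lines
        { n++ }
        $1 == "-e" && $2 == "2" { lock = n }
        $1 == "-w" && $0 !~ / -k / { nokey++ }
        END { exit !(lock && lock == n && !nokey) }' "$1"
}

# audit_rules_problems FILE: one line per problem found (empty if fine)
audit_rules_problems() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        locked { print "rule after -e 2 is never loaded: " $0 }
        $1 == "-e" && $2 == "2" { locked = 1 }
        $1 == "-w" && $0 !~ / -k / { print "watch without -k key: " $0 }' "$1"
}

# write_rules PATH good|bad: constructed rule files
write_rules() {
    case "$2" in
        good) printf '%s\n' '# watches' '-w /etc/passwd -p wa -k identity' \
                  '-w /etc/sudoers -p rwxa -k sudoers' '-e 2' > "$1" ;;
        bad)  printf '%s\n' '-w /etc/passwd -p wa -k identity' '-e 2' \
                  '-w /etc/sudoers -p rwxa' > "$1" ;;
    esac
}

# Stand-alone demo
r=$(mktemp)
write_rules "$r" bad
audit_rules_ok "$r" || audit_rules_problems "$r"
rm -f "$r"
```

After editing the real file, "auditctl -l" shows which rules the kernel actually holds; if the list is shorter than the file, the "-e 2" placement is the first thing to check.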
Unit 15
Controlling Access to Network Services
iptables firewall
iptables -L
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -i lo -j ACCEPT      needed by services on the system itself
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 514 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT
service iptables save          save the rules so they survive a restart
cat /etc/sysconfig/iptables    default save location
iptables -nvL --line-numbers   view the rules to verify them
Another useful case is a PPTP server whose clients cannot reach the Internet; -s is the address range the PPTP server assigns automatically after dialling in:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE