{"id":3547,"date":"2014-09-10T22:47:38","date_gmt":"2014-09-10T14:47:38","guid":{"rendered":"http:\/\/rmohan.com\/?p=3547"},"modified":"2014-09-10T22:47:38","modified_gmt":"2014-09-10T14:47:38","slug":"rhel6-4-course-summary","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=3547","title":{"rendered":"RHEL6.4 Course Summary"},"content":{"rendered":"

RHEL6.4 Course Summary<\/p>\n

Unit1
\nTracking Security Updates
\nUpdate the following three categories
\nRHSA
\nRHBA
\nRHEA
\nyum updateinfo list View all updates
\nyum updateinfo list –cve = CVE-2013-0755 View an update
\nyum –security list updates view security update
\nyum updateinfo list | grep ‘Critical’ | cut -f1 -d ” | sort -u | wc -l<\/p>\n

Unit2
\nManaging Software Updates
\nrpm -qa > \/root\/pre-update-software. $ (date +% Y% m% d) all of the packages installed imported into a document
\nyum updateinfo> \/root\/updateinfo-report.$(date +% Y% m% d)
\nyum update –security -y update only security package installed before gpgcheck = 1 to open
\nyum update –cve = <CVE> can update specific
\nrpm –import <GPG-KEY-FILE> Import key installation package
\nrpm -qa | grep gpg-pubkey view credible GPG keys
\nrpm -qi gpg-pubkey view package details
\nrpm -K rpm package installation package to view the md5 value is not correct
\nrpm -vvK rpm package gives debugging information
\nrpm -qp –scripts rpm package to view the installation package has no script<\/p>\n

Unit3
\nCreating File Systems
\nlvcreate -l 100% FREE -n lvname vgname -l, –extents LogicalExtentsNumber [% {VG | PVS | FREE | ORIGIN}]
\ncryptsetup luksFormat \/ dev \/ vgname \/ lvname type YES to start the encryption format, enter the password
\ncryptsetup luksOpen \/ dev \/ vgname \/ lvname luksname opened and named
\nmkfs -t ext4 \/ dev \/ mapper \/ luksname settings file system
\nmkdir \/ secret
\nmount \/ dev \/ mapper \/ luksname \/ secret
\numout \/ secret
\ncryptsetup luksClose luksname off encryption<\/p>\n

dd if = \/ dev \/ urandom of = \/ path \/ to \/ passsword \/ file bs = 4096 count = 1 can also be used to encrypt the plaintext file
\nchmod 600 \/ path \/ to \/ password \/ file
\ncryptsetup luksAddkey \/ dev \/ vdaN \/ path \/ to \/ password \/ file here also need to enter a password
\ntouch \/ etc \/ crypttab
\nluksname \/ dev \/ vgname \/ lvname \/ path \/ to \/ password \/ file
\nIn \/ etc \/ fstab to add the following
\n\/ Dev \/ mapper \/ luksname \/ secret ext4 defaults 1 2 so you can boot automatically mount the encrypted partition<\/p>\n

Unit4
\nManaging File Systems
\nnosuid, noexec command has no suid permissions and execute permissions
\ntune2fs -l \/dev\/vd1 | head -n 19
\ntune2fs -l \/dev\/vda1 | grep ‘mount options’
\ntune2fs -o user_xattr, acl \/dev\/vda1 acl permission to add partitions, you can modify \/etc\/fstab file
\nlsattr view the file special attributes
\nchattr +, – grammar
\nonly a supplementary
\nprohibit modification<\/p>\n

Unit5
\nManaging Special Permissions
\nsuid setUID
\nguid setGID
\nchmod u + s \/path\/to\/procedure everyone has permission to run the program
\nbelongs to the group chmod g + s \/path\/to\/dir generated files folder unchanged
\nfind \/bin -perm \/7000 Find all privileged position under the \/bin
\nfind \/bin -perm 4000 Exact Match
\nfind \/bin -perm -4000 setUID
\nfind \/bin -perm -2000 setGID
\nfind \/bin -perm -6000 setUID and setGID can also use \/6000<\/p>\n

Unit6
\nManaging Additional File Access Controls
\nView umask umask value
\ngetfacl somefile view the file ACLs (access control lists)
\nsetfacl -mu:bob:rwx \/path\/to\/file bob has owned and owning group permissions
\nsetfacl -md:u:smith:rx subdir d u default user permissions rx subdir subdirectories
\nsetfacl -mo::r\/path\/to\/file owner readable<\/p>\n

Unit7
\nMonitoring For File System Changes
\nAIDE (Advanced Intrusion Detection Environment) Advanced Intrusion Detection Environment
\nIts main function is to detect the integrity of the document
\nyum install -y aide aide to monitor file permissions
\ngrep PERMS \/etc\/aide.conf added to monitor file
\nPERMS = p + i + u + g + acl + selinux p permissions, inode, u user, g User Group
\n\/Etc PERMS
\n\/root\/\\..* PERMS
\naide –init initialize the database
\nmv \/var\/lib\/aide\/aide.db.new.gz \/var\/aide\/aide.db.gz
\naide –check on the above changes to the file, check verification<\/p>\n

Unit8
\nManaging User Accounts
\nchage -m 0 -M 90 -W 7 -I 14 username
\n-m min days
\n-M Max days
\n-W Warn days
\n-I Inactive days
\nchage -d 0 username user to change the password at next logon
\nchage -l username listed in the user configuration information
\nuserdel -r while *** user directory username ***
\ngrep PASS_M \/etc\/login.defs in the configuration file can be modified to add the new user to take effect
\n# PASS_MAX_DAYS Maximum number of days a password may be used.
\n# PASS_MIN_DAYS Minimum number of days allowed between password changes.
\n# PASS_MIN_LEN Minimum acceptable password length.
\nPASS_MAX_DAYS 30
\nPASS_MIN_DAYS 3
\nPASS_MIN_LEN 8
\ngetent passwd | cut -d: -f3 | sort -n | uniq -d see if the system has no duplicate account<\/p>\n

Unit9
\nManaging Pluggable Authentication Modules
\nFlexibility PAM Pluggable Authentication Modules can be dynamic content needed to make changes to the verification, it can greatly improve verification
\n1, authentication management (authentication management)
\nAccept the user name and password, then the user’s password for authentication, and is responsible for setting the user’s some secret information
\n2, account management (account management)
\nCheck whether the account is allowed to log into the system, whether the account has expired, account login Is there a limit period of time so
\n3, password management (password management)
\nIs mainly used to modify the user’s password
\n4, the session manager (session management)
\nIs to provide for the session management and accounting (accounting)<\/p>\n

Various Linux distributions, PAM authentication module used is normally stored in the \/ lib \/ security \/ directory, you can use the ls command to see what this computer validation controls to support the general PAM module names such as pam_unix.so, the module can always Add this directory and ***, which does not directly affect the program runs, the specific impact on the PAM configuration directory.
\nPAM configuration file is usually stored in the \/etc\/pam.d\/ directory.
\nCheck whether the program is to support PAM, use the command:
\nldd `which cmd` | grep libpam \/\/ cmd represents the view of the program name
\nIf you include libpam library, the program will support PAM authentication.
\nldd `which login` | grep libpam
\nlibpam.so.0 => \/lib64\/libpam.so.0 (0x000000326d200000)
\nlibpam_misc.so.0 => \/lib64\/libpam_misc.so.0 (0x000000326b600000)
\n\/etc\/pam.d Configuration File Syntax
\ntype control module [module arguments]<\/p>\n

grep maxlogins \/etc\/security\/limits.conf
\n# <Domain> <type> <item> <value>
\n# – Maxlogins – max number of logins for this user
\nstudent – maxlogins 4 users to simultaneously configure the maximum number of logins
\nqa hard cpu 1 configuration cpu time
\nLimit the number of times a user entered password is incorrect
\ncat \/etc\/pam.d\/system-auth same password-auth have to be changed
\n#% PAM-1.0
\n# This file is auto-generated.
\n# User changes will be destroyed the next time authconfig is run.
\nauth required pam_env.so
\nauth required pam_tally2.so onerr = fail deny = 3 unlock_time = 180 3 times wrong banned three minutes
\nauth sufficient pam_fprintd.so
\nauth sufficient pam_unix.so nullok try_first_pass
\nauth requisite pam_succeed_if.so uid> = 1000 quiet_success
\nauth required pam_deny.so<\/p>\n

Also note the position of account required pam_tally2.so placed
\naccount required pam_unix.so<\/p>\n

pam_tally2 View user
\npam_tally2 –reset -u username reset release disabled users<\/p>\n

Unit10
\nSecuring Console Access
\nEncryption is not the same $ 6 sh256 $ 1 md5
\ngrub-crypt
\nPassword:
\nRetype password:
\n$6$01wSV5m9GBdGdQ3J<\/p>\n

$ oroEE6jjedQ59yQqJlxwAc1MBPSrdm6ufuUJil5rJaXmLgYNbsjz1F.kQlcrZYcrO5y9h014VkGCsH5PN7TTg.
\ngrub-md5-crypt
\nPassword:
\nRetype password:
\n$ 1$HqxBl1$DVC9jyW6HXZ8.vAlPo2QR1
\ncat \/etc\/grub.cfg
\npassword –encrypted $ 6 $ 01wSV5m9GBdGdQ3J<\/p>\n

$ oroEE6jjedQ59yQqJlxwAc1MBPSrdm6ufuUJil5rJaXmLgYNbsjz1F.kQlcrZYcrO5y9h014VkGCsH5PN7TTg.
\nBefore \/etc\/issue certification Show
\n\/etc\/motd Message Of The Day and historically certified display after
\n\/etc\/ssh\/sshd_config PermitRootLogin no ban ssh root user login<\/p>\n

Unit11
\nInstalling Central Authentication
\nIdM (Identity Management)
\nchkconfig NetworkManager off; service NetworkManager stop off NetworkManager, otherwise ipa-server installation<\/p>\n

Not on
\n\/etc\/sysconfig\/network-scripts\/ifcfg-eth0 NIC to configure a static IP, gateway,
\nDNS must be configured NM_CONTROLLED=no
\n\/etc\/hosts of the machine to do to resolve ip server.example.com server
\nyum -y install ipa-server
\nipa-server-install –idstart=2000 –idmax=20000 Note to uid plus a range<\/p>\n

The installation is complete need to open the following ports:
\nTCP Ports:
\n80,443 HTTP \/ HTTPS
\n389,636 LDAP \/ LDAPS
\n88,464 kerberos<\/p>\n

UDP Ports:
\n88,464 kerberos
\n123 ntp<\/p>\n

Can also be used to specify a specific command line parameter, so you do not need to specify in the above interactive
\nipa-server-install –hostname=server.example.com -n example.com -r EXAMPLE.COM -p RedHat123 -a<\/p>\n

redhat123 -U<\/p>\n

service sshd restart<\/p>\n

kinit admin initialization, if the average user to change the password the first secondary
\nipa user-find admin verification<\/p>\n

The remaining add users, add the group, modify the configuration information can be operating https:\/\/server.example.com login name admin password in the browser
\nredaht123<\/p>\n

Client installation as follows:<\/p>\n

yum -y install ipa-client<\/p>\n

ipa-client-install –mkhomedir attention to give the new user-generated directory<\/p>\n

During the installation to use admin redhat123 certification at You can also use non-interactive installation<\/p>\n

ipa-client-install –domain =example.com –server =server.example.com –realm =EXAMPLE.COM -p admin -w
\nredhat123 –mkhomedir -U<\/p>\n

Finally, users can idm landed on the client, the home directory is automatically generated after landing
\nUnit12
\nManaging Central Authentication
\nkinit admin
\nipa pwpolicy-show command line view policy
\nkpasswd bob for users to change passwords
\nThese can be operated in the browser, including sudoers, users can use a command such as<\/p>\n

Unit13
\nConfiguring System Logging
\nryslog-gnutls after installation support TLS port 6514
\nLog into the server and client service
\nServer configuration is as follows:
\n\/etc\/rsyslog.conf open port module supports TCP and UDP here to open the TCP
\n# Provides UDP syslog reception
\n#$ModLoad imudp
\n#$UDPServerRun 514
\n#Provides TCP syslog reception
\n$ModLoad imtcp
\n$InputTCPServerRun 514
\n\/etc\/rsyslog.d\/remote.conf This file is in the directory of the new rsyslog.d
\n:fromhost,isequal, “client.example.com” \/var\/log\/client\/messages
\n:fromhost,isequal, “client.example.com” ~ ~ after adding the client’s information is only stored in the above file<\/p>\n

Client configuration is as follows:
\nNote first of all log \/etc\/rsyslog.conf send port, the local is not retained
\n*. *@@(O) server.example.com:514 two @ is gone TCP (o) is the port number for later use
\nlogrotate log segmentation tool<\/p>\n

In fact, there is a logwatch tool, you can send important information to the server specified mailbox every day<\/p>\n

Unit14
\nConfiguring System Auditing
\n\/etc\/sysconfig\/auditd
\n\/etc\/audit\/auditd.conf default port number tcp 60
\n\/etc\/audit\/audit.rules man rules see the syntax
\nremote logging with the auditd \/etc\/audisp\/plugins.d\/syslog.conf setting active = yes and restart auditd service<\/p>\n

Can be used to send information to a remote syslog server
\nAfter installing audispd-plugins package (each client, which is a multi-node), you can open \/etc\/audisp\/plugins.d\/au-remote.conf<\/p>\n

active = yes to the audit log is sent to the log server
\nConcrete syntax can man auditctl
\n\/etc\/audit\/audit.rules
\n-w \/ path \/ to \/ file -p rwxa -k key
\n-e 2
\n-w specified audit file path
\n-p access r read w write x execute a property changes
\n-k key
\n-e setting enabled flag, 0,1,2 can be set up after 2 \/ etc other documents do not add to the mix, there are problems too restart<\/p>\n

Unit15
\nControlling Access to Network Services
\niptables firewall
\niptables -L
\niptables -F
\niptables -X
\niptables -Z
\niptables -A INPUT -i lo -j ACCEPT system service use
\niptables -A INPUT -m state –stat ESTABLISHED, RELATED -j ACCEPT
\niptables -A INPUT -p icmp -j ACCEPT
\niptables -A INPUT -m state –state NEW -p tcp –dport 22 -s 192.168.0.0\/24 -j ACCEPT
\niptables -A INPUT -m state –state NEW -p tcp –dport 80 -s 192.168.0.0\/24 -j ACCEPT
\niptables -A INPUT -m state –state NEW -p tcp –dport 514 -s 192.168.0.0\/24 -j ACCEPT
\niptables -A INPUT -s 192.168.0.0\/24 -j ACCEPT
\niptables -A INPUT -j LOG
\niptables -A INPUT -j REJECT
\nserver iptables save record keeping
\ncat \/etc\/sysconfig\/iptables default save location
\niptables -nvL –line-numbers view verification
\nAnother useful place for PPTP server, Internet problem -s segment after dialling into the PPTP server is automatically assigned IP
\niptables -t nat -A POSTROUTING -s 192.168.0.0\/24 -o eth0 -j MASQUERADE<\/p>\n","protected":false},"excerpt":{"rendered":"

RHEL6.4 Course Summary<\/p>\n

Unit1 Tracking Security Updates Update the following three categories RHSA RHBA RHEA yum updateinfo list View all updates yum updateinfo list –cve = CVE-2013-0755 View an update yum –security list updates view security update yum updateinfo list | grep ‘Critical’ | cut -f1 -d ” | sort -u | wc -l<\/p>\n

Unit2 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3547"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3547"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3547\/revisions"}],"predecessor-version":[{"id":3548,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3547\/revisions\/3548"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3547"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3547"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}