-
Notifications
You must be signed in to change notification settings - Fork 0
/
notatki.RHCSA
288 lines (282 loc) · 13.2 KB
/
notatki.RHCSA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
###############################
DOCUMENTATION IN w /usr/share/doc/
CHANGES MUST SURVIVE REBOOT
REMAMBER TO TURN ON SERVICES YOU INSTALL (OR JUST REBOOT THE TEST MACHINE)
IF SOMETHING DOES NOT WORK - CHECK /var/log/audit/auditlog !
###############################
* processor flags required for hardware virtualization:
- vmx (Intel)
- svm (AMD)
* sha256sum => md5sum
* Anaconda => RedHat installation program
* add 'text' to the kernel command line to force installation in text mode
* przy instalacji można uzyć alt-fX by przełączać się między konsolami,
- F2 - zwykla konsola
- F3,4,5 - logi z instalacji <!!!!>
* RHEL akceptuja "single" na commandline kernela, tak że bootują się
bezpośrednio do root'a
* można zabezpieczyć się przed zmianą hasła root'a przez założenie hasła na
bootloadera
password --md5 $1$0J76U1$lhEIGjrKAL.cm2Cx8fIHB/
* you can also password-protect a menu entry in the same way. This will make
grub to ask for password every time given entry was selected (but it will not
prevent changes to the command line)
* you can check grub help pages by issuing 'grub' and then 'help <command'
* yum - poslugiwanie sie grupami:
yum groupinfo base
yum grouplist
* RHEL uses upstarta
* mount -o loop
* system-config-firewall - na vanilla RHEL, jesli nei ma ferm-a ;) Ale
generalnie to maja zwykly skrypt do zapisywania iptablesow
* minium pamięci na RHEL to 512 MB
* yumdownloader --source vsftpd
* yum-builddep selinux-policy.spec
* by default, anonymous ftp for vsftpd leads to /var/ftp/ directory, due to the
fact that that's ftp user homedir.
* audit2allow -b -> show avc's starting from last boot
* rpm -q -f `which iostat` == dpkg -S iostat
* system-config-authconfig + yum groupinstall "Directory clients" -> enable LDAP
authentication for RHEL. Doing it on the commandline is a PITA. Files of inte-
-rest:
* /etc/pam_ldap.conf/etc/pam_ldap.conf
* /etc/openldap/ldap.conf
* /etc/nsswitch.conf
* virt-install -w bridge=br_tr --prompt - test mode install of the VMs
* chcon -v -R --reference /var/ftp /var/ft
* you can actually install a VM using only a virt-install command:
virt-install -w bridge=br_tr -n centos-test02 -r 768 --disk
path=/dev/mapper/guests_vg-centos--test02 -l
http://172.17.0.4/cblr/links/Centos-6.4-x86_64/ -x
'ks=ftp://172.17.0.16/pub/anaconda-ks.cfg'
* virt-clone --prompt
* tworzenie kickstartu:
- bazujac na /root/anaconda-ks.cfg
- uzywajac system-config-kickstart
* uzywanie kickstartu podczas instalacji RHEL:
- zgranie ks na jakiś nośnik
- edycja commandline jądra przy zabootowaniu instalatora
- dodanie ks=hd:sdb1:/ks.cfg lub ks=ftp://192.168.122.1/pub/ks.cfg
* kickstart documentation: pykickstart-1.74.12-1.el6.noarch ->
/usr/share/doc/pykickstart-1.74.12/kickstart-docs.txt
* sample kickstart (more information in pykickstart package !!!!):
install
url --url ftp://172.17.0.16/pub/inst #### <= this is the most important
# thing that is missing in original post-install kickstart
lang en_US.UTF-8
keyboard pl2
network --onboot yes --device eth0 --bootproto dhcp --noipv6
rootpw --iscrypted $6$8Eivc6KrRg.9avuP$b9bCNXhG0nS6YyXTQAdf03hQY3DyKS...
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc Europe/Warsaw
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb quiet"
clearpart --all --initlabel --drives=sda
part / --fstype=ext4 --size=3000 --grow --fstype=ext4
part swap --size=512
reboot
%packages --nobase
@core
openssh-clients
%end
* to set up a local repo, the only thing that needs to be done is to serve
ISO contents with vsftpd server
* ttys configuration in RHEL can be found in /etc/init/start-ttys.conf and
in /etc/sysconfig/init
* getty - get text console - called by init(8) to open and initialize the
tty line, read a login name, and invoke login(1)
* wc -l < patch : redirect a file to stdin - read it as stdin
* find supports bash wildcards:
find /etc -name '???time'
find /etc -name '*time'
find /etc -name '[abc]*time'
* in the beginig of the exam it may be beneficiary to execute mlocate's job
* $$ - current process pid, usefull i.e. in a script:
renice +19 -p $$ >/dev/null 2>&1
ionice -c2 -n7 -p $$ >/dev/null 2>&1
* instead of cutting/heading/tailing - use awk:
locate -h | awk '/quiet/ {print $3}'
* yy - copy a line in VI to the buffer, instead of ctrl+v and p
* /etc/profile.d/ - environment variables, put an editor script here to change
the editor:
export VISUAL='/usr/bin/vim'
export EDITOR='/usr/bin/vim'
* whatis - search a man page with a given word in a title
* apropos - search a man page with a given work in the description
* to update whatis database you need to rerun whatis cronjob - ITS LIKE
A MLOCATE SERVICE
* fe80::fc54:ff:fe75:78fd/64 <- link-local address, fe80::/64 == network,
the adress itself is created by splitting the MAC address in half and adding
FF:FE in the middle
* ::1 - loobpack address
* :: - default address
* ff:: - multicast address
* ping6 - you need to specify network adapter
ping6 -I eth0 fe80::5054:ff:fe44:1ad1
* ifconfig shows more data than "ip a sh", i.e. collisions
* there are convinience scripts for up/downing the interface (they use the
configuration from the network config files):
- ifup eth0
- ifdown eth0
* netstat -nr <- it shows the status of the route as well compared to 'ip r sh'.
This is esp. imporatnt in determing routes injected by ICMP redirect packet.
* /etc/sysconfig/network -> /usr/share/doc/initscripts-*/sysconfig.txt
* /etc/sysconfig/network-scripts/ifcfg-eth0 -> /usr/share/doc/initscripts-*/sysconfig.txt
* dns resolving workflow:
/etc/nsswitch.conf <- By default among many other database search orders,
it defines the "hosts:" line that firstly the /etc/hosts file should be
consulted, and then the dns resolving should be conducted
/etc/hosts
/etc/resolv.conf <- defines the dns resolving configuration: nameservers,
ndots, etc...
* dot at the end of permissions in ls output means that there are additoinal
permissions controled by SELinux:
-rwxr-xr-x. 1 root root 378 Oct 12 16:33 add_system_to_cobbler.sh
* Something about uid/gid/euid/egid/suid/sgid
uid, gid - IDs of the user who executed the binary/process
euid, egid - effective uids/gids that take part in access policing
suid, sgid - used during changing uids/gids/euid/egids and droping privileges
in general
http://stackoverflow.com/questions/8499296/realuid-saved-uid-effective-uid-whats-going-on
http://www.osso.nl/tech/blog/2012/08/17/setuid-seteuid-uid-euid/
* SUID for file - change euid and suid of the process to the file owner
* SGID for file - change egid and sgid of the process to the file group
* SUID for directory - is ignored
* SGID for directory - all new files inherit group ownership of this directory
* sticky bit for file - ignored
* sticky bit for directory - prevents other users from renaming/deleting other
users files even if they have rwx for that directory
* for RHEL its not possible anymore to create file with execute permission by
default, even if umask is properly set
* in order to utilize ACLs you need to remount filesystem with "acl" option
* a plus sign at the end of permissions in ls output means that there are
additional ACLs applied:
-rw-rw-r--+ 1 kamila kamila 19 Dec 1 21:39 /home/kamila/testfile
* file attributes
lsattr - list attributes for given file
chattr - change attributes for given file
+i - immutable - file cannot be changed/deleted
+a - file can only be appended to - no deleting/purging/changing
* ntpq -p - list ntpd peers
* in cases when yum metadata gets corrupted, the easies way to fix it is to:
* yum clean all
* rm -fr /var/cache/yum/*
* getfacl <- print acl assigned to given file
* setfacl <- set acls for given file:
-m u:vespian:(r|r-x|w|x|etc...) /home/kamila
-x u:vespian /home/kamila <- remove all acl entries for given user and
resource
-b <- remove all non-standard acl entries
acl format: (u|g|o):(uid|gid):perms
* iptables flow chart - check the jpg file attached to the notes
* /etc/sysconfig/selinux <- set the policy type to use/turn on-off selinux
* getenforce/setenforce
* guest_u - no GUI, no networking, no sudo
* xguest_u - GUI, networking only via firefox
* semanage permissive -a DOMAIN <- put a single domain into permissive mode
* audit2allow -M <- odrazu generuje moduly!
* recovery modes:
- init=/bin/sh -> if everythin is fucked up - only rootfs is mounted,
no scripts are started
- single mode -> if the system is fucked up add 'single' to the kernel
command line
- runlevel 1 -> add '1' to the kernel boot comand, type exit/CTRL-D to
continue booting, starts scripts in /etc/rc1.d/
- booting without gui - add '3' to the kernel command line
* kernel parameters are all explained in kernel-parameters.txt file from
kernel-doc package
* grub minimal command line:
find /boot/grub/grub.conf -> scan all partitions in search of given file
cat (hd0,0)/boot/grub/grub.conf -> print a given cfg file
root <- print a current filesystem
tab-completion!
* rescue mode - live image in text mode
* runlevels:
0 - halt
1 - single user mode (but its not the same as linux-single)
5 - gui
6 - reboot
* switching runlevels:
telinit 5
* checking current runlevel:
runlevel -> first digit is previous runlevel, second it the current one
* initctl - command line tool to control upstart daemon
* ALT+LEFTARROW/RIGHTARROW - switch between adjacent terminals
* pvdisplay, vgdisplay, lvdisplay
* right before encrypting a hard drive it is wise to fill it with random data
* sample crypttab entry:
crypt-cos /dev/vdb1 (only first two fields are needed)
* blkid - show UUID -> device mapping
* mount -a -> synchronize fstab contents with filestystem currently mounted (but
it does not change mount-flags)
* automounter
- enables sysadmin to automatically mount filesystems/network shares/cdroms
(on access)
- configured via /etc/auto.{master,misc,net,smb}
- /etc/auto.net is executable, you can use it to list mounts on remote
machine (showmount util can also do it)
- * server:/export/home/& <- wildcard entry, the '&' character will
be replaced by the specified key (man 5 autofs)
* rpm -V package-name <- verify package files for changes
* rpm -K package-file <- verify package signature
* rpm -qi package-name <- query package information
* rpm -e package-name <- erase a package
* rpm -U package-name <- upgrade a package or install if it is not installed yet
* /boot/symvers* <- list of kernel modules along with their versions
* rpm -q package-name <- query a single package
* rpm -Va <- verify all packages
* yum-config-manager <- postconf, but for yum :)
* yum-config-manager --disable/--enable epel <- disable/enable repository
* yum repolist all
* yum list <- list all packages
* yum check-update <- == aptitutde update
* yum downgrade <- downgrade a package
* minimal yum repo basing on the install CD:
- mount DVD to /var/ftp/pub/repo, remamber to match SELinux context
- add folowing repo.conf file to yum configuration
[centosftp]
name=CentOS DVD via FTP
baseurl=ftp://192.168.122.65/pub/repo/
enabled=1
* /root/install.log <- list of packages installed during instalation.
* vipw, vigr <- like visudo but for passwd/groups file :)
* usermod <- use it to set an expiration date for an account
* groupmod <- use it to change GID of a group
* chage <- password aging utility (lock, expire, expiration datae, etc...)
* /etc/securetty - consoles on which root is allowed to log in
* /etc/secuirity/access.conf <- a bit more fine grained control of who can login
using tty consoles
* sg <- su, but for groups :)
* su -c <- execute just one command with elevated privileges
* sg -c <- execute given command with different group id
* sudo -l <- lists all the commands that the user may execute using sudo
* lshw -class network
* /etc/skel <- default environment files for new users
* star <- tar on steroids :)
- in order to create SELinux compatible archives: -xattr and -H=exustar
(create an extended attribute compatible header and store extended attributes)
* vncserver:
- yum search tiger; yum install tigervnc{-server}
- yum groupinstall Desktop
- vim /etc/sysconfig/vncservers
- useradd -m vncuser
- su - vncuser, vncpasswd or just start a server from a commandline
- add startxfce4 to /home/vespian/.vnc/xstartup (or install KDE/Gnome)
* jobspec defining for fg/jobs/bg commands: %1
* ps e <- show environment variables in the output
* run-parts <- runs commands from given directory
* atq, at 12:01AM, at now + 3 minutes <- run a command once at specified time
* /etc/cron.allow <- list users allowed to do crontab -e, /etc/cron.deny is ig-
nored
* /etc/cron.deny <- list users denied crontab -e, cron.allow takes precedence
though
* /etc/at.{allow,deny} <- similar to cron.{allow,deny}
* utmpdump btmp <- list failed login attempts
* lastlog <- list last successful logins for local users
#Optional:
* yum --setopt=group_package_types=optional groupinstall "Remote Desktop Clients"
* recommended way of mounting NFS shares in RHEL:
server1:/pub /share nfs rsize=8192,wsize=8192,timeo=14,intr,udp 0 0
* converting ext2 to ext3: tune2fs -j /dev/sdXX
* converting to ext4 (one-way): tune2fs -O extent,uninit_bg,dir_index /dev/vda1