Anda di halaman 1dari 43

If you choose to use Linux, you will inevitably need to use the terminal or command line console.

Some common popular shells are: bash, csh and tsch among several others. Unix-like system
users are already familiar with the terminal. For Windows users, it is similar to DS-DOS, only
much more powerful. The real power and appeal in Unix and Linux is not only in in the general
free and open nature of the software and ideas (FOSS) but also in the efficient use of the
command line. With the command line you have the flexibility to interact directly with the kernel
(the core of the system) as well as a host of other useful features. You are open to thousands of
different options, commands and tools that, in the end, provide a highly stable, highly
configurable and very highly functional operating environment. Most commands and some
configuration (.conf) files also have man pages or manual pages which allow you to read
about the verbose options and descriptions available. To access man pages type: man

Applicable to Centos Versions:


Centos ALL versions

Requirements
Explanation of requirements.
1. Access to any Unix or Linux system.
2. Desire to learn.

Commonly used terminal commands that


span nearly all Linux distributions
|A|
alias Create an alias, aliases allow a string to be substituted for a word when it is used as the first
word of a simple command. This is a built in bash command.
example: user1@foo ]$ alias la=ls -lAXh color=always|less -R (Now issuing the command la will
actually run a long listing, in color, sorted by extension.) Also see: unalias
apropos Apropos searches a set of database files containing short descriptions of system commands
for keywords and displays the result on the standard output.
example: user1@foo ]$ apropos search (this command displays a list of possible commands and their
respective descriptions with the string search in the command or in the command description.)
|B|
bcwipe Bcwipe repeatedly overwrites special patterns to the files to be destroyed. In normal mode,
35 passes are used (of which 8 are random). Patterns used were recommended in article by Peter
Gutmann (http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html) entitled secure deletion of
data from magnetic and solid-state memory. In quick mode, U.S. DoD(Department of Defence)
5200.28 standard are used with 7 pass wiping. In custom mode U.S. DoD 5200.28 standard are used
with user defined number of passes.
example: user1@foo ]$ bcwipe -ng -r -v /home/temp (this command will do a 35 pass; recursive;
verbose DoD wipe on /home/temp. Usually, bcwipe is used on an entire drive or partition where
sensitive or personal data has been kept to prevent recovery of the data if the drive or system is being
sold or given to an unknown party.)
|C|
cd Change directory, used to navigating directory structures via the command line.
example: user1@foo ]$ cd /etc/X11 (this command changes the current working directory (cwd) to
/etc/X11)
chkconfig Updates and queries runlevel information for system services.
example: user1@foo ]$ chkconfig level 2345 httpd on (the command adds the httpd daemon to start at
runlevels 2,3,4 and 5.)
chmod Change file mode bits.
example: user1@foo ]$ chmod -Rf 700 /home (this command changes everything under /home and all
subdirectories to rwx only for the owner of the file or directory or root.)
chown Change file ownership and group.
example: user1@foo ]$ chown -R user1:user1 /home/testing (this command changes the file ownership
and group ownership of every subdirectory under /home/testing to user1.)
cp Copy files, used for copying files to and from different directories.
example: user1@foo ]$ cp ~/foo.txt /mnt/storage (this command copies the file foo.txt from
/home/user1/foo.txt to /mnt/storage/foo.txt)
|D|
dd Copy a file, converting and formatting according to the specified options.
example: root@foo ]# dd if=/dev/dvd of=dvd_foo.iso (this command creates an iso image from the
device /dev/dvd and writes to a local file (dvd_foo.iso) in the (cwd) current working directory.)
df Displays total disk usage for mounted filesystems.
example: user1@foo ]$ df -h (this command displays the used/free space ratio on all currently mounted
filesystems.)
diff In the simplest case, diff compares the contents of the two files from-file and to-file. A file name
of stands for text read from the standard input. As a special case, diff compares a copy of standard
input to itself. If from-file is a directory and to-file is not, diff compares the file in from-file whose file
name is that of to-file, and vice versa. The non-directory file must not be -. If both from-file and to-file
are directories, diff compares corresponding files in both directories, in alphabetical order; this
comparison is not recursive unless the -r or recursive option is given. diff never compares the actual
contents of a directory as if it were a file. The file that is fully specified may not be standard input,
because standard input is nameless
and the notion of file with the same name does not apply. diff options begin with -, so normally
from-file and to-file may not begin
with -. However, as an argument by itself treats the remaining arguments as file names even if they
begin with -.
example: user1@foo ]$ diif /var/log/messages /var/log/messages.saved (this command displays the
differences between the 2 files.)
dstat Displays a variety of realtime system stats.
example: user1@foo ]$ dstat -f (this command displays realtime stats in the system console.)
du Displays total disk usage for named directories.
example: user1@foo ]$ du -chs /home (this command displays in user readable format the space usage
for the directory /home)
|E|
exit Exits a login terminal or a session as a certain user.
example: root@foo ]# exit (this command will exit the current (# root) shell and drop the user back to
the ($ user) prompt, if logged in via su or su -. )
|F|
fdisk Fdisk is a powerful disk partitioning utility.
example: root@foo ]# fdisk -l (this command lists the currently detected partitions and partition types.
Use the man page to understand the full scope of this very useful and powerful command.)
find Find searches a given directory structure for a named string and displays pertinent results.
example: user1@foo ]$ find ~ -name foo (this searches the user1s home and any subdirectories for any
occurrence of foo and displays the results, if any.)
fsck Fsck initiates filesystem integrity check and repair on unmounted filesystems.
example: root@foo ]# fsck -y /dev/hda1 (this command forces a filesystem check on the partition hda1
and fixes any errors encountered without prompting the user to ok any confimation dialogs. use with
caution and read the man page.)
fuser Identify processes using files or sockets.
example: user1@foo ]$ fuser -m /mnt/floppy (this command searches for processes using /mnt/floppy
and displays the results.)
|G|
grep Grep searches the named input file(s) (or standard input if no files are named, or the file name
is given) for lines containing a match to the given pattern. By default, grep prints the matching lines.
example: user1@foo ]$ rpm -qa | grep foo (this command searches the rpm database for a string foo
and prints any matches it encounters.)
groupadd Create a new group on the system.
example: user1@foo ]$ groupadd mytestgroup (this command creates a group on the system called
mytestgroup.)
|H|
head Ouput the first part of files to the terminal
example: user1@foo ]$ head mytextfile.txt (this command outputs the the first N lines of the file
mytextfile.txt. by defauilt this is 10 lines.)
hostname Hostname is the program that is used to either set or display the current host, domain or
node name of the system. These names are used by many of the networking programs to identify the
machine. The domain name is also used by NIS/YP.
example: user1@foo ]$ hostname (this command displays the current hostname.)
|I|
ifconfig Ifconfig is used to configure the kernel-resident network interfaces. It is used at boot time to
set up interfaces as necessary. After that, it is usually only needed when debugging or when system
tuning is needed. If no arguments are given, ifconfig displays the status of the currently active
interfaces. If a single interface argument is given, it displays the status of the given interface only; if a
single -a argument is given, it displays the status of all interfaces, even those that are down. Otherwise,
it configures an interface.
example: user1@foo ]$ ifconfig (this command issued by itself will print all currently configured
network interfaces.)
ifdown Brings a network interface down (offline) manually.
example: user1@foo ]$ ifdown eth0 (this command brings the network interface eth0 down or
offline.)
iftop Display bandwidth usage on an interface by host.
example: user1@foo ]$ iftop -i wlan0 (this command listens on the wlan0 interface and displays
information about traffic statistics.)
ifup Brings a network interface up (online) manually.
example: user1@foo ]$ ifup eth0 (this command brings the network interface eth0 up or online.)
init Process control initialization.
example: user1@foo ]$ init 3 (this command brings the system into init 3 text-only mode.)
iptraf An interactive colorful IP LAN traffic monitor.
example: user1@foo ]$ iptraf (this command starts iptraf in the terminal.)
|J|
jwhois Jwhois searches Whois servers for the object on the command line. The host to query is taken
from a global configuration file, a configuration file specified on the command line, or selected directly
on the command line.
example: user1@foo ]$ jwhois google.com (this command queries the whois database for the contact
and domain registration details of google.com.)
|K|
kill Terminate a currently running or rogue process. also see: killall
example: user1@foo ]$ kill -9 27068 (this command terminates a process with a process id of 27058
found by using the command ps aux.)
| L|
last Lists users who have recently logged into or out of the system. Also displays time, date and
duration.
example: user1@foo ]$ last (this command lists all of the users who have recently logged into or out of
the system.)
less Less is a program similar to more, but which allows backward movement in the file as well as
forward movement. Also, less does not have to read the entire input file before starting, so with large
input files it starts up faster than text editors like vi. Less uses termcap (or terminfo on some systems),
so it can run on a variety of
terminals. There is even limited support for hardcopy terminals. (on a hardcopy terminal, lines which
should be printed at the top of the screen are prefixed with a caret.)
example: user1@foo ]$ less -p CPU /var/log/dmesg (this command searches /var/log/dmesg for any
instance of the string CPU and displays those lines with CPU highlighted.)
locate Locate, in combination with updatedb provides a secure way to index and quickly search for
files on your system. It uses incremental encoding to compress its database to make searching faster,
but it will also store file permissions and ownership so that users will not see files they do not have
access to.
example: user1@foo ]$ locate gimp (this command searches a secure database starting at / for the given
string. note: you must first run the command updatedb before using locate.)
ls Lists files, directories and their respective permissions (depending on the switches and options
used.)
example: user1@foo ]$ ls -als (this command lists all of the files and subdirectories in the current
working directory (cwd) and
their respective permissions. to slow down long directory listings use: ls -als | less use q to exit.)
lspci lspci is a utility for displaying information about all PCI buses in the system and all devices
connected to them.)
example: user1@foo ]$ lspci -v (this command lists all of the pci devices detected by the system in
verbose mode.)
lsusb lsusb is a utility for displaying information about USB buses in the system and the devices
connected to them. To use lsusb make sure you have usb-utils package installed.)
example: user1@foo ]$ lsusb -v (this command lists all of the usb devices detected by the system in
verbose mode.)
|M|
man Man formats and displays the on-line manual pages. If you specify section, man only looks in
that section of the manual. name is normally the name of the manual page, which is typically the name
of a command, function, or file. However, if name contains a slash (/) then man interprets it as a file
specification, so that you can do man ./foo.5 or even man /cd/foo/bar.1.gz.
example: user1@foo ]$ man sudo (this command will display the sudo command man page and a
verbose list of options and usage.)
more File perusal filter for crt viewing.
example: user1@foo ]$ more +3 myfile.txt (in this example we would see the results of myfile.txt
displayed starting at line 3)
mount Mount a filesystem. see also: umount.
example: root@foo ]# mount -t ext3 /dev/hdk3 /mnt/foo (this command mounts partition 3 on the hard
disk /dev/hdk on /mnt/foo where the user can then access it with the proper rwx permissions.
automounting filesystems can be taken care of in /etc/fstab)
mv Move files from one directory to another. (similar to cut) this option deletes the file from the
original location and moves it to another, it is also used to rename files.)
example: user1@foo ]$ mv foo.rpm foo2.rpm (this command renames foo.rpm to foo2.rpm within
the same directory.)
|N|
nano Nano is a small, free and friendly editor which aims to replace pico, the default editor included
in the non-free pine package. Rather than just copying picos look and feel, nano also implements some
missing (or disabled by default) features in pico, such as search and replace and go to line number.
example: root@foo ]# nano /var/log/dmesg (this command displays the text file /var/log/dmesg in a
terminal window and presents it for editing or reading.)
|O|
octave A high-level interactive language for numerical computations.
example: root@foo ]# octave help (this command will display the options for the octave command.)
|P|
passwd Passwd is used to update a users authentication token(s). Passwd is configured to work
through the Linux-PAM API. Essentially, it initializes itself as a passwd service with Linux-PAM and
utilizes configured password modules to authenticate and then update a users password..
example: user1@foo ]$ passwd newuser (this command prompts the issuer to provide a new password
for the given user and then updates the password database accordingly replacing the previous password
with the new one.)
pkill Look up or signal processes based on name and other attributes.
example: user1@foo ]$ pkill -HUP syslogd (this command makes syslog re-read its configuration file.)
ps Prints a list of currently running processes, their respective owners and process ids.
example: user1@foo ]$ ps aux (this command displays the currently running processes among other
important data about the respective processes.)
pwd Print the name of the working directory.
example: user1@foo ]$ pwd (this command prints the current path/working directory in your shell,
such as: /home/user1/foo)
|Q|
quota Displays a list of users disk usage and limits. By default only the user quotas are printed.
Quota reports the quotas of all the filesystems listed in /etc/mtab. For filesystems that are NFS-mounted
a call to the rpc.rquotad on the server machine is performed to get the information.
example: root@foo ]# quota user1 (this command displays the requested users disk quota usage and
limits.)
|R|
rm Remove files and/or directories.
example: user1@foo ]$ rm -rf ~/temp (this command removes the directory /home/user1/temp)
rsync A faster more flexible replacement for rcp (remote file copy)
example: user1@foo ]$ rsync -avz -e ssh rsync@remote.acme.com:/home/rsync/out/
/home/rsync/from_remote (this command copies the contents of /home/rsync/out to
/home/rsync/from_remote on a remote system.)
(An important thing here, is that the presence or absence of a trailing / in the source directory
determines whether the directory itself is copied, or simply the contents of this source directory.
Leaving out the trailing slash creates the new directory out on the remote machine.)
|S|
service Run a system V init script on the system.
example: user1@foo ]$ service httpd restart (this command restarts a running httpd daemon or starts an
idle/stopped httpd daemon.)
shutdown Bring the system down.
example: user1@foo ]$ shutdown -r now (this command shuts the system down immediately and
reboots.)
ssh Starts the secure shell connection with a system running the sshd (secure shell daemon).
example: user1@foo ]$ ssh 192.168.0.10 (this command initiates a secure shell connection between the
localhost computer and the internal local network computer at 192.168.0.10.)
stat Display file or filesystem status.
example: user1@foo ]$ stat /home (this command displays the status of the /home directory such as,
block size, inodes, links, access and last modified date(s), among other user definable variables.)
strace Trace system calls and signals.
example: user1@foo ]$ strace -p 3284 (this command will start a trace on all system calls and signals
associated with process # 3284.)
su Substitute user command. most commonly used to run commands / daemons which require root
privileges, view / alter certain directories, files and log files.
example: user1@foo ]$ su (this command will prompt the user for the root password and, if supplied
correctly, logs the user into roots profile. the denotes that the user should inherit roots profile and
path. this is quite helpful when issuing commands from many directories without typing the entire path
to the command. system administrators should see the sudo command for extending certain
privileges to users who do not need or cannot be trusted with the root
password.)
sudo Super userdo allows a user to issue some commands which require elevated privileges as
defined in /etc/sudoers but does not require knowledge of the root password.
example: user1@foo ]$ sudo mount -t ext3 /dev/hdk3 /mnt/foo (this command allows a normal user
with sudo privileges to issue a command that requires elevated privileges to run. the user will be
required to enter their own password to complete the command by default, this option can be changed
to not require a password. see: man sudoers)
|T|
tail Output the last part of a file.
example: user1@foo ]$ tail -n 5 vhosts.conf (this command outputs the last 5 lines of the file
vhosts.conf to the terminal.)
tar The tar command compresses or uncompresses tar or tar.gz archived files and directory
structures.
example: user1@foo ]$ tar -xvfz foo.tar.gz (this command uncompresses the file foo.tar.gz into the
cwd.)
top The top program provides a dynamic real-time view of a running system. It can display system
summary information as well as a list of tasks currently being managed by the Linux kernel. The types
of system summary information shown and the types, order and size of information displayed for tasks
are all user configurable and that configuration can be made persistent across restarts. The program
provides a limited interactive interface for process manipulation as well as a much more extensive
interface for personal configuration encompassing every aspect of its operation. And while top is
referred to throughout this document, you are free to name the program anything you wish. That new
name, possibly an alias, will then be reflected on tops display and used when reading and writing a
configuration file.
example: user1@foo ]$ top -u user1 (this command shows all the processes owned by user1 in realtime
in the terminal.)
|U|
uname Print certain system information such as: currently running kernel, hostname, etcetera.
example: user1@foo ]$ uname -a (this command prints information about the currently running kernel
as well as other information.)
useradd When invoked without the -D option, the useradd command creates a new user account
using the values specified on the command line and the default values from the system. Depending on
command line options, the useradd command will update system files and may also create the new
users home directory and copy initial files. The version provided with Red Hat Linux will create a
group for each user added to the system by default.
example: root@foo ]# useradd -d -g 500 newuser (this command adds a new user to the system with a
home directory of /home/newuser and a group id of 500. Alternatively, you can also use somehing like
ftp instead of 500 to specify what group(s) you want to add the new user to. see also: man adduser
and userdel / deluser.)
usermod Modify a user account.
example: user1@foo ]$ usermod -a -G sshusers user1 (this command adds user1 to the group sshusers.)
|V|
vi vi is, quite simply, a programmers terminal-based text editor. vi is on every Unix / Linux system
you will ever encounter and is very powerful. It can be used for high level programming or simply to
edit a text file, save and close it.
example: user1@foo ]$ vi /var/log/dmesg (this command displays the text file /var/log/dmesg in a
terminal window and presents it for editing or reading.)
|W|
wall This command allows root or other users allowed to issue commands as root to send a message
to everyones terminal.
example: user1@foo ]$ wall hows everyone doing today? (this command prints the message hows
everyone doing today? to the terminal.)
wc The wc command prints newline, word, and byte counts for each file, and a total line if more than
one file is specified. With no file, or when file is -, read standard input.
example: user1@foo ]$ wc -l /var/log/dmesg (this command displays the total number of lines in the
text file /var/log/dmesg.)
who Shows who is currently logged on to the system.
example: user1@foo ]$ who -last (this command displays verbose output of the users and processes
logged into the system.)
whois (see jwhois.)
|X|
xrandr Xrandr is used to set the screen size, orientation and/or reflection. The -s option is a small
integer index used to specify which size the screen should be set to. To find out what sizes are
available, use the -q option, which reports the sizes available, the current rotation, and the possible
rotations and reflections. The default size is the first size specified in the list. The -o option is used to
specify the orientation of the screen, and can be one of normal inverted left right 0 1 2 3. The -x
option instructs the server to reflect the screen on the X axis. The -y option instructs the server to
reflect the screen on the Y axis. Reflection is applied after rotation. The -help option prints out a usage
summary. The verbose option tells you what xrandr is doing, selects for events, and tells you when
events are received to enable debugging.
example: user1@foo ]$ xrandr verbose (this command shows the current reflection, rotation and other
information.)
xwininfo Xwininfo is a utility for displaying information about windows. Various
information is displayed depending on which options are selected. If no options are chosen, -stats is
assumed. The user has the option of selecting the target window with the mouse (by clicking any
mouse button in the desired window) or by specifying its
window id on the command line with the -id option. Or instead of specifying the window by its id
number, the -name option may be used to specify which window is desired by name. There is also a
special -root option to quickly obtain information on the
screens root window.
example: user1@foo ]$ xwininfo (this command displays the geometry for the specified window.)
|Y|
yum Yum is a powerful, interactive, and automated package update / query / install program which
can be used for maintaining systems using rpm (Redhat Package Manager).
example: root@foo ]# yum exclude=kernel* update (this common command initiates a full system
update, while telling yum to exclude / ignore any kernel packages.)
|Z|
zip Zip is a compression and file packaging utility for Unix, VMS, MSDOS, OS/2, Windows NT,
Minix, Atari and Macintosh, Amiga and Acorn RISC OS. It is analogous to a combination of the UNIX
commands tar(1) and compress(1) and is compatible with PKZIP (Phil Katzs ZIP for MSDOS
systems). A companion program (unzip), unpacks zip archives. The zip and unzip programs can work
with archives produced by PKZIP, and PKZIP and PKUNZIP can work with archives produced by zip.
Zip version 2.3 is compatible with PKZIP 2.04. Note that PKUNZIP 1.10 cannot extract files produced
by PKZIP 2.04 or zip 2.3. You must use PKUNZIP 2.04g or unzip 5.0p1 (or later versions) to extract
them.
example: user1@foo ]$ zip -r foo1 foo2 (this command creates the archive foo2.zip, containing all the
files and directories in the directory foo1 that is contained within the current directory.)

An Introduction to SELinux on CentOS 7 Part


1: Basic Concepts
PostedSeptember 5, 2014 182.5k views Security CentOS
Introduction
Security Enhanced Linux or SELinux is an advanced access control mechanism built into most modern
Linux distributions. It was initially developed by the US National Security Agency to protect computer
systems from malicious intrusion and tampering. Over time, SELinux was released in the public
domain and various distributions have since incorporated it in their code.
Many system administrators find SELinux a somewhat uncharted territory. The topic can seem
daunting and at times quite confusing. However, a properly configured SELinux system can greatly
reduce security risks, and knowing a bit about it can help you troubleshoot access-related error
messages. In this tutorial we will learn about the concepts behind SELinux its packages, commands,
and configuration files and the error messages it logs when access is denied. We will also see a few
practical instances of putting SELinux in action.
Note
The commands, packages, and files shown in this tutorial were tested on CentOS 7. The
concepts remain the same for other distributions.

In this tutorial, we will be running the commands as the root user unless otherwise stated. If you don't
have access to the root account and use another account with sudo privileges, you need to precede the
commands with the sudo keyword.

Why SELinux
Before we begin, let's understand a few concepts.
SELinux implements what's known as MAC (Mandatory Access Control). This is implemented on top
of what's already present in every Linux distribution, the DAC (Discretionary Access Control).
To understand DAC, let's first consider how traditional Linux file security works.
In a traditional security model, we have three entities: User, Group, and Other (u,g,o) who can have a
combination of Read, Write, and Execute (r,w,x) permissions on a file or directory. If a user jo creates a
file in their home directory, that user will have read/write access to it, and so will the jo group. The
"other" entity will possibly have no access to it. In the following code block, we can consider the
hypothetical contents of jo's home directory.
You don't need to set up this jo user - we'll be setting up plenty of users later in the tutorial.
Running a command like this:
ls -l /home/jo/

can show output like the following:


total 4
-rwxrw-r--. 1 jo jo 41 Aug 6 22:45 myscript.sh

Now jo can change this access. jo can grant (and restrict) access to this file to other users and groups or
change the owner of the file. These actions can leave critical files exposed to accounts who don't need
this access. jo can also restrict to be more secure, but that's discretionary: there's no way for the system
administrator to enforce it for every single file in the system.
Consider another case: when a Linux process runs, it may run as the root user or another account with
superuser privileges. That means if a black-hat hacker takes control of the application, they can use that
application to get access to whatever resource the user account has access to. For processes running as
the root user, basically this means everything in the Linux server.
Think about a scenario where you want to restrict users from executing shell scripts from their home
directories. This can happen when you have developers working on a production system. You would
like them to view log files, but you don't want them to use su or sudo commands, and you don't want
them to run any scripts from their home directories. How do you do that?
SELinux is a way to fine-tune such access control requirements. With SELinux, you can define what a
user or process can do. It confines every process to its own domain so the process can interact with
only certain types of files and other processes from allowed domains. This prevents a hacker from
hijacking any process to gain system-wide access.

Setting Up a Test System


To help us learn the concepts, we will build a test server running both a web and an SFTP server. We
will start with a bare installation of CentOS 7 with minimal packages installed and install the Apache
and vsftp daemons on that server. However, we will not configure either of these applications.
We will also create a few test user accounts in our cloud server. We will use these accounts in different
places throughout the lesson.
Finally, we will install needed SELinux-related packages. This is to ensure we can work with the latest
SELinux commands.

Installing Apache and SFTP Services


First, let's log in to the server as the root user and run the following command to install Apache:
yum install httpd

The output will show the package being downloaded and ask you for permission to install:
Loaded plugins: fastestmirror, langpacks
...
...
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
httpd x86_64 2.4.6-18.el7.centos updates 2.7 M

Transaction Summary
================================================================================
Install 1 Package

Total download size: 2.7 M


Installed size: 9.3 M
Is this ok [y/d/N]:

Pressing y will install the Apache web server daemon.


Downloading packages:
httpd-2.4.6-18.el7.centos.x86_64.rpm | 2.7 MB 00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : httpd-2.4.6-18.el7.centos.x86_64 1/1
Verifying : httpd-2.4.6-18.el7.centos.x86_64 1/1

Installed:
httpd.x86_64 0:2.4.6-18.el7.centos

Complete!

Start the daemon manually:


service httpd start

Running the service httpd status command will show the service is now running:
Redirecting to /bin/systemctl status httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: active (running) since Tue 2014-08-19 13:39:48 EST; 1min 40s ago
Main PID: 339 (httpd)
...
...

Next we will install vsftp:


yum install vsftpd

The output should look similar to the following:


Loaded plugins: fastestmirror, langpacks
...
...
===================================================================================
===========================
Package Arch Version
Repository Size
===================================================================================
===========================
Installing:
vsftpd x86_64 3.0.2-9.el7
base 165 k

Transaction Summary
===================================================================================
===========================
Install 1 Package

Total download size: 165 k


Installed size: 343 k
Is this ok [y/d/N]:

Press y to install the package.


Next, we will use the service vsftpd start command to start the vsftpd daemon. The output
should show something like the following:
Redirecting to /bin/systemctl status vsftpd.service
vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled)
Active: active (running) since Tue 2014-08-19 13:48:57 EST; 4s ago
Process: 599 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited,
status=0/SUCCESS)
Main PID: 600 (vsftpd)
...
...

Installing SELinux Packages


A number of packages are used in SELinux. Some are installed by default. Here is a list for Red Hat-
based distributions:
policycoreutils (provides utilities for managing SELinux)
policycoreutils-python (provides utilities for managing SELinux)
selinux-policy (provides SELinux reference policy)
selinux-policy-targeted (provides SELinux targeted policy)
libselinux-utils (provides some tools for managing SELinux)
setroubleshoot-server (provides tools for deciphering audit log messages)
setools (provides tools for audit log monitoring, querying policy, and file context management)
setools-console (provides tools for audit log monitoring, querying policy, and file context
management)
mcstrans (tools to translate different levels to easy-to-understand format)

Some of these are installed already. To check what SELinux packages are installed on your CentOS 7
system, you can run a few commands like the one below (with different search terms after grep) as
the root user:
rpm -qa | grep selinux

The output should look something like this:


libselinux-utils-2.2.2-6.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.12.1-153.el7.noarch
selinux-policy-3.12.1-153.el7.noarch
libselinux-python-2.2.2-6.el7.x86_64
You can go ahead and install all the packages with the command below (yum will just update any you
already have), or just the ones that you find missing from your system:
yum install policycoreutils policycoreutils-python selinux-policy selinux-policy-
targeted libselinux-utils setroubleshoot-server setools setools-console mcstrans

Now we should have a system that's loaded with all the SELinux packages. We also have Apache and
SFTP servers running with their default configurations. We also have four regular user accounts ready
for testing in addition to the root account.

SELinux Modes
It's time to start playing around with SELinux, so let's begin with SELinux modes. At any one time,
SELinux can be in any of three possible modes:
Enforcing
Permissive
Disabled

In enforcing mode SELinux will enforce its policy on the Linux system and make sure any
unauthorized access attempts by users and processes are denied. The access denials are also written to
relevant log files. We will talk about SELinux policies and audit logs later.
Permissive mode is like a semi-enabled state. SELinux doesn't apply its policy in permissive mode, so
no access is denied. However any policy violation is still logged in the audit logs. It's a great way to
test SELinux before enforcing it.
The disabled mode is self-explanatory the system won't be running with enhanced security.

Checking SELinux Modes and Status


We can run the getenforce command to check the current SELinux mode.
getenforce

SELinux should currently be disabled, so the output will look like this:
Disabled

We can also run the sestatus command:


sestatus

When SELinux is disabled the output will show:


SELinux status: disabled
SELinux Configuration File
The main configuration file for SELinux is /etc/selinux/config. We can run the following command to
view its contents:
cat /etc/selinux/config

The output will look something like this:


# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are
protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

There are two directives in this file. The SELINUX directive dictates the SELinux mode and it can
have three possible values as we discussed before.
The SELINUXTYPE directive determines the policy that will be used. The default value is
targeted. With a targeted policy, SELinux allows you to customize and fine tune access control
permissions. The other possible value is "MLS" (multilevel security), an advanced mode of protection.
Also with MLS, you need to install an additional package.

Enabling and Disabling SELinux


Enabling SELinux is fairly simple; but unlike disabling it, should be done in a two-step process. We
assume that SELinux is currently disabled, and that you've installed all of the SELinux packages from
the earlier section.
As a first step, we need to edit the /etc/selinux/config file to change the SELINUX directive
to permissive mode.
vi /etc/sysconfig/selinux

...
SELINUX=permissive
...

Setting the status to permissive first is necessary because every file in the system needs to have its
context labelled before SELinux can be enforced. Unless all files are properly labelled, processes
running in confined domains may fail because they can't access files with the correct contexts. This can
cause the boot process to fail or start with errors. We will introduce contexts and domains later in the
tutorial.
Now issue a system reboot:
reboot

The reboot process will see all the files in the server labelled with an SELinux context. Since the
system is running in permissive mode, SELinux errors and access denials will be reported but it won't
stop anything.
Log in to your server again as root. Next, search for the string "SELinux is preventing" from the
contents of the /var/log/messages file.
cat /var/log/messages | grep "SELinux is preventing"

If there are no errors reported, we can safely move to the next step. However, it would still be a good
idea to search for text containing "SELinux" in /var/log/messages file. In our system, we ran the
following command:
cat /var/log/messages | grep "SELinux"

This showed some error messages related to the GNOME Desktop that was running. This was
happening when SELInux was either disabled or in permissive mode:
Aug 20 11:31:14 localhost kernel: SELinux: Initializing.
Aug 20 11:31:16 localhost kernel: SELinux: Disabled at runtime.
Aug 20 11:31:21 localhost journal: Unable to lookup SELinux process context:
Invalid argument
Aug 20 11:33:20 localhost gnome-session: SELinux Troubleshooter: Applet requires
SELinux be enabled to run.

Aug 20 11:37:15 localhost kernel: SELinux: Initializing.


Aug 20 11:37:17 localhost kernel: SELinux: Disabled at runtime.
Aug 20 11:37:23 localhost journal: Unable to lookup SELinux process context:
Invalid argument
Aug 20 11:37:44 localhost gnome-session: SELinux Troubleshooter: Applet requires
SELinux be enabled to run.

Aug 20 11:39:42 localhost kernel: SELinux: Initializing.


Aug 20 11:39:44 localhost kernel: SELinux: Disabled at runtime.
Aug 20 11:39:50 localhost journal: Unable to lookup SELinux process context:
Invalid argument

These types of errors are fine.


In the second phase, we need to edit the config file to change the SELINUX directive from permissive
to enforcing in the /etc/sysconfig/selinux file:
...
SELINUX=enforcing
...

Next, reboot the server again.


reboot
Once the server is back online, we can run the sestatus command to check the SELinux status. It
should now show more details about the server:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: error (Success)
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Check the /var/log/messages file:


cat /var/log/messages | grep "SELinux"

There should be no errors. The output should look something like this:
Aug 20 11:42:06 localhost kernel: SELinux: Initializing.
Aug 20 11:42:09 localhost systemd[1]: Successfully loaded SELinux policy in
183.302ms.

Aug 20 11:44:25 localhost kernel: SELinux: Initializing.


Aug 20 11:44:28 localhost systemd[1]: Successfully loaded SELinux policy in
169.039ms.

Checking SELinux Modes and Status (Again)


We can run the getenforce command to check the current SELinux mode.
getenforce

If our system is running in enforcing mode the output will look like this:
Enforcing

The output will be different if SELinux is disabled:


Disabled

We can alo run the sestatus command to get a better picture.


sestatus

If SELinux isn't disabled, the output will show its current status, its current mode, the mode defined in
the configuration file, and the policy type.
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

When SELinux is disabled the output will show:


SELinux status: disabled

We can also temporarily switch between enforcing and permissive modes using the setenforce
command. (Note that we can't run setenforce when SELinux is disabled.)

First change the SELinux mode from enforcing to permissive in our CentOS 7 system:
setenforce permissive

Running the sestatus command now shows the current mode is different from the mode defined in
config file:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Switch back to enforcing:


setenforce enforcing

SELinux Policy
At the heart of SELinux' security engine is its policy. A policy is what the name implies: a set of rules
that define the security and access rights for everything in the system. And when we say everything, we
mean users, roles, processes, and files. The policy defines how each of these entities are related to one
another.

Some Basic Terminology


To understand policy, we have to learn some basic terminology. We will go into the details later, but
here is a brief introduction. An SELinux policy defines user access to roles, role access to domains, and
domain access to types.
Users
SELinux has a set of pre-built users. Every regular Linux user account is mapped to one or more
SELinux users.
In Linux, a user runs a process. This can be as simple as the user jo opening a document in the vi editor
(it will be jo's account running the vi process) or a service account running the httpd daemon. In the
SELinux world, a process (a daemon or a running program) is called a subject.
Roles
A role is like a gateway that sits between a user and a process. A role defines which users can access
that process. Roles are not like groups, but more like filters: a user may enter or assume a role at any
time provided the role grants it. The definition of a role in SELinux policy defines which users have
access to that role. It also defines what process domains the role itself has access to. Roles come into
play because part of SELinux implements what's known as Role Based Access Control (RBAC).
Subjects and Objects
A subject is a process and can potentially affect an object.
An object in SELinux is anything that can be acted upon. This can be a file, a directory, a port, a tcp
socket, the cursor, or perhaps an X server. The actions that a subject can perform on an object are the
subject's permissions.
Domains are for Subjects
A domain is the context within which an SELinux subject (process) can run. That context is like a
wrapper around the subject. It tells the process what it can and can't do. For example, the domain will
define what files, directories, links, devices, or ports are accessible to the subject.
Types are for Objects
A type is the context for a file's context that stipulates the file's purpose. For example, the context of a
file may dictate that it's a web page, or that the file belongs to the /etc directory, or that the file's
owner is a specific SELinux user. A file's context is called its type in SELinux lingo.
So what is SELinux policy?
SELinux policy defines user access to roles, role access to domains, and domain access to types. First
the user has to be authorized to enter a role, and then the role has to be authorized to access the domain.
The domain in turn is restricted to access only certain types of files.
The policy itself is a bunch of rules that say that so-and-so users can assume only so-and-so roles, and
those roles will be authorized to access only so-and-so domains. The domains in turn can access only
so-and-so file types. The following image shows the concept:
Terminology tip: The last bit, where a process running within a particular domain can perform only
certain operations on certain types of objects, is called Type Enforcement (TE).
Coming back to the topic of policies, SELinux policy implementations are also typically targeted by
default. If you remember the SELinux config file that we saw before, the SELINUXTYPE directive is
set to be targeted. What this means is that, by default, SELinux will restrict only certain processes
in the system (i.e. only certain processes are targeted). The ones that are not targeted will run in
unconfined domains.
The alternative is a deny-by-default model where every access is denied unless approved by the policy.
It would be a very secure implementation, but this also means that developers have to anticipate every
single possible permission every single process may need on every single possible object. The default
behaviour sees SELinux concerned with only certain processes.
SELinux Policy Behavior
SELinux policy is not something that replaces traditional DAC security. If a DAC rule prohibits a user
access to a file, SELinux policy rules won't be evaluated because the first line of defense has already
blocked access. SELinux security decisions come into play after DAC security has been evaluated.
When an SELinux-enabled system starts, the policy is loaded into memory. SELinux policy comes in
modular format, much like the kernel modules loaded at boot time. And just like the kernel modules,
they can be dynamically added and removed from memory at run time. The policy store used by
SELinux keeps track of the modules that have been loaded. The sestatus command shows the
policy store name. The semodule -l command lists the SELinux policy modules currently loaded
into memory.
To get a feeling for this, let's run the semodule command:
semodule -l | less

The output will look something like this:


abrt 1.2.0
accountsd 1.0.6
acct 1.5.1
afs 1.8.2
aiccu 1.0.2
aide 1.6.1
ajaxterm 1.0.0
alsa 1.11.4
amanda 1.14.2
amtu 1.2.3
anaconda 1.6.1
antivirus 1.0.0
apache 2.4.0
...
...

semodule can be used for a number other tasks like installing, removing, reloading, upgrading,
enabling and disabling SELinux policy modules.
By now you would probably be interested to know where the module files are located. Most modern
distributions include binary versions of the modules as part of the SELinux packages. The policy files
have a .pp extension. For CentOS 7, we can run the following command:
ls -l /etc/selinux/targeted/modules/active/modules/

The listing shows a number of files with the .pp extension. If you look closely, they will relate to
different applications:
...
-rw-r--r--. 1 root root 10692 Aug 20 11:41 anaconda.pp
-rw-r--r--. 1 root root 11680 Aug 20 11:41 antivirus.pp
-rw-r--r--. 1 root root 24190 Aug 20 11:41 apache.pp
-rw-r--r--. 1 root root 11043 Aug 20 11:41 apcupsd.pp
...

The .pp files are not human readable though.

The way SELinux modularization works is that when the system boots, policy modules are combined
into what's known as the active policy. This policy is then loaded into memory. The combined binary
version of this loaded policy can be found under the /etc/selinux/targeted/policy
directory.
ls -l /etc/selinux/targeted/policy/

will show the active policy.


total 3428
-rw-r--r--. 1 root root 3510001 Aug 20 11:41 policy.29
Changing SELinux Boolean Settings
Although you can't read the policy module files, there's a simple way to tweak their settings. That's
done through SELinux booleans.
To see how it works, let's run the semanage boolean -l command.
semanage boolean -l | less

This shows the different switches that can be turned on or off, what they do, and their current statuses:
ftp_home_dir (off , off) Allow ftp to home dir
smartmon_3ware (off , off) Allow smartmon to 3ware
mpd_enable_homedirs (off , off) Allow mpd to enable homedirs
xdm_sysadm_login (off , off) Allow xdm to sysadm login
xen_use_nfs (off , off) Allow xen to use nfs
mozilla_read_content (off , off) Allow mozilla to read content
ssh_chroot_rw_homedirs (off , off) Allow ssh to chroot rw homedirs
mount_anyfile (on , on) Allow mount to anyfile
...
...

We can see the first option allows the FTP daemon to access users' home directories. The setting is
turned off at the moment.
To change any of the settings, we can use the setsebool command. As an example, let's consider the
anonymous FTP write access:
getsebool ftpd_anon_write

This shows us the switch is off at the moment:


ftpd_anon_write --> off

Next we change the boolean to enable it:


setsebool ftpd_anon_write on

Checking the value again should show the change:


ftpd_anon_write --> on

Changed booleans are not permanent. They revert to their old values after a reboot. To make things
permanent, we can use the -P switch with the setsebool command.

List of Files and Directories


To see the list of files and directories
[root@techbrown~]# ls <options> <arguments>

Options

-l Long list including attributes


-a All files and directories including hidden
-d For a particular file or directory
-R Recursive to see the tree structure

Creation of files
Files can be created by using any of the three methods given below:
Cat command
Touch command
Vi editor

Cat (Concatenation) Command


Creating and displayed text files
[root@techbrown~]# cat <option> <arguments><filesname>

To create a file
[root@techbrown~]# cat > <filename>

To view the contents of a file


[root@techbrown~]# cat <files=name>

To append or add to an existing file


[root@techbrown~]# cat >> <filename>

To combines the data of two or more files into a third file


[root@techbrown~]# cat <first file> <second file> >> <third file>

Touch Command
To create a zero byte file
[root@techbrown~]# touch <filename>

To create multiple zero byte files


[root@techbrown~]# touch <first file> <second file> <third file>

To change the time stamp of a file or directory


[root@techbrown~]# touch <directory or filename>

Vi Editor
To create file
[root@techbrown~]# vi <filename>

Creating Directories
To create a directory
[root@techbrown~]# mkdir <directory name>

To create multiple directories


[root@techbrown~]# mkdir <first dir> <second dir> <third dir>
To create nested directories
[root@techbrown~]# mkdir p <first dir>/<second dir>/<third dir>

Navigation of Directories
To change the directory
[root@techbrown~]# cd <path of the directory>

To change directory one level back


[root@techbrown~]# cd ..

To change directory two levels back


[root@techbrown~]# cd ../..

To change to the last working directory


[root@techbrown~]# cd

To change to the users home directory


[root@techbrown~]# cd

Help or Manual Page


To view the manual page of a command
[root@techbrown~]# man <command>

Copying
To copy a file or directory
[root@techbrown~]# cp <options> <source file> <destination>

Options

-r Recursive (to copy the directory along with its contents)


-v Verbose
-p Copy with permissions

Moving and Renaming


To move a file or directory to a different location
[root@techbrown~]# mv <source file or directory> <destination>

Rename a file or directory


[root@techbrown~]# mv <old name> <new name>

Deleting
To remove or delete an empty directory
[root@techbrown~]# rmdir <directory name>
To remove or delete a file or directory
[root@techbrown~]# rm <option> <file or directory name>

Options

-r Recursive (directory along with contents)


-f forcefully

Some other commands


To see the date
[root@techbrown~]# date

To see the calendar


[root@techbrown~]# cal

File Viewing Commands


To view the contents o f a file screen-wise
[root@techbrown~]# less <file name>

To view the top lines of a file


[root@techbrown~]# head <filename>

[root@techbrown~]# head -5 <filename>

To view the bottom line of a file


[root@techbrown~]# tail <filename>

[root@techbrown~]# tail -3 <filename>

VI editor modes
VI editor has three modes of operations
Command Mode
Insert mode
Ex Mode (Extended Command Mode)

Insert Mode
I Insert the text at the current cursor position.
l Insert the text in beginning of a line
a Adds the text after the current cursor position
A Adds the text at the end of a line
o Insert the text one line below current cursor position
O Insert the text one line above current cursor position

Ex mode
:q Quit without saving
:q! Quit forcefully without saving
:w Write (save)
:wq Save and quit
:wq! Save and quit forcefully
:se nu sets line numbers
:se nonu Remove line numbers
:84 The cursor goes to line 84

Command Mode
dd Deletes a line
ndd Deletes n lines
yy Copies a line
nyy Copies n lines
p Put (pastes the deleted or copied text)
u Undo(you can undo 1000 times)
G Moves the cursor to the last line of the file
Congratulations now you have ready to use Basic Linux Commands on Terminal or Console.

ection 0. Background Information


1.Background Information
In this lesson, you will be exposed to some very common and
popular commands to help you navigate around in the Linux
world via a command line.

2.Pre-requisites
CentOS 6.6: Lesson 1: Installing CentOS 6.6

3. Lab Notes
In this lab we will do the following:
1. Determine who the current user is after switching
user.
2. Determine who the current user was before switching
user.
3. Learning how to create, rename and delete files.
4. Learning how to view files.

4.Legal Disclaimer
As a condition of your use of this Web site, you warrant to
computersecuritystudent.com that you will not use this Web
site for any purpose that is unlawful or that is prohibited
by these terms, conditions, and notices.
In accordance with UCC 2-316, this product is provided
with "no warranties, either express or implied." The
information contained is provided "as-is", with "no
guarantee of merchantability."
In addition, this is a teaching website that does not
condone malicious behavior of any kind.
You are on notice, that continuing and/or using this lab
outside your "own" test environment is considered malicious
and is against the law.
2015 No content replication of any kind is allowed
without express written permission.

Section 1. Configure CentOS-6.6 Virtual Machine Settings


1.Open Your VMware Player
Instructions:
1. On Your Host Computer, Go To
2. Start --> All Program --> VMWare --> VMWare Player

2.Edit CentOS-6.6 Virtual Machine Settings


Instructions:
1. Highlight CentOS-6.6
2. Click Edit virtual machine settings

3.Auto Detect Hard Drive
Instructions:
1. Click on CD/DVD(IDE)
2. Click the Use physical drive: radio button
3. Make sure Auto detect is selected

4. Edit Network Adapter
Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Click the OK Button

Section 2. Play Virtual Machine
1.Start the CentOS-6.6 VM
Instructions:
1. Click on the CentOS-6.6 VM
2. Click on Play virtual machine

Section 3. Login to CentOS
1.Login to CentOS
Note(FYI):
1. Until you click the user, in this case Security
Student, the Password field will not be displayed.
Instructions:
1.Click on Security Student
This will display the password text box.
2. Supply its' password
3. Click the Log In Button

2.Open a Terminal
Instructions:
1. Applications --> System Tools --> Terminal

3.Switch User to root


Instruction:
1. su - root
2. Supply the Root Password
Notes (FYI):
1. su - root, this command allows the user student to
switch user to user root, provided the root password
can be supplied.

4.Get IP Address
Instructions:
1. ifconfig -a
Notes (FYI):
1.As indicated below, my IP address is 192.168.1.101 for
Network Interface eth1.
Please record your IP address
2.The Local Loopback Address is 127.0.0.1 for Network
Interface lo.
The loopback device is a special, virtual network interface
that your computer uses to communicate with itself. When
the network or wifi is disconnected the loopback exists so
applications running on your computer can always connect
to servers on the same machine.

Section 4. Who Am I and Who Was I?


1.Who Am I -and- Who Was I?
Instructions:
1. whoami
2.ps -f
Obtain the PPID associated with the line that
contains "su - root". My PPID is 30234. Record
your PPID.
3. ps -eaf | grep 30234 | grep -v grep
4. who am i
Note(FYI):
1. whoami, this command displays the user name associated
with the current effective user ID.
2.ps -f, this command display processes. Using the ps
command without using the all (-ea) option, will only
display the process for the current effective user.
The (-f) option will display a full listing.
3.ps -eaf | grep 30234 | grep -v grep
ps -eaf, will display all the systems running
processes.
grep 30234, will search for only current PID and
parent PPID processes that contain the string
30234.
grep -v grep, use (-v) to ignore a process line
with grep in it.
Notice the current process (PID) associated with
30234 is the student's bash shell, which is
created during the login process.
4. who am i, will display the original logged in user.
Notice the user is student.

Section 5. Directory Navigation


1.Moving Up and Down a Directory Tree
Instructions:
1. cd /etc/sysconfig/network-scripts
2. pwd
3. cd ../
4. cd ../../
5. pwd
Note(FYI):
1.Change directory to the /etc/sysconfig/network-scripts
directory. Notice network-scripts is three
directories down.
/etc - First level directory
/etc/sysconfig - Second level directory
/etc/sysconfig/network-scripts - Third level
directory
2. pwd, display current working directory.
3. cd ../, change directory one level up from
/etc/sysconfig/network-scripts to /etc/sysconfig.
4. pwd, display current working directory.
5. cd ../../, change directory two level up from
/etc/sysconfig to /.
6. pwd, display current working directory.

2.Go Back To Previous Directory


Instructions:
1. cd /home/student
2. pwd
3. cd /etc/sysconfig/network-scripts
4. pwd
5. cd -
Note(FYI):
1.Change directory to the /home/student directory.
2. pwd, display current working directory.
3.Change directory to the /etc/sysconfig/network-scripts
directory.
4. pwd, display current working directory.
5. cd -, Go back to the previous directory.

3.Go To Current User's home directory


Instructions:
1. cd /
2. pwd
3. whoami
4. grep "^root" /etc/passwd
5. cd ~
6. pwd
Note(FYI):
1.Change directory to the / directory.
2. pwd, display current working directory.
3. whoami, this command displays the user name associated
with the current effective user ID.
4. grep "^root" /etc/passwd, Search the /etc/passwd file
for line in the file that starts with (^) the string
"root".
5.Change directory to the /etc/sysconfig/network-scripts
directory.
6. pwd, display current working directory.
7. cd ~, Go to current user's home directory. The
currently user is root. User root's home directory is
located in "/root".

Section 6. Basic Linux File Types


1.Creating File Types
Instructions:
1. mkdir -p /var/tmp/etc/passwd_dir
2. cd /var/tmp/etc
3. ln -s /etc/passwd passwd_link
4. cp /etc/passwd passwd_file
5. cp passwd_file .passwd_hidden_file
6. ls -la
Note(FYI):
1. mkdir, this command create a directory. The "-p"
option will create any directories that don't already
exist.
2. Change Directory into the /var/tmp/etc directory.
3. Create a softlink or short cut, called passwd_link to
the /etc/passwd.
4. Copy the /etc/passwd file and name it passwd_file
5. Make another copy of the passwd_file and name it
.passwd_hidden_file. In Linux, a file starting with a
period(.) makes it invisible to a regular file
listing.
6.ls -la, The ls command list directory contents. The
"-l" option provides a long listing format. The "-a"
will display invisible files starting with
period(.).

2.Listing Visible and Invisible Files


Instructions:
1. ls -l
2. ls -la
Note(FYI):
1. ls -l, This command displays a long listing of the
visible files. Notice, you cannot see the
.passwd_hidden_file.
2.ls -la, This command displays a long listing of both
visible and invisible files.
1.passwd_dir, is a directory. Notice the
permissions (drwxr-xr-x) start with a "d" that
indicates the file is actually a directory.
2. passwd_file, is a file. The permissions (-rw-r--
r--)start with a "-", which indicates a file.
3. .passwd_hidden_file, is also a file, but since it
starts with a ".", it is not visible to a regular
file listing.
4. passwd_link, is a symbolic link. The permissions
(lrwxrwxrwx) start with a "l", which indicates a
link.

3.Determine File Types


Instructions:
1. file /var/tmp/etc/passwd_file
2. file /var/tmp/etc/passwd_link
3. file /var/tmp/etc/passwd_dir/
4. file /usr/bin/perl
Note(FYI):
1.file, is a command used to determine file types.
1. /var/tmp/etc/passwd_file - ASCII text
2. /var/tmp/etc/passwd_link - Symbolic link
3. /var/tmp/etc/passwd_dir/ - Directory
4. /usr/bin/perl - Executable

4.Listing All Directory Contents


Instructions:
1. ls -alR /var/tmp/etc/
2. find /var/tmp/etc/ -print
Note(FYI):
1. ls -alR /var/tmp/etc/, Recursively(R) long list(l)
all(a) the contents of the /var/tmp/etc/ directory.
Notice that after all the immediate directories and
files have been listed, then all the files located
in /var/tmp/etc/passwd_dir are listed.
2. find /var/tmp/etc/ -print, The find command is used in
the same fashion to list all the files in
/var/tmp/etc. Notice it is a cleaner looking list
that could better be used in a program.

Section 7. Display File Contents


1.Using the cat command (Print Output)
Instructions:
1. cat /var/tmp/etc/passwd_file
Note(FYI):
1. cat, this command can be used for (1) concatenating
files and (2)printing output to the screen. In this
case, we are using it to just display the contents of
a file.

2.Using the cat command (File Creation)


Instructions:
1. cat /var/tmp/etc/passwd_file >
/var/tmp/etc/passwd_file2
2. ls -l /var/tmp/etc/passwd_file*
3. md5sum /var/tmp/etc/passwd_file*
Note(FYI):
1. (cat /var/tmp/etc/passwd_file) will display file
contents to the screen. The the greater than/redirect
operator (>) will redirect the content into another
file called /var/tmp/etc/passwd_file2.
2. (ls -l /var/tmp/etc/passwd_file*), will display all
the files starting with the string passwd_file in
the /var/tmp/etc directory.
3. (md5sum /var/tmp/etc/passwd_file*) will display all
the MD5 checksums for all the files starting with the
string passwd_file.

3.Using the more command


Instructions:
1. more /var/tmp/etc/passwd_file
2. Press <Enter> until off the contents of the file is
displayed.
Note(FYI):
1. more, is a command that is used to page through text
one screenful at a time.

Section 8. Display File Contents


1.Opening a file with VI
Instructions:
1. vi /var/tmp/etc/passwd_file
Note(FYI):
1. vi is a plain text editor.


2.Save and Exit VI
Instructions:
1. Press the <Esc> button
2. Type :wq!

3.Opening a file with gedit


Instructions:
1. gedit /var/tmp/etc/passwd_file 2>/dev/null
2. Click "X" to close gedit
Note(FYI):
1.gedit, is the gnome text editor.

Section 9. Copying, Moving and Deleting Files


1.Opening a file with gedit
Instructions:
1. cd /var/tmp/etc
2. ls -l
3. cp passwd_file2 passwd_file4
4. mv passwd_file4 passwd_file3
5. ls -l
Note(FYI):
1. cd /var/tmp/etc, Change directory into /var/tmp/etc.
2. ls -l, List the files in the /var/tmp/etc directory.
3. cp passwd_file2 passwd_file4, use the copy command
(cp) to copy file passwd_file2 and name the new file
passwd_file4.
4. mv passwd_file4 passwd_file3, use the move/rename
command (mv)to rename passwd_file4 to passwd_file3.
5. ls -l, List the files in the /var/tmp/etc directory.


2.Opening a file with gedit
Instructions:
1. cp passwd_file3 passwd_file5
2. ls -l passwd_file*
3. rm passwd_file5
4. y
5. ls -l passwd_file*
Note(FYI):
1. cp passwd_file3 passwd_file5, use the copy command
(cp) to copy file passwd_file3 and name the new file
passwd_file5.
2. ls -l passwd_file*, In the /var/tmp/etc directory,
list all the files that start with the string
passwd_file. The asterisk(*) is a wild card.
3. rm passwd_file5, use the remove/delete command (rm)to
delete the passwd_file5 file.
4. If you do not use the (-f) option with the rm command,
then you will prompted to re-verify the deletion of a
file.
5. See comment #2.

Section 10. Proof of Lab


1.Proof of Lab
Instructions:
1. find /var/tmp/etc/ -print | xargs ls -lad
2. date
3.echo "Your Name"
Put in your actual name in place of "Your Name"
e.g., echo "John Gray"
Note(FYI):
1.find /var/tmp/etc/ -print | xargs ls -lad
Use (find /var/tmp/etc/ -print)to display all the
file in the /var/tmp/etc directory.
Use (xargs ls -lad) to display the long listing of
both visible and invisible files.
Proof of Lab Instructions
1. Press the <Ctrl> and <Alt> key at the same time.
2. Press the <PrtScn> key.
3. Paste into a word document
4. Upload to Moodle