
#LinuxCBT EL-7 Edition#

Current Release: 7
We will use:
1. CentOS7x
2. RedHat Enterprise 7x

3. Kernel Version: 3.10.x


a. 'kpatch' - dynamic kernel patching facility - Tech Preview
NOTE: Tech Previews are subject to problems that may adversely affect production
NOTE: Positively impacts uptime: kernel (security) fixes can be applied to the running
kernel without a reboot
b. 'modprobe.blacklist=module' - module blacklisting facility, where necessary (if
conflicts with other modules or problematic hardware support or similar)

4. SWAP compression via 'zswap' - automagically-handled by the kernel


5. Supports:
a. graphical (default) - new consolidated GUI (ALL options are on 1 screen)
b. text-based - options are spread across a series of screens
6. 6.5x -> 7x - in-place upgrades supported
NOTE: Documentation says supported, though NOT recommended
NOTE: Back up, and attempt on clone instances first
NOTE: Clone instance should carry the APP stack, not the data: i.e. '/home'
7. Installable from:
a. Local media: CDs | DVDs
b. ISO images
b1. DVD image - most of the common selectable packages and package groups
b2. Everything image - ALL available packages - CentOS
b3. Network-based - Minimal installation - fetches remainder from Net
b4. Live images - GNOME | KDE

8. GUI - Desktop (Window Dressing)


a. GNOME 3
a1. GNOME Boxes (Virtualization light)
b. KDE

9. 'systemd' - replaces 'sysv' and 'upstart' - remains SysV and LSB init-script
compatible
10. 'NetworkManager' - now includes FULL CLI support and improved NIC management
NOTE: NetworkManager supports traditional NIC interface scripts
11. 'firewalld' - firewall manager
12. 40Gbps Ethernet support
13. KVM - Virtualization
14. Open VMWare Tools are included
NOTE: Improves performance and manageability within VMWare HOSTS (ESX, etc.)
15. XFS - Default FS for new installations
a. 16-Exabyte FS (architectural limit; Red Hat's supported XFS size in RHEL 7 is
500TiB)
b. 8-Exabyte Files
c. Online up-sizing (NOT downsizing)
16. GRUB2 - Default Bootloader - GPT, EFI, BIOS, OpenFirmware support
17. Platforms:
a. x86_64 (64-bit) - Intel | AMD
b. IBM Power7
c. SystemZ 196+
18. Storage: 7.5GB or higher
19. Installation is consolidated and uses the same detection tools used at run-time
20. Installer makes sensible partitioning decisions, especially when storage is
limited, reducing the footprint to 2-partitions:
a. /
b. SWAP

# GUI Installation of RedHat Enterprise 7x#

1. DVD ISO - most packages


2. Deploy within VMWare ESXi
3. Install from Windows Management GUI - VSphere Client

NOTE: New installer presents consolidated GUI interface (ALL options) on 1 screen
NOTE: Multiple tasks can be carried out during installation: i.e. 'root password',
'additional user' and the like
NOTE: Configure NIC prior to NTP configuration
NOTE: Initial Kickstart file is still written to shorten the time required for
subsequent installs: '/root/anaconda-ks.cfg'

NOTE: Default GNOME (GDM) LOGIN screen lets anyone, unauthenticated, restart |
power-off the system. Will tweak later.

# Text-based Installation #
1. CentOS 7x
2. RedHat Enterprise 7x

NOTE: It's as simple as passing the string: 'inst.text' on the kernel's command line
during installation

NOTE: The installation process is carried out via TEXT but does NOT impact the
outcome of the installed server's interface. i.e., server may run with or without a
GUI.

NOTE: It's merely a matter of the interface that is presented during installation,
indicated by the 'inst.text' option passed to the installation kernel's command
line (CLI)
NOTE: Ensure that you select: 'Tab' during the installation's main GRUB2 menu
presentation and modify the kernel line to include: 'inst.text' to invoke TEXT-mode

NOTE: Sometimes VMWare ESXi does NOT update the screen when it receives no stream
of data from the GUEST, which results in console-access delays.

NOTE: 'inst.text' TEXT Mode installation results in a system that boots to
multi-user.target (runlevel 3) by default. 'init 5' or 'systemctl isolate
graphical.target' enters the GUI for this boot; make it permanent with 'systemctl
set-default graphical.target' - '/etc/inittab' is no longer consulted under systemd

# Network-based (HTTP) #
Requirements:
1. HTTPD instance somewhere: i.e. IIS, Apache, etc.
2. Export of the tree (ISO image) to the HTTP share location (URL)
3. Client-side - minimal (network boot) ISO image - Net access
NOTE: PXE-booting obviates the need for any local media - look at this if desired

Tasks:
1. Explore HTTP configuration
a. 192.168.75.101/{RHEL,CentOS}
a1. http://192.168.75.101/CentOS/7
a2. http://192.168.75.101/RHEL/7

NOTE: Any of the ISO images will let you change the source to a network source
# Kickstart Configuration #
Features:
1. Automates delivery - rapid provisioning

NOTE: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html

2. Post-installation, '~root/anaconda-ks.cfg' file is created


This file represents the settings associated with the current installation
NOTE: If you, as we will, re-install existing systems using the resultant KS CFG
file, expect at least 1 prompt during installation concerning the target disk:
existing partitions are not wiped unless the file carries 'clearpart' (i.e.
'clearpart --all --initlabel') and 'zerombr'

3. The location of the CFG file MUST be specified upon installation invocation
a. 'Tab' at main GRUB screen, indicate that KS is desired:
a1. 'inst.ks=http://192.168.75.101/{RHEL,CentOS}/*.cfg'
NOTE: Name your .cfg files in a fashion similar to Virtual Machine images:
i.e. centos7-infrastructure-server-gui.cfg
i.e. rhel7-is-gui-40GB.cfg

4. Debug information is stored in: '/tmp' of the target system during installation
(copied to '/var/log/anaconda/' on the installed system)


5. NOTE: 'Kickstart Configurator' is NO longer developed
NOTE: NOT ALL possible directives are covered

6. Section layout is unchanged: command section, %packages, optional %pre and %post
NOTE: In EL7 every %packages, %pre and %post section MUST close with '%end'
7. Omitted items will cause the installer to prompt the user for input

Task:
1. Re-install both systems in an automated fashion
a. Access nodes
b. Modify .cfg files
c. Publish .cfg files to HTTP repository
c1. 'inst.ks=http://192.168.75.101/CentOS/centos7-is.cfg'
c2. 'inst.ks=http://192.168.75.101/RHEL/rhel7-is.cfg'
d. Re-install nodes using minimal|network ISO referencing the .cfg files
NOTE: Ensure that published (HTTP) .cfg files are flagged 644 or readable by the web
user
NOTE: The .cfg carries the 'rootpw' line (and any %post secrets): use 'rootpw
--iscrypted HASH', never a plaintext password, and limit who can reach the URL -
anyone on the network can fetch a world-readable kickstart

NOTE: Since we reprovisioned: CentOS7 instance entirely in VMWare, its default SDA
was blank, which rendered the installation fully-automated

NOTE: If VM instance fails to boot from ISO image, try the following:
1. Delete, then Re-provision GUEST
2. Remove startup disk and provision anew

2. Repeat process for 1 of the servers


NOTE: This is mostly-automated, because we still must indicate the location of
the .cfg file at the GRUB2 menu

NOTE: It is possible to fully-automate by using PXE and DHCP configuration that
tells the client which .cfg file to use
NOTE: Either way, it is still required to indicate which .cfg file to use for
installation
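Added example (shell), not from the LinuxCBT notes: a helper writes a minimal EL7 kickstart and a lint catches the three problems discussed above before the file is published over HTTP - a plaintext 'rootpw', a section without its '%end', and a missing 'clearpart'. The repository URL reuses 192.168.75.101 from the notes; the '$6$' string after --iscrypted is a dummy placeholder, not a real hash.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: constructed kickstart + lint.

# Write a constructed EL7 kickstart to the path in $1.
# The hash after --iscrypted is a PLACEHOLDER, not a real credential;
# generate a real one with the crypt module (SHA-512 gives the '$6$' prefix).
write_ks() {
    cat >"$1" <<'EOF'
# constructed example: rhel7-is.cfg (added example, not the notes' own file)
install
url --url="http://192.168.75.101/RHEL/7"
text
lang en_US.UTF-8
keyboard us
timezone America/New_York --isUtc
network --bootproto=dhcp --device=link --activate
# never publish a plaintext 'rootpw' over HTTP: use --iscrypted with a hash
rootpw --iscrypted $6$PLACEHOLDERSALT$PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxx
zerombr
clearpart --all --initlabel
autopart --type=lvm
reboot
%packages
@core
%end
%post --log=/root/ks-post.log
echo "post-install steps go here"
%end
EOF
}

# Lint a kickstart before publishing. Prints one line per failed check and
# returns 1 if any failed, 0 when clean.
ks_lint() {
    f=$1; rc=0
    # 1. rootpw must be hashed: a 644 file on a web server is readable by
    #    anyone who can reach the URL
    if grep -Eq '^rootpw[[:space:]]' "$f" &&
       ! grep -Eq '^rootpw[[:space:]]+--iscrypted[[:space:]]' "$f"; then
        echo "$f: rootpw is plaintext (use --iscrypted HASH)"; rc=1
    fi
    # 2. every %pre, %post and %packages section must close with %end (EL7)
    opens=$(grep -Ec '^%(pre|post|packages)([[:space:]]|$)' "$f" || true)
    ends=$(grep -c '^%end' "$f" || true)
    if [ "$opens" -ne "$ends" ]; then
        echo "$f: $opens section header(s) but $ends %end line(s)"; rc=1
    fi
    # 3. without clearpart the installer stops and asks about the target disk
    if ! grep -q '^clearpart' "$f"; then
        echo "$f: no clearpart directive; install will prompt for the disk"; rc=1
    fi
    return $rc
}

# demo: write the sample to a scratch file and lint it (silent when clean)
write_ks /tmp/rhel7-is.cfg && ks_lint /tmp/rhel7-is.cfg && echo "lint OK"
```

Run 'ks_lint' against every .cfg before copying it into the HTTP tree; a non-zero exit means the file is either unsafe to publish or will not install unattended.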

# Rescue Environment #
Features:
1. Multiple modes
a. Rescue
b. Emergency
NOTE: Both are based on an installed system: i.e. N3
NOTE: Both provide Single-User modes to attempt to rectify system problems
NOTE: Both modes are accessible from an already running system via: 'systemctl
{rescue,emergency}
NOTE: As a result of these modes, you enter Single-User mode, which drops network
connectivity, thus external connections
NOTE: 'systemctl ...' typically sends messages to logged-in users, unless '--
nowall' option is used
NOTE: Installer-based rescue: append 'inst.rescue' to the kernel boot line of the
install media (covered below)
NOTE: Standard GRUB2 menu, secondary '...rescue' option, is really a backup kernel,
which launches into multi-user mode

2. Install Rescue Mode - based on the installation sources


a. Provides a TUI and emergency fall-back $SHELL to help recover the system
b. Select from 'Troubleshooting' menu or append: 'inst.rescue' to kernel boot
line
c. Searches system for mountable '/' FS and mounts it: '/mnt/sysimage'
c1. This helps to fix files that may have been corrupted, i.e.: /etc/fstab
and additionally possibly a corrupted GRUB2 environment
c2. 'chroot /mnt/sysimage' - this becomes the new '/' and allows you to use ALL
functionality, i.e.: 'grub2-install /boot'
NOTE: Possible to fix a bad driver that prevents the system from booting

NOTE: Nowadays, virtualize, and take snapshots prior to ALL key updates

Tasks:
1. Mislabel GRUB2 references to the kernel
a. '/etc/grub2.cfg'

2. Booted from Install Rescue Mode (from any ISO that boots the installer)

3. Repeat on CentOS
NOTE: If you lose the 'root' password, use:
a. Install Rescue Mode to mount the '/' FS
b. 'chroot /mnt/sysimage'
c. 'passwd root'
c1. 'touch /.autorelabel' - files written from the rescue environment carry no
trustworthy SELinux labels; force a relabel so logins work under enforcing mode
d. 'exit' && 'reboot'
NOTE: Because of this, for security purposes, guard the permitted boot media for ALL
systems: set a firmware (BIOS/UEFI) password and password-protect GRUB2 entries
('grub2-setpassword', RHEL 7.2+) so nobody can boot alternate media or edit the
kernel line

# Basic Linux Skills #


1. 'whoami' - reveals the currently-logged-in user - per-$SHELL(TTY) basis
2. 'tty' - reveals the name of the currently-connected $SHELL
3. 'w', 'who' - reveals the connected users and terminals
4. '/' - parent of ALL directories
a. Default upon LOGIN and instantiation of new $SHELL is to place you in your:
$HOME
b. 'pwd' - reveals your current location as an absolute path (from '/')
c. 'cd' - moves you around
c1. 'cd ~' - directs you to your $HOME
c2. 'cd ~USER' - directs you to that USER's $HOME
d. 'ls' - myriad options reveals directory contents
5. 'id' - reveals your account and group details
6. 'touch' - creates, by default, an empty file, otherwise, updates the timestamps
associated with the target file(s)
7. 'echo' - echoes what you tell it to
8. 'cat' - dumps the contents of TEXT files
a. 'echo "1" > 1.txt'
b. 'echo "2" > 2.txt'
c. 'cat 1.txt 2.txt > 1.2.txt'
9. 'mkdir NAME'
10. 'rm -rf temp/' - wipes the directory structure
a. 'cp -apvf temp temp2' - duplicates the contents of 'temp' DIR to newly-created
'temp2' DIR
b. 'rm -rf temp/'
c. 'mv temp2 temp'
11. 'history' - reveals the history of executed commands
a. '!NUM' - executes the command indexed at NUM

12. Pagers - paginate textual data on a per-screen basis, dynamically


a. 'more'
b. 'less'
Typically: 'f' || <SPACE> to move forward, 'b' to move back

13. Heads and Tails


a. 'head' - examines the top of a document
b. 'tail' - examines the bottom of a document

14. Word Count - which also counts number of lines in a document


a. 'wc -l' - counts the number of lines
b. 'wc FILE' - counts number of lines, words, etc.

15. Ascertain the type of target FILE


a. 'file FILE' - uses a variety of methods to deduce the target file's type

16. Process status listing using: 'ps'


a. 'ps' - displays processes tied to the current $SHELL, which usually is a
limited subset of the total
b. 'ps -ef'
'UID PID PPID C STIME TTY TIME CMD'

17. Free memory (RAM && SWAP)


a. 'free -m'

18. Disk Partition Utilization (Free): 'df'


a. 'df -h'
19. Directory Utilization: 'du'
a. 'du -chs' - scans tree and produces summary of usage
b. 'du -chs /home' - dump the full utilization of the /home tree
c. 'du -chs /var' - "" /var tree
20. Top processes and related metrics
a. Aggregates data from multiple tools: uptime,ps,free and others
b. 'top'
c. 'uptime' - dumps how long the system has been up

# Compression Utilities: tar, gzip, bzip2, zip #


Features:
1. Archive and compress

Tasks:
1. 'gzip'
a. 'gzip -c Xorg.9.log.old > Xorg.9.log.old.gz'
b. 'gunzip Xorg.9.log.old.gz'
c. 'gzip -l Xorg.9.log.old.gz' - reveals stats about the compressed object
d. 'zcat Xorg.9.log.old.gz' - auto-decompresses the content on-the-fly

2. 'bzip2'
a. 'bzip2 -c Xorg.9.log.old > Xorg.9.log.old.bz2'
b. 'bunzip2 Xorg.9.log.old.bz2'
c. 'bzcat Xorg.9.log.old.bz2'

3. Zip & Unzip - typically most-compatible with Windows


a. 'zip Xorg.9.log.old.zip Xorg.9.log.old' - TARGET first, SOURCE second
NOTE: 'zip' includes native archival abilities, which is why you typically won't
find: *.tar.zip files, but rather: *.tar.{bz2,gz}

4. Tar with: gzip && bzip2


a. 'tar -cvf linuxcbt-temp.tar /home/linuxcbt/temp' - creates archive with NO
compression
b. 'tar -tvf FILE' - exposes the contents, i.e. 'unzip -l', without extraction
c. 'tar -xvf FILE' - extracts archive to current directory
d. 'tar -cvzf linuxcbt-temp.tar.gz /home/linuxcbt/temp' - creates archive WITH
gzip compression
e. 'tar -cvjf linuxcbt-temp.tar.bz2 /home/linuxcbt/temp'
f. 'tar -cvjf linuxcbt-temp.tar.bz2 /home/linuxcbt/temp /etc /var/log'

NOTE: With 'zip' and 'tar', because they are archival tools, it makes sense to
specify the TARGET first, then an arbitrary number of source files/directories
NOTE: Always list (-t) an archive from an untrusted source before extracting it, so
you know which paths it is about to write

g. 'tar -xvjf linuxcbt-temp.tar.bz2'

# 'systemd' Service Management Framework #


Features:
1. Akin to Solaris's SMF
2. Provides comprehensive unit management facility (services, devices, paths,
etc.)
3. Replaces 'upstart' - provides faster boot times due to a variety of features
i.e. SSH && MySQL depend upon the Network Target, but not on each other, then so
long as the Network Target has loaded properly, both SSH and MySQL can be invoked
in parallel
NOTE: 'systemd' provides, like SMF, more discrete dependency relationships, unlike
SysV, which is numerically oriented, thus making it a serial system-invoker

4. Manages various facets via 'UNIT' files (units): i.e.


a. services: i.e. ssh, httpd, etc.
b. devices: USB, Storage, etc.
c. sockets: networking, TCP/IP
d. paths: file or directory
e. mounts: NFS, Automount, etc.
f. snapshots: the ability to temporarily backup the system state
NOTE: 'service' units (.service files) replace SysV-style INIT scripts and play the
same role: they declare how a daemon is started, stopped and supervised
5. SysV and LSB-init scripts compatible - provides legacy support
6. Service management via: 'systemctl': status | start | stop | restart | enable |
disable
NOTE: 'systemctl' does NOT support the custom verbs SysV scripts offered (i.e.
'service httpd configtest'); use the daemon's own tool ('apachectl configtest')
NOTE: 'service' && 'chkconfig' are available, but superseded by: 'systemctl' - use
this instead. The capabilities of both tools are collapsed|consolidated into:
'systemctl'
7. Runlevel control - mapped to 'target' units for compatibility
NOTE: 'runlevel' is provided, however, 'N' is sometimes returned when the target
doesn't map directly
NOTE: Runlevels are mapped to pre-defined targets in:
'/usr/lib/systemd/system/runlevel*.target'
NOTE: These files spell out, i.e.: When may a service load? What's required? when
should the service NOT load?

8. State control:
a. emergency
b. rescue
c. poweroff
d. restart
e. hibernation
f. suspension
9. 'systemd' units - encapsulation of the following:
a. services
b. sockets
c. system state snapshots
d. paths
e. mounts
f. etc.
10. Supports system state snapshots - current unit configuration, which is
temporarily held
NOTE: snapshots do NOT persist reboots
11. D-bus activation of services
a. D-bus activation (where supported by service) allows on-demand invocation of
service upon request by the client(service)
12. Socket-based activation (where supported by service) allows messages to be
queued during service restarts
a. 'systemd' functions as a proxy(broker) between the client and the ultimate
service
13. Device-based activation - i.e. hot-plugged device activates corresponding
service(s)
14. Path-based activation - if paticular file || directory is accessed,
corresponding service(s) is invoked. i.e. NFS, NFS with Automount
15. On-demand starting of daemons
16. Parallelization of service invocation at startup: i.e. MySQL && SSH
17. Mount || Automout management
18. Services do NOT inherit the environment ($PATH, $HOME, umask) of the admin who
starts them; systemd supplies a minimal, predictable environment - more secure and
more reproducible than launching a daemon from a login $SHELL
Key Directories:
1. '/usr/lib/systemd/system' - vendor (package-supplied) units: i.e. /etc/rc.d/init.d
2. '/etc/systemd/system' - admin units and overrides; takes precedence over
/usr/lib, and holds the '*.wants/' symlinks that 'enable' creates
3. '/run/systemd' - run-time systemd units - auto-generated

# SystemD Primary user-space tool: 'systemctl' #


Features:
1. All-encompassing device | service management tool
2. Provides comprehensive power-management options:
a. Halt
b. reboot
c. poweroff
d. hibernate
e. suspend - especially important with: Virtual instances and mobile devices

Tasks:
1. Explore basic power management control
a. 'init 6' - 'systemctl [--no-wall] reboot'
b. 'init 0' - 'systemctl [--no-wall] poweroff'
NOTE: 'init 6', etc., still works, but may eventually be deprecated
2. Service Management
a. 'systemctl' - dumps ALL managed units: services, devices, paths, mounts,
sockets, etc.
b. 'systemctl list-units' - lists loaded units of ALL types
c. 'systemctl list-sockets' - lists loaded sockets, ordered by address
NOTE: Useful in debugging problems communicating with sockets
d. 'systemctl status [NAME..|PID..]' - shows runtime stats
d1. '/usr/lib/systemd/system/atd.service' - actual service file
NOTE: The data returned is comprehensive, and under prior versions of RHEL, we had
to aggregate these data from various sources: i.e. 'ps -ef | service_name', 'cat
/var/run/PID', '/etc/*'

e. 'systemctl show [NAME..|JOB..]' - shows properties of the units


f. 'systemctl -t service' - returns ONLY services
g. 'systemctl -t {device,socket}' - lists devices || sockets

3. Install Apache and Manage service


a. 'yum install httpd'
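Added example (shell), not from the LinuxCBT notes: the httpd task carried through with 'systemctl', plus a drop-in under '/etc/systemd/system/httpd.service.d/' that hardens the unit without touching the vendor file in '/usr/lib/systemd/system' (the precedence described under Key Directories). The writer takes a directory argument so it can be exercised without root; the capability list and 'NoNewPrivileges' are assumptions for a stock httpd and must be tested in a lab ('NoNewPrivileges' breaks suexec-based CGI, for instance).

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes.

# Write $1/httpd.service.d/90-hardening.conf ($1 stands in for
# /etc/systemd/system). Drop-ins override only the keys they set; the vendor
# unit stays untouched and survives package updates. Prints the file path.
write_httpd_dropin() {
    dir="$1/httpd.service.d"
    mkdir -p "$dir" || return 1
    cat >"$dir/90-hardening.conf" <<'EOF'
# constructed example drop-in: review every line against your workload
[Service]
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
EOF
    echo "$dir/90-hardening.conf"
}

# Count the directives a drop-in sets (comments and the section header
# excluded): a quick sanity check before 'daemon-reload'.
dropin_directive_count() {
    grep -Ec '^[A-Za-z]+=' "$1" || true
}

# Apply on a real host, as root. RHEL 7 ships systemd 219, which lacks
# 'enable --now' (systemd 220), so enable and start stay separate steps.
apply_httpd_hardening() {
    yum -y install httpd &&
    write_httpd_dropin /etc/systemd/system >/dev/null &&
    systemctl daemon-reload &&
    systemctl enable httpd &&
    systemctl restart httpd &&
    # confirm the override took effect from systemd's own view of the unit
    systemctl show httpd -p PrivateTmp -p NoNewPrivileges -p ProtectSystem -p DropInPaths
}

# demo without root: write the drop-in to a scratch directory and inspect it
d=$(mktemp -d) && f=$(write_httpd_dropin "$d") && cat "$f" &&
    echo "$(dropin_directive_count "$f") directives" && rm -rf "$d"
```

'systemctl show -p DropInPaths httpd' is the check that the file was picked up at all; 'systemctl status httpd' lists drop-ins too, right under the unit path.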

# Checksums #
Features:
1. Generate fixed-length digests (fingerprints) of a set of data
a. Files
b. STDIN
2. Verifies the integrity of data: any change, accidental or deliberate, changes the
digest. Tampering is only detected if the reference digest arrives over a trusted
channel (i.e. a signed checksum file), since an attacker who can replace the file can
also replace a checksum published next to it
3. Published content online is usually accompanied by checksums for your perusal

Tasks:
1. 'nano test.txt' - populate with junk
2. 'md5sum test.txt' - 'ba1f2511fc30423bdbb183fe33f3dd0f'
after editing the file: '4cd713d16b3f7078041799001428d0ee'
after restoring the content: 'ba1f2511fc30423bdbb183fe33f3dd0f' - identical content
always yields an identical digest

NOTE: Checksums guarantee the intrinsic (internal, quality-related metric) of content
NOTE: md5sum = 128-bit digest
NOTE: This works for detecting accidental corruption, however MD5 (and SHA-1) are
collision-broken: an adversary can craft two different files with the same digest.
Where tampering matters, use 'sha256sum' or 'sha512sum' (both ship in coreutils)
3. 'sha1sum test.txt' - returns 160-bit string
4. Copying a file does NOT change its intrinsic value, which means the checksum
should return identical to the source
5. Moving the file across the wire has no checksum effect, IF, the file was
transferred in total: 100%
NOTE: i.e., if you transfer a fractional text file, you will have checksum
mismatches
NOTE: Broken, or incomplete, transmissions run the gamut of industries and impact
us all. SO, check your checksums.

a. 'rsync -avvzP *txt 192.168.75.121:'


b. confirm checksums post-data-move
6. Generate large file, copy, and break transmission
a. 'dd if=/dev/zero of=512MB bs=1M count=512'
b. 'rsync -avvzP 512MB 192.168.75.121:' - break during transmission
NOTE: Automated scripts may simply check for the existence of a file object and NOT
necessarily the object's checksum or even a size range within which the file should
be. This ultimately introduces corrupt data into your environment.
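Added example (shell), not from the LinuxCBT notes: the transfer check above as functions - digest a file, verify a received copy against the expected digest or against a published checksum listing, and show that a copy cut off mid-stream (what the interrupted 'rsync' produced) fails the check. The payload and paths are constructed scratch data.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: digest, verify, catch truncation.

# SHA-256 digest of a file, hex only
sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# Verify FILE against an expected hex digest: 0 on match, 1 on mismatch
verify_digest() { [ "$(sha256_of "$1")" = "$2" ]; }

# Verify every file named in a digest listing (the CHECKSUM / sha256sum.txt
# format download sites publish). Runs inside DIR because the listing records
# names exactly as they were given to sha256sum. 0 only if ALL lines match.
verify_listing() { ( cd "$1" && sha256sum -c "$2" ) >/dev/null 2>&1; }

# Simulate an interrupted transfer: copy only the first N bytes of SRC to DST
partial_copy() { head -c "$3" "$1" >"$2"; }

# Walk-through: publish a digest, receive a full and a broken copy, check both
demo() {
    d=$(mktemp -d) || return 1
    seq 1 50000 >"$d/payload"                      # constructed payload
    expect=$(sha256_of "$d/payload")
    cp "$d/payload" "$d/full"
    partial_copy "$d/payload" "$d/broken" 100000   # rsync killed mid-stream
    verify_digest "$d/full" "$expect"   && echo "full:   digest matches"
    verify_digest "$d/broken" "$expect" || echo "broken: digest MISMATCH (truncated)"
    # size alone is a weak check, but it already tells the two apart
    ls -l "$d/full" "$d/broken" | awk '{ print $5, $9 }'
    rm -rf "$d"
}
demo
```

A matching digest proves the bytes arrived intact; it proves nothing about who produced them unless the listing itself is signed and you verified that signature ('gpg --verify') before trusting it.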
# GREP #
Features:
1. Searches text files (textual data - typically line-based data) for matches
a. Simple
b. Extended regular expressions
2. Specializes in returning the FULL line of the matched item

Tasks:
1. Create dummy data to parse
a. 'grep "Linux" grep.test.txt'
b. 'grep "^Linux" grep.test.txt' - returns lines that begin with "Linux"
c. 'grep '^Linux$' grep.test.txt' - returns lines that begin and end with 'Linux'
d. 'grep 'LinuxCBT' grep.test.txt' - returns lines that contain 'LinuxCBT'
e. 'grep 'LinuxCBT ' grep.test.txt' - returns lines that contain 'LinuxCBT ' (with
the trailing space)
NOTE: Printable and non-printable chars (space(tab, various whitespace)) are
analyzed
NOTE: 'cat -A grep.test.txt' - reveals both types of chars

f. 'grep 'B.*' grep.test.txt' - returns lines containing 'B' ('.*' adds nothing here)


g. 'grep '.*W' grep.test.txt' - returns lines that contain 'W' anywhere
'.*' - matches 0 or more times
h. 'grep 'Linux.+' grep.test.txt' - nothing is returned because '+' is extended
syntax; basic grep treats it as a literal '+'
h1. 'egrep 'Linux.+' grep.test.txt' - returns lines where 'Linux' is followed by at
least 1 character
i. '[e]grep '[Linux|BSD]' grep.test.txt' - uses a bracket expression (character
class)
NOTE: Bracket expressions don't match the entire word, but rather any single one of
the listed characters; '|' is a literal inside brackets. For alternation use: 'egrep
'Linux|BSD''
j. ' grep "Dec [1|3]" /var/log/messages' - parses|returns records matching 'Dec 1',
'Dec 3' (or 'Dec |'), which includes 'Dec 10'-'Dec 19' and 'Dec 30'-'Dec 31' since
nothing anchors the day
k. ' grep "Dec [1|3]" /var/log/messages | grep -i 'd-bus' - second parse is
case-insensitive (-i)

# AWK #
Features:
1. Field (column) Processor
2. Supports egrep-compatible (POSIX) REGEXES

Tasks:
1. awk '{print $1 }' [FILE] || STDIN- prints the first field from the data-stream
2. 'awk '{print $1,$2 }' FILE - returns $1,$2
NOTE: 'awk' can be used to transform Field and/or Record separators
3. 'awk -F'[:+;,]' '{print $1,$2,$3,$4}' grep.test.txt' - uses multiple possible
delimiters to identify fields
NOTE: Whitespace is the DEFAULT field separator; once -F is given, only the characters
in that set separate fields
NOTE: Be careful if data-set contains space that is NOT to be treated as a field-
separator

4. 'awk -F'[:+;]' '{print $0}' grep.test.txt' - returns the full lines


5. 'awk -F'[:+;]' '/LinuxCBT/ { print $1,$2,$3,$4}' grep.test.txt
6. 'awk -F'[:+;]' '{ if ($1 ~ /LinuxCBT/) print $1,$2,$3,$4}' grep.test.txt
7. 'awk '{ if ($5 ~ /kernel/) print $1,$2,$3,$6,$7}' /var/log/messages'
NOTE: if 5th column(field) = 'kernel' then print the fields of interest from the
record
8. 'awk '{ if ($5 ~ /kernel/) print $6,$7}' /var/log/messages' - simple way of
anonymizing the record by excluding: timestamp, source host, facility
NOTE: Like 'grep', 'awk' iterates over ALL records, but selectively (optionally)
returns data (fields) of interest

# SED - Streams Editor #


Features:
1. Streams Editor - edits textual data line by line as it streams through, without
loading the whole file

Usage:
1. 'sed -e 'instruction' file' || STDIN
NOTE: Additional '-e 'instruction' ' commands will perform additional modifications
in the order presented
2. 'sed -f script_file_name file || STDIN' - organized way of providing N number
of instructions to 'sed'

3. 'sed -n '1p' grep.test.txt' - prints the FIRST line


4. 'sed -n '$p' grep.test.txt' - prints the LAST line
5. 'sed -n '3,6p' grep.test.txt' - prints lines 3-6
NOTE: 'sed' processes information 1-line at a time
6. 'sed -n -e '/^Linux$/,/AIX/p' grep.test.txt' - prints lines from the line that
begins and ends with: 'Linux' through the next line that contains 'AIX'
7. 'sed -n -e '/^Linux$/,+3p' grep.test.txt' - prints the matching line plus the 3
lines after it (GNU extension)
8. 'sed -e '/^$/d' grep.test.txt - removes blank lines from file
9. 'sed -e 's/root/admin/' -e 's/linuxcbtel7desk1/systema/' /var/log/messages >
messages.anonymous.1'
NOTE: Without the 'g' flag only the first match per line is replaced, and 'root'
also hits substrings such as '/root' or 'rootfs'; when anonymising, anchor with word
boundaries (GNU sed: 's/\broot\b/admin/g')
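Added example (shell), not from the LinuxCBT notes: the grep, awk and sed steps from the last three sections run over a constructed '/var/log/messages'-style sample in RHEL 7 rsyslog format. Host name, PIDs and the 203.0.113.x / 198.51.100.x addresses are made up (documentation ranges); the failed-login count is the detection-oriented use of awk that the kernel filter in the notes hints at.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes. CONSTRUCTED sample records:
SAMPLE_LOG='Dec  4 07:12:01 linuxcbtel7desk1 kernel: Linux version 3.10.0-123.el7.x86_64
Dec  4 07:12:01 linuxcbtel7desk1 kernel: e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
Dec  4 07:12:03 linuxcbtel7desk1 systemd[1]: Started OpenSSH server daemon.
Dec  4 07:15:42 linuxcbtel7desk1 sshd[2210]: Failed password for root from 203.0.113.9 port 51234 ssh2
Dec  4 07:15:45 linuxcbtel7desk1 sshd[2210]: Failed password for root from 203.0.113.9 port 51236 ssh2
Dec  4 07:16:01 linuxcbtel7desk1 sshd[2214]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Dec  4 07:16:30 linuxcbtel7desk1 sshd[2218]: Accepted publickey for linuxcbt from 192.168.75.121 port 50100 ssh2
Dec  4 07:17:02 linuxcbtel7desk1 dbus[640]: [system] Activating service name=org.freedesktop.hostname1'

# awk as a field processor: fields 1-3 are the timestamp, 4 the host, 5 the
# program. Default whitespace splitting absorbs the double space in "Dec  4".
# Print only the message body of kernel records (the anonymised form from the
# notes: no timestamp, host or facility).
kernel_messages() {
    awk '$5 == "kernel:" { for (i = 6; i <= NF; i++) printf "%s%s", $i, (i < NF ? OFS : ORS) }'
}

# grep narrows to the records of interest, awk counts failed SSH logins per
# source address: the first thing to look at when a host is being brute-forced
failed_logins_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") ip[$(i + 1)]++ }
             END { for (a in ip) print ip[a], a }' |
        sort -rn
}

# sed: the notes' anonymisation with word boundaries and the g flag, so 'root'
# inside '/root' is untouched and every hostname on a line is replaced
# (\b is a GNU sed extension)
anonymize_log() {
    sed -e 's/linuxcbtel7desk1/systema/g' -e 's/\broot\b/admin/g'
}

# demo over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | kernel_messages
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_LOG" | anonymize_log | sed -n '4p'
```

On a live EL7 host sshd writes to '/var/log/secure', not '/var/log/messages', so the second function would be fed 'cat /var/log/secure' there; the field positions are identical.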

# File Types - Permissions - SymLinks #


Features:
1. Supported types: c,b,-,d, etc. - represented in first column of: 'ls -l'
2. File permissions for: owner, group members, and everyone else
3. Short and hard cuts to objects located throughout your system

File Permissions:
1. 10-character mode string, independent of the FS in use: i.e. EXT4, XFS, EXT{2,3},
ReiserFS, etc.
'crw--w----. 1 linuxcbt tty 136, 2 Dec 4 07:12 2' -> octal 620
leading character describes the type of object in the FS (here 'c', a character
device)
remaining 9 characters, in 3 groups of 3, represent permissions for:
a. Owner of the object
b. Members of the group labeled on the object: i.e. group=tty
c. Everyone else
'-' in any position means that permission is disabled; the trailing '.' means the
object carries an SELinux context
Total permissions for objects = 7 7 7 (rwx rwx rwx)
r=4
w=2
x=1

NOTE: When working with permissions we work with either:


a. Octal notation: i.e. 777, 620, 644, etc.
b. Symbolic notation: rwxrwxrwx(777), rw--w----(620), rw-r-----(640)
c. We add permissions symbolically using: + and subtract using: -
d. With Octal notation, we simply specify the target Octal value: i.e. 644

Primary permissions tool = 'chmod'


a. 'chmod 660 grep.test.txt && ls -l grep.test.txt'
b. ' chmod u-x,g-rw grep.test.txt' - removes 'x' from owner, and 'rw' from
group=linuxcbt resulting in an octal set = 0600
c. 'stat FILE' - returns the permissions and FS footprint
d. 'chown/chgrp' - changes user/group ownership
d1. 'chown root grep.test.txt' - makes new owner = uid=0
d2. 'chgrp root grep.test.txt' - makes new group owner = gid=0
d3. 'chown linuxcbt:linuxcbt grep.test.txt' - resets uid/gid permissions
# Symbolic Links #
Features:
1. Shortcuts with more capabilities
NOTE: Typical Windows shortcuts are equivalent to soft-symbolic links
2. Soft symbolic links permit linking:
a. within the same FS
b. across disparate FSs
c. Soft links merely link to the named representation of a file, within and/or
across FSs
d. Soft links have no impact on the link counter associated with files
e. All soft links lead to one named file. If this named file is renamed or removed,
ALL soft links dangle (editing its content is fine)

3. Hard links permit linking:


a. within the same FS
b. but NOT across disparate FSs because of the INODE numbers that are used cannot
be guaranteed to be unique across FSs
c. Hard links make direct references to the INODEs that underpin the files that
we access: i.e. 'ls -li' to reveal the distinct INODEs
d. Each outstanding Hard link increases the link counter associated with the
file: 'ls -li' - reveals this
e. Each outstanding link can be viewed as an instance of the INODE object that
underlies the file. This means that the file persists within the FS until ALL hard
links have been removed

4. Both mechanisms (Soft and Hard) provide a way to publish content to users in
various locations across the system
a. Permits the exposition of content outside of normally protected zones: i.e.
$USER || /home/$USER

Tasks:
1. Soft links
a. 'ln -s target_file link_name' - the existing file first, the new link second
a1. 'ln -s grep.test.txt grep2.test.txt' - creates soft link in the same
directory
'lrwxrwxrwx. 1 root root 13 Dec 5 09:18 grep2.test.txt ->
grep.test.txt'
NOTE: Despite the apparent: 0777 permissions associated with soft symlinks, the
underlying (target) file's permissions always prevails. This is known as effective
permissions on the file object.
a2. 'ln -s ~linuxcbt/Documents/grep.test.txt'
a3. 'ln -s ~linuxcbt/Documents/grep.test.txt /boot' - creates soft link in a
different FS
a4. 'ls -l ~linuxcbt/Documents/grep.test.txt' - confirm link counter = 1

b. Break the source of the soft links


b1. 'mv ~linuxcbt/Documents/grep.test.txt ~linuxcbt/Documents/grep.test.txtt'

2. Hard Links
a. 'ln target_file link_name' - creates hard link - increments the link counter
b. 'chmod 644 ~linuxcbt/Documents/temp/grep.test.txt.hard' - impacts the
underlying INODE, which means ALL instances of the document (hard-link form) will
now wear the latest permissions
c. 'mkdir /projectx && ln ~linuxcbt/Documents/grep.test.txt /projectx/' - creates an
instance of the object for 'general' access without having to grant users access to
your $HOME dir
NOTE: Only works while '/projectx' lives on the same FS as '/home'; once '/projectx'
becomes its own mount (XFS section below) the hard link fails with 'Invalid
cross-device link' and a soft link is the only option
d. Remove one or more hard instances
d1. 'rm -f ~linuxcbt/Documents/grep.test.txt' - removes one name; the data stays
reachable through the remaining hard link(s)
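Added example (shell), not from the LinuxCBT notes: the soft-link and hard-link behaviour described above, exercised in a scratch directory ('mktemp -d') with GNU 'stat' so nothing under $HOME or /boot is touched. Every line in 'link_demo' is an assertion; the function fails at the first one that does not hold.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes. Uses GNU stat:
#   -c %h link count, -c %i inode number, -c %a octal mode
link_demo() (
    set -e
    d=$(mktemp -d); cd "$d"
    printf 'original\n' >grep.test.txt
    ln -s grep.test.txt soft        # soft link: a name that points at a name
    ln grep.test.txt hard           # hard link: a second name for the same inode
    [ "$(stat -c %h grep.test.txt)" = 2 ]          # link count 2; soft links don't count
    [ "$(stat -c %i hard)" = "$(stat -c %i grep.test.txt)" ]   # same inode
    printf 'edited\n' >>soft                       # writes through to the one inode
    [ "$(cat hard)" = "$(cat grep.test.txt)" ]
    chmod 600 hard                                 # mode lives on the inode ...
    [ "$(stat -c %a grep.test.txt)" = 600 ]        # ... so every hard name sees it
    [ "$(stat -c %a soft)" = 777 ]                 # the soft link's own 777 is cosmetic
    mv grep.test.txt grep.test.txtt                # break the name the soft link holds
    [ -L soft ]                                    # the link object still exists ...
    [ ! -e soft ]                                  # ... but resolves to nothing
    [ "$(cat hard)" = "$(printf 'original\nedited')" ]   # hard link unaffected
    rm -f grep.test.txtt                           # 'delete' the original name ...
    [ "$(stat -c %h hard)" = 1 ]                   # ... data survives via 'hard'
    cd / && rm -rf "$d"
)

# EL7 ships fs.protected_symlinks=1 and fs.protected_hardlinks=1 (from
# /usr/lib/sysctl.d/50-default.conf): in world-writable sticky dirs such as
# /tmp a symlink is followed only when its owner matches the follower or the
# directory owner, and users may hard-link only files they own or can write.
link_protection() {
    sysctl -n fs.protected_symlinks fs.protected_hardlinks 2>/dev/null || echo "n/a"
}

link_demo && echo "link demo: all assertions held"
link_protection
```

The last two assertions are the security-relevant ones: a user who hard-linked a file you later 'delete' still holds the bytes, which is exactly what 'fs.protected_hardlinks' limits to files the linker already owns or can write.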

# SWAP #
Features:
1. Virtual memory - disk-based memory
2. Dedicate (preferred) partitions to SWAP mission
3. Use an existing FS: i.e. XFS, EXT4, etc. and provision a file-based SWAP area
4. SWAP remains a distinct FS type, despite the recent RHEL shift to XFS

Tasks:
1. Create additional SWAP space from a file using existing FS
a. 'dd if=/dev/zero of=/swap/swapfile1G-1 bs=1M count=1024' - creates a zeroed-
out file as a basis with which to overlay an FS such as SWAP
a1. 'chmod 600 /swap/swapfile1G-1' - swap holds paged-out process memory (passwords,
keys); a world-readable swap file leaks it, and 'swapon' warns: 'insecure permissions
0644, 0600 suggested'
b. 'mkswap /swap/swapfile1G-1' - overlays SWAP FS on zeroed-out file
NOTE: A unique UUID is auto-assigned, and may be referenced via: /etc/fstab
c. 'swapon /swap/swapfile1G-1' - enables the SWAP device dynamically
d. 'swapon -s' - displays current SWAP partitions
e. Update: '/etc/fstab' - '/swap/swapfile1G-1 swap swap defaults 0 0'

2. Dedicate partitions to the SWAP mission


a. Provision new partition && [reboot] - automatically recognized
b. Create primary partition and enable swapping (mkswap /dev/sdb1)
c. Enable Swapping: 'swapon /dev/sdb1'
d. 'blkid /dev/sdb1' - obtain UUID and commit to: /etc/fstab
e. 'swapoff /dev/sdb1 && swapon -a' - disables and re-reads from: /etc/fstab
f. 'swapon -s' - dump current SWAP configuration

# XFS #
Features:
1. New default for RHEL7
2. Supports:
a. Extension (growth) - NOT the ability to shrink
b. Freeze | Unfreeze - for snapshots
c. Backups | Restorations
d. Sub-second timestamps: currently = nanosecond || 10^-9 precision
d1. 'stat FILE' and peruse
e. Ability to separate the journal log from the data storage area - improves
performance

Tasks:
1. Create extra XFS mounts on target systems
a. Provision storage: Virtual || Physical
b. Identify and partition
b1. 'fdisk -l' - this should reveal the new storage block: '/dev/sdc'
b2. 'parted /dev/sdc mklabel gpt'
b3. 'parted /dev/sdc mkpart 1 1 100%' - on GPT the first argument is the partition
NAME ('1' here), then start (1MB) and end (100%)
c. Overlay with XFS file system
c1. 'mkfs.xfs /dev/sdc1'
d. Mount and Use
d1. 'mkdir /projectx'
d2. 'mount /dev/sdc1 /projectx && df -h && dd if=/dev/zero of=/projectx/512M
count=512 bs=1M && ls -lh /projectx'

e. Ensure mount persistence: /etc/fstab


e1. 'blkid /dev/sdc1' - obtain and use in: /etc/fstab
e2. 'umount /projectx && mount -a && df -h' - confirm that '/projectx' is
available
e3. 'systemctl reboot || reboot'
NOTE: We prefer to reference the UUID in /etc/fstab || via user-space (CLI) because
there are some instances where the kernel may relabel disks: i.e. /dev/sd{a,b,c,etc.}
upon system invocation
NOTE: Data-only mounts such as '/projectx' should carry 'nosuid,nodev' (and 'noexec'
where nothing needs to run from them) in /etc/fstab, so a user-writable volume cannot
host setuid binaries or device nodes

# Logical Volume Management (LVM) #


Features:
1. Volume Sets
2. The ability to aggregate storage from disparate sources into potentially 1
large representation of Enterprise storage
3. Storage Hierarchy - Configuration
a. Physical Volumes (PVs) - distinct partitions/disks that will become part of a
volume group
b. Volume Groups - represent one or more Physical Volumes (PVs) - serves as an
abstraction of storage
c. Logical Volumes - Represent the fraction of storage upon which File Systems
are overlaid
4. LVM Physical Volumes should be flagged as type 'lvm' by the partition manager:
i.e. 'parted', 'fdisk', etc., so other tools recognise them

Tasks:
1. 6-Steps to setup LVM
a. Provision storage and create LVM partitions using: 'parted'
a1. Use Hypervisor tool to add new disks
a2. Use: 'parted' to create label: 'parted /dev/sdd mklabel gpt'
a3. 'parted /dev/sdd mkpart primary 1MiB 100%' - creates partition 1
a4. 'parted /dev/sdd set 1 lvm on' - flags partition 1 as type LVM

b. Create Physical Volume(s)


b1. 'pvcreate /dev/sdc1 /dev/sdd1 && pvdisplay'
c. Create Volume Group - assign PV(s) to the VG
c1. 'vgcreate volgroup001 /dev/sdc1 /dev/sdd1'
NOTE: Each Volume has its unique hierarchy in the '/dev' tree: '/dev/volgroup001'
NOTE: Beneath which, are the distinct logical volumes (LVs), tied to the VG

d. Create Logical Volume (LV) - a representation of some (fraction) or ALL of the
VG storage
d1. 'lvcreate -L 10G volgroup001 -n logvol001' - single-letter unit suffixes (k, m,
g, t)
d2. LVM creates this device for FS overlay: '/dev/volgroup001/logvol001'
e. Overlay our desired FS on the LV
e1. 'mkfs.{ext4,xfs} LV-Device'
f. Mount, Use, and ensure persistence
f1. 'mount /dev/volgroup001/logvol001 /projectx'
g. Create data | test I/O - using: 'dd'
NOTE: If you create identical files on different systems, so long as the inherent
data are identically ordered and presented, the checksums will be identical

2. Rename a logical volume for repurposing


a. '/dev/mapper/volgroup001-logvol001' -> '/dev/mapper/volgroup001-projectx'
a1. 'lvrename volgroup001 logvol001 projectx'
NOTE: LVM logical volume changes on-the-fly, however, the 'df -h' dump is reflected
at the next mount|remount of the volume

3. Resize LVMs - this takes place at the logical volume level


a. 'lvresize -L 15G /dev/volgroup001/projectx'
b. 'resize2fs /dev/volgroup001/projectx' - grows an EXT4 FS online
b1. 'df -h' - confirm new storage
c. Resize XFS volume
c1. Clean-up existing configuration
c1a. 'umount /projectx'
c1b. 'mkfs.xfs -f /dev/volgroup001/projectx' - overlays a NEW XFS FS; '-f' forces
over the existing EXT4 signature and DESTROYS everything on the LV - back up first
NOTE: At this point, the system generates a new UUID for the storage block
NOTE: Confirm with: 'blkid /dev/volgroup001/projectx'
NOTE: Update: /etc/fstab accordingly, then 'mount /projectx' before growing

c2. 'lvresize -L 15G /dev/volgroup001/projectx'
c3. 'xfs_growfs /projectx' - grows the mounted XFS on-the-fly (takes the mount
point), with 'df -h' updates automatically provided

4. Remove logical volumes with: 'lvremove'


5. We're out of space, extend volume group (vg) aggregate
a. provision storage via VM
b. partition && label as LVM
c. 'pvcreate /dev/sde1'
d. 'vgextend volgroup001 /dev/sde1'
e. 'vgdisplay' - should reflect new storage

# User & Group Management #


Features:
1. flat file: /etc/{passwd,group,shadow} DBs
2. Default set includes: 'root', daemons, services, utilities, and the first-user
(created during installation)

Tasks:
1. 'ls -l /etc/{passwd,group,shadow}
2. 'cat /etc/passwd'
'linuxcbt:x:1000:1000:LinuxCBT User:/home/linuxcbt:/bin/bash'
'root:x:0:0:root:/root:/bin/bash'
UID=0, GID=0 - special reservation for 'root'
Accounts with: UID|GID=[1-999] are reserved for system/daemons/utilties/etc.

Key fields in: /etc/passwd

login name:x(shadow reference(/etc/shadow)):UID:GID:Description:$HOME:$SHELL

Key fields in: /etc/shadow

linuxcbt:$6$1u30enqi1ioWNmGv$QbzeBc21/73wkKmENPRRdhDHA.zltwKsVrQVj0tFTdBDaQ8rt0PXspwm6z/0hdUb/m7i4N47Q5Jo6tphnZrDX/:16400:0:99999:7:::
login name:
encrypted password:
Days since Unix epoch, password was last changed:
Days before password may be changed (0=anytime):
Days after which password must be changed (set this to 45-days):
Days before password is to expire that user is warned:
Days after password expires that account is disabled:
Days since Unix epoch, that account has been disabled:
Reserved field
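An added example, not part of the course notes, that audits records in /etc/shadow format using the field layout above. The sample records are constructed: the 'linuxcbt' hash is the one shown above, 'root' carries a placeholder hash, 'svc' has an empty password field, and the finding names (NO_MAX_AGE and so on) are this example's own. The function reads shadow-format lines on stdin and takes today's day number (days since the Unix epoch) as an optional argument so that the result is reproducible:

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format (the 'root' hash is a placeholder).
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16400:0:99999:7:::
linuxcbt:$6$1u30enqi1ioWNmGv$QbzeBc21/73wkKmENPRRdhDHA.zltwKsVrQVj0tFTdBDaQ8rt0PXspwm6z/0hdUb/m7i4N47Q5Jo6tphnZrDX/:16400:0:45:7:::
svc::16400:0:99999:7:::
bin:*:16231:0:99999:7:::
daemon:!!:16231:0:99999:7:::'

shadow_audit() {
  # stdin: shadow-format records; $1: today's day number since the epoch
  # (defaults to the current day). Prints "name:FINDING" per problem found.
  today=${1:-$(( $(date +%s) / 86400 ))}
  awk -F: -v today="$today" '
    NF < 9 { next }                                # malformed record: skip
    $2 == "" { print $1 ":EMPTY_PASSWORD"; next }  # no password needed to log in
    $2 ~ /^[!*]/ { next }                          # locked, or password login disabled
    $5 == "" || $5 + 0 >= 99999 { print $1 ":NO_MAX_AGE"; next }
    today - $3 > $5 + 0 { print $1 ":PASSWORD_EXPIRED" }
  '
}

# Day 16460 is 60 days after the sample last-change dates (16400).
printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit 16460
```

Run against the real file with 'sudo sh -c "shadow_audit < /etc/shadow"' after sourcing the functions; the 99999 value that the default 'useradd' writes into the max-age field is what makes a password never expire, which is the reason the notes above suggest setting that field to 45 days.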

Key fields in: /etc/group

linuxcbt:x:1000:linuxcbt
group name (typically the User Principal Name (UPN) ):
group shadow reference:
GID:
member(s)

Tools:
1. 'useradd'
a. 'useradd -g linuxcbt2 -G wheel -m linuxcbt2'
b. 'groupadd -g 1001 linuxcbt2 && useradd -g linuxcbt2 -G wheel,projectx -m linuxcbt2 && passwd linuxcbt2'

2. 'usermod'
3. 'userdel'
4. 'groupadd'
a. 'groupadd linuxcbt2'
5. 'groupmod'
a. 'nano /etc/group'
NOTE: You may have to re-initiate existing $SHELLs for the new group membership to be
reflected
6. 'groupdel'

NOTE: Regardless of whether directory services are used, 'root' and basic system
accounts are ALWAYS defined in: /etc/{passwd,shadow,group,gshadow}

# Cron - Scheduler #
Features:
1. Scheduler
2. Runs jobs on schedule:
a. minute, hour, day, month, year
3. Assumes computer is always on, unlike: anacron
4. Global schedule: /etc/crontab && /etc/cron* (include directories)
5. Individual schedules: /var/spool/cron - one is stored per user - crontabs
6. Checks ALL config files every minute, including: /etc/anacrontab
7. 'crontab' - used to modify a user's cron table entries
a. 'root' may use this tool to manage other users' cron tables
b. each user may use this tool to manage their own cron table: /var/spool/cron/$USER
8. Permit -> /etc/cron.allow
9. Deny -> /etc/cron.deny

Tasks:
1. '/etc/crontab' - discuss the entries
a. Minute(0-59) - i.e. 31, 1,11,21, 10,33,58, 10-23, */1, */5
b. Hour(0-23) - similar subdivision values apply. i.e. */2, 0,4,12
c. Day of the month(1-31)
d. Month (1-12)
e. Day of the week (Sun,Mon,Tue||0-7)
NOTE: Some systems handle the extreme values for dow differently: 0,7 may be
treated as Sunday or Monday. Consult Cron documentation per system
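An added example, not from the course notes, that implements the field syntax listed above (single values, lists, ranges, '*' and '/N' steps) so that a schedule can be checked before it is installed. Both function names are this example's own. 'cron_field_matches' tests one field against a value; 'crontab_fires' applies all five fields, including the cron(8) rule that a job whose day-of-month and day-of-week are both restricted runs when either one matches. Day-of-week 7 is not normalized to 0 here, for the reason the NOTE above gives:

```shell
#!/bin/sh
set -f   # cron specs contain '*': never let the shell glob them

cron_field_matches() {
  # $1: one crontab field, e.g. '*', '*/5', '1,11,21', '10-23', '10-23/2'
  # $2: the value to test
  # $3: the field's lowest legal value (0 for minute/hour/dow, 1 for
  #     day-of-month/month); it is the base that '*/N' steps count from
  spec=$1; value=$2; fmin=${3:-0}
  oldifs=$IFS; IFS=','; set -- $spec; IFS=$oldifs
  for item in "$@"; do
    step=1
    case $item in
      */*) step=${item#*/}; item=${item%%/*} ;;
    esac
    case $item in
      '*') [ $(( (value - fmin) % step )) -eq 0 ] && return 0; continue ;;
      *-*) lo=${item%-*}; hi=${item#*-} ;;
      *)   lo=$item; hi=$item ;;
    esac
    if [ "$value" -ge "$lo" ] && [ "$value" -le "$hi" ] \
       && [ $(( (value - lo) % step )) -eq 0 ]; then
      return 0
    fi
  done
  return 1
}

crontab_fires() {
  # $1: the five schedule fields of a crontab line ("m h dom mon dow")
  # $2..$6: minute hour day-of-month month day-of-week to test against
  sched=$1; m=$2; h=$3; dom=$4; mon=$5; dow=$6
  set -- $sched
  cron_field_matches "$1" "$m" 0 || return 1
  cron_field_matches "$2" "$h" 0 || return 1
  cron_field_matches "$4" "$mon" 1 || return 1
  # cron(8): when both day fields are restricted the job runs if EITHER matches
  if [ "$3" = '*' ] || [ "$5" = '*' ]; then
    cron_field_matches "$3" "$dom" 1 && cron_field_matches "$5" "$dow" 0
  else
    cron_field_matches "$3" "$dom" 1 || cron_field_matches "$5" "$dow" 0
  fi
}

# Does an 'every 5 minutes, 09:00-17:59, Monday to Friday' job fire at 10:35
# on a Wednesday (day-of-week 3)?
if crontab_fires '*/5 9-17 * * 1-5' 35 10 17 12 3; then
  echo "fires"
else
  echo "does not fire"
fi
```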

2. Simple 'uptime' script

a. create simple BASH script and test from $SHELL
b. 'crontab -e' - edit your own (non-privileged $USER's crontab)
b1. make reference to absolute PATH of job
c. Extract simple metrics from cron-collected data:
awk '{ print $6,$10,$11,$12 }' 20141208.linuxcbtel7desk1.linuxcbt.internal.uptime.log | sed -e 's/,//g'
This extracts the current user count and the 1, 5, and 15-minute load averages, and removes
the superfluous ',' characters from the data
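An added example, not from the course notes, that does the same extraction as the awk|sed pipeline above but locates the fields by their neighbouring words instead of by fixed positions, so it stays correct when the uptime prefix changes shape ("up 10 days, 3:21" versus "up 5 min", "1 user" versus "2 users"). The log lines are constructed, and the function names are this example's own:

```shell
#!/bin/sh
# Constructed uptime lines as a cron job would append them to the log file.
UPTIME_LOG=' 09:00:01 up 10 days,  3:21,  2 users,  load average: 0.15, 0.20, 0.18
 09:05:01 up 10 days,  3:26,  1 user,  load average: 4.72, 2.10, 1.05
 09:10:01 up 5 min,  1 user,  load average: 0.80, 0.40, 0.20'

uptime_metrics() {
  # stdin: uptime lines; stdout: "users load1 load5 load15" per line.
  # The user count sits just before "user"/"users," and the three load
  # averages follow "average:", wherever those words land on the line.
  awk '{
    users = ""; l1 = l5 = l15 = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^users?,?$/) users = $(i - 1)
      if ($i == "average:") { l1 = $(i + 1); l5 = $(i + 2); l15 = $(i + 3) }
    }
    gsub(/,/, "", users); gsub(/,/, "", l1); gsub(/,/, "", l5)
    print users, l1, l5, l15
  }'
}

high_load() {
  # $1: threshold; prints the samples whose 1-minute load average exceeds it
  uptime_metrics | awk -v t="$1" '$2 + 0 > t + 0'
}

printf '%s\n' "$UPTIME_LOG" | uptime_metrics
printf '%s\n' "$UPTIME_LOG" | high_load 1.0
```

'high_load' is the kind of one-line filter worth running over the cron-collected file before looking at anything else: a sample with a 1-minute average far above the 15-minute one points at a spike that started after the previous sample.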

NOTE: 'crontab' utility is the only way for non-privileged $USER to modify their
crontab, as the actual crontab file in: /var/spool/cron is viewable only by 'root'
d. Modify crontab as 'root' because job runs too frequently
#Syslog#
Features:
1. Logs daemon information as well as potentially other sources of data: i.e.
networked devices, remote systems, etc.
2. Supports:
a. Unix Domain Sockets (/dev/log)
b. Internet sockets using: UDP:514 || TCP:514
3. Ability to log to local and remote targets (@hostname) simultaneously
NOTE: Possible Syslog setups in your Prod environment:
a. ALL interconnected devices (routers|switches|firewalls), log to 1 Syslog node,
and that node replicates the logs to 1 or more other Syslog nodes
b. ALL interconnected devices log to 2 or more Syslog nodes simultaneously
4. Default configuration accepts messages on: UDS but NOT on Internet socket
5. Implemented as 'rsyslog'
6. '/etc/rsyslog.conf'
7. RPM = rsyslog
8. In-built rules mechanism routes incoming messages accordingly
a. Facilities - source of information: i.e. mail, local0-7, auth, etc.
b. Levels - Importance of the incoming message - 0(Debug)-7(emerg)
b1. Debug(0), Info(1), Notice(2), Warning(3), Error(4), Crit(5), Alert(6),
Emerg(7)
NOTE: You typically want to capture messages at: Warning(3) and higher
NOTE: Message collection is cumulative up-the-chain:
i.e. Messages captured at the Warning(3) level, will also include more severe
messages levels above, but not less severe messages below: i.e. Notice(2) or lower.
NOTE: This reduces the verbosity and overall data storage requirements by sending
only 'important' messages.

Tasks:
1. Look at primary config file: '/etc/rsyslog.conf'
a. RULES Section
a1. Left side -> Facilities.Levels
a2. Right side -> Destinations
b. 'systemctl restart rsyslog && netstat -nultp | grep 514' - confirm TCP && UDP
bindings
NOTE: '/var/log/messages' -> catchall, so, messages coming from devices that log at
the .info level and more severe, will be logged here as well. i.e. infrastructure
device logs to both its own file and: /var/log/messages
NOTE: To prevent double-logging, exclude using a rule that ends with: i.e.
'local4.none' in the primary catchall rule that routes messages to:
/var/log/messages

c. Create 2 new rules to send messages to: linuxcbtel71 && linuxcbtcent71

NOTE: All messages except: *.Debug, cron.none, authpriv.none, mail.none

d. Alter both rules to ensure that ALL messages, from ALL facilities at
level=info and higher(more severe) are duplicated to both nodes

NOTE: Once you have designated 1 or more Syslog systems, be prepared to parse
NOTE: This is why Syslog messages typically include: HOSTNAME, to help parse the
source of messages
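An added example, not from the course notes, that models how rsyslog evaluates the left-hand side of a rule, so that a catchall rule, the 'local4.none' exclusion from the NOTE above, and the '*.info' forwarding rules from steps c and d can be checked against a given facility and severity without restarting the daemon. Severities are handled by their position in the standard most-severe-first list, matching the cumulative behaviour described above; a later selector in the list overrides an earlier one for the facilities it names. The '=' and '!' level modifiers are not modelled, and the function names are this example's own:

```shell
#!/bin/sh
# Severities most-severe first: a selector "fac.level" matches 'level' and
# every entry before it in this list.
SEVERITIES="emerg alert crit err warning notice info debug"

sev_rank() {
  # prints the position of severity $1 in SEVERITIES; fails if unknown
  rank=0
  for s in $SEVERITIES; do
    if [ "$s" = "$1" ]; then printf '%s\n' "$rank"; return 0; fi
    rank=$((rank + 1))
  done
  return 1
}

selector_matches() {
  # $1: rsyslog selector list, e.g. "*.info;mail.none;authpriv.none"
  # $2: facility of the message   $3: severity of the message
  # Returns 0 when the rule's action (right-hand side) would receive the message.
  sel=$1; fac=$2
  msev=$(sev_rank "$3") || return 2
  matched=1
  oldifs=$IFS; IFS=';'; set -f; set -- $sel; set +f; IFS=$oldifs
  for part in "$@"; do
    pfac=${part%.*}; plev=${part##*.}
    # facility part may be '*' or a comma list such as auth,authpriv
    case ",$pfac," in
      *",*,"* | *",$fac,"*) ;;
      *) continue ;;
    esac
    if [ "$plev" = none ]; then matched=1; continue; fi   # explicit exclusion
    [ "$plev" = '*' ] && plev=debug                        # '*' = every severity
    prank=$(sev_rank "$plev") || continue
    if [ "$msev" -le "$prank" ]; then matched=0; else matched=1; fi
  done
  return $matched
}

# The default /var/log/messages rule with the local4 exclusion added.
RULE='*.info;mail.none;authpriv.none;cron.none;local4.none'
for probe in 'kern warning' 'mail crit' 'local4 err' 'kern debug'; do
  set -- $probe
  if selector_matches "$RULE" "$1" "$2"; then
    echo "$1.$2 -> /var/log/messages"
  else
    echo "$1.$2 -> excluded"
  fi
done
```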

# LogRotate #
Features:
1. System-wide log-rotation capability
2. Archival capabilities
3. Rules-driven:
a. '/etc/logrotate.d' - N number of rules governing various LOG files
b. '/etc/logrotate.conf' - catchall of options and includes: '/etc/logrotate.d'
entries
c. Segments logs: i.e. MAIL, LOCAL, USER, etc.
c1. Logrotate focuses on a discrete set of files, NOT SYSLOG facilities
NOTE: SYSLOG handles the routing of data to target files
NOTE: LOGROTATE merely manages those files
4. Implemented as 'logrotate' package
5. Run daily (/etc/cron.daily/logrotate) by cron
6. Rotation is driven by:
a. Size: i.e. 100k, 100MB, 100GB
b. Time: i.e. daily, weekly, monthly, yearly
7. Both criteria: time and size can be specified simultaneously
NOTE: The first to be realized (time or size) is honored

Tasks:
1. Examine current configuration
a. '/etc/logrotate.conf'
b. '/etc/logrotate.d'
b1. daemon-specific log files rules
NOTE: values not explicitly defined: i.e. 'dateext', or otherwise, at the scope
level of the file, are inherited from the 'global' superscope.

2. Make a few tweaks along the way

a. Change 'syslog' rotation frequency to: 'daily' vs. 'weekly'
b. Enable compression across ALL files

3. Execute 'logrotate'
a. 'sudo logrotate -v -f /etc/logrotate.conf'

NOTE: 1 important reason to ALWAYS compress your logs during rotation is to
minimize the effects of DOS/DDOS attacks on available storage (/var), especially
where /var is on the '/' mount point.

NOTE: logrotate will eventually rotate off your disk the log files based on the
rules defined, so be sure to archive otherwise

NOTE: Any file that is SYSLOG-handled (LOG file is created by SYSLOG), place its
rule within the: /etc/logrotate.d/syslog file to reduce the number of instances of
SYSLOG reload

NOTE: logrotate is merely a script binary, not a daemon, that is resident in the
process table only when called

NOTE: Daily, weekly, monthly jobs are now handled by Anacron: /etc/anacrontab

#Common Network Utilities#

Features:
1. Gather diagnostics
2. Ascertain node names and locations
3. Connectivity L2/L3 information
4. Path between interconnected nodes
5. Put/Fetch files/content from remote systems
6. Ability to sync content across local/remote directories
Tasks:
1. PING - 'ping'
a. 'ping 192.168.75.1' - returns connectivity health between nodes
NOTE: Look for a large STDEV across packets sent/received, as it indicates
connectivity issues
b. 'ping -c 3 192.168.75.1'
NOTE: If ICMP echo-reply/request are filtered then PING will fail you

2. ARP - Address Resolution Protocol

a. 'arp -a' - displays the nodes on your subnet currently held in the local ARP table
(entries are kept only for a limited time)
b. 'rarp' - where available, resolves the known MAC address to the current L3
address

3. Traceroute && MTR - Returns hops between 2 Nodes

a. 'traceroute www.linuxcbt.com' - one-off dump of path
b. 'mtr www.linuxcbt.com' - returns more useful data, and is refreshed constantly

4. Name Resolution Tools

a. 'nslookup' - returns basic answers to queries
a1. 'nslookup www.linuxcbt.com'
b. 'dig'
b1. 'dig @192.168.75.101 www.linuxcbt.com' - queries a specific resolver and
provides more data
b2. 'dig @192.168.75.101 -x 144.76.77.83'
c. 'host www.linuxcbt.com'
d. 'whois linuxcbt.com' - finds IP/Domain ownership information
e. 'whois 144.76.77.83' - returns IP ownership info - typically the HOST

5. 'curl'
a. 'curl http://192.168.75.101/index.html' - dumps remote content to STDOUT
NOTE: By dumping to STDOUT, you can quickly query multiple servers to check
possibly for corrupt content, because 'curl' supports multiple servers, files,
wildcards, etc.
b. 'curl -O http://192.168.75.101/test.data' - pulls the file to a locally-named
equivalent

6. 'wget' - pulls content from remote sources

a. 'wget http://192.168.75.101/test.data'
NOTE: unlike 'curl', wget auto-stores content locally with an equivalent name,
unless otherwise specified
b. 'wget http://192.168.75.101/index.html'

# Time Administration #
Features:
1. Time synchronization && administration
a. Default includes: 'chronyd', which synchronizes the local system against various
sources
NOTE: Sources can be: external clocks, NTP, manual time config via: 'chronyc'
NOTE: 'chronyc' by default, is limited to localhost connections, however, may be
configured to accept remote connections using IP-based security
NOTE: 'chronyd' works well in virtualized, intermittently connected situations
b. Drop-in replacement for NTPD - 'rpm -ql chrony'
b1. Currently, 'chronyd' supports NTPv3 only
c. Only replace with NTP if permanently connected/enabled
d. Currently, symmetric keys for time-synch security are supported
Usage:
1. 'timedatectl'
2. 'timedatectl list-timezones'
3. 'timedatectl set-timezone Asia/Tokyo'
4. 'systemctl reboot && timedatectl '

NOTE: Local time offset is merely used for display purposes. i.e. time values are
stored using UTC

5. 'timedatectl set-ntp 1' - enable NTP synch

'chronyd' config
a. '/etc/chrony.conf'
a1. 'allow 192.168.75.0/24'
a2. 'local stratum 1' - this allows this clock to be favoured by NTP clients
a3. 'sudo systemctl restart chronyd'
b. Point NTP clients to this instance
NOTE: Ensure that iptables is NOT blocking (Default) UDP:123

NOTE: Current time administration involves largely:

1. 'timedatectl'
2. 'chronyd' && possibly 'chronyc' (if one-off time configs are required)
NOTE: IF your system(s) is isolated, then the use of 'chronyc' becomes important
NOTE: IF you replace 'chronyd' with 'ntpd', you will lose the rapid time updates
that are applied to your node

# YUM Package Management #

Features:
1. RPM overlay
a. Robust package management: i.e. 'apt-get'
2. Package life cycle
a. Search
b. Install
c. Update (Individual || Group )
d. Remove
3. Dependencies are auto-resolved: i.e. 'apt-get'
4. Supports Package Groups
a. i.e. Security, etc.
5. Supports Repositories - containers of various packages: typically online
a. Security updates
b. New packages
c. Original (Distribution) packages
NOTE: RedHat 7 HOST requires subscription to use RedHat Repository
NOTE: CentOS is preconfigured with online Repos
6. Transaction history maintained: 'yum history...'
7. Ability to enable|disable Repos on-the-fly

Basic Commands | Usage:

a. 'yum list [installed|available]' - dumps currently-installed packages - supports
globbing
a1. 'yum list wge\*'
b. 'yum group list [ids]'
NOTE: If your system currently has NO Repos defined, then the 'Available' list will
not be reflected. In this case, 'yum' can only work with the local DB
NOTE: 'ids' option returns $SHELL-friendly package group names for usage during
package life-cycle
c. 'yum info package_name'
d. 'yum group info security'
e. 'yumdb info package_name' - returns local metadata - purpose, checksum,
installer, repository, etc. - ancillary, but possibly important metadata
f. 'yum repolist [all]' - dumps enabled [all] configured Repos -
'/etc/yum.repos.d/*.repo'
f1. '[all]' - option returns ALL enabled|disabled repositories
g. 'yum search wget' - searches 'name' and 'summary' fields for package details
g1. 'yum search wget lftp curl' - searches for multiple packages
h. 'yum provides /usr/bin/sha256sum' - same as: 'rpm -qf /usr/bin/sha256sum'
i. 'sudo yum remove lftp'
j. 'sudo yum -y install lftp'
NOTE: 'uname -a' reveals the current platform: i686 | x86_64
NOTE: 'yum' defaults to installing the package that matches your platform
k. 'sudo yum -y install lftp.i686' - forces the installation of the i686 version
of 'lftp' and any needed RPMs

Updates:
a. 'yum check-update' - search for ALL available updates
b. 'yum [-y] update' - updates ALL updatable packages
NOTE: Isn't always desirable
c. 'yum [-y] update package[s]...' - updates specified package[s]
c1. 'yum -y update openssl wget' - selective updates
#YUM Repositories#
Features:
1. Centralized access to content (RPM packages)
a. Network-based
2. Can be: local (file://), remote (http://) || (ftp://)
3. Serves various packages:
a. 'base'
b. 'extras'
c. 'plus'
d. 'updates'
NOTE: These are merely directory trees off the main repository tree
NOTE: Each contains a .repo file and various RPMS
NOTE: Each .repo file describes the content within that tree
e. i.e. 'http://mirror.centos.org/centos/7/' - explore this tree
NOTE: RedHat systems require a subscription to use 'their' CDN for updates, etc.
NOTE: The various branches on repositories are specified in the YUM config files
4. Primary YUM config file: '/etc/yum.conf'
a. Sets globals
b. Includes Repos from: '/etc/yum.repos.d'
5. 'yum repolist' - enumerates enabled Repos
a. You may enable/disable Repos as needed
6. Packages can be flagged to 'install' only and not 'update'
7. 'yum-config-manager' - dumps the current configuration, but also allows Repo
administration

Tasks:
1. 'yum-config-manager [section[s]]'
2. Install YUM Repo
a. One option is to dump the contents of the largest ISO image to a web-accessible
instance
b. Second option is to use the 'createrepo' RPM to setup a tree
3. Commence installation
a. Obtain ISO image and mount and copy contents to a tree somewhere (i.e.
staging)
b. Ensure that the 'createrepo' RPM is installed as it provides us with the
'createrepo' utility
NOTE: 'createrepo' may be run from other distros
NOTE: 'createrepo' utility generates the necessary '.repo' file for usage by
clients
c. Ensure directory tree, with '.repo' file, is in a web-accessible location
d. Add the repository to 1 or more clients and use
NOTE: Ensure that you have a valid RedHat subscription or find a third-party
provider of the 'updates' branch
d1. 'sudo yum-config-manager --add-repo http://192.168.75.101/RHEL/7'
NOTE: 'yum-config-manager' merely writes the '.repo' file to: '/etc/yum.repos.d'
NOTE: Add GPG key as follows: 'rpm --import http://192.168.75.101/RHEL/7/RPM-GPG-KEY-redhat-release'
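An added example, not from the course notes, that audits '.repo' files for enabled repositories that do not enforce package signatures, which is the check to run after adding an internal repository the way step d1 does. The sample file is constructed: its first section is written to resemble the minimal entry '--add-repo' produces (name, baseurl, enabled, and no gpgcheck line, so yum falls back to the global 'gpgcheck' value in /etc/yum.conf), and the finding names are this example's own:

```shell
#!/bin/sh
# Constructed .repo content (several sections, as yum would read them from
# /etc/yum.repos.d/*.repo).
SAMPLE_REPOS='[192.168.75.101_RHEL_7]
name=added by yum-config-manager from http://192.168.75.101/RHEL/7
baseurl=http://192.168.75.101/RHEL/7
enabled=1

[internal-rhel7]
name=Internal RHEL 7 mirror, signatures enforced
baseurl=http://192.168.75.101/RHEL/7
enabled=1
gpgcheck=1
gpgkey=http://192.168.75.101/RHEL/7/RPM-GPG-KEY-redhat-release

[thirdparty]
name=Third-party repo that switched signature checking off
baseurl=http://192.168.75.101/thirdparty
enabled=1
gpgcheck=0

[stale-mirror]
name=Disabled, so not reported
baseurl=http://192.168.75.101/old
enabled=0
gpgcheck=0'

audit_repo_gpgcheck() {
  # stdin: .repo text; stdout: "section:FINDING" for every ENABLED repository
  # that either sets gpgcheck=0 or leaves gpgcheck unset (inherits the global).
  awk '
    function flush() {
      if (sec != "" && enabled != "0") {
        if (gpg == "") print sec ":GPGCHECK_NOT_SET"
        else if (gpg == "0") print sec ":GPGCHECK_DISABLED"
      }
    }
    /^[[:space:]]*\[.*\][[:space:]]*$/ {          # new [section]
      flush()
      sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec)
      enabled = "1"; gpg = ""                      # yum treats a missing enabled= as 1
      next
    }
    /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
    {
      key = $0; sub(/[[:space:]]*=.*/, "", key); gsub(/[[:space:]]/, "", key)
      val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
      if (key == "enabled")  enabled = val
      if (key == "gpgcheck") gpg = val
    }
    END { flush() }
  '
}

printf '%s\n' "$SAMPLE_REPOS" | audit_repo_gpgcheck
```

On a real system run 'cat /etc/yum.repos.d/*.repo | audit_repo_gpgcheck'; a NOT_SET finding is only safe when '/etc/yum.conf' carries 'gpgcheck=1' in its '[main]' section.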

# IP Administration #
Features:
1. DHCP - 'dhclient' is invoked to manage interface(s)
2. Static - settings are stored in interface configuration file:
/etc/sysconfig/network-scripts
3. Both (Dynamic and Static)
4. Temporary configurations
5. Virtual interfaces - Potentially multiple L3 addresses (IPv[4|6])
6. With this release a more complex set of logic is used to promote persistent NIC
nomenclature, with the ultimate fallback resorting to: eth0-N
7. 'NetworkManager' is the primary manager of interfaces
NOTE: If changes are not noticed, try restarting this daemon: 'systemctl restart
NetworkManager'
8. '/etc/init.d/network' - is still applicable - legacy purposes
9. '/etc/init.d/network' && 'NetworkManager' services work in conjunction to
manage interfaces, routes, and various network configuration items by consulting
one another to avoid conflict

Management Tools
1. 'nmtui*' - $SHELL(curses)-based - current limitations: Edit of VPNs, WiFi/WPA,
802.1x connections
2. 'nmcli' - FULL(capable of administering ALL network areas) CLI-suite
3. 'control-center' - GUI - Press 'Super' key - then type:
a. 'control network'
b. 'nm-connection-editor'

Key Directories and Files:

1. 'lspci' - lists PCI-connected devices
2. '/etc/sysconfig/network-scripts' - interface configuration, control and network
functions files
3. '/etc/sysconfig/network' - system-wide(global) settings file: i.e. hostname,
gateway(Default)

Tasks:
1. 'lspci' - identify available NIC(s)
2. 'dmesg' - reflects last-boot detected hardware
3. 'lsmod | grep e100' - check Kernel driver/module
4. 'ifconfig' - dumps current configuration including default IP address
assignment
a. 'DEV' - useful with other commands: i.e. 'ip'
b. MAC Address information
c. MTU
d. Data in/out
e. Error information
NOTE: 'ifconfig' is NOT deprecated, but should not be used for general IP
administration
NOTE: Use: 'ip' command and its sub-commands to manage network details including
IP, etc.

5. '/etc/sysconfig/network' - global settings

6. '/etc/sysconfig/network-scripts' - interface configuration
a. 'ifcfg-lo' - loopback (mandatory) virtual interface
b. 'ifcfg-DEV(s)' - various devices: i.e. ethernet/gigabit interface(s)

7. 'nmtui*' - $SHELL management tools

a. 'nmtui' - 'Edit connection' - lists available interfaces, sans 'lo'
a1. Add Static address to DHCP configuration: '/etc/sysconfig/network-scripts/ifcfg-DEV'
NOTE: 'ifcfg-DEV' file has been updated, but 'NetworkManager' has NOT been notified
a2. 'sudo systemctl restart NetworkManager && ping -c 3 192.168.75.140' -
works!
NOTE: This is NOT necessarily a bad thing, as we can inadvertently disconnect
ourselves remotely by mucking around with IP settings
NOTE: Now, the system is configured in 'Hybrid' mode: DHCP and Static
NOTE: 'ifconfig' reflects only the primary address, NOT the newly-attached address
NOTE: 'nmtui*' changes are permanent - because they update the config files
8. 'ip'
a. 'ip addr [show]' - reveals ALL configuration
b. 'sudo ip addr add ADDR/PREFIX dev DEV' - adds, on-the-fly, a temporary IPv4
address
b1. 'sudo ip addr add 192.168.75.141/32 dev eno16777736'
c. 'sudo ip addr del ADDR/PREFIX dev DEV'
c1. 'sudo ip addr del 192.168.75.141/32 dev eno16777736'

9. Add a range of addresses (192.168.75.150-159) to our server

a. 'for i in `seq 150 159`; do sudo ip addr add 192.168.75.$i/32 dev ens32; done'

10. Update: '/etc/sysconfig/network-scripts/ifcfg-DEV' to include new addresses

11. Drop/Del addresses on-the-fly

a. 'for i in `seq 150 159`; do sudo ip addr del 192.168.75.$i/32 dev ens32; done'

12. Add secondary NIC via VMWare

a. 'ifconfig'
b. 'nmtui'
NOTE: A reboot may be necessary to enable the interface on some systems

# DHCP Server #
Features:
1. Auto-configuration of IP-based client

Tasks:
1. Installation of DHCP Server
a. 'yum search dhcp' - 'dhcp.x86_64' + helper packages
a1. 'sudo yum install dhcp'
NOTE: Post-installation, DHCPD does not auto-start because it lacks a configuration
b. Copy sample '/usr/share/doc/dhcp-4.2.5/dhcpd.conf.example' -> '/etc/dhcp/dhcpd.conf'
b1. 'sudo cp -v /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf'
c. Peruse and modify this sample file to suit our network
NOTE: Our nodes are multihomed, however, DHCPD will only serve on subnets to which:
1. it is connected
2. Has a 'subnet' declaration in the configuration file
NOTE: To ensure that DHCPD does NOT service unauthorized subnets, modify 'systemd'
startup configuration for DHCPD to ensure that it binds to the desired interface(s)
NOTE: This is the equivalent of forcing the daemon to listen to a specific address:
i.e. MTA
c1. Modify sample configuration to suit our: 192.168.76.0/24 subnet
NOTE: Any directive listed outside of curly braces '{}' is a global/system-wide
directive: i.e. 'domain-name' && 'domain-name-servers', etc.

NOTE: Often times, in organizations, ALL nodes belong to a common domain name: i.e.
'linuxcbt.internal', however, if departments have distinct sub-domains, then use
the 'domain-name' option at the subnet scope level: i.e. 'option domain-name
dev.linuxcbt.internal', 'option domain-name sales.linuxcbt.internal'
NOTE: This will ensure that each department's unique domain name is served
accordingly on a per-subnet basis
NOTE: The same applies to other resources: i.e. 'option domain-name-servers'
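An added example, not from the course notes, that makes the scoping rule above checkable: it reads dhcpd.conf text and reports the value a given subnet's clients receive for an option, taking the subnet-scope declaration when one exists and the global one otherwise. The configuration excerpt is constructed around the notes' 192.168.75.0/24 and 192.168.76.0/24 subnets (the 'dev.linuxcbt.internal' override is the one suggested above); the function name is this example's own, and the subnet argument is used as a regular expression, so its dots match any character, which is adequate for this check:

```shell
#!/bin/sh
# Constructed dhcpd.conf excerpt: globals outside the braces, per-subnet
# overrides inside them.
SAMPLE_DHCPD_CONF='# constructed dhcpd.conf excerpt
option domain-name "linuxcbt.internal";
option domain-name-servers 192.168.75.121;
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.75.0 netmask 255.255.255.0 {
  range 192.168.75.150 192.168.75.159;
  option routers 192.168.75.1;
}

subnet 192.168.76.0 netmask 255.255.255.0 {
  range 192.168.76.150 192.168.76.159;
  option routers 192.168.76.1;
  option domain-name "dev.linuxcbt.internal";
}'

dhcpd_effective_option() {
  # $1: subnet network address, $2: option name; dhcpd.conf text on stdin.
  # Prints the subnet-scope value if declared, else the global value.
  awk -v net="$1" -v opt="$2" '
    {
      line = $0; sub(/#.*/, "", line)                 # drop comments
      if (line ~ ("^[[:space:]]*subnet[[:space:]]+" net "[[:space:]]")) target = 1
      if (line ~ ("^[[:space:]]*option[[:space:]]+" opt "[[:space:]]")) {
        val = line
        sub(/^[[:space:]]*option[[:space:]]+[^[:space:]]+[[:space:]]+/, "", val)
        sub(/;[[:space:]]*$/, "", val); gsub(/"/, "", val)
        if (depth == 0) global_val = val               # outside any braces
        else if (target && depth == 1) sub_val = val   # inside the wanted subnet
      }
      depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
      if (depth == 0) target = 0                       # left the subnet block
    }
    END { print (sub_val != "" ? sub_val : global_val) }
  '
}

printf '%s\n' "$SAMPLE_DHCPD_CONF" | dhcpd_effective_option 192.168.76.0 domain-name
printf '%s\n' "$SAMPLE_DHCPD_CONF" | dhcpd_effective_option 192.168.75.0 domain-name
```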

NOTE: Somewhere between the: 'default-lease-time' and 'max-lease-time' the client
and server can agree on the actual lease time

NOTE: DHCPD defaults to logging via: /var/log/messages, however, via 'local7'
facility, you may redirect to another file
NOTE: Clean-up file and include the absolute required directives

d. Attempt to start DHCPD

d1. 'systemctl start dhcpd'
d2. 'sudo netstat -nulp | grep 67'
'udp 0 0 0.0.0.0:67 0.0.0.0:* 24708/dhcpd'
DHCPD uses both: UDP:67(Server) and UDP:68(Client)

e. Ensure that at least 1 DHCP client exists in the served subnet(s)

e1. RHEL-7 Server will function as client
NOTE: server's secondary interface is still not configurable
NOTE: One workaround is to copy the interface config file of an existing interface
and modify
f. Check DHCPD footprint: '/var/lib/dhcpd/dhcpd.leases' - leases are stored here

NOTE: If problems activating interface(s), simply resort to the $SHELL, and copy an
existing interface configuration and modify accordingly

g. Ensure that DHCPD is enabled upon system reboot

g1. 'sudo systemctl enable dhcpd'

h. Redirect 'local7' LOG - pollutes both: /var/log/{boot,messages}.log

h1. 'sudo nano /etc/dhcp/dhcpd.conf' -> 'local6' - change facility
h2. 'local6.none' -> add exception to -> '/etc/rsyslog.conf'

#DNS#
Features:
1. Name-to-IP(Forward) and IP-to-Name(Reverse) resolution
NOTE: Overwhelmingly, humanity performs 'Forward' queries because it is natural and
easier to remember

Tasks:
1. Search and Install BIND as Caching-Only Server
a. 'yum search bind dns' -> 'bind.x86_64'
b. 'sudo yum install bind'

2. Explore
a. '/etc/named'
a1. '/etc/named.conf'
a2. '/var/named' - top-level directory for:
a2a. 'chroot' environment
a2b. 'slaves' zone(s)
a2c. 'master' zone(s)
a2d. Default (loopback, localhost, root DNS servers, etc.)

3. Start Caching-Only Server

a. 'systemctl restart named && netstat -nulp | grep 53' - started and bound to:
loopback
b. bind BIND to ALL addresses: '/etc/named.conf'
c. Update query permissions in: '/etc/named.conf'
'allow-query { 127.0.0.1; 192.168.75.0/24; };' - this allows loopback and local
subnet to query

NOTE: Earlier, when we provisioned the '192.168.76.122' address, it was applied
with a '/32' subnet, which prohibits communications with any other node because it
is outside of the broadcast domain of any other node

4. Primary Service/Zone Hosting

a. 'linuxcbt.internal' - fictitious, internal zone
NOTE: Use whenever possible, existing, properly configured BIND zones: i.e.
linuxcbt.internal
b. Examine and copy the current configuration from Ubuntu instance
c. Update the BIND DB: db.linuxcbt.internal to reflect current conditions: i.e.
SOA, NS and various A records
d. Update: '/etc/named.conf' to reference the new zone as a primary zone
e. Adjust zone file as needed: combination of too high serial value and domain
SOA descriptor

5. Perform queries
a. 'dig @192.168.75.121 linuxcbtrouter1.linuxcbt.internal'

6. Alter TTLs on records: SOA and 'linuxcbtrouter1'

a. 'TTL 3600'
b. '60'
7. Create another primary zone based on working zone: linuxcbt.internal
a. 'linuxcbt.external'
b. 'dig @192.168.75.121 linuxcbtrouter1.linuxcbt.internal'

8. Create SLAVE configuration on Secondary Instance

a. '/etc/named.conf.local'
b. Be sure to 'include "/etc/named.conf.local" ' - from: '/etc/named.conf'

# FTP Server - Services #

Features:
1. VSFTPD
2. Lightweight
3. Fast
4. Reliable
5. Stable
6. Feature-filled
a. VHOSTS
b. Anonymous
c. Jailed users
d. Prohibited/Allowed Users
e. SELinux-integration (Default)

Tasks:
1. Install VSFTPD
a. 'yum search vsftpd'
b. 'yum install vsftpd' - NOT enabled by default
c. 'systemctl status vsftpd'
d. 'sudo systemctl enable vsftpd && systemctl status vsftpd && ps -ef | grep vsftp'

2. Start and use the service

a. 'sudo systemctl start vsftpd' - this enables 'anonymous' and 'LOCAL USER'
access by default
b. 'sudo netstat -ntlp | grep 21' - confirm TCP6(which also encompasses TCP4)
binding
c. 'lftp anonymous@192.168.75.121'
c1. 'pwd' - reflects a CHROOTed 'anonymous' environment, which really resolves
to: /var/ftp
c2. 'grep ftp /etc/passwd'
'ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin'
NOTE: 'anonymous' user is mapped to: 'ftp' user, who may NOT login using terminal-
oriented front-ends: i.e. SSH, Telnet, GNOME, KDE, etc.
NOTE: Default 'anonymous' permissions permit download NOT upload

d. 'lftp linuxcbt@192.168.75.121' - connect as a 'normal' user

NOTE: 'normal' users are NOT CHROOTed by Default: i.e. 'pwd'
NOTE: SELinux prohibits 'normal' users from uploading/downloading to their $HOME
directories

3. Update the SELinux configuration to allow 'normal' users to interact with their
$HOME directories
a. 'getsebool -a | grep ^ftp' - dumps FTP-related SELinux booleans
'ftp_home_dir'
b. 'setsebool -P ftp_home_dir=1'

4. CHROOT 'normal' users to improve Default security

NOTE: Caveat: $HOME directories of $USERs MUST be writable by 'root'
a. '/etc/vsftpd/vsftpd.conf' - update to CHROOT 'local' || 'normal' $USERs

5. Disable 'anonymous' access

a. '/etc/vsftpd/vsftpd.conf'
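An added example, not from the course notes, that checks a vsftpd.conf for the risky effective settings tasks 4 and 5 address: anonymous access left on, local users not chrooted, and a chroot made writable again. Unset options fall back to the defaults documented in vsftpd.conf(5), which is why an empty file still reports anonymous access. The two configuration excerpts are constructed (one shaped like the shipped default, one hardened), and the finding names are this example's own:

```shell
#!/bin/sh
# Constructed vsftpd.conf excerpts.
DEFAULT_VSFTPD='anonymous_enable=YES
local_enable=YES
write_enable=YES
xferlog_enable=YES
listen=NO
listen_ipv6=YES'

HARDENED_VSFTPD='anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
xferlog_enable=YES
listen=NO
listen_ipv6=YES'

audit_vsftpd_conf() {
  # stdin: vsftpd.conf text; stdout: one finding per risky effective setting.
  awk -F= '
    function eff(k, d) { return (k in cfg) ? cfg[k] : d }   # value or documented default
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
      key = $1; val = toupper($2)
      gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
      cfg[key] = val
    }
    END {
      if (eff("anonymous_enable", "YES") == "YES") print "ANONYMOUS_ENABLED"
      if (eff("anon_upload_enable", "NO") == "YES") print "ANONYMOUS_UPLOAD"
      if (eff("anon_mkdir_write_enable", "NO") == "YES") print "ANONYMOUS_MKDIR"
      if (eff("local_enable", "NO") == "YES" && eff("chroot_local_user", "NO") != "YES")
        print "LOCAL_USERS_NOT_CHROOTED"
      # vsftpd refuses to chroot into a writable directory unless this is set,
      # and setting it gives back the write access the refusal was protecting against
      if (eff("chroot_local_user", "NO") == "YES" && eff("allow_writeable_chroot", "NO") == "YES")
        print "WRITABLE_CHROOT"
      if (eff("xferlog_enable", "NO") != "YES") print "XFERLOG_DISABLED"
    }
  '
}

echo "shipped-style config:"; printf '%s\n' "$DEFAULT_VSFTPD" | audit_vsftpd_conf
echo "hardened config:";      printf '%s\n' "$HARDENED_VSFTPD" | audit_vsftpd_conf
```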

6. LOGGING
a. '/var/log/messages' - service/daemon(VSFTPD) behaviour(up/down/etc.)
b. '/var/log/xferlog' - uploads/downloads - movement of content

#Apache Web Services #

Features:
1. HTTPD Server
2. Single binary handles:
a. Prefork(Default)
b. Worker (Threaded)
c. Event (Conservative/efficient threading)

Tasks:
1. Install
a. 'sudo yum install httpd'
b. 'sudo systemctl enable httpd'
c. 'sudo systemctl start httpd'
d. 'ps -ef | grep httpd' - reveals 6 processes
d1. Master process, which spawns N number of child processes
d2. 5 child processes

2. Explore the environment

a. '/etc/httpd' - config container (ServerRoot) - top-level
a1. '/etc/httpd/conf/httpd.conf' - drives the default web server and includes
ALL other files
a2. '/etc/httpd/conf.d/' - common *.conf files: i.e. welcome, autoindex,
etc.
a3. '/etc/httpd/conf.modules.d' - load files for 'enabled' modules
a4. '/etc/httpd/logs' -> /var/log/httpd - Apache LOGs(error,access)
a5. '/etc/httpd/modules' -> /usr/lib64/httpd/modules - ALL Apache modules
a6. '/etc/httpd/run' - PID files and run-time files created by Apache
b. '/var/www' - Default web site content directory
b1. '/var/www/html' - place content here
b2. '/var/www/cgi-bin' - place CGI scripts here

c. Update: '/etc/hosts' to suppress startup error concerning inability to resolve
hostname
c1. place FQDN here
c2. '/etc/httpd/conf/httpd.conf' -> update: 'ServerName' directive to FQDN
c3. 'apachectl configtest && apachectl graceful'

d. 'apachectl' - interacts directly with Apache HTTPD

d1. 'apachectl status'
d2. 'apachectl configtest' - checks for syntax errors across the config:
httpd.conf and all included items
NOTE: Prior to the restart/graceful of Apache, ALWAYS run 'apachectl configtest' to
reduce the likelihood of the inability to restart Apache, causing downtime

3. Install Manual: 'sudo yum install httpd-manual'

a. '/etc/httpd/conf.d/manual.conf' - controls access to the manual
b. Secure access to the manual to desirable nodes/networks/etc.
b1. 'Order Deny,Allow
Deny From ALL
Allow From 127.0.0.1 ::1 192.168.0.0/16 10.0.0.0/8'
NOTE: The Apache manual is unlikely to pose a security threat, however, securing
it, albeit at the IP-level, lends practice in securing access to content

4. Apache LOGs - Features: Error(inability to access content, various 2xx-5xx
errors), Access(hits), Customizable Access LOGS (represent variables of our
choosing)
NOTE: '/etc/httpd/conf/httpd.conf' - contains LOG variable assignments
a. '%h' - connect host
b. '%l' - ident check - usually '-' - deprecated
c. '%u' - connecting user - usually '-' - Noted if user has actually
authenticated
d. '%t' - timestamp - day(2-digits)/Month(3 letters)/Year(4-
digits):Hour:Minute:Second-TimeZone
e. '%r' - request method (GET/POST/etc.)
f. '%>s' - status code returned to the client - 2xx-5xx
g. '%b' - size of content returned to client - Optional: '%B' - logs '0' instead
of '-' for zero bytes returned for applications that need a quantity
NOTE: '%B' saves us from having to translate: '%b' value of '-' as meaning '0'
bytes
h. '%{Referer}i' - Referrer to our site - usually IP address of sending site
i. '%{User-agent}i' - Browser/User-client used to access our content: i.e. mobile,
desktop, etc.
j. '%I' - Bytes In
k. '%O' - Bytes Out
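An added example, not from the course notes, that parses access-log lines written with the 'combined' LogFormat ('%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"') and summarizes, per connecting host, how many requests ended in a 4xx/5xx status and how many bytes were returned. Splitting on the double quotes first is what keeps the request field, which contains spaces, from shifting the status column. The log lines are constructed, and the function name is this example's own:

```shell
#!/bin/sh
# Constructed access log lines in 'combined' format.
SAMPLE_ACCESS_LOG='192.168.75.140 - - [08/Dec/2014:10:15:32 -0500] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.29.0"
192.168.75.140 - - [08/Dec/2014:10:15:40 -0500] "GET /manual/ HTTP/1.1" 403 - "-" "curl/7.29.0"
192.168.75.141 - linuxcbt [08/Dec/2014:10:16:02 -0500] "POST /cgi-bin/test.cgi HTTP/1.1" 500 0 "http://site1.linuxcbt.internal/" "Mozilla/5.0"
192.168.75.140 - - [08/Dec/2014:10:16:10 -0500] "GET /nope HTTP/1.1" 404 209 "-" "curl/7.29.0"'

access_log_summary() {
  # stdin: combined-format access log; stdout: "host errors bytes" per host,
  # most errors first. Fields split on the quotes: $1 = "%h %l %u %t ",
  # $2 = %r, $3 = " %>s %b ", $4 = Referer, $6 = User-agent.
  awk -F'"' '{
    split($1, pre, " "); host = pre[1]
    split($3, post, " "); status = post[1]; bytes = post[2]
    if (bytes == "-") bytes = 0          # %b logs "-" for zero bytes; %B would log 0
    seen[host] = 1
    if (status + 0 >= 400) errors[host]++
    total[host] += bytes
  }
  END { for (h in seen) print h, errors[h] + 0, total[h] + 0 }' | sort -k2,2nr -k1,1
}

printf '%s\n' "$SAMPLE_ACCESS_LOG" | access_log_summary
```

Run it against '/var/log/httpd/access_log' (or a per-VHost access log) to see which hosts generate the error traffic; a host with many 403/404 responses and few 200s is the usual shape of a scanner rather than a visitor.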

NOTE: 'error_log' does NOT use the 'LogFormat' VARs in its messages but rather has
a SYSLOG style representation:
a. TimeStamp
b. Section of Apache that generated the message
c. PID
d. Daemon/Apache area service
e. Message

#Virtual Hosts#
Features:
1. 2-Types
a. IP-Based - one site(web) per IP address - inefficient usage of IPs
b. Host Header Name-based - multiple sites per IP address - efficient way of
using scarce IPv4 resources - relies upon HTTP1.1+

Tasks:
1. IP-Based - .131,.151,.152, .161,.162,.163
a. Add some spare addresses
b. Test access sans VHosts - examine default behaviour of default site
NOTE: By default, Apache serves the 'Default' HOST via ALL accessible IPs on the
system

c. Define IP-based HOST tied to: 192.168.75.{131,151}

<VirtualHost 192.168.75.131>
ServerAdmin webmaster@linuxcbtel71.linuxcbt.internal
ServerName site1.linuxcbt.internal
DocumentRoot /var/www/site1
<Directory /var/www/site1>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from ALL
</Directory>
ErrorLog logs/site1.linuxcbt.internal.error_log
CustomLog logs/site1.linuxcbt.internal.access_log combined
</VirtualHost>

d. 'mkdir /var/www/site1'
e. 'echo "TEST of SITE1: from linuxcbtel71.linuxcbt.internal" >> /var/www/site1/index.html'
f. 'apachectl graceful && httpd -S' - reload and ensure that VHost is configured

2. Replicate configuration on same and CentOS node

3. Name-Based Virtual Hosts

a. Ensure ALL VHosts, where desired, share the same IP
b. Ensure ALL VHosts, sharing the same IP, have the 'ServerName' directive
declared
c. 'apachectl configtest && apachectl graceful && httpd -S'
NOTE: The new Name-Based VirtualHost configuration shows the fallback VHost, in the
event that the client requests the IP address from the user-agent without the
hostname: i.e. http://192.168.75.161 as opposed to: http://site3.linuxcbt.internal
d. Ensure DNS/Name resolution services(i.e. /etc/hosts) are properly configured
d1. Update DNS and ensure client uses DNS

4. Segregate LOGs per VHost

NOTE: Currently, ALL VHosts are LOGGING via default catchall LOGs:
/var/log/httpd/{access,error}_log

# MariaDB #
Features:
1. RDBMS fork/spawn of MySQL

Tasks:
1. Install MariaDB via YUM
a. 'sudo yum install mariadb mariadb-server'
b. 'sudo systemctl enable mariadb && sudo systemctl start mariadb'
c. 'netstat -ntlp | grep 3306'

2. Secure the installation: enforces 'root' password, removes 'anonymous' access,
etc.
a. 'mysql -u root' - connects sans password
b. 'select user,password,host from mysql.user;' - returns ALL users sans
passwords
c. 'mysql_secure_installation'
d. Test access using: 'root' and 'anonymous'

3. MySQL back-end usage largely consists of connecting with an appropriate front-end:
a. 'mysql' - terminal monitor
b. Upon invocation, 'mysql' client utilities read config directives from the
following:
b1. '/etc/my.cnf' - system-wide - and includes ALL 'include'd files
b2. $HOME/.my.cnf - User-wide
b3. Command Line Options (CLI) - overrides all aforementioned
4. Create, Use, Destroy simple AddressBook DB:
a. 'create database addressbook;'
b. 'create table contacts ( `fname` char(20), `lname` char(20), `bus_phone1`
char(20), `email` char(30), PRIMARY KEY (`email`) ); '
c. INSERT INTO contacts (fname,lname,bus_phone1,email) VALUE
('Dean','Davis','+18885734943','sales@linuxcbt.com');
d. UPDATE contacts SET lname='EMPLOYEE';
e. DELETE FROM contacts where fname='dean';
f. TRUNCATE contacts; - wipes table clean
g. DROP database addressbook;

# NMap #
Features:
1. Reconnaissance tool - gather information about network participants, services,
etc.
2. Port Scanning -> TCP:{22,80,21,3306},ICMP
3. Host | Device detection -> Mobile, Known Desktop(DELL), etc.
4. Service detection -> What version of SSH, Apache, etc.
5. OS Fingerprinting -> What OS? Which version?
6. Multi-target scanning - expedites the overall scan
7. Largely: Reconnaissance, and partly vulnerability scanner (via NSEs)

Tasks:
1. Install
a. 'yum install nmap' -> 6.40x
b. Absolute latest version -> insecure.org/nmap - this is the PROD route

2. Host | Device Detection

a. 'nmap -v localhost' - scan yourself - start with the known
NOTE: This basic scan does many things:
1. ICMP test of whether the TARGET is available
2. If ICMP fails, other methods are attempted, and if one succeeds, NMap moves on
to the 1000 well-known ports
3. Finds open ports and reports on them
4. Summary is provided
NOTE: Scan summary reveals that there are 2 more ports open on loopback than the
routable IP: TCP:{631,25}

b. 'nmap -v 192.168.75.0/24'
NOTE: These non-privileged scans are invoked as TCP:CONNECT scans, which complete
the entire TCP lifecycle, which results in a larger LOG footprint on the TARGET
NOTE: To improve stealth, execute 'nmap' as the privileged user 'root' - TCP:SYN
(half-open connections)

c. 'nmap -v -sP 192.168.75.0/24' - quick check of ICMP-available nodes - returned
in 3.20 sec instead of roughly 44 seconds (regular TCP:Connect scan)

d. 'sudo nmap -v 192.168.75.0/24' - TCP-SYN - slower, but fewer 'breadcrumbs' are
left behind
NOTE: Use this option for legitimate scans to reduce the footprint in your LOG
files

e. 'nmap -v -A 192.168.75.0/24' - all-encompassing scan: service detection,
scripts, OS, etc.
NOTE: Reducing the target list may not save much time because NMap quickly
determines which nodes of your entire proposed range are up
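As an added example (not from the LinuxCBT notes), the defensive side of the scans above: a shell filter that reads nmap's grepable output (-oG), lists a host's open TCP ports and flags any that are not on an approved list for that host. The scan lines embedded in it are constructed sample output, using the loopback ports the notes mention; GNMAP_FILE and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: compare a legitimate scan of your
# own hosts against an allow-list of expected open ports.
# SAMPLE_GNMAP is CONSTRUCTED output in 'nmap -oG -' (grepable) format; for a
# real run use:  nmap -oG scan.gnmap 192.168.75.0/24  and point GNMAP_FILE at it.
TAB=$(printf '\t')
SAMPLE_GNMAP=$(printf '%s\n' \
  "# Nmap 6.40 scan initiated (constructed sample)" \
  "Host: 192.168.75.17 ()${TAB}Status: Up" \
  "Host: 192.168.75.17 ()${TAB}Ports: 21/filtered/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///${TAB}Ignored State: closed (996)" \
  "Host: 127.0.0.1 (localhost)${TAB}Status: Up" \
  "Host: 127.0.0.1 (localhost)${TAB}Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 631/open/tcp//ipp///${TAB}Ignored State: closed (996)")

# open_tcp_ports <host> [gnmap-file] : the open TCP ports of <host>, one per line
# (filtered/closed entries are skipped). Reads the sample when no file is given.
open_tcp_ports() {
    host="$1"; file="${2:-$GNMAP_FILE}"
    { if [ -n "$file" ]; then cat -- "$file"; else printf '%s\n' "$SAMPLE_GNMAP"; fi; } |
    awk -v h="$host" -F "$TAB" '
        index($1, "Host: " h " ") == 1 {            # exact host match, no regex
            for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) {
                sub(/^Ports: /, "", $i)
                n = split($i, entry, /, /)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")          # port/state/proto/owner/service/...
                    if (f[2] == "open" && f[3] == "tcp") print f[1]
                }
            }
        }' | sort -n
}

# unexpected_ports <host> <allowed-port>... : open ports absent from the allow-list.
unexpected_ports() {
    host="$1"; shift
    allowed=" $* "
    open_tcp_ports "$host" | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;                         # approved for this host
            *) printf '%s\n' "$port" ;;             # review: new service or misconfig
        esac
    done
}

# The notes saw TCP 25 and 631 on loopback but not on the routable IP; with an
# allow-list of 22 and 80:   unexpected_ports 127.0.0.1 22 80   -> 25 and 631
```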

# Packet Capturing - TCPDump #
Features:
1. Packet Capturing
2. Works using 3 qualifiers (BPF):
a. Type - host|net|port
b. Direction - src, dst, src or dst, src and dst (i.e. NTP, SYSLOG, TFTP)
c. Protocol - ip, tcp, udp, etc.
NOTE: By Default, you can capture traffic:
a. To and from your system
b. Broadcast traffic
NOTE: If you desire to see|capture traffic between 2 remote nodes, then you'll need
to mirror the packets to your system's interface

Usage:
1. 'sudo tcpdump -v[v]' - dumps packets to|fro local system and potentially
broadcast packets
2. 'sudo tcpdump -w `date +%F`-01.capture -v -i eno16777736' - does NOT dump to
STDOUT, but rather, reports the number of packets captured thus far and writes to a
file
NOTE: 'tcpdump -w...' - captures ALL layers, so you can then post-process with BPFs
3. 'tcpdump -r 2014-12-23-01.capture' - replays the captured packets (137 packets)
4. 'tcpdump -c 30 -w `date +%F`-02.30-packets.capture -i eno16777736' - captures
30 packets and exits
5. 'tcpdump -A -v -i eno16777736' - dumps L3 details
6. 'tcpdump -e -v -i eno16777736' - dumps L2 details
7. 'tcpdump -n -e -v -i eno16777736' - refrain from name resolution - improves
performance
8. 'tcpdump -n -e -v -i eno16777736 host 192.168.75.121 and host 192.168.75.17'
9. 'tcpdump -n -e -A -v -i eno16777736 host 192.168.75.121 and tcp port 21'
10. 'tcpdump -n -e -A -v -i eno16777736 udp port 123' - capture ALL witnessed
UDP:123 traffic

# FirewallD - IPTables Front-End #

Features:
1. 'firewall-config' GUI || 'firewall-cmd' TUI -> 'firewalld' -> IPTables ->
Kernel NetFilter
2. 2 Perspectives on the application of rules:
a. Run-time configuration
b. Permanent configuration - initiated during one of the following conditions:
b1. System initialization
b2. Firewall reload
NOTE: You can compare both: Permanent and Run-time configurations to Cisco's:
Startup and Running configurations
3. Provides various network zones (IPTables Chains)
a. Public (untrusted) - Outbound traffic is permitted, inbound NOT unless sourced
from us
b. Work (trusted) - Traffic to-and-fro are trusted
c. Home (trusted) " "
d. DMZ (trusted/untrusted => Restricted) - Inbound traffic comes from the Net and
DMZ interface(s) may source explicitly permitted traffic inbound to target systems:
i.e back-end RDBMS
e. etc.
4. The ability to generate/define custom zones
5. Service configuration | provisioning: i.e. 'DNS'(TCP|UDP:53) -> can be applied
to various zones
NOTE: The ability to group a variety of protocols and port combinations into one
unit for rules application is important
6. Panic mode - drops ALL communications: i.e. DDOS or other attack
NOTE: This mode will also drop your remote connection unless it is out-of-band:
i.e. serial or third-party NIC connecting to the node
NOTE: Ensure that ALL servers have a third-party, out-of-band means of accessing
the system
NOTE: Ensure that the out-of-band method provides FULL OS access: i.e. KVM, etc.

Usage:
1. Ensure 'firewall-config' is installed
NOTE: 'firewall-cmd' is installed by default, but is somewhat useless because of
the myriad options
a. 'sudo yum -y install firewall-config'

2. Access 'firewall-config' via:

a. 'Key' -> 'firewall-config'
b. $SHELL -> 'firewall-config'
NOTE: Ensure that you are in the desired mode upon invocation:
c. 'Runtime'
d. 'Permanent'
e. Test current configuration (firewall) from remote system using: 'nmap'
e1. 'nmap -v 192.168.75.17' - TCP:CONNECT - but failed due to lack of deeper
inspection
e2. 'sudo nmap -v 192.168.75.17' - TCP:SYN - worked
3. Panic Mode - drop ALL communications
a. 'firewall-config' GUI -> Options -> Panic Mode
b. Test communications - ALL fail until 'Panic Mode' is lifted
4. Shift Interface(s) to appropriate Zone(s): i.e. 'Public' -> 'Work'
a. Options -> Change default Zone and zone of Interface(s) to suit your actual
environment

5. Reload the configuration without committing changes to the 'Permanent'
configuration and evaluate
a. 'sudo firewall-cmd --reload' || from 'firewall-config' GUI
b. 'sudo iptables -L' - confirm re-established(saved) rules
NOTE: Changes to the 'Permanent' configuration do NOT impact the 'Run-time'
configuration unless you 'Reload' the configuration using one of the management
tools

6. Create 'PROD' service as an aggregate of ALL mandatory PROD services
a. 'PROD' will contain: http,https,ssh,mysql,dns
b. 'sudo firewall-cmd --reload' && possibly reload from GUI to reflect new
service

NOTE: You currently cannot modify properties of the 'Runtime' configuration, as it
is merely an instance of the saved 'Permanent' configuration. To make changes,
update the 'Permanent' configuration and 'Reload' so that it is reflected in the
'Runtime' configuration.

NOTE: Ensure that defined service(s) is applied to desired zone(s)
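As an added example (not from the notes or the firewalld project), the 'PROD' aggregate from step 6 written out as a firewalld service file by a small shell helper; the port set (http, https, ssh, mysql, dns) is the one listed above, while the helper, the validation and the description text are my assumptions.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: write the 'PROD' aggregate service
# as a firewalld service file. The element layout is the one used by the stock
# files under /usr/lib/firewalld/services/; the description text is mine.

# firewalld_service_xml <short-name> <description> <port/proto>...
# Prints the document for /etc/firewalld/services/<short-name>.xml, or
# returns 1 (with a message on stderr) for a malformed port/proto entry.
firewalld_service_xml() {
    short="$1"; desc="$2"; shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
    for spec in "$@"; do
        port="${spec%/*}"; proto="${spec#*/}"
        case "$proto" in tcp|udp) ;; *) echo "bad protocol: $spec" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port: $spec" >&2; return 1 ;; esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $spec" >&2; return 1
        fi
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '</service>\n'
}

# The PROD service from the notes: http, https, ssh, mysql and dns (tcp and udp).
prod_service_xml() {
    firewalld_service_xml PROD "Aggregate of mandatory PROD services" \
        80/tcp 443/tcp 22/tcp 3306/tcp 53/tcp 53/udp
}

# Number of <port/> elements in the PROD file, a sanity check before installing it.
prod_port_count() { prod_service_xml | grep -c '<port '; }

# Install and bind to a zone (needs root; left commented so the example runs offline):
#   prod_service_xml | sudo tee /etc/firewalld/services/PROD.xml >/dev/null
#   sudo firewall-cmd --reload                                  # learn the new service
#   sudo firewall-cmd --permanent --zone=work --add-service=PROD
#   sudo firewall-cmd --reload && sudo firewall-cmd --zone=work --list-services
```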

# SELinux #
Features:
1. Restricts access by SUBJECTS (users and/or processes) to: OBJECTS (files)
a. SUBJECTS:
a1. Any user attached in any form to the system
a2. Processes, which are attached to users attached to the system

b. OBJECTS:
b1. Any file on the system
b2. '-', 'd', 'c', 'b', etc.

2. Provides: Mandatory Access Controls (MACs)
3. MACs stand in stark contrast to: Discretionary Access Controls (DACs)
NOTE: DACs are standard Linux/Unix file system permissions
4. Provides, via policy (per subject -> object(s)), much more granular control of
access to objects
5. SELinux provides a way to separate: users, processes, from objects via labeling
of objects and subjects and monitors/controls their interaction

6. Provides: Types (applied to objects) - Types are labels applied to objects and
subjects
7. SELinux policy specifically defines and enforces permissions based on the
myriad labels assigned to: subjects and objects
8. When a Type is applied to a process it is called a: domain
9. Domains provide virtual sandboxes for processes
10. 'sestatus' - reveals current status
11. 'setenforce' - enabling | disabling of SELinux mode of operation: permissive ||
enforcing
12. Audit LOG: '/var/log/audit/audit.log' - search here for SELinux-related
problems
13. Advanced Vector Cache (AVC) is responsible for providing/denying/logging access
by subjects to: objects
NOTE: Look for: 'avc' messages throughout your logs for details on potential
breaches as well as other LOG data
14. '/sys/fs/selinux' - pseudo-directory where user-space tools may interact with
the SELinux/Kernel
15. '/etc/selinux' - current policy is revealed
16. 'setsebool' - sets boolean values for SELinux typically related to
features/restrictions applied, via the default: 'targeted' policy, to domains: i.e.
HTTPD
i.e. If HTTPD is unable to enter: '/home' || $HOME there is a boolean which can be
enabled to permit access
a. 'setsebool -P' - use this option to set booleans persistently
17. 'getsebool' - dumps the current booleans
a. 'getsebool -a' - dumps ALL booleans

18. 'ls -Z ...' - enumerates SELinux related data
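As an added example (not from the notes), a shell filter that pulls the 'avc: denied' records out of the audit LOG from items 12 and 13 and reduces each to process, permission, source domain, target type and class; the log lines embedded in it are constructed samples (including the HTTPD-into-$HOME case from item 16), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: pull the AVC denials out of
# /var/log/audit/audit.log and reduce each to the fields that matter for triage:
# process, denied permission, source domain, target type and object class.
# SAMPLE_AUDIT_LOG is CONSTRUCTED audit.log content in the real record format.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1419379400.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1419379400.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1419379455.789:470): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=USER_LOGIN msg=audit(1419379500.001:480): pid=2000 uid=0 auid=1000 res=success'

# avc_denials [audit-log...] : one line per denial:
#   <comm> <permission(s)> <source domain> <target type> <class>
# Reads the constructed sample when no file is given.
avc_denials() {
    { if [ $# -gt 0 ]; then cat -- "$@"; else printf '%s\n' "$SAMPLE_AUDIT_LOG"; fi; } |
    awk '/^type=AVC / && / denied / {
        perm = $0; sub(/.*\{ /, "", perm); sub(/ \}.*/, "", perm)   # text inside { }
        comm = "?"; src = "?"; tgt = "?"; cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm="|"$/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }   # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print comm, perm, src, tgt, cls
    }'
}

# avc_denials_for <domain> [audit-log...] : denials whose source domain is <domain>,
# e.g. httpd_t. A user_home_t target from httpd_t is the case the notes describe;
# 'getsebool -a | grep httpd' lists the booleans that govern it.
avc_denials_for() {
    domain="$1"; shift
    avc_denials "$@" | awk -v d="$domain" '$3 == d'
}

# Counting by (domain, target, class) shows which policy gap recurs:
#   avc_denials /var/log/audit/audit.log | awk '{print $3, $4, $5}' | sort | uniq -c | sort -rn
```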

# SFTP-Only - SSH Account #

Features:
1. File transmissions ONLY
2. NO TTY is assigned to connecting user
3. More secure than a full SSH connection
a. It limits the total set of executable commands (SFTP commands only)
4. Facilitates uploading/downloading various files

Tasks:
1. Examine current default
a. Sans: 'nologin' $SHELL tied to user's account, users can typically SSH and
obtain a TTY

2. Implement SFTP-Only account
a. Ensure: $HOME (the chroot target) is owned by 'root', NOT by the $USER whose home
it is
'drwx------. 17 linuxcbt linuxcbt 4096 Jan 24 01:19 /home/linuxcbt'
a1. 'sudo chown root.root ~linuxcbt && ls -ld ~linuxcbt'
a2. 'sudo chmod 755 ~linuxcbt'

3. Update system-wide SSH configuration to force SFTP-only sessions for the named
account:
a. '/etc/ssh/sshd_config'
'ChrootDirectory /home/linuxcbt'
'ForceCommand internal-sftp'
'AllowTCPForwarding no'
'X11Forwarding no'
b. 'sudo systemctl restart sshd'
c. Confirm SFTP-only connectivity
4. Revert ~linuxcbt permissions and test
a. 'sudo chown linuxcbt.linuxcbt /home/linuxcbt'
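As an added example (not from the notes), a shell check for the ownership rule behind step 2 (sshd refuses a ChrootDirectory unless it and every parent directory are root-owned and not group- or world-writable) together with the sshd_config stanza from step 3 wrapped in a 'Match User' block so it applies only to the named account; the function names and the Match wrapping are my additions.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: verify the ChrootDirectory
# ownership rule that sshd enforces (root-owned, not group- or world-writable,
# for the directory and every parent) before restarting sshd, and print the
# sshd_config block that confines one account to SFTP. The directive set is
# the notes'; scoping it with 'Match User' to a single account is mine.

# chroot_component_ok <uid> <octal-mode> : 0 if one path component is acceptable.
chroot_component_ok() {
    [ "$1" -eq 0 ] || return 1                   # must be owned by root
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1       # no group/other write bit
    return 0
}

# chroot_path_ok <dir> : walk <dir> and its parents with stat(1) (GNU coreutils);
# reports the first unsafe component on stderr.
chroot_path_ok() {
    dir="$1"
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 1
        set -- $info
        chroot_component_ok "$1" "$2" ||
            { echo "unsafe component: $dir (uid $1, mode $2)" >&2; return 1; }
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# sftp_only_block <user> <chroot-dir> : sshd_config stanza for an SFTP-only account.
sftp_only_block() {
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# Usage (root):
#   chroot_path_ok /home/linuxcbt && sftp_only_block linuxcbt /home/linuxcbt |
#       sudo tee -a /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl restart sshd
```

Because the chroot root is owned by root, the account can only write inside a subdirectory it owns (for example an uploads/ directory created for it, an assumption not covered by the notes).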

# SFTP-Only - Forced Files Nomenclature - ~/.ssh/authorized_keys #

Features:
1. Ability to control users' logins via: ~/.ssh/authorized_keys file
2. The client will be relegated to SFTP-only, with the enforcement of the creation of
a particular file name pattern: i.e. SFTP Client -> SERVER -> client_a.$$
NOTE: This yields a predictable file nomenclature which is useful for process
purposes
3. Extension of SFTP-Only access
4. Does NOT require modification to: /etc/ssh/sshd_config: i.e. SFTP-Only

CAVEAT: Unless you restrict the $USER from modifying the ~/.ssh/authorized_keys file,
there is the risk that they may override your directive (unlike
'/etc/ssh/sshd_config')

Tasks:
1. 'adduser linuxcbtsftp1 && passwd linuxcbtsftp1'
2. Setup PKI-based login
3. Modify TARGET (SERVER): $HOME/.ssh/authorized_keys - place options before
'ssh-rsa KEY'
4. Test normal SSH connection from CLIENT -> no-pty allocated
5. Use account to move data via: 'dd'
a. 'dd if=1000.txt | ssh 192.168.75.17' - produces the same content from CLIENT
on SERVER
NOTE: This mechanism supports the execution of most commands, including $SHELL
scripts
NOTE: The CLIENT can use different SSH keys to execute different commands on the
SERVER
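As an added example (not from the notes), the forced command behind the client_a.$$ naming scheme from step 3 and the authorized_keys options that pin one key to it; the script path, upload directory and prefix are assumed names.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: a forced command that implements
# the "client_a.$$" file-naming scheme from the notes. The key's authorized_keys
# entry pins the key to this script and strips the extras the notes list
# (no pty, no forwarding), so the client can only stream a file to the server.
# Script path, upload directory and the prefix name are my assumptions.

# receive_upload <dir> <prefix> : write stdin to <dir>/<prefix>.<pid>, never
# overwriting, and print the resulting path. $$ is the PID of this script run,
# which is what makes the name predictable yet unique per connection.
receive_upload() {
    dir="$1"; prefix="$2"
    case "$prefix" in ''|*[!A-Za-z0-9_-]*) echo "bad prefix" >&2; return 1 ;; esac
    out="$dir/$prefix.$$"
    ( set -C; cat > "$out" ) || return 1            # set -C: refuse to clobber
    printf '%s\n' "$out"
}

# authorized_keys_entry <script> <pubkey-line> : the line to place in
# ~/.ssh/authorized_keys (options first, then the 'ssh-rsa KEY' material).
authorized_keys_entry() {
    printf 'command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$1" "$2"
}

# When sshd runs this as the forced command, SSH_ORIGINAL_COMMAND holds whatever
# the client asked to run; it is deliberately ignored so the key does one thing.
# Server-side entry point (uncomment in /usr/local/bin/receive-upload):
#   receive_upload /home/linuxcbtsftp1/incoming client_a
# Client side, as in the notes:  dd if=1000.txt | ssh linuxcbtsftp1@192.168.75.17
```

To close the CAVEAT above, sshd's AuthorizedKeysFile directive can point at a root-owned location instead of the user's own file (for example /etc/ssh/authorized_keys/%u, an assumed path).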
