{{tag>[rhel certification]}} =====RedHat EX300 objectives (20130304)===== *[[http://www.redhat.com/training/courses/ex200/examobjective|RHCSA EX200 exam objectives]] *[[http://www.redhat.com/training/courses/ex300/examobjective|RHCSA EX300 exam objectives]] =====System configuration and management===== ====Route IP traffic and create static routes.==== Show route ip r netstat -rn route Add route ip r add 192.168.40.0 via 192.168.40.1 dev eth0 Delete route ip r del 192.168.40.0 via 192.168.40.1 dev eth0 Persistent route #/etc/sysconfig/network-scripts/route-eth0 ADDRESS0=192.168.40.0 NETMASK0=255.255.255.255 GATEWAY0=192.168.40.1 ====Use iptables to implement packet filtering and configure network address translation (NAT).==== Show iptables iptables -nvL iptables config; settings, modules (conntrack, nat, ftp, etc) /etc/sysconfig/iptables-config iptables config; firewall rules /etc/sysconfig/iptables save/restore iptables iptables-save iptables-restore Set up NAT iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE Port forward iptables -t nat -A PREROUTING -i eth+ -p tcp -dport 20:21 -j DNAT -to-destination 192.168.15.36:20-21 iptables -t filter -A FORWARD -i eth+ -m state -state NEW -m tcp -p tcp -d 192.168.15.36 -dport 20:21 -j ACCEPT Enable forwarding sysctl -w net.ipv4.conf.all.forwarding=1 ====Use /proc/sys and sysctl to modify and set kernel runtime parameters.==== Show value sysctl net.ipv4.ip_forward #Output: net.ipv4.ip_forward = 0 cat /proc/sys/net/ipv4/ip_forward #Output: 0 Change setting sysctl -w net.ipv4.ip_forward=1 or echo 1 > /proc/sys/net/ipv4/ip_forward Persistent config #/etc/sysctl.conf # Controls IP packet forwarding net.ipv4.ip_forward = 0 ====Configure a system to authenticate using Kerberos.==== yum -y install krb5-workstation system-config-authentication Textbased authconfig-tui ====Build a simple RPM that packages a single file.==== Install the rpm tools. yum install rpmdevtools Create a directory with a simple script. mkdir myscript-0.1 vi myscript-0.1/hello.sh chmod +x myscript-0.1/hello.sh Edit a (vi) template spec file. vi myscript.spec Name: myscript Version: 0.1 Release: 1%{?dist} Summary: myscript test rpm Group: none License: none URL: none Source0: myscript-0.1.tar.gz BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRequires: /bin/cp Requires: /bin/bash %description Test RPM for EX300 exam %prep %setup -q %build echo "OK" %install rm -rf %{buildroot} mkdir -p %{buildroot}/tmp/myscript cp -R * %{buildroot}/tmp/myscript %clean rm -rf %{buildroot} %files /tmp/myscript/hello.sh %defattr(-,root,root,-) %doc %changelog Run rpmbuild in order to create a RPM tree. This will generate an error, but create the tree. rpmbuild -ba myscript.spec Create an archive tar.gz in the SOURCES directory. tar czvf rpmbuild/SOURCES/myscript-0.1.tar.gz myscript-0.1/ Copy the spec file to SPEC directory. cp myscript.spec rpmbuild/SPECS/ Build the RPM. rpmbuild -ba rpmbuild/SPECS/myscript.spec Test the RPM install. rpm -ivh rpmbuild/RPMS/x86_64/myscript-0.1-1.el6.x86_64.rpm ====Configure a system as an iSCSI initiator that persistently mounts an iSCSI target.==== Install utils yum install iscsi-initiator-utils Discover targets iscsiadm -m discovery -t st -p Log in to target: iscsiadm -m node -T -p -l Show added device dmesg List running sessions iscsiadm -m session ====Produce and deliver reports on system utilization (processor, memory, disk, and network).==== yum instal sysstat chkconfig sysstat on service sysstat start Read log files: sar -f /var/log/sa/sa17 ====Use shell scripting to automate system maintenance tasks.==== ====Configure a system to log to a remote system.==== Edit /etc/rsyslog.conf *.* @splunk.home:514 Restart resyslog service rsyslog restart ====Configure a system to accept logging from a remote system.==== Edit /etc/rsyslog.conf # Provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 # Provides TCP syslog reception $ModLoad imtcp $InputTCPServerRun 514 Add iptables rules to /etc/sysconfig/iptables. -A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT =====Network services===== Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below: ====Install the packages needed to provide the service.==== yum provides */ ====Configure SELinux to support the service.==== See EX200 objectives. ====Configure the service to start when the system is booted.==== chkconfig Or /etc/rc.local ====Configure the service for basic operation.==== Check for config in /etc and /etc/sysconfig. ====Configure host-based and user-based security for the service.==== Hostbased: TCP wrappers, iptables, application config. Userbased: users, groups, application config. ====HTTP/HTTPS==== yum -y groupinstall "Web Server" chkconfig httpd on service httpd start Edit iptables config: /etc/sysconfig/iptables. -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT Restart iptables service iptables restart ===Configure a virtual host.=== Create DocumentRoot mkdir -p /var/www/web1 mkdir -p /var/www/web2 Create /var/www/web1/index.html web1 test page Create /var/www/web2/index.html web2 test page Edit /etc/http/conf/httpd.conf NameVirtualHost *:80 Create new virtual host config /etc/httpd/conf.d/web.conf ServerAdmin webmaster@dummy-host.example.com DocumentRoot /var/www/web1 ServerName web1.study.home ErrorLog logs/web1-error_log CustomLog logs/web1-access_log common ServerAdmin webmaster@dummy-host.example.com DocumentRoot /var/www/web2 ServerName web2.study.home ErrorLog logs/web2-error_log CustomLog logs/web2-access_log common Restart Apache service httpd restart ===Configure private directories.=== Create private directory mkdir /var/www/web1/private Create /var/www/web1/private/index.html Private HTML page Create passwd file htpasswd -c /etc/httpd/.htpasswd privateuser Add config to /etc/http/conf.d/web.conf AuthName "Private Directory" AuthType basic AuthUserFile /etc/httpd/.htpasswd Require valid-user ===Deploy a basic CGI application.=== Create CGI directory /var/www/web1/cgi Edit script /var/www/web1/cgi/openports.cgi #!/bin/sh echo -e "Content-type: text/html\n\n"; echo "
"
echo "`netstat -tan`" # THIS WILL GIVE SELINUX TROUBLES
echo "
" Make it executable chmod +x openports.cgi Edit /etc/http/conf.d/web.conf Options +ExecCGI AddHandler cgi-script pl cgi ===Configure group-managed content.=== Create group groupadd admins Add users to admins Set rights mkdir -p /var/www/web1/admins chown apache.admins /var/www/web1/admins chmod 775 /www/site1 chmod g+s /www/site1 ====DNS==== ===Configure a caching-only name server.=== yum -y install bind chkconfig named on service named start There is a know bug generating the /etc/rndc.key. If this happens run: rndc-confgen -a -r /dev/urandom Open port 53 udp -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT Restart iptables service iptables restart ===Configure a caching-only name server to forward DNS queries.=== Note: Candidates are not expected to configure master or slave name servers. Edit /etc/named.conf listen-on port 53 { 127.0.0.1; 192.168.1.32; }; allow-query { localhost; 192.168.1.0/24; }; forward only; forwarders { 192.168.1.1; }; dnssec-enable no; dnssec-validation no; ====FTP==== ===Configure anonymous-only download.=== yum -y groupinstall "FTP server" service vsftpd start chkconfig vsftpd on Open iptables port -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT Edit /etc/sysconfig/iptables-config IPTABLES_MODULES="ip_conntrack_ftp" service iptables restart ====NFS==== ===Provide network shares to specific clients.=== yum -y groupinstall "NFS file server" service rpcbind start chkconfig rpcbind on service nfs start chkconfig nfs on Edit /etc/exports /var/ftp/pub 192.168.42.0/24(ro,insecure) Export filesystems exportfs -a Edit NFS config /etc/sysconfig/nfs LOCKD_TCPPORT=32803 LOCKD_UDPPORT=32769 MOUNTD_PORT=892 STATD_PORT=662 Edit iptables and restart -A INPUT -m state --state NEW -m udp -p udp --dport 32802 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 32802 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 32769 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT Restart iptables service iptables restart ===Provide network shares suitable for group collaboration.=== Edit /etc/exports /opt/data/share 192.168.42.0/24(rw,insecure) Export filesystems exportfs -a Change rights to path chmod g+w .... ====SMB==== ===Provide network shares to specific clients.=== yum install samba -y chkconfig smb on chkconfig nmb on Edit iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 137 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 138 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 139 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT Restart iptables service iptables restart Edit /etc/samba/smb.conf [samba] comment= RHEL samba share path = /opt/data/samba browseable = yes writable = yes valid users=benst hosts allow = 192.168.1. hosts deny = 192.168.1.33 Add user password smbpasswd -a Set selinux label on dir chcon -t samba_share_t /opt/data/samba Give appropriate filesystem rights to share chown / chmod ... Set bools RO: setsebool -P samba_export_all_ro 1 RW: setsebool -P samba_export_all_rw 1 Start samba service smb start service nmb start ===Provide network shares suitable for group collaboration.=== ====SMTP==== ===Configure a mail transfer agent (MTA) to accept inbound email from other systems.=== Edit /etc/postfix/main.cf inet_interfaces = all Edit iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT Restart iptables and postfix service postfix restart service iptables restart ===Configure an MTA to forward (relay) email through a smart host.=== Edit /etc/postfix/main.cf relay_domains = domainname.com relayhost = mail.hostname.com Restart postfix service postfix restart ====SSH==== ===Configure key-based authentication.=== ===Configure additional options described in documentation.=== ====NTP==== ===Synchronize time using other NTP peers.===