Ben Stienstra

Linux, Unix, network, radio and more...

rhel_ex300_objectives


RedHat EX300 objectives (20130304)

System configuration and management

Route IP traffic and create static routes.

Show route

ip r
netstat -rn
route

Add route (without a prefix length ip treats 192.168.40.0 as a /32 host route, which matches the NETMASK0 in the persistent file below; write 192.168.40.0/24 for a network route. The gateway must be reachable on-link through eth0.)

ip r add 192.168.40.0 via 192.168.40.1 dev eth0

Delete route

ip r del 192.168.40.0 via 192.168.40.1 dev eth0

Persistent route (read by ifup, so apply it with ifup eth0 or service network restart; ADDRESSn/NETMASKn/GATEWAYn triplets are numbered from 0)

#/etc/sysconfig/network-scripts/route-eth0
ADDRESS0=192.168.40.0
NETMASK0=255.255.255.255
GATEWAY0=192.168.40.1

Use iptables to implement packet filtering and configure network address translation (NAT).

Show iptables

iptables -nvL

iptables config; settings, modules (conntrack, nat, ftp, etc)

/etc/sysconfig/iptables-config

iptables config; firewall rules

/etc/sysconfig/iptables

save/restore iptables

iptables-save
iptables-restore

Set up NAT (eth+ matches every eth interface, so this masquerades traffic leaving on the LAN side as well; in practice name the upstream interface, e.g. -o eth0)

iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE

Port forward (DNAT rewrites the destination in PREROUTING; the FORWARD rule is still needed because the rewritten packet has to pass the filter table, and it is matched on the post-DNAT address. If the FORWARD policy is DROP, an ESTABLISHED,RELATED rule is needed for the return traffic too.)

iptables -t nat -A PREROUTING -i eth+ -p tcp --dport 20:21 -j DNAT --to-destination 192.168.15.36:20-21
iptables -t filter -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d 192.168.15.36 --dport 20:21 -j ACCEPT

Enable forwarding (runtime only; net.ipv4.conf.all.forwarding is the same knob the next section addresses as net.ipv4.ip_forward, and the setting is lost at reboot unless put in /etc/sysctl.conf)

sysctl -w net.ipv4.conf.all.forwarding=1
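The three commands above leave the filter table wide open and masquerade on every interface. The following added example (my code, not from the page) generates the complete ruleset in the /etc/sysconfig/iptables format instead: default-DROP INPUT and FORWARD, loopback and ESTABLISHED,RELATED accepted, the DNAT from the page paired with the FORWARD rule it needs, and MASQUERADE only on the upstream interface. The internal host 192.168.15.36 and port range 20:21 are the page's; eth0 as WAN and eth1 as LAN are assumptions, and apply_ruleset needs root and a real iptables, so only the generator is exercised offline.

```shell
#!/bin/bash
# Added example: generate a complete iptables-restore ruleset for a NAT router
# with one DNAT port forward. Interface names, internal host and port range are
# parameters; eth0 (WAN) / eth1 (LAN) in the usage line are assumptions.
set -e

# gen_nat_ruleset WAN_IF LAN_IF INTERNAL_HOST TCP_PORTRANGE
# Prints the ruleset on stdout in the format /etc/sysconfig/iptables uses.
gen_nat_ruleset() {
    local wan="$1" lan="$2" host="$3" ports="$4"
    # --dport takes "first:last", --to-destination takes "first-last"
    local dnat_ports
    dnat_ports=$(printf '%s' "$ports" | tr ':' '-')
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Redirect inbound tcp/$ports arriving on the WAN side to the internal host
-A PREROUTING -i $wan -p tcp -m tcp --dport $ports -j DNAT --to-destination $host:$dnat_ports
# Masquerade only what leaves through the WAN interface, not every interface
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Replies to forwarded connections, in both directions
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the DNATed flows may enter from the WAN side; matched on the post-DNAT address
-A FORWARD -i $wan -o $lan -d $host -p tcp -m state --state NEW -m tcp --dport $ports -j ACCEPT
# LAN clients may go out; nothing else is forwarded
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# apply_ruleset: load the generated rules atomically. iptables-restore replaces
# the whole table set, so a typo cannot leave a half-applied firewall behind.
apply_ruleset() {
    gen_nat_ruleset "$@" | iptables-restore
    # the rules do nothing until forwarding is switched on
    sysctl -w net.ipv4.ip_forward=1
}

# count_rules_for NEEDLE WAN_IF LAN_IF INTERNAL_HOST TCP_PORTRANGE
# Number of generated lines mentioning NEEDLE (an address or interface).
count_rules_for() {
    local needle="$1"; shift
    gen_nat_ruleset "$@" | grep -c -- "$needle"
}

# Usage (assumed interfaces): gen_nat_ruleset eth0 eth1 192.168.15.36 20:21 > /etc/sysconfig/iptables
```

Writing the file and loading it with service iptables restart keeps the rules persistent, which ad-hoc iptables -A commands are not until iptables-save is run.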

Use /proc/sys and sysctl to modify and set kernel runtime parameters.

Show value

sysctl net.ipv4.ip_forward

#Output:
net.ipv4.ip_forward = 0
cat /proc/sys/net/ipv4/ip_forward

#Output:
0

Change setting

sysctl -w net.ipv4.ip_forward=1

or

echo 1 > /proc/sys/net/ipv4/ip_forward

Persistent config (set the value to 1 to keep forwarding enabled after a reboot; sysctl -p reloads the file without rebooting)

#/etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Configure a system to authenticate using Kerberos.

yum -y install krb5-workstation
system-config-authentication

Text-based alternative

authconfig-tui

Both tools write the realm and KDC into /etc/krb5.conf and switch the PAM stack; verify with kinit <user> followed by klist. Kerberos tolerates only a few minutes of clock skew against the KDC, so set up NTP first.

Build a simple RPM that packages a single file.

Install the rpm tools.

yum install rpmdevtools

Create a directory with a simple script.

mkdir myscript-0.1
vi myscript-0.1/hello.sh
chmod +x myscript-0.1/hello.sh

Create the spec file (rpmdev-newspec from rpmdevtools generates a template like this one).

vi myscript.spec
Name:		myscript
Version:	0.1
Release:	1%{?dist}
Summary:	myscript test rpm

Group:		none
License:	none
URL:		none
Source0:	myscript-0.1.tar.gz
BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

BuildRequires:	/bin/cp
Requires:	/bin/bash

%description
Test RPM for EX300 exam

%prep
%setup -q

%build
echo "OK"

%install
rm -rf %{buildroot}
# /tmp only keeps the exam example short: it is world-writable and cleaned by
# tmpwatch, so a real package installs under /usr or /opt instead
mkdir -p %{buildroot}/tmp/myscript
cp -R * %{buildroot}/tmp/myscript

%clean
rm -rf %{buildroot}

%files
# defattr must precede the entries it applies to, otherwise hello.sh is
# recorded with the build user's ownership instead of root
%defattr(-,root,root,-)
/tmp/myscript/hello.sh
%doc

%changelog

Run rpmbuild once to create the ~/rpmbuild tree. This fails (the source archive is not there yet) but leaves the directories behind; rpmdev-setuptree from rpmdevtools creates the same tree without the error.

rpmbuild -ba myscript.spec

Create an archive tar.gz in the SOURCES directory.

tar czvf rpmbuild/SOURCES/myscript-0.1.tar.gz myscript-0.1/

Copy the spec file to SPEC directory.

cp myscript.spec rpmbuild/SPECS/

Build the RPM.

rpmbuild -ba rpmbuild/SPECS/myscript.spec

Inspect, then test-install the RPM (rpm -qpl lists the payload and rpm -qp --scripts shows the scriptlets that would run as root at install time; check both before installing any package you did not build yourself).

rpm -ivh rpmbuild/RPMS/x86_64/myscript-0.1-1.el6.x86_64.rpm

Configure a system as an iSCSI initiator that persistently mounts an iSCSI target.

Install utils

yum install iscsi-initiator-utils

Discover targets

iscsiadm -m discovery -t st -p <remote host>

Log in to target (the -T argument is the target IQN printed by discovery, not a host name):

iscsiadm -m node -T <target iqn> -p <remote host> -l

Show added device

dmesg

List running sessions

iscsiadm -m session

Make it persistent: discovered node records default to node.startup = automatic, so once the iscsi and iscsid services are enabled with chkconfig the login is repeated at boot. Put the filesystem in /etc/fstab with the _netdev option, so that the mount is only attempted after networking (and the iscsi service) is up and does not hang the boot.

Produce and deliver reports on system utilization (processor, memory, disk, and network).

yum install sysstat
chkconfig sysstat on
service sysstat start

Read the saved daily files (sa17 is day 17 of the month; -u selects CPU, -r memory, -d disk and -n DEV network statistics):

sar -f /var/log/sa/sa17

Use shell scripting to automate system maintenance tasks.
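This objective has no notes on the page, so here is an added example of my own, not the page's: a maintenance script with two typical tasks, warning about filesystems over a usage threshold and purging stale files from a scratch directory. The threshold (90%), the directory (/var/tmp/scratch) and the age (7 days) are assumptions; the disk check reads df -P output, which makes it testable with a constructed sample.

```shell
#!/bin/bash
# Added example, not from the page: a maintenance script of the kind this
# objective asks for. It warns about filesystems above a usage threshold and
# purges stale files from a scratch directory. The threshold (90%), the
# directory (/var/tmp/scratch) and the age (7 days) are assumptions.
set -e

# report_full_filesystems THRESHOLD_PERCENT
# Reads "df -P" output on stdin (POSIX format, one line per filesystem) and
# prints "mountpoint use%" for every filesystem at or above the threshold.
# df -P does not quote mount points, so one containing spaces would break the
# column split.
report_full_filesystems() {
    local limit="$1"
    # skip the header; Capacity is column 5, the mount point column 6
    awk -v limit="$limit" 'NR > 1 { use = $5; sub(/%/, "", use); if (use + 0 >= limit) print $6, use "%" }'
}

# purge_old_files DIR DAYS
# Deletes regular files under DIR not modified for more than DAYS days and
# prints how many were removed. -xdev keeps find on DIR's own filesystem and
# -type f skips symlinks and directories, so a link planted in DIR cannot
# point the cleanup at something else.
purge_old_files() {
    local dir="$1" days="$2"
    [ -d "$dir" ] || { echo "purge_old_files: $dir is not a directory" >&2; return 1; }
    find "$dir" -xdev -type f -mtime +"$days" -print -delete | wc -l | tr -d ' '
}

# run_maintenance [THRESHOLD] [SCRATCH_DIR] [DAYS]
# Runs both tasks, reporting to stdout and to syslog (facility local0) so the
# result also reaches a remote log host if one is configured.
run_maintenance() {
    local threshold="${1:-90}" scratch="${2:-/var/tmp/scratch}" days="${3:-7}"
    df -P | report_full_filesystems "$threshold" | while read -r mnt pct; do
        logger -t maint -p local0.warning "filesystem $mnt at $pct" 2>/dev/null || true
        echo "WARNING: $mnt at $pct"
    done
    if [ -d "$scratch" ]; then
        echo "purged $(purge_old_files "$scratch" "$days") files older than $days days from $scratch"
    fi
}

# From cron, for example daily: run_maintenance 90 /var/tmp/scratch 7
```

Keeping each task in a function that reads its input from stdin or arguments is what makes the script testable without touching the real system; the cron entry then only calls run_maintenance.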

Configure a system to log to a remote system.

Edit /etc/rsyslog.conf (a single @ sends over UDP, which neither authenticates the server nor notices dropped messages; @@ uses TCP)

*.* @splunk.home:514

Restart rsyslog

service rsyslog restart

Configure a system to accept logging from a remote system.

Edit /etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Add iptables rules to /etc/sysconfig/iptables (add -s <client subnet> to each rule, or set $AllowedSender in rsyslog.conf, so that only the expected clients can write into the log host).

-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

Install the packages needed to provide the service.

yum provides */<filename, daemon, etc..>

Configure SELinux to support the service.

See EX200 objectives.

Configure the service to start when the system is booted.

chkconfig

Or

/etc/rc.local (a last resort: it runs after all init scripts and gives neither service status nor ordering)

Configure the service for basic operation.

Check for config in /etc and /etc/sysconfig.

Configure host-based and user-based security for the service.

Hostbased: TCP wrappers, iptables, application config.

Userbased: users, groups, application config.

HTTP/HTTPS

yum -y groupinstall "Web Server"
chkconfig httpd on
service httpd start

Edit iptables config: /etc/sysconfig/iptables (for HTTPS also install mod_ssl, which ships /etc/httpd/conf.d/ssl.conf, and open tcp/443 the same way).

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

Restart iptables

service iptables restart

Configure a virtual host.

Create DocumentRoot

mkdir -p /var/www/web1
mkdir -p /var/www/web2

Create /var/www/web1/index.html

<html>
web1 test page
</html>

Create /var/www/web2/index.html

<html>
web2 test page
</html>

Edit /etc/httpd/conf/httpd.conf

NameVirtualHost *:80

Create new virtual host config /etc/httpd/conf.d/web.conf

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/web1
    ServerName web1.study.home
    ErrorLog logs/web1-error_log
    CustomLog logs/web1-access_log common
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/web2
    ServerName web2.study.home
    ErrorLog logs/web2-error_log
    CustomLog logs/web2-access_log common
</VirtualHost>

Restart Apache

service httpd restart

Configure private directories.

Create private directory

mkdir /var/www/web1/private

Create /var/www/web1/private/index.html

<html>
Private HTML page
</html>

Create passwd file (-c creates the file and overwrites an existing one; add further users without -c. Keep the file outside every DocumentRoot, as here.)

htpasswd -c /etc/httpd/.htpasswd privateuser

Add config to /etc/httpd/conf.d/web.conf (Basic auth only base64-encodes the password, so serve such a directory over HTTPS)

<Directory /var/www/web1/private>
AuthName "Private Directory"
AuthType Basic
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>

Deploy a basic CGI application.

Create CGI directory

/var/www/web1/cgi

Edit script /var/www/web1/cgi/openports.cgi

#!/bin/sh
# a CGI script emits the headers, a blank line, then the body
echo -e "Content-type: text/html\n\n";
echo "<pre>"
echo "`netstat -tan`" # THIS WILL GIVE SELINUX TROUBLES (the confined CGI domain is denied what netstat reads), and it shows the listening ports to every client that can reach the vhost
echo "</pre>"

Make it executable (the directory also needs the httpd_sys_script_exec_t SELinux type, set with chcon -t, before httpd may run anything from it)

chmod +x openports.cgi

Edit /etc/httpd/conf.d/web.conf

<Directory /var/www/web1/cgi>
Options +ExecCGI
AddHandler cgi-script .pl .cgi
</Directory>

Configure group-managed content.

Create group

groupadd admins

Add users to admins

usermod -aG admins <user>

Set rights (the setgid bit keeps files created in the directory in the admins group; httpd only needs read access, so apache as owner is not strictly required)

mkdir -p /var/www/web1/admins
chown apache.admins /var/www/web1/admins
chmod 775 /var/www/web1/admins
chmod g+s /var/www/web1/admins

DNS

Configure a caching-only name server.

yum -y install bind
chkconfig named on
service named start

There is a known issue with generating /etc/rndc.key on first start (the key generator reads /dev/random and can block on a machine with little entropy). If this happens run:

rndc-confgen -a -r /dev/urandom

Open port 53 (udp for normal queries, tcp for responses over 512 bytes and zone transfers)

-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT

Restart iptables

service iptables restart

Configure a caching-only name server to forward DNS queries.

Note: Candidates are not expected to configure master or slave name servers.

Edit /etc/named.conf (inside the options block; listen-on selects the addresses named binds and allow-query who may ask. Turning DNSSEC off is only an exam shortcut: with forward only the forwarder's answers are trusted unverified, so leave dnssec-validation on wherever the forwarder supports it.)

listen-on port 53 { 127.0.0.1; 192.168.1.32; };
allow-query { localhost; 192.168.1.0/24; };
forward only;
forwarders { 192.168.1.1; };

dnssec-enable no;
dnssec-validation no;

FTP

Configure anonymous-only download.

yum -y groupinstall "FTP server"
service vsftpd start
chkconfig vsftpd on

Anonymous-only means anonymous_enable=YES together with local_enable=NO in /etc/vsftpd/vsftpd.conf (the shipped file leaves local logins on, and FTP sends those passwords in clear text); anon_upload_enable stays NO. The anonymous tree is /var/ftp, with downloads under /var/ftp/pub.

Open iptables port (FTP data transfers use a second connection; the conntrack helper below marks it RELATED so the usual ESTABLISHED,RELATED rule accepts it)

-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

Edit /etc/sysconfig/iptables-config (ip_conntrack_ftp is the old module name and still works as an alias; the RHEL 6 module is nf_conntrack_ftp)

IPTABLES_MODULES="ip_conntrack_ftp"
service iptables restart

NFS

Provide network shares to specific clients.

yum -y groupinstall "NFS file server"
service rpcbind start
chkconfig rpcbind on

service nfs start
chkconfig nfs on

Edit /etc/exports (insecure allows client source ports above 1023; some clients need it, but it drops the only check that the request comes from a privileged process, so omit it unless required)

/var/ftp/pub    192.168.42.0/24(ro,insecure)

Export filesystems (after editing the file on a running server, exportfs -ra re-exports everything)

exportfs -a

Edit NFS config /etc/sysconfig/nfs (pins the ports that rpcbind would otherwise hand out at random, so they can be opened in iptables; verify with rpcinfo -p)

LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662

Edit iptables and restart (32803/tcp and 32769/udp are the lockd ports set above, 111 is rpcbind and 2049 nfsd)

-A INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT

Restart iptables

service iptables restart

Provide network shares suitable for group collaboration.

Edit /etc/exports

/opt/data/share 192.168.42.0/24(rw,insecure)

Export filesystems

exportfs -a

Change rights to path (NFS passes the client's numeric UID/GID, so the collaborating group needs the same GID on server and clients, or use all_squash with anongid in the export; give the directory to that group with g+w and the setgid bit so new files stay in it)

chmod g+w ....

SMB

Provide network shares to specific clients.

yum install samba -y
chkconfig smb on
chkconfig nmb on

Edit iptables (the NetBIOS name and datagram services, 137 and 138, are UDP only; the session service 139 and SMB over TCP 445 are TCP only)

-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT

Restart iptables

service iptables restart

Edit /etc/samba/smb.conf (where hosts allow and hosts deny conflict, the allow list wins, so a hosts deny entry inside an allowed subnet has no effect; exclude the host with EXCEPT in the allow list instead)

[samba]
        comment= RHEL samba share
        path = /opt/data/samba
        browseable = yes
        writable = yes
        valid users=benst
        hosts allow = 192.168.1. EXCEPT 192.168.1.33

Add user password

smbpasswd -a <username>

Set selinux label on dir (chcon is undone by a relabel; semanage fcontext followed by restorecon makes it permanent)

chcon -t samba_share_t /opt/data/samba

Give appropriate filesystem rights to share

chown / chmod ...

Set bools (these export every file on the system read-only or read-write regardless of its label; with the directory labelled samba_share_t they are not needed, so prefer the label). RO:

setsebool -P samba_export_all_ro 1

RW:

setsebool -P samba_export_all_rw 1

Start samba

service smb start
service nmb start

Provide network shares suitable for group collaboration.

Same share definition with valid users = @group, force group = group and create mask = 0660 / directory mask = 0770 so files stay group-writable, and the path group-owned with the setgid bit as for NFS.

SMTP

Configure a mail transfer agent (MTA) to accept inbound email from other systems.

Edit /etc/postfix/main.cf (the default is localhost only; with all, postfix listens on every address. Add the domain to mydestination to accept mail for it; mynetworks, which defaults to the local subnet, decides who may relay through this host)

inet_interfaces = all

Edit iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

Restart iptables and postfix

service postfix restart
service iptables restart

Configure an MTA to forward (relay) email through a smart host.

Edit /etc/postfix/main.cf (relayhost is all a smart-host setup needs; enclose the name in [] to skip the MX lookup. relay_domains lists domains this host accepts mail for and forwards onward; listing a domain you are not a backup MX for turns the host into a relay for it.)

relay_domains = domainname.com
relayhost = mail.hostname.com

Restart postfix

service postfix restart

SSH

Configure key-based authentication.

Generate a key pair on the client with ssh-keygen, copy the public half with ssh-copy-id (it appends to ~/.ssh/authorized_keys with the 700/600 modes sshd insists on), then set PasswordAuthentication no and PermitRootLogin no in /etc/ssh/sshd_config and reload sshd; keep one session open while testing the new setting.

Configure additional options described in documentation.

Per-key restrictions go in authorized_keys itself (from="host or network", command="...", no-port-forwarding, no-agent-forwarding); AllowUsers, AllowGroups and Match blocks in sshd_config are the host-side equivalent. man sshd_config and the AUTHORIZED_KEYS FILE FORMAT section of man sshd are the relevant documentation.
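As an added example of both objectives (my code, not from the page): a function that installs a public key with restrictive authorized_keys options and the permissions sshd requires, refusing malformed or duplicate keys, and a check that sshd_config actually enforces key-only logins. The home directory and sshd_config path are parameters; the key used in the usage line is a constructed placeholder, not a real key.

```shell
#!/bin/bash
# Added example: install a public key for key-based login with restrictive
# authorized_keys options, and check sshd_config for the directives that make
# keys the only way in. Paths and the key in the usage line are assumptions.
set -e

# install_authorized_key HOME_DIR "PUBKEY LINE" [OPTIONS]
# Appends the key to HOME_DIR/.ssh/authorized_keys with the modes sshd requires
# (it ignores keys in group- or world-writable files or directories).
# OPTIONS is an authorized_keys option string placed before the key, e.g.
# from="192.168.1.0/24",no-port-forwarding to pin the key to a source network.
install_authorized_key() {
    local home="$1" key="$2" opts="${3:-}"
    local dir="$home/.ssh" file="$home/.ssh/authorized_keys"
    # accept only "<type> <base64> [comment]" (ed25519/ecdsa need newer OpenSSH than RHEL 6's)
    printf '%s\n' "$key" | grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' \
        || { echo "install_authorized_key: not a public key line" >&2; return 1; }
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$file"
    chmod 600 "$file"
    # refuse to add the same key blob twice (compared on type and base64 only,
    # skipping any option string that precedes them on existing lines)
    local blob
    blob=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-)/) { print $i, $(i+1); break } }' "$file" | grep -qxF "$blob"; then
        echo "install_authorized_key: key already present" >&2
        return 2
    fi
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$key" >> "$file"
    else
        printf '%s\n' "$key" >> "$file"
    fi
}

# count_keys HOME_DIR: number of non-blank lines in that account's authorized_keys
count_keys() {
    local file="$1/.ssh/authorized_keys"
    if [ -f "$file" ]; then grep -c '[^[:space:]]' "$file" || true; else echo 0; fi
}

# check_sshd_config FILE
# Prints each required directive that is missing or has the wrong value and
# returns 1 if any is; returns 0 when the file enforces key-only logins.
# sshd honours the first occurrence of a directive, so only that one counts.
check_sshd_config() {
    local file="$1" missing=0 pair directive want have
    for pair in "PasswordAuthentication no" "PermitRootLogin no" \
                "PubkeyAuthentication yes" "ChallengeResponseAuthentication no"; do
        directive=${pair% *}
        want=${pair#* }
        # first uncommented occurrence; keywords are case-insensitive as in sshd
        have=$(grep -iE "^[[:space:]]*$directive[[:space:]]+" "$file" | head -n 1 | awk '{print tolower($2)}')
        if [ "$have" != "$want" ]; then
            echo "$directive should be $want (found '${have:-unset}')"
            missing=1
        fi
    done
    return $missing
}

# Usage (constructed placeholder key, assumed paths):
#   install_authorized_key /home/benst 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0placeholder0blob== benst@laptop' 'from="192.168.1.0/24",no-port-forwarding'
#   check_sshd_config /etc/ssh/sshd_config
```

ssh-copy-id does the installation part with defaults; the value of doing it by hand is the option string, which limits what a stolen key can do to the network and commands it was issued for.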

NTP

Synchronize time using other NTP peers.

Install ntp, list the peers in /etc/ntp.conf as server <host> iburst lines (iburst speeds up the first synchronization), enable and start ntpd, open udp/123 only if this host is to serve others, and verify with ntpq -p: the line marked * is the peer the clock actually follows.
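Added example (my code, not from the page) for verifying the result: service ntpd status only says the daemon runs, while ntpq -p shows whether a system peer was selected and how far the clock is off. This function reads that output and decides; the sample lines in the usage note are constructed, and the 500 ms default limit is an assumption.

```shell
#!/bin/bash
# Added example, not from the page: decide from "ntpq -p" output whether the
# clock is actually synchronised. The tally character in column 1 is ntpq's
# own: "*" is the system peer, "+" a candidate, "x" or "-" rejected, a space
# a peer not yet reachable.
set -e

# ntp_sync_status [MAX_OFFSET_MS]
# Reads "ntpq -p" output on stdin. Prints "synced <peer> offset <ms>" and
# returns 0 when a system peer exists and its offset is within MAX_OFFSET_MS
# (default 500, an assumption); prints the reason and returns 1 otherwise.
ntp_sync_status() {
    local max="${1:-500}"
    awk -v max="$max" '
        NR <= 2 { next }                       # header and ===== separator
        substr($0, 1, 1) == "*" {              # system peer: tally is glued to the name
            peer = substr($1, 2); offset = $9  # columns: remote refid st t when poll reach delay offset jitter
            if (offset < 0) offset = -offset
            if (offset <= max) { print "synced " peer " offset " $9; found = 1 }
            else { print "system peer " peer " offset " $9 " ms exceeds " max; found = -1 }
        }
        END {
            if (found == 1) exit 0
            if (found == 0) print "no system peer (*) selected; ntpd is not synchronised"
            exit 1
        }'
}

# Usage: ntpq -p | ntp_sync_status 100
# Constructed sample of what ntpq -p prints once a peer has been selected:
#      remote           refid      st t when poll reach   delay   offset  jitter
# ==============================================================================
# *192.168.1.1     131.107.13.100   2 u   23   64  377    0.512   -1.234   0.345
#  ntp.example.org .INIT.          16 u    -   64    0    0.000    0.000   0.000
```

Right after ntpd starts every peer still shows .INIT. and reach 0; with iburst a peer is normally selected within a minute, without it after several poll intervals.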

rhel_ex300_objectives.txt · Last modified: 2014/08/11 12:38 by admin