Preparing RHCE300
id : zz4l29sdsl
category : computer
blog : unixlinux
created : 12/06/10 - 22:09:01
  • Fuck it all, I'm preparing this shitty RHCE300 certification, here is my cheatsheet. Hope this will help at the exam ! Just a note, if I have it, it's only available for 3 years, definitely fuck $$$$$$ RH.
  • Let's go
Sticky bit
#chmod g+s <directory>

  • All files created in this directory get the same group as the directory (g+s sets the setgid bit on the directory; the sticky bit proper is chmod +t).
User
  • Default settings applied to users created with useradd are in /etc/login.defs
  • Add a user :
#useradd username

  • Change the primary group :
#usermod -g newgroup username

  • Add to a supplementary group (-a appends; -G alone replaces the whole list of supplementary groups) :
#usermod -aG group username

Quotas
Initialisation
  • Remount the partition with the quota options (and add usrquota,grpquota to /etc/fstab so they survive a reboot)
#mount -o remount,usrquota,grpquota /

  • Create the quota files at the filesystem root (drop to single-user mode first so nothing writes during the scan) :
#init 1
#quotacheck -cug /
#init 5

  • Activate quota
#quotaon /

User quota
  • Set a user quota :
#setquota -u username soft_limit hard_limit 0 0 partition
#setquota -u user1 512 1024 0 0 /
[user1@lab_client_1 ~]$ dd if=/dev/zero of=file bs=1k count=800
dm-0: warning, user block quota exceeded.
800+0 enregistrements lus
800+0 enregistrements ecrits
819200 octets (819 kB) copié 0,0112507 seconde, 72,8 MB/s
[user1@lab_client_1 ~]$ dd if=/dev/zero of=file bs=1k count=1600
dm-0: warning, user block quota exceeded.
dm-0: write failed, user block limit reached.
dd: Ecriture de `file': Debordement du quota d'espace disque
1001+0 enregistrements lus
1000+0 enregistrements ecrits
1024000 octets (1,0 MB) copié 0,0181239 seconde, 56,5 MB/s
Group quota
  • Set a group quota (block soft/hard limits, then inode soft/hard limits, then the filesystem) :
#setquota -g groupname soft_limit hard_limit isoft_limit ihard_limit partition

ACL
  • Remount with acl :
#mount -o remount,acl /
or
#tune2fs /dev/mapper/rootvg-rootlv -o acl

  • Check whether acl is in the filesystem's default mount options :
#tune2fs -l /dev/mapper/rootvg-rootlv | grep options

  • Get acl on a file :
#getfacl <file>

  • If there is a "+" at the end of file rights, there is an acl on it :
#ls -l /shared/schedule.txt
-rw-rw-r--+ 1 root root 0 dé 6 19:33 /shared/schedule.txt

  • Set an acl for a user :
#setfacl -m u:<user>:<rights> <file>
#setfacl -m u:user1:rw /shared/schedule.txt
#getfacl /shared/schedule.txt
getfacl: Removing leading '/' from absolute path names
# file: shared/schedule.txt
# owner: root
# group: root
user::rw-
user:user1:rw-
group::r--
mask::rw-
other::r--

  • Delete an acl for a user :
#setfacl -x u:<user> file
#setfacl -x u:user1 /shared/schedule.txt
#getfacl /shared/schedule.txt
getfacl: Removing leading '/' from absolute path names
# file: shared/schedule.txt
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::r--

  • Set ACL on a directory for a group :
#setfacl -m d:g:<groupname>:<rights> <directory>
#setfacl -m d:g:qgroup:rw /shared
#getfacl /shared
getfacl: Removing leading '/' from absolute path names
# file: shared
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:qgroup:rw-
default:mask::rwx
default:other::r-x

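The getfacl listings above show a mask entry that caps the named user and the owning group (after the user1 entry is removed the mask drops to r--). The following script, an added example and not part of the original cheatsheet, parses getfacl output (including default: entries) and computes each entry's effective rights by ANDing it with the mask of its scope; the sample listing is constructed from the /shared/schedule.txt output above.

```python
# Added example, not from the original cheatsheet: parse getfacl output and
# compute the effective rights of each entry, i.e. the entry's rights ANDed
# with the mask of its scope (access entries vs. default: entries).
# Sample constructed from the page's listing after "setfacl -m u:user1:rw".
SAMPLE_GETFACL = """\
# file: shared/schedule.txt
# owner: root
# group: root
user::rw-
user:user1:rw-
group::r--
mask::rw-
other::r--
"""

def parse_acl(text):
    """Return (scope, tag, qualifier, rights) tuples; scope is '' or 'default:'."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and '#effective:'
        if not line:
            continue
        parts = line.split(":")
        scope = ""
        if parts[0] == "default":
            scope, parts = "default:", parts[1:]
        tag, qualifier, rights = parts  # e.g. user, user1, rw-
        entries.append((scope, tag, qualifier, rights))
    return entries

def rights_and(a, b):
    """AND of two 'rwx' strings, e.g. rights_and('rw-', 'r--') == 'r--'."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def effective_rights(entries):
    """Map 'scope+tag:qualifier' to effective rights. The mask caps named users,
    named groups and the owning group; user:: (owner) and other:: are never masked."""
    masks = {scope: rights for scope, tag, _, rights in entries if tag == "mask"}
    result = {}
    for scope, tag, qualifier, rights in entries:
        mask = masks.get(scope)
        is_masked = tag == "group" or (tag == "user" and qualifier != "")
        eff = rights_and(rights, mask) if (mask and is_masked) else rights
        result[f"{scope}{tag}:{qualifier}"] = eff
    return result

if __name__ == "__main__":
    for entry, eff in effective_rights(parse_acl(SAMPLE_GETFACL)).items():
        print(f"{entry:<24} effective {eff}")
```
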
SELinux
  • Configure the SELinux mode persistently :
#vi /etc/sysconfig/selinux

  • Get the current SELinux mode :
#getenforce

  • Switch to permissive :
#setenforce 0

  • Switch to enforcing :
#setenforce 1

  • Get booleans values :
#getsebool -a

  • Set boolean value :
#setsebool -P <boolean> on

iptables
  • Add a new chain and send INPUT traffic through it (then save so it survives a restart) :
#iptables -N <chain_name>
iptables -N CLASS_RULES
iptables -A INPUT -j CLASS_RULES
iptables-save > /etc/sysconfig/iptables

  • Don't forget ESTABLISHED and RELATED :
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  • Example with reject :
-A INPUT -j REJECT --reject-with icmp-host-prohibited

  • Log whatever reached the end of the chain (make it the last rule of each chain) :
-A <CHAIN> -j LOG

TCP wrappers
  • Is a service compatible with TCP wrappers? Check how it is linked against libwrap :

  • Dynamically linked :
#ldd `which sshd` | grep libwrap
        libwrap.so.0 => /lib/libwrap.so.0 (0x00d40000)


  • Statically linked :
#strings `which portmap` | grep hosts
hosts_access_verbose
hosts_allow_table
hosts_deny_table
/etc/hosts.allow
/etc/hosts.deny

  • TCP Wrapper files :
/etc/hosts.allow
/etc/hosts.deny

  • Examples :
#cat /etc/hosts.allow
sshd: ALL
in.tftp: 192.168.0.
ALL: localhost
#cat /etc/hosts.deny
ALL: ALL

  • Be careful with services controlled by inetd: their daemon names start with in. (e.g. in.tftp above)
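
The order in which the two files are consulted decides the outcome: first match in hosts.allow grants, then first match in hosts.deny refuses, and a connection matched nowhere is granted. This script is an added example, not part of the original cheatsheet; it models that decision for the hosts.allow and hosts.deny shown above (ALL, a trailing-dot address prefix such as 192.168.0., a leading-dot name suffix, exact names); EXCEPT, KNOWN/UNKNOWN and net/mask forms are deliberately left out.

```python
# Added example, not from the original cheatsheet: a minimal model of the
# tcp_wrappers decision order (first match in hosts.allow grants, then first
# match in hosts.deny refuses, otherwise access is granted) applied to the
# page's two sample files. Supports ALL, trailing-dot address prefixes
# (192.168.0.), leading-dot name suffixes (.example.com) and exact names;
# EXCEPT, KNOWN/UNKNOWN and net/mask forms are left out (assumption).
HOSTS_ALLOW = """\
sshd: ALL
in.tftp: 192.168.0.
ALL: localhost
"""
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Return [(daemon_list, client_list)], each list split on commas/blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(token, host, addr):
    if token == "ALL":
        return True
    if token.endswith("."):      # 192.168.0.  -> address prefix
        return addr.startswith(token)
    if token.startswith("."):    # .example.com -> hostname suffix
        return host.endswith(token)
    return token in (host, addr)

def rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and \
        any(client_matches(c, host, addr) for c in clients)

def hosts_access(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if libwrap would let the connection through."""
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(deny)):
        return False
    return True  # matched nowhere: tcp_wrappers grants access

if __name__ == "__main__":
    print(hosts_access("in.tftp", "pc7", "192.168.0.7"))   # True
    print(hosts_access("in.tftp", "pc7", "192.168.1.7"))   # False
```
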
Vsftpd
  • Installation :
# yum install vsftpd

  • SELinux: allow anonymous writes :
# setsebool -P allow_ftpd_anon_write on

  • Allow read/write in a directory other than the default one :
# chcon -t public_content_rw_t incoming

  • Allow ftp conntrack on iptables :
# vi /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
# service iptables restart

  • Allow connections from the local network (192.168.0.0/24) to port 21 :
# vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 21 -j ACCEPT

  • tcp wrapper :
# vi /etc/hosts.allow
vsftpd: 192.168.0.

  • Enable at bootup :
# chkconfig vsftpd on

NFS
  • Start services :
# service nfs start
# service nfslock start

  • Get rpcinfo :
# rpcinfo -p

  • Show exported directories :
# showmount -e localhost

  • Ports used by nfs :
# vi /etc/sysconfig/nfs
RQUOTAD_PORT=4005
LOCKD_TCPPORT=4004
LOCKD_UDPPORT=4004
MOUNTD_PORT=4002
STATD_PORT=4003

  • iptables configuration :
# vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 4002:4005 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 2049 -j ACCEPT

  • Exports (a space between the path and the options exports to every host; the second form restricts the export to the named hosts) :
# vi /etc/exports
/home/nfstest (rw,sync,root_squash)
/home/nfstest *.example.com(rw,sync,root_squash)
# exportfs -r

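The first export line above is the classic /etc/exports trap: with a blank between the path and "(rw,sync,root_squash)" the options apply to every host, not to a named one. This checker is an added example, not part of the original cheatsheet; it parses export lines the way exportfs reads them and flags world-wide options and no_root_squash. The sample file is constructed here from the page's two lines plus one extra line.

```python
# Added example, not from the original cheatsheet: a small /etc/exports checker
# for the two mistakes a reviewer looks for first. The sample is constructed;
# its first line is the page's "/home/nfstest (rw,sync,root_squash)", where the
# blank between path and options makes those options apply to every host.
import re

SAMPLE_EXPORTS = """\
/home/nfstest (rw,sync,root_squash)
/home/nfstest *.example.com(rw,sync,root_squash)
/srv/data 192.168.0.0/24(rw,no_root_squash)   # constructed extra line
"""

# a client spec is "host(opt,opt)", "host" or just "(opt,opt)"
SPEC_RE = re.compile(r"^(\S*?)(?:\(([^)]*)\))?$")

def parse_exports(text):
    """Return [(path, [(host, [options]), ...])]. A spec with no host in
    front of the parentheses is recorded as '*' (every host), which is
    how exportfs reads 'path (options)'."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for spec in specs:
            host, opts = SPEC_RE.match(spec).groups()
            clients.append((host or "*", [o for o in (opts or "").split(",") if o]))
        exports.append((path, clients))
    return exports

def lint_exports(text):
    """Return (path, host, code) findings: WORLD when options apply to
    every host, NO_ROOT_SQUASH when remote root keeps root on the server."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if host == "*":
                findings.append((path, host, "WORLD"))
            if "no_root_squash" in opts:
                findings.append((path, host, "NO_ROOT_SQUASH"))
    return findings

if __name__ == "__main__":
    for path, host, code in lint_exports(SAMPLE_EXPORTS):
        print(f"{code:<15} {path} -> {host}")
```
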
  • tcp wrappers :
# vi /etc/hosts.allow
portmap, mountd : 192.168.0.

  • Mount :
# mount 192.168.0.1:/home/nfstest /mnt

Samba
  • SELinux: allow read-only or read/write exports and anonymous writing :
# setsebool -P samba_export_all_ro on
# setsebool -P samba_export_all_rw on
# setsebool -P allow_smbd_anon_write on

  • SELinux change context :
# chcon -t public_content_rw_t /shared/juridique/

  • Add a Samba user (the Unix user must already exist) :
# smbpasswd -a <user>

  • iptables rules :
# vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 139 -j ACCEPT

  • Share example :
# vi /etc/samba/smb.conf
[juridique]
       comment = All Printers
       path = /shared/juridique
       browseable = yes
       guest ok = no
       writable = yes
       write list = @juridique