
Linux Foundation Part 3

Identify the component of a Linux distribution that a file belongs to

What is tmpfs -> ref 


Change kernel runtime parameters, persistent and non-persistent


List and Identify SELinux/AppArmor file and process contexts

SELinux
  • List and identify SELinux/AppArmor file and process contexts
  • Files and directory permissions
  • security module - selinux
  • SELinux has very fine-grained control over what can be allowed and what can't
SELinux has a policy configuration where users and their roles are defined
SELinux Contexts
  1. Only certain users can enter certain roles and certain types.
  2. It lets authorized users and processes do their job, by granting the permissions they need.
  3. Authorized users and processes are allowed to take only a limited set of actions.
  4. Everything else is denied

unconfined_u:object_r:user_home_t:s0
user        : role     : type        : level


Create, delete, and modify local user accounts
Manage local user accounts



Create, delete, and modify local groups and group memberships



Manage system-wide environment profiles



Manage template user environment



Configure user resource limits

To set limits on a user, e.g. a user you don't want to use more than 80% of the CPU

- -> both hard and soft limit
nproc -> maximum number of processes that a user can create
fsize -> the maximum file size
$ sudo vim /etc/security/limits.conf
$ man limits.conf

To see the limits of the current session
$ ulimit -a


Manage user privileges

How come our users are allowed to run the sudo command?
$ groups
satish family wheel

so whoever is part of the wheel group can use sudo
$ sudo gpasswd -a satish wheel

Fine-tuned control
$ sudo vim /etc/sudoers

$ sudo gpasswd -d satish wheel
$ visudo
%wheel ALL=(ALL) ALL
%wheel -> users/groups (a leading % means a group)
ALL -> host
ALL -> run-as field
ALL -> list of commands

without password
satish  ALL=(ALL) NOPASSWD:ALL
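As an added example (not part of the original notes), a small sh/awk audit that parses the four sudoers fields described above and reports every user spec carrying a NOPASSWD tag; it works on a constructed sudoers sample and assumes the one-line "who host=(runas) commands" layout shown on this page:

```shell
# Added example: audit sudoers text for passwordless grants.
# Constructed sample sudoers content, not copied from any real host.
SAMPLE_SUDOERS='## Allow members of wheel to run any command (password asked)
%wheel ALL=(ALL) ALL
# satish may run anything without a password
satish  ALL=(ALL) NOPASSWD:ALL
Defaults requiretty
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd'

# Parse user specs of the form   who  host=(runas) [NOPASSWD:] commands
# and print one "who<TAB>runas<TAB>commands" line per passwordless grant.
# Assumes no spaces around "=" (as written on this page).
sudoers_nopasswd() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                  # comment line
        NF == 0 { next }                     # blank line
        $1 == "Defaults" { next }            # Defaults lines may contain "="
        $2 ~ /=/ {                           # $2 is host=(runas) or host=
            who = $1
            line = $0
            sub(/^[^=]*=[ \t]*/, "", line)   # keep "(runas) commands"
            runas = "root"                   # sudo default when (runas) is omitted
            if (match(line, /^\([^)]*\)/)) {
                runas = substr(line, 2, RLENGTH - 2)
                line = substr(line, RLENGTH + 1)
            }
            sub(/^[ \t]+/, "", line)
            if (line ~ /NOPASSWD:/) printf "%s\t%s\t%s\n", who, runas, line
        }'
}

sudoers_nopasswd "$SAMPLE_SUDOERS"
```

Run it against /etc/sudoers and the files under /etc/sudoers.d to see which accounts can escalate without any credential prompt.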


Manage access to the root account

$ sudo --login
$ sudo -i
$ logout

# If the user doesn't have sudo privileges but knows the root password
$ su -
$ su -l
$ su --login

# Some systems have the root account locked. It doesn't mean that we can't use the root user, it just means that we can't log in as root with a password the way a regular user does
When root is locked we can still use the following to log in
$ sudo --login
but we can't use
$ su -

If we want to allow logging in as root with a password we have two options
if root never had a password set
$ sudo passwd root
or if root had a password set and then the account was locked for some reason
$ sudo passwd --unlock root
$ sudo passwd -u root
$ su -

If root can currently log in but you think it is insecure
$ sudo passwd --lock root
$ sudo passwd -l root

Only lock the root account when you know some user can run sudo; otherwise you might lock yourself out of root


Configure PAM

Pluggable Authentication Modules
It gives us lots of flexibility to determine how we want certain utilities to perform authentication on the system
$ ls /etc/pam.d
$ sudo vim /etc/pam.d/su
uncomment the following (with trust, members of wheel can su without being asked for a password)
auth sufficient pam_wheel.so trust use_uid
auth -> what type of authentication module (the module type)
sufficient -> the control flag; see man pam.conf


List, create, delete, and modify physical storage partitions

Suppose you have 2TB of storage in your system and you want to install both the Linux and Windows operating systems. The problem is that Windows uses the NTFS file system whereas Linux uses some other file system such as xfs or ext4.

The solution to this problem is to divide the storage, let's say 1TB for Windows and 1TB for Linux. We call this partitioning.

To see the partitions on Linux we use the lsblk command:
$ lsblk
values in the TYPE column:
disk
part -> this is a partition
lvm
rom
a disk can have multiple partitions

sda -> s stands for serial (a disk connected to a SATA port), a means first disk; sda1 -> 1 means first partition

fdisk is a preinstalled partitioning utility. The following command says: show me the list of partitions on the device /dev/sda
$ sudo fdisk --list /dev/sda

Storage device space is divided into sectors, just like a centimeter is divided into millimeters

For managing partitions we could use the fdisk command, however cfdisk is a little easier to use for managing partitions.

$ sudo cfdisk /dev/sdb
We select MBR/dos or gpt; recent OSes support gpt
by choosing the option TYPE you can mark the partition type as swap or EFI etc.


Configure and manage swap space

Suppose a scenario where you have 2GB of RAM, 1GB is being used by a video editor and another 1GB by an audio editor. Now if you want to open Chrome, Linux will see that no RAM is available, but it also sees that we haven't used the video editor in the last hour, so it will move the memory data used by the video editor to swap space.




Create and configure file systems

To store files or directories on a partition we first need to create a filesystem.
To format the partition with the xfs filesystem, the commands are:



Configure systems to mount file systems at or during boot

$ ls /mnt/

# To mount the filesystem on /dev/vdb1 at the /mnt directory
$ sudo mount /dev/vdb1 /mnt/

# To unmount
$ umount /mnt/
$ lsblk
$ mkdir /mybackups/
$ vi /etc/fstab
/dev/mapper/cs-root / xfs defaults 0 0
/dev/vdb2 /mybackups xfs defaults 0 2

# After editing the file run the following command so systemd picks up the changes
$ systemctl daemon-reload
$ vi /etc/fstab
# for swap (the partition must be prepared with mkswap first); the mount point field is "none"
/dev/vdb3 none swap defaults 0 0

$ swapon --show
# Linux uses UUIDs so that even if you have changed the device ordering on the motherboard the device is still identified correctly
$ blkid /dev/vdb3


Configure systems to mount file systems on demand

On-demand mounting is useful when you have remote servers.
Suppose you have hundreds of file servers; if you mount every server permanently it would cause very heavy network usage, since the file servers would be communicating over NFS all the time.
So on-demand mounting is very useful here: whenever you need a share it is mounted, otherwise it stays unmounted.

The most common utility is autofs and the protocol is NFS

$ sudo dnf install autofs

sudo systemctl start autofs.service
sudo systemctl enable  autofs.service

sudo dnf install nfs-utils
sudo systemctl start nfs-server.service
sudo systemctl enable nfs-server.service

sudo vim /etc/exports
/etc 127.0.0.1(ro)

sudo systemctl reload nfs-server.service

# To enable on demand mounting
$ sudo vim /etc/auto.master
/shares/ /etc/auto.shares --timeout=400

$ sudo vim /etc/auto.shares
mynetworkshare -fstype=auto 127.0.0.1/etc
OR
mynetworkshare -fstype=nfs4 127.0.0.1/etc
OR
mynetworkshare -fstype=auto,ro 127.0.0.1/etc
OR
mynetworkshare -fstype=auto,ro nfs1.example.com:/etc
OR
myext4files -fstype=auto :/dev/vdb2

$ sudo systemctl reload autofs

$ ls /shares/
$ ls /shares/mynetworkshare/

# /shares would be the parent directory; to mount without a parent directory use a direct map (/-)
$ sudo vim /etc/auto.master
/- /etc/auto.shares --timeout=400


Evaluate and compare the basic file system features and options

The findmnt command will show all mount points, including virtual file systems
It only shows the filesystems that are currently mounted
$ findmnt

To only see real filesystems
$ findmnt -t xfs
$ findmnt -t xfs,ext4

To change the options
$ sudo mount -o ro /dev/vdb2 /mnt

$ sudo umount /mnt
# if you just want a file system ro, noexec, nosuid
$ sudo mount -o ro,noexec,nosuid /dev/vdb2 /mnt
$ findmnt -t xfs,ext4

# now if you want to write
$ sudo mount -o rw,noexec,nosuid /dev/vdb2 /mnt
you might get an error because it is already mounted; use remount instead
$ sudo mount -o remount,rw,noexec,nosuid /dev/vdb2 /mnt

$ man mount

$ man xfs


Mount filesystems at or during boot time

$ sudo vim /etc/fstab
/dev/vdb1 /mybackups xfs defaults 0 2
OR, with restrictive options
/dev/vdb1 /mybackups xfs ro,noexec 0 2
$ sudo systemctl reboot
$ findmnt -t xfs,ext4
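As an added example (not part of the original notes), an sh/awk check over /etc/fstab content that reports which data filesystems lack a given option such as nosuid or noexec, which is the follow-up a practitioner wants after the mount-option and fstab material above; it runs on a constructed fstab sample with a made-up UUID:

```shell
# Added example: report fstab entries that lack a required mount option.
# Constructed sample fstab; the UUID is a made-up placeholder value.
SAMPLE_FSTAB='# <device>            <mount point>  <type>  <options>                <dump> <pass>
/dev/mapper/cs-root   /              xfs     defaults                 0 0
UUID=0000aaaa-1111-2222-3333-444455556666 /mybackups xfs defaults    0 2
/dev/vdb1             /mnt/data      ext4    rw,nosuid                0 2
/dev/vdb3             none           swap    defaults                 0 0
tmpfs                 /tmp           tmpfs   defaults,nosuid,noexec   0 0'

# Print the mount point of every data filesystem whose option list lacks
# the option given as $2 (e.g. nosuid, noexec, ro). The root filesystem and
# swap entries are skipped; lines with fewer than the four mandatory fields
# are reported as malformed.
fstab_missing_opt() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }              # comments and blank lines
        NF < 4 { print "MALFORMED: " $0; next }
        $2 == "/" || $3 == "swap" { next }
        {
            n = split($4, opts, ",")                # options are comma separated
            found = 0
            for (i = 1; i <= n; i++) if (opts[i] == want) found = 1
            if (!found) print $2
        }'
}

echo "missing nosuid:"; fstab_missing_opt "$SAMPLE_FSTAB" nosuid
echo "missing noexec:"; fstab_missing_opt "$SAMPLE_FSTAB" noexec
```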


Manage and configure LVM storage

A great way to give storage flexibility in Linux

Whether we have free space on different portions of the disk
OR
if we have multiple disks that we would like to combine together and present to the OS as one partition
it also allows flexibility with resizing of those partitions




Create and configure encrypted storage








Configure networking and hostname resolution statically or dynamically
-----------
ip l
ip link show
ip address show
ip a
ip route show
ip r
DNS resolver
cat /etc/resolv.conf
nameserver 192.168.1.1

ls /etc/sysconfig/network-scripts/
cat /etc/sysconfig/network-scripts/ifcfg-enp0s3
BOOTPROTO=dhcp

for static it would be none

with a UI
$ sudo nmtui
force NetworkManager to immediately apply the changed network settings
$ sudo nmcli device reapply enp0s3
ping google.com

static resolution is done in /etc/hosts
192.168.1.82 dbserver
ping dbserver

dynamic resolution uses the nameservers in /etc/resolv.conf

lookup priority: /etc/hosts first, then /etc/resolv.conf

ssh aaron@dbserver

------------
Configure network services to start automatically at boot
------------
systemctl status NetworkManager.service
yum install NetworkManager
systemctl start NetworkManager.service
systemctl enable NetworkManager.service
another way to bring a connection up at boot
nmcli connection show
enp0s3
nmcli connection modify enp0s3 autoconnect yes
------------
Start, stop, and check the status of network services
------------
ss is the modern tool to check listening sockets: TCP, UDP and the owning process
ss -ltunp
netstat is the older command and it might get removed in the future.
127.0.0.1:323 OR [::1]:323
it will accept connections only from localhost on port 323
0.0.0.0:22 OR [::]:22
it will accept connections from anywhere (any address, including the internet) on port 22

systemctl stop sshd
ss -ltunp

# PID 1031 taken from the ss output; show what that process has open
lsof -p 1031

netstat -nltup
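As an added example (not part of the original notes), an sh/awk filter that applies the loopback-versus-wildcard distinction explained above to ss output and lists only the sockets reachable from any address; it assumes the column layout of "ss -ltunp" shown in the constructed sample, whose PIDs and process names are made up:

```shell
# Added example: find sockets that accept connections from any address.
# Constructed sample of "ss -ltunp" output; PIDs and names are made up.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*    users:(("chronyd",pid=812,fd=5))
udp   UNCONN 0      0              [::1]:323          [::]:*    users:(("chronyd",pid=812,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=1031,fd=3))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=1031,fd=4))
tcp   LISTEN 0      100        127.0.0.1:25        0.0.0.0:*    users:(("master",pid=1200,fd=13))'

# Print "proto/port process pid=N" for every socket whose local address is
# the wildcard (0.0.0.0, [::] or *); loopback-only sockets are skipped.
ss_exposed() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                       # header line
        {
            n = split($5, p, ":")              # text after the last ":" is the port
            port = p[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
            proc = "-"; pid = "-"
            if (match($7, /"[^"]+"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
            if (match($7, /pid=[0-9]+/)) pid = substr($7, RSTART + 4, RLENGTH - 4)
            printf "%s/%s %s pid=%s\n", $1, port, proc, pid
        }' | sort -u                           # IPv4 and IPv6 wildcard entries collapse into one line
}

# Exit 0 if the given port number is reachable from any address.
port_exposed() {
    ss_exposed "$1" | grep -q "^[a-z]*/$2 "
}

ss_exposed "$SAMPLE_SS"
```

On a live host replace the sample with the real output, e.g. ss_exposed "$(ss -ltunp)".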
----------------------
Implement packet filtering
------------------
$ firewall-cmd --get-default-zone 

$ firewall-cmd --set-default-zone=public
$ sudo firewall-cmd --list-all
$ sudo firewall-cmd --info-service=cockpit
$ sudo firewall-cmd --add-service=http
which is equivalent to
$ sudo firewall-cmd --add-port=80/tcp
see the added rule
sudo firewall-cmd --list-all
to remove the added rule
sudo firewall-cmd --remove-service=http
$ sudo firewall-cmd --remove-port=80/tcp

--------------

In the public zone -- to treat incoming connections from specific IPs differently
filtering by source address
trusted zone - 10.11.12.0 to 10.11.12.255
sudo firewall-cmd --add-source=10.11.12.0/24 --zone=trusted
firewall-cmd --get-active-zones
firewall-cmd --remove-source=10.11.12.0/24 --zone=trusted
--
all these rules are not permanent; after a reboot they disappear. To make them persistent:
sudo firewall-cmd --add-port=12345/tcp
sudo firewall-cmd --list-all
sudo firewall-cmd --runtime-to-permanent

alternatively, run both commands (runtime and permanent)
sudo firewall-cmd --add-port=12345/tcp
+
sudo firewall-cmd --add-port=12345/tcp --permanent
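As an added example (not part of the original notes), an sh/awk comparison of the runtime and permanent firewalld configuration, the mismatch the paragraph above warns about: it lists rules that will vanish at reboot, or, with the arguments swapped, saved rules that are not active yet. It assumes the "--list-all" output layout shown in the constructed sample dumps.

```shell
# Added example: find firewalld rules that exist only at runtime (lost on
# reboot) or only in the permanent config (not active yet).
# Constructed sample dumps of "firewall-cmd --list-all" and
# "firewall-cmd --permanent --list-all"; not captured from a real host.
RUNTIME='public (active)
  target: default
  interfaces: enp0s3
  sources: 
  services: cockpit dhcpv6-client http ssh
  ports: 12345/tcp
  protocols: '
PERMANENT='public
  target: default
  interfaces: enp0s3
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: '

# Turn a --list-all dump into "service=NAME", "port=N/PROTO" and
# "source=CIDR" lines, one item per line.
fw_items() {
    printf '%s\n' "$1" | awk '
        $1 == "services:" || $1 == "ports:" || $1 == "sources:" {
            kind = substr($1, 1, length($1) - 2)    # "services:" -> "service"
            for (i = 2; i <= NF; i++) print kind "=" $i
        }'
}

# Print items present in the first dump but absent from the second.
# fw_diff "$RUNTIME" "$PERMANENT" -> rules that vanish at reboot
# fw_diff "$PERMANENT" "$RUNTIME" -> saved rules that are not active yet
fw_diff() {
    { fw_items "$2" | sed 's/^/B /'; fw_items "$1" | sed 's/^/A /'; } | awk '
        $1 == "B" { have[$2] = 1; next }
        !($2 in have) { print $2 }'
}

echo "runtime-only (will be lost on reboot):"
fw_diff "$RUNTIME" "$PERMANENT"
```

On a live host feed it fw_diff "$(sudo firewall-cmd --list-all)" "$(sudo firewall-cmd --permanent --list-all)".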

----------
Statically route IP traffic
-----------------
send packets to 192.168.0.101 on another network via the gateway or router 10.0.0.100
$ sudo ip route add 192.168.0.0/24 via 10.0.0.100
if you have multiple network interfaces on your computer you can name the interface
$ sudo ip route add 192.168.0.0/24 via 10.11.12.100 dev enp0s3
sudo ip route del 192.168.0.0/24
add the default route
$ sudo ip route add default via 10.0.0.100   # the gateway, i.e. the "door" out of the network
if no route is found in the routing table then the packet is sent to the default route, in this case 10.0.0.100
sudo ip route del default via 10.0.0.100
routes added with the ip command are temporary; to add one permanently
$ nmcli connection show
$ sudo nmcli connection modify enp0s3 +ipv4.routes "192.168.0.0/24 10.0.0.100"
$ sudo nmcli device reapply enp0s3
$ ip route show
see if the new route is active
to remove
$ sudo nmcli connection modify enp0s3 -ipv4.routes "192.168.0.0/24 10.0.0.100"
$ sudo nmcli device reapply enp0s3
--------
Synchronize time using other network peers

systemctl status chronyd.service
timedatectl
timedatectl set-timezone Asia/Kolkata
timedatectl list-timezones
yum install chrony
enable the service, then check
timedatectl
NTP service: active
timedatectl set-ntp true


Configure a caching DNS server

BIND is the most popular DNS server software used today.
yum install bind bind-utils
conf file
/etc/named.conf
ip a
sudo vim /etc/named.conf
listen-on port 53 { 127.0.0.1; };
listen-on port 53 { 127.0.0.1; 192.168.0.17; };
listen-on port 53 { 127.0.0.1; };
allow-query { localhost; };
allow-query { localhost; 192.168.0.0/24; };
allow-query { any; };
recursion yes;
# caution: allow-query { any; } together with recursion yes makes an open resolver that anyone who can reach port 53 may use; restrict allow-query to your own networks

systemctl start named.service
systemctl enable named.service

sudo firewall-cmd --add-service=dns --permanent
dig @127.0.0.1 google.com
dig @localhost google.com

run the same query a second time: the answer is now served from the cache and the TTL in the answer (e.g. 172454) counts down instead of resetting
dig @127.0.0.1 google.com

Maintain a DNS zone
---------------------
vim /etc/named.conf
zone "." IN {

};
zone "example.com" IN {
  type master;
  file "example.com.zone";
};

cp --preserve=ownership /var/named/named.localhost /var/named/example.com.zone
vi /var/named/example.com.zone
$TTL 1H
@ IN SOA @ administrator.example.com. (
        ; serial, refresh, retry, expire and minimum TTL go here
)

@      NS       ns1.example.com.
@      NS       ns2.example.com.
ns1    A        10.11.12.9
ns2    A        10.11.12.10
@      A        203.0.113.15
www    A        203.0.113.15
; OR, instead of the A record for www, an alias (a CNAME must point to a name, not an IP)
www    CNAME    example.com.

example.com. MX 10 mail1.example.com.
             MX 20 mail2.example.com.

mail1    A  203.0.113.80
mail2    A  203.0.113.81

server1 AAAA 3243:2343:43::1
example.com.   TXT "we can write anything in here!"
save the file
sudo systemctl restart named.service
dig @localhost example.com
dig @localhost mail1.example.com

what is reverse DNS ?

Configure email aliases
/var/spool/mail/satish
sudo yum install postfix
systemctl enable postfix
sendmail satish@localhost <<< "Hello satish"
cat /var/spool/mail/satish
--
vim /etc/aliases
advertising: satish
:wq
sudo newaliases
sendmail advertising@localhost <<< "hello"
cat /var/spool/mail/satish
--
vim /etc/aliases
contact: satish,rahul,jane

vim /etc/aliases
advertising: satish@somewebsite.com

sudo newaliases
-----------------

-----------------------
Restrict access to the HTTP proxy server


Domain name verification
------------------------
and demo for file scanning



sudo yum install squid
systemctl start squid
systemctl enable squid
firewall-cmd --add-service=squid
firewall-cmd --add-service=squid --permanent

access rules
vi /etc/squid/squid.conf
acl localnet src 10.11.12.0/8
acl external src 203.0.113.0/24

Configure an HTTP server
-----------------------
yum install httpd
yum install mod_ssl

firewall-cmd --add-service=http
firewall-cmd --add-service=http --permanent
same for https
systemctl start httpd
systemctl enable httpd
ls /etc/httpd/conf.d/
vi /etc/httpd/conf/httpd.conf
ServerName 10.11.12.9
DocumentRoot
sudo vim /etc/httpd/conf.d/two.conf

-----
Manage and configure Virtual Machines
----------
yum install libvirt qemu-kvm




