RHCE: My study guide

Thu 05 May 2011 // posts

RHCE Exam Objectives (as of 31/03/2011)

System Configuration and Management

Route IP traffic and create static routes

  • route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.254
  • route add -host 192.168.3.3 dev tun0 (a host route implies a /32 mask; route rejects an explicit netmask here)
  • For persistent changes edit /etc/sysconfig/network-scripts/route-<device>, e.g. route-eth0.
    • Examples:
      • 192.168.3.0/255.255.255.0 via 192.168.1.254
      • 192.168.3.3 dev tun0

Use iptables to implement packet filtering and configure network address translation (NAT)

  • Filter:
    • iptables [-t filter] -A|-I|-D INPUT|OUTPUT ... -j ACCEPT|DROP|REJECT
    • ex. iptables -I INPUT -s 192.168.101.3 -p tcp --dport 22 -j ACCEPT, which allows incoming tcp traffic on port 22 (ssh) from 192.168.101.3
  • Nat:
    • iptables -t nat -A|-I|-D PREROUTING|POSTROUTING ... -j DNAT|MASQUERADE
    • ex. iptables -t nat -I PREROUTING -p tcp --dport 8800 -j DNAT --to-destination 192.168.101.3:80, which forwards incoming tcp traffic on port 8800 to 192.168.101.3:80
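The commands above change only the running rule set. As an added example (not from the original guide), the script below edits a RHEL 6 style /etc/sysconfig/iptables offline, placing new ACCEPT rules ahead of the closing REJECT rule, and so also covers the later "Update /etc/sysconfig/iptables: open tcp port N" steps. The sample rule set, the file path argument and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: insert ACCEPT rules into a
# RHEL 6 style /etc/sysconfig/iptables (iptables-save format) just before the
# final "-A INPUT -j REJECT" line, where "service iptables restart" loads them.
# The file path is a parameter so it runs on the constructed sample below,
# which mirrors the stock RHEL 6 rule set (an assumption).

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# open_port FILE PROTO PORT [SOURCE]: add "-A INPUT [-s SOURCE] ... --dport
# PORT -j ACCEPT" before the first INPUT REJECT rule. Idempotent: an identical
# rule already present is left alone, so re-running a setup script is safe.
open_port() {
    file=$1; proto=$2; port=$3; src=${4:-}
    rule="-A INPUT"
    [ -n "$src" ] && rule="$rule -s $src"
    rule="$rule -m state --state NEW -m $proto -p $proto --dport $port -j ACCEPT"
    if grep -qxF -- "$rule" "$file"; then
        return 0
    fi
    awk -v rule="$rule" '
        !done && /^-A INPUT -j REJECT/ { print rule; done = 1 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# rule_line FILE TEXT: 1-based line number of the first line containing TEXT
# (0 if absent); lets a check confirm that an ACCEPT precedes the REJECT.
rule_line() {
    awk -v pat="$2" 'index($0, pat) { print NR; found = 1; exit }
                     END { if (!found) print 0 }' "$1"
}
```

Run open_port /etc/sysconfig/iptables tcp 80 as root and then service iptables restart; alternatively run the iptables -I commands above and persist them with service iptables save.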

Use /proc/sys and sysctl to modify and set kernel run-time parameters

  1. List: sysctl -a | grep key
  2. Configure /etc/sysctl.conf
  3. Apply configuration: sysctl -p

Configure system to authenticate using Kerberos

  • system-config-authentication

Build a simple RPM that packages a single file

  1. rpmdev-setuptree
  2. cd ~/rpmbuild
  3. rpmdev-newspec SPECS/hello.spec
  4. edit SPECS/hello.spec (the file to package goes in SOURCES/)
  5. rpmbuild -ba SPECS/hello.spec
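As an added example (not from the original guide), this script writes the SOURCES/hello.sh file and a SPECS/hello.spec that rpmbuild -ba turns into an RPM containing just /usr/local/bin/hello. The package name, install path and the %changelog entry are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: write the source file and spec
# that "rpmbuild -ba SPECS/hello.spec" consumes, packaging one script as
# /usr/local/bin/hello. Name, install path and maintainer line are assumptions.

# make_hello_package TOPDIR: create SOURCES/hello.sh and SPECS/hello.spec under
# TOPDIR (normally ~/rpmbuild, as laid out by rpmdev-setuptree).
make_hello_package() {
    top=$1
    mkdir -p "$top/SOURCES" "$top/SPECS" "$top/BUILD" "$top/RPMS" "$top/SRPMS"
    printf '#!/bin/sh\necho hello!\n' > "$top/SOURCES/hello.sh"
    chmod 0755 "$top/SOURCES/hello.sh"
    # Quoted heredoc: the %{...} macros are expanded by rpmbuild, not the shell.
    cat > "$top/SPECS/hello.spec" <<'EOF'
Name:           hello
Version:        1.0
Release:        1%{?dist}
Summary:        Prints a greeting
License:        GPLv2
BuildArch:      noarch
Source0:        hello.sh

%description
Single-file demo package for the RHCE packaging objective.

%prep
# Nothing to unpack: Source0 is a plain script rather than a tarball.

%build

%install
rm -rf %{buildroot}
install -D -m 0755 %{SOURCE0} %{buildroot}/usr/local/bin/hello

%files
%defattr(-,root,root,-)
/usr/local/bin/hello

%changelog
* Thu May 05 2011 RHCE Candidate <candidate@example.com> - 1.0-1
- Initial package
EOF
}

# build_hello_package TOPDIR: run the build (needs the rpm-build package).
build_hello_package() {
    rpmbuild --define "_topdir $1" -ba "$1/SPECS/hello.spec"
}
```

After make_hello_package ~/rpmbuild, run build_hello_package ~/rpmbuild and find the result under RPMS/noarch/.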

Configure a system as an iSCSI initiator that persistently mounts an iSCSI target

  • Find targets:
    • iscsiadm -m discovery -t sendtargets -p host
  • Log in to the target:
    • iscsiadm -m node --targetname iqn.2001-05.com.doe:test -p host:port --login

Produce and deliver reports on system utilization (processor, memory, disk, and network)

  • Report: sar -A
  • Data path: /var/log/sa (sar -f saDD)
  • Schedule definition: /etc/cron.d/sysstat

Use shell scripting to automate system maintenance tasks

  • N/A

Configure a system to log to a remote system

  • TCP
    • /etc/rsyslog.conf: *.* @@host:port
  • UDP
    • /etc/rsyslog.conf: *.* @host:port

Configure a system to accept logging from a remote system

  • Activate TCP server in /etc/rsyslog.conf:
    • $ModLoad imtcp.so
      $InputTCPServerRun 514
  • Activate UDP server in /etc/rsyslog.conf:
    • $ModLoad imudp.so
      $InputUDPServerRun 514

Network Services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service

RHCE candidates should also be capable of meeting the following objectives associated with specific services:

HTTP/HTTPS

Configure a virtual host

  • /etc/httpd/conf/httpd.conf:
    • NameVirtualHost *:80
      <VirtualHost *:80>
      ServerName docs.example.com
      DocumentRoot /path
      </VirtualHost>

Configure private directories

  • Configure /etc/httpd/conf/httpd.conf (inside the <Directory> block of the private directory):
    • AuthType Basic
      AuthName "private rhel1"
      AuthUserFile /www/.rhel1_priv_user
      Require valid-user
      Order deny,allow
      Deny from all
      Satisfy Any
    • Satisfy Any is required together with Deny from all: with the default Satisfy All the deny rule blocks authenticated users as well.
  • Create user/password file:
    • htpasswd -c /www/.rhel1_priv_user user

Deploy a basic CGI application

  • /etc/httpd/conf/httpd.conf (inside the <Directory> block of the CGI directory):
    • Options +ExecCGI
      AddHandler cgi-script .pl .cgi
  • cgi-bin/hello.pl (must be executable: chmod 755 hello.pl):
    • #!/usr/bin/perl
      print "Content-type: text/html\n\n";
      print "hello!";

Configure group-managed content

  1. groupadd webdesigners
  2. add users to webdesigners (usermod -aG webdesigners user)
  3. mkdir /www/site1
  4. chown apache:webdesigners /www/site1
  5. chmod 775 /www/site1
  6. chmod g+s /www/site1

Install the packages needed to provide the service

  • yum install httpd

Configure SELinux to support the service

  • Use the appropriate SELinux booleans
    • getsebool -a | grep httpd
  • Use httpd_sys_content_t file context for content

Configure the service to start when the system is booted

  • chkconfig httpd on

Configure the service for basic operation

  1. Install service
  2. Configure the service to start when the system is booted
  3. Configure SELinux support
  4. Update /etc/sysconfig/iptables:
    • open tcp port 80

Configure host-based and user-based security for the service

  • Host
    • use iptables
    • /etc/httpd/conf/httpd.conf:
      • Allow from good_ip
        Deny from all
        Order deny,allow
  • User
    • /etc/httpd/conf/httpd.conf:
      • Use AuthType Basic (see "Configure private directories")

DNS

Configure a caching-only name server

  • named.conf (inside options { ... }):
    • allow-query { good_ips; };
      recursion yes;

Configure a caching-only name server to forward DNS queries

  • named.conf (inside options { ... }):
    • allow-query { good_ips; };
      forward only;
      forwarders { forwarder_ip; };
      recursion yes;
  • Note: Candidates are not expected to configure master or slave name servers

Install the packages needed to provide the service

  • yum install bind

Configure SELinux to support the service

  • getsebool -a | grep named

Configure the service to start when the system is booted

  • chkconfig named on

Configure the service for basic operation

  1. Install service
  2. "Configure a caching-only name server"
  3. Configure the service to start when the system is booted
  4. Configure SELinux support
  5. Update /etc/sysconfig/iptables:
    • open tcp and udp port 53

Configure host-based and user-based security for the service

  • Host
    • Open tcp and udp port 53 with iptables
  • User
    • N/A

FTP

Configure anonymous-only download

  • vsftpd.conf:
    • anonymous_enable=YES
      anon_upload_enable=NO
      local_enable=NO

Install the packages needed to provide the service

  • yum install vsftpd

Configure SELinux to support the service

  • getsebool -a | grep ftpd
  • Use public_content_t file context for content

Configure the service to start when the system is booted

  • chkconfig vsftpd on

Configure the service for basic operation

  1. Install service
  2. "Configure anonymous-only download"
  3. Configure the service to start when the system is booted
  4. Configure SELinux support
  5. Update /etc/sysconfig/iptables:
    • open tcp port 21

Configure host-based and user-based security for the service

  • Host
    • Use iptables
  • User
    • vsftpd.conf:
      • local_enable=YES

NFS

Provide network shares to specific clients

  • /etc/exports:
    • /mpoint host(ro) host2(rw) 192.168.2.0/24(ro) (read/write access for host2, read-only for host and 192.168.2.0/24)

Provide network shares suitable for group collaboration

  1. Create a sharegroup
  2. Add users to sharegroup
  3. Create the shared directory, chgrp it to sharegroup and set the setgid bit on it (chmod g+s), so new files inherit the group.

Install the packages needed to provide the service

  • yum install nfs-utils

Configure SELinux to support the service

  • getsebool -a | grep nfs

Configure the service to start when the system is booted

  • chkconfig nfs on

Configure the service for basic operation

  1. Install service
  2. "Provide network shares to specific clients"
  3. Configure the service to start when the system is booted
  4. Configure SELinux support
  5. Configure static lockd, statd, mountd, rquotad ports in /etc/sysconfig/nfs
  6. Update /etc/sysconfig/iptables:
    • open those ports
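Steps 5 and 6 above, as an added example (not from the original guide): pin the NFS helper daemons to fixed ports in /etc/sysconfig/nfs and list the ports the firewall must then open. The port numbers follow the commented-out suggestions in the stock RHEL 6 file and should be verified against your copy; the sample file and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: pin the NFS helper daemons to
# fixed ports in /etc/sysconfig/nfs (step 5) and derive the port list that
# step 6 opens in the firewall. Port numbers follow the commented-out
# suggestions in the stock RHEL 6 file (verify against your copy); the file
# path is a parameter so the functions run on the constructed sample below.

SAMPLE_NFS='# Port rpc.rquotad should listen on.
#RQUOTAD_PORT=875
# TCP port rpc.lockd should listen on.
#LOCKD_TCPPORT=32803
#LOCKD_UDPPORT=32769
# Port rpc.mountd should listen on.
#MOUNTD_PORT=892
#STATD_PORT=662'

# set_sysconfig FILE KEY VALUE: turn an existing "KEY=..." or "#KEY=..." line
# into "KEY=VALUE", or append one if the key is absent. Idempotent.
set_sysconfig() {
    if grep -q "^#\{0,1\}$2=" "$1"; then
        sed -i "s|^#\{0,1\}$2=.*|$2=$3|" "$1"
    else
        echo "$2=$3" >> "$1"
    fi
}

# pin_nfs_ports FILE: fix the ports that rpcbind would otherwise hand out
# at random on every boot, which no firewall rule can anticipate.
pin_nfs_ports() {
    set_sysconfig "$1" RQUOTAD_PORT 875
    set_sysconfig "$1" LOCKD_TCPPORT 32803
    set_sysconfig "$1" LOCKD_UDPPORT 32769
    set_sysconfig "$1" MOUNTD_PORT 892
    set_sysconfig "$1" STATD_PORT 662
}

# nfs_firewall_ports FILE: print "proto port" pairs to open; portmapper (111)
# and nfsd (2049) are fixed, the rest are read back from FILE.
nfs_firewall_ports() {
    printf 'tcp 111\nudp 111\ntcp 2049\nudp 2049\n'
    awk -F= '/^LOCKD_TCPPORT=/ { print "tcp", $2 }
             /^LOCKD_UDPPORT=/ { print "udp", $2 }
             /^(RQUOTAD_PORT|MOUNTD_PORT|STATD_PORT)=/ { print "tcp", $2; print "udp", $2 }' "$1"
}
```

After pin_nfs_ports /etc/sysconfig/nfs, restart rpcbind, nfslock and nfs and confirm with rpcinfo -p that the daemons sit on the pinned ports before opening them in /etc/sysconfig/iptables.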

Configure host-based and user-based security for the service

  • Host:
    • Define host permissions in /etc/exports
  • User:
    • Use filesystem permissions

SMB

Provide network shares to specific clients

  • In smb.conf create a section like:
    • [share]
      valid users = username
      write list = username
      path = /share
      create mask = 0755

Provide network shares suitable for group collaboration

  1. add group workers (groupadd workers; net rpc group add workers)
  2. add users to the group (useradd -G workers name; net rpc user add name)
  3. In smb.conf create a section like:
    • [shared]
      path = /shared
      force group = +workers
      valid users = @workers viewer
      write list = @workers

Install the packages needed to provide the service

  • yum install samba

Configure SELinux to support the service

  • getsebool -a | grep samba

Configure the service to start when the system is booted

  • chkconfig smb on

Configure the service for basic operation

  1. Install service
  2. Create a share
  3. Configure the service to start when the system is booted
  4. Configure SELinux support
  5. Update /etc/sysconfig/iptables:
    • open tcp ports 139 and 445

Configure host-based and user-based security for the service

  • User
    • Configure users permissions in smb.conf
  • Host
    • Use iptables
    • smb.conf can also restrict clients with the "hosts allow"/"hosts deny" parameters

SMTP

Configure a mail transfer agent (MTA) to accept inbound email from other systems

  • Configure /etc/postfix/main.cf:
    • Configure the myhostname, mydomain, myorigin, mynetworks and mydestination variables
    • Set inet_interfaces = all

Configure an MTA to forward (relay) email through a smart host

  • Configure /etc/postfix/main.cf:
    • relayhost = host

Install the packages needed to provide the service

  • yum install postfix

Configure SELinux to support the service

  • getsebool -a | grep postfix

Configure the service to start when the system is booted

  • chkconfig postfix on

Configure the service for basic operation

  1. Install service
  2. Configure the service to start when the system is booted
  3. Configure SELinux support
  4. Update /etc/sysconfig/iptables:
    • open tcp port 25

Configure host-based and user-based security for the service

  • User:
    • /etc/postfix/main.cf:
      • smtpd_sasl_auth_enable = yes
        smtpd_sasl_security_options = noanonymous
        broken_sasl_auth_clients = yes
        smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    • service saslauthd start
    • chkconfig saslauthd on
  • Host:
    • Use iptables

SSH

Configure key-based authentication

  • Configure /etc/ssh/sshd_config:
    • PubkeyAuthentication yes
  • Test:
    • ssh-copy-id user@host
      ssh user@host

Configure additional options described in documentation

  • N/A

Install the packages needed to provide the service

  • yum install openssh-server

Configure SELinux to support the service

  • getsebool -a | grep ssh

Configure the service to start when the system is booted

  • chkconfig sshd on

Configure the service for basic operation

  1. Install service
  2. Configure the service to start when the system is booted
  3. Configure SELinux support
  4. Update /etc/sysconfig/iptables:
    • open tcp port 22

Configure host-based and user-based security for the service

  • User:
    • sshd_config:
      • AllowUsers user@host
    • OR disable shell access for a user if needed
  • Host:
    • Use iptables

NTP

Synchronize time using other NTP peers

  • Test:
    • ntpdate -q 123.123.56.123
  • Configure ntp.conf:
    • server 123.123.56.123 [iburst]

Install the packages needed to provide the service

  • yum install ntp

Configure SELinux to support the service

  • N/A

Configure the service to start when the system is booted

  • chkconfig ntpd on

Configure the service for basic operation

  1. Install service
  2. Configure the service to start when the system is booted
  3. (If NTP is configured as a server) Update /etc/sysconfig/iptables:
    • open udp port 123

Configure host-based and user-based security for the service

  • Host:
    • (If NTP is configured as a server) Use iptables
  • User:
    • N/A
