zerotrustprivacy/RHCSA-study


RHCSA-study

Study notes for the exam.

Topics covered:

  • Managing physical storage
  • Install and configure software components and services
  • Establish network connections
  • Monitor and manage running processes
  • Manage and secure files and file systems
  • Administer users and groups
  • Review the system log files and journal for issues
  • Remotely manage systems with SSH and the Web Console
  • Install Red Hat Enterprise Linux using scalable methods
  • Access security files, file systems, and networks
  • Execute shell scripting and automation techniques
  • Manage storage devices, logical volumes, and file systems
  • Manage security and system access
  • Control the boot process and system services

Resources:

  • Sander van Vugt RHCSA 9 course
  • RHCSA 9 Textbook
  • Both can be found on the O'Reilly learning platform.
  • Red Hat System Administration I (RH124)
  • Red Hat System Administration II (RH134)

Using vim

Create file by using the command "vim "

When in Vim use "i" to get to INSERT mode and begin typing.

o = new line

ctrl + c = command mode

v = visual mode

dd = delete current line

gg = top of the document

^ = start of the line

:wq = save and exit

File System

Files on a Linux system are organized into a single file-system hierarchy

mkdir (make directory), rmdir (remove directory), cp (copy), and mv (move) are commands to manage files.

Hard links

Soft links

Configuration Files

Important File Locations

  • Source File: ~/.bashrc
  • Password Config: /etc/login.defs/user
  • Sudo Config: /etc/sudoers.d/user
  • Password info: /etc/passwd
  • Group info: /etc/group
  • SSH Config & Password Auth: /etc/ssh/sshd_config

Configure Users and Permissions

  • To force a user to change their password at next login: chage -d 0 user
  • Change expiration date for password: chage -M 30 user
  • Check user password expiration: chage -l user
  • Add user: useradd
  • Modify user: usermod
  • Add group: groupadd
  • Modify group: groupmod
  • Change permission: chmod
  • Change ownership: chown

File Access

  • Read # Write # Execute
  • Owning User # Owning Group # Other

Creating Partitions

Make File System

Unmount a mounted filesystem

Create a Swap

-------------------------------------------------------------------

Resize Logical Volumes and Volume Groups

---------------------------------------------------------------------------

Schedule Jobs

Schedule jobs to run on a repeating schedule with a user's crontab file.

"man at" shows how to schedule jobs with at. These are one-time jobs. For example: "at now +3min" runs a job 3 minutes from now.

"atq" lists scheduled jobs. "atrm" removes the job.

Recurring Jobs: The crond daemon reads multiple config files. Each user has a personal file that they edit with "crontab -e". The fields in the crontab file are in the following order:

  • Minutes
  • Hours
  • Day of Month
  • Month
  • Day of Week
  • Command
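crond runs every entry with the privileges of the crontab's owner, so the command field is the part worth reviewing. The following is an added example, not part of the original notes: it splits each line into the six fields listed above and flags commands that are relative, missing, or writable by group or others. The function names cron_audit and cron_audit_demo and the sample scripts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a crontab whose lines are
#   minute hour day-of-month month day-of-week command
cron_audit() (
  while read -r min hour dom mon dow cmd; do
    case "$min" in
      ''|'#'*) continue ;;   # blank line or comment
      *=*)     continue ;;   # environment setting such as PATH=...
      @*)      # @reboot, @daily, ...: one schedule field, the rest is the command
               cmd="$hour${dom:+ $dom}${mon:+ $mon}${dow:+ $dow}${cmd:+ $cmd}" ;;
    esac
    if [ -z "$cmd" ]; then
      echo "MALFORMED: $min $hour $dom $mon $dow"
      continue
    fi
    prog=${cmd%% *}          # first word of the command
    case "$prog" in
      /*) ;;
      *)  echo "RELATIVE: $prog (resolved through cron's PATH)"; continue ;;
    esac
    if [ ! -e "$prog" ]; then
      echo "MISSING: $prog"
    elif [ -n "$(find "$prog" -prune \( -perm -020 -o -perm -002 \))" ]; then
      echo "WRITABLE: $prog (group- or world-writable)"
    fi
  done < "$1"
)

# Constructed sample: two scripts and a crontab in a temporary directory.
cron_audit_demo() (
  d=$(mktemp -d) || exit 1
  printf '#!/bin/sh\n' > "$d/safe.sh";  chmod 755 "$d/safe.sh"
  printf '#!/bin/sh\n' > "$d/loose.sh"; chmod 777 "$d/loose.sh"
  cat > "$d/crontab" <<EOF
# constructed sample crontab
PATH=/usr/bin:/bin
0 2 * * * $d/safe.sh --full
*/5 * * * * $d/loose.sh
@daily cleanup.sh
30 1 * * 1
EOF
  cron_audit "$d/crontab"
  rm -rf "$d"
)

cron_audit_demo
```

To review a real crontab, save it first with "crontab -l > file" and pass that file to cron_audit.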

---------------------------------------------------------------------

Manage Temporary Files

Red Hat includes the systemd-tmpfiles tool, which provides a method to manage temporary directories and files. The systemd-tmpfiles-setup service runs the systemd-tmpfiles command.

systemd-tmpfiles-clean service configuration files exist in three places:

  • /etc/tmpfiles.d/*.conf
  • /run/tmpfiles.d/*.conf
  • /usr/lib/tmpfiles.d/*.conf

In the config file, specify what to do... echo "d/etc/


Analyze and Store Logs

The rsyslog service is used to determine how to handle log messages.

The logrotate command rotates log files to prevent them from taking too much space in the /var/log directory. When a log is rotated, it is renamed with an extension.

journalctl retrieves all log messages.

-r shows the most recent logs

-p shows the priority level

-b shows the current system boot

The system has its own journal located at system.journal. Individual users have their own journals pertaining to their own transactions inside of a file called user-userid.

Updating Time Zones: Use the command tzselect to view the appropriate time zone. Then use "timedatectl set-timezone" command to set the time zone.

----------------------------------------------------------------------------

Manage Compressed tar Archives

An archive is a file that contains multiple files. "tar" is the command to create, manage, and extract archives.

Command: dnf list - lists installed and available packages

Use dnf install -y software to install

----------------------------------------------------------------------------------

Manage Process and jobs

command & starts a job in the background.

jobs: to view all running jobs

A runnable process can be stopped with CTRL+z

The ps command shows current running processes

The "top" command shows the highest running processes

ps -fU user ... for a user's processes

Use "kill" or "killall dd" to kill processes. To kill a ZOMBIE process

Process Priorities

  • nice and renice can be used to change priorities of non-realtime processes
  • Nice ranges from -20 to 19. Positive values mean lower priority.
  • Use "cat /proc/sys/vm/swappiness" to see the value, then use "echo (value) > /proc/sys/vm/swappiness" to change it. To make it persistent: "cat >> swappiness.conf << EOF"
  • loginctl list-users: shows users currently logged in. loginctl terminate-user: to stop a user session

--------------------------------------------------------------

Creating Logical Volumes

Creating Logical volumes involves 4 steps :

  1. Convert physical devices into physical volumes: pvcreate
  2. Create the volume group and assign PVs to it: vgcreate (the name of the volume group) (the location of the pv)
  3. Create the logical volume: lvcreate -n (the name of the lv) -L (the size of the lv) (the vg name)
  4. Make a file system on top of the logical volume: mkfs.ext4 /dev/(vg name)/(lv name)

Use lsblk to view the physical devices on the server

----------------------------------------------------------------------------

Systemd

  • systemctl edit unit.service : to edit unit files
  • systemctl list-dependencies for a complete overview of dependencies
  • Mask services: use systemctl stop (service) then systemctl mask (service)
  • Example: systemctl status httpd [disabled] ...systemctl enable httpd...

Configure Logging

  • Preserve the systemd journal: check settings in /etc/systemd/journald.conf. The setting "Storage=auto" ensures that persistent storage is happening automatically. Make directory /var/log/journal. Restart service: systemctl restart systemd-journald.
  • Logrotate is started by a systemd timer to prevent disks from filling up. "systemctl cat logrotate.conf" to view the settings for logrotate.
  • Make sure that the /var/log/journal exists

-----------------------------------------------------------------------

SELinux

Security Enhanced Linux (SELinux) provides an additional layer of system security. It should always be enabled. There are two modes: permissive or enforcing. If permissive is enabled, no access is blocked. If enforcing is enabled, all restrictions are applied and SELinux is fully operational.

  • getenforce shows the current SELinux state.
  • setenforce toggles between enforcing and permissive and sets them temporarily.
  • To change the default mode persistently, you need to write it to /etc/sysconfig/selinux, or change GRUB kernel boot arguments.
  • Context management means applying contexts to files.

  • File context labels are applied to every object: user, role, type
  • semanage fcontext: sets the file context label (-a to set a new context label) (-m to modify an existing context label)
  • When files are copied, they inherit the context type

Example: Setting Context Labels for Apache Document

Install curl.

Make a directory called "web" and create an index.html file within the directory.

Then edit the httpd conf file by adding "/web" to the DocumentRoot parameter. Be sure that the following is also added to the file:

Enable the httpd service and then restart it. Run curl http://localhost to confirm that SELinux has not been set to permissive and you'll see that this is not your webpage. Use "setenforce 0" and repeat the previous step.

Type semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" to apply to the directory "/web"

Type restorecon -R -v /web. The restorecon command restores the default SELinux contexts so that changes made by the "semanage fcontext" command are persistent.

SELinux Rules and Policies

  • SELinux Booleans change the behavior of a rule. To change a Boolean, you can use "setsebool". To list all Booleans - "getsebool -a" or "semanage boolean -l"
  • To view logging, you need to access the audit log - "/var/log/audit/audit.log"... SELinux type is AVC so "grep AVC /var/log/audit/audit.log" will show the SELinux logs.
  • To understand the logs further, you can use "sealert -l UUID" for more information.

---------------------------------------------------------

Firewalld

Firewalld is a service that can configure firewall rules by using different interfaces. Administrators can manage rules but rules can also be added or removed without any direct action required of the system administrator.

A zone is a collection of rules applied to incoming packets matching a specific source address or network interface.

A firewalld service defines what should be accepted as incoming and outgoing traffic in the firewall. It typically includes ports to be opened and kernel modules.

firewall-cmd is the command-line tool used for firewall configuration.

-------------------------------------------------------------

Automount

The /etc/fstab file can be used to mount the NFS file system

Within the file, you have 6 columns:

  1. server+share directory
  2. directory where you mount NFS share
  3. file system type (nfs)
  4. specify mount options (defaults)
  5. 0
  6. 0

Example: Configuring Automount

This example will show how to mount NFS server and NFS data automatically using autofs

  • dnf install -y autofs
  • cd /etc/
  • vim auto.master (add /nfsdata /etc/auto.nfsdata at the top of the file)
  • vim auto.misc
  • vim auto.nfsdata (files -rw nfsserver:/nfsdata)
  • systemctl enable --now autofs
  • ls /
  • cd /nfsdata
  • ls -al
  • cd files
  • mount | tail -3 (this will show the automount that was created)

Example: Automount on Home Directories

  • showmount -e nfsserver: to check what is currently mounted
  • vim /etc/auto.master (/homes /etc/auto.homes)
  • vim /etc/auto.homes (* -rw nfsserver:/home/ldap/&)
  • systemctl restart autofs
  • cd /homes
  • ls -a

-------------------------------------------------------------

Containers

A container has all that is needed to run an application. They are started from container images. Images are provided in image registries.

Features:

  • Control groups - set limits to the amount of resources that can be used
  • Namespaces - provide isolation so that containers only have access to their data and configuration

Containers need a user ID to be started. Root containers are started by the root users. Rootless containers are started by non-root users.

Normally each container runs one application.

Podman manages containers and container images

Container images are used to package container applications with all of their dependencies.

podman login registry.redhat.io

Configure Registry Access

  • Registry access is configured in /etc/containers/registries.conf
  • Container file - text file with instructions to build a custom container image
  • dnf install container-tools (view all supporting tools to work with containers)

Move to the directory with the repo files: cd /rhcsa ... and list the files

cat Containerfile

git clone repository

podman images then podman info to see all of the registries

podman login registry.access.redhat.com

podman build -t mymap

vim Containerfile add "-y" to the RUN section

--------------------------------------------------------------------------------

Common Podman Commands

  • podman search: searches registries for images
  • podman run: runs a container
  • podman stop: stops a currently running container
  • podman ps: show information about containers
  • podman build: build an image from a Containerfile
  • podman images: lists images
  • podman inspect: shows container or image details
  • podman pull: pulls an image from the registry
  • podman exec: executes a command in a running container
  • podman rm: removes a container

Troubleshooting containers

Use "podman inspect container"

podman logs: explore logs created by the container

Container access happens through port mappings. A port on the container host is exposed and forwards traffic to the container port.

podman run -d -p {portnumber}

--------------------------------------------

Persistent Storage in Containers

  • Persistent storage is made by creating a directory on the container host and mounting that directory using podman run -d... -v /hostdir:/containerdir
  • Namespaces provide isolation for the container and give it root access.
  • Rootless containers are launched in a namespace
  • The podman unshare command is used to run commands inside the container namespace
  • To see appropriate directory ownership for rootless containers, you must first find the UID of the user that runs the main application (podman inspect imagename)
  • Use podman unshare chown nn:nn directoryname to set the container UID as the owner of the directory on the host

--------------------------------------

Containers as Systemd Services

  • loginctl enable-linger to allow user services for a specific user (requires root privileges)
  • Create a regular user account to manage all containers
  • mkdir ~/.config/systemd/user; cd ~/.config/systemd/user
  • Use podman to generate a user systemd file for an existing container
  • To generate a service file for a root container, do it from /etc/systemd/system
  • podman generate systemd --new : creates a new container when the systemd unit is started and deletes it when the unit is stopped.
  • Edit the file that is generated and change the "WantedBy" line to "WantedBy=default.target"
  • Manage them by using systemctl --user commands.
