RHEL 7



************************RHCSA Version 7 ****************

Initial configuration.txt:

* You have been provided a virtual machine named serverX.example.com (hint: X is your domain number).
* The root password for both virtual machines is "Postroll".
* serverX.example.com is provided with IP 172.25.X.10 / 255.255.255.0.
* serverX.example.com is provided with gateway 172.25.254.254 and the example.com DNS domain with the IP 172.25.254.254.
* gateway 172.25.0.1, netmask 255.255.255.0, nameserver 172.25.254.250

1) Configure your system so that SELinux is running in Enforcing mode.

2) Create a new 100MB physical partition mounted under /Gluster.
(Note: because partition sizes are seldom exactly what is specified when
they are created, anything within the range of 70MB to 120MB is acceptable.)

3) Create a new 150MB swap partition / file system.
(Note: because partition sizes are seldom exactly what is specified when they are created,
anything within the range of 130MB to 170MB is acceptable.)

4) Create a repository for http://content.example.com/rhel7.0/x86_64/dvd

5) create the following user, groups, and group memberships:

6) Create a collaborative directory /redhat/sysgrp with the following characteristics:
--> Group ownership of /redhat/sysgrp is sysgrp
--> The directory should be readable, writable, and accessible to members of sysgrp,
but not to any other user.
(It is understood that root has access to all files and directories on the system.)
--> Files created in /redhat/sysgrp automatically have group ownership set to the sysgrp group

7) Install the appropriate kernel update from http://content.example.com/rhel7.0/x86_64/errata
   The following criteria must also be met:
   --> The updated kernel is the default kernel when the system is rebooted.
   --> The original kernel remains available and bootable on the system.

8) Enable IP forwarding on your machine

9) The user andrew must configure a cron job that runs daily at 14:23 local time and executes - /bin/echo hiya

10) Bind to the LDAP user directory provided by classroom.example.com for user authentication.
Note the following:
--> The LDAP search base DN is dc=example,dc=com
--> The LDAP certificate file is
http://classroom.example.com/pub/EXAMPLE-CA-CERT
--> ldapuserX should be able to log into your system, where X is your server number (hint: X is your domain number),
but will not have a home directory until you have completed the autofs requirement below.
All LDAP users have the password "password".

11) Configure autofs to automount the home directories of LDAP users.
Note the following:
--> classroom.example.com (172.25.254.254) NFS-exports /home/guests to your system, where X is your server number.
--> LDAP userX's home directory is classroom.example.com:/home/guests/ldapuserX
--> ldapuserX's home directory should be automounted locally beneath /home as /home/guests/ldapuserX
--> Home directories must be writable by their users.
--> While you are able to log in as any of the users ldapuser1 through ldapuser20, the only home directory that is accessible from
   your system is that of ldapuserX.
Example: on server100 you would configure the automounter such that ldapuser100's home directory
 /home/guests/ldapuser100 gets mounted automatically upon login.
The NFS share would be classroom.example.com:/home/guests/ldapuser100

12) Configure your system so that it is an NTP client of classroom.example.com

13) Copy the file /etc/fstab to /var/tmp.
    Configure the permissions of /var/tmp/fstab so that:
    the file /var/tmp/fstab is owned by the root user, belongs to the group root,
    and is not executable by anyone;
    the user andrew is able to read and write /var/tmp/fstab;
    the user susan can neither write nor read /var/tmp/fstab;
    all other users (current or future) have the ability to read /var/tmp/fstab.
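Tasks 6 and 13 above are both permission exercises and can be scripted together. The following is an added example and not part of the exam notes; the function names make_collab_dir, dir_mode and set_fstab_acl are this example's own, and the real run assumes root and that the group sysgrp and the users andrew and susan already exist. The demo at the bottom uses a temporary directory and the caller's own group so it can be tried without privileges.

```sh
#!/bin/sh
# Added example, not from the exam notes: a collaborative group directory
# (task 6) and a per-user ACL on the copied fstab (task 13).
# Directory, group and user names come from the tasks; the real run needs root.
# The demo at the bottom uses a temporary directory and the caller's own
# primary group, so it also works unprivileged.

# make_collab_dir DIR GROUP
# Mode 2770: rwx for owner and group, nothing for others, setgid bit set so
# that files created inside inherit GROUP instead of the creator's group.
make_collab_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2770 "$dir" || return 1
}

# dir_mode PATH -> octal mode including the special bits, e.g. 2770
dir_mode() {
    stat -c '%a' "$1"
}

# set_fstab_acl FILE
# root:root, no execute bit for anyone, andrew rw, susan nothing, everyone
# else read-only. setfacl recalculates the ACL mask, so andrew's rw entry
# stays effective even though the group permission is r--.
set_fstab_acl() {
    file=$1
    chown root:root "$file" || return 1
    chmod 644 "$file" || return 1
    setfacl -m u:andrew:rw- "$file" || return 1
    setfacl -m u:susan:--- "$file" || return 1
}

# Unprivileged demo: the group is the caller's own, the directory is temporary.
demo_dir=$(mktemp -d)
make_collab_dir "$demo_dir/sysgrp" "$(id -gn)"
echo "mode of $demo_dir/sysgrp: $(dir_mode "$demo_dir/sysgrp")"   # 2770
rm -rf "$demo_dir"
```

On the exam system the calls would be groupadd sysgrp followed by make_collab_dir /redhat/sysgrp sysgrp, and cp /etc/fstab /var/tmp followed by set_fstab_acl /var/tmp/fstab; getfacl /var/tmp/fstab then shows the per-user entries and the mask.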

14) Resize the logical volume logical-data and its filesystem to 400MB.
    Make sure that the filesystem contents remain intact.
    (Note: partitions are seldom exactly the size requested, so anything within the range of 370MB to 430MB is acceptable.)

15) Add the user talusan with user ID 2985.
    Find the files owned by user julice and copy them into the /root/findresults directory.

16) Create a new physical volume, then a new volume group named datacontainer with a VG extent size of 16.00MB.
    Create a new logical volume named datacopy with a size of 50 extents; the file system must be vfat. Then
    mount it under /datasource.

17) Create an archive file /root/local.tgz of /usr/local, compressed with gzip.

18) Search for the string sarah in the /etc/passwd file and save the output in /root/lines.

************************RHCE Version 7 ****************


1) Configure your system so that SELinux is running in Enforcing mode.

2) configure repository
--->create a repository for your virtual machines
--->The url is http://station.network0.example.com/content/rhel7.0/x86_64/dvd

3) ssh configuration
--->configure ssh access on your virtual machines as follows
--->clients within my22ilt.org should not have access to ssh on your systems

4) configure port forwarding.

--->configure serverX to forward traffic incoming on port 80/tcp from desktopX to port 5243/tcp.

5) simple command
--->create a command called qstat on both serverX and desktopX
--->It should execute the following command:
(ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm)
---> The command should be executable by all users

6) configure ipv6 network

--->create eth0 with a static ipv6 addresses as follows
--->configure a static ipv6 address in serverX as fddb:fe2a:ab1e::c0a8:64/64
--->desktop as fddb:fe2a:ab1e::c0a8:02/64

7) Link Aggregation:-

--->configure a link aggregation on your serverX and desktopX which watches for link changes and selects one active port for data transfers.
--->serverX should have the address 192.168.8.10/255.255.255.0
--->desktopX should have the address 192.168.8.11/255.255.255.0

8) SMTP configuration

--->configure the SMTP mail service on serverX and desktopX so that it only relays mail from the local system through station.network0.example.com
--->all outgoing mail must have the sender domain example.com; ensure that mail is not stored locally.
--->Verify the mail server is working by sending mail to the user natasha.

9) NFS server

--->configure serverX with the following requirements.
--->share the /nfsshare directory with the example.com domain clients only; the share must be writable
--->share /securesamba/nfs, enabling krb5p security to secure access to the NFS share, using the keytab from the URL
http://station.network0.example.com/pub/keytabs/serverX.keytab
--->The exported directory should have read/write access from all subdomains of the example.com domain.

Ensure the directory /securesamba/nfs is owned by the user arora with read/write permission.

--->configure the NFS mounts.

--->Mount the /nfsshare directory on desktopX under the /Public directory persistently at system boot time.

--->Mount the krb5p-secured share /securesamba/nfs on desktopX beneath /secure, using the keytab provided at
http://station.network0.example.com/pub/keytabs/desktopX.keytab

10) configure SMB access.

--->share the /sambadir directory via SMB on serverX.
--->Your SMB server must be a member of the TESTGROUP workgroup.

--->The share's name must be model
--->The model share must be available to example.com domain clients only
--->The model share must be browseable
--->susan must have read access to the share, authenticating with the password "password" if necessary.

--->Configure serverX to share /opensamba via SMB; the workgroup must be OPENGROUP.
--->The user raman must have read and write access to the /opensamba SMB share.
--->The user should have the SMB password "Hakinggood"

11) SMB Mount:-

Mount the samba share /opensamba permanently beneath /mnt/smbspace on desktopX as a multiuser mount.
--->The samba share should be mounted with the credentials of raman.

12) Webserver:

--->Implement a webserver for the site http://serverX.example.com
--->Download the webpage from http://station.network0.example.com/pub/rhce.html
--->rename the downloaded file to index.html
--->copy the file into the document root.
--->do not make any modification to index.html

13) Secured Webserver:

-->Configure the website http://serverX.example.com with TLS
-->SSLcertificate file :- http://classroom.example.com/pub/tls/certs/wwwX.crt
-->SSLcertificatekeyfile :- http://classroom.example.com/pub/tls/private/wwwX.key
-->SSL CA certificate :- http://classroom.example.com/pub/tls/certs/example-ca.crt

14) Webpage content modification:-

--->Implement a website for http://serverX.example.com/owndir
--->create a directory named "owndir" under the document root of the webserver
--->download http://station.network0.example.com/pub/restrict.html
--->rename the file to index.html; the content of owndir should be visible to everyone
browsing from your local system but must not be accessible from any other location.

15) Virtual hosting:-

--->set up a virtual host with an alternate document root.
--->Extend your web server to include a virtual host for the site http://vhostsX.example.com/
--->set the document root to /srv/netX/vhosts/
--->Download http://classroom.example.com/pubvhostsX.html
--->rename it to index.html and place it in the document root of vhosts.

Note:- The other websites configured for your system must still be accessible.
vhosts.networkX.example.com is already provided by the name server on example.com.

16) Dynamic Web configuration:

--->configure the website http://wsgiX.example.com:8961 on serverX with document root
--->/srv/vhosts/scripts/; the site should execute webapp.wsgi
--->the page is already provided at http://classroom.example.com/pub/webapp.wsgi
--->the content of the script must not be modified

17) script:

--->create a script on serverX called /root/random with the following details
--->when run as "/root/random Postconf", it should print "Postroll"
--->when run as "/root/random Postroll", it should print "Postconf"
--->when run with any other argument or without an argument, it should print to stderr
"/root/random Postconf | Postroll"
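One way to write the /root/random script from task 17, as an added example that is not part of the exam notes. The logic sits in a function (random_reply, a name chosen here) so it can be checked before the file is installed; the guard at the end runs it only when the file is actually invoked as "random".

```sh
#!/bin/sh
# Added example, not from the notes: the /root/random script from task 17.
# random_reply is this example's own function name.

# random_reply [ARG]
# Exactly one argument: Postconf -> prints Postroll, Postroll -> prints Postconf.
# Anything else (extra, other or no argument): usage on stderr, exit status 1.
random_reply() {
    if [ $# -eq 1 ]; then
        case "$1" in
            Postconf) echo "Postroll"; return 0 ;;
            Postroll) echo "Postconf"; return 0 ;;
        esac
    fi
    echo "/root/random Postconf | Postroll" >&2
    return 1
}

# When installed as /root/random, behave exactly like the script:
# pass the command-line arguments through and exit with the function's status.
if [ "${0##*/}" = "random" ]; then
    random_reply "$@"
    exit $?
fi
```

Install it with cp to /root/random and chmod +x /root/random; the exit status is non-zero in the usage case so that graders and callers can tell the error apart from a valid answer.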

18) script 2:

--->create a script on serverX called /root/createusers
--->when this script is called with the test file as argument, it should add all the users from the file
--->download the file from http://station.network0.example.com/pub/testfile
--->all users should have the login shell /bin/false; no password is required.
--->when this script is called with any other argument, it should print the message "Input File Not Found"
--->when this script is run without any argument, it should display "Usage: /root/createusers"
Note:- If the users are added there is no need to delete them.
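A possible /root/createusers for task 18, as an added example that is not part of the exam notes. It assumes the downloaded testfile holds one user name per line. The USERADD_CMD variable and the function names add_users_from and createusers are this example's own: USERADD_CMD defaults to the real useradd and can be pointed at a stub so the script logic can be exercised without root.

```sh
#!/bin/sh
# Added example, not from the notes: the /root/createusers script from task 18.
# USERADD_CMD is an assumption of this example; it defaults to the real useradd.
USERADD_CMD=${USERADD_CMD:-useradd}

# add_users_from FILE
# One account per non-empty, non-comment line, login shell /bin/false and no
# password (useradd leaves the password field locked). Returns the number of
# accounts that could not be created, so 0 means full success.
add_users_from() {
    file=$1
    failed=0
    while IFS= read -r user || [ -n "$user" ]; do
        [ -z "$user" ] && continue
        case "$user" in \#*) continue ;; esac
        if ! "$USERADD_CMD" -s /bin/false "$user"; then
            failed=$((failed + 1))
        fi
    done < "$file"
    return "$failed"
}

# createusers [FILE]  -- the script's entry point, with the three required cases
createusers() {
    if [ $# -eq 0 ]; then
        echo "Usage: /root/createusers"
        return 1
    fi
    if [ ! -f "$1" ]; then
        echo "Input File Not Found"
        return 2
    fi
    add_users_from "$1"
}

# When installed as /root/createusers, run the entry point on the arguments.
if [ "${0##*/}" = "createusers" ]; then
    createusers "$@"
    exit $?
fi
```

The "file not found" test uses -f rather than -e so that a directory passed by mistake is also rejected; useradd itself refuses names that already exist, which is why the note says already-added users need not be deleted before re-running.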

19) Configure iSCSI storage.

--->create a new /GB iscsi_block target on your serverX.example.com
--->The server should export an iSCSI disk called iqn.2014.11.com.example.serverX.
--->This target should only be available to clients with an IQN of iqn.2014.11.com.example.desktopX.

20) iSCSI initiator
-serverX.example.com provides an iSCSI portal (port 3260). Connect the disk to desktopX.example.com
and configure a filesystem with the following requirements:
-create an 800MB partition on the iSCSI block device and format it as xfs.
-Mount the volume under /mnt/initiator at system boot time.
The filesystem should contain a copy of http://classroom.example.com/pub/iscsi.txt
The file should be owned by root with 0644 permissions. Note: don't modify the content.

21) MariaDB

--->configure mariadb on serverX
--->on serverX mariadb has become corrupted due to some issue
--->however, you have the logical backup file http://classroom.example.com/pub/mariadb.mdb
--->Install a new mariadb server and restore the database from the file provided above.
--->create a database called student
--->A new ticket has been assigned to you to create new remote access accounts with the following information:

--->Enter the correct username where host=172.25.0.% from the table "user_details"
--->Enter the privileges where user=Jay from the table "user_details"

***********************************************END of the Questions *************


=======================***All The Best***==========
===> Extra for knowledge
Check the syntax:
# postfix check

Check the non-default configuration:
# postconf -n

Set the SELinux allow_postfix_local_write_mail_spool boolean to 'on':
# setsebool -P allow_postfix_local_write_mail_spool on

Restart the postfix configuration:
# systemctl restart postfix

Add a new service to the firewall:
# firewall-cmd --permanent --add-service=smtp

To know if Firewalld is running, type:
# systemctl status firewalld
# firewall-cmd --state

To get the default zone, type:
# firewall-cmd --get-default-zone

To get the list of zones where you’ve got network interfaces or sources assigned to, type:
# firewall-cmd --get-active-zones

To get the list of all the available zones, type:
# firewall-cmd --get-zones

# firewall-cmd --set-default-zone=home

Install the Web Server package group:

# yum groupinstall -y "Web server"
Activate at boot time and start the service:

# systemctl enable httpd
# systemctl start httpd
Add the HTTPS service to the firewall configuration and reload it:

# firewall-cmd --permanent --add-service=https
Success
# firewall-cmd --reload
Success

Check the validity of the configuration:

# httpd -t
Syntax OK
Or:

# apachectl configtest
Syntax OK
Restart the Apache webserver:

# apachectl restart
----------------------
RHEL7: Configure a system as either an iSCSI target or initiator that persistently mounts an iSCSI target.
Presentation

In the iSCSI world, you’ve got two types of agents:

an iSCSI target provides some storage (here called server),
an iSCSI initiator uses this available storage (here called client).
As you already guessed, we are going to use two virtual machines, respectively called server and client. If necessary, the server and client virtual machines can be one and only one machine.

iSCSI target configuration

Most of the target configuration is done interactively through the targetcli command. This command uses a directory tree to access the different objects.

To create an iSCSI target, you need to follow several steps on the server virtual machine.

Install the following packages:

# yum install -y targetcli
Activate the target service at boot:

# systemctl enable target
Note: This is mandatory, otherwise your configuration won’t be read after a reboot!

Execute the targetcli command:

# targetcli
Warning: Could not load preferences file /root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb34
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.
/>
Create a file called shareddata of 100MB in the /opt directory (don’t hesitate to use tab completion):

/> backstores/fileio create shareddata /opt/shareddata.img 100M
Created fileio shareddata with size 104857600
Create a target with an iscsi qualified name (iqn) and an associated TPG (Target Portal Group):

/> iscsi/ create iqn.2014-08.com.example:tgt1
Created target iqn.2014-08.com.example:tgt1.
Created TPG 1.
Now, we can go to the newly created directory:

/> cd iscsi/iqn.2014-08.com.example:tgt1/tpg1
/iscsi/iqn.20...ple:tgt1/tpg1> ls
o- tpg1 ................................................. [no-gen-acls, no-auth]
  o- acls ............................................................ [ACLs: 0]
  o- luns ............................................................ [LUNs: 0]
  o- portals ...................................................... [Portals: 0]
Below tpg1, three objects have been defined:

acls (access control lists: restrict access to resources),
luns (logical unit number: define exported resources),
portals (define ways to reach the exported resources; consist of pairs of IP addresses and ports).
Create a portal (a pair of IP address and port through which the target can be contacted by initiators):

/iscsi/iqn.20...ple:tgt1/tpg1> portals/ create
Using default IP port 3260
Binding to INADDR_ANY (0.0.0.0)
Created network portal 0.0.0.0:3260.
Create a lun:

/iscsi/iqn.20...ple:tgt1/tpg1> luns/ create /backstores/fileio/shareddata
Created LUN 0.
Don’t set any authentication:

/iscsi/iqn.20...ple:tgt1/tpg1> set attribute authentication=0 demo_mode_write_protect=0
Parameter authentication is now '0'.
Parameter demo_mode_write_protect is now '0'.
Note: Don’t forget the demo_mode_write_protect=0 option, otherwise the resource will be in read-only mode, not advisable to create a file system!

Don’t set any acl:

/iscsi/iqn.20...ple:tgt1/tpg1> set attribute generate_node_acls=1
Parameter generate_node_acls is now '1'.
Now, to check the configuration, type:

/iscsi/iqn.20...ple:tgt1/tpg1> ls
o- tpg1 .................................................... [gen-acls, no-auth]
  o- acls ............................................................ [ACLs: 0]
  o- luns ............................................................ [LUNs: 1]
  | o- lun0 .......................... [fileio/shareddata (/opt/shareddata.img)]
  o- portals ...................................................... [Portals: 1]
    o- 0.0.0.0:3260 ....................................................... [OK]
Finally, you can quit the targetcli command:

/iscsi/iqn.20...ple:tgt1/tpg1> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json
Note: The configuration is automatically saved to the /etc/target/saveconfig.json file.

Also, it can be useful to check the ports currently used:

# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3260            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
Create the /etc/firewalld/services/iscsi.xml file and paste the following lines:

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>iSCSI</short>
<description>iSCSI protocol</description>
<port protocol="tcp" port="3260"/>
</service>
Add a new service to the firewall:

# firewall-cmd --permanent --add-service=iscsi
Success
Reload the firewall configuration:

# firewall-cmd --reload
Success
iSCSI initiator configuration

To create an iSCSI initiator, you need to follow several steps on the client virtual machine.

Install the following package:

# yum install -y iscsi-initiator-utils
Execute the iscsiadm command in discovery mode with the server ip address (here 192.168.1.81):

# iscsiadm --mode discovery --type sendtargets --portal 192.168.1.81
192.168.1.81:3260,1 iqn.2014-08.com.example:tgt1
Execute the iscsiadm command in node mode with the server ip address (here 192.168.1.81):

# iscsiadm --mode node --targetname iqn.2014-08.com.example:tgt1 --portal 192.168.1.81 --login
Logging in to [iface: default, target: iqn.2014-08.com.example:tgt1, portal: 192.168.1.81,3260] (multiple)
Login to [iface: default, target: iqn.2014-08.com.example:tgt1, portal: 192.168.1.81,3260] successful.
To check the configuration, type:

# lsblk --scsi
NAME HCTL       TYPE VENDOR   MODEL             REV TRAN
sda  2:0:0:0    disk LIO-ORG  shareddata       4.0  iscsi
To be sure that your resource is not in read-only mode (1=read-only mode), type:

# lsblk | egrep "NAME|sda"
NAME               MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                  8:0    0  100M  0 disk
Now, you can create a file system:

# mkfs.ext4 /dev/sda
mke2fs 1.42.9 (28-Dec-2013)
/dev/sda is entire device, not just one partition!
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=4096 blocks
25688 inodes, 102400 blocks
5120 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=33685504
13 block groups
8192 blocks per group, 8192 fragments per group
1976 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729

Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
Retrieve the UUID of this disk:

# blkid | grep "/dev/sda"
/dev/sda: UUID="4a184c70-20ad-4d91-a0b1-c2cf0eb1986f" TYPE="ext4"
Add the disk UUID to the /etc/fstab file:

# echo "UUID=..." >> /etc/fstab
Note: Be very careful to type >> and not >, otherwise this will destroy all your configuration!
Make a copy of the /etc/fstab file before doing this operation if you don’t want to take any risk.

Edit the /etc/fstab file and add the mount point (here /mnt), the file system type (here ext4) and the mount options (_netdev):

UUID=... /mnt ext4 _netdev 0 0
To check your configuration, type:

# mount -a

---------------------------
RHEL7: Configure Apache private directories.
First, follow the instructions to install an Apache web server.

Then, create a private directory (called here private):

# cd /var/www/html
# mkdir private
# echo "This is a test." > private/index.html
# restorecon -R .
There are several ways to restrict access to this directory:

1) host-based private directories
To only allow the test.example.com host (add the name/IP address in the /etc/hosts file if necessary) to access a specific directory (here private), edit the /etc/httpd/conf/httpd.conf file and paste the following lines at the end:

<Directory "/var/www/html/private">
AllowOverride None
Options None
Require host test.example.com
</Directory>
Check the configuration file:

# apachectl configtest
Syntax OK
2) user-based private directories
To only allow me to access a specific directory (here private), edit the /etc/httpd/conf/httpd.conf file and paste the following lines at the end:

<Directory "/var/www/html/private">
AuthType Basic
AuthName "Password protected area"
AuthUserFile /etc/httpd/conf/passwd
Require user me
</Directory>
Check the configuration file:

# apachectl configtest
Syntax OK
Create the passwd file and store me‘s password:

# cd /etc/httpd/conf
# htpasswd -c passwd me
New password: your password
Re-type new password: your password
Adding password for user me
# chmod 600 passwd
# chown apache:apache passwd
Note: The .htpasswd file can locally be used instead of the httpd.conf file in 1) and 2) for the same purpose.

Whatever the option chosen, restart the httpd service:

# systemctl restart httpd
Check the httpd service:

# yum install -y elinks
# elinks http://localhost/private
------------------------------
RHEL7: Configure Apache group-managed content.
First, follow the instructions to install an Apache web server.

To allow only a group of users (here nikos and steve from the team) to access a specific directory (here private), edit the /etc/httpd/conf/httpd.conf file and paste the following lines at the end:

<Directory "/var/www/html/private">
AuthType Basic
AuthName "Password protected area"
AuthGroupFile /etc/httpd/conf/team
AuthUserFile /etc/httpd/conf/passwd
Require group team
</Directory>
Check the configuration file:

# apachectl configtest
Syntax OK
Create the /var/www/html/private directory and assign the correct SELinux context:

# mkdir -p /var/www/html/private
# restorecon -R /var/www/html/private
Create the /etc/httpd/conf/team file and paste the following line:

team: nikos steve
Create the /etc/httpd/conf/passwd file, add the nikos and steve accounts with their own passwords:

# htpasswd -c /etc/httpd/conf/passwd nikos
New password: nikos
Re-type new password: nikos
Adding password for user nikos
# htpasswd /etc/httpd/conf/passwd steve
New password: steve
Re-type new password: steve
Adding password for user steve
Restart the httpd service:

# systemctl restart httpd
---------------------------
RHEL7: Configure an Apache virtual host.
First, follow the instructions to install an Apache web server.

Let’s assume your website is called dummy-host.example.com.

Create the /var/www/html/dummy-host.example.com directory:

# cd /var/www/html
# mkdir dummy-host.example.com
Create an index.html file and assign the correct SELinux context:

# echo "This is a test." > dummy-host.example.com/index.html
# restorecon -R dummy-host.example.com
Create the /etc/httpd/conf.d/vhosts.conf file and paste the following lines:

<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/html/dummy-host.example.com
ServerName dummy-host.example.com
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
Optionally, rename the /etc/httpd/conf.d/ssl.conf file; otherwise you get an additional non-working https virtual host displayed in the configuration.

# cd /etc/httpd/conf.d; mv ssl.conf ssl.conf2
Check the validity of the configuration:

# apachectl configtest
Syntax OK
Note: You can also type: # httpd -t

Restart the httpd service:

# apachectl restart
Note1: You can also type: # systemctl restart httpd
Note2: For minor configuration changes, it is also possible to restart the Apache daemon without losing the current connections: # apachectl graceful

Check the virtual host(s) configuration:

# httpd -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server dummy-host.example.com (/etc/httpd/conf.d/vhosts.conf:1)
         port 80 namevhost dummy-host.example.com (/etc/httpd/conf.d/vhosts.conf:1)
         port 80 namevhost dummy-host.example.com (/etc/httpd/conf.d/vhosts.conf:1)
Check the configuration:

# yum install -y elinks
# elinks http://dummy-host.example.com
------------------------------------------

RHEL7: Configure a caching-only name server.
Install the bind package:

# yum install -y bind
Edit the /etc/named.conf file and change the listen-on option from 127.0.0.1 to any:

listen-on port 53 { any; };
In the same file, change the allow-query option from localhost to any:

allow-query { any; };
In the same file, disable the dnssec-validation option:

dnssec-validation no;
Check the configuration file:

# named-checkconf
Add a new service to the firewall:

# firewall-cmd --permanent --add-service=dns
success
Reload the firewall configuration:

# firewall-cmd --reload
success
Activate the DNS service:

# systemctl enable named
Start the DNS service:

# systemctl start named
Check the configuration:

# nslookup cnn.com 127.0.0.1
# dig @127.0.0.1 cnn.com



_____________________________________________________________________

********************************************************************************
RHCE 7 EXAM
********************************************************************************

Base system user: kiosk/redhat
Vm1- serverX.example.com/172.25.X.11/24 user:root/Postroll
Vm2- desktopX.example.com
rht-vmctl start <Vm-Name>
rht-vmctl view <Vm-Name>
rht-vmctl reset <Vm-Name>  ---> it will reset the VM to original state.

#systemctl mask iptables.service
#systemctl mask ip6tables.service
#systemctl mask ebtables.service


1) configure your systems that should be running Enforcing
#getenforce
#vim /etc/sysconfig/selinux
SELINUX=enforcing
:wq

2) configure repository
--->create a repository for your virtual machines
--->The url is http://station.network0.example.com/content/rhel7.0/x86_64/dvd

#cd /etc/yum.repos.d/
#ls
#vim redhat.repo
[RHEL]
name=RHEL 7 DVD
baseurl=http://station.network0.example.com/content/rhel7.0/x86_64/dvd
enabled=1
gpgcheck=0
:wq
#yum clean all
#yum list all

3) ssh configuration
--> configure ssh access on your virtual hosts as follows
--> clients within my22ilt.org should not have access to ssh on your systems
--> the example.com domain should have access to ssh on your systems

#vim /etc/hosts.deny
sshd: 10.32.0.0/255.255.255.0
:wq



4) configure port forwarding
 configure serverX to forward traffic incoming on port 80/tcp from desktopX to port 5243/tcp.

Ans:
#firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.5.10 forward-port port=80 protocol=tcp to-port=5243'
#firewall-cmd --reload
#firewall-cmd --list-rich-rules
--> to remove the rule again (just for knowledge):
#firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=172.25.5.10 forward-port port=80 protocol=tcp to-port=5243'

#curl http://server5.example.com/  --> verify from desktop-vm: the request sent to port 80 arrives at whatever listens on 5243/tcp of serverX

5) simple command
--->create a command called qsatat on both serverX and desktopX
--->It should able to execute the following command
(ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm)
---> The command should be executable by all users

Ans: vim /bin/qstat
#!/bin/bash
ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm

:wq
#chmod a+x /bin/qstat   --> executable by all users
#scp /bin/qstat desktop5:/bin

6) configure ipv6 network

--->create eth0 with a static ipv6 addresses as follows
--->configure a static ipv6 address in serverX as fddb:fe2a:ab1e::c0a8:64/64
--->desktop as fddb:fe2a:ab1e::c0a8:02/64

Ans:
Internet Protocol version 6: 128-bit address
Ex: 2008:0001:0000:0a81:0000:0000:0000:0001  = 2008:1:0:a81::1
    -------------------  -------------------
          Net ID               Host ID
Each field holds 16 bits (4 hex digits).
Letters must be lowercase "a" to "f".
Digits 0-9 are acceptable.

Note: leading zeros in a field can be dropped, and one run of two or more consecutive all-zero fields can be replaced with "::" (only once per address).
::1/128 --> loopback address (the IPv6 equivalent of 127.0.0.1)
:: --> the unspecified (undefined) address
::/0 --> the default route (it means every network)
fe80::/64 --> link-local (private) addresses, valid only on the local link
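The compression rule above (drop leading zeros, collapse the longest run of zero fields into "::") can be implemented in a few lines of shell. The following is an added example, not from the notes; ipv6_compress is this example's own function name and it assumes the input is the full eight-field form with no "::" in it already.

```sh
#!/bin/sh
# Added example, not from the notes: compress a fully written IPv6 address
# the way the rule above describes. Drop leading zeros in every 16-bit field,
# then replace the longest run of two or more consecutive zero fields with "::".
# Assumption: the input is the full 8-field form (no "::" in it already).

# ipv6_compress ADDR -> compressed address on stdout
ipv6_compress() {
    # Split the 8 colon-separated fields into the positional parameters.
    set -- $(printf '%s' "$1" | tr ':' ' ')
    if [ $# -ne 8 ]; then
        echo "ipv6_compress: expected 8 fields" >&2
        return 1
    fi

    # Pass 1: strip leading zeros and locate the longest run of zero fields.
    # best_start/best_len describe the run that will become "::".
    fields=""; i=0; run_start=-1; run_len=0; best_start=-1; best_len=0
    for f in "$@"; do
        v=$(printf '%x' "$((0x$f))")     # "0a81" -> "a81", "0000" -> "0"
        fields="$fields $v"
        if [ "$v" = "0" ]; then
            if [ "$run_start" -lt 0 ]; then run_start=$i; fi
            run_len=$((run_len + 1))
            if [ "$run_len" -gt "$best_len" ]; then
                best_start=$run_start; best_len=$run_len
            fi
        else
            run_start=-1; run_len=0
        fi
        i=$((i + 1))
    done
    # A single zero field is written as "0"; only runs of 2+ become "::".
    if [ "$best_len" -lt 2 ]; then best_start=-1; fi

    # Pass 2: join the fields, emitting "::" once in place of the chosen run.
    out=""; i=0
    for v in $fields; do
        if [ "$i" -eq "$best_start" ]; then
            out="${out}::"
        elif [ "$best_start" -ge 0 ] && [ "$i" -gt "$best_start" ] \
             && [ "$i" -lt "$((best_start + best_len))" ]; then
            :                              # inside the collapsed run: skip
        else
            case "$out" in
                ""|*::) out="$out$v" ;;    # nothing to separate from
                *)      out="$out:$v" ;;
            esac
        fi
        i=$((i + 1))
    done
    echo "$out"
}

ipv6_compress 2008:0001:0000:0a81:0000:0000:0000:0001   # 2008:1:0:a81::1
```

Running it on the exam address written out in full, fddb:fe2a:ab1e:0000:0000:0000:c0a8:0064, gives fddb:fe2a:ab1e::c0a8:64, the form used in task 6.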

#ip addr show   --> to show the available interface in system
#lab ipv6 setup  ----> for lab setup to practice in institute.

#nmcli connection show

# nmcli connection modify "System eth0" ipv6.addresses fddb:fe2a:ab1e::c0a8:64/64 ipv6.method manual
# nmcli connection  reload
# nmcli connection  up "System eth0"
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
 ping6 fddb:fe2a:ab1e::c0a8:64 --> check the ipv6 address by "ping6"


steps involved in IPv4/IPv6
===========================
1) Add the connection
2) Assign the IP
3) Set the IP as manual (static)
4) Reload the connection
5) Enable the connection
6) Communicate with the IP you defined

--> single command to assign the IP and set the method to static (then "nmcli connection up <con-name>" to activate it)
#nmcli connection modify <con-name> ipv4.addresses <IP/prefix> ipv4.method manual

7) Link Aggregation:-

--->configure your serverX and DesktopX which watches for link changes and selects on active port for data transfors.
--->ServerX should have the address as 192.168.8.10/255.255.255.0
--->DesktopX should have the address as 192.168.8.11/255.255.255.0

Link Aggregation:
========================
Mode:
1) Round Robin
2) Active Backup
3) Load Balancing
4) Broadcast

Modes are called as runners

#ip addr show
#nmcli connection add type team con-name team0 ifname team0 config '{"runner":{"name":"activebackup"}}'
#nmcli connection modify team0 ipv4.addresses 192.168.5.11/24 ipv4.method manual
#nmcli connection show
#nmcli connection add type team-slave con-name team0-port1 ifname eth1 master team0
#nmcli connection add type team-slave con-name team0-port2 ifname eth2 master team0

#nmcli connection up team0
#nmcli connection up team0-port1
#nmcli connection up team0-port2

# teamdctl team0 state   --> shows the runner and which port is currently active (run after the team is up)

#ping 192.168.5.11

Steps involved:

1) Add the Master connection
2) Assign IP & change it as static
3) Add the slave interface to the Master
4) Bringsup the interfaces
5) Verify with "ping" cmd.


#nmcli device disconnect team0  --> just for knowledge (short form: nmcli dev dis team0)

8) SMTP configuration

--->configure the SMTP mail service on serverX and desktopX so that it only relays mail from the local system through station.network0.example.com
--->all outgoing mail must have the sender domain example.com; ensure that mail is not stored locally.
--->Verify the mail server is working by sending mail to the user natasha.

Answer:

Package Name: postfix
service Name: postfix.service
protocol=smtp
port=25
configuration: /etc/postfix/main.cf
imaps://imapX.example.com

#lab smtp-nullclient setup
#yum install postfix -y
#firewall-cmd --permanent --add-port=25/tcp
or
#firewall-cmd --permanent --add-service=smtp
#firewall-cmd --reload
#firewall-cmd --list-ports
#systemctl enable postfix.service
#systemctl start postfix.service

#postconf -e "relayhost=[smtpX.example.com]"
#postconf -e "myorigin=example.com"
#postconf -e "mydestination="
#postconf -e "mynetworks=127.0.0.0/8 [::1]/128"
#postconf -e "inet_interfaces=loopback-only"

#systemctl restart postfix.service

configuration = /etc/postfix/main.cf
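A null client is only safe if all four settings above are in place at once: a host that keeps the default inet_interfaces=all or trusts its whole subnet in mynetworks is reachable as a relay from the network. The following audit function is an added example (not from the original post or from Postfix itself); it parses a main.cf directly, so it does not expand $variables the way "postconf -n" would on a live system, and the sample file contents in the test are constructed.

```shell
# cf_get FILE KEY -> value of the last "KEY = value" line in FILE (postfix
# honours the last occurrence); empty when the key is absent or has no value.
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# cf_has FILE KEY -> 0 when KEY is set explicitly in FILE
cf_has() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# check_null_client FILE -> prints one line per violation of the null-client
# settings, returns 1 when any were found, 0 when the file is clean, 2 on error.
check_null_client() {
    cf=$1
    [ -f "$cf" ] || { echo "no such file: $cf" >&2; return 2; }
    fail=0
    # 1. everything must go to the relay
    [ -n "$(cf_get "$cf" relayhost)" ] \
        || { echo "relayhost unset: mail would be sent directly instead of via the relay"; fail=1; }
    # 2. nothing may be delivered locally (key present AND empty; the built-in
    #    default is "$myhostname, localhost.$mydomain, localhost", which is not empty)
    if ! cf_has "$cf" mydestination || [ -n "$(cf_get "$cf" mydestination)" ]; then
        echo "mydestination is not empty: mail for listed domains would be stored locally"; fail=1
    fi
    # 3. SMTP must not be reachable from the network
    [ "$(cf_get "$cf" inet_interfaces)" = "loopback-only" ] \
        || { echo "inet_interfaces is not loopback-only: SMTP would be reachable from the network"; fail=1; }
    # 4. only loopback may relay (the default mynetworks_style=subnet trusts the whole subnet)
    cf_has "$cf" mynetworks \
        || { echo "mynetworks unset: postfix would trust the whole local subnet"; fail=1; }
    while read -r net; do
        [ -n "$net" ] || continue
        case $net in
            127.0.0.0/8|127.0.0.1|127.0.0.1/32|'[::1]/128'|'[::1]') ;;
            *) echo "mynetworks trusts '$net': only loopback should be allowed to relay"; fail=1 ;;
        esac
    done <<EOF
$(cf_get "$cf" mynetworks | tr ',' '\n')
EOF
    return "$fail"
}

# Typical use on serverX after the postconf -e commands above:
#   check_null_client /etc/postfix/main.cf && echo "null client OK"
```

The function reports every violation rather than stopping at the first, so one run after "postconf -e" shows exactly which of the four settings still needs to change.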

9) NFS server

--->configure serverX with the following requirements.
--->share the /nfsshare directory with the example.com domain clients only, share must be writable
--->share /securesamba/nfs, enabling krb5p security to secure access to the NFS share, using the keytab from the url
http://station.network0.example.com/pub/keytabs/serverX.keytab
--->The exported directory should have read/write access from all subdomains of the example.com domain.

Ensure the directory /securesamba/nfs should be owned by the user arora with read/write permission.

--->configure NFS mount.

--->Mount /nfsshare directory on desktopX under /Public directory persistently at system boot time.

--->Mount /securesamba/nfs with krb5p secured share on desktopX beneath /secure provided with keytab
http://station.network0.example.com/pub/keytabs/desktopX.keytab

Answer:
#yum install nfs* -y
#systemctl enable nfs-server.service
#systemctl start nfs-server.service

#firewall-cmd --permanent --add-service=nfs
#firewall-cmd --reload
#mkdir /nfsshare

#vim /etc/exports
/nfsshare *.example.com(rw)
:wq

#systemctl restart nfs-server.service

Desktop -Vm-NFS

#yum install nfs-utils -y
#mkdir /Public
#vim /etc/fstab
serverX.example.com:/nfsshare /Public nfs defaults 0 0
:wq
#mount -a

10) NFS Kerberos security
==========================

#lab nfskrb5 setup
#yum install krb5* -y
#systemctl enable nfs-secure-server.service
#systemctl start nfs-secure-server.service
#firewall-cmd --permanent --add-service=kerberos
#wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/serverX.keytab   --> on serverX
#wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktopX.keytab  --> on desktopX

#mkdir /securesamba/nfs
#vim /etc/exports
/securesamba/nfs *.example.com(sec=krb5p,rw)
:wq

#systemctl restart nfs-secure-server.service
#exportfs -r
#exportfs -a

Server-Vm
#useradd arora
#chown arora /securesamba/nfs
#setfacl -m u:arora:rw /securesamba/nfs
#getfacl /securesamba/nfs


NFS Kerberos at Desktop-Vm

#lab nfskrb5 setup
#yum install krb5* -y
#systemctl enable nfs-secure.service
#systemctl start nfs-secure.service
#mkdir /secure
#vim /etc/fstab
serverX.example.com:/securesamba/nfs /secure nfs defaults,sec=krb5p 0 0
:wq
#mount -a

SAMBA
==========================
10)a) configure smb access
-->share the /sambadir directory via SMB on serverX
-->your SMB server must be a member of the TESTGROUP WORKGROUP
-->The share's name must be model
-->The model share must be available to example.com domain clients only
-->The model share must be browsable
-->susan must have read access to the share, authenticating with the password "password" if necessary.

b) Configure the serverX to share /opstack with SMB share name must be OPENGROUP.
-->The user frankenstein has read, write and access permission to the /opstack SMB share,
-->The user martin has read access to the /opstack SMB share.
-->Both users should have the SMB password "SantiTago"
c) smb mount
-->mount the samba share /opstack permanently beneath /mnt/smbspace on desktopX as multiuser mount.
-->The samba share should be mounted with the credentials of frankenstein


Answer:

#yum install samba* -y
#systemctl enable smb.service nmb.service
#systemctl start smb.service nmb.service

#mkdir /sambadir
#firewall-cmd --permanent --add-service=samba
#firewall-cmd --reload
#firewall-cmd --list-services

#vim /etc/samba/smb.conf
workgroup = TESTGROUP
hosts allow = 172.25.
[model]
path = /sambadir
browseable = yes
valid users = susan
read only = yes


[OPENGROUP]
path = /opstack
write list = frankenstein
writable = no
valid users = frankenstein,martin   --- extra: we can also restrict the share like this

:wq

#smbpasswd -a susan
#smbpasswd -e susan
#systemctl restart smb.service nmb.service
#restorecon /sambadir/
#chcon -R -t samba_share_t /sambadir/

#getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_sandbox_use_samba --> off
virt_use_samba --> off

#setsebool -P samba_enable_home_dirs on
#systemctl restart smb.service nmb.service
#setfacl -m u:frankenstein:rwx /opstack
#chcon -R -t samba_share_t /opstack
# ls -lZd /opstack
drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /opstack
# ls -lZd /sambadir/
drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /sambadir/
# useradd frankenstein
# useradd martin
# smbpasswd -a frankenstein
# smbpasswd -e frankenstein
# smbpasswd -a martin
# smbpasswd -e martin

Desktop-VM-Samba
=================
#mkdir /mnt/smbspace
#yum install cifs-utils -y
#printf 'username=frankenstein\npassword=SantiTago\n' > /root/multi.txt
#vim /etc/fstab
//serverX.example.com/OPENGROUP /mnt/smbspace cifs credentials=/root/multi.txt,multiuser,sec=ntlmssp 0 0
:wq

#mount -a

#cat /root/multi.txt
username=frankenstein
password=SantiTago

#yum install samba-client
#smbclient -L <samba server> -U <samba-user>
#smbclient -L serverX.example.com -U frankenstein

12) Webserver:

--->Implement a webserver for the site http://serverX.example.com
--->Download the webpage from http://station.network0.example.com/pub/rhce.html
--->rename the downloaded file to index.html
--->copy the file into the document root.
--->do not make any modification to index.html


Ans:
configuration file: /etc/httpd/conf/httpd.conf
Document root: /var/www/html
package: httpd   service: httpd.service

#yum install httpd -y
#systemctl enable httpd.service
#systemctl start httpd.service
#firewall-cmd --permanent --add-service=http
#firewall-cmd --reload
#firewall-cmd --list-services
#cd /var/www/html
#wget http://classroom.example.com/pub/rhce.html
#mv rhce.html index.html

#vim /etc/httpd/conf.d/myweb.conf
<VirtualHost *:80>
servername serverX.example.com
DocumentRoot /var/www/html
</VirtualHost>

check through firefox http://serverX.example.com/

13) Secured Webserver:

-->Configure the website http://serverX.example.com with TLS
-->SSLcertificate file :- http://classroom.example.com/pub/tls/certs/wwwX.crt
-->SSLcertificatekeyfile :- http://classroom.example.com/pub/tls/private/wwwX.key
-->SSL CA certificate :- http://classroom.example.com/pub/tls/certs/example-ca.crt

#yum install mod_ssl -y
#cd /etc/pki/tls/certs
#wget http://classroom.example.com/pub/tls/certs/wwwX.crt
#wget http://classroom.example.com/pub/tls/certs/example-ca.crt
#cd /etc/pki/tls/private
#wget http://classroom.example.com/pub/tls/private/wwwX.key

#vim /etc/httpd/conf.d/myweb.conf
<VirtualHost *:443>
ServerName serverX.example.com
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/wwwX.crt
SSLCertificateKeyFile /etc/pki/tls/private/wwwX.key
SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
</VirtualHost>
</VirtualHost>


#systemctl restart httpd.service
#firewall-cmd --permanent --add-service=https
#firewall-cmd --reload
#firewall-cmd --list-services

check through firefox https://serverX.example.com/

14) Webpage content modification:-

--->Implement a website for http://serverX.example.com/owndir
--->create a directory named "owndir" under the document root of the webserver
--->download http://station.network0.example.com/pub/restrict.html
--->rename the file to index.html - the content of owndir should be visible to everyone
browsing from your local system but must not be accessible from any other location.

#mkdir /var/www/html/owndir
#cd /var/www/html/owndir
#wget http://classroom.example.com/pub/restrict.html
#mv restrict.html index.html
#chcon -R -t httpd_sys_content_t /var/www/html/owndir

#vim /etc/httpd/conf.d/myweb.conf

<Directory /var/www/html/owndir>
order deny,allow
deny from all
allow from 172.25.X.11
</Directory>

check through firefox https://serverX.example.com/owndir

15) Virtual hosting:-

--->setup a virtual host with an alternate document root.
--->Extend your web server to include a virtual host for the site http://vhostsX.example.com/
--->set the document root to /srv/netX/vhosts/
--->Download http://classroom.example.com/pub/vhostsX.html
--->rename it to index.html and place it in the document root of vhosts.

Note:- The other websites configured for your system must still be accessible.
vhosts.networkX.example.com is already provided by the name server on example.com.

Ans:
#mkdir -p /srv/netX/vhosts
#chcon -R -t httpd_sys_content_t /srv/netX/vhosts
#ls -lZd /srv/netX/vhosts  --> to verify
#cd /srv/netX/vhosts
#wget http://classroom.example.com/pub/vhostsX.html
#mv vhostsX.html index.html


#vim /etc/httpd/conf.d/myweb.conf

<VirtualHost *:80>
ServerName vhostsX.example.com
DocumentRoot /srv/netX/vhosts
</VirtualHost>
<Directory /srv/netX/vhosts>
Require all granted
</Directory>
:wq

semanage fcontext -l | grep -i http

check through firefox http://vhostsX.example.com/

16) Dynamic Web configuration:

--->configure the website http://wsgiX.example.com:8961 on the server with document root
--->/srv/vhosts/scripts/ ; the site should execute webapp.wsgi
--->the page is already provided at http://classroom.example.com/pub/webapp.wsgi
--->the content of the script must not be modified

Ans:

#yum install mod_wsgi -y
#mkdir -p /srv/vhosts/scripts
#chcon -R -t httpd_sys_script_exec_t /srv/vhosts/scripts
#semanage port -a -t http_port_t -p tcp 8961
#firewall-cmd --permanent --add-port=8961/tcp
#firewall-cmd --reload
#cd /srv/vhosts/scripts
#wget http://classroom.example.com/pub/webapp.wsgi

#vim /etc/httpd/conf/httpd.conf

Listen 8961
NameVirtualHost *:80      (not needed on httpd 2.4, harmless)
NameVirtualHost *:8961

:wq

#vim /etc/httpd/conf.d/myweb.conf
<VirtualHost *:8961>
ServerName wsgiX.example.com
DocumentRoot /srv/vhosts/scripts/
WSGIScriptAlias / /srv/vhosts/scripts/webapp.wsgi
</VirtualHost>

<Directory /srv/vhosts/scripts>
require all granted
</Directory>

#systemctl restart httpd.service

check through firefox http://wsgiX.example.com:8961/
=======================

17) script:1

--->create a script on serverX called /root/random with the following details
--->when run as /root/random Postconf, it should print "Postroll"
--->when run as /root/random Postroll, it should print "Postconf"
--->when run with any other argument or without an argument, it should print to stderr
"/root/random Postconf | Postroll"

#vim /root/random
#!/bin/bash
case "$1" in
    Postconf ) echo "Postroll";;
    Postroll ) echo "Postconf";;
    * ) echo "/root/random Postconf | Postroll" >&2;;
esac

#chmod a+x /root/random

18) script 2:

--->create a script on serverX called /root/createusers
--->when this script is called with the test file as argument, it should add all the users listed in the file
--->download the file from http://station.network0.example.com/pub/testfile
--->all users should have the login shell /bin/false; a password is not required.
--->when this script is called with any other argument, it should print the message "Input File Not Found"
--->When this script is run without any argument, it should display "Usage: /root/createusers"
Note:- If the users are added there is no need to delete them.

Ans:
#wget http://classroom.example.com/pub/testfile

#vim /root/createusers

#!/bin/bash
if [ $# -eq 0 ]; then
    echo "Usage: /root/createusers"
elif [ -f "$1" ]; then
    for b in $(cat "$1")
    do
        useradd -s /bin/false "$b"
    done
else
    echo "Input File Not Found"
fi

#chmod a+x /root/createusers
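The script above passes every line of the input file straight to useradd, so a stray line such as "-D" or "a b" either becomes an option to useradd or fails halfway through the file. The following variant is an added example (not the original script from the post): it generalizes the answer to any input file, validates each name against the same pattern shadow-utils accepts by default, skips accounts that already exist, and defaults to a dry run that only prints the useradd commands; the file name /root/createusers and the DRY_RUN variable are assumptions.

```shell
#!/bin/sh
# Hardened /root/createusers: validate names before they reach useradd.
# DRY_RUN=1 (default) prints the useradd commands; DRY_RUN=0 runs them (as root).
DRY_RUN=${DRY_RUN:-1}

# valid_username NAME -> 0 if NAME is safe: starts with a lowercase letter or
# underscore, then letters, digits, '_' or '-', at most 32 characters. A name
# starting with '-' is rejected so it can never be parsed as an option.
valid_username() {
    case $1 in
        ''|-*) return 1 ;;
    esac
    [ ${#1} -le 32 ] || return 1
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$'
}

# add_user NAME -> prints (or runs) useradd; existing accounts are left untouched
add_user() {
    if getent passwd "$1" >/dev/null 2>&1; then
        echo "skip: $1 already exists" >&2
        return 0
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "useradd -s /bin/false -- $1"
    else
        useradd -s /bin/false -- "$1"
    fi
}

# create_users_from FILE -> 0 when every line was accepted,
# 1 when FILE does not exist, 2 when at least one line was rejected
create_users_from() {
    file=$1
    [ -f "$file" ] || { echo "Input File Not Found" >&2; return 1; }
    rejected=0
    while IFS= read -r name || [ -n "$name" ]; do
        name=$(printf '%s' "$name" | tr -d '\r')   # tolerate CRLF in the downloaded file
        [ -z "$name" ] && continue                  # skip blank lines
        if valid_username "$name"; then
            add_user "$name"
        else
            echo "rejected invalid user name: $name" >&2
            rejected=1
        fi
    done < "$file"
    [ "$rejected" -eq 0 ] || return 2
}

main() {
    [ $# -eq 1 ] || { echo "Usage: /root/createusers <file>" >&2; return 1; }
    create_users_from "$1"
}

# run main only when executed as the createusers script, so the functions can be sourced
[ "${0##*/}" = createusers ] && main "$@"
```

Run it first with the default DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 as root; a non-zero exit status tells you that some lines of the file were rejected rather than silently passed to useradd.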

19) Configure iSCSI storage. (targetcli)

--->create a new 1GB iscsi_block target on your serverX.example.com
--->The server should export an iscsi disk called iqn.2014.11.com.example.serverX.
--->This target should only be available to clients with an IQN of iqn.2014.11.com.example.desktopX.

Ans:

Server-Vm
--------
#yum install targetcli* -y
#systemctl enable target.service
#systemctl start target.service
#firewall-cmd --permanent --add-port=3260/tcp
#firewall-cmd --reload
#fdisk /dev/vdb
:n,:p,:1,:Enter,:+1G,:w
#partprobe /dev/vdb
#cat /proc/partitions
#targetcli
>ls
>cd /backstores/block
>create block1 /dev/vdb1
>cd /iscsi
>create iqn.2014-10.com.example:serverX
>cd /iscsi/iqn.2014-10.com.example:serverX/tpg1/acls
>create iqn.2014-10.com.example:desktopX
>cd /iscsi/iqn.2014-10.com.example:serverX/tpg1/luns
>create /backstores/block/block1
>cd /iscsi/iqn.2014-10.com.example:serverX/tpg1/portals
>create 172.25.X.11 3260      ------->( server ip)
>saveconfig
>exit
>exit


#systemctl restart target.service

20) iSCSI initiator
-The serverX.example.com provides an iscsi port (3260). Connect the disk to desktopX.example.com
and configure a filesystem with the following requirements,
-create an 800MB partition on the iSCSI block device and format it with the xfs filesystem.
-Mount the volume under /mnt/initiator at system boot time.
The filesystem should contain a copy of http://classroom.example.com/pub/iscsi.txt
The file should be owned by root with 0644 permission. Note: don't modify the content.

Desktop-Vm
----------
#yum install iscsi-initiator-utils -y
#systemctl enable iscsi.service iscsid.service
#systemctl start iscsi.service iscsid.service

#vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2014-10.com.example:desktopX

:wq

#systemctl restart iscsi.service iscsid.service

man iscsiadm -- search with /examples, take the discoverydb and login commands and modify the IP address and target name.

#iscsiadm --mode discoverydb --type sendtargets --portal 172.25.X.11 --discover
#iscsiadm --mode node --targetname iqn.2014-10.com.example:serverX --portal 172.25.X.11:3260 --login
#cat /proc/partitions
#fdisk /dev/sdc
n,p,1,Enter,+800M,w
#partprobe /dev/sdc
#mkfs.xfs /dev/sdc1
#mkdir /mnt/initiator
#blkid
#vim /etc/fstab
UUID=<uuid value> /mnt/initiator xfs _netdev 0 0
:wq
#mount -a
#cd /mnt/initiator
#wget http://classroom.example.com/pub/iscsi.txt
#chmod 0644 iscsi.txt
=================
Maria Db--Q
================
-->configure mariadb on serverX
on serverX mariadb has been corrupted due to some issues;
anyhow you have the logical backup file http://classroom.example.com/pub/mariadb.mdb
Install a new mariadb server & restore the database from the above provided file.
create a database called student
A new ticket has been assigned to you to create new remote access accounts with the following information.

Enter the correct username where host=172.25.0.% from the table "user_details"
Enter the privileges where user=Jay from the table "user_details"

User     Accepts connections from    Password           Privileges
Karthi   localhost                   karthi_password    select on user_details table from student database
fabric   any host                    fabric_password    select,insert,update,delete on user_details table from student database
smith    localhost                   smith_password     select on all tables from student database

Ans:Maria Db

#yum groupinstall mariadb mariadb-client -y
#systemctl enable mariadb.service
#systemctl start mariadb.service
#firewall-cmd --permanent --add-service=mysql
#firewall-cmd --reload
#wget http://classroom.example.com/pub/mariadb.mdb
#mysql -u root
>create database student;
>exit
#mysql -u root student < mariadb.mdb
#mysql -u root
>create user karthi@localhost identified by 'karthi_password';
>create user smith@localhost identified by 'smith_password';
>create user fabric@'%' identified by 'fabric_password';
>grant select on student.contact to karthi@'localhost';
>grant select,insert,update,delete on student.contact to fabric@'%';
>grant select on student.* to smith@'localhost';
>use student;
>create table user_details (username char(30), host char(30), privileges char(30));
>insert into user_details values ('jay', '172.25.0.%','select,delete');
>insert into user_details values ('martin','172.25.6.%','select,delete');
>insert into user_details values ('guru', '172.25.6.11','select,delete');
>select * from user_details;
>show tables;
>pager less -n -i -s -F -R;
>select username from user_details where host='172.25.0.%';
>select privileges from user_details where username='jay';
>select user from mysql.user;
>select * from contact where UID="1010";


Extra Knowledge:

#mysql_secure_installation   --> to set the database root passwd
#mysql -u root
>show databases;
>create database db1;
>show tables;
>create table tb1 (Name Char(30), ContactNo float);
>show tables;
>describe tb1;
>insert into tb1 values ('redhat',123512478);
>select name from tb1;
>insert into tb1 values ('fedora',1234678978);
>select name from tb1;
>select * from tb1;
>select * from tb1 where name='redhat';
>update tb1 set name='REDHAT' where name='redhat';
>alter table tb1 add Email char(40);
>update tb1 set Email="ram@example.com" where name='redhat';
>select * from tb1;
>alter table tb1 modify Email int;
>select * from tb1;
>alter table tb1 drop Email;  ---> to delete the object
>drop table tb1;     ---> to delete the table from database.
>drop database db1;  ---> to delete the database.
#mysqldump -u root -p mysql > /backup/mysql.dump  ---> to take a backup (dump) of the mysql database.
#mysql -u root -p newdb < /backup/mysql.dump  ---> to restore the dump into the newdb database.

>select tb1.contact, tb2.email from tb1 inner join tb2 on <condition>;

______________________________________________________________________________

RHCSA EXAM
*************************

RHCSA-VM configuration.txt:
*you have been provided a virtual box named as serverX.example.com (hint:where X is your domain number)
* password for both virtual machine should be "Postroll"
*serverX.example.com provided with ip=172.25.X.10/255.255.255.0
*serverX.example.com are provided with gateway 172.25.254.254 & example.com dns domain with the IP: 172.25.254.254

Before starting exam.

--> ping server-vm ip , desktop-vm ip and classroom.example.com
--> from server-vm ping base machine and server.
--> check hostname and IP address of server-vm and desktop-vm

#vim /etc/hostname
serverX.example.com
:wq
#vim /etc/sysconfig/network-scripts/ifcfg-eth0
IPADDR= 172.25.5.11
PREFIX=24
BOOTPROTO=static
:wq

#systemctl restart NetworkManager.service

#rht-vmctl start server
#rht-vmctl view server

if the VM is set to multi-user.target then set it to graphical.target

#systemctl get-default --> to check the running target
#systemctl set-default graphical.target

---> mask the iptables service before starting the exam.

#systemctl mask iptables.service

--> To reset (break) the root password do the following
#systemctl reboot
press "e" to edit
Go to the end of the "linux16" line, type rd.break console=tty1 and press ctrl+x to boot.
#mount -o remount,rw /sysroot
#chroot /sysroot
#passwd root
#touch /.autorelabel
#exit
#exit

**Warning - SELinux targeted policy relabel is required.
Relabeling could take a very long time, depending on the filesystem size & the speed of the hard drives.

One of the unit types in systemd is the service unit, used for all services; every service unit name ends
with the ".service" extension.

--> To change the system target at boot do the following

#systemctl reboot, press "e" to edit, go to the end of the "linux16" line and type the following entry:
systemd.unit=graphical.target, then ctrl+x to boot the system


--->command mode to change the system target

#systemctl get-default  ---> to check the present target mode
#systemctl set-default graphical.target  ---> to make it permanent
#systemctl isolate graphical.target   --> to switch to it temporarily (until reboot)


1) configure Selinux
The machine should be running enforcing mode

Answer:

#getenforce  ----> to check the selinux status
#vim /etc/sysconfig/selinux
SELINUX=enforcing
:wq

#setenforce 1  (Note: 0=permissive 1=enforcing)
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]

Example:
[root@foundation3 ~]# cat /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted


2) create a new 100MB Physical partition mounted under /Gluster
(Note because partition sizes are seldom exactly what is specified when they are created, any thing within the range of 70MB to 120MB is acceptable)

Answer:

#fdisk /dev/vdb
:n,:p,:1,:Enter,:+100M,:w
#partprobe /dev/vdb
#cat /proc/partitions
#mkfs.ext4 /dev/vdb1
#mkdir /Gluster

#vim /etc/fstab
/dev/vdb1 /Gluster ext4 defaults 0 0
:wq

#mount -a
#df -h

3) create a new 150MB swap partition f/s.
(Note because partition sizes are seldom exactly what is specified when they are created,
any thing within the range of 130MB to 170MB is acceptable)

Answer:

fdisk /dev/vdb
:n,:p,:2,:Enter,:+150M,:t,:2,:82,:w
#partprobe /dev/vdb
#cat /proc/partitions
#mkswap /dev/vdb2

#vim /etc/fstab
/dev/vdb2 swap swap defaults 0 0
:wq

#swapon /dev/vdb2
#free -m
#swapon -s  ---> it will show the summary of swap configuration.

4) create a repository for http://content.example.com/rhel7.0/x86_64/dvd

Answer:

#cd /etc/yum.repos.d
#ls
# rm -rf * --> remove any existing repo files.
#vim redhat.repo
[apps]
baseurl=http://content.example.com/rhel7.0/x86_64/dvd
gpgcheck=0
:wq

#yum clean all
#yum list all  --> the rpm's should not be listed in red colour.
#yum repolist  --> to verify your repo file.

5) create the following user, groups, and group memberships:

--> A group named sysgrp
--> A user andrew who belongs to sysgrp as a secondary group
--> A user susan also belongs to sysgrp as a secondary group
--> A user sarah who does not have access to an interactive shell on the system and who is not a member of sysgrp
--> susan,sarah, andrew password = "Postroll"

Answer:

#groupadd sysgrp
#useradd andrew
#useradd susan
#usermod -aG sysgrp andrew
#usermod -aG sysgrp susan
#useradd sarah
#usermod -s /sbin/nologin sarah
#passwd andrew
#passwd susan
#passwd sarah

6) create a collaborative directory /redhat/sysgrp with the following characteristics:
--> Group ownership of /redhat/sysgrp is sysgrp
--> The directory should be readable, writable, and accessible to members of sysgrp,
but not to any other user.
(It is understood that root has access to all files and directories on the system.)
--> Files created in /redhat/sysgrp automatically have group ownership set to the sysgrp group

Answer:
#mkdir -p /redhat/sysgrp
#chgrp sysgrp /redhat/sysgrp
#chmod 770 /redhat/sysgrp
#chmod g+s /redhat/sysgrp

7) Install the appropriate kernel update from http://content.example.com/rhel7.0/x86_64/errata
   The following criteria must also be met:
   -->The updated kernel is the default kernel when the system is rebooted.
   -->The original kernel remains available and bootable on the system

Answer:

#vim /etc/yum.repos.d/redhat.repo
[kernel]
baseurl=http://content.example.com/rhel7.0/x86_64/errata
gpgcheck=0
:wq


#yum clean all
#yum list all
#yum repolist
#yum install kernel -y
#grep ^menuentry /boot/grub2/grub.cfg  --> verify that both kernels exist
#grubby --default-kernel               --> verify the updated kernel is the default

8) Enable IP forwarding on your machine


[root@foundation3 ~]# vim /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward=1

:wq

[root@foundation3 ~]# sysctl -p
net.ipv4.ip_forward = 1

9) The user andrew must configure a cron job that runs daily at 14:23 local time and executes - /bin/echo hiya

Answer:
#yum install cronie -y
#crontab -eu andrew
23 14 * * * /bin/echo hiya
:wq
#crontab -lu andrew  --> to verify the crontab entries

#systemctl enable crond.service
#systemctl start crond.service

#vim /etc/crontab  ---> to check the definition of the fields.

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

10) Bind with the LDAP user database provided by classroom.example.com for user authentication.
Note the following:-
--> The LDAP search base DN is dc=example,dc=com
--> The LDAP certificate file is
http://classroom.example.com/pub/EXAMPLE-CA-CERT
-->ldapuserX should be able to log into your system, where X is your serverX number (hint: where X is your domain number),
but will not have a home directory until you have completed the autofs requirement
below. All LDAP users have the password "password".



LDAP Answer
---------

Lightweight Directory Access Protocol
Port-389
Package Name= auth*
service Name= sssd
Tool= system-config-authentication

Addition requirements:
1) autofs:package/service

LDAPS;- Secured LDAP.
TLS: Transport layer security protocal

yum install auth* -y
yum install sssd -y


system-config-authentication

Click on Identify & Authentication
click on User Account Database " LDAP" under User Account Configuration.
LDAP search Base DN: dc=example,dc=com
LDAP Server ldap://classroom.example.com
select the box Use TLS to encrypt connections

Note: if you use ldaps://classroom.example.com then there is no need to select "Use TLS to encrypt connections".

click on Download CA Certificate
certificate URL: http://classroom.example.com/pub/EXAMPLE-CA-CERT
Authentication Method - LDAP Password
click on Apply.

Start the services manually
#systemctl enable sssd.service
#systemctl start sssd.service

To check the

#showmount -e classroom.example.com

#getent passwd ldapuserX ( if your LDAP is configured properly then you will get output)


#firewall-cmd --permanent --add-service=ldap
#firewall-cmd --reload
#firewall-cmd --list-services

11) configure autofs to automount the home directories of LDAP users,
Note the following:
-->classroom.example.com (172.25.254.254) NFS-exports /home/guests to your system, where X is your server number.
-->LDAP userX's home directory is classroom.example.com:/home/guests/ldapuserX
-->ldapuserX's home directory should be automounted locally beneath /home as /home/guests/ldapuserX
-->home directories must be writable by their users
-->while you are able to log in as any of the users ldapuser1 through ldapuser20, the only home directory that is accessible from
   your system is ldapuserX's.
Example:- classroom.example.com would configure the automounter such that ldapuser100's home directory /home/guests/ldapuser100 gets mounted automatically upon login. The NFS share would be classroom.example.com:/home/guests/ldapuser100

#yum install autofs -y

#vim /etc/auto.master
make the following entry below the /misc line
/home/guests /etc/auto.misc
:wq
#vim /etc/auto.misc
ldapuserX -rw classroom.example.com:/home/guests/ldapuserX
:wq


#systemctl enable autofs.service
#systemctl start autofs.service
#systemctl is-enabled autofs.service  -->     To check if its enabled/disabled
#su - ldapuser5
exit

12) Configure your system so that it is an NTP client of classroom.example.com

#yum install chrony
#systemctl enable chronyd.service
#systemctl start chronyd.service

#vim /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server classroom.example.com iburst

:wq

#systemctl restart chronyd.service
#systemctl status chronyd.service
#chronyc sources -v  --> to check the reach level

13) copy the file /etc/fstab to /var/tmp
    configure the permission of /var/tmp/fstab so that
    the file /var/tmp/fstab is owned by the root user, belongs to the group root
    should not be executable by anyone.
   The user andrew is able to read & write /var/tmp/fstab
   The user susan can neither write nor read /var/tmp/fstab
   All other users (current or future) have the ability to read /var/tmp/fstab.

Answer:

#cp /etc/fstab /var/tmp/
#cd /var/tmp/
#ls fstab
#setfacl -m u:andrew:rw /var/tmp/fstab
#setfacl -m u:susan:--- /var/tmp/fstab
# getfacl /var/tmp/fstab
getfacl: Removing leading '/' from absolute path names
# file: var/tmp/fstab
# owner: root
# group: root
user::rw-
user:andrew:rw-
user:susan:---
group::r--
mask::rw-
other::r--

14) Resize the logical volume, logical-data and it filesystem to 400MB.
    Make sure that the filesystem contents remain intact.
    (Note: partitions are seldom exactly  the size requested,so any thing within the range of 370MB to 430MB is acceptable)

#umount /datasource
#e2fsck -f /dev/datacontainer/datacopy
#resize2fs /dev/datacontainer/datacopy 400M
#lvreduce -L 400M /dev/datacontainer/datacopy
#mount -a


15) Add the user talusan with userid 2985
    find the file which owned by user julice and copy the file into /root/findresults directory.

Answer:

#useradd -u 2985 talusan
#id talusan
#useradd julia
#mkdir /root/findresults
#find / -user julia -exec cp {} /root/findresults \;

16) create a new physical volume, create a new volume group in the name of datacontainer, vg extent is 16.00MB
    create a new logical volume in the name of datacopy with the size of 50 extents and file system must vfat then
    mount it under /datasource

Answer:

#fdisk /dev/vdb
:m,:n,:p,:3,Enter,:+900M,:t,:3,:8e,:w
#partprobe /dev/vdb
#pvcreate /dev/vdb3
#vgcreate -s 16M datacontainer /dev/vdb3
#lvcreate -l 50 -n datacopy datacontainer
#lvs
#mkdir /datasource
#mkfs.vfat /dev/datacontainer/datacopy

#vim /etc/fstab
/dev/datacontainer/datacopy /datasource vfat defaults 0 0
:wq
#mount -a

17) create an archive file /root/local.tgz for /usr/local. it should be compressed by gzip.

Answer:

#tar -czvf /root/local.tgz /usr/local/

18) search the string sarah in the /etc/passwd file and save the output in /root/lines

#grep sarah /etc/passwd > /root/lines





Comments

  1. buddy great... and thanks a lot....

  2. Thanks for your posting Q&A for RHCSA.
    Wassalam
    sufianbadar@gmail.com

  3. This comment has been removed by the author.

  4. Hello Muhammad, Thanks for sharing this. I just have 1 question. In link aggregation, it is asked ServerX and DesktopX should have 192.168.8.10 and 192.168.8.11 respectively.

    But while assigning IP address, it is written as 192.168.5.11

    Is there any error in that ?

    Thanks

  5. Ultimate reference. Thanks buddy.

  6. Thanks for sharing... really helpful

  7. Concerning the nfs kerberos RHCE7 part, you do a wget of the keytabs on the same server with the same names!!? Is that an error of yours? What are the steps?
    wget server keytab to server and wget client keytab to client server?

    thank you

  8. /root/createuser script is not working

  9. This comment has been removed by the author.

  10. #firewall-cmd --permanent --add-port=25/tcp
    or
    #firewall-cmd --permanent --add-service=smtp

    Is this necessary ??? We weren't asked to receive the mails from outside ..

  11. Excellent preparation! Great job!

  12. please clear Customize User Environment.
    – Create a command called qstat on both serverX and desktopX.
    – It should be able to execute the following command (ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm)
    – The command should be executable by all users.

  13. Thanks a lot for sharing this content bro.
    For the User Environment question, we can create an alias in the /etc/bashrc file which would be accessible to all users.
    #vim /etc/bashrc
    go to the end of the file and add this line:
    alias qstat='/bin/ps -Ao pid,tt,user,fname'
    #source /etc/bashrc
    #qstat

  14. Hi, does someone know what this utility is about:
    #lab nfskrb5 setup

    cannot find the "lab" utility anywhere

    please help me