Red Hat ENTERPRISE LINUX 5 - VIRTUAL SERVER ADMINISTRATION Скачать руководство пользователя страница 644 | Manualshive

Страница: 644 / 848

background image

Chapter 43. Securing Your Network

618

•

Buffer Overflow Attacks

— Services that connect to ports numbered 0 through 1023 must run as

an administrative user. If the application has an exploitable buffer overflow, an attacker could gain
access to the system as the user running the daemon. Because exploitable buffer overflows exist,
crackers use automated tools to identify systems with vulnerabilities, and once they have gained
access, they use automated rootkits to maintain their access to the system.

Note

The threat of buffer overflow vulnerabilities is mitigated in Red Hat Enterprise Linux by

ExecShield

, an executable memory segmentation and protection technology supported

by x86-compatible uni- and multi-processor kernels. ExecShield reduces the risk of buffer
overflow by separating virtual memory into executable and non-executable segments. Any
program code that tries to execute outside of the executable segment (such as malicious
code injected from a buffer overflow exploit) triggers a segmentation fault and terminates.

Execshield also includes support for

No eXecute

(NX) technology on AMD64 platforms

and

eXecute Disable

(XD) technology on Itanium and Intel

®

64 systems. These

technologies work in conjunction with ExecShield to prevent malicious code from running
in the executable portion of virtual memory with a granularity of 4KB of executable code,
lowering the risk of attack from stealthy buffer overflow exploits.

Tip

To limit exposure to attacks over the network, all services that are unused should be
turned off.

43.1.5.2. Identifying and Configuring Services

To enhance security, most network services installed with Red Hat Enterprise Linux are turned off by
default. There are, however, some notable exceptions:

•

cupsd

— The default print server for Red Hat Enterprise Linux.

•

lpd

— An alternative print server.

•

xinetd

— A super server that controls connections to a range of subordinate servers, such as

gssftp

and

telnet

.

•

sendmail

— The Sendmail

Mail Transport Agent

(MTA) is enabled by default, but only listens for

connections from the localhost.

•

sshd

— The OpenSSH server, which is a secure replacement for Telnet.

When determining whether to leave these services running, it is best to use common sense and err
on the side of caution. For example, if a printer is not available, do not leave

cupsd

running. The

same is true for

portmap

. If you do not mount NFSv3 volumes or use NIS (the

ypbind

service), then

portmap

should be disabled.

Red Hat Enterprise Linux ships with three programs designed to switch services on or off. They are
the

Services Configuration Tool

(

system-config-services

),

ntsysv

, and

chkconfig

. For

information on using these tools, refer to

Chapter 16, Controlling Access to Services

.

«
...
642
643
644
645
646
...
»

Содержание ENTERPRISE LINUX 5 - VIRTUAL SERVER ADMINISTRATION

Страница 1: ...Red Hat Enterprise Linux 5 Deployment Guide Deployment configuration and administration of Red Hat Enterprise Linux 5 Deployment_Guide ...

Страница 2: ...r of this document waives the right to enforce and agrees not to assert Section 4d of CC BY SA to the fullest extent permitted by applicable law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Linux is the registered trademark of Linus Torvalds in the United Stat...

Страница 3: ...tual Files 15 3 1 2 Changing Virtual Files 16 3 2 Top level Files within the proc File System 16 3 2 1 proc apm 16 3 2 2 proc buddyinfo 17 3 2 3 proc cmdline 17 3 2 4 proc cpuinfo 18 3 2 5 proc crypto 19 3 2 6 proc devices 19 3 2 7 proc dma 20 3 2 8 proc execdomains 20 3 2 9 proc fb 21 3 2 10 proc filesystems 21 3 2 11 proc interrupts 21 3 2 12 proc iomem 22 3 2 13 proc ioports 23 3 2 14 proc kcor...

Страница 4: ...nd Linear Support 54 4 5 Configuring Software RAID 55 4 5 1 Creating the RAID Partitions 56 4 5 2 Creating the RAID Devices and Mount Points 59 5 Swap Space 65 5 1 What is Swap Space 65 5 2 Adding Swap Space 65 5 2 1 Extending Swap on an LVM2 Logical Volume 66 5 2 2 Creating an LVM2 Logical Volume for Swap 66 5 2 3 Creating a Swap File 67 5 3 Removing Swap Space 67 5 3 1 Reducing Swap on an LVM2 L...

Страница 5: ...d Documentation 88 8 7 2 Useful Websites 89 9 LVM Logical Volume Manager 91 9 1 What is LVM 91 9 1 1 What is LVM2 92 9 2 LVM Configuration 92 9 3 Automatic Partitioning 93 9 4 Manual LVM Partitioning 94 9 4 1 Creating the boot Partition 94 9 4 2 Creating the LVM Physical Volumes 97 9 4 3 Creating the LVM Volume Groups 99 9 4 4 Creating the LVM Logical Volumes 100 9 5 Using the LVM utility system c...

Страница 6: ...141 12 2 yum Commands 141 12 3 yum Options 142 12 4 Configuring yum 142 12 4 1 main Options 143 12 4 2 repository Options 144 12 5 Useful yum Variables 145 13 Red Hat Network 147 III Network Related Configuration 151 14 Network Interfaces 153 14 1 Network Configuration Files 153 14 2 Interface Configuration Files 154 14 2 1 Ethernet Interfaces 154 14 2 2 IPsec Interfaces 157 14 2 3 Channel Bonding...

Страница 7: ...s 203 17 1 2 Nameserver Types 204 17 1 3 BIND as a Nameserver 204 17 2 etc named conf 205 17 2 1 Common Statement Types 205 17 2 2 Other Statement Types 210 17 2 3 Comment Tags 211 17 3 Zone Files 212 17 3 1 Zone File Directives 212 17 3 2 Zone File Resource Records 213 17 3 3 Example Zone File 216 17 3 4 Reverse Name Resolution Zone Files 217 17 4 Using rndc 218 17 4 1 Configuring etc named conf ...

Страница 8: ...tion 241 19 2 1 Mounting NFS File Systems using etc fstab 241 19 3 autofs 242 19 3 1 What s new in autofs version 5 242 19 3 2 autofs Configuration 243 19 3 3 autofs Common Tasks 244 19 4 Common NFS Mount Options 248 19 5 Starting and Stopping NFS 249 19 6 NFS Server Configuration 250 19 6 1 Exporting or Sharing NFS File Systems 251 19 6 2 Command Line Configuration 255 19 6 3 Running NFS Behind a...

Страница 9: ...0 12 Additional Resources 290 20 12 1 Installed Documentation 290 20 12 2 Related Books 290 20 12 3 Useful Websites 291 21 Dynamic Host Configuration Protocol DHCP 293 21 1 Why Use DHCP 293 21 2 Configuring a DHCP Server 293 21 2 1 Configuration File 293 21 2 2 Lease Database 297 21 2 3 Starting and Stopping the Server 297 21 2 4 DHCP Relay Agent 298 21 3 Configuring a DHCP Client 298 21 4 Configu...

Страница 10: ...23 3 Files Installed with vsftpd 364 23 4 Starting and Stopping vsftpd 365 23 4 1 Starting Multiple Copies of vsftpd 366 23 5 vsftpd Configuration Options 367 23 5 1 Daemon Options 367 23 5 2 Log In Options and Access Controls 368 23 5 3 Anonymous User Options 369 23 5 4 Local User Options 370 23 5 5 Directory Options 371 23 5 6 File Transfer Options 372 23 5 7 Logging Options 372 23 5 8 Network O...

Страница 11: ...7 2 Migrating Old Authentication Information to LDAP Format 411 25 8 Migrating Directories from Earlier Releases 412 25 9 Additional Resources 413 25 9 1 Installed Documentation 413 25 9 2 Useful Websites 414 25 9 3 Related Books 414 26 Authentication Configuration 415 26 1 User Information 415 26 2 Authentication 418 26 3 Options 420 26 4 Command Line Version 422 IV System Configuration 425 27 Co...

Страница 12: ...2 28 1 29 etc sysconfig squid 442 28 1 30 etc sysconfig system config securitylevel 442 28 1 31 etc sysconfig system config selinux 442 28 1 32 etc sysconfig system config users 442 28 1 33 etc sysconfig system logviewer 442 28 1 34 etc sysconfig tux 443 28 1 35 etc sysconfig vncservers 443 28 1 36 etc sysconfig xinetd 443 28 2 Directories in the etc sysconfig Directory 443 28 3 Additional Resourc...

Страница 13: ...485 33 5 User Private Groups 487 33 5 1 Group Directories 488 33 6 Shadow Passwords 488 33 7 Additional Resources 489 33 7 1 Installed Documentation 489 34 Printer Configuration 491 34 1 Adding a Local Printer 492 34 2 Adding an IPP Printer 493 34 3 Adding a Samba SMB Printer 494 34 4 Adding a JetDirect Printer 496 34 5 Selecting the Printer Model and Finishing 497 34 5 1 Confirming Printer Config...

Страница 14: ...Information 525 38 1 System Processes 525 38 2 Memory Usage 527 38 3 File Systems 529 38 4 Hardware 531 38 5 Additional Resources 534 38 5 1 Installed Documentation 534 39 OProfile 535 39 1 Overview of Tools 535 39 2 Configuring OProfile 536 39 2 1 Specifying the Kernel 536 39 2 2 Setting Events to Monitor 537 39 2 3 Separating Kernel and User space Profiles 539 39 3 Starting and Stopping OProfile...

Страница 15: ...s 580 41 6 1 Installed Documentation 580 41 6 2 Useful Websites 580 VII Security And Authentication 581 42 Security Overview 583 42 1 Introduction to Security 583 42 1 1 What is Computer Security 583 42 1 2 Security Controls 585 42 1 3 Conclusion 586 42 2 Vulnerability Assessment 586 42 2 1 Thinking Like the Enemy 586 42 2 2 Defining Assessment and Testing 587 42 2 3 Evaluating the Tools 588 42 3 ...

Страница 16: ...n Files 646 43 4 5 Creating PAM Modules 647 43 4 6 PAM and Administrative Credential Caching 647 43 4 7 PAM and Device Ownership 649 43 4 8 Additional Resources 650 43 5 TCP Wrappers and xinetd 651 43 5 1 TCP Wrappers 652 43 5 2 TCP Wrappers Configuration Files 653 43 5 3 xinetd 660 43 5 4 xinetd Configuration Files 661 43 5 5 Additional Resources 666 43 6 Kerberos 667 43 6 1 What is Kerberos 667 ...

Страница 17: ... Control MAC 725 44 1 4 Role based Access Control RBAC 725 44 1 5 Multi Level Security MLS 726 44 1 6 Multi Category Security MCS 726 44 2 Introduction to SELinux 726 44 2 1 SELinux Overview 726 44 2 2 Files Related to SELinux 727 44 2 3 Additional Resources 731 44 3 Brief Background and History of SELinux 731 44 4 Multi Category Security MCS 732 44 4 1 Introduction 732 44 4 2 Applications for Mul...

Страница 18: ...nux 763 45 2 8 Changing the Policy 764 45 2 9 Specifying the Security Context of Entire File Systems 766 45 2 10 Changing the Security Category of a File or User 767 45 2 11 Running a Command in a Specific Security Context 767 45 2 12 Useful Commands for Scripts 767 45 2 13 Changing to a Different Role 768 45 2 14 When to Reboot 768 45 3 Analyst Control of SELinux 768 45 3 1 Enabling Kernel Auditi...

Страница 19: ...se Description 789 53 1 1 Prerequisites 789 54 RH253 Red Hat Linux Networking and Security Administration 791 54 1 Course Description 791 54 1 1 Prerequisites 791 54 1 2 Goal 791 54 1 3 Audience 791 54 1 4 Course Objectives 791 54 1 5 Follow on Courses 792 55 RH300 RHCE Rapid track course and RHCE exam 793 55 1 Course Description 793 55 1 1 Prerequisites 793 55 1 2 Goal 793 55 1 3 Audience 793 55 ...

Страница 20: ...Audience 805 61 1 4 Course Objectives 805 61 1 5 Follow on Courses 806 62 RH442 Red Hat Enterprise system monitoring and performance tuning 807 62 1 Course Description 807 62 1 1 Prerequisites 807 62 1 2 Goal 807 62 1 3 Audience 807 62 1 4 Course Objectives 807 62 1 5 Follow on Courses 808 63 Red Hat Enterprise Linux Developer Courses 809 63 1 RHD143 Red Hat Linux Programming Essentials 809 63 2 R...

Страница 21: ... 6 1 Prerequisites 814 64 6 2 Course Summary 814 64 7 RHD439 JBoss Clustering 814 64 7 1 Prerequisites 815 64 8 RHD449 JBoss jBPM 815 64 8 1 Description 815 64 8 2 Prerequisites 815 64 9 RHD451 JBoss Rules 816 64 9 1 Prerequisites 816 A Revision History 817 65 Colophon 819 ...

Страница 22: ...xxii ...

Страница 23: ...d Authentication Red Hat Training and Certification This guide assumes you have a basic understanding of your Red Hat Enterprise Linux system If you need help installing Red Hat Enterprise Linux refer to the Red Hat Enterprise Linux Installation Guide 1 Document Conventions In this manual certain words are represented in different fonts typefaces sizes and weights This highlighting is systematic d...

Страница 24: ...combination of keystrokes is represented in this way For example The Ctrl Alt Backspace key combination exits your graphical session and returns you to the graphical login screen or the console text found on a GUI interface A title word or phrase found on a GUI interface screen or window is shown in this style Text shown in this style indicates a particular GUI screen or an element on a GUI screen...

Страница 25: ...her on the command line or into a text box on a GUI screen is displayed in this style In the following example text is displayed in this style To boot your system into the text based installation program you must type in the text command at the boot prompt replaceable Text used in examples that is meant to be replaced with data provided by the user is displayed in this style In the following examp...

Страница 26: ...move only the necessary partitions Removing other partitions could result in data loss or a corrupted system environment 2 Send in Your Feedback If you find an error in the Red Hat Enterprise Linux Deployment Guide or if you have thought of a way to make this manual better we would like to hear from you Submit a report in Bugzilla http bugzilla redhat com bugzilla against the component Deployment_...

Страница 27: ...ts determine how the information is stored as files and directories Some file system types store redundant copies of the data while some file system types make hard drive access faster This part discusses the ext3 swap RAID and LVM file system types It also discusses the parted utility to manage partitions and access control lists ACLs to customize file permissions ...

Страница 28: ......

Страница 29: ...e The top level of this organization is crucial Access to the underlying directories can be restricted or security problems could manifest themselves if from the top level down it does not adhere to a rigid structure 1 2 Overview of File System Hierarchy Standard FHS Red Hat Enterprise Linux uses the Filesystem Hierarchy Standard FHS file system structure which defines the names locations and perm...

Страница 30: ...e automatically detected when connected e g via usb or inserted e g via CD or DVD drive and a popup window displaying the contents is automatically displayed Files in the dev directory are essential for the system to function properly File Description dev hda The master device on primary IDE channel dev hdb The slave device on primary IDE channel dev tty0 The first virtual console dev tty1 The sec...

Страница 31: ...ed throughout the file system giving the system administrator an easy way to determine the role of each file within a particular package For example if sample is the name of a particular software package located within the opt directory then all of its files are placed in directories inside the opt sample directory such as opt sample bin for binaries and opt sample man for manual pages Packages th...

Страница 32: ...v Directory The srv directory contains site specific data served by your system running Red Hat Enterprise Linux This directory gives users the location of data files for a particular service such as FTP WWW or CVS Data that only pertains to a specific user should go in the home directory 1 2 1 11 The sys Directory The sys directory utilizes the new sysfs virtual file system specific to the 2 6 ke...

Страница 33: ... subdirectories which are similar in purpose to those in the usr directory usr local bin etc games include lib libexec sbin share src In Red Hat Enterprise Linux the intended use for the usr local directory is slightly different from that specified by the FHS The FHS says that usr local should be where software that is to remain safe from system software upgrades is stored Since software upgrades ...

Страница 34: ...ecial File Locations Under Red Hat Enterprise Linux Red Hat Enterprise Linux extends the FHS structure slightly to accommodate special files Most files pertaining to RPM are kept in the var lib rpm directory For more information on RPM refer to the chapter Chapter 10 Package Management with RPM The var cache yum directory contains files used by the Package Updater including RPM header information ...

Страница 35: ...e Locations Under Red Hat Enterprise Linux 9 in this directory Refer to Chapter 28 The sysconfig Directory for more information about what is within this directory and the role these files play in the boot process ...

Страница 36: ...10 ...

Страница 37: ...ed of the hardware Data Integrity The ext3 file system prevents loss of data integrity in the event that an unclean system shutdown occurs The ext3 file system allows you to choose the type and level of protection that your data receives By default the ext3 volumes are configured to keep a high level of data consistency with regard to the state of the file system Speed Despite writing some data mo...

Страница 38: ...atic device A traditional storage volume for example dev hdbX where hdb is a storage device name and X is the partition number Issue the df command to display mounted file systems For the remainder of this section the sample commands use the following value for the block device dev mapper VolGroup00 LogVol02 You must recreate the initrd image so that it will contain the ext3 kernel module To creat...

Страница 39: ...n again as ext2 file system by typing mount t ext2 dev mapper VolGroup00 LogVol02 mount point In the above command replace mount point with the mount point of the partition Next remove the journal file at the root level of the partition by changing to the directory where it is mounted and typing rm f journal You now have an ext2 partition If you want to permanently change the partition to ext2 rem...

Страница 40: ...14 ...

Страница 41: ...unt of information In addition most of the time and date settings on virtual files reflect the current time and date indicative of the fact they are constantly updated Virtual files such as proc interrupts proc meminfo proc mounts and proc partitions provide an up to the moment glimpse of the system s hardware Others like the proc filesystems file and the proc sys directory provide system configur...

Страница 42: ... returns either a 0 or a 1 A 0 indicates that the kernel is not forwarding network packets Using the echo command to change the value of the ip_forward file to 1 immediately turns packet forwarding on Tip Another command used to alter settings in the proc sys subdirectory is sbin sysctl For more information on this command refer to Section 3 4 Using the sysctl Command For a listing of some of the ...

Страница 43: ...1 16 AC off line battery status high 99 1 day 5 52 3 2 2 proc buddyinfo This file is used primarily for diagnosing memory fragmentation issues Using the buddy algorithm each column represents the number of pages of a certain order a certain size that are available at any given time For example for zone DMA direct memory access there are 90 of 2 0 PAGE_SIZE chunks of memory Similarly there are 6 of...

Страница 44: ...rise Linux refer to http www tldp org HOWTO LVM HOWTO index html rhgb A short lowercase acronym that stands for Red Hat Graphical Boot providing rhgb on the kernel command line signals that graphical booting is supported assuming that etc inittab shows that the default runlevel is set to 5 with a line like this id 5 initdefault quiet Indicates that all verbose kernel messages except those which ar...

Страница 45: ...isplays the amount of level 2 memory cache available to the processor siblings Displays the number of sibling CPUs on the same physical CPU for architectures which use hyper threading flags Defines a number of different qualities about the processor such as the presence of a floating point unit FPU and the ability to process MMX instructions 3 2 5 proc crypto This file lists all installed cryptogr...

Страница 46: ...configured size Block devices can send and receive information in blocks of a size configured per device For more information about devices refer to the following installed documentation usr share doc kernel doc version Documentation devices txt 3 2 7 proc dma This file contains a list of the registered ISA DMA channels in use A sample proc dma files looks like the following 4 cascade 3 2 8 proc e...

Страница 47: ...xfs nodev tmpfs nodev pipefs nodev eventpollfs nodev devpts ext2 nodev ramfs nodev hugetlbfs iso9660 nodev mqueue ext3 nodev rpc_pipefs nodev autofs The first column signifies whether the file system is mounted on a block device Those beginning with nodev are not mounted on a device The second column lists the names of the file systems supported The mount command cycles through the file systems li...

Страница 48: ... AT computer interrupts IO APIC edge The voltage signal on this interrupt transitions from low to high creating an edge where the interrupt occurs and is only signaled once This kind of interrupt as well as the IO APIC level interrupt are only seen on systems with processors from the 586 family and higher IO APIC level Generates interrupts when its voltage signal is high until the signal is low ag...

Страница 49: ...cf8 0cff PCI conf1 d000 dfff PCI Bus 01 e000 e00f VIA Technologies Inc Bus Master IDE e000 e007 ide0 e008 e00f ide1 e800 e87f Digital Equipment Corporation DECchip 21140 FasterNet e800 e87f tulip The first column gives the I O port address range reserved for the device listed in the second column 3 2 14 proc kcore This file represents the physical memory of the system and is stored in the core fil...

Страница 50: ...ISORY WRITE 3175 fd 00 2531425 0 EOF 7 POSIX ADVISORY WRITE 3056 fd 00 2548663 0 EOF Each lock has its own line which starts with a unique number The second column refers to the class of lock used with FLOCK signifying the older style UNIX file locks from a flock system call and POSIX representing the newer POSIX locks from the lockf system call The third column can have two values ADVISORY or MAN...

Страница 51: ...2 kB HighTotal 0 kB HighFree 0 kB LowTotal 255908 kB LowFree 69936 kB SwapTotal 524280 kB SwapFree 524280 kB Dirty 4 kB Writeback 0 kB Mapped 42236 kB Slab 25912 kB Committed_AS 118680 kB PageTables 1236 kB VmallocTotal 3874808 kB VmallocUsed 1416 kB VmallocChunk 3872908 kB HugePages_Total 0 HugePages_Free 0 Hugepagesize 4096 kB Much of the information here is used by the free top and ps commands ...

Страница 52: ...el to cache data structures for its own use Committed_AS The total amount of memory in kilobytes estimated to complete the workload This value represents the worst case scenario value and also includes swap memory PageTables The total amount of memory in kilobytes dedicated to the lowest page table level VMallocTotal The total amount of memory in kilobytes of total allocated virtual address space ...

Страница 53: ...e 0x12871000 uhci_hcd 28377 0 Live 0x12869000 md5 3777 1 Live 0x1282c000 ipv6 211845 16 Live 0x128de000 ext3 92585 2 Live 0x12886000 jbd 65625 1 ext3 Live 0x12857000 dm_mod 46677 3 Live 0x12833000 The first column contains the name of the module The second column refers to the memory size of the module in bytes The third column lists how many instances of the module are currently loaded A value of...

Страница 54: ...n the proc mtrr file may look similar to the following reg00 base 0x00000000 0MB size 256MB write back count 1 reg01 base 0xe8000000 3712MB size 32MB write combining count 1 MTRRs are used with the Intel P6 family of processors Pentium II and higher and control processor access to memory ranges When using a video card on a PCI or AGP bus a properly configured proc mtrr file can increase performanc...

Страница 55: ...poration 82371AB PIIX4 USB rev 1 IRQ 5 Master Capable Latency 32 I O at 0xd400 0xd41f Bus 0 device 4 function 3 Bridge Intel Corporation 82371AB PIIX4 ACPI rev 2 IRQ 9 Bus 0 device 9 function 0 Ethernet controller Lite On Communications Inc LNE100TX rev 33 IRQ 5 Master Capable Latency 32 I O at 0xd000 0xd0ff Bus 0 device 12 function 0 VGA compatible controller S3 Inc ViRGE DX or GX rev 1 IRQ 11 Ma...

Страница 56: ...314 67 0 25K 31 15 124K size 256 452 331 73 0 02K 2 226 8K biovec 1 420 420 100 0 19K 21 20 84K skbuff_head_cache 305 256 83 0 06K 5 61 20K biovec 4 290 4 1 0 01K 1 290 4K revoke_table 264 264 100 4 00K 264 1 1056K size 4096 260 256 98 0 19K 13 20 52K biovec 16 260 256 98 0 75K 52 5 208K biovec 64 Some of the more commonly used statistics in proc slabinfo that are included into usr bin slabtop inc...

Страница 57: ...ork up for the softirq to execute The softirq runs at a lower priority than the IRQ and therefore may be interrupted more frequently The total for all CPUs is given at the top while each individual CPU is listed below with its own statistics The following example is a 4 way Intel Pentium Xeon configuration with multi threading enabled therefore showing four physical processors and four virtual pro...

Страница 58: ... 6 8 1 523 user foo redhat com gcc version 3 4 1 20040714 Red Hat Enterprise Linux 3 4 1 7 1 Mon Aug 16 13 27 03 EDT 2004 This information is used for a variety of purposes including the version data presented when a user logs in 3 3 Directories within proc Common groups of information concerning the kernel are grouped into directories and subdirectories within the proc directory 3 3 1 Process Dir...

Страница 59: ...ociated with this process This file can be rather long depending upon the complexity of the process but sample output from the sshd process begins like the following 08048000 08086000 r xp 00000000 03 03 391479 usr sbin sshd 08086000 08088000 rw p 0003e000 03 03 391479 usr sbin sshd 08088000 08095000 rwxp 00000000 00 00 0 40000000 40013000 r xp 0000000 03 03 293205 lib ld 2 2 5 so 40013000 4001400...

Страница 60: ...pInh 0000000000000000 CapPrm 00000000fffffeff CapEff 00000000fffffeff The information in this output includes the process name and ID the state such as S sleeping or R running user group ID running the process and detailed data regarding memory usage 3 3 1 1 proc self The proc self directory is a link to the currently running process This allows a process to look at itself without having to know i...

Страница 61: ... usb devices file T Bus 01 Lev 00 Prnt 00 Port 00 Cnt 00 Dev 1 Spd 12 MxCh 2 B Alloc 0 900 us 0 Int 0 Iso 0 D Ver 1 00 Cls 09 hub Sub 00 Prot 00 MxPS 8 Cfgs 1 P Vendor 0000 ProdID 0000 Rev 0 00 S Product USB UHCI Root Hub S SerialNumber d400 C Ifs 1 Cfg 1 Atr 40 MxPwr 0mA I If 0 Alt 0 EPs 1 Cls 09 hub Sub 00 Prot 00 Driver hub E Ad 81 I Atr 03 Int MxPS 8 Ivl 255ms 3 3 3 proc driver This directory ...

Страница 62: ...hether DMA or UDMA is enabled for the devices on the IDE channels Intel PIIX4 Ultra 33 Chipset Primary Channel Secondary Channel enabled enabled drive0 drive1 drive0 drive1 DMA enabled yes no yes no UDMA enabled yes no no no UDMA enabled 2 X X X UDMA DMA PIO Navigating into the directory for an IDE channel such as ide0 provides additional information The channel file provides the channel number wh...

Страница 63: ...his directory is used to set IRQ to CPU affinity which allows the system to connect a particular IRQ to only one CPU Alternatively it can exclude a CPU from handling any IRQs Each IRQ has its own directory allowing for the individual configuration of each IRQ The proc irq prof_cpu_mask file is a bitmask that contains the default values for the smp_affinity file in the IRQ directory The values in s...

Страница 64: ...es filter mangle or nat ip_mr_cache Lists the multicast routing cache ip_mr_vif Lists multicast virtual interfaces netstat Contains a broad yet detailed collection of networking statistics including TCP timeouts SYN cookies sent and received and much more psched Lists global packet scheduler parameters raw Lists raw device statistics route Lists the kernel s routing table rt_cache Contains the cur...

Страница 65: ...m has its own directory within proc scsi which contains files specific to each SCSI controller using that driver From the previous example aic7xxx and megaraid directories are present since two drivers are in use The files in each of the directories typically contain an I O address range IRQ information and statistics for the SCSI controller using that driver Each controller can report a different...

Страница 66: ... 0 0 0 1 131 0 0 0 This output reveals the transfer speed to the SCSI devices connected to the controller based on channel ID as well as detailed statistics concerning the amount and sizes of files read or written by that device For example this controller is communicating with the CD ROM at 20 megabytes per second while the tape drive is only communicating at 10 megabytes per second 3 3 9 proc sy...

Страница 67: ...echo 4 2 45 proc sys kernel acct Note Any configuration changes made using the echo command disappear when the system is restarted To make configuration changes take effect after the system is rebooted refer to Section 3 4 Using the sysctl Command The proc sys directory contains several subdirectories controlling different aspects of a running kernel 3 3 9 1 proc sys dev This directory provides pa...

Страница 68: ...ude dentry state Provides the status of the directory cache The file looks similar to the following 57411 52939 45 0 0 0 The first number reveals the total number of directory cache entries while the second number displays the number of unused entries The third number tells the number of seconds between when a directory has been freed and when it can be reclaimed and the fourth measures the pages ...

Страница 69: ...sing init 0 or forces an immediate reboot without syncing the dirty buffers to disk 1 domainname Configures the system domain name such as example com exec shield Configures the Exec Shield feature of the kernel Exec Shield provides protection against certain types of buffer overflow attacks There are two possible values for this virtual file 0 Disables Exec Shield 1 Enables Exec Shield This is th...

Страница 70: ...tered by changing the kernel source and recompiling ostype Displays the type of operating system By default this file is set to Linux and this value can only be changed by changing the kernel source and recompiling overflowgid and overflowuid Defines the fixed group ID and user ID respectively for use with system calls on architectures that only support 16 bit group and user IDs panic Defines the ...

Страница 71: ...s value is 33554432 However the kernel supports much larger values than this shmmni Sets the maximum number of shared memory segments for the whole system in bytes By default this value is 4096 sysrq Activates the System Request Key if this value is set to anything other than zero 0 the default The System Request Key allows immediate input to the kernel through simple key combinations For example ...

Страница 72: ...tion sysrq txt for more information about the System Request Key sysrq key Defines the key code for the System Request Key 84 is the default sysrq sticky Defines whether the System Request Key is a chorded key combination The accepted values are as follows 0 Alt SysRq and the system request code must be pressed simultaneously This is the default value 1 Alt SysRq must be pressed simultaneously but...

Страница 73: ...e warning message is ignored This setting is used to mitigate DoS attacks The idea of a DoS attack is to bombard the targeted system with requests that generate errors and fill up disk partitions with log files or require all of the system s resources to handle the error logging The settings in message_burst and message_cost are designed to be modified based on the system s acceptable risk versus ...

Страница 74: ...etries1 Sets the number of permitted re transmissions attempting to answer an incoming connection Default of 3 tcp_retries2 Sets the number of permitted re transmissions of TCP packets Default of 15 The file called usr share doc kernel doc version Documentation networking ip sysctl txt contains a complete list of files and options available in the proc sys net ipv4 directory A number of other dire...

Страница 75: ...ive writeback of dirty data at this percentage of total memory for the generator of dirty data via pdflush The default value is 40 dirty_writeback_centisecs Defines the interval between pdflush daemon wakeups which periodically writes dirty in memory data out to disk The default value is 500 expressed in hundredths of a second laptop_mode Minimizes the number of times that a hard disk needs to spi...

Страница 76: ...d failing requests that are blatantly invalid Unfortunately since memory is allocated using a heuristic rather than a precise algorithm this setting can sometimes allow available memory on the system to be overloaded This is the default setting 1 The kernel performs no memory over commit handling Under this setting the potential for memory overload is increased but so is performance for memory int...

Страница 77: ...tem dev console dev console 5 1 system console dev tty dev tty 5 0 system dev tty unknown dev vc d 4 1 63 console The proc tty driver serial file lists the usage statistics and status of each of the serial tty lines In order for tty devices to be used as network devices the Linux kernel enforces line discipline on the device This allows the driver to place a specific type of header with every bloc...

Страница 78: ...the kernel Any values added to etc sysctl conf therefore take effect each time the system boots 3 5 Additional Resources Below are additional sources of information about proc file system 3 5 1 Installed Documentation Some of the best documentation about the proc file system is installed on the system by default usr share doc kernel doc version Documentation filesystems proc txt Contains assorted ...

Страница 79: ...array are actually one large drive 4 2 Who Should Use RAID System Administrators and others who manage large amounts of data would benefit from using RAID technology Primary reasons to deploy RAID include Enhances speed Increases storage capacity using a single virtual disk Minimizes disk failure 4 3 Hardware RAID versus Software RAID There are two possible RAID approaches Hardware RAID and Softwa...

Страница 80: ...mber disks of the array allowing high I O performance at low inherent cost but provides no redundancy The storage capacity of a level 0 array is equal to the total capacity of the member disks in a Hardware RAID or the total capacity of member partitions in a Software RAID Level 1 RAID level 1 or mirroring has been used longer than any other form of RAID Level 1 provides redundancy by writing iden...

Страница 81: ... performance bottleneck is the parity calculation process With modern CPUs and Software RAID that usually is not a very big problem As with level 4 the result is asymmetrical performance with reads substantially outperforming writes Level 5 is often used with write back caching to reduce the asymmetry The storage capacity of Hardware RAID level 5 is equal to the capacity of member disks minus the ...

Страница 82: ...and dev sdb to illustrate the creation of simple RAID1 configurations They detail how to create a simple RAID 1 configuration by implementing multiple RAID devices On the Disk Partitioning Setup screen select Manually partition with Disk Druid 4 5 1 Creating the RAID Partitions In a typical situation the disk drives are new or are formatted Both drives are shown as raw devices with no partition co...

Страница 83: ... options such as entering a mount point are available until RAID partitions as well as RAID devices are created Figure 4 2 RAID Partition Options 3 A software RAID partition must be constrained to one drive For Allowable Drives select the drive to use for RAID If you have multiple drives by default all drives are selected and you must deselect the drives you do not want ...

Страница 84: ...n is created as a logical partition If other operating systems are already on the system unselecting this option should be considered For more information on primary versus logical extended partitions refer to the appendix section of the Red Hat Enterprise Linux Installation Guide 7 Repeat these steps to create as many partitions as you need for your partitions Repeat these steps to create as many...

Страница 85: ...2 Creating the RAID Devices and Mount Points Once you create all of your partitions as Software RAID partitions you must create the RAID device and mount point 1 Select the RAID button on the Disk Druid main partitioning screen refer to Figure 4 5 RAID Options 2 Figure 4 5 RAID Options appears Select Create a RAID device ...

Страница 86: ...er 4 Redundant Array of Independent Disks RAID 60 Figure 4 5 RAID Options 3 Next Figure 4 6 Making a RAID Device and Assigning a Mount Point appears where you can make a RAID device and assign a mount point ...

Страница 87: ...sical volume LVM If LVM is not required continue on with the following instructions 6 Select a device name such as md0 for the RAID device 7 Choose your RAID level You can choose from RAID 0 RAID 1 and RAID 5 Note If you are making a RAID partition of boot you must choose RAID level 1 and it must use one of the first two drives IDE first SCSI second If you are not creating a seperate RAID partitio...

Страница 88: ...pare you want to specify you must create an additional software RAID partition in addition to the partitions for the RAID device Select the partitions for the RAID device and the partition s for the spare s 10 After clicking OK the RAID device appears in the Drive Summary list 11 Repeat this chapter s entire process for configuring additional partitions devices and mount points such as the root pa...

Страница 89: ...ting the RAID Devices and Mount Points 63 Figure 4 8 Final Sample RAID Configuration The figure as shown in Figure 4 9 Final Sample RAID With LVM Configuration is an example of a RAID and LVM configuration ...

Страница 90: ...nt Array of Independent Disks RAID 64 Figure 4 9 Final Sample RAID With LVM Configuration You can continue with your installation process Refer to the Red Hat Enterprise Linux Installation Guide for further instructions ...

Страница 91: ...nded Amount of Swap Space 4GB of RAM or less a minimum of 2GB of swap space 4GB to 16GB of RAM a minimum of 4GB of swap space 16GB to 64GB of RAM a minimum of 8GB of swap space 64GB to 256GB of RAM a minimum of 16GB of swap space 256GB to 512GB of RAM a minimum of 32GB of swap space Table 5 1 Recommended System Swap Space Important File systems and LVM2 volumes assigned as swap space cannot be in ...

Страница 92: ...VolGroup00 LogVol01 2 Resize the LVM2 logical volume by 256 MB lvm lvresize dev VolGroup00 LogVol01 L 256M 3 Format the new swap space mkswap dev VolGroup00 LogVol01 4 Enable the extended logical volume swapon va 5 Test that the logical volume has been extended properly cat proc swaps free 5 2 2 Creating an LVM2 Logical Volume for Swap To add a swap volume group assuming dev VolGroup00 LogVol02 is...

Страница 93: ...he swap file with the command mkswap swapfile 4 To enable the swap file immediately but not automatically at boot time swapon swapfile 5 To enable it at boot time edit etc fstab to include the following entry swapfile swap swap defaults 0 0 The next time the system boots it enables the new swap file 6 After adding the new swap file and enabling it verify it is enabled by viewing the output of the ...

Страница 94: ...wap dev VolGroup00 LogVol01 4 Enable the extended logical volume swapon va 5 Test that the logical volume has been reduced properly cat proc swaps free 5 3 2 Removing an LVM2 Logical Volume for Swap The swap logical volume cannot be in use no system locks or processes on the volume The easiest way to achieve this it to boot your system in rescue mode Refer to for instructions on booting into rescu...

Страница 95: ... a Swap File To remove a swap file 1 At a shell prompt as root execute the following command to disable the swap file where swapfile is the swap file swapoff v swapfile 2 Remove its entry from the etc fstab file 3 Remove the actual file rm swapfile 5 4 Moving Swap Space To move swap space from one location to another follow the steps for removing swap space and then follow the steps for adding swa...

Страница 96: ...70 ...

Страница 97: ...el may not properly recognize the changes If the partition table does not match the actual state of the mounted partitions information could be written to the wrong partition resulting in lost and overwritten data The easiest way to achieve this it to boot your system in rescue mode When prompted to mount the file system select Skip Alternately if the drive does not contain any partitions in use s...

Страница 98: ...rting parted use the command print to view the partition table A table similar to the following appears Model ATA ST3160812AS scsi Disk dev sda 160GB Sector size logical physical 512B 512B Partition Table msdos Number Start End Size Type File system Flags 1 32 3kB 107MB 107MB primary ext3 boot 2 107MB 105GB 105GB primary ext3 3 105GB 107GB 2147MB primary linux swap 4 107GB 160GB 52 9GB extended ro...

Страница 99: ...xample dev sda Doing so allows you to view or configure the partition table of a device 6 1 2 Creating a Partition Warning Do not attempt to create a partition on a device that is in use Before creating a partition boot into rescue mode or unmount any partitions on the device and turn off any swap space on the device Start parted where dev sda is the device on which to create the partition parted ...

Страница 100: ... partition is created However parted does not support creating an ext3 file system Thus if you wish to create an ext3 file system use mkpart and create the file system with the mkfs command as described later The changes start taking place as soon as you press Enter so review the command before executing to it After creating the partition use the print command to confirm that it is in the partitio...

Страница 101: ... point for the new partition and the next column should be the file system type for example ext3 or swap If you need more information about the format read the man page with the command man fstab If the fourth column is the word defaults the partition is mounted at boot time To mount the partition without rebooting as root type the command mount work 6 1 3 Removing a Partition Warning Do not attem...

Страница 102: ...d remove it from the file 6 1 4 Resizing a Partition Warning Do not attempt to resize a partition on a device that is in use Before resizing a partition boot into rescue mode or unmount any partitions on the device and turn off any swap space on the device Start parted where dev sda is the device on which to resize the partition parted dev sda View the current partition table to determine the mino...

Страница 103: ... lvmchange Due to use of the device mapper this command has been deprecated lvmdiskscan List devices that may be used as physical volumes lvmsadc Collect activity data lvmsar Create activity report lvreduce Reduce the size of a logical volume lvremove Remove logical volume s from the system lvrename Rename a logical volume lvresize Resize a logical volume lvs Display information about logical volu...

Страница 104: ...Unregister a volume group from the system vgextend Add physical volumes to a volume group vgimport Register exported volume group with system vgmerge Merge volume groups vgmknodes Create the special files for volume group devices in dev vgreduce Remove a physical volume from a volume group vgremove Remove a volume group vgrename Rename a volume group vgs Display information about volume groups vgs...

Страница 105: ...a RPM must be installed to implement disk quotas Note For more information on installing RPM packages refer to Part II Package Management 7 1 Configuring Disk Quotas To implement disk quotas use the following steps 1 Enable quotas per file system by modifying the etc fstab file 2 Remount the file system s 3 Create the quota database files and generate the disk usage table 4 Assign quota policies E...

Страница 106: ...After each quota enabled file system is remounted the system is capable of working with disk quotas However the file system itself is not yet ready to support quotas The next step is to run the quotacheck command The quotacheck command examines quota enabled file systems and builds a table of the current disk usage per file system The table is then used to update the operating system s copy of dis...

Страница 107: ...ol02 440436 0 0 37418 0 0 Note The text editor defined by the EDITOR environment variable is used by edquota To change the editor set the EDITOR environment variable in your bash_profile file to the full path of the editor of your choice The first column is the name of the file system that has a quota enabled for it The second column shows how many blocks the user is currently using The next two c...

Страница 108: ...has been set use the command quota g devel 7 1 6 Setting the Grace Period for Soft Limits If soft limits are set for a given quota whether inode or block and for either users or groups the grace period or amount of time a soft limit can be exceeded should be set with the command edquota t While other edquota commands operate on a particular user s or group s quota the t option operates on every fi...

Страница 109: ...eating a disk usage report entails running the repquota utility For example the command repquota home produces this output Report for user quotas on device dev mapper VolGroup00 LogVol02 Block grace time 7days Inode grace time 7days Block limits File limits User used soft hard grace used soft hard grace root 36 0 0 4 0 0 kristin 540 0 0 125 0 0 testuser 440400 500000 550000 37418 0 0 To view the d...

Страница 110: ...tc cron monthly The most accurate quota statistics can be obtained when the file system s analyzed are not in active use Thus the cron task should be schedule during a time where the file system s are used the least If this time is various for different file systems with quotas run quotacheck for each file system at different times with multiple cron tasks Refer to Chapter 35 Automated Tasks for m...

Страница 111: ...on For example mount t ext3 o acl dev VolGroup00 LogVol02 work Alternatively if the partition is listed in the etc fstab file the entry for the partition can include the acl option LABEL work work ext3 acl 1 2 If an ext3 file system is accessed via Samba and ACLs have been enabled for it the ACLs are recognized because Samba has been compiled with the with acl support option No special flags are r...

Страница 112: ...mask The mask is the union of all permissions of the owning group and all of the user and group entries o perms Sets the access ACL for users other than the ones in the group for the file White space is ignored Permissions perms must be a combination of the characters r w and x for read write and execute If a file or directory already has an ACL and the setfacl command is used the additional rules...

Страница 113: ... a default ACL is specified the default ACL is also displayed as illustrated below john main getfacl home sales file home sales owner john group john user rw user barryg r group r mask r other r default user rwx default user john rwx default group r x default mask rwx default other r x 8 5 Archiving File Systems With ACLs Warning The tar and dump commands do not backup ACLs The star utility is sim...

Страница 114: ...ing the files from an archive By default they are striped when files are extracted acl When creating or extracting archive or restore any ACLs associated with the files and directories Table 8 1 Command Line Options for star 8 6 Compatibility with Older Systems If an ACL has been set on any file on a given file system that file system has the ext_attr attribute This attribute can be seen using the...

Страница 115: ...Useful Websites 89 star man page Explains more about the star utility and its many options 8 7 2 Useful Websites http acl bestbits at Website for ACLs ...

Страница 116: ...90 ...

Страница 117: ...er cannot read it If the root partition is on a logical volume create a separate boot partition which is not a part of a volume group Since a physical volume cannot span over multiple drives to span over more than one drive create one or more physical volumes per drive Figure 9 1 Logical Volumes The volume groups can be divided into logical volumes which are assigned mount points such as home and ...

Страница 118: ...ation LVM can be configured during the graphical installation process the text based installation process or during a kickstart installation You can use the system config lvm utility to create your own LVM configuration post installation The next two sections focus on using Disk Druid during installation to complete this task The third section introduces the LVM utility system config lvm which all...

Страница 119: ... is the first partition on the first drive dev sda1 Bootable partitions cannot reside on LVM logical volumes A single LVM volume group VolGroup00 is created which spans all selected drives and all remaining space available In the following example the remainder of the first drive dev sda2 and the entire second drive dev sdb1 are allocated to the volume group Two LVM logical volumes LogVol00 and Lo...

Страница 120: ...of the swap space logical volume on the system in which case the automatic LVM configuration should be modified to leave available space for future growth 9 4 Manual LVM Partitioning The following section explains how to manually configure LVM for Red Hat Enterprise Linux Because there are numerous ways to manually configure a system with LVM the following example is similar to the default configu...

Страница 121: ... size the default radio button selected in the Additional Size Options area 7 Select Force to be a primary partition to make the partition be a primary partition A primary partition is one of the first four partitions on the hard drive If unselected the partition is created as a logical partition If other operating systems are already on the system unselecting this option should be considered For ...

Страница 122: ...Chapter 9 LVM Logical Volume Manager 96 Figure 9 5 Creation of the Boot Partition Click OK to return to the main screen The following figure displays the boot partition correctly set ...

Страница 123: ...e boot partition is created the remainder of all disk space can be allocated to LVM partitions The first step in creating a successful LVM implementation is the creation of the physical volume s 1 Select New 2 Select physical volume LVM from the File System Type pulldown menu as shown in Figure 9 7 Creating a Physical Volume ...

Страница 124: ...volume the specified size select Fill all space up to MB and enter a size in MBs to give range for the physical volume size or select Fill to maximum allowable size to make it grow to fill all available space on the hard disk If you make more than one growable they share the available free space on the disk 7 Select Force to be a primary partition if you want the partition to be a primary partitio...

Страница 125: ...e created 1 Click the LVM button to collect the physical volumes into volume groups A volume group is basically a collection of physical volumes You can have multiple logical volumes but a physical volume can only be in one volume group Note There is overhead disk space reserved in the volume group The volume group size is slightly less than the total of physical volume sizes ...

Страница 126: ...s A physical extent is an allocation unit for data 4 Select which physical volumes to use for the volume group 9 4 4 Creating the LVM Logical Volumes Create logical volumes with mount points such as home and swap space Remember that boot cannot be a logical volume To add a logical volume click the Add button in the Logical Volumes section A dialog window as shown in Figure 9 10 Creating a Logical ...

Страница 127: ...each volume group you want to create Tip You may want to leave some free space in the volume group so you can expand the logical volumes later The default automatic configuration does not do this but this manual configuration example does approximately 1 GB is left as free space for future expansion ...

Страница 128: ...hapter 9 LVM Logical Volume Manager 102 Figure 9 11 Pending Logical Volumes Click OK to apply the volume group and all associated logical volumes The following figure shows the final manual configuration ...

Страница 129: ...r the volume group that was created during the installation boot Ext3 file system Displayed under Uninitialized Entities DO NOT initialize this partition LogVol00 LVM contains the directory 312 extents LogVol02 LVM contains the home directory 128 extents LogVol03 LVM swap 28 extents The logical volumes above were created in disk entity dev hda2 while boot was created in dev hda1 The system also co...

Страница 130: ...move a volume from the volume group or migrate extents from the volume to another volume group Steps to migrate extents are discussed in Figure 9 22 Migrate Extents Figure 9 14 Physical View Window The figure below illustrates the logical view for the selected volume group The logical volume size is also indicated with the individual logical volume sizes illustrated ...

Страница 131: ...ing space available in a logical volume group The figure below illustrates this Please note that this logical volume cannot be changed in size as there is currently no free space in the volume group If there was remaining space this option would be enabled see Figure 9 31 Edit logical volume Click on the OK button to save your changes this will remount the volume To cancel your changes click on th...

Страница 132: ...and ensure that you read the Properties for Disk Entity on the right column of the window to ensure that you do not delete critical data In this example partition 1 cannot be initialized as it is boot Uninitialized entities are illustrated below Figure 9 17 Uninitialized Entities In this example partition 3 will be initialized and added to an existing volume group To initialize a partition or unpa...

Страница 133: ...me group add the unallocated volume to an existing volume group remove the volume from LVM To add the volume to an existing volume group click on the Add to Existing Volume Group button Figure 9 18 Unallocated Volumes Clicking on the Add to Existing Volume Group button will display a pop up window listing the existing volume groups to which you can add the physical volume you are about to initiali...

Страница 134: ...on the Create New Logical Volume s button select one of the existing logical volumes and increase the extents see Section 9 5 6 Extending a volume group select an existing logical volume and remove it from the volume group by clicking on the Remove Selected Logical Volume s button Please note that you cannot select unused space to perform this operation The figure below illustrates the logical vie...

Страница 135: ...have a sufficient number of free extents to migrate extents within a volume group An error message will be displayed if you do not have a sufficient number of free extents To resolve this problem please extend your volume group see Section 9 5 6 Extending a volume group If a sufficient number of free extents is detected in the volume group a pop up window will be displayed from which you can selec...

Страница 136: ...9 23 Migrating extents in progress Once the extents have been migrated unused space is left on the physical volume The figure below illustrates the physical and logical view for the volume group Please note that the extents of LogVol00 which were initially in hda2 are now in hda3 Migrating extents allows you to move logical volumes in case of hard disk upgrades or to manage your disk space better ...

Страница 137: ...tes the details for the new hard disk From the figure below the disk is uninitialized and not mounted To initialize a partition click on the Initialize Entity button For more details see Section 9 5 1 Utilizing uninitialized entities Once initialized LVM will add the new volume to the list of unallocated volumes as illustrated in Figure 9 26 Create new volume group Figure 9 25 Uninitialized hard d...

Страница 138: ...disk In this example a new volume group was created as illustrated below Figure 9 26 Create new volume group Once created a new volume group will be displayed in the list of existing volume groups as illustrated below The logical view will display the new volume group with unused space as no logical volumes have been created To create a logical volume select the volume group and click on the Creat...

Страница 139: ...3 Figure 9 27 Create new logical volume The figure below illustrates the physical view of the new volume group The new logical volume named Backups in this volume group is also listed Figure 9 28 Physical view of new volume group ...

Страница 140: ...lume Group window you can select disk entities partitions to add to the volume group Please ensure that you check the contents of any Uninitialized Disk Entities partitions to avoid deleting any critical data see Figure 9 25 Uninitialized hard disk In the example the disk entity partition dev hda6 was selected as illustrated below Figure 9 29 Select disk entities Once added the new volume will be ...

Страница 141: ...olume On this window you can also mount the volume after making the changes and mount it when the system is rebooted Please note that you should indicate the mount point If the mount point you specify does not exist a popup window will be displayed prompting you to create it The Edit Logical Volume window is illustrated below Figure 9 31 Edit logical volume If you wish to mount the volume select t...

Страница 142: ...The figure below illustrates the logical and physical view of the volume group after the logical volume was extended to the unused space Please note in this example that the logical volume named Backups spans across two hard disks A volume can be striped across two or more physical devices using LVM ...

Страница 143: ... qd lvm2 This command shows all the documentation available from the lvm package including man pages lvm help This command shows all LVM commands available 9 6 2 Useful Websites http sources redhat com lvm2 LVM2 webpage which contains an overview link to the mailing lists and more http tldp org HOWTO LVM HOWTO LVM HOWTO from the Linux Documentation Project ...

Страница 144: ...118 ...

Страница 145: ...re on a Red Hat Enterprise Linux system is divided into RPM packages which can be installed upgraded or removed This part describes how to manage the RPM packages on a Red Hat Enterprise Linux system using graphical and command line tools ...

Страница 146: ......

Страница 147: ...al patches that you create This clear delineation between pristine sources and your patches along with build instructions eases the maintenance of the package as new versions of the software are released Note Because RPM makes changes to your system you must be logged in as root to install remove or upgrade an RPM package 10 1 RPM Design Goals To understand how to use RPM it can be helpful to unde...

Страница 148: ...portant only for developers but it results in higher quality software for end users too 10 2 Using RPM RPM has five basic modes of operation not counting package building installing uninstalling upgrading querying and verifying This section contains an overview of each mode For complete details and options try rpm help or man rpm You can also refer to Section 10 5 Additional Resources for more inf...

Страница 149: ...ch as warning V3 DSA signature NOKEY key ID 0352860f Refer to Section 10 3 Checking a Package s Signature for more information on checking a package s signature Warning If you are installing a kernel package you should use rpm ivh instead Refer to Chapter 40 Manually Upgrading the Kernel for details 10 2 2 1 Package Already Installed If a package of the same name and version is already installed t...

Страница 150: ... from the Red Hat Enterprise Linux CD ROM set it usually suggest the package s needed to resolve the dependency Find the suggested package s on the Red Hat Enterprise Linux CD ROMs or from Red Hat Network and add it to the command rpm ivh foo 1 0 1 i386 rpm bar 2 0 20 3 i386 rpm If installation of both packages is successful output similar to the following is displayed Preparing 100 1 foo 50 2 bar...

Страница 151: ... installing kernel packages because RPM replaces the previous kernel package This does not affect a running system but if the new kernel is unable to boot during your next restart there would be no other kernel to boot instead Using the i option adds the kernel to your GRUB boot menu etc grub conf Similarly removing an old unneeded kernel removes the kernel from GRUB Because RPM performs intellige...

Страница 152: ...es that are already installed on your system freshening does the job Thus you do not have to delete any unwanted packages from the group that you downloaded before using RPM In this case issue the following command rpm Fvh rpm RPM automatically upgrades only those packages that are already installed 10 2 6 Querying The RPM database stores information about all RPM packages installed in your system...

Страница 153: ...ther things verifying compares the size MD5 sum permissions type owner and group of each file The command rpm V verifies a package You can use any of the Verify Options listed for querying to specify the packages you wish to verify A simple use of verifying is rpm V foo which verifies that all the files in the foo package are as they were when they were originally installed For example To verify a...

Страница 154: ...ther hand how trustworthy is the developer who created the package If the package is signed with the developer s GnuPG key you know that the developer really is who they say they are An RPM package can be signed using Gnu Privacy Guard or GnuPG to help you make certain your downloaded package is trustworthy GnuPG is a tool for secure communication it is a complete and free replacement for the encr...

Страница 155: ...essage is displayed md5 gpg OK This means that the signature of the package has been verified and that it is not corrupt 10 4 Practical and Common Examples of RPM Usage RPM is a useful tool for both managing your system and diagnosing and fixing problems The best way to make sense of all of its options is to look at some examples Perhaps you have deleted some files by accident but you are not sure...

Страница 156: ...z usr share man man1 ps 1 gz usr share man man1 skill 1 gz usr share man man1 slabtop 1 gz usr share man man1 snice 1 gz usr share man man1 tload 1 gz usr share man man1 top 1 gz usr share man man1 uptime 1 gz usr share man man1 w 1 gz usr share man man1 watch 1 gz usr share man man5 sysctl conf 5 gz usr share man man8 sysctl 8 gz usr share man man8 vmstat 8 gz You may find a new RPM but you do no...

Страница 157: ...u may find more uses for it 10 5 Additional Resources RPM is an extremely complex utility with many options and methods for querying installing upgrading and removing packages Refer to the following resources to learn more about RPM 10 5 1 Installed Documentation rpm help This command displays a quick reference of RPM parameters man rpm The RPM man page gives more detail about RPM parameters than ...

Страница 158: ...132 ...

Страница 159: ...kages in the same way that the rpm command does Note While the Package Management Tool can automatically resolve dependencies during package installation and removal it cannot perform a forced install remove the same way that rpm e nodeps or rpm U nodeps can The X Window System is required to run the Package Management Tool To start the application go to Applications the main menu on the panel Add...

Страница 160: ...installed in your system are marked with a green check By default the All packages option above the main window is selected this specifies that all packages be displayed Use the Installed packages option to display only packages that are already installed in your system and the Available packages option to view what packages you can download and install The Search tab allows you to use keywords to...

Страница 161: ... selection click the Apply button Figure 11 3 Package installation If there are any package dependencies for your selected downloads the Package Management Tool will notify you accordingly Click Details to view what additional packages are needed To proceed with downloading and installing the package along with all other dependent packages click Continue ...

Страница 162: ...stalled in your system click the checkbox beside the package name The green check appearing beside the package name will be replaced by a package removal icon This indicates that the package is queued for removal you can also select multiple packages to be removed at the same time Once you have selected the packages you want to remove click the Apply button ...

Страница 163: ... on the package you are removing they will be removed as well The Package Management Tool will notify you if there are any such dependencies Click Details to view what packages are dependent on the one you are removing To proceed with removing your selected package s along with all other dependent packages click Continue ...

Страница 164: ...gure 11 6 Package dependencies removal You can install and remove multiple packages by selecting packages to be installed removed and then clicking Apply The Package selections window displays the number of packages to be installed and removed ...

Страница 165: ...Installing and Removing Packages 139 Figure 11 7 Installing and removing packages simultaneously ...

Страница 166: ...140 ...

Страница 167: ...idually to install or update the latest packages from Red Hat Network 12 1 Setting Up a yum Repository To set up a repository follow these steps Procedure 12 1 Setting Up a yum Repository 1 Install the createrepo package 2 Copy all the packages into one directory for example mnt local_repo 3 Run createrepo on that directory for example createrepo mnt local_repo This will create the necessary metad...

Страница 168: ... yum Options yum options are typically stated before specific yum commands i e yum options command package name s Most of these options can be set as default using the configuration file The following is a list of the most commonly used yum options For a complete list of available yum options refer to man yum y Answer yes to every question in the transaction t Sets yum to be tolerant of errors wit...

Страница 169: ...repository information from repo files and the repository section of the etc yum conf file to create a master list of repositories to use for each transaction Refer to Section 12 4 2 repository Options for more information about options you can use for both the repository section and repo files If reposdir is not set yum uses the default directory etc yum repos d gpgcheck 1 or 0 This disables enab...

Страница 170: ...conf with reposdir repo files and the etc yum conf file can contain multiple repository entries Each repository entry consists of the following mandatory parts repository ID The repository ID is a unique one word string that serves as a repository identifier name repository name This is a human readable string describing the repository baseurl http file or ftp path This is a URL to the directory w...

Страница 171: ...his option is the opposite of exclude When this option is set on a repository yum will only be able to see the specified packages in that repository By default all packages in a repository are visible to yum 12 5 Useful yum Variables The following is a list of variables you can use for both yum commands and yum configuration files i e etc yum conf and repo files releasever This is replaced with th...

Страница 172: ...146 ...

Страница 173: ...ilable at https rhn redhat com Figure 13 1 Your RHN Red Hat Network saves you time because you receive email when updated packages are released You do not have to search the Web for updated packages or security alerts By default Red Hat Network installs the packages as well You do not have to learn how to use RPM or worry about resolving software package dependencies RHN does it all Red Hat Networ...

Страница 174: ...ater Use the Package Updater to download the latest software packages for your system with optional package installation Red Hat Network website Manage multiple systems downloaded individual packages and schedule actions such as Errata Updates through a secure Web browser connection from any computer Caution You must activate your Red Hat Enterprise Linux product before registering your system wit...

Страница 175: ...ed the Software Update Setup Assistant prompts you to register If you did not register then select Applications the main menu on the panel System Tools Package Updater on your desktop to start the registration process Alternately execute the command yum update from a shell prompt Figure 13 3 Registering with RHN After registering use one of the following methods to start receiving updates Select A...

Страница 176: ...ore detailed instructions refer to the documentation available at http www redhat com docs manuals RHNetwork Tip Red Hat Enterprise Linux includes a convenient panel icon that displays visible alerts when there is an update for your Red Hat Enterprise Linux system This panel icon is not present if no updates are available ...

Страница 177: ...elated Configuration After explaining how to configure the network this part discusses topics related to networking such as how to allow remote logins share files and directories over the network and set up a Web server ...

Страница 178: ......

Страница 179: ...terprise Linux system The primary network configuration files are as follows etc hosts The main purpose of this file is to resolve hostnames that cannot be resolved any other way It can also be used to resolve hostnames on small networks with no DNS server Regardless of the type of network the computer is on this file should contain a line specifying the IP address of the loopback device 127 0 0 1...

Страница 180: ...e X is a unique number corresponding to a specific interface Because each device has its own configuration file an administrator can control how each interface functions individually The following is a sample ifcfg eth0 file for a system using a fixed IP address DEVICE eth0 BOOTPROTO none ONBOOT yes NETWORK 10 0 1 0 NETMASK 255 255 255 0 IPADDR 10 0 1 27 USERCTL no The values required in an interf...

Страница 181: ...dynamically allocated PPP devices where it is the logical name DHCP_HOSTNAME Use this option only if the DHCP server requires the client to specify a hostname before receiving an IP address DNS 1 2 address where address is a name server address to be placed in etc resolv conf if the PEERDNS directive is set to yes ETHTOOL_OPTS options where options are any device specific options supported by etht...

Страница 182: ... bonding interface to which the Ethernet interface is linked This directive is used in conjunction with the SLAVE directive Refer to Section 14 2 3 Channel Bonding Interfaces for more information about channel bonding interfaces NETMASK mask where mask is the netmask value NETWORK address where address is the network address This directive is deprecated as the value is calculated automatically wit...

Страница 183: ...ress of the destination IPsec router Below is a listing of the configurable parameters for an IPsec interface DST address where address is the IP address of the IPsec destination host or router This is used for both host to host and network to network IPsec configurations DSTNET network where network is the network address of the IPsec destination network This is only used for network to network I...

Страница 184: ...llows administrators to bind multiple network interfaces together into a single channel using the bonding kernel module and a special network interface called a channel bonding interface Channel bonding enables two or more network interfaces to act as one simultaneously increasing the bandwidth and providing redundancy To create a channel bonding interface create a file in the etc sysconfig networ...

Страница 185: ... The Channel Bonding Module 14 2 4 Alias and Clone Files Two lesser used types of interface configuration files are alias and clone files Alias interface configuration files which are used to bind multiple addresses to a single interface use the ifcfg if name alias value naming scheme For example an ifcfg eth0 0 file could be configured to specify DEVICE eth0 0 and a static IP address of 10 0 0 2 ...

Страница 186: ... If you are connecting to the Internet via a dialup connection a configuration file is necessary for the interface PPP interface files are named using the following format ifcfg ppp X where X is a unique number corresponding to a specific interface The PPP interface configuration file is created automatically when wvdial the Network Administration Tool or Kppp is used to create a dialup account It...

Страница 187: ...ta a frame can carry not counting its header information In some dialup situations setting this to a value of 576 results in fewer packets dropped and a slight improvement to the throughput for a connection NAME name where name is the reference to the title given to a collection of dialup connection configurations PAPNAME name where name is the username given during the Password Authentication Pro...

Страница 188: ...ol Scripts The interface control scripts activate and deactivated system interfaces There are two primary interface control scripts that call on control scripts located in the etc sysconfig network scripts directory sbin ifdown and sbin ifup The ifup and ifdown interface scripts are symbolic links to scripts in the sbin directory When either of these scripts are called they require the value of th...

Страница 189: ...up ppp and ifdown ppp Brings a PPP interface up or down ifup routes Adds static routes for a device as its interface is brought up ifdown sit and ifup sit Contains function calls related to bringing up and down an IPv6 tunnel within an IPv4 connection ifup sl and ifdown sl Brings a SLIP interface up or down ifup wireless Brings up a wireless interface Warning Removing or modifying any scripts in t...

Страница 190: ... interface X X X X is the IP address of the default gateway The interface is the interface that is connected to or can reach the default gateway Define a static route Each line is parsed as an individual route X X X X X via X X X X dev interface X X X X X is the network number and netmask for the static route X X X X and interface are the IP address and interface for the default gateway respective...

Страница 191: ... X X X X NETMASK0 X X X X GATEWAY0 X X X X ADDRESS0 X X X X is the network number for the static route NETMASK0 X X X X is the netmask for the network number defined with ADDRESS0 X X X X GATEWAY0 X X X X is the default gateway or an IP address that can be used to reach ADDRESS0 X X X X The following is a sample route eth0 file using the network netmask directives format The default gateway is 192...

Страница 192: ...n interface setting hostnames finding a gateway device verifying whether or not a particular device is down and adding a default route As the functions required for IPv6 interfaces are different from IPv4 interfaces a etc sysconfig network scripts network functions ipv6 file exists specifically to hold this information The functions in this file configure and delete static IPv6 routes create and r...

Страница 193: ... used to configure IPsec connections manage DNS settings and manage the etc hosts file used to store additional hostnames and IP address combinations To use the Network Administration Tool you must have root privileges To start the application go to the Applications the main menu on the panel System Settings Network or type the command system config network at a shell prompt for example in an XTer...

Страница 194: ...supports your hardware device 15 1 Overview To configure a network connection with the Network Administration Tool perform the following steps 1 Add a network device associated with the physical hardware device 2 Add the physical hardware device to the hardware list if it does not already exist 3 Configure the hostname and DNS settings 4 Configure any hosts that cannot be looked up through DNS ...

Страница 195: ...you to configure them If you configured any Ethernet devices during the installation they are displayed in the hardware list on the Hardware tab 5 If you selected Other Ethernet Card the Select Ethernet Adapter window appears Select the manufacturer and model of the Ethernet card Select the device name If this is the system s first Ethernet card select eth0 as the device name if this is the second...

Страница 196: ...Chapter 15 Network Configuration 170 Figure 15 2 Ethernet Settings After configuring the Ethernet device it appears in the device list as shown in Figure 15 3 Ethernet Device ...

Страница 197: ...he device is added it is not activated immediately as seen by its Inactive status To activate the device select it from the device list and click the Activate button If the system is configured to activate the device when the computer starts the default this step does not have to be performed again If you associate more than one device with an Ethernet card the subsequent devices are device aliase...

Страница 198: ... resources and D channel protocol for the adapter Click Forward to continue Figure 15 4 ISDN Settings 5 If your Internet Service Provider ISP is in the pre configured list select it Otherwise enter the required information about your ISP account If you do not know the values contact your ISP Click Forward 6 In the IP Settings window select the Encapsulation Mode and whether to obtain an IP address...

Страница 199: ...s added it is not activated immediately as seen by its Inactive status To activate the device select it from the device list and click the Activate button If the system is configured to activate the device when the computer starts the default this step does not have to be performed again Figure 15 5 ISDN Device 15 4 Establishing a Modem Connection A modem can be used to configure an Internet conne...

Страница 200: ...5 6 Modem Settings appears Figure 15 6 Modem Settings 6 Configure the modem device baud rate flow control and modem volume If you do not know these values accept the defaults if the modem was probed successfully If you do not have touch tone dialing uncheck the corresponding checkbox Click Forward 7 If your ISP is in the pre configured list select it Otherwise enter the required information about ...

Страница 201: ...options login name password and more can also be changed When the device is added it is not activated immediately as seen by its Inactive status To activate the device select it from the device list and click the Activate button If the system is configured to activate the device when the computer starts the default this step does not have to be performed again 15 5 Establishing an xDSL Connection ...

Страница 202: ... use DHCP refer to Section 15 2 Establishing an Ethernet Connection to configure your Ethernet card If you are required to use PPPoE follow these steps 1 Click the Devices tab 2 Click the New button 3 Select xDSL connection from the Device Type list and click Forward as shown in Figure 15 8 Select Device Type Figure 15 8 Select Device Type 4 If your Ethernet card is in the hardware list select the...

Страница 203: ... Name and Password If you are not setting up a T Online account select Normal from the Account Type pulldown menu If you are setting up a T Online account select T Online from the Account Type pulldown menu and enter any values in the Login name and Password field You can further configure your T Online account settings once the DSL connection has been fully configured refer to Setting Up a T Onli...

Страница 204: ...nfiguring the DSL connection it appears in the device list as shown in Figure 15 10 xDSL Device Figure 15 10 xDSL Device 8 After adding the xDSL connection you can edit its configuration by selecting the device from the device list and clicking Edit ...

Страница 205: ...etting Click OK when finished 9 Once you are satisfied with your xDSL connection settings select File Save to save the changes Setting Up a T Online Account If you are setting up a T Online Account follow these additional steps 1 Select the device from the device list and click Edit 2 Select the Provider tab from the xDSL Configuration menu as shown in Figure 15 12 xDSL Configuration Provider Tab ...

Страница 206: ...twork Configuration 180 Figure 15 12 xDSL Configuration Provider Tab 3 Click the T Online Account Setup button This will open the Account Setup window for your T Online account as shown in Figure 15 13 Account Setup ...

Страница 207: ...te button If the system is configured to activate the device when the computer starts the default this step does not have to be performed again 15 6 Establishing a Token Ring Connection A token ring network is a network in which all the computers are connected in a circular pattern A token or a special network packet travels around the token ring and allows computers to send information to each ot...

Страница 208: ...ing card select tr0 if this is the second token ring card select tr1 and so on The Network Administration Tool also allows the user to configure the resources for the adapter Click Forward to continue Figure 15 14 Token Ring Settings 6 On the Configure Network Settings page choose between DHCP and static IP address You may specify a hostname for the device If the device receives a dynamic IP addre...

Страница 209: ...y its Inactive status To activate the device select it from the device list and click the Activate button If the system is configured to activate the device when the computer starts the default this step does not have to be performed again 15 7 Establishing a Wireless Connection Wireless Ethernet devices are becoming increasingly popular The configuration is similar to the Ethernet configuration e...

Страница 210: ...istration Tool also allows the user to configure the resources for the wireless network interface card Click Forward to continue 6 On the Configure Wireless Connection page as shown in Figure 15 16 Wireless Settings configure the settings for the wireless device Note Open System and Shared Key Authentication For the Authentication dropdown note that wireless access points using WEP encryption have...

Страница 211: ...c IP address You may specify a hostname for the device If the device receives a dynamic IP address each time the network is started do not specify a hostname Click Forward to continue 8 Click Apply on the Create Wireless Device page After configuring the wireless device it appears in the device list as shown in Figure 15 17 Wireless Device ...

Страница 212: ...e select it from the device list and click the Activate button If the system is configured to activate the device when the computer starts the default this step does not have to be performed again 15 8 Managing DNS Settings The DNS tab allows you to configure the system s hostname domain name servers and search domain Name servers are used to look up other hosts on the network If the DNS server na...

Страница 213: ...dresses to hostnames and vice versa Warning If the hostname is changed and system config network is started on the local host you may not be able to start another X11 application As such you may have to re login to a new desktop session 15 9 Managing Hosts The Hosts tab allows you to add edit or remove hosts from the etc hosts file This file contains IP addresses and their corresponding hostnames ...

Страница 214: ...hat you add them to the etc hosts file To add an entry to the etc hosts file go to the Hosts tab click the New button on the toolbar provide the requested information and click OK Select File Save or press Ctrl S to save the changes to the etc hosts file The network or network services do not need to be restarted since the current version of the file is referred to each time an address is resolved...

Страница 215: ...tings After configuring the profiles you can use the Network Administration Tool to switch back and forth between them By default there is one profile called Common To create a new profile select Profile New from the pull down menu and enter a unique name for the profile You are now modifying the new profile as indicated by the status bar at the bottom of the main window Click on an existing devic...

Страница 216: ...Chapter 15 Network Configuration 190 Figure 15 20 Office Profile Notice that the Home profile as shown in Figure 15 21 Home Profile activates the eth0_home logical device which is associated with eth0 ...

Страница 217: ...ctivate a profile at boot time modify the boot loader configuration file to include the netprofile profilename option For example if the system uses GRUB as the boot loader and boot grub grub conf contains title Red Hat Enterprise Linux 2 6 9 5 EL root hd0 0 kernel vmlinuz 2 6 9 5 EL ro root dev VolGroup00 LogVol00 rhgb quiet initrd initrd 2 6 9 5 EL img Modify it to the following where profilenam...

Страница 218: ...evice name followed by a colon and a number for example eth0 1 They are useful if you want to have multiple IP addresses for a system that only has one network card After configuring the Ethernet device such as eth0 to use a static IP address DHCP does not work with aliases go to the Devices tab and click New Select the Ethernet card to configure with an alias set the static IP address for the ali...

Страница 219: ...92 168 100 5 Bcast 192 168 100 255 Mask 255 255 255 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 161930 errors 1 dropped 0 overruns 0 frame 0 TX packets 244570 errors 0 dropped 0 overruns 0 carrier 0 collisions 475 txqueuelen 100 RX bytes 55075551 52 5 Mb TX bytes 178108895 169 8 Mb Interrupt 10 Base address 0x9000 eth0 1 Link encap Ethernet HWaddr 00 A0 CC 60 B7 G4 inet addr 192 ...

Страница 220: ... used as part of an automated backup script to save the configuration before upgrading or reinstalling or to copy the configuration to a different Red Hat Enterprise Linux system To save or export the network configuration of a system to the file tmp network config execute the following command as root system config network cmd e tmp network config To restore or import the network configuration fr...

Страница 221: ...mand line utility that allows you to turn services on and off for the different runlevels Non xinetd services can not be started stopped or restarted using this utility You may find that these tools are easier to use than the alternatives editing the numerous symbolic links located in the directories below etc rc d by hand or editing the xinetd configuration files in etc xinetd d Another way to ma...

Страница 222: ...o the following id 5 initdefault Change the number in this line to the desired runlevel The change does not take effect until you reboot the system 16 2 TCP Wrappers Many UNIX system administrators are accustomed to using TCP wrappers to manage access to certain network services Any network services managed by xinetd as well as any program with built in support for libwrap can use TCP wrappers to ...

Страница 223: ...rvice is disabled If the disable attribute is set to no the service is enabled You can edit any of the xinetd configuration files or change its enabled status using the Services Configuration Tool ntsysv or chkconfig For a list of network services controlled by xinetd review the contents of the etc xinetd d directory with the command ls etc xinetd d 16 3 Services Configuration Tool The Services Co...

Страница 224: ...service as well as the status of the service If the service is not an xinetd service the status window shows whether the service is currently running If the service is controlled by xinetd the status window displays the phrase xinetd service To start stop or restart a service immediately select the service from the list and click the appropriate button on the toolbar or choose the action from the ...

Страница 225: ...ze the runlevel Reinitialize the runlevel by going to a shell prompt and typing the command telinit x where x is the runlevel number in this example 3 This option is recommended if you change the Start at Boot value of multiple services and want to activate the changes immediately 3 Do nothing else You do not have to stop the httpd service You can wait until the system is rebooted for the service ...

Страница 226: ...immediately affected by ntsysv For all other services changes do not take effect immediately You must stop or start the individual service with the command service daemon stop where daemon is the name of the service you want to stop for example httpd Replace stop with start or restart to start or restart the service ...

Страница 227: ... or not in a specific runlevel For example to turn nscd off in runlevels 3 4 and 5 use the following command chkconfig level 345 nscd off Warning Services managed by xinetd are immediately affected by chkconfig For example if xinetd is running while rsync is disabled and the command chkconfig rsync on is executed then rsync is immediately enabled without having to restart xinetd manually Changes f...

Страница 228: ...202 ...

Страница 229: ...uffle which machines handle a name based query DNS is normally implemented using centralized servers that are authoritative for some domains and refer to other DNS servers for other domains When a client host requests information from a nameserver it usually connects to port 53 The nameserver then attempts to resolve the FQDN based on its resolver library which may contain authoritative informatio...

Страница 230: ... There are four primary nameserver configuration types master Stores original and authoritative zone records for a namespace and answers queries about the namespace from other nameservers slave Answers queries from other nameservers concerning namespaces for which it is considered an authority However slave nameservers get their namespace information from master nameservers caching only Offers nam...

Страница 231: ...y minor errors prevent the named service from starting A typical named conf file is organized similar to the following example statement 1 statement 1 name statement 1 class option 1 option 2 option N statement 2 statement 2 name statement 2 class option 1 option 2 option N statement N statement N name statement N class option 1 option 2 option N 17 2 1 Common Statement Types The following types o...

Страница 232: ...normal access 17 2 1 2 include Statement The include statement allows files to be included in a named conf file In this way sensitive configuration data such as keys can be placed in a separate file with restrictive permissions An include statement takes the following form include file name In this statement file name is replaced with an absolute path to a file 17 2 1 3 options Statement The optio...

Страница 233: ...ed does not attempt name resolution itself in the event that queries to nameservers specified in the forwarders directive fail listen on Specifies the network interface on which named listens for queries By default all interfaces are used Using this directive on a DNS server which also acts a gateway BIND can be configured to only answer queries that originate from one of the networks The followin...

Страница 234: ... man page for more details 17 2 1 4 zone Statement A zone statement defines the characteristics of a zone such as the location of its configuration file and zone specific options This statement can be used to override the global options statements A zone statement takes the following form zone zone name zone class zone options zone options In this statement zone name is the name of the zone zone c...

Страница 235: ...on and is used only if the zone is defined as typeslave notify Specifies whether or not named notifies the slave servers when a zone is updated This directive accepts the following options yes Notifies slave servers no Does not notify slave servers explicit Only notifies slave servers specified in an also notify list within a zone statement type Defines the type of zone Below is a list of valid op...

Страница 236: ... named service is instructed to read the var named example com zone file It also tells named not to allow any other hosts to update A slave server s zone statement for example com is slightly different from the previous example For a slave server the type is set to slave and in place of the allow update line is a directive telling named the IP address of the master server The following is an examp...

Страница 237: ... that affect how named should respond to remote nameservers especially with regard to notifications and zone transfers The transfer format option controls whether one resource record is sent with each message one answer or multiple resource records are sent with each message many answers While many answers is more efficient only newer BIND nameservers understand it trusted keys Contains assorted p...

Страница 238: ...ds Directives tell the nameserver to perform tasks or apply special settings to the zone Resource records define the parameters of the zone and assign identities to individual hosts Directives are optional but resource records are required to provide name service to a zone All directives and resource records should be entered on individual lines Comments can be placed after semicolon characters in...

Страница 239: ...ing are used most frequently A This refers to the Address record which specifies an IP address to assign to a name as in this example host IN A IP address If the host value is omitted then an A record points to a default IP address for the top of the namespace This system is the target for all non FQDN requests Consider the following A record examples for the example com zone file server1 IN A 10 ...

Страница 240: ...s refers to the NameServer record which announces the authoritative nameservers for a particular zone The following illustrates the layout of an NS record IN NS nameserver name Here nameserver name should be an FQDN Next two nameservers are listed as authoritative for the domain It is not important whether these nameservers are slaves or if one is a master they are both still considered authoritat...

Страница 241: ...t The time to retry directive is a numerical value used by slave servers to determine the length of time to wait before issuing a refresh request in the event that the master nameserver is not answering If the master has not replied to a refresh request before the amount of time specified in the time to expire directive elapses the slave servers stop responding as an authority for requests concern...

Страница 242: ...example com hostmaster example com 2001062501 serial 21600 refresh after 6 hours 3600 retry after 1 hour 604800 expire after 1 week 86400 minimum TTL of 1 day NS dns1 example com NS dns2 example com dns1 A 10 0 1 1 AAAA aaaa bbbb 1 dns2 A 10 0 1 2 AAAA aaaa bbbb 2 MX 10 mail example com MX 20 mail2 example com mail A 10 0 1 5 AAAA aaaa bbbb 5 mail2 A 10 0 1 6 AAAA aaaa bbbb 6 This sample zone file...

Страница 243: ...ticular namespace into an FQDN It looks very similar to a standard zone file except that PTR resource records are used to link the IP addresses to a fully qualified domain name The following illustrates the layout of a PTR record last IP digit IN PTR FQDN of system The last IP digit is the last number in an IP address which points to a particular system s FQDN In the following example IP addresses...

Страница 244: ...ndc configuration file etc rndc conf Note If you have installed the bind chroot package the BIND service will run in the var named chroot environment All configuration files will be moved there As such the rndc conf file is located in var named chroot etc rndc conf Note that since the rndc utility does not run in a chroot environment etc rndc conf is a symlink to var named chroot etc rndc conf 17 ...

Страница 245: ...e an include statement to reference it For example include etc rndc key 17 4 2 Configuring etc rndc conf The key is the most important statement in etc rndc conf key key name algorithm hmac md5 secret key value The key name and key value should be exactly the same as their settings in etc named conf To match the keys specified in the target server s etc named conf add the following lines to etc rn...

Страница 246: ...ally it may be necessary to override the default settings in the etc rndc conf file The following options are available c configuration file Specifies the alternate location of a configuration file p port number Specifies a port number to use for the rndc connection other than the default port 953 s server Specifies a server other than the default server listed in etc rndc conf y key name Specifie...

Страница 247: ...t originates from This is primarily used to deny sensitive DNS entries from clients outside of the local network while allowing queries from clients inside the local network The view statement uses the match clients option to match IP addresses or entire networks and give them special options and zone data 17 5 3 Security BIND supports a number of different methods to protect the updating and tran...

Страница 248: ...domain name denotes a fully qualified domain name If the period is omitted then named appends the name of the zone or the ORIGIN value to complete it If a firewall is blocking connections from the named daemon to other nameservers the recommended best practice is to change the firewall settings whenever possible Warning Avoid Using Fixed UDP Source Ports Recent research in DNS security has shown t...

Страница 249: ...o address them usr share doc bind version number misc This directory contains documents designed to address specific advanced issues Users of BIND version 8 should consult the migration document for specific changes they must make when moving to BIND 9 The options file lists all of the options implemented in BIND 9 that are used in etc named conf usr share doc bind version number rfc This director...

Страница 250: ...a resolving caching nameserver and the configuration of various zone files necessary to serve as the primary nameserver for a domain 17 7 3 Related Books DNS and BIND by Paul Albitz and Cricket Liu O Reilly Associates A popular reference that explains both common and esoteric BIND configuration options as well as providing strategies for securing a DNS server The Concise Guide to DNS and BIND by N...

Страница 251: ...rver This technique called X11 forwarding provides a secure means to use graphical applications over a network Because the SSH protocol encrypts everything it sends and receives it can be used to secure otherwise insecure protocols Using a technique called port forwarding an SSH server can become a conduit to securing otherwise insecure protocols like POP and increasing overall system and data sec...

Страница 252: ... known only by the local and remote systems 18 2 SSH Protocol Versions The SSH protocol allows any client and server programs built to the protocol s specifications to communicate securely and to be used interchangeably Two varieties of SSH version 1 and version 2 currently exist The OpenSSH suite under Red Hat Enterprise Linux uses SSH version 2 which has an enhanced key exchange algorithm not vu...

Страница 253: ...uerade as an SSH server during the initial contact since the local system does not know the difference between the intended server and a false one set up by an attacker To help prevent this verify the integrity of a new SSH server by contacting the server administrator before connecting for the first time or in the event of a host key mismatch SSH is designed to work with almost any kind of public...

Страница 254: ...k This allows great flexibility in handling different types of remote connections without having to change the basic infrastructure of the protocol 18 4 Configuring an OpenSSH Server To run an OpenSSH server you must first make sure that you have the proper RPM packages installed The openssh server package is required and is dependent on the openssh package The OpenSSH daemon uses the configuratio...

Страница 255: ...d configuring services with chkconfig usr sbin ntsysv and the Services Configuration Tool refer to Chapter 16 Controlling Access to Services 18 5 OpenSSH Configuration Files OpenSSH has two different sets of configuration files one for client programs ssh scp and sftp and one for the server daemon sshd System wide SSH configuration information is stored in the etc ssh directory moduli Contains Dif...

Страница 256: ...ys of SSH servers accessed by the user This file is very important for ensuring that the SSH client is connecting the correct SSH server Important If an SSH server s host key has changed the client notifies the user that the connection cannot proceed until the server s host key is deleted from the known_hosts file using a text editor Before doing this however contact the system administrator of th...

Страница 257: ...e without logging in to a shell prompt The syntax is ssh hostnamecommand For example if you want to execute the command ls usr share doc on the remote machine penguin example net type the following command at a shell prompt ssh penguin example net ls usr share doc After you enter the correct password the contents of the remote directory usr share doc will be displayed and you will return to your l...

Страница 258: ...se commands To read the man page execute the command man sftp at a shell prompt The sftp utility is only available in OpenSSH version 2 5 0p1 and higher 18 7 More Than a Secure Shell A secure command line interface is just the beginning of the many ways SSH can be used Given the proper amount of bandwidth X11 sessions can be directed over an SSH channel Or by using TCP IP forwarding previously ins...

Страница 259: ...port 1100 on the client system are directed securely to the mail example com server If mail example com is not running an SSH server but another machine on the same network is SSH can still be used to secure part of the connection However a slightly different command is necessary ssh L 1100 mail example com 110 other example com In this example POP3 requests from port 1100 on the client machine ar...

Страница 260: ...ant to save your generated key pair backup the ssh directory in your home directory After reinstalling copy this directory back to your home directory This process can be done for all users on your system including root 18 7 3 1 Generating an RSA Key Pair for Version 2 Use the following steps to generate an RSA key pair for version 2 of the SSH protocol This is the default starting with OpenSSH 2 ...

Страница 261: ...uthenticate a user Passphrases differ from passwords in that you can use spaces or tabs in the passphrase Passphrases are generally longer than passwords because they are usually phrases instead of a single word The public key is written to ssh id_dsa pub The private key is written to ssh id_dsa It is important never to give anyone the private key 2 Change the permissions of the ssh directory with...

Страница 262: ...o save your passphrase so that you do not have to enter it each time you initiate an ssh or scp connection If you are using GNOME the gnome ssh askpass package contains the application used to prompt you for your passphrase when you log in to GNOME and save it until you log out of GNOME You will not have to enter your password or passphrase for any ssh or scp connection made during that GNOME sess...

Страница 263: ...r bin ssh agent SHELL 2 Then type the command ssh add and enter your passphrase s If you have more than one key pair configured you will be prompted for each one 3 When you log out your passphrase s will be forgotten You must execute these two commands each time you log in to a virtual console or open a terminal window 18 8 Additional Resources The OpenSSH and OpenSSL projects are in constant deve...

Страница 264: ...238 ...

Страница 265: ...e NFS server sends the client a file handle after the client is authorized to access the shared volume This file handle is an opaque object stored on the server s side and is passed along with RPC requests from the client The NFS server can be restarted without affecting the clients and the cookie remains intact However because UDP is stateless if the server goes down unexpectedly UDP clients cont...

Страница 266: ...nnections to the requested RPC service The following RPC processes facilitate NFS services rpc mountd This process receives mount requests from NFS clients and verifies the requested file system is currently exported This process is started automatically by the nfs service and does not require user configuration rpc nfsd Allows explicit NFS versions and protocols the server advertises to be define...

Страница 267: ...t state the hostname of the NFS server the directory on the server being exported and the directory on the local machine where the NFS share is to be mounted You must be root to modify the etc fstab file The general syntax for the line in etc fstab is as follows server usr local pub pub nfs rsize 8192 wsize 8192 timeo 14 intr The mount point pub must exist on the client machine before this command...

Страница 268: ...e with the usual requirements of other industry standard automounters Mount point hostname exported directory and options can all be specified in a set of files or other supported network sources rather than configuring them manually for each host Please ensure that you have the autofs package installed if you wish to use this service 19 3 1 What s new in autofs version 5 Direct map support Autofs...

Страница 269: ...t maps for the direct mounts below tmp auto_dcthon tmp auto_test3_direct tmp auto_test4_direct 19 3 2 autofs Configuration The primary configuration file for the automounter is etc auto master also referred to as the master map which may be changed as described in the introduction section above The master map lists autofs controlled mount points on the system and their corresponding configuration ...

Страница 270: ...ource of the mount Following the above configuration the autofs mount points will be home payroll and home sales The fstype option is often omitted and is generally not needed for correct operation The automounter will create the directories if they do not exist If the directories exist before the automounter was started the automounter will not remove them when it exits You can start or restart t...

Страница 271: ...you just want to augment the site wide auto home map with a few entries create a etc auto home file map and in it put your new entries and at the end include the NIS auto home map Then the etc auto home file map might look similar to mydir someserver export mydir auto home Given the NIS auto home map listed above an ls of home would now give ls home beth joe mydir This last example works as expect...

Страница 272: ... An LDIF of a sample configuration is described below extended LDIF LDAPv3 base with scope subtree filter objectclass automountMap automountMapName auto master requesting ALL auto master example com dn automountMapName auto master dc example dc com objectClass top objectClass automountMap automountMapName auto master extended LDIF LDAPv3 base automountMapName auto master dc example dc com with sco...

Страница 273: ...ns2 Any number of maps can be combined into a single map in this manner This feature is no longer present in v5 This is because Version 5 supports included maps which can be used to attain the same results Consider the following multi map example home file etc auto home nis auto home This can be replaced by the following configuration for v5 etc nsswitch conf must list automount files nis etc auto...

Страница 274: ...fstab settings and autofs The following are options commonly used for NFS mounts fsid num Forces the file handle and file attributes settings on the wire to be num instead of a number derived from the major and minor number of the block device on the mounted file system The value 0 has special meaning when used with NFSv4 NFSv4 has a concept of a root of the overall exported file system The export...

Страница 275: ...es wsize by setting a larger data block size in bytes to be transferred at one time Be careful when changing these values some older Linux kernels and network cards do not work well with larger block sizes For NFSv2 or NFSv3 the default values for both parameters is set to 8192 For NFSv4 the default values for both parameters is set to 32768 sec mode Specifies the type of security to utilize when ...

Страница 276: ...take effect after editing the configuration file for NFS To restart the server as root type sbin service nfs restart The condrestart conditional restart option only starts nfs if it is currently running This option is useful for scripts because it does not start the daemon if it is not running To conditionally restart the server as root type sbin service nfs condrestart To reload the NFS server co...

Страница 277: ...orts for each process instead of using the random ports assigned by the portmapper You can set the NFS Server settings by clicking on the Server Settings button The figure below illustrates the NFS Server Settings window Figure 19 2 NFS Server Settings 19 6 1 Exporting or Sharing NFS File Systems Sharing or serving files from an NFS server is known as exporting the directories The NFS Server Confi...

Страница 278: ...em NFS 252 Basic permissions Specify whether the directory should have read only or read write permissions Figure 19 3 Add Share The General Options tab allows the following options to be configured Figure 19 4 NFS General Options ...

Страница 279: ...perations on request Enabled by default this option does not allow the server to reply to requests before the changes made by the request are written to the disk This option corresponds to sync If this is not selected the async option is used Force sync of write operations immediately Do not delay writing to disk This option corresponds to no_wdelay Hide filesystems beneath turns the nohide option...

Страница 280: ...his option is selected all user and group IDs are mapped to the anonymous user This option corresponds to all_squash Specify local user ID for anonymous users If Treat all client users as anonymous users is selected this option lets you specify a user ID for the anonymous user This option corresponds to anonuid Specify local group ID for anonymous users If Treat all client users as anonymous users...

Страница 281: ...n to the disk For example misc export speedy example com sync would allow users from speedy example com to mount misc export with the default read only permissions but misc export speedy example com rw sync would allow users from speedy example com to mount misc export with read write privileges Refer to Section 19 6 4 Hostname Formats for an explanation of possible hostname formats Caution Be car...

Страница 282: ...ptable format is a b c d netmask where a b c d is the network and netmask is the netmask for example 192 168 100 8 255 255 255 0 Netgroups In the format group name where group name is the NIS netgroup name 19 7 The etc exports Configuration File The etc exports file controls which file systems are exported to remote hosts and specifies options Blank lines are ignored comments can be made by starti...

Страница 283: ...tem are read only Remote hosts are not able to make changes to the data shared on the file system To allow hosts to make changes to the file system the read write rw option must be specified wdelay Causes the NFS server to delay writing to the disk if it suspects another write request is imminent This can improve performance by reducing the number of times the disk must be accessed by separate wri...

Страница 284: ...ystem being exported to remote users via NFS as well as the access level for those file systems are listed in the etc exports file When the nfs service starts the usr sbin exportfs command launches and reads this file passes control to rpc mountd if NFSv2 or NFSv3 for the actual mounting process then to rpc nfsd where the file systems are then available to remote users When issued manually the usr...

Страница 285: ...yped in a terminal with no arguments the exportfs command shows all the exported directories Since NFSv4 no longer utilizes the MOUNT protocol which was used with the NFSv2 and NFSv3 protocols the mounting of file systems has changed An NFSv4 client now has the ability to see all of the exports served by the NFSv4 server as a single file system called the NFSv4 pseudo file system On Red Hat Enterp...

Страница 286: ... implement depends on your existing network environment and your security concerns The following sections explain the differences between implementing security measures with NFSv2 NFSv3 and NFSv4 If at all possible use of NFSv4 is recommended over other versions of NFS 19 8 1 1 Using NFSv2 or NFSv3 NFS controls who can mount an exported file system based on the host making the mount request not th...

Страница 287: ...he Microsoft Windows NT model not the POSIX model because of its features and because it is widely deployed NFSv2 and NFSv3 do not have support for native ACL attributes Another important security feature of NFSv4 is the removal of the use of the MOUNT protocol for mounting file systems This protocol presented possible security holes because of the way that it handled file handles For more informa...

Страница 288: ...es for each of the NFS RPC daemons The man pages for rpc mountd and rpc statd contain information regarding the precise syntax for these rules 19 9 1 Troubleshooting NFS and portmap Because portmap provides coordination between RPC services and the port numbers used to communicate with them it is useful to view the status of current RPC services using portmap when troubleshooting The rpcinfo comma...

Страница 289: ... etc auto misc server side with NIS For example on demand via the command line client side mount o udp shadowman example com misc export misc local When the NFS mount is specified in etc fstab client side server usr local pub pub nfs rsize 8192 wsize 8192 timeo 14 intr udp When the NFS mount is specified in an autofs configuration file for a NIS server available for NIS enabled workstations myproj...

Страница 290: ...o mount file systems at boot time man nfs Provides details on NFS specific file system export and mount options man exports Shows common options used in the etc exports file when exporting NFS file systems 19 11 2 Useful Websites http nfs sourceforge net The home of the Linux NFS project and a great place for project status updates http www citi umich edu projects nfsv4 linux An NFSv4 for Linux 2 ...

Страница 291: ...nd a 300 page implementation and integration manual For more information about these published titles refer to Section 20 12 2 Related Books 20 1 1 Samba Features Samba is a powerful and versatile server application Even seasoned system administrators must know its abilities and limitations before attempting installation and configuration What Samba can do Serve directory trees and printers to Lin...

Страница 292: ...indows NT 2000 or Windows Server 2003 This makes Windows user group information understandable by UNIX platforms This is achieved by using Microsoft RPC calls Pluggable Authentication Modules PAM and the Name Service Switch NSS This allows Windows NT domain users to appear and operate as UNIX users on a UNIX machine Though bundled with the Samba distribution the winbind service is controlled separ...

Страница 293: ...Connecting to a Samba Share 267 Figure 20 1 SMB Workgroups in Nautilus Double click one of the workgroup icons to view a list of computers within the workgroup ...

Страница 294: ...ork for Samba servers use the findsmb command For each server found it displays its IP address NetBIOS name workgroup name operating system and SMB server version To connect to a Samba share from a shell prompt type the following command smbclient hostname sharename U username Replace hostname with the hostname or IP address of the Samba server you want to connect to sharename with the name of the...

Страница 295: ...directories as a Samba share It also shares all printers configured for the system as Samba shared printers In other words you can attach a printer to the system and print to it from the Windows machines on your network 20 4 1 Graphical Configuration To configure Samba using a graphical interface use the Samba Server Configuration Tool For command line configuration skip to Section 20 4 2 Command ...

Страница 296: ...ng a Samba server is to configure the basic settings for the server and a few security options After starting the application select Preferences Server Settings from the pulldown menu The Basic tab is displayed as shown in Figure 20 4 Configuring Basic Server Settings Figure 20 4 Configuring Basic Server Settings On the Basic tab specify which workgroup the computer should be in as well as a brief...

Страница 297: ...ield Note The Kerberos Realm field must be supplied in all uppercase letters such as EXAMPLE COM Using a Samba server as a domain member in an ADS realm assumes proper configuration of Kerberos including the etc krb5 conf file Domain The Samba server relies on a Windows NT Primary or Backup Domain Controller to verify the user The server passes the username and password to the Controller and waits...

Страница 298: ...mat instead of as a plain text word that can be intercepted This corresponds to the encrypted passwords option Refer to Section 20 4 3 Encrypted Passwords for more information about encrypted Samba passwords Guest Account When users or guest users log into a Samba server they must be mapped to a valid user on the server Select one of the existing usernames on the system to be the guest Samba accou...

Страница 299: ...ds for Samba it is recommended that the Samba passwords for all users are different from their system passwords To edit an existing user select the user from the list and click Edit User To delete an existing Samba user select the user and click the Delete User button Deleting a Samba user does not delete the associated system user account The users are modified immediately after clicking the OK b...

Страница 300: ...KGROUPNAME server string BRIEF COMMENT ABOUT SERVER Replace WORKGROUPNAME with the name of the Windows workgroup to which this machine should belong The BRIEF COMMENT ABOUT SERVER is optional and is used as the Windows comment about the Samba system To create a Samba share directory on your Linux system add the following section to your smb conf file after modifying it to reflect your needs and yo...

Страница 301: ...is changed Samba automatically reloads it after a few minutes Issuing a manual restart or reload is just as effective To conditionally restart the server type the following command as root sbin service smb condrestart A manual reload of the smb conf file can be useful in case of a failed automatic reload by the smb service To ensure that the Samba server configuration file is reloaded without rest...

Страница 302: ...evels for a single Samba server cannot be mixed The security directive is a global Samba parameter located in the global configuration section of the smb conf file global workgroup DOCS netbios name DOCS_SRV security share data comment Documentation Samba Server path export read only Yes guest only Yes 20 6 1 2 Anonymous Read Write The following smb conf file shows a sample configuration needed to...

Страница 303: ...ap name cups disable spools Yes show add printer wizard No printing cups printers comment All Printers path var spool samba guest ok Yes printable Yes use client driver Yes browseable Yes 20 6 1 4 Secure Read Write File and Print Server The following smb conf file shows a sample configuration needed to implement a secure read write print server Setting the security directive to user forces Samba t...

Страница 304: ...beros for Active Directory authentication the realm directive is required If Active Directory and Kerberos are running on different servers the password server directive may be required to help the distinction global realm EXAMPLE COM security ADS encrypt passwords yes Optional Use only if Samba cannot determine the Kerberos server automatically password server kerberos example com In order to joi...

Страница 305: ...Windows NT4 based domain member server Becoming a member server of an NT4 based domain is similar to connecting to an Active Directory The main difference is NT4 based domains do not use Kerberos in their authentication method making the smb conf file simpler In this instance the Samba member server functions as a pass through to the NT4 based domain server global workgroup DOCS netbios name DOCS_...

Страница 306: ...atforms cannot be mixed in a PDC BDC environment In a Samba environment there can be only one PDC and zero or more BDCs Important Samba cannot exist in a mixed Samba Windows domain controller environment Samba cannot be a BDC of a Windows PDC or vice versa Alternatively Samba PDCs and BDCs can coexist 20 6 3 1 Primary Domain Controller PDC using tdbsam The simplest and most common implementation o...

Страница 307: ...ber of an Active Directory it is not possible for Samba to operate as an Active Directory domain controller 20 7 Samba Security Modes There are only two types of security modes for Samba share level and user level which are collectively known as security levels Share level security can only be implemented in one way while user level security can be implemented in one of four different ways The dif...

Страница 308: ...domain as a native Active Directory member Even if a security policy restricts the use of NT compatible authentication protocols the Samba server can join an ADS using Kerberos Samba in Active Directory member mode can accept Kerberos tickets In smb conf the following directives make Samba an Active Directory member server GLOBAL security ADS realm EXAMPLE COM password server kerberos example com ...

Страница 309: ... not recommended for use by any means It is possible that different Windows clients connecting to the Samba server with plain text passwords cannot support such an authentication method smbpasswd A popular backend used in previous Samba packages the smbpasswd backend utilizes a plain ASCII text layout that includes the MS Windows LanMan and NT account and encrypted password information The smbpass...

Страница 310: ...that already implement MySQL At present mysqlsam is now packed in a module separate from Samba and as such is not officially supported by Samba 20 9 Samba Network Browsing Network browsing enables Windows and Samba servers to appear in the Windows Network Neighborhood Inside the Network Neighborhood icons are represented as servers and if opened the server s shares and printers that are available ...

Страница 311: ...ins support Yes Tip All servers including Samba should connect to a WINS server to resolve NetBIOS names Without WINS browsing only occurs on the local subnet Furthermore even if a domain wide list is somehow obtained hosts cannot be resolved for the client without WINS 20 10 Samba with CUPS Printing Support Samba allows client machines to share printers connected to the Samba server In addition S...

Страница 312: ...of executing findsmb as any valid user on a system findsmb IP ADDR NETBIOS NAME WORKGROUP OS VERSION 10 1 59 25 VERVE MYGROUP Unix Samba 3 0 0 15 10 1 59 26 STATION22 MYGROUP Unix Samba 3 0 2 7 FC1 10 1 56 45 TREK WORKGROUP Windows 5 0 Windows 2000 LAN Manager 10 1 57 94 PIXEL MYGROUP Unix Samba 3 0 0 15 10 1 57 137 MOBILE001 WORKGROUP Windows 5 0 Windows 2000 LAN Manager 10 1 57 141 JAWS KWIKIMAR...

Страница 313: ...the target machine replies Here is an example nmblookup trek querying trek on 10 1 59 255 10 1 56 45 trek 00 pdbedit pdbedit options The pdbedit program manages accounts located in the SAM database All backends are supported including smbpasswd LDAP NIS and the tdb database library The following are examples of adding deleting and listing users pdbedit a kristin new password retype new password Un...

Страница 314: ... 18 Jan 2038 22 14 07 GMT Password last set Thu 29 Jan 2004 08 29 28 GMT Password can change Thu 29 Jan 2004 08 29 28 GMT Password must change Mon 18 Jan 2038 22 14 07 GMT pdbedit L andriusb 505 joe 503 lisa 504 kristin 506 pdbedit x joe pdbedit L andriusb 505 lisa 504 kristin 506 rpcclient rpcclient server options The rpcclient program issues administrative commands using Microsoft RPCs which pro...

Страница 315: ...s to a Samba server smbtar smbtar options The smbtar program performs backup and restores of Windows based share files and directories to a local tape archive Though similar to the tar command the two are not compatible testparm testparm options filename hostname IP_address The testparm program checks the syntax of the smb conf file If your smb conf file is in the default location etc samba smb co...

Страница 316: ...ons The wbinfo program displays information from the winbindd daemon The winbindd daemon must be running for wbinfo to work 20 12 Additional Resources The following sections give you the means to explore Samba in greater detail 20 12 1 Installed Documentation usr share doc samba version number All additional files included with the Samba distribution This includes all helper scripts sample configu...

Страница 317: ...tation created by the Samba development team Many resources are available in HTML and PDF formats while others are only available for purchase Although many of these links are not Red Hat Enterprise Linux specific some concepts may apply http samba org samba archives html 1 Active email lists for the Samba community Enabling digest mode is recommended due to high levels of list activity Samba news...

Страница 318: ...292 ...

Страница 319: ...s will go into effect If an organization has a functional DHCP server properly connected to a network laptops and other mobile computer users can move these devices from office to office 21 2 Configuring a DHCP Server The dhcp package contains an ISC DHCP server First install the package as the superuser yum install dhcp Installing the dhcp package creates a file etc dhcpd conf which is merely an ...

Страница 320: ...eclarations The parameters that start with the keyword option are reffered to as options These options control DHCP options whereas parameters configure values that are not optional or control how the DHCP server behaves Parameters including options declared before a section enclosed in curly brackets are considered global parameters Global parameters apply to all the sections below it Important I...

Страница 321: ...t lab environment shared network name option domain name test redhat com option domain name servers ns1 redhat com ns2 redhat com option routers 192 168 0 254 more parameters for EXAMPLE shared network subnet 192 168 1 0 netmask 255 255 252 0 parameters for subnet range 192 168 1 1 192 168 1 254 subnet 192 168 2 0 netmask 255 255 252 0 parameters for subnet range 192 168 2 1 192 168 2 254 Example ...

Страница 322: ...55 255 0 range 192 168 1 10 192 168 1 100 Example 21 4 Range Parameter To assign an IP address to a client based on the MAC address of the network interface card use the hardware ethernet parameter within a host declaration As demonstrated in Example 21 5 Static IP Address using DHCP the host apex declaration specifies that the network interface card with the MAC address 00 A0 78 8E 9E AA always r...

Страница 323: ...ename the dhcpd leases backup file to dhcpd leases and then start the daemon 21 2 3 Starting and Stopping the Server Important When the DHCP server is started for the first time it fails unless the dhcpd leases file exists Use the command touch var lib dhcpd dhcpd leases to create the file if it does not exist If the same server is also running BIND as a DNS server this step is not necessary as st...

Страница 324: ...P Relay Agent The DHCP Relay Agent dhcrelay allows for the relay of DHCP and BOOTP requests from a subnet with no DHCP server on it to one or more DHCP servers on other subnets When a DHCP client requests information the DHCP Relay Agent forwards the request to the list of DHCP servers specified when the DHCP Relay Agent is started When a DHCP server returns a reply the reply is broadcast or unica...

Страница 325: ... using DHCP then yes is the default no Do not modify etc resolv conf SRCADDR address where address is the specified source IP address for outgoing packets USERCTL answer where answer is one of the following yes Non root users are allowed to control this device no Non root users are not allowed to control this device If you prefer using a graphical interface refer to Chapter 15 Network Configuratio...

Страница 326: ...e networks ddns update style interim default lease time 600 max lease time 7200 subnet 10 0 0 0 netmask 255 255 255 0 option subnet mask 255 255 255 0 option routers 10 0 0 1 range 10 0 0 5 10 0 0 15 subnet 172 16 0 0 netmask 255 255 255 0 option subnet mask 255 255 255 0 option routers 172 16 0 1 range 172 16 0 5 172 16 0 15 subnet 10 0 0 0 netmask 255 255 255 0 A subnet declaration is required f...

Страница 327: ... interfaces are not supported by DHCP If an alias interface is the only interface in the only subnet specified in etc dhcpd conf the DHCP daemon fails to start 21 4 1 Host Configuration Before making any changes back up the existing etc sysconfig dhcpd and etc dhcpd conf files Configuring a single system for multiple networks The following etc dhcpd conf example creates two subnets and configures ...

Страница 328: ...he hardware ethernet option This address must be outside the IP address pool specified with the range option If option statements do not end with a semicolon the DHCP daemon fails to start and an error such as the following is logged to var log messages etc dhcpd conf line 20 semicolon expected dhcpd dhcpd dhcpd etc dhcpd conf line 38 unexpected end of file dhcpd dhcpd dhcpd Configuration file err...

Страница 329: ...ed in etc dhcpd conf 21 5 Additional Resources For additional configuration options refer to the following resources 21 5 1 Installed Documentation dhcpd man page Describes how the DHCP daemon works dhcpd conf man page Explains how to configure the DHCP configuration file includes some examples dhcpd leases man page Explains how to configure the DHCP leases file includes some examples dhcp options...

Страница 330: ...304 ...

Страница 331: ... 4 and earlier This section reviews some of the features of Apache HTTP Server 2 2 and outlines important changes If you are upgrading from version 1 3 you should also read the instructions on migrating from version 1 3 to version 2 0 For instructions on migrating a version 1 3 configuration file to the 2 0 format refer to Section 22 2 2 Migrating Apache HTTP Server 1 3 Configuration Files to 2 0 ...

Страница 332: ...rs More information on upgrading from version 2 0 to 2 2 can be found on http httpd apache org docs 2 2 upgrading html 22 2 2 Migrating Apache HTTP Server 1 3 Configuration Files to 2 0 This section details migrating an Apache HTTP Server 1 3 configuration file to be utilized by Apache HTTP Server 2 0 If upgrading to Red Hat Enterprise Linux 5 from Red Hat Enterprise Linux 2 1 note that the new st...

Страница 333: ...ple Apache HTTP Server 1 3 directive Port 123 ServerName www example com To migrate this setting to Apache HTTP Server 2 0 use the following structure Listen 123 ServerName www example com 123 For more on this topic refer to the following documentation on the Apache Software Foundation s website http httpd apache org docs 2 0 mod mpm_common html listen http httpd apache org docs 2 0 mod core html ...

Страница 334: ...l 22 2 2 1 3 Dynamic Shared Object DSO Support There are many changes required here and it is highly recommended that anyone trying to modify an Apache HTTP Server 1 3 configuration to suit version 2 0 as opposed to migrating the changes into the version 2 0 configuration copy this section from the stock Apache HTTP Server 2 0 configuration file Those who do not want to copy the section from the s...

Страница 335: ...ult values include them explicitly as conf srm conf and conf access conf files 22 2 2 2 Main Server Configuration The main server configuration section of the configuration file sets up the main server which responds to any requests that are not handled by a virtual host defined within a VirtualHost container Values here also provide defaults for any VirtualHost containers defined The directives u...

Страница 336: ...the FancyIndexing option within the IndexOptions directive The VersionSort option to the IndexOptions directive causes files containing version numbers to be sorted in a more natural way For example httpd 2 0 6 tar appears before httpd 2 0 36 tar in a directory index page The defaults for the ReadmeName and HeaderName directives have changed from README and HEADER to README html and HEADER html Fo...

Страница 337: ... Section 22 2 2 2 Main Server Configuration Important Note that SSL TLS virtual host configuration has been moved out of the main server configuration file and into etc httpd conf d ssl conf http httpd apache org docs 2 0 vhosts 22 2 2 4 Modules and Apache HTTP Server 2 0 In Apache HTTP Server 2 0 the module system has been changed to allow modules to be chained together or combined in new and int...

Страница 338: ...irectives which is used for configuring virtual hosts The User and Group directives can still be used in general but are deprecated for configuring virtual hosts For example the following is a sample Apache HTTP Server 1 3 directive VirtualHost vhost example com 80 User someone Group somegroup VirtualHost To migrate this setting to Apache HTTP Server 2 0 use the following structure VirtualHost vho...

Страница 339: ...e mod_disk_cache mod_mem_cache These generally use directives similar to the older versions of the mod_proxy module but it is advisable to verify each directive before migrating any cache settings For more on this topic refer to the following documentation on the Apache Software Foundation s website http httpd apache org docs 2 0 mod mod_proxy html 22 2 2 4 4 The mod_include Module The mod_include...

Страница 340: ...MType DB require valid user Location Note that the AuthDBMUserFile directive can also be used in htaccess files The dbmmanage Perl script used to manipulate username and password databases has been replaced by htdbm in Apache HTTP Server 2 0 The htdbm program offers equivalent functionality and like mod_auth_dbm can operate a variety of database formats the T option can be used on the command line...

Страница 341: ...r mod_perl 1 x should work without modification with mod_perl 2 x XS modules require recompilation and may require minor Makefile modifications 22 2 2 4 7 The mod_python Module Configuration for mod_python has moved from httpd conf to the etc httpd conf d python conf file For this file to be loaded and hence for mod_python to work the statement Include conf d conf must be in httpd conf as describe...

Страница 342: ...p httpd apache org docs 2 0 mod mod_auth_ldap html for details on the status of this module The etc httpd conf d authz_ldap conf file configures the mod_authz_ldap module Refer to usr share doc mod_authz_ldap version index html replacing version with the version number of the package or http authzldap othello ch for more information on configuring the mod_authz_ldap third party module 22 3 Startin...

Страница 343: ...wever needs to be enabled in your httpd conf configuration file for this to work For more details on mod_status can be found on http httpd apache org docs 2 2 mod mod_status html Note If running the Apache HTTP Server as a secure server the secure server s password is required after the machine boots when using an encrypted private SSL key You can find more information on http httpd apache org doc...

Страница 344: ...lick on the Virtual Hosts tab and configure the default settings 3 Under the Virtual Hosts tab configure the Default Virtual Host 4 To serve more than one URL or virtual host add any additional virtual hosts 5 Configure the server settings under the Server tab 6 Configure the connections settings under the Performance Tuning tab 7 Copy all necessary files to the DocumentRoot and cgi bin directorie...

Страница 345: ...listen to port 80 for non secure Web communications Click the Add button to define additional ports on which to accept requests A window as shown in Figure 22 2 Available Addresses appears Either choose the Listen to all addresses option to listen to all IP addresses on the defined port or specify a particular IP address over which the server accepts connections in the Address field Only specify o...

Страница 346: ...ch you can set your preferred settings To add new settings click on the Add button which will also display the Virtual Host Properties window Clicking on the Edit Default Settings button displays the Virtual Host Properties window without the General Options tab In the General Options tab you can change the hostname the document root directory and also set the webmaster s email address In the Host...

Страница 347: ... precedence for that virtual host For a directive not defined within the virtual host settings the default value is used 22 4 2 1 Site Configuration The figure below illustrates the Page Optionstab from which you can configure the Directory Page Search List and Error Pages If you are unsure of these settings do not modify them ...

Страница 348: ...en a user requests the page http www example com this_directory they are going to get either the DirectoryIndex page if it exists or a server generated directory list The server tries to find one of the files listed in the DirectoryIndex directive and returns the first one it finds If it does not find any of these files and if Options Indexes is set for that directory the server generates and retu...

Страница 349: ... all error pages along with the email address of the website maintainer specified by the ServerAdmin 7 directive Show footer Display just the default footer at the bottom of error pages No footer Do not display a footer at the bottom of error pages 22 4 2 2 SSL Support The mod_ssl enables encryption of the HTTP protocol over SSL SSL Secure Sockets Layer protocol is used for communication and encry...

Страница 350: ... strict access which forces denial of access whenever the SSLRequireSSL and SSLRequire directives indicate access is forbiden OptRenegotiate enables avoidance of unnecessary handshakes by mod_ssl which also performs safe parameter checks It is recommended to enable OptRenegotiate on a per directory basis More information on the above SSL options can be found on http httpd apache org docs 2 2 mod m...

Страница 351: ...attempts to access the Web server It records the IP address of the client that is attempting to connect the date and time of the attempt and the file on the Web server that it is trying to retrieve Enter the name of the path and file in which to store this information If the path and file name do not start with a slash the path is relative to the server root directory as configured This option cor...

Страница 352: ...ils on the format of this directive The error log contains a list of any server errors that occur Enter the name of the path and file in which to store this information If the path and file name do not start with a slash the path is relative to the server root directory as configured This option corresponds to the ErrorLog 13 directive 11 http httpd apache org docs 2 2 mod mod_log_config html logf...

Страница 353: ...e for your own Web server s benefit as well as for the Internet s benefit you should leave this option set to No Reverse Lookup 22 4 2 4 Environment Variables Use the Environment tab to configure options for specific variables to set pass or unset for CGI scripts Sometimes it is necessary to modify environment variables for CGI scripts or server side include SSI pages The Apache HTTP Server can us...

Страница 354: ...nment variable to unset Click OK to add it to the list This corresponds to the UnsetEnv 18 directive To edit any of these environment values select it from the list and click the corresponding Edit button To delete any entry from the list select it and click the corresponding Delete button To learn more about environment variables in the Apache HTTP Server refer to the following http httpd apache ...

Страница 355: ...y Options for all directories that are not specified in the Directory list below it The options that you choose are listed as the Options 20 directive within the Directory 21 directive You can configure the following options ExecCGI Allow execution of CGI scripts CGI scripts are not executed if this option is not chosen 19 http httpd apache org docs 2 2 mod core html directory 20 http httpd apache...

Страница 356: ...eside the Directory list box A window as shown in Figure 22 10 Directory Settings appears Enter the directory to configure in the Directory text field at the bottom of the window Select the options in the right hand list and configure the Order 22 directive with the left hand side options The Order directive controls the order in which allow and deny directives are evaluated In the Allow hosts fro...

Страница 357: ...ith the release of Apache HTTP Server 2 2 many configuration options have changed If migrating from version 1 3 to 2 2 please firstly read Section 22 2 2 Migrating Apache HTTP Server 1 3 Configuration Files to 2 0 22 5 1 General Configuration Tips If configuring the Apache HTTP Server edit etc httpd conf httpd conf and then either reload restart or stop and start the httpd process as outlined in S...

Страница 358: ... pair so that when a file of that media type is requested a particular CGI script is executed AddDescription When using FancyIndexing as an IndexOptions parameter the AddDescription directive can be used to display user specified descriptions for certain files or file types in a server generated directory listing The AddDescription directive supports listing specific files wildcard expressions or ...

Страница 359: ...h serve content in multiple languages based on the client Web browser s language settings AddType Use the AddType directive to define or override a default MIME type and file extension pairs The following example directive tells the Apache HTTP Server to recognize the tgz file extension AddType application x tar tgz Alias The Alias setting allows directories outside the DocumentRoot directory to b...

Страница 360: ...xpire Specifies how long HTML documents are retained without a reload from the originating Web server in the cache The default is 24 hours 86400 seconds CacheLastModifiedFactor Specifies the creation of an expiry expiration date for a document which did not come from its originating server with its own expiry set The default CacheLastModifiedFactor is set to 0 1 meaning that the expiry date for su...

Страница 361: ...ry on the system which needs more permissive settings has to be explicitly given those settings In the default configuration another Directory container is configured for the DocumentRoot which assigns less rigid parameters to the directory tree so that the Apache HTTP Server can access the files residing there The Directory container can be also be used to configure additional cgi bin directories...

Страница 362: ...ml The server looks for the following file in the default directory var www html foo html To change the DocumentRoot so that it is not shared by the secure and the non secure Web servers refer to Section 22 7 Virtual Hosts ErrorDocument The ErrorDocument directive associates an HTTP response code with a message or a URL to be sent back to the client By default the Web server outputs a simple and u...

Страница 363: ... that are applied if the test stated in the IfDefine tag is true The directives are ignored if the test is false The test in the IfDefine tags is a parameter name for example HAVE_PERL If the parameter is defined meaning that it is provided as an argument to the server s start up command then the test is true In this case when the Web server is started the test is true and the directives contained...

Страница 364: ...d in conjunction with FancyIndexing presents a short description for the file in server generated directory listings IndexOptions has a number of other parameters which can be set to control the appearance of server generated directories The IconHeight and IconWidth parameters require the server to include HTML HEIGHT and WIDTH tags for the icons in server generated webpages The IconsAreLinks para...

Страница 365: ...g Modules Note the load order of the modules is no longer important with Apache HTTP Server 2 0 Refer to Section 22 2 2 1 3 Dynamic Shared Object DSO Support for more information about Apache HTTP Server 2 0 DSO support Location The Location and Location tags create a container in which access control based on URL can be specified For instance to allow people connecting from within the server s do...

Страница 366: ...bpage which referred the client host to Web server User Agent i user agent Lists the type of Web browser making the request LogLevel LogLevel sets how verbose the error messages in the error logs are LogLevel can be set from least verbose to most verbose to emerg alert crit error warn notice info or debug The default LogLevel is warn MaxKeepAliveRequests This directive sets the maximum number of r...

Страница 367: ...rtualHost for more information Order The Order directive controls the order in which allow and deny directives are evaluated The server is configured to evaluate the Allow directives before the Deny directives for the DocumentRoot directory PidFile PidFile names the file where the server records its process ID PID By default the PID is listed in var run httpd pid Proxy Proxy and Proxy tags create ...

Страница 368: ...xecutables and scripts is designated by the ScriptAlias directive This directory is known as a cgi bin and is set to var www cgi bin by default It is possible to establish directories for storing executables outside of the cgi bin directory For instructions on doing so refer to AddHandler and Directory ServerAdmin Sets the ServerAdmin directive to the email address of the Web server administrator ...

Страница 369: ...ield sent back to clients should include details of the Operating System type and information about compiled in modules By default ServerTokens is set to Full which sends information about the Operating System type and compiled in modules Setting the ServerTokens to Prod sends the product name only and is recommended as many hackers check information in the Server header when scanning for vulnerab...

Страница 370: ...y files inaccessible to this user are also inaccessible to clients connecting to the Apache HTTP Server By default User is set to apache This directive has been deprecated for the configuration of virtual hosts Note For security reasons the Apache HTTP Server does not run as the root user UserDir UserDir is the subdirectory within each user s home directory where they should place personal HTML fi...

Страница 371: ...onf d ssl conf file It s purpose in this context is to disable HTTP keepalive and to allow SSL to close the connection without a closing notification from the client browser This setting is necessary for certain browsers that do not reliably shut down the SSL connection For more information on other directives within the SSL configuration file refer to the following URLs http localhost manual mod ...

Страница 372: ...ers The default MinSpareServers value is 5 the default MaxSpareServers value is 20 These default settings should be appropriate for most situations Be careful not to increase the MinSpareServers to a large number as doing so creates a heavy processing load on the server even when traffic is light MinSpareThreads and MaxSpareThreads These values are only used with the worker MPM They adjust how the...

Страница 373: ... header files as well as the APache eXtenSion usr sbin apxs application which uses the include files and the header files to compile DSOs After writing a module use usr sbin apxs to compile the module sources outside the Apache source tree For more information about using the usr sbin apxs command refer to the the Apache documentation online at http httpd apache org docs 2 2 dso html as well as th...

Страница 374: ...org docs 2 2 vhosts 22 8 Apache HTTP Secure Server Configuration This section provides basic information on the Apache HTTP Server with the mod_ssl security module enabled to use the OpenSSL library and toolkit The combination of these three components are referred to in this section as the secure Web server or just as the secure server The mod_ssl module is a security module for the Apache HTTP S...

Страница 375: ... keys think of them as secret encoder decoder rings in data format In conventional or symmetric cryptography both ends of the transaction have the same key which they use to decode each other s transmissions In public or asymmetric cryptography two keys co exist a public key and a private key A person or an organization keeps their private key a secret and publishes their public key Data encoded w...

Страница 376: ...ers for example if you previously used a different secure server product the VeriSign certificate you obtained to use with the previous configuration will not work with the new configuration You must obtain a new certificate If you have an existing key and certificate that you can use you do not have to generate a new key and obtain a new certificate However you may need to move and rename the fil...

Страница 377: ...r but be aware that a self signed certificate does not provide the same functionality as a CA signed certificate A self signed certificate is not automatically recognized by most Web browsers and does not provide any guarantee concerning the identity of the organization that is providing the website A CA signed certificate provides both of these important capabilities for a secure server If your s...

Страница 378: ...ng you wish to generate keys for www example com using the genkey utility type in the following command in your terminal genkey www example com Please note that the make based process is no longer shipped with RHEL 5 This will start the genkey graphical user interface The figure below illustrates the first screen To navigate use the keyboard arrow and tab keys This windows indicates where your key...

Страница 379: ...tep The figure below illustrates the key size selection screen Figure 22 12 Choose key size Selecting the next step will initiate the random bits generation process which may take some time depending on the size of your selected key The larger the size of your key the longer it will take to generate it ...

Страница 380: ...hapter 22 Apache HTTP Server 354 Figure 22 13 Generating random bits On generating your key you will be prompted to send a Certificate Request CSR to a Certificate Authority CA Figure 22 14 Generate CSR ...

Страница 381: ...llow you to generate a self signed certificate The next step for this is illustrated in Figure 22 17 Generating a self signed certificate for your server Figure 22 15 Choose Certificate Authority CA On Selecting your preferred option select Next to proceed to the next step The next screen allows you to enter the details of your certificate ...

Страница 382: ...generate a CSR To do this select No as your preferred option in the Generate CSR screen This will display the figure below from which you can enter your certificate details Entering your certificate details and pressing the return key will display the Figure 22 19 Protecting your private key from which you can choose to encrypt your private key or not ...

Страница 383: ...ur certificate select Next to proceed The figure below illustrates an example of a the next screen displayed after completing the details for a certificate to be sent to Equifax Please note that if you are generating a self signed key for your server this screen is not displayed Figure 22 18 Begin certificate request ...

Страница 384: ...ption select Next to proceed to the next step Figure 22 19 Protecting your private key The next screen allows you to set your key passphase Please do not lose this pass phase as you will not be able to run the server without it You will need to regenerate a new private or public key pair and request a new certificate from your CA as indicated For security the passphase is not displayed as you type...

Страница 385: ...20 Set passphase If you attempt to run genkey makeca on a server that has an existing key pair an error message will be displayed as illustrated below You need to delete your existing key file as indicated to generate a new key pair ...

Страница 386: ... submitting the CSR Copy the certificate to the path for example etc pki tls certs www example com crt Edit etc httpd conf d ssl conf Change the SSLCertificateFile and SSLCertificateKey lines to be SSLCertificateFile etc pki tls certs www example com crt SSLCertificateKeyFile etc pki tls private www example com key where the www example com part should match the argument passed on the genkey comma...

Страница 387: ...che org The official website for the Apache HTTP Server with documentation on all the directives and default modules http www modssl org The official website for mod_ssl http www apacheweek com A comprehensive online weekly newsletter about all things Apache ...

Страница 388: ...362 ...

Страница 389: ...ese modes active mode Active mode is the original method used by the FTP protocol for transferring data to the client application When an active mode data transfer is initiated by the FTP client the server opens a connection from port 20 on the server to the IP address and a random unprivileged port greater than 1024 specified by the client This arrangement means that the client machine must be al...

Страница 390: ...hen considered a chroot jail For example if the directory var ftp is the primary shared directory vsftpd reassigns var ftp to the new root directory known as This disallows any potential malicious hacker activities for any directories not contained below the new root directory Use of these security practices has the following effect on how vsftpd deals with requests The parent process runs with th...

Страница 391: ...irective is set to YES default or NO in etc vsftpd vsftpd conf If etc vsftpd user_list is used to grant access to users the usernames listed must not appear in etc vsftpd ftpusers var ftp The directory containing files served by vsftpd It also contains the var ftp pub directory for anonymous users Both directories are world readable but writable only by the root user 23 4 Starting and Stopping vsf...

Страница 392: ...files refer to Chapter 17 Berkeley Internet Name Domain BIND For vsftpd to answer requests on different IP addresses multiple copies of the daemon must be running The first copy must be run using the vsftpd initscripts as outlined in Section 23 4 Starting and Stopping vsftpd This copy uses the standard configuration file etc vsftpd vsftpd conf Each additional FTP site must have a configuration fil...

Страница 393: ...n a directive Comment lines must be preceded by a hash mark and are ignored by the daemon For a complete list of all directives available refer to the man page for vsftpd conf Important For an overview of ways to secure vsftpd refer to Section 43 2 Server Security The following is a list of some of the more important directives within etc vsftpd vsftpd conf All directives not explicitly found with...

Страница 394: ... in the ftpd_banner directive There is no default value for this directive cmds_allowed Specifies a comma delimited list of FTP commands allowed by the server All other commands are rejected There is no default value for this directive deny_email_enable When enabled any anonymous user utilizing email passwords specified in the etc vsftpd banned_emails are denied access to the server The name of th...

Страница 395: ... User Options The following lists directives which control anonymous user access to the server To use these options the anonymous_enable directive must be set to YES anon_mkdir_write_enable When enabled in conjunction with the write_enable directive anonymous users are allowed to create new directories within a parent directory which has write permissions The default value is NO anon_root Specifie...

Страница 396: ...t_list_file directive are placed in a chroot jail upon log in If enabled in conjunction with the chroot_local_user directive the local users listed in the file specified in the chroot_list_file directive are not placed in a chroot jail upon log in The default value is NO chroot_list_file Specifies the file containing a list of local users referenced when the chroot_list_enable directive is set to ...

Страница 397: ...irectories dirlist_enable When enabled users are allowed to view directory lists The default value is YES dirmessage_enable When enabled a message is displayed whenever a user enters a directory with a message file This message resides within the current directory The name of this file is specified in the message_file directive and is message by default The default value is NO Note in Red Hat Ente...

Страница 398: ...ecified in the xferlog_file directive var log xferlog by default and a standard vsftpd log file specified in the vsftpd_log_file directive var log vsftpd log by default The default value is NO log_ftp_protocol When enabled in conjunction with xferlog_enable and with xferlog_std_format set to NO all FTP commands and responses are logged This directive is useful for debugging The default value is NO...

Страница 399: ...d does not log connections to the server The default value is NO Note in Red Hat Enterprise Linux the value is set to YES Important To maintain compatibility with log files written by the older wu ftpd FTP server the xferlog_std_format directive is set to YES under Red Hat Enterprise Linux However this setting means that connections to the server are not logged To both log connections in vsftpd fo...

Страница 400: ...twork connections There is no default value for this directive Tip If running multiple copies of vsftpd serving different IP addresses the configuration file for each copy of the vsftpd daemon must have a different value for this directive Refer to Section 23 4 1 Starting Multiple Copies of vsftpd for more information about multihomed FTP servers listen_address6 Specifies the IPv6 address on which...

Страница 401: ...ssive mode connections This setting is used to limit the port range so that firewall rules are easier to create The default value is 0 which does not limit the highest passive port range The value must not exceed 65535 pasv_min_port Specifies the lowest possible port sent to the FTP clients for passive mode connections This setting is used to limit the port range so that firewall rules are easier ...

Страница 402: ...ges Server Applications man vsftpd Describes available command line options for vsftpd Configuration Files man vsftpd conf Contains a detailed list of options available within the configuration file for vsftpd man 5 hosts_access Describes the format and options available within the TCP wrappers configuration files hosts allow and hosts deny 23 6 2 Useful Websites http vsftpd beasts org The vsftpd ...

Страница 403: ... then supplied to the recipient s email client To enable this process a variety of standard network protocols allow different machines often running different operating systems and using different email programs to send and receive email The following protocols discussed are the most commonly used in the transfer of email 24 1 1 Mail Transport Protocols Mail delivery from a client application to t...

Страница 404: ...ntent of each message This can take a long time if any messages have large attachments The most current version of the standard POP protocol is POP3 There are however a variety of lesser used POP protocol variants APOP POP3 with MDS authentication An encoded hash of the user s password is sent from the email client to the server rather then sending an unencrypted password KPOP POP3 with Kerberos a...

Страница 405: ...e included in the dovecot package The use of IMAP and POP is configured through dovecot by default dovecot runs only IMAP To configure dovecot to use POP 1 Edit etc dovecot conf to have the line protocols imap imaps pop3 pop3s 2 Make that change operational for the current session by running the command sbin service dovecot restart 3 Make that change operational after the next reboot by running th...

Страница 406: ...wever these client programs only send outbound messages to an MTA they are authorized to use and do not directly deliver the message to the intended recipient s email server Since Red Hat Enterprise Linux installs two MTAs Sendmail and Postfix email client programs are often not required to act as an MTA Red Hat Enterprise Linux also includes a special purpose MTA called Fetchmail For more informa...

Страница 407: ...eyond the scope of this section to go into all that Sendmail should or could be configured to do With literally hundreds of different options and rule sets entire volumes have been dedicated to helping explain everything that can be done and how to fix things that go wrong Refer to the Section 24 7 Additional Resources for a list of Sendmail resources This section reviews the files installed with ...

Страница 408: ...ple com add the following line to the virtusertable file example com bob other example com To finalize the change the virtusertable db file must be updated using the following command as root makemap hash etc mail virtusertable etc mail virtusertable This creates an updated virtusertable db file containing the new configuration 24 3 1 3 Common Sendmail Configuration Changes When altering the Sendm...

Страница 409: ...e generated Consult the usr share sendmail cf README file before editing any files in the directories under the usr share sendmail cf directory as they can affect the future configuration of etc mail sendmail cf files 24 3 1 4 Masquerading One common Sendmail configuration is to have a single machine act as a mail gateway for all machines on the network For instance a company may want to have a ma...

Страница 410: ...er badspammer com ERROR 550 Go away and do not spam us anymore tux badspammer com OK 10 0 RELAY This example shows that any email sent from badspammer com is blocked with a 550 RFC 821 compliant error code with a message sent back to the spammer Email sent from the tux badspammer com sub domain is accepted The last line shows that any email sent from the 10 0 network can be relayed through the mai...

Страница 411: ...s to use a common LDAP server Consult usr share sendmail cf README for detailed LDAP routing configuration instructions and examples Next recreate the etc mail sendmail cf file by running m4 and restarting Sendmail Refer to Section 24 3 1 3 Common Sendmail Configuration Changes for instructions For more information on LDAP refer to Chapter 25 Lightweight Directory Access Protocol LDAP 24 3 2 Postf...

Страница 412: ...x main cf file does not allow Postfix to accept network connections from a host other than the local computer For instructions on configuring Postfix as a server for other clients refer to Section 24 3 2 2 Basic Postfix Configuration When changing some options within files in the etc postfix directory it may be necessary to restart the postfix service for the changes to take effect The easiest way...

Страница 413: ...a fetchmailrc file in the user s home directory Using preferences in the fetchmailrc file Fetchmail checks for email on a remote server and downloads it It then delivers it to port 25 on the local machine using the local MTA to place the email in the correct user s spool file If Procmail is available it is launched to filter the email and place it in a mailbox so that it can be read by an MUA 24 3...

Страница 414: ...et3 is user1 here In this example the global options specify that the user is sent email as a last resort postmaster option and all email errors are sent to the postmaster instead of the sender bouncemail option The set action tells Fetchmail that this line contains a global option Then two email servers are specified one set to check using POP3 the other for trying various protocols to find one t...

Страница 415: ...ail gives up on a connection attempt If this value is not set a default of 300 seconds is assumed 24 3 3 4 User Options User options may be placed on their own lines beneath a server option or on the same line as the server option In either case the defined options must follow the user option defined below fetchall Orders Fetchmail to download all messages in the queue including messages that have...

Страница 416: ...splaying every communication between Fetchmail and remote email servers V Displays detailed version information lists its global options and shows settings to be used with each user including the email protocol and authentication method No email is retrieved for any users when using this option 24 3 3 7 Special Options These options are occasionally useful for overriding defaults often found in th...

Страница 417: ... package must also be installed Note For more information on installing RPM packages refer to Part II Package Management To start the Mail Transport Agent Switcher select System the main menu on the panel Administration Mail Transport Agent Switcher or type the command system switch mail at a shell prompt for example in an XTerm or GNOME terminal The program automatically detects if the X Window S...

Страница 418: ...atches a specified set of conditions or recipes in the rc file If a message matches a recipe then the email is placed in a specified file is deleted or is otherwise processed When Procmail starts it reads the email message and separates the body from the header information Next Procmail looks for etc procmailrc and rc files in the etc procmailrcs directory for default system wide Procmail environm...

Страница 419: ...IR Sets the current working directory for Procmail If set all other Procmail paths are relative to this directory ORGMAIL Specifies the original mailbox or another place to put the messages if they cannot be placed in the default or recipe required location By default a value of var spool mail LOGNAME is used SUSPEND Sets the amount of time in seconds that Procmail pauses if a necessary resource s...

Страница 420: ...action to perform specifies the action taken when the message matches one of the conditions There can only be one action per recipe In many cases the name of a mailbox is used here to direct matching messages into that file effectively sorting the email Special action characters may also be used before the action is specified Refer to Section 24 5 2 4 Special Conditions and Actions for more inform...

Страница 421: ...lt h Uses the header in a resulting action This is the default behavior w Tells Procmail to wait for the specified filter or program to finish and reports whether or not it was successful before considering the message filtered W Is identical to w except that Program failure messages are suppressed For a detailed list of additional flags refer to the procmailrc man page 24 5 2 3 Specifying a Local...

Страница 422: ... section The structure of Procmail recipes and useful sample Procmail recipes can be found at various places on the Internet such as http www iki fi era procmail links html The proper use and adaptation of regular expressions can be derived by viewing these recipe examples In addition introductory information about basic regular expression rules can be found in the grep man page The following simp...

Страница 423: ... To lines Consult the many Procmail online resources available in Section 24 7 Additional Resources for more detailed and powerful recipes 24 5 2 6 Spam Filters Because it is called by Sendmail Postfix and Fetchmail upon receiving new emails Procmail can be used as a powerful tool for combating spam This is particularly true when Procmail is used in conjunction with SpamAssassin When used together...

Страница 424: ...e scores of mail programs available under Red Hat Enterprise Linux There are full featured graphical email client programs such as Ximian Evolution as well as text based email programs such as mutt The remainder of this section focuses on securing communication between the client and server 24 6 1 Securing Communication Popular MUAs included with Red Hat Enterprise Linux such as Ximian Evolution a...

Страница 425: ...lete the process To create a self signed SSL certificate for POP change to the etc pki tls certs directory and type the following commands as root rm f ipop3d pem make ipop3d pem Again answer all of the questions to complete the process Important Please be sure to remove the default imapd pem and ipop3d pem files before issuing each make command Once finished execute the sbin service xinetd restar...

Страница 426: ...ation on m4 file locations for Sendmail supported mailers how to access enhanced features and more In addition the sendmail and aliases man pages contain helpful information covering various Sendmail options and the proper configuration of the Sendmail etc mail aliases file usr share doc postfix version number Contains a large amount of information about ways to configure Postfix Replace version n...

Страница 427: ...An excellent Procmail FAQ offers troubleshooting tips details about file locking and the use of wildcard characters http www uwasa fi ts info proctips html Contains dozens of tips that make using Procmail much easier Includes instructions on how to test procmailrc files and use Procmail scoring to decide if a particular action should be taken http www spamassassin org The official site of the Spam...

Страница 428: ...402 ...

Страница 429: ...ver it can either query a directory or attempt to modify it In the event of a query the server either answers the query locally or it can refer the querent to an LDAP server which does have the answer If the client application is attempting to modify information within an LDAP directory the server verifies that the user has permission to make the change and then adds or updates the information Thi...

Страница 430: ...lude a fax number an address and so on People can also be represented as entries in an LDAP directory with common attributes such as the person s telephone number and email address Some attributes are required while other attributes are optional An objectclass definition sets which attributes are required for each entry Objectclass definitions are found in various schema files located in the etc o...

Страница 431: ...ple LDAP servers To perform administrative tasks the openldap servers package installs the following utilities into the usr sbin directory slapadd Adds entries from an LDIF file to an LDAP directory For example the command usr sbin slapadd l ldif input reads in the LDIF file ldif input containing the new entries Important Only the root user may use usr sbin slapadd However the directory server run...

Страница 432: ...rms a comparison using specified parameters ldapwhoami Opens a connection to an LDAP server binds and performs a whoami operation ldapmodrdn Opens a connection to an LDAP server binds and modifies the RDNs of entries With the exception of ldapsearch each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be ...

Страница 433: ...authorizing users based on attributes of that user s LDAP directory entry determining access to assets based on the user and group privileges of the asset and denying access for users with expired passwords The mod_ssl module is required when using the mod_authz_ldap module Important The mod_authz_ldap module does not authenticate a user to an LDAP directory using an encrypted password hash This f...

Страница 434: ...files are referenced in etc openldap slapd conf using include lines as shown in this example include etc openldap schema core schema include etc openldap schema cosine schema include etc openldap schema inetorgperson schema include etc openldap schema nis schema include etc openldap schema rfc822 MailMember schema include etc openldap schema redhat autofs schema Caution Do not modify schema items ...

Страница 435: ...n about configuring services refer to Chapter 16 Controlling Access to Services 4 Add entries to an LDAP directory with ldapadd 5 Use ldapsearch to determine if slapd is accessing the information correctly 6 At this point the LDAP directory should be functioning properly and can be configured with LDAP enabled applications 25 6 1 Editing etc openldap slapd conf To use the slapd LDAP server modify ...

Страница 436: ... encryption is enabled To enable TLS encryption review the comments in etc openldap slapd conf and refer to the man page for slapd conf For added security the rootpw directive should be commented out after populating the LDAP directory by preceding it with a hash mark When using the usr sbin slapadd command line tool locally to populate the LDAP directory use of the rootpw directive is not necessa...

Страница 437: ...pport under the User Information tab It is also possible to edit these files by hand On the client machines the etc nsswitch conf must be edited to use LDAP To do this run the Authentication Configuration Tool system config authentication and select Enable LDAP Support under the User Information tab If editing etc nsswitch conf by hand add ldap to the appropriate lines For example passwd files lda...

Страница 438: ...o migrate_all_offline sh NetInfo yes migrate_all_netinfo_online sh NetInfo no migrate_all_netinfo_offline sh NIS YP yes migrate_all_nis_online sh NIS YP no migrate_all_nis_offline sh Table 25 1 LDAP Migration Scripts 25 8 Migrating Directories from Earlier Releases With Red Hat Enterprise Linux OpenLDAP uses Sleepycat Software s Berkeley DB system as its on disk storage format for directories Earl...

Страница 439: ...dapsearch Describes how to search for entries within an LDAP directory man ldappasswd Describes how to set or change the password of an LDAP user man ldapcompare Describes how to use the ldapcompare tool man ldapwhoami Describes how to use the ldapwhoami tool man ldapmodrdn Describes how to modify the RDNs of entries Server Applications man slapd Describes command line options for the LDAP server ...

Страница 440: ...version changes http www padl com 2 Developers of nss_ldap and pam_ldap among other useful LDAP tools http www kingsmountain com ldapRoadmap shtml Jeff Hodges LDAP Road Map contains links to several useful FAQs and emerging news concerning the LDAP protocol http www ldapman org articles Articles that offer a good introduction to LDAP including methods to design a directory tree and customizing dir...

Страница 441: ...on Tool then the firewall will prevent NIS Network Information Service authentication This chapter does not explain each of the different authentication types in detail Instead it explains how to use the Authentication Configuration Tool to configure them To start the graphical version of the Authentication Configuration Tool from the desktop select the System on the panel Administration Authentic...

Страница 442: ... for user and password authentication Click the Configure NIS button to specify the NIS domain and NIS server If the NIS server is not specified the daemon attempts to find it via broadcast The ypbind package must be installed for this option to work If NIS support is enabled the portmap and ypbind services are started and are also enabled to start at boot time For more information about NIS refer...

Страница 443: ...ing Hesiod LHS Specifies the domain prefix used for Hesiod queries Hesiod RHS Specifies the default Hesiod domain The hesiod package must be installed for this option to work For more information about Hesiod refer to its man page using the command man hesiod You can also refer to the hesiod conf man page man hesiod conf for more information on LHS and RHS Winbind The Enable Winbind Support option...

Страница 444: ...server should act as a domain member of Winbind Domain Controllers Use this option to specify which domain controller winbind should use For more information about domain controllers please refer to Section 20 6 3 Domain Controller Template Shell When filling out the user information for a Windows NT user the winbindd daemon uses the value chosen here to to specify the login shell for that user Fo...

Страница 445: ...s button to open the Kerberos Settings dialogue and configure the following Realm Configures the realm for the Kerberos server The realm is the network that uses Kerberos composed of one or more KDCs and a potentially large number of clients KDC Defines the Key Distribution Center KDC which is the server that issues Kerberos tickets Admin Servers Specifies the administration server s running kadmi...

Страница 446: ...nd coolkey packages must be installed for this option to work For more information about smart cards refer to Section 43 3 1 3 Supported Smart Cards under Section 43 3 Single Sign on SSO SMB The Enable SMB Support option configures PAM to use a Server Message Block SMB server to authenticate users SMB refers to a client server protocol used for cross system communication it is also the protocol us...

Страница 447: ...ust be installed for this option to work For more information about nscd refer to its man page using the command man nscd Use Shadow Passwords Select this option to store passwords in shadow password format in the etc shadow file instead of etc passwd Shadow passwords are enabled by default during installation and are highly recommended to increase the security of the system ...

Страница 448: ...em accounts including root in the machine 26 4 Command Line Version The Authentication Configuration Tool can also be run as a command line tool with no interface The command line version can be used in a configuration script or a kickstart script The authentication options are summarized in Table 26 1 Command Line Options Tip These options can also be found in the authconfig man page or by typing...

Страница 449: ...mbservers server Specify SMB servers enablewinbind Enable winbind for user information by default disablewinbind Disable winbind for user information by default enablewinbindauth Enable winbindauth for authentication by default disablewinbindauth Disable winbindauth for authentication by default smbsecurity user server domain ads Security mode to use for Samba and winbind smbrealm STRING Default r...

Страница 450: ...users with no domain in their usernames are not domain users winbindjoin Administrator Joins the winbind domain or ADS realm now as this administrator enablewins Enable WINS for hostname resolution disablewins Disable WINS for hostname resolution enablehesiod Enable Hesiod disablehesiod Disable Hesiod hesiodlhs lhs Specify Hesiod LHS hesiodrhs rhs Specify Hesiod RHS enablecache Enable nscd disable...

Страница 451: ...em Configuration Part of a system administrator s job is configuring the system for various tasks types of users and hardware configurations This section explains how to configure a Red Hat Enterprise Linux system ...

Страница 452: ......

Страница 453: ...used at the console To completely disable this ability comment out the following line in etc inittab by putting a hash mark in front of it ca ctrlaltdel sbin shutdown t3 r now Alternatively you may want to allow certain non root users the right to shutdown or reboot the system from the console using Ctrl Alt Del You can restrict this privilege to certain users by taking the following steps 1 Add t...

Страница 454: ...oks like this console tty 0 9 0 9 vc 0 9 0 9 0 9 0 9 0 9 When users log in they are attached to some sort of named terminal which can be either an X server with a name like 0 or mymachine example com 1 0 or a device like dev ttyS0 or dev pts 2 The default is to define that local virtual consoles and local X servers are considered local but if you want to consider the serial terminal next to you on...

Страница 455: ...ar to the following console 0660 floppy 0660 root floppy console 0600 sound 0640 root console 0600 cdrom 0600 root disk To define permissions for a scanner add a line similar to the following in 51 default perms console 0600 scanner 0600 root Then when you log in at the console you are given ownership of the dev scanner device with the permissions of 0600 readable and writable by you only When you...

Страница 456: ... any other application that is configured to use pam_timestamp and run from the same session is automatically authenticated for the user the user does not have to enter the root password again This module is included in the pam package To enable this feature add the following lines to your PAM configuration file in etc pam d auth include config util account include config util session include conf...

Страница 457: ...e floppy group using the tool of your choice For example the gpasswd command can be used to add user fred to the floppy group gpasswd a fred floppy Now user fred is able to access the system s diskette drive from the console ...

Страница 458: ...432 ...

Страница 459: ...rs used by amd these parameters allow for the automatic mounting and unmounting of file systems 28 1 2 etc sysconfig apmd The etc sysconfig apmd file is used by apmd to configure what power settings to start stop change on suspend or resume This file configures how apmd functions at boot time depending on whether the hardware supports Advanced Power Management APM or whether the user has configure...

Страница 460: ...c automount rules The default value is an empty string DAEMONOPTIONS value where value is the timeout length in seconds before unmounting the device The default value is 60 seconds timeout 60 UNDERSCORETODOT value where value is a binary value that controls whether to convert underscores in file names into dots For example auto_home to auto home and auto_mnt to auto mnt The default value is 1 true...

Страница 461: ...rsal Time Greenwich Mean Time ARC The ARC console s 42 year time offset is in effect for Alpha based systems only 28 1 7 etc sysconfig desktop The etc sysconfig desktop file specifies the desktop for new users and the display manager to run when entering runlevel 5 Correct values are DESKTOP value where value is one of the following GNOME Selects the GNOME desktop environment KDE Selects the KDE d...

Страница 462: ...al applications and documentation The etc sysconfig firstboot file tells the Setup Agent application not to run on subsequent reboots To run it the next time the system boots remove etc sysconfig firstboot and execute chkconfig level 5 firstboot on 28 1 11 etc sysconfig gpm The etc sysconfig gpm file is used to pass arguments to the gpm daemon at boot time The gpm daemon is the mouse server which ...

Страница 463: ...olor via the echo en command The default color is set to red SETCOLOR_WARNING value where value sets the warning color via the echo en command The default color is set to yellow SETCOLOR_NORMAL value where value resets the color to normal via the echo en LOGLEVEL value where value sets the initial console logging level for the kernel The default is 3 8 means everything including debugging while 1 ...

Страница 464: ...tem are configured at startup The following values may be used IRDA value where value is one of the following boolean values yes irattach runs and periodically checks to see if anything is trying to connect to the infrared port such as another notebook computer trying to make a network connection For infrared devices to work on the system this line must be set to yes no irattach does not run preve...

Страница 465: ...aemon at boot time The named daemon is a Domain Name System DNS server which implements the Berkeley Internet Name Domain BIND version 9 distribution This server maintains a table of which hostnames are associated with IP addresses on the network Currently only the following values may be used ROOTDIR some where where some where refers to the full directory path of a configured chroot environment ...

Страница 466: ...map which dynamically assigns ports for RPC services This causes problems for configuring firewall rules To overcome this problem use the etc sysconfig nfs file to control which ports the required RPC services run on The etc sysconfig nfs may not exist by default on all systems If it does not exist create it and add the following variables alternatively if the file exists un comment and change the...

Страница 467: ...ut available parameters for this file refer to the radvd man page By default this file sets the owner of the radvd process to the user radvd 28 1 25 etc sysconfig samba The etc sysconfig samba file is used to pass arguments to the smbd and the nmbd daemons at boot time The smbd daemon offers file sharing connectivity for Windows clients on the network The nmbd daemon offers NetBIOS over IP naming ...

Страница 468: ... chosen by the user the last time the Security Level Configuration Tool system config securitylevel was run Users should not modify this file by hand For more information about the Security Level Configuration Tool refer to Section 43 8 2 Basic Firewall Configuration 28 1 31 etc sysconfig system config selinux The etc sysconfig system config selinux file contains all options chosen by the user the...

Страница 469: ...used to pass arguments to the xinetd daemon at boot time The xinetd daemon starts programs that provide Internet services when a request to the port for that service is received For more information about available parameters for this file refer to the xinetd man page For more information on the xinetd service refer to Section 43 5 3 xinetd 28 2 Directories in the etc sysconfig Directory The follo...

Страница 470: ...ration files and GPG keys for Red Hat Network No files in this directory should be edited by hand For more information on Red Hat Network refer to the Red Hat Network website online at https rhn redhat com 28 3 Additional Resources This chapter is only intended as an introduction to the files in the etc sysconfig directory The following source contains more comprehensive information 28 3 1 Install...

Страница 471: ...leges to use the tool There are three ways to start the application From the desktop go to Applications the main menu on the panel System Settings Date Time From the desktop right click on the time in the toolbar and select Adjust Date and Time Type the command system config date system config time or dateconfig at a shell prompt for example in an XTerm or a GNOME terminal 29 1 Time and Date Prope...

Страница 472: ...e arrows to the left and right of the year to change the year and click on the day of the week to change the day of the week To change the time use the up and down arrow buttons beside the Hour Minute and Second in the Time section Clicking the OK button applies any changes made to the date and time the NTP daemon settings and the time zone settings It also exits the program ...

Страница 473: ...ion allows you to configure an NTP daemon to synchronize your system clock with a remote server To enable this feature select Enable Network Time Protocol This enables the NTP Servers list and other options You can choose one of the predefined servers edit a predefined server by clicking the Edit or add a new server name by clicking Add Your system does not start synchronizing with the NTP server ...

Страница 474: ...by choosing the desired time zone from the list below the map To use the map click on the desired region The map zooms into the region selected after which you may choose the city specific to your time zone A red X appears and the time zone selection changes in the list below the map Alternatively you can also use the list below the map In the same way that the map lets you choose a region before ...

Страница 475: ... Properties If your system clock is set to use UTC select the System clock uses UTC option UTC stands for the Universal Time Coordinated also known as Greenwich Mean Time GMT Other time zones are determined by adding or subtracting from the UTC time ...

Страница 476: ...450 ...

Страница 477: ...out after installation use the Keyboard Configuration Tool To start the Keyboard Configuration Tool select System on the panel Administration Keyboard or type the command system config keyboard at a shell prompt Figure 30 1 Keyboard Configuration Tool Select a keyboard layout from the list for example U S English and click OK Changes take effect immediately ...

Страница 478: ...452 ...

Страница 479: ...ng user requests to the X server 31 1 The X11R7 1 Release Red Hat Enterprise Linux 5 2 now uses the X11R7 1 release as the base X Window System which includes several video driver EXA and platform support enhancements over the previous release among others In addition this release also includes several automatic configuration features for the X server X11R7 1 is the first release to take specific ...

Страница 480: ...that most Red Hat Enterprise Linux users are familiar with To create the latter more comprehensive GUI two main classes of X client application must connect to the X server a desktop environment and a window manager 31 2 1 Desktop Environments A desktop environment integrates various X clients to create a common graphical user environment and development platform Desktop environments have advanced...

Страница 481: ...er to Section 16 1 Runlevels Once you are logged in to Runlevel 3 you will be presented with a terminal prompt not a graphical environment To start a window manager type xinit e path to window manager at the prompt path to window manager is the location of the window manager binary file The binary file can be located by typing which window manager name where window manager name is the name of the ...

Страница 482: ... etc X11 xorg conf file accept a boolean switch which turns the feature on or off Acceptable boolean values are 1 on true or yes Turns the option on 0 off false or no Turns the option off The following are some of the more important sections in the order in which they appear in a typical etc X11 xorg conf file More detailed information about the X server configuration file can be found in the xorg...

Страница 483: ...ier Screen0 An example of a Screen section with the identifier Screen0 can be found in Section 31 3 1 9 Screen If the video card has more than one head another Screen entry with a different number and a different Screen section identifier is necessary The numbers to the right of Screen0 give the absolute X and Y coordinates for the upper left corner of the screen 0 0 by default InputDevice Specifi...

Страница 484: ...ath is unix 7100 This tells the X server to obtain font information using UNIX domain sockets for inter process communication IPC on port 7100 Refer to Section 31 4 Fonts for more information concerning X and fonts ModulePath An optional parameter which specifies alternate directories which store X server modules 31 3 1 5 Module By default the X server automatically loads the following modules fro...

Страница 485: ...the device A mouse may also be specified to override any autodetected defaults for the device The following options are typically included when adding a mouse in the xorg conf Protocol Specifies the protocol used by the mouse such as IMPS 2 Device Specifies the location of the physical device Emulate3Buttons Specifies whether to allow a two button mouse to act like a three button mouse when both m...

Страница 486: ...video modes for the monitor at particular resolutions with certain horizontal sync and vertical refresh resolutions Refer to the xorg conf man page for a more detailed explanation of Modeline entries Option option name An optional entry which specifies extra parameters for the section Replace option name with a valid option listed for this section in the xorg conf man page 31 3 1 8 Device Each Dev...

Страница 487: ...n in the xorg conf man page One of the more common options is dpms for Display Power Management Signaling a VESA standard which activates the Service Star energy compliance setting for the monitor 31 3 1 9 Screen Each Screen section binds one video card or video card head to one monitor by referencing the Device section and the Monitor section for each While one Screen section is the minimum addit...

Страница 488: ...lustrates a typical DRI section Section DRI Group 0 Mode 0666 EndSection Since different video cards use DRI in different ways do not add to this section without first referring to http dri sourceforge net 31 4 Fonts Red Hat Enterprise Linux uses two subsystems to manage and display fonts under X Fontconfig and xfs The newer Fontconfig font subsystem simplifies font management and provides advance...

Страница 489: ...ng new fonts to the Fontconfig subsystem is a straightforward process 1 To add fonts system wide copy the new fonts into the usr share fonts directory It is a good idea to create a new subdirectory such as local or similar to help distinguish between user installed and default fonts To add fonts for an individual user copy the new fonts into the fonts directory in the user s home directory 2 Use t...

Страница 490: ...t separate each font path in a list Use the string unscaled immediately after the font path to make the unscaled fonts in that path load first Then specify the entire path again so that other scaled fonts are also loaded client limit Specifies the maximum number of clients the font server services The default is 10 clone self Allows the font server to clone a new version of itself when the client ...

Страница 491: ...s scale 4 Reload the xfs font server configuration file by issuing the following command as root service xfs reload 31 5 Runlevels and X In most cases the Red Hat Enterprise Linux installer configures a machine to boot into a graphical login environment known as Runlevel 5 It is possible however to boot into a text only multi user mode called Runlevel 3 and begin an X session from there For more i...

Страница 492: ...nt trying GNOME first and then KDE followed by twm When in runlevel 3 the user is returned to a text mode user session after ending an X session 31 5 2 Runlevel 5 When the system boots into runlevel 5 a special X client application called a display manager is launched A user must authenticate using the display manager before any desktop environment or window managers are launched Depending on the ...

Страница 493: ...For more information on how display managers control user authentication refer to the usr share doc gdm version number README where version number is the version number for the gdm package installed and the xdm man page 31 6 Additional Resources There is a large amount of detailed information available about the X server the clients that connect to it and the assorted desktop environments and wind...

Страница 494: ...468 ...

Страница 495: ...ram After changing any of the settings log out of the graphical desktop and log back in to enable the changes 32 1 Display Settings The Settings tab allows users to change the resolution and color depth The display of a monitor consists of tiny dots called pixels The number of pixels displayed at one time is called the resolution For example the resolution 1024x768 means that 1024 horizontal pixel...

Страница 496: ...isplay Hardware Settings Figure 32 2 Display Hardware Settings To change the monitor type or any of its settings click the corresponding Configure button To change the video card type or any of its settings click the Configure button beside its settings 32 3 Dual Head Display Settings If multiple video cards are installed on the system dual head monitor support is available and is configured via t...

Страница 497: ...lick the corresponding Configure button You can also configure the other Dual head settings by using the corresponding drop down list For the Desktop layout option selecting Spanning Desktops allows both monitors to use an enlarged usable workspace Selecting Individual Desktops shares the mouse and keyboard among the displays but restricts windows to a single display ...

Страница 498: ...472 ...

Страница 499: ...s for the owner the group and everyone else The file owner can be changed only by the root user and access permissions can be changed by both the root user and file owner Red Hat Enterprise Linux also supports access control lists ACLs for files and directories which allow permissions for specific users outside of the owner to be set For more information about ACLs refer to Chapter 8 Access Contro...

Страница 500: ...User Manager does not display system users To view all users including the system users go to Edit Preferences and uncheck Hide system users and groups from the dialog box 33 1 1 Adding a New User To add a new user click the Add User button A window as shown in Figure 33 2 New User appears Type the username and full name for the new user in the appropriate fields Type the user s password in the Pa...

Страница 501: ...rise Linux uses a user private group UPG scheme The UPG scheme does not add or change anything in the standard UNIX way of handling groups it offers a new convention Whenever you create a new user by default a unique group with the same name as the user is created If you do not want to create this group unselect Create a private group for the user To specify a user ID for the user select Specify u...

Страница 502: ...adding the user Refer to Section 33 1 2 Modifying User Properties for more information 33 1 2 Modifying User Properties To view the properties of an existing user click on the Users tab select the user from the user list and click Properties from the menu or choose File Properties from the pulldown menu A window similar to Figure 33 3 User Properties appears ...

Страница 503: ...is locked to lock the user account and prevent the user from logging into the system Password Info Displays the date that the user s password last changed To force the user to change passwords after a certain number of days select Enable password expiration and enter a desired value in the Days before change required field The number of days before the user s password expires the number of days be...

Страница 504: ...lect the GID Note that Red Hat Enterprise Linux also reserves group IDs lower than 500 for system groups Figure 33 4 New Group Click OK to create the group The new group appears in the group list 33 1 4 Modifying Group Properties To view the properties of an existing group select the group from the group list and click Properties from the menu or choose File Properties from the pulldown menu A win...

Страница 505: ...el Industry standard methods of adding deleting and modifying user groups gpasswd Industry standard method of administering the etc group file pwck grpck Tools used for the verification of the password group and associated shadow files pwconv pwunconv Tools used for the conversion of passwords to shadow passwords and back to standard passwords 33 2 1 Command Line Configuration If you prefer comman...

Страница 506: ...s than 500 and without a home directory p password The password encrypted with crypt s User s login shell which defaults to bin bash u uid User ID for the user which must be unique and greater than 499 Table 33 1 useradd Command Line Options 33 2 3 Adding a Group To add a group to the system use the command groupadd groupadd group name Command line options for groupadd are detailed in Table 33 2 g...

Страница 507: ...pires E date Specifies the date on which the account is locked in the format YYYY MM DD Instead of the date the number of days since January 1 1970 can also be used W days Specifies the number of days before the password expiration date to warn the user Table 33 3 chage Command Line Options Tip If the chage command is followed directly by a username with no options it displays the current password...

Страница 508: ...060718 Red Hat 4 1 1 9 on linux2 Type help copyright credits or license for more information At the prompt type the following commands Replace password with the password to encrypt and salt with a random combination of at least 2 of the following any alphanumeric character the slash character or a dot import crypt print crypt crypt password salt The output is the encrypted password similar to 12Cs...

Страница 509: ...n is left blank The home directory for juan is set to home juan The default shell is set to bin bash 2 A new line for juan is created in etc shadow The line has the following characteristics It begins with the username juan Two exclamation points appear in the password field of the etc shadow file which locks the account Note If an encrypted password is passed using the p flag it is placed in the ...

Страница 510: ...t assign a password to the account using the passwd command and optionally set password aging guidelines 33 3 Standard Users Table 33 4 Standard Users lists the standard users configured in the etc passwd file by an Everything installation The groupid GID in this table is the primary group for the user See Section 33 4 Standard Groups for a listing of standard groups User UID GID Home Directory Sh...

Страница 511: ...e 48 48 var www sbin nologin xfs 43 43 etc X11 fs sbin nologin gdm 42 42 var gdm sbin nologin htt 100 101 usr lib im sbin nologin mysql 27 27 var lib mysql bin bash webalizer 67 67 var www usage sbin nologin mailnull 47 47 var spool mqueue sbin nologin smmsp 51 51 var spool mqueue sbin nologin squid 23 23 var spool squid sbin nologin ldap 55 55 var lib ldap bin false netdump 34 34 var crash bin ba...

Страница 512: ...oot adm daemon tty 5 disk 6 root lp 7 daemon lp mem 8 kmem 9 wheel 10 root mail 12 mail postfix exim news 13 news uucp 14 uucp man 15 games 20 gopher 30 dip 40 ftp 50 lock 54 nobody 99 users 100 rpm 37 utmp 22 floppy 19 vcsa 69 dbus 81 ntp 38 canna 39 nscd 28 rpc 32 postdrop 90 postfix 89 mailman 41 exim 93 named 25 postgres 26 sshd 74 ...

Страница 513: ...that user is the only member of the UPG UPGs make it safe to set default permissions for a newly created file or directory allowing both the user and the group of that user to make modifications to the file or directory The setting which determines what permissions are applied to a newly created file or directory is called a umask and is configured in the etc bashrc file Traditionally on UNIX syst...

Страница 514: ...ciate the contents of the directory with the emacs group type chown R root emacs usr share emacs site lisp Now it is possible to add the proper users to the group with the gpasswd command usr bin gpasswd a username emacs To allow users to create files within the directory use the following command chmod 775 usr share emacs site lisp When a user creates a new file it is assigned the group of the us...

Страница 515: ... about users and groups and tools to manage them refer to the following resources 33 7 1 Installed Documentation Related man pages There are a number of man pages for the various applications and configuration files involved with managing users and groups Some of the more important man pages have been listed here User and Group Administrative Applications man chage A command to modify password agi...

Страница 516: ...iguration Files man 5 group The file containing group information for the system man 5 passwd The file containing user information for the system man 5 shadow The file containing passwords and account expiration information for the system ...

Страница 517: ...e 34 1 Printer Configuration Tool The following types of print queues can be configured AppSocket HP JetDirect a printer connected directly to the network through HP JetDirect or Appsocket interface instead of a computer Internet Printing Protocol IPP a printer that can be accessed over a TCP IP network via the Internet Printing Protocol for example a printer attached to another Red Hat Enterprise...

Страница 518: ...er To add a local printer such as one attached through a parallel port or USB port on your computer click the New Printer button in the main Printer Configuration Tool window to display the window in Figure 34 2 Adding a Printer Figure 34 2 Adding a Printer Click Forward to proceed Enter a unique name for the printer in the Printer Name field The printer name can contain letters numbers dashes and...

Страница 519: ...ly configured to use IPP If a firewall is enabled on the printer server then the firewall should be configured to allow send receive connections on the incoming UDP port 631 If a firewall is enabled on the client the system sending the print request then the firewall should be configured to allow accept and create connections through port 631 You can add a networked IPP printer by clicking the New...

Страница 520: ...king the New Printer button in the main Printer Configuration Tool window to display the window in Figure 34 2 Adding a Printer Enter a unique name for the printer in the Printer Name field The printer name can contain letters numbers dashes and underscores _ it must not contain any spaces You can also use the Description and Location fields to further distinguish this printer from others that may...

Страница 521: ... printer This user must exist on the SMB system and the user must have permission to access the printer The default user name is typically guest for Windows servers or nobody for Samba servers Enter the Password if required for the user specified in the Username field You can then test the connection by clicking Verify Upon successful verification a dialog box appears confirming printer share acce...

Страница 522: ...ow in Figure 34 2 Adding a Printer Enter a unique name for the printer in the Printer Name field The printer name can contain letters numbers dashes and underscores _ it must not contain any spaces You can also use the Description and Location fields to further distinguish this printer from others that may be configured on your system Both of these fields are optional and may contain spaces Figure...

Страница 523: ...r Model After choosing an option click Forward to continue Figure 34 7 Selecting a Printer Model appears You now have to choose the corresponding model and driver for the printer The recommended printed driver is automatically selected based on the printer model you chose The print driver processes the data that you want to print into a format the printer can understand Since a local printer is at...

Страница 524: ...s you should print a test page to test the different configuration 34 7 Modifying Existing Printers To delete an existing printer select the printer and click the Delete button on the toolbar The printer is removed from the printer list once you confirm deletion of the printer configuration To set the default printer select the printer from the printer list and click the Make Default Printer butto...

Страница 525: ...ose the option that best describes the nature of the print jobs such as topsecret classified or confidential Figure 34 9 Policies Tab You can also configure the Error Policy of the printer by choosing an option from the drop down menu You can choose to abort the print job retry or stop it 34 7 3 The Access Control Tab You can change user level access to the configured printer by clicking the Acces...

Страница 526: ...Chapter 34 Printer Configuration 500 Figure 34 10 Access Control Tab 34 7 4 The Printer and Job OptionsTab The Printer Options tab contains various configuration options for the printer media and output ...

Страница 527: ...o use such as Landscape modes horizontal or vertical printout copies or scaling increase or decrease the size of the printable area which can be used to fit an oversize print area onto a smaller physical sheet of print medium 34 8 Managing Print Jobs When you send a print job to the printer daemon such as printing a text file from Emacs or printing an image from The GIMP the print job is added to ...

Страница 528: ...he command lprm job number For example lprm 902 would cancel the print job in Example 34 1 Example of lpq output You must have proper permissions to cancel a print job You can not cancel print jobs that were started by other users unless you are logged in as root on the machine to which the printer is attached You can also print a file directly from a shell prompt For example the command lpr sampl...

Страница 529: ...of paper man cupsd The manual page for the CUPS printer daemon man cupsd conf The manual page for the CUPS printer daemon configuration file man classes conf The manual page for the class configuration file for CUPS 34 9 2 Useful Websites http www linuxprinting org GNU Linux Printing contains a large amount of information about printing in Linux http www cups org Documentation FAQs and newsgroups ...

Страница 530: ...504 ...

Страница 531: ...ne if the package is installed use the rpm q vixie cron command To determine if the service is running use the command sbin service crond status 35 1 1 Configuring Cron Tasks The main configuration file for cron etc crontab contains the following lines SHELL bin bash PATH sbin bin usr sbin usr bin MAILTO root HOME run parts 01 root run parts etc cron hourly 02 4 root run parts etc cron daily 22 4 ...

Страница 532: ...ourly etc cron daily etc cron weekly and etc cron monthly directories on an hourly daily weekly or monthly basis respectively The files in these directories should be shell scripts If a cron task is required to be executed on a schedule other than hourly daily weekly or monthly it can be added to the etc cron d directory All files in this directory use the same syntax as etc crontab Refer to Examp...

Страница 533: ...e 35 2 At and Batch While cron is used to schedule recurring tasks the at command is used to schedule a one time task at a specific time and the batch command is used to schedule a one time task to be executed when the systems load average drops below 0 8 To use at or batch the at RPM package must be installed and the atd service must be running To determine if the package is installed use the rpm...

Страница 534: ...d After typing the batch command the at prompt is displayed Type the command to execute press Enter and type Ctrl D Multiple commands can be specified by typing each command followed by the Enter key After typing all the commands press Enter to go to a blank line and type Ctrl D Alternatively a shell script can be entered at the prompt pressing Enter after each line in the script and typing Ctrl D...

Страница 535: ...users listed in it are allowed to use at or batch and the at deny file is ignored If at allow does not exist users listed in at deny are not allowed to use at or batch 35 2 6 Starting and Stopping the Service To start the at service use the command sbin service atd start To stop the service use the command sbin service atd stop It is recommended that you start the service at boot time Refer to Cha...

Страница 536: ...510 ...

Страница 537: ... for their log files You may notice multiple files in the log file directory with numbers after them These are created when the log files are rotated Log files are rotated so their file sizes do not become too large The logrotate package contains a cron task that automatically rotates log files according to the etc logrotate conf configuration file and the configuration files in the etc logrotate ...

Страница 538: ...Chapter 36 Log Files 512 Figure 36 1 System Log Viewer To filter the contents of the selected log file click on View from the menu and select Filter as illustrated below ...

Страница 539: ...Log Viewer View Menu Selecting the Filter menu item will display the Filter text field where you can type the keywords you wish to use for your filter To clear your filter click on the Clear button The figure below illustrates a sample filter ...

Страница 540: ...lter 36 3 Adding a Log File To add a log file you wish to view in the list select File Open This will display the Open Log window where you can select the directory and filename of the log file you wish to view The figure below illustrates the Open Log window ...

Страница 541: ...names end in gz 36 4 Monitoring Log Files System Log Viewer monitors all opened logs by default If a new line is added to a monitored log file the log name appears in bold in the log list If the log file is selected or displayed the new lines appear in bold at the bottom of the log file and after five seconds are displayed in normal format This is illustrated in the figures below The figure below ...

Страница 542: ...Chapter 36 Log Files 516 Figure 36 5 Log File Alert Clicking on the messages log file displays the logs in the file with the new lines in bold as illustrated below ...

Страница 543: ...Monitoring Log Files 517 Figure 36 6 Log file contents The new lines are displayed in bold for five seconds after which they are displayed in normal font ...

Страница 544: ...Chapter 36 Log Files 518 Figure 36 7 Log file contents after five seconds ...

Страница 545: ...Part V System Monitoring System administrators also monitor system performance Red Hat Enterprise Linux contains tools to assist administrators with these tasks ...

Страница 546: ......

Страница 547: ...37 2 Implementation SystemTap takes a compiler oriented approach to generating instrumentation Refer to Figure 37 1 Flow of Data in SystemTap Flow of data in SystemTap for an overall diagram of SystemTap used in this discussion In the upper right hand corner of the diagram is the probe stp the probe script the developer has written This is parsed by the translator into parse trees During this time...

Страница 548: ...and line program stap 37 3 1 Tracing The simplest kind of probe is simply to trace an event This is the effect of inserting strategically located print statements into a program This is often the first step of problem solving explore by seeing a history of what has happened This style of instrumentation is the simplest It just asks systemtap to print something at each event To express this in the ...

Страница 549: ...e part and the subsequent FILENAME part You can also put wildcards into the file name and even add a colon and a line number if you want to restrict the search that precisely Since systemtap will put a separate probe in every place that matches a probe point a few wildcards can expand to hundreds or thousands of probes so be careful what you ask for Once you identify the probe points the skeleton ...

Страница 550: ...524 ...

Страница 551: ... following command ps ax grep emacs The top command displays currently running processes and important information about them including their memory and CPU usage The list is both real time and interactive An example of output from the top command is provided as follows top 15 02 46 up 35 min 4 users load average 0 17 0 65 1 00 Tasks 110 total 1 running 107 sleeping 0 stopped 2 zombie Cpu s 41 1 u...

Страница 552: ...e desktop select System Administration System Monitor or type gnome system monitor at a shell prompt such as an XTerm Select the Process Listing tab The GNOME System Monitor allows you to search for a process in the list of running processes Using the Gnome System Monitor you can also view all processes your processes or active processes The Edit menu item allows you to Stop a process Continue or ...

Страница 553: ...n This sorts the information by the selected column in ascending order Click on the name of the column again to toggle the sort between ascending and descending order Figure 38 1 GNOME System Monitor 38 2 Memory Usage The free command displays the total amount of physical memory and swap space for the system as well as the amount of memory that is used free shared in kernel buffers and cached tota...

Страница 554: ...ad total used free shared buffers cached Mem 630 536 93 0 172 219 buffers cache 145 485 Swap 1279 0 1279 If you prefer a graphical interface for free you can use the GNOME System Monitor To start it from the desktop go to System Administration System Monitor or type gnome system monitor at a shell prompt such as an XTerm Click on the Resources tab ...

Страница 555: ...ms 529 Figure 38 2 GNOME System Monitor Resources tab 38 3 File Systems The df command reports the system s disk space usage If you type the command df at a shell prompt the output looks similar to the following ...

Страница 556: ... entry for dev shm This entry represents the system s virtual memory file system The du command displays the estimated amount of space being used by files in a directory If you type du at a shell prompt the disk usage for each of the subdirectories is displayed in a list The grand total for the current directory and subdirectories are also shown as the last line in the list If you do not want to s...

Страница 557: ... the hardware that can be probed To start the program from the desktop select System the main menu on the panel Administration Hardware or type hwbrowser at a shell prompt As shown in Figure 38 4 Hardware Browser it displays your CD ROM devices diskette drives hard drives and their partitions network devices pointing devices system devices and video cards Click on the category name in the left men...

Страница 558: ...ion can be started by selecting System the main menu on the panel Administration Hardware like the Hardware Browser To start the application from a terminal type hal device manager Depending on your installation preferences the graphical menu above may start this application or the Hardware Browser when clicked The figure below illustrates the Device Manager window ...

Страница 559: ...e command lspci v for more verbose information or lspci vv for very verbose output For example lspci can be used to determine the manufacturer model and memory size of a system s video card 00 00 0 Host bridge ServerWorks CNB20LE Host Bridge rev 06 00 00 1 Host bridge ServerWorks CNB20LE Host Bridge rev 06 ...

Страница 560: ...t know the manufacturer or model number 38 5 Additional Resources To learn more about gathering system information refer to the following resources 38 5 1 Installed Documentation ps help Displays a list of options that can be used with ps top manual page Type man top to learn more about top and its many options free manual page type man free to learn more about free and its many options df manual ...

Страница 561: ...ome limitations when using it Use of shared libraries Samples for code in shared libraries are not attributed to the particular application unless the separate library option is used Performance monitoring samples are inexact When a performance monitoring register triggers a sample the interrupt handling is not precise like a divide by zero exception Due to the out of order execution of instructio...

Страница 562: ...ing not to monitor the kernel is required The following sections describe how to use the opcontrol utility to configure OProfile As the opcontrol commands are executed the setup options are saved to the root oprofile daemonrc file 39 2 1 Specifying the Kernel First configure whether OProfile should monitor the kernel This is the only configuration option that is required before starting OProfile A...

Страница 563: ... athlon 4 AMD64 x86 64 hammer 4 Itanium ia64 itanium 4 Itanium 2 ia64 itanium2 4 TIMER_INT timer 1 IBM eServer iSeries and pSeries timer 1 ppc64 power4 8 ppc64 power5 6 ppc64 970 8 IBM eServer S 390 and S 390x timer 1 IBM eServer zSeries timer 1 Table 39 2 OProfile Processors and Counters Use Table 39 2 OProfile Processors and Counters to verify that the correct processor type was detected and to ...

Страница 564: ...ailable for profiling execute the following command as root the list is specific to the system s processor type ophelp The events for each counter can be configured via the command line or with a graphical interface For more information on the graphical interface refer to Section 39 8 Graphical Interface If the counter cannot be set to a specific event an error message is displayed To set the even...

Страница 565: ...ng a bitwise or operation opcontrol event event name sample rate unit mask 39 2 3 Separating Kernel and User space Profiles By default kernel mode and user mode information is gathered for each event To configure OProfile to ignore events in kernel mode for a specific counter execute the following command opcontrol event event name sample rate unit mask 0 Execute the following command to start pro...

Страница 566: ...ommand as root opcontrol start Output similar to the following is displayed Using log file var lib oprofile oprofiled log Daemon started Profiler running The settings in root oprofile daemonrc are used The OProfile daemon oprofiled is started it periodically writes the sample data to the var lib oprofile samples directory The log file for the daemon is located at var lib oprofile oprofiled log To ...

Страница 567: ...xecutable being profiled must be used with these tools to analyze the data If it must change after the data is collected backup the executable used to create the samples as well as the sample files Please note that the sample file and the binary have to agree Making a backup isn t going to work if they do not match oparchive can be used to address this problem Samples for each executable are writt...

Страница 568: ... is the number of samples recorded for the executable The second column is the percentage of samples relative to the total number of samples The third column is the name of the executable Refer to the opreport man page for a list of available command line options such as the r option used to sort the output from the executable with the smallest number of samples to the one with the largest number ...

Страница 569: ...umber of samples to the smallest reverse order use r in conjunction with the l option i symbol name List sample data specific to a symbol name For example the following output is from the command opreport l i __gconv_transform_utf8_internal lib tls libc version so samples symbol name 12 100 000 __gconv_transform_utf8_internal The first line is a summary for the symbol executable combination The fi...

Страница 570: ...s for the modules for an executable in the root directory but this is unlikely to be the place with the actual code for the module You will need to take some steps to make sure that analysis tools get the executable For example on an AMD64 machine the sampling is set up to record Data cache accesses and Data cache misses and assuming you would like to see the data for the ext3 module opreport ext3...

Страница 571: ... left It also puts in a comment at the beginning of each function listing the total samples for the function For this utility to work the executable must be compiled with GCC s g option By default Red Hat Enterprise Linux packages are not compiled with this option The general syntax for opannotate is as follows opannotate search dirs src dir source executable The directory containing the source co...

Страница 572: ... dedicated systems Determine processor usage The CPU_CLK_UNHALTED event can be monitored to determine the processor load over a given period of time This data can then be used to determine if additional processors or a faster processor might improve system performance 39 8 Graphical Interface Some OProfile preferences can be set with a graphical interface To start it execute the oprof_start comman...

Страница 573: ...les If this option is unselected no samples are collected for user applications Use the Count text field to set the sampling rate for the currently selected event as discussed in Section 39 2 2 1 Sampling Rate If any unit masks are available for the currently selected event as discussed in Section 39 2 2 2 Unit Masks they are displayed in the Unit Masks area on the right side of the Setup tab Sele...

Страница 574: ... command To force data to be written to samples files as discussed in Section 39 5 Analyzing the Data click the Flush profiler data button This is equivalent to the opcontrol dump command To start OProfile from the graphical interface click Start profiler To stop the profiler click Stop profiler Exiting the application does not stop OProfile from sampling 39 9 Additional Resources This chapter onl...

Страница 575: ...art VI Kernel and Driver Configuration System administrators can learn about and customize their kernels Red Hat Enterprise Linux contains kernel tools to assist administrators with their customizations ...

Страница 576: ......

Страница 577: ...Package Management Tool and yum refer to Chapter 13 Red Hat Network 40 1 Overview of Kernel Packages Red Hat Enterprise Linux contains the following kernel packages some may not apply to your architecture kernel Contains the kernel for multi processor systems For x86 system only the first 4GB of RAM is used As such x86 systems with over 4GB of RAM should use the kernel PAE kernel devel Contains th...

Страница 578: ...uired to build modules against the kernel xen package Note The kernel source package has been removed and replaced with an RPM that can only be retrieved from Red Hat Network This src rpm package must then be rebuilt locally using the rpmbuild command For more information on obtaining and installing the kernel source package refer to the latest updated Release Notes including all updates at http w...

Страница 579: ...Server System z architecture i686 for Intel Pentium II Intel Pentium III Intel Pentium 4 AMD Athlon and AMD Duron systems 40 3 Downloading the Upgraded Kernel There are several ways to determine if an updated kernel is available for the system Security Errata Refer to http www redhat com security updates for information on security errata including kernel upgrades that fix security issues Via Red ...

Страница 580: ... an initial RAM disk already exists use the command ls l boot to make sure the initrd version img file was created the version should match the version of the kernel just installed On iSeries systems the initial RAM disk file and vmlinux file are combined into one file which is created with the addRamDisk command This step is performed automatically if the kernel and its associated packages are in...

Страница 581: ...nge the value of the default variable to the title section number for the title section that contains the new kernel The count starts with 0 For example if the new kernel is the first title section set default to 0 Begin testing the new kernel by rebooting the computer and watching the messages to ensure that the hardware is detected properly 40 6 2 Itanium Systems Itanium systems use ELILO as the...

Страница 582: ...t the hardware is detected properly 40 6 4 IBM eServer iSeries Systems The boot vmlinitrd kernel version file is installed when you upgrade the kernel However you must use the dd command to configure the system to boot the new kernel 1 As root issue the command cat proc iSeries mf side to determine the default side either A B or C 2 As root issue the following command where kernel version is the v...

Страница 583: ...he kernel in the first image is booted by default To change the default kernel to boot either move its image stanza so that it is the first one listed or add the directive default and set it to the label of the image stanza that contains the new kernel Begin testing the new kernel by rebooting the computer and watching the messages to ensure that the hardware is detected properly ...

Страница 584: ...558 ...

Страница 585: ...pported device drivers in groups of packages called kernel smp unsupported kernel version and kernel hugemem unsupported kernel version Replace kernel version with the version of the kernel installed on the system These packages are not installed by the Red Hat Enterprise Linux installation program and the modules provided are not supported by Red Hat Inc 41 1 Kernel Module Utilities A group of co...

Страница 586: ...34913 1 ide_cd mii 5825 1 pcnet32 pcspkr 3521 0 ext3 129737 2 jbd 58473 1 ext3 mptspi 17353 3 scsi_transport_spi 25025 1 mptspi mptscsih 23361 1 mptspi sd_mod 20929 16 scsi_mod 134121 5 sg mptspi scsi_transport_spi mptscsih sd_mod mptbase 52193 2 mptspi mptscsih For each line the first column is the name of the module the second column is the size of the module and the third column is the use coun...

Страница 587: ...le utility is modinfo Use the command sbin modinfo to display information about a kernel module The general syntax is sbin modinfo options module Options include d which displays a brief description of the module and p which lists the parameters the module supports For a complete list of options refer to the modinfo man page man modinfo 41 2 Persistent Module Loading Kernel modules are usually loa...

Страница 588: ... useful for listing various information about a kernel module such as version dependencies paramater options and aliases 41 4 Storage parameters Hardware Module Parameters 3ware Storage Controller and 9000 series 3w xxxx ko 3w 9xxx ko Adaptec Advanced Raid Products Dell PERC2 2 Si 3 Si 3 Di HP NetRAID 4M IBM ServeRAID and ICP SCSI driver aacraid ko nondasd Control scanning of hba for nondasd devic...

Страница 589: ...94x AHA 398x AHA 274x AHA 274xT AHA 2842 AHA 2910B AHA 2920C AHA 2930 U U2 AHA 2940 W U UW AU U2W U2 U2B U2BOEM AHA 2944D WD UD UWD AHA 2950U2 W B AHA 3940 U W UW AUW U2W U2B AHA 3950U2D AHA 3985 U W UW AIC 777x AIC 785x AIC 786x AIC 787x AIC 788x AIC 789x AIC 3860 aic7xxx ko verbose Enable verbose diagnostic logging allow_memio Allow device registers to be memory mapped debug Bitmask of debug val...

Страница 590: ...per IO command default 128 cmd_per_lun Maximum number of commands per logical unit default 64 fast_load Faster loading of the driver skips physical devices default 0 debug_level Debug level for driver default 0 Emulex LightPulse Fibre Channel SCSI driver lpfc ko lpfc_poll FCP ring polling mode control 0 none 1 poll with interrupts enabled 3 poll and disable FCP ring interrupts lpfc_log_verbose Ver...

Страница 591: ...f milliseconds after which an interrupt response is generated lpfc_cr_count A count of I O completions after which an interrupt response is generated lpfc_multi_ring_support Determines number of primary SLI rings to spread IOCB entries across lpfc_fdmi_on Enable FDMI support lpfc_discovery_threads Maximum number of ELS commands during discovery lpfc_max_luns Maximum allowed LUN lpfc_poll_tmo Milli...

Страница 592: ...s a PORT DOWN status ql2xplogiabsentdevice Option to enable PLOGI to devices that are not present after a Fabric scan ql2xloginretrycount Specify an alternate value for the NVRAM login retry count ql2xallocfwdump Option to enable allocation of memory for a firmware dump during HBA initialization Default is 1 allocate memory extended_error_logging Option to enable extended error logging ql2xfdmiena...

Страница 593: ...ebug Set bits to enable debugging settle Settle delay in seconds Default 3 nvram Option currently not used excl List ioport addresses here to prevent controllers from being attached safe Set other settings to a safe mode Table 41 1 Storage Module Parameters 41 5 Ethernet Parameters Important Most modern Ethernet based network interface cards NICs do not require module parameters to alter settings ...

Страница 594: ...59x same as options but applies to all NICs if options is unset full_duplex 3c59x full duplex setting s 1 global_full_duplex 3c59x same as full_duplex but applies to all NICs if full_duplex is unset hw_checksums 3c59x Hardware checksum checking by adapter s 0 1 flow_ctrl 3c59x 802 3x flow control usage PAUSE only 0 1 enable_wol 3c59x Turn on Wake on LAN for adapter s 0 1 global_enable_wol 3c59x sa...

Страница 595: ...8139 SMC EZ Card Fast Ethernet RealTek cards using RTL8129 or RTL8139 Fast Ethernet chipsets 8139too ko Broadcom 4400 10 100 PCI ethernet driver b44 ko b44_debug B44 bitmapped debugging message enable value Broadcom NetXtreme II BCM5706 5708 Driver bnx2 ko disable_msi Disable Message Signaled Interrupt MSI Intel Ether Express 100 driver e100 ko debug Debug level 0 none 16 all eeprom_bad_csum_allow...

Страница 596: ...Interrupt Throttling Rate SmartPowerDownEnable Enable PHY smart power down KumeranLockLoss Enable Kumeran lock loss workaround Myricom 10G driver 10GbE myri10ge ko myri10ge_fw_name Firmware image name myri10ge_ecrc_enable Enable Extended CRC on PCI E myri10ge_max_intr_slots Interrupt queue slots myri10ge_small_bytes Threshold of small packets myri10ge_msi Enable Message Signalled Interrupts myri10...

Страница 597: ...3815 Fast Ethernet natsemi ko mtu DP8381x MTU all boards debug DP8381x default debug level rx_copybreak DP8381x copy breakpoint for copy only tiny frames options DP8381x Bits 0 3 media type bit 17 full duplex full_duplex DP8381x full duplex setting s 1 AMD PCnet32 and AMD PCnetPCI pcnet32 ko PCnet32 and PCnetPCI pcnet32 ko debug pcnet32 debug level max_interrupt_work pcnet32 maximum events handled...

Страница 598: ... DAC Unsafe on 32 bit PCI slot debug Debug verbosity level 0 none 16 all Neterion Xframe 10GbE Server Adapter s2io ko SIS 900 701G PCI Fast Ethernet sis900 ko multicast_filter_limit SiS 900 7016 maximum number of filtered multicast addresses max_interrupt_work SiS 900 7016 maximum events handled per interrupt sis900_debug SiS 900 7016 bitmapped debugging message level Adaptec Starfire Ethernet dri...

Страница 599: ...LAN use AUI port s 0 1 duplex ThunderLAN duplex setting s 0 default 1 half 2 full speed ThunderLAN port speen setting s 0 10 100 debug ThunderLAN debug mask bbuf ThunderLAN use big buffer 0 1 Digital 21x4x Tulip PCI Ethernet cards SMC EtherPower 10 PCI 8432T 8432BT SMC EtherPower 10 100 PCI 9332DST DEC EtherWorks 100 10 PCI DE500 XA DEC EtherWorks 10 PCI DE450 DEC QSILVER s Znyx 312 etherarray All...

Страница 600: ...andwidth and providing redundancy To channel bond multiple network interfaces the administrator must perform the following steps 1 Add the following line to etc modprobe conf alias bond N bonding Replace N with the interface number such as 0 For each configured channel bonding interface there must be a corresponding entry in etc modprobe conf 2 Configure a channel bonding interface as outlined in ...

Страница 601: ...fig bond0 Link encap Ethernet HWaddr 00 00 00 00 00 00 UP BROADCAST RUNNING MASTER MULTICAST MTU 1500 Metric 1 RX packets 0 errors 0 dropped 0 overruns 0 frame 0 TX packets 0 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 0 0 0 b TX bytes 0 0 0 b eth0 Link encap Ethernet HWaddr 52 54 00 26 9E F1 inet addr 192 168 122 251 Bcast 192 168 122 255 Mask 255 255 255 0 inet6 ad...

Страница 602: ...ameters install the kernel doc package and then locating and opening the included bonding txt file yum y install kernel doc nano w rpm ql kernel doc grep bonding txt Bonding Interface Parameters arp_interval time_in_milliseconds Specifies in milliseconds how often ARP monitoring occurs Important It is essential that both arp_interval and arp_ip_target parameters are specified or alternatively the ...

Страница 603: ... such as eth0 not the bond interface If MII is supported the command returns Link detected yes If using a bonded interface for high availability the module for each NIC must support MII Setting the value to 0 the default turns this feature off When configuring this setting a good starting point for this parameter is 100 Important It is essential that both arp_interval and arp_ip_target parameters ...

Страница 604: ...d NA is issued immediately after the failover The valid range is 0 255 the default value is 1 This option affects only the active backup mode primary interface_name Specifies the interface name such as eth0 of the primary device The primary device is the first of the bonding interfaces to be used and is not abandoned unless it fails This setting is particularly useful when one NIC in the bonding i...

Страница 605: ...ithin the kernel However this is still configurable in case your device driver does not support netif_carrier_on off Valid values are 1 Default setting Enables the use of netif_carrier_ok 0 Enables the use of MII ETHTOOL ioctls Tip If the bonding interface insists that the link is up when it should not be it is possible that your network device driver does not support netif_carrier_on off xmit_has...

Страница 606: ...la is the same as for the layer2 transmit hash policy This policy is intended to provide a more balanced distribution of traffic than layer2 alone especially in environments where a layer3 gateway device is required to reach most destinations This algorithm is 802 3ad compliant 41 6 Additional Resources For more information on kernel modules and their utilities refer to the following resources 41 ...

Страница 607: ...conceptual information in the areas of security assessment common exploits and intrusion and incident response It also provides conceptual and specific configuration information on how to use SELinux to harden Workstation Server VPN firewall and other implementations This chapter assumes a basic knowledge of IT security and consequently provides only minimal coverage of common security practices s...

Страница 608: ......

Страница 609: ...ary such as total cost of ownership TCO and quality of service QoS In these metrics industries calculate aspects such as data integrity and high availability as part of their planning and process management costs In some industries such as electronic commerce the availability and trustworthiness of data can be the difference between success and failure 42 1 1 1 How did Computer Security Come about...

Страница 610: ...es or coordinated attacks is a direct threat to the success of the organization Unfortunately system and network security can be a difficult proposition requiring an intricate knowledge of how an organization regards uses manipulates and transmits its information Understanding the way an organization and the people that make up the organization conducts business is paramount to implementing a prop...

Страница 611: ...ms Security guards Picture IDs Locked and dead bolted steel doors Biometrics includes fingerprint voice face iris handwriting and other automated methods used to recognize individuals 42 1 2 2 Technical Controls Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network Technical controls are far reaching i...

Страница 612: ...s often difficult to find expert resources for all of your systems While it is possible to have personnel knowledgeable in many areas of information security at a high level it is difficult to retain staff who are experts in more than a few subject areas This is mainly because each subject area of information security requires constant attention and focus Information security does not stand still ...

Страница 613: ...ound vulnerability assessment you are somewhat at an advantage since you are internal and your status is elevated to trusted This is the viewpoint you and your co workers have once logged on to your systems You see print servers file servers databases and other resources There are striking distinctions between these two types of vulnerability assessments Being internal to your company gives you el...

Страница 614: ...ernal or internal to the company The answers to these questions are important as they help determine not only which tools to select but also the manner in which they are used To learn more about establishing methodologies refer to the following websites http www isecom org projects osstmm htm The Open Source Security Testing Methodology Manual OSSTMM http www owasp org The Open Web Application Sec...

Страница 615: ... can be run from a shell prompt by typing the nmap command followed by the hostname or IP address of the machine to scan nmap foo example com The results of the scan which could take up to a few minutes depending on where the host is located should look similar to the following Starting nmap V 3 50 www insecure org nmap Interesting ports on localhost localdomain 127 0 0 1 The 1591 ports scanned bu...

Страница 616: ...ese servers Note Nikto is not included with Red Hat Enterprise Linux and is not supported It has been included in this document as a reference to users who may be interested in using this popular application More information about Nikto can be found at the following URL http www cirt net code nikto shtml 42 2 3 4 VLAD the Scanner VLAD is a vulnerabilities scanner developed by the RAZOR team at Bin...

Страница 617: ...hat sharing this knowledge is the hackers duty to the community During this quest for knowledge some hackers enjoy the academic challenges of circumventing security controls on computer systems For this reason the press often uses the term hacker to describe those who illicitly access systems and networks with unscrupulous malicious or criminal intent The more accurate term for this type of comput...

Страница 618: ... MAC address spoofing by both outside intruders and unauthorized users on local hosts 42 3 2 1 2 Centralized Servers Another potential networking pitfall is the use of centralized computing A common cost cutting measure for many businesses is to consolidate all services to a single powerful machine This can be convenient as it is easier to manage and costs considerably less than multiple server co...

Страница 619: ...g tracking and proper system maintenance to ensure a more secure computing environment Refer to Section 42 5 Security Updates for more information about keeping a system up to date 42 3 3 3 Inattentive Administration Administrators who fail to patch their systems are one of the greatest threats to server security According to the System Administration Network and Security Institute SANS the primar...

Страница 620: ...er since administrators often find themselves forced to use these services careful configuration is critical Refer to Section 43 2 Server Security for more information about setting up services in a safe manner 42 3 4 Threats to Workstation and Home PC Security Workstations and home PCs may not be as prone to attack as networks or servers but since they often contain sensitive data such as credit ...

Страница 621: ...ush and leave the password null a perfect entry point for malicious users who discover the account Default Shared Keys Secure services sometimes package default security keys for development or evaluation testing purposes If these keys are left unchanged and are placed in a production environment on the Internet all users with the same default keys have access to that shared key resource and any s...

Страница 622: ...aps can be read or the attacker can start a denial of service attack which drains system resources or renders it unavailable to other users Services sometimes can have vulnerabilities that go unnoticed during development and testing these vulnerabilities such as buffer overflows where attackers crash a service using arbitary values that fill the memory buffer of an application giving the attacker ...

Страница 623: ...ion as to the true source of the attack difficult Advances in ingress filtering IETF rfc2267 using iptables and Network IDSes such as snort assist administrators in tracking down and preventing distributed DoS attacks Table 42 1 Common Exploits 42 5 Security Updates As security vulnerabilities are discovered the affected software must be updated in order to limit any potential security risks If th...

Страница 624: ...e RPM signature to make sure they have not been tampered with and updates them The package install can occur immediately or can be scheduled during a certain time period Red Hat Network requires a System Profile for each machine to be updated The System Profile contains hardware and software information about the system This information is kept confidential and is not given to anyone else It is on...

Страница 625: ...e a private key secret key held by Red Hat locks the package while the public key unlocks and verifies the package If the public key distributed by Red Hat does not match the private key during RPM verification the package may have been altered and therefore cannot be trusted The RPM utility within Red Hat Enterprise Linux automatically tries to verify the GPG signature of an RPM package before in...

Страница 626: ...booted using the new kernel the old kernel may be removed using the following command rpm e old kernel package Replace old kernel package in the previous example with the name of the older kernel RPM Note It is not a requirement that the old kernel be removed The default boot loader GRUB allows for multiple kernels to be installed then chosen from a menu at boot time Important Before installing an...

Страница 627: ... a number of applications and services Applications utilizing a shared library typically load the shared code when the application is initialized so any applications using the updated library must be halted and relaunched To determine which running applications link against a particular library use the lsof command as in the following example lsof usr lib libwrap so This command returns a list of ...

Страница 628: ...ce upgrade the package for the service then halt all processes currently running To determine if the process is running use the ps command and then use the kill or killall command to halt current instances of the service For example if security errata imap packages are released upgrade the packages then type the following command as root into a shell prompt ps aux grep imap This command returns al...

Страница 629: ...e BIOS or BIOS equivalent and the boot loader can prevent unauthorized users who have physical access to systems from booting using removable media or obtaining root privileges through single user mode The security measures you should take to protect against such attacks depends both on the sensitivity of the information on the workstation and the location of the machine For example if a machine i...

Страница 630: ... refer to the manufacturer s instructions 43 1 2 2 Boot Loader Passwords The primary reasons for password protecting a Linux boot loader are as follows 1 Preventing Access to Single User Mode If attackers can boot the system into single user mode they are logged in automatically as root without being prompted for the root password 2 Preventing Access to the GRUB Console If the machine uses GRUB as...

Страница 631: ... To create a different password for a particular kernel or operating system add a lock line to the stanza followed by a password line Each stanza protected with a unique password should begin with lines similar to the following example title DOS lock password md5 password hash 43 1 3 Password Security Passwords are the primary method that Red Hat Enterprise Linux uses to verify a user s identity T...

Страница 632: ...cker may have gained access before dawn and edited the log files to cover his tracks In addition to format and storage considerations is the issue of content The single most important thing a user can do to protect his account against a password cracking attack is create a strong password 43 1 3 1 Creating Strong Passwords When creating a secure password it is a good idea to follow these guideline...

Страница 633: ...verting a bad password does not make it any more secure Some insecure examples include the following R0X4H nauj 9 DS Do Not Write Down Your Password Never store a password on paper It is much safer to memorize it Do Not Use the Same Password For All Machines It is important to make separate passwords for each machine This way if one system is compromised all of your machines are not immediately at...

Страница 634: ... one letter such as H o7r 77w 7gHwg Finally do not use the example password above for any systems ever While creating secure passwords is imperative managing them properly is also important especially for system administrators within larger organizations The following section details good practices for creating and managing user passwords within an organization 43 1 3 2 Creating User Passwords Wit...

Страница 635: ...ilable online at http www openwall com john Crack Perhaps the most well known password cracking software Crack is also very fast though not as easy to use as John The Ripper It can be found online at http www openwall com john Slurpie Slurpie is similar to John The Ripper and Crack but it is designed to run on multiple computers simultaneously creating a distributed password cracking attack It can...

Страница 636: ...06 08 18 Password Expiration Warning 7 Password Inactive 1 Account Expiration Date YYYY MM DD 1969 12 31 root interch dev1 Refer to the man page for chage for more information on the available options You can also use the graphical User Manager application to create password aging policies as follows Note you need Administrator privileges to perform this procedure 1 Click the System menu on the Pa...

Страница 637: ...grams are denoted by an s in the owner section of a long format listing as in the following example rwsr xr x 1 root root 47324 May 1 08 09 bin su Note The s may be upper case or lower case If it appears as upper case it means that the underlying permission bit has not been set For the system administrators of an organization however choices must be made as to how much administrative access users ...

Страница 638: ...ese services transmit this information over the network in plain text Running Email Attachments As Root Although rare email viruses that affect Linux do exist The only time they are a threat however is when they are run by the root user 43 1 4 2 Disallowing Root Access If an administrator is uncomfortable allowing users to log in as root for these or other reasons the root password should be kept ...

Страница 639: ...imit root access to services Edit the file for the target service in the etc pam d directory Make sure the pam_listfile so is required for authentication 1 Prevents root access to network services that are PAM aware The following services are prevented from accessing the root account FTP clients Email clients login gdm kdm xdm ssh scp sftp Any PAM aware services Programs and services that are not ...

Страница 640: ...it the SSH daemon s configuration file etc ssh sshd_config Change the line that reads PermitRootLogin yes to read as follows PermitRootLogin no 43 1 4 2 4 Disabling Root Using PAM PAM through the lib security pam_listfile so module allows great flexibility in denying specific accounts The administrator can use this module to reference a list of users who are not allowed to log in Below is an examp...

Страница 641: ...rmod G wheel username In the previous command replace username with the username you want to add to the wheel group You can also use the User Manager to modify group memberships as follows Note you need Administrator privileges to perform this procedure 1 Click the System menu on the Panel point to Administration and then click Users and Groups to display the User Manager Alternatively type the co...

Страница 642: ...thenticated and assuming that the command is permitted the administrative command is executed as if they were the root user The basic format of the sudo command is as follows sudo command In the above example command would be replaced by a command normally reserved for the root user such as mount Important Users of the sudo command should take extra care to log out before walking away from their m...

Страница 643: ...ocalhost sbin shutdown h now This example states that any user can issue the command sbin shutdown h now as long as it is issued from the console The man page for sudoers has a detailed listing of options for this file 43 1 5 Available Network Services While user access to administrative controls is an important issue for system administrators within an organization monitoring which network servic...

Страница 644: ...icious code from running in the executable portion of virtual memory with a granularity of 4KB of executable code lowering the risk of attack from stealthy buffer overflow exploits Tip To limit exposure to attacks over the network all services that are unused should be turned off 43 1 5 2 Identifying and Configuring Services To enhance security most network services installed with Red Hat Enterpri...

Страница 645: ...etwork service is insecure This is why turning off unused services is so important Exploits for services are routinely revealed and patched making it very important to regularly update packages associated with any network service Refer to Section 42 5 Security Updates for more information Some network protocols are inherently more insecure than others These include any services that Transmit Usern...

Страница 646: ...more information about sshd FTP is not as inherently dangerous to the security of the system as remote shells but FTP servers must be carefully configured and monitored to avoid problems Refer to Section 43 2 6 Securing FTP for more information about securing FTP servers Services that should be carefully implemented and behind a firewall include finger authd this was called identd in previous Red ...

Страница 647: ...rnet has grown so has the threat of communication interception Over the years tools have been developed to encrypt communications as they are transferred over the network Red Hat Enterprise Linux ships with two basic tools that use high level public key cryptography based encryption algorithms to protect information as it travels over the network OpenSSH A free implementation of the SSH protocol f...

Страница 648: ...fer to Section 16 2 TCP Wrappers for more information on configuring TCP Wrappers and xinetd The following subsections assume a basic knowledge of each topic and focus on specific security options 43 2 1 1 Enhancing Security With TCP Wrappers TCP Wrappers are capable of much more than denying access to services This section illustrates how they can be used to send connection banners warn of attack...

Страница 649: ...ss To allow the connection and log it place the spawn directive in the etc hosts allow file Note Because the spawn directive executes any shell command create a special script to notify the administrator or execute a chain of commands in the event that a particular client attempts to connect to the server 43 2 1 1 3 TCP Wrappers and Enhanced Logging If certain types of connections are of more conc...

Страница 650: ...e values for the deny_time attribute are FOREVER which keeps the ban in effect until xinetd is restarted and NEVER which allows the connection and logs it Finally the last line should read disable no This enables the trap itself While using SENSOR is a good way to detect and stop connections from undesirable hosts it has two drawbacks It does not work against stealth scans An attacker who knows th...

Страница 651: ... NFS It has weak authentication mechanisms and has the ability to assign a wide range of ports for the services it controls For these reasons it is difficult to secure Note Securing portmap only affects NFSv2 and NFSv3 implementations since NFSv4 no longer requires it If you plan to implement an NFSv2 or NFSv3 server then portmap is required and the following section applies If running RPC service...

Страница 652: ...ltiple NIS servers usr sbin ypserv This is the NIS server daemon NIS is somewhat insecure by today s standards It has no host authentication mechanisms and transmits all of its information over the network unencrypted including password hashes As a result extreme care must be taken when setting up a network that uses NIS This is further complicated by the fact that the default configuration of NIS...

Страница 653: ...s file is blank or does not exist as is the case after a default installation NIS listens to all networks One of the first things to do is to put netmask network pairs in the file so that ypserv only responds to requests from the appropriate network Below is a sample entry from a var yp securenets file 255 255 255 0 192 168 0 0 Warning Never start an NIS server for the first time without creating ...

Страница 654: ...shes are ever sent over the network making the system far more secure Refer to Section 43 6 Kerberos for more information about Kerberos 43 2 4 Securing NFS The Network File System NFS is a service that provides network accessible file systems for client machines Refer to Chapter 19 Network File System NFS for more information about NFS The following subsections assume a basic knowledge of NFS Imp...

Страница 655: ...o nfsnobody which prevents uploading of programs with the setuid bit set If no_root_squash is used remote root users are able to change any file on the shared file system and leave applications infected by trojans for other users to inadvertently execute 43 2 5 Securing the Apache HTTP Server The Apache HTTP Server is one of the most stable and secure services that ships with Red Hat Enterprise Li...

Страница 656: ...ons for Executable Directories Ensure that only the root user has write permissions to any directory containing scripts or CGIs To do this type the following commands chown root directory_name chmod 755 directory_name Important Always verify that any scripts running on the system work as intended before putting them into production 43 2 6 Securing FTP The File Transfer Protocol FTP is an older TCP...

Страница 657: ... Wrappers and Connection Banners To reference this greeting banner file for vsftpd add the following directive to the etc vsftpd vsftpd conf file banner_file etc banners ftp msg Important Make sure that you specify the path to the banner file correctly in etc vsftpd vsftpd conf or else every attempt to connect to vsftpd will result in the connection being closed immediately and a 500 OOPS cannot o...

Страница 658: ...anonymous users to read and write in directories often find that their servers become a repository of stolen software Additionally under vsftpd add the following line to the etc vsftpd vsftpd conf file anon_upload_enable YES 43 2 6 3 User Accounts Because FTP transmits unencrypted usernames and passwords over insecure networks for authentication it is a good idea to deny system users access to the...

Страница 659: ...owing issues 43 2 7 1 Limiting a Denial of Service Attack Because of the nature of email a determined attacker can flood the server with mail fairly easily and cause a denial of service By setting limits to the following directives in etc mail sendmail mc the effectiveness of such attacks is limited confCONNECTION_RATE_THROTTLE The number of connections the server can receive per second By default...

Страница 660: ...e since these programs do not connect to the machine from the network but rather check to see what is running on the system For this reason these applications are frequent targets for replacement by attackers Crackers attempt to cover their tracks if they open unauthorized network ports by replacing netstat and lsof with their own modified versions A more reliable way to check which ports are list...

Страница 661: ...s command Also the p option reveals the process ID PID of the service that opened the port In this case the open port belongs to ypbind NIS which is an RPC service handled in conjunction with the portmap service The lsof command reveals similar information to netstat since it is also capable of linking open ports to services lsof i grep 834 The relevant portion of the output from this command foll...

Страница 662: ...ate correctly as should any reader that is supported by PCSC lite Red Hat Enterprise Linux has also been tested with Common Access Cards CAC The supported reader for CAC is the SCM SCR 331 USB Reader As of Red Hat Enterprise Linux 5 2 Gemalto smart cards Cyberflex Access 64k v2 standard with DER SHA1 value configured as in PKCSI v2 1 are now supported These smart cards now use readers compliant wi...

Страница 663: ...you have the nss tools package loaded 3 Download and install your corporate specific root certificates Use the following command to install the root CA certificate certutil A d etc pki nssdb n root ca cert t CT C C i ca_cert_in_base64_format crt 4 Verify that you have the following RPMs installed on your system esc pam_pkcs11 coolkey ifd egate ccid gdm authconfig and authconfig gtk 5 Enable Smart ...

Страница 664: ...lowing command to locate the source of the problem pklogin_finder debug If you run the pklogin_finder tool in debug mode while an enrolled smart card is plugged in it attempts to output information about the validity of certificates and if it is successful in attempting to map a login ID from the certificates that are on the card 43 3 3 How Smart Card Enrollment Works Smart cards are said to be en...

Страница 665: ... logging in using a smart card 1 When the user inserts their smart card into the smart card reader this event is recognized by the PAM facility which prompts for the user s PIN 2 The system then looks up the user s current certificates and verifies their validity The certificate is then mapped to the user s UID 3 This is validated against the KDC and login granted ...

Страница 666: ...ring Firefox to use Kerberos for SSO You can configure Firefox to use Kerberos for Single Sign on In order for this functionality to work correctly you need to configure your web browser to send your Kerberos credentials to the appropriate KDC The following section describes the configuration changes and other requirements to achieve this 1 In the address bar of Firefox type about config to displa...

Страница 667: ...authentication and you should consider upgrading Figure 43 6 Configuring Firefox for SSO with Kerberos You now need to ensure that you have Kerberos tickets In a command shell type kinit to retrieve Kerberos tickets To display the list of available tickets type klist The following shows an example output from these commands user host kinit Password for user EXAMPLE COM user host klist Ticket cache...

Страница 668: ...tering nsAuthGSSAPI GetNextToken 1208994096 8d683d8 gss_init_sec_context failed Miscellaneous failure Server not found in Kerberos database This generally indicates a Kerberos configuration problem Make sure that you have the correct entries in the domain_realm section of the etc krb5 conf file For example example com EXAMPLE COM example com EXAMPLE COM If nothing appears in the log it is possible...

Страница 669: ...ctory does not exist 43 4 2 1 PAM Service Files Each PAM aware application or service has a file in the etc pam d directory Each file in this directory has the same name as the service to which it controls access The PAM aware program is responsible for defining its service name and installing its own PAM configuration file in the etc pam d directory For example the login program defines its servi...

Страница 670: ...acking makes it easy for an administrator to require specific conditions to exist before allowing the user to authenticate For example the reboot command normally uses several stacked modules as seen in its PAM configuration file root MyServer cat etc pam d reboot PAM 1 0 auth sufficient pam_rootok so auth required pam_console so auth include system auth account required pam_permit so The first li...

Страница 671: ...ion when no other modules reference the interface Important The order in which required modules are called is not critical Only the sufficient and requisite control flags cause order to become important A newer control flag syntax that allows for more precise control is now available for PAM The pam d man page and the PAM documentation located in the usr share doc pam version number directory wher...

Страница 672: ... This module ensures that if the user is trying to log in as root the tty on which the user is logging in is listed in the etc securetty file if that file exists If the tty is not listed in the file any attempt to log in as root fails with a Login incorrect message auth required pam_unix so nullok This module prompts the user for a password and then checks the password using the information stored...

Страница 673: ...not to prompt the user for a new password Instead it accepts any password that was recorded by a previous password module In this way all new passwords must pass the pam_cracklib so test for secure passwords before being accepted session required pam_unix so The final line instructs the session interface of the pam_unix so module to manage the session This module logs the user name and the service...

Страница 674: ...d by an authentication icon which appears in the notification area of the panel Figure 43 7 The Authentication Icon 43 4 6 1 Removing the Timestamp File Before abandoning a console where a PAM timestamp is active it is recommended that the timestamp file be destroyed To do this from a graphical environment click the authentication icon on the panel This causes a dialog box to appear Click the Forg...

Страница 675: ...n a user logs in to a Red Hat Enterprise Linux system the pam_console so module is called by login or the graphical login programs gdm kdm and xdm If this user is the first user to log in at the physical console referred to as the console user the module grants the user ownership of a variety of devices normally owned by root The console user owns these devices until the last local session for tha...

Страница 676: ...he following value console tty 0 9 0 9 vc 0 9 0 9 43 4 7 2 Application Access The console user also has access to certain programs configured for use in the etc security console apps directory This directory contains configuration files which enable the console user to run certain applications in sbin and usr sbin These configuration files have the same name as the applications that they set up On...

Страница 677: ...imestamp Describes the pam_timestamp so module usr share doc pam version number Contains a System Administrators Guide a Module Writers Manual and the Application Developers Manual as well as a copy of the PAM standard DCE RFC 86 0 where version number is the version number of PAM usr share doc pam version number txts README pam_timestamp Contains information about the pam_timestamp so PAM module ...

Страница 678: ...anagement Refer to Section 43 9 IPTables for information about using firewalls with iptables 43 5 1 TCP Wrappers The TCP Wrappers package tcp_wrappers is installed by default and provides host based access control to network services The most important component within the package is the usr lib libwrap a library In general terms a TCP wrapped service is one that has been compiled against the libw...

Страница 679: ...k service is not linked to libwrap a The following example indicates that usr sbin sshd is linked to libwrap a root myserver ldd usr sbin sshd grep libwrap libwrap so 0 usr lib libwrap so 0 0x00655000 root myserver 43 5 1 1 Advantages of TCP Wrappers TCP Wrappers provide the following advantages over other network service control techniques Transparency to both the client and the wrapped network s...

Страница 680: ...es so any changes to hosts allow or hosts deny take effect immediately without restarting network services Warning If the last line of a hosts access file is not a newline character created by pressing the Enter key the last rule in the file fails and an error is logged to either var log messages or var log secure This is also the case for a rule that spans multiple lines without using the backsla...

Страница 681: ... sshd log deny Note that each option field is preceded by the backslash Use of the backslash prevents failure of the rule due to length This sample rule states that if a connection to the SSH daemon sshd is attempted from a host in the example com domain execute the echo command to append the attempt to a special log file and deny the connection Because the optional deny directive is used this lin...

Страница 682: ...he initial numeric groups of an IP address The following example applies to any host within the 192 168 x x network ALL 192 168 IP address netmask pair Netmask expressions can also be used as a pattern to control access to a particular group of IP addresses The following example applies to any host with an address range of 192 168 0 0 through 192 168 1 255 ALL 192 168 0 0 255 255 254 0 Important W...

Страница 683: ...appers does not support host look ups which means portmap can not use hostnames to identify hosts Consequently access control rules for portmap in hosts allow or hosts deny must use IP addresses or the keyword ALL for specifying hosts Changes to portmap access control rules may not take effect immediately You may need to restart the portmap service Widely used services such as NIS and NFS depend o...

Страница 684: ...mple connections to the SSH daemon from any host in the example com domain are logged to the default authpriv syslog facility because no facility value is specified with a priority of emerg sshd example com severity emerg It is also possible to specify a facility using the severity option The following example logs any SSH connection attempts by hosts from the example com domain to the local0 faci...

Страница 685: ...lso called honey pots It can also be used to send messages to connecting clients The twist directive must occur at the end of the rule line In the following example clients attempting to access FTP services from the example com domain are sent a message using the echo command vsftpd example com twist bin echo 421 This domain has been black listed Access denied For more information about shell comm...

Страница 686: ...able expansions as well as additional access control options refer to section 5 of the man pages for hosts_access man 5 hosts_access and the man page for hosts_options Refer to Section 43 5 5 Additional Resources for more information about TCP Wrappers 43 5 3 xinetd The xinetd daemon is a TCP wrapped super service which controls access to a subset of popular network services including FTP IMAP and...

Страница 687: ...to the var log secure file Adding a directive such as FILE var log xinetdlog would create a custom log file called xinetdlog in the var log directory log_on_success Configures xinetd to log successful connection attempts By default the remote host s IP address and the process ID of the server processing the request are recorded log_on_failure Configures xinetd to log failed connection attempts or ...

Страница 688: ...socket_type stream wait no user root server usr kerberos sbin telnetd log_on_failure USERID disable yes These lines control various aspects of the telnet service service Specifies the service name usually one of those listed in the etc services file flags Sets any of a number of attributes for the connection REUSE instructs xinetd to reuse the socket for a Telnet connection Note The REUSE flag is ...

Страница 689: ...inetd conf man page 43 5 4 3 2 Access Control Options Users of xinetd services can choose to use the TCP Wrappers hosts access rules provide access control via the xinetd configuration files or a mixture of both Refer to Section 43 5 2 TCP Wrappers Configuration Files for more information about TCP Wrappers hosts access control files This section discusses using xinetd to control access to service...

Страница 690: ...ar log messages as follows Sep 7 14 58 33 localhost xinetd 5285 FAIL telnet address from 172 16 45 107 Sep 7 14 58 33 localhost xinetd 5283 START telnet pid 5285 from 172 16 45 107 Sep 7 14 58 33 localhost xinetd 5283 EXIT telnet status 0 pid 5285 duration 0 sec When using TCP Wrappers in conjunction with xinetd access controls it is important to understand the relationship between the two access ...

Страница 691: ...n of the connection between the requesting client machine and the host actually providing the service transferring data between the two systems The advantages of the bind and redirect options are most clearly evident when they are used together By binding a service to a particular IP address on a system and then redirecting requests for this service to a second machine that only the first machine ...

Страница 692: ...ed in either the xinetd conf file or the service specific configuration files in the xinetd d directory max_load Defines the CPU usage or load average threshold for a service It accepts a floating point number argument The load average is a rough measure of how many processes are active at a given time See the uptime who and procinfo commands for more information about load average There are more ...

Страница 693: ...d used by the protocol is inherently insecure as evidenced by the transfer of unencrypted passwords over a network using the traditional FTP and Telnet protocols Kerberos is a way to eliminate the need for protocols that allow unsafe methods of authentication thereby enhancing overall network security 43 6 1 What is Kerberos Kerberos is a network authentication protocol created by MIT and uses sym...

Страница 694: ...o the one host that issues tickets used for authentication called the key distribution center KDC the entire Kerberos authentication system is at risk For an application to use Kerberos its source must be modified to make the appropriate calls into the Kerberos libraries Applications modified in this way are considered to be Kerberos aware or kerberized For some applications this can be quite prob...

Страница 695: ... If a network service such as cyrus IMAP uses GSS API it can authenticate using Kerberos hash Also known as a hash value A value generated by passing a string through a hash function These values are typically used to ensure that transmitted data has not been tampered with hash function A way of generating a digital fingerprint from input data These functions rearrange transpose or otherwise alter...

Страница 696: ... A plain text human readable password 43 6 3 How Kerberos Works Kerberos differs from username password authentication methods Instead of authenticating each user to each network service Kerberos uses symmetric encryption and a trusted third party a KDC to authenticate users to a suite of network services When a user authenticates to the KDC the KDC sends a ticket specific to that session back to ...

Страница 697: ...share doc ntp version number index html for details on setting up Network Time Protocol servers where version number is the version number of the ntp package installed on your system Domain Name Service DNS You should ensure that the DNS entries and hosts on the network are all properly configured Refer to the Kerberos V5 System Administrator s Guide in usr share doc krb5 server version number for...

Страница 698: ...tion about NTP 2 Install the krb5 libs krb5 server and krb5 workstation packages on the dedicated machine which runs the KDC This machine needs to be very secure if possible it should not run any services other than the KDC 3 Edit the etc krb5 conf and var kerberos krb5kdc kdc conf configuration files to reflect the realm name and domain to realm mappings A simple realm can be constructed by repla...

Страница 699: ...ion Type the following kadmin local command at the KDC terminal to create the first principal usr kerberos sbin kadmin local q addprinc username admin 6 Start Kerberos using the following commands sbin service krb5kdc start sbin service kadmin start sbin service krb524 start 7 Add principals for the users using the addprinc command within kadmin kadmin and kadmin local are command line interfaces ...

Страница 700: ...rsh and rlogin services that workstation must have the xinetd package installed Using kadmin add a host principal for the workstation on the KDC The instance in this case is the hostname of the workstation Use the randkey option for the kadmin s addprinc command to create the principal and assign it a random key addprinc randkey host blah example com Now that the principal has been created keys ca...

Страница 701: ...ufficient but in others the realm name which is derived will be the name of a non existant realm In these cases the mapping from the server s DNS domain name to the name of its realm must be specified in the domain_realm section of the client system s krb5 conf For example domain_realm example com EXAMPLE COM example com EXAMPLE COM The above configuration specifies two mappings The first mapping ...

Страница 702: ...ssword Password for jimbo admin EXAMPLE COM kadmin add_principal randkey host slavekdc example com Principal host slavekdc example com EXAMPLE COM created kadmin ktadd host slavekdc example com EXAMPLE COM Entry for principal host slavekdc example com with kvno 3 encryption type Triple DES cbc mode with HMAC sha1 added to keytab WRFILE etc krb5 keytab Entry for principal host slavekdc example com ...

Страница 703: ...e in the B EXAMPLE COM realm both realms must share a key for a principal named krbtgt B EXAMPLE COM A EXAMPLE COM and both keys must have the same key version number associated with them To accomplish this select a very strong password or passphrase and create an entry for the principal in both realms using kadmin kadmin r A EXAMPLE COM kadmin add_principal krbtgt B EXAMPLE COM A EXAMPLE COM Ente...

Страница 704: ...t be able to determine how to obtain credentials for services in that realm First things first the principal name for a service provided from a specific server system in a given realm typically looks like this service server example com EXAMPLE COM In this example service is typically either the name of the protocol in use other common values include ldap imap cvs and HTTP or host server example c...

Страница 705: ...LE ORG DEVEL EXAMPLE COM EXAMPLE COM COM ORG EXAMPLE ORG PROD EXAMPLE ORG DEVEL EXAMPLE COM and EXAMPLE COM share a key for krbtgt EXAMPLE COM DEVEL EXAMPLE COM EXAMPLE COM and COM share a key for krbtgt COM EXAMPLE COM COM and ORG share a key for krbtgt ORG COM ORG and EXAMPLE ORG share a key for krbtgt EXAMPLE ORG ORG EXAMPLE ORG and PROD EXAMPLE ORG share a key for krbtgt PROD EXAMPLE ORG EXAMP...

Страница 706: ...AMPLE COM realm directly Without the indicating this the client would instead attempt to use a hierarchical path in this case A EXAMPLE COM EXAMPLE COM B EXAMPLE COM 43 6 10 Additional Resources For more information about Kerberos refer to the following resources 43 6 10 1 Installed Documentation The Kerberos V5 Installation Guide and the Kerberos V5 System Administrator s Guide in PostScript and ...

Страница 707: ...and KDC 43 6 10 2 Useful Websites http web mit edu kerberos www Kerberos The Network Authentication Protocol webpage from MIT http www nrl navy mil CCS people kenh kerberos faq html The Kerberos Frequently Asked Questions FAQ ftp athena dist mit edu pub kerberos doc usenix PS The PostScript version of Kerberos An Authentication Service for Open Network Systems by Jennifer G Steiner Clifford Neuman...

Страница 708: ...on These VPN solutions irrespective of whether they are hardware or software based act as specialized routers that exist between the IP connection from one office to another 43 7 1 How Does a VPN Work When a packet is transmitted from a client it sends it through the VPN router or gateway which adds an Authentication Header AH for routing and authentication The data is then encrypted and finally e...

Страница 709: ... This phase manages the actual IPsec connection between remote nodes and networks The Red Hat Enterprise Linux implementation of IPsec uses IKE for sharing keys between hosts across the Internet The racoon keying daemon handles the IKE key distribution and exchange Refer to the racoon man page for more information about this daemon 43 7 5 IPsec Installation Implementing IPsec requires that the ips...

Страница 710: ...m the following procedures on the actual machine that you are configuring Avoid attempting to configure and establish IPsec connections remotely 1 In a command shell type system config network to start the Network Administration Tool 2 On the IPsec tab click New to start the IPsec configuration wizard 3 Click Forward to start configuring a host to host IPsec connection 4 Enter a unique name for th...

Страница 711: ...o Section 43 7 7 IPsec Network to Network Configuration Click Forward to continue 8 If manual encryption was selected in step 6 specify the encryption key to use or click Generate to create one a Specify an authentication key or click Generate to generate one It can be any combination of numbers and letters b Click Forward to continue 9 Verify the information on the IPsec Summary page and then cli...

Страница 712: ...ickname etc racoon remote ip conf etc racoon psk txt If automatic encryption is selected etc racoon racoon conf is also created When the interface is up etc racoon racoon conf is modified to include remote ip conf 43 7 6 2 Manual IPsec Host to Host Configuration The first step in creating a connection is to gather system and network information from each workstation For a host to host connection y...

Страница 713: ...ost You should choose a name that is convenient and meaningful for your installation The following is the IPsec configuration file for Workstation A for a host to host IPsec connection with Workstation B The unique name to identify the connection in this example is ipsec1 so the resulting file is called etc sysconfig network scripts ifcfg ipsec1 DST X X X X TYPE IPSEC ONBOOT no IKE_METHOD PSK For ...

Страница 714: ...hange_mode aggressive The default configuration for IPsec on Red Hat Enterprise Linux uses an aggressive authentication mode which lowers the connection overhead while allowing configuration of several IPsec connections with multiple hosts my_identifier address Specifies the identification method to use when authenticating nodes Red Hat Enterprise Linux uses IP addresses to identify nodes encrypti...

Страница 715: ...fs_group 2 Defines the Diffie Hellman key exchange protocol which determines the method by which the IPsec nodes establish a mutual temporary session key for the second phase of IPsec connectivity By default the Red Hat Enterprise Linux implementation of IPsec uses group 2 or modp1024 of the Diffie Hellman cryptographic key exchange groups Group 2 uses a 1024 bit modular exponentiation that preven...

Страница 716: ...ion shows a network to network IPsec tunneled connection Figure 43 11 A network to network IPsec tunneled connection This diagram shows two separate LANs separated by the Internet These LANs use IPsec routers to authenticate and initiate a connection using a secure tunnel through the Internet Packets that are intercepted in transit would require brute force decryption in order to crack the cipher ...

Страница 717: ...rk to Network IPsec Alternate network configuration options include a firewall between each IP router and the Internet and an intranet firewall between each IPsec router and subnet gateway The IPsec router and the gateway for the subnet can be one system with two Ethernet devices one with a public IP address that acts as the IPsec router and one with a private IP address that acts as the gateway f...

Страница 718: ...rk IP address Local Network Gateway The gateway for the private subnet Click Forward to continue Figure 43 13 Local Network Information 8 On the Remote Network page enter the following information Remote IP Address The publicly addressable IP address of the IPsec router for the other private network In our example for ipsec0 enter the publicly addressable IP address of ipsec1 and vice versa Remote...

Страница 719: ... list and then click Activate to activate the connection 12 Enable IP forwarding a Edit etc sysctl conf and set net ipv4 ip_forward to 1 b Use the following command to enable the change root myServer sbin sysctl p etc sysctl conf The network script to activate the IPsec connection automatically creates network routes to send packets through the IPsec router if necessary 43 7 7 2 Manual IPsec Netwo...

Страница 720: ...on in this example is ipsec0 so the resulting file is called etc sysconfig network scripts ifcfg ipsec0 TYPE IPSEC ONBOOT yes IKE_METHOD PSK SRCGW 192 168 1 254 DSTGW 192 168 2 254 SRCNET 192 168 1 0 24 DSTNET 192 168 2 0 24 DST X X X X The following list describes the contents of this file TYPE IPSEC Specifies the type of connection ONBOOT yes Specifies that the connection should initiate on boot...

Страница 721: ...he IPsec connection Note that the include line at the bottom of the file is automatically generated and only appears if the IPsec tunnel is running Racoon IKE daemon configuration file See man racoon conf for a description of the format and entries path include etc racoon path pre_shared_key etc racoon psk txt path certificate etc racoon certs sainfo anonymous pfs_group 2 lifetime time 1 hour encr...

Страница 722: ...ple to view the network packets being transfered between the hosts or networks and verify that they are encrypted via IPsec For example to check the IPsec connectivity of LAN A use the following command root myServer tcpdump n i eth0 host lana example com The packet should include an AH header and should be shown as ESP packets ESP means it is encrypted For example back slashes denote a continuati...

Страница 723: ...nd one or a small pool of public IP addresses masquerading all requests to one source rather than several The Linux kernel has built in NAT functionality through the Netfilter kernel subsystem Can be configured transparently to machines on a LAN Protection of many machines and services behind one or more external IP addresses simplifies administration duties Restriction of user access to and from ...

Страница 724: ...ter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services Netfilter also has the ability to mangle IP header information for advanced routing and connection state management Netfilter is controlled using the iptables tool 43 8 1 1 IPTables Overview The power and flexibility of Netfilter is implemented using the iptables administration tool a command ...

Страница 725: ...ux installation you were given the option to enable a basic firewall as well as to allow specific devices incoming services and ports After installation you can change this preference by using the Security Level Configuration Tool To start this application use the following command root myServer system config securitylevel Figure 43 15 Security Level Configuration Tool Note The Security Level Conf...

Страница 726: ...b servers to serve web pages If you plan on making your Web server publicly available select this check box This option is not required for viewing pages locally or for developing web pages This service requires that the httpd package be installed Enabling WWW HTTP will not open a port for HTTPS the SSL version of HTTP If this service is required select the Secure WWW HTTPS check box FTP The FTP p...

Страница 727: ...wall If Enable firewall was selected the options selected are translated to iptables commands and written to the etc sysconfig iptables file The iptables service is also started so that the firewall is activated immediately after saving the selected options If Disable firewall was selected the etc sysconfig iptables file is removed and the iptables service is stopped immediately The selected optio...

Страница 728: ...use the following command root myServer chkconfig level 345 iptables on This forces iptables to start whenever the system is booted into runlevel 3 4 or 5 43 8 3 1 IPTables Command Syntax The following sample iptables command illustrates the basic command syntax root myServer iptables A chain j target The A option specifies that the rule be appended to chain Each chain is comprised of one or more ...

Страница 729: ... rules and outline some of the rules you might implement in the course of building your iptables firewall 43 8 3 3 Saving and Restoring IPTables Rules Changes to iptables are transitory if the system is rebooted or if the iptables service is restarted the rules are automatically flushed and reset To save the rules so that they are loaded when the iptables service is started use the following comma...

Страница 730: ... There may be times when you require remote access to the LAN Secure services for example SSH can be used for encrypted remote connection to LAN services Administrators with PPP based resources such as modem banks or bulk ISP accounts dial up access can be used to securely circumvent firewall barriers Because they are direct connections modem connections are typically behind a firewall gateway For...

Страница 731: ...o control where packets can be routed within a LAN For example to allow forwarding for the entire LAN assuming the firewall gateway is assigned an internal IP address on eth1 use the following rules root myServer iptables A FORWARD i eth1 j ACCEPT root myServer iptables A FORWARD o eth1 j ACCEPT This rule gives systems behind the firewall gateway access to the internal network The gateway routes p...

Страница 732: ...rnal IP address of the firewall gateway 43 8 5 2 Prerouting If you have a server on your internal network that you want make available externally you can use the j DNAT target of the PREROUTING chain in NAT to specify a destination IP address and port where incoming packets requesting a connection to your internal service can be forwarded For example if you want to forward incoming HTTP requests t...

Страница 733: ...c subnets or even specific nodes within a LAN You can also restrict certain dubious applications or programs such as trojans worms and other client server viruses from contacting their server For example some trojans scan networks for services on ports from 31337 to 31340 called the elite ports in cracking terminology Since there are no legitimate services that communicate via these non standard p...

Страница 734: ...a is transferred on a different port typically port 20 INVALID A packet that is not part of any connections in the connection tracking table You can use the stateful functionality of iptables connection tracking with any network protocol even if the protocol itself is stateless such as UDP The following example shows a rule that uses connection tracking to forward only the packets that are associa...

Страница 735: ... as Netfilter and iptables It includes topics that cover analyzing firewall logs developing firewall rules and customizing your firewall using various graphical tools Linux Firewalls by Robert Ziegler New Riders Press contains a wealth of information on building firewalls using both 2 2 kernel ipchains as well as Netfilter and iptables Additional security topics such as remote access issues and in...

Страница 736: ...ter The built in chains for the filter table are as follows INPUT Applies to network packets that are targeted for the host OUTPUT Applies to locally generated network packets FORWARD Applies to network packets routed through the host The built in chains for the nat table are as follows PREROUTING Alters network packets when they arrive OUTPUT Alters locally generated network packets before they a...

Страница 737: ...s command configures these tables as well as sets up new tables if necessary 43 9 2 Differences Between IPTables and IPChains Both ipchains and iptables use chains of rules that operate within the Linux kernel to filter packets based on matches with specified rules or rule sets However iptables offers a more extensible way of filtering packets giving the administrator greater control without build...

Страница 738: ...ters based on the source or destination of the packet Target Specifies what action is taken on packets matching the above criteria Refer to Section 43 9 3 4 IPTables Match Options and Section 43 9 3 5 Target Options for more information about specific options that address these aspects of a packet The options used with specific iptables rules must be grouped logically based on the purpose and cond...

Страница 739: ...efore adding it to the user specified chain This command can help you construct complex iptables rules by prompting you for additional parameters and options D integer rule Deletes a rule in a particular chain by number such as 5 for the fifth rule in a chain or by rule specification The rule specification must exactly match an existing rule E Renames a user defined chain A user defined chain is a...

Страница 740: ...d chain The rule s number must be specified after the chain s name The first rule in a chain corresponds to rule number one X Deletes a user specified chain You cannot delete a built in chain Z Sets the byte and packet counters in all chains for a table to zero 43 9 3 3 IPTables Parameter Options Certain iptables commands including those used to add append delete insert or replace rules within a p...

Страница 741: ...these modules include LOG MARK and REJECT among others Refer to the iptables man page for more information about these and other targets This option can also be used to direct a packet matching a particular rule to a user defined chain outside of the current chain so that other rules can be applied to the packet If no target is specified the packet moves past the rule with no action taken The coun...

Страница 742: ... the TCP protocol p tcp dport Sets the destination port for the packet To configure this option use a network service name such as www or smtp a port number or a range of port numbers To specify a range of port numbers separate the two numbers with a colon For example p tcp dport 3000 3200 The largest acceptable valid range is 0 65535 Use an exclamation point character after the dport option to ma...

Страница 743: ...be reversed with the exclamation point character 43 9 3 4 2 UDP Protocol These match options are available for the UDP protocol p udp dport Specifies the destination port of the UDP packet using the service name port number or range of port numbers The destination port match option is synonymous with dport sport Specifies the source port of the UDP packet using the service name port number or rang...

Страница 744: ... a number and time modifier are not used the default value of 3 hour is assumed limit burst Sets a limit on the number of packets able to match a rule at one time This option is specified as an integer and should be used in conjunction with the limit option If no value is specified the default value of five 5 is assumed state module Enables state matching The state module enables the following opt...

Страница 745: ...ith a RETURN target matches a rule in a chain called from another chain the packet is returned to the first chain to resume rule checking where it left off If the RETURN rule is used on a built in chain and the packet cannot move up to its previous chain the default target for the current chain is used In addition extensions are available which allow other targets to be specified These extensions ...

Страница 746: ...es each chain has processed the number of packets and bytes each rule has matched and which interfaces apply to a particular rule x Expands numbers into their exact values On a busy system the number of packets and bytes processed by a particular chain or rule may be abbreviated to Kilobytes Megabytes Megabytes or Gigabytes This option forces the full number to be displayed n Displays IP addresses...

Страница 747: ... way to distribute sets of iptables rules to multiple machines You can also save the iptables rules to a separate file for distribution backup or other purposes To save your iptables rules type the following command as root root myserver iptables save filename where filename is a user defined name for your ruleset Important If distributing the etc sysconfig iptables file to other machines type sbi...

Страница 748: ...s This option only works if the ipchains kernel module is not loaded If the IPTABLES_SAVE_ON_RESTART directive in the etc sysconfig iptables config configuration file is changed from its default value to yes current rules are saved to etc sysconfig iptables and any existing rules are moved to the file etc sysconfig iptables save Refer to Section 43 9 5 1 IPTables Control Scripts Configuration File...

Страница 749: ...es current firewall rules to etc sysconfig iptables when the firewall is stopped This directive accepts the following values yes Saves existing rules to etc sysconfig iptables when the firewall is stopped moving the previous version to the etc sysconfig iptables save file no The default value Does not save existing rules when the firewall is stopped IPTABLES_SAVE_ON_RESTART Saves current firewall ...

Страница 750: ...ive IPTABLES_MODULES the equivalent in the ip6tables config file is IP6TABLES_MODULES 43 9 7 Additional Resources Refer to the following sources for additional information on packet filtering with iptables Section 43 8 Firewalls Contains a chapter about the role of firewalls within an overall security strategy as well as strategies for constructing firewall rules 43 9 7 1 Installed Documentation m...

Страница 751: ...ss Control MAC Mandatory Access Control MAC is a security mechanism that restricts the level of control that users subjects have over the objects that they create Unlike in a DAC implementation where users have full control over their own files directories etc MAC adds additional labels or categories to all file system objects Users and processes must have the appropriate access to these categorie...

Страница 752: ...Running a MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system SELinux defines the access and transition rights of every user application process and file on the system SELinux then governs the interactions of these entities using a security policy that specifies how strict or lenient a given Red Hat Enterprise Linux installation should be On a...

Страница 753: ...do file system contains commands that are most commonly used by the kernel subsystem This type of file system is similar to the proc pseudo file system Administrators and users do not normally need to manipulate this component The following example shows sample contents of the selinux directory rw rw rw 1 root root 0 Sep 22 13 14 access dr xr xr x 1 root root 0 Sep 22 13 14 booleans w 1 root root ...

Страница 754: ...s not enforce policy This is useful for debugging and troubleshooting purposes In permissive mode more denials are logged because subjects can continue with actions that would otherwise be denied in enforcing mode For example traversing a directory tree in permissive mode produces avc denied messages for every directory level read In enforcing mode SELinux would have stopped the initial traversal ...

Страница 755: ...can be turned on or off using Boolean values controlled by the SELinux Administration Tool system config selinux Setting a Boolean value for a targeted daemon to 0 zero disables policy transition for the daemon For example you can set dhcpd_disable_trans to 0 to prevent init from transitioning dhcpd from the unconfined_t domain to the domain specified in dhcpd te Use the getsebool a command to lis...

Страница 756: ...n enforcing mode setenforce 0 SELinux runs in permissive mode To actually disable SELinux you need to either specify the appropriate setenforce parameter in etc sysconfig selinux or pass the parameter selinux 0 to the kernel either in etc grub conf or at boot time usr sbin sestatus v Displays the detailed status of a system running SELinux The following example shows an excerpt of sestatus v outpu...

Страница 757: ...nt project from the National Security Agency NSA 1 and others It is an implementation of the Flask operating system security architecture 2 The NSA integrated SELinux into the Linux kernel using the Linux Security Modules LSM framework SELinux motivated the creation of LSM at the suggestion of Linus Torvalds who wanted a modular approach to security instead of just accepting SELinux into the kerne...

Страница 758: ...artments within sensitivity levels and enforce the need to know security principle Refer to Section 44 6 Multi Level Security MLS for more information about Multi Level Security 44 4 1 1 What is Multi Category Security MCS is an adaptation of MLS From a technical point of view MCS is a policy change combined with a few userland modifications to hide some of the unneeded MLS technology Some kernel ...

Страница 759: ...4 Multi Category Security MCS and introduces some basic examples of usage 44 5 1 Introduction MCS labeling from a user and system administrator standpoint is straightforward It consists of configuring a set of categories which are simply text labels such as Company_Confidential or Medical_Records and then assigning users to those categories The system administrator first configures the categories ...

Страница 760: ...stem_r user_u user s0 s0 s0 c0 c1023 system_r sysadm_r user_r Refer to Section 44 8 3 Understanding the Users and Roles in the Targeted Policy for more information about SELinux users and roles SELinux Logins One of the properties of targeted policy is that login users all run in the same security context From a TE point of view in targeted policy they are security equivalent To effectivly use MCS...

Страница 761: ...e the chcat L command to list the current categories root dhcp 133 chcat L s0 s0 s0 c0 c1023 SystemLow SystemHigh s0 c0 c1023 SystemHigh To modify the categories or to start creating your own modify the etc selinux selinuxtype setrans conf file For the example introduced above add the Marketing Finance Payroll and Personnel categories as follows this example uses the targeted policy and irrelevant...

Страница 762: ...sers root dhcp 133 chcat L l daniel james olga daniel Finance Payroll james Marketing olga Personnel You can add further Linux users assign them to SELinux user identities and then assign categories to them as required For example if the company director also requires a user account with access to all categories follow the same procedure as above Create a user account for the company director Karl...

Страница 763: ... financeRecords txt rw r r daniel daniel user_u object_r user_home_t financeRecords txt Notice that at this stage the file has the default context for a file created in the user s home directory user_home_t and has no categories assigned to it We can add the required category using the chcat command Now when you check the security context of the file you can see the category has been applied danie...

Страница 764: ...those employed by businesses and other organizations Having information of different security levels on the same computer systems poses a real threat It is not a straight forward matter to isolate different information security levels even though different users log in using different accounts with different permissions and different access controls Some organizations go as far as to purchase dedi...

Страница 765: ... 6 1 1 The Bell La Padula Model BLP SELinux like most other systems that protect multi level data uses the BLP model This model specifies how information can flow within the system based on labels attached to each subject and object Refer to the following diagram ...

Страница 766: ...4 6 1 2 MLS and System Privileges MLS access rules are always combined with conventional access permissions file permissions For example if a user with a security level of Secret uses Discretionary Access Control DAC to block access to a file by other users this also blocks access by users with a security level of Top Secret A higher security clearance does not automatically give permission to arb...

Страница 767: ...ce to access an Object of a particular classification For example under MLS the system needs to know how to process a request such as Can a process running with a clearance of Top Secret UFO Rail gun write to a file classified as Top Secret UFO The MLS model and the policy implemented for it will determine the answer Consider for example the problem of information leaking out of the Rail gun categ...

Страница 768: ...e of an application or the content of a document For example a file can have any type of content and be for any purpose but if it belongs to a user and exists in that user s home directory it is considered to be of a specific security type user_home_t These object types are considered alike because they are accessible in the same way by the same set of subjects Similarly processes tend to be of th...

Страница 769: ...he existing policy which facilitate the writing of new policy These rules are preprocessed into many additional rules as part of building the policy conf file which is compiled into the binary policy Access rights are divided differently among domains and no domain is required to act as a master for all other domains Moving between domains is controlled by the policy through login programs userspa...

Страница 770: ...vel Makefile To help applications that need the various SELinux paths libselinux provides a number of functions that return the paths to the different configuration files and directories This negates the need for applications to hard code the paths especially since the active policy location is dependent on the SELINUXTYPE setting in etc selinux config For example if SELINUXTYPE is set to strict t...

Страница 771: ... the policy into the kernel 6 By this stage of the process the policy is fully loaded into the kernel The initial SIDs are then mapped to security contexts in the policy In the case of the targeted policy the new domain is user_u system_r unconfined_t The kernel can now begin to retrieve security contexts dynamically from the in kernel security server 7 init then re executes itself so that it can ...

Страница 772: ... is an overview and examination of the SELinux targeted policy the current supported policy for Red Hat Enterprise Linux Much of the content in this chapter is applicable to all types of SELinux policy in terms of file locations and the type of content in those files The difference lies in which files exist in the key locations and their contents 44 8 1 What is the Targeted Policy The SELinux poli...

Страница 773: ...in every role which significantly reduces the usefulness of roles in the targeted policy More extensive use of roles requires a change to the strict policy paradigm where every process runs in an individually considered domain Effectively there are only two roles in the targeted policy system_r and object_r The initial role is system_r and everything else inherits that role The remaining roles are...

Страница 774: ...d as a placeholder in the label sysadm_r This is the system administrator role in a strict policy If you log in directly as the root user the default role may actually be staff_r If this is true use the newrole r sysadm_r command to change to the SELinux system administrator role to perform system administration tasks In the targeted policy the following retain sysadm_r for compatibility sysadm_r ...

Страница 775: ...eted Policy 749 The one exception is the SELinux user root You may notice root as the user identity in a process s context This occurs when the SELinux user root starts daemons from the command line or restarts a daemon originally started by init ...

Страница 776: ...750 ...

Страница 777: ...ecurity context must now be considered in terms of the label of the file the process accessing it and the directories where the operation is happening Because of this moving and copying files with mv and cp may have unexpected results Copying Files SELinux Options for cp Unless you specify otherwise cp follows the default behavior of creating a new file based on the domain of the creating process ...

Страница 778: ...ile s type cp Makes a copy of the file using the default behavior based on the domain of the creating process cp and the type of the target directory cp p Makes a copy of the file preserving the specified attributes and security contexts if possible The default attributes are mode ownership and timestamps Additional attributes are links and all cp Z user role type Makes a copy of the file with the...

Страница 779: ...and to inspect the security context of a different user That is you can only display the security context of the currently logged in user user localhost id uid 501 user gid 501 user groups 501 user context user_u system_r unconfined_t user localhost id root uid 0 root gid 0 root groups 0 root 1 bin 2 daemon 3 sys 4 adm 6 disk 10 wheel user localhost id Z root id cannot display context when selinux...

Страница 780: ...has the wrong security label and you address this by using a relabeling operation such as restorecon you must restart mysqld after the relabeling operation Setting the executable file to have the correct type mysqld_exec_t ensures that it transitions to the proper domain when started Use the chcon command to change a file to the correct type You need to know the correct type that you want to apply...

Страница 781: ...unlabeled file Use the restorecon command to restore files to the default values according to the policy There are two other methods for performing this operation that work on the entire file system fixfiles or a policy relabeling operation Each of these methods requires superuser privileges Cautions against both of these methods appear in Section 45 2 2 Relabeling a File System The following exam...

Страница 782: ...te how to create such an archive You need to use the appropriate xattr and H exustar options to ensure that the extra attributes are captured and that the header for the star file is of a type that fully supports xattrs Refer to the man page for more information about these and other options The following example illustrates the creation and extraction of a set of html files and directories Note t...

Страница 783: ...ser auser httpd_sys_content_t 1 html rw rw r auser auser httpd_sys_content_t 2 html rw rw r auser auser httpd_sys_content_t 3 html rw rw r auser auser httpd_sys_content_t 4 html rw rw r auser auser httpd_sys_content_t 5 html rw rw r auser auser httpd_sys_content_t index html tmp web_files rw rw r auser auser user_u object_r user_home_t 1 html rw rw r auser auser user_u object_r user_home_t 2 html ...

Страница 784: ...es information about the security contexts of a series of files that are specified in etc sestatus conf root localhost sestatus v SELinux status enabled SELinuxfs mount selinux Current mode enforcing Mode from config file enforcing Policy version 21 Policy from config file targeted Process contexts Current context user_u system_r unconfined_t Init context system_u system_r init_t sbin mingetty sys...

Страница 785: ...ng some processes may continue running with an incorrect context Manually ensuring that all the daemons are restarted and running in the correct context can be difficult Use the following procedure to relabel a file system using this method touch autorelabel reboot At boot time init rc checks for the existence of autorelabel If this file exists SELinux performs a complete file system relabel using...

Страница 786: ...g the Security Context of Entire File Systems explains how to mount a directory so that httpd can execute scripts If you do this for user home directories it gives the Apache HTTP Server increased access to those directories Remember that a mountpoint label applies to the entire mounted file system Future versions of the SELinux policy address the functionality of NFS 45 2 4 Granting Access to a D...

Страница 787: ...tenforce command to change between permissive and enforcing modes at runtime Use setenforce 0 to enter permissive mode use setenforce 1 to enter enforcing mode The sestatus command displays the current mode and the mode from the configuration file referenced during boot sestatus grep i mode Current mode permissive Mode from config file permissive Note that changing the runtime enforcement does not...

Страница 788: ...ost2a getsebool httpd_disable_trans httpd_disable_trans off root host2a togglesebool httpd_disable_trans httpd_disable_trans active You can configure all of these settings using system config selinux The same configuration files are used so changes appear bidirectionally Changing a Runtime Boolean Use the following procedure to change a runtime boolean using the GUI Note Administrator privileges a...

Страница 789: ...u make to files while SELinux is disabled may give them an unexpected security label and new files will not have a label You may need to relabel part or all of the file system after re enabling SELinux From the command line you can edit the etc sysconfig selinux file This file is a symlink to etc selinux config The configuration file is self explanatory Changing the value of SELINUX or SELINUXTYPE...

Страница 790: ...oint to Administration and then click Security Level and Firewall to display the Security Level Configuration dialog box 2 Click the SELinux tab 3 In the SELinux Setting select either Disabled Enforcing or Permissive and then click OK 4 If you changed from Enabled to Disabled or vice versa you need to restart the machine for the change to take effect Changes made using this dialog box are immediat...

Страница 791: ...tructure for the required policy exists under etc selinux 2 On the System menu point to Administration and then click Security Level and Firewall to display the Security Level Configuration dialog box 3 Click the SELinux tab 4 In the Policy Type list select the policy that you want to load and then click OK This list is only visible if more than one policy is installed 5 Restart the machine for th...

Страница 792: ...and that supports xattrs or a network file system that obtains a genfs label such as cifs_t or nfs_t For example if you need the Apache HTTP Server to read from a mounted directory or loopback file system you need to set the type to httpd_sys_content_t mount t nfs o context system_u object_r httpd_sys_content_t server1 example com shared scripts var www cgi Tip When troubleshooting httpd and SELin...

Страница 793: ...idered to be part of the command In this example bin contexttest is a user defined script runcon t httpd_t bin contexttest ARG1 ARG2 You can also specify the entire context as follows runcon user_u system_r httpd_t bin contexttest 45 2 12 Useful Commands for Scripts The following is a list of useful commands introduced with SELinux and which you may find useful when writing scripts to help adminis...

Страница 794: ...ELinux 45 3 Analyst Control of SELinux This section describes some common tasks that a security analyst might need to perform on an SELinux system 45 3 1 Enabling Kernel Auditing As part of an SELinux analysis or troubleshooting exercise you might choose to enable complete kernel level auditing This can be quite verbose because it generates one or more additional audit messages for each AVC audit ...

Страница 795: ...0 name home auser public_html inode 921135 dev 00 00 The serial number stamp is always identical for a particular audited event The time stamp may or may not be identical Note If you are using an audit daemon for troubleshooting the daemon may capture audit messages into a location other than var log messages such as var log audit audit log 45 3 2 Dumping and Viewing Logs The Red Hat Enterprise Li...

Страница 796: ...770 ...

Страница 797: ...further customization functionality 46 1 1 Modular Policy Red Hat Enterprise Linux introduces the concept of modular policy This allows vendors to ship SELinux policy separately from the operating system policy It also allows administrators to make local changes to policy without worrying about the next policy install The most important command that was added was semodule semodule is the tool used...

Страница 798: ...t is not preventing any applications form running as intended it does interrupt the normal work flow of the user Creating a local policy module addresses this issue 46 2 1 Using audit2allow to Build a Local Policy Module The audit2allow utility now has the ability to build policy modules Use the following command to build a policy module based on specific contents of the audit log file ausearch m ...

Страница 799: ...dule does not need to access the file descriptor 46 2 3 Loading the Policy Package The last step in the process of creating a local policy module is to load the policy package into the kernel Use the semodule command to load the policy package root host2a semodule i mysemanage pp This command recompiles the policy file and regenerates the file context file The changes are permanent and will surviv...

Страница 800: ...774 ...

Страница 801: ...oc php docid 21959 amp group_id 21266 1 Red Hat Knowledgebase http kbase redhat com General Information NSA SELinux main website http www nsa gov research selinux index shtml NSA SELinux FAQ http www nsa gov research selinux faqs shtml Fedora SELinux FAQ http docs fedoraproject org selinux faq SELinux NSA s Open Source Security Enhanced Linux http www oreilly com catalog selinux Technology An Over...

Страница 802: ... gov research _files selinux papers policy policy shtml Community SELinux community page http selinux sourceforge net IRC irc freenode net rhel selinux History Quick history of Flask http www cs utah edu flux fluke html flask html Full background on Fluke http www cs utah edu flux fluke html index html ...

Страница 803: ...ienced Red Hat experts our certification programs measure competency on actual live systems and are in great demand by employers and IT professionals alike Choosing the right certification depends on your background and goals Whether you have advanced minimal or no UNIX or Linux experience whatsoever Red Hat Training has a training and certification path that is right for you ...

Страница 804: ......

Страница 805: ...prior to arrival to ensure the training venue is prepared to run Red Hat Enterprise Linux Red Hat or JBoss courses and or Red Hat certification exams Onsites are a great way to train large groups at once Open enrollment can be leveraged later for incremental training For more information visit http www redhat com explore onsite eLearning Fully updated for Red Hat Enterprise Linux 4 No time for cla...

Страница 806: ...780 ...

Страница 807: ...eer RHCE Red Hat Certified Engineer began in 1999 and has been earned by more than 20 000 Linux experts Called the crown jewel of Linux certifications independent surveys have ranked the RHCE program 1 in all of IT Red Hat Certified Security Specialist RHCSS An RHCSS has RHCE security knowledge plus specialized skills in Red Hat Enterprise Linux Red Hat Directory Server and SELinux to meet the sec...

Страница 808: ...782 ...

Страница 809: ... and customizing a Red Hat system for common command line processes and desktop productivity roles and who is ready to learn system administration RH133 50 1 3 Audience Users who are new to Linux and have no prior UNIX or command line skills who want to develop and practice the basic skills to use and control their own Red Hat Linux system 50 1 4 Course Objectives 1 Understand the Linux file syste...

Страница 810: ...784 50 1 5 Follow on Courses RH133 Red Hat Linux Sys Admin RH253 Red Hat Linux Net and Sec Admin RH300 Red Hat Linux RHCE Rapid Track I would enthusiastically recommend this course to anyone interested in Linux Mike Kimmel ITT Systems Division ...

Страница 811: ...vel experience as an IT professional no prior UNIX or Linux experience required 51 1 2 Goal A Red Hat Enterprise Linux power user familiar with common command line processes who can perform some system administration tasks using graphical tools The individual will also be ready to develop a deeper understanding of Red Hat Enterprise Linux system administration RH133 51 1 3 Audience The typical stu...

Страница 812: ...essionals 786 RH253 Red Hat Linux Net and Sec Admin p 9 RH300 Red Hat Linux RHCE Rapid Track p 10 All in all I would rate this training experience as one of the best I have ever attended and I ve been in this industry for over 15 years Bill Legge IT Consultant ...

Страница 813: ...ich can be proved by passing the RHCT Exam The exam is a performance based lab exam that tests actual ability to install configure and attach a new Red Hat Linux system to an existing production network 52 1 3 Audience Linux or UNIX users who understand the basics of Red Hat Linux and desire further technical training to begin the process of becoming a system administrator 52 1 4 Course Objectives...

Страница 814: ...nux System Administration and Red Hat Certified Technician RHCT Certification 788 11 Perform performance memory and process mgmt 12 Configure basic host security 52 1 5 Follow on Courses RH253 Red Hat Linux Net and Sec Admin p 9 ...

Страница 815: ...1 Course Description The RHCT Red Hat Certified Technician is a hands on performance based exam testing candidates actual skills in installing configuring and troubleshooting Red Hat Enterprise Linux The Certification Lab Exam is bundled with RH133 but individuals who have mastered the content of RH033 and RH133 can take just the exam 53 1 1 Prerequisites Candidates should consider taking RH033 an...

Страница 816: ...790 ...

Страница 817: ...el 54 1 3 Audience Linux or UNIX system administrators who already have some real world experience with Red Hat Enterprise Linux systems administration want a first course in networking services and security and want to build skills at configuring common network services and security administration using Red Hat Enterprise Linux 54 1 4 Course Objectives 1 Networking services on Red Hat Linux serve...

Страница 818: ...ng and Security Administration 792 12 Overview of OSS security tools 54 1 5 Follow on Courses RH302 RHCE Certification Exam This course was excellent The teacher was fantastic his depth of knowledge is amazing Greg Peters Future Networks USA ...

Страница 819: ...er in UNIX or Linux environments 55 1 2 Goal Upon successful completion of this course individuals will be a Red Hat Linux system administrator who has been trained and then tested using the RHCE Exam 55 1 3 Audience UNIX or Linux system administrators who have significant real world experience and who want a fast track course to prepare for the RHCE Exam 55 1 4 Course Objectives 1 Hardware and In...

Страница 820: ...794 ...

Страница 821: ...performance based testing of actual skills in Red Hat Linux installation configuration debugging and setup of key networking services 56 1 1 Prerequisites See RH300 course prerequisites For further information please refer to the RHCE Exam Prep Guide www redhat com training rhce examprep html 56 1 2 Content 1 Section I Troubleshooting and System Maintenance 2 5 hrs 2 Section II Installation and Co...

Страница 822: ...796 ...

Страница 823: ...the outset 57 1 2 Goal This class advances beyond the essential security coverage offered in the RHCE curriculum and delves deeper into the security features capabilities and risks associated with the most commonly deployed services 57 1 3 Audience The audience for this course includes system administrators consultants and other IT professionals responsible for the planning implementation and main...

Страница 824: ...urity 11 Basics of intrusion response 57 1 5 Follow on Courses RH401 Red Hat Enterprise Deployment and System Mgmt RH423 Red Hat Enterprise Directory Services and Authentication RH436 Red Hat Enterprise Storage Mgmt RH442 Red Hat Enterprise System Monitoring and Performance Tuning ...

Страница 825: ...ification are strongly advised to contact Red Hat Global Learning Services for a skills assessment when they enroll 58 1 2 Goal RH401 trains senior system administrators to manage large numbers of Enterprise Linux servers in a variety of roles and or manage them for mission critical applications that require failover and load balancing Further RH401 is benchmarked on expert level competencies in m...

Страница 826: ...prise Security Securing Network Services RH423 Red Hat Enterprise Directory Services and Authentication RH436 Red Hat Enterprise Storage Mgmt RH442 Red Hat Enterprise System Monitoring and Performance Tuning After taking RH401 I am completely confident that I can implement enterprise scale high availability solutions end to end Barry Brimer Bunge North America ...

Страница 827: ... Learning Services for a skills assessment when they enroll 59 1 2 Goal RH423 trains senior system administrators to manage and deploy directory services on and for Red Hat Enterprise Linux systems Gaining an understanding of the basic concepts configuration and management of LDAP based services is central to this course Students will integrate standard network clients and services with the direct...

Страница 828: ...at Enterprise Directory services and authentication 802 RH401 Red Hat Enterprise Deployment and Systems Management RH436 Red Hat Enterprise Storage Mgmt p 16 RH442 Red Hat Enterprise System Monitoring and Performance Tuning ...

Страница 829: ...ult SELinux is enabled on Red Hat Enterprise Linux systems enforcing a set of mandatory access controls that Red Hat calls the targeted policy These access controls substantially enhance the security of the network services they target but can sometimes affect the behavior of third party applications and scripts that worked on previous versions of Red Hat Enterprise Linux 60 2 RHS429 Red Hat Enter...

Страница 830: ...804 ...

Страница 831: ...without RHCE certification are encouraged to verify skills with Red Hat s free online pre assessment tests 61 1 2 Goal This course is designed to train people with RHCE level competency on skills required to deploy and manage highly available storage data to the mission critical enterprise computing environment Complementing skills gained in RH401 this course delivers extensive hands on training w...

Страница 832: ...Securing Network Services RH401 Red Hat Enterprise Deployment and Systems Management RH423 Red Hat Enterprise Directory Services and Authentication RH442 Red Hat Enterprise System Monitoring and Performance Tuning The class gave me a chance to use some of the latest Linux tools and was a reminder of the benefits of using Linux for high availability systems Paul W Frields FBI Operational Technology...

Страница 833: ...inux This class will cover 1 A discussion of system architecture with an emphasis on understanding the implications of system architecture on system performance 2 Methods for testing the effects of performance adjustments benchmarking 3 Open source benchmarking utilities 4 Methods for analyzing system performance and networking performance 5 Tuning configurations for specific application loads 62 ...

Страница 834: ...mance tuning considerations 8 Tuning for specific configurations 62 1 5 Follow on Courses RHS333 Enterprise Security Securing Network Services RH401 Red Hat Enterprise Deployment and Systems Management RH423 Red Hat Enterprise Directory Services and Authentication RH436 Red Hat Enterprise Storage Mgmt ...

Страница 835: ...the course students will understand the Linux architecture hardware and memory management modularization and the layout of the kernel source and will have practiced key concepts and skills for development of character block and network drivers 63 3 RHD236 Red Hat Linux Kernel Internals http www redhat com training developer courses rhd236 html This course is designed to provide a detailed examinat...

Страница 836: ...810 ...

Страница 837: ...p www redhat com training jboss courses rhd163 html JBoss for Web Developers focuses on web tier technologies in the JBoss Enterprise Middleware System JEMS product stack We cover details on JBoss Portal how to create and deploy portlets integrating portlets with other web tier frameworks such as JavaServer Faces JSF and configuring and tuning the Tomcat web container embedded in JBoss Application...

Страница 838: ... are looking for an introduction to object oriented software development Database administrators who are interested in how ORM may affect performance and how to tune the performance of the SQL database management system and persistence layer will also find this course of value This course covers the JBoss Inc implementation of the JSR 220 sub specification for Java Persistence and it covers the fo...

Страница 839: ...5 RHD261 JBOSS for advanced J2EE developers http www redhat com training jboss courses rhd261 html JBoss for Advanced J2EE Developers is targeted toward J2EE professionals who wish to take advantage of the JBoss Application Server internal architecture to enhance the functionality and performance of J2EE applications on the JBoss Application Server This course covers topics such as JMX and those b...

Страница 840: ...upporting Java applications with XML configurations however is strongly recommended 64 6 2 Course Summary JBoss for Administrators is targeted toward application support individuals such as system administrators configuration management and quality assurance personnel who wish to become proficient in configuring and administrating the JBoss application server 3 2 x and 4 x series and the applicati...

Страница 841: ...eier Arizona Statue University USA 64 8 RHD449 JBoss jBPM http www redhat com training jboss courses rhd449 html 64 8 1 Description JBoss jBPM training is targeted for system architects and developers who work closely with business analysts and are responsible for bringing business processes into J2EE environment using jBPM as a BPM engine In addition The JBoss jBPM training will provide students ...

Страница 842: ...ay be embedded in J2SE and J2EE applications This course will be a complimentary course to any future courses on rule management using future releases of Jboss Rules 64 9 1 Prerequisites 1 Basic Java competency 2 Some understanding of what constitutes an inferencing rule engine versus a scripting engine 3 Viewing of the Jboss Rules webinars and demos is recommended but not required 4 Java EE speci...

Страница 843: ... sbin racoon not sbin racoon Resolve BZ 510847 missing footnotes in PDF output Resolve BZ 510851 rewrite proc cmdline minor section to make more sense Resolve BZ 515613 correct location of RHEL5 GPG keys and key details Resolve BZ 523070 various minor fixes redhatprovides to rpm q whatprovides Revision 6 Wed Sep 02 2009 Douglas Silas dhensley redhat com Resolve BZ 492539 This directive is useful t...

Страница 844: ...818 ...

Страница 845: ...inistration Michael Behm System Administration Paul Kennedy Storage Melissa Goldin Red Hat Network Honoring those who have gone before Sandra Moore Edward C Bailey Karsten Wade Mark Johnson Andrius Benokraitis Lucy Ringland Honoring engineering efforts Jeffrey Fearn Technical Editing Michael Behm Graphic Artist Andrew Fitzsimon The Red Hat Localization Team consists of the following people East As...

Страница 846: ...Roe German Jasna Dimanoski Verena Furhuer Bernd Groh Daniela Kugelmann Timo Trinks Italian Francesco Valente Brazilian Portuguese Glaucia de Freitas Leticia de Lima David Barzilay Spanish Angela Garcia Gladys Guerrero Yelitza Louze Manuel Ospina Russian Yuliya Poyarkova Indic Languages Bengali Runa Bhattacharjee ...

Страница 847: ...821 Gujarati Ankitkumar Rameshchandra Patel Sweta Kothari Hindi Rajesh Ranjan Malayalam Ani Peter Marathi Sandeep Shedmake Punjabi Amanpreet Singh Alam Jaswinder Singh Tamil I Felix N Jayaradha ...

Страница 848: ...822 ...

Отзывы:

Нет отзывов

Похожие инструкции для ENTERPRISE LINUX 5 - VIRTUAL SERVER ADMINISTRATION

70 MC - ZR70MC MiniDV Digital Camcorder

Бренд: Canon Страницы: 57

Бренд: Nero Страницы: 76

Remote Client Software V 4.0.1

Бренд: Q-See Страницы: 72

OpenView Storage Area Manager (SAM) 3.1

Бренд: HP Страницы: 13

Бренд: HP Страницы: 85

Pro 3405 Series

Бренд: HP Страницы: 9

Бренд: HP Страницы: 2

Pavilion u600 - Desktop PC

Бренд: HP Страницы: 2

Бренд: HP Страницы: 12

Pavilion w1000 - Desktop PC

Бренд: HP Страницы: 1

Pro 3520 Series

Бренд: HP Страницы: 15

Бренд: HP Страницы: 4

Бренд: HP Страницы: 4

Pro 3500 Series

Бренд: HP Страницы: 16

Бренд: HP Страницы: 95

Бренд: HP Страницы: 106

Бренд: HP Страницы: 201

Бренд: HP Страницы: 139

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды