############################
Everything below is my raw notes that I took while attending an unofficial RHCSA training session. I am posting them here in hopes they will assist others who may be preparing to take this exam. My notes are my own interpretation of the lectures, and are certainly not a replacement for classroom training either through your company, or by taking the official RHCSA classes offered through Red Hat. If you are new to the Red Hat world, I strongly suggest looking into their training courses over at Red Hat.
############################

For all of the following problems:
- SELinux must be activated in enforcing mode.
- The 'X' sign represents your station number.
- The RHEL 6.1 repository url is: http://server1.example.com/isos/RHEL-6.1-x86_64/Server

0) Set up access to the yum repository provided above. Install setroubleshoot.

NOTES:
[[email protected] ~]# vi /etc/yum.repos.d/myrepo.repo
...
[myrepo]
name = my repo
gpgcheck = 0
baseurl=http://server1.example.com/isos/RHEL-6.1-x86_64/Server
...
[[email protected] ~]# yum install setroubleshoot
[[email protected] ~]# service auditd restart

STATUS: COMPLETE
--
1) Fix your machine so that it will present a graphical login prompt upon bootup.

NOTES:
[[email protected] ~]# vi /etc/inittab
# change
id:4:initdefault:
# to
id:5:initdefault:

STATUS: COMPLETE
--
2) Replace your DHCP-assigned IP configuration with a static network setup. Your machine should stay in the same subnet, using the same default gateway and DNS server, as well as the same IP address and netmask, but it will be set up statically instead of dynamically.

NOTES:
[[email protected] ~]# service NetworkManager stop
[[email protected] ~]# chkconfig NetworkManager off
[[email protected] ~]# setup
Put in static configuration

STATUS: COMPLETE
--
3) Add 1GiB of swap space to your machine using a raw device.

NOTES:
[[email protected] ~]# fdisk /dev/sda
n
e
default
default
n
default
+1G
t
5
82
w
[[email protected] ~]# reboot
[[email protected] ~]# mkswap /dev/sda5
[[email protected] ~]# swapon /dev/sda5
[[email protected] ~]# vi /etc/fstab
...
/dev/sda5 swap swap defaults 0 0
...

STATUS: COMPLETE
--
4) Create user accounts named "student", "mike", and "linus" each with passwords of "redhat" and belonging to a secondary group called "rhce".

NOTES:
[[email protected] ~]# groupadd rhce
[[email protected] ~]# for i in student mike linus; do useradd -G rhce "$i"; done
[[email protected] ~]# for i in student mike linus; do passwd "$i"; done

STATUS: COMPLETE
--
5) Restrict the "rhce" group to own no more than 1GiB of data and up to 1000 files in the /home filesystem.

NOTES:
[[email protected] ~]# vi /etc/fstab
# change
/dev/mapper/VolGroup00-LogVol01 /home ext4 defaults 1 2
# to
/dev/mapper/VolGroup00-LogVol01 /home ext4 defaults,usrquota,grpquota 1 2
[[email protected] ~]# umount /home
[[email protected] ~]# mount -a
[[email protected] ~]# quotacheck -mavug
[[email protected] ~]# quotaon -a
[[email protected] ~]# edquota -g rhce
...
/dev/mapper/VolGroup00-LogVol01 40 0 1048576 5 0 1000
...
# Quota derived from: echo $((1024*1024))
# edquota block limits are in 1 KiB blocks, so 1048576 blocks = 1GiB
[[email protected] ~]# repquota -g /home

STATUS: COMPLETE
--
6) Set up a /home/rhce directory to facilitate collaboration among the rhce group. Each member should be able to create files and modify each other's files, but should not be able to delete anyone else's files in this directory.

NOTES:
[[email protected] ~]# mkdir /home/rhce
[[email protected] ~]# chown root:rhce /home/rhce
[[email protected] ~]# chmod 770 /home/rhce
[[email protected] ~]# chmod +t /home/rhce
[[email protected] ~]# chmod g+s /home/rhce

STATUS: COMPLETE
--
7) Configure your machine to be an NIS client of server1 for authenticating users in the example.com domain. You should then be able to login with a username of "stationX" using "stationX" for the password.

NOTES:
[[email protected] ~]# setup
--> Authentication configuration
Select: NIS and Kerberos
Domain: example.com
Server: server1
Check both boxes at bottom

# Now let's just do the automount stuff for completion
[[email protected] ~]# showmount -e server1
[[email protected] ~]# vi /etc/auto.master
...
/home/nis /etc/auto.nis
...
[[email protected] ~]# vi /etc/auto.nis
...
* server1.example.com:/home/nis/&
...
[[email protected] ~]# service autofs restart
[[email protected] ~]# ssh [email protected]
# And verify you have your home dir

STATUS: COMPLETE
--
8) Expand the filesystem on /home to 3GiB in size.

NOTES:
[[email protected] ~]# lvresize -r -L 3G /dev/mapper/VolGroup00-LogVol01

STATUS: COMPLETE
--
9) Set up a default configuration FTP server. Verify anonymous access to the pub folder. Block ftp connections from 192.168.0.32.

NOTES:
[[email protected] ~]# yum install vsftpd
[[email protected] ~]# chkconfig vsftpd on
[[email protected] ~]# service vsftpd start
[[email protected] ~]# iptables --flush
[[email protected] ~]# vi /etc/sysconfig/iptables
...
-A INPUT -s 192.168.0.32 -m tcp -p tcp --dport 21 -j REJECT
...
[[email protected] ~]# service iptables restart
[[email protected] ~]# rpm -qlv vsftpd | fgrep /var/ftp
# Figure out what perms it should have by default
[[email protected] ~]# chmod 755 /var/ftp

STATUS: COMPLETE
--
10) Set up a default configuration webserver. In the index file, place the word "stationX" where X is your station number. Make this web server only accessible to your machine and server1.example.com.

NOTES:
[[email protected] ~]# yum install httpd
[[email protected] ~]# chkconfig httpd on
[[email protected] ~]# service httpd start
[[email protected] ~]# echo "station3" > /var/www/html/index.html
[[email protected] ~]# vi /etc/sysconfig/iptables
...
-A INPUT -p tcp -s 192.168.1.44 --dport http -j ACCEPT
-A INPUT -p tcp -s 127.0.0.1 --dport http -j ACCEPT
-A INPUT -p tcp -s server1.example.com --dport http -j ACCEPT
-A INPUT -m tcp -p tcp --dport 80 -j REJECT
...
# Now, set up the Apache acl cause that was ambiguous about access:
[[email protected] ~]# vi /etc/httpd/conf/httpd.conf
...
<Directory />
Order allow,deny
Allow from 192.168.1.44 127.0.0.1 server1.example.com
...
[[email protected] ~]# service httpd restart
# Tried to browse to the url, no dice
[[email protected] ~]# ls -alZ /var/www/html/
[[email protected] ~]# setenforce 0
# confirmed selinux is the issue
[[email protected] ~]# setenforce 1
[[email protected] ~]# tail /var/log/messages | grep SELinux
[[email protected] ~]# chcon -R --reference /var/www /var/www/html
# -or-
[[email protected] ~]# restorecon -R /var/www/html
[[email protected] ~]# service httpd restart

STATUS: COMPLETE
--
11) Set up a new 1G logical volume. Encrypt the volume with LUKS and set it up to automatically decrypt and mount to /crypt at boot. Use the ext4 filesystem and place an empty file in the root of the encrypted filesystem with a name of "stationX".

NOTES:
[[email protected] ~]# lvcreate -n crypt -L 1G VolGroup00
[[email protected] ~]# mkdir /crypt
[[email protected] ~]# cryptsetup luksFormat /dev/VolGroup00/crypt
[[email protected] ~]# cryptsetup luksOpen /dev/mapper/VolGroup00-crypt crypt
[[email protected] ~]# mkfs -t ext4 /dev/mapper/crypt
[[email protected] ~]# vi /etc/fstab
...
/dev/mapper/crypt /crypt ext4 defaults 1 2
...
[[email protected] ~]# mount -a
[[email protected] ~]# dd if=/dev/urandom of=/etc/keyfile bs=1k count=4
[[email protected] ~]# cryptsetup luksAddKey /dev/VolGroup00/crypt /etc/keyfile
[[email protected] ~]# chmod 400 /etc/keyfile
[[email protected] ~]# vi /etc/crypttab
...
crypt /dev/VolGroup00/crypt /etc/keyfile
...
[[email protected] ~]# touch /crypt/station3

# How to test this to ensure it'll mount on boot
[[email protected] ~]# umount /crypt
[[email protected] ~]# cryptsetup luksClose /dev/mapper/crypt
[[email protected] ~]# bash
[[email protected] ~]# . /etc/init.d/functions
[[email protected] ~]# init_crypto 1
# If your key works, it won't prompt for a passphrase.
[[email protected] ~]# mount -a

STATUS: COMPLETE
--
12) Create a new user "alice". Give alice, not in the rhce group, read and write access to /home/rhce.

NOTES:
[[email protected] ~]# useradd alice
[[email protected] ~]# passwd alice
[[email protected] ~]# setfacl -R -m u:alice:rwx /home/rhce
[[email protected] ~]# setfacl -R -m default:u:alice:rwx /home/rhce
[[email protected] ~]# chmod +t /home/rhce # Had to set this again... thinking acl blew it out

STATUS: COMPLETE
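
A check for the shared directory built in tasks 6 and 12, as an added example that is not part of the original notes: it confirms group ownership, the setgid and sticky bits, group rwx and the absence of access for others, and lists named-user ACL entries for review. The function name check_shared_dir is hypothetical; GNU stat is assumed and getfacl is optional.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a shared group
# directory such as /home/rhce. Assumes GNU stat; getfacl is optional.

check_shared_dir() {
    dir=$1; group=$2; rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 2; }

    # stat prints the mode in octal (e.g. 3770); the leading 0 makes the
    # shell read it as an octal constant so single bits can be tested.
    mode=$((0$(stat -c '%a' "$dir")))
    owner_group=$(stat -c '%G' "$dir")

    [ "$owner_group" = "$group" ] ||
        { echo "FAIL: group is $owner_group, expected $group"; rc=1; }
    [ $((mode & 02000)) -ne 0 ] ||
        { echo "FAIL: setgid missing, new files will not inherit the group"; rc=1; }
    [ $((mode & 01000)) -ne 0 ] ||
        { echo "FAIL: sticky bit missing, members can delete each other's files"; rc=1; }
    [ $((mode & 00070)) -eq $((00070)) ] ||
        { echo "FAIL: group lacks rwx"; rc=1; }
    [ $((mode & 00007)) -eq 0 ] ||
        { echo "FAIL: directory is accessible to others"; rc=1; }

    # Named-user ACL entries (like alice's in task 12) grant access beyond
    # the mode bits, so list them for review. They do not change the result.
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -p "$dir" 2>/dev/null | grep -E '^(default:)?user:[^:]+:' |
            sed 's/^/INFO: ACL entry /'
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# Usage on the exam machine: check_shared_dir /home/rhce rhce
```

Running it after every setfacl or chmod on the directory shows right away whether a special bit was lost.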