############################
Everything below is my raw notes that I took while attending an unofficial RHCSA training session. I am posting them here in hopes they will assist others who may be preparing to take this exam.

My notes are my own interpretation of the lectures, and are certainly not a replacement for classroom training either through your company, or by taking the official RHCSA classes offered through Red Hat. If you are new to the Red Hat world, I strongly suggest looking into their training courses over at Red Hat.
############################

For all of the following problems:
- SELinux must be activated in enforcing mode.
- The 'X' sign represents your station number.
- The RHEL 6.1 repository url is: http://server1.example.com/isos/RHEL-6.1-x86_64/Server

0) Set up access to the yum repository provided above. Install setroubleshoot.

NOTES:
[root@web01 ~]# vi /etc/yum.repos.d/myrepo.repo
...
[myrepo]
name = my repo
gpgcheck = 0
baseurl=http://server1.example.com/isos/RHEL-6.1-x86_64/Server
...
[root@web01 ~]# yum install setroubleshoot
[root@web01 ~]# service auditd restart

STATUS: COMPLETE

--

1) Fix your machine so that it will present a graphical login prompt upon bootup.

NOTES:
[root@web01 ~]# vi /etc/inittab
# change
id:4:initdefault:
# to
id:5:initdefault:

STATUS: COMPLETE

--

2) Replace your DHCP-assigned IP configuration with a static network setup. Your machine should stay in the same subnet, using the same default gateway and DNS server, as well as the same IP address and netmask, but it will be set up statically instead of dynamically.

NOTES:
[root@web01 ~]# service NetworkManager stop
[root@web01 ~]# chkconfig NetworkManager off
[root@web01 ~]# setup
# Put in static configuration

STATUS: COMPLETE

--

3) Add 1GiB of swap space to your machine using a raw device.

NOTES:
[root@web01 ~]# fdisk /dev/sda
n
e
default
default
n
default
+1G
t
5
82
w
[root@web01 ~]# reboot
[root@web01 ~]# mkswap /dev/sda5
[root@web01 ~]# swapon /dev/sda5
[root@web01 ~]# vi /etc/fstab
...
/dev/sda5 swap swap defaults 0 0
...

STATUS: COMPLETE

--

4) Create user accounts named "student", "mike", and "linus" each with passwords of "redhat" and belonging to a secondary group called "rhce".

NOTES:
[root@web01 ~]# groupadd rhce
[root@web01 ~]# for i in student mike linus; do useradd -G rhce "$i"; done
[root@web01 ~]# for i in student mike linus; do passwd "$i"; done

STATUS: COMPLETE

--

5) Restrict the "rhce" group to own no more than 1GiB of data and up to 1000 files in the /home filesystem.

NOTES:
[root@web01 ~]# vi /etc/fstab
# change
/dev/mapper/VolGroup00-LogVol01 /home ext4 defaults 1 2
# to
/dev/mapper/VolGroup00-LogVol01 /home ext4 defaults,usrquota,grpquota 1 2
[root@web01 ~]# umount /home
[root@web01 ~]# mount -a
[root@web01 ~]# quotacheck -mavug
[root@web01 ~]# quotaon -a
[root@web01 ~]# edquota -g rhce
...
/dev/mapper/VolGroup00-LogVol01 40 0 1048576 5 0 1000
...
# edquota block limits are in 1 KiB blocks, so the 1GiB hard limit is derived from: echo $((1024*1024))
[root@web01 ~]# repquota -g /home

STATUS: COMPLETE

--

6) Set up a /home/rhce directory to facilitate collaboration among the rhce group. Each member should be able to create files and modify each other's files, but should not be able to delete anyone else's files in this directory.

NOTES:
[root@web01 ~]# mkdir /home/rhce
[root@web01 ~]# chown root:rhce /home/rhce
[root@web01 ~]# chmod 770 /home/rhce
[root@web01 ~]# chmod +t /home/rhce
[root@web01 ~]# chmod g+s /home/rhce

STATUS: COMPLETE

--

7) Configure your machine to be an NIS client of server1 for authenticating users in the example.com domain. You should then be able to login with a username of "stationX" using "stationX" for the password.

NOTES:
[root@web01 ~]# setup
--> Authentication configuration
Select: NIS and Kerberos
Domain: example.com
Server: server1
Check both boxes at bottom

# Now let's just do the automount stuff for completion
[root@web01 ~]# showmount -e server1
[root@web01 ~]# vi /etc/auto.master
...
/home/nis /etc/auto.nis
...
[root@web01 ~]# vi /etc/auto.nis
...
* server1.example.com:/home/nis/&
...
[root@web01 ~]# service autofs restart
[root@web01 ~]# ssh station3@localhost
# And verify you have your home dir

STATUS: COMPLETE

--

8) Expand the filesystem on /home to 3GiB in size.

NOTES:
[root@web01 ~]# lvresize -r -L 3G /dev/mapper/VolGroup00-LogVol01

STATUS: COMPLETE

--

9) Set up a default configuration FTP server. Verify anonymous access to the pub folder. Block ftp connections from 192.168.0.32.

NOTES:
[root@web01 ~]# yum install vsftpd
[root@web01 ~]# chkconfig vsftpd on
[root@web01 ~]# service vsftpd start
[root@web01 ~]# iptables --flush
[root@web01 ~]# vi /etc/sysconfig/iptables
...
-A INPUT -s 192.168.0.32 -m tcp -p tcp --dport 21 -j REJECT
...
[root@web01 ~]# service iptables restart
[root@web01 ~]# rpm -qlv vsftpd | fgrep /var/ftp # Figure out what perms it should have by default
[root@web01 ~]# chmod 755 /var/ftp

STATUS: COMPLETE

--

10) Set up a default configuration webserver. In the index file, place the word "stationX" where X is your station number. Make this web server only accessible to your machine and server1.example.com.

NOTES:
[root@web01 ~]# yum install httpd
[root@web01 ~]# chkconfig httpd on
[root@web01 ~]# service httpd start
[root@web01 ~]# echo "station3" > /var/www/html/index.html
[root@web01 ~]# vi /etc/sysconfig/iptables
...
-A INPUT -p tcp -s 192.168.1.44 --dport http -j ACCEPT
-A INPUT -p tcp -s 127.0.0.1 --dport http -j ACCEPT
-A INPUT -p tcp -s server1.example.com --dport http -j ACCEPT
-A INPUT -m tcp -p tcp --dport 80 -j REJECT
...

# Now, set up the Apache acl cause that was ambiguous about access:
[root@web01 ~]# vi /etc/httpd/conf/httpd.conf
...
<Directory />
    Order allow,deny
    Allow from 192.168.1.44 127.0.0.1 server1.example.com
...
[root@web01 ~]# service httpd restart

# Tried to browse to the url, no dice
[root@web01 ~]# ls -alZ /var/www/html/
[root@web01 ~]# setenforce 0 # confirmed selinux is the issue
[root@web01 ~]# setenforce 1
[root@web01 ~]# tail /var/log/messages | grep SELinux
[root@web01 ~]# chcon -R --reference /var/www /var/www/html
# -or-
[root@web01 ~]# restorecon -R /var/www/html
[root@web01 ~]# service httpd restart

STATUS: COMPLETE

--

11) Set up a new 1G logical volume. Encrypt the volume with LUKS and set it up to automatically decrypt and mount to /crypt at boot. Use the ext4 filesystem and place an empty file in the root of the encrypted filesystem with a name of "stationX".

NOTES:
[root@web01 ~]# lvcreate -n crypt -L 1G VolGroup00
[root@web01 ~]# mkdir /crypt
[root@web01 ~]# cryptsetup luksFormat /dev/VolGroup00/crypt
[root@web01 ~]# cryptsetup luksOpen /dev/mapper/VolGroup00-crypt crypt
[root@web01 ~]# mkfs -t ext4 /dev/mapper/crypt
[root@web01 ~]# vi /etc/fstab
...
/dev/mapper/crypt /crypt ext4 defaults 1 2
...
[root@web01 ~]# mount -a
[root@web01 ~]# dd if=/dev/urandom of=/etc/keyfile bs=1k count=4
[root@web01 ~]# cryptsetup luksAddKey /dev/VolGroup00/crypt /etc/keyfile
[root@web01 ~]# chmod 400 /etc/keyfile
[root@web01 ~]# vi /etc/crypttab
...
crypt /dev/VolGroup00/crypt /etc/keyfile
...
[root@web01 ~]# touch /crypt/station3

# How to test this to ensure it'll mount on boot
[root@web01 ~]# umount /crypt
[root@web01 ~]# cryptsetup luksClose /dev/mapper/crypt
[root@web01 ~]# bash
[root@web01 ~]# . /etc/init.d/functions
[root@web01 ~]# init_crypto 1
# If your key works, it won't prompt for a passphrase.
[root@web01 ~]# mount -a

STATUS: COMPLETE

--

12) Create a new user "alice". Give alice, not in the rhce group, read and write access to /home/rhce.

NOTES:
[root@web01 ~]# useradd alice
[root@web01 ~]# passwd alice
[root@web01 ~]# setfacl -R -m u:alice:rwx /home/rhce
[root@web01 ~]# setfacl -R -m default:u:alice:rwx /home/rhce
[root@web01 ~]# chmod +t /home/rhce # Had to set this again... thinking acl blew it out

STATUS: COMPLETE
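
--

A way to confirm the result of tasks 6 and 12, added here as an example and not part of the original notes: the function checks that a shared directory still has the group owner, setgid bit, sticky bit and group rwx that task 6 sets. The temporary directory and its group are constructed stand-ins for /home/rhce and rhce, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original notes): verify a shared group directory.
# check_collab_dir DIR GROUP -> 0 if DIR is group-owned by GROUP with setgid,
# sticky and group rwx set and no access for others; prints each problem found.
check_collab_dir() {
    dir=$1; want_group=$2; bad=0
    info=$(stat -c '%a %G' "$dir") || return 2    # GNU stat, e.g. "3770 rhce"
    mode=${info%% *}; group=${info#* }
    m=$(( 0$mode ))                                # read the mode as octal
    [ "$group" = "$want_group" ] ||
        { echo "group owner is $group, expected $want_group"; bad=1; }
    [ $(( m & 02000 )) -ne 0 ] ||
        { echo "setgid bit missing: new files will not inherit the group"; bad=1; }
    [ $(( m & 01000 )) -ne 0 ] ||
        { echo "sticky bit missing: members can delete each other's files"; bad=1; }
    [ $(( m & 070 )) -eq $(( 070 )) ] ||
        { echo "group lacks rwx (mode $mode)"; bad=1; }
    [ $(( m & 07 )) -eq 0 ] ||
        { echo "others have access (mode $mode)"; bad=1; }
    return $bad
}

# Constructed demo: a temp directory stands in for /home/rhce and its own
# group stands in for rhce, so this runs without root.
demo=$(mktemp -d)
mkdir "$demo/rhce"
grp=$(stat -c %G "$demo/rhce")
chmod 770 "$demo/rhce"; chmod g+s "$demo/rhce"     # sticky bit not set yet
if ! check_collab_dir "$demo/rhce" "$grp"; then echo "-> fix before use"; fi
chmod +t "$demo/rhce"
if check_collab_dir "$demo/rhce" "$grp"; then echo "-> ready"; fi
rm -rf "$demo"
```

On a directory that carries ACLs, as after task 12, the group bits reported by stat are the ACL mask, so review the getfacl output as well.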
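
--

For task 11, the key file listed in /etc/crypttab unlocks the volume without a passphrase, so its permissions matter as much as the passphrase does. This added example (not part of the original notes) walks a crypttab-format file and flags key files that are missing or accessible beyond their owner; the function name, the demo paths and the "scratch" volume are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the key files named in a
# crypttab-format file. Returns 0 only if every key file exists and carries
# no group/other permission bits.
audit_crypttab() {
    tab=${1:-/etc/crypttab}
    rc=0
    # Fields: <mapping name> <device> <key file | none> [options]
    while read -r name dev key rest; do
        case $name in ''|'#'*) continue ;; esac    # skip blanks and comments
        case $key in
            ''|none|-)
                echo "PROMPT $name: no key file, passphrase is asked for at boot"
                continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "FAIL $name: key file $key not found"
            rc=1
            continue
        fi
        mode=$(stat -c %a "$key")                  # GNU stat: octal mode, e.g. 400
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FAIL $name: $key is mode $mode, accessible beyond its owner"
            rc=1
        else
            echo "OK $name: $key is mode $mode"
        fi
    done < "$tab"
    return $rc
}

# Constructed demo: a throwaway crypttab with one tight and one loose key file.
demo=$(mktemp -d)
printf 'secret' > "$demo/tight.key"; chmod 400 "$demo/tight.key"
printf 'secret' > "$demo/loose.key"; chmod 644 "$demo/loose.key"
cat > "$demo/crypttab" <<EOF
# name   device                   key file
crypt    /dev/VolGroup00/crypt    $demo/tight.key
scratch  /dev/VolGroup00/scratch  $demo/loose.key
EOF
audit_crypttab "$demo/crypttab" || echo "audit found problems"
rm -rf "$demo"
```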