Sample BIND config

/etc/named.conf

 options {
    listen-on port 53 { 127.0.0.1; 192.168.122.140; };
    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "penoycentral.net" {
    type master;
    file "penoycentral.net.zone";
    };

zone "122.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.122.zone";
};

include "/etc/named.rfc1912.zones";

/var/named/penoycentral.net.zone

 $TTL 1D
penoycentral.net. IN SOA centos01.penoycentral.net. root.penoycentral.net (
04 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@    IN NS centos01
centos01 IN A 192.168.122.140
centos02 IN A 192.168.122.8
rhel01 IN A 192.168.122.122
rhel02 IN A 192.168.122.120

/var/named/192.168.122.zone

 $TTL 1D
@ IN SOA centos01.penoycentral.net. root.penoycentral.net (
2012020202 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
    IN NS    centos01.penoycentral.net.
140    IN PTR    centos01.penoycentral.net.
8    IN PTR    centos02.penoycentral.net.

 To check zone config
named-checkzone penoycentral.net penoycentral.net.zone
named-checkzone penoycentral.net 192.168.122.zone
named-checkconf /etc/named.conf

Finally passed RHCE

It has been a long day for me.. RHCSA exam in the morning and RHCE exam in the afternoon. Finally after months of self study and 4 days on the rapid track course, i nailed both exam.
Pretty much to say that i'm so proud  on the cert. This is not the type of exam that you will just choose among the multiple choice or configure in a simulated environment. It will test your knowledge on how well you understood Redhat.
On future takers, i advised you to know the exam objectives inside and out. SELinux looks like intimidating at first, but as soon as you understand how it works,it will be a piece of cake for you :)

Materials/books used

RHCSA/RHCE Red Hat Linux Certification Study Guide (Exams EX200 & EX300), 6th Edition (Certification Press)  -- Michael Jang
Highly recommend!!! Comes with a CD with pdfs and labs exams at the end of every chapter. My fav source of info for the exam.

Hands-on Guide to the Red Hat® Exams: RHCSA™ and RHCE® Cert Guide and Lab Manual (Certification Guide) -- Damian Tommasino
Lots of errors, but hey, as soon as you pointed the errors in the book, it just shows that you know your stuffs. Used to counter check configs and setup.

RH300 RHCE Rapid Track course
Final review for the exam. It cost much but highly recommended also. It guides me and helps to fill in the gaps on what i have learned already on my home lab. Before taking the course, i advised that you first do your home work. Learn the exam objectives, build your own home lab, simulate the configs as advised on Michael and Damian's book. In this way when you attend the course, you can ask all the questions that you have on your instructor. This is fast-paced course so make full use of it.

texastwister/OpenRHCE - GitHub - This is a beast study guide. I used this as a last minute review before taking the exam. Reading the whole week while in the train :) Highly recommended also

As  always, we signed the Non-disclosure Agreement so i will not divulge anything specific about the exam. I might update this blog,but will not be on the RHCE exam specific anymore.
Study!!! study!!!! study!!!!! lab!!!! lab!!!! lab!!!! simulate!!!! simulate!!!! and always follow the KISS principle..

###NTP####

/etc/ntp.conf
server

to sync time to the internet time server

service ntpd stop
ntpdate 0.fedora.pool.ntp.org
service ntpd start

to check ntp

ntpq -p

set iptables

iptables -I INPUT -m udp -p udp --dport 123 -j ACCEPT
iptables -I INPUT -m tcp -p tcp --dport 123 -j ACCEPT

Setting up LDAP Server for Authencation

Although LDAP server is not part of the exam, we need to learn how to setup our server as a client. You can check out Laurent Domb OSS Blog if you want to configure LDAP authentication server in your labs.

Lab Postfix Sample config

dovecot.conf
[root@rhel01 dovecot]# grep -v ^# /etc/dovecot/dovecot.conf
!include conf.d/*.conf
protocols = imap pop3
listen = 192.168.122.122
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}

/etc/postfix/main.cf
[root@rhel01 postfix]# grep -v ^# main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = rhel01.penoycentral.net
mydomain = penoycentral.net
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost, mail.penoycentral.net
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.1.0/24, 192.168.122.0/24, 127.0.0.1/8
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES



DNS penoycentral.net zone config for the mailserver to work properly
[root@wk named]# cat /var/named/penoycentral.net.zone
$TTL 1D
@ IN SOA penoycentral.net. root.penoycentral.net (
2011091302 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS wk.penoycentral.net.
wk IN A 192.168.1.70
@ IN MX 10 mail.penoycentral.net.
rhel01 IN A 192.168.122.122
rhel02 IN A 192.168.122.120
mail IN CNAME rhel01

To check if MX records setup properly in the domain
[root@rhel02 /]# nslookup
> set type=mx
> penoycentral.net
Server: 192.168.1.70
Address: 192.168.1.70#53

penoycentral.net mail exchanger = 10 mail.penoycentral.net.


#### postfix usefull commands #####

delete mailq
#postsuper -d

Creating Simple RPM Part 2

Needed packages
1. rpm-build
2. rpmdevtools


Create RPM Howto
* run rpmdev-setuptree creates rpmbuild directories
1. create directory and the file inside the created dir

mkdir ~/Hello-1.0
touch ~/Hello-1.0/hello
chmod +x ~/Hello-1.0/hello

2. create the gzip-compressed tar and copy to the SOURCE dir

tar cvzf Hello-1.0.tar.gz ~/Hello-1.0
cp Hello-1.0.tar.gz ~/rpmbuild/SOURCES

3. create the spec file

rpmdev-newspec

4. copy the sample spec file to the package spec

cp newpackage.spec hello.spec

5. Edit hello.spec

Name: Hello
Version: 1.0
Release: 1%{?dist}
Summary: Hellow RPM

Group: Miscellaneous
License: GPL
URL: www.penoycentral.net
Source0: Hello-1.0.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

%description
A sample RPM for RHCE exam

%prep
%setup -q


%build


%install
rm -rf $RPM_BUILD_ROOT
install -d -m 0755 $RPM_BUILD_ROOT/opt/Hello-1.0
install -m 0755 hello $RPM_BUILD_ROOT/opt/Hello-1.0/hello

%clean
rm -rf $RPM_BUILD_ROOT


%files
%dir /opt/Hello-1.0
%defattr(-,root,root,-)
/opt/Hello-1.0/hello

6. Build the source rpm
rpmbuild -ba ~/rpmbuild/SPECS/hello.spec

7. RPM package can now be found in ~/rpmbuild/RPMS/x86_64/Hello-1.0.rpm

System Messages

facility.level


###
facility
###
user - messages generated by user processes. Default facility
kern - kernel messages
daemon - system daemons
auth - authorization system(login,su,getty)
lpr - generates messages from the line printer spoooling systemlpr and lpc
news - reserved for the usenet network news system
uucp - uucp system does not currently used
audit - audit facility
local0-7 - reserved for local use
mark - timestamp messages
* - indicates all facilities except mark


###
level
###
emerg - panic conditions that would normally be broadcast to all users
alert - conditions need to be corrected immediately such as corrupted database
crit - warnings about critical conditions, such as disk errors
err - other errors
warning -warning messages
notice - not error conditions but need handling such failed login
info - informational messages
debug - normally used when debugging programs
none - does not send messages

Archive and compression

star will retain the SELinux permission
example:
pack chris directory
star -xattr -H=exustar -f=chris.star chris/

unpack chris directory
star -x -f=chris.star

Centos 6 officially released

read the release notes at http://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.0

CentOS 6 Released

CentOS 6 was finally released and asking help to seed their torrent.

@CentOS: Help seed the CentOS-6.0/x86_64 ISOS via torrent : http://t.co/VP45uYA

Available for i386 and x86_64

Virtual Machines using KVM

To install with prompt
#virt-install --prompt

List virtual machine
#virsh list

Stop virtual machine
#virsh destroy <vm name>

Configure VM autostart
#virsh autostart <vm name>

Unconfigure VM autostart
#virsh autostart --disable <vm name>

To install
#virt-install --name=rhel03.localdomain -r 768 --disk path=/var/lib/libvirt/images/rhel03.localdomain.img,size=8 -l http://192.168.122.1/pub/inst -x "ks=http://192.168.122.1/pub/ks/rhel03.cfg"

Scientific Linux 6

Freshly installed Scientific Linux 6 on my laptop. Decided to use KVM for my labs as opposed of using Virtualbox to keep inline with the Redhat exam objectives of configuring virtual machines using KVM.

I already got Michael Jang's 6th edition book and all i can say that it was well written. Quite addicted to it actually.

Still trying to enroll for RH300 to speed things up but the local training center cancelled the schedule 2 months in a row. They say that they might have the class in August. Not sure if i still need the class by that time.

Oh well, halted for almost a month now.. need to pump up and get back to the labs...

Encrypted Filesystem using Luks

This is a simple demostration of encrypting filesystem using luks

1. cryptsetup luksFormat /dev/sdb1

2. cryptsetup luksOpen /dev/sdb1 lukstest
    this will create /dev/mapper/lukstest

3.edit /etc/crypttab
    lukstest /dev/sdb1 none luks
Note: in Michael Jang's 6th edition book, it was not mentioned in chapter 6 to create /etc/crypttab file but it was included in the Lab exam answers. Without this file, system will not ask password when rebooted.

4. mkfs.ext4 /dev/mapper/lukstest

5. add an entry in /etc/fstab
   /dev/mapper/lukstest /mnt/lukstest ext4 defaults 0 0

6. reboot the system, it should prompt for password to mount /mnt/lukstest

Accounts Management

useradd <options> <username>
-b home dir
-c comment
-e expire date yyyy-mm-dd
-m creates home dir for new user
-r system account
-s shell
-u UID

usermod <options> <username>
-c comment
-d home dir
-g primary group
-G secondary group
-l new login name
-L locks user
-s shell
-u uid
-U unlock user

passwd <options> <username>
-L locks user
-U unlock user
-S status of passwrd

chage <options><username>
-d indicates day password was changed
-E expiration date yyyy-mm-dd
-I change password inactive after password expires before account is locked
-l show aging info
-m min days
-M max days
-W warn days

Note:
account is locked when you see ! character at the start of the password in /etc/shadow

groupadd <group name>
-r creates a system group
-g GID

File and directory permission

r  4
w  2
x  1

extended attributes
SUID 4
SGID 2
Stickybit 1

to set suid
chmod 4664 test

to set sgid
chmod 2664 test

to set sticky bit
chmod 1664 testr  4
w  2
x  1

extended attributes
SUID 4
SGID 2
Stickybit 1

to set suid
chmod 4664 test

to set sgid
chmod 2664 test

to set sticky bit
chmod 1664 test

CGI script in Apache

/etc/httpd/conf/httpd.conf cgi config file can be found under ScriptAlias.

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#

AllowOverride None
Options None
Order allow,deny
Allow from all

We can create a simple cgi script by following this site : http://www.elated.com/articles/your-first-cgi-script/ and upload the script in /var/www/cgi-bin

/var/www/cgi-bin/hello.cgi

#!/usr/bin/perl
print "Content-type: text/html\n\n";
print <<END_HTML;
<html>
<head></head>
<body>Hello, World!</body>
</html>
END_HTML

Add an execution permission on hello.cgi
#chmod ugo+x /var/www/cgi-bin/hello.cgi

Test the cgi script
http://rhel02/cgi-bin/hello.cgi

Ports to remember

#########
Ports to remember
#########
TCP
80 http
443 https
22 ssh
20 ftp-data
21 ftp
53 domain
5901  vnc (depends on the settings of /etc/sysconfig/vncservers)

UDP
53 domain

Manage Security thru Selinux

Commands to remember

sestatus show selinux status
getenforce show enforcing status of selinux
setenforce enforcing|permissive set status of selinux
getsebool -a show the boolean value of the service
setsebool -P set the the boolean value
chcon - u(user) -r (role) -t (type) change context of a file
chcon --reference=<dir> <dir_to_change_context> copy the context of the dir as referrence
restorecon -F myfile restore file default file context

User
unconfined_u unprotected user
system_u system user
user_u normal user

Role
object_r file
system_r users processes

domain
unconfined_r unprotected file or process

Set enforcing and permissive modes for SELinux
-thru configfile edit /etc/sysconfig/selinux
-or use the command setenforce
#setenforce Enforcing|Permissive

List and identify SELinux file and process context
- File
ls -lZ

-Process
ps -eZ|grep <process name>

Restore default file contexts
restorecon -F myfile
chcon - u(user) -r (role) -t (type) change context of a file
chcon --reference=<dir> <dir_to_change_context> copy the context of the dir as referrence

Use boolean settings to modify system SELinux settings
getsebool -a show the boolean value of the service
setsebool -P <boolean>=1/0 set the the boolean value

Diagnose and address routine SELinux policy violations

To get man pages for a certain commands
man -k _selinux

Description of the boolean
semanage boolean -l #provided by the policycoreutils-python

To survive a SELinux relabel
ex: #semanage fcontext -a -s system_u -t httpd_sys_script_exec_t /var/www/cgi-bin

Using e2label

To label a device
e2label /dev/mapper/vg_mp3-lv_mp3 MP3Data

To show the label
blkid
findfs LABEL=MP3Data
e2label /dev/mapper/vg_mp3-lv

To mount a labeled device
mount -t ext4 LABEL=MP3Data /mp3_data

On fstab

LABEL=MP3Data   /mp3_data       ext4    defaults    0 0

Fixing broken mbr in grub

grub > find /grub/grub.conf    or grub> root
grub> setup (hd0)