1
Q
enable ssh access for root on both servers.
A
vi /etc/ssh/sshd_config
Change the following line (should be line 40):PermitRootLogin yes
systemctl restart sshd
2
Q
Ensure network services start at boot.
A
systemctl status NetworkManager
Check to see that it’s enabled and running. If not, then runsystemctl enable --now NetworkManager
3
Q
Set the target as multi-user and make sure it boots into that automatically. Reboot to confirm.
A
systemctl set-default multi-user systemctl reboot
4
Q
Configure the network interfaces and hostnames
A
nmcli con show
Output shows enp0s8 as unconfigured
nmcli con mod enp0s8 ipv4.method manual ipv4.addresses "192.168.55.71/24" ipv4.gateway "192.168.55.1" ipv4.dns "8.8.8.8" ipv6.method manual ipv6.addresses "2002:fe60:def0::55/64" nmcli con down enp0s8 nmcli con up enp0s8 nmcli general hostname rhcsa9-server1
Check to make sure everything is goodnmcli con show enp0s8
5
Q
Enable key-based ssh authentication for root on both servers.
A
On server1:
ssh-keygen ssh-copy-id root@192.168.55.72 scp /root/.ssh/* root@192.168.55.72:/root/.ssh
On server2:ssh-copy-id root@192.168.55.71
6
Q
Set the password on all of the newly created users to dbapass
A
for user in manny moe jack marcia jan cindy; do echo "dbapass" | passwd --stdin $user; done
7
Q
Create sudo command alias for MESSAGES with the command /bin/tail -f /var/log/messages
A
visudo
MESSAGESCmnd_Alias MESSAGES = /bin/tail -f /var/log/messages
8
Q
Find all files larger than 3MB in the /etc directory on server1 and copy them to /largefiles
A
mkdir /largefiles
find /etc -type f -size +3M -exec cp {} /largefiles \; 2>/dev/null
ls -al /largefiles/
9
Q
Put SELinux on server2 in permissive mode.
A
vi /etc/selinux/config
Change the following line:SELINUX=permissive
10
Q
create swap partition and mount it persitently
A
fdisk /dev/sdb n p [enter] \+1G t # change type 2 # partition 2 swap w free -m mkswap /dev/sdb2 vim /etc/fstab /dev/sdb2 swap swap defaults 0 0 swapon -va free -m
11
Q
Find all files that have the SUID permission set, and write the result to the file /root/suidfiles
A
find / -type f -perm /4000 > /root/suidfiles
12
Q
special permissions
A
**SUID 4 u+s ** User executes file with permissions of file owner.
SGID 2 g+s User executes file with permissions of group owner. Files created in directory get the same group owner.
**Sticky bit 1 +t **No meaning. Prevents users from deleting files from other users.
13
Q
Logical Volume Management
A
pvs- List physical volumespvcreate- Create physical volumevgs- List volume groupsvgcreate- Create volume grouplvs- List logical volumeslvcreate- Create logical volumelvcreate -l 100%FREE -n database1 db_storagecreates a logical volume called database1 under the volume group db_storage
14
Q
Creating LVM Logical Volumes
A
- first have to convert physical devices, such as disks or partitions, into physical volumes (PVs)
- create the volume group (VG) and assign PVs to it
- create the logical volume (LV) itself
15
Q
Add a 10-GiB disk to your virtual machine. On this disk, create a Stratis pool and volume. Use the name stratisvol for the volume, and mount it persistently on the directory /stratis.
A
dnf install stratisd stratis-clito install all the required packages.- Type
systemctl enable --now stratisdto enable the Stratis daemon. - Type
stratis pool create mypool /dev/sdcto add the entire disk /dev/sdc to the storage pool. - Type
stratis pool listto verify successful creation of the pool. - Type
stratis fs create mypool stratis1to create the first Stratis file system. Note that you don’t have to specify a file system size. - Type
stratis fs listto verify the creation of the file system. - Type
mkdir /stratisto create a mount point for the Stratis file system. - Type
stratis fs listto find the Stratis volume UUID. - Add the following line to /etc/fstab to enable the volume to be mounted automatically. Make sure to use the UUID name that is used by your Stratis file system.
UUID=xxx /stratis xfs defaults,x-systemd.requires=stratisd.service 0 0 - Type
mount -ato mount the Stratis volume. Use the mount command to verify that this procedure worked successfully.
16
Q
Create a configuration that allows user laura to run all administrative commands using sudo
A
sudo visudo -f /etc/sudoers.d/laura laura ALL=(ALL) ALL
17
Q
Create a directory with the name /users and ensure it contains the subdirectories linda and anna. Export this directory by using an NFS server
A
dnf install -y nfs-utils
mkdir -p /users/{linda,anna}
chown -R nfsnobody:nfsnobody /users
chmod -R 755 /users
man exports and search EXAMPLE
vim /etc/exports
/users *(rw,sync,no_root_squash)
systemctl enable --now nfs-server
firewall-cmd --add-service nfs --permanent
firewall-cmd --add-service rpc-bind --permanent
firewall-cmd --add-service mountd --permanent
firewall-cmd --reload
firewall-cmd --list-all
showmount -e localhost # verify the export
18
Q
create user craig with no login shell
A
useradd craig -s /sbin/nologin
19
Q
/var/fstab
user natasha should have read and write access
group Mac shoud have no access
A
setfacl -m u:natasha:rw- /var/fstab setfacl -m g:Mac:--- /var/fstab getfacl /var/fstab
20
Q
get default boot target
CLI-only boot environment
A
systemctl get-defaultmulti-user.target
21
Q
break into machine
A
e to get grub menu init=/bin/bash at end of line mount -o remount,rw / passwd root touch /.autorelabel exec /usr/lib/systemd/systemd
22
Q
generate ssh key and copy to another server
A
ssh-keygen ssh-copy-id user@server
23
Q
Documentation Commands
A
mandb # update man man man -k info /usr/share/doc
24
Q
Logging
A
/var/log/messagesjournalctlmkdir /var/log/journal to set up persistent journal loggingjournalctl --flush to flush the files from /run/log/journal to /var/log/journal
25
Tuning Profiles
`tuned-adm` is the tuned manager
apply profiles... use --help
configure dynamic tuning in /etc/tuned/tuned-main.conf
26
Repo Management
find config values in `man dnf.conf`
- If you can't remember `man dnf.conf`, first to `man -k dnf`, and it will show you all of the listings matching dnf. Go into `man dnf.conf` and then do `G` to go to the end. Page up a couple times and you'll see all of the repo options to drop into .repo files.
- auto-add a repo with `dnf config-manager --add-repo URL`
- After the auto-add, you can go and modify the .repo file created
`vi /etc/yum.repos.d/local.repo`
```
[BaseOS]
name=BaseOS
enabled=1
baseurl=http://192.168.55.47/repo/BaseOS/
gpgcheck=0
[AppStream]
name=AppStream
enabled=1
baseurl=http://192.168.55.47/repo/AppStream/
gpgcheck=0
```
27
Network Management
```
nmcli con show
nmcli con show
nmcli con mod
nmcli con up|down|reload
```
28
Managing Superuser Access
Run `visudo` to edit the /etc/sudoers file. DO NOT EDIT /etc/sudoers directly
`Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum, /usr/bin/dnf` says the SOFTWARE alias can run those commands
`%dba_admin ALL=SOFTWARE, SERVICES, PROCESSES` says the dba_admin group can run commands from those aliases
The file is pretty well-commented... Easy enough to figure out what to do
29
Time, timezone, NTP, hostname
```
timedatectl
/etc/chrony.conf
hostnamectl
nmcli general hostname
```
30
Configure autofs to automatically mount individual users' home directories from /export/home on server1 to /mnt/autofs_home/.
```
### on both servers:
dnf install -y nfs-utils autofs
systemctl enable --now autofs
mkdir /mnt/autofs_home
vim /etc/auto.master
/mnt/autofs_home /etc/auto.home
vim /etc/auto.home
* server1:/export/home/&
systemctl restart autofs
```
server1 - setup nfs
```
man exports | grep EXAMPLE
vim /etc/exports
/exports/home *(rw,no_root_squash)
systemctl enable --now nfs-server
firewall-cmd --add-service=nfs --permanent
firewall-cmd --add-service=rpc-bind --permanent
firewall-cmd --add-service=mountd --permanent
firewall-cmd --reload
showmount -e localhost
```
31
Set password policies to require a minimum of 8 characters and a maximum age of 60 days
```
vi /etc/login.defs
Change the following line (should be line 131)
PASS_MAX_DAYS 60
vi /etc/security/pwquality.conf
Uncomment or change the following line (should be line 11):
minlen = 8
```
32
Set the password on all of the newly created users to `dbapass`
`for user in manny moe jack marcia jan cindy; do echo "dbapass" | passwd --stdin $user; done`
33
Create sudo command alias for `MESSAGES` with the command `/bin/tail -f /var/log/messages` and enable craig privilege
```
visudo
Cmnd_Alias MESSAGES = /bin/tail -f /var/log/messages
craig ALL = MESSAGES
34
Configure server to create files with 660 permissions by default
```
vi /etc/login.defs
UMASK 007
```
35
create a tar w/gzip archive of /etc called etc_archive.tar.gz in the /archives directory
```
mkdir /archive
dnf install -y tar gzip
tar -czvf /archives/etc_archive.tar.gz /etc
```
36
On server1 create a folder called /links, and under links create a file called file01. Create a soft link called file02 pointing to file01, and a hard link called file03 pointing to file01. Check your work.
```
mkdir /links
touch /links/file01
ln -s /links/file01 /links/file02
ln /links/file01 /links/file03
ls -lai /links
```
37
Find all suid files and save the list to /root/suid.txt.
```
find / -type f -perm /u+s > /root/suid.txt
find / -type f -perm /4000 > root/duid.txt
```
38
Find all files larger than 3MB in the /etc directory on server1 and copy them to /largefiles
```
mkdir /largefiles
find /etc -type f -size +3M -exec cp {} /largefiles \; 2>/dev/null
ls -al /largefiles/
```
39
persistently mount /export/dba_files from the server 192.168.55.47 under /mnt/dba_files. Ensure manny is the user owner and dba_staff is the group owner. Ensure the groupID is applied to newly created files. Ensure users can only delete files they have created. Ensure only members of the dba_staff group can access the directory.
```
mkdir /mnt/dba_files
vi /etc/fstab
Add the following line to /etc/fstab:
192.168.55.47:/export/dba_files /mnt/dba_files nfs defaults 0 0
Write and quit /etc/fstab, then check the mount:
mount -a
Set the permissions:
chown manny:dba_staff /mnt/dba_files
chmod 770 /mnt/dba_files
chmod g+s,+t /mnt/dba_files
```
40
Create a job using `at` to write "This task was easy!" to /coolfiles/at_job.txt in 10 minutes
```
dnf install -y at
systemctl enable --now atd
at now + 10 minutes
mkdir /coolfiles
echo "This task was easy!" > /coolfiles/at_job.txt
#Ctrl-d to exit
```
41
Create a job using cron to write "Wow! I'm going to pass this test!" every Tuesday at 3pm to /var/log/messages
```
crontab -e
0 15 * * 2 root echo "Wow! I'm going to pass this test!" >> /var/log/messages
```
42
On server1, modify the bootloader with the following parameters:
```
Increase the timeout using GRUB_TIMEOUT=10
Add the following line: GRUB_TIMEOUT_STYLE=hidden
Add quiet to the end of the GRUB_CMDLINE_LINUX line
```
```
vi /etc/default/grub
Add or edit the following lines:
GRUB_TIMEOUT=10
GRUB_TIMEOUT_STYLE=hidden
GRUB_CMDLINE_LINUX ### add quiet to the end
Write and quit the file
grub2-mkconfig -o /boot/grub2/grub.cfg
Reboot and watch the boot from the console to verify
systemctl reboot
```
43
Configure NTP synchronization on server. Point them to us.pool.ntp.org
```
man -k chron # to find chrony.conf
vi /etc/chrony.conf
Edit the following line (should be line 3):
pool us.pool.ntp.org iburst
Write and quit, then restart the service:
systemctl restart chronyd
Check the logs to ensure time is being pulled from the new source:
journalctl -u chronyd
You should see a line similar to the following at the end:
Feb 14 09:00:48 rhcsa9-server1 chronyd[705]: Selected source 73.61.36.59 (us.pool.ntp.org)
```
44
set a merged tuned profile using the the powersave and virtual-guest profiles.
```
dnf install -y tuned
systemctl enable --now tuned
tuned-adm profile powersave virtual-guest
```
45
Write a script that finds all the files owned by new_user and have size greater than 30KB and less than 50KB and store them in /tmp/
```
# vim find_files.sh
#!/bin/bash
find / -type f -user new_user -size +30k -size -50k -exec cp {} /tmp/ \;
# chmod +x $_
```
46
As a System Administrator you are responsible to take a backup of your /etc directory every night. Build a shell script to take a backup of the /etc/directory using the tar command. The backup script should be named as /root/backup.sh. Schedule this script to run at 11:00 PM every night – except Sundays.
```
# vim /root/backup.sh
#!/bin/bash
# you can add the file name with the date to keep all the changes
tar -cvf etc_backup.tar /etc/
# chmod +x /root/backup.sh
#/root/backup.sh
# crontab -e
* 23 * * 1-6 /root/backup.sh
```
47
Modify the GRUB timeout and make it 1 second instead of 5 seconds
Any change to /etc/default/grub require rebuilding the grub.cfg
```
vim /etc/default/grub
GRUB_TIMEOUT=1
-
# On BIOS-based machine :
grub2-mkconfig -o /boot/grub2/grub.cfg
#On UEFI-based machine :
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
```
reboot
To determine if the system is booted on BIOS or UEFI mode
`dmesg | egrep -i "efi|bios"`
48
Create three users (Derek, Tom, and Kenny) that belong to the instructors group. Prevent Tom's user from accessing a shell, and make his account expire 10 day from now
```
# groupadd instructors
# useradd Derek -G instructors
# useradd Tom -G instructors -s /sbin/nologin -e +10days
# useradd Kenny -G instructors
```
49
a group name is 'elite', they have to give administrative permission without password
```
visudo
Add the new line
%elite ALL=(ALL) NOPASSWD: ALL
:wq
```
50
51
Copy the lines containing the word "root" in /etc/password and copy them into a file /mnt/pass
`grep "root" /etc/passwd > /mnt/pass`
52
create user bob with UID 1234
* can only change passwordc
* cannot start an interactive shell
```
useradd bob -u 1234
* usermod -s /usr/bin/passwd bob
* usermod -s /sbin/nolgin bob
```
53
configure ssh so root is allowed to connect and on port 2022
```
vim /etc/ssh/sshd_config
port 2022
PermitRootLogin yes
semanage port -l | grep ssh
semanage port -a -t ssh_port_t -p tcp 2022
firewall-cmd --add-port=2022/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all
systemctl restart sshd
```
54
55
Create a directory /users/ and in this directory create the directories user1 through user5 using one command.
`mkdir -p /users/user{1..5}`
56
57
Configure a web server to use the nondefault document root **/webfiles**. In this directory, create a file **index.html** that has the contents **hello world** and then test that it works.
```
dnf install -y httpd
mkdir /webfiles
echo "hello world" > /webfiles/index.html
vim /etc/httpd/conf/httpd.conf
DocumentRoot "/webfiles"
# change this in 2 places
find context type
semanage fcontext -l | grep httpd | grep '/var/www'
chcon -R -t httpd_sys_content_t /webfiles
curl http://localhost
```
58
command-line arguments
```
$0 = Name of Script
$1 = First argument
$2 = Second argument
$3 = Third argument
...
$n = n argument
$# = Number of arguments provided
$@ = List of arguments provided
```
59
SELinux troubleshoot
Install everything under keywords `policycoreutils` and `setroubleshoot`
`dnf install -y policycore* setrouble*`
check logs, will have more details now
`grep httpd /var/log/messages`
