Introduction xxiii 1. Document Conventions ....................xxiii 2. Send in Your Feedback ....................xxvi I. File Systems 1. File System Structure 1.1. Why Share a Common Structure? ................. 3 1.2. Overview of File System Hierarchy Standard (FHS) ..........3 1.2.1. FHS Organization ..................3 1.3.
7.1.2. Remounting the File Systems ..............80 7.1.3. Creating the Quota Database Files ............80 7.1.4. Assigning Quotas per User ..............81 7.1.5. Assigning Quotas per Group ..............82 7.1.6. Setting the Grace Period for Soft Limits ............ 82 7.2. Managing Disk Quotas ..................82 7.2.1.
Deployment Guide 35.2. At and Batch ....................507 35.2.1. Configuring At Jobs ................507 35.2.2. Configuring Batch Jobs ................ 508 35.2.3. Viewing Pending Jobs ................508 35.2.4. Additional Command Line Options ............508 35.2.5. Controlling Access to At and Batch ............509 35.2.6.
40. Manually Upgrading the Kernel 40.1. Overview of Kernel Packages ................551 40.2. Preparing to Upgrade ..................552 40.3. Downloading the Upgraded Kernel ..............553 40.4. Performing the Upgrade .................. 553 40.5. Verifying the Initial RAM Disk Image ..............554 40.6.
Deployment Guide 43.1.6. Personal Firewalls ................620 43.1.7. Security Enhanced Communication Tools ..........621 43.2. Server Security ....................621 43.2.1. Securing Services With TCP Wrappers and xinetd ......... 622 43.2.2. Securing Portmap ................625 43.2.3. Securing NIS ..................626 43.2.4. Securing NFS ..................628 43.2.5.
43.7.8. Starting and Stopping an IPsec Connection ........... 696 43.8. Firewalls ......................697 43.8.1. Netfilter and IPTables ................698 43.8.2. Basic Firewall Configuration ..............698 43.8.3. Using IPTables ..................702 43.8.4. Common IPTables Filtering ..............703 43.8.5. FORWARD and NAT Rules ..............704 43.8.6.
Deployment Guide 44.7.4. Object Classes and Permissions ............746 44.8. Targeted Policy Overview ................746 44.8.1. What is the Targeted Policy? ..............746 44.8.2. Files and Directories of the Targeted Policy ........... 747 44.8.3. Understanding the Users and Roles in the Targeted Policy ..... 747 45.
50.1.3. Audience ..................... 783 50.1.4. Course Objectives ................783 50.1.5. Follow-on Courses ................784 51. RH035: Red Hat Linux Essentials for Windows Professionals 51.1. Course Description ..................785 51.1.1. Prerequisites ..................785 51.1.2. Goal ....................785 51.1.3. Audience .................... 785 51.1.4.
Introduction Welcome to the Red Hat Enterprise Linux Deployment Guide. The Red Hat Enterprise Linux Deployment Guide contains information on how to customize your Red Hat Enterprise Linux system to fit your needs. If you are looking for a comprehensive, task-oriented guide for configuring and customizing your system, this is the manual for you.
Introduction Use the cat testfile command to view the contents of a file, named testfile, in the current working directory. file name File names, directory names, paths, and RPM package names are represented this way. This style indicates that a particular file or directory exists with that name on your system. Examples: The .bashrc file in your home directory contains bash shell definitions and aliases for your own use.
Document Conventions Click on the Back button to return to the webpage you last viewed. computer output Text in this style indicates text displayed to a shell prompt such as error messages and responses to commands. For example: The ls command displays the contents of a directory. For example: Desktop about.html logs...
Submit a report in Bugzilla (http:// bugzilla.redhat.com/bugzilla/) against the component Deployment_Guide. If you have a suggestion for improving the documentation, try to be as specific as possible. If you have found an error, include the section number and some of the surrounding text so we can find it easily.
Part I. File Systems File system refers to the files and directories stored on a computer. A file system can have different formats called file system types. These formats determine how the information is stored as files and directories. Some file system types store redundant copies of the data, while some file system types make hard drive access faster.
Chapter 1. File System Structure 1.1. Why Share a Common Structure? The file system structure is the most basic level of organization in an operating system. Almost all of the ways an operating system interacts with its users, applications, and security model are dependent upon the way it organizes files on storage devices.
Chapter 1. File System Structure 1.2.1.1. The /boot/ Directory The /boot/ directory contains static files required to boot the system, such as the Linux kernel. These files are essential for the system to boot properly. Warning Do not remove the /boot/ directory. Doing so renders the system unbootable. 1.2.1.2.
FHS Organization 1.2.1.4. The /lib/ Directory The /lib/ directory should contain only those libraries needed to execute the binaries in /bin/ and /sbin/. These shared library images are particularly important for booting the system and executing commands within the root file system. 1.2.1.5.
Chapter 1. File System Structure 1.2.1.9. The /sbin/ Directory The /sbin/ directory stores executables used by the root user. The executables in /sbin/ are used at boot time, for system administration and to perform system recovery operations. Of this directory, the FHS says: /sbin contains binaries essential for booting, restoring, recovering, and/or repairing the system in addition to the binaries in /bin.
FHS Organization Under the /usr/ directory, the bin/ subdirectory contains executables, etc/ contains system-wide configuration files, games is for games, include/ contains C header files, kerberos/ contains binaries and other Kerberos-related files, and lib/ contains object files and libraries that are not designed to be directly utilized by users or shell scripts.
This location may also be used to temporarily store RPMs downloaded while updating the system. For more information about Red Hat Network, refer to the documentation online at https://rhn.redhat.com/. Another location specific to Red Hat Enterprise Linux is the /etc/sysconfig/ directory. This...
Special File Locations Under Red Hat Enterprise Linux in this directory. Refer to Chapter 28, The sysconfig Directory for more information about what is within this directory and the role these files play in the boot process.
Chapter 2. The ext3 File System The default file system is the journaling ext3 file system. 2.1. Features of ext3 The ext3 file system is essentially an enhanced version of the ext2 file system. These improvements provide the following advantages: Availability After an unexpected power failure or system crash (also called an unclean system shutdown), each mounted ext2 file system on the machine must be checked for consistency by the e2fsck...
Chapter 2. The ext3 File System 1. Format the partition with the ext3 file system using mkfs. 2. Label the partition using e2label. 2.3. Converting to an ext3 File System The tune2fs utility allows you to convert an ext2 filesystem to ext3. Note Always use the e2fsck utility to check your filesystem before and after using tune2fs.
Reverting to an ext2 File System /sbin/tune2fs -O ^has_journal /dev/mapper/VolGroup00-LogVol02 Check the partition for errors by typing the following command as root: /sbin/e2fsck -y /dev/mapper/VolGroup00-LogVol02 Then mount the partition again as ext2 file system by typing: mount -t ext2 /dev/mapper/VolGroup00-LogVol02 /mount/point In the above command, replace /mount/point with the mount point of the partition.
Chapter 3. The proc File System The Linux kernel has two primary functions: to control access to physical devices on the computer and to schedule when and how processes interact with these devices. The /proc/ directory — also called the proc file system — contains a hierarchy of special files which represent the current state of the kernel —...
Chapter 3. The proc File System When viewing different virtual files in the /proc/ file system, some of the information is easily understandable while some is not human-readable. This is in part why utilities exist to pull data from virtual files and display it in a useful way. Examples of these utilities include lspci, apm, free, and top.
/proc/buddyinfo 1.16 1.2 0x07 0x01 0xff 0x80 -1% -1 ? Running the apm -v command on such a system results in output similar to the following: APM BIOS 1.2 (kernel driver 1.16ac) AC on-line, no system battery For systems which do not use a battery as a power source, apm is able do little more than put the machine in standby mode.
Chapter 3. The proc File System This output tells us the following: The root device is mounted read-only at boot time. The presence of ro on the kernel boot line overrides any instances of rw. root=/dev/VolGroup00/LogVol00 This tells us on which disk device or, in this case, on which logical volume, the root filesystem image is located.
/proc/crypto • processor — Provides each processor with an identifying number. On systems that have one processor, only a 0 is present. • cpu family — Authoritatively identifies the type of processor in the system. For an Intel-based system, place the number in front of "86" to determine the value. This is particularly helpful for those attempting to identify the architecture of an older system such as a 586, 486, or 386.
Chapter 3. The proc File System 29 fb 36 netlink 128 ptm 136 pts 180 usb Block devices: 1 ramdisk 3 ide0 9 md 22 ide1 253 device-mapper 254 mdp The output from /proc/devices includes the major number and name of the device, and is broken into two major sections: Character devices and Block devices.
/proc/fb 3.2.9. /proc/fb This file contains a list of frame buffer devices, with the frame buffer device number and the driver that controls it. Typical output of /proc/fb for systems which contain frame buffer devices looks similar to the following: 0 VESA VGA 3.2.10.
/proc/ioports The first column displays the memory registers used by each of the different types of memory. The second column lists the kind of memory located within those registers and displays which memory registers are used by the kernel within the system RAM or, if the network interface card has multiple Ethernet ports, the memory registers assigned for each port.
Chapter 3. The proc File System 3.2.16. /proc/loadavg This file provides a look at the load average in regard to both the CPU and IO over time, as well as additional data used by uptime and other commands. A sample /proc/loadavg file looks similar to the following: 0.20 0.18 0.12 1/80 11206 The first three columns measure CPU and IO utilization of the last one, five, and 15 minute periods.
/proc/meminfo The /proc/mdstat file below shows a system with its md0 configured as a RAID 1 device, while it is currently re-syncing the disks: Personalities : [linear] [raid1] read_ahead 1024 sectors md0: active raid1 sda2[1] sdb2[0] 9940 blocks [2/2] [UU] resync=1% finish=12.3min algorithm 2 [3/3] [UUU] unused devices: <none>...
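The "[2/2] [UU]" status shown above is what a monitoring script should watch: the bracketed pair gives expected/present members, and an underscore in the second bracket marks a missing disk. The following is an added example, not code from the Deployment Guide, that parses /proc/mdstat text and reports degraded arrays. The sample text is constructed (one healthy and one degraded RAID 1 array); on a real system pass the contents of /proc/mdstat instead.

```shell
#!/bin/sh
# Added example, not part of the Deployment Guide: report md arrays that have
# fewer present members than expected, based on the "[expected/present]" field
# of each array's status line in /proc/mdstat.

# Constructed sample standing in for /proc/mdstat: md0 is healthy, md1 has
# lost one of its two members (this is not real system output).
SAMPLE_MDSTAT='Personalities : [raid1]
md0 : active raid1 sda2[1] sdb2[0]
      9940 blocks [2/2] [UU]
md1 : active raid1 sdc1[0]
      9940 blocks [2/1] [U_]
unused devices: <none>'

# mdstat_degraded TEXT -> prints "mdN present/expected" for every array whose
# status line shows fewer present members than expected; exit status 0 when
# all arrays are complete, 1 when at least one is degraded
mdstat_degraded() {
    printf '%s\n' "$1" | awk '
        # remember which array the following status line belongs to
        /^md[0-9]+ :/ { dev = $1; next }
        # the status line carries "[expected/present]"
        match($0, /\[[0-9]+\/[0-9]+\]/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), n, "/")
            if (n[2] + 0 < n[1] + 0) { print dev " " n[2] "/" n[1]; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: read the live file when present, otherwise the sample
text=$SAMPLE_MDSTAT
[ -r /proc/mdstat ] && text=$(cat /proc/mdstat)
if ! mdstat_degraded "$text"; then
    echo 'one or more md arrays are degraded'
fi
```

The check deliberately keys on the numeric pair rather than on the "[UU]" string, so it also works for arrays with more than two members.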
Chapter 3. The proc File System • Active — The total amount of buffer or page cache memory, in kilobytes, that is in active use. This is memory that has been recently used and is usually not reclaimed for other purposes. •...
/proc/modules 63 device-mapper 175 agpgart 135 rtc 134 apm_bios The first column is the minor number of each device, while the second column shows the driver in use. 3.2.21. /proc/modules This file displays a list of all modules loaded into the kernel. Its contents vary based on the configuration and use of your system, but it should be organized in a similar manner to this sample /proc/modules file output: Note...
/proc/pci • minor — The minor number of the device with this partition. This serves to separate the partitions into different physical devices and relates to the number at the end of the name of the partition. • #blocks — Lists the number of physical disk blocks contained in a particular partition. •...
This file specifies the version of the Linux kernel and gcc in use, as well as the version of Red Hat Enterprise Linux installed on the system: Linux version 2.6.8-1.523 (user@foo.redhat.com) (gcc version 3.4.1 20040714 \ (Red Hat Enterprise Linux 3.4.1-7)) #1 Mon Aug 16 13:27:03 EDT 2004 This information is used for a variety of purposes, including the version data presented when a user logs in.
Process Directories Each process directory contains the following files: • cmdline — Contains the command issued when starting the process. • cwd — A symbolic link to the current working directory for the process. • environ — A list of the environment variables for the process. The environment variable is given in all upper-case characters, and the value is in lower-case characters.
Chapter 3. The proc File System 2. Size of memory portions, in kilobytes. 3. Number of pages that are shared. 4. Number of pages that are code. 5. Number of pages of data/stack. 6. Number of library pages. 7. Number of dirty pages. •...
/proc/driver/ The subdirectories and files available within /proc/bus/ vary depending on the devices connected to the system. However, each bus type has at least one directory. Within these bus directories are normally at least one subdirectory with a numerical name, such as 001, which contain binary files. For example, the /proc/bus/usb/ subdirectory contains files that track the various devices on any USB buses, as well as the drivers required for them.
Chapter 3. The proc File System 3.3.4. /proc/fs This directory shows which file systems are exported. If running an NFS server, typing cat /proc/fs/nfsd/exports displays the file systems being shared and the permissions granted for those file systems. For more information, refer to Chapter 19, Network File System (NFS).
/proc/irq/ • geometry — The physical and logical geometry of the device. • media — The type of device, such as a disk. • model — The model name or number of the device. • settings — A collection of current device parameters. This file usually contains quite a bit of useful, technical information.
Chapter 3. The proc File System • atm/ directory — The files within this directory contain Asynchronous Transfer Mode (ATM) settings and statistics. This directory is primarily used with ATM networking and ADSL cards. • dev — Lists the various network devices configured on the system, complete with transmit and receive statistics.
/proc/scsi/ For example, if a system contains a SCSI CD-ROM, a tape drive, a hard drive, and a RAID controller, this file looks similar to the following: Attached devices: Host: scsi1 Channel: 00 Id: 05 Lun: 00 Vendor: NEC Model: CD-ROM DRIVE:466 Rev: 1.06 Type: CD-ROM...
Chapter 3. The proc File System IRQ: 30 SCBs: Active 0, Max Active 1, Allocated 15, HW 16, Page 255 Interrupts: 33726 BIOS Control Word: 0x18a6 Adapter Control Word: 0x1c5f Extended Translation: Enabled Disconnect Enable Flags: 0x00ff Ultra Enable Flags: 0x0020 Tag Queue Enable Flags: 0x0000 Ordered Queue Tag Flags: 0x0000 Default Tag Queue Depth: 8...
/proc/sys/ -rw-r--r-- 1 root root 0 May 10 16:14 dir-notify-enable -r--r--r-- 1 root root 0 May 10 16:14 dquot-nr -rw-r--r-- 1 root root 0 May 10 16:14 file-max -r--r--r-- 1 root root 0 May 10 16:14 file-nr In this listing, the files dir-notify-enable and file-max can be written to and, therefore, can be used to configure the kernel.
Chapter 3. The proc File System Can write CD-RW: Can read DVD: Can write DVD-R: Can write DVD-RAM: Can read MRW: Can write MRW: Can write RAM: This file can be quickly scanned to discover the qualities of an unknown CD-ROM. If multiple CD- ROMs are available on a system, each device is given its own column of information.
/proc/sys/ • acct — Controls the suspension of process accounting based on the percentage of free space available on the file system containing the log. By default, the file looks like the following: 4 2 30 The first value dictates the percentage of free space required for logging to resume, while the second value sets the threshold percentage of free space when logging is suspended.
Chapter 3. The proc File System • hotplug — Configures the utility to be used when a configuration change is detected by the system. This is primarily used with USB and Cardbus PCI. The default value of /sbin/hotplug should not be changed unless testing a new program to fulfill this role. •...
/proc/sys/ Each of these values defines a different rule for dealing with error messages. The first value, called the console loglevel, defines the lowest priority of messages printed to the console. (Note that, the lower the priority, the higher the loglevel number.) The second value sets the default loglevel for messages without an explicit loglevel attached to them.
Chapter 3. The proc File System • p — Outputs all flags and registers to the console. • t — Outputs a list of processes to the console. • m — Outputs memory statistics to the console. • 0 through 9 — Sets the log level for the console. •...
/proc/sys/ • version — Displays the date and time the kernel was last compiled. The first field in this file, such as #3, relates to the number of times a kernel was built from the source base. 3.3.9.4. /proc/sys/net/ This directory contains subdirectories concerning various networking topics. Various configurations at the time of kernel compilation make different directories available here, such as ethernet/, ipv4/, ipx/, and ipv6/.
Chapter 3. The proc File System • icmp_destunreach_rate, icmp_echoreply_rate, icmp_paramprob_rate, and icmp_timeexeed_rate — Set the maximum ICMP send packet rate, in 1/100 of a second, to hosts under certain conditions. A setting of 0 removes any delay and is not a good idea. •...
/proc/sys/ /usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt 3.3.9.5. /proc/sys/vm/ This directory facilitates the configuration of the Linux kernel's virtual memory (VM) subsystem. The kernel makes extensive and intelligent use of virtual memory, which is commonly referred to as swap space. The following files are commonly found in the /proc/sys/vm/ directory: •...
Chapter 3. The proc File System /usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt • max_map_count — Configures the maximum number of memory map areas a process may have. In most cases, the default value of 65536 is appropriate. • min_free_kbytes — Forces the Linux VM (virtual memory manager) to keep a minimum number of kilobytes free.
/proc/sysvipc/ 3.3.10. /proc/sysvipc/ This directory contains information about System V IPC resources. The files in this directory relate to System V IPC calls for messages (msg), semaphores (sem), and shared memory (shm). 3.3.11. /proc/tty/ This directory contains information about the available and currently used tty devices on the system. Originally called teletype devices, any character-based data terminals are called tty devices.
Chapter 3. The proc File System net.ipv4.route.min_delay, with the directory slashes replaced by dots and the proc.sys portion assumed. The sysctl command can be used in place of echo to assign values to writable files in the /proc/sys/ directory. For example, instead of using the command echo 1 >...
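Because the dotted sysctl key and the /proc/sys/ path are the same name in two spellings, a baseline of expected kernel settings can be checked either way. The following is an added example, not code from the Deployment Guide, that converts between the two forms and audits a list of keys against expected values. The directory tree it builds under a temporary path is a constructed stand-in for /proc/sys with made-up values, so the audit runs offline; pass /proc/sys as the root to audit a live system.

```shell
#!/bin/sh
# Added example, not part of the Deployment Guide: map /proc/sys paths to
# dotted sysctl keys (and back), then compare current values with a baseline.

# proc_to_sysctl ROOT PATH -> key: drop the root prefix, turn '/' into '.'
proc_to_sysctl() {
    printf '%s\n' "$2" | sed -e "s|^$1/||" -e 's|/|.|g'
}

# sysctl_to_proc ROOT KEY -> path: the inverse mapping
sysctl_to_proc() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# read_sysctl ROOT KEY -> current value of KEY under ROOT (e.g. /proc/sys)
read_sysctl() {
    cat "$(sysctl_to_proc "$1" "$2")"
}

# audit_sysctl ROOT EXPECTED -> prints "key current expected" for each line of
# EXPECTED ("key value" per line) whose current value differs or is missing;
# exit status 0 when every key matches, 1 otherwise
audit_sysctl() {
    printf '%s\n' "$2" | while read -r key want; do
        [ -n "$key" ] || continue
        have=$(read_sysctl "$1" "$key" 2>/dev/null || echo '<missing>')
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$key" "$have" "$want"
    done | grep . && return 1
    return 0
}

# Constructed sample tree standing in for /proc/sys; the values are invented
# for this example and do not describe any real host.
FAKE_SYS=$(mktemp -d)
trap 'rm -rf "$FAKE_SYS"' EXIT
mkdir -p "$FAKE_SYS/net/ipv4" "$FAKE_SYS/kernel"
echo 1 > "$FAKE_SYS/net/ipv4/ip_forward"
echo 0 > "$FAKE_SYS/net/ipv4/icmp_echo_ignore_broadcasts"
echo 1 > "$FAKE_SYS/kernel/sysrq"

# Baseline for a host that should not route packets or answer broadcast pings
EXPECTED='net.ipv4.ip_forward 0
net.ipv4.icmp_echo_ignore_broadcasts 1
kernel.sysrq 1'

# Stand-alone run: list drifted keys from the constructed tree
audit_sysctl "$FAKE_SYS" "$EXPECTED" || echo 'sysctl audit: drift found'
```

Reading the files directly rather than calling sysctl keeps the check usable from a minimal rescue environment, and the same EXPECTED list can be fed to sysctl -w to apply the baseline.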
Chapter 4. Redundant Array of Independent Disks (RAID) The basic idea behind RAID is to combine multiple small, inexpensive disk drives into an array to accomplish performance or redundancy goals not attainable with one large and expensive drive. This array of drives appears to the computer as a single logical storage unit or drive. 4.1.
Chapter 4. Redundant Array of Independent Disks (RAID) 4.3.2. Software RAID Software RAID implements the various RAID levels in the kernel disk (block device) code. It offers the cheapest possible solution, as expensive disk controller cards or hot-swap chassis are not required. Software RAID also works with cheaper IDE disks as well as SCSI disks.
Configuring Software RAID • Level 4 — Level 4 uses parity (see Note) concentrated on a single disk drive to protect data. It is better suited to transaction I/O rather than large file transfers. Because the dedicated parity disk represents an inherent bottleneck, level 4 is seldom used without accompanying technologies such as write-back caching.
Chapter 4. Redundant Array of Independent Disks (RAID) • Creating file systems from the RAID devices. Note Although this procedure covers installing with a GUI application, system administrators can do the same with text-based installation. Configuration of software RAID must be done manually in Disk Druid during the installation process.
Creating the RAID Partitions 2. Choose Create a software RAID partition to create a RAID partition as shown in Figure 4.2, “RAID Partition Options”. Note that no other RAID options (such as entering a mount point) are available until RAID partitions, as well as RAID devices, are created. Figure 4.2.
Chapter 4. Redundant Array of Independent Disks (RAID) Figure 4.3. Adding a RAID Partition 4. Enter the size that you want the partition to be. 5. Select Fixed Size to specify partition size. Select Fill all space up to (MB) and enter a value (in MB) to specify partition size range.
Creating the RAID Devices and Mount Points Figure 4.4. RAID 1 Partitions Ready, Pre-Device and Mount Point Creation 4.5.2. Creating the RAID Devices and Mount Points Once you create all of your partitions as Software RAID partitions, you must create the RAID device and mount point.
Chapter 4. Redundant Array of Independent Disks (RAID) Figure 4.5. RAID Options 3. Next, Figure 4.6, “Making a RAID Device and Assigning a Mount Point” appears, where you can make a RAID device and assign a mount point.
Creating the RAID Devices and Mount Points Figure 4.6. Making a RAID Device and Assigning a Mount Point 4. Select a mount point. 5. Choose the file system type for the partition. At this point you can either configure a dynamic LVM file system or a traditional static ext2/ext3 file system.
Chapter 4. Redundant Array of Independent Disks (RAID) Figure 4.7. The /boot/ Mount Error 8. The RAID partitions created appear in the RAID Members list. Select which of these partitions should be used to create the RAID device. 9. If configuring RAID 1 or RAID 5, specify the number of spare partitions. If a software RAID partition fails, the spare is automatically used as a replacement.
Creating the RAID Devices and Mount Points Figure 4.8. Final Sample RAID Configuration The figure shown in Figure 4.9, “Final Sample RAID With LVM Configuration” is an example of a RAID and LVM configuration.
Chapter 4. Redundant Array of Independent Disks (RAID) Figure 4.9. Final Sample RAID With LVM Configuration You can continue with your installation process. Refer to the Red Hat Enterprise Linux Installation Guide for further instructions.
Chapter 5. Swap Space 5.1. What is Swap Space? Swap space in Linux is used when the amount of physical memory (RAM) is full. If the system needs more memory resources and the RAM is full, inactive pages in memory are moved to the swap space. While swap space can help machines with a small amount of RAM, it should not be considered a replacement for more RAM.
Chapter 5. Swap Space You have three options: create a new swap partition, create a new swap file, or extend swap on an existing LVM2 logical volume. It is recommended that you extend an existing logical volume. 5.2.1. Extending Swap on an LVM2 Logical Volume To extend an LVM2 swap logical volume (assuming /dev/VolGroup00/LogVol01 is the volume you want to extend): 1.
Creating a Swap File /dev/VolGroup00/LogVol02 swap swap defaults 0 0 4. Enable the extended logical volume: # swapon -va 5. Test that the logical volume has been extended properly: # cat /proc/swaps # free 5.2.3. Creating a Swap File To add a swap file: 1.
Chapter 5. Swap Space You have three options: remove an entire LVM2 logical volume used for swap, remove a swap file, or reduce swap space on an existing LVM2 logical volume. 5.3.1. Reducing Swap on an LVM2 Logical Volume To reduce an LVM2 swap logical volume (assuming /dev/VolGroup00/LogVol01 is the volume you want to reduce): 1.
Removing a Swap File 3. Remove the following entry from the /etc/fstab file: /dev/VolGroup00/LogVol02 swap swap defaults 0 0 4. Test that the logical volume has been removed: # cat /proc/swaps # free 5.3.3. Removing a Swap File To remove a swap file: 1.
Chapter 6. Managing Disk Storage 6.1. Standard Partitions using parted The utility parted allows users to: • View the existing partition table • Change the size of existing partitions • Add partitions from free space or additional hard drives If you want to view the system's disk space usage or monitor the disk space usage, refer to Section 38.3, “File Systems”.
Chapter 6. Managing Disk Storage
Command: Description
mkpartfs part-type fs-type start-mb end-mb: Make a partition and create the specified file system
move minor-num start-mb end-mb: Move the partition
name minor-num name: Name the partition for Mac and PC98 disklabels only
print: Display the partition table
Quit parted...
Creating a Partition • fat16 • fat32 • hfs • jfs • linux-swap • ntfs • reiserfs • hp-ufs • sun-ufs • xfs If a Filesystem of a device shows no value, this means that its file system type is unknown. The Flags column lists the flags set for the partition.
Chapter 6. Managing Disk Storage 6.1.2.1. Making the Partition From the partition table, determine the start and end points of the new partition and what partition type it should be. You can only have four primary partitions (with no extended partition) on a device. If you need more than four partitions, you can have three primary partitions, one extended partition, and multiple logical partitions within the extended.
Removing a Partition e2label /dev/sda6 /work By default, the installation program uses the mount point of the partition as the label to make sure the label is unique. You can use any label you want. 6.1.2.4. Creating the Mount Point As root, create the mount point: mkdir /work 6.1.2.5.
Chapter 6. Managing Disk Storage Remove the partition with the command rm. For example, to remove the partition with minor number 3: rm 3 The changes start taking place as soon as you press Enter, so review the command before committing to it.
LVM Partition Management After resizing the partition, use the print command to confirm that the partition has been resized correctly, is the correct partition type, and is the correct file system type. After rebooting the system into normal mode, use the command df to make sure the partition was mounted and is recognized with the new size.
Chapter 6. Managing Disk Storage
Command: Description
vgcfgbackup: Backup volume group configuration
vgcfgrestore: Restore volume group configuration
vgchange: Change volume group attributes
vgck: Check the consistency of a volume group
vgconvert: Change volume group metadata format
vgcreate: Create a volume group
vgdisplay: Display volume group information...
Chapter 7. Implementing Disk Quotas Disk space can be restricted by implementing disk quotas which alert a system administrator before a user consumes too much disk space or a partition becomes full. Disk quotas can be configured for individual users as well as user groups. This makes it possible to manage the space allocated for user-specific files (such as email) separately from the space allocated to the projects a user works on (assuming the projects are given their own groups).
Chapter 7. Implementing Disk Quotas Note The following examples assume that a separate /home partition was created during the installation of Red Hat Enterprise Linux. The root (/) partition can be used for setting quota policies in the /etc/fstab file. 7.1.2.
Assigning Quotas per User • a — Check all quota-enabled, locally-mounted file systems • v — Display verbose status information as the quota check proceeds • u — Check user disk quota information • g — Check group disk quota information After quotacheck has finished running, the quota files corresponding to the enabled quotas (user and/or group) are populated with data for each quota-enabled locally-mounted file system such as /home.
Chapter 7. Implementing Disk Quotas Disk quotas for user testuser (uid 501): Filesystem blocks soft hard inodes soft hard /dev/VolGroup00/LogVol02 440436 500000 550000 37418 To verify that the quota for the user has been set, use the command: quota testuser 7.1.5.
Enabling and Disabling 7.2.1. Enabling and Disabling It is possible to disable quotas without setting them to 0. To turn all user and group quotas off, use the following command: quotaoff -vaug If neither the -u nor the -g option is specified, only the user quotas are disabled. If only -g is specified, only group quotas are disabled.
7.3.2. Related Books • Red Hat Enterprise Linux Introduction to System Administration; Red Hat, Inc. — Available at http://www.redhat.com/docs/ and on the Documentation CD, this manual contains background information on storage management (including disk quotas) for new Red Hat Enterprise Linux...
Chapter 8. Access Control Lists Files and directories have permission sets for the owner of the file, the group associated with the file, and all other users for the system. However, these permission sets have limitations. For example, different permissions cannot be configured for different users. Thus, Access Control Lists (ACLs) were implemented.
Chapter 8. Access Control Lists 1. Per user 2. Per group 3. Via the effective rights mask 4. For users not in the user group for the file The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory: setfacl -m <rules>...
Retrieving ACLs For example, to set the default ACL for the /share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it): setfacl -m d:o:rx /share 8.4. Retrieving ACLs To determine the existing ACLs for a file or directory, use the getfacl command.
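When reviewing a directory tree for over-broad access, the entries getfacl prints are not the whole story: the mask entry caps the effective rights of named users, named groups and the owning group (but not the owner or "other"), so a rule like user:alice:rw- grants no write access at all under mask::r-x. The following is an added example, not code from the Deployment Guide, that reads getfacl-style output and lists only the entries that can effectively write. The listing is constructed sample output, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the Deployment Guide: list the access-ACL entries
# whose effective permissions include write, applying the mask the way the
# kernel does. Default-ACL lines (the ones a new file inherits) are skipped.

# Constructed getfacl-style output for a shared directory (not real output)
SAMPLE_ACL='# file: share
# owner: root
# group: staff
user::rwx
user:alice:rw-
user:bob:r--
group::rwx
group:devs:-w-
mask::rw-
other::r-x
default:user::rwx
default:other::r-x'

# acl_effective_writers TEXT -> one "type:name" line per entry of the access
# ACL that can effectively write; the unnamed owner, owning group and other
# entries are labelled "owner", "owning-group" and "other"
acl_effective_writers() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || /^default:/ || NF < 3 { next }
        $1 == "mask" { mask = $3; next }
        { type[NR] = $1; name[NR] = $2; perm[NR] = $3 }
        END {
            for (i in type) {
                p = perm[i]
                # named users, named groups and the owning group are capped by the mask
                capped = (type[i] == "group" || (type[i] == "user" && name[i] != ""))
                if (capped && mask != "" && !index(mask, "w")) p = "---"
                if (!index(p, "w")) continue
                label = name[i]
                if (label == "")
                    label = (type[i] == "user") ? "owner" : ((type[i] == "group") ? "owning-group" : "other")
                print type[i] ":" label
            }
        }' | LC_ALL=C sort
}

# Stand-alone run: show who can write to the sample directory
acl_effective_writers "$SAMPLE_ACL"
```

On a live system, feed it getfacl output (for example getfacl /share) and compare the result with the list of principals that are supposed to have write access; tightening mask::rw- to mask::r-x in the sample removes every writer except the owner.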
Chapter 8. Access Control Lists Option Description Do not extract the files; use in conjunction with -x to show what extracting the files does. Replaces files in the archive. The files are written to the end of the archive file, replacing any files with the same path and file name.
Useful Websites • star man page — Explains more about the star utility and its many options 8.7.2. Useful Websites • http://acl.bestbits.at/ — Website for ACLs...
Chapter 9. LVM (Logical Volume Manager)

9.1. What is LVM?

LVM is a tool for logical volume management, which includes allocating disks, striping, mirroring and resizing logical volumes. With LVM, a hard drive or set of hard drives is allocated to one or more physical volumes. LVM physical volumes can be placed on other block devices which might span two or more disks.

Figure 9.2. Logical Volumes

On the other hand, if a system is partitioned with the ext3 file system, the hard drive is divided into partitions of defined sizes. If a partition becomes full, it is not easy to expand the size of the partition. Even if the partition is moved to another hard drive, the original hard drive space has to be reallocated as a different partition or not used.

9.3. Automatic Partitioning

On the Disk Partitioning Setup screen, select Automatically partition. For Red Hat Enterprise Linux, LVM is the default method for disk partitioning. If you do not wish to have LVM implemented, or if you require RAID partitioning, manual disk partitioning through Disk Druid is required.

Note

If enabling quotas is of interest to you, it may be best to modify the automatic configuration to include other mount points, such as /home/ or /var/, so that each file system has its own independent quota configuration limits. In most cases, the default automatic LVM partitioning is sufficient, but advanced implementations could warrant modification or manual configuration of the partition tables.
Figure 9.4. Two Blank Drives, Ready For Configuration

Warning

The /boot/ partition cannot reside on an LVM volume because the GRUB boot loader cannot read it.

1. Select New.
2. Select /boot from the Mount Point pulldown menu.
3.
Figure 9.5. Creation of the Boot Partition

Click OK to return to the main screen. The following figure displays the boot partition correctly set:...

Figure 9.6. The /boot/ Partition Displayed

9.4.2. Creating the LVM Physical Volumes

Once the boot partition is created, the remainder of all disk space can be allocated to LVM partitions. The first step in creating a successful LVM implementation is the creation of the physical volume(s).

1.
Figure 9.7. Creating a Physical Volume

3. You cannot enter a mount point yet (you can once you have created all your physical volumes and then all volume groups).
4. A physical volume must be constrained to one drive. For Allowable Drives, select the drive on which the physical volume is created.

Figure 9.8. Two Physical Volumes Created

9.4.3. Creating the LVM Volume Groups

Once all the physical volumes are created, the volume groups can be created:

1. Click the LVM button to collect the physical volumes into volume groups. A volume group is basically a collection of physical volumes.

Figure 9.9. Creating an LVM Volume Group

2. Change the Volume Group Name if desired.
3. All logical volumes inside the volume group must be allocated in physical extent (PE) units. A physical extent is an allocation unit for data.
4.
Figure 9.10. Creating a Logical Volume

Repeat these steps for each volume group you want to create. You may want to leave some free space in the volume group so you can expand the logical volumes later. The default automatic configuration does not do this, but this manual configuration example does —...
Figure 9.11. Pending Logical Volumes

Click OK to apply the volume group and all associated logical volumes. The following figure shows the final manual configuration:...

Figure 9.12. Final Manual Configuration

9.5. Using the LVM utility system-config-lvm

The LVM utility allows you to manage logical volumes within X windows or graphically. You can access the application by selecting from your menu panel System > Administration > Logical Volume Management.
Figure 9.13. Main LVM Window

The figure below illustrates the physical view for the volume. In this window, you can select and remove a volume from the volume group or migrate extents from the volume to another volume group. Refer to Figure 9.22, “Migrate Extents”.
Figure 9.15. Logical View Window

On the left side column, you can select the individual logical volumes in the volume group to view more details about each. In this example the objective is to rename the logical volume 'LogVol03' to 'Swap'.

Figure 9.16. Edit Logical Volume

9.5.1. Utilizing uninitialized entities

'Uninitialized Entities' consist of unpartitioned space and non-LVM file systems. In this example partitions 3, 4, 5, 6 and 7 were created during installation and some unpartitioned space was left on the hard disk.

9.5.2. Adding Unallocated Volumes to a volume group

Once initialized, a volume will be listed in the 'Unallocated Volumes' list. The figure below illustrates an unallocated partition (Partition 3). The respective buttons at the bottom of the window allow you to:

•...
Figure 9.19. Add physical volume to volume group

Once added to an existing volume group, the new logical volume is automatically added to the unused space of the selected volume group. You can use the unused space to:

•...

In the figure below, the uninitialized entities (partitions 3, 5, 6 and 7) were added to 'VolGroup00'.

Figure 9.21. Logical view of volume group

9.5.3. Migrating extents

To migrate extents from a physical volume, select the volume and click on the Migrate Selected Extent(s) From Volume button.
Figure 9.22. Migrate Extents

The figure below illustrates a migration of extents in progress. In this example, the extents were migrated to 'Partition 3'.

Figure 9.23. Migrating extents in progress

Once the extents have been migrated, unused space is left on the physical volume. The figure below illustrates the physical and logical view for the volume group.

Figure 9.24. Logical and physical view of volume group

9.5.4. Adding a new hard disk using LVM

In this example, a new IDE hard disk was added. The figure below illustrates the details for the new hard disk.

9.5.5. Adding a new volume group

Once initialized, LVM will add the new volume to the list of unallocated volumes, where you can add it to an existing volume group or create a new volume group. You can also remove the volume from LVM.
Figure 9.27. Create new logical volume

The figure below illustrates the physical view of the new volume group. The new logical volume named 'Backups' in this volume group is also listed.

Figure 9.28. Physical view of new volume group...

9.5.6. Extending a volume group

In this example, the objective was to extend the new volume group to include an uninitialized entity (partition). This was to increase the size or number of extents for the volume group. To extend the volume group, click on the Extend Volume Group button.

9.5.7. Editing a Logical Volume

The LVM utility allows you to select a logical volume in the volume group, modify its name and size, and specify filesystem options. In this example, the logical volume named 'Backups' was extended onto the remaining space for the volume group.
Figure 9.32. Edit logical volume - specifying mount options

The figure below illustrates the logical and physical view of the volume group after the logical volume was extended to the unused space. Please note in this example that the logical volume named 'Backups' spans across two hard disks.

• rpm -qd lvm2 — This command shows all the documentation available from the lvm package, including man pages.
• lvm help — This command shows all LVM commands available.

9.6.2. Useful Websites

• http://sources.redhat.com/lvm2 — LVM2 webpage, which contains an overview, link to the mailing lists, and more.
Part II. Package Management

All software on a Red Hat Enterprise Linux system is divided into RPM packages which can be installed, upgraded, or removed. This part describes how to manage the RPM packages on a Red Hat Enterprise Linux system using graphical and command line tools.

Chapter 10. Package Management with RPM

The RPM Package Manager (RPM) is an open packaging system, which runs on Red Hat Enterprise Linux as well as other Linux and UNIX systems. Red Hat, Inc. encourages other vendors to use RPM for their own products. RPM is distributed under the terms of the GPL. The utility works only with packages built for processing by the rpm package.

RPM repositories, but if you are looking for RPM packages built by Red Hat, they can be found at the following locations:

• The Red Hat Enterprise Linux CD-ROMs
• The Red Hat Errata Page available at http://www.redhat.com/apps/support/errata/
• Chapter 13, Red Hat Network
•...
    Preparing...                ########################################### [100%]
       1:foo                    ########################################### [100%]

As you can see, RPM prints out the name of the package and then prints a succession of hash marks as a progress meter while the package is installed. The signature of a package is checked automatically when installing or upgrading a package. The signature confirms that the package was signed by an authorized party.

    Preparing...                ########################################### [100%]
    file /usr/bin/foo from install of foo-1.0-1 conflicts with file from package bar-2.0.20

To make RPM ignore this error, use the --replacefiles option:

    rpm -ivh --replacefiles foo-1.0-1.i386.rpm

10.2.2.3. Unresolved Dependency

RPM packages may sometimes depend on other packages, which means that they require other packages to be installed to run properly.

Note

Notice that we used the package name foo, not the name of the original package file foo-1.0-1.i386.rpm. To uninstall a package, replace foo with the actual package name of the original package.

You can encounter a dependency error when uninstalling a package if another installed package depends on the one you are trying to remove.

To force RPM to upgrade anyway, use the --oldpackage option:

    rpm -Uvh --oldpackage foo-1.0-1.i386.rpm

10.2.5. Freshening

Freshening is similar to upgrading, except that only packages which are already installed are upgraded. Type the following command at a shell prompt:

    rpm -Fvh foo-1.2-1.i386.rpm

RPM's freshen option checks the versions of the packages specified on the command line against the versions of packages that have already been installed on your system.

There are a number of ways to specify what information to display about queried packages. The following options are used to select the type of information for which you are searching. These are called Package Query Options.

• -i displays package information including name, description, release, size, build date, install date, vendor, and other miscellaneous information.

• 5 — MD5 checksum
• S — file size
• L — symbolic link
• T — file modification time
• D — device
• U — user
• G — group
• M — mode (includes permissions and file type)
•...
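On a system where the package database is intact, the attribute letters above are what rpm -V prints for every file that fails a check, and reading them by hand across a full rpm -Va run is tedious. The following Python is an added example, not from the Deployment Guide: it parses that output (a constructed sample, in the 8-column form this RPM version prints) and separates the changes an administrator expects, such as an edited config file, from ones that deserve a closer look.

```python
"""Triage `rpm -V` / `rpm -Va` output by the attribute letters rpm prints.

Added example, not from the Deployment Guide. SAMPLE_OUTPUT is constructed;
the letters are the ones the guide lists (S M 5 D L U G T), in the fixed
column order rpm uses, with '.' where a test passed. Newer rpm releases add a
ninth column (P, capabilities), which the pattern tolerates.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path changed file_type missing")

ATTR_NAMES = {
    "S": "size", "M": "mode", "5": "md5 checksum", "D": "device",
    "L": "symlink", "U": "user", "G": "group", "T": "mtime",
}

# <flags or 'missing'>  [c|d|g|l]  /path   (the type letter marks config, doc, ghost, license files)
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.]{8,9}|missing)\s+(?:(?P<type>[cdgl])\s+)?(?P<path>/\S+)$"
)

# Attributes that mean the file's content, identity or ownership differs from the package.
CONTENT_ATTRS = {"size", "md5 checksum", "mode", "device", "symlink", "user", "group"}

SAMPLE_OUTPUT = """\
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/man/man1/ls.1.gz
S.5....T    /bin/ls
.M......    /usr/bin/passwd
missing     /usr/sbin/useradd
"""


def parse_verify_line(line):
    """Return a Finding for one rpm -V line, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("flags") == "missing":
        return Finding(m.group("path"), frozenset(), m.group("type"), True)
    changed = frozenset(ATTR_NAMES[c] for c in m.group("flags") if c in ATTR_NAMES)
    return Finding(m.group("path"), changed, m.group("type"), False)


def triage(output):
    """Split findings into (expected, suspicious).

    Expected: a config file ('c') the administrator edited, or only the mtime
    changed. Suspicious: content/mode/ownership changes on any other file, or a
    file the package should provide that is missing.
    """
    expected, suspicious = [], []
    for line in output.splitlines():
        finding = parse_verify_line(line)
        if finding is None:
            continue
        content_changed = bool(finding.changed & CONTENT_ATTRS)
        if finding.missing or (content_changed and finding.file_type != "c"):
            suspicious.append(finding)
        else:
            expected.append(finding)
    return expected, suspicious


if __name__ == "__main__":
    expected, suspicious = triage(SAMPLE_OUTPUT)
    for f in suspicious:
        what = "missing" if f.missing else ", ".join(sorted(f.changed))
        print(f"INVESTIGATE {f.path}: {what}")
    for f in expected:
        print(f"expected    {f.path}: {', '.join(sorted(f.changed))}")
```

Because rpm -V compares against the local database, a result of "no findings" only means the files match what the database says; the signature checks described in the next section are what tie the database entries back to Red Hat.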
    rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

To display a list of all keys installed for RPM verification, execute the command:

    rpm -qa gpg-pubkey*

For the Red Hat key, the output includes:

    gpg-pubkey-37017186-45761324

To display details about a specific key, use rpm -qi followed by the output from the previous...
    Source RPM: crontabs-1.10-7.src.rpm
    Size      : 1004                             License: Public Domain
    Signature : DSA/SHA1, Wed 05 Jan 2005 06:05:25 PM EST, Key ID 219180cddb42a60e
    Packager  : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
    Summary   : Root crontab files used to schedule the execution of programs.
    Description :
    The crontabs package contains root crontab files. Crontab is the
    program used to install, uninstall, or list the tables used to drive the
    cron daemon. The cron daemon checks the crontab files to see when
    particular commands are scheduled to be executed. If commands are
    scheduled, then it executes them.

Chapter 11. Package Management Tool

If you prefer to use a graphical interface to view and manage packages in your system, you can use the Package Management Tool, better known as pirut. This tool allows you to perform basic package management of your system through an easy-to-use interface to remove installed packages or download (and install) packages compatible to your system.

The Browse tab allows you to view packages by group. In Figure 11.1, “Package Management Tool”, the left window shows the different package group types you can choose from (for example, Desktop Environments, Applications, Development and more). When a package group type is selected, the right window displays the different package groups of that type.
queued for download and installation. You can select multiple packages to download and install; once you have made your selection, click the Apply button.

Figure 11.3. Package installation

If there are any package dependencies for your selected downloads, the Package Management Tool will notify you accordingly.
Figure 11.4. Package dependencies: installation

Removing a package can be done in a similar manner. To remove a package installed in your system, click the checkbox beside the package name. The green check appearing beside the package name will be replaced by a package removal icon.
Figure 11.5. Package removal

Note that if any other installed packages are dependent on the package you are removing, they will be removed as well. The Package Management Tool will notify you if there are any such dependencies. Click Details to view what packages are dependent on the one you are removing.
Figure 11.6. Package dependencies: removal

You can install and remove multiple packages by selecting packages to be installed / removed and then clicking Apply. The Package selections window displays the number of packages to be installed and removed.
Figure 11.7. Installing and removing packages simultaneously...
Chapter 12. YUM (Yellowdog Updater Modified)

Yellowdog Update, Modified (YUM) is a package manager that was developed by Duke University to improve the installation of RPMs. yum searches numerous repositories for packages and their dependencies so they may be installed together in an effort to alleviate dependency issues. Red Hat Enterprise Linux 5.2 uses yum to fetch packages and install RPMs.

Excludes a specific package by name or glob in a specific transaction.

12.4. Configuring yum

By default, yum is configured through /etc/yum.conf. The following is an example of a typical /etc/yum.conf file:

    [main]
    cachedir=/var/cache/yum
    keepcache=0
    debuglevel=2
    logfile=/var/log/yum.log
    distroverpkg=redhat-release
    tolerant=1
    exactarch=1
    obsoletes=1
    gpgcheck=1
    plugins=1
    metadata_expire=1800
    ...

    [myrepo]
    name=RHEL 5 $releasever - $basearch
    baseurl=http://local/path/to/yum/repository/
    enabled=1

A typical /etc/yum.conf file is made up of two types of sections: a [main] section, and a repository section. There can only be one [main] section, but you can specify multiple repositories in a single /etc/yum.conf.

exclude=<package name/s>
    This option allows you to exclude packages by keyword during installation/updates. If you are specifying multiple packages, this is a space-delimited list. Shell globs using wildcards (for example, * and ?) are allowed.

retries=<number of retries>...

/etc/yum.conf and .repo files).

$releasever
    This is replaced with the package's version, as listed in distroverpkg. This defaults to the version of the redhat-release package.

$arch
    This is replaced with your system's architecture, as listed by os.uname() in Python.

$basearch
    This is replaced with your base architecture.
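Two details of the configuration above are easy to get wrong when repositories are added by hand: gpgcheck is inherited from [main] only when a repository section does not set its own, and the $releasever/$basearch variables are expanded before the baseurl is fetched. The following Python is an added example, not from the Deployment Guide: it reads a constructed yum.conf modelled on the sample above, lists enabled repositories that would install packages without a signature check, and shows the URLs yum would actually request. The variable values and the second repository are assumptions.

```python
"""Audit a yum.conf for repositories that skip GPG checks and expand yum variables.

Added example, not from the Deployment Guide. SAMPLE_YUM_CONF is constructed
from the guide's sample with one extra repository ([mirror]) added; VARIABLES
holds assumed values for $releasever, $arch and $basearch.
"""
import configparser
import re

SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
distroverpkg=redhat-release
tolerant=1
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
metadata_expire=1800

[myrepo]
name=RHEL 5 $releasever - $basearch
baseurl=http://local/path/to/yum/repository/
enabled=1

[mirror]
name=Local mirror $releasever
baseurl=http://mirror.example.invalid/rhel/$releasever/$basearch/
enabled=1
gpgcheck=0
"""

# Assumed values; on a real system yum derives them from the redhat-release package and uname.
VARIABLES = {"releasever": "5Server", "arch": "x86_64", "basearch": "x86_64"}


def load_yum_conf(text):
    """Parse yum.conf; interpolation is disabled so '$' and '%' survive untouched."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def expand_variables(value, variables=VARIABLES):
    """Replace $releasever, $arch and $basearch as yum does before using the value."""
    return re.sub(r"\$(releasever|arch|basearch)", lambda m: variables[m.group(1)], value)


def repos_without_gpgcheck(text):
    """Enabled repositories whose packages would be installed unsigned.

    A repository section without its own gpgcheck line inherits the [main]
    setting; a repository-level gpgcheck=0 overrides a [main] gpgcheck=1.
    """
    cp = load_yum_conf(text)
    main_check = cp.getboolean("main", "gpgcheck", fallback=False)
    unchecked = []
    for repo in cp.sections():
        if repo == "main" or not cp.getboolean(repo, "enabled", fallback=True):
            continue
        if not cp.getboolean(repo, "gpgcheck", fallback=main_check):
            unchecked.append(repo)
    return unchecked


def expanded_baseurls(text, variables=VARIABLES):
    """Map each repository to the baseurl yum would request after variable expansion."""
    cp = load_yum_conf(text)
    return {
        repo: expand_variables(cp.get(repo, "baseurl"), variables)
        for repo in cp.sections()
        if repo != "main" and cp.has_option(repo, "baseurl")
    }


if __name__ == "__main__":
    print("unsigned installs possible from:", repos_without_gpgcheck(SAMPLE_YUM_CONF))
    for repo, url in expanded_baseurls(SAMPLE_YUM_CONF).items():
        print(f"{repo}: {url}")
```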
All Security Alerts, Bug Fix Alerts, and Enhancement Alerts (collectively known as Errata Alerts) can be downloaded directly from Red Hat using the Package Updater standalone application or through the RHN website available at https://rhn.redhat.com/.

Figure 13.1. Your RHN

Red Hat Network saves you time because you receive email when updated packages are released.
through a secure Web browser connection from any computer

Caution

You must activate your Red Hat Enterprise Linux product before registering your system with Red Hat Network to make sure your system is entitled to the correct services. To activate your product, go to: http://www.redhat.com/apps/activate/...
After registering, use one of the following methods to start receiving updates:

• Select Applications (the main menu on the panel) > System Tools > Package Updater on your desktop
• Execute the command yum from a shell prompt
• Use the RHN website at https://rhn.redhat.com/
• Click on the package icon when it appears in the panel to launch the Package Updater.

For more detailed instructions, refer to the documentation available at: http://www.redhat.com/docs/manuals/RHNetwork/

Red Hat Enterprise Linux includes a convenient panel icon that displays visible alerts when there is an update for your Red Hat Enterprise Linux system.
Part III. Network-Related Configuration

After explaining how to configure the network, this part discusses topics related to networking such as how to allow remote logins, share files and directories over the network, and set up a Web server.

Chapter 14. Network Interfaces

Under Red Hat Enterprise Linux, all network communications occur between configured software interfaces and physical networking devices connected to the system. The configuration files for network interfaces are located in the /etc/sysconfig/network-scripts/ directory. The scripts used to activate and deactivate these network interfaces are also located here.

Warning

The /etc/sysconfig/networking/ directory is used by the Network Administration Tool (system-config-network) and its contents should not be edited manually. Using only one method for network configuration is strongly encouraged, due to the risk of configuration deletion. For more information about configuring network interfaces using the Network Administration Tool, refer to Chapter 15, Network Configuration...
parameters are identical to those used for bonding devices in /sys/class/net/<bonding device>/bonding, and the module parameters for the bonding driver as described in bonding Module Directives. This configuration method is used so that multiple bonding devices can have different configurations.
HWADDR=<MAC-address>
    where <MAC-address> is the hardware address of the Ethernet device in the form AA:BB:CC:DD:EE:FF. This directive must be used in machines containing more than one NIC to ensure that the interfaces are assigned the correct device names regardless of the configured load order for each NIC's module.

    This directive is used in conjunction with the MASTER directive. Refer to Section 14.2.3, “Channel Bonding Interfaces” for more about channel bonding interfaces.

SRCADDR=<address>
    where <address> is the specified source IP address for outgoing packets.

USERCTL=<answer>
    where <answer> is one of the following:

    •...

The racoon IKEv1 key management daemon negotiates and configures a set of parameters for IPSec. It can use preshared keys, RSA signatures, or GSS-API. If racoon is used to automatically manage key encryption, the following options are required:

IKE_METHOD=<encryption-method>...

    DEVICE=eth<N>
    BOOTPROTO=none
    ONBOOT=yes
    MASTER=bond0
    SLAVE=yes
    USERCTL=no

In this example, replace <N> with the numerical value for the interface.

For a channel bonding interface to be valid, the kernel module must be loaded. To ensure that the module is loaded when the channel bonding interface is brought up, add the following line to /etc/modprobe.conf:

    alias bond<N>...

    BOOTPROTO=dhcp

Since the default value for the USERCTL directive is no if it is not specified, users cannot bring this interface up and down. To give users the ability to control the interface, create a clone by copying ifcfg-eth0 to ifcfg-eth0-user and add the following line to ifcfg-eth0-user:

    USERCTL=yes

This way a user can bring up the eth0 interface using the /sbin/ifup eth0-user command...

DEMAND=<answer>
    where <answer> is one of the following:

    • yes — This interface allows pppd to initiate a connection when someone attempts to use it.
    • no — A connection must be manually established for this interface.

IDLETIMEOUT=<value>
    where <value>...

ifcfg-lo
    A local loopback interface is often used in testing, as well as being used in a variety of applications that require an IP address pointing back to the same system. Any data sent to the loopback device is immediately returned to the host's network layer.
ifup-aliases
    Configures IP aliases from interface configuration files when more than one IP address is associated with an interface.

ifup-ippp and ifdown-ippp
    Brings ISDN interfaces up and down.

ifup-ipsec and ifdown-ipsec
    Brings IPsec interfaces up and down.

ifup-ipv6 and ifdown-ipv6
    Brings IPv6 interfaces up and down.

Here, <action> can be either start, stop, or restart.

To view a list of configured devices and currently active network interfaces, use the following command:

    /sbin/service network status

14.4. Configuring Static Routes

Routing will be configured on routing devices, therefore it should not be necessary to configure static routes on Red Hat Enterprise Linux servers or clients.
subnet. The example machine has an eth0 interface in the 192.168.0.0/24 subnet, and an eth1 interface (10.10.10.1) in the 10.10.10.0/24 subnet:

    10.10.10.0/24 via 10.10.10.1 dev eth1

Duplicate Default Gateways

If the default gateway is already assigned from DHCP, the IP command arguments format can cause one of two errors during start-up, or when bringing up an interface from the down state using the ifup command:

    "RTNETLINK answers: File exists"...

    ADDRESS0=10.10.10.0
    NETMASK0=255.255.255.0
    GATEWAY0=10.10.10.1

DHCP should assign these settings automatically, therefore it should not be necessary to configure static routes on Red Hat Enterprise Linux servers or clients.

14.5. Network Function Files

Red Hat Enterprise Linux makes use of several files that contain important common functions used to bring interfaces up and down.
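The two route-<interface> formats above describe the same route, and the "File exists" error arises when the IP-command format adds a default route that DHCP has already installed. The following Python is an added example, not from the Deployment Guide: it parses both formats (constructed files based on the eth1 example above) into one representation, shows that they agree, and picks out the static default route that would collide with a DHCP-assigned gateway before ifup trips over it.

```python
"""Normalise both /etc/sysconfig/network-scripts/route-<interface> formats and
flag a static default route that duplicates the one DHCP installs.

Added example, not from the Deployment Guide. The two sample files are
constructed from the guide's example (eth1 = 10.10.10.1 in 10.10.10.0/24); the
extra default route in the first file is an assumption added to show the clash.
"""
import ipaddress

# "IP command arguments" format: each line is what would follow `ip route add`.
ROUTE_ETH1_IPCMD = """\
10.10.10.0/24 via 10.10.10.1 dev eth1
default via 192.168.0.1 dev eth0
"""

# "Network/netmask directives" format for the same first route.
ROUTE_ETH1_DIRECTIVES = """\
ADDRESS0=10.10.10.0
NETMASK0=255.255.255.0
GATEWAY0=10.10.10.1
"""

DEFAULT_NET = ipaddress.ip_network("0.0.0.0/0")


def parse_ip_command_format(text, file_dev):
    """Return (network, gateway, device) triples; a line without 'dev' belongs to the file's interface."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        dest = DEFAULT_NET if parts[0] == "default" else ipaddress.ip_network(parts[0], strict=False)
        gateway, dev = None, file_dev
        for key, value in zip(parts[1::2], parts[2::2]):  # "via X dev Y" pairs
            if key == "via":
                gateway = ipaddress.ip_address(value)
            elif key == "dev":
                dev = value
        routes.append((dest, gateway, dev))
    return routes


def parse_directive_format(text, file_dev):
    """ADDRESSn/NETMASKn/GATEWAYn triples, numbered from 0 without gaps (as ifup-routes reads them)."""
    values = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    routes, n = [], 0
    while f"ADDRESS{n}" in values:
        dest = ipaddress.ip_network(f"{values[f'ADDRESS{n}']}/{values[f'NETMASK{n}']}", strict=False)
        gateway = ipaddress.ip_address(values[f"GATEWAY{n}"]) if f"GATEWAY{n}" in values else None
        routes.append((dest, gateway, file_dev))
        n += 1
    return routes


def to_ip_command(route):
    """Render a route triple back into the `ip route add` argument form."""
    dest, gateway, dev = route
    target = "default" if dest == DEFAULT_NET else str(dest)
    via = f" via {gateway}" if gateway is not None else ""
    return f"{target}{via} dev {dev}"


def static_default_routes(routes):
    """Default routes in a static route file.

    When DHCP already assigned a default gateway, `ip route add default ...`
    for any of these fails with "RTNETLINK answers: File exists"; that is the
    clash the guide warns about.
    """
    return [r for r in routes if r[0] == DEFAULT_NET]


if __name__ == "__main__":
    ipcmd = parse_ip_command_format(ROUTE_ETH1_IPCMD, "eth1")
    directives = parse_directive_format(ROUTE_ETH1_DIRECTIVES, "eth1")
    print("same first route:", ipcmd[0] == directives[0])
    for r in static_default_routes(ipcmd):
        print("would clash with a DHCP default gateway:", to_ip_command(r))
```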
Chapter 15. Network Configuration

To communicate with each other, computers must have a network connection. This is accomplished by having the operating system recognize an interface card (such as Ethernet, ISDN modem, or token ring) and configuring the interface to connect to the network. The Network Administration Tool can be used to configure the following types of network interfaces:

•...
Figure 15.1. Network Administration Tool

Use the Red Hat Hardware Compatibility List (http://hardware.redhat.com/hcl/) to determine if Red Hat Enterprise Linux supports your hardware device.

15.1. Overview

To configure a network connection with the Network Administration Tool, perform the following steps:

1.

This chapter discusses each of these steps for each type of network connection.

15.2. Establishing an Ethernet Connection

To establish an Ethernet connection, you need a network interface card (NIC), a network cable (usually a CAT5 cable), and a network to connect to. Different networks are configured to use different network speeds;...
Figure 15.2. Ethernet Settings

After configuring the Ethernet device, it appears in the device list as shown in Figure 15.3, “Ethernet Device”.
Figure 15.3. Ethernet Device

Be sure to select File > Save to save the changes.

After adding the Ethernet device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, when the device is added, it is configured to start at boot time by default.

15.3. Establishing an ISDN Connection

An ISDN connection is an Internet connection established with an ISDN modem card through a special phone line installed by the phone company. ISDN connections are popular in Europe.

To add an ISDN connection, follow these steps:

1.

After adding the ISDN device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, when the device is added, it is configured not to start at boot time by default.
2. Click the New button on the toolbar.
3. Select Modem connection from the Device Type list, and click Forward.
4. If there is a modem already configured in the hardware list (on the Hardware tab), the Network Administration Tool assumes you want to use it to establish a modem connection.

Figure 15.7. Modem Device

Be sure to select File > Save to save the changes.

After adding the modem device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, when the device is added, it is configured not to start at boot time by default.
Some DSL providers require that the system is configured to obtain an IP address through DHCP with an Ethernet card. Some DSL providers require you to configure a PPPoE (Point-to-Point Protocol over Ethernet) connection with an Ethernet card. Ask your DSL provider which method to use.

Section 15.2, “Establishing an Ethernet Connection”...
Note

The installation program detects supported Ethernet devices and prompts you to configure them. If you configured any Ethernet devices during the installation, they are displayed in the hardware list on the Hardware tab.

Figure 15.9. xDSL Settings

5.
7. After configuring the DSL connection, it appears in the device list as shown in Figure 15.10, “xDSL Device”.

Figure 15.10. xDSL Device

8. After adding the xDSL connection, you can edit its configuration by selecting the device from the device list and clicking Edit.
Figure 15.11. xDSL Configuration

For example, when the device is added, it is configured not to start at boot time by default. Edit its configuration to modify this setting. Click OK when finished.

9. Once you are satisfied with your xDSL connection settings, select File > Save to save the changes.
Figure 15.12. xDSL Configuration - Provider Tab

3. Click the T-Online Account Setup button. This will open the Account Setup window for your T-Online account as shown in Figure 15.13, “Account Setup”.

Figure 15.13. Account Setup

4. Enter your Adapter identifier, Associated T-Online number, Concurrent user number/suffix, and Personal password. Click OK when finished to close the Account Setup window.
5. On the xDSL Configuration window, click OK. Be sure to select File > Save from the Network Administration Tool to save the changes.
4. If you have already added the token ring card to the hardware list, select it from the Tokenring card list. Otherwise, select Other Tokenring Card to add the hardware device.
5. If you selected Other Tokenring Card, the Select Token Ring Adapter window as shown in Figure 15.14, “Token Ring Settings”...

Figure 15.15. Token Ring Device

Be sure to select File > Save to save the changes.

After adding the device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, you can configure whether the device is started at boot time.

When the device is added, it is not activated immediately, as seen by its Inactive status.
2. Click the New button on the toolbar.
3. Select Wireless connection from the Device Type list and click Forward.
4. If you have already added the wireless network interface card to the hardware list, select it from the Wireless card list.
Figure 15.16. Wireless Settings

7. On the Configure Network Settings page, choose between DHCP and static IP address. You may specify a hostname for the device. If the device receives a dynamic IP address each time the network is started, do not specify a hostname.

Figure 15.17. Wireless Device

Be sure to select File > Save to save the changes.

After adding the wireless device, you can edit its configuration by selecting the device from the device list and clicking Edit. For example, you can configure the device to activate at boot time.

When the device is added, it is not activated immediately, as seen by its Inactive status.

Figure 15.18. DNS Configuration

Note

The name servers section does not configure the system to be a name server. Instead, it configures which name servers to use when resolving IP addresses to hostnames and vice-versa.

Warning

If the hostname is changed and system-config-network is started on the local host, you may not be able to start another X11 application.
When your system tries to resolve a hostname to an IP address or tries to determine the hostname for an IP address, it refers to the /etc/hosts file before using the name servers (if you are using the default Red Hat Enterprise Linux configuration).

To change lookup order, edit the /etc/host.conf file. The line order hosts, bind specifies that /etc/hosts takes precedence over the name servers. Changing the line to order bind, hosts configures the system to resolve hostnames and IP addresses using the name servers first.
Figure 15.20. Office Profile

Notice that the Home profile as shown in Figure 15.21, “Home Profile” activates the eth0_home logical device, which is associated with eth0.
Figure 15.21. Home Profile

You can also configure eth0 to activate in the Office profile only and to activate a PPP (modem) device in the Home profile only. Another example is to have the Common profile activate eth0 and an Away profile activate a PPP device for use while traveling.

    kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 \
        netprofile=<profilename> \
        rhgb quiet
    initrd /initrd-2.6.9-5.EL.img

To switch profiles after the system has booted, go to Applications (the main menu on the panel) > System Tools > Network Device Control (or type the command system-control-network) to select a profile and activate it.
Device Aliases Figure 15.22. Network Device Alias Example Select the alias and click the Activate button to activate the alias. If you have configured multiple profiles, select which profiles in which to include it. To verify that the alias has been activated, use the command /sbin/ifconfig. The output should show the device and the device alias with different IP addresses: eth0 Link encap:Ethernet...
Chapter 15. Network Configuration RX packets:5998 errors:0 dropped:0 overruns:0 frame:0 TX packets:5998 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1627579 (1.5 Mb) TX bytes:1627579 (1.5 Mb) 15.12. Saving and Restoring the Network Configuration The command line version of Network Administration Tool can be used to save the system's network configuration to a file.
Chapter 16. Controlling Access to Services Maintaining security on your system is extremely important, and one approach for this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example, httpd if you are running a Web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
Chapter 16. Controlling Access to Services when configuring a new service is neglecting to implement the necessary firewall configuration and SELinux policies to allow access for it. Refer to Section 43.8.2, “Basic Firewall Configuration” for more information. 16.1. Runlevels Before you can configure access to services, you must understand Linux runlevels. A runlevel is a state, or mode, that is defined by the services listed in the directory /etc/rc.d/rc<x>.d, where <x>...
Services Configuration Tool to start special-purpose servers. xinetd can also be used to grant or deny access to particular hosts, provide service access at specific times, limit the rate of incoming connections, limit the load created by connections, and more. xinetd runs constantly and listens on all ports for the services it manages.
Chapter 16. Controlling Access to Services Figure 16.1. Services Configuration Tool The Services Configuration Tool displays the current runlevel as well as the runlevel you are currently editing. To edit a different runlevel, select Edit Runlevel from the pulldown menu and select the runlevel to edit. Refer to Section 16.1, “Runlevels”...
ntsysv xinetd is also configured to remember the setting. You can enable/disable multiple xinetd services at a time and save the changes when you are finished. For example, assume you check rsync to enable it in runlevel 3 and then save the changes. The rsync service is immediately enabled.
Chapter 16. Controlling Access to Services Figure 16.2. The ntsysv utility Warning Services managed by xinetd are immediately affected by ntsysv. For all other services, changes do not take effect immediately. You must stop or start the individual service with the command service <daemon>...
chkconfig 16.5. chkconfig The chkconfig command can also be used to activate and deactivate services. The chkconfig --list command displays a list of system services and whether they are started (on) or stopped (off) in runlevels 0-6. At the end of the list is a section for the services managed by xinetd. If the chkconfig --list command is used to query a service managed by xinetd, it displays whether the xinetd service is enabled (on) or disabled (off).
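Turning off services you do not need, as this chapter recommends, is only useful if you can tell at a glance what is still enabled. The following script is an added example and is not part of the Red Hat guide: it parses the output format of chkconfig --list (both the runlevel table and the trailing xinetd section) and reports every service that is enabled in runlevel 3 or 5, or through xinetd, but is not on an administrator's allow-list. The sample output and the ALLOWED set are constructed placeholders; on a real host you would feed it the output of the command and your own policy.

```python
"""Audit chkconfig --list output for services enabled in the default
runlevels.  Added example (not from the Red Hat guide); the sample output
below is constructed to mimic the chkconfig format and the allow-list is a
placeholder that an administrator would replace."""
import re

# Constructed sample of chkconfig --list output (not captured from a real host).
SAMPLE_CHKCONFIG = """\
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
telnet-server   0:off   1:off   2:off   3:on    4:off   5:on    6:off
xinetd based services:
        rsync:          on
        telnet:         on
        tftp:           off
"""

# Services an administrator expects to be enabled (placeholder policy).
ALLOWED = {"crond", "sshd"}

RUNLEVEL_RE = re.compile(r"^(\S+)\s+((?:\d:(?:on|off)\s*)+)$")
XINETD_RE = re.compile(r"^\s+(\S+):\s+(on|off)$")


def parse_chkconfig(text):
    """Return ({service: {runlevel: bool}}, {xinetd_service: bool})."""
    sysv, xinetd = {}, {}
    in_xinetd = False
    for line in text.splitlines():
        if line.startswith("xinetd based services"):
            in_xinetd = True      # everything after this header is xinetd-managed
            continue
        if in_xinetd:
            m = XINETD_RE.match(line)
            if m:
                xinetd[m.group(1)] = m.group(2) == "on"
            continue
        m = RUNLEVEL_RE.match(line)
        if m:
            levels = re.findall(r"(\d):(on|off)", m.group(2))
            sysv[m.group(1)] = {int(k): v == "on" for k, v in levels}
    return sysv, xinetd


def unexpected_services(text, allowed=ALLOWED, runlevels=(3, 5)):
    """Services enabled in the given runlevels (or via xinetd) that are not
    on the allow-list, sorted by name."""
    sysv, xinetd = parse_chkconfig(text)
    found = {name for name, levels in sysv.items()
             if any(levels.get(rl) for rl in runlevels) and name not in allowed}
    found |= {name for name, on in xinetd.items() if on and name not in allowed}
    return sorted(found)


if __name__ == "__main__":
    for name in unexpected_services(SAMPLE_CHKCONFIG):
        print("enabled but not allowed:", name)
```

Run it against live data with chkconfig --list piped into the script; xinetd-managed services are reported on the same footing as SysV ones because, as the text notes, they are reachable as soon as xinetd is running.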
Chapter 17. Berkeley Internet Name Domain (BIND) On most modern networks, including the Internet, users locate other computers by name. This frees users from the daunting task of remembering the numerical network address of network resources. The most effective way to configure a network to allow such name-based connections is to set up a Domain Name Service (DNS) or a nameserver, which resolves hostnames on the network to numerical addresses and vice versa.
Chapter 17. Berkeley Internet Name Domain (BIND) com, while sales is a sub-domain under example. The name furthest to the left, bob, identifies a specific machine hostname. Except for the hostname, each section is called a zone, which defines a specific namespace. A namespace controls the naming of the sub-domains to its left.
/etc/named.conf Note If you have installed the bind-chroot package, the BIND service will run in the /var/named/chroot environment. All configuration files will be moved there. As such, named.conf will be located in /var/named/chroot/etc/named.conf, and so on. If you have installed the caching-nameserver package, the default configuration file is /etc/named.caching-nameserver.conf.
Chapter 17. Berkeley Internet Name Domain (BIND) • localhost — Matches any IP address in use by the local system • localnets — Matches any IP address on any network to which the local system is connected • none — Matches no IP addresses When used in conjunction with other statements (such as the options statement), acl statements can be very useful in preventing the misuse of a BIND nameserver.
Common Statement Types allow-recursion Similar to allow-query, this option applies to recursive queries. In the BIND version documented here, all hosts are allowed to perform recursive queries by default (BIND 9.4 and later restrict recursion to localhost and localnets unless configured otherwise). A nameserver that answers recursive queries from arbitrary hosts is an open resolver, which can be abused for cache poisoning and for DNS amplification attacks against third parties, so restrict this option to your own networks on any server reachable from the Internet. blackhole Specifies which hosts are not allowed to query the server. directory Specifies the named working directory if different from the default value, /var/named/. forwarders Specifies a list of valid IP addresses for nameservers where requests should be forwarded for resolution.
Chapter 17. Berkeley Internet Name Domain (BIND) root-delegation-only Turns on the enforcement of delegation properties in top-level domains (TLDs) and root zones with an optional exclude list. Delegation is the process of dividing a single zone into multiple subzones. In order to create a delegated zone, items known as NS records are used. NameServer records (delegation records) announce the authoritative nameservers for a particular zone.
Common Statement Types allow-query Specifies the clients that are allowed to request information about this zone. The default is to allow all query requests. allow-transfer Specifies the slave servers that are allowed to request a transfer of the zone's information. The default is to allow all transfer requests, which lets any host download the complete zone (a convenient reconnaissance step for an attacker); restrict it to the addresses of your slave servers, or set it to none on a server that has no slaves.
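The acl, allow-recursion and allow-transfer statements above are easy to get wrong by omission, because the weak behaviour is the default. The following script is an added example, not from the Red Hat guide or from BIND itself: a small brace-aware parser for the named.conf statement forms this chapter discusses, which flags an options block that enables recursion without a restrictive allow-recursion list and any master zone that can be transferred by anyone. The two configurations it checks are constructed; one shows the weak defaults, the other the same server hardened with acl statements. It treats a missing allow-recursion as open, which matches the default described in this chapter and is the conservative reading for newer releases.

```python
"""Audit a named.conf-style configuration for open recursion and
unrestricted zone transfers.  Added example, not from the Red Hat guide
or from BIND; both configurations below are constructed, and the parser
understands only the statement forms the chapter discusses."""
import re

# Constructed configuration with the weak defaults described in the text.
WEAK_CONF = """\
options {
    directory "/var/named";
    recursion yes;           // no allow-recursion: every host may recurse
};
zone "example.com" IN {
    type master;
    file "example.com.zone";    /* no allow-transfer: anyone may AXFR */
};
"""

# Constructed hardened configuration using acl statements.
HARDENED_CONF = """\
acl "trusted" { 192.168.0.0/24; localhost; localnets; };
acl "secondaries" { 192.168.0.2; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "trusted"; };
    allow-transfer { none; };
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { "secondaries"; };
};
"""


def _strip_comments(text):
    """Remove the three comment styles named accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _blocks(text, keyword):
    """Yield (name, body) for each `keyword ["name"] [IN] { body };`,
    matching braces so nested address lists stay inside the body."""
    pattern = re.compile(r'\b%s\b(?:\s+"?([^"{\s]+)"?)?(?:\s+IN)?\s*\{' % keyword)
    pos = 0
    while True:
        m = pattern.search(text, pos)
        if not m:
            return
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]
        pos = i


def _address_list(body, option):
    """Return the address-match list of `option { ... };` or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % option, body)
    if m is None:
        return None
    return [tok.strip().strip('"') for tok in m.group(1).split(";") if tok.strip()]


def audit(conf):
    """Return one finding string per weak setting found in `conf`."""
    text = _strip_comments(conf)
    findings = []
    global_transfer_open = True   # BIND's built-in default is allow-transfer { any; }
    for _, body in _blocks(text, "options"):
        recursion = re.search(r"\brecursion\s+(yes|no)\s*;", body)
        if recursion is None or recursion.group(1) == "yes":
            allowed = _address_list(body, "allow-recursion")
            if allowed is None or "any" in allowed:
                findings.append("options: recursion enabled without a restrictive "
                                "allow-recursion list (open resolver)")
        transfers = _address_list(body, "allow-transfer")
        global_transfer_open = transfers is None or "any" in transfers
        if global_transfer_open:
            findings.append("options: no global allow-transfer restriction")
    for name, body in _blocks(text, "zone"):
        if not re.search(r"\btype\s+master\s*;", body):
            continue
        transfers = _address_list(body, "allow-transfer")
        zone_open = global_transfer_open if transfers is None else "any" in transfers
        if zone_open:
            findings.append("zone %s: zone transfers (AXFR) allowed from any host" % name)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

A zone that omits allow-transfer inherits the global setting, which is why the zone check consults the options block first; the real test on a running server is still `dig @server example.com AXFR` from a host that should be refused.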
Chapter 17. Berkeley Internet Name Domain (BIND) • slave — Designates the nameserver as a slave server for this zone. Also specifies the IP address of the master nameserver for the zone. zone-statistics Configures named to keep statistics concerning this zone, writing them to either the default location (/var/named/named.stats) or the file listed in the statistics-file option in the Section 17.2.2, “Other Statement Types”...
Comment Tags • algorithm <algorithm-name> — The type of algorithm used, such as dsa or hmac-md5. • secret "<key-value>" — The shared secret, base64 encoded. It is not encrypted, so the file that contains it must be readable only by the users that need it. Refer to Section 17.4.2, “Configuring /etc/rndc.conf” for instructions on how to write a key statement. logging Allows for the use of multiple types of logs, called channels. By using the channel option within the logging statement, a customized type of log can be constructed —...
Chapter 17. Berkeley Internet Name Domain (BIND) • // — When placed at the beginning of a line, that line is ignored by named. • # — When placed at the beginning of a line, that line is ignored by named. •...
Zone File Resource Records Note The use of the $ORIGIN directive is unnecessary if the zone is specified in /etc/named.conf because the zone name is used as the value for the $ORIGIN directive by default. $TTL Sets the default Time to Live (TTL) value for the zone. This is the length of time, in seconds, that a zone resource record is valid.
Chapter 17. Berkeley Internet Name Domain (BIND)

    server1    IN    A        10.0.1.5
               IN    CNAME    server1

MX This refers to the Mail eXchange record, which tells where mail sent to a particular namespace controlled by this zone should go.

    IN    MX    <preference-value>    <email-server-name>

Here, the <preference-value> allows numerical ranking of the email servers for a namespace, giving preference to some email systems over others.
Zone File Resource Records

    <primary-name-server> <hostmaster-email> (
        <serial-number>
        <time-to-refresh>
        <time-to-retry>
        <time-to-expire>
        <minimum-TTL> )

The @ symbol places the $ORIGIN directive (or the zone's name, if the $ORIGIN directive is not set) as the namespace being defined by this SOA resource record. The hostname of the primary nameserver that is authoritative for this domain is the <primary-name-server>...
Chapter 17. Berkeley Internet Name Domain (BIND) The following example illustrates the form an SOA resource record might take when it is populated with real values.

    dns1.example.com. hostmaster.example.com. (
        2001062501  ; serial
        21600       ; refresh after 6 hours
        3600        ; retry after 1 hour
        604800      ;...
Reverse Name Resolution Zone Files The email servers configured with the MX records point to mail and mail2 via A records. Since the mail and mail2 names do not end in a trailing period (.), the $ORIGIN domain is placed after them, expanding them to mail.example.com and mail2.example.com.
Chapter 17. Berkeley Internet Name Domain (BIND)

    zone "1.0.10.in-addr.arpa" IN {
        type master;
        file "example.com.rr.zone";
        allow-update { none; };
    };

There is very little difference between this example and a standard zone statement, except for the zone name. Note that a reverse name resolution zone requires the first three octets of the IP address reversed followed by .in-addr.arpa.
Configuring /etc/rndc.conf In this case, the <key-value> uses the HMAC-MD5 algorithm. Use the following command to generate keys using the HMAC-MD5 algorithm:

    dnssec-keygen -a hmac-md5 -b <bit-length> -n HOST <key-file-name>

A key with at least a 256-bit length is a good idea. Current BIND releases also accept hmac-sha256 for rndc and TSIG keys, and the bundled rndc-confgen utility generates a key together with matching rndc.conf and named.conf fragments; prefer it over HMAC-MD5 where the installed version supports it. The actual key that should be placed in the <key- value>...
Chapter 17. Berkeley Internet Name Domain (BIND) For more information about the /etc/rndc.conf file, refer to the rndc.conf man page. 17.4.3. Command Line Options An rndc command takes the following form: rndc <options><command><command-options> When executing rndc on a properly configured localhost, the following commands are available: •...
DNS Protocol Enhancements All of the features mentioned are discussed in greater detail in the BIND 9 Administrator Reference Manual referenced in Section 17.7.1, “Installed Documentation”. 17.5.1. DNS Protocol Enhancements BIND supports Incremental Zone Transfers (IXFR), where a slave nameserver only downloads the updated portions of a zone modified on a master nameserver.
Chapter 17. Berkeley Internet Name Domain (BIND) 17.5.4. IP version 6 BIND version 9 supports name service in IP version 6 (IPv6) environments. Earlier editions of this guide referred to A6 zone records; that record type was moved to historic status (RFC 3363) and IPv6 addresses are published with AAAA records. If the network environment includes both IPv4 and IPv6 hosts, use the lwresd lightweight resolver daemon on all network clients. Note that lwresd was removed from BIND in release 9.12; on newer systems the stub resolver in the C library handles both address families directly.
Additional Resources 17.7. Additional Resources The following sources of information provide additional resources regarding BIND. 17.7.1. Installed Documentation BIND features a full range of installed documentation covering many different topics, each placed in its own subject directory. For each item below, replace <version-number> with the version of bind installed on the system: /usr/share/doc/bind-<version-number>/ This directory lists the most recent features.
• The home page of the BIND project containing information about current releases as well as a PDF version of the BIND 9 Administrator Reference Manual. • http://www.redhat.com/mirrors/LDP/HOWTO/DNS-HOWTO.html — Covers the use of BIND as a resolving, caching nameserver and the configuration of various zone files necessary to serve as the primary nameserver for a domain.
Chapter 18. OpenSSH SSH™ (or Secure SHell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, so an intruder sniffing the network cannot simply read passwords off the wire.
Chapter 18. OpenSSH between them. The attacker may intercept and keep the information, or alter the information and send it on to the intended recipient. This attack can be mounted through the use of a packet sniffer — a common network utility. •...
Authentication layer accomplishes this by handling the encryption and decryption of data, and by providing integrity protection of data packets as they are sent and received. The transport layer also provides compression, speeding the transfer of information. Once an SSH client contacts a server, key information is exchanged so that the two systems can correctly construct the transport layer.
Chapter 18. OpenSSH on its security model, and the client can choose the order of authentication methods to attempt from the available options. 18.3.3. Channels After a successful authentication over the SSH transport layer, multiple channels are opened via a technique called multiplexing.
Requiring SSH for Remote Connections It is also possible that the RSA host key has just been changed. If you want to keep the host keys generated for the system, backup the /etc/ssh/ssh_host*key* files and restore them after the reinstall. This process retains the system's identity, and when clients try to connect to the system after the reinstall, they will not receive the warning message.
Chapter 18. OpenSSH • ssh_host_rsa_key — The RSA private key used by the sshd daemon for version 2 of the SSH protocol. • ssh_host_rsa_key.pub — The RSA public key used by the sshd for version 2 of the SSH protocol. User-specific SSH configuration information is stored in the user's home directory within the ~/.ssh/ directory: •...
Using the scp Command The first time you ssh to a remote machine, you will see a message similar to the following: The authenticity of host 'penguin.example.net' can't be established. DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c. Are you sure you want to continue connecting (yes/no)? Type yes to continue.
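The fingerprint in the prompt above is the only thing standing between you and a man-in-the-middle on first contact, so it is worth knowing exactly what it is: a hash of the host's public key in SSH wire encoding. The following script is an added example, not part of the Red Hat guide or of OpenSSH: it builds the wire blob for an ssh-ed25519 host key, computes both the legacy MD5 colon-hex fingerprint shown in the prompt and the SHA256 base64 form that current OpenSSH prints, and compares a key line of the kind found in known_hosts against a fingerprint obtained out of band. The key material is a constructed dummy, not a real host key, and the host name is taken from the example above.

```python
"""Compute SSH host key fingerprints in the MD5 colon-hex format shown in
the guide and the SHA256 format used by current OpenSSH.  Added example,
not from the Red Hat guide or OpenSSH; the key below is a constructed
dummy, not a real host key."""
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_public_key):
    """Wire-format blob for an ssh-ed25519 public key (RFC 8709):
    string "ssh-ed25519" followed by the 32-byte key."""
    if len(raw_public_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_public_key)


def fingerprint_md5(blob):
    """Legacy format: 16 colon-separated hex bytes, as older OpenSSH printed."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    """Current format: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_key_line(line):
    """Parse a '.pub' or known_hosts-style line 'type base64 [comment]'
    and return the decoded blob, checking the type matches the blob."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    if blob[: 4 + len(key_type)] != _ssh_string(key_type.encode()):
        raise ValueError("key type does not match blob")
    return blob


def matches(blob, expected_fingerprint):
    """Compare a key against an out-of-band fingerprint in either format."""
    if expected_fingerprint.startswith("SHA256:"):
        return fingerprint_sha256(blob) == expected_fingerprint
    return fingerprint_md5(blob) == expected_fingerprint.lower()


# Constructed dummy key material (32 arbitrary bytes); not a real host key.
DUMMY_KEY = bytes(range(32))
DUMMY_LINE = ("ssh-ed25519 "
              + base64.b64encode(ed25519_blob(DUMMY_KEY)).decode()
              + " penguin.example.net")

if __name__ == "__main__":
    blob = parse_key_line(DUMMY_LINE)
    print("MD5   ", fingerprint_md5(blob))
    print("SHA256", fingerprint_sha256(blob))
```

To check a real server, obtain the fingerprint from its administrator (or from /etc/ssh/ssh_host_*_key.pub on the console) and compare it against the value ssh prints; `ssh-keygen -l -E md5 -f key.pub` reproduces the legacy format on current OpenSSH releases.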
Chapter 18. OpenSSH This will transfer the local file shadowman to /home/username/shadowman on penguin.example.net. Alternately, you can leave off the final shadowman in the scp command. The general syntax to transfer a remote file to the local system is as follows: scp username@tohostname:<remotefile>...
Port Forwarding 18.7.2. Port Forwarding SSH can secure otherwise insecure TCP/IP protocols via port forwarding. When using this technique, the SSH server becomes an encrypted conduit to the SSH client. Port forwarding works by mapping a local port on the client to a remote port on the server. SSH can map any port from the server to any port on the client;...
Chapter 18. OpenSSH System administrators concerned about port forwarding can disable this functionality on the server by setting AllowTcpForwarding no in /etc/ssh/sshd_config and restarting the sshd service. Note that a user who also has shell access can still relay traffic with other tools, so this setting limits what an account can reach through the server rather than eliminating it. 18.7.3. Generating Key Pairs If you do not want to enter your password every time you use ssh, scp, or sftp to connect to a remote machine, you can generate an authorization key pair.
Generating Key Pairs 4. Change the permissions of the authorized_keys file using the following command:

    chmod 644 ~/.ssh/authorized_keys

(chmod 600 is equally acceptable; what matters is that neither this file nor the ~/.ssh directory nor your home directory is writable by group or others, because sshd, with its default StrictModes yes, silently ignores an authorized_keys file whose permissions are too loose.) 5. If you are running GNOME or are running in a graphical desktop with GTK2+ libraries installed, refer to Section 18.7.3.4, “Configuring ssh-agent with a GUI”.
Chapter 18. OpenSSH 18.7.3.3. Generating an RSA Key Pair for Version 1.3 and 1.5 Use the following steps to generate an RSA key pair, which is used by version 1 of the SSH Protocol. If you are only connecting between systems that use DSA, you do not need an RSA version 1.3 or RSA version 1.5 key pair. SSH protocol version 1 has known cryptographic weaknesses and is disabled by default in modern OpenSSH releases (support was removed entirely in OpenSSH 7.6); generate such a key only if a legacy peer leaves you no alternative, and use protocol version 2 keys everywhere else.
Additional Resources you have both DSA and RSA key pairs configured, you will be prompted for both. From this point on, you should not be prompted for a password by ssh, scp, or sftp. 18.7.3.5. Configuring ssh-agent The ssh-agent can be used to store your passphrase so that you do not have to enter it each time you make a ssh or scp connection.
Chapter 19. Network File System (NFS) A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. This enables system administrators to consolidate resources onto centralized servers on the network. This chapter focuses on fundamental NFS concepts and supplemental information.
Chapter 19. Network File System (NFS) Important In order for NFS to work with a default installation of Red Hat Enterprise Linux with a firewall enabled, IPTables with the default TCP port 2049 must be configured. Without proper IPTables configuration, NFS does not function properly. The NFS initialization script and rpc.nfsd process now allow binding to any specified port during system start up.
NFS Client Configuration 19.2. NFS Client Configuration NFS shares are mounted on the client side using the mount command. The format of the command is as follows:

    mount -t <nfs-type> -o <options> <host>:</remote/export> </local/directory>

Replace <nfs-type> with either nfs for NFSv2 or NFSv3 servers, or nfs4 for NFSv4 servers. Replace <options>...
Chapter 19. Network File System (NFS) Replace <options> with a comma separated list of options for the NFS file system (refer to Section 19.4, “Common NFS Mount Options” for details). Refer to the fstab man page for additional information. 19.3. autofs One drawback to using /etc/fstab is that, regardless of how infrequently a user accesses the NFS mounted file system, the system must dedicate resources to keep the mounted file system in place.
autofs Configuration Proper use of the Name Service Switch (nsswitch) configuration. The Name Service Switch configuration file exists to provide a means of determining from where specific configuration data comes. The reason for this configuration is to allow administrators the flexibility of using the back-end database of choice, while maintaining a uniform software interface to access the data.
Chapter 19. Network File System (NFS) where: • <mount-point> is the autofs mount point. This can be a single directory name for an indirect mount or the full path of the mount point for direct mounts. Each direct and indirect map entry key (<mount-point>...
autofs Common Tasks

    automount: files nis

and the NIS auto.master map file contains the following:

    /home auto.home

Also assume the NIS auto.home map contains the following:

    beth    fileserver.example.com:/export/home/beth
    joe     fileserver.example.com:/export/home/joe
    *       fileserver.example.com:/export/home/&

and the file map /etc/auto.home does not exist. For the above example, let's assume that the client system needs to mount home directories from a different server.
Chapter 19. Network File System (NFS) The most recently established schema for storing automount maps in LDAP is described by rfc2307bis. To use this schema it is necessary to set it in the autofs configuration (/etc/sysconfig/autofs) by removing the comment characters from the schema definition. For example:

    DEFAULT_MAP_OBJECT_CLASS="automountMap"...
autofs Common Tasks

    # base <automountMapName=auto.home,dc=example,dc=com> with scope subtree
    # filter: (objectclass=automount)
    # requesting: ALL

    # foo, auto.home, example.com
    dn: automountKey=foo,automountMapName=auto.home,dc=example,dc=com
    objectClass: automount
    automountKey: foo
    automountInformation: filer.example.com:/export/foo

    # /, auto.home, example.com
    dn: automountKey=/,automountMapName=auto.home,dc=example,dc=com
    objectClass: automount
    automountKey: /
    automountInformation: filer.example.com:/export/&

19.3.3.3. Adapting Autofs v4 Maps To Autofs v5 v4 Multi-map entries Autofs version 4 introduced the notion of a multi-map entry in the master map.
Chapter 19. Network File System (NFS) In version 5, this is no longer the behaviour. Only the first master map found from the list of sources in nsswitch.conf is consulted. If it is desirable to merge the contents of multiple master maps, included maps can be used.
Starting and Stopping NFS version by the kernel and mount command. This option is not supported with NFSv4 and should not be used. • noacl — Turns off all ACL processing. This may be needed when interfacing with older versions of Red Hat Enterprise Linux, Red Hat Linux, or Solaris, since the most recent ACL technology is not compatible with older systems.
Chapter 19. Network File System (NFS) If the portmap service is running, then the nfs service can be started. To start an NFS server, as root type: /sbin/service nfs start Note nfslock also has to be started for both the NFS client and server to function properly. To start NFS locking as root type: /sbin/service nfslock start.
Exporting or Sharing NFS File Systems To use the NFS Server Configuration Tool, you must be running X Windows, have root privileges, and have the system-config-nfs RPM package installed. To start the application, click on System > Administration > Server Settings > NFS. You can also type the command system-config-nfs in a terminal.
Chapter 19. Network File System (NFS) • Basic permissions — Specify whether the directory should have read-only or read/write permissions. Figure 19.3. Add Share The General Options tab allows the following options to be configured: Figure 19.4. NFS General Options...
Exporting or Sharing NFS File Systems • Allow connections from port 1024 and higher — This corresponds to the insecure export option. By default (secure), the server only honours requests whose source port on the client is below 1024; on a Unix client only root can bind such a port, so the check ties each request to a privileged process on the client. Selecting this option lets any unprivileged user on the client host talk to the server directly with whatever UID they choose to claim, so enable it only for clients that genuinely cannot use a privileged port.
Chapter 19. Network File System (NFS) Figure 19.5. NFS User Access The User Access tab allows the following options to be configured: • Treat remote root user as local root — This corresponds to the no_root_squash export option. By default (root_squash), requests that arrive with user and group ID 0 are mapped to the anonymous user (nfsnobody), so that root on a client cannot act as root on the exported file system; enabling this option removes that mapping and should be reserved for clients you trust completely. By default, the user and group IDs of the root user are both 0.
Command Line Configuration The NFS Server Configuration Tool reads and writes directly to the /etc/exports configuration file. Thus, the file can be modified manually after using the tool, and the tool can be used after modifying the file manually (provided the file was modified with correct syntax). The rest of this section discusses manually editing /etc/exports and using the /usr/sbin/exportfs command to export NFS file systems.
Chapter 19. Network File System (NFS)

    /sbin/service nfs reload

19.6.3. Running NFS Behind a Firewall Because NFS requires portmap, which dynamically assigns ports for RPC services and can cause problems for configuring firewall rules, you can edit the /etc/sysconfig/nfs configuration file to control which ports the required RPC services run on. Refer to Section 28.1.22, “/etc/...
The /etc/exports Configuration File • wildcards — Where a * or ? character is used to take into account a grouping of fully qualified domain names that match a particular string of letters. Wildcards should not be used with IP addresses;...
Chapter 19. Network File System (NFS) /another/exported/directory 192.168.0.3(rw,sync) In this example 192.168.0.3 can mount /another/exported/directory/ read/write and all transfers to disk are committed to the disk before the write request by the client is completed. Additionally, other options are available where no default value is specified. These include the ability to disable sub-tree checking, allow access from insecure ports, and allow insecure file locks (necessary for certain early NFS client implementations).
The exportfs Command formatted in the same way they are specified in /etc/exports. Refer to Section 19.7, “The /etc/exports Configuration File” for more information on /etc/exports syntax. This option is often used to test an exported file system before adding it permanently to the list of file systems to be exported.
Chapter 19. Network File System (NFS)

    /home *(rw,fsid=0,sync)

Using NFS version 2, 3 and 4 the following would work:

    mount server:/home /mnt/home
    ls /mnt/home/joe

Using v4 the following would work:

    mount -t nfs4 server:/ /mnt/home
    ls /mnt/home/joe

The difference being "server:/home" and "server:/". To make the exports configuration compatible with all versions, one needs to export (read only) the root filesystem with an fsid=0.
File Permissions to mount the NFS share, since no username or password information is exchanged to provide additional security for the NFS mount. Wildcards should be used sparingly when exporting directories via NFS as it is possible for the scope of the wildcard to encompass more systems than intended.
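Because an NFS export's only access control is the client list and its options, the mistakes this chapter warns about (wildcards, no_root_squash, insecure, writable exports to everyone) are worth catching before exportfs publishes them. The following script is an added example and not part of the Red Hat guide: it parses the /etc/exports format described in the preceding sections and reports each risky entry, including the classic typo of a space between the client and its options, which exportfs interprets as read-only for the named client and the parenthesised options for every host. The exports file it reads is constructed.

```python
"""Audit /etc/exports for the risky settings this chapter warns about:
wildcard clients, writable exports to broad client sets, no_root_squash,
insecure, and the stray-space mistake that exports to everyone.  Added
example, not from the Red Hat guide; the exports file below is constructed."""
import re

SAMPLE_EXPORTS = """\
# constructed sample, not a real /etc/exports
/exported/directory     bob.example.com(rw,sync)
/another/exported/dir   192.168.0.3(rw,sync)
/data                   *.example.com(rw,no_root_squash)
/backup                 192.168.0.0/24 (rw)
/home                   *(rw,fsid=0,sync,insecure)
"""

# A client token is "host" or "host(opt,opt)"; "(opt)" alone has an empty host.
CLIENT_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Return [(path, [(client, [options])])].  A client of '' means the
    options stood alone, which exportfs applies to every host."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for token in rest.split():
            m = CLIENT_RE.match(token)
            if m is None:
                raise ValueError("cannot parse export client %r" % token)
            options = m.group(2).split(",") if m.group(2) else []
            clients.append((m.group(1), options))
        exports.append((path, clients))
    return exports


def _is_broad(client):
    """Everyone, or a wildcard pattern that may match more than intended."""
    return client in ("", "*") or any(c in client for c in "*?")


def audit_exports(text):
    """Return one finding string per problem found in an /etc/exports text."""
    findings = []
    for path, clients in parse_exports(text):
        for client, options in clients:
            where = "%s %s" % (path, client or "<no client>")
            if client == "":
                findings.append("%s: options without a client (stray space "
                                "before '(') export to every host" % where)
            elif any(c in client for c in "*?"):
                findings.append("%s: wildcard client" % where)
            if "no_root_squash" in options:
                findings.append("%s: remote root is not squashed" % where)
            if "insecure" in options:
                findings.append("%s: requests accepted from unprivileged "
                                "client ports" % where)
            if "rw" in options and _is_broad(client):
                findings.append("%s: writable export to a broad client set" % where)
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run it with the real file piped in (cat /etc/exports | python3 audit_exports.py, after adapting the main block to read stdin); the /backup line in the sample is the one that looks harmless and is not, because "(rw)" with nothing in front of it applies to every client.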
Chapter 19. Network File System (NFS) 19.9. NFS and portmap Note The following section only applies to NFSv2 or NFSv3 implementations that require the portmap service for backward compatibility. The portmapper maps RPC services to the ports they are listening on. RPC processes notify portmap when they start, registering the ports they are listening on and the RPC program numbers they expect to serve.
Using NFS over TCP

    100005 mountd
    100005 mountd
    100005 mountd
    100005 mountd
    100005 mountd

If one of the NFS services does not start up correctly, portmap is unable to map RPC requests from clients for that service to the correct port. In many cases, if NFS is not present in rpcinfo output, restarting NFS causes the service to correctly register with portmap and begin working.
Chapter 19. Network File System (NFS) UDP, since it's connection-less, the client continues to pound the network with data until the server reestablishes a connection. The main disadvantage is that there is a very small performance hit due to the overhead associated with the TCP protocol.
Chapter 20. Samba Samba is an open source implementation of the Server Message Block (SMB) protocol. It allows the networking of Microsoft Windows®, Linux, UNIX, and other operating systems together, enabling access to Windows-based file and printer shares. Samba's use of SMB allows it to appear as a Windows server to Windows clients.
Chapter 20. Samba 20.2.1. Samba Daemons Samba is comprised of three daemons (smbd, nmbd, and winbindd). Two services (smb and winbind) control how the daemons are started, stopped, and other service-related features. Each daemon is listed in detail, as well as which specific service has control over it. smbd The smbd server daemon provides file sharing and printing services to Windows clients.
Connecting to a Samba Share Figure 20.1. SMB Workgroups in Nautilus Double-click one of the workgroup icons to view a list of computers within the workgroup.
Chapter 20. Samba Figure 20.2. SMB Machines in Nautilus As you can see from Figure 20.2, “SMB Machines in Nautilus”, there is an icon for each machine within the workgroup. Double-click on an icon to view the Samba shares on the machine. If a username and password combination is required, you are prompted for them.
Mounting the Share with your username. If the -U switch is not used, the username of the current user is passed to the Samba server. To exit smbclient, type exit at the smb:\> prompt. 20.3.2. Mounting the Share Sometimes it is useful to mount a Samba share to a directory so that the files in the directory can be treated as if they are part of the local file system.
Chapter 20. Samba Figure 20.3. Samba Server Configuration Tool Note The Samba Server Configuration Tool does not display shared printers or the default stanza that allows users to view their own home directories on the Samba server. 20.4.1.1. Configuring Server Settings The first step in configuring a Samba server is to configure the basic settings for the server and a few security options.
Graphical Configuration Figure 20.5. Configuring Security Server Settings The Security tab contains the following options: • Authentication Mode — This corresponds to the security option. Select one of the following types of authentication. • ADS — The Samba server acts as a domain member in an Active Directory Domain (ADS) realm.
Chapter 20. Samba • Share — Samba users do not have to enter a username and password combination on a per Samba server basis. They are not prompted for a username and password until they try to connect to a specific shared directory from a Samba server. •...
Graphical Configuration To add a Samba user, select Preferences > Samba Users from the pulldown menu, and click the Add User button. In the Create New Samba User window select a Unix Username from the list of existing users on the local system. If the user has a different username on a Windows machine and needs to log into the Samba server from the Windows machine, specify that Windows username in the Windows Username field.
Chapter 20. Samba • Writable — Enables users to read and write to the shared directory • Visible — Lists the share in the browse list that Windows clients see (the browseable option). It grants no access by itself: an unlisted share can still be opened by anyone who knows its name, so use the Access tab, not this setting, to control who may connect. On the Access tab, select whether to allow only specified users to access the share or whether to allow all Samba users to access the share.
Samba Server Types and the smb.conf File Important To set up a domain member server, you must first join the domain or Active Directory using the net join command before starting the smb service. To stop the server, type the following command in a shell prompt while logged in as root: /sbin/service smb stop The restart option is a quick way of stopping and then starting Samba.
Chapter 20. Samba The following sections describe the different ways a Samba server can be configured. Keep in mind your needs and the changes required to the smb.conf file for a successful configuration. 20.6.1. Stand-alone Server A stand-alone server can be a workgroup server or a member of a workgroup environment. A stand-alone server is not a domain controller and does not participate in a domain in any way.
Stand-alone Server guest ok = Yes 20.6.1.3. Anonymous Print Server The following smb.conf file shows a sample configuration needed to implement an anonymous print server. Setting browseable to no as shown does not list the printer in Windows Network Neighborhood. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to DOCS_SRV using NetBIOS, the client can have access to the printer if the client is also part of the DOCS workgroup.
Chapter 20. Samba

    comment = All Printers
    path = /var/spool/samba
    printer admin = john, ed, @admins
    create mask = 0600
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    browseable = Yes

20.6.2. Domain Member Server A domain member, while similar to a stand-alone server, is logged into a domain controller (either Windows or Samba) and is subject to the domain's security rules.
Domain Member Server For information on Kerberos, the /etc/krb5.conf file, and the kinit command, refer to Section 43.6, “Kerberos”. To join an Active Directory server (windows1.example.com), type the following command as root on the member server:

    net ads join -S windows1.example.com -U administrator%password

Passing the password after % on the command line, as shown, exposes it in the process list and in the root shell history; in practice give only -U administrator and let net prompt for the password. Since the machine windows1 was automatically found in the corresponding Kerberos realm (the kinit command succeeded), the net command connects to the Active Directory server using its required administrator account and password.
Chapter 20. Samba Important After configuring the smb.conf file, join the domain before starting Samba by typing the following command as root:

    net rpc join -U administrator%password

(As with net ads join, omit %password and answer the prompt instead of leaving the domain administrator's password in the shell history.) Note that the -S option, which specifies the domain server hostname, does not need to be stated in the net rpc join command.
Samba Security Modes

    # Set per user paths with pdbedit
    logon drive = H:
    domain logons = Yes
    os level = 35
    preferred master = Yes
    domain master = Yes

    [homes]
    comment = Home Directories
    valid users = %S
    read only = No

    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon/scripts...
Chapter 20. Samba

    [GLOBAL]
    security = user

The following sections describe other implementations of user-level security. 20.7.1.1. Domain Security Mode (User-Level Security) In domain security mode, the Samba server has a machine account (domain security trust account) and causes all authentication requests to be passed through to the domain controllers. The Samba server is made into a domain member server by using the following directives in smb.conf:

    [GLOBAL]
    security = domain...
Share-Level Security 20.7.2. Share-Level Security With share-level security, the server accepts only a password without an explicit username from the client. The server expects a password for each share, independent of the username. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. Share-level security (security = share) was removed in Samba 4.0; current releases no longer accept it, and even on the older versions documented here it should be avoided in favour of user-level security, which ties every access to an authenticated account.
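The security modes above, the guest-accessible shares in the stand-alone examples, and the security = SHARE line that testparm prints later in this chapter are all things you want to notice in an smb.conf before the server goes live. The following script is an added example, not from the Red Hat guide or the Samba project: it loads an smb.conf with Python's configparser (the file is INI-style, with case-insensitive section and option names) and reports share-level security, the absence of a hosts allow restriction, and any share that combines guest ok with write access. Both configurations it checks are constructed; the hardened one uses the user-level settings this chapter recommends.

```python
"""Audit an smb.conf for the weak settings discussed in this chapter:
share-level security, guest access to writable shares, and no hosts allow
restriction.  Added example, not from the Red Hat guide or the Samba
project; both configurations below are constructed."""
import configparser

WEAK_SMB_CONF = """\
[global]
workgroup = DOCS
server string = Samba Server
security = share

[data]
path = /export
guest ok = Yes
writable = Yes

[printers]
path = /var/spool/samba
printable = Yes
guest ok = Yes
"""

HARDENED_SMB_CONF = """\
[global]
workgroup = DOCS
server string = Samba Server
security = user
map to guest = Never
hosts allow = 192.168.0. 127.

[data]
path = /export
valid users = @docs
read only = No
"""


def load_smb_conf(text):
    """Parse smb.conf text; option names are lower-cased by configparser."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       inline_comment_prefixes=(";", "#"))
    parser.read_string(text)
    return parser


def _yes(value):
    """Samba accepts yes/true/1 (any case) for boolean parameters."""
    return str(value).strip().lower() in ("yes", "true", "1")


def _section(conf, wanted):
    """Section names are case-insensitive in smb.conf ([GLOBAL] == [global])."""
    for name in conf.sections():
        if name.lower() == wanted.lower():
            return conf[name]
    return None


def _writable(section):
    """True if clients may write: 'writable'/'write ok' = yes or 'read only' = no."""
    if "writable" in section or "write ok" in section:
        return _yes(section.get("writable", section.get("write ok", "no")))
    return "read only" in section and not _yes(section["read only"])


def audit_smb_conf(text):
    """Return one finding string per weak setting found in the configuration."""
    conf = load_smb_conf(text)
    findings = []
    g = _section(conf, "global")
    security = (g.get("security", "user") if g is not None else "user").strip().lower()
    if security == "share":
        findings.append("global: security = share (share-level security; removed in Samba 4.0)")
    if g is None or "hosts allow" not in g:
        findings.append("global: no 'hosts allow' restriction; any reachable host may connect")
    for name in conf.sections():
        if name.lower() == "global":
            continue
        s = conf[name]
        if _yes(s.get("guest ok", "no")) and _writable(s):
            findings.append("%s: guest access to a writable share" % name)
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(text) or ["no findings"])
```

The [printers] share in the weak configuration is not reported: guest printing to a spool directory is a deliberate choice in the anonymous print server example earlier in this chapter, and the share is not writable in the file-sharing sense. For anything more than these three checks, run testparm on the real file first so that Samba's own parser resolves synonyms and includes before you audit the result.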
Chapter 20. Samba The tdbsam backend is recommended for 250 users at most. Larger organizations should require Active Directory or LDAP integration due to scalability and possible network infrastructure concerns. ldapsam The ldapsam backend provides an optimal distributed account installation method for Samba. LDAP is optimal because of its ability to replicate its database to any number of servers using the OpenLDAP slurpd daemon (replaced by syncrepl in OpenLDAP 2.4; the scalability argument is unchanged).
WINS (Windows Internetworking Name Server) 20.9.2. WINS (Windows Internetworking Name Server) Either a Samba server or a Windows NT server can function as a WINS server. When a WINS server is used with NetBIOS enabled, UDP unicasts can be routed which allows name resolution across networks.
write list = ed, john printer admin = ed, john Other printing configurations are also possible. To add additional security and privacy for printing confidential documents, users can have their own print spooler not located in a public path. If a job fails, other users would not have access to the file.
Samba Distribution Programs Share name Type Description ---------- ---- ----------- data Disk Wakko data share Disk Wakko tmp share IPC$ IPC Service (Samba Server) ADMIN$ IPC Service (Samba Server) The following example displays a list of Samba users for a host named wakko: net -l user -S wakko root password: User name...
Logon time: Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT pdbedit -v -L kristin Unix username: kristin...
Samba Distribution Programs smbcontrol smbcontrol -i <options> smbcontrol <options> <destination> <messagetype> <parameters> The smbcontrol program sends control messages to running smbd or nmbd daemons. Executing smbcontrol -i runs commands interactively until a blank line or a 'q' is entered. smbpasswd smbpasswd <options>...
Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions <enter> # Global parameters [global] workgroup = MYGROUP server string = Samba Server security = SHARE log file = /var/log/samba/%m.log max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 dns proxy = No [homes]...
Useful Websites • Samba-3 by Example by John H. Terpstra; Prentice Hall — This is another official release issued by the Samba development team which discusses detailed examples of OpenLDAP, DNS, DHCP, and printing configuration files. This has step-by-step related information that helps in real-world implementations.
Chapter 21. Dynamic Host Configuration Protocol (DHCP) Dynamic Host Configuration Protocol (DHCP) is a network protocol that automatically assigns TCP/IP information to client machines. Each DHCP client connects to the centrally located DHCP server, which returns that client's network configuration (including the IP address, gateway, and DNS servers). 21.1.
Two DNS update schemes are currently implemented — the ad-hoc DNS update mode and the interim DHCP-DNS interaction draft update mode. If and when these two are accepted as part of the Internet Engineering Task Force (IETF) standards process, there will be a third mode — the standard DNS update method.
'test-lab' to describe all the subnets in a test lab environment. shared-network name { option domain-name "test.redhat.com"; option domain-name-servers ns1.redhat.com, ns2.redhat.com; option routers 192.168.0.254; more parameters for EXAMPLE shared-network subnet 192.168.1.0 netmask 255.255.252.0 { parameters for subnet range 192.168.1.1 192.168.1.254;...
option host-name "raleigh.example.com"; hardware ethernet 00:A1:DD:74:C3:F2; fixed-address 192.168.1.6; Example 21.3. Group Declaration To configure a DHCP server that leases a dynamic IP address to a system within a subnet, modify Example 21.4, “Range Parameter” with your values.
Lease Database For a complete list of option statements and what they do, refer to the dhcp-options man page. 21.2.2. Lease Database On the DHCP server, the file /var/lib/dhcpd/dhcpd.leases stores the DHCP client lease database. Do not change this file. DHCP lease information for each recently assigned IP address is automatically stored in the lease database.
(Be sure to check the Hardware Compatibility List at hardware.redhat.com/hcl/). If either the installation program or kudzu does not recognize the network card, you can load the correct kernel module (refer to Chapter 41, General Parameters and Modules for details).
Configuring a Multihomed DHCP Server scripts directory. In this directory, each device should have a configuration file named ifcfg-eth0, where eth0 is the network device name. The /etc/sysconfig/network file should contain the following line: NETWORKING=yes The NETWORKING variable must be set to yes if you want networking to start at boot time. The /etc/sysconfig/network-scripts/ifcfg-eth0 file should contain the following lines: DEVICE=eth0 BOOTPROTO=dhcp...
Before making any changes, back up the existing /etc/sysconfig/dhcpd and /etc/dhcpd.conf files. The DHCP daemon listens on all network interfaces unless otherwise specified. Use the /etc/sysconfig/dhcpd file to specify which network interfaces the DHCP daemon listens on. The following /etc/sysconfig/dhcpd example specifies that the DHCP daemon listens on the eth0 and eth1 interfaces: DHCPDARGS="eth0 eth1";...
Host Configuration dhcpd: Not configured to listen on any interfaces! option subnet-mask 255.255.255.0; The option subnet-mask option defines a subnet mask, and overrides the netmask value in the subnet declaration. In simple cases, the subnet and netmask values are the same. option routers 10.0.0.1;...
fixed-address 172.16.0.20; host example0 The host declaration defines specific parameters for a single system, such as an IP address. To configure specific parameters for multiple hosts, use multiple host declarations. Most DHCP clients ignore the name in host declarations, and as such, this name can be anything, as long as it is unique among the other host declarations.
Additional Resources • assign a valid fixed-address for the network the host is connecting to. • make the name in the host declaration unique. When a name given in a host declaration is not unique, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages: dhcpd: /etc/dhcpd.conf line 31: host interface0: already exists dhcpd: }...
Chapter 22. Apache HTTP Server The Apache HTTP Server is a robust, commercial-grade open source Web server developed by the Apache Software Foundation (http://www.apache.org/). Red Hat Enterprise Linux includes the Apache HTTP Server 2.2 as well as a number of server modules designed to enhance its functionality. The default configuration file installed with the Apache HTTP Server works without alteration for most situations.
22.2. Migrating Apache HTTP Server Configuration Files 22.2.1. Migrating Apache HTTP Server 2.0 Configuration Files This section outlines migration from version 2.0 to 2.2. If you are migrating from version 1.3, please refer to Section 22.2.2, “Migrating Apache HTTP Server 1.3 Configuration Files to 2.0”.
Migrating Apache HTTP Server 1.3 Configuration Files to 2.0 Finally, it is useful to know that the Apache HTTP Server has a testing mode to check for configuration errors. To access it, type the following command: apachectl configtest 22.2.2.1. Global Environment Configuration The global environment section of the configuration file contains directives which affect the overall operation of the Apache HTTP Server, such as the number of concurrent requests it can handle and the locations of the various files.
• MinSpareServers • MaxSpareServers • MaxClients • MaxRequestsPerChild The worker MPM implements a multi-process, multi-threaded server providing greater scalability. When using this MPM, requests are handled by threads, conserving system resources and allowing large numbers of requests to be served efficiently. Although some of the directives accepted by the worker MPM are the same as those accepted by the prefork MPM, the values for those directives should not be transferred directly from an Apache HTTP Server 1.3 installation.
Migrating Apache HTTP Server 1.3 Configuration Files to 2.0 Important If modifying the original file, note that it is of paramount importance that the httpd.conf contains the following directive: Include conf.d/*.conf Omission of this directive results in the failure of all modules packaged in their own RPMs (such as mod_perl, php, and mod_ssl).
UserDir public_html For more on this topic, refer to the following documentation on the Apache Software Foundation's website: • http://httpd.apache.org/docs-2.0/mod/mod_userdir.html#userdir 22.2.2.2.2. Logging The following logging directives have been removed: • AgentLog • RefererLog • RefererIgnore However, agent and referrer logs are still available using the CustomLog and LogFormat directives.
Migrating Apache HTTP Server 1.3 Configuration Files to 2.0 • http://httpd.apache.org/docs-2.0/mod/mod_negotiation.html#cachenegotiateddocs 22.2.2.2.5. Error Documents To use a hard-coded message with the ErrorDocument directive, the message should be enclosed in a pair of double quotation marks ", rather than just preceded by a double quotation mark as required in Apache HTTP Server 1.3.
document which is handled by a module that is now implemented as a filter, as each contains trailing path information after the true file name. The core module, which initially handles the request, does not by default understand PATH_INFO and returns 404 Not Found errors for requests that contain such information.
Migrating Apache HTTP Server 1.3 Configuration Files to 2.0 <VirtualHost _default_:443> # General setup for the virtual host ServerName ssl.host.name:443 ... </VirtualHost> It is also important to note that both the SSLLog and SSLLogLevel directives have been removed. ErrorLog The mod_ssl module now obeys the ErrorLog and LogLevel directives. Refer to LogLevel for more information about these directives.
• http://httpd.apache.org/docs-2.0/mod/mod_include.html 22.2.2.4.5. The mod_auth_dbm and mod_auth_db Modules Apache HTTP Server 1.3 supported two authentication modules, mod_auth_db and mod_auth_dbm, which used Berkeley Databases and DBM databases respectively. These modules have been combined into a single module named mod_auth_dbm in Apache HTTP Server 2.0, which can access several different database formats.
Migrating Apache HTTP Server 1.3 Configuration Files to 2.0 For more on this topic, refer to the following documentation on the Apache Software Foundation's website: • http://httpd.apache.org/docs-2.0/mod/mod_auth_dbm.html 22.2.2.4.6. The mod_perl Module The configuration for mod_perl has been moved from httpd.conf into the file /etc/httpd/conf.d/perl.conf.
For more on this topic, refer to the following URL for details concerning the global scope changes: • http://www.php.net/release_4_1_0.php 22.2.2.4.9. The mod_authz_ldap Module Red Hat Enterprise Linux ships with the mod_authz_ldap module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory.
Apache HTTP Server Configuration You can also stop httpd using /sbin/service httpd stop. The restart option is a shorthand way of stopping and then starting the Apache HTTP Server. You can restart the server as root by typing: apachectl restart /sbin/service httpd restart Apache will display a message on the console or in the ErrorLog if it encounters an error while starting.
changes and exit the program. If you want to add additional modules or configuration options that are not available in HTTP Configuration Tool, you cannot use this tool. The general steps for configuring the Apache HTTP Server using the HTTP Configuration Tool are as follows: 1.
Basic Settings Enter a fully qualified domain name that you have the right to use in the Server Name text area. This option corresponds to the ServerName directive in httpd.conf. The ServerName directive sets the hostname of the Web server. It is used when creating redirection URLs. If you do not define a server name, the Web server attempts to resolve it from the IP address of the system.
22.4.2. Default Settings After defining the Server Name, Webmaster email address, and Available Addresses, click the Virtual Hosts tab. The figure below illustrates the Virtual Hosts tab. Figure 22.3. Virtual Hosts Tab Clicking on Edit will display the Virtual Host Properties window from which you can set your preferred settings.
Default Settings Figure 22.4. General Options If you add a virtual host, the settings you configure for the virtual host take precedence for that virtual host. For a directive not defined within the virtual host settings, the default value is used. 22.4.2.1.
Figure 22.5. Site Configuration The entries listed in the Directory Page Search List define the DirectoryIndex directive. The DirectoryIndex is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.
Default Settings Use the Error Code section to configure Apache HTTP Server to redirect the client to a local or external URL in the event of a problem or error. This option corresponds to the ErrorDocument directive. If a problem or error occurs when a client tries to connect to the Apache HTTP Server, the default action is to display the short error message shown in the Error Code column.
• ExportCertData - creates CGI environment variables in SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_n where n is a number 0,1,2,3,4... These files are used for more certificate checks by CGI scripts. • CompatEnvVars - enables backward compatibility for Apache SSL by adding CGI environment variables.
Default Settings Figure 22.6. SSL 22.4.2.3. Logging Use the Logging tab to configure options for specific transfer and error logs. By default, the server writes the transfer log to the /var/log/httpd/access_log file and the error log to the /var/log/httpd/error_log file. The transfer log contains a list of all attempts to access the Web server.
Figure 22.7. Logging You can configure a custom log format by checking Use custom logging facilities and entering a custom log string in the Custom Log String field. This configures the LogFormat directive. Refer to http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#logformat for details on the format of this directive.
Default Settings Use the Log Level menu to set the verbosity of the error messages in the error logs. It can be set (from least verbose to most verbose) to emerg, alert, crit, error, warn, notice, info or debug. This option corresponds to the directive.
Figure 22.8. Environment Variables To remove an environment variable so that the value is not passed to CGI scripts and SSI pages, use the Unset for CGI Scripts section. Click Add in the Unset for CGI Scripts section, and enter the name of the environment variable to unset.
Default Settings 22.4.2.5. Directories Use the Directories page in the Performance tab to configure options for specific directories. This corresponds to the <Directory> directive. Figure 22.9. Directories Click the Edit button in the top right-hand corner to configure the Default Directory Options for all directories that are not specified in the Directory list below it.
• FollowSymLinks — Allow symbolic links to be followed. • Includes — Allow server-side includes. • IncludesNOEXEC — Allow server-side includes, but disable the #exec and #include commands in CGI scripts. • Indexes — Display a formatted list of the directory's contents, if no DirectoryIndex (such as index.html) exists in the requested directory.
Configuration Directives in httpd.conf Figure 22.10. Directory Settings If you check the Let .htaccess files override directory options, the configuration directives in the .htaccess file take precedence. 22.5. Configuration Directives in httpd.conf The Apache HTTP Server configuration file is /etc/httpd/conf/httpd.conf. The httpd.conf file is well-commented and mostly self-explanatory.
Next look in the Web server's error log, /var/log/httpd/error_log. The error log may not be easy to interpret, depending on your level of expertise. However, the last entries in the error log should provide useful information. The following subsections contain a list of short descriptions for many of the directives included in httpd.conf.
General Configuration Tips AddIcon AddIcon specifies which icon to show in server generated directory listings for files with certain extensions. For example, the Web server is set to show the icon binary.gif for files with .bin or .exe extensions. AddIconByEncoding This directive names icons which are displayed by files with MIME encoding in server generated directory listings.
BrowserMatch The BrowserMatch directive allows the server to define environment variables and take appropriate actions based on the User-Agent HTTP header field — which identifies the client's Web browser type. By default, the Web server uses BrowserMatch to deny connections to specific browsers with known problems and also to disable keepalives and HTTP header flushes for browsers that are known to have problems with those actions.
General Configuration Tips remotehost rfc931 user date "request" status bytes referrer user-agent DefaultIcon DefaultIcon specifies the icon displayed in server generated directory listings for files which have no other icon specified. The unknown.gif image file is the default. DefaultType DefaultType sets a default content type for the Web server to use for documents whose MIME types cannot be determined.
When a user requests the page http://example/this_directory/, they get either the DirectoryIndex page, if it exists, or a server-generated directory list. The default for DirectoryIndex is index.html and the index.html.var type map. The server tries to find either of these files and returns the first one it finds.
General Configuration Tips This directive has been deprecated for the configuration of virtual hosts. By default, Group is set to apache. HeaderName HeaderName names the file which, if it exists in the directory, is prepended to the start of server generated directory listings.
Include conf.d/*.conf IndexIgnore IndexIgnore lists file extensions, partial file names, wildcard expressions, or full file names. The Web server does not include any files which match any of those parameters in server generated directory listings. IndexOptions IndexOptions controls the appearance of server generated directory listings, by adding icons, file descriptions, and so on.
General Configuration Tips LanguagePriority LanguagePriority sets precedence for different languages in case the client Web browser has no language preference set. Listen The Listen command identifies the ports on which the Web server accepts incoming requests. By default, the Apache HTTP Server is set to listen to port 80 for non-secure Web communications and (in the /etc/httpd/conf.d/ssl.conf file which defines any secure servers) to port 443 for secure Web communications.
The following are the format options if the CustomLog directive is set to combined: %h (remote host's IP address or hostname) Lists the remote IP address of the requesting client. If HostnameLookups is set to on, the client hostname is recorded unless it is not available from DNS.
General Configuration Tips To enable name-based virtual hosting, uncomment the NameVirtualHost configuration directive and add the correct IP address. Then add additional VirtualHost containers for each virtual host as is necessary for your configuration. Options The Options directive controls which server features are available in a particular directory. For example, under the restrictive parameters specified for the root directory, Options is only set to the FollowSymLinks directive.
Redirect When a webpage is moved, Redirect can be used to map the file location to a new URL. The format is as follows: Redirect /<old-path>/<file-name> http://<current-domain>/<current-path>/<file-name> In this example, replace <old-path> with the old path information for <file-name> and <current-domain>...
General Configuration Tips ServerName www.example.com:80 When specifying a ServerName, be sure the IP address and server name pair are included in the /etc/hosts file. ServerRoot The ServerRoot directive specifies the top-level directory containing website content. By default, ServerRoot is set to "/etc/httpd" for both secure and non-secure servers. ServerSignature The ServerSignature directive adds a line containing the Apache HTTP Server server version and the ServerName to any server-generated documents, such as error messages sent back to clients.
TypesConfig TypesConfig names the file which sets the default list of MIME type mappings (file name extensions to content types). The default TypesConfig file is /etc/mime.types. Instead of editing /etc/mime.types, the recommended way to add MIME type mappings is to use the AddType directive. For more information about AddType, refer to AddType.
Configuration Directives for SSL public_html directories (0755 also works). Files that are served in a users' public_html directories must be set to at least 0644. VirtualHost <VirtualHost> and </VirtualHost> tags create a container outlining the characteristics of a virtual host. The VirtualHost container accepts most configuration directives. A commented VirtualHost container is provided in httpd.conf, which illustrates the minimum Section 22.7, “Virtual Hosts”...
The following section lists directives found within the MPM-specific server-pool containers. MaxClients MaxClients sets a limit on the total number of server processes, or simultaneously connected clients, that can run at one time. The main purpose of this directive is to keep a runaway Apache HTTP Server from crashing the operating system.
Adding Modules 22.6. Adding Modules The Apache HTTP Server is distributed with a number of modules. More information about Apache HTTP modules can be found on http://httpd.apache.org/docs/2.2/mod/. The Apache HTTP Server supports Dynamically Shared Objects (DSOs), or modules, which can easily be loaded at runtime as necessary.
# ServerAdmin webmaster@dummy-host.example.com # DocumentRoot /www/docs/dummy-host.example.com # ServerName dummy-host.example.com # ErrorLog logs/dummy-host.example.com-error_log # CustomLog logs/dummy-host.example.com-access_log common #</VirtualHost> To activate name-based virtual hosting, uncomment the NameVirtualHost line by removing the hash mark (#) and replace the asterisk (*) with the IP address assigned to the machine. Next, configure a virtual host by uncommenting and customizing the <VirtualHost>...
An Overview of Security-Related Packages 22.8.1. An Overview of Security-Related Packages To enable the secure server, you must have the following packages installed at a minimum: httpd The httpd package contains the httpd daemon and related utilities, configuration files, icons, Apache HTTP Server modules, man pages, and other files used by the Apache HTTP Server.
22.8.3. Using Pre-Existing Keys and Certificates If you already have an existing key and certificate (for example, if you are installing the secure server to replace another company's secure server product), you can probably use your existing key and certificate with the secure server.
Types of Certificates begin using your secure server, however, you must generate your own key and obtain a certificate which correctly identifies your server. You need a key and a certificate to operate your secure server — which means that you can either generate a self-signed certificate or purchase a CA-signed certificate from a CA.
22.8.5. Generating a Key You must be root to generate a key. First, use the cd command to change to the /etc/httpd/conf/ directory. Remove the fake key and certificate that were generated during the installation with the following commands: rm ssl.key/server.key rm ssl.crt/server.crt The crypto-utils package contains the genkey utility which you can use to generate keys as the name implies.
Generating a Key your preferred key size using the arrow keys, select Next to proceed to the next step. The figure below illustrates the key size selection screen. Figure 22.12. Choose key size Selecting the next step will initiate the random bits generation process which may take some time depending on the size of your selected key.
Figure 22.13. Generating random bits On generating your key, you will be prompted to send a Certificate Request (CSR) to a Certificate Authority (CA). Figure 22.14. Generate CSR...
Generating a Key Selecting Yes will prompt you to select the Certificate Authority you wish to send your request to. Selecting No will allow you to generate a self-signed certificate. The next step for this is illustrated in Figure 22.17, “Generating a self signed certificate for your server”.
Figure 22.16. Enter details for your certificate If you prefer to generate a self signed cert key pair, you should not generate a CSR. To do this, select No as your preferred option in the Generate CSR screen. This will display the figure below from which you can enter your certificate details.
Generating a Key Figure 22.17. Generating a self signed certificate for your server On entering the details of your certificate, select Next to proceed. The figure below illustrates an example of the next screen displayed after completing the details for a certificate to be sent to Equifax.
Pressing the return key will display the next screen from which you can enable or disable the encryption of the private key. Use the spacebar to enable or disable this. When enabled, a [*] character will be displayed. On selecting your preferred option, select Next to proceed to the next step.
Generating a Key Figure 22.20. Set passphrase If you attempt to run genkey makeca on a server that has an existing key pair, an error message will be displayed as illustrated below. You need to delete your existing key file as indicated to generate a new key pair.
Figure 22.21. genkey error • http://httpd.apache.org/docs/2.2/ssl/ • http://httpd.apache.org/docs/2.2/vhosts/ 22.8.6. How to configure the server to use the new key The steps to configure the Apache HTTP Server to use the new key are: • Obtain the signed certificate from the CA after submitting the CSR. •...
Useful Websites 22.9.1. Useful Websites • http://httpd.apache.org/ — The official website for the Apache HTTP Server with documentation on all the directives and default modules. • http://www.modssl.org/ — The official website for mod_ssl. • http://www.apacheweek.com/ — A comprehensive online weekly newsletter about all things Apache.
Chapter 23. File Transfer Protocol (FTP) is one of the oldest and most commonly used protocols found on the Internet today. Its purpose is to reliably transfer files between computer hosts on a network without requiring the user to log directly into the remote host or have knowledge of how to use the remote system.
FTP server. For more information about configuring and administering Red Hat Content Accelerator, consult the documentation available online at http://www.redhat.com/docs/manuals/tux/. • vsftpd — A fast, secure FTP daemon which is the preferred FTP server for Red Hat Enterprise Linux.
Starting and Stopping vsftpd • /etc/rc.d/init.d/vsftpd — The initialization script (initscript) used by the /sbin/service command to start, stop, or reload vsftpd. Refer to Section 23.4, “Starting and Stopping vsftpd” for more information about using this script. • /etc/pam.d/vsftpd — The Pluggable Authentication Modules (PAM) configuration file for vsftpd.
By default, the vsftpd service does not start automatically at boot time. To configure the vsftpd service to start at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. Refer to Chapter 16, Controlling Access to Services for more information regarding these tools.
vsftpd Configuration Options For a detailed list of directives available within vsftpd's configuration file, refer to Section 23.5, “vsftpd Configuration Options”. To configure any additional servers to start automatically at boot time, add the above command to the end of the /etc/rc.local file. 23.5.
Modules (PAM)” for more information. If session logging is not necessary, disabling this option allows vsftpd to run with fewer processes and lower privileges. The default value is YES. 23.5.2. Log In Options and Access Controls The following is a list of directives which control the login behavior and access control mechanisms. •...
Anonymous User Options • userlist_deny — When used in conjunction with the userlist_enable directive and set to NO, all local users are denied access unless the username is listed in the file specified by the userlist_file directive. Because access is denied before the client is asked for a password, setting this directive to NO prevents local users from submitting unencrypted passwords over the network.
• secure_email_list_enable — When enabled, only a specified list of email passwords for anonymous logins are accepted. This is a convenient way to offer limited security to public content without the need for virtual users. Anonymous logins are prevented unless the password provided is listed in /etc/vsftpd.email_passwords.
Directory Options There is no default value for this directive. • local_umask — Specifies the umask value for file creation. Note that the default value is in octal form (a numerical system with a base of eight), which includes a "0" prefix. Otherwise the value is treated as a base-10 integer.
The default value is NO. 23.5.6. File Transfer Options The following lists directives which affect directories. • download_enable — When enabled, file downloads are permitted. The default value is YES. • chown_uploads — When enabled, all files uploaded by anonymous users are owned by the user specified in the chown_username directive.
Network Options • xferlog_enable — When enabled, vsftpd logs connections (vsftpd format only) and file transfer information to the log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default). If xferlog_std_format is set to YES, file transfer information is logged but connections are not, and the log file specified in xferlog_file (/var/log/xferlog by default) is used instead.
The default value is NO. Note, in Red Hat Enterprise Linux, the value is set to YES. • connect_timeout — Specifies the maximum amount of time a client using active mode has to respond to a data connection, in seconds. The default value is 60.
Additional Resources The default value is 0, which does not limit the transfer rate. • max_clients — Specifies the maximum number of simultaneous clients allowed to connect to the server when it is running in standalone mode. Any additional client connections would result in an error message.
Chapter 23. FTP 23.6.1. Installed Documentation • The /usr/share/doc/vsftpd-<version-number>/ directory — Replace <version- number> with the installed version of the vsftpd package. This directory contains a README with basic information about the software. The TUNING file contains basic performance tuning tips and the SECURITY/ directory contains information about the security model employed by vsftpd.
Chapter 24. Email The birth of electronic mail (email) occurred in the early 1960s. The mailbox was a file in a user's home directory that was readable only by that user. Primitive mail applications appended new text messages to the bottom of the file, making the user wade through the constantly growing file to find any particular message.
Chapter 24. Email By default, Sendmail (/usr/sbin/sendmail) is the default SMTP program under Red Hat Enterprise Linux. However, a simpler mail server application called Postfix (/usr/sbin/postfix) is also available. 24.1.2. Mail Access Protocols There are two primary protocols used by email client applications to retrieve email from mail servers: the Post Office Protocol (POP) and the Internet Message Access Protocol (IMAP).
header information is downloaded for messages until opened, saving bandwidth. The user also has the ability to delete messages without viewing or downloading them. For convenience, IMAP client applications are capable of caching copies of messages locally, so the user can browse previously read messages when not directly connected to the IMAP server.
More details on dovecot can be found online at http://www.dovecot.org. 24.2. Email Program Classifications In general, all email applications fall into at least one of three classifications. Each classification plays a specific role in the process of moving and managing email messages. While most users are only aware of the specific email program they use to receive and send messages, each one is important for ensuring that email arrives at the correct destination.
24.3. Mail Transport Agents Red Hat Enterprise Linux includes two primary MTAs, Sendmail and Postfix. Sendmail is configured as the default MTA, although it is easy to switch the default MTA to Postfix. 24.3.1. Sendmail Sendmail's core purpose, like other MTAs, is to safely transfer email among hosts, usually using the SMTP protocol.
• access — Specifies which systems can use Sendmail for outbound email. • domaintable — Specifies domain name mapping. • local-host-names — Specifies aliases for the host. • mailertable — Specifies instructions that override routing for particular domains. •...
/sbin/service sendmail restart
Important
The default sendmail.cf file does not allow Sendmail to accept network connections from any host other than the local computer. To configure Sendmail as a server for other clients, edit the /etc/mail/sendmail.mc file, and either change the address specified in the Addr= option of the DAEMON_OPTIONS directive from 127.0.0.1 to the IP address of an active network device or comment out the DAEMON_OPTIONS directive altogether by placing dnl at the beginning of the line.
24.3.1.5. Stopping Spam Email spam can be defined as unnecessary and unwanted email received by a user who never requested the communication. It is a disruptive, costly, and widespread abuse of Internet communication standards. Sendmail makes it relatively easy to block new spamming techniques being employed to send junk email.
LDAP can be used to look up a particular email address from a common corporate directory by the user's last name. In this kind of implementation, LDAP is largely separate from Sendmail, with LDAP storing the hierarchical user information and Sendmail only being given the result of LDAP queries in pre-addressed email messages.
Important
Before using Postfix, the default MTA must be switched from Sendmail to Postfix. 24.3.2.1. The Default Postfix Installation The Postfix executable is /usr/sbin/postfix. This daemon launches all related processes needed to handle mail delivery. Postfix stores its configuration files in the /etc/postfix/ directory. The following is a list of the more commonly used files: •...
• Uncomment the mydestination = $myhostname, localhost.$mydomain line. • Uncomment the mynetworks line, and replace 168.100.189.0/28 with a valid network setting for hosts that can connect to the server. • Uncomment the inet_interfaces = all line. • Comment out the inet_interfaces = localhost line. •...
Global options appear at the top of the .fetchmailrc file, followed by one or more server options, each of which designates a different email server that Fetchmail should check. User options follow server options for each user account checking that email server. Like server options, multiple user options may be specified for use with a particular server as well as to check multiple email accounts on the same server.
24.3.3.3. Server Options Server options must be placed on their own line in .fetchmailrc after a poll or skip action. • auth <auth-type> — Replace <auth-type> with the type of authentication to be used. By default, password authentication is used, but some protocols support other types of authentication, including kerberos_v5, kerberos_v4, and ssh.
24.3.3.5. Fetchmail Command Options Most Fetchmail options used on the command line when executing the fetchmail command mirror the .fetchmailrc configuration options. In this way, Fetchmail may be used with or without a configuration file. These options are not used on the command line by most users because it is easier to leave them in the .fetchmailrc file.
Even if a user does not plan to send email from the system, some automated tasks or system programs might use the /bin/mail command to send email containing log messages to the root user of the local system. Red Hat Enterprise Linux 5 provides three MTAs: Sendmail, Postfix, and Exim.
daemon is started, and any other mail daemon is stopped, so the change takes effect immediately. 24.5. Mail Delivery Agents Red Hat Enterprise Linux includes two primary MDAs, Procmail and mail. Both of the applications are considered LDAs and both move email from the MTA's spool file into the user's mailbox. However, Procmail provides a robust filtering system.
• DEFAULT — Sets the default mailbox where messages that do not match any recipes are placed. The default DEFAULT value is the same as $ORGMAIL. • INCLUDERC — Specifies additional rc files containing more recipes for messages to be checked against.
However, regular expressions are not very difficult to construct and even less difficult to understand when read. Additionally, the consistency of the way Procmail recipes are written, regardless of regular expressions, makes it easy to learn by example. To see example Procmail recipes, refer to Section 24.5.2.5, “Recipe Examples”.
• a — Specifies that this recipe is only used if the previous recipe with an A or a flag also matched this message and was successfully completed. • B — Parses the body of the message and looks for matching conditions. •...
• > — Checks if the message is over a specified number of bytes. The following characters are used to perform special actions: • ! — In the action line, this character tells Procmail to forward the message to the specified email addresses.
With this example, any messages sent by spammer@domain.com are sent to the /dev/null device, deleting them.
Caution
Be certain that rules are working as intended before sending messages to /dev/null for permanent deletion. If a recipe inadvertently catches unintended messages, and those messages disappear, it becomes difficult to troubleshoot the rule.
To file email tagged as spam, a rule similar to the following can be used:
:0 Hw
* ^X-Spam-Status: Yes
spam
This rule files all email tagged in the header as spam into a mailbox called spam. Since SpamAssassin is a Perl script, it may be necessary on busy servers to use the binary SpamAssassin daemon (spamd) and client application (spamc).
known port numbers (993 and 995, respectively) that the MUA uses to authenticate and download messages. 24.6.1.2. Securing Email Client Communications Offering SSL encryption to IMAP and POP users on the email server is a simple matter. First, create an SSL certificate. This can be done two ways: by applying to a Certificate Authority (CA) for an SSL certificate or by creating a self-signed certificate.
Again, answer all of the questions to complete the process. Once the certificate is generated, it is possible to use the stunnel command to start the imapd mail daemon using the following command:
/usr/sbin/stunnel -d 993 -l /usr/sbin/imapd imapd
Once this command is issued, it is possible to open an IMAP email client and connect to the email server using SSL encryption.
• procmailex — Gives a number of useful, real-world examples of Procmail recipes. • procmailsc — Explains the weighted scoring technique used by Procmail to match a particular recipe to a message. • /usr/share/doc/spamassassin-<version-number>/ — Contains a large amount of information pertaining to SpamAssassin.
Chapter 25. Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is a set of open protocols used to access centrally stored information over a network. It is based on the X.500 standard for directory sharing, but is less complex and resource-intensive.
• IPv6 Support — OpenLDAP supports the next generation Internet Protocol version 6. • LDAP Over IPC — OpenLDAP can communicate within a system using interprocess communication (IPC). This enhances security by eliminating the need to communicate over a network. •...
Any value enclosed within a < and a > is a variable and can be set whenever a new LDAP entry is created. This rule does not apply, however, to <id>. The <id> is a number determined by the application used to edit the entry.
Warning
You must stop slapd by issuing the /sbin/service ldap stop command before using slapadd, slapcat or slapindex. Otherwise, the integrity of the LDAP directory is at risk. For more information on using these utilities, refer to their respective man pages. The openldap-clients package installs tools into /usr/bin/ which are used to add, modify, and delete entries in an LDAP directory.
NSS allows applications to authenticate using LDAP in conjunction with the NIS name service and flat authentication files. The pam_ldap module allows PAM-aware applications to authenticate users using information stored in an LDAP directory. PAM-aware applications include console login, POP and IMAP mail servers, and Samba.
25.5. The /etc/openldap/schema/ Directory The /etc/openldap/schema/ directory holds LDAP definitions, previously located in the slapd.at.conf and slapd.oc.conf files. The /etc/openldap/schema/redhat/ directory holds customized schemas distributed by Red Hat for Red Hat Enterprise Linux. All attribute syntax definitions and objectclass definitions are now located in the different schema files.
25.6. OpenLDAP Setup Overview This section provides a quick overview for installing and configuring an OpenLDAP directory. For more details, refer to the following URLs:
• http://www.openldap.org/doc/admin/quickstart.html — The Quick-Start Guide on the OpenLDAP website.
• http://www.tldp.org/HOWTO/LDAP-HOWTO/index.html — The LDAP Linux HOWTO from the Linux...
rootdn "cn=root,dc=example,dc=com"
When populating an LDAP directory over a network, change the rootpw line, replacing the default value with an encrypted password string. To create an encrypted password string, type the following command:
slappasswd
When prompted, type and then re-type a password.
Install the Necessary LDAP Packages. First, make sure that the appropriate packages are installed on both the LDAP server and the LDAP client machines. The LDAP server needs the openldap-servers package. The openldap, openldap-clients, and nss_ldap packages need to be installed on all LDAP client machines.
First, modify the migrate_common.ph file so that it reflects the correct domain. The default DNS domain should be changed from its default value to something like:
$DEFAULT_MAIL_DOMAIN = "example";
The default base should also be changed to something like:
$DEFAULT_BASE = "dc=example,dc=com";...
25.9. Additional Resources The following resources offer additional information on LDAP. It is highly recommended that you review these, especially the OpenLDAP website and the LDAP HOWTO, before configuring LDAP on your system(s). 25.9.1. Installed Documentation • /usr/share/docs/openldap-<versionnumber>/ directory — Contains a general README document and miscellaneous information.
• man slapd.conf — Describes the format and options available within the configuration file referenced by both the LDAP server applications (slapd and slurpd) and the LDAP administrative tools (slapadd, slapcat, and slapindex). 25.9.2.
Chapter 26. Authentication Configuration
When a user logs in to a Red Hat Enterprise Linux system, the username and password combination must be verified, or authenticated, as a valid and active user. Sometimes the information to verify the user is located on the local system, and other times the system defers the authentication to a user database on a remote system.
Figure 26.1. User Information The following list explains what each option configures: The Enable NIS Support option configures the system to connect to an NIS server (as an NIS client) for user and password authentication. Click the Configure NIS... button to specify the NIS domain and NIS server.
LDAP The Enable LDAP Support option instructs the system to retrieve user information via LDAP. Click the Configure LDAP... button to specify the following: • LDAP Search Base DN — Specifies that user information should be retrieved using the listed Distinguished Name (DN).
• domain — In this mode, Samba will attempt to validate the username/password by authenticating it through a Windows NT Primary or Backup Domain Controller, similar to how a Windows NT Server would. • ads — This mode instructs Samba to act as a domain member in an Active Directory Server (ADS) realm.
Figure 26.2. Authentication The following explains what each option configures: Kerberos The Enable Kerberos Support option enables Kerberos authentication. Click the Configure Kerberos... button to open the Kerberos Settings dialogue and configure the following: • Realm — Configures the realm for the Kerberos server. The realm is the network that uses Kerberos, composed of one or more KDCs and a potentially large number of clients.
The Kerberos Settings dialogue also allows you to use DNS to resolve hosts to realms and locate KDCs for realms. The krb5-libs and krb5-workstation packages must be installed for this option to work. For more information, refer to Section 43.6, “Kerberos”.
Figure 26.3. Options Cache User Information Select this option to enable the name service cache daemon (nscd) and configure it to start at boot time. The nscd package must be installed for this option to work. For more information about nscd, refer to its man page using the command man nscd.
The shadow-utils package must be installed for this option to work. For more information about shadow passwords, refer to Section 33.6, “Shadow Passwords”. Use MD5 Passwords Select this option to enable MD5 passwords, which allows passwords to be up to 256 characters instead of eight characters or less.
Command Line Version
Option — Description
--ldapbasedn=<dn> — Specify LDAP base DN
--enablekrb5 — Enable Kerberos
--disablekrb5 — Disable Kerberos
--krb5kdc=<kdc> — Specify Kerberos KDC
--krb5adminserver=<server> — Specify Kerberos administration server
--krb5realm=<realm> — Specify Kerberos realm
--enablekrb5kdcdns — Enable use of DNS to find Kerberos KDCs
--disablekrb5kdcdns — Disable use of DNS to find Kerberos KDCs
Enable use of DNS to find Kerberos...
Option — Description
--winbindtemplateprimarygroup=<nobody> — Group that winbind users have as their primary group
--winbindtemplateshell=</bin/false> — Shell that winbind users have as their default login shell
--enablewinbindusedefaultdomain — Configures winbind to assume that users with no domain in their usernames are domain users
--disablewinbindusedefaultdomain — Configures winbind to assume that users with no domain in their...
Part IV. System Configuration
Part of a system administrator's job is configuring the system for various tasks, types of users, and hardware configurations. This section explains how to configure a Red Hat Enterprise Linux system.
Chapter 27. Console Access
When normal (non-root) users log into a computer locally, they are given two types of special permissions:
1. They can run certain programs that they would otherwise be unable to run.
2. They can access certain files (normally special device files used to access diskettes, CD-ROMs, and so on) that they would otherwise be unable to access.
27.2. Disabling Console Program Access To disable access by users to console programs, run the following command as root:
rm -f /etc/security/console.apps/*
In environments where the console is otherwise secured (BIOS and boot loader passwords are set, Ctrl+Alt+Delete is disabled, the power and reset switches are disabled, and so forth), you may not want to allow any user at the console to run poweroff, halt, and reboot, which are accessible from the console by default.
Open the original default perms file, 50-default.perms. The first section defines device classes, with lines similar to the following:
<floppy>=/dev/fd[0-1]* \
    /dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
    /dev/mixer* /dev/sequencer \
    /dev/sound/* /dev/beep \
    /dev/snd/*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
Items enclosed in brackets name the device;...
cd /usr/bin
ln -s consolehelper foo
2. Create the file /etc/security/console.apps/foo:
touch /etc/security/console.apps/foo
3. Create a PAM configuration file for the foo service in /etc/pam.d/. An easy way to do this is to copy the PAM configuration file of the halt service, and then modify the copy if you want to change the behavior:
cp /etc/pam.d/halt /etc/pam.d/foo
Now, when /usr/bin/foo is executed, consolehelper is called, which authenticates the user with...
the floppy group using the tool of your choice. For example, the gpasswd command can be used to add user fred to the floppy group:
gpasswd -a fred floppy
Now, user fred is able to access the system's diskette drive from the console.
Chapter 28. The sysconfig Directory
The /etc/sysconfig/ directory contains a variety of system configuration files for Red Hat Enterprise Linux. This chapter outlines some of the files found in the /etc/sysconfig/ directory, their function, and their contents. The information in this chapter is not intended to be complete, as many of these files have a variety of options that are only used in very specific or rare circumstances.
• yes — MD5 is used for authentication. • no — MD5 is not used for authentication. • USEKERBEROS=<value>, where <value> is one of the following: • yes — Kerberos is used for authentication. • no — Kerberos is not used for authentication. •...
• false or no — This value indicates that the normal UNIX epoch is in use. Other values are used by systems not supported by Red Hat Enterprise Linux. • SRM=<value>, where <value> is the following: • false or no — This value indicates that the normal UNIX epoch is in use. Other values are used by systems not supported by Red Hat Enterprise Linux.
28.1.9. /etc/sysconfig/exim The /etc/sysconfig/exim file allows messages to be sent to one or more clients, routing the messages over whatever networks are necessary. The file sets the default values for exim to run. Its default values are set to run as a background daemon and to check its queue each hour in case something has backed up.
28.1.14. /etc/sysconfig/init The /etc/sysconfig/init file controls how the system appears and functions during the boot process. The following values may be used: • BOOTUP=<value>, where <value> is one of the following: • color — The standard color boot display, where the success or failure of devices and services starting up is shown in different colors.
Once this file exists, any firewall rules saved in it persist through a system reboot or a service restart. For more information on ip6tables, refer to Section 43.9, “IPTables”. 28.1.16. /etc/sysconfig/iptables-config The /etc/sysconfig/iptables-config file stores information used by the kernel to set up packet filtering services at boot time or whenever the service is started.
28.1.18. /etc/sysconfig/keyboard The /etc/sysconfig/keyboard file controls the behavior of the keyboard. The following values may be used: • KEYBOARDTYPE="sun|pc" where sun means a Sun keyboard is attached on /dev/kbd, or pc means a PS/2 keyboard connected to a PS/2 port. •...
• HOSTNAME=<value>, where <value> should be the Fully Qualified Domain Name (FQDN), such as hostname.example.com, but can be whatever hostname is necessary. • GATEWAY=<value>, where <value> is the IP address of the network's gateway. • GATEWAYDEV=<value>, where <value> is the gateway device, such as eth0. Configure this option if you have multiple interfaces on the same subnet, and require one of those interfaces to be the preferred route to the default gateway.
3. Allow the TCP and UDP port specified with MOUNTD_PORT="x"
4. Allow the TCP and UDP port specified with STATD_PORT="x"
5. Allow the TCP port specified with LOCKD_TCPPORT="x"
6. Allow the UDP port specified with LOCKD_UDPPORT="x"
28.1.23. /etc/sysconfig/ntpd The /etc/sysconfig/ntpd file is used to pass arguments to the ntpd daemon at boot time. The ntpd daemon sets and maintains the system clock to synchronize with an Internet standard time server.
• QUEUE=1h which is given to Sendmail as -q$QUEUE. The -q option is not given to Sendmail if /etc/sysconfig/sendmail exists and QUEUE is empty or undefined. 28.1.28. /etc/sysconfig/spamassassin The /etc/sysconfig/spamassassin file is used to pass arguments to the spamd daemon (a daemonized version of Spamassassin) at boot time.
28.1.34. /etc/sysconfig/tux The /etc/sysconfig/tux file is the configuration file for the Red Hat Content Accelerator (formerly known as TUX), the kernel-based Web server. For more information on configuring the Red Hat Content Accelerator, use a Web browser to open the /usr/share/doc/tux-<version>/tux/index.html file (replace <version>...
This directory contains the configuration files and GPG keys for Red Hat Network. No files in this directory should be edited by hand. For more information on Red Hat Network, refer to the Red Hat Network website online at https://rhn.redhat.com/. 28.3. Additional Resources This chapter is only intended as an introduction to the files in the /etc/sysconfig/ directory.
Chapter 29. Date and Time Configuration
The Time and Date Properties Tool allows the user to change the system date and time, to configure the time zone used by the system, and to set up the Network Time Protocol (NTP) daemon to synchronize the system clock with a time server.
Figure 29.1. Time and Date Properties To change the date, use the arrows to the left and right of the month to change the month, use the arrows to the left and right of the year to change the year, and click on the day of the week to change the day of the week.
29.2. Network Time Protocol (NTP) Properties As shown in Figure 29.2, “NTP Properties”, the second tabbed window that appears is for configuring NTP. Figure 29.2. NTP Properties The Network Time Protocol (NTP) daemon synchronizes the system clock with a remote time server or time source.
Clicking the OK button applies any changes made to the date and time, the NTP daemon settings, and the time zone settings. It also exits the program. 29.3. Time Zone Configuration As shown in Figure 29.3, “Timezone Properties”, the third tabbed window that appears is for configuring the system time zone.
Figure 29.3. Timezone Properties If your system clock is set to use UTC, select the System clock uses UTC option. UTC stands for the Universal Time, Coordinated, also known as Greenwich Mean Time (GMT). Other time zones are determined by adding or subtracting from the UTC time.
Chapter 30. Keyboard Configuration
The installation program allows you to configure a keyboard layout for your system. To configure a different keyboard layout after installation, use the Keyboard Configuration Tool. To start the Keyboard Configuration Tool, select System (on the panel) > Administration > Keyboard, or type the command system-config-keyboard at a shell prompt.
Red Hat Enterprise Linux, be sure that the system's video card is compatible with the X11R7.1 release by checking the Red Hat Hardware Compatibility List located online at http://hardware.redhat.com/. In the X11R7.1 release, all libraries, headers, and binaries now live under /usr/ instead of /usr/X11R6.
The installation program installs and configures X automatically, unless the X11R7.1 release packages are not selected for installation. However, if there are any changes to the monitor, video card or other devices managed by the X server, X must be reconfigured. The best way to do this is to use the X Configuration Tool (system-config-display), particularly for devices that are not detected manually.
Four window managers are included with Red Hat Enterprise Linux: kwin The KWin window manager is the default window manager for KDE. It is an efficient window manager which supports custom themes. metacity The Metacity window manager is the default window manager for GNOME. It is a simple and efficient window manager which also supports custom themes.
To load optional modules, they must be specified in the X server configuration file, /etc/X11/xorg.conf. For more information about loading modules, refer to Section 31.3.1.5, “Module”. When Red Hat Enterprise Linux 5.2 is installed, the configuration files for X are created using information gathered about the system hardware during the installation process.
31.3.1.3. ServerLayout The ServerLayout section binds together the input and output devices controlled by the X server. At a minimum, this section must specify one output device and one input device. By default, a monitor (output device) and keyboard (input device) are specified. The following example illustrates a typical ServerLayout section:
Section "ServerLayout"...
31.3.1.4. Files The Files section sets paths for services vital to the X server, such as the font path. This is an optional section; these paths are normally detected automatically. This section may be used to override any automatically detected defaults.
instructs the X server to load fbdevhw instead of the default modules. As such, if you add a Module section to /etc/X11/xorg.conf, you will need to specify any default modules you want to load as well as any extra modules. 31.3.1.6.
Warning
Be careful when manually editing values in the Monitor section of /etc/X11/xorg.conf. Inappropriate values can damage or destroy a monitor. Consult the monitor's documentation for a listing of safe operating parameters. The following are entries commonly used in the Monitor section: •...
• VendorName — An optional parameter which specifies the vendor of the video card. • BoardName — An optional parameter which specifies the name of the video card. • VideoRam — An optional parameter which specifies the amount of RAM available on the video card in kilobytes.
• SubSection "Display" — Specifies the screen modes available at a particular color depth. The Screen section can have multiple Display subsections, which are entirely optional since screen modes are automatically detected. This subsection is normally used to override autodetected modes. •...
It is important to note that Fontconfig uses the /etc/fonts/fonts.conf configuration file, which should not be edited by hand. Due to the transition to the new font system, GTK+ 1.2 applications are not affected by any changes made via the Font Preferences dialog (accessed by selecting System (on the panel) >...
31.4.2. Core X Font System For compatibility, Red Hat Enterprise Linux provides the core X font subsystem, which uses the X Font Server (xfs) to provide fonts to X client applications. The X server looks for a font server specified in the FontPath directive within the Files section of Section 31.3.1.4, “Files”...
• port — Specifies the TCP port that xfs listens on if no-listen does not exist or is commented out. • use-syslog — Specifies whether to use the system error log. 31.4.2.2. Adding Fonts to xfs To add fonts to the core X font subsystem (xfs), follow these steps: 1.
When the startx command is executed, it searches for the .xinitrc file in the user's home directory to define the desktop environment and possibly other X client applications to run. If no .xinitrc file is present, it uses the system default /etc/X11/xinit/xinitrc file instead. The default xinitrc script then searches for user-defined files and default system files, including .Xresources, .Xmodmap, and .Xkbmap in the user's home directory, and Xresources, Xmodmap, and Xkbmap in the /etc/X11/ directory.
Users can specify which desktop environment they want to utilize when they authenticate using the GNOME or KDE display managers by selecting it from the Sessions menu item (accessed by selecting System (on the panel) > Preferences > More Preferences > Sessions). If the desktop environment is not specified in the display manager, the /etc/X11/xdm/Xsession script checks the .xsession and .Xclients files in the user's home directory to decide which desktop environment to load.
Chapter 32. X Window System Configuration
During installation, the system's monitor, video card, and display settings are configured. To change any of these settings after installation, use the X Configuration Tool. To start the X Configuration Tool, go to System (on the panel) > Administration > Display, or type the command system-config-display at a shell prompt (for example, in an XTerm or GNOME terminal).
32.2. Display Hardware Settings When the X Configuration Tool is started, it probes the monitor and video card. If the hardware is probed properly, the information for it is shown on the Hardware tab as shown in Figure 32.2, “Display Hardware Settings”.
Dual Head Display Settings Figure 32.3. Dual Head Display Settings To enable use of Dual head, check the Use dual head checkbox. To configure the second monitor type, click the corresponding Configure button. You can also configure the other Dual head settings by using the corresponding drop-down list. For the Desktop layout option, selecting Spanning Desktops allows both monitors to use an enlarged usable workspace.
Chapter 33. Users and Groups The control of users and groups is a core element of Red Hat Enterprise Linux system administration. Users can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use. Groups are logical expressions of organization, tying users together for a common purpose.
Chapter 33. Users and Groups Figure 33.1. User Manager To view a list of local users on the system, click the Users tab. To view a list of local groups on the system, click the Groups tab. To find a specific user or group, type the first few letters of the name in the Search filter field. Press Enter or click the Apply filter button.
Adding a New User Select a login shell. If you are not sure which shell to select, accept the default value of /bin/bash. The default home directory is /home/<username>/. You can change the home directory that is created for the user, or you can choose not to create the home directory by unselecting Create home directory.
Chapter 33. Users and Groups Figure 33.2. New User To configure more advanced user properties, such as password expiration, modify the user's properties after adding the user. Refer to Section 33.1.2, “Modifying User Properties” for more information. 33.1.2. Modifying User Properties To view the properties of an existing user, click on the Users tab, select the user from the user list, and click Properties from the menu (or choose File >...
Modifying User Properties Figure 33.3. User Properties The User Properties window is divided into multiple tabbed pages: • User Data — Shows the basic user information configured when you added the user. Use this tab to change the user's full name, password, home directory, or login shell. •...
Chapter 33. Users and Groups 33.1.3. Adding a New Group To add a new user group, click the Add Group button. A window similar to Figure 33.4, “New Group” appears. Type the name of the new group to create. To specify a group ID for the new group, select Specify group ID manually and select the GID.
User and Group Management Tools The Group Users tab displays which users are members of the group. Use this tab to add or remove users from the group. Click OK to save your changes. 33.2. User and Group Management Tools Managing users and groups can be a tedious task;...
Chapter 33. Users and Groups • -d <home-dir> — Home directory to be used instead of the default /home/<username>/ • -e <date> — Date on which the account is disabled, in the format YYYY-MM-DD • -f <days> — Number of days after the password expires until the account is...
Password Aging Important Shadow passwords must be enabled to use the chage command. • -m <days> — Specifies the minimum number of days between password changes. A value of 0 means the user may change the password at any time. • -M <days> — Specifies the maximum number of days for which the password is...
Chapter 33. Users and Groups chage -d 0 username This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.
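The fields chage manipulates live in /etc/shadow, and the easiest way to see whether an aging policy is actually doing anything is to read them back. The script below is an added example, not from the Deployment Guide: it reads shadow(5)-format lines, classifies each account the way chage -l would (locked, forced change after chage -d 0, past its maximum, inside the warning window, past the account expiry date) and runs over a constructed sample. The hashes in the sample are placeholders, and the cut-offs for "today" are passed in as a day count so the result is reproducible.

```shell
#!/bin/sh
# Added example, not from the Deployment Guide: audit the password-aging
# fields of /etc/shadow over a constructed sample.
# shadow(5) layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are days since 1970-01-01, so lastchg=0 is exactly what
# "chage -d 0 user" writes and means "must change at next login".

# Constructed sample; the hashes are placeholders, not real password hashes.
SAMPLE_SHADOW='root:$6$x:14000:0:99999:7:::
juan:!!:14650:0:99999:7:::
alice:$6$y:14500:1:90:7:::
bob:$6$z:14565:0:90:7:::
carol:$6$v:0:0:90:7:::
dan:$6$u:14500:0:90:7:5::
erin:$6$t:14600:0:99999:7::14640:'

# shadow_status LINE TODAY -> one word: locked, account-expired,
# forced-change, inactive-locked, expired, warn or ok. TODAY is a day count
# since the epoch, e.g. $(( $(date +%s) / 86400 )) on a live system.
shadow_status() {
    IFS=: read -r name hash lastchg min max warn inactive expire reserved <<EOF
$1
EOF
    today=$2
    case "$hash" in
        '!'*|'*'*) echo locked; return 0 ;;   # "!!" = never set; "!..." = passwd -l / usermod -L
    esac
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo account-expired; return 0        # chage -E / useradd -e date has passed
    fi
    if [ "${lastchg:-0}" -eq 0 ]; then
        echo forced-change; return 0          # chage -d 0: new password demanded at next login
    fi
    if [ -n "$max" ]; then
        expires_on=$((lastchg + max))
        if [ -n "$inactive" ] && [ $((expires_on + inactive)) -lt "$today" ]; then
            echo inactive-locked; return 0    # past max + inactive days: login refused
        fi
        if [ "$expires_on" -lt "$today" ]; then
            echo expired; return 0            # past max days: must change before continuing
        fi
        if [ $((expires_on - today)) -le "${warn:-0}" ]; then
            echo warn; return 0               # inside the warning window before expiry
        fi
    fi
    echo ok
}

# audit_shadow SHADOW_TEXT TODAY -> "user status", one line per account.
# On a real host: audit_shadow "$(cat /etc/shadow)" "$(( $(date +%s) / 86400 ))"
audit_shadow() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        printf '%s %s\n' "${line%%:*}" "$(shadow_status "$line" "$2")"
    done
}
```

Reading the file requires root, which is the point of the shadow scheme; run the audit as root or from a cron job owned by root and never copy /etc/shadow somewhere world-readable to inspect it.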
Explaining the Process make sure that the user is ready to log in before unlocking an account with a null password. In either case, upon initial log in, the user is prompted for a new password. 33.2.5. Explaining the Process The following steps illustrate what happens if the command useradd juan is issued on a system that has shadow passwords enabled: 1.
Chapter 33. Users and Groups 4. A new line for a group named juan is created in /etc/gshadow. The line has the following characteristics: • It begins with the group name juan. • An exclamation point (!) appears in the password field of the /etc/gshadow file, which locks the group.
User Private Groups [Table 33.5. Standard Groups, continued: rpcuser, nfsnobody (GID 65534), apache, mysql, webalizer, mailnull, smmsp, squid, ldap, netdump, pcap, quaggavt, quagga, radvd, slocate, dovecot, radiusd] 33.5. User Private Groups Red Hat Enterprise Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to manage.
Chapter 33. Users and Groups 33.5.1. Group Directories Many IT organizations like to create a group for each major project and then assign people to the group if they need to access that project's files. Using this traditional scheme, managing files has been difficult;...
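The useradd walkthrough and the UPG description above can be turned into a check. The script below is an added example, not code from the guide: it verifies that a passwd line and its group line obey the private-group rules (group named after the user, matching primary GID, UID allocated equal to GID), creates a home directory with the 0700 mode useradd applies, and creates a group directory with the setgid bit so that files created in it inherit the project group rather than the creator's private group. The passwd and group lines are constructed samples, the directories are created under mktemp so no root privilege is needed, and mode_of assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example, not from the guide: check what "useradd juan" should leave
# behind under the user private group (UPG) scheme, then build the shared
# project directory the scheme is designed for. The passwd and group lines
# are constructed samples; directories are made under mktemp so no root
# privilege is needed. mode_of relies on GNU coreutils stat.

# upg_check PASSWD_LINE GROUP_LINE -> "ok" or the first UPG rule violated:
# a group named after the user must exist, the user's primary GID must be
# that group's GID, and useradd allocates the UID and GID as the same number.
upg_check() {
    IFS=: read -r pname pw puid pgid gecos phome pshell <<EOF
$1
EOF
    IFS=: read -r gname gpw ggid gmembers <<EOF
$2
EOF
    if [ "$pname" != "$gname" ]; then echo "group $gname does not match user $pname"; return 0; fi
    if [ "$pgid" != "$ggid" ]; then echo "primary gid $pgid is not the private group gid $ggid"; return 0; fi
    if [ "$puid" != "$pgid" ]; then echo "uid $puid and gid $pgid differ"; return 0; fi
    echo ok
}

# mode_of PATH -> octal permission bits including setuid/setgid/sticky
mode_of() { stat -c %a "$1"; }

# make_home_dir DIR -> creates DIR with the 0700 mode useradd gives a new
# home directory, so no other user can read it; prints the mode
make_home_dir() {
    mkdir -p "$1" && chmod 700 "$1" && mode_of "$1"
}

# make_group_dir DIR -> creates a group-writable directory with the setgid
# bit (mode 2775): files created inside inherit the directory's group rather
# than the creator's private group, which is what lets UPG use umask 002
# safely. As root you would chgrp it to the project group first.
make_group_dir() {
    mkdir -p "$1" && chmod 2775 "$1" && mode_of "$1"
}

# inherits_group DIR -> the group a file created inside DIR receives; equal
# to the directory's own group when the setgid bit is effective
inherits_group() {
    : > "$1/probe" && stat -c %G "$1/probe"
}
```

The setgid bit is what makes the scheme safe: without it, a file written into a shared tree by a member of group juan belongs to group juan, and the group-write permission umask 002 leaves on it is useless to the rest of the project.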
Additional Resources • Improves system security by moving password hashes from the world-readable /etc/passwd file to /etc/shadow, which is readable only by the root user. • Stores information about password aging. • Allows the use of the /etc/login.defs file to enforce security policies. Most utilities provided by the shadow-utils package work properly whether or not shadow passwords are enabled.
Chapter 33. Users and Groups Configuration Files • man 5 group — The file containing group information for the system. • man 5 passwd — The file containing user information for the system. • man 5 shadow — The file containing passwords and account expiration information for the system.
Chapter 34. Printer Configuration Printer Configuration Tool allows users to configure a printer. This tool helps maintain the printer configuration file, print spool directories, print filters, and printer classes. Red Hat Enterprise Linux 5.2 uses the Common Unix Printing System (CUPS). If a system was upgraded from a previous Red Hat Enterprise Linux version that used CUPS, the upgrade process preserves the configured queues.
Chapter 34. Printer Configuration • Networked JetDirect — a printer connected directly to the network through HP JetDirect instead of a computer. Important If you add a new print queue or modify an existing one, you must apply the changes for them to take effect.
Adding an IPP Printer Click Forward to open the New Printer dialogue (refer to Figure 34.3, “Adding a Local Printer”). If the printer has been automatically detected, the printer model appears in Select Connection. Select the printer model and click Forward to continue. If the device does not automatically appear, select the device to which the printer is connected (such as LPT #1 or Serial Port #1) in Select Connection.
Chapter 34. Printer Configuration Figure 34.4. Adding an IPP Printer Click Forward to continue. Next, select the printer type. Refer to Section 34.5, “Selecting the Printer Model and Finishing” for details. 34.3. Adding a Samba (SMB) Printer You can add a Samba (SMB) based printer share by clicking the New Printer button in the main Printer Configuration Tool window to display the window in Figure 34.2, “Adding a Printer”.
Adding a Samba (SMB) Printer Figure 34.5. Adding a SMB Printer As shown in Figure 34.5, “Adding a SMB Printer”, available SMB shares are automatically detected and listed in the Share column. Click the arrow beside a Workgroup to expand it. From the expanded list, select a printer.
Chapter 34. Printer Configuration As such, when you choose a username and password to access a Samba printer, it is advisable that you choose a password that is different from what you use to access your local Red Hat Enterprise Linux system. If there are files shared on the Samba print server, it is recommended that they also use a password different from what is used by the print queue.
Selecting the Printer Model and Finishing 34.5. Selecting the Printer Model and Finishing Once you have properly selected a printer queue type, you can choose either option: • Select a Printer from database - If you select this option, choose the make of your printer from the list of Makes.
Chapter 34. Printer Configuration After applying the changes, print a test page to ensure the configuration is correct. Refer to Section 34.6, “Printing a Test Page” for details. 34.6. Printing a Test Page After you have configured your printer, you should print a test page to make sure the printer is functioning properly.
The Policies Tab 34.7.2. The Policies Tab To change settings in print output, click the Policies tab. For example, to create a banner page (a page that describes aspects of the print job such as the originating printer, the username from which the job originated, and the security status of the document being printed), click the Starting Banner or Ending Banner drop-down menu and choose the option that best describes the nature of the print jobs (such as topsecret, classified, or confidential).
Chapter 34. Printer Configuration Figure 34.10. Access Control Tab 34.7.4. The Printer and Job Options Tab The Printer Options tab contains various configuration options for the printer media and output.
Managing Print Jobs Figure 34.11. Printer Options Tab • Page Size — Allows the paper size to be selected. The options include US Letter, US Legal, A3, and A4 • Media Source — set to Automatic by default. Change this option to use paper from a different tray. •...
Chapter 34. Printer Configuration Figure 34.12. GNOME Print Status To cancel a specific print job listed in the GNOME Print Status, select it from the list and select Edit > Cancel Documents from the pulldown menu. To view the list of print jobs in the print spool from a shell prompt, type the command lpq. The last few lines look similar to the following: Rank Owner/ID...
Useful Websites • man lprm — The manual page for the command line utility to remove print jobs from the print queue. • man mpage — The manual page for the command line utility to print multiple pages on one sheet of paper.
Chapter 35. Automated Tasks In Linux, tasks can be configured to run automatically within a specified period of time, on a specified date, or when the system load average is below a specified number. Red Hat Enterprise Linux is pre-configured to run important system tasks to keep the system updated. For example, the slocate database used by the locate command is updated daily.
Chapter 35. Automated Tasks • month — any integer from 1 to 12 (or the short name of the month such as jan or feb) • dayofweek — any integer from 0 to 7, where 0 or 7 represents Sunday (or the short name of the week such as sun or mon) •...
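A crontab entry with a field outside these ranges is rejected when it is installed, usually with an unhelpful message. The script below is an added example, not from the guide: it validates the five time fields of an entry against the ranges listed above, accepting the "*", list, range, step and name forms crontab(5) allows (including 7 as an alias for Sunday), and reports valid or invalid before you hand the line to crontab.

```shell
#!/bin/sh
# Added example, not from the guide: validate the five time fields of a
# crontab entry against the ranges listed above before installing it, so a
# typo such as a 60th minute or a 13th month is caught by you rather than
# rejected by crontab. Month and weekday names are the three-letter
# abbreviations crontab(5) accepts; 7 is allowed as an alias for Sunday.
set -f   # "*" is data in crontab fields; never let the shell glob it

MONTHS='jan feb mar apr may jun jul aug sep oct nov dec'
DAYS='sun mon tue wed thu fri sat'

# to_num TOKEN NAMES FIRST -> the numeric value of TOKEN, which is either a
# number or a name from NAMES (the first name maps to FIRST); prints nothing
# when it is neither.
to_num() {
    tok=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    i=$3
    case "$tok" in
        ''|*[!0-9]*) ;;                     # not a plain number: look it up by name
        *) printf '%s' "$tok"; return 0 ;;
    esac
    for n in $2; do
        if [ "$n" = "$tok" ]; then printf '%s' "$i"; return 0; fi
        i=$((i + 1))
    done
    return 0
}

# field_ok FIELD LO HI NAMES FIRST -> exit 0 when every comma-separated item
# is "*", a single value or a range a-b, each optionally followed by /step,
# and every value lies within LO..HI.
field_ok() {
    fld=$1; lo=$2; hi=$3; names=$4; first=$5
    save=$IFS; IFS=,; set -- $fld; IFS=$save
    if [ $# -eq 0 ]; then return 1; fi
    for item in "$@"; do
        base=${item%%/*}
        step=1
        if [ "$base" != "$item" ]; then step=${item#*/}; fi
        case "$step" in ''|*[!0-9]*) return 1 ;; esac   # step must be an integer...
        if [ "$step" -lt 1 ]; then return 1; fi          # ...and at least 1
        if [ "$base" = '*' ]; then continue; fi
        a=$(to_num "${base%%-*}" "$names" "$first")
        b=$(to_num "${base#*-}" "$names" "$first")        # for a single value b == a
        if [ -z "$a" ] || [ -z "$b" ]; then return 1; fi
        if [ "$a" -lt "$lo" ] || [ "$a" -gt "$hi" ] || [ "$b" -lt "$a" ] || [ "$b" -gt "$hi" ]; then
            return 1
        fi
    done
    return 0
}

# crontab_line_ok "MIN HOUR DOM MON DOW [command ...]" -> prints valid|invalid
crontab_line_ok() {
    set -- $1
    if [ $# -lt 5 ]; then echo invalid; return 0; fi
    if field_ok "$1" 0 59 '' 0 && field_ok "$2" 0 23 '' 0 && field_ok "$3" 1 31 '' 0 \
        && field_ok "$4" 1 12 "$MONTHS" 1 && field_ok "$5" 0 7 "$DAYS" 0; then
        echo valid
    else
        echo invalid
    fi
}
```

Run it as crontab_line_ok "$line" for each line of a crontab file you are about to install; lines that start with a variable assignment or a comment are not time fields and should be skipped by the caller.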
Controlling Access to Cron 35.1.2. Controlling Access to Cron The /etc/cron.allow and /etc/cron.deny files are used to restrict access to cron. The format of both access control files is one username on each line. Whitespace is not permitted in either file. The cron daemon (crond) does not have to be restarted if the access control files are modified.
Chapter 35. Automated Tasks The time must be specified first, followed by the optional date. For more information about the time format, read the /usr/share/doc/at-<version>/timespec text file. After typing the at command with the time argument, the at> prompt is displayed. Type the command to execute, press Enter, and type Ctrl+D .
Controlling Access to At and Batch Option Description Read the commands or shell script from a file instead of specifying them at the prompt. Send email to the user when the job has been completed. Display the time that the job is executed. Table 35.1.
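The allow/deny rule for cron, and the identical rule for at and batch, is easy to get backwards, so here it is as a function you can exercise. This is an added example, not code from the guide, run against constructed files in a temporary directory. One assumption is stated in the code: when neither file exists, the user is treated as allowed; that default is not stated on this page and depends on how the daemon was built, so confirm it on the real host.

```shell
#!/bin/sh
# Added example, not from the guide: the cron.allow / cron.deny decision rule
# described above as a function, exercised against constructed files in a
# temporary directory. The same rule governs /etc/at.allow and /etc/at.deny
# for at and batch, so the function takes the file paths as arguments.
# Assumption (not stated on this page): when neither file exists the user is
# allowed; confirm that default on the real host, it depends on the build.

# job_access USER ALLOW_FILE DENY_FILE -> prints allow or deny
job_access() {
    user=$1; allow=$2; deny=$3
    if [ "$user" = root ]; then echo allow; return 0; fi   # root is never restricted
    if [ -f "$allow" ]; then                                # allow file present: it alone decides
        if grep -qx -e "$user" "$allow"; then echo allow; else echo deny; fi
        return 0
    fi
    if [ -f "$deny" ] && grep -qx -e "$user" "$deny"; then  # no allow file: deny file applies
        echo deny; return 0
    fi
    echo allow
}

# demo_access -> the four cases side by side: "allow deny deny allow"
demo_access() {
    d=$(mktemp -d)
    printf 'alice\n' > "$d/cron.allow"        # one name per line, no whitespace
    printf 'bob\nalice\n' > "$d/cron.deny"
    r1=$(job_access alice "$d/cron.allow" "$d/cron.deny")   # allow: listed in cron.allow
    r2=$(job_access bob   "$d/cron.allow" "$d/cron.deny")   # deny: cron.allow exists, bob not in it
    rm "$d/cron.allow"
    r3=$(job_access alice "$d/cron.allow" "$d/cron.deny")   # deny: cron.deny now applies
    r4=$(job_access carol "$d/cron.allow" "$d/cron.deny")   # allow: in neither file
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}
```

The exact-line match (grep -x) mirrors the "one username per line, no whitespace" rule: a name with trailing spaces in cron.allow silently fails to grant access. An empty cron.allow is the strictest useful setting, since it denies everyone except root.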
Chapter 36. Log Files Log files are files that contain messages about the system, including the kernel, services, and applications running on it. There are different log files for different information. For example, there is a default system log file, a log file just for security messages, and a log file for cron tasks. Log files can be very useful when trying to troubleshoot a problem with the system such as trying to load a kernel driver or when looking for unauthorized log in attempts to the system.
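The unauthorized-login case mentioned above is worth making concrete. The script below is an added example, not from the guide: it runs three checks over a constructed excerpt of /var/log/secure in the format sshd and pam_unix write on this release, counting failed SSH logins per source address, flagging addresses that failed and then succeeded (the trace a guessed password leaves), and counting failed su attempts aimed at root. Hostnames, addresses and user names in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the guide: the "looking for unauthorized log in
# attempts" case, run over a constructed excerpt of /var/log/secure. The
# hosts, addresses and users below are made up. On a real host run e.g.
#   failed_logins_by_ip "$(cat /var/log/secure)"

SAMPLE_SECURE='Mar 12 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar 12 10:15:04 web1 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar 12 10:15:09 web1 sshd[2205]: Failed password for root from 192.0.2.10 port 40130 ssh2
Mar 12 10:16:30 web1 sshd[2210]: Accepted password for juan from 198.51.100.5 port 51234 ssh2
Mar 12 10:17:02 web1 sshd[2214]: Failed password for juan from 203.0.113.7 port 33001 ssh2
Mar 12 10:17:20 web1 sshd[2214]: Accepted password for juan from 203.0.113.7 port 33001 ssh2
Mar 12 10:18:00 web1 su: pam_unix(su:auth): authentication failure; logname=juan uid=500 euid=0 tty=pts/1 ruser=juan rhost=  user=root'

# failed_logins_by_ip LOG -> "count ip" per source address, most failures first
failed_logins_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# success_after_failure LOG -> addresses that failed at least once and then
# got an "Accepted" line: the trace a guessed or brute-forced password leaves
success_after_failure() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: (Failed|Accepted) password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if ($0 ~ /Failed password/) failed[ip] = 1
            else if (failed[ip]) print ip
        }'
}

# su_to_root_failures LOG -> number of failed su attempts whose target was root
su_to_root_failures() {
    printf '%s\n' "$1" | awk '
        /su: pam_unix\(su:auth\): authentication failure/ && / user=root/ { c++ }
        END { print c + 0 }'
}
```

A success following a run of failures from the same address deserves a look at that session even when the user is legitimate, because it is indistinguishable in the log from a password that was guessed.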
Chapter 36. Log Files Figure 36.1. System Log Viewer To filter the contents of the selected log file, click on View from the menu and select Filter as illustrated below.
Viewing Log Files Figure 36.2. System Log Viewer - View Menu Selecting the Filter menu item displays the Filter text field where you can type the keywords you wish to use for your filter. To clear your filter, click on the Clear button. The figure below illustrates a sample filter.
Chapter 36. Log Files Figure 36.3. System Log Viewer - Filter 36.3. Adding a Log File To add a log file you wish to view in the list, select File > Open. This will display the Open Log window where you can select the directory and filename of the log file you wish to view. The figure below illustrates the Open Log window.
Monitoring Log Files Figure 36.4. Adding a Log File Click on the Open button to open the file. The file is immediately added to the viewing list where you can select it and view the contents. Please also note that the System Log Viewer also allows you to open zipped logs whose filenames end in ".gz".
Chapter 36. Log Files Figure 36.5. Log File Alert Clicking on the messages log file displays the logs in the file with the new lines in bold as illustrated below.
Monitoring Log Files Figure 36.6. Log file contents The new lines are displayed in bold for five seconds after which they are displayed in normal font.
Chapter 36. Log Files Figure 36.7. Log file contents after five seconds...
Part V. System Monitoring System administrators also monitor system performance. Red Hat Enterprise Linux contains tools to assist administrators with these tasks.
Chapter 37. SystemTap 37.1. Introduction SystemTap provides a simple command line interface and scripting language to simplify the gathering of information about the running Linux kernel so that it can be further analyzed. Data may be extracted, filtered, and summarized quickly and safely, to enable diagnoses of complex performance or functional problems.
Chapter 37. SystemTap Figure 37.1. Flow of Data in SystemTap 37.3. Using SystemTap Systemtap works by translating a SystemTap script to C, running the system C compiler to create a kernel module from that. When the module is loaded, it activates all the probed events by hooking into the kernel.
Tracing stapprobes man page for details. All these events are named using a unified syntax that looks like dot-separated parameterized identifiers: • begin — The startup of the systemtap session. • end — The end of the systemtap session. • kernel.function("sys_open") — The entry to the function named sys_open in the kernel.
Chapter 38. Gathering System Information Before you learn how to configure your system, you should learn how to gather essential system information. For example, you should know how to find the amount of free memory, the amount of available hard drive space, how your hard drive is partitioned, and what processes are running. This chapter discusses how to retrieve this type of information from your Red Hat Enterprise Linux system using simple commands and a few simple programs.
Chapter 38. Gathering System Information Table 38.1, “Interactive top commands” contains useful interactive commands that you can use with top. For more information, refer to the top(1) manual page. • Space — Immediately refresh the display • h — Display a help screen • k — Kill a process.
Memory Usage • View the files opened by the selected process. To stop a process, select it and click End Process. Alternatively you can also stop a process by selecting it, clicking Edit on your menu and selecting Stop Process. To sort the information by a specific column, click on the name of the column.
Chapter 38. Gathering System Information Swap: 1310712 1310712 The command free -m shows the same information in megabytes, which are easier to read. total used free shared buffers cached Mem: -/+ buffers/cache: Swap: 1279 1279 If you prefer a graphical interface for free, you can use the GNOME System Monitor. To start it from the desktop, go to System >...
File Systems Figure 38.2. GNOME System Monitor - Resources tab 38.3. File Systems The df command reports the system's disk space usage. If you type the command df at a shell prompt, the output looks similar to the following:...
Chapter 38. Gathering System Information
Filesystem                      1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00  11675568   6272120   4810348  57% /
/dev/sda1                          100691      9281     86211  10% /boot
none                               322856    322856             0% /dev/shm
By default, this utility shows the partition size in 1 kilobyte blocks and the amount of used and available disk space in kilobytes.
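The two outputs above are usually read by a script rather than a person, and the script has to know which columns matter. The one below is an added example, not from the guide: it flags filesystems at or above a chosen percentage, reports free space on a mount point in megabytes, and reads memory use from the "-/+ buffers/cache" line of free -m, which is the figure that excludes the page cache (the "used" column of the Mem: line counts cache and would report 97% here). The df text is constructed in "df -P" (POSIX) layout, which keeps each filesystem on one line even when the device name is long; the free text is constructed in the free -m layout of this release.

```shell
#!/bin/sh
# Added example, not from the guide: turn df and free output into the numbers
# an administrator acts on. SAMPLE_DF is constructed in "df -P" layout
# (one line per filesystem); SAMPLE_FREE is constructed in "free -m" layout.

SAMPLE_DF='Filesystem                      1024-blocks      Used Available Capacity Mounted on
/dev/mapper/VolGroup00-LogVol00    11675568   6272120   4810348      57% /
/dev/sda1                            100691      9281     86211      10% /boot
/dev/sdb1                          51606140  49100000   2506140      96% /var
tmpfs                                322856         0    322856       0% /dev/shm'

SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:          1010        984         26          0         71        589
-/+ buffers/cache:        324        686
Swap:         1279          0       1279'

# df_over PCT DF_TEXT -> mount points at or above PCT percent full; a full
# /var stops syslog and the cron and print spools, so alert well before 100
df_over() {
    printf '%s\n' "$2" | awk -v limit="$1" '
        NR > 1 { pct = $5; sub(/%/, "", pct); if (pct + 0 >= limit) print $6 }'
}

# fs_avail_mb MOUNT DF_TEXT -> available space on MOUNT in whole megabytes
fs_avail_mb() {
    printf '%s\n' "$2" | awk -v m="$1" '$6 == m { printf "%d\n", $4 / 1024 }'
}

# mem_in_use_mb FREE_TEXT -> megabytes used by processes, cache excluded
mem_in_use_mb() {
    printf '%s\n' "$1" | awk '$1 == "-/+" { print $3 }'
}

# mem_used_pct FREE_TEXT -> that figure as a percentage of total RAM
mem_used_pct() {
    printf '%s\n' "$1" | awk '
        $1 == "Mem:" { total = $2 }
        $1 == "-/+"  { used = $3 }
        END { printf "%d\n", used * 100 / total }'
}
```

On a live host the calls are df_over 90 "$(df -P)" and mem_used_pct "$(free -m)"; the -P flag matters because plain df wraps a long device-mapper name onto its own line and the column positions shift.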
Hardware Figure 38.3. GNOME System Monitor - File Systems 38.4. Hardware If you are having trouble configuring your hardware or just want to know what hardware is in your system, you can use the Hardware Browser application to display the hardware that can be probed. To start the program from the desktop, select System (the main menu on the panel) >...
Chapter 38. Gathering System Information Figure 38.4. Hardware Browser The Device Manager application can also be used to display your system hardware. This application can be started by selecting System (the main menu on the panel) > Administration > Hardware like the Hardware Browser.
Hardware Figure 38.5. Device Manager You can also use the lspci command to list all PCI devices. Use the command lspci -v for more verbose information or lspci -vv for very verbose output. For example, lspci can be used to determine the manufacturer, model, and memory size of a system's video card: 00:00.0 Host bridge: ServerWorks CNB20LE Host Bridge (rev 06) 00:00.1 Host bridge: ServerWorks CNB20LE Host Bridge (rev 06)
Chapter 39. OProfile OProfile is a low overhead, system-wide performance monitoring tool. It uses the performance monitoring hardware on the processor to retrieve information about the kernel and executables on the system, such as when memory is referenced, the number of L2 cache requests, and the number of hardware interrupts received.
Chapter 39. OProfile • opimport — Converts sample database files from a foreign binary format to the native format for the system. Only use this option when analyzing a sample database from a different architecture. • opannotate — Creates annotated source for an executable if the application was compiled with debugging symbols. Refer to Section 39.5.4, “Using...
Setting Events to Monitor Note Even if OProfile is configured not to profile the kernel, the SMP kernel still must be running so that the oprofile module can be loaded from it. Setting whether samples should be collected within the kernel only changes what data is collected, not how or where the collected data is stored.
Chapter 39. OProfile Default event per processor: • Pentium Pro, Pentium II, Pentium III, Athlon, AMD64 — CPU_CLK_UNHALTED — The processor's clock is not halted • Pentium 4 (HT and non-HT) — GLOBAL_POWER_EVENTS — The time during which the processor is not stopped • Itanium 2 — CPU_CYCLES — CPU Cycles • TIMER_INT...
Separating Kernel and User-space Profiles opcontrol --event=<event-name>:<sample-rate> Replace <sample-rate> with the number of events to wait before sampling again. The smaller the count, the more frequent the samples. For events that do not happen frequently, a lower count may be needed to capture the event instances.
Chapter 39. OProfile opcontrol --separate=<choice> <choice> can be one of the following: • none — do not separate the profiles (default) • library — generate per-application profiles for libraries • kernel — generate per-application profiles for the kernel and kernel modules •...
Analyzing the Data To save the current set of sample files, execute the following command, replacing <name> with a unique descriptive name for the current session. opcontrol --save=<name> The directory /var/lib/oprofile/samples/name/ is created and the current sample files are copied to it. 39.5.
Chapter 39. OProfile 00a98749 1 8.3333 00a98753 1 8.3333 00a98789 1 8.3333 00a98864 1 8.3333 00a98869 1 8.3333 00a98b08 1 8.3333 The data is the same as the -l option except that for each symbol, each virtual memory address used is shown. For each virtual memory address, the number of samples and percentage of samples relative to the number of samples for the symbol is displayed.
Using opannotate warning: could not check that the binary file /ext3 has not been modified since the profile was taken. Results may be inaccurate. CPU: AMD64 processors, speed 797.948 MHz (estimated) Counted DATA_CACHE_ACCESSES events (Data cache accesses) with a unit mask of 0x00 (No unit mask) count 500000 Counted DATA_CACHE_MISSES events (Data cache misses) with a unit mask of 0x00 (No unit mask) count 500000...
Chapter 39. OProfile • kernel — If 0, samples are not collected for this counter event when the processor is in kernel- space; if 1, samples are collected even if the processor is in kernel-space. • unit_mask — Defines which unit masks are enabled for the counter. •...
Graphical Interface Figure 39.1. OProfile Setup On the right side of the tab, select the Profile kernel option to count events in kernel mode for the currently selected event, as discussed in Section 39.2.3, “Separating Kernel and User-space Profiles”. If this option is unselected, no samples are collected for the kernel. Select the Profile user binaries option to count events in user mode for the currently selected event, as discussed in Section 39.2.3, “Separating Kernel and User-space Profiles”.
Chapter 39. OProfile Figure 39.2. OProfile Configuration If the Verbose option is selected, the oprofiled daemon log includes more information. If Per-application kernel samples files is selected, OProfile generates per-application profiles for the kernel and kernel modules, as discussed in Section 39.2.3, “Separating Kernel and User-space Profiles”.
Part VI. Kernel and Driver Configuration System administrators can learn about and customize their kernels. Red Hat Enterprise Linux contains kernel tools to assist administrators with their customizations.
Chapter 40. Manually Upgrading the Kernel The Red Hat Enterprise Linux kernel is custom built by the Red Hat Enterprise Linux kernel team to ensure its integrity and compatibility with supported hardware. Before Red Hat releases a kernel, it must first pass a rigorous set of quality assurance tests. Red Hat Enterprise Linux kernels are packaged in RPM format so that they are easy to upgrade and verify using the Package Management Tool, or the yum command.
Red Hat Network. This *.src.rpm package must then be rebuilt locally using the rpmbuild command. For more information on obtaining and installing the kernel source package, refer to the latest updated Release Notes (including all updates) at http://www.redhat.com/docs/manuals/enterprise/ 40.2. Preparing to Upgrade Before upgrading the kernel, it is recommended that you take some precautionary steps.
40.3. Downloading the Upgraded Kernel There are several ways to determine if an updated kernel is available for the system. • Security Errata — Refer to http://www.redhat.com/security/updates/ for information on security errata, including kernel upgrades that fix security issues.
Chapter 40. Manually Upgrading the Kernel Important It is strongly recommended that you keep the old kernel in case there are problems with the new kernel. At a shell prompt, change to the directory that contains the kernel RPM packages. Check each package's signature with rpm -K before installing it, then use the -i argument with the rpm command to keep the old kernel; -U would replace it.
40.6.2. Itanium Systems Itanium systems use ELILO as the boot loader, which uses /boot/efi/EFI/redhat/elilo.conf as the configuration file. Confirm that this file contains an image section with the same version as the kernel package just installed:
prompt
timeout=50
default=old
image=vmlinuz-2.6.9-5.EL...
Chapter 40. Manually Upgrading the Kernel 40.6.3. IBM S/390 and IBM System z Systems The IBM S/390 and IBM System z systems use z/IPL as the boot loader, which uses /etc/zipl.conf as the configuration file. Confirm that the file contains a section with the same version as the kernel package just installed:
[defaultboot]
default=old
target=/boot/
[linux]...
IBM eServer pSeries Systems
image=/vmlinux-2.6.9-5.EL
        label=linux
        read-only
        initrd=/initrd-2.6.9-5.EL.img
        append="root=LABEL=/"
Notice that the default is not set to the new kernel. The kernel in the first image stanza is booted by default. To change the default kernel to boot, either move its image stanza so that it is the first one listed or add the directive default and set it to the label of the image stanza that contains the new kernel.
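The "confirm that the configuration contains a stanza for the new kernel" step in the ELILO and yaboot sections can be scripted. The block below is an added example, not part of the guide: it parses the label-style layout (a default=LABEL line followed by image= stanzas, each carrying a label=), reports whether the kernel version just installed has a stanza, and says whether that stanza is the one that boots by default, applying the rule stated above that without a default= line the first stanza boots. The configuration text is a constructed sample modelled on the one above; the version of the old kernel in it is invented.

```shell
#!/bin/sh
# Added example, not from the guide: verify a label-style boot loader
# configuration (the elilo.conf / yaboot.conf layout shown above) after a
# kernel RPM is installed. The text below is a constructed sample; the
# version of the "old" kernel in it is invented.

SAMPLE_CONF='prompt
timeout=50
default=old
image=vmlinuz-2.6.9-5.EL
        label=linux
        initrd=initrd-2.6.9-5.EL.img
        read-only
        append="root=LABEL=/"
image=vmlinuz-2.6.9-1.906_EL
        label=old
        initrd=initrd-2.6.9-1.906_EL.img
        read-only
        append="root=LABEL=/"'

# conf_images CONF -> one "LABEL IMAGE" line per image= stanza, in file
# order ("-" when a stanza has no label=)
conf_images() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*image=/ {
            if (img != "") { l = (lbl == "" ? "-" : lbl); print l, img }
            sub(/^[ \t]*image=/, ""); img = $0; lbl = ""
        }
        /^[ \t]*label=/ { sub(/^[ \t]*label=/, ""); lbl = $0 }
        END { if (img != "") { l = (lbl == "" ? "-" : lbl); print l, img } }'
}

# conf_default_label CONF -> value of the first default= line, if any
conf_default_label() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*default=//p' | head -n 1
}

# default_image CONF -> the image that boots by default: the stanza whose
# label matches default=, or the first stanza when there is no default= line
default_image() {
    lbl=$(conf_default_label "$1")
    if [ -n "$lbl" ]; then
        conf_images "$1" | awk -v l="$lbl" '$1 == l { print $2; exit }'
    else
        conf_images "$1" | awk 'NR == 1 { print $2 }'
    fi
}

# kernel_status CONF VERSION -> missing | present | default, matching an
# image whose path ends in VERSION (so 2.6.9-5.EL does not match 2.6.9-5.ELsmp)
kernel_status() {
    img=$(conf_images "$1" | awk -v v="$2" 'substr($2, length($2) - length(v) + 1) == v { print $2; exit }')
    if [ -z "$img" ]; then echo missing; return 0; fi
    if [ "$(default_image "$1")" = "$img" ]; then echo default; else echo present; fi
}
```

On a real system the call is kernel_status "$(cat /etc/yaboot.conf)" "$(uname -r)" style, with the version taken from the RPM you just installed; "present" is the state the guide recommends right after the upgrade (new kernel bootable, old kernel still the default) until the new one has been booted and tested.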
Chapter 41. General Parameters and Modules This chapter is provided to illustrate some of the possible parameters available for common hardware device drivers, which under Red Hat Enterprise Linux are called kernel modules. In most cases, the default parameters do work. However, there may be times when extra module parameters are necessary for a device to function properly or to override the module's default parameters for the device.
Persistent Module Loading To print to the screen all commands as /sbin/modprobe executes them, use the -v option. For example: /sbin/modprobe -v e100 Output similar to the following is displayed: /sbin/insmod /lib/modules/2.6.9-5.EL/kernel/drivers/net/e100.ko Using /lib/modules/2.6.9-5.EL/kernel/drivers/net/e100.ko Symbol version prefix 'smp_' The /sbin/insmod command also exists to load kernel modules; however, it does not resolve dependencies.
Chapter 41. General Parameters and Modules This approach is not necessary for network and SCSI interfaces because they have their own specific mechanisms. 41.3. Specifying Module Parameters In some situations, it may be necessary to supply parameters to a module as it is loaded for it to function properly.
Storage parameters Hardware Module Parameters systems that do not have a BIOS aif_timeout — The duration of time in seconds to wait for applications to pick up AIFs before deregistering them. This is typically adjusted for heavily burdened systems. numacb — Request a limit to the number of adapter control blocks (FIB) allocated.
Chapter 41. General Parameters and Modules Hardware Module Parameters global_tag_depth:<int> — Global tag depth for every target on every bus seltime:<int> — Selection Timeout (0/256ms,1/128ms,2/64ms,3/32ms) IBM ServeRAID ips.ko LSI Logic MegaRAID Mailbox unconf_disks — Set to megaraid_mbox.ko Driver expose unconfigured disks to kernel (default=0) busy_wait —...
Storage parameters Hardware Module Parameters lpfc_nodev_tmo — Seconds driver will hold I/O waiting for a device to come back lpfc_topology — Select Fibre Channel topology lpfc_link_speed — Select link speed lpfc_fcp_class — Select Fibre Channel class of service for FCP sequences lpfc_use_adisc —...
Chapter 41. General Parameters and Modules Hardware Module Parameters mptfc_dev_loss_tmo — Initial time the driver programs the transport to wait for an rport to return following a device loss event. mpt_pt_clear — Clear persistency table mpt_saf_te — Force enabling SEP Processor QLogic Fibre Channel Driver qla2xxx.ko ql2xlogintimeout —...
Ethernet Parameters Hardware Module Parameters led — Set to 1 to enable LED support diff — 0 for no differential mode, 1 for BIOS, 2 for always, 3 for not GPIO3 irqm — 0 for open drain, 1 to leave alone, 2 for totem pole buschk —...
Chapter 41. General Parameters and Modules Note For information about using these tools, consult the man pages for ethtool, mii-tool, and modinfo. Hardware Module Parameters 3Com EtherLink PCI III/XL debug — 3c59x debug level 3c59x.ko Vortex (3c590, 3c592, 3c595, (0-6) 3c597) Boomerang (3c900, options —...
Ethernet Parameters Hardware Module Parameters compaq_ioaddr — 3c59x PCI I/O base address (Compaq BIOS problem workaround) compaq_irq — 3c59x PCI IRQ number (Compaq BIOS problem workaround) compaq_device_id — 3c59x PCI device ID (Compaq BIOS problem workaround) watchdog — 3c59x transmit timeout in milliseconds global_use_mmio —...
Ethernet Parameters Hardware Module Parameters myri10ge_force_firmware — Force firmware to assume aligned completions myri10ge_skb_cross_4k — Can a small skb cross a 4KB boundary? myri10ge_initial_mtu — Initial MTU myri10ge_napi_weight — Set NAPI weight myri10ge_watchdog_timeout — Set watchdog timeout myri10ge_max_irq_loops — Set stuck legacy IRQ detection threshold NatSemi DP83815 Fast mtu —...
Chapter 41. General Parameters and Modules Hardware Module Parameters options — pcnet32 initial option setting(s) (0-15) full_duplex — pcnet32 full duplex setting(s) (1) homepna — pcnet32 mode for 79C978 cards (1 for HomePNA, 0 for Ethernet, default Ethernet RealTek RTL-8169 Gigabit media —...
Ethernet Parameters Hardware Module Parameters small_frames — Maximum size of receive frames that bypass interrupt latency (0,64,128,256,512) options — Deprecated: Bits 0-3: media type, bit 17: full duplex full_duplex — Deprecated: Forced full-duplex setting (0/1) enable_hw_cksum — Enable/ disable hardware cksum support (0/1) Broadcom Tigon3 tg3_debug —...
/etc/modprobe.conf. For additional information about using multiple Ethernet cards, refer to the Linux Ethernet-HOWTO online at http://www.redhat.com/mirrors/LDP/HOWTO/Ethernet-HOWTO.html. 41.5.2. The Channel Bonding Module Red Hat Enterprise Linux allows administrators to bind NICs together into a single channel using the bonding kernel module and a special network interface, called a channel bonding interface.
The Channel Bonding Module sysfs is a virtual file system that represents kernel objects as directories, files and symbolic links. sysfs can be used to query for information about kernel objects, and can also manipulate those objects through the use of normal file system commands. The sysfs virtual file system has a line in /etc/fstab, and is mounted under /sys.
Chapter 41. General Parameters and Modules ~]# echo balance-alb > /sys/class/net/bond0/bonding/mode After configuring some options for the bond in question, you can bring it up and test it by running ifconfig bond<N> up. If you decide to change the options, take the interface down, modify its parameters using sysfs, bring it back up, and re-test.
The Channel Bonding Module • 1 — Debug messages are enabled. downdelay=<time_in_milliseconds> Specifies (in milliseconds) how long to wait after link failure before disabling the link. The value must be a multiple of the value specified in the miimon parameter. The value is set to 0 by default, which disables it.
Chapter 41. General Parameters and Modules address for one of the slave NICs. Once this link is established, transmissions are sent out sequentially beginning with the first available interface. • broadcast or 3 — Sets a broadcast policy for fault tolerance. All transmissions are sent on all slave interfaces.
The Channel Bonding Module • If no slaves are active, the first slave to recover is made the active slave. • When initially enslaved, the primary slave is always made the active slave. Changing the primary_reselect policy via sysfs will cause an immediate selection of the best active slave according to the new policy.
Chapter 41. General Parameters and Modules For fragmented TCP or UDP packets and all other IP protocol traffic, the source and destination port information is omitted. For non-IP traffic, the formula is the same as the layer2 transmit hash policy. This policy intends to mimic the behavior of certain switches;...
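The bonding parameters described in this section interact, and the module accepts a bad combination without complaint until a link actually fails. The block below is an added example, not from the guide: it checks an option string of the kind placed on an options line in /etc/modprobe.conf or written through /sys/class/net/bond0/bonding/ against the rules stated above (a mode that is one of the seven policies, link monitoring through miimon or arp_interval, an arp_ip_target whenever arp_interval is used, and downdelay and updelay as multiples of miimon), then emits the alias and options lines for the bond. The option strings are constructed; nothing here loads the module or touches an interface.

```shell
#!/bin/sh
# Added example, not from the guide: sanity-check bonding module options
# before putting them on an "options bond0 ..." line in /etc/modprobe.conf
# or writing them through /sys/class/net/bond0/bonding/. Inputs are
# constructed strings; nothing here touches the module or the network.

MODES='balance-rr active-backup balance-xor broadcast 802.3ad balance-tlb balance-alb'

# mode_name MODE -> the policy name for a numeric (0-6) or named mode;
# prints nothing if MODE is neither
mode_name() {
    i=0
    for m in $MODES; do
        if [ "$1" = "$m" ] || [ "$1" = "$i" ]; then printf '%s' "$m"; return 0; fi
        i=$((i + 1))
    done
    return 0
}

# bond_opts_check "key=value key=value ..." -> prints ok or the first problem
bond_opts_check() {
    mode=0; miimon=0; downdelay=0; updelay=0; arp_interval=0; arp_ip_target=''   # module defaults
    for kv in $1; do
        key=${kv%%=*}; val=${kv#*=}
        case "$key" in
            mode)          mode=$val ;;
            miimon)        miimon=$val ;;
            downdelay)     downdelay=$val ;;
            updelay)       updelay=$val ;;
            arp_interval)  arp_interval=$val ;;
            arp_ip_target) arp_ip_target=$val ;;
            primary|primary_reselect|lacp_rate|xmit_hash_policy|use_carrier|fail_over_mac|max_bonds|debug) ;;
            *) echo "unknown option $key"; return 0 ;;
        esac
    done
    canon=$(mode_name "$mode")
    if [ -z "$canon" ]; then echo "invalid mode $mode"; return 0; fi
    for n in "$miimon" "$downdelay" "$updelay" "$arp_interval"; do
        case "$n" in ''|*[!0-9]*) echo "non-numeric value $n"; return 0 ;; esac
    done
    # Without either monitor the driver cannot notice a failed link, so a
    # fault-tolerant mode such as active-backup never fails over.
    if [ "$miimon" -eq 0 ] && [ "$arp_interval" -eq 0 ]; then
        echo "no link monitoring: set miimon or arp_interval"; return 0
    fi
    if [ "$arp_interval" -gt 0 ] && [ -z "$arp_ip_target" ]; then
        echo "arp_interval needs at least one arp_ip_target"; return 0
    fi
    if [ "$miimon" -gt 0 ]; then
        if [ $((downdelay % miimon)) -ne 0 ]; then
            echo "downdelay $downdelay is not a multiple of miimon $miimon"; return 0
        fi
        if [ $((updelay % miimon)) -ne 0 ]; then
            echo "updelay $updelay is not a multiple of miimon $miimon"; return 0
        fi
    fi
    echo ok
}

# modprobe_conf_lines BOND "opts" -> the alias and options lines for BOND,
# or nothing (with the problem on stderr) when the options fail the check
modprobe_conf_lines() {
    verdict=$(bond_opts_check "$2")
    if [ "$verdict" != ok ]; then echo "$1: $verdict" >&2; return 0; fi
    printf 'alias %s bonding\noptions %s %s\n' "$1" "$1" "$2"
}
```

The miimon multiple rule comes straight from the downdelay description above; the driver rounds a non-multiple down silently, which is why the check reports it rather than letting the module decide.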
Part VII. Security And Authentication
Whether system administrators need to secure their mission-critical systems, services, or data, Red Hat Enterprise Linux provides a range of tools and methods to serve as part of a comprehensive security strategy. This chapter provides a general introduction to security, from the perspective of Red Hat Enterprise Linux in particular.
Chapter 42. Security Overview
Because of the increased reliance on powerful, networked computers to help run businesses and keep track of our personal information, industries have been formed around the practice of network and computer security. Enterprises have solicited the knowledge and skills of security experts to properly audit systems and tailor solutions to fit the operating requirements of the organization.
42.1.1.2. Security Today
In February of 2000, a Distributed Denial of Service (DDoS) attack was unleashed on several of the most heavily-trafficked sites on the Internet. The attack rendered yahoo.com, cnn.com, amazon.com, fbi.gov, and several other sites completely unreachable to normal users, as it tied up routers for several hours with large-byte ICMP packet transfers, also called a ping flood.
42.1.2. Security Controls
Computer security is often divided into three distinct master categories, commonly referred to as controls: • Physical • Technical • Administrative These three broad categories define the main objectives of proper security implementation. Within these controls are sub-categories that further detail the controls and how to implement them. 42.1.2.1.
• Personnel recruitment and separation strategies • Personnel registration and accounting
42.1.3. Conclusion
Now that you have learned about the origins, reasons, and aspects of security, you can determine the appropriate course of action with regard to Red Hat Enterprise Linux. It is important to know what factors and conditions make up security in order to plan and implement a proper strategy.
...reconnaissance phase, during which important data regarding the target systems and resources is gathered. This phase leads to the system readiness phase, whereby the target is essentially checked for all known vulnerabilities. The readiness phase culminates in the reporting phase, where the findings are classified into categories of high, medium, and low risk;...
Now that the difference between a vulnerability assessment and a penetration test is defined, take the findings of the assessment and review them carefully before conducting a penetration test as part of your new best practices approach. Warning Attempting to exploit vulnerabilities on production resources can have adverse effects on the productivity and efficiency of your systems and network.
...the README file or man page for the tool. Additionally, look to the Internet for more information, such as articles, step-by-step guides, or even mailing lists specific to a tool. The tools discussed below are just a small sampling of the available tools. 42.2.3.1.
...scanning, and real-time vulnerability searches. Remember that there could be false positives and false negatives, even in a tool as powerful and as frequently updated as Nessus. Note Nessus is not included with Red Hat Enterprise Linux and is not supported. It has been included in this document as a reference for users who may be interested in using this popular application.
...part of performing assessments may include reviewing physical security, personnel screening, or voice/PBX network assessment. New concepts, such as war walking (scanning the perimeter of your enterprise's physical structures for wireless network vulnerabilities), are emerging concepts that you can investigate and, if needed, incorporate into your assessments.
Gray hat hackers typically subscribe to another form of the hacker ethic, which says it is acceptable to break into systems as long as the hacker does not commit theft or breach confidentiality. Some would argue, however, that the act of breaking into a system is in itself unethical. Regardless of the intent of the intruder, it is important to know the weaknesses a cracker may likely attempt to exploit.
...unwanted services, such as Telnet, DHCP, or DNS, to run on a server or workstation without the administrator realizing it, which in turn can cause unwanted traffic to the server, or even a potential pathway into the system for crackers (refer to Section 43.2, “Server Security”).
One category of insecure network services is those that require unencrypted usernames and passwords for authentication. Telnet and FTP are two such services. If packet sniffing software is monitoring traffic between the remote user and such a service, usernames and passwords can be easily intercepted.
Section 43.1, “Workstation Security” discusses in more detail what steps administrators and home users should take to limit the vulnerability of computer workstations.
42.4. Common Exploits and Attacks
Table 42.1, “Common Exploits” details some of the most common exploits and entry points used by intruders to access organizational network resources.
Exploit | Description | Notes (table continued, one row recovered in part)
Description: ...eavesdropping on the connection between the two nodes.
Notes: Remote attacker must have access to a compromised system on a LAN in order to perform such an attack; usually the cracker has used an active attack (such as IP spoofing or man-in-the-middle) to compromise a system on the LAN.
Exploit | Description | Notes (table continued, one row recovered in part)
Description: ...administrative privileges on the rest of the network.
Notes: ...install unauthorized software or open unsolicited email attachments. Safeguards can be implemented such that email client software does not automatically open or execute attachments. Additionally, the automatic update of workstation software via Red Hat Network or other system management services can alleviate the burdens of multi-seat...
...Red Hat Update Agent or schedule the package to be updated through the website http://rhn.redhat.com. Red Hat Enterprise Linux includes the Red Hat Network Alert Notification Tool, a convenient panel icon that displays visible alerts when there is an update for a registered Red Hat Enterprise Linux system.
When security errata reports are released, they are published on the Red Hat Errata website available at http://www.redhat.com/security/. From this page, select the product and version for your system, and then select security at the top of the page to display only Red Hat Enterprise Linux Security Advisories.
rpm -K /tmp/updates/*.rpm
For each package, if the GPG key verifies successfully, the command returns gpg OK. If it doesn't, make sure you are using the correct Red Hat public key, as well as verifying the source of the content. Packages that do not pass GPG verification should not be installed, as they may have been altered by a third party.
Note In general, rebooting the system is the surest way to ensure that the latest version of a software package is used; however, this option is not always available to the system administrator.
Applications
User-space applications are any programs that can be initiated by a system user. Typically, such applications are used only when a user, script, or automated task utility launches them and they do not persist for long periods of time.
xinetd Services
Services controlled by the xinetd super service only run when there is an active connection. Examples of services controlled by xinetd include Telnet, IMAP, and POP3. Because new instances of these services are launched by xinetd each time a new request is received, connections that occur after an upgrade are handled by the updated software.
Chapter 43. Securing Your Network
43.1. Workstation Security
Securing a Linux environment begins with the workstation. Whether locking down a personal machine or securing an enterprise system, sound security policy begins with the individual computer. A computer network is only as secure as its weakest node. 43.1.1.
...user mode, which in turn allows them to start arbitrary processes on the system or copy sensitive data. 2. Preventing System Booting — Some BIOSes allow password protection of the boot process. When activated, an attacker is forced to enter a password before the BIOS launches the boot loader.
Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the file and, below the timeout line in the main section of the document, add the following line:
password --md5 <password-hash>
Replace <password-hash> with the value returned by /sbin/grub-md5-crypt. The next time the system boots, the GRUB menu prevents access to the editor or command interface without first pressing p followed by the GRUB password.
...cracking attacks. If an intruder can gain access to the machine as a regular user, he can copy the /etc/passwd file to his own machine and run any number of password cracking programs against it.
• Do Not Use Hacker Terminology — If you think you are elite because you use hacker terminology — also called l337 (LEET) speak — in your password, think again. Many word lists include LEET speak. Some insecure examples include the following: •...
• Include Non-Alphanumeric Characters — Special characters such as &, $, and > can greatly improve the strength of a password (this is not possible if using DES passwords). • Pick a Password You Can Remember — The best password in the world does little good if you cannot remember it;...
...passwords, they can use the command line application passwd, which is Pluggable Authentication Manager (PAM) aware and therefore checks to see if the password is too short or otherwise easy to crack. This check is performed using the pam_cracklib.so PAM module. Since PAM is customizable, it is possible to add more password integrity checkers, such as pam_passwdqc (available from http://www.openwall.com/passwdqc/) or to write a new module.
chage -M 90 <username>
In the above command, replace <username> with the name of the user. To disable password expiration, it is traditional to use a value of 99999 after the -M option (this equates to a little over 273 years).
Figure 43.1. Specifying password aging options
For more information about user and group configuration (including instructions on forcing first-time passwords), refer to Chapter 33, Users and Groups.
43.1.4. Administrative Controls
When administering a home machine, the user must perform some tasks as the root user or by acquiring effective root privileges via a setuid program, such as sudo or su.
...the pam_console.so module.) However, other important system administration tasks, such as altering network settings, configuring a new mouse, or mounting network devices, are not possible without administrative privileges. As a result, system administrators must decide how much access the users on their network should receive.
Method | Description | Effects | Does Not Affect (table continued, one row recovered in part)
Method: ...access via any console device
Description: ...root login on any devices attached to the computer.
Effects: ...the network. The following programs are prevented from accessing the root account: ...
Does Not Affect: ...administrative tasks through setuid or other mechanisms. The following programs are not prevented from...
43.1.4.2.2. Disabling Root Logins
To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface.
43.1.4.3. Limiting Root Access
Rather than completely denying access to the root user, the administrator may want to allow access only via setuid programs, such as su or sudo.
43.1.4.3.1. The su Command
When a user executes the su command, they are prompted for the root password and, after authentication, are given a root shell prompt.
Figure 43.2. Adding users to the "wheel" group.
Note The root user is part of the wheel group by default.
43.1.4.3.2. The sudo Command
The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password.
The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command and the command is executed in the user's shell, not a root shell. This means the root shell can be completely disabled, as shown in Section 43.1.4.2.1, “Disabling the Root Shell”.
• Buffer Overflow Attacks — Services that connect to ports numbered 0 through 1023 must run as an administrative user. If the application has an exploitable buffer overflow, an attacker could gain access to the system as the user running the daemon. Because exploitable buffer overflows exist, crackers use automated tools to identify systems with vulnerabilities, and once they have gained access, they use automated rootkits to maintain their access to the system.
Figure 43.3. Services Configuration Tool
If unsure of the purpose for a particular service, the Services Configuration Tool has a description field, illustrated in Figure 43.3, “Services Configuration Tool”, that provides additional information. Checking which network services are available to start at boot time is only part of the story. You should also check which ports are open and listening (Section 43.2.8, “Verifying Which Ports...”).
...systems, such as NFS and SMB, also transmit information over the network unencrypted. It is the user's responsibility when using these protocols to limit what type of data is transmitted. Remote memory dump services, like netdump, transmit the contents of memory over the network unencrypted.
Firewalls prevent network packets from accessing the system's network interface. If a request is made to a port that is blocked by a firewall, the request is ignored. If a service is listening on one of these blocked ports, it does not receive the packets and is effectively disabled.
Before delving into specific issues, review the following general tips for enhancing server security: • Keep all services current, to protect against the latest threats. • Use secure protocols whenever possible. • Serve only one type of network service per machine whenever possible. •...
The %c token supplies a variety of client information, such as the username and hostname, or the username and IP address to make the connection even more intimidating. For this banner to be displayed to incoming connections, add the following line to the /etc/hosts.allow file:
vsftpd : ALL : banners /etc/banners/
43.2.1.1.2.
...Service (DoS) attacks. Refer to the man pages for xinetd and xinetd.conf for a list of available options.
43.2.1.2.1. Setting a Trap
One important feature of xinetd is its ability to add hosts to a global no_access list. Hosts on this list are denied subsequent connections to services managed by xinetd for a specified period or until xinetd is restarted.
• <wait_period> — The number of seconds to wait before re-enabling the service after it has been disabled. The default interval is ten (10) seconds. • instances = <number_of_connections> — Specifies the total number of connections allowed to a service. This directive accepts either an integer value or UNLIMITED. •...
iptables -A INPUT -p tcp -s ! 192.168.0.0/24 --dport 111 -j DROP
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
To similarly limit UDP traffic, use the following command.
iptables -A INPUT -p udp -s ! 192.168.0.0/24 --dport 111 -j DROP
Section 43.8, “Firewalls”...
For instance, if someone either connects a laptop computer into the network or breaks into the network from outside (and manages to spoof an internal IP address), the following command reveals the /etc/passwd map:
ypcat -d <NIS_domain> -h <DNS_hostname> passwd
If this attacker is a root user, they can obtain the /etc/shadow file by typing the following command:
ypcat -d <NIS_domain>...
YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"
The following iptables rules can then be used to enforce which network the server listens to for these ports:
iptables -A INPUT -p ALL -s ! 192.168.0.0/24 --dport 834 -j DROP
iptables -A INPUT -p ALL -s ! 192.168.0.0/24 --dport 835 -j DROP
This means that the server only allows connections to ports 834 and 835 if the requests come from the 192.168.0.0/24 network, regardless of the protocol.
...application. This includes Chapter 22, Apache HTTP Server, and the Stronghold manuals, available at http://www.redhat.com/docs/manuals/stronghold/. System administrators should be careful when using the following configuration options:
43.2.5.1. FollowSymLinks
This directive is enabled by default, so be sure to use caution when creating symbolic links to the document root of the Web server.
43.2.5.3. The UserDir Directive
The UserDir directive is disabled by default because it can confirm the presence of a user account on the system. To enable user directory browsing on the server, use the following directives:
UserDir enabled
UserDir disabled root
These directives activate user directory browsing for all user directories other than /root/.
43.2.6.1. FTP Greeting Banner
Before submitting a username and password, all users are presented with a greeting banner. By default, this banner includes version information useful to crackers trying to identify weaknesses in a system. To change the greeting banner for vsftpd, add the following directive to the /etc/vsftpd/vsftpd.conf file:
ftpd_banner=<insert_greeting_here>...
By default the anonymous user cannot write to any directories. Caution If enabling anonymous access to an FTP server, be aware of where sensitive data is stored.
43.2.6.2.1. Anonymous Upload
To allow anonymous users to upload files, it is recommended that a write-only directory be created within /var/ftp/pub/.
It is also possible to disable user accounts within each service directly. To disable specific user accounts in vsftpd, add the username to /etc/vsftpd.ftpusers.
43.2.6.4. Use TCP Wrappers To Control Access
Use TCP Wrappers to control access to either FTP daemon as outlined in Section 43.2.1.1, “Enhancing Security With TCP Wrappers”.
Note With NFSv4 using Kerberos, this is not the case, since the SECRPC_GSS kernel module does not utilize UID-based authentication. However, it is considered good practice not to put the mail spool directory on NFS shared volumes. 43.2.7.3.
This output shows the system is running portmap due to the presence of the sunrpc service. However, there is also a mystery service on port 834. To check if the port is associated with the official list of known services, type:
cat /etc/services | grep 834
This command returns no output.
...underlying authentication and authorization mechanisms so that users can log in to Red Hat Enterprise Linux from the log-in screen, and then not need to re-enter their passwords. These applications are detailed below. In addition, users can log in to their machines even when there is no network (offline mode) or where network connectivity is unreliable, for example, wireless access.
...a smart card that was designed to be used with the Red Hat Enterprise Linux Certificate System server product, it displays a user interface instructing the user how to enroll that smart card. •...
• Ignore — Removing the smart card has no effect. If you need to enable the Online Certificate Status Protocol (OCSP), open the /etc/pam_pkcs11/pam_pkcs11.conf file, and locate the following line:
enable_ocsp = false;
Change this value to true, as follows:
enable_ocsp = true;...
Figure 43.4. How Smart Card Enrollment Works
43.3.4. How Smart Card Login Works
This section provides a brief overview of the process of logging in using a smart card. 1. When the user inserts their smart card into the smart card reader, this event is recognized by the PAM facility, which prompts for the user's PIN.
Figure 43.5. How Smart Card Login Works
Note You cannot log in with a card that has not been enrolled, even if it has been formatted. You need to log in with a formatted, enrolled card, or not using a smart card, before you can enroll a new card.
4. Enter the name of the domain against which you want to authenticate, for example, .example.com. 5. Repeat the above procedure for the network.negotiate-auth.delegation-uris entry, using the same domain. Note You can leave this value blank, as it allows Kerberos ticket passing, which is not required.
43.3.5.1. Troubleshooting
If you have followed the configuration steps above and Negotiate authentication is not working, you can turn on verbose logging of the authentication process. This could help you find the cause of the problem.
In most situations, the default PAM configuration file for a PAM-aware application is sufficient. Sometimes, however, it is necessary to edit a PAM configuration file. Because misconfiguration of PAM can compromise system security, it is important to understand the structure of these files (Section 43.4.3, “PAM Configuration File Format”)...
• password — This module interface is used for changing user passwords. • session — This module interface configures and manages user sessions. Modules with this interface can also perform additional tasks that are needed to allow access, like mounting a user's home directory and making the user's mailbox available.
43.4.3.2. Control Flag
All PAM modules generate a success or failure result when called. Control flags tell PAM what to do with the result. Modules can be stacked in a particular order, and the control flags determine how important the success or failure of a particular module is to the overall goal of authenticating the user to the service.
The following is a typical pam_userdb.so line in a PAM configuration. The <path-to-file> is the full path to the Berkeley DB database file:
auth required pam_userdb.so db=<path-to-file>
Invalid arguments are generally ignored and do not otherwise affect the success or failure of the PAM module.
• account required pam_unix.so — This module performs any necessary account verification. For example, if shadow passwords have been enabled, the account interface of the pam_unix.so module checks to see if the account has expired or if the user has not changed the password within the allowed grace period.
...pam_timestamp.so is in effect leaves the machine open to manipulation by anyone with physical access to the console. In the PAM timestamp scheme, the graphical administrative application prompts the user for the root password when it is launched. When the user has been authenticated, the pam_timestamp.so module creates a timestamp file.
/sbin/pam_timestamp_check -k root </dev/null >/dev/null 2>/dev/null
Failure to use this command will only remove the credentials (if any) from the pty where you run the command. Refer to the pam_timestamp_check man page for more information about destroying the timestamp file using pam_timestamp_check.
Warning If the gdm, kdm, or xdm display manager configuration file has been altered to allow remote users to log in and the host is configured to run at runlevel 5, it is advisable to change the <console> and <xconsole> directives in /etc/security/console.perms to the following values:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0
<xconsole>=:0\.[0-9] :0...
43.4.8.1. Installed Documentation
• PAM-related man pages — Several man pages exist for the various applications and configuration files involved with PAM. The following is a list of some of the more important man pages. Configuration Files •...
...network service is the xinetd super server. This service is called a super server because it controls connections to a subset of network services and further refines access control. Figure 43.9, “Access Control to Network Services” is a basic illustration of how these tools work together to protect network services.
If a client is allowed to connect, TCP Wrappers release control of the connection to the requested service and take no further part in the communication between the client and the server. In addition to access control and logging, TCP Wrappers can execute commands to interact with the client before denying or releasing control of the connection to the requested network service.
1. It references /etc/hosts.allow. — The TCP-wrapped service sequentially parses the /etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule, it allows the connection. If not, it moves on to the next step. 2.
• <option> — An optional action or colon-separated list of actions performed when the rule is triggered. Option fields support expansions, launch shell commands, allow or deny access, and alter logging behavior. Note More information on the specialist terms above can be found elsewhere in this Guide: Section 43.5.2.1.1, “Wildcards”...
• PARANOID — Matches any host where the hostname does not match the host address. Caution The KNOWN, UNKNOWN, and PARANOID wildcards should be used with care, because they rely on a functioning DNS server for correct operation. Any disruption to name resolution may prevent legitimate users from gaining access to a service.
ALL : *.example.com
• The slash (/) — If a client list begins with a slash, it is treated as a file name. This is useful if rules specifying large numbers of hosts are necessary. The following example refers TCP Wrappers to the /etc/telnet.hosts file for all Telnet connections:
in.telnetd : /etc/telnet.hosts
Other, lesser used, patterns are also accepted by TCP Wrappers.
Note Organizationally, it is often easier to avoid using EXCEPT operators. This allows other administrators to quickly scan the appropriate files to see what hosts are allowed or denied access to services, without having to sort through EXCEPT operators. 43.5.2.2.
By allowing access control on a per-rule basis, the option field allows administrators to consolidate all access rules into a single file: either hosts.allow or hosts.deny. Some administrators consider this an easier way of organizing access rules. 43.5.2.2.3.
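As an added example (not code from the Deployment Guide or from the tcp_wrappers package), the following Python script evaluates the hosts.allow-then-hosts.deny ordering, the ALL, KNOWN and UNKNOWN wildcards, the leading-dot, trailing-dot and slash patterns, the EXCEPT operator and the allow/deny option fields described in this section. The two files, the simulated /etc/telnet.hosts include and the client addresses are constructed for the demonstration.

```python
import fnmatch
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample files (hypothetical; nothing is read from the real /etc).
HOSTS_ALLOW = """
# first matching rule wins; a match here allows unless the option says deny
sshd : 192.168.0. EXCEPT 192.168.0.13
vsftpd : ALL : banners /etc/banners/
in.telnetd : /etc/telnet.hosts
# consolidated single-file style: an explicit deny rule inside hosts.allow
portmap : 192.168.0.
portmap : ALL : deny
"""
HOSTS_DENY = """
ALL : ALL
"""
# Simulated contents of files referenced with a leading slash (constructed).
INCLUDED_FILES = {"/etc/telnet.hosts": "ops1.example.com\n.lab.example.com\n"}

Rule = Tuple[str, str, str]  # (daemon_list, client_list, option_field)


@dataclass
class Client:
    address: str
    hostname: Optional[str] = None  # None when reverse lookup failed (UNKNOWN)


def parse_rules(text: str) -> List[Rule]:
    """Split a hosts.allow/hosts.deny file into (daemons, clients, option) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            fields = [f.strip() for f in line.split(":", 2)] + ["", ""]
            rules.append((fields[0], fields[1], fields[2]))
    return rules


def match_client(pattern: str, client: Client) -> bool:
    """Match one client pattern against the connecting host (hosts_access(5))."""
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return client.hostname is not None
    if pattern == "UNKNOWN":
        return client.hostname is None
    if pattern.startswith("/"):   # file holding one pattern per line
        return any(match_client(p, client)
                   for p in INCLUDED_FILES.get(pattern, "").split())
    if pattern.startswith("."):   # ".example.com" matches a hostname suffix
        return client.hostname is not None and client.hostname.endswith(pattern)
    if pattern.endswith("."):     # "192.168.0." matches an address prefix
        return client.address.startswith(pattern)
    if "*" in pattern or "?" in pattern:  # shell-style wildcard on the hostname
        return client.hostname is not None and fnmatch.fnmatchcase(client.hostname, pattern)
    return pattern in (client.address, client.hostname)


def match_list(field: str, matcher: Callable[[str], bool]) -> bool:
    """'list1 EXCEPT list2' matches list1 unless list2 (which may itself
    contain EXCEPT) also matches."""
    head, sep, rest = field.partition(" EXCEPT ")
    matched = any(matcher(p) for p in head.split())
    if sep and matched:
        return not match_list(rest, matcher)
    return matched


def first_match(rules: List[Rule], daemon: str, client: Client) -> Optional[Rule]:
    """Return the first rule whose daemon list and client list both match."""
    for rule in rules:
        if (match_list(rule[0], lambda p: p in ("ALL", daemon))
                and match_list(rule[1], lambda p: match_client(p, client))):
            return rule
    return None


def hosts_access(daemon: str, client: Client) -> Tuple[str, str]:
    """Decide ("allow" | "deny", reason): hosts.allow is consulted first, then
    hosts.deny; with no match in either file the connection is allowed."""
    files = (("hosts.allow", HOSTS_ALLOW, "allow"), ("hosts.deny", HOSTS_DENY, "deny"))
    for name, text, default in files:
        rule = first_match(parse_rules(text), daemon, client)
        if rule is None:
            continue
        options = rule[2].split()
        # the allow/deny option overrides the verdict implied by the file
        verdict = "deny" if "deny" in options else "allow" if "allow" in options else default
        return verdict, f"{name}: {rule[0]} : {rule[1]}"
    return "allow", "no matching rule in either file"


if __name__ == "__main__":
    for daemon, client in [("sshd", Client("192.168.0.5")),
                           ("sshd", Client("192.168.0.13")),
                           ("in.telnetd", Client("10.1.1.4", "box.lab.example.com")),
                           ("portmap", Client("10.0.0.9"))]:
        print(daemon, client.address, *hosts_access(daemon, client))
```

Note that a client with no reverse DNS entry never matches a hostname-based pattern, which is the caution about KNOWN/UNKNOWN and dot patterns above made concrete.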
• %N — Returns the server's hostname. If unavailable, unknown is printed. If the server's hostname and host address do not match, paranoid is printed. • %p — Returns the daemon's process ID. • %s — Returns various types of server information, such as the daemon process and the host or IP address of the server.
43.5.4. xinetd Configuration Files
The configuration files for xinetd are as follows: • /etc/xinetd.conf — The global xinetd configuration file. • /etc/xinetd.d/ — The directory containing all service-specific files.
43.5.4.1. The /etc/xinetd.conf File
The /etc/xinetd.conf file contains general configuration settings which affect every service under xinetd's control.
43.5.4.2. The /etc/xinetd.d/ Directory
The /etc/xinetd.d/ directory contains the configuration files for each service managed by xinetd and the names of the files correlate to the service. As with xinetd.conf, this directory is read only when the xinetd service is started.
43.5.4.3. Altering xinetd Configuration Files
A range of directives is available for services protected by xinetd. This section highlights some of the more commonly used options.
43.5.4.3.1. Logging Options
The following logging options are available for both /etc/xinetd.conf and the service-specific configuration files within the /etc/xinetd.d/ directory.
The only_from and no_access options can use a list of IP addresses or host names, or can specify an entire network. Like TCP Wrappers, combining xinetd access control with the enhanced logging configuration can increase security by blocking requests from banned hosts while verbosely recording each connection attempt.
43.5.4.3.3. Binding and Redirection Options
The service configuration files for xinetd support binding the service to an IP address and redirecting incoming requests for that service to another IP address, hostname, or port. Binding is controlled with the bind option in the service-specific configuration files and links the service to one IP address on the system.
...are using internal-only IP addresses, are not available from outside the gateway system. However, when certain services controlled by xinetd are configured with the bind and redirect options, the gateway machine can act as a proxy between outside systems and a particular internal machine configured to provide the service.
• man 5 hosts_access — The man page for the TCP Wrappers hosts access control files. • man hosts_options — The man page for the TCP Wrappers options fields. • man xinetd.conf — The man page listing xinetd configuration options. 43.5.5.2.
Even if this is the case, a network that is connected to the Internet can no longer be assumed to be secure. Any attacker who gains access to the network can use a simple packet analyzer, also known as a packet sniffer, to intercept usernames and passwords, compromising user accounts and the integrity of the entire security infrastructure.
Kerberos Terminology ciphertext Encrypted data. client An entity on the network (a user, a host, or an application) that can receive a ticket from Kerberos. credentials A temporary set of electronic credentials that verify the identity of a client for a particular service. Also called a ticket.
Chapter 43. Securing Your Network principal (or principal name) The principal is the unique name of a user or service allowed to authenticate using Kerberos. A principal follows the form root[/instance]@REALM. For a typical user, the root is the same as their login ID.
Kerberos and PAM
to an attacker for only a short period of time. After the TGT has been issued, the user does not have to re-enter their password until the TGT expires or until they log out and log in again. Whenever the user needs access to a network service, the client software uses the TGT to request a new ticket for that specific service from the TGS.
Kerberos system. For example, users should not be allowed to authenticate to Telnet services with the same password they use for Kerberos authentication.
43.6.5. Configuring a Kerberos 5 Server
When setting up Kerberos, install the KDC first. If it is necessary to set up slave servers, install the master first.
Most users are represented in the database by a single principal (with a NULL, or empty, instance, such as joe@EXAMPLE.COM). In this configuration, users with a second principal with an instance of admin (for example, joe/admin@EXAMPLE.COM) are able to wield full power over the realm's Kerberos database.
43.6.6. Configuring a Kerberos 5 Client
Setting up a Kerberos 5 client is less involved than setting up a server. At a minimum, install the client packages and provide each client with a valid krb5.conf configuration file. While ssh and slogin are the preferred method of remotely logging in to client systems, Kerberized versions of rsh and rlogin are still available, though deploying them requires that a few more configuration changes be made.
Domain-to-Realm Mapping
contains the Cyrus SASL plugins which support GSS-API authentication. Cyrus IMAP should function properly with Kerberos as long as the cyrus user is able to find the proper key in /etc/krb5.keytab, and the root for the principal is set to imap (created with kadmin). An alternative to cyrus-imap can be found in the dovecot package, which is also included in Red Hat Enterprise Linux.
Start kadmin.local from a root shell on the master KDC and use its add_principal command to create a new entry for the master KDC's host service, and then use its ktadd command to simultaneously set a random key for the service and store the random key in the master's default keytab file.
Setting Up Cross Realm Authentication
Now perform a manual database propagation test by dumping the realm database, on the master KDC, to the default data file which the kprop command will read (/var/kerberos/krb5kdc/slave_datatrans), and then use the kprop command to transmit its contents to the slave KDC.
# /usr/kerberos/sbin/kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
# kprop slavekdc.example.com
Using kinit, verify that a client system whose krb5.conf lists only the slave KDC in its list of KDCs...
Clients in the A.EXAMPLE.COM realm are now able to authenticate to services in the B.EXAMPLE.COM realm. Put another way, the B.EXAMPLE.COM realm now trusts the A.EXAMPLE.COM realm, or phrased even more simply, B.EXAMPLE.COM now trusts A.EXAMPLE.COM. This brings us to an important point: cross-realm trust is unidirectional by default.
For example, using credentials in A.EXAMPLE.COM, authenticating to a service in B.EXAMPLE.COM:
A.EXAMPLE.COM → EXAMPLE.COM → B.EXAMPLE.COM
• A.EXAMPLE.COM and EXAMPLE.COM share a key for krbtgt/EXAMPLE.COM@A.EXAMPLE.COM
• EXAMPLE.COM and B.EXAMPLE.COM share a key for krbtgt/B.EXAMPLE.COM@EXAMPLE.COM
Another example, using credentials in SITE1.SALES.EXAMPLE.COM, authenticating to a service in EVERYWHERE.EXAMPLE.COM: SITE1.SALES.EXAMPLE.COM →...
B.EXAMPLE.COM = .
C.EXAMPLE.COM = B.EXAMPLE.COM
D.EXAMPLE.COM = B.EXAMPLE.COM
D.EXAMPLE.COM = C.EXAMPLE.COM
In this example, clients in the A.EXAMPLE.COM realm can obtain cross-realm credentials for B.EXAMPLE.COM directly from the A.EXAMPLE.COM KDC. If those clients wish to contact a service in the C.EXAMPLE.COM realm, they will first need to obtain the necessary credentials from the B.EXAMPLE.COM realm (this requires that krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM exist), and then use those credentials to obtain credentials for use in the C.EXAMPLE.COM realm (using krbtgt/C.EXAMPLE.COM@B.EXAMPLE.COM).
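To make the two routing rules above concrete, here is an added Python example (not from the Red Hat guide and not a krb5 library API) that computes the realm path and the chain of krbtgt principals a client must obtain, first by the hierarchical default and then under a constructed [capaths] stanza matching the one above; the realm names and the small krb5.conf parser are my own assumptions.

```python
from typing import Dict, List

# Constructed krb5.conf fragment (not copied from any real system) that
# mirrors the [capaths] stanza discussed above for clients in A.EXAMPLE.COM.
SAMPLE_KRB5_CONF = """
[capaths]
 A.EXAMPLE.COM = {
  B.EXAMPLE.COM = .
  C.EXAMPLE.COM = B.EXAMPLE.COM
  D.EXAMPLE.COM = B.EXAMPLE.COM
  D.EXAMPLE.COM = C.EXAMPLE.COM
 }
"""


def parse_capaths(conf: str) -> Dict[str, Dict[str, List[str]]]:
    """Read the [capaths] section of a krb5.conf-style text.

    Returns {client_realm: {server_realm: [intermediate realms, in order]}}.
    A single '.' entry means the client KDC holds a direct key for the server
    realm, so no intermediate hop is needed.
    """
    table: Dict[str, Dict[str, List[str]]] = {}
    section = None
    client = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "capaths":
            continue
        if line.endswith("{"):
            client = line.split("=", 1)[0].strip()
            table.setdefault(client, {})
        elif line == "}":
            client = None
        elif client is not None and "=" in line:
            server, hop = (part.strip() for part in line.split("=", 1))
            table[client].setdefault(server, []).append(hop)
    return table


def hierarchical_path(client: str, server: str) -> List[str]:
    """Realm path used when no [capaths] entry applies.

    Climb from the client realm to the nearest realm that is also an ancestor
    of (or equal to) the server realm, then descend one label at a time.
    """
    if client == server:
        return [client]
    climb: List[str] = []
    ancestor = client
    while ancestor and ancestor != server and not server.endswith("." + ancestor):
        climb.append(ancestor)
        ancestor = ancestor.partition(".")[2]  # drop the leftmost label
    if not ancestor:  # no shared suffix: only a direct key can work
        return [client, server]
    descend: List[str] = []
    if ancestor != server:
        labels = server[: -len(ancestor) - 1].split(".")
        for i in range(len(labels) - 1, -1, -1):
            descend.append(".".join(labels[i:]) + "." + ancestor)
    return climb + [ancestor] + descend


def cross_realm_path(client: str, server: str,
                     capaths: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Path honouring [capaths] first, falling back to the hierarchy."""
    hops = capaths.get(client, {}).get(server)
    if hops is None:
        return hierarchical_path(client, server)
    if hops == ["."]:
        return [client, server]
    return [client] + hops + [server]


def required_tgts(path: List[str]) -> List[str]:
    """krbtgt principals the client obtains, one per hop along the path.

    Each entry names the key the two adjacent realms must share, so a
    missing one is where the cross-realm request will fail.
    """
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(path, path[1:])]


if __name__ == "__main__":
    table = parse_capaths(SAMPLE_KRB5_CONF)
    for server in ("B.EXAMPLE.COM", "C.EXAMPLE.COM", "D.EXAMPLE.COM"):
        path = cross_realm_path("A.EXAMPLE.COM", server, table)
        print(" -> ".join(path), required_tgts(path))
    print(hierarchical_path("SITE1.SALES.EXAMPLE.COM", "EVERYWHERE.EXAMPLE.COM"))
```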
Additional Resources
• man kinit — Describes how to use this command to obtain and cache a ticket-granting ticket.
• man kdestroy — Describes how to use this command to destroy Kerberos credentials.
• man klist — Describes how to use this command to list cached Kerberos credentials.
Administrative Applications
•...
43.7. Virtual Private Networks (VPNs)
Organizations with several satellite offices often connect to each other with dedicated lines for efficiency and protection of sensitive data in transit. For example, many businesses use frame relay or Asynchronous Transfer Mode (ATM) lines as an end-to-end networking solution to link one office with others.
43.7.3. IPsec
Red Hat Enterprise Linux supports IPsec for connecting remote hosts and networks to each other using a secure tunnel on a common carrier network such as the Internet. IPsec can be implemented using a host-to-host (one computer workstation to another) or network-to-network (one LAN/WAN to another) configuration.
• To connect one LAN/WAN to another via IPsec, refer to Section 43.7.7, “IPsec Network-to-Network Configuration”.
43.7.6. IPsec Host-to-Host Configuration
IPsec can be configured to connect one desktop or workstation (host) to another using a host-to-host connection.
If only one Ethernet card exists in the system, the device name is typically eth0. The following example shows the relevant information from this command (note that this is an example output only):
eth0 Link encap:Ethernet HWaddr 00:0C:6E:E8:98:1D
inet addr:172.16.44.192 Bcast:172.16.45.255 Mask:255.255.254.0...
Figure 43.10. IPsec Connection
The following files are created when the IPsec connection is configured:
• /etc/sysconfig/network-scripts/ifcfg-<nickname>
• /etc/sysconfig/network-scripts/keys-<nickname>
• /etc/racoon/<remote-ip>.conf
• /etc/racoon/psk.txt
If automatic encryption is selected, /etc/racoon/racoon.conf is also created. When the interface is up, /etc/racoon/racoon.conf is modified to include <remote-ip>.conf.
43.7.6.2.
• The IP address of each host
• A unique name, for example, ipsec1. This is used to identify the IPsec connection and to distinguish it from other devices or connections.
• A fixed encryption key or one automatically generated by racoon.
•...
To change the authentication key at any time, edit the keys-ipsec1 file on both workstations. Both authentication keys must be identical for proper connectivity. The next example shows the specific configuration for the phase 1 connection to the remote host. The file is called X.X.X.X.conf, where X.X.X.X is the IP address of the remote IPsec host.
is generated when the IPsec tunnel is activated. For Workstation A, the X.X.X.X in the include statement is Workstation B's IP address. The opposite is true of Workstation B. The following shows a typical racoon.conf file when the IPsec connection is activated.
# Racoon IKE daemon configuration file.
[root@myServer ~]# /sbin/ifup <nickname>
where <nickname> is the name you specified for the IPsec connection. To test the IPsec connection, run the tcpdump utility to view the network packets being transferred between the hosts and verify that they are encrypted via IPsec. The packet should include an AH header and should be shown as ESP packets.
• A fixed encryption key or one automatically generated by racoon
• A pre-shared authentication key that is used during the initial stage of the connection and to exchange encryption keys during the session.
43.7.7.1. Network-to-Network (VPN) Connection
A network-to-network IPsec connection uses two IPsec routers, one for each network, through which the network traffic for the private subnets is routed.
If you select manual encryption, an encryption key must be provided later in the process. If you select automatic encryption, the racoon daemon manages the encryption key. The ipsec-tools package must be installed if you want to use automatic encryption. Click Forward to continue.
• If manual encryption was selected in step 6, specify the encryption key to use or click Generate to create one. Specify an authentication key or click Generate to generate one. This key can be any combination of numbers and letters. Click Forward to continue.
192.168.2.254 for LAN B. The IPsec routers are separate from each LAN gateway and use two network devices: eth0 is assigned to an externally-accessible static IP address which accesses the Internet, while eth1 acts as a routing point to process and transmit LAN packets from one network node to the remote network nodes.
The following example is the content of the pre-shared key file called /etc/sysconfig/network-scripts/keys-ipsecX (where X is 0 for LAN A and 1 for LAN B) that both networks use to authenticate each other. The contents of this file should be identical and only the root user should be able to read or write this file.
Prior to starting the IPsec connection, IP forwarding should be enabled in the kernel. To enable IP forwarding:
1. Edit /etc/sysctl.conf and set net.ipv4.ip_forward to 1.
2. Use the following command to enable the change:
[root@myServer ~] # sysctl -p /etc/sysctl.conf
To start the IPsec connection, use the following command on each router:
[root@myServer ~] # /sbin/ifup ipsec0...
[root@myServer ~] # /sbin/ifdown <nickname>
43.8. Firewalls
Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux includes several tools to assist administrators and security engineers with network-level access control issues.
Method: Proxy
Description: Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, ...
Advantages: Gives administrators control over what applications and protocols function outside of the LAN.
Disadvantages: Proxies are often application-specific (HTTP, Telnet, etc.), or protocol-restricted (most proxies...
Basic Firewall Configuration
remote users can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Enterprise Linux system with an Internet connection.
43.8.2.1. Security Level Configuration Tool
During the Firewall Configuration screen of the Red Hat Enterprise Linux installation, you were given the option to enable a basic firewall as well as to allow specific devices, incoming services, and ports.
43.8.2.2. Enabling and Disabling the Firewall
Select one of the following options for the firewall:
• Disabled — Disabling the firewall provides complete access to your system and does no security checking. This should only be selected if you are running on a trusted network (not the Internet) or need to configure a custom firewall using the iptables command line tool.
or IMAP, or if you use a tool such as fetchmail. To allow delivery of mail to your machine, select this check box. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.
NFS4: The Network File System (NFS) is a file sharing protocol commonly used on *NIX systems.
the ipchains and iptables services should not be activated simultaneously. To make sure the ipchains service is disabled and configured not to start at boot time, use the following two commands:
[root@myServer ~] # service ipchains stop
[root@myServer ~] # chkconfig --level 345 ipchains off
43.8.3.
Common IPTables Filtering
Each iptables chain is comprised of a default policy, and zero or more rules which work in concert with the default policy to define the overall ruleset for the firewall. The default policy for a chain can be either DROP or ACCEPT. Security-minded administrators typically implement a default policy of DROP, and only allow specific packets on a case-by-case basis.
[root@myServer ~ ] # iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
This allows users to browse websites that communicate using the standard port 80. To allow access to secure websites (for example, https://www.example.com/), you also need to provide access to port 443, as follows:
[root@myServer ~ ] # iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Important...
FORWARD and NAT Rules
Administrators must, therefore, find alternative ways to share access to Internet services without giving public IP addresses to every node on the LAN. Using private IP addresses is the most common way of allowing all nodes on a LAN to properly access internal and external network services. Edge routers (such as firewalls) can receive incoming transmissions from the Internet and route the packets to the intended LAN node.
[root@myServer ~ ] # sysctl -p /etc/sysctl.conf
43.8.5.1. Postrouting and IP Masquerading
Accepting forwarded packets via the firewall's internal IP device allows LAN nodes to communicate with each other; however they still cannot communicate externally to the Internet. To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall's external device (in this case, eth0):...
Malicious Software and Spoofed IP Addresses
43.8.5.3. DMZs and IPTables
You can create iptables rules to route traffic to certain machines, such as a dedicated HTTP or FTP server, in a demilitarized zone (DMZ). A DMZ is a special local subnetwork dedicated to providing services on a public carrier, such as the Internet.
Note
There is a distinction between the DROP and REJECT targets when dealing with appended rules. The REJECT target denies access and returns a connection refused error to users who attempt to connect to the service. The DROP target, as the name implies, drops the packet without any warning.
For more information about IPv6 networking, refer to the IPv6 Information Page at http://www.ipv6.org/.
43.8.9. Additional Resources
There are several aspects to firewalls and the Linux Netfilter subsystem that could not be covered in this chapter. For more information, refer to the following resources.
43.8.9.1.
Warning
The default firewall mechanism in the 2.4 and later kernels is iptables, but iptables cannot be used if ipchains is already running. If ipchains is present at boot time, the kernel issues an error and fails to start iptables. The functionality of ipchains is not affected by these errors.
Differences Between IPTables and IPChains
packet coming from or going to a particular IP address, or set of addresses, when using a particular protocol and network service.
Note
By default, firewall rules are saved in the /etc/sysconfig/iptables or /etc/sysconfig/ip6tables files. The iptables service starts before any DNS-related services when a Linux system is booted.
Network interfaces must be associated with the correct chains in firewall rules. For example, incoming interfaces (-i option) can only be used in INPUT or FORWARD chains. Similarly, outgoing interfaces (-o option) can only be used in FORWARD or OUTPUT chains. In other words, INPUT chains and incoming interfaces work together;...
Command Options for IPTables
iptables -D <chain-name> <line-number>
In contrast, a command that adds a rule which filters packets from a particular subnet using a variety of specific parameters and options can be rather long. When constructing iptables commands, it is important to remember that some parameters and options require further parameters and options to construct a valid rule.
This is especially important when adding rules using the -I option with an integer argument. If you specify an existing number when adding a rule to a chain, iptables adds the new rule before (or above) the existing rule.
•...
Originally designed to allow IP packets to travel over networks with differing frame sizes, these days fragmentation is more commonly used to generate DoS attacks using malformed packets. It's also worth noting that IPv6 disallows fragmentation entirely.
•...
you can also use the protocol ID, instead of the protocol name. Refer to the following examples, each of which has the same effect (ICMP is protocol number 1 in /etc/protocols):
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -p 1 --icmp-type any -j ACCEPT
Service definitions are provided in the /etc/services file.
The --tcp-flags match option accepts two parameters. The first parameter is the mask; a comma-separated list of flags to be examined in the packet. The second parameter is a comma-separated list of flags that must be set for the rule to match. The possible flags are:
•...
43.9.3.4.4. Additional Match Option Modules
Additional match options are available through modules loaded by the iptables command. To use a match option module, load the module by name using the -m <module-name> option, where <module-name> is the name of the module. Many modules are available by default.
• mac module — Enables hardware MAC address matching. The mac module enables the following option:
• --mac-source — Matches a MAC address of the network interface card that sent the packet. To exclude a MAC address from a rule, place an exclamation point character (!) after the --mac-source match option.
Note
Due to an issue with this option, you should add a trailing space to the log-prefix value.
• --log-tcp-options — Logs any options set in the header of a TCP packet.
• --log-tcp-sequence — Writes the TCP sequence number for the packet in the log.
•...
[root@myserver ~]#
43.9.4. Saving IPTables Rules
Rules created with the iptables command are stored in memory. If the system is restarted before saving the iptables rule set, all rules are lost. For netfilter rules to persist through a system reboot, they need to be saved.
• start — If a firewall is configured (that is, /etc/sysconfig/iptables exists), all running iptables are stopped completely and then started using the /sbin/iptables-restore command. This option only works if the ipchains kernel module is not loaded. To check if this module is loaded, type the following command as root:
[root@MyServer ~]# lsmod | grep ipchains
If this command returns no output, it means the module is not loaded.
IPTables Control Scripts
To use the same initscript commands to control netfilter for IPv6, substitute ip6tables for iptables in the /sbin/service commands listed in this section. For more information about IPv6 and netfilter, refer to Section 43.9.6, “IPTables and IPv6”.
43.9.5.1.
43.9.6. IPTables and IPv6
If the iptables-ipv6 package is installed, netfilter in Red Hat Enterprise Linux can filter the next-generation IPv6 Internet protocol. The command used to manipulate the IPv6 netfilter is ip6tables. Most directives for this command are identical to those used for iptables, except the nat table is not yet supported.
Chapter 44. Security and SELinux
44.1. Access Control Mechanisms (ACMs)
This section provides a basic introduction to Access Control Mechanisms (ACMs). ACMs provide a means for system administrators to control which users and processes can access different files, devices, interfaces, etc., in a computer system. This is a primary consideration when securing a computer system or network of any size.
44.1.5. Multi-Level Security (MLS)
Multi-Level Security (MLS) is a specific Mandatory Access Control (MAC) security scheme. Under this scheme, processes are called Subjects. Files, sockets and other passive operating system entities are called Objects. For more information, refer to Section 44.6, “Multi-Level Security (MLS)”.
Files Related to SELinux
Figure 44.1. SELinux Decision Process
SELinux Operating Modes
Instead of running in enforcing mode, SELinux can run in permissive mode, where the AVC is checked and denials are logged, but SELinux does not enforce the policy. This can be useful for troubleshooting and for developing or fine-tuning SELinux policy.
For example, running the cat command on the enforce file reveals either a 1 for enforcing mode or 0 for permissive mode.
44.2.2.2. SELinux Configuration Files
The following sections describe SELinux configuration and policy files, and related file systems located in the /etc/ directory.
the wrong context. These processes could create files that would also be in the wrong context.
Note
Additional white space at the end of a configuration line or as extra lines at the end of the file may cause unexpected behavior. To be safe, remove unnecessary white space.
•...
44.2.2.2.2. The /etc/selinux/ Directory
The /etc/selinux/ directory is the primary location for all policy files as well as the main configuration file. The following example shows sample contents of the /etc/selinux/ directory:
-rw-r--r-- 1 root root 448 Sep 22 17:34 config
drwxr-xr-x 5 root root 4096 Sep 22 17:27 strict...
• /sbin/restorecon — Sets the security context of one or more files by marking the extended attributes with the appropriate file or security context.
• /sbin/fixfiles — Checks or corrects the security context database on the file system.
Refer to the man page associated with these utilities for more information.
and has extended attributes (xattrs) in the ext3 file system. SELinux was moved to using xattrs to store security context information. The xattr namespace provides useful separation for multiple security modules existing on the same system. Much of the work to get the kernel ready for upstream, as well as subsequent SELinux development, has been a joint effort between the NSA, Red Hat, and the community of SELinux developers.
Getting Started with Multi-Category Security (MCS)
security labels on files. The contents of this attribute will vary depending on the file or directory you inspect and the policy the machine is enforcing.
Note
This is expected to change in the 2.6.15 kernel (and already has in the latest -mm kernels), so that getxattr(2) always returns the kernel's canonicalized version of the label.
MCS works on a simple principle: to access a file, a user needs to be assigned to all of the categories with which the file is labeled. The MCS check is applied after normal Linux Discretionary Access Control (DAC) and Type Enforcement (TE) rules, so it can only further restrict security.
Configuring Categories
james user_u
daniel user_u
root root s0-s0:c0.c1023
olga user_u
Notice that at this stage only the root account is assigned to any categories. By default, the root account is configured with access to all categories. Red Hat Enterprise Linux and SELinux are preconfigured with several default categories, but to make effective use of MCS, the system administrator typically modifies these or creates further categories to suit local requirements.
[root@dhcp-133 ~]# service mcstrans restart
44.5.4. Assigning Categories to Users
Now that the required categories have been added to the system, you can start assigning them to SELinux users and files. To further develop the example above, assume that James is in the Marketing department, Daniel is in the Finance and Payroll departments, and Olga is in the Personnel department.
Assigning Categories to Files
Note
MCS category access is assigned during login. Consequently, a user does not have access to newly-assigned categories until they log in again. Similarly, if access to a category is revoked, this is only apparent to the user after the next login.
44.5.5.
[olga@dhcp-133 ~]$ cat financeRecords.txt
cat: financeRecords.txt: Permission Denied
Note
Refer to the man pages for semanage and chcat for more information on the available options for these commands.
44.6. Multi-Level Security (MLS)
Protecting sensitive or confidential data is paramount in many businesses. In the event such information is made public, businesses may face legal or financial ramifications.
Why Multi-Level?
Figure 44.2. Information Security Levels
44.6.1.1. The Bell-La Padula Model (BLP)
SELinux, like most other systems that protect multi-level data, uses the BLP model. This model specifies how information can flow within the system based on labels attached to each subject and object.
Figure 44.3. Available data flows using an MLS system
Under such a system, users, computers, and networks use labels to indicate security levels. Data can flow between like levels, for example between "Secret" and "Secret", or from a lower level to a higher level.
MLS Policy
An SL must have one sensitivity, and may have zero or more categories. Examples of SLs are: { Secret / UFO, Crypto }, { Top Secret / UFO, Crypto, Stargate } and { Unclassified }. Note the hierarchical sensitivity followed by zero or more categories. The reason for having categories as well as sensitivities is so that sensitivities can be further compartmentalized on a need-to-know basis.
44.6.4. LSPP Certification
Efforts are being made to have Linux certified as an MLS operating system. The certification is equivalent to the old B1 rating, which has been reworked into the Labeled Security Protection Profile under the Common Criteria scheme.
Where is the Policy?
The policy can be defined either by modifying the existing files or by adding local Type Enforcement (TE) and File Context (FC) files to the policy tree. These new policies can be loaded into the kernel in real time.
• /etc/selinux/targeted/contexts/files/ — contains the default contexts for the entire file system. This is referenced by restorecon when performing relabeling operations.
• /etc/selinux/targeted/contexts/users/ — in the targeted policy, only the root file is in this directory. These files are used for determining context when a user logs in. For example, for the root user, the context is user_u:system_r:unconfined_t.
The Role of Policy in the Boot Process
/sbin/init mounts /proc/, and then searches for the selinuxfs file system type. If it is present, that means SELinux is enabled in the kernel. If init does not find SELinux in the kernel, or if it is disabled via the selinux=0 boot parameter, or if /etc/selinux/config specifies that SELINUX=disabled, the boot process proceeds with a non-SELinux system.
44.7.4. Object Classes and Permissions
SELinux defines a number of classes for objects, making it easier to group certain permissions by specific classes. For example:
• File-related classes include filesystem for file systems, file for files, and dir for directories. Each class has its own associated set of permissions.
Files and Directories of the Targeted Policy
The Strict Policy
The opposite of the targeted policy is the strict policy. In the strict policy, every subject and object exists in a specific security domain, and all interactions and transitions are individually considered within the policy rules.
mailman_cgi_t mailman_mail_t mailman_queue_t mysqld_t named_t ndc_t nscd_t ntpd_t pegasus_t portmap_t postgresql_t snmpd_t squid_t syslogd_t system_mail_t unconfined_t winbind_helper_t winbind_t ypbind_t
user_r
This is the default user role for regular Linux users. In a strict policy, individual users might be used, allowing for the users to have special roles to perform privileged operations.
Understanding the Users and Roles in the Targeted Policy
The one exception is the SELinux user root. You may notice root as the user identity in a process's context. This occurs when the SELinux user root starts daemons from the command line, or restarts a daemon originally started by init.
Chapter 45. Working With SELinux
SELinux presents both a new security paradigm and a new set of practices and tools for administrators and some end-users. The tools and techniques discussed in this chapter focus on standard operations performed by end-users, administrators, and analysts.
45.1.
The type tmp_t is the default type for temporary files. Use the -Z option to specify the label for the new file:
cp -Z user_u:object_r:user_home_t foo /tmp
ls -Z /tmp/foo
-rw-rw-r-- auser auser user_u:object_r:user_home_t /tmp/foo
Moving Files: SELinux Options for mv
Moving files with mv retains the original type associated with the file.
Checking the Security Context of a Process, User, or File Object
system_u:system_r:kernel_t root 15:09 0:00 [migration/0]
system_u:system_r:kernel_t root 15:09 0:00 [ksoftirqd/0]
user_u:system_r:unconfined_t user 3122 6908 3232 ? 16:47 0:01 /usr/libexec/gconfd-2 5
user_u:system_r:unconfined_t user 3125 2540 588 ? 16:47 0:00 /usr/bin/gnome-keyring-daemon
user_u:system_r:unconfined_t user 3127...
45.1.3. Relabeling a File or Directory
You may need to relabel a file when moving or copying into special directories related to the targeted daemons, such as ~/public_html directories, or when writing scripts that work in directories outside of /home.
-rw-rw-r-- auser auser user_u:object_r:user_home_t 3.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 4.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t 5.html
-rw-rw-r-- auser auser user_u:object_r:user_home_t index.html
To make these files viewable from a special user public HTML folder, they need to have a type that httpd has permissions to read, presuming the Apache HTTP Server is configured for UserDir and the Boolean value httpd_enable_homedirs is enabled.
The archives/ directory already has the default type because it was created in the user's home directory:
ls -Zd archives/
drwxrwxr-x auser auser user_u:object_r:user_home_t archives/
Using the restorecon command to relabel the files uses the default file contexts set by the policy, so these files are labeled with the default label for their current directory.
Creating Archives That Retain Security Contexts
star: 11 blocks + 0 bytes (total of 112640 bytes = 110.00k).
Use the ls command with the -Z option to validate the security context:
ls -Z all_web.star
-rw-rw-r-- auser auser user_u:object_r:user_home_t all_web.star
You can now copy the archive to a different directory.
45.2. Administrator Control of SELinux

In addition to the tasks often performed by users in Section 45.1, “End User Control of SELinux”, SELinux administrators could be expected to perform a number of additional tasks. These tasks typically require root access to the system.
[root@host2a ~]# sestatus -b | grep httpd | grep 'on$'
httpd_builtin_scripting                on
httpd_disable_trans                    on
httpd_enable_cgi                       on
httpd_enable_homedirs                  on
httpd_unified                          on

45.2.2. Relabeling a File System

You may never need to relabel an entire file system. This usually occurs only when labeling a file system for SELinux for the first time, or when switching between different types of policy, such as changing from the targeted to the strict policy.
If the relabeling operation applies a new policy that is different from the policy that was in place when the system booted, existing processes may be running in incorrect and insecure domains. For example, a process could be in a domain that is not an allowed transition for that process in the new policy, granting unexpected permissions to that process alone.
Backing Up and Restoring the System

on the device node. For example, if your /var/ directory is located on an LVM (Logical Volume Management) device, /dev/dm-0, the device node is identified in the message as dev=dm-0. When you see path=/ in this example, that is the top level of the LVM device dm-0, not necessarily the same as the root file system designation /.
Note

This sets the runtime value only. Use the -P option to make the change persistent across reboots.

Any *_disable_trans booleans that are set to "on" invoke the conditional that prevents the process from transitioning to its domain on execution, so the daemon keeps running in the domain of whatever started it. Use the following command to find which of these booleans are set:

getsebool -a | grep 'disable.*on'
httpd_disable_trans=1...
Figure 45.1. Using the Security Level Configuration dialog box to change a runtime boolean.

If you want to control these settings with scripts, you can use the setenforce(1), getenforce(1), and selinuxenabled(1) commands.

45.2.7. Enable or Disable SELinux

Important

Changes you make to files while SELinux is disabled may give them an unexpected security label, and new files will not have a label. Relabel the file system (see Section 45.2.2, “Relabeling a File System”) after re-enabling SELinux.
[root@host2a ~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
Changing the Policy

Use the following procedure to load a different policy using the system-config-selinux utility:

Note

You need administrator privileges to perform this procedure.

1. Ensure that the complete directory structure for the required policy exists under /etc/selinux.
2. On the System menu, point to Administration and then click Security Level and Firewall to display the Security Level Configuration dialog box.
Figure 45.2. Using the Security Level Configuration dialog box to load a custom policy.

45.2.9. Specifying the Security Context of Entire File Systems

You can use the mount -o context= command to set a single context for an entire file system. This might be a file system that is already mounted and that supports xattrs, or a network file system that obtains a genfs label such as cifs_t or nfs_t. A context= mount option overrides any labels stored in the file system's xattrs: every object on that mount carries the one context you specify, and per-file changes with chcon are not possible while it is mounted that way.
linked to /var/www/html/foo, you have two security contexts to be concerned with. Because one object is of class file and the other of class lnk_file, the policy treats them differently and unexpected behavior may occur.

45.2.10. Changing the Security Category of a File or User
togglesebool boolean ...

This command toggles the setting of one or more booleans. This affects boolean settings in memory only; changes are not persistent across reboots.

45.2.13. Changing to a Different Role

You use the newrole command to run a new shell with the specified type and/or role. Changing roles is typically only meaningful in the strict policy;...
Dumping and Viewing Logs

Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
    syscall=195 exit=4294967283 a0=9ef88e0 a1=bfecc0d4 a2=a97ff4 \
    a3=bfecc0d4 items=1 pid=2239 loginuid=-1 uid=48 gid=48 euid=48 \
    suid=48 fsuid=48 egid=48 sgid=48 fsgid=48

The exit value is printed as an unsigned 32-bit number; 4294967283 is -13, that is, EACCES. The following message provides more information about the target:

Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
    item=0 name=/home/auser/public_html inode=921135 dev=00:00

The serial number stamp (here 2392892) is always identical for every record of a particular audited event, so it is the key for correlating the syscall, path, and AVC records that describe one denial.
Chapter 46. Customizing SELinux Policy

46.1. Introduction

In earlier releases of Red Hat Enterprise Linux it was necessary to install the selinux-policy-targeted-sources package and then to create a local.te file in the /etc/selinux/targeted/src/policy/domains/misc directory. You could use the audit2allow utility to translate the AVC messages into allow rules, and then rebuild and reload the policy.
Note

This command does not list the base policy module, which is also installed.

The /usr/share/selinux/targeted/ directory contains a number of policy package (*.pp) files. These files are included in the selinux-policy rpm and are used to build the policy file.
Loading the Policy Package

The TE file consists of three sections. The first section is the module command, which identifies the module name and version. The module name must be unique. If you create a semanage module using the name of a pre-existing module, the system tries to replace the existing module package with the newly created version.
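The two ideas above, correlating audit records by their serial number (Section 45, Dumping and Viewing Logs) and the layout of a TE file (module line, require block, rules), as an added example that is not part of the Deployment Guide and not the audit2allow implementation. The syscall and item records are the ones shown on this page; the avc: denied line and the second event are constructed so that the grouping has something to show, and the module name local_httpd is an assumption.

```python
"""Group kernel audit records by serial and draft a .te module (added example)."""
import errno
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log: the syscall/item records from the page plus an AVC record
# sharing their serial, and an unrelated successful event with the next serial.
SAMPLE_LOG = """\
Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): avc:  denied  { getattr } for  pid=2239 comm="httpd" path="/home/auser/public_html" dev=dm-0 ino=921135 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): syscall=195 exit=4294967283 a0=9ef88e0 a1=bfecc0d4 a2=a97ff4 a3=bfecc0d4 items=1 pid=2239 loginuid=-1 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): item=0 name=/home/auser/public_html inode=921135 dev=00:00
Jan 15 08:04:10 hostname kernel: audit(1105805050.120:2392893): syscall=5 exit=3 a0=0 a1=0 a2=0 a3=0 items=0 pid=2239 loginuid=-1 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
"""

AUDIT_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(text: str) -> Dict[str, str]:
    """key=value pairs; quoted values such as comm="httpd" keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(text)}


def parse_record(line: str) -> dict:
    """One kernel audit line -> {ts, serial, kind, fields, perms[, action]}."""
    m = AUDIT_RE.search(line)
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    body = m.group("body")
    record = {"ts": m.group("ts"), "serial": m.group("serial"), "kind": "other", "perms": []}
    avc = AVC_RE.match(body)
    if avc:
        record.update(kind="avc", action=avc.group("action"),
                      perms=avc.group("perms").split(), fields=parse_fields(avc.group("rest")))
    else:
        record["fields"] = parse_fields(body)
        if "syscall" in record["fields"]:
            record["kind"] = "syscall"
        elif "item" in record["fields"]:
            record["kind"] = "path"
    return record


def group_by_serial(lines: List[str]) -> Dict[str, List[dict]]:
    """The serial inside audit(ts:serial) ties every record of one event together."""
    groups = defaultdict(list)
    for line in lines:
        if "audit(" in line:
            rec = parse_record(line)
            groups[rec["serial"]].append(rec)
    return dict(groups)


def decode_exit(value: str):
    """exit= is an unsigned 32-bit rendering; negative values are -errno."""
    n = int(value)
    if n >= 2 ** 31:
        n -= 2 ** 32
    return n, (errno.errorcode.get(-n) if n < 0 else None)


def build_te_module(name: str, records: List[dict], version: str = "1.0") -> str:
    """Draft the three TE sections from the denials in one event. Review the
    result before loading it: a denial often means a mislabeled file, and the
    right fix is then a relabel rather than a new allow rule."""
    rules = defaultdict(set)  # (source type, target type, class) -> perms
    for rec in records:
        if rec["kind"] == "avc" and rec["action"] == "denied":
            f = rec["fields"]
            src, tgt = f["scontext"].split(":")[2], f["tcontext"].split(":")[2]
            rules[(src, tgt, f["tclass"])].update(rec["perms"])
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    events = group_by_serial(SAMPLE_LOG.splitlines())
    for serial, recs in events.items():
        print(serial, [r["kind"] for r in recs])
    print(build_te_module("local_httpd", events["2392892"]))
```

Running the script prints the record kinds per serial and a module whose require block names httpd_t, user_home_t and class dir, followed by a single allow rule. For the denial in the sample the better fix is the relabel described in Section 45.1.3, which is why the drafted rule is shown rather than loaded.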
Understanding and Customizing the Apache HTTP SELinux Policy
    http://docs.fedoraproject.org/selinux-apache-fc3/
Tutorials and talks from Russell Coker
    http://www.coker.com.au/selinux/talks/ibmtu-2004/

Generic

Writing SELinux policy HOWTO
    https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266
Red Hat Knowledgebase
    http://kbase.redhat.com/

General Information

NSA SELinux main website
    http://www.nsa.gov/research/selinux/index.shtml
NSA SELinux FAQ
    http://www.nsa.gov/research/selinux/faqs.shtml
Fedora SELinux FAQ
    http://docs.fedoraproject.org/selinux-faq/...
Chapter 47. References

A Security Policy Configuration for the Security-Enhanced Linux
    http://www.nsa.gov/research/_files/selinux/papers/policy/policy.shtml

Community

SELinux community page
    http://selinux.sourceforge.net
    irc.freenode.net, #rhel-selinux

History

Quick history of Flask
    http://www.cs.utah.edu/flux/fluke/html/flask.html
Full background on Fluke
    http://www.cs.utah.edu/flux/fluke/html/index.html...
Part VIII. Red Hat Training And Certification Red Hat courses and certifications are indisputably regarded as the best in Linux, and perhaps in all of IT. Taught entirely by experienced Red Hat experts, our certification programs measure competency on actual live systems and are in great demand by employers and IT professionals alike. Choosing the right certification depends on your background and goals.
Red Hat courses are performance-based: students have access to at least one dedicated system, and in some courses, as many as five. Instructors are all experienced Red Hat Certified Engineers (RHCEs) who are intimately familiar with course curriculum. Course schedules are available at http://www.redhat.com/explore/training

Onsite Training

Onsite training is delivered by Red Hat at your facility for teams of 12 to 16 people per class.
Red Hat Certified Technician (RHCT) and Red Hat Certified Engineer (RHCE), the most acclaimed certifications in the Linux space.

49.1. Free Pre-assessment tests

Test your Linux smarts and identify your Red Hat course level with our automated pre-assessment tests. Completely free, no obligations, 10 minutes of your time. http://www.redhat.com/explore/assess
Chapter 50. RH033: Red Hat Linux Essentials http://www.redhat.com/training/rhce/courses/rh033.html 50.1. Course Description The first course for both RHCT and RHCE certification tracks, RH033 is ideal for individuals who have never used Linux or UNIX, and who have no prior command line experience in any other operating system.
50.1.5. Follow-on Courses

RH133 Red Hat Linux Sys. Admin.
RH253 Red Hat Linux Net. and Sec. Admin
RH300 Red Hat Linux RHCE Rapid Track

"I would enthusiastically recommend this course to anyone interested in Linux." -- Mike Kimmel, ITT Systems Division...
Chapter 51. RH035: Red Hat Linux Essentials for Windows Professionals http://www.redhat.com/training/rhce/courses/rh035.html 51.1. Course Description Designed for Windows® professionals with no prior UNIX or Linux experience, this course teaches fundamental Red Hat Enterprise Linux system administration skills. The first day provides a conceptual and practical transition for individuals to successfully add Linux management competencies to their portfolio.
RH253 Red Hat Linux Net. and Sec. Admin.
RH300 Red Hat Linux RHCE Rapid Track

"All in all I would rate this training experience as one of the best I have ever attended, and I've been in this industry for over 15 years."...
RH133: Red Hat Linux System Administration and Red Hat Certified Technician (RHCT) Certification http://www.redhat.com/training/rhce/courses/rh133.html 52.1. Course Description RH133 focuses on skills in systems administration on Red Hat Linux, to a level where you can attach and configure a workstation on an existing network. This 4.5-day course provides intensive hands-on training on Red Hat Enterprise Linux, and includes the RH202 RHCT Certification Lab Exam on the last day.
11. Perform performance, memory, and process mgmt.
12. Configure basic host security

52.1.5. Follow-on Courses

RH253 Red Hat Linux Net. and Sec. Admin.
RH202 RHCT EXAM - The fastest growing credential in all of Linux.
http://www.redhat.com/training/rhce/courses/rh202.html

1. RHCT exam is included with RH133. It can also be purchased on its own for $349
2. RHCT exams occur on the fifth day of all RH133 classes

53.1.
Chapter 54. RH253 Red Hat Linux Networking and Security Administration 54.1. Course Description RH253 arms students with in-depth knowledge needed to configure common Red Hat Enterprise Linux network services. Network and local security tasks are also topics of this course. 54.1.1.
12. Overview of OSS security tools

54.1.5. Follow-on Courses

RH302 RHCE Certification Exam

"This course was excellent. The teacher was fantastic—his depth of knowledge is amazing." -- Greg Peters, Future Networks USA...
RH300: RHCE Rapid track course (and RHCE exam) The fastest path to RHCE certification for experienced UNIX/Linux users. http://www.redhat.com/training/rhce/courses/rh300.html 55.1. Course Description Five days in duration, this course provides intensive hands-on training on Red Hat Linux, and includes the RHCE Certification Exam on the last day.
1. RHCE exams are included with RH300. It can also be purchased on its own.
2. RHCE exams occur on the fifth day of all RH300 classes

http://www.redhat.com/training/rhce/courses/rhexam.html

56.1. Course Description

RHCE stands apart from many other certification programs in the IT sector because of its emphasis on hands-on, performance-based testing of actual skills in Red Hat Linux installation, configuration, debugging, and setup of key networking services.
RHS333: RED HAT enterprise security: network services Security for the most commonly deployed services. http://www.redhat.com/training/architect/courses/rhs333.html 57.1. Course Description Red Hat Enterprise Linux has gained considerable momentum as the operating system of choice for deploying network services such as web, ftp, email, and file sharing. Red Hat's RHCE curriculum provides training in deploying these services and on the essential elements of securing them.
10. Apache security
11. Basics of intrusion response

57.1.5. Follow-on Courses

RH401 Red Hat Enterprise Deployment and System Mgmt.
RH423 Red Hat Enterprise Directory Services and Authentication
RH436 Red Hat Enterprise Storage Mgmt.
RH442 Red Hat Enterprise System Monitoring and Performance Tuning...
RH401: Red Hat Enterprise Deployment and systems management Manage Red Hat Enterprise Linux deployments. http://www.redhat.com/training/architect/courses/rh401.html 58.1. Course Description RH401 is a four-day intensive hands-on lab course in skills and methods critical to large-scale deployment and management of mission-critical Red Hat Enterprise Linux systems, including failover and load-balancing, CVS for system administrators, RPM rebuilding, and performance tuning for specific applications.
7. High-availability application failover clusters

58.1.5. Follow-on Courses

RHS333 Enterprise Security: Securing Network Services
RH423 Red Hat Enterprise Directory Services and Authentication
RH436 Red Hat Enterprise Storage Mgmt.
RH442 Red Hat Enterprise System Monitoring and Performance Tuning

"After taking RH401 I am completely confident that I can implement enterprise-scale high-...
RH423: Red Hat Enterprise Directory services and authentication Manage and deploy directory services for Red Hat Enterprise Linux systems. http://www.redhat.com/training/architect/courses/rh423.html 59.1. Course Description RH423 is an intensive course that provides four days of instruction and labs on cross-platform integration of directory services to provide authentication or information service across the enterprise.
RH401 Red Hat Enterprise Deployment and Systems Management
RH436 Red Hat Enterprise Storage Mgmt.
RH442 Red Hat Enterprise System Monitoring and Performance Tuning...
60.1. RHS427: Introduction to SELinux and Red Hat Targeted Policy http://www.redhat.com/training/security/courses/rhs427.html 1-day rapid intro to SELinux, how it operates within the Red Hat targeted policy, and the tools available for working with this powerful capability. RHS427 constitutes the first day of RH429.
Deploy and manage Red Hat's cluster file system technology.

Equipment-intensive:
1. five servers
2. storage array

http://www.redhat.com/training/architect/courses/rh436.html

61.1. Course Description

RH436 provides intensive hands-on experience with the emerging Shared Storage technology delivered by Red Hat Global File System (GFS). This four-day course focuses on the implementation of native Red Hat Enterprise Linux technologies included in Red Hat Cluster Suite and GFS.
8. Implement GFS modifications
9. Migrating Cluster Suite NFS from DAS to GFS
10. Re-visit Cluster Suite using GFS

61.1.5. Follow-on Courses

RHS333 Enterprise Security: Securing Network Services
RH401 Red Hat Enterprise Deployment and Systems Management
RH423 Red Hat Enterprise Directory Services and Authentication
RH442 Red Hat Enterprise System Monitoring and Performance Tuning

"The class gave me a chance to use some of the latest Linux tools, and was a reminder of the benefits...
RH442: Red Hat Enterprise system monitoring and performance tuning Performance tuning and capacity planning for Red Hat Enterprise Linux http://www.redhat.com/training/architect/courses/rh442.html 62.1. Course Description RH442 is an advanced four-day hands-on lab course covering system architecture, performance characteristics, monitoring, benchmarking, and network performance tuning.
7. Application performance tuning considerations
8. Tuning for specific configurations

62.1.5. Follow-on Courses

RHS333 Enterprise Security: Securing Network Services
RH401 Red Hat Enterprise Deployment and Systems Management
RH423 Red Hat Enterprise Directory Services and Authentication
RH436 Red Hat Enterprise Storage Mgmt.
Red Hat Enterprise Linux Developer Courses 63.1. RHD143: Red Hat Linux Programming Essentials http://www.redhat.com/training/developer/courses/rhd143.html An intensive hands-on course designed to rapidly train staff in key skills for developing applications and programs on Red Hat Enterprise Linux. This five-day course provides hands-on training, concepts, demonstrations, with emphasis on realistic labs and programming exercises.
Chapter 64. JBoss Courses

64.1. RHD161 JBoss and EJB3 for Java Developers
http://www.redhat.com/training/jboss/courses/rhd161.html

JBoss and EJB3 for Java Developers is targeted toward proficient Java developers who wish to extend their knowledge to EJB3 and J2EE middleware programming using the JBoss Application Server.
6. A working knowledge of JDBC and EJB2.1 or EJB3.0, while not a prerequisite, is helpful.

64.3. RHD167: JBOSS - HIBERNATE ESSENTIALS
http://www.redhat.com/training/jboss/courses/rhd167.html

64.3.1. Prerequisites

1. An understanding of the relational persistence model
2. Competency with the Java language
3.
Pasternak, Consulting Engineer, United Switch & Signal 64.5. RHD261:JBOSS for advanced J2EE developers http://www.redhat.com/training/jboss/courses/rhd261.html JBoss for Advanced J2EE Developers is targeted toward J2EE professionals who wish to take advantage of the JBoss Application Server internal architecture to enhance the functionality and performance of J2EE applications on the JBoss Application Server.
It was apparent that he cared about our understanding of the material."--Jeremy Prellwitz, SiRAS.com, USA 64.6. RH336: JBOSS for Administrators http://www.redhat.com/training/jboss/courses/rh336.html 64.6.1. Prerequisites Basic working knowledge of the Windows or Linux (Unix-based) operating system. The student must have experience with the following: 1.
(some very specific to the student) while maintaining the course direction. I am very excited about applying what I have learned in the course." -- Andy Beier, Arizona State University

64.8. RHD449: JBoss jBPM
http://www.redhat.com/training/jboss/courses/rhd449.html

64.8.1. Description

JBoss jBPM training is targeted for system architects and developers who work closely with business analysts and are responsible for bringing business processes into J2EE environment using jBPM as a BPM engine.
5. Basic knowledge of the JUnit test framework is recommended.

64.9. RHD451 JBoss Rules
http://www.redhat.com/training/jboss/courses/rhd451.html

The course covers the core engine for Drools 3 (JBoss Rules 3.0), as well as the various techniques and languages that can be used to manage business rules, and how the rule engine may be embedded in J2SE and J2EE applications.
Resolve BZ#507987: clarify and correct statements about partitions being in use while resizing or removing.
Resolve BZ#462550: recommended amount of swap space, according to http://kbase.redhat.com/faq/docs/DOC-15252
Resolve BZ#466239: line omitted from Postfix configuration meant connecting remotely failed...
Chapter 65. Colophon The manuals are written in DocBook XML v4.3 format. Garrett LeSage created the admonition graphics (note, tip, important, caution, and warning). They may be freely redistributed with the Red Hat documentation. Contributing Writers: John Ha (System Administration, Filesystems, Kernel), Joshua Wulf (Installation and Booting), Brian Cleary (Virtualization), David O'Brien (Security and SELinux), Michael Hideo (System Administration), Don Domingo (System Administration), Michael Behm (System Administration), Paul Kennedy (Storage), Melissa Goldin (Red Hat Network)
• Latin Languages
• French
  • Jean-Paul Aubry
  • Fabien Decroux
  • Myriam Malga
  • Audrey Simons
  • Corina Roe
• German
  • Jasna Dimanoski
  • Verena Furhuer
  • Bernd Groh
  • Daniela Kugelmann
  • Timo Trinks
•...
• Gujarati
  • Ankitkumar Rameshchandra Patel
  • Sweta Kothari
• Hindi
  • Rajesh Ranjan
• Malayalam
  • Ani Peter
• Marathi
  • Sandeep Shedmake
• Punjabi
  • Amanpreet Singh Alam
  • Jaswinder Singh
• Tamil
  • I Felix
  • N Jayaradha...