book

Essential System Administration, 3rd Edition

Name: Essential System Administration, 3rd Edition
Author: Æleen Frisch
ISBN: 9780596003432

by Æleen Frisch

August 2002

Beginner

1176 pages

36h 52m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Essential System Administration, 3rd Edition
Dedication
Preface
The Unix Universe
Unix Versions Discussed in This Book
Audience
Organization
Chapter Descriptions
Conventions Used in This Book
Comments and Questions
Acknowledgments
1. Introduction to System Administration

1.1. Thinking About System Administration
1.2. Becoming Superuser
1.2.1. Controlling Access to the Superuser Account1.2.2. Running a Single Command as root1.2.3. sudo: Selective Access to Superuser Commands
1.3. Communicating with Users
1.3.1. Sending a Message1.3.2. Sending a Message to All Users1.3.3. The Message of the Day1.3.4. Specifying the Pre-Login Message
1.4. About Menus and GUIs
1.4.1. Ups and Downs1.4.2. AIX: SMIT and WSM1.4.3. HP-UX: SAM1.4.4. Solaris: admintool and Sun Management Console1.4.5. Linux: Linuxconf1.4.6. Red Hat Linux: redhat-config-*1.4.7. SuSE Linux: YaST21.4.8. FreeBSD: sysinstall1.4.9. Tru64: SysMan1.4.10. Other Freely Available Administration Tools1.4.10.1. The Ximian Setup Tools1.4.11. VNC
1.5. Where Does the Time Go?
2. The Unix Way
2.1. Files
2.1.1. File Ownership2.1.1.1. Displaying file ownership2.1.1.2. Who owns new files?2.1.1.3. Changing file ownership2.1.2. File Protection2.1.2.1. Types of file and directory access2.1.2.2. Access classes2.1.2.3. Setting file protection2.1.2.4. Beyond the basics2.1.2.5. Specifying numeric file modes2.1.2.6. Specifying the default file mode2.1.2.7. Special-purpose access modes2.1.2.8. Save-text access on directories2.1.2.9. Setgid access on directories2.1.2.10. Numerical equivalents for special access modes2.1.3. How to Recognize a File Access Problem2.1.4. Mapping Files to Disks2.1.4.1. Regular files2.1.4.2. Directories2.1.4.3. Special files: character and block device files2.1.4.4. Links2.1.4.4.1. Tru64 Context-Dependent Symbolic Links2.1.4.5. Sockets2.1.4.6. Named pipes2.1.4.7. Using ls to identify file types
2.2. Processes
2.2.1. Interactive Processes2.2.2. Batch Processes2.2.3. Daemons2.2.4. Process Attributes2.2.4.1. The life cycle of a process2.2.4.2. Setuid and setgid file access and process execution2.2.4.3. The relationship between commands and files
2.3. Devices
2.3.1. An In-Depth Device Example: Disks2.3.1.1. Fixed-disk special files2.3.2. Special Files for Other Devices2.3.2.1. Commands for listing the devices on a system2.3.2.2. The AIX Object Data Manager2.3.3. The Unix Filesystem Layout2.3.4. The Root Directory2.3.5. The /usr Directory2.3.6. The /var Directory
3. Essential AdministrativeTools and Techniques
3.1. Getting the Most from Common Commands
3.1.1. Getting Help3.1.1.1. Changing the search order3.1.1.2. Setting up man -k3.1.2. Piping into grep and awk3.1.3. Finding Files3.1.4. Repeating Commands3.1.5. Creating Several Directory Levels at Once3.1.6. Duplicating an Entire Directory Tree3.1.7. Comparing Directories3.1.8. Deleting Pesky Files3.1.9. Putting a Command in a Cage3.1.10. Starting at the End3.1.11. Be Creative
3.2. Essential Administrative Techniques
3.2.1. Periodic Program Execution: The cron Facility3.2.1.1. crontab files3.2.1.1.1. FreeBSD and Linux crontab entry format enhancements3.2.1.2. Adding crontab entries3.2.1.3. cron log files3.2.1.4. Using cron to automate system administration3.2.1.4.1. FreeBSD: The periodic command3.2.1.4.2. Linux: The /etc/cron.* directories3.2.1.5. cron security issues3.2.2. System Messages3.2.2.1. The syslog facility3.2.2.2. Configuring syslog3.2.2.3. Enhancements to syslog.conf3.2.2.3.1. AIX3.2.2.3.2. FreeBSD and Linux3.2.2.3.3. Solaris3.2.2.3.4. The Tru64 syslog log file hierarchy3.2.2.4. The logger utility3.2.3. Hardware Error Messages3.2.3.1. The AIX error log3.2.3.1.1. Viewing errors under HP-UX3.2.3.1.2. The Tru64 binary error logger3.2.4. Administering Log Files3.2.4.1. Managing log file disk requirements3.2.4.2. Monitoring log file contents3.2.5. Managing Software Packages3.2.5.1. HP-UX: Bundles, products, and subproducts3.2.5.2. AIX: Apply versus commit3.2.5.3. FreeBSD ports3.2.6. Building Software Packages from Source Code3.2.6.1. mtools: Using configure and accepting imperfections3.2.6.2. bzip2: Converting Linux-based make procedures3.2.6.3. jove: Configuration via make file settings3.2.6.4. Internet software archives
4. Startup and Shutdown
4.1. About the Unix Boot Process
4.1.1. From Power On to Loading the Kernel4.1.2. Booting to Multiuser Mode4.1.3. Booting to Single-User Mode4.1.3.1. Password protection for single-user mode4.1.3.2. Firmware passwords4.1.4. Starting a Manual Boot4.1.4.1. AIX4.1.4.2. FreeBSD4.1.4.3. HP-UX4.1.4.4. Linux4.1.4.5. Tru644.1.4.6. Solaris4.1.4.7. Booting from alternate media4.1.5. Boot Activities in Detail4.1.5.1. Boot messages4.1.5.2. Saved boot log files4.1.5.3. General considerations4.1.5.4. Preliminaries4.1.5.5. Preparing filesystems4.1.5.6. Checking and mounting the root filesystem4.1.5.7. Preparing other local filesystems4.1.5.8. Saving a crash dump4.1.5.9. Starting paging4.1.5.10. Security-related activities4.1.5.11. Checking disk quotas4.1.5.12. Starting servers and initializing local subsystems4.1.5.12.1. The AIX System Resource Controller4.1.5.13. Connecting to the network4.1.5.14. Housekeeping activities4.1.5.15. Allowing users onto the system
4.2. Initialization Files and Boot Scripts
4.2.1. Initialization Files Under FreeBSD4.2.2. Initialization Files on System V Systems4.2.2.1. System V run levels4.2.2.2. Using the telinit command to change run levels4.2.2.3. Initialization files overview4.2.2.4. The init configuration file4.2.2.5. The rcn initialization scripts4.2.2.6. Boot script configuration files4.2.2.7. File location summary4.2.2.8. Solaris initialization scripts4.2.2.9. Tru64 initialization scripts4.2.2.10. Linux initialization scripts4.2.2.11. AIX: Making System V work like BSD4.2.3. Customizing the Boot Process4.2.3.1. Adding to the boot scripts4.2.3.2. Eliminating certain boot-time activities4.2.3.3. Modifying standard scripts4.2.3.4. Guidelines for writing initialization scripts
4.3. Shutting Down a Unix System
4.3.1. The System V shutdown Command4.3.1.1. HP-UX shutdown security4.3.2. The BSD-Style shutdown Command4.3.3. The Linux shutdown Command4.3.4. Ensuring Disk Accuracy with the sync Command4.3.5. Aborting a Shutdown
4.4. Troubleshooting: Handling Crashes and Boot Failures
4.4.1. Power-Failure Scripts4.4.2. When the System Won’t Boot4.4.2.1. Bad or flaky hardware4.4.2.2. Unreadable filesystems on working disks4.4.2.3. Damage to non-filesystem areas of a disk4.4.2.4. Incompatible hardware4.4.2.5. System configuration errors
5. TCP/IP Networking
5.1. Understanding TCP/IP Networking
5.1.1. Media and Topologies5.1.1.1. Identifying network adapters5.1.2. Protocols and Layers5.1.3. Ports, Services, and Daemons5.1.4. Administrative Commands5.1.5. A Sample TCP/IP Conversation5.1.6. Names and Addresses5.1.7. Subnets and Supernets5.1.7.1. Introducing IPv6 host addresses5.1.8. Connecting Network Segments
5.2. Adding a New Network Host
5.2.1. Configuring the Network Interface with ifconfig5.2.1.1. Ethernet interface names5.2.1.2. Other uses of ifconfig5.2.1.3. ifconfig on Solaris systems5.2.1.4. Interface configuration at boot time5.2.2. Dynamic IP Address Assignment with DHCP5.2.2.1. AIX5.2.2.2. FreeBSD5.2.2.3. HP-UX5.2.2.4. Linux5.2.2.5. Solaris5.2.2.6. Tru645.2.3. Name Resolution Options5.2.3.1. The /etc/hosts file5.2.3.2. Configuring a DNS client5.2.3.3. The name service switch file5.2.4. Routing Options5.2.4.1. AIX5.2.4.2. FreeBSD5.2.4.3. HP-UX5.2.4.4. Linux5.2.4.5. Solaris5.2.4.6. Tru64
5.3. Network Testing and Troubleshooting
6. Managing Users and Groups
6.1. Unix Users and Groups
6.1.1. The Password File, /etc/passwd6.1.2. The Shadow Password File, /etc/shadow6.1.2.1. The FreeBSD /etc/ master.passwd file6.1.2.2. The protected password database under HP-UX and Tru646.1.3. The Group File, /etc/group6.1.3.1. User-private groups6.1.4. Dynamic Group Memberships6.1.4.1. The Linux group shadow file, /etc/gshadow6.1.4.2. The HP-UX /etc/logingroup file6.1.4.3. AIX group sets6.1.5. User Account Database File Protections6.1.6. Standard Unix Users and Groups6.1.7. Using Groups Effectively
6.2. Managing User Accounts
6.2.1. Adding a New User Account6.2.2. Defining a New User Account6.2.3. Assigning a Shell6.2.3.1. Captive accounts6.2.4. Assigning a Password6.2.5. Creating a Home Directory6.2.6. User Environment Initialization Files6.2.6.1. Sample login initialization files6.2.6.2. Sample shell initialization files6.2.6.3. The AIX /etc/security/environ file6.2.6.4. Desktop environment initialization files6.2.6.5. Systemwide initialization files6.2.7. Setting File Ownership6.2.8. Adding the User to Other System Facilities6.2.9. Specifying Other User Account Controls6.2.9.1. AIX user account controls6.2.9.2. FreeBSD user account controls6.2.9.3. Linux user account controls6.2.9.4. Solaris login process settings6.2.9.5. Specifying login time restrictions under HP-UX and Tru646.2.10. Testing the New Account6.2.10.1. Using su to re-create a user’s environment6.2.11. Disabling and Removing User Accounts6.2.11.1. Removing a user account
6.3. Administrative Tools for Managing User Accounts
6.3.1. Command-Line Utilities6.3.1.1. The useradd command: HP-UX, Linux, Solaris, and Tru646.3.1.1.1. Setting useradd’s defaults6.3.1.1.2. Modifying accounts with usermod6.3.1.1.3. Removing accounts with userdel6.3.1.2. Commands for managing groups6.3.1.3. The Linux gpasswd command6.3.1.4. The FreeBSD user account utilities6.3.1.5. The AIX user account utilities6.3.1.5.1. Removing user accounts6.3.1.5.2. Utilities for managing groups6.3.2. Graphical User Account Managers6.3.2.1. Managing users with SMIT under AIX6.3.2.2. Managing users with SAM under HP-UX6.3.2.2.1. HP-UX account and file exclusion6.3.2.3. Linux graphical user managers6.3.2.3.1. Managing users with Linuxconf6.3.2.3.2. The KDE User Manager6.3.2.3.3. The Red Hat User Manager6.3.2.4. Solaris GUI tools for managing user accounts6.3.2.5. Managing user accounts with dxaccounts under Tru646.3.3. Automation You Have to Do Yourself
6.4. Administering User Passwords
6.4.1. Selecting Effective Passwords6.4.1.1. Forcing a password change6.4.1.2. Managing dozens of passwords6.4.2. Educating Users About Selecting Effective Passwords6.4.2.1. Password advice in the age of the Internet6.4.3. Setting Password Restrictions6.4.3.1. Password aging6.4.3.2. Password triviality checks6.4.3.2.1. Tru646.4.3.2.2. AIX6.4.3.2.3. Linux6.4.3.2.4. FreeBSD6.4.3.3. The freely available npasswd command6.4.3.4. Password history lists6.4.3.5. Password settings default values6.4.4. Testing User Passwords for Weaknesses6.4.4.1. John the Ripper6.4.4.2. Using Crack to find poorly chosen passwords6.4.4.3. How well do they do?
6.5. User Authentication with PAM
6.5.1. PAM Defaults6.5.2. PAM Modules Under Linux6.5.2.1. Checking passwords at selection time6.5.2.2. Specifying allowed times and locations for system access6.5.2.3. MD5 passwords6.5.3. PAM Modules Provided by Other Unix Systems6.5.4. More Complex PAM Configuration
6.6. LDAP: Using a Directory Service for User Authentication
6.6.1. About LDAP6.6.2. LDAP Directories6.6.2.1. About schemas6.6.3. Installing and Configuring OpenLDAP: An Overview6.6.3.1. More about LDAP searching6.6.4. Using OpenLDAP for User Authentication6.6.4.1. Select an appropriate schema6.6.4.2. Convert existing user account data6.6.4.3. Specify the name service search order6.6.4.3.1. Configure PAM to use OpenLDAP6.6.4.4. Configure directory access control6.6.4.5. OpenLDAP access control6.6.5. Securing OpenLDAP Authentication6.6.6. Wither NIS?
7. Security
7.1. Prelude: What’s Wrong with This Picture?
7.2. Thinking About Security
7.2.1. Security Policies and Plans7.2.1.1. Security policies7.2.1.2. Security plans7.2.2. Unix Lines of Defense7.2.2.1. Physical security7.2.2.2. Firewalls and network filters7.2.2.3. Passwords7.2.2.4. Encrypting data7.2.2.5. Backups7.2.3. Version-Specific Security Facilities
7.3. User Authentication Revisited
7.3.1. Smart Cards7.3.2. One-Time Passwords7.3.3. Solaris and HP-UX Dialup Passwords7.3.4. AIX Secondary Authentication Programs7.3.5. Better Network Authentication: Kerberos
7.4. Protecting Files and the Filesystem
7.4.1. Search Path Issues7.4.2. Small Mistakes Compound into Large Holes7.4.3. The setuid and setgid Access Modes7.4.3.1. Writing setuid/setgid programs7.4.4. Access Control Lists7.4.4.1. Introducing access control lists7.4.4.2. Manipulating AIX ACLs7.4.4.3. HP-UX ACLs7.4.4.4. POSIX access control lists: Linux, Solaris, and Tru647.4.5. Encryption7.4.5.1. The crypt command7.4.5.2. Public key encryption: PGP and GnuPG7.4.5.3. Selecting passphrases
7.5. Role-Based Access Control
7.5.1. AIX Roles7.5.2. Solaris Role-Based Access Control
7.6. Network Security
7.6.1. Establishing Trust7.6.1.1. The implications of trust7.6.2. The Secure Shell7.6.3. Securing Network Daemons7.6.3.1. TCP Wrappers: Better inetd access control and logging7.6.3.2. xinetd7.6.3.3. Disable what you don’t need7.6.4. Port Scanning7.6.5. Defending the Border: Firewalls and Packet Filtering
7.7. Hardening Unix Systems
7.7.1. Plan Before Acting7.7.2. Secure the Physical System7.7.3. Install the Operating System7.7.4. Secure Local Filesystems7.7.5. Securing Services7.7.6. Restrict root Access7.7.7. Configure User Authentication and Account Defaults7.7.8. Set up Remote Authentication7.7.9. Install and Configure Ongoing Monitoring7.7.10. Backup7.7.11. Other Activities
7.8. Detecting Problems
7.8.1. Password File Issues7.8.2. Monitoring the Filesystem7.8.2.1. Checking file ownership and protection7.8.2.2. Looking for setuid and setgid files7.8.2.3. Checking modification dates and inode numbers7.8.2.4. Computing checksums7.8.2.5. Run fsck occasionally7.8.3. Automating Security Monitoring7.8.3.1. Trusted computing base checking7.8.3.2. System integrity checking with Tripwire7.8.3.3. Vulnerability scanning7.8.3.3.1. General system security monitoring via COPS7.8.3.4. Scanning for network vulnerabilities7.8.4. What to Do if You Find a Problem7.8.5. Investigating System Activity7.8.5.1. Monitoring unsuccessful login attempts7.8.5.2. su log files7.8.5.3. History on the root account7.8.5.4. Tracking user activities7.8.5.5. Event-auditing systems7.8.6. Intruders Can Read
8. Managing Network Services
8.1. Managing DNS Servers
8.1.1. Zones8.1.2. Name Server Types8.1.3. About BIND8.1.4. Configuring named8.1.4.1. The master configuration file: named.conf8.1.4.2. The root hints file8.1.4.3. Zone files8.1.4.3.1. Reverse zone files and PTR records8.1.4.3.2. IPv6 zone file resource records8.1.4.4. Common mistakes to avoid8.1.4.5. Using subdomains8.1.4.5.1. Reverse zone files with arbitrary subnetting8.1.4.6. Forwarders8.1.4.7. Slave name server notifications8.1.4.8. Dynamic updates8.1.4.9. Incremental zone transfers8.1.4.10. Access control8.1.4.11. Securing DNS communications8.1.4.11.1. BIND 9 security futures8.1.4.12. BIND 9 views8.1.4.13. Securing the named process8.1.4.14. Configuring logging8.1.5. Name Server Maintenance and Troubleshooting8.1.5.1. Controlling the named server process8.1.5.2. Using the nslookup and dig utilities
8.2. Routing Daemons
8.2.1. Routing Concepts and Protocols8.2.1.1. Configuring routed8.2.1.2. Configuring gated8.2.1.2.1. Vendor specifics
8.3. Configuring a DHCP Server
8.3.1. AIX8.3.2. ISC DHCP: FreeBSD and Linux8.3.3. HP-UX8.3.4. Solaris8.3.5. Tru64
8.4. Time Synchronization with NTP
8.4.1. How NTP Works8.4.2. Setting Up NTP8.4.2.1. Enabling ntpd under FreeBSD8.4.3. A Simple Authentic Time Option
8.5. Managing Network Daemons under AIX
8.6. Monitoring the Network
8.6.1. Standard Networking Utilities8.6.2. Packet Sniffers8.6.2.1. The Solaris snoop command8.6.2.2. Packet collecting under AIX and HP-UX8.6.3. The Simple Network Management Protocol8.6.3.1. SNMP concepts and constructs8.6.3.2. SNMP implementations8.6.3.3. Net-SNMP client utilities8.6.3.3.1. Generating traps8.6.3.3.2. AIX and Tru64 clients8.6.3.4. Configuring SNMP agents8.6.3.4.1. Net-SNMP snmpd daemon (FreeBSD and Linux)8.6.3.4.2. Net-SNMP access control8.6.3.4.3. The Net-SNMP trap daemon8.6.3.4.4. Configuring SNMP nder HP-UX8.6.3.4.5. Configuring SNMP under Solaris8.6.3.4.6. The AIX snmpd daemon8.6.3.4.7. The Tru64 snmpd daemon8.6.3.5. SNMP and security8.6.4. Network Management Packages8.6.4.1. Proactive network monitoring8.6.4.1.1. NetSaint8.6.4.2. Identifying trends over time8.6.4.2.1. MRTG and RRDtool8.6.4.2.2. Using Cricket to feed RRDtool
9. Electronic Mail
9.1. About Electronic Mail
9.1.1. Mail Addressing and Delivery9.1.1.1. DNS MX records9.1.1.2. Mail aliases9.1.1.3. Mail forwarding9.1.1.4. Putting it all together9.1.2. Electronic Mail Policies
9.2. Configuring User Mail Programs
9.2.1. Automated Email Message Encryption
9.3. Configuring Access Agents
9.3.1. Setting Up User Agents to Use POP and IMAP
9.4. Configuring the Transport Agent
9.4.1. sendmail9.4.1.1. Configuring sendmail9.4.1.2. Getting started: A sample mail client configuration9.4.1.3. Building sendmail.cf9.4.1.4. Configuring the mail hub9.4.1.5. Selecting mailers9.4.1.5.1. More about pipes to files and programs9.4.1.6. Some client and mail hub variations9.4.1.6.1. An isolated internal network9.4.1.6.2. A null client9.4.1.6.3. Mailer-specific and other local relays9.4.1.7. More addressing options9.4.1.7.1. Sender aliasing9.4.1.7.2. Using LDAP for incoming mail addresses9.4.1.7.3. The redirect feature9.4.1.8. Virtual hosting9.4.1.9. The services switch file9.4.1.10. Spam suppression9.4.1.10.1. Message relaying9.4.1.11. Public blacklists and the access database9.4.1.12. sendmail security9.4.1.12.1. The sendmail default user9.4.1.12.2. Privacy options9.4.1.12.3. SASL authentication9.4.1.12.4. Reducing the sendmail daemon’s privileges9.4.1.13. Monitoring ongoing operation9.4.1.14. Performance9.4.1.15. Debugging techniques9.4.1.16. Macro summary9.4.2. Postfix9.4.2.1. Installing Postfix9.4.2.2. Configuring Postfix9.4.2.2.1. Notifying the daemon9.4.2.2.2. Client systems9.4.2.2.3. The mail hub9.4.2.2.4. The local delivery agent9.4.2.2.5. Systems with intermittent Internet connections9.4.2.2.6. Address transformations9.4.2.2.7. Virtual domains9.4.2.2.8. LDAP lookups9.4.2.3. Access control and spam suppression9.4.2.4. Postfix security9.4.2.5. Monitoring and performance9.4.2.6. Debugging
9.5. Retrieving Mail Messages
9.6. Mail Filtering with procmail
9.6.1. Configuring procmail9.6.1.1. Other procmail disposition options9.6.1.2. Using procmail to discard spam9.6.1.3. Using procmail for security scanning9.6.1.4. Debugging procmail9.6.1.5. Additional information
9.7. A Few Final Tools
10. Filesystems and Disks
10.1. Filesystem Types
10.1.1. About Unix Filesystems: Moments from History10.1.1.1. Journaled filesystems10.1.1.2. BSD soft updates10.1.2. Default Local Filesystems
10.2. Managing Filesystems
10.2.1. Mounting and Dismounting Filesystems10.2.2. Disk Special File Naming Conventions10.2.3. The mount and umount Commands10.2.4. Figuring Out Who’s Using a File10.2.5. The Filesystem Configuration File10.2.5.1. Solaris: /etc/vfstab10.2.5.2. AIX: /etc/filesystems and /etc/swapspaces10.2.6. Automatic Filesystem Mounting10.2.7. Using fsck to Validate a Filesystem10.2.7.1. After fsck
10.3. From Disks to Filesystems
10.3.1. Defining Disk Partitions10.3.2. Adding Disks10.3.2.1. Preparing and connecting the disk10.3.2.2. Making special files10.3.2.3. FreeBSD10.3.2.4. Linux10.3.2.4.1. The Reiser filesystem10.3.2.5. Solaris10.3.2.6. AIX, HP-UX, and Tru6410.3.2.7. Remaking an existing filesystem10.3.3. Logical Volume Managers10.3.3.1. Disks, volume groups, and logical volumes10.3.3.2. Disk striping10.3.3.3. Disk mirroring and RAID10.3.3.4. AIX10.3.3.4.1. Replacing a failed disk10.3.3.4.2. Getting information from the LVM10.3.3.4.3. Disk striping and disk mirroring10.3.3.5. HP-UX10.3.3.5.1. Displaying LVM information10.3.3.5.2. Disk striping and mirroring10.3.3.6. Tru6410.3.3.6.1. AdvFS10.3.3.6.2. LSM10.3.3.7. Solaris10.3.3.8. Linux10.3.3.9. FreeBSD10.3.4. Floppy Disks10.3.4.1. Floppy disk special files10.3.4.2. Using DOS disks on Unix systems10.3.4.3. The Mtools utilities10.3.4.4. Stupid DOS partition tricks10.3.5. CD-ROM Devices10.3.5.1. CD-ROM drives under AIX10.3.5.2. The Solaris media-handling daemon
10.4. Sharing Filesystems
10.4.1. NFS10.4.1.1. Mounting remote directories10.4.1.2. Exporting local filesystems10.4.1.2.1. Exporting directories under Linux10.4.1.2.2. Exporting filesystems under Solaris10.4.2. The NFS Automounter10.4.3. Samba10.4.3.1. Samba authentication10.4.3.1.1. Mounting Windows filesystems under Linux and FreeBSD
11. Backup and Restore
11.1. Planning for Disasters and Everyday Needs
11.1.1. Backup Capacity Planning11.1.2. Backup Strategies11.1.2.1. Unattended backups11.1.2.2. Data verification11.1.2.3. Storing backup media11.1.2.4. Off-site and long-term storage
11.2. Backup Media
11.2.1. Magnetic tape11.2.2. Magneto-optical disks11.2.3. CDs and DVDs11.2.4. Removable disks: Zip and Jaz11.2.5. Floppy disks11.2.6. Hard disks11.2.7. Stackers, jukeboxes, and similar devices11.2.8. Media Lifetime11.2.9. Comparing Backup Media11.2.10. Tape Special Files11.2.10.1. AIX tape device attributes
11.3. Backing Up Files and Filesystems
11.3.1. When tar or cpio Is Enough11.3.1.1. The tar command11.3.1.1.1. Solaris enhancements to the tar command11.3.1.1.2. The GNU tar utility: Linux and FreeBSD11.3.1.2. The cpio command11.3.1.3. Incremental backups with tar and cpio11.3.1.4. pax: Detente between tar and cpio11.3.2. Backing Up Individual Filesystems with dump11.3.2.1. The HP-UX fbackup utility11.3.3. Related Tape Utilities11.3.3.1. Data copying and conversion with dd11.3.3.2. Tape manipulation with mt
11.4. Restoring Files from Backups
11.4.1. Restores from tar and cpio Archives11.4.2. Restoring from dump Archives11.4.2.1. The restore utility’s interactive mode11.4.2.2. The HP-UX frecover utility11.4.3. Moving Data Between Systems
11.5. Making Table of Contents Files
11.6. Network Backup Systems
11.6.1. Remote Backups and Restores11.6.2. The Amanda Facility11.6.2.1. About Amanda11.6.2.2. How Amanda works11.6.2.3. Doing the math11.6.2.4. Configuring Amanda11.6.2.4.1. Setting up an Amanda client11.6.2.4.2. Selecting an Amanda server11.6.2.4.3. Setting up the Amanda server11.6.2.5. Amanda reports and logs11.6.2.6. Restoring files from an Amanda backup11.6.3. Commercial Backup Packages
11.7. Backing Up and Restoring the System Filesystems
11.7.1. AIX: mksysb and savevg11.7.1.1. Restoring individual files from a mksysb tape11.7.1.2. Saving and restoring AIX user volume groups11.7.2. FreeBSD11.7.3. HP-UX: make_recovery11.7.4. Linux11.7.5. Solaris11.7.6. Tru64: btcreate
12. Serial Lines and Devices
12.1. About Serial Lines
12.1.1. Device Files for Serial Lines12.1.2. The tty Command
12.2. Specifying Terminal Characteristics
12.2.1. termcap and terminfo12.2.1.1. termcap entries12.2.1.2. terminfo entries12.2.1.3. Modifying entries12.2.2. The tset Command12.2.3. The stty Command
12.3. Adding a New Serial Device
12.3.1. Making the Physical Connection12.3.1.1. Hardware handshaking and flow control12.3.2. Terminal Line Configuration12.3.2.1. FreeBSD configuration files12.3.2.1.1. Secure terminal lines12.3.2.1.2. The /etc/gettytab file12.3.2.2. System V configuration files12.3.2.2.1. The /etc/gettydefs file12.3.2.2.2. Setting terminal line types under HP-UX12.3.2.2.3. The Linux mgetty configuration files12.3.2.2.4. Configuring terminal lines under AIX12.3.3. Starting the Terminal Line12.3.4. Terminal Handling Under Solaris12.3.4.1. Structure of the Service Access Facility12.3.4.2. Port monitors12.3.4.3. Creating port monitors with pmadm12.3.4.4. The ttydefs file12.3.4.5. Using admintool to configure serial lines
12.4. Troubleshooting Terminal Problems
12.5. Controlling Access to Serial Lines
12.6. HP-UX and Tru64 Terminal Line Attributes
12.7. The HylaFAX Fax Service
12.7.1. Sending Faxes12.7.2. Managing Faxes12.7.3. HylaFAX Configuration Files12.7.4. Controlling Access to HylaFAX
12.8. USB Devices
12.8.1. FreeBSD USB Support12.8.2. Linux USB Support12.8.3. Solaris USB Support
13. Printers and the Spooling Subsystem
13.1. The BSD Spooling Facility
13.1.1. User Commands13.1.2. Manipulating Print Jobs13.1.3. Managing Queues13.1.4. The Spooling Daemon13.1.5. Configuring Queues: The printcap File13.1.5.1. Spooling directories13.1.5.2. Restricting printer access13.1.5.3. A filter program13.1.6. Remote Printing13.1.7. Adding a New Printer13.1.8. LPD Variations13.1.8.1. FreeBSD13.1.8.2. Tru6413.1.8.3. Linux
13.2. System V Printing
13.2.1. User Commands13.2.1.1. The system default printer13.2.1.2. Device classes13.2.1.3. Getting status information13.2.2. Manipulating Individual Print Requests13.2.3. Managing Queues13.2.4. Starting and Stopping the Print Service13.2.5. Managing Printers and Destination Classes13.2.5.1. Defining or modifying a printer13.2.5.2. Deleting printers13.2.5.3. Managing device classes13.2.5.4. In-queue priorities13.2.5.4.1. Priorities under HP-UX13.2.5.4.2. Priorities under Solaris13.2.5.5. Printer interface programs13.2.6. Remote Printing13.2.6.1. HP-UX remote printing13.2.6.2. Solaris remote printing13.2.7. Adding a New Printer13.2.8. System V Spooling System Variations13.2.8.1. Solaris: Additional configuration files13.2.8.2. Solaris: Controlling printer access13.2.8.3. Solaris: Forms and filters13.2.8.4. HP-UX: Altering pending print jobs13.2.8.5. HP-UX: Analyzing printer usage13.2.8.6. Graphical administration tools
13.3. The AIX Spooling Facility
13.3.1. Manipulating Print Jobs13.3.1.1. Job numbers13.3.1.2. The default print queue under AIX13.3.1.3. Displaying job and queue status information13.3.1.4. Deleting print jobs13.3.1.5. Moving jobs between queues13.3.1.6. Suspending print jobs13.3.1.7. Print job priorities13.3.2. Managing Queues and Devices13.3.3. The qdaemon Server Process13.3.4. Configuring Queues: The /etc/qconfig File13.3.4.1. Creating and modifying print queues13.3.5. Remote Printing13.3.6. Adding a New Printer13.3.7. Using the Queueing System as a Batch Service
13.4. Troubleshooting Printers
13.5. Sharing Printers with Windows Systems
13.5.1. Printing to a Windows Printer from a Unix System13.5.2. Accepting Incoming Windows Print Jobs via Samba13.5.2.1. Creating queues for the Samba printers under Windows
13.6. LPRng
13.6.1. Enhancements to the lpc Command13.6.1.1. Print classes and job priorities13.6.2. Configuring LPRng13.6.2.1. Separate client and server entries13.6.2.2. Using a common printcap file for many hosts13.6.2.3. Special-purpose queues13.6.2.3.1. Bounce queues13.6.2.3.2. Printer pools13.6.2.4. Filters13.6.2.5. Other printcap entry options13.6.3. Global Print Spooler Settings13.6.4. Printer Access Control13.6.4.1. Other LPRng capabilities
13.7. CUPS
13.7.1. Printer Administration13.7.1.1. CUPS configuration files13.7.1.2. Access control and authentication
13.8. Font Management Under X
13.8.1. Font Basics13.8.2. Managing Fonts under X13.8.3. Adding Fonts to X13.8.3.1. Printing support13.8.4. Handling TrueType Fonts
14. Automating Administrative Tasks
14.1. Creating Effective Shell Scripts
14.1.1. Password File Security14.1.2. Monitoring Disk Usage14.1.3. Root Filesystem Backups and System Snapshots14.1.4. A Few More Tricks14.1.5. Testing and Debugging Scripts
14.2. Perl: An Alternate Administrative Language
14.2.1. A Quick Introduction14.2.2. A Walking Tour of Perl14.2.3. Perl Reports14.2.4. Graphical Interfaces with Perl
14.3. Expect: Automating Interactive Programs
14.3.1. A First Example: Testing User Environments14.3.2. A Timed Prompt14.3.3. Repeating a Command Over and Over14.3.4. Automating Configuration File Distribution14.3.5. Keep Trying Until It Works
14.4. When Only C Will Do
14.5. Automating Complex Configuration Tasks with Cfengine
14.5.1. About Cfengine14.5.2. Actions14.5.3. Classes14.5.4. Configuring cfservd14.5.5. Running Cfengine
14.6. Stem: Simplified Creation of Client-Server Applications
14.7. Adding Local man Pages
15. Managing System Resources
15.1. Thinking About System Performance
15.1.1. The Tuning Process15.1.1.1. Define the problem in as much detail as you can.15.1.1.2. Determine what’s causing the problem.15.1.1.3. Formulate explicit performance improvement goals.15.1.1.4. Design and implement modifications to the system and applications to achieve those goals.15.1.1.5. Monitor the system to determine how well the changes worked.15.1.1.6. Return to the first step and begin again.15.1.2. Some Tuning Caveats
15.2. Monitoring and Controlling Processes
15.2.1. The ps Command15.2.2. Other Process Listing Utilities15.2.3. The /proc Filesystem15.2.4. Kernel Idle Processes15.2.5. Process Resource Limits15.2.6. Process Resource Limits Under AIX15.2.7. Signaling and Killing Processes15.2.7.1. Killing multiple processes with killall15.2.7.2. Processes that won’t die15.2.7.3. Pausing and restarting processes
15.3. Managing CPU Resources
15.3.1. Nice Numbers and Process Priorities15.3.2. Monitoring CPU Usage15.3.2.1. Recognizing a CPU shortage15.3.3. Changing a Process’s Nice Number15.3.3.1. renice under AIX, HP-UX, and Tru6415.3.3.2. Changing process priorities under Solaris15.3.3.3. Setting a user’s default nice numbers under Tru6415.3.4. Configuring the System Scheduler15.3.4.1. The AIX scheduler15.3.4.2. The Solaris scheduler15.3.4.3. Tru6415.3.5. Unix Batch-Processing Facilities
15.4. Managing Memory
15.4.1. Monitoring Memory Use and Paging Activity15.4.1.1. Determining the amount of physical memory15.4.1.2. Monitoring memory use15.4.1.3. Recognizing memory problems15.4.1.4. The filesystem cache15.4.2. Configuring the Virtual Memory Manager15.4.2.1. AIX15.4.2.2. FreeBSD15.4.2.3. HP-UX15.4.2.4. Linux15.4.2.5. Solaris15.4.2.6. Tru6415.4.3. Managing Paging Space15.4.3.1. How much paging space?15.4.3.2. Listing paging areas15.4.3.3. Activating paging areas15.4.3.4. Creating new paging areas15.4.3.5. Filesystem paging15.4.3.6. Linux and HP-UX paging space priorities15.4.3.7. Removing paging areas
15.5. Disk I/O Performance Issues
15.5.1. Monitoring Disk I/O Performance15.5.2. Getting the Most From the Disk Subsystem15.5.2.1. Disk hardware15.5.2.2. Distributing the data among the available disks15.5.2.3. Data placement on disk15.5.3. Tuning Disk I/O Performance15.5.3.1. Sequential read-ahead15.5.3.1.1. AIX15.5.3.1.2. Linux15.5.3.2. Disk I/O pacing
15.6. Monitoring and Managing Disk Space Usage
15.6.1. Where Did It All Go?15.6.2. Handling Disk Shortage Problems15.6.2.1. Using find to locate or remove wasted space15.6.2.2. Limiting the growth of log files15.6.3. Controlling Disk Usage with Disk Quotas15.6.3.1. Preparing filesystems for quotas15.6.3.2. Setting users’ quota limits15.6.3.3. Setting the soft limit expiration period15.6.3.4. Enabling quota checking15.6.3.5. Quota consistency checking15.6.3.6. Disk quota reports15.6.3.7. Group-based quotas (AIX, FreeBSD, Tru64 and Linux)
15.7. Network Performance
15.7.1. Basic Network Performance Monitoring15.7.2. General TCP/IP Network Performance Principles15.7.2.1. Two TCP parameters15.7.3. DNS Performance15.7.4. NFS Performance15.7.4.1. NFS Version 3 performance improvements15.7.4.2. NFS performance principles
16. Configuring and Building Kernels
16.1. FreeBSD and Tru64
16.1.1. Changing FreeBSD Kernel Parameters16.1.2. FreeBSD Kernel Modules16.1.3. Installing the FreeBSD Boot Loader16.1.4. Tru64 Dynamic Kernel Configuration
16.2. HP-UX
16.3. Linux
16.3.1. Using lilo16.3.1.1. Using a graphical message screen16.3.1.2. lilo and Windows16.3.1.3. More complex booting scenarios16.3.1.4. lilo’s -r option16.3.1.5. The boot.message file16.3.2. The Grub Boot Loader16.3.3. Booting a Linux System with syslinux16.3.4. Restoring the DOS Master Boot Program16.3.5. Booting Alpha Linux Systems16.3.6. Linux Loadable Modules
16.4. Solaris
16.5. AIX System Parameters
17. Accounting
17.1. Standard Accounting Files
17.2. BSD-Style Accounting: FreeBSD, Linux, and AIX
17.2.1. Enabling and Disabling Accounting17.2.2. Merging Accounting Records into the Summary Files17.2.3. After a Crash17.2.4. Image-Based Resource Use Reporting: sa17.2.5. Connect Time Reporting: ac
17.3. System V-Style Accounting: AIX, HP-UX, and Solaris
17.3.1. Setting Up Accounting17.3.2. Accounting Reports17.3.3. Solaris Project-Based Extended Accounting17.3.4. The upacct Package
17.4. Printing Accounting
17.4.1. Printer Accounting Under LPRng
18. The Profession of System Administration
SAGE: The System Administrators Guild
Administrative Virtues
A. Administrative Shell Programming
A.1. Basic Syntax
A.1.1. I/O RedirectionA.1.2. The dot CommandA.1.3. Return Codes and the exit CommandA.1.4. Compound CommandsA.1.5. Command SubstitutionA.1.6. Argument Symbols and Other $ AbbreviationsA.1.7. Variable SubstitutionA.1.7.1. bash variable substitution extensionsA.1.8. Variable Double Dereferencing
A.2. The if Statement
A.2.1. The test Command (a.k.a. [ )
A.3. Other Control Structures
A.3.1. The while and until CommandsA.3.2. The case CommandA.3.3. The for CommandA.3.3.1. The bash arithmetic for loopA.3.4. The Null Command
A.4. Getting Input: The read Command
A.4.1. The bash select command
A.5. Other Useful Commands
A.5.1. setA.5.2. evalA.5.3. printfA.5.4. exprA.5.4.1. bash integer arithmeticA.5.4.2. bash arrays
A.6. Shell Functions
A.6.1. bash Local Variables
About the Author
Colophon
Copyright

Content preview from Essential System Administration, 3rd Edition

Hardening Unix Systems

Throughout this chapter, I’ve been suggesting that systems ought to provide only the minimum amount of services and access that are needed. This is especially true for important server systems, especially—but not limited to—ones at site boundaries. The process of making a system more secure than the level the default installed operating system provides is known as hardening the system.

In this section, we’ll look at the general principles of system hardening. Naturally, the actual process is very operating system-specific. Some vendors provide information and/or tools for automating some of the process. There are also some open source and commercial tools related to this topic. Here is a list of helpful websites related to system hardening that are available at this writing (July 2002):

AIX

http://biss.beckman.uiuc.edu/security/workshops/1999-10/

FreeBSD

http://www.trustedbsd.org

http://draenor.org/securebsd/

HP-UX

http://www.interex.org/conference/iworks2001/proceedings/5103/5103.pdf

http://www.bastille-linux.org (This tool works under HP-UX as well.)

Linux

http://www.linux-sec.net/Distro/distro.gwif.html

http://www.bastille-linux.org

Solaris

http://wwws.sun.com/software/security/blueprints/

http://www.yassp.org

Tru64

http://www.maths.usyd.edu.au/u/psz/securedu.html

Tip

Many operating systems are available in an enhanced security or “trusted” version. This is true of AIX, HP-UX, Solaris, and Tru64. There are several heightened-security Linux distributions and BSD projects ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Unix® and Linux® System Administration Handbook, Fourth Edition

Publisher Resources

ISBN: 0596003439Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Essential System Administration, 3rd Edition

by Æleen Frisch

Hardening Unix Systems

Tip

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Unix® and Linux® System Administration Handbook, Fourth Edition

Modern System Administration

TCP/IP Network Administration, 3rd Edition

Red Hat RHCSA 8 Cert Guide: EX200, 2nd Edition

Publisher Resources