book

Red Hat Enterprise Linux 8 Administration

by Miguel Pérez Colino, Pablo Iranzo Gómez, Scott McCarty

November 2021

Intermediate to advanced

534 pages

10h 18m

English

Packt Publishing

Read now

Unlock full access

ContributorsAbout the authorsAbout the reviewer
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesDownload the color imagesConventions usedGet in touchShare Your Thoughts
Technical requirements Obtaining RHEL software and a subscriptionInstalling RHEL8 Preparation for a physical server installationPreparation for a virtual server installationRunning an RHEL installation Summary
Technical requirements Automating RHEL deployments with AnacondaDeploying RHEL on the cloudInstallation best practicesSummary
Logging in as a user and managing multi-user environmentsUsing the root accountUsing and understanding the command promptChanging users with the su command Understanding users, groups, and basic permissionsUsersGroupsFile permissionsUsing the command line, environment variables, and navigating through the filesystemCommand line and environment variablesNavigating the filesystemBash autocompleteFilesystem hierarchyUnderstanding I/O redirection in the command lineFiltering output with grep and sed Listing, creating, copying, and moving files and directories, links, and hard links DirectoriesCopying and movingSymbolic and hard linksUsing tar and gzipCreating basic shell scriptsfor loopsif conditionalsExit codesUsing system documentation resourcesMan pagesInfo pagesOther documentation resourcesSummary
Technical requirementsManaging system services with systemdSystemd unit file structureManaging services to be started and stopped at bootManaging boot targetsScheduling tasks with cron and systemdSystem-wide crontabUser crontabSystemd timersLearning about time synchronization with chrony and NTPNTP clientNTP serverChecking for free resources – memory and disk (free and df)MemoryDisk spaceCPULoad averageOther monitoring toolsFinding logs, using journald, and reading log files, including log preservation and rotationLog rotationSummary
Creating, modifying, and deleting local user accounts and groupsManaging groups and reviewing assignmentsAdjusting password policies Configuring sudo access for administrative tasksUnderstanding sudo configurationUsing sudo to run admin commandsConfiguring sudoersChecking, reviewing, and modifying file permissions Using special permissionsUnderstanding and applying Set-UIDUnderstanding and applying Set-GIDUsing the sticky bitSummary
Technical requirementsExploring network configuration in RHELGetting to know the configuration files and NetworkManagerConfiguring network interfaces with IPv4 and IPv6IPv4 and IPv6... what does that mean?Configuring interfaces with nmtuiConfiguring interfaces with nm-connection-editorConfiguring interfaces with nmcliConfiguring interfaces with text filesConfiguring hostname and hostname resolutions (DNS)Overview of firewall configurationConfiguring the firewallTesting network connectivitySummary
RHEL subscription registration and managementManaging repositories and signatures with YUM/DNFDoing software installations, updates, and rollbacks with YUM/DNFCreating and syncing repositories with createrepo and reposyncUnderstanding RPM internalsSummary

Technical requirementsSSH and OpenSSH overview and base configurationOpenSSH serverOpenSSH clientAccessing remote systems with SSHKey-based authentication with SSHSSH agentSCP/rsync – remote file managementTransferring files with an OpenSSH secure file copyTransferring files with sftpTransferring files with rsyncAdvanced remote management – SSH tunnels and SSH redirectionsRemote terminals with tmuxSummary
Introduction to the RHEL firewall – firewalldEnabling firewalld in the system and reviewing the default zonesReviewing the different configuration items under firewalldEnabling and managing services and ports Creating and using service definitions for firewalldConfiguring firewalld with the web interfaceSummary
Technical requirementsSELinux usage in enforcing and permissive modesReviewing the SELinux context for files and processesTweaking the policy with semanageRestoring changed file contexts to the default policyUsing SELinux Boolean settings to enable servicesSELinux troubleshooting and common fixesSummary
Getting started with OpenSCAP and discovering system vulnerabilitiesUsing OpenSCAP with security profiles for OSPP and PCI DSSScanning for OSPP complianceScanning for PCI DSS complianceSummary
Technical requirementsLet's start with a definitionA bit of historyPartitioning disks (MBR and GPT disks)Formatting and mounting filesystemsSetting default mounts and options in fstab Using network filesystems with NFSSummary
Technical requirementsUnderstanding LVMCreating, moving, and removing physical volumesCombining physical volumes into volume groupsCreating and extending logical volumesAdding new disks to a volume group and extending a logical volumeRemoving logical volumes, volume groups, and physical volumes Reviewing LVM commandsSummary
Technical requirementsUnderstanding StratisInstalling and enabling Stratis Managing storage pools and filesystems with StratisPreparing systems to use VDOCreating a VDO volumeAssigning a VDO volume to an LVM volumeTesting a VDO volume and reviewing the statsSummary
Understanding the boot process – BIOS and UEFI bootingWorking with GRUB, the bootloader, and initrd system imagesManaging the boot sequence with systemdIntervening in the boot process to gain access to a systemSummary
Technical requirementsIdentifying processes, checking memory usage, and killing processesAdjusting kernel scheduling parameters to better manage processesInstalling tuned and managing tuning profilesCreating a custom tuned profileSummary
Technical requirementsIntroduction to containersInstalling container toolsRunning a container using Podman and UBIBasic container management – pull, run, stop, and removeAttaching persistent storage to a containerDeploying a container on a production system with systemdBuilding a container image using a Dockerfile or ContainerfileConfiguring Podman to search registry serversSummary of Podman optionsWhen to use Buildah and SkopeoBuilding container images with BuildahInspecting a remote container with SkopeoSummary
Technical requirements Tips for the exercisePractice exercise 1ExercisesExercise 1 resolution1. Configuring the time zone to GMT2. Allowing password-less login to the root user using SSH3. Creating a user named 'user' that can connect to the machine without a password4. The user 'user' should change their password every week, with 2 days' warning and 1 day of usage once expired5. The root user must be able to SSH as 'user' without a password, so that nobody can connect remotely as the root user using a password6. The user 'user' should be able to become root and execute commands without a password 7. When a user tries to log in over SSH, display a legal message about not allowing unauthorized access to this system8. SSH must listen on port 22222 instead of the default one9. Creating a group named 'devel'10. Making 'user' a member of 'devel'11. Storing user membership in a file called 'userids,' in a home folder for 'user'12. The user 'user' and root user should be able to connect to the localhost via SSH, without specifying the port, and default to compression for the connection13. Finding all man page names in the system, and putting the names into a file named 'manpages.txt'14. Printing usernames for users without a login, so they can be permitted access to the system, and printing the user ID and groups for each user15. Monitoring available system resources every 5 minutes without using cron, and storing them as /root/resources.log16. Adding a per-minute job to report the available percentage of free disk space and storing it in /root/freespace.log, so that it shows the filesystem and free space17. Configuring the system to only leave 3 days of logs18. Configuring log rotation for /root/freespace.log and /root/resources.log19. Configuring time synchronization against pool.ntp.org with fast sync20. Providing NTP server services for subnet 172.22.0.1/2421. Configuring system stats collection every minute22. Configuring the password length in the system for users to be 12 characters23. Creating a bot user called 'privacy,' which keeps its files only visible to itself by default24. Creating a folder named /shared that can be accessed by all users, and defaults new files and directories to still be accessible to users of the 'devel' group25. Configuring a network connection with IPv4 and IPv6 addressing named 'mynic,' using the provided data Ip6, as follows: 2001:db8:0:1::c000:207/64 g gateway 2001:db8:0:1::1 IPv4 192.0.1.3/24 gateway 192.0.1.126. Allowing the host to use a google hostname to reach www.google.com, and a redhat hostname to reach www.redhat.com 27. Reporting the files modified from those that the vendor distributed, and storing them in /root/altered.txt28. Making our system installation media packages available via HTTP under the path /mirror for other systems to use it as the mirror, and configuring the repository in our system. Removing the kernel packages from that mirror so that other systems (even ours) can't find new kernels. Ignoring the glibc packages from this repo to be installed without removing them29. As 'user,' make a copy of the /root folder in the /home/user/root/ folder, and keep it in sync every day, synchronizing additions and deletions30. Checking whether our system conforms to the PCI-DSS standard31. Adding a second hard drive of 30 GB to the system, but using only 15 GB to move the mirror to it, making it available at boot using compression and deduplication, and available under /mirror/mirror32. Configuring the filesystem to report at least 1,500 GB in size, to be used by our mirrors33. Creating a second copy of the mirror under /mirror/mytailormirror and removing all packages starting with k*34. Creating a new volume in the remaining space (15 GB) of the hard drive and using it to extend the root filesystem35. Creating a boot entry that allows us to boot into emergency mode in order to change the root password36. Creating a custom tuning profile that defines the readahead to be 4096 for the first drive and 1024 for the second drive – this profile should also crash the system should an OOM event occur37. Disabling and removing the installed httpd package, and setting up the httpd server using the registry.redhat.io/rhel8/httpd-24 image
Technical requirements Tips for the exercisePractice exercise – 2ExercisesAnswers to practice exercise 21. Download the necessary file from this book's GitHub repository at https://raw.githubusercontent.com/PacktPublishing/Red-Hat-Enterprise-Linux-8-Administration/main/chapter-19-exercise2/users.txt2. Use the users.txt file to generate users in the system in an automated way using the values provided, in the following order: username, placeholder, uid, gid, name, home, shell3. Create a group named users and add that group as the primary group to all users, leaving their own groups, named after each user, as secondary groups4. Change the home folders for the users so that are group owned5. Set up an HTTP server and enable a web page for each user, with a small introduction for each that is different between users 6. Allow all the users in the users group to become root without a password7. Create SSH keys for each user and add each key to root and the other users so that each user can SSH like the other users; that is, without a password8. Disable password access to the system with SSH9. Set each user with a different password using /dev/random and store the password in the users.txt file in the second field of the file10. If the number of letters in the username is a multiple of 2, add that fact to each users description web page 11. Create a container that runs the yq Python package12. Configure password aging for users that are not a multiple of 2 so that they're expiring13. Configure the daily compressed log rotation for a month of logs using date-named files14. Save all the logs generated in the day in /root/errors.log15. Install all the available updates for system libraries16. Repair the broken rpm binary using a previously downloaded package available in the /root folder17. Make all the processes that are executed by the user doe run with a low priority and the ones from john run with a higher priority (+/- 5)18. Make the system run with the highest throughput and performance19. Change the system network interface so that it uses an IP address that's higher than the one it was using. Add another IPv6 address to the same interface20. Create and add /opt/mysystem/bin/ to the system PATH for all users21. Create a firewall zone, assign it to an interface, and make it the default zone22. Add a repository hosted at https://myserver.com/repo/ with GPG key from https://myserver.com/mygpg.key to the system since our server might be down. Configure it so that it can be skipped if it's unavailable
Other Books You May EnjoyPackt is searching for authors like youShare Your Thoughts

Content preview from Red Hat Enterprise Linux 8 Administration

Chapter 9: Securing Network Connectivity with firewalld

A great mentor and technologist working with military restricted environments once told me that "The only secure system is the one that is switched off, disconnected from any network, and buried in the middle of the desert." He is right, of course, but we must provide a service to make the system useful. This means having it running and connected to a network.

One of the techniques that's used in security to reduce incidents, such as avoiding unexpected exposure to a vulnerability and enabling unauthorized remote access, is reducing the attack surface and applying defense in depth principles. When you do that in a network, step one is filtering connections using a firewall. The firewall ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Red Hat Certified Engineer (RHCE) Study Guide: Ansible Automation for the Red Hat Enterprise Linux 8 Exam (EX294)

Publisher Resources

ISBN: 9781800569829Supplemental Content

Red Hat Enterprise Linux 8 Administration

by Miguel Pérez Colino, Pablo Iranzo Gómez, Scott McCarty

Chapter 9: Securing Network Connectivity with firewalld

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Red Hat Certified Engineer (RHCE) Study Guide: Ansible Automation for the Red Hat Enterprise Linux 8 Exam (EX294)

Red Hat RHCSA 8 Cert Guide: EX200

Red Hat RHCSA 8 Cert Guide: EX200, 2nd Edition

Red Hat and IT Security: With Red Hat Ansible, Red Hat OpenShift, and Red Hat Security Auditing

Publisher Resources

Chapter 9: Securing Network Connectivity with firewalld

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Red Hat Certified Engineer (RHCE) Study Guide: Ansible Automation for the Red Hat Enterprise Linux 8 Exam (EX294)

Red Hat RHCSA 8 Cert Guide: EX200

Red Hat RHCSA 8 Cert Guide: EX200, 2nd Edition

Red Hat and IT Security: With Red Hat Ansible, Red Hat OpenShift, and Red Hat Security Auditing

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.