RHCE EXAM Package Management

QUE 1:- Configure your server to use a separate YUM repository. Solution: -

# vim /etc/yum.repos.d/server.repo
[Base] Name=rhcsa baseurl=ftp ://< server IP add>/pub/<path> gpgcheck=0 enable=1

# yum clean all # yum list all

QUE 2:- Build a simple rpm package. Download the redhat-release SRPM from the materials directory in server machine Solution: - Open a web browser and type URL http://server.example.com/pub/materials and download Redhat-release package under /root

# yum install rpm-build # rpm ivh redhat-release-6-6.0.0.24.el6.src.rpm # cd /root/rpmbuild # cd SPECS # rpmbuild ba redhat-release.spec (here -ba =build binary & source package) # cd

Security & Access Management

QUE 3:- How you can use firewall or tcpwrappers as a Security measure. Note: tcpwrappers used as a Security measure for RHCSA Exam So Firewall wiil be disable Solution: -

# iptables F # chkconfig iptables off # service iptables save # service iptables stop # service iptables status
Note: - Tcpwrappers are measures in /etc/hosts.allow and /etc/hosts.deny. QUE 4:- Selinux must be in enforcing mode Solution: -

# vim /etc/sysconfig/selinux
SELINUX=enforcing

# setenforce 1 (to set selinux mode) # getenforce (to view selinux mode)
Enforcing

# reboot

Kernel management
QUE 5.1:- Configure the Kernel parameter for forwarding your IP or Enable IP forwarding. Solution: -

# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

# sysctl p
QUE 6.1:- Add the kernel parameter kernctl=5 to the kernel command line in /boot/grub/grub.conf Or QUE 6.2:- Pass a kernel boot line argument sysvctl, make it permanent & it should be displayed by cat /proc/cmdline. Solution: - Open a grub.conf file and edit the kernel arguments

# vim /boot/grub/grub.conf
Kernctl=5
Or

sysvctl

# reboot
Check the modified kernel arguments using command line

# cat /proc/cmdline

SSH server
QUE 7.1:-Configure SSH Server. Only example.com domain's persons can come in to your machine and remote.test domain's persons cannot for SSH. Or QUE 7.2:-Configure SSH access as follows: 1. Harry has remote SSH access to your machine from within example.com. 2. Clients within my133t.org should NOT have access to ssh on your system. Solution: -

# chkconfig sshd on # service sshd restart # vim /etc/hosts.allow

sshd: .example.com

# vim /etc/hosts.deny
sshd: .remote.test Or sshd: .my133t.com (Note: while using hosts.deny & hosts.allow file wild cards should not be used)

Scheduling Tasks
QUE 8.1:- To Deny cron service for sarsha user and allow cron service for all users Or QUE 8.2:- bertarm should not set crontab for himself; other users must configure crontab for themselves. Solution: - Create said user if user does not exit

# useradd sarsha # passwd sarsha # vim /etc/cron.deny

Sarsha

or or or

# useradd bertarm # passwd bertarm # vim /etc/cron.deny

bertarm

Note: By default all user access cron service

Advance Filesystem Administration

QUE 9.1:- Download iso file from server under /root and Mount iso file in /mnt/virtdisk Or QUE 9.2: boot.iso is available in /root directory. Mount it under /mnt/discimg directory for permanently. Solution: -

# yum install wget # cd /root # wget http://server.example.com/pub/disk.iso # mkdir /mnt/virtdisk # vim /etc/fstab
/root/disk.iso /mnt/virtdisk iso9660 defaults,loop 00

# mount -a # df -Th
QUE.10.1:- Connecting to Cold Storage SAN that will be configured to access its own dedicated iscsi target, iscsi target IP is 172.24.48.254, iscsi target iqn.201009.com.example:rdisks.serverX, Partition, format and mount to /cold storage Solution: - Install iscsi package

# yum install iscsi*

Connect to the target

# iscsiadm -m discovery -t st -p 172.24.48.254

Then display your iscsi target with start iqn

# vim /etc/iscsi/initiatorname.iscsi
InitatorName=iqn.2010-09.com.example:rdisks.serverX

# chkconfig iscsid on # service iscsid restart # iscsiadm -m node -T iqn.2010-09.com.example:rdisks.serverX p 172.24.48.254 l # tail /var/log/messages (determine the device name of the iscsi device in the log files) # fdisk /dev/sda (Create a partition table on the device as required) # mkfs.ext4 /dev/sda1 (create a file system on partition) # mkdir /coldstorage (create a mount point for partition) # blkid /dev/sda1 (determine UUID of partition) # vim /etc/fstab (create partition mountable on every reboot)
UUID=XXXX-XXXX-XXXX-XXXX /coldstorage ext4, _netdev 00

# mount -a # df -Th
QUE 10.2:- ISCSI server is available in host.domain60.example.com (172.24.60.250) server for you. a. Create a 1200 MiB partition. b. Format it by ext4 filesystem. c. Copy a file from ftp://rhgls.domain60.example.com/pub/iscsi/iscsi.txt

d. DOT NOT make any modifications to the content of iscsi.txt e. This partition must be permanently available by /etc/fstab. Solution: Install iscsi package

# yum install iscsi* wget

Connect to the target

# iscsiadm -m discovery -t st -p 172.24.60.250

Then display your iscsi target with start iqn

# vim /etc/iscsi/initiatorname.iscsi
InitatorName=iqn.2010-09.com.example:rdisks.serverX

# chkconfig iscsid on # service iscsid restart # iscsiadm -m node T iqn.2010-09.com.example:rdisks.serverX p 172.24.60.250 l # tail /var/log/messages (determine the device name of the iscsi device in the log files) # fdisk /dev/sda (Create a partition table on the device as required) # mkfs.ext4 /dev/sda1 (create a file system on partition) # mkdir /coldstorage (create a mount point for partition) # blkid /dev/sda1 (determine UUID of partition) # vim /etc/fstab (create partition mountable on every reboot)
UUID=XX-XX-XX-XX /coldstorage ext4, _netdev 00

# mount -a # df Th

DNS Server administration

QUE 11:- Configure a caching-only DNS server that forwards requests to the physical host system Solution: -

# yum install bind

Modify the named configuration file

# vim /etc/named.conf
listen-on port 53 {any ;}; listen-on port 53 {any ;}; allow-query {localhost; 172.24.48.0/24 ;}; forwarders {172.24.48.254 ;}; Dnssec-query no;

# chkconfig named on # service named restart

Test from the desktop X system (where X is a machine number)

# host serverX.example.com 172.24.48.X (where X is a machine number)

NFS Server Administration

QUE 12.1:- Export your /common directory via NFS to the example.com domain only.

# mkdir /common # vim /etc/export

/common *.example.com(ro,sync)

# chcon -R --reference=/var/ftp/pub

/common

# exportfs -ra # chkconfig nfs on # service nfs restart # showmount -e x.x.x.x (where as x.x.x.x is IP of nfs server)
QUE 12.2:- Export /share directory, allow example.com and deny all. The exported directory must be automatically mounted under /net/misc/serverX. Solution: -

# mkdir /share # vim /etc/exports

/share *.example.com(ro,sync)

# exportfs -ra # chkconfig nfs on # service nfs restart # showmount -e x.x.x.x # vim /etc/auto.master
/net/misc/serverX

(Where as x.x.x.x is IP of nfs server)

/etc/auto.misc (Where X is a your machine number) serverx.example.com:/share (Where as serverx is nfs server)

# vim /etc/auto.misc
Share -ro,sync,intr

# service autofs stop # service autofs start # chcon -R --reference=/var/ftp/pub # cd /net/misc/serverX # cd share

/share

(setting Selinux permission)

FTP Server Administration

QUE 13.1:- Configure ftp server. Make access to example.com and deny all. Or QUE 13.2:-Configure FTP access on your system: a. Clients within the example.com domain should have anonymous FTP access. b. Clients outside example.com should NOT have access to your service. Solution: -

# yum install vsftpd ftp # chkconfig vsftpd on # service vsftpd restart # vim /etc/hosts.deny
Vsftpd: ALL EXCEPT .example.com

QUE 14:- Set up drop-box for anonymous upload should be enabled on /var/ftp/upload, Anonymous Should connects as wx and allow for only your domain Solution: - Open a Configuration File and uncomment a line

# vim /etc/vsftpd/vsftpd.conf

anon_upload_enable=YES anon_mkdir_write_enable=YES

# mkdir /var/ftp/upload # chgrp ftp /var/ftp/upload # chmod 730 /var/ftp/upload # yum install libsemanage* # yum install libsemanage-python # yum install policycoreutils* # chkconfig vsftpd on # service vsftpd restart # semanage fcontext -a t public_content_rw_t /var/ftp/upload (/.*)? # restorecon -vvFR /var/ftp/upload # getsebool -a | grep ftp # setsebool -P allow_ftpd_anon_write=1 # setsebool -P allow_ftpd_full_access=1 # setsebool -P ftp_home_dir=1

Samba Server Administration

QUE 15.1:- Configure CIFS server. Share /share directory in such a way that only persons sitting in example domain whose workgroup is RHCEGROUP and the name of the share will be share. The share must be read only and the share must be browseable and accessible by user jerry only. Solution: - Install samba package

# yum install samba

Open smb.conf file and edit

# vim /etc/samba/smb.conf
workgroup = RHCEGROUP (Edit a line) hosts allow = 127. 172.24.48. (Open semicolon and edit line) [share] comment = samba server path = /share writable = no browseable = yes valid users = jerry

# Smbpasswd -a jerry # chkconfig smb on # service smb restart # getsebool -a | grep samba # setsebool -P samba_create_home_dirs=1 # setsebool -P samba_domain_controller=1 # setsebool -P samba_enable_home_dirs=1 # setsebool -P samba_export_all_ro=1 # setsebool -P samba_export_all_rw=1 # setsebool -P use_samba_home_dirs=1

# getsebool -a | grep smb # setsebool -P allow_smbd_anon_write=1 # smbclient //server.example.com/share -u jerry Password: Smb:\>
QUE 15.2:- Share the /common directory via SMB: a. Your SMB server must be a member of the STAFF workgroup b. The shares name must be common c. The common share must be available to example.com domain clients only. d. The common share must be browseable. e. Harry must have read access to the share, authenticating with the same password roxicant, if necessary. Solution: - Install samba package

# yum install samba

Open smb.conf file and edit

# vim /etc/samba/smb.conf
workgroup = STAFF (This is name of workgroup) hosts allow = 127. *.example.com (Open semicolon and edit line) [common] (This is share name) comment = Samba Server path = /common (This is shared path) writable = no (Write access can be mentioned here) browseable = yes valid users = Harry (Valid user should be mentioned here) # Smbpasswd -a harry (set samba login passwd for harry as roxicant)

# chkconfig smb on # service smb restart # getsebool -a | grep samba # setsebool -P samba_export_all_ro=1 (Setting read only access to shared path) # getsebool -a | grep smb # setsebool -P allow_smbd_anon_write=0 (Setting anonymous access off) # smbclient //server.example.com/share -u jerry (accessing samba share) Password: Smb:\>

Web Server Administration

QUE 16.1:- Configure the http server with document root is the default path. Get your html page from the server server.example.com/pub/serverX.html. Do not change the contents of your html page. Or Solution: 1. Install the packages required for configuring http server

# yum install httpd wget

2. Configure http server with document root default path

# vim /etc/httpd/conf/httpd.conf
< VirtualHost *:80> ServerAdmin DocumentRoot ServerName </VirtualHost >
3. Setting html page from given path

root@serverX.example.com /var/www/html serverX.example.com

(Where X is a your machine number)

# cd /var/www/html # wget http://server.example.com/pub/serverX.html # mv serverX.html index.html # chcon -R --reference=/var/www/html index.html # chkconfig httpd on # service httpd restart
4. Testing http server

# elinks http://serverX.example.com

(Where X is a machine number)

QUE 16.2:- Extend by your web server to host virtual site wwwX.example.com. Document root should be /var/www/virtual. Get your html page from server server/pub/wwwX.html to its document root as index.html. John should be able to write contents to /var/www/virtual Solution: - Open Configuration file & uncomment the line NameVirtualHost *:80 to enable virtual hosting

# vim /etc/httpd/conf/httpd.conf
NameVirtualHost *:80 (Uncomment this line to enable virtual hosting) < VirtualHost *:80> ServerAdmin root@serverX.example.com DocumentRoot /var/www/virtual ServerName wwwX.example.com </VirtualHost > (Where as wwwX.example.com is virtual host name)

# mkdir /var/www/virtual # cd /var/www/virtual # wget http://server.example.com/pub/wwwX.html # mv wwwX.html index.html # chcon -R --reference=/var/www/html /var/www/virtual # chkconfig httpd on # service httpd restart # elinks http://wwwX.example.com (Where X is a machine number)
Enable Access control to filesystem for giving write access to John to /var/www/virtual

# vim /etc/fstab
/dev/mapper/GLSvg-GLSroot / ext4 defaults,acl 1 1 (Note by default need to enable acl in rhel6)

# mount -o remount; / # mount

# setfacl -m u:john:rwx /var/www/virtual

QUE 16.6:- Extend by your web server to host local site localhost.localdomain. Document root should be /var/www/localhost. Get your html page from server server/pub/local.html to its doc root as index.html. Solution: - Open Configuration file and last 7 line Copy and paste. Change the lines number (1, 2, 3, 4, 7) and uncomment changes line. (Line number 5 and 6 will be commented)

# vim /etc/httpd/conf/httpd.conf
< VirtualHost *:80> ServerAdmin root@serverX.example.com (Where X is a your machine number) DocumentRoot /var/www/localhost ServerName localhost.localdomain </VirtualHost >

# mkdir /var/www/localhost # cd /var/www/localhost # wget http://server.example.com/pub/local.html # mv local.html index.html # chcon -R --reference=/var/www/html /var/www/localhost # chkconfig httpd on # service httpd restart # elinks http://localhost.localdomain
QUE 20:- Creating a Custom Self-Signed Certificate for servserX.example.com that will expire after a year. The certificate should have the following characteristics: The key should be 1024 bits and should not be encrypted Country code = local country State = local state Locality = local city Organization = Red Hat Inc. Common name = serverX.example.com Solution: 1. Install following packages for generating certificate

# yum install crypto-utils mod_ssl # genkey --days 365 serverX.example.com

Provide the appropriate input as required while generating certificate & note down the path of newly generated certificate file & certificate key 2. Open the /etc/httpd/conf.d/ssl.conffile & change the path of SSLCertificateFile & SSLCertificateFile as follows

# vim /etc/httpd/conf.d/ssl.conf
# SSLCertificateFile /etc/pki/tls/certs/localhost.crt (old path) SSLCertificateFile /etc/pki/tls/certs/serverX.example.com.crt # SSLCertificateKeyFile /etc/pki/tls/private/localhost.key (old path) SSLCertificateKeyFile /etc/pki/tls/private/serverX.example.com.key

3. Restart the httpd service

# service httpd restart

QUE 16.2: Implement a web server for the site http://station.domain60.example.com, and then perform the following steps: a. Download ftp://server1.example.com/pub/rhce/station.html b. Rename the downloaded file to index.html

c. Copy this index.html to the DocumentRoot of your web server. d. DO NOT make any modifications to the content of index.html. QUE 16.4:- Extend your web server to include a virtual host for the site http://www.domain60.example.com then perform the following steps: a. Set the DocumentRoot to /var/www/virtual b. Download ftp://server1.example.com/pub/rhce/www.html c. Rename the downloaded file to index.html d. Place this index.html in the DocumentRoot of the virtual host. e. DO NOT make any modifications to the content of index.html f. Ensure that harry is able to create content in /var/www/virtual. QUE 16.5: - Create a secret directory in the default DocumentRoot of http://host.domain60.example.com a. Download ftp://server1.example.com/pub/rhce/station.html to secret directory b. Rename the downloaded file to index.html c. DO NOT make any modifications to the content of index.html d. secret is access by any user from your localhost only e. Other networks host should be deny to access secret.

Mail Server Administration

QUE 17.1:- Configure Postfix. Set up Intranet E-mail for user john. Johns mail should me spooled to /var/spool/mail/john. Your server should accept from remote networks. Solution: -

# yum install postfix

Open a main.cf config file and edit the line

# vim /etc/postfix/main.cf
myhostname = serverX.example.com mydomain = example.com myorigin = $myhostname myorigin = $mydomain inet_interfaces = all #inet_interfaces = localhost (Uncomment a line and edit) (Uncomment a line and edit) (Uncomment a line) (Uncomment a line) (Uncomment a line) (Comment a line)

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

(Uncomment a line) mynetworks =127.0.0.1/8, 172.24.48.0/24 (Uncomment a line and edit) relay_domains = $mydestination (Uncomment a line) relayhost = $mydomain (Uncomment a line)

#chkconfig postfix on #service postfix restart

QUE 17.2:- Configure SMTP mail service according to the following requirements:

a. Your mail server should access mail from remote hosts and localhost. b. Harry must be able to receive mail from remote hosts c. Mail delivered to harry should spool into the default mail spool for harry i.e. /var/spool/mail/harry. Solution: QUE 18:- Configure a POP3 server. Allow only example.com network and deny all for POP3 server. Solution: -

# yum install dovecot

Open dovecot.conf file and uncomment a line

# vim /etc/dovecot/dovecot.conf
Protocols = imap pop3 lmtp

# chkconfig dovecot on # service dovecot restart # vim /etc/hosts.deny

dovecot: ALL EXCEPT .example.com
QUE 19.1:- Configure mail aliases. User jerry should get the mail of principal. Solution: -

# vim /etc/aliases
Principal: jerry

# newaliases
QUE 19.2:-Configure an email alias from your MTA such that mail sent to admin is received by the local user Natasha. Solution: -

Shell Scripting
QUE 21.1:- Using Bash shell Scripts write a shell scripts for the following: 1) Type a redhat than display your output linux 2) Type a linux than display your output redhat 3) If both option are not using than display your output redhat linux Solution: -

# vim scripts
echo please type redhat or linux: read c case $c in redhat) echo linux ;; linux) echo redhat ;; *) echo redhat linux ;; esac

# sh scripts
QUE 21.2:- Write a shell script as naming bar.sh stored on /root which meet following requirements: 1. When we give input as foo, it should print bar 2. If we give input as bar, it should print foo 3. If we give any other input rather than foo or bar, it should print /root/bar.sh foo|bar as an error. Solution: -