RHCSA Study Guide RHEL 6

by on February 9, 2013 at 9:29 pm

If you are considering obtaining a certification in Linux to advance your career, a great certificate to hold is the Red Hat Certified System Administrator (RHCSA).  Red Hat is the premier enterprise Linux distribution, used in countless production environments worldwide.  Red Hat certifications require a candidate to sit for a practical exam; there are no multiple choice questions, you must actually configure a live system.

Please excuse the formatting of this post.  I am working to clean it up.
Throughout the web, you can find a collection of study guides for the RHCSA.  I have created my own, which is a collection of my own notes and the notes of others.  I highly recommend using the following book:
RHCSA/RHCE Red Hat Linux Certification Study Guide (Exams EX200 & EX300), 6th Edition (Certification Press)

Current exam objectives can be found here:  http://www.redhat.com/training/courses/ex200/examobjective

SELinux user guide:  http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3028666

User experiences / tips from the web:

1. Do not disable the firewall.
2. Yes, SELINUX must be in enforcing mode. Also, many of your configurations like samba(cifs, etc) will also be testing your knowledge of selinux.
3. Setup 2 or 3 machines, and practice, practice, and then practice some more.
4. The biggest challenge on both exams will be your ability to manage your time. This is even more important now because both exams are given on virtual machines…and also the actual test instructions will be on the screen. This means you will be flipping through different windows very often, which can be a huge time waster if you are not careful.
5. Oh yes….you must be very comfortable with RHEL 6 KVM setup. And just to be fair to Red Hat…they kind of gave us the hint…it is right there on both objectives…you must know how to use a KVM virtual machine.
6. Here is the kicker – you must know how to restrict access to machines and servers. Iptables can do a decent job of this but please don’t forget about tcp_wrappers and the /etc/hosts.deny and /etc/hosts.allow config files. Again, nothing new here because it is right there in the Red Hat objects. Essentially, if you can’t restrict access to machines and services properly then you are guaranteed to fail the RHCE exam, because most of that exam is about network services.
7. Almost forgot this one…Know how to setup/configure iscsi. Again, it is right there in the objectives.
8. Yes, as mentioned above setup at least 2 machines – better if they are virtual and practice, practice, practice, practice…..
9. 2 hours seems like a lot of time for the RHCE, but it goes by pretty quickly, so make sure you are well organized, and save every second that you can, even if it means using lots of cut & paste.
Consider resetting SELinux to its default context recursively. Know how to change a context using a reference context, and how to list all the available booleans and grep through them. Installing setroubleshoot may be a very good idea, and of course make sure you restart the audit daemon and syslog daemon afterwards. One might want to flush the firewall rules, and only block what needs to be blocked to achieve the test objectives. Don’t forget to SAVE your new firewall config so that it is persistent across a reboot.

 

My recommendations if you want to take it:
- Be calm, you have enough time
- Keep it simple. None of the solutions is complex.
- Read the tasks properly. Ask the tutor if unclear.
- Take a look at the system-config-* commands (time savers!)
- Remember to test not only inside the VM but from your Host too (important!)
Should you fail, ask for a re-takers rebate. The tutor told me that this is available (at least in Germany) if you ask for it. They don’t seem to advertise it though.

I went for my RHCSA this morning but failed by 40 marks. I went for the training, and true, while a lot of pointers were given, they seem to differ from what is given here. Like for SELinux, my instructor said that it was OK to set it to permissive as long as it wasn’t disabled! I mean when I first started, right after resetting the root password the first thing I did was to do a getenforce. I screwed up with my LDAP and autofs, because they had like 2-3 questions just based on that, and you have to make sure that your network interface is setup correctly at the very beginning of the exam, as well as your yum repo, and yum install everything, from ftp, httpd, kernel update to the policycoreutils-python package for the boolean parameters to work. Some questions were relatively easy, others I had to spend time doing.

Other people’s study guides

http://rhce.co/rhel6/Main_Page

http://sanketpadawe.blogspot.com/p/rhcsa-objectives.html

http://blog.tuxforge.com/rhcsa-exam/

http://controlprotocol.blogspot.com/2012/05/rhcsa-cheat-sheet.html

https://github.com/texastwister/OpenRHCE

Exam objectives

Red Hat reserves the right to add, modify, and remove objectives. Such changes will be made public in advance through revisions to this document.

RHCSA exam candidates should be able to accomplish the tasks below without assistance. These have been grouped into several categories.

Understand and use essential tools

  • Access a shell prompt and issue commands with correct syntax.
  • Use input-output redirection (>, >>, |, 2>, etc.).
  • Use grep and regular expressions to analyze text.
  • Access remote systems using ssh and VNC.
  • Log in and switch users in multiuser runlevels.
  • Archive, compress, unpack, and uncompress files using tar, star, gzip, and bzip2.

 

  • Create and edit text files.
  • Create, delete, copy, and move files and directories.
  • Create hard and soft links.
  • List, set, and change standard ugo/rwx permissions.
  • Locate, read, and use system documentation including man, info, and files in /usr/share/doc.

Note: Red Hat may use applications during the exam that are not included in Red Hat Enterprise Linux for the purpose of evaluating candidate’s abilities to meet this objective.

Operate running systems

  • Boot, reboot, and shut down a system normally.
  • Boot systems into different runlevels manually.
  • Use single-user mode to gain access to a system.
  • Identify CPU/memory intensive processes, adjust process priority with renice, and kill processes.

 

  • Locate and interpret system log files.
  • Access a virtual machine’s console.
Virtual Machine Text Console
With libguestfs-tools installed and the VM in question shut down, from the host:
# virt-edit {VMname} /boot/grub/menu.lst
There, append to the kernel line:
console=tty0 console=ttyS0
After saving, the following commands should allow a console-based view of the boot process and a console login:
# virsh start {VMname} ; virsh console {VMname}
Press ^] to disconnect from the console.
  • Start and stop virtual machines.

virsh start <vm name>

virsh shutdown <vm name> : Graceful shutdown

virsh destroy <vm name> : Power off virtual machine.

virsh autostart <vm name> : Start vm at boot.

  • Start, stop, and check the status of network services.

Configure local storage

  • List, create, delete, and set partition type for primary, extended, and logical partitions.
  • Create and remove physical volumes, assign physical volumes to volume groups, and create and delete logical volumes.
Create and remove physical volumes

#pvcreate /dev/sdb1

#pvremove /dev/sdb1

 

Assign physical volumes to volume groups

#vgcreate -s <PE size> vgname /dev/sdb1

(-s is optional and sets the physical extent size, e.g. -s 16M; the device argument is a physical volume prepared with pvcreate. vgextend adds a further physical volume to an existing group.)

 

Create and delete logical volumes

#lvcreate -L size -n lvname vgname

#lvremove /dev/vgname/lvname

  • Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot.

cryptsetup luksFormat /dev/sdb1 : Format any available partition (this destroys its existing contents and sets the passphrase).
cryptsetup luksOpen /dev/sdb1 newname : open the partition as the mapped device /dev/mapper/newname
mkfs.ext4 /dev/mapper/newname : Now format that mapped device with ext4
Now in /etc/crypttab enter
newname /dev/sdb1
(this will prompt for the decryption passphrase during bootup on the default console.)
Finally in /etc/fstab enter
/dev/mapper/newname /mountpoint ext4 defaults 1 2
or, if permanent changes are not required, then
mount /dev/mapper/newname /mountpoint
umount /mountpoint
Use cryptsetup luksClose <name> to remove the decryption mapping (unmount first).

  • Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label.
To find the UUID type

#blkid devicename

(devicename can be /dev/sdb1 etc.)

Then go in /etc/fstab and enter

UUID=… /mountpoint ext4 defaults 0 0

where you will get the UUID value from the blkid command.

Also ext4 can be replaced by the type of file system.

  • Add new partitions and logical volumes, and swap to a system non-destructively.

 

Using a file for SWAP

Overview of process for adding SWAP space using a file:

• create a pre-allocated file of the desired size, then set its mode to 0600 (the file holds memory pages once in use, and mkswap/swapon warn about insecure permissions otherwise):

dd if=/dev/zero of=/path/to/<swapfile> bs=1M count=<size in MB>

 

• Initialize as swap with mkswap /path/to/<swapfile>

• Add an /etc/fstab line:

/path/to/<swapfile> swap swap defaults 0 0

• Activate the new swap space with: swapon -a

Create and configure file systems

  • Create, mount, unmount, and use ext2, ext3, and ext4 file systems.
  • Mount, unmount, and use LUKS-encrypted file systems.
1) Select a free device, such as /dev/sdb2 or a logical volume.

cryptsetup luksFormat /dev/sdb2

(enter the passphrase that will be used for decryption and answer the prompts.)

cryptsetup luksOpen /dev/sdb2 newname

(this creates the new device /dev/mapper/newname)

mkfs.ext4 /dev/mapper/newname

mount /dev/mapper/newname /mnt

  • Mount and unmount CIFS and NFS network file systems.
CIFS

mount -t cifs //<servername>/<sharename> /mnt/point/ -o username=<username>,password=<password>,domain=<domain>

(A password given on the command line ends up in the shell history and is visible in the process list while mount runs; mount.cifs also accepts -o credentials=<file>, where the file holds username=, password= and domain= lines and should be readable by root only.)

#umount /mountpoint

 

NFS

#mount -t nfs hostname:/mountpoint /mountpoint

#umount /mountpoint

  • Configure systems to mount ext4, LUKS-encrypted, and network file systems automatically.
All these entries should be in /etc/fstab (obviously)

/dev/sda1 / ext4 defaults 1 1

For logical volumes, the preferred format is /dev/mapper/vg_name-LVName

NFS:

nfsserver:/mount_dir /mountpoint nfs defaults 0 0

CIFS:

//server/mount /mnt cifs defaults,username=user,password=password,domain=domain.local

(/etc/fstab is world-readable, so a password written there is exposed to every local user; the credentials=<file> option with a root-only file keeps it out of fstab.)

LUKS

first, in /etc/crypttab add

newname /dev/sdb2 none

next, in /etc/fstab add

/dev/mapper/newname /mnt ext4 defaults 1 2

 

This section also includes knowing how to use autofs (the automounter) by editing /etc/auto.master and related files.

  • Extend existing unencrypted ext4-formatted logical volumes.
For extending the logical volume /dev/vgname/lvname

#e2fsck -f /dev/vgname/lvname

#lvextend -L size /dev/vgname/lvname

#resize2fs /dev/vgname/lvname

(e2fsck must only be run on an unmounted file system. ext4 on RHEL 6 can be grown online, so with the volume mounted skip the e2fsck step and run lvextend followed by resize2fs. -L +size grows by the given amount rather than to an absolute size.)

  • Create and configure set-GID directories for collaboration.
chgrp groupname /path/to/dir

chmod g+s /path/to/dir

(New files created inside the directory then inherit its group. A leading 2 in a numeric mode, for example 2770, sets the same bit together with the rwx bits and keeps others out.)

  • Create and manage Access Control Lists (ACLs).
#getfacl filename

(will show file permissions and any ACL entries)

#setfacl -m u:user:rw- filename

(gives user read and write permission over filename)

#setfacl -x u:user filename   :   remove all permissions for user in the ACL.

#setfacl -b filename   :  remove all ACL entries.

#ll

shows files which have access control lists applied (“+” sign in the last column of the mode field)

Example: -rw-rw-r--+

  • Diagnose and correct file permission problems.

 

I’m banking on this one being as uncomplicated as it sounds…

Deploy, configure, and maintain systems

  • Configure networking and hostname resolution statically or dynamically.

Network Configuration Files

/etc/hosts : Static hostname-to-IP resolution.
/etc/resolv.conf : Client configuration for DNS.
/etc/sysconfig/network : Main system networking config file. Enables/disables networking in general, sets the hostname, and configures routing.
Note: /etc/sysconfig/networking/ is used by system-config-network and should not be manually edited.
/etc/sysconfig/network-scripts/ifcfg-<ifname> : Config file for each configured interface.
/etc/sysconfig/network-scripts/route-<name> : Config file for static routes (where needed)

Reference configuration settings: /usr/share/doc/initscripts-9.03.17/sysconfig.txt

 

  • Schedule tasks using cron.
crontab -e

crontab -eu user

min hour day month dayofweek command.

  • Configure systems to boot into a specific runlevel automatically.
  • Install Red Hat Enterprise Linux automatically using Kickstart.
Add ks=http://locationofmyfile.com/directory/ks.cfg to install line.
  • Configure a physical machine to host virtual guests.
  • Install Red Hat Enterprise Linux systems as virtual guests.
  • Configure systems to launch virtual machines at boot.
  • Configure network services to start automatically at boot.
  • Configure a system to run a default configuration HTTP server.
  • Configure a system to run a default configuration FTP server.
yum install vsftpd

service vsftpd start

(this should allow anonymous login by default; if not, edit /etc/vsftpd/vsftpd.conf and set anonymous_enable=YES)

  • Install and update software packages from Red Hat Network, a remote repository, or from the local file system.

Red Hat Network updates (requires subscription)
rhn_register

Configuration of repositories other than the RHN is accomplished through text configuration files located in the directory:
/etc/yum.repos.d/
• A configuration file for each repository (or group of related repos) should be created in /etc/yum.repos.d/
• The name of each repo config file should end in ".repo".

Yum Repository Mandatory Configuration Items
Repository ID: Short name for identifying this repository in reports
[MyRepo]
Name: Longer description of this repository
name=My Custom Repository
Baseurl: Protocol and location needed to locate the repo files.
baseurl=ftp://192.168.5.200/pub/rhel6

Yum Repository Common Optional Configuration Items
gpgcheck: Defines whether yum should validate package signatures. "0" = "off", "1" = "on". Leave it on unless the exam task says otherwise; with gpgcheck=0 yum installs whatever the repository serves.
gpgcheck=1
gpgkey: Defines (via URL) where the keys for signature validation are located (typically file:///etc/pki/rpm-gpg/<key name>)
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled (Optional): Defines whether this repository should be currently active. "0" = "off", "1" = "on".
enabled=1

 

RPM Cheat Sheet
# rpm -i[v,h] name-ver-rel.arch.rpm : Installs a package
rpm -U[v,h] name-ver-rel.arch.rpm : Upgrades a package if an older version was previously installed. Otherwise, simply installs the new version.
rpm -F[v,h] name-ver-rel.arch.rpm : Upgrades a package if an older version is installed. Otherwise, does nothing: it does not install new packages if no older version was installed.

Upgrading a Kernel
Always use #rpm -i … (the new kernel is installed alongside the old one, so the old one stays in the bootloader menu if the new one fails to boot)

Uninstalling
# rpm -e name[-ver][-rel]

RPM over a Network
# rpm -ivh ftp://{Host}/path/to/packagename-ver-rel.arch.rpm
# rpm -ivh http://{Host}/path/to/packagename-ver-rel.arch.rpm
And wildcard “globbing” is allowed:
# rpm -ivh http://{Host}/path/to/packagename*

rpm -qa lists all installed packages.
rpm -q pkg Reports the version of the package.
rpm -qf /path/file Reports which package provided the file.
rpm -qc pkg Lists all configuration files of the package.
rpm -qd pkg Lists all documentation of the package.
rpm -qi pkg Reports a description of the package.
rpm -ql pkg Lists all files contained in the package.
rpm -qR pkg Lists all dependencies.
rpm -q --scripts pkg Lists the scripts that run when installing/removing.
rpm -q{c|d|i|l|R}p /path/to/packagename-ver-rel.arch.rpm Reports the same info as above, but pulls info from the .rpm file instead of the rpm database.
rpm -V pkg (or --verify) Compares the installed files of a package against the RPM database (size, mode, owner, checksum, etc.) and reports changed files; rpm -Va checks every package. Package signatures are checked with rpm -K (--checksig), below.

Import GPG key, check sigs.
1. Import the Red Hat GPG public key (It can be found on the installation CD or in the /etc/pki/rpm-gpg/ directory):
# rpm --import /media/disk/RPM-GPG-KEY-redhat-release
or:
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
2. Check the signature of the package in question:
# rpm --checksig /path/to/package-ver-rel.arch.rpm

View a list of the packages originally installed on the system:
# less /root/install.log
View a list of the packages installed through yum:
# less /var/log/yum.log
Query the RPM database for the packages installed right now:
rpm -qa

  • Update the kernel package appropriately to ensure a bootable system.
rpm -ivh kernel_package_name (install, never upgrade with -U, so that the previous kernel remains bootable)
  • Modify the system bootloader.

 

grub-md5-crypt is the command to make a hashed grub password.

Add password --md5 <hash> to the stanza in /boot/grub/grub.conf

Manage users and groups

  • Create, delete, and modify local user accounts.

Structure of /etc/passwd
Name:Password:UID:GID:Comments:Homedir:Shell
(the Password field holds an "x" when the hash lives in /etc/shadow)

Structure of /etc/shadow
Name:Password:LastChanged:MinDays:MaxDays:Warn:Inactive:Expire:(reserved)
(LastChanged and Expire are days since 1970-01-01; MinDays/MaxDays are the minimum and maximum days between password changes; a Password field starting with ! or * is locked)

Structure of /etc/group
Name:Password:GID:Users

Structure of /etc/gshadow
Name:Password:Admins:Members

  • Change passwords and adjust password aging for local user accounts.

chage <username>
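As an added example (not from the original post), the shadow fields above can be evaluated the way login and chage do, to tell which accounts are locked, expired or due to change. The sample lines are constructed, and the thresholds follow pam_unix: password expired when today > LastChanged + MaxDays, account expired when today >= Expire.

```shell
#!/bin/sh
# Added example: evaluate password aging from /etc/shadow fields.
# Field layout, as on the page:
#   name:password:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are days since 1970-01-01; max/warn are day counts.

# Constructed sample lines standing in for /etc/shadow (no real credentials).
SAMPLE_SHADOW='alice:$6$salt$HASH:15700:0:90:7:14::
bob:$6$salt$HASH:15800:0:99999:7:::
carol:$6$salt$HASH:15700:0:90:7::15710:
dave:$6$salt$HASH::0:90:7:::
eve:!!:15700:0:90:7:::'

# Days since the epoch for "today", the unit chage and login work in.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_status NAME TODAY -> prints one of:
#   locked       password field starts with ! or * (no password login possible)
#   expired      account expire day reached, or past lastchg+max
#   must-change  lastchg empty or 0 (change forced at next login)
#   warn         within the warn window before the password expires
#   ok           otherwise
shadow_status() {
    name=$1; today=$2
    line=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^$name:") || { echo no-such-user; return 1; }
    # cut keeps empty fields positional, which matters for dave's empty lastchg
    pw=$(printf '%s' "$line" | cut -d: -f2)
    lastchg=$(printf '%s' "$line" | cut -d: -f3)
    max=$(printf '%s' "$line" | cut -d: -f5)
    warn=$(printf '%s' "$line" | cut -d: -f6)
    expire=$(printf '%s' "$line" | cut -d: -f8)

    case "$pw" in
        '!'*|'*'*) echo locked; return 0 ;;
    esac
    # Account-level expiry (chage -E) is checked before password aging.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo expired; return 0
    fi
    if [ -z "$lastchg" ] || [ "$lastchg" -eq 0 ]; then
        echo must-change; return 0
    fi
    # An empty or 99999 max means aging is effectively disabled.
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo ok; return 0
    fi
    due=$(( lastchg + max ))
    if [ "$today" -gt "$due" ]; then
        echo expired
    elif [ "$today" -gt $(( due - ${warn:-0} )) ]; then
        echo warn
    else
        echo ok
    fi
}

# Walk every sample account as of today; on a real host replace SAMPLE_SHADOW
# with the contents of /etc/shadow (readable by root only).
for u in alice bob carol dave eve; do
    printf '%s: %s\n' "$u" "$(shadow_status "$u" "$(today_days)")"
done
```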

 

  • Create, delete, and modify local groups and group memberships.
gpasswd

newgrp

sg

groupmod

groups

 

  • Configure a system to use an existing LDAP directory service for user and group information.
authconfig-tui

authconfig-gtk

authconfig

Extra Info

System-wide Shell Config Files

/etc/profile
Executed with each user login. Sets paths, variables, etc. Runs scripts in /etc/profile.d.
/etc/profile.d
Scripts that extend /etc/profile, usually added by applications.
/etc/bashrc
System-wide functions and aliases

 

Common environment files:

.bashrc : User alias and functions
.bash_logout : 
.bash_profile : User paths, variables, environment settings

 

Manage security

  • Configure firewall settings using system-config-firewall or iptables.

rule : A one-line rule defining a packet type and how it should be handled.
chain : A list of rules. Default chains: INPUT OUTPUT FORWARD
target : ACCEPT DROP REJECT LOG
table : A list of rules aggregating all of the chains and rules taking a particular path through the network stack.
policy : A default rule that applies in the absence of other rules.
tracking states : NEW ESTABLISHED RELATED INVALID
eg: -m state --state ESTABLISHED,RELATED

iptables --line-numbers -L : List all rules with line numbering
iptables -A <chain> <rule> -j <target> append to end of chain
iptables -I <chain> <rule> -j <target> insert at beginning of chain
iptables -D <chain> <rule#> Delete rule number.
iptables -P <chain> <target> set default policy
iptables -F <chain> flush all rules

Example Rules:
source: -s 192.0.2.0/24
destination: -d 10.0.0.1
protocol/port: -p udp --sport 68 --dport 67
Inbound interface: -i eth0 Outbound interface: -o eth0

service iptables save : permanently save rules to /etc/sysconfig/iptables (otherwise they will be lost after reboot)
iptables-save > /path/to/file : save current rules to a file
iptables-restore < /path/to/file : restore rules from a file
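An added example (not from the original post) that produces a complete stateful ruleset in the format iptables-save writes, so it can be reviewed before loading with iptables-restore and persisting with service iptables save. eth0 as the external interface and the management network 192.0.2.0/24 are assumed placeholders.

```shell
#!/bin/sh
# Added example: generate a host firewall using the page's building blocks
# (default policy, state tracking, ACCEPT/LOG/REJECT targets, -s/-p/--dport).
# Assumptions: eth0 is the external interface; MGMT_NET is a placeholder.

MGMT_NET=192.0.2.0/24

# gen_ruleset "PORT[,PORT...]" -> prints the filter table for iptables-restore.
# INPUT and FORWARD default to DROP; only NEW connections to listed ports
# are admitted, ssh only from the management network.
gen_ruleset() {
    allowed=$1
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i eth0 -s $MGMT_NET -p tcp -m state --state NEW --dport 22 -j ACCEPT
EOF
    # One ACCEPT rule per service port; split the comma-separated list on IFS.
    old_ifs=$IFS; IFS=,
    for port in $allowed; do
        printf '%s\n' "-A INPUT -i eth0 -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    IFS=$old_ifs
    # Log (rate limited) what is about to be rejected so refusals show up in
    # /var/log/messages, then reject with the same ICMP error RHEL 6 uses.
cat <<EOF
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# port_is_open "PORTS" PORT -> number of ACCEPT rules that open PORT (0 or 1);
# a cheap sanity check before loading the ruleset.
port_is_open() {
    gen_ruleset "$1" | grep -c -- "--dport $2 -j ACCEPT" || true
}

# Typical use on the exam host as root:
#   gen_ruleset 80,443 > /tmp/rules.v4
#   iptables-restore < /tmp/rules.v4 && service iptables save
gen_ruleset 80,443
```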

  • Set enforcing and permissive modes for SELinux.

setenforce 0|1 : 0 for permissive, 1 for enforcing. This will not survive a reboot.

vi /etc/sysconfig/selinux : permanently change the SELinux config (SELINUX=enforcing|permissive|disabled). Setting disabled will cause the entire file system to be relabeled file by file after SELinux is turned back on. This takes a very long time, so it’s best not to do this.

  • List and identify SELinux file and process context.

View SELinux contexts of processes:
ps -eZ, ps -axZ, ps -Zc <process name>, etc.
View SELinux contexts of files and directories:
ls -Zd /path/to/dir/, ls -Z /path/to/file, etc.
View SELinux contexts of users:
id -Z

Policy context rules are stored in
/etc/selinux/targeted/contexts/files/file_contexts and /etc/selinux/targeted/contexts/files/file_contexts.local

semanage fcontext -[a|d|m] -f <ftype> -t <context> '<regex>'

e.g.: semanage fcontext -a -t virt_image_t "/virtstorage(/.*)?"
(then restorecon -R -v /virtstorage to apply the new rule to existing files)

 

  • Restore default file contexts.
restorecon -R -v /dir/  :  note the last slash.  -R = recursive (all child files and directories) -v = verbose.
  • Use boolean settings to modify system SELinux settings.
  • Booleans are plain text files located in /selinux/booleans
  • semanage boolean -l : List booleans with basic descriptions (very useful with grep)
  • setsebool [-P] <boolean_name> on|off : set SE boolean, -P to make permanent (survive reboot)
  • Use the graphical tool: system-config-selinux
  • Diagnose and address routine SELinux policy violations.

Many targeted services have specialised man pages dealing with SELinux configuration.
Display these pages with:
# man -k '_selinux'

Installing setroubleshoot-server sends SELinux error messages to /var/log/messages. These can be further parsed with sealert.
audit2why and audit2allow can be used to parse the messages in /var/log/audit/audit.log and explain why access was denied, and how to modify your configuration to allow it.

semanage port -l : list SELinux port settings.
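An added example (not from the original post): a small parser over constructed /var/log/audit/audit.log lines that reduces each AVC denial to source type, permission and target type/class, which is what a boolean, semanage fcontext or semanage port decision is based on. The timestamps, pids and inodes in the sample are placeholders.

```shell
#!/bin/sh
# Added example: summarise AVC denials before reaching for audit2why/sealert.
# Constructed sample of audit.log lines (the SYSCALL record is a decoy that
# must be ignored).
SAMPLE_AUDIT='type=AVC msg=audit(1360360000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1360360000.123:456): arch=c000003e syscall=2 success=no exit=-13 ...
type=AVC msg=audit(1360360001.500:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1360360002.000:458): avc:  denied  { write } for  pid=2222 comm="smbd" name="shared" dev=dm-0 ino=777 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# field LINE KEY -> value of KEY=value (quotes stripped), empty if absent.
field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_summary < log -> one line per denial:
#   <source type> <permission> <target type>/<class> <name or port>
# The type is the third field of a context (httpd_t); the user and role
# parts are dropped because policy rules and booleans key on the type.
avc_summary() {
    grep '^type=AVC .* denied ' | while IFS= read -r line; do
        perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p')
        stype=$(field "$line" scontext | cut -d: -f3)
        ttype=$(field "$line" tcontext | cut -d: -f3)
        tclass=$(field "$line" tclass)
        obj=$(field "$line" name)
        # Socket denials carry dest= (a port) instead of name=.
        [ -n "$obj" ] || obj=$(field "$line" dest)
        printf '%s %s %s/%s %s\n' "$stype" "$perm" "$ttype" "$tclass" "$obj"
    done
}

# count_by_source -> "<count> <source type>" per domain, busiest first; the
# first thing to look at before choosing between a boolean, a context fix
# (semanage fcontext + restorecon) or a port label (semanage port).
count_by_source() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | cut -d' ' -f1 \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# On a real host: avc_summary < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
count_by_source
```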


SELinux Packages and utilities

coreutils : Always installed. Provides some default elements of SELinux.
policycoreutils : Provides restorecon, secon, setfiles, et al.
libselinux-utils : Provides getenforce, setenforce, getsebool, setsebool, et al.
policycoreutils-gui : Provides system-config-selinux and sepolgen, et al.
policycoreutils-python : Provides semanage, audit2allow, audit2why, et al.
setroubleshoot : Provides seapplet
setroubleshoot-server : Provides sealert, sedispatch, setroubleshootd, et al.

 
