Security features covered
- SU
- SUDO
- Disable services
- Key-based authentication
- Disabling interactive startup
- Password security (password ageing)
- Disallowing root access
- Enabling automatic logouts
How to implement
1. Add the username as a member of the wheel group in the /etc/group file for each user to whom su access is to be allowed.
2. Remove the hash from the line "#auth required pam_wheel.so use_uid" in the /etc/pam.d/su file, so that only wheel members can use su.
To prevent users from starting up the system interactively as root, disable the PROMPT parameter in the /etc/sysconfig/init file:
    PROMPT=no
There are two primary programs used to specify password aging under Red Hat Enterprise Linux: the chage command or the graphical User Manager. Shadow passwords must be enabled to use the chage command.
The -M option of the chage command specifies the maximum number of days the password is valid. For example, to set a user's password to expire in
    chage -M 90 <username>
To disable password expiration, it is traditional to use a value of 99999 after the -M option (this equates to a little over 27
Use the following command to enter interactive mode:
    chage <username>
Force immediate password expiration by running the following command as root:
    chage -d 0 <username>
Option    Description
-d days   Specifies the number of days since January 1, 1970 the password was changed.
-E date   Specifies the date on which the account is locked, in the format YYYYMMDD. Instead of the date, the number of days since January 1, 1970 can also be used.
-I days   Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after
-l        Lists current account aging settings.
-m days   Specifies the minimum number of days after which the user must change passwords. If the value is 0, the password does not expire.
-M days   Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account.
-W days   Specifies the number of days before the password expiration date to warn the user.
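The expiry arithmetic behind the -d, -M, -W, -I and -E options, as an added shell example that is not part of the original cheat sheet: it evaluates the aging fields of constructed /etc/shadow-style entries (the names and hashes are made up) for a given day number, so the rule that a password has expired once the -d value plus the -M value is less than the current day can be checked offline. The function names password_aging_status and aging_report, and the sample entries, are this example's own.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: evaluate the password
# aging fields that chage -d/-M/-W/-I/-E write into /etc/shadow for a given
# "today" value (days since 1970-01-01), so the expiry rules can be checked
# offline. Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Print one status word for the shadow entry $1 on day $2.
password_aging_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        lastchg = $3; max = $5; warn = $6; inactive = $7; expire = $8
        # chage -E: the whole account is locked from this day on
        if (expire != "" && expire != "-1" && today >= expire) { print "account-expired"; next }
        # chage -d 0: the password must be changed at the next login
        if (lastchg == "0") { print "must-change"; next }
        # chage -M 99999 (or an empty field): the password never expires
        if (max == "" || max + 0 >= 99999) { print "never-expires"; next }
        deadline = lastchg + max
        # chage -I: the account is locked this many days after the password expired
        # (an empty field or -1 means no inactivity period is enforced)
        if (inactive != "" && inactive != "-1" && today > deadline + inactive) { print "locked"; next }
        # chage -M: once lastchg + max is less than today, the password must be changed
        if (today > deadline) { print "expired"; next }
        # chage -W: warn this many days before the deadline
        if (warn != "" && today >= deadline - warn) { print "warning"; next }
        print "ok"
    }'
}

# Report every entry of a shadow-format file $1 for day $2, one "name status" per line.
aging_report() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "${line%%:*}" "$(password_aging_status "$line" "$2")"
    done < "$1"
}

# Constructed sample entries (made-up hashes, not real accounts):
# alice changed her password on day 19000 with -M 90 -W 7; bob also has -I 5;
# carol was forced to change with -d 0; dave has -M 99999; erin has -E 19020.
SAMPLE_ALICE='alice:$6$saltsalt$madeuphash:19000:0:90:7:::'
SAMPLE_BOB='bob:$6$saltsalt$madeuphash:19000:0:90:7:5::'
SAMPLE_CAROL='carol:$6$saltsalt$madeuphash:0:0:90:7:::'
SAMPLE_DAVE='dave:$6$saltsalt$madeuphash:19000:0:99999:7:::'
SAMPLE_ERIN='erin:$6$saltsalt$madeuphash:19000:0:90:7::19020:'

today=$(( $(date +%s) / 86400 ))
printf 'today is day %s since 1970-01-01; statuses evaluated for day 19085:\n' "$today"
for e in "$SAMPLE_ALICE" "$SAMPLE_BOB" "$SAMPLE_CAROL" "$SAMPLE_DAVE" "$SAMPLE_ERIN"; do
    printf '  %s: %s\n' "${e%%:*}" "$(password_aging_status "$e" 19085)"
done
```

On a real host the same report would be produced with aging_report /etc/shadow "$today" as root; the statuses match what chage -l reports in prose form.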
You can also use the graphical User Manager application to create password aging policies, as follows. Note: you need Administrator privileges to perfo
1. Click the System menu on the Panel, point to Administration and then click Users and Groups to display the User Manager. Alternatively, type the command system-config-users at a shell prompt.
2. Click the Users tab, and select the required user in the list of users.
3. Click Properties on the toolbar to display the User Properties dialog box (or choose Properties on the File menu).
4. Click the Password Info tab, and select the check box for Enable password expiration.
5. Enter the required value in the Days before change required field, and click OK.
To prevent users from logging in directly as root, the system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file.
To prevent root logins via the SSH protocol, edit the SSH daemon's configuration file, /etc/ssh/sshd_config, and change the line that reads: PermitRootLogin
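A defender-side check of the root-access controls described above (wheel-only su, PROMPT=no, root's shell set to /sbin/nologin, and the PermitRootLogin directive), as an added example that is not from the original page: each function takes a file path, and the script runs them against constructed sample files in a temporary directory; on a live host they would be pointed at /etc/pam.d/su, /etc/group, /etc/sysconfig/init, /etc/passwd and /etc/ssh/sshd_config instead. The function names and the sample file layout (su, group, init, passwd, sshd_config under one directory) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: audit the root-access
# controls above against sample files. Every check takes a file path so it can
# run offline here; on a real host pass the /etc paths named in the lead-in.

# Is the pam_wheel.so "auth required" line active (not commented out) in pam.d/su ($1)?
su_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Print the members of the wheel group from a group file ($1), i.e. who may su.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# Is interactive startup disabled (PROMPT=no) in sysconfig/init ($1)?
prompt_disabled() {
    grep -Eq '^[[:space:]]*PROMPT=no[[:space:]]*$' "$1"
}

# Print root's login shell from a passwd file ($1).
root_shell() {
    awk -F: '$1 == "root" { print $7 }' "$1"
}

# Print the effective PermitRootLogin value from sshd_config ($1). sshd uses the
# first occurrence of a keyword, and its built-in default is never "no", so an
# absent directive is reported as "unset" and counts as a finding below.
permit_root_login_value() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# Count the controls that are NOT in place under directory $1, which holds the
# files su, group, init, passwd and sshd_config (the layout assumed here).
root_access_findings() {
    n=0
    su_wheel_enforced "$1/su"                                || n=$((n + 1))
    prompt_disabled "$1/init"                                || n=$((n + 1))
    [ "$(root_shell "$1/passwd")" = /sbin/nologin ]          || n=$((n + 1))
    [ "$(permit_root_login_value "$1/sshd_config")" = no ]   || n=$((n + 1))
    echo "$n"
}

# Constructed sample tree: everything hardened except root's login shell.
make_sample_tree() {
    mkdir -p "$1"
    printf 'auth\t\trequired\tpam_wheel.so use_uid\n' > "$1/su"
    printf 'root:x:0:root\nwheel:x:10:alice,bob\n' > "$1/group"
    printf 'PROMPT=no\n' > "$1/init"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1/passwd"
    printf '# PermitRootLogin yes\nPermitRootLogin no\n' > "$1/sshd_config"
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
echo "su allowed for wheel members: $(wheel_members "$tmp/group")"
echo "root shell: $(root_shell "$tmp/passwd")"
echo "PermitRootLogin: $(permit_root_login_value "$tmp/sshd_config")"
echo "controls missing: $(root_access_findings "$tmp")"
rm -rf "$tmp"
```

The count returned by root_access_findings is what a configuration-compliance job would alert on; the individual functions are kept separate so a report can name which control is missing.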
Make sure the screen package is installed. You can do so by running the following command as root: yum install screen; or check whether it is already present with rpm -qa | grep -i screen.
As root, add the following line at the beginning of the /etc/profile file to make sure the processing of this file cannot be interrupted:
    trap "" 1 2 3 15
Add the following lines at the end of the /etc/profile file to start a screen session each time a user logs in to a virtual console or remotely:
    SCREENEXEC="screen"
    if [ -w $(tty) ]; then
        # if the shell receives HUP, INT, QUIT or TERM, still hand over to screen
        trap "exec $SCREENEXEC" 1 2 3 15
        echo -n 'Starting session in 10 seconds'
        sleep 10
        # replace the login shell with screen, so leaving screen ends the login
        exec $SCREENEXEC
    fi
Note that each time a new session starts, a message will be displayed and the user will have to wait ten seconds. To adjust the time to wait before st
command.
Add the following lines to the /etc/screenrc configuration file to close the screen session after a given period of inactivity:
    idle 120 quit
    autodetach off
Alternatively, you can configure the system to only lock the session by using the following lines instead:
    idle 120 lockscreen
    autodetach off
This way, a password will be required to unlock the session. The changes take effect the next time a user logs in to the system.
Via SU OR SUDO configuration
Linux commands

dmidecode
    To show system information
rhn_register
    To register the system to the RHN
yum update package_name
    To update a specific package
yum update
    To update all packages
yum list installed
    To list all installed packages on the system
yum list all
    To list all installed and available packages
yum install package_name
    To install a specific package
yum groupinstall groupname, yum groupinstall groupid, or yum install @group
    To install a package group by passing its full group name or group ID
yum remove package_name
    To remove a specific package
yum groupremove groupname
    To remove a package group
yum grouplist
    To list all package groups
yum repolist
    To list the repository ID, name, and number of packages it provides for each enabled repository
yum info package_name
    To display information about one or more packages
yum history (or yum history list)
    To display a list of the twenty most recent transactions, as root
yum history list all
    To display all transactions
yum history summary
    To display a summary of all past transactions
yum history info id
    To examine a particular transaction or transactions in more detail
yum history addon-info id
    To display additional information for a certain transaction
yum -q history addon-info id saved_tx > file_name
    To store the transaction details to a file, type this at a shell prompt as root
(command not given)
    Once you copy this file to the target system, you can repeat the transaction by using the following com
(command not given)
    To check the last updated/installed history with time stamp and ID
(command not given)
    Rolls back the previously installed or updated RPMs by using the ID
(command not given)
    To start a new transaction history. This will create a new, empty database file in the /var/lib/yum/histo
    transaction history will be kept, but will not be accessible as long as a newer database file is present i
(command not given)
    yum log file
chkconfig
    To configure which services are to be started in selected runlevels
(command not given)
    To specify in which runlevel to start a selected service, as well as to list all available services along wit
    setting
ip route add X.X.X.X
    To add a static route (host specific)
(command not given)
    To add a static route to a network, where X.X.X.X is the IP address of the network in dotted decimal no
    network prefix. The network prefix is the number of enabled bits in the subnet mask.
(command not given)
    Global default gateway configuration is stored in the /etc/sysconfig/network file. This file specifies gate
    information for all network interfaces
(command not given)
    This is a sample route-eth0 file using the IP command arguments format. The default gateway is 192.1
    eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks:
ifup / ifdown
runlevel
pvs, pvdisplay, pvscan
lvmdiskscan
pvchange -x n /dev/sdk1
pvchange -x y /dev/sdk1
    This command allows the allocation of physical extents on /dev/sdk1 which has been previously disa
pvresize
    To change the size of an underlying block device for any reason and update LVM with the new size
pvremove
    If a device is no longer required for use by LVM, you can remove the LVM label
vgs
    To check whether an existing volume group is a clustered volume group
vgchange -l 128 vg00
    Changes the maximum number of logical volumes of volume group vg00 to 128
lvchange
    You can deactivate individual logical volumes
vgsplit
    To split the physical volumes of a volume group and create a new volume group, use the vgsplit command
vgsplit bigvg smallvg /dev/ram15
    The example splits off the new volume group smallvg from the original volume group bigvg
vgmerge
    To combine two volume groups into a single volume group, use the vgmerge command. You can mer
    an inactive "source" volume with an active or an inactive "destination" volume if the physical extent s
    of the volume are equal and the physical and logical volume summaries of both volume groups fit into
    destination volume groups limits.
(command not given)
    The following command merges the inactive volume group my_vg into the active or inactive volume
    group databases giving verbose runtime information
vgcfgbackup
    By default, the metadata backup is stored in the /etc/lvm/backup file and the metadata archives are stored in the /etc/lvm/archives file. You can manually back up the metadata to the /etc/lvm/backup file with the vgcfgbackup command
vgcfgrestore
    The vgcfgrestore command restores the metadata of a volume group from the archive to all the physical volumes in the volume group
vgrename
    To rename an existing volume group
(command not given)
    Either of the commands renames the existing volume group vg02 to my_volume_group
(command not given)
    Creates a logical volume 10 gigabytes in size in the volume group vg1
(command not given)
    The following command creates a logical volume called mylv that uses 60% of the total space in volume group testvg
(command not given)
    You can also use the -l argument of the lvcreate command to specify the percentage of the remaining free space in a volume group as the size of the logical volume. The following command creates a logical volume called yourlv that uses all of the unallocated space in the volume group testvg.
(command not given)
    The following command converts the linear logical volume vg00/lvol1 to a mirrored logical volume
(command not given)
    The following command converts the mirrored logical volume vg00/lvol1 to a linear logical volume, removing the mirror leg
iptables -L
    Lists the current firewall rules
Examples of iptables:
1. Rejects all traffic from the 192.168.75.0 subnet, and sends a "destination unreachable" error mes
   client that tried to connect.
2. To stop users from the computer with an IP address of 192.168.25.200 from "pinging" your system.
(command not given)
    Saves the firewall configuration to a file
(command not given)
    To check the iptables service status
(command not given)
    To activate the iptables service
(command not given)
    To set the date
(command not given)
    To set the time
(command not given)
    To set the clock to use UTC
(command not given)
    To check whether the selected NTP server is available
(command not given)
    To sync the date with the NTP server
(command not given)
    To check the physical connectivity of the LAN card
(command not given)
    To list disk devices
(command not given)
    To change the network interface card speed to full
(command not given)
    To check the interface card speed and health
(command not given)
    To check the file system type
yum commands

yum check-update
    To see which installed packages on your system have updates available
yum update package_name
    To update a single package, run this command as root
yum history
    To view the yum transaction history
yum update
    To update all packages and their dependencies, simply enter yum update (without any arguments)
yum search term
    To search all RPM package names, descriptions and summaries
yum list (and related commands)
    Provides information about packages, package groups, and repositories
yum list all
    Lists all installed and available packages
(command not given)
    Lists all packages installed on your system. The rightmost column in the output lists the repository
    was retrieved.
(command not given)
    Lists all available packages in all enabled repositories
(command not given)
    Lists all package groups
(command not given)
    Lists the repository ID, name, and number of packages it provides for each enabled repository
(command not given)
    To display information about a package
(command not given)
    If you are installing packages on a multilib system, such as an AMD64 or Intel64 machine, you can
    specify the architecture of the package (as long as it is available in an enabled repository) by appe
    .arch to the package name
(command not given)
    Using glob expressions
yum install /usr/sbin/named
    If you know the name of the binary you want to install, but not its package name, you can give yum install the path name
yum install @group
    Install a package group
yum groupinstall group-name
    Install a package group
yum groupinstall groupid
    Install by group ID
yum provides "*/file_name"
    A common and useful trick to find the package(s) that contain file_name
yum remove package-name
    To uninstall a particular package, as well as any packages that depend on it, run the following com
yum remove package-name package-name
    To uninstall multiple packages at a time.
    nts: package names, glob expressions, package files, package provides
(command not given)
    To remove a package group
(command not given)
    To remove a package group
yum history list
    To display a list of the twenty most recent transactions, as root, either run yum history with no additional arguments
yum history list all
    To display all transactions, add the all keyword
yum history list start_id..end_id
    To display only transactions in a given range
yum history list glob_expression
    To list only transactions regarding a particular package or packages
yum history list 1..5
    Lists the first five transactions
yum history summary
    To display a summary of all past transactions
yum history summary id
    To display a summary of a single transaction
(command not given)
    To examine a particular transaction in more detail (if id is omitted, the last transaction is ex
(command not given)
    For additional info
(command not given)
    To revert a transaction
(command not given)
    To repeat a particular transaction
(command not given)
    To store the details of a transaction to a file
(command not given)
    After copying the above file to the target system, the transaction can be repeated by executing the com
    version should be the same on the source and target system)
(command not given)
    To verify the rpmdb version
(command not given)
    This command will create a new empty database under the /var/lib/yum/history directory. The old transa
    but will not be accessible as long as a newer database file is present in the directory.

Yum configuration file location ([main] section):
    [main]
    cachedir=/var/cache/yum/$basearch/$releasever   (default)
    keepcache=0
    debuglevel=2   (value between 1 and 10; setting a higher value gives more detailed information; settin
                    means disabled debug)
    logfile=/var/log/yum.log
    exactarch=1
    obsoletes=1
    gpgcheck=1
    plugins=1
    installonly_limit=3
Individual repositories are located under.

Creating a yum repository:
    yum install createrepo
    /mnt/local_repo
    createrepo --database /mnt/local_repo

Security updates (yum-plugin-security, yum security):
yum check-update --security
    To list the packages which are affected by security advisories
yum update --security
    To update those packages which are affected by security advisories. Will update all packages affect
    by a security advisory to the latest version of that package available
yum update-minimal --security
    Updates them to the latest packages which were released as part of a security advisory
yum install httpd --downloadonly
    To download the latest version of the httpd package, without installing it.
    By default, packages downloaded using the --downloadonly option are saved in one of the
    subdirectories of the /var/cache/yum directory, depending on the Red Hat Enterprise Linux
    variant and architecture.
(command not given)
    To specify an alternate directory to save the packages
(command not given)
    To download only the security updates without installing them
# cat /etc/yum/pluginconf.d/downloadonly.conf
    [main]
    enabled=1
zypper commands

zypper se <pkgname>                          search for a package
zypper info <pkgname>                        show package information
zypper in <pkgname>                          install a package
zypper remove <pkgname>                      remove a package
zypper se -t pattern                         search for patterns (package bundles)
zypper in -t pattern <bundle>                install a pattern
zypper lr                                    list repositories
zypper -v in --from <reponame> <pkgname>     install a package from a specific repository, verbosely
zypper in <pkgname> -<pkgname>               install one package and remove another in one transaction
zypper mr --enable <reponame>                enable a repository
zypper mr --disable <reponame>               disable a repository
zypper ref -s                                refresh all repos (including services)
zypper repos -E                              list only enabled repositories
zypper patch                                 install all needed patches
zypper list-patches                          list needed patches