Thursday, March 18, 2021

Reboot guard

On the CentOS 6 and 7 servers, shutdown is restricted to the users listed in the /etc/shutdown.allow file.
 

[root@Babbage ANALYSIS4]# cat /etc/shutdown.allow
prasanna.paul
 

A reboot and shutdown guard is configured on all CentOS 7 servers as a security measure.
The two files below have to be created for the reboot or shutdown guard in CentOS 7. This helps us avoid accidental reboots or shutdowns issued through commands.
 

vi /etc/systemd/system/reboot-guard.service
[Unit]
Description=Reboot Guard
[Service]
ExecStart=/bin/true
[Install]
RequiredBy=shutdown.target
 

vi /etc/systemd/system/start-reboot-guard.service
[Unit]
Description=Start Reboot Guard
[Service]
ExecStart=/bin/systemctl enable reboot-guard
[Install]
WantedBy=multi-user.target

The commands below enable the reboot guard in the OS:
systemctl daemon-reload
systemctl enable reboot-guard start-reboot-guard
 

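To disable the reboot/shutdown guard, run the command below. Because start-reboot-guard.service runs systemctl enable reboot-guard at boot, the guard is enabled again after the next boot.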
systemctl disable reboot-guard
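
An added example (not part of the original post): a read-only check of whether the guard described above is currently armed. It relies on systemctl enable recording RequiredBy= and WantedBy= as symlinks under shutdown.target.requires/ and multi-user.target.wants/; the function names are hypothetical and the sample tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: report whether the reboot guard is armed under a root dir.
# Function names are hypothetical; the sample tree below is constructed.

# Print the values of KEY from the [Install] section of unit FILE.
install_value() {
    awk -F= -v key="$2" '
        /^\[/ { sect = $0; next }
        sect == "[Install]" && $1 == key { print $2 }
    ' "$1"
}

# Print "missing", "misconfigured", or "<armed|disarmed> <rearm-at-boot|no-rearm>".
reboot_guard_status() {
    dir="${1:-}/etc/systemd/system"
    unit="$dir/reboot-guard.service"
    if [ ! -f "$unit" ]; then echo "missing"; return 0; fi
    if ! install_value "$unit" RequiredBy | grep -qxF 'shutdown.target'; then
        echo "misconfigured"; return 0
    fi
    state=disarmed; rearm=no-rearm
    # "systemctl enable" records RequiredBy=/WantedBy= as these symlinks.
    if [ -L "$dir/shutdown.target.requires/reboot-guard.service" ]; then
        state=armed
    fi
    if [ -L "$dir/multi-user.target.wants/start-reboot-guard.service" ]; then
        rearm=rearm-at-boot
    fi
    echo "$state $rearm"
}

# Build a constructed copy of the layout from the post under directory $1.
make_sample() {
    d="$1/etc/systemd/system"
    mkdir -p "$d/shutdown.target.requires" "$d/multi-user.target.wants"
    printf '%s\n' '[Unit]' 'Description=Reboot Guard' '[Service]' \
        'ExecStart=/bin/true' '[Install]' 'RequiredBy=shutdown.target' \
        > "$d/reboot-guard.service"
    : > "$d/start-reboot-guard.service"
    ln -s ../reboot-guard.service "$d/shutdown.target.requires/reboot-guard.service"
    ln -s ../start-reboot-guard.service "$d/multi-user.target.wants/start-reboot-guard.service"
}

tmp=$(mktemp -d)
make_sample "$tmp"
reboot_guard_status "$tmp"   # guard enabled
rm "$tmp/etc/systemd/system/shutdown.target.requires/reboot-guard.service"
reboot_guard_status "$tmp"   # after "systemctl disable reboot-guard"
rm -rf "$tmp"
```

Calling reboot_guard_status with no argument checks /etc/systemd/system on the running host.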

RHEL - example sample questions

EXAM 2-1/2 Hrs

RHCSA

Your network setup

Your Domainname:- example.com Other Domainname:- remote.test

Your Network 172.25.X.0/255.255.255.0 Other Network 172.24.1.0/255.255.255.0

Hostname serverX.example.com

IP Address 172.25.X.11 Note: X represents your system number, 1 to 20

Netmask 255.255.255.0

Gateway 172.25.254.254

Nameserver 172.25.254.254

FTP/HTTP Server Name:- classroom.example.com Server IP Address:- 172.25.254.254

NFS Share Folder /content/rhel7.0/x86_64/dvd FTP/HTTP Yum Path 172.25.254.254/content/rhel7.0/x86_64/dvd

Your root user password is your host name serverX. For example, if the host name is server11.example.com, the password is server11.

1. Increase the logical volume size of 15 extent on /home directory.

2. Create a new 500 MB physical partition mounted on /common with an xfs filesystem. Note: because partition sizes are seldom exactly what is specified when they are created, anything within the range of 475MB to 525 MB is acceptable.

3. Create the following users, groups and group memberships: a) A group named admin. b) A user harry who belongs to admin as a secondary group. c) A user natasha who belongs to admin as a secondary group. d) A user sarah who does not have access to an interactive shell on the system and who is not a member of admin. e) A user sandy who belongs to admin as a secondary group. f) harry, natasha, sarah and sandy should all have a password of password.

4. Create a collaborative directory /common/admin with the following characteristics:

i) Group ownership of /common/admin is admin.

ii) The directory should be readable,writable and accessible to members of admin,but not to any other user.

(It is understood that root has access to all files and directories on the system.)

iii) Files created in /common/admin automatically have group ownership set to the admin group.

5. Harry sets up his own scheduled job that runs /bin/echo "hello" at 12:30 at noon.

6. Install the appropriate kernel update from http://classroom.example.com/content/rhel7.0/x86_64/errata/ The following criteria must also be met: i) The updated kernel is the default kernel when the system is rebooted. ii) The original kernel remains available and bootable on the system.

7. Create a swap partition of 512MB size.

8. Create a web server to include a host for the site http://serverX.example.com/,where X is your station number, then perform the following steps:

a) Set DocumentRoot to /var/www/html b) The file to be hosted by Apache is at the path http://classroom.example.com/htmlfile .

9. Bind to the LDAP domain example.com provided by classroom.example.com for user authentication. Note the following: i) ldapuserX should be able to log into your system, where X is your server number, but will not have a home directory until you have completed the autofs requirement below. ii) All ldap users have a password of password.

iii) Note: the TLS certificate for your ldap users is at the path http://classroom.example.com/pub/example-ca.crt.

10. Configure autofs to automount the home directories of LDAP users. Note the following: i) classroom.example.com (172.25.254.254) NFS-exports /home/guests to your system. ii) ldapuserX's home directory is classroom.example.com:/home/guests/ldapuserX, where X is your station number. iii) ldapuserX's home directory should be automounted locally, mapped to /home as /home/guests. iv) Home directories must be writable by their users. v) While you are able to log in as any of the users ldapuser1 through ldapuser20, the only home directory that is accessible from your system is ldapuserX. Example: station100 would configure the automounter such that ldapuser100's home directory /home/guests gets mounted automatically upon login.

11. Copy the file /etc/fstab to /var/tmp. Configure the permission of /var/tmp/fstab so that:

i) The file /var/tmp/fstab is owned by root user.

ii) The file /var/tmp/fstab belongs to the group root.

iii) The file /var/tmp/fstab should not be executable by anyone.

iv) The user harry is able to read and write /var/tmp/fstab.

v) The user natasha can neither read nor write /var/tmp/fstab.

vi) All other users (current / future) have the ability to read /var/tmp/fstab.

12. Configure your system so that it is an NTP client of classroom.example.com.

13. Find the owner of the file sandy to copy the file to given path of /root/find.user.

14. Create one logical volume named database. It should be on the datastore volume group with a size of 50 extents.

(i) The datastore volume group extent size should be 16MiB. (ii) Mount the logical volume under the mount point /mnt/database.

15. Create a new user alies with UID 1326.

16. Enable the FTP service on your system, with the download option available to anonymous users on your server.

17. Find the string "home" in /etc/passwd and store the search result in /root/search.txt

18. The initial size of the logical volume database is 800MB. Reduce the size of the logical volume to 500MB without losing any data.

EX300 EXAM TRAINING - sample questions


EX300 EXAM TRAINING
* Configure selinux.
  - Configure your systems so that they are running in Enforcing.

* Configure repository.
  - Create a repository for your virtual machines. The URI is http://classroom.example.com/content/rhel7.0/x86_64/dvd

* SSH configuration.
  - Configure SSH access on your virtual hosts as follows.
  - Clients within my22ilt.org should NOT have access to ssh on your systems.

* Configure port forwarding.
  - Configure serverX.example.com to forward traffic incoming on port 22/tcp from desktopX.example.com to port 5243/tcp.

* Simple Command.
  - Create a command called qstat on both serverX and desktopX.
  - It should be able to execute the following command (ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm)
  - The command should be executable by all users.

* Configure ipv6 network.
  - Configure eth0 with static ipv6 addresses as follows.
  - Configure a static IPv6 address in serverX as fddb:fe2a:ab1e::c0a8:64/64.
  - Configure a static IPv6 address in desktopX as fddb:fe2a:ab1e::c0a8:02/64.

* Link aggregation
  - Configure the serverX system so that it watches for link changes and selects an active port for data transfers.
  - serverX should have the address 192.168.0.10/255.255.255.0.

* SMTP Configuration.
  - Configure the SMTP mail service on serverX and desktopX so that it only relays mail from the local system through classroom.example.com; all outgoing mail must have example.com as its sender domain. Ensure that mail is not stored locally.
  - Verify the mail server is working by sending mail to the user natasha.
  - Check the mail on both serverX and desktopX with the URLs below: http://station.network0.example.com/serverX http://station.network0.example.com/desktopX

* NFS server.
  - Configure serverX with the following requirements.
  - Share the /common directory with the example.com domain clients only; the share must be writable.
  - Share /restricted/protected and enable krb5p security to secure access to the NFS share, using the keytab from the URL http://classroom.example.com/pub/keytabs/serverX.keytab The exported directory should have read/write access from all sub-domains of the example.com domain. Ensure the directory /restricted/protected is owned by the user ldapuserX with read/write permission.

* Configure nfs mount.
  - Mount the /common directory on desktopX under the /public directory persistently at system boot time.
  - Mount /restricted/protected as a krb5p secured share on desktopX beneath /secure, with the keytab provided at http://classroom.example.com/pub/keytabs/desktopX.keytab

* Configure smb access on serverX.
  - Share the /common directory via SMB:
      - Your SMB server must be a member of the SMBGROUP workgroup
      - The share's name must be common
      - The common share must be available to example.com domain clients only
      - The common share must be browseable
      - susan must have read access to the share, authenticating with the same password password, if necessary
  - Configure serverX to share /cloudshare; the SMB share name must be OPENGROUP.
  - The user frankenstein has read/write access to the /cloudshare SMB share.
  - The user martin has read access to the /cloudshare SMB share.
  - Both users should have the SMB passwd "SaniTago".

* Mount the smb share.
  - Mount the samba share /cloudshare permanently beneath /mnt/smbspace on desktopX as a multiuser mount.
  - The samba share should be mounted with the credentials of frankenstein.

* Webserver.
  - Implement a webserver for the site http://serverX.example.com
  - Download the webpage from http://classroom.example.com/pub/rhce/rhce.html
  - Rename the downloaded file to index.html.
  - Copy the file into the document root.
  - Do not make any modification to the content of index.html.

* Secured webserver.
  - Configure the website https://serverX.example.com with TLS
  - SSLCertificate file http://classroom.example.com/pub/tls/certs/serverX.crt
  - SSLCertificatekeyfile http://classroom.example.co/pub/tls/private/serverX.key
  - SSL CA certificate file http://classroom.example.com/pub/example-ca.crt

* Secure directory.
  - Implement a website for http://serverX.example.com/owndir
      - Create a directory named "owndir" under the document root of the webserver.
      - Download http://classroom.example.com/pub/rhce/restrict.html.
      - Rename the file to index.html.
      - The restricted content should be visible to everyone browsing from your local system but should not be accessible from any other location.

* Virtual Web Hosting.
  - Set up a virtual host with an alternate document root. Extend your web server to include a virtual host for the site http://wwwX.example.com
      - Set the document root as /var/www/vhosts
      - Download http://classroom.example.com/pub/rhce/vhost.html
      - Rename it as index.html
      - Place it in the document root of the virtual host
  - Note: The other websites configured for your server must still be accessible. wwwX.example.com is already provided by the name server on example.com

* Dynamic Webpage Configuration.
  - Configure the website http://webappX.example.com:8961 on the serverX system with the document root /var/www/dynamic/
  - The site should execute webapp.wsgi.
  - The page is already provided at http://classroom.example.com/pub/webapp.wsgi
  - The content of the script should not be modified.

* Script1
  - Create a script called /root/conditional with the following details.
  - When run as /root/conditional postconf, it should output "postroll"
  - When run as /root/conditional postroll, it should output "postconf"
  - When run with any other argument or without an argument, it should output "/root/condition postconf|postroll"

* Script2
  - Create a script called /root/makeusers
  - When this script is called with the testfile argument, it should add all the users from the file
  - Download the file from http://classroom.example.com/pub/testfile
  - All users should have the login shell /bin/false; a password is not required.
  - When this script is called with any other argument, it should print the message "Input File Not Found"
  - When this script is run without any argument, it should display "Usage: /root/makeusers "
  - NOTE: If the users are added, there is no need to delete them.

* Configure SCSI storage.
  - Create a new 3GB iscsi_block target on your systemX.example.com.
  - The server should export an iscsi disk called iqn.2014-08.com.example:systemX.
  - This target should only be allowed to clients with an IQN of iqn.2014-08.com.example:desktopX.

* ISCSI Initiator
  - serverX.example.com provides an iscsi port (3260). Connect the disk with desktopX.example.com and configure a filesystem with the following requirements.
  - Create an 800MB partition on the ISCSI block device and assign xfs as the filesystem.
  - Mount the volume under /mnt/initiator at system boot time.
  - The filesystem should contain the copy of .
  - The file should be owned by root with 0644 permission.
  - NOTE: The content of the file should not be modified.

* Mariadb
  - Configure mariadb on system1.
  - On system1, mariadb has been corrupted due to some issues. However, you have the logical backup file http://classroom.example.com/pub/mariadb.mdb
  - Install a new mariadb server and restore the database from the file provided above, with a root password of "redhat".
  - Create a database called student
  - A new ticket has been assigned to you to create new local access accounts with the following information.

    User   | Accepts connection from host | Password | Privileges
    andrew | localhost                    | Redhat   | Read access for student database

* Mariadb Query.
  - Enter a correct username where UID is "1010" from the table "contact"
  - Enter a password where HOME_DIR is "/home/manisha" from the table "contact"