Difference between revisions of "CentOS Linux Distribution Reference"

From Free Knowledge Base- The DUCK Project: information for everyone

Latest revision as of 11:23, 5 March 2018

CentOS boot screen - show messages

CentOS 6 comes with a splash screen that displays a progress bar as it boots. You can hit any key during the boot process to make the splash screen disappear and display what the system is doing while it boots.

To make CentOS 6 display the details of what it is doing while it boots, first make a backup of the file /etc/grub.conf.

Open /etc/grub.conf in vi and look for the line(s) that begin with 'kernel'. At the end of them you'll see 'rhgb' and 'quiet'. Remove both of those words from grub.conf. After saving, reboot the server.

 title CentOS Linux (2.6.32-71.29.1.el6.x86_64)
         root (hd0,0)
         kernel /vmlinuz-2.6.32-71.29.1.el6.x86_64 ro root=UUID=c209fbd2-0738-4672-b225-6a5c09f65ad2 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
         initrd /initramfs-2.6.32-71.29.1.el6.x86_64.img

source: http://blog.nexcess.net/2011/08/22/making-the-centos-6-boot-splash-screen-more-verbose/

yum versus rpm

RPM is a package manager, while YUM is a frontend that can be used with RPM. YUM resolves dependencies for you, whereas RPM all too frequently does not.

You can use 'yum' to install a package and its dependencies (additional packages needed to make your package work).

CentOS: how to install lrzsz, which provides the rz and sz commands

# yum install lrzsz

In any Unix environment you can extract tgz files with

# gtar xzvf foo.tgz

or using gzip and tar

# gzip -d foo.tgz
# tar xvf foo.tar

iptables/netfilter

See whether iptables is actually loaded and running:

# lsmod | grep table
# iptables -L

Save the iptables rules you have entered; this writes the current iptables configuration to /etc/sysconfig/iptables:

# /sbin/service iptables save

Do not use 'service iptables save'

adding new users to system

Set up all the defaults for useradd:

# cd /etc/skel

Set all the profile defaults, such as those in .bash_profile:

# vi /etc/login.defs

Every new user is assigned to an initial (or primary) group. Two conventions exist.

Traditionally this primary group is the same for all users and is called 'users', with a group id (GID) of 100. Many Linux distributions, such as SUSE and Debian, adhere to this convention.

The User Private Group scheme (UPG) was introduced by Red Hat and changes this convention without changing the way in which UNIX groups work. With UPG each new user belongs to their own primary group. The group has the same name as the login name (by default), and the GID is in the 500 to 60000 range (the same as UIDs).

NOTE: When using the traditional scheme for groups the user’s umask (see LPI 101) is set to 022, whereas in the UPG scheme the umask is set to 002.

ref: http://en.wikibooks.org/wiki/Ict-innovation/LPI/107.1

/sbin/nologin vs /bin/false

When /sbin/nologin is set as the shell, a user with that shell who logs in gets a polite message saying 'This account is currently not available.' This message can be changed with the file /etc/nologin.txt.

/bin/false is just a binary that immediately exits, returning false, when it's called, so when someone who has false as their shell logs in, they're immediately logged out when false exits. Setting the shell to /bin/true has the same effect of not allowing someone to log in, but false is probably used as a convention over true since it's much better at conveying the concept that the person doesn't have a shell.

Looking at nologin's man page, it says it was created in 4.4 BSD (early 1990s) so it came long after false was created. The use of false as a shell is probably just a convention carried over from the early days of UNIX.

nologin is the more user-friendly option, with a customizable message given to the user trying to log in, so you would theoretically want to use that, but both nologin and false have the same end result: the account has no shell and cannot ssh in.

Want to install telnet?

The telnet server is not recommended for security reasons: it carries everything in plain text over TCP/IP.

# yum install telnet telnet-server -y

How about the telnet client? It is not installed by default.

# yum install telnet -y

The package is telnet.i686.

Enable TELNET as ROOT on GUEST CentOS system

Simply edit the file /etc/securetty and add the following to the end of the file:

pts/0
pts/1
pts/2
pts/3
pts/4
pts/5
pts/6
pts/7
pts/8
pts/9

This allows up to 10 telnet sessions to the server as root. Note: just one entry is probably enough.

ref: http://www.idevelopment.info/data/Unix/Linux/LINUX_TelnetFTPAsRoot.shtml

SELinux

SELinux users and roles are not related to the actual system users and roles.

All processes and files have an SELinux security context. The -Z switch works with most utilities to show SELinux security contexts (e.g. 'ls -Z', 'ps axZ', etc.):

_u	user	system_u
_r	role	object_r
_t	type	httpd_sys_content_t

   User: system_u
   Role: object_r
   Type: httpd_sys_content_t
   Level: s0

To manage directory and file SELinux contexts, ensure that the semanage software is installed.

# setenforce 0		turn off SELinux enforcement
# setenforce 1		enable

With setenforce 0 SELinux is not actively restrictive (permissive mode); however, it still monitors and reports file system violations. Use this mode for diagnostics.

OPENSSL Certificate

SSL certificates are valid for a certain period of time, usually 365 days. They must be renewed once expired.

Validate certificate by issuing the following command:

# openssl verify my-cert.pem
my-cert.pem: OK

Expired:

# openssl verify my-cert.pem
error 10 at 0 depth lookup:certificate has expired
OK

Renewal of an expired certificate consists of two steps: revoke the old one, then sign a new certificate request.

Limiting Access to TCP-wrapped Services

To determine if a client machine is allowed to connect to a service, TCP wrappers reference the following two files, which are commonly referred to as hosts access files:

/etc/hosts.allow
/etc/hosts.deny

Changes to hosts.allow or hosts.deny take effect immediately without restarting network services.

Both /etc/hosts.allow and /etc/hosts.deny use the following format:

daemon_list : client_list [ : shell_command ]

<daemon list> is a comma-separated list of process names (not service names) or the ALL wildcard.
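As an added example (not from this wiki page), the following Python evaluates a daemon/client pair against hosts.allow and hosts.deny text in the lookup order hosts_access(5) specifies: a match in hosts.allow admits, otherwise a match in hosts.deny refuses, otherwise access is granted. It handles only a subset of client patterns, never runs the optional shell_command, and the two rule files are constructed for the example.

```python
def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                               # malformed line: ignore it
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))           # fields[2:] is shell_command; not run here
    return rules

def client_matches(pattern, client):
    """Subset of hosts_access(5) client patterns: ALL, exact, prefix, suffix."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # network prefix, e.g. 192.168.1.
        return client.startswith(pattern)
    if pattern.startswith("."):                    # domain suffix, e.g. .example.com
        return client.endswith(pattern)
    return pattern == client

def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (("ALL" in daemons or daemon in daemons)
            and any(client_matches(p, client) for p in clients))

def hosts_access(allow_text, deny_text, daemon, client):
    """hosts_access(5) order: allow file, then deny file, else admit."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client) for r in parse_rules(deny_text)):
        return False
    return True                                    # nothing matched: access granted

# Constructed sample files (not from the page): admit sshd from the LAN and one
# admin host, admit ftp/telnet from a single address, refuse everything else.
HOSTS_ALLOW = """
sshd : 192.168.1. , admin.example.com
vsftpd, in.telnetd : 192.168.1.10 : spawn /bin/echo %d from %c >> /var/log/wrap.log
"""
HOSTS_DENY = "ALL : ALL\n"

if __name__ == "__main__":
    for d, c in [("sshd", "192.168.1.25"), ("sshd", "10.0.0.5"), ("in.telnetd", "192.168.1.11")]:
        print(d, c, "ALLOW" if hosts_access(HOSTS_ALLOW, HOSTS_DENY, d, c) else "DENY")
```

Note that the daemon names are process names (in.telnetd, not telnet), as the format description above requires.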

vi editor vim syntax highlighting

On CentOS the commands 'vi' and 'vim' both open the vim editor (vim-enhanced) by default, however with some differences. The vi command uses what is known as the 'Small version without GUI', while the vim command uses the 'Huge version without GUI', when each is executed from the console. You can test this with the :version command within the vim editor. Another way to see the differences is to execute the following from the shell:

 vi --version | fgrep  syntax
 vim --version | fgrep  syntax

If -syntax is on the line, you don't have syntax highlighting compiled in. If +syntax is on the line, you do. Note that on CentOS you will see different options for vi as opposed to vim. Unlike some Fedora versions and variants like Trustix, this is not a case of only vim-minimal being installed; the version output on CentOS shows that both are vim-enhanced.

The vi command points to /bin/vi while the vim command points to /usr/bin/vim yet they both use vim enhanced. The fastest solution is to do the following:

mv /bin/vi /bin/vi.small
ln -s /usr/bin/vim /bin/vi

If your system doesn't have the vim-enhanced package installed, simply install it with yum: 'yum install vim-enhanced'

Startup Troubleshooting

failed to start crash recovery kernel arming

After a power loss or crash you may see the crash kernel error message above. You can fix it with a simple change to grub and a reboot.

vi /etc/default/grub

Change "crashkernel=auto" to "crashkernel=512M", then type the following command:

grub2-mkconfig -o /boot/grub2/grub.cfg

sshd or other service wont start because system clock is wrong

Some useful commands to correct the system clock so that services run correctly:

hwclock -r                  show the CMOS (hardware) clock time
date +%Y%m%d -s "20170618"  set the Linux date
date +%T -s "19:25:00"      set the Linux time
hwclock -w                  force the CMOS clock to match the Linux clock
hwclock --hctosys           force the Linux clock to match the CMOS clock

sshd or other service wont start because of selinux

You can switch SELinux to permissive mode and then try to start the service. This lets you test whether SELinux is the culprit so that you can make adjustments to the SELinux policy.

setenforce 0
sestatus

If you need SELinux to remain permissive after a reboot for testing purposes, edit the config file:

 vi /etc/selinux/config

Change

#SELINUX=enforcing
SELINUX=permissive

system uses postfix to receive email

You can manually start postfix:

systemctl start postfix
systemctl status postfix

system uses dovecot for POP and IMAP over SSL

You can manually start dovecot:

systemctl start dovecot
systemctl status dovecot