Chapter 4 Cheat Sheet

umask

  • RHEL doesn't allow configuration of umask to allow new files created with executable permissions.
  • Default umask driven by /etc/bashrc, can be overridden with ~/.bashrc file.
  • For files, umask = 666 - umask value; for directories, umask = 777 - umask.

chmod

  • (1 = execute, 2 = write, 4 = read; 1 = sticky bit, 2 = sgid, 4 = suid).
  • Sticky bit: only user/root can delete/rename files. A t replaces x in other field from ls -l output.
  • SGID: all files created in directory will be owned by group (directory must be writeable by group). An s replaces x in group field from ls -l output.
  • SUID: allows executable to be run as user owner of the file. An s replaces x in user field from ls -l output.

chown

  • Change user owner of a file:
    • chown <user> <file>
  • Change group owner of a file:
    • chown .<group> <file>
  • Change both user/group owner for a file:
    • chown <user>.<group> <file>

lsattr/chattr

  • List the attributes of a file:
    • lsattr <file/directory>
  • Make a file immutable (cannot be deleted or renamed, no link can be created to this file and no data can be written to the file):
    • chattr -/+i <file>

ACLs

  • Filesystem must be mounted with ACLs enabled:
    • Temporary: mount -o remount,acl /mountpoint
    • Persistent: Add acl under options for mount in /etc/fstab
  • Get ACL information for a file:
    • getfacl <file/directory>
  • Give user or group permissions to a file or directory:
    • setfacl -m <u:user:(rwx) or g:group:(rwx)> <file/directory>
  • Remove user or group permissions to a file or directory:
    • setfacl -x <u:user or g:group> <file/directory>
  • Remove all extended ACL entries:
    • setfacl -b <file/directory>
  • Remove default ACL entries:
    • setfacl -k <file/directory>
  • Create ACL mask for file or directory:
    • setfacl -m mask:r-- <file>
  • Directories must have x permissions for user's to work with files in the directory, even if they have ACL access to the file.

iptables

  • Three Chains: Input, Output, Forward.
  • /etc/services
    • contains list of services and their default ports and protocol.
  • /etc/sysconfig/iptables
    • contains iptables rules.
  • Controlling iptables service:
    • service iptables stop/start/save/restart
    • chkconfig iptables off/on
  • system-config-firewall (GUI tool)
  • system-config-firewall-tui (CLI tool)
  • Show current rules:
    • iptables -L -n
  • Flush existing rules:
    • iptables -F
  • Block incoming connections from IP address:
    • iptables -A INPUT -s <IP> -j DROP
  • Block incoming connections from IP address to web server:
    • iptables -A INPUT -s <IP> -p tcp --dport 80 -j DROP
  • Block outgoing connections to IP address:
    • iptables -A OUTPUT -d <IP> -j DROP
  • Allow incoming traffic on port 53 (DNS server:)
    • iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
    • iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
  • Allow incoming traffic on a range of ports:
    • iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT
  • Allow incoming traffic from computers on the local network to port 80:
    • iptables -A INPUT -s <IP>/<mask> -m state --state NEW -p tcp --dport 80 -j ACCEPT
  • Allow all incoming packets destined for the localhost interface to be accepted:
    • iptables -A INPUT -i lo -j ACCEPT
  • Allow all incoming packets related to an established connection:
    • iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • Set the default policy for chain:
    • iptables -P <INPUT/OUTPUT/FORWARD <DROP/ACCEPT>
  • If adding rules from the command line, typically use -I instead of -A. Using -I inputs the rule into the chain, -A will append to the chain. Often, the last rule in a chain is to DROP all other packets, and if we append, our rule is added after this rule, thus making our rule ineffective.

SELinux

  • Three modes: enforcing, permissive, disabled.
  • Get status:
    • sestatus
  • Change mode
    • Temporary: setenforce <status>
    • Persistent: edit /etc/sysconfig/linux
  • Each user is mapped to an SELinux user via SELinux policy. This allows Linux users to inherit the restrictions on SELinux users. The follow SELinux policies are defined:
    • guest_u - no GUI; no networking; no su/sudo.
    • xguest_u - yes GUI; networking only with Firefox; no su/sudo.
    • user_u - yes GUI; yes networking; no su/sudo.
    • staff_u - yes GUI; yes networking; yes sudo; no su.
    • unconfined_u - full system access.
  • See the current mapping for SELinux users:
    • semanage login -l
  • In RHEL 6, new users are mapped to the SELinux __default__ login by default, which is mapped to unconfined_u. Change the default with the following:
    • semanage login -m -s <SELinux user> __default__
  • See the current mapping for a user:
    • id -Z (as the user)
  • Add mapping for a single user:
    • semanage login -a -s SELinux user> <user>
  • Delete mapping for a single user:
    • semanage login -d <user>
  • List SELinux booleans:
    • getsebool -a (lists all booleans)
    • getsebool <directive> (list status of directive)
    • semanage boolean -l (explains what each boolean means)
  • Turn a boolean on/off:
    • Temporary: setsebool <directive> on/off
    • Persistent: setsebool -P <directive> on/off
  • /etc/selinux/targeted/contexts/file/file_contexts
    • contains the default contexts for files.
  • List context for a specific file/directory:
    • ls -lZ <file/directory>
  • List all available file/directory contexts:
    • seinfo -t
  • List default file/directory context for a file:
    • matchpathcon <file/directory>
  • Change file/directory context back to default:
    • restorecon -Rv <file/directory>
  • Different ways to change the context for a file/directory (does not survive a relabel if file/directory does not exist in the file_contexts file):
    • chcon -u <user> -t <type> <file/directory> (-R for recursive; does not survive relabel)
    • chcon -R --reference <file/directory> <file/directory> (does not survive relabel)
  • Add file/directory to file_contexts file (survives a relabel):
    • semanage fcontext -a -t <type> "<file/directory>"
  • View contexts for running processes:
    • ps auZ
  • /var/log/audit:
    • Contains logs related to SELinux
  • Troubleshoot SELinux problems:
    • sealert -a /var/log/audit/audit.log (CLI)
    • sealert -b (GUI; requires setools-gui and policycoreutils-gui)

Comments

Post a Comment

Popular posts from this blog

Introduction

The following pages contain my notes from studying Michael Jang's RHCSA/RHCE Red Hat Linux Certification Study Guide. Jang's book is incredibly helpful, explaining each objective in great detail. My notes are quite simple in comparison, thus they are merely a supplement to the book. I highly recommend purchasing and studying the book if you plan on taking the exams. Read This Before Continuing! Before we can begin with the lessons, we must first set up a lab where we will be doing all of our studying. A note before we continue: The study lab uses KVM (virtual machines), therefore you will need a CPU that supports hardware virtualization. You can find out if your CPU supports hardware virtualization by checking the manufacturer website for your CPU. For example, if we check the product details for AMD's Phenom N930 , we will see that there is a "Yes" liste d next to "AMD's Virtualization Technology," which means that the CPU supports har...
Read more