Oracle Linux/Quick Reference

From r00tedvw.com wiki
(Difference between revisions)
Jump to: navigation, search
(check linux version)
 
(78 intermediate revisions by one user not shown)
Line 21: Line 21:
 
  ~$ useradd user
 
  ~$ useradd user
 
you can also add the user, define their home directory, and add them to a group in one line.
 
you can also add the user, define their home directory, and add them to a group in one line.
  <nowiki>~$ useradd username -d <customer_home_dir_path> -G <group_names></nowiki>
+
  <nowiki>~$ useradd username -d <user_home_dir_path> -G <group_names></nowiki>
 
set password for user
 
set password for user
 
  ~$ passwd user
 
  ~$ passwd user
Line 38: Line 38:
 
~$ getent group sudo
 
~$ getent group sudo
 
sudo:x:27:Bob,Joe</nowiki>
 
sudo:x:27:Bob,Joe</nowiki>
 +
 +
Remove a user from a group
 +
<nowiki>~$ sudo gpasswd -d user group</nowiki>
 +
 +
==permissions==
 +
{| class="mw-collapsible wikitable"
 +
! Permissions || Owner || Group || Others
 +
|-
 +
| 777 || rwx || rwx || rwx
 +
|-
 +
| 666 || rw- || rw- || rw-
 +
|-
 +
| 555 || r-x || r-x || r-x
 +
|-
 +
| 444 || r-- || r-- || r--
 +
|-
 +
| 333 || -wx || -wx || -wx
 +
|-
 +
| 222 || -w- || -w- || -w-
 +
|-
 +
| 111 || --x || --x || --x
 +
|-
 +
| 000 || --- || --- || ---
 +
|}
  
 
==determine packages installed & search==
 
==determine packages installed & search==
Line 54: Line 78:
 
  169.254.0.0    0.0.0.0        255.255.0.0    U        0 0          0 eth0
 
  169.254.0.0    0.0.0.0        255.255.0.0    U        0 0          0 eth0
  
==disable selinux==
+
==selinux==
Check Status
+
===Basics===
 +
;Users
 +
:selinux has a set of pre-built users which linux user accounts can be mapped to one or more of.
 +
;Roles
 +
:roles are like filters which sit between a user and a process. they define which users can access that process. users can enter or assume a role at any time if the role grants it.
 +
;Subjects
 +
:a process is called a subject and can affect objects
 +
;Objects
 +
:any requested resource is an object, such as files, directories, ports, tcp sockets, cursor, etc.
 +
;Permissions
 +
:the actions that a subject (process) can perform on an object.
 +
;Domains
 +
:the context within which an selinux subject can run, like a wrapper.  a domain can define what files, dirs, links, devices, ports, etc are accessible to the subject.
 +
;Types
 +
:the context for a file's context that stipulates the file's purpose, such as its meant for certain processes or belongs to a certain directory, or is owned by certain selinux user
 +
===security context===
 +
<code>'''ls -Z'''</code> shows the selinux security context of a process or file/dir.  <code>''mls''</code> is hidden by default.
 +
<nowiki>user:role:type:mls
 +
ie.
 +
ls -Z /var/www/html/index.html 
 +
-rw-r--r--  username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html</nowiki>
 +
 
 +
===Check Status===
 
  <nowiki>~$ $ sestatus
 
  <nowiki>~$ $ sestatus
 
SELinux status:                enabled
 
SELinux status:                enabled
Line 67: Line 113:
 
Max kernel policy version:      31</nowiki>
 
Max kernel policy version:      31</nowiki>
  
 +
===disable===
 
temporarily disable
 
temporarily disable
 
  <nowiki>~$ setenforce 0
 
  <nowiki>~$ setenforce 0
Line 75: Line 122:
 
  <nowiki>~$ /etc/selinux/config
 
  <nowiki>~$ /etc/selinux/config
 
  change SELinux=enforcing to SELinux=disabled</nowiki>
 
  change SELinux=enforcing to SELinux=disabled</nowiki>
 +
 +
===Restore labels in filesystem===
 +
In case you need to restore all the labels in the entire filesystem, here you go
 +
<nowiki>~$ sudo restorecon -Rv /</nowiki>
 +
 +
===Check audit log===
 +
'''NOTE:''' before you can use <code>audit2allow</code>, you may need to install the providing package.
 +
<nowiki>~$ sudo yum install policycoreutils-python</nowiki>
 +
Show denials within the last 10 minutes.  use <code>'''today'''</code> instead of ''recent'' to show the entire day.
 +
<nowiki>~$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent
 +
 +
time->Thu Jan  3 15:18:56 2019
 +
type=PROCTITLE msg=audit(1546546736.770:592): proctitle=2F7573722F6C69622F6A766D2F6A72652F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573722F73686172652F6A6176612F63
 +
type=SYSCALL msg=audit(1546546736.770:592): arch=c000003e syscall=83 success=no exit=-13 a0=7fd3d42251f0 a1=1ff a2=0 a3=7fd3dd052780 items=0 ppid=1 pid=6200 auid=4294967295 uid=53 gid=53 euid=53 suid=53 fsuid=53 egid=53 sgid=53 fsgid=53 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
 +
type=AVC msg=audit(1546546736.770:592): avc:  denied  { create } for  pid=6200 comm="java" name="jobs" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0</nowiki>
 +
 +
Using the audit ID, <code>''msg=audit()''</code>, find out specifics on the denial
 +
<nowiki>~$ sudo grep 1546546736.770:592 /var/log/audit/audit.log | audit2allow -a -w
 +
 +
type=AVC msg=audit(1546546736.770:592): avc:  denied  { create } for  pid=6200 comm="java" name="jobs" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
 +
Was caused by:
 +
Missing type enforcement (TE) allow rule.
 +
 +
You can use audit2allow to generate a loadable module to allow this access.</nowiki>
 +
;scontext
 +
:the context of the process that attempted the denied action
 +
;tconext
 +
:the context of the target the process attempt to access
 +
 +
You can also check the audit log using <code>sealert</code>, however this doesn't print the audit messages in chronological order.
 +
<nowiki>~$ sudo sealert -a /var/log/audit/audit.log</nowiki>
 +
 +
===listing rules, file contexts, users, and roles===
 +
Here is a quick example on how to list all the file system labels matching a string, in this example ''tomcat''
 +
<nowiki>~$ sudo semanage fcontext -l | grep tomcat</nowiki>
 +
List all file contexts
 +
<nowiki>~$ seinfo -t</nowiki>
 +
List all users
 +
<nowiki>~$ seinfo -u</nowiki>
 +
List all user roles
 +
<nowiki>~$ seinfo -r</nowiki>
 +
 +
===List ports associated with context===
 +
Using <code>''sepolicy''</code> you can list the ports associated with a selinux context
 +
<nowiki>~$ sepolicy network -t http_port_t
 +
http_port_t: tcp: 80,81,443,488,8008,8009,8443,9000</nowiki>
 +
Add port to the policy
 +
<nowiki>~$ semanage port -m -t http_port_t -p tcp 8080</nowiki>
 +
 +
===changing security context===
 +
There are a few ways to do this, but these are the (2) i'm currently familiar with.<br>
 +
Most of the time, only the type security context will need to be changed, like so:
 +
<nowiki>~$ sudo chcon -v --type=httpd_sys_content_t /html</nowiki>
 +
However, while the above offers persistence, it fails to offer is a way to retain the changed state if someone relabels the file system.
 +
<br>
 +
Alternatively, you can use this and also register the type security context change with selinux. This will not only be persistent after a restart, but also after relabeling the file system.
 +
<nowiki>~$ sudo semanage fcontext -a -t httpd_sys_content_t "/html"
 +
or delete
 +
~$ sudo semanage fcontext -d -t tomcat_var_lib_t "/data(/.*)?"</nowiki>
 +
Even better, you can clone the security contexts of an existing file or folder:
 +
<nowiki>sudo semanage fcontext -a -e {source} {destination}
 +
~$ sudo semanage fcontext -a -e /usr/share/tomcat/webapps /opt/jenkins </nowiki>
 +
 +
===Creating a SELinux Policy===
 +
I had to add an extra policy to allow git and tomcat access to resources.<br>
 +
I wanted to restrict changes to SELinux to only what was necessary, so I opted to repeat these steps until all
 +
<pre style="white-space: pre-wrap;"><nowiki>~$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent   
 +
    #look at recent SELinux events and find the ID of the denial.
 +
~$ sudo grep 1547056915.268:2946 /var/log/audit/audit.log | audit2allow -a -M local-git2   
 +
    #with the denial ID, use audit2allow to create a new set of policy files (one TE for human readable and one PP for an encoded version that can be inserted).  You can create a fresh one for each restriction you find and then manually combine them together.
 +
~$ cat local-git2.te
 +
    #Look at the TE file and (if you have an existing one already), compare it to see what needs to be added.
 +
~$ vim local-git.te
 +
    #Manually merge the changes you saw in the previous TE file.
 +
~$ sudo checkmodule -M -m -o local-git.mod local-git.te
 +
    #create the module from the TE file
 +
~$ sudo semodule_package -o local-git.pp -m local-git.mod
 +
    #create the PP file from the Module
 +
~$ sudo semodule -i local-git.pp
 +
    #Install the new policy file.
 +
</nowiki></pre>
 +
The resulting policy file was:
 +
<pre style="white-space: pre-wrap;"><nowiki>~$ cat local-git.te
 +
 +
module local-git 1.0;
 +
 +
require {
 +
type tomcat_t;
 +
type ssh_exec_t;
 +
type tomcat_cache_t;
 +
type tomcat_var_lib_t;
 +
class file execute;
 +
class file execute_no_trans;
 +
class file getattr;
 +
class file read;
 +
class file open;
 +
}
 +
 +
#============= tomcat_t ==============
 +
allow tomcat_t ssh_exec_t:file execute;
 +
allow tomcat_t tomcat_cache_t:file execute;
 +
allow tomcat_t tomcat_cache_t:file execute_no_trans;
 +
allow tomcat_t ssh_exec_t:file getattr;
 +
allow tomcat_t ssh_exec_t:file read;
 +
allow tomcat_t ssh_exec_t:file open;
 +
allow tomcat_t ssh_exec_t:file execute_no_trans;
 +
allow tomcat_t tomcat_var_lib_t:file execute;
 +
allow tomcat_t tomcat_var_lib_t:file execute_no_trans;</nowiki></pre>
 +
 +
===SELinux Boolean===
 +
List booleans
 +
<nowiki>~$ sudo getsebool -a</nowiki>
 +
 +
enable a boolean
 +
<nowiki>~$ sudo getsebool -a | grep nis_enabled
 +
~$ sudo setsebool -P nis_enabled on
 +
~$ sudo getsebool -a | grep nis_enabled</nowiki>
 +
 +
===troubleshoot selinux===
 +
First thing is to understand how to read the audit messages from selinux.
 +
<pre style="white-space: pre-wrap;"><nowiki>Raw Audit Messages
 +
type=AVC msg=audit(1546890349.633:735): avc:  denied  { execute } for  pid=5649 comm="git" name="ssh" dev="dm-0" ino=25530389 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0</nowiki></pre>
 +
 +
;*<code>{ ''getattr'' }</code> | ie. <code>execute</code>
 +
:This item indicates the permission that was denied.
 +
;*<code>pid=''number''</code>
 +
:The process id of the process that attempted the access
 +
;*<code>comm="''git''"</code>
 +
:The executable that launched the process.
 +
;*<code>dev and no</code>
 +
:The device where the target resource resides and its inode address.
 +
;*<code>scontext="'''system_u:system_r:tomcat_t:s0'''"</code>
 +
:The SElinux context of the process that attempted the denied action.  In this case, it is the context of Tomcat, which is running in the <code>tomcat_t</code> domain.
 +
;*<code>tcontext="'''system_u:object_r:ssh_exec_t:s0'''"</code>
 +
:The SElinux context of the object (target) the process attempted tp access.  In this case,
  
 
==check linux version==
 
==check linux version==
 
  <nowiki>~$ rpm -qf /etc/redhat-release</nowiki>
 
  <nowiki>~$ rpm -qf /etc/redhat-release</nowiki>
 +
<nowiki>~$ cat /etc/os-release</nowiki>
 +
<nowiki>~$ uname -a</nowiki>
  
 
==release and renew ip (dhcp)==
 
==release and renew ip (dhcp)==
Line 84: Line 268:
 
renew
 
renew
 
  <nowiki>~$ sudo dhclient -v eth0</nowiki>
 
  <nowiki>~$ sudo dhclient -v eth0</nowiki>
 +
 +
==clone network adapter config==
 +
I found that i'm regularly adding new network adapters to vms (say to add an internal network) and wanted a single line way of copying the existing nic interface config and modifying it for the new interface.  I came up with the line below which starts off by defining an array with both the old and new interface names, in that order: <code>{old new}</code>
 +
<nowiki>~$ ints=(enp0s3 enp0s8) && sudo cat /etc/sysconfig/network-scripts/ifcfg-"${ints[0]}" | sed 's/UUID\=.\{38\}/UUID\=\"'$(uuidgen ${ints[1]})'\"/' | sed 's/DEVICE\=.\{8\}/DEVICE\=\"'$(echo ${ints[1]})'\"/' | sed 's/NAME\=.\{8\}/NAME\=\"'$(echo ${ints[1]})'\"/' | sudo tee /etc/sysconfig/network-scripts/ifcfg-"${ints[1]}" > /dev/null</nowiki>
 +
pretty simple, opens the existing old config file, generates new UUID and replaces the old, finds old device and name values and replaces with new, then finally creates a new file with all the changes.  Doesn't affect the old config file at all.
 +
 +
==change default name server on startup==
 +
if you are using both network manager and DHCP, you may have trouble specifying the default DNS server.  I found the best way to do this is by adding the file:
 +
<nowiki>~$ sudo vim /etc/dhcp/dhclient.conf
 +
prepend domain-name-servers 10.10.0.1;
 +
</nowiki>
  
 
==update hostname==
 
==update hostname==
Line 116: Line 311:
 
[https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=66854729 https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=66854729]
 
[https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=66854729 https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=66854729]
 
[https://www.jethrocarr.com/2010/11/17/automatically-creating-home-directories-at-login-time/ https://www.jethrocarr.com/2010/11/17/automatically-creating-home-directories-at-login-time/]
 
[https://www.jethrocarr.com/2010/11/17/automatically-creating-home-directories-at-login-time/ https://www.jethrocarr.com/2010/11/17/automatically-creating-home-directories-at-login-time/]
 +
[https://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html/System_Administrators_Guide/SSSD-Troubleshooting.html https://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html/System_Administrators_Guide/SSSD-Troubleshooting.html]
 +
===Requirements===
 +
To perform authentication, SSSD requires that the communication channel be encrypted.<br>
 +
<code>ldap://</code> requires TLS<br>
 +
<code>ldaps://</code> requires SSL
 +
 
===Install SSSD===
 
===Install SSSD===
  <nowiki>~$ sudo yum install sssd sssd-client</nowiki>
+
  <nowiki>~$ sudo yum install -y sssd sssd-client</nowiki>
 +
 
 
===Configure SSSD===
 
===Configure SSSD===
 
You can opt to manually edit the configuration file, like is seen in [https://docs.oracle.com/cd/E52668_01/E54669/html/ol7-sssd-ldap.html this link].<br>
 
You can opt to manually edit the configuration file, like is seen in [https://docs.oracle.com/cd/E52668_01/E54669/html/ol7-sssd-ldap.html this link].<br>
Line 130: Line 332:
 
Check to see if sssd has imported the groups from your ldap:
 
Check to see if sssd has imported the groups from your ldap:
 
  <nowiki>~$ getent group</nowiki>
 
  <nowiki>~$ getent group</nowiki>
Once you see the group name with the users you want to add, just edit the sudoers file
+
Once you see the group name with the users you want to add, just edit the sudoers file.<br>
 +
'''UPDATE:''' you may not see the group name in the group database, however it may still be viable to use.  As long as the name does not conflict with an existing group name in the local system, try adding it.
 
  <nowiki>~$ visudo</nowiki>
 
  <nowiki>~$ visudo</nowiki>
 
Make sure you add it like so:
 
Make sure you add it like so:
Line 136: Line 339:
 
#includedir /etc/sudoers.d
 
#includedir /etc/sudoers.d
 
%new_sudoer_group ALL = (ALL) ALL</nowiki>
 
%new_sudoer_group ALL = (ALL) ALL</nowiki>
 +
 +
===Force Home directory and Shell===
 +
<nowiki>~vim /etc/sssd/sssd.conf
 +
...
 +
override_homedir = /home/%u
 +
override_shell = /bin/bash</nowiki>
 +
 +
===Manual config implementation===
 +
If you decide to manually edit <code>/etc/sssd/sssd.config</code>, you will still need to update the PAM configuration to use sssd.  This is expected to be done with <code><b>authconfig</b></code>.<br>
 +
[https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/Configuring_Services.html Reference]
 +
<nowiki>~$ authconfig --update --enablesssd --enablesssdauth</nowiki>
 +
 +
===Test Configuration===
 +
This will show you if sssd is able to query the LDAP for the account/group.  It does '''NOT''' confirm that the PAM configuration has been updated.  See above.
 +
<nowiki>~$ getent passwd ldapuser02
 +
ldapuser02:*:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash</nowiki>
  
 
==Add Service to auto start on boot==
 
==Add Service to auto start on boot==
Line 144: Line 363:
  
 
==Common packages to install on fresh (minimal) install==
 
==Common packages to install on fresh (minimal) install==
  <nowiki>~$ sudo yum install telnet net-tools vim tcpdump bind-utils redhat-lsb-core wget -y</nowiki>
+
  <nowiki>~$ sudo yum install -y telnet net-tools vim tcpdump bind-utils redhat-lsb-core wget nfs-utils policycoreutils-python setroubleshoot setools</nowiki>
 +
;<code>telnet</code>
 +
:standard telnet package
 +
;<code>net-tools</code>
 +
:contains obsolete networking applications such as <code>ifconfig</code>
 +
;<code>vim</code>
 +
:advanced text editor
 +
;<code>tcpdump</code>
 +
:packet capture utility
 +
;<code>bind-utils</code>
 +
:contains dns focused applications such as <code>dig</code>
 +
;<code>redhat-lsb-core</code>
 +
:provides LSB commands, such as <code>lsb_release -a</code> which gives you specific system information and build details.
 +
;<code>wget</code>
 +
:application to access and download internet content, such as http/https
 +
;<code>nfs-utils</code>
 +
:utilities for setting up, configuring, and managing nfs shares on linux
 +
;<code>policycoreutils-python</code>
 +
:contains selinux management utilities such as <code>semanage</code>
 +
;<code>setroubleshoot</code>
 +
:has selinux troubleshooting tools, like <code>sealert</code>
 +
;<code>setools</code>
 +
:policy analysis tool for selinux, such as <code>seinfo</code>
  
 
==bash for loop examples==
 
==bash for loop examples==
Line 163: Line 404:
 
From the server side we need to do the following:
 
From the server side we need to do the following:
 
  <nowiki>~$ sudo yum install nfs-utils
 
  <nowiki>~$ sudo yum install nfs-utils
 +
~$ systemctl enable nfs
 
~$ systemctl start nfs.service</nowiki>
 
~$ systemctl start nfs.service</nowiki>
 
Make the NFS share and assign permissions in <code>/etc/exports</code>
 
Make the NFS share and assign permissions in <code>/etc/exports</code>
Line 183: Line 425:
 
'''sync:''' Sync confirms requests to the shared directory only once the changes have been committed.<br>
 
'''sync:''' Sync confirms requests to the shared directory only once the changes have been committed.<br>
 
'''no_subtree_check:''' This option prevents the subtree checking. When a shared directory is the subdirectory of a larger file system, nfs performs scans of every directory above it, in order to verify its permissions and details. Disabling the subtree check may increase the reliability of NFS, but reduce security.<br>
 
'''no_subtree_check:''' This option prevents the subtree checking. When a shared directory is the subdirectory of a larger file system, nfs performs scans of every directory above it, in order to verify its permissions and details. Disabling the subtree check may increase the reliability of NFS, but reduce security.<br>
'''no_root_squash:''' This phrase allows root to connect to the designated directory.<br>
+
'''no_root_squash:''' This phrase allows root to connect to the designated directory, but also leaves a security vulnerability.<br>
 +
'''root_squash:''' This phrase allows files created on a mount from a client to be setup with nobody permissions.
  
 
===Client Side===
 
===Client Side===
Line 193: Line 436:
 
Export list for ansible1.r00tedvw.local:
 
Export list for ansible1.r00tedvw.local:
 
/nfsshare ansible3.r00tedvw.local,ansible2.r00tedvw.local</nowiki>
 
/nfsshare ansible3.r00tedvw.local,ansible2.r00tedvw.local</nowiki>
 +
 +
check a couple of other ways:
 +
<nowiki>~$ nfsstat -m
 +
/mnt/nfsshare from ansible1.r00tedvw.local:/nfsshare
 +
Flags: rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.0.3.4,local_lock=none,addr=10.0.3.6
 +
 +
~$ mount -v
 +
...
 +
ansible1.r00tedvw.local:/nfsshare on /mnt/nfsshare type nfs4 (rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.0.3.4,local_lock=none,addr=10.0.3.6)</nowiki>
  
 
====temporary mount====
 
====temporary mount====
Line 203: Line 455:
 
  <nowiki>~$ sudo -s
 
  <nowiki>~$ sudo -s
 
~$ echo "ansible1.r00tedvw.local:/nfsshare /mnt/nfsshare  nfs defaults 0 0" >> /etc/fstab</nowiki>
 
~$ echo "ansible1.r00tedvw.local:/nfsshare /mnt/nfsshare  nfs defaults 0 0" >> /etc/fstab</nowiki>
 +
 +
==Setup NTP server==
 +
very simple to configure a ntp client to maintain date/time on the server.
 +
<nowiki>~$ sudo yum install -y ntp
 +
~$ sudo echo '*/5 * * * * root /usr/sbin/ntpd -q -u ntp:ntp' | sudo tee /etc/cron.d/ntpd > /dev/null</nowiki>
 +
The default ntp servers, like <code>0.centos.pool.ntp.org</code>, do '''not''' work.  So let's change them to something more reliable.
 +
<nowiki>~$ sudo vim /etc/ntp.conf
 +
...
 +
server time1.google.com iburst
 +
server time2.google.com iburst
 +
server time3.google.com iburst
 +
server time4.google.com iburst
 +
 +
~$ sudo systemctl restart ntpd</nowiki>
 +
 +
'''Update:''' If you run into an issue like I did with virtual machines that may be turned off or go to sleep, they can have a very large time difference between the NTP server and the client.  This unfortunately causes the ntp client to panic and cease updating the time (great logic).  I corrected this issue by adding the following to the top of my configurations file, <code>/etc/ntp.conf</code>
 +
<nowiki>~$ sudo vim /etc/ntp.conf
 +
...
 +
# Do not die on large time jumps. Must be first in this file
 +
tinker panic 0</nowiki>
 +
Alternatively you can use the following to add the lines to the very top of the file.
 +
<nowiki>$ sudo sed -i '1i\
 +
# Do not die on large time jumps. Must be first in this file\
 +
tinker panic 0\
 +
' /etc/ntp.conf</nowiki>
 +
 +
With the ntpd service restarted, it should automatically sync with your NTP servers.  If not, you can check it manually:
 +
<nowiki>~$ ntpdate -q time1.google.com
 +
server 216.239.35.0, stratum 1, offset 0.009567, delay 0.05885
 +
2 Jan 15:51:04 ntpdate[5561]: adjust time server 216.239.35.0 offset 0.009567 sec</nowiki>
 +
 +
==firewalld==
 +
Here are some examples on how to use firewalld
 +
<nowiki>~$ sudo firewall-cmd --list-all-zones
 +
~$ sudo firewall-cmd --get-active-zone
 +
public
 +
  interfaces: eth0 enp0s3
 +
~$ sudo firewall-cmd --zone=public --add-port=8080/tcp
 +
~$ sudo firewall-cmd --zone=public --list-ports
 +
22/tcp 8080/tcp
 +
~$ sudo firewall-cmd --permanent --add-service=nfs
 +
~$ sudo firewall-cmd --permanent --add-service=mountd
 +
~$ sudo firewall-cmd --permanent --add-service=rpc-bind
 +
~$ sudo firewall-cmd --reload
 +
~$ sudo firewall-cmd --zone=internal --change-interface=eth1
 +
~$ sudo firewall-cmd --zone=public --list-services
 +
</nowiki>
 +
Find out what services use a specific port
 +
<nowiki>~$$ sudo grep -r 445 /usr/lib/firewalld/services/
 +
/usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="tcp" port="445"/>
 +
/usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="udp" port="445"/>
 +
/usr/lib/firewalld/services/samba-dc.xml:  <port protocol="tcp" port="445"/><!-- SMB over TCP -->
 +
/usr/lib/firewalld/services/samba.xml:  <port protocol="tcp" port="445"/></nowiki>
 +
 +
==rename filenames in bulk==
 +
Suppose you have a group of files which are mis-spelt and need to correct them in bulk.  You can use a for loop with mv combined with [http://tldp.org/LDP/abs/html/refcards.html#AEN22728 string operations] to manipulate the names.
 +
<nowiki>~$ ls
 +
SoftwareEnterpise_v2.6.1.27.exe SoftwareEnterpise_v2.7.0.188.exe
 +
~$for f in *.exe; do mv -- "$f" "${f/rpi/rpri}"; done
 +
~$ ls
 +
SoftwareEnterprise_v2.6.1.27.exe SoftwareEnterprise_v2.7.0.188.exe</nowiki>
 +
 +
==exit status==
 +
Extremely useful, the exit status of the last command is stored in an environment variable called '''<code>$?</code>'''<br>
 +
;0
 +
:prior command executed without error
 +
;1+
 +
:prior command executed with error.
 +
Ultimately the error status is determined by the application or script.  If the code does not catch the error or does not set the exit status properly, then calling on the exit status will not provide the desired results.
 +
<nowiki>ie.
 +
~$ cat networks                                                                                                                                         
 +
##
 +
# Networks Database
 +
##
 +
loopback 127 loopback-net
 +
~$ echo $?                                                                                                                                             
 +
0
 +
~$ cat networkss                                                                                                                                       
 +
cat: networkss: No such file or directory
 +
~$ echo $?                                                                                                                                         
 +
1
 +
</nowiki>
 +
 +
==get cpu/mem/hdd stats==
 +
one way to get it done.
 +
<nowiki>~$ sudo cat /proc/cpuinfo | grep "cpu cores" | head -n1 && sudo cat /proc/meminfo | grep "MemTotal" && echo "hdd: $(( (( $(sudo cat /sys/block/sda/size) / 2 )) / 1000000 )) GB"
 +
cpu cores : 4
 +
MemTotal:        8166112 kB
 +
hdd: 125 GB</nowiki>
 +
 +
==hyper-v daemon==
 +
for linux to report details, like IP address, to hyperv, you need a daemon running.
 +
<nowiki>~$ sudo yum install -y hyperv-daemons</nowiki>
 +
 +
==if then else==
 +
[https://www.shell-tips.com/bash/if-statement/#gsc.tab=0 Great explanation]

Latest revision as of 14:27, 19 December 2022

Contents

[edit] yum

update repo cache (agt-get update equivalent)

~$ yum check-update

update all packages

~$ yum update

install software

~$ yum install lynx

search for software

~$ yum search apache

remove software

~$ yum remove lynx

search for package by command

~$ yum whatprovides dig

search for installed packages

~$ yum list installed | grep nfs-utils

show available versions from repo with their details

~$ yum -v list nfs-utils --show-duplicates 

[edit] Add user & add to sudoers

add user

~$ useradd user

you can also add the user, define their home directory, and add them to a group in one line.

~$ useradd username -d <user_home_dir_path> -G <group_names>

set password for user

~$ passwd user

add to sudoers

~$ visudo
...
user ALL=(ALL) ALL

or use the wheel group. Uncomment it:

## Allow people in the group wheel to run all commands
%wheel     ALL=(ALL)     ALL

Add user to the group

~$ sudo usermod -a -G [group] [user]
i.e. sudo usermod -a -G sudo Joe

check to verify they are part of the group
~$ getent group sudo
sudo:x:27:Bob,Joe

Remove a user from a group

~$ sudo gpasswd -d user group

[edit] permissions

Permissions Owner Group Others
777 rwx rwx rwx
666 rw- rw- rw-
555 r-x r-x r-x
444 r-- r-- r--
333 -wx -wx -wx
222 -w- -w- -w-
111 --x --x --x
000 --- --- ---

[edit] determine packages installed & search

~$ rpm -qa | less | grep term

[edit] configure date/time

~$ sudo date -s "2 OCT 2006 18:00:00"

[edit] netstat

determine gateway

~$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.45.9.1       0.0.0.0         UG        0 0          0 eth0
10.45.9.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0

[edit] selinux

[edit] Basics

Users
selinux has a set of pre-built users which linux user accounts can be mapped to one or more of.
Roles
roles are like filters which sit between a user and a process. they define which users can access that process. users can enter or assume a role at any time if the role grants it.
Subjects
a process is called a subject and can affect objects
Objects
any requested resource is an object, such as files, directories, ports, tcp sockets, cursor, etc.
Permissions
the actions that a subject (process) can perform on an object.
Domains
the context within which an selinux subject can run, like a wrapper. a domain can define what files, dirs, links, devices, ports, etc are accessible to the subject.
Types
the context for a file's context that stipulates the file's purpose, such as its meant for certain processes or belongs to a certain directory, or is owned by certain selinux user

[edit] security context

ls -Z shows the selinux security context of a process or file/dir. mls is hidden by default.

user:role:type:mls
ie. 
ls -Z /var/www/html/index.html  
-rw-r--r--  username username system_u:object_r:httpd_sys_content_t /var/www/html/index.html

[edit] Check Status

~$ $ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

[edit] disable

temporarily disable

~$ setenforce 0
or
~$ setenforce Permissive

permanently disable

~$ /etc/selinux/config
 change SELinux=enforcing to SELinux=disabled

[edit] Restore labels in filesystem

In case you need to restore all the labels in the entire filesystem, here you go

~$ sudo restorecon -Rv /

[edit] Check audit log

NOTE: before you can use audit2allow, you may need to install the providing package.

~$ sudo yum install policycoreutils-python

Show denials within the last 10 minutes. use today instead of recent to show the entire day.

~$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent

time->Thu Jan  3 15:18:56 2019
type=PROCTITLE msg=audit(1546546736.770:592): proctitle=2F7573722F6C69622F6A766D2F6A72652F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573722F73686172652F6A6176612F63
type=SYSCALL msg=audit(1546546736.770:592): arch=c000003e syscall=83 success=no exit=-13 a0=7fd3d42251f0 a1=1ff a2=0 a3=7fd3dd052780 items=0 ppid=1 pid=6200 auid=4294967295 uid=53 gid=53 euid=53 suid=53 fsuid=53 egid=53 sgid=53 fsgid=53 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1546546736.770:592): avc:  denied  { create } for  pid=6200 comm="java" name="jobs" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0

Using the audit ID, msg=audit(), find out specifics on the denial

~$ sudo grep 1546546736.770:592 /var/log/audit/audit.log | audit2allow -a -w

type=AVC msg=audit(1546546736.770:592): avc:  denied  { create } for  pid=6200 comm="java" name="jobs" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
scontext
the context of the process that attempted the denied action
tconext
the context of the target the process attempt to access

You can also check the audit log using sealert, however this doesn't print the audit messages in chronological order.

~$ sudo sealert -a /var/log/audit/audit.log

[edit] listing rules, file contexts, users, and roles

Here is a quick example on how to list all the file system labels matching a string, in this example tomcat

~$ sudo semanage fcontext -l | grep tomcat

List all file contexts

~$ seinfo -t

List all users

~$ seinfo -u

List all user roles

~$ seinfo -r

[edit] List ports associated with context

Using sepolicy you can list the ports associated with a selinux context

~$ sepolicy network -t http_port_t
http_port_t: tcp: 80,81,443,488,8008,8009,8443,9000

Add port to the policy

~$ semanage port -m -t http_port_t -p tcp 8080

[edit] changing security context

There are a few ways to do this, but these are the (2) i'm currently familiar with.
Most of the time, only the type security context will need to be changed, like so:

~$ sudo chcon -v --type=httpd_sys_content_t /html

However, while the above offers persistence, it fails to offer is a way to retain the changed state if someone relabels the file system.
Alternatively, you can use this and also register the type security context change with selinux. This will not only be persistent after a restart, but also after relabeling the file system.

~$ sudo semanage fcontext -a -t httpd_sys_content_t "/html"
or delete
~$ sudo semanage fcontext -d -t tomcat_var_lib_t "/data(/.*)?"

Even better, you can clone the security contexts of an existing file or folder:

sudo semanage fcontext -a -e {source} {destination} 
~$ sudo semanage fcontext -a -e /usr/share/tomcat/webapps /opt/jenkins 

[edit] Creating a SELinux Policy

I had to add an extra policy to allow git and tomcat access to resources.
I wanted to restrict changes to SELinux to only what was necessary, so I opted to repeat these steps until all

~$ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent    
     #look at recent SELinux events and find the ID of the denial.
~$ sudo grep 1547056915.268:2946 /var/log/audit/audit.log | audit2allow -a -M local-git2     
     #with the denial ID, use audit2allow to create a new set of policy files (one TE for human readable and one PP for an encoded version that can be inserted).  You can create a fresh one for each restriction you find and then manually combine them together.
~$ cat local-git2.te
     #Look at the TE file and (if you have an existing one already), compare it to see what needs to be added.
~$ vim local-git.te
     #Manually merge the changes you saw in the previous TE file.
~$ sudo checkmodule -M -m -o local-git.mod local-git.te
     #create the module from the TE file
~$ sudo semodule_package -o local-git.pp -m local-git.mod
     #create the PP file from the Module
~$ sudo semodule -i local-git.pp
     #Install the new policy file.

The resulting policy file was:

~$ cat local-git.te

module local-git 1.0;

require {
	type tomcat_t;
	type ssh_exec_t;
	type tomcat_cache_t;
	type tomcat_var_lib_t;
	class file execute;
	class file execute_no_trans;
	class file getattr;
	class file read;
	class file open;
}

#============= tomcat_t ==============
allow tomcat_t ssh_exec_t:file execute;
allow tomcat_t tomcat_cache_t:file execute;
allow tomcat_t tomcat_cache_t:file execute_no_trans;
allow tomcat_t ssh_exec_t:file getattr;
allow tomcat_t ssh_exec_t:file read;
allow tomcat_t ssh_exec_t:file open;
allow tomcat_t ssh_exec_t:file execute_no_trans;
allow tomcat_t tomcat_var_lib_t:file execute;
allow tomcat_t tomcat_var_lib_t:file execute_no_trans;

[edit] SELinux Boolean

List booleans

~$ sudo getsebool -a

enable a boolean

~$ sudo getsebool -a | grep nis_enabled
~$ sudo setsebool -P nis_enabled on
~$ sudo getsebool -a | grep nis_enabled

[edit] troubleshoot selinux

First thing is to understand how to read the audit messages from selinux.

Raw Audit Messages
type=AVC msg=audit(1546890349.633:735): avc:  denied  { execute } for  pid=5649 comm="git" name="ssh" dev="dm-0" ino=25530389 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
  • { getattr } | ie. execute
This item indicates the permission that was denied.
  • pid=number
The process id of the process that attempted the access
  • comm="git"
The executable that launched the process.
  • dev and no
The device where the target resource resides and its inode address.
  • scontext="system_u:system_r:tomcat_t:s0"
The SElinux context of the process that attempted the denied action. In this case, it is the context of Tomcat, which is running in the tomcat_t domain.
  • tcontext="system_u:object_r:ssh_exec_t:s0"
The SElinux context of the object (target) the process attempted tp access. In this case,

[edit] check linux version

~$ rpm -qf /etc/redhat-release
~$ cat /etc/os-release
~$ uname -a

[edit] release and renew ip (dhcp)

release

~$ sudo dhclient -v -r eth0

renew

~$ sudo dhclient -v eth0

[edit] clone network adapter config

I found that i'm regularly adding new network adapters to vms (say to add an internal network) and wanted a single line way of copying the existing nic interface config and modifying it for the new interface. I came up with the line below which starts off by defining an array with both the old and new interface names, in that order: {old new}

~$ ints=(enp0s3 enp0s8) && sudo cat /etc/sysconfig/network-scripts/ifcfg-"${ints[0]}" | sed 's/UUID\=.\{38\}/UUID\=\"'$(uuidgen ${ints[1]})'\"/' | sed 's/DEVICE\=.\{8\}/DEVICE\=\"'$(echo ${ints[1]})'\"/' | sed 's/NAME\=.\{8\}/NAME\=\"'$(echo ${ints[1]})'\"/' | sudo tee /etc/sysconfig/network-scripts/ifcfg-"${ints[1]}" > /dev/null

pretty simple, opens the existing old config file, generates new UUID and replaces the old, finds old device and name values and replaces with new, then finally creates a new file with all the changes. Doesn't affect the old config file at all.

[edit] change default name server on startup

if you are using both network manager and DHCP, you may have trouble specifying the default DNS server. I found the best way to do this is by adding the file:

~$ sudo vim /etc/dhcp/dhclient.conf
prepend domain-name-servers 10.10.0.1;

[edit] update hostname

Normally you only need to update the hostname in (1) place:

~$ sudo vim /etc/hostname
hostname.localhost

However, you may need to change it in these other places (or it may already be changed there)
Make sure your hostname is defined in /etc/sysconfig/network

HOSTNAME=server.fqdn.com

Also for the network config, put your FQDN in the hosts file @ /etc/hosts

127.0.0.1   server.fqdn.com
::1   server.fqdn.com
OR
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
ip.address	fqdn.hostname

[edit] check and change DNS servers

~$ sudo vi /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4

[edit] Install epel repo

~$ yum install epel-release

[edit] Add & configure LDAP authentication for SSH

[edit] references

https://docs.oracle.com/cd/E52668_01/E54669/html/ol7-sssd-ldap.html
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=66854729 https://www.jethrocarr.com/2010/11/17/automatically-creating-home-directories-at-login-time/ https://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html/System_Administrators_Guide/SSSD-Troubleshooting.html

[edit] Requirements

To perform authentication, SSSD requires that the communication channel be encrypted.
ldap:// requires TLS
ldaps:// requires SSL

[edit] Install SSSD

~$ sudo yum install -y sssd sssd-client

[edit] Configure SSSD

You can opt to manually edit the configuration file, like is seen in this link.
Or you can use authconfig to configure it for you, like so:

authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --ldapserver=<ldap_host> --enableldaptls --ldapbasedn=dc=my-company,dc=my-org --enableshadow --enablerfc2307bis --enablemkhomedir --enablecachecreds --update

You may need to start or restart the service

~$ sudo service sssd restart

[edit] Home Directories

Make sure you use the switch --enablemkhomedir when you use authconfig if you want users to have their own home directory.

[edit] Sudo access

If you want users to have sudo access, providing you already have a group in your LDAP, you can the group to your sudoers file.
Check to see if sssd has imported the groups from your ldap:

~$ getent group

Once you see the group name with the users you want to add, just edit the sudoers file.
UPDATE: you may not see the group name in the group database, however it may still be viable to use. As long as the name does not conflict with an existing group name in the local system, try adding it.

~$ visudo

Make sure you add it like so:

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
%new_sudoer_group ALL = (ALL) ALL

[edit] Force Home directory and Shell

~vim /etc/sssd/sssd.conf
...
override_homedir = /home/%u
override_shell = /bin/bash

[edit] Manual config implementation

If you decide to manually edit /etc/sssd/sssd.config, you will still need to update the PAM configuration to use sssd. This is expected to be done with authconfig.
Reference

~$ authconfig --update --enablesssd --enablesssdauth

[edit] Test Configuration

This will show you if sssd is able to query the LDAP for the account/group. It does NOT confirm that the PAM configuration has been updated. See above.

~$ getent passwd ldapuser02
ldapuser02:*:1001:1001:ldapuser02:/home/guests/ldapuser02:/bin/bash

[edit] Add Service to auto start on boot

[edit] list current state

~$ sudo chkconfig --list <service name; ie. mysqld>

[edit] set service to start on boot

~$ sudo chkconfig --level 345 <service name; ie. mysqld> on

[edit] Common packages to install on fresh (minimal) install

~$ sudo yum install -y telnet net-tools vim tcpdump bind-utils redhat-lsb-core wget nfs-utils policycoreutils-python setroubleshoot setools
telnet
standard telnet package
net-tools
contains obsolete networking applications such as ifconfig
vim
advanced text editor
tcpdump
packet capture utility
bind-utils
contains dns focused applications such as dig
redhat-lsb-core
provides LSB commands, such as lsb_release -a which gives you specific system information and build details.
wget
application to access and download internet content, such as http/https
nfs-utils
utilities for setting up, configuring, and managing nfs shares on linux
policycoreutils-python
contains selinux management utilities such as semanage
setroubleshoot
has selinux troubleshooting tools, like sealert
setools
policy analysis tool for selinux, such as seinfo

[edit] bash for loop examples

Get a list of file names with the full path, then for each, print the filename and path and then search for a string, printing any matching lines.

~$ for i in $(find / -name "*.ldif"); do echo $i && grep localdomain $i; done
/etc/openldap/slapd.d/cn=config.ldif
/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: dc=localhost,dc=localdomain
olcRootDN: cn=ldapadmin,dc=localhost,dc=localdomain
/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
 nal,cn=auth" read  by dn.base="cn=ldapadmin,dc=localhost,dc=localdomain" read  by * n
/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
/etc/openldap/slapd.d/cn=config/cn=schema/cn={10}ppolicy.ldif

[edit] Add NFS mount and share to clients

Done on CentOS Linux release 7.5.1804 (Core)

[edit] Server side

From the server side we need to do the following:

~$ sudo yum install nfs-utils
~$ systemctl enable nfs
~$ systemctl start nfs.service

Make the NFS share and assign permissions in /etc/exports

~$ sudo mkdir /nfsshare
$ sudo vim /etc/exports
/nfsshare ansible2.r00tedvw.local(ro,sync,no_root_squash)
/nfsshare ansible3.r00tedvw.local(ro,sync,no_root_squash)

Add the needed firewalld rules

~$ sudo firewall-cmd --permanent --add-service=nfs
~$ sudo firewall-cmd --permanent --add-service=mountd
~$ sudo firewall-cmd --permanent --add-service=rpc-bind
~$ sudo firewall-cmd --reload

[edit] NFS options

Some other options we can use in “/etc/exports” file for file sharing is as follows.

ro: With the help of this option we can provide read only access to the shared files i.e client will only be able to read.
rw: This option allows the client server to both read and write access within the shared directory.
sync: Sync confirms requests to the shared directory only once the changes have been committed.
no_subtree_check: This option prevents the subtree checking. When a shared directory is the subdirectory of a larger file system, nfs performs scans of every directory above it, in order to verify its permissions and details. Disabling the subtree check may increase the reliability of NFS, but reduce security.
no_root_squash: This phrase allows root to connect to the designated directory, but also leaves a security vulnerability.
root_squash: This phrase allows files created on a mount from a client to be setup with nobody permissions.

[edit] Client Side

~$ sudo yum install nfs-utils
~$ systemctl start nfs.service

check to make sure you can hit the NFS share and pull info

~$ showmount -e ansible1.r00tedvw.local
Export list for ansible1.r00tedvw.local:
/nfsshare ansible3.r00tedvw.local,ansible2.r00tedvw.local

check a couple of other ways:

~$ nfsstat -m
/mnt/nfsshare from ansible1.r00tedvw.local:/nfsshare
 Flags:	rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.0.3.4,local_lock=none,addr=10.0.3.6

~$ mount -v
...
ansible1.r00tedvw.local:/nfsshare on /mnt/nfsshare type nfs4 (rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.0.3.4,local_lock=none,addr=10.0.3.6)

[edit] temporary mount

Add the mount dir and map it.

~$ sudo mkdir /mnt/nfsshare
~$ sudo mount -t nfs ansible1.r00tedvw.local:/nfsshare /mnt/nfsshare

[edit] permanent map

add the mount to /etc/fstab

~$ sudo -s
~$ echo "ansible1.r00tedvw.local:/nfsshare /mnt/nfsshare  nfs defaults 0 0" >> /etc/fstab

[edit] Setup NTP server

very simple to configure a ntp client to maintain date/time on the server.

~$ sudo yum install -y ntp
~$ sudo echo '*/5 * * * * root /usr/sbin/ntpd -q -u ntp:ntp' | sudo tee /etc/cron.d/ntpd > /dev/null

The default ntp servers, like 0.centos.pool.ntp.org, do not work. So let's change them to something more reliable.

~$ sudo vim /etc/ntp.conf
...
server time1.google.com iburst
server time2.google.com iburst
server time3.google.com iburst
server time4.google.com iburst

~$ sudo systemctl restart ntpd

Update: If you run into an issue like I did with virtual machines that may be turned off or go to sleep, they can have a very large time difference between the NTP server and the client. This unfortunately causes the ntp client to panic and cease updating the time (great logic). I corrected this issue by adding the following to the top of my configurations file, /etc/ntp.conf

~$ sudo vim /etc/ntp.conf
...
# Do not die on large time jumps. Must be first in this file
tinker panic 0

Alternatively you can use the following to add the lines to the very top of the file.

$ sudo sed -i '1i\
# Do not die on large time jumps. Must be first in this file\
tinker panic 0\
' /etc/ntp.conf

With the ntpd service restarted, it should automatically sync with your NTP servers. If not, you can check it manually:

~$ ntpdate -q time1.google.com
server 216.239.35.0, stratum 1, offset 0.009567, delay 0.05885
 2 Jan 15:51:04 ntpdate[5561]: adjust time server 216.239.35.0 offset 0.009567 sec

[edit] firewalld

Here are some examples on how to use firewalld

~$ sudo firewall-cmd --list-all-zones
~$ sudo firewall-cmd --get-active-zone 
public
  interfaces: eth0 enp0s3
~$ sudo firewall-cmd --zone=public --add-port=8080/tcp
~$ sudo firewall-cmd --zone=public --list-ports
22/tcp 8080/tcp
~$ sudo firewall-cmd --permanent --add-service=nfs
~$ sudo firewall-cmd --permanent --add-service=mountd
~$ sudo firewall-cmd --permanent --add-service=rpc-bind
~$ sudo firewall-cmd --reload
~$ sudo firewall-cmd --zone=internal --change-interface=eth1
~$ sudo firewall-cmd --zone=public --list-services

Find out what services use a specific port

~$$ sudo grep -r 445 /usr/lib/firewalld/services/
/usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="tcp" port="445"/>
/usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="udp" port="445"/>
/usr/lib/firewalld/services/samba-dc.xml:  <port protocol="tcp" port="445"/><!-- SMB over TCP -->
/usr/lib/firewalld/services/samba.xml:  <port protocol="tcp" port="445"/>

[edit] rename filenames in bulk

Suppose you have a group of files which are mis-spelt and need to correct them in bulk. You can use a for loop with mv combined with string operations to manipulate the names.

~$ ls
SoftwareEnterpise_v2.6.1.27.exe SoftwareEnterpise_v2.7.0.188.exe 
~$for f in *.exe; do mv -- "$f" "${f/rpi/rpri}"; done
~$ ls
SoftwareEnterprise_v2.6.1.27.exe SoftwareEnterprise_v2.7.0.188.exe

[edit] exit status

Extremely useful, the exit status of the last command is stored in an environment variable called $?

0
prior command executed without error
1+
prior command executed with error.

Ultimately the error status is determined by the application or script. If the code does not catch the error or does not set the exit status properly, then calling on the exit status will not provide the desired results.

ie.
~$ cat networks                                                                                                                                          
##
# Networks Database
##
loopback	127		loopback-net
~$ echo $?                                                                                                                                               
0
~$ cat networkss                                                                                                                                         
cat: networkss: No such file or directory
~$ echo $?                                                                                                                                           
1

[edit] get cpu/mem/hdd stats

one way to get it done.

~$ sudo cat /proc/cpuinfo | grep "cpu cores" | head -n1 && sudo cat /proc/meminfo | grep "MemTotal" && echo "hdd: $(( (( $(sudo cat /sys/block/sda/size) / 2 )) / 1000000 )) GB"
cpu cores	: 4
MemTotal:        8166112 kB
hdd: 125 GB

[edit] hyper-v daemon

for linux to report details, like IP address, to hyperv, you need a daemon running.

~$ sudo yum install -y hyperv-daemons

[edit] if then else

Great explanation

Personal tools
Namespaces

Variants
Actions
Navigation
Mediawiki
Confluence
DevOps Tools
Open Source Products
Ubuntu
Ubuntu 22
Mac OSX
Oracle Linux
AWS
Windows
OpenVPN
Grafana
InfluxDB2
TrueNas
MagicMirror
OwnCloud
Pivotal
osTicket
OTRS
phpBB
WordPress
VmWare ESXI 5.1
Crypto currencies
HTML
CSS
Python
Java Script
PHP
Raspberry Pi
Canvas LMS
Kaltura Media Server
Plex Media Server
MetaSploit
Zoneminder
ShinobiCE
Photoshop CS2
Fortinet
Uploaded
Certifications
General Info
Games
Meal Plans
NC Statutes
Politics
Volkswagen
Covid
NCDMV
Toolbox