Thursday, August 18, 2011

RHCE Exam , Precaution & Preparedness


1) Basically, in the RHCE exam SELinux must be in enforcing mode.
So use
root# setenforce 1
Or change it in
root# system-config-securitylevel
and set SELinux to enforcing
Or change it in
vi /etc/selinux/config
SELINUX=enforcing
So be careful about SELinux errors, especially in the web server, SMB share and FTP server.
Examples
a) If you share a directory over SMB, then for the SELinux security context use
root# ls -ldZ /path
to check the security context
&
use
root# chcon -t samba_share_t /path
to change it to the samba share context.
Note :-> If in the exam you have to share user home directories through SELinux, then use
root# setsebool -P samba_enable_home_dirs on
b) In other cases we have to share or publish files taken from another location, for example web pages taken from the RHCE server for virtual hosting on the web server & FTP server.
It is quite confusing to remember the security context of all files,
so in that case the best way to prevent SELinux errors is
root# restorecon -R -v /path
Another way, to get SELinux errors prompted on the GUI, is to install the
setroubleshoot-plugins
setroubleshoot-server
RPMs.
2) The next thing is that the exam does not mention the firewall,
so your 1st job is to disable the firewall.
Change it in
root# system-config-securitylevel
and set the firewall to disabled,
otherwise it may create problems for your network services.
Then apply the IPTABLES rules.
a) Mostly the iptables rules would be for blocking (from other than your network) services like ssh, ftp, pop3-pop3s, imap-imaps.
So please apply correct iptables rules with the correct port numbers (for port numbers use the /etc/services file) & finally use
root# service iptables save
for reboot persistence.
3) Next, all your services must be reboot persistent & your root password must be as per your exam question paper.
So 1st check that all your services are working after a reboot, then submit your exam to your exam instructor.
4) Mostly I found that resizing LVM through command mode is quite tough work (because mostly the LVM would be the user home directory & you have to apply user quota on the same directory, so any mistake in LVM & quota would create a CTRL + D error),
so I prefer you to resize LVM in graphical mode (& if you find that the graphical tool for LVM is not installed in your system, then please install the system-config-lvm RPM via the YUM repository).
5) Apart from that precaution, god forbid, if you face any unrecoverable error that cannot be recovered by you, then you can get your system reinstalled by the instructor, but that installation time would be counted within your exam time.
6) & the most important is "don't lose confidence & be fear free", because only that will help you in the exam hall.
You know, I faced problems while giving the IP of my system, dovecot implementation & smb implementation,
& only my fear-free thought helped me to win over these issues.
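As an added example (not part of the original post) covering the SELinux context check in 1a and the "block from outside your network" iptables rules in 2a: it looks up port numbers from a constructed excerpt of /etc/services, prints the rules for a hypothetical trusted network 192.168.1.0/24, and checks an "ls -ldZ" line for samba_share_t.

```shell
#!/bin/sh
# Constructed excerpt of /etc/services (same layout as the real file).
SERVICES_EXCERPT='ssh             22/tcp
ssh             22/udp
ftp             21/tcp
pop3            110/tcp
pop3s           995/tcp
imap            143/tcp
imaps           993/tcp'

# svc_port NAME [PROTO] [TABLE]: print the port for NAME/PROTO looked up in
# TABLE (defaults to the excerpt; pass "$(cat /etc/services)" for the real file).
svc_port() {
    printf '%s\n' "${3:-$SERVICES_EXCERPT}" | awk -v n="$1" -v p="${2:-tcp}" '
        $1 == n && split($2, a, "/") == 2 && a[2] == p { print a[1]; exit }'
}

# block_rules TRUSTED_CIDR SERVICE...: print the iptables commands that accept
# each listed TCP service from TRUSTED_CIDR and reject it from anywhere else.
# Run "service iptables save" afterwards so the rules survive a reboot.
block_rules() {
    net=$1; shift
    for svc in "$@"; do
        port=$(svc_port "$svc" tcp) || return 1
        if [ -z "$port" ]; then
            echo "block_rules: no tcp port for $svc in services table" >&2
            return 1
        fi
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$net"
        printf 'iptables -A INPUT -p tcp --dport %s -j REJECT\n' "$port"
    done
}

# selinux_type LS_LINE: print the SELinux type (third field of the context,
# e.g. user_u:role_r:type_t) from one line of "ls -ldZ" output.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 3 && c[2] ~ /_r$/) { print c[3]; exit }
    }'
}

# share_context_ok LS_LINE: succeed when the directory carries samba_share_t;
# otherwise chcon -t samba_share_t (or restorecon) is needed before smbd can
# serve it with SELinux enforcing.
share_context_ok() {
    [ "$(selinux_type "$1")" = samba_share_t ]
}
```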


The other day one of my friends who was appearing in the RHCE exam faced a problem in the troubleshooting section:
he was unable to modify the /etc/passwd file.

Then I suggested he use
lsattr /etc/passwd

Then he found
----i--------  /etc/passwd

& then he used

chattr -i /etc/passwd
so I am posting the syntax & attributes for the chattr command.

SYNTAX & COMMAND FOR CHATTR

chattr - change file attributes on a Linux second extended file system
SYNOPSIS
chattr [ -RV ] [ -v version ] [ mode ] files...
DESCRIPTION
chattr changes the file attributes on a Linux second extended file system.

OPTIONS

-R
Recursively change attributes of directories and their contents. Symbolic links encountered during recursive directory traversals are ignored.
-V
Be verbose with chattr's output and print the program version.
-v version
Set the file's version/generation number.

Opcodes
+
Add attribute.
-
Remove attribute.
=
Assign attributes (removing unspecified attributes).

ATTRIBUTES

1) A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

2) A file with the `j' attribute has all of its data written to the ext3 journal before being written to the file itself, if the filesystem is mounted with the "data=ordered" or "data=writeback" options. When the filesystem is mounted with the "data=journalled" option all file data is already journalled and this attribute has no effect. Only the superuser or a process possessing the CAP_SYS_RESOURCE capability can set or clear this attribute.

3) When a file with the `s' attribute set is deleted, its blocks are zeroed and written back to the disk.

4) When a file with the `S' attribute set is modified, the changes are written synchronously on the disk; this is equivalent to the `sync' mount option applied to a subset of the files.

5) When a file with the `u' attribute set is deleted, its contents are saved. This allows the user to ask for its undeletion.

6) A file with the `a' attribute set can only be opened in append mode for writing. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

7) A file with the `c' attribute set is automatically compressed on the disk by the kernel. A read from this file returns uncompressed data. A write to this file compresses data before storing it on the disk.

8) When a directory with the `D' attribute set is modified, the changes are written synchronously on the disk; this is equivalent to the `dirsync' mount option applied to a subset of the files.

9) A file with the `d' attribute set is not a candidate for backup when the "dump" program is run.
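The troubleshooting step from the story above (a file that root cannot edit because of the `i' or `a' attribute), as an added example that is not part of the original post: it parses constructed lsattr output and reports each locked file with the chattr command that clears the attribute.

```shell
#!/bin/sh
# Constructed lsattr output. The first field is positional: one character
# per attribute, '-' when it is not set (so "----i--------" is immutable).
LSATTR_SAMPLE='----i-------- /etc/passwd
-----a------- /var/log/secure
------------- /etc/shadow
-------A----- /etc/hosts'

# attr_set FLAGS LETTER: succeed when attribute LETTER is set in FLAGS
# (letters are case-sensitive: 'A' is no-atime, not append-only 'a').
attr_set() {
    case $1 in
        *"$2"*) return 0 ;;
    esac
    return 1
}

# locked_files LSATTR_OUTPUT: for every entry that ordinary writes fail on
# even as root, print "<path> <attribute> <chattr command that clears it>".
# Immutable blocks all changes; append-only still allows appends, which is
# why it shows up on log files rather than on /etc/passwd.
locked_files() {
    printf '%s\n' "$1" | while read -r flags path; do
        [ -n "$path" ] || continue
        if attr_set "$flags" i; then
            printf '%s immutable chattr -i %s\n' "$path" "$path"
        elif attr_set "$flags" a; then
            printf '%s append-only chattr -a %s\n' "$path" "$path"
        fi
    done
}

# audit_dir DIR: run the real lsattr over DIR and report the locked files
# (needs an ext2/3/4 filesystem; the offline sample above is used otherwise).
audit_dir() {
    locked_files "$(lsattr -- "$1"/* 2>/dev/null)"
}
```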

GRUB 2 Features

GRUB 2 is the default boot loader for Ubuntu and many other operating systems now. GRUB 2 introduces many welcome changes. GRUB 2 is almost a complete rewrite of the GRUB interface. GRUB 2 is more modular and portable than its earlier version. It supports dynamic loading of modules. If we talk about looks, GRUB 2 is going to include theme support. If you are working on the latest releases of Ubuntu you may become a little confused, because GRUB 2 works differently from GRUB 0.9 (the old GRUB version).
How does GRUB 2 work?
The GRUB 2 layout is totally different. GRUB 2 places its core files in three locations: /boot/grub/grub.cfg, /etc/grub.d and /etc/default/grub. You may need to edit /etc/default/grub, which contains customization, and/or the /etc/grub.d/ files, which contain menu information and booting scripts. You shouldn't edit the grub.cfg file directly; when the update-grub command is run, it reads the contents of the grub file and the grub.d scripts and creates the grub.cfg file.

Connection tracking in Linux

Connection tracking is done to know the state of a specific connection. A firewall that understands connection tracking and allows you to implement rules on that basis is known as a stateful firewall. Iptables can also implement rules on tracked connections, known as states, through the state match.
Connection tracking is done by a special framework in the kernel known as conntrack. conntrack can be built into the kernel or can be loaded as a module.
Suppose you are on a Linux machine and want to list the packets tracked by conntrack; use the following command
root# more /proc/net/ip_conntrack
.............
...............
All connection tracking is handled in the PREROUTING chain, except for locally generated packets, which are handled in the OUTPUT chain.
Suppose you send the initial packet in a stream: it comes in the OUTPUT chain as NEW, and once you receive the acknowledgment of that it becomes state ESTABLISHED in the PREROUTING chain.
One important thing one should keep in mind is that /proc/sys/net/ipv4/ip_conntrack_max determines how many packets will be kept by conntrack.
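An added example (not from the original post) of reading the /proc/net/ip_conntrack listing mentioned above: it summarises entries by state, lists destination ports of entries that never received a reply, and reports how full the table is against ip_conntrack_max. The table below is constructed in the same layout the kernel prints.

```shell
#!/bin/sh
# Constructed sample in the /proc/net/ip_conntrack layout: protocol, protocol
# number, timeout, TCP state, then the original and reply tuples.
CONNTRACK_SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.1 sport=40112 dport=22 src=192.168.1.1 dst=192.168.1.5 sport=22 dport=40112 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.1 dst=203.0.113.7 sport=51200 dport=80 [UNREPLIED] src=203.0.113.7 dst=192.168.1.1 sport=80 dport=51200 use=1
tcp      6 9 TIME_WAIT src=192.168.1.5 dst=192.168.1.1 sport=40110 dport=22 src=192.168.1.1 dst=192.168.1.5 sport=22 dport=40110 [ASSURED] use=1
udp      17 29 src=192.168.1.1 dst=192.168.1.254 sport=33000 dport=53 src=192.168.1.254 dst=192.168.1.1 sport=53 dport=33000 use=1'

# state_counts TABLE: print "STATE COUNT" per TCP state, sorted; non-TCP
# entries carry no state and are counted under their protocol name.
# Pass "$(cat /proc/net/ip_conntrack)" as TABLE for live data.
state_counts() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" { n[$4]++ }
        $1 != "tcp" { n[$1]++ }
        END { for (s in n) print s, n[s] }' | sort
}

# unreplied_dports TABLE: destination ports of entries still marked
# [UNREPLIED], i.e. the first packet was seen but no answer came back. A
# pile of these usually means a rule upstream is dropping the replies.
unreplied_dports() {
    printf '%s\n' "$1" | awk '/\[UNREPLIED\]/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dport=/) { sub("dport=", "", $i); print $i; break }
    }'
}

# table_usage TABLE MAX: percentage of the conntrack table in use, where MAX
# is the value read from /proc/sys/net/ipv4/ip_conntrack_max. When it hits
# 100 the kernel starts dropping new connections ("table full").
table_usage() {
    entries=$(printf '%s\n' "$1" | grep -c .)
    echo $(( entries * 100 / $2 ))
}
```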

REJECT vs DROP

As we know, a firewall generally gives three options to deal with a packet
ACCEPT - Let the traffic move
DROP - Remove the packet and generate no error
REJECT - Remove the packet and return an ICMP "Communication administratively prohibited" (ICMP type 3, code 13) error packet

If we DROP a packet in a rule, that means we remove the packet from the wire without informing the sender about this; in the case of REJECT we inform the sender.
Most firewalls are configured to DROP unwanted packets; the arguments in favour of this are the following
* This helps to stealth the firewall; the logic is that since the firewall returns no data, an attacker can't determine who has a firewall. This logic does not seem legitimate; the reason is that an attacker can be sure about the firewall if it finds no data in return. For example the TCP ACK scan in nmap: this scan is used to test whether a port is filtered by a firewall or not. The ACK test looks for an RST packet after sending an ACK packet; if no packet is received, that means the port is filtered.
* The other argument is that using DROP helps in generating less traffic. This sounds good, but the fact is far from that, because TCP tries hard to be reliable, so if the first probe is quietly dropped the source tries with more packets before concluding anything.
So my conclusion is that REJECT may be a better option than DROP in many situations.

Opportunistic Locking in Samba

Samba supports the DOS and Windows standard locking concept as its most primitive locks, also known as deny mode locks, although we can switch off this lock using the 'share modes = no' parameter in smb.conf.
Samba also supports a locking mechanism known as Opportunistic Locking, or oplocks in short. Oplocks allow a client to notify the Samba server that it will not only be the exclusive writer of a file, but will also cache its changes so that access to network files gets sped up. Oplocks improve performance. Suppose machine A is editing a file and machine B tries to access it at the same time; in this case Samba sends an oplock break to client A, and client A stops caching and updates with the current state.
We can disable oplocks using the following parameter in smb.conf
oplocks = no
We can also exclude files with some extensions from oplocks using
veto oplock files = /*.idd/*.doc

Create a chat server using nc.

Sometimes we need to chat temporarily between two hosts. A chat server can be created using the nc command. For example, you are on machine A (192.168.1.1) and issue the following command
root# nc -l 3333
That command will open TCP port 3333 on machine A.

Now from machine B type the following command to connect to port 3333 on machine A
root# nc 192.168.1.1 3333
Now exchange messages by typing at the prompt.

FDISK vs CFDISK vs SFDISK

As we know, fdisk, sfdisk and cfdisk are all disk manipulation commands.
cfdisk is almost the same as fdisk but has a graphical-style interface, because it uses ncurses. If someone is not a system admin he should prefer cfdisk over fdisk.
According to the fdisk man page:

sfdisk is for hackers only - the user interface is terrible, but it is more correct than fdisk and more powerful than both fdisk and cfdisk. Moreover, it can be used noninteractively.

You can notice the real difference only after trying your hands at these tools. But surely sfdisk has some advantages over the others. Try sfdisk in the following ways to get some idea
root# sfdisk -s
root# sfdisk -l /dev/sda
root# sfdisk /dev/hdc -O hdd-partition-sectors.save

Sendmail vs Postfix vs Qmail vs Exim

We have a choice of MTA in Linux. We can use sendmail, postfix, qmail or exim. The selection of MTA depends on many factors, such as the following

* a good security record
* performance on high load
* flexible and easy to understand configuration files
* interacts with databases in many formats
* can speak many of the SMTP variants in use
* quality third-party documentation is available
* there are significant user communities

Let us start with qmail (http://www.qmail.org/)
Security: Good record
Performance: Excellent
Out since: 1996
Books are available for configuration. Not very simple to configure, because it simply redesigns the unix mail system concept. But the most important point is that this software is not maintained and, moreover, qmail is not a purely open source solution.

Postfix (http://www.postfix.org/) is like qmail, but its interface is unix-like, so it is easy to configure. Postfix sits between qmail and exim. Postfix is less versatile than Exim, and this is largely due to its foremost design criterion being security. Personally, I love postfix.
Security: Good record.
Performance: Excellent
Out since: 1997
Community: Medium-sized
Now sendmail (http://www.sendmail.org/). Sendmail has been accused of many security loopholes in the past. Now it is a bit improved. Sendmail is shipped as the default MTA in many Linux distros. It is easy to configure and suitable in environments where security is not the top priority. Sendmail is the most well-known MTA.
Security: Not good, but still better than past versions
Out since: 1982
Performance: OK for many
Community: Large
Exim (http://www.exim.org/) is not very secure. Exim has its own filter language and is very well documented.
Out since: 1995
Security: Quite good
Performance: Very good
Community: Large

A to Z guide to Google+

A – Another Social Networking site – Or should I say, another social networking site from Google. *phew* After Google Wave failed to create any waves and everyone asked Google Buzz to buzz off, this is Google’s third attempt at taking Facebook head on (not considering Orkut as it was developed before Facebook became famous).

B – Businesses (separate acc. Strategy) – Google doesn’t want any company, business or product to have an account on Google+. Not right now, at least. They’re completely clear with their strategy and currently, all the accounts are only for Homo sapiens. Google+ has a separate strategy for businesses and they’re right now busy refining the last bits. In Product Manager, Christian Olsten’s words, “We have been watching Google+ take shape over the last week and we’ve seen some really great companies get involved. But frankly we know our product as it stands is not optimally suited to their needs. In fact, it was kind of an awkward moment for us when we asked Ford for his (or was it her?) gender!”

C – Circles – Google+ lets you add all your friends in different circles hence you can safely post that NSFW video and share it with your College Circle without worrying that your aunt from Amritsar will see it. You can also tell all your friends that you’re chilling in Goa while keeping your boss who’s in the Do-not-share-anything-with-Boss Circle, under the impression that you’re down with viral. Here are some other circles you can possibly use to categorise your friends. Facebook friends circle, Twitter friends circle, Real life friends circle, Colleagues-to-be-included-in-conversation-while-ranting-about-office circle, Family-members-you-can’t-tell-you-like-DK-Bose-song circle.

D – Direct Messages – One of the most unique features of G+ is how you Direct Message or Inbox someone. Technically speaking, there is no ‘Inbox’ feature. You never go into that shell where you feel safe, secure and private enough to make personal conversations, like on Facebook, Twitter & Orkut. Everything stays on the Timeline. The only difference is, you share the post only with that particular person(s) instead of sharing it with ‘Public’ or a circle. It can be classified as a Direct Message in a way, but it will take some time and plenty of near-misses to get used to it, as that security of conversing in a private folder cocoon is out of the window.


E – Equinox – Here, equinox can be referred to as that site which has found a balance between Facebook & Twitter and have engineered their way in combining best (functionalities) of both world, which in a parallel universe caters to the entire spectrum of users.

F – Following/followers – “People in your circles / People who’ve you in their circles” sounds more like “People you’re following / People who’re following you”. Google+’s friend list resembles Twitter more than Facebook.

G – Gtalk – Users have faced awkward situations where they’re being pinged on the Gtalk by people they’ve never added in the first place. Turns out, when you mutually add each other on G+, they get automatically added to your Gtalk. Given the fact that Google already has Gtalk, you don’t really expect them to program a new chat server, do you? 

H – Hahaha gifs – They logged on, they uploaded and they left. Since the first day, G+ has been littered with gifs and jpgs of how G+ has kicked FB’s butt. It’s either a cheap marketing ploy by Google where they’ve asked their employees to circulate these images, or they’ve been created by anti-facebookers who’ve been waiting for someone to come up with something that can rival FB.

I – Invitation – This yawn-worthy marketing tactic has now officially earned ‘cliché’ status. Like every new website/product that wants you to think they’re going to let only a select few mere mortals have the honour of testing their new thingy, and to earn that once-in-a-lifetime opportunity you will be required to cry out loud on Twitter and Facebook a million times to gain a so-called ‘invitation’ which will catapult you to Megatron levels of stardom and change your life forever, even Google+ created the same noise, where people were ready to give up a limb to earn that coveted invitation to be one of the first people to have an account on Google+. Google+ created hype by giving out only a few thousand invitations in the first few days, which have now swelled to millions. In fact, Google did the same with Buzz and Wave. Grow up Google; instead of using such tactics, just make a great product, and the user base will take care of itself.

J – Just in time – G+ was launched on 28th June ‘11. Just 24 hours later, on 29th June, Myspace fell for just $35 million. MySpace was launched in 2003, a full year before Facebook, and it peaked in popularity in 2007 when it was valued at $12 billion. If symbolism is anything to go by, Google might just have launched G+ at a critical point in time. Just in time, as some would say.

K – Kleptomania – Maybe. Although, G+ has tried to stay away from the Facebook structure as much as possible and despite using terminologies as different from Facebook as possible, similarity to FB is pretty obvious. It's evident that G+ is nothing but a cross between Facebook and Twitter from features point of view.

L – Links – As of now, for an average user there is rarely anything to do on G+ apart from checking out tons of links that everyone is forwarding on G+. There are hardly any photos or any unique updates about friends which you haven’t read before on FB and/or twitter. It will take some time till the site gets populated and one can actually think of spending (read wasting) substantial amount of time on Google+.

M – Mute – All those people who’ve regretted congratulating a friend on his new relationship status after being bombarded with half a million notifications, will love this feature. In short, all of us. Mute allows us to mute notification about comments that people post on the same updates which we’ve commented on, hence, you will no longer feel shy to comment “RIP” on your friend’s “Getting married next week” update.

N – Nice, but not enough – Whether G+ will be able to overhaul Facebook can be answered in just 4 words: “(It's) Nice, but not enough.”

O – Omnipresent - Development of G+ has finally got Google, the omnipresent status. Google had every trick in the book, from Google Docs, Google Earth & Gmail to image sharing Flickr, video sharing YouTube & a blogging portal in Blogspot; a truly global social networking site was the only thing that was missing. With G+, it seems circle is complete. Although, some would argue that Google already had Orkut, but as mentioned, Google really wanted a GLOBAL social networking site and according to their Google Earth, the planet has 200+ countries and not just India & Brazil. Hence, G+.

P – Plus one – Plus One or +1 is equivalent to Facebook’s ‘Like’. But +1ing on Google+ won’t make it appear in your +1 section, so you needn’t worry that your family will come to know that you’ve +1ed Tara Reid’s Wardrobe Malfunction video unless you +1 it anywhere on net.

Q – Quintessentially minimalistic – Like everything Google, G+ too followed Google’s classic design philosophy and kept the site to bare minimum. Let’s enjoy the neatness and spaciousness that the site offers, till Adwords fills up the empty space.

R – Reality Check – Google+ is the fastest growing website but still it’s far from catching up with Facebook’s 750+ million users. And Facebook is just one step away from Gmail once @facebook.com mail id starts working in its full fledged avatar.

S – Sparks – There are no fan pages on G+; instead they have something known as Sparks, which is essentially an RSS feed of things that interest you, which may range from “Aston Martin” to “Hot pics of Katrina Kaif”. Google seems to have employed some complex algorithm, which probably takes into consideration page hits/rank from a little-known search engine known as Google.com, to decide which news/links to throw up for your Sparks.

T – 25 Million users – Google+ has already crossed the 25 million user mark and is the fastest social networking website to reach this mark. Don’t get impressed by the fastest-social-networking-site-to-reach-25m-mark award yet. Given Google’s might and the fact that it only took a Gmail account to register for Google+, it’s no surprise that they’ve achieved that feat in only a month’s time. The so-called “by invitation only” was only a marketing gimmick.

U – Unlimited photos – 1 album = 1000 photos. Unlimited albums = Unlimited Photos. Woohoo!!!

V – Video Chatting – Video Chat or Hangout as they call it, has to be G+ ‘s “deal maker”. The fact that one can video chat with up to 10 people at the same time is for sure a big plus.

W – Why should I be on G+? – That’s the question you will be left asking yourself… So, what’s the point of G+? Well, let me ask you, what’s the point of any social networking site? Photos, connectivity, news, interaction, staying in touch, status updates…? It’s the same with Google+. It’s just a case of old wine in a new bottle. Facebook or Google+, or both. Whatever suits you.

X – Chromosome X – Google+ does seem to have that air of prejudice where it already considers itself better than anything else. But, despite everything, it seems, Google has finally found that Chromosome X lying in some corner of their Mountain View Office which can possibly make G+ capable of throwing a serious challenge at the reigning Heavy Weight Champion - Facebook.

Y – Young – G+ is still in its early days, almost an infant from a social networking point of view. Although initial signs may point to G+ being a prodigy, it’s premature to call it a “Legend Killer”. Give it some time, let the kid breathe and stop jumping to conclusions yet. Let time speak…!

Z – Zuckerberg Mark – Mark Zuckerberg has been added in circles by highest no. of people 429868* on G+. This figure is more than the combined strength of Google founders Larry Page (250487*) & Sergey Brin’s (171456*) followers. That’s like someone crashing in your birthday party and becoming the most popular guy in the house. It seems Mr. Zuckerberg, whose bio reads “I make things”, is keeping an eye on the competition. No harm in being a little cautious, right Mark?