RH299CourseNotesDay2

29th September 2016 at 5:19pm
RH299CourseNotes
  • yum history
    • yum history undo NUM
    • yum history redo NUM
    • yum provides "*/foocmd"

Network Filesystems

Workbook 2, chapter 7 (providing file-based storage), page 173

  • Protecting NFS Exports - page 181
    • Install the packages before you run authconfig; otherwise it silently configures the next-best alternative it can find, and rerunning authconfig after installing the right packages may not undo that.
    • yum install sssd authconfig-gtk krb5-workstation autofs
    • authconfig-gtk or authconfig-tui
    • Domain is example.com
    • Realm name is EXAMPLE.COM
    • KDC admin and server name is classroom.example.com
    • CA certificate is located on http://classroom.example.com/pub/example-ca.crt
    • LDAP user's home on NFS server classroom.example.com:/home/guests
    • LDAP user's name is ldapuserX where X is your station number
# /etc/auto.master
/home/guests /etc/auto.ldapguests

# /etc/auto.ldapguests
* -fstype=nfs,rw,async,hard,intr classroom.example.com:/home/guests/&
  • Performing a Multi-User SMB Mount - page 202
    • yum -y install cifs-utils
    • cifscreds add REMOTE_HOSTNAME - stores the credentials for that server in the session keyring; assumes the current local username unless -u USER is given
    • mount -o multiuser,sec=ntlmssp,username=MYUSERNAME //serverX/myshare /mnt/multiuser
  • Filesystem ACLs
    • getfacl, setfacl, chacl

Firewalld Direct Rules

Workbook 2, chapter 3 (network port security), page 71.

  • Direct rules are specified with the --direct argument and give more flexibility by writing the underlying iptables rules directly.
    • Direct rules are evaluated first, before any rules in any firewalld zone.
    • Direct rules behave the same as other rules with regards to the firewall-cmd --permanent argument.

Firewalld Rich Rules

  • Rich rules are similar to direct rules, specified with --add-rich-rule, but are applied to a specific firewalld zone (or to the default zone if no zone is given with the --zone=ZONE argument).
    • Rich rules behave the same as other rules with regards to the firewall-cmd --permanent argument.
  • firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family=ipv4 source address=172.25.N.10/32 service name=http log level=notice prefix="NEW HTTP " limit value="3/s" accept'

Firewalld Port Masquerading & Forwarding

The SNAT target needs an explicit IP address to rewrite onto all outgoing packets. The MASQUERADE target takes an interface instead and uses whatever address that interface currently has, so it suits interfaces with dynamic addresses. The trade-off is in connection tracking: SNAT entries survive the interface going down and coming back up, whereas masqueraded connections are forgotten when the interface goes down.

  • firewall-cmd --permanent --zone=ZONE --add-masquerade - Masquerades any packets reaching the firewall from the sources of that zone (both interfaces and subnets) that are not addressed to the firewall host itself.
    • Using --add-rich-rule gives more control over which client source addresses are masqueraded: firewall-cmd --permanent --zone=ZONE --add-rich-rule='rule family=ipv4 source address=192.168.0.0/24 masquerade'
  • firewall-cmd --permanent --zone=ZONE --add-forward-port="port=ORIGINAL_PORTNUMBER:proto=PROTO[:toport=NEWDEST_PORTNUMBER][:toaddr=NEWDEST_IP]"
    • Forwarding to another host (toaddr=) is DNAT: the replies from that host only come back through the firewall if masquerading is enabled on the zone, so enable it first.
    • Forwarding may also use --add-rich-rule like so: firewall-cmd --permanent --zone=ZONE --add-rich-rule='rule family=ipv4 source address=192.168.0.0/26 forward-port port=80 protocol=tcp to-port=8080'
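Added example (not from the course material): a small shell helper that assembles the firewall-cmd sequence for a port forward, validates the port, protocol and address first, and adds --add-masquerade on the zone whenever the forward targets another host (toaddr=). The zone name dmz and the address 192.168.0.10 in the demo are assumptions; the commands are printed rather than executed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the RH299 notes. Builds the firewall-cmd calls
# for a port forward after validating the spec. A forward with toaddr= is
# DNAT to another host; that host's replies only come back through this
# firewall when masquerading is on for the zone, so it is enabled too.
# Nothing is executed: pipe the output into sh on a real host.

valid_port() { case $1 in ''|*[!0-9]*) return 1 ;; esac; [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

valid_ipv4() {
    # four dotted-decimal octets, each 0-255
    echo "$1" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# forward_port_cmds ZONE PORT PROTO TOPORT [TOADDR]
# Prints the permanent rule(s), a reload and a query to confirm the result.
# Returns 2 without printing anything on invalid input.
forward_port_cmds() {
    zone=$1 port=$2 proto=$3 toport=$4 toaddr=$5
    case $proto in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 2 ;; esac
    valid_port "$port" && valid_port "$toport" || { echo "bad port: $port/$toport" >&2; return 2; }
    spec="port=$port:proto=$proto:toport=$toport"
    if [ -n "$toaddr" ]; then
        valid_ipv4 "$toaddr" || { echo "bad address: $toaddr" >&2; return 2; }
        spec="$spec:toaddr=$toaddr"
        echo "firewall-cmd --permanent --zone=$zone --add-masquerade"
    fi
    echo "firewall-cmd --permanent --zone=$zone --add-forward-port=$spec"
    echo "firewall-cmd --reload"
    echo "firewall-cmd --zone=$zone --query-forward-port=$spec"
}

# Demo with assumed values: local redirect, then a forward to an internal host.
forward_port_cmds dmz 80 tcp 8080
forward_port_cmds dmz 80 tcp 8080 192.168.0.10
```

The query at the end is the check worth keeping: --permanent rules are not live until --reload, so querying the runtime configuration confirms the forward actually took effect.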

SELinux

Workbook 2, chapter 3 (network port security), page 81.

  • Configure via the GUI system-config-selinux (from the policycoreutils-gui package).
  • Check, disable and enable temporarily: getenforce, setenforce 0 and setenforce 1.
  • Permanent state configuration in /etc/selinux/config or /etc/sysconfig/selinux.
  • See SELinux status with sestatus command.
  • semanage fcontext -l - List file context definitions
  • semanage port -l - List port context definitions
  • Find SELinux violations (AVC denials) in /var/log/audit/audit.log; with setroubleshootd running, readable summaries also land in /var/log/messages.
  • Example to add a port to an SELinux type/label: semanage port -a -t http_port_t -p tcp 8089 (use -m instead of -a if the port is already defined under another type).
  • Man pages: semanage(8), semanage-port(8), system-config-selinux(8).
  • yum -y install selinux-policy-devel for the per-service man pages (e.g. httpd_selinux(8)) that document the port and file type/label definitions.
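Added example (not from the course material): a shell helper that picks the right semanage verb for a port. semanage port -a fails with "already defined" when the exact port is already listed under another type (then -m is needed), while a port that merely falls inside a range such as unreserved_port_t 1024-32767 can still be added with -a. The port table is constructed sample output in the format of semanage port -l so the script runs offline; on a real host substitute "$(semanage port -l)".

```shell
#!/bin/sh
# Added example, not part of the RH299 notes. Decides between
#   semanage port -a  (no single-port entry for PORT/PROTO yet)
#   semanage port -m  (PORT/PROTO already listed under another type)
#   noop              (PORT/PROTO already carries the requested type)
# Only single-port entries count: range entries such as unreserved_port_t
# 1024-32767 do not cause the "already defined" error.
# SAMPLE_PORT_LIST is constructed sample data in `semanage port -l` format.

SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767'

# port_owner PROTO PORT: print the type that lists PORT/PROTO as a single
# (non-range) entry, or nothing if there is no such entry.
port_owner() {
    printf '%s\n' "$SAMPLE_PORT_LIST" | awk -v proto="$1" -v port="$2" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (v !~ /-/ && v + 0 == port + 0) { print $1; exit }
            }
        }'
}

# semanage_port_cmd TYPE PROTO PORT: print the command to run, or "noop".
# Returns 2 without printing on invalid input.
semanage_port_cmd() {
    type=$1; proto=$2; port=$3
    case $proto in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 2 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }
    owner=$(port_owner "$proto" "$port")
    if [ -z "$owner" ]; then
        echo "semanage port -a -t $type -p $proto $port"
    elif [ "$owner" = "$type" ]; then
        echo "noop"
    else
        echo "semanage port -m -t $type -p $proto $port"
    fi
}

# Demo: the course example (8089 for httpd), a port owned by another type,
# and a port httpd already has.
semanage_port_cmd http_port_t tcp 8089
semanage_port_cmd http_port_t tcp 8080
semanage_port_cmd http_port_t tcp 443
```

Note that -m re-labels the port for every service, so before moving a port like 8080 away from http_cache_port_t check that nothing on the host still relies on the old type.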

Workbook 1, chapter 5 (SELinux permissions), page 111.

  • An SELinux context has 4 parts: user:role:type:level, where the level is the MLS/MCS sensitivity (s0 below) with optional categories.
[root@cp1 ~]# ls -Z anaconda-ks.cfg
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
  • getsebool -a and setsebool
    • setsebool BOOLEAN on
    • setsebool -P BOOLEAN on - persist change through reboots
    • semanage boolean -l
  • chcon and restorecon
  • semanage fcontext -a -t admin_home_t '/common(/.*)?' - sets the default type context for /common and all files and sub-directories to admin_home_t; this only records the rule, so run restorecon -Rv /common afterwards to relabel existing files.
  • runcon will run a process under a specific context.

MariaDB

Workbook 2, page 226.

  • yum groupinstall mariadb mariadb-client
  • mysql_secure_installation - sets the root password and removes the anonymous accounts and the test database.
  • echo -e "[mysqld]\nskip-networking=1\n" > /etc/my.cnf.d/skip-networking.cnf - disables the TCP listener so only local clients on the Unix socket can connect.
  • help create user, help grant ...
  • flush privileges;
  • flush tables with read lock; unlock tables;