This document attempts to provide answers to all study points on the RHCE and RHCT Exam Preparation Guide in a single-page (and thus, printable) format. This is not a “brain dump” or an attempt to cheat the RH302 exam in any way. These are just my self-study notes. Use them at your own risk.
Note: Study points last updated on 2009-08-11. This list may become out of date without notice (especially after I pass the test).
updated by Dino Conti on 2010-06-25
Table of Contents
RHCE "Cheat Sheet"
Testing Environment with Sun VirtualBox
Prerequisite skills for RHCT and RHCE
  use standard command line tools (e.g., ls, cp, mv, rm, tail, cat, etc.) to create, remove, view, and investigate files and directories
  use grep, sed, and awk to process text streams and files
  use a terminal-based text editor, such as vim or nano, to modify text files
  use input/output redirection
  understand basic principles of TCP/IP networking, including IP addresses, netmasks, and gateways for IPv4 and IPv6
  use su to switch user accounts
  use passwd to set passwords
  use tar, gzip, and bzip2
  configure an email client on Red Hat Enterprise Linux
  use text and/or graphical browser to access HTTP/HTTPS URLs
  use lftp to access FTP URLs
  HELP in RHEL5
RHCT skills
  Troubleshooting and System Maintenance
    boot systems into different run levels for troubleshooting and system maintenance
    diagnose and correct misconfigured networking
    diagnose and correct hostname resolution problems
    configure the X Window System and a desktop environment
    add new partitions, filesystems, and swap to existing systems
      partitions
      filesystems
      swap
    use standard command-line tools to analyze problems and configure system
  Installation and Configuration
    perform network OS installation
    implement a custom partitioning scheme
    configure printing
    configure the scheduling of tasks using cron and at
      cron
      at/batch
    attach system to a network directory service, such as NIS or LDAP
    configure autofs
    add and manage users, groups, quotas, and File Access Control Lists
      users
      groups
      quotas
      Access Control Lists
    configure filesystem permissions for collaboration
    install and update packages using rpm
    properly update the kernel package
    configure the system to update/install packages from remote repositories using yum or pup
      create yum repository from installation DVD
    modify the system bootloader
    implement software RAID at install-time and run-time
    use /proc/sys and sysctl to modify and set kernel run-time parameters
    use scripting to automate system maintenance tasks
    configure NTP for time synchronization with a higher-stratum server
RHCE skills
  Troubleshooting and System Maintenance
    use the rescue environment provided by first installation CD
    diagnose and correct boot failures arising from bootloader, module, and filesystem errors
      grub errors
      kernel errors
    diagnose and correct problems with network services (see Installation and Configuration below for a list of these services)
    add, remove, and resize logical volumes
    diagnose and correct networking services problems where SELinux contexts are interfering with proper operation
  Installation and Configuration
    HTTP/HTTPS
      install
      selinux
      start at boot
      basic config
      host-based security
      user-based security
      verify service functionality
    SMB
      install
      selinux
      start at boot
      basic config
      host-based security
      user-based security
      verify service functionality
    NFS
      install
      start at boot
      basic config
      host-based security
      user-based security
      verify service functionality
    FTP
      install
      selinux
      start at boot
      basic config
      host-based security
      user-based security
      verify service functionality
    Web proxy
      install
      selinux
      start at boot
      host-based security
      parental control with blocklist
      user-based security
      verify service functionality
    SMTP
      to enable masquerading in sendmail
      install
      start at boot
      basic config
      host-based security
      user-based security
      verify service functionality
    IMAP, IMAPS, and POP3
      install
      start at boot
      basic config
      create custom ssl cert
      host-based security
      user-based security
      verify service functionality
    SSH
      install
      start at boot
      Generate Public / Private key pair
      user-based security
      host-based security
      verify service functionality
    DNS (caching name server, slave name server)
      install
      start at boot
      basic config
      host-based security
      user-based security
      verify service functionality
    NTP
      install
      start at boot
      host-based security
      user-based security
      verify service functionality
    configure hands-free installation using Kickstart
    implement logical volumes at install-time
    use iptables to implement packet filtering and/or NAT
      packet filtering
      NAT
      setup for router to internet
    use PAM to implement user-level restrictions
      module documentation
      module configuration
      pam_listfile.so example
Additional Notes
  tcp_wrappers
  Troubleshooting
    unable to log in
Prerequisite skills for RHCT and RHCE
use standard command line tools (e.g., ls, cp, mv, rm, tail, cat, etc.) to create, remove, view, and investigate files and directories
use grep, sed, and awk to process text streams and files
use a terminal-based text editor, such as vim or nano, to modify text files
use tar, gzip, and bzip2
# compress (tar/gzip)
tar cvzf <file>.tgz <directory>
# extract (tar/gzip)
tar xvzf <file>.tgz
# compress (tar/bzip)
tar cvjf <file>.tbz <directory>
# extract (tar/bzip)
tar xvjf <file>.tbz
HELP in RHEL5
man <command>
command --info
RHCT skills
Troubleshooting and System Maintenance
RHCTs should be able to:
boot systems into different run levels for troubleshooting and system maintenance
append the desired runlevel to grub's kernel line:
• 1-5 runs appropriate rc and init scripts
• single only runs rc.sysinit
• emergency skips all rc and init scripts
configure the X Window System and a desktop environment
X environment config:
• /etc/sysconfig/desktop
• /etc/X11/xinit/xinitrc
• /etc/X11/xinit/Xclients
• ~/.xinitrc
• ~/.Xclients
redhat display config tool:
system-config-display [--reconfig]
partitions
manage partitions:
fdisk <device>
n new partition
m menu
p print partition table
t toggle partition type
d delete partition
w write changes to disk
q quit
filesystems
make filesystems:
mkfs.<ext2|ext3> <partition>
mkfs -t ext3 /dev/sda5
label filesystems:
e2label <partition> <label>
# list UUIDs and labels of partitions
blkid
manage filesystem settings:
tune2fs <partition>
dumpe2fs <partition>
# mount a user-created filesystem with ACL support
mkdir /test
mount -o acl /dev/sda5 /test
# remount the root filesystem read-write
mount -o remount,rw /
swap
note that it's possible to create a swap file instead of a partition:
dd if=/dev/zero of=<file> bs=1024 count=<size>
# then format and activate it
mkswap <file>
swapon <file>
configure printing
printing support is provided by cups:
service cups start
chkconfig cups on
redhat printer config tool: system-config-printer
cron
make sure vixie cron is installed and running:
yum install vixie-cron
service crond start
chkconfig crond on
crontab format:
<minute> <hour> <day of month> <month> <day of week> <command>
# e.g. run every day at 13:24
24 13 * * * /home/user/script
at/batch
make sure at is installed and running:
yum install at
service atd start
chkconfig atd on
# queue a job to run when system load permits
batch
at> <command>
# list jobs
atq
# remove jobs
atrm <job>
configure autofs
make sure the autofs service is running:
service autofs start
chkconfig autofs on
create /etc/auto.test:
# <key> <server>:<path>
blah example.com:/pub/something
# wildcard entry: & expands to the key that was accessed
* example:/home/&
# redhat defaults (from /etc/auto.master)
ls /net/<hostname>
ls /misc/cd
add and manage users, groups, quotas, and File Access Control Lists
redhat user/group config tool: system-config-users
users
/etc/passwd file format:
username:password:uid:gid:gecos:homedir:shell
# manage password aging
chage <user>
# set password to expire in 30 days
chage -M 30 <user>
userdel <user>
# check /etc/passwd and /etc/shadow for consistency
pwck
groups
/etc/group file format:
groupname:password:gid:members
quotas
install quota package :
yum install quota
enable/disable quotas
quotaon <device>
quotaoff <device>
edit quotas
edquota -u <user>
edquota -g <group>
check/report quotas
quota <user>
repquota -aug
Access Control Lists
remount device with ACL support:
mount -o remount,acl <mount point>
manage acls:
# set acls (the d: prefix sets a default acl on a directory, inherited by new files)
setfacl -m [d:]u:<user>:<r|w|x|-> <file>
setfacl -m [d:]g:<group>:<r|w|x|-> <file>
# get acls
getfacl <file>
# remove acls
setfacl -x u:<user> <file>
setfacl -x g:<group> <file>
setfacl --remove-all <file>
setfacl --remove-default <file>
install and update packages using rpm
# freshen (upgrade only packages that are already installed)
rpm -Fvh <package>.rpm
# remove
rpm -e <package>
# verify the package that owns a file
rpm -Vf <full path of file>
while inside the rescue environment, use the --root option to specify the real location of your root file system (e.g. --root=/mnt/sysimage).
configure the system to update/install packages from remote repositories using yum or pup
yum config goes in /etc/yum.repos.d/
[id]
name=my repo
baseurl=http://example.com/centos/
enabled=1
create yum repository from installation DVD:
[rhel-cd]
name=Red Hat Enterprise Linux $releasever - $basearch - Debug
baseurl=file:/mnt/cdrom/Server/
#baseurl=file:///media/RHEL_5.4\ i386\ DVD/Server/
enabled=1
# gpgcheck=0 skips package signature verification; set gpgcheck=1 and uncomment gpgkey to verify packages
gpgcheck=0
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
implement software RAID at install-time and run-time
stop array:
mdadm --stop /dev/md0
# check array status
cat /proc/mdstat
use /proc/sys and sysctl to modify and set kernel run-time parameters
config is in /etc/sysctl.conf
# search through parameters
sysctl -a | grep <whatever>
# apply changes from config file immediately
sysctl -p
configure NTP for time synchronization with a higher-stratum server
config is in /etc/ntp.conf
synchronization configuration example:
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
apply changes:
service ntpd restart
chkconfig ntpd on
verify changes:
ntpq -p
RHCE skills
Troubleshooting and System Maintenance
RHCEs must demonstrate the RHCT skills listed above, and should be able to:
diagnose and correct boot failures arising from bootloader, module, and filesystem errors
check in order:
1. mbr
2. /boot/grub/grub.conf
3. /etc/fstab
4. /etc/inittab
5. /etc/rc.d/rc.sysinit
6. /etc/rc.d/rc*.d
7. /etc/rc.d/init.d/*
8. /etc/rc.d/rc.local
grub errors
• in general, use the last line before the error message to see where grub errored out
• to find the correct value for the root option, type find /grub/stage1 at the grub command line (remember that all file names in grub.conf are relative to the root option)
• check for missing files in kernel and/or initrd lines
kernel errors
• missing/corrupt initrd file results in: kernel panic - not syncing: vfs: unable to mount root fs on unknown-block
• invalid root parameter for kernel results in: setuproot: error mounting /proc: No such file or directory
reinstall grub to mbr:
grub-install <device>
or
grub
grub> find /grub/stage1
grub> root (hd0,0)
grub> setup (hd0)
grub> quit
copy and paste this into /boot/grub/grub.conf (2 options: protect editing of GRUB during boot, or protect selection of kernel image, for testing)
recreate initrd:
mkinitrd <filename> <kernel version>
diagnose and correct problems with network services (see Installation and Configuration
below for a list of these services)
see what's listening on what port:
netstat -ntaupe
add, remove, and resize logical volumes
redhat lvm config tool:
yum install system-config-lvm
system-config-lvm
# list volume groups / physical volumes
lvm vgs
lvm pvs
# scan for volume groups, physical volumes and logical volumes
lvm vgscan
lvm pvscan
lvm lvscan
mkdir /mnt/sysimage
diagnose and correct networking services problems where SELinux contexts are interfering with proper operation
enable/disable selinux in /etc/sysconfig/selinux:
SELINUX=enforcing
SELINUXTYPE=targeted
install selinux troubleshooter:
yum install setroubleshoot
service setroubleshoot start
chkconfig setroubleshoot on
# manual
chcon -R -u <user> <file>
chcon -R -t <type> <file>
HTTP/HTTPS
install
yum install httpd mod_ssl httpd-manual
selinux
make new DocumentRoot match default DocumentRoot (this applies to any directory that apache will serve files from):
chcon -R --reference /var/www /www
start at boot
chkconfig httpd on
basic config
edit /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/dino.pem
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
host-based security
firewall config:
protocol ports
tcp 80, 443
hosts are allowed by default and must be explicitly denied:
<Directory /var/www/html>
Order deny,allow
Deny from 192.168.0.0/255.255.255.0
Deny from badguys.example.com
</Directory>
user-based security
create web password file:
htpasswd -c /etc/httpd/webusers testuser1
htpasswd /etc/httpd/webusers testuser2
SMB
install
yum install samba samba-client
selinux
allow samba to share home directories:
setsebool -P samba_enable_home_dirs=1
start at boot
chkconfig smb on
basic config
redhat samba config tool:
yum install system-config-samba
system-config-samba
set workgroup/domain:
workgroup = <workgroup>
security modes:
# connections check local pwdb (default)
security = user
# used when samba was not capable of being a domain member server (DO NOT USE)
security = server
encrypt passwords = yes
password server = <netbios name of dc>
share options:
[<share name>]
# path for share
path = <path>
# share is visible
browseable = <yes|no>
# rw enabled
writeable = <yes|no>
join domain:
net rpc join -U root
fstab example:
//<hostname>/<share> <mountpoint> cifs user=<username>,pass=<password> 0 0
(note: /etc/fstab is world-readable, so prefer credentials=<file> with a root-only file over pass= inline)
mount.cifs and umount.cifs need to be chmod'ed u+s in order to be used by non-root users
host-based security
firewall config:
protocol ports
tcp 139, 445
udp 137, 138
hosts allow/deny can be used per-server or per-share:
hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0
user-based security
account maintenance:
# add account (local linux account must exist first, or be translated via /etc/samba/smbusers):
smbpasswd -a <username>
# enable/disable account:
smbpasswd -e <username>
smbpasswd -d <username>
# remove account:
smbpasswd -x <username>
browse shares:
smbclient //<hostname>/<share> -U <username>
test allow/deny statements for a host:
testparm /etc/samba/smb.conf <hostname> <ip address>
NFS
install
yum install portmap nfs-utils
start at boot
chkconfig portmap on
chkconfig nfs on
chkconfig nfslock on
chkconfig netfs on
basic config
redhat config tool:
yum install system-config-nfs
system-config-nfs
format of /etc/exports:
<mountpoint> <host>(<options>) [<host>(<options>) ...]
host-based security
edit /etc/sysconfig/nfs and restart nfs to set static ports
firewall config:
# see ports
rpcinfo -p
user-based security
use standard file permissions
FTP
install
yum install vsftpd
selinux
allow local users to log in and cd into home directories:
setsebool -P ftp_home_dir=1
start at boot
chkconfig vsftpd on
basic config
host-based security
user-based security
Web proxy
install
yum install squid
selinux
allow squid to connect to the network (this is recommended, but was not needed in my testing):
setsebool -P squid_connect_any=1
start at boot
chkconfig squid on
host-based security
firewall config:
protocol ports
tcp 3128
Edit /etc/squid/squid.conf
visible_hostname www.quake.lan
user-based security
Install ncsa_auth
# add username to the password file (use -c to create the file the first time, as in the httpd section)
htpasswd /etc/squid/passwd <username>
Edit /etc/squid/squid.conf
SMTP
edit /etc/mail/sendmail.mc (prefixing the DAEMON_OPTIONS line with dnl comments it out, so sendmail listens on all interfaces instead of only 127.0.0.1):
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
LOCAL_DOMAIN(`example.com')dnl
build new sendmail.cf:
make -C /etc/mail
edit /etc/mail/access (allow relay from local LAN):
Connect:192.168.0 RELAY
edit /etc/mail/local-host-names (domains hosted on our server):
example.com
quake.lan
edit /etc/mail/virtualusertable (virtual user mappings):
cikku@test.lan admin@example.com
/etc/aliases (aliases to other accounts):
root: admin
tony: mark
to enable masquerading in sendmail
MASQUERADE_AS(`mydomain.com')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl
MASQUERADE_DOMAIN(mydomainalias.com)dnl
MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
install
yum install postfix
alternatives --config mta
service sendmail stop
start at boot
chkconfig postfix on
basic config
listen on public interfaces (inet_interfaces in /etc/postfix/main.cf):
inet_interfaces = all
user-based security
use smtp auth?
IMAP, IMAPS, and POP3
install
yum install dovecot
start at boot
chkconfig dovecot on
basic config
enable protocols:
protocols = imap imaps pop3 pop3s
create custom ssl cert:
# move the default self-signed certificate aside
mv /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem.orig
mv /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/private/dovecot.pem.orig
# generate a new self-signed cert/key pair with the Makefile in /etc/pki/tls/certs
cd /etc/pki/tls/certs/
make dovecot.pem
cp dovecot.pem /etc/pki/dovecot/certs/
cp dovecot.pem /etc/pki/dovecot/private/
host-based security
use iptables with the -s option (negated with !) to limit which source networks may connect
protocol ports
tcp 143, 110, 995, 993
# example rules for /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
user-based security
use pam_listfile in /etc/pam.d/dovecot
SSH
install
yum install openssh-server
start at boot
chkconfig sshd on
user-based security
allow/deny user access (in /etc/ssh/sshd_config):
AllowUsers user1 user2 user3@example.com
DenyUsers user4 user5 user6@example.com
host-based security
DNS (caching name server, slave name server)
install
yum install bind-chroot caching-nameserver system-config-bind
start at boot
chkconfig named on
system-config-bind
in the GUI:
• start editing DNS Server options: right click on DNS Server > Edit
• New > View > name: External, From ACL: any, To ACL: any
• once saved, all other settings are migrated into the View
• right click on DNS Server or View > Add Zone > Class: Internet, Origin Type: Forward, name: quake.lan, Zone Type: master
• go to quake.lan > right click > Add > A, MX, CNAME, PTR records
basic config
copy sample config:
cp -a /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.conf
caching-only nameserver:
• edit listen-on directives (comment out to listen on all interfaces)
• edit allow-query directives (comment out allow queries from everyone)
• edit match-clients and match-destinations directives to allow recursive queries from other hosts
slave nameserver:
• get slave example from /usr/share/doc/bind-*/sample/etc/named.conf
host-based security
firewall config:
protocol ports
tcp 53
udp 53
allow-query example:
allow-query { 192.168.0.0/16; localnets; };
user-based security
N/A
NTP
install
yum install ntp
start at boot
chkconfig ntpd on
host-based security
firewall config:
protocol ports
udp 123
allow other servers to sync with us:
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
user-based security
N/A
use iptables to implement packet filtering and/or NAT
packet filtering
packet filtering example:
-A <chain> -p <tcp/udp> -m <tcp/udp> [-s [!] <source address>] --dport <destination port> -j ACCEPT
NAT
enable ip forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
inbound dnat:
iptables -t nat -A PREROUTING -p <tcp/udp> --dport <destination port> -j DNAT --to-dest <private server>:<port>
outbound dnat:
iptables -t nat -A OUTPUT -p <tcp/udp> --dport <destination port> -j DNAT --to-dest <private server>:<port>
masquerading:
iptables -t nat -A POSTROUTING -o <outbound interface> -j MASQUERADE
snat:
iptables -t nat -A POSTROUTING -j SNAT --to-source <public server>:<port>
setup for router to internet
Setup RH Firewall with default settings using eth0 to Internet while eth1 to LAN.
vi /etc/sysctl.conf and set net.ipv4.ip_forward = 1
add following rules from CLI:
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.188.133:80
use PAM to implement user-level restrictions
module documentation
• /usr/share/doc/pam-*/txts
module configuration
• /etc/pam.d
• /etc/security
entry format:
<module interface> <control flag> <module name> <module arguments>
module interface   description
auth               user authentication (e.g. verifies password, sets group membership or kerberos tickets, etc.)
account            verifies that access is allowed (e.g. expired account?, check group membership, etc.)
password           handles password changes
session            manages user sessions (e.g. mount home dir, create mailbox, logging, etc.)
control flag   description
required       must pass; continue testing on failure
requisite      must pass; stop testing on failure
sufficient     failure is ignored, but if passing so far, return success at this point
optional       pass or failure is irrelevant
include        include another file
pam_listfile.so example
allow/deny users if listed in /etc/special (onerr=success means a missing or unreadable /etc/special does not block logins; use onerr=fail to fail closed):
auth required pam_listfile.so onerr=success item=user sense=<allow|deny> file=/etc/special
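As an added illustration of the control-flag table above (not part of the original notes), this POSIX shell function walks a constructed stack of (control flag, module result) pairs the way the table describes. Stacks made only of optional modules are not modelled, and the results are constructed test input rather than output from real PAM modules.

```shell
#!/bin/sh
# pam_stack_eval "<flag> <result>" ...   -> prints success|failure
# Each argument is a constructed (control flag, module result) pair such as
# "required ok" or "sufficient fail", listed in /etc/pam.d file order.
# Rules follow the control-flag table: required/requisite must pass,
# sufficient can end the stack early with success, optional is ignored.
pam_stack_eval() {
    failed=no                 # set once a 'required' module has failed
    for entry in "$@"; do
        flag=${entry%% *}     # text before the first space
        result=${entry##* }   # text after the last space
        case "$flag" in
            required)
                # must pass; on failure remember it but keep running the rest
                # of the stack (so a caller cannot tell which module failed)
                [ "$result" = ok ] || failed=yes
                ;;
            requisite)
                # must pass; on failure stop immediately
                [ "$result" = ok ] || { echo failure; return 1; }
                ;;
            sufficient)
                # success returns at once unless an earlier 'required' failed;
                # failure is ignored
                if [ "$result" = ok ] && [ "$failed" = no ]; then
                    echo success; return 0
                fi
                ;;
            optional)
                ;;            # pass or failure is irrelevant
            *)
                echo "unknown control flag: $flag" >&2; return 2
                ;;
        esac
    done
    if [ "$failed" = no ]; then echo success; return 0; fi
    echo failure; return 1
}

# Constructed stacks (exit status mirrors the printed result):
# a 'required' pam_listfile deny still lets the later modules run, but the
# final answer is failure
pam_stack_eval "required fail" "required ok" "sufficient ok" || :
# a 'sufficient' module passing early ends the stack with success
pam_stack_eval "sufficient ok" "required fail" || :
# a 'requisite' failure stops the stack at once
pam_stack_eval "requisite fail" "sufficient ok" || :
```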
Additional Notes
tcp_wrappers
file format:
<daemon list> : <client list> [except <client list>] [: <option>]
search order:
1. /etc/hosts.allow
2. /etc/hosts.deny
3. allow by default
searching stops on first match
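To make the search order above concrete, here is an added (not original) POSIX shell model of the tcp_wrappers decision: it checks hosts.allow, then hosts.deny, allows by default, and stops at the first match. It models only "daemon list : client list" rules with the ALL wildcard, exact names/addresses and dotted address prefixes; hostname patterns, EXCEPT clauses, netmask forms and the option field are assumed out of scope, and the two sample files are constructed.

```shell
#!/bin/sh
# tcpw_pattern_match <pattern> <value>: succeed if the pattern matches the value
tcpw_pattern_match() {
    pat=$1; val=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; esac ;;   # prefix, e.g. 192.168.2.
        *)   [ "$pat" = "$val" ] && return 0 ;;            # exact daemon name or address
    esac
    return 1
}

# tcpw_list_match "<item item ...>" <value>: succeed if any list item matches
tcpw_list_match() {
    for item in $1; do
        tcpw_pattern_match "$item" "$2" && return 0
    done
    return 1
}

# tcpw_file_match "<file contents>" <daemon> <client>: succeed if any rule
# in the file (one per line, '#' comments allowed) matches daemon and client
tcpw_file_match() {
    printf '%s\n' "$1" | (
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            daemons=${line%%:*}
            rest=${line#*:}
            clients=${rest%%:*}       # drop any trailing ": option" field
            if tcpw_list_match "$daemons" "$2" && tcpw_list_match "$clients" "$3"; then
                exit 0                # first match wins; leave the subshell
            fi
        done
        exit 1                        # no rule matched
    )
}

# tcpw_decide "<hosts.allow>" "<hosts.deny>" <daemon> <client>: prints allow|deny
tcpw_decide() {
    if tcpw_file_match "$1" "$3" "$4"; then
        echo allow
    elif tcpw_file_match "$2" "$3" "$4"; then
        echo deny
    else
        echo allow                    # matched neither file: allowed by default
    fi
}

# Constructed sample files (not from any real host): ssh only from the LAN and
# localhost, ftp from anywhere, everything else denied.
HOSTS_ALLOW='sshd : 192.168.2. 127.0.0.1
vsftpd : ALL'
HOSTS_DENY='ALL : ALL'

tcpw_decide "$HOSTS_ALLOW" "$HOSTS_DENY" sshd 192.168.2.15      # allow
tcpw_decide "$HOSTS_ALLOW" "$HOSTS_DENY" sshd 10.0.0.5          # deny
tcpw_decide "$HOSTS_ALLOW" "$HOSTS_DENY" in.telnetd 127.0.0.1   # deny
```

Without the ALL : ALL line in hosts.deny, the in.telnetd case falls through to the default and is allowed, which is why a catch-all deny is the usual last rule.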
Troubleshooting
unable to log in
• password wrong or expired?
• account locked?
• shell set to /sbin/nologin, /bin/false, etc.?
• root user and PermitRootLogin no in /etc/ssh/sshd_config?
• root user and terminal not listed in /etc/securetty?
• non-root user and /etc/nologin exists?
• check pam_listfile restrictions