Configuring SUSE Linux Enterprise

Course outline: Section 1 Introduction; Section 2 Overview of SUSE Linux Enterprise; Section 3 The Linux File System; Section 4 Work with the Command Line; Section 5 The VIM Editor; Section 6 Remote Administration; Section 7 System Initialization; Section 8 Process Management; Exam Preparation.

This extract covers Section 6 (Remote Administration) and Section 7 (System Initialization).
Section 6: Remote Administration

Topics in this section include:

- Understanding Remote Administration (SSH)
- Using the SSH Utilities
- Configuring SSH Servers
- Understanding Remote Administration (VNC)


Understanding Remote Administration with OpenSSH

In the Beginning Was Telnet...

- Telnet is wide open: no encryption and no modern security options
- All Telnet traffic, passwords included, was susceptible to sniffing
- SSH (Secure SHell) was the answer

OpenSSH Overview

- Developed as a secure replacement for Telnet
- Replaces telnet, rcp, rlogin, rsh, etc.
- Uses public/private key cryptography to authenticate the server (and optionally the user) and to agree a session key; the session itself is protected with symmetric encryption

OpenSSH Features

- Remote login
- Running a command on a remote host without an interactive shell
- Copying files to and between systems (scp, sftp)
- Secure, encrypted communication
- Easy to use
- Advanced features (port forwarding, agent forwarding, key-based authentication)


The SSH v2 Process Visually

1. The client initiates a connection via ssh to TCP port 22
2. The server replies with its host public key
3. The client checks the key against ~/.ssh/known_hosts; on a first connection it asks the user whether to trust the key and then stores it there
4. A Diffie-Hellman session key is agreed upon (the server signs the exchange with its host key, which is what proves the client is talking to the real server)
5. Client authentication is accomplished (password, public key, or another method)
6. A secure, encrypted session is established

Steps 2 to 4 form one key-exchange phase in the protocol; the only point at which a user decision is involved is the first-connection prompt in step 3, so that is where a man-in-the-middle has to be caught.


Using the SSH Utilities

SSH Client Utilities

ssh     Terminal utility replacing rsh and telnet
scp     Secure rcp replacement
sftp    Secure ftp replacement

Examples

$ ssh bonzo@remotehost
The authenticity of host '172.16.242.129' can't be established.
ECDSA key fingerprint is SHA256:BeUV1zQiGC6+bdUC34GlGCj3T9SFJS72++xO+IUW1Yw.
Are you sure you want to continue connecting (yes/no)?

<Answering yes stores the remote host's public key in the local user's ~/.ssh/known_hosts; later connections compare against that record and warn loudly if the key changes>

$ scp /home/ross/file1 zakkw@remotehost:~/dir1
<Copies a file from your host to the remote host, into /home/zakkw/dir1>

$ sftp marcom@remotehost
<Virtually identical to ftp in use, but carried over SSH on port 22>


Getting Keys from Hosts

ssh-keyscan    Manually retrieve a host's SSH public key(s)

Examples

- Normally the first time you connect via the SSH protocol, you are prompted to accept the key
- What if you just want to check that the remote key matches before you connect?

$ ssh-keyscan -t rsa remotehost
# 172.16.242.129:22 SSH-2.0-OpenSSH_7.6
172.16.242.129 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+F0/tXI9GcP2brsEpH8AEmnOY2gzLE3a8hAiye5fxEfW3pHSP38JfuZt0stR51jcY8MfopJ3VgisMQKHdXwiK4IRTm2kKg/i3Z/u+iyMxzs9y (key truncated on the slide)

<The keyscan returns the RSA key for the remote server, which you can then check against a known record, or >> redirect into the ~/.ssh/known_hosts file. ssh-keygen -lf on the saved line prints the SHA256 fingerprint in the same form the ssh prompt shows>

Cautionary Note:

- You may be tempted to keyscan all known hosts and add them automatically to your known_hosts file
- Doing so only records whatever answered on port 22 at that moment; if an attacker was in the path, you have just trusted the attacker's key, so a "Man-in-the-Middle" attack against later connections will succeed
- Better: record a server's key when it is installed (or obtain the fingerprint out of band) and check the current key against that known record, using scripting if you have many hosts
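The check the cautionary note calls for, as an added example (my code, not the course's or OpenSSH's): it computes the SHA256 fingerprint the ssh prompt shows from a base64 key blob, matches the host field of a known_hosts line including the hashed |1|salt|hash form, and compares what ssh-keyscan prints today with the record taken when the server was installed. The host name, key bytes, salt and lines are constructed here; to use it for real, feed it the output of ssh-keyscan and your archived known_hosts.

```python
"""Check the key a host presents now against the record made when it was
installed. Added example, not part of the course or of OpenSSH. The host
name, the 32-byte "public key", the salt and the known_hosts lines below are
constructed for illustration; only the file formats and hash constructions
are real."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data):
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(key_b64):
    """Fingerprint as ssh and ssh-keygen -l print it:
    'SHA256:' + unpadded base64 of the SHA-256 of the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(pattern, host):
    """Match a known_hosts host field: plain name, comma-separated list, or
    the hashed form |1|<b64 salt>|<b64 HMAC-SHA1(salt, host)> produced by
    HashKnownHosts / ssh-keygen -H."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))
    return host in pattern.split(",")


def parse_key_lines(text):
    """Yield (host, keytype, key_b64) from known_hosts or ssh-keyscan output,
    skipping blank lines and the '# host:22 SSH-2.0-...' comments keyscan adds."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            host, keytype, key_b64 = line.split()[:3]
            yield host, keytype, key_b64


def verify_host_key(keyscan_output, known_hosts, host):
    """Compare fingerprints per key type. Returns "match", "CHANGED" (same
    type, different key: treat as a man-in-the-middle until proven otherwise)
    or "unknown" (nothing recorded, or no key type in common)."""
    recorded = {t: fingerprint_sha256(k) for h, t, k in parse_key_lines(known_hosts)
                if host_matches(h, host)}
    presented = {t: fingerprint_sha256(k) for h, t, k in parse_key_lines(keyscan_output)
                 if host_matches(h, host)}
    common = set(recorded) & set(presented)
    if not common:
        return "unknown"
    return "match" if all(recorded[t] == presented[t] for t in common) else "CHANGED"


# --- constructed sample data (not a real host, key or salt) ---
HOST = "remotehost.example"
KEY_B64 = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
OTHER_B64 = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
_salt = b"\x01" * 20
HASHED_HOST = "|1|%s|%s" % (
    base64.b64encode(_salt).decode(),
    base64.b64encode(hmac.new(_salt, HOST.encode(), hashlib.sha1).digest()).decode())
KNOWN_HOSTS = f"{HASHED_HOST} ssh-ed25519 {KEY_B64}\n"            # record taken at install
KEYSCAN_OK = f"# {HOST}:22 SSH-2.0-OpenSSH_7.6\n{HOST} ssh-ed25519 {KEY_B64}\n"
KEYSCAN_MITM = f"{HOST} ssh-ed25519 {OTHER_B64}\n"                 # a different key answered

if __name__ == "__main__":
    print(fingerprint_sha256(KEY_B64))
    print("today:", verify_host_key(KEYSCAN_OK, KNOWN_HOSTS, HOST))
    print("after key swap:", verify_host_key(KEYSCAN_MITM, KNOWN_HOSTS, HOST))
```

A "CHANGED" result is exactly the condition the slide warns about: the same host name answering with a different key. Scripted scans should stop and page a human on it rather than overwrite the record.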


Generating Key Pairs

ssh-keygen    Generate key pairs

Example

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cloud_user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cloud_user/.ssh/id_rsa.
Your public key has been saved in /home/cloud_user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Ham0yxQSaAJdqj12pqRkhjTadsadfffC50B6oozIDBkEDNydH0k cloud_user@rossbrunson1c.mylabserver.com
The key's randomart image is:
<randomart image not reproduced here>

- The slide's comparison of RSA and DSA (RSA faster at verifying signatures, DSA faster at key generation and signing) is now moot: do not generate DSA keys. OpenSSH has refused ssh-dss keys by default since 7.0, and the OpenSSH_7.6 shown on the previous slide will not accept them without extra configuration
- Prefer ssh-keygen -t ed25519, or RSA with -b 3072 or larger, and always set a passphrase on a key used for administration


Configuring SSH

Configuring the SSH Client Environment

- Overall system configuration for ssh clients: /etc/ssh/ssh_config
- Local user configuration for the ssh client: ~/.ssh/config (read first; for each option the first value found wins, so put host-specific entries before general ones)

StrictHostKeyChecking Security Option

- This option sets how keys are added to the user's known_hosts file
- For secure environments it can lock users to known and approved hosts only

ask          Default: prompt before storing an unknown key; refuse to connect if a stored key has changed
accept-new   Automatically add keys for new hosts, but refuse to connect if a stored key has changed (OpenSSH 7.6 and later)
yes          Will only connect if the key is already present in known_hosts (most secure; keys must be pre-shared)
no           Stores new keys automatically and still connects, with a warning, when a key has changed (security risk: it accepts a man-in-the-middle)


Configuring the SSH Server Environment

- Overall system configuration for the sshd server: /etc/ssh/sshd_config

Important Configuration Options

Port          Specify the port sshd listens on (the option can be repeated to listen on several)
Protocol      Which protocol version to allow (v2 is the default; OpenSSH 7.4 removed SSH-1 from the server entirely, so on current versions this option is obsolete)
AllowUsers    Deny all BUT these users
DenyUsers     Allow all BUT these users (DenyUsers is evaluated before AllowUsers, so a user listed in both is denied)
UsePAM        Use the Pluggable Authentication Modules for account and session handling

- Note: remember to restart (or reload) the sshd service after changing the configuration file. Run sshd -t first to check the file for errors, then systemctl restart sshd, and keep your existing session open until you have confirmed that a fresh login works
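Putting the client and server options from these two slides together, an added example (not OpenSSH's or SUSE's code) that parses an sshd_config or ssh_config the way sshd does (first value wins, Port accumulates, parsing stops at the first Match block), applies DenyUsers before AllowUsers, and reports the settings a reviewer would flag. The weak and hardened configs and the user names in them are constructed; the recommended values are this example's, not the course's.

```python
"""Audit sshd_config / ssh_config text for the options these slides list.
Added example, not OpenSSH's or SUSE's code. The two server configs and the
client line used in the demo are constructed samples; the user names in them
are made up, and the flagged settings are this example's recommendations."""
import fnmatch
import re

LINE = re.compile(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)")


def parse_config(text):
    """Return {keyword.lower(): [values in file order]} for the global section.

    OpenSSH keeps the FIRST value it meets for single-valued keywords, while
    Port, AllowUsers and DenyUsers accumulate. Keywords are case-insensitive,
    written 'Key value' or 'Key=value'; '#' starts a comment. A Match line
    ends the global section, so parsing stops there."""
    opts = {}
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        opts.setdefault(key, []).append(value)
    return opts


def first(opts, key, default):
    """The value sshd actually applies: first occurrence, else the upstream default."""
    return opts.get(key, [default])[0]


def user_allowed(opts, user):
    """DenyUsers is evaluated before AllowUsers, in the order sshd documents.

    Patterns are shell globs; a pattern's optional '@host' part is ignored
    here because no client address is available offline."""
    def listed(key):
        return any(fnmatch.fnmatch(user, p.split("@")[0])
                   for p in " ".join(opts.get(key, [])).split())
    if listed("denyusers"):
        return False
    if "allowusers" in opts:
        return listed("allowusers")
    return True


def audit_sshd(text):
    """Findings for a server config; an empty list means nothing was flagged."""
    o, f = parse_config(text), []
    if first(o, "permitrootlogin", "prohibit-password").lower() == "yes":
        f.append("PermitRootLogin yes: root may log in with a password")
    if first(o, "passwordauthentication", "yes").lower() == "yes":
        f.append("PasswordAuthentication yes: keys are optional, online guessing works")
    if "1" in first(o, "protocol", "2").split(","):
        f.append("Protocol lists 1: SSH-1 was removed from sshd in OpenSSH 7.4")
    if not {"allowusers", "allowgroups"} & set(o):
        f.append("no AllowUsers/AllowGroups: every local account may attempt login")
    if first(o, "usepam", "no").lower() != "yes":
        f.append("UsePAM not yes: PAM account and session checks are skipped")
    return f


def audit_ssh_client(text):
    """Findings for /etc/ssh/ssh_config or ~/.ssh/config."""
    if first(parse_config(text), "stricthostkeychecking", "ask").lower() == "no":
        return ["StrictHostKeyChecking no: new AND changed host keys are accepted"]
    return []


# Constructed samples: the weak configuration beside its hardened form.
WEAK_SSHD = """
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

HARDENED_SSHD = """
Port 22
# a second listener: sshd accepts several Port lines
Port 2222
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
DenyUsers  guest  tmp*
AllowUsers ops  deploy@10.0.0.*
# a later duplicate is ignored: the first value wins
PermitRootLogin yes
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD), ("hardened", HARDENED_SSHD)):
        print(name, audit_sshd(cfg) or "no findings")
    o = parse_config(HARDENED_SSHD)
    print("ports:", o["port"], [(u, user_allowed(o, u)) for u in ("ops", "deploy", "guest", "tmp1", "bob")])
```

The first-value-wins rule is the one that bites in practice: a hardening line appended to the end of a distribution sshd_config that already sets the same keyword earlier changes nothing, and sshd -T (which prints the effective configuration) is the way to confirm what is really in force.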


Setting up Key-Based Authentication

- Lets you log in with a key pair instead of the account password; the private key should itself be protected by a passphrase
- Must be set up properly: do not install keys for direct root login, log in as a regular user and escalate with sudo
- Uses ssh-add and ssh-agent so you type the passphrase once per session

1. Generate a key pair (ssh-keygen)
2. Upload the public key to the remote server (ssh-copy-id, or append id_*.pub to ~/.ssh/authorized_keys there; ~/.ssh must be mode 700 and authorized_keys 600 or sshd will ignore it)
3. Verify the public key works
4. Add your credentials to the ssh-agent
5. Connect without a password to the remote server
6. Glory in your success


Loading Up Your Credentials

- If constantly typing your passphrase is getting tedious:
- Load your identity into the ssh-agent with ssh-add
- Let the agent provide your identity for you
- All you need to do is enter your passphrase once when you start

ssh-agent    Starts the agent; -s prints Bourne-shell commands that export its socket and PID (needed if your login shell is not detected as sh-compatible)
ssh-add      Loads your identity (private key) into the agent

Example

$ eval `ssh-agent -s`
$ ssh-add
Enter passphrase for /home/cloud_user/.ssh/id_rsa:
Identity added: /home/cloud_user/.ssh/id_rsa

<The eval wraps the ssh-agent around your current shell environment by setting SSH_AUTH_SOCK and SSH_AGENT_PID; ssh-add then loads your identity into the agent, which answers authentication requests for you. The decrypted key lives only in the agent's memory, so kill the agent (ssh-agent -k) or run ssh-add -D when you leave the session>


Understanding Remote Administration with VNC

Remote Management Overview

- Management via the graphical desktop
- Uses Virtual Network Computing (VNC)
- Consists of a VNC server and a VNC client

VNC Server

- YaST -> Network Services -> Remote Administration (VNC)
- Three options; the default is off. If needed often, choose: Allow Remote Administration With Session Management
- Firewall configuration is included in the same dialog


Client Access Options

- Most VNC clients will work; the RealVNC app is recommended for Mac/Windows
- SLES ships with a supported vncviewer application
- Use the IP address and port 5901
- Browser access (http://host.domain.xxx:5801) requires a Java-enabled browser; this legacy applet interface is rarely usable today

VNC through an SSH Tunnel

- More stable, and the only safe option: plain VNC has weak authentication and sends the session unencrypted
- Use SSH to establish a tunnel from your system to the remote system
- Authentication and encryption are then provided by SSH (your key or password); the VNC password still applies inside the tunnel
- Establishing the tunnel is easy: ssh -L 5901:localhost:5901 user@IP/FQDN
- Then just point the client application to localhost:5901
- The -L option binds local port 5901 and forwards it, through the SSH connection, to port 5901 on the remote host's loopback interface; if the VNC server is configured to listen only on localhost, nobody can reach it except through such a tunnel

Section 7: System Initialization

Topics in this section include:

- Understanding the Boot Process
- Understanding the GRUB2 Boot Loader
- Defining and Describing systemd


Understanding the Boot Process

Booting SUSE Linux Systems

- GRUB2 is the default bootloader
- Booting occurs in successive stages, each handing control to the next:

Hardware:    POST, then UEFI firmware or BIOS
Bootloader:  Stage 1 (boot.img) -> Stage 1.5 (core.img) -> Stage 2 (/boot/grub2/*)
Kernel:      kernel plus initramfs
User space:  udev, then systemd

- The boot.img / core.img stages are the BIOS (MBR) layout; on a UEFI system the firmware loads the GRUB2 EFI binary from the EFI System Partition directly, and the same Stage 2 files are used from there


initramfs is:

- A small cpio archive, loaded into memory by the bootloader alongside the kernel
- A mini Linux system whose job is to bring up the real system
- Contains the drivers needed to access the real root filesystem

Once initramfs is loaded:

- The needed modules/drivers are loaded
- udev provides the needed device nodes
- Control is transferred from the initramfs init process to the systemd init process on the real root filesystem

If your hardware changes:

- The initramfs must be updated; SLES will detect the needed modules
- To generate an initramfs for the running system: $ mkinitrd
- To generate a new init executable: $ mkinitrd -R
- Specify additional modules for the initramfs in INITRD_MODULES in /etc/sysconfig/kernel
- On SLES 12 and later, mkinitrd is a compatibility wrapper around dracut, so the initramfs can also be rebuilt with dracut --force


Understanding the GRUB2 Bootloader

GRUB = GRand Unified Bootloader

- Version 2 = most current
- Version 1 = GRUB Legacy

GRUB2 Differences from GRUB Legacy

- Configuration file changes
- Updated filesystem support (Btrfs)
- Translatable and theme-able UI
- Module support expanded
- Bash-like console for troubleshooting/discovery

GRUB2 Commands

grub2-mkconfig        Generate a new grub.cfg file
grub2-menulst2cfg     Convert an old menu.lst file to cfg
grub2-script-check    Check GRUB files for syntax errors
grub2-mkrescue        Create a bootable rescue image
grub2-once            Set the next boot to a given non-default entry


GRUB2 Configuration Files

/boot/grub2/grub.cfg        Replaces the legacy menu.lst and contains the menu items. Auto-generated by grub2-mkconfig; not intended to be edited manually.
/boot/grub2/custom.cfg      Optional; included into grub.cfg at boot time.
/etc/default/grub           User and environment settings for GRUB2 (kernel command line, timeout, backgrounds/themes).
/etc/grub.d/*               Scripts used by grub2-mkconfig and merged into grub.cfg, executed in numeric order (00_header, 10_linux, ...).
/etc/sysconfig/bootloader   SUSE-specific config file used by YaST and when new kernel versions are installed.


Editing Menu Entries During Boot

- System changes can foil GRUB at boot
- Editing only takes effect for that boot; it is not permanent
- Tab-complete works for all options
- Anyone with console access can do this (for example, append init=/bin/bash or systemd.unit=rescue.target to the kernel line), so set a GRUB2 password or restrict physical and remote-console access on systems that matter

1. Start the system boot
2. Press e to start editing
3. Navigate to the desired change area
4. Make the change to parameters/general options
5. Press F10 (or Ctrl-x) to boot with the edits in effect, OR press Esc to discard the changes and return to the menu


Defining and Describing `systemd`

systemd is:

- The system/service and session manager for Linux
- Compatible with SysV and LSB init scripts
- The replacement for SysV init functions in SLES (since SLES 12, and the only init in SLES 15)

systemd Features:

- Highly parallel service start-up
- Targets are the new runlevels (mostly)
- Daemons can be activated on demand (socket, bus and path activation)
- Automatic restart of failed daemons
- Uses cgroups to track and control processes

Things to remember about systemd:

- PID 1 used to be init; now it is systemd
- It is a replacement for SysV init and is largely compatible with it, but not a perfect 1:1 match
- Unit files are analogous to service scripts
- Targets are one-to-many groups of units
- systemd is responsible for all user-space processes


systemd Units are:

- How systemd defines the things it manages; service units are similar to SysV init scripts
- Services are the most common type, but there are many types
- Managed with systemctl

Type      Description                                   Ext.
Service   System service                                .service
Target    Group of systemd units                        .target
Device    Device file known to the kernel               .device
Mount     Filesystem mount point                        .mount
Path      File or directory in the filesystem           .path
Socket    Inter-process communication socket            .socket


systemd Unit File Directories

- A given set of unit files is installed by packages
- They can be overridden by runtime unit files, and those in turn by the administrator's unit files
- Fine-tuning (which units start at boot) happens with systemctl enable

/usr/lib/systemd/system   Default RPM-installed unit files; overwritten when updates/fixes are installed, so never edit them here
/run/systemd/system       Unit files created at runtime (lost at reboot); take precedence over /usr/lib/systemd/system
/etc/systemd/system       Unit files written by the administrator, plus the symlinks created by systemctl enable; take precedence over /run/systemd/system


Anatomy of a Unit File

- Units are how you define something for systemd
- More standard and easier to use than LSB headers
- Much smaller than the usual init script

Dissecting the cron.service Unit File

Description   Public name of the unit (shown by systemctl status, etc.)
Before        This unit is started before the units listed
After         The units listed are started before this unit
Restart       Keyword defining when the service is restarted (no, on-failure, on-abort, always, ...)
RequiredBy    [Install] section: when the unit is enabled, the listed target(s) require it, so the target fails to activate if this unit cannot start
WantedBy      [Install] section: when enabled, the listed target(s) want it; a failure is logged but does not affect the target

- Before/After only control ordering; Requires/Wants (and their *By counterparts) only control which units get pulled in. A unit that is required but has no After line may be started in parallel with the unit that requires it
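To make the ordering-versus-dependency distinction concrete, an added example (not systemd's code): it parses constructed unit files in the format the slide dissects, builds the start order from After=/Before= only, shows that Requires= alone contributes no ordering edge, detects an ordering cycle, and lists the symlinks systemctl enable would create from WantedBy=/RequiredBy=. The cron.service text is modelled on the keys listed above and is not SLES's real unit.

```python
"""Derive start order and 'systemctl enable' links from unit files. Added
example, not systemd's code; the unit texts below are constructed to mimic
the keys the slide lists and are not SLES's real cron.service."""
import re
from collections import defaultdict

SECTION = re.compile(r"^\[(\w+)\]$")


def parse_unit(text):
    """Parse the INI-like unit format into {section: {key: [values]}}.

    Unlike plain INI, a key may repeat (two After= lines accumulate), and an
    empty 'Key=' resets the list, as systemd documents."""
    unit, section = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value:
            unit[section][key].append(value)
        else:
            unit[section][key] = []
    return unit


def values(unit, section, key):
    """Space-separated list settings, flattened across repeated lines."""
    return " ".join(unit[section].get(key, [])).split()


def ordering_edges(units):
    """(x, y) pairs meaning 'x is started before y', from After=/Before= only.

    Requires=/Wants= pull units into the transaction but say NOTHING about
    order: without After=/Before= systemd starts them in parallel."""
    edges = set()
    for name, u in units.items():
        edges |= {(dep, name) for dep in values(u, "Unit", "After")}
        edges |= {(name, dep) for dep in values(u, "Unit", "Before")}
    return edges


def start_order(units):
    """Topological order (Kahn's algorithm). Raises ValueError on an ordering
    cycle, which systemd reports and then breaks by dropping a job."""
    edges = ordering_edges(units)
    names = set(units) | {a for a, _ in edges} | {b for _, b in edges}
    indeg = {n: sum(1 for _, b in edges if b == n) for n in names}
    ready, order = sorted(n for n in names if indeg[n] == 0), []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for a, b in edges:
            if a == n:
                indeg[b] -= 1
                if indeg[b] == 0:
                    ready.append(b)
        ready.sort()
    if len(order) != len(names):
        raise ValueError("ordering cycle among %s" % sorted(names - set(order)))
    return order


def install_links(name, unit):
    """Symlinks that 'systemctl enable' creates under /etc/systemd/system from
    the [Install] section; these are what make the unit start at boot."""
    return [f"/etc/systemd/system/{target}.{sub}/{name}"
            for key, sub in (("WantedBy", "wants"), ("RequiredBy", "requires"))
            for target in values(unit, "Install", key)]


# Constructed sample units
UNITS = {
    "cron.service": """
[Unit]
Description=Command Scheduler
After=ypbind.service nscd.service
After=network.target
Requires=network.target

[Service]
ExecStart=/usr/sbin/cron -n
Restart=on-abort

[Install]
WantedBy=multi-user.target
""",
    "network.target": "[Unit]\nDescription=Network\n",
    "nscd.service": "[Unit]\nDescription=Name Service Cache\nAfter=network.target\n",
    "ypbind.service": "[Unit]\nDescription=NIS client\nAfter=network.target\nBefore=nscd.service\n",
}
PARSED = {name: parse_unit(text) for name, text in UNITS.items()}

if __name__ == "__main__":
    print("start order:", start_order(PARSED))
    print("enable creates:", install_links("cron.service", PARSED["cron.service"]))
```

Note that multi-user.target never appears in the ordering: WantedBy= only says which target pulls cron in when it is enabled, which is the same information systemctl list-dependencies --reverse shows.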


Understand and Manage Targets

- Targets are groups of units that are similar to runlevels
- Targets help set the system to a given state

Runlevel   systemd Target
0          poweroff.target
1          rescue.target
2/3/4      multi-user.target
5          graphical.target
6          reboot.target

Query and Set Targets

$ systemctl get-default
<Displays the default target>

$ systemctl isolate nameof.target
<isolate stops everything not needed by that target, similar to changing runlevel; the target must have AllowIsolate=yes>

$ systemctl set-default nameof.target
<Sets the default target for the next boot; then use systemctl isolate or systemctl default to change to it now>


Managing Service Units

Key systemctl Options

- Using the systemctl command: many keywords to know and use
- Offers Tab-completion for your assistance!

$ systemctl option nameof.service
<start, stop, restart, reload, status, enable, disable>

$ systemctl list-units --type=service --all
<shows only active units by default; --all or -a lists every unit, including inactive ones>

$ systemctl option nameof.service
<is-active, is-enabled show the service's state>

$ systemctl status nameof.service
<shows a huge amount of information, including the cgroup's processes and recent log lines; see demo>

$ systemctl list-dependencies cron.service
<Shows what cron needs in order to start; add --reverse for what depends on cron>


systemd and Control Groups

Visualize and Manage cgroups

- systemd depends heavily on cgroups functionality
- Hierarchical structure of all processes
- Can be used to control kernel-supplied restrictions
  - Memory (RAM), CPU percentages, I/O bandwidth

Why Is This Important?

- cgroups help systemd track a service's processes
- See a service's (and all of its processes') utilization easily
- Kill a process and all sub-processes in one shot
- No more hunting for abandoned processes!

systemd-cgls   See cgroups in a hierarchical manner
systemd-cgtop  See the most active cgroups

Kill a service and all sub-processes

$ systemctl kill nameof.service <Sends SIGTERM to the service's processes>

$ systemctl kill -s SIGWHATEV nameof.service <Specifies the SIGnal sent to the processes>



Wrapping It Up

- systemd is here to stay and works well
- Become proficient with systemctl
- Remember Tab-Complete for help



Process Management


Topics in this section include:

- Understanding Process Administration
- Understanding Background Processes
- Understanding Process Scheduling



Defining Processes

- A process is the active execution of the otherwise passive collection of code that makes up a program

Types of Processes

user    Has a controlling terminal (ex: chronyc)
daemon  No controlling terminal (ex: chronyd)

Relationships Between Processes

- All processes are descended from PID 1
- All others have a PID and a PPID
- Process IDs are unique to a process
- Parent processes spawn and manage children
- Removing a process normally removes its children

Orphans and Zombies

orphan  Parent ends; init adopts the orphan process
zombie  Process ends, but the parent has not yet collected (reaped) its exit status



Viewing Processes

- Processes are executing code
- Have working sets of memory, environment, etc.
- Can be viewed natively in /proc/PID
  - Where PID is the numeric process ID

Manually Viewing

- Use ls in the /proc/PID tree
- Use cat on the files
- Tedious in the extreme

Process Info Commands

ps       Displays process info, many options (aux, ef)
pstree   Shows processes as a hierarchy, very prolific
top      Updates process info until interrupted, can manage processes
pidstat  Shows process statistics, such as disk activity



Signaling Processes

- We manage processes with signals
- Many signals, some common, lots are obscure
- Default is always SIGTERM (15)

#   Signal   Description
1   SIGHUP   Hangup (a.k.a. bounce, stop and restart)
9   SIGKILL  Kills a process (forcibly removed)
15  SIGTERM  Politely requests a process end itself
18  SIGCONT  Continue a SIGSTOP'd process
19  SIGSTOP  Stops a process, doesn't remove it

Signaling Commands

kill     Kills process(es) by PID (15 is default, or specify)
killall  Kills all processes by name (15 is default, or specify)
pkill    Same as pgrep, but can kill (send signals)
top      Mostly for display, can be used to signal processes
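Stopping a process with the escalation the signal table implies (SIGTERM first, SIGKILL only if the process ignores it), as an added example that is not part of the course material. It assumes Linux, where /proc/PID/stat lets the script tell an exited-but-unreaped child (a zombie) apart from a live process.

```shell
#!/bin/sh
# Added example, not from the course: stop a process the way systemctl stop
# does at unit level. Send SIGTERM (15, the polite default) first, wait a
# grace period, and only then fall back to SIGKILL (9). The return code says
# which signal was needed, which is worth logging when a daemon will not exit.
# Assumes Linux: /proc/PID/stat is read so an unreaped (zombie) child is not
# mistaken for a live process.

# alive PID -> 0 if the process exists (and we may signal it) and is not a zombie
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/stat" ]; then
        # the state letter is the first field after the parenthesised command name
        state=$(sed 's/^.*) //' "/proc/$1/stat" | cut -d' ' -f1)
        [ "$state" != "Z" ] || return 1
    fi
    return 0
}

# reap PID -> collect the exit status if PID was our own child (no-op otherwise)
reap() {
    wait "$1" 2>/dev/null || :
}

# graceful_stop PID [GRACE_SECONDS]
#   returns 0 if the process ended after SIGTERM (or was already gone),
#           1 if SIGKILL was required,
#           2 if it survived even SIGKILL (e.g. stuck in uninterruptible I/O)
graceful_stop() {
    pid=$1
    grace=${2:-5}
    if ! alive "$pid"; then
        reap "$pid"
        return 0
    fi
    kill -s TERM "$pid" 2>/dev/null          # signal 15: ask it to exit
    i=0
    while [ "$i" -lt "$grace" ]; do
        if ! alive "$pid"; then
            reap "$pid"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    kill -s KILL "$pid" 2>/dev/null          # signal 9: cannot be caught or ignored
    sleep 1
    reap "$pid"
    alive "$pid" && return 2
    return 1
}
```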



Prioritizing Processes

- Process priorities are counterintuitive
- Negative numbers are HIGHER priority
- Positive numbers are LOWER priority

Why Change Priorities?

- Systems run many processes
- Only so many resources
- Some processes don't play well with others

Set Initially or Alter Later?

- If a program is a known resource abuser, nice it
- If a program is misbehaving, renice it

nice    By default, starts a process at a lower priority
renice  By default, alters a running process to a lower priority

Notes about nice and renice

- Can specify a priority with -n
- Only root can increase a priority above normal
- Some processes will stall or not work properly if their priority is decreased too much



Understanding Background Processes

What Are Jobs and What Is Their Purpose?

- Processes become jobs when:
  - They are suspended
  - Set to run in the background
- Necessary for use with single sessions
- Can run multiple non-interactive commands
- Can be replaced by screen and others

Jobs-Related Commands/Operators

&       Suffix a command with & to start it in the background
Ctrl-z  Interrupts (pauses) a running foreground program
bg      Sends an interrupted program to run in the background
fg      Foregrounds the last active job, or a specific job queue ID
jobs    Displays the jobs queue

Notes about Jobs

- Can specify a job by queue number, e.g. fg 1
- A + symbol indicates the default entry to act on
  - Example: fg acts on the + entry by default



Using screen to Manage Sessions

- screen sessions are jobs on rocket fuel
- Much more functional than nohup
- Can use for any program, local or remote
- Lets you leave programs running and log out

How screen Is Structured

Example Usage Scenario

- You are remotely administering a system and a procedure requires more hours than one day, but security procedures require you to log out at the end of the day
- Connect via ssh, start a screen session, invoke the command, detach the session, sign out, and go home
- Reconnect via ssh the next day, reattach the session, and continue the procedure



Starting Simple with screen Sessions

- screen can start simple and go super complex

$ screen -d -m top <Starts top in a new detached session, returns to the shell>

$ screen -list
There is a screen on:
        22323..myserver (Detached)
1 Socket in /run/uscreens/S-cloud_user.
<The leading numerals are the PID of the session>

$ screen -r PID <Reattaches to the session; if there are multiple sessions, give the PID>

Ctrl-a d <While in a session, detaches it and returns to the shell>



Working with screen Windows

- screen opens a session with one window by default
- Press Ctrl-a " to view all windows in a session
- Use the arrow keys to move, Enter to select a window
- Window numbers are persistent until closed
  - Ex: Close window 1 and only 0 and 2 remain

Switching Between Windows (in a Session)

Ctrl-a A  Prompts for a window title
Ctrl-a "  Shows a selectable window list
Ctrl-a '  Presents a prompt for a window #
Ctrl-a k  Kill (y/n) the current window and go to the previous one
Ctrl-a N  Display window # and name

- Each window can contain a command/program
- Windows are locked to a given session
- Invoking screen within a screen session window just adds another window



Understanding Process Scheduling

Scheduling Tasks Overview

- System administration can be tedious
- Forgetting things like backups can cause issues
- Figure a process out, then automate it

Task Scheduler Options

at    Schedule a command to run once in the future
cron  Schedule commands to run in patterns

Types of Tasks

- Once
- Now and then
- Every time



Scheduling Tasks with at

- Schedules tasks one time in the future
- Great for reminders or one-offs
- Anything more complex requires cron
- Installed by default, disabled by default

at Daemon and Commands

atd    systemd-managed service; use systemctl to enable it
at     Command to submit jobs to the daemon
atq    Query the daemon for the queue of tasks
atrm   Remove jobs from the task queue
batch  Submits jobs that run based on the system load average



Scheduling Tasks with cron

- Schedules tasks at any frequency/interval
- Extremely atomic control of schedule options
- Separate system and per-user crontabs
  - crontab = cron table, the file used to schedule tasks

cron Daemon and Commands

cron                 The cron daemon, a systemd-managed service
crontab              Command to edit and submit task schedules
run-crons            Executes the cron jobs in the .hourly, .weekly, etc. directories
/etc/sysconfig/cron  Overall cron configuration file
/etc/crontab         System-specific crontab (root-editable)
/etc/cron.d          Directory for system-related crontab files



Understanding crontab Entries

- Understanding crontab entries is critical
- Misconfiguration can be problematic
  - Ex: A job that takes five minutes set to run every minute

$ crontab -e

Example crontab Entry

0 12 * * * user /home/rossb/run.sh

Field               Meaning
0                   Minute of hour
12                  Hour of day
*                   Day of month
*                   Month of year
*                   Day of week
user                User to run as
/home/rossb/run.sh  Absolute path to script
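An added example (not from the course) that lints lines in the seven-field system crontab layout above: each time field is checked against its legal range, and a schedule that fires every minute is flagged, since that is exactly the misconfiguration the slide warns about.

```shell
#!/bin/sh
# Added example, not from the course: lint lines in the system crontab layout
#   minute hour day-of-month month day-of-week user command
# Each time field may use *, a number, a range a-b, a comma list, and a /step
# suffix; every number must lie inside the field's legal range.

# check_field VALUE MIN MAX NAME -> 0 if every item in VALUE is inside MIN..MAX
check_field() (
    set -f                               # keep '*' literal: no filename globbing
    field=$1 min=$2 max=$3 name=$4
    IFS=','
    for item in $field; do
        step=
        case $item in
            */*) step=${item#*/}; item=${item%%/*} ;;
        esac
        case $step in
            *[!0-9]*|0) echo "$name: bad step '$step' in '$field'" >&2; return 1 ;;
        esac
        case $item in
            '*') continue ;;
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item ;;
        esac
        for n in "$lo" "$hi"; do
            case $n in
                ''|*[!0-9]*) echo "$name: non-numeric '$item' in '$field'" >&2; return 1 ;;
            esac
            if [ "$n" -lt "$min" ] || [ "$n" -gt "$max" ]; then
                echo "$name: '$item' is outside $min-$max" >&2; return 1
            fi
        done
        if [ "$lo" -gt "$hi" ]; then
            echo "$name: reversed range '$item'" >&2; return 1
        fi
    done
    return 0
)

# runs_every_minute MINUTE_FIELD -> 0 when the field means "every minute"
runs_every_minute() {
    case $1 in
        '*'|'*/1') return 0 ;;
        *)         return 1 ;;
    esac
}

# lint_crontab_line LINE -> 0 if the five time fields are valid, 1 otherwise.
# Warnings (not errors) go to stderr for every-minute schedules and for
# commands not given as an absolute path.
lint_crontab_line() (
    set -f
    set -- $1                            # split the line into its fields
    if [ "$#" -lt 7 ]; then
        echo "expected at least 7 fields (5 time fields, user, command), got $#" >&2
        return 1
    fi
    check_field "$1" 0 59 minute       &&
    check_field "$2" 0 23 hour         &&
    check_field "$3" 1 31 day-of-month &&
    check_field "$4" 1 12 month        &&
    check_field "$5" 0 7  day-of-week  || return 1
    if runs_every_minute "$1"; then
        echo "warning: job runs every minute; it must finish in under 60 seconds" >&2
    fi
    case $7 in
        /*) ;;
        *)  echo "warning: command '$7' is not an absolute path" >&2 ;;
    esac
    return 0
)
```

Feed it lines from /etc/crontab or a file in /etc/cron.d; per-user crontabs have no user field, so shift the columns before using it on those.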



How cron Processes Tasks

[Diagram: how the cron components relate. Files shown: /usr/lib/systemd/system/cron.service, /usr/bin/cron, /usr/bin/crontab, /usr/lib/cron/run-crons, /etc/sysconfig/cron, /var/spool/cron/lastrun/cron.interval, /etc/crontab, /etc/cron.d/*, /var/spool/cron/tabs, and the cron.hourly, cron.daily, cron.weekly and cron.monthly directories; the arrows are labelled controls, edits, exec, reads and consults.]



Identity and Security


Topics in this section include:

- Understanding User Management
- Understanding File System Permissions
- Understanding Privilege Delegation



Understanding User Management

User and Group Overview

- UIDs define users: a number paired with a name
- GIDs define groups: a number paired with a name
- All users must have a primary group
- Group membership helps manage access, etc.

UID      Description
0        Root user of the system
1-99     System accounts (for service ownership)
100-499  Depends on the distribution, similar to 1-99
>1000    Regular non-privileged accounts

GID      Description
0        Root group
1-99     System groups (members inherit access)
100-499  System groups (allocated as needed)
>1000    Standard groups



User and Group Data Files

File         Perm   Description
/etc/passwd  (644)  User account definition file
/etc/shadow  (640)  Password and account aging file
/etc/group   (644)  Group account definition file

passwd File Fields

ross:x:501:100:Ross B:/home/ross:/bin/bash

Field       Meaning
ross        Username
x           Password (x means the hash is kept in /etc/shadow)
501         User ID (UID)
100         Primary Group ID
Ross B      Comment/GECOS
/home/ross  Home Directory
/bin/bash   Shell



shadow File Fields

ross:NcrYptedPw:60:30:120:14:365::

Field       Meaning
ross        Login name
NcrYptedPw  Encrypted password
60          Last passwd change (in days since 1 Jan 1970)
30          Minimum pw age (days)
120         Maximum pw age (days)
14          Password warning period (days)
365         Password inactivity period (days)
(empty)     Account expiration date
(empty)     Reserved

group File Fields

users:x:100:username1,username2

Field                Meaning
users                Group name
x                    Password
100                  GID (Group ID)
username1,username2  Secondary group members
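An added example, not part of the course: two shell functions that read records in the passwd and shadow layouts just described and report what an account audit looks for first. The sample records are constructed for this example; on a live system point the functions at /etc/passwd and /etc/shadow (the latter as root).

```shell
#!/bin/sh
# Added example, not from the course: audit passwd- and shadow-format records
# using the field layouts shown above. Sample records below are constructed.

# passwd_findings FILE -> one line per suspicious account:
#   extra-uid0   : a second account with UID 0 (root rights under another name)
#   no-shadow    : password field is not "x", so a hash (or nothing at all)
#                  sits in the world-readable passwd file
#   system-shell : an account in the system UID ranges (1-499) with a login shell
passwd_findings() {
    awk -F: '
        NF < 7 { next }                        # skip blank or malformed lines
        $3 == 0 && $1 != "root"        { print "extra-uid0 " $1 }
        $2 != "x"                      { print "no-shadow " $1 }
        $3 > 0 && $3 < 500 && $7 !~ /(nologin|false)$/ { print "system-shell " $1 }
    ' "$1"
}

# shadow_password_state SHADOW_LINE TODAY -> prints one word:
#   empty    : no password at all; anyone can log in as this user
#   locked   : hash starts with ! or * (usermod -L style lock, or never set)
#   expired  : TODAY is past last change + maximum age
#   warning  : inside the warning period before expiry
#   ok       : otherwise (including max age 99999, i.e. aging disabled)
# TODAY is days since 1970-01-01, the unit of the third shadow field;
# pass $(( $(date +%s) / 86400 )) for the current date.
shadow_password_state() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
        {
            pw = $2; last = $3; max = $5; warn = $6
            if (pw == "")                            { print "empty";   exit }
            if (pw ~ /^[!*]/)                        { print "locked";  exit }
            if (last == "" || max == "" || max >= 99999) { print "ok"; exit }
            if (today > last + max)                  { print "expired"; exit }
            if (warn != "" && today >= last + max - warn) { print "warning"; exit }
            print "ok"
        }'
}

# Constructed sample passwd records (not from a real system)
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ross:x:501:100:Ross B:/home/ross:/bin/bash
backupsvc:x:0:0:backup:/var/backup:/bin/bash
chrony:x:474:475:Chrony daemon:/var/lib/chrony:/usr/sbin/nologin
legacy:$6$oldhash:1002:100:Legacy:/home/legacy:/bin/bash
svcshell:x:250:250:Service:/srv/svc:/bin/bash'

# demo_passwd_findings -> runs passwd_findings over the sample records
demo_passwd_findings() {
    f=${TMPDIR:-/tmp}/passwd_demo_$$
    printf '%s\n' "$SAMPLE_PASSWD" > "$f"
    passwd_findings "$f"
    rm -f "$f"
}
```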



Managing Users and Groups via CLI

- Creating users and groups is a foundational skill
- Set the environment properly to make it easier
- Root, by default, is the only one that can add either
- Configure /etc/sudoers to delegate

Using /etc/skel Properly

- Adding a user copies /etc/skel to the home directory
- Include anything you want all new users to have
- Can use specialty skel directories by role

Commands for Managing Users

useradd  Adds new users, many options
usermod  Modifies existing user accounts, account lock, etc.
userdel  Deletes existing user accounts, home dir removal optional
passwd   Sets or changes user passwords



Managing Groups via CLI

- Groups are simpler by nature
- /etc/group defines secondary group membership
- Primary groups are set in /etc/passwd
- The primary group overrides any set in /etc/group

Commands for Managing Groups

groupadd  Adds new groups
groupmod  Modifies existing group accounts
groupdel  Deletes existing group accounts
gpasswd   Sets or changes group passwords



Managing Users and Groups via GUI

- YaST makes it easier and harder
- Useful if you want to delegate to an account manager
- Command line is much faster
- YaST ensures passwd file integrity



Understanding File System Permissions

Files and Directories

- Directories are special files that can contain:
  - All file types, regular and special
  - Other directory files (sub-directories)
- Remember: filenames lead to inodes, then to data

Decoding File Information

drwxr-xr-x 1 rossb users 168 Jul 1 21:12 ceasar
-rw-r--r-- 1 nerdo users 656 Mar 7 10:14 ides

Column (first line)  Meaning
d                    type (d = directory, - = regular file)
rwx                  user owner permissions
r-x                  group owner permissions
r-x                  other user permissions
1                    link count
rossb                user owner
users                group owner
168                  file size
Jul 1                last modified date
21:12                last modified time
ceasar               object name

How Permissions Are Read

- Permissions are read from left to right
- Checks if user owner, then member of group owner
- First match stops, and is the effective permissions

rw-rw-r-- 1 nerdo users
- rw- : user owner (nerdo)
- rw- : group owner (users)
- r-- : everyone else



What Permissions Mean for Access

File Permissions

r  File contents can be read (opened)
w  File contents can be changed
x  File can be executed (script or binary)

Directory Permissions

r  Directory contents can be viewed (ls)
w  Can create/delete entries, modify permissions, etc.
x  Directory can be traversed, entered into, moved through

Octal Permissions

Special bits >   S G T          4 2 1
Regular perms >  rwx rwx rwx    421 421 421
Octal perms >    4   7   7   7

$ chmod 4777 file1



Permissions Can Be Set or Altered

- Setting permissions is a destructive act
  - Whatever they were, you overwrite them
- Altering permissions is a surgical procedure
  - You change only what you need to

The chmod Command

chmod  Set or alter permissions (regular/special)

Setting Permission Example

$ chmod 777 file1
-rwxrwxrwx 1 cloud_user users 175 Dec 7 03:53 file1
<Setting forces overwriting of the existing permissions>

Altering Permission Examples

$ chmod u=rw,g-w file1
-rw-r--r-- 1 cloud_user users 175 Dec 7 03:53 file1
<Sets user to rw, removes w from group, other stays the same>

$ chmod u=rwx,g+x,o=r file1
-rwxr-xr-- 1 cloud_user users 175 Dec 7 03:54 file1
<Sets rwx for user, adds x to group, and sets other to r only>



File and Directory Ownership

- All files and directories have both a user owner and a group owner
- The primary group sets the group owner by default
- Shared directories use SGID to force group ownership

Changing Ownership

chown  Change owner or group or both (owner:group)
chgrp  Only changes group ownership

Examples of Changes

$ chown root:users file1
-rw-rw-r-- 1 root users 175 Dec 7 03:53 file1
<Change both with user:group; a colon or a dot works as the separator>

$ chown rossb file1
-rw-rw-r-- 1 rossb users 175 Dec 7 03:54 file1
<Changing the user owner only, no separator necessary>

$ chown :wheel file1
-rw-rw-r-- 1 rossb wheel 175 Dec 7 03:55 file1
<Changing the group only with chown requires the separator>

$ chgrp users file1
-rw-rw-r-- 1 rossb users 175 Dec 7 03:56 file1
<chgrp changes the group only, so no separator is needed>


Special Bits Defined

- Give an object special attributes
- Used to enhance regular permissions
- The most misunderstood type of permissions

SUID (4---)     Allows executing a file with the permissions of the user owner rather than those of the user who is executing it. Can be misused, but is required for some utilities to work properly.

SGID (2---)     Allows executing a file with the permissions of the group owner. When set on a directory, it forces its group ownership onto all created objects, both files and sub-directories.

Sticky (1---)   Used together with the SGID bit, it prevents users from deleting files unless they are the user owner of the file, the root user, or the directory owner. This was historically used to keep programs in active RAM.


User Mask (umask)

- Subtracts from the default directory/file permissions
- Set in the shell environment or manually
- Requires knowing the default permission values

777   Default Directory Permissions
666   Default File Permissions

Default Permissions

Default Directory   777
Umask value         022
                    ---
Effective Perms     755   <All directories created are reduced to 755 permissions>

Default File        666
Umask value         022
                    ---
Effective Perms     644   <All files created are reduced to 644 permissions>

Calculating umask
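A worked check of the umask calculation above, added here as an example and not part of the course material: it applies the umask the way the kernel does (as a bit mask, not octal subtraction, which only happens to give the same answer for masks such as 022), then creates a file and a directory under that umask in a scratch directory to confirm the result against what the kernel actually assigns.

```python
import os
import stat
import tempfile

# Defaults as the course states them: 777 for a new directory, 666 for a new file.
DEFAULT_DIR_MODE = 0o777
DEFAULT_FILE_MODE = 0o666


def effective_mode(default_mode, umask):
    """Apply a umask the way the kernel does: clear each bit that is set in
    the mask (default & ~umask).  This is a bit operation, not octal
    subtraction; the two agree for 022 but not for a mask such as 027."""
    return default_mode & ~umask & 0o777


def symbolic(mode):
    """Render a mode as the rwx triads ls -l prints, e.g. 0o644 -> 'rw-r--r--'."""
    return "".join(ch if mode & (1 << (8 - i)) else "-"
                   for i, ch in enumerate("rwxrwxrwx"))


def umask_table(umask):
    """Effective directory and file permissions for one umask, as octal strings."""
    return {"directory": format(effective_mode(DEFAULT_DIR_MODE, umask), "03o"),
            "file": format(effective_mode(DEFAULT_FILE_MODE, umask), "03o")}


def observed_modes(umask):
    """Create a file and a directory under the given umask in a scratch
    directory and read back the modes the kernel assigned, to confirm the
    calculation above.  The process umask is restored afterwards."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            file_path = os.path.join(scratch, "f")
            dir_path = os.path.join(scratch, "d")
            # open() requests 0o666 and mkdir() 0o777: the course's defaults.
            os.close(os.open(file_path, os.O_CREAT | os.O_WRONLY, 0o666))
            os.mkdir(dir_path, 0o777)
            return {"directory": format(stat.S_IMODE(os.stat(dir_path).st_mode), "03o"),
                    "file": format(stat.S_IMODE(os.stat(file_path).st_mode), "03o")}
    finally:
        os.umask(previous)


if __name__ == "__main__":
    for mask in (0o022, 0o027, 0o077):
        print(format(mask, "03o"), umask_table(mask), observed_modes(mask))
```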


Using Access Control Lists

- Traditional permissions can't do it all
- ACLs are in addition to regular permissions
- They allow individual/group access as non-owners

Minimal    Matches only the traditional POSIX permissions
Extended   Preserves POSIX, adds extended access entries

Types of ACLs


Access Defines the current access permissions

Default Sets a directory's inheritance to child objects

Types of ACLs

Mask Sets an upper limit on effective rights

- Problems can happen with multiple group ACLs
- A Mask is designed as a safety cap on access
- You can't get more access than the Mask values


Masking Permissions

- Masks are like a filter you pour permissions through
- They do not limit the user or group owner's permissions
- They limit the named user and named group entries

Decoding the Mask Entries

Entry Type     Format            Permissions
named user     user:ross:rw-     rw-
named group    group:acl:rw-     rw-
mask           mask::r-x         r-x
                                 effective: r--

Using Masks Appropriately

- A Minimal ACL (POSIX) does not have a mask
- An Extended ACL must have a mask
- When a Minimal ACL is added to, the group owner permissions become the Mask
- A mask is an upper limit of permissions
- Effective permissions are always the most restrictive


Displaying ACLs

- Use the getfacl command to display ACLs:
  - If there is no Extended ACL, it shows the Minimal ACL
  - If there is an Extended ACL, it shows all ACL entries

Display a file's Minimal ACL:
$ getfacl file1
# file: file1
# owner: cloud_user
# group: users
user::rw-     <POSIX>
group::r--
other::r--

Display a directory's Minimal ACL:
$ getfacl dir1
# file: dir1
# owner: cloud_user
# group: users
user::rwx     <POSIX>
group::r-x
other::r-x

getfacl Examples


Setting Extended ACLs - Files

- Use the setfacl command to change ACLs
- The easiest modification is to add a user/group access entry
- It will show in ls -l with an added "+" sign

Set a file to have a named user added to the ACL:
$ setfacl -m user:nerdo:rw file1
# file: file1
# owner: cloud_user
# group: users
user::rw-
user:nerdo:rw-     <added>
group::r--
mask::rw-
other::r--

Indication of an Extended ACL:
$ ls -l file1
-rw-rw-r--+ 1 cloud_user users 0 <..> file1     <the "+" shows an Extended ACL is present>

setfacl Example
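An added example (not the course's own code) tying the "Decoding the Mask Entries" table to the getfacl listing above: it parses getfacl text, computes each entry's effective rights, and rebuilds the ls -l mode field, where the middle triad is the mask rather than group:: once an Extended ACL exists. It follows acl(5), under which the mask caps named users, named groups and the owning-group entry (group::), while user:: and other:: are never masked. The listing is constructed from the file1 example with the mask lowered to r-x so the cap is visible.

```python
# Constructed getfacl listing: the file1 example above, with the mask
# lowered to r-x so the cap on user:nerdo and group:: is visible.
SAMPLE_GETFACL = """\
# file: file1
# owner: cloud_user
# group: users
user::rw-
user:nerdo:rw-
group::r--
mask::r-x
other::r--
"""


def parse_acl(text):
    """Return (tag, qualifier, perms) access entries from getfacl text.
    Comment lines, '#effective:' annotations and default: entries are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#effective:")[0].strip()
        if not line or line.startswith("#") or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    return entries


def perm_and(a, b):
    """Bitwise AND of two rwx strings: 'rw-' & 'r-x' -> 'r--'."""
    return "".join(x if x == y and x != "-" else "-" for x, y in zip(a, b))


def effective_acl(entries):
    """Add the effective rights to each entry.  Per acl(5) the mask caps
    named users (user:NAME), the owning group (group::) and named groups;
    the owner (user::) and other:: entries are never masked."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    result = []
    for tag, qualifier, perms in entries:
        masked = mask is not None and (bool(qualifier) if tag == "user" else tag == "group")
        effective = perm_and(perms, mask) if masked else perms
        result.append((tag, qualifier, perms, effective))
    return result


def ls_mode_string(entries, is_dir=False):
    """The mode field ls -l shows.  With an Extended ACL the middle triad is
    the mask, not group::, and a '+' is appended (the '+' on the slide)."""
    by = {(t, q): p for t, q, p in entries}
    mask = by.get(("mask", ""))
    middle = mask if mask is not None else by[("group", "")]
    return (("d" if is_dir else "-") + by[("user", "")] + middle
            + by[("other", "")] + ("+" if mask is not None else ""))
```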


Setting Extended ACLs - Directories

Set a directory to have a named group added to the ACL:
$ setfacl -m group:docker:rw dir1
# file: dir1
# owner: cloud_user
# group: users
user::rw-
group::r-x
group:docker:rw-     <added>
mask::rw-
other::r--

Setting a directory default ACL:
$ setfacl -dm u::rwx,g::rw,o::r dir1
# file: dir1
# owner: cloud_user
# group: users
user::rwx
group::r-x
other::r-x
default:user::rwx     <added>
default:group::rwx
default:other::r--

Example


Clearing ACLs

Example

Showing the target file's ACL:
$ getfacl file1
<...>
user:nerdo:rw-
<...>

Remove a named user from an ACL:
$ setfacl -x u:nerdo file1

Remove all Extended ACL entries:
$ setfacl -b file1
# file: file1
# owner: cloud_user
# group: users
user::rw-
group::r--
other::r--

-b   Remove all Extended ACL entries (back to Minimal)
-x   Selectively delete named user/group entries

ACL Removal Options


Understanding Privilege Delegation

Changing User and Group Identity

- User accounts are limited in abilities by default
- The root user decides who you can become and how
- Elevated privileges are temporary by default

su       Use for a non-login shell, or su - for a login shell
sg       Allows a user to switch to another effective group
newgrp   Similar to the sg command

Traditional Commands for Elevating Privileges


sudo     Full privilege elevation suite, detailed abilities

Advanced Privilege Elevation


Using the sudo Utility

- Requires root to set up access
- Logs usage for later inspection
- Prevents regular users from needing the root password
- Highly configurable, many options (oh so many)

sudo           The main command, used by anyone
/etc/sudoers   Configuration file for sudo
visudo         Used to configure /etc/sudoers safely
sudoedit       Same as sudo -e; limits editing rights, much safer than using sudo vim file

Commands Related to sudo

How Passwords are Handled

- By default, sudo asks for the root user password
- Can be configured to ask for the invoking user's password
- Best practice:
  - Require the invoking user's password for all sudo access
  - Grant access via aliases (easy to add/remove)
  - Log all sudo use and review the logs often


Default Entries in /etc/sudoers

- Systems ship with a default access entry: root ALL=(ALL:ALL) ALL
- Only root (or a user with the root password) can run all commands
- If a non-root user runs root commands, they're prompted for the root password

Decoding a sudo Access Entry

root   ALL   =  (ALL  :  ALL)   ALL
 |      |         |       |      |
 |      |         |       |      Commands they can run
 |      |         |       As what group (sudo -g)
 |      |         As what user (sudo -u)
 |      On what host(s)
 User running sudo


Example

user(s)  host(s) = (user(s))  command(s)

1. Open the /etc/sudoers file:
   $ sudo visudo
2. Find the "User privilege specification" section:
   ##
   root ALL=(ALL) ALL
   cloud_user ALL=(ALL) ALL
3. Add the following line and press Enter:
   rossb ALL=(ALL) /usr/sbin/useradd, /usr/sbin/usermod
4. Save and exit visudo
5. Test the functionality

Simple Additions to /etc/sudoers

- Remember to use visudo
- Be as simple as possible
- Who, on what system, can run what commands


Understanding sudo Aliases

- Four types of aliases exist.
- Think of them as access variables you can refer to.
- These can restrict all the way down to command options.
- It's possible to easily confuse yourself and others.

Host      Named set of hosts to allow users access on
Command   Named set of commands to grant access to
User      Named set of users you want to grant access by
Runas     List of users a command can be run as (non-root)

Using sudo Aliases

User_Alias PWMGRS = ross, ursulak
Cmnd_Alias PWTOOLS = /usr/bin/passwd, /usr/bin/chage
Host_Alias PWHOSTS = host1
PWMGRS PWHOSTS = (root) PWTOOLS

Explanation: The users (ross, ursulak) can use the commands (passwd, chage) as the user (root), only on the host (host1).
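Decoding an access entry into the fields labelled on the "Decoding a sudo Access Entry" slide and resolving the aliases just shown, as an added example and not code from the course or from sudo itself. It handles only the syntax on these slides (user specifications with an optional (user:group) part and the four alias kinds; no Defaults, tags or wildcards), and the sudoers text is constructed from the entries on the slides.

```python
import re

# Constructed sudoers text made only of the entries shown on these slides.
SAMPLE_SUDOERS = """\
root ALL=(ALL:ALL) ALL
rossb ALL=(ALL) /usr/sbin/useradd, /usr/sbin/usermod
User_Alias PWMGRS = ross, ursulak
Cmnd_Alias PWTOOLS = /usr/bin/passwd, /usr/bin/chage
Host_Alias PWHOSTS = host1
PWMGRS PWHOSTS = (root) PWTOOLS
"""

# who  where = (as-user[:as-group])  what  -- the layout decoded on the slide
RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
ALIAS = re.compile(r"^(?:User|Cmnd|Host|Runas)_Alias\s+(\w+)\s*=\s*(.+)$")


def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_sudoers(text):
    """Return (aliases, rules) for the subset of sudoers syntax on these slides."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = split_list(m.group(2))
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        who, hosts, runas, commands = m.groups()
        # No "(...)" part means the commands may only be run as root.
        run_user, _, run_group = (runas or "root").partition(":")
        rules.append({"user": who, "host": hosts, "runas_user": run_user,
                      "runas_group": run_group, "commands": split_list(commands)})
    return aliases, rules


def expand(name, aliases):
    """Resolve an alias (aliases may refer to other aliases) to concrete values."""
    if name in aliases:
        return [v for member in aliases[name] for v in expand(member, aliases)]
    return [name]


def decode(rule, aliases):
    """Flatten one entry into the fields labelled on the slide: who, where, as whom, what."""
    return {"users": expand(rule["user"], aliases),
            "hosts": expand(rule["host"], aliases),
            "runas_users": expand(rule["runas_user"], aliases),
            "runas_group": rule["runas_group"],
            "commands": [c for x in rule["commands"] for c in expand(x, aliases)]}


def may_run(text, user, host, command, as_user="root"):
    """True if some entry grants user@host the command as as_user; ALL matches anything."""
    aliases, rules = parse_sudoers(text)
    for d in (decode(r, aliases) for r in rules):
        checks = ((user, d["users"]), (host, d["hosts"]),
                  (as_user, d["runas_users"]), (command, d["commands"]))
        if all(want in have or "ALL" in have for want, have in checks):
            return True
    return False
```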
