Difference between revisions of "OPS235 Lab 4"

From CDOT Wiki
Jump to: navigation, search
Line 200: Line 200:
 
===Part 2: How do we Manage Runlevels?===
 
===Part 2: How do we Manage Runlevels?===
  
Running servers in graphical mode will make your system most likely to be penetrated. The X-windows framework can be vulnerable to attacks when these servers are connected to the Internet. This is why when you install server versions of Linux, they work in text-based mode only. Desktop versions of Linux are then installed on workstations (working in graphical mode) that connect to the server (for security reasons).
+
Running Linux servers in graphical mode can make the server vulnerable to penetration (i.e. hacking). The X-windows framework can be vulnerable to attacks when these servers are connected to the Internet. This is why when you install '''server versions''' of Linux, they work in text-based mode only. Desktop versions of Linux are then installed on workstations (working in graphical mode) that connect to the '''Linux server''' (for security reasons since those servers are closest to the router and the Internet).
  
 
The Linux sysadmin can also change the run-level (or state) of a graphical Linux server to run in text-based mode and run the graphical mode by issuing a command when graphic mode is required. The run-level term is now deprecated in Fedora, and will likely be deprecated in RHEL/CentOS at some point as well, but for now this is what the industry is using.
 
The Linux sysadmin can also change the run-level (or state) of a graphical Linux server to run in text-based mode and run the graphical mode by issuing a command when graphic mode is required. The run-level term is now deprecated in Fedora, and will likely be deprecated in RHEL/CentOS at some point as well, but for now this is what the industry is using.

Revision as of 10:44, 28 September 2016


LAB PREPARATION

System administrators are required to add, remove and modify user accounts.
Linux system administrators need to know how to stop / disable Linux services.
Linux system administrators need to know how to start / enable Linux services.

Purpose / Objectives of Lab 4

There are many other tasks that a Linux system administrator must perform other than installing Linux and installing software.

User account management is a very important operation that a Linux sysadmin does on an continual basis. The sysadmin not only needs to add or remove user accounts by issuing commands, but may need to automate user account creations a large number (batch) of potential employees. There are many features with the Linux command to create new users including: specification of a home directory, type of shell used, name, password and time-limit (referred to as "aging") for a new user account. Removing user accounts also have options such as removing the user account but keeping the home directory for reference or evidence of "wrong-doing"

Another important operation for a Linux sysadmin is to manage services (eg. starting, restarting, stopping, disabling, enabling system services). Many students may think that the following topic is small and "not a big deal". Those students may say, "How hard is running and stopping services?"

The process may not be hard, but knowing how to stop, start, restart and check the status of services is absolutely critical to a Linux server. Aside from learning to trouble-shoot problems by checking the status of running services, understanding how to manage services is critical to help protect a Linux server from penetration (this term is referred to as "Hardening a system"). Sometimes it is "what we don't know" that can harm us. One key element in hardening a computer system is to disable non essential networkng services to allow IDSs (Intrusion Detection Systems) to focus on a narrower range of policy violations. A Debian-based penetration testing distribution called Kali (formerly referred to as "BackTrax") allows sysadmins and security professionals to identify vulnerabilities in their computer systems, and thus improve (harden) their systems against penetration. Learning to monitor the status, enable and disable networking services underlies the Backtrax motto: "The quieter you are, then more you will hear..."

Main Objectives:

  • Administer (add, remove, modify) users on a Linux system.
  • Save time while adding new users using a template of start-up files.
  • Create and manage groups on a Linux system.
  • Start, Restart and Stop services on a Linux system.
  • Enabled and Disable services on a Linux system.
  • Display the status of running services on a Linux system.
  • Create a Bash shell script to generate multiple user accounts from a text user database file


Minimum Required Materials
Linux Command Reference
Solid State Drive
USB key
(for backups)
Lab4 Log Book
User Management

useradd
userdel
usermod
groupadd
groupdel
chage

Managing Services
chkconfig
service
systemctl

Miscellaneous

/etc/passwd
/etc/group
/etc/shadow
/etc/skel
init vs systemd


INVESTIGATION 1: User/Group Management

In your ULI101 course, you learned to change permissions for directories and files relating to user, same group members and other group members. In this course, since you are the sysadmin with root privileges, you can create or remove users and groups as well as change the ownership of directories and files! We will now learn to perform key user account management operations in this section.


The /etc/passwd file contains records for users (system accounts and regular-user accounts). There are several fields including: Username, password link ("x" indicates hashed password stored in /etc/shadow file only accessible by root), user-id, primary group-id, user defined field (eg. Full Name), default home directory, and default shell.

Part 1: Studying the /etc/passwd file

The /etc/passwd file is a database that stores user accounts (both system and regular users). Since we will be learning to create, modify and remove users on our Linux system, we should study this file in order to understand how those user account management commands will affect this file.

Perform the following steps:
  1. Launch your c7host and centos1 VMs.
  2. Switch to your centos1 VM.
  3. Open a shell terminal and login as root.
  4. Look at the /etc/passwd file.
  5. Make note of the contents of that file.
  6. Read about the file: http://man7.org/linux/man-pages/man5/passwd.5.html
  7. Make sure you know what information each field contains.
  8. Why do you think there are so many users?
  9. Look at the names of the users. What do you think these user names represent? Are they people?
  10. What is the numeric user ID (UID) of the root user?
  11. The user IDs of real users (people) are different from the user IDs of system accounts. What is the pattern?


Another essential responsibility for Linux system administrators is to add, modify, and remove user accounts.

Part 2: Adding, Removing, and Modifying Users

In this section, we will now learn how to properly add user accounts, remove user accounts, and modify existing user account information.

Perform the following steps:
  1. Remain in your centos1 VM for this section.
  2. Read the man page for the useradd command.
  3. Create a new user called ops235_1 by issuing the command:
    useradd ops235_1
  4. Issue the command: grep ops235_1 /etc/passwd to see if that user account was created.
  5. View the /home directory to view the contents. Is the user ops235_1's home directory there?

    NOTE: In some versions of Linux, you may have to issue the -m option with the useradd command in order to create a home directory for that user.

  6. Issue the following command to create the user called ops235_2:
    useradd -m ops235_2
  7. View the /home directory to verify that the home directory for ops235_2 has been created. What does the -m option do for the useradd command?
  8. Issue the following command to remove the user called ops235_2: userdel ops235_2
  9. Issue the grep command with the /etc/passwd file to verify that the username ops235_2 was removed.
  10. View the contents of the /home directory. Was the home directory for user ops235_2 removed?
  11. Issue the following command to remove ops235_2's home directory: rm -rf /home/ops235_2
  12. Issue the userdel comamnd to remove the ops235_1 account with the -r option (and home directory regardless if it exists or not).
  13. Issue the useradd -m command to recreate the user called: ops235_1.
  14. Use the passwd command to set the password for the user ops235_1.
  15. View the contents for ops235_1's home directory and note the files.
  16. Create a new file in the /etc/skel directory with the following command: touch /etc/skel/foo
  17. Recreate the new user (with home directories automatically created) for ops235_2.
  18. Set the password for the user ops235_2.
  19. View the contents for ops235_2's home directory and note the files. What do you notice that is different. What do you think is the purpose of the /etc/skel directory?
  20. Be sure to record your observations in your lab notes.
  21. Issue the man pages for the useradd command. Explain the purpose of using the -e option for the useradd command.
  22. Issue the following command: chage -E 2018-05-31 ops235_1
  23. Issue the following command: usermod -c "New Name" ops235_2.
  24. View ops235_2's account information in the /etc/passwd file. What do you notice is different?
  25. Issue the following command to obtain information regarding the user called ops235_1: chage -l ops235_1. What do you think is the purpose of the chage command and the useradd command with the -e option?


When a file is created it is assigned an owner and a default (primary) group. The Linux system administrator can not only change a file's ownership, but also change the default group that file belongs to. In addition, the sysadmin can also add other users to a supplementary group that they have created via the usermod command. This is useful in setting "same group" permissions via the chmod command.

Part 3: Managing Groups

In this section, we will learn how to create, remove and modify groups in our Linux VM. You learned in ULI101 how to change permissions with the chmod command, but you didn't have admin privileges to create groups to allow directory and regular file sharing. Since you now have admin privileges with your VM, you can now create groups, and add users to this group to allow file-sharing among users.

Perform the following steps:
  1. Make certain that you are still in your centos1 VM.
  2. Close all application windows, and switch user accounts (within your centos1 VM) by clicking on the top right-hand side of the screen (power icon), click your regular username, click switch user, and login as "New Name" (i.e. ops235_2).
  3. Open a shell terminal.
  4. Create a file called information.txt in home directory of that user.
  5. Issue the following command: ls -l information.txt. Who owns that file? What primary group does that file belong to?
  6. Issue the command su - to login to your root account.
  7. Issue the following command to create a group called welcome: groupadd welcome
  8. Issue the command: grep welcome /etc/group file to confirm that the group welcome was created.
  9. Read the man page for the usermod command. Which option allow you to set the Group ID number (GID) when you create a new group? Which options allow you to both append and assign users to an existing group name?
  10. Issue two separate usermod commands to add both ops235_1 and ops235_2 to the newly-created welcome group.
  11. Verify that both ops235_1 and ops235_2 now belong to the welcome group.


Practical Example

Management has sent you (the Linux systadmin) that a "new" employee has been hired and will be on on probation for 3 months. As the Linux system administrator, they want you to perform the following steps:

  1. Remain in your centos1 VM for this section.
  2. Use the useradd command to create a user account called: noobie to expire in 3 months from this date as part of the security policy of this organization (issue man useradd to determine correct option to set expiry date).
  3. Set an appropriate password for this user account.
  4. Add this newly-created user to the newly-created welcome group.
  5. Examine /etc/group to verify that you made the correct operations.
  6. Use the usermod command to set the full name of the user account noobie to "Really Green". Examine the result of running that command in the /etc/passwd file. What has changed?

    Unfortunately, you were later informed that this "noobie" employee was caught stealing from the company. They want you to perform the following operations:

  7. Remove this account, but keep "noobie's" home directory for police investigation purposes.
  8. Verify that you correctly issued the correct commands.

Answer INVESTIGATION 1 observations / questions in your lab log book.


INVESTIGATION 2: Managing System Services and Run-levels

It is important for a Linux system administrator to be able to start/stop, enable/disable and check the status of services on their Linux server. Students will be commonly performing these operations in their OPS335 course when configuring and troubleshooting network services.

Part 1: How do we Manage System Services?

At the beginning of this lab we mentioned that running unneeded packages can be a security risk due to the unnecessary increase in the complexity of your system. Similarly, it is also unnecessarily hazardous, and even more so, to leave unneeded services running. In this investigation, we will learn how to control services, and turn off those services that we think are not necessary to help reduce security risks.

Although there is a command called: service that may appear to manager services on your Linux system, it is considered deprecated (i.e. "obsolete"). It has been replaced by using the systemctl command.

Perform the following steps:
  1. Remain in your centos1 VM for this section.
  2. To verify the status of your iptables service, issue the following command: systemctl status iptables
  3. Use the commands you used in Lab2 to stop and disable the iptables service.
  4. Issue a command to verify you disabled and stopped the iptables service.

    Note: There is a major difference between stopping a service and disabling a service: If a service is stopped but enabled, the service will start upon reboot. Therefore to prevent it being started upon boot-up, the service will need to be disabled as well!

  5. Issue the commands to start and enable the iptables service, and verify that it is started and enabled.

    Note: If you performed the commands correctly, the iptables service should be running, and will automatically run upon your Linux machine start-up.


Part 2: How do we Manage Runlevels?

Running Linux servers in graphical mode can make the server vulnerable to penetration (i.e. hacking). The X-windows framework can be vulnerable to attacks when these servers are connected to the Internet. This is why when you install server versions of Linux, they work in text-based mode only. Desktop versions of Linux are then installed on workstations (working in graphical mode) that connect to the Linux server (for security reasons since those servers are closest to the router and the Internet).

The Linux sysadmin can also change the run-level (or state) of a graphical Linux server to run in text-based mode and run the graphical mode by issuing a command when graphic mode is required. The run-level term is now deprecated in Fedora, and will likely be deprecated in RHEL/CentOS at some point as well, but for now this is what the industry is using.

The purpose of Linux servers are to run network-based services (i.e. they "serve" the users that operating in that Linux/Unix system). It is common that these Linux servers are separated (for security purposes) and they are run in Command-Line mode only. Running these Linux/Unix servers in Graphics Mode will make them more vulnerable to penetration from hackers, etc. Therefore, it is common that the Linux servers are CLI only, but the Workstations that connect to them within the network are GUI. Therefore, it is important that a Linux/Unix system administrator understand to switch to these different "run-levels".
Perform the following steps:
  1. Remain in your centos1 VM for this section.
  2. Issue the following Linux command: runlevel
  3. You can use the init command to change the current run-level. See a list of runlevels here.
  4. Issue the init command to change the current run-level in centos1 to 3 by issuing the following command:
    init 3
  5. What did you notice?
  6. Issue the following Linux command: startx
    What happens? Why would you want to make a graphical Linux system run in text-based mode?
  7. Log-off your graphical system. You should return to your CLI shell prompt; therefore that command did not reset your run-level.
  8. Reissue the init command to change the current run-level back to 5
    Did it work?
  9. Issue the runlevel command to verify that the run-level is set to 5 (i.e. Graphical). You should notice a 3 followed by a 5. That is to indicate that the current run-level is 5, but previously, it was set to 3.

Answer INVESTIGATION 2 observations / questions in your lab log book.


INVESTIGATION 3: CREATING LINUX COMMANDS VIA SHELL SCRIPTS

Idea.png
Bash Shell Scripting Tips:

The case statement
  • The case statement is a control-flow statement that works in a similar way as the if-elif-else statement (but is more concise). This statement presents scenerios or "cases" based on values or regular expressions (not ranges of values like if-elif-else statements).

  • After action(s) are taken for a particular scenerio (or "case"), a break statement (;;) is used to "break-out" of the statement (and not perform other actions). A default case (*) is also used to catch exceptions.

  • Examples:

    read -p "pick a door (1 or 2): " pick
    case $pick in
      1) echo "You win a car!" ;;
      2) echo "You win a bag of dirt!" ;;
      *) echo "Not a valid entry"
         exit 1 ;;
    esac


    read -p "enter a single digit: " digit
    case $digit in
      [0-9]) echo "Your single digit is: $digit" ;;
             *) echo "not a valid single digit"
                 exit 1 ;;
    esac


The getopts function
  • The getopts function allows the shell scripter to create scripts that accept options (like options for Linux commands). This provides the Linux administrator with scripts that provide more flexibility and versatility. A built-in function called getopts (i.e. get command options) is used in conjunction with a while loop and a case statement to carry out actions based on if certain options are present when the shell script is run.

  • The variable $OPTARG can be used if an option accepts text (denoted in the getopts function with an option letter followed by a colon. Case statement exceptions use the :) and \?) cases for error handling.

  • Example:

    while getopts abc: name
    do
      case $name in
        a) echo "Action for option \"a\"" ;;
        b) echo "Action for option \"b\"" ;;
        c) echo "Action for option \"c\""
            echo Value is: $OPTARG" ;;
        :) echo "Error: You need text after -c option"
            exit 1 ;;
        \?) echo "Error: Incorrect option"
            exit 1 ;;
    esac

    done

Using getopts Function & case statement

We will now use shell scripting to help automate the task for a Linux adminstrator to create regular user accounts.

Perform the following steps:
  1. You will be using your c7host machine for this section.
  2. Open a shell terminal, and login as root.
  3. Change to the /root/bin directory.
  4. Download, study, and run the following shell script. Issue the command:
    wget https://scs.senecac.on.ca/~murray.saul/user-create.bash
  5. Try to understand what these Bash Shell scripts do, and then run the script as root to create just one user called test. After running the shell script, view the contents of the /home directory to confirm.


Although the zenity command is a "user-friendly" way to run shell scripts, Linux administrators usually create shell scripts that resemble common Linux commands. In this lab, you will learn to create a shell script using the getopts function to make your shell script behave more like actual Linux commands (including the use of options). Refer to the notes section on the right-hand-side for reference about the case statement and the getopts function.


  1. Open a Bash shell terminal and login as root.
  2. Change to the /root/bin directory.
  3. Use the wget command to download the input file called user-data.txt by issuing the command:
    wget https://scs.senecac.on.ca/~murray.saul/user-data.txt
  4. View the contents on the user-data.txt file to confirm there are 3 fields (username, fullname, and e-mail address)which are separated by the colon (:) symbol.
  5. Use a text editor (such as vi or nano) to create a Bash Shell script called: createUsers.bash in /root's home directory.
  6. Enter the following text content into your text-editing session:


#!/bin/bash

# createUsers.bash
# Purpose: Generates a batch of user accounts (user data stored in a text file)
#
# USAGE: /root/createUsers.bash [-i {input-path}]
#
# Author: *** INSERT YOUR NAME ***
# Date: *** CURRENT DATE ***

# Make certain user is logged in as root
if [ $USER != "root" ]
then
   echo "Note: You are required to run this program as root."
   exit 1
fi

if [ "$#" -eq 0 ] # if no arguments after command
then
 echo "You must enter an argument" >&2
 echo "USAGE: $0 [-i {input-path}]" >&2
 exit 2
fi

  1. Save your editing session, but remain in the text editor.
  2. The code displayed below uses the getopt function set the input file pathname or check for invalid options or missing option text. Add the following code



outputFlag="n"
while getopts i: name
do
 case $name in
   i) inputFile=$OPTARG ;;
   :) echo "Error: You need text after options requiring text"
       exit 1 ;;
   \?) echo "Error: Incorrect option"
        exit 1 ;;
 esac
done

  1. Save your editing session, but remain in the text editor.
  2. The code displayed below uses logic to exit the script if the input file does not exist. Command substitution is used to store each line of the input file as a positional parameter. There is one subtle problem here: The full names of the users contain spaces which can create havoc when trying to set each line as a separate positional parameter. In this case the sed command is used to convert spaces to plus signs (+), which will be converted back later. Finally, a for loop is used to create each account (useradd) and mail the user their account information (mail). Add the following code:



if [ ! -f $inputFile ]
then
  echo "The file pathname \"$inputFile\" is empty or does not exist" >&2
  exit 2
fi

set $(sed 's/ /+/g' $inputFile) # temporarily convert spaces to + for storing lines as positional parameters

for x
do
    userPassWd=$(date | md5sum | cut -d" " -f1)
    useradd -m -c "$(echo $x | cut -d":" -f2 | sed 's/+/ /g')" -p $userPassWd $(echo $x | cut -d":" -f1)
    mail -s "Server Account Information" $(echo $x | cut -d":" -f3) <<+
    Here is your server account information:
    servername: myserver.senecac.on.ca
    username: $(echo $x | cut -d":" -f1)
    password: $userPassWd
    Regards,
    IT Department
+
done

echo -e "\n\nAccounts have been created\n\n"
exit 0

  1. Save, set permissions, and then run that shell script for the input text file user-data.txt. Did it work? Try running the script without an argument - What did it do?
  2. You have completed lab4. Proceed to Completing The Lab, and follow the instructions for "lab sign-off".

Answer INVESTIGATION 3 observations / questions in your lab log book.

LAB 4 SIGN-OFF (SHOW INSTRUCTOR)

Important.png
Time for a new backup!
If you have successfully completed this lab, make a new backup of your virtual machines as well as your host machine.
Perform the Following Steps:
  1. Make certain that your c7host, centos1 and centos2 VMs are running.
  2. Switch to your c7host VM.
  3. Open a shell terminal, su - into root, and change to the /root/bin directory.
  4. Issue the Linux command: wget http://matrix.senecac.on.ca/~murray.saul/ops235/lab4-check.bash
  5. Give the lab4-check.bash file execute permissions (for the file owner).
  6. Run the shell script and if any warnings, make fixes and re-run shell script until you receive "congratulations" message.
  7. Arrange proof of the following on the screen:
    centos1 VM:
    • Demonstrate that this VM 's current run-level is set to 5.
    c7host machine
    • Run the lab4-check.bash script in front of your instructor (must have all  OK  messages)
    Lab4 log-book filled out.


Practice For Quizzes, Tests, Midterm & Final Exam

  1. Describe all of the field in /etc/passwd
  2. What is the command to create a user? What option to create a home directory for that user?
  3. What is the command to change the full name of an already-created user?
  4. What is the command to delete a user account? What option allows for the user's home directory to be removed as well?
  5. What is the command to create a group? What is the command (or steps) to include a user in a newly-created group?
  6. What is the purpose of /etc/shadow?
  7. What is the purpose of /etc/skel?
  8. What does the term run-level mean?
  9. How to set the run-level of a Linux system to text-based only? How to set to graphical mode?
  10. What is the command to view the status of running services?
  11. What is the command to start a service (like httpd, or sshd)?
  12. What is the command to stop a service (like httpd, or sshd)?
  13. What is the difference between starting a service and enabling a service?
  14. Can a service be stopped and started by issuing just one command?
  15. What is the purpose of the case statement in shell scripting?
  16. What is the purpose of the getopts function in shell scripting?
  17. What type of shell script would be best to automatically create 1200 user accounts (which a list of usernames are stored in a text-file)?