Difference between revisions of "OPS235 Lab 4 - CentOS7"

From CDOT Wiki
Jump to: navigation, search
 
(143 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
[[Category:OPS235]]
 
[[Category:OPS235]]
 +
{{Admon/caution|THIS IS AN OLD VERSION OF THE LAB|'''This is an archived version. Do not use this in your OPS235 course.'''}}
 +
=LAB PREPARATION=
 +
 +
==Purpose / Objectives of Lab 4==
 +
{| width="40%" align="right" cellpadding="10"
 +
|- valign="top"
 +
|
 +
[[Image:users.png|thumb|right|150px|System administrators are required to add, remove and modify user accounts.]]
 +
|
 +
[[Image:on-off.png|thumb|right|135px|In order to perform maintenance, system administrators need to know how to stop and start services for a Linux system.  ]]
 +
|}
  
=Logical Volume Management (Continued) and User / Group Management=
 
  
==Introduction==
+
There are many other tasks that a Linux system administrator must perform other than installing Linux and installing software.
  
In this lab you're going to learn how to:
+
A few additional tasks are user management and managing services.
  
:* Add a virtual hard disk and expand your vm's existing file system using LVM
 
:* Administer (add, remove, modify) users on a Linux system.
 
:* Save time while adding new users using a template of start-up files.
 
:* Create and manage groups on a Linux system.
 
  
== Required Materials (Bring to All Labs) ==
+
<u>Main Objectives</u>:
 +
<br>
 +
:* Administer '''(add, remove, modify) users''' on a Linux system.
 +
:* Save time while adding new users using a template of '''start-up files'''.
 +
:* Create and manage '''groups''' on a Linux system.
 +
:* '''Start and Stop services''' on a Linux system.
 +
:* Display the '''status of running services''' on a Linux system.
  
* CentOS 6.5 x86_64 Live DVD
 
* CentOS 6.5 x86_64 Installation DVD1
 
* SATA Hard Disk (in removable disk tray)
 
* USB Memory Stick
 
* Lab Logbook
 
  
==Prerequisites==
 
  
* Completion and Instructor "Sign-off" of Lab 2: [[OPS235 Lab 3 - CentOS6]]
+
==Minimum Required Materials==
  
==Linux Command Online Reference==
+
{|cellpadding="15" width="40%"
Each Link below displays online manpages for each command (via [http://linuxmanpages.com/ http://linuxmanpages.com]):
 
  
{|width="100%" cellpadding="5"
 
|'''LVM Information Utilities:'''
 
|'''LVM Management Utilities:'''
 
|'''Additional Utilities:'''
 
 
|- valign="top"
 
|- valign="top"
|
+
 
*[http://linuxmanpages.com/man8/vgs.8.php vgs]
+
|width="10%" | [[Image:harddrive.png|thumb|left|85px|<b>Removable Hard Disk Pack</b> (SATA)]]
*[http://linuxmanpages.com/man8/lvs.8.php lvs]
+
 
*[http://linuxmanpages.com/man8/pvs.8.php pvs]
+
|width="10%" |[[Image:ubs-key.png|thumb|left|85px|<b>USB key</b><br>(for backups)]]
*[http://linuxmanpages.com/man8/vgdisplay.8.php vgdisplay]
+
 
*[http://linuxmanpages.com/man8/lvdisplay.8.php lvdisplay]
+
|width="10%" |[[Image:log-book.png|thumb|left|70px|<b>Lab4 Log Book</b>]]
*[http://linuxmanpages.com/man8/pvdisplay.8.php pvdisplay]
+
 
|
 
*[http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-system-config-lvm.html system-config-lvm] (Tutorial)
 
*[http://linuxmanpages.com/man8/lvextend.8.php lvextend]
 
*[http://linuxmanpages.com/man8/resize2fs.8.php resize2fs]
 
*[http://linuxmanpages.com/man8/lvcreate.8.php lvcreate]
 
*[http://linuxmanpages.com/man8/lvreduce.8.php lvreduce]
 
*[http://linuxmanpages.com/man8/pvcreate.8.php pvcreate]
 
*[http://linuxmanpages.com/man8/vgextend.8.php vgextend]
 
|
 
*[http://linuxmanpages.com/man8/mount.8.php mount]
 
*[http://linuxmanpages.com/man8/umount.8.php umount]
 
*[http://linuxmanpages.com/man8/useradd.8.php useradd]
 
*[http://linuxmanpages.com/man8/userdel.8.php userdel]
 
*[http://linuxmanpages.com/man8/usermod.8.php usermod]
 
*[http://linuxmanpages.com/man8/groupadd.8.php groupadd]
 
*[http://linuxmanpages.com/man8/groupdel.8.php groupdel]
 
 
|}
 
|}
  
==Resources on the web==
+
==My Toolkit (CLI Reference)==
Additional links to tutorials and HOWTOs:
 
  
:* [[Logical Volume Management]] ('''Note:''' It is recommended to return to this guide as a reference when performing the next several investigations)
+
{|width="50%" cellpadding="15"
:* [http://www.thegeekstuff.com/2011/05/ext2-ext3-ext4/ Linux File Systems (ext2/ext3/ext4)]
+
|- valign="top"
:* [http://tldp.org/HOWTO/Partition/fdisk_partitioning.html Partitioning with fdisk]
+
|width="10%" |<u>User Management:</u>
:* [http://www.linux-tutorial.info/modules.php?name=MContent&pageid=282 Mounting / Unmounting File-systems]
+
[http://unixhelp.ed.ac.uk/CGI/man-cgi?useradd+8 useradd]<br>
:* [http://www.itwire.com/business-it-news/open-source/14446-uid-and-gid-the-basics-of-linux-user-admin UID and GID explained]
+
[http://unixhelp.ed.ac.uk/CGI/man-cgi?userdel+8 userdel]<br>
 +
[http://unixhelp.ed.ac.uk/CGI/man-cgi?usermod+8 usermod]<br>
 +
[http://unixhelp.ed.ac.uk/CGI/man-cgi?groupadd+8 groupadd]<br>
 +
[http://unixhelp.ed.ac.uk/CGI/man-cgi?groupdel+8 groupdel]
 +
|width="10%" |<u>Managing Services</u>
 +
[http://unixhelp.ed.ac.uk/CGI/man-cgi?chkconfig+8 chkconfig]<br>
 +
[http://unixhelp.ed.ac.uk/CGI/man-cgi?service+8 service]<br>
 +
[http://www.dsm.fordham.edu/cgi-bin/man-cgi.pl?topic=systemctl systemctl]<br>
 +
|width="10%" |<u>Miscellaneous</u>
 +
[http://man7.org/linux/man-pages/man5/passwd.5.html /etc/passwd]<br>
 +
[http://man7.org/linux/man-pages/man5/group.5.html /etc/group]<br>
 +
[http://man7.org/linux/man-pages/man5/shadow.5.html /etc/shadow]<br>
 +
[http://archive.linuxfromscratch.org/blfs-museum/1.0/BLFS-1.0/postlfs/skel.html /etc/skel]<br>
 +
[http://zenit.senecac.on.ca/wiki/index.php/Init_vs_systemd init vs systemd]
 +
|}
  
  
= Software Package Management =
+
= INVESTIGATION 1: User/Group Management =
  
== Investigation 1: How do you query the RPM database? ==
+
User account management is a very important operation that a Linux sysadmin does on a consistent basis. The sysadmin not only needs to add or remove user accounts by issuing commands, but may need to automate user account creations a large number (batch) of potential employees. There are many features with the Linux command to create new users including: specification of a home directory, type of shell used, name, password and time-limit (referred to as "aging") for a new user account. Remove user accounts also have options such as removing the user account but keeping the home directory for reference or evidence of "wrong-doing"
  
RPM maintains a database of installed software. This information is very useful to system administrators. In the previous lab you queried that database using RPM with the -q argument. When you query the RPM database, you can separately specify:
+
In your ULI101 course, you learned to change permissions for directories and files relating to user, same group members and other group members. In this course, since you are the sysadmin with root privileges, you can create or remove groups as well as change the ownership of directories and files! We will now learn to perform key user account management operations in this section.
:* Do an <u>operational task</u> on one or more packages (like installing or removing a package), using a '''select-option'''
 
:* What <u>information</u> you want about those packages, using a '''query-option'''
 
  
'''Perform the following steps:'''
+
== Part 1: The /etc/passwd file ==
  
(Perform investigations 1 - 3 in your host machine (c6host)
+
# Look at the <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/passwd</span></code></b> file.
 +
# Make note of the contents of that file.
 +
# Read about the file: http://man7.org/linux/man-pages/man5/passwd.5.html
 +
# Make sure you know what information each field contains.
 +
# Why do you think there are so many users?
 +
# Look at the names of the users. What do you think these user names represent? Are they people?
 +
# What is the numeric user ID (UID) of the root user?
 +
# The user IDs of real users (people) are different from the user IDs of system accounts. What is the pattern?
  
# Using information from the man page for <code>rpm</code>, fill in this information:
+
'''Answer the Part 1 observations / questions in your lab log book.'''
  
{|width="100%" border="1" cellpadding="5"
+
== Part 2: Adding users ==
|-
 
!Option
 
!Meaning
 
!Select or query option?
 
!Example command
 
|-
 
| -a
 
|Select all packages
 
|select-option
 
|
 
|-
 
| -l
 
|
 
|
 
|
 
|-
 
| -i
 
|Show the package information.
 
|
 
|
 
|-
 
| -f filename
 
|
 
|
 
|
 
|-
 
|packagename
 
|Select just this package
 
|select-option
 
|
 
|}
 
  
'''Answer the Investigation 1 observations / table contents in your lab log book.'''
 
  
== Investigation 2: How do you install and remove software with RPM? ==
+
#Perform this part in your '''centos1''' VM.
 +
# Read the man page for the <b><code><span style="color:#3366CC;font-size:1.2em;">useradd</span></code></b> command.
 +
# Create three fictitious users (make-up their userids and full names. Give each of these newly-created users a password.
 +
# Grep the <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/passwd</span></code></b> file for each of the new users.
 +
#* What is the '''home''' directory of each user?
 +
#* What '''group''' is each user in?
 +
#* What other information can you provide regarding these users?
 +
#* Where are the '''passwords''' stored?
 +
# Look at the man page for '''/etc/shadow''' using the command: <b><code><span style="color:#3366CC;font-size:1.2em;">man 5 shadow</span></code></b>
 +
#* Grep the <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/shadow</span></code></b> file for each of the new users.
 +
#* Make note of this information.
 +
# Create two new dummy users, <b><code><span style="color:#3366CC;font-size:1.2em;">ops235_1</span></code></b> and <b><code><span style="color:#3366CC;font-size:1.2em;">ops235_2</span></code></b>.
 +
# Investigate the home directory of one of your new users.
 +
#* What files are there? Be sure to include hidden files.
 +
#* What do you think these files are used for?
 +
#* How does the operating system determine which files are created in a new home account? The answer can be found here:<br>http://www.linuxhowtos.org/Tips%20and%20Tricks/using_skel.htm
 +
#* Look at the files (including hidden files) in the template directory referred to in the article. Compare them to what is in a home directory for a new user. What do you notice?
 +
#* Create a new file in this directory with the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">touch foo</span></code></b>
 +
#* Create a new user named <b><code><span style="color:#3366CC;font-size:1.2em;">foobar</span></code></b>, with the option to automatically create a home directory.
 +
#* Look at the contents of foobar's home directory. What do you notice?
 +
# Be sure to record your observations in your lab notes.
 +
#Issue the man pages for the '''useradd''' command. Explain the purpose of using the '''-e''' option for the ''useradd'' command. Try to think what would be the purpose for a Linux sysadmin to use this option when creating new users.
  
# Use the graphical file manager (Nautilus) to change to the directory on your Installation DVD. Go to the sub-directory called '''Packages'''. It should contain a file called: <code>lynx-2.8.6-27.el6.x86_64.rpm</code>
+
'''Answer the Part 2 observations / questions in your lab log book.'''
# Execute the following command: <code>rpm -i lynx-2.8.6-27.el6.x86_64.rpm</code>
 
# Issue an RPM query to check that lynx is installed. Record this command in your lab log-book.
 
# Issue the following command: <code>rpm -e lynx</code>
 
# Issue an RPM query to verify that lynx is no longer installed. Record this command in your lab log-book.
 
# Issue the following command:  <code>rpm -i elinks-0.12.rpm</code>. Did it work? Explain in your lab log-book why this command may not have worked.
 
  
'''Answer the Investigation 2 observations / questions in your lab log book.'''
+
== Part 3: Managing Groups ==
  
== Investigation 3: How do you install and remove software with ''yum''? ==
+
#Remain in your '''centos1''' VM for this section.
 +
# Read the man page for the <b><code><span style="color:#3366CC;font-size:1.2em;">groupadd</span></code></b> and <b><code><span style="color:#3366CC;font-size:1.2em;">groupdel</span></code></b> commands.
 +
# Note which option allows you to set the Group ID number ('''GID''') when you create a new group.
 +
# Examine the file <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/group</span></code></b>
 +
#* Which values of GID are reserved for system accounts?
 +
#* Which values of GID are reserved for non-system user accounts?
 +
#* What is the lowest available GID number for non-system users?
 +
#* What is the default group name of a new user?
 +
#* Add a new group named <b><code><span style="color:#3366CC;font-size:1.2em;">ops235</span></code></b> with a GID of <b><code><span style="color:#3366CC;font-size:1.2em;">600</span></code></b>.
 +
#* The management at your organization have concerns regarding some irresponsible users on your system.
 +
#** Add a new group named '''investigation'''.
 +
#** Look at '''/etc/group''' and note the GID of group called '''investigation'''.
 +
#** What GID is given to a new group if you do not specify it?
 +
#** In the file, add those users to the end of the concerned group (separate each user-name with a comma).
 +
#** Those individuals have explained their actions to management and the crisis has been resolved. Delete the '''investigation''' group.
 +
#** Look at '''/etc/group''' again and note the change.
  
{{Admon/note|Internet Connection|In order for yum to work you require a connection to the Internet. Establish this connection by using the browser to log into SeneNET}}
+
'''Answer the Part 3 observations / questions in your lab log book.'''
  
# Change to your home directory.
+
== Part 4: Deleting / Modifying Users ==
  
<ol>
+
#Remain in your '''centos1''' VM for this section.
<li value="2">Issue the command:  <code>yum install elinks</code> and answer <code>y</code> to the question about installation.
+
# Read the man page for the '''userdel''' command. Note which option automatically removes the users home directory when that user is deleted.
  <ol type="a">
+
# Delete the user '''ops235_1''' using the command <b><code><span style="color:#3366CC;font-size:1.2em;">userdel ops235_1</span></code></b>
  <li>Where did ''yum'' get the elinks software?</li>
+
# Delete the user '''ops235'''_2 using the same command with the option which removes the home directory of the user.
  <li>Why could ''yum'' install elinks when rpm couldn't?</li>
+
# Check the contents of the /home directory. What do you notice?
  </ol>
+
# Check the contents of the <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/group</span></code></b> file. What do you notice?
</li>
+
# Read the man page for the usermod command. Note which options change the user's full name, primary group, supplementary groups, and shell.
<li>Issue an RPM query to verify that elinks is installed. Record this command in your lab log-book.</li>
+
# Create a new user account called '''noobie''' for the employee: '''"Really Green"''' . Assign a password for that newly created user.
<li>Issue the command: <code>yum remove elinks</code></li>
+
# Management has indicated that this employee be on on probation for 3 months. Use the '''usermod''' command to set the account for noobie to expire in 3 months from this day as part of the security policy of this organization.
<li>Issue an RPM query to verify that elinks is no longer installed. Record this command in your lab log-book.</li>
+
# Add each of your new users to the group ops235 (in other words, add ops235 to each user as a supplementary group).
<li>Issue this command: <code>yum info cups</code></li>
+
# Examine <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/group</span></code></b>. What has changed?
</ol>
+
# Use the '''usermod''' command to change the full name of the user account '''noobie''' from '''"Really Green"''' to '''"Outstanding Employee"'''. Examine the result of running that command in the <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/passwd</span></code></b> file. What has changed?
::* Based on the result, do you think that cups is a useful package for your system? If not, try removing it.
+
# Use the '''usermod''' command to extend the use of their account for 5 years as of today.
<ol>
+
# Be sure to record your observations in your lab notes.
<li value="8">Unused and unneeded software can present a security risk and ties up disk space needlessly. Find at least 4 other packages (for example: games, sound & video, etc) that you're not using on your system, and remove them. Be careful to ensure that removing those packages does not also remove other software that you do need.</li>
 
</ol>
 
  
'''Answer the Investigation 3 observations / questions in your lab log book.'''
+
'''Answer the Part 4 observations / questions in your lab log book.'''
  
==Archiving Files / Compiling Software from Source Code==
 
  
Archive files are often used to contain source code for software; in this lab you will also be compiling software from a source code archive.
+
=INVESTIGATION 2: Managing System Services and Run-levels=
  
{{Admon/note|Do not Shut-Down VMs Until Instructed|You will be running all 3 VMs eventually when performing this tutorial, Leave all VMs running until you are instructed to shut them down at the end of this lab.|}}
+
Many students may think that the following topic is small and "not a big deal". Those students may say, '''"How hard is running and stopping services?"'''
  
===Investigation 1: How do you create an archive file?===
+
The process may not be hard, but knowing how to stop, start, restart and check the status of services is absolutely critical to a Linux server. '''Aside from learning to trouble-shoot problems''' by checking the status of running services, '''understanding how to manage services is critical to help protect a Linux server from penetration''' (this term is referred to as "'''Hardening a system'''"). Sometimes it is "what we don't know" that can harm us. One key element in hardening a computer system is to disable non essential networkng services to allow IDSs ('''Intrusion Detection Systems''') to focus on a narrower range of policy violations. A Debian-based penetration testing distribution called '''Kali''' (formerly referred to as '''"BackTrax"''') allows sysadmins and security professionals to identify vulnerabilities in their computer systems, and thus improve (harden) their systems against penetration. Learning to monitor the status, enable and disable networking services underlies the '''Backtrax''' motto:<br><br>'''''"The quieter you are, then more you will hear..."'''''<br><br>
{{Admon/note|Use centos3|Perform these steps in the '''centos3''' virtual machine.}}
 
  
#Boot up your '''centos3''' VM.
+
=== Part 1: How do we Manage System Services? ===
#Change your working directory to <code>/usr/share/doc/sudo*</code>
 
#Use the tar (tape archiver) command to create an archive file named <code>/tmp/archive1.tar</code>
 
#*<code>tar cvf /tmp/archive1.tar .</code>
 
  
{{Admon/important | Warning! | Don't miss the '''.''' at the end of the <code>tar</code> commands below! It specifies what should go into the archive: the contents of the current directory.}}
+
We have seen that maintaining unneeded '''packages can be a security risk''' due to the unnecessary increase in the complexity of your system. Similarly, it is also unnecessarily hazardous, and even more so, to leave unneeded services running. In this investigation, we will learn how to '''control services, and turn off those services that we think are not necessary to help reduce security risks'''.
  
 +
#Use your '''centos2''' VM for this part.
 
<ol>
 
<ol>
   <li value="4">What do the options c, v, and f mean?</li>
+
   <li value="2">Use the '''man''' pages to learn about the '''service''' command.</li><li>Issue the following Linux command:
  <li>Record the archive file size.</li>
+
      <ul>
  <li>Compress the file using <code>gzip</code>:
+
        <li><b><code><span style="color:#3366CC;font-size:1.2em;">service --status-all</span></code></b></li>
    <ul>
+
      </ul>
      <li><code>gzip /tmp/archive1.tar</code></li>
 
    </ul>
 
 
   </li>
 
   </li>
   <li>Record the archive file size after compression.</li>
+
   <li>Note the services that are currently running.</li>
   <li>Make sure you're still in <code>/usr/share/doc/sudo*</code> and then create a compressed archive:
+
   <li>Use the command <b><code><span style="color:#3366CC;font-size:1.2em;">service iptables stop</span></code></b> to stop the service named '''iptables'''</li>
<ul>
+
  <li>Run a command to verify that the '''iptables''' service has stopped.<br><br>'''NOTE:''' Although the service command seems to work, it is <u>'''deprecated'''</u> (i.e. "out-dated:). It has been replaced by using the [http://zenit.senecac.on.ca/wiki/index.php/Init_vs_systemd#systemd_Command_Usage systemctl] command. This is a command based upon a newer method of starting and managing system services called [http://zenit.senecac.on.ca/wiki/index.php/Init_vs_systemd systemd] (which replaces init - the "initialization table"). This method allows services to run more independently of each other, so that a service may be stopped without other dependent services to be stopped as well.<br><br>The most common '''systemctl''' commands are shown below (it is optional to include the filename extension '''.service''' after the service-name):<ul><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl list-units --all'''</span> &nbsp; (get a listing of all service names. Can pipe to grep to list service you are interested in)</li><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl status service-name'''</span> &nbsp; (Confirm status of a service - running or not-running)</li><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl stop service-name'''</span> &nbsp; (stop a service)</li><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl start service-name'''</span> &nbsp; (start a service)</li><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl restart service-name'''</span> &nbsp; (restart a service)</li><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl enable service-name'''</span> &nbsp; (enable service so service runs upon system startup)</li><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl disable service-name'''</span> &nbsp; (disable service so it does NOT run upon system startup)<br><br></li></ul></li>
      <li><code>tar cvzf /tmp/archive2.tgz .</code></li>
+
   <li>If you reboot now - the iptables service will be turned back on. We don't want it on though, it causes students headaches.<br>To turn it off permanently we need to use the '''systemctl''' command:<b><code><span style="color:#3366CC;font-size:1.2em;">systemctl disable iptables</span></code></b><br>(the '''chkconfig''' command used to be the way to enble/disable services, but is now deprecated).</li>
    </ul>
+
  <li>Use the '''systemctl''' command to verify that the '''iptables''' service is no longer running ('''hint:''' issue command, and pipe to grep "'''iptables'''").
  </li>
+
  <li>Reboot and confirm that it's no longer running.</li>
  <li>What does the <code>z</code> option do?</li>
 
   <li>Compare the sizes of <code>/tmp/archive1.tar.gz</code> and <code>/tmp/archive2.tgz</code>. Why are they so close in size?</li>
 
 
</ol>
 
</ol>
  
'''Answer the Investigation 1 observations / questions in your lab log book.'''
+
'''Answer Part 1 observations / questions in your lab log book.'''
 
 
===Investigation 2: How do you restore files from an archive?===
 
{{Admon/note|Remain in your centos3 VM|Perform these steps in the '''centos3''' virtual machine.}}
 
#Create the directory <code>/tmp/extract1</code>
 
#Change to the <code>/tmp/extract1</code> directory.
 
#Move the file archive1.tar.gz to your current directory.
 
#Unzip the first archive you created:
 
#*<code>gunzip archive1.tar.gz</code>
 
#Extract the files from the first archive:
 
#*<code>tar xvf archive1.tar</code>
 
#Are all the files there?
 
#Compare <code>/tmp/extract1/README</code> and <code>/usr/share/doc/sudo*/README</code>. Are they exactly the same? Why?
 
#Create the directory <code>/tmp/extract2</code>
 
#Move the file archive2.tgz to the <code>/tmp/extract2</code> directory.
 
#Extract the files from the second archive:
 
#*<code>tar xvzf /tmp/extract2/archive2.tgz</code>
 
#Note that this time a separate <code>gunzip</code> command was not needed. Why?
 
#Repeat the previous command, leaving out the option "z". Does it work? Why?
 
#Compare the <code>README</code> file in this directory with the original file. Are they exactly the same?
 
 
 
'''Answer the Investigation 2 observations / questions in your lab log book.'''
 
  
===Investigation 3: How do you build software from source code?===
+
===Part 2: How do we Manage Runlevels?===
  
Now that you know how to create and decompress "zipped tarball archives", we will demonstrate how to install applications from websites containing these types of archives. Although this method is not as "user-friendly" as using the yum or rpm command, this method is useful if the application is NOT contained in regular software repositories...
+
Running servers in graphical mode will make your system most likely to be penetrated. The X-windows framework can be vulnerable to attacks when these servers are connected to the Internet. This is why when you install server versions of Linux, they work in text-based mode only. Desktop versions of Linux are then installed on workstations (working in graphical mode) that connect to the server (for security reasons).
{{Admon/note|Use centos2|Perform these steps in the '''centos2''' virtual machine.}}
 
  
In order to build software from source code, you must have the appropriate software development tools (such as make and gcc) and libraries (such as GTK) installed. The required tools will vary depending on the computer languages used in the software being built.
+
The Linux sysadmin can also change the run-level (or state) of a graphical Linux server to run in text-based mode and run the graphical mode by issuing a command when graphic mode is required. The run-level term is now deprecated in Fedora, and will likely be deprecated in RHEL/CentOS at some point as well, but for now this is what the industry is using.
  
# Issue the following command to install a basic set of development tools and libraries:<br /><code>yum groupinstall "Development Tools" "Development Libraries"</code>
 
  
{{Admon/note|Installing Development Libraries|In the future, remember the above procedure whenever installing software from source. Sometimes, you need to install additional tools or libraries in order to compile a particular software package}}
 
  
 +
#Perform this part in both your '''centos2''' and '''centos3''' VMs.
 
<ol>
 
<ol>
   <li value="3">Go to the directory <code>/tmp</code></li>
+
   <li value="2">Issue the following Linux command:
   <li>Use the <code>wget</code> command to download the "tar ball" that contains the source code for the NLED text editor. <code>wget</code> is a command-line tool to download files from the web using the http or ftp protocols.
+
      <ul>
 +
        <li><b><code><span style="color:#3366CC;font-size:1.2em;">runlevel</span></code></b></li>
 +
      </ul>
 +
  </li>
 +
   <li>Note the difference in output between '''centos2''' and '''centos3'''.</li>
 +
  <li>You can use the '''init''' command to change the current run-level. See a list of runlevels [https://www.centos.org/docs/5/html/5.2/Installation_Guide/s2-init-boot-shutdown-rl.html here].</li><li> Use the '''man''' command to learn how to use the '''init''' command. Use this command to change the current run-level in '''centos2''' to '''3'''. What happened?</li>
 +
  <li>Issue the following Linux command:
 
     <ul>
 
     <ul>
       <li><code>wget http://cdot.senecac.on.ca/software/nled/nled_2_52_src.tgz</code></li>
+
       <li><b><code><span style="color:#3366CC;font-size:1.2em;">startx</span></code></b></li>
 
     </ul>
 
     </ul>
  </li>
 
  <li>Extract the files. Change to the newly-extracted directory (<code>/tmp/nled-2.52</code>)</li>
 
  <li>Check to see if there is a file named <code>configure</code>. If so, run it; if not, skip this step. (Most but not all source code archives contain this file)</li>
 
  <li>Check to see if there is a file named <code>Makefile</code> or <code>makefile</code>. If so, type the command:
 
    <ul>
 
      <li><code>make</code></li>
 
      <li>Did the command work? Why? Use the <code>yum</code> command to install the package '''gcc'''. What do you think the package ''gcc'' does?</li>
 
    </ul>
 
  <li>Reissue the <code>make</code> command. Where you successful? What does <code>make</code> do?</li>
 
  <li>Issue the command as root: <code>yum list ncurses</code>. What do you see? Issue the command at root: <code>yum search ncurses</code>. What do you observe?</li>
 
  <li>In this case, you need to install the ncurses development libraries as well. Issue the following command as root: <code>yum install ncurses-devel.x86_64</code>. Now issue the command: <code>make</code></li>
 
  <li>Some software distributed as source code can automatically install itself. Try this command:
 
    <ul>
 
      <li><code>make install</code></li>
 
    </ul>
 
 
   </li>
 
   </li>
   <li>Most but not all source code archives include the capability of installing themselves this way.</li>
+
   <li>What happens?</li>
   <li>If the command <code>make install</code> does not work (how can you tell? What command did you learn from ULI101 to confirm that this command cannot be run from the command line?), copy the <code>nled</code> program manually:
+
   <li>Log-off your graphical system. You should return to your shell prompt.</li>
    <ul>
+
  <li>Using systemd requires a different method of setting text mode and graphical mode. You can refer to this link for future reference:  
      <li><code>cp nled /usr/local/bin</code></li>
+
[http://fedoraproject.org/wiki/Systemd#How_do_I_change_the_runlevel.3F How to Change Run-Levels with Systemd]</li><li>Restart your centos2 machine, and make certain that it runs in '''graphical''' mode</li>
    </ul>
+
   </li>Why would you want to make a graphical Linux system run in text-based mode?</li>
  </li>
 
  <li>Test <code>nled</code> to make sure it works.</li>
 
   <li>Why did copying the nled executable to /usr/local/bin allow the nled command to be run by name anywhere in the command prompt?</li>
 
 
</ol>
 
</ol>
  
'''Answer the Investigation 3 observations / questions in your lab log book.'''
 
= User/Group Management =
 
  
== Investigation 4: The /etc/passwd file ==
+
'''Answer Part 2 observations / questions in your lab log book.'''
  
# Look at the /etc/passwd file.
 
# Make note of the contents of that file.
 
# Read about the file: http://linux.die.net/man/5/passwd
 
# Make sure you know what information each field contains.
 
# Why do you think there are so many users?
 
# Look at the names of the users. What do you think these user names represent? Are they people?
 
# What is the numeric user ID (UID) of the root user?
 
# The user IDs of real users (people) are different from the user IDs of system accounts. What is the pattern?
 
  
== Investigation 5: Adding users ==
+
= INVESTIGATION 3: LOOKING AHEAD =
  
{{Admon/note|Use centos1|Perform these steps in the '''centos1''' system.}}
+
==Automating Routine Tasks (Shell Scripting)==
 +
{|width="40%" align="right" cellpadding="10"
 +
|- valign="top"
 +
|
 +
{{Admon/tip|Bash Shell Scripting Tips:|<br><ul><li>'''The case statement:'''<br><br>The case statement is a control-flow statement that works in a similar way as the if-elif-else statement (but is more concise). This statement presents scenerios or "cases" based on values or regular expressions (not ranges of values like if-elif-else statements). After action(s) are taken for a particular scenerio (or "case"), a break statement (''';;''') is used to "break-out" of the statement (and not perform other actions). A default case (*) is also used to catch exceptions.<br><br><u>'''Examples (try in shell script):'''</u><br><br>''read -p "pick a door (1 or 2): " pick<br>case $pick in<br>&nbsp; 1) echo "You win a car!" ;;<br>&nbsp; 2) echo "You win a bag of dirt!" ;;<br>&nbsp; *) echo "Not a valid entry"<br>&nbsp;&nbsp;&nbsp;&nbsp; exit 1 ;;<br>esac''<br><br>''read -p "enter a single digit: " digit<br>case $digit in<br>&nbsp; [0-9]) echo "Your single digit is: $digit" ;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  *)&nbsp;echo "not a valid single digit"<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  exit 1 ;;<br>esac''<br><br></li><li>'''The getopts function:'''<br><br></li></ul>The getopts function allows the shell scripter to create scripts that accept options (like options for Linux commands). This provides the Linux administrator with scripts that provide more flexibility and versatility. A built-in function called '''getopts''' (i.e. get command options) is used in conjunction with a '''while''' loop and a '''case''' statement to carry out actions based on if certain options are present when the shell script is run. The variable '''$OPTARG''' can be used if an option accepts text (denoted in the getopts function with an option letter followed by a colon. Case statement exceptions use the ''':)''' and '''\?)''' cases for error handling.<br><br>'''<u>Example of getopts</u>''' (try in script and run with options)<br><br>''while getopts abc: name<br>do<br>&nbsp; case $name in<br>&nbsp; &nbsp; a) echo "Action for option \"a\"" ;;<br>&nbsp; &nbsp; b) echo "Action for option \"b\"" ;;<br>&nbsp; &nbsp; c) echo "Action for option \"c\""<br>&nbsp; &nbsp; &nbsp; &nbsp; echo Value is: $OPTARG" ;;<br>&nbsp; &nbsp; :) echo "Error: You need text after -c option"<br>&nbsp; &nbsp; &nbsp; &nbsp; exit 1 ;;<br>&nbsp; &nbsp; \?) echo "Error: Incorrect option"<br>&nbsp; &nbsp; &nbsp; &nbsp; exit 1 ;;<br>esac''<br>done<br><br>}}
 +
|}
  
# Read the man page for the useradd command.
+
We will now use shell scripting to help automate the task for a Linux adminstrator to create regular user accounts.
# Create a new user account for each of your pod mates, using their learn account name as a user name. Give each user a password.
 
# Grep the /etc/passwd file for each of the new users.
 
#* What is the home directory of each user?
 
#* What group is each user in?
 
#* What else do you know about each user?
 
#* Where are the passwords stored?
 
# Look at the man page for /etc/shadow using the command man 5 shadow
 
#* Grep the /etc/shadow file for each of the new users.
 
#* Make note of this information.
 
# Create two new dummy users, ops235_1 and ops235_2.
 
# Investigate the home directory of one of your new users.
 
#* What files are there? Be sure to include hidden files.
 
#* What do you think these files are used for?
 
#* How does the operating system determine which files are created in a new home account? The answer can be found here: http://www.linuxhowtos.org/Tips%20and%20Tricks/using_skel.htm
 
#* Look at the files (including hidden files) in the template directory referred to in the article. Compare them to what is in a home directory for a new user. What do you notice?
 
#* Create a new file in this directory with the following command: <code>touch foo</code>
 
#* Create a new user named foobar, with the option to automatically create a home directory.
 
#* Look at the contents of foobar's home directory. What do you notice?
 
# Be sure to record your observations in your lab notes.
 
  
{{Admon/note|Use centos3|Perform these steps in the '''centos3''' virtual machine.}}
 
# Add your matrix account user to '''centos3'''.
 
  
== Investigation 6: Managing Groups ==
+
#You will be using your '''c7host''' machine for this section.
 +
#Download, study, and run the following shell script. Issue the command:<br><b><code><span style=" pointer-events:none;cursor:default;color:#3366CC;font-size:1.2em;">wget https://scs.senecac.on.ca/~murray.saul/user-create.bash</span></code></b>
 +
#Try to understand what these Bash Shell scripts do, and then run the script as root. After running the shell script, view the contents of the '''/home''' directory to confirm.
  
{{Admon/note|Use centos1|Perform these steps in the '''centos1''' virtual machine.}}
 
  
# Read the man page for the groupadd and groupdel commands.
+
Although the '''zenity''' command is a "user-friendly" way to run shell scripts, Linux administrators usually create shell scripts that resemble common Linux commands. In this lab, you will learn to create a shell script using the getopts function to make your shell script behave more like actual Linux commands (including the use of options). Refer to the notes section on the right-hand-side for reference about the '''case''' statement and the '''getopts''' function.
# Note which option allows you to set the Group ID number (GID) when you create a new group.
 
# Examine the file /etc/group
 
#* Which values of GID are reserved for system accounts?
 
#* Which values of GID are reserved for non-system user accounts?
 
#* What is the lowest available GID number for non-system users?
 
#* What is the default group name of a new user?
 
#* Add a new group named ops235 with a GID of 600.
 
#* You are angry at some irresponsible users on your system.
 
#** Add a new group named idiots.
 
#** Look at /etc/group and note the GID of idiots.
 
#** What GID is given to a new group if if you do not specify it?
 
#**  Your anger has subsided. Delete the idiots group.
 
#** Look at /etc/group again and note the change.
 
  
Be sure to record your observations in your lab notes.
 
  
== Investigation 7: Deleting users ==
+
<ol><li value="3">Open a Bash shell terminal and login as root.</li><li>Use the wget command to download the input file called user-data.txt by issuing the command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">wget https://scs.senecac.on.ca/~murray.saul/user-data.txt</span></code></b></li><li>View the contents on the user-data.txt file to confirm there are 3 fields (username, fullname, and e-mail address)which are separated by the colon (:) symbol.<li><li>Use a text editor (such as <b><code><span style="color:#3366CC;font-size:1.2em;">vi</span></code></b> or <b><code><span style="color:#3366CC;font-size:1.2em;">nano</span></code></b>) to create a Bash Shell script called: <b><code><span style="color:#3366CC;font-size:1.2em;">createUsers.bash</span></code></b> in /root's home directory.</li><li>Enter the following text content into your text-editing session:</li></ol>
 +
<code style="color:#3366CC;font-family:courier;font-size:.9em;margin-left:20px;">
 +
<br>
 +
&#35;!/bin/bash <br>
 +
<br>
 +
&#35; createUsers.bash<br>
 +
&#35; Purpose: Generates a batch of user accounts (user data stored in a text file)<br>
 +
&#35;<br>&#35; USAGE: /root/createUsers.bash [-i {input-path}] <br>
 +
&#35;<br>
 +
&#35; Author: *** INSERT YOUR NAME ***<br>
 +
&#35; Date:  *** CURRENT DATE ***<br>
 +
<br>
 +
if [ $PWD != "/root" ]  # only runs if in root's home directory<br>
 +
then<br>&nbsp;echo "You must be in root's home directory." >&2<br>
 +
&nbsp;exit 1<br>
 +
fi<br>
 +
if [ "$#" -eq 0 ] #  if no arguments after command<br>
 +
then<br>
 +
&nbsp;echo "You must enter an argument" >&2<br>
 +
&nbsp;echo "USAGE: $0 [-i {input-path}]" >&2<br>
 +
&nbsp;exit 2<br>
 +
fi<br>
 +
</code>
 +
<br>
 +
<ol><li value="6">Save your editing session, but remain in the text editor.</li><li>The code displayed below uses the getopt function set the input file pathname or check for invalid options or missing option text. Add the following code</li></ol>
 +
<br>
 +
<code style="color:#3366CC;font-family:courier;font-size:.9em;">
 +
<br>
 +
outputFlag="n"<br>
 +
while getopts i: name<br>
 +
do<br>
 +
&nbsp;case $name in<br>
 +
&nbsp; &nbsp;i) inputFile=$OPTARG ;;<br>
 +
&nbsp; &nbsp;:) echo "Error: You need text after options requiring text"<br>
 +
&nbsp; &nbsp; &nbsp; &nbsp;exit 1 ;;<br>
 +
&nbsp; &nbsp;\?) echo "Error: Incorrect option"<br>
 +
&nbsp; &nbsp; &nbsp; &nbsp; exit 1 ;;<br>
 +
&nbsp;esac<br>
 +
done<br>
 +
</code>
 +
<ol><li value="6">Save your editing session, but remain in the text editor.</li><li>The code displayed below uses logic to exit the script if the input file does not exist. Command substitution is used to store each line of the input file as a positional parameter. There is one subtle problem here: The full names of the users contain spaces which can create havoc when trying to set each line as a separate positional parameter. In this case the sed command is used to convert spaces to plus signs (+), which will be converted back later. Finally, a '''for''' loop is used to create each account ('''useradd''') and mail the user their account information ('''mail'''). Add the following code:</li></ol>
 +
<br>
 +
<code style="color:#3366CC;font-family:courier;font-size:.9em;">
 +
<br>
 +
if [ ! -f $inputFile ]<br>
 +
then<br>
 +
&nbsp; echo "The file pathname \"$inputFile\" is empty or does not exist" >&2<br>
 +
&nbsp; exit 2<br>
 +
fi<br>
 +
<br>
 +
set $(sed 's/ /+/g' $inputFile)  # temporarily convert spaces to + for storing lines as positional parameters<br>
 +
<br>
 +
for x<br>
 +
do<br>
 +
&nbsp; &nbsp; userPassWd=$(date | md5sum | cut -d" " -f1)<br>
 +
&nbsp; &nbsp; useradd -m -c "$(echo $x | cut -d":" -f2 | sed 's/+/ /g')" -p $userPassWd $(echo $x | cut -d":" -f1)<br>
 +
&nbsp; &nbsp; mail -s "Server Account Information" $(echo $x | cut -d":" -f3) <<+<br>
 +
&nbsp; &nbsp; Here is your server account information:<br>
 +
&nbsp; &nbsp; servername: myserver.senecac.on.ca<br>
 +
&nbsp; &nbsp; username:  $(echo $x | cut -d":" -f1)<br>
 +
&nbsp; &nbsp; password: $userPassWd<br>
 +
&nbsp; &nbsp; Regards,<br>
 +
&nbsp; &nbsp; IT Department<br>
 +
+<br>
 +
done<br>
 +
<br>
 +
echo -e "\n\nAccounts have been created\n\n"<br>
 +
exit 0<br>
 +
</code>
  
{{Admon/note|Use centos1|Perform these steps in the '''centos1''' virtual machine.}}
+
<ol>
 
+
<li value="8">Save, set permissions, and then run that shell script for the input text file '''user-data.txt'''. Did it work? Try running the script without an argument - What did it do? </li><li>You have completed lab4. Proceed to Completing The Lab, and follow the instructions for "lab sign-off".</li></ol>
# Read the man page for the userdel command. Note which option automatically removes the users home directory when that user is deleted.
 
  
# Delete the user ops235_1 using the command <code>userdel ops235_1</code>
+
'''Answer Investigation 3 observations / questions in your lab log book.'''
# Delete the user ops235_2 using the same command with the option which removes the home directory of the user.
 
# Check the contents of the /home directory. What do you notice?
 
# Check the contents of the /etc/group file. What do you notice?
 
  
Be sure to record your observations in your lab notes.
+
= LAB 4 SIGN-OFF (SHOW INSTRUCTOR) =
 
+
{{Admon/important|If you have successfully completed this lab, make a new backup of your virtual machines as well as your host machine.|}}
== Investigation 8: Modifying users ==
 
 
 
{{Admon/note|Use centos1|Perform these steps in the '''centos1''' virtual machine.}}
 
 
 
# Read the man page for the usermod command. Note which options change the user's full name, primary group, supplementary groups, and shell.
 
 
 
# Add each of your new users to the group ops235 (in other words, add ops235 to each user as a supplementary group).
 
# Examine <code>/etc/group</code>. What has changed?
 
# Use the usermod command to associate each of your pod mates' full name to their user name. With each change, examine their entries in the <code>/etc/passwd</code> file. What has changed?
 
# Be sure to record your observations in your lab notes.
 
  
= Completing the lab =
+
'''Arrange proof of the following on the screen:'''
  
{{Admon/important|Time for a new backup!|If you have successfully completed this lab, make a new backup of your virtual machines. Remember to also make a backup of the new second virtual disk drive on ''centos1'' -- you now have two virtual disks on ''centos1'', and therefore two image files, and therefore will need two backup files.}}
+
<ol><li><span style="color:green;font-size:1.5em;">&#x2713;</span> '''centos1''' VM:<blockquote><ul><li>Account created on '''centos1''' VM</li><li> List contents of '''/etc/group''' file (ops235 group)</li><li>List contents of '''/etc/passwd''' file (created accounts)</li></ul></blockquote><li><span style="color:green;font-size:1.5em;">&#x2713;</span> '''centos2''' VM:<blockquote><ul><li>Display current run-level status on '''centos2''' VM</li></ul></blockquote></li></li><li><span style="color:green;font-size:1.5em;">&#x2713;</span>'''c7host''' machine<blockquote><ul><li>Creation of your bash shell script called '''createUsers.bash'''</li></ul></blockquote></li><li><span style="color:green;font-size:1.5em;">&#x2713;</span> '''Lab4''' log-book filled out.</li></ol>
  
Arrange proof of the following on the screen:
 
# Two PVs on '''centos1'''.
 
# Separate <code>/home</code> filesystem (on an LV) in '''centos1'''.
 
# Account created on '''centos3''' matching your Matrix account.
 
# List contents of '''/etc/group''' file (ops235 group).
 
# List contents of '''/etc/passwd''' file (created accounts).
 
# Fresh backup of the virtual machines.
 
  
= Preparing for the Quizzes =
+
== Practice For Quizzes, Tests, Midterm &amp; Final Exam ==
  
# What is a VG? PV? LV?  
+
# Describe all of the field in <code>'''/etc/passwd'''</code>
# What is the total size of the "main" VG on your system?
+
# What is the command to create a user? What option to create a home directory for that user?
# How do you create a LV?
+
# What is the command to change the full name of an already-created user?
# How do you delete an LV?
+
# What is the command to delete a user account? What option allows for the user's home directory to be removed as well?
# How would you add the disk partition <code>/dev/sdb7</code> to your volume group "main"?
+
# What is the command to create a group? What is the command (or steps) to include a user in a newly-created group?
# How would you increase the size of the root filesystem by 50 MB?
+
# What is the purpose of <code>'''/etc/shadow'''</code>?
# What is the purpose of <code>/etc/fstab</code>?
+
# What is the purpose of <code>'''/etc/skel'''</code>?
# What is the purpose of <code>/etc/shadow</code>?
+
# What does the term run-level mean?
 +
# How to set the run-level of a Linux system to text-based only? How to set to graphical mode?
 +
# What is the command to view the status of running services?
 +
# What is the command to start a service (like httpd, or sshd)?
 +
# What is the command to start a service?
 +
# Can a service be stopped and started by issuing just one command?
  
 
[[Category:OPS235]]
 
[[Category:OPS235]]
 
[[Category:OPS235 Labs]]
 
[[Category:OPS235 Labs]]

Latest revision as of 11:31, 24 September 2018

Stop (medium size).png
THIS IS AN OLD VERSION OF THE LAB
This is an archived version. Do not use this in your OPS235 course.

LAB PREPARATION

Purpose / Objectives of Lab 4

System administrators are required to add, remove and modify user accounts.
In order to perform maintenance, system administrators need to know how to stop and start services for a Linux system.


There are many other tasks that a Linux system administrator must perform other than installing Linux and installing software.

A few additional tasks are user management and managing services.


Main Objectives:

  • Administer (add, remove, modify) users on a Linux system.
  • Save time while adding new users using a template of start-up files.
  • Create and manage groups on a Linux system.
  • Start and Stop services on a Linux system.
  • Display the status of running services on a Linux system.


Minimum Required Materials

Removable Hard Disk Pack (SATA)
USB key
(for backups)
Lab4 Log Book

My Toolkit (CLI Reference)

User Management:

useradd
userdel
usermod
groupadd
groupdel

Managing Services

chkconfig
service
systemctl

Miscellaneous

/etc/passwd
/etc/group
/etc/shadow
/etc/skel
init vs systemd


INVESTIGATION 1: User/Group Management

User account management is a very important operation that a Linux sysadmin does on a consistent basis. The sysadmin not only needs to add or remove user accounts by issuing commands, but may need to automate user account creations a large number (batch) of potential employees. There are many features with the Linux command to create new users including: specification of a home directory, type of shell used, name, password and time-limit (referred to as "aging") for a new user account. Remove user accounts also have options such as removing the user account but keeping the home directory for reference or evidence of "wrong-doing"

In your ULI101 course, you learned to change permissions for directories and files relating to user, same group members and other group members. In this course, since you are the sysadmin with root privileges, you can create or remove groups as well as change the ownership of directories and files! We will now learn to perform key user account management operations in this section.

Part 1: The /etc/passwd file

  1. Look at the /etc/passwd file.
  2. Make note of the contents of that file.
  3. Read about the file: http://man7.org/linux/man-pages/man5/passwd.5.html
  4. Make sure you know what information each field contains.
  5. Why do you think there are so many users?
  6. Look at the names of the users. What do you think these user names represent? Are they people?
  7. What is the numeric user ID (UID) of the root user?
  8. The user IDs of real users (people) are different from the user IDs of system accounts. What is the pattern?

Answer the Part 1 observations / questions in your lab log book.

Part 2: Adding users

  1. Perform this part in your centos1 VM.
  2. Read the man page for the useradd command.
  3. Create three fictitious users (make-up their userids and full names. Give each of these newly-created users a password.
  4. Grep the /etc/passwd file for each of the new users.
    • What is the home directory of each user?
    • What group is each user in?
    • What other information can you provide regarding these users?
    • Where are the passwords stored?
  5. Look at the man page for /etc/shadow using the command: man 5 shadow
    • Grep the /etc/shadow file for each of the new users.
    • Make note of this information.
  6. Create two new dummy users, ops235_1 and ops235_2.
  7. Investigate the home directory of one of your new users.
    • What files are there? Be sure to include hidden files.
    • What do you think these files are used for?
    • How does the operating system determine which files are created in a new home account? The answer can be found here:
      http://www.linuxhowtos.org/Tips%20and%20Tricks/using_skel.htm
    • Look at the files (including hidden files) in the template directory referred to in the article. Compare them to what is in a home directory for a new user. What do you notice?
    • Create a new file in this directory with the following command: touch foo
    • Create a new user named foobar, with the option to automatically create a home directory.
    • Look at the contents of foobar's home directory. What do you notice?
  8. Be sure to record your observations in your lab notes.
  9. Issue the man pages for the useradd command. Explain the purpose of using the -e option for the useradd command. Try to think what would be the purpose for a Linux sysadmin to use this option when creating new users.

Answer the Part 2 observations / questions in your lab log book.

Part 3: Managing Groups

  1. Remain in your centos1 VM for this section.
  2. Read the man page for the groupadd and groupdel commands.
  3. Note which option allows you to set the Group ID number (GID) when you create a new group.
  4. Examine the file /etc/group
    • Which values of GID are reserved for system accounts?
    • Which values of GID are reserved for non-system user accounts?
    • What is the lowest available GID number for non-system users?
    • What is the default group name of a new user?
    • Add a new group named ops235 with a GID of 600.
    • The management at your organization have concerns regarding some irresponsible users on your system.
      • Add a new group named investigation.
      • Look at /etc/group and note the GID of group called investigation.
      • What GID is given to a new group if you do not specify it?
      • In the file, add those users to the end of the concerned group (separate each user-name with a comma).
      • Those individuals have explained their actions to management and the crisis has been resolved. Delete the investigation group.
      • Look at /etc/group again and note the change.

Answer the Part 3 observations / questions in your lab log book.

Part 4: Deleting / Modifying Users

  1. Remain in your centos1 VM for this section.
  2. Read the man page for the userdel command. Note which option automatically removes the users home directory when that user is deleted.
  3. Delete the user ops235_1 using the command userdel ops235_1
  4. Delete the user ops235_2 using the same command with the option which removes the home directory of the user.
  5. Check the contents of the /home directory. What do you notice?
  6. Check the contents of the /etc/group file. What do you notice?
  7. Read the man page for the usermod command. Note which options change the user's full name, primary group, supplementary groups, and shell.
  8. Create a new user account called noobie for the employee: "Really Green" . Assign a password for that newly created user.
  9. Management has indicated that this employee be on on probation for 3 months. Use the usermod command to set the account for noobie to expire in 3 months from this day as part of the security policy of this organization.
  10. Add each of your new users to the group ops235 (in other words, add ops235 to each user as a supplementary group).
  11. Examine /etc/group. What has changed?
  12. Use the usermod command to change the full name of the user account noobie from "Really Green" to "Outstanding Employee". Examine the result of running that command in the /etc/passwd file. What has changed?
  13. Use the usermod command to extend the use of their account for 5 years as of today.
  14. Be sure to record your observations in your lab notes.

Answer the Part 4 observations / questions in your lab log book.


INVESTIGATION 2: Managing System Services and Run-levels

Many students may think that the following topic is small and "not a big deal". Those students may say, "How hard is running and stopping services?"

The process may not be hard, but knowing how to stop, start, restart and check the status of services is absolutely critical to a Linux server. Aside from learning to trouble-shoot problems by checking the status of running services, understanding how to manage services is critical to help protect a Linux server from penetration (this term is referred to as "Hardening a system"). Sometimes it is "what we don't know" that can harm us. One key element in hardening a computer system is to disable non essential networkng services to allow IDSs (Intrusion Detection Systems) to focus on a narrower range of policy violations. A Debian-based penetration testing distribution called Kali (formerly referred to as "BackTrax") allows sysadmins and security professionals to identify vulnerabilities in their computer systems, and thus improve (harden) their systems against penetration. Learning to monitor the status, enable and disable networking services underlies the Backtrax motto:

"The quieter you are, then more you will hear..."

Part 1: How do we Manage System Services?

We have seen that maintaining unneeded packages can be a security risk due to the unnecessary increase in the complexity of your system. Similarly, it is also unnecessarily hazardous, and even more so, to leave unneeded services running. In this investigation, we will learn how to control services, and turn off those services that we think are not necessary to help reduce security risks.

  1. Use your centos2 VM for this part.
  1. Use the man pages to learn about the service command.
  2. Issue the following Linux command:
    • service --status-all
  3. Note the services that are currently running.
  4. Use the command service iptables stop to stop the service named iptables
  5. Run a command to verify that the iptables service has stopped.

    NOTE: Although the service command seems to work, it is deprecated (i.e. "out-dated:). It has been replaced by using the systemctl command. This is a command based upon a newer method of starting and managing system services called systemd (which replaces init - the "initialization table"). This method allows services to run more independently of each other, so that a service may be stopped without other dependent services to be stopped as well.

    The most common systemctl commands are shown below (it is optional to include the filename extension .service after the service-name):
    • systemctl list-units --all   (get a listing of all service names. Can pipe to grep to list service you are interested in)
    • systemctl status service-name   (Confirm status of a service - running or not-running)
    • systemctl stop service-name   (stop a service)
    • systemctl start service-name   (start a service)
    • systemctl restart service-name   (restart a service)
    • systemctl enable service-name   (enable service so service runs upon system startup)
    • systemctl disable service-name   (disable service so it does NOT run upon system startup)

  6. If you reboot now - the iptables service will be turned back on. We don't want it on though, it causes students headaches.
    To turn it off permanently we need to use the systemctl command:systemctl disable iptables
    (the chkconfig command used to be the way to enble/disable services, but is now deprecated).
  7. Use the systemctl command to verify that the iptables service is no longer running (hint: issue command, and pipe to grep "iptables").
  8. Reboot and confirm that it's no longer running.

Answer Part 1 observations / questions in your lab log book.

Part 2: How do we Manage Runlevels?

Running servers in graphical mode will make your system most likely to be penetrated. The X-windows framework can be vulnerable to attacks when these servers are connected to the Internet. This is why when you install server versions of Linux, they work in text-based mode only. Desktop versions of Linux are then installed on workstations (working in graphical mode) that connect to the server (for security reasons).

The Linux sysadmin can also change the run-level (or state) of a graphical Linux server to run in text-based mode and run the graphical mode by issuing a command when graphic mode is required. The run-level term is now deprecated in Fedora, and will likely be deprecated in RHEL/CentOS at some point as well, but for now this is what the industry is using.


  1. Perform this part in both your centos2 and centos3 VMs.
  1. Issue the following Linux command:
    • runlevel
  2. Note the difference in output between centos2 and centos3.
  3. You can use the init command to change the current run-level. See a list of runlevels here.
  4. Use the man command to learn how to use the init command. Use this command to change the current run-level in centos2 to 3. What happened?
  5. Issue the following Linux command:
    • startx
  6. What happens?
  7. Log-off your graphical system. You should return to your shell prompt.
  8. Using systemd requires a different method of setting text mode and graphical mode. You can refer to this link for future reference: How to Change Run-Levels with Systemd
  9. Restart your centos2 machine, and make certain that it runs in graphical mode
  10. Why would you want to make a graphical Linux system run in text-based mode?


Answer Part 2 observations / questions in your lab log book.


INVESTIGATION 3: LOOKING AHEAD

Automating Routine Tasks (Shell Scripting)

Idea.png
Bash Shell Scripting Tips:

  • The case statement:

    The case statement is a control-flow statement that works in a similar way as the if-elif-else statement (but is more concise). This statement presents scenerios or "cases" based on values or regular expressions (not ranges of values like if-elif-else statements). After action(s) are taken for a particular scenerio (or "case"), a break statement (;;) is used to "break-out" of the statement (and not perform other actions). A default case (*) is also used to catch exceptions.

    Examples (try in shell script):

    read -p "pick a door (1 or 2): " pick
    case $pick in
      1) echo "You win a car!" ;;
      2) echo "You win a bag of dirt!" ;;
      *) echo "Not a valid entry"
         exit 1 ;;
    esac


    read -p "enter a single digit: " digit
    case $digit in
      [0-9]) echo "Your single digit is: $digit" ;;
             *) echo "not a valid single digit"
                 exit 1 ;;
    esac


  • The getopts function:

The getopts function allows the shell scripter to create scripts that accept options (like options for Linux commands). This provides the Linux administrator with scripts that provide more flexibility and versatility. A built-in function called getopts (i.e. get command options) is used in conjunction with a while loop and a case statement to carry out actions based on if certain options are present when the shell script is run. The variable $OPTARG can be used if an option accepts text (denoted in the getopts function with an option letter followed by a colon. Case statement exceptions use the :) and \?) cases for error handling.

Example of getopts (try in script and run with options)

while getopts abc: name
do
  case $name in
    a) echo "Action for option \"a\"" ;;
    b) echo "Action for option \"b\"" ;;
    c) echo "Action for option \"c\""
        echo Value is: $OPTARG" ;;
    :) echo "Error: You need text after -c option"
        exit 1 ;;
    \?) echo "Error: Incorrect option"
        exit 1 ;;
esac

done

We will now use shell scripting to help automate the task for a Linux adminstrator to create regular user accounts.


  1. You will be using your c7host machine for this section.
  2. Download, study, and run the following shell script. Issue the command:
    wget https://scs.senecac.on.ca/~murray.saul/user-create.bash
  3. Try to understand what these Bash Shell scripts do, and then run the script as root. After running the shell script, view the contents of the /home directory to confirm.


Although the zenity command is a "user-friendly" way to run shell scripts, Linux administrators usually create shell scripts that resemble common Linux commands. In this lab, you will learn to create a shell script using the getopts function to make your shell script behave more like actual Linux commands (including the use of options). Refer to the notes section on the right-hand-side for reference about the case statement and the getopts function.


  1. Open a Bash shell terminal and login as root.
  2. Use the wget command to download the input file called user-data.txt by issuing the command:
    wget https://scs.senecac.on.ca/~murray.saul/user-data.txt
  3. View the contents on the user-data.txt file to confirm there are 3 fields (username, fullname, and e-mail address)which are separated by the colon (:) symbol.
  4. Use a text editor (such as vi or nano) to create a Bash Shell script called: createUsers.bash in /root's home directory.
  5. Enter the following text content into your text-editing session:


#!/bin/bash

# createUsers.bash
# Purpose: Generates a batch of user accounts (user data stored in a text file)
#
# USAGE: /root/createUsers.bash [-i {input-path}]
#
# Author: *** INSERT YOUR NAME ***
# Date: *** CURRENT DATE ***

if [ $PWD != "/root" ] # only runs if in root's home directory
then
 echo "You must be in root's home directory." >&2
 exit 1
fi
if [ "$#" -eq 0 ] # if no arguments after command
then
 echo "You must enter an argument" >&2
 echo "USAGE: $0 [-i {input-path}]" >&2
 exit 2
fi

  1. Save your editing session, but remain in the text editor.
  2. The code displayed below uses the getopt function set the input file pathname or check for invalid options or missing option text. Add the following code



outputFlag="n"
while getopts i: name
do
 case $name in
   i) inputFile=$OPTARG ;;
   :) echo "Error: You need text after options requiring text"
       exit 1 ;;
   \?) echo "Error: Incorrect option"
        exit 1 ;;
 esac
done

  1. Save your editing session, but remain in the text editor.
  2. The code displayed below uses logic to exit the script if the input file does not exist. Command substitution is used to store each line of the input file as a positional parameter. There is one subtle problem here: The full names of the users contain spaces which can create havoc when trying to set each line as a separate positional parameter. In this case the sed command is used to convert spaces to plus signs (+), which will be converted back later. Finally, a for loop is used to create each account (useradd) and mail the user their account information (mail). Add the following code:



if [ ! -f $inputFile ]
then
  echo "The file pathname \"$inputFile\" is empty or does not exist" >&2
  exit 2
fi

set $(sed 's/ /+/g' $inputFile) # temporarily convert spaces to + for storing lines as positional parameters

for x
do
    userPassWd=$(date | md5sum | cut -d" " -f1)
    useradd -m -c "$(echo $x | cut -d":" -f2 | sed 's/+/ /g')" -p $userPassWd $(echo $x | cut -d":" -f1)
    mail -s "Server Account Information" $(echo $x | cut -d":" -f3) <<+
    Here is your server account information:
    servername: myserver.senecac.on.ca
    username: $(echo $x | cut -d":" -f1)
    password: $userPassWd
    Regards,
    IT Department
+
done

echo -e "\n\nAccounts have been created\n\n"
exit 0

  1. Save, set permissions, and then run that shell script for the input text file user-data.txt. Did it work? Try running the script without an argument - What did it do?
  2. You have completed lab4. Proceed to Completing The Lab, and follow the instructions for "lab sign-off".

Answer Investigation 3 observations / questions in your lab log book.

LAB 4 SIGN-OFF (SHOW INSTRUCTOR)

Important.png
If you have successfully completed this lab, make a new backup of your virtual machines as well as your host machine.

Arrange proof of the following on the screen:

  1. centos1 VM:
    • Account created on centos1 VM
    • List contents of /etc/group file (ops235 group)
    • List contents of /etc/passwd file (created accounts)
  2. centos2 VM:
    • Display current run-level status on centos2 VM
  3. c7host machine
    • Creation of your bash shell script called createUsers.bash
  4. Lab4 log-book filled out.


Practice For Quizzes, Tests, Midterm & Final Exam

  1. Describe all of the field in /etc/passwd
  2. What is the command to create a user? What option to create a home directory for that user?
  3. What is the command to change the full name of an already-created user?
  4. What is the command to delete a user account? What option allows for the user's home directory to be removed as well?
  5. What is the command to create a group? What is the command (or steps) to include a user in a newly-created group?
  6. What is the purpose of /etc/shadow?
  7. What is the purpose of /etc/skel?
  8. What does the term run-level mean?
  9. How to set the run-level of a Linux system to text-based only? How to set to graphical mode?
  10. What is the command to view the status of running services?
  11. What is the command to start a service (like httpd, or sshd)?
  12. What is the command to start a service?
  13. Can a service be stopped and started by issuing just one command?