OPS235 Lab 4 - CentOS7
Contents
LAB PREPARATION
Purpose / Objectives of Lab 1
There are many other tasks that a Linux system administrator must perform other than installing Linux and installing software.
A few additional tasks are user management and managing services.
Main objectives:
- Administer (add, remove, modify) users on a Linux system.
- Save time while adding new users using a template of start-up files.
- Create and manage groups on a Linux system.
- Start and Stop services on a Linux system.
- Display the status of running services on a Linux system.
Minimum Required Materials
My Toolkit (CLI Reference)
User Management: | Managing Services | Miscellaneous |
INVESTIGATION 1: User/Group Management
User account management is a very important operation that a Linux sysadmin does on a consistent basis. The sysadmin not only needs to add or remove user accounts by issuing commands, but may need to automate user account creations a large number (batch) of potential employees. There are many features with the Linux command to create new users including: specification of a home directory, type of shell used, name, password and time-limit (referred to as "aging") for a new user account. Remove user accounts also have options such as removing the user account but keeping the home directory for reference or evidence of "wrong-doing"
In your ULI101 course, you learned to change permissions for directories and files relating to user, same group members and other group members. In this course, since you are the sysadmin with root privileges, you can create or remove groups as well as change the ownership of directories and files! We will now learn to perform key user account management operations in this section.
Part 1: The /etc/passwd file
- Look at the
/etc/passwd
file. - Make note of the contents of that file.
- Read about the file: http://man7.org/linux/man-pages/man5/passwd.5.html
- Make sure you know what information each field contains.
- Why do you think there are so many users?
- Look at the names of the users. What do you think these user names represent? Are they people?
- What is the numeric user ID (UID) of the root user?
- The user IDs of real users (people) are different from the user IDs of system accounts. What is the pattern?
Answer the Part 1 observations / questions in your lab log book.
Part 2: Adding users
- Perform this part in your centos1 VM.
- Read the man page for the
useradd
command. - Create three fictitious users (make-up their userids and full names. Give each of these newly-created users a password.
- Grep the
/etc/passwd
file for each of the new users.- What is the home directory of each user?
- What group is each user in?
- What other information can you provide regarding these users?
- Where are the passwords stored?
- Look at the man page for /etc/shadow using the command:
man 5 shadow
- Grep the
/etc/shadow
file for each of the new users. - Make note of this information.
- Grep the
- Create two new dummy users,
ops235_1
andops235_2
. - Investigate the home directory of one of your new users.
- What files are there? Be sure to include hidden files.
- What do you think these files are used for?
- How does the operating system determine which files are created in a new home account? The answer can be found here:
http://www.linuxhowtos.org/Tips%20and%20Tricks/using_skel.htm - Look at the files (including hidden files) in the template directory referred to in the article. Compare them to what is in a home directory for a new user. What do you notice?
- Create a new file in this directory with the following command:
touch foo
- Create a new user named
foobar
, with the option to automatically create a home directory. - Look at the contents of foobar's home directory. What do you notice?
- Be sure to record your observations in your lab notes.
- Issue the man pages for the useradd command. Explain the purpose of using the -e option for the useradd command. Try to think what would be the purpose for a Linux sysadmin to use this option when creating new users.
Answer the Part 2 observations / questions in your lab log book.
Part 3: Managing Groups
- Remain in your centos1 VM for this section.
- Read the man page for the
groupadd
andgroupdel
commands. - Note which option allows you to set the Group ID number (GID) when you create a new group.
- Examine the file
/etc/group
- Which values of GID are reserved for system accounts?
- Which values of GID are reserved for non-system user accounts?
- What is the lowest available GID number for non-system users?
- What is the default group name of a new user?
- Add a new group named
ops235
with a GID of600
. - The management at your organization have concerns regarding some irresponsible users on your system.
- Add a new group named investigation.
- Look at /etc/group and note the GID of group called investigation.
- What GID is given to a new group if you do not specify it?
- In the file, add those users to the end of the concerned group (separate each user-name with a comma).
- Those individuals have explained their actions to management and the crisis has been resolved. Delete the investigation group.
- Look at /etc/group again and note the change.
Answer the Part 3 observations / questions in your lab log book.
Part 4: Deleting / Modifying Users
- Remain in your centos1 VM for this section.
- Read the man page for the userdel command. Note which option automatically removes the users home directory when that user is deleted.
- Delete the user ops235_1 using the command
userdel ops235_1
- Delete the user ops235_2 using the same command with the option which removes the home directory of the user.
- Check the contents of the /home directory. What do you notice?
- Check the contents of the
/etc/group
file. What do you notice? - Read the man page for the usermod command. Note which options change the user's full name, primary group, supplementary groups, and shell.
- Create a new user account called noobie for the employee: "Really Green" . Assign a password for that newly created user.
- Management has indicated that this employee be on on probation for 3 months. Use the usermod command to set the account for noobie to expire in 3 months from this day as part of the security policy of this organization.
- Add each of your new users to the group ops235 (in other words, add ops235 to each user as a supplementary group).
- Examine
/etc/group
. What has changed? - Use the usermod command to change the full name of the user account noobie from "Really Green" to "Outstanding Employee". Examine the result of running that command in the
/etc/passwd
file. What has changed? - Use the usermod command to extend the use of their account for 5 years as of today.
- Be sure to record your observations in your lab notes.
Answer the Part 4 observations / questions in your lab log book.
INVESTIGATION 2: Managing Run-Levels and System Services
Many students may think that the following topic is small and "not a big deal". Those students may say, "How hard is running and stopping services?"
The process may not be hard, but knowing how to stop, start, restart and check the status of services is absolutely critical to a Linux server. Aside from learning to trouble-shoot problems by checking the status of running services, understanding how to manage services is critical to help protect a Linux server from penetration (this term is referred to as "Hardening a system"). Sometimes it is "what we don't know" that can harm us. One key element in hardening a computer system is to disable non essential networkng services to allow IDSs (Intrusion Detection Systems) to focus on a narrower range of policy violations. A Debian-based penetration testing distribution called Kali (formerly referred to as BackTrax) allows sysadmins and security professionals to identify vulnerabilities in their computer systems, and thus improve (harden) their systems against penetration. Learning to monitor the status, enable and disable networking services underlies the Backtrax motto:
"The quieter you are, then more you will hear..."
Part 1: How do we Manage System Services?
We have seen that maintaining unneeded packages can be a security risk due to the unnecessary increase in the complexity of your system. Similarly, it is also unnecessarily hazardous, and even more so, to leave unneeded services running. In this investigation, we will learn how to control services, and turn off those services that we think are not necessary to help reduce security risks.}}
- Use your centos2 VM for this part.
- Use the man pages to learn about the service command.
- Issue the following Linux command:
service --status-all
- Note the services that are currently running.
- Use the command
service iptables stop
to stop the service named iptables - Run a command to verify that the iptables service has stopped.
- A newer method of managing services is by using systemd. It has the ability to manage dependent service in parallel and allow one service to be stopped without disrupting the other services. Here is a link that briefly explains how to use systemd and the systemctl command:
- If you reboot now - the iptables service will be turned back on. We don't want it on though, it causes students headaches. To turn it off permanently we need to use the chkconfig command:
chkconfig iptables off
- Use the systemctl command (from the link above - showing examples) to verify that the iptables service is off (hint: issue command, and pipe to grep "iptables").
- Reboot and confirm that it's no longer running.
Answer Part 1 observations / questions in your lab log book.
Part 2: How do we Manage Runlevels?
Running servers in graphical mode will make your system most likely to be penetrated. The X-windows framework can be vulnerable to attacks when these servers are connected to the Internet. This is why when you install server versions of Linux, they work in text-based mode only. Desktop versions of Linux are then installed on workstations (working in graphical mode) that connect to the server (for security reasons).
The Linux sysadmin can also change the run-level (or state) of a graphical Linux server to run in text-based mode and run the graphical mode by issuing a command when graphic mode is required. The run-level term is now deprecated in Fedora, and will likely be deprecated in RHEL/CentOS at some point as well, but for now this is what the industry is using.
- Perform this part in both your centos2 and centos3 VMs.
- Issue the following Linux command:
runlevel
- Note the difference in output between centos2 and centos3.
- You can use the init command to change the current run-level. See a list of runlevels here. Use the
man
command to learn how to use the init command. Use this command to change the current runlevel in centos2 to 3. What happened? What happens after your reboot? - Change the default run-level on centos2 to 3. What happens now after you reboot?
- Issue the following Linux command:
startx
- What happens?
- Log-off your graphical system. You should return to your shell prompt.
- Change the default run-level for centos2 back to 5 and reboot to make sure it works.
Answer Part 2 observations / questions in your lab log book.
INVESTIGATION 3: LOOKING AHEAD
Automating Routine Tasks (Shell Scripting)
We will now use shell scripting to help automate the task for a Linux adminstrator to create regular user accounts.
- Use the
wget
command to download, study, and run the following shell scripts on-line:https://scs.senecac.on.ca/~murray.saul/user-create.bash
- Try to understand what these Bash Shell scripts do, and then run the script as root. After running the shell script, view the contents of the /home directory to confirm.
Although the zenity command is a "user-friendly" way to run shell scripts, Linux administrators usually create shell scripts that resemble common Linux commands. In this lab, you will learn to create a shell script using the getopts function to make your shell script behave more like actual Linux commands (including the use of options). Refer to the notes section on the right-hand-side for reference about the case statement and the getopts function.
- Open a Bash shell terminal and login as root.
- Use the wget command to download the input file called user-data.txt
- View the contents on the user-data.txt file to confirm there are 3 fields (username, fullname, and e-mail address).
- Use a text editor (such as
vi
ornano
) to create a Bash Shell script called:createUsers.bash
in /root's home directory. - Enter the following text content into your text-editing session:
#!/bin/bash
# createUsers.bash
# Purpose: Generates a batch of user accounts (user data stored in a text file)
#
# USAGE:
#
# /root/createUsers.bash [-i {input-path}]
#
# Author: *** INSERT YOUR NAME ***
# Date: *** CURRENT DATE ***
if [ $HOME != "root" ] # only runs if logged in as root
then
echo "You must be logged in as root." >&2
exit 1
fi
- Save your editing session, but remain in the text editor.
- The code displayed below uses the getopt function set the input file pathname or check for invalid options or missing option text. Add the following code
outputFlag="n"
while getopts i:n:a:g:o: name
do
case $name in
i) inputFile=$OPTARG ;;
:) echo "Error: You need text after options requiring text"
exit 1 ;;
\?) echo "Error: Incorrect option"
exit 1 ;;
esac
- Save your editing session, but remain in the text editor.
- The code displayed below uses logic to exit the script if the input file does not exist. Command substitution is used to store each line of the input file as a positional parameter. There is one subtle problem here: The full names of the users contain spaces which can create havoc when trying to set each line as a separate positional parameter. In this case the sed command is used to convert spaces to plus signs (+), which will be converted back later. Finally, a for loop is used to create each account (useradd) and mail the user their account information (mail). Add the following code:
if [ ! -f $inputFile ]
then
echo "The file pathname \"$inputFile\" is empty or does not exist" >&2
exit 2
fi
set $(sed 's/ /+/g' $inputfile) # temporarily convert spaces to + for storing lines as positional parameters
for x
do
useradd -m -c "$(echo $x | cut -d":" -f2 | sed 's/+/ /g')" -p $(date | md5sum | cut -d" " -f1) $(echo $x | cut -d":" -f1)
mail -s "Server Account Information" $(echo $x | cut -d":" -f3) <<+
Here is your server account information:
servername: myserver.senecac.on.ca
username: $(echo $x | cut -d":" -f1)
password: $(date | md5sum | cut -d" " -f1)
Regards,
IT Department
+
done
echo -e "\n\nAccounts have been created\n\n"
exit 0
- Save, set permissions, and then run that shell script for the input text file user-data.txt. Did it work? Try running the script without an argument - What did it do?
- You have completed lab4. Proceed to Completing The Lab, and follow the instructions for "lab sign-off".
Answer Investigation 3 observations / questions in your lab log book.
LAB 4 SIGN-OFF (SHOW INSTRUCTOR)
Arrange proof of the following on the screen:
- ✓ Account created on centos1 VM.
- ✓ List contents of /etc/group file (ops235 group) on centos1 VM.
- ✓ List contents of /etc/passwd file (created accounts) on centos1 VM.
- ✓ Display current run-level status on centos2 VM.
- ✓ Creation of your bash shell script called createUsers.bash
Preparing for the Quizzes
- Describe all of the field in
/etc/passwd
- What is the command to create a user? What option to create a home directory for that user?
- What is the command to change the full name of an already-created user?
- What is the command to delete a user account? What option allows for the user's home directory to be removed as well?
- What is the command to create a group? What is the command (or steps) to include a user in a newly-created group?
- What is the purpose of
/etc/shadow
? - What is the purpose of
/etc/skel
? - What does the term run-level mean?
- How to set the run-level of a Linux system to text-based only? How to set to graphical mode?
- What is the command to view the status of running services?
- What is the command to start a service (like httpd, or sshd)?
- What is the command to start a service?
- Can a service be stopped and started by issuing just one command?