1,576
edits
Changes
no edit summary
[[Category:OPS235]]
{{Admon/caution|THIS IS AN OLD VERSION OF THE LAB|'''This is an archived version. Do not use this in your OPS235 course.'''}}
=LAB PREPARATION=
=Logical Volume Management (Continued) and User =Purpose / Group Management= ==Introduction== In this lab you're going to learn how to: :* Add a virtual hard disk and expand your vm's existing file system using LVM:* Administer (add, remove, modify) users on a Linux system.:* Save time while adding new users using a template of start-up files.:* Create and manage groups on a Linux system. == Required Materials (Bring to All Labs) == * CentOS 6.5 x86_64 Live DVD* CentOS 6.5 x86_64 Installation DVD1* SATA Hard Disk (in removable disk tray)* USB Memory Stick* Lab Logbook ==Prerequisites== * Completion and Instructor "Sign-off" Objectives of Lab 2: [[OPS235 Lab 3 - CentOS6]] 4==Linux Command Online Reference==Each Link below displays online manpages for each command (via [http://linuxmanpages.com/ http://linuxmanpages.com]): {|width="10040%" align="right" cellpadding="510"|'''LVM Information Utilities:'''|'''LVM Management Utilities:'''|'''Additional Utilities:'''
|- valign="top"
|
|
|}
A few additional tasks are user management and managing services.
|width== Investigation 2"10%" |[[Image: How do you install and remove software with RPM? ==ubs-key.png|thumb|left|85px|<b>USB key</b><br>(for backups)]]
== Investigation 3: How do you install and remove software with ''yum''? My Toolkit (CLI Reference)==
{{Admon|width="50%" cellpadding="15"|- valign="top"|width="10%" |<u>User Management:</u>[http://unixhelp.ed.ac.uk/CGI/man-cgi?useradd+8 useradd]<br>[http://noteunixhelp.ed.ac.uk/CGI/man-cgi?userdel+8 userdel]<br>[http://unixhelp.ed.ac.uk/CGI/man-cgi?usermod+8 usermod]<br>[http://unixhelp.ed.ac.uk/CGI/man-cgi?groupadd+8 groupadd]<br>[http://unixhelp.ed.ac.uk/CGI/man-cgi?groupdel+8 groupdel]|Internet Connectionwidth="10%" |In order for yum to work you require a connection to the Internet<u>Managing Services</u>[http://unixhelp.ed.ac.uk/CGI/man-cgi?chkconfig+8 chkconfig]<br>[http://unixhelp.ed.ac. Establish this connection by using the browser to log into SeneNET}uk/CGI/man-cgi?service+8 service]<br>[http://www.dsm.fordham.edu/cgi-bin/man-cgi.pl?topic=systemctl systemctl]<br>|width="10%" |<u>Miscellaneous</u>[http://man7.org/linux/man-pages/man5/passwd.5.html /etc/passwd]<br>[http://man7.org/linux/man-pages/man5/group.5.html /etc/group]<br>[http://man7.org/linux/man-pages/man5/shadow.5.html /etc/shadow]<br>[http://archive.linuxfromscratch.org/blfs-museum/1.0/BLFS-1.0/postlfs/skel.html /etc/skel]<br>[http://zenit.senecac.on.ca/wiki/index.php/Init_vs_systemd init vs systemd]|}
= INVESTIGATION 1: User/Group Management =
User account management is a very important operation that a Linux sysadmin does on a consistent basis. The sysadmin not only needs to add or remove user accounts by issuing commands, but may need to automate user account creations a large number (batch) of potential employees. There are many features with the Linux command to create new users including: specification of a home directory, type of shell used, name, password and time-limit (referred to as "aging") for a new user account. Remove user accounts also have options such as removing the user account but keeping the home directory for reference or evidence of "wrong-doing"
== Investigation 4Part 1: The /etc/passwd file ==
# Look at the <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/passwd </span></code></b> file.
# Make note of the contents of that file.
# Read about the file: http://man7.org/linux.die.net/man-pages/5man5/passwd .5.html
# Make sure you know what information each field contains.
# Why do you think there are so many users?
# The user IDs of real users (people) are different from the user IDs of system accounts. What is the pattern?
'''Answer the Part 1 observations / questions in your lab log book.''' == Investigation 5Part 2: Adding users ==
#Perform this part in your '''centos1''' VM.# Read the man page for the <b><code><span style="color:#3366CC;font-size:1.2em;">useradd </span></code></b> command.# Create a new user account for each of your pod mates, using three fictitious users (make-up their learn account name as a user nameuserids and full names. Give each user of these newly-created users a password.# Grep the <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/passwd </span></code></b> file for each of the new users.#* What is the '''home ''' directory of each user?#* What '''group ''' is each user in?#* What else do other information can you know about each userprovide regarding these users?#* Where are the '''passwords ''' stored?# Look at the man page for '''/etc/shadow ''' using the command : <b><code><span style="color:#3366CC;font-size:1.2em;">man 5 shadow</span></code></b>#* Grep the <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/shadow </span></code></b> file for each of the new users.
#* Make note of this information.
# Create two new dummy users, <b><code><span style="color:#3366CC;font-size:1.2em;">ops235_1 </span></code></b> and <b><code><span style="color:#3366CC;font-size:1.2em;">ops235_2</span></code></b>.
# Investigate the home directory of one of your new users.
#* What files are there? Be sure to include hidden files.
#* What do you think these files are used for?
#* How does the operating system determine which files are created in a new home account? The answer can be found here: <br>http://www.linuxhowtos.org/Tips%20and%20Tricks/using_skel.htm
#* Look at the files (including hidden files) in the template directory referred to in the article. Compare them to what is in a home directory for a new user. What do you notice?
#* Create a new file in this directory with the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">touch foo</span></code></b>#* Create a new user named <b><code><span style="color:#3366CC;font-size:1.2em;">foobar</span></code></b>, with the option to automatically create a home directory.
#* Look at the contents of foobar's home directory. What do you notice?
# Be sure to record your observations in your lab notes.
#Issue the man pages for the '''useradd''' command. Explain the purpose of using the '''-e''' option for the ''useradd'' command. Try to think what would be the purpose for a Linux sysadmin to use this option when creating new users.
#Remain in your '''centos1''' VM for this section.# Read the man page for the <b><code><span style="color:#3366CC;font-size:1.2em;">groupadd </span></code></b> and <b><code><span style="color:#3366CC;font-size:1.2em;">groupdel </span></code></b> commands.# Note which option allows you to set the Group ID number ('''GID''') when you create a new group.# Examine the file <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/group</span></code></b>
#* Which values of GID are reserved for system accounts?
#* Which values of GID are reserved for non-system user accounts?
#* What is the lowest available GID number for non-system users?
#* What is the default group name of a new user?
#* Add a new group named <b><code><span style="color:#3366CC;font-size:1.2em;">ops235 </span></code></b> with a GID of <b><code><span style="color:#3366CC;font-size:1.2em;">600</span></code></b>.#* You are angry The management at your organization have concerns regarding some irresponsible users on your system.#** Add a new group named idiots'''investigation'''.#** Look at '''/etc/group ''' and note the GID of idiotsgroup called '''investigation'''.#** What GID is given to a new group if if you do not specify it?#** Your anger In the file, add those users to the end of the concerned group (separate each user-name with a comma).#** Those individuals have explained their actions to management and the crisis has subsidedbeen resolved. Delete the idiots '''investigation''' group.#** Look at '''/etc/group ''' again and note the change. '''Answer the Part 3 observations / questions in your lab log book.''' == Part 4: Deleting / Modifying Users == #Remain in your '''centos1''' VM for this section.# Read the man page for the '''userdel''' command. Note which option automatically removes the users home directory when that user is deleted.# Delete the user '''ops235_1''' using the command <b><code><span style="color:#3366CC;font-size:1.2em;">userdel ops235_1</span></code></b># Delete the user '''ops235'''_2 using the same command with the option which removes the home directory of the user.# Check the contents of the /home directory. What do you notice?# Check the contents of the <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/group</span></code></b> file. What do you notice?# Read the man page for the usermod command. Note which options change the user's full name, primary group, supplementary groups, and shell.# Create a new user account called '''noobie''' for the employee: '''"Really Green"''' . Assign a password for that newly created user.# Management has indicated that this employee be on on probation for 3 months. Use the '''usermod''' command to set the account for noobie to expire in 3 months from this day as part of the security policy of this organization.# Add each of your new users to the group ops235 (in other words, add ops235 to each user as a supplementary group).# Examine <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/group</span></code></b>. What has changed?# Use the '''usermod''' command to change the full name of the user account '''noobie''' from '''"Really Green"''' to '''"Outstanding Employee"'''. Examine the result of running that command in the <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/passwd</span></code></b> file. What has changed?# Use the '''usermod''' command to extend the use of their account for 5 years as of today.# Be sure to record your observations in your lab notes. '''Answer the Part 4 observations / questions in your lab log book.''' =INVESTIGATION 2: Managing System Services and Run-levels= Many students may think that the following topic is small and "not a big deal". Those students may say, '''"How hard is running and stopping services?"''' The process may not be hard, but knowing how to stop, start, restart and check the status of services is absolutely critical to a Linux server. '''Aside from learning to trouble-shoot problems''' by checking the status of running services, '''understanding how to manage services is critical to help protect a Linux server from penetration''' (this term is referred to as "'''Hardening a system'''"). Sometimes it is "what we don't know" that can harm us. One key element in hardening a computer system is to disable non essential networkng services to allow IDSs ('''Intrusion Detection Systems''') to focus on a narrower range of policy violations. A Debian-based penetration testing distribution called '''Kali''' (formerly referred to as '''"BackTrax"''') allows sysadmins and security professionals to identify vulnerabilities in their computer systems, and thus improve (harden) their systems against penetration. Learning to monitor the status, enable and disable networking services underlies the '''Backtrax''' motto:<br><br>'''''"The quieter you are, then more you will hear..."'''''<br><br> === Part 1: How do we Manage System Services? === We have seen that maintaining unneeded '''packages can be a security risk''' due to the unnecessary increase in the complexity of your system. Similarly, it is also unnecessarily hazardous, and even more so, to leave unneeded services running. In this investigation, we will learn how to '''control services, and turn off those services that we think are not necessary to help reduce security risks'''. #Use your '''centos2''' VM for this part.<ol> <li value="2">Use the '''man''' pages to learn about the '''service''' command.</li><li>Issue the following Linux command: <ul> <li><b><code><span style="color:#3366CC;font-size:1.2em;">service --status-all</span></code></b></li> </ul> </li> <li>Note the services that are currently running.</li> <li>Use the command <b><code><span style="color:#3366CC;font-size:1.2em;">service iptables stop</span></code></b> to stop the service named '''iptables'''</li> <li>Run a command to verify that the '''iptables''' service has stopped.<br><br>'''NOTE:''' Although the service command seems to work, it is <u>'''deprecated'''</u> (i.e. "out-dated:). It has been replaced by using the [http://zenit.senecac.on.ca/wiki/index.php/Init_vs_systemd#systemd_Command_Usage systemctl] command. This is a command based upon a newer method of starting and managing system services called [http://zenit.senecac.on.ca/wiki/index.php/Init_vs_systemd systemd] (which replaces init - the "initialization table"). This method allows services to run more independently of each other, so that a service may be stopped without other dependent services to be stopped as well.<br><br>The most common '''systemctl''' commands are shown below (it is optional to include the filename extension '''.service''' after the service-name):<ul><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl list-units --all'''</span> (get a listing of all service names. Can pipe to grep to list service you are interested in)</li><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl status service-name'''</span> (Confirm status of a service - running or not-running)</li><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl stop service-name'''</span> (stop a service)</li><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl start service-name'''</span> (start a service)</li><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl restart service-name'''</span> (restart a service)</li><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl enable service-name'''</span> (enable service so service runs upon system startup)</li><li><span style="font-family:courier;font-size:1.2em;font-weight:bold;">'''systemctl disable service-name'''</span> (disable service so it does NOT run upon system startup)<br><br></li></ul></li> <li>If you reboot now - the iptables service will be turned back on. We don't want it on though, it causes students headaches.<br>To turn it off permanently we need to use the '''systemctl''' command:<b><code><span style="color:#3366CC;font-size:1.2em;">systemctl disable iptables</span></code></b><br>(the '''chkconfig''' command used to be the way to enble/disable services, but is now deprecated).</li> <li>Use the '''systemctl''' command to verify that the '''iptables''' service is no longer running ('''hint:''' issue command, and pipe to grep "'''iptables'''"). <li>Reboot and confirm that it's no longer running.</li></ol> '''Answer Part 1 observations / questions in your lab log book.''' ===Part 2: How do we Manage Runlevels?=== Running servers in graphical mode will make your system most likely to be penetrated. The X-windows framework can be vulnerable to attacks when these servers are connected to the Internet. This is why when you install server versions of Linux, they work in text-based mode only. Desktop versions of Linux are then installed on workstations (working in graphical mode) that connect to the server (for security reasons). The Linux sysadmin can also change the run-level (or state) of a graphical Linux server to run in text-based mode and run the graphical mode by issuing a command when graphic mode is required. The run-level term is now deprecated in Fedora, and will likely be deprecated in RHEL/CentOS at some point as well, but for now this is what the industry is using.
#Perform this part in both your '''centos2''' and '''centos3''' VMs.<ol> <li value="2">Issue the following Linux command: <ul> <li><b><code><span style= Investigation 7"color: Deleting users =#3366CC;font-size:1.2em;">runlevel</span></code></b></li> </ul> </li> <li>Note the difference in output between '''centos2''' and '''centos3'''.</li> <li>You can use the '''init''' command to change the current run-level. See a list of runlevels [https://www.centos.org/docs/5/html/5.2/Installation_Guide/s2-init-boot-shutdown-rl.html here].</li><li> Use the '''man''' command to learn how to use the '''init''' command. Use this command to change the current run-level in '''centos2''' to '''3'''. What happened?</li> <li>Issue the following Linux command: <ul> <li><b><code><span style="color:#3366CC;font-size:1.2em;">startx</span></code></b></li> </ul> </li> <li>What happens?</li> <li>Log-off your graphical system. You should return to your shell prompt.</li> <li>Using systemd requires a different method of setting text mode and graphical mode. You can refer to this link for future reference: [http://fedoraproject.org/wiki/Systemd#How_do_I_change_the_runlevel.3F How to Change Run-Levels with Systemd]</li><li>Restart your centos2 machine, and make certain that it runs in '''graphical''' mode</li> </li>Why would you want to make a graphical Linux system run in text-based mode?</li></ol>
<ol><li value="3">Open a Bash shell terminal and login as root.</li><li>Use the wget command to download the input file called user-data.txt by issuing the command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">wget https://scs.senecac.on.ca/~murray.saul/user-data.txt</span></code></b></li><li>View the contents on the user-data.txt file to confirm there are 3 fields (username, fullname, and e-mail address)which are separated by the colon (:) symbol.<li><li>Use a text editor (such as <b><code><span style="color:#3366CC;font-size:1.2em;">vi</span></code></b> or <b><code><span style="color:#3366CC;font-size:1.2em;">nano</span></code></b>) to create a Bash Shell script called: <b><code><span style="color:#3366CC;font-size:1.2em;">createUsers.bash</span></code></b> in /root's home directory.</li><li>Enter the following text content into your text-editing session:</li></ol><code style= Investigation 8"color: Modifying #3366CC;font-family:courier;font-size:.9em;margin-left:20px;"><br>#!/bin/bash <br><br># createUsers.bash<br># Purpose: Generates a batch of user accounts (user data stored in a text file)<br>#<br># USAGE: /root/createUsers.bash [-i {input-path}] <br>#<br># Author: *** INSERT YOUR NAME ***<br># Date: *** CURRENT DATE ***<br><br>if [ $PWD != "/root" ] # only runs if in root's home directory<br>then<br> echo "You must be in root's home directory." >&2<br> exit 1<br>fi<br>if [ "$#" -eq 0 ] # if no arguments after command<br>then<br> echo "You must enter an argument" >&2<br> echo "USAGE: $0 [-i {input-path}]" >&2<br> exit 2<br>fi<br></code><br><ol><li value="6">Save your editing session, but remain in the text editor.</li><li>The code displayed below uses the getopt function set the input file pathname or check for invalid options or missing option text. Add the following code</li></ol><br><code style="color:#3366CC;font-family:courier;font-size:.9em;"><br>outputFlag="n"<br>while getopts i: name<br>do<br> case $name in<br> i) inputFile=$OPTARG ;;<br> :) echo "Error: You need text after options requiring text"<br> exit 1 ;;<br> \?) echo "Error: Incorrect option"<br> exit 1 ;;<br> esac<br>done<br></code><ol><li value="6">Save your editing session, but remain in the text editor.</li><li>The code displayed below uses logic to exit the script if the input file does not exist. Command substitution is used to store each line of the input file as a positional parameter. There is one subtle problem here: The full names of the users contain spaces which can create havoc when trying to set each line as a separate positional parameter. In this case the sed command is used to convert spaces to plus signs (+), which will be converted back later. Finally, a '''for''' loop is used to create each account ('''useradd''') and mail the user their account information ('''mail'''). Add the following code:</li></ol><br><code style="color:#3366CC;font-family:courier;font-size:.9em;"><br>if [ ! -f $inputFile ]<br>then<br> echo "The file pathname \"$inputFile\" is empty or does not exist" >&2<br> exit 2<br>fi<br><br>set $(sed 's/ /+/g' $inputFile) # temporarily convert spaces to + for storing lines as positional parameters<br><br>for x<br>do<br> userPassWd=$(date | md5sum | cut -d" " -f1)<br> useradd -m -c "$(echo $x | cut -d":" -f2 | sed 's/+/ /g')" -p $userPassWd $(echo $x | cut -d":" -f1)<br> mail -s "Server Account Information" $(echo $x | cut -d":" -f3) <<+<br> Here is your server account information:<br> servername: myserver.senecac.on.ca<br> username: $(echo $x | cut -d":" -f1)<br> password: $userPassWd<br> Regards,<br> IT Department<br>+<br>done<br><br>echo -e "\n\nAccounts have been created\n\n"<br>exit 0<br></code>
= Preparing for the = Practice For Quizzes , Tests, Midterm & Final Exam ==
# Describe all of the field in <code>'''/etc/passwd'''</code># What is the command to create a VGuser? PV? LVWhat option to create a home directory for that user? # What is the total size command to change the full name of the "main" VG on your systeman already-created user?# How do you create What is the command to delete a LVuser account?# How do you delete an LVWhat option allows for the user's home directory to be removed as well?# How would you add What is the disk partition <code>/dev/sdb7</code> command to your volume create a group "main"?# How would you increase What is the size of the root filesystem by 50 MBcommand (or steps) to include a user in a newly-created group?# What is the purpose of <code>'''/etc/fstabshadow'''</code>?# What is the purpose of <code>'''/etc/shadowskel'''</code>?# What does the term run-level mean?# How to set the run-level of a Linux system to text-based only? How to set to graphical mode?# What is the command to view the status of running services?# What is the command to start a service (like httpd, or sshd)?# What is the command to start a service?# Can a service be stopped and started by issuing just one command?
[[Category:OPS235]]
[[Category:OPS235 Labs]]