The process may not be hard, but knowing how to stop, start, restart and check the status of services is absolutely critical to a Linux server. '''Aside from learning to trouble-shoot problems''' by checking the status of running services, '''understanding how to manage services is critical to help protect a Linux server from penetration''' (this term is referred to as "'''Hardening a system'''"). Sometimes it is "what we don't know" that can harm us. One key element in hardening a computer system is to disable non essential networkng services to allow IDSs ('''Intrusion Detection Systems''') to focus on a narrower range of policy violations. A Debian-based penetration testing distribution called '''Kali''' (formerly referred to as '''"BackTraxBackTrack"''') allows sysadmins and security professionals to identify vulnerabilities in their computer systems, and thus improve (harden) their systems against penetration. Learning to monitor the status, enable and disable networking services underlies the '''BacktraxBacktrack''' motto: '''''"The quieter you are, then more you will hear..."'''''<br><br>

# Issue the '''userdel''' comamnd command to remove the '''ops245_1''' account with , but this time include the '''-r option''' (and to also remove the home directory regardless if it exists or not).

#Issue Look in the man pages for the '''useradd''' command. Explain the purpose of using the '''-e''' option for the ''useradd'' command.#Issue the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">sudo chage -E 20212024-12-31 ops245_1</span></code></b>

=== Part 1: Finding out why Your First User can do Anything? ===

You've already observed that your first user can use sudo to execute any command, but what about their account actually makes that possible.?

<li>View (but do not edit) the contents of '''/etc/suduoerssudoers'''. Search for your user account. You won't find them.</li><li>Check the contents of '''/etc/passwd ''' and '''/etc/group ''' for entries with your user account. Is there anything different between your account and '''ops245_1'''?</li><li>You should find that your user is part of a secondary group. What group is it? Are they part of that group on '''centos3'''?</li><li>The '''wheel''' group represents administrators with complete sudo privileges. Go back to '''/etc/sudoers ''' and read the entry for '''wheel'''. It should look something like this:<br />

<li>On centos3, add your user to '''wheel ''' as a secondary group so you can use sudo the same way there that you can on your other machines.</li>

<li>We don't want '''ops245_2''' to manage services, that's a job for '''ops245_1''', but we do want them to manage user accounts. So log back in as your regular user and create a sudeors file for '''ops245_2''' and set it so that they can run the useradd, usermod, userdel, groupadd, groupmod, and groupdel commands through sudo.</li><b><code><span style="color:#3366CC;font-size:1.2em;">ops245_2 ALL=(ALL) /usr/sbin/useradd<br />ops245_2 ALL=(ALL) /usr/sbin/usermod<br />ops245_2 ALL=(ALL) /usr/sbin/userdel<br />ops245_2 ALL=(ALL) /usr/sbin/groupadd<br />ops245_2 ALL=(ALL) /usr/sbin/groupmod<br />ops245_2 ALL=(ALL) /usr/sbin/groupdel<br /></span></code></b>

Although there is a command called: '''service''' that may appear to manager manage services on your Linux system, it is considered <u>'''deprecated'''</u> (i.e. "obsolete"). It has been replaced by using the [http://zenit.senecac.on.ca/wiki/index.php/Init_vs_systemd#systemd_Command_Usage systemctl] command.

# Issue the commands to '''start''' and '''enable''' the iptables service, and '''verify''' that it is <u>started</u> and <u>enabled</u>.<br><br>'''Note:''' If you performed the commands correctly, the iptables service should be running, and will automatically run upon your Linux machine start-up.  

The Linux sysadmin can also change the run-level target (or state) of a graphical Linux server to run in text-based mode and run the graphical mode by issuing a command when graphic mode is required. The You may also encounter this capability described as run-level levels, but that term is now deprecated in Fedora, and will likely be deprecated in /RHEL/CentOS at some point as well, but for now this is what the industry is using.

# Try the same command on your '''centos3''' VM and observe how the output differs. Go back to your '''centos3centos1''' VM.# You can use the '''systemctl isolate''' command to change the current run-leveltarget. See a list of runlevels targets [https://www.centos.org/docs/5/html/5.2/Installation_Guide/s2-init-boot-shutdown-rl.html here].# Change the current run-level target in '''centos1''' to '''multi-user.target''' by issuing the following command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">sudo systemctl isolate multi-user.target</span></code></b>

# Issue the <b><code><span style="color:#3366CC;font-size:1.2em;">sudo systemctl set-default multi-user.target</span></code></b> command (with elevated permissions) to change the current defatult run-level default target in '''centos1''' to '''multi-user.target''', then reboot your machine. What do you notice?

= INVESTIGATION 4: CREATING USERS VIA USING ARGUMENTS IN SHELL SCRIPTS= 

{|width="40%" align="right" cellpadding="10"|- valign="top"|{{Admon/tip|Bash Shell Scripting Tips:|<br>'''T<u>he case statement</u>'''<ul><li>The case statement is a control-flow statement that works in a similar way as the if-elif-else statement (but is more concise). This statement presents scenerios or "cases" based on values or regular expressions (not ranges of values like if-elif-else statements).<br><br></li><li>After action(s) are taken for a particular scenerio (or "case"), a break statement (''';;''') is used to "break-out" of the statement (and not perform other actions). A default case (*) is also used to catch exceptions.<br><br></li><li>Examples:<br><br>''read -p "pick a door (1 or 2): " pick<br>case $pick in<br>&nbsp; 1) echo "You win a car!" ;;<br>&nbsp; 2) echo "You win a bag of dirt!" ;;<br>&nbsp; *) echo "Not a valid entry"<br>&nbsp;&nbsp;&nbsp;&nbsp; exit 1 ;;<br>esac''<br><br>''read -p "enter a single digit: " digit<br>case $digit in<br>&nbsp; [0-9]) echo "Your single digit is: $digit" ;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *)&nbsp;echo "not a valid single digit"<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; exit 1 ;;<br>esac''<br><br></li></ul>'''<u>The getopts function</u>'''<ul><li>The getopts function allows the shell scripter Using argparse to create scripts that accept options (like options for Linux commands). This provides Obtain Positional Arguments from the Linux administrator with scripts that provide more flexibility and versatility. A built-in function called '''getopts''' (i.e. get command options) is used in conjunction with a '''while''' loop and a '''case''' statement to carry out actions based on if certain options are present when the shell script is run.<br><br></li><li> The variable '''$OPTARG''' can be used if an option accepts text (denoted in the getopts function with an option letter followed by a colon. Case statement exceptions use the ''':)''' and '''\?)''' cases for error handling.<br><br><li>Example:<br><br>''while getopts abc: name<br>do<br>&nbsp; case $name in<br>&nbsp; &nbsp; a) echo "Action for option \"a\"" ;;<br>&nbsp; &nbsp; b) echo "Action for option \"b\"" ;;<br>&nbsp; &nbsp; c) echo "Action for option \"c\""<br>&nbsp; &nbsp; &nbsp; &nbsp; echo Value is: $OPTARG" ;;<br>&nbsp; &nbsp; :) echo "Error: You need text after -c option"<br>&nbsp; &nbsp; &nbsp; &nbsp; exit 1 ;;<br>&nbsp; &nbsp; \?) echo "Error: Incorrect option"<br>&nbsp; &nbsp; &nbsp; &nbsp; exit 1 ;;<br>esac''<br>done<br><br></li></ul>}}|}===Using getopts Function &amp; case statementCommand Line===

We In this investigation we will now use shell scripting python's argparse module to help automate make our scripts more automation-capable by reducing (or eliminating) how much interactivity we need from the task for a Linux adminstrator to create regular user accounts.

#<ol><li>You will be using your '''c7host''' machine for this section.</li>#Open a shell terminal, and login as root.#<li>Change to the your '''/root/bin''' directory.#Download, study, and run the following shell script. Issue the command:<br/li><bli><code><span style="cursor:default;color:#3366CC;font-size:1Use your '''tarchiver.2em;">wget https:py''' (from lab 3) as a command to make a tar archive of //icttmp called mytmp.senecacollegetar.ca/~ops235/labs/user-create.bash</span></code><br /b>#Try You'll notice that even after hitting enter to understand what these Bash Shell scripts do, and then run the command, you still needed to give more data to your script as root (to tell it which directory you wanted to archive, what to create just one user called '''test'''. After running the shell scriptcall it, view the contents of the '''/home''' directory and what compression to confirmuse).<br />  Although Requiring this much interaction from the '''zenity''' command is a "user-friendly" way to run shell scripts, Linux administrators usually create shell scripts means that resemble common Linux commandsthis script is not very good for automation. In We can't schedule this labscript to automatically run, you will learn because we (or another admin) need to be present to create a shell script using the getopts function type answers to make your shell script behave more like actual Linux commands (including the use prompts.</li><li>Make a copy of options)your tarchiver. Refer to the notes section on the right-hand-side for reference about the '''case''' statement py script and the call it '''getoptstarchiver2.py''' function.  <ol><li value="6">Open a Bash shell terminal and login as root We will work with tarchiver2.py for the rest of this investigation.</li><li>Change to Import the '''/root/bin''' directoryargparse module into tarchiver2.py.</li><li>Use Add the wget command following lines to download your script, after the import, but before you prompt the input file called user-data.txt by issuing the commandfor anything:<br/><b><code><span styleparser ="color:#3366CC;font-size:1argparse.2em;">wget https://ict.senecacollege.ca/~ops235/labs/user-data.txtArgumentParser()<br/span>args = parser.parse_args()</code><br /b></li><li>View This creates an argument parser and makes it read all the contents on command line arguments the user-dataentered.txt file to confirm there are 3 fields (username However, fullnamewe haven't defined any that we expect yet, and eso all this will do is display a default help message if the user runs our script with -mail address)which are separated by the colon (:) symbolh.</li><li>Use a text editor (such as Try that now:<bbr /><code><span style="color:#3366CC;fonttarchiver2.py -size:1.2em;">vi</span>h</code></bli> or <bli><code><span style="color:#3366CC;font-size:1For argparse to be really useful, we need to tell it to expect some command line arguments (and then do something with them).2em;">nano<br /span></code></b>) to create a Bash Shell Modify your script calledso the argparse portion of it looks like this: <bbr /><code><span styleparser ="color:#3366CC;font-size:1argparse.2em;">createUsers.bashArgumentParser()<br/span></code></b> in the /root/bin directoryparser.</li><li>Enter the following text content into your text-editing session:</li></ol><code styleadd_argument("dest",help="color:#3366CC;font-family:courier;font-size:The name you would like to give the archive.9em;margin-left:20px;font-weight:bold;">)<br>&#35;!/bin/bash <br><br>&#35; createUsersargs = parser.bash<br>&#35; Purpose: Generates a batch of user accounts parse_args(user data stored in a text file)<br>&#35;<br>&#35; USAGE: /root/createUsers.bash [-i {input-path}] <brcode>&#35;<br/>&#35; AuthorAnd replace the line where you prompt the user for the destination archive name with: *** INSERT YOUR NAME ***<br>&#35; Date: *** CURRENT DATE ***<br/><brcode>&#35; Make certain user is logged in as rootdestination = args.dest<br/code>if [ $USER != "root" ]<br/>then<br>&nbsp; &nbsp;echo "Note: You are required Instead of '''destination''', use the variable name were already using to store the value you were getting from the user. That way you won't have to run this program as rootchange it in the rest of your script."<br/li>&nbsp; &nbsp;exit 1<brli>fiTry using your script to make another archived copy of /tmp, this time calling it '''secondtmp.tar'''.<br/><br>if [ "$#" -eq 0 ] # If you didn't provide secondtmp.tar on the command line when you ran the command, you'll notice that your script complained. if no arguments after command<br>then<br>&nbsp;echo "You must enter an argument" >&2<br>&nbsp;echo "USAGETry running: $0 [-i {input-path}]" >&2<br/>&nbsp;exit 2<brcode>fi<br>tarchiver2.py secondtmp.tar</code><br/li><ol><li value="12">Save your editing sessionYou should still be getting prompted about the directory you want to archive, and whether or not you want compression, but remain in you are now telling the script that the text editorcreated archive should be called secondtmp.tar.</li><li>The code displayed below uses Run the script again, but this time give the archive a different name of your own choice. Your script is part way to being automatable: the getopt function user can set the input file pathname or check name of the created archive before the script runs. We just need to make this possible for invalid options or missing option textthe rest of the required data. Add the following code</li></ol><brli><code style="color:#3366CC;font-family:courier;font-size:Add a second parser.9em;font-weight:bold;"><br>outputFlag="n"<br>while getopts i: add_argument line to your script so that you can also obtain the name<br>do<br>&nbsp;case $name in<br>&nbsp; &nbsp;i) inputFile=$OPTARG ;;<br>&nbsp; &nbsp;:) echo "Error: of the directory to archive from the command line. You need text can choose if it should go before or after options requiring text"the name of the archive. Just remember to use a different argument name, and an appropriate help message.<br/li>&nbsp; &nbsp; &nbsp; &nbsp;exit 1 ;;<brli>&nbsp; &nbsp;\?) echo "Error: Incorrect option"Replace the line in your script that prompts the user for the name of the directory with code that will retrieve the value the user entered on the command line.<br>&nbsp; &nbsp; &nbsp; &nbsp; exit 1 ;;<br/li>&nbsp;esac<brli>doneRun you script to make sure it works.<br></code><ol><li value="14">Save your editing sessionYou should now be able to enter both the directory to archive, but remain in and the name of the resulting archive on the text editorcommand line, and should only be prompted about compression.</li><li>The code displayed below uses logic All that is left to exit finish the script if the input file does not exist. Command substitution is used to store each line of replace the input file as a positional parameter. There is one subtle problem here: The full names of the users contain spaces which can create havoc when trying to set each prompts for compression with command line as a separate positional parameteroptions. In You could do this case the sed command is used by adding a third argument and requiring it to convert spaces to plus signs include a compression type, or by creating a mutually exclusive group with three arguments in it (+one for each compression type), which will be converted back later. Finally, a Neither of these is more '''forcorrect''' loop is used than the other. Pick which one you would like to create each account ('''useradd''') try and mail finish the user their account information ('''mail''')script with it. Add the following code:</li></ol><brli><code style="color:#3366CC;font-family:courier;font-size:.9em;font-weight:bold;"><br>When you are finished, you should be able to specify the directory to archive, the name of the archive to create, and the compression type (if [ ! -f $inputFile ]<br>then<br>&nbsp; echo "The file pathname \"$inputFile\" is empty or does not exist" >&2<br>&nbsp; exit 2<br>fi<br><br>set $(sed 's/ /+/g' $inputFileany) from the command line. # temporarily convert spaces to + The user should no longer be prompted for storing lines as positional parametersanything after hitting <br><br>for x<br>do<brcode>&nbsplt; enter&nbspgt; userPassWd=$(date | md5sum | cut -d" " -f1)<br>&nbsp; &nbsp; useradd -m -c "$(echo $x | cut -d":" -f2 | sed 's/+/ /g')" -p $userPassWd $(echo $x | cut -d":" -f1)<brcode>&nbsp; &nbsp; mail -s "Server Account Information" $(echo $x | cut -d":" -f3) <<+<br>&nbsp; &nbsp; Here is your server account information:<br>&nbsp; &nbsp; servername: myserver.senecac.on.ca<br>&nbsp; &nbsp; username: $(echo $x | cut -d":" -f1)<br>&nbsp; &nbsp; password: $userPassWd<br>&nbsp; &nbsp; Regards,<br>&nbsp; &nbsp; IT Department<br>+<br>done<br><br>echo -e "\n\nAccounts have been created\n\n"<br>exit 0<br/li></codeol>

<ol><li value="16">Save, set permissions, and then run that shell script for the input text file '''user-data.txt'''. Did it work? Try running the script without an argument - What did it do? </li><li>You have completed lab4. Proceed to Completing The Lab, and follow the instructions for "lab sign-off".</li></ol>

# Open a shell terminal, enter a root session, and change to the your '''/root/bin''' directory.# Issue the Linux command: <b><code><span style="color:#3366CC;font-size:1.2em;">wget https://ictraw.githubusercontent.com/OPS245/labs/main/lab4-check.senecacollegebash</span></code></b><!--<br />For Andrew's sections use this script instead:<b><code><span style="color:#3366CC;font-size:1.ca2em;">wget http://~peterlittlesvr.callaghanca/ops245/labs/lab4-check-andrew.bash</span></code></b>-->

#Take a screenshot of the proof in the previous step, and upload it , your tarchiver2.py script, your log book, and the file generated by '''lab4-check.bash''' to blackboard.