1.10. Red Hat Enterprise Linux-Specific Information

This section describes information related to the philosophy of system administration that is specific to Red Hat Enterprise Linux.

1.10.1. Automation

Automation of frequently-performed tasks under Red Hat Enterprise Linux requires knowledge of several different types of technologies. First are the commands that control the timing of command or script execution. The cron and at commands are most commonly used in these roles.

Incorporating an easy-to-understand yet powerfully flexible time specification system, cron can schedule the execution of commands or scripts for recurring intervals ranging in length from minutes to months. The crontab command is used to manipulate the files controlling the cron daemon that actually schedules each cron job for execution.

The at command (and the closely-related command batch) are more appropriate for scheduling the execution of one-time scripts or commands. These commands implement a rudimentary batch subsystem consisting of multiple queues with varying scheduling priorities. The priorities are known as niceness levels (due to the name of the command — nice). Both at and batch are perfect for tasks that must start at a given time but are not time-critical in terms of finishing.

Next are the various scripting languages. These are the "programming languages" that the average system administrator uses to automate manual operations. There are many scripting languages (and each system administrator tends to have a personal favorite), but the following are currently the most common:

Over and above the obvious differences between these languages, the biggest difference is in the way in which these languages interact with other utility programs on a Red Hat Enterprise Linux system. Scripts written with the bash shell tend to make more extensive use of the many small utility programs (for example, to perform character string manipulation), while perl scripts perform more of these types of operations using features built into the language itself. A script written using python can fully exploit the language's object-oriented capabilities, making complex scripts more easily extensible.

This means that, in order to truly master shell scripting, you must be familiar with the many utility programs (such as grep and sed) that are part of Red Hat Enterprise Linux. Learning perl (and python), on the other hand, tends to be a more "self-contained" process. However, many perl language constructs are based on the syntax of various traditional UNIX utility programs, and as such are familiar to those Red Hat Enterprise Linux system administrators with shell scripting experience.

1.10.2. Documentation and Communication

In the areas of documentation and communication, there is little that is specific to Red Hat Enterprise Linux. Since documentation and communication can consist of anything from adding comments to a text-based configuration file to updating a webpage or sending an email, a system administrator using Red Hat Enterprise Linux must have access to text editors, HTML editors, and mail clients.

Here is a small sample of the many text editors available under Red Hat Enterprise Linux:

The gedit text editor is a strictly graphical application (in other words, it requires an active X Window System environment), while vim and Emacs are primarily text-based in nature.

The subject of the best text editor has sparked debate for nearly as long as computers have existed and will continue to do so. Therefore, the best approach is to try each editor for yourself, and use what works best for you.

For HTML editors, system administrators can use the Composer function of the Mozilla Web browser. Of course, some system administrators prefer to hand-code their HTML, making a regular text editor a perfectly acceptable tool as well.

As far as email is concerned, Red Hat Enterprise Linux includes the Evolution graphical email client, the Mozilla email client (which is also graphical), and mutt, which is text-based. As with text editors, the choice of an email client tends to be a personal one; therefore, the best approach is to try each client for yourself, and use what works best for you.

1.10.3. Security

As stated earlier in this chapter, security cannot be an afterthought, and security under Red Hat Enterprise Linux is more than skin-deep. Authentication and access controls are deeply-integrated into the operating system and are based on designs gleaned from long experience in the UNIX community.

For authentication, Red Hat Enterprise Linux uses PAM — Pluggable Authentication Modules. PAM makes it possible to fine-tune user authentication via the configuration of shared libraries that all PAM-aware applications use, all without requiring any changes to the applications themselves.

Access control under Red Hat Enterprise Linux uses traditional UNIX-style permissions (read, write, execute) against user, group, and "everyone else" classifications. Like UNIX, Red Hat Enterprise Linux also makes use of setuid and setgid bits to temporarily confer expanded access rights to processes running a particular program, based on the ownership of the program file. Of course, this makes it critical that any program to be run with setuid or setgid privileges must be carefully audited to ensure that no exploitable vulnerabilities exist.

Red Hat Enterprise Linux also includes support for access control lists. An access control list (ACL) is a construct that allows extremely fine-grained control over what users or groups may access a file or directory. For example, a file's permissions may restrict all access by anyone other than the file's owner, yet the file's ACL can be configured to allow only user bob to write and group finance to read the file.

Another aspect of security is being able to keep track of system activity. Red Hat Enterprise Linux makes extensive use of logging, both at a kernel and an application level. Logging is controlled by the system logging daemon syslogd, which can log system information locally (normally to files in the /var/log/ directory) or to a remote system (which acts as a dedicated log server for multiple computers.)

Intrusion detection sytems (IDS) are powerful tools for any Red Hat Enterprise Linux system administrator. An IDS makes it possible for system administrators to determine whether unauthorized changes were made to one or more systems. The overall design of the operating system itself includes IDS-like functionality.

Because Red Hat Enterprise Linux is installed using the RPM Package Manager (RPM), it is possible to use RPM to verify whether any changes have been made to the packages comprising the operating system. However, because RPM is primarily a package management tool, its abilities as an IDS are somewhat limited. Even so, it can be a good first step toward monitoring a Red Hat Enterprise Linux system for unauthorized modifications.