Edição 8
1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
mount Commandproc File Systemproc File System/proc/apm /proc/buddyinfo /proc/cmdline /proc/cpuinfo /proc/crypto /proc/devices /proc/dma /proc/execdomains /proc/fb /proc/filesystems /proc/interrupts /proc/iomem /proc/ioports /proc/kcore /proc/kmsg /proc/loadavg /proc/locks /proc/mdstat /proc/meminfo /proc/misc /proc/modules /proc/mounts /proc/mtrr /proc/partitions /proc/pci /proc/slabinfo /proc/stat /proc/swaps /proc/sysrq-trigger /proc/uptime /proc/version /proc/ sysctl Commandsmb.conf Filehttpdhttpd.conf/etc/openldap/schema/ Directorysysconfig Directory/etc/sysconfig/ Directory/etc/sysconfig/amd/etc/sysconfig/apmd/etc/sysconfig/arpwatch/etc/sysconfig/authconfig/etc/sysconfig/autofs/etc/sysconfig/clock/etc/sysconfig/desktop/etc/sysconfig/dhcpd/etc/sysconfig/exim/etc/sysconfig/firstboot/etc/sysconfig/gpm/etc/sysconfig/hwconf/etc/sysconfig/i18n/etc/sysconfig/init/etc/sysconfig/ip6tables-config/etc/sysconfig/iptables-config/etc/sysconfig/irda/etc/sysconfig/keyboard/etc/sysconfig/kudzu/etc/sysconfig/named/etc/sysconfig/network/etc/sysconfig/nfs/etc/sysconfig/ntpd/etc/sysconfig/radvd/etc/sysconfig/samba/etc/sysconfig/selinux/etc/sysconfig/sendmail/etc/sysconfig/spamassassin/etc/sysconfig/squid/etc/sysconfig/system-config-securitylevel/etc/sysconfig/system-config-selinux/etc/sysconfig/system-config-users/etc/sysconfig/system-logviewer/etc/sysconfig/tux/etc/sysconfig/vncservers/etc/sysconfig/xinetd/etc/sysconfig/ Directorycommandcat testfile command to view the contents of a file, named testfile, in the current working directory.
file name.bashrc file in your home directory contains bash shell definitions and aliases for your own use.
/etc/fstab file contains information about different system devices and file systems.
webalizer RPM if you want to use a Web server log file analysis program.
ls seguido de umcaractere e finalmente pressione a tecla Tab. Seu terminal mostrará a lista de arquivos no diretório que começar com esta letra.
computer outputls command displays the contents of a directory. For example:
Desktop about.html logs paulwesterberg.png Mail backupfiles mail reports
prompt$
#
[stephen@maturin stephen]$
leopard login:
user inputtext is displayed in this style:
text command at the boot: prompt.
<replaceable><version-number> é apresentado neste estilo:
/usr/src/kernels/<version-number>/, where <version-number> is the version and type of kernel installed on this system.
/usr/share/doc/ contains additional documentation for packages installed on your system.
http://bugzilla.redhat.com/bugzilla/) against the component Deployment_Guide.
parted utility to manage partitions and access control lists (ACLs) to customize file permissions.
Índice
mount Commandproc File Systemproc File System/proc/apm /proc/buddyinfo /proc/cmdline /proc/cpuinfo /proc/crypto /proc/devices /proc/dma /proc/execdomains /proc/fb /proc/filesystems /proc/interrupts /proc/iomem /proc/ioports /proc/kcore /proc/kmsg /proc/loadavg /proc/locks /proc/mdstat /proc/meminfo /proc/misc /proc/modules /proc/mounts /proc/mtrr /proc/partitions /proc/pci /proc/slabinfo /proc/stat /proc/swaps /proc/sysrq-trigger /proc/uptime /proc/version /proc/ sysctl Command/usr/ partition as read-only. This second point is important because the directory contains common executables and should not be changed by users. Also, since the /usr/ directory is mounted as read-only, it can be mounted from the CD-ROM or from another machine via a read-only NFS mount.
/boot/ Directory/boot/ directory contains static files required to boot the system, such as the Linux kernel. These files are essential for the system to boot properly.
/boot/ directory. Doing so renders the system unbootable.
/dev/ Directory/dev/ directory contains device nodes that either represent devices that are attached to the system or virtual devices that are provided by the kernel. These device nodes are essential for the system to function properly. The udev daemon takes care of creating and removing all these device nodes in /dev/.
/dev directory and subdirectories are either character (providing only a serial stream of input/output) or block (accessible randomly). Character devices include mouse, keyboard, modem while block devices include hard disk, floppy drive etc. If you have GNOME or KDE installed in your system, devices such as external drives or cds are automatically detected when connected (e.g via usb) or inserted (e.g via CD or DVD drive) and a popup window displaying the contents is automatically displayed. Files in the /dev directory are essential for the system to function properly.
/dev| File | Description |
|---|---|
| /dev/hda | The master device on primary IDE channel. |
| /dev/hdb | The slave device on primary IDE channel. |
| /dev/tty0 | The first virtual console. |
| /dev/tty1 | The second virtual console. |
| /dev/sda | The first device on primary SCSI or SATA channel. |
| /dev/lp0 | The first parallel port. |
/etc/ Directory/etc/ directory is reserved for configuration files that are local to the machine. No binaries are to be placed in /etc/. Any binaries that were once located in /etc/ should be placed into /sbin/ or /bin/.
/etc are the X11/ and skel/:
/etc |- X11/ |- skel/
/etc/X11/ directory is for X Window System configuration files, such as xorg.conf. The /etc/skel/ directory is for "skeleton" user files, which are used to populate a home directory when a user is first created. Applications also store their configuration files in this directory and may reference them when they are executed.
/lib/ Directory/lib/ directory should contain only those libraries needed to execute the binaries in /bin/ and /sbin/. These shared library images are particularly important for booting the system and executing commands within the root file system.
/media/ Directory/media/ directory contains subdirectories used as mount points for removable media such as usb storage media, DVDs, CD-ROMs, and Zip disks.
/mnt/ Directory/mnt/ directory is reserved for temporarily mounted file systems, such as NFS file system mounts. For all removable media, please use the /media/ directory. Automatically detected removable media will be mounted in the /media directory.
/mnt directory must not be used by installation programs.
/opt/ Directory/opt/ directory provides storage for most application software packages.
/opt/ directory creates a directory bearing the same name as the package. This directory, in turn, holds files that otherwise would be scattered throughout the file system, giving the system administrator an easy way to determine the role of each file within a particular package.
sample is the name of a particular software package located within the /opt/ directory, then all of its files are placed in directories inside the /opt/sample/ directory, such as /opt/sample/bin/ for binaries and /opt/sample/man/ for manual pages.
/opt/ directory, giving that large package a way to organize itself. In this way, our sample package may have different tools that each go in their own sub-directories, such as /opt/sample/tool1/ and /opt/sample/tool2/, each of which can have their own bin/, man/, and other similar directories.
/proc/ Directory/proc/ directory contains special files that either extract information from or send information to the kernel. Examples include system memory, cpu information, hardware configuration etc.
/proc/ and the many ways this directory can be used to communicate with the kernel, an entire chapter has been devoted to the subject. For more information, refer to Capítulo 4, The proc File System.
/sbin/ Directory/sbin/ directory stores executables used by the root user. The executables in /sbin/ are used at boot time, for system administration and to perform system recovery operations. Of this directory, the FHS says:
/sbincontains binaries essential for booting, restoring, recovering, and/or repairing the system in addition to the binaries in/bin. Programs executed after/usr/is known to be mounted (when there are no problems) are generally placed into/usr/sbin. Locally-installed system administration programs should be placed into/usr/local/sbin.
/sbin/:
arp,clock,halt,init,fsck.*,grub,ifconfig,mingetty,mkfs.*,mkswap,reboot,route,shutdown,swapoff,swapon
/srv/ Directory/srv/ directory contains site-specific data served by your system running Red Hat Enterprise Linux. This directory gives users the location of data files for a particular service, such as FTP, WWW, or CVS. Data that only pertains to a specific user should go in the /home/ directory.
/sys/ Directory/sys/ directory utilizes the new sysfs virtual file system specific to the 2.6 kernel. With the increased support for hot plug hardware devices in the 2.6 kernel, the /sys/ directory contains information similarly held in /proc/, but displays a hierarchical view of specific device information in regards to hot plug devices.
/usr/ Directory/usr/ directory is for files that can be shared across multiple machines. The /usr/ directory is often on its own partition and is mounted read-only. At a minimum, the following directories should be subdirectories of /usr/:
/usr |- bin/ |- etc/ |- games/ |- include/ |- kerberos/ |- lib/ |- libexec/ |- local/ |- sbin/ |- share/ |- src/ |- tmp -> ../var/tmp/
/usr/ directory, the bin/ subdirectory contains executables, etc/ contains system-wide configuration files, games is for games, include/ contains C header files, kerberos/ contains binaries and other Kerberos-related files, and lib/ contains object files and libraries that are not designed to be directly utilized by users or shell scripts. The libexec/ directory contains small helper programs called by other programs, sbin/ is for system administration binaries (those that do not belong in the /sbin/ directory), share/ contains files that are not architecture-specific, src/ is for source code.
/usr/local/ DirectoryThe/usr/localhierarchy is for use by the system administrator when installing software locally. It needs to be safe from being overwritten when the system software is updated. It may be used for programs and data that are shareable among a group of hosts, but not found in/usr.
/usr/local/ directory is similar in structure to the /usr/ directory. It has the following subdirectories, which are similar in purpose to those in the /usr/ directory:
/usr/local |- bin/ |- etc/ |- games/ |- include/ |- lib/ |- libexec/ |- sbin/ |- share/ |- src/
/usr/local/ directory is slightly different from that specified by the FHS. The FHS says that /usr/local/ should be where software that is to remain safe from system software upgrades is stored. Since software upgrades can be performed safely with RPM Package Manager (RPM), it is not necessary to protect files by putting them in /usr/local/. Instead, the /usr/local/ directory is used for software that is local to the machine.
/usr/ directory is mounted as a read-only NFS share from a remote host, it is still possible to install a package or program under the /usr/local/ directory.
/var/ Directory/usr/ as read-only, any programs that write log files or need spool/ or lock/ directories should write them to the /var/ directory. The FHS states /var/ is for:
...variable data files. This includes spool directories and files, administrative and logging data, and transient and temporary files.
/var/ directory:
/var
|- account/
|- arpwatch/
|- cache/
|- crash/
|- db/
|- empty/
|- ftp/
|- gdm/
|- kerberos/
|- lib/
|- local/
|- lock/
|- log/
|- mail -> spool/mail/
|- mailman/
|- named/
|- nis/
|- opt/
|- preserve/
|- run/
+- spool/
|- at/
|- clientmqueue/
|- cron/
|- cups/
|- exim/
|- lpd/
|- mail/
|- mailman/
|- mqueue/
|- news/
|- postfix/
|- repackage/
|- rwho/
|- samba/
|- squid/
|- squirrelmail/
|- up2date/
|- uucp
|- uucppublic/
|- vbox/
|- tmp/
|- tux/
|- www/
|- yp/messages and lastlog, go in the /var/log/ directory. The /var/lib/rpm/ directory contains RPM system databases. Lock files go in the /var/lock/ directory, usually in directories for the program using the file. The /var/spool/ directory has subdirectories for programs in which data files are stored.
/var/lib/rpm/ directory. For more information on RPM, refer to the chapter Capítulo 11, Gerenciamento de Pacotes com RPM.
/var/cache/yum/ directory contains files used by the Package Updater, including RPM header information for the system. This location may also be used to temporarily store RPMs downloaded while updating the system. For more information about Red Hat Network, refer to Capítulo 14, Product Subscriptions and Entitlements.
/etc/sysconfig/ directory. This directory stores a variety of configuration information. Many scripts that run at boot time use the files in this directory. Refer to Capítulo 30, The sysconfig Directory for more information about what is within this directory and the role these files play in the boot process.
mount Commandmount or umount command respectively. This chapter describes the basic usage of these commands, and covers some advanced topics such as moving a mount point or creating shared subtrees.
mount command with no additional arguments:
mountdeviceondirectorytypetype(options)
sysfs, tmpfs, and others. To display only the devices with a certain file system type, supply the -t option on the command line:
mount-ttype
mount command to list the mounted file systems, see Exemplo 2.1, “Listing Currently Mounted ext3 File Systems”.
ext3 File Systems/ and /boot partitions are formatted to use ext3. To display only the mount points that use this file system, type the following at a shell prompt:
~]$ mount -t ext3
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
/dev/vda1 on /boot type ext3 (rw)mount command in the following form:
mount[option…]devicedirectory
mount command is run, it reads the content of the /etc/fstab configuration file to see if the given file system is listed. This file contains a list of device names and the directory in which the selected file systems should be mounted, as well as the file system type and mount options. Because of this, when you are mounting a file system that is specified in this file, you can use one of the following variants of the command:
mount[option…]directorymount[option…]device
root, you must have permissions to mount the file system (see Seção 2.2.2, “Specifying the Mount Options”).
mount detects the file system automatically. However, there are certain file systems, such as NFS (Network File System) or CIFS (Common Internet File System), that are not recognized, and need to be specified manually. To specify the file system type, use the mount command in the following form:
mount-ttypedevicedirectory
mount command. For a complete list of all available file system types, consult the relevant manual page as referred to in Seção 2.4.1, “Installed Documentation”.
| Type | Description |
|---|---|
ext2
|
The ext2 file system.
|
ext3
|
The ext3 file system.
|
iso9660
|
The ISO 9660 file system. It is commonly used by optical media, typically CDs.
|
jfs
|
The JFS file system created by IBM.
|
nfs
|
The NFS file system. It is commonly used to access files over the network.
|
nfs4
|
The NFSv4 file system. It is commonly used to access files over the network.
|
ntfs
|
The NTFS file system. It is commonly used on machines that are running the Windows operating system.
|
udf
|
The UDF file system. It is commonly used by optical media, typically DVDs.
|
vfat
|
The FAT file system. It is commonly used on machines that are running the Windows operating system, and on certain digital media such as USB flash drives or floppy disks.
|
/dev/sdc1 device and that the /media/flashdisk/ directory exists, you can mount it to this directory by typing the following at a shell prompt as root:
~]# mount -t vfat /dev/sdc1 /media/flashdiskmount-ooptions
mount will incorrectly interpret the values following spaces as additional parameters.
| Option | Description |
|---|---|
async
| Allows the asynchronous input/output operations on the file system. |
auto
|
Allows the file system to be mounted automatically using the mount -a command.
|
defaults
|
Provides an alias for async,auto,dev,exec,nouser,rw,suid.
|
exec
| Allows the execution of binary files on the particular file system. |
loop
| Mounts an image as a loop device. |
noauto
|
Disallows the automatic mount of the file system using the mount -a command.
|
noexec
| Disallows the execution of binary files on the particular file system. |
nouser
|
Disallows an ordinary user (that is, other than root) to mount and unmount the file system.
|
remount
| Remounts the file system in case it is already mounted. |
ro
| Mounts the file system for reading only. |
rw
| Mounts the file system for both reading and writing. |
user
|
Allows an ordinary user (that is, other than root) to mount and unmount the file system.
|
/media/cdrom/ directory exists, you can mount the image to this directory by running the following command as root:
~]# mount -o ro,loop Fedora-14-x86_64-Live-Desktop.iso /media/cdrommount command implements the --bind option that provides a means for duplicating certain mounts. Its usage is as follows:
mount--bindold_directorynew_directory
mount--rbindold_directorynew_directory
mount--make-sharedmount_point
mount--make-rsharedmount_point
mount--make-slavemount_point
mount--make-rslavemount_point
/media directory to appear in /mnt as well, but you do not want any mounts in the /mnt directory to be reflected in /media. To do so, as root, first mark the /media directory as “shared”:
~]#mount --bind /media /media~]#mount --make-shared /media
/mnt, but mark it as “slave”:
~]#mount --bind /media /mnt~]#mount --make-slave /mnt
/media also appears in /mnt. For example, if you have non-empty media in your CD-ROM drive and the /media/cdrom/ directory exists, run the following commands:
~]#mount /dev/cdrom /media/cdrom~]#ls /media/cdromEFI GPL isolinux LiveOS ~]#ls /mnt/cdromEFI GPL isolinux LiveOS
/mnt directory are not reflected in /media. For instance, if you have a non-empty USB flash drive that uses the /dev/sdc1 device plugged in and the /mnt/flashdisk/ directory is present, type: :
~]#mount /dev/sdc1 /mnt/flashdisk~]#ls /media/flashdisk~]#ls /mnt/flashdisken-US publican.cfg
mount--make-privatemount_point
mount--make-rprivatemount_point
root:
~]#mount --bind /media /media~]#mount --make-shared /media~]#mount --bind /media /mnt
/mnt directory as “private”, type:
~]# mount --make-private /mnt/media appears in /mnt. For example, if you have non-empty media in your CD-ROM drive and the /media/cdrom/ directory exists, run the following commands:
~]#mount /dev/cdrom /media/cdrom~]#ls /media/cdromEFI GPL isolinux LiveOS ~]#ls /mnt/cdrom~]#
/mnt directory are not reflected in /media. For instance, if you have a non-empty USB flash drive that uses the /dev/sdc1 device plugged in and the /mnt/flashdisk/ directory is present, type:
~]#mount /dev/sdc1 /mnt/flashdisk~]#ls /media/flashdisk~]#ls /mnt/flashdisken-US publican.cfg
mount--make-unbindablemount_point
mount--make-runbindablemount_point
/media directory from being shared, as root, type the following at a shell prompt:
~]#mount --bind /media /media~]#mount --make-unbindable /media
~]# mount --bind /media /mnt
mount: wrong fs type, bad option, bad superblock on /media/,
missing code page or other error
In some cases useful info is found in syslog - try
dmesg | tail or somount--moveold_directorynew_directory
/mnt/userdirs/, as root, you can move this mount point to /home by using the following command:
~]# mount --move /mnt/userdirs /home~]#ls /mnt/userdirs~]#ls /homejill joe
umount command:
umountdirectoryumountdevice
root, you must have permissions to unmount the file system (see Seção 2.2.2, “Specifying the Mount Options”). See Exemplo 2.9, “Unmounting a CD” for an example usage.
umount command will fail with an error. To determine which processes are accessing the file system, use the fuser command in the following form:
fuser-mdirectory
/media/cdrom/ directory, type:
~]$ fuser -m /media/cdrom
/media/cdrom: 1793 2013 2022 2435 10532c 10672c/media/cdrom/ directory, type the following at a shell prompt:
~]$ umount /media/cdromman 8 mount — The manual page for the mount command that provides a full documentation on its usage.
man 8 umount — The manual page for the umount command that provides a full documentation on its usage.
man 5 fstab — The manual page providing a thorough description of the /etc/fstab file format.
e2fsck program. This is a time-consuming process that can delay system boot time significantly, especially with large volumes containing a large number of files. During this time, any data on the volumes is unreachable.
mkfs.
e2label.
tune2fs allows you to convert an ext2 filesystem to ext3.
e2fsck para verificar seu sistema de arquivo antes e depois de usar o tune2fs. Uma instalação padrão do Red Hat Enterprise Linux usa o ext3 para todos os sistemas de arquivo.
ext2 para ext3, autentique-se como root e digite:
tune2fs -j <block_device><block_device> contém o sistema de arquivo ext2 que você desejar converter.
/dev/mapper/VolGroup00-LogVol02.
/dev/hdbX, where hdb is a storage device name and X is the partition number.
df command to display mounted file systems.
/dev/mapper/VolGroup00-LogVol02
mkinitrd program. For information on using the mkinitrd command, type man mkinitrd. Also, make sure your GRUB configuration loads the initrd.
umount /dev/mapper/VolGroup00-LogVol02tune2fs -O ^has_journal /dev/mapper/VolGroup00-LogVol02e2fsck -y /dev/mapper/VolGroup00-LogVol02mount -t ext2 /dev/mapper/VolGroup00-LogVol02 /mount/point/mount/point pelo ponto de montagem da partição.
.journal file at the root level of the partition by changing to the directory where it is mounted and typing:
rm -f .journal/etc/fstab file.
proc File Systemproc File System/proc/apm /proc/buddyinfo /proc/cmdline /proc/cpuinfo /proc/crypto /proc/devices /proc/dma /proc/execdomains /proc/fb /proc/filesystems /proc/interrupts /proc/iomem /proc/ioports /proc/kcore /proc/kmsg /proc/loadavg /proc/locks /proc/mdstat /proc/meminfo /proc/misc /proc/modules /proc/mounts /proc/mtrr /proc/partitions /proc/pci /proc/slabinfo /proc/stat /proc/swaps /proc/sysrq-trigger /proc/uptime /proc/version /proc/ sysctl Command/proc/ directory — also called the proc file system — contains a hierarchy of special files which represent the current state of the kernel — allowing applications and users to peer into the kernel's view of the system.
/proc/ directory, one can find a wealth of information detailing the system hardware and any processes currently running. In addition, some of the files within the /proc/ directory tree can be manipulated by users and applications to communicate configuration changes to the kernel.
/proc/ directory contains another type of file called a virtual file. It is for this reason that /proc/ is often referred to as a virtual file system.
/proc/interrupts, /proc/meminfo, /proc/mounts, and /proc/partitions provide an up-to-the-moment glimpse of the system's hardware. Others, like the /proc/filesystems file and the /proc/sys/ directory provide system configuration information and interfaces.
/proc/ide/ contains information for all physical IDE devices. Likewise, process directories contain information about each running process on the system.
cat, more, or less commands on files within the /proc/ directory, users can immediately access enormous amounts of information about the system. For example, to display the type of CPU a computer has, type cat /proc/cpuinfo to receive output similar to the following:
processor : 0 vendor_id : AuthenticAMD cpu family : 5 model : 9 model name : AMD-K6(tm) 3D+ Processor stepping : 1 cpu MHz : 400.919 cache size : 256 KB fdiv_bug : no hlt_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 1 wp : yes flags : fpu vme de pse tsc msr mce cx8 pge mmx syscall 3dnow k6_mtrr bogomips : 799.53
/proc/ file system, some of the information is easily understandable while some is not human-readable. This is in part why utilities exist to pull data from virtual files and display it in a useful way. Examples of these utilities include lspci, apm, free, and top.
/proc/ directory are readable only by the root user.
/proc/ directory are read-only. However, some can be used to adjust settings in the kernel. This is especially true for files in the /proc/sys/ subdirectory.
echo command and a greater than symbol (>) to redirect the new value to the file. For example, to change the hostname on the fly, type:
echo www.example.com > /proc/sys/kernel/hostname cat /proc/sys/net/ipv4/ip_forward returns either a 0 or a 1. A 0 indicates that the kernel is not forwarding network packets. Using the echo command to change the value of the ip_forward file to 1 immediately turns packet forwarding on.
/proc/sys/ subdirectory is /sbin/sysctl. For more information on this command, refer to Seção 4.4, “Using the sysctl Command”
/proc/sys/ subdirectory, refer to Seção 4.3.9, “ /proc/sys/ ”.
proc File System/proc/ directory.
/proc/apm apm command. If a system with no battery is connected to an AC power source, this virtual file would look similar to the following:
1.16 1.2 0x07 0x01 0xff 0x80 -1% -1 ?
apm -v command on such a system results in output similar to the following:
APM BIOS 1.2 (kernel driver 1.16ac) AC on-line, no system battery
apm is able do little more than put the machine in standby mode. The apm command is much more useful on laptops. For example, the following output is from the command cat /proc/apm on a laptop while plugged into a power outlet:
1.16 1.2 0x03 0x01 0x03 0x09 100% -1 ?
apm file changes to something like the following:
1.16 1.2 0x03 0x00 0x00 0x01 99% 1792 min
apm -v command now yields more useful data, such as the following:
APM BIOS 1.2 (kernel driver 1.16) AC off-line, battery status high: 99% (1 day, 5:52)
/proc/buddyinfo DMA row references the first 16 MB on a system, the HighMem row references all memory greater than 4 GB on a system, and the Normal row references all memory in between.
/proc/buddyinfo:
Node 0, zone DMA 90 6 2 1 1 ... Node 0, zone Normal 1650 310 5 0 0 ... Node 0, zone HighMem 2 0 0 1 1 ...
/proc/cmdline /proc/cmdline file looks like the following:
ro root=/dev/VolGroup00/LogVol00 rhgb quiet 3
ro on the kernel boot line overrides any instances of rw.
/proc/cmdline output, the root filesystem image is located on the first logical volume (LogVol00) of the first LVM volume group (VolGroup00). On a system not using Logical Volume Management, the root file system might be located on /dev/sda1 or /dev/sda2, meaning on either the first or second partition of the first SCSI or SATA disk drive, depending on whether we have a separate (preceding) boot or swap partition on that drive.
/etc/inittab shows that the default runlevel is set to 5 with a line like this:
id:5:initdefault:
/proc/cpuinfo /proc/cpuinfo:
processor : 0 vendor_id : GenuineIntel cpu family : 15 model : 2 model name : Intel(R) Xeon(TM) CPU 2.40GHz stepping : 7 cpu MHz : 2392.371 cache size : 512 KB physical id : 0 siblings : 2 runqueue : 0 fdiv_bug : no hlt_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 2 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm bogomips : 4771.02
processor — Provides each processor with an identifying number. On systems that have one processor, only a 0 is present.
cpu family — Authoritatively identifies the type of processor in the system. For an Intel-based system, place the number in front of "86" to determine the value. This is particularly helpful for those attempting to identify the architecture of an older system such as a 586, 486, or 386. Because some RPM packages are compiled for each of these particular architectures, this value also helps users determine which packages to install.
model name — Displays the common name of the processor, including its project name.
cpu MHz — Shows the precise speed in megahertz for the processor to the thousandths decimal place.
cache size — Displays the amount of level 2 memory cache available to the processor.
siblings — Displays the number of sibling CPUs on the same physical CPU for architectures which use hyper-threading.
flags — Defines a number of different qualities about the processor, such as the presence of a floating point unit (FPU) and the ability to process MMX instructions.
/proc/crypto /proc/crypto file looks like the following:
name : sha1 module : kernel type : digest blocksize : 64 digestsize : 20 name : md5 module : md5 type : digest blocksize : 64 digestsize : 16
/proc/devices Character devices: 1 mem 4 /dev/vc/0 4 tty 4 ttyS 5 /dev/tty 5 /dev/console 5 /dev/ptmx 7 vcs 10 misc 13 input 29 fb 36 netlink 128 ptm 136 pts 180 usb Block devices: 1 ramdisk 3 ide0 9 md 22 ide1 253 device-mapper 254 mdp
/proc/devices includes the major number and name of the device, and is broken into two major sections: Character devices and Block devices.
/usr/share/doc/kernel-doc-<version>/Documentation/devices.txt/proc/dma /proc/dma files looks like the following:
4: cascade
/proc/execdomains 0-0 Linux [kernel]
PER_LINUX execution domain, different personalities can be implemented as dynamically loadable modules.
/proc/fb /proc/fb for systems which contain frame buffer devices looks similar to the following:
0 VESA VGA
/proc/filesystems /proc/filesystems file looks similar to the following:
nodev sysfs nodev rootfs nodev bdev nodev proc nodev sockfs nodev binfmt_misc nodev usbfs nodev usbdevfs nodev futexfs nodev tmpfs nodev pipefs nodev eventpollfs nodev devpts ext2 nodev ramfs nodev hugetlbfs iso9660 nodev mqueue ext3 nodev rpc_pipefs nodev autofs
nodev are not mounted on a device. The second column lists the names of the file systems supported.
mount command cycles through the file systems listed here when one is not specified as an argument.
/proc/interrupts /proc/interrupts looks similar to the following:
CPU0 0: 80448940 XT-PIC timer 1: 174412 XT-PIC keyboard 2: 0 XT-PIC cascade 8: 1 XT-PIC rtc 10: 410964 XT-PIC eth0 12: 60330 XT-PIC PS/2 Mouse 14: 1314121 XT-PIC ide0 15: 5195422 XT-PIC ide1 NMI: 0 ERR: 0
CPU0 CPU1 0: 1366814704 0 XT-PIC timer 1: 128 340 IO-APIC-edge keyboard 2: 0 0 XT-PIC cascade 8: 0 1 IO-APIC-edge rtc 12: 5323 5793 IO-APIC-edge PS/2 Mouse 13: 1 0 XT-PIC fpu 16: 11184294 15940594 IO-APIC-level Intel EtherExpress Pro 10/100 Ethernet 20: 8450043 11120093 IO-APIC-level megaraid 30: 10432 10722 IO-APIC-level aic7xxx 31: 23 22 IO-APIC-level aic7xxx NMI: 0 ERR: 0
XT-PIC — This is the old AT computer interrupts.
IO-APIC-edge — The voltage signal on this interrupt transitions from low to high, creating an edge, where the interrupt occurs and is only signaled once. This kind of interrupt, as well as the IO-APIC-level interrupt, are only seen on systems with processors from the 586 family and higher.
IO-APIC-level — Generates interrupts when its voltage signal is high until the signal is low again.
/proc/iomem 00000000-0009fbff : System RAM 0009fc00-0009ffff : reserved 000a0000-000bffff : Video RAM area 000c0000-000c7fff : Video ROM 000f0000-000fffff : System ROM 00100000-07ffffff : System RAM 00100000-00291ba8 : Kernel code 00291ba9-002e09cb : Kernel data e0000000-e3ffffff : VIA Technologies, Inc. VT82C597 [Apollo VP3] e4000000-e7ffffff : PCI Bus #01 e4000000-e4003fff : Matrox Graphics, Inc. MGA G200 AGP e5000000-e57fffff : Matrox Graphics, Inc. MGA G200 AGP e8000000-e8ffffff : PCI Bus #01 e8000000-e8ffffff : Matrox Graphics, Inc. MGA G200 AGP ea000000-ea00007f : Digital Equipment Corporation DECchip 21140 [FasterNet] ea000000-ea00007f : tulip ffff0000-ffffffff : reserved
/proc/ioports /proc/ioports provides a list of currently registered port regions used for input or output communication with a device. This file can be quite long. The following is a partial listing:
0000-001f : dma1 0020-003f : pic1 0040-005f : timer 0060-006f : keyboard 0070-007f : rtc 0080-008f : dma page reg 00a0-00bf : pic2 00c0-00df : dma2 00f0-00ff : fpu 0170-0177 : ide1 01f0-01f7 : ide0 02f8-02ff : serial(auto) 0376-0376 : ide1 03c0-03df : vga+ 03f6-03f6 : ide0 03f8-03ff : serial(auto) 0cf8-0cff : PCI conf1 d000-dfff : PCI Bus #01 e000-e00f : VIA Technologies, Inc. Bus Master IDE e000-e007 : ide0 e008-e00f : ide1 e800-e87f : Digital Equipment Corporation DECchip 21140 [FasterNet] e800-e87f : tulip
/proc/kcore /proc/ files, kcore displays a size. This value is given in bytes and is equal to the size of the physical memory (RAM) used plus 4 KB.
gdb, and is not human readable.
/proc/kcore virtual file. The contents of the file scramble text output on the terminal. If this file is accidentally viewed, press Ctrl+C to stop the process and then type reset to bring back the command line prompt.
/proc/kmsg /sbin/klogd or /bin/dmesg.
/proc/loadavg uptime and other commands. A sample /proc/loadavg file looks similar to the following:
0.20 0.18 0.12 1/80 11206
/proc/locks /proc/locks file for a lightly loaded system looks similar to the following:
1: POSIX ADVISORY WRITE 3568 fd:00:2531452 0 EOF 2: FLOCK ADVISORY WRITE 3517 fd:00:2531448 0 EOF 3: POSIX ADVISORY WRITE 3452 fd:00:2531442 0 EOF 4: POSIX ADVISORY WRITE 3443 fd:00:2531440 0 EOF 5: POSIX ADVISORY WRITE 3326 fd:00:2531430 0 EOF 6: POSIX ADVISORY WRITE 3175 fd:00:2531425 0 EOF 7: POSIX ADVISORY WRITE 3056 fd:00:2548663 0 EOF
FLOCK signifying the older-style UNIX file locks from a flock system call and POSIX representing the newer POSIX locks from the lockf system call.
ADVISORY or MANDATORY. ADVISORY means that the lock does not prevent other people from accessing the data; it only prevents other attempts to lock it. MANDATORY means that no other access to the data is permitted while the lock is held. The fourth column reveals whether the lock is allowing the holder READ or WRITE access to the file. The fifth column shows the ID of the process holding the lock. The sixth column shows the ID of the file being locked, in the format of MAJOR-DEVICE:MINOR-DEVICE:INODE-NUMBER /proc/mdstat /proc/mdstat looks similar to the following:
Personalities : read_ahead not set unused devices: <none>
md device is present. In that case, view /proc/mdstat to find the current status of mdX RAID devices.
/proc/mdstat file below shows a system with its md0 configured as a RAID 1 device, while it is currently re-syncing the disks:
Personalities : [linear] [raid1] read_ahead 1024 sectors md0: active raid1 sda2[1] sdb2[0] 9940 blocks [2/2] [UU] resync=1% finish=12.3min algorithm 2 [3/3] [UUU] unused devices: <none>
/proc/meminfo /proc/ directory, as it reports a large amount of valuable information about the systems RAM usage.
/proc/meminfo virtual file is from a system with 256 MB of RAM and 512 MB of swap space:
MemTotal: 255908 kB MemFree: 69936 kB Buffers: 15812 kB Cached: 115124 kB SwapCached: 0 kB Active: 92700 kB Inactive: 63792 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 255908 kB LowFree: 69936 kB SwapTotal: 524280 kB SwapFree: 524280 kB Dirty: 4 kB Writeback: 0 kB Mapped: 42236 kB Slab: 25912 kB Committed_AS: 118680 kB PageTables: 1236 kB VmallocTotal: 3874808 kB VmallocUsed: 1416 kB VmallocChunk: 3872908 kB HugePages_Total: 0 HugePages_Free: 0 Hugepagesize: 4096 kB
free, top, and ps commands. In fact, the output of the free command is similar in appearance to the contents and structure of /proc/meminfo. But by looking directly at /proc/meminfo, more details are revealed:
MemTotal — Total amount of physical RAM, in kilobytes.
MemFree — The amount of physical RAM, in kilobytes, left unused by the system.
Buffers — The amount of physical RAM, in kilobytes, used for file buffers.
Cached — The amount of physical RAM, in kilobytes, used as cache memory.
SwapCached — The amount of swap, in kilobytes, used as cache memory.
Active — The total amount of buffer or page cache memory, in kilobytes, that is in active use. This is memory that has been recently used and is usually not reclaimed for other purposes.
Inactive — The total amount of buffer or page cache memory, in kilobytes, that are free and available. This is memory that has not been recently used and can be reclaimed for other purposes.
HighTotal and HighFree — The total and free amount of memory, in kilobytes, that is not directly mapped into kernel space. The HighTotal value can vary based on the type of kernel used.
LowTotal and LowFree — The total and free amount of memory, in kilobytes, that is directly mapped into kernel space. The LowTotal value can vary based on the type of kernel used.
SwapTotal — The total amount of swap available, in kilobytes.
SwapFree — The total amount of swap free, in kilobytes.
Dirty — The total amount of memory, in kilobytes, waiting to be written back to the disk.
Writeback — The total amount of memory, in kilobytes, actively being written back to the disk.
Mapped — The total amount of memory, in kilobytes, which have been used to map devices, files, or libraries using the mmap command.
Slab — The total amount of memory, in kilobytes, used by the kernel to cache data structures for its own use.
Committed_AS — The total amount of memory, in kilobytes, estimated to complete the workload. This value represents the worst case scenario value, and also includes swap memory.
PageTables — The total amount of memory, in kilobytes, dedicated to the lowest page table level.
VMallocTotal — The total amount of memory, in kilobytes, of total allocated virtual address space.
VMallocUsed — The total amount of memory, in kilobytes, of used virtual address space.
VMallocChunk — The largest contiguous block of memory, in kilobytes, of available virtual address space.
HugePages_Total — The total number of hugepages for the system. The number is derived by dividing Hugepagesize by the megabytes set aside for hugepages specified in /proc/sys/vm/hugetlb_pool. This statistic only appears on the x86, Itanium, and AMD64 architectures.
HugePages_Free — The total number of hugepages available for the system. This statistic only appears on the x86, Itanium, and AMD64 architectures.
Hugepagesize — The size for each hugepages unit in kilobytes. By default, the value is 4096 KB on uniprocessor kernels for 32 bit architectures. For SMP, hugemem kernels, and AMD64, the default is 2048 KB. For Itanium architectures, the default is 262144 KB. This statistic only appears on the x86, Itanium, and AMD64 architectures.
/proc/misc 63 device-mapper 175 agpgart 135 rtc 134 apm_bios
/proc/modules /proc/modules file output:
/sbin/lsmod command.
nfs 170109 0 - Live 0x129b0000 lockd 51593 1 nfs, Live 0x128b0000 nls_utf8 1729 0 - Live 0x12830000 vfat 12097 0 - Live 0x12823000 fat 38881 1 vfat, Live 0x1287b000 autofs4 20293 2 - Live 0x1284f000 sunrpc 140453 3 nfs,lockd, Live 0x12954000 3c59x 33257 0 - Live 0x12871000 uhci_hcd 28377 0 - Live 0x12869000 md5 3777 1 - Live 0x1282c000 ipv6 211845 16 - Live 0x128de000 ext3 92585 2 - Live 0x12886000 jbd 65625 1 ext3, Live 0x12857000 dm_mod 46677 3 - Live 0x12833000
Live, Loading, or Unloading are the only possible values.
oprofile.
/proc/mounts rootfs / rootfs rw 0 0 /proc /proc proc rw,nodiratime 0 0 none /dev ramfs rw 0 0 /dev/mapper/VolGroup00-LogVol00 / ext3 rw 0 0 none /dev ramfs rw 0 0 /proc /proc proc rw,nodiratime 0 0 /sys /sys sysfs rw 0 0 none /dev/pts devpts rw 0 0 usbdevfs /proc/bus/usb usbdevfs rw 0 0 /dev/hda1 /boot ext3 rw 0 0 none /dev/shm tmpfs rw 0 0 none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0 sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw 0 0
/etc/mtab, except that /proc/mount is more up-to-date.
ro) or read-write (rw). The fifth and sixth columns are dummy values designed to match the format used in /etc/mtab.
/proc/mtrr /proc/mtrr file may look similar to the following:
reg00: base=0x00000000 ( 0MB), size= 256MB: write-back, count=1 reg01: base=0xe8000000 (3712MB), size= 32MB: write-combining, count=1
/proc/mtrr file can increase performance more than 150%.
/usr/share/doc/kernel-doc-<version>/Documentation/mtrr.txt/proc/partitions major minor #blocks name 3 0 19531250 hda 3 1 104391 hda1 3 2 19422585 hda2 253 0 22708224 dm-0 253 1 524288 dm-1
major — The major number of the device with this partition. The major number in the /proc/partitions, (3), corresponds with the block device ide0, in /proc/devices.
minor — The minor number of the device with this partition. This serves to separate the partitions into different physical devices and relates to the number at the end of the name of the partition.
#blocks — Lists the number of physical disk blocks contained in a particular partition.
name — The name of the partition.
/proc/pci /proc/pci can be rather long. A sampling of this file from a basic system looks similar to the following:
Bus 0, device 0, function 0: Host bridge: Intel Corporation 440BX/ZX - 82443BX/ZX Host bridge (rev 3). Master Capable. Latency=64. Prefetchable 32 bit memory at 0xe4000000 [0xe7ffffff]. Bus 0, device 1, function 0: PCI bridge: Intel Corporation 440BX/ZX - 82443BX/ZX AGP bridge (rev 3). Master Capable. Latency=64. Min Gnt=128. Bus 0, device 4, function 0: ISA bridge: Intel Corporation 82371AB PIIX4 ISA (rev 2). Bus 0, device 4, function 1: IDE interface: Intel Corporation 82371AB PIIX4 IDE (rev 1). Master Capable. Latency=32. I/O at 0xd800 [0xd80f]. Bus 0, device 4, function 2: USB Controller: Intel Corporation 82371AB PIIX4 USB (rev 1). IRQ 5. Master Capable. Latency=32. I/O at 0xd400 [0xd41f]. Bus 0, device 4, function 3: Bridge: Intel Corporation 82371AB PIIX4 ACPI (rev 2). IRQ 9. Bus 0, device 9, function 0: Ethernet controller: Lite-On Communications Inc LNE100TX (rev 33). IRQ 5. Master Capable. Latency=32. I/O at 0xd000 [0xd0ff]. Bus 0, device 12, function 0: VGA compatible controller: S3 Inc. ViRGE/DX or /GX (rev 1). IRQ 11. Master Capable. Latency=32. Min Gnt=4.Max Lat=255.
lspci -vb/proc/slabinfo /proc/slabinfo file manually, the /usr/bin/slabtop program displays kernel slab cache information in real time. This program allows for custom configurations, including column sorting and screen refreshing.
/usr/bin/slabtop usually looks like the following example:
Active / Total Objects (% used) : 133629 / 147300 (90.7%) Active / Total Slabs (% used) : 11492 / 11493 (100.0%) Active / Total Caches (% used) : 77 / 121 (63.6%) Active / Total Size (% used) : 41739.83K / 44081.89K (94.7%) Minimum / Average / Maximum Object : 0.01K / 0.30K / 128.00K OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME 44814 43159 96% 0.62K 7469 6 29876K ext3_inode_cache 36900 34614 93% 0.05K 492 75 1968K buffer_head 35213 33124 94% 0.16K 1531 23 6124K dentry_cache 7364 6463 87% 0.27K 526 14 2104K radix_tree_node 2585 1781 68% 0.08K 55 47 220K vm_area_struct 2263 2116 93% 0.12K 73 31 292K size-128 1904 1125 59% 0.03K 16 119 64K size-32 1666 768 46% 0.03K 14 119 56K anon_vma 1512 1482 98% 0.44K 168 9 672K inode_cache 1464 1040 71% 0.06K 24 61 96K size-64 1320 820 62% 0.19K 66 20 264K filp 678 587 86% 0.02K 3 226 12K dm_io 678 587 86% 0.02K 3 226 12K dm_tio 576 574 99% 0.47K 72 8 288K proc_inode_cache 528 514 97% 0.50K 66 8 264K size-512 492 372 75% 0.09K 12 41 48K bio 465 314 67% 0.25K 31 15 124K size-256 452 331 73% 0.02K 2 226 8K biovec-1 420 420 100% 0.19K 21 20 84K skbuff_head_cache 305 256 83% 0.06K 5 61 20K biovec-4 290 4 1% 0.01K 1 290 4K revoke_table 264 264 100% 4.00K 264 1 1056K size-4096 260 256 98% 0.19K 13 20 52K biovec-16 260 256 98% 0.75K 52 5 208K biovec-64
/proc/slabinfo that are included into /usr/bin/slabtop include:
OBJS — The total number of objects (memory blocks), including those in use (allocated), and some spares not in use.
ACTIVE — The number of objects (memory blocks) that are in use (allocated).
USE — Percentage of total objects that are active. ((ACTIVE/OBJS)(100))
OBJ SIZE — The size of the objects.
SLABS — The total number of slabs.
OBJ/SLAB — The number of objects that fit into a slab.
CACHE SIZE — The cache size of the slab.
NAME — The name of the slab.
/usr/bin/slabtop program, refer to the slabtop man page.
/proc/stat /proc/stat, which can be quite long, usually begins like the following example:
cpu 259246 7001 60190 34250993 137517 772 0 cpu0 259246 7001 60190 34250993 137517 772 0 intr 354133732 347209999 2272 0 4 4 0 0 3 1 1249247 0 0 80143 0 422626 5169433 ctxt 12547729 btime 1093631447 processes 130523 procs_running 1 procs_blocked 0 preempt 5651840 cpu 209841 1554 21720 118519346 72939 154 27168 cpu0 42536 798 4841 14790880 14778 124 3117 cpu1 24184 569 3875 14794524 30209 29 3130 cpu2 28616 11 2182 14818198 4020 1 3493 cpu3 35350 6 2942 14811519 3045 0 3659 cpu4 18209 135 2263 14820076 12465 0 3373 cpu5 20795 35 1866 14825701 4508 0 3615 cpu6 21607 0 2201 14827053 2325 0 3334 cpu7 18544 0 1550 14831395 1589 0 3447 intr 15239682 14857833 6 0 6 6 0 5 0 1 0 0 0 29 0 2 0 0 0 0 0 0 0 94982 0 286812 ctxt 4209609 btime 1078711415 processes 21905 procs_running 1 procs_blocked 0
cpu — Measures the number of jiffies (1/100 of a second for x86 systems) that the system has been in user mode, user mode with low priority (nice), system mode, idle task, I/O wait, IRQ (hardirq), and softirq respectively. The IRQ (hardirq) is the direct response to a hardware event. The IRQ takes minimal work for queuing the "heavy" work up for the softirq to execute. The softirq runs at a lower priority than the IRQ and therefore may be interrupted more frequently. The total for all CPUs is given at the top, while each individual CPU is listed below with its own statistics. The following example is a 4-way Intel Pentium Xeon configuration with multi-threading enabled, therefore showing four physical processors and four virtual processors totaling eight processors.
page — The number of memory pages the system has written in and out to disk.
swap — The number of swap pages the system has brought in and out.
intr — The number of interrupts the system has experienced.
btime — The boot time, measured in the number of seconds since January 1, 1970, otherwise known as the epoch.
/proc/swaps /proc/swaps may look similar to the following:
Filename Type Size Used Priority /dev/mapper/VolGroup00-LogVol01 partition 524280 0 -1
/proc/ directory, /proc/swaps provides a snapshot of every swap file name, the type of swap space, the total size, and the amount of space in use (in kilobytes). The priority column is useful when multiple swap files are in use. The lower the priority, the more likely the swap file is to be used.
/proc/sysrq-trigger echo command to write to this file, a remote root user can execute most System Request Key commands remotely as if at the local terminal. To echo values to this file, the /proc/sys/kernel/sysrq must be set to a value other than 0. For more information about the System Request Key, refer to Seção 4.3.9.3, “ /proc/sys/kernel/ ”.
/proc/uptime /proc/uptime is quite minimal:
350735.47 234388.90
/proc/version gcc in use, as well as the version of Red Hat Enterprise Linux installed on the system:
Linux version 2.6.8-1.523 (user@foo.redhat.com) (gcc version 3.4.1 20040714 \ (Red Hat Enterprise Linux 3.4.1-7)) #1 Mon Aug 16 13:27:03 EDT 2004
/proc/ /proc/ directory.
/proc/ directory contains a number of directories with numerical names. A listing of them may be similar to the following:
dr-xr-xr-x 3 root root 0 Feb 13 01:28 1 dr-xr-xr-x 3 root root 0 Feb 13 01:28 1010 dr-xr-xr-x 3 xfs xfs 0 Feb 13 01:28 1087 dr-xr-xr-x 3 daemon daemon 0 Feb 13 01:28 1123 dr-xr-xr-x 3 root root 0 Feb 13 01:28 11307 dr-xr-xr-x 3 apache apache 0 Feb 13 01:28 13660 dr-xr-xr-x 3 rpc rpc 0 Feb 13 01:28 637 dr-xr-xr-x 3 rpcuser rpcuser 0 Feb 13 01:28 666
/proc/ process directory vanishes.
cmdline — Contains the command issued when starting the process.
cwd — A symbolic link to the current working directory for the process.
environ — A list of the environment variables for the process. The environment variable is given in all upper-case characters, and the value is in lower-case characters.
exe — A symbolic link to the executable of this process.
fd — A directory containing all of the file descriptors for a particular process. These are given in numbered links:
total 0 lrwx------ 1 root root 64 May 8 11:31 0 -> /dev/null lrwx------ 1 root root 64 May 8 11:31 1 -> /dev/null lrwx------ 1 root root 64 May 8 11:31 2 -> /dev/null lrwx------ 1 root root 64 May 8 11:31 3 -> /dev/ptmx lrwx------ 1 root root 64 May 8 11:31 4 -> socket:[7774817] lrwx------ 1 root root 64 May 8 11:31 5 -> /dev/ptmx lrwx------ 1 root root 64 May 8 11:31 6 -> socket:[7774829] lrwx------ 1 root root 64 May 8 11:31 7 -> /dev/ptmx
maps — A list of memory maps to the various executables and library files associated with this process. This file can be rather long, depending upon the complexity of the process, but sample output from the sshd process begins like the following:
08048000-08086000 r-xp 00000000 03:03 391479 /usr/sbin/sshd 08086000-08088000 rw-p 0003e000 03:03 391479 /usr/sbin/sshd 08088000-08095000 rwxp 00000000 00:00 0 40000000-40013000 r-xp 0000000 03:03 293205 /lib/ld-2.2.5.so 40013000-40014000 rw-p 00013000 03:03 293205 /lib/ld-2.2.5.so 40031000-40038000 r-xp 00000000 03:03 293282 /lib/libpam.so.0.75 40038000-40039000 rw-p 00006000 03:03 293282 /lib/libpam.so.0.75 40039000-4003a000 rw-p 00000000 00:00 0 4003a000-4003c000 r-xp 00000000 03:03 293218 /lib/libdl-2.2.5.so 4003c000-4003d000 rw-p 00001000 03:03 293218 /lib/libdl-2.2.5.so
mem — The memory held by the process. This file cannot be read by the user.
root — A link to the root directory of the process.
stat — The status of the process.
statm — The status of the memory in use by the process. Below is a sample /proc/statm file:
263 210 210 5 0 205 0
status — The status of the process in a more readable form than stat or statm. Sample output for sshd looks similar to the following:
Name: sshd State: S (sleeping) Tgid: 797 Pid: 797 PPid: 1 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 32 Groups: VmSize: 3072 kB VmLck: 0 kB VmRSS: 840 kB VmData: 104 kB VmStk: 12 kB VmExe: 300 kB VmLib: 2528 kB SigPnd: 0000000000000000 SigBlk: 0000000000000000 SigIgn: 8000000000001000 SigCgt: 0000000000014005 CapInh: 0000000000000000 CapPrm: 00000000fffffeff CapEff: 00000000fffffeff
S (sleeping) or R (running)), user/group ID running the process, and detailed data regarding memory usage.
/proc/self/ /proc/self/ directory is a link to the currently running process. This allows a process to look at itself without having to know its process ID.
/proc/self/ directory produces the same contents as listing the process directory for that process.
/proc/bus/ /proc/bus/ by the same name, such as /proc/bus/pci/.
/proc/bus/ vary depending on the devices connected to the system. However, each bus type has at least one directory. Within these bus directories are normally at least one subdirectory with a numerical name, such as 001, which contain binary files.
/proc/bus/usb/ subdirectory contains files that track the various devices on any USB buses, as well as the drivers required for them. The following is a sample listing of a /proc/bus/usb/ directory:
total 0 dr-xr-xr-x 1 root root 0 May 3 16:25 001 -r--r--r-- 1 root root 0 May 3 16:25 devices -r--r--r-- 1 root root 0 May 3 16:25 drivers
/proc/bus/usb/001/ directory contains all devices on the first USB bus and the devices file identifies the USB root hub on the motherboard.
/proc/bus/usb/devices file:
T: Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=12 MxCh= 2 B: Alloc= 0/900 us ( 0%), #Int= 0, #Iso= 0 D: Ver= 1.00 Cls=09(hub ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1 P: Vendor=0000 ProdID=0000 Rev= 0.00 S: Product=USB UHCI Root Hub S: SerialNumber=d400 C:* #Ifs= 1 Cfg#= 1 Atr=40 MxPwr= 0mA I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub E: Ad=81(I) Atr=03(Int.) MxPS= 8 Ivl=255ms
/proc/driver/ rtc which provides output from the driver for the system's Real Time Clock (RTC), the device that keeps the time while the system is switched off. Sample output from /proc/driver/rtc looks like the following:
rtc_time : 16:21:00 rtc_date : 2004-08-31 rtc_epoch : 1900 alarm : 21:16:27 DST_enable : no BCD : yes 24hr : yes square_wave : no alarm_IRQ : no update_IRQ : no periodic_IRQ : no periodic_freq : 1024 batt_status : okay
/usr/share/doc/kernel-doc-<version>/Documentation/rtc.txt.
/proc/fs cat /proc/fs/nfsd/exports displays the file systems being shared and the permissions granted for those file systems. For more on file system sharing with NFS, refer to Capítulo 20, Sistema de Arquivo de Rede (NFS - Network File System).
/proc/ide/ /proc/ide/ide0 and /proc/ide/ide1. In addition, a drivers file is available, providing the version number of the various drivers used on the IDE channels:
ide-floppy version 0.99. newide ide-cdrom version 4.61 ide-disk version 1.18
/proc/ide/piix file which reveals whether DMA or UDMA is enabled for the devices on the IDE channels:
Intel PIIX4 Ultra 33 Chipset. ------------- Primary Channel ---------------- Secondary Channel ------------- enabled enabled ------------- drive0 --------- drive1 -------- drive0 ---------- drive1 ------ DMA enabled: yes no yes no UDMA enabled: yes no no no UDMA enabled: 2 X X X UDMA DMA PIO
ide0, provides additional information. The channel file provides the channel number, while the model identifies the bus type for the channel (such as pci).
/dev/ directory. For instance, the first IDE drive on ide0 would be hda.
/proc/ide/ directory.
cache — The device cache.
capacity — The capacity of the device, in 512 byte blocks.
driver — The driver and version used to control the device.
geometry — The physical and logical geometry of the device.
media — The type of device, such as a disk.
model — The model name or number of the device.
settings — A collection of current device parameters. This file usually contains quite a bit of useful, technical information. A sample settings file for a standard IDE hard disk looks similar to the following:
name value min max mode ---- ----- --- --- ---- acoustic 0 0 254 rw address 0 0 2 rw bios_cyl 38752 0 65535 rw bios_head 16 0 255 rw bios_sect 63 0 63 rw bswap 0 0 1 r current_speed 68 0 70 rw failures 0 0 65535 rw init_speed 68 0 70 rw io_32bit 0 0 3 rw keepsettings 0 0 1 rw lun 0 0 7 rw max_failures 1 0 65535 rw multcount 16 0 16 rw nice1 1 0 1 rw nowerr 0 0 1 rw number 0 0 3 rw pio_mode write-only 0 255 w unmaskirq 0 0 1 rw using_dma 1 0 1 rw wcache 1 0 1 rw
/proc/irq/ /proc/irq/prof_cpu_mask file is a bitmask that contains the default values for the smp_affinity file in the IRQ directory. The values in smp_affinity specify which CPUs handle that particular IRQ.
/proc/irq/ directory, refer to the following installed documentation:
/usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt/proc/net/ /proc/net/ directory:
arp — Lists the kernel's ARP table. This file is particularly useful for connecting a hardware address to an IP address on a system.
atm/ directory — The files within this directory contain Asynchronous Transfer Mode (ATM) settings and statistics. This directory is primarily used with ATM networking and ADSL cards.
dev — Lists the various network devices configured on the system, complete with transmit and receive statistics. This file displays the number of bytes each interface has sent and received, the number of packets inbound and outbound, the number of errors seen, the number of packets dropped, and more.
dev_mcast — Lists Layer2 multicast groups on which each device is listening.
igmp — Lists the IP multicast addresses which this system joined.
ip_conntrack — Lists tracked network connections for machines that are forwarding IP connections.
ip_tables_names — Lists the types of iptables in use. This file is only present if iptables is active on the system and contains one or more of the following values: filter, mangle, or nat.
ip_mr_cache — Lists the multicast routing cache.
ip_mr_vif — Lists multicast virtual interfaces.
netstat — Contains a broad yet detailed collection of networking statistics, including TCP timeouts, SYN cookies sent and received, and much more.
psched — Lists global packet scheduler parameters.
raw — Lists raw device statistics.
route — Lists the kernel's routing table.
rt_cache — Contains the current routing cache.
snmp — List of Simple Network Management Protocol (SNMP) data for various networking protocols in use.
sockstat — Provides socket statistics.
tcp — Contains detailed TCP socket information.
tr_rif — Lists the token ring RIF routing table.
udp — Contains detailed UDP socket information.
unix — Lists UNIX domain sockets currently in use.
wireless — Lists wireless interface data.
/proc/scsi/ /proc/ide/ directory, but it is for connected SCSI devices.
/proc/scsi/scsi, which contains a list of every recognized SCSI device. From this listing, the type of device, as well as the model name, vendor, SCSI channel and ID data is available.
Attached devices: Host: scsi1 Channel: 00 Id: 05 Lun: 00 Vendor: NEC Model: CD-ROM DRIVE:466 Rev: 1.06 Type: CD-ROM ANSI SCSI revision: 02 Host: scsi1 Channel: 00 Id: 06 Lun: 00 Vendor: ARCHIVE Model: Python 04106-XXX Rev: 7350 Type: Sequential-Access ANSI SCSI revision: 02 Host: scsi2 Channel: 00 Id: 06 Lun: 00 Vendor: DELL Model: 1x6 U2W SCSI BP Rev: 5.35 Type: Processor ANSI SCSI revision: 02 Host: scsi2 Channel: 02 Id: 00 Lun: 00 Vendor: MegaRAID Model: LD0 RAID5 34556R Rev: 1.01 Type: Direct-Access ANSI SCSI revision: 02
/proc/scsi/, which contains files specific to each SCSI controller using that driver. From the previous example, aic7xxx/ and megaraid/ directories are present, since two drivers are in use. The files in each of the directories typically contain an I/O address range, IRQ information, and statistics for the SCSI controller using that driver. Each controller can report a different type and amount of information. The Adaptec AIC-7880 Ultra SCSI host adapter's file in this example system produces the following output:
Adaptec AIC7xxx driver version: 5.1.20/3.2.4
Compile Options:
TCQ Enabled By Default : Disabled
AIC7XXX_PROC_STATS : Enabled
AIC7XXX_RESET_DELAY : 5
Adapter Configuration:
SCSI Adapter: Adaptec AIC-7880 Ultra SCSI host adapter
Ultra Narrow Controller PCI MMAPed
I/O Base: 0xfcffe000
Adapter SEEPROM Config: SEEPROM found and used.
Adaptec SCSI BIOS: Enabled
IRQ: 30
SCBs: Active 0, Max Active 1, Allocated 15, HW 16, Page 255
Interrupts: 33726
BIOS Control Word: 0x18a6
Adapter Control Word: 0x1c5f
Extended Translation: Enabled
Disconnect Enable Flags: 0x00ff
Ultra Enable Flags: 0x0020
Tag Queue Enable Flags: 0x0000
Ordered Queue Tag Flags: 0x0000
Default Tag Queue Depth: 8
Tagged Queue By Device array for aic7xxx
host instance 1: {255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255}
Actual queue depth per device for aic7xxx host instance 1: {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1}
Statistics:
(scsi1:0:5:0) Device using Narrow/Sync transfers at 20.0 MByte/sec, offset 15
Transinfo settings: current(12/15/0/0), goal(12/15/0/0), user(12/15/0/0)
Total transfers 0 (0 reads and 0 writes)
< 2K 2K+ 4K+ 8K+ 16K+ 32K+ 64K+ 128K+
Reads: 0 0 0 0 0 0 0 0
Writes: 0 0 0 0 0 0 0 0
(scsi1:0:6:0) Device using Narrow/Sync transfers at 10.0 MByte/sec, offset 15
Transinfo settings: current(25/15/0/0), goal(12/15/0/0), user(12/15/0/0)
Total transfers 132 (0 reads and 132 writes)
< 2K 2K+ 4K+ 8K+ 16K+ 32K+ 64K+ 128K+
Reads: 0 0 0 0 0 0 0 0
Writes: 0 0 0 1 131 0 0 0/proc/sys/ /proc/sys/ directory is different from others in /proc/ because it not only provides information about the system but also allows the system administrator to immediately enable and disable kernel features.
/proc/sys/ directory. Changing the wrong setting may render the kernel unstable, requiring a system reboot.
/proc/sys/.
-l option at the shell prompt. If the file is writable, it may be used to configure the kernel. For example, a partial listing of /proc/sys/fs looks like the following:
-r--r--r-- 1 root root 0 May 10 16:14 dentry-state -rw-r--r-- 1 root root 0 May 10 16:14 dir-notify-enable -r--r--r-- 1 root root 0 May 10 16:14 dquot-nr -rw-r--r-- 1 root root 0 May 10 16:14 file-max -r--r--r-- 1 root root 0 May 10 16:14 file-nr
dir-notify-enable and file-max can be written to and, therefore, can be used to configure the kernel. The other files only provide feedback on current settings.
/proc/sys/ file is done by echoing the new value into the file. For example, to enable the System Request Key on a running kernel, type the command:
echo 1 > /proc/sys/kernel/sysrqsysrq from 0 (off) to 1 (on).
/proc/sys/ configuration files contain more than one value. To correctly send new values to them, place a space character between each value passed with the echo command, such as is done in this example:
echo 4 2 45 > /proc/sys/kernel/acctecho command disappear when the system is restarted. To make configuration changes take effect after the system is rebooted, refer to Seção 4.4, “Using the sysctl Command”.
/proc/sys/ directory contains several subdirectories controlling different aspects of a running kernel.
/proc/sys/dev/ cdrom/ and raid/. Customized kernels can have other directories, such as parport/, which provides the ability to share one parallel port between multiple device drivers.
cdrom/ directory contains a file called info, which reveals a number of important CD-ROM parameters:
CD-ROM information, Id: cdrom.c 3.20 2003/12/17 drive name: hdc drive speed: 48 drive # of slots: 1 Can close tray: 1 Can open tray: 1 Can lock tray: 1 Can change speed: 1 Can select disk: 0 Can read multisession: 1 Can read MCN: 1 Reports media changed: 1 Can play audio: 1 Can write CD-R: 0 Can write CD-RW: 0 Can read DVD: 0 Can write DVD-R: 0 Can write DVD-RAM: 0 Can read MRW: 0 Can write MRW: 0 Can write RAM: 0
/proc/sys/dev/cdrom, such as autoclose and checkmedia, can be used to control the system's CD-ROM. Use the echo command to enable or disable these features.
/proc/sys/dev/raid/ directory becomes available with at least two files in it: speed_limit_min and speed_limit_max. These settings determine the acceleration of RAID devices for I/O intensive tasks, such as resyncing the disks.
/proc/sys/fs/ binfmt_misc/ directory is used to provide kernel support for miscellaneous binary formats.
/proc/sys/fs/ include:
dentry-state — Provides the status of the directory cache. The file looks similar to the following:
57411 52939 45 0 0 0
dquot-nr — Lists the maximum number of cached disk quota entries.
file-max — Lists the maximum number of file handles that the kernel allocates. Raising the value in this file can resolve errors caused by a lack of available file handles.
file-nr — Lists the number of allocated file handles, used file handles, and the maximum number of file handles.
overflowgid and overflowuid — Defines the fixed group ID and user ID, respectively, for use with file systems that only support 16-bit group and user IDs.
super-max — Controls the maximum number of superblocks available.
super-nr — Displays the current number of superblocks in use.
/proc/sys/kernel/ acct — Controls the suspension of process accounting based on the percentage of free space available on the file system containing the log. By default, the file looks like the following:
4 2 30
cap-bound — Controls the capability bounding settings, which provides a list of capabilities for any process on the system. If a capability is not listed here, then no process, no matter how privileged, can do it. The idea is to make the system more secure by ensuring that certain things cannot happen, at least beyond a certain point in the boot process.
/lib/modules/<kernel-version>/build/include/linux/capability.h.
ctrl-alt-del — Controls whether Ctrl+Alt+Delete gracefully restarts the computer using init (0) or forces an immediate reboot without syncing the dirty buffers to disk (1).
domainname — Configures the system domain name, such as example.com.
exec-shield — Configures the Exec Shield feature of the kernel. Exec Shield provides protection against certain types of buffer overflow attacks.
0 — Disables Exec Shield.
1 — Enables Exec Shield. This is the default value.
exec-shield-randomize — Enables location randomization of various items in memory. This helps deter potential attackers from locating programs and daemons in memory. Each time a program or daemon starts, it is put into a different memory location each time, never in a static or absolute memory address.
0 — Disables randomization of Exec Shield. This may be useful for application debugging purposes.
1 — Enables randomization of Exec Shield. This is the default value. Note: The exec-shield file must also be set to 1 for exec-shield-randomize to be effective.
hostname — Configures the system hostname, such as www.example.com.
hotplug — Configures the utility to be used when a configuration change is detected by the system. This is primarily used with USB and Cardbus PCI. The default value of /sbin/hotplug should not be changed unless testing a new program to fulfill this role.
modprobe — Sets the location of the program used to load kernel modules. The default value is /sbin/modprobe which means kmod calls it to load the module when a kernel thread calls kmod.
msgmax — Sets the maximum size of any message sent from one process to another and is set to 8192 bytes by default. Be careful when raising this value, as queued messages between processes are stored in non-swappable kernel memory. Any increase in msgmax would increase RAM requirements for the system.
msgmnb — Sets the maximum number of bytes in a single message queue. The default is 16384.
msgmni — Sets the maximum number of message queue identifiers. The default is 16.
osrelease — Lists the Linux kernel release number. This file can only be altered by changing the kernel source and recompiling.
ostype — Displays the type of operating system. By default, this file is set to Linux, and this value can only be changed by changing the kernel source and recompiling.
overflowgid and overflowuid — Defines the fixed group ID and user ID, respectively, for use with system calls on architectures that only support 16-bit group and user IDs.
panic — Defines the number of seconds the kernel postpones rebooting when the system experiences a kernel panic. By default, the value is set to 0, which disables automatic rebooting after a panic.
printk — This file controls a variety of settings related to printing or logging error messages. Each error message reported by the kernel has a loglevel associated with it that defines the importance of the message. The loglevel values break down in this order:
0 — Kernel emergency. The system is unusable.
1 — Kernel alert. Action must be taken immediately.
2 — Condition of the kernel is considered critical.
3 — General kernel error condition.
4 — General kernel warning condition.
5 — Kernel notice of a normal but significant condition.
6 — Kernel informational message.
7 — Kernel debug-level messages.
printk file:
6 4 1 7
random/ directory — Lists a number of values related to generating random numbers for the kernel.
rtsig-max — Configures the maximum number of POSIX real-time signals that the system may have queued at any one time. The default value is 1024.
rtsig-nr — Lists the current number of POSIX real-time signals queued by the kernel.
sem — Configures semaphore settings within the kernel. A semaphore is a System V IPC object that is used to control utilization of a particular process.
shmall— Sets the total amount of shared memory pages that can be used at one time, system-wide. By default, this value is 2097152.
shmmax — Sets the largest shared memory segment size allowed by the kernel. By default, this value is 33554432. However, the kernel supports much larger values than this.
shmmni — Sets the maximum number of shared memory segments for the whole system. By default, this value is 4096.
sysrq — Activates the System Request Key, if this value is set to anything other than zero (0), the default.
<system request code> . Replace <system request code> with one of the following system request codes:
r — Disables raw mode for the keyboard and sets it to XLATE (a limited keyboard mode which does not recognize modifiers such as Alt, Ctrl, or Shift for all keys).
k — Kills all processes active in a virtual console. Also called Secure Access Key (SAK), it is often used to verify that the login prompt is spawned from init and not a Trojan copy designed to capture usernames and passwords.
b — Reboots the kernel without first unmounting file systems or syncing disks attached to the system.
c — Crashes the system without first unmounting file systems or syncing disks attached to the system.
o — Shuts off the system.
s — Attempts to sync disks attached to the system.
u — Attempts to unmount and remount all file systems as read-only.
p — Outputs all flags and registers to the console.
t — Outputs a list of processes to the console.
m — Outputs memory statistics to the console.
0 through 9 — Sets the log level for the console.
e — Kills all processes except init using SIGTERM.
i — Kills all processes except init using SIGKILL.
l — Kills all processes using SIGKILL (including init). The system is unusable after issuing this System Request Key code.
h — Displays help text.
/usr/share/doc/kernel-doc-<version>/Documentation/sysrq.txt for more information about the System Request Key.
sysrq-key — Defines the key code for the System Request Key (84 is the default).
sysrq-sticky — Defines whether the System Request Key is a chorded key combination. The accepted values are as follows:
0 — Alt+SysRq and the system request code must be pressed simultaneously. This is the default value.
1 — Alt+SysRq must be pressed simultaneously, but the system request code can be pressed anytime before the number of seconds specified in /proc/sys/kernel/sysrq-timer elapses.
sysrq-timer — Specifies the number of seconds allowed to pass before the system request code must be pressed. The default value is 10.
tainted — Indicates whether a non-GPL module is loaded.
0 — No non-GPL modules are loaded.
1 — At least one module without a GPL license (including modules with no license) is loaded.
2 — At least one module was force-loaded with the command insmod -f.
threads-max — Sets the maximum number of threads to be used by the kernel, with a default value of 2048.
version — Displays the date and time the kernel was last compiled. The first field in this file, such as #3, relates to the number of times a kernel was built from the source base.
/proc/sys/net/ ethernet/, ipv4/, ipx/, and ipv6/. By altering the files within these directories, system administrators are able to adjust the network configuration on a running system.
/proc/sys/net/ directories are discussed.
/proc/sys/net/core/ directory contains a variety of settings that control the interaction between the kernel and networking layers. The most important of these files are:
message_burst — Sets the amount of time in tenths of a second required to write a new warning message. This setting is used to mitigate Denial of Service (DoS) attacks. The default setting is 50.
message_cost — Sets a cost on every warning message. The higher the value of this file (default of 5), the more likely the warning message is ignored. This setting is used to mitigate DoS attacks.
message_burst and message_cost are designed to be modified based on the system's acceptable risk versus the need for comprehensive logging.
netdev_max_backlog — Sets the maximum number of packets allowed to queue when a particular interface receives packets faster than the kernel can process them. The default value for this file is 300.
optmem_max — Configures the maximum ancillary buffer size allowed per socket.
rmem_default — Sets the receive socket buffer default size in bytes.
rmem_max — Sets the receive socket buffer maximum size in bytes.
wmem_default — Sets the send socket buffer default size in bytes.
wmem_max — Sets the send socket buffer maximum size in bytes.
/proc/sys/net/ipv4/ directory contains additional networking settings. Many of these settings, used in conjunction with one another, are useful in preventing attacks on the system or when using the system to act as a router.
/proc/sys/net/ipv4/ directory:
icmp_destunreach_rate, icmp_echoreply_rate, icmp_paramprob_rate, and icmp_timeexeed_rate — Set the maximum ICMP send packet rate, in 1/100 of a second, to hosts under certain conditions. A setting of 0 removes any delay and is not a good idea.
icmp_echo_ignore_all and icmp_echo_ignore_broadcasts — Allows the kernel to ignore ICMP ECHO packets from every host or only those originating from broadcast and multicast addresses, respectively. A value of 0 allows the kernel to respond, while a value of 1 ignores the packets.
ip_default_ttl — Sets the default Time To Live (TTL), which limits the number of hops a packet may make before reaching its destination. Increasing this value can diminish system performance.
ip_forward — Permits interfaces on the system to forward packets to one other. By default, this file is set to 0. Setting this file to 1 enables network packet forwarding.
ip_local_port_range — Specifies the range of ports to be used by TCP or UDP when a local port is needed. The first number is the lowest port to be used and the second number specifies the highest port. Any systems that expect to require more ports than the default 1024 to 4999 should use a range from 32768 to 61000.
tcp_syn_retries — Provides a limit on the number of times the system re-transmits a SYN packet when attempting to make a connection.
tcp_retries1 — Sets the number of permitted re-transmissions attempting to answer an incoming connection. Default of 3.
tcp_retries2 — Sets the number of permitted re-transmissions of TCP packets. Default of 15.
/usr/share/doc/kernel-doc-<version>/Documentation/networking/ ip-sysctl.txt/proc/sys/net/ipv4/ directory.
/proc/sys/net/ipv4/ directory and each covers a different aspect of the network stack. The /proc/sys/net/ipv4/conf/ directory allows each system interface to be configured in different ways, including the use of default settings for unconfigured devices (in the /proc/sys/net/ipv4/conf/default/ subdirectory) and settings that override all special configurations (in the /proc/sys/net/ipv4/conf/all/ subdirectory).
/proc/sys/net/ipv4/neigh/ directory contains settings for communicating with a host directly connected to the system (called a network neighbor) and also contains different settings for systems more than one hop away.
/proc/sys/net/ipv4/route/. Unlike conf/ and neigh/, the /proc/sys/net/ipv4/route/ directory contains specifications that apply to routing with any interfaces on the system. Many of these settings, such as max_size, max_delay, and min_delay, relate to controlling the size of the routing cache. To clear the routing cache, write any value to the flush file.
/usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt/proc/sys/vm/ /proc/sys/vm/ directory:
block_dump — Configures block I/O debugging when enabled. All read/write and block dirtying operations done to files are logged accordingly. This can be useful if diagnosing disk spin up and spin downs for laptop battery conservation. All output when block_dump is enabled can be retrieved via dmesg. The default value is 0.
block_dump is enabled at the same time as kernel debugging, it is prudent to stop the klogd daemon, as it generates erroneous disk activity caused by block_dump.
dirty_background_ratio — Starts background writeback of dirty data at this percentage of total memory, via a pdflush daemon. The default value is 10.
dirty_expire_centisecs — Defines when dirty in-memory data is old enough to be eligible for writeout. Data which has been dirty in-memory for longer than this interval is written out next time a pdflush daemon wakes up. The default value is 3000, expressed in hundredths of a second.
dirty_ratio — Starts active writeback of dirty data at this percentage of total memory for the generator of dirty data, via pdflush. The default value is 40.
dirty_writeback_centisecs — Defines the interval between pdflush daemon wakeups, which periodically writes dirty in-memory data out to disk. The default value is 500, expressed in hundredths of a second.
laptop_mode — Minimizes the number of times that a hard disk needs to spin up by keeping the disk spun down for as long as possible, therefore conserving battery power on laptops. This increases efficiency by combining all future I/O processes together, reducing the frequency of spin ups. The default value is 0, but is automatically enabled in case a battery on a laptop is used.
/usr/share/doc/kernel-doc-<version>/Documentation/laptop-mode.txt
lower_zone_protection — Determines how aggressive the kernel is in defending lower memory allocation zones. This is effective when utilized with machines configured with highmem memory space enabled. The default value is 0, no protection at all. All other integer values are in megabytes, and lowmem memory is therefore protected from being allocated by users.
/usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt
max_map_count — Configures the maximum number of memory map areas a process may have. In most cases, the default value of 65536 is appropriate.
min_free_kbytes — Forces the Linux VM (virtual memory manager) to keep a minimum number of kilobytes free. The VM uses this number to compute a pages_min value for each lowmem zone in the system. The default value is in respect to the total memory on the machine.
nr_hugepages — Indicates the current number of configured hugetlb pages in the kernel.
/usr/share/doc/kernel-doc-<version>/Documentation/vm/hugetlbpage.txt
nr_pdflush_threads — Indicates the number of pdflush daemons that are currently running. This file is read-only, and should not be changed by the user. Under heavy I/O loads, the default value of two is increased by the kernel.
overcommit_memory — Configures the conditions under which a large memory request is accepted or denied. The following three modes are available:
0 — The kernel performs heuristic memory over commit handling by estimating the amount of memory available and failing requests that are blatantly invalid. Unfortunately, since memory is allocated using a heuristic rather than a precise algorithm, this setting can sometimes allow available memory on the system to be overloaded. This is the default setting.
1 — The kernel performs no memory over commit handling. Under this setting, the potential for memory overload is increased, but so is performance for memory intensive tasks (such as those executed by some scientific software).
2 — The kernel fails requests for memory that add up to all of swap plus the percent of physical RAM specified in /proc/sys/vm/overcommit_ratio. This setting is best for those who desire less risk of memory overcommitment.
overcommit_ratio — Specifies the percentage of physical RAM considered when /proc/sys/vm/overcommit_memory is set to 2. The default value is 50.
page-cluster — Sets the number of pages read in a single attempt. The default value of 3, which actually relates to 16 pages, is appropriate for most systems.
swappiness — Determines how much a machine should swap. The higher the value, the more swapping occurs. The default value, as a percentage, is set to 60.
/usr/share/doc/kernel-doc-<version>/Documentation/, which contains additional information.
/proc/sysvipc/ msg), semaphores (sem), and shared memory (shm).
/proc/tty/ drivers file is a list of the current tty devices in use, as in the following example:
serial /dev/cua 5 64-127 serial:callout serial /dev/ttyS 4 64-127 serial pty_slave /dev/pts 136 0-255 pty:slave pty_master /dev/ptm 128 0-255 pty:master pty_slave /dev/ttyp 3 0-255 pty:slave pty_master /dev/pty 2 0-255 pty:master /dev/vc/0 /dev/vc/0 4 0 system:vtmaster /dev/ptmx /dev/ptmx 5 2 system /dev/console /dev/console 5 1 system:console /dev/tty /dev/tty 5 0 system:/dev/tty unknown /dev/vc/%d 4 1-63 console
/proc/tty/driver/serial file lists the usage statistics and status of each of the serial tty lines.
ldiscs file, and more detailed information is available within the ldisc/ directory.
/proc/<PID>/ /proc/sys/vm/panic_on_oom. When set to 1 the kernel will panic on OOM. A setting of 0 instructs the kernel to call a function named oom_killer on an OOM. Usually, oom_killer can kill rogue processes and the system will survive.
/proc/sys/vm/panic_on_oom.
~]#cat /proc/sys/vm/panic_on_oom1 ~]#echo 0 > /proc/sys/vm/panic_on_oom~]#cat /proc/sys/vm/panic_on_oom0
oom_killer score. In /proc/<PID>/ there are two tools labelled oom_adj and oom_score. Valid scores for oom_adj are in the range -16 to +15. To see the current oom_killer score, view the oom_score for the process. oom_killer will kill processes with the highest scores first.
oom_killer will kill it.
~]#cat /proc/12465/oom_score79872 ~]#echo -5 > /proc/12465/oom_adj~]#cat /proc/12465/oom_score78
oom_killer for that process. In the example below, oom_score returns a value of 0, indicating that this process would not be killed.
~]#cat /proc/12465/oom_score78 ~]#echo -17 > /proc/12465/oom_adj~]#cat /proc/12465/oom_score0
badness() is used to determine the actual score for each process. This is done by adding up 'points' for each examined process. The process scoring is done in the following way:
CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities have their scores reduced.
oom_adj file.
oom_score value will most probably be a non-privileged, recently started process that, along with its children, uses a large amount of memory, has been 'niced', and handles no raw I/O.
sysctl Command/sbin/sysctl command is used to view, set, and automate kernel settings in the /proc/sys/ directory.
/proc/sys/ directory, type the /sbin/sysctl -a command as root. This creates a large, comprehensive list, a small portion of which looks something like the following:
net.ipv4.route.min_delay = 2 kernel.sysrq = 0 kernel.sem = 250 32000 32 128
/proc/sys/net/ipv4/route/min_delay file is listed as net.ipv4.route.min_delay, with the directory slashes replaced by dots and the proc.sys portion assumed.
sysctl command can be used in place of echo to assign values to writable files in the /proc/sys/ directory. For example, instead of using the command
echo 1 > /proc/sys/kernel/sysrqsysctl command as follows:
~]# sysctl -w kernel.sysrq="1"
kernel.sysrq = 1/proc/sys/ is helpful during testing, this method does not work as well on a production system as special settings within /proc/sys/ are lost when the machine is rebooted. To preserve custom settings, add them to the /etc/sysctl.conf file.
init program runs the /etc/rc.d/rc.sysinit script. This script contains a command to execute sysctl using /etc/sysctl.conf to determine the values passed to the kernel. Any values added to /etc/sysctl.conf therefore take effect each time the system boots.
proc file system.
proc file system is installed on the system by default.
/usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt — Contains assorted, but limited, information about all aspects of the /proc/ directory.
/usr/share/doc/kernel-doc-<version>/Documentation/sysrq.txt — An overview of System Request Key options.
/usr/share/doc/kernel-doc-<version>/Documentation/sysctl/ — A directory containing a variety of sysctl tips, including modifying values that concern the kernel (kernel.txt), accessing file systems (fs.txt), and virtual memory use (vm.txt).
/usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt — A detailed overview of IP networking options.
/) partition exists on two 40G drives, you have 80G total but are only able to access 40G of that 80G. The other 40G acts like a mirror of the first 40G.
/dev/hda and /dev/hdb) to illustrate the creation of simple RAID 1 and RAID 0 configurations, and detail how to create a simple RAID configuration by implementing multiple RAID devices.
/boot partition as a software RAID device, leaving the root partition (/), /home, and swap as regular file systems. Figura 5.4, “RAID 1 Partitions Ready, Pre-Device and Mount Point Creation” shows successfully allocated space for the RAID 1 configuration (for /boot), which is now ready for RAID device and mount point creation:
/boot, you must choose RAID level 1, and it must use one of the first two drives (IDE first, SCSI second). If you are not creating a separate RAID partition of /boot, and you are making a RAID partition for the root file system (that is, /), it must be RAID level 1 and must use one of the first two drives (IDE first, SCSI second).
/), home partition (/home), or swap.
/proc/mdstat special file. To list these devices, display the content of this file by typing the following at a shell prompt:
cat/proc/mdstat
root:
mdadm--querydevice…
mdadm--detailraid_device…
mdadm--examinecomponent_device…
mdadm --detail command displays information about a RAID device, mdadm --examine only relays information about a RAID device as it relates to a given component device. This distinction is particularly important when working with a RAID device that itself is a component of another RAID device.
mdadm --query command, as well as both mdadm --detail and mdadm --examine commands allow you to specify multiple devices at once.
/dev/md0 is a RAID device by typing the following at a shell prompt:
~]# mdadm --query /dev/md0
/dev/md0: 125.38MiB raid1 2 devices, 0 spares. Use mdadm --detail for more detail.
/dev/md0: No md super block found, not an md component.~]# mdadm --detail /dev/md0
/dev/md0:
Version : 0.90
Creation Time : Tue Jun 28 16:05:49 2011
Raid Level : raid1
Array Size : 128384 (125.40 MiB 131.47 MB)
Used Dev Size : 128384 (125.40 MiB 131.47 MB)
Raid Devices : 2
Total Devices : 2
Preferred Minor : 0
Persistence : Superblock is persistent
Update Time : Thu Jun 30 17:06:34 2011
State : clean
Active Devices : 2
Working Devices : 2
Failed Devices : 0
Spare Devices : 0
UUID : 49c5ac74:c2b79501:5c28cb9c:16a6dd9f
Events : 0.6
Number Major Minor RaidDevice State
0 3 1 0 active sync /dev/hda1
1 3 65 1 active sync /dev/hdb1~]$ cat /proc/mdstat
Personalities : [raid0] [raid1]
md0 : active raid1 hdb1[1] hda1[0]
128384 blocks [2/2] [UU]
md1 : active raid0 hdb2[1] hda2[0]
1573888 blocks 256k chunks
md2 : active raid0 hdb3[1] hda3[0]
19132928 blocks 256k chunks
unused devices: <none>root:
mdadm--createraid_device--level=level--raid-devices=numbercomponent_device…
mdadm(8) manual page.
~]# ls /dev/sd*
/dev/sda /dev/sda1 /dev/sdb /dev/sdb1/dev/md3 as a new RAID level 1 array from /dev/sda1 and /dev/sdb1, run the following command:
~]# mdadm --create /dev/md3 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1
mdadm: array /dev/md3 started.root:
mdadmraid_device--failcomponent_device
mdadmraid_device--removecomponent_device
mdadmraid_device--addcomponent_device
/dev/md3, with the following layout (that is, the RAID device created in Exemplo 5.2, “Creating a new RAID device”):
~]# mdadm --detail /dev/md3 | tail -n 3
Number Major Minor RaidDevice State
0 8 1 0 active sync /dev/sda1
1 8 17 1 active sync /dev/sdb1/dev/sdb1 device as faulty:
~]# mdadm /dev/md3 --fail /dev/sdb1
mdadm: set /dev/sdb1 faulty in /dev/md3~]# mdadm /dev/md3 --remove /dev/sdb1
mdadm: hot removed /dev/sdb1~]# mdadm /dev/md3 --add /dev/sdb1
mdadm: added /dev/sdb1root:
mdadmraid_device--addcomponent_device
mdadm--growraid_device--raid-devices=number
/dev/md3, with the following layout (that is, the RAID device created in Exemplo 5.2, “Creating a new RAID device”):
~]# mdadm --detail /dev/md3 | tail -n 3
Number Major Minor RaidDevice State
0 8 1 0 active sync /dev/sda1
1 8 17 1 active sync /dev/sdb1/dev/sdc, has been added and has exactly one partition. To add it to the /dev/md3 array, type the following at a shell prompt:
~]# mdadm /dev/md3 --add /dev/sdc1
mdadm: added /dev/sdc1/dev/sdc1 as a spare device. To change the size of the array to actually use it, type:
~]# mdadm --grow /dev/md3 --raid-devices=3root:
mdadm--stopraid_device
mdadm--removeraid_device
mdadm--zero-superblockcomponent_device…
/dev/md3, with the following layout (that is, the RAID device created in Exemplo 5.4, “Extending a RAID device”):
~]# mdadm --detail /dev/md3 | tail -n 4
Number Major Minor RaidDevice State
0 8 1 0 active sync /dev/sda1
1 8 17 1 active sync /dev/sdb1
2 8 33 2 active sync /dev/sdc1~]# mdadm --stop /dev/md3
mdadm: stopped /dev/md3/dev/md3 device by running the following command:
~]# mdadm --remove /dev/md3~]# mdadm --zero-superblock /dev/sda1 /dev/sdb1 /dev/sdc1mdadm command only apply to the current session, and will not survive a system restart. At boot time, the mdmonitor service reads the content of the /etc/mdadm.conf configuration file to see which RAID devices to start. If the software RAID was configured during the graphical installation process, this file contains directives listed in Tabela 5.1, “Common mdadm.conf directives” by default.
| Option | Description |
|---|---|
ARRAY
|
Allows you to identify a particular array.
|
DEVICE
|
Allows you to specify a list of devices to scan for a RAID component (for example, “/dev/hda1”). You can also use the keyword
partitions to use all partitions listed in /proc/partitions, or containers to specify an array container.
|
MAILADDR
| Allows you to specify an email address to use in case of an alert. |
ARRAY lines are presently in use regardless of the configuration, run the following command as root:
mdadm--detail--scan
/etc/mdadm.conf file. You can also display the ARRAY line for a particular device:
mdadm--detail--briefraid_device
mdadm--detail--briefraid_device>>/etc/mdadm.conf
/etc/mdadm.conf contains the software RAID configuration created during the system installation:
# mdadm.conf written out by anaconda DEVICE partitions MAILADDR root ARRAY /dev/md0 level=raid1 num-devices=2 UUID=49c5ac74:c2b79501:5c28cb9c:16a6dd9f ARRAY /dev/md1 level=raid0 num-devices=2 UUID=76914c11:5bfa2c00:dc6097d1:a1f4506d ARRAY /dev/md2 level=raid0 num-devices=2 UUID=2b5d38d0:aea898bf:92be20e2:f9d893c5
/dev/md3 device as shown in Exemplo 5.2, “Creating a new RAID device”, you can make it persistent by running the following command:
~]# mdadm --detail --brief /dev/md3 >> /etc/mdadm.confmdadm man page — A manual page for the mdadm utility.
mdadm.conf man page — A manual page that provides a comprehensive list of available /etc/mdadm.conf configuration options.
| Amount of RAM in the System | Recommended Amount of Swap Space |
|---|---|
| 4GB of RAM or less | a minimum of 2GB of swap space |
| 4GB to 16GB of RAM | a minimum of 4GB of swap space |
| 16GB to 64GB of RAM | a minimum of 8GB of swap space |
| 64GB to 256GB of RAM | a minimum of 16GB of swap space |
| 256GB to 512GB of RAM | a minimum of 32GB of swap space |
free and cat /proc/swaps commands to verify how much and where swap is in use.
/dev/VolGroup00/LogVol01 is the volume you want to extend):
swapoff -v /dev/VolGroup00/LogVol01lvm lvresize /dev/VolGroup00/LogVol01 -L +256Mmkswap /dev/VolGroup00/LogVol01swapon -vacat /proc/swapsfree
/dev/VolGroup00/LogVol02 is the swap volume you want to add):
lvm lvcreate VolGroup00 -n LogVol02 -L 256Mmkswap /dev/VolGroup00/LogVol02/etc/fstab file:
/dev/VolGroup00/LogVol02 swap swap defaults 0 0
swapon -vacat /proc/swapsfree
count being equal to the desired block size:
dd if=/dev/zero of=/swapfile bs=1024 count=65536mkswap /swapfileswapon /swapfile/etc/fstab to include the following entry:
/swapfile swap swap defaults 0 0
cat /proc/swaps or free.
/dev/VolGroup00/LogVol01 is the volume you want to reduce):
swapoff -v /dev/VolGroup00/LogVol01lvm lvreduce /dev/VolGroup00/LogVol01 -L -512Mmkswap /dev/VolGroup00/LogVol01swapon -vacat /proc/swapsfree
/dev/VolGroup00/LogVol02 is the swap volume you want to remove):
swapoff -v /dev/VolGroup00/LogVol02lvm lvremove /dev/VolGroup00/LogVol02/etc/fstab file:
/dev/VolGroup00/LogVol02 swap swap defaults 0 0
cat /proc/swapsfree
partedparted allows users to:
parted package is included when installing Red Hat Enterprise Linux. To start parted, log in as root and type the command parted /dev/sda at a shell prompt (where /dev/sdaumount command and turn off all the swap space on the hard drive with the swapoff command.
parted commands” contains a list of commonly used parted commands. The sections that follow explain some of these commands and arguments in more detail.
parted commands| Comando | Descrição |
|---|---|
check
| Executa uma verificação simples do sistema de arquivo |
cp
|
Copia o sistema de arquivo de uma partição para outra; de e para são os menores números das partições
|
help
| Exibe uma lista dos comandos disponíveis |
mklabel
| Cria uma etiqueta de disco para a tabela de partições |
mkfs
|
Cria um sistema de arquivo do tipo file-system-type
|
mkpart
| Cria uma partição sem criar um novo sistema de arquivo |
mkpartfs
| Cria uma partição e o sistema de arquivo especificado |
move
| Move a partição |
name
| Nomeia a partição somente para etiquetas de disco do Mac e PC98 |
print
| Exibe a tabela de partições |
quit
|
Quit parted
|
rescue start-mb end-mb
|
Recupera uma partição perdida de start-mb para end-mb
|
resize
|
Redimensiona a partição de start-mb para end-mb
|
rm
| Remove a partição |
select
| Seleciona um dispositivo diferente para configurar |
set
|
Define a bandeira de uma partição; o estado é ligado (on) ou desligado (off)
|
toggle [
|
Toggle the state of FLAG on partition NUMBER
|
unit
|
Set the default unit to UNIT
|
parted, use the command print to view the partition table. A table similar to the following appears:
Model: ATA ST3160812AS (scsi) Disk /dev/sda: 160GB Sector size (logical/physical): 512B/512B Partition Table: msdos Number Start End Size Type File system Flags 1 32.3kB 107MB 107MB primary ext3 boot 2 107MB 105GB 105GB primary ext3 3 105GB 107GB 2147MB primary linux-swap 4 107GB 160GB 52.9GB extended root 5 107GB 133GB 26.2GB logical ext3 6 133GB 133GB 107MB logical ext3 7 133GB 160GB 26.6GB logical lvm
number. For example, the partition with minor number 1 corresponds to /dev/sda1. The Start and End values are in megabytes. Valid Type are metadata, free, primary, extended, or logical. The Filesystem is the file system type, which can be any of the following:
Filesystem of a device shows no value, this means that its file system type is unknown.
parted, where /dev/sda is the device on which to create the partition:
parted /dev/sdaprintmkpart primary ext3 1024 2048mkpartfs command instead, the file system is created after the partition is created. However, parted does not support creating an ext3 file system. Thus, if you wish to create an ext3 file system, use mkpart and create the file system with the mkfs command as described later.
print command to confirm that it is in the partition table with the correct partition type, file system type, and size. Also remember the minor number of the new partition so that you can label it. You should also view the output of
cat /proc/partitionsmkfs -t ext3 /dev/sda6/dev/sda6 and you want to label it /work:
e2label /dev/sda6 /workmkdir /work/etc/fstab/etc/fstab file to include the new partition. The new line should look similar to the following:
LABEL=/work /work ext3 defaults 1 2
LABEL= followed by the label you gave the partition. The second column should contain the mount point for the new partition, and the next column should be the file system type (for example, ext3 or swap). If you need more information about the format, read the man page with the command man fstab.
defaults, the partition is mounted at boot time. To mount the partition without rebooting, as root, type the command:
mount /workparted, where /dev/sda is the device on which to remove the partition:
parted /dev/sdaprintrm. For example, to remove the partition with minor number 3:
rm 3print command to confirm that it is removed from the partition table. You should also view the output of
cat /proc/partitions/etc/fstab file. Find the line that declares the removed partition, and remove it from the file.
parted, where /dev/sda is the device on which to resize the partition:
parted /dev/sdaprintresize command followed by the minor number for the partition, the starting place in megabytes, and the end place in megabytes. For example:
resize 3 1024 2048print command to confirm that the partition has been resized correctly, is the correct partition type, and is the correct file system type.
df to make sure the partition was mounted and is recognized with the new size.
lvm help at a command prompt.
LVM commands| Comando | Descrição |
|---|---|
dumpconfig
| Dump the active configuration |
formats
| List the available metadata formats |
help
| Display the help commands |
lvchange
| Change the attributes of logical volume(s) |
lvcreate
| Create a logical volume |
lvdisplay
| Display information about a logical volume |
lvextend
| Add space to a logical volume |
lvmchange
| Due to use of the device mapper, this command has been deprecated |
lvmdiskscan
| List devices that may be used as physical volumes |
lvmsadc
| Collect activity data |
lvmsar
| Create activity report |
lvreduce
| Reduce the size of a logical volume |
lvremove
| Remove logical volume(s) from the system |
lvrename
| Rename a logical volume |
lvresize
| Resize a logical volume |
lvs
| Display information about logical volumes |
lvscan
| List all logical volumes in all volume groups |
pvchange
| Change attributes of physical volume(s) |
pvcreate
| Initialize physical volume(s) for use by LVM |
pvdata
| Display the on-disk metadata for physical volume(s) |
pvdisplay
| Display various attributes of physical volume(s) |
pvmove
| Move extents from one physical volume to another |
pvremove
| Remove LVM label(s) from physical volume(s) |
pvresize
| Resize a physical volume in use by a volume group |
pvs
| Display information about physical volumes |
pvscan
| List all physical volumes |
segtypes
| List available segment types |
vgcfgbackup
| Backup volume group configuration |
vgcfgrestore
| Restore volume group configuration |
vgchange
| Change volume group attributes |
vgck
| Check the consistency of a volume group |
vgconvert
| Change volume group metadata format |
vgcreate
| Create a volume group |
vgdisplay
| Display volume group information |
vgexport
| Unregister a volume group from the system |
vgextend
| Add physical volumes to a volume group |
vgimport
| Register exported volume group with system |
vgmerge
| Merge volume groups |
vgmknodes
| Create the special files for volume group devices in /dev/ |
vgreduce
| Remove a physical volume from a volume group |
vgremove
| Remove a volume group |
vgrename
| Rename a volume group |
vgs
| Display information about volume groups |
vgscan
| Search for all volume groups |
vgsplit
| Move physical volumes into a new volume group |
version
| Display software and driver version information |
quota RPM must be installed to implement disk quotas. /etc/fstab file.
/etc/fstab file. Add the usrquota and/or grpquota options to the file systems that require quotas:
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1 LABEL=/boot /boot ext3 defaults 1 2 none /dev/pts devpts gid=5,mode=620 0 0 none /dev/shm tmpfs defaults 0 0 none /proc proc defaults 0 0 none /sys sysfs defaults 0 0 /dev/VolGroup00/LogVol02 /home ext3 defaults,usrquota,grpquota 1 2 /dev/VolGroup00/LogVol01 swap swap defaults 0 0 . . .
/home file system has both user and group quotas enabled.
/home partition was created during the installation of Red Hat Enterprise Linux. The root (/) partition can be used for setting quota policies in the /etc/fstab file.
usrquota and/or grpquota options, remount each file system whose fstab entry has been modified. If the file system is not in use by any process, use one of the following methods:
umount command followed by the mount command to remount the file system.(See the man page for both umount and mount for the specific syntax for mounting and unmounting various filesystem types.)
mount -o remount <file-system> command (where <file-system> /home file system, the command to issue is mount -o remount /home.
quotacheck command.
quotacheck command examines quota-enabled file systems and builds a table of the current disk usage per file system. The table is then used to update the operating system's copy of disk usage. In addition, the file system's disk quota files are updated.
aquota.user and aquota.group) on the file system, use the -c option of the quotacheck command. For example, if user and group quotas are enabled for the /home file system, create the files in the /home directory:
quotacheck -cug /home-c especifica que os arquivos de quota devem ser criados para cada sistema de arquivo que tenha quotas habilitadas; a opção -u pede a verificação de quotas de usuário e a opção -g pede a verificação de quotas de grupo.
-u ou -g for especificada, somente o arquivo de quota do usuário é criado. Se especificar somente a opção -g, somente o arquivo de quota do grupo é criado.
quotacheck -avuga — Verifica todos os sistemas de arquivo montados localmente com quotas habilitadas
v — Exibe informações verbais de status enquanto a verificação de quotas procede
u — Verifica informações de quotas de disco do usuário
g — Verifica informações de quotas de disco do grupo
quotacheck has finished running, the quota files corresponding to the enabled quotas (user and/or group) are populated with data for each quota-enabled locally-mounted file system such as /home.
edquota command.
edquota username/etc/fstab for the /home partition (/dev/VolGroup00/LogVol02 in the example below) and the command edquota testuser is executed, the following is shown in the editor configured as the default for the system:
Disk quotas for user testuser (uid 501): Filesystem blocks soft hard inodes soft hard /dev/VolGroup00/LogVol02 440436 0 0 37418 0 0
EDITOR environment variable is used by edquota. To change the editor, set the EDITOR environment variable in your ~/.bash_profile file to the full path of the editor of your choice.
inodes column shows how many inodes the user is currently using. The last two columns are used to set the soft and hard inode limits for the user on the file system.
Disk quotas for user testuser (uid 501): Filesystem blocks soft hard inodes soft hard /dev/VolGroup00/LogVol02 440436 500000 550000 37418 0 0
quota testuserdevel group (the group must exist prior to setting the group quota), use the command:
edquota -g develDisk quotas for group devel (gid 505): Filesystem blocks soft hard inodes soft hard /dev/VolGroup00/LogVol02 440400 0 0 37418 0 0
quota -g develedquota -tedquota operam em uma quota de usuário ou de grupo específico, a opção -t opera em todos os sistemas de arquivos com quotas habilitadas.
quotaoff -vaug-u ou -g, somente as quotas de usuário são desabilitadas. Se especificar só a opção -g, somente as quotas de grupo são desabilitadas. A mudança para -v apresenta informação de status de verbosidade durante a execução do comando.
quotaon command with the same options.
quotaon -vaug/home, use the following command:
quotaon -vug /home-u ou -g, somente as quotas de usuário são habilitadas. Se especificar só a opção -g, somente as quotas de grupo são habilitadas.
repquota utility. For example, the command repquota /home produces this output:
*** Report for user quotas on device /dev/mapper/VolGroup00-LogVol02
Block grace time: 7days; Inode grace time: 7days
Block limits File limits
User used soft hard grace used soft hard grace
----------------------------------------------------------------------
root -- 36 0 0 4 0 0
kristin -- 540 0 0 125 0 0
testuser -- 440400 500000 550000 37418 0 0-a), use o comando:
repquota -a-- displayed after each user is a quick way to determine whether the block or inode limits have been exceeded. If either soft limit is exceeded, a + appears in place of the corresponding -; the first - represents the block limit, and the second represents the inode limit.
grace columns are normally blank. If a soft limit has been exceeded, the column contains a time specification equal to the amount of time remaining on the grace period. If the grace period has expired, none appears in its place.
quotacheck include:
/etc/cron.daily/ or /etc/cron.weekly/ directory—or schedule one using the crontab -e command—that contains the touch /forcequotacheck command. This creates an empty forcequotacheck file in the root directory, which the system init script looks for at boot time. If it is found, the init script runs quotacheck. Afterward, the init script removes the /forcequotacheck file; thus, scheduling this file to be created periodically with cron ensures that quotacheck is run during the next reboot.
cron.
quotacheck is to (re-)boot the system into single-user mode to prevent the possibility of data corruption in quota files and run:
~]# quotaoff -vaug /<file_system>~]# quotacheck -vaug /<file_system>~]# quotaon -vaug /<file_system>
quotacheck on a machine during a time when no users are logged in, and thus have no open files on the file system being checked. Run the command quotacheck -vaug <file_system> ; this command will fail if quotacheck cannot remount the given <file_system> as read-only. Note that, following the check, the file system will be remounted read-write.
quotacheck on a live file system mounted read-write is not recommended due to the possibility of quota file corruption.
cron.
acl package is required to implement ACLs. It contains the utilities used to add, modify, remove, and retrieve ACL information.
cp and mv commands copy or move any ACLs associated with files and directories.
mount -t ext3 -o acl <device-name> <partition>mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work/etc/fstab file, the entry for the partition can include the acl option:
LABEL=/work /work ext3 acl 1 2
--with-acl-support. Não são necessárias bandeiras especiais ao acessar ou montar uma partilha do Samba.
no_acl option in the /etc/exports file. To disable ACLs on an NFS share when mounting it on a client, mount it with the no_acl option via the command line or the /etc/fstab file.
setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:
setfacl -m <rules> <files><rules>) must be specified in the following formats. Multiple rules can be specified in the same command if they are separated by commas.
u:<uid>:<perms>g:<gid>:<perms>m:<perms>o:<perms><perms>) must be a combination of the characters r, w, and x for read, write, and execute.
setfacl command is used, the additional rules are added to the existing ACL or the existing rule is modified.
setfacl -m u:andrius:rw /project/somefile-x option and do not specify any permissions:
setfacl -x <rules> <files>setfacl -x u:500 /project/somefiled: before the rule and specify a directory instead of a file name.
/share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
setfacl -m d:o:rx /sharegetfacl command. In the example below, the getfacl is used to determine the existing ACLs for a file.
getfacl home/john/picture.png# file: home/john/picture.png # owner: john # group: john user::rw- group::r-- other::r--
[john@main /]$ getfacl home/sales/
# file: home/sales/
# owner: john
# group: john
user::rw-
user:barryg:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:john:rwx
default:group::r-x
default:mask::rwx
default:other::r-xtar and dump commands do not backup ACLs.
star utility is similar to the tar utility in that it can be used to generate archives of files; however, some of its options are different. Refer to Tabela 9.1, “Command Line Options for star” for a listing of more commonly used options. For all available options, refer to the star man page. The star package is required to use this utility.
star| Opção | Descrição |
|---|---|
-c
| Cria um arquivo de documentação. |
-n
|
Não extrai os arquivos; use juntamente a -x para exibir o que a extração dos arquivos faz.
|
-r
| Substitui arquivos na documentação. Os arquivos são gravados no fim do arquivo de documentação, substituindo todos os arquivos com a mesma localidade e nome. |
-t
| Exibe o conteúdo do arquivo de documentação. |
-u
| Atualiza o arquivo de documentação. Estes arquivos são gravados no fim da documentação, caso já não existam na documentação ou se os arquivos são mais novos que aqueles com o mesmo nome na documentação. Esta opção funciona somente se a documentação é um arquivo ou uma fita com blocos de tamanhos diferentes que pode ser acessada em qualquer ponto. |
-x
|
Extrai arquivos da documentação. Se usado com -U e um arquivo da documentação for mais antigo que o correspondente no sistema de arquivo, o arquivo não é extraído.
|
-help
| Exibe as opções mais importantes. |
-xhelp
| Exibe as opções menos importantes. |
-/
| Não remova as barras iniciais dos nomes de arquivos ao extraí-los de uma documentação. Por default, elas são removidas quando os arquivos são extraídos. |
-acl
| Ao criar ou extrair, documentar ou armazenar todas as ACLs associadas a arquivos e diretórios. |
ext_attr attribute. This attribute can be seen using the following command:
tune2fs -l <filesystem-device>ext_attr attribute can be mounted with older kernels, but those kernels do not enforce any ACLs which have been set.
e2fsck utility included in version 1.22 and higher of the e2fsprogs package (including the versions in Red Hat Enterprise Linux 2.1 and 4) can check a file system with the ext_attr attribute. Older versions refuse to check it.
acl man page — Description of ACLs
getfacl man page — Discusses how to get file access control lists
setfacl man page — Explains how to set file access control lists
star man page — Explains more about the star utility and its many options
/boot partition. The /boot partition cannot be on a logical volume group because the boot loader cannot read it. If the root (/) partition is on a logical volume, create a separate /boot partition which is not a part of a volume group.
/home and / and file system types, such as ext2 or ext3. When "partitions" reach their full capacity, free space from the volume group can be added to the logical volume to increase the size of the partition. When a new hard drive is added to the system, it can be added to the volume group, and partitions that are logical volumes can be increased in size.
system-config-lvm utility to create your own LVM configuration post-installation. The next two sections focus on using Disk Druid during installation to complete this task. The third section introduces the LVM utility (system-config-lvm) which allows you to manage your LVM volumes in X windows or graphically.
/dev/sda and /dev/sdb) are used in the following examples. They detail how to create a simple configuration using a single LVM volume group with associated logical volumes during installation.
/boot partition resides on its own non-LVM partition. In the following example, it is the first partition on the first drive (/dev/sda1). Bootable partitions cannot reside on LVM logical volumes.
VolGroup00) is created, which spans all selected drives and all remaining space available. In the following example, the remainder of the first drive (/dev/sda2), and the entire second drive (/dev/sdb1) are allocated to the volume group.
LogVol00 and LogVol01) are created from the newly created spanned volume group. In the following example, the recommended swap space is automatically calculated and assigned to LogVol01, and the remainder is allocated to the root file system, LogVol00.
/home or /var, so that each file system has its own independent quota configuration limits.
/boot Partition
/boot partition cannot reside on an LVM volume because the GRUB boot loader cannot read it.
/boot Partition Displayed
/boot Partition Displayed
/, /home, and swap space. Remember that /boot cannot be a logical volume. To add a logical volume, click the button in the Logical Volumes section. A dialog window as shown in Figura 10.10, “Creating a Logical Volume” appears.
system-config-lvmsystem-config-lvm from a terminal.
/boot - (Ext3) file system. Displayed under 'Uninitialized Entities'. (DO NOT initialize this partition). LogVol00 - (LVM) contains the (/) directory (312 extents). LogVol02 - (LVM) contains the (/home) directory (128 extents). LogVol03 - (LVM) swap (28 extents).
/dev/hda2 while /boot was created in /dev/hda1. The system also consists of 'Uninitialized Entities' which are illustrated in Figura 10.17, “Uninitialized Entities”. The figure below illustrates the main window in the LVM utility. The logical and the physical views of the above configuration are illustrated below. The three logical volumes exist on the same physical volume (hda2).
/ (root) directory, this task will not be successful as the volume cannot be unmounted.
/boot. Uninitialized entities are illustrated below.
/dev/hda6 was selected as illustrated below.
/mnt/backups. This is illustrated in the figure below.
rpm -qd lvm2 — This command shows all the documentation available from the lvm package, including man pages.
lvm help — This command shows all LVM commands available.
Índice
rpm package. For the end user, RPM makes system updates easy. Installing, uninstalling, and upgrading RPM packages can be accomplished with short commands. RPM maintains a database of installed packages and their files, so you can invoke powerful queries and verifications on your system. If you prefer a graphical interface, you can use the Package Management Tool to perform many RPM commands. Refer to Capítulo 12, Package Management Tool for details.
.tar.gz files.
rpm --help or man rpm. You can also refer to Seção 11.5, “Recursos Adicionais” for more information on RPM.
foo-1.0-1.i386.rpm. The file name includes the package name (foo), version (1.0), release (1), and architecture (i386). To install a package, log in as root and type the following command at a shell prompt:
rpm -ivh foo-1.0-1.i386.rpmrpm -Uvh foo-1.0-1.i386.rpmPreparing... ########################################### [100%] 1:foo ########################################### [100%]
error: V3 DSA signature: BAD, key ID 0352860f
error: Header V3 DSA signature: BAD, key ID 0352860f
NOKEY such as:
warning: V3 DSA signature: NOKEY, key ID 0352860f
rpm -ivh instead. Refer to Capítulo 42, Atualizando o Kernel Manualmente for details.
Preparing... ########################################### [100%] package foo-1.0-1 is already installed
--replacepkgs option, which tells RPM to ignore the error:
rpm -ivh --replacepkgs foo-1.0-1.i386.rpmPreparing... ########################################### [100%] file /usr/bin/foo from install of foo-1.0-1 conflicts with file from package bar-2.0.20
--replacefiles option:
rpm -ivh --replacefiles foo-1.0-1.i386.rpmerror: Failed dependencies:
bar.so.2 is needed by foo-1.0-1
Suggested resolutions:
bar-2.0.20-3.i386.rpmrpm -ivh foo-1.0-1.i386.rpm bar-2.0.20-3.i386.rpmPreparing... ########################################### [100%] 1:foo ########################################### [ 50%] 2:bar ########################################### [100%]
-q --whatprovides option combination to determine which package contains the required file.
rpm -q --whatprovides bar.so.2--nodeps.
rpm -e foofoo, not the name of the original package file foo-1.0-1.i386.rpm. To uninstall a package, replace foo with the actual package name of the original package.
error: Failed dependencies: foo is needed by (installed) bar-2.0.20-3.i386.rpm
--nodeps.
rpm -Uvh foo-2.0-1.i386.rpmfoo package. Note that -U will also install a package even when there are no previous versions of the package installed.
-U para instalar pacotes do kernel porque o RPM substitui o pacote do kernel anterior. Isso não afeta um sistema rodando, mas se o novo kernel não for capaz de inicializar durante sua próxima reinicialização, não haverá outro kernel para inicializar.
-i option adds the kernel to your GRUB boot menu (/etc/grub.conf). Similarly, removing an old, unneeded kernel removes the kernel from GRUB.
saving /etc/foo.conf as /etc/foo.conf.rpmsave
package foo-2.0-1 (which is newer than foo-1.0-1) is already installed
--oldpackage option:
rpm -Uvh --oldpackage foo-1.0-1.i386.rpmrpm -Fvh foo-1.2-1.i386.rpmrpm -Fvh *.rpm/var/lib/rpm/, e é usado para consultar quais pacotes estão instalados, quais são suas versões e quaisquer mudanças em arquivos no pacote desde a instalação, entre outros.
-q option. The rpm -q package name command displays the package name, version, and release number of the installed package package name rpm -q foo to query installed package foo might generate the following output:
foo-2.0-1
-q to further refine or qualify your query:
-a — queries all currently installed packages.
-f <filename> — queries the RPM database for which package owns f<filename> . When specifying a file, specify the absolute path of the file (for example, rpm -qf /bin/ls ).
-p <packagefile> — queries the uninstalled package <packagefile> -i displays package information including name, description, release, size, build date, install date, vendor, and other miscellaneous information.
-l displays the list of files that the package contains.
-s displays the state of all the files in the package.
-d displays a list of files marked as documentation (man pages, info pages, READMEs, etc.).
-c displays a list of files marked as configuration files. These are the files you edit after installation to adapt and customize the package to your system (for example, sendmail.cf, passwd, inittab, etc.).
-v to the command to display the lists in a familiar ls -l format.
rpm -V verifies a package. You can use any of the Verify Options listed for querying to specify the packages you wish to verify. A simple use of verifying is rpm -V foo, which verifies that all the files in the foo package are as they were when they were originally installed. For example:
rpm -Vf /usr/bin/foo/usr/bin/foo é o caminho completo para o arquivo usado para consultar um pacote.
rpm -Varpm -Vp foo-1.0-1.i386.rpmc denotes a configuration file) and then the file name. Each of the eight characters denotes the result of a comparison of one attribute of the file to the value of that attribute recorded in the RPM database. A single period (.) means the test passed. The following characters denote specific discrepancies:
5 — MD5 checksum
S — file size
L — symbolic link
T — file modification time
D — device
U — user
G — group
M — mode (includes permissions and file type)
? — unreadable file
<rpm-file> pelo nome do arquivo do pacote RPM):
rpm -K --nosignature <rpm-file><rpm-file>: md5 OK-K with -Kvv in the command.
x.
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-releaserpm -qa gpg-pubkey*gpg-pubkey-37017186-45761324
rpm -qi followed by the output from the previous command:
rpm -qi gpg-pubkey-37017186-45761324<rpm-file> pelo nome do arquivo do pacote RPM):
rpm -K <rpm-file>md5 gpg OK. This means that the signature of the package has been verified, and that it is not corrupt.
rpm -Varpm -qf /usr/bin/ggvggv-2.6.0-2
/usr/bin/paste. You would like to verify the package that owns that program, but you do not know which package owns paste. Enter the following command,
rpm -Vf /usr/bin/pasterpm -qdf /usr/bin/free/usr/share/doc/procps-3.2.3/BUGS /usr/share/doc/procps-3.2.3/FAQ /usr/share/doc/procps-3.2.3/NEWS /usr/share/doc/procps-3.2.3/TODO /usr/share/man/man1/free.1.gz /usr/share/man/man1/pgrep.1.gz /usr/share/man/man1/pkill.1.gz /usr/share/man/man1/pmap.1.gz /usr/share/man/man1/ps.1.gz /usr/share/man/man1/skill.1.gz /usr/share/man/man1/slabtop.1.gz /usr/share/man/man1/snice.1.gz /usr/share/man/man1/tload.1.gz /usr/share/man/man1/top.1.gz /usr/share/man/man1/uptime.1.gz /usr/share/man/man1/w.1.gz /usr/share/man/man1/watch.1.gz /usr/share/man/man5/sysctl.conf.5.gz /usr/share/man/man8/sysctl.8.gz /usr/share/man/man8/vmstat.8.gz
rpm -qip crontabs-1.10-7.noarch.rpmName : crontabs Relocations: (not relocatable) Version : 1.10 Vendor: Red Hat, Inc. Release : 7 Build Date: Mon 20 Sep 2004 05:58:10 PM EDT Install Date: (not installed) Build Host: tweety.build.redhat.com Group : System Environment/Base Source RPM: crontabs-1.10-7.src.rpm Size : 1004 License: Public Domain Signature : DSA/SHA1, Wed 05 Jan 2005 06:05:25 PM EST, Key ID 219180cddb42a60e Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Summary : Root crontab files used to schedule the execution of programs. Description : The crontabs package contains root crontab files. Crontab is the program used to install, uninstall, or list the tables used to drive the cron daemon. The cron daemon checks the crontab files to see when particular commands are scheduled to be executed. If commands are scheduled, then it executes them.
crontabs RPM installs. You would enter the following:
rpm -qlp crontabs-1.10-5.noarch.rpm/etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab /usr/bin/run-parts
rpm --help — This command displays a quick reference of RPM parameters.
man rpm — The RPM man page gives more detail about RPM parameters than the rpm --help command.
rpm command does.
rpm -e --nodeps or rpm -U --nodeps can.
system-config-packages or pirut at shell prompt.
).
) appears beside its checkbox. This indicates that the package is queued for download and installation. You can select multiple packages to download and install; once you have made your selection, click the button.
). This indicates that the package is queued for removal; you can also select multiple packages to be removed at the same time. Once you have selected the packages you want to remove, click the button.
yum searches numerous repositories for packages and their dependencies so they may be installed together in an effort to alleviate dependency issues. Red Hat Enterprise Linux 5.8 uses yum to fetch packages and install RPMs.
up2date is now deprecated in favor of yum (Yellowdog Updater Modified). The entire stack of tools which installs and updates software in Red Hat Enterprise Linux 5.8 is now based on yum. This includes everything, from the initial installation via Anaconda to host software management tools like pirut.
yum also allows system administrators to configure a local (i.e. available over a local network) repository to supplement packages provided by Red Hat. This is useful for user groups that use applications and packages that are not officially supported by Red Hat.
yum repository also saves bandwidth for the entire network. Further, clients that use local yum repositories do not need to be registered individually to install or update the latest packages from Red Hat Network.
createrepo package:
~]# yum install createrepo/mnt/local_repo for example).
createrepo on that directory (for example, createrepo /mnt/local_repo). This will create the necessary metadata for your Yum repository.
yum Commandsyum commands are typically run as yum <command> <package name/s> . By default, yum will automatically attempt to check all configured repositories to resolve all package dependencies during an installation/upgrade.
yum commands. For a complete list of available yum commands, refer to man yum.
yum install <package name/s> yum update <package name/s> yum will attempt to update all installed packages.
--obsoletes option is used (i.e. yum --obsoletes <package name/s> , yum will process obsolete packages. As such, packages that are obsoleted across updates will be removed and replaced accordingly.
yum check-update yum returns a list of all package updates from all repositories if any are available.
yum remove <package name/s> yum provides <file name> yum search <keyword> yum localinstall <absolute path to package name/s> yum to install a package located locally in the machine.
yum Optionsyum options are typically stated before specific yum commands; i.e. yum <options> <command> <package name/s> . Most of these options can be set as default using the configuration file.
yum options. For a complete list of available yum options, refer to man yum.
-y -t yum to be "tolerant" of errors with regard to packages specified in the transaction. For example, if you run yum update package1 package2 and package2 is already installed, yum will continue to install package1.
--exclude=<package name> yum yum is configured through /etc/yum.conf. The following is an example of a typical /etc/yum.conf file:
[main] cachedir=/var/cache/yum keepcache=0 debuglevel=2 logfile=/var/log/yum.log distroverpkg=redhat-release tolerant=1 exactarch=1 obsoletes=1 gpgcheck=1 plugins=1 metadata_expire=1800 [myrepo] name=RHEL 5 $releasever - $basearch baseurl=http://local/path/to/yum/repository/ enabled=1
/etc/yum.conf file is made up of two types of sections: a [main] section, and a repository section. There can only be one [main] section, but you can specify multiple repositories in a single /etc/yum.conf.
[main] Options[main] section is mandatory, and there must only be one. For a complete list of options you can use in the [main] section, refer to man yum.conf.
[main] section.
cachedir yum should store its cache and database files. By default, the cache directory of yum is /var/cache/yum.
keepcache=<1 or 0> keepcache=1 instructs yum to keep the cache of headers and packages after a successful installation. keepcache=1 is the default.
reposdir=<absolute path to directory of .repo files> .repo files are located. .repo files contain repository information (similar to the [repository] section of /etc/yum.conf).
yum collects all repository information from .repo files and the [repository] section of the /etc/yum.conf file to create a master list of repositories to use for each transaction. Refer to Seção 13.4.2, “ [repository] Options” for more information about options you can use for both the [repository] section and .repo files.
reposdir is not set, yum uses the default directory /etc/yum.repos.d.
gpgcheck=<1 or 0> gpgcheck=0, which disables GPG checking.
[main] section of the /etc/yum.conf file, it sets the GPG checking rule for all repositories. However, you can also set this on individual repositories instead; i.e., you can enable GPG checking on one repository while disabling it on another.
assumeyes=<1 or 0> yum should prompt for confirmation of critical actions. The default if assumeyes=0, which means yum will prompt you for confirmation.
assumeyes=1 is set, yum behaves in the same way that the command line option -y does.
tolerant=<1 or 0> tolerant=1), yum will be tolerant of errors on the command line with regard to packages. This is similar to the yum command line option -t.
tolerant=0 (not tolerant).
exclude=<package name/s> retries=<number of retries> yum should attempt to retrieve a file before returning an error. Setting this to 0 makes yum retry forever. The default value is 6.
[repository] Options[repository] section of the /etc/yum.conf file contains information about a repository yum can use to find packages during package installation, updating and dependency resolution. A repository entry takes the following form:
[repository ID] name=repository namebaseurl=url, file or ftp://path to repository
.repo files (for example, rhel5.repo). The format of repository information placed in .repo files is identical with the [repository] of /etc/yum.conf.
.repo files are typically placed in /etc/yum.repos.d, unless you specify a different repository path in the [main] section of /etc/yum.conf with reposdir=. .repo files and the /etc/yum.conf file can contain multiple repository entries.
repository ID]name=repository name baseurl=http, file or ftp://path repodatadirectory of a repository is located. If the repository is local to the machine, use baseurl=file://path to local repository . If the repository is located online using HTTP, use baseurl=http://link . If the repository is online and uses FTP, use baseurl=ftp://link .
baseurl line by prepending it as username:password@link. For example, if a repository on http://www.example.com/repo/ requires a username of "user" and a password os "password", then the baseurl link can be specified as baseurl=http://user:password@www.example.com/repo/.
man yum.conf.
gpgcheck=<1 or 0> gpgcheck=0, which disables GPG checking.
gpgkey=URL yum needs a public key to verify a package and the required key was not imported into the RPM database.
yum will automatically import the key from the specified URL. You will be prompted before the key is installed unless you set assumeyes=1 (in the [main] section of /etc/yum.conf) or -y (in a yum transaction).
exclude=<package name/s> exclude option in the [main] section of /etc/yum.conf. However, it only applies to the repository in which it is specified.
includepkgs=<package name/s> exclude. When this option is set on a repository, yum will only be able to see the specified packages in that repository. By default, all packages in a repository are visible to yum.
yum Variablesyum commands and yum configuration files (i.e. /etc/yum.conf and .repo files).
$releasever distroverpkg. This defaults to the version of the redhat-release package.
$arch os.uname() in Python.
$basearch $arch=i686 then $basearch=i386.
$YUM0-9 yum to unit content delivery with subscription management. The Subscription Manager handles only the subscription-system associations. yum or other package management tools handle the actual content delivery. Capítulo 13, YUM (Yellowdog Updater Modified) describes how to use yum.
yum plug-ins that come with the Subscription Manager tools.
root because of the nature of the changes to the system. However, Red Hat Subscription Manager connects to the subscription service as a user account for the Customer Service Portal.
firstboot process for configuring content and updates, but the system can be registered at any time through the Red Hat Subscription Manager GUI or CLI. New subscriptions, new products, and updates can be viewed and applied to a system through the Red Hat Subscription Manager tools.
yum service through the Red Hat Subscription Manager yum plug-in.
yum.
root.
[root@server1 ~]# subscription-manager-gui
subscription-manager tool. This tools has the following format:
[root@server1 ~]# subscription-manager command [options]subscription-manager help and manpage have more information.
| Command | Description |
|---|---|
| register | Registers or identifies a new system to the subscription service. |
| unregister | Unregisters a machine, which strips its subscriptions and removes the machine from the subscription service. |
| subscribe | Allocates a specific subscription to the machine. |
| redeem | Autosubscribes a machine to a pre-specified subscription that was purchased from a vendor, based on its hardware and BIOS information. |
| refresh |
Pulls the latest entitlement data from the server. Normally, the system polls the entitlement server at a set interval (4 hours by default) to check for any changes in the available subscriptions. The refresh command checks with the entitlement server right then, outside the normal interval.
|
| unsubscribe | Removes a specific subscription or all subscriptions from the machine. |
| list | Lists all of the subscriptions that are compatible with a machine, either subscriptions that are actually consumed by the machine or unused subscriptions that are available to the machine. |
| identity | Handles the identity certificate and registration ID for a system. This command can be used to return the current UUID or generate a new identity certificate. |
| facts | Lists the system information, like the release version, number of CPUs, and other architecture information. |
| clean |
Removes all of the subscription and identity data from the local system, without affecting the consumer information in the subscription service. Any of the subscriptions consumed by the system are still consumed and are not available for other systems to use. The clean command is useful in cases where the local entitlement information is corrupted or lost somehow, and the system will be reregistered using the register --consumerid=EXISTING_ID command.
|
| orgs, repos, environments | Lists all of the configured organizations, environments, and content repositories that are available to the given user account or system. These commands are used to view information in a multi-org infrastructure. They are not used to configure the local machine or multi-org infrastructure. |
libvirt-rhsm, checks VMWare, KVM, and Xen processes and then relays that information to Subscription Manager and any configured subscription service (Certificate-based Red Hat Network or a local Subscription Asset Manager). Each guest machine on a host is assigned a guest ID, and that guest ID is both associated with the host and used to generate the identity certificate for the guest when it is registered.
system type of consumer.
system, meaning that each individual server subscribes to its own entitlements for its own use. There is another type of consumer, though, which is available for server groups, the domain type. domain-based entitlements are not allocated to a single system; they are distributed across the group of servers to govern the behavior of that group of servers. (That server group is called a domain.)
system consumer and added to the inventory individually.
domain entitlements apply to the behavior of the entire server group, not to any one system.
domain entitlements using the Red Hat Subscription Manager tools, and the entitlement certificate is replicated between the domain servers.
subscription-manager-gui
rhsm.conf configuration file points to the local subscription service (in the hostname parameter) and the local content server (in the baseurl parameter). The Subscription Manager configuration is described in Seção 14.14, “Configuring the Subscription Service”.
subscription-manager-gui
.zip file. Save the file to some kind of portable media, like a flash drive.
certificates.zip file. Unzip the directories until the PEM files for the entitlement certificates are available.
import command. For example:
# subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem Successfully imported certificate 596576341785244687.pem Successfully imported certificate 3195996649750311162.pem
cert.pem file directly into the /etc/pki/consumer directory. For example:
cp /tmp/downloads/cert.pem /etc/pki/consumer
register command with the user account information required to authenticate to the Certificate-Based Red Hat Network (the credentials used to access subscription service or the Customer Portal). When the system is successfully authenticated, it echoes back the newly-assigned consumer ID and the user account name which registered it.
register options are listed in Tabela 14.2, “register Options”.
[root@server1 ~]# subscription-manager register --username admin-example --password secret
7d133d55-876f-4f47-83eb-0ee931cb0a97 admin-example (the new consumer UUID and the account used for registration)--org option in addition to the username and password. The given user must also have the access permissions to add systems to that organization. (See Seção 14.12, “Working with Subscription Asset Manager” for information about organizations and Subscription Asset Manager.)
[root@server1 ~]# subscription-manager register --username admin-example --password secret--org="IT Department"7d133d55-876f-4f47-83eb-0ee931cb0a97 admin-example(the new consumer UUID and the account used for registration)
[root@server1 ~]# subscription-manager register --username admin-example --password secret --org="IT Department" --environment=Dev1,ITallregister command returns a Remote Server error.
register command has an option, --autosubscribe, which allows the system to be registered to the subscription service and immediately subscribed to the subscription which best matches its architecture in a single step.
[root@server1 ~]# subscription-manager register --username admin-example --password secret --autosubscribe--activationkey option.
--org option, but in multi-org environments, the --org option is required. The organization is not defined as part of the activation key. See Seção 14.12, “Working with Subscription Asset Manager” for information about activation keys and Subscription Asset Manager.
# subscription-manager register --activationkey=1234abcd --org="IT Dept"| Options | Description | Required |
|---|---|---|
| --username=name | Gives the content server user account name. | Required |
| --password=password | Gives the password for the user account. | Required |
| --org=name | Gives the organization to which to join the system. | Required, except for hosted environments |
| --environment=name | Registers the consumer to an environment within an organization. | Optional |
| --name=machine_name | Sets the name of the consumer (machine) to register. This defaults to be the same as the hostname. | Optional |
| --autosubscribe | Automatically subscribes this system to the best-matched compatible subscription. This is good for automated setup operations, since the system can be configured in a single step. | Optional |
| --activation_key | Applies existing subscriptions as part of the registration process. The subscriptions are pre-assigned by a vendor or by a systems administrator using Subscription Asset Manager. | Optional |
| --force | Registers the system even if it is already registered. Normally, any register operations will fail if the machine is already registered. | Optional |
unregister command. This removes the system's entry from the subscription service, unsubscribes it from any subscriptions, and, locally, deletes its identity and entitlement certificates.
unregister.
[root@server1 ~]# subscription-manager unregister
register command. This command passes the original UUID for a system to issue a request to the subscription service to receive a new certificate using the same UUID. This essentially renews its previous registration.
register command uses the original ID to identify itself to the subscription service and restore its previous subscriptions.
[root@server1 ~]# subscription-manager register --username admin-example --password secret --consumerid=7d133d55-876f-4f47-83eb-0ee931cb0a97
| Options | Description | Required |
|---|---|---|
| --consumerid | Gives the consumer UUID used by an existing consumer. The system's consumer entry must exist in the Red Hat subscription service for the reregister operation to succeed. | Required |
| --username=name | Gives the content server user account name. | Optional |
| --password=password | Gives the password for the user account. | Optional |
rhn-migrate-classic-to-rhsm
install-num-migrate-to-rhsm
[root@server ~]# yum install subscription-manager-migration subscription-manager-migration-datarhn-migrate-classic-to-rhsm script.
rhn-migrate-classic-to-rhsm script has this syntax:
rhn-migrate-classic-to-rhsm [--force|--cli-only|--help|--no-auto]
[root@server ~]# subscription-manager facts --list | grep migr migration.classic_system_id: 09876 migration.migrated_from: rhn_hosted_classic
rhn-migrate-classic-to-rhsm tool migrates the system profile and then opens the Subscription Manager GUI so that administrators can assign subscriptions to the system.
[root@server ~]# rhn-migrate-classic-to-rhsm RHN Username: jsmith@example.com Password:
Retrieving existing RHN classic subscription information ... +----------------------------------+ System is currently subscribed to: +----------------------------------+ rhel-i386-client-5
/etc/pki/product directory.
List of channels for which certs are being copied rhel-i386-client-5 Product Certificates copied successfully to /etc/pki/product !!
Preparing to unregister system from RHN classic ... System successfully unregistered from RHN Classic.
Attempting to register system to Certificate-based RHN ... The system has been registered with id: abcd1234 System server.example.com successfully registered to Certificate-based RHN. Launching the GUI tool to manually subscribe the system ...
rhn-migrate-classic-to-rhsm can automatically subscribe the system to matching subscriptions.
--cli-only option tells the rhn-migrate-classic-to-rhsm to register the system with the autosubscribe option, so all of the migration process occurs in the command line.
[root@server ~]# rhn-migrate-classic-to-rhsm --cli-only RHN Username: jsmith@example.com Password: .... Attempting to auto-subscribe to appropriate subscriptions ... Installed Product Current Status: ProductName: Red Hat Enterprise Linux Desktop Status: Subscribed Please visit https://access.redhat.com/management/consumers/abcd1234 to view the details, and to make changes if necessary.
rhn-migrate-classic-to-rhsm tool can be used simply to unregister a system from RHN Classic. This still copies over the product certificates for the classic channels to configure the system in the style of certificate-based subscriptions, but it does not register the machine with subscription service.
--no-auto option.
[root@server ~]# rhn-migrate-classic-to-rhsm --no-auto RHN Username: jsmith@example.com Password: Retrieving existing RHN classic subscription information ... +----------------------------------+ System is currently subscribed to: +----------------------------------+ rhel-i386-client-5 List of channels for which certs are being copied rhel-i386-client-5 Product Certificates copied successfully to /etc/pki/product !! Preparing to unregister system from RHN classic ... System successfully unregistered from RHN Classic.
rhn-migrate-classic-to-rhsm uses the information in /etc/sysconfig/rhn/systemid to get the previous registration information and map channels to certificates. If a system is disconnected, it may not have a systemid file.
/etc/sysconfig/rhn/install-num file.
[root@server ~]# python /usr/lib/python2.4/site-packages/instnum.py da3122afdb7edd23 Product: RHEL Client Type: Installer Only Options: Eval FullProd Workstation Allowed CPU Sockets: Unlimited Allowed Virtual Instances: Unlimited Package Repositories: Client Workstation key: 14299426 "da3122" checksum: 175 "af" options: 4416 "Eval FullProd Workstation" socklimit: -1 "Unlimited" virtlimit: -1 "Unlimited" type: 2 "Installer Only" product: 1 "client" {"Workstation": "Workstation", "Base": "Client"}
install-num-migrate-to-rhsm script identifies the channels that a disconnected system is subscribed to and then copies in the appropriate product certificates. Simply run the command:
[root@server ~]# install-num-migrate-to-rhsm/etc/pki/product directory.
[root@server ~]# subscription-manager facts --list | grep migr migration.migrated_from: install_number
/usr/share/rhsm/product/RHEL-5/channel-cert-mapping.txt) uses simple keys to map the values:
channel_name:product_name-hash-product_cert.pem
rhel-i386-client-workstation-5: Client-Workstation-i386-b0d4c042-6e31-45a9-bd94-ff0b82e43b1a-71.pem
.pem and the product certificate is copied into the /etc/pki/product directory. For the rhel-i386-client-workstation-5, this migrates to the 71.pem product certificate (the last two digits of the mapping).
jbappplatform-4.3.0-fp-i386-server-5-rpm: none
subscription-manager-gui
subscription-manager-gui
--pool option.
[root@server1 ~]# subscription-manager subscribe --pool=XYZ01234567
subscribe command are listed in Tabela 14.4, “subscribe Options”.
list command:
[root@server1 ~]# subscription-manager list --available
+-------------------------------------------+
Available Subscriptions
+-------------------------------------------+
ProductName: RHEL for Physical Servers
ProductId: MKT-rhel-server
PoolId: ff8080812bc382e3012bc3845ca000cb
Quantity: 10
Expires: 2011-09-20--auto option (which is analogous to the --autosubscribe option with the register command).
[root@server1 ~]# subscription-manager subscribe --auto
| Options | Description | Required |
|---|---|---|
| --pool=pool-id | Gives the ID for the subscription to subscribe the machine to. |
Required, unless --auto is used
|
| --auto | Automatically subscribes the system to the best-match subscription or subscriptions. | Optional |
| --quantity | Subscribes multiple counts of an entitlement to the system. This is used to cover subscriptions that define a count limit, like using two 2-socket server subscriptions to cover a 4-socket machine. | Optional |
unsubscribe command with the --all unsubscribes the system from every product and subscription pool it is currently subscribed to.
[root@server1 ~]# subscription-manager unsubscribe --all
unsubscribe command to remove only that product subscription.
cert.pem file or by using the list command. For example:
[root@server1 ~]# subscription-manager list --consumed
+-------------------------------------------+
Consumed Product Subscriptions
+-------------------------------------------+
ProductName: High availability (cluster suite)
ContractNumber: 0
SerialNumber: 11287514358600162
Active: True
Begins: 2010-09-18
Expires: 2011-11-18--serial option to specify the certificate.
[root@server1 ~]# subscription-manager unsubscribe --serial=11287514358600162
--quantity option. The quantity taken applies to the product in the --pool option:
[root@server1 ~]# subscription-manager subscribe --pool=XYZ01234567 --quantity=2
.zip file. Save the file to some kind of portable media, like a flash drive.
certificates.zip file. Unzip the directories until the PEM files for the subscription certificates are available.
import command:
# subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem Successfully imported certificate 596576341785244687.pem Successfully imported certificate 3195996649750311162.pem
subscription-manager-gui
.pem file of the product certificate.
subscription-manager-gui
redeem command, with an email address to send the redemption email to when the process is complete.
# subscription-manager redeem --email=jsmith@example.com# subscription-manager redeem --email=jsmith@example.com --org="IT Dept"
list command to display different areas of the subscriptions and products on the system.
| Option | Description |
|---|---|
| --installed (or nothing) |
Lists all of the installed and subscribed product on the system. If no option is given with list, it is the same as using the --installed argument.
|
| --consumed | Lists all of the subscriptions allocated to the system. |
| --available [--all] |
Using --available alone lists all of the compatible, active subscriptions for the system. Using --available --all lists all options, even ones not compatible with the system or with no more available quantities.
|
| --ondate=YYYY-MM-DD |
Shows subscriptions which are active and available on the specified date. This is only used with the --available option. If this is not used, then the command uses the current date.
|
| --installed | Lists all of the products that are installed on the system (and whether they have a subscription) and it lists all of the product subscriptions which are assigned to the system (and whether those products are installed). |
list command shows all of the subscriptions that are currently allocated to the system by using the --consumed option.
[root@server1 ~]# subscription-manager list --consumed
+-------------------------------------------+
Consumed Product Subscriptions
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux Server
ContractNumber: 1458961
SerialNumber: 171286550006020205
Active: True
Begins: 2009-01-01
Expires: 2011-12-31list command shows all of the subscriptions that are compatible with and available to the system using the --available option. To include every subscription the organization has — both the ones that are compatible with the system and others for other platforms — use the --all option with the --available. The --ondate option shows only subscriptions which are active on that date, based on their activation and expiry dates.
[root@server1 ~]# subscription-manager list --available --all
+-------------------------------------------+
Available Subscriptions
+-------------------------------------------+
ProductName: RHEL for Physical Servers
ProductId: MKT-rhel-server
PoolId: ff8080812bc382e3012bc3845ca000cb
Quantity: 10
Expires: 2011-09-20
ProductName: RHEL Workstation
ProductId: MKT-rhel-workstation-mkt
PoolId: 5e09a31f95885cc4
Quantity: 10
Expires: 2011-09-20
[snip]--installed option correlates the products that are actually installed on the system (and their subscription status) and the products which could be installed on the system based on the assigned subscriptions (and whether those products are installed).
[root@server1 ~]# subscription-manager list --installed
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux
Status: Not Subscribed
Expires:
Subscription:
ContractNumber:
AccountNumber:
ProductName: Awesome OS Server
Status: Not Installed
Expires: 2012-02-20
Subscription: 54129829316535230
ContractNumber: 39
AccountNumber: 12331131231
yum. Subscription Manager has its own yum plug-ins: product-id for subscription-related information for products and subscription-manager which is used for the content repositories.
baseurl parameter of the rhsm.conf file.
[root@server ~]# yum repolist all repo id repo name status rhel-5-server Red Hat Enterprise Linux 5Server - enabled: 1,749 rhel-5-server-beta Red Hat Enterprise Linux 5Server Be enabled: 869 rhel-5-server-optional-rpms Red Hat Enterprise Linux 5Server Op disabled rhel-5-server-supplementary Red Hat Enterprise Linux 5Server Su disabled
rhel-5-server-optional-rpms and rhel-5-server-supplementary, respectively.
yum-config-manager command:
[root@server ~]# yum-config-manager --enable rhel-5-server-optional-rpms
yum. This uses the --enablerepo repo_name option. For example:
# yum install rubygems --enablerepo=rhel-5-server-optional-rpms Loaded plugins:product-id, refresh-packagekit,subscription-managerUpdating Red Hat repositories. ....
yum is described in Capítulo 13, YUM (Yellowdog Updater Modified).
[root@server ~]# subscription-manager list
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux Server
Status: Not Subscribed
Expires:
SerialNumber:
ContractNumber:
AccountNumber:
rhsmcertd. This daemon checks the certificate validity dates daily. If a subscription is within 24 hours of expiring, then Subscription Manager will check for any available compatible subscriptions and automatically re-subscribes the system, much like auto-subscribing during registration.
autoheal parameter to the Subscription Manager configuration.
vim /etc/rhsm/rhsm.conf
[rhsmcertd] area, add the autoheal line, and set the value to true.
[rhsmcertd]
certFrequency = 240
healFrequency = 1440
autoheal = trueconfig command:
[root@server1 ~]# subscription-manager config --rhsmcertd.autoheal=true
healFrequency parameter to zero means that Subscription Manager simply uses the default time setting.
# vim /etc/rhsm/rhsm.conf
[rhsmcertd] section, set the healFrequency parameter to the time, in minutes, to check for changed subscriptions.
[rhsmcertd] certFrequency = 240 healFrequency = 1440
rhsmcertd daemon to reload the configuration.
# service rhsmcertd start
hostname parameter in the [server] area in the rhsm.conf configuration file. The content delivery network URL is configured in the baseurl parameter in the [rhsm] area. These values can be reset using the config command. For example:
[root@server1 ~]# subscription-manager config --server.hostname=sam.example.com --rhsm.baseurl=sam.example.com
config command is covered in Seção 14.14.2, “Using the config Command”.
orgs, environments, and repos commands list the organization, environment, and repository information for the system, depending on the organization and environments it belongs to.
[root@server1 ~]# subscription-manager orgs --username=jsmith --password=secret
+-------------------------------------------+
admin Organizations
+-------------------------------------------+
OrgName: Admin Owner
OrgKey: admin
OrgName: Dev East
OrgKey: deveast
OrgName: Dev West
OrgKey: devwest
[root@server1 ~]# subscription-manager environments --username=jsmith --password=secret --org=admin
+-------------------------------------------+
Environments
+-------------------------------------------+
Name: Locker
Description: None
Name: Dev
Description:
Name: Prod
Description:
[root@server1 ~]# subscription-manager repos --list
+----------------------------------------------------------+
Entitled Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
RepoName: never-enabled-content
RepoId: never-enabled-content
RepoUrl: https://content.example.com/repos/optional
Enabled: 0
RepoName: always-enabled-content
RepoId: always-enabled-content
RepoUrl: https://content.example.com/repos/dev
Enabled: 1
RepoName: content
RepoId: content-label
RepoUrl: https://content.example.com/repos/prod
Enabled: 1.pem file.
https://access.redhat.com/
certificates.zip file. Unzip the directories until the PEM files for the entitlement certificates are available.
import command:
# subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem Successfully imported certificate 596576341785244687.pem Successfully imported certificate 3195996649750311162.pem
refresh command updates all of the subscription information that is available to the consumer. This removes expired subscriptions and adds new subscriptions to the list. This does not subscribe the machine, but it does pull in the newest data for administrators to use.
[root@server1 ~]# subscription-manager refresh
rhsm.conf configuration file. There are other support files that either influence the Red Hat Subscription Manager service or can help administrators better use the Subscription Manager.
| File or Directory | Description |
|---|---|
| /etc/rhsm | The primary Red Hat Subscription Manager configuration directory. |
| /etc/rhsm/rhsm.conf | The Red Hat Subscription Manager configuration file. This is used by both the GUI and the CLI. |
| /etc/rhsm/facts |
Any user-defined JSON files that override or add system facts to determine entitlement compatibility. Any facts files must end in .facts.
|
| /var/lib/rhsm/cache/installed_products.json | A master list of installed products, which is sent by Subscription Manager to a hosted content service, such as Subscription Asset Manager. |
| /var/lib/rhsm/facts/facts.facts | The default system facts filed, gathered by the Subscription Manager. |
| /var/lib/rhsm/packages/ | The package profile cache (a list of installed products) which is gathered and periodically updated by the Subscription Manager. |
| /var/log/rhsm | The Red Hat Subscription Manager log directory. |
| /var/log/rhsm/rhsm.log | The log for the Red Hat Subscription Manager tools. |
| /var/log/rhsm/rhsmcertd.log |
The log for the Red Hat Subscription Manager daemon, rhsmcertd.
|
| /etc/pki/consumer | The directory which contains the identity certificates used by the system to identify itself to the subscription service. |
| /etc/pki/consumer/cert.pem | The base-64 consumer identity certificate file. |
| /etc/pki/consumer/key.pem | The base-64 consumer identity key file. |
| /etc/pki/entitlement | The directory which contains the entitlement certificates for the available subscriptions. |
/etc/pki/product/product_serial#.pem
| The product certificates for installed software products. |
| /var/run/subsys/rhsm | Runtime files for Red Hat Subscription Manager |
| /etc/init.d/rhsmcertd | The subscription certificate daemon. |
| /etc/cron.daily/rhsm-complianced and /usr/libexec/rhsm-complianced | Files to run daily checks and notifications for subscription validity. |
| /etc/yum/pluginconf.d/rhsmplugin.conf |
The configuration file to include the Red Hat Subscription Manager plug-in in the yum configuration.
|
| /usr/share/rhsm | All of the Python and script files used by both Red Hat Subscription Manager tool to perform subscription tasks. |
| /usr/share/rhsm/gui | All of the Python script and image files used to render the Red Hat Subscription Manager GUI. |
rhsm.conf. This file configures several important aspects of how Red Hat Subscription Manager interacts with both entitlements and content services:
rhsm.conf file is divided into three sections. Two major sections defined the subscription service ([server]) and content and product delivery ([rhsm]). The third section relates to the rhsmcertd daemon. Each assertion is a simple attribute= value pair. Any of the default values can be edited; all possible attributes are present and active in the default rhsm.conf file.
# Red Hat Subscription Manager Configuration File: # Unified Entitlement Platform Configuration [server] # Server hostname: hostname = subscription.rhn.redhat.com # Server prefix: prefix = /subscription # Server port: port = 443 # Set to 1 to disable certificate validation: insecure = 0 # Set the depth of certs which should be checked # when validating a certificate ssl_verify_depth = 3 # Server CA certificate location: ca_cert_dir = /etc/rhsm/ca/ # an http proxy server to use proxy_hostname = # port for http proxy server proxy_port = # user name for authenticating to an http proxy, if needed proxy_user = # password for basic http proxy auth, if needed proxy_password = [rhsm] # Content base URL: baseurl= https://cdn.redhat.com # Default CA cert to use when generating yum repo configs: repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem # Where the certificates should be stored productCertDir = /etc/pki/product entitlementCertDir = /etc/pki/entitlement consumerCertDir = /etc/pki/consumer [rhsmcertd] # Frequency of certificate refresh (in minutes): certFrequency = 240 # Frequency of autoheal check (1440 min = 1 day): healFrequency = 1440
| Parameter | Description | Default Value |
|---|---|---|
| [server] Parameters | ||
| hostname | Gives the IP address or fully-qualified domain name of the subscription service. | subscription.rhn.redhat.com |
| prefix | Gives the directory, in the URL, to use to connect to the subscription service. | /subscription |
| port | Gives the port to use to connect to the subscription service. | 443 |
| insecure | Sets whether to use a secure (0) or insecure (1) connection for connections between the Subscription Manager clients and the subscription service. | 0 |
| ssl_verify_depth | Sets how far back in the certificate chain to verify the certificate. | 3 |
| proxy_hostname | Gives the hostname of the proxy server. This is required. | |
| proxy_port | Gives the port of the proxy server. This is required. | |
| proxy_user | Gives the user account to use to access the proxy server. This may not be required, depending on the proxy server configuration. | |
| proxy_password | Gives the password credentials to access the proxy server. This may not be required, depending on the proxy server configuration. | |
| ca_cert_dir | Gives the location for the CA certificate for the CA which issued the subscription service's certificates. This allows the client to identify and trust the subscription service for authentication for establishing an SSL connection. | /etc/rhsm/ca |
| [rhsm] Parameters | ||
| baseurl | Gives the full URL to access the content delivery system. | https://cdn.redhat.com |
| repo_ca_cert | Identifies the default CA certificate to use to set the yum repo configuration. | %(ca_cert_dir)sredhat-uep.pem |
| showIncompatiblePools |
Sets whether to display subscription pools which are not compatible with the system's architecture but which have been purchased by an organization. By default, Subscription Manager only displays subscriptions which are compatible with, and therefore available to, the system.
This parameter only applies to the Subscription Manager GUI. Incompatible subscriptions can be displayed in the CLI by using the
--all option with the list command.
| 0 |
| productCertDir | Sets the root directory where the product certificates are stored and can be accessed by Subscription Manager. | /etc/pki/product |
| consumerCertDir | Sets the directory where the identity certificate for the system is stored and can be accessed by Subscription Manager. | /etc/pki/consumer |
| entitlementCertDir | Sets the directory where the entitlement certificates for the system are stored and can be accessed by Subscription Manager. Each subscription has its own entitlement certificate. | /etc/pki/entitlement |
| [rhsmcertd] Parameters | ||
| certFrequency | Sets the interval, in minutes, to check and update entitlement certificates used by Subscription Manager. | 240 |
| healFrequency | Sets the interval, in minutes, to check for change subscriptions and installed products and to allocate subscriptions, as necessary, to maintain subscription status for all products. | 240 |
subscription-manager has a subcommand that can change the rhsm.conf configuration file. Almost all of the connection information used by Subscription Manager to access the subscription server, content server, and any proxies is set in the configuration file, as well as general configuration parameters like the frequency Subscription Manager checks for entitlements updates. There are major divisions in the rhsm.conf file, such as [server] which is used to configure the subscription server. When changing the Subscription Manager configuration, the settings are identified with the format section.parameter and then the new value. For example:
server.hostname=newsubscription.example.com
config command:
[root@server1 ~]# subscription-manager config --section.parameter=newValue
[root@server1 ~]# subscription-manager config --server.hostname=subscription.example.com
rhsm.conf file parameters are listed in Tabela 14.7, “rhsm.conf Parameters”. This is most commonly used to change connection settings:
config command also has a --remove option. This deletes the the current value for the parameter without supplying a new parameter. A blank value tells Subscription Manager to use any default values that are set for that parameter rather than a user-defined value. For example:
[root@server1 ~]# subscription-manager config --remove=rhsm.certFrequency The default value for rhsm.certFrequency will now be used.
[root@server1 ~]# subscription-manager config --remove=server.proxy You have removed the value in section server for parameter proxy.
subscription-manager-gui
rhsm.conf file; this is the same as configuring it in the Subscription Manager GUI. The proxy configuration is stored and used for every connection between the subscription service and the local system.
vim /etc/rhsm/rhsm.conf
[server] section that relate to the HTTP proxy. All parameters are described in Tabela 14.7, “rhsm.conf Parameters”. There are four parameters directly related to the proxy:
proxy_hostname for the IP address or fully-qualified domain name of the proxy server; this is required.
proxy_hostname argument blank means that no HTTP proxy is used.
proxy_port for the proxy server port.
proxy_user for the user account to connect to the proxy; this may not be required, depending on the proxy server's configuration.
proxy_password for the password for the user account to connect to the proxy; this may not be required, depending on the proxy server's configuration.
[server] # an http proxy server to use proxy_hostname = proxy.example.com # port for http proxy server proxy_port = 443 # user name for authenticating to an http proxy, if needed proxy_user = # password for basic http proxy auth, if needed proxy_password =
subscription-manager.
| Argument | Description | Required for a Proxy Connection? |
|---|---|---|
| --proxy | Gives the proxy server to connect to, in the format hostname:port. | Yes |
| --proxyuser | Gives the username to use to authenticate. This is only required if user authentication is required. | No |
| --proxypass | Gives the password to use with the user account. This is only required if user authentication is required. | No |
subscription-manager operation. For example:
[root@server1 ~]# subscription-manager subscribe --pool=ff8080812bc382e3012bc3845ca000cb --proxy=proxy.example.com:8443 --proxyuser=jsmith --proxypass=secret
rhsm.conf file. The subscription service connection settings are in the [server] section of the configuration file.
vim /etc/rhsm/rhsm.conf
[server] section that relate to the subscription service connection. All parameters are described in Tabela 14.7, “rhsm.conf Parameters”. There are three parameters directly related to the connection:
hostname for the IP address or fully-qualified domain name of the machine
prefix for the subscription service directory
port for the subscription service port
[server] hostname=entitlements.server.example.com prefix=/candlepin port=8443
vim /etc/rhsm/rhsm.conf
baseurl directive in the [rhsm] section. This is the full URL to the service.
[rhsm] # Content base URL: baseurl= http://content.example.com/content
vim /etc/rhsm/rhsm.conf
[server] section that relate to a secure connection. All parameters are described in Tabela 14.7, “rhsm.conf Parameters”. There are three parameters directly related to the connection:
insecure to set whether to use a secure (0) or insecure (1) connection
ca_cert_dir for the directory location for the CA certificate for authentication and verification
port for the subscription service port; this should be an SSL port if a secure connection is required
[server]
port=8443
insecure = 1
ca_cert = /etc/rhsm/carhsmcertd, runs as a service on the system. The daemon, by default, starts with the system, and it can be started, stopped, or checked with the service command.
service rhsmcertd status rhsmcertd (pid 13084) is running...
chkconfig”. When a system reboots, some services can be automatically restarted. chkconfig also defines startup settings for different run levels of the server.
chkconfig. By default, the Red Hat Subscription Manager daemon, rhsmcertd, is configured to run at levels 3, 4, and 5, so that the service is started automatically when the server reboots.
chkconfig. For example, to enable run level 2:
chkconfig --level 2345 rhsmcertd on
rhsmcertd from the start list, change the run level settings off:
chkconfig --level 2345 rhsmcertd off
service and chkconfig settings.
system-config-services package must be installed for the wizard to be available.
rhsmcertd item in the list of services on the left, and then edit the service as desired.
/var/log/rhsm directory:
rhsm.log shows every invocation and result of running the Subscription Manager GUI or CLI
rhsmcertd.log shows every time a new certificate is generated, which happens on a schedule defined by the certFrequency parameter in the rhsm.conf file.
rhsm.log log contains the sequence of every Python call for every operation invoked through the Subscription Manager tools. Each entry has this format:
YYYY-MM-DD HH:MM:SS,process_id [MESSAGE_TYPE] call python_script response
rhsm.log relates to the Python script or function that was called, there can be multiple log entries for a single operation.
2010-10-01 17:27:57,874 [INFO] _request() @connection.py:97 - status code: 200 2010-10-01 17:27:57,875 [INFO] perform() @certlib.py:132 - updated: Total updates: 0 Found (local) serial# [] Expected (UEP) serial# [] Added (new) <NONE> Deleted (rogue): <NONE> Expired (not deleted): <NONE> Expired (deleted): <NONE> 2010-10-01 17:27:57,878 [INFO] __init__() @connection.py:193 - Using certificate authentication: key = /etc/pki/consumer/key.pem, cert = /etc/pki/consumer/cert.pem, ca = /etc/pki/CA/candlepin.pem, insecure = True 2010-10-01 17:27:57,878 [INFO] __init__() @connection.py:196 - Connection Established: host: candlepin1.devlab.phx1.redhat.com, port: 443, handler: /candlepin
rhsmcertd.log file are much simpler. The log only records when the rhsmcertd daemon starts or stops and every time a certificate is updated.
Fri Oct 1 13:27:44 2010: started: interval = 240 minutes Fri Oct 1 13:27:50 2010: certificates updated
--all option:
[root@server1 ~]# subscription-manager list --available --all
rhsm.conf configuration file.
vim /etc/rhsm/rhsm.conf
showIncompatiblePools directive in the [rhsm] section. A value of 0 shows only compatible entitlements.
[rhsm]
# Content base URL:
showIncompatiblePools = 1/etc/redhat-release or /etc/sysconfig. In both the Red Hat Subscription Manager GUI and CLI, the facts are represented as simple attribute: value pairs.
subscription-manager-gui
facts with the --list option.
[root@server1 ~]# subscription-manager facts --list cpu.architecture: i686 cpu.core(s)_per_socket: 4 cpu.cpu(s): 4 cpu.cpu_family: 6 cpu.cpu_mhz: 2000.010 cpu.cpu_op-mode(s): 32-bit, 64-bit cpu.cpu_socket(s): 1 cpu.l1d_cache: 32K cpu.l1i_cache: 32K cpu.l2_cache: 6144K cpu.model: 23 cpu.stepping: 6 cpu.thread(s)_per_core: 1 cpu.vendor_id: GenuineIntel cpu.virtualization: VT-x distribution.id: Santiago distribution.name: Red Hat Enterprise Linux Workstation distribution.version: 5 dmi.baseboard.manufacturer: IBM dmi.baseboard.product_name: Server Blade ... [snip] ...
--update option with the facts command.
[root@server1 ~]# subscription-manager facts --update
/var/lib/rhsm/facts/facts.facts. These facts are stored as attribute: value pairs, in a comma-separated list.
{"fact1": "value1","fact2": "value2"}/etc/rhsm/facts directory. These JSON files can override existing facts or even add new facts to be used by the subscription service.
vim /etc/rhsm/facts/my-example.facts {"uname.machine": "x86","kernel_version": "2.6.32","physical_location": "MTV colo rack 5"}
identity command. Although not required, using the --force option will require the username and password and will cause the Subscription Manager to prompt for the credentials if they are not passed in the command:
[root@server1 ~]# subscription-manager identity --regenerate --force Username: jsmith@example.com Password: Identity certificate has been regenerated.
identity command to return the current UUID. The UUID is the Current identity is value.
[root@server1 ~]# subscription-manager identity Current identity is: 63701087-f625-4519-8ab2-633bb50cb261 name: server1.example.com org name: 6340056 org id: 8a85f981302cbaf201302d89931e059a
list --installed command with the command-line tools.
rhsmcertd, checks the system periodically — once when it is first registered and then when it runs a refresh operation every four hours — to get the most current list of installed products. When the system is registered and then whenever there is a change to the package list, Subscription Manager sends an updated package profile to the subscription service.
/var/lib/rhsm/packages/.
subscription-manager script. Information like the consumer ID or subscription pool ID is pulled up and referenced automatically in the Red Hat Subscription Manager UI, but it has to be entered manually in the command line.
| Information | Description | Operations Used In | Find It In ... |
|---|---|---|---|
| Consumer ID | A unique identifier for each system that is registered to the subscription service. | identity |
The simplest method is to use the identity command to return the current UUID.
[root@server1 ~]# subscription-manager identity Current identity is: 63701087-f625-4519-8ab2-633bb50cb261 name: consumer-1.example.com org name: 6340056 org id: 8a85f981302cbaf201302d89931e059aThe Subject CN element of the identity certificate for the system, /etc/pki/consumer/cert.pem. The UUID can also be returned by using openssl to pretty-print the certificate.
openssl x509 -text -in /etc/pki/consumer/cert.pem Certificate: ... snip ... Subject: CN=7d133d55 876f 4f47 83eb 0ee931cb0a97 |
| Pool ID | An identifier for a specific set of subscriptions. This set is created when subscriptions are purchased. Whenever a system needs to subscribe to a product, it references a pool ID to identify which purchased set of subscriptions to use. | subscribe |
The PoolID value given for a product when listing available subscriptions. For example:
[root@server1 ~]# subscription-manager list --available +----------------------+ Available Subscriptions +----------------------+ ProductName: Red Hat Enterprise Linux, Standard (up to 2 sockets) 3 year ProductId: MCT0346F3 PoolId: ff8080812bc382e3012bc3845ca000cb Quantity: 2 Expires: 2011-02-28 |
| Product certificate serial number | The identification used for a specific, installed product. A certificate with a unique serial number is generated when a product is installed; this serial number is used to identify that specific product installation when managing subscriptions. | unsubscribe |
The SerialNumber line in the product subscription information. This can be returned by running list --consumed.
[root@server1 ~]# subscription-manager list --consumed +-----------------------------+ Consumed Product Subscriptions +-----------------------------+ ProductName: High availability (cluster suite) ContractNumber: 0 SerialNumber: 11287514358600162 .... |
| Product ID | The internal identifier used to identify a type of product. |
The ProductID value given for a product when listing available subscriptions. For example:
[root@server1 ~]# subscription-manager list --available +----------------------+ Available Subscriptions +----------------------+ ProductName: RHEL for Physical Servers ProductId: MKT-rhel-server ... snip ... |
.pem formatted file. This file format stores both keys and certificates in a base-64 blob. For example:
-----BEGIN CERTIFICATE----- MIIDaTCCAtKgAwIBAgICBZYwDQYJKoZIhvcNAQEFBQAwSzEqMCgGA1UEAxMhY2Fu ZGxlcGluMS5kZXZsYWIucGh4MS5yZWRoYXQuY29tMQswCQYDVQQGEwJVUzEQMA4G A1UEBxMHUmFsZWlnaDAeFw0xMDEwMDYxNjMyMDVaFw0xMTEwMDYyMzU5NTlaMC8x LTArBgNVBAMMJDQ4ODFiZDJmLTg2OGItNDM4Yy1hZjk2LThiMWQyODNkYWZmYzCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNyLw6+IMtjY03F7Otxj2GL GTz5VKx1kfWY7q4OD4w+XlBHTkt+2tQV9S+4TFkUZ7XoI80LDL/BONpy/gq5c5cw yKvjv2gjSS/pihgYNXc5zUOIfSj1vb3fHGHOkzdCcZMyWq1z0N/zaLClp/zP/pcM og4NTAg2niNPjFYvkQ+oIl16WmQpefM0y0SY7N7oJd2T8dZjOiuLV2cVZLfwjrwG 9UpkT2J03g+n1ZA9q95ibLD5NVOdTy9+2lfRhdDViZaVoFiQXvg86qBHQ0ieENuF a6bCvGgpTxcBuVXmsnl2+9dnMiwoDqPZp1HB6G2uNmyNe/IvkTOPFJ/ZVbtBTYUC AwEAAaOB8zCB8DARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgSwMHsGA1Ud IwR0MHKAFGiY1N2UtulxcMFy0j6gQGLTyo6CoU+kTTBLMSowKAYDVQQDEyFjYW5k bGVwaW4xLmRldmxhYi5waHgxLnJlZGhhdC5jb20xCzAJBgNVBAYTAlVTMRAwDgYD VQQHEwdSYWxlaWdoggkA1s54sVacN0EwHQYDVR0OBBYEFGbB5fqOzh32g4Wqrwhc /96IupIgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdEQQWMBSkEjAQMQ4wDAYD VQQDDAV4ZW9wczANBgkqhkiG9w0BAQUFAAOBgQANxHRsev4fYfnHO9kYcHo4UeK7 owN+fq92gl76iRHRnhzkPlhWL+uV2tyqGG9zJASOX+qEDOqN5sVAB4iNQTDGiUbK z757igD2hsQ4ewv9Vq3QtnajWnfdaUZH919GgWs09Etg6ucsKwgfx1fqjSRLBbOo lZuvBTYROOX6W2vKXw== -----END CERTIFICATE-----
openssl or pk12util can be used to extract and view information from these certificates, in a pretty-print format. The product- and subscription-related information is extracted and viewable in the Red Hat Subscription Manager GUI or command-line tools.
| Certificate Type | Description | Default Location |
|---|---|---|
| Consumer Identity Certificate | Used to identify the system (consumer) to the subscription service. This contains a unique ID which is assigned to the system when it is registered to the system. The identity certificate itself is generated by the subscription service when the system is registered and then sent to the consumer. | /etc/pki/consumer |
| Entitlement Certificate | Contains a list of products that are available to a system to install, based on the subscriptions that the system has been subscribed to. The entitlement certificate defines the software products, the content delivery location, and validity dates. The presence of an entitlement certificate means that the system has consumed one of the quantities from the subscription. | /etc/pki/entitlement |
| Product Certificate | Contains the information about a product after it has been installed. |
/etc/pki/product/product_serial#.pem
|
| CA Certificate | A certificate for the certificate authority which issued the SSL server certificate used by the subscription service. This must be installed on a system for the system to use SSl to connect to the subscription service. | /etc/rhsm/ca/candlepin-ca.pem |
| Satellite Certificate | An XML-formatted certificate which contains a product list. This is used by local Satellite 5.x systems, not the newer subscription service. |
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1430 (0x596)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=entitlement.server.example.com, C=US, L=Raleigh
Validity
Not Before: Oct 6 16:32:05 2010 GMT
Not After : Oct 6 23:59:59 2011 GMT
Subject: CN=4881bd2f-868b-438c-af96-8b1d283daffc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a3:72:2f:0e:be:20:cb:63:63:4d:c5:ec:eb:71:
8f:61:8b:19:3c:f9:54:ac:75:91:f5:98:ee:ae:0e:
0f:8c:3e:5e:50:47:4e:4b:7e:da:d4:15:f5:2f:b8:
4c:59:14:67:b5:e8:23:cd:0b:0c:bf:c1:38:da:72:
fe:0a:b9:73:97:30:c8:ab:e3:bf:68:23:49:2f:e9:
8a:18:18:35:77:39:cd:43:88:7d:28:f5:bd:bd:df:
1c:61:ce:93:37:42:71:93:32:5a:ad:73:d0:df:f3:
68:b0:a5:a7:fc:cf:fe:97:0c:a2:0e:0d:4c:08:36:
9e:23:4f:8c:56:2f:91:0f:a8:22:5d:7a:5a:64:29:
79:f3:34:cb:44:98:ec:de:e8:25:dd:93:f1:d6:63:
3a:2b:8b:57:67:15:64:b7:f0:8e:bc:06:f5:4a:64:
4f:62:74:de:0f:a7:d5:90:3d:ab:de:62:6c:b0:f9:
35:53:9d:4f:2f:7e:da:57:d1:85:d0:d5:89:96:95:
a0:58:90:5e:f8:3c:ea:a0:47:43:48:9e:10:db:85:
6b:a6:c2:bc:68:29:4f:17:01:b9:55:e6:b2:79:76:
fb:d7:67:32:2c:28:0e:a3:d9:a7:51:c1:e8:6d:ae:
36:6c:8d:7b:f2:2f:91:33:8f:14:9f:d9:55:bb:41:
4d:85
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Authority Key Identifier:
keyid:68:98:D4:DD:94:B6:E9:71:70:C1:72:D2:3E:A0:40:62:D3:CA:8E:82
DirName:/CN=entitlement.server.example.com/C=US/L=Raleigh
serial:D6:CE:78:B1:56:9C:37:41
X509v3 Subject Key Identifier:
66:C1:E5:FA:8E:CE:1D:F6:83:85:AA:AF:08:5C:FF:DE:88:BA:92:20
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Alternative Name:
DirName:/CN=admin-example
Signature Algorithm: sha1WithRSAEncryption
0d:c4:74:6c:7a:fe:1f:61:f9:c7:3b:d9:18:70:7a:38:51:e2:
bb:a3:03:7e:7e:af:76:82:5e:fa:89:11:d1:9e:1c:e4:3e:58:
56:2f:eb:95:da:dc:aa:18:6f:73:24:04:8e:5f:ea:84:0c:ea:
8d:e6:c5:40:07:88:8d:41:30:c6:89:46:ca:cf:be:7b:8a:00:
f6:86:c4:38:7b:0b:fd:56:ad:d0:b6:76:a3:5a:77:dd:69:46:
47:f7:5f:46:81:6b:34:f4:4b:60:ea:e7:2c:2b:08:1f:c7:57:
ea:8d:24:4b:05:b3:a8:95:9b:af:05:36:11:38:e5:fa:5b:6b:
ca:5f*.pem file stored in the entitlement certificates directory, /etc/pki/entitlement. The name of the *.pem file is a generated numeric identifier that is generated by the subscription service. This ID is an inventory number that is used to associate a subscription quantity with the system in the software inventory.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3c:da:6c:06:90:7f:ff
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=candlepin1.devlab.phx1.redhat.com, C=US, L=Raleigh
Validity
Not Before: Oct 8 17:55:28 2010 GMT
Not After : Oct 2 23:59:59 2011 GMT
Subject: CN=8a878c912b875189012b8cfbc3f2264a
... [snip] ...1.3.6.1.4.1.2312.9.2.product_#.config_#: ..config_value
2 indicates that it is a product entry. product_# is a unique ID which identifies the specific product or variant. config_# relates to the installation information for that product, like its content server or the quantity available.
1.3.6.1.4.1.2312.9. The subsequent numbers identify different subscription areas:
.2. is the product-specific information
.1. is the subscription information
.4. contains the contract information, like its ID number and start and end dates
.5. contains the consumer information, like the consumer ID which installed a product
content repository type
1.3.6.1.4.1.2312.9.2.30393.1:
..yum
product
1.3.6.1.4.1.2312.9.2.30393.1.1:
.HRed Hat Enterprise Linux High Availability (for RHEL Entitlement) (RPMs)
channel name
1.3.6.1.4.1.2312.9.2.30393.1.2:
.Dred-hat-enterprise-linux-high-availability-for-rhel-entitlement-rpms
vendor
1.3.6.1.4.1.2312.9.2.30393.1.5:
..Red Hat
download URL
1.3.6.1.4.1.2312.9.2.30393.1.6:
.Q/content/dist/rhel/entitlement/releases/$releasever/$basearch/highavailability/os
key download URL
1.3.6.1.4.1.2312.9.2.30393.1.7:
.2file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
flex quantity
1.3.6.1.4.1.2312.9.2.30393.1.4:
..0
quantity
1.3.6.1.4.1.2312.9.2.30393.1.3:
..25
repo enabled setting
1.3.6.1.4.1.2312.9.2.30393.1.8:
..1*.pem file stored in the entitlement certificates directory, /etc/pki/product/product_serial#.pem. The name of the *.pem file is a generated numeric identifier that is generated by the subscription service. As with entitlement tracking, the generated ID is an inventory number, used to track installed products and associate them with systems within the subscription service.
<rhn-cert-field name="configuration_area">value</rhn-cert-field>
name argument identifies what entity is being configured. This can be the organization which ordered the subscription (name="owner"), the start and end dates for the entitlement (name="issued" and name="expires"), or the entitlement itself. A system entitlement uses the name argument to set the service being entitled; every content entitlement is set as a name="channel-family" type, with the specific product identified in an additional family argument.
name argument, while the value is between the tags. The last lines of the certificate also set metadata for the subscription, including the version of the Satellite and the signature that signs the XML document (and allows the XML file to be used as a certificate).
<rhn-cert-field name="product">RHN-SATELLITE-001</rhn-cert-field> <rhn-cert-field name="owner">Example Corp</rhn-cert-field> <rhn-cert-field name="issued">2009-04-07 10:18:33</rhn-cert-field> <rhn-cert-field name="expires">2009-11-25 00:00:00</rhn-cert-field> ... [snip] ... <rhn-cert-field name="satellite-version">5.3</rhn-cert-field> <rhn-cert-field name="generation">2</rhn-cert-field> <rhn-cert-signature> -----BEGIN PGP SIGNATURE----- Version: Crypt::OpenPGP 1.03 iQBGBAARAwAGBQJJ22C+AAoJEJ5ynaAAAAkyyZ0An18+4hK5Ozt4HWieFvahsTnF aPcaAJ0e5neOfdDZRLOgDE+Tp/Im3Hc3Rg== =gqP7 -----END PGP SIGNATURE----- </rhn-cert-signature>
name="slot" field lists how many total systems are allowed to use this Satellite certificate to receive content. It is a global quantity.
<rhn-cert-field name="slots">119</rhn-cert-field>
name argument and then setting the quantity as the value within the tags.
<rhn-cert-field name="provisioning-slots">117</rhn-cert-field> <rhn-cert-field name="monitoring-slots">20</rhn-cert-field> <rhn-cert-field name="virtualization_host">67</rhn-cert-field>
rhel-server family, while a specific Virtualization Server subscription provides an additional rhel-server-vt family..
<rhn-cert-field name="channel-families" quantity="95" family="rhel-server"/> <rhn-cert-field name="channel-families" quantity="67" family="rhel-server-vt"/>
rhel-* family, because that refers to the platform the product is supported on. In this example, Red Hat Directory Server is in the rhel-rhdirserv family.
<rhn-cert-field name="channel-families" quantity="3" family="rhel-rhdirserv"/>
<rhn-cert-field name="channel-families" quantity="212" family="rhn-tools"/>
Índice
smb.conf Filehttpdhttpd.conf/etc/openldap/schema/ Directory/etc/sysconfig/network-scripts/ directory. The scripts used to activate and deactivate these network interfaces are also located here. Although the number and type of interface files can differ from system to system, there are three categories of files that exist in this directory:
/etc/hosts 127.0.0.1) as localhost.localdomain. For more information, refer to the hosts man page.
/etc/resolv.conf resolv.conf man page.
/etc/sysconfig/network /etc/sysconfig/network”.
/etc/sysconfig/network-scripts/ifcfg-<interface-name> /etc/sysconfig/networking/ directory is used by the Network Administration Tool (system-config-network) and its contents should not be edited manually. Using only one method for network configuration is strongly encouraged, due to the risk of configuration deletion.
ifcfg-<name> , where <name> refers to the name of the device that the configuration file controls.
ifcfg-eth0, which controls the first Ethernet network interface card or NIC in the system. In a system with multiple NICs, there are multiple ifcfg-eth<X> files (where <X> is a unique number corresponding to a specific interface). Because each device has its own configuration file, an administrator can control how each interface functions individually.
ifcfg-eth0 file for a system using a fixed IP address:
DEVICE=eth0 BOOTPROTO=none ONBOOT=yes NETWORK=10.0.1.0 NETMASK=255.255.255.0 IPADDR=10.0.1.27 USERCTL=no
ifcfg-eth0 file for an interface using DHCP looks different because IP information is provided by the DHCP server:
DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes
system-config-network) is an easy way to make changes to the various network interface configuration files (refer to Capítulo 16, Configuração de Rede for detailed instructions on using this tool).
BONDING_OPTS=<parameters> /etc/sysconfig/network-scripts/ifcfg-bond<N> (see Seção 15.2.3, “Channel Bonding Interfaces”). These parameters are identical to those used for bonding devices in /sys/class/net/<bonding device>/bonding, and the module parameters for the bonding driver as described in bonding Module Directives.
BONDING_OPTS in ifcfg-<name> , do not use /etc/modprobe.conf to specify options for the bonding device.
BOOTPROTO=<protocol> <protocol> none — No boot-time protocol should be used.
bootp — The BOOTP protocol should be used.
dhcp — The DHCP protocol should be used.
BROADCAST=<address> <address> ipcalc.
DEVICE=<name> <name> DHCP_HOSTNAME=<name> <name>DNS{1,2}=<address> <address> /etc/resolv.conf if the PEERDNS directive is set to yes.
ETHTOOL_OPTS=<options> <options> ethtool. For example, if you wanted to force 100Mb, full duplex:
ETHTOOL_OPTS="autoneg off speed 100 duplex full"
ETHTOOL_OPTS to set the interface speed and duplex settings. Custom initscripts run outside of the network init script lead to unpredictable results during a post-boot network service restart.
autoneg off option. This needs to be stated first, as the option entries are order-dependent.
GATEWAY=<address> <address> is the IP address of the network router or gateway device (if any).
HOTPLUG=<answer> <answer> is one of the following:
yes — This device should be activated when it is hot-plugged (this is the default option).
no — This device should not be activated when it is hot-plugged.
HOTPLUG=no option can be used to prevent a channel bonding interface from being activated when a bonding kernel module is loaded.
HWADDR=<MAC-address> <MAC-address> is the hardware address of the Ethernet device in the form AA:BB:CC:DD:EE:FF. This directive must be used in machines containing more than one NIC to ensure that the interfaces are assigned the correct device names regardless of the configured load order for each NIC's module. This directive should not be used in conjunction with MACADDR.
IPADDR=<address> <address> LINKDELAY=<time> <time> is the number of seconds to wait for link negotiation before configuring the device.
MACADDR=<MAC-address> <MAC-address> is the hardware address of the Ethernet device in the form AA:BB:CC:DD:EE:FF. This directive is used to assign a MAC address to an interface, overriding the one assigned to the physical NIC. This directive should not be used in conjunction with HWADDR.
MASTER=<bond-interface> <bond-interface> SLAVE directive.
NETMASK=<mask> <mask> NETWORK=<address> <address> ipcalc.
ONBOOT=<answer> <answer> yes — This device should be activated at boot-time.
no — This device should not be activated at boot-time.
PEERDNS=<answer> <answer> yes — Modify /etc/resolv.conf if the DNS directive is set. If using DHCP, then yes is the default.
no — Do not modify /etc/resolv.conf.
SLAVE=<answer> <answer> yes — This device is controlled by the channel bonding interface specified in the MASTER directive.
no — This device is not controlled by the channel bonding interface specified in the MASTER directive.
MASTER directive.
SRCADDR=<address> <address> USERCTL=<answer> <answer> yes — Non-root users are allowed to control this device.
no — Non-root users are not allowed to control this device.
ifcfg file for a network-to-network IPsec connection for LAN A. The unique name to identify the connection in this example is ipsec1, so the resulting file is named /etc/sysconfig/network-scripts/ifcfg-ipsec1.
TYPE=IPsec
ONBOOT=yes
IKE_METHOD=PSK
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=X.X.X.X
X.X.X.X is the publicly routable IP address of the destination IPsec router.
DST=<address> <address> is the IP address of the IPsec destination host or router. This is used for both host-to-host and network-to-network IPsec configurations.
DSTNET=<network> <network> is the network address of the IPsec destination network. This is only used for network-to-network IPsec configurations.
SRC=<address> <address> is the IP address of the IPsec source host or router. This setting is optional and is only used for host-to-host IPsec configurations.
SRCNET=<network> <network> is the network address of the IPsec source network. This is only used for network-to-network IPsec configurations.
TYPE=<interface-type> <interface-type> is IPSEC. Both applications are part of the ipsec-tools package.
/usr/share/doc/initscripts-<version-number>/sysconfig.txt (replace <version-number> with the version of the initscripts package installed) for configuration parameters.
racoon IKEv1 key management daemon negotiates and configures a set of parameters for IPSec. It can use preshared keys, RSA signatures, or GSS-API. If racoon is used to automatically manage key encryption, the following options are required:
IKE_METHOD=<encryption-method> <encryption-method> is either PSK, X509, or GSSAPI. If PSK is specified, the IKE_PSK parameter must also be set. If X509 is specified, the IKE_CERTFILE parameter must also be set.
IKE_PSK=<shared-key> <shared-key> is the shared, secret value for the PSK (preshared keys) method.
IKE_CERTFILE=<cert-file> <cert-file> is a valid X.509 certificate file for the host.
IKE_PEER_CERTFILE=<cert-file> <cert-file> is a valid X.509 certificate file for the remote host.
IKE_DNSSEC=<answer> <answer> is yes. The racoon daemon retrieves the remote host's X.509 certificate via DNS. If a IKE_PEER_CERTFILE is specified, do not include this parameter.
setkey man page. For more information about racoon, refer to the racoon and racoon.conf man pages.
bonding kernel module and a special network interface called a channel bonding interface. Channel bonding enables two or more network interfaces to act as one, simultaneously increasing the bandwidth and providing redundancy.
/etc/sysconfig/network-scripts/ directory called ifcfg-bond<N> , replacing <N> with the number for the interface, such as 0.
DEVICE= directive must be bond<N> , replacing <N> with the number for the interface.
ifcfg-bond0:
DEVICE=bond0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="<bonding parameters separated by spaces>"MASTER= and SLAVE= directives to their configuration files. The configuration files for each of the channel-bonded interfaces can be nearly identical.
eth0 and eth1 may look like the following example:
DEVICE=eth<N>
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no<N> with the numerical value for the interface.
/etc/modprobe.conf:
alias bond<N> bonding<N> with the number of the interface, such as 0.
/etc/modprobe.conf file. Instead, specify them as a space-separated list in the BONDING_OPTS="<bonding parameters>" directive in the ifcfg-bond<N> interface file.
debug parameter, which cannot be used on a per-device basis, and which should therefore be specified in /etc/modprobe.conf as follows:
options bonding debug=1
ifcfg-<if-name>:<alias-value> naming scheme.
ifcfg-eth0:0 file could be configured to specify DEVICE=eth0:0 and a static IP address of 10.0.0.2, serving as an alias of an Ethernet interface already configured to receive its IP information via DHCP in ifcfg-eth0. Under this configuration, eth0 is bound to a dynamic IP address, but the same physical network card can receive requests via the fixed, 10.0.0.2 IP address.
ifcfg-<if-name>-<clone-name> . While an alias file allows multiple addresses for an existing interface, a clone file is used to specify additional options for an interface. For example, a standard DHCP Ethernet interface called eth0, may look similar to this:
DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp
USERCTL directive is no if it is not specified, users cannot bring this interface up and down. To give users the ability to control the interface, create a clone by copying ifcfg-eth0 to ifcfg-eth0-user and add the following line to ifcfg-eth0-user:
USERCTL=yes
eth0 interface using the /sbin/ifup eth0-user command because the configuration options from ifcfg-eth0 and ifcfg-eth0-user are combined. While this is a very basic example, this method can be used with a variety of options and interfaces.
ifcfg-ppp<X> <X> is a unique number corresponding to a specific interface.
wvdial, the Network Administration Tool or Kppp is used to create a dialup account. It is also possible to create and edit this file manually.
ifcfg-ppp0 file:
DEVICE=ppp0 NAME=test WVDIALSECT=test MODEMPORT=/dev/modem LINESPEED=115200 PAPNAME=test USERCTL=true ONBOOT=no PERSIST=no DEFROUTE=yes PEERDNS=yes DEMAND=no IDLETIMEOUT=600
ifcfg-sl0.
DEFROUTE=<answer> <answer> yes — Set this interface as the default route.
no — Do not set this interface as the default route.
DEMAND=<answer> <answer> yes — This interface allows pppd to initiate a connection when someone attempts to use it.
no — A connection must be manually established for this interface.
IDLETIMEOUT=<value> <value> INITSTRING=<string> <string> LINESPEED=<value> <value> 57600, 38400, 19200, and 9600.
MODEMPORT=<device> <device> MTU=<value> <value> 576 results in fewer packets dropped and a slight improvement to the throughput for a connection.
NAME=<name> <name> PAPNAME=<name> <name> PERSIST=<answer> <answer> yes — This interface should be kept active at all times, even if deactivated after a modem hang up.
no — This interface should not be kept active at all times.
REMIP=<address> <address> WVDIALSECT=<name> <name> /etc/wvdial.conf. This file contains the phone number to be dialed and other important information for the interface.
ifcfg-lo /etc/sysconfig/network-scripts/ifcfg-lo, should never be edited manually. Doing so can prevent the system from operating correctly.
ifcfg-irlan0 ifcfg-plip0 ifcfg-tr0 /etc/sysconfig/network-scripts/ directory: /sbin/ifdown and /sbin/ifup.
ifup and ifdown interface scripts are symbolic links to scripts in the /sbin/ directory. When either of these scripts are called, they require the value of the interface to be specified, such as:
ifup eth0ifup and ifdown interface scripts are the only scripts that the user should use to bring up and take down network interfaces.
/etc/rc.d/init.d/functions and /etc/sysconfig/network-scripts/network-functions. Refer to Seção 15.5, “Network Function Files” for more information.
/etc/sysconfig/network-scripts/ directory:
ifup-aliases ifup-ippp and ifdown-ippp ifup-ipsec and ifdown-ipsec ifup-ipv6 and ifdown-ipv6 ifup-ipx ifup-plip ifup-plusb ifup-post and ifdown-post ifup-ppp and ifdown-ppp ifup-routes ifdown-sit and ifup-sit ifup-sl and ifdown-sl ifup-wireless /etc/sysconfig/network-scripts/ directory can cause interface connections to act irregularly or fail. Only advanced users should modify scripts related to a network interface.
/sbin/service command on the network service (/etc/rc.d/init.d/network), as illustrated the following command:
service network <action><action> can be either start, stop, or restart.
service network statusroute command to display the IP routing table.
/etc/sysconfig/network-scripts/route-interface file. For example, static routes for the eth0 interface would be stored in the /etc/sysconfig/network-scripts/route-eth0 file. The route-interface file has two formats: IP command arguments and network/netmask directives.
default viaX.X.X.Xdevinterface
X.X.X.X is the IP address of the default gateway. The interface is the interface that is connected to, or can reach, the default gateway.
X.X.X.X/XviaX.X.X.Xdevinterface
X.X.X.X/X is the network number and netmask for the static route. X.X.X.X and interface are the IP address and interface for the default gateway respectively. The X.X.X.X address does not have to be the default gateway IP address. In most cases, X.X.X.X will be an IP address in a different subnet, and interface will be the interface that is connected to, or can reach, that subnet. Add as many static routes as required.
route-eth0 file using the IP command arguments format. The default gateway is 192.168.0.1, interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks:
default via 192.168.0.1 dev eth0 10.10.10.0/24 via 192.168.0.1 dev eth0 172.16.1.0/24 via 192.168.0.1 dev eth0
10.10.10.0/24 via 10.10.10.1 dev eth1
ifup command: "RTNETLINK answers: File exists" or 'Error: either "to" is a duplicate, or "X.X.X.X" is a garbage.', where X.X.X.X is the gateway, or a different IP address. These errors can also occur if you have another route to another network using the default gateway. Both of these errors are safe to ignore.
route-interface files. The following is a template for the network/netmask format, with instructions following afterwards:
ADDRESS0=X.X.X.XNETMASK0=X.X.X.XGATEWAY0=X.X.X.X
ADDRESS0=X.X.X.X is the network number for the static route.
NETMASK0=X.X.X.X is the netmask for the network number defined with ADDRESS0=X.X.X.X .
GATEWAY0=X.X.X.X is the default gateway, or an IP address that can be used to reach ADDRESS0=X.X.X.X
route-eth0 file using the network/netmask directives format. The default gateway is 192.168.0.1, interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks. However, as mentioned before, this example is not necessary as the 10.10.10.0/24 and 172.16.1.0/24 networks would use the default gateway anyway:
ADDRESS0=10.10.10.0 NETMASK0=255.255.255.0 GATEWAY0=192.168.0.1 ADDRESS1=172.16.1.0 NETMASK1=255.255.255.0 GATEWAY1=192.168.0.1
ADDRESS0, ADDRESS1, ADDRESS2, and so on.
ADDRESS0=10.10.10.0 NETMASK0=255.255.255.0 GATEWAY0=10.10.10.1
/etc/sysconfig/network-scripts/network-functions file contains the most commonly used IPv4 functions, which are useful to many interface control scripts. These functions include contacting running programs that have requested information about changes in the status of an interface, setting hostnames, finding a gateway device, verifying whether or not a particular device is down, and adding a default route.
/etc/sysconfig/network-scripts/network-functions-ipv6 file exists specifically to hold this information. The functions in this file configure and delete static IPv6 routes, create and remove tunnels, add and remove IPv6 addresses to an interface, and test for the existence of an IPv6 address on an interface.
/usr/share/doc/initscripts-<version>/sysconfig.txt /usr/share/doc/iproute-<version>/ip-cref.ps ip command, which can be used to manipulate routing tables, among other things. Use the ggv or kghostview application to view this file.
/etc/hosts file used to store additional hostnames and IP address combinations.
system-config-network at a shell prompt (for example, in an XTerm or a GNOME terminal). If you type the command, the graphical version is displayed if X is running; otherwise, the text-based version is displayed.
system-config-network-cmd --help as root to view all of the options.
Modem as shown in Figura 16.7, “Modem Device”.
system-config-network for iniciado na máquina local, é provável que você não possa iniciar outro aplicativo X11. Caso isto aconteça, reautentique para uma nova sessão de desktop.
/etc/hosts file. This file contains IP addresses and their corresponding hostnames.
/etc/hosts file before using the name servers (if you are using the default Red Hat Enterprise Linux configuration). If the IP address is listed in the /etc/hosts file, the name servers are not used. If your network contains computers whose IP addresses are not listed in DNS, it is recommended that you add them to the /etc/hosts file.
/etc/hosts file, go to the Hosts tab, click the button on the toolbar, provide the requested information, and click OK. Select > or press Ctrl+S to save the changes to the /etc/hosts file. The network or network services do not need to be restarted since the current version of the file is referred to each time an address is resolved.
localhost entry. Even if the system does not have a network connection or have a network connection running constantly, some programs need to connect to the system via the localhost loopback interface.
/etc/host.conf file. The line order hosts, bind specifies that /etc/hosts takes precedence over the name servers. Changing the line to order bind, hosts configures the system to resolve hostnames and IP addresses using the name servers first. If the IP address cannot be resolved through the name servers, the system then looks for the IP address in the /etc/hosts file.
eth0_office, so that it can be recognized more easily. Once you have finished editing your new profile, make sure to save it by clicking from the menu. If you forget to save after creating a profile, that profile will be lost.
eth0_office in a profile called Office and want to activate the logical device if the profile is selected, uncheck the eth0 device and check the eth0_office device.
eth0.
eth0 to activate in the Office profile only and to activate a PPP (modem) device in the Home profile only. Another example is to have the Common profile activate eth0 and an Away profile activate a PPP device for use while traveling.
netprofile=<profilename> option. For example, if the system uses GRUB as the boot loader and /boot/grub/grub.conf contains:
title Red Hat Enterprise Linux (2.6.9-5.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.9-5.EL.img<profilename> é o nome do perfil a ser ativado no momento da inicialização):
title Red Hat Enterprise Linux (2.6.9-5.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 \
netprofile=<profilename> \ rhgb quiet
initrd /initrd-2.6.9-5.EL.imgsystem-control-network) to select a profile and activate it. The activate profile section only appears in the Network Device Control interface if more than the default Common interface exists.
<profilename> pelo nome do perfil):
system-config-network-cmd --profile <profilename> --activateeth0 —to use a static IP address (DHCP does not work with aliases), go to the Devices tab and click . Select the Ethernet card to configure with an alias, set the static IP address for the alias, and click to create it. Since a device already exists for the Ethernet card, the one just created is the alias, such as eth0:1.
eth0 device. Notice the eth0:1 device — the first alias for eth0. The second alias for eth0 would have the device name eth0:2, and so on. To modify the settings for the device alias, such as whether to activate it at boot time and the alias number, select it from the list and click the button.
/sbin/ifconfig. The output should show the device and the device alias with different IP addresses:
eth0 Link encap:Ethernet HWaddr 00:A0:CC:60:B7:G4 inet addr:192.168.100.5 Bcast:192.168.100.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:161930 errors:1 dropped:0 overruns:0 frame:0 TX packets:244570 errors:0 dropped:0 overruns:0 carrier:0 collisions:475 txqueuelen:100 RX bytes:55075551 (52.5 Mb) TX bytes:178108895 (169.8 Mb) Interrupt:10 Base address:0x9000 eth0:1 Link encap:Ethernet HWaddr 00:A0:CC:60:B7:G4 inet addr:192.168.100.42 Bcast:192.168.100.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:10 Base address:0x9000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:5998 errors:0 dropped:0 overruns:0 frame:0 TX packets:5998 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1627579 (1.5 Mb) TX bytes:1627579 (1.5 Mb)
/tmp/network-config, execute the following command as root:
system-config-network-cmd -e > /tmp/network-configsystem-config-network-cmd -i -c -f /tmp/network-config-i significa importar os dados; a opção -c pede para limpar a configuração existente antes de importar; e a opção -f especifica que o arquivo a importar é o que vem a seguir.
httpd if you are running a Web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
xinetd and the services in the /etc/rc.d/init.d hierarchy (also known as SysV services) can be configured to start or stop using three different applications:
xinetd services can not be started, stopped, or restarted using this program.
chkconfigxinetd services can not be started, stopped, or restarted using this utility.
/etc/rc.d by hand or editing the xinetd configuration files in /etc/xinetd.d.
iptables to configure an IP firewall. If you are a new Linux user, note that iptables may not be the best solution for you. Setting up iptables can be complicated, and is best tackled by experienced Linux system administrators.
iptables is flexibility. For example, if you need a customized solution which provides certain hosts access to certain services, iptables can provide it for you. Refer to Seção 46.8.1, “Netfilter 6 ” and Seção 46.8.3, “Usando IPTables” for more information about iptables.
system-config-securitylevel), which allows you to select the security level for your system, similar to the Firewall Configuration screen in the installation program.
/etc/rc.d/rc<x>.d, where <x> is the number of the runlevel.
/etc/inittab file, which contains a line near the top of the file similar to the following:
id:5:initdefault:
xinetd (as well as any program with built-in support for libwrap) can use TCP wrappers to manage access. xinetd can use the /etc/hosts.allow and /etc/hosts.deny files to configure access to system services. As the names imply, hosts.allow contains a list of rules that allow clients to access the network services controlled by xinetd, and hosts.deny contains rules to deny access. The hosts.allow file takes precedence over the hosts.deny file. Permissions to grant or deny access can be based on individual IP address (or hostnames) or on a pattern of clients. Refer to hosts_access in section 5 of the man pages (man 5 hosts_access) for details.
xinetdxinetd, which is a secure replacement for inetd. The xinetd daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. xinetd can also be used to grant or deny access to particular hosts, provide service access at specific times, limit the rate of incoming connections, limit the load created by connections, and more.
xinetd runs constantly and listens on all ports for the services it manages. When a connection request arrives for one of its managed services, xinetd starts up the appropriate server for that service.
xinetd is /etc/xinetd.conf, but the file only contains a few defaults and an instruction to include the /etc/xinetd.d directory. To enable or disable an xinetd service, edit its configuration file in the /etc/xinetd.d directory. If the disable attribute is set to yes, the service is disabled. If the disable attribute is set to no, the service is enabled. You can edit any of the xinetd configuration files or change its enabled status using the Services Configuration Tool, ntsysv, or chkconfig. For a list of network services controlled by xinetd, review the contents of the /etc/xinetd.d directory with the command ls /etc/xinetd.d.
/etc/rc.d/init.d directory are started at boot time (for runlevels 3, 4, and 5) and which xinetd services are enabled. It also allows you to start, stop, and restart SysV services as well as reload xinetd.
system-config-services at a shell prompt (for example, in an XTerm or a GNOME terminal).
/etc/rc.d/init.d directory as well as the services controlled by xinetd. Click on the name of the service from the list on the left-hand side of the application to display a brief description of that service as well as the status of the service. If the service is not an xinetd service, the status window shows whether the service is currently running. If the service is controlled by xinetd, the status window displays the phrase xinetd service.
xinetd service, the action buttons are disabled because they cannot be started or stopped individually.
xinetd service by checking or unchecking the checkbox next to the service name, you must select > from the pulldown menu (or the button above the tabs) to reload xinetd and immediately enable/disable the xinetd service that you changed. xinetd is also configured to remember the setting. You can enable/disable multiple xinetd services at a time and save the changes when you are finished.
rsync to enable it in runlevel 3 and then save the changes. The rsync service is immediately enabled. The next time xinetd is started, rsync is still enabled.
xinetd services, xinetd is reloaded, and the changes take place immediately. When you save changes to other services, the runlevel is reconfigured, but the changes do not take effect immediately.
xinetd service to start at boot time for the currently selected runlevel, check the box beside the name of the service in the list. After configuring the runlevel, apply the changes by selecting > from the pulldown menu. The runlevel configuration is changed, but the runlevel is not restarted; thus, the changes do not take place immediately.
httpd service from checked to unchecked and then select , the runlevel 3 configuration changes so that httpd is not started at boot time. However, runlevel 3 is not reinitialized, so httpd is still running. Select one of following options at this point:
httpd service — Stop the service by selecting it from the list and clicking the button. A message appears stating that the service was stopped successfully.
telinit x (where x is the runlevel number; in this example, 3.). This option is recommended if you change the Start at Boot value of multiple services and want to activate the changes immediately.
httpd service. You can wait until the system is rebooted for the service to stop. The next time the system is booted, the runlevel is initialized without the httpd service running.
xinetd-managed service on or off. You can also use ntsysv to configure runlevels. By default, only the current runlevel is configured. To configure a different runlevel, specify one or more runlevels with the --level option. For example, the command ntsysv --level 345 configures runlevels 3, 4, and 5.
xinetd are immediately affected by ntsysv. For all other services, changes do not take effect immediately. You must stop or start the individual service with the command service <daemon> stop (where <daemon> is the name of the service you want to stop; for example, httpd). Replace stop with start or restart to start or restart the service.
chkconfigchkconfig command can also be used to activate and deactivate services. The chkconfig --list command displays a list of system services and whether they are started (on) or stopped (off) in runlevels 0-6. At the end of the list is a section for the services managed by xinetd.
chkconfig --list command is used to query a service managed by xinetd, it displays whether the xinetd service is enabled (on) or disabled (off). For example, the command chkconfig --list rsync returns the following output:
rsync on
rsync is enabled as an xinetd service. If xinetd is running, rsync is enabled.
chkconfig --list to query a service in /etc/rc.d, that service's settings for each runlevel are displayed. For example, the command chkconfig --list httpd returns the following output:
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
chkconfig can also be used to configure a service to be started (or not) in a specific runlevel. For example, to turn nscd off in runlevels 3, 4, and 5, use the following command:
chkconfig --level 345 nscd offxinetd are immediately affected by chkconfig. For example, if xinetd is running while rsync is disabled, and the command chkconfig rsync on is executed, then rsync is immediately enabled without having to restart xinetd manually. Changes for other services do not take effect immediately after using chkconfig. You must stop or start the individual service with the command service <daemon> stop (where <daemon> is the name of the service you want to stop; for example, httpd). Replace stop with start or restart to start or restart the service.
ntsysv, chkconfig, xinetd, and xinetd.conf.
man 5 hosts_access — The man page for the format of host access control files (in section 5 of the man pages).
xinetd webpage. It contains sample configuration files and a more detailed list of features.
named in Red Hat Enterprise Linux. You can manage it via the Services Configuration Tool (system-config-service).
bob.sales.example.com
.). In this example, com defines the top level domain for this FQDN. The name example is a sub-domain under com, while sales is a sub-domain under example. The name furthest to the left, bob, identifies a specific machine hostname.
/usr/sbin/named daemon. BIND also includes an administration utility called /usr/sbin/rndc. More information about rndc can be found in Seção 18.4, “Using rndc ”.
/etc/named.conf named daemon
/var/named/ directorynamed working directory which stores zone, statistic, and cache files
bind-chroot package, the BIND service will run in the /var/named/chroot environment. All configuration files will be moved there. As such, named.conf will be located in /var/named/chroot/etc/named.conf, and so on.
caching-nameserver package, the default configuration file is /etc/named.caching-nameserver.conf. To override this default configuration, you can create your own custom configuration file in /etc/named.conf. BIND will use the /etc/named.conf custom file instead of the default configuration file after you restart.
/etc/named.conf named.conf file is a collection of statements using nested options surrounded by opening and closing ellipse characters, { }. Administrators must be careful when editing named.conf to avoid syntax errors as many seemingly minor errors prevent the named service from starting.
named.conf file is organized similar to the following example:
<statement-1>["<statement-1-name>"] [<statement-1-class>] {<option-1>;<option-2>;<option-N>; };<statement-2>["<statement-2-name>"] [<statement-2-class>] {<option-1>;<option-2>;<option-N>; };<statement-N>["<statement-N-name>"] [<statement-N-class>] {<option-1>;<option-2>;<option-N>; };
/etc/named.conf:
acl Statementacl statement (or access control statement) defines groups of hosts which can then be permitted or denied access to the nameserver.
acl statement takes the following form:
acl<acl-name>{<match-element>; [<match-element>; ...] };
<acl-name> with the name of the access control list and replace <match-element> with a semi-colon separated list of IP addresses. Most of the time, an individual IP address or IP network notation (such as 10.0.1.0/24) is used to identify the IP addresses within the acl statement.
any — Matches every IP address
localhost — Matches any IP address in use by the local system
localnets — Matches any IP address on any network to which the local system is connected
none — Matches no IP addresses
options statement), acl statements can be very useful in preventing the misuse of a BIND nameserver.
options statement to define how they are treated by the nameserver:
acl black-hats {
10.0.2.0/24;
192.168.0.0/24;
};
acl red-hats {
10.0.1.0/24;
};
options {
blackhole { black-hats; };
allow-query { red-hats; };
allow-recursion { red-hats; };
};black-hats and red-hats. Hosts in the black-hats list are denied access to the nameserver, while hosts in the red-hats list are given normal access.
include Statementinclude statement allows files to be included in a named.conf file. In this way, sensitive configuration data (such as keys) can be placed in a separate file with restrictive permissions.
include statement takes the following form:
include "<file-name>"<file-name> is replaced with an absolute path to a file.
options Statementoptions statement defines global server configuration options and sets defaults for other statements. It can be used to specify the location of the named working directory, the types of queries allowed, and much more.
options statement takes the following form:
options {
<option>;
[<option>; ...]
};<option> directives are replaced with a valid option.
allow-query allow-recursion allow-query, this option applies to recursive queries. By default, all hosts are allowed to perform recursive queries on the nameserver.
blackhole directory named working directory if different from the default value, /var/named/.
forwarders forward forwarders directive.
first — Specifies that the nameservers listed in the forwarders directive be queried before named attempts to resolve the name itself.
only — Specifies that named does not attempt name resolution itself in the event that queries to nameservers specified in the forwarders directive fail.
listen-on named listens for queries. By default, all interfaces are used.
listen-on directive:
options {
listen-on { 10.0.1.1; };
};10.0.1.1) are accepted.
notify named notifies the slave servers when a zone is updated. It accepts the following options:
yes — Notifies slave servers.
no — Does not notify slave servers.
explicit — Only notifies slave servers specified in an also-notify list within a zone statement.
pid-file named.
root-delegation-only root-delegation-only example specifies an exclude list of TLDs from whom undelegated responses are expected and trusted:
options {
root-delegation-only exclude { "ad"; "ar"; "biz"; "cr"; "cu"; "de"; "dm"; "id";
"lu"; "lv"; "md"; "ms"; "museum"; "name"; "no"; "pa";
"pf"; "se"; "sr"; "to"; "tw"; "us"; "uy"; };
};statistics-file named statistics are saved to the /var/named/named.stats file.
bind.conf man page for more details.
zone Statementzone statement defines the characteristics of a zone, such as the location of its configuration file and zone-specific options. This statement can be used to override the global options statements.
zone statement takes the following form:
zone<zone-name><zone-class>{<zone-options>; [<zone-options>; ...] };
<zone-name> is the name of the zone, <zone-class> is the optional class of the zone, and <zone-options> is a list of options characterizing the zone.
<zone-name> attribute for the zone statement is particularly important. It is the default value assigned for the $ORIGIN directive used within the corresponding zone file located in the /var/named/ directory. The named daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file.
caching-nameserver package, the default configuration file will be in /etc/named.rfc1912.zones.
zone statement defines the namespace for example.com, use example.com as the <zone-name> so it is placed at the end of hostnames within the example.com zone file.
zone statement options include the following:
allow-query allow-transfer allow-update named service.
file named working directory that contains the zone's configuration data.
masters type slave.
notify named notifies the slave servers when a zone is updated. This directive accepts the following options:
yes — Notifies slave servers.
no — Does not notify slave servers.
explicit — Only notifies slave servers specified in an also-notify list within a zone statement.
type delegation-only — Enforces the delegation status of infrastructure zones such as COM, NET, or ORG. Any answer that is received without an explicit or implicit delegation is treated as NXDOMAIN. This option is only applicable in TLDs or root zone files used in recursive or caching implementations.
forward — Forwards all requests for information about this zone to other nameservers.
hint — A special type of zone used to point to the root nameservers which resolve queries when a zone is not otherwise known. No configuration beyond the default is necessary with a hint zone.
master — Designates the nameserver as authoritative for this zone. A zone should be set as the master if the zone's configuration files reside on the system.
slave — Designates the nameserver as a slave server for this zone. Also specifies the IP address of the master nameserver for the zone.
zone-statistics named to keep statistics concerning this zone, writing them to either the default location (/var/named/named.stats) or the file listed in the statistics-file option in the server statement. Refer to Seção 18.2.2, “Other Statement Types” for more information about the server statement.
zone Statements/etc/named.conf file of a master or slave nameserver involves adding, modifying, or deleting zone statements. While these zone statements can contain many options, most nameservers require only a small subset to function efficiently. The following zone statements are very basic examples illustrating a master-slave nameserver relationship.
zone statement for the primary nameserver hosting example.com (192.168.0.1):
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { none; };
};example.com, the type is set to master, and the named service is instructed to read the /var/named/example.com.zone file. It also tells named not to allow any other hosts to update.
zone statement for example.com is slightly different from the previous example. For a slave server, the type is set to slave and in place of the allow-update line is a directive telling named the IP address of the master server.
zone statement for example.com zone:
zone "example.com" {
type slave;
file "example.com.zone";
masters { 192.168.0.1; };
};zone statement configures named on the slave server to query the master server at the 192.168.0.1 IP address for information about the example.com zone. The information that the slave server receives from the master server is saved to the /var/named/example.com.zone file.
named.conf:
controls rndc command to administer the named service.
/etc/named.conf ” to learn more about how the controls statement is structured and what options are available.
key "<key-name>" rndc command. Two options are used with key:
algorithm <algorithm-name> — The type of algorithm used, such as dsa or hmac-md5.
secret "<key-value>" — The encrypted key.
/etc/rndc.conf ” for instructions on how to write a key statement.
logging channel option within the logging statement, a customized type of log can be constructed — with its own file name (file), size limit (size), versioning (version), and level of importance (severity). Once a customized channel is defined, a category option is used to categorize the channel and begin logging when named is restarted.
named logs standard messages to the syslog daemon, which places them in /var/log/messages. This occurs because several standard channels are built into BIND with various severity levels, such as default_syslog (which handles informational logging messages) and default_debug (which specifically handles debugging messages). A default category, called default, uses the built-in channels to do normal logging without any special configuration.
server named should respond to remote nameservers, especially with regard to notifications and zone transfers.
transfer-format option controls whether one resource record is sent with each message (one-answer) or multiple resource records are sent with each message (many-answers). While many-answers is more efficient, only newer BIND nameservers understand it.
trusted-keys view "<view-name>" match-clients option specifies the IP addresses that apply to a particular view. Any options statement may also be used within a view, overriding the global options already configured for named. Most view statements contain multiple zone statements that apply to the match-clients list. The order in which view statements are listed is important, as the first view statement that matches a particular client's IP address is used.
view statement.
named.conf:
// — When placed at the beginning of a line, that line is ignored by named.
# — When placed at the beginning of a line, that line is ignored by named.
/* and */ — When text is enclosed in these tags, the block of text is ignored by named.
named working directory (/var/named/) by default. Each zone file is named according to the file option data in the zone statement, usually in a way that relates to the domain in question and identifies the file as containing zone data, such as example.com.zone.
bind-chroot package, the BIND service will run in the /var/named/chroot environment. All configuration files will be moved there. As such, you can find the zone files in /var/named/chroot/var/named.
;) in zone files.
$) followed by the name of the directive. They usually appear at the top of the zone file.
$INCLUDE named to include another zone file in this zone file at the place where the directive appears. This allows additional zone settings to be stored apart from the main zone file.
$ORIGIN
$ORIGIN example.com.
.) are appended with example.com.
$ORIGIN directive is unnecessary if the zone is specified in /etc/named.conf because the zone name is used as the value for the $ORIGIN directive by default.
$TTL A
<host> IN A <IP-address> <host> value is omitted, then an A record points to a default IP address for the top of the namespace. This system is the target for all non-FQDN requests.
A record examples for the example.com zone file:
server1 IN A 10.0.1.3 IN A 10.0.1.5
example.com are pointed to 10.0.1.3 or 10.0.1.5.
CNAME named that any requests sent to the <alias-name> should point to the host, <real-name>. CNAME records are most commonly used to point to services that use a common naming scheme, such as www for Web servers.
<alias-name> IN CNAME <real-name> A record binds a hostname to an IP address, while a CNAME record points the commonly used www hostname to it.
server1 IN A 10.0.1.5 www IN CNAME server1
MX
IN MX <preference-value> <email-server-name>
<preference-value> allows numerical ranking of the email servers for a namespace, giving preference to some email systems over others. The MX resource record with the lowest <preference-value> is preferred over the others. However, multiple email servers can possess the same value to distribute email traffic evenly among them.
<email-server-name> may be a hostname or FQDN.
IN MX 10 mail.example.com. IN MX 20 mail2.example.com.
mail.example.com email server is preferred to the mail2.example.com email server when receiving email destined for the example.com domain.
NS NS record:
IN NS <nameserver-name>
<nameserver-name> should be an FQDN.
IN NS dns1.example.com. IN NS dns2.example.com.
PTR PTR records are primarily used for reverse name resolution, as they point IP addresses back to a particular name. Refer to Seção 18.3.4, “Reverse Name Resolution Zone Files” for more examples of PTR records in use.
SOA SOA resource record is the first resource record in a zone file.
SOA resource record:
@ IN SOA<primary-name-server><hostmaster-email>(<serial-number><time-to-refresh><time-to-retry><time-to-expire><minimum-TTL>)
@ symbol places the $ORIGIN directive (or the zone's name, if the $ORIGIN directive is not set) as the namespace being defined by this SOA resource record. The hostname of the primary nameserver that is authoritative for this domain is the <primary-name-server> directive, and the email of the person to contact about this namespace is the <hostmaster-email> directive.
<serial-number> directive is a numerical value incremented every time the zone file is altered to indicate it is time for named to reload the zone. The <time-to-refresh> directive is the numerical value slave servers use to determine how long to wait before asking the master nameserver if any changes have been made to the zone. The <serial-number> directive is a numerical value used by the slave servers to determine if it is using outdated zone data and should therefore refresh it.
<time-to-retry> directive is a numerical value used by slave servers to determine the length of time to wait before issuing a refresh request in the event that the master nameserver is not answering. If the master has not replied to a refresh request before the amount of time specified in the <time-to-expire> directive elapses, the slave servers stop responding as an authority for requests concerning that namespace.
<minimum-TTL> directive is the amount of time other nameservers cache the zone's information. However, in BIND 9, the <minimum-TTL> directive defines how long negative answers are cached for. Caching of negative answers can be set to a maximum of 3 hours (3H).
M), hours (H), days (D), and weeks (W). The table in Tabela 18.1, “Seconds compared to other time units” shows an amount of time in seconds and the equivalent time in another format.
| Seconds | Other Time Units |
|---|---|
60
|
1M
|
1800
|
30M
|
3600
|
1H
|
10800
|
3H
|
21600
|
6H
|
43200
|
12H
|
86400
|
1D
|
259200
|
3D
|
604800
|
1W
|
31536000
|
365D
|
SOA resource record might take when it is populated with real values.
@ IN SOA dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day
$ORIGIN example.com. $TTL 86400 @ IN SOA dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day ; ; IN NS dns1.example.com. IN NS dns2.example.com. dns1 IN A 10.0.1.1 IN AAAA aaaa:bbbb::1 dns2 IN A 10.0.1.2 IN AAAA aaaa:bbbb::2 ; ; @ IN MX 10 mail.example.com. IN MX 20 mail2.example.com. mail IN A 10.0.1.5 IN AAAA aaaa:bbbb::5 mail2 IN A 10.0.1.6 IN AAAA aaaa:bbbb::6 ; ; ; This sample zone file illustrates sharing the same IP addresses ; for multiple services: ; services IN A 10.0.1.10 IN AAAA aaaa:bbbb::10 IN A 10.0.1.11 IN AAAA aaaa:bbbb::11 ftp IN CNAME services.example.com. www IN CNAME services.example.com. ; ;
SOA values are used. The authoritative nameservers are set as dns1.example.com and dns2.example.com, which have A records that tie them to 10.0.1.1 and 10.0.1.2, respectively.
MX records point to mail and mail2 via A records. Since the mail and mail2 names do not end in a trailing period (.), the $ORIGIN domain is placed after them, expanding them to mail.example.com and mail2.example.com. Through the related A resource records, their IP addresses can be determined.
www.example.com (WWW), are pointed at the appropriate servers using a CNAME record.
zone statement in the named.conf similar to the following:
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { none; };
};
PTR resource records are used to link the IP addresses to a fully qualified domain name.
PTR record:
<last-IP-digit> IN PTR <FQDN-of-system> <last-IP-digit> is the last number in an IP address which points to a particular system's FQDN.
10.0.1.1 through 10.0.1.6 are pointed to corresponding FQDNs. It can be located in /var/named/example.com.rr.zone.
$ORIGIN 1.0.10.in-addr.arpa. $TTL 86400 @ IN SOA dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day ; @ IN NS dns1.example.com. ; 1 IN PTR dns1.example.com. 2 IN PTR dns2.example.com. ; 5 IN PTR server1.example.com. 6 IN PTR server2.example.com. ; 3 IN PTR ftp.example.com. 4 IN PTR ftp.example.com.
zone statement in the named.conf file similar to the following:
zone "1.0.10.in-addr.arpa" IN {
type master;
file "example.com.rr.zone";
allow-update { none; };
};
zone statement, except for the zone name. Note that a reverse name resolution zone requires the first three blocks of the IP address reversed followed by .in-addr.arpa. This allows the single block of IP numbers used in the reverse name resolution zone file to be associated with the zone.
rndc rndc which allows command line administration of the named daemon from the localhost or a remote host.
named daemon, BIND uses a shared secret key authentication method to grant privileges to hosts. This means an identical key must be present in both /etc/named.conf and the rndc configuration file, /etc/rndc.conf.
bind-chroot package, the BIND service will run in the /var/named/chroot environment. All configuration files will be moved there. As such, the rndc.conf file is located in /var/named/chroot/etc/rndc.conf.
rndc utility does not run in a chroot environment, /etc/rndc.conf is a symlink to /var/named/chroot/etc/rndc.conf.
/etc/named.conf rndc to connect to a named service, there must be a controls statement in the BIND server's /etc/named.conf file.
controls statement, shown in the following example, allows rndc to connect from the localhost.
controls {
inet 127.0.0.1
allow { localhost; } keys { <key-name>; };
};
named to listen on the default TCP port 953 of the loopback address and allow rndc commands coming from the localhost, if the proper key is given. The <key-name> specifies a name in the key statement within the /etc/named.conf file. The next example illustrates a sample key statement.
key "<key-name>" { algorithm hmac-md5; secret "<key-value>"; };
<key-value> uses the HMAC-MD5 algorithm. Use the following command to generate keys using the HMAC-MD5 algorithm:
dnssec-keygen -a hmac-md5 -b <bit-length> -n HOST <key-file-name>
<key-value> area can be found in the <key-file-name> /etc/named.conf is world-readable, it is advisable to place the key statement in a separate file, readable only by root, and then use an include statement to reference it. For example:
include "/etc/rndc.key";
named daemon to other nameservers, the recommended best practice is to change the firewall settings whenever possible.
query-source (and query-source-v6) directive, or one randomly chosen at startup. When a static query source port is used, TXID offers insufficient protection against spoofed replies and allows an attacker to efficiently perform cache-poisoning attacks. To address this issue, BIND was updated to allow the use of a randomly-selected source port for each DNS query, making it more difficult for an attacker to spoof replies, when the query packets cannot be detected. A security update [3] was released for all the affected Red Hat Enterprise Linux versions. Additionally, the default configuration provided by the caching-nameserver package was updated to no longer specify a fixed query source port.
53 as a query source port, and only allow DNS queries from that port on the firewall.
/etc/rndc.conf key is the most important statement in /etc/rndc.conf.
key "<key-name>" { algorithm hmac-md5; secret "<key-value>"; };
<key-name> and <key-value> should be exactly the same as their settings in /etc/named.conf.
/etc/named.conf, add the following lines to /etc/rndc.conf.
options {
default-server localhost;
default-key "<key-name>";
};
rndc configuration file can also specify different keys for different servers, as in the following example:
server localhost {
key "<key-name>";
};
/etc/rndc.conf file.
/etc/rndc.conf file, refer to the rndc.conf man page.
rndc command takes the following form:
rndc <options> <command> <command-options>
rndc on a properly configured localhost, the following commands are available:
halt — Stops the named service immediately.
querylog — Logs all queries made to this nameserver.
refresh — Refreshes the nameserver's database.
reload — Reloads the zone files but keeps all other previously cached responses. This command also allows changes to zone files without losing all stored name resolutions.
reload command.
stats — Dumps the current named statistics to the /var/named/named.stats file.
stop — Stops the server gracefully, saving any dynamic update and Incremental Zone Transfers (IXFR) data before exiting.
/etc/rndc.conf file. The following options are available:
-c <configuration-file> — Specifies the alternate location of a configuration file.
-p <port-number> — Specifies a port number to use for the rndc connection other than the default port 953.
-s <server> — Specifies a server other than the default-server listed in /etc/rndc.conf.
-y <key-name> — Specifies a key other than the default-key option in /etc/rndc.conf.
rndc man page.
named to provide name resolution services or to act as an authority for a particular domain or sub-domain. However, BIND version 9 has a number of advanced features that allow for a more secure and efficient DNS service.
view statement in named.conf, BIND can present different information depending on which network a request originates from.
view statement uses the match-clients option to match IP addresses or entire networks and give them special options and zone data.
A6 zone records.
lwresd lightweight resolver daemon on all network clients. This daemon is a very efficient, caching-only nameserver which understands the new A6 and DNAME records used under IPv6. Refer to the lwresd man page for more information.
/etc/named.conf file.
named to refuse to start.
.) in zone files after all FQDNs and omit them on hostnames.
named appends the name of the zone or the $ORIGIN value to complete it.
named daemon to other nameservers, the recommended best practice is to change the firewall settings whenever possible. For important security information regarding fixed UDP source ports, refer to Seção 18.4.1.1, “Firewall Blocking Communication”
<version-number> with the version of bind installed on the system:
/usr/share/doc/bind-<version-number>/ /usr/share/doc/bind-<version-number>/arm/ /usr/share/doc/bind-<version-number>/draft/ /usr/share/doc/bind-<version-number>/misc/ migration document for specific changes they must make when moving to BIND 9. The options file lists all of the options implemented in BIND 9 that are used in /etc/named.conf.
/usr/share/doc/bind-<version-number>/rfc/ man rndc — Explains the different options available when using the rndc command to control a BIND nameserver.
man named — Explores assorted arguments that can be used to control the BIND nameserver daemon.
man lwresd — Describes the purpose of and options available for the lightweight resolver daemon.
man named.conf — A comprehensive list of options available within the named configuration file.
man rndc.conf — A comprehensive list of options available within the rndc configuration file.
telnet or rsh. A related program called scp replaces older programs designed to copy files between hosts, such as rcp. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log into remote systems decreases the risks for both the client system and the remote host.
openssh) as well as the OpenSSH server (openssh-server) and client (openssh-clients) packages. Note, the OpenSSH packages require the OpenSSL package (openssl) which installs several important cryptographic libraries, enabling OpenSSH to provide encrypted communications.
openssh-server package is required and is dependent on the openssh package.
/etc/ssh/sshd_config. The default configuration file should be sufficient for most purposes. If you want to configure the daemon in ways not provided by the default sshd_config, read the sshd man page for a list of the keywords that can be defined in the configuration file.
/sbin/service sshd start. To stop the OpenSSH server, use the command /sbin/service sshd stop. If you want the daemon to start automatically at boot time, refer to Capítulo 17, Controlando Acesso aos Serviços for information on how to manage services.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed.
/etc/ssh/ssh_host*key* files and restore them after the reinstall. This process retains the system's identity, and when clients try to connect to the system after the reinstall, they will not receive the warning message.
telnet
rsh
rlogin
vsftpd
chkconfig, the ncurses-based program /usr/sbin/ntsysv, or the Services Configuration Tool (system-config-services) graphical application. All of these tools require root level access.
chkconfig, /usr/sbin/ntsysv, and the Services Configuration Tool, refer to Capítulo 17, Controlando Acesso aos Serviços.
ssh, scp, and sftp) and one for the server daemon (sshd).
/etc/ssh/ directory:
moduli — Contains Diffie-Hellman groups used for the Diffie-Hellman key exchange which is critical for constructing a secure transport layer. When keys are exchanged at the beginning of an SSH session, a shared, secret value is created which cannot be determined by either party alone. This value is then used to provide host authentication.
ssh_config — The system-wide default SSH client configuration file. It is overridden if one is also present in the user's home directory (~/.ssh/config).
sshd_config — The configuration file for the sshd daemon.
ssh_host_dsa_key — The DSA private key used by the sshd daemon.
ssh_host_dsa_key.pub — The DSA public key used by the sshd daemon.
ssh_host_key — The RSA private key used by the sshd daemon for version 1 of the SSH protocol.
ssh_host_key.pub — The RSA public key used by the sshd daemon for version 1 of the SSH protocol.
ssh_host_rsa_key — The RSA private key used by the sshd daemon for version 2 of the SSH protocol.
ssh_host_rsa_key.pub — The RSA public key used by the sshd for version 2 of the SSH protocol.
~/.ssh/ directory:
authorized_keys — This file holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file.
id_dsa — Contains the DSA private key of the user.
id_dsa.pub — The DSA public key of the user.
id_rsa — The RSA private key used by ssh for version 2 of the SSH protocol.
id_rsa.pub — The RSA public key used by ssh for version 2 of the SSH protocol
identity — The RSA private key used by ssh for version 1 of the SSH protocol.
identity.pub — The RSA public key used by ssh for version 1 of the SSH protocol.
known_hosts — This file contains DSA host keys of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting the correct SSH server.
known_hosts file using a text editor. Before doing this, however, contact the system administrator of the SSH server to verify the server is not compromised.
ssh_config and sshd_config man pages for information concerning the various directives available in the SSH configuration files.
openssh-clients and openssh packages installed on the client machine.
ssh Commandssh command is a secure replacement for the rlogin, rsh, and telnet commands. It allows you to log in to a remote machine as well as execute commands on a remote machine.
ssh is similar to using telnet. To log in to a remote machine named penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.netssh to a remote machine, you will see a message similar to the following:
The authenticity of host 'penguin.example.net' can't be established. DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c. Are you sure you want to continue connecting (yes/no)?
yes to continue. This will add the server to your list of known hosts (~/.ssh/known_hosts) as seen in the following message:
Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts.
ssh username@penguin.example.netssh -l username penguin.example.net.
ssh command can be used to execute a command on the remote machine without logging in to a shell prompt. The syntax is ssh hostname command. For example, if you want to execute the command ls /usr/share/doc on the remote machine penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.net ls /usr/share/doc/usr/share/doc will be displayed, and you will return to your local shell prompt.
scp Commandscp command can be used to transfer files between machines over a secure, encrypted connection. It is similar to rcp.
scp <localfile> username@tohostname:<remotefile><localfile> specifies the source including path to the file, such as /var/log/maillog. The <remotefile> specifies the destination, which can be a new filename such as /tmp/hostname-maillog. For the remote system, if you do not have a preceding /, the path will be relative to the home directory of username, typically /home/username/.
shadowman to the home directory of your account on penguin.example.net, type the following at a shell prompt (replace username with your username):
scp shadowman username@penguin.example.net:shadowmanshadowman to /home/username/shadowman on penguin.example.net. Alternately, you can leave off the final shadowman in the scp command.
scp username@tohostname:<remotefile> <newlocalfile><arquivoremoto> especifica a fonte incluindo a localidade, e o <novoarquivolocal> especifica o destino com a localidade.
downloads/ to an existing directory called uploads/ on the remote machine penguin.example.net, type the following at a shell prompt:
scp downloads/* username@penguin.example.net:uploads/sftp Commandsftp utility can be used to open a secure, interactive FTP session. It is similar to ftp except that it uses a secure, encrypted connection. The general syntax is sftp username@hostname.com. Once authenticated, you can use a set of commands similar to those used by FTP. Refer to the sftp man page for a list of these commands. To read the man page, execute the command man sftp at a shell prompt. The sftp utility is only available in OpenSSH version 2.5.0p1 and higher.
-Y option and running an X program on a local machine.
ssh -Y <user>@example.comsystem-config-printer &ssh -L local-port:remote-hostname:remote-port username@hostnamemail.example.com using POP3 through an encrypted connection, use the following command:
ssh -L 1100:mail.example.com:110 mail.example.commail.example.com server.
mail.example.com is not running an SSH server, but another machine on the same network is, SSH can still be used to secure part of the connection. However, a slightly different command is necessary:
ssh -L 1100:mail.example.com:110 other.example.comother.example.com. Then, other.example.com connects to port 110 on mail.example.com to check for new mail. Note, when using this technique only the connection between the client system and other.example.com SSH server is secure.
No parameter for the AllowTcpForwarding line in /etc/ssh/sshd_config and restarting the sshd service.
ssh, scp, or sftp to connect to a remote machine, you can generate an authorization key pair.
~/.ssh/authorized_keys2, ~/.ssh/known_hosts2, and /etc/ssh_known_hosts2 are obsolete. SSH Protocol 1 and 2 share the ~/.ssh/authorized_keys, ~/.ssh/known_hosts, and /etc/ssh/ssh_known_hosts files.
.ssh directory in your home directory. After reinstalling, copy this directory back to your home directory. This process can be done for all users on your system, including root.
ssh-keygen -t rsa~/.ssh/id_rsa. Enter a passphrase different from your account password and confirm it by entering it again.
~/.ssh/id_rsa.pub. The private key is written to ~/.ssh/id_rsa. Never distribute your private key to anyone.
.ssh directory using the following command:
chmod 755 ~/.ssh~/.ssh/id_rsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys exist, append the contents of the file ~/.ssh/id_rsa.pub to the file ~/.ssh/authorized_keys on the other machine.
authorized_keys file using the following command:
chmod 644 ~/.ssh/authorized_keysssh-agent with a GUI”. If you are not running the X Window System, skip to Seção 19.7.3.5, “Configuring ssh-agent”.
ssh-keygen -t dsa~/.ssh/id_dsa. Enter a passphrase different from your account password and confirm it by entering it again.
~/.ssh/id_dsa.pub. The private key is written to ~/.ssh/id_dsa. It is important never to give anyone the private key.
.ssh directory with the following command:
chmod 755 ~/.ssh~/.ssh/id_dsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys exist, append the contents of the file ~/.ssh/id_dsa.pub to the file ~/.ssh/authorized_keys on the other machine.
authorized_keys file using the following command:
chmod 644 ~/.ssh/authorized_keysssh-agent with a GUI”. If you are not running the X Window System, skip to Seção 19.7.3.5, “Configuring ssh-agent”.
ssh-keygen -t rsa1~/.ssh/identity). Enter a passphrase different from your account password. Confirm the passphrase by entering it again.
~/.ssh/identity.pub. The private key is written to ~/.ssh/identity. Do not give anyone the private key.
.ssh directory and your key with the commands chmod 755 ~/.ssh and chmod 644 ~/.ssh/identity.pub.
~/.ssh/identity.pub into the file ~/.ssh/authorized_keys on the machine to which you wish to connect. If the file ~/.ssh/authorized_keys does not exist, you can copy the file ~/.ssh/identity.pub to the file ~/.ssh/authorized_keys on the remote machine.
ssh-agent with a GUI”. If you are not running GNOME, skip to Seção 19.7.3.5, “Configuring ssh-agent”.
ssh-agent with a GUIssh-agent utility can be used to save your passphrase so that you do not have to enter it each time you initiate an ssh or scp connection. If you are using GNOME, the gnome-ssh-askpass package contains the application used to prompt you for your passphrase when you log in to GNOME and save it until you log out of GNOME. You will not have to enter your password or passphrase for any ssh or scp connection made during that GNOME session. If you are not using GNOME, refer to Seção 19.7.3.5, “Configuring ssh-agent”.
gnome-ssh-askpass installed; you can use the command rpm -q openssh-askpass to determine if it is installed or not. If it is not installed, install it from your Red Hat Enterprise Linux CD-ROM set, from a Red Hat FTP mirror site, or using Red Hat Network.
/usr/bin/ssh-add in the Startup Command text area. Set it a priority to a number higher than any existing commands to ensure that it is executed last. A good priority number for ssh-add is 70 or higher. The higher the priority number, the lower the priority. If you have other programs listed, this one should have the lowest priority. Click to exit the program.
ssh, scp, or sftp.
ssh-agentssh-agent can be used to store your passphrase so that you do not have to enter it each time you make a ssh or scp connection. If you are not running the X Window System, follow these steps from a shell prompt. If you are running GNOME but you do not want to configure it to prompt you for your passphrase when you log in (refer to Seção 19.7.3.4, “Configuring ssh-agent with a GUI”), this procedure will work in a terminal window, such as an XTerm. If you are running X but not GNOME, this procedure will work in a terminal window. However, your passphrase will only be remembered for that terminal window; it is not a global setting.
exec /usr/bin/ssh-agent $SHELLssh-addssh, scp, sftp, sshd, and ssh-keygen man pages — These man pages include information on how to use these commands as well as all the parameters that can be used with them.
portmap, rpc.lockd, and rpc.statd daemons. NFSv4 listens on the well-known TCP port 2049, which eliminates the need for portmap interaction. The mounting and locking protocols have been incorporated into the V4 protocol which eliminates the need for interaction with rpc.lockd and rpc.statd. The rpc.mountd daemon is still required on the server, but is not involved in any over-the-wire operations.
-p command line option that can set the port, making firewall configuration easier.
/etc/exports, to determine whether the client is allowed to access any of the exported file systems. Once access is granted, all file and directory operations are available to the user.
rpc.nfsd process now allow binding to any specified port during system start up. However, this can be error prone if the port is unavailable or conflicts with another daemon.
portmap service. To share or mount NFS file systems, the following services work together, depending on which version of NFS is implemented:
nfs — (/sbin/service nfs start) starts the NFS server and the appropriate RPC processes to service requests for shared NFS file systems.
nfslock — (/sbin/service nfslock start) is a mandatory service that starts the appropriate RPC processes to allow NFS clients to lock files on the server.
portmap — accepts port reservations from local RPC services. These ports are then made available (or advertised) so the corresponding remote RPC services access them. portmap responds to requests for RPC services and sets up connections to the requested RPC service.
rpc.mountd — This process receives mount requests from NFS clients and verifies the requested file system is currently exported. This process is started automatically by the nfs service and does not require user configuration.
rpc.nfsd — Allows explicit NFS versions and protocols the server advertises to be defined. It works with the Linux kernel to meet the dynamic demands of NFS clients, such as providing server threads each time an NFS client connects. This process corresponds to the nfs service.
rpc.lockd — allows NFS clients to lock files on the server. If rpc.lockd is not started, file locking will fail. rpc.lockd implements the Network Lock Manager (NLM) protocol. This process corresponds to the nfslock service. This is not used with NFSv4.
rpc.statd — This process implements the Network Status Monitor (NSM) RPC protocol which notifies NFS clients when an NFS server is restarted without being gracefully brought down. This process is started automatically by the nfslock service and does not require user configuration. This is not used with NFSv4.
rpc.rquotad — This process provides user quota information for remote users. This process is started automatically by the nfs service and does not require user configuration.
rpc.idmapd — This process provides NFSv4 client and server upcalls which map between on-the-wire NFSv4 names (which are strings in the form of user@domain) and local UIDs and GIDs. For idmapd to function with NFSv4, the /etc/idmapd.conf must be configured. This service is required for use with NFSv4.
mount command. The format of the command is as follows:
mount -t <nfs-type> -o <options> <host>:</remote/export> </local/directory><nfs-type> with either nfs for NFSv2 or NFSv3 servers, or nfs4 for NFSv4 servers. Replace <options> with a comma separated list of options for the NFS file system (refer to Seção 20.4, “Common NFS Mount Options” for details). Replace <host> with the remote host, </remote/export> with the remote directory being mounted, and </local/directory> with the local directory where the remote file system is to be mounted.
mount man page for more details.
mount command, the file system must be remounted manually after the system is rebooted. Red Hat Enterprise Linux offers two methods for mounting remote file systems automatically at boot time: the /etc/fstab file or the autofs service.
/etc/fstab/etc/fstab file. The /etc/fstab file is referenced by the netfs service at boot time, so lines referencing NFS shares have the same effect as manually typing the mount command during the boot process. Each line in this file must state the hostname of the NFS server, the directory on the server being exported, and the directory on the local machine where the NFS share is to be mounted. You must be root to modify the /etc/fstab file.
/etc/fstab is as follows:
<server>:</remote/export> </local/directory> <nfs-type> <options> 0 0<server></remote/export></local/directory><nfs-type>nfs for NFSv2 or NFSv3 servers, or nfs4 for NFSv4 servers. Finally, replace <options> with a comma separated list of options for the NFS file system (see Seção 20.4, “Common NFS Mount Options” for details). Note that the mount point must exist before /etc/fstab is read, otherwise the mount fails.
/etc/fstab line to mount an NFS export:
server:/usr/local/pub /pub nfs defaults 0 0
/etc/fstab on the client system, type the command mount /pub at a shell prompt, and the mount point /pub is mounted from the server. The mount point /pub must exist on the client machine before this command can be executed.
/etc/fstab configuration file and its contents, refer to the fstab manual page.
autofs/etc/fstab is that, regardless of how infrequently a user accesses the NFS mounted file system, the system must dedicate resources to keep the mounted file system in place. This is not a problem with one or two mounts, but when the system is maintaining mounts to many systems at one time, overall system performance can be affected. An alternative to /etc/fstab is to use the kernel-based automount utility. An automounter consists of two components. One is a kernel module that implements a file system, while the other is a user-space daemon that performs all of the other functions. The automount utility can mount and unmount NFS file systems automatically (on demand mounting) therefore saving system resources. The automount utility can be used to mount other file systems including AFS, SMBFS, CIFS and local file systems.
autofs uses /etc/auto.master (master map) as its default primary configuration file. This can be changed to use another supported network source and name using the autofs configuration (in /etc/sysconfig/autofs) in conjunction with the Name Service Switch mechanism. An instance of the version 4 daemon was run for each mount point configured in the master map and so it could be run manually from the command line for any given mount point. This is not possible with version 5 because it uses a single daemon to manage all configured mount points, so all automounts must be configured in the master map. This is in line with the usual requirements of other industry standard automounters. Mount point, hostname, exported directory, and options can all be specified in a set of files (or other supported network sources) rather than configuring them manually for each host. Please ensure that you have the autofs package installed if you wish to use this service.
autofs version 5?/net/<host>" as a multi-mount map entry. When using the "-hosts" map, an 'ls' of "/net/<host>" will mount autofs trigger mounts for each export from <host> and mount and expire them as they are accessed. This can greatly reduce the number of active mounts needed when accessing a server with a large number of exports.
/etc/sysconfig/autofs) provides a mechanism to specify the autofs schema that a site implements, thus precluding the need to determine this via trial and error in the application itself. In addition, authenticated binds to the LDAP server are now supported, using most mechanisms supported by the common LDAP server implementations. A new configuration file has been added for this support: /etc/autofs_ldap_auth.conf. The default configuration file is self-documenting, and uses an XML format.
nsswitch) configuration./- /tmp/auto_dcthon /- /tmp/auto_test3_direct /- /tmp/auto_test4_direct
autofs Configuration/etc/auto.master, also referred to as the master map which may be changed as described in the introduction section above. The master map lists autofs-controlled mount points on the system, and their corresponding configuration files or network sources known as automount maps. The format of the master map is as follows:
<mount-point> <map-name> <options>
mount-point is the autofs mount point such as /home.
map-name is the name of a map source which contains a list of mount points, and the file system location from which those mount points should be mounted. The syntax for a map entry is described below.
options if supplied, will apply to all entries in the given map provided they don't themselves have options specified. This behavior is different from autofs version 4 where the options where cumulative. This has been changed to meet our primary goal of mixed environment compatibility.
/etc/auto.master file:
~]$ cat /etc/auto.master
/home /etc/auto.misc<mount-point> [<options>] <location>
<mount-point> is the autofs mount point. This can be a single directory name for an indirect mount or the full path of the mount point for direct mounts. Each direct and indirect map entry key (<mount-point> above) may be followed by a space separated list of offset directories (sub directory names each beginning with a "/") making them what is known as a mutli-mount entry.
~]$ cat /etc/auto.misc
payroll -fstype=nfs personnel:/dev/hda3
sales -fstype=ext3 :/dev/hda4sales and payroll from the server called personnel). The second column indicates the options for the autofs mount while the third column indicates the source of the mount. Following the above configuration, the autofs mount points will be /home/payroll and /home/sales. The -fstype= option is often omitted and is generally not needed for correct operation.
service autofs startservice autofs restart/home/payroll/2006/July.sxc, the automount daemon automatically mounts the directory. If a timeout is specified, the directory will automatically be unmounted if the directory is not accessed for the timeout period.
/sbin/service/autofs statusautofs Common Tasks/etc/nsswitch.conf file has the following directive:
automount: files nis
auto.master map file contains the following:
/home auto.home
auto.home map contains the following:
beth fileserver.example.com:/export/home/beth joe fileserver.example.com:/export/home/joe * fileserver.example.com:/export/home/&
/etc/auto.home does not exist.
/etc/auto.master map:
/home /etc/auto.home2 +auto.master
/etc/auto.home2 map contains the entry:
* labserver.example.com:/export/home/&
/home will contain the contents of /etc/auto.home2 instead of the NIS auto.home map.
auto.home map with a few entries, create a /etc/auto.home file map, and in it put your new entries and at the end, include the NIS auto.home map. Then the /etc/auto.home file map might look similar to:
mydir someserver:/export/mydir +auto.home
auto.home map listed above, an ls of /home would now give:
~]$ ls /home
beth joe mydirautofs knows not to include the contents of a file map of the same name as the one it is reading and so moves on to the next map source in the nsswitch configuration.
openldap package should be installed automatically as a dependency of the automounter. To configure LDAP access, modify /etc/openldap/ldap.conf. Ensure that BASE and URI are set appropriately for your site. Please also ensure that the schema is set in the configuration.
rfc2307bis. To use this schema it is necessary to set it in the autofs configuration (/etc/sysconfig/autofs) by removing the comment characters from the schema definition. For example:
DEFAULT_MAP_OBJECT_CLASS="automountMap" DEFAULT_ENTRY_OBJECT_CLASS="automount" DEFAULT_MAP_ATTRIBUTE="automountMapName" DEFAULT_ENTRY_ATTRIBUTE="automountKey" DEFAULT_VALUE_ATTRIBUTE="automountInformation"
automountKey replaces the cn attribute in the rfc2307bis schema. An LDIF of a sample configuration is described below:
# extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (&(objectclass=automountMap)(automountMapName=auto.master)) # requesting: ALL # # auto.master, example.com dn: automountMapName=auto.master,dc=example,dc=com objectClass: top objectClass: automountMap automountMapName: auto.master # extended LDIF # # LDAPv3 # base <automountMapName=auto.master,dc=example,dc=com> with scope subtree # filter: (objectclass=automount) # requesting: ALL # # /home, auto.master, example.com dn: automountMapName=auto.master,dc=example,dc=com objectClass: automount cn: /home automountKey: /home automountInformation: auto.home # extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (&(objectclass=automountMap)(automountMapName=auto.home)) # requesting: ALL # # auto.home, example.com dn: automountMapName=auto.home,dc=example,dc=com objectClass: automountMap automountMapName: auto.home # extended LDIF # # LDAPv3 # base <automountMapName=auto.home,dc=example,dc=com> with scope subtree # filter: (objectclass=automount) # requesting: ALL # # foo, auto.home, example.com dn: automountKey=foo,automountMapName=auto.home,dc=example,dc=com objectClass: automount automountKey: foo automountInformation: filer.example.com:/export/foo # /, auto.home, example.com dn: automountKey=/,automountMapName=auto.home,dc=example,dc=com objectClass: automount automountKey: / automountInformation: filer.example.com:/export/&
<mount-point> <maptype1> <mapname1> <options1> -- <maptype2> <mapname2> <options2> -- ...
/home file /etc/auto.home -- nis auto.home/etc/nsswitch.conf must list:
automount: files nis
/etc/auto.master should contain:
/home auto.home
/etc/auto.home should contain:
<entries for the home directory> +auto.home
/etc/auto.home and the nis auto.home map are combined.
/etc/nsswitch.conf. The map is read if it exists and its contents are merged into one large auto.master map.
nsswitch.conf is consulted. If it is desirable to merge the contents of multiple master maps, included maps can be used. Consider the following example:
/etc/nsswitch.conf: automount: files nis
/etc/auto.master: /home /etc/auto.home +auto.master
auto.master and the NIS-based auto.master. However, because included map entries are only allowed in file maps, there is no way to include both an NIS auto.master and an LDAP auto.master.
auto.master.ldap we could also add "+auto.master.ldap" to the file based master map and provided that "ldap" is listed as a source in our nsswitch configuration it would also be included.
mount commands, /etc/fstab settings, and autofs.
hard or soft — Specifies whether the program using a file via an NFS connection should stop and wait (hard) for the server to come back online, if the host serving the exported file system is unavailable, or if it should report an error (soft).
hard is specified, the user cannot terminate the process waiting for the NFS communication to resume unless the intr option is also specified.
soft is specified, the user can set an additional timeo=<value> option, where <value>intr — Allows NFS requests to be interrupted if the server goes down or cannot be reached.
nfsvers=2 or nfsvers=3 — Specifies which version of the NFS protocol to use. This is useful for hosts that run multiple NFS servers. If no version is specified, NFS uses the highest supported version by the kernel and mount command. This option is not supported with NFSv4 and should not be used.
noacl — Turns off all ACL processing. This may be needed when interfacing with older versions of Red Hat Enterprise Linux, Red Hat Linux, or Solaris, since the most recent ACL technology is not compatible with older systems.
nolock — Disables file locking. This setting is occasionally required when connecting to older NFS servers.
noexec — Prevents execution of binaries on mounted file systems. This is useful if the system is mounting a non-Linux file system via NFS containing incompatible binaries.
nosuid — Disables set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program.
port=num — Specifies the numeric value of the NFS server port. If num0 (the default), then mount queries the remote host's portmapper for the port number to use. If the remote host's NFS daemon is not registered with its portmapper, the standard NFS port number of TCP 2049 is used instead.
rsize=num and wsize=num — These settings speed up NFS communication for reads (rsize) and writes (wsize) by setting a larger data block size, in bytes, to be transferred at one time. Be careful when changing these values; some older Linux kernels and network cards do not work well with larger block sizes. For NFSv2 or NFSv3, the default values for both parameters is set to 8192. For NFSv4, the default values for both parameters is set to 32768.
sec=mode — Specifies the type of security to utilize when authenticating an NFS connection.
sec=sys is the default setting, which uses local UNIX UIDs and GIDs by means of AUTH_SYS to authenticate NFS operations.
sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users.
sec=krb5i uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering.
sec=krb5p uses Kerberos V5 for user authentication, integrity checking, and encrypts NFS traffic to prevent traffic sniffing. This is the most secure setting, but it also has the most performance overhead involved.
tcp — Specifies for the NFS mount to use the TCP protocol.
udp — Specifies for the NFS mount to use the UDP protocol.
mount and nfs man pages.
portmap service must be running. To verify that portmap is active, type the following command as root:
service portmap statusportmap service is running, then the nfs service can be started. To start an NFS server, as root type:
service nfs startnfslock also has to be started for both the NFS client and server to function properly. To start NFS locking as root type: /sbin/service nfslock start. If NFS is set to start at boot, please ensure that nfslock also starts by running chkconfig --list nfslock. If nfslock is not set to on, this implies that you will need to manually run the /sbin/service nfslock start each time the computer starts. To set nfslock to automatically start on boot, type the following command in a terminal chkconfig nfslock on.
service nfs stoprestart option is a shorthand way of stopping and then starting NFS. This is the most efficient way to make configuration changes take effect after editing the configuration file for NFS.
service nfs restartcondrestart (conditional restart) option only starts nfs if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
service nfs condrestartservice nfs reloadnfs service does not start automatically at boot time. To configure the NFS to start up at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. Refer to Capítulo 17, Controlando Acesso aos Serviços for more information regarding these tools.
system-config-nfs), manually editing its configuration file (/etc/exports), or using the /usr/sbin/exportfs command.
system-config-nfs in a terminal. The NFS Server Configuration tool window is illustrated below.
/tmp.
insecure.
insecure_locks.
no_subtree_check.
sync. If this is not selected, the async option is used.
no_wdelay.
nohide option on or off. When the nohide option is off, nested directories are revealed. The clients can therefore navigate through a filesystem from the parent without noticing any changes.
mountpoint option which allows a directory to be exported only if it has been mounted.
fsid=X option. This is mainly used in a clustered setup. Using a consistent filesystem ID in all clusters avoids having stale NFS filehandles.
no_root_squash.
all_squash.
anonuid.
anongid.
/etc/exports.bak. The new configuration is written to /etc/exports.
/etc/exports configuration file. Thus, the file can be modified manually after using the tool, and the tool can be used after modifying the file manually (provided the file was modified with correct syntax).
/etc/exports and using the /usr/sbin/exportfs command to export NFS file systems.
/etc/exports file controls what directories the NFS server exports. Its format is as follows:
directoryhostname(options)
sync or async (sync is recommended). If sync is specified, the server does not reply to requests before the changes made by the request are written to the disk.
/misc/export speedy.example.com(sync)
speedy.example.com to mount /misc/export with the default read-only permissions, but,
/misc/export speedy.example.com(rw,sync)
speedy.example.com to mount /misc/export with read/write privileges.
/etc/exports file. If there are no spaces between the hostname and the options in parentheses, the options apply only to the hostname. If there is a space between the hostname and the options, the options apply to the rest of the world. For example, examine the following lines:
/misc/export speedy.example.com(rw,sync) /misc/export speedy.example.com (rw,sync)
speedy.example.com read-write access and denies all other users. The second line grants users from speedy.example.com read-only access (the default) and allows the rest of the world read-write access.
/etc/exports, you must inform the NFS daemon of the change, or reload the configuration file with the following command:
service nfs reload/etc/sysconfig/nfs configuration file to control which ports the required RPC services run on. Refer to and read Seção 30.1.22, “/etc/sysconfig/nfs” for instructions on how to configure a firewall to allow NFS.
*.example.com includes one.example.com but does not include one.two.example.com.
a.b.c.d/z, onde a.b.c.d é a rede e z é o número de bits na máscara de rede (ex.: 192.168.0.0/24). Um outro formato aceitável é a.b.c.d/netmask, onde a.b.c.d é a rede e netmask é a máscara de rede (ex.: 192.168.100.8/255.255.255.0).
@group-name, onde group-name é o nome do grupo de rede NIS.
/etc/exports Configuration File/etc/exports file controls which file systems are exported to remote hosts and specifies options. Blank lines are ignored, comments can be made by starting a line with the hash mark (#), and long lines can be wrapped with a backslash (\). Each exported file system should be on its own individual line, and any lists of authorized hosts placed after an exported file system must be separated by space characters. Options for each of the hosts must be placed in parentheses directly after the host identifier, without any spaces separating the host and the first parenthesis. Valid host types are gss/krb5, gss/krb5i, and gss/krb5p.
<export><host1>(<options>)<hostN>(<options>)...
<export> with the directory being exported, replace <host1> with the host or network to which the export is being shared, and replace <options> with the options for that host or network. Additional hosts can be specified in a space separated list.
* or ? character is used to take into account a grouping of fully qualified domain names that match a particular string of letters. Wildcards should not be used with IP addresses; however, it is possible for them to work accidentally if reverse DNS lookups fail.
*.example.com as a wildcard allows sales.example.com to access an exported file system, but not bob.sales.example.com. To match both possibilities both *.example.com and *.*.example.com must be specified.
192.168.0.0/28 allows the first 16 IP addresses, from 192.168.0.0 to 192.168.0.15, to access the exported file system, but not 192.168.0.16 and higher.
@<group-name>, to be used. This effectively puts the NIS server in charge of access control for this exported file system, where users can be added and removed from an NIS group without affecting /etc/exports.
/etc/exports file only specifies the exported directory and the hosts permitted to access it, as in the following example:
/exported/directory bob.example.com
bob.example.com can mount /exported/directory/. Because no options are specified in this example, the following default NFS options take effect:
ro — Mounts of the exported file system are read-only. Remote hosts are not able to make changes to the data shared on the file system. To allow hosts to make changes to the file system, the read/write (rw) option must be specified.
wdelay — Causes the NFS server to delay writing to the disk if it suspects another write request is imminent. This can improve performance by reducing the number of times the disk must be accessed by separate write commands, reducing write overhead. The no_wdelay option turns off this feature, but is only available when using the sync option.
root_squash — Prevents root users connected remotely from having root privileges and assigns them the user ID for the user nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing unauthorized alteration of files on the remote server. Alternatively, the no_root_squash option turns off root squashing. To squash every remote user, including root, use the all_squash option. To specify the user and group IDs to use with remote users from a particular host, use the anonuid and anongid options, respectively. In this case, a special user account can be created for remote NFS users to share and specify (anonuid=<uid-value>,anongid=<gid-value>), where <uid-value><gid-value>no_acl option when exporting the file system.
rw option is not specified, then the exported file system is shared as read-only. The following is a sample line from /etc/exports which overrides two default options:
/another/exported/directory 192.168.0.3(rw,sync)
192.168.0.3 can mount /another/exported/directory/ read/write and all transfers to disk are committed to the disk before the write request by the client is completed.
exports man page for details on these lesser used options.
/etc/exports file is very precise, particularly in regards to use of the space character. Remember to always separate exported file systems from hosts and hosts from one another with a space character. However, there should be no other space characters in the file except on comment lines.
/home bob.example.com(rw) /home bob.example.com (rw)
bob.example.com read/write access to the /home directory. The second line allows users from bob.example.com to mount the directory as read-only (the default), while the rest of the world can mount it read/write.
exportfs Command/etc/exports file. When the nfs service starts, the /usr/sbin/exportfs command launches and reads this file, passes control to rpc.mountd (if NFSv2 or NFSv3) for the actual mounting process, then to rpc.nfsd where the file systems are then available to remote users.
/usr/sbin/exportfs command allows the root user to selectively export or unexport directories without restarting the NFS service. When given the proper options, the /usr/sbin/exportfs command writes the exported file systems to /var/lib/nfs/xtab. Since rpc.mountd refers to the xtab file when deciding access privileges to a file system, changes to the list of exported file systems take effect immediately.
/usr/sbin/exportfs:
-r — Causes all directories listed in /etc/exports to be exported by constructing a new export list in /etc/lib/nfs/xtab. This option effectively refreshes the export list with any changes that have been made to /etc/exports.
-a — Causes all directories to be exported or unexported, depending on what other options are passed to /usr/sbin/exportfs. If no other options are specified, /usr/sbin/exportfs exports all file systems specified in /etc/exports.
-o file-systems — Specifies directories to be exported that are not listed in /etc/exports. Replace file-systems with additional file systems to be exported. These file systems must be formatted in the same way they are specified in /etc/exports. Refer to Seção 20.7, “The /etc/exports Configuration File” for more information on /etc/exports syntax. This option is often used to test an exported file system before adding it permanently to the list of file systems to be exported.
-i — Ignores /etc/exports; only options given from the command line are used to define exported file systems.
-u — Unexports all shared directories. The command /usr/sbin/exportfs -ua suspends NFS file sharing while keeping all NFS daemons up. To re-enable NFS sharing, type exportfs -r.
-v — Verbose operation, where the file systems being exported or unexported are displayed in greater detail when the exportfs command is executed.
/usr/sbin/exportfs command, it displays a list of currently exported file systems.
/usr/sbin/exportfs command, refer to the exportfs man page.
exportfs with NFSv4exportfs command is used in maintaining the NFS table of exported file systems. When typed in a terminal with no arguments, the exportfs command shows all the exported directories.
MOUNT protocol, which was used with the NFSv2 and NFSv3 protocols, the mounting of file systems has changed.
fsid=0 option.
mkdir /exportsmkdir /exports/optmkdir /exports/etcmount --bind /usr/local/opt /exports/optmount --bind /usr/local/etc /exports/etcexportfs -o fsid=0,insecure,no_subtree_check gss/krb5p:/exportsexportfs -o rw,nohide,insecure,no_subtree_check gss/krb5p:/exports/optexportfs -o rw,nohide,insecure,no_subtree_check gss/krb5p:/exports/etc
--bind option which creates unbreakable links.
/home /home/sam /home/john /home/joe
/home *(rw,fsid=0,sync)
mount server:/home /mnt/homels /mnt/home/joe
mount -t nfs4 server:/ /mnt/homels /mnt/home/joe
server:/home" and "server:/". To make the exports configurations compatible for all version, one needs to export (read only) the root filesystem with an fsid=0. The fsid=0 signals the NFS server that this export is the root.
/ *(ro,fsid=0) /home *(rw,sync,nohide)
mount server:/home /mnt/home" and "mount -t nfs server:/home /mnt/home" will work as expected.
portmap service via TCP wrappers. Access to ports used by portmap, rpc.mountd, and rpc.nfsd can also be limited by creating firewall rules with iptables.
portmap, refer to Seção 46.9, “IPTables”.
rpc.svcgssd and rpc.gssd inter operate, refer to http://www.citi.umich.edu/projects/nfsv4/gssd/.
su - command to become a user who could access particular files via the NFS share.
nfsnobody account. Never turn off root squashing.
all_squash option, which makes every user accessing the exported file system take the user ID of the nfsnobody user.
portmapportmap service for backward compatibility.
portmapper maps RPC services to the ports they are listening on. RPC processes notify portmap when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts portmap on the server with a particular RPC program number. The portmap service redirects the client to the proper port number so it can communicate with the requested service.
portmap to make all connections with incoming client requests, portmap must be available before any of these services start.
portmap service uses TCP wrappers for access control, and access control rules for portmap affect all RPC-based services. Alternatively, it is possible to specify access control rules for each of the NFS RPC daemons. The man pages for rpc.mountd and rpc.statd contain information regarding the precise syntax for these rules.
portmapportmap provides coordination between RPC services and the port numbers used to communicate with them, it is useful to view the status of current RPC services using portmap when troubleshooting. The rpcinfo command shows each RPC-based service with port numbers, an RPC program number, a version number, and an IP protocol type (TCP or UDP).
portmap, issue the following command as root:
rpcinfo -pprogram vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100021 1 udp 32774 nlockmgr 100021 3 udp 32774 nlockmgr 100021 4 udp 32774 nlockmgr 100021 1 tcp 34437 nlockmgr 100021 3 tcp 34437 nlockmgr 100021 4 tcp 34437 nlockmgr 100011 1 udp 819 rquotad 100011 2 udp 819 rquotad 100011 1 tcp 822 rquotad 100011 2 tcp 822 rquotad 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfs 100005 1 udp 836 mountd 100005 1 tcp 839 mountd 100005 2 udp 836 mountd 100005 2 tcp 839 mountd 100005 3 udp 836 mountd 100005 3 tcp 839 mountd
portmap is unable to map RPC requests from clients for that service to the correct port. In many cases, if NFS is not present in rpcinfo output, restarting NFS causes the service to correctly register with portmap and begin working. For instructions on starting NFS, refer to Seção 20.5, “Starting and Stopping NFS”.
rpcinfo command. Refer to the rpcinfo man page for more information.
-o udp option to mount when mounting the NFS-exported file system on the client system.
/etc/fstab file (client side), and automatically via autofs configuration files, such as /etc/auto.master and /etc/auto.misc (server side with NIS).
mount -o udp shadowman.example.com:/misc/export /misc/local/etc/fstab (client side):
server:/usr/local/pub /pub nfs rsize=8192,wsize=8192,timeo=14,intr,udp
myproject -rw,soft,intr,rsize=8192,wsize=8192,udp penguin.example.net:/proj52
-o udp option is not specified, the NFS-exported file system is accessed via TCP.
NFS stale file handles messages.
/usr/share/doc/nfs-utils-<version-number>/ — Replace <version-number> with the version number of the NFS package installed. This directory contains a wealth of information about the NFS implementation for Linux, including a look at various NFS configurations and their impact on file transfer performance.
man mount — Contains a comprehensive look at mount options for both NFS server and client configurations.
man fstab — Gives details for the format of the /etc/fstab file used to mount file systems at boot-time.
man nfs — Provides details on NFS-specific file system export and mount options.
man exports — Shows common options used in the /etc/exports file when exporting NFS file systems.
smb.conf Filesmbd, nmbd, and winbindd). Two services (smb and windbind) control how the daemons are started, stopped, and other service-related features. Each daemon is listed in detail, as well as which specific service has control over it.
smbd smbd server daemon provides file sharing and printing services to Windows clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the SMB protocol. The default ports on which the server listens for SMB traffic are TCP ports 139 and 445.
smbd daemon is controlled by the smb service.
nmbd nmbd server daemon understands and replies to NetBIOS name service requests such as those produced by SMB/CIFS in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows Network Neighborhood view. The default port that the server listens to for NMB traffic is UDP port 137.
nmbd daemon is controlled by the smb service.
winbindd winbind service resolves user and group information on a server running Windows NT 2000 or Windows Server 2003. This makes Windows user / group information understandable by UNIX platforms. This is achieved by using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the Name Service Switch (NSS). This allows Windows NT domain users to appear and operate as UNIX users on a UNIX machine. Though bundled with the Samba distribution, the winbind service is controlled separately from the smb service.
winbindd daemon is controlled by the winbind service and does not require the smb service to be started in order to operate. Winbindd is also used when Samba is an Active Directory member, and may also be used on a Samba domain controller (to implement nested groups and/or interdomain trust). Because winbind is a client-side service used to connect to Windows NT-based servers, further discussion of winbind is beyond the scope of this manual.
smb: in the File > Open Location bar of Nautilus to view the workgroups.
<servername> and <sharename> with the appropriate values):
smb://<servername>/<sharename>mount -t cifs -o <username>,<password> //<servername>/<sharename> /mnt/point/<sharename> from <servername> in the local directory /mnt/point/. For more information about mounting a samba share, refer to man mount.cifs.
/etc/samba/smb.conf) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. In other words, you can attach a printer to the system and print to it from the Windows machines on your network.
/etc/samba/ directory. Any changes to these files not made using the application are preserved.
system-config-samba RPM package installed. To start the Samba Server Configuration Tool from the desktop, go to the (on the Panel) > > > or type the command system-config-samba at a shell prompt (for example, in an XTerm or a GNOME terminal).
workgroup and server string options in smb.conf.
security option. Select one of the following types of authentication.
net utility, which is part of the samba-client package. Refer to the net man page for details. This option does not configure Samba to be an ADS Controller. Specify the realm of the Kerberos server in the Kerberos Realm field.
EXAMPLE.COM.
/etc/krb5.conf file.
encrypted passwords option. Refer to Seção 21.4.3, “Encrypted Passwords” for more information about encrypted Samba passwords.
guest account option.
/etc/samba/smb.conf as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the command service smb restart.
smb.conf file:
workgroup =WORKGROUPNAMEserver string =BRIEF COMMENT ABOUT SERVER
WORKGROUPNAME with the name of the Windows workgroup to which this machine should belong. The BRIEF COMMENT ABOUT SERVER is optional and is used as the Windows comment about the Samba system.
smb.conf file (after modifying it to reflect your needs and your system):
[sharename] comment =Insert a comment herepath =/home/share/valid users =tfox carolepublic = no writable = yes printable = no create mask = 0765
tfox and carole to read and write to the directory /home/share, on the Samba server, from a Samba client.
service smb startnet join command before starting the smb service.
service smb stoprestart option is a quick way of stopping and then starting Samba. This is the most reliable way to make configuration changes take effect after editing the configuration file for Samba. Note that the restart option starts the daemon even if it was not running originally.
service smb restartcondrestart (conditional restart) option only starts smb on the condition that it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
smb.conf file is changed, Samba automatically reloads it after a few minutes. Issuing a manual restart or reload is just as effective.
service smb condrestartsmb.conf file can be useful in case of a failed automatic reload by the smb service. To ensure that the Samba server configuration file is reloaded without restarting the service, type the following command as root:
service smb reloadsmb service does not start automatically at boot time. To configure Samba to start at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. Refer to Capítulo 17, Controlando Acesso aos Serviços for more information regarding these tools.
smb.conf File/etc/samba/smb.conf configuration file. Although the default smb.conf file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations.
smb.conf file for a successful configuration.
smb.conf file shows a sample configuration needed to implement anonymous read-only file sharing. The security = share parameter makes a share anonymous. Note, security levels for a single Samba server cannot be mixed. The security directive is a global Samba parameter located in the [global] configuration section of the smb.conf file.
[global] workgroup = DOCS netbios name = DOCS_SRV security = share [data] comment = Documentation Samba Server path = /export read only = Yes guest only = Yes
smb.conf file shows a sample configuration needed to implement anonymous read/write file sharing. To enable anonymous read/write file sharing, set the read only directive to no. The force user and force group directives are also added to enforce the ownership of any newly placed files specified in the share.
force user) and group (force group) in the smb.conf file.
[global] workgroup = DOCS netbios name = DOCS_SRV security = share [data] comment = Data path = /export force user = docsbot force group = users read only = No guest ok = Yes
smb.conf file shows a sample configuration needed to implement an anonymous print server. Setting browseable to no as shown does not list the printer in Windows Network Neighborhood. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to DOCS_SRV using NetBIOS, the client can have access to the printer if the client is also part of the DOCS workgroup. It is also assumed that the client has the correct local printer driver installed, as the use client driver directive is set to Yes. In this case, the Samba server has no responsibility for sharing printer drivers to the client.
[global] workgroup = DOCS netbios name = DOCS_SRV security = share printcap name = cups disable spools= Yes show add printer wizard = No printing = cups [printers] comment = All Printers path = /var/spool/samba guest ok = Yes printable = Yes use client driver = Yes browseable = Yes
smb.conf file shows a sample configuration needed to implement a secure read/write print server. Setting the security directive to user forces Samba to authenticate client connections. Notice the [homes] share does not have a force user or force group directive as the [public] share does. The [homes] share uses the authenticated user details for any files created as opposed to the force user and force group in [public].
[global] workgroup = DOCS netbios name = DOCS_SRV security = user printcap name = cups disable spools = Yes show add printer wizard = No printing = cups [homes] comment = Home Directories valid users = %S read only = No browseable = No [public] comment = Data path = /export force user = docsbot force group = users guest ok = Yes [printers] comment = All Printers path = /var/spool/samba printer admin = john, ed, @admins create mask = 0600 guest ok = Yes printable = Yes use client driver = Yes browseable = Yes
smb.conf file shows a sample configuration needed to implement an Active Directory domain member server. In this example, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your kerberos realm parameter is shown in all caps (for example realm = EXAMPLE.COM). Since Windows 2000/2003 requires Kerberos for Active Directory authentication, the realm directive is required. If Active Directory and Kerberos are running on different servers, the password server directive may be required to help the distinction.
[global] realm = EXAMPLE.COM security = ADS encrypt passwords = yes # Optional. Use only if Samba cannot determine the Kerberos server automatically. password server = kerberos.example.com
smb.conf file on the member server
/etc/krb5.conf file, on the member server
kinit administrator@EXAMPLE.COMkinit command is a Kerberos initialization script that references the Active Directory administrator account and Kerberos realm. Since Active Directory requires Kerberos tickets, kinit obtains and caches a Kerberos ticket-granting ticket for client/server authentication. For more information on Kerberos, the /etc/krb5.conf file, and the kinit command, refer to Seção 46.6, “Kerberos”.
net ads join -S windows1.example.com -U administrator%passwordwindows1 was automatically found in the corresponding Kerberos realm (the kinit command succeeded), the net command connects to the Active Directory server using its required administrator account and password. This creates the appropriate machine account on the Active Directory and grants permissions to the Samba domain member server to join the domain.
security = ads and not security = user is used, a local password backend such as smbpasswd is not needed. Older clients that do not support security = ads are authenticated as if security = domain had been set. This change does not affect functionality and allows local users not previously in the domain.
smb.conf file shows a sample configuration needed to implement a Windows NT4-based domain member server. Becoming a member server of an NT4-based domain is similar to connecting to an Active Directory. The main difference is NT4-based domains do not use Kerberos in their authentication method, making the smb.conf file simpler. In this instance, the Samba member server functions as a pass through to the NT4-based domain server.
[global] workgroup = DOCS netbios name = DOCS_SRV security = domain [homes] comment = Home Directories valid users = %S read only = No browseable = No [public] comment = Data path = /export force user = docsbot force group = users guest ok = Yes
smb.conf file to convert the server to a Samba-based PDC. If Windows NT-based servers are upgraded to Windows 2000/2003, the smb.conf file is easily modifiable to incorporate the infrastructure change to Active Directory if needed.
smb.conf file, join the domain before starting Samba by typing the following command as root:
net rpc join -U administrator%password-S option, which specifies the domain server hostname, does not need to be stated in the net rpc join command. Samba uses the hostname specified by the workgroup directive in the smb.conf file instead of it being stated explicitly.
tdbsam tdbsam password database backend. Planned to replace the aging smbpasswd backend, tdbsam has numerous improvements that are explained in more detail in Seção 21.8, “Samba Account Information Databases”. The passdb backend directive controls which backend is to be used for the PDC.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
passdb backend = tdbsam
security = user
add user script = /usr/sbin/useradd -m "%u"
delete user script = /usr/sbin/userdel -r "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
add user to group script = /usr/sbin/usermod -G "%g" "%u"
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines "%u"
# The following specifies the default logon script
# Per user logon scripts can be specified in the user
# account using pdbedit logon script = logon.bat
# This sets the default profile path.
# Set per user paths with pdbedit
logon drive = H:
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
[homes]
comment = Home Directories
valid users = %S
read only = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon/scripts
browseable = No
read only = No
# For profiles to work, create a user directory under the
# path shown.
mkdir -p /var/lib/samba/profiles/john
[Profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
browseable = No
guest ok = Yes
profile acls = Yes
# Other resource shares ... ...tdbsam follow these steps:
smb.conf file as shown in the example above.
smbpasswd -a root
Provide the password here.smb service.
groupadd -f usersgroupadd -f nobodygroupadd -f ntadmins
net groupmap add ntgroup="Domain Users" unixgroup=usersnet groupmap add ntgroup="Domain Guests" unixgroup=nobodynet groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
net rpc rights grant 'DOCS\Domain Admins' SetMachineAccountPrivilege -S PDC -U roottdbsam authentication backend. LDAP is recommended in these cases.
security = user directive is not listed in the smb.conf file, it is used by Samba. If the server accepts the client's username/password, the client can then mount multiple shares without specifying a password for each instance. Samba can also accept session-based username/password requests. The client maintains multiple authentication contexts by using a unique UID for each logon.
smb.conf, the security = user directive that sets user-level security is:
[GLOBAL] ... security = user ...
smb.conf:
[GLOBAL] ... security = domain workgroup = MARKETING ...
smb.conf, the following directives make Samba an Active Directory member server:
[GLOBAL] ... security = ADS realm = EXAMPLE.COM password server = kerberos.example.com ...
smb.conf, the following directives enable Samba to operate in server security mode:
[GLOBAL] ... encrypt passwords = Yes security = server password server = "NetBIOS_of_Domain_Controller" ...
/etc/passwd type backends. With a plain text backend, all usernames and passwords are sent unencrypted between the client and the Samba server. This method is very unsecure and is not recommended for use by any means. It is possible that different Windows clients connecting to the Samba server with plain text passwords cannot support such an authentication method.
smbpasswd smbpasswd backend utilizes a plain ASCII text layout that includes the MS Windows LanMan and NT account, and encrypted password information. The smbpasswd backend lacks the storage of the Windows NT/2000/2003 SAM extended controls. The smbpasswd backend is not recommended because it does not scale well or hold any Windows information, such as RIDs for NT-based groups. The tdbsam backend solves these issues for use in a smaller database (250 users), but is still not an enterprise-class solution.
ldapsam_compat ldapsam_compat backend allows continued OpenLDAP support for use with upgraded versions of Samba. This option normally used when migrating to Samba 3.0.
tdbsam tdbsam backend provides an ideal database backend for local servers, servers that do not need built-in database replication, and servers that do not require the scalability or complexity of LDAP. The tdbsam backend includes all of the smbpasswd database information as well as the previously-excluded SAM information. The inclusion of the extended SAM data allows Samba to implement the same account and system access controls as seen with Windows NT/2000/2003-based systems.
tdbsam backend is recommended for 250 users at most. Larger organizations should require Active Directory or LDAP integration due to scalability and possible network infrastructure concerns.
ldapsam ldapsam backend provides an optimal distributed account installation method for Samba. LDAP is optimal because of its ability to replicate its database to any number of servers using the OpenLDAP slurpd daemon. LDAP databases are light-weight and scalable, and as such are preferred by large enterprises.
/usr/share/doc/samba-<version>/LDAP/samba.schema has changed. This file contains the attribute syntax definitions and objectclass definitions that the ldapsam backend will need in order to function properly.
ldapsam backend for your Samba server, you will need to configure slapd to include this schema file. Refer to Seção 26.5, “The /etc/openldap/schema/ Directory” for directions on how to do this.
openldap-server package installed if you want to use the ldapsam backend.
mysqlsam mysqlsam backend uses a MySQL-based database backend. This is useful for sites that already implement MySQL. At present, mysqlsam is now packed in a module separate from Samba, and as such is not officially supported by Samba.
/etc/hosts) or DNS, must be used.
smb.conf for a local master browser (or no browsing at all) in a domain controller environment is the same as workgroup configuration.
smb.conf file in which the Samba server is serving as a WINS server:
[global] wins support = Yes
smb.conf Settingssmb.conf configuration for CUPS support:
[global] load printers = Yes printing = cups printcap name = cups [printers] comment = All Printers path = /var/spool/samba/print printer = IBMInfoP browseable = No public = Yes guest ok = Yes writable = No printable = Yes printer admin = @ntadmins [print$] comment = Printer Drivers Share path = /var/lib/samba/drivers write list = ed, john printer admin = ed, john
print$ share contains printer drivers for clients to access if not available locally. The print$ share is optional and may not be required depending on the organization.
browseable to Yes enables the printer to be viewed in the Windows Network Neighborhood, provided the Samba server is set up correctly in the domain/workgroup.
findsmb program is a Perl script which reports information about SMB-aware systems on a specific subnet. If no subnet is specified the local subnet is used. Items displayed include IP address, NetBIOS name, workgroup or domain name, operating system, and version.
findsmb as any valid user on a system:
~]# findsmb
IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
------------------------------------------------------------------
10.1.59.25 VERVE [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.59.26 STATION22 [MYGROUP] [Unix] [Samba 3.0.2-7.FC1]
10.1.56.45 TREK +[WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.94 PIXEL [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.57.137 MOBILE001 [WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.141 JAWS +[KWIKIMART] [Unix] [Samba 2.2.7a-security-rollup-fix]
10.1.56.159 FRED +[MYGROUP] [Unix] [Samba 3.0.0-14.3E]
10.1.59.192 LEGION *[MYGROUP] [Unix] [Samba 2.2.7-security-rollup-fix]
10.1.56.205 NANCYN +[MYGROUP] [Unix] [Samba 2.2.7a-security-rollup-fix]net utility is similar to the net utility used for Windows and MS-DOS. The first argument is used to specify the protocol to use when executing a command. The <protocol> ads, rap, or rpc for specifying the type of server connection. Active Directory uses ads, Win9x/NT3 uses rap, and Windows NT4/2000/2003 uses rpc. If the protocol is omitted, net automatically tries to determine it.
wakko:
~]# net -l share -S wakko
Password:
Enumerating shared resources (exports) on remote server:
Share name Type Description
---------- ---- -----------
data Disk Wakko data share
tmp Disk Wakko tmp share
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)wakko:
~]# net -l user -S wakko
root password:
User name Comment
-----------------------------
andriusb Documentation
joe Marketing
lisa Salesnmblookup program resolves NetBIOS names into IP addresses. The program broadcasts its query on the local subnet until the target machine replies.
~]# nmblookup trek
querying trek on 10.1.59.255
10.1.56.45 trek<00>pdbedit program manages accounts located in the SAM database. All backends are supported including smbpasswd, LDAP, NIS+, and the tdb database library.
~]#pdbedit -a kristinnew password: retype new password: Unix username: kristin NT username: Account Flags: [U ] User SID: S-1-5-21-1210235352-3804200048-1474496110-2012 Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077 Full Name: Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT ~]#pdbedit -v -L kristinUnix username: kristin NT username: Account Flags: [U ] User SID: S-1-5-21-1210235352-3804200048-1474496110-2012 Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077 Full Name: Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT ~]#pdbedit -Landriusb:505: joe:503: lisa:504: kristin:506: ~]#pdbedit -x joe~]#pdbedit -Landriusb:505: lisa:504: kristin:506:
rpcclient program issues administrative commands using Microsoft RPCs, which provide access to the Windows administration graphical user interfaces (GUIs) for systems management. This is most often used by advanced users that understand the full complexity of Microsoft RPCs.
smbcacls program modifies Windows ACLs on files and directories shared by the Samba server.
smbclient program is a versatile UNIX client which provides functionality similar to ftp.
smbcontrol <options> <destination> <messagetype> <parameters>
smbcontrol program sends control messages to running smbd or nmbd daemons. Executing smbcontrol -i runs commands interactively until a blank line or a 'q' is entered.
smbpasswd program manages encrypted passwords. This program can be run by a superuser to change any user's password as well as by an ordinary user to change their own Samba password.
smbspool program is a CUPS-compatible printing interface to Samba. Although designed for use with CUPS printers, smbspool can work with non-CUPS printers as well.
smbstatus program displays the status of current connections to a Samba server.
smbtar program performs backup and restores of Windows-based share files and directories to a local tape archive. Though similar to the tar command, the two are not compatible.
testparm program checks the syntax of the smb.conf file. If your smb.conf file is in the default location (/etc/samba/smb.conf) you do not need to specify the location. Specifying the hostname and IP address to the testparm program verifies that the hosts.allow and host.deny files are configured correctly. The testparm program also displays a summary of your smb.conf file and the server's role (stand-alone, domain, etc.) after testing. This is convenient when debugging as it excludes comments and concisely presents information for experienced administrators to read.
~]#testparmLoad smb config files from /etc/samba/smb.conf Processing section "[homes]" Processing section "[printers]" Processing section "[tmp]" Processing section "[html]" Loaded services file OK. Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions<enter># Global parameters [global] workgroup = MYGROUP server string = Samba Server security = SHARE log file = /var/log/samba/%m.log max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 dns proxy = No [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /var/spool/samba printable = Yes browseable = No [tmp] comment = Wakko tmp path = /tmp guest only = Yes [html] comment = Wakko www path = /var/www/html force user = andriusb force group = users read only = No guest only = Yes
wbinfo program displays information from the winbindd daemon. The winbindd daemon must be running for wbinfo to work.
/usr/share/doc/samba-<version-number>/ — All additional files included with the Samba distribution. This includes all helper scripts, sample configuration files, and documentation.
dhcp package contains an ISC DHCP server. First, install the package as the superuser:
~]# yum install dhcpdhcp package creates a file, /etc/dhcpd.conf, which is merely an empty configuration file:
~]# cat /etc/dhcpd.conf
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample/usr/share/doc/dhcp-<version>/dhcpd.conf.sample. You should use this file to help you configure /etc/dhcpd.conf, which is explained in detail below.
/var/lib/dhcpd/dhcpd.leases to store the client lease database. Refer to Seção 22.2.2, “Banco de Dados de Aluguel” for more information.
ddns-update-style ad-hoc;
ddns-update-style interim;
dhcpd.conf man page for details about the different modes.
service dhcpd restart.
omshell command provides an interactive way to connect to, query, and change the configuration of a DHCP server. By using omshell, all changes can be made while the server is running. For more information on omshell, refer to the omshell man page.
routers, subnet-mask, domain-name, domain-name-servers, and time-offset options are used for any host statements declared below it.
subnet can be declared, a subnet declaration must be included for every subnet in the network. If it is not, the DHCP server fails to start.
range declared. Clients are assigned an IP address within the range.
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.254;
option subnet-mask 255.255.255.0;
option domain-name "example.com";
option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
range 192.168.1.10 192.168.1.100;
}shared-network declaration as shown in Exemplo 22.2, “Declaração de Rede Compartilhada”. Parameters within the shared-network, but outside the enclosed subnet declarations, are considered to be global parameters. The name of the shared-network must be a descriptive title for the network, such as using the title 'test-lab' to describe all the subnets in a test lab environment.
group declaration is used to apply global parameters to a group of declarations. For example, shared networks, subnets, and hosts can be grouped.
group {
option routers 192.168.1.254;
option subnet-mask 255.255.255.0;
option domain-name "example.com";
option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
host apex {
option host-name "apex.example.com";
hardware ethernet 00:A0:78:8E:9E:AA;
fixed-address 192.168.1.4;
}
host raleigh {
option host-name "raleigh.example.com";
hardware ethernet 00:A1:DD:74:C3:F2;
fixed-address 192.168.1.6;
}
}range 192.168.1.10 and 192.168.1.100 to client systems.
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "example.com";
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.100;
}hardware ethernet parameter within a host declaration. As demonstrated in Exemplo 22.5, “Endereço IP Estático usando DHCP”, the host apex declaration specifies that the network interface card with the MAC address 00:A0:78:8E:9E:AA always receives the IP address 192.168.1.4.
host-name can also be used to assign a host name to the client.
host apex {
option host-name "apex.example.com";
hardware ethernet 00:A0:78:8E:9E:AA;
fixed-address 192.168.1.4;
}cp /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample /etc/dhcpd.conf<version-number> is the DHCP version number).
dhcp-options man page.
/var/lib/dhcpd/dhcpd.leases stores the DHCP client lease database. Do not change this file. DHCP lease information for each recently assigned IP address is automatically stored in the lease database. The information includes the length of the lease, to whom the IP address has been assigned, the start and end dates for the lease, and the MAC address of the network interface card that was used to retrieve the lease.
dhcpd.leases file is renamed dhcpd.leases~ and the temporary lease database is written to dhcpd.leases.
dhcpd.leases file does not exist, but it is required to start the service. Do not create a new lease file. If you do, all old leases are lost which causes many problems. The correct solution is to rename the dhcpd.leases~ backup file to dhcpd.leases and then start the daemon.
dhcpd.leases file exists. Use the command touch /var/lib/dhcpd/dhcpd.leases to create the file if it does not exist.
named service automatically checks for a dhcpd.leases file.
/sbin/service dhcpd start. To stop the DHCP server, use the command /sbin/service dhcpd stop.
/etc/sysconfig/dhcpd, add the name of the interface to the list of DHCPDARGS:
# Command line options here DHCPDARGS=eth0
/etc/sysconfig/dhcpd include:
-p <portnum> — Specifies the UDP port number on which dhcpd should listen. The default is port 67. The DHCP server transmits responses to the DHCP clients at a port number one greater than the UDP port specified. For example, if the default port 67 is used, the server listens on port 67 for requests and responses to the client on port 68. If a port is specified here and the DHCP relay agent is used, the same port on which the DHCP relay agent should listen must be specified. Refer to Seção 22.2.4, “Agente DHCP Relay” for details.
-f — Runs the daemon as a foreground process. This is mostly used for debugging.
-d — Logs the DHCP server daemon to the standard error descriptor. This is mostly used for debugging. If this is not specified, the log is written to /var/log/messages.
-cf <filename> — Specifies the location of the configuration file. The default location is /etc/dhcpd.conf.
-lf <filename> — Specifies the location of the lease database file. If a lease database file already exists, it is very important that the same file be used every time the DHCP server is started. It is strongly recommended that this option only be used for debugging purposes on non-production machines. The default location is /var/lib/dhcpd/dhcpd.leases.
-q — Do not print the entire copyright message when starting the daemon.
dhcrelay) allows for the relay of DHCP and BOOTP requests from a subnet with no DHCP server on it to one or more DHCP servers on other subnets.
/etc/sysconfig/dhcrelay with the INTERFACES directive.
service dhcrelay start.
/etc/sysconfig/network file to enable networking and the configuration file for each network device in the /etc/sysconfig/network-scripts directory. In this directory, each device should have a configuration file named ifcfg-eth0, where eth0 is the network device name.
/etc/sysconfig/network file should contain the following line:
NETWORKING=yes
NETWORKING variable must be set to yes if you want networking to start at boot time.
/etc/sysconfig/network-scripts/ifcfg-eth0 file should contain the following lines:
DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes
DHCP_HOSTNAME — Only use this option if the DHCP server requires the client to specify a hostname before receiving an IP address. (The DHCP server daemon in Red Hat Enterprise Linux does not support this feature.)
PEERDNS=<answer> , where <answer> yes — Modify /etc/resolv.conf with information from the server. If using DHCP, then yes is the default.
no — Do not modify /etc/resolv.conf.
SRCADDR=<address> , where <address> USERCTL=<answer> , where <answer> yes — Non-root users are allowed to control this device.
no — Non-root users are not allowed to control this device.
dhclient and dhclient.conf man pages.
/etc/sysconfig/dhcpd and /etc/dhcpd.conf files.
/etc/sysconfig/dhcpd file to specify which network interfaces the DHCP daemon listens on. The following /etc/sysconfig/dhcpd example specifies that the DHCP daemon listens on the eth0 and eth1 interfaces:
DHCPDARGS="eth0 eth1";
eth0, eth1, and eth2 -- and it is only desired that the DHCP daemon listens on eth0, then only specify eth0 in /etc/sysconfig/dhcpd:
DHCPDARGS="eth0";
/etc/dhcpd.conf file, for a server that has two network interfaces, eth0 in a 10.0.0.0/24 network, and eth1 in a 172.16.0.0/24 network. Multiple subnet declarations allow different settings to be defined for multiple networks:
ddns-update-styleinterim; default-lease-time600; max-lease-time7200; subnet 10.0.0.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option routers 10.0.0.1; range 10.0.0.5 10.0.0.15; } subnet 172.16.0.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option routers 172.16.0.1; range 172.16.0.5 172.16.0.15; }
subnet 10.0.0.0 netmask 255.255.255.0 subnet declaration is required for every network your DHCP server is serving. Multiple subnets require multiple subnet declarations. If the DHCP server does not have a network interface in a range of a subnet declaration, the DHCP server does not serve that network.
subnet declaration, and no network interfaces are in the range of that subnet, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
dhcpd: No subnet declaration for eth0 (0.0.0.0). dhcpd: ** Ignoring requests on eth0. If this is not what dhcpd: you want, please write a subnet declaration dhcpd: in your dhcpd.conf file for the network segment dhcpd: to which interface eth1 is attached. ** dhcpd: dhcpd: dhcpd: Not configured to listen on any interfaces!
option subnet-mask 255.255.255.0; option subnet-mask option defines a subnet mask, and overrides the netmask value in the subnet declaration. In simple cases, the subnet and netmask values are the same.
option routers 10.0.0.1; option routers option defines the default gateway for the subnet. This is required for systems to reach internal networks on a different subnet, as well as external networks.
range 10.0.0.5 10.0.0.15; range option specifies the pool of available IP addresses. Systems are assigned an address from the range of specified IP addresses.
dhcpd.conf(5) man page.
/etc/dhcpd.conf, the DHCP daemon fails to start.
/etc/sysconfig/dhcpd and /etc/dhcpd.conf files.
/etc/dhcpd.conf example creates two subnets, and configures an IP address for the same system, depending on which network it connects to:
ddns-update-styleinterim; default-lease-time600; max-lease-time7200; subnet 10.0.0.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option routers 10.0.0.1; range 10.0.0.5 10.0.0.15; } subnet 172.16.0.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option routers 172.16.0.1; range 172.16.0.5 172.16.0.15; } host example0 { hardware ethernet 00:1A:6B:6A:2E:0B; fixed-address 10.0.0.20; } host example1 { hardware ethernet 00:1A:6B:6A:2E:0B; fixed-address 172.16.0.20; }
host example0 host declaration defines specific parameters for a single system, such as an IP address. To configure specific parameters for multiple hosts, use multiple host declarations.
host declarations, and as such, this name can anything, as long as it is unique to other host declarations. To configure the same system for multiple networks, use a different name for each host declaration, otherwise the DHCP daemon fails to start. Systems are identified by the hardware ethernet option, not the name in the host declaration.
hardware ethernet 00:1A:6B:6A:2E:0B; hardware ethernet option identifies the system. To find this address, run the ifconfig command on the desired system, and look for the HWaddr address.
fixed-address 10.0.0.20; fixed-address option assigns a valid IP address to the system specified by the hardware ethernet option. This address must be outside the IP address pool specified with the range option.
option statements do not end with a semicolon, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
/etc/dhcpd.conf line 20: semicolon expected. dhcpd: } dhcpd: ^ dhcpd: /etc/dhcpd.conf line 38: unexpected end of file dhcpd: dhcpd: ^ dhcpd: Configuration file errors encountered -- exiting
host declarations configure a single system, that has multiple network interfaces, so that each interface receives the same IP address. This configuration will not work if both network interfaces are connected to the same network at the same time:
host interface0 {
hardware ethernet 00:1a:6b:6a:2e:0b;
fixed-address 10.0.0.18;
}
host interface1 {
hardware ethernet 00:1A:6B:6A:27:3A;
fixed-address 10.0.0.18;
}
interface0 is the first network interface, and interface1 is the second interface. The different hardware ethernet options identify each interface.
host declarations, remembering to:
fixed-address for the network the host is connecting to.
host declaration unique.
host declaration is not unique, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
dhcpd: /etc/dhcpd.conf line 31: host interface0: already exists dhcpd: } dhcpd: ^ dhcpd: Configuration file errors encountered -- exiting
host interface0 declarations defined in /etc/dhcpd.conf.
dhcpd man page — Describes how the DHCP daemon works.
dhcpd.conf man page — Explains how to configure the DHCP configuration file; includes some examples.
dhcpd.leases man page — Explains how to configure the DHCP leases file; includes some examples.
dhcp-options man page — Explains the syntax for declaring DHCP options in dhcpd.conf; includes some examples.
dhcrelay man page — Explains the DHCP Relay Agent and its configuration options.
/usr/share/doc/dhcp-<version>/ — Contains sample files, README files, and release notes for current versions of the DHCP service.
httpdhttpd.conf/etc/httpd/conf/httpd.conf) to aid those who require a custom configuration or need to convert a configuration file from the older Apache HTTP Server 1.3 format.
LoadModule line will need to be updated.
mod_userdir module will only act on requests if you provide a UserDir directive indicating a directory name. If you wish to maintain the procedures used in version 2.0, add the directive UserDir public_html in your configuration file.
httpd.conf file adding the necessary mod_ssl directives. Use apachectl start as apachectl startssl is unavailable in version 2.2. You can view an example of SSL configuration for httpd in conf/extra/httpd-ssl.conf.
service httpd configtest which will detect configuration errors.
/etc/httpd/conf/httpd.conf.rpmnew and the original version 1.3 httpd.conf is left untouched. It is entirely up to you whether to use the new configuration file and migrate the old settings to it, or use the existing file as a base and modify it to suit; however, some parts of the file have changed more than others and a mixed approach is generally the best. The stock configuration files for both version 1.3 and 2.0 are divided into three sections.
/etc/httpd/conf/httpd.conf file is a modified version of the newly installed default and a saved a copy of the original configuration file is available, it may be easiest to invoke the diff command, as in the following example (logged in as root):
diff -u httpd.conf.orig httpd.conf | lessrpm2cpio and cpio commands, as in the following example:
rpm2cpio apache-<version-number>.i386.rpm | cpio -i --make<version-number> with the version number for the apache package.
apachectl configtestBindAddress and Port directives no longer exist; their functionality is now provided by a more flexible Listen directive.
Port 80 was set in the 1.3 version configuration file, change it to Listen 80 in the 2.0 configuration file. If Port was set to some value other than 80, then append the port number to the contents of the ServerName directive.
Port 123 ServerName www.example.com
Listen123 ServerName www.example.com:123
prefork, worker, and perchild. Currently only the prefork and worker MPMs are available, although the perchild MPM may be available at a later date.
prefork MPM. The prefork MPM accepts the same directives as Apache HTTP Server 1.3, so the following directives may be migrated directly:
StartServers
MinSpareServers
MaxSpareServers
MaxClients
MaxRequestsPerChild
worker MPM implements a multi-process, multi-threaded server providing greater scalability. When using this MPM, requests are handled by threads, conserving system resources and allowing large numbers of requests to be served efficiently. Although some of the directives accepted by the worker MPM are the same as those accepted by the prefork MPM, the values for those directives should not be transferred directly from an Apache HTTP Server 1.3 installation. It is best to instead use the default values as a guide, then experiment to determine what values work best.
worker MPM, create the file /etc/sysconfig/httpd and add the following directive:
HTTPD=/usr/sbin/httpd.worker
AddModule and ClearModuleList directives no longer exist. These directives where used to ensure that modules could be enabled in the correct order. The Apache HTTP Server 2.0 API allows modules to specify their ordering, eliminating the need for these two directives.
LoadModule lines are no longer relevant in most cases.
LoadModule lines for modules packaged in their own RPMs (mod_ssl, php, mod_perl, and the like) are no longer necessary as they can be found in their relevant files within the /etc/httpd/conf.d/ directory.
HAVE_XXX definitions are no longer defined.
httpd.conf contains the following directive:
Include conf.d/*.conf
mod_perl, php, and mod_ssl).
ServerType — The Apache HTTP Server can only be run as ServerType standalone making this directive irrelevant.
AccessConfig and ResourceConfig — These directives have been removed as they mirror the functionality of the Include directive. If the AccessConfig and ResourceConfig directives are set, replace them with Include directives.
Include directives should be placed at the end of the httpd.conf, with the one corresponding to ResourceConfig preceding the one corresponding to AccessConfig. If using the default values, include them explicitly as conf/srm.conf and conf/access.conf files.
<VirtualHost> container. Values here also provide defaults for any <VirtualHost> containers defined.
UserDir MappingUserDir directive is used to enable URLs such as http://example.com/~bob/ to map to a subdirectory within the home directory of the user bob, such as /home/bob/public_html/. A side-effect of this feature allows a potential attacker to determine whether a given username is present on the system. For this reason, the default configuration for Apache HTTP Server 2.0 disables this directive.
UserDir mapping, change the directive in httpd.conf from:
UserDir disable
UserDir public_htmlAgentLog
RefererLog
RefererIgnore
CustomLog and LogFormat directives.
FancyIndexing directive has now been removed. The same functionality is available through the FancyIndexing option within the IndexOptions directive.
VersionSort option to the IndexOptions directive causes files containing version numbers to be sorted in a more natural way. For example, httpd-2.0.6.tar appears before httpd-2.0.36.tar in a directory index page.
ReadmeName and HeaderName directives have changed from README and HEADER to README.html and HEADER.html.
CacheNegotiatedDocs directive now takes the argument on or off. Existing instances of CacheNegotiatedDocs should be replaced with CacheNegotiatedDocs on.
ErrorDocument directive, the message should be enclosed in a pair of double quotation marks ", rather than just preceded by a double quotation mark as required in Apache HTTP Server 1.3.
ErrorDocument 404 "The document was not found
ErrorDocument setting to Apache HTTP Server 2.0, use the following structure:
ErrorDocument 404 "The document was not found"
ErrorDocument directive example.
<VirtualHost> containers should be migrated in the same way as the main server section as described in Seção 23.2.2.2, “Main Server Configuration”.
/etc/httpd/conf.d/ssl.conf.
mod_include. This opens up a tremendous number of possibilities with regards to how modules can be combined to achieve a specific goal.
mod_perl). Under Apache HTTP Server 2.0, the request is initially handled by the core module — which serves static files — and is then filtered by mod_perl.
PATH_INFO directive is used for a document which is handled by a module that is now implemented as a filter, as each contains trailing path information after the true file name. The core module, which initially handles the request, does not by default understand PATH_INFO and returns 404 Not Found errors for requests that contain such information. As an alternative, use the AcceptPathInfo directive to coerce the core module into accepting requests with PATH_INFO.
AcceptPathInfo on
suexec Modulemod_suexec module uses the SuexecUserGroup directive, rather than the User and Group directives, which is used for configuring virtual hosts. The User and Group directives can still be used in general, but are deprecated for configuring virtual hosts.
<VirtualHost vhost.example.com:80> User someone Group somegroup </VirtualHost>
<VirtualHost vhost.example.com:80> SuexecUserGroup someone somegroup </VirtualHost>
mod_ssl Modulemod_ssl has been moved from the httpd.conf file into the /etc/httpd/conf.d/ssl.conf file. For this file to be loaded, and for mod_ssl to work, the statement Include conf.d/*.conf must be in the httpd.conf file as described in Seção 23.2.2.1.3, “Dynamic Shared Object (DSO) Support”.
ServerName directives in SSL virtual hosts must explicitly specify the port number.
<VirtualHost _default_:443> # General setup for the virtual host ServerName ssl.example.name ... </VirtualHost>
<VirtualHost _default_:443>
# General setup for the virtual host
ServerName ssl.host.name:443
...
</VirtualHost>SSLLog and SSLLogLevel directives have been removed. The mod_ssl module now obeys the ErrorLog and LogLevel directives. Refer to ErrorLog and LogLevel for more information about these directives.
mod_proxy Module<Proxy> block rather than a <Directory proxy:>.
mod_proxy has been split out into the following three modules:
mod_cache
mod_disk_cache
mod_mem_cache
mod_proxy module, but it is advisable to verify each directive before migrating any cache settings.
mod_include Modulemod_include module is now implemented as a filter and is therefore enabled differently. Refer to Seção 23.2.2.4, “Modules and Apache HTTP Server 2.0” for more about filters.
AddType text/html .shtml AddHandler server-parsed .shtml
AddType text/html .shtml
AddOutputFilter INCLUDES .shtmlOptions +Includes directive is still required for the <Directory> container or in a .htaccess file.
mod_auth_dbm and mod_auth_db Modulesmod_auth_db and mod_auth_dbm, which used Berkeley Databases and DBM databases respectively. These modules have been combined into a single module named mod_auth_dbm in Apache HTTP Server 2.0, which can access several different database formats. To migrate from mod_auth_db, configuration files should be adjusted by replacing AuthDBUserFile and AuthDBGroupFile with the mod_auth_dbm equivalents, AuthDBMUserFile and AuthDBMGroupFile. Also, the directive AuthDBMType DB must be added to indicate the type of database file in use.
mod_auth_db configuration for Apache HTTP Server 1.3:
<Location /private/> AuthType Basic AuthName "My Private Files" AuthDBUserFile /var/www/authdb require valid-user </Location>
<Location /private/> AuthType Basic AuthName "My Private Files"AuthDBMUserFile/var/www/authdbAuthDBMType DBrequire valid-user </Location>
AuthDBMUserFile directive can also be used in .htaccess files.
dbmmanage Perl script, used to manipulate username and password databases, has been replaced by htdbm in Apache HTTP Server 2.0. The htdbm program offers equivalent functionality and, like mod_auth_dbm, can operate a variety of database formats; the -T option can be used on the command line to specify the format to use.
dbmmanage to htdbm” shows how to migrate from a DBM-format database to htdbm format using dbmmanage.
dbmmanage to htdbm| Action | dbmmanage command (1.3) | Equivalent htdbm command (2.0) |
|---|---|---|
| Add user to database (using given password) |
dbmmanage authdb add username password
|
htdbm -b -TDB authdb username password
|
| Add user to database (prompts for password) |
dbmmanage authdb adduser username
|
htdbm -TDB authdb username
|
| Remove user from database |
dbmmanage authdb delete username
|
htdbm -x -TDB authdb username
|
| List users in database |
dbmmanage authdb view
|
htdbm -l -TDB authdb
|
| Verify a password |
dbmmanage authdb check username
|
htdbm -v -TDB authdb username
|
-m and -s options work with both dbmmanage and htdbm, enabling the use of the MD5 or SHA1 algorithms for hashing passwords, respectively.
htdbm, the -c option must be used.
mod_perl Modulemod_perl has been moved from httpd.conf into the file /etc/httpd/conf.d/perl.conf. For this file to be loaded, and hence for mod_perl to work, the statement Include conf.d/*.conf must be included in httpd.conf as described in Seção 23.2.2.1.3, “Dynamic Shared Object (DSO) Support”.
Apache:: in httpd.conf must be replaced with ModPerl::. Additionally, the manner in which handlers are registered has been changed.
mod_perl configuration:
<Directory /var/www/perl> SetHandler perl-script PerlHandler Apache::Registry Options +ExecCGI </Directory>
mod_perl for Apache HTTP Server 2.0:
<Directory /var/www/perl>
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
Options +ExecCGI
</Directory>mod_perl 1.x should work without modification with mod_perl 2.x. XS modules require recompilation and may require minor Makefile modifications.
mod_python Modulemod_python has moved from httpd.conf to the /etc/httpd/conf.d/python.conf file. For this file to be loaded, and hence for mod_python to work, the statement Include conf.d/*.conf must be in httpd.conf as described in Seção 23.2.2.1.3, “Dynamic Shared Object (DSO) Support”.
httpd.conf into the file /etc/httpd/conf.d/php.conf. For this file to be loaded, the statement Include conf.d/*.conf must be in httpd.conf as described in Seção 23.2.2.1.3, “Dynamic Shared Object (DSO) Support”.
register_globals to On in the file /etc/php.ini.
mod_authz_ldap Modulemod_authz_ldap module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. The mod_ssl module is required when using the mod_authz_ldap module.
mod_authz_ldap module does not authenticate a user to an LDAP directory using an encrypted password hash. This functionality is provided by the experimental mod_auth_ldap module. Refer to the mod_auth_ldap module documentation online at http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html for details on the status of this module.
/etc/httpd/conf.d/authz_ldap.conf file configures the mod_authz_ldap module.
/usr/share/doc/mod_authz_ldap-<version>/index.html (replacing <version> with the version number of the package) or http://authzldap.othello.ch/ for more information on configuring the mod_authz_ldap third party module.
httpdhttpd package, review the Apache HTTP Server's documentation available online at http://httpd.apache.org/docs/2.2/.
httpd RPM installs the /etc/init.d/httpd script, which can be accessed using the /sbin/service command.
httpd using the apachectl control script sets the environmental variables in /etc/sysconfig/httpd and starts httpd. You can also set the environment variables using the init script.
apachectl control script as root type:
apachectl starthttpd using /sbin/service httpd start. This starts httpd but does not set the environment variables. If you are using the default Listen directive in httpd.conf, which is port 80, you will need to have root privileges to start the apache server.
apachectl stophttpd using /sbin/service httpd stop. The restart option is a shorthand way of stopping and then starting the Apache HTTP Server.
apachectl restartservice httpd restartErrorLog if it encounters an error while starting.
httpd service does not start automatically at boot time. If you would wish to have Apache startup at boot time, you will need to add a call to apachectl in your startup files within the rc.N directory. A typical file used is rc.local. As this starts Apache as root, it is recommended to properly configure your security and authentication before adding this call.
httpd service to start up at boot time, using an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program.
apachectl statusmod_status however needs to be enabled in your httpd.conf configuration file for this to work. For more details on mod_status can be found on http://httpd.apache.org/docs/2.2/mod/mod_status.html.
/etc/httpd/conf/httpd.conf configuration file for the Apache HTTP Server. It does not use the old srm.conf or access.conf configuration files; leave them empty. Through the graphical interface, you can configure directives such as virtual hosts, logging attributes, and maximum number of connections. To start the HTTD Configuration Tool, click on System > Administration > Server Settings > HTTP.
/etc/httpd/conf/httpd.conf configuration file by hand if you wish to use this tool. The HTTP Configuration Tool generates this file after you save your changes and exit the program. If you want to add additional modules or configuration options that are not available in HTTP Configuration Tool, you cannot use this tool.
DocumentRoot and cgi-bin directories.
ServerName directive in httpd.conf. The ServerName directive sets the hostname of the Web server. It is used when creating redirection URLs. If you do not define a server name, the Web server attempts to resolve it from the IP address of the system. The server name does not have to be the domain name resolved from the IP address of the server. For example, you might set the server name to www.example.com while the server's real DNS name is foo.example.com.
ServerAdmin directive in httpd.conf. If you configure the server's error pages to contain an email address, this email address is used so that users can report a problem to the server's administrator. The default value is root@localhost.
Listen directive in httpd.conf. By default, Red Hat configures the Apache HTTP Server to listen to port 80 for non-secure Web communications.
httpd can be started as a regular user.
DirectoryIndex directive. The DirectoryIndex is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.
http://www.example.com/this_directory/, they are going to get either the DirectoryIndex page, if it exists, or a server-generated directory list. The server tries to find one of the files listed in the DirectoryIndex directive and returns the first one it finds.
If it does not find any of these files and if Options Indexes is set for that directory, the server generates and returns a list, in HTML format, of the subdirectories and files in the directory.
ErrorDocument directive. If a problem or error occurs when a client tries to connect to the Apache HTTP Server, the default action is to display the short error message shown in the Error Code column. To override this default configuration, select the error code and click the Edit button. Choose to display the default short error message. Choose to redirect the client to an external URL and enter a complete URL, including the http://, in the Location field. Choose to redirect the client to an internal URL and enter a file location under the document root for the Web server. The location must begin the a slash (/) and be relative to the Document Root.
404.html, copy 404.html to DocumentRoot/../error/404.htmlDocumentRoot is the Document Root directory that you have defined (the default is /var/www/html/). If the Document Root is left as the default location, the file should be copied to /var/www/error/404.html. Then, choose as the Behavior for 404 - Not Found error code and enter /error/404.html as the .
ServerAdmin directive.
mod_ssl enables encryption of the HTTP protocol over SSL. SSL (Secure Sockets Layer) protocol is used for communication and encryption over TCP/IP networks. The SSL tab enables you to configure SSL for your server. To configure SSL you need to provide the path to your:
SSLCertificateFile directive which points the path to the PEM (Privacy Enhanced Mail)-encoded server certificate file.
SSLCertificateKeyFile directive which points the path to the PEM-encoded server private key file.
SSLCertificateChainFile directive which points the path to the certificate file containing all the server's chain of certificates.
SSLOptions with the following options:
SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_n where n is a number 0,1,2,3,4... These files are used for more certificate checks by CGI scripts.
SSLRequireSSL and SSLRequire directives indicate access is forbidden.
mod_ssl which also performs safe parameter checks. It is recommended to enable OptRenegotiate on a per directory basis.
/var/log/httpd/access_log file and the error log to the /var/log/httpd/error_log file.
TransferLog directive.
LogFormat directive. Refer to http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#logformat for details on the format of this directive.
ErrorLog directive.
LogLevel directive.
HostnameLookups directive. Choosing No Reverse Lookup sets the value to off. Choosing Reverse Lookup sets the value to on. Choosing Double Reverse Lookup sets the value to double.
mod_env module to configure the environment variables which are passed to CGI scripts and SSI pages. Use the Environment Variables page to configure the directives for this module.
MAXNUM to 50, click the button inside the Set for CGI Script section, as shown in Figura 23.8, “Environment Variables”, and type MAXNUM in the Environment Variable text field and 50 in the Value to set text field. Click to add it to the list. The Set for CGI Scripts section configures the SetEnv directive.
env at a shell prompt. Click the button inside the Pass to CGI Scripts section and enter the name of the environment variable in the resulting dialog box. Click to add it to the list. The Pass to CGI Scripts section configures the PassEnv directive.
UnsetEnv directive.
<Directory> directive.
Options directive within the <Directory> directive. You can configure the following options:
#exec and #include commands in CGI scripts.
DirectoryIndex (such as index.html) exists in the requested directory.
Order directive with the left-hand side options. The Order directive controls the order in which allow and deny directives are evaluated. In the Allow hosts from and Deny hosts from text field, you can specify one of the following:
all to allow access to all hosts.
192.168.1.0/255.255.255.0
10.3.0.0/16
.htaccess file take precedence.
httpd.conf/etc/httpd/conf/httpd.conf. The httpd.conf file is well-commented and mostly self-explanatory. The default configuration works for most situations; however, it is a good idea to become familiar some of the more important configuration options.
/etc/httpd/conf/httpd.conf and then either reload, restart, or stop and start the httpd process as outlined in Seção 23.3, “Starting and Stopping httpd”.
httpd.conf, make a copy the original file. Creating a backup makes it easier to recover from mistakes made while editing the configuration file.
httpd.conf to verify there are no typos.
/var/log/httpd/error_log. The error log may not be easy to interpret, depending on your level of expertise. However, the last entries in the error log should provide useful information.
httpd.conf. These descriptions are not exhaustive. For more information, refer to the Apache documentation online at http://httpd.apache.org/docs/2.2/.
mod_ssl directives, refer to the documentation online at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html.
AccessFileName names the file which the server should use for access control information in each directory. The default is .htaccess.
AccessFileName directive, a set of Files tags apply access control to any file beginning with a .ht. These directives deny Web access to any .htaccess files (or other files which begin with .ht) for security reasons.
Action specifies a MIME content type and CGI script pair, so that when a file of that media type is requested, a particular CGI script is executed.
FancyIndexing as an IndexOptions parameter, the AddDescription directive can be used to display user-specified descriptions for certain files or file types in a server generated directory listing. The AddDescription directive supports listing specific files, wildcard expressions, or file extensions.
AddEncoding names file name extensions which should specify a particular encoding type. AddEncoding can also be used to instruct some browsers to uncompress certain files as they are downloaded.
AddHandler maps file extensions to specific handlers. For example, the cgi-script handler can be matched with the extension .cgi to automatically treat a file ending with .cgi as a CGI script. The following is a sample AddHandler directive for the .cgi extension.
AddHandler cgi-script .cgi
cgi-bin to function in any directory on the server which has the ExecCGI option within the directories container. Refer to Directory for more information about setting the ExecCGI option for a directory.
AddHandler directive is used to process server-parsed HTML and image-map files.
AddIcon specifies which icon to show in server generated directory listings for files with certain extensions. For example, the Web server is set to show the icon binary.gif for files with .bin or .exe extensions.
compressed.gif icon next to MIME encoded x-compress and x-gzip files in server generated directory listings.
text.gif next to files with a mime-type of text, in server generated directory listings.
AddLanguage associates file name extensions with specific languages. This directive is useful for Apache HTTP Servers which serve content in multiple languages based on the client Web browser's language settings.
AddType directive to define or override a default MIME type and file extension pairs. The following example directive tells the Apache HTTP Server to recognize the .tgz file extension:
AddType application/x-tar .tgz
Alias setting allows directories outside the DocumentRoot directory to be accessible. Any URL ending in the alias automatically resolves to the alias' path. By default, one alias for an icons/ directory is already set up. An icons/ directory can be accessed by the Web server, but the directory is not in the DocumentRoot.
Allow specifies which client can access a given directory. The client can be all, a domain name, an IP address, a partial IP address, a network/netmask pair, and so on. The DocumentRoot directory is configured to Allow requests from all, meaning everyone has access.
AllowOverride directive sets whether any Options can be overridden by the declarations in an .htaccess file. By default, both the root directory and the DocumentRoot are set to allow no .htaccess overrides.
BrowserMatch directive allows the server to define environment variables and take appropriate actions based on the User-Agent HTTP header field — which identifies the client's Web browser type. By default, the Web server uses BrowserMatch to deny connections to specific browsers with known problems and also to disable keepalives and HTTP header flushes for browsers that are known to have problems with those actions.
#) from the beginning of the line is sufficient. The following, however, is a list of some of the more important cache-related directives.
CacheEnable — Specifies whether the cache is a disk, memory, or file descriptor cache. By default CacheEnable configures a disk cache for URLs at or below /.
CacheRoot — Specifies the name of the directory containing cached files. The default CacheRoot is the /var/httpd/proxy/ directory.
CacheSize — Specifies how much space the cache can use in kilobytes. The default CacheSize is 5 KB.
CacheMaxExpire — Specifies how long HTML documents are retained (without a reload from the originating Web server) in the cache. The default is 24 hours (86400 seconds).
CacheLastModifiedFactor — Specifies the creation of an expiry (expiration) date for a document which did not come from its originating server with its own expiry set. The default CacheLastModifiedFactor is set to 0.1, meaning that the expiry date for such documents equals one-tenth of the amount of time since the document was last modified.
CacheDefaultExpire — Specifies the expiry time in hours for a document that was received using a protocol that does not support expiry times. The default is set to 1 hour (3600 seconds).
NoProxy — Specifies a space-separated list of subnets, IP addresses, domains, or hosts whose content is not cached. This setting is most useful for Intranet sites.
CacheNegotiatedDocs is set to on, this function is disabled and proxy servers are allowed to cache such documents.
CustomLog identifies the log file and the log file format. By default, the access log is recorded to the /var/log/httpd/access_log file while errors are recorded in the /var/log/httpd/error_log file.
CustomLog format is the combined log file format, as illustrated here:
remotehost rfc931 user date "request" status bytes referrer user-agentDefaultIcon specifies the icon displayed in server generated directory listings for files which have no other icon specified. The unknown.gif image file is the default.
DefaultType sets a default content type for the Web server to use for documents whose MIME types cannot be determined. The default is text/plain.
Deny works similar to Allow, except it specifies who is denied access. The DocumentRoot is not configured to Deny requests from anyone by default.
<Directory /path/to/directory> and </Directory> tags create a container used to enclose a group of configuration directives which apply only to a specific directory and its subdirectories. Any directive which is applicable to a directory may be used within Directory tags.
/), using the Options (refer to Options) and AllowOverride (refer to AllowOverride) directives. Under this configuration, any directory on the system which needs more permissive settings has to be explicitly given those settings.
Directory container is configured for the DocumentRoot which assigns less rigid parameters to the directory tree so that the Apache HTTP Server can access the files residing there.
Directory container can be also be used to configure additional cgi-bin directories for server-side applications outside of the directory specified in the ScriptAlias directive (refer to ScriptAlias for more information).
Directory container must set the ExecCGI option for that directory.
/home/my_cgi_directory, add the following Directory container to the httpd.conf file:
<Directory /home/my_cgi_directory> Options +ExecCGI </Directory>
AddHandler directive must be uncommented to identify files with the .cgi extension as CGI scripts. Refer to AddHandler for instructions on setting AddHandler.
DirectoryIndex is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.
example/this_directory/, they get either the DirectoryIndex page, if it exists, or a server-generated directory list. The default for DirectoryIndex is index.html and the index.html.var type map. The server tries to find either of these files and returns the first one it finds. If it does not find one of these files and Options Indexes is set for that directory, the server generates and returns a listing, in HTML format, of the subdirectories and files within the directory, unless the directory listing feature is turned off.
DocumentRoot is the directory which contains most of the HTML files which are served in response to requests. The default DocumentRoot, for both the non-secure and secure Web servers, is the /var/www/html directory. For example, the server might receive a request for the following document:
http://example.com/foo.html/var/www/html/foo.htmlDocumentRoot so that it is not shared by the secure and the non-secure Web servers, refer to Seção 23.7, “Virtual Hosts”.
ErrorDocument directive associates an HTTP response code with a message or a URL to be sent back to the client. By default, the Web server outputs a simple and usually cryptic error message when an error occurs. The ErrorDocument directive forces the Web server to instead output a customized message or page.
".
ErrorLog specifies the file where server errors are logged. By default, this directive is set to /var/log/httpd/error_log.
ExtendedStatus directive controls whether Apache generates basic (off) or detailed server status information (on), when the server-status handler is called. The server-status handler is called using Location tags. More information on calling server-status is included in Location.
Group is set to apache.
HeaderName names the file which, if it exists in the directory, is prepended to the start of server generated directory listings. Like ReadmeName, the server tries to include it as an HTML document if possible or in plain text if not.
HostnameLookups can be set to on, off, or double. If HostnameLookups is set to on, the server automatically resolves the IP address for each connection. Resolving the IP address means that the server makes one or more connections to a DNS server, adding processing overhead. If HostnameLookups is set to double, the server performs a double-reverse DNS look up adding even more processing overhead.
HostnameLookups is set to off by default.
IfDefine tags surround configuration directives that are applied if the "test" stated in the IfDefine tag is true. The directives are ignored if the test is false.
IfDefine tags is a parameter name (for example, HAVE_PERL). If the parameter is defined, meaning that it is provided as an argument to the server's start-up command, then the test is true. In this case, when the Web server is started, the test is true and the directives contained in the IfDefine tags are applied.
<IfModule> and </IfModule> tags create a conditional container which are only activated if the specified module is loaded. Directives within the IfModule container are processed under one of two conditions. The directives are processed if the module contained within the starting <IfModule> tag is loaded. Or, if an exclamation point ! appears before the module name, the directives are processed only if the module specified in the <IfModule> tag is not loaded.
ServerRoot.
mod_ssl, mod_perl, and php, the following directive must be included in Section 1: Global Environment of httpd.conf:
Include conf.d/*.conf
IndexIgnore lists file extensions, partial file names, wildcard expressions, or full file names. The Web server does not include any files which match any of those parameters in server generated directory listings.
IndexOptions controls the appearance of server generated directing listings, by adding icons, file descriptions, and so on. If Options Indexes is set (refer to Options), the Web server generates a directory listing when the Web server receives an HTTP request for a directory without an index.
DirectoryIndex directive (usually, index.html). If an index.html file is not found, Apache HTTP Server creates an HTML directory listing of the requested directory. The appearance of this directory listing is controlled, in part, by the IndexOptions directive.
FancyIndexing. This means that a user can re-sort a directory listing by clicking on column headers. Another click on the same header switches from ascending to descending order. FancyIndexing also shows different icons for different files, based upon file extensions.
AddDescription option, when used in conjunction with FancyIndexing, presents a short description for the file in server generated directory listings.
IndexOptions has a number of other parameters which can be set to control the appearance of server generated directories. The IconHeight and IconWidth parameters require the server to include HTML HEIGHT and WIDTH tags for the icons in server generated webpages. The IconsAreLinks parameter combines the graphical icon with the HTML link anchor, which contains the URL link target.
KeepAlive sets whether the server allows more than one request per connection and can be used to prevent any one client from consuming too much of the server's resources.
Keepalive is set to off. If Keepalive is set to on and the server becomes very busy, the server can quickly spawn the maximum number of child processes. In this situation, the server slows down significantly. If Keepalive is enabled, it is a good idea to set the KeepAliveTimeout low (refer to KeepAliveTimeout for more information about the KeepAliveTimeout directive) and monitor the /var/log/httpd/error_log log file on the server. This log reports when the server is running out of child processes.
KeepAliveTimeout sets the number of seconds the server waits after a request has been served before it closes the connection. Once the server receives a request, the Timeout directive applies instead. The KeepAliveTimeout directive is set to 15 seconds by default.
LanguagePriority sets precedence for different languages in case the client Web browser has no language preference set.
Listen command identifies the ports on which the Web server accepts incoming requests. By default, the Apache HTTP Server is set to listen to port 80 for non-secure Web communications and (in the /etc/httpd/conf.d/ssl.conf file which defines any secure servers) to port 443 for secure Web communications.
httpd can be started as a regular user.
Listen directive can also be used to specify particular IP addresses over which the server accepts connections.
LoadModule is used to load Dynamic Shared Object (DSO) modules. More information on the Apache HTTP Server's DSO support, including instructions for using the LoadModule directive, can be found in Seção 23.6, “Adding Modules”. Note, the load order of the modules is no longer important with Apache HTTP Server 2.0. Refer to Seção 23.2.2.1.3, “Dynamic Shared Object (DSO) Support” for more information about Apache HTTP Server 2.0 DSO support.
<Location> and </Location> tags create a container in which access control based on URL can be specified.
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from <.example.com>
</Location><.example.com> with the second-level domain name for the Web server.
<Location /server-info>
SetHandler server-info
Order deny,allow
Deny from all
Allow from <.example.com>
</Location><.example.com> with the second-level domain name for the Web server.
LogFormat directive configures the format of the various Web server log files. The actual LogFormat used depends on the settings given in the CustomLog directive (refer to CustomLog).
CustomLog directive is set to combined:
%h (remote host's IP address or hostname) HostnameLookups is set to on, the client hostname is recorded unless it is not available from DNS.
%l (rfc931) %u (authenticated user) %t (date) %r (request string) %s (status) %b (bytes) %\"%{Referer}i\" (referrer) %\"%{User-Agent}i\" (user-agent) LogLevel sets how verbose the error messages in the error logs are. LogLevel can be set (from least verbose to most verbose) to emerg, alert, crit, error, warn, notice, info, or debug. The default LogLevel is warn.
MaxKeepAliveRequests is set to 100 by default, which should be appropriate for most situations.
NameVirtualHost directive associates an IP address and port number, if necessary, for any name-based virtual hosts. Name-based virtual hosting allows one Apache HTTP Server to serve different domains without using multiple IP addresses.
NameVirtualHost configuration directive and add the correct IP address. Then add additional VirtualHost containers for each virtual host as is necessary for your configuration.
Options directive controls which server features are available in a particular directory. For example, under the restrictive parameters specified for the root directory, Options is only set to the FollowSymLinks directive. No features are enabled, except that the server is allowed to follow symbolic links in the root directory.
DocumentRoot directory, Options is set to include Indexes and FollowSymLinks. Indexes permits the server to generate a directory listing for a directory if no DirectoryIndex (for example, index.html) is specified. FollowSymLinks allows the server to follow symbolic links in that directory.
Options statements from the main server configuration section need to be replicated to each VirtualHost container individually. Refer to VirtualHost for more information.
Order directive controls the order in which allow and deny directives are evaluated. The server is configured to evaluate the Allow directives before the Deny directives for the DocumentRoot directory.
PidFile names the file where the server records its process ID (PID). By default the PID is listed in /var/run/httpd.pid.
<Proxy *> and </Proxy> tags create a container which encloses a group of configuration directives meant to apply only to the proxy server. Many directives which are allowed within a <Directory> container may also be used within <Proxy> container.
#) from the beginning of the <IfModule mod_proxy.c> line, the ProxyRequests, and each line in the <Proxy> stanza. Set the ProxyRequests directive to On, and set which domains are allowed access to the server in the Allow from directive of the <Proxy> stanza.
ReadmeName names the file which, if it exists in the directory, is appended to the end of server generated directory listings. The Web server first tries to include the file as an HTML document and then tries to include it as plain text. By default, ReadmeName is set to README.html.
Redirect can be used to map the file location to a new URL. The format is as follows:
Redirect /<old-path>/<file-name>http://<current-domain>/<current-path>/<file-name>
<old-path> with the old path information for <file-name> and <current-domain> and <current-path> with the current domain and path information for <file-name>.
<file-name> at the old location is automatically redirected to the new location.
mod_rewrite module included with the Apache HTTP Server. For more information about configuring the mod_rewrite module, refer to the Apache Software Foundation documentation online at http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html.
ScriptAlias directive defines where CGI scripts are located. Generally, it is not good practice to leave CGI scripts within the DocumentRoot, where they can potentially be viewed as text documents. For this reason, a special directory outside of the DocumentRoot directory containing server-side executables and scripts is designated by the ScriptAlias directive. This directory is known as a cgi-bin and is set to /var/www/cgi-bin/ by default.
cgi-bin/ directory. For instructions on doing so, refer to AddHandler and Directory.
ServerAdmin directive to the email address of the Web server administrator. This email address shows up in error messages on server-generated Web pages, so users can report a problem by sending email to the server administrator.
ServerAdmin is set to root@localhost.
ServerAdmin is to set it to webmaster@example.com. Once set, alias webmaster to the person responsible for the Web server in /etc/aliases and run /usr/bin/newaliases.
ServerName specifies a hostname and port number (matching the Listen directive) for the server. The ServerName does not need to match the machine's actual hostname. For example, the Web server may be www.example.com, but the server's hostname is actually foo.example.com. The value specified in ServerName must be a valid Domain Name Service (DNS) name that can be resolved by the system — do not make something up.
ServerName directive:
ServerName www.example.com:80
ServerName, be sure the IP address and server name pair are included in the /etc/hosts file.
ServerRoot directive specifies the top-level directory containing website content. By default, ServerRoot is set to "/etc/httpd" for both secure and non-secure servers.
ServerSignature directive adds a line containing the Apache HTTP Server server version and the ServerName to any server-generated documents, such as error messages sent back to clients. ServerSignature is set to on by default.
ServerSignature can be set to EMail which adds a mailto:ServerAdmin HTML tag to the signature line of auto-generated responses. ServerSignature can also be set to Off to stop Apache from sending out its version number and module information. Please also check the ServerTokens settings.
ServerTokens directive determines if the Server response header field sent back to clients should include details of the Operating System type and information about compiled-in modules. By default, ServerTokens is set to Full which sends information about the Operating System type and compiled-in modules. Setting the ServerTokens to Prod sends the product name only and is recommended as many hackers check information in the Server header when scanning for vulnerabilities. You can also set the ServerTokens to Min (minimal) or to OS (operating system).
SuexecUserGroup directive, which originates from the mod_suexec module, allows the specification of user and group execution privileges for CGI programs. Non-CGI requests are still processed with the user and group specified in the User and Group directives.
SuexecUserGroup directive replaced the Apache HTTP Server 1.3 configuration of using the User and Group directives inside the configuration of VirtualHosts sections.
Timeout defines, in seconds, the amount of time that the server waits for receipts and transmissions during communications. Timeout is set to 300 seconds by default, which is appropriate for most situations.
TypesConfig names the file which sets the default list of MIME type mappings (file name extensions to content types). The default TypesConfig file is /etc/mime.types. Instead of editing /etc/mime.types, the recommended way to add MIME type mappings is to use the AddType directive.
AddType, refer to AddType.
on, this directive configures the Apache HTTP Server to reference itself using the value specified in the ServerName and Port directives. When UseCanonicalName is set to off, the server instead uses the value used by the requesting client when referring to itself.
UseCanonicalName is set to off by default.
User directive sets the username of the server process and determines what files the server is allowed to access. Any files inaccessible to this user are also inaccessible to clients connecting to the Apache HTTP Server.
User is set to apache.
UserDir is the subdirectory within each user's home directory where they should place personal HTML files which are served by the Web server. This directive is set to disable by default.
public_html in the default configuration. For example, the server might receive the following request:
http://example.com/~username/foo.html/home/username/public_html/foo.html/home/username/ is the user's home directory (note that the default path to users' home directories may vary).
public_html directories (0755 also works). Files that are served in a users' public_html directories must be set to at least 0644.
<VirtualHost> and </VirtualHost> tags create a container outlining the characteristics of a virtual host. The VirtualHost container accepts most configuration directives.
VirtualHost container is provided in httpd.conf, which illustrates the minimum set of configuration directives necessary for each virtual host. Refer to Seção 23.7, “Virtual Hosts” for more information about virtual hosts.
/etc/httpd/conf.d/ssl.conf.
/etc/httpd/conf.d/ssl.conf file can be configured to enable secure Web communications using SSL and TLS.
SetEnvIf sets environment variables based on the headers of incoming connections. It is not solely an SSL directive, though it is present in the supplied /etc/httpd/conf.d/ssl.conf file. It's purpose in this context is to disable HTTP keepalive and to allow SSL to close the connection without a closing notification from the client browser. This setting is necessary for certain browsers that do not reliably shut down the SSL connection.
IfModule container is necessary to define the server-pool for the MPM in use.
prefork and worker MPMs.
MaxClients sets a limit on the total number of server processes, or simultaneously connected clients, that can run at one time. The main purpose of this directive is to keep a runaway Apache HTTP Server from crashing the operating system. For busy servers this value should be set to a high value. The server's default is set to 150 regardless of the MPM in use. However, it is not recommended that the value for MaxClients exceeds 256 when using the prefork MPM.
MaxRequestsPerChild sets the total number of requests each child server process serves before the child dies. The main reason for setting MaxRequestsPerChild is to avoid long-lived process induced memory leaks. The default MaxRequestsPerChild for the prefork MPM is 4000 and for the worker MPM is 0.
prefork MPM. They adjust how the Apache HTTP Server dynamically adapts to the perceived load by maintaining an appropriate number of spare server processes based on the number of incoming requests. The server checks the number of servers waiting for a request and kills some if there are more than MaxSpareServers or creates some if the number of servers is less than MinSpareServers.
MinSpareServers value is 5; the default MaxSpareServers value is 20. These default settings should be appropriate for most situations. Be careful not to increase the MinSpareServers to a large number as doing so creates a heavy processing load on the server even when traffic is light.
worker MPM. They adjust how the Apache HTTP Server dynamically adapts to the perceived load by maintaining an appropriate number of spare server threads based on the number of incoming requests. The server checks the number of server threads waiting for a request and kills some if there are more than MaxSpareThreads or creates some if the number of servers is less than MinSpareThreads.
MinSpareThreads value is 25; the default MaxSpareThreads value is 75. These default settings should be appropriate for most situations. The value for MaxSpareThreads must be greater than or equal to the sum of MinSpareThreads and ThreadsPerChild, else the Apache HTTP Server automatically corrects it.
StartServers directive sets how many server processes are created upon startup. Since the Web server dynamically kills and creates server processes based on traffic load, it is not necessary to change this parameter. The Web server is set to start 8 server processes at startup for the prefork MPM and 2 for the worker MPM.
http-manual package is installed, documentation about DSOs can be found online at http://localhost/manual/mod/.
LoadModule directive within /etc/httpd/conf/httpd.conf. If the module is provided by a separate package, the line must appear within the modules configuration file in the /etc/httpd/conf.d/ directory. Refer to LoadModule for more information.
http.conf, Apache HTTP Server must be reloaded or restarted, as referred to in Seção 23.3, “Starting and Stopping httpd”.
httpd-devel package which contains the include files, the header files, as well as the APache eXtenSion (/usr/sbin/apxs) application, which uses the include files and the header files to compile DSOs.
/usr/sbin/apxs to compile the module sources outside the Apache source tree. For more information about using the /usr/sbin/apxs command, refer to the Apache documentation online at http://httpd.apache.org/docs/2.2/dso.html as well as the apxs man page.
/usr/lib/httpd/modules/ directory. For RHEL platforms using default-64-bit userspace (x86_64, ia64, ?) this path will be /usr/lib64/httpd/modules/. Then add a LoadModule line to the httpd.conf, using the following structure:
LoadModule <module-name> <path/to/module.so><module-name> is the name of the module and <path/to/module.so> is the path to the DSO.
httpd.conf as an example.
#NameVirtualHost *:80 # #<VirtualHost *:80> # ServerAdmin webmaster@dummy-host.example.com # DocumentRoot /www/docs/dummy-host.example.com # ServerName dummy-host.example.com # ErrorLog logs/dummy-host.example.com-error_log # CustomLog logs/dummy-host.example.com-access_log common #</VirtualHost>
NameVirtualHost line by removing the hash mark (#) and replace the asterisk (*) with the IP address assigned to the machine.
<VirtualHost> container.
<VirtualHost> line, change the asterisk (*) to the server's IP address. Change the ServerName to a valid DNS name assigned to the machine, and configure the other directives as necessary.
<VirtualHost> container is highly customizable and accepts almost every directive available within the main server configuration.
Listen directive in the global settings section of /etc/httpd/conf/httpd.conf file.
httpd” for further instructions.
mod_ssl security module enabled to use the OpenSSL library and toolkit. The combination of these three components are referred to in this section as the secure Web server or just as the secure server.
mod_ssl module is a security module for the Apache HTTP Server. The mod_ssl module uses the tools provided by the OpenSSL Project to add a very important feature to the Apache HTTP Server — the ability to encrypt communications. In contrast, regular HTTP communications between a browser and a Web server are sent in plain text, which could be intercepted and read by someone along the route between the browser and the server.
mod_ssl configuration file is located at /etc/httpd/conf.d/ssl.conf. For this file to be loaded, and hence for mod_ssl to work, you must have the statement Include conf.d/*.conf in the /etc/httpd/conf/httpd.conf file. This statement is included by default in the default Apache HTTP Server configuration file.
httpdhttpd package contains the httpd daemon and related utilities, configuration files, icons, Apache HTTP Server modules, man pages, and other files used by the Apache HTTP Server.
mod_sslmod_ssl package includes the mod_ssl module, which provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
opensslopenssl package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols, and also includes a general purpose cryptography library.
https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the navigation bar.
/etc/pki/tls/private/server.key/etc/pki/tls/certs/server.crthttpsd.key) and certificate (httpsd.crt) are located in /etc/httpd/conf/. Move and rename your key and certificate so that the secure server can use them. Use the following two commands to move and rename your key and certificate files:
mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/server.keymv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/server.crt
service httpd startcd command to change to the /etc/pki/tls/ directory. Remove the fake key and certificate that were generated during the installation with the following commands:
rm private/server.keyrm certs/server.crt
crypto-utils package contains the genkey utility which you can use to generate keys as the name implies. To create your own private key, please ensure the crypto-utils package is installed. You can view more options by typing man genkey in your terminal. Assuming you wish to generate keys for www.example.com using the genkey utility, type in the following command in your terminal:
genkey www.example.commake based process is no longer shipped with RHEL 5. This will start the genkey graphical user interface. The figure below illustrates the first screen. To navigate, use the keyboard arrow and tab keys. This windows indicates where your key will be stored and prompts you to proceed or cancel the operation. To proceed to the next step, select Next and press the Return (Enter) key.
genkey www.example.com on a server that already has an existing key pair for the particular hostname, an error message will be displayed as illustrated below. You need to delete your existing key file as indicated to generate a new key pair.
/etc/pki/tls/certs/www.example.com.crt
/etc/httpd/conf.d/ssl.conf. Change the SSLCertificateFile and SSLCertificateKey lines to be.
SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.keyNote that the “www.example.com” part should match the argument passed on the
genkey command.
mod_ssl.
vsftpd.
vsftpd — A fast, secure FTP daemon which is the preferred FTP server for Red Hat Enterprise Linux. The remainder of this chapter focuses on vsftpd.
vsftpdvsftpd) is designed from the ground up to be fast, stable, and, most importantly, secure. vsftpd is the only stand-alone FTP server distributed with Red Hat Enterprise Linux, due to its ability to handle large numbers of connections efficiently and securely.
vsftpd has three primary aspects:
libcap library, tasks that usually require full root privileges can be executed more safely from a less privileged process.
chroot jail — Whenever possible, processes are change-rooted to the directory being shared; this directory is then considered a chroot jail. For example, if the directory /var/ftp/ is the primary shared directory, vsftpd reassigns /var/ftp/ to the new root directory, known as /. This disallows any potential malicious hacker activities for any directories not contained below the new root directory.
vsftpd deals with requests:
vsftpd launches unprivileged child processes to handle incoming connections. This allows the privileged, parent process to be as small as possible and handle relatively few tasks.
chroot jail — Because these child processes are unprivileged and only have access to the directory being shared, any crashed processes only allows the attacker access to the shared files.
vsftpdvsftpd RPM installs the daemon (/usr/sbin/vsftpd), its configuration and related files, as well as FTP directories onto the system. The following lists the files and directories related to vsftpd configuration:
/etc/rc.d/init.d/vsftpd — The initialization script (initscript) used by the /sbin/service command to start, stop, or reload vsftpd. Refer to Seção 24.4, “Starting and Stopping vsftpd” for more information about using this script.
/etc/pam.d/vsftpd — The Pluggable Authentication Modules (PAM) configuration file for vsftpd. This file specifies the requirements a user must meet to login to the FTP server. For more information, refer to Seção 46.4, “Módulos de Autenticação Plugáveis (Pluggable Authentication Modules - PAM)”.
/etc/vsftpd/vsftpd.conf — The configuration file for vsftpd. Refer to Seção 24.5, “vsftpd Configuration Options” for a list of important options contained within this file.
/etc/vsftpd.ftpusers — A list of users not allowed to log into vsftpd. By default, this list includes the root, bin, and daemon users, among others.
/etc/vsftpd.user_list — This file can be configured to either deny or allow access to the users listed, depending on whether the userlist_deny directive is set to YES (default) or NO in /etc/vsftpd/vsftpd.conf. If /etc/vsftpd.user_list is used to grant access to users, the usernames listed must not appear in /etc/vsftpd.ftpusers.
/var/ftp/ — The directory containing files served by vsftpd. It also contains the /var/ftp/pub/ directory for anonymous users. Both directories are world-readable, but writable only by the root user.
vsftpdvsftpd RPM installs the /etc/rc.d/init.d/vsftpd script, which can be accessed using the /sbin/service command.
service vsftpd startservice vsftpd stoprestart option is a shorthand way of stopping and then starting vsftpd. This is the most efficient way to make configuration changes take effect after editing the configuration file for vsftpd.
service vsftpd restartcondrestart (conditional restart) option only starts vsftpd if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
service vsftpd condrestartvsftpd service does not start automatically at boot time. To configure the vsftpd service to start at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. Refer to Capítulo 17, Controlando Acesso aos Serviços for more information regarding these tools.
vsftpdvsftpd is by running multiple copies of the daemon, each with its own configuration file.
vsftpd to answer requests on different IP addresses, multiple copies of the daemon must be running. The first copy must be run using the vsftpd initscripts, as outlined in Seção 24.4, “Starting and Stopping vsftpd”. This copy uses the standard configuration file, /etc/vsftpd/vsftpd.conf.
/etc/vsftpd/ directory, such as /etc/vsftpd/vsftpd-site-2.conf. Each configuration file must be readable and writable only by root. Within each configuration file for each FTP server listening on an IPv4 network, the following directive must be unique:
listen_address=N.N.N.NN.N.N.N with the unique IP address for the FTP site being served. If the site is using IPv6, use the listen_address6 directive instead.
vsftpd daemon must be launched from a root shell prompt using the following command:
vsftpd /etc/vsftpd/<configuration-file> [amp ]<configuration-file> with the unique name for the server's configuration file, such as /etc/vsftpd/vsftpd-site-2.conf.
anon_root
local_root
vsftpd_log_file
xferlog_file
vsftpd's configuration file, refer to Seção 24.5, “vsftpd Configuration Options”.
/etc/rc.local file.
vsftpd Configuration Optionsvsftpd may not offer the level of customization other widely available FTP servers have, it offers enough options to fill most administrator's needs. The fact that it is not overly feature-laden limits configuration and programmatic errors.
vsftpd is handled by its configuration file, /etc/vsftpd/vsftpd.conf. Each directive is on its own line within the file and follows the following format:
<directive>=<value>
<directive> with a valid directive and <value> with a valid value.
<directive>, equal symbol, and the <value> in a directive.
#) and are ignored by the daemon.
vsftpd.conf.
vsftpd, refer to Seção 46.2, “Segurança do Servidor”.
/etc/vsftpd/vsftpd.conf. All directives not explicitly found within vsftpd's configuration file are set to their default value.
vsftpd daemon.
listen — When enabled, vsftpd runs in stand-alone mode. Red Hat Enterprise Linux sets this value to YES. This directive cannot be used in conjunction with the listen_ipv6 directive.
NO.
listen_ipv6 — When enabled, vsftpd runs in stand-alone mode, but listens only to IPv6 sockets. This directive cannot be used in conjunction with the listen directive.
NO.
session_support — When enabled, vsftpd attempts to maintain login sessions for each user through Pluggable Authentication Modules (PAM). Refer to Seção 46.4, “Módulos de Autenticação Plugáveis (Pluggable Authentication Modules - PAM)” for more information. If session logging is not necessary, disabling this option allows vsftpd to run with less processes and lower privileges.
YES.
anonymous_enable — When enabled, anonymous users are allowed to log in. The usernames anonymous and ftp are accepted.
YES.
banned_email_file — If the deny_email_enable directive is set to YES, this directive specifies the file containing a list of anonymous email passwords which are not permitted access to the server.
/etc/vsftpd.banned_emails.
banner_file — Specifies the file containing text displayed when a connection is established to the server. This option overrides any text specified in the ftpd_banner directive.
cmds_allowed — Specifies a comma-delimited list of FTP commands allowed by the server. All other commands are rejected.
deny_email_enable — When enabled, any anonymous user utilizing email passwords specified in the /etc/vsftpd.banned_emails are denied access to the server. The name of the file referenced by this directive can be specified using the banned_email_file directive.
NO.
ftpd_banner — When enabled, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by the banner_file directive.
vsftpd displays its standard banner.
local_enable — When enabled, local users are allowed to log into the system.
YES.
pam_service_name — Specifies the PAM service name for vsftpd.
ftp. On Red Hat Enterprise Linux 5.8, this option is set to vsftpd in the configuration file.
tcp_wrappers — When enabled, TCP wrappers are used to grant access to the server. If the FTP server is configured on multiple IP addresses, the VSFTPD_LOAD_CONF option can be used to load different configuration files based on the IP address being requested by the client.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
userlist_deny — When used in conjunction with the userlist_enable directive and set to NO, all local users are denied access unless the username is listed in the file specified by the userlist_file directive. Because access is denied before the client is asked for a password, setting this directive to NO prevents local users from submitting unencrypted passwords over the network.
YES.
userlist_enable — When enabled, the users listed in the file specified by the userlist_file directive are denied access. Because access is denied before the client is asked for a password, users are prevented from submitting unencrypted passwords over the network.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
userlist_file — Specifies the file referenced by vsftpd when the userlist_enable directive is enabled.
/etc/vsftpd.user_list and is created during installation.
anonymous_enable directive must be set to YES.
anon_mkdir_write_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to create new directories within a parent directory which has write permissions.
NO.
anon_root — Specifies the directory vsftpd changes to after an anonymous user logs in.
anon_upload_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to upload files within a parent directory which has write permissions.
NO.
anon_world_readable_only — When enabled, anonymous users are only allowed to download world-readable files.
YES.
ftp_username — Specifies the local user account (listed in /etc/passwd) used for the anonymous FTP user. The home directory specified in /etc/passwd for the user is the root directory of the anonymous FTP user.
ftp.
no_anon_password — When enabled, the anonymous user is not asked for a password.
NO.
secure_email_list_enable — When enabled, only a specified list of email passwords for anonymous logins are accepted. This is a convenient way to offer limited security to public content without the need for virtual users.
/etc/vsftpd.email_passwords. The file format is one password per line, with no trailing white spaces.
NO.
local_enable directive must be set to YES.
chmod_enable — When enabled, the FTP command SITE CHMOD is allowed for local users. This command allows the users to change the permissions on files.
YES.
chroot_list_enable — When enabled, the local users listed in the file specified in the chroot_list_file directive are placed in a chroot jail upon log in.
chroot_local_user directive, the local users listed in the file specified in the chroot_list_file directive are not placed in a chroot jail upon log in.
NO.
chroot_list_file — Specifies the file containing a list of local users referenced when the chroot_list_enable directive is set to YES.
/etc/vsftpd.chroot_list.
chroot_local_user — When enabled, local users are change-rooted to their home directories after logging in.
NO.
chroot_local_user opens up a number of security issues, especially for users with upload privileges. For this reason, it is not recommended.
guest_enable — When enabled, all non-anonymous users are logged in as the user guest, which is the local user specified in the guest_username directive.
NO.
guest_username — Specifies the username the guest user is mapped to.
ftp.
local_root — Specifies the directory vsftpd changes to after a local user logs in.
local_umask — Specifies the umask value for file creation. Note that the default value is in octal form (a numerical system with a base of eight), which includes a "0" prefix. Otherwise the value is treated as a base-10 integer.
022.
passwd_chroot_enable — When enabled in conjunction with the chroot_local_user directive, vsftpd change-roots local users based on the occurrence of the /./ in the home directory field within /etc/passwd.
NO.
user_config_dir — Specifies the path to a directory containing configuration files bearing the name of local system users that contain specific setting for that user. Any directive in the user's configuration file overrides those found in /etc/vsftpd/vsftpd.conf.
dirlist_enable — When enabled, users are allowed to view directory lists.
YES.
dirmessage_enable — When enabled, a message is displayed whenever a user enters a directory with a message file. This message resides within the current directory. The name of this file is specified in the message_file directive and is .message by default.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
force_dot_files — When enabled, files beginning with a dot (.) are listed in directory listings, with the exception of the . and .. files.
NO.
hide_ids — When enabled, all directory listings show ftp as the user and group for each file.
NO.
message_file — Specifies the name of the message file when using the dirmessage_enable directive.
.message.
text_userdb_names — When enabled, text usernames and group names are used in place of UID and GID entries. Enabling this option may slow performance of the server.
NO.
use_localtime — When enabled, directory listings reveal the local time for the computer instead of GMT.
NO.
download_enable — When enabled, file downloads are permitted.
YES.
chown_uploads — When enabled, all files uploaded by anonymous users are owned by the user specified in the chown_username directive.
NO.
chown_username — Specifies the ownership of anonymously uploaded files if the chown_uploads directive is enabled.
root.
write_enable — When enabled, FTP commands which can change the file system are allowed, such as DELE, RNFR, and STOR.
YES.
vsftpd's logging behavior.
dual_log_enable — When enabled in conjunction with xferlog_enable, vsftpd writes two files simultaneously: a wu-ftpd-compatible log to the file specified in the xferlog_file directive (/var/log/xferlog by default) and a standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default).
NO.
log_ftp_protocol — When enabled in conjunction with xferlog_enable and with xferlog_std_format set to NO, all FTP commands and responses are logged. This directive is useful for debugging.
NO.
syslog_enable — When enabled in conjunction with xferlog_enable, all logging normally written to the standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default) is sent to the system logger instead under the FTPD facility.
NO.
vsftpd_log_file — Specifies the vsftpd log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must either be set to NO or, if xferlog_std_format is set to YES, dual_log_enable must be enabled. It is important to note that if syslog_enable is set to YES, the system log is used instead of the file specified in this directive.
/var/log/vsftpd.log.
xferlog_enable — When enabled, vsftpd logs connections (vsftpd format only) and file transfer information to the log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default). If xferlog_std_format is set to YES, file transfer information is logged but connections are not, and the log file specified in xferlog_file (/var/log/xferlog by default) is used instead. It is important to note that both log files and log formats are used if dual_log_enable is set to YES.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
xferlog_file — Specifies the wu-ftpd-compatible log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must be set to YES. It is also used if dual_log_enable is set to YES.
/var/log/xferlog.
xferlog_std_format — When enabled in conjunction with xferlog_enable, only a wu-ftpd-compatible file transfer log is written to the file specified in the xferlog_file directive (/var/log/xferlog by default). It is important to note that this file only logs file transfers and does not log connections to the server.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
wu-ftpd FTP server, the xferlog_std_format directive is set to YES under Red Hat Enterprise Linux. However, this setting means that connections to the server are not logged.
vsftpd format and maintain a wu-ftpd-compatible file transfer log, set dual_log_enable to YES.
wu-ftpd-compatible file transfer log is not important, either set xferlog_std_format to NO, comment the line with a hash mark (#), or delete the line entirely.
vsftpd interacts with the network.
accept_timeout — Specifies the amount of time for a client using passive mode to establish a connection.
60.
anon_max_rate — Specifies the maximum data transfer rate for anonymous users in bytes per second.
0, which does not limit the transfer rate.
connect_from_port_20 When enabled, vsftpd runs with enough privileges to open port 20 on the server during active mode data transfers. Disabling this option allows vsftpd to run with less privileges, but may be incompatible with some FTP clients.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
connect_timeout — Specifies the maximum amount of time a client using active mode has to respond to a data connection, in seconds.
60.
data_connection_timeout — Specifies maximum amount of time data transfers are allowed to stall, in seconds. Once triggered, the connection to the remote client is closed.
300.
ftp_data_port — Specifies the port used for active data connections when connect_from_port_20 is set to YES.
20.
idle_session_timeout — Specifies the maximum amount of time between commands from a remote client. Once triggered, the connection to the remote client is closed.
300.
listen_address — Specifies the IP address on which vsftpd listens for network connections.
vsftpd serving different IP addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. Refer to Seção 24.4.1, “Starting Multiple Copies of vsftpd” for more information about multihomed FTP servers.
listen_address6 — Specifies the IPv6 address on which vsftpd listens for network connections when listen_ipv6 is set to YES.
vsftpd serving different IP addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. Refer to Seção 24.4.1, “Starting Multiple Copies of vsftpd” for more information about multihomed FTP servers.
listen_port — Specifies the port on which vsftpd listens for network connections.
21.
local_max_rate — Specifies the maximum rate data is transferred for local users logged into the server in bytes per second.
0, which does not limit the transfer rate.
max_clients — Specifies the maximum number of simultaneous clients allowed to connect to the server when it is running in standalone mode. Any additional client connections would result in an error message.
0, which does not limit connections.
max_per_ip — Specifies the maximum of clients allowed to connected from the same source IP address.
0, which does not limit connections.
pasv_address — Specifies the IP address for the public facing IP address of the server for servers behind Network Address Translation (NAT) firewalls. This enables vsftpd to hand out the correct return address for passive mode connections.
pasv_enable — When enabled, passive mode connects are allowed.
YES.
pasv_max_port — Specifies the highest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
0, which does not limit the highest passive port range. The value must not exceed 65535.
pasv_min_port — Specifies the lowest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
0, which does not limit the lowest passive port range. The value must not be lower 1024.
pasv_promiscuous — When enabled, data connections are not checked to make sure they are originating from the same IP address. This setting is only useful for certain types of tunneling.
NO.
port_enable — When enabled, active mode connects are allowed.
YES.
vsftpd, refer to the following resources.
/usr/share/doc/vsftpd-<version-number>/ directory — Replace <version-number> with the installed version of the vsftpd package. This directory contains a README with basic information about the software. The TUNING file contains basic performance tuning tips and the SECURITY/ directory contains information about the security model employed by vsftpd.
vsftpd related man pages — There are a number of man pages for the daemon and configuration files. The following lists some of the more important man pages.
man vsftpd — Describes available command line options for vsftpd.
man vsftpd.conf — Contains a detailed list of options available within the configuration file for vsftpd.
man 5 hosts_access — Describes the format and options available within the TCP wrappers configuration files: hosts.allow and hosts.deny.
vsftpd project page is a great place to locate the latest documentation and to contact the author of the software.
/usr/sbin/sendmail) is the default SMTP program under Red Hat Enterprise Linux. However, a simpler mail server application called Postfix (/usr/sbin/postfix) is also available.
/usr/lib/cyrus-imapd/pop3d and is provided by the cyrus-imapd package. When using a POP server, email messages are downloaded by email client applications. By default, most POP email clients are automatically configured to delete the message on the email server after it has been successfully transferred, however this setting usually can be changed.
ipop3s service or by using the /usr/sbin/stunnel program. Refer to Seção 25.6.1, “Securing Communication” for more information.
/usr/lib/cyrus-imapd/imapd and is provided by the cyrus-imapd package. When using an IMAP mail server, email messages remain on the server where users can read or delete them. IMAP also allows client applications to create, rename, or delete mail directories on the server to organize and store email.
imaps service, or by using the /usr/sbin/stunnel program. Refer to Seção 25.6.1, “Securing Communication” for more information.
imap-login and pop3-login daemons which implement the IMAP and POP3 protocols are included in the dovecot package. The use of IMAP and POP is configured through dovecot; by default dovecot runs only IMAP. To configure dovecot to use POP:
/etc/dovecot.conf to have the line:
protocols = imap imaps pop3 pop3s
service dovecot restartchkconfig dovecot ondovecot only reports that it started the IMAP server, but also starts the POP3 server.
dovecot configuration file /etc/pki/dovecot/dovecot-openssl.conf as you prefer. However in a typical installation, this file does not require modification.
/etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem.
/usr/share/doc/dovecot-1.0/examples/mkcert.sh script which creates the dovecot self signed certificates. The certificates are copied in the /etc/pki/dovecot/certs and /etc/pki/dovecot/private directories. To implement the changes, restart dovecot (/sbin/service dovecot restart).
dovecot can be found online at http://www.dovecot.org.
mail or Procmail.
mutt.
/usr/sbin/sendmail.
/etc/mail/sendmail.cf. Avoid editing the sendmail.cf file directly. To make configuration changes to Sendmail, edit the /etc/mail/sendmail.mc file, back up the original /etc/mail/sendmail.cf, and use the following alternatives to generate a new configuration file:
/etc/mail (make all -C /etc/mail) to create a new /etc/mail/sendmail.cf configuration file. All other generated files in /etc/mail (db files) will be regenerated if needed. The old makemap commands are still usable. The make command will automatically be used by service sendmail start | restart | reload if the make package is installed.
m4 macro processor to create a new /etc/mail/sendmail.cf.
/etc/mail/ directory including:
access — Specifies which systems can use Sendmail for outbound email.
domaintable — Specifies domain name mapping.
local-host-names — Specifies aliases for the host.
mailertable — Specifies instructions that override routing for particular domains.
virtusertable — Specifies a domain-specific form of aliasing, allowing multiple virtual domains to be hosted on one machine.
/etc/mail/, such as access, domaintable, mailertable and virtusertable, must actually store their information in database files before Sendmail can use any configuration changes. To include any changes made to these configurations in their database files, run the following command:
makemap hash /etc/mail/<name> < /etc/mail/<name>
<name> is replaced with the name of the configuration file to convert.
example.com domain delivered to bob@other-example.com
, add the following line to the virtusertable file:
@example.com bob@other-example.com
virtusertable.db file must be updated using the following command as root:
makemap hash /etc/mail/virtusertable < /etc/mail/virtusertablevirtusertable.db file containing the new configuration.
/etc/mail/sendmail.cf file.
sendmail.cf file, it is a good idea to create a backup copy.
/etc/mail/sendmail.mc file as the root user. When finished, use the m4 macro processor to generate a new sendmail.cf by executing the following command:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cfm4 macro processor is installed with Sendmail but is part of the m4 package.
/etc/mail/sendmail.cf file, restart Sendmail for the changes to take effect. The easiest way to do this is to type the following command:
service sendmail restartsendmail.cf file does not allow Sendmail to accept network connections from any host other than the local computer. To configure Sendmail as a server for other clients, edit the /etc/mail/sendmail.mc file, and either change the address specified in the Addr= option of the DAEMON_OPTIONS directive from 127.0.0.1 to the IP address of an active network device or comment out the DAEMON_OPTIONS directive all together by placing dnl at the beginning of the line. When finished, regenerate /etc/mail/sendmail.cf by executing the following command:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf/etc/mail/sendmail.mc file must be reconfigured and a new /etc/mail/sendmail.cf must be generated.
/usr/share/sendmail-cf/README file before editing any files in the directories under the /usr/share/sendmail-cf directory, as they can affect the future configuration of /etc/mail/sendmail.cf files.
mail.example.com that handles all of their email and assigns a consistent return address to all outgoing mail.
user@example.com instead of user@host.example.com.
/etc/mail/sendmail.mc:
FEATURE(always_add_domain)dnl FEATURE(`masquerade_entire_domain')dnl FEATURE(`masquerade_envelope')dnl FEATURE(`allmasquerade')dnl MASQUERADE_AS(`bigcorp.com.')dnl MASQUERADE_DOMAIN(`bigcorp.com.')dnl MASQUERADE_AS(bigcorp.com)dnl
sendmail.cf using m4, this configuration makes all mail from inside the network appear as if it were sent from bigcorp.com.
x.edu) to accept messages from one party (y.com) and sent them to a different party (z.net). Now, however, Sendmail must be configured to permit any domain to relay mail through the server. To configure relay domains, edit the /etc/mail/relay-domains file and restart Sendmail.
/etc/mail/access file can be used to prevent connections from unwanted hosts. The following example illustrates how this file can be used to both block and specifically allow access to the Sendmail server:
badspammer.com ERROR:550 "Go away and do not spam us anymore" tux.badspammer.com OK 10.0 RELAY
badspammer.com is blocked with a 550 RFC-821 compliant error code, with a message sent back to the spammer. Email sent from the tux.badspammer.com sub-domain, is accepted. The last line shows that any email sent from the 10.0.*.* network can be relayed through the mail server.
/etc/mail/access.db is a database, use makemap to activate any changes. Do this using the following command as root:
makemap hash /etc/mail/access < /etc/mail/access/usr/share/sendmail-cf/README for more information and examples.
aliases and virtusertables, on different mail servers that work together to support a medium- to enterprise-level organization. In short, LDAP abstracts the mail routing level from Sendmail and its separate configuration files to a powerful LDAP cluster that can be leveraged by many different applications.
/etc/mail/sendmail.mc to include the following:
LDAPROUTE_DOMAIN('yourdomain.com')dnl
FEATURE('ldap_routing')dnl/usr/share/sendmail-cf/README for detailed LDAP routing configuration instructions and examples.
/etc/mail/sendmail.cf file by running m4 and restarting Sendmail. Refer to Seção 25.3.1.3, “Common Sendmail Configuration Changes” for instructions.
/usr/sbin/postfix. This daemon launches all related processes needed to handle mail delivery.
/etc/postfix/ directory. The following is a list of the more commonly used files:
access — Used for access control, this file specifies which hosts are allowed to connect to Postfix.
aliases — A configurable list required by the mail protocol.
main.cf — The global Postfix configuration file. The majority of configuration options are specified in this file.
master.cf — Specifies how Postfix interacts with various processes to accomplish mail delivery.
transport — Maps email addresses to relay hosts.
/etc/postfix/main.cf file does not allow Postfix to accept network connections from a host other than the local computer. For instructions on configuring Postfix as a server for other clients, refer to Seção 25.3.2.2, “Basic Postfix Configuration”.
/etc/postfix/ directory, it may be necessary to restart the postfix service for the changes to take effect. The easiest way to do this is to type the following command:
service postfix restart/etc/postfix/main.cf file with a text editor, such as vi.
mydomain line by removing the hash mark (#), and replace domain.tld with the domain the mail server is servicing, such as example.com.
myorigin = $mydomain line.
myhostname line, and replace host.domain.tld with the hostname for the machine.
mydestination = $myhostname, localhost.$mydomain line.
mynetworks line, and replace 168.100.189.0/28 with a valid network setting for hosts that can connect to the server.
inet_interfaces = all line.
inet_interfaces = localhost line.
postfix service.
/etc/postfix/main.cf. Additional resources including information about LDAP and SpamAssassin integration are available online at http://www.postfix.org/.
.fetchmailrc file in the user's home directory.
.fetchmailrc file, Fetchmail checks for email on a remote server and downloads it. It then delivers it to port 25 on the local machine, using the local MTA to place the email in the correct user's spool file. If Procmail is available, it is launched to filter the email and place it in a mailbox so that it can be read by an MUA.
.fetchmailrc file is much easier. Place any desired configuration options in the .fetchmailrc file for those options to be used each time the fetchmail command is issued. It is possible to override these at the time Fetchmail is run by specifying that option on the command line.
.fetchmailrc file contains three classes of configuration options:
.fetchmailrc file, followed by one or more server options, each of which designate a different email server that Fetchmail should check. User options follow server options for each user account checking that email server. Like server options, multiple user options may be specified for use with a particular server as well as to check multiple email accounts on the same server.
.fetchmailrc file by the use of a special option verb, poll or skip, that precedes any of the server information. The poll action tells Fetchmail to use this server option when it is run, which checks for email using the specified user options. Any server options after a skip action, however, are not checked unless this server's hostname is specified when Fetchmail is invoked. The skip option is useful when testing configurations in .fetchmailrc because it only checks skipped servers when specifically invoked, and does not affect any currently working configurations.
.fetchmailrc file looks similar to the following example:
set postmaster "user1" set bouncemail poll pop.domain.com proto pop3 user 'user1' there with password 'secret' is user1 here poll mail.domain2.com user 'user5' there with password 'secret2' is user1 here user 'user7' there with password 'secret3' is user1 here
postmaster option) and all email errors are sent to the postmaster instead of the sender (bouncemail option). The set action tells Fetchmail that this line contains a global option. Then, two email servers are specified, one set to check using POP3, the other for trying various protocols to find one that works. Two users are checked using the second server option, but all email found for any user is sent to user1's mail spool. This allows multiple mailboxes to be checked on multiple servers, while appearing in a single MUA inbox. Each user's specific information begins with the user action.
.fetchmailrc file. Omitting the with password '<password>' section causes Fetchmail to ask for a password when it is launched.
fetchmail man page explains each option in detail, but the most common ones are listed here.
set action.
daemon <seconds> — Specifies daemon-mode, where Fetchmail stays in the background. Replace <seconds> with the number of seconds Fetchmail is to wait before polling the server.
postmaster — Specifies a local user to send mail to in case of delivery problems.
syslog — Specifies the log file for errors and status messages. By default, this is /var/log/maillog.
.fetchmailrc after a poll or skip action.
auth <auth-type> — Replace <auth-type> with the type of authentication to be used. By default, password authentication is used, but some protocols support other types of authentication, including kerberos_v5, kerberos_v4, and ssh. If the any authentication type is used, Fetchmail first tries methods that do not require a password, then methods that mask the password, and finally attempts to send the password unencrypted to authenticate to the server.
interval <number> — Polls the specified server every <number> port <port-number> — Replace <port-number> with the port number. This value overrides the default port number for the specified protocol.
proto <protocol> — Replace <protocol> with the protocol, such as pop3 or imap, to use when checking for messages on the server.
timeout <seconds> — Replace <seconds> with the number of seconds of server inactivity after which Fetchmail gives up on a connection attempt. If this value is not set, a default of 300 seconds is assumed.
user option (defined below).
fetchall — Orders Fetchmail to download all messages in the queue, including messages that have already been viewed. By default, Fetchmail only pulls down new messages.
fetchlimit <number> — Replace <number> with the number of messages to be retrieved before stopping.
flush — Deletes all previously viewed messages in the queue before retrieving new messages.
limit <max-number-bytes> — Replace <max-number-bytes> with the maximum size in bytes that messages are allowed to be when retrieved by Fetchmail. This option is useful with slow network links, when a large message takes too long to download.
password '<password>' — Replace <password> with the user's password.
preconnect "<command>" — Replace <command> with a command to be executed before retrieving messages for the user.
postconnect "<command>" — Replace <command> with a command to be executed after retrieving messages for the user.
ssl — Activates SSL encryption.
user "<username>" — Replace <username> with the username used by Fetchmail to retrieve messages. This option must precede all other user options.
fetchmail command mirror the .fetchmailrc configuration options. In this way, Fetchmail may be used with or without a configuration file. These options are not used on the command line by most users because it is easier to leave them in the .fetchmailrc file.
fetchmail command with other options for a particular purpose. It is possible to issue command options to temporarily override a .fetchmailrc setting that is causing an error, as any options specified at the command line override configuration file options.
fetchmail command can supply important information.
--configdump — Displays every possible option based on information from .fetchmailrc and Fetchmail defaults. No email is retrieved for any users when using this option.
-s — Executes Fetchmail in silent mode, preventing any messages, other than errors, from appearing after the fetchmail command.
-v — Executes Fetchmail in verbose mode, displaying every communication between Fetchmail and remote email servers.
-V — Displays detailed version information, lists its global options, and shows settings to be used with each user, including the email protocol and authentication method. No email is retrieved for any users when using this option.
.fetchmailrc file.
-a — Fetchmail downloads all messages from the remote email server, whether new or previously viewed. By default, Fetchmail only downloads new messages.
-k — Fetchmail leaves the messages on the remote email server after downloading them. This option overrides the default behavior of deleting messages after downloading them.
-l <max-number-bytes> — Fetchmail does not download any messages over a particular size and leaves them on the remote email server.
--quit — Quits the Fetchmail daemon process.
.fetchmailrc options can be found in the fetchmail man page.
/bin/mail command to send email containing log messages to the root user of the local system.
sendmail is the default MTA. The Mail Transport Agent Switcher allows for the selection of either sendmail, postfix, or exim as the default MTA for the system.
system-switch-mail RPM package must be installed to use the text-based version of the Mail Transport Agent Switcher program. If you want to use the graphical version, the system-switch-mail-gnome package must also be installed. system-switch-mail at a shell prompt (for example, in an XTerm or GNOME terminal).
system-switch-mail-nox.
mail. Both of the applications are considered LDAs and both move email from the MTA's spool file into the user's mailbox. However, Procmail provides a robust filtering system.
mail command, consult its man page.
/etc/procmailrc or of a .procmailrc file (also called an rc file) in the user's home directory invokes Procmail whenever an MTA receives a new message.
rc file. If a message matches a recipe, then the email is placed in a specified file, is deleted, or is otherwise processed.
/etc/procmailrc and rc files in the /etc/procmailrcs directory for default, system-wide, Procmail environmental variables and recipes. Procmail then searches for a .procmailrc file in the user's home directory. Many users also create additional rc files for Procmail that are referred to within the .procmailrc file in their home directory.
rc files exist in the /etc/ directory and no .procmailrc files exist in any user's home directory. Therefore, to use Procmail, each user must construct a .procmailrc file with specific environment variables and rules.
.procmailrc in the following format:
<env-variable>="<value>"
<env-variable> <value> DEFAULT — Sets the default mailbox where messages that do not match any recipes are placed.
DEFAULT value is the same as $ORGMAIL.
INCLUDERC — Specifies additional rc files containing more recipes for messages to be checked against. This breaks up the Procmail recipe lists into individual files that fulfill different roles, such as blocking spam and managing email lists, that can then be turned off or on by using comment characters in the user's .procmailrc file.
.procmailrc file may look like this:
MAILDIR=$HOME/Msgs INCLUDERC=$MAILDIR/lists.rc INCLUDERC=$MAILDIR/spam.rc
INCLUDERC line with a hash mark character (#).
LOCKSLEEP — Sets the amount of time, in seconds, between attempts by Procmail to use a particular lockfile. The default is eight seconds.
LOCKTIMEOUT — Sets the amount of time, in seconds, that must pass after a lockfile was last modified before Procmail assumes that the lockfile is old and can be deleted. The default is 1024 seconds.
LOGFILE — The file to which any Procmail information or error messages are written.
MAILDIR — Sets the current working directory for Procmail. If set, all other Procmail paths are relative to this directory.
ORGMAIL — Specifies the original mailbox, or another place to put the messages if they cannot be placed in the default or recipe-required location.
/var/spool/mail/$LOGNAME is used.
SUSPEND — Sets the amount of time, in seconds, that Procmail pauses if a necessary resource, such as swap space, is not available.
SWITCHRC — Allows a user to specify an external file containing additional Procmail recipes, much like the INCLUDERC option, except that recipe checking is actually stopped on the referring configuration file and only the recipes on the SWITCHRC-specified file are used.
VERBOSE — Causes Procmail to log more information. This option is useful for debugging.
LOGNAME, which is the login name; HOME, which is the location of the home directory; and SHELL, which is the default shell.
procmailrc man page.
:0<flags>: <lockfile-name>*<special-condition-character><condition-1>*<special-condition-character><condition-2>*<special-condition-character><condition-N><special-action-character><action-to-perform>
<flags> <lockfile-name> * character can further control the condition.
<action-to-perform> { }, that are performed on messages which match the recipe's conditions. Nesting blocks can be nested inside one another, providing greater control for identifying and performing actions on messages.
A — Specifies that this recipe is only used if the previous recipe without an A or a flag also matched this message.
a — Specifies that this recipe is only used if the previous recipe with an A or a flag also matched this message and was successfully completed.
B — Parses the body of the message and looks for matching conditions.
b — Uses the body in any resulting action, such as writing the message to a file or forwarding it. This is the default behavior.
c — Generates a carbon copy of the email. This is useful with delivering recipes, since the required action can be performed on the message and a copy of the message can continue being processed in the rc files.
D — Makes the egrep comparison case-sensitive. By default, the comparison process is not case-sensitive.
E — While similar to the A flag, the conditions in the recipe are only compared to the message if the immediately preceding the recipe without an E flag did not match. This is comparable to an else action.
e — The recipe is compared to the message only if the action specified in the immediately preceding recipe fails.
f — Uses the pipe as a filter.
H — Parses the header of the message and looks for matching conditions. This occurs by default.
h — Uses the header in a resulting action. This is the default behavior.
w — Tells Procmail to wait for the specified filter or program to finish, and reports whether or not it was successful before considering the message filtered.
W — Is identical to w except that "Program failure" messages are suppressed.
procmailrc man page.
:) after any flags on a recipe's first line. This creates a local lockfile based on the destination file name plus whatever has been set in the LOCKEXT global environment variable.
* character at the beginning of a recipe's condition line:
! — In the condition line, this character inverts the condition, causing a match to occur only if the condition does not match the message.
< — Checks if the message is under a specified number of bytes.
> — Checks if the message is over a specified number of bytes.
! — In the action line, this character tells Procmail to forward the message to the specified email addresses.
$ — Refers to a variable set earlier in the rc file. This is often used to set a common mailbox that is referred to by various recipes.
| — Starts a specified program to process the message.
{ and } — Constructs a nesting block, used to contain additional recipes to apply to matching messages.
grep man page.
:0: new-mail.spool
LOCKEXT environment variable. No condition is specified, so every message matches this recipe and is placed in the single spool file called new-mail.spool, located within the directory specified by the MAILDIR environment variable. An MUA can then view messages in this file.
rc files to direct messages to a default location.
:0 * ^From: spammer@domain.com /dev/null
spammer@domain.com are sent to the /dev/null device, deleting them.
/dev/null for permanent deletion. If a recipe inadvertently catches unintended messages, and those messages disappear, it becomes difficult to troubleshoot the rule.
/dev/null.
:0: * ^(From|CC|To).*tux-lug tuxlug
tux-lug@domain.com mailing list are placed in the tuxlug mailbox automatically for the MUA. Note that the condition in this example matches the message if it has the mailing list's email address on the From, CC, or To lines.
~/.procmailrc file:
INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc
/etc/mail/spamassassin/spamassassin-default.rc contains a simple Procmail rule that activates SpamAssassin for all incoming email. If an email is determined to be spam, it is tagged in the header as such and the title is prepended with the following pattern:
*****SPAM*****
:0 Hw * ^X-Spam-Status: Yes spam
spam.
spamd) and client application (spamc). Configuring SpamAssassin this way, however, requires root access to the host.
spamd daemon, type the following command as root:
service spamassassin startsystem-config-services), to turn on the spamassassin service. Refer to Capítulo 17, Controlando Acesso aos Serviços for more information about initscript utilities.
~/.procmailrc file. For a system-wide configuration, place it in /etc/procmailrc:
INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc
mutt.
mutt offer SSL-encrypted email sessions.
/etc/pki/tls/certs/ directory and type the following commands as root:
rm -f cyrus-imapd.pem make cyrus-imapd.pem/etc/pki/tls/certs/ directory, and type the following commands as root:
rm -f ipop3d.pem make ipop3d.pemimapd.pem and ipop3d.pem files before issuing each make command.
/sbin/service xinetd restart command to restart the xinetd daemon which controls imapd and ipop3d.
stunnel command can be used as an SSL encryption wrapper around the standard, non-secure daemons, imapd or pop3d.
stunnel program uses external OpenSSL libraries included with Red Hat Enterprise Linux to provide strong cryptography and protect the connections. It is best to apply to a CA to obtain an SSL certificate, but it is also possible to create a self-signed certificate.
/etc/pki/tls/certs/ directory, and type the following command:
make stunnel.pemstunnel command to start the imapd mail daemon using the following command:
/usr/sbin/stunnel -d 993 -l /usr/sbin/imapd imapdpop3d using the stunnel command, type the following command:
/usr/sbin/stunnel -d 995 -l /usr/sbin/pop3d pop3dstunnel, read the stunnel man page or refer to the documents in the /usr/share/doc/stunnel-<version-number> / directory, where <version-number> is the version number for stunnel.
sendmail and sendmail-cf packages.
/usr/share/sendmail-cf/README — Contains information on m4, file locations for Sendmail, supported mailers, how to access enhanced features, and more.
sendmail and aliases man pages contain helpful information covering various Sendmail options and the proper configuration of the Sendmail /etc/mail/aliases file.
/usr/share/doc/postfix-<version-number> — Contains a large amount of information about ways to configure Postfix. Replace <version-number> with the version number of Postfix.
/usr/share/doc/fetchmail-<version-number> — Contains a full list of Fetchmail features in the FEATURES file and an introductory FAQ document. Replace <version-number> with the version number of Fetchmail.
/usr/share/doc/procmail-<version-number> — Contains a README file that provides an overview of Procmail, a FEATURES file that explores every program feature, and an FAQ file with answers to many common configuration questions. Replace <version-number> with the version number of Procmail.
procmail — Provides an overview of how Procmail works and the steps involved with filtering email.
procmailrc — Explains the rc file format used to construct recipes.
procmailex — Gives a number of useful, real-world examples of Procmail recipes.
procmailsc — Explains the weighted scoring technique used by Procmail to match a particular recipe to a message.
/usr/share/doc/spamassassin-<version-number>/ — Contains a large amount of information pertaining to SpamAssassin. Replace <version-number> with the version number of the spamassassin package.
.procmailrc files and use Procmail scoring to decide if a particular action should be taken.
/etc/openldap/schema/ Directory/etc/openldap/schema/ directory. For more information, refer to Seção 26.5, “The /etc/openldap/schema/ Directory”.
[<id>] dn: <distinguished name> <attrtype>: <attrvalue> <attrtype>: <attrvalue> <attrtype>: <attrvalue>
<attrtype>: <attrvalue> pairs as needed. A blank line indicates the end of an entry.
<attrtype> and <attrvalue> pairs must be defined in a corresponding schema file to use this information.
< and a > is a variable and can be set whenever a new LDAP entry is created. This rule does not apply, however, to <id>. The <id> is a number determined by the application used to edit the entry.
openldap — Contains the libraries necessary to run the OpenLDAP server and client applications.
openldap-clients — Contains command line tools for viewing and modifying directories on an LDAP server.
openldap-servers — Contains the servers and other utilities necessary to configure and run an LDAP server.
openldap-servers package: the Standalone LDAP Daemon (/usr/sbin/slapd) and the Standalone LDAP Update Replication Daemon (/usr/sbin/slurpd).
slapd daemon is the standalone LDAP server while the slurpd daemon is used to synchronize changes from one LDAP server to other LDAP servers on the network. The slurpd daemon is only used when dealing with multiple LDAP servers.
openldap-servers package installs the following utilities into the /usr/sbin/ directory:
slapadd — Adds entries from an LDIF file to an LDAP directory. For example, the command /usr/sbin/slapadd -l ldif-input reads in the LDIF file, ldif-input/usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore the directory server is unable to modify any files created by slapadd. To correct this issue, after using slapadd, type the following command:
chown -R ldap /var/lib/ldapslapcat — Pulls entries from an LDAP directory in the default format, Sleepycat Software's Berkeley DB system, and saves them in an LDIF file. For example, the command /usr/sbin/slapcat -l ldif-output outputs an LDIF file called ldif-outputslapindex — Re-indexes the slapd directory based on the current content. This tool should be run whenever indexing options within /etc/openldap/slapd.conf are changed.
slappasswd — Generates an encrypted user password value for use with ldapmodify or the rootpw value in the slapd configuration file, /etc/openldap/slapd.conf. Execute the /usr/sbin/slappasswd command to create the password.
slapd by issuing the /sbin/service ldap stop command before using slapadd, slapcat or slapindex. Otherwise, the integrity of the LDAP directory is at risk.
openldap-clients package installs tools into /usr/bin/ which are used to add, modify, and delete entries in an LDAP directory. These tools include the following:
ldapadd — Adds entries to an LDAP directory by accepting input via a file or standard input; ldapadd is actually a hard link to ldapmodify -a.
ldapdelete — Deletes entries from an LDAP directory by accepting user input at a shell prompt or via a file.
ldapmodify — Modifies entries in an LDAP directory, accepting input via a file or standard input.
ldappasswd — Sets the password for an LDAP user.
ldapsearch — Searches for entries in an LDAP directory using a shell prompt.
ldapcompare — Opens a connection to an LDAP server, binds, and performs a comparison using specified parameters.
ldapwhoami — Opens a connection to an LDAP server, binds, and performs a whoami operation.
ldapmodrdn — Opens a connection to an LDAP server, binds, and modifies the RDNs of entries.
ldapsearch, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.
nss_ldap, which enhances LDAP's ability to integrate into both Linux and other UNIX environments.
nss_ldap package provides the following modules (where <version> refers to the version of libnss_ldap in use):
/lib/libnss_ldap-<version>.so
/lib/security/pam_ldap.so
nss_ldap package provides the following modules for Itanium or AMD64 architectures:
/lib64/libnss_ldap-<version>.so
/lib64/security/pam_ldap.so
libnss_ldap-<version>.so module allows applications to look up users, groups, hosts, and other information using an LDAP directory via the Nameservice Switch (NSS) interface of glibc. NSS allows applications to authenticate using LDAP in conjunction with the NIS name service and flat authentication files.
pam_ldap module allows PAM-aware applications to authenticate users using information stored in an LDAP directory. PAM-aware applications include console login, POP and IMAP mail servers, and Samba. By deploying an LDAP server on a network, all of these applications can authenticate using the same user ID and password combination, greatly simplifying administration.
php-ldap package adds LDAP support to the PHP4 HTML-embedded scripting language via the /usr/lib/php4/ldap.so module. This module allows PHP4 scripts to access information stored in an LDAP directory.
mod_authz_ldap module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. The mod_ssl module is required when using the mod_authz_ldap module.
mod_authz_ldap module does not authenticate a user to an LDAP directory using an encrypted password hash. This functionality is provided by the experimental mod_auth_ldap module, which is not included with Red Hat Enterprise Linux. Refer to the Apache Software Foundation website online at http://www.apache.org/ for details on the status of this module.
/etc/openldap/ directory. The following is a brief list highlighting the most important directories and files:
/etc/openldap/ldap.conf — This is the configuration file for all client applications which use the OpenLDAP libraries such as ldapsearch, ldapadd, Sendmail, Evolution, and Gnome Meeting.
/etc/openldap/slapd.conf — This is the configuration file for the slapd daemon. Refer to Seção 26.6.1, “Editing /etc/openldap/slapd.conf” for more information.
/etc/openldap/schema/ directory — This subdirectory contains the schema used by the slapd daemon. Refer to Seção 26.5, “The /etc/openldap/schema/ Directory” for more information.
nss_ldap package is installed, it creates a file named /etc/ldap.conf. This file is used by the PAM and NSS modules supplied by the nss_ldap package. Refer to Seção 26.7, “Configuring a System to Authenticate Using OpenLDAP” for more information.
/etc/openldap/schema/ Directory/etc/openldap/schema/ directory holds LDAP definitions, previously located in the slapd.at.conf and slapd.oc.conf files. The /etc/openldap/schema/redhat/ directory holds customized schemas distributed by Red Hat for Red Hat Enterprise Linux.
/etc/openldap/slapd.conf using include lines, as shown in this example:
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/rfc822-MailMember.schema include /etc/openldap/schema/redhat/autofs.schema
local.schema file in the /etc/openldap/schema/ directory. Reference this new schema within slapd.conf by adding the following line below the default include schema lines:
include /etc/openldap/schema/local.schema
local.schema file. Many organizations use existing attribute types from the schema files installed by default and add new object classes to the local.schema file.
openldap, openldap-servers, and openldap-clients RPMs.
/etc/openldap/slapd.conf file to specify the LDAP domain and server. Refer to Seção 26.6.1, “Editing /etc/openldap/slapd.conf” for more information.
slapd with the command:
service ldap startchkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool to configure LDAP to start at boot time. For more information about configuring services, refer to Capítulo 17, Controlando Acesso aos Serviços.
ldapadd.
ldapsearch to determine if slapd is accessing the information correctly.
/etc/openldap/slapd.confslapd LDAP server, modify its configuration file, /etc/openldap/slapd.conf, to specify the correct domain and server.
suffix line names the domain for which the LDAP server provides information and should be changed from:
suffix "dc=your-domain,dc=com"
suffix "dc=example,dc=com"
rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default value as in the following example:
rootdn "cn=root,dc=example,dc=com"
rootpw line — replacing the default value with an encrypted password string. To create an encrypted password string, type the following command:
slappasswd/etc/openldap/slapd.conf on one of the rootpw lines and remove the hash mark (#).
rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2urootpw directive specified in /etc/openldap/slapd.conf, are sent over the network unencrypted, unless TLS encryption is enabled.
/etc/openldap/slapd.conf and refer to the man page for slapd.conf.
rootpw directive should be commented out after populating the LDAP directory by preceding it with a hash mark (#).
/usr/sbin/slapadd command line tool locally to populate the LDAP directory, use of the rootpw directive is not necessary.
/usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore, the directory server is unable to modify any files created by slapadd. To correct this issue, after using slapadd, type the following command:
chown -R ldap /var/lib/ldapopenldap-servers package.
openldap, openldap-clients, and nss_ldap packages need to be installed on all LDAP client machines.
/etc/openldap/slapd.conf file on the LDAP server to make sure it matches the specifics of the organization. Refer to Seção 26.6.1, “Editing /etc/openldap/slapd.conf” for instructions about editing slapd.conf.
/etc/ldap.conf and /etc/openldap/ldap.conf need to contain the proper server and search base information for the organization.
system-config-authentication) and select Enable LDAP Support under the User Information tab.
/etc/nsswitch.conf must be edited to use LDAP.
system-config-authentication) and select Enable LDAP Support under the User Information tab.
/etc/nsswitch.conf by hand, add ldap to the appropriate lines.
passwd: files ldap shadow: files ldap group: files ldap
system-config-authentication) and select Enable LDAP Support under the Authentication tab. For more about configuring PAM, refer to Seção 46.4, “Módulos de Autenticação Plugáveis (Pluggable Authentication Modules - PAM)” and the PAM man pages.
/usr/share/openldap/migration/ directory contains a set of shell and Perl scripts for migrating authentication information into an LDAP format.
migrate_common.ph file so that it reflects the correct domain. The default DNS domain should be changed from its default value to something like:
$DEFAULT_MAIL_DOMAIN = "example";$DEFAULT_BASE = "dc=example,dc=com";
README and the migration-tools.txt files in the /usr/share/openldap/migration/ directory provide more details on how to migrate the information.
| Existing name service | Is LDAP running? | Script to Use |
|---|---|---|
/etc flat files
| yes |
migrate_all_online.sh
|
/etc flat files
| no |
migrate_all_offline.sh
|
| NetInfo | yes |
migrate_all_netinfo_online.sh
|
| NetInfo | no |
migrate_all_netinfo_offline.sh
|
| NIS (YP) | yes |
migrate_all_nis_online.sh
|
| NIS (YP) | no |
migrate_all_nis_offline.sh
|
/usr/sbin/slapcat -l ldif-output. This outputs an LDIF file called ldif-output/usr/sbin/slapadd -l ldif-output.
/usr/share/docs/openldap-<versionnumber>/ directory — Contains a general README document and miscellaneous information.
man ldapadd — Describes how to add entries to an LDAP directory.
man ldapdelete — Describes how to delete entries within an LDAP directory.
man ldapmodify — Describes how to modify entries within an LDAP directory.
man ldapsearch — Describes how to search for entries within an LDAP directory.
man ldappasswd — Describes how to set or change the password of an LDAP user.
man ldapcompare — Describes how to use the ldapcompare tool.
man ldapwhoami — Describes how to use the ldapwhoami tool.
man ldapmodrdn — Describes how to modify the RDNs of entries.
man slapd — Describes command line options for the LDAP server.
man slurpd — Describes command line options for the LDAP replication server.
man slapadd — Describes command line options used to add entries to a slapd database.
man slapcat — Describes command line options used to generate an LDIF file from a slapd database.
man slapindex — Describes command line options used to regenerate an index based upon the contents of a slapd database.
man slappasswd — Describes command line options used to generate user passwords for LDAP directories.
man ldap.conf — Describes the format and options available within the configuration file for LDAP clients.
man slapd.conf — Describes the format and options available within the configuration file referenced by both the LDAP server applications (slapd and slurpd) and the LDAP administrative tools (slapadd, slapcat, and slapindex).
system-config-authentication at a shell prompt (for example, in an XTerm or a GNOME terminal).
ypbind package must be installed for this option to work. If NIS support is enabled, the portmap and ypbind services are started and are also enabled to start at boot time.
openldap-clients package must be installed for this option to work.
hesiod package must be installed for this option to work.
man hesiod. You can also refer to the hesiod.conf man page (man hesiod.conf) for more information on LHS and RHS.
krb5-server package must be installed, and Kerberos must be configured properly.
winbind should use. For more information about domain controllers, please refer to Seção 21.6.3, “Domain Controller”.
winbindd daemon uses the value chosen here to to specify the login shell for that user.
winbind service, refer to winbindd under Seção 21.2, “Samba Daemons and Related Services”.
kadmind.
krb5-libs and krb5-workstation packages must be installed for this option to work. For more information about Kerberos, refer to Seção 46.6, “Kerberos”.
openldap-clients package must be installed for this option to work.
pam_pkcs11 and coolkey packages must be installed for this option to work. For more information about smart cards, refer to Seção 46.3.1.3, “Cartões Inteligentes Suportados” under Seção 46.3, “Single Sign-on (SSO)”.
nscd) and configure it to start at boot time.
nscd package must be installed for this option to work. For more information about nscd, refer to its man page using the command man nscd.
/etc/shadow file instead of /etc/passwd. Shadow passwords are enabled by default during installation and are highly recommended to increase the security of the system.
shadow-utils package must be installed for this option to work. For more information about shadow passwords, refer to Seção 35.6, “Senhas Shadow”.
authconfig man page or by typing authconfig --help at a shell prompt.
| Opção | Descrição |
|---|---|
--enableshadow
| Habilitar senhas shadow |
--disableshadow
| Desabilitar senhas shadow |
--enablemd5
| Habilitar senhas MD5 |
--disablemd5
| Desabilitar senhas MD5 |
--enablenis
| Habilitar o NIS |
--disablenis
| Desabilitar o NIS |
--nisdomain=
| Especificar o domínio NIS |
--nisserver=
| Especificar o servidor NIS |
--enableldap
| Habilitar o LDAP para informações de usuários |
--disableldap
| Desabilitar o LDAP para informações de usuários |
--enableldaptls
| Habilitar o uso do TLS com o LDAP |
--disableldaptls
| Desabilitar o uso do TLS com o LDAP |
--enableldapauth
| Habilitar o LDAP para autenticação |
--disableldapauth
| Desabilitar o LDAP para autenticação |
--ldapserver=
| Especificar o servidor LDAP |
--ldapbasedn=
| Especificar a base DN do LDAP |
--enablekrb5
| Habilitar o Kerberos |
--disablekrb5
| Desabilitar o Kerberos |
--krb5kdc=
| Especificar o KDC do Kerberos |
--krb5adminserver=
| Especificar o servidor de administração do Kerberos |
--krb5realm=
| Especificar o reino do Kerberos |
--enablekrb5kdcdns
| Enable use of DNS to find Kerberos KDCs |
--disablekrb5kdcdns
| Disable use of DNS to find Kerberos KDCs |
--enablekrb5realmdns
| Enable use of DNS to find Kerberos realms |
--disablekrb5realmdns
| Disable use of DNS to find Kerberos realms |
--enablesmbauth
| Habilitar o SMB |
--disablesmbauth
| Desabilitar o SMB |
--smbworkgroup=
| Especificar o grupo de trabalho SMB |
--smbservers=
| Especificar os servidores SMB |
--enablewinbind
| Enable winbind for user information by default |
--disablewinbind
| Disable winbind for user information by default |
--enablewinbindauth
| Enable winbindauth for authentication by default |
--disablewinbindauth
| Disable winbindauth for authentication by default |
--smbsecurity=
| Security mode to use for Samba and winbind |
--smbrealm=
|
Default realm for Samba and winbind when security=ads
|
--smbidmapuid=
| UID range winbind assigns to domain or ADS users |
--smbidmapgid=
| GID range winbind assigns to domain or ADS users |
--winbindseparator=
|
Character used to separate the domain and user part of winbind usernames if winbindusedefaultdomain is not enabled
|
--winbindtemplatehomedir=
| Directory that winbind users have as their home |
--winbindtemplateprimarygroup=
| Group that winbind users have as their primary group |
--winbindtemplateshell=
| Shell that winbind users have as their default login shell |
--enablewinbindusedefaultdomain
| Configures winbind to assume that users with no domain in their usernames are domain users |
--disablewinbindusedefaultdomain
| Configures winbind to assume that users with no domain in their usernames are not domain users |
--winbindjoin=
| Joins the winbind domain or ADS realm now as this administrator |
--enablewins
| Enable WINS for hostname resolution |
--disablewins
| Disable WINS for hostname resolution |
--enablehesiod
| Habilitar o Hesiod |
--disablehesiod
| Desabilitar o Hesiod |
--hesiodlhs=
| Especificar o LHS do Hesiod |
--hesiodrhs=
| Especificar o RHS do Hesiod |
--enablecache
|
Enable nscd
|
--disablecache
|
Disable nscd
|
--nostart
|
Do not start or stop the portmap, ypbind, or nscd services even if they are configured
|
--kickstart
| Não exibir a interface de usuário |
--probe
| Detectar e exibir defaults da rede |
.conf file. The default file is /etc/sssd/sssd.conf, although alternative files can be passed to SSSD by using the -c option with the sssd command:
# sssd -c /etc/sssd/customfile.conf
[domain/LDAP]. The configuration file uses simple key = value lines to set the configuration. Comment lines are set by either a hash sign (#) or a semicolon (;)
[section] # Comment line key1 = val1 key10 = val1,val2
service command or the /etc/init.d/sssd script can start SSSD. For example:
# service sssd start
chkconfig command:
[root@server ~]# chkconfig sssd on
sssd.conf file. on sections. The [sssd] section also lists the services that are active and should be started when sssd starts within the services directive.
sssd_nss module. This is configured in the [nss] section of the configuration.
sssd_pam PAM module. This is configured in the [pam] section of the configuration.
monitor, a special service that monitors and starts or restarts all other SSSD services. Its options are specified in the [sssd] section of the /etc/sssd/sssd.conf configuration file.
lookup family order option in the sssd.conf configuration file.
sssd_nss, which instructs the system to use SSSD to retrieve user information. The NSS configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with NSS.
sssd.conf file.
# vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam[nss] section, change any of the NSS parameters. These are listed in Tabela 28.1, “SSSD [nss] Configuration Parameters”.
[nss] filter_groups = root filter_users = root reconnection_retries = 3 entry_cache_timeout = 300 entry_cache_nowait_percentage = 75
service sssd restart
| Parameter | Value Format | Description |
|---|---|---|
| enum_cache_timeout | integer | Specifies how long, in seconds, sssd_nss should cache requests for information about all users (enumerations). |
| entry_cache_nowait_percentage | integer |
Specifies how long sssd_nss should return cached entries before refreshing the cache. Setting this to zero (0) disables the entry cache refresh.
This configures the entry cache to update entries in the background automatically if they are requested if the time before the next update is a certain percentage of the next interval. For example, if the interval is 300 seconds and the cache percentage is 75, then the entry cache will begin refreshing when a request comes in at 225 seconds — 75% of the interval.
The allowed values for this option are 0 to 99, which sets the percentage based on the
entry_cache_timeout value. The default value is 50%.
|
| entry_negative_timeout | integer | Specifies how long, in seconds, sssd_nss should cache negative cache hits. A negative cache hit is a query for an invalid database entries, including non-existent entries. |
| filter_users, filter_groups | string |
Tells SSSD to exclude certain users from being fetched from the NSS database. This is particularly useful for system accounts such as root.
|
| filter_users_in_groups | Boolean |
Sets whether users listed in the filter_users list appear in group memberships when performing group lookups. If set to FALSE, group lookups return all users that are members of that group. If not specified, this value defaults to TRUE, which filters the group member lists.
|
sssd_pam, which instructs the system to use SSSD to retrieve user information. The PAM configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with PAM.
/etc/pam.d/system-auth-ac file, which is symlinked to /etc/pam.d/system-auth. Any changes made to /etc/pam.d/system-auth are overwritten the next time that authconfig is run.
/etc/pam.d/system-auth symlink.
[root@server ~]# rm /etc/pam.d/system-auth rm: remove symbolic link `/etc/pam.d/system-auth'? y
/etc/pam.d/system-auth-local file. One easy way to do this is simply to copy the /etc/pam.d/system-auth-ac file.
[root@server ~]# cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-local
/etc/pam.d/system-auth-local file and /etc/pam.d/system-auth.
[root@server ~]# ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-auth
/etc/pam.d/system-auth-local file, and add all of the SSSD modules to the PAM configuration:
#%PAM-1.0 ... auth sufficient pam_sss.so use_first_pass auth required pam_deny.so ... account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so ... password sufficient pam_sss.so use_authtok password required pam_deny.so ... session sufficient pam_sss.so session required pam_unix.so
include statements, as necessary.
sssd.conf file.
# vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam[pam] section, change any of the PAM parameters. These are listed in Tabela 28.2, “SSSD [pam] Configuration Parameters”.
[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5
service sssd restart
| Parameter | Value Format | Description |
|---|---|---|
| offline_credentials_expiration | integer |
Sets how long, in days, to allow cached logins if the authentication provider is offline. This value is measured from the last successful online login. If not specified, this defaults to zero (0), which is unlimited.
|
| offline_failed_login_attempts | integer |
Sets how many failed login attempts are allowed if the authentication provider is offline. If not specified, this defaults to zero (0), which is unlimited.
|
| offline_failed_login_delay | integer |
Sets how long to prevent login attempts if a user hits the failed login attempt limit. If set to zero (0), the user cannot authenticate while the provider is offline once he hits the failed attempt limit. Only a successful online authentication can re-enable offline authentication. If not specified, this defaults to five (5).
|
jsmith in the ldap.example.com domain and jsmith in the ldap.otherexample.com domain. SSSD allows requests using fully-qualified domain names, so requesting information for jsmith@ldap.example.com returns the the proper user account. Specifying only the username returns the user for whichever domain comes first in the lookup order.
filter_users option, which excludes the specified users from being returned in a search.
| Identification Provider | Authentication Provider |
|---|---|
| LDAP | LDAP |
| LDAP | Kerberos |
| proxy | LDAP |
| proxy | Kerberos |
| proxy | proxy |
domains = LOCAL,Name[domain/Name] id_provider =typeauth_provider =typeprovider_specific = valueglobal = value
| Parameter | Value Format | Description |
|---|---|---|
| id_provider | string |
Specifies the data provider identity backend to use for this domain. The supported identity backends are:
|
| auth_provider | string |
Sets the authentication provider used for the domain. The default value for this option is the value of id_provider. The supported authentication providers are ldap, ipa, krb5 (Kerberos), proxy, and none.
|
| min_id,max_id | integer |
Optional. Specifies the UID and GID range for the domain. If a domain contains entries that are outside that range, they are ignored. The default value for min_id is 1; the default value for max_id is 0, which is unlimited.
Importante
The default min_id value is the same for all types of identity provider. If LDAP directories are using UID numbers that start at one, it could cause conflicts with users in the local /etc/passwd file. To avoid these conflicts, set min_id to 1000 or higher as possible.
|
| enumerate | Boolean |
Optional. Specifies whether to list the users and groups of a domain. Enumeration means that the entire set of available users and groups on the remote source is cached on the local machine. When enumeration is disabled, users and groups are only cached as they are requested.
Atenção
When enumeration is enabled, reinitializing a client results in a complete refresh of the entire set of available users and groups from the remote source. Similarly, when SSSD is connected to a new server, the entire set of available users and groups from the remote source is pulled and cached on the local machine. In a domain with a large number of clients connected to a remote source, this refresh process can harm the network performance because of frequent queries from the clients. If the set of available users and groups is large enough, it degrades client performance as well.
false, which disables enumeration.
|
| cache_credentials | Boolean |
Optional. Specifies whether to store user credentials in the local SSSD domain database cache. The default value for this parameter is false. Set this value to true for domains other than the LOCAL domain to enable offline authentication.
|
| entry_cache_timeout | integer | Optional. Specifies how long, in seconds, SSSD should cache positive cache hits. A positive cache hit is a successful query. |
| use_fully_qualified_names | Boolean |
Optional. Specifies whether requests to this domain require fully-qualified domain names. If set to true, all requests to this domain must use fully-qualified domain names. It also means that the output from the request displays the fully-qualified name. Restricting requests to fully-qualified user names allows SSSD to differentiate between domains with users with conflicting usernames.
If
use_fully_qualified_names is set to false, it is possible to use the fully-qualified name in the requests, but only the simplified version is displayed in the output.
SSSD can only parse names based on the domain name, not the realm name. The same name can be used for both domains and realms, however.
|
sssd-ldap(5).
| Parameter | Description |
|---|---|
| ldap_uri | Gives a comma-separated list of the URIs of the LDAP servers to which SSSD will connect. The list is given in order of preference, so the first server in the list is tried first. Listing additional servers provides failover protection. This can be detected from the DNS SRV records if it is not given. |
| ldap_search_base | Gives the base DN to use for performing LDAP user operations. |
| ldap_tls_reqcert |
Specifies how to check for SSL server certificates in a TLS session. There are four options:
|
| ldap_tls_cacert |
Gives the full path and file name to the file that contains the CA certificates for all of the CAs that SSSD recognizes. SSSD will accept any certificate issued by these CAs.
This uses the OpenLDAP system defaults if it is not given explicitly.
|
| ldap_referrals |
Sets whether SSSD will use LDAP referrals, meaning forwarding queries from one LDAP database to another. SSSD supports database-level and subtree referrals. For referrals within the same LDAP server, SSSD will adjust the DN of the entry being queried. For referrals that go to different LDAP servers, SSSD does an exact match on the DN. Setting this value to true enables referrals; by default, referrals are enabled.
|
| ldap_schema |
Sets what version of schema to use when searching for user entries. This can be either rfc2307 or rfc2307bis. The default is rfc2307.
In RFC 2307, group objects use a multi-valued attribute,
memberuid, which lists the names of the users that belong to that group. In RFC 2307bis, group objects use the member attribute, which contains the full distinguished name (DN) of a user or group entry. RFC 2307bis allows nested groups usning the member attribute. Because these different schema use different definitions for group membership, using the wrong LDAP schema with SSSD can affect both viewing and managing network resources, even if the appropriate permissions are in place.
For example, with RFC 2307bis, all groups are returned when using nested groups or primary/secondary groups.
$ id uid=500(myserver) gid=500(myserver) groups=500(myserver),510(myothergroup)
If SSSD is using RFC 2307 schema, only the primary group is returned.
This setting only affects how SSSD determines the group members. It does not change the actual user data.
|
| ldap_search_timeout |
Sets the time, in seconds, that LDAP searches are allowed to run before they are canceled and cached results are returned. This defaults to five when the enumerate value is false and defaults to 30 when enumerate is true.
When an LDAP search times out, SSSD automatically switches to offline mode.
|
| ldap_network_timeout | Sets the time, in seconds, SSSD attempts to poll an LDAP server after a connection attempt fails. The default is six seconds. |
| ldap_opt_timeout | Sets the time, in seconds, to wait before aborting synchronous LDAP operations if no response is received from the server. This option also controls the timeout when communicating with the KDC in case of a SASL bind. The default is five seconds. |
sssd.conf file. For example:
domains = LOCAL,LDAP1,AD,PROXYNIS
ldap_uri option:
# An LDAP domain [domain/LDAP] enumerate = false cache_credentials = TRUE id_provider = ldap auth_provider = ldap ldap_uri = ldaps://ldap.example.com:636 ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls option to use Start TLS and then ldap_tls_cacert to identify the CA certificate which issued the SSL server certificates.
# An LDAP domain [domain/LDAP] enumerate = false cache_credentials = TRUE id_provider = ldap auth_provider = ldap ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com ldap_id_use_start_tls = True ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
cacertdir_rehash function to create the appropriate symlinks.
sssd-ldap(5).
# Example LDAP domain where the LDAP server is an Active Directory 2003 server. [domain/AD] description = LDAP domain with AD server enumerate = false ; id_provider = ldap auth_provider = ldap ldap_uri = ldap://your.ad.server.com ldap_schema = rfc2307bis ldap_search_base = dc=example,dc=com ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com ldap_default_authtok_type = password ldap_default_authtok = secret ldap_user_object_class = person ldap_user_name = msSFU30Name ldap_user_uid_number = msSFU30UidNumber ldap_user_gid_number = msSFU30GidNumber ldap_user_home_directory = msSFU30HomeDirectory ldap_user_shell = msSFU30LoginShell ldap_user_principal = userPrincipalName ldap_group_object_class = group ldap_group_name = msSFU30Name ldap_group_gid_number = msSFU30GidNumber
sssd-ldap(5).
# Example LDAP domain where the LDAP server is an Active Directory 2003 R2 or an Active Directory 2008 server. [domain/AD] description = LDAP domain with AD server ; debug_level = 9 enumerate = false id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldap://your.ad.server.com ldap_tls_cacertdir = /etc/openldap/cacerts ldap_tls_cacert = /etc/openldap/cacerts/test.cer ldap_search_base = dc=example,dc=com ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com ldap_default_authtok_type = password ldap_default_authtok = secret ldap_pwd_policy = none ldap_user_object_class = user ldap_group_object_class = group
ldap_uri option instead of the server name may cause the TLS/SSL connection to fail. TLS/SSL certificates contain the server name, not the IP address. However, the subject alternative name field in the certificate can be used to include the IP address of the server, which allows a successful secure connection using an IP address.
-signkey) is the key of the issuer of whatever CA originally issued the certificate. If this is done by an external CA, it requires a separate PEM file; if the certificate is self-signed, then this is the certificate itself. For example:
openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey key.pem
openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey old_cert.pem
/etc/pki/tls/openssl.cnf configuration file to include the server's IP address under the [ v3_ca ] section:
subjectAltName = IP:10.0.0.10
openssl x509 -req -in req.pem -out new_cert.pem -extfile ./openssl.cnf -extensions v3_ca -signkey old_cert.pem
-extensions option sets which extensions to use with the certificate. For this, it should be v3_ca to load the appropriate section.
old_cert.pem file into the new_cert.pem file to keep all relevant information in one file.
krb5_kpasswd option to specify where the password changing service is running or if it is running on a non-default port. If the krb5_kpasswd option is not defined, SSSD tries to use the Kerberos KDC to change the password.
# A domain with identities provided by LDAP and authentication by Kerberos [domain/KRBDOMAIN] enumerate = false id_provider = ldap chpass_provider = krb5 ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com ldap-tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt auth_provider = krb5 krb5_server = 192.168.1.1, kerberos.example.com krb5_realm = EXAMPLE.COM krb5_kpasswd = kerveros.admin.example.com krb5_auth_timeout = 15
| Parameter | Description |
|---|---|
| chpass_provider | Specifies which service to use for password change operations. This is assumed to be the same as the authentication provider. To use Kerberos, set this to krb5. |
| krb5_server |
Gives a comma-separated list of IP addresses or hostnames of Kerberos servers to which SSSD will connect. The list is given in order of preference, so the first server in the list is tried first. Listing additional servers provides failover protection.
When using service discovery for KDC or kpasswd servers, SSSD first searches for DNS entries that specify UDP as the connection protocol, and then falls back to TCP.
|
| krb5_realm | Identies the Kerberos realm served by the KDC. |
| krb5_lifetime | Requests a Kerberos ticket with the specified lifetime in seconds (s), minutes (m), hours (h) or days (d). |
| krb5_renewable_lifetime | Requests a renewable Kerberos ticket with a total lifetime that is specified in seconds (s), minutes (m), hours (h) or days (d). |
| krb5_renew_interval | Sets the time, in seconds, for SSSD to check if tickets should be renewed. Tickets are renewed automatically once they exceed half their lifetime. If this option is missing or set to zero, then automatic ticket renewal is disabled. |
| krb5_store_password_if_offline |
Sets whether to store user passwords if the Kerberos authentication provider is offline, and then to use that cache to request tickets when the provider is back online. The default is false, which does not store passwords.
|
| krb5_kpasswd | Lists alternate Kerberos kadmin servers to use if the change password service is not running on the KDC. |
| krb5_ccname_template |
Gives the directory to use to store the user's credential cache. This can be templatized, and the following tokens are supported:
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX |
| krb5_ccachedir |
Specifies the directory to store credential caches. This can be templatized, using the same tokens as krb5_ccname_template, except for %d and %P. If %u, %U, %p, or %h are used, then SSSD creates a private directory for each user; otherwise, it creates a public directory.
|
| krb5_auth_timeout | Gives the time, in seconds, before an online authentication or change password request is aborted. If possible, the authentication request is continued offline. The default is 15 seconds. |
| Parameter | Description |
|---|---|
| proxy_pam_target |
Specifies the target to which PAM must proxy as an authentication provider.. The PAM target is a file containing PAM stack information in the default PAM directory, /etc/pam.d/.
This is used to proxy an authentication provider.
Importante
Ensure that the proxy PAM stack does not recursively include pam_sss.so.
|
| proxy_lib_name |
Specifies which existing NSS library to proxy identity requests through.
This is used to proxy an identity provider.
|
proxy_lib_name parameter. This library can be anything as long as it is compatible with the given authentication service. For a Kerberos authentication provider, it must be a Kerberos-compatible library, like NIS.
[domain/PROXY_KRB5] auth_provider = krb5 krb5_server = 192.168.1.1 krb5_realm = EXAMPLE.COM id_provider = proxy proxy_lib_name = nis enumerate = true cache_credentials = true
proxy_pam_target parameter. This library must be a PAM module that is compatible with the given identity provider. For example, this uses a PAM fingerprint module with LDAP:
[domain/LDAP_PROXY] id_provider = ldap ldap_uri = ldap://example.com ldap_search_base = dc=example,dc=com auth_provider = proxy proxy_pam_target = sssdpamproxy enumerate = true cache_credentials = true
sssdpamproxy, so create a /etc/pam.d/sssdpamproxy file and load the PAM/LDAP modules:
auth required pam_frprint.so account required pam_frprint.so password required pam_frprint.so session required pam_frprint.so
proxy_pam_target for the authentication PAM module and proxy_lib_name for the service, like NIS or LDAP.
[domain/PROXY_PROXY] auth_provider = proxy id_provider = proxy proxy_lib_name = ldap proxy_pam_target = sssdproxyldap enumerate = true cache_credentials = true
/etc/pam.d/sssdproxyldap file which requires the pam_ldap.so module:
auth required pam_ldap.so account required pam_ldap.so password required pam_ldap.so session required pam_ldap.so
/etc/nslcd.conf file, the configuration file for the LDAP name service daemon, to contain the information for the LDAP directory:
uid nslcd gid ldap uri ldaps://ldap.example.com:636 base dc=example,dc=com ssl on tls_cacertdir /etc/openldap/cacerts
simple_allow_users and simple_allow_groups, which grant access explicitly to specific users (either the given users or group members) and deny access to everyone else. It is also possible to create deny lists (which deny access only to explicit people and implicitly allow everyone else access).
[domain/example.com] access_provider = simple simple_allow_users = jsmith,bjensen simple_allow_groups = itgroup
simple as an access provider.
ldap_access_filter) specifies which users are granted access to the specified host. The user filter must be used or all users are denied access.
[domain/example.com] access_provider = ldap ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
authorizedService attribute.
/etc/sssd/sssd.conf file. The servers are listed in order of preference. This list can contain any number of servers.
ldap_uri = ldap://ldap0.example.com, ldap://ldap1.example.com, ldap://ldap2.example.com
ldap://ldap0.example.com, is the primary server. If this server fails, SSSD first attempts to connect to ldap1.example.com and then ldap2.example.com.
_service._protocol._domain TTL priority weight port hostname
/var/lib/sss/db/ directory.
exampleldap, the cache file is named cache_exampleldap.ldb.
resolv.conf file. This file is typically only read once, and so any changes made to this file are not automatically applied. This can cause NFS locking to fail on the machine where the NSCD service is running, unless that service is manually restarted.
/etc/nscd.conf file and rely on the SSSD cache for the passwd, group, and netgroup entries.
/etc/nscd.conf file:
enable-cache hosts yes enable-cache passwd no enable-cache group no enable-cache netgroup no
/var/log/sssd/ directory. SSSD produces a log file for each domain, as well as an sssd_pam.log and an sssd_nss.log file.
/var/log/secure file logs authentication failures and the reason for the failure.
debug_level parameter for each section in the sssd.conf file for which to product extra logs. For example:
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
debug_level = 9# sssd -d4 [sssd] [ldb] (3): server_sort:Unable to register control with rootdse! [sssd] [confdb_get_domains] (0): No domains configured, fatal error! [sssd] [get_monitor_config] (0): No domains configured.
/etc/sssd/sssd.conf file and create at least one domain.
[sssd] [get_monitor_config] (0): No services configured!
/etc/sssd/sssd.conf file and configure at least one service provider.
services entry in the /etc/sssd/sssd.conf file. If services are listed in multiple entries, only the last entry is recognized by SSSD.
# service sssd status
[nss] section of the /etc/sssd/sssd.conf file. Especially check the filter_users and filter_groups attributes.
/etc/nsswitch.conf file.
use_fully_qualified_domains attribute to TRUE in the /etc/sssd/sssd.conf file. This differentiates between different users in different domains with the same name.
[root@clientF11 tmp]# passwd user1000 Changing password for user user1000. New password: Retype new password: New Password: Reenter new Password: passwd: all authentication tokens updated successfully.
use_authtok option is correctly configured in your /etc/pam.d/system-auth file.
Índice
sysconfig Directory/etc/sysconfig/ Directory/etc/sysconfig/amd/etc/sysconfig/apmd/etc/sysconfig/arpwatch/etc/sysconfig/authconfig/etc/sysconfig/autofs/etc/sysconfig/clock/etc/sysconfig/desktop/etc/sysconfig/dhcpd/etc/sysconfig/exim/etc/sysconfig/firstboot/etc/sysconfig/gpm/etc/sysconfig/hwconf/etc/sysconfig/i18n/etc/sysconfig/init/etc/sysconfig/ip6tables-config/etc/sysconfig/iptables-config/etc/sysconfig/irda/etc/sysconfig/keyboard/etc/sysconfig/kudzu/etc/sysconfig/named/etc/sysconfig/network/etc/sysconfig/nfs/etc/sysconfig/ntpd/etc/sysconfig/radvd/etc/sysconfig/samba/etc/sysconfig/selinux/etc/sysconfig/sendmail/etc/sysconfig/spamassassin/etc/sysconfig/squid/etc/sysconfig/system-config-securitylevel/etc/sysconfig/system-config-selinux/etc/sysconfig/system-config-users/etc/sysconfig/system-logviewer/etc/sysconfig/tux/etc/sysconfig/vncservers/etc/sysconfig/xinetd/etc/sysconfig/ Directoryhalt, poweroff, and reboot.
/etc/inittab specifies that your system is set to shutdown and reboot in response to a Ctrl+Alt+Del key combination used at the console. To completely disable this ability, comment out the following line in /etc/inittab by putting a hash mark (#) in front of it:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
-a option to the /etc/inittab line shown above, so that it reads:
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
-a flag tells shutdown to look for the /etc/shutdown.allow file.
shutdown.allow in /etc. The shutdown.allow file should list the usernames of any users who are allowed to shutdown the system using Ctrl+Alt+Del . The format of the shutdown.allow file is a list of usernames, one per line, like the following:
stephen jack sophie
shutdown.allow file, the users stephen, jack, and sophie are allowed to shutdown the system from the console using Ctrl+Alt+Del . When that key combination is used, the shutdown -a command in /etc/inittab checks to see if any of the users in /etc/shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the system continues; if not, an error message is written to the system console instead.
shutdown.allow, refer to the shutdown man page.
rm -f /etc/security/console.apps/*poweroff, halt, and reboot, which are accessible from the console by default.
rm -f /etc/security/console.apps/poweroffrm -f /etc/security/console.apps/haltrm -f /etc/security/console.apps/reboot
pam_console.so module uses the /etc/security/console.perms file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
:0 or mymachine.example.com:1.0, or a device like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1
/etc/security/console.perms.d/50-default.perms. Para editar permissões de arquivo e dispositivos, recomenda-se criar um novo arquivo padrão em /etc/security/console.perms.d/ contendo suas configurações de preferência para um conjunto específico de arquivos ou dipositivos. O nome de um arquivo novo padrão deve iniciar com um número mais alto do que 50 (por exemplo, 51-default.perms) para que sobrescreva o 50-default.perms.
51-default.perms no/etc/security/console.perms.d/:
touch /etc/security/console.perms.d/51-default.permsperms, 50-default.perms. A primeira seção define classes de dispositivos, com linhas semelhantes às seguintes:
<floppy>=/dev/fd[0-1]* \
/dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer \
/dev/sound/* /dev/beep \
/dev/snd/*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*<cdrom> se refere ao drive de CD-ROM. Para adicionar um novo dispositivo, não o defina no arquivo padrão 50-default.perms, ao invés de definí-lo em 51-default.perms. Por exemplo, para definir um scanner, adicione a seguinte linha ao 51-default.perms:
<scanner>=/dev/scanner /dev/usb/scanner*
/dev/scanner is really your scanner and not some other device, such as your hard drive.
/etc/security/console.perms por linhas similares a:
<console> 0660 <floppy> 0660 root.floppy <console> 0600 <sound> 0640 root <console> 0600 <cdrom> 0600 root.disk
51-default.perms:
<console> 0600 <scanner> 0600 root
/dev/scanner device with the permissions of 0600 (readable and writable by you only). When you log out, the device is owned by root, and still has the permissions 0600 (now readable and writable by root only).
50-default.perms. Para editar permissões para um dispositivo já definido em 50-default.perms, adicione a definição da permissão desejada para aquele dispositivo em 51-default.perms. Isto irá sobrescrever quais permissões são definidas em 50-default.perms.
/sbin/ or /usr/sbin/, so the application that you wish to run must be there. After verifying that, perform the following steps:
foo program, to the /usr/bin/consolehelper application:
cd /usr/binln -s consolehelper foo
/etc/security/console.apps/foo:
touch /etc/security/console.apps/foofoo service in /etc/pam.d/. An easy way to do this is to copy the PAM configuration file of the halt service, and then modify the copy if you want to change the behavior:
cp /etc/pam.d/halt /etc/pam.d/foo/usr/bin/foo is executed, consolehelper is called, which authenticates the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper asks for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it does precisely what is specified in /etc/pam.d/foo) and then runs /usr/sbin/foo with root permissions.
pam_timestamp and run from the same session is automatically authenticated for the user — the user does not have to enter the root password again.
pam package. To enable this feature, add the following lines to your PAM configuration file in etc/pam.d/:
auth include config-util account include config-util session include config-util
/etc/pam.d/system-config-* configuration files. Note that these lines must be added below any other auth sufficient session optional lines in your PAM configuration file.
pam_timestamp is successfully authenticated from the Applications (the main menu on the panel), the
icon is displayed in the notification area of the panel if you are running the GNOME or KDE desktop environment. After the authentication expires (the default is five minutes), the icon disappears.
floppy Groupfloppy group. Add the user(s) to the floppy group using the tool of your choice. For example, the gpasswd command can be used to add user fred to the floppy group:
gpasswd -a fred floppyfred pode acessar o drive de disquete do sistema pelo console.
sysconfig Directory/etc/sysconfig/ Directory/etc/sysconfig/amd/etc/sysconfig/apmd/etc/sysconfig/arpwatch/etc/sysconfig/authconfig/etc/sysconfig/autofs/etc/sysconfig/clock/etc/sysconfig/desktop/etc/sysconfig/dhcpd/etc/sysconfig/exim/etc/sysconfig/firstboot/etc/sysconfig/gpm/etc/sysconfig/hwconf/etc/sysconfig/i18n/etc/sysconfig/init/etc/sysconfig/ip6tables-config/etc/sysconfig/iptables-config/etc/sysconfig/irda/etc/sysconfig/keyboard/etc/sysconfig/kudzu/etc/sysconfig/named/etc/sysconfig/network/etc/sysconfig/nfs/etc/sysconfig/ntpd/etc/sysconfig/radvd/etc/sysconfig/samba/etc/sysconfig/selinux/etc/sysconfig/sendmail/etc/sysconfig/spamassassin/etc/sysconfig/squid/etc/sysconfig/system-config-securitylevel/etc/sysconfig/system-config-selinux/etc/sysconfig/system-config-users/etc/sysconfig/system-logviewer/etc/sysconfig/tux/etc/sysconfig/vncservers/etc/sysconfig/xinetd/etc/sysconfig/ Directory/etc/sysconfig/ directory contains a variety of system configuration files for Red Hat Enterprise Linux.
/etc/sysconfig/ directory, their function, and their contents. The information in this chapter is not intended to be complete, as many of these files have a variety of options that are only used in very specific or rare circumstances.
/etc/sysconfig/ Directory/etc/sysconfig/ directory. Files not listed here, as well as extra file options, are found in the /usr/share/doc/initscripts-<version-number>/sysconfig.txt file (replace <version-number> with the version of the initscripts package). Alternatively, looking through the initscripts in the /etc/rc.d/ directory can prove helpful.
/etc/sysconfig/ directory, then the corresponding program may not be installed.
/etc/sysconfig/amd/etc/sysconfig/amd file contains various parameters used by amd; these parameters allow for the automatic mounting and unmounting of file systems.
/etc/sysconfig/apmd/etc/sysconfig/apmd file is used by apmd to configure what power settings to start/stop/change on suspend or resume. This file configures how apmd functions at boot time, depending on whether the hardware supports Advanced Power Management (APM) or whether the user has configured the system to use it. The apm daemon is a monitoring program that works with power management code within the Linux kernel. It is capable of alerting users to low battery power on laptops and other power-related settings.
/etc/sysconfig/arpwatch/etc/sysconfig/arpwatch file is used to pass arguments to the arpwatch daemon at boot time. The arpwatch daemon maintains a table of Ethernet MAC addresses and their IP address pairings. By default, this file sets the owner of the arpwatch process to the user pcap and sends any messages to the root mail queue. For more information regarding available parameters for this file, refer to the arpwatch man page.
/etc/sysconfig/authconfig/etc/sysconfig/authconfig file sets the authorization to be used on the host. It contains one or more of the following lines:
USEMD5=<value>, where <value>yes — MD5 is used for authentication.
no — MD5 is not used for authentication.
USEKERBEROS=<value>, where <value>yes — Kerberos is used for authentication.
no — Kerberos is not used for authentication.
USELDAPAUTH=<value>, where <value>yes — LDAP is used for authentication.
no — LDAP is not used for authentication.
/etc/sysconfig/autofs/etc/sysconfig/autofs file defines custom options for the automatic mounting of devices. This file controls the operation of the automount daemons, which automatically mount file systems when you use them and unmount them after a period of inactivity. File systems can include network file systems, CD-ROMs, diskettes, and other media.
/etc/sysconfig/autofs file may contain the following:
LOCALOPTIONS="<value>", where <value> is a string for defining machine-specific automount rules. The default value is an empty string ("").
DAEMONOPTIONS="<value>", where <value> is the timeout length in seconds before unmounting the device. The default value is 60 seconds ("--timeout=60").
UNDERSCORETODOT=<value>, where <value> is a binary value that controls whether to convert underscores in file names into dots. For example, auto_home to auto.home and auto_mnt to auto.mnt. The default value is 1 (true).
DISABLE_DIRECT=<value>, where <value> is a binary value that controls whether to disable direct mount support, as the Linux implementation does not conform to the Sun Microsystems' automounter behavior. The default value is 1 (true), and allows for compatibility with the Sun automounter options specification syntax.
/etc/sysconfig/clock/etc/sysconfig/clock file controls the interpretation of values read from the system hardware clock.
UTC=<value>, where <value>true or yes — The hardware clock is set to Universal Time.
false or no — The hardware clock is set to local time.
ARC=<value>, where <value>false or no — This value indicates that the normal UNIX epoch is in use. Other values are used by systems not supported by Red Hat Enterprise Linux.
SRM=<value>, where <value>false or no — This value indicates that the normal UNIX epoch is in use. Other values are used by systems not supported by Red Hat Enterprise Linux.
ZONE=<filename> — The time zone file under /usr/share/zoneinfo that /etc/localtime is a copy of. The file contains information such as:
ZONE="America/New York"
ZONE é lido pelo Time and Date Properties Tool (system-config-date), e editando manualmente ele não muda o sistema de fuso horário.
CLOCKMODE=<value>, where <value>GMT — The clock is set to Universal Time (Greenwich Mean Time).
ARC — The ARC console's 42-year time offset is in effect (for Alpha-based systems only).
/etc/sysconfig/desktop/etc/sysconfig/desktop file specifies the desktop for new users and the display manager to run when entering runlevel 5.
DESKTOP="<value>", where "<value>" is one of the following:
GNOME — Selects the GNOME desktop environment.
KDE — Selects the KDE desktop environment.
DISPLAYMANAGER="<value>", where "<value>" is one of the following:
GNOME — Selects the GNOME Display Manager.
KDE — Selects the KDE Display Manager.
XDM — Selects the X Display Manager.
/etc/sysconfig/dhcpd/etc/sysconfig/dhcpd file is used to pass arguments to the dhcpd daemon at boot time. The dhcpd daemon implements the Dynamic Host Configuration Protocol (DHCP) and the Internet Bootstrap Protocol (BOOTP). DHCP and BOOTP assign hostnames to machines on the network. For more information about what parameters are available in this file, refer to the dhcpd man page.
/etc/sysconfig/exim/etc/sysconfig/exim file allows messages to be sent to one or more clients, routing the messages over whatever networks are necessary. The file sets the default values for exim to run. Its default values are set to run as a background daemon and to check its queue each hour in case something has backed up.
DAEMON=<value>, where <value>yes — exim should be configured to listen to port 25 for incoming mail. yes implies the use of the Exim's -bd options.
no — exim should not be configured to listen to port 25 for incoming mail.
QUEUE=1h which is given to exim as -q$QUEUE. The -q option is not given to exim if /etc/sysconfig/exim exists and QUEUE is empty or undefined.
/etc/sysconfig/firstboot/sbin/init program calls the etc/rc.d/init.d/firstboot script, which in turn launches the Setup Agent. This application allows the user to install the latest updates as well as additional applications and documentation.
/etc/sysconfig/firstboot file tells the Setup Agent application not to run on subsequent reboots. To run it the next time the system boots, remove /etc/sysconfig/firstboot and execute chkconfig --level 5 firstboot on.
/etc/sysconfig/gpm/etc/sysconfig/gpm file is used to pass arguments to the gpm daemon at boot time. The gpm daemon is the mouse server which allows mouse acceleration and middle-click pasting. For more information about what parameters are available for this file, refer to the gpm man page. By default, the DEVICE directive is set to /dev/input/mice.
/etc/sysconfig/hwconf/etc/sysconfig/hwconf file lists all the hardware that kudzu detected on the system, as well as the drivers used, vendor ID, and device ID information. The kudzu program detects and configures new and/or changed hardware on a system. The /etc/sysconfig/hwconf file is not meant to be manually edited. If edited, devices could suddenly show up as being added or removed.
/etc/sysconfig/i18n/etc/sysconfig/i18n file sets the default language, any supported languages, and the default system font. For example:
LANG="en_US.UTF-8" SUPPORTED="en_US.UTF-8:en_US:en" SYSFONT="latarcyrheb-sun16"
/etc/sysconfig/init/etc/sysconfig/init file controls how the system appears and functions during the boot process.
BOOTUP=<value>, where <value>color — The standard color boot display, where the success or failure of devices and services starting up is shown in different colors.
verbose — An old style display which provides more information than purely a message of success or failure.
RES_COL=<value>, where <value>MOVE_TO_COL=<value>, where <value>RES_COL line via the echo -en command.
SETCOLOR_SUCCESS=<value>, where <value>echo -en command. The default color is set to green.
SETCOLOR_FAILURE=<value>, where <value>echo -en command. The default color is set to red.
SETCOLOR_WARNING=<value>, where <value>echo -en command. The default color is set to yellow.
SETCOLOR_NORMAL=<value>, where <value>echo -en.
LOGLEVEL=<value>, where <value>syslogd daemon overrides this setting once started.
PROMPT=<value>, where <value>yes — Enables the key check for interactive mode.
no — Disables the key check for interactive mode.
/etc/sysconfig/ip6tables-config/etc/sysconfig/ip6tables-config file stores information used by the kernel to set up IPv6 packet filtering at boot time or whenever the ip6tables service is started.
ip6tables rules. Rules also can be created manually using the /sbin/ip6tables command. Once created, add the rules to the /etc/sysconfig/ip6tables file by typing the following command:
service ip6tables saveip6tables, refer to Seção 46.9, “IPTables”.
/etc/sysconfig/iptables-config/etc/sysconfig/iptables-config file stores information used by the kernel to set up packet filtering services at boot time or whenever the service is started.
iptables rules. The easiest way to add rules is to use the Security Level Configuration Tool (system-config-securitylevel) application to create a firewall. These applications automatically edit this file at the end of the process.
/sbin/iptables command. Once created, add the rule(s) to the /etc/sysconfig/iptables file by typing the following command:
service iptables saveiptables, refer to Seção 46.9, “IPTables”.
/etc/sysconfig/irda/etc/sysconfig/irda file controls how infrared devices on the system are configured at startup.
IRDA=<value>, where <value>yes — irattach runs and periodically checks to see if anything is trying to connect to the infrared port, such as another notebook computer trying to make a network connection. For infrared devices to work on the system, this line must be set to yes.
no — irattach does not run, preventing infrared device communication.
DEVICE=<value>, where <value>/dev/ttyS2.
DONGLE=<value>, where <value>actisys+.
DISCOVERY=<value>, where <value>yes — Starts irattach in discovery mode, meaning it actively checks for other infrared devices. This must be turned on for the machine to actively look for an infrared connection (meaning the peer that does not initiate the connection).
no — Does not start irattach in discovery mode.
/etc/sysconfig/keyboard/etc/sysconfig/keyboard file controls the behavior of the keyboard. The following values may be used:
KEYBOARDTYPE="sun|pc" where sun means a Sun keyboard is attached on /dev/kbd, or pc means a PS/2 keyboard connected to a PS/2 port.
KEYTABLE="<file>", where <file>KEYTABLE="us". The files that can be used as keytables start in /lib/kbd/keymaps/i386 and branch into different keyboard layouts from there, all labeled <file>.kmap.gz/lib/kbd/keymaps/i386 that matches the KEYTABLE setting is used.
/etc/sysconfig/kudzu/etc/sysconfig/kuzdu file triggers a safe probe of the system hardware by kudzu at boot time. A safe probe is one that disables serial port probing.
SAFE=<value>, where <value>yes — kuzdu does a safe probe.
no — kuzdu does a normal probe.
/etc/sysconfig/named/etc/sysconfig/named file is used to pass arguments to the named daemon at boot time. The named daemon is a Domain Name System (DNS) server which implements the Berkeley Internet Name Domain (BIND) version 9 distribution. This server maintains a table of which hostnames are associated with IP addresses on the network.
ROOTDIR="</some/where>", where </some/where>named runs. This chroot environment must first be configured. Type info chroot for more information.
OPTIONS="<value>", where <value>named except -t. In place of -t, use the ROOTDIR line above.
named man page. For detailed information on how to configure a BIND DNS server, refer to Capítulo 18, Berkeley Internet Name Domain (BIND). By default, the file contains no parameters.
/etc/sysconfig/network/etc/sysconfig/network file is used to specify information about the desired network configuration. The following values may be used:
NETWORKING=<value>, where <value>yes — Networking should be configured.
no — Networking should not be configured.
HOSTNAME=<value>, where <value>hostname.expample.com, but can be whatever hostname is necessary.
GATEWAY=<value>, where <value>GATEWAYDEV=<value>, where <value>eth0. Configure this option if you have multiple interfaces on the same subnet, and require one of those interfaces to be the preferred route to the default gateway.
NISDOMAIN=<value>, where <value>NOZEROCONF=<valor>, onde configurar o <valor>true exibe a rota zeroconf.
/etc/sysconfig/nfs/etc/sysconfig/nfs file to control which ports the required RPC services run on.
/etc/sysconfig/nfs may not exist by default on all systems. If it does not exist, create it and add the following variables (alternatively, if the file exists, un-comment and change the default entries as required):
MOUNTD_PORT=xx with an unused port number.
STATD_PORT=xx with an unused port number.
LOCKD_TCPPORT=xx with an unused port number.
LOCKD_UDPPORT=xx with an unused port number.
/var/log/messages. Normally, NFS will fail to start if you specify a port number that is already in use. After editing /etc/sysconfig/nfs restart the NFS service by running the service nfs restart command. Run the rpcinfo -p command to confirm the changes.
MOUNTD_PORT="x"
STATD_PORT="x"
LOCKD_TCPPORT="x"
LOCKD_UDPPORT="x"
/etc/sysconfig/ntpd/etc/sysconfig/ntpd file is used to pass arguments to the ntpd daemon at boot time. The ntpd daemon sets and maintains the system clock to synchronize with an Internet standard time server. It implements version 4 of the Network Time Protocol (NTP). For more information about what parameters are available for this file, use a Web browser to view the following file: /usr/share/doc/ntp-<version>/ntpd.htm (where <version> is the version number of ntpd). By default, this file sets the owner of the ntpd process to the user ntp.
/etc/sysconfig/radvd/etc/sysconfig/radvd file is used to pass arguments to the radvd daemon at boot time. The radvd daemon listens for router requests and sends router advertisements for the IP version 6 protocol. This service allows hosts on a network to dynamically change their default routers based on these router advertisements. For more information about available parameters for this file, refer to the radvd man page. By default, this file sets the owner of the radvd process to the user radvd.
/etc/sysconfig/samba/etc/sysconfig/samba file is used to pass arguments to the smbd and the nmbd daemons at boot time. The smbd daemon offers file sharing connectivity for Windows clients on the network. The nmbd daemon offers NetBIOS over IP naming services. For more information about what parameters are available for this file, refer to the smbd man page. By default, this file sets smbd and nmbd to run in daemon mode.
/etc/sysconfig/selinux/etc/sysconfig/selinux file contains the basic configuration options for SELinux. This file is a symbolic link to /etc/selinux/config.
/etc/sysconfig/sendmail/etc/sysconfig/sendmail file allows messages to be sent to one or more clients, routing the messages over whatever networks are necessary. The file sets the default values for the Sendmail application to run. Its default values are set to run as a background daemon and to check its queue each hour in case something has backed up.
DAEMON=<value>, where <value>yes — Sendmail should be configured to listen to port 25 for incoming mail. yes implies the use of Sendmail's -bd options.
no — Sendmail should not be configured to listen to port 25 for incoming mail.
QUEUE=1h which is given to Sendmail as -q$QUEUE. The -q option is not given to Sendmail if /etc/sysconfig/sendmail exists and QUEUE is empty or undefined.
/etc/sysconfig/spamassassin/etc/sysconfig/spamassassin file is used to pass arguments to the spamd daemon (a daemonized version of Spamassassin) at boot time. Spamassassin is an email spam filter application. For a list of available options, refer to the spamd man page. By default, it configures spamd to run in daemon mode, create user preferences, and auto-create whitelists (allowed bulk senders).
/etc/sysconfig/squid/etc/sysconfig/squid file is used to pass arguments to the squid daemon at boot time. The squid daemon is a proxy caching server for Web client applications. For more information on configuring a squid proxy server, use a Web browser to open the /usr/share/doc/squid-<version>/ directory (replace <version> with the squid version number installed on the system). By default, this file sets squid to start in daemon mode and sets the amount of time before it shuts itself down.
/etc/sysconfig/system-config-securitylevel/etc/sysconfig/system-config-securitylevel file contains all options chosen by the user the last time the Security Level Configuration Tool (system-config-securitylevel) was run. Users should not modify this file by hand. For more information about the Security Level Configuration Tool, refer to Seção 46.8.2, “Configurações Básicas de Firewall ”.
/etc/sysconfig/system-config-selinux/etc/sysconfig/system-config-selinux file contains all options chosen by the user the last time the SELinux Administration Tool (system-config-selinux) was run. Users should not modify this file by hand. For more information about the SELinux Administration Tool and SELinux in general, refer to Seção 47.2, “Introdução ao SELinux”.
/etc/sysconfig/system-config-users/etc/sysconfig/system-config-users file is the configuration file for the graphical application, User Manager. This file is used to filter out system users such as root, daemon, or lp. This file is edited by the > pull-down menu in the User Manager application and should never be edited by hand. For more information on using this application, refer to Seção 35.1, “Configuração de Usuário e Grupo”.
/etc/sysconfig/system-logviewer/etc/sysconfig/system-logviewer file is the configuration file for the graphical, interactive log viewing application, Log Viewer. This file is edited by the > pull-down menu in the Log Viewer application and should not be edited by hand. For more information on using this application, refer to Capítulo 38, Arquivos de Registro.
/etc/sysconfig/tux/etc/sysconfig/tux file is the configuration file for the Red Hat Content Accelerator (formerly known as TUX), the kernel-based Web server. For more information on configuring the Red Hat Content Accelerator, use a Web browser to open the /usr/share/doc/tux-<version>/tux/index.html file (replace <version> with the version number of TUX installed on the system). The parameters available for this file are listed in /usr/share/doc/tux-<version>/tux/parameters.html.
/etc/sysconfig/vncservers/etc/sysconfig/vncservers file configures the way the Virtual Network Computing (VNC) server starts up.
VNCSERVERS=<value>, where <value>"1:fred", to indicate that a VNC server should be started for user fred on display :1. User fred must have set a VNC password using the vncpasswd command before attempting to connect to the remote VNC server.
/etc/sysconfig/xinetd/etc/sysconfig/xinetd file is used to pass arguments to the xinetd daemon at boot time. The xinetd daemon starts programs that provide Internet services when a request to the port for that service is received. For more information about available parameters for this file, refer to the xinetd man page. For more information on the xinetd service, refer to Seção 46.5.3, “xinetd”.
/etc/sysconfig/ Directory/etc/sysconfig/.
apm-scripts//etc/sysconfig/apm-scripts/apmcontinue which is called at the end of the script. It is also possible to control the script by editing /etc/sysconfig/apmd.
cbq/networking/system-config-network), and its contents should not be edited manually. For more information about configuring network interfaces using the Network Administration Tool, refer to Capítulo 16, Configuração de Rede.
network-scripts/ifcfg-eth0 for the eth0 Ethernet interface.
ifup and ifdown.
ifup-isdn and ifdown-isdn.
network-scripts directory, refer to Capítulo 15, Network Interfaces.
rhn//etc/sysconfig/ directory. The following source contains more comprehensive information.
/usr/share/doc/initscripts-<version-number>/sysconfig.txt — This file contains a more authoritative listing of the files found in the /etc/sysconfig/ directory and the configuration options available for them. The <version-number> in the path to this file corresponds to the version of the initscripts package installed.
system-config-date, system-config-time, or dateconfig at a shell prompt (for example, in an XTerm or a GNOME terminal).
system-config-keyboard at a shell prompt.
Xorg binary) listens for connections from X client applications via a network or local loopback interface. The server communicates with the hardware, such as the video card, monitor, keyboard, and mouse. X client applications exist in the user-space, creating a graphical user interface (GUI) for the user and passing user requests to the X server.
/usr/ instead of /usr/X11R6. The /etc/X11/ directory contains configuration files for X client and server applications. This includes configuration files for the X server itself, the xfs font server, the X display managers, and many other base components.
/etc/fonts/fonts.conf. For more on configuring and adding fonts, refer to Seção 33.4, “Fontes”.
system-config-display), particularly for devices that are not detected manually.
/etc/X11/xorg.conf. For information about the structure of this file, refer to Seção 33.3, “Arquivos de Configuração de Servidor X”.
kwinmetacitymetacity.
mwmmwm) é um gestor de janela independente e básico. Como é criado para ser um gestor de janela independente, ele não deve ser usado junto com um GNOME ou KDE. Para rodar este gestor de janela, você irá precisar instalar o pacote openmotif.
twmtwm que oferece o conjunto de ferramentas mais básico do que qualquer gestor de janelas, pode ser usado tanto como independente ou com um ambiente de desktop. É instalado como parte de um lançamento X11R7.1.
xinit -e <path-to-window-manager> at the prompt.
<path-to-window-manager>whichwindow-manager-name, onde window-manager-name~]#which twm/usr/bin/twm ~]#xinit -e /usr/bin/twm
twm, o segundo comando inicia o twm.
startx na janela de comandos.
/usr/bin/Xorg). Arquivos de configuração associados estão armazenados no diretório /etc/X11/ ( como um link simbólico — X — que se refere ao /usr/bin/Xorg). O arquivo se configuração para o servidor X é /etc/X11/xorg.conf.
/usr/lib/xorg/modules/ contém módulos do servidor X que podem ser carregados dinamicamente em tempo de execução. Por padrão, somente alguns módulos no /usr/lib/xorg/modules/ são carregados automaticamente pelo servidor X.
/etc/X11/xorg.conf. For more information about loading modules, refer to Seção 33.3.1.5, “Module”.
xorg.conf/etc/X11/xorg.conf file, it is useful to understand the various sections and optional parameters available, especially when troubleshooting.
/etc/X11/xorg.conf file is comprised of many different sections which address specific aspects of the system hardware.
Section "<section-name>" line (where <section-name> is the title for the section) and ends with an EndSection line. Each section contains lines that include option names and one or more option values. These are sometimes enclosed in double quotes (").
#) are not read by the X server and are used for human-readable comments.
/etc/X11/xorg.conf file accept a boolean switch which turns the feature on or off. Acceptable boolean values are:
1, on, true, or yes — Turns the option on.
0, off, false, or no — Turns the option off.
/etc/X11/xorg.conf file. More detailed information about the X server configuration file can be found in the xorg.conf man page.
ServerFlagsServerFlags section contains miscellaneous global X server settings. Any settings in this section may be overridden by options placed in the ServerLayout section (refer to Seção 33.3.1.3, “ServerLayout” for details).
ServerFlags section is on its own line and begins with the term Option followed by an option enclosed in double quotation marks (").
ServerFlags section:
Section "ServerFlags" Option "DontZap" "true" EndSection
"DontZap" "<boolean>" — When the value of <boolean> is set to true, this setting prevents the use of the Ctrl+Alt+Backspace key combination to immediately terminate the X server.
"DontZoom" "<boolean>" — When the value of <boolean> is set to true, this setting prevents cycling through configured video resolutions using the Ctrl+Alt+Keypad-Plus and Ctrl+Alt+Keypad-Minus key combinations.
ServerLayoutServerLayout section binds together the input and output devices controlled by the X server. At a minimum, this section must specify one output device and one input device. By default, a monitor (output device) and keyboard (input device) are specified.
ServerLayout section:
Section "ServerLayout" Identifier "Default Layout" Screen 0 "Screen0" 0 0 InputDevice "Mouse0" "CorePointer" InputDevice "Keyboard0" "CoreKeyboard" EndSection
ServerLayout section:
Identifier — Specifies a unique name for this ServerLayout section.
Screen — Specifies the name of a Screen section to be used with the X server. More than one Screen option may be present.
Screen entry:
Screen 0 "Screen0" 0 0
Screen entry (0) indicates that the first monitor connector or head on the video card uses the configuration specified in the Screen section with the identifier "Screen0".
Screen section with the identifier "Screen0" can be found in Seção 33.3.1.9, “Screen”.
Screen entry with a different number and a different Screen section identifier is necessary .
"Screen0" give the absolute X and Y coordinates for the upper-left corner of the screen (0 0 by default).
InputDevice — Specifies the name of an InputDevice section to be used with the X server.
InputDevice entries: one for the default mouse and one for the default keyboard. The options CorePointer and CoreKeyboard indicate that these are the primary mouse and keyboard.
Option "<option-name>" — An optional entry which specifies extra parameters for the section. Any options listed here override those listed in the ServerFlags section.
<option-name> with a valid option listed for this section in the xorg.conf man page.
ServerLayout no arquivo /etc/X11/xorg.conf. No entanto, por padrão, o servidor somente lê o primeiro que ele encontra.
ServerLayout, ela pode especificar como um argumento de linha de comando ao iniciar uma sessão X.
FilesFiles section sets paths for services vital to the X server, such as the font path. This is an optional section, these paths are normally detected automatically. This section may be used to override any automatically detected defaults.
Files section:
Section "Files" RgbPath "/usr/share/X11/rgb.txt" FontPath "unix/:7100" EndSection
Files section:
RgbPath — Specifies the location of the RGB color database. This database defines all valid color names in X and ties them to specific RGB values.
FontPath — Specifies where the X server must connect to obtain fonts from the xfs font server.
FontPath is unix/:7100. This tells the X server to obtain font information using UNIX-domain sockets for inter-process communication (IPC) on port 7100.
ModulePath — An optional parameter which specifies alternate directories which store X server modules.
Module/usr/lib/xorg/modules/:
extmod
dbe
glx
freetype
type1
record
dri
ModulePath parameter in the Files section. Refer to Seção 33.3.1.4, “Files” for more information on this section.
Module para /etc/X11/xorg.conf instui o servidor X para carregar os módulos listados nesta seção ao invés dosmódulos padrão.
Module section:
Section "Module" Load "fbdevhw" EndSectioninstructs the X server to load the
fbdevhw instead of the default modules.
Module ao /etc/X11/xorg.conf, você precisará especificar quaisquer módulos padrão que você quiser para carregar, assim como módulos extras.
InputDeviceInputDevice section configures one input device for the X server. Systems typically have at least one InputDevice section for the keyboard. It is perfectly normal to have no entry for a mouse, as most mouse settings are automatically detected.
InputDevice section for a keyboard:
Section "InputDevice"
Identifier "Keyboard0"
Driver "kbd"
Option "XkbModel" "pc105"
Option "XkbLayout" "us"
EndSectionInputDevice section:
Identifier — Specifies a unique name for this InputDevice section. This is a required entry.
Driver — Specifies the name of the device driver X must load for the device.
Option — Specifies necessary options pertaining to the device.
xorg.conf:
Protocol — Specifies the protocol used by the mouse, such as IMPS/2.
Device — Specifies the location of the physical device.
Emulate3Buttons — Specifies whether to allow a two-button mouse to act like a three-button mouse when both mouse buttons are pressed simultaneously.
xorg.conf man page for a list of valid options for this section.
MonitorMonitor section configures one type of monitor used by the system. This is an optional entry as well, as most monitors are now automatically detected.
Monitor section for a monitor:
Section "Monitor" Identifier "Monitor0" VendorName "Monitor Vendor" ModelName "DDC Probed Monitor - ViewSonic G773-2" DisplaySize 320 240 HorizSync 30.0 - 70.0 VertRefresh 50.0 - 180.0 EndSection
Monitor section of /etc/X11/xorg.conf. Inappropriate values can damage or destroy a monitor. Consult the monitor's documentation for a listing of safe operating parameters.
Monitor section:
Identifier — Specifies a unique name for this Monitor section. This is a required entry.
VendorName — An optional parameter which specifies the vendor of the monitor.
ModelName — An optional parameter which specifies the monitor's model name.
DisplaySize — An optional parameter which specifies, in millimeters, the physical size of the monitor's picture area.
HorizSync — Specifies the range of horizontal sync frequencies compatible with the monitor in kHz. These values help the X server determine the validity of built-in or specified Modeline entries for the monitor.
VertRefresh — Specifies the range of vertical refresh frequencies supported by the monitor, in kHz. These values help the X server determine the validity of built in or specified Modeline entries for the monitor.
Modeline — An optional parameter which specifies additional video modes for the monitor at particular resolutions, with certain horizontal sync and vertical refresh resolutions. Refer to the xorg.conf man page for a more detailed explanation of Modeline entries.
Option "<option-name>" — An optional entry which specifies extra parameters for the section. Replace <option-name> with a valid option listed for this section in the xorg.conf man page.
DeviceDevice section configures one video card on the system. While one Device section is the minimum, additional instances may occur for each video card installed on the machine.
Device section for a video card:
Section "Device" Identifier "Videocard0" Driver "mga" VendorName "Videocard vendor" BoardName "Matrox Millennium G200" VideoRam 8192 Option "dpms" EndSection
Device section:
Identifier — Specifies a unique name for this Device section. This is a required entry.
Driver — Specifies which driver the X server must load to utilize the video card. A list of drivers can be found in /usr/share/hwdata/videodrivers, which is installed with the hwdata package.
VendorName — An optional parameter which specifies the vendor of the video card.
BoardName — An optional parameter which specifies the name of the video card.
VideoRam — An optional parameter which specifies the amount of RAM available on the video card in kilobytes. This setting is only necessary for video cards the X server cannot probe to detect the amount of video RAM.
BusID — An entry which specifies the bus location of the video card. On systems with only one video card a BusID entry is optional and may not even be present in the default /etc/X11/xorg.conf file. On systems with more than one video card, however, a BusID entry must be present.
Screen — An optional entry which specifies which monitor connector or head on the video card the Device section configures. This option is only useful for video cards with multiple heads.
Device sections must exist and each of these sections must have a different Screen value.
Screen entry must be an integer. The first head on the video card has a value of 0. The value for each additional head increments this value by one.
Option "<option-name>" — An optional entry which specifies extra parameters for the section. Replace <option-name> with a valid option listed for this section in the xorg.conf man page.
"dpms" (for Display Power Management Signaling, a VESA standard), which activates the Service Star energy compliance setting for the monitor.
ScreenScreen section binds one video card (or video card head) to one monitor by referencing the Device section and the Monitor section for each. While one Screen section is the minimum, additional instances may occur for each video card and monitor combination present on the machine.
Screen section:
Section "Screen" Identifier "Screen0" Device "Videocard0" Monitor "Monitor0" DefaultDepth 16 SubSection "Display" Depth 24 Modes "1280x1024" "1280x960" "1152x864" "1024x768" "800x600" "640x480" EndSubSection SubSection "Display" Depth 16 Modes "1152x864" "1024x768" "800x600" "640x480" EndSubSection EndSection
Screen section:
Identifier — Specifies a unique name for this Screen section. This is a required entry.
Device — Specifies the unique name of a Device section. This is a required entry.
Monitor — Specifies the unique name of a Monitor section. This is only required if a specific Monitor section is defined in the xorg.conf file. Normally, monitors are automatically detected.
DefaultDepth — Specifies the default color depth in bits. In the previous example, 16 (which provides thousands of colors) is the default. Only one DefaultDepth is permitted, although this can be overridden with the Xorg command line option -depth <n>,where <n>SubSection "Display" — Specifies the screen modes available at a particular color depth. The Screen section can have multiple Display subsections, which are entirely optional since screen modes are automatically detected.
Option "<option-name>" — An optional entry which specifies extra parameters for the section. Replace <option-name> with a valid option listed for this section in the xorg.conf man page.
DRIDRI section specifies parameters for the Direct Rendering Infrastructure (DRI). DRI is an interface which allows 3D software applications to take advantage of 3D hardware acceleration capabilities built into most modern video hardware. In addition, DRI can improve 2D performance via hardware acceleration, if supported by the video card driver.
xorg.conf irá sobrescrever os padrões.
DRI section:
Section "DRI" Group 0 Mode 0666 EndSection
xfs.
/etc/fonts/fonts.conf configuration file, which should not be edited by hand.
~/.gtkrc.mine:
style "user-font" {
fontset = "<font-specification>"
}
widget_class "*" style "user-font"<font-specification> with a font specification in the style used by traditional X applications, such as -adobe-helvetica-medium-r-normal--*-120-*-*-*-*-*-*. A full list of core fonts can be obtained by running xlsfonts or created interactively using the xfontsel command.
/usr/share/fonts/ directory. It is a good idea to create a new subdirectory, such as local/ or similar, to help distinguish between user-installed and default fonts.
.fonts/ directory in the user's home directory.
fc-cache command to update the font information cache, as in the following example:
fc-cache <path-to-font-directory><path-to-font-directory> with the directory containing the new fonts (either /usr/share/fonts/local/ or /home/<user>/.fonts/).
fonts:/// into the Nautilus address bar, and dragging the new font files there.
.gz extension, it is compressed and cannot be used until uncompressed. To do this, use the gunzip command or double-click the file and drag the font to a directory in Nautilus.
xfs) to provide fonts to X client applications.
FontPath directive within the Files section of the /etc/X11/xorg.conf configuration file. Refer to Seção 33.3.1.4, “Files” for more information about the FontPath entry.
xfs server on a specified port to acquire font information. For this reason, the xfs service must be running for X to start. For more about configuring services for a particular runlevel, refer to Capítulo 17, Controlando Acesso aos Serviços.
xfs Configuration/etc/rc.d/init.d/xfs script starts the xfs server. Several options can be configured within its configuration file, /etc/X11/fs/config.
alternate-servers — Specifies a list of alternate font servers to be used if this font server is not available. A comma must separate each font server in a list.
catalogue — Specifies an ordered list of font paths to use. A comma must separate each font path in a list.
:unscaled immediately after the font path to make the unscaled fonts in that path load first. Then specify the entire path again, so that other scaled fonts are also loaded.
client-limit — Specifies the maximum number of clients the font server services. The default is 10.
clone-self — Allows the font server to clone a new version of itself when the client-limit is hit. By default, this option is on.
default-point-size — Specifies the default point size for any font that does not specify this value. The value for this option is set in decipoints. The default of 120 corresponds to a 12 point font.
default-resolutions — Specifies a list of resolutions supported by the X server. Each resolution in the list must be separated by a comma.
deferglyphs — Specifies whether to defer loading glyphs (the graphic used to visually represent a font). To disable this feature use none, to enable this feature for all fonts use all, or to turn this feature on only for 16-bit fonts use 16.
error-file — Specifies the path and file name of a location where xfs errors are logged.
no-listen — Prevents xfs from listening to particular protocols. By default, this option is set to tcp to prevent xfs from listening on TCP ports for security reasons.
xfs is used to serve fonts over the network, remove this line.
port — Specifies the TCP port that xfs listens on if no-listen does not exist or is commented out.
use-syslog — Specifies whether to use the system error log.
xfsxfs), follow these steps:
/usr/share/fonts/local/ using the following command as root:
mkdir /usr/share/fonts/local//usr/share/fonts/local/ directory is necessary, it must be added to the xfs path using the following command as root:
chkfontpath --add /usr/share/fonts/local//usr/share/fonts/local/ directory
ttmkfdir -d /usr/share/fonts/local/ -o /usr/share/fonts/local/fonts.scalexfs font server configuration file by issuing the following command as root:
service xfs reloadstartx. The startx command is a front-end to the xinit command, which launches the X server (Xorg) and connects X client applications to it. Because the user is already logged into the system at runlevel 3, startx does not launch a display manager or authenticate users. Refer to Seção 33.5.2, “Nível de Execução 5” for more information about display managers.
startx command is executed, it searches for the .xinitrc file in the user's home directory to define the desktop environment and possibly other X client applications to run. If no .xinitrc file is present, it uses the system default /etc/X11/xinit/xinitrc file instead.
xinitrc script then searches for user-defined files and default system files, including .Xresources, .Xmodmap, and .Xkbmap in the user's home directory, and Xresources, Xmodmap, and Xkbmap in the /etc/X11/ directory. The Xmodmap and Xkbmap files, if they exist, are used by the xmodmap utility to configure the keyboard. The Xresources file is read to assign specific preference values to applications.
xinitrc script executes all scripts located in the /etc/X11/xinit/xinitrc.d/ directory. One important script in this directory is xinput.sh, which configures settings such as the default language.
xinitrc script attempts to execute .Xclients in the user's home directory and turns to /etc/X11/xinit/Xclients if it cannot be found. The purpose of the Xclients file is to start the desktop environment or, possibly, just a basic window manager. The .Xclients script in the user's home directory starts the user-specified desktop environment in the .Xclients-default file. If .Xclients does not exist in the user's home directory, the standard /etc/X11/xinit/Xclients script attempts to start another desktop environment, trying GNOME first and then KDE followed by twm.
GNOME — The default display manager for Red Hat Enterprise Linux, GNOME allows the user to configure language settings, shutdown, restart or log in to the system.
KDE — KDE's display manager which allows the user to shutdown, restart or log in to the system.
xdm — A very basic display manager which only lets the user log in to the system.
prefdm script determines the preferred display manager by referencing the /etc/sysconfig/desktop file. A list of options for this file is available in this file:
/usr/share/doc/initscripts-<version-number>/sysconfig.txt<version-number> is the version number of the initscripts package.
/etc/X11/xdm/Xsetup_0 file to set up the login screen. Once the user logs into the system, the /etc/X11/xdm/GiveConsole script runs to assign ownership of the console to the user. Then, the /etc/X11/xdm/Xsession script runs to accomplish many of the tasks normally performed by the xinitrc script when starting X from runlevel 3, including setting system and user resources, as well as running the scripts in the /etc/X11/xinit/xinitrc.d/ directory.
GNOME or KDE display managers by selecting it from the menu item (accessed by selecting System (on the panel) > > > ). If the desktop environment is not specified in the display manager, the /etc/X11/xdm/Xsession script checks the .xsession and .Xclients files in the user's home directory to decide which desktop environment to load. As a last resort, the /etc/X11/xinit/Xclients file is used to select a desktop environment or window manager to use in the same way as runlevel 3.
:0) and logs out, the /etc/X11/xdm/TakeConsole script runs and reassigns ownership of the console to the root user. The original display manager, which continues running after the user logged in, takes control by spawning a new display manager. This restarts the X server, displays a new login window, and starts the entire process over again.
/usr/share/doc/gdm-<version-number>/README (where <version-number> is the version number for the gdm package installed) and the xdm man page.
/usr/share/X11/doc/ — contains detailed documentation on the X Window System architecture, as well as how to get additional information about the Xorg project as a new user.
man xorg.conf — Contains information about the xorg.conf configuration files, including the meaning and syntax for the different sections within the files.
man Xorg — Describes the Xorg display server.
system-config-display at a shell prompt (for example, in an XTerm or GNOME terminal). If the X Window System is not running, a small version of X is started to run the program.
system-config-users RPM package installed. To start the User Manager from the desktop, go to System (on the panel) > > . You can also type the command system-config-users at a shell prompt (for example, in an XTerm or a GNOME terminal).
/bin/bash. The default home directory is /home/<username>/. You can change the home directory that is created for the user, or you can choose not to create the home directory by unselecting Create home directory.
/etc/skel/ directory into the new home directory.
system-config-users). For more information on User Manager, refer to Seção 35.1, “Configuração de Usuário e Grupo”.
useradd, usermod, and userdel — Industry-standard methods of adding, deleting and modifying user accounts
groupadd, groupmod, and groupdel — Industry-standard methods of adding, deleting, and modifying user groups
gpasswd — Industry-standard method of administering the /etc/group file
pwck, grpck — Tools used for the verification of the password, group, and associated shadow files
pwconv, pwunconv — Tools used for the conversion of passwords to shadow passwords and back to standard passwords
useradd are detailed in Tabela 35.1, “useradd Command Line Options”.
useradd Command Line Options| Opção | Descrição |
|---|---|
-c '<comment>'
|
<comment> pode ser substituída por qualquer faixa. Esta opção é geralmente usada para especificar o nome completo de um usuário.
|
-d <home-dir>
|
Home directory to be used instead of default /home/
|
-e <date>
| Data para a conta a ser desabilitada no formato YYYY-MM-DD |
-f <days>
|
Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not be disabled after the password expires.
|
-g <group-name>
| Nome do grupo ou número do grupo para o grupo padrão do usuário. O grupo deve existir antes de ser especificado aqui. |
-G <group-list>
| Lista de nomes de grupos adicionais (além do padrão), separado por vírgulas, do qual o usuário é membro. Os grupos devem existir antes de serem especificados aqui. |
-m
| Criar o diretório pessoal se não existir. |
-M
| Não criar o diretório pessoal. |
-n
| Não criar o grupo privado de usuário para o mesmo. |
-r
| Criar uma conta de sistema com um UID menor do que 500 e sem um diretório pessoal. |
-p <password>
|
The password encrypted with crypt
|
-s
|
User's login shell, which defaults to /bin/bash
|
-u <uid>
| ID de usuário para o usuário, que deve ser único e maior do que 499. |
groupadd:
groupadd <group-name>groupadd are detailed in Tabela 35.2, “groupadd Command Line Options”.
groupadd Command Line Options| Opção | Descrição |
|---|---|
-g <gid>
| ID de Grupo para o grupo, que deve ser único e maior do que 499. |
-r
| Criar um grupo de sistema com um GID menor do que 500. |
-f
|
Quando usado com -g <gid> e já existir o <gid>, ogroupadd escolherá outro <gid> único para o grupo.
|
chage command with an option from Tabela 35.3, “chage Command Line Options”, followed by the username.
chage command. For more information, see Seção 35.6, “Senhas Shadow”.
chage Command Line Options| Opção | Descrição |
|---|---|
-m <days>
| Especifica uma quantia mínima de dias que o usuário deve trocar sua senha. Se o valor for 0, a senha não irá expirar. |
-M <days>
|
Especifica a quantia máxima de dias que uma senha é válida. Quando os dias especificados por esta opção mais os dias especificados na opção -d forem menores do que o dia atual, o usuário deve trocar as senhas antes de usar a conta.
|
-d <days>
| Especifica quantas vezes a senha foi trocada desde 1 de Janeiro de 1970 |
-I <days>
| Especifica quantos dias inativos se passaram desde que a senha expirou, antes de bloquear a conta. Se o valor for 0, a conta não será bloqueada após a senha expirar. |
-E <date>
| Especifica a data em que a conta foi bloqueada, no formato AAAA-MM-DD. Ao invés da data, também pode ser usada a quantia de dias desde 1 de Janeiro de 1970. |
-W <days>
| Especifica quantos dias antes da senha expirar, o usuário deve ser avisado. |
-l
| Lists current account aging settings. |
chage command is followed directly by a username (with no options), it displays the current password aging values and allows them to be changed interactively.
python command. It displays the following:
Python 2.4.3 (#1, Jul 21 2006, 08:46:09) [GCC 4.1.1 20060718 (Red Hat 4.1.1-9)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>>
<password> com a senha para criptografar <salt> e com uma combinação aleatória de ao menos 2 dos seguintes caractéres: qualquer um alfanumérico, a barra (/) ou um ponto (.):
import cryptprint crypt.crypt("<password>","<salt>")
'12CsGd8FRcMSM'.
<encrypted-password> com a saída criptografada do interpretador de Python):
usermod -p "<encrypted-password>" <username>usermod -p "" usernamechage -d 0 usernameuseradd juan is issued on a system that has shadow passwords enabled:
juan is created in /etc/passwd. The line has the following characteristics:
juan.
x for the password field indicating that the system is using shadow passwords.
juan is set to /home/juan/.
/bin/bash.
juan is created in /etc/shadow. The line has the following characteristics:
juan.
!!) appear in the password field of the /etc/shadow file, which locks the account.
-p flag, it is placed in the /etc/shadow file on the new line for the user.
juan is created in /etc/group. A group with the same name as a user is called a user private group. For more information on user private groups, refer to Seção 35.1.1, “Adicionando um Novo Usuário”.
/etc/group has the following characteristics:
juan.
x appears in the password field indicating that the system is using shadow group passwords.
juan in /etc/passwd.
juan is created in /etc/gshadow. The line has the following characteristics:
juan.
!) appears in the password field of the /etc/gshadow file, which locks the group.
juan is created in the /home/ directory. This directory is owned by user juan and group juan. However, it has read, write, and execute privileges only for the user juan. All other permissions are denied.
/etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory.
juan exists on the system. To activate it, the administrator must next assign a password to the account using the passwd command and, optionally, set password aging guidelines.
/etc/passwd file by an Everything installation. The groupid (GID) in this table is the primary group for the user. See Seção 35.4, “Grupos Padrão” for a listing of standard groups.
| Usuário | UID | GID | Diretório Pessoal | Shell |
|---|---|---|---|---|
| root | 0 | 0 |
/root
|
/bin/bash
|
| bin | 1 | 1 |
/bin
|
/sbin/nologin
|
| daemon | 2 | 2 |
/sbin
|
/sbin/nologin
|
| adm | 3 | 4 |
/var/adm
|
/sbin/nologin
|
| lp | 4 | 7 |
/var/spool/lpd
|
/sbin/nologin
|
| sync | 5 | 0 |
/sbin
|
/bin/sync
|
| fechar | 6 | 0 |
/sbin
|
/sbin/shutdown
|
| saltar | 7 | 0 |
/sbin
|
/sbin/halt
|
| correio | 8 | 12 |
/var/spool/mail
|
/sbin/nologin
|
| notícias | 9 | 13 |
/etc/news
| |
| uucp | 10 | 14 |
/var/spool/uucp
|
/sbin/nologin
|
| operador | 11 | 0 |
/root
|
/sbin/nologin
|
| jogos | 12 | 100 |
/usr/games
|
/sbin/nologin
|
| gopher | 13 | 30 |
/var/gopher
|
/sbin/nologin
|
| ftp | 14 | 50 |
/var/ftp
|
/sbin/nologin
|
| ninguém | 99 | 99 |
/
|
/sbin/nologin
|
| rpm | 37 | 37 |
/var/lib/rpm
|
/sbin/nologin
|
| vcsa | 69 | 69 |
/dev
|
/sbin/nologin
|
| dbus | 81 | 81 |
/
|
/sbin/nologin
|
| ntp | 38 | 38 |
/etc/ntp
|
/sbin/nologin
|
| canna | 39 | 39 |
/var/lib/canna
|
/sbin/nologin
|
| nscd | 28 | 28 |
/
|
/sbin/nologin
|
| rpc | 32 | 32 |
/
|
/sbin/nologin
|
| postfix | 89 | 89 |
/var/spool/postfix
|
/sbin/nologin
|
| carteiro | 41 | 41 |
/var/mailman
|
/sbin/nologin
|
| chamado | 25 | 25 |
/var/named
|
/bin/false
|
| amanda | 33 | 6 |
var/lib/amanda/
|
/bin/bash
|
| postgres | 26 | 26 |
/var/lib/pgsql
|
/bin/bash
|
| exim | 93 | 93 |
/var/spool/exim
|
/sbin/nologin
|
| sshd | 74 | 74 |
/var/empty/sshd
|
/sbin/nologin
|
| rpcuser | 29 | 29 |
/var/lib/nfs
|
/sbin/nologin
|
| nsfnobody | 65534 | 65534 |
/var/lib/nfs
|
/sbin/nologin
|
| pvm | 24 | 24 |
/usr/share/pvm3
|
/bin/bash
|
| apache | 48 | 48 |
/var/www
|
/sbin/nologin
|
| xfs | 43 | 43 |
/etc/X11/fs
|
/sbin/nologin
|
| gdm | 42 | 42 |
/var/gdm
|
/sbin/nologin
|
| htt | 100 | 101 |
/usr/lib/im
|
/sbin/nologin
|
| mysql | 27 | 27 |
/var/lib/mysql
|
/bin/bash
|
| webalizer | 67 | 67 |
/var/www/usage
|
/sbin/nologin
|
| correio nulo | 47 | 47 |
/var/spool/mqueue
|
/sbin/nologin
|
| smmsp | 51 | 51 |
/var/spool/mqueue
|
/sbin/nologin
|
| squid | 23 | 23 |
/var/spool/squid
|
/sbin/nologin
|
| ldap | 55 | 55 |
/var/lib/ldap
|
/bin/false
|
| netdump | 34 | 34 |
/var/crash
|
/bin/bash
|
| pcap | 77 | 77 |
/var/arpwatch
|
/sbin/nologin
|
| radiusd | 95 | 95 |
/
|
/bin/false
|
| radvd | 75 | 75 |
/
|
/sbin/nologin
|
| quagga | 92 | 92 |
/var/run/quagga
|
/sbin/login
|
| wnn | 49 | 49 |
/var/lib/wnn
|
/sbin/nologin
|
| dovecot | 97 | 97 |
/usr/libexec/dovecot
|
/sbin/nologin
|
/etc/group file.
| Grupo | GID | Membros |
|---|---|---|
| root | 0 | root |
| bin | 1 | root, bin, daemon |
| daemon | 2 | root, bin, daemon |
| sys | 3 | root, bin, adm |
| adm | 4 | root, adm, daemon |
| tty | 5 | |
| disco | 6 | root |
| lp | 7 | daemon, lp |
| mem | 8 | |
| kmem | 9 | |
| wheel | 10 | root |
| correio | 12 | mail, postfix, exim |
| notícias | 13 | notícias |
| uucp | 14 | uucp |
| man | 15 | |
| jogos | 20 | |
| gopher | 30 | |
| dip | 40 | |
| ftp | 50 | |
| bloquear | 54 | |
| ninguém | 99 | |
| users | 100 | |
| rpm | 37 | |
| utmp | 22 | |
| floppy | 19 | |
| vcsa | 69 | |
| dbus | 81 | |
| ntp | 38 | |
| canna | 39 | |
| nscd | 28 | |
| rpc | 32 | |
| postdrop | 90 | |
| postfix | 89 | |
| carteiro | 41 | |
| exim | 93 | |
| chamado | 25 | |
| postgres | 26 | |
| sshd | 74 | |
| rpcuser | 29 | |
| nfsnobody | 65534 | |
| pvm | 24 | |
| apache | 48 | |
| xfs | 43 | |
| gdm | 42 | |
| htt | 101 | |
| mysql | 27 | |
| webalizer | 67 | |
| correio nulo | 47 | |
| smmsp | 51 | |
| squid | 23 | |
| ldap | 55 | |
| netdump | 34 | |
| pcap | 77 | |
| quaggavt | 102 | |
| quagga | 92 | |
| radvd | 75 | |
| slocate | 21 | |
| wnn | 49 | |
| dovecot | 97 | |
| radiusd | 95 |
/etc/bashrc file. Traditionally on UNIX systems, the umask is set to 022, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator's group, are not allowed to make any modifications. However, under the UPG scheme, this "group protection" is not necessary since every user has their own private group.
/usr/share/emacs/site-lisp/ directory. Some people are trusted to modify the directory, but certainly not everyone is trusted. First create an emacs group, as in the following command:
groupadd emacsemacs group, type:
chown -R root.emacs /usr/share/emacs/site-lispgpasswd command:
gpasswd -a <username> emacschmod 775 /usr/share/emacs/site-lispemacs). Use the following command:
chmod 2775 /usr/share/emacs/site-lispemacs group can create and edit files in the /usr/share/emacs/site-lisp/ directory without the administrator having to change file permissions every time users write new files.
shadow-utils package). Doing so enhances the security of system authentication files. For this reason, the installation program enables shadow passwords by default.
/etc/passwd file to /etc/shadow, which is readable only by the root user.
/etc/login.defs file to enforce security policies.
shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow file, any commands which create or modify password aging information do not work.
chage
gpasswd
/usr/sbin/usermod -e or -f options
/usr/sbin/useradd -e or -f options
man chage — A command to modify password aging policies and account expiration.
man gpasswd — A command to administer the /etc/group file.
man groupadd — A command to add groups.
man grpck — A command to verify the /etc/group file.
man groupdel — A command to remove groups.
man groupmod — A command to modify group membership.
man pwck — A command to verify the /etc/passwd and /etc/shadow files.
man pwconv — A tool to convert standard passwords to shadow passwords.
man pwunconv — A tool to convert shadow passwords to standard passwords.
man useradd — A command to add users.
man userdel — A command to remove users.
man usermod — A command to modify users.
man 5 group — The file containing group information for the system.
man 5 passwd — The file containing user information for the system.
man 5 shadow — The file containing passwords and account expiration information for the system.
system-config-printer at a shell prompt.
) beside a Workgroup to expand it. From the expanded list, select a printer.
computer name/printer share. In Figura 36.5, “Adicionando uma Impressora SMB ”, the computer name is dellbox, while the printer share is r2.
guest para servidores Windows ou nobody para servidores Samba.
lpq. As últimas linhas se parecerão com o seguinte:
lpqRank Owner/ID Class Job Files Size Time active user@localhost+902 A 902 sample.txt 2050 01:20:46
lpq and then use the command lprm job number. For example, lprm 902 would cancel the print job in Exemplo 36.1, “Exemplo de saída do lpq”. You must have proper permissions to cancel a print job. You can not cancel print jobs that were started by other users unless you are logged in as root on the machine to which the printer is attached.
lpr sample.txt imprimirá o arquivo texto sample.txt. O filtro de impressão determina qual o tipo do arquivo e converte-o em um formato que a impressora possa entender.
map lpr — The manual page for the lpr command that allows you to print files from the command line.
man lprm — A página do manual para o utilitário de linha de comando para remover tarefas de impressão da fila de impressão.
man mpage — A página do manual para o utilitário de linha de comando para imprimir páginas múltiplas em uma folha de papel.
man cupsd — A página do manual para o daemon da impressora CUPS.
man cupsd.conf — A página do manual para o arquivo de configuração do daemon da impressora CUPS.
man classes.conf — A página do manual para o arquivo de configuração de classe do CUPS.
locate command is updated daily. A system administrator can use automated tasks to perform periodic backups, monitor the system, run custom scripts, and more.
cron, at, and batch.
vixie-cron RPM package must be installed and the crond service must be running. To determine if the package is installed, use the rpm -q vixie-cron command. To determine if the service is running, use the command /sbin/service crond status.
/etc/crontab, contains the following lines:
SHELL=/bin/bash PATH=/sbin:/bin:/usr/sbin:/usr/bin MAILTO=root HOME=/ # run-parts 01 * * * * root run-parts /etc/cron.hourly 02 4 * * * root run-parts /etc/cron.daily 22 4 * * 0 root run-parts /etc/cron.weekly 42 4 1 * * root run-parts /etc/cron.monthly
SHELL variable tells the system which shell environment to use (in this example the bash shell), while the PATH variable defines the path used to execute commands. The output of the cron tasks are emailed to the username defined with the MAILTO variable. If the MAILTO variable is defined as an empty string (MAILTO=""), email is not sent. The HOME variable can be used to set the home directory to use when executing commands or scripts.
/etc/crontab file represents a task and has the following format:
minute hour day month dayofweek command
minute — any integer from 0 to 59
hour — any integer from 0 to 23
day — any integer from 1 to 31 (must be a valid day if a month is specified)
month — any integer from 1 to 12 (or the short name of the month such as jan or feb)
dayofweek — any integer from 0 to 7, where 0 or 7 represents Sunday (or the short name of the week such as sun or mon)
command — the command to execute (the command can either be a command such as ls /proc >> /tmp/proc or the command to execute a custom script)
1-4 means the integers 1, 2, 3, and 4.
3, 4, 6, 8 indicates those four specific integers.
/<integer>. For example, 0-59/2 can be used to define every other minute in the minute field. Step values can also be used with an asterisk. For instance, the value */3 can be used in the month field to run the task every third month.
/etc/crontab file, the run-parts script executes the scripts in the /etc/cron.hourly/, /etc/cron.daily/, /etc/cron.weekly/, and /etc/cron.monthly/ directories on an hourly, daily, weekly, or monthly basis respectively. The files in these directories should be shell scripts.
/etc/cron.d/ directory. All files in this directory use the same syntax as /etc/crontab. Refer to Exemplo 37.1, “Exemplos de crontab” for examples.
# record the memory usage of the system every monday # at 3:30AM in the file /tmp/meminfo 30 3 * * mon cat /proc/meminfo >> /tmp/meminfo # run custom script the first day of every month at 4:10AM 10 4 1 * * /root/scripts/backup.sh
crontab utility. All user-defined crontabs are stored in the /var/spool/cron/ directory and are executed using the usernames of the users that created them. To create a crontab as a user, login as that user and type the command crontab -e to edit the user's crontab using the editor specified by the VISUAL or EDITOR environment variable. The file uses the same format as /etc/crontab. When the changes to the crontab are saved, the crontab is stored according to username and written to the file /var/spool/cron/username.
/etc/crontab file, the /etc/cron.d/ directory, and the /var/spool/cron/ directory every minute for any changes. If any changes are found, they are loaded into memory. Thus, the daemon does not need to be restarted if a crontab file is changed.
/etc/cron.allow and /etc/cron.deny files are used to restrict access to cron. The format of both access control files is one username on each line. Whitespace is not permitted in either file. The cron daemon (crond) does not have to be restarted if the access control files are modified. The access control files are read each time a user tries to add or delete a cron task.
cron.allow exists, only users listed in it are allowed to use cron, and the cron.deny file is ignored.
cron.allow does not exist, users listed in cron.deny are not allowed to use cron.
/sbin/service crond start. To stop the service, use the command /sbin/service crond stop. It is recommended that you start the service at boot time. Refer to Capítulo 17, Controlando Acesso aos Serviços for details on starting the cron service automatically at boot time.
at command is used to schedule a one-time task at a specific time and the batch command is used to schedule a one-time task to be executed when the systems load average drops below 0.8.
at or batch, the at RPM package must be installed, and the atd service must be running. To determine if the package is installed, use the rpm -q at command. To determine if the service is running, use the command /sbin/service atd status.
at time, where timehora pode ser um dos seguintes:
/usr/share/doc/at-<version>/timespec text file.
at command with the time argument, the at> prompt is displayed. Type the command to execute, press Enter, and type Ctrl+D . Multiple commands can be specified by typing each command followed by the Enter key. After typing all the commands, press Enter to go to a blank line and type Ctrl+D . Alternatively, a shell script can be entered at the prompt, pressing Enter after each line in the script, and typing Ctrl+D on a blank line to exit. If a script is entered, the shell used is the shell set in the user's SHELL environment, the user's login shell, or /bin/sh (whichever is found first).
atq to view pending jobs. Refer to Seção 37.2.3, “Visualizando Trabalhos Pendentes” for more information.
at command can be restricted. For more information, refer to Seção 37.2.5, “Controlando o Acesso a At e Batch” for details.
batch command.
batch command, the at> prompt is displayed. Type the command to execute, press Enter, and type Ctrl+D . Multiple commands can be specified by typing each command followed by the Enter key. After typing all the commands, press Enter to go to a blank line and type Ctrl+D . Alternatively, a shell script can be entered at the prompt, pressing Enter after each line in the script, and typing Ctrl+D on a blank line to exit. If a script is entered, the shell used is the shell set in the user's SHELL environment, the user's login shell, or /bin/sh (whichever is found first). As soon as the load average is below 0.8, the set of commands or script is executed.
atq to view pending jobs. Refer to Seção 37.2.3, “Visualizando Trabalhos Pendentes” for more information.
batch command can be restricted. For more information, refer to Seção 37.2.5, “Controlando o Acesso a At e Batch” for details.
at and batch jobs, use the atq command. The atq command displays a list of pending jobs, with each job on a line. Each line follows the job number, date, hour, job class, and username format. Users can only view their own jobs. If the root user executes the atq command, all jobs for all users are displayed.
at and batch include:
at and batch Command Line Options| Opção | Descrição |
|---|---|
-f
| Lê os comandos ou script a partir de um arquivo ao invés de especificá-los na janela de comandos. |
-m
| Envia e-mail ao usuário quando o trabalho estiver completo. |
-v
| Exibe a hora em que o trabalho será executado. |
/etc/at.allow and /etc/at.deny files can be used to restrict access to the at and batch commands. The format of both access control files is one username on each line. Whitespace is not permitted in either file. The at daemon (atd) does not have to be restarted if the access control files are modified. The access control files are read each time a user tries to execute the at or batch commands.
at and batch commands, regardless of the access control files.
at.allow exists, only users listed in it are allowed to use at or batch, and the at.deny file is ignored.
at.allow does not exist, users listed in at.deny are not allowed to use at or batch.
at service, use the command /sbin/service atd start. To stop the service, use the command /sbin/service atd stop. It is recommended that you start the service at boot time. Refer to Capítulo 17, Controlando Acesso aos Serviços for details on starting the cron service automatically at boot time.
cron man page — overview of cron.
crontab man pages in sections 1 and 5 — The man page in section 1 contains an overview of the crontab file. The man page in section 5 contains the format for the file and some example entries.
/usr/share/doc/at-<version>/timespec contains more detailed information about the times that can be specified for cron jobs.
at man page — description of at and batch and their command line options.
syslogd. A list of log messages maintained by syslogd can be found in the /etc/syslog.conf configuration file.
/var/log/ directory. Some applications such as httpd and samba have a directory within /var/log/ for their log files.
logrotate package contains a cron task that automatically rotates log files according to the /etc/logrotate.conf configuration file and the configuration files in the /etc/logrotate.d/ directory. By default, it is configured to rotate every week and keep four weeks worth of previous log files.
Vi or Emacs. Some log files are readable by all users on the system; however, root privileges are required to read most log files.
gnome-system-log at a shell prompt.
Índice
stap.
stapprobes para maiores detalhes. Todos estes eventos são nomeados utilizando uma sintáxe unificada que parece identificadores com parâmetros parada por ponto.
| Evento | Descrição |
|---|---|
begin
| O início da sessão systemtap |
final
| O final da sessão sistemtap |
kernel.function("sys_open")
| A entrada para a função chamada sys_abrir no kernel. |
syscall.close.return
| O retorno da chamada de sistema fechada. |
module("ext3").statement(0xdeadbeef)
| A instrução direcionada no driver ext3filesystem. |
timer.ms(200)
| Um timer que inicia a cada 200 milisegundos. |
net/socket.c no kernel. O ponto da sonda kernel.function deixa você expressar isto facilmente, uma vez que o systemtap examina as informações depuradas do kernel para relatar o código do objeto ao código de fonte. Funciona como um depurador: se você puder nomear ou acomodá-lo, você poderá sondá-lo. Utilize o kernel.function("*@net/socket.c") para as entradas de funções e o kernel.function("*@net/socket.c").return para as saídas. Note o uso de curingas no nome da função, e a parte @FILENAME subsequente. Você também pode colocar curingas no nome de arquivo e até mesmo adicionar "dois pontos" (:) e um número de linha se você quiser restringir a procura de forma precisa. Como o systemtap irá colocar uma sonda separada em todos os lugares que combinar com um ponto de sonda, alguns curingas podem se expandir para cem, mil sondas, portanto tenha cuidado com o que você pede.
probe apresenta um ponto de sonda, ou uma lista deles separada por vírgula. Os seguintes {e}colchetes fecham o manipulador para todos os pontos de sonda listados.
stap -v FILE. Finalize-o a qualquer momento com ^C. (A opção - v informa ao systemtap para imprimir mais mensagens verbais durante seu processo. Tente a opção -h para ver mais opções).
ps ax command displays a list of current system processes, including processes owned by other users. To display the owner alongside each process, use the ps aux command. This list is a static list; in other words, it is a snapshot of what was running when you invoked the command. If you want a constantly updated list of running processes, use top as described below.
ps output can be long. To prevent it from scrolling off the screen, you can pipe it through less:
ps aux | lessps command in combination with the grep command to see if a process is running. For example, to determine if Emacs is running, use the following command:
ps ax | grep emacstop command displays currently running processes and important information about them including their memory and CPU usage. The list is both real-time and interactive. An example of output from the top command is provided as follows:
top - 15:02:46 up 35 min, 4 users, load average: 0.17, 0.65, 1.00
Tasks: 110 total, 1 running, 107 sleeping, 0 stopped, 2 zombie
Cpu(s): 41.1% us, 2.0% sy, 0.0% ni, 56.6% id, 0.0% wa, 0.3% hi, 0.0% si
Mem: 775024k total, 772028k used, 2996k free, 68468k buffers
Swap: 1048568k total, 176k used, 1048392k free, 441172k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
4624 root 15 0 40192 18m 7228 S 28.4 2.4 1:23.21 X
4926 mhideo 15 0 55564 33m 9784 S 13.5 4.4 0:25.96 gnome-terminal
6475 mhideo 16 0 3612 968 760 R 0.7 0.1 0:00.11 top
4920 mhideo 15 0 20872 10m 7808 S 0.3 1.4 0:01.61 wnck-applet
1 root 16 0 1732 548 472 S 0.0 0.1 0:00.23 init
2 root 34 19 0 0 0 S 0.0 0.0 0:00.00 ksoftirqd/0
3 root 5 -10 0 0 0 S 0.0 0.0 0:00.03 events/0
4 root 6 -10 0 0 0 S 0.0 0.0 0:00.02 khelper
5 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kacpid
29 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kblockd/0
47 root 16 0 0 0 0 S 0.0 0.0 0:01.74 pdflush
50 root 11 -10 0 0 0 S 0.0 0.0 0:00.00 aio/0
30 root 15 0 0 0 0 S 0.0 0.0 0:00.05 khubd
49 root 16 0 0 0 0 S 0.0 0.0 0:01.44 kswapd0top, press the q key.
top commands” contains useful interactive commands that you can use with top. For more information, refer to the top(1) manual page.
top commands| Comando | Descrição |
|---|---|
| Space | Atualizar a tela imediatamente |
| h | Exibir uma tela de ajuda |
| k | Matar (kill) um processo. Você deve indicar o ID do processo e o sinal a ser enviado para ele. |
| n | Alterar o número de processos exibidos. Você deve indicar o número. |
| u | Ordenar por usuário. |
| M | Ordenar por uso da memória. |
| P | Ordenar por uso da CPU. |
top, you can use the GNOME System Monitor. To start it from the desktop, select > > or type gnome-system-monitor at a shell prompt (such as an XTerm). Select the Process Listing tab.
free command displays the total amount of physical memory and swap space for the system as well as the amount of memory that is used, free, shared, in kernel buffers, and cached.
total used free shared buffers cached Mem: 645712 549720 95992 0 176248 224452 -/+ buffers/cache: 149020 496692 Swap: 1310712 0 1310712
free -m shows the same information in megabytes, which are easier to read.
total used free shared buffers cached Mem: 630 536 93 0 172 219 -/+ buffers/cache: 145 485 Swap: 1279 0 1279
free, you can use the GNOME System Monitor. To start it from the desktop, go to > > or type gnome-system-monitor at a shell prompt (such as an XTerm). Click on the Resources tab.
df command reports the system's disk space usage. If you type the command df at a shell prompt, the output looks similar to the following:
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
11675568 6272120 4810348 57% / /dev/sda1
100691 9281 86211 10% /boot
none 322856 0 322856 0% /dev/shmdf -h. The -h argument stands for human-readable format. The output looks similar to the following:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
12G 6.0G 4.6G 57% / /dev/sda1
99M 9.1M 85M 10% /boot
none 316M 0 316M 0% /dev/shm/dev/shm. This entry represents the system's virtual memory file system.
du command displays the estimated amount of space being used by files in a directory. If you type du at a shell prompt, the disk usage for each of the subdirectories is displayed in a list. The grand total for the current directory and subdirectories are also shown as the last line in the list. If you do not want to see the totals for all the subdirectories, use the command du -hs to see only the grand total for the directory in human-readable format. Use the du --help command to see more options.
gnome-system-monitor at a shell prompt (such as an XTerm). Select the File Systems tab to view the system's partitions. The figure below illustrates the File Systems tab.
hwbrowser at a shell prompt. As shown in Figura 40.4, “Hardware Browser”, it displays your CD-ROM devices, diskette drives, hard drives and their partitions, network devices, pointing devices, system devices, and video cards. Click on the category name in the left menu, and the information is displayed.
hal-device-manager. Depending on your installation preferences, the graphical menu above may start this application or the Hardware Browser when clicked. The figure below illustrates the Device Manager window.
lspci command to list all PCI devices. Use the command lspci -v for more verbose information or lspci -vv for very verbose output.
lspci can be used to determine the manufacturer, model, and memory size of a system's video card:
00:00.0 Host bridge: ServerWorks CNB20LE Host Bridge (rev 06) 00:00.1 Host bridge: ServerWorks CNB20LE Host Bridge (rev 06) 00:01.0 VGA compatible controller: S3 Inc. Savage 4 (rev 04) 00:02.0 Ethernet controller: Intel Corp. 82557/8/9 [Ethernet Pro 100] (rev 08) 00:0f.0 ISA bridge: ServerWorks OSB4 South Bridge (rev 50) 00:0f.1 IDE interface: ServerWorks OSB4 IDE Controller 00:0f.2 USB Controller: ServerWorks OSB4/CSB5 OHCI USB Controller (rev 04) 01:03.0 SCSI storage controller: Adaptec AIC-7892P U160/m (rev 02) 01:05.0 RAID bus controller: IBM ServeRAID Controller
lspci is also useful to determine the network card in your system if you do not know the manufacturer or model number.
ps --help — Displays a list of options that can be used with ps.
top manual page — Type man top to learn more about top and its many options.
free manual page — type man free to learn more about free and its many options.
df manual page — Type man df to learn more about the df command and its many options.
du manual page — Type man du to learn more about the du command and its many options.
lspci manual page — Type man lspci to learn more about the lspci command and its many options.
oprofile RPM package must be installed to use this tool.
--separate=library seja usada.
opreport does not associate samples for inline functions' properly — opreport uses a simple address range mechanism to determine which function an address is in. Inline function samples are not attributed to the inline function but rather to the function the inline function was inserted into.
opcontrol --reset to clear out the samples from previous runs.
oprofile package.
| Comando | Decrição |
|---|---|
ophelp
|
Exibe eventos disponíveis do processador do sistema junto a uma breve descrição de cada.
|
opimport
|
Converte o arquivo do banco de dados de amostras de um formato diferente para o formato nativo do sistema. Use esta opção somente ao analisar um banco de dados de amostras de uma arquitetura diferente.
|
opannotate
|
Creates annotated source for an executable if the application was compiled with debugging symbols. Refer to Seção 41.5.4, “Using opannotate” for details.
|
opcontrol
|
Configures what data is collected. Refer to Seção 41.2, “Configurando o OProfile” for details.
|
opreport
|
Retrieves profile data. Refer to Seção 41.5.1, “Using
opreport” for details.
|
oprofiled
|
Roda como um daemon para gravar dados da amostra no disco periodicamente.
|
opcontrol utility to configure OProfile. As the opcontrol commands are executed, the setup options are saved to the /root/.oprofile/daemonrc file.
opcontrol --setup --vmlinux=/usr/lib/debug/lib/modules/`uname -r`/vmlinuxdebuginfo package must be installed (which contains the uncompressed kernel) in order to monitor the kernel.
opcontrol --setup --no-vmlinuxoprofile kernel module, if it is not already loaded, and creates the /dev/oprofile/ directory, if it does not already exist. Refer to Seção 41.6, “Understanding /dev/oprofile/” for details about this directory.
oprofile module can be loaded from it.
| Processador |
cpu_type
| Número de Contadores |
|---|---|---|
| Pentium Pro | i386/ppro | 2 |
| Pentium II | i386/pii | 2 |
| Pentium III | i386/piii | 2 |
| Pentium 4 (não-hyper-threaded) | i386/p4 | 8 |
| Pentium 4 (hyper-threaded) | i386/p4-ht | 4 |
| Athlon | i386/athlon | 4 |
| AMD64 | x86-64/hammer | 4 |
| Itanium | ia64/itanium | 4 |
| Itanium 2 | ia64/itanium2 | 4 |
| TIMER_INT | timer | 1 |
| IBM eServer iSeries and pSeries | timer | 1 |
| ppc64/power4 | 8 | |
| ppc64/power5 | 6 | |
| ppc64/970 | 8 | |
| IBM eServer S/390 and S/390x | timer | 1 |
| IBM eServer zSeries | timer | 1 |
timer is used as the processor type if the processor does not have supported performance monitoring hardware.
timer is used, events cannot be set for any processor because the hardware does not have support for hardware performance counters. Instead, the timer interrupt is used for profiling.
timer is not used as the processor type, the events monitored can be changed, and counter 0 for the processor is set to a time-based event by default. If more than one counter exists on the processor, the counters other than counter 0 are not set to an event by default. The default events monitored are shown in Tabela 41.3, “Eventos Default”.
| Processador | Default Event for Counter | Decrição |
|---|---|---|
| Pentium Pro, Pentium II, Pentium III, Athlon e AMD64 | CPU_CLK_UNHALTED | O relógio do processador não é desligado (halted) |
| Pentium 4 (HT and non-HT) | GLOBAL_POWER_EVENTS | O tempo durante o qual o processador não é parado |
| Itanium 2 | CPU_CYCLES | Ciclos da CPU |
| TIMER_INT | (nenhum) | Amostra de cada interrupção do timer |
| ppc64/power4 | CYCLES | Processor Cycles |
| ppc64/power5 | CYCLES | Processor Cycles |
| ppc64/970 | CYCLES | Processor Cycles |
ls -d /dev/oprofile/[0-9]*ophelpopcontrol:
opcontrol --event=<event-name>:<sample-rate><event-name> with the exact name of the event from ophelp, and replace <sample-rate> with the number of events between samples.
cpu_type is not timer, each event can have a sampling rate set for it. The sampling rate is the number of events between each sample snapshot.
opcontrol --event=<event-name>:<sample-rate><sample-rate> pelo número de eventos a aguardar antes de fazer o 'sampling' novamente. Quanto menor a contagem, mais frequentes as amostras. Para eventos que ocorrem esporadicamente, pode-se precisar de uma contagem menor para capturar as instâncias do evento.
ophelp command. The values for each unit mask are listed in hexadecimal format. To specify more than one unit mask, the hexadecimal values must be combined using a bitwise or operation.
opcontrol --event=<event-name>:<sample-rate>:<unit-mask>opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:0opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:1opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:<kernel>:0opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:<kernel>:1opcontrol --separate=<choice><choice> pode ser uma das seguintes:
none — do not separate the profiles (default)
library — generate per-application profiles for libraries
kernel — generate per-application profiles for the kernel and kernel modules
all — generate per-application profiles for libraries and per-application profiles for the kernel and kernel modules
--separate=library é usada, o nome do arquivo de amostras inclui os nomes dos executáveis, assim como o nome da biblioteca.
oprofile is restarted.
opcontrol --startUsing log file /var/lib/oprofile/oprofiled.log Daemon started. Profiler running.
/root/.oprofile/daemonrc are used.
oprofiled, is started; it periodically writes the sample data to the /var/lib/oprofile/samples/ directory. The log file for the daemon is located at /var/lib/oprofile/oprofiled.log.
opcontrol --shutdown<name> por um nome descritivo único para a sessão corrente:
opcontrol --save=<name>/var/lib/oprofile/samples/name/ is created and the current sample files are copied to it.
oprofiled, collects the samples and writes them to the /var/lib/oprofile/samples/ directory. Before reading the data, make sure all data has been written to this directory by executing the following command as root:
opcontrol --dump/bin/bash becomes:
\{root\}/bin/bash/\{dep\}/\{root\}/bin/bash/CPU_CLK_UNHALTED.100000opreport
opannotate
oparchive can be used to address this problem.
opreportopreport tool provides an overview of all the executables being profiled.
Profiling through timer interrupt TIMER:0| samples| %| ------------------ 25926 97.5212 no-vmlinux 359 1.3504 pi 65 0.2445 Xorg 62 0.2332 libvte.so.4.4.0 56 0.2106 libc-2.3.4.so 34 0.1279 libglib-2.0.so.0.400.7 19 0.0715 libXft.so.2.1.2 17 0.0639 bash 8 0.0301 ld-2.3.4.so 8 0.0301 libgdk-x11-2.0.so.0.400.13 6 0.0226 libgobject-2.0.so.0.400.7 5 0.0188 oprofiled 4 0.0150 libpthread-2.3.4.so 4 0.0150 libgtk-x11-2.0.so.0.400.13 3 0.0113 libXrender.so.1.2.2 3 0.0113 du 1 0.0038 libcrypto.so.0.9.7a 1 0.0038 libpam.so.0.77 1 0.0038 libtermcap.so.2.0.8 1 0.0038 libX11.so.6.2 1 0.0038 libgthread-2.0.so.0.400.7 1 0.0038 libwnck-1.so.4.9.0
opreport man page for a list of available command line options, such as the -r option used to sort the output from the executable with the smallest number of samples to the one with the largest number of samples.
opreport on a Single Executableopreport:
opreport <mode> <executable><executable> deve ser a localidade completa do executável a ser analisado. O <mode> deve ser um dos seguintes:
-lopreport -l /lib/tls/libc-<version>.so:
samples % symbol name 12 21.4286 __gconv_transform_utf8_internal 5 8.9286 _int_malloc 4 7.1429 malloc 3 5.3571 __i686.get_pc_thunk.bx 3 5.3571 _dl_mcount_wrapper_check 3 5.3571 mbrtowc 3 5.3571 memcpy 2 3.5714 _int_realloc 2 3.5714 _nl_intern_locale_data 2 3.5714 free 2 3.5714 strcmp 1 1.7857 __ctype_get_mb_cur_max 1 1.7857 __unregister_atfork 1 1.7857 __write_nocancel 1 1.7857 _dl_addr 1 1.7857 _int_free 1 1.7857 _itoa_word 1 1.7857 calc_eclosure_iter 1 1.7857 fopen@@GLIBC_2.1 1 1.7857 getpid 1 1.7857 memmove 1 1.7857 msort_with_tmp 1 1.7857 strcpy 1 1.7857 strlen 1 1.7857 vfprintf 1 1.7857 write
-r em conjunto com a opção -l.
-i <symbol-name>opreport -l -i __gconv_transform_utf8_internal /lib/tls/libc-<version>.so:
samples % symbol name 12 100.000 __gconv_transform_utf8_internal
-d-l. For example, the following output is from the command opreport -l -d __gconv_transform_utf8_internal /lib/tls/libc-<version>.so:
vma samples % symbol name 00a98640 12 100.000 __gconv_transform_utf8_internal 00a98640 1 8.3333 00a9868c 2 16.6667 00a9869a 1 8.3333 00a986c1 1 8.3333 00a98720 1 8.3333 00a98749 1 8.3333 00a98753 1 8.3333 00a98789 1 8.3333 00a98864 1 8.3333 00a98869 1 8.3333 00a98b08 1 8.3333
-l, exceto que, para cada símbolo, é exibido um endereço usado da memória virtual. Para cada endereço da memória virtual, são apresentados o número de amostras e a porcentagem de amostras realativa ao número total de amostras do símbolo.
-x<symbol-name>session:<name>/var/lib/oprofile/samples/ directory.
~]$ opreport /ext3
CPU: AMD64 processors, speed 797.948 MHz (estimated)
Counted DATA_CACHE_ACCESSES events (Data cache accesses) with a unit mask of 0x00 (No unit mask) count 500000
Counted DATA_CACHE_MISSES events (Data cache misses) with a unit mask of 0x00 (No unit mask) count 500000
DATA_CACHE_ACC...|DATA_CACHE_MIS...|
samples| %| samples| %|
------------------------------------
148721 100.000 1493 100.000 ext3~]# ln -s /lib/modules/`uname -r`/kernel/fs/ext3/ext3.ko /ext3
Then the detailed information can be obtained with:
~]# opreport image:/ext3 -l|more
warning: could not check that the binary file /ext3 has not been modified since the profile was taken. Results may be inaccurate.
CPU: AMD64 processors, speed 797.948 MHz (estimated)
Counted DATA_CACHE_ACCESSES events (Data cache accesses) with a unit mask of 0x00 (No unit mask) count 500000
Counted DATA_CACHE_MISSES events (Data cache misses) with a unit mask of 0x00 (No unit mask) count 500000
samples % samples % symbol name
16728 11.2479 7 0.4689 ext3_group_sparse
16454 11.0637 4 0.2679 ext3_count_free_blocks
14583 9.8056 51 3.4159 ext3_fill_super
8281 5.5681 129 8.6403 ext3_ioctl
7810 5.2514 62 4.1527 ext3_write_info
7286 4.8991 67 4.4876 ext3_ordered_writepage
6509 4.3767 130 8.7073 ext3_new_inode
6378 4.2886 156 10.4488 ext3_new_block
5932 3.9887 87 5.8272 ext3_xattr_block_list
...opannotateopannotate tool tries to match the samples for particular instructions to the corresponding lines in the source code. The resulting files generated should have the samples for the lines at the left. It also puts in a comment at the beginning of each function listing the total samples for the function.
-g option. By default, Red Hat Enterprise Linux packages are not compiled with this option.
opannotate is as follows:
opannotate --search-dirs <src-dir> --source <executable>opannotate man page for a list of additional command line options.
/dev/oprofile//dev/oprofile/ directory contains the file system for OProfile. Use the cat command to display the values of the virtual files in this file system. For example, the following command displays the type of processor OProfile detected:
cat /dev/oprofile/cpu_type/dev/oprofile/ for each counter. For example, if there are 2 counters, the directories /dev/oprofile/0/ and dev/oprofile/1/ exist.
count — The interval between samples.
enabled — If 0, the counter is off and no samples are collected for it; if 1, the counter is on and samples are being collected for it.
event — The event to monitor.
kernel — If 0, samples are not collected for this counter event when the processor is in kernel-space; if 1, samples are collected even if the processor is in kernel-space.
unit_mask — Defines which unit masks are enabled for the counter.
user — If 0, samples are not collected for the counter event when the processor is in user-space; if 1, samples are collected even if the processor is in user-space.
cat command. For example:
cat /dev/oprofile/0/countopreport can be used to determine how much processor time an application or service uses. If the system is used for multiple services but is under performing, the services consuming the most processor time can be moved to dedicated systems.
CPU_CLK_UNHALTED event can be monitored to determine the processor load over a given period of time. This data can then be used to determine if additional processors or a faster processor might improve system performance.
oprof_start command as root at a shell prompt. To use the graphical interface, you will need to have the oprofile-gui package installed.
/root/.oprofile/daemonrc, and the application exits. Exiting the application does not stop OProfile from sampling.
oprof_start interface
vmlinux file for the kernel to monitor in the Kernel image file text field. To configure OProfile not to monitor the kernel, select No kernel image.
oprofiled daemon log includes more information.
opcontrol --separate=kernel command. If Per-application shared libs samples files is selected, OProfile generates per-application profiles for libraries. This is equivalent to the opcontrol --separate=library command.
opcontrol --dump command.
/usr/share/doc/oprofile-<version>/oprofile.html — OProfile Manual
oprofile man page — Discusses opcontrol, opreport, opannotate, and ophelp
Índice
yum command. The Package Management Tool automatically queries the Red Hat Enterprise Linux servers and determines which packages need to be updated on your machine, including the kernel. This chapter is only useful for those individuals that require manual updating of kernel packages, without using the yum command.
yum is highly recommended by Red Hat for installing upgraded kernels.
yum, refer to Capítulo 14, Product Subscriptions and Entitlements.
kernel — Contains the kernel for multi-processor systems. For x86 system, only the first 4GB of RAM is used. As such, x86 systems with over 4GB of RAM should use the kernel-PAE.
kernel-devel — Contains the kernel headers and makefiles sufficient to build modules against the kernel package.
kernel-PAE (only for i686 systems) — This package offers the following key configuration option (in addition to the options already enabled for the kernel package):
kernel-hugemem package) is able to reliably address all 64GB of memory. Additionally, the Red Hat Enterprise Linux 5 PAE variant does not allow 4GB of addressable memory per-process like the Red Hat Enterprise Linux 4 kernel-hugemem variant does. However, the x86_64 kernel does not suffer from any of these limitations, and is the suggested Red Hat Enterprise Linux 5 architecture to use with large-memory systems.
kernel-PAE-devel — Contains the kernel headers and makefiles required to build modules against the kernel-PAE package.
kernel-doc — Contains documentation files from the kernel source. Various portions of the Linux kernel and the device drivers shipped with it are documented in these files. Installation of this package provides a reference to the options that can be passed to Linux kernel modules at load time.
/usr/share/doc/kernel-doc-<version>/ directory.
kernel-headers — Inclui os arquivos de cabeçalho C que especificam a interface entre o kernel Linux e as bibliotecas de userspace e programas. Os arquivos de cabeçalho definem as estruturas e constâncias que são necessárias para construir a maioria dos programas padrão.
kernel-xen — Inclui a versão do kernel do Linux que é necessária para rodar o componente de Virtualização.
kernel-xen-devel — Contém cabeçalhos do kernel e makefiles necessários para construir módulos no pacote kernel-xen.
kernel-source package has been removed and replaced with an RPM that can only be retrieved from Red Hat Network. This *.src.rpm package must then be rebuilt locally using the rpmbuild command. For more information on obtaining and installing the kernel source package, refer to the latest updated Release Notes (including all updates) at http://www.redhat.com/docs/manuals/enterprise/
/sbin/mkbootdisk `uname -r` at a shell prompt.
mkbootdisk man page for more options. You can create bootable media via CD-Rs, CD-RWs, and USB flash drives, provided that your system BIOS also supports it.
rpm -qa | grep kernel at a shell prompt:
kernel-2.6.9-5.EL kernel-devel-2.6.9-5.EL kernel-utils-2.6.9-5.EL kernel-doc-2.6.9-5.EL kernel-smp-2.6.9-5.EL kernel-smp-devel-2.6.9-5.EL kernel-hugemem-devel-2.6.9-5.EL
kernel package. Refer to Seção 42.1, “Visão Geral dos Pacotes do Kernel” for descriptions of the different packages.
<variant>-<version>.<arch>.rpm, where <variant> is one of either PAE, xen, and so forth. The <arch> is one of the following:
x86_64 for the AMD64 and Intel EM64T architectures
ia64 for the Intel® Itanium™ architecture
ppc64 for the IBM® eServer™ pSeries™ architecture
s390 for the IBM® S/390® architecture
s390x for the IBM® eServer™ System z® architecture
i686 for Intel® Pentium® II, Intel® Pentium® III, Intel® Pentium® 4, AMD Athlon®, and AMD Duron® systems
-i argument with the rpm command to keep the old kernel. Do not use the -U option, since it overwrites the currently installed kernel, which creates boot loader problems. For example:
rpm -ivh kernel-<kernel version>.<arch>.rpm
/etc/fstab, an initial RAM disk is needed. The initial RAM disk allows a modular kernel to have access to modules that it might need to boot from before the kernel has access to the device where the modules normally reside.
mkinitrd command. However, this step is performed automatically if the kernel and its associated packages are installed or upgraded from the RPM packages distributed by Red Hat; in such cases, you do not need to create the initial RAM disk manually. To verify that an initial RAM disk already exists, use the command ls -l /boot to make sure the initrd-<version>.img file was created (the version should match the version of the kernel just installed).
vmlinux file are combined into one file, which is created with the addRamDisk command. This step is performed automatically if the kernel and its associated packages are installed or upgraded from the RPM packages distributed by Red Hat, Inc.; thus, it does not need to be executed manually. To verify that it was created, use the command ls -l /boot to make sure the /boot/vmlinitrd-<kernel-version> file already exists (the <kernel-version> kernel RPM package configures the boot loader to boot the newly installed kernel (except for IBM eServer iSeries systems). However, it does not configure the boot loader to boot the new kernel by default.
/boot/grub/grub.conf contains a title section with the same version as the kernel package just installed
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hda2
# initrd /initrd-version.img
#boot=/dev/hda
default=1 timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Enterprise Linux (2.6.9-5.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-5.EL ro root=LABEL=/
initrd /initrd-2.6.9-5.EL.img
title Red Hat Enterprise Linux (2.6.9-1.906_EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-1.906_EL ro root=LABEL=/
initrd /initrd-2.6.9-1.906_EL.img/boot/ partition was created, the paths to the kernel and initrd image are relative to /boot/.
default variable to the title section number for the title section that contains the new kernel. The count starts with 0. For example, if the new kernel is the first title section, set default to 0.
/boot/efi/EFI/redhat/elilo.conf as the configuration file. Confirm that this file contains an image section with the same version as the kernel package just installed:
prompt timeout=50 default=old image=vmlinuz-2.6.9-5.EL
label=linux
initrd=initrd-2.6.9-5.EL.img read-only
append="root=LABEL=/" image=vmlinuz-2.6.9-1.906_EL
label=old
initrd=initrd-2.6.9-1.906.img read-only
append="root=LABEL=/"default variable to the value of the label for the image section that contains the new kernel.
/etc/zipl.conf as the configuration file. Confirm that the file contains a section with the same version as the kernel package just installed:
[defaultboot] default=old target=/boot/
[linux]
image=/boot/vmlinuz-2.6.9-5.EL
ramdisk=/boot/initrd-2.6.9-5.EL.img
parameters="root=LABEL=/"
[old]
image=/boot/vmlinuz-2.6.9-1.906_EL
ramdisk=/boot/initrd-2.6.9-1.906_EL.img
parameters="root=LABEL=/"default variable to the name of the section that contains the new kernel. The first line of each section contains the name in brackets.
/sbin/zipl as root to enable the changes.
/boot/vmlinitrd-<kernel-version> file is installed when you upgrade the kernel. However, you must use the dd command to configure the system to boot the new kernel:
cat /proc/iSeries/mf/side to determine the default side (either A, B, or C).
<versão-do-kernel> é a versão do kernel novo e <lado> é o lado do comando anterior:
dd if=/boot/vmlinitrd-<kernel-version> of=/proc/iSeries/mf/<side>/vmlinux bs=8k
/etc/aboot.conf as the configuration file. Confirm that the file contains an image section with the same version as the kernel package just installed:
boot=/dev/sda1 init-message=Welcome to Red Hat Enterprise Linux! Hit <TAB> for boot options
partition=2 timeout=30 install=/usr/lib/yaboot/yaboot delay=10 nonvram
image=/vmlinux--2.6.9-5.EL
label=old
read-only
initrd=/initrd--2.6.9-5.EL.img
append="root=LABEL=/"
image=/vmlinux-2.6.9-5.EL
label=linux
read-only
initrd=/initrd-2.6.9-5.EL.img
append="root=LABEL=/"default and set it to the label of the image stanza that contains the new kernel.
kernel-smp-unsupported-<kernel-version> and kernel-hugemem-unsupported-<kernel-version> . Replace <kernel-version> with the version of the kernel installed on the system. These packages are not installed by the Red Hat Enterprise Linux installation program, and the modules provided are not supported by Red Hat, Inc.
module-init-tools package is installed. Use these commands to determine if a module has been loaded successfully or when trying different modules for a piece of new hardware.
/sbin/lsmod displays a list of currently loaded modules. For example:
Module Size Used by tun 11585 1 autofs4 21573 1 hidp 16193 2 rfcomm 37849 0 l2cap 23873 10 hidp,rfcomm bluetooth 50085 5 hidp,rfcomm,l2cap sunrpc 153725 1 dm_mirror 29073 0 dm_mod 57433 1 dm_mirror video 17221 0 sbs 16257 0 i2c_ec 5569 1 sbs container 4801 0 button 7249 0 battery 10565 0 asus_acpi 16857 0 ac 5701 0 ipv6 246113 12 lp 13065 0 parport_pc 27493 1 parport 37001 2 lp,parport_pc uhci_hcd 23885 0 floppy 57317 1 sg 34653 0 snd_ens1371 26721 1 gameport 16073 1 snd_ens1371 snd_rawmidi 24897 1 snd_ens1371 snd_ac97_codec 91360 1 snd_ens1371 snd_ac97_bus 2753 1 snd_ac97_codec snd_seq_dummy 4293 0 snd_seq_oss 32705 0 serio_raw 7493 0 snd_seq_midi_event 8001 1 snd_seq_oss snd_seq 51633 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event snd_seq_device 8781 4 snd_rawmidi,snd_seq_dummy,snd_seq_oss,snd_seq snd_pcm_oss 42849 0 snd_mixer_oss 16833 1 snd_pcm_oss snd_pcm 76485 3 snd_ens1371,snd_ac97_codec,snd_pcm_oss snd_timer 23237 2 snd_seq,snd_pcm snd 52933 12 snd_ens1371,snd_rawmidi,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer soundcore 10145 1 snd i2c_piix4 8909 0 ide_cd 38625 3 snd_page_alloc 10569 1 snd_pcm i2c_core 21697 2 i2c_ec,i2c_piix4 pcnet32 34117 0 cdrom 34913 1 ide_cd mii 5825 1 pcnet32 pcspkr 3521 0 ext3 129737 2 jbd 58473 1 ext3 mptspi 17353 3 scsi_transport_spi 25025 1 mptspi mptscsih 23361 1 mptspi sd_mod 20929 16 scsi_mod 134121 5 sg,mptspi,scsi_transport_spi,mptscsih,sd_mod mptbase 52193 2 mptspi,mptscsih
/sbin/lsmod output is less verbose and easier to read than the output from viewing /proc/modules.
/sbin/modprobe command followed by the kernel module name. By default, modprobe attempts to load the module from the /lib/modules/<kernel-version>/kernel/drivers/ subdirectories. There is a subdirectory for each type of module, such as the net/ subdirectory for network interface drivers. Some kernel modules have module dependencies, meaning that other modules must be loaded first for it to load. The /sbin/modprobe command checks for these dependencies and loads the module dependencies before loading the specified module.
modprobe e100e100 module.
/sbin/modprobe executes them, use the -v option. For example:
modprobe -v e100insmod /lib/modules/2.6.9-5.EL/kernel/drivers/net/e100.ko Using /lib/modules/2.6.9-5.EL/kernel/drivers/net/e100.ko Symbol version prefix 'smp_'
/sbin/insmod command also exists to load kernel modules; however, it does not resolve dependencies. Thus, it is recommended that the /sbin/modprobe command be used.
/sbin/rmmod command followed by the module name. The rmmod utility only unloads modules that are not in use and that are not a dependency of other modules in use.
rmmod e100e100 kernel module.
modinfo. Use the command /sbin/modinfo to display information about a kernel module. The general syntax is:
modinfo [options] <module>-d, which displays a brief description of the module, and -p, which lists the parameters the module supports. For a complete list of options, refer to the modinfo man page (man modinfo).
/etc/modprobe.conf file. However, it is sometimes necessary to explicitly force the loading of a module at boot time.
/etc/rc.modules file at boot time, which contains various commands to load modules. The rc.modules should be used, and not rc.local because rc.modules is executed earlier in the boot process.
foo module at boot time (as root):
echo modprobe foo >> /etc/rc.moduleschmod +x /etc/rc.modules
e100 driver with the e100_speed_duplex=4 option.
modinfo command is also useful for listing various information about a kernel module, such as version, dependencies, parameter options, and aliases.
| Hardware | Module | Parameters |
|---|---|---|
| 3ware Storage Controller and 9000 series |
3w-xxxx.ko, 3w-9xxx.ko
| |
| Adaptec Advanced Raid Products, Dell PERC2, 2/Si, 3/Si, 3/Di, HP NetRAID-4M, IBM ServeRAID, and ICP SCSI driver |
aacraid.ko
|
nondasd — Control scanning of hba for nondasd devices. 0=off, 1=on
dacmode — Control whether dma addressing is using 64 bit DAC. 0=off, 1=on
commit — Control whether a COMMIT_CONFIG is issued to the adapter for foreign arrays. This is typically needed in systems that do not have a BIOS. 0=off, 1=on
startup_timeout — The duration of time in seconds to wait for adapter to have it's kernel up and running. This is typically adjusted for large systems that do not have a BIOS
aif_timeout — The duration of time in seconds to wait for applications to pick up AIFs before deregistering them. This is typically adjusted for heavily burdened systems.
numacb — Request a limit to the number of adapter control blocks (FIB) allocated. Valid values are 512 and down. Default is to use suggestion from Firmware.
acbsize — Request a specific adapter control block (FIB) size. Valid values are 512, 2048, 4096 and 8192. Default is to use suggestion from Firmware.
|
| Adaptec 28xx, R9xx, 39xx AHA-284x, AHA-29xx, AHA-394x, AHA-398x, AHA-274x, AHA-274xT, AHA-2842, AHA-2910B, AHA-2920C, AHA-2930/U/U2, AHA-2940/W/U/UW/AU/, U2W/U2/U2B/, U2BOEM, AHA-2944D/WD/UD/UWD, AHA-2950U2/W/B, AHA-3940/U/W/UW/, AUW/U2W/U2B, AHA-3950U2D, AHA-3985/U/W/UW, AIC-777x, AIC-785x, AIC-786x, AIC-787x, AIC-788x , AIC-789x, AIC-3860 |
aic7xxx.ko
|
verbose — Enable verbose/diagnostic logging
allow_memio — Allow device registers to be memory mapped
debug — Bitmask of debug values to enable
no_probe — Toggle EISA/VLB controller probing
probe_eisa_vl — Toggle EISA/VLB controller probing
no_reset — Supress initial bus resets
extended — Enable extended geometry on all controllers
periodic_otag — Send an ordered tagged transaction periodically to prevent tag starvation. This may be required by some older disk drives or RAID arrays.
tag_info:<tag_str> — Set per-target tag depth
global_tag_depth:<int> — Global tag depth for every target on every bus
seltime:<int> — Selection Timeout (0/256ms,1/128ms,2/64ms,3/32ms)
|
| IBM ServeRAID |
ips.ko
| |
| LSI Logic MegaRAID Mailbox Driver |
megaraid_mbox.ko
|
unconf_disks — Set to expose unconfigured disks to kernel (default=0)
busy_wait — Max wait for mailbox in microseconds if busy (default=10)
max_sectors — Maximum number of sectors per IO command (default=128)
cmd_per_lun — Maximum number of commands per logical unit (default=64)
fast_load — Faster loading of the driver, skips physical devices! (default=0)
debug_level — Debug level for driver (default=0)
|
| Emulex LightPulse Fibre Channel SCSI driver |
lpfc.ko
|
lpfc_poll — FCP ring polling mode control: 0 - none, 1 - poll with interrupts enabled 3 - poll and disable FCP ring interrupts
lpfc_log_verbose — Verbose logging bit-mask
lpfc_lun_queue_depth — Max number of FCP commands we can queue to a specific LUN
lpfc_hba_queue_depth — Max number of FCP commands we can queue to a lpfc HBA
lpfc_scan_down — Start scanning for devices from highest ALPA to lowest
lpfc_nodev_tmo — Seconds driver will hold I/O waiting for a device to come back
lpfc_topology — Select Fibre Channel topology
lpfc_link_speed — Select link speed
lpfc_fcp_class — Select Fibre Channel class of service for FCP sequences
lpfc_use_adisc — Use ADISC on rediscovery to authenticate FCP devices
lpfc_ack0 — Enable ACK0 support
lpfc_cr_delay — A count of milliseconds after which an interrupt response is generated
lpfc_cr_count — A count of I/O completions after which an interrupt response is generated
lpfc_multi_ring_support — Determines number of primary SLI rings to spread IOCB entries across
lpfc_fdmi_on — Enable FDMI support
lpfc_discovery_threads — Maximum number of ELS commands during discovery
lpfc_max_luns — Maximum allowed LUN
lpfc_poll_tmo — Milliseconds driver will wait between polling FCP ring
|
| HP Smart Array | cciss.ko | |
| LSI Logic MPT Fusion | mptbase.ko mptctl.ko mptfc.ko mptlan.ko mptsas.ko mptscsih.ko mptspi.ko |
mpt_msi_enable — MSI Support Enable
mptfc_dev_loss_tmo — Initial time the driver programs the transport to wait for an rport to return following a device loss event.
mpt_pt_clear — Clear persistency table
mpt_saf_te — Force enabling SEP Processor
|
| QLogic Fibre Channel Driver | qla2xxx.ko |
ql2xlogintimeout — Login timeout value in seconds.
qlport_down_retry — Maximum number of command retries to a port that returns a PORT-DOWN status
ql2xplogiabsentdevice — Option to enable PLOGI to devices that are not present after a Fabric scan.
ql2xloginretrycount — Specify an alternate value for the NVRAM login retry count.
ql2xallocfwdump — Option to enable allocation of memory for a firmware dump during HBA initialization. Default is 1 - allocate memory.
extended_error_logging — Option to enable extended error logging.
ql2xfdmienable — Enables FDMI registrations.
|
| NCR, Symbios and LSI 8xx and 1010 | sym53c8xx |
cmd_per_lun — The maximum number of tags to use by default
tag_ctrl — More detailed control over tags per LUN
burst — Maximum burst. 0 to disable, 255 to read from registers
led — Set to 1 to enable LED support
diff — 0 for no differential mode, 1 for BIOS, 2 for always, 3 for not GPIO3
irqm — 0 for open drain, 1 to leave alone, 2 for totem pole
buschk — 0 to not check, 1 for detach on error, 2 for warn on error
hostid — The SCSI ID to use for the host adapters
verb — 0 for minimal verbosity, 1 for normal, 2 for excessive
debug — Set bits to enable debugging
settle — Settle delay in seconds. Default 3
nvram — Option currently not used
excl — List ioport addresses here to prevent controllers from being attached
safe — Set other settings to a "safe mode"
|
ethtool or mii-tool. Only after these tools fail to work should module parameters be adjusted. Module parameters can be viewed using the modinfo command.
ethtool, mii-tool, and modinfo.
| Hardware | Module | Parameters |
|---|---|---|
| 3Com EtherLink PCI III/XL Vortex (3c590, 3c592, 3c595, 3c597) Boomerang (3c900, 3c905, 3c595) |
3c59x.ko
|
debug — 3c59x debug level (0-6)
options — 3c59x: Bits 0-3: media type, bit 4: bus mastering, bit 9: full duplex
global_options — 3c59x: same as options, but applies to all NICs if options is unset
full_duplex — 3c59x full duplex setting(s) (1)
global_full_duplex — 3c59x: same as full_duplex, but applies to all NICs if full_duplex is unset
hw_checksums — 3c59x Hardware checksum checking by adapter(s) (0-1)
flow_ctrl — 3c59x 802.3x flow control usage (PAUSE only) (0-1)
enable_wol — 3c59x: Turn on Wake-on-LAN for adapter(s) (0-1)
global_enable_wol — 3c59x: same as enable_wol, but applies to all NICs if enable_wol is unset
rx_copybreak — 3c59x copy breakpoint for copy-only-tiny-frames
max_interrupt_work — 3c59x maximum events handled per interrupt
compaq_ioaddr — 3c59x PCI I/O base address (Compaq BIOS problem workaround)
compaq_irq — 3c59x PCI IRQ number (Compaq BIOS problem workaround)
compaq_device_id — 3c59x PCI device ID (Compaq BIOS problem workaround)
watchdog — 3c59x transmit timeout in milliseconds
global_use_mmio — 3c59x: same as use_mmio, but applies to all NICs if options is unset
use_mmio — 3c59x: use memory-mapped PCI I/O resource (0-1)
|
| RTL8139, SMC EZ Card Fast Ethernet, RealTek cards using RTL8129, or RTL8139 Fast Ethernet chipsets |
8139too.ko
| |
| Broadcom 4400 10/100 PCI ethernet driver |
b44.ko
|
b44_debug — B44 bitmapped debugging message enable value
|
| Broadcom NetXtreme II BCM5706/5708 Driver |
bnx2.ko
|
disable_msi — Disable Message Signaled Interrupt (MSI)
|
| Intel Ether Express/100 driver |
e100.ko
|
debug — Debug level (0=none,...,16=all)
eeprom_bad_csum_allow — Allow bad eeprom checksums
|
| Intel EtherExpress/1000 Gigabit |
e1000.ko
|
TxDescriptors — Number of transmit descriptors
RxDescriptors — Number of receive descriptors
Speed — Speed setting
Duplex — Duplex setting
AutoNeg — Advertised auto-negotiation setting
FlowControl — Flow Control setting
XsumRX — Disable or enable Receive Checksum offload
TxIntDelay — Transmit Interrupt Delay
TxAbsIntDelay — Transmit Absolute Interrupt Delay
RxIntDelay — Receive Interrupt Delay
RxAbsIntDelay — Receive Absolute Interrupt Delay
InterruptThrottleRate — Interrupt Throttling Rate
SmartPowerDownEnable — Enable PHY smart power down
KumeranLockLoss — Enable Kumeran lock loss workaround
|
| Myricom 10G driver (10GbE) |
myri10ge.ko
|
myri10ge_fw_name — Firmware image name
myri10ge_ecrc_enable — Enable Extended CRC on PCI-E
myri10ge_max_intr_slots — Interrupt queue slots
myri10ge_small_bytes — Threshold of small packets
myri10ge_msi — Enable Message Signalled Interrupts
myri10ge_intr_coal_delay — Interrupt coalescing delay
myri10ge_flow_control — Pause parameter
myri10ge_deassert_wait — Wait when deasserting legacy interrupts
myri10ge_force_firmware — Force firmware to assume aligned completions
myri10ge_skb_cross_4k — Can a small skb cross a 4KB boundary?
myri10ge_initial_mtu — Initial MTU
myri10ge_napi_weight — Set NAPI weight
myri10ge_watchdog_timeout — Set watchdog timeout
myri10ge_max_irq_loops — Set stuck legacy IRQ detection threshold
|
| NatSemi DP83815 Fast Ethernet |
natsemi.ko
|
mtu — DP8381x MTU (all boards)
debug — DP8381x default debug level
rx_copybreak — DP8381x copy breakpoint for copy-only-tiny-frames
options — DP8381x: Bits 0-3: media type, bit 17: full duplex
full_duplex — DP8381x full duplex setting(s) (1)
|
| AMD PCnet32 and AMD PCnetPCI |
pcnet32.ko
| |
| PCnet32 and PCnetPCI |
pcnet32.ko
|
debug — pcnet32 debug level
max_interrupt_work — pcnet32 maximum events handled per interrupt
rx_copybreak — pcnet32 copy breakpoint for copy-only-tiny-frames
tx_start_pt — pcnet32 transmit start point (0-3)
pcnet32vlb — pcnet32 Vesa local bus (VLB) support (0/1)
options — pcnet32 initial option setting(s) (0-15)
full_duplex — pcnet32 full duplex setting(s) (1)
homepna — pcnet32 mode for 79C978 cards (1 for HomePNA, 0 for Ethernet, default Ethernet
|
| RealTek RTL-8169 Gigabit Ethernet driver |
r8169.ko
|
media — force phy operation. Deprecated by ethtool (8).
rx_copybreak — Copy breakpoint for copy-only-tiny-frames
use_dac — Enable PCI DAC. Unsafe on 32 bit PCI slot.
debug — Debug verbosity level (0=none, ..., 16=all)
|
| Neterion Xframe 10GbE Server Adapter |
s2io.ko
| |
| SIS 900/701G PCI Fast Ethernet |
sis900.ko
|
multicast_filter_limit — SiS 900/7016 maximum number of filtered multicast addresses
max_interrupt_work — SiS 900/7016 maximum events handled per interrupt
sis900_debug — SiS 900/7016 bitmapped debugging message level
|
| Adaptec Starfire Ethernet driver |
starfire.ko
|
max_interrupt_work — Maximum events handled per interrupt
mtu — MTU (all boards)
debug — Debug level (0-6)
rx_copybreak — Copy breakpoint for copy-only-tiny-frames
intr_latency — Maximum interrupt latency, in microseconds
small_frames — Maximum size of receive frames that bypass interrupt latency (0,64,128,256,512)
options — Deprecated: Bits 0-3: media type, bit 17: full duplex
full_duplex — Deprecated: Forced full-duplex setting (0/1)
enable_hw_cksum — Enable/disable hardware cksum support (0/1)
|
| Broadcom Tigon3 |
tg3.ko
|
tg3_debug — Tigon3 bitmapped debugging message enable value
|
| ThunderLAN PCI |
tlan.ko
|
aui — ThunderLAN use AUI port(s) (0-1)
duplex — ThunderLAN duplex setting(s) (0-default, 1-half, 2-full)
speed — ThunderLAN port speen setting(s) (0,10,100)
debug — ThunderLAN debug mask
bbuf — ThunderLAN use big buffer (0-1)
|
| Digital 21x4x Tulip PCI Ethernet cards SMC EtherPower 10 PCI(8432T/8432BT) SMC EtherPower 10/100 PCI(9332DST) DEC EtherWorks 100/10 PCI(DE500-XA) DEC EtherWorks 10 PCI(DE450) DEC QSILVER's, Znyx 312 etherarray Allied Telesis LA100PCI-T Danpex EN-9400, Cogent EM110 |
tulip.ko
|
io io_port
|
| VIA Rhine PCI Fast Ethernet cards with either the VIA VT86c100A Rhine-II PCI or 3043 Rhine-I D-Link DFE-930-TX PCI 10/100 |
via-rhine.ko
|
max_interrupt_work — VIA Rhine maximum events handled per interrupt
debug — VIA Rhine debug level (0-7)
rx_copybreak — VIA Rhine copy breakpoint for copy-only-tiny-frames
avoid_D3 — Avoid power state D3 (work-around for broken BIOSes)
|
alias and, possibly, options lines for each card in /etc/modprobe.conf.
bonding kernel module and a special network interface, called a channel bonding interface. Channel bonding enables two or more network interfaces to act as one, simultaneously increasing the bandwidth and providing redundancy.
/etc/modprobe.conf:
alias bond<N> bonding<N> with the interface number, such as 0. For each configured channel bonding interface, there must be a corresponding entry in /etc/modprobe.conf.
miimon or arp_interval and the arp_ip_target parameters. Refer to Seção 43.5.2.1, “bonding Module Directives” for a list of available options and how to quickly determine the best ones for your bonded interface.
BONDING_OPTS="<bonding parameters>" directive in your bonding interface configuration file (ifcfg-bond0 for example). Parameters to bonded interfaces can be configured without unloading (and reloading) the bonding module by manipulating files in the sysfs file system.
sysfs is a virtual file system that represents kernel objects as directories, files and symbolic links. sysfs can be used to query for information about kernel objects, and can also manipulate those objects through the use of normal file system commands. The sysfs virtual file system has a line in /etc/fstab, and is mounted under /sys. All bonded interfaces can be configured dynamically by interacting with and manipulating files under the /sys/class/net/ directory.
ifcfg-bond0 and inserted SLAVE=yes and MASTER=bond0 directives in the bonded interfaces following the instructions in Seção 15.2.3, “Channel Bonding Interfaces”, you can proceed to testing and determining the best parameters for your bonded interface.
ifconfig bond<N> up as root:
ifconfig bond0 upifcfg-bond0 bonding interface file, you will be able to see bond0 listed in the output of running ifconfig (without any options):
~]# ifconfig
bond0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth0 Link encap:Ethernet HWaddr 52:54:00:26:9E:F1
inet addr:192.168.122.251 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe26:9ef1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:207 errors:0 dropped:0 overruns:0 frame:0
TX packets:205 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:70374 (68.7 KiB) TX bytes:25298 (24.7 KiB)
[output truncated]~]# cat /sys/class/net/bonding_masters
bond0/sys/class/net/bond<N>/bonding/ directory. First, the bond you are configuring must be taken down:
ifconfig bond0 downecho 1000 > /sys/class/net/bond0/bonding/miimonbalance-alb mode, you could run either:
echo 6 > /sys/class/net/bond0/bonding/modeecho balance-alb > /sys/class/net/bond0/bonding/modeifconfig bond<N> up . If you decide to change the options, take the interface down, modify its parameters using sysfs, bring it back up, and re-test.
BONDING_OPTS= directive of the /etc/sysconfig/network-scripts/ifcfg-bond<N> file for the bonded interface you are configuring. Whenever that bond is brought up (for example, by the system during the boot sequence if the ONBOOT=yes directive is set), the bonding options specified in the BONDING_OPTS will take effect for that bond. For more information on configuring bonded interfaces (and BONDING_OPTS), refer to Seção 15.2.3, “Channel Bonding Interfaces”.
bonding module. For more in-depth information on configuring channel bonding and the exhaustive list of bonding module parameters, install the kernel-doc package and then locating and opening the included bonding.txt file:
yum -y install kernel-docnano -w $(rpm -ql kernel-doc | grep bonding.txt)
arp_interval=<time_in_milliseconds> arp_interval and arp_ip_target parameters are specified, or, alternatively, the miimon parameter is specified. Failure to do so can cause degradation of network performance in the event that a link fails.
mode=0 or mode=1 (the two load-balancing modes), the network switch must be configured to distribute packets evenly across the NICs. For more information on how to accomplish this, refer to /usr/share/doc/kernel-doc-<kernel_version>/Documentation/networking/bonding.txt
0 by default, which disables it.
arp_ip_target=<ip_address> [,<ip_address_2>,...<ip_address_16> ] arp_interval parameter is enabled. Up to 16 IP addresses can be specified in a comma separated list.
arp_validate=<value> none. Other valid values are active, backup, and all.
debug=<number> 0 — Debug messages are disabled. This is the default.
1 — Debug messages are enabled.
downdelay=<time_in_milliseconds> miimon parameter. The value is set to 0 by default, which disables it.
<value> slow or 0 — Default setting. This specifies that partners should transmit LACPDUs every 30 seconds.
fast or 1 — Specifies that partners should transmit LACPDUs every 1 second.
miimon=<time_in_milliseconds> ethtool <interface_name> | grep "Link detected:"<interface_name> with the name of the device interface, such as eth0, not the bond interface. If MII is supported, the command returns:
Link detected: yes
0 (the default), turns this feature off. When configuring this setting, a good starting point for this parameter is 100.
arp_interval and arp_ip_target parameters are specified, or, alternatively, the miimon parameter is specified. Failure to do so can cause degradation of network performance in the event that a link fails.
mode=<value> <value> is one of:
balance-rr or 0 — Sets a round-robin policy for fault tolerance and load balancing. Transmissions are received and sent out sequentially on each bonded slave interface beginning with the first one available.
active-backup or 1 — Sets an active-backup policy for fault tolerance. Transmissions are received and sent out via the first available bonded slave interface. Another bonded slave interface is only used if the active bonded slave interface fails.
balance-xor or 2 — Sets an XOR (exclusive-or) policy for fault tolerance and load balancing. Using this method, the interface matches up the incoming request's MAC address with the MAC address for one of the slave NICs. Once this link is established, transmissions are sent out sequentially beginning with the first available interface.
broadcast or 3 — Sets a broadcast policy for fault tolerance. All transmissions are sent on all slave interfaces.
802.3ad or 4 — Sets an IEEE 802.3ad dynamic link aggregation policy. Creates aggregation groups that share the same speed and duplex settings. Transmits and receives on all slaves in the active aggregator. Requires a switch that is 802.3ad compliant.
balance-tlb or 5 — Sets a Transmit Load Balancing (TLB) policy for fault tolerance and load balancing. The outgoing traffic is distributed according to the current load on each slave interface. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed slave.
balance-alb or 6 — Sets an Active Load Balancing (ALB) policy for fault tolerance and load balancing. Includes transmit and receive load balancing for IPV4 traffic. Receive load balancing is achieved through ARP negotiation.
num_unsol_na=<number> 0 - 255; the default value is 1. This option affects only the active-backup mode.
primary=<interface_name> eth0, of the primary device. The primary device is the first of the bonding interfaces to be used and is not abandoned unless it fails. This setting is particularly useful when one NIC in the bonding interface is faster and, therefore, able to handle a bigger load.
active-backup mode. Refer to /usr/share/doc/kernel-doc-<kernel-version>/Documentation/networking/bonding.txt for more information.
primary_reselect=<value> always or 0 (default) — The primary slave becomes the active slave whenever it comes back up.
better or 1 — The primary slave becomes the active slave when it comes back up, if the speed and duplex of the primary slave is better than the speed and duplex of the current active slave.
failure or 2 — The primary slave becomes the active slave only if the current active slave fails and the primary slave is up.
primary_reselect setting is ignored in two cases:
primary_reselect policy via sysfs will cause an immediate selection of the best active slave according to the new policy. This may or may not result in a change of the active slave, depending upon the circumstances
updelay=<time_in_milliseconds> miimon parameter. The value is set to 0 by default, which disables it.
use_carrier=<number> miimon should use MII/ETHTOOL ioctls or netif_carrier_ok() to determine the link state. The netif_carrier_ok() function relies on the device driver to maintains its state with netif_carrier_on/off ; most device drivers support this function.
netif_carrier_on/off .
1 — Default setting. Enables the use of netif_carrier_ok().
0 — Enables the use of MII/ETHTOOL ioctls.
netif_carrier_on/off .
xmit_hash_policy=<value> balance-xor and 802.3ad modes. Possible values are:
0 or layer2 — Default setting. This option uses the XOR of hardware MAC addresses to generate the hash. The formula used is:
(<source_MAC_address>XOR<destination_MAC>) MODULO<slave_count>
1 or layer3+4 — Uses upper layer protocol information (when available) to generate the hash. This allows for traffic to a particular network peer to span multiple slaves, although a single connection will not span multiple slaves.
((<source_port>XOR<dest_port>) XOR ((<source_IP>XOR<dest_IP>) AND0xffff) MODULO<slave_count>
layer2 transmit hash policy.
2 or layer2+3 — Uses a combination of layer2 and layer3 protocol information to generate the hash.
(((<source_IP>XOR<dest_IP>) AND0xffff) XOR (<source_MAC>XOR<destination_MAC>)) MODULO<slave_count>
lsmod man page — description and explanation of its output.
insmod man page — description and list of command line options.
modprobe man page — description and list of command line options.
rmmod man page — description and list of command line options.
modinfo man page — description and list of command line options.
/usr/share/doc/kernel-doc-<version>/Documentation/kbuild/modules.txt — how to compile and use kernel modules. Note you must have the kernel-doc package installed to read this file.
kdump is an advanced crash dumping mechanism. When enabled, the system is booted from the context of another kernel. This second kernel reserves a small amount of memory, and its only purpose is to capture the core dump image in case the system crashes. Since being able to analyze the core dump helps significantly to determine the exact cause of the system failure, it is strongly recommended to have this feature enabled.
kdump service in Red Hat Enterprise Linux, and provides a brief overview of how to analyze the resulting core dump using the crash debugging utility.
kdump Servicekdump service, you must have the kexec-tools package installed. Refer to Parte II, “Gerenciamento de Pacotes” for more information on how to install new packages in Red Hat Enterprise Linux.
kdump service: at the first boot, using the Kernel Dump Configuration graphical utility, and doing so manually on the command line. It also describes how to test the configuration to verify that everything works as expected.
kdump service.
kdump configuration screen
kdump crash recovery is enabled, the minimum memory requirements increase by the amount of memory reserved for it. This value is determined by a user, and defaults to 128 MB.
kdump daemon at boot time, select the Enable kdump? check box. This will enable the service for runlevels 2, 3, 4, and 5, and start it for the current session. Similarly, unselecting the check box will disable it for all runlevels and stop the service immediately.
kdump kernel, click the up and down arrow buttons next to the Kdump Memory field to increase or decrease the value. Notice that the Usable System Memory field changes accordingly showing you the remaining memory that will be available to the system.
system-config-kdump at a shell prompt (for example, xterm or GNOME Terminal). Unless you are already authenticated, you will be prompted to enter the superuser password.
kdump as well as to enable or disable starting the service at boot time. When you are done, click to save the changes. The system reboot will be requested.
kdump crash recovery is enabled, the minimum memory requirements increase by the amount of memory reserved for it. This value is determined by a user, and defaults to 128 MB.
kdump daemon at boot time, select the Enable kdump check box. This will enable the service for runlevels 2, 3, 4, and 5, and start it for the current session. Similarly, unselecting the check box will disable it for all runlevels and stop the service immediately.
kdump kernel, click the up and down arrow buttons next to the New kdump Memory field to increase or decrease the value. Notice that the Usable Memory field changes accordingly showing you the remaining memory that will be available to the system.
/dev/sdb1). When you are done, click to confirm your choice.
hostname:directory form (for example, penguin.example.com:/export). Clicking the button will confirm your changes. Finally, edit the value of the Path field to customize the destination directory (for instance, cores).
username@hostname form (for example, john@penguin.example.com). Clicking the button will confirm your changes. Finally, edit the value of the Path field to customize the destination directory (for instance, /export/cores).
vmcore dump file, kdump allows you to specify an external application (that is, a core collector) to compress the data, and optionally leave out all irrelevant information. Currently, the only fully supported core collector is makedumpfile.
-c parameter is listed after the makedumpfile command in the Core Collector field (for example, makedumpfile -c).
-d value parameter after the makedumpfile command in the Core Collector field. The value is a sum of values of pages you want to omit as described in Tabela 44.1, “Supported filtering levels”. For example, to remove both zero and free pages, use makedumpfile -d 17.
makedumpfile for a complete list of available options.
kdump fails to create a core dump, select the appropriate option from the Default Action pulldown list. Available options are (the default action), (to reboot the system), (to present a user with an interactive shell prompt), and (to halt the system).
kdump on the Command Line~]$ su -
Password:kdump kernel, open the /boot/grub/grub.conf file in a text editor and add the crashkernel=<size>M@16M parameter to the list of kernel options as shown in Exemplo 44.1, “A sample /boot/grub/grub.conf file”.
/boot/grub/grub.conf file# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda3
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-274.3.1.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-274.3.1.el5 ro root=/dev/sda3 crashkernel=128M@16M
initrd /initrd-2.6.18-274.3.1.el5.imgkdump crash recovery is enabled, the minimum memory requirements increase by the amount of memory reserved for it. This value is determined by a user, and defaults to 128 MB, as lower values proved to be unreliable. For more information on minimum memory requirements for Red Hat Enterprise Linux, refer to the Required minimums section of the Red Hat Enterprise Linux comparison chart.
vmcore file in the /var/crash/ directory of the local file system. To change this, open the /etc/kdump.conf configuration file in a text editor and edit the options as described below.
#path /var/crash line, and replace the value with a desired directory path. Optionally, if you wish to write the file to a different partition, follow the same procedure with the #ext3 /dev/sda3 line as well, and change both the file system type and the device (a device name, a file system label, and UUID are all supported) accordingly. For example:
ext3 /dev/sda4 path /usr/local/cores
#raw /dev/sda5 line, and replace the value with a desired device name. For example:
raw /dev/sdb1
#net my.server.com:/export/tmp line, and replace the value with a valid hostname and directory path. For example:
net penguin.example.com:/export/cores
#net user@my.server.com line, and replace the value with a valid username and hostname. For example:
net john@penguin.example.com
vmcore dump file, kdump allows you to specify an external application (that is, a core collector) to compress the data, and optionally leave out all irrelevant information. Currently, the only fully supported core collector is makedumpfile.
/etc/kdump.conf configuration file in a text editor, remove the hash sign (“#”) from the beginning of the #core_collector makedumpfile -c --message-level 1 line, and edit the command line options as described below.
-c parameter. For example:
core_collector makedumpfile -c
-d value parameter, where value is a sum of values of pages you want to omit as described in Tabela 44.1, “Supported filtering levels”. For example, to remove both zero and free pages, use the following:
core_collector makedumpfile -d 17 -c
makedumpfile for a complete list of available options.
| Option | Description |
|---|---|
1
| Zero pages |
2
| Cache pages |
4
| Cache private |
8
| User pages |
16
| Free pages |
kdump fails to create a core dump, the root file system is mounted and /sbin/init is run. To change this behavior, open the /etc/kdump.conf configuration file in a text editor, remove the hash sign (“#”) from the beginning of the #default shell line, and replace the value with a desired action as described in Tabela 44.2, “Supported actions”. For example:
default halt
| Option | Action |
|---|---|
reboot
| Reboot the system, losing the core in the process. |
halt
| After failing to capture a core, halt the system. |
shell
| Run the msh session from within the initramfs, allowing a user to record the core manually. |
kdump daemon at boot time, type the following at a shell prompt:
~]# chkconfig kdump on2, 3, 4, and 5. Similarly, typing chkconfig kdump off will disable it for all runlevels. To start the service in the current session, use the following command:
~]# service kdump start
No kdump initial ramdisk found. [WARNING]
Rebuilding /boot/initrd-2.6.18-194.8.1.el5kdump.img
Starting kdump: [ OK ]kdump enabled, and make sure that the service is running:
~]# service kdump status
Kdump is operational~]#echo 1 > /proc/sys/kernel/sysrq~]#echo c > /proc/sysrq-trigger
YYYY-MM-DD-HH:MM/vmcore/var/crash/ by default).
vmcore dump file, you must have the crash and kernel-debuginfo packages installed. To do so, type the following at a shell prompt:
~]# yum install --enablerepo=rhel-debuginfo crash kernel-debuginfonetdump, diskdump, xendump, or kdump. When started, it presents you with an interactive prompt very similar to the GNU Debugger (GDB).
crash /var/crash/timestamp/vmcore /usr/lib/debug/lib/modules/kernel/vmlinuxkernel version should be the same as the one that was captured by kdump. To find out which kernel you are currently running, use the uname -r command.
crash utility~]#crash /var/crash/2010-08-04-17\:55/vmcore \/usr/lib/debug/lib/modules/2.6.18-194.8.1.el5/vmlinuxcrash 4.1.2-4.el5_5.1 Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Red Hat, Inc. Copyright (C) 2004, 2005, 2006 IBM Corporation Copyright (C) 1999-2006 Hewlett-Packard Co Copyright (C) 2005, 2006 Fujitsu Limited Copyright (C) 2006, 2007 VA Linux Systems Japan K.K. Copyright (C) 2005 NEC Corporation Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc. Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc. This program is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Enter "help copying" to see the conditions. This program has absolutely no warranty. Enter "help warranty" for details. GNU gdb 6.1 Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i686-pc-linux-gnu"... KERNEL: /usr/lib/debug/lib/modules/2.6.18-194.8.1.el5/vmlinux DUMPFILE: /var/crash/2010-08-04-17:55/vmcore CPUS: 1 DATE: Wed Aug 4 17:50:41 2010 UPTIME: 00:56:53 LOAD AVERAGE: 0.47, 0.47, 0.55 TASKS: 128 NODENAME: localhost.localdomain RELEASE: 2.6.18-194.el5 VERSION: #1 SMP Tue Mar 16 21:52:43 EDT 2010 MACHINE: i686 (2702 Mhz) MEMORY: 1 GB PANIC: "SysRq : Trigger a crashdump" PID: 6042 COMMAND: "bash" TASK: f09c7000 [THREAD_INFO: e1ba9000] CPU: 0 STATE: TASK_RUNNING (SYSRQ) crash>
exit.
log command at the interactive prompt.
crash> log
Linux version 2.6.18-194.el5 (mockbuild@x86-007.build.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Tue Mar 16 21:52:43 EDT 2010
BIOS-provided physical RAM map:
BIOS-e820: 0000000000010000 - 000000000009fc00 (usable)
BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
BIOS-e820: 0000000000100000 - 000000003fff0000 (usable)
BIOS-e820: 000000003fff0000 - 0000000040000000 (ACPI data)
BIOS-e820: 00000000fffc0000 - 0000000100000000 (reserved)
127MB HIGHMEM available.
896MB LOWMEM available.
Using x86 segment limits to approximate NX protection
On node 0 totalpages: 262128
DMA zone: 4096 pages, LIFO batch:0
Normal zone: 225280 pages, LIFO batch:31
HighMem zone: 32752 pages, LIFO batch:7
DMI 2.5 present.
Using APIC driver default
... several lines omitted ...
SysRq : Trigger a crashdumphelp log for more information on the command usage.
bt command at the interactive prompt. You can use bt pid to display the backtrace of the selected process.
crash> bt
PID: 6042 TASK: f09c7000 CPU: 0 COMMAND: "bash"
#0 [e1ba9d10] schedule at c061c738
#1 [e1ba9d28] netlink_getsockopt at c05d50bb
#2 [e1ba9d34] netlink_queue_skip at c05d40d5
#3 [e1ba9d40] netlink_sock_destruct at c05d506d
#4 [e1ba9d84] sock_recvmsg at c05b6cc8
#5 [e1ba9dd4] enqueue_task at c041eed5
#6 [e1ba9dec] try_to_wake_up at c041f798
#7 [e1ba9e10] vsnprintf at c04efef2
#8 [e1ba9ec0] machine_kexec at c0419bf0
#9 [e1ba9f04] sys_kexec_load at c04448a1
#10 [e1ba9f4c] tty_audit_exit at c0549f06
#11 [e1ba9f50] tty_audit_add_data at c0549d5d
#12 [e1ba9f84] do_readv_writev at c0476055
#13 [e1ba9fb8] system_call at c0404f10
EAX: ffffffda EBX: 00000001 ECX: b7f7f000 EDX: 00000002
DS: 007b ESI: 00000002 ES: 007b EDI: b7f7f000
SS: 007b ESP: bf83f478 EBP: bf83f498
CS: 0073 EIP: 009ac402 ERR: 00000004 EFLAGS: 00000246help bt for more information on the command usage.
ps command at the interactive prompt. You can use ps pid to display the status of the selected process.
crash> ps
PID PPID CPU TASK ST %MEM VSZ RSS COMM
0 0 0 c068a3c0 RU 0.0 0 0 [swapper]
1 0 0 f7c81aa0 IN 0.1 2152 616 init
... several lines omitted ...
6017 1 0 e39f6550 IN 1.2 40200 13000 gnome-terminal
6019 6017 0 e39f6000 IN 0.1 2568 708 gnome-pty-helpe
6020 6017 0 f0421550 IN 0.1 4620 1480 bash
6021 1 0 f7f69aa0 ?? 1.2 40200 13000 gnome-terminal
6039 6020 0 e7e84aa0 IN 0.1 5004 1300 su
> 6042 6039 0 f09c7000 RU 0.1 4620 1464 bashhelp ps for more information on the command usage.
vm command at the interactive prompt. You can use vm pid to display information on the selected process.
crash> vm
PID: 6042 TASK: f09c7000 CPU: 0 COMMAND: "bash"
MM PGD RSS TOTAL_VM
e275ee40 e2b08000 1464k 4620k
VMA START END FLAGS FILE
e315d764 1fe000 201000 75 /lib/libtermcap.so.2.0.8
e315de9c 201000 202000 100073 /lib/libtermcap.so.2.0.8
c9b040d4 318000 46a000 75 /lib/libc-2.5.so
e315da04 46a000 46c000 100071 /lib/libc-2.5.so
e315d7b8 46c000 46d000 100073 /lib/libc-2.5.so
e315de48 46d000 470000 100073
e315dba8 9ac000 9ad000 8040075
c9b04a04 a2f000 a4a000 875 /lib/ld-2.5.so
c9b04374 a4a000 a4b000 100871 /lib/ld-2.5.so
e315d6bc a4b000 a4c000 100873 /lib/ld-2.5.so
e315d908 fa1000 fa4000 75 /lib/libdl-2.5.so
e315db00 fa4000 fa5000 100071 /lib/libdl-2.5.so
e315df44 fa5000 fa6000 100073 /lib/libdl-2.5.so
e315d320 ff0000 ffa000 75 /lib/libnss_files-2.5.so
e315d668 ffa000 ffb000 100071 /lib/libnss_files-2.5.so
e315def0 ffb000 ffc000 100073 /lib/libnss_files-2.5.so
e315d374 8048000 80f5000 1875 /bin/bash
c9b045c0 80f5000 80fa000 101873 /bin/bash
... several lines omitted ...help vm for more information on the command usage.
files command at the interactive prompt. You can use files pid to display files opened by the selected process.
crash> files
PID: 6042 TASK: f09c7000 CPU: 0 COMMAND: "bash"
ROOT: / CWD: /root
FD FILE DENTRY INODE TYPE PATH
0 e33be480 e609bf70 f0e1d880 CHR /dev/pts/1
1 e424d8c0 d637add8 f7809b78 REG /proc/sysrq-trigger
2 e33be480 e609bf70 f0e1d880 CHR /dev/pts/1
10 e33be480 e609bf70 f0e1d880 CHR /dev/pts/1
255 e33be480 e609bf70 f0e1d880 CHR /dev/pts/1help files for more information on the command usage.
man kdump.conf/etc/kdump.conf configuration file containing the full documentation of available options.
man kexeckexec containing the full documentation on its usage.
man crash/usr/share/doc/kexec-tools-version/kexec-kdump-howto.txtkdump and kexec installation and usage.
kexec and kdump configuration.
Índice
nmap seguido do nome ou endereço IP da máquina que você deseja escanear.
nmap foo.example.comStarting nmap V. 3.50 ( www.insecure.org/nmap/ ) Interesting ports on localhost.localdomain (127.0.0.1): (The 1591 ports scanned but not shown below are in state: closed) Port State Service 22/tcp open ssh 25/tcp open smtp 111/tcp open sunrpc 443/tcp open https 515/tcp open printer 950/tcp open oftep-rpc 6000/tcp open X11 Nmap run completed -- 1 IP address (1 host up) scanned in 71.825 seconds
| Exploit | Descrição | Notas | |||
|---|---|---|---|---|---|
| Senhas em Branco ou Padrão | Deixar senhas administrativas em branco ou usar a senha padrão provida pelo fabricante. Isto é mais comum em hardware, como roteadores e firewalls, porém alguns dos serviços que rodam no Linux podem conter senhas padrão de administrador (apesar do Red Hat Enterprise Linux 5 não incluí-las). |
| |||
| Chaves Compartilhadas Padrão | Serviços seguros às vezes incluem chaves de segurança padrão com a finalidade de facilitar o exercício de desenvolvimento ou testes de avaliação. Se estas chaves permanecerem inalteradas e estiverem localizadas em um ambiente de produção na Internet, quaisquer usuários com as mesmas chaves padrão tem acesso àquele recurso de chave compartilhada assim como a quaisquer informações importantes lá contidas. |
| |||
| Falsificação (Spoofing) do IP | A remote machine acts as a node on your local network, finds vulnerabilities with your servers, and installs a backdoor program or Trojan horse to gain control over your network resources. |
| |||
| Eavesdropping | Coleta não autorizada de dados que trafegam entre dois nós ativos em uma rede através da prática do eavesdropping na conexão entre estes dois nós. |
| |||
| Vulnerabilidades em Serviços | Um atacante encontra uma falha ou uma deficiência em um serviço executado através da Internet; através desta vulnerabilidade, o atacante compromete o sistema inteiro e quaisquer dados que este possa conter; e pode possivelmente comprometer outros sistemas na rede. |
| |||
| Vulnerabilidades em Aplicações | Attackers find faults in desktop and workstation applications (such as e-mail clients) and execute arbitrary code, implant Trojan horses for future compromise, or crash systems. Further exploitation can occur if the compromised workstation has administrative privileges on the rest of the network. |
| |||
| Ataques de Negação de Serviço (DoS) | Um atacante ou grupo de atacantes executam uma ação coordenada contra os recursos de rede ou de servidores de uma organização através do envio de pacotes não autorizados para o host alvo (servidor, roteador, ou estação de trabalho). Isto força o recurso a tornar-se indisponível a usuários legítimos. |
|
/tmp/updates, and save all the downloaded packages to it.
/mnt/cdrom, use the following command to import it into the keyring (a database of trusted keys on the system):
rpm --import /mnt/cdrom/RPM-GPG-KEY-redhat-releaserpm -qa gpg-pubkey*gpg-pubkey-37017186-45761324
rpm -qi command followed by the output from the previous command, as in this example:
rpm -qi gpg-pubkey-37017186-45761324rpm -K /tmp/updates/*.rpmgpg OK. If it doesn't, make sure you are using the correct Red Hat public key, as well as verifying the source of the content. Packages that do not pass GPG verifications should not be installed, as they may have been altered by a third party.
rpm -Uvh /tmp/updates/*.rpmrpm -ivh /tmp/updates/<kernel-package><pacote-de-kernel> pelo nome do RPM do kernel.
rpm -e <old-kernel-package><pacote-de-kernel-antigo> pelo nome do RPM do kernel antigo.
glibc, which are used by a number of applications and services. Applications utilizing a shared library typically load the shared code when the application is initialized, so any applications using the updated library must be halted and relaunched.
lsof command as in the following example:
lsof /usr/lib/libwrap.so*tcp_wrappers package is updated.
sshd, vsftpd, and xinetd.
/sbin/service command as in the following example:
service <service-name> restart<service-name> with the name of the service, such as sshd.
xinetd Servicesxinetd super service only run when a there is an active connection. Examples of services controlled by xinetd include Telnet, IMAP, and POP3.
xinetd each time a new request is received, connections that occur after an upgrade are handled by the updated software. However, if there are active connections at the time the xinetd controlled service is upgraded, they are serviced by the older version of the software.
xinetd controlled service, upgrade the package for the service then halt all processes currently running. To determine if the process is running, use the ps command and then use the kill or killall command to halt current instances of the service.
imap packages are released, upgrade the packages, then type the following command as root into a shell prompt:
ps -aux | grep imapkill <PID>kill -9 <PID><PID> with the process identification number (found in the second column of the ps command) for an IMAP session.
killall imapdcat.
grub-md5-crypt/boot/grub/grub.conf. Abra o arquivo e, abaixo da linha de comando timeout na seção principal do documento, adicione a seguinte linha:
password --md5 <hash-da-senha>/boot/grub/grub.conf deve ser editada.
title do sistema operacional ao qual você deseja adicionar segurança, e adicione abaixo desta uma linha contendo a diretiva lock.
title DOS lock
password deve constar na seção principal do arquivo /boot/grub/grub.conf. Do contrário, um atacante poderá acessar a interface de edição do GRUB e remover a linha lock.
lock na estrofe, seguida de uma linha para a senha.
title DOS lock password --md5 <password-hash>/etc/passwd file, which makes the system vulnerable to offline password cracking attacks. If an intruder can gain access to the machine as a regular user, they can copy the /etc/passwd file to their own machine and run any number of password cracking programs against it. If there is an insecure password in the file, it is only a matter of time before the password cracker discovers it.
/etc/shadow, legível somente pelo usuário root.
otrattw,tghwg.
n por 9 e a letra d pelo símbolo arroba (@):
o7r@77w,7ghwg.
F.
o7r@77w,7gHwg.
passwd, which is Pluggable Authentication Manager (PAM) aware and therefore checks to see if the password is too short or otherwise easy to crack. This check is performed using the pam_cracklib.so PAM module. Since PAM is customizable, it is possible to add more password integrity checkers, such as pam_passwdqc (available from http://www.openwall.com/passwdqc/) or to write a new module. For a list of available PAM modules, refer to http://www.kernel.org/pub/linux/libs/pam/modules.html. For more information about PAM, refer to Seção 46.4, “Módulos de Autenticação Plugáveis (Pluggable Authentication Modules - PAM)”.
chage ou o aplicativo gráfico Gerenciador de Usuários (system-config-users).
-M do comando chage especifica a validade máxima de uma senha (em número de dias). Por exemplo, para fazer com que a senha de um usuário vença em 90 dias, use o seguinte comando:
chage -M 90 <nome-de-usuário><nome-de-usuário> pelo nome de usuário correspondente. Para fazer com que a senha nunca vença, é comum usar o valor 99999 após a opção -M (isto equivale a um pouco mais do que 273 anos).
chage em modo interativo para modificar o vencimento e detalhes de várias senhas ao mesmo tempo. Use o seguinte comando para entrar em modo interativo:
chage <nome-de-usuário>~]# chage davido
Changing the aging information for davido
Enter the new value, or press ENTER for the default
Minimum Password Age [0]: 10
Maximum Password Age [99999]: 90
Last Password Change (YYYY-MM-DD) [2006-08-18]:
Password Expiration Warning [7]:
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
~]#system-config-users na janela de comandos.
sudo ou o su. Um programa setuid roda com o ID (UID) do proprietário do programa, ao invés de usar o ID do usuário executando o programa. Tais programas são identificados por um s na seção do proprietário em uma listagem, como no exemplo seguinte:
-rwsr-xr-x 1 root root 47324 May 1 08:09 /bin/su
s pode ser maiúsculo ou minúsculo. Se for maiúsculo, significa que o bit de permissão adjacente não foi definido.
pam_console.so, some activities normally reserved only for the root user, such as rebooting and mounting removable media are allowed for the first user that logs in at the physical console (refer to Seção 46.4, “Módulos de Autenticação Plugáveis (Pluggable Authentication Modules - PAM)” for more information about the pam_console.so module.) However, other important system administration tasks, such as altering network settings, configuring a new mouse, or mounting network devices, are not possible without administrative privileges. As a result, system administrators must decide how much access the users on their network should receive.
/sbin/nologin in the /etc/passwd file.
| Efeitos | Não Afeta |
|---|---|
|
Prevents access to the root shell and logs any such attempts. The following programs are prevented from accessing the root account:
|
Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs. The following programs are not prevented from accessing the root account:
|
/etc/securetty file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous, because a user can log in to their machine as root via Telnet, which transmits the password in plain text over the network.
/etc/securetty file only allows the root user to log in at the console physically attached to the machine. To prevent the root user from logging in, remove the contents of this file by typing the following command at a shell prompt as root:
echo > /etc/securettysecuretty support in the KDM, GDM, and XDM login managers, add the following line:
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
/etc/pam.d/gdm
/etc/pam.d/gdm-autologin
/etc/pam.d/gdm-fingerprint
/etc/pam.d/gdm-password
/etc/pam.d/gdm-smartcard
/etc/pam.d/kdm
/etc/pam.d/kdm-np
/etc/pam.d/xdm
/etc/securetty em branco não impede que o usuário root autentique-se remotamente usando o conjunto de ferramentas OpenSSH porque o console só é aberto após a autenticação.
| Efeitos | Não Afeta |
|---|---|
|
Impede acesso à conta do root através do console ou rede. Os seguintes programas não tem acesso à conta do root:
|
Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. The following programs are not prevented from accessing the root account:
|
/etc/ssh/sshd_config, and change the line that reads:
#PermitRootLogin yes
PermitRootLogin no
| Efeitos | Não Afeta |
|---|---|
|
Impede o acesso root através do conjunto de ferramentas Open SSH. Os seguintes programas não tem acesso à conta do root:
|
Programs that are not part of the OpenSSH suite of tools.
|
/lib/security/pam_listfile.so module, allows great flexibility in denying specific accounts. The administrator can use this module to reference a list of users who are not allowed to log in. To limit root access to a system service, edit the file for the target service in the /etc/pam.d/ directory and make sure the pam_listfile.so module is required for authentication.
vsftpd FTP server in the /etc/pam.d/vsftpd PAM configuration file (the \ character at the end of the first line is not necessary if the directive is on a single line):
auth required /lib/security/pam_listfile.so item=user \ sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
/etc/vsftpd.ftpusers e recusar a qualquer usuário lá listado o acesso ao serviço. O administrador pode alterar o nome deste arquivo e pode manter listas separadas para cada serviço ou usar uma lista central para recusar o acesso a múltiplos serviços.
/etc/pam.d/pop e /etc/pam.d/imap para clientes de e-mail ou /etc/pam.d/ssh para clientes SSH.
| Efeitos | Não Afeta |
|---|---|
|
Prevents root access to network services that are PAM aware. The following services are prevented from accessing the root account:
|
Programas e serviços que não ofereçam integração com o PAM.
|
su ou o sudo.
susu, o mesmo precisa entrar com a senha root e, após a autenticação, recebe uma solicitação de janela da root.
su, o usuário é o usuário root e tem acesso administrativo total ao sistema[16]. Além disso, ao se tornar um usuário root, é possível que ele use o comando su para assumir a identidade de qualquer outro usuário no sistema sem precisar entrar com a respectiva senha.
usermod -G wheel <nome-de-usuário><nome-de-usuário> pelo nome do usuário sendo adicionado ao grupo wheel.
system-config-users na janela de comandos.
su (/etc/pam.d/su) em um editor de texto e remova o comentário # da seguinte linha:
auth required /lib/security/$ISA/pam_wheel.so use_uid
wheel usem o programa.
wheel de acordo com a configuração padrão.
sudosudo oferece outra abordagem para permitir que usuários tenham acesso administrativo. Quando um usuário confiável precede um comando administrativo com sudo, o sistema pede que o usuário entre a sua própria senha. Então, após a autenticação, e assumindo que seja permitido, o comando administrativo é executado como se o usuário fosse o root.
sudo é o seguinte:
sudo <comando><comando> seria substituído por um comando normalmente reservado apenas ao usuário root, como, por exemplo, mount.
sudo devem tomar cuidado extra para fazer o logout antes de deixarem suas máquinas, já que é possível usar o comando novamente sem precisar indicar a senha, por um período de cinco minutos. Esta configuração pode ser alterada através do arquivo de configuração /etc/sudoers.
sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command and the command is executed in the user's shell, not a root shell. This means the root shell can be completely disabled, as shown in Seção 46.1.4.2, “Impedindo Acesso Root”.
sudo também oferece um registro detalhado da seqüência de eventos. Cada autenticação bem-sucedida é registrada no arquivo /var/log/messages e os comandos submetidos são registrados com o nome do usuário no arquivo /var/log/secure.
sudo é que um administrador pode permitir que usuários acessem diferentes comandos específicos de acordo com suas necessidades.
sudo, o /etc/sudoers, devem usar o comando visudo.
visudo e adicione uma linha similar na seguinte na seção de especificação de privilégios do usuário:
juan ALL=(ALL) ALL
juan pode usar o sudo em qualquer máquina e executar qualquer comando.
sudo:
%users localhost=/sbin/shutdown -h now
/sbin/shutdown -h now desde que o faça pelo console.
sudoers tem uma lista detalhada das opções para este arquivo.
cupsd — O servidor de impressão padrão do Red Hat Enterprise Linux.
lpd — Um servidor de impressão alternativo.
xinetd — Um super servidor que controla conexões à uma gama de servidores subordinados, como gssftp e telnet.
sendmail — O Agente de Transporte de Correio (Mail Transport Agent ou MTA) Sendmail é habilitado pela configuração padrão, mas somente escuta por conexões a partir do localhost.
sshd — O servidor OpenSSH, um substituto seguro para o Telnet.
cupsd rodando. O mesmo vale para o portmap. Se você não monta volumes NFSv3 ou não usa o NIS (o serviço ypbind), então o portmap deve ser desabilitado.
system-config-services), ntsysv, and chkconfig. For information on using these tools, refer to Capítulo 17, Controlando Acesso aos Serviços.
netdump, passam o conteúdo da memória não criptografado através da rede. Despejos de memória podem conter senhas ou, pior ainda, informações de bancos de dados ou outras informações confidenciais.
finger e rwhod revelam informações sobre os usuários do sistema.
rlogin, rsh, telnet, and vsftpd.
rlogin, rsh, and telnet) should be avoided in favor of SSH. Refer to Seção 46.1.7, “Ferramentas de Comunicação com Segurança Aprimorada” for more information about sshd.
finger
authd (chamado de identd em lançamentos anteriores do Red Hat Enterprise Linux)
netdump
netdump-server
nfs
rwhod
sendmail
smb (Samba)
yppasswdd
ypserv
ypxfrd
system-config-securitylevel). This tool creates broad iptables rules for a general-purpose firewall using a control panel interface.
iptables is probably a better option. Refer to Seção 46.8, “Firewalls” for more information. Refer to Seção 46.9, “IPTables” for a comprehensive guide to the iptables command.
telnet e rsh. OpenSSH inclui um serviço de rede chamado sshd, e três aplicações cliente de linha de comandos:
ssh — Um cliente de acesso seguro a consoles remotos.
scp — Um comando seguro de cópia remota.
sftp — Um cliente pseudo-ftp seguro que permite seções interativas de transferência de arquivos.
sshd service is inherently secure, the service must be kept up-to-date to prevent security threats. Refer to Seção 45.5, “Atualizações de Segurança” for more information.
xinetd, um super servidor que oferece acesso adicional, registro, vinculação, redirecionamento e controle de utilização de recursos.
xinetd to create redundancy within service access controls. Refer to Seção 46.8, “Firewalls” for more information about implementing firewalls with iptables commands.
xinetd.
hosts_options para obter uma lista completa das funcionalidades e linguagem de controle do TCP Wrapper.
banner.
vsftpd. Para começar, crie um arquivo de banner. Pode estar em qualquer lugar do sistema, mas deve levar o mesmo nome que o daemon. Neste exemplo, o arquivo é chamado /etc/banners/vsftpd e contém as seguintes linhas:
220-Hello, %c 220-All activity on ftp.example.com is logged. 220-Inappropriate use will result in your access privileges being removed.
%c oferece uma gama de informações do cliente, tais como nome de usuário e nome de host ou nome de usuário e endereço IP, para intimidar ainda mais a conexão.
/etc/hosts.allow:
vsftpd : ALL : banners /etc/banners/
spawn.
/etc/hosts.deny, a tentativa de conexão a partir daquela rede é negada e registrada em um arquivo especial:
ALL : 206.182.68.0 : spawn /bin/ 'date' %c %d >> /var/log/intruder_alert
%d traz o nome do serviço que o atacante estava tentando acessar.
spawn no arquivo /etc/hosts.allow.
spawn executa qualquer comando de linha, crie um script especial para notificar o administrador ou para executar uma série de comandos quando um determinado cliente tentar conectar ao servidor.
severity.
emerg nos arquivos de registro ao invés do sinal padrão, info, e negue a conexão.
/etc/hosts.deny:
in.telnetd : ALL : severity emerg
authpriv padrão, mas eleva a prioridade do valor padrão info para emerg, o que envia mensagens de registro diretamente ao console.
xinetd para configurar um serviço armadilha e usá-lo para controlar níveis de recursos disponíveis para quaisquer serviços xinetd. Estabelecer limites de recursos para serviços pode ajudar a frustrar ataques de Negação de Serviço (Denial of Service, ou DoS). Consulte as páginas man para o xinetd e o xinetd.conf para uma lista de opções disponíveis.
xinetd é sua habilidade em adicionar hosts à uma lista global no_access. Aos hosts desta lista são negadas as conexões subseqüentes aos serviços gerenciados pelo xinetd por um determinado período ou até o xinetd ser reiniciado. Isto é feito usando o atributo SENSOR. Esta técnica é uma maneira fácil de bloquear hosts que tentarem scanear o servidor.
SENSOR é escolher um serviço que você não planeja utilizar. Neste exemplo, usamos o Telnet.
/etc/xinetd.d/telnet e altere a linha flags para:
flags = SENSOR
deny_time = 30
deny_time são FOREVER (sempre), que mantém o banimento efetivo até que o xinetd seja reiniciado, e NEVER (nunca), que permite a conexão e a registra.
disable = no
SENSOR ser uma boa maneira de detectar e parar conexões de hosts perigosos, há duas desvantagens:
SENSOR pode montar um ataque de Negação de Serviço contra determinados hosts forjando seus endereços IP e conectando à porta proibida.
xinetd é sua habilidade em controlar a quantidade de recursos que os serviços sob seu controle podem utilizar.
cps = <number_of_connections> <wait_period> — Limita a taxa de conexões de entrada. Esta diretiva leva dois argumentos:
<number_of_connections> — O número de conexões por segundo a serem manuseadas. Se a taxa de conexões de entrada for mais alta que isto, o serviço torna-se temporariamente desabilitado. O valor padrão é cinqüenta (50).
<wait_period> — O número de segundos a esperar antes de reabilitar o serviço após o mesmo tenha sido desabilitado. O intervalo padrão é dez (10) segundos.
instances = <number_of_connections> — Determina o número total de conexões permitidas a um serviço. Esta diretiva aceita tanto um valor inteiro como UNLIMITED.
per_source = <number_of_connections> — Determina as conexões permitidas a um serviço por cada host. Esta diretiva aceita tanto um valor inteiro como UNLIMITED.
rlimit_as = <number[K|M]> — Determina a quantidade de espaço de endereço de memória que o serviço pode ocupar em kilobytes ou megabytes. Esta diretiva aceita tanto um valor inteiro como UNLIMITED.
rlimit_cpu = <number_of_seconds> — Determina o tempo em segundos durante o qual um serviço pode ocupar a CPU. Esta diretiva aceita tanto um valor inteiro como UNLIMITED.
xinetd sobrecarregue o sistema, resultando em negação de serviço.
portmap é um daemon de atribuição dinâmica de portas para serviços RPC, como o NIS e o NFS. Tem mecanismos de autenticação fracos e tem habilidade para delegar uma vasta gama de portas para os serviços que controla. Por estas razões, é difícil de proteger.
portmap afeta somente as implementações do NFSv2 e NFSv3, já que o NFSv4 não o requer mais. Se você planeja implementar um servidor NFSv2 ou NFSv3, o portmap é necessário e a seção seguinte é válida.
portmap já que este não possui uma forma de autenticação própria.
portmap, é uma boa idéia adicionar regras do iptables ao servidor e restringir o acesso à redes específicas.
portmap) a partir da rede 192.168.0.0/24. O segundo permite conexões TCP à mesma porta a partir do host local. Isto é necessário para o serviço sgi_fam usado pelo Nautilus. Todos os outros pacotes são descartados.
iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 111 -j DROPiptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
iptables -A INPUT -p udp -s! 192.168.0.0/24 --dport 111 -j DROPypserv,--> which is used in conjunction with portmap and other related services to distribute maps of usernames, passwords, and other sensitive information to any computer claiming to be within its domain.
/usr/sbin/rpc.yppasswdd — Também chamado de serviço yppasswdd, esse daemon permite que os usuários alterem suas senhas NIS.
/usr/sbin/rpc.ypxfrd — Também chamado de serviço ypxfrd, esse daemon é responsável pelas transferências de mapa do NIS através da rede.
/usr/sbin/yppush — Essa aplicação propaga bancos de dados NIS alterados para servidores NIS múltiplos.
/usr/sbin/ypserv — Este é o servidor daemon do NIS.
portmap service as outlined in Seção 46.2.2, “Protegendo o Portmap”, then address the following issues, such as network planning.
/etc/passwd:
ypcat -d <NIS_domain> -h <DNS_hostname> passwd/etc/shadow digitando o seguinte comando:
ypcat -d <NIS_domain> -h <DNS_hostname> shadow/etc/shadow não estará armazenado em um mapa NIS.
o7hfawtgmhwg.domain.com. Similarmente, crie um nome diferente de domínio NIS randomizado . Isto dificulta bastante o acesso de um atacante ao servidor NIS.
/var/yp/securenets/var/yp/securenets estiver vazio, ou não existir (como é o caso logo após uma instalação padrão), o NIS escuta à todas as redes. Uma das primeiras coisas a serem feitas é colocar pares de rede/máscara de rede no arquivo para que o ypserv apenas responda à pedidos de redes apropriadas.
/var/yp/securenets:
255.255.255.0 192.168.0.0
/var/yp/securenets.
rpc.yppasswdd — o daemon que permite a usuários alterarem suas senhas de autenticação. Atribuir portas para os outros dois daemons do servidor NIS, rpc.ypxfrd e ypserv, permite criar regras de firewall para proteger futuramente os daemons do servidor NIS contra intrusos.
/etc/sysconfig/network:
YPSERV_ARGS="-p 834" YPXFRD_ARGS="-p 835"
iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 834 -j DROPiptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 835 -j DROPiptables -A INPUT -p udp -s! 192.168.0.0/24 --dport 834 -j DROPiptables -A INPUT -p udp -s! 192.168.0.0/24 --dport 835 -j DROP
/etc/shadow através da rede. Se um intruso obtiver acesso a um domínio NIS e bisbilhotar o tráfego de rede, os hashes de senha e nomes de usuários podem ser discretamente coletados. Com tempo suficiente, um programa de quebra de senhas pode adivinhar senhas fáceis e um atacante pode obter acesso a uma conta válida na rede.
portmap service as outlined in Seção 46.2.2, “Protegendo o Portmap”. NFS traffic now utilizes TCP in all versions, rather than UDP, and requires it when using NFSv4. NFSv4 now includes Kerberos user and group authentication, as part of the RPCSEC_GSS kernel module. Information on portmap is still included, since Red Hat Enterprise Linux supports NFSv2 and NFSv3, both of which utilize portmap.
/etc/exports. Cuidado para não adicionar espaços extras ao editar este arquivo.
/etc/exports compartilha o diretório /tmp/nfs/ com o host bob.example.com com permissões de leitura e escrita.
/tmp/nfs/ bob.example.com(rw)
/etc/exports compartilha o mesmo diretório com o host bob.example.com com permissão somente-leitura, e o compartilha com o mundo com permissões leitura e escrita devido um único caractere de espaço após o nome de host.
/tmp/nfs/ bob.example.com (rw)
showmount para checar o que está sendo compartilhado:
showmount -e <hostname>no_root_squashnfsnobody, uma conta de usuário sem privilégios. Isto muda o proprietário de todos os arquivos criados pelo root para nfsnobody, que previne o carregamento de programas com o setuid definido.
no_root_squash is used, remote root users are able to change any file on the shared file system and leave applications infected by Trojans for other users to inadvertently execute.
FollowSymLinks /.
IndexesUserDirUserDir é desabilitada por padrão porque esta pode confirmar a presença de uma conta de usuário no sistema. Para possibilitar a navegação pelos diretórios do usuário no servidor, use as seguintes diretivas:
UserDir enabled UserDir disabled root
/root/. Para adicionar usuários à lista de contas desativadas, adicione uma lista de usuários delimitada por espaço na linha UserDir disabled.
IncludesNoExecchown root<directory_name>chmod 755<directory_name>
gssftpd — Um FTP daemon kerberizado baseado no xinetd que não passa informações de autenticação através da rede.
tux) — Um servidor Web de espaço de kernel com capacidades de FTP.
vsftpd — Uma implementação auto-suficiente do serviço FTP orientada à segurança.
vsftpd.
vsftpd, adicione a seguinte diretiva ao arquivo /etc/vsftpd/vsftpd.conf:
ftpd_banner=<insira_saudação_aqui><insira_saudação_aqui> na diretiva acima pelo texto de sua mensagem de saudação.
/etc/banners/. O arquivo de banners para conexões FTP, neste exemplo, é /etc/banners/ftp.msg. O exemplo abaixo mostra como este arquivo se parece:
########## Hello, all activity on ftp.example.com is logged. #########
220 as specified in Seção 46.2.1.1.1, “TCP Wrappers e Banners de Conexão”.
vsftpd, adicione a seguinte diretiva ao arquivo /etc/vsftpd/vsftpd.conf:
banner_file=/etc/banners/ftp.msg
/etc/vsftpd/vsftpd.conf, or else every attempt to connect to vsftpd will result in the connection being closed immediately and a 500 OOPS: cannot open banner <path_to_banner_file> error message.
banner_file directive in /etc/vsftpd/vfsftpd.conf takes precedence over any ftpd_banner directives in the configuration file: if banner_file is specified, then ftpd_banner is ignored.
/var/ftp/ ativa a conta anônima.
vsftpd. Este pacote define uma árvore de diretório para usuários anônimos e configura as permissões dos diretórios para somente-leitura para usuários anônimos.
/var/ftp/pub/.
mkdir /var/ftp/pub/uploadchmod 730 /var/ftp/pub/uploaddrwx-wx--- 2 root ftp 4096 Feb 13 20:05 upload
vsftpd, adicione a seguinte linha ao arquivo /etc/vsftpd/vsftpd.conf:
anon_upload_enable=YES
vsftpd, adicione a seguinte diretiva a /etc/vsftpd/vsftpd.conf:
local_enable=NO
sudo privileges, the easiest way is to use a PAM list file as described in Seção 46.1.4.2, “Impedindo Acesso Root”. The PAM configuration file for vsftpd is /etc/pam.d/vsftpd.
vsftpd, adicione o nome do usuário a /etc/vsftpd.ftpusers.
/etc/mail/sendmail.cf by editing the /etc/mail/sendmail.mc and using the m4 command.
/etc/mail/sendmail.mc, a efetividade de ataques deste tipo é limitada.
confCONNECTION_RATE_THROTTLE — O número de conexões que o servidor pode receber por segundo. Por padrão, o Sendmail não limita o número de conexões. Se um limite for definido e alcançado, conexões subseqüentes terão que esperar.
confMAX_DAEMON_CHILDREN — O número máximo de processos filho que podem ser gerados pelo servidor. Por padrão, o Sendmail não determina um número limite de processos filho. Se um limite for definido e alcançado, conexões futuras terão que esperar.
confMIN_FREE_BLOCKS — O número mínimo de blocos livres que devem estar disponíveis para que o servidor aceite correspondência. O valor padrão é 100 blocos.
confMAX_HEADERS_LENGTH — O tamanho máximo aceitável (em bytes) para o cabeçalho de uma mensagem.
confMAX_MESSAGE_SIZE — O tamanho máximo aceitável (em bytes) para qualquer mensagem.
/var/spool/mail/, em um volume NFS compartilhado.
SECRPC_GSS não utiliza a autenticação baseada no UID. Entretanto, é uma boa idéia não colocar o diretório spool de correspondência em volumes NFS compartilhados.
/etc/passwd devem ser definidos para /sbin/nologin (com a possível exceção do usuário root).
netstat -an ou lsof -i. Este método é menos confiável já que estes programas não conectam à máquina pela rede, mas checam o que está sendo executado no sistema. Por esta razão, estas aplicações são alvos freqüentes de substituição por atacantes. Desta maneira, os crackers tentam cobrir seus passos se abrirem portas de rede não autorizadas através da substituição do netstat e do lsof pelas suas próprias versões modificadas.
nmap.
nmap -sT -O localhostStarting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-09-24 13:49 EDT Interesting ports on localhost.localdomain (127.0.0.1): (The 1653 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 111/tcp open rpcbind 113/tcp open auth 631/tcp open ipp 834/tcp open unknown 2601/tcp open zebra 32774/tcp open sometimes-rpc11 Device type: general purpose Running: Linux 2.4.X|2.5.X|2.6.X OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7) Uptime 12.857 days (since Sat Sep 11 17:16:20 2004) Nmap run completed -- 1 IP address (1 host up) scanned in 5.190 seconds
portmap devido à presença do serviço sunrpc. No entanto, também há um serviço misterioso na porta 834. Para verificar se a porta está associada à lista oficial de serviços conhecidos, digite:
cat /etc/services | grep 834netstat ou lsof. Para verificar a porta 834 usando netstat, use o seguinte comando:
netstat -anp | grep 834tcp 0 0 0.0.0.0:834 0.0.0.0:* LISTEN 653/ypbind
netstat afirma que um cracker que abrir clandestinamente uma porta num sistema violado provavelmente não permitirá que esta seja revelada através deste comando. A opção [p] também revela o id do processo (PID) do serviço que abriu a porta. Neste caso, a porta aberta pertence ao ypbind (NIS), que é um serviço RPC administrado juntamente ao serviço portmap.
lsof revela informações similares ao netstat já que é capaz de ligar portas abertas a serviços:
lsof -i | grep 834ypbind 653 0 7u IPv4 1319 TCP *:834 (LISTEN) ypbind 655 0 7u IPv4 1319 TCP *:834 (LISTEN) ypbind 656 0 7u IPv4 1319 TCP *:834 (LISTEN) ypbind 657 0 7u IPv4 1319 TCP *:834 (LISTEN)
lsof, do netstat, do nmap, e do services para maiores informações.
nss-tools estão carregados.
certutil -A -d /etc/pki/nssdb -n "root ca cert" -t "CT,C,C" \-i ./ca_cert_in_base64_format.crt
/etc/pam_pkcs11/pam_pkcs11.conf e procure pela seguinte linha:
enable_ocsp = false;
enable_ocsp = true;
/etc/pam_pkcs11/cn_map.
cn_map:
MY.CAC_CN.123454 -> myloginid
MY.CAC_CN.123454 é o Nome Comum em seu CAC e myloginid é seu ID de registro UNIX
pklogin_finder debugpklogin_finder no modo depurador, enquanto um cartão inteligente registrado estiver conectado, ela tentará enviar informações sobre a validade dos certificados. Se a tarefa for bem sucedida, ela tentará mapear um ID de registro dos certificados que estiverem no cartão.
about:config para exibir a lista de opções de configuração atual.
negociate para restringir a lista de opções.
.exemplo.com.
kinit para recuperar os tickets do Kerberos. Para obter a lista de permissões disponíveis, digite klist. A seguir veja um exemplo do resultado destes comandos:
~]$kinitPassword for user@EXAMPLE.COM: ~]$klistTicket cache: FILE:/tmp/krb5cc_10920 Default principal: user@EXAMPLE.COM Valid starting Expires Service principal 10/26/06 23:47:54 10/27/06 09:47:54 krbtgt/USER.COM@USER.COM renew until 10/26/06 23:47:54 Kerberos 4 ticket cache: /tmp/tkt10920 klist: You have no tickets cached
export NSPR_LOG_MODULES=negotiateauth:5export NSPR_LOG_FILE=/tmp/moz.log
/tmp/moz.log, e poderão lhe dar algumas pistas para a solução do problema. Por exemplo:
-1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken() -1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure Não foram encontrados cache de credenciais
kinit.
kinit com êxito a partir de sua máquina mas não conseguir autenticá-lo, procure por algo como isto no arquivo de registro:
-1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken() -1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure Server not found in Kerberos database
/etc/krb5.conf. Por exemplo:
.example.com = EXAMPLE.COM example.com = EXAMPLE.COM
/etc/pam.d/ contém os arquivos de configuração do PAM para cada aplicativo que use o PAM. Em versões mais antigas do PAM, o /etc/pam.conf era usado, mas este arquivo agora está obsoleto e é usado apenas se o diretório /etc/pam.d/ não existir.
/etc/pam.d/. Cada arquivo neste diretório tem o mesmo nome que o serviço ao qual ele controla o acesso.
/etc/pam.d/. Por exemplo, o programa login define o seu nome de serviço como login e instala o arquivo de configuração do PAM /etc/pam.d/login.
<interface de módulo><sinalizador de controle><nome do módulo><argumentos do módulo>
auth — Esta interface de módulo autentica usuários. Por exemplo, ela pede por uma senha e então verifica a sua validade. Módulos com essa interface também podem estabelecer credenciais, tais como a associação à grupos, ou tickets do Kerberos.
account — Esta interface de módulo verifica se o acesso é permitido. Por exemplo, ela pode verificar se uma conta de usuário venceu ou se um usuário tem permissão para se autenticar durante um determinado período do dia.
password — Esta interface de módulo é usada para mudar as senhas dos usuários.
session — Esta interface de módulo configura e gerencia sessões de usuários. Módulos com esta interface também podem desempenhar tarefas adicionais que são necessárias para permitir acesso, como montar o diretório pessoal e disponibilizar a caixa de correio de um usuário.
pam_unix.so fornece todas as quatro interfaces de módulo.
auth required pam_unix.so
auth do módulo pam_unix.so.
reboot normalmente usa vários módulos agregados, o que pode ser verificado no seu arquivo de configuração do PAM:
~]# cat /etc/pam.d/reboot
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_console.so
#auth include system-auth
account required pam_permit.soauth sufficient pam_rootok.so — Esta linha usa o módulo pam_rootok.so para determinar se o usuário atual é o root, verificando se a UID do usuário é 0. Se este teste for bem sucedido, nenhum outro módulo é consultado e o comando é executado. Se este teste falhar, o próximo módulo é consultado.
auth required pam_console.so — Esta linha usa o módulo pam_console.so para tentar autenticar o usuário. Se este usuário já estiver autenticado no console, o pam_console.so verifica se existe um arquivo no diretório /etc/security/console.apps/ com o mesmo nome do serviço em si (reboot). Se tal arquivo existir, a autenticação é efetuada com sucesso e o controle é passado ao próximo módulo.
#auth include system-auth — Esta linha é apenas um comentário e não é processada.
account required pam_permit.so — Esta linha usa o módulo pam_permit.so para permitir que o usuário root ou qualquer um que esteja conectado ao console possa reinicializar o sistema.
required — O resultado do módulo deve ser bem sucedido para que a autenticação continue. Se o teste falhar à esta altura, o usuário não é notificado até que os resultados dos testes de todos os módulos, que façam referência àquela interface, estejam completos.
requisite — O resultado do módulo deve ser bem sucedido para que a autenticação continue. Entretanto, se um teste falhar à esta altura, o usuário é notificado imediatamente com uma mensagem refletindo o primeiro teste de módulo required ou requisite que tenha falhado.
sufficient — O resultado do módulo é ignorado se falhar. Entretanto, se o resultado de um módulo sinalizado como sufficient é de sucesso e nenhum módulo prévio sinalizado como required falhou, então nenhum outro resultado é necessário e o usuário é autenticado ao servidor.
optional — O resultado do módulo é ignorado. Um módulo sinalizado como optional torna-se necessário à autenticação bem sucedida apenas quando nenhum outro módulo faz referência à interface.
required são chamados não é crítica. Apenas os sinalizadores de controle sufficient e requisite fazem com que a ordem torne-se importante.
pam.d e a documentação do PAM, disponível no diretório /usr/share/doc/pam-<número-da-versão>/, onde <número-da-versão> é o número da versão do PAM no seu sistema, descrevem esta nova sintaxe em detalhes.
/lib64/security/, o nome do diretório é omitido porque o aplicativo é vinculado à versão certa do libpam, o qual é capaz de encontrar a versão correta do módulo.
pam_userdb.so usa informações armazenadas em um arquivo Berkeley DB para autenticar o usuário. O Berkeley DB é um sistema banco de dados de código aberto incorporado a vários aplicativos. O módulo leva um argumento db de forma que o Berkeley DB saiba qual banco de dados usar para o serviço requisitado.
pam_userdb.so típica em uma configuração PAM. O <caminho-para-o-arquivo> é o caminho completo para o arquivo de banco de dados Berkeley DB:
auth required pam_userdb.so db=<path-to-file>/var/log/secure.
#%PAM-1.0 auth required pam_securetty.so auth required pam_unix.so nullok auth required pam_nologin.so account required pam_unix.so password required pam_cracklib.so retry=3 password required pam_unix.so shadow nullok use_authtok session required pam_unix.so
#) no início da linha.
auth required pam_securetty.so — Este módulo garante que se o usuário está tentando se autenticar como root, o tty ao qual o usuário está tentando se autenticar, está listado no arquivo /etc/securetty, se tal arquivo existir.
Autenticação Incorreta.
auth required pam_unix.so nullok — Este módulo solicita que o usuário forneça uma senha e então verifica a senha, se ela existir, no /etc/shadow, usando a informação contida no /etc/passwd..
pam_unix.so module automatically detects whether the user's password is in the passwd file or the shadow file. Refer to Seção 35.6, “Senhas Shadow” for more information.
auth required pam_nologin.so — Este é o último passo da autenticação, e verifica se o arquivo /etc/nologin existe. Se existir, e o usuário não for o root, a autenticação iráfalhar.
auth são verificados, mesmo se o primeiro módulo auth falhe. Isto impede que o usuário fique sabendo em qual estágio a sua autenticação falhou. Tal informação nas mãos de um atacante pode permitir que ele deduza mais facilmente como violar a segurança do sistema.
account required pam_unix.so — Este módulo executa quaisquer verificações de conta necessárias. Por exemplo, se senhas shadow foram habilitadas, a interface account do módulo pam_unix.so verifica se a conta venceu ou se o usuário não mudou sua senha dentro do período de carência permitido.
password required pam_cracklib.so retry=3 — Se uma senha estiver vencida, o componente de senha do módulo pam_cracklib.so solicita o fornecimento de uma nova senha. Logo após, testa a nova senha para ver se a mesma pode ser facilmente determinada por um programa de quebra de senhas baseado em um dicionário.
retry=3 especifica que se o teste falhar na primeira vez, o usuário tem mais duas chances para criar uma senha mais robusta.
password required pam_unix.so shadow nullok use_authtok — Esta linha especifica que se o programa mudar a senha do usuário, deve fazê-lo usando a interface password do módulo pam_unix.so.
shadow faz com que o módulo crie senhas shadow ao atualizar a senha de um usuário.
nullok faz com que o módulo permita que o usuário mude a sua senha a partir de uma senha em branco, caso contrário, uma senha em branco é tratada como um bloqueio para a conta.
use_authtok, fornece um bom exemplo da importância da ordem ao agregar módulos PAM. Este argumento faz com que o módulo não solicite que o usuário forneça uma nova senha. Ao invés disto, aceita qualquer senha que tenha sido registrada anteriormente por um módulo de senha. Desta forma, todas as novas senhas devem passar o teste pam_cracklib.so para senhas seguras antes de serem aceitas.
session required pam_unix.so — A última linha faz com que a interface session do módulo pam_unix.so gerencie a sessão. Este módulo registra o nome de usuário e o tipo de serviço em /var/log/secure no início e no fim de cada sessão. Este módulo pode ser suplementado com funcionalidades adicionais ao ser agregado a outros módulos de sessão.
/usr/share/doc/pam-<número-da-versão>/, onde <número-da-versão> é o número da versão do PAM instalado no seu sistema.
pam_timestamp.so. É importante entender como este mecanismo funciona, uma vez que se um usuário abandona um terminal enquanto o pam_timestamp.so estiver em funcionamento, deixa a máquina vulnerável à manipulação por parte de qualquer um que tenha acesso físico ao console.
pam_timestamp.so cria um arquivo de carimbo de data e hora. Por padrão, este arquivo é criado no diretório /var/run/sudo/. Se o arquivo de carimbo de data e hora já existir, programas administrativos gráficos não solicitam uma senha. Ao invés disto, o módulo pam_timestamp.so atualiza o arquivo de carimbo de data e hora, reservando mais cinco minutos de acesso administrativo inquestionável ao usuário.
/var/run/sudo/<user>. Para a área de trabalho, o arquivo relevante é o unknown:root. Se o mesmo estiver presente e o seu carimbo de data e hora tiver sido feito há menos do que cinco minutos, as credencias são válidas.
ssh, use o comando /sbin/pam_timestamp_check -k root para destruir o arquivo de carimbo de data e hora.
/sbin/pam_timestamp_check -k root da mesma janela de terminal de onde o aplicativo com privilégios foi lançado.
pam_timestamp.so para poder usar o comando /sbin/pam_timestamp_check -k. Não autentique-se como root para usar este comando.
pam_timestamp_check -k root </dev/null >/dev/null 2>/dev/nullpam_timestamp_check para maiores informações sobre a destruição de um arquivo de carimbo de data e hora usando o pam_timestamp_check.
pam_timestamp.so aceita várias diretivas. Veja a seguir as duas opções mais utilizadas:
timestamp_timeout — Especifica o período (em segundos) durante o qual o arquivo de carimbo de data e hora é válido. O valor padrão é 300 (cinco minutos).
timestampdir — Especifica o diretório no qual o arquivo de carimbo de data e hora é armazenado. O valor padrão é /var/run/sudo/.
pam_timestamp.so module.
pam_console.so.
pam_console.so é invocado pelos programas login ou pelos programas gráficos de autenticação, gdm, kdm, e xdm. Se este usuário for o primeiro a se autenticar no console físico — também chamado de usuário do console — o módulo dá ao usuário a propriedade sobre uma gama de dispositivos normalmente de propriedade do root. O usuário do console torna-se o dono destes dispositivos até que a última sessão local para aquele usuário termine. Após este usuário ter feito o logoff, a propriedade dos dispositivos reverte novamente para o usuário root.
pam_console.so editando os seguintes arquivos:
/etc/security/console.perms
/etc/security/console.perms.d/50-default.perms
50-default.perms, você deve criar um novo arquivo (por exemplo, xx-name.perms51-default.perms). Isto sobrescreverá os valores padrão no arquivo 50-default.perms.
<console> e <xconsole> no /etc/security/console.perms para os seguintes valores:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0 <xconsole>=:0\.[0-9] :0
<xconsole> e mudar a diretiva <console> para o seguinte valor:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]*
/etc/security/console.apps/.
/sbin e /usr/sbin.
/sbin/halt
/sbin/reboot
/sbin/poweroff
pam_console.so seja obrigatória para o seu uso.
pam — Boas informações introdutórias sobre o PAM, incluindo a estrutura e a finalidade dos arquivos de configuração do PAM.
/etc/pam.conf como arquivos de configuração individuais no diretório /etc/pam.d/. Por padrão, o Red Hat Enterprise Linux usa os arquivos de configuração individuais no diretório /etc/pam.d/, ignorando o /etc/pam.conf, caso exista.
pam_console — Descreve a finalidade do módulo pam_console.so, assim como a sintaxe adequada para uma entrada num arquivo de configuração do PAM.
console.apps — Descreve o formato e as opções disponíveis para o arquivo de configuração /etc/security/console.apps, o qual define quais aplicativos são acessíveis pelo usuário do console atribuído pelo PAM.
console.perms — Descreve o formato e as opções disponíveis par o arquivo de configuração /etc/security/console.perms, o qual especifica as permissões do usuário do console atribuídas pelo PAM.
pam_timestamp — Descreve o módulo pam_timestamp.so.
/usr/share/doc/pam-<número-da-versão> — Contém um System Administrator's Guide (Guia do Administrador de Sistemas), um Module Writer's Manual (Manual do Autor de Módulos), e o Application Developer's Manual (Manual do Desenvolvedor de Aplicativos), assim como uma cópia da norma DCE-RFC 86.0 do PAM, onde <número-da-versão> é o número da versão do PAM.
/usr/share/doc/pam-<número-da-versão>/txts/README.pam_timestamp — Contém informações sobre o módulo PAM pam_timestamp.so, onde <número-da-versão> é o número da versão do PAM.
iptables filtra pacotes de rede não desejáveis na stack de rede do kernel. O TCP Wrappers adiciona uma camada de proteção adicional aos serviços de rede que o utilizam, definindo quais hosts tem ou não têm a permissão para conectar a serviços de rede "embrulhados" (wrapped). Um exemplo de tal serviço de rede embrulhado é o super servidor xinetd. Este serviço é chamado de super servidor porque ele controla conexões a um subconjunto de serviços de rede e refina ainda mais o controle de acesso.
xinetd in controlling access to network services and reviews how these tools can be used to enhance both logging and utilization management. Refer to Seção 46.9, “IPTables” for information about using firewalls with iptables.
tcp_wrappers) faz parte da instalação padrão e oferece controle de de acesso a serviços de rede baseado no host. O componente mais importante do pacote é a biblioteca /usr/lib/libwrap.a. Em termos gerais, um serviço que use o TCP Wrappers é um que foi compilado com vinculação à biblioteca libwrap.a.
/etc/hosts.allow e /etc/hosts.deny) para determinar se um cliente tem permissão para conectar. Na maioria dos casos, o serviço então usa o daemon syslog (syslogd) para escrever o nome do cliente fazendo o pedido e o serviço requisitado em /var/log/secure ou /var/log/messages.
libwrap.a porque o TCP Wrappers é uma adição valiosa ao arsenal de segurança de qualquer administrador de sistemas. Algumas destas aplicações incluem o /usr/sbin/sshd, o /usr/sbin/sendmail, e o /usr/sbin/xinetd.
libwrap.a, digite o seguinte comando como usuário root.
ldd <binary-name> | grep libwrap<nome-do-binário> pelo nome do binário de serviço de rede.
libwrap.a.
/usr/sbin/sshd está vinculado à libwrap.a:
~]# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00655000)
~]#/etc/hosts.allow
/etc/hosts.deny
/etc/hosts.allow. — O serviço usuário do TCP Wrappers analisa o arquivo /etc/hosts.allow seqüencialmente e aplica a primeira regra especificada para aquele serviço. Se encontra uma regra correspondente, permite a conexão. Caso contrário, continua com o próximo passo.
/etc/hosts.deny. — O serviço TCP Wrappers analisa o arquivo /etc/hosts.deny seqüencialmente. Se encontra uma regra correspondente, nega a conexão. Caso contrário, permite acesso ao serviço.
hosts.allow tem precedência sobre as regras especificadas em hosts.deny porque elas são aplicadas primeiro. Conseqüentemente, se o acesso a um serviço for permitido em hosts.allow, uma regra negando o acesso aquele mesmo serviço em hosts.deny é ignorada.
hosts.allow ou hosts.deny tem efeito imediato sem precisar reiniciar serviços de rede.
/var/log/messages ou /var/log/secure. Isto também aplica-se à regras que usem mais de uma linha sem usar o caractere de barra invertida. O seguinte exemplo ilustra a parte relevante de uma mensagem de registro para a falha de uma regra devido a qualquer uma destas circunstâncias.
warning: /etc/hosts.allow, line 20: missing newline or line too long
/etc/hosts.allow e do /etc/hosts.deny é idêntico. Cada regra deve ser especificada na sua própria linha. Linhas em branco ou que comecem com uma cerquilha (#) são ignoradas.
<lista-de-daemons>:<lista-de-clientes>[:<opção>:<opção>: ...]
<daemon list> — A comma-separated list of process names (not service names) or the ALL wildcard. The daemon list also accepts operators (refer to Seção 46.5.2.1.4, “Operadores”) to allow greater flexibility.
<client list> — A comma-separated list of hostnames, host IP addresses, special patterns, or wildcards which identify the hosts affected by the rule. The client list also accepts operators listed in Seção 46.5.2.1.4, “Operadores” to allow greater flexibility.
<opção> — Uma ação opcional, ou lista de ações opcionais separadas por vírgulas, executadas quando a regra é invocada. Campos de opção suportam a expansão, lançam comandos shell, permitem ou negam o acesso, e alteram o comportamento da autenticação.
vsftpd : .example.com
vsftpd) a partir de qualquer host no domínio example.com. Se esta regra aparece no hosts.allow, a conexão é aceita. Se esta regra aparece no hosts.deny, a conexão é rejeitada.
sshd : .example.com \ : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log \ : deny
sshd) is attempted from a host in the example.com domain, execute the echo command to append the attempt to a special log file, and deny the connection. Because the optional deny directive is used, this line denies access even if it appears in the hosts.allow file. Refer to Seção 46.5.2.2, “Campos de Opção” for a more detailed look at available options.
ALL — Corresponde a tudo. Pode ser usado tanto com a lista de daemons como com a lista de clientes.
LOCAL — Faz a correspondência de qualquer host que não contenha um ponto (.), como, por exemplo, localhost.
KNOWN — Faz a correspondência de qualquer host onde o nome e endereço do host ou o usuário são conhecidos.
UNKNOWN — Faz a correspondência de qualquer host onde o nome ou endereço do host são desconhecidos, ou o usuário é desconhecido.
PARANOID — Faz a correspondência de qualquer host onde o nome de host não corresponde ao endereço do host.
KNOWN, UNKNOWN, e PARANOID devem ser usados com cuidado porque eles baseiam-se na operação correta de um servidor DNS para operar corretamente. Qualquer interrupção à resolução de nomes pode impedir que usuários legítimos ganhem acesso a um serviço.
example.com:
ALL : .example.com
192.168.x.x:
ALL : 192.168.
192.168.0.0 a 192.168.1.255:
ALL : 192.168.0.0/255.255.254.0
3ffe:505:2:1:: a 3ffe:505:2:1:ffff:ffff:ffff:ffff:
ALL : [3ffe:505:2:1::]/64
example.com:
ALL : *.example.com
/etc/telnet.hosts para todas as conexões Telnet:
in.telnetd : /etc/telnet.hosts
hosts_access(5) para maiores informações.
portmap não suporta a busca por hosts, o que significa que o portmap não pode usar nomes de hosts para identificar hosts. Conseqüentemente, regras de controle de acesso para o portmap no hosts.allow ou no hosts.deny devem usar endereços IP, ou a palavra-chave ALL para a especificação de hosts.
portmap podem não entrar em vigor imediatamente. Talvez você precise reiniciar o serviço portmap.
portmap para operar. Portanto, esteja ciente destas limitações.
EXCEPT. Este operador pode ser usado tanto na lista de daemons como na lista de clientes de uma regra.
EXCEPT permite exceções específicas para correspondências mais genéricas na mesma regra.
hosts.allow, todos os hosts example.com, exceto cracker.example.com, têm permissão para se conectar a todos os serviços:
ALL: .example.com EXCEPT cracker.example.com
hosts.allow, clientes da rede 192.168.0.x podem usar todos os serviços, exceto o FTP:
ALL EXCEPT vsftpd: 192.168.0.
EXCEPT. Isto permite que outros administradores inspecionem os arquivos apropriados para determinar quais hosts tem ou não permissão para acessar serviços sem ter que lidar com operadores EXCEPT.
severity.
example.com são registradas no alvo padrão authpriv syslog (uma vez que nenhum valor de alvo é especificado) com prioridade emerg:
sshd : .example.com : severity emerg
severity. O seguinte exemplo registra qualquer tentativa de conexão SSH a partir de hosts no domínio example.com no alvo local0 com prioridade alert:
sshd : .example.com : severity local0.alert
syslogd) seja configurado para registrar no alvo local0. Consulte a página man syslog.conf para informações sobre configuração de alvos de registro personalizados.
allow ou deny como opção final.
client-1.example.com, mas negam conexões a partir de client-2.example.com:
sshd : client-1.example.com : allow sshd : client-2.example.com : deny
hosts.allow ou hosts.deny. Alguns administradores consideram isto uma maneira mais fácil de organizar regras de acesso.
spawn — Lança um comando do shell como um processo filho. Esta diretiva pode executar tarefas como usar o /usr/sbin/safe_finger para obter mais informações sobre o cliente fazendo o pedido ou criar arquivos de registro especiais usando o comando echo.
example.com são silenciosamente registrados em um arquivo especial:
in.telnetd : .example.com \ : spawn /bin/echo `/bin/date` from %h>>/var/log/telnet.log \ : allow
twist — Substitui o serviço requisitado por um comando específico. Esta diretiva é normalmente usada para estabelecer armadilhas para invasores (também chamadas de "potes de mel"), e também pode ser usada para enviar mensagens a clientes que estejam se conectando. A diretiva twist deve aparecer no final da linha da regra.
example.com recebem mensagens criadas com o comando echo:
vsftpd : .example.com \ : twist /bin/echo "421 This domain has been black-listed. Access denied!"
hosts_options.
spawn e twist, oferecem informações sobre o cliente, o servidor, e os processos envolvidos.
%a — Retorna o endereço IP do cliente.
%A — Retorna o endereço IP do servidor.
%c — Retorna uma variedade de informações sobre clientes, como o nome de usuário e o nome de host, ou o nome de usuário e o endereço IP.
%d — Retorna o nome do processo do daemon.
%h — Retorna o nome de host do cliente (ou endereço IP, caso o nome de host não esteja disponível).
%H — Retorna o nome de host do servidor (ou endereço IP, caso o nome de host não esteja disponível).
%n — Retorna o nome de host do cliente. Caso não esteja disponível, retorna unknown. Se o nome e endereço de host do cliente não corresponderem, retorna paranoid.
%N — Retorna o nome de host do servidor. Caso não esteja disponível, retorna unknown. Se o nome e endereço de host do servidor não corresponderem, retorna paranoid.
%p — Retorna o ID do processo do daemon.
%s — Retorna vários tipos de informações sobre o servidor, como o processo do daemon e o host ou endereço IP do servidor.
%u — Retorna o nome de usuário do cliente. Caso não esteja disponível, retorna unknown.
spawn para identificar o host cliente em um arquivo personalizado.
sshd) são tentadas a partir de um host no domínio example.com, o comando echo é executado para registrar a tentativa, incluindo o nome de host (obtido através do uso da expansão %h), em um arquivo especial:
sshd : .example.com \ : spawn /bin/echo `/bin/date` access denied to %h>>/var/log/sshd.log \ : deny
example.com são informados que eles foram banidos do servidor.
vsftpd : .example.com \ : twist /bin/echo "421 %h has been banned from this server!"
hosts_access (man 5 hosts_access) e a página man do hosts_options.
xinetd é um super serviço usuário do TCP Wrappers que controla o acesso a um subconjunto de serviços de rede populares, incluindo o FTP, o IMAP, e o Telnet. O xinetd também oferece opções de configuração específicas a serviços para o controle de acesso, registro aprimorado, vinculação, redirecionamento, e controle de utilização de recursos.
xinetd, o super serviço recebe o pedido e verifica a existência de quaisquer regras de controle de acesso do TCP Wrappers .
xinetd verifica se a conexão é permitida sob as suas próprias regras de acesso para o serviço em questão. O xinetd também verifica se o serviço pode ter mais recursos alocados e certifica-se de que o serviço não está violando nenhuma regra definida.
xinetd então inicia uma instância do serviço e passa o controle da conexão para o mesmo. Após a conexão ter sido estabelecida, o xinetd não participa mais da comunicação entre o cliente e o servidor.
xinetd são os seguintes:
/etc/xinetd.conf — O arquivo de configuração global do xinetd.
/etc/xinetd.d/ — O diretório contendo todos os arquivos de serviços específicos.
/etc/xinetd.conf contém opções de configuração gerais que afetam todos os serviços sob o controle do xinetd. É lido quando o serviço xinetd é iniciado pela primeira vez, portanto, para que configurações entrem em vigor, você precisa reiniciar o serviço xinetd. Veja a seguir um exemplo de arquivo /etc/xinetd.conf:
defaults
{
instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
}
includedir /etc/xinetd.dxinetd:
instances — Especifica o número máximo de pedidos simultâneos que o xinetd pode processar.
log_type — Configura xinetd para que use o alvo de registro authpriv, o qual escreve entradas de registro no arquivo /var/log/secure. A inclusão de uma diretiva como FILE /var/log/xinetdlog criaria um arquivo de registro personalizado chamado xinetdlog no diretório /var/log/.
log_on_success — Configura o xinetd para que registre tentativas de conexão bem-sucedidas. Por padrão, o endereço IP do host remoto e o ID do processo do servidor processando o pedido são registrados.
log_on_failure — Configura o xinetd para que registre tentativas de conexão mal-sucedidas ou recusadas.
cps — Configura o xinetd para que permita não mais do que 25 por segundo para qualquer serviço. Se este limite for excedido, o serviço é aposentado por 30 seconds.
includedir /etc/xinetd.d/ — Includes options declared in the service-specific configuration files located in the /etc/xinetd.d/ directory. Refer to Seção 46.5.4.2, “O Diretório /etc/xinetd.d/” for more information.
log_on_success and log_on_failure settings in /etc/xinetd.conf are further modified in the service-specific configuration files. More information may therefore appear in a given service's log file than the /etc/xinetd.conf file may indicate. Refer to Seção 46.5.4.3.1, “Opções de Registro” for further information.
/etc/xinetd.d/ contém os arquivos de configuração para cada serviço gerenciado pelo xinetd, e os nomes dos arquivos relacionados ao serviço. Assim como o xinetd.conf, este diretório é lido apenas quando o serviço xinetd é iniciado. Para que quaisquer alterações sejam efetivadas, o administrador deve reiniciar o serviço xinetd.
/etc/xinetd.d/ usa a mesma convenção do que o /etc/xinetd.conf. A razão principal pela qual a configuração de cada serviço é armazenada em uma arquivo separado é para facilitar a personalização e reduzir o risco de interferência na configuração de outros serviços.
/etc/xinetd.d/krb5-telnet:
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/telnetd
log_on_failure += USERID
disable = yes
}telnet:
service — Especifica o nome do serviço, normalmente um dos nomes listados no arquivo /etc/services.
flags — Estabelece uma série de atributos para a conexão. O REUSE informa ao xinetd para reutilizar o soquete para uma conexão Telnet.
REUSE é obsoleto, uma vez que todos os serviços agora o usam implicitamente..
socket_type — Estabelece o tipo de soquete de rede para stream.
wait — Especfica se o serviço é single-thread (yes) ou multi-thread (no).
user — Especifica o ID do usuário sob o qual o processo está rodando.
server — Especifica qual executável binário deve ser lançado.
log_on_failure — Especifica os parâmetros de registro para log_on_failure além daquela já definidos em xinetd.conf.
disable — Especifica se o serviço está desabilitado (yes) ou habilitado (no).
xinetd.conf para mais informações sobre o uso destas opções.
xinetd. Esta seção destaca algumas das opções mais usadas.
/etc/xinetd.conf e para os arquivos de configuração de serviço específicos no diretório /etc/xinetd.d/.
ATTEMPT — Registra o fato de que uma tentativa mal-sucedida foi feita (log_on_failure).
DURATION — Registra a duração do uso do serviço é usado por um sistema remoto (log_on_success).
EXIT — Registra o estado de saída ou sinal de término do serviço (log_on_success).
HOST — Registra o endereço IP do host remoto (log_on_failure e log_on_success).
PID — Registra o ID do processo do servidor recebendo o pedido (log_on_success).
USERID — Registra o usuário remoto usando o método definido no RFC 1413 para serviços multi-thread de fluxo (log_on_failure andlog_on_success).
xinetd.conf.
xinetd services can choose to use the TCP Wrappers hosts access rules, provide access control via the xinetd configuration files, or a mixture of both. Refer to Seção 46.5.2, “Arquivos de Configuração do TCP Wrappers” for more information about TCP Wrappers hosts access control files.
xinetd para controlar o acesso a serviços.
xinetd reiniciar o serviço.
xinetd afeta apenas os serviços controlados pelo xinetd.
xinetd difere do método usado pelo TCP Wrappers. Enquanto o TCP Wrappers organiza toda a configuração de acesso em dois arquivos, /etc/hosts.allow e /etc/hosts.deny, o controle de acesso do xinetd é encontrado no arquivo de configuração de cada serviço no diretório /etc/xinetd.d/.
xinetd:
only_from — Permite que apenas os hosts especificados usem o serviço.
no_access — Não permite que os hosts listados usem o serviço
access_times — Especifica o intervalo de tempo durante o qual um determinado serviço pode ser usado. O intervalo de tempo deve ser especificado no formato 24 horas, HH:MM-HH:MM.
only_from e no_access podem usar uma lista de endereços IP ou nomes de host, ou podem especificar um rede inteira. Assim como o TCP Wrappers, a combinação do controle de acesso através do xinetd com a configuração aprimorada de registros pode aumentar a segurança através do bloqueio de pedidos a partir de hosts e do registro detalhado de cada tentativa de conexão.
/etc/xinetd.d/telnet pode ser usado para bloquear acesso ao Telnet a partir de um determinado grupo de rede e para restringir o intervalo de tempo total que até mesmo usuários com permissão podem permanecer conectados:
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/telnetd
log_on_failure += USERID
no_access = 172.16.45.0/24
log_on_success += PID HOST EXIT
access_times = 09:45-16:15
}10.0.1.0/24, como 10.0.1.2 tenta o acesso ao serviço Telnet, recebe a seguinte mensagem:
Conexão fechada pelo host remoto.
/var/log/messages da seguinte maneira:
Sep 7 14:58:33 localhost xinetd[5285]: FAIL: telnet address from=172.16.45.107 Sep 7 14:58:33 localhost xinetd[5283]: START: telnet pid=5285 from=172.16.45.107 Sep 7 14:58:33 localhost xinetd[5283]: EXIT: telnet status=0 pid=5285 duration=0(sec)
xinetd, é importante entender a relação entre os dois mecanismos de controle de acesso.
xinetd quando um cliente solicita uma conexão:
xinetd acessa as regras de acesso a hosts o TCP Wrappers usando uma chamada da biblioteca libwrap.a. Se uma regra de negação (deny rule) corresponde ao cliente, a conexão é abandonada. Se um regra de permissão (allow rule) corresponde ao cliente, a conexão é passada para o xinetd.
xinetd verifica as suas próprias regras de controle de acesso tanto para o serviço xinetd como para o serviço requisitado. Se uma regra de negação corresponder ao cliente, a conexão é abandonada. Caso contrário, o xinetd inicia uma instância do serviço requisitado e passa o controle da conexão para aquele serviço.
xinetd. A má configuração pode causar efeitos indesejáveis.
xinetd oferecem suporte à vinculação do serviço a um endereço IP e o redirecionamento de pedidos de entrada para aquele serviço para outro endereço IP, nome de host, ou porta.
bind nos arquivos de configuração de serviço específicos e liga o serviço a um endereço IP no sistema. Quando configurado, a opção bind permite apenas que pedidos ao endereço IP correto acessem o serviço. Você pode usar este método para vincular vários serviços à várias interfaces de rede conforme for necessário.
redirect aceita um endereço IP ou nome de host seguido por um número de porta. A opção configura o serviço para que redirecione quaisquer pedidos por este serviço para host e número de porta especificados. Esta funcionalidade pode ser usada para fazer o redirecionamento para outra porta no sistema, para redirecionar o pedido para um endereço IP diferente na mesma máquina, mandar o pedido para um sistema e um número de porta totalmente diferentes, ou qualquer combinação destas opções. Um usuário que esteja conectando a um sistema pode portanto ser redirecionado para outro sistema sem interrupção.
xinetd pode realizar este redirecionamento através da geração de um processo que mantém-se vivo por toda a duração da conexão entre a máquina cliente que fez o pedido e o host oferecendo o serviço, transferindo dados entre os dois sistemas.
bind e redirect são mais evidentes quando usadas ao mesmo tempo. Ao vincular um serviço a um endereço IP específico em um sistema, e então redirecionar pedidos por este serviço para uma segunda máquina que apenas a primeira máquina saiba que exista, um sistema interno pode ser usado para oferecer serviços para uma rede totalmente diferente. Alternativamente, estas opções podem ser usadas para limitar a exposição de um serviço específico em uma máquina com diversas bases a um endereço IP conhecido, bem como para redirecionar quaisquer pedidos por aquele serviço para outra máquina configurada especialmente para esta finalidade.
service telnet
{
socket_type = stream
wait = no
server = /usr/kerberos/sbin/telnetd
log_on_success += DURATION USERID
log_on_failure += USERID
bind = 123.123.123.123
redirect = 10.0.1.13 23
}bind e redirect neste arquivo garantem que o serviço Telnet na máquina é vinculado ao endereço IP externo (123.123.123.123), o qual faz a interface com a Internet. Além disso, quaisquer pedidos por serviços Telnet enviados ao 123.123.123.123 são redirecionados através de um segundo adaptador de rede para um endereço IP interno (10.0.1.13) que apenas o firewall e sistemas internos podem acessar. O firewall então envia a conexão entre os dois sistemas, e o sistema que está se conectando pensa que está conectado ao 123.123.123.123, quando na verdade está conectado à uma máquina diferente.
xinetd são configurados com as opções bind e redirect, o gateway pode fazer o papel de proxy entre sistemas externos e uma máquina interna específica configurada para oferecer o serviço. Além disso, as várias opções de controle de acesso e registro do xinetd também estão disponíveis para proteção adicional.
xinetd pode adicionar um nível de proteção básico contra ataques de Negação de Serviço (Denial of Service - DoS). Veja a seguir uma lista de diretivas que podem ajudar a limitar a efetividade de tais ataques:
per_source — Define o número máximo de instâncias para um serviço por endereço IP fonte. Aceita apenas valores inteiros como argumento e pode ser usado tanto no xinetd.conf como nos arquivos de configuração de serviço específicos no diretório xinetd.d/.
cps — Define o número máximo de conexões por segundo. esta diretiva usa dois argumentos (valores inteiros), separados por um espaço. O primeiro argumento é o número máximo de conexões por segundo permitidas ao serviço. O segundo argumento é o número de segundos que o xinetd deve deixar passar antes de reabilitar o serviço. A diretiva aceita apenas valores inteiros como argumento, e pode ser usada tanto no arquivo xinetd.conf como nos arquivos de configuração de serviço específicos no diretório xinetd.d/.
max_load — Define o uso da CPU ou o limiar de carga média para um serviço. A diretiva aceita um número de ponto flutuante como argumento.
uptime, who, e procinfo para mais informações sobre a carga média (load average).
xinetd. Consulte a página man do xinetd.conf para mais informações.
xinetd estão disponíveis na documentação do sistema e na Internet.
xinetd, xinetd, controle de acesso.
/usr/share/doc/tcp_wrappers-<version>/ — este diretório contém o arquivo README que discute como o TCP Wrappers funciona e os vários riscos existentes em relação à falsificação de nomes e endereços de host .
/usr/share/doc/xinetd-<versão>/ — Este diretório contém um arquivo README que discute aspectos de controle de acesso e uma amostra de arquivo de configuração sample.conf com várias idéias sobre como modificar arquivos de configuração de serviço específicos no diretório /etc/xinetd.d/.
xinetd — Uma série de páginas man existem para os vários aplicativos e arquivos de configuração relacionados ao TCP Wrappers e ao xinetd. Veja a seguir algumas das páginas man mais importantes:
man xinetd — A página man para o xinetd.
man 5 hosts_access — A página man dos arquivos de controle de acesso hosts do TCP Wrappers.
man hosts_options — A página man para os campos de opções do TCP Wrappers.
man xinetd.conf — A página man com a listagem das opções de configuração do xinetd.
xinetd, contendo amostras de arquivos de configuração, uma lista completa de funcionalidades, e uma FAQ bem útil.
xinetd para atingir metas de segurança específicas.
/etc/passwd ou o /etc/shadow, para um banco de dados de senhas Kerberos pode ser entediante, pois não há um mecanismo automatizado para executar esta tarefa. Para mais informações, consulte a Questão 2.23 no FAQ online do Kerberos:
kinit. O arquivo keytab padrão é o /etc/krb5.keytab. O servidor de administração do KDC, /usr/kerberos/sbin/kadmind, é o único serviço que usa qualquer outro arquivo (usa o /var/kerberos/krb5kdc/kadm5.keytab).
kinit permite que um principal que já tenha se conectado obtenha o ticket de concessão de ticket (TGT) inicial e armazene-o no cache. Para mais informações sobre o uso do comando kinit, consulte sua página man.
root[/instance]@REALM. Para um usuário típico, a raiz (root) é a mesmo que seu ID de autenticação. A instance (instância) é opcional. Se o principal tiver uma instância, a mesma será separada da raiz por uma barra ("/"). Uma faixa vazia ("") é considerada uma instância válida (a qual difere da instância padrão NULL), mas usá-la pode ser confuso. Todos os principais em um território (realm) têm suas próprias chaves que, para os usuários, são derivadas de uma senha, ou são definidas randomicamente para os serviços.
kinit após o usuário se logar.
kinit no cliente,descriptografa então o TGT usando a chave do usuário, computada a partir da senha do usuário. A chave do usuário é usada somente na máquina cliente e não é enviada através da rede.
ntpd. Consulte /usr/share/doc/ntp-<version-number>/index.html para detalhes sobre como configurar servidores Protocolo de Horário de Rede (NTP), onde <version-number> é o número da versão do pacote ntp instalado no seu sistema.
/usr/share/doc/krb5-server-<version-number> para mais informações (onde <version-number> é o número da versão do pacote krb5-server instalado no seu sistema).
pam_krb5 (oferecido no pacote pam_krb5) está instalado. O pacote pam_krb5 contém arquivos de amostra de configuração que permitem a serviços como o login e o gdm autenticarem usuários e obterem as credenciais iniciais usando suas senhas. Se o acesso a serviços de rede é sempre executado usando serviços kerberizados ou serviços que usam GSS-API, como o IMAP, a rede pode ser considerada razoavelmente segura.
ntp para este propósito. Consulte o /usr/share/doc/ntp-<version-number>/index.html (onde <version-number> é o número da versão do pacote ntp instalado no seu sistema) para obter detalhes sobre a configuração de servidores de Protocolo de Horário de Rede e http://www.ntp.org para informações adicionais sobre NTP.
krb5-libs, krb5-server, e krb5-workstation na máquina dedicada que executa o KDC. Essa máquina precisa ser muito segura — se possível, não deve executar nenhum outro serviço além do KDC.
/etc/krb5.conf e /var/kerberos/krb5kdc/kdc.conf para refletir o nome do território e o mapeamento de domínio-território. Um território simples pode ser construído substituindo as instâncias de EXEMPLO.COM e exemplo.com pelo nome de domínio correto — certificando de manter os nomes em caixas alta e baixa no formato correto — e alterando o KDC de kerberos.exemplo.com para o nome do servidor do Kerberos. Por convenção, todos os nomes de território são escritos em caixa alta e todos os nomes DNS de máquinas e de domínio são escritos em caixa baixa. Para uma explanação completa sobre os formatos destes arquivos, consulte as respectivas páginas man.
kdb5_util em uma janela de comandos:
/usr/kerberos/sbin/kdb5_util create -screate cria o banco de dados usado para armazenar as chaves para o território do Kerberos. A opção -s força a criação de um arquivo stash no qual a chave do servidor mestre está armazenada. Se não houver nenhum arquivo stash a partir do qual pode-se ler a chave, o servidor do Kerberos (krb5kdc) pede ao usuário a senha do servidor mestre (que pode ser usada para recriar a chave) toda vez que este iniciar.
/var/kerberos/krb5kdc/kadm5.acl. Este arquivo é usado pelo kadmind para determinar quais principais têm acesso administrativo ao banco de dados do Kerberos e seus níveis de acesso. A maioria das empresas podem fazer isso com uma única linha:
*/admin@EXAMPLE.COM *
kadmind no servidor, qualquer usuário pode acessar seus serviços, executando kadmin em quaisquer clientes ou servidores no território. Entretanto, somente os usuários listados no arquivo kadm5.acl podem modificar o banco de dados de qualquer maneira, exceto alterar suas próprias senhas.
kadmin se comunica com o servidor kadmind através da rede e usa o Kerberos para autenticação. Por este motivo, o primeiro principal já deve existir antes de conectar ao servidor através da rede para administrá-lo. Crie o primeiro principal com o comando kadmin.local, que é especificamente desenvolvido para ser usado na mesma máquina que o KDC e não utiliza o Kerberos para autenticação.
kadmin.local no terminal do KDC para criar o primeiro principal:
/usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"service krb5kdc startservice kadmin startservice krb524 start
addprinc do kadmin. O kadmin e o kadmin.local são interfaces de linha de comando do KDC. Conseqüentemente, muitos comandos — como o addprinc — tornam-se disponíveis após o lançamento do programa kadmin. Consulte a página man do kadmin para mais informações.
kinit para obter um ticket e armazená-lo em um arquivo cache de credenciais. Em seguida, use o klist para visualizar a lista de credenciais no cache e use o kdestroy para destruir o cache e as credenciais ali contidas.
kinit tenta autenticar usando o nome de login da conta usada ao logar no sistema (não no servidor do Kerberos). Se este nome não corresponde a um principal no banco de dados do Kerberos, o kinit emite uma mensagem de erro. Se isto ocorrer, forneça ao kinit o nome correto do principal como um argumento na linha de comando (kinit <principal>).
krb5.conf válido para cada cliente. Apesar de se preferir os métodos de instalação remota ssh e slogin para sistemas de clientes, as versões kerberizadas de rsh e rlogin também requerem algumas alterações de configuração.
krb5-libs e krb5-workstation em todas as máquinas cliente. Forneça um arquivo /etc/krb5.conf válido para cada cliente (geralmente este pode ser o mesmo arquivo krb5.conf usado pelo KDC).
ssh ou rsh e rlogin kerberizados, ela deve ter seu principal da host no banco de dados de Kerberos. Os programas de servidores sshd,kshd e klogind também precisam de acesso às chaves para o principal dos serviços da host. Além disso, para usar os serviços rsh e rlogin, esta estação de trabalho deve ter um pacote xinetd instalado.
kadmin adiciona um principal para a estação de trabalho no KDC. Neste caso, a instância é o nome da máquina (estação de trabalho). Use a opção -randkey para o comando addprinc do kadmin para criar o principal e atribuí-lo com uma chave randômica:
addprinc -randkey host/blah.example.comkadmin na própria estação de trabalho, e usando o comando ktadd no kadmin:
ktadd -k /etc/krb5.keytab host/blah.example.comssh — usa a GSS-API para autenticar usuários aos servidores, caso a configuração do client e server tenham o GSSAPIAuthentication habilitado. Se o client também possuir um GSSAPIDelegateCredentials habilitado, as credenciais do usuário serão disponibilizadas no sistema remoto.
rsh e rlogin — Para usar as versões kerberizadas do rsh e do rlogin, habilite klogin, eklogin, e kshell.
krb5-telnet deve estar habilitado.
ftp. Certifique-se de definir a instância para o nome da máquina do servidor FTP, e então habilite o gssftp.
cyrus-imap usa o Kerberos 5 se o pacote cyrus-sasl-gssapi também estiver instalado. O pacote cyrus-sasl-gssapi contém os plugins do Cyrus SASL os quais oferecem suporte à autenticação usando a GSS-API. O Cyrus IMAP deve funcionar adequadamente com o Kerberos conquanto o usuário cyrus possa encontrar a chave apropriada em /etc/krb5.keytab, e a root (raiz) para o principal esteja configurada para imap (criada com kadmin).
cyrus-imap pode ser o pacote dovecot, o qual também é incluído no Red Hat Enterprise Linux. Este pacote contém um servidor IMAP mas até o momento não suporta a GSS-API e o Kerberos.
gserver usa um principal com uma raiz (root) cvs e é idêntico ao CVS pserver em todos os outros aspectos.
foo.example.org → EXAMPLE.ORG
foo.example.com → EXAMPLE.COM
foo.hq.example.com → HQ.EXAMPLE.COM
krb5.conf. For example:
[domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM
kadmind ( também é o servidor administrativo do território), e um ou mais KDCs (KDCs escravos) mantém cópias de somente leitura do banco de dados e roda o kpropd.
krb5.conf e kdc.conf de KDC mestre sejam copiados para o KDC escravo.
kadmin.local a partir de uma janela root no KDC mestre e use seu comando add_principal para criar uma entrada nova para o serviço host do KDC mestre. Depois disso, use seu comando ktadd para ajustar simultaneamente uma chave aleatória para o serviço e armazene a chave aleatória no arquivo keytab padrão do mestre. Esta chave será usada pelo comando kprop para autenticar servidores de escravo. Você precisará fazer isto somente uma vez, não importanto quantos servidores de escravos você instalar.
~]#kadmin.local -r EXAMPLE.COMAuthenticating as principal root/admin@EXAMPLE.COM with password. kadmin:add_principal -randkey host/masterkdc.example.comPrincipal "host/host/masterkdc.example.com@EXAMPLE.COM" created. kadmin:ktadd host/masterkdc.example.comEntry for principal host/masterkdc.example.com with kvno 3, encryption type Triple DES cbc mode with \ HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/masterkdc.example.com with kvno 3, encryption type ArcFour with HMAC/md5 \ added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/masterkdc.example.com with kvno 3, encryption type DES with HMAC/sha1 added \ to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/masterkdc.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 \ added to keytab WRFILE:/etc/krb5.keytab. kadmin:quit
kadmin.local a partir de uma janela root no KDC escravo e use seu comando add_principal para criar uma entrada nova para o serviço host do KDC escravo. Depois disso, use o comando ktadd do kadmin para ajustar simultaneamente uma chave aleatória para o serviço e armazenar a chave aleatória no arquivo keytab padrão do escravo. Esta chave será usada pelo comando kprop para autenticar clients.
~]#kadmin -p jimbo/admin@EXAMPLE.COM -r EXAMPLE.COMAuthenticating as principal jimbo/admin@EXAMPLE.COM with password. Password for jimbo/admin@EXAMPLE.COM: kadmin:add_principal -randkey host/slavekdc.example.comPrincipal "host/slavekdc.example.com@EXAMPLE.COM" created. kadmin:ktadd host/slavekdc.example.com@EXAMPLE.COMEntry for principal host/slavekdc.example.com with kvno 3, encryption type Triple DES cbc mode with \ HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/slavekdc.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added \ to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/slavekdc.example.com with kvno 3, encryption type DES with HMAC/sha1 added \ to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/slavekdc.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added \ to keytab WRFILE:/etc/krb5.keytab. kadmin:quit
kprop do escravo com um banco de dados de território novo. Para restringir acesso, o serviço kprop no KDC escravo somente aceitará atualizações de clients que tiverem nomes principais listados no /var/kerberos/krb5kdc/kpropd.acl. Adicione o nome de serviço host do KDC mestre a este arquivo.
~]# echo host/masterkdc.example.com@EXAMPLE.COM > /var/kerberos/krb5kdc/kpropd.acl/var/kerberos/krb5kdc/.k5.REALM), copie para o KDC escravo usando qualquer método seguro disponível, ou crie um banco de dados fictício e um arquivo stash no KDC escravo executando o kdb5_util create -s (o banco de dados fictíco será sobrescrito pela primeira propagação de banco de dados com sucesso) e fornecendo a mesma senha.
kprop. Depois, verifique novamente se o serviço kadmin está desabilitado.
kprop(/var/kerberos/krb5kdc/slave_datatrans) e use o comando kprop para transferir seu conteúdo para o KDC escravo.
~]#/usr/kerberos/sbin/kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans~]#kprop slavekdc.example.com
kinit, certifique-se que um sistema cliente contendo um krb5.conf que liste apenas o KDC escravo na sua lista de KDCs para o seu território, pode obter, corretamente, credenciais iniciais a partir do KDC escravo.
kprop para transferir o banco de dados para cada KDC escravo, um de cada vez, e configure o serviço cron para executar o script periodicamente.
A.EXAMPLE.COM possa acessar um serviço no território B.EXAMPLE.COM, ambos devem ter uma chave de um principal krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM e ambas as chaves devem possuir o mesmo número de versão da chave associado a eles.
~]#kadmin -r A.EXAMPLE.COMkadmin:add_principal krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COMEnter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM": Re-enter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM": Principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM" created. kadmin:quit~]#kadmin -r B.EXAMPLE.COMkadmin:add_principal krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COMEnter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM": Re-enter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM": Principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM" created. kadmin:quit
get_principal para se certificar que ambas as entradas possuem números de versões de chaves que combinem (valores kvno) e tipos de criptografia.
-randkey do comando add_principal para atribuir uma chave aleatória ao invés de uma senha, despejar uma nova entrada a partir do banco de dados do primeiro território e importá-la para o segundo. Isto não irá funcionar, a não ser que as chaves mestras dos bancos de dados do território sejam idênticas, pois as chaves contidas em um despejo de banco de dados são criptografadas por si só, usando a chave mestra.
A.EXAMPLE.COM podem agora autenticar serviços no território B.EXAMPLE.COM. Ou seja, o território B.EXAMPLE.COM pode agora confiar no território A.EXAMPLE.COM ou ainda em outras palavras, B.EXAMPLE.COM agora confia no A.EXAMPLE.COM.
B.EXAMPLE.COM pode confiar em clientes do A.EXAMPLE.COM para se autenticarem em serviços no território B.EXAMPLE.COM, mas na verdade não importa se os clientes no território B.EXAMPLE.COM são confiáveis para se autenticarem em serviços no território A.EXAMPLE.COM ou não. Para estabelecer confiança no inverso, ambos os territórios deveriam precisar compartilhar chaves para o serviço krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM (observe a ordem inversa dos dois territórios comparado ao exemplo acima).
A.EXAMPLE.COM puderem autenticar serviços no B.EXAMPLE.COM, e clientes do B.EXAMPLE.COM puderem autenticar serviços no C.EXAMPLE.COM, então os clientes do A.EXAMPLE.COM também podem autenticar serviços em C.EXAMPLE.COM, até mesmo se C.EXAMPLE.COM não confiar em A.EXAMPLE.COM. Isto significa que, em uma rede de trabalho com territórios múltiplos que precisem confiar uns nos outros, fazendo boas escolhas sobre quais relacionamentos confiar para configurar, podem reduzir relativamente os esforços requeridos.
service/server.example.com@EXAMPLE.COM
EXAMPLE.COM é o nome do território.
domain_realm do /etc/krb5.conf para mapear tanto um hostname (server.example.com) quanto um nome de domínio DNS (.example.com) para o nome de um território (EXAMPLE.COM).
A.EXAMPLE.COM, B.EXAMPLE.COM e EXAMPLE.COM. Quando um cliente no território A.EXAMPLE.COM, tentar autenticar o serviço em B.EXAMPLE.COM, ele irá, por padrão, primeiro tentar obter credenciais para o território EXAMPLE.COM, e depois usar estas credenciais para obter outras, para usar no territórioB.EXAMPLE.COM.
A.EXAMPLE.COM, autenticando um serviço em B.EXAMPLE.COM:
A.EXAMPLE.COM → EXAMPLE.COM → B.EXAMPLE.COM
A.EXAMPLE.COM e EXAMPLE.COM compartilha chave para krbtgt/EXAMPLE.COM@A.EXAMPLE.COM
EXAMPLE.COM e B.EXAMPLE.COM compartilha uma chave para krbtgt/B.EXAMPLE.COM@EXAMPLE.COM
SITE1.SALES.EXAMPLE.COM, autenticando um serviço em EVERYWHERE.EXAMPLE.COM:
SITE1.SALES.EXAMPLE.COM → SALES.EXAMPLE.COM → EXAMPLE.COM → EVERYWHERE.EXAMPLE.COM
SITE1.SALES.EXAMPLE.COM e SALES.EXAMPLE.COM compartilham uma chave para krbtgt/SALES.EXAMPLE.COM@SITE1.SALES.EXAMPLE.COM
SALES.EXAMPLE.COM e EXAMPLE.COMcompartilham uma chave para krbtgt/EXAMPLE.COM@SALES.EXAMPLE.COM
EXAMPLE.COM e EVERYWHERE.EXAMPLE.COM compartilham uma chave para krbtgt/EVERYWHERE.EXAMPLE.COM@EXAMPLE.COM
DEVEL.EXAMPLE.COM e PROD.EXAMPLE.ORG):
DEVEL.EXAMPLE.COM → EXAMPLE.COM → COM → ORG → EXAMPLE.ORG → PROD.EXAMPLE.ORG
DEVEL.EXAMPLE.COM e EXAMPLE.COMcompartilham uma chave para krbtgt/EXAMPLE.COM@DEVEL.EXAMPLE.COM
EXAMPLE.COM e COM compartilham uma chave para krbtgt/COM@EXAMPLE.COM
COM e ORG compartilham uma chave para krbtgt/ORG@COM
ORG e EXAMPLE.ORG compartilham uma chave para krbtgt/EXAMPLE.ORG@ORG
EXAMPLE.ORG e PROD.EXAMPLE.ORG compartilham uma chave para krbtgt/PROD.EXAMPLE.ORG@EXAMPLE.ORG
capaths do /etc/krb5.conf, para que os clientes que tiverem credenciais para um território, possam procurar qual território é o próximo na corrente que irá finalmente levar à autenticação dos servidores.
capaths é relativamente direta: cada entrada na seção é nomeada com o nome de um território com cliente. Dentro desta subseção, o conjunto de territórios intermediários do qual o cliente deve obter credenciais, está listado como valores de chaves que corresponde a um território que possui um serviço. se não existir territórios intermediários, utiliza-se o valor "."
[capaths]
A.EXAMPLE.COM = {
B.EXAMPLE.COM = .
C.EXAMPLE.COM = B.EXAMPLE.COM
D.EXAMPLE.COM = B.EXAMPLE.COM
D.EXAMPLE.COM = C.EXAMPLE.COM
}A.EXAMPLE.COM podem obter credenciais cross-realm para B.EXAMPLE.COM diretamente do KDC A.EXAMPLE.COM.
C.EXAMPLE.COM, eles precisarão obter credenciais do território B.EXAMPLE.COM (a existência de um krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM é crucial) e então usar estascredenciais para obter credenciais a serem usadas no território C.EXAMPLE.COM (usando krbtgt/C.EXAMPLE.COM@B.EXAMPLE.COM).
D.EXAMPLE.COM eles primeiro precisarão obter credenciais do território B.EXAMPLE.COM, e então credenciais do território C.EXAMPLE.COM, antes de finalmente obter as credenciais para uso no território D.EXAMPLE.COM.
A.EXAMPLE.COM podem obter credenciais cross-realm diretamente de um território B.EXAMPLE.COM. Sem o "." indicando isto, o cliente tentaria usar um caminho hierárquico, neste caso:
A.EXAMPLE.COM → EXAMPLE.COM → B.EXAMPLE.COM
/usr/share/doc/krb5-server-<version-number>/ (onde <version-number> é o número da versão do pacote krb5-server instalado no seu sistema.
/usr/share/doc/krb5-workstation-<version-number>/(onde <version-number> é o número da versão do pacote krb5-workstation instaladono seu sistema).
man kerberos — Uma introdução ao sistema Kerberos que descreve o funcionamento das credenciais e fornece recomendações para obter e destruir tickets do Kerberos. O final da página man referencia diversas páginas man relacionadas.
man kinit — Descreve como usar este comando para obter e criar o cache de um ticket-granting ticket.
man kdestroy — Descreve como usar este comando para destruir credenciais do Kerberos.
man klist — Descreve como usar este comando para listar credenciais cacheadas do Kerberos.
man kadmin — Descreve como usar este comando para administrar o banco de dados do Kerberos V5.
man kdb5_util — Descreve como usar este comando para criar e executar funções administrativas de nível baixo no banco de dados do Kerberos V5.
man krb5kdc — Descreve as opções de linha de comando disponíveis para o Kerberos V5 KDC.
man kadmind — Descreve as opções de linha de comando do servidor de administração do Kerberos V5.
man krb5.conf — Descreve o formato e as opções do arquivo de configuração da biblioteca do Kerberos V5.
man kdc.conf — Descreve o formato e as opções disponíveis do arquivo de configuração do AS e do KDC do Kerberos V5.
racoon é responsável pela distribuição e troca de chaves IKE. Consulte a página man do racoon para maiores informações sobre este daemon.
ipsec-tools em todas os hosts IPsec (se usar uma configuração host-a-host) ou roteadores IPsec (se usar uma configuração rede-a-rede). O pacote RPM contém bibliotecas, daemons e arquivos de configuração essenciais para auxiliar na configuração da conexão IPsec , incluindo:
/sbin/setkey — manipula o gerenciamento da chave e atributos de segurança do IPsec no kernel. Este executável é controlado pelo daemon de gerenciamento da chave racoon. Para mais informações, consulte a página man (8) do setkey.
/usr/sbin/racoon — the IKE key management daemon, used to manage and control security associations and key sharing between IPsec-connected systems.
/etc/racoon/racoon.conf — o arquivo de configuração do daemon do racoon usado para configurar vários aspectos da conexão IPsec, incluindo métodos de autenticação e algoritmos de criptografia usados na conexão. Para uma lista completa das diretivas disponíveis, consulte a página man (5) do racoon.conf.
system-config-network para iniciar a Ferramenta de Administração de Rede.
ipsec0. If required, select the check box to automatically activate the connection when the computer starts. Click to continue.
racoon gerencia a chave de criptografia. O pacote ipsec-tools deve ser instalado se você quiser usar criptografia automática.
ifconfig <device><device> é o dispositivo Ethernet que você deseja usar para a conexão VPN.
eth0 Link encap:Ethernet HWaddr 00:0C:6E:E8:98:1D
inet addr:172.16.44.192 Bcast:172.16.45.255 Mask:255.255.254.0inet addr:.
service network restart
/etc/sysconfig/network-scripts/ifcfg-<nickname>
/etc/sysconfig/network-scripts/keys-<nickname>
/etc/racoon/<remote-ip>.conf
/etc/racoon/psk.txt
/etc/racoon/racoon.conf também é criado.
/etc/racoon/racoon.conf é modificado para incluir o <ip-remoto>.confipsec1. Este nome é usado para identificar a conexão IPsec e para distinguí-la de outros dispositivos ou conexões.
racoon.
Key_Value01 e os usuários concordam em deixar que o racoon gere automaticamente e compartilhe uma chave de autenticação entre cada host. Usuários de ambos os hosts decidem chamar suas conexões de ipsec1.
ipsec1, e portanto o arquivo resultante é chamado /etc/sysconfig/network-scripts/ifcfg-ipsec1.
DST=X.X.X.X
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSKX.X.X.X pelo endereço IP da estação de trabalho B, enquanto esta deve substituir X.X.X.X pelo endereço IP da estação de trabalho A. Esta conexão não está configurada para iniciar na inicialização (ONBOOT=no) e usa o método de autenticação de chave pré-compartilhada (IKE_METHOD=PSK).
/etc/sysconfig/network-scripts/keys-ipsec1) que ambas estações de trabalho precisam para autenticarem-se entre si. O conteúdo deste arquivo deve ser idêntico nas duas estações de trabalho, e somente o usuário root deve poder acessar ou gravar (read or write) este arquivo.
IKE_PSK=Key_Value01
keys-ipsec1 para que somente o usuário root possa acessá-lo ou editá-lo, execute o seguinte comando após criar o arquivo:
chmod 600 /etc/sysconfig/network-scripts/keys-ipsec1keys-ipsec1 nas duas estações de trabalho. As duas chaves devem ser idênticas para que a conexão funcione apropriadamente.
X.X.X.X.confX.X.X.X é substituído pelo endereço IP do host IPsec remoto. Note que este arquivo é gerado automaticamente quando o túnel IPsec é ativado e não deve ser editado diretamente.
remote X.X.X.X
{
exchange_mode aggressive, main;
my_identifier address;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2 ;
}
}X.X.X.XX.X.X.X.
/etc/racoon/racoon.conf devem ser idênticos em todos os nós IPsec, exceto pela declaração include "/etc/racoon/X.X.X.X.conf". Esta declaração (e o arquivo que referencia) é gerada quando o túnel IPsec é ativado. Para a Estação de Trabalho A, X.X.X.X na declaração include é o endereço IP da Estação de Trabalho B. O oposto vale para a Estação de Trabalho B. Veja a seguir um arquivo racoon.conf típico quando a conexão IPsec é ativada.
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
include "/etc/racoon/X.X.X.X.conf";racoon.conf padrão inclui localidades definidas para a configuração do IPsec, arquivos de chaves pré-compartilhadas e certificados. Os campos sainfo anonymous descrevem a SA da fase 2 entre os nós IPsec — a natureza da conexão IPsec (incluindo os algoritmos suportados de criptografia usados) e o método de troca de chaves. A lista a seguir define os campos da fase 2:
modp1024) dos grupos de troca de chave criptográfica Diffie-Hellman. O grupo 2 usa uma exponenciação modular de 1024 bits, evitando que atacantes descriptografem transmissões IPsec anteriores, mesmo que uma chave privada seja comprometida.
ifup <nickname>tcpdump utility to view the network packets being transferred between the hosts and verify that they are encrypted via IPsec. The packet should include an AH header and should be shown as ESP packets. ESP means it is encrypted. For example:
~]# tcpdump -n -i eth0 host <targetSystem>
IP 172.16.45.107 > 172.16.44.192: AH(spi=0x0954ccb6,seq=0xbb): ESP(spi=0x0c9f2164,seq=0xbb)
ipsec1. Este nome é usado para identificar a conexão IPsec e para distinguí-la de outros dispositivos ou conexões.
racoon
system-config-network para iniciar a Ferramenta de Administração de Rede.
ipsec0. If required, select the check box to automatically activate the connection when the computer starts. Click to continue.
racoon gerencia a chave de criptografia. O pacote ipsec-tools deve ser instalado se você quiser usar criptografia automática.
192.168.1.0 se estiver configurando o ipsec1, e use 192.168.2.0 se estiver configurando o ipsec0.
/etc/sysctl.conf and set net.ipv4.ip_forward to 1.
sysctl -p /etc/sysctl.confr3dh4tl1nux, e os administradores de A e B concordam em deixar que o racoon gere automaticamente e compartilhe uma chave de autenticação entre cada um dos roteadores IPsec. O administrador da LAN A decide nomear a conexão IPsec como ipsec0, enquanto o administrador da LAN B nomeia a conexão IPsec como ipsec1.
ifcfg para uma conexão IPsec rede-a-rede para a LAN A. O nome único para identificar a conexão neste exemplo é ipsec0, portanto o arquivo resultante é nomeado como /etc/sysconfig/network-scripts/ifcfg-ipsec0.
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=192.168.1.254
DSTGW=192.168.2.254
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=X.X.X.X/etc/sysconfig/network-scripts/keys-ipsecX (onde X é 0 para a LAN A e 1 para a LAN B), que as duas redes usam para autenticarem-se entre si. O conteúdo destes arquivos deve ser idêntico e somente o usuário root deve poder acessar ou gravar este arquivo.
IKE_PSK=r3dh4tl1nux
keys-ipsecX para que somente o usuário root possa acessá-lo ou editá-lo, execute o seguinte comando após criar o arquivo:
chmod 600 /etc/sysconfig/network-scripts/keys-ipsec1keys-ipsecX nos dois roteadores IPsec. As duas chaves devem ser idênticas para que a conexão funcione apropriadamente.
/etc/racoon/racoon.conf da conexão IPsec. Note que a linha include na parte inferior do arquivo é automaticamente gerada e aparece somente se o túnel IPsec está rodando.
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
include "/etc/racoon/X.X.X.X.conf"X.X.X.X.confX.X.X.X é o endereço IP do roteador IPsec remoto). Note que este arquivo é gerado automaticamente quando o túnel IPsec é ativado e não deve ser editado diretamente.
remote X.X.X.X
{
exchange_mode aggressive, main;
my_identifier address;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2 ;
}
}/etc/sysctl.conf and set net.ipv4.ip_forward to 1.
sysctl -p /etc/sysctl.confifup ipsec0ifup na conexão IPsec. Para visualizar uma lista de rotas da rede, execute o seguinte comando:
ip route listtcpdump utility on the externally-routable device (eth0 in this example) to view the network packets being transferred between the hosts (or networks), and verify that they are encrypted via IPsec. For example, to check the IPsec connectivity of LAN A, use the following command:
tcpdump -n -i eth0 host lana.example.com12:24:26.155529 lanb.example.com > lana.example.com: AH(spi=0x021c9834,seq=0x358): \ lanb.example.com > lana.example.com: ESP(spi=0x00c887ad,seq=0x358) (DF) \ (ipip-proto-4)
ifup <nickname><apelido> é o apelido configurado anteriormente, como por exemplo, ipsec0.
ifdown <nickname>| Método | Descrição | Vantagens | Desvantagens | ||||||
|---|---|---|---|---|---|---|---|---|---|
| NAT | Conversão de Endereços de Rede (Network Address Translation - NAT) insere sub-redes IP internas por trás de um ou um pequeno grupo de endereços IP públicos, mascarando todos os pedidos para uma fonte ao invés de várias. |
|
| ||||||
| Filtro de Pacotes | Um firewall de filtragem de pacotes lê cada pacote de dados que passa por dentro e por fora de uma LAN. Pode ler e processar pacotes pela informação do cabeçalho e filtrar o pacote baseado em conjuntos de regras programáveis implementadas pelo administrador do firewall. O kernel do Linux tem a funcionalidade embutida de filtragem de pacotes através do sub-sistema Netfilter do kernel. |
|
| ||||||
| Proxy | Firewalls de proxy filtram todos os pedidos de um determinado protocolo ou tipo dos clientes LAN para uma máquina proxy, que então faz estes pedidos à Internet representando o cliente local. Uma máquina proxy atua como um buffer entre usuários remotos maldosos e as máquinas dos clientes internos da rede. |
|
|
iptables.
iptables, uma ferramenta de linha de comando similar na sintáxe aos seus predecendentes, ipchains.
ipchains requer um jogo regras intrínsecas para: filtrar caminhos de fontes, filtrar caminhos de destino, filtrar ambas as fontes e portas de conexão de destino.
iptables usa o sub-sistema do Netfilter para melhorar a conexão, inspeção e processamento de rede. O iptables inclui registro avançado, ações pré e pós-roteamento, conversão de endereços de rede e encaminhamento de porta; tudo em apenas uma interface de linha de comando.
iptables. For more detailed information, refer to Seção 46.9, “IPTables”.
system-config-securitylevel
iptables rules.
/etc/sysconfig/iptables. Se você escolher Disabilitado e clicar em , estas configurações e regras de firewall serão perdidas.
httpd.
vsftpd.
openssh-server.
telnet-server.
fetchmail. Para permitir o envio de correio de sua máquina, selecione este ítem. Note que um servidor SMTP configurado de maneira imprópria, pode permitir que máquinas remotas usem seu servidor para enviar spam.
iptables. For example, to allow IRC and Internet printing protocol (IPP) to pass through the firewall, add the following to the Other ports section:
194:tcp,631:tcp
iptables e escritas para o arquivo /etc/sysconfig/iptables. O serviço iptables também é iniciado, assim o firewall é imediatamente ativado após salvar as opções selecionadas. Se o Desabilitar firewall foi selecionado, o arquivo /etc/sysconfig/iptables é removido e o serviço iptables é bloqueado imediatamente.
/etc/sysconfig/system-config-securitylevel file so that the settings can be restored the next time the application is started. Do not edit this file by hand.
iptables service is not configured to start automatically at boot time. Refer to Seção 46.8.2.6, “Ativando o Serviço IPTables” for more information.
iptables estiver rodando. Para iniciá-lo manualmente, use o seguinte comando:
service iptables restartiptables inicie por padrão sempre que o sistema é inicializado, use o seguinte comando:
chkconfig --level 345 iptables onipchains não está incluso no Red Hat Enterprise Linux. No entanto, se o ipchains for instalado (por exemplo, se uma houve uma atualização e o sistema já possuia o ipchains instalado previamente.), os serviços ipchains e iptables não devem ser ativado simultaneamente. Para assegurar-se de que o serviço ipchains está desabilitado e configurado para não iniciar em tempo de inicialização, use os seguintes dois comandos:
service ipchains stopchkconfig --level 345 ipchains off
iptables é iniciá-lo. Isto pode ser feito com o comando:
service iptables startip6tables devem ser desligados para usar o serviço iptables. Se você desativar o serviço ip6tables, lembre-se de desativar a rede IPv6 também. Nunca deixe um dispositivo de rede ativo sem um firewall compatível.
ip6tables inicie por padrão sempre que o sistema for inicializado, use o seguinte comando:
chkconfig --level 345 iptables oniptables inicie sempre que o sistema é inicializado em nível de execução 3,4 ou 5.
iptables ilustram a sintáxe básica do comando:
iptables -A <chain> -j <target>-A especifica que a regra seja anexada à <chain>. Cada corrente é composta de uma ou mais regras, e portanto também conhecida como um conjunto de regras.
-j <target> especifica o alvo da regra, ou seja, o que fazer se um pacote combina com a regra. Exemplos de alvos internos são ACCEPT, DROP e REJECT.
iptables também contém um informações sobre correntes disponíveis, opções e alvos.
iptables é composta por uma norma padrão e mais de uma regra que funcione de comum acordo com a norma padrão para definir um conjunto de regras gerais para o firewall.
iptables -P INPUT DROPiptables -P OUTPUT DROP
iptables -P FORWARD DROPiptables são transitórias. Se o sistema ou o serviço iptables forem reiniciados as regras serão automaticamente liberadas e redefinidas. Para salvar as regras de modo que elas sejam carregadas posteriormente, quando o serviço iptables for iniciado, use o seguinte comando:
service iptables save/etc/sysconfig/iptables e são aplicadas sempre que o serviço é iniciado, reiniciado ou quando a máquina é reinicializada.
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPTiptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPTiptables, a ordem é muito importante.
-I. Por exemplo:
iptables -I INPUT 1 -i lo -p all -j ACCEPTiptables para aceitar conexões de clientes SSH remotos. Por exemplo, as seguintes regras permitem um acesso remoto SSH:
iptables -A INPUT -p tcp --dport 22 -j ACCEPTiptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables.
FORWARD e NATiptables oferece um roteamento e envio de políticas que podem ser implementadas para evitar uso anormal de recursos de rede.
FORWARD permite que um administrador controle onde os pacotes podem ser roteados em uma LAN. Por exemplo: para permitir o encaminhamento para a LAN inteira (assumindo que o firewall/porta de comunicação tenha um endereço IP interno na eth 1), as seguintes regras podem ser definidas:
iptables -A FORWARD -i eth1 -j ACCEPTiptables -A FORWARD -o eth1 -j ACCEPT
eth1.
sysctl -w net.ipv4.ip_forward=1/etc/sysctl.conf como se segue:
net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
sysctl.conf:
sysctl -p /etc/sysctl.confiptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE-t nat) e especifica a corrente POSTROUTING embutida para a NAT (-A POSTROUTING) no dispositivo de rede externa do firewall (-o eth0).
-j MASQUERADE é especificado para mascarar o endereço IP privado de um nó com endereço IP externo do firewall/gateway
-j DNAT da corrente PREROUTING na NAT para especificar um endereço IP e porta de destino para onde encaminhar os pacotes de entrada requisitando uma conexão.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 172.31.0.23 -j ACCEPTiptables também podem ser definidas para rotear tráfego para determinadas máquinas, como um servidor dedicado HTTP ou FTP, numa zona desmilitarizada (DMZ). A DMZ é uma sub-rede local especial dedicada a prover serviços num meio público como a Internet.
PREROUTING para encaminhar os pacotes ao destino apropriado:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.2:80iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROPiptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROPDROP eREJECT ao lidar com as regrasadicionadas.
REJECT nega acesso e retorna um erro connection refused (conexão negada) para usuários que tentarem se conectar ao serviço. A ação DROP (derrubar) um alvo, como o nome sugere, derruba os pacotes sem nenhum aviso.
REJECT.
iptables inclui um módulo que permite que osadministradores inspecionem e restrinjam conexões a serviços disponíveis numa rede interna, usando um método chamado registro de conexão (connection tracking). O registro de conexão armazena as conexões numa tabela, que possibilita os administradores permitir ou negar acesso baseado nos seguintes estados de conexão:
NEW (novo) — Um pacote requisitando uma nova conexão, como um pedido HTTP.
ESTABLISHED (estabelecido) — Um pacote que é parte de uma conexão existente.
RELATED (relacionado) — Um pacote solicitando uma nova conexão, mas que é parte de uma conexão existente. Por exemplo, conexões FTP usam a porta 21 para estabelecer conexão, mas os dados são transferidos para uma porta diferente (geralmente para a 20).
INVALID (inválido) — Um pacote que não faz parte de nenhuma das conexões da tabela de registro das conexões.
iptables com qualquer protocolo de rede, mesmo que o próprio protocolo seja sem estado (como o UDP). O exemplo a seguir mostra uma regra que usa o registro de conexão para encaminhar somente os pacotes associados a uma conexão estabelecida:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPTip6tables. Em Red Hat Enterprise Linux 5, os serviços IPv4 e IPv6 são habilitados por padrão.
iptables em todos os aspectos, exceto pelo fato do ip6tables suportar endereços de 128 bits. Por exemplo: as conexões SSH em um servidor de rede ciente do IPv6 podem ser possibilitadas pela seguinte regra:
ip6tables -A INPUT -i eth0 -p tcp -s 3ffe:ffff:100::1/128 --dport 22 -j ACCEPTiptables command, including definitions for many command options.
iptables também contém um breve resumo das várias opções.
iptables.
iptables. Inclui tópicos como a análise de registros de firewalls, criação de regras de firewall e a personalização de seu firewall com ferramentas gráficas como lokkit.
ipchains do kernel 2.2, assim como o Netfilter e iptables. Tópicos adicionais de segurança, como questões de acesso remoto e sistemas de detecção de intrusão também são abordados.
ipchains para a filtragem de pacotes e usava listas de regras para pacotes a cada passo do processo de filtragem. O kernel 2.4 introduziu iptables (também chamado de netfilter), que é similar ao ipchains mas expande significativamente o âmbito e o controle disponíveis para a filtragem de pacotes de rede.
ipchains e iptables, explica várias opções disponíveis com os comandos do iptables, e detalha como regras de filtragem podem ser preservadas entre reinicializações do sistema.
iptables rules and setting up a firewall based on these rules.
iptables, mas o iptables, não pode ser usado se o ipchains já estiver rodando. Se o ipchains estiver presente durante a inicialização do sistema, o kernel emite um erro e falha em iniciar o iptables.
ipchains não é afetada por esses erros.
filter — A tabela padrão usada para lidar com pacotes de rede.
nat — Usada para alterar pacotes que criem uma nova conexão, e também usado para Conversão de Endereços de Rede (Network Address Translation - NAT).
mangle — Usada para tipos específicos de alterações de pacotes.
netfilter.
filter são as seguintes:
nat são as seguintes:
mangle são as seguintes:
/etc/sysconfig/iptables ou /etc/sysconfig/ip6tables.
iptables inicia antes de qualquer serviço relacionado ao DNS durante a inicialização de um sistema Linux. Isto significa que regras de firewall podem apenas fazer referência a endereços IP numéricos (por exemplo, 192.168.0.1). Nestas regras, endereços não numéricos (por exemplo, host.exemplo.com) produzirão erros.
ACCEPT para um pacote correspondente, o pacote ignora o resto das verificações de regras e ganha a permissão para continuar até o seu destino. Se uma regra especifica um alvo DROP, o pacote é negado acesso ao sistema e nada é mandado de volta ao host que emitiu o pacote. Se uma regra especifica um alvo QUEUE, o pacote é passado ao espaço do usuário. Se uma regra especifica o alvo opcional REJECT, o pacote é descartado, mas um pacote de erro é enviado ao emissor do pacote.
ACCEPT, DROP, REJECT, ou QUEUE. Se nenhuma das regras da cadeia é aplicável ao pacote, o mesmo é tratado de acordo com a diretiva padrão.
iptables configura estas tabelas, e cria novas tabelas se necessário.
ipchains quanto o iptables usam cadeias de regras que operam dentro do kernel do Linux filtrando pacotes com base na correspondência à certas regras ou conjuntos de regras. Entretanto, o iptables representa uma forma mais extensível de filtrar pacotes, dando ao administrador maior controle sem precisar agregar complexidades desnecessárias ao sistema.
ipchains e o iptables:
iptables, each filtered packet is processed using rules from only one chain rather than multiple chains. ipchains teria que passar pelas cadeias INPUT, FORWARD, e OUTPUT para continuar até o seu destino. Entretanto, o iptables apenas envia pacotes à cadeia INPUT se eles forem destinados ao sistema local, e apenas envia pacotes à cadeia OUTPUT se eles foram gerados pelo sistema local. Assim sendo, é importante colocar a regra projetada para apanhar um certo pacote dentro da cadeia que realmente lida com aquele pacote.
ipchains, pacotes que correspondessem a uma regra em uma cadeia podiam ser direcionados ao alvo DENY. Este alvo deve ser modificado para DROP no iptables.
ipchains, a ordem das opções de uma regra não importa.
iptables tem uma sintaxe mais rigorosa. O comando iptables solicita que o protocolo (ICMP, TCP, ou UDP) seja especificado antes das portas de origem ou destino.
-i) podem apenas ser usadas em cadeias INPUT ou FORWARD. Da mesma forma, interfaces de saída (opção -o) podem apenas ser usadas em cadeias FORWARD ou OUTPUT.
iptables. As seguintes características de um pacote são as mais usadas como critérios:
iptables devem ser agrupadas de maneira lógica, com base no propósito e condições da regra, para que a mesma seja válida. O resto desta seção explica opções geralmente usadas com o comando iptables.
iptables tem a seguinte estrutura:
iptables [-t<table-name>]<command><chain-name>\<parameter-1><option-1>\<parameter-n><option-n>
<nome-da-tabela> — Especifica à qual tabela a regra pertence. Se omitido, a tabela filter é usada.
<comando> — Especifica a ação a ser executada, como acrescentar ou remover uma regra.
<nome-da-cadeia> — Especifica a cadeia a ser editada, criada, ou removida.
<parâmetro>-<opção> — Parametros e ações associadas especificando como proceder quando um pacote corresponde à uma regra.
iptables pode mudar bastante, de acordo com o seu propósito.
iptables -D <chain-name> <line-number>
iptables, é importante lembrar que alguns parâmetros e opções necessitam parâmetros e opções adicionais para construir uma regra válida. Isto pode produzir um efeito cascata. A regra não é válida até que todos os parâmetros e opções que necessitem de outro grupo de opções estejam concluídos.
iptables -h para ver uma lista abrangente de estruturas de comandos iptables.
iptables execute uma ação específica. Apenas uma opção de linha de comando é permitida em cada comando iptables. Com a exceção do comando help, todos os comandos são escritos em letras maiúsculas.
iptables são os seguintes:
-A — Acrescenta a regra ao final da cadeia especificada. Ao contrário da opção -I descrita abaixo, -A não aceita um número inteiro como argumento. Esta opção sempre acrescenta a regra ao final da cadeia especificada.
-C — Verifica uma regra específica antes de adicioná-la à cadeia especificada pelo usuário. Este comando pode lhe ajudar a construir regras complexas do iptables pedindo que você digite parâmetros e opções adicionais.
-D <número-inteiro> | <regra> — Remove uma regra da cadeia específica através de um número (por exemplo, 5 para a quinta regra da cadeia), ou através da especificação da regra. A especificação de uma regra deve corresponder exatamente à uma regra existente.
-E — Renomeia uma cadeia definida pelo usuário. Uma cadeia definida pelo usuário é qualquer uma que não seja uma das padrões ou pré-existentes (consulte a opção -N abaixo, para maiores informações sobre a criação de cadeias definidas pelo usuário). Esta é uma mudança apenas cosmética, e não afeta a estrutura da tabela.
Match not found (Correspondente não encontrado). Você não pode renomear as cadeias padrão.
-F — Esvazia a cadeia selecionada, o que na verdade remove todas as regras da cadeia. Se nenhuma cadeia for selecionada, este comando esvazia todas as regras de todas as cadeias.
-h — Oferece uma lista de estruturas de comandos, assim como um breve resumo dos parâmetros e opções dos comandos.
-I [<número-inteiro>] — Insere uma regra na cadeia especificada no lugar especificado pelo argumento inteiro definido pelo usuário. Se nenhum argumento é especificado, a regra é inserida no topo da cadeia.
-A ou -I.
-I como argumento. Se você especificar um número existente ao adicionar uma regra à uma cadeia, o iptables adiciona a nova regra antes (ou acima) da regra existente.
-L — Lista todas as regras da cadeia especificada após o comando. Para listar todas as regras em todas as cadeias na tabela padrão filter, não especifique uma cadeia ou tabela. Caso contrário, a seguinte sintaxe deve ser usada para listar as regras de uma específica cadeia em uma específica tabela:
iptables -L <chain-name> -t <table-name>-L command option, which provide rule numbers and allow more verbose rule descriptions, are described in Seção 46.9.3.6, “Opções de Listagem”.
-N — Cria uma nova cadeia com um nome especificado pelo usuário. O nome da cadeia deve ser exclusivo, caso contrário uma mensagem de erro é exibida.
-P — Estabelece a diretiva padrão para a cadeia especificada, de modo que quando pacotes passam pela cadeia toda sem encontrar uma regra correspondente, os mesmos são enviados para o alvo específico, como ACCEPT ou DROP.
-R — Substitui uma regra na cadeia especificada. O número da regra deve ser especificado após o nome da cadeia. A primeira regra em uma cadeia corresponde à regra número um.
-X — Remove uma cadeia especificada pelo usuário. Você não pode remover uma cadeia padrão.
-Z — Configura os contadores de bytes e de pacotes de todas as tabelas para zero.
iptables, incluindo aqueles usados para adicionar, remover, inserir ou substituir regras em uma cadeia específica, requerem vários parâmetros para construir uma regra de filtragem de pacotes.
-c — Restaura os contadores para uma dada regra. Este parâmetro aceita as opções PKTS e BYTES para especificar quais contadores devem ser restaurados.
-d — Estabelece o nome de host, endereço IP, ou rede de destino de um pacote que corresponda à uma regra. Ao fazer a correspondência de uma rede, os seguintes formatos de endereços IP e máscaras de rede são suportados:
N.N.N.N/M.M.M.MN.N.N.N é o intervalo de endereços IP e M.M.M.M é a máscara de rede.
N.N.N.N/MN.N.N.N é o intervalo de endereços IP e M é a máscara de bits.
-f — Aplica esta regra apenas a pacotes fragmentados.
!) após este parâmetro para especificar que a regra seja aplicada apenas a pacotes não fragmentados.
-i — Estabelece a interface de rede de entrada, como eth0 ou ppp0. Com o iptables, este parâmetro opcional pode ser usado apenas com as cadeias INPUT e FORWARD quando usado com a tabela filter e a cadeia PREROUTING quando usado com as tabelas nat e mangle.
!) — Reverte a diretiva, o que significa que quaisquer interfaces especificadas são excluídas desta regra.
+) — Um caractere curinga usado para fazer a correspondência de todas as interfaces que correspondam à string especificada. Por exemplo, o parâmetro -i eth+ aplicaria esta regra a quaisquer interfaces Ethernet, mas excluiria quaisquer outras interfaces, como ppp0.
-i é usado, mas nenhuma interface é especificada, todas as interfaces são afetadas pela regra.
-j — Pula para o alvo especificado quando um pacote corresponde à uma regra específica.
ACCEPT, DROP, QUEUE, e RETURN.
iptables do Red Hat Enterprise Linux. Alvos válidos nestes módulos incluem LOG, MARK, e REJECT, entre outros. Consulte a página man do iptables para maiores informações sobre estes e outros alvos.
-o — Estabelece as interfaces de rede de saída para uma regra. Esta opção é válida apenas para as cadeias OUTPUT e FORWARD na tabela filter, e para a cadeia POSTROUTING nas tabelas nat e mangle. Este parâmetro aceita as mesmas opções que o parâmetro de interfaces de rede de entrada (-i).
-p <protocolo> — Estabelece o protocolo IP afetado pela regra. Pode ser icmp, tcp, udp, ou all (todos), ou pode ser um valor numérico, representando um destes ou um protocolo diferente. Você também pode usar quaisquer dos protocolos listados no arquivo /etc/protocols.
all" significa que a regra aplica-se a todos os protocolos suportados. Se nenhum protocolo é listado com esta regra, o "all" é usado.
-s — Estabelece a origem para um determinado pacote usando a mesma sintaxe do parâmetro de destino (-d).
iptables. Por exemplo, -p <nome-do-protocolo> habilita opções para o protocolo especificado. Note que você também pode usar a ID do protocolo, ao invés do seu nome. Veja, por exemplo, os seguintes exemplos, cada um dos quais tem o mesmo efeito:
iptables -A INPUT -p icmp --icmp-type any -j ACCEPTiptables -A INPUT -p 5813 --icmp-type any -j ACCEPT
/etc/services. Por questões de legibilidade, é recomendável usar os nomes dos serviços ao invés dos números de portas.
/etc/services para prevenir a edição não autorizada. Se este arquivo for editável, crackers podem usá-lo para habilitar portas na sua máquina as quais você tenha decidido deixar fechadas. Para proteger este arquivo, digite os seguintes comandos como root:
chown root.root /etc/serviceschmod 0644 /etc/serviceschattr +i /etc/services
-p tcp):
--dport — Estabelece a porta de destino para o pacote.
:). Por exemplo: -p tcp --dport 3000:3200. O maior intervalo válido aceitável é 0:65535.
!) após a opção --dport para causar a correspondência de todos os pacotes que não usem aquele serviço ou porta de rede.
/etc/services.
--destination-port equivale a --dport.
--sport — Estabelece a porta de origem do pacote usando as mesmas opções que --dport. A opção de correspondência --source-port equivale a --sport.
--syn — Aplica-se a todos os pacotes TCP concebidos para iniciar a comunicação, normalmente chamados de pacotes SYN. Pacotes que carreguem dados não são manuseados.
!) após a opção --syn para causar a correspondência de todos os pacotes que não sejam SYN.
--tcp-flags <tested flag list> <set flag list> — Permite que pacotes TCP que tenham bits (sinalizadores) específicos definidos, correspondam a uma regra.
--tcp-flags aceita dois parâmetros. O primeiro parâmetro é a máscara, uma lista de sinalizadores separados por vírgulas a serem examinados no pacote. O segundo parâmetro é uma lista de sinalizadores separados por vírgulas que devem ser definidos para que a regra corresponda.
ACK
FIN
PSH
RST
SYN
URG
ALL
NONE
iptables que contenha a seguinte especificação corresponde apenas a pacotes TCP que tenham o sinalizador SYN definido e os sinalizadores ACK e FIN não definidos:
--tcp-flags ACK,FIN,SYN SYN
!) após --tcp-flags para reverter o efeito da opção de correspondência.
--tcp-option — Tenta corresponder à opções específicas de TCP que possam ser estabelecidas dentro de um pacote específico. Esta opção de correspondência também pode ser revertida usando o ponto de exclamação (!).
-p udp):
--dport — Especifica a porta de destino para o pacote UDP, usando o nome do serviço, número da porta, ou intervalo de números de portas. A opção de correspondência --destination-port equivale --dport.
--sport — Especifica a porta de origem para o pacote UDP, usando o nome do serviço, número da porta, ou intervalo de números de portas. A opção de correspondência --source-port equivale a --sport.
--dport e --sport, separe os dois números usando dois pontos (:). Por exemplo: -p tcp --dport 3000:3200. O maior intervalo válido aceitável é 0:65535.
-p icmp):
--icmp-type — Estabelece o nome ou o número do tipo de ICMP a corresponder à regra. Uma lista de nomes de ICMP válidos pode ser obtida digitando o comando iptables -p icmp -h.
iptables.
-m <nome-do-módulo>, onde <nome-do-módulo> é o nome do módulo.
limit — Coloca um limite no número de pacotes que podem corresponder à uma dada regra.
LOG, o módulo limit pode prevenir que uma enxurrada de pacotes correspondentes encham o arquivo de registro do sistema com mensagens repetitivas ou utilizem recursos do sistema demasiadamente.
LOG target.
limit habilita as seguintes opções:
--limit — Estabelece o número máximo de eventos de correspondência para um determinado período de tempo, especificado como um par <valor>/<período>--limit 5/hour permite cinco eventos de correspondência à regra por hora.
3/hour é usado.
--limit-burst — Estabelece um limite ao número de pacotes que podem corresponder à uma regra ao mesmo tempo.
--limit.
state — Habilita a correspondência de estados.
state habilita as seguintes opções:
--state — Faz a correspondência de um pacote com os seguintes estados de conexão:
ESTABLISHED — O pacote correspondente é associado a outros pacotes em uma conexão estabelecida. Você deve aceitar este estado se você quiser manter uma conexão entre um cliente e um servidor.
INVALID — O pacote correspondente não pode ser atrelado à uma conexão conhecida.
NEW — O pacote correspondente ou está criando uma nova conexão ou faz parte de uma conexão de duas mãos não vista antes. Você precisa aceitar este estado se você quiser permitir novas conexões a um serviço.
RELATED — O pacote correspondente está iniciando uma nova conexão relacionada de alguma forma à uma conexão existente. Um exemplo disto é o FTP, o qual usa uma conexão para controle de tráfego (porta 21), e uma conexão separada para transferência (porta 20).
-m state --state INVALID,NEW.
mac — Habilita a correspondência de hardware usando endereços MAC.
mac habilita a seguinte opção:
--mac-source — Faz a correspondência usando um endereço MAC da placa de interface de rede que enviou o pacote. Para excluir um endereço MAC de uma regra, coloque um ponto de exclamação (!) após a opção de correspondência --mac-source.
iptables para mais opções de correspondência disponíveis aos diversos módulos.
<cadeia-definida-pelo-usuário>ACCEPT — Permite que o pacote chegue até o seu destino ou até outra cadeia.
DROP — Descarta o pacote sem responder ao solicitante. O sistema que enviou o pacote não fica sabendo da falha.
QUEUE — O pacote é enfileirado para ser posteriormente manuseado por um aplicativo do espaço do usuário.
RETURN — Para de verificar o pacote contra regras na cadeia atual. Se o pacote com o alvo RETURN corresponde à uma regra numa cadeia chamada a partir de outra cadeia, o pacote é devolvido à primeira cadeia para que a mesma continue com a verificação de regras a partir de onde tinha parado. Se a regra RETURN for usada em uma cadeia padrão e o pacote não puder retornar à sua cadeia anterior, o alvo padrão para a cadeia atual é usado.
LOG — Faz um registro de todos os pacotes que correspondem à esta regra. Uma vez que os pacotes são registrados pelo kernel, o arquivo /etc/syslog.conf determina onde estas entradas de registro são escritas. Por padrão, elas são colocadas no arquivo /var/log/messages.
LOG para especificar a forma como os registros são feitos:
--log-level — estabelece o nível de prioridade de um evento de registro. Consulte a página man do syslog.conf para uma lista de níveis de prioridade.
--log-ip-options — Registra quaisquer opções configuradas no cabeçalho de um pacote IP.
--log-prefix — Coloca uma string de até 29 caracteres antes da linha do registro quando o mesmo for escrito. Isto pode ser útil ao usar filtros de syslog junto com o registro de pacotes.
log-prefix.
--log-tcp-options — Registra quaisquer opções configuradas no cabeçalho de um pacote TCP.
--log-tcp-sequence — Escreve o número de seqüência TCP do pacote no registro do sistema.
REJECT — Manda um pacote de erro de volta ao sistema remoto e descarta o pacote.
REJECT aceita --reject-with <tipo> (onde <tipo> é o tipo de rejeição), permitindo que informações mais detalhadas sejam retornadas com o pacote de erro. Caso nenhuma outra opção seja usada, a mensagem port-unreachable é o tipo de erro padrão utilizado. Consulte a página man do iptables para uma lista completa de opções para <tipo>nat, ou para alteração de pacotes usando a tabela mangle, podem ser encontrados na página man do iptables.
iptables -L [<nome-da-cadeia>], oferece uma visão geral bem básica das cadeias atuais da tabela padrão filter. Opções adicionais oferecem mais informações:
-v — Gera informações detalhadas da saída, como o número de pacotes e bytes processado por cada cadeia, o número de pacotes e bytes que tenham correspondido a cada regra, e quais interfaces aplicam-se à uma dada regra.
-x — Expande números para seus valores exatos. Em um sistema de alta utilização, o número de pacotes e bytes processados por uma dada cadeia ou regra pode ser abreviado para Kilobytes, Megabytes (Megabytes) ou Gigabytes. Esta opção força a exibição do número por completo.
-n — Exibe endereços IP e números de porta em formato numérico, ao invés do formato padrão de nome de host e serviço de rede.
--line-numbers — Lista regras em cada cadeia precedidas por um número representando sua ordem numérica na cadeia. Esta opção é útil ao tentar remover uma regra específica de uma cadeia ou determinar onde inserir uma regra em uma cadeia.
-t <nome-da-tabela> — Especifica o nome de uma tabela. Se omitido, a tabela padrão filter é usada.
-x.
~]#iptables -L OUTPUT -v -n -xChain OUTPUT (policy ACCEPT 64005 packets, 6445791 bytes) pkts bytes target prot opt in out source destination 1593 133812 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ~]#iptables -L OUTPUT -v -nChain OUTPUT (policy ACCEPT 64783 packets, 6492K bytes) pkts bytes target prot opt in out source destination 1819 153K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ~]#
iptables são armazenadas na memória. Se o sistema for reiniciado antes que o conjunto de regras do iptables seja salvo, todas as regras são perdidas. Para que as regras do netfilter persistam entre reinicializações do sistema, as mesmas precisam ser salvas. Para salvar as regras do netfilter, digite o seguinte comando como root:
service iptables saveiptables, o qual roda o programa /sbin/iptables-save e escreve a configuração atual do iptables em /etc/sysconfig/iptables. O arquivo existente /etc/sysconfig/iptables é salvo como /etc/sysconfig/iptables.save.
iptables restaura as regras salvas em /etc/sysconfig/iptables usando o comando /sbin/iptables-restore.
iptables antes de submetê-la ao arquivo /etc/sysconfig/iptables, é possível copiar regras do iptables encontradas em versões deste arquivo em um outro sistema para este arquivo. Isto permite a distribuição de grupos de regras do iptables para várias máquinas de forma rápida.
iptables em um arquivo específico para distribuição, backup, ou outros propósitos. Para salvar suas regras do iptables, digite o seguinte comando como root:
iptables-save > <filename><filename> is a user-defined name for your ruleset.
/etc/sysconfig/iptables para outras máquinas, digite /sbin/service iptables restart para que as novas regras façam efeito.
iptables (/sbin/iptables), o qual é usado para manipular as tabelas e cadeias que fazem parte da funcionalidade do iptables, e o service iptables (/sbin/iptables service), o qual é usado para habilitar e desabilitar o iptables em si.
iptables no Red Hat Enterprise Linux:
system-config-securitylevel) — A graphical interface for creating, activating, and saving basic firewall rules. Refer to Seção 46.8.2, “Configurações Básicas de Firewall ” for more information.
/sbin/service iptables <opção> — Usado para manipular várias funções do iptables usando o seu script de inicialização. As seguintes opções estão disponíveis:
start — Se uma firewall estiver configurada (ou seja, /etc/sysconfig/iptables existir), todas as instâncias do iptables atualmente rodando são totalmente paradas e então reiniciadas usando o comando /sbin/iptables-restore. Esta opção apenas funciona caso o módulo de kernel ipchains não esteja carregado. Para verificar se este módulo encontra-se carregado, digite o seguinte comando como root:
lsmod | grep ipchains/sbin/rmmod para remover o módulo.
stop — Se uma firewall estiver rodando, as regras da firewall armazenadas na memória são liberadas, e todos os módulos e auxiliares do iptables são descarregados.
IPTABLES_SAVE_ON_STOP no arquivo de configuração /etc/sysconfig/iptables-config tiver seu valor padrão alterado para yes, as regras atuais são salvas em /etc/sysconfig/iptables e quaisquer regras existentes são movidas para o arquivo /etc/sysconfig/iptables.save.
iptables-config file.
restart — Se uma firewall estiver rodando, as regras da firewall armazenadas na memória são liberadas, e a firewall é reiniciada se estiver configurada em /etc/sysconfig/iptables. Esta opção funciona apenas se o módulo ipchains do kernel estiver carregado.
IPTABLES_SAVE_ON_RESTART no arquivo de configuração /etc/sysconfig/iptables-config tiver seu valor padrão alterado para yes, as regras atuais são salvas em /etc/sysconfig/iptables e quaisquer regras existentes são movidas para o arquivo /etc/sysconfig/iptables.save.
iptables-config file.
status — Exibe o estado da firewall e lista todas as regras ativas.
/etc/sysconfig/iptables-config file and change the value of IPTABLES_STATUS_NUMERIC to no. Refer to Seção 46.9.5.1, “Arquivo de Configuração de Scripts de Controle do IPTables” for more information about the iptables-config file.
panic — Limpa todas as regras da firewall. A diretiva de todas as tabelas configuradas é mudada para DROP.
save — Saves firewall rules to /etc/sysconfig/iptables using iptables-save. Refer to Seção 46.9.4, “Salvando Regras do IPTables” for more information.
ip6tables for iptables in the /sbin/service commands listed in this section. For more information about IPv6 and netfilter, refer to Seção 46.9.6, “IPTables e IPv6”.
iptables é controlado pelo arquivo de configuração /etc/sysconfig/iptables-config. A seguir está uma lista de diretivas encontradas neste arquivo:
IPTABLES_MODULES — Especifica uma lista, separada por espaços, de módulos adicionais do iptables a serem carregados quando uma firewall for ativada. Estes podem incluir rastreamento de conexão e auxiliares de NAT.
IPTABLES_MODULES_UNLOAD — Descarrega módulos ao reiniciar e parar. Esta diretiva aceita os seguintes valores:
yes — O valor padrão. Esta opção deve ser usada para que um estado correto para as ações de parar ou reiniciar uma firewall possa ser atingido.
no — Esta opção deve ser usada apenas se houverem problemas ao descarregar os módulos do netfilter.
IPTABLES_SAVE_ON_STOP — Salva as regras atuais da firewall em /etc/sysconfig/iptables quando a firewall for parada. Esta diretiva aceita os seguintes valores:
yes — Salva regras existentes em /etc/sysconfig/iptables quando a firewall for parada, movendo a versão anterior para o arquivo /etc/sysconfig/iptables.save.
no — O valor padrão. Não salva regras existentes quando a firewall for parada.
IPTABLES_SAVE_ON_RESTART — Salva as regras atuais da firewall quando a firewall for reiniciada. Esta diretiva aceita os seguintes valores:
yes — Salva regras existentes em /etc/sysconfig/iptables quando a firewall for reiniciada, movendo a versão anterior para o arquivo /etc/sysconfig/iptables.save.
no — O valor padrão. Não salva regras existentes quando a firewall for reiniciada.
IPTABLES_SAVE_COUNTER — Salva e restaura todos os contadores de pacotes e de bytes em todas as cadeias e regras. Esta diretiva aceita os seguintes valores:
yes — Salva o valor dos contadores.
no — O valor padrão. Não salva o valor dos contadores.
IPTABLES_STATUS_NUMERIC — Exibe a saída de endereços IP em formato numérico ao invés de domínios e nomes de host. Esta diretiva aceita os seguintes valores:
yes — O valor padrão. Retorna apenas endereços IP numa saída de estado.
no — Retorna domínios ou nomes de host numa saída de estado.
iptables-ipv6 estiver instalado, o netfilter do Red Hat Enterprise Linux pode filtrar a versão da próxima geração do protocolo de Internet, o IPv6. O comando usado para manipular o netfilter IPv6 é o ip6tables.
iptables, entretanto, a tabela nat ainda não é suportada. Isto significa que ainda não é possível executar tarefas de conversão de endereços IPv6 de rede, como masquerading e encaminhamento de portas.
ip6tables são salvas no arquivo /etc/sysconfig/ip6tables. As regras anteriores salvas pelos scripts de inicialização do ip6tables são salvas no arquivo /etc/sysconfig/ip6tables.save.
ip6tables são armazenadas em /etc/sysconfig/ip6tables-config, e os nomes para cada diretiva variam um pouco em relação aos nomes das diretivas do iptables.
IPTABLES_MODULES no arquivo iptables-config equivale à diretiva IP6TABLES_MODULES no arquivo ip6tables-config.
iptables.
man iptables — Contém uma descrição do iptables, assim como uma lista abrangente de alvos, opções, e extensões de correspondência.
iptables, incluindo uma FAQ focada em problemas específicos e vários guias úteis escritos pelo Rusty Russell, o mantenedor da firewall IP do Linux. Os documentos HOWTO do site cobrem tópicos como conceitos básicos de rede, filtragem de pacotes no kernel, e configurações de NAT.
iptables básicos.
avc: denied detalhada em /var/log/messages caso a permissão seja negada. O contexto de segurança de entidades e objetos é obtido a partir da política instalada, a qual também fornece a informação para povoar a matriz do servidor de segurança.
/selinux/ contém comandos que são normalmente usados pelo subsistema do kernel. Este tipo de sistema de arquivos é similar ao pseudo-sistema de arquivos /proc/.
/selinux/:
-rw-rw-rw- 1 root root 0 Sep 22 13:14 access dr-xr-xr-x 1 root root 0 Sep 22 13:14 booleans --w------- 1 root root 0 Sep 22 13:14 commit_pending_bools -rw-rw-rw- 1 root root 0 Sep 22 13:14 context -rw-rw-rw- 1 root root 0 Sep 22 13:14 create --w------- 1 root root 0 Sep 22 13:14 disable -rw-r--r-- 1 root root 0 Sep 22 13:14 enforce -rw------- 1 root root 0 Sep 22 13:14 load -r--r--r-- 1 root root 0 Sep 22 13:14 mls -r--r--r-- 1 root root 0 Sep 22 13:14 policyvers -rw-rw-rw- 1 root root 0 Sep 22 13:14 relabel -rw-rw-rw- 1 root root 0 Sep 22 13:14 user
cat no arquivo enforce revela ou um 1, para modo imposição, ou um 0, para modo permissivo.
/etc/.
/etc/sysconfig/selinuxsystem-config-selinux), or manually editing the configuration file (/etc/sysconfig/selinux).
/etc/sysconfig/selinux é o arquivo de configuração principal usado para habilitar ou desabilitar o SELinux, determinar qual política deve ser imposta no sistema, e como impor tal política.
/etc/sysconfig/selinux contém um link simbólico para o verdadeiro arquivo de configuração, o /etc/selinux/config.
SELINUX=enforcing|permissive|disabled — Define o estado de nível superior do SELinux em um sistema.
enforcing — A política de segurança do SELinux é imposta.
permissive — O sistema SELinux emite avisos mas não impõe a política.
avc: denied para cada nível de diretório lido. Em modo imposição, o SELinux pararia assim que a primeira negação ocorresse, prevenindo que mensagens de erro adicionais ocorressem.
disabled — O SELinux é totalmente desabilitado. O SELinux é desvinculado do kernel, e o pseudo-sistema de arquivos torna-se não registrado.
/.autorelabel e reinicializar a máquina. Isto faz com que a etiquetagem ocorra bem cedo durante o processo de inicialização, antes de qualquer processo estar rodando no sistema. O uso deste procedimento significa que processos não podem acidentalmente criar arquivos ou iniciar no contexto errado.
fixfiles relabel para reetiquetar o sistema de arquivos antes de habilitar o SELinux. Entretanto, este método não é recomendável porque uma vez que for concluído, ainda é possível que processos rodem no contexto errado. Tais processos podem criar arquivos que também possuam o contexto errado.
SELINUXTYPE=targeted|strict — Especifica a política que o SELinux deve impor.
targeted — Apenas os daemons de rede visados (targeted) são protegidos.
dhcpd, httpd (apache.te), named, nscd, ntpd, portmap, snmpd, squid, e syslogd. O resto do sistema roda no domínio unconfined_t. Este domínio permite que entidades e objetos com aquele contexto de segurança operem usando a segurança padrão do Linux.
/etc/selinux/targeted/src/policy/domains/program. Estes arquivos estão sujeitos à mudanças à medida que novas versões do Red Hat Enterprise Linux são lançadas.
system-config-selinux).
1 disables SELinux protection for the daemon. For example, you can set dhcpd_disable_trans to 1 to prevent init, which executes apps labeled dhcpd_exec_t, from transitioning to the dhcpd_t domain.
getsebool -a para listar todos os Booleanos do SELinux. Veja a seguir um exemplo sobre o uso do comando setsebool para configurar um Booleano do SELinux. A opção -P faz com que a mudança torne-se permanente. Sem esta opção, o Booleano mudaria para 1 na reinicialização.
setsebool -P dhcpd_disable_trans=0strict — Total proteção do SELinux para todos os daemons. Contextos de segurança são definidos para todas as entidades e objetos, e todas as ações são processadas pelo servidor de imposição de políticas.
SETLOCALDEFS=0|1 — Controla como definições locais (usuários e Booleanos) são estabelecidas. Use 1 para fazer com que estas definições sejam controladas pelo load_policy de arquivos em /etc/selinux/<nome-da-política>, ou use 0 para fazer com que sejam controladas pelo semanage.
/etc/selinux//etc/selinux/ é a localização principal de todos os arquivos de política, bem como do principal arquivo de configuração.
/etc/selinux/:
-rw-r--r-- 1 root root 448 Sep 22 17:34 config drwxr-xr-x 5 root root 4096 Sep 22 17:27 strict drwxr-xr-x 5 root root 4096 Sep 22 17:28 targeted
strict/ e targeted/, são os diretórios específicos onde os arquivos de política com o mesmo nome (ou seja, strict e targeted) são armazenados.
/usr/sbin/setenforce — Modifica, em tempo real, o modo de execução do SELinux.
setenforce 1 — O SELinux roda em modo imposição.
setenforce 0 — O SELinux roda em modo permissivo.
setenforce adequado em /etc/sysconfig/selinux ou passar o parâmetro selinux=0 para o kernel, ou em /etc/grub.conf ou durante a inicialização.
/usr/sbin/sestatus -v — Exibe o estado detalhado de um sistema rodando o SELinux. O exemplo a seguir mostra um trecho da saída do sestatus -v:
SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 21 Policy from config file: targeted Process contexts: Current context: user_u:system_r:unconfined_t:s0 Init context: system_u:system_r:init_t:s0 /sbin/mingetty system_u:system_r:getty_t:s0
/usr/bin/newrole — Roda um novo shell em um novo contexto ou papel. A política deve permitir a transição para o novo papel..
policycoreutils-newrole instalado, o qual é necessário às políticas strict e MLS.
/sbin/restorecon — Estabelece o contexto de segurança de um ou mais arquivos através da marcação de atributos estendidos com o arquivo ou contexto de segurança apropriado.
/sbin/fixfiles — Verifica ou corrige o banco de dados de contextos de segurança no sistema de arquivos.
setools ou policycoreutils para mais informações sobre todos os utilitários binários disponíveis. Para visualizar o conteúdo de um pacote, use o seguinte comando:
rpm -ql <package-name>
/usr/share/doc/setools-<número-da-versão>/ Toda a documentação para os utilitários contidos no pacote setools. Isto inclui todos os scripts auxiliares arquivos de configuração, e a documentação em si.
<x> series of Linux kernels. This module stored PSIDs in a normal file, and SELinux was able to support more file systems. This solution was not optimal for performance, and was inconsistent across platforms. Finally, the SELinux code was integrated upstream to the 2.6.x kernel, which has full support for LSM and has extended attributes (xattrs) in the ext3 file system. SELinux was moved to using xattrs to store security context information. The xattr namespace provides useful separation for multiple security modules existing on the same system.
"segurança.", é utilizado para módulos de segurança e o nome segurança.selinux é utilizado para armazenar rótulos de segurança SELinuxde forma persistente nos arquivos. O conteúdo desta função irá variar, dependendo do arquivo ou diretório que você inspecione e da política que a máquina esteja impondo.
getxattr(2) sempre retorna à versão do rótulo canonicalizado do kernel.
ls -Z para visualizar o rótulo de categoria de um arquivo:
~]# ls -Z gravityControl.txt
-rw-r--r-- user user user_u:object_r:tmp_t:Moonbase_Plans gravityControl.txtgefattr(1) para visualizar o valor de categoria interna (c10):
~]# getfattr -n security.selinux gravityControl.txt
# file: gravityControl.txt
security.selinux="user_u:object_r:tmp_t:s0:c10\000"semanage user -l command to list SELinux users:
~]# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
root user s0 s0-s0:c0.c1023 system_r sysadm_r user_r
system_u user s0 s0-s0:c0.c1023 system_r
user_u user s0 s0-s0:c0.c1023 system_r sysadm_r user_ruser_u). This is solved by introducing the concept of an SELinux login. This is used during the login process to assign MCS categories to Linux users when their shell is launched.
semanage login -a command to assign Linux users to SELinux user identities:
~]#semanage login -a james~]#semanage login -a daniel~]#semanage login -a olga
~]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u s0
james user_u s0
daniel user_u s0
root root s0-s0:c0.c1023
olga user_u s0setrans.conf file. The system administrator edits this file to manage and maintain the required categories.
chcat -L command to list the current categories:
~]# chcat -L
s0
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh/etc/selinux/<selinuxtype>/setrans.conf file. For the example introduced above, add the Marketing, Finance, Payroll, and Personnel categories as follows (this example uses the targeted policy, and irrelevant sections of the file have been omitted):
~]# vi /etc/selinux/targeted/setrans.conf
s0:c0=Marketing
s0:c1=Finance
s0:c2=Payroll
s0:c3=Personnelchcat -L command to check the newly-added categories:
~]# chcat -L
s0:c0 Marketing
s0:c1 Finance
s0:c2 Payroll
s0:c3 Personnel
s0
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHighsetrans.conf file, you need to restart the MCS translation service before those changes take effect. Use the following command to restart the service:
~]# service mcstrans restartchcat command to assign MCS categories to SELinux logins:
~]#chcat -l -- +Marketing james~]#chcat -l -- +Finance,+Payroll daniel~]#chcat -l -- +Personnel olga
chcat command with additional command-line arguments to list the categories that are assigned to users:
~]# chcat -L -l daniel james olga
daniel: Finance,Payroll
james: Marketing
olga: Personnel# Create a user account for the company director (Karl) ~]#useradd karl~]#passwd karlChanging password for user karl. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. # Assign the user account to an SELinux login ~]#semanage login -a karl# Assign all the MCS categories to the new login ~]#chcat -l -- +Marketing,+Finance,+Payroll,+Personnel karl
chcat command to verify the addition of the new user:
~]# chcat -L -l daniel james olga karl
daniel: Finance,Payroll
james: Marketing
olga: Personnel
karl: Marketing,Finance,Payroll,Personnel[daniel@dhcp-133 ~]$ echo "Financial Records 2006" > financeRecords.txtls -Z command to check the initial security context of the file:
[daniel@dhcp-133 ~]$ ls -Z financeRecords.txt
-rw-r--r-- daniel daniel user_u:object_r:user_home_t financeRecords.txtuser_home_t) and has no categories assigned to it. We can add the required category using the chcat command. Now when you check the security context of the file, you can see the category has been applied.
[daniel@dhcp-133 ~]$chcat -- +Finance financeRecords.txt[daniel@dhcp-133 ~]$ls -Z financeRecords.txt-rw-r--r-- daniel daniel root:object_r:user_home_t:Finance financeRecords.txt
[daniel@dhcp-133 ~]$chcat -- +Payroll financeRecords.txt[daniel@dhcp-133 ~]$ls -Z financeRecords.txt-rw-r--r-- daniel daniel root:object_r:user_home_t:Finance,Payroll financeRecords.txt
[olga@dhcp-133 ~]$ cat financeRecords.txt
cat: financeRecords.txt: Permission Deniedsemanage and chcat for more information on the available options for these commands.
Confidencialidade: — Uma função hierárquica, tal como "Segredo" ou "Top Secret".
Categorias: — Um conjunto de funções não hierárquicas tais como "Somente EUA" ou "UFO".
user_home_t.
unconfined_t possuem um arquivo executável com um tipo, como o sbin_t. A partir da perpectiva do SELinux, isto significa que são todos equivalentes em relação a o que podem e não podem fazer no sistema.
/usr/bin/postgres possui o tipo postgresql_exec_t. Todos os daemons alvo possuem seus próprios tipo *_exec_t para seus aplicativos executáveis. De fato, todo o conjunto de executáveis PostgreSQL tais como createlang, pg_dump, epg_restore possuem o mesmo tipo, postgresql_exec_t, e transitam para o mesmo domínio postgresql_t, na execução.
$AUDIT_LOG. No Red Hat Enterprise Linux, isto está configurado para /var/log/messages. A política é compilada em formato binário para carregar no servidor de segurança kernel e cada vez que o servidor de segurança toma uma decisão, ele é colocado no cache no AVC para optimizar o desempenho.
init, as explained in Seção 47.7.3, “A Função da Política no Processo de Inicialização”. Ultimately, every system operation is determined by the policy and the type-labeling of the files.
m4 para capturar conjuntos comuns de regras de nível baixo. Diversos macros m4 estão definidos na política existente, que facilita a escrita da nova política. Estas regras são processadas previamente em várias regras adicionais como parte da construção do arquivo policy.conf, o qual é compilado na política binária.
newrole, or by requiring a new process execution in the new domain. This movement between domains is referred to as a transition.
selinux-policy-<policyname> e fornece um arquivo de política binária.
selinux-policy-devel for instalado.
/etc/selinux/targeted/ — este é o diretório raiz para a política alvo e contém a árvore binária.
/etc/selinux/targeted/policy/ — this is the location of the binary policy file policy.<xx>. In this guide, the variable SELINUX_POLICY is used for this directory.
/etc/selinux/targeted/contexts/ — este é o local das informações de contexto de segurança e arquivos de configuração, que são usados durante o tempo de execução por diversos aplicativos.
/etc/selinux/targeted/contexts/files/ — contains the default contexts for the entire file system. This is referenced by restorecon when performing relabeling operations.
/etc/selinux/targeted/contexts/users/ — na política alvo, somente o arquivo raiz se encontra neste diretório. Estes arquivos são usados para determinar contexto quando um usuário se autenticar. Por exemplo, para o usuário root, o contexto é user_u:system_r:unconfined_t.
/etc/selinux/targeted/modules/active/booleans* — é aqui que os Booleanos de tempo de execução são configurados.
getsebool, setsebool ferramentas semanage para manipular os Booleanos de tempo de execução.
selinux-policy-devel inclui todos os arquivos de interface para construir a política. Recomenda-se que aqueles que construirem a política, usem estes arquivos para construir módulos.
/usr/share/selinux/devel/include e possui arquivos make instalados em/usr/share/selinux/devel/Makefile.
libselinux oferece uma gama de funções que retornam os caminhos aos arquivos de diretórios e configurações distintos. Isto anula a necessidade dos aplicativos de codificarem estritamente os caminhos, especialmente quando a localização da política depende da configuração de SELINUXTYPE em /etc/selinux/config.
/etc/selinux/strict.
man 3 selinux_binary_policy_pathlibselinux-devel instalado.
libselinux e funções afins, não está no escopo deste documento.
init realiza operações essenciais no início do processo de inicialização para manter a sincronização entre a etiquetagem e a imposição de política.
/sbin/init mounts /proc/, e então procura pelo tipo de sistema de arquivo selinuxfs. Se for encontrado, significa que SELinux está habilitado no kernel.
init não encontrar o SELinux no kernel, ou se estiver desabilitado através do parâmetro de inicialização selinux=0, ou ainda se o /etc/selinux/config especificar que SELINUX=disabled, o processo de inicialização procede com um sistema não-SELinux.
init sets the enforcing status if it is different from the setting in /etc/selinux/config. This happens when a parameter is passed during the boot process, such as enforcing=0 or enforcing=1. The kernel does not enforce any policy until the initial policy is loaded.
/selinux/ será montado.
init checks /selinux/policyvers for the supported policy version. The version number in /selinux/policyvers is the latest policy version your kernel supports. init inspects /etc/selinux/config to determine which policy is active, such as the targeted policy, and loads the associated file at $SELINUX_POLICY/policy.<version>.
init tenta carregar o arquivo da política caso o arquivo de política seja uma versão anterior. Isto oferece compatibilidade com versões de políticas anteriores.
/etc/selinux/targeted/booleans forem diferentes daqueles compilados na política, o init modifica a política na memória baseada nas configurações locais anteriores ao carregamento da política no kernel.
init então reexecuta a si mesmo para que possa transitar para um domínio diferente, caso seja definido pela política. Para a política alvo, não há transição definida e portanto o init fica no domínio unconfined_t
init continua com seu processo normal de inicialização.
init re-executes itself is to accommodate stricter SELinux policy controls. The objective of re-execution is to transition to a new domain with its own granular rules. The only way that a process can enter a domain is during execution, which means that such processes are the only entry points into the domains.
init, tal como o init_t, será solicitado um método mudar da inicial SID, tal como o kernel, e corrigir o domínio em tempo de execução para init. Como é bem provável que esta transição pode aconteça, o init é codificado para se reexecutar após o carregamento de política.
init acontece caso a regra de domain_auto_trans(kernel_t, init_exec_t, <target_domain_t>) estiver na política. Esta regra informa que uma transição automática acontece em qualquer execução no domínio kernel_t que executa um arquivo do tipo init_exec_t. Quando esta execução acontece, o novo processo é atribuído ao domínio <target_domain_t>init_t.
filesystem para arquivos de sistema, file para arquivos, e dir para diretórios. Cada classe possui seu próprio conjunto associado de permissões.
filesystem pode montar, desmontar, obter funções, ajustar quotas, reetiquetar e assim por diante. A classe file possui arquivos de permissões comuns, tais como ler, escrever, obter e ajustar funções, bloquiar, reetiquetar, ligar, renomear, acrescentar.
tcp_socket para soquetes TCP, netif para interfaces de rede, enode para nós de rede.
netif por exemplo, pode enviar e receber TCP, UDP e soquetes raw (tcp_recv, tcp_send, udp_send, udp_recv, rawip_recv, e rawip_send.)
unconfined_t domain except for the specific targeted daemons. Objects that are in the unconfined_t domain have no restrictions and fall back to using standard Linux security, that is, DAC. The daemons that are part of the targeted policy run in their own domains and are restricted in every operation they perform on the system. This way daemons that are exploited or compromised in any way are contained and can only cause limited damage.
http e ntp são protegidos na política alvo padrão, e rodam nos domínios httpd_t e ntpd_t respectivamente. O daemon ssh, no entanto, não é protegido nesta política, e consequentemente roda no domínio unconfined_t
user_u:system_r:httpd_t 25129 ? 00:00:00 httpd user_u:system_r:ntpd_t 25176 ? 00:00:00 ntpd system_u:system_r:unconfined_t 25245 ? 00:00:00 sshd
dhcpd; httpd; mysqld; named; nscd; ntpd; portmap; postgres; snmpd; squid; syslogd; ewinbind.
unconfined_t existe em todas as funções, que reduz de forma significante a usabilidade das funções na política alvo. Usos mais extensivos de funções, requerem uma mudança para um paradigma de política severa, onde todos os processos rodam em um domínio considerado individual.
system_r and object_r. The initial role is system_r, and everything else inherits that role. The remaining roles are defined for compatibility purposes between the targeted policy and the strict policy.[20]
object_r, é uma função implícita e não encontrada na fonte da política. Como as funções são criadas e populadas por tipos que utilizam uma ou mais declarações na política, não há nenhum arquivo que declare todas as funções. (Lembre-se que a própria política é gerada a partir de um número de arquivos separados).
system_rsystem_r (28 types)
dhcpd_t
httpd_helper_t
httpd_php_t
httpd_suexec_t
httpd_sys_script_t
httpd_t
httpd_unconfined_script_t
initrc_t
ldconfig_t
mailman_cgi_t
mailman_mail_t
mailman_queue_t
mysqld_t
named_t
ndc_t
nscd_t
ntpd_t
pegasus_t
portmap_t
postgresql_t
snmpd_t
squid_t
syslogd_t
system_mail_t
unconfined_t
winbind_helper_t
winbind_t
ypbind_tuser_runconfined_t.
object_robject_r, e sua função é somente usada como um espaço reservado no rótulo.
sysadm_rstaff_r. Se isto for verdade, use o comando newrole -r sysadm_r para mudar a função de administrador de sistemas SELinux, para desempenhar as tarefas de administração de sistemas. Na política alvo, o sysadm_r é retido por compatibilidade:
sysadm_r (6 types)
httpd_helper_t
httpd_sys_script_t
initrc_t
ldconfig_t
ndc_t
unconfined_tuser_u identity was chosen because libselinux falls back to user_u as the default SELinux user identity. This occurs when there is no matching SELinux user for the Linux user who is logging in. Using user_u as the single user in the targeted policy makes it easier to change to the strict policy. The remaining users exist for compatibility with the strict policy.[21]
root. Você pode notar o root como a identidade de usuário em um conteúdo de processo. Isto ocorre quando o usuário SELinux root inicia os daemons a partir da linha de comando, ou reinicia um daemon originalmente iniciado por um init.
system_r already had existing authorization for the daemon domains, simplifying the process. This was done because no mechanism currently exists to alias roles.
unconfined_t along with the rest of the system except the targeted daemons.
avc: denied message.
mv and cp may have unexpected results.
cp follows the default behavior of creating a new file based on the domain of the creating process and the type of the target directory. Unless there is a specific rule to set the label, the file inherits the type from the target directory.
-Z user:role:type option to specify the required label for the new file.
-p (or --preserve=mode,ownership,timestamps) option preserves the specified attributes and, if possible, additional attributes such as links.
touch bar foo ls -Z bar foo -rw-rw-r-- auser auser user_u:object_r:user_home_t bar -rw-rw-r-- auser auser user_u:object_r:user_home_t foo
cp command without any additional command-line arguments, a copy of the file is created in the new location using the default type of the creating process and the target directory. In this case, because there is no specific rule that applies to cp and /tmp, the new file has the type of the parent directory:
cp bar /tmp ls -Z /tmp/bar -rw-rw-r-- auser auser user_u:object_r:tmp_t /tmp/bar
tmp_t is the default type for temporary files.
-Z option to specify the label for the new file:
cp -Z user_u:object_r:user_home_t foo /tmp ls -Z /tmp/foo -rw-rw-r-- auser auser user_u:object_r:user_home_t /tmp/foo
mv retains the original type associated with the file. Care should be taken using this command as it can cause problems. For example, if you move files with the type user_home_t into ~/public_html, then the httpd daemon is not able to serve those files until you relabel them. Refer to Seção 48.1.3, “Relabeling a File or Directory” for more information about file labeling.
| Command | Behavior |
|---|---|
mv
|
The file retains its original label. This may cause problems, confusion, or minor insecurity. For example, the tmpwatch program running in the sbin_t domain might not be allowed to delete an aged file in the /tmp directory because of the file's type.
|
cp
|
Makes a copy of the file using the default behavior based on the domain of the creating process (cp) and the type of the target directory.
|
cp -p
| Makes a copy of the file, preserving the specified attributes and security contexts, if possible. The default attributes are mode, ownership, and timestamps. Additional attributes are links and all. |
cp -Z
|
Makes a copy of the file with the specified labels. The -Z option is synonymous with --context.
|
-Z option is equivalent to --context, and can be used with the ps, id, ls, and cp commands. The behavior of the cp command with respect to SELinux is explained in Tabela 48.1, “Behavior of mv and cp Commands”.
ps command. Most of the processes are running in the unconfined_t domain, with a few exceptions.
[user@localhost ~]$ ps auxZ LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND system_u:system_r:init_t root 1 0.0 0.1 2032 620 ? Ss 15:09 0:00 init [5] system_u:system_r:kernel_t root 2 0.0 0.0 0 0 ? S 15:09 0:00 [migration/0] system_u:system_r:kernel_t root 3 0.0 0.0 0 0 ? SN 15:09 0:00 [ksoftirqd/0] user_u:system_r:unconfined_t user 3122 0.0 0.6 6908 3232 ? S 16:47 0:01 /usr/libexec/gconfd-2 5 user_u:system_r:unconfined_t user 3125 0.0 0.1 2540 588 ? S 16:47 0:00 /usr/bin/gnome-keyring-daemon user_u:system_r:unconfined_t user 3127 0.0 1.4 33612 6988 ? Sl 16:47 0:00 /usr/libexec/gnome-settings-daemon user_u:system_r:unconfined_t user 3144 0.1 1.4 16528 7360 ? Ss 16:47 0:01 metacity --sm-client-id=default1 user_u:system_r:unconfined_t user 3148 0.2 2.9 79544 14808 ? Ss 16:47 0:03 gnome-panel --sm-client-id default2
-Z option with the id command to determine a user's security context. Note that with this command you cannot combine -Z with other options.
[root@localhost ~]# id -Z user_u:system_r:unconfined_t
-Z option with the id command to inspect the security context of a different user. That is, you can only display the security context of the currently logged-in user:
[user@localhost ~]$ id uid=501(user) gid=501(user) groups=501(user) context=user_u:system_r:unconfined_t [user@localhost ~]$ id root uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) [user@localhost ~]$ id -Z root id: cannot display context when selinux not enabled or when displaying the id of a different user
-Z option with the ls command to group common long-format information. You can display mode, user, group, security context, and filename information.
cd /etc ls -Z h* -d drwxr-xr-x root root system_u:object_r:etc_t hal -rw-r--r-- root root system_u:object_r:etc_t host.conf -rw-r--r-- root root user_u:object_r:etc_t hosts -rw-r--r-- root root system_u:object_r:etc_t hosts.allow -rw-r--r-- root root system_u:object_r:etc_t hosts.canna -rw-r--r-- root root system_u:object_r:etc_t hosts.deny drwxr-xr-x root root system_u:object_r:hotplug_etc_t hotplug drwxr-xr-x root root system_u:object_r:etc_t hotplug.d drwxr-xr-x root root system_u:object_r:httpd_sys_content_t htdig drwxr-xr-x root root system_u:object_r:httpd_config_t httpd
~/public_html directories, or when writing scripts that work in directories outside of /home.
/usr/sbin/mysqld has the wrong security label, and you address this by using a relabeling operation such as restorecon, you must restart mysqld after the relabeling operation. Setting the executable file to have the correct type (mysqld_exec_t) ensures that it transitions to the proper domain when started.
chcon command to change a file to the correct type. You need to know the correct type that you want to apply to use this command. The directories and files in the following example are labeled with the default type defined for file system objects created in /home:
cd ~ ls -Zd public_html/ drwxrwxr-x auser auser user_u:object_r:user_home_t public_html/ ls -Z web_files/ -rw-rw-r-- auser auser user_u:object_r:user_home_t 1.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 2.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 3.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 4.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 5.html -rw-rw-r-- auser auser user_u:object_r:user_home_t index.html
public_html directory, they retain the original type:
mv web_files/* public_html/ ls -Z public_html/ -rw-rw-r-- auser auser user_u:object_r:user_home_t 1.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 2.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 3.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 4.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 5.html -rw-rw-r-- auser auser user_u:object_r:user_home_t index.html
httpd has permissions to read, presuming the Apache HTTP Server is configured for UserDir and the Boolean value httpd_enable_homedirs is enabled.
chcon -R -t httpd_user_content_t public_html/ ls -Z public_html -rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t 1.html -rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t 2.html -rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t 3.html -rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t 4.html -rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t 5.html -rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t index.html ls -Z public_html/ -d drwxrwxr-x auser auser user_u:object_r:httpd_user_content_t public_html/
chcon system_u:object_r:shlib_t foo.so. Otherwise, you will receive an error about applying a partial context to an unlabeled file.
restorecon command to restore files to the default values according to the policy. There are two other methods for performing this operation that work on the entire file system: fixfiles or a policy relabeling operation. Each of these methods requires superuser privileges. Cautions against both of these methods appear in Seção 48.2.2, “Relabeling a File System”.
ls -Z /tmp/
-rw-rw-r-- auser auser user_u:object_r:tmp_t /tmp/file1
-rw-rw-r-- auser auser user_u:object_r:tmp_t /tmp/file2
-rw-rw-r-- auser auser user_u:object_r:tmp_t /tmp/file3
mv /tmp/{1,2,3} archives/
mv public_html/* archives/
ls -Z archives/
-rw-rw-r-- auser auser user_u:object_r:tmp_t file1
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file1.html
-rw-rw-r-- auser auser user_u:object_r:tmp_t file2
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file2.html
-rw-rw-r-- auser auser user_u:object_r:tmp_t file3
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file3.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file4.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t file5.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t index.html
archives/ directory already has the default type because it was created in the user's home directory:
ls -Zd archives/ drwxrwxr-x auser auser user_u:object_r:user_home_t archives/
restorecon command to relabel the files uses the default file contexts set by the policy, so these files are labeled with the default label for their current directory.
/sbin/restorecon -R archives/ ls -Z archives/ -rw-rw-r-- auser auser system_u:object_r:user_home_t file1 -rw-rw-r-- auser auser system_u:object_r:user_home_t file1.html -rw-rw-r-- auser auser system_u:object_r:user_home_t file2 -rw-rw-r-- auser auser system_u:object_r:user_home_t file2.html -rw-rw-r-- auser auser system_u:object_r:user_home_t file3 -rw-rw-r-- auser auser system_u:object_r:user_home_t file3.html -rw-rw-r-- auser auser system_u:object_r:user_home_t file4.html -rw-rw-r-- auser auser system_u:object_r:user_home_t file5.html -rw-rw-r-- auser auser system_u:object_r:user_home_t index.html
tar or star utilities to create archives that retain SELinux security contexts. The following example uses star to demonstrate how to create such an archive. You need to use the appropriate -xattr and -H=exustar options to ensure that the extra attributes are captured and that the header for the *.star file is of a type that fully supports xattrs. Refer to the man page for more information about these and other options.
ls -Z public_html/ web_files/ public_html/: -rw-rw-r-- auser auser ...httpd_user_content_t 1.html -rw-rw-r-- auser auser ...httpd_user_content_t 2.html -rw-rw-r-- auser auser ...httpd_user_content_t 3.html -rw-rw-r-- auser auser ...httpd_user_content_t 4.html -rw-rw-r-- auser auser ...httpd_user_content_t 5.html -rw-rw-r-- auser auser ...httpd_user_content_t index.html web_files/: -rw-rw-r-- auser auser user_u:object_r:user_home_t 1.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 2.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 3.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 4.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 5.html -rw-rw-r-- auser auser user_u:object_r:user_home_t index.html
star -xattr -H=exustar -c -f all_web.star public_html/ web_files/ star: 11 blocks + 0 bytes (total of 112640 bytes = 110.00k).
ls command with the -Z option to validate the security context:
ls -Z all_web.star -rw-rw-r-- auser auser user_u:object_r:user_home_t \ all_web.star
/tmp. If there is no specific policy to make a derivative temporary type, the default behavior is to acquire the tmp_t type.
cp all_web.star /tmp/ cd /tmp/ ls -Z all_web.star -rw-rw-r-- auser auser user_u:object_r:tmp_t all_web.star
star and it restores the extended attributes:
star -xattr -x -f all_web.star star: 11 blocks + 0 bytes (total of 112640 bytes = 110.00k). ls -Z /tmp/public_html/ /tmp/web_files/ /tmp/public_html/: -rw-rw-r-- auser auser ...httpd_sys_content_t 1.html -rw-rw-r-- auser auser ...httpd_sys_content_t 2.html -rw-rw-r-- auser auser ...httpd_sys_content_t 3.html -rw-rw-r-- auser auser ...httpd_sys_content_t 4.html -rw-rw-r-- auser auser ...httpd_sys_content_t 5.html -rw-rw-r-- auser auser ...httpd_sys_content_t index.html /tmp/web_files/: -rw-rw-r-- auser auser user_u:object_r:user_home_t 1.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 2.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 3.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 4.html -rw-rw-r-- auser auser user_u:object_r:user_home_t 5.html -rw-rw-r-- auser auser user_u:object_r:user_home_t \ index.html
star, the archive expands on that same path. For example, an archive made with this command restores the files to /var/log/httpd/:
star -xattr -H=exustar -c -f httpd_logs.star /var/log/httpd/
star issues a warning if the files in the path are newer than the ones in the archive.
sestatus command provides a configurable view into the status of SELinux. The simplest form of this command shows the following information:
~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted-v option includes information about the security contexts of a series of files that are specified in /etc/sestatus.conf:
~]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Process contexts:
Current context: user_u:system_r:unconfined_t
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:unconfined_t:s0-s0:c0.c1023
File contexts:
Controlling term: user_u:object_r:devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/sbin/mingetty system_u:object_r:getty_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t-b displays the current state of booleans. You can use this in combination with grep or other tools to determine the status of particular booleans:
~]# sestatus -b | grep httpd | grep on$
httpd_builtin_scripting on
httpd_disable_trans on
httpd_enable_cgi on
httpd_enable_homedirs on
httpd_unified oninit process to perform the relabeling, ensuring that applications have the correct labels when they are started and that they are started in the right order. If you relabel a file system without rebooting, some processes may continue running with an incorrect context. Manually ensuring that all the daemons are restarted and running in the correct context can be difficult.
touch /.autorelabelreboot
init.rc checks for the existence of /.autorelabel. If this file exists, SELinux performs a complete file system relabel (using the /sbin/fixfiles -f -F relabel command), and then deletes /.autorelabel.
fixfiles command, or to relabel based on the RPM database:
fixfiles command:
fixfiles relabelfixfiles -R <packagename> restorefixfiles to restore contexts from packages is safer and quicker.
fixfiles on the entire file system without rebooting may make the system unstable.
fixfiles relabel prompts for approval to empty /tmp/ because it is not possible to reliably relabel /tmp/. Since fixfiles is run as root, temporary files that applications are relying upon are erased. This could make the system unstable or behave unexpectedly.
nfs_t type, which is not a type that httpd_t is allowed to execute.
nfs_t, try mounting the home directories with a different context:
mount -t nfs -o context=user_u:object_r:user_home_dir_t \fileserver.example.com:/shared/homes/ /home
httpd can execute scripts. If you do this for user home directories, it gives the Apache HTTP Server increased access to those directories. Remember that a mountpoint label applies to the entire mounted file system.
root_t, tmp_t, and usr_t that grant read access for a directory. These types are suitable for directories that do not contain any confidential information, and that you want to be widely readable. They could also be used for a parent directory of more secured directories with different contexts.
avc: denied message, there are some common problems that arise with directory traversal. For example, many programs run a command equivalent to ls -l / that is not necessary to their operation but generates a denial message in the logs. For this you need to create a dontaudit rule in your local.te file.
path=/ component. This path is not related to the label for the root file system, /. It is actually relative to the root of the file system on the device node. For example, if your /var/ directory is located on an LVM (Logical Volume Management [22]) device, /dev/dm-0, the device node is identified in the message as dev=dm-0. When you see path=/ in this example, that is the top level of the LVM device dm-0, not necessarily the same as the root file system designation /.
setenforce command to change between permissive and enforcing modes at runtime. Use setenforce 0 to enter permissive mode; use setenforce 1 to enter enforcing mode.
sestatus command displays the current mode and the mode from the configuration file referenced during boot:
~]# sestatus | grep -i mode
Current mode: permissive
Mode from config file: permissive~]#setenforce 1~]#sestatus | grep -i modeCurrent mode: enforcing Mode from config file: permissive
named daemon and SELinux, you can turn off enforcing for just that daemon.
getsebool command to get the current status of the boolean:
~]# getsebool named_disable_trans
named_disable_trans --> off~]#setsebool named_disable_trans 1~]#getsebool named_disable_transnamed_disable_trans --> on
-P option to make the change persistent across reboots.
~]# getsebool -a | grep disable.*on
httpd_disable_trans=1
mysqld_disable_trans=1
ntpd_disable_trans=1setsebool command:
setsebool -P httpd_disable_trans=1 mysqld_disable_trans=1 ntpd_disable_trans=1togglesebool <boolean_name> to change the value of a specific boolean:
~]#getsebool httpd_disable_transhttpd_disable_trans --> off ~]#togglesebool httpd_disable_transhttpd_disable_trans: active
setenforce(1), getenforce(1), and selinuxenabled(1) commands.
/etc/sysconfig/selinux file. This file is a symlink to /etc/selinux/config. The configuration file is self-explanatory. Changing the value of SELINUX or SELINUXTYPE changes the state of SELinux and the name of the policy to be used the next time the system boots.
~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0Disabled, Enforcing or Permissive, and then click .
Enabled to Disabled or vice versa, you need to restart the machine for the change to take effect.
/etc/sysconfig/selinux.
/etc/sysconfig/selinux:
SELINUXTYPE=<policyname><policyname> is the policy name directory under /etc/selinux/. This assumes that you have the custom policy installed. After changing the SELINUXTYPE parameter, run the following commands:
touch /.autorelabelreboot
/etc/selinux.
mount -o context= command to set a single context for an entire file system. This might be a file system that is already mounted and that supports xattrs, or a network file system that obtains a genfs label such as cifs_t or nfs_t.
httpd_sys_content_t:
mount -t nfs -o context=system_u:object_r:httpd_sys_content_t \server1.example.com:/shared/scripts /var/www/cgi
httpd and SELinux problems, reduce the complexity of your situation. For example, if you have the file system mounted at /mnt and then symbolically linked to /var/www/html/foo, you have two security contexts to be concerned with. Because one security context is of the object class file and the other of type lnk_file, they are treated differently by the policy and unexpected behavior may occur.
runcon command to run a command in a specific context. This is useful for scripting or for testing policy, but care should be taken to ensure that it is implemented correctly.
~/bin/contexttest is a user-defined script.)
runcon -t httpd_t ~/bin/contexttest -ARG1 -ARG2runcon user_u:system_r:httpd_t ~/bin/contexttestgetenforcesetenforce [ Enforcing | Permissive | 1 | 0 ]1 or Enforcing tells SELinux to enter enforcing mode. The option 0 or Permissive tells SELinux to enter passive mode. Access violations are still logged, but not prevented.
selinuxenabled0 if SELinux is enabled, and 1 if SELinux is disabled.
~]#selinuxenabled~]#echo $?0
getsebool [-a] [boolean_name]-a) or a specific boolean (<boolean_name>).
setsebool [-P] <boolean_name> value | bool1=val1 bool2=val2 ...-P option makes the changes persistent across reboots.
togglesebool boolean ...newrole command to run a new shell with the specified type and/or role. Changing roles is typically only meaningful in the strict policy; the targeted policy is generally restricted to a single role. Changing types may be useful for testing, validation, and development purposes.
newrole -r <role_r> -t <type_t> [-- [ARGS]...]ARGS are passed directly to the shell specified in the user's entry in the /etc/passwd file.
newrole command is part of the policycoreutils-newrole package, which is required if you install the strict or MLS policy. It is not installed by default in Red Hat Enterprise Linux.
audit=1 à sua linha de inicialização kernel, tanto no arquivo /etc/grub.conf quanto no menu GRUB no tempo de inicialização.
httpd é negado o acesso do ~/public_html pois o diretório não está rotulado como conteúdo da Web. Note que o tempo e o carimbo com números em série no campo de auditoria (...), são idênticos. Isto facilita rastrear um evento em específico nos logs de auditoria:
Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
avc: denied { getattr } for pid=2239 exe=/usr/sbin/httpd \
path=/home/auser/public_html dev=hdb2 ino=921135 \
scontext=user_u:system_r:httpd_t \
tcontext=system_u:object_r:user_home_t tclass=dirJan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \ syscall=195 exit=4294967283 a0=9ef88e0 a1=bfecc0d4 a2=a97ff4 \ a3=bfecc0d4 items=1 pid=2239 loginuid=-1 uid=48 gid=48 euid=48 \ suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \ item=0 name=/home/auser/public_html inode=921135 dev=00:00
/var/log/messages, such as /var/log/audit/audit.log.
selinux-policy-targeted-sources e somente então criar um arquivo local.te no diretório /etc/selinux/targeted/src/policy/domains/misc. Você poderia usar o utilitário audit2allow para traduzir as mensagens AVC em regras de permissão e então reconstruir e recarregar a política.
selinux-policy-XYZ.src.rpm. Um pacote extra, selinux-policy-devel também foi adicionado, o qual oferece funcionalidade de padronização extra.
semodule.
semodule é a ferramenta utilizada para gerenciar o SELinux módulos de política, incluindo instalar, atualizar, listar e remover módulos. Você também pode utilizar o semodule para forçar uma reconstrução de política a partir do módulo armazenar e/ou forçar uma recarga de política sem desempenhar qualquer outra transação. O semodule age nos pacotes de módulo, criados pelo semodule_package. Geralmente, estes arquivos possuem um sufixo .pp (pacote de política), embora não seja obrigatório.
semodule -l:
~]# semodule -l
amavis 1.1.0
ccs 1.0.0
clamav 1.1.0
dcc 1.1.0
evolution 1.1.0
iscsid 1.0.0
mozilla 1.1.0
mplayer 1.1.0
nagios 1.1.0
oddjob 1.0.1
pcscd 1.0.0
pyzor 1.1.0
razor 1.1.0
ricci 1.0.0
smartmon 1.1.0/usr/share/selinux/targeted/ contém diversos arquivos de pacote de política (*.pp). Estes arquivos estão inclusos no rpm selinux-policy e são utilizados para construir o arquivo de política.
ypbind init, que executa o comando setsebool, que por sua vez, tenta utilizar o terminal. Isto gera a seguinte negação:
type=AVC msg=audit(1164222416.269:22): avc: denied { use } for pid=1940 comm="setsebool" name="0" dev=devpts ino=2 \
scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fdaudit2allow possui agora a habilidade de construir módulos de política . Use o seguinte comando para construir um módulo de política baseado em conteúdo específico do arquivo audit.log:
ausearch -m AVC --comm setsebool | audit2allow -M mysemanage
audit2allow construiu um arquivo de imposição (mysemanage.te). Depois, ele executou o comando checkmodule para compilar um arquivo de módulo (mysemanage.mod). Por último, ele usa o comando semodule_package para criar um pacote de política (mysemanage.pp). O comando semodule_package combina arquivos de política diferentes (geralmente somente o módulo e potencialmente um arquivo de contexto) no pacote de política.
cat para inspecionar o conteúdo do arquivo TE:
~]# cat mysemanag.te
module mysemanage 1.0;
require {
class fd use;
type init_t;
type semanage_t;
role system_r;
};
allow semanage_t init_t:fd use;module, que identifica o nome do módulo e versão. O nome do módulo deve ser único. Se você criar um módulo semanage usando o nome de um módulo pré-existente, o sistema tentaria substituir o pacote do módulo existente por uma versão nova. A última parte da linha do módulo é a versão. O semodule pode atualizar pacotes de módulo e checar a versão atualizada em relação à versão instalada atualmente.
require. Este, informa o carregador de política, quais tipos, classes e papéis são necessários na política de sistema, antes que este módulo possa ser instalado. Se qualquer um destes campos forem indefinidos, o comando semodule irá falhar.
dontaudit, pois semodule não precisa acessar o descritor do arquivo.
semodule para carregar o pacote de política:
~]# semodule -i mysemanage.ppmysemanage.pp) para outras máquinas e instalá-lo utilizando o semodule.
audit2allow exibe a saída do comando que ele executou para criar um pacote de política onde você possa editar o arquivo TE. Isto significa que você pode adicionar novas regras como solicitado ou mudar a regra de permissão para dontaudit. Você pode então recompilar e reempacotar o pacote de política para ser novamente instalado.
Índice
| Histórico de Revisões | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Revisão 10-0 | Thu Jul 21 2011 | |||||||||||
| ||||||||||||
| Revisão 9-0 | Thu Jan 13 2011 | |||||||||||
| ||||||||||||
| Revisão 8-0 | Thu July 30 2010 | |||||||||||
| ||||||||||||
| Revisão 7-0 | Wed Sep 30 2009 | , , | ||||||||||
| ||||||||||||
| Revisão 7-0 | Mon Sep 14 2009 | |||||||||||
| ||||||||||||
| Revisão 6-0 | Wed Sep 02 2009 | |||||||||||
| ||||||||||||
| Revisão 5-0 | Wed Jan 28 2009 | |||||||||||
| ||||||||||||