4. centos administration

Administration By Mohd Yasin Abd Karim [email protected]

Upload: mohd-yasin-karim

Post on 14-May-2015


Category:

Technology



DESCRIPTION

administration centos

TRANSCRIPT

Page 1: 4. Centos Administration

Administration

By

Mohd Yasin Abd Karim

[email protected]

Page 2: 4. Centos Administration

Administration

• Becoming the Super User (the su Command)

• Administrative GUI Tools

• Many commands are intended only for root.

• /sbin — This contains commands for modifying your disk partitions (such as fdisk), changing boot procedures (grub), and changing system states (init).

• /usr/sbin —This contains commands for managing user accounts (such as useradd) and checking network traffic (wireshark). Commands that run as daemon processes are also contained in this directory. (Look for commands that end in d, such as sshd, pppd, and crond.)

Page 3: 4. Centos Administration

Administrative Config Files

• Almost everything you set up for your particular computer — user accounts, network addresses, or GUI preferences — is stored in plaintext files.

Page 4: 4. Centos Administration

$HOME

• All users store information in their home directories that directs how their login accounts behave. Most configuration files in $HOME begin with a dot (.), so they don’t appear in a directory listing when you use a standard ls command (you need to type ls -a to see them).

Page 5: 4. Centos Administration

/etc

• adjtime—Holds data to adjust the hardware clock (see the hwclock man page).

• aliases —Can contain distribution lists used by the Linux mail service.

• bashrc—Sets system-wide defaults for bash shell users. (By default, it sets the shell prompt to include the current user name, hostname, current directory, and other values.)

• cdrecord.conf —Contains defaults used for recording CDs.

• crontab—Sets cron environment and times for running automated tasks.

• csh.cshrc (or cshrc)—Sets system-wide defaults for csh (C shell) users.

• dovecot—Contains information needed to support the dovecot IMAPv4/POP3 mail service.

Page 6: 4. Centos Administration

/etc

• esd.conf —Sets options used by the Enlightenment Sound Daemon to mix multiple audio streams into a single audio output.

• exports—Contains a list of local directories that are available to be shared by remote computers using the Network File System (NFS).

• fstab—Identifies the devices for common storage media (hard disk, floppy, CD-ROM, etc.) and locations where they are mounted in the Linux system. This is used by the mount command to choose which file systems to mount.

Page 7: 4. Centos Administration

/etc

• group—Identifies group names and group IDs (GIDs) that are defined on the system. Group permissions in Linux are defined by the second of three sets of rwx (Read, Write, Execute) bits associated with each file and directory.

• gshadow—Contains shadow passwords for groups.

• host.conf — Sets the locations in which domain names (e.g., redhat.com) are searched for on TCP/IP networks (such as the Internet). By default, the local hosts file is searched, then any nameserver entries in resolv.conf.

• hosts—Contains IP addresses and hostnames that you can reach from your computer. (Usually this file is used just to store names of computers on your LAN or small private network.)

• hosts.allow—Lists host computers that are allowed to use certain TCP/IP services from the local computer.

• hosts.deny—Lists host computers that are not allowed to use certain TCP/IP services from the local computer (doesn’t exist by default).

Page 8: 4. Centos Administration

/etc

• inittab—Contains information that defines which programs start and stop when Linux boots, shuts down, or goes into different states (runlevels) in between. This is the most basic configuration file for starting Linux.

• issue—Contains the lines that are displayed when a terminal is ready to let you log in to your system from a local terminal, or the console in text mode.

• issue.net— Contains login lines that are displayed to users who try to log in to the Linux system from a computer on the network using the telnet service.

• mail.rc —Sets system-wide parameters associated with using mail.

• man.config—Used by the man command to determine the default path to the location of man pages.

Page 9: 4. Centos Administration

/etc

• modprobe.conf — Contains aliases and options related to loadable kernel modules used by your computer.

• mtab—Contains a list of file systems that are currently mounted.

• mtools.conf —Contains settings used by DOS tools in Linux.

• named.conf —Contains DNS settings if you are running your own DNS server.

• ntp.conf —Includes information needed to run the Network Time Protocol (NTP).

Page 10: 4. Centos Administration

/etc

• passwd— Stores account information for all valid users for the system. Also includes other information, such as the home directory and default shell.

• printcap—Contains definitions for the printers configured for your computer.

• profile —Sets system-wide environment and start-up programs for all users. This file is read when the user logs in.

• protocols—Sets protocol numbers and names for a variety of Internet services.

• redhat-release—Contains a string identifying the current CentOS release.

Page 11: 4. Centos Administration

/etc

• resolv.conf — Identifies the locations of DNS name server computers that are used by TCP/IP to translate Internet host.domain names into IP addresses.

• rpc —Defines remote procedure call names and numbers.

• services— Defines TCP/IP services and their port assignments.

• shadow—Contains encrypted passwords for users who are defined in the passwd file. (This is viewed as a more secure way to store passwords than the original encrypted password in the passwd file. The passwd file needs to be publicly readable, whereas the shadow file can be unreadable by all but the root user.)

Page 12: 4. Centos Administration

/etc

• shells —Lists the shell command-line interpreters (bash, sh, csh, etc.) that are available on the system, as well as their locations.

• sudoers—Sets commands that can be run by users, who may not otherwise have permission to run the command, using the sudo command. In particular, this file is used to provide selected users with root permission.

• syslog.conf —Defines what logging messages are gathered by the syslogd daemon and what files they are stored in. (Typically, log messages are stored in files contained in the /var/log directory.)

• termcap—Lists definitions for character terminals, so that character-based applications know what features are supported by a given terminal. Graphical terminals and applications have made this file obsolete to most people. (Termcap was the BSD UNIX way of storing terminal information; UNIX System V used definitions in /usr/share/terminfo files.)

Page 13: 4. Centos Administration

/etc/X11

• Contains subdirectories that each contain system-wide configuration files used by X and different X window managers available for Linux. The xorg.conf file (which makes your computer and monitor usable with X) and configuration directories containing files used by xdm and xinit to start X are in here.

Page 14: 4. Centos Administration

/etc

• /etc/amanda —Contains files and directories that allow the amanda facility to do network backups of other Linux and UNIX systems.

• /etc/cron* — Directories in this set contain files that define how the crond utility runs applications on a daily (cron.daily), hourly (cron.hourly), monthly (cron.monthly), or weekly (cron.weekly) schedule.

• /etc/cups —Contains files that are used to configure the CUPS printing service.

Page 15: 4. Centos Administration

/etc

• /etc/default —Contains files that set default values for various utilities. For example, the file for the useradd command defines the default group number, home directory, password expiration date, shell, and skeleton directory (/etc/skel) that are used when creating a new user account.

• /etc/httpd —Contains a variety of files used to configure the behavior of your Apache Web server (specifically, the httpd daemon process).

• /etc/init.d — Contains links to the run-level scripts. These scripts are linked from files in the /etc/rc?.d directories to have each service associated with a script started or stopped for the particular run level. The ? is replaced by the run-level number (0 through 6).

Page 16: 4. Centos Administration

/etc

• /etc/mail —Contains files used to configure your sendmail mail service.

• /etc/pcmcia — Contains configuration files that allow you to have a variety of PCMCIA cards configured for your computer. (PCMCIA slots are those openings on your laptop that allow you to have credit card–sized cards attached to your computer. You can attach such devices as modems and external CD-ROMs.)

• /etc/postfix —Contains configuration files for the postfix mail transport agent.

• /etc/ppp —Contains several configuration files used to set up Point-to-Point protocol (so that you can have your computer dial out to the Internet).

Page 17: 4. Centos Administration

/etc

• /etc/rc?.d —There is a separate rc?.d directory for each valid system state: rc0.d (shutdown state), rc1.d (single-user state), rc2.d (multiuser state), rc3.d (multiuser plus networking state), rc4.d (user-defined state), rc5.d (multiuser, networking, plus GUI login state), and rc6.d (reboot state).

• /etc/security —Contains files that set a variety of default security conditions for your computer. These files are part of the pam (pluggable authentication modules) package.

• /etc/skel —Any files contained in this directory are automatically copied to a user’s home directory when that user is added to the system. By default, most of these files are dot (.) files, such as .kde (a directory for setting KDE desktop defaults) and .bashrc (for setting default values used with the bash shell).

Page 18: 4. Centos Administration

/etc

• /etc/squid —Contains configuration files for the Squid proxy caching server.

• /etc/sysconfig —Contains important system configuration files that are created and maintained by various system services (including iptables, samba, and most networking services).

• /etc/uucp —Contains configuration files used with Taylor UUCP (a nonstandard version of the uucp facility that is used to create modem, direct line, and other serial connections with other computers).

• /etc/vsftpd —Contains configuration files used to set up the vsftpd FTP server.

• /etc/xinetd.d —Contains a set of files, each of which defines a network service that the xinetd daemon listens for on a particular port. When the xinetd daemon process receives a request for a service, it uses the information in these files to determine which daemon processes to start to handle the request.

Page 19: 4. Centos Administration

Administrative Log Files

• keep track of itself.

• monitor your system to see if people are trying to access your computer illegally.

• General system logging is done by syslogd.

• As root user, you can view log files with the less command or watch messages as they enter the log file using the tail command (tail -f /var/log/messages).

Page 20: 4. Centos Administration

Ongoing job as a Linux system administrator

• Configuring Hardware —Often when you add hardware to your CentOS computer, that hardware will be automatically detected and configured by tools. You can use commands such as lsmod, modprobe, insmod, and rmmod to configure the right modules to get the hardware working.

• To see what HAL knows about your system, run the lshal command:

Page 21: 4. Centos Administration

Ongoing job as a Linux system administrator

• Managing File Systems and Disk Space —You must keep track of the disk space being consumed, especially if your CentOS system is shared by multiple users. At some point, you may need to add a hard disk or track down what is eating up your disk space (you can use commands like find, du, and df to do this).

Page 22: 4. Centos Administration

Ongoing job as a Linux system administrator

• Monitoring System Performance —You may have a runaway process on your system, or you may just be experiencing slow performance. Tools that come with CentOS can help you determine how much of your CPU and memory are being consumed.

Page 23: 4. Centos Administration

Mounting/umount Removable Media

• CD-ROM—If you are mounting a CD-ROM that is in the standard ISO 9660 format (as most software CD-ROMs are), you can mount that CD-ROM by placing it in your CD-ROM drive and typing the following:

• # mount /mnt/cdrom

• Floppy Disk

• # mount /mnt/floppy

Page 24: 4. Centos Administration

Checking System Space

• Checking Disk Space with Disk Usage Analyzer

• Displaying System Space with df

• To produce output in a more human-readable form, use the -h option as follows: $ df -h

Page 25: 4. Centos Administration

Checking Disk Usage with du

• The du command is a good way to check how much space is being used by a particular user (du /home/user1)

• To make the output more friendly (in kilobytes, megabytes, and gigabytes), use the -h option:

• $ du -h /home/jake

Page 26: 4. Centos Administration

Watch Computer Usage with System Monitor

• System Monitor graphically displays your system’s CPU and memory usage.

• Monitoring CPU Usage with top

• By adding the -S option to top, you can have the display show you the cumulative CPU time that the process

Page 27: 4. Centos Administration

Using Security Enhanced Linux

• When you first install CentOS, you have the opportunity to enable or disable SELinux.

• Targeted policies focus on services with vulnerable daemon processes

• Targeted policies limit the impact that an attack on the following services can have on your server as a whole: Apache (Web server), Samba (Windows file and print sharing), FTP (file transfer protocol), NFS (network file system), and others

Page 28: 4. Centos Administration

Policies in SELinux

• Enforcing —The current SELinux policy is turned on and its policies are enforced.

• Permissive —The current SELinux policy is on, but not enforced (so you only see warning messages describing how the policy would be enforced).

• Disabled —SELinux is off, so only standard Linux permissions are enforced (as they always were on systems not including SELinux).

Page 29: 4. Centos Administration

Tools in SELinux

• SELinux Troubleshooter

• SELinux Policy Generation Tool

• SELinux Administration Window

• SELinux Commands (ftpd_selinux, httpd_selinux, kerberos_selinux, named_selinux, nfs_selinux, nis_selinux, rsync_selinux, and ypbind_selinux).

Page 30: 4. Centos Administration

Creating User Account

• Command Line

• GUI with User Manager

Page 31: 4. Centos Administration

Adding Users with useradd

• # useradd -c "Robert Jones" -m robert

• -c "comment"

• -d home_dir

• -e expire_date

• -g group

• -m Automatically create the user’s home directory

• -p passwd

• # passwd robert

Page 32: 4. Centos Administration

Adding Users with User Manager

• For a graphical window for adding, changing, and deleting user accounts, you can use the User Manager window.

Page 33: 4. Centos Administration

Adding User Accounts to Servers

• To prevent a remote user from logging in and accessing a shell via ssh or another login service, you can set the default shell for a user to nologin.

• # useradd -s /sbin/nologin yason

• A common practice with Web hosting is to allow a user to place content on the server

• # useradd -s /sbin/nologin -d /var/www/html webuser
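
A way to verify the nologin setting described on this slide, as an added example that is not part of the original slides: it reads a passwd-format file and reports every account that can still obtain a shell, plus any extra UID 0 account. The list of non-login shells, the function names and the sample accounts are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the slides): report which accounts in a
# passwd-format file can still obtain a shell, plus extra UID 0 accounts.
# Assumption: these three paths are the "no login" shells on the system.
NOLOGIN_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false'

# audit_passwd [FILE]   (reads stdin when FILE is omitted)
# Prints "LOGIN user uid shell", "UID0 user" or "MALFORMED line N".
audit_passwd() {
    awk -F: -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, s, " "); for (i = 1; i <= n; i++) deny[s[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        NF != 7 { printf "MALFORMED line %d\n", NR; next }
        $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1 }   # second superuser
        {
            shell = ($7 == "") ? "/bin/sh" : $7  # empty field defaults to /bin/sh
            if (!(shell in deny)) printf "LOGIN %s %s %s\n", $1, $3, shell
        }
    ' "${1:--}"
}

# Constructed sample data in /etc/passwd format (not taken from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
yason:x:1001:1001::/home/yason:/sbin/nologin
webuser:x:1002:1002::/var/www/html:/sbin/nologin
robert:x:1003:1003:Robert Jones:/home/robert:/bin/bash
toor:x:0:0:constructed second uid 0:/root:/bin/bash
legacy:x:1004:1004::/home/legacy:
EOF
}

sample_passwd | audit_passwd
```

On a live system, run `audit_passwd /etc/passwd`; the file is world-readable, so root is not required.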

Page 34: 4. Centos Administration

Resetting a User’s Password

• # passwd yason

• # chage -M 30 -d 0 yason

• The -M 30 option tells the system to expire yason’s password every 30 days. The -d 0 option tricks the system into thinking that her password has not been changed since January 1, 1970.

• Keep in mind that using chage activates password aging for any account on which it is used.
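
What the chage options above leave in a shadow-format entry, shown as an added example that is not part of the original slides: field 3 holds the day of the last password change (days since January 1, 1970) and field 5 the maximum age, so -d 0 and -M 30 become 0 and 30. The function name, the placeholder hash strings and the value used for "today" are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): read the aging fields that chage
# writes to a shadow-format line. Field 3 = day of last change (days since
# 1970-01-01), field 5 = maximum password age in days.

# shadow_aging LINE [TODAY_DAYS] -> prints "user state"
# The body runs in a subshell, so its variables do not leak to the caller.
shadow_aging() (
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}   # default: real current day number
    IFS=: read -r user hash lastchg min max rest <<EOF
$line
EOF
    if [ -z "$lastchg" ]; then
        echo "$user aging-disabled"              # empty field 3: no aging at all
    elif [ "$lastchg" -eq 0 ]; then
        echo "$user must-change-at-next-login"   # what "chage -d 0" produces
    elif [ -z "$max" ]; then
        echo "$user no-maximum-age"
    elif [ $((lastchg + max)) -lt "$today" ]; then
        echo "$user expired"
    else
        echo "$user ok $((lastchg + max - today))-days-left"
    fi
)

# Constructed sample lines; the second field is a placeholder, not a real hash.
TODAY=16569   # constructed "today", in days since the epoch
shadow_aging 'yason:$6$PLACEHOLDER:0:0:30:7:::' "$TODAY"
shadow_aging 'robert:$6$PLACEHOLDER:16500:0:30:7:::' "$TODAY"
shadow_aging 'mike:$6$PLACEHOLDER:16560:0:30:7:::' "$TODAY"
shadow_aging 'daemon:*::0:99999:7:::' "$TODAY"
```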

Page 35: 4. Centos Administration

Modifying User Accounts with usermod

• # usermod -l mike -c "Mike Barnes" -m -d /home/mike yason

Page 36: 4. Centos Administration

Modifying User Accounts with User Manager

• Modifying User Accounts with User Manager

Page 37: 4. Centos Administration

Deleting User Accounts

• Deleting User Accounts with userdel

• # userdel yason

• To wipe out her home directory along with her account, type this:

• # userdel -r yason

• Deleting User Accounts with User Manager

Page 38: 4. Centos Administration

System Startup and Shutdown

• During system startup, a series of scripts is run to start the services that you need.

• Service Configuration window.

Page 39: 4. Centos Administration

Thank you

• http://www.yasin.my