LPIC-1 102 Exam Topics

Exam Goals

Overview:

105: Kernel

106: Boot process, initialisation, shutdown and runlevels

107: Printing

108: Documentation

109: Shells, scripting, programming and compiling

111: Administrative tasks

112: Network fundamentals

113: Network services

114: Security

Topic 105: Kernel

1.105.1 Managing/querying the kernel and kernel modules at runtime (exam weight 4)

      /lib/modules/kernel-version/modules.dep /etc/modules.conf
      /etc/modprobe.conf depmod insmod lsmod rmmod modinfo modprobe uname

Kernel modules have suffix ".ko" or earlier ".o".

Important files:

In the file /etc/modules.conf you find lines like

 alias eth0 ne

This makes "eth0" a substitute for the name "ne". Afterwards we can load the module ne.o (ne2000 compatible network cards) by its alias with

 modprobe eth0

The initial ram disk (initrd) is used to load necessary drivers before the root partition is mounted.

 $ uname -r
 2.6.20-9-386

 $ uname -a
 Linux hubble 2.6.20-9-386 #2 Mon Feb 26 02:58:41 UTC 2007 i686 GNU/Linux

 lsmod
shows the modules that are currently loaded. If you search for an entry and it does not appear in this list, there are three possible reasons:

  1. the driver is statically built into the kernel
  2. the module is not loaded yet
  3. support for this driver is disabled

 depmod
creates the file "/lib/modules/kernelversion/modules.dep" that is needed by "modprobe" to resolve dependencies and to load further needed modules.

 modinfo
gives useful information about a module.

 $ modinfo snd_intel8x0
 filename:       /lib/modules/2.6.20-9-386/kernel/sound/pci/snd-intel8x0.ko
 license:        GPL
 description:    Intel 82801AA,82901AB,i810,i820,i830,i840,i845,MX440; SiS 7012; Ali 5455
 author:         Jaroslav Kysela <perex@suse.cz>
 srcversion:     AA31A3EE9F1A48F58F3C37C
 alias:          pci:v000010B9d00005455sv*sd*bc*sc*i*

 -F (Field)
asks for one specific field only, e.g. "depends" or "filename".

Load and unload modules

 insmod
old method
 modprobe
better way

"insmod" wants the complete path to the module. If the module depends on further modules which are not loaded yet, the call will fail.

"modprobe" solves dependencies and loads all needed modules. It is also not necessary to give the full path to the module but only the name.

 modprobe -v msdos

To unload modules use "rmmod" or modprobe with the parameter "-r". Like insmod, rmmod does not follow dependencies but only removes the given module. "modprobe -r" also looks for modules that are of no further use and removes them all.

To give parameters to modules you can make entries in the file "/etc/modules.conf". For example:

 options rtl4711 io=0x200 irq=9
loads module rtl4711 with parameters for the I/O port and interrupt configuration.

Lines with "pre-install", "post-install", "pre-remove" and "post-remove" tell modprobe what to do before or after loading or removing an arbitrary module. For example you can stop a daemon before loading a module and start the daemon again after loading.

In modules.conf you can also give aliases:

 alias eth0 3c501
 alias eth1 3c509
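To make the insmod/modprobe difference concrete, here is an added example (not from these notes) that walks a constructed modules.dep excerpt: `modprobe_order` prints the order in which modprobe would load a module and its dependencies, and `insmod_missing` lists the direct dependencies insmod would need to be loaded already. The module names, paths and function names are invented for this illustration.

```shell
#!/bin/sh
# Constructed excerpt in modules.dep format: "module.ko: dep1.ko dep2.ko ..."
# (paths and dependencies are invented for this example, not taken from a real system).
MODULES_DEP='kernel/sound/pci/snd-intel8x0.ko: kernel/sound/pci/ac97/snd-ac97-codec.ko kernel/sound/core/snd-pcm.ko
kernel/sound/pci/ac97/snd-ac97-codec.ko: kernel/sound/core/snd-pcm.ko
kernel/sound/core/snd-pcm.ko: kernel/sound/core/snd-timer.ko kernel/sound/core/snd-page-alloc.ko
kernel/sound/core/snd-timer.ko:
kernel/sound/core/snd-page-alloc.ko:'

# Print the direct dependencies (base names without .ko) of module $1, one per line.
deps_of() {
  printf '%s\n' "$MODULES_DEP" | awk -v m="$1" '
    { n = split($1, p, "/"); name = p[n]; sub(/\.ko:$/, "", name)
      if (name == m)
        for (i = 2; i <= NF; i++) { k = split($i, q, "/"); d = q[k]; sub(/\.ko$/, "", d); print d } }'
}

# Recursive part of the modprobe-style walk: dependencies first, each module only once.
# LOADED is a space-delimited list of modules that are already "loaded".
load_order() {
  local mod d
  mod=$(printf '%s' "$1" | tr _ -)          # snd_intel8x0 and snd-intel8x0 name the same module
  case "$LOADED" in *" $mod "*) return 0 ;; esac
  for d in $(deps_of "$mod"); do
    load_order "$d"
  done
  LOADED="$LOADED$mod "
  printf '%s\n' "$mod"
}

# What modprobe does: print the complete load order for module $1, one module per line.
modprobe_order() {
  LOADED=" "
  load_order "$1"
}

# What insmod trips over: the direct dependencies of $1 that are not in the
# already-loaded list $2 (space separated). Empty output means insmod would succeed.
insmod_missing() {
  local d
  for d in $(deps_of "$(printf '%s' "$1" | tr _ -)"); do
    case " $2 " in *" $d "*) ;; *) printf '%s\n' "$d" ;; esac
  done
}

echo "modprobe snd_intel8x0 would load, in this order:"
modprobe_order snd_intel8x0
echo "insmod snd-intel8x0.ko with only snd-pcm loaded is still missing:"
insmod_missing snd_intel8x0 "snd-pcm"
```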

1.105.2 Configuring, building and installing a custom kernel and kernel modules (exam weight 3)

      /usr/src/linux/* /usr/src/linux/.config
      /lib/modules/kernel-version/* /boot/* make
      make targets: all, config, menuconfig, xconfig, gconfig, oldconfig,
      modules, install, modules_install, depmod, rpm-pkg, binrpm-pkg, deb-pkg

Building a kernel

 make config
old and boring method
 make menuconfig
needs ncurses-dev
 make xconfig
based on qt
 make gconfig
for GTK users

Copy old version ".config" to the new kernel directory and type "make oldconfig".

Kernel version 2.4 uses "make bzImage"; 2.6 uses "make", then "make modules". "make install" puts the kernel into the right position if you use LILO; this last step includes rewriting the MBR. GRUB users copy "arch/i386/boot/bzImage" to /boot and adjust menu.lst. To copy the modules to the right position use "make modules_install". The modules will be copied to "/lib/modules/version".

Topic 106: Boot process, initialisation, shutdown and runlevels

1.106.1 Start of the system (weight: 3)

Description: Candidates should be able to guide the system through the boot process.

Key knowledge areas: giving commands to the boot loader and passing options to the kernel at boot time. Checking boot messages in the log files.

List of important files, directories and applications:

 /var/log/messages /etc/modules.conf /etc/modprobe.conf dmesg LILO GRUB

After LILO or GRUB has loaded the kernel and possibly an initial ram disk into memory, the start process runs through a set of start scripts which follow the System V standard.


 # /etc/lilo.conf
 boot = /dev/hda
 change-rules
 reset
 read-only
 lba32
 prompt
 timeout=80
 message=/boot/message
 default = linux

 image = /boot/vmlinuz
 label=linux
 root=/dev/hda8
 vga=792
 initrd=/boot/initrd
 append="hdc=ide-scsi acpi=off"

 other=/dev/hda1
 label=windows

To activate the configuration you have to call "/sbin/lilo" after editing "/etc/lilo.conf". To give kernel parameters use the "append=..." line, e.g. append="hdc=ide-scsi acpi=off".

GRUB uses the file "/boot/grub/menu.lst" for its settings. The file "/boot/grub/device.map" defines the numbering of the hard disks. To install GRUB use "/usr/sbin/grub-install" with the device file as parameter, e.g. "/dev/hda" if you want to install GRUB into the boot sector of your first IDE disk.


 title		Ubuntu, kernel 2.6.20.1
 root		(hd0,1)
 kernel		/boot/vmlinuz-2.6.20.1 root=UUID=9cf0a2f1-fd6a-47ea-9001-47e2b2241907 ro quiet splash
 initrd		/boot/initrd.img-2.6.20.1
 savedefault

 title		Ubuntu, kernel 2.6.20.1 (recovery mode)
 root		(hd0,1)
 kernel		/boot/vmlinuz-2.6.20.1 root=UUID=9cf0a2f1-fd6a-47ea-9001-47e2b2241907 ro single
 initrd		/boot/initrd.img-2.6.20.1

 title		Ubuntu, memtest86+
 root		(hd0,1)
 kernel		/boot/memtest86+.bin

 title		Windows 95/98/NT/2000
 root		(hd0,1)
 makeactive
 chainloader	+1

To give kernel parameters with GRUB use the "kernel ..." line and append the parameters separated by spaces. If a boot screen hides the kernel messages during the start process you can inspect them later with "dmesg". After the system is up the log messages lie in "/var/log/messages", "/var/log/syslog" or "/var/log/syslog-ng".

 last william
shows login timestamps from /var/log/wtmp
 lastb william
shows failed login attempts from /var/log/btmp

If /var/log/btmp is not being written, edit /etc/login.defs to activate this mechanism.

 dmesg
shows kernel messages, even the messages which occur before syslogd has started its work.
 linux acpi=no idescsi=/dev/hdc
at the boot prompt: first the image name, then parameters divided by space characters. If a parameter takes more than one option, the values are divided by commas.

1.106.2 Changing runlevels, shutting down and rebooting the system (weight: 3)

Description: Candidates should be able to manage the runlevels of the system. This objective also includes switching to single-user mode, shutting down or rebooting the system. Candidates should be able to alert other users before changing the runlevel and to terminate processes properly. This objective also includes setting the default runlevel.

Key knowledge areas: setting the default runlevel. Shutting down and rebooting the system from the command line. Switching between runlevels including single-user mode. Alerting users before a runlevel change or other major system events. Terminating processes properly.

List of important files, directories and applications:

 /etc/inittab shutdown init

The line

 id:5:initdefault:

in the file "/etc/inittab" defines the default runlevel (here 5). Normally the runlevels are numbered 0 to 6, where 0 is for shutdown and 6 for reboot. Runlevel 1 is for basic tasks and repair mode and runs in single user mode.

Most often runlevel 5 is for a common system with graphical login and runlevel 3 for almost the same but without X. The scripts in the folders "/etc/rcN.d" are for the tasks in the particular runlevel, where N stands for the runlevel number 0-6. The prefix "S" stands for start script and "K" means stop or kill script. This prefix decides whether the script gets the parameter "start" or "stop". The number after the prefix defines the order of the scripts. If you do not want to adjust the scripts manually you can use the program "chkconfig". The parameter "restart" stops and starts a program again. To force a process to reload its configuration you can use "killall -HUP asdf".

In the folder "/var/run" you find the PIDs of the running processes. "checkproc" tests whether a process exists whose program name equals the parameter. "pidof" is a similar tool.

The start of the virtual consoles is defined in "/etc/inittab". Entries like:

 1:2345:respawn:/sbin/mingetty --noclear tty1
 2:2345:respawn:/sbin/mingetty tty2

There are four fields divided by the delimiter ":". The first field is a unique identifier. The second is a list of runlevel numbers in which the command from the fourth field is going to be executed (here runlevels 2-5). "mingetty" is the program for the login screen at the text consoles and ttyN is the device it should use.

To change a run-level use "/sbin/init".

An example for a start script:

 #!/bin/sh    # or bash
 case "$1" in
     start)
        echo "Starting asdf"
        /usr/bin/asdf &
        echo $! > /var/run/asdf.pid     # $! is the PID of the process just started in the background
        ;;
     stop)
        echo "Shutting down asdf"
        killall asdf
        /bin/rm /var/run/asdf.pid
        ;;
     restart)
        $0 stop
        $0 start
        ;;
     status)
        if /sbin/checkproc /usr/bin/asdf 2> /dev/null   # or: if pidof asdf > /dev/null
        then
          echo "asdf is up"
        else
          echo "asdf is down"
        fi
        ;;
 esac

 telinit 2
switches the runlevel from the default to 2.
 shutdown -h +10
shuts down the computer in 10 minutes and sends the users a message via the shell. New login attempts will be prevented.
 shutdown -r
reboots instead of halting.
 shutdown -h 23:00
shuts down at 23:00.
 shutdown -c
cancels a running shutdown.

107: Printing

1.107.2 Managing printers and print queues (weight: 1)

Description: Candidates should be able to manage print queues and user print jobs.

Key knowledge areas: configuring and monitoring a print server. Managing user print queues. Troubleshooting general printing problems. List of important files, directories and applications:

 lpq
shows queue of the printer
 lpr
 lp
print files from the console. Parameters may be the printer and the number of copies.
 lpc
control program
 lprm <job id>
removes distinct jobs from printer queue.

The printer for these commands is per default the default printer. With parameter "-P <name>" you can give a different printer queue.

If you type in "lpc" you get a new console where you can give some commands:

 disable <printer> 
 enable <printer>
 stop <printer>
 start <printer>
 down <printer>
 up <printer>
 topq <printer> <id> <id> ...
moves job to the top of the queue.
 exit / quit
ends session.

For "lprng" you configure the printers in "/etc/printcap". For "cups" the data is in "/etc/cups/printers.conf" and "/etc/cups/cupsd.conf".

1.107.3 Printing files (weight: 1)

Description: Candidates should be able to manage print queues and manipulate print jobs.

Key knowledge areas: adding and removing jobs from configured printer queues. Converting text files to PostScript for printing.

List of important files, directories and applications:

1.107.4 Installing and configuring local and remote printers (weight: 1)

Description: Candidates should be able to install and configure local and remote printers.

Key knowledge areas: installing a printer daemon. Installing and configuring a print filter. Making local and remote printers accessible for a Linux system, including PostScript, non-PostScript and Samba printers.

List of important files, directories and applications:

The spooler serves the data to the printer in ASCII format or PostScript. An input filter such as apsfilter or magicfilter analyses the input data and creates a PostScript job. If the printer does not understand PostScript we use "ghostscript", which translates PostScript into a form the printer understands. "apsfilter" always creates PostScript data. If necessary the PostScript will be translated into a special form with ghostscript.

The definition of the input filter lies in the file "/etc/printcap" and there at the entry "if=..." (input filter).

What is the difference between start/stop and enable/disable commands of lpc?

If a queue is disabled no further jobs can be placed into the queue. The jobs already present will be finished. The stop command will halt the printer but the queue will be untouched, so the users can place further jobs into it.

How do you change the order of the print jobs?

With the lpc command topq.

A GDI printer is a "Windows printer". It is only able to print with a special driver, and these were written for the Windows OS. Using this kind of printer under Linux is not possible yet.

With

 lpr -Pnodefaultqueue -#3 file.pdf
you print the file file.pdf three times via the queue named "nodefaultqueue".
"-K" or "-#" gives the number of copies.
"-P" gives the name of the queue if it is not the default queue.

Printing several pages onto one sheet

 apt-get install mpage

The mpage command reads plain text or PostScript files and manipulates the text size to fit multiple print pages on single sheets of paper. This tool requires a PostScript printer to print the results.

 mpage -bA4 -2 docu.ps
where the value after "-" can be 1, 2, 4 or 8 and means that you get up to 8 pages onto a single sheet.

108: Documentation

1.108.1 Using and managing local system documentation (weight: 4)

Description: Candidates should be able to use and administer the man facility and the material in /usr/share/doc/.

Key knowledge areas:

Finding relevant man pages.

Searching man page sections.

Finding commands and the man pages related to them.

Configuring access to man sources and the man system.

Preparing man pages for output.

Using the system documentation stored in /usr/share/doc/ and determining what documentation to keep there.

List of important files, directories and applications:

1.108.2 Finding Linux documentation on the Internet (weight: 3)

Description: Candidates should be able to find and use Linux documentation on the Internet.

Key knowledge areas:

Using Linux documentation from sources such as the Linux Documentation Project (LDP), vendor and third-party websites, newsgroups, newsgroup archives and mailing lists.

List of important files, directories and applications:

1.108.5 Notifying users about system-related issues (weight: 1)

Description: Candidates should be able to notify users about current issues related to the system.

Key knowledge areas: automating communication with users through login messages.

List of important files, directories and applications:

"whatis" searches the man pages for the given pattern. The command "apropos" works similarly; it additionally searches the short descriptions for the given pattern.

The command "man" distinguishes between the following sections of documentation. It is recommended that you know these sections:

  1 Executable programs or shell commands
  2 System calls (functions provided by the kernel)
  3 Library calls (functions within program libraries)
  4 Special files (usually found in /dev)
  5 File formats and conventions, e.g. /etc/passwd
  6 Games
  7 Miscellaneous (including macro packages and conventions), e.g. man(7), groff(7)
  8 System administration commands (usually only for root)
  9 Kernel routines [non standard]

LDP means "Linux Documentation Project".

The message of the day is the file /etc/motd. This text is displayed every time you log in via a shell.

The file /etc/issue contains the text which is displayed before the login prompt and is often similar to "Welcome to ...". The network version has the name /etc/issue.net.

109: Shells, scripting, programming and compiling

1.109.1 Customising and using the shell environment (weight: 5)

Description: Candidates should be able to customise shell environment variables to meet user needs.

Key knowledge areas: setting environment variables (e.g. PATH) at login or when spawning a new shell. Writing bash functions for frequently used command sequences.

List of important files, directories and applications:

 variable=value
 a="aasdf"
 echo $a

We have shell and environment variables. With the command "export" you can declare an already defined shell variable as an environment variable. The command "env" returns all exported variables. With "set" you get the exported variables and the shell variables. With "export -n variable" you can undo an earlier export, i.e. turn an environment variable back into a shell variable. With "unset" you can delete the variable.

The difference between login shells and shells which only execute a script is the start-up process. The login shell first processes the "/etc/profile" file, then "~/.bash_profile", "~/.bash_login" or "~/.profile", depending on which one is found first. A normal shell first executes "/etc/bash.bashrc" and then "~/.bashrc" if it exists. When a login shell exits, the file "~/.bash_logout" is executed.

1.109.2 Customising or writing simple scripts (weight: 3)

Description: Candidates should be able to customise existing scripts or write simple new bash scripts.

Key knowledge areas:

List of important files, directories and applications:

Under Linux it is not possible to get root rights with the use of the sticky bit. You can set the bit, but it will be futile.

if ... then ... elif ... else ... fi

 if test -a /etc/fstab;
 then
   echo "asdf";
 else
   echo "kkkkk";
 fi

Equivalent to "test -a /etc/fstab" is "[ -a /etc/fstab ]".

Test options:

 -a file
file exists
 -d file
file is a directory
 -f file
file exists and is a regular file
 -r file
file exists and is readable by the user that called the script
 -w file
same as -r but writable
 -x file
same as -r but executable
 -z string
string is empty
 -n string
string is not empty
 str = str2
 str != str2
 n1 -lt n2
 n1 -gt n2
(-lt and -gt compare integers)

for and while loops

 $ for i in 1 2 3;do echo $i;done
 $ while true;do echo "I was here";done
 $ for i in $(seq 1 1000);do echo $i;done

backticks and brackets

The backtick method is the older one. To replace a string with its result use `...`:

 now=`date +%F`

The newer method is

 now=$(date +%F)

and has the advantage that you can use nested forms.

With "seq" you can give a sequence of numbers:

 for i in $(seq 1 1000);do echo $i;done

What is happening when we execute the following script?

 #!/bin/bash
 cd ..

Answer: nothing, because the shell executes the script in a new shell, which goes up a directory and then ends. Therefore you land again in the start directory. Such functionality can only be achieved with a shell function:

 up() { cd ..; }

Note the space between "{" and the first command. It is not cosmetic but required by the syntax.

With $1, $2 and so on you can access the arguments of the script. $0 is the name of the script and $@ the whole set of arguments.

With $$ you can access the process id of the script.

 $ echo My id is $$
 My id is 5027

 $? is the errorcode of the last process.

Very useful is also the variable $! which is assigned with the value of the process id of the last started background process.

 $ find / -name "*.txt" -print &
 $ kill $!
kills the find process.
 $* all arguments in one string
 $@ all arguments in an array of strings
 $# number of arguments in the command line
 $_ last argument of the previously executed command

Automatic variables:

 $RANDOM  random number between 0 and 32767
 $LINENO
 $OLDPWD
 $OPTARG
 $PPID
 $PWD
 $REPLY   is set by command read if no variable is given
 $SECONDS number of seconds since last start or login of the current shell

Getting the options from command line

getopts delivers the options and also reports wrong parameters.

 while getopts abc:D: opt
 do
   case $opt in
     a) echo "Option a wurde angegeben";;
     b) echo "Option b wurde angegeben";;
     c) echo "Option c wurde angegeben: $OPTARG";;
     D) echo "Option D wurde angegeben: $OPTARG";;
    esac
 done

parameters beyond $9

 echo "the 20th argument: ${20}"

comparison of strings and tests for empty variables

 [ "$var1" = "$var2" ]
 [ "$var1" != "$var2" ]
 [ -z "$var2" ]     # var empty?
 [ -n "$var3" ]     # var not empty?

Topic 111: Administrative tasks

1.111.1 Managing users, group accounts and related system files (weight: 4)

Description: Candidates should be able to add, remove, suspend and change user accounts.

Key knowledge areas: adding, modifying and removing users and groups. Managing user and group information in the password/group databases. Correctly handling the shadow password/group databases with the appropriate tools. Creating and managing special purpose and limited accounts.

List of important files, directories and applications: /etc/passwd /etc/shadow /etc/group /etc/gshadow chage gpasswd groupadd groupdel groupmod passwd useradd userdel usermod

The structure of the file /etc/passwd is simple. Every line has the following form:

 accountname:password:UID:GID:realname:homedir:shell

Important for the exam are the following fields with their individual meaning.

The structure of the file /etc/shadow is as follows:

 Position Example Meaning
   1       user    user name
   2       asdf    password hash
   3       1234    date of the last password change, in days since Jan 1st 1970
   4         0     minimal age of a password before it may be changed again, to prevent too frequent changes
   5        100    maximal age of a password, to prevent ancient passwords
   6         7     the user gets a warning message 7 days before his/her password expires
   7         1     one day after the password expired, the account will be disabled
   8       1234    date when the account expires
   9        void   reserved

"group" and "gshadow" are for the group passwords.

useradd
 useradd -m <username>
creates the user and also the home directory.
 useradd -r <username>
creates a system account for daemons or similar, i.e. for users who do not log in via a shell.
 -d <home dir>
 -s <login shell>
 -u <user id>
 -g <group id>
 -c <gecos>
real name field, also called the GECOS field and frequently used to store additional information. c stands for comment.
usermod

to edit a user account.

 usermod -L devil
deactivates user devil, same as
 passwd -l devil
userdel

to remove a user account.

chage

to change the aging i.e. to set the dates when accounts will be disabled, expired and so on.

shadow system

The hash values of the passwords are stored in the file /etc/shadow not in /etc/passwd.

 pwconv
converts an old-style passwd file (with password hashes) into one without hashes, moving the hashes into /etc/shadow.

To create a new user with a home directory populated from /etc/skel:

 useradd -m <username>

To use a different directory as template instead of skel:

 useradd -k /etc/mydirtemplate <username>

To set a user into a group use:

 useradd -g <gid>

To set the comment part of passwd file:

 useradd -c <comments>
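As an added example (not part of these notes), the following POSIX shell script reads the shadow fields described in the table above and classifies an account as locked, expired, in its warning window, or fine for a given day number. The shadow lines, user names and hashes are constructed placeholders; the day number is passed in explicitly so the result is reproducible.

```shell
#!/bin/sh
# Constructed /etc/shadow lines (the hashes are placeholders, not real hashes).
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
ALICE='alice:$6$constructed$notarealhash:17800:0:90:7:3::'
BOB='bob:!$6$constructed$notarealhash:17800:0:90:7:3::'
CAROL='carol:$6$constructed$notarealhash:17800:0:90:7::17850:'
DAEMON='daemon:*:17700:0:99999:7:::'

# Classify one shadow line ($1) relative to a day number ($2, days since 1970-01-01,
# the same unit the file uses). Prints "<user> <status>" where status is one of
# locked, account-expired, disabled, expired, warn or ok.
shadow_status() {
  IFS=: read -r user hash last min max warn inactive expire rest <<EOF
$1
EOF
  today=$2
  status=ok
  case "$hash" in
    '!'*|'*'*) status=locked ;;        # "!" is what usermod -L / passwd -l prefix; "*" never matches
  esac
  if [ "$status" = ok ] && [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
    status=account-expired             # field 8: absolute expiry date of the account
  fi
  if [ "$status" = ok ] && [ -n "$max" ] && [ "$max" -lt 99999 ]; then
    left=$(( last + max - today ))     # days until the password must be changed
    if [ "$left" -lt 0 ]; then
      status=expired
      # field 7: grace period after expiry before the account is disabled
      if [ -n "$inactive" ] && [ "$today" -gt $(( last + max + inactive )) ]; then
        status=disabled
      fi
    elif [ -n "$warn" ] && [ "$left" -le "$warn" ]; then
      status=warn                      # field 6: warning window before the password expires
    fi
  fi
  echo "$user $status"
}

# Report every account of a shadow-format text ($1) for day $2, one line per account.
shadow_report() {
  printf '%s\n' "$1" | while read -r line; do
    if [ -n "$line" ]; then
      shadow_status "$line" "$2"
    fi
  done
}

SHADOW_SAMPLE="$ALICE
$BOB
$CAROL
$DAEMON"
echo "Account status on day 17885:"
shadow_report "$SHADOW_SAMPLE" 17885
```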

1.111.2 Tuning the user environment and system-wide environment variables (weight: 3)

Description: Candidates should be able to modify global and user profiles.

Key knowledge areas: setting environment variables. Maintaining skeleton directories for new user accounts. Setting the command search path to the proper directories.

List of important files, directories and applications: /etc/profile /etc/skel env export set unset

env

lists all environment variables.

 HISTSIZE
size of the bash history
 PAGER
to show you text-files pagewise e.g. less or more
 EDITOR
the default editor e.g. vim
 TERM
profile name for adjustment of terminals. That is important for remote sessions on other hosts.
Order of property files

First /etc/profile, then .profile. For bash there are "/etc/bashrc" and ".bashrc".

The view of the prompt

can be adjusted with the environment variables PS1, PS2 and PS4.

skel

in particular the directory "/etc/skel" is the template for the home directories that are created for new users.

1.111.3 Configuring and using system log files to meet administrative and security needs (weight: 3)

Description: Candidates should be able to configure and manage system log files.

Key knowledge areas: determining the type and level of information logged. Manually scanning log files for notable activity. Monitoring log files. Automatic rotation and archiving of log files. Tracking down problems noted in log files.

List of important files, directories and applications: /etc/syslog.conf /var/log/* logrotate tail -f

syslogd

config file:/etc/syslog.conf

The advantage is that only one process writes into the log files instead of hundreds of processes that all want to log something.

Facilities:
Priorities: (with increasing importance; "none" means that nothing is reported)

A log message is classified by its facility, for example auth, and its priority, for example warn or err.

 kern.warn;*.err;authpriv.none /dev/tty9
writes the following messages to console tty9: all messages from facility kern with priority warn and higher, all facilities if their priority is err or higher, and nothing from facility authpriv.
 *.=warn;*.=err -/var/log/warn
the equal sign declares that only messages of exactly this priority are wanted, no other priorities. Same for the err priority. The "-" sign before the path of the file means that buffered (blockwise) writing is used, i.e. the file is not synced after every message. That makes sense for writing into a file, since syncing is very slow. A minus before a path to a console gives no advantage.
 man 5 syslog.conf
for a lot of examples.
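The selector rules above (priority "and higher", "=" for exactly one priority, "none" to discard a facility, "*" for any) are easy to get wrong when auditing what actually reaches a log file. As an added example that is not from these notes, this shell script evaluates a constructed syslog.conf excerpt for a given facility and priority the way syslogd accumulates selectors left to right; the configuration lines and function names are invented for the illustration, and the parser accepts spaces as well as tabs between selector and action.

```shell
#!/bin/sh
# Constructed syslog.conf excerpt ("selector action"), invented for this example.
SYSLOG_CONF='kern.warn;*.err;authpriv.none   /dev/tty9
*.=warn;*.=err                 -/var/log/warn
authpriv.*                     /var/log/secure'

# Numeric level of a priority name, lowest (debug) to highest (emerg);
# warn, error and panic are the aliases syslog.conf accepts.
prio_index() {
  case "$1" in
    debug) echo 0 ;; info) echo 1 ;; notice) echo 2 ;; warning|warn) echo 3 ;;
    err|error) echo 4 ;; crit) echo 5 ;; alert) echo 6 ;; emerg|panic) echo 7 ;;
    *) return 1 ;;
  esac
}

# Does the selector field $1 (e.g. "kern.warn;*.err;authpriv.none") accept a message
# with facility $2 and priority $3? Selectors apply left to right and accumulate:
# "fac.prio" adds prio and everything more severe, "fac.=prio" adds exactly that
# priority, "fac.none" drops everything collected so far for that facility, and
# "*" stands for any facility or any priority.
selector_matches() {
  conf=$1
  fac=$2
  mp=$(prio_index "$3") || return 2
  mask=0                                # bit i set = level i is accepted
  old_ifs=$IFS
  IFS=';'
  set -f                                # no pathname expansion of "*" while splitting
  set -- $conf
  set +f
  IFS=$old_ifs
  for sel in "$@"; do
    facs=${sel%.*}
    prio=${sel##*.}
    case ",$facs," in
      *",*,"*|*",$fac,"*) ;;            # facility list contains "*" or the message facility
      *) continue ;;
    esac
    case "$prio" in
      none) mask=0 ;;
      '*')  mask=255 ;;
      =*)   pi=$(prio_index "${prio#=}") || return 2
            mask=$(( mask | (1 << pi) )) ;;
      *)    pi=$(prio_index "$prio") || return 2
            mask=$(( mask | (255 & ~((1 << pi) - 1)) )) ;;
    esac
  done
  [ $(( (mask >> mp) & 1 )) -eq 1 ]
}

# Print, in configuration order, the actions of the syslog.conf text $1 that
# would receive a message with facility $2 and priority $3.
route_message() {
  printf '%s\n' "$1" | while read -r sel action; do
    if [ -n "$sel" ] && selector_matches "$sel" "$2" "$3"; then
      printf '%s\n' "$action"
    fi
  done
}

echo "kern.err is written to:"
route_message "$SYSLOG_CONF" kern err
echo "authpriv.err is written to:"
route_message "$SYSLOG_CONF" authpriv err
```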

1.111.4 Automating system administration tasks by scheduling jobs to run in the future (weight: 4)

Description: Candidates should be able to use cron and anacron to run jobs at regular intervals and at to run jobs at a specific time.

Key knowledge areas: managing cron and at jobs. Configuring user access to cron and at services.

List of important files, directories and applications:

 /etc/anacrontab
 /etc/at.deny
 /etc/at.allow
 /etc/crontab
 /etc/cron.allow
 /etc/cron.deny
 /var/spool/cron/*
 at
 atq
 atrm
 crontab

 crontab -e
to create jobs for the user himself.

minute, hour, day of month, month, day of week, command

The weekday sunday has the number 0 and 7.

"*/5" means, beginning with the start of the daemon, a recurrence every 5 minutes. "4/5" begins the period at minute 4, even if the daemon has to wait 59 minutes.

A restriction to working hours can be 8-17 in the hour field. 4/5 means starting at the fourth minute, then every five minutes (or hours or days and so on). You can also enumerate like this: 0,5,10,15,20

Which users are allowed to make cron entries is defined in "/etc/cron.allow" and "/etc/cron.deny". If the cron.deny file contains user jim, he is not allowed to make entries with "crontab -e".

 crontab -l
to list all your cron jobs
 crontab -r
to remove your cron job list.
 crontab -u <user>
With -u the root user can edit and view the cron table of a particular user.

at
 echo "/usr/bin/aplay alarm-clock.wav" | at 09:55 24.05.2008
plays the file at 9:55 on 24 May 2008.

"at" creates jobs for a special date. With "atq" you can list the jobs you have already created and with "atrm" you can remove jobs from queue.

 at -f commandlist_in_file 9:00am +2days
starts the execution of the command list stored in the file given by -f at 9 o'clock in two days.

1.111.5 Maintaining an effective data backup strategy (weight: 3)

Description: Candidates should be able to plan a backup strategy and back up file systems automatically to various media.

Key knowledge areas: dumping a raw device to a file and vice versa. Performing partial and manual backups. Verifying the integrity of backups. Partially or fully restoring backups.

List of important files, directories and applications: cpio (copies files to and from archives), dd, dump (for backups; it evaluates the second-to-last column of /etc/fstab), restore (restores backups created with "dump"), tar

There are three different types of backups:

  1. full backup
  2. differential backup (only the difference to the last full backup)
  3. incremental backup (only the difference to the last backup, whatever its type was)

1.111.6 Maintaining system time (weight: 4)

Description: Candidates should be able to maintain the system time and synchronise the clock via NTP.

Key knowledge areas: setting the system date and time. Setting the BIOS clock to the correct time in UTC. Configuring the correct timezone. NTP configuration, including correcting clock drift.

List of important files, directories and applications: /usr/share/zoneinfo /etc/timezone /etc/localtime /etc/ntp.conf /etc/ntp.drift date hwclock ntpd ntpdate

 ntpdate -s time.nist.gov pool.ntp.org
sets the system time once from the given servers.

 ntpq -p -n
 ntpq -c peers -n
 ntpq -n
list the peers known to the server by IP address.
 ntptrace
to see where the local system is synchronising its clock to.

Topic 112: Network fundamentals

1.112.1 TCP/IP basics (weight 4)

Key knowledge areas:

Understanding IP addresses, including but not limited to: network masks, for example determining the network part and the broadcast address of a host from its IP address and subnet mask in dotted-quad or abbreviated notation, or determining the IP address, broadcast address and subnet mask when an IP address and the number of bits used for the network part are given. Understanding network classes and classless subnets (CIDR) and the reserved addresses for private networks. Understanding the function and application of the default route. Understanding the basic Internet protocols (IP, ICMP, TCP, UDP) and the common TCP and UDP ports (20, 21, 23, 25, 53, 80, 110, 119, 139, 143, 161). Basic knowledge of the differences between IPv4 and IPv6.

List of important files, directories and applications:

There are two addresses in each IP range that are reserved. The first is the base address of the subnet, most often the lowest number (.0). The second is the broadcast address, most often the highest number (.255). If we have 256 IP addresses available we can only use 254 for hosts: .1 to .254

 255.255.255.0    /24  hosts 254
 255.255.255.128  /25  hosts 126
 255.255.255.192  /26  hosts  62
 255.255.255.224  /27  hosts  30
 255.255.255.240  /28  hosts  14
 255.255.255.248  /29  hosts   6
 255.255.255.252  /30  hosts   2
 255.255.255.254  /31  hosts   0
 255.255.255.255  /32  hosts   1

Subnet /32 is most often used for a "single host route", for example to a host over the PPP protocol.

 traceroute www.testdomain.com
counts the hops to this domain. With the help of IP and ICMP, packets are sent with "time to live" values 1, 2, 3, ... until the packet reaches the destination. This way the hosts between the local host and the destination can be identified.

Port list
  20 ftp data
  21 ftp control
  22 ssh
  23 telnet
  25 smtp
  53 dns
  80 http
 110 pop3
 119 nntp
 137 netbios-ns
 139 netbios-ssn
 143 imap4
 161 snmp
 515 printer

We want four different subnets with 64 IP addresses per subnet. Which subnet mask fits this task?

 256 - 64 = 192 (that means the first two bits of the last octet, seen from the left, are used for the subnet: 128+64), i.e. the mask 255.255.255.192 (/26) from the table above

IP range:

 00  0 - 63
 01  64 - 127
 10  128 - 191
 11  192 - 255
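The calculations described in this section (network part, broadcast address and usable host count from an address given either as "ip/prefix" or as ip plus dotted-quad mask) as an added worked example; this is not code from the original notes, and every address in it is a constructed sample value:

```python
# Added example (not part of the original LPIC notes): an IPv4 subnet
# calculator that derives network, broadcast, mask and usable host count
# from "ip/prefix" or from ip + dotted-quad netmask.
# All addresses used below are constructed sample values.
from typing import Optional

def dotted_to_int(dotted: str) -> int:
    """Convert a dotted-quad string to a 32-bit integer."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"invalid IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/prefix -> 32-bit mask, e.g. /26 -> 0xFFFFFFC0 (255.255.255.192)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_to_prefix(mask: int) -> int:
    """Dotted-quad mask -> prefix length; rejects non-contiguous masks."""
    prefix = bin(mask).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError(f"non-contiguous netmask: {int_to_dotted(mask)}")
    return prefix

def subnet_info(address: str, mask: Optional[str] = None) -> dict:
    """Accepts "192.168.47.11/26" or ("192.168.47.11", "255.255.255.192")."""
    if "/" in address:
        ip_str, prefix_str = address.split("/", 1)
        prefix = int(prefix_str)
    elif mask is not None:
        ip_str = address
        prefix = mask_to_prefix(dotted_to_int(mask))
    else:
        raise ValueError("need either ip/prefix or a separate netmask")
    ip = dotted_to_int(ip_str)
    netmask = prefix_to_mask(prefix)
    network = ip & netmask                           # host bits cleared
    broadcast = network | (~netmask & 0xFFFFFFFF)    # host bits set
    # /31 and /32 have no separate network/broadcast address; the table
    # above lists them as 0 and 1 usable hosts respectively.
    if prefix == 32:
        hosts = 1
    elif prefix == 31:
        hosts = 0
    else:
        hosts = (1 << (32 - prefix)) - 2
    return {
        "network": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        "netmask": int_to_dotted(netmask),
        "prefix": prefix,
        "hosts": hosts,
        "first_host": int_to_dotted(network + 1) if hosts > 1 else None,
        "last_host": int_to_dotted(broadcast - 1) if hosts > 1 else None,
    }

if __name__ == "__main__":
    # One address out of each of the four /26 subnets from the worked example.
    for ip in ("10.0.0.5/26", "10.0.0.70/26", "10.0.0.130/26", "10.0.0.200/26"):
        print(ip, subnet_info(ip))
    print(subnet_info("192.168.47.11", "255.255.255.0"))
```

The mask is built by shifting rather than by the "256 minus block size" mnemonic, so it also works for masks that end in an octet other than the last one; a non-contiguous mask such as 255.255.0.255 is rejected because it cannot be written in prefix notation.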

1.112.3 Configuration of TCP/IP and troubleshooting (weight 7)

Key knowledge areas:

Manual and automatic configuration of network interfaces and routing tables, including adding, starting, stopping, restarting, deleting and reconfiguring network interfaces. Changing, displaying and configuring a routing table and manually correcting a wrongly set default route. Configuration of a DHCP client. Basic TCP/IP host configuration. Troubleshooting network configuration problems.

List of important files, directories and applications:
 netstat -p
prints the PID and name of the process owning each socket
 netstat -r
prints the routing table

"/etc/nsswitch.conf" defines whether, and in which order, the host consults local files and DNS to resolve host names. An example of its content:

 hosts: files dns
 networks: files dns

Enable IP forwarding when a host with two or more network cards is to be used as a router:

 echo "1" > /proc/sys/net/ipv4/ip_forward

 tcpdump -vvA  tcp and port 80
 tcpdump -vvA src host 4.7.1.1 and tcp and port 80
very verbose (-vv) output of TCP packets on port 80, with the packet payload printed as ASCII (-A); the second form additionally filters on the source host.

1.112.4 Configure Linux as PPP client (weight 3)

Key knowledge areas:

Defining the chat sequence for connection setup (for a given login example) and setting up commands to be executed automatically when the connection comes up. Establishing and terminating a PPP connection over modem, ISDN or ADSL with the appropriate scripts. Configuring PPP to redial automatically after the connection drops.

List of important files, directories and applications:

The PPP daemon uses the program "chat" and "chat scripts". A script consists of pairs of fields: the first is a text string the daemon waits for, and when that string arrives it sends the string from the second field as the answer.

Connect as a normal user:

 $ pppd call <providername>

or (the chat script is passed to pppd with its "connect" option):

 # pppd connect "chat -f <scriptname>" /dev/ttyS2 115200

1.113 network services

1.113.1 configuration of inetd, xinetd and proper services. (weight:4)

Key knowledge areas:

Specifying the services that should be reachable via (x)inetd. Manually starting, stopping and restarting Internet services. Configuring basic network services including ssh and ftp. Setting up services that run under a user other than the default user in the (x)inetd configuration. Basic knowledge of tcpwrappers to allow or deny access to individual hosts.

List of important files, directories and applications:
 lsof -i
shows the open ports of the local machine together with the process that opened each one and further useful information.
 COMMAND   PID     USER   FD   TYPE   DEVICE SIZE NODE NAME
 apache2  1624 www-data    3u  IPv4 29100978       TCP *:www (LISTEN)
 apache2  1624 www-data    4u  IPv4 29100980       TCP lvps87-230-10-253.dedicated.hosteurope.de:https  (LISTEN)
 apache2  3528 www-data    3u  IPv4 29100978       TCP *:www (LISTEN)

 lsof -Pnl -i

suppresses the conversion of port numbers to service names (-P), of network addresses to host names (-n) and of user IDs to user names (-l).

 lsof /cdrom
lists all processes that use the cdrom directory
 lsof -t /cdrom
lists only the process IDs. With this form you can kill all processes that use the cdrom at once:
 kill $(lsof -t /cdrom)

1.113.2 configuration of a mail transfer agent (MTA) (weight:4)

Key knowledge areas:

Adjusting simple parameters in the configuration files of an MTA. Creating e-mail aliases. Managing the mail queue. Starting and stopping the MTA. Setting up mail forwarding. Checking for and closing an "open relay" on a mail server. Basic troubleshooting of an MTA.

List of important files, directories and applications:

The file "/etc/aliases" maps local e-mail accounts to other accounts. For example:

 mailer-daemon: postmaster

After adding a new alias you have to run the program newaliases, which converts the text file /etc/aliases into a binary database such as /etc/aliases.db (the exact file name depends on the MTA).

1.113.3 apache web server (weight:4)

RedirectMatch

If your site moves to a different server, you want to redirect all accesses to the old address to the new one. This is easy to solve with the RedirectMatch directive.

 RedirectMatch permanent ^/subfolderwheresitelies/(.*)$ http://newserver.org/subfolderdest/$1
redirects all accesses to the subfolder subfolderwheresitelies to the new address and appends the remaining sub path to it.
Site access control
     <Directory "/var/www/restr">
       AuthType Basic
       AuthName "restriction"
       AuthUserFile /etc/apache2/htpasswd
       Require user secureuser
     </Directory>
 htpasswd -c /etc/apache2/htpasswd secureuser
creates the password file and adds the user secureuser (-c overwrites an existing file, so use it only for the first user)
 htpasswd /etc/apache2/htpasswd secureuser
adds or updates the user in an existing password file
Key knowledge areas:

Changing simple parameters in the Apache configuration files. Starting and stopping httpd and restarting it after configuration changes. Setting up the automatic start of httpd at boot.

List of important files, directories and applications:

In httpd.conf, DocumentRoot defines the root directory of the web documents. ServerRoot is the base directory of the web server installation, where cgi-bin, icons and help files are located. The program apachectl starts, restarts or stops the server instances and also checks the configuration files. Further parameters are:

1.113.4 NFS and SAMBA (weight:4)

Key knowledge areas:

Mounting network file systems via NFS. Configuring NFS to export local file systems. Starting, stopping and restarting the NFS server. Installing and configuring Samba with the available GUI tools (swat) or by editing /etc/smb.conf (note: this area deliberately excludes advanced knowledge of NT domains, but includes the simple use of shared home directories and printers as well as configuring nmbd as a WINS client).

List of important files, directories and applications:
NFS

The "sync" option in /etc/exports makes the server reply to requests only after the changes have been committed to stable storage. "async" replies before any changes are written, risking data inconsistency if the server crashes.

In /etc/exports the options must be placed in parentheses directly behind the host or network address without any space. With a space in between, the host gets the default options and the options in parentheses apply to every host (*), which can unintentionally export a directory to the world.

To activate a changed /etc/exports use exportfs -r, where r stands for re-export.

showmount shows mount information for an NFS server.

NFS uses remote procedure calls (RPC) to serve its requests. RPC sits on top of TCP/IP and is managed by the program portmap (rpcbind on newer systems). To test whether portmap is running use

 rpcinfo -p
which lists all services registered with RPC.
       # sample /etc/exports file
       /               master(rw) trusty(rw,no_root_squash)
       /projects       proj*.local.domain(rw)
       /usr            *.local.domain(ro) @trusted(rw)
       /home/joe       pc001(rw,all_squash,anonuid=150,anongid=100)
       /pub            (ro,insecure,all_squash)
       /srv/www        -sync,rw server @trusted @external(ro)
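A small parser for the /etc/exports format, added here as an example to make the "no space before the parentheses" pitfall described above visible; it is not part of the original notes or of any NFS tool. It understands host(options) entries and the line-wide -options form from the sample file, and the exports text it runs on is a constructed sample:

```python
# Added example (not part of the original notes): a minimal /etc/exports
# parser. A token "(ro)" without a host in front of it means "every host",
# which is exactly what a stray space before the parentheses produces.
import re

# host-spec followed directly by "(options)", or a bare host-spec
ENTRY = re.compile(r"(?P<host>[^\s(]+)?(?:\((?P<opts>[^)]*)\))?")

def merge_opts(defaults: list, specific: list) -> list:
    """Line-wide defaults plus per-host options; a per-host ro/rw overrides."""
    overrides_rw = any(s in ("ro", "rw") for s in specific)
    kept = [o for o in defaults if not (o in ("ro", "rw") and overrides_rw)]
    return kept + specific

def parse_exports(text: str) -> list:
    """Return [(path, [(host, [options]), ...]), ...] for each export line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        path, defaults, clients = parts[0], [], []
        for token in parts[1:]:
            if token.startswith("-"):            # "-opt1,opt2" applies to all clients
                defaults = token[1:].split(",")
                continue
            m = ENTRY.fullmatch(token)
            if m is None:
                raise ValueError(f"cannot parse export entry: {token!r}")
            host = m.group("host") or "*"        # "(ro)" alone means every host
            opts = m.group("opts").split(",") if m.group("opts") else []
            clients.append((host, merge_opts(defaults, opts)))
        exports.append((path, clients))
    return exports

def world_writable_exports(text: str) -> list:
    """Paths that end up exported read-write to every host ('*')."""
    return [path for path, clients in parse_exports(text)
            for host, opts in clients if host == "*" and "rw" in opts]

# Constructed sample; the second line shows the space pitfall.
SAMPLE_EXPORTS = """\
# constructed sample, mirrors the pitfall described above
/srv/data      192.168.47.0/24(rw,sync)
/srv/oops      192.168.47.0/24 (rw,sync)
/pub           (ro,insecure,all_squash)
/srv/www       -sync,rw server @trusted @external(ro)
"""

if __name__ == "__main__":
    for path, clients in parse_exports(SAMPLE_EXPORTS):
        print(path, clients)
    print("exported rw to the world:", world_writable_exports(SAMPLE_EXPORTS))
```

The /srv/oops line looks almost identical to /srv/data, but the parser shows it as two clients: the network with default options and "*" with rw, which is what the NFS server would do with it as well. A check like world_writable_exports is a cheap thing to run against an exports file before reloading it.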
Samba
 security = share | user | server | domain
 browseable = yes
 encrypt passwords = no
 guest account = nobody
 public = yes (or guest ok = yes)
allows access to the share without giving a password

The service that resolves Windows (NetBIOS) names is nmbd. Two configurations are possible:

 [global]
 wins server = 192.168.47.11
WINS queries are forwarded to this IP address.

or

 wins support = yes
the Samba server is itself the WINS server.

DNS (weight:4)

Key knowledge areas:

Configuring name resolution and troubleshooting local caching-only name servers. Understanding domain registration and the DNS process. Understanding the configuration files of BIND8 and BIND9.

List of important files, directories and applications:

To resolve domain names the following programs can be used:

To reverse the process, i.e. to get the domain name for a given IP address, use

 dig -x <ip>

SSH (weight:4)

Key knowledge areas:

Performing a simple OpenSSH installation and troubleshooting. Configuring sshd to start automatically at boot.

List of important files, directories and applications:

Config file /etc/ssh/sshd_config:

to prevent the old remote login, which was unencrypted
 ssh-keygen -t rsa
creates the files id_rsa (private key) and id_rsa.pub (public key). The public key can be copied to a remote host to make access possible without a password, which is very convenient: the content of id_rsa.pub is appended to the file .ssh/authorized_keys on the remote host, and afterwards login works without a password. The private key stays on the client and should be protected with a passphrase; sshd ignores authorized_keys if the .ssh directory or the file is writable by other users.

1.114 security

1.114.1 Accomplishment of administration tasks

 find / -type f -perm +6000 -xdev -exec ls {} \;
 -xdev
do not leave the current file system. This is very useful to exclude network mounts or Windows partitions from the search and speeds it up significantly.
 -type f | d | l
(f for regular files, d for directories, l for symbolic links)
 -perm +6000
In the first digit SUID = 4, SGID = 2 and the sticky bit = 1.
 -perm 4644
exact match: finds files with mode 644 and additionally the SUID bit, nothing else.
 -perm -6000
logical AND: finds all files that have at least both the SUID and the SGID bit set. For example it would find 6775, but not 0775.
 -perm +6000
logical OR: finds all files with the SUID or the SGID bit set. For example it finds 2xxx, 4xxx or 6xxx files but not 0xxx or 1xxx. Current GNU find writes this form as -perm /6000; +6000 is the older, deprecated spelling.
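The three matching modes of -perm (exact, "-" for all bits, "/" or "+" for any bit), re-implemented on integers as an added example so the rules above can be checked against sample modes without a file system. This is not code from the notes or from findutils, and the file names and modes in the sample are constructed:

```python
# Added example (not from the original notes): the three matching modes of
# find's -perm option, emulated on integer modes.
import stat

def perm_matches(file_mode: int, spec: str) -> bool:
    """
    Emulate find -perm <spec> on the permission bits of file_mode.
      "4644"  exact match: permission bits must equal 4644
      "-6000" all of the given bits must be set (logical AND)
      "/6000" any of the given bits must be set (logical OR);
              "+6000" is the deprecated spelling used in the notes above
    Only octal specs are handled (find also accepts symbolic ones).
    """
    if spec[0] in "-/+":
        how, digits = spec[0], spec[1:]
    else:
        how, digits = "", spec
    wanted = int(digits, 8)
    bits = stat.S_IMODE(file_mode)           # keep only the 07777 permission bits
    if how == "":
        return bits == wanted
    if how == "-":
        return bits & wanted == wanted
    return bits & wanted != 0                # "/" and "+": any bit in common

def setuid_setgid_report(entries: dict) -> list:
    """Names of the constructed entries that `find -perm /6000` would list."""
    return sorted(name for name, mode in entries.items()
                  if perm_matches(mode, "/6000"))

if __name__ == "__main__":
    # Constructed sample "files" (name -> mode); the paths are illustrative only.
    sample = {
        "/usr/bin/passwd": 0o4755,    # SUID only
        "/usr/bin/wall":   0o2755,    # SGID only
        "/opt/weird":      0o6775,    # SUID and SGID
        "/tmp":            0o1777,    # sticky bit only
        "/etc/hosts":      0o644,     # no special bits
    }
    for name, mode in sample.items():
        print(f"{name:18} {mode:05o}  -6000={perm_matches(mode, '-6000')}"
              f"  /6000={perm_matches(mode, '/6000')}")
    print("listed by -perm /6000:", setuid_setgid_report(sample))
```

Running it shows why the SUID/SGID audit command above uses the "any bit" form: with -6000 only /opt/weird would be reported, while /6000 also catches the far more common binaries that carry just one of the two bits.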
iptables
 iptables -A FORWARD -p tcp -d 192.168.47.11 --dport 80 --sport 1024: -j ACCEPT
 -A append the rule to the named chain
 -p tcp match the TCP protocol; required before --dport and --sport can be used
 -d destination
a single host address or a subnet such as 192.168.47.0/25, or 0/0 for any IP address.
 --dport destination port
 --sport source port. Ranges are given as 1000:2000, as 1000: for 1000-65535, or as :2000 for 0-2000.
umask

To make umask numbers easier, remember that the base number is 666 for files and 777 for directories. Subtracting the umask from this number gives the rights of the new file or directory. (Strictly the bits of the umask are cleared from the base; this agrees with the subtraction as long as every bit set in a umask digit is also set in the corresponding base digit, which holds for the usual values such as 022.)

 umask 022
666-022=644
 umask 644
666-644=022 ! With these rights the owner is not able to do anything with the new file.
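The umask rule carried through in code, as an added example that is not part of the original notes: it computes the resulting file and directory modes the way the kernel does (clearing the umask bits) next to the subtraction mnemonic from the notes, so that it is easy to see for which umask values the mnemonic is exact and where it goes wrong.

```python
# Added example (not from the original notes): "base minus umask" versus the
# real rule, base & ~umask. Both agree for umask 022 and 644 from the notes;
# they differ as soon as a umask digit has a bit the base digit lacks (e.g. 027
# on a file, where the owner's 6 = rw- has no x bit to subtract the 1 from).

BASE_FILE = 0o666   # mode a process requests for a new regular file
BASE_DIR = 0o777    # mode a process requests for a new directory

def apply_umask(base: int, umask: int) -> int:
    """The real rule: clear every bit that is set in the umask."""
    return base & ~umask & 0o777

def subtract_umask(base: int, umask: int) -> int:
    """The mnemonic from the notes, done as plain octal subtraction."""
    return base - umask

def effective_modes(umask: int) -> dict:
    """Resulting modes for a new file and a new directory under this umask."""
    return {"file": apply_umask(BASE_FILE, umask),
            "dir": apply_umask(BASE_DIR, umask)}

def mnemonic_is_exact(base: int, umask: int) -> bool:
    """True when subtraction and bit clearing give the same result."""
    return subtract_umask(base, umask) == apply_umask(base, umask)

if __name__ == "__main__":
    for umask in (0o022, 0o027, 0o077, 0o644):
        m = effective_modes(umask)
        print(f"umask {umask:03o}: file {m['file']:03o}, dir {m['dir']:03o}, "
              f"subtraction gives file {subtract_umask(BASE_FILE, umask):03o} "
              f"({'same' if mnemonic_is_exact(BASE_FILE, umask) else 'differs'})")
```

For directories the subtraction always agrees, because 7 contains every bit; for files umask 027 gives 640 by bit clearing but 637 by subtraction, which is why the mnemonic should only be used with umask digits drawn from 0, 2, 4 and 6.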