
1 Chap 11 System Admin: Core Concepts

2 A well-maintained system…
Runs quickly enough so users don’t get frustrated
Has enough storage to accommodate users’ reasonable needs
Provides a working environment appropriate to each user’s abilities and requirements
Is secure from malicious and accidental acts that alter its performance or compromise the security of the data it holds
Is backed up regularly
Has recent copies of necessary software
Is easier to administer than a poorly maintained system

3 System admin and Superuser
Root (the superuser) can add users, partition hard drives, and change system configuration files. sudo can be used to give specific users permission to perform tasks that are normally reserved for the superuser.
–rwx file and directory access permissions do not affect root. The superuser can read from, write to, and execute all files (the one exception is that root cannot execute a file that has no execute bit set for anyone).
–Root can change any user's password without knowing the old password.
–The shell prompt for root is # (a regular user gets $).
–/sbin and /usr/sbin hold the utilities used mainly by root and are in root’s PATH; other users must run them by absolute pathname.

4 Ways to gain or grant superuser privileges
Bringing up the system in single-user mode
Logging in as root
Running su while logged in as a regular user and responding with the root password
sudo can give users superuser privileges for a limited amount of time on a per-user and per-command basis (configured in /etc/sudoers).
A setuid program: when an ordinary user executes a file that is owned by root and has setuid permission, the program runs with full root privileges. Examples: passwd, at, crontab. Every such program is part of the system’s attack surface, so keep the set small and audited.

5 Disabling setuid
setuid can be disabled at the file system level by mounting a file system with the nosuid option. Do this for file systems that should never hold privileged programs, such as /tmp, /home, and removable media; the bit can still be set on files there, but the kernel ignores it when executing them.

6 Root Security Concerns
The /etc/securetty file lists the terminals on which root may log in; it is enforced by the PAM pam_securetty module. Because network logins such as telnet do not arrive on a listed terminal, RHEL and Fedora Core prohibit direct root login over the network this way.
The /etc/security/access.conf file specifies login controls (see example). It is consulted only when pam_access is enabled in the PAM configuration, and it must then contain the users and terminals/workstations from which you want root (or any other user) to be able to log in. Initially every line is commented out.
Root can still log in over the network using ssh: sshd does not consult securetty, and root login over ssh is governed by the PermitRootLogin directive in /etc/ssh/sshd_config.

7 System Administration Tools
su user creates a shell or executes a program as the specified user.
Recommendation: run it as /bin/su, in case someone has compromised your system with a fake su earlier in your PATH.
su spawns a new shell but does not re-run the login scripts that set PATH or otherwise change the environment, so the new shell keeps the calling user’s PATH and variables.
su - (or su -l) creates a login shell, recreating root’s environment and PATH as well.

8 consolehelper
The consolehelper utility makes it easier for a non-root user to run root system programs. PAM, which authenticates users, can be set to trust all console users, to require the user’s own password, or to require the root password before granting trust. For example, a user can log in at the console as himself and run halt without knowing the root password.

9 kill
kill -15 pid (SIGTERM) asks the process to terminate; use it first.
kill -9 pid (SIGKILL) cannot be caught or ignored, so the process gets no chance to clean up; use it only as a last resort.
top can also be used to kill a process with its k command.
pidof vi prints the PIDs of all vi processes.
killall xeyes vi sends the signal (SIGTERM by default) to every process named xeyes or vi.
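As an added example (not part of the slides), the following shell function applies the order the slide recommends: SIGTERM first, a grace period, then SIGKILL only if the process is still there. The liveness check treats a zombie as already gone, because a zombie has exited and only awaits its parent’s wait(); the /proc lookup it uses is Linux-specific. The grace period and the sleep used as a victim are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the slides: graceful stop with SIGKILL fallback.

# proc_alive PID: 0 if PID exists and has not exited. A zombie (state Z
# in /proc/PID/stat on Linux) counts as gone: it already exited and is
# only waiting for its parent to reap it, so signalling it is pointless.
proc_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/stat" ]; then
        # the state field follows the ")" that closes the command name
        state=$(sed 's/^.*) //' "/proc/$1/stat" | cut -d' ' -f1)
        [ "$state" != "Z" ] || return 1
    fi
    return 0
}

# stop_pid PID [SECONDS]: send SIGTERM, wait up to SECONDS (default 5)
# for the process to exit, then send SIGKILL. Returns 0 if the process
# is gone afterwards, 1 if it survived even SIGKILL (for example, stuck
# in uninterruptible I/O).
stop_pid() {
    pid=$1
    grace=${2:-5}

    proc_alive "$pid" || return 0        # nothing to do
    kill -15 "$pid" 2>/dev/null          # SIGTERM: the process may clean up

    i=0
    while [ "$i" -lt "$grace" ]; do
        proc_alive "$pid" || return 0
        sleep 1
        i=$((i + 1))
    done

    kill -9 "$pid" 2>/dev/null           # SIGKILL: last resort, no cleanup
    sleep 1
    proc_alive "$pid" && return 1
    return 0
}

# Demonstration with a throwaway background process (constructed input).
sleep 300 >/dev/null 2>&1 &
victim=$!
if stop_pid "$victim" 3; then
    echo "pid $victim stopped"
fi
```

On a real system the candidates for the fallback are few: a daemon that ignores SIGTERM, or a process wedged in the kernel, which SIGKILL will not release either.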

10 Rescue Mode
Used to fix a system that is not booting normally.
1. Boot from the rescue or installation CD.
2. At the boot: prompt, type linux rescue and press Enter.
In rescue mode you can change or replace configuration files, check and repair partitions using fsck, and more.

11 Avoiding Trojan Horses
Make sure that the PATH variable does not contain a : at the beginning or end of the path string, and no :: anywhere in the string. An empty element means the current directory, so anyone who can write to a directory you cd into could plant a program named like a common command (ls, su) that runs when you type that command. For the same reason, keep . out of PATH and check that no directory in PATH is world-writable.
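The check above, as an added example that is not part of the slides: a shell function that walks a PATH string element by element and reports the openings described (empty elements, relative elements, and world-writable directories without the sticky bit). The directory-permission test reads the mode columns of ls -ld; the PATH strings used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: audit a PATH string for the
# trojan-horse openings described above.

# check_path PATHSTRING: print one line per unsafe element and return 1
# if any was found; return 0 for a clean path. Unsafe means an empty
# element (a leading ':', a trailing ':' or '::', which the shell treats
# as the current directory), a relative element such as '.', or an
# existing directory that is world-writable without the sticky bit, where
# any local user could drop a file named like a common command.
check_path() {
    rest="$1:"          # sentinel ':' so the final element is visited too
    bad=0
    while [ -n "$rest" ]; do
        elem=${rest%%:*}
        rest=${rest#*:}
        case $elem in
            "")
                echo "unsafe: empty element (means the current directory)"
                bad=1 ;;
            /*)
                if [ -d "$elem" ]; then
                    # columns 9-10 of ls -ldL: 'w' = world-writable, 't'/'T' = sticky
                    perm=$(ls -ldL "$elem" | cut -c9-10)
                    case $perm in
                        w[!tT]) echo "unsafe: world-writable directory $elem"; bad=1 ;;
                    esac
                fi ;;
            *)
                echo "unsafe: relative element '$elem'"
                bad=1 ;;
        esac
    done
    return $bad
}

# Check the running shell's own PATH.
if check_path "$PATH"; then
    echo "PATH looks clean"
fi
```

Run it as root as well as your own user: root’s PATH is the one an attacker most wants a writable directory in.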

12 Checking for setuid files
find / -perm -4000 -exec ls -lh {} \; 2>/dev/null
The -perm -4000 test matches every file that has the setuid bit set, whatever its other permission bits; 2>/dev/null discards permission-denied messages from directories you cannot read. Use -perm -2000 in the same way to find setgid files.
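A one-off listing is only useful if you compare it with something. The added example below (not from the slides; it also serves slide 4’s point that every setuid-root program is an attack surface) saves a baseline of setuid/setgid files and later reports anything that was not in it. The baseline location in the comments is an assumption; the demonstration uses a constructed temporary tree, so it needs no root and touches nothing on the system.

```shell
#!/bin/sh
# Added example, not from the slides: build a baseline of setuid/setgid
# files and later report anything that was not in it.

# list_setuid DIR: every regular file under DIR with the setuid (4000)
# or setgid (2000) bit, sorted, one per line. -xdev keeps find on the
# file system DIR lives on, and 2>/dev/null drops permission-denied
# noise from directories the caller cannot read.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# new_setuid DIR BASELINE: print files that list_setuid reports now but
# that are absent from BASELINE (a sorted file saved by list_setuid on a
# known-good system). comm -23 prints lines unique to the first input.
new_setuid() {
    list_setuid "$1" | comm -23 - "$2"
}

# Typical use on a real system (the baseline path is an assumption):
#   list_setuid / > /var/lib/setuid.baseline     # once, right after install
#   new_setuid  / /var/lib/setuid.baseline        # at every later check

# Demonstration on a constructed tree: one harmless file, one setuid file.
demo=$(mktemp -d)
mkdir "$demo/tree"
: > "$demo/baseline"
: > "$demo/tree/ok";      chmod 755  "$demo/tree/ok"
: > "$demo/tree/suspect"; chmod 4755 "$demo/tree/suspect"
new_setuid "$demo/tree" "$demo/baseline"     # prints .../tree/suspect
rm -r "$demo"
```

Keep the baseline somewhere an attacker who gained root cannot quietly edit it (read-only media or another host), otherwise the comparison proves nothing.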

13 SELinux
Traditional Linux security, called Discretionary Access Control (DAC), is based on users and groups: the owner of a file decides who may access it. SELinux (Security-Enhanced Linux) was developed by the US National Security Agency and implements Mandatory Access Control (MAC) in the Linux kernel. MAC enforces security policies that limit what a user or program can do, and the owner of an object cannot override them. The policy controls some or all objects, such as files, devices, sockets, and ports, and some or all subjects, such as processes.

14 SELinux
Using SELinux, you can grant a process only the permissions it needs to function, following the principle of least privilege.
The kernel checks the MAC rules after it has processed the DAC rules: an access must pass both, so SELinux can only restrict further what DAC already allows, never grant more.

15 SELinux States
Enforcing (active) is the default state: the SELinux security policy is enforced, and no user or program can do anything not permitted by the policy.
Permissive (warn) is a diagnostic state in which SELinux logs what it would have denied but does not enforce the policy; you can easily switch from it to enforcing or disabled. Use it to find missing rules before enforcing them, not as a permanent setting.
Disabled: no policy is loaded and new files receive no security labels.

16 Degradation
Running SELinux in the permissive or enforcing state degrades system performance by roughly 5 to 10 percent, because every access decision is checked against the policy in addition to the DAC check.

17 SELinux Policies
Targeted applies SELinux MAC controls only to certain targeted processes, mainly network-facing daemons. Daemons and system processes that do not have a specified policy run unconfined and are controlled only by traditional Linux DAC.
Strict applies SELinux MAC controls to all processes. It is very, very restrictive and requires a policy rule for everything on the system.

18 Turning off SELinux
Modify the /etc/selinux/config file so that it includes the line SELINUX=disabled and reboot, or use system-config-securitylevel. Files created while SELinux is disabled get no security labels, so if you re-enable it later you must relabel the file system (create the file /.autorelabel and reboot), or the system may fail to boot in enforcing mode.

19 The SELinux Configuration File
The /etc/selinux/config file controls the state of SELinux on the local system; /etc/sysconfig/selinux is a symbolic link to it. Although you can edit this file directly, it may be more straightforward to work with system-config-securitylevel.

20 To display the state of SELinux
sestatus
sestatus reports whether SELinux is enabled, the current and configured modes (enforcing or permissive), and the policy in use. getenforce prints just the current mode, and setenforce 0 or setenforce 1 switches between permissive and enforcing until the next reboot without editing the configuration file.

21 The system-config-securitylevel utility
The system-config-securitylevel utility displays the Security Level Configuration window, which controls SELinux (and the firewall). To run this utility, enter system-config-securitylevel from a command line in a graphical environment.

22 Booting the System
Booting is loading the kernel into system RAM and starting it running. As the last step of the boot procedure, Linux runs the init program as PID 1. init is the first genuine process to run after booting and is the parent of all system processes. /etc/inittab holds the initdefault entry that tells init which runlevel to bring the system to: 3 for a text login, 5 for a GUI login.

23 Runlevels
level  Name                   Login  Network  Filesystems
0      halt
1      Single user            Text   Down     Mounted
2      Multiuser without NFS  Text   Up       Mounted
3      Multiuser              Text   Up       Mounted
4      User defined
5      Multiuser with X       GUI    Up       Mounted
6      reboot

24 Init Scripts: start and stop system services
The first script that runs is /etc/rc.d/rc.sysinit, which performs basic system configuration. Next, the /etc/rc.d/rc script runs the scripts for the services that must be started when you first bring the system up, and it runs again whenever the runlevel changes, for the services that must then be started or stopped. The rc scripts are shell scripts located in the /etc/rc.d/init.d directory; they are run via symbolic links in the /etc/rc.d/rcn.d directories, where n is the runlevel the system is entering.

25 rc scripts
Each /etc/rc.d/rcn.d directory contains links whose names begin with K (kill) and links whose names begin with S (start), followed by a two-digit sequence number and the service name. When entering a new runlevel, each K link is executed in sequence-number order with the parameter stop, then each S link is executed with the parameter start.

26 /etc/rc.d/init.d
Each link in /etc/rc.d/rcn.d points to a script in /etc/rc.d/init.d. The script names are functional (network, nfs, sshd) and the scripts can be run directly with the start or stop parameter to control these services.

27 To start/stop system services
/etc/rc.d/init.d/nfs stop
/etc/rc.d/init.d/network start
/etc/rc.d/init.d/network restart

28 /etc/rc.d/rc.local
This file is executed after the other init scripts. Put commands that customize the system in rc.local.

29 service
RHEL provides service, a utility that reports on or changes the status of any of the system services in /etc/rc.d/init.d:
/sbin/service nfs stop
/sbin/service network start
/sbin/service network restart

30 chkconfig
chkconfig configures services: it can add and remove services, list their startup information, and check the directory hierarchy (it maintains the links in /etc/rc.d). It changes the configuration only, not currently running services.
To see the list of services configured at each runlevel: chkconfig --list (two dashes)
To turn on httpd at runlevels 2, 3, and 4: chkconfig --level 234 httpd on
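To make the K/S link mechanism of slides 24 to 26 concrete, here is an added example (not from the slides, and not chkconfig’s own code) that reads an /etc/rc.d style tree the way rc and chkconfig --list do: which runlevels a service is enabled in, and the stop/start sequence rc would run on entering a level. The tree it demonstrates on is constructed under a temporary directory; on a real system the first argument would be /etc/rc.d.

```shell
#!/bin/sh
# Added example, not from the slides: read an /etc/rc.d style tree the
# way the rc script and chkconfig --list do. RCDIR is the root of the
# tree (/etc/rc.d on RHEL); the demonstration builds its own tree under
# a temporary directory so it never touches the real one.

# service_levels RCDIR SERVICE: print "N:on" for each runlevel N whose
# rcN.d has an S link for SERVICE and "N:off" otherwise, like
# chkconfig --list SERVICE.
service_levels() {
    rcdir=$1; svc=$2; out=""
    for lvl in 0 1 2 3 4 5 6; do
        state=off
        for link in "$rcdir/rc$lvl.d/S"[0-9][0-9]"$svc"; do
            [ -e "$link" ] && state=on
        done
        out="$out $lvl:$state"
    done
    echo "${out# }"
}

# level_plan RCDIR LEVEL: print what rc would run on entering LEVEL:
# every K link in sequence order with "stop", then every S link with
# "start". The service name is the link name minus its K/S and two-digit
# prefix, which is also how the links map back to /etc/rc.d/init.d.
level_plan() {
    rcdir=$1; lvl=$2
    for link in "$rcdir/rc$lvl.d/K"[0-9][0-9]* "$rcdir/rc$lvl.d/S"[0-9][0-9]*; do
        [ -e "$link" ] || continue
        name=${link##*/}
        case $name in
            K*) action=stop ;;
            *)  action=start ;;
        esac
        echo "$name -> ${name#?[0-9][0-9]} $action"
    done
}

# Demonstration on a constructed tree.
demo=$(mktemp -d)
mkdir -p "$demo/init.d" "$demo/rc0.d" "$demo/rc3.d"
for s in network nfs sshd; do : > "$demo/init.d/$s"; done
ln -s ../init.d/sshd    "$demo/rc3.d/S55sshd"
ln -s ../init.d/network "$demo/rc3.d/S10network"
ln -s ../init.d/nfs     "$demo/rc3.d/K25nfs"
ln -s ../init.d/sshd    "$demo/rc0.d/K25sshd"
service_levels "$demo" sshd        # 0:off 1:off 2:off 3:on 4:off 5:off 6:off
level_plan "$demo" 3
rm -r "$demo"
```

Because the links are ordinary files, anything that can write to /etc/rc.d can add an S link that starts an arbitrary script as root at boot; compare the output against chkconfig --list when reviewing a system.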


32 chkconfig cont.
If you omit the levels, chkconfig defaults to levels 2, 3, 4, and 5.
chkconfig sshd off turns off sshd for runlevels 2, 3, 4, and 5.
chkconfig sets up the link directories so that the services specified will be started at boot time.

33 chkconfig cont.
chkconfig does not stop or start services immediately; its changes take effect at the next runlevel change or reboot. To start or stop a service right away, use service:
service sshd stop
To disable a service both now and at boot, run both commands: chkconfig sshd off and service sshd stop.

34 Using chkconfig video

35 To change runlevels while running
/sbin/telinit 1 changes to runlevel 1 (single-user mode)
telinit 3 changes to runlevel 3
runlevel displays the previous and current runlevel

36 Shutdown options
To stop the system: shutdown -h now
To reboot the system: shutdown -r now

37 rpcinfo
rpcinfo displays information about programs registered with portmap and makes RPC calls to programs to see whether they are alive.
-p (probe) lists all RPC programs registered on host, or on the local system if no host is specified
-n port number: use the given port number instead of asking portmap for it
-u (UDP) and -t (TCP): make an RPC call to the named program over that transport
rpcinfo -p hostname

38 rpcinfo cont.
Because the portmap daemon holds information about which RPC servers are running on the local system and which port each is listening on, only trusted systems should have access to this information. You can lock it down with TCP wrappers by adding portmap: hostIP (the addresses allowed to query it) to /etc/hosts.allow and portmap: ALL to /etc/hosts.deny.

39 xinetd Superserver
xinetd is more secure than inetd, with built-in access control, logging, and rate limiting. It listens for network connections; when one is made, it launches the appropriate server daemon and connects the socket to the daemon’s standard input and output. It is configured in /etc/xinetd.conf and the per-service files in /etc/xinetd.d.

40 PAM
Linux Pluggable Authentication Modules (PAM) allow a system administrator to determine how applications use authentication to verify the identity of a user. Each application has its own stack of modules, for example /etc/pam.d/login for console logins.

41 TCP Wrappers
When you open a local system to access from remote systems, you must ensure that:
–The local system is open only to the systems you want to allow to access it
–Each remote system can access only the data you want it to access
–Each remote system can access that data only in the proper manner

42 TCP wrappers
TCP wrappers can be used for any daemon that is linked against libwrap. They rely on the /etc/hosts.allow and /etc/hosts.deny files for access control, checked in this order:
If the daemon/client pair matches a line in hosts.allow, access is granted.
Otherwise, if the daemon/client pair matches a line in hosts.deny, access is denied.
If there is no match in either file, access is granted.
Because the default is to grant access, a deny-by-default policy needs an explicit ALL: ALL line in hosts.deny, with the permitted daemon/client pairs listed in hosts.allow.
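The three-step decision above, and the portmap lock-down of slide 38, as an added example that is not part of the slides and not libwrap’s own code: a shell implementation of the hosts.allow / hosts.deny order for a subset of the hosts_access(5) syntax (daemon_list : client_list lines, comma-separated lists, the patterns ALL, an exact host or address, a trailing-dot network prefix, and a leading-dot domain suffix). EXCEPT clauses and the optional shell-command field are not supported. The files it reads are constructed in a temporary directory, not the system’s /etc/hosts.*.

```shell
#!/bin/sh
# Added example, not from the slides: the hosts.allow / hosts.deny
# decision order of TCP wrappers for a subset of hosts_access(5).

# token_matches TOKEN VALUE: ALL, exact match, "192.168.1." prefix,
# or ".corp.example" suffix.
token_matches() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;   # network prefix
        .*)  case $2 in *"$1") return 0 ;; esac ;;   # domain suffix
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# list_matches LIST VALUE: LIST is comma- and/or space-separated.
list_matches() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        token_matches "$tok" "$2" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT: 0 if some non-comment line's daemon
# list matches DAEMON and its client list matches CLIENT.
file_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        clients=${clients%%:*}      # ignore an optional third (option) field
        list_matches "$daemons" "$2" && list_matches "$clients" "$3" && return 0
    done < "$1"
    return 1
}

# tcpd_decision ALLOWFILE DENYFILE DAEMON CLIENT: prints allow or deny.
# hosts.allow is consulted first, then hosts.deny; when neither matches,
# libwrap grants access, which is why an empty hosts.deny protects nothing.
tcpd_decision() {
    if file_matches "$1" "$3" "$4"; then
        echo allow
    elif file_matches "$2" "$3" "$4"; then
        echo deny
    else
        echo allow
    fi
}

# Demonstration on constructed files.
demo=$(mktemp -d)
printf 'sshd, portmap: 192.168.1. , .corp.example\n' > "$demo/hosts.allow"
: > "$demo/hosts.deny"
tcpd_decision "$demo/hosts.allow" "$demo/hosts.deny" sshd 10.0.0.5       # allow: nothing denies it
printf 'ALL: ALL\n' > "$demo/hosts.deny"
tcpd_decision "$demo/hosts.allow" "$demo/hosts.deny" sshd 10.0.0.5       # deny
tcpd_decision "$demo/hosts.allow" "$demo/hosts.deny" sshd 192.168.1.20   # allow
rm -r "$demo"
```

The first call is the pitfall: with only an allow list and an empty hosts.deny, every client is still admitted. The real libwrap also accepts the name forms and options in hosts_access(5) that this subset leaves out, so use tcpdmatch to verify the real files.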

43 cron
cron is the system scheduler. The crond daemon reads each user’s crontab file and runs repetitive tasks at the times and dates the user specified there. Entries run with that user’s ID and privileges, and each crontab file is stored under the user’s name. crond wakes up every minute to check whether there are jobs that need to be run.

44 cron example
To create or modify your crontab file: crontab -e (edits your own crontab with vi, or with the editor named in VISUAL or EDITOR)
To view the contents of the file: crontab -l
To delete the file: crontab -r
Your crontab file is stored under your username in /var/spool/cron on RHEL and Fedora (/var/spool/cron/crontabs on some other distributions). Edit it with crontab rather than directly, so that crond notices the change.
The crond daemon checks the crontab files every minute to determine whether a task should be launched in that minute.
Each line in a crontab file has 6 fields:
–minute (0-59)
–hour (0-23)
–day of the month (1-31)
–month (1-12)
–day of the week (0-7, where both 0 and 7 mean Sunday)
–command to run
For example, 30 2 * * 1-5 /usr/local/sbin/backup runs the backup (an illustrative path) at 02:30 every weekday.

