Ex 300

The document provides instructions for configuring various services on server and desktop systems. It includes steps to: 1. Configure SELinux, repositories, SSH access, port forwarding, customizing the user environment, IPv6 networking, link aggregation, SMTP, NFS, SMB, and a web server. 2. Share directories using NFS and SMB, and mount shared directories on client systems. Access to shares is configured with options like security, users, and permissions. 3. Download files, modify configurations, start and enable services, test functionality, and check configurations to complete the implementations.

Uploaded by

NAYEEM

01.Configure SELinux

Configure your systems so that SELinux is running in Enforcing mode.

#getenforce
#vim /etc/selinux/config
SELINUX=enforcing
#init 6
#getenforce

02.Configure Repository
Create a Repository for your virtual machines. The url is
http://content.example.com/rhel7.0/x86_64/dvd

#vim /etc/yum.repos.d/xxx.repo
[7777]
name=xxx
baseurl=http://content.example.com/rhel7.0/x86_64/dvd
gpgcheck=0
save
#yum clean all
#yum repolist

03.ssh configuration
Configure SSH access on your virtual hosts as follows.
Clients within hacker.org should NOT have access to ssh on your systems.

#yum install -y openssh-server


#firewall-cmd --permanent --add-service=ssh
#firewall-cmd --reload

#firewall-cmd --permanent --add-rich-rule "rule family=ipv4 source address=172.16.0.0/24 service name=ssh reject"
#firewall-cmd --reload
#firewall-cmd --list-rich-rules

04.Configure Port Forwarding


Configure serverX to forward traffic incoming on port 5243/tcp from
source network 172.25.X.0/255.255.255.0 to port 80/tcp.

#firewall-cmd --permanent --add-rich-rule "rule family=ipv4 source address=172.25.18.0/24 forward-port port=5243 protocol=tcp to-port=80"
success
#firewall-cmd --reload
#firewall-cmd --list-rich-rules

05.Customize user environment


Create a command called qstat on both serverX and desktopX.
It should be able to execute the following command (ps -eo
pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,comm)

#vim /etc/bashrc
qstat(){
ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,comm
}
save
#source /etc/bashrc
#qstat
06.Configure ipv6 network

Configure eth0 with static IPv6 addresses as follows.

Configure a Static IPv6 address in serverX as 2001::db8:00:1/64.
Configure a Static IPv6 address in desktopX as 2001::db8:00:2/64.
Both machines are able to communicate within the network 2001:db8:X.
The changes should be permanent even after the reboot.
Both systems must maintain the current IPV4 address and can communicate

---on serverX---
#nmcli device status
#nmcli connection modify "System eth0" ipv6.addresses 2001::db8:00:1/64 ipv6.method static connection.autoconnect yes
#nmcli connection up "System eth0"
#ip address show eth0

---on desktopX---
#nmcli device status
#nmcli connection modify "System eth0" ipv6.addresses 2001::db8:00:2/64 ipv6.method static connection.autoconnect yes
#nmcli connection up "System eth0"
#ip address show eth0

07.Link Aggregation
Configure a link on your serverX and desktopX that watches for link
changes and selects an active port for data transfers.
serverX should have the address as 192.168.X.10/255.255.255.0.
desktopX should have the address as 192.168.X.11/255.255.255.0. (Note:
where X is your station number)

#nmcli connection add type team ifname teamX con-name XXXX config '{"runner":{"name":"activebackup"}}'
#nmcli connection show
---help to get the code-- #man teamd.conf | grep activebackup
#nmcli connection modify XXXX ipv4.addresses 192.168.6.100/24 ipv4.method static connection.autoconnect yes
#nmcli connection up XXXX
#ip address show teamX
#nmcli connection add type team-slave ifname slave1 con-name port1 master teamX
#nmcli connection add type team-slave ifname slave2 con-name port2 master teamX
#nmcli connection up XXXX
#nmcli connection show
#teamdctl teamX state

08.0.0 SMTP Configuration


Your serverX system should accept new email messages over SMTP from the
172.25.X.0/24 subnet. All messages not addressed to @serverX.example.com
or @localhost[.localdomain]
should be forwarded to the SMTP smarthost running on desktopX.example.com

--package name : postfix, config file /etc/postfix/main.cf

#yum install postfix -y
#firewall-cmd --permanent --add-service=smtp
#firewall-cmd --reload
#cp /etc/postfix/main.cf /etc/postfix/main.cf.bd
#vim /etc/postfix/main.cf
---changes are
inet_interfaces=all
mynetworks=172.25.X.0/24
mydestination=serverX.example.com, localhost.localdomain, localhost
relayhost=desktopX.example.com
myorigin=example.com
#systemctl restart postfix
#systemctl enable postfix
---testing mail relay-----
#mail [email protected]
subject:xxxxxxx
yyyyyyy
.
EOT
#mail

08.0.1 SMTP Configuration


Configure the SMTP mail service on serverX so that it relays mail
only from the local system through desktopX.example.com; all outgoing mail
should have example.com as its sender domain.
-Ensure that mail is not stored locally.
-Verify the mail server is working by sending mail to student user.
-Check the mail on desktopX on /var/spool/mail/student

#vim /etc/postfix/main.cf
inet_interfaces=localhost
mydestination=

09.NFS Server

Configure serverX with the following requirements.


Share the /nfsshare directory within the example.com domain clients
only, share must be writable.
Share the /nfssecure directory and enable krb5p security to secure
access to the NFS share, using the keytab from URL
http://classroom.example.com/pub/keytabs/serverX.keytab
Create a directory named as protected under /nfssecure.
The exported directory should have read/write access from all
subdomains of the example.com domain.
Ensure the directory /nfssecure/protected should be owned by the user
harry with read/write permission.

#yum install nfs-utils -y


#firewall-cmd --permanent --add-service={nfs,mountd,rpc-bind}
#firewall-cmd --reload
#mkdir /nfsshare
#setfacl -m u:nfsnobody:rwx /nfsshare/
#vim /etc/exports
/nfsshare 172.25.15.0/24(rw,sync)
#exportfs -r
#systemctl restart nfs
#showmount -e serverX.example.com

#mkdir /nfssecure
#vim /etc/exports
/nfssecure 172.25.15.0/24(rw,sync,sec=krb5p)
#wget <link address> -O /etc/krb5.keytab
#systemctl restart nfs-server nfs-secure-server
#mkdir /nfssecure/protected
#chown ldapuserX /nfssecure/protected
#setfacl -m u:ldapuserX:rwx /nfssecure
10. Mount /nfsshare directory on desktopX under /public directory
persistently at system boot time.
Mount /nfssecure/protected with krb5p secured share on desktopX
beneath /secure/protected provided with keytab
http://content.example.com/pub/keytabs/desktopX.keytab
The user harry should be able to write files on /secure directory.

# mkdir /public
# vim /etc/fstab
server15.example.com:/nfsshare /public nfs defaults 0 0
# mount -a

# wget http://classroom.example.com/pub/keytabs/desktop15.keytab -O /etc/krb5.keytab
#systemctl restart nfs-secure
#systemctl enable nfs-secure
# mkdir /secure/protected -p
# vim /etc/fstab
server15.example.com:/nfssecure/protected /secure/protected nfs defaults,sec=krb5p 0 0

# mount -a

11.Configure SMB access

Share the /sambadir directory via SMB on serverX


- Your SMB server must be a member of the TESTGROUP workgroup
- The share's name must be data
- The data share must be available to example.com domain clients
only.
- The data share must be browseable
- susan must have read access to the share, authenticating with the
same password password, if necessary.
- Configure the serverX to share /opstack with SMB share name must be
cluster.
- The user ldapuserX has read, write and access permission to the
/opstack SMB share.
- The user ldapuser20 has read access to the /opstack SMB share.
- Both users should have the SMB passwd "redhat".

###
yum install samba
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
firewall-cmd --list-services
mkdir /sambadir
semanage fcontext -a -t samba_share_t '/sambadir(/.*)?'
restorecon -R /sambadir/

#vim /etc/samba/smb.conf

workgroup = TESTGROUP

[data]
path=/sambadir
hosts allow=172.25.15.
browsable=yes
read only=yes
valid users=susan
#useradd susan
#id susan
#smbpasswd -a susan
password
#pdbedit -L
# systemctl restart smb nmb
to check smbclient -U susan //server15/data

#mkdir /opstack
semanage fcontext -at samba_share_t '/opstack(/.*)?'
# restorecon -RV /opstack/
# vim /etc/samba/smb.conf

[cluster]
path=/opstack
read only=yes
valid users=ldapuser15, ldapuser20
write list=ldapuser15

# testparm
# smbpasswd -a ldapuser15
# smbpasswd -a ldapuser20
# pdbedit -L
# setfacl -m u:ldapuser15:rwx,u:ldapuser20:rw /opstack/
# smbclient -U ldapuser15 //server15/cluster

12.smb multiuser mount


Mount the samba share /opstack permanently beneath /mnt/smbspace on
desktopX as a multiuser mount.
The samba share should be mounted with the credentials of ldapuser20.

mkdir /mnt/samba

For Mount To Another Host [Temporary]
================================
mount -t cifs //server15/data /mnt/ -o user=user1
mount -t cifs //server15/data /mnt/ -o user=user1,pass=redhat

mount -t cifs //server15/data /mnt/ -o credentials=/root/samba.txt


vim /root/samba.txt
user=user1
pass=redhat

In Fstab
==================
//server15/data /mnt/samba cifs defaults,credentials=/root/samba.txt 0 0
or
//server15/data /mnt/samba cifs defaults,user=user1,pass=redhat 0 0

Mount Multi User Mode
==========================
//server15/data /mnt cifs defaults,credentials=/root/samba.txt,multiuser,sec=ntlmssp 0 0
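
The fstab variants above differ in where the SMB password ends up: /etc/fstab is normally world-readable, so pass= there is visible to every local user, while a credentials file can be restricted to root. The check below is an added example, not part of the original notes; the function names, report labels and temporary paths are made up for illustration.

```shell
#!/bin/sh
# Added example: audit CIFS entries in an fstab-format file. Reports inline
# passwords and credentials files that are missing or readable by group/others.
# Returns 1 if anything was reported.
audit_cifs_fstab() {
    fstab=${1:-/etc/fstab}
    findings=0
    # fstab fields: device, mount point, fs type, options, dump, fsck order
    while read -r dev mnt fstype opts rest; do
        case $dev in ''|'#'*) continue ;; esac
        [ "$fstype" = cifs ] || continue
        # Split the comma-separated options with globbing switched off.
        old_ifs=$IFS; IFS=,; set -f
        set -- $opts
        IFS=$old_ifs; set +f
        for opt in "$@"; do
            case $opt in
                pass=*|password=*)
                    echo "INLINE-PASSWORD $mnt"
                    findings=$((findings + 1)) ;;
                credentials=*|cred=*)
                    file=${opt#*=}
                    if [ ! -f "$file" ]; then
                        echo "CRED-MISSING $mnt $file"
                        findings=$((findings + 1))
                    else
                        # Characters 5-10 of the mode string are the
                        # group and other permission bits.
                        bits=$(ls -ld "$file" | cut -c5-10)
                        if [ "$bits" != "------" ]; then
                            echo "CRED-EXPOSED $mnt $file"
                            findings=$((findings + 1))
                        fi
                    fi ;;
            esac
        done
    done < "$fstab"
    [ "$findings" -eq 0 ]
}

# Constructed sample: the three fstab variants from the notes, with the
# credentials file in a temporary directory; $1 is the file mode to test.
demo_cifs_audit() {
    dir=$(mktemp -d) || return 2
    printf 'user=user1\npass=redhat\n' > "$dir/samba.txt"
    chmod "${1:-644}" "$dir/samba.txt"
    cat > "$dir/fstab" <<EOF
//server15/data /mnt/samba cifs defaults,credentials=$dir/samba.txt 0 0
//server15/data /mnt/inline cifs defaults,user=user1,pass=redhat 0 0
//server15/data /mnt/multi cifs defaults,credentials=$dir/samba.txt,multiuser,sec=ntlmssp 0 0
EOF
    status=0
    audit_cifs_fstab "$dir/fstab" || status=$?
    rm -rf "$dir"
    return "$status"
}
```

Run audit_cifs_fstab with no argument to check the live /etc/fstab; a credentials file set to mode 600 clears the CRED-EXPOSED lines.
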
13. Webserver

Implement a webserver for the site http://serverX.example.com

Download the webpage from
http://content.example.com/pub/rhce/rhce.htmll
Rename the downloaded file to index.html.
Copy the file into your webserver document root.
Do not make any modification to the content of index.html.
Clients within hacker.org should NOT access the webserver on your
systems

#yum install -y httpd
#yum install -y httpd-manual.noarch
#firewall-cmd --permanent --add-service=http
#firewall-cmd --reload
#wget http://content.example.com/pub/rhce/rhce.htmll -O /var/www/html/index.html
#vim /etc/httpd/conf/httpd.conf
#systemctl restart httpd
#systemctl enable httpd
#firewall-cmd --permanent --add-rich-rule "rule family=ipv4 source address=172.16.0.0/24 service name=http reject"
#firewall-cmd --reload

14.secure webserver

Configure the website https://serverX.example.com with TLS

SSLCertificateFile
http://classroom.example.com/pub/tls/certs/serverX.crt
SSLCertificateKeyFile
http://classroom.example.com/pub/tls/private/serverX.key
SSL CA certificate file http://classroom.example.com/pub/example-ca.crt.

# yum install -y mod_ssl.x86_64


# firewall-cmd --permanent --add-service=https
# firewall-cmd --reload
# cd /etc/httpd/conf.d/
# ls
# vim ssl.conf
SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/certs/server16.crt
SSLCertificateKeyFile /etc/pki/tls/private/server16.key
SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt

### wget each file into the location referenced above

# httpd -t
# systemctl restart httpd.service
# firefox https://server16.example.com

15.webpage restriction

Create a folder topsecret in your web server Document Root

Download http://content.example.com/pub/rhce/restrict.html
Rename the file to index.html
The content of the topsecret directory should be visible to everyone browsing
from your local system but should not be accessible from any other location

# mkdir /var/www/html/topsecret

#wget http://content.example.com/pub/rhce/restrict.html -O /var/www/html/topsecret/index.html

#cd /etc/httpd/conf.d
#vim /etc/httpd/conf.d/server16.conf

<VirtualHost *:80>
ServerName server16.example.com
DocumentRoot /var/www/html
</VirtualHost>

<Directory "/var/www/html/topsecret">
require host server16.example.com localhost
</Directory>

#httpd -t
#systemctl restart httpd.service
#systemctl enable httpd.service
#firefox http://server16.example.com/topsecret

16.Virtual hosting

Setup a virtual host with an alternate document root.


Extend your web server to include a virtual host for the site
http://wwwX.example.com
Set the document root as /virtual
Download http://content.example.com/pub/rhce/www.html
Place this document in the document root of the virtual host
Rename the file as index.html
Note: The other websites configured for your server must still be
accessible.
wwwX.example.com is already provided by the name server on example.com

# man semanage fcontext [for help about semanage]

# mkdir /virtual
# semanage fcontext -a -t httpd_sys_content_t "/virtual(/.*)?"
# restorecon -Rv /virtual/

# wget http://content.example.com/pub/rhce/www.html -O /virtual/index.html
# cd /etc/httpd/conf.d/
# ls
# vim server16.conf

<VirtualHost *:80>
ServerName server16.example.com
DocumentRoot /var/www/html
</VirtualHost>

<Directory "/var/www/html/topsecret">
require host server16.example.com localhost
</Directory>
<VirtualHost *:80>
ServerName www16.example.com
DocumentRoot /virtual
</VirtualHost>

<Directory "/virtual">
require all granted
</Directory>

#httpd -t
#systemctl restart httpd.service
#firefox http://www16.example.com/

17.dynamic web page configuration


Configure website http://webappX.example.com:9189/myapp on serverX with
the document root /dynamic. The site should execute appweb.wsgi.
The page is already provided at
http://classroom.example.com/content/pub/rhce/appweb.wsgi; the content of the
script should not be modified.

#yum install -y mod_wsgi.x86_64


#firewall-cmd --permanent --add-port=9189/tcp
#firewall-cmd --reload
#man semanage port
#semanage port -a -t http_port_t -p tcp 9189
#semanage port -l |grep http
#mkdir /dynamic
#semanage fcontext -a -t httpd_sys_content_t '/dynamic(/.*)?'
#restorecon -R /dynamic/
#ls -ldZ /dynamic
# cd /dynamic/
#wget -N http://classroom.example.com/content/pub/appweb.wsgi
#vim /etc/httpd/conf.d/server16.conf

<VirtualHost *:9189>
ServerName webapp16.example.com
DocumentRoot /dynamic
WSGIScriptAlias /myapp /dynamic/appweb.wsgi
</VirtualHost>

<Directory "/dynamic">
require all granted
</Directory>
listen 9189

# httpd -t
# systemctl restart httpd.service
# firefox http://webapp16.example.com:9189/myapp

18.script1

Create a script on serverX called /root/random with the following
details.
When run as /root/random postconf, should bring the output as
"postroll"
When run as /root/random postroll, should bring the output as
"postroll"
When run with any other argument or without argument, should bring
the stderr as "/root/random postconf|postroll"

19.script2

Create a script on serverX called /root/createusers


When this script is called with the testfile argument, it should add
all the users from the file
Download the file from http://content.example.com/pub/testfile
All users should have the login shell as /bin/false, password not
required.
When this script is called with any other argument, it should print
the message as "Input File Not Found"
When this script is run without any argument, it should display
"Usage: /root/createusers"
NOTE: If the users are added no need to delete.
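
One way to write the createusers script described above, as an added example that is not part of the original notes. It assumes the downloaded testfile holds one user name per line; the USERADD override (for a dry run without root) and the name check are additions made for this example.

```shell
#!/bin/sh
# Added example: one way to write /root/createusers for task 19.
# USERADD is an assumption of this example, not part of the task: set
# USERADD="echo useradd" to print the commands instead of running them.
createusers() {
    if [ "$#" -eq 0 ]; then
        echo "Usage: /root/createusers"
        return 1
    fi
    if [ ! -f "$1" ]; then
        echo "Input File Not Found"
        return 1
    fi
    status=0
    # One user name per line; the last line may lack a trailing newline.
    while IFS= read -r name || [ -n "$name" ]; do
        # Skip blank lines and anything that is not a plain account name,
        # so a line can never reach useradd as an option or a path.
        case $name in
            ''|-*|*[!a-z0-9_-]*) continue ;;
        esac
        # Accounts that already exist are left untouched.
        if id "$name" >/dev/null 2>&1; then
            continue
        fi
        # No password is set, and /bin/false as shell blocks interactive login.
        ${USERADD:-useradd} -s /bin/false "$name" || status=1
    done < "$1"
    return "$status"
}

# Run the function only when this file is installed as .../createusers.
case ${0##*/} in
    createusers) createusers "$@" ;;
esac
```
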

20.Configure SCSI storage

Create a new 1GB target on your serverX.example.com.

The block device name should be data block
The server should export an iscsi disk called iqn.2014-10.com.example:serverX.

# yum install -y targetcli.noarch


# firewall-cmd --permanent --add-port=3260/tcp
# firewall-cmd --reload

------------lvcreate 1G/1100M-----------------

targetcli
/> cd
/backstores/block> create name=data dev=/dev/vg16/iscsi
/iscsi> create wwn=iqn.2014-10.com.example:server16
/iscsi/iqn.20...r16/tpg1/acls> create iqn.2014-10.com.example:abc
/iscsi/iqn.20...r16/tpg1/luns> create /backstores/block/data
/iscsi/iqn.20.../tpg1/portals> create ip_address=172.25.16.11 ip_port=3260
go to root
/> saveconfig
/>exit
#systemctl status target
#systemctl restart target
#systemctl enable target

21.SCSI initiator

The serverX.example.com provides an iscsi port(3260). Connect the
disk with desktopX.example.com and configure filesystem with the
following requirements.
Create 800MB partition on ISCSI block device and assign the
filesystem as xfs.
Mount the volume under /mnt/initiator at the system boot time.
The filesystem should contain a copy of
http://content.example.com/pub/iscsi.txt.
The file should be owned by root with 0644 permission.
NOTE: content of the file should not be modified.
# yum install iscsi-initiator-utils.i686
# vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2014-10.com.example:abc
# iscsiadm -m discovery -t st -p server16
# lsblk
sda 8:0 0 1G 0 disk
# systemctl restart iscsi
# lsblk
# systemctl enable iscsi
# man iscsiadm
# fdisk /dev/sda
# partprobe
# lsblk
# mkfs.xfs /dev/sda1
# mkdir /mnt/initiator
# blkid
# vi /etc/fstab
# mount -a
# df -hT
# cd /mnt/initiator/
# wget http://content.example.com/pub/iscsi.txt
# chmod 0644 /mnt/initiator/iscsi.txt
# ls -la

note- if anything goes wrong, restart the daemon iscsid; for any help about
discovery - man iscsiadm
#systemctl restart iscsid

22.MariaDB
Restore a database on serverX from the backup file
http://classroom.example.com/materials/mariadb/inventory.dump
The database name should be Inventory. It should be accessible only from
the localhost.
Set a password for root user as "redhat". Other than the root user, the
user andrew should be able to run read queries on the above mentioned database.
The user should be authenticated with the password as "redhat".

# yum install mariadb* -y


# systemctl restart mariadb
# systemctl enable mariadb
# systemctl status mariadb
# mysql_secure_installation
#set root user password
#remove anonymous users
#disallow root login remotely
#remove test database
#reload database

#mysql -u root -p
show databases;
use mysql
select host,user,password from user;
create database Inventory;

#wget http://classroom.example.com/materials/mariadb/inventory.dump

# mysql -u root -p Inventory < inventory.dump


create user andrew@localhost identified by 'redhat';
grant select on Inventory.* to andrew@localhost;
flush privileges;
mysql -u andrew -p
password
show databases;
use Inventory
show tables;
select * from product;

23.MariaDB2
Database queries using the database on the system serverX, and use the
appropriate SQL query to answer the following questions:
1. who is the seller of Ssd category products?
2. what is the number types of Lenovo's product in the inventory?

select id from category where name='Ssd';


select id_manufacturer from product where id_category=3;
select seller from manufacturer where id=1;

select id from manufacturer where name='Lenovo';


select count(*) from product where id_manufacturer=4;
