Labs

Question 1

serverb is relocated to Jamaica. update the time zone and view the recorded log events.

Answer 1

tzselect

sudo timedatectl set-timezone America/Jamaica

journalctl --since 06:49:00 --until 07:19:00

Question 2

Configure rsyslog to write the Logging test authpriv.alert message to the /var/log/auth-errors file.

Answer 2

echo "authpriv.alert  /var/log/auth-errors"  >> /var/rsyslog.d/auth-erros.conf

sudo systemctl restart rsyslog

logger -p authpriv.alert "Logging test authpriv.alert"

sudo tail /var/log/auth-errors

Question 3

On serverb, synchronize /etc directory from servera to the /configsync directory.

Answer 3

rsync -av root@servera:/etc /configsync

Question 4

Create a configfile-backup-servera.tar.gz archive with the /configsync directory contents.

Answer 4

tar -czf configfile-backup-servera.tar.gz /configsync

Question 5

Securely copy /root/configfile-backup-servera.tar.gz from serverb to the /home/student directory on workstation.

Answer 5

sftp student@workstation

put configfile-backup-servera.tar.gz

bye

Question 6

Extract the content of configfile-backup-servera.tar.gz to /tmp/savedconfig/

Answer 6

mkdir /tmp/savedconfig && cd $_

tar -xzf ~/configfile-backup-servera.tar.gz

Question 7

Change the current tuning profile for serverb to balanced. List the information for the balanced tuning profile when it is the current tuning profile.

Answer 7

dnf list tuned

dnf install -y tuned

sudo tuned-adm list

sudo tune-adm profile balanced

sudo tuned-adm profile_info

Question 8

Two processes on serverb are consuming a high percentage of CPU usage. Adjust each process’s nice level to 10.

Answer 8

ps aux --sort=pcpu

ps -o pid,pcpu,nice,comm

sudo renice -n 10 1079 1095

Question 9

Open http://serverb/lab.html web page. You see an error message. Research and identify the SELinux issue that prevents Apache from serving web content.

Answer 9

less /var/log/messages

sealert -l 35c9e452-2552-4ca3-8217-493b72ba6d0b

ausearch -m AVC -ts recent

Question 10

Display the SELinux context of the new HTTP document directory and the original HTTP document directory. Resolve the SELinux issue that prevents the Apache server from serving web content.

Answer 10

ls -dZ /lab-content /var/www/html

semanage fcontext -a
-t httpd_sys_content_t '/lab-content(/.*)?'

restorecon -R /lab-content/

Question 11

serverb has several unused disks. On first, create a GPT partition label and a 2 GB GPT partition named backup.

Configure the backup partition to host an XFS file system.

Answer 11

lsblk

parted /dev/vdb mklabel gpt

parted /dev/vdb mkpart backup 1028s 2GB

mkds.xfs /dev/vdb

udevadm settle

Question 12

Initialize the two 512 MB partitions as swap spaces, and configure them to activate at boot. Set the swap space on the swap2 partition to be preferred over the other.

Answer 12

mkswap /dev/vdb2
mkswap /dev/vdb3

swapon /dev/vdb2
swapon /dev/vdb3

UUID=87976166-4697-47b7-86d1-73a02f0fc803   swap    swap  pri=10    0 0
UUID=4d9b847b-98e0-4d4e-9ef7-dfaaf736b942   swap    swap  pri=20    0 0

systemctl daemon-reload

swapon -a

swap --show

Question 13

Create a 512 MiB partition on the /dev/vdb disk. Initialize this partition as a physical volume, and extend the serverb_01_vg volume group to use this partition.

Answer 13

parted /dev/vdb unit MiB print

parted /dev/vdb mkpart primary 514MiB 1026MiB

udevadm settle

pvcreate /dev/vdb2

vgextend serverb_01_vg /dev/vdb2

lvextend -L 768M /dev/serverb_01_vg/serverb_01_lv

xfs_growfs /storage/data1

Question 14

Create serverb_02_lv LV with 128 MiB. Create the XFS file system on the newly created volume. Mount the newly created logical volume on the /storage/data2 directory.

Answer 14

lvcreate -n serverb_02_lv -L 128M serverb_01_vg

mkfs -t xfs /dev/serverb_01_vg/serverb_02_lv

mkdir /storage/data2

/etc/fstab: /dev/serverb_01_vg/serverb_02_lv /storage/data2 xfs defaults 0 0

systemctl daemon-reload

mount /storage/data2

df -h /storage/data1

lvdisplay /dev/serverb_01_vg/serverb_01_lv

Question 15

Configure an automounter indirect map on servera with exports from serverb. Create an indirect map with files that are named /etc/auto.master.d/shares.autofs for the master map and /etc/auto.shares for the mapping file. Use the /remote directory as the main mount point on servera.

Answer 15

/remote /etc/auto.shares

* -rw,sync,fstype=nfs4 serverb.lab.example.com:/shares/&

systemctl enable --now autofs

Question 16

Change the default systemd target on the serverb machine for the system to automatically start a graphical interface when it boots.

Answer 16

systemctl set-default graphical.target

Question 17

Log in to the serverb machine to determine what is preventing access to the web servers.

Answer 17

systemctl status httpd.service

sudo sealert -a /var/log/audit/audit.log

Question 18

Configure SELinux and FirewallD to allow the httpd service to listen on the 1001/TCP port.

Answer 18

sudo semanage port -l | grep 'http'

sudo semanage port -a -t http_port_t -p tcp 1001

sudo systemctl enable --now httpd

sudo firewall-cmd --permanent --zone=public 
--add-port=1001/tcp

sudo firewall-cmd --reload

Question 19

Install podman and skopeo

Answer 19

sudo dnf install container-tools

Question 20

registry.lab.example.com stores the rhel8/mariadb-103 image with several tags.

• Use podsvc user to list available tags
• Note the tag with lowest version number.
• Use admin and redhat321 to authenticate to the registry.
• Use /tmp/registries.conf as a template for the registry configuration.

Answer 20

ssh podsvc@serverb

mkdir -p ~/.config/containers/

cp /tmp/registries.conf  ~/.config/containers/

podman login registry.lab.example.com

skopeo inspect
docker://registry.lab.example.com/rhel8/mariadb-103

Question 21

1. Create dir /home/podsvc/db_data
2. Configure it so containers have read/write access.
3. Create the inventorydb detached container.
   * Use the rhel8/mariadb-103 image,
   * Use the tag with the lowest version number
   * Map port 3306 in the container to port 13306 on the host.
   * Mount /home/podsvc/db_data on the host as /var/lib/mysql/data in the container.

Answer 21

podman run -d --name db_01 -p 13306:3306 \
-e MYSQL_USER=operator1 \
-e MYSQL_PASSWORD=redhat \
-e MYSQL_DATABASE=inventory \
-e MYSQL_ROOT_PASSWORD=redhat \
registry.lab.example.com/rhel8/mariadb-103:1-86

mkdir /home/podsvc/db_data

podman exec -it db_01 cat /etc/passwd

podman stop db_01

podman rm db_01

podman unshare chown 27:27 /home/podsvc/db_data

podman run -d --name inventorydb -p 13306:3306 \
-e MYSQL_USER=operator1 \
-e MYSQL_PASSWORD=redhat \
-e MYSQL_DATABASE=inventory \
-e MYSQL_ROOT_PASSWORD=redhat \
-v /home/podsvc/db_data:/var/lib/mysql/data:Z \
registry.lab.example.com/rhel8/mariadb-103:1-86

~/containers-review/testdb.sh

Question 22

Configure systemd so that inventorydb container starts automatically when the system boots.

Answer 22

mkdir -p ~/.config/systemd/user/

cd ~/.config/systemd/user/

podman generate systemd --name inventorydb --files --new

podman stop inventorydb

podman rm inventorydb

systemctl --user daemon-reload

systemctl --user enable --now container-inventorydb.service

loginctl enable-linger

Question 23

Identify the UUID for /dev/vdb1, and mount it manually using its UUID on /mnt/freespace.

Answer 23

lsblk -fp /dev/vdb

mkdir /mnt/freespace

mount UUID="44bfb7c8-970c-4d0b-b53d-90ae31cb27ca" /mnt/freespace

Question 24

Generate a disk usage report for the /usr/share directory. Save the result in the /mnt/freespace/results.txt file.

Answer 24

du /usr/share > /mnt/freespace/results.txt

Question 25

Locate all the files that match the rsyslog.conf keyword, and store the result in the /mnt/freespace/search1.txt file.

Answer 25

updatedb

locate rsyslog.conf > /mnt/freespace/search1.txt

Question 26

Store in the /mnt/freespace/search2.txt file the search result of all files in the /usr/share directory that are greater than 50 MB and less than 100 MB.

Answer 26

find /usr/share -size +50M -size -100M 
/mnt/freespace/search2.txt

Question 27

On serverb , configure a software repository to obtain updates. Name the repository errata and configure the repository in the /etc/yum.repos.d/errata.repo file. Configure the errata.repo file to use the http://content.example.com/rhel9.0/x86_64/rhcsa-practice/errata repository. Do not verify GPG signatures.

Answer 27

vi /etc/yum.repos.d/errata.repo

[errata]
name=Red Hat Updates
baseurl=http://content.example.com/rhel9.0/x86_64/rhcsa-practice/errata
enabled=1
gpgcheck=0

Question 28

Create a connection with a static network configuration by using the settings in the table.
~~~
Connection name: lab
Interface name: enX
Mac: 52:54:00:00:fa:0b MAC address
IP address 172.25.250.11/24
Gateway address 172.25.250.254
DNS address 172.25.250.254
~~~

Answer 28

ip link

nmcli con add con-name lab ifname eth0 type ethernet 
ipv4.method manual ipv4.dns 172.25.250.254 
ipv4.addresses 172.25.250.11/24 ipv4.gateway 172.25.250.254

Question 29

Configure the new connection to start automatically. Other connections should not start automatically.

Answer 29

nmcli con mod "lab" connection.autoconnect yes

nmcli con mod "System eth0" connection.autoconnect no

Question 30

Modify the new connection to use also the 10.0.1.1/24 IP address.

Answer 30

nmcli con mod "lab" +ipv4.addresses 10.0.1.1/24

Question 31

Configure the hosts file so that you can reference the 10.0.1.1 IP address with the private name.

Answer 31

echo "10.0.1.1 private" >> /etc/hosts

Question 32

Generate keys for ssh login

Answer 32

ssh-keygen

Question 33

Send the public key of the SSH key pair to the production1 user on the serverb machine.

Answer 33

ssh-copy-id production1@serverb

Question 34

Configure the sshd service on serverb to prevent users from logging in as the root user.

Answer 34

vi /etc/ssh/sshd_config

PermitRootLogin no

systemctl reload sshd.service

Question 35

Configure the sshd service on serverb to allow users to authenticate with SSH keys only, rather than with their passwords.

Answer 35

vi /etc/ssh/sshd_config

PasswordAuthentication no
PubkeyAuthentication yes

systemctl reload sshd.service

Question 36

Create a /home/techdocs directory and Set permissions on the /home/techdocs directory. On the /home/techdocs directory, configure setgid; read, write, and execute permissions for the owner/user and group; and no permissions for other users.

Answer 36

chmod 2770 /home/techdocs

chmod g+s,u=rwx,g=rwx,o=

Question 37

Modify the /etc/login.defs file to adjust the default umask for login shells. Normal users should have a umask setting that allows the user and group to create, write, and execute files and directories, and preventing other users from viewing, modifying, or executing new files and directories.

Answer 37

vi /etc/login.defs

UMASK           007

Question 38

On serverb machine, ensure that newly created users must change their passwords every 30 days.

Answer 38

vi /etc/login.defs

PASS_MAX_DAYS 30

Question 39

Create consultant1 user with the consultants group as supplementary group.

Answer 39

useradd -G consultants consultant1

Question 40

Set the consultant1 account to expire in 90 days from the current day.

Answer 40

date -d "+90 days" +%F

chage -E 2022-06-08 consultant1

Question 41

Change the password policy for user consultant2 to require a new password every 15 days.

Answer 41

chage -M 15 consultant2

Question 42

force user consultant1 to change its password on the first login.

Answer 42

chage -d 0 consultant1

Question 43

NFS mount fedora:/shares/public to /public persistently

Answer 43

fedora:/shares/public  /public  nfs  rw,sync  0 0