
1. Change SELinux mode

=>
vi /etc/selinux/config
SELINUX=enforcing
reboot
getenforce (should print Enforcing)

2. Configure SSH access as follows:

natasha has remote SSH access to your machine from within example.com
Clients with my133t.org should NOT have access to SSH on your system
=>
Configure SSH
OpenSSH is installed by default; if not,
yum install openssh-server
systemctl enable sshd
vim /etc/hosts.deny (ADD THE FOLLOWING; the leading dot matches every host in that domain)
sshd: .my133t.org
or
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.24.0.0/24 service name=ssh reject'
systemctl restart sshd
firewall-cmd --reload

3. Create a new customized environment for your users

Create a new custom command userstat whose output should be similar to /bin/ps -Ao pid,tt,user,fname,rsz
Make sure the userstat command is available by default for all users on both systems.

vi /etc/profile (append the alias; no spaces around the "=")
alias userstat='/bin/ps -Ao pid,tt,user,fname,rsz'
4. Configure port forwarding on your server.

The traffic coming from desktop on port 415/tcp should be forwarded to port 22/tcp on your system

See the man page firewalld.richlanguage(5), example 5

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.125.0.10 forward-port port=415 protocol=tcp to-port=22 to-addr=172.25.0.11'
firewall-cmd --reload
5. Configure a new network teaming link on both systems. (## this is the same as network bonding)

Both systems have the network interfaces eno1 and eno2

These two interfaces should be slaved to a new teaming device called team1 (make sure team1 remains active even if one of the interfaces goes down)

Assign the given IP address to team1 on the 1st system: 192.168.ZZX.XXZ

Assign the given IP address to team1 on the 2nd system: 192.168.XX.XXX

=>

nmcli con add con-name team1 type team ifname team1 config '{"runner": {"name": "activebackup"}}'
nmcli con show
nmcli con add con-name team1-slave1 ifname eno1 type team-slave master team1
nmcli con add con-name team1-slave2 ifname eno2 type team-slave master team1
nmcli con mod team1 ipv4.addresses 192.168.0.100/24 ipv4.method manual
systemctl restart network.service
Test :-
nmcli device disconnect eno2
teamdctl team1 state (the active port should fail over to eno1)

6. Configure the following IPv6 address for interface eth0 on both systems.
a. IPv6 address for system1 XXXXXXXX/64
b. IPv6 address for system2 XXXXRRDDX/64
=>
lab ipv6 setup (sets up the ipv6 lab)
vi /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=yes
nmcli con mod "System eth0" ipv6.addresses XXXXXX/64 ipv6.method manual
systemctl restart network.service

7. Configure an internet web server for your domain:

Download from ftp://instructor.example.com/pub/rhce/station.html
Rename the downloaded file to index.html
Copy this index.html file to the DocumentRoot of your web server
Do NOT make any modifications to the content of index.html
=>

APACHE
yum install httpd* -y
systemctl enable httpd
cd /var/www/html
wget ftp://instructor.example.com/pub/rhce/station.html
mv station.html index.html
vim /etc/httpd/conf.d/question7.conf (Make the following entry)
<VirtualHost <IP>:80>
ServerName station.domainX.example.com
ServerAdmin root@domainX.example.com
DocumentRoot /var/www/html
ErrorLog logs/domainX.example.com_error.log
CustomLog logs/domainX.example.com_access.log combined
</VirtualHost>

httpd -t (check for syntax)

firewall-cmd --permanent --add-service=http (otherwise the site is only reachable locally)
firewall-cmd --reload
systemctl restart httpd
systemctl enable httpd
curl -k http://server.example.com

8. Create one more virtual host:

Virtual host for the site http://wwwX.example.com, where X is your station number, then perform the following:
Set the DocumentRoot to /var/www/virtual
Download ftp://instructor.example.com/pub/rhce/www.html
Rename the downloaded file to index.html
Place this index.html in the DocumentRoot of the virtual host
Do NOT make any changes to the content of this file
Ensure that harry is able to create content in /var/www/virtual
NOTE: the original website http://wwwX.example.com must still be accessible; DNS resolution for the hostname wwwX.example.com is already provided by the name server on instructor.example.com
=>
mkdir /var/www/virtual
cd /var/www/virtual
wget ftp://instructor.example.com/pub/rhce/www.html
mv www.html index.html
vim /etc/httpd/conf/httpd.conf (Make the following entry; the NameVirtualHost directive is obsolete on httpd 2.4 and not needed)
<VirtualHost <IP>:80>
ServerName wwwX.domainX.example.com
ServerAlias wwwX
DocumentRoot /var/www/virtual
</VirtualHost>
useradd harry
setfacl -m u:harry:rwx /var/www/virtual
httpd -t (TO VERIFY THE SYNTAX IN CONFIGURATION)
systemctl restart httpd

9. Secure web service: configure TLS encryption for the web server http://serverx.example.com
The assigned certificate for the web server is available at classroom:/server.cert, the key for this certificate is available at classroom:/server.key, and the certificate of the signing authority is provided at classroom:/ca.cert
=>
First make the default web server work; refer to Q.7
yum install mod_ssl -y
cd /etc/pki/tls/certs/
wget classroom:/server.cert
wget classroom:/ca.cert
cd /etc/pki/tls/private/
wget classroom:/server.key
chmod 0600 server.key
grep -v ^# /etc/httpd/conf.d/ssl.conf > /etc/httpd/conf.d/serverx.conf (copy of ssl.conf without the # comment lines; keep only the VirtualHost section so Listen 443 is not declared twice, then edit it as below)
vi /etc/httpd/conf.d/serverx.conf

<VirtualHost *:443>
ServerName serverx.example.com
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/server.cert
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCertificateChainFile /etc/pki/tls/certs/ca.cert
</VirtualHost>

httpd -t
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
systemctl restart httpd

Now open a new Firefox tab and enter the URL below:

https://serverx.example.com
add exception
view
common name (CN) server.example.com
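Before restarting httpd it is worth confirming that the three files from Q.9 belong together: the key must match the certificate, the certificate must chain to the CA, and the CN must be the ServerName. The script below is an added example, not part of the exam answers; it assumes openssl is installed and generates a throwaway self-signed pair (standing in for server.cert/server.key/ca.cert) so the checks can run offline.

```shell
#!/bin/sh
# Added example (not from the page): sanity checks for the Q.9 TLS material.
# Assumes openssl is installed; server.cert / server.key / ca.cert are the
# names from the question. A throwaway self-signed pair is generated below.

# 0 when the public key embedded in the certificate equals the one derived from the key
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate chains up to the CA file (what the browser checks under "view")
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# prints the subject CN, to compare against ServerName in serverx.conf
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# 0 when the private key has the 0600 mode the answer sets with chmod
key_mode_ok() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# --- constructed demo: one self-signed cert plays both server.cert and ca.cert ---
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=serverx.example.com" \
    -keyout "$demo/server.key" -out "$demo/server.cert" >/dev/null 2>&1
chmod 0600 "$demo/server.key"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo/other.key" >/dev/null 2>&1      # unrelated key for the mismatch case

cert_key_match "$demo/server.cert" "$demo/server.key" && echo "server.key matches server.cert"
cert_key_match "$demo/server.cert" "$demo/other.key" || echo "other.key does NOT match server.cert"
cert_chain_ok "$demo/server.cert" "$demo/server.cert" && echo "chain verifies"
key_mode_ok "$demo/server.key" && echo "key mode is 0600"
echo "CN=$(cert_cn "$demo/server.cert")"
```

On the real server, run the same functions against /etc/pki/tls/certs/server.cert, /etc/pki/tls/private/server.key and /etc/pki/tls/certs/ca.cert; a mismatch here is what otherwise shows up as httpd refusing to start after the restart.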

10. Create a directory in the document root named secret

Download ftp://instructor.example.com/pub/rhce/secret.html
Set the document root in the configuration file as /var/www/html/secret
This website should be accessible from your local host and should not be accessible from others
=>

yum install httpd httpd-manual -y

Download the above file from the server and move it to the document root, i.e. /var/www/html/secret/
vi /etc/httpd/conf/httpd.conf
<Directory /var/www/html/secret>
AllowOverride none
Order deny,allow
Deny from all
Allow from 172.24.X.11
</Directory>
(on httpd 2.4 the three Order/Deny/Allow lines can be replaced by a single "Require local")
<VirtualHost 172.24.X.11:80>
ServerAdmin root@server2.example.com
DocumentRoot /var/www/html
(remaining directives as in Q.7)
</VirtualHost>

systemctl restart httpd

Test,
From another machine try to open http://server2.example.com/secret
Error Forbidden

Now on our server machine open Firefox and type the URL http://server2.example.com/secret

11. Configure a dynamic web content server on port 8877, download webapp.wsgi and make the document root /var/www/webapp/webapp.wsgi
=>
yum install httpd mod_wsgi -y
mkdir /var/www/webapp
wget -O /var/www/webapp/webapp.wsgi classroom:webapp.wsgi
ls -Z /var/www/webapp/webapp.wsgi
restorecon -RvvF /var/www/webapp
semanage port -l | grep -i 8877 (if 8877 is not listed under http_port_t, add it: semanage port -a -t http_port_t -p tcp 8877)
vi /etc/httpd/conf/httpd.conf
Listen 8877

<VirtualHost *:8877>
WSGIScriptAlias / /var/www/webapp/webapp.wsgi
</VirtualHost>

firewall-cmd --permanent --add-port=8877/tcp
firewall-cmd --reload
systemctl restart httpd

12. Make a script bar.sh in root's home directory such that if "redhat" is entered it echoes "fedora", if "fedora" is entered it echoes "redhat", and for any other word it prints "/root/bar.sh redhat|fedora" to standard error.
=>
#!/bin/bash
# /root/bar.sh: $1 is quoted so an empty or missing argument does not break the test
if [ "$1" == "fedora" ]; then
echo redhat
elif [ "$1" == "redhat" ]; then
echo fedora
else
echo "/root/bar.sh redhat|fedora" >&2
exit 1
fi
13. Configure NFS: export the /public directory with read-only access to desktop, export the /protected directory with read-write access to desktop, access to /protected is authenticated using Kerberos (you can get the keytab file from classroom:/keytabs), create a secure directory inside /protected, and user smita has read and write access on the secure directory.
=>
lab nfskrb5 setup
yum install nfs* krb* -y
mkdir /protected /public
wget -O /etc/krb5.keytab classroom:/keytab
vi /etc/exports (no space between the client and the option list, otherwise the options apply to the whole world)
/public 172.25.X.10/24(ro,sync)
/protected 172.25.X.10/24(rw,sync,sec=krb5p)
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
systemctl enable nfs-secure-server.service
systemctl restart nfs-secure-server.service
systemctl enable nfs-server.service
systemctl restart nfs-server.service
exportfs -avr
mkdir /protected/secure
useradd smita
passwd smita
setfacl -m u:smita:rwx /protected/secure
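The /etc/exports syntax above is easy to get wrong in a way that exportfs accepts silently: "/public host (ro,sync)" with a space exports /public to host with default options and, separately, to every client with (ro,sync). The linter below is an added example, not part of the exam answers; it runs over a constructed exports file and flags that space bug, no_root_squash, and path lines with no client at all.

```shell
#!/bin/sh
# Added example (not from the page): lint an /etc/exports file for mistakes that
# silently widen access. Usage: lint_exports FILE
# Prints one line per problem and returns 1 if any were found, 0 if clean.
lint_exports() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        {
            path = $1
            if (NF == 1) {                        # no client at all: exported to everyone
                printf "%s:%d: %s has no client (exported to everyone)\n", FILENAME, NR, path
                total++
            }
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\(/) {                 # bare "(opts)" token: a space preceded it
                    printf "%s:%d: %s exported to the world with %s (space before parenthesis)\n", FILENAME, NR, path, $i
                    total++
                } else if ($i ~ /no_root_squash/) {
                    printf "%s:%d: %s lets client root stay root via %s\n", FILENAME, NR, path, $i
                    total++
                }
            }
        }
        END { exit (total > 0) }
    ' "$1"
}

# Constructed samples: "bad" is the Q.13 answer with the space bug plus two other
# common slips; "good" is the corrected form of the same two exports.
bad=$(mktemp); good=$(mktemp)
cat > "$bad" <<'EOF'
# constructed sample, not a real exports file
/public 172.25.X.10/24 (ro,sync)
/protected 172.25.X.10/24(rw,sync,sec=krb5p)
/scratch *(rw,no_root_squash)
/tmp
EOF
cat > "$good" <<'EOF'
/public 172.25.X.10/24(ro,sync)
/protected 172.25.X.10/24(rw,sync,sec=krb5p)
EOF
lint_exports "$bad" || echo "$bad needs fixing"
lint_exports "$good" && echo "$good is clean"
```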

14. Permanently mount the NFS export on /mnt/data; access to /protected is authenticated by Kerberos, which was exported from serverx
=>
lab nfskrb5 setup
yum install nfs* krb5* -y
mkdir /mnt/data /mnt/protected
wget -O /etc/krb5.keytab classroom:/keytab
systemctl enable nfs-secure (the client side of the Kerberos mount; without it the krb5p mount fails)
systemctl start nfs-secure
vi /etc/fstab
172.25.X.11:/public /mnt/data nfs defaults,ro,sec=sys,_netdev 0 0
172.25.X.11:/protected /mnt/protected nfs defaults,rw,sec=krb5p,_netdev 0 0
mount -a
Test: switch to user smita (or the Kerberos user provided in the exam) and try to create a file.
ssh ldapuserX@localhost
cd /mnt/protected
touch abc
15. Share the /comman directory via SMB from your serverx. The share name must be samba. The Samba share must be browseable. User natasha should have read access on it, authenticating with the password postroll. sarah should have read and write access on the share and authenticate with postroll.
=>
mkdir /comman
useradd natasha
useradd sarah
yum install samba -y
vi /etc/samba/smb.conf
workgroup = STAFF (in the [global] section)
[samba]
path = /comman
valid users = natasha, sarah
write list = sarah
browseable = yes
hosts allow = 172.25.X.11
ls -ldZ /comman
getenforce (check SELinux status)
chcon -R -t samba_share_t /comman
yum install samba-client -y
smbpasswd -a natasha
smbpasswd -a sarah
New SMB password: postroll
systemctl enable smb nmb
systemctl restart smb nmb
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
setfacl -m u:sarah:rwx /comman

@Client side
yum install samba-client cifs-utils -y
mkdir /mnt/comman
mount.cifs -o username=sarah //server/samba /mnt/comman
Password: postroll

16. The Samba share must be permanently mounted on the DesktopX machine on the /mnt/samba directory, and this share must allow anyone who can authenticate as sarah.
=>
yum install samba-client cifs-utils -y
mkdir /mnt/samba
useradd sarah
vi /etc/samba/userlist.txt
username=sarah
password=postroll
chmod 0600 /etc/samba/userlist.txt (the credentials file holds a password and must not be world-readable)
chcon system_u:object_r:samba_etc_t:s0 /etc/samba/userlist.txt
vi /etc/fstab
//server/samba /mnt/samba cifs credentials=/etc/samba/userlist.txt,multiuser,sec=ntlmssp 0 0
mount -a
su - sarah
smbclient -L //172.25.10.11/gabber -U natasha
cifscreds add server
Password: postroll
df -h
17. Configure an iSCSI target on the server machine.
The iSCSI disk name is iqn.2015-06.com.example:server. iSCSI should use the default port 3260. The target should use a 3G backing volume named datavol. The target should be available only to the desktop machine.
=>
yum install targetcli -y
systemctl start target
systemctl enable target
firewall-cmd --permanent --add-port=3260/tcp
firewall-cmd --reload
Create a 3G partition with fdisk (/dev/vdb1)
Now create a VG and then a 3G LV named datavol
targetcli
ls
/backstores/block create data /dev/vg01/datavol (LV path)
ls
/iscsi create iqn.2015-06.com.example:server
ls
/iscsi/iqn.2015-06.com.example:server/tpg1/acls create iqn.2015-06.com.example:desktop
ls
/iscsi/iqn.2015-06.com.example:server/tpg1/luns create /backstores/block/data
ls
/iscsi/iqn.2015-06.com.example:server/tpg1/portals create 172.25.X.11 ip_port=3260
(if a default 0.0.0.0:3260 portal was created automatically, delete it first with: /iscsi/iqn.2015-06.com.example:server/tpg1/portals delete 0.0.0.0 3260)
ls
saveconfig
exit

systemctl enable target.service
systemctl restart target.service
Test
iscsiadm -m discovery -t st -p 172.25.X.11
18. Configure the desktop machine as an iSCSI initiator.
The iSCSI device should be mounted automatically at boot time. It should contain a 200MB block with an XFS file system on it. The partition must be mounted on /mnt/iscsi and it should be mounted automatically.
=>
yum install iscsi-initiator-utils -y
vi /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2015-06.com.example:desktop
systemctl enable iscsid
systemctl restart iscsid
iscsiadm -m discovery -t st -p 172.25.X.11 (server IP)
iscsiadm -m node -T iqn.2015-06.com.example:server -p 172.25.X.11 -l (login)
lsblk or dmesg (find the new disk, e.g. /dev/sda)
Now create a 200MB partition of type 83 with fdisk /dev/sda
mkfs.xfs /dev/sda1
blkid (and copy the UUID of sda1)
mkdir /mnt/iscsi
vi /etc/fstab
UUID=<ID> /mnt/iscsi xfs defaults,_netdev 0 0
mount -a
iscsiadm -m node -T iqn.2015-06.com.example:server -p 172.25.X.11 -u (logout)
19. Configure mail access on both systems as follows. The system should not accept mail from external sources. Mail sent locally from both systems gets routed through example.com. Mail sent from the systems shows up as coming from server.example.com
=>
At server:
lab smtp-nullclient setup
yum install postfix -y
systemctl enable postfix
systemctl start postfix
vi /etc/postfix/main.cf
myhostname = server.example.com
mydomain = example.com
relayhost = $mydomain
myorigin = $mydomain
inet_interfaces = localhost (listen on the loopback interface only, so no mail is accepted from outside)
systemctl restart postfix
mail -s test root@desktop.example.com
On client :-
lab smtp-nullclient setup
mail
20. Create a MariaDB database using a dump file. Create a database named legacy and import the dump file into it. The dump file is provided at classroom:mariadb.dump. Create a user smita and grant SELECT access on the legacy database.
=>
lab mariadb setup
yum groupinstall mariadb mariadb-client -y
systemctl enable mariadb
systemctl start mariadb
firewall-cmd --permanent --add-service=mysql
firewall-cmd --reload
mysql -u root
SHOW DATABASES;
CREATE DATABASE legacy;
exit
mysql -u root legacy < /home/student/mariadb.dump
mysql -u root
SHOW DATABASES;
USE legacy;
MariaDB [legacy]> CREATE USER 'smith'@'%' IDENTIFIED BY 'smith';
MariaDB [legacy]> GRANT SELECT ON legacy.* TO 'smith'@'%';
exit
mysql_secure_installation
Set root password? y
New password: redhat
mysql -u smith -p
Enter password: smith
MariaDB [(none)]> SHOW DATABASES;
MariaDB [(none)]> USE legacy;
MariaDB [legacy]> CREATE TABLE focus(id INT(21));
It will give an error, as only SELECT rights are granted on the tables
21. Answer the following questions in the file /root/mariadb.txt. 1. Count the number of products that have id_category=2
=>
Log in to the legacy db.
mysql -u root -p legacy (password redhat)
SELECT COUNT(id_category) FROM product WHERE id_category = 2;
Or, to list the matching products together with their category name (the join columns product.id_category and category.id are assumed from the dump; the page does not show them):
SELECT product.name, category.name FROM product INNER JOIN category ON product.id_category = category.id WHERE category.name = 'servers';
