RedHat.EX300 - GRATIS EXAM...chcon –R –t samba_share_t /common/ smbpasswd -a andy systemctl...

https://www.gratisexam.com/

RedHat.EX300.40q

Number: EX300Passing Score: 800Time Limit: 120 minFile Version: 1.0

Red Hat Certified Engineer – RHCE (v6+v7)



Exam A

QUESTION 1

Cofigure SELINUX

Modify the state of selinux to Enforcing mode Use VIM /etc/selinux

Correct Answer: See ExplanationSection: (none)Explanation

Explanation/Reference:vim /etc/selinux/configSELINUX=enforcing:wqreboot

QUESTION 2Configure the SSH Access as required: Users can visit your two virtual machine systems via clients of domain group3.example.com through SSH remote

https://www.gratisexam.com


Explanation/Reference:Modify file /etc/hosts.allow Add a line: sshd: 172.24.11. Modify file /etc/hosts.deny Add a line: sshd: 172.25.0. Both of them need to be configured

Explanation:There is a solution 2: Add a firewall


firewall-cmd –zone=block --add-source=172.25.11.0/24 --permanent firewall-cmd –reload

Both of them need to be configured

QUESTION 3

Custom User EnvironmentCreate a custom command on system1 and system2 named as qstat, this custome command will execute the following commands: /bin/ps - Ao pid,tt,user,fname,rsz

This command is valid for all users in the system


Explanation/Reference:vim /etc/bashrc // restart and keep valid alias qstat=’/bin/ps -Ao pid,tt,user,fname,rsz’ :wqsource /etc/bashrc

alias // check if there is a qstat qstat // execute

QUESTION 4Configure port forwarding on the system1, as required: 1. Systems in the network 172.24.11.0/24, local port 5423 will be ported to 80 when visiting system1 This setting must be valid permanently


Explanation/Reference:Use Graphical interface to configure Use firewall-config to open the Graphical interface in CLI Adjust the configuration: drop-down menu to permanent Adding a strategy to the port forward of the publicregion


systemctl restart firewalld.service // reload the firewall strategy

QUESTION 5

Configure the Link AggreationConfigure a link between systeml. group3.example.com and system2. group3.example.com as required: This link use interface eth1 and eth This link still can work when one interface failed This link use the following address 172.16.3.20/255.255.255.0 in systeml This link use the following address 172.16.3.25/255.255.255.0 in in system2 This link remains normal after the system is restarted




Explanation/Reference:If forget how to write the name, can search examples in /var/share/doc/team-1.9/example_configs/ nmcli connection add con-name team0 type team ifname team0 config '{"runner":{"name":"activebackup"}}'nmcli con modify team0 ipv4.addresses '172.16.11.25/24'nmcli connection modify team0 ipv4.method manualnmcli connection add type team-slave con-name team0-p1 ifname eth1master team0nmcli connection add type team-slave con-name team0-p2 ifname eth2master team0nmcli connection up team0nmcli con up team0-p1nmcli con up team0-p2

QUESTION 6

Configure IPV6 Address Configure interface eth0 on your test system, using the following IPV6 addresses:

：：：system1 address should be: 2003 acl8 305/64 ：：：system2 address should be: 2003 acl8 30a/64

：Both the two systems must can communicate with systems in network 2003 acl8/64 Addresses must be valid after the restart Both the two systems must keep the current IPV4 address and can communicate


Explanation/Reference:nmcli con mod eth0 ipv6.addresses “2003:ac18::305/64”nmcli con mod eth0 ipv6.method manualsystemctl restart networknmcli con mod eth0 ipv6.addresses “2003:ac18::30a/64”nmcli con mod eth0 ipv6.method manualsystemctl restart networkping6 2003:ac18::30a

QUESTION 7

Configure the local mail serviceConfigure the mail service on system1 and system2, as required: 1. These systems do not accept external send mails


2. Any mails sent locally are automatically routed to rhgls.domain11.example.com 3. Mails sent from these systems will be displayed from rhgls.domain11.example.com 4. You can send mail to local user ‘authur’ to test your configuration systemrhgls.domain11.example.com 5. Have already configured to transfer this user’s mails to the following URL rhgls.domain11.example.com/received_mail/11


Explanation/Reference:postconf -e local_transport=err:XX vim /etc/postfix/main.cf relayhost=[rhgls.domain11.exmaple.com] postconf -e myorigin=domain11.example.com systemctl restart postfix echo aaa | mail -S hello dave

Open rhgls.domain11.example.com/received_mail/11 in the browser

QUESTION 8

Share directories via SMBConfigure the SMB service on the system1 Your SMB server must be a member of the work group STAFF Share /common and share name must be common Only clients of domain11.example.com can access the common share Common must be able to browse User andy must be able to read the content of the share, if necessary, verfication code is redhat


Explanation/Reference:system1: yum -y install samba samba-clientfirewall-cmd --add-service=samba –permanentfirewall-cmd --add-service=mountd –permanentsystemctl restart firewalldvim /etc/samba/smb.confworkgroup = STAFF[common]


path = /commonhosts allow = 172.24.11.browseable = yes:wq mkdir /commonchcon –R –t samba_share_t /common/smbpasswd -a andysystemctl start smbsystemctl enable sambasystem2:yum install –y cifs-utils samba-client

QUESTION 9

Configure Multi-User Mount Share the directory /devops through SMB on the systeml, as required: 1. Share name is devops 2. The shared directory devops just can be used by clients in domain11.example.com 3. The shared directory devop must be able to be browsed 4. User silene must can be able to access this share through read, access code is redhat5. User akira must can be able to access this share through read and write, access code is redhat 6. This share permanently mount to system2. domain11.example.com the user /mnt/dev, make user silene as authentication any users can get temporary writepermissions from akira


Explanation/Reference:：system1

mkdir /devopschcon -R -t samba_share_t /devops/chmod o+w /devops/vim /etc/samba/smb.conf[devops]path = /devopshosts allow = 172.24.11.browseable = yeswritable = nowrite list = akira:wqsystemctl restart smbsmbpasswd -a silenesmbpasswd -a akira


system2 mkdir /mnt/devsmbclient -L /system1/ -U silenevim /etc/fstab

//system1/devops /mnt/dev cifsdefaults,multiuser,username=silene,password=redhat,sec=ntlmssp 0 0df –hT

QUESTION 10

Mount a NFS Share Mount a NFS share to system1.domain11.example.com on the system2, as required: 1. Mount the /public to the directory /mnt/nfsmount 2. Mount the /protected to the directory /mnt/nfssecure, in a security way, key download URL: http://host.domain11.example.com/materials/nfs_client.keytab 3. User deepak can creat files on /mnt/nfssecure/project 4. These file systemes automatically hang up when the system is started


Explanation/Reference:system2: showmount –e system1mkdir -p /mnt/nfsmountvim /etc/fstabsystem1:/public/mnt/nfsmount nfs defaults 0 0mount –adf –hmkdir /mnt/nfssecurewget -O /etc/krb5.keytab

http://host.domain11.example.com/materials/nfs_client.keytabvim /etc/fstabsystem1:/protected /mnt/nfssecure nfs defaults,sec=krb5p,v4.2 0 0:wqmount -a

QUESTION 11

Configure NFS service


Configure the NFS service on the system1, as required: 1. Share the directory /public in read only way, just can be accessed by systems in domain11.example.com at the same time 2. Share the directory /protected in rad and write way, Kerberos security encryption required, you can use the key provided by the following URL: http://host.domain11.example.com/materials/nfs_server.keytab 3. Directory /protected should contain the sub directory named project and deepak;4. User deepak can access /protected/project in read and write ways



Explanation/Reference:system1: vim /etc/exports/protected 172.24.11.0/24(rw,sync,sec=krb5p)/public 172.24.11.0/24(ro,sync)wget -O /etc/krb5.keytab

http://host.domain11.example.com/materials/nfs_server.keytabvim /etc/sysconfig/nfs RPCNFSDARGS="-V 4.2 "

:wqsystemctl restart nfssystemctl start nfs-secure-serversystemctl enable nfs-secure-serverexportfs –rashowmount –efirewall-cmd --add-service=nfs –permanentfirewall-cmd --add-service=rpc-bind –permanentfirewall-cmd --add-service=mountd–permanentsystemc tl restart fiewalldmkdir -p /protected/projectchown deepak /protected/project/ll /protected/chcon -R -t public_content_t /protected/project/

QUESTION 12


Implement a web serverConfigure a site http://systeml. domain11.example.com/ on the system1, then executes the following steps: 1. From http://rhgls. domain11.example.com/materials/station.html 2. Download a file, rename the file as index.htm, do not modify the file content 3. Copy the file index.html to the DocumentRoot directory of your web server 4. Clients from the domain group3.example.com can access the web service 5. Clients from my133t.org refuse to access the web service


Explanation/Reference:yum groupinstall web\* -y systemctl start httpdsystemctl enable httpdvim /etc/httpd/conf/httpd.conf/ServerName ServerName server1.domain11.example.com:80systemctl restart httpdwget -O index.html

http://rhgls.domain11.example.com/materials/station.htmlfirewall-config


systemctl restart firewalld

QUESTION 13

Configure security web service Configure a TLS for site http://systeml.domain11.example.com, encrypt a signed certificate from http://host.domain11.example.com/materials/system1.crt Get the certificate key from http://host.domain11.example.com/materials/system1.key Get the signature authorization information of the certificate from http://host.domain11.example.com/materials/domain11.crt


Explanation/Reference:


<virtualhost *:80>documentroot /var/www/htmlservername system1.domain11.example.com</virtualhost><virtualhost *:443> documentroot /var/www/htmlservername system1.domain11.example.comSSLEngine onSSLCertificateFile /etc/pki/tls/certs/server1.crt SSLCertificateKeyFile /etc/pki/tls/private/server1.keySSLCertificateChainFile /etc/pki/tls/certs/domain11.crt <virtualhost>systemctl restart httpdfirewall-cmd --add-service=https –permanentsystemctl restart firewalld

QUESTION 14

Configure the Virtual Host Expand your web server on the system1, create a virtual host for site http://www.domain11.example.com Then Executes the following steps: 1. Setting the DocumentRoot to /var/www/virtual 2. From http://rhgls.domain11.example.com/materials/www.html 3. Download a file, rename as index.html, don’t modify file index.html content 4. Put the file index.html under the directory DocumentRoot of Virtual Host 5. Ensure that user andy can create files under directory /var/www/virtual Note: original site http://systeml.domian11.example.com/ must still be able to be accessed, Name server domain11.example.com provide the domain name resolution for host name


Explanation/Reference:mkdir –p /var/www/ virtualcd /var/www/ virtuawget –O index.html

http://rhgls.domain11.example.com/materials/www.htmlvim /etc/httpd/conf/httpd.conf<virtualhost *:80>documentroot /var/www/virtual

servername www.domain11.example.com</virtualhost>setfacl -m u:andy:rwx /var/www/virtual


su andytouch /var/www/virtual/11.html

QUESTION 15

Configure Web Content Access Create a directory private under directory DocumentRoot of web server on the system1, as required: 1. Download a file copy to this directory from http://rhgls.domain11.example.com/materials/private.html and rename it as index.html. 2. Don’t make any changes to this file content 3. Any users from the system1 can browse the content of the private, but cannot access this directory content from other systems


Explanation/Reference:mkdir /var/www/virtual/privatemkdir /var/www/html/privatecd /var/www/virtual/privatewget -O index.html

http://rhgls.domain11.example.com/materials/private.html cd /var/www/html/private wget -O index.html http://rhgls.domain11.example.com/materials/private.html<Directory "/var/www/html/private"> AllowOverride none Require all denied Require local </Directory> <Directory "/var/www/virtual/private">AllowOverride none Require local Require all denied </Directory>

QUESTION 16

Dynamic WEB content Configure to provide dynamic web content on the system1, as required: 1. Dynamic content provided by a virtual machine named dynamic.domain11.example.com 2. Virtual host listening on port 89093. Download a script from http://rhgls.domain11.example.com/materials/webapp.wsgi, then put it in the right place, don’t modify the file content in any situations 4. Dynamically generated web page should be received when clients access http://dynamic.domain11example.com:8909/ 5. This http:// dynamic.domain11.example.com:8909/ must be able to be accessed by all system of domain11.example.com

Correct Answer: See Explanation


Section: (none)Explanation

Explanation/Reference:yum -y install mod_wsgivim /etc/httpd/conf/httpd.confListen 80Listen 8909 <virtualhost *:8909>servername dynamic.domain11.example.com WSGIScriptAlias / /var/www/html/webapp.wsgi </virtualhost>cd /var/www/html

wget http://rhgls.domain11.example.com/materials/webapp.wsgi systemctl restart firewalldsemanage port -a -t http_port_t -p tcp 8909systemctl restart httpd

QUESTION 17

Create a scriptCreate a script named /root/foo.sh on the system1, make it provide the following characteristics: When running /root/foo.sh redhat, the output is fedora When running /root/foo.sh fedora, the output is redhat When there is no parameter or parameter is not redhat or fedora, the following information generated by the error output: /root/foo.sh redhat:fedora




Explanation/Reference:cd ~vim foo.sh#~/bin/bashcase $1 inredhat)echo fedora;;fedora) echo redhat ;;*)echo 'root/foo.sh redhat:fedora'esac:wqchmod +x foo.sh./foo.sh redhat./foo.sh fedora./foo.sh 1

QUESTION 18

Create a script to add usersCreate a script named /root/mkusers on the system1, this script can achieve to add local users for the system1, and user names of these users are all from a filewhich contains the usernames list, and meet the following requirements at the same time: 1. This script is required to provide a parameter; this parameter is the file which contains the usernames list

：2. This script need provide the following message: Usage /root/mkusers if it does not provide a parameter, then exit and return the corresponding value 3. This script need provide the following message: Input file not found if it provides a name that does not exist, then exit and return the corresponding value 4. Create a user shell log into /bin/false 5. This script does not need to set password for users 6. You can get the usernames list from the following URL as a test: http://rhgls. domain11.example.com/materials/ userlist





Explanation/Reference:vim mkusers.sh#! /bin/bashif [ $# -eq 0 ];thenecho 'Usage:/root/mkusers'exit 1 fiif [ ! -f $1 ]; thenecho 'Input file not found' exit fiwhile read linedouseradd -s /bin/false $linedone < $1:wqchmod +x mkusers.sh

wget http://rhgls.domain11.example.com/materials/userlist ./mkusers.sh userlist

QUESTION 19

Configure the ISCS Server Configure the system1 provide a ISCSI service disk named iqn.2014-09.com.example.domain11:system1 and meet the following requirements at the same time: 1. Server Port 3260 2. Use iscsi_store as its back-end volume, its size is 3G 3. This service just can be accessed by system2.domian11.example.com


Explanation/Reference:fdisk /dev/sdapartprobe /dev/sdayum install -y targetcli\*targetclicd backstores/block/ create block1 /dev/sda3cd /iscsicreate iqn.2014-09.com.example.domain11:system1


cd iqn.2014-09.com.example.domain11:system1/cd tpg1/acls/ create iqn.2014-09.com.example.domain11:systemluns/ create /backstores/block/block1portals/ create system1.domain11.example.comexitsystemctl start targetsystemctl enable targetfirewall-config

systecmctl restart firewalld

QUESTION 20

Configure ISCISI ClientsConfigure the system2 to make it can link to iqn.2014-09.com.example.domain11:system1 provided by the system, meet the following requirements at the sametime:1. ISCISI devices automatically loads during the system start-up 2. Block device ISCISI contains a 2100MIB partition, and formatted as ext4 3. This partition mount to the /mnt/data, mount automatically during the system start-up



Explanation/Reference:yum install -y iscsi-initiator-utils.i686vim /etc/iscsi/initiatorname.iscsiInitiatorName=iqn.2014-09.com.example.domain11:systemsystemctl start iscsidsystemctl is-active iscsidiscsiadm --mode discoverydb --type sendtargets --portal 172.24.11.10–discoveriscsiadm --mode node --targetname iqn.2014-09.com.example.domain11:system1 --portal 172.24.11.10:3260 –loginfdisk –lfdisk /dev/sdbmkfs.ext4 /dev/sdb1partprobemkdir /mnt/datavim /etc/fstab /dev/sdb1 /mnt/data ext4 _netdev 0 0

QUESTION 21

Configure a database Create a Maria DB database named Contacts, meet the following requirements at the same time: 1. Database should contain the contents of the database replication, URL for copying files is: http://rhgls.domain11.example.com/materials/users.mdb 2. Database just can be accessed by localhost 3. In addition to user, database juat can be searched by user Luigi, user password is redhat 4. Password for user root i redhat, do not allow an empty passwordlogin at the same time


Explanation/Reference:yum install -y mariadb*systemctl start mariadbsystemctl enable mariadbcd /

wget http://rhgls.domain11.example.com/materials/users.mdbmysqlcreate database Contacts;show databases;use Contactssource /users.mdbshow tables;grant select on Contacts .* to Luigi@'localhost' identified by


'redhat';Exitmysqladmin -uroot -p password 'redhat' two entersmysql -uroot -p Password input redatmysql -uLuigi -p Password input redat

QUESTION 22

Database Query Using database Contacts on the system1, and using the corresponding SQL to search and answer the following questions: 1. Password is tangerine’s people name? 2. How many people’s name is John and live is Shanghai at the same time?


Explanation/Reference:mysql -uroot -p

show tables; // view table structuredesc table name // view table fieldselect bid,password from pass where password='tangerine'; // check password ID numberselect * from name where aid='3' ; // Find out names through password IDselect * from name where firstname='John'; // search people in same nameselect * from loc where loction='Santa Clara'; // seach people live in the same city

QUESTION 23In accordance with the following requirements to deploy ssh login service: 1. harry belongs to example.com which can remote login your systems. 2. However, users of remote.test can not use ssh login to your machine.


Explanation/Reference:[root@server1 ~]# grep sshd /etc/hosts.allow sshd:.example.com

[root@server1 ~]# grep sshd /etc/hosts.deny sshd:.remote.test

Notice:tcp_wrappers has two configuration files and their priority level is /etc/hosts.allow->/etc/hosts.deny


QUESTION 24Via nfs service share the /common directory in your system, just doine ONE share in example.com domain.


Explanation/Reference:[root@server1 ~]# grep common /etc/exports

/common *.example.com(ro,sync)

QUESTION 25According to the following requirements, deploying your ftp login rule: 1. Users in example.com domain must be able to login to your ftp server as an anonymous user. 2. But users outside the example.com domain are unable to login to your server



Explanation/Reference:[root@server1 ~]# grep vsftpd /etc/hosts.deny vsftpd:.example.com [root@server1 ~]# grep vsftpd /etc/hosts.deny vsftpd:ALL /etc/vsftpd/vsftpd.conf:

anonymous_enable=YES

QUESTION 26Deploying your exam system: linking to the iscsi target in the instructor.example.com and distinguish it well, then formatted as ext3 file system. You must can beable to mout the file system of the iscsi target to the /mnt/iscsi directory in your own system and make this file system can automatically mount (permanently mount)after system restart.

Correct Answer: See ExplanationSection: (none)


Explanation

Explanation/Reference:[root@server1 ~]# iscsiadm --mode discoverydb --type sendtargets -portal instructor.example.com --discover 192.168.0.254:3260,1 iqn.2010-09.com.example:rdisks.server1 [root@server1 ~]# iscsiadm --mode node -targetname iqn.2010-09.com.example:rdisks.server1 --portalinstructor.example.com --login Logging in to [iface: default, target: iqn.2010-09.com.example:rdisks.server1, portal: 192.168.0.254,3260] (multiple) Login to [iface: default, target: iqn.2010-09.com.example:rdisks.server1, portal:

192.168.0.254,3260] successful.

Note: This part also need to be formatted and modify /etc/fstab mount

QUESTION 27In accordance with the following requirements, sharing /common directory through smb service:-- your sub service must be in the SAMBA working-set -- the shared name of common is common -- the common share just can be shared by the customers in the example.com domain -- the common must can be available for browsing -- mary must can login to the smb share and for read operation, “password” is the secret code if it need to be verified.


Explanation/Reference:[root@server1 iscsi]# grep -v "^\s*#" /etc/samba/smb.conf | grep -v "^\s*;" | grep -v "^\s*$" [global] workgroup = SAMBA server string = Samba Server Version %v hosts allow = 127. 192.168.0. security = user passdb backend = tdbsam [common] comment = Public Stuff path = /common public = no browseable = yes printable = no read only = mary Add SMB Mary users smbpasswd -a mary

Modify the security context of /common directory chcon -R -t samba_share_t /common

QUESTION 28Arrange a web service address is: http://serverX.example.com, X is the number of your exam machine. Deploy it in accordance with the following requirements:


：Download ftp //instructor.example.com/pub/rhce/server.html Can not do any modification to file document server.html Rename file document server.html as index.html Copy the file document server.html to DocumentRoot


Explanation/Reference:[root@server1 common]# cd /var/www/html/ [root@server1 html]# lftp instructor.example.com lftp instructor.example.com:~> cd pub/rhce cd ok, cwd=/pub/rhce lftp instructor.example.com:/pub/rhce> get server.html 20 bytes transferred [root@server1 html]# mv server.html index.html [root@server1 html]# restorecon -Rv /var/www/html/ [root@server1 html]# /etc/init.d/httpd restart Stopping httpd: [ OK ] Starting httpd: [ OK ]

[root@server1 html]# chkconfig httpd on

QUESTION 29：Expand your web service including a virtual hosting, address is http://wwwX.example.com, X is the number of your exam machine. However, requiring you do as

the following: -- Set up the DocumentRoot of this virtual hosting as /var/http/virtual

：-- Download ftp //instructor.example.com/pub/rhce/www.html -- Rename www.html file document as index.html -- Move this file document to this virtual hosting's DocumentRoot -- Don't do any changes to this document -- Making sure that harry users are able to create project in /var/http/virtual Attention: Original web address is http://serverX.example.com must also can be browsed. The DNS of the Server instructor.example.com has already beenanalyzed as the domain wwwX.example.com.


Explanation/Reference:[root@server1 html]# mkdir -p /var/http/virtual [root@server1 html]# cd /var/http/virtual/ [root@server1 virtual]# lftp instructor.example.com lftp instructor.example.com:~> cd pub/rhce lftp

instructor.example.com:/pub/rhce> get www.html


17 bytes transferred lftp instructor.example.com:/pub/rhce> quit

[root@server1 virtual]# mv www.html index.html [root@server1 virtual]# useradd harry [root@server1 virtual]# chgrp harry . [root@server1 virtual]# chmod 775. Edit /etc/httpd/conf/httpd.conf, add the follow content: NameVirtualHost *:80 <VirtualHost *:80> DocumentRoot /var/http/virtual ServerName www1.example.com <Directory /var/http/virtual/limited> Options Indexes MultiViews FollowSymlinks order deny,allow deny from all allowfrom 192.168.0. </Directory> </VirtualHost> <VirtualHost *:80> DocumentRoot /var/www/html/

ServerName server1.example.com Notice: The priority level of order deny, allow is deployed: The back is higher than in front of the priority. It means allow -> deny

QUESTION 30Creating a directory /var/http/virtual/limited, Just limiting the local user to enter and browse the shared web page in this directory and users can’t access thiswebpage if they are not the local user.


Explanation/Reference:The deploy of <Directory> in the seventh question has been done.

QUESTION 31Deploy your SMTP mail service and complete it by the following requirements: -- Your mail service must can receive the local and remote mails -- harry must can receive the remote mail -- The mail which is delivered to mary should be put into the mail /var/spool/mail/mary



Explanation/Reference:Modify /etc/postfix/main.cf, open the following parameters: inet_interfaces = all [root@server1 virtual]# /etc/init.d/postfix restart Shutting down postfix: [ OK ] Starting postfix: [ OK ]

[root@server1 virtual]# chkconfig postfix on

QUESTION 32Configure a mail alias to your MTA, for example, send emails to harry but mary actually is receiving emails.


Explanation/Reference:Modify /etc/aliases,add: harry: mary harry

After completing modification: [root@server1 virtual]# newaliases

Notice: This problem is a trap. The ninth questions require harry must be able to receive remote emails but the tenth problems requires mary to receive harry’s emails. Soharry must be added when you are deploying aliaes.

QUESTION 33Create a Shell script /root/program: The shell script will come back to “user” parameter when you are entering “kernel” parameter.The shell script will come back to “kernel” when you are entering “user” parameter.It will output the standard error when this script “usage:/root/program kernel|user” don’t input any parameter or the parameter you inputted is entered as therequirements.


Correct Answer: See ExplanationSection: (none)


Explanation

Explanation/Reference:[root@server1 virtual]# cat /root/program #!/bin/bash param1="$1" if [ "$param1" == "kernel" ]; then echo "user" elif [ "$param1" == "user" ]; then echo "kernel" else echo "usage:/root/program kernel|user" fi

[root@server1 ~]# chmod +x /root/program

QUESTION 34Given the kernel of a permanent kernel parameters: sysctl=1.

It can be shown on cmdline after restarting the system. Kernel of /boot/grub/grub.conf should be added finally, as:


Explanation/Reference:Kernel of /boot/grub/grub.conf should be added finally, as: kernel /vmlinuz-2.6.32-279.1.1.el6.x86_64 ro root=/dev/mapper/vgsrv-root rd_LVM_LV=vgsrv/root rd_NO_LUKS LANG=en_US.UTF-8rd_LVM_LV=vgsrv/swap rd_NO_MD

SYSFONT=latarcyrheb-sun16 crashkernel=auto KEYTABLE=us rd_NO_DM rhgb quiet rhgb quiet sysctl=1 KEYBOARDTYPE=pc

QUESTION 35Forbidden the Mary user configuration tasks in your system.


Explanation/Reference:Modify the /etc/cron.deny, add: [root@server1 ~]# cat /etc/cron.deny mary


Conclusions: 1. I find that it is common to add various service access limits in the exam RHCE. The exercises like: require one network segment can be accessed anothernetwork segments can not be accessed, the following are some conclusions for various service:

tcp_wrappers:/etc/hosts.allow,/etc/hosts.deny

tcp_wrappers can filter the TCP’s accessing service. TCP whether has the filtering function which depends on this service whether use the function library oftcp_wrappers, or this service whether has the xinetd process of starting function of tcp_wrappers. tcp_wrappers’s main configuration file is /etc/hosts.allow,/etc/hosts.deny. And the priority of the documents in hosts. allow is higher than hosts. deny. Visit will be passed if no match was found. sshd,vsftpd can use the filtering service of tcp_wrappers.

Configuration example: sshd:.example.com 192.168.0. 192.168.0.0/255.255.255.0 150.203. EXCEPT 150.203.6.66 Notice: The two configuration files’ syntax can refer to hosts_access(5) and hosts_options(5)sshd_config

There are four parameters in this configuration file: DenyUsers, AllowUsers, DenyGroups, AllowGroups, they are used to limit some users or user groups toproceed Remote Login through the SSH. These parameters’ priority level is DenyUsers->AllowUsers->DenyGroups->AllowGroups Configuration example: AllowUsers tim [email protected] kim@*.example.com

httpd Service Through the /etc/httpd/conf/httpd.conf in parameters, can add <Directory> to control the url access. Just as: <VirtualHost *:80> DocumentRoot /var/http/virtual ServerName www1.example.com <Directory /var/http/virtual/limited> Options Indexes MultiViews FollowSymlinks order deny,allow deny from all allow from 192.168.0. </Directory>

</VirtualHost> Notice: So pay attention, deny’s and allow’s priority level in order deny,allow is: the backer has the higher priority level. But here, allow’s priority has a higher priority level.

nfs Service nfs service directly control the visits through file /etc/exports, just as: /common *.example.com(rw,sync) 192.168.0.0/24(ro,sync)

samba Service Parameter hosts allow in /etc/samba/smb.conf which is used as Access Control,just as: hosts allow = 192.168.0. 192.168.1.0/255.255.255.0 .example.com 2. Paying attention to use Mount parameters: _netdev,defaults when you are mounting ISCSI disk.


3. Stop the NetworkManager

/etc/init.d/NetworkManager stop chkconfig NetworkManager off

5. When you are deploying ifcfg-ethX, add parameters: PEERDNS=no

6. Empty the firewall in RHCSA, RHCE: iptables -F iptables -X iptables -Z /etc/init.d/iptables save

7. Narrow lv steps: 1.umount /dev/mapper/lv 2.e2fsck -f /dev/mapper/lv 3.resize2fs /dev/mapper/lv 100M 4.lvreduce -L 50M /dev/mapper/lv 5.mount -a

8. Mount the using command - swap which is newly added in /etc/fstab 9. If Verification is not passed when you are installing software, can import public key: rpm import /etc/pki/rpm…/…release and so on. In yum.repo, you also candeploy gpgkey, for example, gpgkey=/etc/pki/rpm…/…release 10. When you are using “Find” command to search and keep these files, paying attention to use cp -a to copy files if you use user name and authority as yoursearching methods.

QUESTION 36Please set the selinux status as enforcing.


Explanation/Reference:# getenforce 1 # vim /etc/sysconfig/selinux SELINUX=enforcing

QUESTION 37Please open the ip_forward, and take effect permanently.


Explanation/Reference:


# vim /etc/sysctl.confnet.ipv4.ip_forward = 1

# sysctl -w (takes effect immediately)

If no “sysctl.conf” option, use these commands: # sysctl -a |grep net.ipv4 # sysctl -P net.ipv4.ip_forward = 1

# sysctl -w

QUESTION 38Configure ssh to allow user harry to access, reject the domain t3gg.com (172.25.0.0/16) to access.


Explanation/Reference:# yum install -y sshd # chkconfig sshd on# vim /etc/hosts.denysshd: 172.25.0.0/16 # service sshd restart

Use iptables:

# chkconfig iptables on # iptables -F # iptables -X # iptables -Z # iptables -nvL # iptables -A INPUT -s 172.25.0.0/16 -p tcp --dport 22 -j REJECT # services iptables save # iptables -nvL

# cat /etc/services (check port)

QUESTION 39Configure the ftp to allow anonymously download the directory /var/ftp/pub, and reject the domain t3gg.com to access.



Explanation/Reference: # yum install -y vsftpd # chkconfig vsftpd on # services vsftpd start # vim /etc/hosts.denyvsftpd: 172.25.0.0/16

OR # iptables -A INPUT -s 172.25.0.0/16 -p tcp -dport 20:21 -j REJECT # services iptables save

QUESTION 40Shutdown the /root/cdrom.iso under /opt/data, and set as boot automatically mount.


Explanation/Reference: # cd /opt/ # mkdir data # mount -t iso9660 -o loop /root/cdrom.iso /opt/data # vim /etc/fstab/root/cdrom.iso /opt/data iso9660 defaults,loop 0 0 # mount -a # mount

vi /etc/fstab 192.168.0.254:/data / common nfs defaults 0 0 reboot the system.


RedHat.EX300 - GRATIS EXAM...chcon –R –t samba_share_t /common/ smbpasswd -a andy systemctl...

Documents

Transcript of RedHat.EX300 - GRATIS EXAM...chcon –R –t samba_share_t /common/ smbpasswd -a andy systemctl...