Jump to: navigation, search

OPS235 Lab 4

1,799 bytes added, 15:42, 9 October 2019
Using getopts Function & case statement
{| width="40%" align="right" cellpadding="10"
There are many other tasks that a Linux system administrator must perform other than installing Linux and installing software.
User account management is a very important operation that a Linux sysadmin does on a consistent an continual basis. The sysadmin not only needs to add or remove user accounts by issuing commands, but may need to automate user account creations a large number (batch) of potential employees. There are many features with the Linux command to create new users including: specification of a home directory, type of shell used, name, password and time-limit (referred to as "aging") for a new user account. Removing user accounts also have options such as removing the user account but keeping the home directory for reference or evidence of "wrong-doing"
Another important operation for a Linux sysadmin is to manage services (eg. starting, restarting, stopping, disabling, enabling system services).
Many students may think that the following topic is small and "not a big deal". Those students may say, '''"How hard is running and stopping services?"'''
The process may not be hard, but knowing how to stop, start, restart and check the status of services is absolutely critical to a Linux server. '''Aside from learning to trouble-shoot problems''' by checking the status of running services, '''understanding how to manage services is critical to help protect a Linux server from penetration''' (this term is referred to as "'''Hardening a system'''"). Sometimes it is "what we don't know" that can harm us. One key element in hardening a computer system is to disable non essential networkng services to allow IDSs ('''Intrusion Detection Systems''') to focus on a narrower range of policy violations. A Debian-based penetration testing distribution called '''Kali''' (formerly referred to as '''"BackTrax"''') allows sysadmins and security professionals to identify vulnerabilities in their computer systems, and thus improve (harden) their systems against penetration. Learning to monitor the status, enable and disable networking services underlies the '''Backtrax''' motto: '''''"The quieter you are, then more you will hear..."'''''<br><br>
<u>Main Objectives</u>:
:* Display the '''status of running services''' on a Linux system.
:* Create a Bash shell script to '''generate multiple user accounts''' from a text user database file
{|width="80%" cellspacing="0"
|style="padding-left:20px;" |User Management
[http / useradd]<br>[http / userdel]<br>[http / usermod]<br>[http / groupadd]<br>[http / groupdel]<br>
[ chage]<br><br>
Managing Services<br>
[ chkconfig]<br>
[ service]<br>
[ systemctl]<br>
|style="padding-left:20px;" |Miscellaneous
[ init vs systemd]
= INVESTIGATION 1: User/Group Management =
In your ULI101 course, you learned to change permissions for directories and files relating to user, same group members and other group members. In this course, since you are the sysadmin with root privileges, you can create or remove users and groups as well as change the ownership of directories and files! We will now learn to perform key user account management operations in this section.
# Launch your '''c7host''' and '''centos1''' VMs.
# Switch to your '''centos1''' VM.
# Open a shell terminal and login as '''root'''.
# Look at the <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/passwd</span></code></b> file.
# Remain in your '''centos1''' VM for this section.
# Read the man page for the <b><code><span style="color:#3366CC;font-size:1.2em;">useradd</span></code></b> command.
# Create a new user called '''ops235_1''' by issuing the command: <br><b><code><span style="color:#3366CC;font-size:1.2em;">useradd ops235_1</span></code></b>
# Issue the command: <b><code><span style="color:#3366CC;font-size:1.2em;">grep ops235_1 /etc/passwd</span></code></b> to see if that user account was created.
# View the '''/home''' directory to view the contents. Is the user ops235_1's home directory there?<br><br>'''NOTE:''' In some versions of Linux, you may have to issue the '''-m ''' option with the useradd command in order to create a home directory for that user.<br><br># Issue the following command to create the user called ops235_2: <br><b><code><span style="color:#3366CC;font-size:1.2em;">useradd -m ops235_2</span></code></b>
# View the '''/home''' directory to verify that the home directory for '''ops235_2''' has been created. What does the -m option do for the useradd command?
# Issue the following command to remove the user called ops235_2: <b><code><span style="color:#3366CC;font-size:1.2em;">userdel ops235_2</span></code></b>
# Issue the grep command with the /etc/passwd file to verify that the username ops235_2 was removed.
# View the contents of the '''/home''' directory. Was the home directory for user '''ops235_2''' removed?
# Issue the following command to remove ops235_2's home directory: <b><code><span style="color:#3366CC;font-size:1.2em;">rm -rf /home/ops235_2</span></code></b>
# Issue the '''userdel''' comamnd to remove the '''ops235_1''' account with the '''-r option''' (and home directory regardless if it exists or not).
# Issue the useradd -m command to recreate the user called: '''ops235_1'''.
# Use the '''passwd''' command to set the password for the user '''ops235_1'''.
# View the <u>contents</u> for '''ops235_1's''' home directory and note the files.
# Look at Create a new file in the man page for '''/etc/shadowskel''' using the command: <b><code><span style="color:#3366CC;font-size:1.2em;">man 5 shadow</span></code></b># Create a new file in the /etc/skel directory with the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">touch /etc/skel/foo</span></code></b>
# Recreate the new user (with home directories automatically created) for '''ops235_2'''.
# Set the password for the user '''ops235_2'''.
# Be sure to record your observations in your lab notes.
#Issue the man pages for the '''useradd''' command. Explain the purpose of using the '''-e''' option for the ''useradd'' command.
#Issue the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">chage -E 20182019-0512-31 ops235_1</span></code></b>#Issue the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">usermod -c "New Name" ops235_2</span></code></b>. #View ops235_2's account information in the '''/etc/passwd''' file. What do you notice is different?# Issue the following command to obtain information regarding the user called ops235_1: <b><code><span style="color:#3366CC;font-size:1.2em;">chage -l ops235_1</span></code></b>. What do you think is the purpose of the chage command and the useradd command with the '''-e ''' option?
=== Part 3: Managing Groups ===
In this section, we will learn how to create, remove and modify groups in our Linux VM. You learned in ULI101 how to change permissions with the '''chmod''' command, but you didn't have admin privileges to '''create groups ''' to allow directory and regular file sharing. Since you now have admin privileges with your VM, you can now create groups, and add users to this group to allow file-sharing among users.
:'''Perform the following steps:'''
#Make certain that you are still in your '''centos1''' VM.#Close your terminalall application windows, and switch user accounts (within your centos1 VM) by clicking on the top right-hand side of the screen (power icon), click '''your regular username''', click '''switch user''', and login as '''"New Name" ''' (i.e. ops235_2).
#Open a shell terminal.
#Create a file called '''information.txt''' in home directory of that user.
#Issue the command <b><code><span style="color:#3366CC;font-size:1.2em;">su -</span></code></b> to login to your root account.
#Issue the following command to create a group called '''welcome''': <b><code><span style="color:#3366CC;font-size:1.2em;">groupadd welcome</span></code></b>
#Issue the command: <b><code><span style="color:#3366CC;font-size:1.2em;">grep welcome /etc/group</span></code></b> file to confirm that the group '''welcome''' was created.
# Read the man page for the <b><code><span style="color:#3366CC;font-size:1.2em;">usermod</span></code></b> command. Which option allow you to set the Group ID number ('''GID''') when you create a new group? Which options allow you to both append and assign users to an existing group name?
# Issue the two separate '''usermod''' command commands to add both '''ops235_1''' and '''ops235_2''' to the newly-created '''welcome ''' group.
# Verify that both ops235_1 and ops235_2 now belong to the '''welcome''' group.
===Practical Example===
Management has indicated sent you (the Linux systadmin) that the a "noobienew" employee has been hired and will be on on probation for 3 months. As the Linux system administrator, they want you to perform the following steps:
# Remain in your '''centos1''' VM for this section.
# Use the '''useradd''' command to create a user account called: '''noobie''' to expire in 3 months from this date as part of the security policy of this organization(issue man useradd to determine correct option to set expiry date).
# Set an appropriate password for this user account.
# Add this newly-created user to the newly-created '''welcome''' group.
=== Part 1: How do we Manage System Services? ===
We have seen At the beginning of this lab we mentioned that maintaining running unneeded '''packages can be a security risk''' due to the unnecessary increase in the complexity of your system. Similarly, it is also unnecessarily hazardous, and even more so, to leave unneeded services running. In this investigation, we will learn how to '''control services, and turn off those services that we think are not necessary to help reduce security risks'''.
Although there is a command called: '''service''' that may appear to manager services on your Linux system, it is considered <u>'''deprecated'''</u> (i.e. "obsolete"). It has been replaced by using the [ systemctl] command.
# To verify the status of your iptables service, issue the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">systemctl status iptables</span></code></b>
# Use the commands you used in Lab2 to '''stop''' and '''disable''' the iptables service.
# Issue a command to verify you '''disabled''' and '''stopped''' the iptables service.<br><br>'''Note:''' There is a major difference between stopping a service and disabling a service: If a service is stopped but enabled, the service will start upon reboot. Therefore to prevent it being started upon boot-up, the service will need to be disabled as well!<br><br># Issue the commands to '''start''' and '''enable''' the iptables service, and '''verify''' that it is <u>started</u> and <u>enabled</u>.<br><br>'''Note:''' If you performed the commands correctly, the iptables service should be running, and will automatically run upon your Linux machine start-up.   ===Part 2: How do we Manage Runlevels?===
Running Linux servers in graphical mode can make the server vulnerable to penetration (i.e. a potential break-in to the server from unauthorized intruders). The X-windows framework can be vulnerable to attacks when these servers are connected to the Internet. This is why when you install '''server versions''' of Linux, they work in text-based mode only. Desktop versions of Linux are then installed on workstations (working in graphical mode) that connect to the '''Linux server''' (for security reasons since those servers are closest to the router and the Internet).
The Linux sysadmin can also change the run-level (or state) of a graphical Linux server to run in text-based mode and run the graphical mode by issuing a command when graphic mode is required. The run-level term is now deprecated in Fedora, and will likely be deprecated in RHEL/CentOS at some point as well, but for now this is what the industry is using.
{| width="50%" align="right" cellpadding="10"
|- valign="top"
[[Image:grub2_1.png|thumb|right|600px|The purpose of '''Linux servers''' are to run network-based services (i.e. they '''"serve"''' the users that operating in that Linux/Unix system). It is common that these Linux servers are separated (for security purposes) and they are '''run in Command-Line mode only'''. Running these Linux/Unix servers in '''Graphics Mode will make them more vulnerable to penetration from hackers, etc.''' Therefore, it is common that the Linux servers are CLI <u>only</u>, but the Workstations that connect to them within the network are GUI. Therefore, it is important that a Linux/Unix system administrator understand to switch to these different "run-levels". ]]
===Part 2: How do we Manage Runlevels?===
Running servers in graphical mode will make your system most likely to be penetrated. The X-windows framework can be vulnerable to attacks when these servers are connected to the Internet. This is why when you install server versions of Linux, they work in text-based mode only. Desktop versions of Linux are then installed on workstations (working in graphical mode) that connect to the server (for security reasons).
The Linux sysadmin can also change the run-level (or state) of a graphical Linux server to run in text-based mode and run the graphical mode by issuing a command when graphic mode is required. The run-level term is now deprecated in Fedora, and will likely be deprecated in RHEL/CentOS at some point as well, but for now this is what the industry is using.
:'''Perform the following steps:'''
# Remain in your '''centos1''' VM for this section.
# Issue the following Linux command: <b><code><span style="color:#3366CC;font-size:1.2em;">runlevel</span></code></b><br><br>'''Note:''' You should see two separate characters (like N 5). The number on the right is the current run-level 5 (which is graphical mode). The number or character on the left if the previous run level (which is N which means there was no previous run level since it was a "new" install).<br><br>
# You can use the '''init''' command to change the current run-level. See a list of runlevels [ here].
# Issue the '''init''' command to change the current run-level in '''centos1''' to '''3'''by issuing the following command:<br><b><code><span style="color:#3366CC;font-size:1. 2em;">init 3</span></code></b># What happeneddid you notice?# Issue the following Linux command: <b><code><span style="color:#3366CC;font-size:1.2em;">startx</span></code></b><br>What happens? Why would you want to make a graphical Linux system run in text-based mode?# Log-off your graphical system. You should return to your CLI shell promptand change to root user. You should notice at this point that the command '''startx''' did not reset your run-level.# Reissue the '''init ''' command to change the current run-level back to '''5'''<br>Did it work? Why would you want # Issue the runlevel command to verify that the run-level is set to make '''5''' (i.e. Graphical). You should notice a '''3 followed by a graphical Linux system 5'''. That is to indicate that the '''current''' run in text-based mode?level is 5, but <u>previously</u>, it was set to 3.
'''Answer INVESTIGATION 2 observations / questions in your lab log book.'''
#Open a shell terminal, and login as root.
#Change to the '''/root/bin''' directory.
#Download, study, and run the following shell script. Issue the command:<br><b><code><span style=" pointer-events:none;cursor:default;color:#3366CC;font-size:1.2em;">wget</span></code></b>
#Try to understand what these Bash Shell scripts do, and then run the script as root to create just one user called '''test'''. After running the shell script, view the contents of the '''/home''' directory to confirm.
<ol><li value="36">Open a Bash shell terminal and login as root.</li><li>Change to the '''/root/bin''' directory.</li><li>Use the wget command to download the input file called user-data.txt by issuing the command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">wget</span></code></b></li><li>View the contents on the user-data.txt file to confirm there are 3 fields (username, fullname, and e-mail address)which are separated by the colon (:) symbol.</li><li>Use a text editor (such as <b><code><span style="color:#3366CC;font-size:1.2em;">vi</span></code></b> or <b><code><span style="color:#3366CC;font-size:1.2em;">nano</span></code></b>) to create a Bash Shell script called: <b><code><span style="color:#3366CC;font-size:1.2em;">createUsers.bash</span></code></b> in the /root's home /bin directory.</li><li>Enter the following text content into your text-editing session:</li></ol>
<code style="color:#3366CC;font-family:courier;font-size:.9em;margin-left:20px;font-weight:bold;">
<ol><li value="612">Save your editing session, but remain in the text editor.</li><li>The code displayed below uses the getopt function set the input file pathname or check for invalid options or missing option text. Add the following code</li></ol>
<code style="color:#3366CC;font-family:courier;font-size:.9em;font-weight:bold;">
<ol><li value="614">Save your editing session, but remain in the text editor.</li><li>The code displayed below uses logic to exit the script if the input file does not exist. Command substitution is used to store each line of the input file as a positional parameter. There is one subtle problem here: The full names of the users contain spaces which can create havoc when trying to set each line as a separate positional parameter. In this case the sed command is used to convert spaces to plus signs (+), which will be converted back later. Finally, a '''for''' loop is used to create each account ('''useradd''') and mail the user their account information ('''mail'''). Add the following code:</li></ol>
<code style="color:#3366CC;font-family:courier;font-size:.9em;font-weight:bold;">
<li value="816">Save, set permissions, and then run that shell script for the input text file '''user-data.txt'''. Did it work? Try running the script without an argument - What did it do? </li><li>You have completed lab4. Proceed to Completing The Lab, and follow the instructions for "lab sign-off".</li></ol>
'''Answer INVESTIGATION 3 observations / questions in your lab log book.'''
# Switch to your '''c7host''' VM.
# Open a shell terminal, '''su -''' into root, and change to the '''/root/bin''' directory.
# Issue the Linux command: <b><code><span style="color:#3366CC;font-size:1.2em;">wget http</span></code></b>
# Give the '''lab4-check.bash''' file execute permissions (for the file owner).
# Run the shell script and if any warnings, make fixes and re-run shell script until you receive "congratulations" message.
#Arrange proof of the following on the screen:<br><span style="color:green;font-size:1.5em;">&#x2713;</span> '''centos1''' VM:<blockquote><ul><li>Demonstrate that this VM 's current run-level is set to '''5'''.</ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span>'''c7host''' machine<blockquote><ul><li>Run the '''lab4-check.bash''' script in front of your instructor (must have all <b><code><span style="color:#66cc00;border:thin solid black;font-size:1.2em;">&nbsp;OK&nbsp;</span></code></b> messages)</li></ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''Lab4''' log-book filled out.
= Practice For Quizzes, Tests, Midterm &amp; Final Exam =
[[Category:OPS235 Labs]]
[[Category:CentOS 7]]

Navigation menu