rhce real lab


Upload: cristian-munoz-silva

Post on 19-Jan-2016


Page 1: RHCE Real Lab

RHCE Exam

Stage A: consists of 4 Compulsory questions + 5 general questions (at least 3 must be solved)

Note that the Compulsory questions must all be solved within 1 hour.

Stage B: Troubleshooting questions.

Stage A begins. (80 points in total.)

●Compulsory 1:(T01) the examiner can log into your system as root using the password

rW9ySX. The home directory must be /root. (compulsory)

1. Boot into single-user mode

Press the <e> key. Press the <e> key.

At the very end of the line, type S or 1 and press Enter. Press the "B" key to boot.

2. sh-3.2# passwd

Other check: find out the password expiration period, then change it.

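Reference) About the chage command

chage (change user password expiry information)

A command that sets and changes the expiration date of a user's password.

It is used to manage passwords as part of securing the system. It sets and changes a user's aging information.

chage command options

-d : the date the password was last changed, in YYYY-MM-DD form.

-E : specifies the date after which the user account can no longer be accessed.

-I : specifies the number of days after the password expires until the account can no longer be used; after that the password is locked.

-M : specifies the maximum number of days the password is valid.

-m : specifies the number of days after the password is set before it can be changed again.

-W : specifies how many days before the password expires a warning message is given.

-l [account name] : shows the user's password expiry information.

Usage

1) chage -l account_name

The figure below shows the aging information for the user account named strong.

Last password change

Shows the date the password was last changed.

If the password has never been changed, this is the date the password was set when the account was first created.

Password expires

Shows when the password expires.

It is counted from the date the password was changed, and shows after how many days the password will expire.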
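The expiry calculation described above (last change date plus maximum days), worked through on shadow(5) aging fields. This is an added example, not part of the original document; the shadow entries are constructed samples with placeholder hashes, and `password_expires` and `report` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: derive a "Password expires" date from shadow(5) aging fields.
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is counted in days since 1970-01-01; max is the value set by -M.

# Constructed sample entries (hashes are placeholders, not real).
SAMPLE_SHADOW='strong:$6$placeholder:16800:0:90:7:::
root:$6$placeholder:16819:0:99999:7:::
newuser:$6$placeholder:0:0:90:7:::'

# password_expires <shadow-line> -> YYYY-MM-DD, "never" or "must change"
password_expires() {
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    # lastchg 0 forces a password change at the next login.
    if [ "$lastchg" = "0" ]; then echo "must change"; return; fi
    # An empty field, or the conventional 99999, means no maximum age.
    if [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo "never"; return
    fi
    days=$((lastchg + max))
    # Convert days since the epoch to a calendar date (UTC).
    date -u -d "@$((days * 86400))" +%Y-%m-%d
}

# report: one "account expiry" line per constructed entry
report() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do
        printf '%s %s\n' "${line%%:*}" "$(password_expires "$line")"
    done
}

report
```

Accounts reported as "never" are the ones to review when a password aging policy is expected to be in force.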

Other checks: delete the /etc/nologin file and check the /etc/rc.local file.

3. The home directory must be set to /root.

Reboot

●Compulsory 2:(T02) ping 172.25.254.254 is successful, and your system uses static

networking as described in /root/network.txt (compulsory)

1. Use netstat -ar to check whether a default gateway entry is configured.

2. Configure the default gateway.

●Compulsory 3:(T03) dig server1.my133t.org successfully resolves that hostname using DNS

(compulsory)

1. dig is a DNS lookup utility. Check the DNS configuration file, /etc/resolv.conf.

●Compulsory 4:(T09) your system has a new 100MB physical partition mounted under

/mnt/new with a 100MB ext3 filesystem. Note: because partition sizes are seldom exactly what is

specified when they are created, anything within the range of 90 to 110MB is acceptable

(compulsory).

1. Create a new file system of about 100MB and mount it on /mnt/new.

The Compulsory questions are all finished.

Reboot the system once and ask the proctor to evaluate it.

From here on are the non-compulsory questions.

●Services:(T05) the requirement described in /root/services is met (A certain user's home directory is a shared directory. However, when checked with showmount -e, the shared directory is not visible. Make the user's shared home directory accessible.)

1. Check whether the shared directory is configured in /etc/exports.

2. Check whether the NFS-related daemons are running.

3. Check that the shared folder is now visible.

●Wildcard:(T06) the requirement described in /root/wildcard is met (Configure the system so that graphical login is possible.)

1. In the /etc/inittab file, change the id setting to 5.

Additional questions

●When the X server cannot start because the mouse is not configured.

1. Change the settings with system-config-display, or change the settings in /etc/X11/xorg.conf.

If a mouse-configuration error occurs, change the settings with system-config-mouse.

2. Installing a mouse driver may also be necessary. (Applications - Add/Remove Software)

3. When /tmp is full or the folder does not exist.

4. When a quota limit is in effect. Delete unnecessary files.

5. Whether the xfs service is running.

reboot

●Storage:(T10) the requirement described in /root/lvm is met

One Logical Volume named lv1 is created under vg0. The initial size of that Logical Volume is 100MB. Now you require a size of 500MB. Successfully make the size of that Logical Volume 500M without losing any data. The size should also be increased online.

1. Check the LVM partition.

2. Check the Physical Volume and Volume Group.

3. Check the Logical Volume.

4. Extend the Logical Volume.

●Wildcard:(T06) the requirement described in /root/wildcard is met

User neo ran: dd if=/dev/zero of=/home/neo/somefile bs=1024 count=70 and the file was created successfully. neo then tried again to create a 70K file using the following command:

dd if=/dev/zero of=/home/neo/somefiles bs=1024 count=70 but he is unable to create the file.

Make it possible for the user to create files of less than 70K.

Log in as the neo account and test the quota.

Old version questions.

●You are a system administrator. Log files make it very easy to identify problems. There are now 50 servers running as Mail, Web, Proxy, DNS, etc. You want to centralize the logs from all servers onto a LOG server. How will you configure the LOG server?

●There is one partition named /dev/hda14 mounted on /data. The owner of /data is the root user and root group. Permissions are set to full for the owner, read and execute for group members, and none for others. Now you should give full permission to user usesr1 without changing the previous permissions.

●The examiner told you that the password of root is rehdat. When you tried to log in, an error message was displayed and the login screen was redisplayed. You changed the root password, but are again unable to log in as root. How will you make login as root succeed?

1. Refer to Compulsory question 1, and check /etc/securetty for entries that have been commented out or deleted.

●There are more than 400 computers in your office. You are appointed as system administrator, but you don't have a router, so you are going to use one Linux server as a router. How will you enable IP packet forwarding?

1. echo 1 > /proc/sys/net/ipv4/ip_forward

2. To make the change permanent, edit the /etc/sysctl.conf file.

3. Use the following command to synchronize the new configuration file with the kernel.
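An added check, not from the original document, for the difference between steps 1 and 2: the value set at runtime versus the value /etc/sysctl.conf applies at boot. The sysctl.conf content is a constructed sample, `persistent_value` and `forward_state` are hypothetical helper names, and `sysctl -p` is the standard command for loading that file.

```shell
#!/bin/sh
# Added example: compare the running ip_forward value with what
# /etc/sysctl.conf will apply at the next boot.

# Constructed sample of a sysctl.conf (not taken from the original page).
SAMPLE_CONF='# Kernel sysctl configuration file
net.ipv4.ip_forward = 0
kernel.sysrq = 0
  net.ipv4.ip_forward=1
#net.ipv4.ip_forward = 0'

# persistent_value <key>: reads sysctl.conf text on stdin and prints the
# value of the last uncommented assignment of <key> (later lines win).
persistent_value() {
    sed -e '/^[[:space:]]*[#;]/d' -e 's/[[:space:]]//g' |
        awk -F= -v k="$1" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# forward_state <runtime> <persistent>: classify the combination.
forward_state() {
    case "$1:$2" in
        1:1) echo "enabled now and after reboot" ;;
        1:*) echo "enabled now only; lost at reboot" ;;
        0:1) echo "configured but not loaded; run sysctl -p" ;;
        *)   echo "disabled" ;;
    esac
}

persisted=$(printf '%s\n' "$SAMPLE_CONF" | persistent_value net.ipv4.ip_forward)
# On a live host, read the real values instead of the constructed sample:
#   runtime=$(cat /proc/sys/net/ipv4/ip_forward)
#   persisted=$(persistent_value net.ipv4.ip_forward < /etc/sysctl.conf)
forward_state 1 "$persisted"
forward_state 0 "$persisted"
```

The same comparison is useful in the other direction: a host that is not meant to route should report "disabled" for both values.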

Reboot the system. Ask the administrator to check it. Once you move on to Stage B you cannot go back and solve Stage A questions, so decide carefully before moving on to Stage B.

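Stage B, the Troubleshooting questions, begins. (20 points in total.)

After you boot from the CD provided by the instructor, or install a new OS over NFS, the system will not boot normally. If it boots into runlevel 3 or 5 without any intervention along the way, you earn 20 points; if it can only boot to sulogin, you earn 10 points; and if the system cannot boot into the OS at all, you receive 0 points. For this stage you are given a boot CD that provides a rescue environment.

●A kernel panic occurs at boot and the system halts

1. Boot into rescue mode using the rescue CD.

If a message like 'chroot /mnt/sysimage can't mounted' appears when booting into rescue mode, either the kernel cannot be found in /boot or there is an error in /etc/fstab.

vi /mnt/sysimage/root/etc/fstab

Change

LABEL=root / ext3 defaults 1 1

to

LABEL=/ / ext3 defaults 1 1

If a message like 'chroot /mnt/sysimage mounted successfully' appears when booting into rescue mode, the problem is not related to /etc/fstab or the kernel. The initrd file may be missing. Create a new img file as follows.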

/sbin/mkinitrd /boot/initrd-2.0.36-3.img 2.0.36-3

2. Check the /mnt/sysimage/etc/fstab file. Check /mnt/sysimage/boot/grub/menu.lst.

**Check that the LABEL is set correctly; if it is not, set it again.

e2label /dev/sda /1

If the system does not boot into the normal runlevel, check the number after rc in /etc/inittab.

The Section 1 questions are all finished. Reboot the system and have it checked.

Section 2 is 3 hours 30 minutes in total.

●Install Red Hat Enterprise Linux on the examination system using the following source for the

installation media: install over NFS, booting from the bootable CD. NFS server1.example.com:/var/ftp/pub

●Once your system is installed the distribution is available via YUM:

YUM http://server1.example.com/pub/Server

The examiner will provide a suitable boot medium to begin the installation.

●Installation options should be chosen as follows:

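- Configure eth0 to use DHCP.

- Install the boot loader in the Master Boot Record (MBR) without setting any options.

- Set the root password to rW9ySX.

- Set the local time to the current time in the examinee's region. Set the system clock to UTC.

- Skip entering the installation number.

- Do not register with Red Hat Network.

- Before starting the installation, check the partitioning information in the next section.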

●Complete the form at http://server1.example.com/cgi-bin/enroll. Provide your name as you

wish to have it appear on your certificate (should you earn it) and the email address you wish for

us to use when contacting you with your results. Red Hat Global Learning Services requires this

information to process and report your results.

1. Before installing, enter CMOS setup and check the amount of memory.

2. SELinux must be set to enforcing mode and the Firewall must be set to disabled.

●Partition the system's primary hard drive using the following scheme:

/boot 256 MB

/ 1024 MB

/home 512 MB

/usr 2048 MB

/var 512 MB

swap 1.5 - 2 times memory reported in /proc/meminfo

/shared Use the remaining space to create a RAID 0 set on /dev/md0

If you do not know how to create the RAID 0 set for /shared, you must create it as a separate

directory.

You may create the RAID 0 set at install time or post-installation as you prefer.

●SELinux must be running in the Enforcing mode.

After installing the OS, use fdisk to create disk partitions of type 0xfd (Linux RAID), then run partprobe.

mdadm -C /dev/md0 --chunk=64 --level=0 --raid-devices=3 /dev/sda{1,2,3}

mdadm --detail /dev/md0

mke2fs -j /dev/md0

Register it in /etc/fstab.

cat /proc/mdstat

The Firewall must be set to disabled.

SELinux must be set to enforcing mode.

OS installation is finished.

●Create the following users, groups, and group memberships:

- A group named sysusers

- A user andrew who belongs to sysusers as a secondary group

- A user susan who also belongs to sysusers as a secondary group


- A user brad who does not have access to an interactive shell on the system, and who is not a

member of sysusers

- andrew, susan, and brad should all have the password of password

●Create a collaborative directory /shared/sysusers with the following characteristics:

- Group ownership of /shared/sysusers is sysusers

- The directory should be readable, writable, and accessible to members of sysusers, but not to

any other user. (It is understood that root has access to all files and directories on the system.)

- Files created in /shared/sysusers automatically have group ownership set to the sysusers

Group

●Install the appropriate kernel update from ftp://server1.example.com/pub/updates. The

following criteria must also be met:


- The updated kernel is the default kernel when the system is rebooted

- The original kernel remains available and bootable on the system


●Enable IP forwarding on your machine.

●Setup the default local print queue to forward jobs to the IPP (CUPS) print queue stationx on

server1.example.com, where x is your station number. Configure this printer as a "Generic – text only" print queue.

Note: The queue stationx on server1 dumps print jobs into the file http://server1/printers/stationx.

This file can be examined to confirm that you have configured the print queue correctly.


●The user andrew must configure a cron job that runs daily at 15:25 local time and executes

-/bin/echo hello

[root@localhost ~]# service crond restart


●Bind to the NIS domain RHCE provided by 172.24.254.254 for user authentication. Note the

following:

- nisuserx should be able to log into your system, where x is your station number, but will not

have a home directory until you have completed the autofs requirement below

- All NIS users have a password of password

On the NIS server side, the ypserv, ypbind, rpc.yppasswdd and portmap services must be running.

On the NIS client side, the ypbind and portmap services must be running.

Related files: /etc/sysconfig/network, /etc/yp.conf, /etc/nsswitch.conf, /etc/sysconfig/authconfig, /etc/pam.d/system-auth-ac

●Configure autofs to automount the home directories of NIS users. Note the following:

- server1.example.com (172.24.254.254) NFS-exports /rhome/stationx to your system, where

x is your station number

- nisuserx's home directory is server1.example.com:/rhome/stationx/nisuserx

- nisuserx's home directory should be automounted locally beneath /rhome as /rhome/nisuserx

- home directories must be writable by their users

- While you are able to log in as any of the users nisuser1 through nisuser20, the only home

directory that is accessible from your system is nisuserx.

Example: station100 would configure the automounter such that nisuser100's home directory

/rhome/nisuser100 gets mounted automatically upon login. The NFS share would be


server1.example.com:/rhome/station100/nisuser100.

**/rhome/station/& nisuserX( x is your system number)

nisuserX -fstype=nfs,rw,intr 172.24.254.254:/rhome/station/nisusersX

password is password

●Copy the file /etc/fstab to /var/tmp. Configure the permissions of /var/tmp/fstab so that:

-the file /var/tmp/fstab is owned by the root user.

- the file /var/tmp/fstab belongs to the group root.

- the file /var/tmp/fstab should not be executable by anyone.

- the user andrew is able to read and write /var/tmp/fstab.

- the user susan can neither write nor read /var/tmp/fstab.

- all other users (current or future) have the ability to read /var/tmp/fstab.


●Configure your system so that it is an NTP client of server1.example.com.


RHCE (Network Services and Security) Requirements

You will note that some requirements specify that a service should not be available from the

DNS domain my133t.org (that's m-y-one-three-three-t). All systems in that domain are in the

172.25.0.0/255.255.0.0 subnet, and all systems in that subnet are in my133t.org.

●Configure SSH access as follows:

-susan has remote SSH access to your machine from within example.com

-Clients within my133t.org should NOT have access to ssh on your system


●Configure POP3 email on your system according to these criteria:

-brad must be able to retrieve email from your machine using POP3 from within example.com

-Clients within the my133t.org domain should not have access to your POP3 service

●Configure FTP access on your system:

-Clients within the example.com domain should have anonymous FTP access to your machine

-Clients outside example.com should NOT have access to your FTP service

●Share the /shared directory via SMB:

- Your SMB server must be a member of the SMBGROUP workgroup

- The share's name must be shared

- The shared share must be available to example.com domain clients only

- The shared share must be browseable

- susan must have read access to the share, authenticating with the same password password, if

necessary


●Implement a web server for the site http://stationX.example.com, then perform the following

steps:

- Download ftp://server1.example.com/pub/rhce/station.html

- Rename the downloaded file to index.html

- Copy this index.html to the DocumentRoot of your web server

- Do NOT make any modifications to the content of index.html


●Export your /shared directory via NFS to the example.com domain only.

Note: because you will not have root access, you will not be able to directly mount your exported

/shared directory using your guest account on the system provided for testing. However, the

automounter on the system has been configured such that it will automount your /shared

directory under /home/guestx/nfs/stationx, where x is your station number. Consequently,

successful execution of ls /home/guestx/nfs/stationx indicates that the automounter was able to

automount your NFS share.

●Configure an email alias for your MTA such that mail sent to acctmgr is received by the local

user andrew.

●Configure SMTP mail service according to the following requirements:

- Your mail server should accept mail from remote hosts and localhost

- susan must be able to receive mail from remote hosts

- Mail delivered to susan should spool into the default mail spool for susan, /var/spool/mail/susan.


Additional RHCE Requirements

Perform any two of the following steps. Completion of more than two will not result in extra

credit. If time allows, you may wish to complete more than the minimum just in case one of your

tasks does not meet our specifications. Please note that these additional items are part of your

RHCE-specific score.

●Provide SSL-encapsulated IMAP access (IMAPS):

- IMAPS must be available to brad from example.com

- IMAPS must NOT be available to other networks or domains.

- The SSL certificate for the IMAPS server must be created as follows:

* Use the defaults for Country, State, Locality, and Organization Name

* Set Organizational Unit to GLS

* Set Common Name to stationx.example.com

* Set Email Address to [email protected]

When iptables is running

# iptables -A INPUT -s ! 172.24.0.0/24 -p tcp --dport 110 -j REJECT

# iptables -A INPUT -s ! 172.24.0.0/24 -p udp --dport 110 -j REJECT

# iptables -A INPUT -s ! 172.24.0.0/24 -p tcp --dport 993 -j REJECT

# iptables -A INPUT -s ! 172.24.0.0/24 -p udp --dport 993 -j REJECT

# iptables -I INPUT -i lo -j ACCEPT

# service iptables save

# service iptables restart

# chkconfig iptables on

Verifying IMAP operation

mutt -f imap://user@server[:port]

mutt -f imaps://user@server[:port]

openssl s_client -connect station1.example.com:993

●Implement a web proxy server bound to port 8080.

- Clients within example.com should have access to your proxy server

- Clients outside of example.com should NOT have access to your proxy server


●Extend your web server to include a virtual host for the site http://wwwx.example.com/, where

x is your station number, then perform the following steps:

- Set the DocumentRoot to /var/www/virtual

- Download ftp://server1.example.com/pub/rhce/www.html

- Rename the downloaded file to index.html

- Place this index.html in the DocumentRoot of the virtual host

- Do NOT make any modifications to the content of index.html

- Ensure that susan is able to create content in /var/www/virtual

Note: The original web site http://stationX.example.com must still be accessible. DNS resolution

for the hostname wwwx.example.com is already provided by the name server on

server1.example.com.
