Red Hat Certification – RHCE - Course Outline

2012-06-13
it
#authconfig, #centos, #certification, #encryption, #firewall, #gnupg, #gpg, #http, #proxy, #iptables, #ipv6, #ldap, #linux, #masquerade, #nat, #openssl, #pam, #pki, #red, #hat, #rhce, #routing, #squid, #ssh, #keygen, #sssd, #studying, #web

Howdy!

In case you saw my previous posts I've been prepping for a RHCE course the last couple of weeks.

Here are the posts based on the objectives:

Odds are quite high that I've missed something or not gone deep enough into some subjects and for the record some subjects I decided to skip.

I'm taking the course over at Tieturi here in Helsinki and they have published the schedule for the course, with quite detailed outline.

This outline of the course can with benefit be used to see if you missed any terms or functions while going through the objectives.

I'll go through the ones I find more interesting below:

Network Resource Access Controls

Internet Protocol and Routing

OK, well this is quite obvious, some commands:

ip addr
ip route
route add
netstat -rn

IPv6

IPv6: Dynamic Interface Configuration
IPv6: StaticInterface Configuration
IPv6: Routing Configuration

You can add IPV6 specific lines in the ifcfg-device files in /etc/sysconfig/network-scripts/. See /usr/share/doc/initscripts*/sysconfig

Some settings can also go into /etc/sysconfig/network

iptables

Netfilter Overview -Rules: General Considerations -Connection Tracking -Network Address Translation (NAT) -IPv6 and ip6tables

Web Services

Squid Web Proxy Cache

On client check what IP you get:

curl --proxy squid-server.example.com:3128

On server install and setup squid:

yum install squid
vi /etc/squid/squid.conf
# add this line in the right place:
acl localnet src 192.168.1.1/32
# allow port 3128 TCP in the firewall (use very strict access here)
service squid start

On client:

curl --proxy squid-server.example.com:3128 <www.guldmyr.com/ip.php>

Beware that this is unsecure. Very unsecure. You should at least set up a password for the proxy, change the default port and have as limited firewall rules as possible.

E-mail Services

Simple Mail Transport Protocol -Sendmail SMTP Restrictions -Sendmail Operation

Securing Data

-The Need For Encryption

Symmetric Encryption

Symmetric uses a secret/password to encrypt and decrypt a message. You can use GnuPG (cli command is 'gpg') to encrypt and decrypt a file symmetrically. Arguments:

--symmetric/-c == symmetric cipher (CAST5 by default) --force-mdc == if you don't have this you'll get "message was not integrity protected"

There are many more things you can specify.

echo "awesome secret message" > /tmp/file
gpg --symmetric --force-mdc /tmp/file
# (enter password)
# this creates a /tmp/file.gpg
# beware that /tmp/file still exists
# to decrypt:
gpg --decrypt /tmp/file.gpg
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
awesome secret message

-Asymmetric Encryption

Uses a key-pair. A public key and a private key. A message encrypted with the public key can only be decrypted with the private key. A message encrypted with the private key can only be decrypted with the public key.

GnuPG can let you handle this.

gpg --gen-key
# in this interactive dialog enter username: labber, e-mail and password
# this doesn't always work, might take _long_time_, eventually I just tried on another machine
echo "secret message" > /tmp/file
gpg -e -r labber /tmp/file
# enter password
`gpg --decrypt /tmp/file`
# enter password

To export the public key in ASCII format you can:

gpg --armor --output "key.txt" --export "labber"

However, how to encrypt a file with somebody else's public key?

-Public Key Infrastructures - PKI

Consists of:

CA - certificate authority - issues and verifies digital certiciates
RA - registration authoriy - verifies user identity requesting info from the CA
central directory - used to store and index keys

-Digital Certificates

A certificate has user details and the public key.

Account Management

Account Management -Account Information (Name Service)
Name Service Switch (NSS)
Pluggable Authentication Modules (PAM)
PAM Operation -Utilities and Authentication

PAM

Basically a way to authenticate users. You can put different types of authentication ways behind PAM. So that a software only needs to learn to authenticate to PAM and then PAM takes care of the behind-the-scenes-work.

For example you can have PAM connect to an ldap-server.

CLI: authconfig

Files:

/etc/sysconfig/authconfig
/etc/pam.d/
/etc/sssd/sssd.conf