Red Hat Certification – RHCE - Course Outline


Howdy!

In case you saw my previous posts I've been prepping for a RHCE course the last couple of weeks.

Here are the posts based on the objectives:

Odds are quite high that I've missed something or not gone deep enough into some subjects and for the record some subjects I decided to skip.

I'm taking the course over at Tieturi here in Helsinki and they have published the schedule for the course, with quite detailed outline.

This outline of the course can with benefit be used to see if you missed any terms or functions while going through the objectives.

I'll go through the ones I find more interesting below:

Network Resource Access Controls

-Internet Protocol and Routing

OK, well this is quite obvious, some commands:

ip addr ip route route add netstat -rn

IPv6

-IPv6: Dynamic Interface Configuration -IPv6: StaticInterface Configuration -IPv6: Routing Configuration

You can add IPV6 specific lines in the ifcfg-device files in /etc/sysconfig/network-scripts/. See /usr/share/doc/initscripts*/sysconfig

Some settings can also go into /etc/sysconfig/network

iptables

-Netfilter Overview -Rules: General Considerations -Connection Tracking -Network Address Translation (NAT) -IPv6 and ip6tables

Web Services

-Squid Web Proxy Cache

On client check what IP you get:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

On server install and setup squid:

yum install squid vi /etc/squid/squid.conf

add this line in the right place:

acl localnet src 192.168.1.1/32

allow port 3128 TCP in the firewall (use very strict access here)

service squid start

On client:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

Beware that this is unsecure. Very unsecure. You should at least set up a password for the proxy, change the default port and have as limited firewall rules as possible.

E-mail Services

-Simple Mail Transport Protocol -Sendmail SMTP Restrictions -Sendmail Operation

Securing Data

-The Need For Encryption

-Symmetric Encryption

Symmetric uses a secret/password to encrypt and decrypt a message. You can use GnuPG (cli command is 'gpg') to encrypt and decrypt a file symmetrically. Arguments:

--symmetric/-c == symmetric cipher (CAST5 by default) --force-mdc == if you don't have this you'll get "message was not integrity protected"

There are many more things you can specify.

echo "awesome secret message" > /tmp/file gpg --symmetric --force-mdc /tmp/file

(enter password)

this creates a /tmp/file.gpg

beware that /tmp/file still exists

to decrypt:

gpg --decrypt /tmp/file.gpg gpg: 3DES encrypted data gpg: encrypted with 1 passphrase awesome secret message

-Asymmetric Encryption

Uses a key-pair. A public key and a private key. A message encrypted with the public key can only be decrypted with the private key. A message encrypted with the private key can only be decrypted with the public key.

GnuPG can let you handle this.

Login with a user called 'labber':

gpg --gen-key

in this interactive dialog enter username: labber, e-mail and password

this doesn't always work, might take _long_time_, eventually I just tried on another machine

echo "secret message" > /tmp/file gpg -e -r labber /tmp/file

enter password

gpg --decrypt /tmp/file

enter password

To export the public key in ASCII format you can:

gpg --armor --output "key.txt" --export "labber"

However, how to encrypt a file with somebody else's public key?

-Public Key Infrastructures - PKI

Consists of:

  • CA - certificate authority - issues and verifies digital certiciates
  • RA - registration authoriy - verifies user identity requesting info from the CA
  • central directory - used to store and index keys

-Digital Certificates

A certificate has user details and the public key.

Account Management

-Account Management -Account Information (Name Service) -Name Service Switch (NSS) -Pluggable Authentication Modules (PAM) -PAM Operation -Utilities and Authentication

PAM

Basically a way to authenticate users. You can put different types of authentication ways behind PAM. So that a software only needs to learn to authenticate to PAM and then PAM takes care of the behind-the-scenes-work.

For example you can have PAM connect to an ldap-server.

CLI: authconfig

Files: /etc/sysconfig/authconfig /etc/pam.d/ /etc/sssd/sssd.conf