Commands
Want to pass the RHCSA9 exam? This section of the RHCSA9 Exam Series: Operate Running Systems will review how to operate running systems–a key skill
Are you a Linux professional looking to master the skills to manage security in RHCSA? In this article, we’ll show you how to configure firewall settings, manage file permissions, set up key-based authentication for SSH, and much more!
As a Linux professional, passing the Red Hat Certified System Administrator (RHCSA) 9 exam is a crucial step in your career. One of the topics covered in the exam is the “Manage Security” section, which focuses on configuring and managing security settings on a Linux system. In this article, we will discuss the key aspects of this section and provide examples of how to accomplish each task.
Photo by Tima Miroshnichenko from Pexels
One of the critical tasks of a Linux administrator is to ensure that the system is secure by configuring the firewall settings. The RHCSA exam expects candidates to have a good understanding of firewalld, which is the default firewall management tool in Red Hat Enterprise Linux 9 (RHEL 9).
To configure the firewall settings, you need to use the firewall-cmd command, which is a command-line interface to manage the firewall. For example, to allow incoming traffic on port 80 (HTTP), you can run the following command:
$ sudo firewall-cmd --add-port=80/tcp --permanent
This command adds a new rule to the firewall to allow incoming traffic on port 80. The “–permanent” option makes sure that the rule persists across reboots. Another example is to block incoming traffic on a specific port. For instance, to block incoming traffic on port 22 (SSH), you can run the following command:
$ sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="22" reject' --permanent
This command adds a new rule to the firewall to block incoming traffic on port 22 from the IP range 192.168.1.0/24.
Linux is known for its robust security features, which includes file permissions. As a Linux administrator, you need to ensure that the default file permissions are set correctly to prevent unauthorized access to sensitive data.
The RHCSA exam expects candidates to know how to manage default file permissions using the umask command. For example, to set the default file permissions to 644 (rw-r–r–), you can run the following command:
$ umask 022
This command sets the umask value to 022, which means that the default file permissions for new files will be 644. Another example is to set the default file permissions to 660 (rw-rw—-) for directories. To accomplish this, you can run the following command:
$ umask 002
This command sets the umask value to 002, which means that the default file permissions for new directories will be 770.
SSH is a popular remote access protocol used by Linux administrators to access servers remotely. The RHCSA exam expects candidates to know how to configure key-based authentication, which is a more secure way of accessing remote servers.
To configure key-based authentication, you need to generate a public/private key pair using the ssh-keygen command. For example, to generate a new key pair, you can run the following command:
$ ssh-keygen -t rsa
This command generates a new RSA key pair in the default location (~/.ssh/id_rsa). Once you have generated the key pair, you need to copy the public key to the remote server’s authorized_keys file. For example, to copy the public key to the remote server, you can run the following command:
$ ssh-copy-id user@remote-server
This command copies the public key to the remote server’s authorized_keys file, allowing you to access the server without entering a password.
SELinux (Security-Enhanced Linux) is a Linux kernel security module that provides a mandatory access control mechanism. The RHCSA exam expects candidates to know how to configure SELinux by setting enforcing and permissive modes.
To set SELinux in enforcing mode, you can run the following command:
$ sudo setenforce 1
This command sets SELinux to enforcing mode, which means that it will enforce the security policies defined by the policy rules. To set SELinux in permissive mode, you can run the following command:
$ sudo setenforce 0
This command sets SELinux to permissive mode, which means that it will log policy violations but will not enforce them.
Another critical task of a Linux administrator is to identify and troubleshoot SELinux policy violations. The RHCSA exam expects candidates to know how to list and identify SELinux file and process context.
To list the SELinux file and process context, you can use the ls -Z command. For example, to list the context of a file, you can run the following command:
$ ls -Z /path/to/file
This command lists the SELinux context of the file, including the user, role, type, and level. To list the SELinux context of a running process, you can use the ps -eZ command. For example, to list the context of all running processes, you can run the following command:
$ ps -eZ
This command lists the SELinux context of all running processes, including the user, role, type, and level.
When you change the SELinux context of a file or directory, you may encounter issues with file access or system functionality. The RHCSA exam expects candidates to know how to restore the default SELinux file contexts.
To restore the default SELinux file contexts, you can use the restorecon command. For example, to restore the default context of a file, you can run the following command:
$ sudo restorecon /path/to/file
This command restores the default SELinux context of the file. To restore the default SELinux context of a directory and its contents recursively, you can run the following command:
$ sudo restorecon -R /path/to/directory
This command restores the default SELinux context of the directory and all its contents.
SELinux also provides a mechanism for managing network port labels, which can be used to restrict network access to specific ports. The RHCSA exam expects candidates to know how to manage SELinux port labels.
To add a new port label, you can use the semanage command. For example, to add a new label for port 12345, you can run the following command:
$ sudo semanage port -a -t port_type -p tcp 12345
This command adds a new port label for port 12345, which can be used to restrict network access to that port. To remove a port label, you can use the semanage command with the -d option. For example, to remove the label for port 12345, you can run the following command:
$ sudo semanage port -d -p tcp 12345
This command removes the port label for port 12345.
SELinux also provides a set of boolean settings that can be used to modify the system’s security policies. The RHCSA exam expects candidates to know how to use boolean settings.
To view the list of available boolean settings, you can use the getsebool command. For example, to list all boolean settings related to the httpd service, you can run the following command:
$ sudo getsebool -a | grep httpd
This command lists all boolean settings related to the httpd service. To modify a boolean setting, you can use the setsebool command. For example, to enable the httpd_can_network_connect boolean setting, you can run the following command:
$ sudo setsebool -P httpd_can_network_connect on
This command enables the httpd_can_network_connect boolean setting, which allows the httpd service to connect to the network.
As a Linux administrator, it is essential to diagnose and address routine SELinux policy violations. The RHCSA exam expects candidates to know how to diagnose and troubleshoot SELinux policy violations.
One way to diagnose SELinux policy violations is to check the SELinux audit log using the ausearch command. For example, to list all SELinux policy violations for the last 24 hours, you can run the following command:
$ sudo ausearch -m avc -ts yesterday
This command lists all SELinux policy violations for the last 24 hours. To address an SELinux policy violation, you can use the audit2allow command to generate a custom policy module that allows the violated operation.
For example, if the SELinux policy violation was caused by a denied read operation, you can run the following command to generate a custom policy module that allows the read operation:
$ sudo grep denied /var/log/audit/audit.log | audit2allow -M mypol
This command generates a custom policy module named mypol that allows the read operation. You can then load the module using the semodule command:
$ sudo semodule -i mypol.pp
This command installs the mypol policy module.
The Manage Security section of the RHCSA exam covers critical Linux security concepts and tools. As a Linux administrator, it is essential to have a solid understanding of these topics to secure your systems effectively. By mastering these skills and practicing them regularly, you will be well prepared to pass the RHCSA exam and become a competent Linux administrator.
Was this article helpful to you? If so, leave us a comment below. We appreciate your feedback!
Related Posts
Want to pass the RHCSA9 exam? This section of the RHCSA9 Exam Series: Operate Running Systems will review how to operate running systems–a key skill
Looking to enhance your Linux skillset? RHCSA 9 Container Management Skills introduces a new section on container management, making it a must-have competency for any
Are you ready to take on the RHCSA 9 exam? Our comprehensive guide on creating and configuring file systems in RHCSA will equip you with