# LPIC-102
## 105.1
### 105.1 Lesson 2
- `readonly NAME[=value]`: mark a variable as read-only, so it can no longer be assigned or unset in that shell
- `export NAME`: mark a variable for export, so child processes (including child shells) inherit it; without `export` a shell variable stays local to the current shell
- `env -i bash`: start a bash with an empty environment, the cleanest starting point you can get (only what bash sets itself remains)
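What these three actually change for a child process, tried out in shell; this is an added example, not part of the original notes, and the variable names `LOCAL_ONLY`, `SHARED` and `PINNED` are made up:

```shell
#!/bin/sh
# Added example, not from the LPIC notes: how export, readonly and env -i
# change what a child process can see. LOCAL_ONLY, SHARED and PINNED are
# hypothetical names.

# Report what a freshly started child shell sees for variable $1:
# its value, or "unset" if it did not inherit one.
child_sees() {
    sh -c "printf '%s' \"\${$1-unset}\""
}

# A plain assignment stays in this shell; export copies it into the
# environment that children inherit.  Prints: unset public
scope_demo() {
    LOCAL_ONLY=secret
    SHARED=public; export SHARED
    printf '%s %s\n' "$(child_sees LOCAL_ONLY)" "$(child_sees SHARED)"
}

# readonly: a later assignment is rejected.  Some shells abort the
# (sub)shell on that error and others only report it, so check the value
# afterwards in a subshell instead of relying on the exit status.
readonly_demo() {
    out=$( readonly PINNED=1; PINNED=2 2>/dev/null; printf '%s' "$PINNED" ) || true
    case "$out" in
        1|"") echo rejected ;;            # value unchanged, or subshell aborted
        *)    echo "changed to $out" ;;   # would mean readonly did not hold
    esac
}

# env -i: the child starts with an empty environment, so even an exported
# variable is gone.  Prints what a normal child and an env -i child see
# for SHARED: public unset
env_i_demo() {
    SHARED=public; export SHARED
    with=$(sh -c 'printf %s "${SHARED-unset}"')
    without=$(env -i sh -c 'printf %s "${SHARED-unset}"')
    printf '%s %s\n' "$with" "$without"
}
```

`env -i` clears `PATH` too; the child `sh` is still found because `execvp` falls back to a built-in default path, but anything the child runs should be called by absolute path when you script this for real.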
## 105.2 Customize or write simple scripts
# 106 User Interfaces and Desktops
## 106.1 Install and configure X11
### X Window System Architecture
- The X Window System is a software stack: an X server that drives the display and input devices, client applications, and the protocol between them
- The protocol is X11 (version 11 of the X protocol); X.Org is the reference server implementation Linux distributions ship. X clients (applications) and the X server talk X11 to each other, locally or across the network

- A display manager provides the graphical login: it is started after the computer boots, starts an X server session and is responsible for keeping the X server up and running (GDM, SDDM, LightDM)
- A running X server has a display name of the form `hostname:displaynumber.screennumber`; clients find it through the `DISPLAY` variable, e.g. `DISPLAY=:0` is the first display on the local host

### X Server Configuration
### Wayland
- Newer display protocol designed to replace the X Window System
- There is no separate X server and no X protocol: each client talks directly to the Wayland compositor over the Wayland protocol, and the compositor (which is the display server) drives the kernel's DRM/KMS and input devices itself
## 106.2 Graphical Desktops
- The X Window System alone provides only simple interface features, so desktop environments extend the user experience in the graphical windowed interface
### Desktop Environment
- Probably the most important component of a desktop environment, the `window manager` controls window placement and decorations
- DE provides:

### Desktop Interoperability
- A large body of specifications for desktop interoperability is maintained by the freedesktop.org organization
- Directory locations (the XDG Base Directory specification): where personal settings and other user-specific files are kept (`~/.config`, `~/.local/share`, `~/.cache`)
- Desktop entries: Desktop entries are text files ending with .desktop which are used by the desktop environment to gather information about the available desktop applications and how to use them
- Application autostart
- Drag and drop
- Trash can
- Icon themes
### Non-Local Access
- XDMCP (X Display Manager Control Protocol): complex, unencrypted and slow; avoid it
- VNC: no encryption in transport, so tunnel it through SSH or a VPN
- RDP: mainly Windows hosts
- SPICE: mainly the console of virtual machines (QEMU/KVM)
## 106.3 Accessibility
# 107 Administrative Tasks
## 107.1 Manage user and group accounts and related system files
### Modifying User Accounts
- `usermod` command
### Deleting User Accounts
- `userdel` command; `-r` also removes the home directory and the user's mail spool
### Skeleton dir
- `/etc/skel`: new home directories are populated from this directory
### `/etc/login.defs`
- Specifies the configuration parameters that control the creation of users and groups (UID/GID ranges, password aging defaults, whether to create a home directory, ...)
### The `chage` command
- Change password aging information of a user
### Filter user and group from database

- `getent` can only query the databases configured in `/etc/nsswitch.conf` (e.g. `getent passwd <user>`, `getent group <group>`)
## 107.2 Automate system administration tasks by scheduling jobs
### Schedule Jobs with Cron
- `cron` is a daemon that runs continuously, wakes up every minute and checks a set of tables for tasks that are due to run
- These tables are `crontabs` and contain `cronjobs`
- `anacron`: for machines that are not on all the time; it runs the daily/weekly/monthly jobs that were missed while the machine was off, the next time it is on
### User Crontabs
- Usually under `/var/spool/cron` (Debian: `/var/spool/cron/crontabs`), one file named after the user who created it; edit with `crontab -e`, never by hand
### System Crontabs
- System cron jobs: `/etc/crontab` and the files in `/etc/cron.d`, owned and edited by root
- Each line carries an extra sixth field naming the user the command runs as

### Particular Time Specifications
- `@reboot`
- `@hourly`
- `@daily`
- `@weekly`...
### Crontab Variables
- `HOME`: The directory where cron invokes the commands (by default the user’s home directory).
- `MAILTO`: the address the jobs' stdout and stderr are mailed to (an empty value, `MAILTO=""`, disables the mail)
- `PATH`, `SHELL`

### Configure Access to Job Scheduling
- `/etc/cron.allow` and `/etc/cron.deny` restrict who may use `crontab`: if `cron.allow` exists only the users listed there may, otherwise the users in `cron.deny` may not; if neither file exists the default is distribution dependent

### An alternative to Cron
- `systemd` timers
- Timers are systemd unit files with the `.timer` suffix; each one activates a matching `.service` unit (by default the one with the same name) when its `OnCalendar=`, `OnBootSec=`, `OnUnitActiveSec=`, ... elapses
- `systemctl enable foobar.timer`, `systemctl start foobar.timer` (or `systemctl enable --now foobar.timer`); `systemctl list-timers` shows what is scheduled and when it last ran
- Timer and service activity is logged to the systemd journal, read with `journalctl`
- `journalctl -u foobar.service` (or `-u foobar.timer`): `-u` takes a unit name, not a username
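The two scheduling mechanisms side by side, as an added example that is not part of the original notes: the same nightly job as a `/etc/cron.d` entry, as a user crontab line, and as a systemd service/timer pair. The script `/usr/local/bin/nightly-backup.sh`, the `backup` account and `ops@example.com` are assumptions; the functions print the files an admin would install.

```shell
#!/bin/sh
# Added example (not from the LPIC notes): one nightly job scheduled two ways.
# /usr/local/bin/nightly-backup.sh, the "backup" user and ops@example.com
# are hypothetical. The functions print the files an admin would install.

# /etc/cron.d/nightly-backup: a system crontab, so it has the sixth field
# (user). MAILTO makes failures visible; the explicit PATH matters because
# cron starts commands with a minimal environment, not your login shell's.
cron_d_file() {
cat <<'EOF'
MAILTO=ops@example.com
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# min hour dom mon dow  user    command
30    2   *   *   *    backup  /usr/local/bin/nightly-backup.sh
EOF
}

# The same schedule in the backup user's own crontab (no user field);
# install it with:  cron_user_line | crontab -   (as the backup user)
cron_user_line() {
    printf '%s\n' '30 2 * * * /usr/local/bin/nightly-backup.sh'
}

# /etc/systemd/system/nightly-backup.service: what to run. Type=oneshot tells
# systemd the unit is "done" when the script exits rather than staying active.
backup_service() {
cat <<'EOF'
[Unit]
Description=Nightly backup

[Service]
Type=oneshot
User=backup
ExecStart=/usr/local/bin/nightly-backup.sh
EOF
}

# /etc/systemd/system/nightly-backup.timer: when to run it. A timer without
# Unit= activates the service of the same name. Persistent=true records the
# last run and catches up after downtime, which is what anacron does for cron.
backup_timer() {
cat <<'EOF'
[Unit]
Description=Run nightly-backup.service at 02:30

[Timer]
OnCalendar=*-*-* 02:30:00
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Activation (needs root and a live systemd, so not run here):
#   systemctl daemon-reload
#   systemctl enable --now nightly-backup.timer
#   systemctl list-timers nightly-backup.timer     # next/last run
#   journalctl -u nightly-backup.service           # the job's output
# Check a calendar expression before trusting it:
#   systemd-analyze calendar '*-*-* 02:30:00'
```

Note the difference in failure handling: cron only tells you by mail, while the timer's service has a unit state you can query with `systemctl status` and a journal you can grep.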
### Schedule Jobs with `at`
- `at` command is used for one time task scheduling, run by `atd` daemon

- Stdout and stderr are mailed to the user
- `atq` is similar to `at -l` commands, show list of jobs information
- `atrm <job id>` deletes the job, similar to `at -d`
- Configure access: `/etc/at.allow` and `/etc/at.deny`
### An Alternative to `at`


## 107.3 Localisation and internationalisation
### Time Zones
- The system's default timezone: `/etc/timezone` (Debian-style) and the `/etc/localtime` symlink into `/usr/share/zoneinfo`
- `timedatectl`
- `tzselect` timezone select
- The `TZ` variable overrides the timezone for a single command: `TZ='Africa/Cairo' date`
### Language and Character Encoding
- Known as `locales`, selected with the `LANG` variable (the `LC_*` variables override it per category, `LC_ALL` overrides everything); `locale` shows the current settings
- `localectl`
- System locale settings are configured in `/etc/locale.conf`
### Encoding Conversion

# 108: Essential System Services
## 108.1 Maintain system time
- A computer has a `system time` (kept by the kernel) and a `hardware time` (the RTC on the mainboard); during boot the system time is set from the hardware clock
- On most modern systems both are then kept in sync with `network time`, implemented by NTP
### Local Versus Universal Time
- The system clock is kept in UTC; the user's local time is UTC plus or minus the timezone offset, including daylight saving
### Date
- `date +%s`: epoch time
- `date --date='@1564013011'`: display the date for a given epoch time (this only displays; it does not set the clock)

### Hardware Clock
- `hwclock`: read (and, with options, set) the hardware clock (RTC); `hwclock --show` prints it converted to local time
### Setting Date and Time
- `timedatectl`: shows and sets both the system and the hardware clock
- `timedatectl set-timezone Africa/Cairo`
- `timedatectl set-ntp no`: disable NTP (required before setting the time by hand with `timedatectl set-time`)
- Manually, without `timedatectl`:
- `ln -sf /usr/share/zoneinfo/Canada/Eastern /etc/localtime`: set the local timezone
- `hwclock --systohc`: write the system time to the hardware clock
- `hwclock --set --date "4/12/2019 11:15:19"` then `hwclock --hctosys`: the reverse (set the hardware clock, then copy it to the system clock)
- `date --set="11 Nov 2011 11:11:11"` then `hwclock --systohc`
### `timedatectl` NTP
- `timedatectl set-ntp yes` uses a simple SNTP client, `systemd-timesyncd`, which only syncs the local clock and cannot serve time to others
- `timedatectl show-timesync --all`: check NTP sync status
### NTP Daemon
- `ntpd`: full NTP implementation; the machine can be both an NTP client and an NTP server for other machines (UDP port 123)
### NTP Configuration
- In `/etc/ntp.conf`
- With `pool` lines a provider is chosen at random from the pool's servers
### pool.ntp.org
- `pool.ntp.org`: community pool of volunteer NTP servers; not for cases where correct time is business critical (run your own servers or use a provider with an SLA)
- `ntpdate`: if the offset exceeds about 17 minutes (1000 s, the "panic threshold", i.e. "insane time") `ntpd` refuses to change the system time; stop it and sync once by hand: `systemctl stop ntpd` -> `ntpdate pool.ntp.org` (or start it with `ntpd -g`, which allows the first large step)
- `ntpq`: utility for monitoring `ntpd` (`ntpq -p` lists the peers and their offsets)

- `chrony`: alternative implementation, with the `chronyd` daemon and the `chronyc` client

## 108.2 System logging - Lesson 1
- One of the most common logging facilities: `rsyslog`
### System logging
- Logging has traditionally been handled by one of three services: `syslog`, `syslog-ng` (new generation) or `rsyslog` (rocket-fast system log); the logs end up under `/var/log`
- `rsyslog` uses a client-server model: the `rsyslogd` daemon receives messages (kernel messages come in via `klogd` or, today, the `imklog` module), configured in `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf`
#### Log Types




#### Reading logs
- `zless`, `zmore`: like `less` and `more` but for rotated logs compressed with `gzip`

- Special cases: binary login records, read with dedicated tools rather than `less`
- `who` or `w` (`/var/run/utmp`: who is logged in now); `last` (`/var/log/wtmp`: login history)
- `utmpdump /var/log/btmp` or `last -f /var/log/btmp` (same as `lastb`): failed login attempts
- `faillog` (`/var/log/faillog`)
- `lastlog` (`/var/log/lastlog`)
#### How Messages are Turned into Logs

#### Facilities, Priorities and Actions
- The rsyslog config has 3 parts: MODULES (loading modules), GLOBAL DIRECTIVES, RULES; a rule is a selector `facility.priority` followed by an action, e.g. `auth,authpriv.* /var/log/auth.log` (a priority matches itself and everything more severe)
- `logger`: write a message to syslog from the shell or a script (`logger -p local0.warning "text"`); it lands in `/var/log/syslog` or `/var/log/messages`, or is shipped to the central server on a client configured to forward
#### `rsyslog` as a Central Log Server
- On the server, uncomment (or add) the `imtcp` module and its `input` line in `/etc/rsyslog.conf` so it listens on the TCP port (514 by convention), allow the port through the firewall and restart rsyslog
- Define a template (typically one directory or file per sending host) and a filter rule that sends the remote messages to it; on each client add a forwarding rule such as `*.* @@server:514` (`@@` = TCP, a single `@` = UDP)
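The three parts above as they would look for a central log server, as an added configuration example (not from the notes and not from rsyslog's own documentation): the server's module/template/rule, the client's forwarding rule with a disk-assisted queue, and a few classic selector lines. `logserver.example.com`, port 514 and the `/var/log/remote` tree are assumptions; the functions print the drop-in files.

```shell
#!/bin/sh
# Added example (not from the LPIC notes): rsyslog drop-ins for a central
# log server and its clients. logserver.example.com, port 514 and the
# /var/log/remote tree are hypothetical; the functions print the files.

# Server: /etc/rsyslog.d/10-remote-in.conf
# MODULES: load the TCP listener.  TEMPLATE: a dynamic file name per sending
# host and program.  RULES: a dedicated ruleset so remote messages never mix
# with the server's own logs.  Plain TCP syslog is unencrypted: firewall the
# port to the known clients, or use the gtls driver / a VPN.
server_conf() {
cat <<'EOF'
module(load="imtcp")

template(name="RemoteLogs" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs")
}

input(type="imtcp" port="514" ruleset="remote")
EOF
}

# Client: /etc/rsyslog.d/20-forward.conf
# Classic selector syntax: facility.priority  action.  "@@" = TCP, "@" = UDP.
# The disk-assisted queue keeps messages while the server is unreachable
# instead of dropping them.
client_conf() {
cat <<'EOF'
$ActionQueueType LinkedList
$ActionQueueFileName fwdq
$ActionResumeRetryCount -1
*.*  @@logserver.example.com:514
EOF
}

# Selector examples for the RULES section: two facilities at every priority;
# everything except those two (".none") to the main log, "-" = no fsync per
# message; emergencies of any facility to every logged-in user.
local_rules() {
cat <<'EOF'
auth,authpriv.*           /var/log/auth.log
*.*;auth,authpriv.none    -/var/log/syslog
*.emerg                   :omusrmsg:*
EOF
}

# Test the chain end to end once both hosts are configured:
#   client$  logger -p auth.notice "central logging test"
#   server$  tail /var/log/remote/<client>/logger.log
```

Forward with `@@` (TCP) rather than `@` (UDP) when you care about the messages: UDP is silently dropped under load, and the queue above only helps for a TCP action that can report failure.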
#### The Log Rotation Mechanism
- Use `logrotate`, run as an automated process or cron job daily (`/etc/cron.daily/logrotate`)
- Configuration file: `/etc/logrotate.conf`
#### The kernel ring buffer
- A fixed-size data structure in which the kernel stores its messages, also during boot before `rsyslogd` is available; once a logging daemon runs it drains the buffer into the logs
- `dmesg`: prints kernel ring buffer
## 108.2 System logging - Lesson 2
### The System Journal: `systemd-journald`
- `systemd-journald`: the service that collects log messages from a variety of sources (kernel, early boot, the stdout/stderr of units, the syslog API) into an indexed binary journal
- `/etc/systemd/journald.conf`: configuration file
#### Filtering the Journal Data
- `journalctl`
- Can be filtered by PID, unit or program, time range, boot (`-b`), priority (`-p`), ... and followed live with `-f`
- `systemd-cat`: runs a command (or reads stdin) and sends its stdout and stderr to the journal
#### Persistent Journal Storage
- 3 options for the location of the journal:
- turned off
- in memory, `/run/log/journal` (lost at reboot)
- persistent, `/var/log/journal`
- If `/var/log/journal` does not exist the daemon writes to `/run/log/journal`
- Controlled by `Storage=` in `/etc/systemd/journald.conf` (or a drop-in under `/etc/systemd/journald.conf.d/`):
- `Storage=volatile`: in memory, `/run/log/journal`
- `Storage=persistent`: `/var/log/journal`, created if it does not exist
- `Storage=auto` (the default): `/var/log/journal` if it exists, otherwise `/run/log/journal`; the directory is not created
- `Storage=none`: drop everything (forwarding to syslog/console still works)
- If `.journal` files are corrupted or the daemon was not shut down cleanly, they are renamed to `.journal~` and a fresh file is started
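The storage rules above as a small decision function, added here as an example (not from the notes or from systemd): the existence of `/var/log/journal` is a parameter so it runs without touching the real system, a helper reads `Storage=` from a journald.conf-style file, and the drop-in with its size cap is an assumed value.

```shell
#!/bin/sh
# Added example, not from the LPIC notes: where journald writes, given the
# Storage= setting and whether /var/log/journal exists. Mirrors the rules in
# journald.conf(5); the directory check is a parameter so the function runs
# without touching the real system. The 500M cap below is an arbitrary value.

# journal_location STORAGE VAR_DIR_EXISTS(yes|no)
# prints: /var/log/journal, /run/log/journal or none
journal_location() {
    storage=$1; var_dir=$2
    case "$storage" in
        persistent) echo /var/log/journal ;;         # created if missing
        volatile)   echo /run/log/journal ;;
        auto|"")    if [ "$var_dir" = yes ]; then    # unset means auto
                        echo /var/log/journal        # used only if present
                    else
                        echo /run/log/journal
                    fi ;;
        none)       echo none ;;
        *)          echo "unknown Storage=$storage" >&2; return 1 ;;
    esac
}

# storage_setting FILE -> the Storage= value in a journald.conf-style file;
# commented lines are ignored and the last uncommented one wins.
storage_setting() {
    sed -n 's/^[[:space:]]*Storage=[[:space:]]*//p' "$1" | tail -n 1
}

# Turning persistence on for real (needs root). Either create the directory
# so Storage=auto picks it up:
#   mkdir -p /var/log/journal && systemd-tmpfiles --create --prefix /var/log/journal
# or ship a drop-in that also caps disk use, then restart systemd-journald:
persistent_dropin() {
cat <<'EOF'
# /etc/systemd/journald.conf.d/persistent.conf
[Journal]
Storage=persistent
SystemMaxUse=500M
EOF
}
```

The `auto`/missing-directory case is the one that surprises people: a freshly installed system with `Storage=auto` and no `/var/log/journal` keeps all logs in RAM and loses them on reboot, which is exactly what an attacker wants from a compromised host.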
#### Deleting Old Journal Data: Journal Size
- `journalctl --disk-usage`: disk usage of the journal files
- `SystemMaxUse=`, `SystemKeepFree=`, `SystemMaxFileSize=`, ... (persistent journal) and the `Runtime...` counterparts (volatile journal) in `journald.conf` cap what the journal may occupy
- `journalctl --vacuum-time=1months`: delete archived journal files older than one month (`--vacuum-size=` and `--vacuum-files=` work the same way by total size or file count)
- `--rotate`: immediately rotate the journal files
- `--sync`: flush unwritten log data to disk
#### Retrieving Journal Data from a Rescue System
- `journalctl -D /path/to/dir` (`--directory`): read the journal files in the given directory instead of the local journal
- `-m` or `--merge`: show entries interleaved from all available journals, including remote ones
- `--file`: operate on the given journal file(s), globs allowed
- `--root`: treat the given directory as the root filesystem (e.g. a mounted rescue target) and look for the journal below it
#### Forwarding Log Data to a Traditional syslog Daemon
- Methods
- Forward messages to the socket `/run/systemd/journal/syslog` for syslogd to read: `ForwardToSyslog=yes` in `journald.conf`
- Or have the syslog daemon behave like `journalctl` and read directly from the journal files (rsyslog's `imjournal` module)
- Messages can also be forwarded to the console (`ForwardToConsole=`), to the kernel log (`ForwardToKMsg=`) or to logged-in users via wall (`ForwardToWall=`)
## 108.3 Mail Transfer Agent (MTA) basics
- Each user has their own inbox, to which new incoming messages are appended by the MTA (through a local delivery agent)
### Local and Remote MTA
- When an MTA daemon running, local users can send an email to other local users or to users on a remote machine
- Maintain outbox queue of messages to be sent
- Communicate with remote MTA daemons through SMTP
- Maintain an individual inbox for every local account; messages are stored in `mbox` format, a single text file (usually `/var/mail/<user>`) containing all messages in sequence
### Linux MTAs
- Traditional: `Sendmail`, other common: Postfix, qmail, Exim

### `mail` command and Mail User Agents (MUA)
- 2 modes:
- Normal (read): `mail` with no arguments lists and reads the local mailbox
- Send: `mail -s "subject" user@example.com` sends a message (whenever an address is given)
### Delivery Customization
- An email alias is a virtual email recipient
- Aliases file: `/etc/aliases`; run `newaliases` after editing it to rebuild the lookup database
- Structure: `<alias>: <destination>[, <destination>...]`, where a destination is one of:
- A full path (starting with `/`) to a file the message is appended to
- A command to process the message, starting with a pipe character: `subscribe: |"bash subscribe.sh"`
- An include file listing multiple destinations: `:include:/var/local/destinations`
- An external address
- Another alias (or a local user)
- Unprivileged local users can redirect their own mail by creating `.forward` in their home directory; it contains only the destination part
## 108.4 Manage printers and printing
- Common Unix Printing System (CUPS) allows for printing and printer management
- A user submits a file to be printed
- CUPS daemon `cupsd`, spools the print job
- CUPS uses filters installed on the system to generate a formatted file that the printer can use
- CUPS then sends the re-formatted file to the printer
### The CUPS Service
- Configuration file: `/etc/cups/cupsd.conf`
- `/etc/cups/printers.conf`: each printer that is configured to be used by CUPS
# 109: Networking Fundamentals
## 109.2 Persistent network configuration - Lesson 1
### The Network Interface
- `ip link show`: list network interfaces on system
- `nmcli device`: list nics
### Interface Names
- Name prefix:
- en: Ethernet
- ib: InfiniBand
- sl: Serial line (slip)
- wl: WLAN
- ww: WWAN
- Rules to name network interfaces:
- After the index provided by the BIOS or by the firmware for on-board devices: `eno1`
- After the PCI Express hotplug slot index: `ens1`
- After the physical location on the bus (PCI bus, slot, function): `enp3s5`
- Name the interface after the interface's MAC, `enx3480fjdf`
- Legacy convention `eth0`
### Interface Management
- `ifconfig` is deprecated, use `ip` instead
- On Debian-style systems interfaces are brought up and down with `ifup` and `ifdown` and are defined in `/etc/network/interfaces`
- Interfaces can be assigned a DHCP or a static configuration
- Multiple configuration for one iface can be used to configure multiple addresses or ip4 and ip6
### Local and Remote Names
- System use `/etc/hostname` as its local name
- `hostnamectl set-hostname storage` -> write hostname to `/etc/hostname`
- `hostnamectl` can set two other types of hostnames:
- Pretty hostname: `hostnamectl --pretty set-hostname "LAN Shared Storage"`
- Transient hostname: a temporary name received from the network (DHCP or mDNS), used when the static hostname is not set or is the default `localhost`
- Host file: `/etc/hosts`
- Nameserver file: `/etc/resolv.conf`

## 109.2 Persistent network configuration - Lesson 2
### NetworkManager
- Prioritizes wired connections over wireless connections
- On Debian-style systems the NM daemon manages only the interfaces not declared in `/etc/network/interfaces`
- Clients: `nmcli` (command line) and `nmtui` (text UI)
- `nmcli` groups network-related properties into categories called `objects` (`general`, `networking`, `radio`, `connection`, `device`, `agent`, `monitor`), e.g. `nmcli connection show`, `nmcli device status`


- Can be used to connect or disconnect network, bring interface up and down
### systemd-networkd
- On system running `systemd`
- `/usr/lib/systemd/network` (`/lib/systemd/network` on older layouts): vendor-supplied units, `/run/systemd/network`: volatile/runtime units, `/etc/systemd/network`: local administration
- Priority: etc > run > lib
- Suffix:
- `.netdev`: virtual network devices (bridges, VLANs, tunnels, ...)
- `.link`: low level configuration for network interface
- `.network`: setup network addresses and routes
## 109.3 Basic network troubleshooting
### Configuring an Interface
- `ip link`: list interface links available for config, similar to `ls /sys/class/net`
- Configure interface: `ip addr add 192.168.5.5/24 dev enp0s8`
- The `ip link` command can be used to configure low level or protocol settings such as VLANs, ARP, MTUs or disabling interfaces
- `ip link set dev eth0 down`
- `ip link show dev eth0`
- `ip link set eth0 mtu 2000`
- `ip route`: show route table (similar to `netstat -r`, `route`)

- Adding a route: `ip route add <network> via <gateway> [dev <iface>]`, e.g. `ip route add 10.0.0.0/8 via 192.168.5.1`; the default gateway: `ip route add default via 192.168.5.1`; remove with `ip route del ...`
### Using traceroute
- By default `traceroute` sends 3 UDP probes per hop, starting at destination port 33434 and incrementing the port with each probe, raising the TTL one hop at a time
- `traceroute -I`: ICMP echo requests instead, often more effective where UDP is filtered (needs root)
- `traceroute -T -p 80`: TCP SYN probes to a port (needs root), useful when only that port is allowed through
- `tracepath`: similar to `traceroute`, needs no root, and reports the path MTU (the smallest MTU along the route)
### Viewing Current Connections and Listeners
- `ss -tulnp`: list TCP and UDP listening sockets with numeric ports and the owning PID/program (`-p` shows other users' processes only as root)
- `Recv-Q`: for a connected TCP socket, bytes received but not yet read by the application; for a listening socket, the number of connections waiting in the accept queue
- `Send-Q`: for a connected socket, bytes sent but not yet acknowledged by the peer; for a listening socket, the size of the accept backlog
## 109.4 Configure client side DNS
### Name Resolution Process
- The resolver functions in the C library (glibc) read `/etc/nsswitch.conf` to find out which sources to consult, in which order, for that type of name (e.g. `hosts: files dns`)
### DNS
- DNS has three record classes, IN (internet addresses TCP/IP), HS (Hesiod) things like passwd and group entries, CH (ChaosNet) not used anymore
- For nameservers -> `/etc/resolv.conf`
- `search`: any hostname without domain portion will be appended this part as domain
- `domain`: set the local domain name; the default is the part of the machine's host name after the first `.`
- `search` and `domain` are mutually exclusive: if both appear, the last one wins
- `systemd-resolved`: provides DNS, mDNS and LLMNR resolution; it listens for DNS requests on `127.0.0.53`, `/etc/resolv.conf` is then usually a symlink to its stub file (`/run/systemd/resolve/stub-resolv.conf`) pointing at that address, and the real upstream servers are shown by `resolvectl status`
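An added example (not from the notes) that reads a resolv.conf-style file and applies the last-one-wins rule for `domain`/`search`, then lists the names the resolver would try for an unqualified host. The input is a constructed file; nothing here reads the system's `/etc/resolv.conf`.

```shell
#!/bin/sh
# Added example, not from the LPIC notes: apply resolv.conf's "domain and
# search are mutually exclusive, the last one wins" rule to a file and show
# the qualified names the resolver would try. Input files are constructed by
# the caller; nothing here reads /etc/resolv.conf.

# effective_search FILE -> the search list in effect, space separated
effective_search() {
    awk '
        $1 == "domain" { list = $2 }        # a single domain
        $1 == "search" {                    # replaces any earlier line
            list = ""
            for (i = 2; i <= NF; i++) list = list (i > 2 ? " " : "") $i
        }
        END { print list }
    ' "$1"
}

# nameservers FILE -> the servers queried, in order (the resolver honours
# at most three)
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# candidates NAME FILE -> names tried for an unqualified NAME (no dot, so
# below the default ndots:1 threshold): NAME.<each search domain>
candidates() {
    for d in $(effective_search "$2"); do
        printf '%s.%s\n' "$1" "$d"
    done
}

# Constructed resolv.conf: the search line comes after domain, so it wins.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
nameserver 192.0.2.53
domain example.com
search corp.example.net lab.example.net
EOF
    printf 'search: %s\n' "$(effective_search "$f")"
    candidates www "$f"
    rm -f "$f"
}
```

The security angle of the search list: every domain in it is a place where a lookup for a short name can be answered by someone else, so keep it to domains you control and query services by fully qualified name in scripts.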
### Name Resolution Tools
- `getent`: display entries from the name service databases, retrieving records from whatever sources `/etc/nsswitch.conf` lists
- `getent hosts`
- `getent -s dns hosts google.com` -> DNS
- `host`
- `host <domain>`: return A, AAAA and MX records
- `host -t <RECORD TYPE> <domain>`
- `host -t <RECORD TYPE> <DOMAIN> <NAME SERVER>`
- `dig`: detailed DNS queries, `dig [@<name server>] <domain> [<RECORD TYPE>]`; `+short` prints only the answer
# 110: Security
## 110.1 Perform security administration tasks
### Password management and Aging
- `passwd -S`: status of password
- `-l`, `-u`, `-e`, `-d`: lock the account's password, unlock it, expire it (force a change at next login), delete it (passwordless login, avoid)
- `chage -l <user>`: list password information for user
- `chage <user>`: interactively change age of password
### Discovering Open Ports
- `lsof`: list open files
- `lsof -i`: list network (Internet) sockets only
- `lsof -i@<address>`
- `lsof -i :<port>` filter by port
- `fuser`: file's user - knowing what processes are accessing what files
- `fuser .`: check on the current working directory
- `fuser -v .`: verbose
- Check by port and protocol: `fuser -v 80/tcp`
- `fuser -k 80/tcp`: kill the process(es) bound to that port (SIGKILL unless another signal is given)
- `netstat -tulnp` / `ss -tulnp` for the local view; `nmap` to scan the host from outside and compare the two
### Limits on Users Logins, Processes and Memory Usage
- `ulimit`: has 2 mode soft and hard limit `-S` and `-H`
- `ulimit -a`: show all current soft limits; `ulimit -Ha` shows the hard limits
- A hard limit can only be raised by root; an unprivileged user can raise its soft limit up to the hard limit, or lower the hard limit (which it then cannot raise again)
- `/etc/security/limits.conf` (and `/etc/security/limits.d/`): persistent limits, applied at login by `pam_limits`; format `<domain> <type> <item> <value>`, e.g. `@devs hard nproc 500`
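The soft/hard asymmetry tried out, as an added example (not from the notes): each probe runs in a subshell on the open-files limit (`-n`) so the caller's limits are untouched. Run it as an unprivileged user; root may raise hard limits. The `backup` account in the last function and the values 512/256/1024 are assumptions.

```shell
#!/bin/sh
# Added example, not from the LPIC notes: probing soft vs hard limits on the
# open-files limit (-n). Every probe runs in a subshell, so nothing leaks into
# the calling shell. 512/256/1024 are arbitrary values below any usual hard
# limit; "backup" in limits_conf_line is a hypothetical account.

# Lower the hard limit (ulimit -n with neither -S nor -H sets both), then try
# to raise it back: an unprivileged user prints "denied", root "raised".
raise_hard_after_lowering() {
    ( ulimit -n 512 && ulimit -H -n 1024 2>/dev/null ) && echo raised || echo denied
}

# The soft limit may move down and back up freely as long as it stays at or
# below the hard limit: prints "ok".
soft_within_hard() {
    ( ulimit -n 512 && ulimit -S -n 256 && ulimit -S -n 512 \
      && [ "$(ulimit -S -n)" = 512 ] ) && echo ok || echo failed
}

# A soft limit above the hard limit is rejected for everyone, root included:
# prints "denied".
soft_above_hard() {
    ( ulimit -n 512 && ulimit -S -n 1024 2>/dev/null ) && echo raised || echo denied
}

# The same limit made persistent in /etc/security/limits.conf
# (domain type item value); pam_limits applies it at login.
limits_conf_line() {
    printf '%s\n' 'backup  hard  nofile  512'
}
```

Because a lowered hard limit cannot be raised again by the same unprivileged process, a service wrapper can drop its own hard limits before executing untrusted code and be sure the child cannot undo that.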
### Dealing with Logged in Users
- `last`: last logged in users
- `last <username>`
- `lastb`: bad login attempt
### Basic `sudo` Configuration and Usage
- `su -`: the dash starts a login shell, so you get the target user's environment (`PATH`, `HOME`, ...) instead of carrying your own along
- sudo configuration lives in `/etc/sudoers` (plus `/etc/sudoers.d/`); always edit it with `visudo`, which locks the file and checks the syntax before saving
## 110.2 Setup host security
### How to Use a Superdaemon to Listen for Incoming Network Connections
- A superdaemon listens for incoming network connections on behalf of several services and starts the appropriate one on demand, so rarely used services consume no resources while idle
- `inetd` and `xinetd`
- Current systems use systemd socket units (`systemd.socket`) for the same purpose
### TCP Wrappers as Sort of a Simple Firewall
- Services linked against `libwrap` (and services started by `inetd`/`xinetd`) consult `/etc/hosts.allow` first and then `/etc/hosts.deny`; the first matching entry wins and, if nothing matches, access is granted
## 110.3 Securing data with encryption
### Key-based login
- Use `ssh-agent` and `ssh-add`: the agent holds the decrypted private key in memory, so the passphrase is typed once per session instead of on every connection; the keys are gone when the agent exits, e.g. at logout or reboot
### The Role of OpenSSH Server Host Keys

- The server uses its host keys (`/etc/ssh/ssh_host_*_key`) to prove its identity to clients; the client stores the public part in `~/.ssh/known_hosts` on first connection and refuses to connect if it later changes
- `ssh-keygen -l -f <key_path>`: show the fingerprint of a key (add `-v` for the randomart); compare it with the fingerprint obtained out of band (console, provisioning system) before accepting a new host key
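The out-of-band check in practice, as an added example (not from the notes): a throwaway "server" host key is generated in a temporary directory, its fingerprint is read the way an admin would on the console, and the fingerprint of the entry a client recorded in `known_hosts` is compared with it. The host name `storage.example.com` is an assumption; nothing touches `~/.ssh`.

```shell
#!/bin/sh
# Added example, not from the LPIC notes: checking a host key fingerprint out
# of band. A throwaway "server" key is generated in a temp directory and the
# host name storage.example.com is hypothetical; nothing touches ~/.ssh.

# fingerprint FILE -> SHA256:... for a public or private key file
fingerprint() {
    ssh-keygen -l -f "$1" | grep -o 'SHA256:[^ ]*'
}

# known_hosts_fingerprint HOST FILE -> fingerprint of HOST's entry in FILE
# (what the client compares against on every later connection)
known_hosts_fingerprint() {
    ssh-keygen -l -F "$1" -f "$2" | grep -o 'SHA256:[^ ]*'
}

# Simulate both sides: the admin reads the fingerprint on the server's console
# (ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub), the client records the
# key it was offered, and the two fingerprints are compared.
host_key_check() {
    dir=$(mktemp -d)
    # server side: an ed25519 host key, unencrypted as sshd requires
    ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
    server_fp=$(fingerprint "$dir/ssh_host_ed25519_key.pub")
    # client side: the line ssh would add to ~/.ssh/known_hosts
    printf 'storage.example.com %s\n' \
        "$(cut -d' ' -f1,2 "$dir/ssh_host_ed25519_key.pub")" > "$dir/known_hosts"
    client_fp=$(known_hosts_fingerprint storage.example.com "$dir/known_hosts")
    rm -rf "$dir"
    if [ -n "$server_fp" ] && [ "$server_fp" = "$client_fp" ]; then
        echo match
    else
        echo MISMATCH      # a changed host key: stop and investigate
    fi
}
```

On a real fleet the server-side fingerprint comes from the provisioning system rather than someone's memory; `ssh-keygen -R <host>` removes a stale entry only after you have confirmed the change was legitimate.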
### Perform Basic GnuPG Configuration, Usage and Revocation
- `gpg --gen-key`: generate a key pair (`--full-gen-key` to choose algorithm, size and expiry)
- GPG configuration and keyrings live in `~/.gnupg`:
- `openpgp-revocs.d`: the revocation certificate (`<fingerprint>.rev`) created along with each key pair
- `private-keys-v1.d`: directory for private keys
- `pubring.kbx`: public keyring, stores own and many other public keys
- `trustdb.gpg`: trust db
- `gpg --list-keys`: display content of public keyring
- `gpg --export <USER-ID>`: export a public key (`--armor` for ASCII-armored output)
- `--keyserver <URL>` with `--send-keys`, `--recv-keys` or `--search-keys` to interact with a keyserver
- To revoke the key
- `gpg --output revocation_file.asc --gen-revoke <USER-ID>`
- `gpg --import revocation_file.asc`: merge certificate with the key -> revoke
### Use GPG to Encrypt, Decrypt, Sign and Verify files
- `gpg --import <pub key>`: import pub key
- `gpg --output <encrypted file> --recipient <recipient name> --armor --encrypt <unencrypted file>`: encrypt with pub key imported (in recipient)
- Decrypt with private key: `gpg --decrypt <encrypted file>`
- `gpg --output message.sig --sign message`: sign with your private key (the output wraps the message; `--detach-sign` makes a separate signature file, `--clearsign` keeps the text readable)
- `gpg --verify message.sig`: verify the signature with the signer's imported public key
- gpg-agent: the daemon that manages private keys for GPG and caches passphrases
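The whole lifecycle from the two GnuPG sections (generate, export, encrypt/decrypt, sign/verify, revoke) run non-interactively, as an added example that is not from the notes or from GnuPG's documentation. It works in a throwaway `GNUPGHOME` so the real keyring is untouched; the identity `alice@example.com`, the file names and the passphrase-less key (batch use only) are assumptions, and the revocation step uses the certificate GnuPG 2.1+ drops into `openpgp-revocs.d` at key creation.

```shell
#!/bin/sh
# Added example, not from the LPIC notes: the GnuPG lifecycle (generate,
# export, encrypt/decrypt, sign/verify, revoke) run non-interactively in a
# throwaway GNUPGHOME so the real keyring is untouched. The identity, file
# names and the passphrase-less key are hypothetical; a real key gets a
# passphrase, which gpg-agent then caches.

gpg_roundtrip() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    w=$GNUPGHOME               # scratch dir for the files below

    # 1. Key pair: batch equivalent of gpg --gen-key (ed25519 signing key,
    #    cv25519 encryption subkey). GnuPG 2.1+ also drops a revocation
    #    certificate into $GNUPGHOME/openpgp-revocs.d/ at this point.
    gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: Alice Example
Name-Email: alice@example.com
Expire-Date: 1y
%commit
EOF

    # 2. Export the public key, armored, as you would hand it to others
    gpg --quiet --armor --export alice@example.com > "$w/alice.pub"

    # 3. Encrypt to the recipient, then decrypt with the private key
    printf 'meet at 10\n' > "$w/message"
    gpg --quiet --batch --yes --recipient alice@example.com --armor \
        --output "$w/message.asc" --encrypt "$w/message"
    gpg --quiet --batch --yes --output "$w/message.dec" \
        --decrypt "$w/message.asc" 2>/dev/null
    decrypted=$(cat "$w/message.dec")

    # 4. Sign (message wrapped in the signature) and verify with the public key
    gpg --quiet --batch --yes --local-user alice@example.com \
        --output "$w/message.sig" --sign "$w/message"
    if gpg --quiet --batch --verify "$w/message.sig" 2>/dev/null; then
        verify=ok
    else
        verify=bad
    fi

    # 5. Revoke. The pre-generated certificate has a leading ':' on its BEGIN
    #    line to prevent accidental import; strip it and import it
    #    (gpg --gen-revoke would produce the same certificate interactively).
    fpr=$(gpg --list-keys --with-colons alice@example.com \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" > "$w/revoke.asc"
    gpg --quiet --batch --import "$w/revoke.asc" 2>/dev/null
    # validity field of the pub record reads "r" once the key is revoked
    validity=$(gpg --list-keys --with-colons alice@example.com \
               | awk -F: '$1 == "pub" { print $2; exit }')

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"; unset GNUPGHOME
    printf '%s %s %s\n' "$decrypted" "$verify" "$validity"   # meet at 10 ok r
}
```

Keep the `.rev` file (or the output of `--gen-revoke`) somewhere safe and offline: it is the only way to tell the world the key is dead if the private key itself is lost.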