Tuesday, August 29, 2017

List PID of the respective User and Hide others

If you are using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+) you can hide processes from other users: only root can see all processes, and each user sees only their own. All you have to do is remount the /proc filesystem with the Linux kernel hardening option hidepid.

Say hello to the hidepid option

This option defines how much information about processes we want to be available to non-owners. The values are as follows:

hidepid=0 – The old behaviour: anybody may read all world-readable /proc/PID/* files (default).

hidepid=1 – Users may not access any /proc/PID/ directories except their own. Sensitive files like cmdline, sched*, status are now protected against other users.

hidepid=2 – Means hidepid=1 plus all /proc/PID/ directories will be invisible to other users. It complicates an intruder's task of gathering information about running processes: whether some daemon runs with elevated privileges, whether another user runs some sensitive program, whether other users run any program at all, etc.

Linux kernel protection: Hiding processes from other users

Type the following mount command:

# mount -o remount,rw,hidepid=2 /proc

Edit /etc/fstab, enter:

# vi /etc/fstab

Update/append/modify the proc entry as follows so that the protection is enabled automatically at server boot time:

proc    /proc    proc    defaults,hidepid=2     0     0

Save and close the file. To see the effect, list processes as a normal user before and after the remount:

$ ps -ef
$ sudo -s
# mount -o remount,rw,hidepid=2 /proc
$ ps -ef
$ top
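As an added example (not code from the original post), the following shell functions audit the hidepid setting of a /proc mount by parsing /proc/mounts-style lines, so the check can be scripted instead of eyeballing ps output. The gid= exemption group and the named levels (off/noaccess/invisible/ptraceable) are real mount options on newer kernels; the sample lines in the usage comments are constructed.

```shell
# Audit the hidepid level of a /proc mount from a /proc/mounts-style line:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>

# Print the options field of a /proc/mounts line if it describes a proc mount.
proc_opts() {
    printf '%s\n' "$1" | awk '$3 == "proc" { print $4 }'
}

# Print the effective hidepid level (0 when the option is absent or the line
# is not a proc mount). Kernels 5.8+ also accept the names
# off/noaccess/invisible/ptraceable, mapped to 0/1/2/4 here; the last
# hidepid= on the line wins, as it does for mount itself.
hidepid_level() {
    _val=$(proc_opts "$1" | tr ',' '\n' | sed -n 's/^hidepid=//p' | tail -n 1)
    case "$_val" in
        ""|off)     echo 0 ;;
        noaccess)   echo 1 ;;
        invisible)  echo 2 ;;
        ptraceable) echo 4 ;;
        *)          echo "$_val" ;;
    esac
}

# Print the group exempted from hiding via gid= (e.g. a monitoring account);
# prints nothing when no exemption is configured.
hidepid_gid() {
    proc_opts "$1" | tr ',' '\n' | sed -n 's/^gid=//p' | tail -n 1
}

# Check the live system: succeed only if /proc is mounted with hidepid=2
# (or 4 on newer kernels). Returns 2 if /proc/mounts cannot be read.
audit_proc() {
    [ -r /proc/mounts ] || return 2
    _line=$(awk '$2 == "/proc" && $3 == "proc"' /proc/mounts | tail -n 1)
    [ -n "$_line" ] || return 2
    case "$(hidepid_level "$_line")" in
        2|4) echo "ok: $_line";   return 0 ;;
        *)   echo "weak: $_line"; return 1 ;;
    esac
}

# Example: hidepid_level 'proc /proc proc rw,relatime,hidepid=2 0 0'  -> 2
```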

How to Enable chroot in DNS

A chroot jail is a way to isolate a process and its children from the rest of the system. It should only be used for processes that don't run as root, as root users can break out of the jail very easily.

The idea is that you create a directory tree where you copy or link in all the system files needed for a process to run. You then use the chroot() system call to change the root directory to the base of this new tree and start the process running in that chroot'd environment. Since the process cannot reference paths outside the modified root, it cannot perform operations (read/write etc.) on those locations, maliciously or otherwise.

On Linux, using bind mounts is a great way to populate the chroot tree. With them you can pull in directories like /lib and /usr/lib while not pulling in /user, for example: just bind-mount the directory trees you want onto directories you create in the jail directory.

Setup Bind DNS Server in Chroot Jail on CentOS 7

1. Install the Bind chroot DNS server:

# yum install bind-chroot -y

2. Initialize the /var/named/chroot environment by running:

# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
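The two properties the text relies on (the process really sees the jail as its root, and it is not root) can be verified from /proc. The following shell functions are an added example, not part of the post or of the bind-chroot package; the process name "named" and the jail path /var/named/chroot in the usage comment are assumptions for a CentOS 7 bind-chroot host.

```shell
# Verify from /proc that a service runs inside its chroot and is not root.
# Reading /proc/PID/root of another user's process needs root (or ptrace
# access), so run the check as root or as the service's own user.

# Print the root directory the process sees ("/" when it is not jailed).
proc_root() {
    readlink "/proc/$1/root"
}

# Print the numeric uid the process runs as (the owner of its /proc entry).
proc_uid() {
    stat -c %u "/proc/$1"
}

# Return 0 if PID $1 is jailed under directory $2 and does not run as uid 0.
# Return 1 with a diagnosis otherwise, 2 if the PID cannot be inspected.
check_jailed() {
    _root=$(proc_root "$1" 2>/dev/null) || return 2
    _uid=$(proc_uid "$1" 2>/dev/null) || return 2
    if [ "$_root" != "$2" ]; then
        echo "pid $1: root is $_root, expected $2"
        return 1
    fi
    if [ "$_uid" -eq 0 ]; then
        echo "pid $1: runs as root, and a root process can leave the jail"
        return 1
    fi
    echo "pid $1: jailed under $2 as uid $_uid"
    return 0
}

# Assumed usage on a CentOS 7 bind-chroot host:
#   check_jailed "$(pidof named)" /var/named/chroot
```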

Monday, August 14, 2017

Difference Between for Loop and While Loop

A while loop iterates until its condition is no longer true. A for loop is used for a fixed number of iterations; a while loop is used when you don't know in advance how many iterations you need.

A while loop is like a combination of an if statement and a for loop: it iterates while a condition is true, and stops when the condition evaluates to false.

Syntax of While

while [ test_condition ]
do
  commands
done

Syntax of for

a) In Bash format

for variable in list_of_items
do
   commands
done   

b) In C format

max=upper_limit
for ((i=1; i<=max; i++))
do
  commands
done

Friday, August 11, 2017

Difference between NFS v2, v3 and v4

S.No  Feature         NFS v2      NFS v3      NFS v4
1     Authentication  AUTH_SYS    AUTH_SYS    Kerberos
2     Parallel NFS    No          No          Yes
3     State           Stateless   Stateless   Stateful
4     RPC Call Type   Single      Single      Compound
5     Exports         -           -           All exports can be mounted together in a directory tree structure as part of a pseudo-filesystem
6     Locking         NLM         NLM         Built into the NFSv4 protocol

Brief Explanations

1) Authentication

Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

2) Parallel NFS

When a server implements pNFS, a client is able to access data through multiple servers concurrently. It supports three storage protocols or layouts: files, objects, and blocks.

3) State

A data structure, change_info, is returned by the CREATE, LINK, OPEN, and REMOVE calls so that clients become aware of concurrent operations done on NFS directories and files by other clients. Clients can perform efficient caching and discard cached data depending on change_info.

4) RPC Call type

In versions prior to NFSv4, each RPC call in a typical NFS operation is a separate transaction over the wire. NFSv4 avoids the expense of single RPC requests and the attendant latency by allowing these calls to be bundled together: for instance, a lookup, open, read and close can be sent once over the wire, and the server can execute the entire compound call as a single entity. The effect is to reduce latency considerably for multiple operations.

5) Exports

NFSv4 servers, rather than exporting multiple file systems, export a single "pseudo file system" formed from multiple actual file systems and customized for each client.

6) Locking

NFSv3 relied on the Network Lock Manager (NLM) for file locking. NLM was itself a separate protocol, so file locking was glued on rather than being a core part of the file access protocol. NFSv4 changes that.

To see the NFS version and mount options in use, run nfsstat -m on the client.
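The authentication and version differences in the table are visible per mount in the options that nfsstat -m and /proc/mounts report. The following shell functions are an added example (not from the original post) that parse /proc/mounts-style lines and flag mounts still on NFSv2/v3 or AUTH_SYS (sec=sys); the server name, paths and addresses in NFS_SAMPLE are constructed.

```shell
# Constructed sample in /proc/mounts format: one hardened v4 mount and two
# older mounts that still rely on AUTH_SYS (the client-supplied uid/gid).
NFS_SAMPLE='nas:/export/home /home nfs4 rw,relatime,vers=4.1,sec=krb5p,addr=10.0.0.5 0 0
nas:/export/data /data nfs rw,relatime,vers=3,sec=sys,addr=10.0.0.5 0 0
nas:/export/old /mnt/old nfs rw,relatime,nfsvers=2,addr=10.0.0.5 0 0'

# Read mount lines on stdin; print "<mountpoint> <version> <sec flavour>".
# sec= defaults to sys (AUTH_SYS) when the option is not present.
nfs_mount_report() {
    awk '$3 == "nfs" || $3 == "nfs4" {
        vers = "?"; sec = "sys"
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^vers=/)         vers = substr(o[i], 6)
            else if (o[i] ~ /^nfsvers=/) vers = substr(o[i], 9)
            else if (o[i] ~ /^sec=/)     sec = substr(o[i], 5)
        }
        print $2, vers, sec
    }'
}

# Return 0 only if every NFS mount on stdin is NFSv4 with Kerberos (sec=krb5,
# krb5i or krb5p); otherwise list the weak mounts and return 1.
nfs_mounts_hardened() {
    nfs_mount_report | awk '
        $2 !~ /^4/ || $3 !~ /^krb5/ { bad++; print "weak:", $0 }
        END { exit (bad ? 1 : 0) }'
}

# Live usage on a client:  nfs_mounts_hardened < /proc/mounts
```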

Use of Dot in DNS Zone File

When a period is at the end of a value, it tells the name server that we do not want the domain name appended to that value.

If we leave the dot out, the domain name is appended to the end of the value.

For example:

Correct Entries

example.com.    NS    ns1.example.com.
example.com.    NS    ns1

Incorrect Entries

example.com.    NS    ns1.example.com

The line above will have the domain appended again, so the name becomes ns1.example.com.example.com.

In short: if there is a dot at the end of a name in a resource record or directive, the name is qualified. It is the whole name including the host, i.e. a Fully Qualified Domain Name (FQDN), and the resource record is used unchanged.

If there is NO dot at the end of the name, the name is unqualified and DNS appends the value of the domain to it.

In the absence of an $ORIGIN directive the zone name from the named.conf file for this zone is used as an $ORIGIN directive.

What is Origin Directive

$ORIGIN

Appends the domain name to unqualified records, such as those records without dot in the resource record.

For example, a zone file may contain the following line:
$ORIGIN example.com.

Any names used in resource records that do not end in a trailing period (.) are appended with example.com.

Note : The use of the $ORIGIN directive is unnecessary if the zone is specified in /etc/named.conf because the zone name is used as the value for the $ORIGIN directive by default.
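As an added example (not from the original post), the shell functions below reproduce the qualification rule described above and lint a zone file for the classic mistake of a dotted target without a trailing dot. The zone text in ZONE_SAMPLE is constructed; it contains one deliberately broken MX record.

```shell
# Print the fully qualified form of name $1 relative to origin $2 (an FQDN
# ending in a dot). "@" stands for the origin itself.
qualify() {
    case "$1" in
        @)  printf '%s\n' "$2" ;;
        *.) printf '%s\n' "$1" ;;
        *)  printf '%s.%s\n' "$1" "$2" ;;
    esac
}

# Read a zone file on stdin; warn about NS/CNAME/MX/PTR targets that contain
# a dot but do not end with one. $1 is the origin to assume until a $ORIGIN
# directive appears. Exit 1 if any suspicious record is found.
lint_zone() {
    awk -v origin="$1" '
        /^\$ORIGIN/ { origin = $2; next }
        /^[[:space:]]*;/ || NF == 0 { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(NS|CNAME|MX|PTR)$/) {
                    t = $NF
                    if (t ~ /\./ && t !~ /\.$/) {
                        printf "%s record: %s will be loaded as %s.%s\n", $i, t, t, origin
                        bad++
                    }
                    break
                }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed zone: the MX target lacks its trailing dot.
ZONE_SAMPLE='$ORIGIN example.com.
@        IN  NS   ns1.example.com.
@        IN  NS   ns1
www      IN  A    192.0.2.10
mail     IN  MX   10 mx.example.com'

# Usage:  printf "%s\n" "$ZONE_SAMPLE" | lint_zone example.com.
```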

Wednesday, August 9, 2017

What is udev

Udev is the device manager for the Linux 2.6 kernel that creates/removes device nodes in the /dev directory dynamically. Udev provides a persistent device naming system through the /dev directory, making it easier to identify the device.

/dev/disk/by-id: Contains persistent symbolic links created by Udev for the hard disks attached to a system. Persistent device naming helps to identify the hardware device without much trouble.

Flow

Kernel (uevent) .......> udevd ........> udev ........> modprobe [loads driver (kernel Module)]


udev daemon runs in user space. The udev daemon (udevd) reads the rules files at system startup and stores the rules in memory. If the kernel discovers a new device or an existing device goes offline, the kernel sends an event action (uevent) notification to udevd, which matches the in-memory rules against the device attributes in /sys to identify the device. As part of device event handling, rules can specify additional programs that should run to configure a device. 

What is udev rules

Udev reads the rules and stores them in memory. The udev daemon parses the rules in /etc/udev/rules.d/ for every device state change in the kernel, and creates the device nodes and symbolic links for the devices as specified in the rules.

Rules paths

a) /lib/udev/rules.d
   Contains the default rules files. Do not edit these files.

b) /etc/udev/rules.d/*.rules
   Contains customized rules files. You can modify these files.

c) /dev/.udev/rules.d/*.rules
   Contains temporary rules files. Do not edit these files.

The data in the rules has the major/minor number pair and other device specific data such as device/vendor id, device serial number etc. The Udev rule can match all this data to change the name of the device node, create symbolic links or register the network link.


Why Do We Need It ?

In older kernels, the /dev directory contained static device files. With dynamic device creation, device nodes are created only for those devices which are actually present in the system. Let us see the disadvantages of the static /dev directory, which led to the development of Udev.


In the static model of device node creation, no method was available to identify the hardware devices actually present in the system. So, device nodes were created for all the devices that Linux was known to support at the time. The huge mess of device nodes in /dev made it difficult to identify the devices actually present in the system.

Sample udev rule file


# Enter raw device bindings here.
#
# An example would be:
#   ACTION=="add", KERNEL=="sda", RUN+="/bin/raw /dev/raw/raw1 %N"
# to bind /dev/raw/raw1 to /dev/sda, or
#   ACTION=="add", ENV{MAJOR}=="8", ENV{MINOR}=="1", RUN+="/bin/raw /dev/raw/raw2 %M %m"
# to bind /dev/raw/raw2 to the device with major 8, minor 1.

The following example shows how a network device is getting renamed in a system.

[root@test rules.d]# cat 70-persistent-net.rules

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:8c:37:88", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:8c:14:b9", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

[root@test rules.d]# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:50:56:8C:37:88
eth1      Link encap:Ethernet  HWaddr 00:50:56:8C:14:B9 
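The rule file above maps each MAC address to a NAME; when a VM is cloned or a NIC is replaced, stale entries leave two rules claiming the same name and the new interface comes up with an unexpected number. The following shell functions are an added example (not from the original post) that parse such rules into a MAC/name table and detect conflicts; NET_RULES is a constructed sample in the same format.

```shell
# Constructed rules in 70-persistent-net.rules format.
NET_RULES='# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:8c:37:88", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:8c:14:b9", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"'

# Read rules on stdin; print "<mac> <name>" for every net rule that sets NAME.
# Comments and blank lines are skipped; MACs are lower-cased for comparison.
net_rule_map() {
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         /SUBSYSTEM=="net"/ {
             mac = ""; name = ""
             if (match($0, /ATTR[{]address[}]=="[^"]*"/))
                 mac = substr($0, RSTART + 16, RLENGTH - 17)
             if (match($0, /NAME="[^"]*"/))
                 name = substr($0, RSTART + 6, RLENGTH - 7)
             if (mac != "" && name != "") print tolower(mac), name
         }'
}

# Read rules on stdin; report and exit 1 if a MAC or a NAME is claimed twice.
net_rule_conflicts() {
    net_rule_map | awk '
        seen_mac[$1]++  { print "duplicate MAC " $1;  bad++ }
        seen_name[$2]++ { print "duplicate NAME " $2; bad++ }
        END { exit (bad ? 1 : 0) }'
}

# Live usage on a CentOS/RHEL 6 host:
#   net_rule_conflicts < /etc/udev/rules.d/70-persistent-net.rules
```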

Wednesday, August 2, 2017

Crontab

As everyone is aware, cron is a utility to schedule routine tasks. In this chapter we will see how to schedule a job using cron for a particular time.

Crontab format:  Min Hour Day Month Day-of-week <command>
[Day of week: 0 and 7 - Sunday, 1 - Monday]

Configuration Files

Log path : /var/log/cron

User cron location : /var/spool/cron/<username>

System cron location : /etc/cron.d/ 

Some Examples

*/10 * * * * - will run every 10 minutes

30 11,16 * * * - will run the job at 11:30 AM and 4:30 PM

About Cron.allow and Cron.deny

a) If only cron.allow exists - only the users listed in this file can create and modify their own cron jobs.

b) If only cron.deny exists - everyone except the users listed in this file can create and modify their own cron jobs.

Test case: On a server there was no cron.allow and only a cron.deny without any entries. I (test user) was able to create a cron job for myself. But as soon as cron.allow was created (as an empty file), the test user was no longer able to add cron jobs.

c) If neither file exists - then only root is allowed.

d) Entry in both - the user will be allowed.

About cron.d


If we want system users to execute scripts daily, weekly and monthly, then we need to put our script under /etc/cron.d/<daily/weekly/monthly>. Files in these directories are executed based on the time configured in /etc/crontab.

Note: When adding a cron configuration in /etc/cron.d/ or in /etc/crontab you have to add the username before the command.

In a large IT department, where several people might look after a server, the directory /etc/cron.d is probably the best place to install jobs. Note that the files in /etc/cron.d/ are, in effect, all root-owned.

Special Keywords

@reboot - Run at the time of boot
@yearly - Run once a year, "0 0 1 1 *"
@monthly - Run once a month, "0 0 1 * *"
@weekly - Run once a week, "0 0 * * 0"
@daily - Run once a day, "0 0 * * *"
@hourly - Run once an hour, "0 * * * *"
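As an added example (not from the original post), the shell function below evaluates a crontab time specification against a given minute, covering the formats shown above: *, lists such as 11,16, ranges, */step, the 0-and-7-both-mean-Sunday rule, and the @ keywords expanded to the five-field forms listed in the table. It is a reference model for checking an entry before installing it, not cron's own code.

```shell
# cron_matches <min> <hour> <dom> <month> <dow> '<5-field spec or @keyword>'
# Returns 0 if the spec fires at that moment, 1 otherwise.
cron_matches() {
    case "$6" in
        @yearly|@annually) _spec="0 0 1 1 *" ;;
        @monthly)          _spec="0 0 1 * *" ;;
        @weekly)           _spec="0 0 * * 0" ;;
        @daily|@midnight)  _spec="0 0 * * *" ;;
        @hourly)           _spec="0 * * * *" ;;
        *)                 _spec=$6 ;;
    esac
    awk -v spec="$_spec" -v now="$1 $2 $3 $4 $5" '
    # Does value v satisfy one crontab field f (e.g. "*/10", "11,16", "1-5")?
    function field_ok(f, v,    n, parts, i, p, step, lo, hi, k) {
        n = split(f, parts, ",")
        for (i = 1; i <= n; i++) {
            p = parts[i]; step = 1
            if ((k = index(p, "/")) > 0) { step = substr(p, k + 1); p = substr(p, 1, k - 1) }
            if (p == "*") { lo = 0; hi = 99 }
            else if ((k = index(p, "-")) > 0) { lo = substr(p, 1, k - 1); hi = substr(p, k + 1) }
            else { lo = p; hi = p }
            lo += 0; hi += 0; step += 0          # force numeric comparison
            if (v >= lo && v <= hi && (v - lo) % step == 0) return 1
        }
        return 0
    }
    BEGIN {
        if (split(spec, s, " ") != 5) exit 1   # a malformed spec never fires
        split(now, t, " ")
        for (k = 1; k <= 5; k++) {
            v = t[k] + 0
            if (k == 5 && v == 7) v = 0          # 7 is Sunday, same as 0
            ok = field_ok(s[k], v)
            if (k == 5 && v == 0 && !ok) ok = field_ok(s[k], 7)
            if (!ok) exit 1
        }
        exit 0
    }'
}

# Example: cron_matches 30 16 5 8 5 '30 11,16 * * *' && echo fires
```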

Tuesday, August 1, 2017

One Line Tips

1) env -i :  To ignore environmental variables in Shell Script

2) ls -n : To list filenames with UID and GID instead of username and groupname

3) Ctrl + c : Sends SIGINT (2)

4) Ctrl + z : Sends SIGTSTP (20) 

5) kill -9  : Sends signal 9 (SIGKILL). The default kill signal is 15 (SIGTERM)

6) man -k <man page regex>  : To search for a valid man page name.

7) pwdx <PID>  : Reports the current working directory of a Process

8) lsblk  : list block devices with output [ NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT ]

9) blkid  : Command-line utility to print block device attributes. Like UUID, LABEL, Partition type

10) e2label  : Check/Change the label on an ext2/ext3/ext4 filesystem. Syntax : e2label device [ new-label ]

11) ?  : What does a question mark mean in Linux? It is a single-character wildcard

12) tar -r - To Append a new file to existing archive

13) tar -u - To update the archive with a new file and update the old files if anything new.

14) ftp> dir -Rl <filename>  : Saves the recursive listing of the remote files into <filename> in the local folder.

15) zip -ur existing.zip myFolder  : Recursively adds myFolder to existing.zip, updating entries that have changed.