Friday 22 July 2011

Linux Server Hardening


chmod 711 /
chmod 711 /home
chmod 711 /etc
chmod 711 /var
chmod 711 /usr/etc
chmod 711 /usr/local/etc
chmod 711 /var/log
chmod 711 /sbin
chmod 711 /usr/sbin
chmod 711 /usr/local/sbin

chmod 644 /etc/motd

groupadd deva
chmod 750 /usr/bin/wget
chown root:deva /usr/bin/wget
chmod 750 /usr/bin/perlcc
chown root:deva /usr/bin/perlcc
chmod 750 /usr/bin/byacc
chown root:deva /usr/bin/byacc
chmod 750 /usr/bin/yacc
chown root:deva /usr/bin/yacc
chmod 750 /usr/bin/cc
chown root:deva /usr/bin/cc
chmod 750 /usr/bin/gcc
chown root:deva /usr/bin/gcc

chmod 700 /bin/dmesg
chmod 700 /bin/mount
chmod 700 /bin/rpm
chmod 700 /usr/bin/write
chmod 700 /usr/bin/talk
chmod 700 /usr/bin/ipcrm
chmod 700 /usr/bin/ipcs
chmod 700 /usr/bin/free
chmod 700 /usr/bin/locate
chmod 700 /usr/bin/wall
chmod 700 /usr/bin/finger
chmod 700 /sbin/arp
chmod 700 /sbin/ifconfig
chmod 700 /usr/sbin/repquota
chmod 700 /usr/sbin/tcpdump
chmod 700 /usr/bin/nmap
chmod 700 /usr/bin/wget
chmod 700 /usr/bin/perlcc
chmod 700 /usr/bin/byacc
chmod 700 /usr/bin/yacc
chmod 700 /usr/bin/cc
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/who
chmod 700 /usr/bin/w
chmod 700 /usr/bin/nc

chmod 1733 /tmp/.ICE-unix
chmod 1733 /tmp/.X11-unix
chmod 660 /var/run/utmp

chmod 000 /usr/bin/rcp
chmod 000 /usr/bin/links
chmod 000 /usr/bin/scp
chmod 000 /usr/bin/elinks
chmod 700 /usr/bin/lwp-*
chmod 000 /usr/bin/GET
chmod 700 /usr/bin/curl
chmod 700 /usr/bin/*++*
chmod 700 /usr/bin/*cc*
chmod 700 /usr/bin/yum
chmod 700 /usr/bin/up2date
chmod 700 /usr/sbin/up2date


chmod u-s /usr/bin/at
chmod u-s /usr/bin/chage
chmod u-s /usr/bin/chfn
chmod u-s /usr/bin/chsh
chmod u-s /usr/bin/crontab
chmod u-s /usr/bin/expiry
chmod u-s /usr/bin/gpasswd
chmod u-s /usr/bin/lppasswd
chmod u-s /usr/bin/newgrp
chmod u-s /usr/bin/rcp
chmod u-s /usr/bin/rlogin
chmod u-s /usr/bin/rsh
chmod u-s /usr/libexec/ssh-keysign
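The list above applies each mode blindly and keeps no record of what was there before, so a broken service or a user who suddenly cannot run a tool is hard to undo. The following is an added example, not part of the original post: a small POSIX shell helper that records the previous owner and mode of every path into a rollback script before changing it, skips paths that do not exist on this build instead of aborting, and lists any setuid or setgid files left behind so the `chmod u-s` entries can be confirmed. The rollback location in SNAPSHOT and the `deva` group are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): apply a restrictive mode while
# recording the previous owner and mode, so the change can be rolled back if a
# service or user breaks. Missing paths are skipped and reported instead of
# aborting the run. The SNAPSHOT location and the deva group are assumptions.

SNAPSHOT="${SNAPSHOT:-/var/tmp/perm-rollback.sh}"

# record_state PATH: append chmod/chown lines that restore PATH's current state.
# stat -c is GNU/busybox syntax; numeric ids avoid failures on unnamed uids.
record_state() {
    _cur_mode=$(stat -c '%a' "$1") || return 1
    _cur_own=$(stat -c '%u:%g' "$1") || return 1
    printf 'chmod %s %s\nchown %s %s\n' "$_cur_mode" "$1" "$_cur_own" "$1" >> "$SNAPSHOT"
}

# harden_path MODE PATH [OWNER:GROUP]
# exit status: 0 applied, 2 path missing (skipped), 1 chmod/chown failed
harden_path() {
    _mode=$1
    _path=$2
    _own=${3:-}
    if [ ! -e "$_path" ]; then
        echo "skip: $_path does not exist" >&2
        return 2
    fi
    record_state "$_path" || return 1
    chmod "$_mode" "$_path" || return 1
    if [ -n "$_own" ]; then
        chown "$_own" "$_path" || return 1
    fi
    return 0
}

# current_mode PATH: print the octal mode, used to confirm the result.
current_mode() {
    stat -c '%a' "$1"
}

# list_setuid_under DIR: regular files below DIR that still carry setuid or
# setgid, to confirm the chmod u-s entries took effect and to spot any the
# list missed.
list_setuid_under() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Usage, mirroring a few lines of the list above (run as root):
#   harden_path 711 /var/log
#   harden_path 750 /usr/bin/gcc root:deva
#   harden_path u-s /usr/bin/chfn
#   list_setuid_under /usr
#   sh "$SNAPSHOT"        # reverts everything recorded so far
```

Because the rollback script is appended to in order, running it restores the most recent state last; review it before use if the same path was changed twice in one session.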

Thursday 21 July 2011

Linux System Administration



 What is the RPM tool?
 How to verify Red Hat Linux packages?
 How to verify UnitedLinux packages?

 How to install packages?
 How to upgrade packages?
 How to remove packages?


What is the RPM tool?
The Red Hat Package Management (RPM) utility has become a Linux product standard. It is a robust tool for packaging, installing, upgrading and removing software on Linux.
The <package> and <package_dependency> are composite names in the examples. A Linux RPM package is made up of three components. They are a name, version number and build number. They are referred to as <package> or <package_dependency> in the examples below.

Name - Version - Build
pdksh - 5.2.14 - 13
While there are numerous RPM features, the key tasks are installing, upgrading and removing packages. User and group administration is covered in the following sections.


How to verify Red Hat Linux packages?
Red Hat provides a webpage to lookup patches. As a rule, only download patches from the Red Hat site.
Once a patch is downloaded, the rpm utility can be used to examine any conflicts. Conflicts typically occur when a utility replaces a common dependency, like a file. A common file conflict error is linked to documentation files in the man pages.
The rpm command has the capability to view many aspects of packages and configuration, documentation and library files. Below is a summary of query capabilities of the rpm utility.

Option        Utility provided
 -qa          Lists all installed packages. Generally, the results are piped into a grep for a partial string related to a package.
 -qf file     Lists the package that owns a file. The fully qualified path and file name must be provided.
 -q package   Lists the installed name, version and build of a package.
 -qi package  Lists descriptive information about a package.
 -qR package  Lists libraries and commands that a package depends on.
 -ql package  Lists files in a package.
 -qd package  Lists documentation files in a package.
 -qc package  Lists configuration files in a package.



How to verify UnitedLinux packages?
UnitedLinux provides a webpage to lookup patches. As a rule, only download patches from the UnitedLinux site.
Once a patch is downloaded, the rpm utility can be used to examine any conflicts. Conflicts typically occur when a utility replaces a common dependency, like a file. A common file conflict error is linked to documentation files in the man pages.
The rpm command has the capability to view many aspects of packages and configuration, documentation and library files. Below is a summary of query capabilities of the rpm utility.

Option        Utility provided
 -qa          Lists all installed packages. Generally, the results are piped into a grep for a partial string related to a package.
 -qf file     Lists the package that owns a file. The fully qualified path and file name must be provided.
 -qi package  Lists descriptive information about a package.
 -qR package  Lists libraries and commands that a package depends on.
 -ql package  Lists files in a package.
 -qd package  Lists documentation files in a package.
 -qc package  Lists configuration files in a package.



How to install packages?
The RPM utility uses the -i argument for installation, and the install fails when a dependency is missing. It is therefore important to use -ivh, which adds verbose output and progress hash marks so the reason for a failure is visible.
When a package has a dependency on another package, there are two options. One is to install the dependent package first. The other is to install a package with any dependent packages at the same time.
It is possible that a package may be older than the release date of an operating system, like Red Hat Advanced Server (AS) 2.1. The release problem between vendors is very complex in the Linux market.
An example of the complexity can be illustrated by the standard release of Perl 5.6.1 on Red Hat Linux AS 2.1. While it was not the current version of Perl at time of release, it was the current release of the consumer version of Red Hat Linux 7.2. Since Red Hat Linux AS 2.1 shipped a scalable and enhanced version of Red Hat Linux 7.2, patches to that release were held to a minimum. Perl 5.8 depends on XML utilities, which depend on Berkeley Software Distribution (BSD) database library for C that shipped on the consumer Red Hat Linux 7.3 media.
When installing packages, the machine architecture must be less than or equal to the physical machine. The machine architecture is found by using the uname -m command.
The <package> and <package_dependency> are composite names in the examples. A Linux RPM package is made up of three components. They are a name, version number and build number. For convenience, they are referred to as <package> or <package_dependency> in the syntax examples noted below.

  • Installing packages.
 # rpm [-i install] [-v verbose] [-h hash_marks] \
 > [package]
 # rpm -ivh <package>.`uname -m`.rpm
   - OR -
 # rpm -ivh <package>.`uname -m`.rpm \
 > <package_dependency>.`uname -m`.rpm
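The Name - Version - Build table earlier and the architecture rule above (the package architecture must be less than or equal to the machine's, as reported by uname -m) are both mechanical checks that can be scripted before rpm -ivh is run on a directory of downloaded files. The block below is an added example, not from the original post: it splits an RPM file name into its name, version, build and architecture fields and filters a list of files down to those whose architecture fits the machine. The x86 ordering i386 < i486 < i586 < i686 is how this example reads "less than or equal"; the package file names in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): split an RPM file name into the
# name, version, build (release) and architecture fields described above, and
# check the architecture against the machine before handing the file to rpm -ivh.
# The x86 ordering below is an assumption about how to read "less than or equal".

# rpm_fields FILE: print "name version release arch" for NAME-VER-REL.ARCH.rpm
rpm_fields() {
    _f=${1##*/}            # drop any directory part
    _f=${_f%.rpm}          # drop the .rpm suffix
    _arch=${_f##*.}        # text after the last dot is the architecture
    _nvr=${_f%.*}
    _rel=${_nvr##*-}       # build/release is after the last hyphen
    _nv=${_nvr%-*}
    _ver=${_nv##*-}        # version is after the next hyphen back
    _name=${_nv%-*}        # whatever is left is the name (may contain hyphens)
    printf '%s %s %s %s\n' "$_name" "$_ver" "$_rel" "$_arch"
}

# arch_rank ARCH: position in the x86 family, 0 when not in the family
arch_rank() {
    case $1 in
        i386) echo 1 ;;
        i486) echo 2 ;;
        i586) echo 3 ;;
        i686) echo 4 ;;
        *)    echo 0 ;;
    esac
}

# arch_ok PKG_ARCH MACHINE_ARCH: 0 when the package can be installed here
arch_ok() {
    [ "$1" = noarch ] && return 0
    [ "$1" = "$2" ] && return 0
    _p=$(arch_rank "$1")
    _m=$(arch_rank "$2")
    [ "$_p" -gt 0 ] && [ "$_m" -gt 0 ] && [ "$_p" -le "$_m" ]
}

# installable MACHINE_ARCH FILE...: print the files whose architecture fits
installable() {
    _machine=$1
    shift
    for _file in "$@"; do
        set -- $(rpm_fields "$_file")   # $4 is now the architecture
        if arch_ok "$4" "$_machine"; then
            echo "$_file"
        fi
    done
}

# Usage with constructed file names (not real packages):
#   installable "$(uname -m)" pdksh-5.2.14-13.i386.rpm foo-1.0-1.x86_64.rpm
#   rpm -ivh $(installable "$(uname -m)" *.rpm)
```

Files that are rejected by the filter are simply omitted, so compare the filtered list against the directory listing before installing to see which packages were downloaded for the wrong architecture.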



How to upgrade packages?
The RPM utility upgrade uses a -u or -U argument. The -U is the preferred argument since it automatically installs the package if it is not already installed. Using the -h argument enables the progress hash mark display.
When a package has a dependency on another package, there are two options. One is to install or upgrade the dependency package first. The other is to upgrade a package with any dependency packages at the same time, using the -U argument that installs previously uninstalled packages.
As a rule any package may be equal to or older than the machine architecture. The machine architecture is found by using the uname -m command. Syntax examples are noted below.

  • Upgrade existing packages.
 # rpm [-u upgrade] [-v verbose] [-h hash_marks] \
 > [package]
 # rpm -uvh <package>.`uname -m`.rpm
   - OR -
 # rpm -uvh <package>.`uname -m`.rpm \
 > <package_dependency>.`uname -m`.rpm
  • Upgrade or Install packages.
 # rpm [-U upgrade] [-v verbose] [-h hash_marks] \
 > [package]
 # rpm -Uvh <package>.`uname -m`.rpm
   - OR -
 # rpm -Uvh <package>.`uname -m`.rpm \
 > <package_dependency>.`uname -m`.rpm



How to remove packages?
The RPM utility removal uses a -e argument. Using the -v argument is optional but recommended when removing packages.
Before removing packages, it is critical to test, because it is possible to remove a critical package and crash the operating system. If a package is a dependency of another package, it cannot be removed first. There are two options when a dependency is encountered. One is to remove the dependent package first. The other removes the package and its dependents at the same time. Syntax examples are noted below.

  • Removing packages.
 # rpm [-e erase] [-v verbose] [package]
 # rpm -ev <package>
   - OR -
 # rpm -ev <package> \
 > <package_dependency>



  • User & Group Administration

 Why is user & group administration important?
 What are the available shell environments?
 Command-line syntax.

   Add a user.
   Modify a user.
   Delete a user.

   Add a group.
   Modify a group.
   Delete a group.
 Red Hat GUI.

   Add a user.
   Modify a user.
   Delete a user.

   Add a group.
   Modify a group.
   Delete a group.
 UnitedLinux GUI.

   Add a user.
   Modify a user.
   Delete a user.

   Add a group.
   Modify a group.
   Delete a group.


Why is user & group administration important?
If user and group accounts are not setup properly, it may be difficult for users to work effectively. Correct configuration can save hours of troubleshooting.
A list of problems introduced by poor system administration are noted below.

  • Login shell configuration may be incomplete.
  • Login shell assignment may be incorrect.
  • Account expiration and policy may be inconsistent.
  • Group assignments may be incorrect.
  • Passwords may be set incorrectly.



Command syntax to find available shells.
The chsh utility enables a user to change shell environments. Using the -l option lists the available shells. An example of the syntax requirements is noted below.

  • Finding available shell environments.
 # chsh [-s shell] [-l] [username]
 # chsh -l



Command-line syntax.
The following sections cover the command-line syntax to add, modify and delete users and groups.



Command-line: Add a user.
The useradd utility is the only way to successfully add a user with a custom default group.
Creating a user with a custom default group is done by passing the -n option together with the -g option. The -g option requires a valid group name as an argument. If a user is created with the -n option and without the -g option, the user's default group will be the users group, which has a Group ID of 100. The group should exist before attempting to add a user to it.
An example of the syntax requirements and recommended steps for adding users is noted below. For reference, the useradd utility only accepts encrypted passwords, and supplying a non-encrypted password will make the account inaccessible. Therefore, users are typically added by scripts that create the user and then assign an initial password.

  • Adding a user.
 # useradd [-u uid] [-g initial_group] [-G group[,...]] \
 > [-d home_directory] [-s shell] [-c comment] \
 > [-m [-k skeleton_directory]] [-f inactive_time] \
 > [-e expire_date] -n username
 # useradd -u 502 -g dba -G users,root \
 > -d /u02/oracle -s /bin/tcsh -c "Oracle Account" \
 > -f 7 -e 12/31/03 -n jdoe
  • Enabling a password as the root user.
 # passwd username
 Changing password for user <username>
 New password:
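The text above notes that the default group must exist before useradd is run and that accounts are usually created by a script that runs useradd and then passwd. The following is an added example, not part of the original post: a set of pre-flight checks against the files useradd will write (the group exists, the user name and UID are free, the shell is listed in /etc/shells), with a wrapper that only calls useradd when every check passes. The PASSWD_FILE, GROUP_FILE and SHELLS_FILE variables default to the live files and can be pointed at copies; the user and group names in the usage comment are constructed. The -N flag is the current shadow-utils spelling of the -n shown above (do not create a group named after the user).

```shell
#!/bin/sh
# Added example (not part of the original post): pre-flight checks before running
# useradd, against the files it will write. The check confirms the default group
# exists (the text requires this), that the user name and UID are not already
# taken, and that the shell is listed in /etc/shells. PASSWD_FILE, GROUP_FILE and
# SHELLS_FILE default to the live files and can be pointed at copies for testing.

PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
GROUP_FILE=${GROUP_FILE:-/etc/group}
SHELLS_FILE=${SHELLS_FILE:-/etc/shells}

# group_exists NAME: 0 when NAME is a group in GROUP_FILE
group_exists() {
    awk -F: -v g="$1" 'BEGIN { found = 0 } $1 == g { found = 1 } END { exit !found }' "$GROUP_FILE"
}

# user_exists NAME: 0 when NAME is already in PASSWD_FILE
user_exists() {
    awk -F: -v u="$1" 'BEGIN { found = 0 } $1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# uid_in_use UID: 0 when some account already has this numeric id
uid_in_use() {
    awk -F: -v id="$1" 'BEGIN { found = 0 } $3 == id { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# shell_allowed PATH: 0 when PATH appears as a whole line in SHELLS_FILE
shell_allowed() {
    grep -qx "$1" "$SHELLS_FILE"
}

# check_new_user NAME UID GROUP SHELL: print each problem, return the problem count
check_new_user() {
    _n=0
    user_exists "$1"   && { echo "user $1 already exists"; _n=$((_n + 1)); }
    uid_in_use "$2"    && { echo "uid $2 already in use"; _n=$((_n + 1)); }
    group_exists "$3"  || { echo "group $3 does not exist"; _n=$((_n + 1)); }
    shell_allowed "$4" || { echo "shell $4 not in $SHELLS_FILE"; _n=$((_n + 1)); }
    return $_n
}

# add_user NAME UID GROUP SHELL COMMENT: run useradd only when the checks pass,
# then let passwd prompt for the initial password, as in the steps above.
# -N is the current spelling of the -n flag shown above (no per-user group).
add_user() {
    check_new_user "$1" "$2" "$3" "$4" || return 1
    useradd -u "$2" -g "$3" -N -m -s "$4" -c "$5" "$1" || return 1
    passwd "$1"
}

# Usage (as root; names are constructed):
#   add_user asmith 503 dba /bin/bash "Application DBA"
```

check_new_user returns the number of problems found, so a caller can print all of them at once rather than failing on the first; add_user treats any non-zero count as a stop.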



Command-line: Modify a user.
An example of the syntax requirements and recommended steps for modifying users is noted below. For reference, the usermod utility only accepts encrypted passwords, and supplying a non-encrypted password will make the account inaccessible. Therefore, users are modified at the command line by scripts that call usermod and then the passwd command. Both commands are shown below.

  • Modifying a user.
 # usermod [-u uid] [-g initial_group] [-G group[,...]] \
 > [-d home_directory] [-s shell] [-c comment] \
 > [-l new_username] [-f inactive_time] [-e expire_date] \
 > username
 # usermod -u 502 -g dba -G users,root \
 > -d /u02/oracle -s /bin/bash -c "Senior DBA" \
 > -l sdba -f 7 -e 12/31/03 jdoe
  • Changing a password as the root user.
 # passwd username
 Changing password for user <username>
 New password:



Command-line: Delete a user.
An example of the syntax requirements is noted below. While the -r option should normally be used, there are exceptions. In some cases not using it allows an audit of the user's files in the old home directory.
After reviewing the old home directory and removing or preserving the contents, the /var/opt/mail/username file should be removed.

  • Deleting a user.
 # userdel [-r] username
 # userdel -r sdba



Command-line: Add a group.
An example of the syntax requirements is noted below. The -r option is used to create a system group account with a GID below 100. If a group already exists an error is raised unless the -f option is used to suppress it.

  • Creating a group.
 # groupadd [-g gid] [-rf] groupname
 # groupadd -g 500 dba



Command-line: Modify a group.
An example of the syntax requirements is noted below.

  • Modifying a group.
 # groupmod [-g gid] [-n new_group_name] groupname
 # groupmod -g 500 -n dba oinstall



Command-line: Delete a group.
An example of the syntax requirements is noted below.

  • Deleting a group.
 # groupdel groupname
 # groupdel dba



Red Hat GUI.
The following sections cover the GUI navigation steps to add, modify and delete users and groups.


   Add a user.
   Modify a user.
   Delete a user.

   Add a group.
   Modify a group.
   Delete a group.
Red Hat Linux manages GUI access to user and group accounts with the Red Hat User Manager utility. It can be accessed by setting up the X-windows display and typing redhat-config-users at the command-line prompt. If started by a user other than root, the following input dialog box will prompt for the root password.

If started by the root user or when a root password is provided, the utility will display in an X-window. The utility will be displayed as shown below.




GUI: Add a user.
Red Hat Linux manages GUI access to user and group accounts with the Red Hat User Manager utility. Adding a user starts by clicking the New User button from the Red Hat Linux User Manager form. The Create New User screen is shown below.

  Steps to Enter a User.
  • Enter a user name without any whitespace.
  • Enter a full or account name for the user, which may contain whitespaces.
  • Enter a case sensitive password twice.
  • Select a login shell for the user.
  • While the default is to create a /home/username directory, a different directory may be entered.
  • The "Create new group for this user" checkbox should be UNCHECKED. If the button is left checked, the user's default group will be the same as the user name for the account. If the checkbox is unchecked, all users are assigned the default group. The default group has a Group ID of 101.
  • If csh or tcsh are selected as the login shell, the system administrator will need to manually create .login and .cshrc files.




GUI: Modify a user.
Red Hat Linux manages GUI access to user and group accounts with the Red Hat User Manager utility. Modify a user by clicking the Users tab and clicking the Properties button from the Red Hat Linux User Manager form.
User data, account information, password information and group assignments can be modified using the User properties form. Default group assignment for a user cannot be changed with the User Properties form. The command-line tool must be used to change the default group.
Four panels of the User Properties screen are shown below, starting with the default User Data panel. Each contains a brief synopsis of functionality.

  1. User Properties: User Data.
  Modifying user data.
  • User name may be changed.
  • Full or account name for the user may be changed.
  • Passwords may be changed.
  • Home directory may be changed.
  • Login shell may be changed.
  • If csh or tcsh are selected as the login shell, the system administrator will need to manually create .login and .cshrc files.
  2. User Properties: Account Info.
  Modifying user account information.
  • Account expiration dates may be enabled and set.
  • User accounts may be locked.
  3. User Properties: Password Info.
  Modifying user password information.
  • Enable passwords for expiration. Password expiration is enabled by default but is disabled by setting the number of days before allowing, forcing or accessing to zero.
  • Set number of days before allowing a change in password.
  • Set number of days before forcing a change in password.
  • Set number of days before warning of a required change.
  • Set number of days before an unaccessed account becomes inactive.
  4. User Properties: Groups.
  Modifying user groups.
  • The default user group cannot be changed with the form panel.
  • Checking a box enables a group for the user.
  • Unchecking a box disables a group for the user, unless it is the default user group for that user.



GUI: Delete a user.
Deleting a user is always a task that should be done carefully. The Red Hat User Manager makes it more risky for casual use. If no user is selected before clicking the Delete button, it is possible that the adm user may be deleted. If the adm user is deleted and this goes unnoticed, rebooting the system will be problematic. Therefore, follow these rules.

  1. Select the user that should be deleted.
  2. Validate the correct user is active in the display.
  3. Click the Delete button.

NOTE:
If a mistake is made with a system account, DO NOT make any further changes in the Red Hat User Manager utility! Connect to the system as the root user and physically copy the deleted row from the /etc/passwd.OLD file into the /etc/passwd file. It is unlikely at this point that the account is deleted from the shadow passwd file but check the /etc/passwd- file. If it is missing the row recover it from the passwd.OLD file.
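The recovery step above (copy the deleted row from /etc/passwd.OLD back into /etc/passwd, and the same for /etc/group.OLD in the group section below) is easy to get wrong by hand when the files are long. The following is an added example, not part of the original post: it lists the rows present in the backup but absent from the live file, keyed on the account or group name in the first field, and appends them. Keying on the name rather than the whole line means a row that was legitimately edited in the meantime is not duplicated. The backup file names are the ones the text uses; the sample rows in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): find rows that exist in a backup
# (/etc/passwd.OLD, /etc/group.OLD) but not in the live file, keyed on the name in
# the first colon-separated field, and append them. Comparing by name rather than
# whole line means a row that was legitimately edited is not duplicated.

# missing_rows BACKUP LIVE: print rows of BACKUP whose name is absent from LIVE.
# FILENAME == ARGV[1] (rather than NR == FNR) stays correct when LIVE is empty.
missing_rows() {
    awk -F: 'FILENAME == ARGV[1] { live[$1] = 1; next } !($1 in live)' "$2" "$1"
}

# restore_missing BACKUP LIVE: append the missing rows to LIVE and print how
# many were added; returns 1 if the temporary file or the append fails.
restore_missing() {
    _tmp=$(mktemp) || return 1
    missing_rows "$1" "$2" > "$_tmp"
    _count=$(wc -l < "$_tmp" | tr -d ' ')
    if [ "$_count" -gt 0 ]; then
        # make sure LIVE ends with a newline so the first restored row is
        # not glued onto its last line
        [ -n "$(tail -c1 "$2")" ] && echo >> "$2"
        cat "$_tmp" >> "$2" || { rm -f "$_tmp"; return 1; }
    fi
    rm -f "$_tmp"
    echo "$_count"
}

# Usage (as root, after a mistaken delete in the GUI):
#   missing_rows /etc/passwd.OLD /etc/passwd       # review first
#   restore_missing /etc/passwd.OLD /etc/passwd
#   missing_rows /etc/group.OLD /etc/group
#   restore_missing /etc/group.OLD /etc/group
```

Run missing_rows first and read the output: anything it lists was removed since the backup was taken, which may include accounts deleted on purpose, so restore only after confirming the list is what you expect.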




GUI: Add a group.
Red Hat Linux manages GUI access to user and group accounts with the Red Hat User Manager utility. Adding a group starts by clicking the New Group button from the Red Hat Linux User Manager form. The Create New Group screen is shown below.

  Add a group.
  • Enter the new group name.



GUI: Modify a group.
Red Hat Linux manages GUI access to user and group accounts with the Red Hat User Manager utility. Modify a group by clicking the Groups tab and clicking the Properties button from the Red Hat Linux User Manager form.
Group name and group member assignments can be modified using the Group properties form. Two panels of the Group Properties screen are shown below, starting with the default Group Data panel. Each contains a brief synopsis of functionality.

  1. Group Properties: Modify Group Name.
  Modifying a group name.
  • Enter the new group name.
  2. Group Properties: Modify Group Users.
  Modifying group members.
  • Add a user to a group by checking the box for the user.
  • Remove a user from a group by unchecking the box for the user.



GUI: Delete a group.
Deleting a group is always a task that should be done carefully. The Red Hat User Manager makes it more risky for casual use. If no group is selected before clicking the Delete button, it is possible that the first group displayed in the form may be deleted. Therefore, follow these rules.

  1. Select the group that should be deleted.
  2. Validate the correct group is active in the display.
  3. Click the Delete button.
If a mistake is made with a system group, DO NOT make any further changes in the Red Hat User Manager utility! Connect to the system as the root user and physically copy the deleted row from the /etc/group.OLD file into the /etc/group file. It is unlikely at this point that the group is deleted from the shadow group file, but check the /etc/group- file. If it is missing the row, recover it from the group.OLD file.




UnitedLinux GUI.
The following sections cover the GUI navigation steps to add, modify and delete users and groups.


   Add a user.
   Modify a user.
   Delete a user.

   Add a group.
   Modify a group.
   Delete a group.
UnitedLinux manages GUI access to user and group accounts with the YaST utility. It can be accessed by setting up the X-windows display and typing yast2 at the command-line prompt. If started by a user other than root, the following input dialog box will appear to advise the user that they lack rights and permissions.

If started by the root user, the utility will display in an X-window. The utility will be displayed as shown below.




GUI: Add a user.
UnitedLinux manages GUI access to user and group accounts with the YaST utility. Adding a user starts by clicking the Security and User menu selection on the left menu panel.
There are six steps to create a new user. They are shown below.

  1. Edit & create users: User Add.
  Adding a user.
  • Click the add button to start the process.
  • Alternatively, click abort button to lose changes.
  • Alternatively, click back button to return to previous user and group administration screen. All changes will be lost.
  2. Edit & create users: User Entry.
  Entering a user.
  • Enter a first name.
  • Enter a last name.
  • Enter a user name without any whitespace. Click on the suggestion button for a system generated user name.
  • Enter a case sensitive password twice.
  • Click the details button to modify the standard assigned UID, home directory, login shell, default group or additional group membership.
  • Click the Password setting button to change default password rules for a user.
  3. Edit & create users: User Details.
  Changing user defaults.
  • Change the UID if desired.
  • Change the home directory if desired.
  • Select login shell for the user.
  • Select default group for the user.
  • Click checkboxes to add or remove additional group memberships. If creating an Oracle or Application Manager user, it is CRITICAL to leave the user as a member of the video group to run X windows.
  4. Edit & create users: User Creation.
  Creating a user.
  • Click create button to build user account.
  • Alternatively, click abort button to lose changes.
  • Alternatively, click back button to return to previous user and group administration screen. All changes will be lost.
  5. Edit & create users: User Completion.
  Completing new user setup.
  • Click the finish button to add the new user.
  • Alternatively, click abort button to lose changes.
  • Alternatively, click back button to return to previous user and group administration screen. All changes will be lost.
  6. Edit & create users: User Confirmation.
  Accepting new account creation.
  • Click the OK button to complete the process.



GUI: Modify a user.
UnitedLinux manages GUI access to user and group accounts with the YaST utility. Modifying a user starts by clicking the Security and User menu selection on the left menu panel.
There are several possible edits available, as shown below.

  1. Edit & create users: User Selection.
  Selecting a user account to modify.
  • Select a user by clicking the user's name.
  • Edit a user by clicking the edit button.
  • Alternatively, click abort button to lose changes.
  • Alternatively, click back button to return to previous user and group administration screen. All changes will be lost.
  2. Edit & create users: User Edit.
  Modifying user data.
  • User first name may be changed.
  • User last name may be changed.
  • User login name may be changed.
  • Passwords may be changed.
  • Click the next button to effect changes.
  3. Edit & create users: User Details.
  Modifying user account information.
  • Change the home directory if desired.
  • Change login shell for the user.
  • Change default group for the user.
  • Click checkboxes to add or remove additional group memberships. If creating an Oracle or Application Manager user, it is CRITICAL to leave the user as a member of the video group to run X windows.
  • Click the next button to effect changes.
  4. Edit & create users: Password Info.
  Modifying user password information.
  • Set number of days before warning of a password expiration.
  • Set number of days after expiration that a password will work.
  • Set maximum number of days for a password.
  • Set minimum number of days for a password.
  • Set expiration date. The default is January 1, 1970. When the date precedes the current working date, the system counts days until it reaches the maximum number of days for a password.
  • Click the next button to effect changes.
  5. Edit & create users: User Completion.
  Completing user modification.
  • Click the finish button to modify user preferences.
  • Alternatively, click abort button to lose changes.
  • Alternatively, click back button to return to previous user and group administration screen. All changes will be lost.
  6. Edit & create users: User Confirmation.
  Accepting user modification.
  • Click the OK button to complete the process.



GUI: Delete a user.
UnitedLinux manages GUI access to user and group accounts with the YaST utility. Deleting a user starts by clicking the Security and User menu selection on the left menu panel. The four steps to delete a user are shown below.

  1. Edit & create users: User Selection.
  Selecting a user account.
  • Select a user by clicking the user's name.
  • Delete a user by clicking the delete button.
  2. Edit & create users: User Deletion.
  Deleting user account directory.
  • Check the delete home directory checkbox to remove the user's home directory and files.
  • Click the OK button to effect changes.
  3. Edit & create users: User Completion.
  Completing user deletion.
  • Click the finish button to delete user.
  • Alternatively, click abort button to lose changes.
  • Alternatively, click back button to return to previous user and group administration screen. All changes will be lost.
  4. Edit & create users: User Confirmation.
  Accepting user deletion.
  • Click the OK button to complete the process.



GUI: Add a group.
UnitedLinux manages GUI access to user and group accounts with the YaST utility. Adding a group starts by clicking the Security and User menu selection on the left menu panel.

  1. Edit & create groups: Group Add.
  Adding a group.
  • Click the group administration radio button to change from the default user administration to group administration.
  • Click the add button to start the process.
  • Alternatively, click abort button to lose changes.
  • Alternatively, click back button to return to previous user and group administration screen. All changes will be lost.
  2. Edit & create groups: Group Entry.
  Entering a group.
  • Enter a group name. The group name must be between five and eight characters in length.
  • Accept the default GID or override the value.
  • Enter a case sensitive password twice.
  • Click the user checkboxes that should be added to the new group.
  3. Edit & create groups: Group Creation.
  Completing new group setup.
  • Click finish button to build group account.
  • Alternatively, click abort button to lose changes.
  • Alternatively, click back button to return to previous user and group administration screen. All changes will be lost.
  4. Edit & create groups: Group Confirmation.
  Accepting new group creation.
  • Click the OK button to complete the process.



GUI: Modify a group.
UnitedLinux manages GUI access to user and group accounts with the YaST utility. Editing a group starts by clicking the Security and User menu selection on the left menu panel.

  1. Edit & create groups: Group Select.
  Selecting a group.
  • Click the group administration radio button to change from the default user administration to group administration.
  • Select the group name.
  • Click the edit button to start the process.
  2. Edit & create groups: Group Edit.
  Modifying a group.
  • Change the group name if desired.
  • Change GID if desired.
  • Enter a case sensitive password twice.
  • Click the user checkboxes to add or remove users from the group.
  • Click the next button to move forward.
  3. Edit & create groups: Group Changes.
  Completing group modification(s).
  • Click finish button to edit group account.
  • Alternatively, click abort button to lose changes.
  • Alternatively, click back button to return to previous user and group administration screen. All changes will be lost.
  4. Edit & create groups: Group Confirmation.
  Accepting group modification(s).
  • Click the OK button to complete the process.



GUI: Delete a group.
UnitedLinux manages GUI access to user and group accounts with the YaST utility. Deleting a group starts by clicking the Security and User menu selection on the left menu panel.
Before attempting to delete a group, YaST requires all users be removed from the group. If a group has users when the delete button is selected, it will raise the following dialog message.


  1. Edit & create groups: Group Delete.
  Selecting a group.
  • Click the group administration radio button to change from the default user administration to group administration.
  • Select the group name.
  • Click the delete button to start the process.
  2. Edit & create groups: Group Delete Confirmation.
  Confirming a group delete.
  • Click the Yes button to delete the group.
  • Click the No button to not delete the group.
  3. Edit & create groups: Group Deletion.
  Completing a group deletion.
  • Click finish button to delete group account.
  • Alternatively, click abort button to lose changes.
  • Alternatively, click back button to return to previous user and group administration screen. All changes will be lost.
  4. Edit & create groups: Group Confirmation.
  Accepting a group deletion.
  • Click the OK button to complete the process.

  • Java Administration
Java administration in Red Hat Linux is covered in the following three sections.
 Why is Java administration important?
A synopsis of issues requiring action.
 How do you verify Java installation?
A description of how to verify Java packages, versions and default/user access setups.
 How do you configure, replace or upgrade Java?
A step-by-step approach to replacement, upgrade and configuration of Java.

  • File System Management

 How to verify file systems.

   Display a disk.
   Display a partition size.
 How to modify a file system.

Existing file systems can be verified with fdisk in two ways: by disk device and by partition. The syntax for each is noted below.

# fdisk -lu <device_name>
# fdisk -lu hda
Disk hda: 255 heads, 63 sectors, 14946 cylinders
Units = sectors of 1 * 512 bytes

Device Boot    Start       End    Blocks   Id  System
  hda1   *        63    208844    104391   83  Linux
  hda2        208845   4289354   2040255   82  Linux swap
  hda3       4289355  24772229  10241437+  83  Linux
  hda4      24772230 240107489 107667630    f  Win95 Ext'd (LBA)
  hda5      24772293  35005634   5116671   83  Linux
  hda6      35005698 240107489 102550896   83  Linux

# fdisk -s <partition_name>
# fdisk -s hda6
102550896
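The fdisk -lu listing above is self-describing: with "Units = sectors of 1 * 512 bytes", each 1024-byte block is two sectors, so every row's Blocks value must equal (End - Start + 1) / 2, with a trailing "+" when the sector count is odd (hda3 above). The following is an added example, not part of the original post: it checks a listing row by row against that rule, which is a cheap way to confirm a table that has been copied, wrapped or hand-edited still matches the disk before acting on it. The sample listing in the block is copied from the output above.

```shell
#!/bin/sh
# Added example (not part of the original post): cross-check an fdisk -lu listing.
# With "Units = sectors of 1 * 512 bytes", each 1024-byte block is two sectors, so
# Blocks must equal (End - Start + 1) / 2, with a trailing "+" when the sector
# count is odd. A row that fails this check means the listing was mangled in
# transit (wrapped, truncated, hand-edited) and should not be acted on.

# partition_blocks START END: print the block count fdisk would show
partition_blocks() {
    _sectors=$(( $2 - $1 + 1 ))
    if [ $(( _sectors % 2 )) -eq 0 ]; then
        echo $(( _sectors / 2 ))
    else
        echo "$(( _sectors / 2 ))+"
    fi
}

# check_fdisk_listing < LISTING: print "device expected shown" for each bad row;
# the exit status is the number of bad rows (0 means the table is consistent)
check_fdisk_listing() {
    awk '
        BEGIN { bad = 0 }
        # data rows: device, optional "*", start, end, blocks, id, system
        /^[[:space:]]*[a-z]+[0-9]+[[:space:]]/ {
            dev = $1
            i = 2
            if ($i == "*") i++
            start = $i; end = $(i + 1); shown = $(i + 2)
            sectors = end - start + 1
            expected = int(sectors / 2) (sectors % 2 ? "+" : "")
            if (expected != shown) { print dev, expected, shown; bad++ }
        }
        END { exit bad }
    '
}

# sample_listing: the fdisk -lu hda output shown above, used as sample input
sample_listing() {
    cat <<'EOF'
Disk hda: 255 heads, 63 sectors, 14946 cylinders
Units = sectors of 1 * 512 bytes

Device Boot    Start       End    Blocks   Id  System
  hda1   *        63    208844    104391   83  Linux
  hda2        208845   4289354   2040255   82  Linux swap
  hda3       4289355  24772229  10241437+  83  Linux
  hda4      24772230 240107489 107667630    f  Win95 Ext'd (LBA)
  hda5      24772293  35005634   5116671   83  Linux
  hda6      35005698 240107489 102550896   83  Linux
EOF
}

# Usage against a live disk (as root):   fdisk -lu /dev/hda | check_fdisk_listing
# Usage against the sample:              sample_listing | check_fdisk_listing
```

On the sample the check prints nothing and exits 0; hda3's odd sector count (20482875) yields the "10241437+" fdisk shows, and hda6's 205101792 sectors yield exactly the 102550896 reported by fdisk -s above.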

There are two utilities that can be used to modify Linux file systems. They are:
  • fdisk
  • e2fsck

The fdisk utility can be used to repair a disk's partition table. Identify the disk device that has a problem and then use the interactive mode by using the syntax below.
# fdisk -u <device>
# fdisk -u hda
Below is the menu that will be presented by the fdisk utility.
Command (m for help): m
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

Command (m for help):



e2fsck checks and repairs ext2 and ext3 file systems: ext3 is ext2 with a journal, and fsck.ext3 is the same program under another name, so the tool is not limited to ext2. With -p it fixes everything that can be repaired safely without asking and stops, with a non-zero exit status, when a problem needs a decision; without -p it asks about each repair. Give it a partition device, never the whole disk, and run it only on a file system that is unmounted (or mounted read-only): checking a file system that is mounted read-write can destroy it. The exit status is a bit mask: 0 no errors, 1 errors corrected, 2 errors corrected and the system should be rebooted, 4 errors left uncorrected, 8 operational error.
# e2fsck -p <partition>
# e2fsck -p /dev/hda6
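As an added example (not code from the original page), the following shell script recomputes the Blocks column of the fdisk listing above from the start and end sectors, and wraps e2fsck in a check that refuses to touch a partition that is currently mounted. The fdisk output and the /proc/mounts-style table are constructed sample data modelled on the listing above; the device names are assumptions, and FSCK_CMD defaults to a dry run so the script can be exercised without a real disk.

```shell
#!/bin/sh
# Added example, not part of the original page.  Constructed sample data:
# an fdisk -lu listing in sectors (modelled on the page) and a /proc/mounts
# style table.  Device names are assumptions.

FDISK_OUTPUT=$(cat <<'EOF'
Disk /dev/hda: 255 heads, 63 sectors, 14946 cylinders
Units = sectors of 1 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1   *        63    208844    104391   83  Linux
/dev/hda2        208845   4289354   2040255   82  Linux swap
/dev/hda3       4289355  24772229  10241437+  83  Linux
/dev/hda4      24772230 240107489 107667630    f  Win95 Ext'd (LBA)
/dev/hda5      24772293  35005634   5116671   83  Linux
/dev/hda6      35005698 240107489 102550896   83  Linux
EOF
)

MOUNTS_TABLE=$(cat <<'EOF'
/dev/hda5 / ext3 rw 0 0
/dev/hda1 /boot ext3 rw 0 0
/dev/hda3 /tmp ext3 rw,nosuid,nodev 0 0
EOF
)

# partition_blocks DEVICE: size in 1 KiB blocks, (End - Start + 1) * 512 / 1024,
# which is what fdisk prints in its Blocks column (a trailing "+" there means
# the sector count was odd and the value was rounded down).
partition_blocks() {
    printf '%s\n' "$FDISK_OUTPUT" | awk -v dev="$1" '
        $1 == dev {
            start = $2; end = $3
            if ($2 == "*") { start = $3; end = $4 }   # bootable flag shifts the columns
            printf "%d\n", int((end - start + 1) * 512 / 1024)
        }'
}

# fdisk_blocks_match DEVICE: succeed when the recomputed size equals the Blocks column.
fdisk_blocks_match() {
    reported=$(printf '%s\n' "$FDISK_OUTPUT" | awk -v dev="$1" '
        $1 == dev { b = ($2 == "*") ? $5 : $4; sub(/\+$/, "", b); print b }')
    [ "$(partition_blocks "$1")" = "$reported" ]
}

# is_mounted DEVICE: succeed when DEVICE is the source of a mount.  On a live
# system replace MOUNTS_TABLE with the contents of /proc/mounts.
is_mounted() {
    printf '%s\n' "$MOUNTS_TABLE" | awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }'
}

# safe_fsck DEVICE: run the checker only on an unmounted partition.  Checking a
# file system that is mounted read-write can corrupt it, so refuse with status 2.
# FSCK_CMD is a dry run by default; set FSCK_CMD="e2fsck -p" to act for real.
FSCK_CMD=${FSCK_CMD:-"echo would run: e2fsck -p"}
safe_fsck() {
    if is_mounted "$1"; then
        echo "refusing: $1 is mounted; unmount it (or boot rescue media) first" >&2
        return 2
    fi
    $FSCK_CMD "$1"
}

# Demonstration against the constructed data.
for dev in /dev/hda1 /dev/hda3 /dev/hda6; do
    printf '%s: %s blocks\n' "$dev" "$(partition_blocks "$dev")"
done
safe_fsck /dev/hda5 || echo "exit status $?"
safe_fsck /dev/hda6
```

The mounted check is the part worth keeping in any fsck wrapper: e2fsck itself warns about a mounted file system, but a script that answers its prompts or runs it with -p will not see that warning.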


  • Performance Monitoring
Performance monitoring enables effective machine management and enables data collection to tune performance.


 Monitoring system status.
How to collect point-in-time statistics.
 Monitoring running processes.
How to verify & monitor running processes.

 Monitoring memory utilization.

How to monitor the memory subsystem.
 
 Monitoring CPU usage.
How to monitor CPU usage.

 Monitoring disk usage & performance.

How to monitor disk usage.

 Monitoring network traffic.

How to audit and monitor network traffic.




Monitoring system status.
Analyzing system performance should begin at the highest level and then drill down into the detail. Four system-level tools give a quick picture of overall load.

 Uptime utility.
 Graphical xload utility.
 System Activity Reporter (sar) utility.
 Multiprocessor statistics (mpstat) utility.

The highest-level view is uptime, which prints how long the machine has been up, how many users are logged in, and the load average over the last 1, 5 and 15 minutes (not since boot). On Linux the load average counts processes that are runnable plus those in uninterruptible sleep, usually waiting on disk, so it is not a pure CPU figure; a value that stays above the number of CPUs means work is queueing. Because it covers only the last fifteen minutes it says nothing about earlier peaks, which is what the sar history is for.
 # uptime
   1:58pm up 15 days, 4:03, 6 users, load average: 0.40, 0.52, 0.39


xload draws the same load average as a scrolling histogram, which makes a peak easy to spot while it is happening. Each horizontal line marks one unit of load average (not a percentage of the machine's resources); -scale 10 keeps at least ten such divisions on the graph, -update 1 redraws every second, and the colour options only affect rendering.
 # xload -scale 10 -update 1 -fg darkblue -hl tan


The next step down is the System Activity Reporter, sar. It has many views; the CPU view is -u, and sar -u 5 5 takes five samples five seconds apart and finishes with their average. Four columns are reported: %user, time running user code at normal priority; %nice, time running user code in processes with a positive nice value, that is, lowered priority; %system, time executing in the kernel; and %idle. The columns sum to 100. A sample with %idle near zero and %system well above %user, like the fourth one below, points at kernel work (I/O, interrupts, heavy system call traffic) rather than at application code.

# sar -u 5 5
01:56:12 PM       CPU     %user     %nice   %system     %idle
01:56:17 PM       all      0.20      0.00      2.00     97.80
01:56:22 PM       all      0.00      0.00      2.60     97.40
01:56:27 PM       all     40.40      0.00     17.60     42.00
01:56:38 PM       all     14.82      0.00     85.18      0.00
01:56:43 PM       all     40.24      0.00      6.18     53.59
Average:          all     18.29      0.00     35.11     46.60


mpstat (multiprocessor statistics) reports the same CPU breakdown as sar -u, either aggregated over all processors or for one processor at a time. Without -P it prints the aggregate, which is also the form to use on a single-processor machine; -P n selects CPU n (numbered from 0), and on current versions -P ALL prints every CPU plus the aggregate, the quickest way to see one saturated processor hiding behind a healthy average. Syntax for both forms is noted below. The extra intr/s column is the number of interrupts handled per second, not instructions executed; a jump in it alongside rising %system usually means a busy device (network or disk).

  • Single processor syntax.
# mpstat 5 5
[root@mmclaugh-linux /]# mpstat 5 5
Linux 2.4.9-e.16 (mmclaugh-linux)       08/21/2003

01:55:58 PM  CPU   %user   %nice %system   %idle    intr/s
01:56:03 PM  all    0.00    0.00    0.00  100.00    114.00
01:56:08 PM  all    0.00    0.00    0.00  100.00    114.20
01:56:13 PM  all    0.00    0.00    0.20   99.80    119.80
01:56:18 PM  all    0.00    0.00    0.00  100.00    121.20
01:56:23 PM  all    0.00    0.00    0.00  100.00    158.80
Average:     all    0.00    0.00    0.04   99.96    125.60
  • Per-CPU syntax on a multiprocessor machine.
The -P argument selects the CPU to report. CPUs are numbered from 0 to one less than the number of CPUs.
# mpstat -P 0 5 5
[root@ap611ses /]# mpstat -P 0 5 5
Linux 2.4.9-e.12.2enterprise (ap611ses)         08/21/2003

01:27:43 PM  CPU   %user   %nice %system   %idle    intr/s
01:27:48 PM    0    0.00    0.00    0.00   50.00    209.60
01:27:53 PM    0    0.00    0.00    0.00   50.00    206.20
01:27:58 PM    0    0.00    0.00    0.00   50.00    212.90
01:28:03 PM    0    0.80    0.00    0.70   48.50    404.80
01:28:08 PM    0    0.10    0.00    1.10   48.80    273.10
Average:       0    0.18    0.00    0.36   49.46    261.32



Monitoring running processes.
The ps utility is the comprehensive command-line tool for examining running processes; the GUI gtop utility provides similar views.


 Command-line approach.
 GUI Interface approach.


Command-line investigation of running processes is ultimately where most zombie and long-running processes are identified and resolved. ps is very powerful and its arguments are complex. For example, the ten processes with the most cumulative CPU time can be listed with the syntax below: O-k is the older procps sort syntax (current versions spell it --sort=-time), and head -11 keeps the header line plus ten processes.
# ps -el O-k | head -11
F S   UID   PID  PPID  C PRI  NI ADDR    SZ WCHAN  TTY        TIME CMD
 100 S     0  1145  1144  1  75   0    - 21585 schedu ?        443:35 /etc/X11/X
 000 S   500 11130 11081  2  75   0    -  1921 schedu pts/3     22:49 gtop
 000 S   501  8867     1  0  75   0    - 83345 semop  ?          1:11 ora_qmn0_dr
 000 R   501 11446 31086 13  85  10    -  2674 -      ?          0:10 ripples -ro
 000 S   501  8949  8946  0  76   0    - 82908 schedu ?          0:04 /u02/oracle
 000 S   501 31084     1  0  75   0    -  4849 schedu ?          0:13 nautilus st
 040 S   501  8946  8943  0  75   0    -  4772 schedu ?          0:07 /u02/oracle
 040 S   501  8931  8916  0  80   5    - 15618 schedu pts/5      0:02 [dbsnmp]
 000 S   501  8950  8946  0  76   0    - 45710 schedu ?          0:02 /u02/oracle
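As an added example, not from the original page, the shell functions below do the two things the paragraph above says command-line inspection is for: find zombies (state Z in the S column) and rank processes by cumulative CPU time, from a ps -el listing such as the one just shown. PS_OUTPUT is constructed sample data: the page's rows plus one zombie line added for the demonstration; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page.  PS_OUTPUT is constructed
# sample data: the rows from the page plus one zombie added for the demo.
PS_OUTPUT=$(cat <<'EOF'
F S   UID   PID  PPID  C PRI  NI ADDR    SZ WCHAN  TTY        TIME CMD
100 S     0  1145  1144  1  75   0    - 21585 schedu ?        443:35 /etc/X11/X
000 S   500 11130 11081  2  75   0    -  1921 schedu pts/3     22:49 gtop
000 S   501  8867     1  0  75   0    - 83345 semop  ?          1:11 ora_qmn0_dr
000 R   501 11446 31086 13  85  10    -  2674 -      ?          0:10 ripples -ro
000 Z   501 11502 11130  0  75   0    -     0 do_exi ?          0:00 [helper] <defunct>
000 S   501  8949  8946  0  76   0    - 82908 schedu ?          0:04 /u02/oracle
EOF
)

# awk helper shared by the functions below: seconds from a ps TIME field,
# whose format is [[DD-]HH:]MM:SS.
PS_TIME_FN='
function time_secs(t,    n, a, i, s, days) {
    days = 0
    if (index(t, "-")) { n = split(t, a, "-"); days = a[1]; t = a[2] }
    n = split(t, a, ":")
    s = 0
    for (i = 1; i <= n; i++) s = s * 60 + a[i]
    return days * 86400 + s
}
'

# ps_time_seconds TIME: the conversion exposed for a single value.
ps_time_seconds() {
    awk -v t="$1" "$PS_TIME_FN"'BEGIN { print time_secs(t) }'
}

# ps_zombies < ps -el listing: print "PID PPID CMD" for every state-Z process.
# Exit status 1 when any were found.  A zombie is already dead; what needs
# fixing is the parent (PPID) that has not collected its exit status.
ps_zombies() {
    awk 'BEGIN { found = 0 }
         NR > 1 && $2 == "Z" {
             cmd = $14; for (i = 15; i <= NF; i++) cmd = cmd " " $i
             printf "%s %s %s\n", $4, $5, cmd; found = 1
         }
         END { exit found }'
}

# ps_top_time N < ps -el listing: the N processes with the most cumulative CPU
# time, one "SECONDS PID CMD" line each, largest first (what ps -el O-k | head does).
ps_top_time() {
    awk "$PS_TIME_FN"'NR > 1 {
             cmd = $14; for (i = 15; i <= NF; i++) cmd = cmd " " $i
             printf "%d %s %s\n", time_secs($13), $4, cmd
         }' | sort -rn | head -n "${1:-10}"
}

# Demonstration against the constructed listing.
printf '%s\n' "$PS_OUTPUT" | ps_zombies || echo "zombies present (status $?)"
printf '%s\n' "$PS_OUTPUT" | ps_top_time 3
```

On a live system feed the functions with ps -el directly (ps -el | ps_zombies); the column positions are those of the long format shown on the page, so a different -o layout needs the field numbers adjusted.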

The GUI version of the Linux top utility is gtop. It can be invoked from the console station or from the X-Windows command-line. On the GNOME desktop, start with the Main Menu Button and navigate to Programs, System and System Monitor. Starting it on the X-Windows command-line is done by using the gtop command. Processes are displayed in the default Processes panel. There are two views and three filters that may be applied in gtop. All filters are disabled by default.

  • Processes panel filters.
View only TTY, hide or view idle and/or system processes.
  • Processes panel view.
View all or user processes.

The default view of processes is shown below.




Monitoring memory utilization.
Memory monitoring has many nuances and Linux provides command-line and GUI monitoring tools. The vmstat, free and swapon utilities are command-line only tools. However, the GUI monitoring tool does provide quick insights into how memory is used.


 Command-line approach.

   The vmstat utility.
   The free utility.
   The swapon utility.
 GUI Interface approach.


The vmstat, free and swapon utilities are the comprehensive tools to examine memory.

The vmstat utility samples the virtual memory subsystem and is the quickest way to tell memory pressure from CPU or I/O pressure. The first line of its output is an average since boot and should be ignored; judge the later samples. Key readings:
  1. swpd is the amount of swap currently in use. A non-zero value on its own only says that something was pushed out at some point; it is not, by itself, evidence that the system is swapping now.
  2. si and so are pages swapped in and out per second. If they are non-zero sample after sample (and, on 2.4 kernels, the w column shows processes swapped out), the load is too heavy for the memory; confirm with free and use ps to find the process that has grown.
  3. r is the number of runnable processes and b the number blocked in uninterruptible sleep, usually waiting on disk. An r that stays above the number of CPUs means jobs are queueing for the scheduler; a persistent b points at I/O rather than CPU.
# vmstat 5 5
procs                      memory    swap          io     system         cpu
 r  b  w   swpd   free   buff  cache  si  so    bi    bo   in    cs  us  sy  id
 1  0  0      0  16732 256412 923808   0   0     2     8   22    28   2   1   3
 4  0  0      0  16732 256416 923808   0   0     0    27  130   798   0   4  96
 1  0  0      0  18060 256420 923808   0   0     0    11  134   995   0   6  94
 1  0  0      0  18048 256420 923808   0   0     0    26  128   774   1   4  95
 4  0  0      0  18048 256420 923808   0   0     0    16  134  1087   1   5  94
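As an added example (not from the original page), the following shell function applies the three vmstat readings above to captured vmstat output. It locates the columns by name from the header line, so both the 2.4-era layout with a w column and the current layout with wa and st columns work, and it skips the first sample because that is the average since boot. VMSTAT_CLEAN is the listing shown above; VMSTAT_THRASHING is constructed sample data showing a machine that has run out of memory.

```shell
#!/bin/sh
# Added example, not part of the original page.  VMSTAT_CLEAN is the page's
# own listing; VMSTAT_THRASHING is constructed sample data (modern column layout).

VMSTAT_CLEAN=$(cat <<'EOF'
procs                      memory    swap          io     system         cpu
 r  b  w   swpd   free   buff  cache  si  so    bi    bo   in    cs  us  sy  id
 1  0  0      0  16732 256412 923808   0   0     2     8   22    28   2   1   3
 4  0  0      0  16732 256416 923808   0   0     0    27  130   798   0   4  96
 1  0  0      0  18060 256420 923808   0   0     0    11  134   995   0   6  94
 1  0  0      0  18048 256420 923808   0   0     0    26  128   774   1   4  95
 4  0  0      0  18048 256420 923808   0   0     0    16  134  1087   1   5  94
EOF
)

VMSTAT_THRASHING=$(cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 3  1 512000  12000   4000  30000    5    8    40    60  200  400 10  5 80  5  0
 6  2 530000   8000   3000  25000  900 1200   300   900  800 1500 20 30 10 40  0
 7  3 560000   7000   2500  20000 1100 1400   350  1000  900 1600 25 35  5 35  0
 8  2 590000   6500   2000  18000 1300 1700   400  1200  950 1700 22 38  5 35  0
EOF
)

# vmstat_assess NCPUS < vmstat-output
# Prints one finding per line.  Exit status 1 when the load is beyond the
# machine: si/so non-zero in every sample (continuous swapping) or the run
# queue longer than the CPU count in every sample.
vmstat_assess() {
    awk -v ncpu="${1:-1}" '
        NR == 1 { next }                                    # group header line
        NR == 2 { for (i = 1; i <= NF; i++) col[$i] = i      # column names -> index
                  r_i = col["r"]; b_i = col["b"]; swpd_i = col["swpd"]
                  si_i = col["si"]; so_i = col["so"]; next }
        NR == 3 { next }                                    # first sample: since-boot average
        {
            n++
            if ($si_i + $so_i > 0) swapping++
            if ($r_i > ncpu) contended++
            if ($b_i > 0) blocked++
            if ($swpd_i > 0) swapused = $swpd_i
        }
        END {
            bad = 0
            if (swapused > 0)
                printf "swap in use: %d KiB (harmless unless si/so are also non-zero)\n", swapused
            if (n > 0 && swapping == n) { print "swapping continuously: si/so non-zero in every sample"; bad = 1 }
            else if (swapping > 0) printf "swap activity in %d of %d samples\n", swapping, n
            if (n > 0 && contended == n) { printf "run queue longer than %d CPU(s) in every sample\n", ncpu; bad = 1 }
            else if (contended > 0) printf "run queue longer than %d CPU(s) in %d of %d samples\n", ncpu, contended, n
            if (blocked > 0) printf "processes blocked on I/O in %d of %d samples\n", blocked, n
            exit bad
        }'
}

# Demonstration: the page's sample on a one-CPU machine, then the constructed one on two CPUs.
echo "== page sample, 1 CPU =="
printf '%s\n' "$VMSTAT_CLEAN" | vmstat_assess 1 || echo "status $?"
echo "== constructed thrashing sample, 2 CPUs =="
printf '%s\n' "$VMSTAT_THRASHING" | vmstat_assess 2 || echo "status $?"
```

On a live machine run vmstat 5 5 | vmstat_assess "$(nproc)"; the since-boot line is skipped, so ask for at least three samples.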

The free utility gives a snapshot of memory. The Mem line is physical memory as the kernel sees it, and its used figure includes the page cache and buffers, so it is close to total on any busy machine. The -/+ buffers/cache line subtracts them, and that is the figure that matters: here only about 355 MB of the 1.5 GB is really used by processes. The Swap line shows swap total, used and free.
# free
             total       used       free     shared    buffers     cached
Mem:       1543844    1532740      11104     129692     257892     919884
-/+ buffers/cache:     354964    1188880
Swap:      2040244          0    2040244


The swapon -s command lists each active swap area with its type, size, current use and priority (areas with a higher priority are used first); it reads /proc/swaps.
# swapon -s
Filename                        Type            Size    Used    Priority
/dev/hda2                       partition       2040244 0       -1


The GUI version of the Linux top utility is gtop. It can be invoked from the console station or from the X-Windows command-line. On the GNOME desktop, start with the Main Menu Button and navigate to Programs, System and System Monitor. Starting it on the X-Windows command-line is done by using the gtop command. The default panel for the System Monitor is Processes. Memory can be accessed by clicking on the Memory Usage tab. The View menu option enables the user to toggle between resident, shared, total, virtual and swap views of memory.




Monitoring CPU usage.
The top or gtop utilities provide most of the information needed to manage the load impact of running processes.


 Command-line approach.
 GUI Interface approach.


Command-line investigation of running processes is ultimately where most zombie and long-running processes are identified and resolved. top refreshes its display every five seconds by default (-d sets another interval), with the processes drawing most on the CPU at the top; pressing M sorts by memory instead and k sends a signal to a chosen process. Below is an example of the top utility output.


The GUI version of the Linux top utility is gtop. It can be invoked from the console station or from the X-Windows command-line. On the GNOME desktop, start with the Main Menu Button and navigate to Programs, System and System Monitor. Starting it on the X-Windows command-line is done by using the gtop command.
  • The gtop tool graphs CPU time, using the following colour scheme.
  Color        Activity
  Yellow       User processes (normal priority)
  Light Gray   Niced processes (positive nice value, lowered priority)
  Dark Gray    System (kernel) time, whether on the system's own behalf or for user processes
  Black        Idle CPU
  • The CPU utilization graph is shown on the default gtop Processes panel.



Monitoring disk usage & performance.


 Command-line approach.

   The df utility.
   The du utility.
   The iostat utility.
 GUI Interface approach.


Command-line tools are effective for identifying and probing disk use and access; beyond basic use they require detailed knowledge of the machine's architecture and operating system.

The df (disk free) utility reports the space available on each mounted file system. -k reports in 1 KiB blocks, which scripts can parse; -h scales to K, M and G for reading. A file system at 100% stops every service that needs to write there (a full /var silences logging), so a Use% approaching 100 deserves attention, and df -i shows inode exhaustion, which can make a file system unwritable while it still shows free space.
# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda5             4.8G  174M  4.3G   4% /
/dev/hda1              99M   13M   80M  14% /boot
/dev/hdb1             5.8G   33M  5.4G   1% /home
none                 1006M     0 1005M   0% /dev/shm
/dev/hda3             9.6G  631M  8.5G   7% /tmp
/dev/hdb5              97G   33M   91G   1% /u01
/dev/hda6              96G   19G   73G  20% /u02
/dev/hdb3             3.8G  1.8G  1.9G  48% /usr
/dev/hdb2             3.8G   75M  3.5G   3% /var


The du (disk usage) utility reports the space actually used. Per-file detail is rarely useful, but a per-directory summary is: run from /, the syntax below totals each top-level directory one level deep. -m and -h conflict (the last one given wins, so the original du -mh printed human-readable units); use -h alone, and add -x to stay on one file system when you only want real disk use, since /proc is a virtual file system and the 898M reported for it below is not disk space.
#  du -h --max-depth=1
16k     ./lost+found
8.7M    ./boot
352k    ./dev
368k    ./home
898M    ./proc
599M    ./tmp
24k     ./u01
19G     ./u02
1.8G    ./usr
43M     ./var
8.5M    ./etc
5.9M    ./bin
4.0k    ./initrd
75M     ./lib
8.0k    ./mnt
4.0k    ./opt
41M     ./root
11M     ./sbin
4.0k    ./misc
22G     .


The iostat (input/output statistics) utility drills into I/O performance. Without arguments it prints a CPU summary and one line per block device; -d limits it to devices, and -x adds the extended per-device figures (request sizes, queue length, await, %util) that show whether a disk is saturated. The device names in this old sysstat version are major-minor numbers: dev3-0 is major 3, minor 0, that is /dev/hda. As with vmstat, the first report is an average since boot; give an interval and a count, for example iostat -x 5 3, to see current activity.
# iostat
Linux 2.4.9-e.16 (mmclaugh-linux)       08/15/2003

avg-cpu:  %user   %nice    %sys   %idle
           0.31    0.00    1.49   98.21

Device:        tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
dev3-0        5.82        38.43        47.59     136848     169460
dev3-1        4.04        34.12        25.47     121500      90688



The Red Hat Linux gtop tool is rather limited in analyzing disk performance. The df and du utilities are available in high-level views as shown below. There is no equivalent graphical tool to represent the iostat output.



Monitoring network traffic.


 The ifconfig utility.
 The netstat utility.


The ifconfig utility is the place to start when analyzing network performance. Its RX and TX counters show errors, drops and overruns per interface; a rising count on a busy interface means the link or the driver is losing packets (overruns mean the kernel could not drain the receive ring fast enough). If the numbers are high, use netstat as the next analysis tool. On current distributions ifconfig is deprecated and the same counters come from ip -s link.
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:04:75:C1:1A:46
          inet addr:138.1.145.183  Bcast:138.1.147.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2953365 errors:0 dropped:0 overruns:7 frame:0
          TX packets:493705 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:866676842 (826.5 Mb)  TX bytes:401224184 (382.6 Mb)
          Interrupt:11 Base address:0xa000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:98 errors:0 dropped:0 overruns:0 frame:0
          TX packets:98 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6330 (6.1 Kb)  TX bytes:6330 (6.1 Kb)


  • Start at the raw packet level when analyzing network traffic. netstat -i prints the same per-interface counters as ifconfig in a compact table, as shown below.
# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 4121254      0      0      1  279521      0      0      0 BMRU
lo    16436   0      54      0      0      0      54      0      0      0 LRU

  • netstat without arguments lists the active TCP, UDP and UNIX domain socket connections, but not listening sockets: add -a to include them, -n to skip name lookups, and -p to show the owning process (netstat -tulpn is the usual way to enumerate listening services when hardening a host). If the Send-Q column is non-zero for a connection and repeated samples show it growing, the peer is not acknowledging data as fast as it is written: the network is saturated, the path is lossy, or the remote end has stalled. Note also what the output reveals: the telnet sessions below carry logins in cleartext, something a hardened server should not be offering.
# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      2 mmclaugh-linux.u:telnet dhcp-cosprings1-ge:4351 ESTABLISHED
tcp        0      0 mmclaugh-linux.us:32772 ap113tta.us.oracle:6232 ESTABLISHED
tcp        0      0 mmclaugh-linux.u:telnet ap103ses.us.oracl:37342 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State       I-Node Path
unix  13     [ ]         DGRAM                  1002   /dev/log
unix  2      [ ]         DGRAM                  25992193
unix  3      [ ]         STREAM     CONNECTED   59797  /tmp/orbit-root/orb-3492
unix  3      [ ]         STREAM     CONNECTED   59785
unix  3      [ ]         STREAM     CONNECTED   59796  /tmp/orbit-root/orb-1323
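As an added example (not from the original page), the shell functions below automate the two checks described above for ifconfig and netstat: flag interfaces whose netstat -i error, drop or overrun counters are non-zero, and compare two plain netstat snapshots to find TCP connections whose Send-Q grew. NETSTAT_I and SNAP_T0 are the page's listings; SNAP_T1 is constructed sample data standing in for a second snapshot taken later.

```shell
#!/bin/sh
# Added example, not part of the original page.  NETSTAT_I and SNAP_T0 are
# the page's listings; SNAP_T1 is a constructed "later" snapshot.

NETSTAT_I=$(cat <<'EOF'
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 4121254      0      0      1  279521      0      0      0 BMRU
lo    16436   0      54      0      0      0      54      0      0      0 LRU
EOF
)

SNAP_T0=$(cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      2 mmclaugh-linux.u:telnet dhcp-cosprings1-ge:4351 ESTABLISHED
tcp        0      0 mmclaugh-linux.us:32772 ap113tta.us.oracle:6232 ESTABLISHED
tcp        0      0 mmclaugh-linux.u:telnet ap103ses.us.oracl:37342 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State       I-Node Path
unix  13     [ ]         DGRAM                  1002   /dev/log
EOF
)

SNAP_T1=$(cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0     57 mmclaugh-linux.u:telnet dhcp-cosprings1-ge:4351 ESTABLISHED
tcp        0      0 mmclaugh-linux.us:32772 ap113tta.us.oracle:6232 ESTABLISHED
tcp        0      0 mmclaugh-linux.u:telnet ap103ses.us.oracl:37342 ESTABLISHED
EOF
)

# iface_problems < "netstat -i" output
# Prints "IFACE: COUNTER=VALUE ..." for every interface with a non-zero error,
# drop or overrun counter.  Exit status 1 when any was found.
iface_problems() {
    awk '
        BEGIN { found = 0; nkeys = split("RX-ERR RX-DRP RX-OVR TX-ERR TX-DRP TX-OVR", keys, " ") }
        NR == 1 { next }                                        # "Kernel Interface table"
        NR == 2 { for (i = 1; i <= NF; i++) col[$i] = i; next }  # header -> column index
        {
            bad = ""
            for (k = 1; k <= nkeys; k++) {
                idx = col[keys[k]]
                if ($idx > 0) bad = bad " " keys[k] "=" $idx
            }
            if (bad != "") { printf "%s:%s\n", $1, bad; found = 1 }
        }
        END { exit found }'
}

# sendq_growth SNAPSHOT0 SNAPSHOT1
# Matches the TCP rows of two plain "netstat" snapshots on local and foreign
# address and prints each connection whose Send-Q grew.  Exit status 1 when any grew.
sendq_growth() {
    { printf '%s\n' "$1"; echo '--- second snapshot ---'; printf '%s\n' "$2"; } | awk '
        BEGIN { grew = 0; second = 0 }
        /^--- second snapshot ---$/ { second = 1; next }
        $1 !~ /^tcp/ { next }                                # skip headers and unix sockets
        {
            key = $4 " " $5                                  # Local Address, Foreign Address
            if (!second) sendq0[key] = $3 + 0
            else if ((key in sendq0) && $3 + 0 > sendq0[key]) {
                printf "%s Send-Q %d -> %d\n", key, sendq0[key], $3
                grew = 1
            }
        }
        END { exit grew }'
}

# Demonstration against the sample data.
printf '%s\n' "$NETSTAT_I" | iface_problems || echo "interface counters need attention (status $?)"
sendq_growth "$SNAP_T0" "$SNAP_T1" || echo "Send-Q growing (status $?)"
```

For a live comparison capture two snapshots a few seconds apart with netstat -n (so that both use numeric addresses and the keys match) and pass them to sendq_growth; a connection that appears in only one snapshot is ignored rather than reported.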