RED HAT SERVER HARDENING EXAM PREPARATION

(RH413)

Exam Instructions
Your domain subnet:
domain6.example.com and network is 172.24.0.0/24
Two Virtual Machines are given which belongs to your domain which is domain6.example.com
and the information of that two VMs are following

station1.domain6.example.com and IP Address is 172.24.6.100

station2.domain6.example.com and IP Address is 172.24.6.120

You have following questions to answer.

Question #1
Configure station1.domain6.example.com as centralized IPA server and create the following
users set default UID and GID from 5000 to 18000.

Create the below users defined in the below table:

User Name First Name Last Name UID GID Home Dir
mrahman Mustafijur Rahman 6001 6001 /home/remotehost/mrahman
aislam Ariful Islam 7001 7001 /home/remotehost/aislam
rhat Red Hat 9001 9001 /home/remotehost/rhat

Solution:
>Disable NetwokManager
/etc/init.d/NetworkManager stop
chkconfig NetworkManager off

>Open network configuration file and make some changes

#vim /etc/sysconfig/network-scripts/ifcfg-eth0

##Change with your requirement

BOOTPROTO=”static”
NM_CONTROLLED=”no”
IPADDR= 172.24.6.100
NETMASK=255.255.255.0
GATEWAY=172.24.6.254
DNS1=172.24.6.254
>Change /etc/hosts
vim /etc/hosts

##Change with your requirement

172.24.6.100 station1.domain6.example.com station1

>Restart Network and make auto start

/etc/init.d/network restart
chkconfig network on

>Install IPA server packages

yum install ipa-server

>Install IPA server instance

ipa-server-install --hostname=station1.domain6.example.com -n domain6.example.com -r
DOMAIN6.EXAMPLE.COM -p redhat13 -a redhat13 --idstart=5000 --idmax=18000 -U
OR
ipa-server-install --idstart=5000 --idmax=18000

##Input following values with your requirements

Server host name [station1.domain6.example.com]: Enter
Please confirm the domain name [domain6.example.com]: Enter
Please provide a realm name [DOMAIN6.EXAMPLE.COM]: Enter
Directory Manager password: redhat13
IPA admin password: redhat13
Continue to configure the system with these values? [no]: yes

>Restart ssh service to obtain Kerberos credentials.

/etc/init.d/sshd restart

>Verify IdM instance by verifying Kerberos authentication

kinit admin

>Verifying IPA access

ipa user-find admin
>Add all 3 users in IPA server
#First User
ipa user-add mrahman --first=Mustafijur --last=Rahman --homedir=/home/remotehost/mrahman
--uid=6001 --gidnumber=6001 --password
#Second User
ipa user-add aislam --first=Ariful --last=Islam --homedir=/home/remotehost/aislam --uid=7001
--gidnumber=7001 --password

#Third User
ipa user-add rhat --first=Red --last=Hat --homedir=/home/remotehost/rhat --uid=9001
--gidnumber=9001 --password

Question #2
Configure station2.domain6.example.com as IPA client of station1. So that home directory
automatically mount.

Solution:
>Install IPA client packages
yum -y install ipa-client

>Install IPA Client intance

ipa-client-install --mkhomedir

##Input following values with your requirements

Provide the domain name of your IPA server (ex: example.com): domain6.example.com
Provide your IPA server name (ex: ipa.example.com): station1.domain6.example.com
Proceed with fixed values and no DNS discovery? [no]: yes
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Password for admin@DOMAIN6.EXAMPLE.COM: redhat13

>Login to newly created user on station1 from station2

su - mrahman
su - aislam
su - rhat

Question #3
List all security packages and put the list to /root/rhsa.txt and update all security updates.
Solution:

>First create repo file

vim /etc/yum.repos.d/rhbase.repo

##Add below lines. Make changes with your requirements.

[rhbase]
name=YUM
baseurl=file:///mnt/Server ##Change baseurl with provided url in exam
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Save and exit

>Now clean all yum cache

yum clean all

>Install yum-plugin-security to view updates

yum install yum-plugin-security

>Check for update packages and store the information /root/rhsa.txt

yum updateinfo > /root/rhsa.txt

>Install only security updates

yum update --security

Question #4
Given three rpm from unknown source and install the suitable one.

Solution:
>Check the rpms which are suitable to install.
rpm -qp --scripts /net/instructor/var/ftp/pub/app1.rpm
rpm -qp --scripts /net/instructor/var/ftp/pub/app2.rpm
rpm -qp --scripts /net/instructor/var/ftp/pub/app3.rpm

>After find suitable rpm install the package. Suppose app2.rpm is suitable to install.
rpm -ivh /net/instructor/var/ftp/pub/app2.rpm

Question #5
Import GPG-KEY and verify which key is needed to verify.

Solution:
>Import given GPG-KEY. Suppose you have given a gpg key RPM-GPG-KEY-redhat-GLS in ftp
location.
rpm --import /net/instructor/var/ftp/pub/RPM-GPG-KEY-redhat-GLS

>Suppose you have given a ftp package and asked to verify the package with gpg-key. Now check
with below command.
rpm -vvK ftp://instructor/pub/packages/ftp-0.17-53.el6.x86_64.rpm 2>/dev/null

Question #6
Set default mask, so that zelane user create a file which will get permission as r-- r-- r-- and for
folder it will get permission of r-x r-x r-x

Solution:
>Login to user zelane
su - zelane

>Change .bash_profile for user zelane

vim .bash_profile

##Add below line at the bottom of the file

umask 222
Save and exit

>Run below command to reload .bash_profile setting

source ~/.bash_profile
OR
Logout and login again to user zelane

>Check umask value, this time it should be 222

umask

>Create a file and folder.

touch testfile.txt
mkdir testdir

>Check permissions for newly created file and directory. Is it match the given conditios?
ls -l

Question #7
Create a folder /engineering/data and give permission to musician group as read and write.

Solution:
>Create the directory /engineering/data
mkdir /engineering/data

>Check the partition or disk have acl permission

cat /etc/fstab
OR
tune2fs -l /dev/vda1
Note: Disk name (eg. /dev/vda1) may vary in exam.

>If acl not existing then apply it from /etc/fstab and remount the partition.
Suppose you have given a partition named /engineering, then do the following
Open /etc/fstab

vim /etc/fstab

##Add acl to /engineering

/dev/mapper/vg_server-lv_engineer /engineering ext4 defaults,acl 1 2
Save and exit.

>Remount the /engineering partition

mount -o remount,acl /engineering

>Now set acl on /engineering/data

setfacl -m g:musician:rw /engineering/data

>Check acl on /engineering/data

getfacl /engineering/data
Question #8
Delete a file /root/abc.txt

Solution:
>Check the file attribute of given file
lsattr /root/abc.txt

>If you found that the file is immutable ( i ) then change the file attribute
chattr -i /root/abc.txt

>Now remove the file

rm -rf /root/abc.txt

Question #9
Locate all special permission for /sbin directory and put them in /root/special.txt

Solution:
>Run below command to find all files with special permissions and stored in /root/special.txt
find /sbin -type f -perm /700 > /root/special.txt

Question #10
Configure password policy, so that all new users password expires after 3 days.

Solution:
>Open login.defs
vim /etc/login.defs
##Change as below
PASS_MAX_DAYS 3
Save and exit

Question #11
Configure station1 and station2, so that if any user fails to login 3 times, then that account
become locked for 2 mins.

Solution:
On station1.domain6.example.com
>Open system-auth
vim /etc/pam.d/system-auth

##Add below line

auth required pam_tally2.so deny=3 even_deny_root unlock_time=120
account required pam_tally2.so
Save and exit

> Open password-auth and do the same as system-auth

vim /etc/pam.d/system-auth

##Add below line

auth required pam_tally2.so deny=3 even_deny_root unlock_time=120
account required pam_tally2.so
Save and exit

>Check the applied rule by logging with any user with 3 times worng password
su - student

On station2.domain6.example.com
>Do the same as station1.example.com

Question #12
Configure a group admin so that all the users of that group get 2 mins cpu times when logged in a
session.
Solution:
>Open limits.conf
vim /etc/limits.conf

##Add below line

@admin - cpu 2
Save and exit.

Note: Here we use @ symbol before admin. Because only admin indicates a single user. @admin
indicates a group.

Question #13
Watch /root/413.txt, so that any write and execution can be monitored using 413-change

Solution:
>Open audit.rules
vim /etc/audit/audit.rules

##Add below line at the bottom of the file

-w /root/413.txt -p wx -k 413-change
Save and exit.

>Restart audit service and enable auto startup

/etc/init.d/auditd restart
chkconfig auditd on

>Now modify the file and check the audit log

cat /var/log/audit/audit.log |grep “413-change”
OR
ausearch -k “413-change” |aureport -f -i

Question #14
Configure firewall as per following conditions: (Both station1 and station 2)
i. Allow loopback communication
ii. Reject all source except the following services and from anywhere except
domain6.example.com
1. ssh allow from anywhere.
2. http from station1.
Solution:
On station1.domain6.example.com
>Open iptables
vim /etc/sysconfig/iptables

##Add below rules

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -s 172.24.0.0/24 -j ACCEPT
-A INPUT -j REJECT

>Restart iptables
/etc/init.d/iptables restart

On station2.domain6.example.com
>Open iptables
vim /etc/sysconfig/iptables

##Add below rules

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 172.24.0.0/24 -j ACCEPT
-A INPUT -j REJECT

>Restart iptables
/etc/init.d/iptables restart

Question #15
Configure a application so that when you /sbin/als then parameter it takes input as string and save
any place.
Additional information

/sbin/gls.sh user /usr/abc.dat file which is created fist time login.

Give dbmpr and root user the /usr/abc/dat file for modifying.
Question #16
Create a syslog server, so that it takes log from any remote host and create a rule so that any
message from remote host coming go to /var/log/remote.log

Solution:
>Open rsyslog.conf file
vim /etc/rsyslog.conf

##Uncomment below lines

$ModLoad imudp
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 514
Save and exit.

>Make a rule for incoming remote logs.

vim /etc/rsyslog.d/remote.conf

#Add below lines

:fromhost, !isequal, "127.0.0.1" /var/log/remote.log
:fromhost, !isequal, "127.0.0.1" ~
Save and exit

>Restart rsyslog servie

/etc/init.d/rsyslog restart

>Send some logs from remote host and check you receive logs.
tailf /var/log/remote.log

Question #17
Create a syslog client so that all the message goes to syslog host station1.domain.example.com.

Solution:
>Open rsyslog.conf file
vim /etc/rsyslog.conf

##Find and modify below lines

*.info;mail.none;authpriv.none;cron.none @station1.domain6.example.com
authpriv.* @station1.domain6.example.com
mail.* @station1.domain6.example.com
cron.* @station1.domain6.example.com
*.emerg @station1.domain6.example.com
uucp,news.crit @station1.domain6.example.com
local7.* @station1.domain6.example.com
Save and exit

>Restart rsyslog servie

/etc/init.d/rsyslog restart

>Send test log

logger This is test log

Question #18
Make a new logical volume with the remaining space in the vgsrv volume group, use LUKS to
encrypt it, and make sure it mounts unattended as /home at system boot.

Solution:
> Suppose you have a volume group vgsrv. Check the free space on that vg.
vgs

>Create a lv with available free space. Suppose we have 2GB free space.
lvcreate –L +2G -n lv_crypthome vgsrv

>Create a LUKS encrypted volume.

cryptsetup luksFormat /dev/vgsrv/lv_crypthome

>Open the encrypted volume

cryptsetup luksOpen /dev/vgsrv/lv_crypthome home

>Create an ext4 filesystem.

mkfs.ext4 /dev/mapper/lv_crypthome
>Mount the filesystem to /mnt and copy all data from /home
mount /dev/mapper/lv_crypthome /mnt
cp -pvrf /home/* /mnt

>Create a key file to unlock the encrypted volume.

dd if=/dev/urandom of=/root/luks-key.txt bs=4096 count=1
chmod 600 /root/luks-key.txt

>Apply the key to /dev/vgsrv/lv_crypthome

cryptsetup luksAddKey /dev/vgsrv/lv_crypthome /root/luks-key.txt

>Make sure the encrypted volume is opened automatically at boot time.

vim /etc/crypttab

##Add below line

home /dev/vgsrv/lv_crypthome /root/luks-key.txt
Save and exit.

>Update /etc/fstab entry for newly created encrypted volume.

vim /etc/fstab

##Modify the existing /home partition entry with yours

/dev/mapper/home /home ext4 defaults 1 2

>Reboot your PC to verify.

reboot

Question #19
Configure AIDE to only check /etc/rh413.txt for permission or ownership changes.

Solution:
>Install AIDE
yum install aide

>Open aide.conf
vim /etc/aide.conf
##In the selection line add the below rule
/etc/rh413.txt PERMS
Save and exit.

>Initialize AIDE
aide --init

>Rename the newly created database.

cd /var/lib/aide/
mv aide.db.new.gz aide.db.gz

>Now make some changes on /etc/rh413.txt and check for changes

aide --check

Question #19
Deny root ssh access for both from station1 and station2.

Solution:
>Open sshd_config
vim /etc/ssh/sshd_config

##Find below line and change as below

PermitRootLogin no
Save and exit.
>Restart sshd service
/etc/init.d/sshd restart