CentOS Guide - based on the RHCSA exam objectives

Configure a CentOS installation to run as a hypervisor

Install the below group packages:
yum groupinstall virtualization "virtualization platform" "virtualization client" "virtualization tools"

Next you need to start libvirtd (turn it on by default with chkconfig) and configure your virtual network. I like to create my VM guests using a kickstart file; this is a quick and easy way to automatically install CentOS. The path below is the default location for VM disks. You need to specify qcow2 if you want to take snapshots of your guest VMs. Size is in GB. --location refers to the CentOS installer and -x indicates the location of the kickstart file. Note, I have found in the past that I have had to stop the iptables service running on the host that serves the kickstart file to allow clients to access it. Also, make sure your installer and kickstart files have 755 permissions. An easy way to configure a kickstart file via the GUI is to use system-config-kickstart. If you want your guests to access any external networks such as the Internet, modify /etc/sysctl.conf on the host and set net.ipv4.ip_forward=1

Install a guest using a kickstart file:
virt-install --name server02.nickbeare.com --ram 512 --disk path=/var/lib/libvirt/images/server02.qcow2,format=qcow2,bus=virtio,cache=none,size=8 --location= -x ks=

Some useful KVM commands to control VMs
virt-manager - opens the GUI Virtual Machine Manager to manage VMs.
virsh list --all - list all VMs regardless of state.
virsh list --autostart - list all VMs that have autostart enabled.
virsh list --with-snapshot --all - list all VMs that have snapshots. Leave off --all to show only running VMs.
virsh list --without-snapshot --all - list all VMs that don't have snapshots. Leave off --all to show only running VMs.
virsh start example.nickbeare.com - start a VM.
virsh reboot example.nickbeare.com - gracefully restart a VM.
virsh shutdown example.nickbeare.com - gracefully shutdown a VM.
virsh autostart example.nickbeare.com - set a guest to turn on automatically when the host boots. You can turn this off by adding --disable at the end of the command.
virsh destroy example.nickbeare.com - force a VM to shutdown, like cutting the power to a machine.
virt-top - show the current CPU/memory utilisation of all hosts and their uptime.
virt-clone -o original.nickbeare.com -n new.nickbeare.com -f /var/lib/libvirt/images/new.qcow2 - clones the original VM and creates a new VM with its HD stored in the location indicated in -f. There is also a --auto-clone flag for this command.
virsh pool-list - shows active VM pools.
virsh vol-list --pool pool_name - shows all of the guest virtual hard drives stored in that pool.
virsh undefine example.nickbeare.com - remove a guest from virt-manager.
virsh vol-delete --pool pool_name example.nickbeare.com.img - delete the virtual hard drive.
virsh snapshot-create-as whitehat.example.net base_snapshot - takes a snapshot of a guest and names the snapshot base_snapshot. Note, the VM must be powered down and I have only got snapshots to work on qcow2 format.
virsh snapshot-list gamma.example.net - list all snapshots on a guest.
virsh snapshot-delete gamma.example.net run5 - delete a snapshot. In this example the snapshot is named run5.
virsh snapshot-revert gamma.example.net run5 - revert gamma to a stored snapshot named run5.

Launch a bash session from GRUB

Sometimes you can get stuck in a situation where you are unable to boot your system due to an issue with a configuration file such as /etc/fstab or /boot/grub/grub.conf. You can launch an interactive session by typing 'a' at the GRUB boot menu and adding the below line. Note, this doesn't seem to work if /etc/inittab is set to boot into run level 5.

You will notice that / is mounted, but only as read only. You can mount it as read write by typing:
mount -o remount /

You can also mount other directories such as /boot:
mount /boot

Install a usable desktop

yum groupinstall desktop "desktop platform" "x window system" "fonts"

Searching with find

The below command searches the root directory for a file named inittab (case insensitive). Note you can use regular expressions here for the file name.
find / -type f -iname inittab

The following command searches the /opt directory for a directory named nick.
find /opt -type d -name nick

You can also search for files using locate. Note, you need to run updatedb if you want to index new files. locate is a fast way of finding files.
yum install mlocate
locate /etc/inittab

Setting up VNC

Run the below command to install VNC server. The client is named tigervnc.
yum install tigervnc-server

Edit the below configuration file:

The below config file changes configure 4 VNC sessions for users nick, vnc, root and bob. Note, the arguments relate to the correspondingly numbered VNC connection. The number also relates to the port number, eg nick's connection runs on port 5901 and root's on 5903. VNC runs on port 5900 under the TCP protocol.
VNCSERVERS="1:nick 2:vnc 3:root 4:bob"
VNCSERVERARGS[1]="-geometry 800x600"
VNCSERVERARGS[2]="-geometry 800x600"
VNCSERVERARGS[3]="-geometry 800x600"
VNCSERVERARGS[4]="-geometry 800x600"

Start the VNC service:
service vncserver start

List active VNC server sessions:
vncserver -list

Show help:
vncserver -h

Remember to set the vncpasswd for each individual user who has a session using the vncpasswd command.

You can start a particular vnc session by calling the appropriate session number:
vncserver :1

You can also kill it:
vncserver -kill :1

Minimalist text based browser

yum install elinks
elinks nickbeare.com

Setting the correct date and time

Install ntpdate and ntp:
yum install ntp ntpdate

You can install and use tzselect to select your timezone. Call the program using tzselect and follow the prompts to select the correct timezone.

The next step is to sync your time with an ntp server (make sure ntpd is stopped):
ntpdate pool.ntp.org

Next start your ntpd service and turn it on by default (chkconfig). This will ensure your system continues to keep the correct time.
service ntpd start

Physical Volumes, Volume Groups and Logical Volumes

List physical volumes:

Add a physical volume:
pvcreate /dev/sda1

List volume groups:

Create a volume group:
vgcreate vg_name /dev/sda1

Extend a volume group:
vgextend vg_name /dev/sda2

List all logical volumes:

Create a logical volume named lv_volume1 under vg_name and make it 10Gb in size.
lvcreate -n lv_volume1 -L 10G vg_name

Resize an existing logical volume to 10Gb:
lvresize -L 10G vg_server/lv_home

Extend an existing logical volume by 50Gb:
lvextend -L +50G /dev/vg_server/lv_volume1

Note, after you extend or resize a logical volume you will need to run resize2fs /dev/vg_server/lv_name for the change to take effect.

To rename lvold in volume group vg02 to lvnew:
lvrename /dev/vg02/lvold vg02/lvnew

An alternate syntax to rename this logical volume is:
lvrename vg02 lvold lvnew

Making SWAP space

mkswap /dev/sda3
swapon /dev/sda3
swapon -s

Show the UUID for a drive

blkid /dev/vg_lappy/lv_root

Label an ext filesystem with a name

e2label /dev/sda1 label_name
You can use the label name in /etc/fstab to automatically mount filesystems (just like with UUIDs) eg:
LABEL=label_name /some_dir ext4 rw,acl 0 0


SELinux has 3 modes, listed in /etc/selinux/config. Modifications made here will not take effect until a reboot:
enforcing - SELinux security policy is enforced.
permissive - SELinux prints warnings instead of enforcing.
disabled - No SELinux policy is loaded.

View the current SELinux mode using sestatus. You can turn enforcing mode on and off using setenforce 0 (permissive mode) and setenforce 1 (enforcing mode).

List all SELinux rules:
getsebool -a

Usually you pipe this into grep to find rules you are interested in:
getsebool -a | grep httpd

Turn a rule on. You can use on or off, or 1 or 0 (1=on)
setsebool -P httpd_read_user_content on

You can see all changed SELinux rules in the below file:
cat /etc/selinux/targeted/modules/active/booleans.local
# This file is auto-generated by libsemanage
# Do not edit directly.

List SELinux file labels using -Z (you can also use this for processes), note the user_home_t section:
[root@localhost nick]# ls -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /var/www/html/index.html

Set a label on a file or folder:
chcon -t httpd_sys_content_t /var/www/html/index.html

You can do this recursively on a directory. I like to use the verbose flag -v
chcon -vRt httpd_sys_content_t /var/www/html/

You can reference the SELinux label on another folder/file and apply it to a target:
[root@host ~]# chcon -vR --reference /root/Public test/
changing security context of `test/tes.txt'
changing security context of `test/'

Recover original labels for a folder and its contents:
restorecon -Rv /var/www/
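An added example, not from the original guide, that audits ls -Z output for files under /var/www/html whose type is not httpd_sys_content_t (the user_home_t case shown above). The ls -Z lines are constructed sample output and the function names are my own:

```bash
#!/bin/bash
# Added example, not from the original guide. Audits "ls -Z" output for files
# whose SELinux type is not the one Apache is allowed to serve. The sample
# lines are constructed in the CentOS 6 "ls -Z" layout shown in the guide.

# Print the SELinux type (the third part of user:role:type:level) from one
# "ls -Z" line, e.g. user_home_t.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{print $4}' | cut -d: -f3
}

# Read "ls -Z" lines on stdin and print "path<TAB>type" for every file whose
# type differs from $1. Returns 1 if any such file was found, else 0.
find_mislabelled() {
    local expected="$1" line type path bad=0
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        type=$(selinux_type_of "$line")
        path=$(printf '%s\n' "$line" | awk '{print $NF}')
        if [ "$type" != "$expected" ]; then
            printf '%s\t%s\n' "$path" "$type"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: index.html was copied from a home directory and kept
# user_home_t (the situation shown in the guide); about.html is correct.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /var/www/html/index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html'

# Run the audit over the sample. On a real host:
#   ls -Z /var/www/html | find_mislabelled httpd_sys_content_t
audit_sample() {
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabelled httpd_sys_content_t
}

# Demo: list mislabelled files; the fix from the guide is restorecon -Rv /var/www/
audit_sample || echo "mislabelled files found; run: restorecon -Rv /var/www/"
```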

Note to allow users to ftp to their home directories you need to run:
setsebool -P ftp_home_dir 1

Troubleshooting SELinux

Sometimes things will just not work no matter what you do. To determine whether SELinux is causing your issue you can use a program called setroubleshoot (there is also setroubleshoot-server):
yum install setroubleshoot

After installing setroubleshoot you need to restart the audit daemon
service auditd restart

Now that setroubleshoot is installed, if SELinux blocks anything from now on, detailed logging, including an actual command to fix the problem, will be appended to the /var/log/messages log.

Turning services on by default

Turn httpd on in all run levels:
chkconfig httpd on

Turn httpd on in only run levels 3 and 5:
chkconfig httpd --level 35 on

List all run level startup options for httpd:
chkconfig httpd --list

You can view all of the installed services in /etc/init.d
The services that run at startup for each run level are defined in the /etc/rcX.d directories, where X is the run level. K stands for killing a service and S stands for starting the service. The numbers after the letter indicate the order in which this occurs.

Configuring firewall rules with iptables

system-config-firewall-tui is a simple and effective way to configure iptables. However, learning to write iptables commands is very useful. iptables is a service and can be started via service iptables start; it should be turned on by default via chkconfig. When you add a rule and you want that rule to survive a reboot or service restart, make sure you type service iptables save followed by service iptables restart to confirm that your rule has been saved. To see the active iptables rules as stored in the iptables configuration file, type cat /etc/sysconfig/iptables

The below command allows all hosts to access port 22. Note, the number 1 places the rule at the start of the /etc/sysconfig/iptables rules. The order of iptables rules is important because they are processed in order. There is an implicit deny all statement at the end.
iptables -I INPUT 1 -p tcp -m tcp --dport 22 -j ACCEPT

The following rule allows only a single host to access port 22. Note, if I changed the IP to cover the whole class C network, that whole network would be permitted access.
iptables -I INPUT 1 -s -p tcp -m tcp --dport 22 -j ACCEPT

Run the below command to list the line numbers of corresponding rules. This information is useful when you want to replace or delete rules.
iptables -L --line-numbers

Replace an existing rule. Note the use of the line number, 3 in this example.
iptables -R INPUT 3 -s -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT

Delete a rule. In this example we delete the rule on line 3.
iptables -D INPUT 3

Show well known ports and services

cat /etc/services


ACLs override standard file permissions. You can check whether a file or folder has an ACL by running ls -l: a + symbol appears at the end of the permissions if an ACL is set. To view more information about the ACL, type getfacl file.txt.

The below command grants the user nick rw access over /home/folder, and it gives a group name groupie r access on /home/folder:
setfacl -m u:nick:rw,g:groupie:r /home/folder

The -b flag removes an entire acl from a folder/file:
setfacl -b /home/folder

Remove just an individual reference within an acl:
setfacl -x u:bob virsh.txt

Set the default ACL on a folder with the d flag. All newly created direct children (one level down) will have the same ACL. Existing children are not affected:
setfacl -m d:u:user1:rw /home/folder

Remove a default acl:
setfacl -k /home/folder

User administration

The below commands handle the bulk of user administration, eg creating users and groups, setting password expiry dates etc. The man pages for these commands are essential.

useradd - create a user. Important related files include /etc/passwd and /etc/shadow. Noteworthy flags include:
-s - sets the user's shell. Eg if you don't want them to have an interactive login: useradd -s /bin/false username or -s /bin/nologin
-G - add the user to secondary groups eg useradd -G group1,group2 username
-b -m - used to specify an alternative home base directory and create it eg useradd -b /opt -m username

usermod - change a user. Noteworthy flags:
-e - set the expiry date for a user account eg usermod -e YYYY-MM-DD username
-u - change the user's UID eg usermod -u 3000 username

Adding groups. Refer to the man page for groupadd for more info. The /etc/group file is quite useful for viewing group membership. This file can be manually edited to add users to groups. The commands id username and groups username will both show what groups a user is a member of.

You can set and view password information using chage.
chage -l username - lists password information relating to a user account.
chage -d 0 username - force a user to change their password at login.
chage -M 30 -m 2 username - sets passwords to expire after 30 days and prevents users from changing their password more than once every 2 days.

Locking and unlocking accounts. You can tell an account is locked by looking at the /etc/shadow file. If the encrypted password, which begins after the username, begins with a ! then the account is locked. A !! means no password is set. A user with a locked account will not be able to log in.

Lock an account:
usermod -L username

Unlock an account:
usermod -U username
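An added example, not from the original guide, that applies the /etc/shadow rule above (a leading ! means locked, !! means no password set) to classify accounts, which is a quick audit to run after locking or creating users. The shadow entries are constructed samples and the function names are my own:

```bash
#!/bin/bash
# Added example, not from the original guide. Classifies /etc/shadow entries
# by the password field using the rule in the guide ("!" prefix = locked,
# "!!" = no password set). The sample entries are constructed.

# Print the state of one shadow entry: locked, nopassword, disabled, empty or normal.
# "disabled" is a "*" field (no valid password, usual for system accounts) and
# "empty" an empty field, which lets anyone log in without a password.
shadow_state() {
    local pw
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '!!') echo nopassword ;;
        '!'*) echo locked ;;
        '*')  echo disabled ;;
        '')   echo empty ;;
        *)    echo normal ;;
    esac
}

# Read shadow-format lines on stdin and print "user state" for each.
shadow_report() {
    local line user
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        user=$(printf '%s\n' "$line" | cut -d: -f1)
        printf '%s %s\n' "$user" "$(shadow_state "$line")"
    done
}

# Constructed sample (the hash fields are placeholders, not real hashes).
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:16000:0:99999:7:::
bob:!$6$saltsalt$hashhashhash:16000:0:99999:7:::
alice:!!:16000:0:99999:7:::
daemon:*:15000:0:99999:7:::
legacy::16000:0:99999:7:::'

# Report over the sample; on a real host run (as root): shadow_report < /etc/shadow
report_sample() {
    printf '%s\n' "$SAMPLE_SHADOW" | shadow_report
}

report_sample
```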


Hard links are persistent and refer to the inode. This means that they will still work even if the target file is moved or deleted. Soft links refer to the target file by path and will break if that file is moved or deleted.

Hard link:
ln folder/target hardlink_file
Soft link:
ln -s folder/target softlink_file

yum and rpm

Installing packages with yum will resolve software dependencies and download the files from your repository:
yum install firefox

You can also download the installer locally and then install. Dependencies are still resolved.
yumdownloader firefox
yum localinstall firefox-17.0.10-1.el6.centos.x86_64.rpm

You can also install packages with rpm, but dependencies will not be resolved.
rpm -ivh firefox-17.0.10-1.el6.centos.x86_64.rpm

Removing packages with yum
yum erase firefox

Removing packages with rpm
rpm -e firefox

List all installed software with rpm
rpm -qa | sort | more

Search for a particular piece of installed software.
rpm -qa | grep firefox

Adding a software repository

A repository is where yum will look to download packages. To add your own repository you need to add a .repo file to /etc/yum.repos.d/. I have included a sample file below. Note, if your repository is offered via http or ftp your base url would be baseurl=http://repo.com or baseurl=ftp://repo.com respectively. Note, after adding a repository you should run yum clean all. To list your current repo files type yum repolist


Archiving and compression

The below tar command uses gzip compression and archives the entire folder named Documents and its contents.
tar -zcvf archive.tar.gz Documents/

The following command archives and compresses two files into a single file using bzip2 compression.
tar -jcvf archive.tar.bz2 file1.txt file2.txt

View the contents of a compressed archive. Also works with uncompressed archives.
tar -tvf archive.tar.bz2

Decompressing bzip and gzip files:
bunzip2 file.tar.bz2
gunzip file.tar.gz

Tar can store acls, selinux and extended attributes.
tar --selinux --xattrs --acls -zcvf archive.tar.gz myfolder/

Decompress using tar (the -x flag).
tar -zxvf archive.tar.gz
tar -jxvf archive.tar.bz2

You can also use the popular Windows zip compression.
yum install zip

Adding multiple files to a zip file.
[nick@localhost new]$ zip newzip.zip win.txt win2.txt
adding: win.txt (stored 0%)
adding: win2.txt (stored 0%)

Add a folder and its children to a zip file.
[nick@localhost new]$ zip -r zippedfile.zip papers/
adding: papers/ (stored 0%)
adding: papers/new3.txt (stored 0%)
adding: papers/new.txt (stored 0%)
adding: papers/new2.txt (stored 0%)

Uncompress a zip file.
unzip zippedfile.zip

Network configuration

When setting a static IP make sure you turn off the NetworkManager service:
service NetworkManager stop
chkconfig NetworkManager off

Modify your network card settings for eth0 etc in /etc/sysconfig/network-scripts/ifcfg-eth0

Edit /etc/sysconfig/network Make sure networking is turned on. You put your default gateway and hostname here.

Enter your DNS servers in /etc/resolv.conf

Once you have completed your configuration you can bounce the interface:
ifdown eth0; ifup eth0
OR, restart the network service which restarts all network interfaces:
service network restart

You can enter name resolution in your hosts file and set it to be used before DNS. To add a host, append a line like the below to /etc/hosts:
whitehat white.example.net

Make sure /etc/nsswitch.conf is configured to check the hosts file before the DNS nameserver for name resolution. The below line is configured by default in /etc/nsswitch.conf: files comes before dns (files indicates /etc/hosts, dns refers to the nameservers in /etc/resolv.conf).
hosts: files dns

Updating the kernel

Updating your kernel using RPM. Note that there is a kernel-firmware dependency. Make sure that you do not use the -U flag (upgrade): it will REPLACE your current kernel! You will want to keep the old kernel in case the new one doesn't work as expected.
rpm -ivh kernel-firmware-2.6.32-220.17.1.el6.noarch.rpm

You can also install the new kernel, whilst keeping your old one, using yum. Remember to set the default kernel accordingly in /boot/grub/grub.conf. You can check whether there is a newer kernel version using yum info kernel
yum install kernel

Change the default run level

Edit /etc/inittab. The below line will set the computer to start in run level 3 by default.

Editing the GRUB configuration file

This file is located at /boot/grub/grub.conf
The default flag indicates which kernel will be loaded by default. Each title section indicates a kernel, so default=0 will start the first title (kernel) in the list, default=1 would start the second title in the list and so on.

When the computer boots users can modify GRUB arguments by hitting the a or e key at the GRUB boot menu. You can prevent users from making amendments by setting a password. Enter password=some_password at the beginning of your grub file near default, timeout etc. The timeout flag refers to how many seconds will pass before the default kernel is loaded.

You can also set a password on a particular kernel so that users will need to enter the correct password to start that kernel. Just add password=some_password underneath the title flag for the particular kernel you want to lock down.

Resetting the root password

At the GRUB boot menu select your desired kernel and hit the a key. Scroll to the end of the kernel argument and hit space and enter either 1 or single
You will now have root access to the machine and can reset the root password.

Ctrl + Alt + Del

By default ctrl+alt+del restarts the computer, which is dangerous on servers. To disable this edit the /etc/init/control-alt-delete.conf file and add # to comment out the shutdown command. You should create a file named control-alt-delete.override in the same directory if you want to override the settings in this file, for example if you want to set ctrl+alt+del to restart the computer instead.


Mount an ISO
mount -o loop /home/nick_beare/Downloads/CentOS-6.5-x86_64-bin-DVD1.iso /mnt/DVD

Mount an NFS share. Note, -o nfsvers=3 specifies the nfs version to use.
mount -t nfs -o nfsvers=3 123.456.123.123:/opt/source /mnt/my_destination

Mount a CIFS share
mount -t cifs -o username=USERNAME,password=PASSWD,domain=DOMAIN // /mnt/my_destination

Mounting an ext4 filesystem
mount -t ext4 /dev/sda1 /mnt/my_destination

The mount command shows all currently mounted drives.
mount -a will attempt to mount all drives listed in /etc/fstab, the file where drives to be mounted at startup are defined. Lines in /etc/fstab use a particular format. An easy way to add a currently mounted drive into /etc/fstab is to consult /etc/mtab This file lists all currently mounted drives in the /etc/fstab format. I like to use variations of the below command to add lines to /etc/fstab:
cat /etc/mtab | grep /dev/sda5 >> /etc/fstab
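An added example, not from the original guide, that does what the command above does but only appends the /etc/mtab line when /etc/fstab has no entry for that device yet, so a second run cannot leave a duplicate line. It runs against constructed mtab and fstab files in a temp directory, not the real ones; the function names are my own:

```bash
#!/bin/bash
# Added example, not from the original guide. Copies the /etc/mtab line for a
# mounted device into /etc/fstab, but only if fstab has no entry for that
# device yet, so running it twice does not produce duplicate lines. The demo
# uses constructed mtab/fstab files in a temp directory, not the real ones.

# add_fstab_entry DEVICE MTAB_FILE FSTAB_FILE
# Returns 0 if a line was appended, 1 if fstab already lists the device,
# 2 if the device is not in mtab (i.e. not currently mounted).
add_fstab_entry() {
    local dev="$1" mtab="$2" fstab="$3" line
    if grep -q "^$dev[[:space:]]" "$fstab"; then
        return 1
    fi
    line=$(grep "^$dev[[:space:]]" "$mtab") || return 2
    printf '%s\n' "$line" >> "$fstab"
    return 0
}

# Number of fstab lines for a device (0 when absent).
fstab_count() {
    grep -c "^$1[[:space:]]" "$2" || true
}

# Build constructed sample files; prints the temp directory path.
make_sample() {
    local d
    d=$(mktemp -d)
    cat > "$d/mtab" <<'EOF'
/dev/mapper/vg_lappy-lv_root / ext4 rw 0 0
/dev/sda5 /data ext4 rw,acl 0 0
proc /proc proc rw 0 0
EOF
    cat > "$d/fstab" <<'EOF'
/dev/mapper/vg_lappy-lv_root / ext4 defaults 1 1
EOF
    printf '%s' "$d"
}

# Demo: add /dev/sda5 once, try again, show the result.
demo() {
    local d
    d=$(make_sample)
    add_fstab_entry /dev/sda5 "$d/mtab" "$d/fstab" && echo "added /dev/sda5"
    add_fstab_entry /dev/sda5 "$d/mtab" "$d/fstab" || echo "second run: already present (rc=$?)"
    cat "$d/fstab"
    rm -rf "$d"
}

demo
```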

Creating partitions with fdisk

fdisk -l - lists all disks
fdisk /dev/sda - replace sda with the relevant drive. This will allow you to access the below options in fdisk.
p - shows the partition table of the selected drive.
n - create a new partition
p or e - you can have up to 4 primary (p) partitions. Extended (e) partitions allow you to create logical partitions starting from sda5.
Enter the partition number
Select the first cylinder
Enter the size of the partition eg +400M
l - select the partition type from the available menu eg 83 for Linux (ext).
Type p to confirm your intended changes followed by w to write them to disk.
When you return to the command line type partprobe /dev/sdx. Sometimes you may have to unmount other partitions on the drive to allow the partition table to be read.

Making filesystems

Once you have a partition you need to write a filesystem to it to make it mountable. Physical and logical partitions aren't treated any differently when writing filesystems to them. Type the below command to write an ext4 filesystem. Note mkfs allows you to write other filesystems such as vfat.
mkfs.ext4 /dev/sda1

You can check the consistency of your file systems with e2fsck /dev/sda. Note, do NOT run this on a mounted filesystem!

Listing and killing processes

ps -aux shows all current processes belonging to all users. Nice one to use with grep eg ps -aux | grep process_name
pgrep firefox shows all processes with firefox in their name.
pkill firefox kills all processes with firefox in their name.
kill -9 6892 kills process 6892 forcibly. Leave off the -9 to kill the process politely (SIGTERM, signal 15).

Process nice levels

Nice levels refer to the priority that is given to processes. Priority refers to dedication of the CPU to a particular process. The default nice levels for processes is 0. -20 is the highest priority and positive 19 is the lowest. In the below example I start a process with a nice level of -20 and then renice it to 19. The -elf switches confirm the current nice level of the process.

[root@host ~]# nice -n -20 firefox
[1] 7588

[root@host ~]# ps -elf | grep firefox
4 S root 7588 2410 7 60 -20 - 184452 poll_s 07:15 pts/0 00:00:00 /usr/lib64/firefox/firefox

[root@host ~]# renice -n 19 7588
7588: old priority -20, new priority 19

[root@host ~]# ps -elf | grep firefox
4 S root 7588 2410 12 99 19 - 194986 poll_s 07:15 pts/0 00:01:04 /usr/lib64/firefox/firefox


The top command shows how hard the system is working. You can see CPU and memory utilisation for particular processes. You can sort on these headings by moving across with the less than and greater than keys. You can also view memory utilisation with the free -m command. Within top, in the CPU row at the beginning of the output, there is an attribute called wa. This refers to the wait time of the CPU, as in the CPU is waiting for things to be written to disk. High disk I/O will lead to high wait time for the CPU. To check I/O you need to yum install iotop. Run the program by typing iotop. iotop will show the I/O of individual commands and who is running them.


crond is the cron daemon. You can copy scripts directly into the /etc/cron.hourly daily, weekly and monthly folders and have them run on that schedule. Begin your scripts with #!/bin/bash if you write in bash. The #! stands for hash bang. Make sure you also reference commands in your scripts with their full path, eg cp would be /bin/cp. You can confirm the full location of commands by running whereis enter_command_here.

You can also add cron jobs directly to /etc/crontab. The file has nice help information within it as listed below. Note when using /etc/crontab you need to specify a username for the task to run as.
.---------------- minute (0 - 59)
| .------------- hour (0 - 23)
| | .---------- day of month (1 - 31)
| | | .------- month (1 - 12) OR jan,feb,mar,apr ...
| | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
| | | | |
* * * * * user-name command to be executed

Users can also have their own personal crontab files. In the below example root creates (-e, also used for editing crontab files), lists (-l) and then deletes (-r) a crontab file for user bob. Note, bob could perform the same tasks with his own crontab file; the '-u bob' part would just need to be left off. User crontab files are stored in /var/spool/cron
[root@host ~]# crontab -u bob -e
[root@host ~]# crontab -u bob -l
* * * * * echo "bob"
[root@host ~]# crontab -u bob -r

Encrypting drives with LUKS

Encrypt a drive or partition using:
cryptsetup luksFormat /dev/sda3

Type yes in UPPERCASE letters to confirm the encryption. This process wipes everything on the disk.
Enter your LUKS passphrase. You will use this to access the encrypted drive so don't forget it!

Unencrypt the drive:
cryptsetup luksOpen /dev/sda3 your_name

Enter your pass phrase. Note, the name that you specified above will now appear in /dev/mapper/ This is what you refer to when making your file system on the unencrypted drive and mounting it.

Make a filesystem on the unencrypted drive and mount it.
mkfs.ext4 /dev/mapper/your_name
mount /dev/mapper/your_name /mnt/encrypted

To mount the encrypted drive automatically at startup you need to make a reference to /dev/mapper/your_name in the /etc/fstab file as you would with any other drive. However, you also need to edit /etc/crypttab to unencrypt the drive at startup. The file is blank and you need to add your_name /dev/sda3 none. The your_name is the name you specified when using luksFormat, then it's the device name, none refers to not using a key for the password (you will need to type it in manually at startup).

Instead of entering a passphrase at boot to unlock your luks encrypted volume, you can do this automatically using a key. First create the key.
dd if=/dev/random of=/root/luks.key bs=32 count=1
Associate the key with the luks encrypted volume:
cryptsetup luksAddKey /dev/sda3 /root/luks.key
Edit the /etc/crypttab file to load the volume using the key at startup:
echo "your_name /dev/sda3 /root/luks.key" > /etc/crypttab

Redirecting standard error and standard output

Redirect standard error to a file
[nick@localhost input]$ ls bob
ls: cannot access bob: No such file or directory
[nick@localhost input]$ ls bob 2> newfile.txt
[nick@localhost input]$ cat newfile.txt
ls: cannot access bob: No such file or directory

Redirect standard error and standard output to a file
ls bob > output2.txt 2>&1

LDAP authentication

You can enter LDAP authentication details by running authconfig-tui. Tick the 'Use LDAP' and 'Use LDAP Authentication' checkboxes and then enter your server name (can be an IP address) and Distinguished Name (DN). You can check the TLS box to use Transport Layer Security, this can require a certificate. You need to install nss-pam-ldapd and openldap to use LDAP authentication. Changes that you make using this tool will appear in the LDAP configuration file /etc/openldap/ldap.conf.

SUID, SGID, and Sticky Bits

SUID is a permission that is set on files; it has no effect on folders. It allows users to execute a binary file with the same permissions as the file's owner (including root). Examples of files with SUID set include the passwd, ping and crontab binaries. You can set the SUID using chmod.

The numerical way, SUID equals 4:
chmod 4755 file.txt

The symbolic way, SUID is s in the executable bit location. If the executable bit is off then SUID is a capital S.
chmod u+s file.txt

SGID can be used to make collaborative folders. It can also be used on files to have a similar effect as a SUID, but with group permissions. When set on folders, all files created under the folder will have the same group permissions as the parent folder, no matter which user creates the files. This allows multiple users to share a folder and access each others documents. You can set the SGID using chmod.

The numerical way, SGID equals 2:
chmod 2755 /home/shared

The symbolic way, note when the executable bit is not set SGID is displayed as a capital S just like the SUID:
chmod g+s /home/shared

Sticky bits
Sticky bits are mainly set on directories. If the sticky bit is set for a directory, only the owner of that directory or the owner of a file can delete or rename a file within that directory. This prevents users from deleting each other's files. It can be used in conjunction with SGID for a combined effect. You can set the sticky bit using chmod.

The numerical way, the sticky bit equals one.
chmod 1755 /home/shared

The symbolic way, the sticky bit is represented as a t, when the executable bit is not set it is T:
chmod +t /home/shared
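An added example, not from the original guide, that renders a numeric mode such as 4755 in the symbolic form ls shows, applying the s/S and t/T rules described above for SUID, SGID and the sticky bit, and lists SUID files with find -perm -4000, the check worth running against a known-good list on any server. The temp files it creates are constructed for the demo and the function names are my own:

```bash
#!/bin/bash
# Added example, not from the original guide. Renders a numeric chmod mode
# the way ls -l shows it (including s/S and t/T) and lists SUID files.

# rwx string for one octal digit 0-7.
triple() {
    local d="$1" out=""
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s' "$out"
}

# Put a special-bit letter ($2: s or t) in the execute slot of triple $1:
# lower-case when the execute bit is set, upper-case when it is not.
special() {
    local t="$1" letter="$2"
    case "$t" in
        *x) printf '%s%s' "${t%x}" "$letter" ;;
        *)  printf '%s%s' "${t%?}" "$(printf '%s' "$letter" | tr 'a-z' 'A-Z')" ;;
    esac
}

# mode_to_symbolic 4755 -> rwsr-xr-x ; 1754 -> rwxr-xr-T ; 755 -> rwxr-xr-x
mode_to_symbolic() {
    local m="$1" sp u g o
    while [ ${#m} -lt 4 ]; do m="0$m"; done   # treat 755 as 0755
    sp=${m%???}                                # special digit: 4=SUID 2=SGID 1=sticky
    m=${m#?}                                   # the three rwx digits
    u=$(triple "${m%??}")
    g=$(triple "$(printf '%s' "$m" | cut -c2)")
    o=$(triple "${m#??}")
    if [ $((sp & 4)) -ne 0 ]; then u=$(special "$u" s); fi
    if [ $((sp & 2)) -ne 0 ]; then g=$(special "$g" s); fi
    if [ $((sp & 1)) -ne 0 ]; then o=$(special "$o" t); fi
    printf '%s%s%s' "$u" "$g" "$o"
}

# List regular files with SUID set under $1. On a real host the check to run
# (and compare against a known-good baseline) is: find / -type f -perm -4000
find_suid() {
    find "$1" -type f -perm -4000
}

# Demo on constructed files in a temp directory: one SUID, one plain.
demo_suid() {
    local d
    d=$(mktemp -d)
    : > "$d/suid_bin"
    : > "$d/plain_bin"
    chmod 4755 "$d/suid_bin"
    chmod 0755 "$d/plain_bin"
    find_suid "$d"
    rm -rf "$d"
}

for m in 4755 4644 2755 1755 1754; do
    printf '%s -> %s\n' "$m" "$(mode_to_symbolic "$m")"
done
demo_suid
```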


System logs are located in /var/log such as the cron (cron jobs are logged here), secure (includes failed and successful SSH logons), and boot logs (most recent startup log). Most things are located in the /var/log/messages log.