Saturday, September 10, 2011

Bash Vim Shortcuts For Maximum Productivity

SkyHi @ Saturday, September 10, 2011
It may or may not surprise you to know that the bash shell has a very rich array of convenient shortcuts that can make your life, working with the command line, a whole lot easier. This ability to edit the command line using shortcuts is provided by the GNU Readline library. This library is used by many other *nix application besides bash, so learning some of these shortcuts will not only allow you to zip around bash commands with absurd ease :), but can also make you more proficient in using a variety of other *nix applications that use Readline. I don’t want to get into Readline too deeply so I’ll just mention one more thing. By default Readline uses emacs key bindings, although it can be configured to use the vi editing mode, I however prefer to learn the default behavior of most applications (I find it makes my life easier not having to constantly customize stuff). If you’re familiar with emacs then many of these shortcuts will not be new to you, so these are mostly for the rest of us :).

Command Editing Shortcuts

  • Ctrl + a – go to the start of the command line
  • Ctrl + e – go to the end of the command line
  • Ctrl + k – delete from cursor to the end of the command line
  • Ctrl + u – delete from cursor to the start of the command line
  • Ctrl + w – delete from cursor to start of word (i.e. delete backwards one word)
  • Ctrl + y – paste word or text that was cut using one of the deletion shortcuts (such as the one above) after the cursor
  • Ctrl + xx – move between start of command line and current cursor position (and back again)
  • Alt + b – move backward one word (or go to start of word the cursor is currently on)
  • Alt + f – move forward one word (or go to end of word the cursor is currently on)
  • Alt + d – delete to end of word starting at cursor (whole word if cursor is at the beginning of word)
  • Alt + c – capitalize to end of word starting at cursor (whole word if cursor is at the beginning of word)
  • Alt + u – make uppercase from cursor to end of word
  • Alt + l – make lowercase from cursor to end of word
  • Alt + t – swap current word with previous
  • Ctrl + f – move forward one character
  • Ctrl + b – move backward one character
  • Ctrl + d – delete character under the cursor
  • Ctrl + h – delete character before the cursor
  • Ctrl + t – swap character under cursor with the previous one

Command Recall Shortcuts

  • Ctrl + r – search the history backwards
  • Ctrl + g – escape from history searching mode
  • Ctrl + p – previous command in history (i.e. walk back through the command history)
  • Ctrl + n – next command in history (i.e. walk forward through the command history)
  • Alt + . – use the last word of the previous command

Command Control Shortcuts

  • Ctrl + l – clear the screen
  • Ctrl + s – stops the output to the screen (for long running verbose command)
  • Ctrl + q – allow output to the screen (if previously stopped using command above)
  • Ctrl + c – terminate the command
  • Ctrl + z – suspend/stop the command

Bash Bang (!) Commands

Bash also has some handy features that use the ! (bang) to allow you to do some funky stuff with bash commands.
  • !! - run last command
  • !blah – run the most recent command that starts with ‘blah’ (e.g. !ls)
  • !blah:p – print out the command that !blah would run (also adds it as the latest command in the command history)
  • !$ – the last word of the previous command (same as Alt + .)
  • !$:p – print out the word that !$ would substitute
  • !* – the previous command except for the last word (e.g. if you type ‘find some_file.txt /‘, then !* would give you ‘find some_file.txt‘)
  • !*:p – print out what !* would substitute
There is one more handy thing you can do. This involves using the ^^ ‘command’. If you type a command and run it, you can re-run the same command but substitute a piece of text for another piece of text using ^^ e.g.:
$ ls -al
total 12
drwxrwxrwx+ 3 Administrator None    0 Jul 21 23:38 .
drwxrwxrwx+ 3 Administrator None    0 Jul 21 23:34 ..
-rwxr-xr-x  1 Administrator None 1150 Jul 21 23:34 .bash_profile
-rwxr-xr-x  1 Administrator None 3116 Jul 21 23:34 .bashrc
drwxr-xr-x+ 4 Administrator None    0 Jul 21 23:39 .gem
-rwxr-xr-x  1 Administrator None 1461 Jul 21 23:34 .inputrc
$ ^-al^-lash
ls -lash
total 12K
   0 drwxrwxrwx+ 3 Administrator None    0 Jul 21 23:38 .
   0 drwxrwxrwx+ 3 Administrator None    0 Jul 21 23:34 ..
4.0K -rwxr-xr-x  1 Administrator None 1.2K Jul 21 23:34 .bash_profile
4.0K -rwxr-xr-x  1 Administrator None 3.1K Jul 21 23:34 .bashrc
   0 drwxr-xr-x+ 4 Administrator None    0 Jul 21 23:39 .gem
4.0K -rwxr-xr-x  1 Administrator None 1.5K Jul 21 23:34 .inputrc
Here, the command was the ^-al^-lash which replaced the –al with –lash in our previous ls command and re-ran the command again.
There is lots, lots more that you can do when it comes to using shortcuts with bash. But, the shortcuts above will get you 90% of the way towards maximum bash productivity. If you think that I have missed out on an essential bash shortcut that you can’t live without (I am sure I have), then please let me know and I’ll update the post. As usual, feel free to subscribe to my feed for more tips and opinions on all things software development.

REFERENCES
http://www.skorks.com/2009/09/bash-shortcuts-for-maximum-productivity/

Migration Planning Guide RHEL 6

SkyHi @ Saturday, September 10, 2011
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Migration_Planning_Guide/index.html

RHEL6 and SElinux

SkyHi @ Saturday, September 10, 2011
One of the most important packages to run successfully RHEL6 and SElinux is the setroubleshoot package. It includes useful tools like the setroubleshoot daemon and utils like sealert, sestatus…..
So lets see whats the sestatus of my system:

[root@rhel1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
Ok so assuming i want to set up an ftp server. I know my configuration is correct. Permissions on the directories are set etc… But ftp still do not let me write to the directory.  So i need to have a tool which shows me the audit.log of selinux. This can be done with sealert.

If you only have a console available and no X-Window System you can use the command
#sealert -a /var/log/audit/audit.log > myselinuxerrors.txt
or if you have gui

#sealert -b
Mostly you will find hints like
To let anonymous users write to a ftp directory set allow_ftpd_anon_write to 1
to do this just set
#setsebool -P allow_ftpd_anon_write=1

REFERENCES
http://www.salsaunited.net/blog/?p=48

RHEL6 SELinux cheat sheet

SkyHi @ Saturday, September 10, 2011
Lot of admin turn SELinux off because it looks complicated. Here is a cheat sheet to make your life easier
Two important documentations about Selinux can be found here:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/index.html
—————————————————————————–
If you work on Centos or Redhat, install the following packages on your system:
setroubleshoot.noarch : Helps troubleshoot SELinux problems
setroubleshoot-plugins.noarch : Analysis plugins for use with setroubleshoot
setroubleshoot-server.noarch : SELinux troubleshoot server


[root@client1 ~]# yum install setroubleshoot
Start the setroubleshootd daemon:


[root@client1 ~]#setroubleshootd
—————————————————————————–
Get the status of selinux:
[root@client1 ~]#sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Check for permissive or enforcing mode: 


[root@client1 ~]#getenforce
If you get back a 1 selinux is turned on if you get back a 0 its turned off.
Switch selinux modes from permissive to enforcing and back: 


[root@client1 ~]#setenforce 1 (will set enforcing mode)


[root@client1 ~]#setenforce 0 (will set permissive mode)
—————————————————————————–
Selinux AVC Log files:
All selinux logs can be found in /var/log/audit/audit.log
SELinux logfiles looks very crytpy without the tool sealert. Here an extract of the log without and with the command sealert:


[root@client1 ~]#less /var/log/audit/audit.log
type=DAEMON_START msg=audit(1304542876.396:4843): auditd start, ver=1.7.18 format=raw kernel=2.6.18-238.el5 auid=4294967295 pid=2553 subj=system_u:system_r:auditd_t:s0 res=success
type=CONFIG_CHANGE msg=audit(1304542876.570:4): audit_enabled=1 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1


[root@client1 ~]# sealert -a /var/log/audit/audit.log | less
found 1 alerts in /var/log/audit/audit.log
——————————————————————————–
Summary:
SELinux is preventing nagios (nagios_t) “getattr” to /var/nagios/objects.cache
(var_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux denied access requested by nagios. It is not expected that this access
is required by nagios and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/nagios/objects.cache,
restorecon -v ‘/var/nagios/objects.cache’
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access – see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
—————————————————————————–
SELinux bool variables:
Each service has its own ruleset. The Selinux bools can be found with the command getsebool
Here and example for the httpd service


[root@client1 ~]# getsebool -a | grep httpd
allow_httpd_anon_write –> off
allow_httpd_sys_script_anon_write –> off
httpd_builtin_scripting –> on
httpd_can_network_connect –> off
httpd_can_network_connect_db –> off
httpd_can_network_relay –> off
httpd_can_sendmail –> on
If you would start the apache server you would not be able to connect to it, because the httpd_can_network_connect is turned off. 


Set sebool to on:
[root@client1 ~]# setsebool -P httpd_can_network_connect =on
Now you are able to start the apache server and connect to it.


Selinux Manpage

[root@client1 ~]#man httpd_selinux
—————————————————————————–
Restore default security context of files or directories (File labeling):
Check filecontext:
[root@client1 ~]# ls -Z
drwxr-xr-x root root root:object_r:httpd_sys_content_t nagvis
drwxr-xr-x root root root:object_r:httpd_sys_content_t nconf


[root@client1 ~]# restorecon -v /var/www/html/index.html 


[root@client1 ~]# restorecon -Rv /var/www/html/index.html
 
To check if a restore is needed:
[root@client1 ~]# restorecon -Rv -n /var/www/html


Set new security context not persistent:
[root@client1 ~]# chcon -Rv –type=httpd_sys_content_t /html


Set new security context not persistent:
[root@client1 ~]# semanage fcontext -a -t httpd_sys_content_t “/html(/.*)?”
—————————————————————————–
Open non standard ports for httpd service:
[root@client1 ~]# semanage port -a -t http_port_t – p tcp 81


List all the ports managed permitted by selinux
[root@client1 ~]# semanage port -l
—————————————————————————–
Create selinux rule:
[root@client1 ~]# grep security_context_t /var/log/audit/audit.log | audit2allow -m nagios1 > nagios.te


now review the rules in the .te file.
Create selinux module:
[root@client1 ~]# grep security_context_t /var/log/audit/audit.log | audit2allow -M nagios1


Install the module:
[root@client1 ~]# semodule -i nagios1.pp




REFERENCES
http://www.salsaunited.net/blog/?p=89