1.11. Red Hat Linux-Specific Information

This section describes information related to the philosophy of system administration that is specific to Red Hat Linux.

1.11.1. Automation

Automation of frequently-performed tasks under Red Hat Linux requires knowledge of several different types of technologies. First are the commands that control the timing of command or script execution. The cron and at commands are most commonly used in these roles.

Incorporating an easy-to-understand yet powerfully flexible time specification system, cron can schedule the execution of commands or scripts for recurring intervals ranging in length from minutes to months. The crontab command is used to manipulate the files that control the cron daemon that actually schedules each cron job for execution.

The at command (and the closely-related command batch) are more appropriate for scheduling the execution of one-time scripts or commands. These commands implement a rudimentary batch subsystem consisting of multiple queues with varying scheduling priorities (known as niceness levels, due to the name of the command — nice — used to change priorities of running programs). Both at and batch are perfect for tasks that must start at a given time, but are not time-critical in terms of finishing.

Next are the various scripting languages. These are the "programming languages" that the average system administrator uses to automate manual operations. There are many scripting languages (and each system administrator tends to have a personal favorite), but the following are currently the most common:

Over and above the obvious differences between these languages, the biggest difference is in the way in which these languages interact with other utility programs on a Red Hat Linux system. Shell scripts tend to make more extensive use of the many small utility programs (for example, to perform character string manipulation), while perl scripts perform more of these types of operations using features built into the language itself.

This means that, in order to truly master shell scripting, you will need to be familiar with the many utility programs (such as grep and sed) that are part of Red Hat Linux. Learning perl, on the other hand, is a more "self-contained" process. However, many perl language constructs are based on the syntax of various traditional UNIX utility programs, and as such will be familiar to those Red Hat Linux system administrators with shell scripting experience.

1.11.2. Documentation and Communication

In the areas of documentation and communication, there is little that is specific to Red Hat Linux. Since documentation and communication can consist of anything from adding comments to a text-based configuration file to updating a webpage or sending an email, a system administrator using Red Hat Linux will need access to text editors, HTML editors, and mail clients.

Here is a small sample of the many text editors available under Red Hat Linux:

The gedit text editor is a strictly graphical application (in other words, it requires an active X Window System environment), while vim and Emacs are primarily text-based in nature.

The subject of the best text editor has sparked debate for nearly as long as computers have existed, and will continue to do so. Therefore, the best approach is to try each editor for yourself, and use what works best for you.

For HTML editors, system administrators can use the Composer function of the Mozilla Web browser, or Quanta, a standalone HTML editor. Of course, some system administrators prefer to hand-code their HTML, making a regular text editor a perfectly acceptable tool as well.

As far as email is concerned, Red Hat Linux includes the Evolution graphical email client, the Mozilla email client (which is also graphical), and the text-based email clients pine and mutt. As with text editors, the choice of an email client tends to be a personal one; therefore, the best approach is to try each client for yourself, and use what works best for you.

1.11.3. Security

As stated earlier in this chapter, security cannot be an afterthought, and security under Red Hat Linux is more than skin-deep. Authentication and access controls are deeply-integrated into the operating system, and are based on designs gleaned from long experience in the UNIX community.

For authentication, Red Hat Linux uses PAM — Pluggable Authentication Modules. PAM makes it possible to fine-tune user authentication via the configuration of shared libraries that all PAM-aware applications use, all without requiring any changes to the applications themself.

Access control under Red Hat Linux uses traditional UNIX-style permissions (read, write, execute) against user, group, and "everyone else" classifications. Like UNIX, Red Hat Linux also makes use of setuid and setgid bits to temporarily confer expanded access rights to processes running a particular program, based on the ownership of the program file. Of course, this makes it critical that any program to be run with setuid or setgid privileges must be carefully audited to ensure that no exploitable vulnerabilities exist.

Another aspect of security is being able to keep track of system activity. Red Hat Linux makes extensive use of logging, both at a kernel and an application level. Logging is controlled by the system logging daemon syslogd, which can log system information locally (normally to files in the /var/log directory) or to a remote system (which can be a dedicated log server for multiple computers).

Intrusion detection sytems (IDS) are powerful tools for any Red Hat Linux system administrator. An IDS makes it possible for system administrators to determine whether unauthorized changes were made to one or more systems. Red Hat Linux includes a dedicated IDS (Tripwire) but the overall design of the operating system itself includes IDS-like functionality.

Because Red Hat Linux is installed using the RPM Package Manager (RPM), it is a straightforward process to verify whether any changes have been made to any of the packages comprising the operating system itself. In addition, RPM makes use of cryptographically-based digital signatures that are capable of ensuring the authenticity of any signed package. All packages produced by Red Hat are signed and make use of this feature. However, because RPM's primary mission is as a package management tool, its abilities as an IDS are somewhat limited. Even so, it can be a good first step toward monitoring a Red Hat Linux system for unauthorized modifications.

Tripwire is a tool that was designed specifically as an IDS; as such, it is more powerful and flexible than using RPM as an IDS. Tripwire constructs a database of baselines, which are snapshots of the system configuration at specific points in time. By tracking changes to the baseline, Tripwire is able to show system configuration changes as a function of time — a handy way of reconstructing the chronology of an intrusion.

But solid intrusion detection is of no value if the IDS itself is vulnerable to tampering. Tripwire avoids this problem by encrypting its configuration files, making unauthorized modifications impossible.