If you are serious about security, there is one place where you need to go: the Aqueduct project website.
There, you will find all the security configuration guidance needed to harden your RHEL servers.
Even better, as it takes a lot of effort to raise the security level of an already built server, Major Hayden’s website provides a ready-to-use CentOS 6 kickstart file compliant with the CIS (Center for Internet Security) guidance. This way, with very limited changes to this file (partition sizes, physical or virtualized drives), you will get a server that you can rely on.
To those who, like me, don’t feel very comfortable with ACLs (Access Control Lists), I recommend this SuSE article from 2003, which explains almost everything about the subject.
Everything started in 2009, when two researchers from MIT, J. Arnold and F. Kaashoek, wrote an academic paper about “Automatic Rebootless Kernel Updates”.
In this paper, they explained the state of the art in kernel hot patching and what approaches they took to improve it.
Being able to patch a kernel without rebooting brings several advantages:
- you avoid downtime in mission critical environments,
- you can apply security patches to your kernel without waiting for a maintenance window, which shortens the time a known kernel vulnerability stays exploitable on your systems,
- you make life easier for your administration and application support teams.
Some time later, the two researchers, together with other MIT colleagues, created a company called Ksplice.
In 2011, Oracle bought this start-up and started selling the patches through a subscription program.
Today, besides Oracle’s Ksplice offering, SUSE and Red Hat are racing to get this feature integrated into the Linux kernel and to provide the related tools in their respective distributions.
With kGraft, SUSE already has a working solution waiting for acceptance into the Linux kernel, while Red Hat is still struggling to stabilize its own version. Whoever wins, a GPL solution should be available before the end of this year. This is a definitive achievement.
With RHEL 7, Red Hat decided to stop producing any 32-bit version of its distribution.
Anticipating the market evolution, the company is now working on a port to the 64-bit ARM architecture, AArch64.
Yesterday, Jon Masters, Red Hat’s ARM architect, gave a talk that included a demo of RHEL 7 running on a 64-bit ARM server. This distribution should be released before the end of the year.
Source: Richard W.M. Jones’ blog.
To those who are wondering whether they will have time to take their exams before the arrival of the RHEL 7 certification program: RHCSA and RHCE exams for RHEL 6 are still scheduled in Europe until December 12, 2014.
Source: Red Hat website.
In RHEL 6, service management was sometimes slightly painful.
Each time you wanted to start or enable a service, you had to remember its exact name.
For example, when you wanted to set up a ntp client, you had to install the NTP package:
# yum install ntp
Then, you had to enable the service:
# chkconfig ntpd on
Finally, you had to start the service:
# service ntpd start
As the package name was different from the service name, you had to remember both names and sometimes use commands like:
# chkconfig | grep ntp
With RHEL 7, Systemd introduces new commands, but the steps are exactly the same (and, by the way, the package name and the service name still differ in this case):
You have to install the NTP package:
# yum install ntp
Then, you have to enable the service:
# systemctl enable ntpd
Finally, you have to start the service:
# systemctl start ntpd
The improvement appears when using the systemctl command: you get bash completion!
According to Ben Breard, you get this feature by default except in the minimal installation configuration.
When not sure about the service name, type the beginning of its name and press the tab key!
Start by getting the service status:
# systemctl status ntpd
Then start/stop/enable/disable it according to your needs.
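The install / enable / start / check procedure above, as one script that works on both RHEL 6 (chkconfig, service) and RHEL 7 (systemctl) and then verifies that the service is really enabled at boot and running now. This is an added example, not code from the original post; the function names, the DRY_RUN switch and the ntp/ntpd package and service names used in the usage line are assumptions for illustration.

```bash
#!/bin/sh
# Added example, not code from the original post: the install / enable / start
# procedure as one script for RHEL 6 (chkconfig, service) and RHEL 7
# (systemctl), followed by a verification step. The package and service names
# are separate arguments because, as with ntp/ntpd, they differ.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Print "systemd" when systemctl is available, "sysv" otherwise.
detect_init() {
    if command -v systemctl >/dev/null 2>&1; then
        echo systemd
    else
        echo sysv
    fi
}

# setup_service INIT PACKAGE SERVICE
# Returns 0 only if every step succeeded, including the final checks that the
# service is enabled at boot AND running now (enabling alone does not start it).
setup_service() {
    init="$1"; pkg="$2"; svc="$3"
    run yum -y install "$pkg" || return 1
    case "$init" in
        systemd)
            run systemctl enable "$svc" &&
            run systemctl start "$svc" &&
            run systemctl is-enabled "$svc" &&
            run systemctl is-active "$svc"
            ;;
        sysv)
            # "chkconfig NAME" with no action exits 0 only if the service is
            # on in the current runlevel; "service NAME status" exits 0 only
            # if it is running.
            run chkconfig "$svc" on &&
            run service "$svc" start &&
            run chkconfig "$svc" &&
            run service "$svc" status
            ;;
        *)
            echo "unsupported init system: $init" >&2
            return 2
            ;;
    esac
}

# Real use on the target host (assumed names, not run here):
#   setup_service "$(detect_init)" ntp ntpd
```

Run it with DRY_RUN=1 first on a workstation to see exactly which commands it would issue for each init system; the two final checks are the part worth keeping even if you type the commands by hand, because `systemctl enable` and `chkconfig on` only affect the next boot.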
Those who have already passed the RHCE should know that Red Hat has recently retired the RHCSS certification and the three associated exams:
- Red Hat Certificate of Expertise in Security: Network Services (EX333),
- Red Hat Certificate of Expertise in Directory Services and Authentication (EX423),
- Red Hat Certificate of Expertise in SELinux Policy Administration (EX429).
Source: Red Hat website.
After the Debian technical committee’s decision, several days ago, to adopt Systemd as its init system, and Mark Shuttleworth’s choice to take Ubuntu in the same direction, it is now clear that every Linux system administrator needs to learn Systemd as soon as possible.
As RHEL7 is also based on Systemd, you will not waste your time reading my introduction to Systemd.
Even though understanding Kerberos doesn’t seem to be critical for passing the RHCE exam, it is still in the objectives list. For this reason, and because I’m fundamentally curious, I have written some instructions to configure a Kerberos client and set up a KDC (Key Distribution Center).
Besides Kerberos configuration, I learned one thing: be careful when writing your /etc/hosts file for services like Kerberos. Each line must follow the sequence: IP address, fully qualified domain name, then aliases. The reason is reverse host resolution: the first name on the line is what a reverse lookup returns as the host’s canonical name, and Kerberos uses that name to select the host/<fqdn>@REALM service principal, so if the short name comes first the principal is never matched and authentication just doesn’t work!
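A quick check for that /etc/hosts field order, as an added example that is not part of the original post. The function names and the sample lines (192.0.2.10, kdc.example.com) are constructed for illustration. It relies on the behaviour described above: with the glibc files resolver, the first name on a matching line is the canonical name returned by a reverse lookup, so that name has to be the FQDN. Loopback lines are skipped because they legitimately start with "localhost" and no service principal is named after them.

```bash
#!/bin/sh
# Added example, not code from the original post: a sanity check for the
# /etc/hosts field order Kerberos depends on. A reverse (address-to-name)
# lookup through the glibc "files" backend returns the FIRST name on the
# matching line as the canonical host name, so "192.0.2.10 kdc kdc.example.com"
# makes the address resolve to "kdc" and the service principal
# host/kdc.example.com@REALM is never matched. Expected order:
#   <ip address> <fully qualified domain name> [alias ...]
# Loopback lines (127.x.x.x, ::1) are skipped on purpose.

# check_hosts_line LINE  -> 0 if the line is well-formed, 1 otherwise
check_hosts_line() {
    line=$(printf '%s\n' "$1" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$line" ]; then
        return 0                      # blank or comment-only line
    fi
    set -- $line                      # split the line into fields on whitespace
    ip="$1"; canon="$2"
    case "$ip" in
        127.*|::1) return 0 ;;        # loopback: "localhost" first is normal
    esac
    if [ -z "$canon" ]; then
        echo "hosts: no host name after address $ip" >&2
        return 1
    fi
    case "$canon" in
        *.*) return 0 ;;              # canonical name contains a dot: FQDN first
    esac
    echo "hosts: canonical name '$canon' for $ip is not fully qualified (the FQDN must come first)" >&2
    return 1
}

# check_hosts_stream < file  -> prints the number of malformed lines,
# returns 0 only if there are none
check_hosts_stream() {
    bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        check_hosts_line "$l" || bad=$((bad + 1))
    done
    echo "$bad malformed line(s)"
    [ "$bad" -eq 0 ]
}

# Real use: check_hosts_stream < /etc/hosts
```

Run it on every host that will hold a Kerberos service principal (the KDC included) before wondering why `kinit` works but the service ticket is rejected; a non-zero exit status points at the exact line to reorder.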
For those who are interested in RHEL 7 Beta performance, Phoronix published a benchmark only two days after its release in December.
The progress made at the kernel level (3.10 kernel), at the compiler level (gcc 4.8.2) and at the graphics level (new Linux kernel Direct Rendering Manager drivers) is among the reasons for the clear advantage RHEL 7 Beta takes over RHEL 6.5.
If you want to know more, read the Phoronix RHEL 7 Beta benchmark.