This section describes information related to the philosophy of
system administration that is specific to Red Hat Enterprise
Linux.
Automation of frequently-performed tasks under Red Hat
Enterprise Linux requires knowledge of several different types of
technologies. First are the commands that control the timing of
command or script execution. The cron and
at commands are most commonly used in
these roles.
Incorporating an easy-to-understand yet powerfully flexible time
specification system, cron can schedule
the execution of commands or scripts for recurring intervals
ranging in length from minutes to months. The crontab command is used to manipulate the files
controlling the cron daemon that actually
schedules each cron job for execution.
The at command (and the closely-related
command batch) are more appropriate for
scheduling the execution of one-time scripts or commands. These
commands implement a rudimentary batch subsystem consisting of
multiple queues with varying scheduling priorities. The priorities
are known as niceness levels (due to the
name of the command — nice). Both
at and batch are
perfect for tasks that must start at a given time but are not
time-critical in terms of finishing.
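The cron time specification mentioned above (five fields: minute, hour, day of month, month, day of week, each accepting `*`, single values, ranges, lists and step values) is easy to get subtly wrong, and a malformed entry silently never runs. The following lint is an added example, not code from the Red Hat guide; it checks the five numeric fields of each crontab line and the sample crontab it processes is constructed for this example. Month and weekday names (jan, mon, ...) are deliberately not accepted.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: a lint for the five time fields
# of crontab entries. It accepts "*", single values, ranges (a-b), lists
# (a,b,c) and steps (*/n, a-b/n) within the range cron allows for each field.
# Month and weekday names are not handled. The sample crontab is constructed.

# is_int VALUE -> 0 if VALUE is a non-negative decimal integer
is_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# range_ok VALUE MIN MAX -> 0 if VALUE is an integer with MIN <= VALUE <= MAX
range_ok() {
    is_int "$1" && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# atom_ok ATOM MIN MAX -> 0 if one comma-separated element of a field is
# valid: "*", "n", "a-b", "*/s" or "a-b/s" (s must be a positive integer)
atom_ok() {
    atom=$1; min=$2; max=$3; step=""
    case "$atom" in
        */*) step=${atom#*/}; atom=${atom%%/*}        # split off the step
             is_int "$step" && [ "$step" -ge 1 ] || return 1 ;;
    esac
    case "$atom" in
        '*') return 0 ;;
        *-*) lo=${atom%%-*}; hi=${atom#*-}
             range_ok "$lo" "$min" "$max" && range_ok "$hi" "$min" "$max" \
                 && [ "$lo" -le "$hi" ] ;;
        *)   # a plain value; a step only makes sense after "*" or a range
             [ -z "$step" ] && range_ok "$atom" "$min" "$max" ;;
    esac
}

# field_ok FIELD MIN MAX -> 0 if every comma-separated atom of FIELD is valid
field_ok() {
    _min=$2; _max=$3
    set -f                        # no globbing: a literal "*" must survive
    old_ifs=$IFS; IFS=','
    set -- $1                     # split FIELD on commas
    IFS=$old_ifs
    set +f
    [ $# -ge 1 ] || return 1
    for a in "$@"; do
        atom_ok "$a" "$_min" "$_max" || return 1
    done
    return 0
}

# crontab_line_ok LINE -> 0 if LINE is blank, a comment, a variable
# assignment (MAILTO=root), or five valid time fields followed by a command
crontab_line_ok() {
    set -f
    set -- $1                     # split on whitespace (default IFS)
    set +f
    if [ $# -eq 0 ]; then return 0; fi
    case "$1" in '#'*) return 0 ;; *=*) return 0 ;; esac
    [ $# -ge 6 ] || return 1
    field_ok "$1" 0 59 && field_ok "$2" 0 23 && field_ok "$3" 1 31 \
        && field_ok "$4" 1 12 && field_ok "$5" 0 7
}

# lint_crontab (reads a crontab on stdin) -> prints "ok"/"BAD" in front of
# each line and returns the number of malformed lines (0 = all acceptable)
lint_crontab() {
    bad=0
    while IFS= read -r line; do
        if crontab_line_ok "$line"; then
            printf 'ok  %s\n' "$line"
        else
            printf 'BAD %s\n' "$line"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample: two good jobs, a step job, and two malformed entries
# (minute 60 does not exist; day of month 40 does not exist).
SAMPLE_CRONTAB='# minute hour day-of-month month day-of-week command
30 2 * * * /usr/local/sbin/nightly-backup.sh
0 6 1,15 * * /usr/local/bin/report.sh
*/5 * * * * /usr/local/bin/check-queue.sh
60 2 * * * /usr/local/sbin/bad-minute.sh
0 6 1-40 * * /usr/local/bin/bad-day.sh'

printf '%s\n' "$SAMPLE_CRONTAB" | lint_crontab || echo "$? malformed line(s)"
# On a real system the same check runs over your own entries: crontab -l | lint_crontab
```

The two `set -f` calls matter: without them a bare `*` in a time field would be expanded by the shell into the names of the files in the current directory before the check ever sees it.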
Next are the various scripting languages. These are the
"programming languages" that the average system administrator uses
to automate manual operations. There are many scripting languages
(and each system administrator tends to have a personal favorite),
but the following are currently the most common:
Over and above the obvious differences between these languages,
the biggest difference is in the way in which these languages
interact with other utility programs on a Red Hat Enterprise Linux
system. Scripts written with the bash
shell tend to make more extensive use of the many small utility
programs (for example, to perform character string manipulation),
while perl scripts perform more of these
types of operations using features built into the language itself.
A script written using python can fully
exploit the language's object-oriented capabilities, making complex
scripts more easily extensible.
This means that, in order to truly master shell scripting, you
must be familiar with the many utility programs (such as grep and sed) that are part
of Red Hat Enterprise Linux. Learning perl
(and python), on the other hand, tends to
be a more "self-contained" process. However, many perl language constructs are based on the syntax of
various traditional UNIX utility programs, and as such are familiar
to those Red Hat Enterprise Linux system administrators with shell
scripting experience.
In the areas of documentation and communication, there is little
that is specific to Red Hat Enterprise Linux. Since documentation
and communication can consist of anything from adding comments to a
text-based configuration file to updating a webpage or sending an
email, a system administrator using Red Hat Enterprise Linux must
have access to text editors, HTML editors, and mail clients.
Here is a small sample of the many text editors available under
Red Hat Enterprise Linux:
- The gedit text editor
- The Emacs text editor
- The Vim text editor
The gedit text editor is a strictly
graphical application (in other words, it requires an active X
Window System environment), while vim and
Emacs are primarily text-based in
nature.
The subject of the best text editor has sparked debate for
nearly as long as computers have existed and will continue to do
so. Therefore, the best approach is to try each editor for
yourself, and use what works best for you.
For HTML editors, system administrators can use the Composer
function of the Mozilla Web browser. Of
course, some system administrators prefer to hand-code their HTML,
making a regular text editor a perfectly acceptable tool as
well.
As far as email is concerned, Red Hat Enterprise Linux includes
the Evolution graphical email client,
the Mozilla email client (which is also
graphical), and mutt, which is
text-based. As with text editors, the choice of an email client
tends to be a personal one; therefore, the best approach is to try
each client for yourself, and use what works best for you.
As stated earlier in this chapter, security cannot be an
afterthought, and security under Red Hat Enterprise Linux is more
than skin-deep. Authentication and access controls are
deeply-integrated into the operating system and are based on
designs gleaned from long experience in the UNIX community.
For authentication, Red Hat Enterprise Linux uses PAM —
Pluggable Authentication Modules. PAM makes it possible to
fine-tune user authentication via the configuration of shared
libraries that all PAM-aware applications use, all without
requiring any changes to the applications themselves.
Access control under Red Hat Enterprise Linux uses traditional
UNIX-style permissions (read, write, execute) against user, group,
and "everyone else" classifications. Like UNIX, Red Hat Enterprise
Linux also makes use of setuid and
setgid bits to temporarily confer expanded
access rights to processes running a particular program, based on
the ownership of the program file. Of course, this makes it
critical that any program run with setuid or setgid privileges be
carefully audited to ensure that no exploitable vulnerabilities
exist.
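Auditing the code of every setuid and setgid program is a large task; a cheaper control that complements it is knowing exactly which such programs exist and noticing when the set changes. The script below is an added example, not code from the Red Hat guide: it lists the setuid/setgid files under a directory and diffs that list against a baseline taken when the system was known to be good. The directory and baseline path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: inventory the setuid and setgid
# programs below a directory and compare the inventory with a known-good
# baseline, so a newly appeared or vanished privileged program stands out.
# The directory and baseline file names used below are assumptions.

# list_suid ROOT -> prints every regular file below ROOT (same filesystem
# only) that carries the setuid or setgid bit, sorted one path per line
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# describe_suid ROOT -> the same list, each path preceded by its mode string
# (an "s" in the owner or group execute position marks the bit)
describe_suid() {
    list_suid "$1" | while IFS= read -r f; do
        printf '%s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
    done
}

# suid_diff BASELINE ROOT -> prints "+ path" for a privileged file that is
# not in BASELINE and "- path" for a BASELINE entry that is gone; returns 1
# when any difference exists, 0 when the system still matches the baseline
suid_diff() {
    current=$(mktemp) || return 2
    list_suid "$2" >"$current"
    # comm -3 keeps lines unique to one input: column 1 = baseline only,
    # column 2 (tab-indented) = current only
    diffs=$(comm -3 "$1" "$current" |
        awk -F'\t' '$1 == "" { print "+ " $2; next } { print "- " $1 }')
    rm -f "$current"
    if [ -z "$diffs" ]; then
        return 0
    fi
    printf '%s\n' "$diffs"
    return 1
}

# Usage as a script: "sh suid-audit.sh /usr" prints the inventory. Save a
# baseline with "list_suid /usr > /var/lib/suid-baseline" (assumed path) and
# run "suid_diff /var/lib/suid-baseline /usr" from cron to be told of changes.
if [ $# -ge 1 ]; then
    describe_suid "$1"
fi
```

`-xdev` keeps `find` on one filesystem, so a scan of `/` does not descend into network or removable mounts; run it once per local filesystem instead. A nonzero exit from `suid_diff` is the signal to investigate, whether the new file is a legitimately installed package or something that should not be there.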
Red Hat Enterprise Linux also includes support for access control lists. An access control list (ACL)
is a construct that allows extremely fine-grained control over what
users or groups may access a file or directory. For example, a
file's permissions may restrict all access by anyone other than the
file's owner, yet the file's ACL can be configured to allow only
user bob to write and group
finance to read the file.
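The policy just described (permission bits that admit only the owner, plus ACL entries for user `bob` and group `finance`) is applied with `setfacl` and read back with `getfacl`. The script below is an added example, not code from the Red Hat guide; the user and group names are the ones from the text, and the support probe at the start is this example's own, because not every filesystem is mounted with ACL support.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: apply the access policy the
# text describes (owner-only permission bits, then an ACL that lets user
# "bob" write and group "finance" read) and read the result back.

# acl_supported DIR -> 0 if setfacl/getfacl are installed and the
# filesystem holding DIR accepts an ACL (not every mount supports them)
acl_supported() {
    command -v setfacl >/dev/null 2>&1 || return 1
    command -v getfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp "$1/aclprobe.XXXXXX") || return 1
    setfacl -m "u:$(id -u):r" "$probe" >/dev/null 2>&1
    rc=$?
    rm -f "$probe"
    return $rc
}

# restrict_with_acl FILE USER GROUP:
#   1. set the classic permission bits to 600, so the owner is the only
#      principal the bits themselves admit, then
#   2. add ACL entries for USER (read+write) and GROUP (read-only).
# setfacl recalculates the mask entry, which caps what named users and
# groups receive; ls -l then shows that mask in the group triad plus a "+".
restrict_with_acl() {
    chmod 600 "$1" || return 1
    setfacl -m "u:$2:rw,g:$3:r" "$1"
}

# acl_entries FILE -> prints only the named user and group entries, e.g.
# "user:bob:rw-" and "group:finance:r--"; the owner's own entries appear as
# "user::" and "group::" in getfacl output and are skipped here
acl_entries() {
    getfacl --omit-header "$1" 2>/dev/null | grep -E '^(user|group):[^:]+:'
}

# Demonstration on a constructed file. It is skipped where ACLs are not
# available, and the user/group from the text may not exist on this host.
demo_dir=$(mktemp -d)
if acl_supported "$demo_dir"; then
    demo_file="$demo_dir/ledger.txt"
    printf 'constructed sample content\n' >"$demo_file"
    if restrict_with_acl "$demo_file" bob finance 2>/dev/null; then
        acl_entries "$demo_file"
    else
        echo "user bob or group finance does not exist here; ACL not applied"
    fi
    ls -l "$demo_file"
fi
rm -rf "$demo_dir"
```

Two things to remember when reviewing such a file later: `ls -l` alone does not show the named entries, only a `+` after the mode, so `getfacl` is the tool for the full picture; and the group triad of the mode now displays the ACL mask, not the owning group's rights, which is why the file above reports `rw-` for the group even though the owning group itself has no access.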
Another aspect of security is being able to keep track of system
activity. Red Hat Enterprise Linux makes extensive use of logging,
both at a kernel and an application level. Logging is controlled by
the system logging daemon syslogd, which
can log system information locally (normally to files in the
/var/log/ directory) or to a remote
system (which acts as a dedicated log server for multiple
computers).
Intrusion detection systems (IDS) are powerful tools for any Red
Hat Enterprise Linux system administrator. An IDS makes it possible
for system administrators to determine whether unauthorized changes
were made to one or more systems. The overall design of the
operating system itself includes IDS-like functionality.
Because Red Hat Enterprise Linux is installed using the RPM
Package Manager (RPM), it is possible to use RPM to verify whether
any changes have been made to the packages comprising the operating
system. However, because RPM is primarily a package management
tool, its abilities as an IDS are somewhat limited. Even so, it can
be a good first step toward monitoring a Red Hat Enterprise Linux
system for unauthorized modifications.
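`rpm -V` (or `rpm -Va` for every installed package) reports each file whose recorded attributes no longer match the database, but on a busy system the raw list mixes harmless edits to configuration files with the changes that actually matter. The script below is an added example, not code from the Red Hat guide or from RPM: it triages `rpm -V` output by the flag characters rpm prints. The sample lines it runs on are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: triage the output of "rpm -V"
# so the lines that matter for integrity monitoring stand out. rpm prints
# one line per changed file: nine flag positions (S size, M mode, 5 digest,
# D device, L link target, U user, G group, T mtime, P capabilities, "."
# for unchanged), an optional attribute marker (c config, d documentation,
# g ghost, l license, r readme) and the path; a file that is gone is
# reported with the word "missing". The sample lines below are constructed.

# triage_rpm_verify (reads rpm -V output on stdin) -> one line per input
# line: SEVERITY PATH REASON. Ownership, mode or capability changes are
# always HIGH; content changes are HIGH except on config and documentation
# files, which are expected to be edited; mtime-only changes are LOW.
# Paths containing spaces are not handled (they would shift the fields).
triage_rpm_verify() {
    awk '
    NF < 2 { next }
    {
        path = $NF
        marker = (NF >= 3) ? $2 : ""
        if ($1 == "missing") {
            sev = (marker == "d") ? "LOW" : "HIGH"
            why = "file missing"
        } else {
            f = $1
            perms   = index(f, "M") || index(f, "U") || index(f, "G") || index(f, "P")
            content = index(f, "S") || index(f, "5") || index(f, "L")
            if (perms) {
                sev = "HIGH"; why = "mode/owner/group/capabilities changed"
            } else if (content && marker == "c") {
                sev = "LOW"; why = "config file edited"
            } else if (content && marker == "d") {
                sev = "LOW"; why = "documentation changed"
            } else if (content) {
                sev = "HIGH"; why = "content changed"
            } else {
                sev = "LOW"; why = "metadata only (" f ")"
            }
        }
        printf "%s %s %s\n", sev, path, why
    }'
}

# count_high (reads triage output on stdin) -> number of HIGH findings
count_high() {
    grep -c '^HIGH '
}

# Constructed sample of rpm -V output: an edited config file, a replaced
# binary, a binary with changed mode, a touched library, a missing daemon,
# a missing documentation file, an edited man page, and a config file whose
# owner changed.
SAMPLE_RPM_VERIFY='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ps
.M.......    /usr/bin/passwd
.......T.    /usr/lib64/libz.so.1
missing     /usr/sbin/sshd
missing   d /usr/share/doc/zlib/README
..5....T.  d /usr/share/man/man1/ls.1.gz
.....U...  c /etc/sudoers'

printf '%s\n' "$SAMPLE_RPM_VERIFY" | triage_rpm_verify
# On a real system: rpm -Va | triage_rpm_verify | grep '^HIGH '
```

The limitation the text points out still applies after triage: the comparison is against the RPM database on the same host, so a tampered package database or a file installed outside any package is invisible to it. The HIGH lines are a place to start investigating, not a verdict.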