24.6. Administrative Tasks (Topic 1.111)

24.6.1. Objective 1: Manage Users and Group Accounts and Related System Files

24.6.1.1. passwd and group

User account information is stored in /etc/passwd. Each line in /etc/passwd contains a username, password, UID, GID, user's name, home directory, and default shell. Group information is stored in /etc/group. Each line in /etc/group contains a group name, group password, GID, and group member list. passwd and group are world-readable.

24.6.1.2. Shadow files

To prevent users from obtaining encrypted passwords from passwd and group, shadow files are implemented. Encrypted passwords are moved to a new file, which is readable only by root. The shadow file for /etc/passwd is /etc/shadow. The shadow file for /etc/group is /etc/gshadow.

24.6.1.3. User and group management commands

The following commands are commonly used for manual user and group management:
useradd user Create the account user.
usermod user Modify the user account.
userdel user Delete the user account.
groupadd group Add group.
groupmod group Modify the parameters of group.
groupdel group Delete group.
passwd username Interactively set the password for username.
gpasswd groupname Interactively set the password for groupname.
pwconv Convert a standard password file to a shadow configuration.
pwunconv Revert from a shadow password configuration.
grpconv Convert a standard group file to a shadow configuration.
grpunconv Revert from a shadow group configuration.
chage user Modify password aging and expiration settings for user.

24.6.2. Objective 2: Tune the User Environment and System Environment Variables

24.6.2.1. Configuration scripts

The bash shell uses systemwide configuration scripts, such as /etc/profile and /etc/bashrc, when it starts. Commands in /etc/profile are executed at login time. Commands in /etc/bashrc are executed for each invocation of bash. Changes to these systemwide files affect all users on the system.

24.6.2.2. New account home directories

New user directories are populated automatically by copying /etc/skel and its contents. The system administrator may add, modify, and delete files in /etc/skel as needed for the local environment.

24.6.3. Objective 3: Configure and Use System Log Files to Meet Administrative and Security Needs

24.6.3.1. Syslog

The syslog system displays and records messages describing system events. Messages can be placed on the console, in log files, and on the text screens of users. Syslog is configured by /etc/syslog.conf in the form facility.level action:
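The passwd and shadow material in 24.6.1 above describes the fields of each file and why the hashes live in a root-only file. The script below is an added example (not from the book) that audits constructed passwd- and shadow-style data for the problems those sections imply: a hash left in the world-readable passwd file instead of the x placeholder, an empty password field, a second UID 0 account, duplicate usernames, and accounts present in one file but missing from the other. All sample lines and usernames are constructed; on a live host you would feed it /etc/passwd and, as root, /etc/shadow.

```shell
#!/bin/sh
# Audit passwd- and shadow-style data for the conditions described in 24.6.1.
# Sample data is constructed for this example (added example, not the book's code).

# Constructed passwd: username:password:UID:GID:name:home:shell
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:$1$oldsalt$hashleftinpasswd:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
carol::1002:1002:Carol:/home/carol:/bin/bash'

# Constructed shadow: username:hash:lastchange:min:max:warn:inactive:expire:flag
SHADOW_SAMPLE='root:$6$salt$hashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$otherhash:19000:0:99999:7:::
dave::19000:0:99999:7:::'

# audit_passwd DATA: prints one finding per line as "TAG username"
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7                 { print "MALFORMED " $0; next }
        $2 == ""                { print "EMPTY_PASSWORD_FIELD " $1 }
        $2 != "" && $2 != "x"   { print "HASH_IN_PASSWD " $1 }   # hash never moved to /etc/shadow
        $3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }       # a second root-equivalent account
        seen[$1]++              { print "DUPLICATE_USER " $1 }   # true from the second occurrence on
    '
}

# audit_shadow DATA: an empty hash field means the account logs in with no password
audit_shadow() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print "NO_PASSWORD " $1 }'
}

# cross_check PASSWD SHADOW: usernames that appear in only one of the two files
cross_check() {
    {
        printf '%s\n' "$1" | cut -d: -f1 | sed 's/^/P /'
        printf '%s\n' "$2" | cut -d: -f1 | sed 's/^/S /'
    } | awk '
        $1 == "P" { inp[$2] = 1 }
        $1 == "S" { ins[$2] = 1 }
        END {
            for (u in inp) if (!(u in ins)) print "NOT_IN_SHADOW " u
            for (u in ins) if (!(u in inp)) print "NOT_IN_PASSWD " u
        }' | sort
}

echo "== passwd findings"; audit_passwd "$PASSWD_SAMPLE"
echo "== shadow findings"; audit_shadow "$SHADOW_SAMPLE"
echo "== cross-check";     cross_check "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```

The same three functions run unchanged over the real files (`audit_passwd "$(cat /etc/passwd)"`); a non-x password field in passwd after pwconv, or a NOT_IN_SHADOW result, means the shadow conversion is incomplete for that account.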
facility The creator of the message, selected from among auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, or local0 through local7.
level Specifies a severity threshold beyond which messages are logged and is one of (from lowest to highest severity) debug, info, notice, warning, err, crit, alert, or emerg. The special level none disables a facility.
action The destination for messages that correspond to a given selector. It can be a filename, @hostname, a comma-separated list of users, or an asterisk, meaning all logged-in users.

Together, facility.level comprises the message selector. Most syslog messages go to /var/log/messages.

24.6.3.2. Log file rotation

24.6.3.3. Examining log files

Files in /var/log (such as messages) and elsewhere can be examined using utilities such as tail, less, and grep. Information in syslogd log files includes date, time, origin hostname, message sender, and descriptive text. To debug problems using log file information, first look at the hostname and sender, then at the message text.

24.6.4. Objective 4: Automate System Administration Tasks by Scheduling Jobs to Run in the Future

24.6.4.1. Using cron

The cron facility consists of crond, the cron daemon, and crontab files containing job-scheduling information. cron is intended for the execution of commands on a periodic basis. crond examines all crontab files every minute. Each system user has access to cron through a personal crontab file. The crontab command, shown here, allows the crontab file to be edited and viewed:
crontab View, or with -e, edit crontab files.

Entries in the crontab file are in the form of:

minute hour day month dayofweek command

Asterisks in any of the time fields match all possible values. In addition to personal crontab files, the system has its own crontab files: /etc/crontab as well as files in /etc/cron.d.

24.6.4.2. Using at

24.6.4.3. User access

24.6.5. Objective 5: Maintain an Effective Data Backup Strategy

System backup provides protection against disk failures, accidental file deletion, accidental file corruption, and disasters. System backup provides access to historical data. Full backups save all files. Differential backups save files modified or created since the last full backup. Incremental backups save files modified or created since the last full or incremental backup. A full backup will be coupled with either differential or incremental backups, but not both. Backup media are rotated to assure high-quality backups. Backup media must be verified to assure data integrity. Backup is often performed using tar and mt, as follows:
tar files Archive or restore files recursively, to tape or to a tarfile.
mt operation Control a tape drive, including skipping over multiple archives on tape, rewinding, and ejecting. Operations include fsf, bsf, rewind, and offline (see the manpage for a complete list).

Backup should include everything necessary to restore a system to operation in the event of a disaster. Examples include /etc, /home, /var/log, and /var/spool, though individual requirements vary.

24.6.6. Objective 6: Maintain System Time
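Returning to the syslog material in 24.6.3: the selector rules in 24.6.3.1 (facility.level, where level means that severity or higher, * matches everything, and none excludes a facility) and the advice in 24.6.3.3 to look at hostname and sender first can both be exercised on constructed data. The script below is an added example, not from the book: route_message applies a constructed syslog.conf fragment to a message and prints every action that receives it, and log_senders summarises constructed /var/log/messages lines by origin host and sender. The configuration lines, log lines, hostnames, addresses and @loghost destination are all constructed.

```shell
#!/bin/sh
# Syslog selector routing and log summarisation over constructed data.
# Added example for 24.6.3.1 and 24.6.3.3; none of it is the book's code.

# Constructed /etc/syslog.conf fragment: selector, whitespace, action
SYSLOG_CONF_SAMPLE='# everything at info or higher, except mail and authpriv, goes to messages
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
mail.*                           /var/log/maillog
*.emerg                          *
kern.crit                        @loghost'

# route_message FACILITY LEVEL: print the action of every config line that matches
route_message() {
    printf '%s\n' "$SYSLOG_CONF_SAMPLE" | awk -v mf="$1" -v ml="$2" '
    BEGIN {
        n = split("debug info notice warning err crit alert emerg", order, " ")
        for (i = 1; i <= n; i++) sev[order[i]] = i      # lowest to highest severity
        if (!(ml in sev)) { print "unknown level: " ml > "/dev/stderr"; exit 2 }
    }
    /^[[:space:]]*#/ || NF < 2 { next }                 # comment or blank line
    {
        nsel = split($1, sels, ";")
        matched = 0
        for (i = 1; i <= nsel; i++) {
            split(sels[i], parts, "[.]"); lev = parts[2]
            nfac = split(parts[1], facs, ","); hit = 0
            for (j = 1; j <= nfac; j++) if (facs[j] == "*" || facs[j] == mf) hit = 1
            if (!hit) continue
            if (lev == "none") matched = 0              # a later selector overrides an earlier one
            else if (lev == "*") matched = 1
            else if (!(lev in sev)) { print "bad selector: " sels[i] > "/dev/stderr"; exit 2 }
            else if (sev[ml] >= sev[lev]) matched = 1   # this severity or higher
        }
        if (matched) print $2
    }'
}

# Constructed /var/log/messages lines: date time host sender[pid]: text
LOG_SAMPLE='Mar 14 02:11:07 web1 sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 4411 ssh2
Mar 14 02:11:09 web1 sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 4412 ssh2
Mar 14 02:11:12 web1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
Mar 14 02:12:01 db1 kernel: Out of memory: Killed process 4100 (postgres)
Mar 14 02:12:05 web1 sshd[2290]: Accepted publickey for alice from 192.0.2.20 port 5000 ssh2'

# log_senders LOG [PATTERN]: "count host sender", most frequent first, over the
# lines matching PATTERN (default: every line); sender is field 5 minus "[pid]:"
log_senders() {
    printf '%s\n' "$1" | grep -e "${2:-.}" | awk '
        { sender = $5
          sub(/\[[0-9]+\]:?$/, "", sender); sub(/:$/, "", sender)
          count[$4 " " sender]++ }
        END { for (k in count) print count[k], k }' | sort -rn
}

echo "== routing"
for msg in "authpriv info" "kern alert" "mail debug" "daemon emerg"; do
    # $msg is split on purpose into the facility and level arguments
    printf '%-14s -> %s\n' "$msg" "$(route_message $msg | tr '\n' ' ')"
done
echo "== failed logins by host and sender"
log_senders "$LOG_SAMPLE" 'Failed password'
echo "== all senders"
log_senders "$LOG_SAMPLE"
```

With the sample configuration an authpriv message never reaches the world-readable messages file, which is the point of the authpriv.none exclusion; log_senders gives the host-and-sender view the text recommends before reading message text.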
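For the crontab entry format in 24.6.4.1 (minute hour day month dayofweek command, with an asterisk matching every value), the following added example (not from the book) decides whether an entry fires at a given time and rejects malformed entries. Beyond the plain values and asterisks the text shows, it also handles the common list (1,15), range (1-5) and step (*/15) syntax, treats day-of-week 7 as Sunday, and applies the crontab(5) rule for Vixie cron that an entry with both day-of-month and day-of-week restricted runs when either matches. The command paths in the sample entries are placeholders.

```shell
#!/bin/sh
# Crontab time-field evaluation. Added example, not the book's code.

# cron_entry_fires ENTRY MINUTE HOUR DAY MONTH DOW
#   returns 0 if ENTRY fires at that time, 1 if it does not, 2 if ENTRY is
#   malformed (too few fields, out-of-range value, unknown field syntax)
cron_entry_fires() {
    printf '%s\n' "$1" | awk -v m="$2" -v h="$3" -v d="$4" -v mo="$5" -v dw="$6" '
    # 1 = val is covered by spec, 0 = not covered, -1 = spec invalid for [lo,hi]
    function covers(spec, lo, hi, val,    n, items, i, item, step, sp, rp, a, b, k) {
        n = split(spec, items, ",")
        for (i = 1; i <= n; i++) {
            item = items[i]; step = 1
            if (index(item, "/")) {                      # a/step or */step
                split(item, sp, "/"); item = sp[1]; step = sp[2] + 0
                if (sp[2] !~ /^[0-9]+$/ || step < 1) return -1
            }
            if (item == "*") { a = lo; b = hi }
            else if (item ~ /^[0-9]+-[0-9]+$/) { split(item, rp, "-"); a = rp[1] + 0; b = rp[2] + 0 }
            else if (item ~ /^[0-9]+$/) { a = item + 0; b = a }
            else return -1
            if (a < lo || b > hi || a > b) return -1
            for (k = a; k <= b; k += step) if (k == val) return 1
        }
        return 0
    }
    NF < 6 { exit 2 }                                    # five time fields plus a command
    {
        r[1] = covers($1, 0, 59, m)
        r[2] = covers($2, 0, 23, h)
        r[3] = covers($3, 1, 31, d)
        r[4] = covers($4, 1, 12, mo)
        r[5] = covers($5, 0, 7, dw)
        if (r[5] == 0 && dw == 0) r[5] = covers($5, 0, 7, 7)   # Sunday may be written as 7
        for (i = 1; i <= 5; i++) if (r[i] < 0) exit 2
        # crontab(5): if both day fields are restricted, either one matching is enough
        if ($3 != "*" && $5 != "*") day = (r[3] || r[5]); else day = (r[3] && r[5])
        if (r[1] && r[2] && day && r[4]) exit 0; else exit 1
    }'
}

# show ENTRY MINUTE HOUR DAY MONTH DOW: print the decision in words
show() {
    cron_entry_fires "$1" "$2" "$3" "$4" "$5" "$6" && rc=0 || rc=$?
    case $rc in 0) v=fires ;; 1) v=skips ;; *) v=INVALID ;; esac
    printf '%-42s %02d:%02d day %s month %s dow %s -> %s\n' "$1" "$3" "$2" "$4" "$5" "$6" "$v"
}

show '*/15 * * * * /usr/local/bin/check'       30 11 14 3 2   # fires: 30 is a multiple of 15
show '*/15 * * * * /usr/local/bin/check'       31 11 14 3 2   # skips
show '0 2 * * 1-5 /usr/local/bin/backup.sh'     0  2 14 3 1   # fires: Monday
show '0 2 * * 1-5 /usr/local/bin/backup.sh'     0  2 16 3 6   # skips: Saturday
show '30 4 1 * 0 /usr/local/bin/report'        30  4  1 6 3   # fires: day 1 matches, dow need not
show '60 * * * * /usr/local/bin/bad'            0  0  1 1 0   # INVALID: minute out of range
```

Running a proposed entry through cron_entry_fires for the times you expect, and for one you do not, is a cheap way to catch the classic mistakes (hour and minute swapped, 1-based months, Sunday as 7) before the entry goes into /etc/cron.d.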
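The backup definitions in 24.6.5 (full saves everything, differential saves what changed since the last full backup, incremental saves what changed since the last backup of any kind, and media must be verified) can be demonstrated end to end with tar in a scratch directory. The script below is an added example, not from the book: it selects files with find -newer against marker files, archives them with tar, and verifies each archive by restoring it and comparing every member with the live copy. The data directory, file contents and fixed timestamps (set with touch -t so the selection is deterministic) are all constructed; the scratch directory stands in for /etc, /home and a backup disk.

```shell
#!/bin/sh
# Full, differential and incremental backups with tar and find -newer.
# Added example for 24.6.5; constructed data, not the book's code.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DATA="$WORK/data"        # stands in for /etc, /home, /var/log, ...
BK="$WORK/backups"       # stands in for the tape or backup disk
mkdir -p "$DATA" "$BK"

# backup NAME STAMP [MARKER]
#   Archive every regular file under DATA (no MARKER) or only the files newer
#   than MARKER, then create NAME.stamp with mtime STAMP (YYYYMMDDhhmm) so later
#   runs can select against this one.
backup() {
    name=$1; stamp=$2; marker=${3:-}
    list="$BK/$name.list"
    if [ -z "$marker" ]; then
        find "$DATA" -type f | sort > "$list"
    else
        find "$DATA" -type f -newer "$marker" | sort > "$list"
    fi
    # store paths relative to WORK so the archive restores anywhere (tar -C)
    sed "s|^$WORK/||" "$list" | (cd "$WORK" && tar -cf "$BK/$name.tar" -T -)
    touch -t "$stamp" "$BK/$name.stamp"
}

# members NAME: archive contents, one per line, sorted
members() { tar -tf "$BK/$1.tar" | sort; }

# verify NAME: restore into a scratch directory and compare every member with
# the live copy; prints the first MISMATCH and returns 1 on any difference
verify() {
    r="$WORK/restore.$1"
    rm -rf "$r" && mkdir -p "$r"
    tar -xf "$BK/$1.tar" -C "$r"
    tar -tf "$BK/$1.tar" | while read -r member; do
        cmp -s "$r/$member" "$WORK/$member" || { echo "MISMATCH $member"; exit 1; }
    done
}

# --- constructed scenario, verified right after each archive is written ----
printf 'a=1\n' > "$DATA/a.conf"; printf 'b=1\n' > "$DATA/b.conf"; printf 'hello\n' > "$DATA/c.txt"
touch -t 202403140100 "$DATA"/*

backup full 202403140200;                   verify full   # full: all three files
printf 'a=2\n' > "$DATA/a.conf"; touch -t 202403140300 "$DATA/a.conf"
backup inc1 202403140400 "$BK/full.stamp";  verify inc1   # incremental 1: a.conf
printf 'b=2\n' > "$DATA/b.conf"; touch -t 202403140500 "$DATA/b.conf"
backup diff 202403140600 "$BK/full.stamp";  verify diff   # differential: a.conf and b.conf
backup inc2 202403140700 "$BK/inc1.stamp";  verify inc2   # incremental 2: b.conf only

for n in full inc1 diff inc2; do
    printf '%-5s %s\n' "$n:" "$(members "$n" | tr '\n' ' ')"
done
```

The differential archive (everything since the full backup) grows with each run while each incremental holds only the latest changes, which is the trade-off the text describes: restoring from differentials needs two archives, restoring from incrementals needs the full backup plus every incremental since. Verifying the full archive again after the live files have changed reports a MISMATCH, which is also the behaviour you want: verification compares the archive with what is on disk now, so it has to be done when the backup is taken.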