RHS333 Network Security Errata and Expansions Page 1
RHEL5u8-en-4-20120312 Draft, Requesting Feedback Updated 09/20/2012
Student Guide Type Detail
xix RHS342 Developing Red Hat Firewall Solutions is no longer on the schedule. Should this be removed
from the coursebook or is it available as a custom request?
p11 This page could use editing for both grammar and sentence structure.
Lab 2.2 TCP Wrappers, Step 4
p55 Replace
[root@serverX+100]# echo "in.telnetd:ALL:/var/mesg/deny" >> etc/hosts.deny
with
[root@serverX+100]# echo "in.telnetd:ALL:twist /var/mesg/deny" >> etc/hosts.deny
Lab 2.2 TCP Wrappers, Step 6.
p55 Use student account to test telnet, since the system does not allow root logins from terminals not configured
as secure. To root telnet from pseudo-terminals (since coming from a VM host), add the following entries:
[root@serverX+100]# vi /etc/securetty
...
pts/0
pts/1
pts/2
pts/3
.... for as many concurrent pseudo-terminals as may be used.
Lab 2.3 xinetd SENSOR traps, Step 3.
p56 Ensure that remaining unrequested options are commented.
Lab 2.4 Understanding file context, Step 5.
p59 scontext service context
tcontext target context
Lab 3.1 Setting up a private Certificate Authority, Step 5.
p85 Enter the CommonName without the quotes: ServerX+100 Certificate Authority
To see the contents of the finished certificate for troubleshooting:
[root@serverX+100 ~]# openssl x509 -in /etc/pki/CA/my-ca.crt -text -noout
Lab 3.3 Signing certificates, Step 5.
p97 Again, run mutt as mary from stationX.
Lab 3.5 Revocation of a license, Step 1.
p99 After importing the CA certificate into Firefox, it will list alphabetically under "Example Inc."
Lab 4.1 Improving named service security, Step 2.
p141
:%s/X+100/116/
Information - extended commentary or notice.
Important - significant commentary or warning.
Edit - typographic corrections, for improved clarity or accuracy.
Error - the exercise or associated software does not perform as documented.
Research - a reference or a reminder for additional research.
No Machine - relevent when running in the Virtual Training environment.
New - added or modified since the previous published errata.
Legend
RHS333 Network Security Errata and Expansions Page 2
RHEL5u8-en-4-20120312 Draft, Requesting Feedback Updated 09/20/2012
Student Guide Type Detail
Lab 4.1 Improving named service security, Step 2.
p141
Restart the service and test on the serverX+100 master server before the stationX slave restart and test. The
lab should be performed in the following order:
Lab 4.1 The lab solution only shows the commands on stationX. Restart on both stationX and serverX+100 before
p143 testing using dig from each system.
Lab 5.1 Step 6.
nisdomainname SERVER116.EXAMPLE.COM
p184
If problem starting ypserv (port conflict), reboot server, which will release rpc ports already handed out.
Or, set up ypserv for another port.
Step 6
p222 Will display nobody nobody
Lab 6.2 Exporting an NFSv4 file system with AUTH_SYS, Step 5.
p224
Although the solution states that the rpc.idmapd error can be safely ignored, the issue may increase the
confusion when other problems occur in this step. The following work-around should be completed before
performing the mount /home/nfs. In the init script find and edit the lockfile variable to read:
[root@serverX+100]# vi /etc/init.d/rpcidmapd
...
prog="rpc.idmapd"
#LOCKFILE=/var/lock/subsys/$prog
LOCKFILE=/var/lock/subsys/rpcidmapd
p228 Step 8
Will again display nfsuser nfsuser
p228 Also stop autofs before the modprobe -r
p315 Connection closed by foreign host
end of table
RHS333 Network Security Errata and Expansions Page 3
RHEL5u8-en-4-20120312 Draft, Requesting Feedback Updated 09/20/2012
INSTRUCTOR CONFIDENTIAL
Instruct Guide Type Detail
Currently, there is no separate Instructor Guide for this course.
end of table
RHS333 Network Security Errata and Expansions Page 4
RHEL5u8-en-4-20120312 Draft, Requesting Feedback Updated 09/20/2012
INSTRUCTOR CONFIDENTIAL
Scope Type Course Comments
Book layout Having both separate unit and overall book page numbering is confusing. Because the per-unit scheme
does not include lab pages, it is necessary to use both schemes during class. As an instructor, I would prefer
having only an overall book page numbering scheme.
Setup Important! Confirm the server1 time after installation. If server1 did not use UTC for a previous class,
then setting UTC during installation will cause the resulting RHEL-displayed time to be wrong. If the time
is not correct, then perform these steps prior to kickstarting any student systems:
[root@server1 ~]# service ntpd stop
[root@server1 ~]# date MMDDhhmm
[root@server1 ~]# vi /etc/sysconfig/clock (to set timezone, if necessary)
[root@server1 ~]# date (to confirm time and timezone)
[root@server1 ~]# hwclock --utc --systohc
[root@server1 ~]# service ntpd start
Setup Like other courses that use VMs, the student virtual machine kickstart configuration files default to the
Central timezone. Either change the kickstart configuration before kickstarting student systems, or have the
student use system-config-date to change the timezone, time and NTP on each VM after first boot.
Kerberos The server1 DNS named reverse lookup is missing all of the serverX+200 systems records. This causes ssh
logins to serverX+200 using kerberos principals to always ask for a password, regardless of any GSSAPI
configuration. These DNS records are missing by design in the RHCSS curriculum for other security
classes. Only if a student asks, add the following records (for 201 to 220) to the 192.168.0.zone file:
201 IN PTR server201.example.com.
202 IN PTR server202.example.com.
. . .
220 IN PTR server220.example.com.
TXT_DB error number 2 is a DB_ERROR_INDEX_CLASH. Two crs requests with the same Common
Name.
end of table