WEBVTT 1 00:00:00.160 --> 00:00:02.879 Welcome to the deep dive. This is where we take 2 00:00:02.919 --> 00:00:07.200 those really comprehensive system administration guides, the ones that are 3 00:00:07.480 --> 00:00:10.320 you know, packed with practical knowledge, and we boil them down. 4 00:00:10.439 --> 00:00:12.519 We focus on the foundations you really have to. 5 00:00:12.439 --> 00:00:16.600 Get right exactly, and today we're tackling red hat enterprise 6 00:00:16.679 --> 00:00:17.879 Linux aid administration. 7 00:00:18.359 --> 00:00:21.440 Our source material is, well, it's a pretty deep guide 8 00:00:21.440 --> 00:00:23.600 to mastering RHL. 9 00:00:23.079 --> 00:00:26.039 Eight right, and our goal here is specific pull out 10 00:00:26.079 --> 00:00:30.120 that essential day one knowledge, the stuff that really defines 11 00:00:30.199 --> 00:00:32.359 professional it work using Linux. 12 00:00:32.520 --> 00:00:35.479 We're going beyond just listing commands. We want the best 13 00:00:35.479 --> 00:00:40.520 practices for the command line, managing users securely, understanding modern 14 00:00:40.520 --> 00:00:41.280 system services. 15 00:00:41.359 --> 00:00:43.479 Yeah, we're aiming for clarity, trying to cut through the 16 00:00:43.560 --> 00:00:46.000 jargon and give you a solid base. We'll cover navigating 17 00:00:46.079 --> 00:00:49.479 the system, how permissions actually work, and you know what 18 00:00:49.719 --> 00:00:52.119 RHL eight does under the hood, because. 19 00:00:51.880 --> 00:00:54.520 Getting these fundamentals right from the start that's key, isn't. 20 00:00:54.320 --> 00:00:58.520 It absolutely critical. It's the difference between a system that 21 00:00:58.640 --> 00:01:01.840 runs smoothly for years and one that just becomes a 22 00:01:01.840 --> 00:01:05.840 tangled mess later on. Doesn't matter if it's physical, VM cloud, 23 00:01:06.680 --> 00:01:08.799 these basics save you headaches down the line. 24 00:01:08.879 --> 00:01:12.239 Okay, let's get into it, starting where every admin spends 25 00:01:12.280 --> 00:01:14.319 their time, the command line. 26 00:01:14.560 --> 00:01:17.879 The shell right, Linux is multi user from the ground up, 27 00:01:18.079 --> 00:01:22.400 and that means understanding the difference between a regular user and. 28 00:01:23.400 --> 00:01:25.439 Well, the boss for Route account. 29 00:01:25.040 --> 00:01:28.760 Precisely, your regular user account operates with limited privileges. But 30 00:01:28.959 --> 00:01:31.959 Root internally known as user ID zero, that's the super user. 31 00:01:32.040 --> 00:01:35.280 It has total control, absolute power over the system. 32 00:01:35.359 --> 00:01:37.159 And there's a really simple visual cue for this, right. 33 00:01:37.280 --> 00:01:38.719 Don't think you have to burn into your brain. 34 00:01:38.879 --> 00:01:41.000 The command prompt, that's it. If you're a regular user, 35 00:01:41.000 --> 00:01:43.560 you see a dollar sign a lot, but if you're 36 00:01:43.640 --> 00:01:46.439 logged in as Root, that prompt changes immediately to the 37 00:01:46.439 --> 00:01:47.640 hash symbol hashtag. 38 00:01:47.760 --> 00:01:48.640 That's the warning sign. 39 00:01:48.719 --> 00:01:52.120 That's the big red flashing light. Seeing that hashtag means 40 00:01:52.159 --> 00:01:56.120 one typo could wreck your system. So extreme caution is mandatory. 41 00:01:56.239 --> 00:01:57.879 No ifs ands or butts. 42 00:01:58.200 --> 00:02:02.200 So if I'm logged in as say myself, a regular user, 43 00:02:02.239 --> 00:02:04.680 and I need to do something administrative or maybe just 44 00:02:04.719 --> 00:02:06.680 switch to another user account temporarily, you. 45 00:02:06.719 --> 00:02:10.840 Use the sum command substitute user. Okay, And here's the kicker. 46 00:02:11.240 --> 00:02:14.280 If you are already Route, you can use SUN to 47 00:02:14.360 --> 00:02:17.199 become any other user on the system just by typing 48 00:02:17.280 --> 00:02:19.879 so username you don't need their password. 49 00:02:20.000 --> 00:02:22.879 Wow. Okay, that really shows the power of root. 50 00:02:23.039 --> 00:02:25.919 It absolutely does, and using SO with the DASH is 51 00:02:25.960 --> 00:02:30.319 important too. It properly initializes the new user's environment, like 52 00:02:30.439 --> 00:02:32.000 environment variables and paths. 53 00:02:32.120 --> 00:02:35.439 Right. Speaking of the environment, let's talk about the Linux philosophy. 54 00:02:35.800 --> 00:02:39.840 Everything is a file, even things like disks or running processes. 55 00:02:39.960 --> 00:02:42.360 Yeah, that's a core concept. Your hard drives show up 56 00:02:42.400 --> 00:02:45.439 under DEV, running process info is under PROC. It's all 57 00:02:45.479 --> 00:02:46.840 represented in the file system. 58 00:02:46.919 --> 00:02:49.240 And before we run commands, effectively, we need to understand 59 00:02:49.360 --> 00:02:52.680 environment variables. You mention them, what are they and like, 60 00:02:52.879 --> 00:02:53.840 how do we see them? 61 00:02:53.879 --> 00:02:57.439 They're basically name settings that control how your shell and 62 00:02:57.560 --> 00:03:01.759 other programs behave. Think of them as personalization. The easiest 63 00:03:01.759 --> 00:03:03.639 way to see one is with the echo command, So 64 00:03:03.879 --> 00:03:06.960 echoshell will tell you which shell program you're actually using 65 00:03:07.120 --> 00:03:08.520 maybe Bash maybe. 66 00:03:08.639 --> 00:03:11.000 And echo path. That one's important. 67 00:03:11.039 --> 00:03:14.759 Crucial. Path is a list of directories. When you type 68 00:03:14.759 --> 00:03:17.919 a command, the shell looks through those directories in order 69 00:03:17.960 --> 00:03:20.360 to find the program. If it's not in your path, 70 00:03:20.400 --> 00:03:22.960 you have to touch the full location like has been 71 00:03:23.039 --> 00:03:24.000 some command. 72 00:03:23.759 --> 00:03:27.199 Got it? So the environment dictates what's easy to run. 73 00:03:27.840 --> 00:03:31.159 Now navigating this file system which starts at the root directory. 74 00:03:31.639 --> 00:03:32.879 Any shortcuts for speed? 75 00:03:33.439 --> 00:03:38.599 Definitely, you absolutely need to know tilled for your home directory, 76 00:03:38.759 --> 00:03:41.039 right for the current directory you're in, and DOTT for 77 00:03:41.080 --> 00:03:43.039 the directory one level up the parent directory. 78 00:03:43.120 --> 00:03:44.479 Standard stuff but essential. 79 00:03:44.680 --> 00:03:49.319 But the real game changer. Bash autocomplete using the tab key. 80 00:03:49.479 --> 00:03:51.800 Ah. Yes, this saves so much time. 81 00:03:51.639 --> 00:03:54.479 It's incredible. Hit tab once and if the command or 82 00:03:54.560 --> 00:03:57.199 file name you started typing is unique, Bash just fills 83 00:03:57.240 --> 00:03:59.960 it in for you instantly, and if it's not unique, 84 00:04:00.080 --> 00:04:03.080 hit tab twice. Bash will then list all the postile 85 00:04:03.080 --> 00:04:07.240 completions right there for you. Works for commands, file names, 86 00:04:07.599 --> 00:04:11.080 directory paths. Everything cuts down typos dramatically. 87 00:04:11.199 --> 00:04:13.199 Don't forget history either, Oh absolutely. 88 00:04:13.360 --> 00:04:15.599 The history command shows you your previous commands. You can 89 00:04:15.599 --> 00:04:18.199 easily rerun complex ones about typing them all over again. 90 00:04:18.360 --> 00:04:19.079 Super useful. 91 00:04:19.240 --> 00:04:21.920 Okay, so we can find commands run them. Now. What 92 00:04:22.000 --> 00:04:25.399 about managing the output? That's where IO redirection comes in 93 00:04:25.480 --> 00:04:26.480 the standard streams. 94 00:04:26.680 --> 00:04:30.439 Yep, there are three main ones. STDOU standard output that's 95 00:04:30.480 --> 00:04:33.800 the normal results of a command. Okay, stir R standal 96 00:04:33.959 --> 00:04:36.839 error that's where error messages go. They're kept separate right, 97 00:04:36.879 --> 00:04:40.079 that's useful, and STDI and standard input, which is where 98 00:04:40.079 --> 00:04:42.199 a command can receive data from. 99 00:04:42.319 --> 00:04:44.879 And we use special symbols to redirect these exactly. 100 00:04:45.160 --> 00:04:49.920 The greater than symbol S sends stdou to a file 101 00:04:50.399 --> 00:04:51.879 overwriting anything already there. 102 00:04:51.959 --> 00:04:53.439 Careful with that one very careful. 103 00:04:53.839 --> 00:04:56.839 Double greater then ed does the same, but appends the 104 00:04:56.879 --> 00:04:58.920 output to the end of the file, which is often 105 00:04:59.000 --> 00:05:00.000 safer and error. 106 00:05:00.279 --> 00:05:02.199 How do we handle STDR. 107 00:05:01.879 --> 00:05:05.079 You use two. The two club refers specifically to stur 108 00:05:05.560 --> 00:05:08.839 so command two air loog dot txt sends only the 109 00:05:08.959 --> 00:05:12.720 error messages to that file, leaving the normal output stdout 110 00:05:13.079 --> 00:05:15.839 on your screen or letting you redirect it elsewhere. 111 00:05:16.000 --> 00:05:19.800 That separation is really powerful for scripting, which brings us 112 00:05:19.839 --> 00:05:23.920 to the pipe operator, the vertical bar ah the pipe. 113 00:05:23.959 --> 00:05:26.920 This is where Linux command line power really shines. It 114 00:05:27.000 --> 00:05:29.959 takes the stdot of the command on its left the 115 00:05:30.040 --> 00:05:33.360 normal output right and directly connects it or pipes it 116 00:05:33.560 --> 00:05:36.000 right into the stdo end of the command on. 117 00:05:35.959 --> 00:05:38.160 Its right, so you can chain commands together. 118 00:05:37.959 --> 00:05:41.360 Precisely without needing temporary files cluttering things up. You gave 119 00:05:41.399 --> 00:05:44.439 a great example earlier finding specific files. 120 00:05:44.079 --> 00:05:45.680 Like counting certain files under source. 121 00:05:45.800 --> 00:05:47.879 Yeah, you can do. Find a source to list everything. 122 00:05:48.199 --> 00:05:51.360 Pipe that output into rep keyword to filter for lines 123 00:05:51.399 --> 00:05:54.879 containing your keyword. Then pipe that output into WCSHL to 124 00:05:54.879 --> 00:05:55.560 count the lines. 125 00:05:55.720 --> 00:06:00.399 Find repwcdshel one line no tem files super efficient. 126 00:06:00.480 --> 00:06:03.920 That's the beauty of it. Small tools chain together incredible. 127 00:06:03.959 --> 00:06:07.439 Okay, let's move into section two, Security and access management. 128 00:06:07.720 --> 00:06:10.639 We've talked about the immense power of root that naturally 129 00:06:10.720 --> 00:06:13.120 leads to needing ways to manage permissions carefully. 130 00:06:13.199 --> 00:06:16.680 It forces you into that least privileged mindset. You just 131 00:06:16.720 --> 00:06:18.959 can't run everything as root. The risk is way too. 132 00:06:18.839 --> 00:06:22.720 High, which brings us to the standard POSX permissions, user group, 133 00:06:23.040 --> 00:06:24.399 other UGO. 134 00:06:24.680 --> 00:06:28.040 Right, every file and directory has an owner, user, and 135 00:06:28.079 --> 00:06:31.800 associated group, and then permissions for others everyone else. 136 00:06:31.879 --> 00:06:35.639 We usually see these as RWX read, write, execute, but 137 00:06:35.720 --> 00:06:39.079 the system often uses numbers octal notation. Quick reminder on. 138 00:06:39.000 --> 00:06:41.639 That ezpz read is four, write is to execute is 139 00:06:41.639 --> 00:06:44.920 one at them up yep sox is four plus two 140 00:06:44.920 --> 00:06:47.600 plus one annual seven artipsx is four plus zero plus 141 00:06:47.639 --> 00:06:49.720 one E plus five r is just four. So a 142 00:06:49.759 --> 00:06:52.199 common permission like rwxrxrx is. 143 00:06:52.240 --> 00:06:55.279 Seven for the user r wx five for the group 144 00:06:55.639 --> 00:06:59.040 RFX and five for others RX. So seven fifty five 145 00:06:59.160 --> 00:07:02.240 you got it. Seven. Now there are some special permissions too. 146 00:07:02.560 --> 00:07:06.720 What's one administrators really need to understand, especially regarding shared directories. 147 00:07:06.879 --> 00:07:08.839 Ah, you're probably thinking of the sticky bit. 148 00:07:08.959 --> 00:07:11.120 That's the one represented by a t right. 149 00:07:11.319 --> 00:07:14.120 You often see it on world writable directories like TAMP. 150 00:07:14.360 --> 00:07:16.920 When the sticky bit is set on a directory, it 151 00:07:17.079 --> 00:07:20.199 changes the rules slightly. How So, even if everyone has 152 00:07:20.279 --> 00:07:23.319 right permission in the directory, a user can only delete 153 00:07:23.480 --> 00:07:26.439 or rename files that they themselves own inside that directory, 154 00:07:26.560 --> 00:07:28.480 or the owner of the directory can of course. 155 00:07:28.279 --> 00:07:31.199 So it stops users from messing with each other's files 156 00:07:31.240 --> 00:07:32.959 in a shared space like TIAM. 157 00:07:32.959 --> 00:07:37.399 Exactly prevents accidental or malicious deletion of files you didn't create. 158 00:07:37.839 --> 00:07:41.240 Okay, So to maintain that least privilege idea, we don't 159 00:07:41.279 --> 00:07:45.160 want users logging in as root all the time or 160 00:07:45.199 --> 00:07:46.519 even using sue constantly. 161 00:07:46.720 --> 00:07:50.720 That's where pseudo comes in precisely. Pseudo superrouser do it 162 00:07:50.839 --> 00:07:54.000 lets a permitted user run a specific command as another user, 163 00:07:54.160 --> 00:07:55.079 usually as root. 164 00:07:55.439 --> 00:07:56.839 And the key difference from just using. 165 00:07:56.759 --> 00:08:00.920 Sue auditability pseudologs who ran what can when and as 166 00:08:00.959 --> 00:08:04.279 whom it's all about accountability. Using SUE to become root 167 00:08:04.360 --> 00:08:06.680 gives you a rootshell, and then it's harder to track 168 00:08:06.759 --> 00:08:10.279 exactly which commands we're run with elevated privileges. 169 00:08:09.680 --> 00:08:11.680 And by default, who gets to use pseudo? 170 00:08:11.920 --> 00:08:15.439 By default in RHL, root can use it naturally and 171 00:08:15.480 --> 00:08:18.920 any members of the administrative wheel group. So managing membership 172 00:08:18.920 --> 00:08:21.600 of the wheel group is a key security control point. 173 00:08:21.680 --> 00:08:25.279 It makes sense now managing the users themselves over time 174 00:08:26.120 --> 00:08:30.040 life cycle management. How do we enforce things like password changes? 175 00:08:30.560 --> 00:08:33.960 RHL provides the change command for that change age. Okay, 176 00:08:34.120 --> 00:08:37.240 you use it to set password aging policies for users. 177 00:08:37.720 --> 00:08:41.240 Key options are dash M for the maximum number of 178 00:08:41.360 --> 00:08:42.720 days a pathword. 179 00:08:42.320 --> 00:08:44.240 Is valid before they must change it right. 180 00:08:44.960 --> 00:08:47.080 H i S sets how many days the account can 181 00:08:47.080 --> 00:08:50.360 be inactive after password expiry before it gets locked automatically. 182 00:08:50.720 --> 00:08:53.720 Enforcing these really helps maintain security hygiene definitely. 183 00:08:53.799 --> 00:08:57.080 It protects against stale accounts and forces regular password updates. 184 00:08:57.120 --> 00:08:59.039 And what if you need to lock an account immediately, 185 00:08:59.600 --> 00:09:01.120 say someone leaves the company? 186 00:09:01.240 --> 00:09:03.759 Quickest way is user mod dash L username. 187 00:09:03.960 --> 00:09:06.000 The ash L is for a lock and what does 188 00:09:06.039 --> 00:09:09.440 that actually do under the hood? Is there something visible yep. 189 00:09:09.960 --> 00:09:12.200 If you were to look in the accept shadow file 190 00:09:12.320 --> 00:09:16.000 where the encrypted password hashes are stored, locking the account 191 00:09:16.240 --> 00:09:19.440 inserts an exclamation mark ah right at the beginning of 192 00:09:19.440 --> 00:09:20.360 the password hash. 193 00:09:20.159 --> 00:09:22.679 Field AH, so it invalidates. 194 00:09:22.120 --> 00:09:25.559 The hash exactly, makes it impossible to authenticate with that 195 00:09:25.600 --> 00:09:29.080 password until an admin unlocks it using user mod dushu. 196 00:09:29.519 --> 00:09:31.320 It's instant and effective. 197 00:09:31.600 --> 00:09:35.000 Okay, fascinating. Let's move into section three the more modern 198 00:09:35.039 --> 00:09:38.919 system operations in RHL eight. Let's talk systemed. It replaced 199 00:09:38.919 --> 00:09:41.759 the older in its systems. Why was that necessary? What 200 00:09:41.840 --> 00:09:42.759 problem did it solve? 201 00:09:42.919 --> 00:09:45.919 The big one was boot time. Older systems like cisvin 202 00:09:45.960 --> 00:09:49.480 it booted sequentially. Service A had to fully start and 203 00:09:49.559 --> 00:09:53.879 report success before service B could even begin loading, creating bottlenecks, 204 00:09:53.960 --> 00:09:57.120 huge bottlenecks, especially on systems with many services. It led 205 00:09:57.120 --> 00:10:00.759 to really long boot times. System, which runs as PID one, 206 00:10:00.840 --> 00:10:03.480 the very first process started by the kernel, tackles this 207 00:10:03.840 --> 00:10:05.000 using parallel processing. 208 00:10:05.120 --> 00:10:06.480 It manages things through units. 209 00:10:06.720 --> 00:10:09.720 That's the core concept. Everything system manages is a unit. 210 00:10:10.120 --> 00:10:13.960 There are service units for demons, socket units for network sockets, 211 00:10:14.200 --> 00:10:16.759 target units, which are like groups of other units similar 212 00:10:16.759 --> 00:10:18.360 to run levels. Timer units. 213 00:10:18.399 --> 00:10:19.759 Timer units what are those? For? 214 00:10:20.080 --> 00:10:23.960 System? Timers are essentially the modern integrated way to run 215 00:10:24.080 --> 00:10:29.000 jobs periodically. They replace the traditional Kron demon for many tasks. 216 00:10:29.120 --> 00:10:33.039 Uh, like cron jobs, but managed by systems. Yeah. Any 217 00:10:33.080 --> 00:10:33.919 common examples. 218 00:10:34.120 --> 00:10:37.440 A good one is f strem dot timer on systems 219 00:10:37.440 --> 00:10:40.559 with SSDs. This timer usually runs weekly to trigger the 220 00:10:40.639 --> 00:10:43.919 strum command, which tells the SSD controller which blocks are 221 00:10:43.919 --> 00:10:48.080 no longer in use, helping maintain performance. It's managed entirely. 222 00:10:47.679 --> 00:10:50.600 By systems, so more robust than Kron. 223 00:10:50.440 --> 00:10:54.679 Perhaps generally Yes, better logging, integration, dependency management, that kind 224 00:10:54.679 --> 00:10:54.919 of thing. 225 00:10:55.000 --> 00:10:59.759 Okay, let's pivot slightly. Time synchronization. Why is having accurate 226 00:10:59.759 --> 00:11:01.919 time so critical on network systems? 227 00:11:02.039 --> 00:11:05.200 Oh, it's non negotiable. Think about logs. If your server's 228 00:11:05.240 --> 00:11:08.600 clocks are out of sync, correlating events across machines to 229 00:11:08.639 --> 00:11:12.799 troubleshoot an issue becomes a nightmare maybe impossible, And many 230 00:11:12.799 --> 00:11:17.759 security protocols like cerberos rely heavily on tightly synchronized time. 231 00:11:18.200 --> 00:11:22.519 If clocks drift too far apart, authentication just fails. Financial 232 00:11:22.600 --> 00:11:26.840 transactions databases, accurate time is fundamental. 233 00:11:26.360 --> 00:11:28.679 And our HL eight uses crony for this. 234 00:11:29.000 --> 00:11:33.679 Yes, Crony is the default NTP Network Time Protocol client 235 00:11:33.799 --> 00:11:34.240 and server. 236 00:11:34.759 --> 00:11:37.600 Now, there's something interesting about how CRONY handles time adjustments, 237 00:11:37.639 --> 00:11:39.279 isn't there. It doesn't just jump the clock. 238 00:11:39.399 --> 00:11:42.240 That's a key insight. Yeah, Crony is designed to be 239 00:11:42.399 --> 00:11:45.600 very application friendly. After it gets an initial sink, if 240 00:11:45.639 --> 00:11:48.879 it detects the system clock is drifting, it generally avoids 241 00:11:48.879 --> 00:11:51.320 making a sudden, large jump or stepping the clock. 242 00:11:51.480 --> 00:11:52.440 What does it do instead? 243 00:11:52.559 --> 00:11:55.639 It slightly adjusts the rate at which the system clock runs, 244 00:11:55.919 --> 00:11:59.159 making it run a tiny bit faster or slower until 245 00:11:59.200 --> 00:12:01.480 it smoothly convert with the reference time source. 246 00:12:01.639 --> 00:12:03.720 So it maintains a continuous flow of time from the 247 00:12:03.759 --> 00:12:05.200 OS and application. 248 00:12:04.759 --> 00:12:07.919 Perspective, exactly, it prevents those sudden time shifts that could 249 00:12:07.960 --> 00:12:11.799 confuse applications that rely on steady time progression, like databases 250 00:12:12.000 --> 00:12:15.720 or real time monitoring systems. It prioritizes continuity. 251 00:12:15.919 --> 00:12:20.080 Very clever. Okay, last bit in this section basic resource checks. 252 00:12:20.679 --> 00:12:21.919 What are the go to commands? 253 00:12:22.200 --> 00:12:24.559 For a quick look? Free gives you memory and swap 254 00:12:24.720 --> 00:12:29.039 usage and df disc free shows you disk space usage 255 00:12:29.240 --> 00:12:33.200 per file system usually DFH for human readable sizes. 256 00:12:33.360 --> 00:12:36.279 Simple but essential. Now what happens when the system runs 257 00:12:36.320 --> 00:12:37.039 at a RAM. 258 00:12:37.159 --> 00:12:39.720 There's something called the O and killer ah, yes, the 259 00:12:39.840 --> 00:12:42.879 out of memory killer. When the kernel detects its critically 260 00:12:42.879 --> 00:12:46.080 low on memory, the OM killer activates. Its job is 261 00:12:46.120 --> 00:12:48.720 to pick one or more processes and terminate them to 262 00:12:48.799 --> 00:12:52.279 free up memory and hopefully save the system from crashing entirely. 263 00:12:52.519 --> 00:12:54.519 But it can pick the wrong process, right, I've heard 264 00:12:54.559 --> 00:12:55.240 horror stories. 265 00:12:55.360 --> 00:12:58.600 It absolutely can. The OM killer uses heuristics, but it 266 00:12:58.679 --> 00:13:01.480 might kill your critical dayatabase to save a less important 267 00:13:01.480 --> 00:13:04.759 web server worker, for example. It prioritizes freeing memory and 268 00:13:04.840 --> 00:13:07.200 not necessarily preserving the most important service. 269 00:13:07.440 --> 00:13:10.159 So why would an admin sometimes choose to make the 270 00:13:10.200 --> 00:13:12.200 system crash instead using panic. 271 00:13:12.440 --> 00:13:16.799 It sounds counterintuitive, but in some high availability scenarios, a 272 00:13:16.879 --> 00:13:21.799 controlled crash is better than unpredictable behavior. Setting paticonum tells 273 00:13:21.840 --> 00:13:24.799 the kernel, if you run out of memory, just panic 274 00:13:24.840 --> 00:13:26.679 and crash the whole system immediately. 275 00:13:26.879 --> 00:13:27.679 Why is that better? 276 00:13:27.759 --> 00:13:30.960 Because a crash often generates a core dump, a snapshot 277 00:13:31.000 --> 00:13:33.720 of the system's memory state at the time of failure. 278 00:13:34.320 --> 00:13:37.440 This gives you detailed forensic data to analyze why it 279 00:13:37.519 --> 00:13:40.679 ran out of memory. Letting the OME killer randomly killed 280 00:13:40.720 --> 00:13:43.279 processes can lead to a cascade of failures that's much 281 00:13:43.279 --> 00:13:46.279 harder to diagnose after the fact. It's about getting reliable 282 00:13:46.360 --> 00:13:47.320 data from the failure. 283 00:13:47.440 --> 00:13:50.399 Okay, that makes sense in critical environments. Let's move to 284 00:13:50.440 --> 00:13:54.480 our last section, Section four. Hardening and newer technologies. Standard 285 00:13:54.480 --> 00:13:59.320 file permissions ugorics are called discretionary access control or DAC. 286 00:14:00.039 --> 00:14:00.679 What is selenic? 287 00:14:00.720 --> 00:14:04.279 Adding on top of that, Selenic Security Enhanced Linux provides 288 00:14:04.360 --> 00:14:09.080 mandatory Access control MAC. It's an additional layer of security enforcement, 289 00:14:09.120 --> 00:14:11.679 managed by policy, not just by the file owner. 290 00:14:12.200 --> 00:14:13.720 How does it work? Conceptually? 291 00:14:14.000 --> 00:14:17.559 It works by confining processes. Each process runs in a 292 00:14:17.600 --> 00:14:22.480 specific security context or domain, like HTTDT for the Apache webserver. 293 00:14:23.120 --> 00:14:28.200 SELNX policy then dictates exactly what resources, files, ports, other 294 00:14:28.279 --> 00:14:31.639 processes a process in that context is allowed to interact 295 00:14:31.679 --> 00:14:34.320 with regardless of the standard Linux permissions. 296 00:14:34.639 --> 00:14:37.759 So even if a file is world readable, SELENICX might 297 00:14:37.799 --> 00:14:40.200 stop the webserver from reading it if the policy doesn't 298 00:14:40.200 --> 00:14:40.559 allow it. 299 00:14:40.759 --> 00:14:44.240 Precisely, it enforces the principle of least privilege at a 300 00:14:44.279 --> 00:14:47.200 much deeper level based on system wide policy. 301 00:14:47.600 --> 00:14:51.960 Now, SELinux has a reputation, let's say, for causing headaches 302 00:14:52.000 --> 00:14:54.799 during troubleshooting, the temptation is just to turn it off. 303 00:14:55.000 --> 00:14:56.519 Why is that usually a terrible. 304 00:14:56.240 --> 00:14:59.240 Idea because you're essentially disabling a massive part of the 305 00:14:59.240 --> 00:15:03.600 system's defense. Most Selenix problems aren't bugs in silinicx itself. 306 00:15:03.759 --> 00:15:07.679 They're usually caused by files having the wrong security context label, like. 307 00:15:07.639 --> 00:15:09.840 If you moved web content into placing. 308 00:15:09.519 --> 00:15:13.000 Correctly exactly, or installed software in a non standard location. 309 00:15:13.559 --> 00:15:16.559 The fix isn't set in forth zero disabling it. The 310 00:15:16.600 --> 00:15:19.600 fix is usually to restore the correct file context using 311 00:15:19.600 --> 00:15:23.039 restore con or maybe tweak a specific policy rule using 312 00:15:23.080 --> 00:15:25.960 sale Linux booleians sets you bul or the semanaged tool. 313 00:15:26.279 --> 00:15:28.960 Disabling it leaves you far more vulnerable. If a service 314 00:15:29.039 --> 00:15:30.399 is compromised, learn. 315 00:15:30.240 --> 00:15:33.360 To troubleshoot it, don't just disable it. Yeah, got it? Okay? 316 00:15:33.360 --> 00:15:38.759 Remote access SSH secure shell It replaced older insecure things 317 00:15:38.799 --> 00:15:39.879 like Telnet and FTP. 318 00:15:40.080 --> 00:15:43.080 Right absolutely. SSH is the standard for secure remote log 319 00:15:43.120 --> 00:15:44.000 in and file transfer. 320 00:15:44.080 --> 00:15:47.519 And while passwords work, what's the better, more secure and 321 00:15:47.639 --> 00:15:49.440 automation friendly way to authenticate? 322 00:15:49.679 --> 00:15:52.720 Key based authentication? Public key cryptography. 323 00:15:52.840 --> 00:15:53.440 How does that work? 324 00:15:53.519 --> 00:15:56.480 Briefly, you generate a pair of keys, a private key, 325 00:15:56.519 --> 00:15:58.720 which you keep secret and secure on your client machine 326 00:15:59.000 --> 00:16:01.200 and a public key which you copy to the server, 327 00:16:01.360 --> 00:16:04.240 usually into the dotsch authorized keys file in your home directory. 328 00:16:04.240 --> 00:16:06.600 There and the server uses the public key to verify 329 00:16:06.720 --> 00:16:09.279 you have the private key without the private key ever, 330 00:16:09.360 --> 00:16:09.960 leaving your. 331 00:16:09.840 --> 00:16:13.720 Machine correct no passwords flying over the network. Much more secure. 332 00:16:14.159 --> 00:16:16.559 But there's the catch with permissions es. 333 00:16:17.159 --> 00:16:18.879 SSH is picky, very picky. 334 00:16:19.320 --> 00:16:21.840 Your eight ish directory on the server must have strict 335 00:16:21.840 --> 00:16:25.960 permissions usually seven hundred only owner access, and the authorized 336 00:16:26.000 --> 00:16:29.039 keys file itself should be readable only by you, like 337 00:16:29.080 --> 00:16:32.960 six hundred. If permissions are too open, SSH will refuse 338 00:16:33.000 --> 00:16:35.159 to use the keys as a security measure. 339 00:16:35.240 --> 00:16:37.840 Good tip. Finally, let's touch on containers. They give you 340 00:16:37.960 --> 00:16:41.960 process isolation kind of like VMS, but lighter weight. RHL 341 00:16:42.000 --> 00:16:45.720 eight focuses on tools like Podman, build a SCOPEO. What's 342 00:16:45.759 --> 00:16:47.919 the main security angle here, especially with Podman. 343 00:16:48.120 --> 00:16:51.080 The big push with Podman is rootless containers. This is 344 00:16:51.159 --> 00:16:55.240 a significant security improvement over say, the traditional Docker model, 345 00:16:55.399 --> 00:16:57.720 which relied on a root privileged demon So. 346 00:16:57.799 --> 00:17:00.919 Podman can run containers without needing root pleges itself. 347 00:17:01.039 --> 00:17:04.759 Yes, you can run containers entirely as a regular unprivileged user. 348 00:17:05.039 --> 00:17:07.960 This means if a process inside the container somehow escapes 349 00:17:08.039 --> 00:17:11.119 or gets compromised, the attacker is contained as that regular 350 00:17:11.200 --> 00:17:14.000 user on the host system, not as route. It dramatically 351 00:17:14.079 --> 00:17:15.279 shrinks the attack surface. 352 00:17:15.599 --> 00:17:18.440 That's a huge win. So podman runs them. What about 353 00:17:18.480 --> 00:17:19.559 BUILDA and SCOPEO. 354 00:17:19.920 --> 00:17:24.200 BUILDA is specifically designed for building container images, often using 355 00:17:24.400 --> 00:17:28.119 definition files called container files, similar to Docker files. It's 356 00:17:28.160 --> 00:17:31.160 focused just on the build process, okay. And SCOPEO is 357 00:17:31.200 --> 00:17:34.640 a utility for working with container images on remote registries. 358 00:17:35.000 --> 00:17:38.440 You can use it to inspect images, copy them between registries, 359 00:17:38.480 --> 00:17:41.400 delete them all without needing to pull the entire image 360 00:17:41.440 --> 00:17:44.640 down locally or run a full container engine. It's about 361 00:17:44.680 --> 00:17:45.480 image management. 362 00:17:45.759 --> 00:17:50.400 So podman build a SCOPEO plus red Hat's Universal Base 363 00:17:50.440 --> 00:17:54.000 image UBI. That's the RAHL stack for containers. 364 00:17:54.119 --> 00:17:56.000 That's the modern secure stack. 365 00:17:56.079 --> 00:17:58.240 Yes wow, okay, We've covered a lot of ground there, 366 00:17:58.279 --> 00:18:01.200 from the absolute basics of the shell and user identity, 367 00:18:01.480 --> 00:18:05.960 through permissions, pseudo, the whole system of architecture, timekeeping, resource monitoring, 368 00:18:06.119 --> 00:18:09.240 and then into advanced hardening with selnux, SSH keys and 369 00:18:09.279 --> 00:18:10.400 secure contenter tooling. 370 00:18:10.559 --> 00:18:13.720 It really shows how these foundational pieces build on each other. 371 00:18:14.359 --> 00:18:18.759 Understanding the shell enable scripting. Understanding permissions enables Pseudo and SELinux. 372 00:18:19.400 --> 00:18:23.799 Understanding systems helps you manage the services running inside containers. 373 00:18:24.200 --> 00:18:25.000 It's all connected. 374 00:18:25.160 --> 00:18:29.200 The journey from just using Linux to really administering it 375 00:18:29.240 --> 00:18:34.720 effectively hinges on grasping these fundamentals. How it boots, manages resources, 376 00:18:34.799 --> 00:18:35.720 enforces security. 377 00:18:35.799 --> 00:18:39.079 Absolutely. That core understanding is what lets you solve complex 378 00:18:39.119 --> 00:18:39.839 problems later. 379 00:18:40.359 --> 00:18:42.319 So before we wrap up, let's leave you with that 380 00:18:42.400 --> 00:18:45.720 final provocative thought, the ultimate break glass in case of 381 00:18:45.759 --> 00:18:50.200 emergency knowledge, what happens if you completely lose the root password? 382 00:18:50.599 --> 00:18:53.160 How do you recover access without reinstalling everything? 383 00:18:53.359 --> 00:18:56.240 Ah, the ultimate test of system understanding. The sources point 384 00:18:56.279 --> 00:18:59.160 to intervening very early in the boot process, within the 385 00:18:59.200 --> 00:19:00.640 grub boot loader. 386 00:19:00.400 --> 00:19:03.359 Menu, before Linux even really starts exactly. 387 00:19:03.039 --> 00:19:05.839 You edit the kernel's boot parameters before it loads. You 388 00:19:05.880 --> 00:19:08.119 add the parameter dot break to the end of the kernel. 389 00:19:07.880 --> 00:19:09.519 Line word dot break. What does that do? 390 00:19:09.960 --> 00:19:12.759 It tells the system to pause the boot process very 391 00:19:12.759 --> 00:19:16.319 early on, before it mounts the main root file system ReadWrite, 392 00:19:16.599 --> 00:19:20.240 and before it loads security policies like selenux. It drops 393 00:19:20.279 --> 00:19:24.039 you into a minimal emergency shell, and from there, from 394 00:19:24.039 --> 00:19:26.799 that minimal shell, the actual root file system is usually 395 00:19:26.839 --> 00:19:29.680 mounted read only under sysroute. You need to remind it 396 00:19:29.759 --> 00:19:34.359 read write mount rosis route. Then you use croute cisroute 397 00:19:34.400 --> 00:19:37.599 to change your root directory into the real system's root. 398 00:19:37.880 --> 00:19:41.000 So now you're effectively operating inside your main system, but 399 00:19:41.079 --> 00:19:43.079 without the usual security constraints. 400 00:19:43.119 --> 00:19:45.960 Active yet correct, and then you can simply run the 401 00:19:45.960 --> 00:19:48.799