20061023

From Wsms




Monday Oct 23 2006

Joe tells us about the advantages of being enrolled in this course: some software companies give really good discounts to the students.


What happens when our Linux system starts

We have already learned how to recover a system in Windows. Now we will do it in Linux. Remember about Microsoft:
If you have a multi-boot system pointing to the correct partition, you can look at the hidden files of the correct partition and examine how those files work.
Remember that in boot.ini there are different kinds of notations for a partition within a specific drive.
Linux generally uses grub as a bootloader. There is also an older Linux boot loader called lilo.

The grub command and the grub file

Grub has an associated configuration file, /etc/grub.conf.
To change this file, the command is grub
Some other things done to the system could change the grub file. For example, when the user updates the Linux Kernel, what's going to happen is that the update program will store a copy of a new kernel, to load the next time you reboot your system.

Examining the /etc/grub.conf file

We will find that the grub file has been generated by Anaconda.
Anaconda is the installation program (the graphical installation program associated with Linux today).
default=0 identifies which series of lines is used within the timeout specified below (timeout=5). If the default is 0, the kernel used will be the first one after the word "hiddenmenu", but if something is upgraded, this default could change to point at the place where the kernel-to-load is.
After that, you find sections that have different names and are added each time the kernel is updated. If you have problems rebooting the system, you can tab to an earlier kernel that has been loaded before. (But the chances of that happening are very small.)
The comments tell you on which partition these files are saved. The user has to be very, very careful when examining and dealing with that partition.

Examining processes in Linux

There is a tutorial that explains the boot process: http://www.yolinux.com/TUTORIALS/LinuxTutorialInitProcess.html
The init process is a parent process that is the equivalent of svchost in Windows.

The ps command

When the user types ps, they see fields showing the process id and the terminal associated with each process.
The ps ax command is the Linux equivalent of the task manager in Windows.
In Windows, we are interested in knowing which process is using more resources from the system.

The top command

Tells about memory use, about users, resources, etc. To get out of it, you can use the q key. For further information, take a look at the manual. You can kill processes using the kill command. Joe suggests that we spend a lot of time with the manual of all the commands we have discussed, but especially with this one. So, as homework, type

man top


and study a lot.

The pstree command

Init starts the process tree. It starts one process called sshd (the secure shell daemon). One is started for each attempt to log in to the system. From there a tree situation starts, which can be explored with pstree.
A zombie process
It used to be a portion of the ps tree that had no way of being traced back to the beginning. Nowadays it is not frequent, because there is a portion of the kernel called kflushd that works all the time getting rid of those zombie processes.
To see the process id, the option is -p.
Process ids are assigned only once until process number 32767 has been reached. Once this number is reached, the system begins to reuse the process numbers.
Since a Linux system is usually on and running for long periods of time (sometimes months and even years), it is very likely that id numbers get reused.
One way to find out whether the webserver is running is to look for the processes associated with the server. You type ps ax, and it will list all the processes. If the webserver is running you should see the processes associated with the webserver. You identify them because they have the string "httpd" somewhere in them.
To look for email services, you can grep the ps ax output, looking for the string "sendmail" in it.
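The "ps ax, then look for httpd or sendmail" check from the notes, written as a small script (this is an added example, not part of the original notes). The ps listing is a constructed sample so it runs offline; the function names count_daemon and daemon_running are my own, and the code also handles the classic false positive where the grep process matches itself:

```sh
#!/bin/sh
# Added example: check for a running daemon the way the notes describe
# (ps ax, then look for "httpd" or "sendmail" in the listing).

# Constructed sample of `ps ax` output so the script runs offline.
# The last line is the grep process that a naive `ps ax | grep httpd`
# would wrongly count as an httpd process.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 init [3]
 1234 ?        Ss     0:00 /usr/sbin/httpd
 1235 ?        S      0:00 /usr/sbin/httpd
 2048 ?        Ss     0:00 sendmail: accepting connections
 3001 pts/0    R+     0:00 grep httpd'

# count_daemon NAME [PS_OUTPUT]
# Prints how many listed processes have NAME in their COMMAND column.
# With no second argument it captures a live `ps ax`.  The listing is
# captured before grep runs, and lines whose command is grep itself are
# dropped, so the grep process cannot count as a false positive.
count_daemon() {
    name=$1
    listing=${2:-$(ps ax)}
    printf '%s\n' "$listing" | awk -v n="$name" '
        NR > 1 && $5 != "grep" {
            cmd = ""
            for (i = 5; i <= NF; i++) cmd = cmd " " $i
            if (index(cmd, n)) c++
        }
        END { print c + 0 }'
}

# daemon_running NAME [PS_OUTPUT]: exit status 0 if at least one match.
daemon_running() {
    [ "$(count_daemon "$1" "$2")" -gt 0 ]
}

# Stand-alone demonstration on the constructed listing.
for d in httpd sendmail named; do
    if daemon_running "$d" "$SAMPLE_PS"; then
        echo "$d: running ($(count_daemon "$d" "$SAMPLE_PS") process(es))"
    else
        echo "$d: not found"
    fi
done
```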

Modifying the system

In the oooold days, it was necessary to modify scripts, recompile them, and then link them to some libraries. Nowadays, it's not necessary to do all those steps.
When you install the system, you will have everything you need, but sometimes you need to make modifications to the kernel that is running inside your system. You have two commands to do this, and they will be discussed below. These commands have been used for a long time, and the reason is that it is easier to use tape drives to restore backups when you have modified the system with these two commands.
Sometimes you have to reload and recompile the kernel to make dramatic changes in the system, such as raising the maximum number of files the system can have open at one time.

The service command

We will deal with services, which are applications that start automatically when the system starts.
The services run at the runlevel at which they get started. They are popular targets for attack. In the Windows environment we run the "services" program.
In Windows it is frequently necessary to restart services, because most of the time, to make changes to configuration files that have an impact on the machine, the service associated with the configuration file must be restarted.
In Linux we have the same concepts: service, enable, disable, start automatically, start manually, etc.
To do that, we use the /sbin/service command, followed by the service to modify (xxx), and one argument like stop, start, or restart.
The automatic part of this is that we can start up the system in a number of different modes (single user, text-based mode, and so on). Those levels are listed in the file /etc/inittab (we have also taken notes about it before: http://wsms.wikiplanet.com/mediawiki/index.php/20061010#Runlevels_in_Linux).
To install things in Linux, we use yum (http://wsms.wikiplanet.com/mediawiki/index.php/20061013#Yum_command).
We also have commands to modify how things work: chkconfig and setup. We will use and discuss the setup command later in this course.

The /sbin/chkconfig command

It shows a list of services that are running.
Type /sbin/chkconfig --list | less
and you will obtain a list of processes divided into columns:
The first column has the id of the process.
The second column onward covers runlevels 0 to 6, and says whether this process is "on" at that level.
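Since services that start automatically are the usual targets, it is useful to pull out of chkconfig --list exactly which ones are "on" at the runlevel you boot into. This is an added example, not from the notes: the chkconfig output is a constructed sample (in the real output the first column is the service name), and the function names services_on and count_on are my own:

```sh
#!/bin/sh
# Added example: find which services chkconfig would start at a given
# runlevel, from the column layout the notes describe.

# Constructed sample of `chkconfig --list` output (offline stand-in).
# Column 1 is the service name; columns 2-8 are "N:on" / "N:off" for
# runlevels 0-6.  The trailing xinetd section has a different shape.
SAMPLE_CHKCONFIG='httpd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
sendmail       0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups           0:off 1:off 2:off 3:off 4:off 5:on  6:off
xinetd based services:
        telnet: on
        echo:   off'

# services_on RUNLEVEL [LISTING]: prints, one per line, the services that
# are "on" at RUNLEVEL.  Without LISTING it runs the real chkconfig.
services_on() {
    level=$1
    listing=${2:-$(/sbin/chkconfig --list)}
    printf '%s\n' "$listing" | awk -v lvl="$level" '
        NF == 8 {                     # name + 7 runlevel columns only
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == lvl && kv[2] == "on") print $1
            }
        }'
}

# count_on RUNLEVEL [LISTING]: number of services enabled at that runlevel.
count_on() {
    services_on "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demonstration: what starts in the usual text-mode runlevel 3.
echo "Services on at runlevel 3:"
services_on 3 "$SAMPLE_CHKCONFIG"
echo "Total: $(count_on 3 "$SAMPLE_CHKCONFIG")"
```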

The setup command

There is a command called "setup" that brings you a very old-fashioned "graphical environment" to set up the system.
The environment variable that tells the system how to deal with graphics is the LANG variable.
Once you make a change, you don't need to reboot the system; it is better to do the following:
service xxxx start
It is necessary to know how the system implements these features.

The /etc/rc.d folder

In Red Hat, there is a folder called /etc/rc.d. In that folder, there is a sub-folder for at least each runlevel.
Exploring /etc/rc.d/rc3.d, we find a lot of scripts. By convention, all those script names begin with a capital S or K, which indicates whether the script starts or kills a service. Then you find two digits, which is the sequence number in which the script is run when you start or shut down the system.
So, what the providers of Linux have done for you is that they started a file, actually the /etc/rc.d/rc.local file, that can contain executable commands and is the last thing run when the kernel has been loaded.
When the system needs something to start automatically, it puts a script into this folder, and those scripts are loaded the next time the system reboots.
If you want to see whether a service is loaded automatically, you can ls that folder and see the script that starts that service.
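The S/K-plus-number naming convention decides the order in which services come up, which matters when you audit what a box starts on its own. As an added example (not from the notes), the following decodes a constructed ls /etc/rc.d/rc3.d listing; the function names rc_scripts and starts_before are my own:

```sh
#!/bin/sh
# Added example: decode the S/K + two-digit naming convention of the
# /etc/rc.d/rcN.d scripts the notes describe.

# Constructed sample of `ls /etc/rc.d/rc3.d` output (offline stand-in).
SAMPLE_RC3='K05saslauthd
K20nfs
K50netdump
S08iptables
S10network
S12syslog
S55sshd
S80sendmail
S85httpd
S99local'

# rc_scripts ACTION [LISTING]: ACTION is S (start) or K (kill).  Prints
# "NN name" lines in the order the system runs them (ascending number).
# Without LISTING it reads the real rc3.d directory.
rc_scripts() {
    action=$1
    listing=${2:-$(ls /etc/rc.d/rc3.d)}
    printf '%s\n' "$listing" | awk -v a="$action" '
        substr($0, 1, 1) == a && substr($0, 2, 2) ~ /^[0-9][0-9]$/ {
            print substr($0, 2, 2), substr($0, 4)
        }' | sort -n
}

# starts_before A B [LISTING]: exit 0 if service A is started before B.
starts_before() {
    rc_scripts S "$3" | awk -v a="$1" -v b="$2" '
        $2 == a { ia = NR }
        $2 == b { ib = NR }
        END { exit !(ia && ib && ia < ib) }'
}

# Stand-alone demonstration on the constructed listing.
echo "Start order at runlevel 3:"
rc_scripts S "$SAMPLE_RC3"
if starts_before network httpd "$SAMPLE_RC3"; then
    echo "network comes up before httpd, as expected"
fi
```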

The rmmod command

