Unit 5 - Subjective Questions
CSC202 • Practice Questions with Detailed Answers
Explain the concept of Firewalld in Linux and describe the significance of 'Zones'.
Firewalld is a dynamically managed firewall daemon for Linux systems, with support for network/firewall zones that define the trust level of network connections or interfaces.
Significance of Zones:
- Definition: Zones represent the trust level of the interface used for a connection. Each zone has its own set of rules.
- Common Zones:
  - Drop: Any incoming network packets are dropped with no reply. Only outgoing network connections are possible.
  - Block: Incoming network connections are rejected with an `icmp-host-prohibited` message.
  - Public: For use in public areas. You do not trust the other computers on the network, but selected incoming connections are accepted.
  - Work/Home: For use in work or home areas where you mostly trust the other computers.
  - Trusted: All network connections are accepted.
- Management: Administrators can assign network interfaces to specific zones using `firewall-cmd`.
List and explain five key steps to harden a Linux system to enhance security.
Hardening a Linux system involves reducing the surface of vulnerability. Key steps include:
- User Management: Enforce strong password policies, disable root login via SSH, and use `sudo` for administrative tasks to ensure accountability.
- Minimize Software Footprint: Install only necessary packages. The fewer services running, the fewer attack vectors available. Remove or disable unused services.
- SSH Hardening: Configure `/etc/ssh/sshd_config` to change the default port (22), disable password authentication (enforce key-based auth), and restrict access to specific users (`AllowUsers`).
- Firewall Configuration: Configure a firewall (such as `iptables`, `ufw`, or `firewalld`) to deny all incoming traffic by default and allow only the specific ports/services required for operation.
- Keep System Updated: Regularly apply security patches and updates using the package manager (`yum update` or `apt upgrade`) to fix known vulnerabilities.
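As an added example (not part of the course notes), the script below audits an `sshd_config` file against the SSH-hardening directives listed in the steps above. The two sample configs are constructed inline; the defaults assumed for absent directives (`PermitRootLogin yes`, `PasswordAuthentication yes`, `Port 22`) are an assumption of this example, and newer OpenSSH releases default `PermitRootLogin` to `prohibit-password`.

```bash
#!/bin/bash
# Added example (not part of the course notes): audit an sshd_config against the
# SSH-hardening directives listed above. The two sample configs are constructed.

# get_directive FILE KEY DEFAULT -> the first non-comment value of KEY, or DEFAULT.
# sshd honours the first occurrence of a directive; directive names are case-insensitive.
get_directive() {
    local file="$1" key="$2" default="$3" val
    val=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$file")
    printf '%s\n' "${val:-$default}"
}

# audit_sshd_config FILE -> one WEAK:/INFO: line per finding; returns 1 if anything is WEAK.
# Defaults assumed when a directive is absent (assumption of this example):
# PermitRootLogin yes, PasswordAuthentication yes, Port 22.
audit_sshd_config() {
    local file="$1" weak=0 v
    v=$(get_directive "$file" PermitRootLogin yes)
    [ "$v" = no ] || { echo "WEAK: PermitRootLogin is '$v' (expected no)"; weak=$((weak + 1)); }
    v=$(get_directive "$file" PasswordAuthentication yes)
    [ "$v" = no ] || { echo "WEAK: PasswordAuthentication is '$v' (expected no)"; weak=$((weak + 1)); }
    v=$(get_directive "$file" AllowUsers "")
    [ -n "$v" ] || { echo "WEAK: no AllowUsers restriction"; weak=$((weak + 1)); }
    v=$(get_directive "$file" Port 22)
    [ "$v" != 22 ] || echo "INFO: Port is the default 22"
    return $(( weak > 0 ))
}

# count_weak FILE -> number of WEAK findings as a plain integer
count_weak() {
    audit_sshd_config "$1" | grep -c '^WEAK' || true
}

WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: distribution defaults left in place
#PermitRootLogin prohibit-password
Port 22
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed sample: hardened as described above
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice bob
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || echo "result: $(count_weak "$WEAK_CFG") weak setting(s)"
echo "== hardened config =="
audit_sshd_config "$HARD_CFG" && echo "result: no weak settings"
```

The commented-out `#PermitRootLogin` line in the first sample is deliberately ignored by the reader, because a commented directive has no effect and the default applies; that is the case an audit most often misses.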
Define SELinux and explain its three modes of operation.
SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) security architecture for Linux. It provides a mechanism for supporting access control security policies, restricting users and programs to the minimum privileges required.
Modes of Operation:
- Enforcing: This is the default mode. SELinux security policy is enforced, and access is denied based on policy rules. Violations are logged.
- Permissive: SELinux is active but does not enforce the security policy. Instead of denying access, it logs warnings for actions that would have been denied in Enforcing mode. This is useful for troubleshooting.
- Disabled: SELinux is turned off entirely. No policies are loaded, and no labeling occurs.
Compare Symmetric and Asymmetric encryption techniques used in managing network security.
| Feature | Symmetric Encryption | Asymmetric Encryption |
|---|---|---|
| Keys Used | Uses a single shared key for both encryption and decryption. | Uses a pair of keys: a Public Key for encryption and a Private Key for decryption. |
| Speed | Faster and less computationally expensive. | Slower and requires more processing power. |
| Security | Key distribution is a challenge; if the key is intercepted, security is compromised. | More secure for key exchange; the private key is never shared. |
| Usage | Bulk data encryption (e.g., AES). | Key exchange, digital signatures, and authentication (e.g., RSA, ECC). |
| Mathematical Concept | and | and |
Describe the basic components of a Bash Script and explain the significance of the Shebang.
A Bash script is a plain text file containing a series of commands.
Basic Components:
- Interpreter Directive (Shebang): The first line of the script.
- Comments: Lines starting with `#`, used for documentation (ignored by the shell).
- Commands: System commands (e.g., `ls`, `cp`), control structures (loops, if-else), and variables.
- Execution Permission: The file must have the executable bit set (`chmod +x script.sh`).
Significance of the Shebang (#!):
- It specifies the absolute path to the interpreter that should be used to execute the script.
- Example: `#!/bin/bash` tells the system to use the Bash shell.
- If omitted, the script runs in the user's current shell, which might lead to syntax errors if the current shell differs from the script's intended syntax.
Explain the usage of tcpdump for monitoring network traffic with at least two examples.
tcpdump is a command-line packet analyzer tool used to capture or filter TCP/IP packets received or transferred over a network interface.
Usage:
It captures packet headers and data, useful for debugging network issues or security analysis.
Examples:
- Capture on a specific interface: `tcpdump -i eth0` captures all packets flowing through the `eth0` interface.
- Capture a specific port: `tcpdump port 80` captures traffic only related to HTTP (port 80).
- Capture a specific source IP: `tcpdump src 192.168.1.5` captures packets originating from the specified IP address.
Differentiate between AppArmor and SELinux.
AppArmor (Application Armor) and SELinux are both Linux kernel security modules that provide Mandatory Access Control (MAC).
- Policy Identification:
- AppArmor: Uses Path-based identification. It restricts programs based on the file path of the executable. Policies are easier to read and configure.
- SELinux: Uses Inode/Label-based identification. Files are assigned security context labels (User:Role:Type:Level). Even if a file is moved, the label persists.
- Complexity:
- AppArmor: Generally considered easier to learn and configure for specific applications.
- SELinux: More complex and granular, offering finer control over system processes and files.
- Default Distributions:
- AppArmor: Default on Ubuntu and SUSE.
- SELinux: Default on RHEL, CentOS, and Fedora.
What is PAM (Pluggable Authentication Modules)? Explain its architecture and configuration file location.
PAM is a mechanism to integrate multiple low-level authentication schemes into a high-level API. It allows system administrators to choose how applications authenticate users without recompiling the applications.
Architecture:
PAM separates the tasks of authentication into four independent management groups:
- Auth: Verifies the user's identity (e.g., password prompt).
- Account: Checks if the user is allowed access (e.g., time of day, account expiration).
- Password: Handles password updates and complexity checks.
- Session: Manages actions before and after user login (e.g., mounting directories, logging).
Configuration:
- Configuration files are located in `/etc/pam.d/`.
- Each application (e.g., `sshd`, `sudo`, `login`) has its own file in this directory defining which modules are used.
Write a Bash script snippet using an if-else statement to check if a file named data.txt exists and is writable. Use appropriate test operators.
```bash
#!/bin/bash
FILENAME="data.txt"
# Check if file exists (-e) AND is writable (-w)
if [ -w "$FILENAME" ]; then
    echo "The file '$FILENAME' exists and is writable."
    echo "Appending date to file..."
    date >> "$FILENAME"
else
    if [ -e "$FILENAME" ]; then
        echo "The file exists but is NOT writable."
    else
        echo "The file '$FILENAME' does not exist."
    fi
fi
```
Explanation of Operators:
- `-e`: Returns true if the file exists.
- `-w`: Returns true if the file exists and write permission is granted.
Explain the different types of Loops available in Bash scripting with syntax examples.
Bash supports three main types of loops:
- For Loop: Iterates over a list of items or a range of numbers.
  Syntax:
  ```bash
  for i in {1..5}
  do
      echo "Number $i"
  done
  ```
- While Loop: Executes commands as long as the condition remains true.
  Syntax:
  ```bash
  count=1
  while [ $count -le 5 ]
  do
      echo "Count: $count"
      ((count++))
  done
  ```
- Until Loop: Executes commands as long as the condition is false (until it becomes true).
  Syntax:
  ```bash
  count=1
  until [ $count -gt 5 ]
  do
      echo "Processing..."
      ((count++))
  done
  ```
Describe the process of generating a Self-Signed SSL Certificate in Linux.
Generating a self-signed certificate involves using OpenSSL. The process typically follows these steps:
- Generate Private Key: Create a secure private key.
  `openssl genrsa -out server.key 2048`
- Generate CSR (Certificate Signing Request): Create a request containing organization details linked to the key.
  `openssl req -new -key server.key -out server.csr`
- Generate Self-Signed Certificate: Sign the CSR with your own private key (acting as the CA) to create the certificate (`.crt`).
  `openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt`
Alternatively, this can be done in a single command: `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt`.
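The script below is an added example (not part of the course notes) that runs the three steps above non-interactively in a scratch directory and then checks the result: that the certificate carries the public half of `server.key`, and that it verifies only when it is itself supplied as the trust anchor. It needs the `openssl` CLI and prints `skipped` when that is absent; the subject `/CN=example.test` is a constructed placeholder.

```bash
#!/bin/bash
# Added example (not from the course notes): run the three openssl steps above
# non-interactively in a scratch directory, then verify what came out.
# Needs the openssl CLI; when it is absent the function prints "skipped".
# The subject /CN=example.test is a constructed placeholder.

# make_self_signed DIR -> prints ok | skipped | failed | mismatch | unverifiable
make_self_signed() {
    local dir="$1" pub_from_key pub_from_cert
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }

    # Steps 1-3 exactly as listed above; -subj replaces the interactive prompts
    ( cd "$dir" || exit 1
      openssl genrsa -out server.key 2048 2>/dev/null &&
      openssl req -new -key server.key -out server.csr -subj "/CN=example.test" 2>/dev/null &&
      openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt 2>/dev/null
    ) || { echo failed; return 1; }

    # Check 1: the certificate must embed the public half of server.key
    pub_from_key=$(openssl rsa -in "$dir/server.key" -pubout 2>/dev/null)
    pub_from_cert=$(openssl x509 -in "$dir/server.crt" -pubkey -noout)
    [ "$pub_from_key" = "$pub_from_cert" ] || { echo mismatch; return 1; }

    # Check 2: a self-signed certificate verifies only when it is itself the
    # trust anchor, which is why clients have to be told to trust it explicitly
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1 ||
        { echo unverifiable; return 1; }
    echo ok
}

# is_self_signed CERT -> yes | no, by comparing the issuer with the subject
is_self_signed() {
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject); subj=${subj#*=}
    iss=$(openssl x509 -in "$1" -noout -issuer);   iss=${iss#*=}
    [ "$subj" = "$iss" ] && echo yes || echo no
}

SCRATCH_DIR=$(mktemp -d)
echo "result: $(make_self_signed "$SCRATCH_DIR")"
if [ -f "$SCRATCH_DIR/server.crt" ]; then
    echo "issuer equals subject (self-signed): $(is_self_signed "$SCRATCH_DIR/server.crt")"
fi
```

The second check is the practical meaning of "self-signed": the certificate is its own issuer, so no client trusts it until that exact certificate is added to the client's trust store.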
Explain Input and Output Redirection in Linux shell scripts using file descriptors.
Linux uses file descriptors (FD) for data streams: stdin (0), stdout (1), and stderr (2).
- Output Redirection (`>` and `>>`):
  - `>`: Redirects stdout to a file, overwriting the file. Example: `ls > list.txt`.
  - `>>`: Redirects stdout to a file, appending to it. Example: `date >> log.txt`.
- Input Redirection (`<`): Feeds the content of a file into a command. Example: `wc -l < list.txt`.
- Error Redirection (`2>`): Redirects standard error. Example: `command 2> error.log`.
- Redirecting both stdout and stderr: `command > output.txt 2>&1` or `command &> output.txt` sends both success messages and errors to the same file.
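As an added example (not part of the course notes), the script below uses a small producer that writes one line to FD 1 and one to FD 2, and counts how many lines each redirection form above delivers to the file. It goes one step beyond the notes by also showing the common mistake `2>&1 > file`, where the order of the two redirections is reversed. All output is constructed.

```bash
#!/bin/bash
# Added example (not from the course notes): a producer that writes one line to
# stdout (FD 1) and one to stderr (FD 2), used to show which lines each
# redirection form captures, and why "> file 2>&1" and "2>&1 > file" differ.
# All output is constructed.

produce() {
    echo "normal line"          # written to FD 1
    echo "error line" >&2       # written to FD 2
}

# capture FORM -> the number of lines that reached the file for that form
capture() {
    local form="$1" out
    out=$(mktemp)
    case "$form" in
        stdout-only) produce  > "$out" 2>/dev/null ;;
        stderr-only) produce 2> "$out"  >/dev/null ;;
        both)        produce  > "$out" 2>&1 ;;      # FD 1 -> file, then FD 2 -> copy of FD 1 (the file)
        both-amp)    produce &> "$out" ;;           # bash shorthand for the line above
        # Wrong order: FD 2 is copied from FD 1 BEFORE FD 1 is pointed at the
        # file, so the error line goes wherever stdout was going (here /dev/null).
        wrong-order) { produce 2>&1 > "$out"; } >/dev/null ;;
        *)           rm -f "$out"; echo "unknown form: $form" >&2; return 2 ;;
    esac
    wc -l < "$out" | tr -d ' '
    rm -f "$out"
}

for form in stdout-only stderr-only both both-amp wrong-order; do
    printf '%-12s %s line(s) in file\n' "$form" "$(capture "$form")"
done
```

Redirections are applied left to right, and `2>&1` copies whatever FD 1 points at *at that moment*; that is why `wrong-order` leaves the error line out of the file while `both` captures it.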
How is the sudo command configured? Explain the syntax of the /etc/sudoers file.
sudo (SuperUser DO) allows a permitted user to execute a command as the superuser or another user. It is configured via the /etc/sudoers file, which should always be edited using the visudo command to check for syntax errors.
Syntax of an /etc/sudoers entry:
`user_name host_name=(target_user:target_group) commands`
- user_name: The user getting the privileges (e.g., `alice`, or `%wheel` for a group).
- host_name: The host where the rule applies (usually `ALL`).
- target_user: The user the command will run as (usually `ALL`).
- commands: The specific commands allowed (e.g., `/bin/ls`, or `ALL`).
Example:
`alice ALL=(ALL) ALL`
This allows user 'alice' to run any command on any host as any user.
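The script below is an added example (not part of the course notes) that reads rules written in the entry syntax above, splits each into its four fields, and lists the users or groups whose command field is `ALL`, the broad grant the `alice` example illustrates. The sample file is constructed, and the reader only handles that one-line rule shape (no aliases, `NOPASSWD` tags or line continuations); it is a reading aid, not a substitute for `visudo -c`.

```bash
#!/bin/bash
# Added example (not from the course notes): read sudoers rules written in the
# syntax shown above and flag the ones that grant ALL commands. The sample
# file is constructed, and this reader only handles that one-line rule shape
# (no aliases, NOPASSWD tags or line continuations); it does not replace "visudo -c".

# parse_rule "user host=(target) commands" -> "user|host|target|commands"
parse_rule() {
    local line="$1" user host target cmds rest
    user=${line%% *}                            # up to the first space
    rest=${line#* }                             # host=(target) commands
    host=${rest%%=*}                            # up to the '='
    rest=${rest#*=}                             # (target) commands
    target=${rest#"("}; target=${target%%")"*}  # inside the parentheses
    cmds=${rest#*")"}                           # after the ')'
    cmds=${cmds#"${cmds%%[! ]*}"}               # trim leading spaces
    printf '%s|%s|%s|%s\n' "$user" "$host" "$target" "$cmds"
}

# broad_grants FILE -> the user/group of every rule whose command list is ALL
broad_grants() {
    local line fields cmds
    while IFS= read -r line; do
        case "$line" in ''|'#'*|Defaults*) continue ;; esac
        fields=$(parse_rule "$line")
        cmds=${fields##*|}
        if [ "$cmds" = ALL ]; then
            printf '%s\n' "${fields%%|*}"
        fi
    done < "$1"
    return 0
}

SUDOERS_SAMPLE=$(mktemp)
trap 'rm -f "$SUDOERS_SAMPLE"' EXIT
cat > "$SUDOERS_SAMPLE" <<'EOF'
# constructed sample sudoers
Defaults env_reset
alice ALL=(ALL) ALL
%wheel ALL=(ALL:ALL) /bin/ls, /usr/bin/systemctl
bob webhost=(root) /usr/bin/systemctl restart httpd
EOF

echo "parsed rules (user|host|target|commands):"
grep -Ev '^(#|Defaults|$)' "$SUDOERS_SAMPLE" | while IFS= read -r line; do parse_rule "$line"; done
echo "rules granting ALL commands: $(broad_grants "$SUDOERS_SAMPLE" | tr '\n' ' ')"
```

On the sample, only `alice` is reported: `%wheel` and `bob` are limited to named commands, which is the shape of rule the least-privilege approach prefers.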
Explain the usage of the case statement in Bash scripting with a syntax example.
The case statement is a logical control structure used to execute different blocks of code based on matching a variable against specific patterns. It is often cleaner than multiple if-elif-else statements.
Syntax Structure:
```bash
case $VARIABLE in
    pattern1)
        commands
        ;;
    pattern2)
        commands
        ;;
    *)
        default_commands
        ;;
esac
```
Key Elements:
- Starts with `case` and ends with `esac`.
- Patterns end with `)`.
- Blocks end with double semicolons `;;`.
- The wildcard `*)` acts as a default/catch-all case.
What are Positional Parameters in shell scripting? How are they accessed?
Positional Parameters are special variables used to access arguments passed to a script or function when it is executed.
- `$0`: The name of the script itself.
- `$1` to `$9`: The first through ninth arguments provided.
- `${10}`: Arguments beyond 9 must be enclosed in braces.
- `$#`: The total count of arguments passed.
- `$*`: Represents all arguments passed.
Example:
If a script myscript.sh is run as `./myscript.sh apple banana`:
- `$0` = ./myscript.sh
- `$1` = apple
- `$2` = banana
- `$#` = 2
Discuss how to permanently add a service (e.g., HTTP) to the public zone using firewall-cmd.
To configure firewalld permanently, the --permanent flag is used. Without this flag, changes are lost after a reboot.
Steps:
- Add the Rule:
  `firewall-cmd --zone=public --add-service=http --permanent`
  - `--zone=public`: Specifies the zone.
  - `--add-service=http`: Opens the port associated with the HTTP service (port 80).
  - `--permanent`: Writes the rule to the configuration file.
- Reload Firewall:
  `firewall-cmd --reload`
  This is necessary to apply the permanent configuration changes immediately without rebooting.
- Verification:
  `firewall-cmd --zone=public --list-all`
Explain Command Substitution in Bash. Provide two different syntax methods.
Command Substitution allows the output of a command to replace the command name itself. This is used to assign the output of a command to a variable or use it as an argument for another command.
Method 1: Using $(...) (Recommended)
- This is the modern, POSIX-compliant method.
- Example: `CURRENT_DATE=$(date)`
Method 2: Using Backticks `...` (Legacy)
- This is the older method but is less readable and harder to nest.
- Example: ``CURRENT_DATE=`date` ``
Usage:
`echo "The current directory is $(pwd)"` results in the shell executing pwd and inserting the path into the string.
Define SSH (Secure Shell) and describe how Key-Based Authentication works.
SSH is a cryptographic network protocol for operating network services securely over an unsecured network, most notably for remote login.
Key-Based Authentication Mechanism:
- Key Generation: The user generates a key pair (Public and Private) using `ssh-keygen`.
- Public Key Placement: The user's Public Key is copied to the server's `~/.ssh/authorized_keys` file.
- Connection Attempt: When the user tries to connect, the server generates a random challenge and encrypts it using the stored Public Key.
- Decryption: The client receives the challenge. Only the client holding the corresponding Private Key can decrypt it.
- Access: The client sends the decrypted challenge back. If it matches, the server grants access without requiring a password.
What is the Exit Status of a command? How is it used in logical controls within a script?
Exit Status is an integer value returned by a command to the parent process (shell) upon termination to indicate success or failure.
- 0: Indicates Success.
- Non-zero (1-255): Indicates Failure (specific numbers often denote specific error types).
Accessing Exit Status:
The variable $? holds the exit status of the most recently executed command.
Usage in Logic:
Scripts use this to decide flow:
```bash
grep "user" /etc/passwd
if [ $? -eq 0 ]; then
    echo "User found."
else
    echo "User not found."
fi
```
Note: if statements implicitly check the exit status of the command provided.
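As an added example (not part of the course notes), the script below ties together three of the answers above: positional parameters (`$1`, `$2`, `$#`), a `case` statement with a catch-all branch, and exit status used directly in an `if` and captured through `$?`. The `dispatch` and `exit_code_of` functions and the default service name `svc` are hypothetical; nothing here touches a real service.

```bash
#!/bin/bash
# Added example (not from the course notes) tying together positional
# parameters, the case statement and exit status. "dispatch", "exit_code_of"
# and the service name "svc" are hypothetical; no real service is touched.

# dispatch ACTION [NAME] -> prints what it would do.
# Exit status: 0 on success, 2 on a usage error, 1 on an unknown action.
dispatch() {
    if [ "$#" -lt 1 ]; then                      # $# = number of arguments
        echo "usage: $0 start|stop|status [name]" >&2
        return 2
    fi
    local action="$1" name="${2:-svc}"           # $1, $2 = positional parameters
    case "$action" in
        start|stop)  echo "$action $name"; return 0 ;;
        status)      echo "$name is running"; return 0 ;;
        -h|--help)   echo "usage: start|stop|status [name]"; return 0 ;;
        *)           echo "unknown action: $action" >&2; return 1 ;;   # catch-all
    esac
}

# exit_code_of CMD... -> runs CMD silently and prints the exit status it returned
exit_code_of() {
    local rc=0
    "$@" >/dev/null 2>&1 || rc=$?             # $? is the status of the failed command
    echo "$rc"
}

# if tests the exit status of the command directly, as the note above says
if dispatch status demo >/dev/null; then
    echo "status check succeeded (exit status 0)"
fi
echo "exit status for an unknown action: $(exit_code_of dispatch bogus)"    # 1
echo "exit status with no arguments:     $(exit_code_of dispatch)"          # 2
echo "argument count seen by this script: $#"
```

Distinct non-zero codes (here 1 and 2) let a calling script tell "bad input" from "unknown action" without parsing error text, which is the point of the convention that non-zero values denote specific failures.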
Explain the concept of Arithmetic Expansion in Bash and provide examples.
Arithmetic Expansion allows the shell to perform integer arithmetic evaluations. It follows the syntax $(( expression )).
Features:
- Supports basic operators: `+`, `-`, `*`, `/`, `%` (modulus), and `**` (exponentiation).
- Variables inside the double parentheses do not strictly require the `$` prefix.
Examples:
- Basic Math: `result=$(( 5 + 5 ))` (result is 10)
- Using Variables:
  ```bash
  num1=10
  num2=20
  sum=$(( num1 + num2 ))
  ```
- Incrementing: `(( num1++ ))` (increments the value of num1)