Thursday, 14 April 2011

Oracle Database Concept

A database has both logical structures and physical structures. Because the two are kept separate, the physical storage of data can be managed without affecting access to the logical storage structures.

The physical database structure includes datafiles, redo log files and control files.

Data files

Every Oracle database has one or more physical datafiles. The datafiles contain all the database data. The data of logical database structures, such as tables and indexes, is physically stored in the datafiles allocated for the database. The datafiles are located in the $ORACLE_BASE/oradata directory.

A datafile can be associated with only one database. Datafiles can be set to extend automatically when the database runs out of space. One or more datafiles form a logical unit of database storage called a tablespace.

Modified or new data is not necessarily written to a datafile immediately. Data is pooled in memory and written to the appropriate datafiles all at once, as determined by the database writer (DBWn) background process.

Control Files

Every Oracle database has a control file. A control file contains entries that specify the physical structure of the database. Every time an instance of an Oracle database is started, its control file identifies the database and the redo log files that must be opened for database operation to proceed.

Redo log file

Parameter files

Alert and trace log file

Backup files

Logical database structures

Table spaces

A database is divided into logical storage units called tablespaces, which group related logical structures together. One or more datafiles are explicitly created for each tablespace to physically store the data of all its logical structures. The combined size of the datafiles in a tablespace is the total storage capacity of the tablespace.

Every Oracle database contains a SYSTEM tablespace and a SYSAUX tablespace. Oracle creates them automatically when the database is created. Each of these two tablespaces has a datafile, named system01.dbf and sysaux01.dbf respectively.

Bigfile tablespaces and smallfile tablespace.

Online and offline tablespaces.

Data Blocks: At the finest level of granularity, Oracle database data is stored in data blocks.

Extents: A specific number of contiguous data blocks, obtained in a single allocation, used to store a specific type of information.

Segments: A segment is a set of extents allocated for a certain logical structure. Types of segments include: data segments, index segments, temporary segments for temporary tables, and rollback segments for undo.

Friday, 8 April 2011

Logging in to Linux in single user mode

It's common to boot a Unix/Linux system into single user mode to debug boot problems.

1. Select the kernel that should be booted.

2. Press 'a' to modify the parameters passed to the kernel and init.

2.5 Use Backspace to remove rhgb and quiet from the list of kernel parameters. The rhgb parameter starts the graphical boot display and quiet suppresses almost all of the kernel's output during boot.

3. Type s. Adding an s to the end of the line tells the system to start in single user mode. Make sure there is a space before the s. This can be an S, an s, or the word single.

4. Press Enter.

After the system has booted, a root shell will be loaded without requiring the root user’s password to be entered.

At the command prompt, verify that this is indeed a root shell by issuing the id command.

With root access, it is possible to perform a file system check, turn off services that are stopping the system from booting correctly, change the root password, fix incorrect network settings, etc.

Sometimes, it’s necessary to change runlevels from single user mode to the default runlevel for the system:

Press Ctrl + d

Thursday, 7 April 2011

Linux commands

locate and which:
  Use locate to find files anywhere in the file system; use which to find a command or shell script under $PATH.

dmesg
  Prints the kernel messages from the boot sequence, including the hda/sda disks and the other drivers that were detected. Examining the messages produced by the kernel as it loads is a good way to see what hardware has been detected. A copy of the kernel messages from the boot sequence is kept in /var/log/dmesg, so the dmesg command has the same effect as cat /var/log/dmesg.

dd
  Convert and copy a file. For example,
  dd if=/dev/hda of=MBR bs=446 count=1
  copies the boot area of /dev/hda to the file MBR.
  dd if=/dev/hda of=/dev/sda bs=446 count=1
  backs up the MBR of the system to the /dev/sda disk.
  That dd command will remove any partitions or data currently on the /dev/sda device,
  so pay special attention to the of= parameter of this command when it names a device.

mount and umount
  Mount a file system, and unmount it again with umount.

passwd
  Change the password of the current user. If the current root password is unknown, boot into single user mode (where you are automatically logged in as root without being prompted for a password) and then run the passwd command from the prompt.
  system-config-rootpassword changes the root password.

system-config-***
  system-config-time or system-config-date programs can change the time zone and the date/time settings after installation of the system.
  system-config-authentication program can be used to configure the password file location and encryption algorithm.
  system-config-*** tools are used to configure various devices and services.
 

lspci, kudzu, ddcprobe, lsusb
  The lspci command shows all devices connected to the PCI bus.
  The kudzu command gets information about the video card:
  kudzu -p -c VIDEO
  The ddcprobe command detects the resolutions and refresh rates supported by the monitor.
  The lsusb command lists the USB devices on the system.

sysctl
  /proc provides information about the processes running on the system. Commands like ps depend on /proc as their source of process information. Inside /proc there is a sub-directory whose name corresponds to the PID of each process on the system.
  The kernel is configured via /proc/sys.
  Use cat and echo to view and set values in /proc/sys:
  cat /proc/sys/fs/file-max
  echo "110000" > /proc/sys/fs/file-max
  The sysctl command is a better way to view and set values in /proc/sys.
  To view:  # sysctl fs.file-max
            fs.file-max=767604
  To set:   # sysctl -w "fs.file-max=1100000"
  sysctl can also list all available kernel tuning options:
  # sysctl -a
  Adding or modifying the corresponding line in the /etc/sysctl.conf file persists a kernel tuning parameter. Changes made to the values in /proc do not survive a reboot, so changing /etc/sysctl.conf is the better way.
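Because values echoed into /proc/sys and lines in /etc/sysctl.conf can silently disagree, the check below compares the persisted file with the live values. It is an added example, not part of the original notes: sysctl_check is an assumed helper name, and the second argument lets a constructed copy of the /proc/sys tree stand in for the real one so it can run offline.

```shell
#!/bin/sh
# Added example, not from the original notes: compare the persistent settings in a
# sysctl.conf-style file with the live values under /proc/sys, so that drift between
# what was persisted and what the running kernel uses (a value echoed into /proc/sys,
# or a line added to sysctl.conf and never applied) shows up.
# Keys use the dotted form from the notes (fs.file-max); the live value is read from the
# path obtained by turning each dot into a slash (/proc/sys/fs/file-max).
#   $1: conf file;  $2: root of the proc tree, default /proc/sys
#       (a constructed copy is passed in the test so this runs offline).
# Prints one line per key (OK / DRIFT / MISSING); returns 1 if any key drifted or is missing.
sysctl_check() {
    conf=$1
    root=${2:-/proc/sys}
    rc=0
    tab=$(printf '\t')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                         # drop "#" comments
        case "$line" in ''|';'*) continue ;; esac  # blank lines and ";" comments
        # split on "=" with surrounding blanks; the value keeps its internal spaces
        # (kernel.printk = 4 4 1 7 is one value)
        IFS="= $tab" read -r key value <<EOF
$line
EOF
        [ -n "$key" ] || continue
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf 'MISSING %s (no %s)\n' "$key" "$path"
            rc=1
            continue
        fi
        live=$(tr '\t' ' ' < "$path")            # /proc files separate fields with tabs
        if [ "$live" = "$value" ]; then
            printf 'OK %s = %s\n' "$key" "$value"
        else
            printf 'DRIFT %s conf=%s live=%s\n' "$key" "$value" "$live"
            rc=1
        fi
    done < "$conf"
    return $rc
}

# Stand-alone use: sh sysctl_check.sh /etc/sysctl.conf
if [ $# -gt 0 ]; then
    sysctl_check "$@"
fi
```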
 
date and hwclock command, ntpdate and rdate
The hwclock command is the primary way of interacting with the hardware clock.
  hwclock --show
  hwclock --set --date "Fri Apr  8 13:33:12 HKT 2011"
  date --set "Fri Apr  8 13:33:12 HKT 2011"

RPM and YUM
  The rpm database, typically located in the /var/lib/rpm directory, contains a list of all installed applications and the files which belong to those applications.
  RPM package file name:
  name-version-release.architecture.rpm
  The name indicates the software which is packaged in that RPM. Usually this is the name of the application.
  Version indicates the version of the software which is packaged in that RPM.
  Release indicates revisions of the packaging of that particular version of the application.
  Architecture is the platform on which that RPM can be executed, if binary. Typical values include:
  i386 - any 32-bit Intel-compatible CPU
  i686 - any 686-class 32-bit Intel-compatible CPU
  x86_64 - any AMD64 or Intel EM64T CPU
  ppc - any 32-bit PowerPC CPU
  ppc64 - any 64-bit PowerPC CPU
  ia64 - any 64-bit Itanium CPU
  noarch - the package can be used on any CPU architecture
  src - package containing application source code, patches, and scripts specifying how that source code should be configured and compiled into binary RPMs
  RPM package files are cpio archives with a binary header attached.
  The rpm command is one of the most important commands on the system.
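A parser for the name-version-release.architecture.rpm file name format described above, as an added example that is not part of the original notes. rpm_split is an assumed helper name and the package names in the test are constructed samples; the point it shows is that the name may itself contain hyphens, so the fields have to be peeled off from the right.

```shell
#!/bin/sh
# Added example, not from the original notes: split an RPM package file name of the form
# name-version-release.architecture.rpm into its four parts. The name itself may contain
# hyphens (openssl-devel) and the version contains dots, so the fields are peeled off
# from the right-hand end, never from the left.
# Prints "name version release arch" on one line; returns 1 for a malformed file name.
rpm_split() {
    f=${1##*/}                                     # drop any directory part
    case "$f" in *.rpm) ;; *) return 1 ;; esac
    base=${f%.rpm}
    case "$base" in *.*) ;; *) return 1 ;; esac    # an architecture field is required
    arch=${base##*.}                               # i386, x86_64, noarch, src, ...
    rest=${base%.*}
    case "$rest" in *-*-*) ;; *) return 1 ;; esac  # need name-version-release
    release=${rest##*-}                            # packaging revision of this version
    rest=${rest%-*}
    version=${rest##*-}                            # upstream software version
    name=${rest%-*}
    [ -n "$name" ] && [ -n "$version" ] && [ -n "$release" ] || return 1
    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# Stand-alone use: sh rpm_split.sh some-package-1.0-1.el5.i386.rpm ...
if [ $# -gt 0 ]; then
    for pkg in "$@"; do
        rpm_split "$pkg" || echo "not a valid RPM file name: $pkg" >&2
    done
fi
```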

/etc/yum.conf file and the /etc/yum.repos.d directory.

/sbin/runlevel
  command can be used to view the current runlevel. It also displays the previous run level.
  To switch runlevels, the standard way is to use the init or the telinit command.

/sbin/init
  The /etc/inittab file contains the init program's configuration.

chkconfig, ntsysv and serviceconf
  Update and query runlevel information for system services.
  To determine the current configuration of a given daemon, issue the following command:
  chkconfig --list sshd
  This lists the availability of the sshd service in all the run levels.
  To view the status of all daemons, run:
  chkconfig --list
The ntsysv and serviceconf commands provide, respectively, a graphical browser of all services available on the system and the ability to select graphically which services should be started or stopped in a given run level. Using system-config-services is the ultimate choice.

Shutdown, reboot and poweroff
  The shutdown command is the preferred method of rebooting or shutting down Linux. shutdown automatically notifies all logged-in users of the impending action. As the time approaches, it alerts logged-in users with greater frequency and urgency.
 
uname
The uname command prints certain system information. For example,
uname -r prints the kernel name and version.
 
useradd, userdel, usermod
New users can be added to the system by the root user with the useradd command. The behavior of the useradd program is controlled by the following:
   1. command-line switches
   2. the /etc/login.defs configuration file
   3. the /etc/default/useradd configuration file
useradd oracle
passwd oracle  -- sets the password of the user oracle.

The corresponding userdel command is used to delete existing accounts. userdel supports only a single option, -r, which tells the command to delete the user's account, home directory and mail spool file.

In addition to editing the passwd file directly with the vipw command, the usermod command can be used by root to modify existing accounts. For example:
usermod -d /home2/brandon -m brandon
moves a user to a new home directory (updating the passwd entry and moving existing files).
usermod -G webguys,mis jdoe
adds the user jdoe to the secondary groups webguys and mis.
For the above command, using vigr to edit the /etc/group file is also a good choice.

The chage command changes the age of a user's password:
chage -M 90 oracle
 
su:
su username
The effective UID and GID are switched to those of username, but nothing else about the environment is changed. This can sometimes pose difficulties, since different users often have different PATH settings.
su - username
Rather than just switching the effective UID and GID, this changes the entire environment, behaving as if logged in as username.
su -c command username
just executes a single command as username.
 

fdisk
Creates or edits the partition table of a disk.
To print the partition table of a given drive, use fdisk -l /dev/XXX, for example:
  fdisk -l /dev/hda
  fdisk -l /dev/sda
The most commonly used filesystem is ext3, the standard Linux filesystem.

mkfs
After creating a partition with fdisk or sfdisk, a filesystem is typically created on it using mkfs.
mkfs is the standard utility used to create Linux filesystems.
-- the following command creates an ext2 file system:
mkfs /dev/hda1
-- the following command creates an MS-DOS file system:
mkfs -t msdos /dev/hda1
The ext3 file system is essentially just an ext2 file system with a journal file; the on-disk file system structures of ext2 and ext3 are identical.
mkfs -j
mkfs.ext3
mke2fs -j
Each of the above commands creates an ext3 file system.

mount and umount
  A basic task of most administrators is maintaining file system layouts. New partitions can be transparently grafted into the existing file system structure using the mount command. These mounts are listed in /etc/fstab so that they occur automatically at boot.
  The mount and umount commands modify a text database, /etc/mtab, which lists all currently mounted partitions. The kernel itself also maintains a database, /proc/mounts, which lists all currently mounted partitions. The /proc/mounts file tends to be more accurate than /etc/mtab.
  Tools for finding out why a file system is still busy:
  fuser: displays the PIDs of processes using the specified files or file systems.
  lsof: lists information about files opened by processes.
  lslk: lists locks held on local files.

 
Determining disk usage
The df and du commands.
File systems can run out of both free space (data blocks) and name space for new files (inodes), so usage of both needs to be monitored.
du bind.ps evolution-1.o.tar.gz
displays the disk usage of the given two files.
du -h bind.ps evolution-1.o.tar.gz
displays the disk usage of the given two files in a human-readable format.

The df command displays disk usage (blocks) on mounted file systems.
df -h
displays the result of df in a human-readable format.
 
Backup software
dump, restore, tar, cpio, star, pax, cdrecord
I didn't consider the tar command to be backup software.

Viewing processes
ps, pstree, top, jobs, pkill
ps - standard process listing tool.
  ps -ef | grep *** is probably the most-used form of ps.
  It can be replaced by the pgrep command.
pstree - shows the process tree.
top - provides summary information and stats on each running process in real time.
jobs - displays backgrounded and suspended processes invoked from the shell.
  Tools like ps, top and pstree use the /proc file system to collect the data they need to operate.
  The strace command watches the system calls that these commands make when running:
  strace ps
  To see threads in the output of ps, use the -m switch.
  pkill is a combination of pgrep and kill; use it carefully.

Signaling a process
   Processes react to various signals sent to them by other processes or manually by the system administrator. Common signals include hang up (SIGHUP), terminate (SIGTERM) and stop (SIGSTOP).
Process priority
  The nice and renice commands.
  nice -5 mysql: the kernel's process scheduler uses this nice value as a relative indicator that it is allowed to shift the scheduling priority of that process.
  pgrep mysql
  renice 10 3306
  The nice value of the mysql process (process id 3306) would then be 5.
  As with the nice command, only root can use negative values with renice. In addition, only root can renice other users' processes.

Syslog facilities and priorities
  The facility specifies what type of program is generating the message. syslogd can then be configured to handle messages from different sources differently.

System logs
  logrotate
Process accounting
ac
  The ac command is used to view summaries of user logins. It usually works even when process accounting is not being used.  It accesses the /var/log/wtmp file.
  ac --individual
  ac -d

Limiting resource consumption via ulimit
The ulimit command provides control over the resources available to the shell and to processes started by it.
  Hard limit versus soft limit: a hard limit cannot be increased once it is set, while a soft limit may be increased up to the value of the hard limit.

Linux disk drive name

Linux assigns names to disk drives as follows:

hdxn:

hd denotes that the disk drive is IDE based; if the drive is SCSI or SATA based, it is designated sd.

x denotes the position of the drive. If it is installed on the IDE controllers as the primary master it is designated hda; as the primary slave, hdb; as the secondary master, hdc; and hdd if the drive is installed as the secondary slave.

n denotes the partition number. For example, the first partition of the primary master is designated hda1. Usually the primary partitions are numbered 1-4. The logical drives are numbered 5-n, depending on how many logical partitions you have.

Linux Learning Notes

Pre-Installation consideration
  1. What partition schema will be used
     Software RAID:
     LVM:
     Traditional Partition schema
   2. What file system
   Each of the various file system types available has distinct advantages and disadvantages. System performance can be tuned by selecting the file system that best fits the expected usage of the system.
   3. Role of the system
   Every software package installed on the system should be considered a potential security vulnerability. One of the most important steps in securing a system is simply ensuring that it is not running any services that are not absolutely required.
   4. OS partition and drive constraints
    Sharing partitions between operating systems. For example, create a single shared swap partition that is mounted by each of three different Linux installations. For a Linux and Windows dual-boot system, a shared data partition is very useful.
   5. Backing up and restoring the MBR
   Issue the following command as root to back up the MBR installed on the system. If Linux is not installed, use a bootable Linux disk or CD:
## if your hard disk is IDE based:
  dd if=/dev/hda of=MBR bs=446 count=1
## for SCSI hard disks, issue the following command:
  dd if=/dev/sda of=MBR bs=446 count=1
Root's home directory then contains a file named MBR.
To restore the MBR, issue the following command:
  dd if=MBR of=/dev/hda bs=446 count=1
## dd is the data replication command: the if= parameter is the source and of= is the target.
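The dd commands here and in the "dd" entry of the Linux commands post are one typo away from overwriting a disk, so the wrapper below adds the checks a careful administrator would want. It is an added example, not part of the original notes: mbr_backup and mbr_restore are assumed helper names, and the test uses a constructed 1024-byte image file in place of a real device.

```shell
#!/bin/sh
# Added example, not from the original notes: a safer wrapper around the dd commands
# shown here and in the "dd" entry of the Linux commands post. It copies the 446-byte
# boot code at the start of a disk to a file, refuses to write onto a block device or
# over an existing backup (a mistyped of= is the classic dd accident the notes warn
# about), and verifies the copy byte for byte before reporting success.
#   mbr_backup  <disk or image> <backup file>
#   mbr_restore <backup file> <disk or image>
mbr_backup() {
    src=$1; dst=$2
    if [ -b "$dst" ]; then
        echo "refusing: $dst is a block device; of= must be a regular file here" >&2
        return 2
    fi
    if [ -e "$dst" ]; then
        echo "refusing: $dst already exists; keep the earlier backup" >&2
        return 2
    fi
    dd if="$src" of="$dst" bs=446 count=1 2>/dev/null || return 1
    # verify: exactly 446 bytes, identical to the first 446 bytes of the source
    [ $(wc -c < "$dst") -eq 446 ] || return 1
    dd if="$src" bs=446 count=1 2>/dev/null | cmp -s - "$dst" || return 1
    echo "boot code of $src saved to $dst"
}

mbr_restore() {
    src=$1; dst=$2
    # a backup of the wrong size would write garbage into the boot sector
    [ -f "$src" ] && [ $(wc -c < "$src") -eq 446 ] || {
        echo "refusing: $src is not a 446-byte backup" >&2
        return 2
    }
    # conv=notrunc: a disk image file must not be truncated to 446 bytes, and on a
    # real device the flag is harmless
    dd if="$src" of="$dst" bs=446 count=1 conv=notrunc 2>/dev/null || return 1
    dd if="$dst" bs=446 count=1 2>/dev/null | cmp -s - "$src" || return 1
    echo "boot code restored to $dst from $src"
}
```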
   6. Partition considerations
     Partition table structure.
    File systems are not typically created on bare hard drives; rather, they are created on partitions.
    Required partitions:
   Partitions serve many useful purposes. They impose maximum size limits on file systems, making them useful security tools for constraining usage of system resources. Partitions also make it easy to divide hard drive space into smaller functional units, simplifying long-term system management.
   The first required partition is the /boot partition, containing only the essential files needed to boot Linux.
   The second partition is a swap partition, used to page programs out of RAM.
   The third required partition is the root partition, /, which needs to be large enough to contain all other files that will be installed.
   There may be other partitions, depending on the Linux distribution.
 
   Journaling file system implementation
All file systems are essentially databases which organize files on a disk by using metadata about the files to locate them. When a file is modified in any way, two filesystem transactions are required: the first updates the data and the other updates the metadata. In an inconsistent file system, the data and the metadata disagree. When the file system is in an inconsistent state, it must be repaired using fsck.
   Journal-based file systems remove this need for fsck to repair inconsistencies by keeping a journal of all intended transactions before they are carried out. This introduces a little more filesystem overhead, but makes recovery from any inconsistency trivial, since any incomplete transactions listed in the journal simply need to be rolled back to repair the file system.
   The traditional Linux filesystem ext2 does not journal data or metadata.
   Some journal-based file systems include ext3, ReiserFS, JFS by IBM, and XFS.

Installation modes: GUI, text, kickstart.
  If a mouse is plugged into the system and the installer is able to initialize the video card, graphical mode is the default. Text mode is similar to graphical mode and is even available over serial consoles, making the installation of headless servers possible. Semi- and fully-automated installation is possible using kickstart configuration files.
   It seems the GUI install can also use VNC; it's really amazing and worth a try.

Linux Devices Files
  The /dev directory is usually the only directory with any device files.

System boot procedure
  LILO and GRUB
   have different processes and procedures.
/sbin/init program
  On all Unix systems, the final action taken by the kernel during system boot-up is to start an initial program, usually /sbin/init. This initial program always has process ID 1, and its successful operation is absolutely essential for the stability of the system. Linux and most other Unix kernels will crash if this initial program ever stops running for any reason.

  runlevel
After the kernel runs /sbin/init, init reads its configuration file and starts all programs listed there, bringing the system up to a predefined working state or run level. BSD-style init programs have only one pre-defined runlevel to which they can start, while System V-derived init programs usually have a variety of different pre-defined runlevels which can be selected. The System V style makes it possible to configure the system in a variety of different ways; these different runlevels can then be selected as necessary, depending on circumstances. Most Unixes and Linux distributions these days use System V-style init rather than BSD-style init.
  Predefined run levels (the comments in the /etc/inittab file list the run levels available on this system):
  0 - halt
  1 - prepare for single user mode
  2 - full multi-user, without networking
  3 - full multi-user mode with text mode login
  4 - unused
  5 - full multi-user mode with graphical X11 login
  6 - reboot
  s, S, single - single-user mode
  emergency - given a root shell (sulogin); no scripts run
On Oracle EL, init has been patched to run /bin/bash when entering runlevel S, rather than /sbin/sulogin. So changing or booting to either runlevel 1 or S provides a root shell without requiring the root password. On some distributions, the only way to get a root shell without providing the root password is to boot with the init=/bin/bash or similar kernel parameter.
  Runlevels are implemented as directories on the system which contain shell scripts to start and stop specific services for the given runlevel. The system has directories for runlevels 0 through 6, respectively: runlevel 0 in /etc/rc0.d, runlevel 1 in /etc/rc1.d, ... The scripts within each directory are named with either a capital S or a capital K, followed by a two-digit number, followed by the name of the service being referenced. Names beginning with a capital S represent scripts which are started upon entering that runlevel, while names beginning with a capital K represent scripts which are stopped; the numbers specify the order in which the scripts are executed.
  All scripts in /etc/init.d or /etc/rc#.d must support two parameters: start and stop.

Services in Linux
  Services on Linux are either started directly by SysV init scripts, or by the xinetd super server. Which services start automatically in a given run level can be controlled manually; ln -s and rm can be used to create and delete symbolic links in the runlevel directories.
 
The files /etc/passwd and /etc/group store user account information. Each line of the passwd file lists a separate user account and consists of seven colon-delimited fields.
The group file contains a separate line for every group defined on the system.

The shadow system overcomes security deficiencies inherent in the original Unix password system: encrypted passwords are instead stored in separate files which only the root user can read. User passwords are stored in the shadow file; group passwords are stored in gshadow.
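A check built on the two facts just stated (seven colon-delimited fields, password hashes belong in shadow rather than passwd), as an added example that is not part of the original notes. passwd_audit is an assumed helper name; the test feeds it a constructed passwd file, and the hash-looking value in it is made up.

```shell
#!/bin/sh
# Added example, not from the original notes: sanity-check a passwd-format file against
# the layout described above. Every line must have exactly seven colon-delimited fields
# (name:password:uid:gid:gecos:home:shell). With the shadow system in use the password
# field holds only "x" (or a lock marker), so a real hash here means a password has
# leaked into the world-readable file, and an empty field means no password at all.
# Any UID 0 entry other than root is a second root login and is flagged too.
#   $1: path to a passwd file (/etc/passwd in practice; a constructed one in the test)
# Prints one finding per line; returns 1 if anything was flagged.
passwd_audit() {
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue
        # count the colons: a well-formed entry has exactly six (seven fields)
        rest=$line; colons=0
        while [ "$rest" != "${rest#*:}" ]; do
            rest=${rest#*:}; colons=$((colons + 1))
        done
        if [ "$colons" -ne 6 ]; then
            printf 'line %d: expected 7 fields, found %d\n' "$n" $((colons + 1))
            rc=1; continue
        fi
        IFS=: read -r name pw uid gid gecos home shell <<EOF
$line
EOF
        case "$pw" in
            x|'*'|'!'|'!!') ;;      # shadowed or locked: nothing stored here
            '') printf 'line %d: %s has an empty password field (login without a password)\n' "$n" "$name"; rc=1 ;;
            *)  printf 'line %d: %s stores a password hash in passwd instead of shadow\n' "$n" "$name"; rc=1 ;;
        esac
        case "$uid" in
            ''|*[!0-9]*) printf 'line %d: %s has a non-numeric UID "%s"\n' "$n" "$name" "$uid"; rc=1 ;;
            0) [ "$name" = root ] || { printf 'line %d: %s has UID 0 (extra root account)\n' "$n" "$name"; rc=1; } ;;
        esac
    done < "$1"
    return $rc
}

# Stand-alone use: sh passwd_audit.sh /etc/passwd
if [ $# -gt 0 ]; then
    passwd_audit "$@"
fi
```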

Login's behavior
  /etc/nologin: created by the root user to prevent all logins to the system by non-root users; all users attempting to log in are refused access and shown the contents of this nologin file.
  /etc/security: restricts root access to the machine; root logins are permitted only on devices which are listed in this file.
  .hushlogin in the user's home directory: if it exists, login suppresses the display of most initial messages.
  /etc/issue and /etc/issue.net: pre-login messages.
  /etc/motd: displayed by the login program after a successful login.

PAM : pluggable authentication modules.

File sharing via NFS:
  NFS is the standard UNIX file sharing protocol.  Alternatives to NFS include AFS, Coda, GFS, SFS.
  /etc/exports file: All NFS shares are defined in the /etc/exports file.
  exportfs -vra: notifies the kernel that the /etc/exports file has changed, re-reads it and makes the current sharing match what is in the file.
 
Swap
System administrators need to pay close attention to swap usage and needs. Memory usage and swap usage can be checked using tools such as free, top, vmstat, cat /proc/meminfo and swapon -s.

  Adding additional swap space: a three-step process, on page 228.

Disk usage
  The df and du commands.
  File systems can run out of both free space (data blocks) and name space for new files (inodes), so usage of both needs to be monitored.
  
Disk Quotas
Quotas can be implemented on a user and/or group basis. User quotas are enabled by the usrquota mount option and group quotas are enabled by the grpquota mount option.
 
File Access Control Lists
Provide the flexibility to assign permissions for multiple users and groups to a single file. This is different from the standard owner/group/other permissions.
The setfacl command...
Use ls -l to check whether a file has a FACL attached:
-rw-rw----+ root root *** hello.txt
The + means there is a FACL attached.

Most backup software does not yet have the capability to back up FACLs along with other file metadata.

getfacl -R * > FACLs.txt
creates a file with the ACLs of all files in the current directory, including sub-directories.

Then
setfacl --restore=FACLs.txt
 
Logical Volume Management
LVM
Linux has support for logical volume management (LVM). LVM introduces an abstraction layer between the physical disks and the file system. In the 2.6 kernel, LVM2 was introduced; it operates on top of a low-level volume manager called device mapper.
 
Redundant Array of Independent Disk
RAID 
mdadm --monitor and mdmonitor
 
Task automation and process accounting
Automatic Job Execution
 
Cron
at
batch
 
Memory status
  Examining the memory usage on running systems:
free
cat /proc/meminfo
 
Swap usage can be summarized by either of the following:
swapon -s
cat /proc/swaps
 
vmstat : to examine memory usage.
 
IO status
Basic I/O information is provided by vmstat. In addition, iostat can be run with a few different options.
iostat -d: summary
iostat -c: provides a summary of CPU utilization
mpstat: provides detailed CPU utilization
   mpstat -P ALL: displays information about all processors on the system
 
TCP/IP fundamentals
Linux handles networking through virtual devices called interfaces. For most practical purposes, an interface is a network connection, such as a connection to an Ethernet network, or a modem connection, such as one negotiated using PPP or SLIP. Several interfaces can be bound to a single physical networking device; this is done through a method known as 'IP aliasing'.
 
Local loopback interface
The loopback interface (lo) is a special network interface that points back to the machine itself.
ethtool
Display and configure ethernet interface settings.
 
Runtime configuration changes
ifconfig
ifconfig lets multiple parameters of the various network interfaces be controlled, including whether the interface is active (up) or inactive (down).
With ifconfig, the configuration is defined on the command line and is not persistent across reboots. It does not consult the persistent configuration files in the /etc/sysconfig directory tree.
The modern replacement for ifconfig is ip.
ifconfig eth0 up  or  ifconfig eth0 down
 
route:
tool for runtime management of network routing tables
 
ARP
 
DNS Resolver
cat /etc/hosts
 
Network configuration
The system-config-network tool.
 
ping sends ICMP echo request packets to hosts. Any host which receives an ICMP echo request replies with an ICMP echo response. ping can be used to test connectivity between sites, and the time elapsed between echo request and echo reply can be used to gauge the speed of the connection between the two hosts.
 
Probing for free addresses:
 
The X window System
The graphical environment for Linux is not a core part of the operating system. It is a service provided by a running process, much like a web server. The name X refers to both a network protocol and a software implementation of that protocol. An X server is responsible for controlling the video card on a system. An X client, for example a graphical text editor, communicates with the X server in order to display graphical content. One of the greatest advantages of X is the fact that X clients only communicate with the X server via the X protocol. This means that X clients and X servers can natively and transparently communicate over a network. In fact, they can even be running on entirely different operating systems.
 
Configure X Manually
The main X configuration file -- /etc/X11/xorg.conf
 
The X font server, xfs, was created to move font rendering out of the X server into a separate application.
 
All X clients use the value of the $DISPLAY environment variable to determine which X server to use. Because multiple X servers can run on the same host, each X server has a unique number, starting with 0 for the first server: $DISPLAY=hostname:0.
 
Remote X servers:
Remote X connections use TCP. The first X server on a host listens on port 6000, the second X server listens on 6001, and so on. So a $DISPLAY of theta.cn.oracle.com:0 means graphical applications should make a network connection to TCP port 6000 on theta.cn.oracle.com to reach the user's X server.
 
When using PuTTY to access a remote Linux machine, at first I only knew the command line method.

When I tried to use a GUI-type interface, for example by issuing xclock or Oracle's installation startup script in the PuTTY client, there was always an "X connection to localhost:* broken" or "can not open display" error.
Every time, I used VNC Viewer instead.

In order to use the X server connection, I had to install an X Window server like the Xming X server on the PC.

After some cracking, PuTTY on my Windows XP could issue GUI commands to the remote Linux server.

PuTTY's settings are as below:
1.  Keyboard's Backspace key setting: Control-H
2.  SSH Auth: Allow agent forwarding
3.  SSH X11: Enable X11 forwarding
                       X display location: localhost:0
xhost
The xhost command controls host-based access control. Using xhost is extremely simple. On the server, simply specify any hosts which are permitted to connect to the server:
  xhost +foo.example.com
To revoke a specific host's permission to access the server, simply replace the plus sign with a minus sign:
  xhost -foo.example.com
 
X11 forwarding considerations
Using SSH to securely run remote graphical applications is simple because SSH does all of the heavy lifting. The following is a basic description of how SSH establishes a secure X connection:
   1. The SSH client connects and logs into the SSH server.
   2. The SSH client requests X11 forwarding. The SSH server can deny this request.
   3. The SSH server creates a lightweight proxy X server and sets $DISPLAY to the appropriate value.
   4. The SSH server runs the xauth command to create an MIT magic cookie and sets $XAUTHORITY to the appropriate value.
   5. The proxy X server on the SSH server passes X traffic to the SSH client over the encrypted SSH connection.
   6. The SSH client filters out dangerous X requests, limiting the capabilities of remote graphical applications.
   7. The SSH client forwards acceptable X traffic to the real X server.
    Three points:
      A. The SSH server can refuse a client's request to enable X11 forwarding. This is controlled by the X11Forwarding directive in the sshd_config configuration file.
      B. The SSH server actually starts a lightweight proxy to tunnel X traffic. Because of the proxy, a $DISPLAY variable of localhost:10.0 is reasonable.
      C. The xauth command must be available to use X11 forwarding.
 
XDMCP
  X Display Manager Control Protocol
    can be used to run an entire desktop session on a remote system, and should only be used on a trusted network. XDMCP even supports remote graphical logins.
 
Alternative Remote Graphical Protocol
  VNC
   X allows individual applications to be run remotely and displayed locally, while VNC allows entire desktops to be displayed remotely.
  Windows desktops can be used remotely with the rdesktop command.
 
Security Concepts
   Principle of Least Privilege
   Multiple Layers of Defense & Diversity in Layers of defense
   Only as secure as the weakest link
   Simplicity is a Virtue
   Security by Obscurity is not security
 
Tightening Default Security
   Disable all unneeded services
       1. standalone daemons
         using the commands ntsysv, system-config-services or chkconfig
       2. xinetd
          Many services are started by an internet super-daemon like xinetd.
Staying current:
   Bugs will have security implications. An important task of all system administrators is ensuring that installed software is kept current and free of security holes.
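The S##name / K##name link naming from the runlevel section above and the "disable all unneeded services" point here fit together: given a list of services the system's role needs, anything else that a runlevel directory starts is a candidate for disabling. The helper below does that listing and comparison; it is an added example, not part of the original notes, runlevel_audit is an assumed name, and the test builds a constructed rc3.d directory rather than reading /etc.

```shell
#!/bin/sh
# Added example, not from the original notes: list what a runlevel directory will start,
# using the S##name / K##name link naming described in the runlevel section, and flag
# any started service that is not on an allow-list of services the system's role needs.
#   $1: runlevel directory (e.g. /etc/rc3.d; a constructed one in the test)
#   $2: space-separated allow-list of service names
# Prints "start <nn> <service>" lines in execution order (the shell sorts the S* glob
# the same way rc does), plus "unexpected <service>" for each started service that is
# not on the list; returns 1 if any were unexpected.
runlevel_audit() {
    dir=$1; allowed=$2; rc=0
    for link in "$dir"/S*; do
        [ -e "$link" ] || continue           # no S links at all: the glob stayed literal
        base=${link##*/}
        case "$base" in
            S[0-9][0-9]?*) ;;                # must be S + two digits + a service name
            *) continue ;;
        esac
        order=$(printf '%s' "$base" | cut -c2-3)   # the two-digit sequence number
        svc=${base#S??}
        printf 'start %s %s\n' "$order" "$svc"
        case " $allowed " in
            *" $svc "*) ;;
            *) printf 'unexpected %s\n' "$svc"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use: sh runlevel_audit.sh /etc/rc3.d "network sshd crond"
if [ $# -eq 2 ]; then
    runlevel_audit "$1" "$2"
fi
```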
 
SELinux Security Framework
  Allows the administrator to specify a security policy. A policy details the interactions that are expected for correct operation of the system and its services.
The security policy determines the permissible interactions between objects on the system. To determine if a specific interaction is permitted, the system compares the security context of the interacting objects with the security policy.
 
system-config-securitylevel:  graphical application to ease the administration of SELinux and policy creation.
 
TCP Wrappers provides another tool for limiting access to services by remote IP address.
