Monday, 3 July 2017

HTTP TRACE / TRACK Methods Enabled (CVE-2004-2320, CVE-2010-0386, CVE-2003-1567)

Treat: "The remote Web server supports the TRACE and/or TRACK HTTP methods, which makes it easier for remote attackers to steal cookies and authentication credentials or bypass the HttpOnly protection mechanism.
 
Track / Trace are required to be disabled to be PCI compliance."

Impact: If this vulnerability is successfully exploited, attackers can potentially steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism.

Solution: Disable these methods in your web server's configuration file.

Fix:  echo TraceEnable off >>/etc/httpd/conf/httpd.conf

Restart apache service

Disable TLSv1.0 and enable TLSv1.2 protocol in apache

Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.

The following openssl commands can be used to do a manual test:
openssl s_client -connect ip:port -tls1

If the test is successful, then the target support TLSv1


[root@test ~]# grep SSLProtocol /etc/httpd/conf.modules.d/ssl.conf
#  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLProtocol TLSv1.2
[root@test ~]#


CVE-2016-2183: Disable and stop using DES and 3DES ciphers in tomcat

Title: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
CVEID: CVE-2016-2183

Threat: "Legacy block ciphers having block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. 
All versions of SSL/TLS protocol support cipher suites which use DES or 3DES as the symmetric encryption cipher are affected."

Impact: Remote attackers can obtain cleartext data via a birthday attack against a long-duration encrypted session.

Solution: "Disable and stop using DES and 3DES ciphers.
The following openssl commands can be used to do a manual test:
openssl s_client -connect ip:port -cipher ""DES:3DES"" -ssl2
openssl s_client -connect ip:port -cipher ""DES:3DES"" -ssl3
openssl s_client -connect ip:port -cipher ""DES:3DES"" -tls1
openssl s_client -connect ip:port -cipher ""DES:3DES"" -tls1_1
openssl s_client -connect ip:port -cipher ""DES:3DES"" -tls1_2

If any of these tests is successful, then the target is vulnerable to Sweet32."

Fix: In file /etc/tomcat/server.xml remove SSL_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

Post modifying file should look like below

               ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"

Disable TLSv1 in java

Check which Java is currently running

[root@test ~]# java -version
java version "1.7.0_141"
OpenJDK Runtime Environment (rhel-2.6.10.1.el7_3-x86_64 u141-b02)
OpenJDK 64-Bit Server VM (build 24.141-b02, mixed mode)


Make changes in respective java.security file

Look for jdk.tls.disabledAlgorithms

[root@test ~]# grep TLSv1 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64/jre/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, EC keySize < 224

Update like below

[root@test ~]# grep TLSv1 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64/jre/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, EC keySize < 224, TLSv1

Restart respective java service to take effect.


CVE-2016-2183 : Disable and stop using DES and 3DES ciphers in apache

TITLE: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
CVEID: CVE-2016-2183

We need to add DES and 3DES in /etc/httpd/conf.modules.d/ssl.conf file in order to disable it.

Look for SSLCipherSuite line

[root@test ~]# grep SSLCipherSuite /etc/httpd/conf.modules.d/ssl.conf
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
[root@test ~]#

Modify like below

[root@test ~]# grep SSLCipherSuite /etc/httpd/conf.modules.d/ssl.conf
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!DES:!3DES
[root@test ~]#

Restart the required services for the port which u got vulnerability.

The following openssl commands can be used to do a manual test:
openssl s_client -connect ip:port -cipher "DES:3DES" -ssl2
openssl s_client -connect ip:port -cipher "DES:3DES" -ssl3
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1_1
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1_2


[root@test ~]# openssl s_client -connect 10.10.10.1:443 -cipher "DES:3DES" -tls1_2
CONNECTED(00000003)
140592171460512:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140592171460512:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1499085145
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
[root@test ~]#


Monday, 5 June 2017

ansible playbook to check selinux status


# ansible-playbook selinux.yml --user ranjith --extra-vars "host=10.10.10.11"

---
- hosts: "{{ host }}"
  become: yes
  become_method: sudo
  tasks:
    - name: getting selinux status
      command: getenforce
      register: result

    - name: removing old status file
      local_action: file path={{ playbook_dir }}/{{ inventory_hostname }}-selinux-{{ result.stdout }} state=absent

    - name: saving selinux status
      local_action: file path={{ playbook_dir }}/{{ inventory_hostname }}-selinux-{{ result.stdout }} state=touch

This playbook creates a file in the playbook directory in name like 10.10.10.11-selinux-Disabled

Sunday, 4 June 2017

Ansible playbook to register rhel 6 and rhel 7 clients to satellite 6

Below playbook can be used to register rhel 6/7 clients to get unregistered from existing satellite 5 and registers it to satellite 6.

The clients gets registered with respective activation key in my case the activation key names are RHEL6 and RHEL7.

# ansible-playbook register.yml --extra-vars "host=givehostip|groupname" --extra-vars "satelliteip=givesatelliteip" --user ranjith

---
- hosts: "{{ host }}"
  become: yes
  become_method: sudo
  tasks:
    - name: Download and install a copy of the CA Certificate for the Red Hat Satellite 6 server
      yum:
        disable_gpg_check: yes
        name: http://{{satelliteip}}/pub/katello-ca-consumer-latest.noarch.rpm
        state: present
      when:
        - ansible_distribution_major_version == "6" or ansible_distribution_major_version == "7"
    - name: Setting enabled=1 in subscription-manager.conf
      lineinfile:
        path: /etc/yum/pluginconf.d/subscription-manager.conf
        regexp: '^enabled'
        line: 'enabled=1'
      when:
        - ansible_distribution_major_version == "6" or ansible_distribution_major_version == "7"
    - name: Setting enabled=0 in rhnplugin.conf
      lineinfile:
        path: /etc/yum/pluginconf.d/rhnplugin.conf
        regexp: '^enabled'
        line: 'enabled=0'
      when:
        - ansible_distribution_major_version == "6" or ansible_distribution_major_version == "7"
    - name: delete the rhn registration locally
      command: mv /etc/sysconfig/rhn/systemid /etc/sysconfig/rhn/systemid.bak
      when:
        - ansible_distribution_major_version == "6" or ansible_distribution_major_version == "7"
      ignore_errors: True
    - name: Register with activationkey matching Red Hat Enterprise Server Version 6
      redhat_subscription:
        state: present
        activationkey: RHEL6
        org_id: Default_Organization
      when:
        - ansible_distribution_major_version == "6"
    - name: Register with activationkey matching Red Hat Enterprise Server Version 7
      redhat_subscription:
        state: present
        activationkey: RHEL7
        org_id: Default_Organization
      when:
        - ansible_distribution_major_version == "7"
    - name: Skipping server matching Red Hat Enterprise Server Version 5
      shell: echo "This certainly is history!"
      when:
        - ansible_distribution_major_version == "5"
    - name: Install katello-agent
      yum:
        name: katello-agent
        state: present
      when:
        - ansible_distribution_major_version == "6" or ansible_distribution_major_version == "7"

Ansible playbook to patch and reboot RHEL 6 and RHEL 7 servers

How to run:

If single host give host ip like below in the command else for group patch, update the /etc/ansible/hosts file with server list and give the group name as host variable value. The playbook also collects required information like mount status resolv.conf and ntpstat as per my requirement, you can add your commands in the shell section. The information collected will be stored in the name of serverip-prepatch.txt and serverip-postpatch.txt and saves it in the playbook directory.


# ansible-playbook patchreboot.yml --extra-vars "host=10.10.11.70" --user ranjith

---
- hosts: "{{ host }}"
  become: yes
  become_method: sudo
  tasks:
    - name: running prepatch info commands
      shell: |
        df -hP
        cat /etc/resolv.conf
        ntpstat
      register: prepatch
      ignore_errors: True
    - name: removing old prepatch info file
      local_action: file path={{ playbook_dir }}/{{ inventory_hostname }}-prepatch.txt state=absent
    - name: storing prepatch info
      local_action: copy content={{ prepatch.stdout }} dest={{ playbook_dir }}/{{ inventory_hostname }}-prepatch.txt
    - name: upgrade all packages
      yum:
        name: '*'
        state: latest
    - name: restart server
      command: /sbin/reboot
      async: 0
      poll: 0
      ignore_errors: true
    - name: Pause for 180 seconds
      pause: minutes=3
    - name: wait for the server to restart
      local_action: wait_for host={{ inventory_hostname }}
                    port=22
                    delay=15
                    timeout=300
                    state=started
                    connect_timeout=15
    - name: restarting ntpserver
      service:
        name: ntpd
        state: restarted
        enabled: yes
    - name: running postpatch info commands
      shell: |
        df -hP
        cat /etc/resolv.conf
        sleep 10
        ntpstat
      register: postpatch
      ignore_errors: True
    - name: removing old postpatch info file
      local_action: file path={{ playbook_dir }}/{{ inventory_hostname }}-postpatch.txt state=absent
    - name: storing postpatch info
      local_action: copy content={{ postpatch.stdout }} dest={{ playbook_dir }}/{{ inventory_hostname }}-postpatch.txt

Sunday, 29 January 2017

INTRODUCTION TO SYSTEMD

Systemd is a system and service manager for Linux operating systems. It is designed to be backwards compatible with SysV init scripts, and provides a number of features such as parallel startup of system services at boot time, on-demand activation of daemons, support for system state snapshots, or dependency-based service control logic. In Red Hat Enterprise Linux 7, systemd replaces Upstart as the default init system.

 Systemd Unit Locations

Directory                                             Description
/usr/lib/systemd/system/            Systemd units distributed with installed RPM packages.
/run/systemd/system/                  Systemd units created at run time. This directory takes precedence over the directory with installed service units.
/etc/systemd/system/                   Systemd units created and managed by the system administrator. This directory takes precedence over the directory with runtime units.

MANAGING SYSTEM SERVICES

Previous versions of Red Hat Enterprise Linux, which were distributed with SysV init or Upstart, used init scripts located in the /etc/rc.d/init.d/ directory. These init scripts were typically written in Bash, and allowed the system administrator to control the state of services and daemons in their system. In Red Hat Enterprise Linux 7, these init scripts have been replaced with service units.
Service units end with the .service file extension and serve a similar purpose as init scripts. To view, start, stop, restart, enable, or disable system services, use the systemctl command as described in Table 21.2.1 “Comparison of the service Utility with systemctl ”, Table 21.2.2 “Comparison of the chkconfig Utility with systemctl”, and in the section below. The service and chkconfig commands are still available in the system and work as expected, but are only included for compatibility reasons and should be avoided.

Comparison of the service Utility with systemctl

service
systemctl
Description
service name start
systemctl start name.service
Starts a service.
service name stop
systemctl stop name.service
Stops a service.
service name restart
systemctl restart name.service
Restarts a service.
service name condrestart
systemctl try-restart name.service
Restarts a service only if it is running.
service name reload
systemctl reload name.service
Reloads configuration.
service name status
systemctl status name.service
systemctl is-active name.service
Checks if a service is running.
service --status-all
systemctl list-units --type service --all
Displays the status of all services.

Comparison of the chkconfig Utility with systemctl

chkconfig
systemctl
Description
chkconfig name on
systemctl enable name.service
Enables a service.
chkconfig name off
systemctl disable name.service
Disables a service.
chkconfig --list name
systemctl status name.service
systemctl is-enabled name.service
Checks if a service is enabled.
chkconfig --list
systemctl list-unit-files --type service
Lists all services and checks if they are enabled.
chkconfig --list
systemctl list-dependencies --after
Lists services that are ordered to start before the specified unit.
chkconfig --list
systemctl list-dependencies --before
Lists services that are ordered to start after the specified unit.

Starting a Service


To start a service unit that corresponds to a system service, type the following at a shell prompt as root:
systemctl start name.service
Replace name with the name of the service unit you want to start (for example, gdm). This command starts the selected service unit in the current session.
Example Starting a Service
The service unit for the Apache HTTP Server is named httpd.service. To activate this service unit and start the httpd daemon in the current session, run the following command as root:
~]# systemctl start httpd.service

Stopping a Service

To stop a service unit that corresponds to a system service, type the following at a shell prompt as root:
systemctl stop name.service
Replace name with the name of the service unit you want to stop (for example, bluetooth). This command stops the selected service unit in the current session.
Example Stopping a Service
The service unit for the bluetoothd daemon is named bluetooth.service. To deactivate this service unit and stop the bluetoothd daemon in the current session, run the following command as root:
~]# systemctl stop bluetooth.service

 Restarting a Service

To restart a service unit that corresponds to a system service, type the following at a shell prompt as root:
systemctl restart name.service
Replace name with the name of the service unit you want to restart (for example, httpd). This command stops the selected service unit in the current session and immediately starts it again. Importantly, if the selected service unit is not running, this command starts it too. To tell systemd to restart a service unit only if the corresponding service is already running, run the following command as root:
systemctl try-restart name.service
Certain system services also allow you to reload their configuration without interrupting their execution. To do so, type as root:
systemctl reload name.service
Note that system services that do not support this feature ignore this command altogether. For convenience, the systemctl command also supports the reload-or-restart and reload-or-try-restart commands that restart such services instead.
Example Restarting a Service
In order to prevent users from encountering unnecessary error messages or partially rendered web pages, the Apache HTTP Server allows you to edit and reload its configuration without the need to restart it and interrupt actively processed requests. To do so, type the following at a shell prompt as root:
~]# systemctl reload httpd.service

Enabling a Service

To configure a service unit that corresponds to a system service to be automatically started at boot time, type the following at a shell prompt as root:
systemctl enable name.service
Replace name with the name of the service unit you want to enable (for example, httpd). This command reads the [Install] section of the selected service unit and creates appropriate symbolic links to the /usr/lib/systemd/system/name.service file in the /etc/systemd/system/ directory and its subdirectories. This command does not, however, rewrite links that already exist. If you want to ensure that the symbolic links are re-created, use the following command as root:
systemctl reenable name.service
This command disables the selected service unit and immediately enables it again.

Example Enabling a Service
To configure the Apache HTTP Server to start automatically at boot time, run the following command as root:
~]# systemctl enable httpd.service
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'

Disabling a Service

To prevent a service unit that corresponds to a system service from being automatically started at boot time, type the following at a shell prompt as root:
systemctl disable name.service
Replace name with the name of the service unit you want to disable (for example, bluetooth). This command reads the [Install] section of the selected service unit and removes appropriate symbolic links to the /usr/lib/systemd/system/name.service file from the /etc/systemd/system/ directory and its subdirectories. In addition, you can mask any service unit to prevent it from being started manually or by another service. To do so, run the following command as root:
systemctl mask name.service
This command replaces the /etc/systemd/system/name.service file with a symbolic link to /dev/null, rendering the actual unit file inaccessible to systemd. To revert this action and unmask a service unit, type as root:
systemctl unmask name.service
Example Disabling a Service
To prevent this service unit from starting at boot time, type the following at a shell prompt as root:
~]# systemctl disable bluetooth.service
rm '/etc/systemd/system/dbus-org.bluez.service'

rm '/etc/systemd/system/bluetooth.target.wants/bluetooth.service'

Changing the Time Zone in RHEL 7

To list all available time zones, type the following at a shell prompt:
~]# timedatectl list-timezones
To change the currently used time zone, type as root:
~]# timedatectl set-timezone time_zone
Replace time_zone with any of the values listed by the timedatectl list-timezones command.
Example Changing the Time Zone
To identify which time zone is closest to your present location, use the timedatectl command with the list-timezones command line option. For example, to list all available time zones in Europe, type:
~]# timedatectl list-timezones | grep Europe
Europe/Amsterdam
Europe/Andorra
Europe/Athens
Europe/Belgrade
Europe/Berlin
Europe/Bratislava
To change the time zone to Europe/Prague, type as root:

~]# timedatectl set-timezone Europe/Prague

NTP configuration in RHEL 7

The Network Time Protocol (NTP) enables the accurate dissemination of time and date information in order to keep the time clocks on networked computer systems synchronized to a common reference over the network or the Internet. Many standards bodies around the world have atomic clocks which may be made available as a reference. The satellites that make up the Global Position System contain more than one atomic clock, making their time signals potentially very accurate. Their signals can be deliberately degraded for military reasons. An ideal situation would be where each site has a server, with its own reference clock attached, to act as a site-wide time server. Many devices which obtain the time and date via low frequency radio transmissions or the Global Position System (GPS) exist. However for most situations, a range of publicly accessible time servers connected to the Internet at geographically dispersed locations can be used. These NTP servers provide “Coordinated Universal Time” (UTC). Information about these time servers can found at www.pool.ntp.org.
Accurate time keeping is important for a number of reasons in IT. In networking for example, accurate time stamps in packets and logs are required. Logs are used to investigate service and security issues and so time stamps made on different systems must be made by synchronized clocks to be of real value. As systems and networks become increasingly faster, there is a corresponding need for clocks with greater accuracy and resolution. In some countries there are legal obligations to keep accurately synchronized clocks. Please see www.ntp.org for more information. In Linux systems, NTP is implemented by a daemon running in user space. The default NTP user space daemon in Red Hat Enterprise Linux 7 is chronyd. It must be disabled if you want to use the ntpd daemon.

[root@RHEL7 ~]# systemctl stop chronyd
[root@RHEL7 ~]# systemctl disable chronyd
[root@RHEL7 ~]# yum install ntp
Configure ntp.conf file like shown below
[root@RHEL7 ~]# cat /etc/ntp.conf
tinker panic 0
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server 10.18.17.32 iburst
server 10.18.17.33 iburst
server 10.18.11.30 iburst
server 10.18.11.31 iburst
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
[root@RHEL7 ~]# systemctl restart ntpd
[root@RHEL7 ~]# systemctl status ntpd
[root@RHEL7 ~]# systemctl enable ntpd
[root@RHEL7 ~]# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.18.17.32    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 10.18.17.33    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
*10.18.11.30    10.18.11.30     5 u  261  512  377    0.827   -8.280  10.270
+10.18.11.31    10.18.11.30     5 u  497  512  377    0.720  -23.474  11.101

[root@RHEL7 ~]# ntpstat
synchronised to NTP server (10.18.11.30) at stratum 6
   time correct to within 388 ms
   polling server every 512 s
[root@RHEL7 ~]#

timedatectl command gives a detailed info about system time and date

[root@RHEL7 ~]# timedatectl
      Local time: Thu 2015-12-31 00:27:00 CST
  Universal time: Thu 2015-12-31 06:27:00 UTC
        RTC time: Thu 2015-12-31 06:27:00
       Time zone: America/Chicago (CST, -0600)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2015-11-01 01:59:59 CDT
                  Sun 2015-11-01 01:00:00 CST
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2016-03-13 01:59:59 CST
                  Sun 2016-03-13 03:00:00 CDT

VMware tools in RHEL 7

The open-vm-tools package is a suite of open source virtualization utilities and drivers which improve performance and user experience when running Red Hat Enterprise Linux 7 as a guest on a VMware vSphere ESX(i) hypervisor. The open-vm-tools package provides a secure and authenticated mechanism for performing various operations on the guest operating system from the hypervisor.

Red Hat Enterprise Linux 7 includes the latest stable release of open-vm-tools. Updates to the open-vm-tools package are provided with the operating system maintenance updates and patches.

[root@RHEL7 ~]# rpm -qa |grep open-vm
open-vm-tools-9.10.2-4.el7.x86_64
open-vm-tools-desktop-9.10.2-4.el7.x86_64
[root@RHEL7 ~]#

To interact with open-vm-tools , issue commands to the vmtoolsd service from a guest with the systemctl command, for example:

To query whether open-vm-tools is running:

# systemctl status vmtoolsd.service

To start open-vm-tools:

# systemctl start vmtoolsd.service

To start open-vm-tools on boot, enable the vmtoolsd service:

# systemctl enable vmtoolsd.service

To restart open-vm-tools:

# systemctl restart vmtoolsd.service

To stop open-vm-tools:

# systemctl stop vmtoolsd.service

To disable the vmtoolsd service from running at boot:

# systemctl disable vmtoolsd.service

For additional help with the vmtoolsd and other commands, run:


# systemctl help vmtoolsd

CONFIGURE NIC (NETWORK INTERFACE CARD) BONDING in RHEL 7

NIC (Network Interface Card) bonding is also known as Network bonding. It can be defined as the aggregation or combination of multiple NIC into a single bond interface. Its main purpose is to provide high availability and redundancy.

Policy Details
Ploicy Name
Code
Description
balance-rr
0
Round-Robin policy for fault tolerance
active-backup
1
Active-Backup policy for fault tolerance
balance-xor
2
Exclusive-OR policy for fault tolerance
broadcast
3
All transmissions are sent on all slave interfaces.
802.3ad
4
Dynamic link aggregation policy
balance-tlb
5
Transmit Load Balancing policy for fault tolerance
balance-alb
6
Active Load Balancing policy for fault tolerance

Prerequisite:

If bonding module is not loaded on your linux box then use the below command to load.

# modprobe bonding

To list the bonding module info, use following command.

# modinfo bonding
[root@localhost ~]# modinfo bonding
filename:       /lib/modules/3.10.0-229.el7.x86_64/kernel/drivers/net/bonding/bonding.ko
alias:          rtnl-link-bond
author:         Thomas Davis, tadavis@lbl.gov and many others
description:    Ethernet Channel Bonding Driver, v3.7.1
version:        3.7.1
license:        GPL
rhelversion:    7.1

create a file bonding.conf in /etc/modprobe.d/

[root@localhost ~]# vi /etc/modprobe.d/bonding.conf
alias bond0 bonding
[root@localhost ~]#

Create a bond interface file. In my case its bond0

[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# vi ifcfg-bond0
DEVICE=bond0
TYPE=Bond
NAME=bond0
BONDING_MASTER=yes
BOOTPROTO=none
ONBOOT=yes
IPADDR=x.x.x.x
NETMASK=x.x.x.x
GATEWAY=x.x.x.x
DNS1=x.x.x.x
BONDING_OPTS="mode=1 miimon=100"
[root@localhost network-scripts]#

Choose desired bond policy and make changes in BONDING_OPTS field. In my case I have chosen mode 1 which is active backup.

Configure the existing interfaces as slave to bond0

[root@localhost network-scripts]# cat ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
DEVICE=eth0
ONBOOT=yes
HWADDR="00:50:56:96:64:9d"
MASTER=bond0
SLAVE=yes
[root@localhost network-scripts]# cat ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=none
DEVICE=eth1
ONBOOT=yes
HWADDR="00:50:56:96:18:a6"
MASTER=bond0
SLAVE=yes
[root@localhost network-scripts]# systemctl restart network
[root@localhost network-scripts]# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:50:56:96:64:9d
Slave queue ID: 0

Slave Interface: eth1
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:50:56:96:18:a6
Slave queue ID: 0
[root@localhost ~]#


We have successfully configured nic bonding with Bonding Mode: fault-tolerance (active-backup)

HOW TO DISABLE CTRL-ALT-DEL IN RHEL7

Disable the ctrl + Alt + delete key combination, one need to mask a service. This is like disabling a service,
Run the following command:
[root@RHEL7 ~]# ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
Or
[root@RHEL7 ~]# systemctl mask ctrl-alt-del.target
Created symlink from /etc/systemd/system/ctrl-alt-del.target to /dev/null.
NOTE: systemd will recognize units symlinked to /dev/null and show them as masked. If one try to send key combination, this will fail with following similar error.
However above steps will not disable ctrl + Alt + delete key combination, in GUI mode. To disable it in GUI change keyboard settings.
Navigate to  Applications -> System Tools -> Settings -> Keyboard  -> Shortcuts -> System

Set value of `Logout` as Disabled