Linux system security


Several files related to system security:

/etc/shells //available shell environments

/etc/passwd //user account information

/etc/shadow //user password information

/etc/group //group information

/var/log/secure //su log information

/etc/sysconfig/network //host name configuration file



Lock user password:

usermod -L username

passwd -l username


Unlock user password:

usermod -U username

passwd -u username

passwd -S username //view user status



User File Management:

/etc/skel //template directory for all user home directories

.bash_profile //executed when logging on to the system

.bash_logout //executed at logoff

.bashrc //executed when switching to a new shell





File Lock:

chattr +i file //lock the file

chattr -i file //unlock the file

lsattr //view file status



User Password Management:

chage -d 0 username //force the user to change the password at next login

chage -M days username //set the number of days after which the user's password expires

sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 30/' /etc/login.defs //passwords of users created afterwards are valid for 30 days by default



Command History Management:

history //view command history

history -c //clear command history

sed -i 's/HISTSIZE.*/HISTSIZE=10/' /etc/profile //change the default number of command history entries to 10

echo 'export TMOUT=600' >> /etc/profile //log the user off after 600 seconds without activity on the terminal

. /etc/profile //re-read the configuration file so that the modified configuration takes effect



su command management:

su -l username //switch user

echo 'auth required pam_wheel.so use_uid' >> /etc/pam.d/su //allow only specified users to use su to switch users

gpasswd -a username wheel //add the users who are allowed to use the su command to the wheel group
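
A way to check that the password-aging, idle-timeout and su settings from the three sections above are actually in place. This is an added example, not part of the original article; the function names, the root-prefix argument and the sample files are assumptions made for the illustration.

```shell
# Added example. The ROOT prefix (first argument) is an assumption of this sketch so
# the checks can run against a copy of /etc; pass "" to audit the live system.

# Effective PASS_MAX_DAYS: the last uncommented entry in login.defs.
pass_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { if (v != "") print v }' "$1/etc/login.defs"
}

# Last TMOUT value exported from /etc/profile (seconds of idle time).
tmout_value() {
    sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}TMOUT=\([0-9]\{1,\}\).*/\1/p' \
        "$1/etc/profile" | tail -n 1
}

# True only if an uncommented "auth required pam_wheel.so" line is present.
su_restricted_to_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1/etc/pam.d/su"
}

# audit ROOT MAX_DAYS: print one FAIL line per missing setting, return 1 if any.
audit() {
    root=$1; max=$2; rc=0
    d=$(pass_max_days "$root")
    if [ -z "$d" ] || [ "$d" -gt "$max" ]; then echo "FAIL PASS_MAX_DAYS=${d:-unset}"; rc=1; fi
    t=$(tmout_value "$root")
    if [ -z "$t" ] || [ "$t" -eq 0 ]; then echo "FAIL TMOUT=${t:-unset}"; rc=1; fi
    su_restricted_to_wheel "$root" || { echo "FAIL su is not limited to wheel"; rc=1; }
    return "$rc"
}

# Constructed sample trees: "hardened" as the page configures it, else stock-like.
make_sample() {
    dir=$(mktemp -d) && mkdir -p "$dir/etc/pam.d" || return 1
    if [ "$1" = hardened ]; then
        echo 'PASS_MAX_DAYS 30' > "$dir/etc/login.defs"
        echo 'export TMOUT=600' > "$dir/etc/profile"
        echo 'auth required pam_wheel.so use_uid' > "$dir/etc/pam.d/su"
    else
        echo 'PASS_MAX_DAYS 99999' > "$dir/etc/login.defs"
        echo 'HISTSIZE=1000' > "$dir/etc/profile"
        echo '#auth required pam_wheel.so use_uid' > "$dir/etc/pam.d/su"
    fi
    echo "$dir"
}
```

Calling audit "" 30 checks the running system; note that a commented-out pam_wheel.so line is reported as a failure.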




The sudo command in detail:

sudo: lets the current user execute specified commands on specified hosts as another specified user


Config file: /etc/sudoers, the sudo definition file. It is generally edited with visudo, which checks the syntax automatically

Format: authorized user  host allowed to log on = (run-as user, typically root)  command to run


Example: lisi ALL=(root) /sbin/ifconfig //allow user lisi to run the ifconfig command as root on all hosts



Alias (group) settings:

1. User_Alias (user alias)

2. Host_Alias (host alias)

3. Cmnd_Alias (command alias)



User aliases can include:

1. The user's user name

2. A group name, prefixed with %

3. Other user aliases that have been defined



Host aliases can include:

1. Host Name

2. IP Address

3. Other host aliases that have already been defined



Command aliases can contain:

1. The absolute path of the command

2. Other defined command aliases



Note: The name of the alias must be in all uppercase English letters



Special format settings:

Cmnd_Alias COM = /usr/bin/passwd [a-zA-Z]* //the user name given to the passwd command must begin with a letter

Cmnd_Alias ELSE = !/usr/bin/passwd root //the command passwd root cannot be executed


The two are generally used together:

Cmnd_Alias NAME = /usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root //does not allow setting the password for root; ! negates


This format is typically used when a command can pose a threat to the security of the root user itself.



Examples of aliases:

User_Alias USER = user1,user2,user3,user4,user5 ... //set user aliases

Host_Alias HOST = host1,host2,host3,host4,host5 ... //set host aliases

Cmnd_Alias COMD = comd1,comd2,comd3,comd4,comd5 ... //set command aliases
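
The alias definitions above only take effect once a rule refers to them. The following added example (not from the original article) writes a fragment that combines all three alias types with the passwd restriction into one rule, then checks it; apart from lisi, the member names, host entries and alias names are hypothetical.

```shell
# Added example: a sudoers fragment assembled from the alias forms on this page.
# OPERATORS, WEBHOSTS, NETCMDS, PASSWDCMD and their members are hypothetical.
write_fragment() {
    cat > "$1" <<'EOF'
User_Alias  OPERATORS = lisi, zhangsan, %netadmin
Host_Alias  WEBHOSTS  = web1, 192.168.1.10
Cmnd_Alias  NETCMDS   = /sbin/ifconfig, /sbin/route
Cmnd_Alias  PASSWDCMD = /usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root

# user alias  host alias = (run-as user)  command aliases
OPERATORS   WEBHOSTS = (root) NETCMDS, PASSWDCMD
EOF
}

# Alias names must be uppercase (sudoers also accepts digits and underscores
# after the first letter). Print the name of every definition that is not.
bad_alias_names() {
    awk '$1 ~ /^(User|Host|Cmnd)_Alias$/ && $2 !~ /^[A-Z][A-Z0-9_]*$/ { print $2 }' "$1"
}

# Reject bad alias names, then syntax-check with visudo when it is installed.
check_fragment() {
    [ -z "$(bad_alias_names "$1")" ] || return 1
    if command -v visudo >/dev/null 2>&1; then visudo -cf "$1" >/dev/null; fi
}
```

Write the fragment to a scratch file first and install it under /etc/sudoers.d only after check_fragment succeeds, so a syntax error never reaches the live configuration.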




Disable Ctrl+Alt+Del restart:

/etc/init/control-alt-delete.conf //comment out all the contents of this configuration file



Set GRUB password:

/boot/grub/grub.conf //modify the GRUB configuration file

grub-md5-crypt //generate an encrypted string

password --md5 encrypted string //GRUB edit password

title //the difference is whether the password line is placed before or after the title line

password --md5 encrypted string //kernel load password



TTY terminal number control:

/etc/init/start-ttys.conf //tty terminal configuration file

env ACTIVE_CONSOLES=/dev/tty[1-6] //file contents: the terminals that are opened

env X_TTY=/dev/tty1 //file contents: the default login terminal


/etc/sysconfig/init //tty terminal configuration file

ACTIVE_CONSOLES=/dev/tty[1-6] //file contents: the terminals that are opened; to change this setting, both files must be changed together



Control root user login terminals:

/etc/securetty //configuration file listing the terminals from which the root user may log in



Prohibit all ordinary users from logging on to the system:

touch /etc/nologin //only need to create the file






This article is from the "Automated Operations" blog, please be sure to keep this source http://hongchen99.blog.51cto.com/12534281/1908207
