Linux Security-User account-File system-user switch and sudo right

Source: Internet
Author: User
Tags account security

System Hardening (Local security of the server)

1 User account Security

2 File system security (configuration of System configuration file security services)

Important Data files

Mounted File System mount

Types of file permissions rwx suid sgid t-bit facl

++++++++++++++++++++++++++++++++++++++++++

Prevent normal users from shutting down: Build a 700 folder mkdir-m 700 folder name

Cd/etc/security/console.spps

MV Poweroff Reboot Halt and other copies to the newly created directory ordinary users will not be able to shut down the computer

++++++++++++++++++++++++++++++++++++++++++

Create a user and specify a validity period useradd-e 2016-04-30 Tom

View user password expiration chage-l Tom

Add User Login Default profile/etc/login.defs

Clear User Password passwd-d Tom

+++++++++++++++++++++++++++++++++++++++++++++++++

Mount [-T file system type] [-o mount option] Device system directory


Defaults default mount (man Mount/defaults)

/etc/fstab which devices are automatically mounted when the system is started

MOUNT-T file system Type-o Noexec.nosuid/dev/sdc1/disk noexec indicates that this hangs in the directory without exec permissions, nosuid means to remove root-owned permissions

Experiment:

Vim a.sh

RM-RF/*

: Wq

CP a.sh/disk/

chmod +x/disk/a.sh

Cd/disk

./a.sh the script has execute permission and cannot execute because/disk has no EXEC permission

++++++++++++++++++++++++++++++++++++

Add a or I (or =) attribute to the file (I immutable a can only be appended)

Lsattr/etc/resolv.conf #查看文件的属性

Chattr +a or +i file name lock protection file

Chattr-a or-I file name unlock protected file


++++++++++++++++++++++++++++++++++++++++++

Encryption for Grub

Encryption Grup

Title xxxxxxxx

Boot (boot system)/boot/grub/grub.conf

/etc/grub.conf

Encrypt plaintext password/boot/grub/grub.conf title top row plus password 1234567

Cryptographic encryption generates password: Grub-md-crypt copy generated to password placed on title up and down line password--MD5 * * * (Generate to password)

++++++++++++++++++++++++++++++++++++++++++++

Disable Ctrl+alt+del Hotkey Configuration

/etc/init/control-alt-delete.conf

#start on Control-alt-delete Log off


Disable Normal user login Touch/etc/nologin normal users cannot log on to the system immediately

++++++++++++++++++++++++++++++

Delete the following file contents or modify to prevent external intrusion and view:

/etc/issue used for local login (prompt kernel, system version information)

/etc/issue.net remote login (prompt kernel, system version information)

+++++++++++++++++++++++++++++

The last file to load before logging into the system (you can execute various scripts or commands)/etc/rc.local


++++++++++++++++++++++++++++++

Which TTY terminals are allowed to be enabled

Configuration file/etc/sysconfig/init (default 23 lines)

ACTIVE_CONSOLES=/DEV/TTY[1-6] Modify this configuration


Only allow root to log in from a specified number of terminals

Configuration file/etc/securetty

++++++++++++++++++++++++++++++++++

View current login account WhoAmI

User switch su user name or Su-user name

Su-User name-C "command" executes the command with the specified user without switching the user (requires knowledge of the specified user password)

Su-oracle-c ".... /bin/lsnrctl Start "

Su-oracle-c ".... /bin/dbstart $ORACLE _home "

Su-root-c "Touch/tmp/test.txt"


Viewing the use of SU switching

Cat/var/log/secure

++++++++++++++++++++++++++++++++++++++++++++++++++

Extracting sudo

/etc/sudoers configuration file (Quick Open File command Visudo)

Right for ordinary users: sudo

Sudo-l View your Udo authorization

Sudo-u Zhangsan Mkdir/tmp/haha Create a new folder in another user with the permissions of the user Zhangsan

Sudo/sbin/ifconfig eth0:1 1.1.1.1 Switch to user, execute sudo command


Example:/% name (representing group)

User host list = command list

Root all= (All) all allows root to run all commands on all hosts

Root all= (All) nopasswd:all allow ROOT to run all commands without entering a password on all hosts

Mike Localhost,svr=/sbin/*,!/sbin/ifconfig Eth0 allows Mike to perform all commands under/sbin/with root, but disables the ability to modify the parameters of the eth0 NIC

Mike Localhost,localdomain=/sbin/* allows Mike to execute all commands under/sbin/with root in the Localdomain host

Mike Localhost,localdomain=/sbin/ifconfig allows Mike to execute ifconfig a command under/sbin/in the Localdomain host


sudo alias settings (simplified operation

User_alias Hahazu Uppercase) =tom,mike,jim user alias

Host_alias server=mail,svr,pc205 Host Alias

Cmnd_alias Mingling=/bin/rpm,/usr/bin/yum Command Alias

Hahazu server=mingling

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Modify global configuration, enable logging

Defaults logfile= "/var/log/sudo" once again sudo generates a log file









Linux Security-User account-File system-user switch and sudo right

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.