System Hardening (Local security of the server)
1 User account security
2 File system security (protecting system configuration files and the services they configure)
Important data files
Mounted file systems (mount)
Types of file permissions: rwx, suid, sgid, t-bit (sticky bit), facl
++++++++++++++++++++++++++++++++++++++++++
Prevent ordinary users from shutting down: create a directory with mode 700, then move the console helper files into it:
mkdir -m 700 <backup directory>
cd /etc/security/console.apps
mv poweroff reboot halt <backup directory>
Once poweroff, reboot, halt and the other helper files have been moved into the new directory, ordinary users can no longer shut down the machine.
++++++++++++++++++++++++++++++++++++++++++
Create a user with an account expiry date: useradd -e 2016-04-30 tom
View a user's password ageing and expiry information: chage -l tom
Defaults applied when a user is added: /etc/login.defs
Clear a user's password (the account is then left with no password): passwd -d tom
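The commands above create two conditions worth checking for afterwards: an account whose password field is empty (what passwd -d leaves behind) and an account with a usable password hash but no expiry date. The following shell script is an added example, not part of these notes; it reads /etc/shadow-style records from stdin and flags both. The records it runs on are constructed samples, not from any real system, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit /etc/shadow-style records for two weaknesses:
#  - an empty password field (what "passwd -d" leaves behind)
#  - a usable password hash ($...) with no expiry date (field 8 empty)
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
audit_shadow() {
    awk -F: '
        $2 == "" { printf "EMPTY_PASSWORD %s\n", $1 }
        # Only accounts with a real hash count; "*", "!" and "!!" are locked.
        # root is exempt because it is not expected to expire.
        $1 != "root" && $2 ~ /^\$/ && $8 == "" { printf "NO_EXPIRY %s\n", $1 }
    '
}

# Constructed sample records (hashes are fake). 16921 is 2016-04-30 expressed
# as days since the epoch, i.e. what "useradd -e 2016-04-30 tom" stores.
SAMPLE_SHADOW='root:$6$saltA$fakehashroot:16800:0:99999:7:::
tom:$6$saltB$fakehashtom:16800:0:99999:7::16921:
mike:$6$saltC$fakehashmike:16800:0:99999:7:::
jim::16800:0:99999:7:::
daemon:*:16800:0:99999:7:::
sshd:!!:16800:0:99999:7:::'

# Run the audit over the constructed sample.
audit_sample() { printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow; }

# Against the real file (root is needed to read it):  audit_shadow < /etc/shadow
audit_sample
```

On the sample this reports NO_EXPIRY for mike and EMPTY_PASSWORD for jim; tom is not reported because his expiry was set, and the locked system accounts are ignored.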
+++++++++++++++++++++++++++++++++++++++++++++++++
mount [-t file-system-type] [-o mount-options] device mount-point
defaults = the default set of mount options (see man mount, "defaults")
/etc/fstab lists the devices that are mounted automatically when the system starts
mount -t <file-system-type> -o noexec,nosuid /dev/sdc1 /disk
noexec means nothing on this mount can be executed directly; nosuid means the set-user-ID and set-group-ID bits on files in this file system are ignored, so a binary there cannot run with its owner's (e.g. root's) privileges
Experiment:
vim a.sh
rm -rf /*
:wq
cp a.sh /disk/
chmod +x /disk/a.sh
cd /disk
./a.sh    the script has execute permission but cannot run, because /disk was mounted without exec permission
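The experiment shows what noexec does on one mount; the useful follow-up is to find every data mount that was not given noexec and nosuid. The shell script below is an added example (not from these notes) that reads fstab-style lines and reports the missing options. The six-field layout is the same one /proc/mounts uses, so it can audit both what will be mounted at boot and what is mounted now. The sample fstab is constructed, the function names are my own, and the list of mount points exempted because they must allow execution is an assumption to be tuned per system.

```shell
#!/bin/sh
# Added example: audit fstab-style entries for mounts that lack noexec/nosuid.
# Works on /etc/fstab and on /proc/mounts (same field order:
# device mountpoint fstype options dump pass).
check_mount_options() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }                   # comments, blanks
        $2 == "/" || $2 == "/boot" || $2 == "/usr" { next }   # must allow exec (assumed list)
        $3 == "swap" || $3 == "proc" || $3 == "sysfs" { next } # no files to execute
        {
            n = split($4, opts, ",")
            has_noexec = 0; has_nosuid = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "noexec") has_noexec = 1
                if (opts[i] == "nosuid") has_nosuid = 1
            }
            if (!has_noexec) printf "MISSING %s noexec\n", $2
            if (!has_nosuid) printf "MISSING %s nosuid\n", $2
        }
    '
}

# Constructed sample fstab (not a real system's file). /disk is the mount from
# the experiment above, but without the hardening options.
SAMPLE_FSTAB='# constructed sample
/dev/sda1   /       ext4   defaults          1 1
/dev/sda2   /boot   ext4   defaults          1 2
/dev/sdc1   /disk   ext4   defaults          0 0
/dev/sdc2   /data   ext4   noexec,nosuid     0 0
tmpfs       /tmp    tmpfs  nosuid,nodev      0 0
/dev/sda3   swap    swap   defaults          0 0'

# Run the check over the constructed sample.
check_sample_fstab() { printf '%s\n' "$SAMPLE_FSTAB" | check_mount_options; }

# On a live system:  check_mount_options < /etc/fstab   or   < /proc/mounts
check_sample_fstab
```

On the sample this reports /disk as missing both options and /tmp as missing noexec; /data passes, and the root, boot and swap entries are skipped.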
++++++++++++++++++++++++++++++++++++
Add the a or i attribute to a file (i = immutable; a = append-only):
lsattr /etc/resolv.conf    # view the file's attributes
chattr +a or chattr +i <file>    lock (protect) the file
chattr -a or chattr -i <file>    unlock the protected file
++++++++++++++++++++++++++++++++++++++++++
Password protection for GRUB
Boot loader configuration: /boot/grub/grub.conf (also reachable as /etc/grub.conf); each boot entry begins with a title line
Plaintext password: add the line password 1234567 above the title line in /boot/grub/grub.conf
Hashed password: run grub-md5-crypt to generate an MD5 hash of the password, then put the line password --md5 <generated hash> above the title line
++++++++++++++++++++++++++++++++++++++++++++
Disable the Ctrl+Alt+Del hotkey
Configuration file: /etc/init/control-alt-delete.conf
Comment out the line:  #start on control-alt-delete
Disable ordinary-user logins: touch /etc/nologin    ordinary users are immediately unable to log in to the system
++++++++++++++++++++++++++++++
Delete or modify the contents of the following files so that the kernel and system version are not disclosed to outsiders before login:
/etc/issue        banner shown at local login (by default shows kernel and system version)
/etc/issue.net    banner shown at remote login (by default shows kernel and system version)
+++++++++++++++++++++++++++++
The last file executed during boot, before login (any scripts or commands placed in it are run): /etc/rc.local
++++++++++++++++++++++++++++++
Which tty terminals are enabled
Configuration file: /etc/sysconfig/init (line 23 by default)
ACTIVE_CONSOLES=/dev/tty[1-6]    modify this setting
Allow root to log in only from specified terminals
Configuration file: /etc/securetty
++++++++++++++++++++++++++++++++++
View the current login account: whoami
Switch user: su <user> or su - <user>
su - <user> -c "command" runs the command as the specified user without switching to that user (requires that user's password)
su - oracle -c ".... /bin/lsnrctl start"
su - oracle -c ".... /bin/dbstart $ORACLE_HOME"
su - root -c "touch /tmp/test.txt"
View the history of su switches:
cat /var/log/secure
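Reading /var/log/secure by hand does not scale, so the following shell script is an added example (not from these notes) that extracts the two su events a defender cares about: a successful switch to root and a failed su attempt. The log lines it runs on are constructed samples in the format pam_unix and su write to /var/log/secure; the function names are my own.

```shell
#!/bin/sh
# Added example: pull su activity out of /var/log/secure-style lines.
#  - "session opened for user root by X(uid=N)"  -> ROOT_SU X
#  - "FAILED SU (to Y) X on tty"                  -> FAILED_SU X Y
su_audit() {
    awk '
        /su.*session opened for user root by/ {
            who = $NF                       # e.g. "tom(uid=500)"
            sub(/\(.*$/, "", who)           # strip "(uid=...)"
            printf "ROOT_SU %s\n", who
        }
        /FAILED SU/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "(to") {          # "(to root) mike on pts/1"
                    target = $(i + 1); sub(/\)/, "", target)
                    printf "FAILED_SU %s %s\n", $(i + 2), target
                }
            }
        }
    '
}

# Constructed sample lines (not from a real host).
SAMPLE_SECURE='Apr 28 10:15:01 svr su: pam_unix(su-l:session): session opened for user root by tom(uid=500)
Apr 28 10:20:33 svr su: pam_unix(su-l:session): session closed for user root
Apr 28 11:02:17 svr su: pam_unix(su:auth): authentication failure; logname=mike uid=501 euid=0 tty=pts/1 ruser=mike rhost=  user=root
Apr 28 11:02:19 svr su: FAILED SU (to root) mike on pts/1
Apr 28 11:05:40 svr su: pam_unix(su-l:session): session opened for user oracle by root(uid=0)'

# Run the extraction over the constructed sample.
su_audit_sample() { printf '%s\n' "$SAMPLE_SECURE" | su_audit; }

# On a live system:  su_audit < /var/log/secure
su_audit_sample
```

On the sample this yields ROOT_SU tom and FAILED_SU mike root; root switching to oracle is not reported because the target user is not root.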
++++++++++++++++++++++++++++++++++++++++++++++++++
Privilege elevation with sudo
/etc/sudoers is the configuration file (open it with visudo, which checks the syntax before saving)
Privilege elevation for ordinary users: sudo
sudo -l    view your own sudo authorization
sudo -u zhangsan mkdir /tmp/haha    create a directory as another user, with zhangsan's permissions
sudo /sbin/ifconfig eth0:1 1.1.1.1    as the ordinary user, run the command through sudo
Rule format (a %name in the user field denotes a group):
user  host_list = command_list
root ALL=(ALL) ALL                                 allows root to run all commands on all hosts
root ALL=(ALL) NOPASSWD: ALL                       allows root to run all commands on all hosts without entering a password
mike localhost,svr=/sbin/*,!/sbin/ifconfig eth0    allows mike to run all commands under /sbin/ as root, but forbids changing the parameters of the eth0 NIC
mike localhost,localdomain=/sbin/*                 allows mike to run all commands under /sbin/ as root on the hosts localhost and localdomain
mike localhost,localdomain=/sbin/ifconfig          allows mike to run only the ifconfig command under /sbin/ as root on those hosts
sudo alias settings (simplify the configuration; alias names must be uppercase):
User_Alias HAHAZU=tom,mike,jim               user alias
Host_Alias SERVER=mail,svr,pc205             host alias
Cmnd_Alias MINGLING=/bin/rpm,/usr/bin/yum    command alias
HAHAZU SERVER=MINGLING
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Modify the global defaults to enable logging:
Defaults logfile="/var/log/sudo"    every subsequent sudo invocation is written to this log file
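A sudoers mistake can lock everyone out of sudo, so the rules above should be written to a staging file and checked before they are installed. The shell script below is an added example (not from these notes) that writes the alias rules, the mike rule and the logging default from this section into a file and validates it with visudo's check-only mode (visudo -c -f). The staging path and function names are my own; the NOPASSWD rule from the notes is left out on purpose because it removes the password check entirely.

```shell
#!/bin/sh
# Added example: stage the sudoers policy from these notes and syntax-check it
# with "visudo -c -f <file>" before it ever touches /etc/sudoers.
write_sudoers_fragment() {
    out=$1
    cat > "$out" <<'EOF'
# Aliases (alias names must be UPPERCASE)
User_Alias HAHAZU = tom, mike, jim
Host_Alias SERVER = mail, svr, pc205
Cmnd_Alias MINGLING = /bin/rpm, /usr/bin/yum

# Log every sudo invocation to its own file
Defaults logfile="/var/log/sudo"

# root may run any command on any host
root ALL=(ALL) ALL
# mike: everything under /sbin on localhost and svr, except reconfiguring eth0
mike localhost,svr = /sbin/*, !/sbin/ifconfig eth0
# the alias group may run the alias commands on the alias hosts
HAHAZU SERVER = MINGLING
EOF
    chmod 0440 "$out"       # sudoers files must be mode 0440
}

validate_sudoers() {
    # check-only mode parses the named file without installing it;
    # exit status 0 means the syntax is accepted
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not installed; syntax not checked" >&2
        return 1
    fi
}

# Usage (as root), with an assumed staging path:
#   write_sudoers_fragment /root/sudoers.staging
#   validate_sudoers /root/sudoers.staging && cp /root/sudoers.staging /etc/sudoers
```

Only copy the staged file into place after validate_sudoers returns 0; the Defaults logfile line means every command run through the new policy is recorded in /var/log/sudo, which is the file to review alongside /var/log/secure.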
Linux security: user accounts, file system, user switching and sudo privileges