Linux is powerful: strong, stable, and very attractive to work with. Most articles cover how to use it and few cover its security, so here are simple worked examples of two common tasks: operation log auditing and PAM user authentication.
1. Operation Log Audit
The shell history can tell us what we have done, but on a multi-user operating system the history recorded from a single terminal is not enough to audit the commands that were run.
Some people suggest the following:
chattr +a ~/.bash_history
This change prevents .bash_history from being deleted or redirected to /dev/null.
(As an aside: ln -sf /dev/null ~/.bash_history)
However, a user who logs in abnormally does not need to touch the permissions on .bash_history at all: running history -c directly makes the settings above ineffective.
The following uses PROMPT_COMMAND to record each command as soon as it is run.
1) Append the following to /etc/profile:
# Log file that every interactive shell appends to
export HISTORY_FILE=/var/log/history/userhistory.log
# After each command, append: timestamp ##### login user, tty, host #### uid #### last command.
# date gets a fixed format so that % characters in the command are logged verbatim.
# readonly keeps users from unsetting or replacing the hook.
readonly PROMPT_COMMAND='{ echo "$(date "+%y-%m-%d %T") ##### $(who am i | awk "{print \$1\" \"\$2\" \"\$NF}") #### $(id | awk "{print \$1}") #### $(history 1 | { read -r x cmd; echo "$cmd"; })"; } >> "$HISTORY_FILE"'
Re-read the file with source /etc/profile for the change to take effect.
mkdir -p /var/log/history/
touch /var/log/history/userhistory.log
chmod 002 /var/log/history/userhistory.log
chattr +a /var/log/history/userhistory.log
2) Use logrotate to rotate the log.
# cat /etc/logrotate.d/userhistory
/var/log/history/userhistory.log {
    weekly
    notifempty
    prerotate
        /usr/bin/chattr -a /var/log/history/userhistory.log
    endscript
    postrotate
        /bin/chmod 002 /var/log/history/userhistory.log
        /usr/bin/chattr +a /var/log/history/userhistory.log
    endscript
}
For an explanation of each parameter and of how logrotate performs log rotation, see
http://colynn.blog.51cto.com/5971950/1441436
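An added example, not part of the original article: a filter over the records that the PROMPT_COMMAND in step 1) writes, reporting commands whose effective user (from id) differs from the login user (from who am i), for instance after su. The function name switched_identity and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumed record layout, as written by the PROMPT_COMMAND in step 1):
#   DATE TIME ##### LOGIN TTY (HOST) #### uid=N(NAME) #### COMMAND

# switched_identity [LOGFILE]   (hypothetical helper; reads stdin if no file)
# Prints "DATE TIME LOGIN->EFFECTIVE TTY COMMAND" for each record where the
# account that logged in (who am i) differs from the one running the command (id).
switched_identity() {
    awk '
    {
        rest = $0
        # Split on the first three markers only: the command may contain "####".
        for (i = 1; i <= 3; i++) {
            sep = (i == 1) ? " ##### " : " #### "
            p = index(rest, sep)
            if (p == 0) next                 # malformed record: skip it
            f[i] = substr(rest, 1, p - 1)
            rest = substr(rest, p + length(sep))
        }
        split(f[2], w, " ")                  # f[2] = "LOGIN TTY (HOST)"
        login = (w[1] != "") ? w[1] : "?"    # "?" = no login session recorded
        tty   = (w[2] != "") ? w[2] : "?"
        eff = f[3]                           # f[3] = "uid=N(NAME)"
        sub(/^uid=[0-9]+\(/, "", eff)
        sub(/\).*$/, "", eff)
        if (login != eff)
            printf "%s %s->%s %s %s\n", f[1], login, eff, tty, rest
    }' "$@"
}

# Constructed sample records (not real log data).
sample_log() {
    cat <<'EOF'
14-07-30 10:12:01 ##### alice pts/0 (10.0.0.5) #### uid=1000(alice) #### ls -l
14-07-30 10:12:09 ##### alice pts/0 (10.0.0.5) #### uid=0(root) #### echo a #### b
14-07-30 10:13:00 #####  #### uid=0(root) #### id
truncated line without markers
EOF
}

sample_log | switched_identity
```

Because the log is created with mode 002, run the filter as root against /var/log/history/userhistory.log.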
2. PAM user authentication (pam_tally)
Because /etc/pam.d/login and /etc/pam.d/sshd both include system-auth,
configuring system-auth directly takes effect for logins from both the TTY and the terminal.
Version 5
# cat /etc/pam.d/system-auth   (note the position of the entry)
auth requisite pam_tally.so deny=5 even_deny_root_account unlock_time=300
Version 6
# cat /etc/pam.d/system-auth
auth requisite pam_tally2.so deny=5 even_deny_root unlock_time=300
Recommendation: because the limit also applies to root, test it in your own environment first, and only then put it into use.
That's all.
This article is from the "Liu Can blog" blog; be sure to keep this source: http://colynn.blog.51cto.com/5971950/1529574