Linux System Security Hardening Fundamentals, Part 1

Source: Internet
Author: User

Linux is powerful, and we think of it as robust, stable, and very attractive. Most articles cover how to use it, and few deal with its security. This article gives simple example applications from two common areas: log auditing and PAM user authentication.

1. Operation Log Audit

The shell history can tell us what we have done, but on a multi-user operating system, command logging from a single terminal is not enough to audit operational commands.

Someone may suggest the following:

chattr +a ~/.bash_history

This modification prevents .bash_history from being deleted or redirected to /dev/null.

(this rules out: ln -sf /dev/null ~/.bash_history)

However, a user who has logged in illegitimately does not need to touch the permissions on .bash_history at all: running history -c directly makes the settings above useless.

The following uses PROMPT_COMMAND to record each command as it is executed.

1) Append the following to /etc/profile:

export HISTORY_FILE=/var/log/history/userhistory.log
readonly PROMPT_COMMAND='{ date "+%y-%m-%d %T ##### $(who am i | awk "{print \$1\" \"\$2\" \"\$NF}") #### $(id | awk "{print \$1}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >> $HISTORY_FILE'

Run source /etc/profile again for it to take effect.

mkdir -p /var/log/history/

touch /var/log/history/userhistory.log

chmod 002 /var/log/history/userhistory.log

chattr +a /var/log/history/userhistory.log

2) Use logrotate to rotate the log.

# cat /etc/logrotate.d/userhistory
/var/log/history/userhistory.log {
    weekly
    notifempty
    prerotate
        /usr/bin/chattr -a /var/log/history/userhistory.log
    endscript
    postrotate
        /bin/chmod 002 /var/log/history/userhistory.log
        /usr/bin/chattr +a /var/log/history/userhistory.log
    endscript
}

For the meaning of the specific parameters and how logrotate implements log rotation, see

http://colynn.blog.51cto.com/5971950/1441436
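
As an added example (not part of the original article), the following shell function triages the log that the PROMPT_COMMAND above writes: it reports records where the login name from who am i differs from the current uid, commands that touch the history in the ways mentioned above, and lines that do not follow the record layout, which matter because mode 002 lets any user append to the file. The function name audit_history, the finding labels and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Record layout written by the PROMPT_COMMAND above:
#   date time ##### login tty origin #### uid=N(name) #### command

# Constructed sample records (not real log data).
SAMPLE_LOG='14-07-30 10:01:02 ##### alice pts/0 (192.0.2.10) #### uid=1000(alice) #### ls -l /etc
14-07-30 10:02:10 ##### alice pts/0 (192.0.2.10) #### uid=0(root) #### vi /etc/passwd
14-07-30 10:03:30 ##### bob pts/1 (192.0.2.11) #### uid=1001(bob) #### history -c
14-07-30 10:04:00 ##### bob pts/1 (192.0.2.11) #### uid=1001(bob) #### echo a #### b
line that does not follow the record layout'

# audit_history [FILE...]: reads records from FILE or stdin and prints one
# tab-separated line per finding: KIND, line number, login, uid name, command.
audit_history() {
    awk '
    function report(kind) { printf "%s\t%d\t%s\t%s\t%s\n", kind, NR, login, name, cmd }
    {
        login = name = cmd = ""
        a = index($0, " ##### ")
        rest = substr($0, a + 7)
        b = index(rest, " #### ")
        who = substr(rest, 1, b - 1)
        rest = substr(rest, b + 6)
        c = index(rest, " #### ")
        if (a == 0 || b == 0 || c == 0) { cmd = $0; report("MALFORMED"); next }
        idf = substr(rest, 1, c - 1)
        cmd = substr(rest, c + 6)      # remainder, may itself contain " #### "
        split(who, w, " "); login = w[1]
        p = index(idf, "("); q = index(idf, ")")
        name = substr(idf, p + 1, q - p - 1)
        # Login identity (who am i) differs from the current uid, e.g. after su.
        if (login != name) report("IDENTITY_CHANGE")
        # Commands this article names as ways to erase or redirect history.
        if (cmd ~ /history +-c/ || cmd ~ /bash_history/ || cmd ~ /chattr/)
            report("HISTORY_TAMPER")
    }' "$@"
}

printf '%s\n' "$SAMPLE_LOG" | audit_history
```

On a real system, run it as root against the log file, for example audit_history /var/log/history/userhistory.log.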


2. PAM user authentication (pam_tally)

Because /etc/pam.d/login and /etc/pam.d/sshd both include system-auth, configuring system-auth directly takes effect for both TTY and terminal logins.

Version 5

# cat /etc/pam.d/system-auth (note the position of the entry)
auth requisite pam_tally.so deny=5 even_deny_root_account unlock_time=300

Version 6

# cat /etc/pam.d/system-auth
auth requisite pam_tally2.so deny=5 even_deny_root unlock_time=300

Recommendation: because the restriction also covers root, test it in your own environment before using it.

That's all.

This article is from the "Liu Can blog" blog; please keep this source: http://colynn.blog.51cto.com/5971950/1529574
