Simple Linux Account Security Settings

Source: Internet
Author: User
Tags: account security

At work I have found that many colleagues prefer to manage systems as root and have no dedicated administrative account. Using a single root account for everything is a risk to the system and makes user management and auditing harder. We should therefore create separate accounts for system administrators and ordinary users and restrict their permissions. The root account itself also needs attention, such as password complexity and login restrictions (for example on SSH and terminal logins). This article briefly covers account security settings. Beyond account security, the security awareness and operating procedures of the administrators deserve even more attention.

1) Create ordinary user accounts and a management group

Create separate groups so that system administrators and ordinary users receive different permissions, then create an account for each administrator and for every person who needs access. For example:

A. Create the management group manager and the development group develop

groupadd manager

groupadd develop

B. Create the users jack, harry and tom

useradd jack

useradd harry

useradd tom

C. Set the initial password 123456 for each user and force a password change at first login (the --stdin option is specific to the Red Hat passwd; chpasswd is the portable equivalent)

echo 123456 | passwd --stdin jack

echo 123456 | passwd --stdin harry

echo 123456 | passwd --stdin tom

chage -d 0 jack

chage -d 0 harry

chage -d 0 tom

D. Add each user to the intended group

usermod -a -G manager jack

usermod -a -G manager harry

usermod -a -G develop tom

This creates the administrator group manager and the general group develop, adds jack and harry to manager and tom to develop, and from then on user permissions are controlled and assigned through group membership.
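The steps above, as an added shell script that is not part of the original article. It wraps the same groupadd, useradd, chage and usermod calls in functions, skips groups and users that already exist, reads the initial password through chpasswd instead of the Red Hat specific passwd --stdin, and honours a DRY_RUN variable (a convention of this script only, not a system feature) that prints each command instead of executing it, so the sequence can be reviewed without root:

```shell
#!/bin/sh
# Added example, not from the original article: provision the accounts from
# section 1 idempotently. DRY_RUN=1 prints each command instead of running it
# (DRY_RUN is a convention of this script, not a system feature).
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ensure_group() {
    # create the group only if it does not exist yet
    if ! getent group "$1" >/dev/null 2>&1; then
        run groupadd "$1"
    fi
}

set_initial_password() {
    # $1 user, $2 initial password. chpasswd reads "user:password" on stdin,
    # so the password never appears on a command line.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'echo %s:<initial password> | chpasswd\n' "$1"
    else
        printf '%s:%s\n' "$1" "$2" | chpasswd
    fi
}

provision_user() {
    # $1 user, $2 supplementary group, $3 initial password
    ensure_group "$2"
    if ! getent passwd "$1" >/dev/null 2>&1; then
        run useradd -m "$1"        # -m creates the home directory even where CREATE_HOME is unset
    fi
    set_initial_password "$1" "$3"
    run chage -d 0 "$1"            # password already expired: must be changed at first login
    run usermod -a -G "$2" "$1"    # append to the group, keeping existing memberships
}

# Usage mirroring section 1 (same initial password for all three, as in the text):
# provision_user jack  manager 123456
# provision_user harry manager 123456
# provision_user tom   develop 123456
```

Source the file and call provision_user as root to apply the changes; with DRY_RUN=1 the same calls only print what would be run.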

 

2) Set password policies

This mainly concerns the complexity and strength of passwords: the minimum length, the change interval, the maximum age and the way the password is stored (the hashing algorithm). On RHEL the policy is set in /etc/login.defs, which the shadow-utils login tools read, while the pam_cracklib.so PAM module controls password complexity. Note that the login.defs settings do not apply to the root user, and where /etc/shadow already holds a value for the same setting, the /etc/shadow entry prevails.

PASS_MAX_DAYS 30 # a password may be used for at most 30 days

PASS_MIN_DAYS 3 # at least 3 days must pass between password changes; 0 means no restriction

PASS_MIN_LEN 12 # minimum password length of 12 characters

PASS_WARN_AGE 5 # start warning 5 days before expiry

ENCRYPT_METHOD MD5 # hashing algorithm for new passwords (DES/MD5/SHA256/SHA512); SHA512 is the RHEL 6 default and should be preferred to MD5

LOGIN_RETRIES 3 # number of login retries

LOGIN_TIMEOUT 20 # login timeout in seconds

Use man login.defs to view the other options.
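An added shell audit for the policy above; it is not part of the original article. It reads a login.defs file, takes the last uncommented value of each key (which is how the shadow tools resolve duplicates), checks it against the thresholds from this section and also flags an ENCRYPT_METHOD weaker than SHA-2. The thresholds and function names are this script's own:

```shell
#!/bin/sh
# Added example, not from the original article: audit a login.defs file
# against the values recommended above. Prints one line per deviation and
# returns 0 only when every check passes.

login_defs_value() {
    # $1 file, $2 key: print the effective value (last uncommented match wins)
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

check_numeric() {
    # $1 file, $2 key, $3 test operator, $4 limit; counts failures in $bad
    v=$(login_defs_value "$1" "$2")
    if [ -z "$v" ]; then
        echo "$2 is not set"
        bad=$((bad + 1))
    elif ! [ "$v" "$3" "$4" ]; then
        echo "$2=$v violates $3 $4"
        bad=$((bad + 1))
    fi
}

audit_login_defs() {
    # $1 login.defs file to check
    bad=0
    check_numeric "$1" PASS_MAX_DAYS -le 30
    check_numeric "$1" PASS_MIN_DAYS -ge 3
    check_numeric "$1" PASS_MIN_LEN  -ge 12
    check_numeric "$1" PASS_WARN_AGE -ge 5
    method=$(login_defs_value "$1" ENCRYPT_METHOD)
    case "$method" in
        SHA512|SHA256) ;;
        *) echo "ENCRYPT_METHOD=${method:-unset}: MD5 and DES are weak, use SHA512"
           bad=$((bad + 1)) ;;
    esac
    [ "$bad" -eq 0 ]
}

# usage: audit_login_defs /etc/login.defs
```

Run against the file exactly as written in this section, the only finding is the MD5 hashing method; a copy with ENCRYPT_METHOD SHA512 passes cleanly.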

 

3) PAM pluggable authentication modules

PAM (Pluggable Authentication Modules) is an authentication framework originally proposed by Sun. Administrators can configure different authentication methods for different services as needed without changing the service programs, and new authentication methods can be added to the system easily. Many applications integrate with PAM, and the login process of the operating system itself is configured through PAM as well, for example the password complexity rules and the number of failed login attempts a user is allowed. The account security settings for these are listed below.

A. Password complexity

Modify the /etc/pam.d/system-auth configuration:

Minimum password composition: 2 upper-case letters, 3 lower-case letters, 3 digits and 2 other (non-alphanumeric) characters

The file contains the line:

password requisite pam_cracklib.so try_first_pass retry=3

Append the following parameters to it (a negative credit value is the minimum number of characters of that class the password must contain):

ucredit=-2 lcredit=-3 dcredit=-3 ocredit=-2

B. Abort the login if any pam_tally error occurs during authentication (onerr=fail); magic_root keeps root itself out of the tally.

auth required pam_tally.so onerr=fail magic_root

C. If the password is entered incorrectly five times in a row, pam_tally locks the account for 600 seconds; reset clears the failure counter after a successful login.

account required pam_tally.so deny=5 lock_time=600 magic_root reset
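Two small models of what the directives in A and C enforce, as an added example that is not part of the original article: the first function implements the character-class minimums that ucredit=-2 lcredit=-3 dcredit=-3 ocredit=-2 express, and the second is a failure counter with the behaviour this section describes for pam_tally (five failures, a 600-second lock, reset on success), with the clock passed in as a parameter so it can be exercised offline. The thresholds come from the section; the function and variable names are this script's own, and pam_tally(8) on the target release remains the reference for which option delivers the lock semantics.

```shell
#!/bin/sh
# Added example, not from the original article: models of the cracklib class
# minimums and of the pam_tally lockout described above.

count_chars() {
    # $1 string, $2 tr character class: number of characters of $1 in that class
    printf '%s' "$1" | tr -cd "$2" | wc -c
}

count_other() {
    # characters that are neither letters nor digits ("other" for ocredit)
    printf '%s' "$1" | tr -d '[:alnum:]' | wc -c
}

meets_class_minimums() {
    # returns 0 when the password has >=2 upper, >=3 lower, >=3 digits, >=2 other
    [ $(( $(count_chars "$1" '[:upper:]') )) -ge 2 ] &&
    [ $(( $(count_chars "$1" '[:lower:]') )) -ge 3 ] &&
    [ $(( $(count_chars "$1" '[:digit:]') )) -ge 3 ] &&
    [ $(( $(count_other "$1") )) -ge 2 ]
}

TALLY_DENY=5            # deny=5
TALLY_LOCK_SECONDS=600  # lock for 600 seconds once the threshold is reached
tally_failures=0
tally_locked_until=0

tally_attempt() {
    # $1: 1 if the password was correct, 0 otherwise; $2: current time in seconds.
    # Returns 0 = login allowed, 1 = wrong password, 2 = account locked.
    if [ "$2" -lt "$tally_locked_until" ]; then
        return 2                    # lock still in force, even for a correct password
    fi
    if [ "$1" -eq 1 ]; then
        tally_failures=0            # "reset": a successful login clears the tally
        return 0
    fi
    tally_failures=$((tally_failures + 1))
    if [ "$tally_failures" -ge "$TALLY_DENY" ]; then
        tally_locked_until=$(($2 + TALLY_LOCK_SECONDS))
        return 2
    fi
    return 1
}

# usage:
#   meets_class_minimums 'ABcde123!@' && echo "composition ok"
#   tally_attempt 0 "$(date +%s)"; echo "result: $?"
```

The class check is the rule the credits encode; pam_cracklib additionally applies its minlen and dictionary checks, which this model leaves out.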

4) Use sudo permissions

sudo allows much finer-grained control of user permissions than a shared root password, covering the hosts on which a command may run, the user accounts allowed to run it, and the commands themselves. sudo asks users for their own account password before running an authorized command, so the root password never has to be disclosed to ordinary users.

4.1 sudo features:

1. Restricts the specified users to running certain commands on the specified hosts.

2. Logs every operation performed through sudo, and the records can be kept in the server logs.

3. Lets the system administrator manage user permissions centrally, including the hosts on which those permissions apply.

4. Strictly limits how long root permission remains available: after authenticating to sudo, the permission can be reused for 5 minutes (the default) before the password must be entered again.

Run rpm -qa | grep sudo to check whether the sudo package is installed. If it is not, download and install it from:

http://www.sudo.ws/

Because the commands in /sbin and /usr/sbin are executable by other users by default, we recommend first removing that permission with

chmod o-x /sbin/* /usr/sbin/*

and then letting authorized users run those commands through sudo.

# Note: this may cause other problems. For example, if an error is shown at login, run the following command to fix it:

chmod o+x /sbin/consoletype

A program installed by an ordinary user may also fail because it cannot call a path under these directories (to be observed). It is therefore more practical to remove the execute permission of other users only for some important commands first, such as shutdown, halt and init.

 

4.2 sudo configuration

A. Edit the file /etc/sudoers directly (no syntax check is performed, which is highly risky).

B. Use the dedicated command visudo (the syntax is checked after editing and an error is reported if it is wrong; this is the recommended way). By default visudo opens the configuration file with vi; the editor can be changed at compile time with --with-editor=path, where path is the path of the editor to use.

The form of a user specification in the /etc/sudoers file is as follows:

User_Alias Host_Alias = (Runas_Alias) Cmnd_Alias

1) User_Alias can be one or more users, a system group (prefixed with %), or a network group (prefixed with +). System groups are the most common choice, for example %manager, which authorizes every member of the manager group.

2) Runas_Alias lists the identities the command may be run as. It can be one or more users, a system group (prefixed with %), a network group (prefixed with +), or a numeric ID (prefixed with #).

3) Host_Alias lists the hosts on which the specification applies. Host names, IP addresses and CIDR blocks can be used.

4) Cmnd_Alias defines a command alias, which can contain

A. commands, given with their full path

B. directories, given with their full path and ending with a slash (/)

C. other aliases (nesting is allowed) and wildcards

4.2.1 Enable a separate log:

With visudo, add:

Defaults logfile="/var/log/sudo"

Edit /etc/rsyslog.conf and add:

local2.debug /var/log/sudo

The rsyslog rule only receives sudo messages if sudo is also told to log to that facility (Defaults syslog=local2 in sudoers); otherwise sudo keeps using its compiled-in syslog facility.

4.2.2 Configure the sudoers file

Run visudo and add the following entries:

Host_Alias WEBSERVERS = 192.168.1.0/24, 172.16.1.1

Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables

Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

Cmnd_Alias DRIVERS = /sbin/modprobe

Cmnd_Alias ALLOW = NETWORKING, SERVICES, PROCESSES, STORAGE, SOFTWARE, DELEGATING, DRIVERS

Cmnd_Alias DENY = !/bin/bash, !/usr/bin/passwd root, !/usr/sbin/usermod -* root, !/sbin/shutdown, !/usr/bin/halt, !/sbin/init, !/usr/bin/chattr

%manager ALL = /bin/su, NOPASSWD: ALLOW, DENY

%develop WEBSERVERS = NETWORKING, DENY

This defines the Host_Alias and Cmnd_Alias templates. The commands in the DENY template mean that sudo may not be used to switch to root with sudo -i, to change the root password, to add users to the root group, or to run shutdown, halt, init or chattr. (The ! can also be left out of the alias definition and the alias referenced as !DENY in the user specification instead; use sudo -l to verify what a user may run.) Bear in mind that sudoers(5) itself warns that such exclusions are not a reliable control, because a user who may run other commands can copy a binary under a different name; an exclusion list limits mistakes rather than a determined user. Note the /bin/su command in the %manager specification: members of the manager group can switch to root with su, and because the entry comes before the NOPASSWD: tag they must enter their own login password first. If /bin/su were placed at the end of the list, after NOPASSWD:, no password would be required for the switch.
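A read-only audit of a sudoers file for the patterns discussed in this subsection, as an added example that is not part of the original article. It joins backslash-continued lines, skips comments, and flags three things: specifications that grant su or a shell (a full root session), a passwordless ALL, and "!" exclusions, which sudoers(5) documents as bypassable. The patterns and the function name are this script's own; it does not replace visudo -c, which checks syntax.

```shell
#!/bin/sh
# Added example, not from the original article: flag risky sudoers patterns.
# Prints one finding per line and returns 0 only when nothing is flagged.

audit_sudoers() {
    # $1: sudoers file (or a copy of it) to inspect
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                         # comments and blank lines
        /\\$/ { buf = buf substr($0, 1, length($0) - 1); next }   # join "\" continuation lines
        { line = buf $0; buf = "" }
        # su or a shell as a plain (not "!"-negated) command hands over full root
        line ~ /(^|[ \t,=])\/bin\/(su|sh|bash)([ \t,]|$)/ && line !~ /^[ \t]*Defaults/ {
            print "full root via shell or su: " line; n++ }
        # NOPASSWD on ALL means any command as root without authentication
        line ~ /NOPASSWD:[ \t]*ALL([ \t,]|$)/ {
            print "passwordless ALL: " line; n++ }
        # "!" exclusions only catch mistakes; sudoers(5) says they are bypassable
        line ~ /!/ && line !~ /^[ \t]*Defaults/ {
            print "negated command, bypassable per sudoers(5): " line; n++ }
        END { if (n > 0) exit 1; exit 0 }
    ' "$1"
}

# usage: audit_sudoers /etc/sudoers
```

On the fragment above it reports two findings: the /bin/su entry in the %manager specification and the DENY alias built from exclusions. The %develop line, which grants only NETWORKING, is clean.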

Once the accounts and the sudo permissions have been configured, lock the files down as follows. After the immutable attribute is set, it must be removed again (chattr -i) before /etc/sudoers can be changed. /etc/passwd and /etc/group must stay world-readable (0644), because every user and program needs them to resolve user and group names, and sudo refuses to run if /etc/sudoers is not mode 0440, so only the shadow files get 0600:

chmod 644 /etc/passwd

chmod 600 /etc/shadow

chmod 644 /etc/group

chmod 600 /etc/gshadow

chmod 440 /etc/sudoers

chattr +i /etc/sudoers

 

 

4.3 Basic sudo operations

sudo -l[l] [-AknS] [-g groupname|#gid] [-p prompt] [-U username] [-u username|#uid] [command]

Common sudo options:

sudo command: execute command as root

sudo -b command: execute the command in the background

sudo -h: list usage

sudo -l: list the commands the current user may execute. Only users present in sudoers can use this option.

sudo -u username|#uid command: execute the command as the specified user, given as a user name or uid other than root

sudo -e file: not a command but a file edit, equivalent to the sudoedit command.

 

 

III. Centralized LDAP Authentication

As the platform grows, the number of application servers grows rapidly with it, and system management becomes harder and more complex. For user account management we should therefore consider building a centralized authentication system in the future: it reduces management cost, improves account management security and lowers the complexity of system management and maintenance. With centralized management, however, the security of the authentication server itself becomes critical: if an authorized account is compromised or leaked, every server that account may log on to is compromised as well. This will be discussed in a later article...

For the full script see the attachment. It was tested on RHEL 6.2 x64.

