The following notes cover tcp_wrappers, sudo, nsswitch and PAM for service and security management.
I. tcp_wrappers
1. tcp_wrappers basics--------------------TCP Wrapper
Library file tcp_wrappers depends on: libwrap.so
(1) Determining whether an application is subject to tcp_wrappers access control: dynamically linked (look for the libwrap.so library), statically linked (inspect with the strings command)
Applications dynamically linked against libwrap.so: # ldd /path/to/app_file | grep libwrap
Statically linked applications: # strings COMMAND
(2) Common services that use tcp_wrappers access control: sshd, vsftpd
Other services: OpenSSH, HTTP, MySQL, vsftpd, NFS, Samba
2. tcp_wrappers configuration files----------------------/etc/hosts.allow, /etc/hosts.deny
Format: daemon_list : client_list [[[: option] : option] ...]
(1) daemon_list--------------application (daemon) file name (as found under /usr/sbin/*)
Three ways to write daemon_list: a single program file name, several program file names (comma separated), all applications (ALL)
(2) client_list------------3 kinds of entries
A single IP address or host name, a network address, or an access-control wildcard
The four client_list wildcards: ALL, KNOWN, UNKNOWN, PARANOID
(3) option--------------3 kinds of options
The three option types are: deny, allow, spawn
spawn: %c-------------------client information
%s-------------------server-side information
Examples:
daemon_list: ALL-------------all applications (daemons)
client_list: 172.16.0.0/255.255.0.0
172.16.
ALL------------all hosts
KNOWN----------hosts whose name and address can both be resolved
UNKNOWN---------hosts whose name or address cannot be resolved
option: deny-------------deny-access rule, used in the hosts.allow file
allow-------------allow-access rule, used in the hosts.deny file
spawn-------------generate / launch / execute a command
Examples:
vsftpd : 172.16.0.0/16 : allow---------------/etc/hosts.allow (default: allow)
vsftpd : ALL EXCEPT 172.16. EXCEPT 172.16.67.1------------------/etc/hosts.deny (default: deny)
Example: logging connection attempts for the sshd and vsftpd services
sshd, vsftpd : ALL : spawn /bin/echo $(/bin/date) %c attempted to log in to %s >> /var/log/tcpwrapper.log
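As an added example (not part of the original notes), the following Python script models how tcp_wrappers evaluates the two files described above: hosts.allow is searched first and its first matching rule grants access, hosts.deny is searched next, and a client matching neither file is allowed. It handles the client forms listed above (ALL, net/mask, CIDR, a dotted prefix such as 172.16., a single address) and the nested EXCEPT operator, and honours an explicit allow/deny option. The rule files and client addresses are constructed for the example; hostname patterns, KNOWN/UNKNOWN/PARANOID and the spawn option are not modelled. One thing it makes visible: 172.16.67.1 is singled out in hosts.deny, but the broader 172.16.0.0/16 entry in hosts.allow matches first, so that host is still allowed for vsftpd.

```python
import ipaddress
import re

# Constructed sample files in the format of /etc/hosts.allow and /etc/hosts.deny
# (not taken from any real host); the patterns mirror the notes above.
HOSTS_ALLOW = """
vsftpd : 172.16.0.0/16 : allow
sshd   : 172.16.1. , 10.0.0.5
"""
HOSTS_DENY = """
vsftpd : ALL EXCEPT 172.16. EXCEPT 172.16.67.1
sshd   : ALL
"""


def parse_rules(text):
    """Split 'daemon_list : client_list [: option ...]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1], [o.lower() for o in fields[2:]]))
    return rules


def client_matches(pattern, client_ip):
    """One client pattern: ALL, 'net/mask' or CIDR, a dotted prefix like '172.16.', or one address."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        spec = (net, mask) if "." in mask else pattern      # dotted netmask or prefix length
        return ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(spec, strict=False)
    return pattern == client_ip


def daemon_matches(pattern, daemon):
    return pattern.upper() == "ALL" or pattern == daemon


def list_matches(list_text, value, matcher):
    """Evaluate a list with EXCEPT: 'a EXCEPT b EXCEPT c' nests as a EXCEPT (b EXCEPT c)."""
    head, *rest = re.split(r"\s+EXCEPT\s+", list_text.strip(), maxsplit=1, flags=re.IGNORECASE)
    hit = any(matcher(tok, value) for tok in re.split(r"[,\s]+", head) if tok)
    if rest:
        hit = hit and not list_matches(rest[0], value, matcher)
    return hit


def evaluate(daemon, client_ip, hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY):
    """tcp_wrappers order: first match in hosts.allow wins, then hosts.deny, otherwise allowed."""
    for default, text in (("allow", hosts_allow), ("deny", hosts_deny)):
        for daemons, clients, options in parse_rules(text):
            if list_matches(daemons, daemon, daemon_matches) and list_matches(clients, client_ip, client_matches):
                verdict = default
                for opt in options:          # an explicit allow/deny option overrides the file default
                    if opt in ("allow", "deny"):
                        verdict = opt
                return verdict, f"{daemons} : {clients}"
    return "allow", "no matching rule (tcp_wrappers default)"


if __name__ == "__main__":
    for d, ip in (("vsftpd", "172.16.5.5"), ("vsftpd", "172.16.67.1"), ("vsftpd", "192.168.1.1"),
                  ("sshd", "172.16.1.9"), ("sshd", "172.16.2.9"), ("httpd", "203.0.113.7")):
        print(d, ip, *evaluate(d, ip))
```

Run it against a copy of a real pair of files by passing their contents as `hosts_allow` and `hosts_deny`; an unexpected "allow" for a client you meant to block usually means an earlier, broader hosts.allow entry is matching first.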
II. sudo
1. sudo basics---------------run commands as the root user
sudo's authorization configuration file: /etc/sudoers
2. Configuration file contents---------------/etc/sudoers
/etc/sudoers contains two kinds of entries: alias definitions and user specifications (authorizations)
(1) Alias definitions--------------alias names are all uppercase
Format: Alias_Type ALIASNAME = item1, item2, ...
Alias_Type: User_Alias, Host_Alias, Runas_Alias, Cmnd_Alias
Alias_Type-------------written in CamelCase
ALIASNAME-------------written in all capitals
Example: User_Alias USERADMINUSERS = tom, jerry, centos, suse, %myclass-----------------"%" in an alias definition denotes a group
Cmnd_Alias USERADMINCOMMANDS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root, /usr/sbin/usermod
(2) User specifications (authorizations)-----------------edit /etc/sudoers; one authorization per line
Format: who where = (whom) what
The parts of the format are explained as follows:
who----------the users being authorized (5 forms)
username---------------a single user name
#uid------------a single user's UID
%groupname------------all accounts in the named group
%#gid-----------all accounts in the group with the given GID
User_Alias--------------a defined alias
where--------------the hosts on which the authorization applies (3 forms)
ip/hostname------------a single host
network address--------------a network
Host_Alias--------------a defined alias
whom-----------------the identity to run as, usually root
what-------------the commands the user is authorized to run
command-------------an individual command
directory------------all commands in the directory
sudoedit---------------authorizes the user to run the sudoedit command
Cmnd_Alias-----------a defined alias
Example: little ALL=(root) /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root
Example: little ALL=(root) /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/su, !/usr/bin/su root
Note: visudo command-----------------edits the /etc/sudoers file with syntax checking
(3) sudo command----------------running commands under the granted authorization
Format: sudo [option] ... command
Common options:
-u user--------------run the command as the specified user
-l[l] [command]------------------list the commands the invoking user may run with sudo
(4) Tags in an authorization
PASSWD--------------a password is required
NOPASSWD-------------no password is required
Example: Cmnd_Alias USERADMINCOMMANDS = NOPASSWD: /usr/sbin/useradd, PASSWD: /usr/sbin/userdel, /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root, /usr/sbin/usermod
sudo's special commands: passwd, su, sudo, sudoedit
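To make the alias, user-specification and tag rules above concrete, here is an added Python checker (not code from the notes or from the sudo project) that parses a small sudoers subset and answers, for a given user, host and command line, whether sudo would allow it and whether a password is needed. It follows sudo's rules that the last matching command entry decides (so a `!` negation written after a broader glob revokes it) and that a PASSWD/NOPASSWD tag applies to the entries that follow it. Tags are placed on the user-specification line, which is where sudo's grammar accepts them. The sudoers text, user names and groups are constructed for the example; the `#uid` and `%#gid` forms, Defaults lines and runas groups are left out.

```python
import fnmatch
import re

# Constructed sample sudoers fragment (not a real host's file); it mirrors the
# aliases and user specifications in the notes above.
SUDOERS = """\
User_Alias USERADMINUSERS = tom, jerry, %myclass
Cmnd_Alias USERADMINCMDS = /usr/sbin/useradd, /usr/sbin/userdel, \\
                           /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root
USERADMINUSERS ALL = (root) NOPASSWD: USERADMINCMDS, PASSWD: /usr/sbin/usermod
little ALL = (root) /usr/sbin/useradd, /usr/sbin/userdel
"""

ALIAS_KINDS = ("User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD):\s*(.*)$")


def parse_sudoers(text):
    """Return (aliases, specs). Backslash continuations are joined; '#' starts a comment,
    so the #uid and %#gid user forms are not supported by this subset."""
    aliases = {kind: {} for kind in ALIAS_KINDS}
    specs = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind = line.split()[0]
        if kind in aliases:
            name, items = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = [i.strip() for i in items.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unparsable user specification: {raw!r}")
        who, where, runas, cmds = m.groups()
        specs.append((who, where, runas or "root", [c.strip() for c in cmds.split(",")]))
    return aliases, specs


def expand(items, table, negated=False):
    """Flatten a list, replacing alias names recursively; each leading '!' toggles negation."""
    out = []
    for item in items:
        item, neg = item.strip(), negated
        while item.startswith("!"):
            neg, item = not neg, item[1:].strip()
        if item in table:
            out.extend(expand(table[item], table, neg))
        else:
            out.append((neg, item))
    return out


def user_matches(token, user, groups):
    return token == "ALL" or token == user or (token.startswith("%") and token[1:] in groups)


def cmd_matches(pattern, command):
    """sudo-style match: path and argument string are each matched as shell globs; a pattern
    without arguments accepts any arguments; a trailing '/' names a directory of commands."""
    if pattern == "ALL":
        return True
    ppath, _, pargs = pattern.partition(" ")
    cpath, _, cargs = command.partition(" ")
    if ppath.endswith("/"):
        return cpath.startswith(ppath) and "/" not in cpath[len(ppath):]
    if not fnmatch.fnmatchcase(cpath, ppath):
        return False
    return True if not pargs else fnmatch.fnmatchcase(cargs, pargs)


def check(sudoers, user, groups, host, command, runas="root"):
    """Return (allowed, needs_password). As in sudo, the LAST matching entry decides;
    needs_password is None when the command is not allowed at all."""
    aliases, specs = sudoers
    allowed, needs_pw = False, True
    for who, where, run_as, cmds in specs:
        if not any(not n and user_matches(t, user, groups) for n, t in expand(who.split(","), aliases["User_Alias"])):
            continue
        if not any(not n and t in ("ALL", host) for n, t in expand(where.split(","), aliases["Host_Alias"])):
            continue
        if not any(not n and t in ("ALL", runas) for n, t in expand(run_as.split(","), aliases["Runas_Alias"])):
            continue
        tag = "PASSWD"                      # default; a tag stays in force for the entries after it
        for item in cmds:
            m = TAG_RE.match(item)
            if m:
                tag, item = m.group(1), m.group(2)
            for neg, pattern in expand([item], aliases["Cmnd_Alias"]):
                if cmd_matches(pattern, command):
                    allowed, needs_pw = not neg, tag != "NOPASSWD"
    return allowed, (needs_pw if allowed else None)


if __name__ == "__main__":
    rules = parse_sudoers(SUDOERS)
    for user, groups, cmd in (("tom", [], "/usr/bin/passwd jerry"), ("tom", [], "/usr/bin/passwd root"),
                              ("alice", ["myclass"], "/usr/sbin/usermod -aG wheel bob")):
        print(user, cmd, check(rules, user, groups, "web1", cmd))
```

Because the decision is "last match wins", auditing a sudoers file means reading every entry that could match a command, not just the first; `sudo -l` on the real host shows the same effective result for the invoking user.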
III. nsswitch
1. nsswitch basics---------------Name Service Switch
Name resolution: translating a human-readable name into the numeric identifier the machine uses.
Resolution: looking up a key in a repository to find the information associated with that key.
General framework: a uniform calling interface for applications
The common name-resolution framework on Linux: libraries (/lib64/libnss*, /usr/lib64/libnss*)
2. Configuration file of the resolution libraries----------/etc/nsswitch.conf
Format: db: source1 source2 ...
Lookup return status (4 kinds): success, notfound, unavail, tryagain
Actions taken on a status: return, continue
3. getent command------------query the name service databases
Format: getent database [key]
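The status/action pairs above decide whether the next source on a line is consulted at all. The following added Python model (not from the notes or from glibc) parses nsswitch.conf lines including the bracketed `[STATUS=action]` and `[!STATUS=action]` forms, applies the default actions (success returns, everything else continues), and reports which sources were actually consulted. The configuration text and the per-source results are constructed stand-ins for the real lookups.

```python
import re

# Constructed /etc/nsswitch.conf fragment (not copied from a real host)
NSSWITCH = """
passwd:  files [NOTFOUND=return] sss
hosts:   files dns [!UNAVAIL=return] myhostname
"""

STATUSES = ("success", "notfound", "unavail", "tryagain")
# glibc defaults: a successful source ends the search, any other status moves on
DEFAULT_ACTION = {"success": "return", "notfound": "continue",
                  "unavail": "continue", "tryagain": "continue"}


def parse_nsswitch(text):
    """Return {db: [(source, {status: action}), ...]}. A bracketed '[STATUS=action ...]'
    group applies to the source just before it; '!STATUS' means every other status."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        entries = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if not tok.startswith("["):
                entries.append((tok, {}))
                continue
            if not entries:
                raise ValueError(f"action list before any source in {raw!r}")
            for spec in tok[1:-1].split():
                status, action = spec.lower().split("=")
                targets = [s for s in STATUSES if s != status[1:]] if status.startswith("!") else [status]
                for s in targets:
                    entries[-1][1][s] = action
        conf[db.strip()] = entries
    return conf


def lookup(conf, db, results):
    """Walk the sources for db. `results` maps source -> status and stands in for the
    real backend calls. Returns (final_status, source_that_answered, sources_consulted)."""
    consulted, final = [], "notfound"
    for source, actions in conf[db]:
        status = results.get(source, "unavail")   # a backend not listed behaves as unavailable
        consulted.append(source)
        final = status
        if actions.get(status, DEFAULT_ACTION[status]) == "return":
            return status, source, consulted
    return final, None, consulted


if __name__ == "__main__":
    conf = parse_nsswitch(NSSWITCH)
    print(lookup(conf, "passwd", {"files": "notfound", "sss": "success"}))
    print(lookup(conf, "hosts", {"files": "notfound", "dns": "unavail", "myhostname": "success"}))
```

The `[NOTFOUND=return]` after `files` is the case to watch in an audit: a user missing from /etc/passwd is never looked up in sss, which may or may not be the intent.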
IV. PAM
1. PAM basics--------------a general authentication framework (Pluggable Authentication Modules)
The common PAM framework on Linux: module libraries (/lib64/security/*)
2. Configuration files-------------/etc/pam.conf, /etc/pam.d/*
There are two kinds of PAM configuration: the global configuration file and per-service configuration files; the global configuration file is deprecated.
(1) Global authentication configuration file-------------------/etc/pam.conf
Format: service type control module-path module-arguments
(2) Per-service configuration files------------------/etc/pam.d/<app_name>
Format: type control module-path module-arguments
type
auth---------------authentication and authorization
account------------account management, independent of authentication
password------------password complexity checks when the user changes a password
session-------------additional actions around the session
control
required----------------if the module fails, authentication must fail, but the rest of the stack is still processed
requisite---------------if the module fails, authentication must fail and the stack is interrupted immediately
sufficient------------if the module succeeds, authentication succeeds and the stack is interrupted immediately
optional-------------the module's result does not affect the outcome
include----------------inserts the lines of another configuration file at this position, like a copy
substack---------------runs the lines of another file as a sub-stack; its results end only the sub-stack, not the main stack
module-path---------------a relative path (under /lib64/security) or an absolute path
module-arguments------------parameters passed to the module (the module's defaults apply if omitted)
Example: auth required pam_shells.so--------------------authenticate with the pam_shells.so module
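The control keywords above are easiest to understand by running a stack. The following added Python model (not code from the notes or from Linux-PAM) parses `/etc/pam.d`-style lines for one management type, splices in `include` files, and dispatches them the way Linux-PAM does: required records the first failure but keeps calling the remaining modules, requisite stops at once, sufficient stops with success only when no earlier required module has failed, and optional results are ignored. It returns the final code together with the list of modules that actually ran, which is what makes the difference between required and requisite visible. The configuration files and module outcomes are constructed; substack and the `[value=action]` syntax are not modelled, and pam_deny.so is treated as always failing.

```python
# Constructed /etc/pam.d files (not copied from a real system). "login" pulls the
# shared stack in with `include`, as the notes describe.
PAM_FILES = {
    "login": """
        auth  required   pam_shells.so
        auth  include    system-auth
    """,
    "system-auth": """
        auth  required   pam_env.so
        auth  requisite  pam_listfile.so onerr=fail item=user sense=allow file=/etc/loginusers
        auth  sufficient pam_unix.so nullok
        auth  required   pam_deny.so
    """,
}

# Linux-PAM's definition of the simple control keywords in [value=action] terms
CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def load_stack(files, name, mtype="auth"):
    """Collect (control, module, args) for one management type; `include` splices in the
    named file's lines of the same type. substack and [value=action] are not modelled."""
    stack = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError(f"malformed line: {raw!r}")
        line_type, control, module = parts[0].lower(), parts[1].lower(), parts[2]
        if line_type != mtype:
            continue
        if control == "include":
            stack.extend(load_stack(files, module, mtype))
        elif control in CONTROLS:
            stack.append((control, module, parts[3] if len(parts) > 3 else ""))
        else:
            raise ValueError(f"control {control!r} not modelled")
    return stack


def run_stack(stack, results):
    """Dispatch the stack as Linux-PAM does. `results` maps module -> return code
    ('success' or an error such as 'auth_err'); unlisted modules succeed, except
    pam_deny.so, which always fails. Returns (final_code, modules_actually_called)."""
    impression, status, called = None, "perm_denied", []
    for control, module, _args in stack:
        retval = results.get(module, "auth_err" if module == "pam_deny.so" else "success")
        called.append(module)
        action = CONTROLS[control]["success" if retval == "success" else "default"]
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break                  # sufficient succeeded with no earlier required failure
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # the first failure is the one reported
            if action == "die":
                break                  # requisite: stop immediately
        # "ignore": the module's result does not affect the outcome
    return (status if impression is not None else "perm_denied"), called


if __name__ == "__main__":
    stack = load_stack(PAM_FILES, "login")
    for label, failing in (("all good", {}), ("bad shell", {"pam_shells.so": "auth_err"}),
                           ("not in list", {"pam_listfile.so": "auth_err"}),
                           ("bad password", {"pam_unix.so": "auth_err"})):
        print(label, run_stack(stack, failing))
```

Compare the "bad shell" and "not in list" runs: both deny, but the required failure still calls every later module (including the password check), while the requisite failure returns before pam_unix.so is reached.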
3. pam_limits.so module-------------limits the system resources a user may consume during a session
Format: pam_limits.so [change_uid] [conf=/path/to/limits.conf] [debug] [utmp_early] [noaudit]
Configuration files:--------------/etc/security/limits.conf, /etc/security/limits.d/*
Format: <domain> <type> <item> <value>
domain:----------------user name or group name
username---------------a single user name
%groupname / @groupname------------all accounts in the named group
type:----------------soft/hard limit; not the same as the soft and hard limits of disk quotas
hard:------------hard limit
soft:------------soft limit
-:--------------both soft and hard
item
core:-------------maximum core file size (KB)
data:--------------maximum data segment size (KB)
fsize:---------------maximum file size (KB)
memlock:-------------maximum locked-in-memory address space (KB)
nofile:---------------maximum number of open files
rss:--------------maximum resident set size (KB)
stack:-----------------maximum stack size (KB)
cpu:-----------------maximum CPU time (minutes)
nproc:-----------------maximum number of processes
as:--------------address space limit (KB)
locks:--------------maximum number of file locks
nice:--------------maximum nice priority
maxlogins:--------------maximum number of simultaneous logins for this user
value:-----------------the numeric value
Example:-------------/etc/security/limits.conf
@student hard nproc 20
@faculty soft nproc 20
@faculty hard nproc 50
ftp hard nproc 0
@student - maxlogins 4
4. pam_listfile.so module------------------------access control based on a list of users/groups, hostnames/IPs, or terminals
Format: pam_listfile.so item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=/path/filename onerr=[succeed|fail] [apply=[user|@group]] [quiet]
Common options:
item=[tty|user|rhost|ruser|group|shell]:----------------which attribute of the login the listed entries are matched against
sense=[allow|deny]:----------what to do when a matching entry is found in the file; if no entry matches, the opposite action is taken
file=/path/filename:--------------------full path of the list file
onerr=[succeed|fail]:-------------------the result returned when an error occurs (for example, the file cannot be read)
apply=[user|@group]:----------------the user or group to which the rule applies
quiet
Example: auth required pam_listfile.so \
    onerr=succeed item=user sense=deny file=/etc/ftpusers
Example: auth required pam_listfile.so \
    onerr=fail item=user sense=allow file=/etc/loginusers
5. pam_time.so module-------------------time-based access control: the user can only log in during certain periods
Format: pam_time.so [debug] [noaudit]
Common options:
debug
noaudit
Configuration file: /etc/security/time.conf
Format: services;ttys;users;times
Example: login ; tty* & !ttyp* ; !root ; Al0000-2400
Example: games ; * ; !waster ; Wd0000-2400 | Wk1800-0800
Examples:
# vim /etc/security/time.conf
login ; tty3 ; user1 ; Al0100-0200-------------user1 may log in on tty3 only between 01:00 and 02:00
login ; tty3 ; user1 ; All
sshd ; * ; * ; Al0100-0200
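As an added example (not from the notes or from the pam_time module), the following Python script parses time.conf rules in the `services;ttys;users;times` format above and decides whether a login would be permitted at a given moment. It implements the pieces those example lines rely on: `*` globs and `!`, `&`, `|` in the first three fields (evaluated left to right, as pam_time does, with no operator precedence), day codes such as Al, Wk, Wd, Mo..Su in the time field with a repeated code toggling that day, and HHMM-HHMM ranges that may cross midnight. Access is granted only if every rule whose service/tty/user fields match also permits the time. The configuration and the users, terminals and timestamps are constructed for the example.

```python
import fnmatch
import re
from datetime import datetime

# Constructed /etc/security/time.conf (not from a real host); the rules mirror the notes above.
TIME_CONF = """
login ; tty* & !ttyp* ; !root   ; Al0000-2400
games ; *             ; !waster ; Wd0000-2400 | Wk1800-0800
sshd  ; *             ; *       ; Al0100-0200
login ; tty3          ; user1   ; Al0100-0200
"""

DAY_CODES = {"mo": {0}, "tu": {1}, "we": {2}, "th": {3}, "fr": {4}, "sa": {5}, "su": {6},
             "wk": {0, 1, 2, 3, 4}, "wd": {5, 6}, "al": set(range(7))}


def parse_time_conf(text):
    """Return a list of (services, ttys, users, times) tuples; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError(f"expected services;ttys;users;times in {raw!r}")
        rules.append(tuple(fields))
    return rules


def eval_logic(expr, term):
    """Evaluate 'a & !b | c' strictly left to right; `term(token)` decides one un-negated token."""
    result, op = None, "|"
    for tok in re.findall(r"[&|]|[^&|\s]+", expr):
        if tok in ("&", "|"):
            op = tok
            continue
        value = term(tok.lstrip("!")) != tok.startswith("!")
        if result is None:
            result = value
        elif op == "&":
            result = result and value
        else:
            result = result or value
    return bool(result)


def time_term(tok, when):
    """'Wk1800-0800': day codes then HHMM-HHMM. A repeated day code toggles that day
    ('AlFr' is every day except Friday); an end before the start spans midnight."""
    m = re.fullmatch(r"((?:[A-Za-z]{2})+)(\d{2})(\d{2})-(\d{2})(\d{2})", tok)
    if not m:
        raise ValueError(f"bad time term {tok!r}")
    days = set()
    for i in range(0, len(m.group(1)), 2):
        days ^= DAY_CODES[m.group(1)[i:i + 2].lower()]
    start = int(m.group(2)) * 60 + int(m.group(3))
    end = int(m.group(4)) * 60 + int(m.group(5))
    now = when.hour * 60 + when.minute
    in_range = start <= now < end if start <= end else (now >= start or now < end)
    return when.weekday() in days and in_range


def permitted(rules, service, tty, user, when):
    """Grant access only if every rule whose service/tty/user fields match also permits
    the time. `when` is a datetime or an ISO string such as '2024-01-09T10:00'."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    for services, ttys, users, times in rules:
        if (eval_logic(services, lambda p: fnmatch.fnmatchcase(service, p))
                and eval_logic(ttys, lambda p: fnmatch.fnmatchcase(tty, p))
                and eval_logic(users, lambda p: fnmatch.fnmatchcase(user, p))):
            if not eval_logic(times, lambda t: time_term(t, when)):
                return False
    return True


if __name__ == "__main__":
    rules = parse_time_conf(TIME_CONF)
    for args in (("games", "tty1", "alice", "2024-01-09T10:00"),   # Tuesday morning
                 ("games", "tty1", "alice", "2024-01-09T19:00"),
                 ("sshd", "pts/0", "alice", "2024-01-09T01:30"),
                 ("login", "tty3", "user1", "2024-01-09T10:00")):
        print(*args, permitted(rules, *args))
```

Note the interaction between the first and last rules: both match user1 on tty3, so the all-day rule does not help and the stricter 01:00-02:00 window decides.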