Linux system security and application
- Account security control
- Password security control
- Command history limit
- su command
- PAM Security Authentication in Linux
- Use sudo mechanism to elevate permissions (sudo)
- Boot and shutdown security control
- Terminal login security control
Account security control
A user account is the identity credential of a computer user: anyone who wants to access system resources must do so through a user account. Linux provides a variety of mechanisms to ensure that user accounts are used properly and safely.
Basic account security measures
System account cleanup
Set the shell of accounts that should never log in to a non-login shell
usermod -s /sbin/nologin username    # deny the user an interactive login
usermod -s /bin/false username       # same effect; /bin/false simply exits without printing a message
Lock accounts that have not been used for a long time
usermod -L username    # lock the user account
passwd -l username     # lock the user account (both prefix the hash in /etc/shadow with "!")
Delete useless accounts
userdel [-r] username    # -r also removes the home directory and mail spool
Lock the account files
chattr +i /etc/passwd /etc/shadow    # make the account files immutable (no changes, even by root, until unlocked)
lsattr /etc/passwd /etc/shadow       # show the attributes of the account files
chattr -i /etc/passwd /etc/shadow    # unlock the account files again
[Screenshot omitted: the commands above run on a test machine]
Password security control
Set a password validity period
Edit the password policy file for new users
vim /etc/login.defs
...
PASS_MAX_DAYS 30    # passwords of newly created users expire after 30 days
[Screenshot omitted: setting the policy for new users]
Change the password policy of an existing user
[root@localhost ~]# chage -M 30 username    # maximum password age of 30 days for this user
[root@localhost ~]# grep username /etc/shadow    # the fifth field (maximum age) now shows 30
[Screenshot omitted: setting the policy for an existing user]
Require a user to change the password at the next login
chage -d 0 lisi    # force a password change at the next login
grep lisi /etc/shadow    # the third field (date of last change) is now 0
[Screenshot omitted: forced password change at login]
A third field of 0 means the password must be changed at the next login.
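As an added example that is not part of the original page, the POSIX shell script below audits the two things this section configures: which accounts still have an interactive login shell, and the state of each account's password in /etc/shadow (locked, forced change at next login, or expired under the maximum age set by PASS_MAX_DAYS / chage -M). The /etc/passwd and /etc/shadow contents, the user names and the "today" day number are constructed sample data so the script runs offline; on a real host you would pass the real files and the current day count.

```shell
#!/bin/sh
# Added example: audit login shells and password state from passwd/shadow data.
# The data below is constructed for the example; it is not from a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
lisi:x:1001:1001::/home/lisi:/bin/bash
zhangsan:x:1002:1002::/home/zhangsan:/bin/bash
olduser:x:1003:1003::/home/olduser:/bin/bash'

# shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:
# - hash starting with "!" or "*" -> locked / no usable password
# - lastchange 0 -> password must be changed at next login (chage -d 0)
SAMPLE_SHADOW='root:$6$salt$hash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
lisi:$6$salt$hash:0:0:30:7:::
zhangsan:!$6$salt$hash:19000:0:99999:7:::
olduser:$6$salt$hash:18000:0:30:7:::'

# Print the accounts whose shell still allows interactive login.
# $1 = passwd content
interactive_accounts() {
    printf '%s\n' "$1" |
        awk -F: '$7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# Classify one account's password state.
# $1 = user, $2 = shadow content, $3 = today as days since 1970-01-01 (the unit chage uses)
shadow_state() {
    printf '%s\n' "$2" | awk -F: -v u="$1" -v today="$3" '
        $1 == u {
            if ($2 ~ /^[!*]/)                    { print "LOCKED";      exit }
            if ($3 == 0)                         { print "MUST_CHANGE"; exit }
            if ($5 != "" && today - $3 > $5 + 0) { print "EXPIRED";     exit }
            print "OK"; exit
        }'
}

# Report "user STATE" for every account that can log in interactively.
# $1 = passwd content, $2 = shadow content, $3 = today (days since epoch)
audit_accounts() {
    interactive_accounts "$1" | while IFS= read -r user; do
        printf '%s %s\n' "$user" "$(shadow_state "$user" "$2" "$3")"
    done
}

# Stand-alone run against the sample data. On a real host use:
#   audit_accounts "$(cat /etc/passwd)" "$(cat /etc/shadow)" $(( $(date +%s) / 86400 ))
audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" 19100
```

Accounts reported as OK with an interactive shell are the ones to review against the cleanup steps above (nologin shell, lock, or delete); the EXPIRED check reproduces what chage -l shows as "Password expired" from the third and fifth shadow fields.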
Command history limit
Reduce the number of recorded commands
[root@localhost ~]# vim /etc/profile    # edit the system-wide profile
export HISTSIZE=20    # keep only 20 history entries
[root@localhost ~]# source /etc/profile    # re-read the file so the setting takes effect
[Screenshot omitted: the history limit in practice]
Automatically clear the command history at login
[root@localhost ~]# vi ~/.bashrc
echo " " > ~/.bash_history    # add this line: the history file is emptied each time a shell starts
[Screenshot omitted: history cleared at login]
Terminal automatic logout
Log out automatically after 600 seconds of inactivity
vim /etc/profile    # edit the system-wide profile
export TMOUT=600    # idle timeout of 600 seconds
[root@localhost ~]# source /etc/profile    # re-read the file so the setting takes effect
su command
Use the su command to switch users
Purpose: Substitute User, switch to another user
`su - target_user`
Password verification
root → any user: no password is required
ordinary user → another user: the target user's password is required
[lisi@localhost ~]$ su - root    # with the "-" option the target user's login shell environment is loaded
口令:
[root@localhost ~]# whoami
root
Restrict which users may use the su command
Step 1
Add the users allowed to use su to the wheel group
gpasswd -a username wheel    # add the user to the wheel group
grep wheel /etc/group        # confirm the wheel group members
Step 2
Enable the pam_wheel authentication module
Configure /etc/pam.d/su so that users outside the group are denied the su command
vim /etc/pam.d/su    # edit the su PAM configuration
auth sufficient pam_rootok.so
...
#auth required pam_wheel.so use_uid    # remove the leading "#" to enable this line
...
[1] The two lines above are the default state (first line enabled, second commented out); in this state every user may switch to any other user with su.
[2] With both lines commented out, all users can still use su, but root must enter a password when switching to an ordinary user; if the first line is left enabled, root needs no password (pam_rootok.so lets uid 0, i.e. root, pass authentication without a password).
[3] With the second line enabled, only root and members of the wheel group can use su.
[4] With the first line commented out and the second enabled, only members of the wheel group can use su; root is denied as well.
View su operation records
Security log file: /var/log/secure
cat /var/log/secure    # review the su records
PAM Security Authentication in Linux
Linux-PAM (Pluggable Authentication Modules) is a set of customizable, dynamically loadable shared libraries that let the local system administrator decide how each program authenticates users.
PAM manages each program's authentication method through a configuration file under /etc/pam.d/. The application invokes its PAM configuration file, which in turn loads the authentication modules (dynamic libraries stored under /lib64/security) to perform the checks. For example, when su prompts for the root password, it is su calling the PAM modules that produces the prompt.
Principles of PAM authentication
The general order is
Service -> PAM configuration file -> pam_*.so
PAM first determines which service is asking, then loads that service's configuration file, and finally calls the PAM modules listed there to perform the authentication
When a user accesses the server, the service program hands the user's request to the PAM modules for authentication
Each application has its own PAM configuration file, so the modules invoked differ from one application to another
To check whether a program supports PAM authentication, list /etc/pam.d/ with ls.
Example: check whether su supports PAM authentication
ls /etc/pam.d | grep su
Structure of PAM authentication configuration
Each line is an independent authentication step
Each line consists of four fields: module type, control flag, PAM module, module arguments
The first column is the PAM module type
Module type | Effect |
---|---|
auth | Verifies the user's identity, for example by prompting for a password or checking whether the caller is root |
account | Checks account attributes: whether login is allowed, whether the account has expired, whether the maximum number of users has been reached, and so on |
password | Updates authentication data, for example changing the user's password |
session | Defines session management before login and after logout, such as logging the connection, opening and closing user data, mounting file systems |
The second column is the PAM control flag
Control flag | Effect |
---|---|
required | The module must succeed. If it fails, the failure is not returned immediately; the remaining modules of the same type still run, and the failure is returned only after all of them have been executed. |
requisite | Like required, but if this module fails, PAM returns failure for this type immediately. |
sufficient | If this module succeeds, success for this type is returned to the program at once; if it fails, the result does not affect the outcome of this type. |
optional | The result is ignored for the pass/fail decision; generally not used for authentication, only to display information (usually in the session type). |
include | Pulls in another PAM configuration file at this point. For example, many programs authenticate by including /etc/pam.d/system-auth (which handles user login authentication) instead of rewriting the entries one by one. |
The third column is the PAM module
By default modules are looked up in /lib64/security/; a module stored elsewhere must be given by its absolute path
The same module can appear under different module types and performs a different operation in each, because a module implements a separate function for each type
The fourth column is the module arguments
Depends on the module used
Arguments passed to the module; there may be several, separated by spaces
Supplementary description of control marks
required: success of this line's module is a [necessary condition] for the user to pass authentication; in other words, the program passes only when every required module configured for it succeeds. If a required module fails, PAM does not return the error to the application immediately, but only after all modules of that type have been called.
requisite: like required, the user passes only if the module returns success. The difference is that once it fails, none of the following modules in the stack are executed; the authentication process ends there and the error is returned immediately. Compared with required, this seems more open and fair.
sufficient: success of this line's module is a [sufficient condition] for the user to pass authentication. As soon as a module marked sufficient succeeds, PAM returns success to the application without trying any other modules, even if later modules in the stack are marked requisite or required. When a sufficient module fails it is treated like optional. So a sufficient entry does not make the whole authentication fail when its own check errors, but when it succeeds it opens the door; this control flag must therefore be used with caution.
optional: the user can still pass authentication even if this line's module fails. PAM simply continues with the next module after the failure: even when the module specified on this line fails, the user is allowed to use the services the application provides. With this flag the PAM framework ignores the module's error and runs the next module in the stack.
PAM authentication flow
[Figure omitted: flow chart of the PAM stack; the rules it shows are listed below]
required: on failure the remaining modules still run, but the final result is Fail
requisite: on failure the whole process ends immediately and Fail is returned
sufficient: on success it returns immediately and nothing further runs; on failure the result is ignored and the stack continues
optional: not used for the decision, only for displaying information (usually in the session type)
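To make the control-flag rules above concrete, here is an added example (not part of the original page) in POSIX shell: pam_eval walks a stack of one module type in which each module's result is supplied as "ok" or "fail", applying the required / requisite / sufficient / optional rules, and su_stack uses it to model the two auth lines of /etc/pam.d/su from the su section (pam_rootok.so as sufficient, pam_wheel.so as required) in the four states described there. The uids, group memberships and results are constructed inputs; the password prompt that su shows afterwards is not modelled.

```shell
#!/bin/sh
# Added example: a simplified evaluator for a PAM stack of one module type.
# Module results are supplied as "ok"/"fail" instead of being computed.

# $1 = newline-separated lines "control result"; prints PASS or FAIL
pam_eval() {
    printf '%s\n' "$1" | awk '
        BEGIN { failed = 0; decided = "" }
        NF == 2 && decided == "" {
            ctl = $1; res = $2
            if (ctl == "required" && res == "fail") { failed = 1 }              # remember, keep going
            else if (ctl == "requisite" && res == "fail") { decided = "FAIL" }  # stop immediately
            else if (ctl == "sufficient" && res == "ok" && !failed) { decided = "PASS" }  # short-circuit
            # sufficient+fail and optional results do not influence the outcome
        }
        END {
            if (decided != "") print decided
            else if (failed)   print "FAIL"
            else               print "PASS"
        }'
}

# Model the two relevant auth lines of /etc/pam.d/su:
#   auth sufficient pam_rootok.so        (succeeds only for uid 0)
#   auth required   pam_wheel.so use_uid (succeeds only for wheel members)
# $1 = caller's uid, $2 = 1 if the caller is in wheel,
# $3 = 1 if the pam_rootok line is enabled, $4 = 1 if the pam_wheel line is enabled.
su_stack() {
    stack=""
    if [ "$3" = 1 ]; then
        if [ "$1" = 0 ]; then stack="sufficient ok"; else stack="sufficient fail"; fi
    fi
    if [ "$4" = 1 ]; then
        if [ "$2" = 1 ]; then line="required ok"; else line="required fail"; fi
        stack="$stack
$line"
    fi
    pam_eval "$stack"
}

# The four states described in notes [1] to [4] of the su section:
echo "default (rootok on, wheel off), non-wheel user: $(su_stack 1000 0 1 0)"   # PASS
echo "both lines commented out, root:                $(su_stack 0 0 0 0)"      # PASS
echo "both lines enabled, non-wheel user:            $(su_stack 1000 0 1 1)"   # FAIL
echo "wheel only (rootok off), root not in wheel:    $(su_stack 0 0 0 1)"      # FAIL
```

One detail the evaluator reproduces that the table does not spell out: a sufficient module that succeeds after an earlier required module has already failed does not rescue the stack, since Linux-PAM only short-circuits on sufficient when no prior required module failed.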
Use the sudo mechanism to elevate privileges (sudo)
Purpose: execute authorized commands as another user (such as root)
Usage: sudo <authorized command>
Configure sudo authorization
visudo
or
vim /etc/sudoers
Note: /etc/sudoers is read-only, so when editing it with vim you must save with :wq!; visudo is preferred because it locks the file and checks the syntax before saving
Authorization format
Syntax:
user host=command_list
user host=(runas_user) command_list
User: a user name, or "%group" to authorize every member of a group
Host: the host name the rule applies to. Use localhost if no host name is configured, the actual host name if one is, or ALL for all hosts
(runas_user): the identity the command runs as. May be omitted; by default the command runs as root
Command list: the privileged commands the user may run through sudo. Give the full path of each command and separate multiple commands with commas ","; ALL means every command on the system
[root@localhost ~]# vim /etc/sudoers
View sudo operation records
Requires the "Defaults logfile" setting to be enabled
Log file used here: /var/log/sudo
Enable the sudo operation log
visudo
Defaults logfile = /var/log/sudo
Alias creation
User alias: User_Alias
Host alias: Host_Alias
Command alias: Cmnd_Alias
Jerry localhost=/sbin/*,!/sbin/reboot,!/sbin/poweroff
The wildcard "*" means all; the negation symbol "!" excludes a command
%wheel ALL=NOPASSWD:ALL
Members of the wheel group may run any command through sudo without entering a password
Use the keywords User_Alias, Host_Alias and Cmnd_Alias to define aliases (alias names must be upper case)
User_Alias USERS=Tom,Jerry,Mike    # the user alias USERS contains Tom, Jerry, Mike
Host_Alias HOSTS=localhost,bogon    # the host alias HOSTS contains localhost, bogon
Cmnd_Alias CMNDS=/sbin/ifconfig,/usr/sbin/useradd,/usr/sbin/userdel    # the command alias CMNDS
USERS HOSTS=CMNDS    # user alias  host alias = command list
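As an added example that is not part of the original page, the POSIX shell functions below decide whether a sudoers rule written in the format above ("user host=(runas) command_list") grants a given command, so the effect of "/sbin/*,!/sbin/reboot" or "%wheel ALL=NOPASSWD:ALL" can be checked before the rule is installed. Only the pieces this section introduces are modelled (%group users, ALL, shell wildcards, "!" exclusions, the NOPASSWD: tag); aliases are not expanded and command arguments are ignored, so this illustrates the rule format rather than reimplementing sudo's matching. The rules and requests are the page's examples plus constructed values.

```shell
#!/bin/sh
# Added example: evaluate sudoers rules of the form "user host=(runas) cmdlist".

# $1 = comma-separated command list, $2 = absolute path of the command.
# Entries are scanned in order and a later entry overrides an earlier one,
# which is how "/sbin/*,!/sbin/reboot" allows everything in /sbin except reboot.
sudo_cmd_allowed() {
    list=$1; cmd=$2; allowed=1          # 1 = shell false (deny) until an entry matches
    while [ -n "$list" ]; do
        entry=${list%%,*}
        case $list in *,*) list=${list#*,} ;; *) list="" ;; esac
        entry=${entry# }                # tolerate "a, b" spacing
        negate=0
        case $entry in '!'*) negate=1; entry=${entry#!} ;; esac
        if [ "$entry" = ALL ]; then entry='*'; fi
        case $cmd in $entry) allowed=$negate ;; esac   # glob match, last match wins
    done
    return $allowed
}

# $1 = sudoers rule, $2 = requesting user (or "%group" for a group they belong to),
# $3 = host name, $4 = command. Returns 0 when the rule grants the command.
sudo_rule_allowed() {
    rule=$1
    user=${rule%% *}; rest=${rule#* }
    host=${rest%%=*}; spec=${rest#*=}
    case $spec in '('*) spec=${spec#*\)}; spec=${spec# } ;; esac   # drop "(runas)"; only the command is checked
    case $spec in NOPASSWD:*|PASSWD:*) spec=${spec#*:} ;; esac     # tags are not part of the command list
    if [ "$user" != "$2" ] && [ "$user" != ALL ]; then return 1; fi
    if [ "$host" != "$3" ] && [ "$host" != ALL ]; then return 1; fi
    sudo_cmd_allowed "$spec" "$4"
}

# Rules taken from the examples above, checked against a few constructed requests.
RULE_JERRY='Jerry localhost=/sbin/*,!/sbin/reboot,!/sbin/poweroff'
RULE_WHEEL='%wheel ALL=NOPASSWD:ALL'
for req in "Jerry localhost /sbin/ifconfig" "Jerry localhost /sbin/reboot" \
           "Tom localhost /sbin/ifconfig" "%wheel web01 /usr/sbin/useradd"; do
    set -- $req
    if sudo_rule_allowed "$RULE_JERRY" "$1" "$2" "$3" || sudo_rule_allowed "$RULE_WHEEL" "$1" "$2" "$3"; then
        echo "ALLOW  $req"
    else
        echo "DENY   $req"
    fi
done
```

For the real file, `visudo -c` performs the authoritative syntax check and `sudo -l -U user` shows what sudo itself would grant; the functions above are only a way to reason about the rule format.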
Boot and shutdown security control
Adjust the BIOS boot settings
Set the first boot device to the hard disk holding the current system
Prohibit booting from other devices (CD, USB stick, network)
Set the security level to "setup" and set an administrator password
GRUB restrictions
Generate a key with grub2-mkpasswd-pbkdf2
Edit /etc/grub.d/00_header and add the password entry
Generate a new grub.cfg configuration file
Restrict modification of the GRUB boot parameters
Normally, when the system boots to the GRUB menu, pressing the e key lets anyone view and modify the boot parameters, which is a serious threat to a server; a password can be set on the GRUB menu so that the boot parameters can only be modified after the correct password is entered
grub2-mkpasswd-pbkdf2    # enter the GRUB menu password at the prompts
PBKDF2 hash of your password is grub.pbkdf2……    # the omitted part is the generated hash string
cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
cp /etc/grub.d/00_header /etc/grub.d/00_header.bak
vim /etc/grub.d/00_header
cat << EOF
set superusers="root"    # the GRUB superuser name, root here
password_pbkdf2 root grub.pbkdf2……    # the password entry; the omitted part is the hash generated above
EOF
grub2-mkconfig -o /boot/grub2/grub.cfg    # generate the new grub.cfg
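As an added example that is not part of the original page, the POSIX shell helpers below wrap the two error-prone parts of the procedure above: emitting the 00_header snippet only when the string really has the shape grub2-mkpasswd-pbkdf2 produces (grub.pbkdf2.sha512.<iterations>.<salt>.<hash>), and verifying afterwards that the regenerated grub.cfg actually contains both the superusers and password_pbkdf2 lines. The hash and the grub.cfg contents are constructed placeholders, not real output.

```shell
#!/bin/sh
# Added example: helpers around the GRUB password procedure.
# SAMPLE_HASH and SAMPLE_CFG are constructed placeholders, not real values.

# Print the lines to append to /etc/grub.d/00_header for a superuser and hash.
# $1 = superuser name, $2 = hash string from grub2-mkpasswd-pbkdf2.
# Returns 1 and prints nothing if $2 does not look like a PBKDF2 hash
# (for instance a plaintext password pasted by mistake).
grub_password_snippet() {
    case $2 in
        grub.pbkdf2.sha512.[0-9]*.*.*) ;;
        *) echo "refusing: '$2' is not a grub.pbkdf2.sha512 hash (run grub2-mkpasswd-pbkdf2)" >&2
           return 1 ;;
    esac
    printf 'cat << EOF\nset superusers="%s"\npassword_pbkdf2 %s %s\nEOF\n' "$1" "$1" "$2"
}

# Check generated grub.cfg content for the protection: both "set superusers"
# and a password_pbkdf2 line for that user must be present.
# $1 = grub.cfg content, $2 = superuser name. Returns 0 when protected.
grub_cfg_protected() {
    printf '%s\n' "$1" | grep -q "^set superusers=\"$2\"" || return 1
    printf '%s\n' "$1" | grep -q "^password_pbkdf2 $2 grub.pbkdf2.sha512\." || return 1
    return 0
}

# Stand-alone run with constructed values.
SAMPLE_HASH='grub.pbkdf2.sha512.10000.0123456789ABCDEF.FEDCBA9876543210'
grub_password_snippet root "$SAMPLE_HASH"

# What grub2-mkconfig would emit from that snippet (constructed):
SAMPLE_CFG="set superusers=\"root\"
password_pbkdf2 root $SAMPLE_HASH
menuentry 'Linux' { linux16 /vmlinuz root=/dev/sda1 }"
if grub_cfg_protected "$SAMPLE_CFG" root; then
    echo "grub.cfg is password-protected"
fi
```

On a real system the second check is run as `grub_cfg_protected "$(cat /boot/grub2/grub.cfg)" root` after grub2-mkconfig; a missing line there usually means the snippet was added to the wrong file or grub2-mkconfig was not re-run.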
Terminal login security control
Allow root to log in only on secure terminals
Secure terminal configuration: /etc/securetty
[root@localhost ~]# vim /etc/securetty
#tty5    # commenting out tty5 and tty6 forbids root from logging in on these terminals
#tty6
Forbid ordinary users from logging in
Create the file /etc/nologin
Logins return to normal once the nologin file is deleted or the system is rebooted
touch /etc/nologin    # forbid ordinary users from logging in
rm -rf /etc/nologin    # remove the login restriction