1-基本安全措施
2016.6.23
- [系统账号清理](#系统账号清理)
- 11-2-2 密码安全控制
- 11-2-3 命令历史、自动注销
系统账号清理
- 将非登录用户的 shell 设定为 /sbin/nologin
- 锁定长期不使用的账号
- 删除无用的账号
- 锁定账号文件 passwd、shadow:用 chattr +i 加锁,用 lsattr 查看属性
密码安全控制
- 设置密码有效期
- 要求用户下次登录时修改密码
针对一个用户改变密码有效期
[root@test2 jason]# chage -M 60 quota
[root@test2 jason]# tail /etc/shadow
sshd:!!:16938::::::
tcpdump:!!:16938::::::
jason:$6$GlEw28Jr0xjJyCxL$uiADaRiUCn5kWm9bHy3nKT.bL1vyanAVrepQExtONYzv78sZy1.iyB03hLzQfeaXwkF4lPBiBlCc5vqO0GylC0:16938:0:99999:7:::
tsengia:$6$ZUg480Hj$qxOk5LfdAzFUSKXrfZSx55Ibf65jU9ZgzmQOZvdOuL2btHPxOaPIeU6IgsLApL/JK41y/ImsdNr48xo2OQQBO0:16963:0:99999:7:::
obama:$6$wolTP/c7$uhfWKpshVLQjx4OVoU8lVrhi9AM/jIcMkrKLWsPBJyV4f9TUx6z733KEAD4xxx.QFA1mdYi97nRZ0oiDytyK7/:16963:0:99999:7:::
kylin:$6$3ZTSEXQv$9rfcvvZAAvemKXSmEMJix09aHUznlUF2NCmlC97dC09mWbpSPdn2hm/.UlV5Q982zJnEYPBV10W/LT7Wwqsvy0:16963:0:99999:7::17878:
handy:$6$ly/9mrWN$vRC7IVA5orGxfJjEdSCXI4aef6UFSn1SHnl1sW674TySkYiMXYszZAuXj5WEtibciptVJ98Xo2bQXdeJ0IFBk/:16963:0:99999:7:::
cucci:!!:16963:0:99999:7:::
development:!!:16975:0:99999:7:::
quota:$6$4V/vXh5.$zkIuAL5j0h/uRUeId030OPUbSUpVUvmAiEN4Frj8d.40UmtmJforjifc3OSsBbPLv2qUVal41JpGqP46zJm6i.:16975:0:60:7::: //这里60就是刚刚更改过的密码有效期
针对之后所有用户的密码有效期
/etc/login.defs
[root@test2 jason]# vim /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 500
UID_MAX 60000
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 500
GID_MAX 60000
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
66,0-1 Bot
将 PASS_MAX_DAYS 改为 60,然后新增一个用户来测试上面 login.defs 的修改是否生效。
[root@test2 jason]# useradd xiao
[root@test2 jason]# passwd xiao
Changing password for user xiao.
New password:
BAD PASSWORD: it does not contain enough DIFFERENT characters
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@test2 jason]# tail /etc/shadow
tcpdump:!!:16938::::::
jason:$6$GlEw28Jr0xjJyCxL$uiADaRiUCn5kWm9bHy3nKT.bL1vyanAVrepQExtONYzv78sZy1.iyB03hLzQfeaXwkF4lPBiBlCc5vqO0GylC0:16938:0:99999:7:::
tsengia:$6$ZUg480Hj$qxOk5LfdAzFUSKXrfZSx55Ibf65jU9ZgzmQOZvdOuL2btHPxOaPIeU6IgsLApL/JK41y/ImsdNr48xo2OQQBO0:16963:0:99999:7:::
obama:$6$wolTP/c7$uhfWKpshVLQjx4OVoU8lVrhi9AM/jIcMkrKLWsPBJyV4f9TUx6z733KEAD4xxx.QFA1mdYi97nRZ0oiDytyK7/:16963:0:99999:7:::
kylin:$6$3ZTSEXQv$9rfcvvZAAvemKXSmEMJix09aHUznlUF2NCmlC97dC09mWbpSPdn2hm/.UlV5Q982zJnEYPBV10W/LT7Wwqsvy0:16963:0:99999:7::17878:
handy:$6$ly/9mrWN$vRC7IVA5orGxfJjEdSCXI4aef6UFSn1SHnl1sW674TySkYiMXYszZAuXj5WEtibciptVJ98Xo2bQXdeJ0IFBk/:16963:0:99999:7:::
cucci:!!:16963:0:99999:7:::
development:!!:16975:0:99999:7:::
quota:$6$4V/vXh5.$zkIuAL5j0h/uRUeId030OPUbSUpVUvmAiEN4Frj8d.40UmtmJforjifc3OSsBbPLv2qUVal41JpGqP46zJm6i.:16975:0:60:7:::
xiao:$6$b.SnFDK9$uljRcZ62SfJl5IopSshRNpysR3qd5BkQA5dD2JZsFoLXNg67mEdj9nG.f82Pc4j1K6.4xfAbHLQU8/XVfFJGB0:16975:0:60:7:::
[root@test2 jason]#
这里可以看到 xiao 用户的密码有效期是 60 天。也就是说,/etc/login.defs 中的设置是全局性的,针对之后新建的所有用户;而 chage -M 只针对单一的已有用户。
要求用户下次登录时修改密码
chage -d 0 xiao
[root@test2 jason]# chage -d 0 xiao
[root@test2 jason]# tail /etc/shadow | grep xiao
xiao:$6$b.SnFDK9$uljRcZ62SfJl5IopSshRNpysR3qd5BkQA5dD2JZsFoLXNg67mEdj9nG.f82Pc4j1K6.4xfAbHLQU8/XVfFJGB0:0:0:60:7::: //原来为16975的位置现在变成了0
[root@test2 jason]#
命令历史限制
- 减少记录的命令条数
- 注销时自动清空命令历史
终端自动注销
- 限制600秒后自动注销
vim /etc/profile
(修改全局配置)
[root@test2 jason]# vim /etc/profile
# /etc/profile
# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc
# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.
# Add directory $1 to PATH unless it is already present as a whole
# component. With "after" as $2 the directory is appended, otherwise it
# is prepended. Kept POSIX-sh compatible: this file is read by every
# login shell, not only bash.
pathmunge () {
    # Already on PATH: nothing to do.
    case ":${PATH}:" in
        *:"$1":*)
            return 0
            ;;
    esac
    if [ "$2" = "after" ] ; then
        PATH=$PATH:$1
    else
        PATH=$1:$PATH
    fi
}
# Identity: derive user name and mailbox from id(1). The inner assignments
# only run when EUID is empty (bash sets EUID itself; the "ksh workaround"
# note covers shells that do not).
if [ -x /usr/bin/id ]; then
    if [ -z "$EUID" ]; then
        # ksh workaround
        EUID=`id -u`
        UID=`id -ru`
    fi
    USER="`id -un`"
    LOGNAME=$USER
    MAIL="/var/spool/mail/$USER"
fi

# Path manipulation
# root gets the sbin directories prepended; everyone else gets them
# appended ("after"), so user-level binaries keep priority.
if [ "$EUID" = "0" ]; then
    pathmunge /sbin
    pathmunge /usr/sbin
    pathmunge /usr/local/sbin
else
    pathmunge /usr/local/sbin after
    pathmunge /usr/sbin after
    pathmunge /sbin after
fi

# hostname errors are discarded so a misconfigured host still gets a profile.
HOSTNAME=`/bin/hostname 2>/dev/null`
# Number of commands kept in the shell history list.
HISTSIZE=1000
# Keep an already-requested "ignorespace" and add duplicate suppression;
# otherwise only suppress duplicates.
if [ "$HISTCONTROL" = "ignorespace" ] ; then
    export HISTCONTROL=ignoreboth
else
    export HISTCONTROL=ignoredups
fi

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL

# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
# Non-system users whose primary group is their own private group get a
# group-writable umask (002); everyone else gets 022.
# NOTE(review): $UID is unquoted; harmless only because it is numeric.
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002
else
    umask 022
fi

# Source drop-in scripts. "$-" holds the shell's option flags; stripping
# through the first "i" changes it only for an interactive shell, so
# output is shown interactively and silenced otherwise.
for i in /etc/profile.d/*.sh ; do
    if [ -r "$i" ]; then
        if [ "${-#*i}" != "$-" ]; then
            . "$i"
        else
            . "$i" >/dev/null 2>&1
        fi
    fi
done

# Do not leak the loop variable or the helper into the login session.
unset i
unset -f pathmunge
78,1 Bot
HISTSIZE=1000 就是控制记录历史命令条数的变量。
source /etc/profile
让上面的修改生效
只修改当前用户(当前会话)的:
export HISTSIZE=200
设置自动清空历史记录
[root@test2 ~]# pwd
/root
[root@test2 ~]# ls -a
. .dbus .gnupg man2.txt .rnd
.. Desktop .gstreamer-0.10 man.txt .ssh
.abrt Documents .gtk-bookmarks .mozilla .tcshrc
anaconda-ks.cfg Downloads .gvfs Music Templates
.bash_history .esd_auth home.bak.tar.gzip mvtotrash Videos
.bash_logout etc.tar.gz .ICEauthority .nautilus .viminfo
.bash_profile .gconf .imsettings.log Pictures .xsession-errors
.bashrc .gconfd install.log Public .xsession-errors.old
.cache .gnome2 install.log.syslog .pulse
.config .gnome2_private .lesshst .pulse-cookie
.cshrc .gnote .local .recently-used.xbel
[root@test2 ~]# vim .bash_logout
# ~/.bash_logout
# Drop this login shell's in-memory command history so the session's
# commands are not kept.
# NOTE(review): this relies on bash running ~/.bash_logout before it writes
# ~/.bash_history at exit — confirm for the bash version in use; entries
# already on disk from earlier sessions are not touched when histappend is set.
history -c
# Wipe the terminal so the session's output is not left on screen.
clear
~
~
...//省略
~
:wq
通过jason来看看
[jason@test2 root]$ cd
[jason@test2 ~]$ pwd
/home/jason
[jason@test2 ~]$ ls -a
. .cache .gconf .imsettings.log .pulse-cookie
.. .config .gconfd .local .recently-used.xbel
abc .dbus .gnome2 mdadm.txt .ssh
.abrt Desktop .gnote .mozilla Templates
.bash_history .dmrc .gnupg Music Videos
.bash_logout Documents .gstreamer-0.10 .nautilus .viminfo
.bash_profile Downloads .gtk-bookmarks Pictures .xauthrRJSOO
.bashrc .esd_auth .gvfs Public .xsession-errors
bootetc-bak.tar.bz2 file1 .ICEauthority .pulse
[jason@test2 ~]$
当前用户(仅当前会话):
TMOUT=600
全局配置
[root@test2 jason]# vim /etc/profile
# /etc/profile
# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc
# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.
# pathmunge DIR [after]
# Put DIR on PATH if it is not already a whole component of it; "after"
# appends, anything else prepends. POSIX sh only, since every login shell
# reads this file.
pathmunge () {
    # Nothing to do when DIR is already present.
    case ":${PATH}:" in
        *:"$1":*)
            return 0
            ;;
    esac
    if [ "$2" = "after" ] ; then
        PATH=$PATH:$1
    else
        PATH=$1:$PATH
    fi
}
if [ -x /usr/bin/id ]; then
if [ -z "$EUID" ]; then
# ksh workaround
EUID=`id -u`
UID=`id -ru`
fi
USER="`id -un`"
LOGNAME=$USER
MAIL="/var/spool/mail/$USER"
fi
# Path manipulation
if [ "$EUID" = "0" ]; then
pathmunge /sbin
pathmunge /usr/sbin
pathmunge /usr/local/sbin
else
pathmunge /usr/local/sbin after
pathmunge /usr/sbin after
pathmunge /sbin after
fi
HOSTNAME=`/bin/hostname 2>/dev/null`
HISTSIZE=1000
TIMEOUT=600
if [ "$HISTCONTROL" = "ignorespace" ] ; then
export HISTCONTROL=ignoreboth
else
export HISTCONTROL=ignoredups
fi
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL
# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
umask 002
else
umask 022
fi
for i in /etc/profile.d/*.sh ; do
if [ -r "$i" ]; then
if [ "${-#*i}" != "$-" ]; then
. "$i"
else
. "$i" >/dev/null 2>&1
fi
fi
done
unset i
unset -f pathmunge
78,1 Bot
source /etc/profile
注意:上面的改变要到下次登录后才对新登录的会话生效。如果想在当前会话立即生效,可以直接用 export 设置该变量。