4 - System Boot and Login Control


2016.6.23

Power-on and shutdown security control

Adjust the BIOS boot settings

  • Set the first boot device to the hard disk that holds the current system
  • Disallow booting from other devices (optical disc, USB drive, network)
  • Set the security level to "setup" and set an administrator password

Disable the Ctrl+Alt+Del reboot hotkey

  • Avoid reboots caused by accidental user key presses

vi /etc/init/control-alt-delete.conf

[root@test2 ~]# vi /etc/init/control-alt-delete.conf

# control-alt-delete - emergency keypress handling
#
# This task is run whenever the Control-Alt-Delete key combination is
# pressed.  Usually used to shut down the machine.
#
# Do not edit this file directly. If you want to change the behaviour,
# please create a file control-alt-delete.override and put your changes there.

#start on control-alt-delete

#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
:wq

By default these two lines ("start on control-alt-delete" and the "exec /sbin/shutdown" line) are not commented out. Commenting both out disables the reboot hotkey. As the file header says, the supported way to make the change is a control-alt-delete.override file rather than editing this file directly.

GRUB menu restrictions

  • Prevent unauthorized modification of the boot parameters
  • Prevent unauthorized booting into a specified system entry

Password entry forms (grub.conf)

  • password <plaintext password>
  • password --md5 <encrypted password string>

Where the password entry is placed

  • Global section (before the first "title" line)
  • Per-system boot section (after each "title" line)

Implementing the GRUB restriction

  • Use grub-md5-crypt to obtain the encrypted string
  • Edit grub.conf and add the password entry

[root@test2 ~]# grub-md5-crypt
Password:
[root@test2 ~]#

Terminal login security control:

Reduce the number of open terminals


Restrict root to logging in only on secure terminals

  • Secure terminal configuration: /etc/securetty

Prohibit ordinary users from logging in

  • Create the /etc/nologin file
  • Deleting the nologin file, or rebooting, restores normal logins

Edit /etc/securetty so that root can log in only on secure terminals

[root@test2 txts]# vi /etc/securetty

console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
#tty9
#tty10
#tty11
:wq

Edit /etc/init/start-ttys.conf so that only terminals tty4, tty5 and tty6 are started for login

[root@test2 ~]# vi /etc/init/start-ttys.conf

#
#
# This service starts the configured number of gettys.
#
# Do not edit this file directly. If you want to change the behaviour,
# please create a file start-ttys.override and put your changes there.

start on stopped rc RUNLEVEL=[2345]

env ACTIVE_CONSOLES=/dev/tty[456]
env X_TTY=/dev/tty1
task
script
        . /etc/sysconfig/init
        for tty in $(echo $ACTIVE_CONSOLES) ; do
                [ "$RUNLEVEL" = "5" -a "$tty" = "$X_TTY" ] && continue
                initctl start tty TTY=$tty
        done
end script
:wq

Edit /etc/sysconfig/init

[root@test2 ~]# vi /etc/sysconfig/init

# color => new RH6.0 bootup
# verbose => old-style bootup
# anything else => new style bootup without ANSI colors or positioning
BOOTUP=color
# column to start "[  OK  ]" label in
RES_COL=60
# terminal sequence to move to that column. You could change this
# to something like "tput hpa ${RES_COL}" if your terminal supports it
MOVE_TO_COL="echo -en \\033[${RES_COL}G"
# terminal sequence to set color to a 'success' color (currently: green)
SETCOLOR_SUCCESS="echo -en \\033[0;32m"
# terminal sequence to set color to a 'failure' color (currently: red)
SETCOLOR_FAILURE="echo -en \\033[0;31m"
# terminal sequence to set color to a 'warning' color (currently: yellow)
SETCOLOR_WARNING="echo -en \\033[0;33m"
# terminal sequence to reset to the default color.
SETCOLOR_NORMAL="echo -en \\033[0;39m"
# Set to anything other than 'no' to allow hotkey interactive startup...
PROMPT=yes
# Set to 'yes' to allow probing for devices with swap signatures
AUTOSWAP=no
# What ttys should gettys be started on?
ACTIVE_CONSOLES=/dev/tty[456]
# Set to '/sbin/sulogin' to prompt for password on single-user mode
# Set to '/sbin/sushell' otherwise
SINGLE=/sbin/sushell
:wq

Note that both places (start-ttys.conf and /etc/sysconfig/init) must be set consistently for the change to take effect: the start-ttys.conf script sources /etc/sysconfig/init before its loop, so the ACTIVE_CONSOLES value in /etc/sysconfig/init is the one that is finally used.

touch /etc/nologin
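As an added example that is not part of the original notes, the POSIX shell script below audits the settings described above: the commented-out Ctrl+Alt+Del stanza, the GRUB password entry, the /etc/securetty list and the /etc/nologin file. It runs against a constructed sample tree; the root-path argument, the function names and the sample file contents are the example's own assumptions.

```shell
#!/bin/sh
# Added audit helper, not from the original notes: checks the boot/login
# hardening items described above against a filesystem root given as $1
# (pass "/" for the live host). Returns the number of failed checks.
audit_boot_login() {
    root="${1%/}"; fails=0
    # 1. Ctrl+Alt+Del: the Upstart 'start on control-alt-delete' stanza must
    #    be commented out (or absent) in control-alt-delete.conf.
    cad="$root/etc/init/control-alt-delete.conf"
    if grep -Eq '^[[:space:]]*start[[:space:]]+on[[:space:]]+control-alt-delete' "$cad" 2>/dev/null; then
        echo "FAIL ctrl-alt-del reboot still enabled in $cad"; fails=$((fails + 1))
    else
        echo "OK   ctrl-alt-del reboot disabled"
    fi
    # 2. grub.conf must carry a password line, preferably the MD5 form ($1$...).
    grub="$root/boot/grub/grub.conf"
    if grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$' "$grub" 2>/dev/null; then
        echo "OK   grub password set (md5)"
    elif grep -Eq '^[[:space:]]*password[[:space:]]' "$grub" 2>/dev/null; then
        echo "FAIL grub password stored in plaintext"; fails=$((fails + 1))
    else
        echo "FAIL no grub password in $grub"; fails=$((fails + 1))
    fi
    # 3. /etc/securetty: each uncommented entry is a terminal root may log in on.
    allowed=$(grep -Ev '^[[:space:]]*(#|$)' "$root/etc/securetty" 2>/dev/null | tr '\n' ' ')
    echo "INFO root login allowed on: ${allowed:-<none>}"
    # 4. /etc/nologin: its mere presence blocks ordinary-user logins.
    if [ -e "$root/etc/nologin" ]; then
        echo "INFO /etc/nologin present: ordinary users locked out"
    else
        echo "INFO /etc/nologin absent: ordinary logins allowed"
    fi
    return "$fails"
}

# Constructed sample tree, not a real host: Ctrl+Alt+Del disabled, a plaintext
# GRUB password, root limited to console and tty1, no /etc/nologin.
make_sample_tree() {
    d=$(mktemp -d); mkdir -p "$d/etc/init" "$d/boot/grub"
    printf '#start on control-alt-delete\n#exec /sbin/shutdown -r now\n' > "$d/etc/init/control-alt-delete.conf"
    printf 'default=0\ntimeout=5\npassword hunter2\ntitle CentOS\n' > "$d/boot/grub/grub.conf"
    printf 'console\ntty1\n#tty2\n#tty3\n' > "$d/etc/securetty"
    echo "$d"
}

sample=$(make_sample_tree)
audit_boot_login "$sample" || echo "failed checks: $?"
```

On the sample tree the only failing check is the plaintext GRUB password; replacing it with a "password --md5" line brings the failure count to zero.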
