1. 1 虚拟机操作
-
例:
-
制作虚拟机:
virt-install -n M10Srv20_80_14 --memory 4096 --vcpus=2 --disk /data/kvm/M10Srv20_80_14.img,format=qcow2,size=92 --os-type=linux --cdrom /data/kvm/ubuntu-18.04.3-live-server-amd64.iso --vnc --vncport=5904 --vnclisten=0.0.0.0 --network bridge=br0,model=virtio
-
配置虚拟机:
- 操作虚拟机
virsh list --all
virsh start/shutdown M10Srv20_80_14
virsh edit (虚拟机name)
- 克隆虚拟机
virt-clone --connect=qemu:///system -o M10Srv20_80_14 -n M10Srv20_80_15 -f /data/kvm/M10Srv20_80_15.img
2. 系统加固
2.1. 升级前准备操作
- 开放root密码
- 升级内核
dpkg -i linux-image-unsigned-4.18.20-041820-generic_4.18.20-041820.201812030624_amd64.deb linux-modules-4.18.20-041820-generic_4.18.20-041820.201812030624_amd64.deb
- chown -R 1000:1000 /opt/
- 配置apt源(指向内部源)
- 注意:ntp指向内部时间同步服务器、有ktb字样的内容要删除、dns服务器给定再加、ntp源去掉KTB环境
2.2. 升级项
2.2.1. 磁盘分区
- 加固方法:
使用官方网站提供的ubuntu-18.04.3-live-server-amd64.iso镜像,按照安装提示将磁盘按表格分区,安装系统。 - 检查方法
lsblk
df -lTh
2.2.2. 添加内部环境的apt源
scp 10.10.108.121:/root/formssi.pub /root
cd /root;apt-key add formssi.pub
echo "deb http://10.10.108.121:1111 /packages/" >/etc/apt/sources.list
apt-get update
apt-get install -y python
2.2.3. 系统打补丁
- 加固方法
下载包地址:https://usn.ubuntu.com/4079-2/?_ga=2.234059806.1471299125.1572330724-850771604.1572330724
dpkg -i libsox3 sox
- 检查方法
dpkg -l | grep libsox3
dokg -l | greo sox
2.2.4. log files
- 要求
Log files are used by the system and application to record actions, errors, warnings, and problems. They are often quite useful for investigating system quirks, for discovering the root causes of tricky problems, and for watching attackers. There are typically two types of log files in the operating Environment system log files that are typically managed by the syslog daemon and application logs that are created by the application. Log files that are base on requirement, keeping the log files more than 7 days and require a log rotation.
系统和应用程序使用日志文件来记录操作,错误,警告和问题。它们通常对于调查系统异常,发现棘手问题的根本原因以及监视攻击者非常有用。操作系统环境日志文件中通常有两种类型的日志文件,它们通常由syslog守护程序管理,而应用程序由应用程序创建。根据需要的日志文件,将日志文件保留7天以上,并且需要轮换日志。
2.2.4.1. enable logging
- 加固方法
vi /etc/rsyslog.conf
echo "*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log" >> /etc/rsyslog.conf
- 检查方法