实验:基本的系统安全控制
实验环境
某公司新增了一台企业级服务器,已安装运行RHEL 6操作系统,由系统运维部、软件开发部、技术服务部共同使用。由于用户数量众多,且使用时间不固定,要求针对账号和登录过程采取基本的安全措施。
需求描述
允许用户radmin使用su命令进行切换,其他用户一律禁止切换身份。
授权用户zhangsan管理所有员工的账号,但禁止其修改root用户的信息。
授权用户lisi能够执行/sbin、/usr/sbin目录下的所有特权命令,不需要密码验证。
所有的su、sudo操作,必须在系统日志文件中进行记录。
禁止使用Ctrl + Alt + Del快捷键,只开放tty3、tty5终端,为GRUB引导菜单设置密码。
允许用户radmin使用su命令进行切换,其他用户一律禁止切换身份
配置
vi /etc/pam.d/su
取消注释,以生效wheel组
添加用户radmin
[root@test2 jason]# useradd -g wheel radmin [root@test2 jason]# passwd radmin Changing password for user radmin. New password: BAD PASSWORD: it does not contain enough DIFFERENT characters BAD PASSWORD: is too simple Retype new password: passwd: all authentication tokens updated successfully.
创建radmin的同时,指定radmin的基本组是wheel
查看属组等信息:
[root@test2 jason]# id radmin uid=509(radmin) gid=10(wheel) groups=10(wheel)
这里能看出来在wheel的组内
查看wheel组信息:
[root@test2 jason]# cat /etc/group | grep wheel wheel:x:10:xiao
这里有一个xiao用户,根据要求只能有radmin,所以删除这个组
从wheel组当中删除xiao
[root@test2 jason]# gpasswd -d xiao wheel Removing user xiao from group wheel
查看删除后的结果
[root@test2 jason]# cat /etc/group | grep wheel wheel:x:10:
可以看到wheel组当中已经没有了xiao这个用户
测试
1.radmin是否可以使用su命令进行切换
[root@test2 jason]# su radmin [radmin@test2 jason]$ su Password: [root@test2 jason]#
这里可以看出来从radmin切换到root的时候是可以执行的。
2.非radmin用户是否可以使用su命令进行切换
[root@test2 jason]# su jason [jason@test2 ~]$ su Password: su: incorrect password [jason@test2 ~]$ exit exit [root@test2 jason]# su xiao [xiao@test2 jason]$ su Password: su: incorrect password
从这里可以看出来当jason和xiao两个用户在使用su的时候是无法切换的。
授权用户zhangsan管理所有员工的账号,但禁止其修改root用户的信息。
配置
visudo
[root@test2 bin]# visudo ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # # Disable "ssh hostname sudo <cmd>", because it will show the password in clear. # You have to run "ssh -t hostname sudo <cmd>". # Defaultsrequiretty # # Refuse to run if unable to disable echo on the tty. This setting should also be # changed in order to be able to use sudo without a tty. See requiretty above. # Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. Note that HOME # is already set when the the env_reset option is enabled, so # this option is only effective for configurations where either # env_reset is disabled or HOME is present in the env_keep list. # Defaultsalways_set_home Defaultsenv_reset Defaultsenv_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS" Defaultsenv_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaultsenv_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaultsenv_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaultsenv_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME" Defaultssecure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere rootALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheelALL=(ALL) ALL ## Same thing without a password # %wheelALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir /etc/sudoers.d zhangsan test2=/usr/sbin/useradd,/usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd,!/usr/bin/passwd root ,!/usr/sbin/usermod root -- INSERT --
在结尾的地方加入zhangsan test2=/usr/sbin/useradd,/usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd,!/usr/bin/passwd root ,!/usr/sbin/usermod root
测试
1.zhangsan管理其他用户
更改密码
[zhangsan@test2 bin]$ sudo passwd obama [sudo] password for zhangsan: Changing password for user obama. New password: BAD PASSWORD: it does not contain enough DIFFERENT characters BAD PASSWORD: is too simple Retype new password: passwd: all authentication tokens updated successfully.
通过usermod锁定和解锁
[zhangsan@test2 jason]$ sudo usermod -L kylin [sudo] password for zhangsan: [zhangsan@test2 jason]$ tail /etc/shadow | grep kylin tail: cannot open `/etc/shadow' for reading: Permission denied [zhangsan@test2 jason]$ sudo tail /etc/shadow | grep kylin Sorry, user zhangsan is not allowed to execute '/usr/bin/tail /etc/shadow' as root on test2. `//因为前面在visudo的时候并没有给/usr/bin/tail权限,所以不能执行` [zhangsan@test2 jason]$ su //切换回root用户 Password: [root@test2 jason]# tail /etc/shadow | grep kylkin [root@test2 jason]# tail /etc/shadow | grep kylin kylin:!!:16976:0:60:7::: //kylin后面有两个!!,表示已经锁定 [root@test2 jason]# su zhangsan [zhangsan@test2 jason]$ sudo usermod -U kylin [zhangsan@test2 jason]$ su Password: [root@test2 jason]# tail /etc/shadow | grep kylin kylin:!:16976:0:60:7::: //这里可以看到只有一个!,表示通过zhangsan账户已经解锁了kylin账户
删除用户
[zhangsan@test2 jason]$ tail /etc/passwd | grep kylin kylin:x:511:511::/home/kylin:/bin/bash //查看有kylin这个用户 [zhangsan@test2 jason]$ sudo userdel -r kylin //删除kylin用户 [sudo] password for zhangsan: userdel: /var/spool/mail/kylin not owned by kylin, not removing [zhangsan@test2 jason]$ tail /etc/passwd | grep kylin //再次查看kylin用户 [zhangsan@test2 jason]$ //没有查找到结果,说明已经删除成功
增加用户
[zhangsan@test2 bin]$ sudo useradd ubuntu //增加用户ubuntu [zhangsan@test2 bin]$ sudo passwd ubuntu //设置ubuntu密码 Changing password for user ubuntu. New password: BAD PASSWORD: it does not contain enough DIFFERENT characters BAD PASSWORD: is too simple Retype new password: passwd: all authentication tokens updated successfully. [zhangsan@test2 bin]$ tail -1 /etc/passwd //查看ubuntu ubuntu:x:512:512::/home/ubuntu:/bin/bash //查找到ubuntu
2.zhangsan对root的修改的权限:
[zhangsan@test2 bin]$ sudo passwd root Sorry, user zhangsan is not allowed to execute '/usr/bin/passwd root' as root on test2. //显示zhagnsan不被允许执行'/usr/bin passwd root' [zhangsan@test2 bin]$ sudo usermod root Sorry, user zhangsan is not allowed to execute '/usr/sbin/usermod root' as root on test2. //提示zhangsan无法执行'/usr/bin/usermod root'
授权用户lisi能够执行/sbin、/usr/sbin目录下的所有特权命令,不需要密码验证。
创建lisi用户
[root@test2 jason]# useradd lisi [root@test2 jason]# passwd lisi Changing password for user lisi. New password: BAD PASSWORD: it does not contain enough DIFFERENT characters BAD PASSWORD: is too simple Retype new password: passwd: all authentication tokens updated successfully. [root@test2 jason]# tail -1 /etc/passwd lisi:x:513:513::/home/lisi:/bin/bash [root@test2 jason]#
设置sudo权限范围
[root@test2 jason]# visudo ... ... ...//这里省略了前面的部分 ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir /etc/sudoers.d zhangsan test2=/usr/sbin/useradd,/usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd,!/usr/bin/passwd root ,!/usr/sbin/usermod root lisi test2=/sbin/*,/usr/sbin/* //在最后一行加入本行的内容。'/sbin/#'代表sbin目录下的所有。'/usr/sbin/*'是一样的作用。 :wq
从sbin中找一个来测试
[lisi@test2 sbin]$ sudo pvscan We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for lisi: //这里输入密码后,就会执行pvscan的操作,而下面的内容则是pvscan的结果 PV /dev/sdb2 VG mail_store lvm2 [20.01 GiB / 0 free] PV /dev/sdc2 VG mail_store lvm2 [20.01 GiB / 0 free] PV /dev/sdd1 VG mail_store lvm2 [100.00 GiB / 20.01 GiB free] PV /dev/sda2 VG vg_jason lvm2 [19.51 GiB / 0 free] PV /dev/sdb1 lvm2 [20.01 GiB] Total: 5 [179.53 GiB] / in use: 4 [159.52 GiB] / in no VG: 1 [20.01 GiB] [lisi@test2 sbin]$
从/usr/sbin中找一个测试
[lisi@test2 sbin]$ pwd /usr/sbin [lisi@test2 sbin]$ ls | grep quotastats quotastats //在/usr/bin/下面有quotastats的命令 [lisi@test2 sbin]$ sudo quotastats //用sudo来执行该命令 Kernel quota version: 6.5.1 //下面的结果中展示了当前磁盘配额的信息。 Number of dquot lookups: 0 Number of dquot drops: 0 Number of dquot reads: 0 Number of dquot writes: 0 Number of quotafile syncs: 12 Number of dquot cache hits: 0 Number of allocated dquots: 0 Number of free dquots: 0 Number of in use dquot entries (user/group): 0 [lisi@test2 sbin]$
所有的su、sudo操作,必须在系统日志文件中进行记录。
visudo
[root@test2 sbin]# visudo ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # # Disable "ssh hostname sudo <cmd>", because it will show the password in clear. # You have to run "ssh -t hostname sudo <cmd>". # Defaults requiretty # # Refuse to run if unable to disable echo on the tty. This setting should also be # changed in order to be able to use sudo without a tty. See requiretty above. # Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. Note that HOME # is already set when the the env_reset option is enabled, so # this option is only effective for configurations where either # env_reset is disabled or HOME is present in the env_keep list. # Defaults always_set_home Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME" Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir /etc/sudoers.d zhangsan test2=/usr/sbin/useradd,/usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd,!/usr/bin/passwd root ,!/usr/sbin/usermod root lisi test2=/sbin/*,/usr/sbin/* Defaults logfile=/var/log/sudo :wq
在最后一行加入Defaults logfile=/var/log/sudo,这样所有的su、sudo操作都会记录在/var/log/sudo的文件当中
简单测试
[zhangsan@test2 sbin]$ sudo fdisk -l [sudo] password for zhangsan: Sorry, user zhangsan is not allowed to execute '/sbin/fdisk -l' as root on test2. [zhangsan@test2 sbin]$ sudo useradd kylin [sudo] password for zhangsan: Creating mailbox file: File exists [zhangsan@test2 sbin]$ su Password: [root@test2 sbin]# tail /var/log/sudo //查看/var/log下的sudo文件内容 Jun 25 09:43:14 : zhangsan : command not allowed ; TTY=pts/0 ; PWD=/usr/sbin ; USER=root ; COMMAND=/sbin/fdisk -l //这记录的是上面zhangsan使用sudo fdisk -l时候的信息 Jun 25 09:43:39 : zhangsan : TTY=pts/0 ; PWD=/usr/sbin ; USER=root ; COMMAND=/usr/sbin/useradd kylin //这里揭露的是增加用户kylin时候的信息。 [root@test2 sbin]#
禁止使用Ctrl + Alt + Del快捷键,
vi /etc/init/control-alt-delete
[root@test2 sysconfig]# vi /etc/init/control-alt-delete.conf # control-alt-delete - emergency keypress handling # # This task is run whenever the Control-Alt-Delete key combination is # pressed. Usually used to shut down the machine. # # Do not edit this file directly. If you want to change the behaviour, # please create a file control-alt-delete.override and put your changes there. #start on control-alt-delete #exec /sbin/shutdown -r now "Control-Alt-Delete pressed" ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ :wq
只开放tty3、tty5终端
vi /etc/init/start-ttys.conf
[root@test2 sysconfig]# vi /etc/init/start-ttys.conf # # This service starts the configured number of gettys. # # Do not edit this file directly. If you want to change the behaviour, # please create a file start-ttys.override and put your changes there. start on stopped rc RUNLEVEL=[2345] env ACTIVE_CONSOLES=/dev/tty[35] env X_TTY=/dev/tty1 task script . /etc/sysconfig/init for tty in $(echo $ACTIVE_CONSOLES) ; do [ "$RUNLEVEL" = "5" -a "$tty" = "$X_TTY" ] && continue initctl start tty TTY=$tty done end script ~ ~ ~ ~ ~ ~ ~ ~ ~ :wq
vi /etc/sysconfig/init
[root@test2 sysconfig]# vi /etc/sysconfig/init
# color => new RH6.0 bootup
# verbose => old-style bootup
# anything else => new style bootup without ANSI colors or positioning
BOOTUP=color
# column to start "[ OK ]" label in
RES_COL=60
# terminal sequence to move to that column. You could change this
# to something like "tput hpa ${RES_COL}" if your terminal supports it
MOVE_TO_COL="echo -en \\033[${RES_COL}G"
# terminal sequence to set color to a 'success' color (currently: green)
SETCOLOR_SUCCESS="echo -en \\033[0;32m"
# terminal sequence to set color to a 'failure' color (currently: red)
SETCOLOR_FAILURE="echo -en \\033[0;31m"
# terminal sequence to set color to a 'warning' color (currently: yellow)
SETCOLOR_WARNING="echo -en \\033[0;33m"
# terminal sequence to reset to the default color.
SETCOLOR_NORMAL="echo -en \\033[0;39m"
# Set to anything other than 'no' to allow hotkey interactive startup...
PROMPT=yes
# Set to 'yes' to allow probing for devices with swap signatures
AUTOSWAP=no
# What ttys should gettys be started on?
ACTIVE_CONSOLES=/dev/tty[35]
# Set to '/sbin/sulogin' to prompt for password on single-user mode
# Set to '/sbin/sushell' otherwise
SINGLE=/sbin/sushell
~
:wq
测试
Alt+F5
Alt+F3
Alt+F1
Alt+F2
Alt+F4、F6都没有任何的反应
没有实现预料中的Alt+F3切换到tty3,Alt+F5切换到tty5。
为GRUB引导菜单设置密码
grub-mdf-crypt
vi /boot/grub/grub.conf
测试
重启
测试发现没有效果,分析,是自己的格式写的有问题,应该是password —md5 …而不是passwd
重新修改
再次重启
密码配置生效
转载于:https://blog.51cto.com/zencode/1792822
扫一扫
530
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
