System security and application

1. Basic measures for account security

1.1 Cleaning Up System Accounts

  • Set the user's login shell to a non-login shell (/sbin/nologin)
  • Lock the account (passwd -l)
  • Delete the account (userdel)
  • Lock the account configuration files (/etc/passwd, /etc/shadow) against modification

Shell /sbin/nologin is a special case. "Unable to log in" only means that the user cannot obtain bash or another shell on the system; it does not mean that the user cannot use system resources. System accounts such as lp (the print spooler) and apache (the web server) own and run their daemons, but nobody can log in to the host as them. Note that a nologin shell does not lock the password: a service that does not need to run the shell (SSH port forwarding without a command, for instance) can still authenticate as the account if it has a usable password or key, so an account that must be fully disabled should be locked as well.

1.1.1 Set the user's shell to /sbin/nologin

[root@localhost ~]# tail /etc/passwd        # check the login shell (last field) of each account
sssd:x:992:987:User for sssd:/:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gnome-initial-setup:x:991:986::/run/gnome-initial-setup/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
lyn:x:1000:1000:Lyn:/home/lyn:/bin/bash

Every system account above ends in /sbin/nologin; lyn is the only account on this host that can open a shell.

1.1.2 Lock the user

[root@localhost ~]# passwd -l lyn                 # lock the password of user lyn
Locking password for user lyn.
passwd: Success
[root@localhost ~]# su lyn1
[lyn1@localhost root]$ su lyn
Password:
su: Authentication failure
[lyn1@localhost root]$ exit
[root@localhost ~]# passwd -u lyn                 # unlock the password of user lyn
Unlocking password for user lyn.
passwd: Success
[root@localhost ~]# su lyn1
[lyn1@localhost root]$ su lyn
Password:
[lyn@localhost root]$

passwd -l prefixes the password hash in /etc/shadow with "!", so no password can match while the account is locked; passwd -u removes the prefix. Locking does not terminate sessions that are already open, and it does not stop cron jobs owned by the account.

1.1.3 Delete the account

userdel -r USERNAME        # -r also removes the home directory and mail spool

Without -r the home directory is left behind. Files the user owned elsewhere on the system are not removed in either case: they stay owned by the orphaned numeric UID with no owner name, and a new account that is later assigned the same UID silently inherits them, so locate and reassign or remove them as part of the clean-up.

1.1.4 Locking configuration files

chattr changes file attributes on ext2/3/4 and XFS filesystems:

  -a (append only): the file can only be opened for appending; existing contents cannot be changed or truncated
  -i (immutable): the file cannot be modified, deleted, renamed or hard-linked, even by root, until the attribute is removed

[root@localhost ~]# chattr +i /etc/passwd /etc/shadow          # make both files immutable
[root@localhost ~]# useradd test
useradd: cannot open /etc/passwd
[root@localhost ~]# lsattr /etc/passwd /etc/shadow
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow          # remove the attribute before managing accounts again

While +i is set nobody can change a password either, because passwd rewrites /etc/shadow. The attribute is a guard against mistakes and against tooling running as root, not against an attacker who already has root, who can simply run chattr -i.
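As an added example (not part of the original article), the following shell script applies the checks from section 1.1 to passwd- and shadow-formatted data: which accounts still have an interactive shell, which carry a second UID 0, which are locked, which have an empty password, and which can actually log in. The sample records are constructed for the demonstration (the hashes are placeholders); point the functions at the real /etc/passwd and /etc/shadow as root to audit a host. Changing an existing account's shell is done with usermod -s /sbin/nologin USER, which the script deliberately does not do.

```shell
#!/bin/sh
# Added example, not from the original article. Audits account state from
# passwd- and shadow-formatted input. Real use (as root):
#   audit_accounts /etc/passwd /etc/shadow
# passwd fields: name:x:uid:gid:gecos:home:shell
# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Construct sample records (hashes are placeholders, not real hashes).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
lyn:x:1000:1000:Lyn:/home/lyn:/bin/bash
backup:x:1001:1001::/home/backup:/bin/bash
oldadmin:x:0:0:second uid-0 account:/root:/bin/bash
legacy:x:1002:1002::/home/legacy:/bin/sh'

SAMPLE_SHADOW='root:$6$saltsalt$fakehash:19055:0:99999:7:::
sshd:!!:18000::::::
lyn:!$6$saltsalt$fakehash:19055:0:30:7:::
backup::19055:0:99999:7:::
oldadmin:$6$saltsalt$fakehash:19055:0:99999:7:::
legacy:*:18000:0:99999:7:::'

# Write the samples into DIR so the checks run without touching /etc.
write_samples() {
    printf '%s\n' "$SAMPLE_PASSWD" > "$1/passwd"
    printf '%s\n' "$SAMPLE_SHADOW" > "$1/shadow"
}

# Accounts whose shell is interactive (anything other than nologin/false).
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Accounts other than root with UID 0: root privileges under another name.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Password field starting with "!" (passwd -l / usermod -L) or "*": locked.
locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# Empty password field: the account can be entered with no password wherever
# the service allows it (for example sshd with PermitEmptyPasswords yes).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Interactive shell AND unlocked password: the accounts that can really log in.
# Usage: loginable_accounts PASSWD SHADOW (awk reads shadow first to build the set).
loginable_accounts() {
    awk -F: 'NR == FNR { if ($2 ~ /^[!*]/) locked[$1] = 1; next }
             $7 !~ /(nologin|false)$/ && !($1 in locked) { print $1 }' "$2" "$1"
}

# Human-readable report. Usage: audit_accounts PASSWD SHADOW
audit_accounts() {
    echo "interactive shell : $(interactive_accounts "$1" | paste -sd ' ' -)"
    echo "extra UID 0       : $(extra_uid0_accounts "$1" | paste -sd ' ' -)"
    echo "locked            : $(locked_accounts "$2" | paste -sd ' ' -)"
    echo "empty password    : $(empty_password_accounts "$2" | paste -sd ' ' -)"
    echo "can log in        : $(loginable_accounts "$1" "$2" | paste -sd ' ' -)"
}

# Stand-alone demo on the constructed data.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On the sample, "can log in" is root, backup and oldadmin: lyn is locked, legacy has a "*" hash, sshd has no shell. The two findings a reviewer should act on are the empty password of backup and the second UID 0 (oldadmin), neither of which is visible from the shell field alone.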

1.2 Password Security Control

1.2.1 Setting Password Rules

For new users

Edit /etc/login.defs to set the default password-aging rules. The values apply only to accounts created after the change; existing entries in /etc/shadow are not rewritten.

[root@localhost ~]# vim /etc/login.defs
......
PASS_MAX_DAYS   99999     # maximum number of days a password stays valid (99999 means it never expires)
PASS_MIN_DAYS   0         # minimum number of days between password changes
PASS_MIN_LEN    5         # minimum password length; on PAM-based systems the length is enforced by pam_pwquality, not by this value
PASS_WARN_AGE   7         # days of warning before a password expires
[root@localhost ~]# tail -5 /etc/shadow     # verify the aging fields of newly created accounts

You can run the chage command for existing users

chage [options] USERNAME
  -m DAYS   minimum number of days between password changes; 0 means the password may be changed at any time
  -M DAYS   maximum number of days the password remains valid
  -W DAYS   number of days before expiry on which the user is warned
  -E DATE   account expiration date (YYYY-MM-DD); the account is unusable after this day
  -d DATE   date of the last password change; -d 0 forces a change at the next login
  -I DAYS   inactivity period: days after the password expires before the account is disabled
  -l        list the current settings; a non-privileged user can run this to see when their own password or account expires

[root@localhost ~]# chage -d 0 lyn      # force lyn to change the password at the next login (the new password must meet the complexity policy)
[root@localhost ~]# chage -M 30 lyn     # set the password validity period to 30 days
[root@localhost ~]# cat /etc/shadow | tail -1
lyn:!!:19055:0:30:7:::

Field 5 of the shadow entry (30) is the maximum age set above; see man 5 shadow for the meaning of every field.

1.3 Command History

The command history of the shell is a great convenience for users, but it is also a risk: whoever obtains a user's history file can see at a glance what that user did, and if the user ever typed a password in plain text on the command line, it is now sitting in a file for the taking. In bash the number of commands kept in memory is controlled by the HISTSIZE variable (1000 by default) and the number written to the history file by HISTFILESIZE; changing HISTSIZE in /etc/profile affects every user on the system. For example, the following limits the history to 200 commands.

# Clear the history of the current shell immediately
[root@localhost ~]# history -c

# Limit the number of commands kept, for all users
[root@localhost ~]# vim /etc/profile
......
export HISTSIZE=200

# Clear the history file automatically at logout (per user)
[root@localhost ~]# vim ~/.bash_logout
# ~/.bash_logout
echo "" > ~/.bash_history

# Set an idle timeout: an interactive shell that is idle for 60 seconds is closed
# (TMOUT is a number of seconds; a value with a unit suffix such as 60s is not valid)
[root@localhost ~]# vi /etc/profile
......
export TMOUT=60
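Limiting the history size does not remove the secrets already written. As an added example (not part of the original article), the script below scans a bash history file for commands that carried a credential on the command line and produces a scrubbed copy. The patterns are illustrative rather than exhaustive, the history lines are constructed for the demonstration, and the host names, addresses and key in them are made up.

```shell
#!/bin/sh
# Added example, not from the original article: find plaintext secrets in a
# bash history file and produce a copy without them.

# One extended regex per line. Anchored to the tool where possible so that
# for example "mkdir -p" is not reported as a password switch.
SECRET_PATTERNS='mysql[a-z]* .*-p[^ ]
--password[= ][^ ]+
PASS(WORD)?=[^ ]+
sshpass -p [^ ]+
curl .*-u [^ :]+:[^ ]+
Authorization: *(Basic|Bearer) +[A-Za-z0-9._=+/-]+
AKIA[0-9A-Z]{16}'

# Constructed sample history (nothing here is a real credential or host).
SAMPLE_HISTORY='ls -la /var/log
mysql -u root -pS3cretPass -e "show databases"
mkdir -p /opt/app
curl -u admin:hunter2 https://api.example.internal/v1/status
export DB_PASSWORD=changeme
sshpass -p Welcome1 ssh backup@10.0.0.5
aws s3 ls
grep -r AKIAIOSFODNN7EXAMPLE ~/.aws/credentials
tail -f /var/log/secure'

write_history_sample() { printf '%s\n' "$SAMPLE_HISTORY" > "$1"; }

# Print "lineno:command" for every history line matching a secret pattern.
# Usage: find_secrets_in_history HISTFILE
find_secrets_in_history() {
    _pat=$(mktemp)
    printf '%s\n' "$SECRET_PATTERNS" > "$_pat"
    grep -E -n -f "$_pat" "$1" || true      # no match is not an error here
    rm -f "$_pat"
}

# Number of offending lines (0 when the file is clean).
count_secrets_in_history() {
    find_secrets_in_history "$1" | grep -c . || true
}

# Print the history with the offending lines removed. Redirect the output to
# a file and move it over ~/.bash_history, then run "history -c" in any shell
# that is still running, since bash rewrites the file from memory on exit.
scrub_history() {
    _pat=$(mktemp)
    printf '%s\n' "$SECRET_PATTERNS" > "$_pat"
    grep -v -E -f "$_pat" "$1" || true
    rm -f "$_pat"
}

# Demo on the constructed data.
h=$(mktemp)
write_history_sample "$h"
echo "offending lines: $(count_secrets_in_history "$h")"
find_secrets_in_history "$h"
rm -f "$h"
```

Scrubbing is damage control; the real fix is to stop secrets reaching the command line at all (option files, .netrc, environment files read by the tool, or prompting), and to set HISTCONTROL=ignorespace so that a command typed with a leading space is not recorded when a one-off is unavoidable.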

1.4 Changing Users

  • The su command (switch user) changes the user identity and runs commands as the specified user
su [options...] [-] [user [args...]]

User switching modes:

su USERNAME: non-login switch. The target user's profile files are not read and the current working directory is kept, so the environment is only partly switched.

su - USERNAME: login switch. The system reads the target user's profile files and changes to the target user's home directory.

Note: root does not need a password to su to another user. Switching between non-root users requires the target user's password.

Note: after su to a new user, return to the previous user with exit rather than running su again; stacking su calls creates nested bash child processes and a confused environment.

su versus su -

With the - option the identity is switched completely, including the environment; without it only the identity changes and the environment (PATH, HOME and the rest) remains that of the original user, which makes some commands misbehave or fail (the service command, for example).

[zhangsan@localhost ~]$ pwd
/home/zhangsan
[zhangsan@localhost ~]$ su
Password:
[root@localhost zhangsan]# pwd
/home/zhangsan
[root@localhost zhangsan]# exit
[zhangsan@localhost ~]$ su -
Password:
Last login: Tue Jul 13 10:24:14 CST 2021 on pts/1
[root@localhost ~]# pwd
/root

Limit the users who may run su

[root@localhost ~]# gpasswd -a lisi wheel        # add lisi to the wheel group
Adding user lisi to group wheel
[root@localhost ~]# vim /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
......

a) The default state (line 2 active, line 6 commented out) lets every user run su. root switches to any user without a password because pam_rootok.so authenticates UID 0 unconditionally; everyone else must enter the target user's password.
b) If line 2 (pam_rootok.so) is commented out, even root must enter the target user's password to switch.
c) If line 6 (pam_wheel.so use_uid) is uncommented, only members of the wheel group can use su; a user outside wheel is denied even with the correct password. root is unaffected as long as the pam_rootok.so line stays above it, because a succeeding "sufficient" rule ends the auth stack. Do not confuse this with line 4 (pam_wheel.so trust): enabling that instead lets wheel members become root without any password, the opposite of a restriction.

1.5 PAM security authentication

PAM (Pluggable Authentication Modules) is a general framework for authentication developed by Sun in 1995. PAM concerns itself only with how a user is validated for a service: it provides dynamic link libraries and a unified API that separate the service program from the authentication mechanism, so the administrator can configure a different authentication policy for each service without changing the programs, and the programs do not implement authentication themselves.

http://www.linux-pam.org/                    # official site
[root@localhost ~]# rpm -qi pam
[root@localhost ~]# rpm -ql pam
[root@localhost ~]# ls /usr/lib64/security/*.so | wc -l      # the modules are compiled binaries; 60 on this host
60
[root@localhost ~]# ls /etc/security/         # module-specific configuration; simple modules have no file here
access.conf       console.perms.d  namespace.d     sepermit.conf
chroot.conf       group.conf       namespace.init  time.conf
console.apps      limits.conf      opasswd
console.handlers  limits.d         pam_env.conf
console.perms     namespace.conf   pwquality.conf
[root@localhost ~]# cd /etc/pam.d/             # one file per application, describing how it calls the modules
[root@localhost pam.d]# ls
atd                     login              smtp
chfn                    other              smtp.postfix
chsh                    passwd             sshd
config-util             password-auth      sssd-shadowutils
crond                   password-auth-ac   su
cups                    pluto              sudo
fingerprint-auth        polkit-1           sudo-i
fingerprint-auth-ac     postlogin          su-l
gdm-autologin           postlogin-ac       system-auth
gdm-fingerprint         ppp                system-auth-ac
gdm-launch-environment  remote             systemd-user
gdm-password            runuser            vlock
gdm-pin                 runuser-l          vmtoolsd
gdm-smartcard           setup              vsftpd
ksu                     smartcard-auth     xserver
liveinst                smartcard-auth-ac
[root@localhost pam.d]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

Each rule line has the form: type control module-path arguments
  type:         the module type (auth, account, password or session)
  control:      how the PAM library treats success or failure of this module
  module-path:  the module file in /usr/lib64/security (or, for include/substack, another file in /etc/pam.d)
  arguments:    options passed to the module

PAM provides a central authentication mechanism for all services, local and remote alike: telnet, rlogin, rsh, ftp, PPP, su and so on. System administrators use the PAM configuration files to set a different authentication policy for each application. Application developers call the PAM API (pam_xxxx()) from the service program; PAM module developers use the PAM SPI (mainly pam_sm_xxxx()) to add new authentication mechanisms to the system; the PAM library (libpam) reads the configuration file and binds the application to the corresponding modules. Session handling, password checks and the other functions are therefore implemented once and reused by every program, which is the point of the framework: PAM sits between the programs that need authentication and the modules that provide it, like a marketplace between buyers and sellers.

1.5.1 PAM related files

  • Package name: pam
  • Module files: /lib64/security/*.so
  • Module-specific configuration: /etc/security/
  • Configuration files through which applications call PAM modules:
  1. Main configuration file: /etc/pam.conf (does not exist by default)
  2. One dedicated configuration file per application: /etc/pam.d/APP_NAME
  3. Note: if /etc/pam.d exists, /etc/pam.conf is ignored

1.5.2 How PAM works

PAM authentication generally follows this sequence: service → PAM configuration file → pam_*.so module.

PAM first identifies the service, then loads the corresponding configuration file from /etc/pam.d, and finally calls the modules in /lib64/security to perform the checks.

Example PAM authentication flow:

  1. The user runs /usr/bin/passwd and enters a password.
  2. passwd calls PAM, which looks for the service's settings in /etc/pam.d/, that is, the file /etc/pam.d/passwd.
  3. The rules in /etc/pam.d/passwd are evaluated, calling the listed modules in order.
  4. The result is returned to passwd, which decides what to do based on PAM's response (ask for the password again, or accept it).

Format of a dedicated configuration file in /etc/pam.d/

type  control  module-path  arguments

  type: the module type: auth (verify identity), account (may the account be used now), password (changing credentials) or session (setup and teardown around the session). In the legacy /etc/pam.conf format an extra first field names the service (login, ftp and so on, or OTHER for any service not listed in the file).
  control: how the PAM library treats this module's result: required (must succeed, but the rest of the stack still runs), requisite (must succeed, failure stops the stack immediately), sufficient (success ends the stack with success unless an earlier required rule failed), optional (ignored unless it is the only rule of its type), and include or substack (pull in the rules of another file).
  module-path: the module file, relative to /lib64/security unless an absolute path is given.
  arguments: options passed to the module, such as use_uid or trust for pam_wheel.so.
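As an added example (not part of the original article) for this rule format and for the su restriction in section 1.4, the script below parses /etc/pam.d style files into their four fields and uses the result to answer one concrete question: is su really restricted to the wheel group? The sample files are constructed; the first two are modelled on the stock RHEL/CentOS 7 /etc/pam.d/su before and after uncommenting the pam_wheel.so line, and the third exercises the corner cases of the syntax (the "-" prefix and bracketed controls).

```shell
#!/bin/sh
# Added example, not from the original article: parse /etc/pam.d/<service>
# rules ("type control module-path arguments") and check the su policy.

write_pam_samples() {
    cat > "$1/su.default" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required    pam_wheel.so use_uid
auth        substack    system-auth
auth        include     postlogin
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     include     system-auth
password    include     system-auth
session     include     system-auth
session     include     postlogin
session     optional    pam_xauth.so
EOF
    # The hardened variant: the same file with the pam_wheel "required" line active.
    awk '/^#auth[[:space:]]+required/ { sub(/^#/, "") } { print }' "$1/su.default" > "$1/su.hardened"
    cat > "$1/misc" <<'EOF'
# constructed lines that exercise the parser
-auth      optional     pam_reauthorize.so prepare
auth       [success=1 default=ignore] pam_succeed_if.so uid >= 1000 quiet
session    required     pam_selinux.so close
EOF
}

# Print one "type|control|module|arguments" line per active rule.
# Comments and blank lines are skipped; a leading "-" on the type (which only
# tells libpam not to log an error if the module file is missing) is removed;
# bracketed controls such as [success=1 default=ignore] are kept whole.
pam_rules() {
    awk '
    /^[[:space:]]*(#|$)/ { next }
    {
        type = $1; sub(/^-/, "", type)
        i = 2; ctrl = $2
        if (ctrl ~ /^\[/) while (ctrl !~ /\]$/ && i < NF) { i++; ctrl = ctrl " " $i }
        i++; mod = $i
        args = ""
        for (j = i + 1; j <= NF; j++) args = args (args == "" ? "" : " ") $j
        print type "|" ctrl "|" mod "|" args
    }' "$1"
}

# Exit 0 only if an active auth rule makes pam_wheel.so mandatory without the
# "trust" option, i.e. users outside wheel cannot su at all.
su_wheel_enforced() {
    pam_rules "$1" | awk -F'|' '
        $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
        $3 == "pam_wheel.so" && $4 !~ /(^| )trust( |$)/ { found = 1 }
        END { exit !found }'
}

# Demo on the constructed files.
d=$(mktemp -d)
write_pam_samples "$d"
for f in su.default su.hardened; do
    if su_wheel_enforced "$d/$f"; then echo "$f: su restricted to wheel"
    else echo "$f: any user may run su"; fi
done
pam_rules "$d/misc"
rm -rf "$d"
```

Run against the real file with su_wheel_enforced /etc/pam.d/su. The parser treats pam_wheel.so with "trust" as not enforcing, because that variant waives the password for wheel members instead of excluding everyone else; the two lines look alike in the file and are easy to confuse.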

1.6 sudo

superuser do

sudo stands for "superuser do": a tool that lets the administrator allow ordinary users to run some or all commands as root (halt, reboot, su and so on), which reduces both the need to log in as root and the time spent on administration, and improves security. Originally, ordinary users administered a system by using su to become the superuser, with the drawback that the superuser password had to be shared with them. sudo, first written around 1980, lets an ordinary user obtain privileges without knowing the superuser password. The superuser first registers, in a special file (normally /etc/sudoers), the user's name, the commands that user may run, and the identity (user or group) under which they run, thereby authorising the user (a "sudoer"). When the user needs the privilege, they prefix the command with sudo; sudo asks for the user's own password (to make sure it really is that user at the terminal) and runs the command as the superuser. For a period afterwards (5 minutes by default, adjustable in /etc/sudoers) sudo does not ask for the password again. Some systems, such as Ubuntu and Mac OS X, go further and leave the root password unset, relying on sudo as the only administrative path.

sudo features:

  • sudo authorises specified users to run specified commands on specified hosts; an unauthorised user who tries it is told to contact the administrator, and the attempt is logged
  • sudo keeps detailed logs of what each user did, and can send them to a central log server
  • sudo uses a timestamp file as a "ticket": after the user enters the password, the ticket is valid for 5 minutes
  • sudo's configuration file, sudoers, lets the administrator manage user permissions and hosts centrally; it lives at /etc/sudoers and must be mode 0440, owned by root

Configuration files: /etc/sudoers and the drop-in directory /etc/sudoers.d/ (always edit them with visudo, which checks the syntax before saving; a syntax error in sudoers locks everyone out of sudo)

Glob wildcards are supported in the configuration file (with the caveat that a wildcard in a command's arguments also matches paths the author did not intend)

# A user specification has the form:
#   user   host=(runas)   command
#   user:     who may run the command: a user name, #uid, %group, %#gid,
#             or a User_Alias / Runas_Alias such as  User_Alias MYUSER = zhangsan, lisi
#   host:     on which hosts the rule applies: a host name, IP address or network,
#             or a Host_Alias; ALL matches every host
#   (runas):  the identity the command runs as; ALL means any user
#   command:  the absolute path of the command, optionally with arguments, a
#             directory (every command in it), sudoedit, or a Cmnd_Alias

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
lisi    ALL=(root)      /usr/bin/mount                    # lisi may run mount as root with any arguments
lisi    ALL=(root)      /usr/bin/mount /dev/cdrom /mnt/   # lisi may run only exactly this mount command

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
[root@localhost ~]# gpasswd -a liwu wheel       # wheel is the administrators' group; members may run any command
Adding user liwu to group wheel

# Any account whose UID in /etc/passwd is 0 is root, whatever its name; rules written for "root" apply to it.
[root@localhost ~]# vim /etc/passwd

[zhangsan@localhost ~]$ sudo -u lisi cat        # run a command as a specific target user; the password asked for is the caller's own
[root@localhost ~]# sudo -v                     # refresh the ticket, prompting for the password again if it has expired

# Shorten the ticket from 5 minutes to 2, and log every sudo invocation:
[root@localhost ~]# visudo
Defaults    env_reset, timestamp_timeout=2
Defaults    logfile="/var/log/sudo"
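As an added example (not part of the original article), the script below lints sudoers user specifications for the classic mistakes: NOPASSWD: ALL, glob wildcards in a command (a "*" in a path argument also matches ".." segments, so /bin/cat /var/log/* reads any file), "!" exclusions (bypassed by copying the excluded binary elsewhere), and commands that offer a shell escape. The sample file is constructed; real use is lint_sudoers /etc/sudoers and each file in /etc/sudoers.d. It complements rather than replaces visudo -c, which checks syntax only.

```shell
#!/bin/sh
# Added example, not from the original article: flag risky sudoers rules.
# Rule format handled: user host=(runas) [TAG:] command, [TAG:] command, ...

write_sudoers_sample() {
    cat > "$1" <<'EOF'
## constructed sample, not a real sudoers file
Defaults    env_reset, timestamp_timeout=2
Defaults    logfile="/var/log/sudo"
Cmnd_Alias  LOGS = /bin/cat /var/log/*
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
lisi    ALL=(root)      /usr/bin/mount /dev/cdrom /mnt/
deploy  ALL=(ALL)       NOPASSWD: ALL
ops     ALL=(root)      /usr/bin/systemctl restart httpd, /bin/cat /var/log/httpd/*
dev     ALL=(root)      ALL, !/bin/sh, !/bin/bash
joe     ALL=(root)      /usr/bin/vim /etc/hosts
audit   ALL=(root)      LOGS
EOF
}

# Print "SEVERITY subject finding" for each problem found.
lint_sudoers() {
    awk '
    function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
    # Check every command of a comma-separated spec for the subject (user or alias).
    function check(subject, spec,    n, k, c, tag, nopasswd, cmds) {
        sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", spec)   # drop "(runas)"
        n = split(spec, cmds, ",")
        for (k = 1; k <= n; k++) {
            c = trim(cmds[k])
            while (c ~ /^[A-Z]+:/) {           # a tag applies to this and the following commands
                tag = substr(c, 1, index(c, ":"))
                if (tag == "NOPASSWD:") nopasswd = 1
                if (tag == "PASSWD:")   nopasswd = 0
                c = trim(substr(c, length(tag) + 1))
            }
            if (nopasswd && c == "ALL")   print "HIGH", subject, "NOPASSWD: ALL is passwordless root"
            else if (c ~ /[*?]|\[/)       print "HIGH", subject, "wildcard in command: " c
            else if (c ~ /^!/)            print "MED", subject, "exclusion is bypassable: " c
            else if (c ~ /\/(sh|bash|dash|zsh|vi|vim|less|more|man|find|awk|python[0-9.]*|perl)( |$)/)
                                          print "MED", subject, "shell escape via " c
        }
    }
    /^[[:space:]]*(#|$)/ { next }
    /^(Defaults|User_Alias|Host_Alias|Runas_Alias)/ { next }
    /^Cmnd_Alias/ { check("alias:" $2, substr($0, index($0, "=") + 1)); next }
    index($0, "=") { check($1, substr($0, index($0, "=") + 1)) }
    ' "$1"
}

# Number of HIGH findings (0 when none).
sudoers_high_count() {
    lint_sudoers "$1" | grep -c '^HIGH' || true
}

# Demo on the constructed file.
f=$(mktemp)
write_sudoers_sample "$f"
lint_sudoers "$f"
rm -f "$f"
```

On the sample the lint reports the alias LOGS and the ops rule (wildcards), deploy (NOPASSWD: ALL), the two exclusions of dev, and joe's vim rule, while the exact mount command granted to lisi passes. The "shell escape" list is a starting point; sudo's NOEXEC tag is the usual mitigation where an editor or pager must be allowed.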

1.7 GRUB password protection

The /etc/grub.d directory

All the scripts that define the menu entries are stored in the /etc/grub.d directory and must be named with a two-digit prefix. The prefix fixes the order in which grub2-mkconfig runs the scripts when it builds the GRUB 2 menu, and therefore the order of the resulting entries; 00_header is read first.

File                   Description
00_header              Sets the default GRUB parameters
10_linux               Adds an entry for each Linux kernel installed on the system
20_ppc_terminfo        Sets up the TTY console (PowerPC only)
30_os_prober           Adds entries for operating systems found on other partitions (multi-boot disks)
40_custom, 41_custom   User-defined entries

Setting up GRUB 2 password protection

Since GRUB 2 boots the Linux system, it is the first barrier in the boot chain, and protecting it with a password closes an obvious hole.

By default anyone with physical access to the console can select and edit any menu entry and drop to the GRUB command line (for instance editing the kernel command line to start a root shell instead of init). To enable protection, the environment variable superusers must be set to a list of user names (separated by spaces, commas or semicolons); only these users may then use the GRUB command line, edit menu entries, or boot entries that are not marked --unrestricted (the distribution's 10_linux script may add --unrestricted to the generated entries; check grub.cfg after regenerating it). A GRUB password does not stop an attacker who can boot from another medium or remove the disk, so pair it with a firmware (BIOS/UEFI) password and disk encryption where that threat matters.

GRUB 2 passwords come in two formats:

  • Plain-text password (the password command): the secret is stored in the clear in grub.cfg, so it is weak
  • PBKDF2 password (the password_pbkdf2 command): the secret is stored as a PBKDF2-SHA512 hash, which is the form to use

Run grub2-mkpasswd-pbkdf2 to generate the PBKDF2 hash, add the superusers setting and the password_pbkdf2 line to /etc/grub.d/00_header, and regenerate the GRUB configuration with grub2-mkconfig.

Add the user and the PBKDF2 hash to /etc/grub.d/00_header in the following form.

[root@kgc ~]# grub2-mkpasswd-pbkdf2
Enter password: 123456
Reenter password: 123456
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.E96097D1B1E470345D9FB62759335832B4A0F39CD4C9A57B502BD59CF1B8C393EEA37847984E242AAD4BFBB72E4BDC2196E6A7495CE7C86BF3D2498A34CAC2B7.B2EB99ED40267AE9496357B78C0DC04CE79957980A4A3FFA577B7502D70A5412D2EAD5CE4DAAC0FE068621CB29B76E44A7645EDCC7784FF20E113AF0B95E3467
[root@kgc ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak          # back up the live configuration first
[root@kgc ~]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak
[root@kgc ~]# vim /etc/grub.d/00_header
......
cat << EOF
set superusers="root"        # user(s) allowed to edit entries and use the GRUB shell
password_pbkdf2 root grub.pbkdf2.sha512.10000.E96097D1B1E470345D9FB62759335832B4A0F39CD4C9A57B502BD59CF1B8C393EEA37847984E242AAD4BFBB72E4BDC2196E6A7495CE7C86BF3D2498A34CAC2B7.B2EB99ED40267AE9496357B78C0DC04CE79957980A4A3FFA577B7502D70A5412D2EAD5CE4DAAC0FE068621CB29B76E44A7645EDCC7784FF20E113AF0B95E3467
EOF

Then use grub2-mkconfig to generate the new grub.cfg:

[root@kgc ~]# grub2-mkconfig -o /boot/grub2/grub.cfg        # generate a new grub.cfg containing the password

The same addition with a hash from a second run (the value differs every time because the salt is random; both are equally valid for the password 123456):

cat << EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.4f3cd9383616c3aafb1e98a289cb707a6feedae7befb10a59642fe641c8f13ad9a27ead43deb07d9f4228149c716fa40c8c04e13e98ffac45ef7aa2ad76c96b9.49cec46b324dc9a94d0b461c711569adb79213708929b1891232db5fe31ec6f5a0a4e4d0a4aa0eaa64e38a6876eeb3b5ebf8991d0fb04537e1f39d1aa40d1ad5
EOF

In general:

cat << EOF
set superusers="USER"
password_pbkdf2 USER <PBKDF2 hash of USER's password>
EOF

On RHEL/CentOS 7.2 and later the whole procedure is wrapped by a single command, which stores the hash in /boot/grub2/user.cfg where the stock 01_users script picks it up, so 00_header does not need to be edited:

[root@kgc ~]# grub2-setpassword
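As an added example (not part of the original article), the script below checks a generated grub.cfg for the points that matter once a GRUB password is in place: superusers must be set, each user must have a well-formed grub.pbkdf2.sha512 hash rather than a plain-text password line, and every entry that should boot without a prompt needs --unrestricted, otherwise GRUB demands the superuser password before booting it and not only before editing it. The sample configurations are constructed (entry titles and kernel paths are made up); the hash in good.cfg is the one generated in the article above.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check GRUB 2
# password protection in a grub.cfg. Real use: check_grub_cfg /boot/grub2/grub.cfg

write_grub_samples() {
    cat > "$1/weak.cfg" <<'EOF'
password root 123456
menuentry 'Linux' --class gnu-linux $menuentry_id_option 'linux-simple' {
        linux16 /vmlinuz root=/dev/mapper/centos-root ro
}
EOF
    cat > "$1/good.cfg" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.E96097D1B1E470345D9FB62759335832B4A0F39CD4C9A57B502BD59CF1B8C393EEA37847984E242AAD4BFBB72E4BDC2196E6A7495CE7C86BF3D2498A34CAC2B7.B2EB99ED40267AE9496357B78C0DC04CE79957980A4A3FFA577B7502D70A5412D2EAD5CE4DAAC0FE068621CB29B76E44A7645EDCC7784FF20E113AF0B95E3467
menuentry 'Linux (default kernel)' --class gnu-linux --unrestricted $menuentry_id_option 'linux-simple' {
        linux16 /vmlinuz root=/dev/mapper/centos-root ro
}
menuentry 'Linux (rescue)' --class gnu-linux $menuentry_id_option 'linux-rescue' {
        linux16 /vmlinuz-0-rescue root=/dev/mapper/centos-root ro
}
EOF
    cat > "$1/badhash.cfg" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.abc.def
EOF
}

# Print HIGH/OK/INFO findings; exit 0 only when there is no HIGH finding.
check_grub_cfg() {
    awk '
    BEGIN { q = sprintf("%c", 39); high = 0 }          # q is a single quote, for title extraction
    /^[[:space:]]*set[[:space:]]+superusers=/ { su = 1 }
    /^[[:space:]]*password[[:space:]]/ {                # the "password" keyword stores the secret in clear
        print "HIGH plaintext password for user " $2; high++
    }
    /^[[:space:]]*password_pbkdf2[[:space:]]/ {
        users++
        n = split($3, p, ".")                           # grub.pbkdf2.sha512.<iterations>.<salt>.<digest>
        if (n != 6 || p[1] != "grub" || p[2] != "pbkdf2" || p[3] != "sha512" ||
            p[4] + 0 < 10000 || length(p[5]) != 128 || length(p[6]) != 128 ||
            p[5] !~ /^[0-9A-Fa-f]+$/ || p[6] !~ /^[0-9A-Fa-f]+$/) {
            print "HIGH malformed pbkdf2 hash for user " $2; high++
        } else {
            print "OK pbkdf2 hash for user " $2 " (" p[4] " iterations, 64-byte salt and digest)"
        }
    }
    /^[[:space:]]*menuentry[[:space:]]/ {
        title = $0
        sub("^[^" q "\"]*[" q "\"]", "", title); sub("[" q "\"].*$", "", title)
        if ($0 !~ /--unrestricted/) print "INFO superuser password required to boot: " title
    }
    END {
        if (!su) { print "HIGH superusers not set: anyone at the console can edit entries or use the GRUB shell"; high++ }
        else if (!users) { print "HIGH superusers set but no password_pbkdf2 line: superusers cannot authenticate"; high++ }
        exit (high > 0)
    }' "$1"
}

# Demo on the constructed files.
d=$(mktemp -d)
write_grub_samples "$d"
for f in weak.cfg good.cfg badhash.cfg; do
    echo "== $f"
    if check_grub_cfg "$d/$f"; then echo "result: acceptable"; else echo "result: needs attention"; fi
done
rm -rf "$d"
```

The hash check encodes what grub2-mkpasswd-pbkdf2 produces by default (10000 iterations, a 64-byte salt and a 64-byte SHA-512 output, each written as 128 hex digits); a hash that has been line-wrapped or truncated while being pasted into 00_header fails it, which is a common cause of a GRUB that accepts no password at all.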