GrandOB

System Security

PAM security authentication flow

Check the PAM package installed on the current system
[root@localhost ~]# rpm -qi pam
Name        : pam
Version     : 1.1.8
Release     : 18.el7
Architecture: x86_64
Install Date: 2024年03月11日 星期一 18时29分11秒
Group       : System Environment/Base
Size        : 2625254
License     : BSD and GPLv2+
Signature   : RSA/SHA256, 2016年11月21日 星期一 03时52分37秒, Key ID 24c6a8a7f4a80eb5
Source RPM  : pam-1.1.8-18.el7.src.rpm
Build Date  : 2016年11月06日 星期日 07时14分20秒
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.linux-pam.org/
Summary     : An extensible library which provides authentication for applications
Description :
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without
having to recompile programs that handle authentication.
List the files shipped by the package (modules and configuration)
[root@localhost ~]# rpm -ql pam
/etc/pam.d
/etc/pam.d/config-util
/etc/pam.d/fingerprint-auth
/etc/pam.d/other
/etc/pam.d/password-auth
/etc/pam.d/postlogin
/etc/pam.d/smartcard-auth
/etc/pam.d/system-auth
/etc/security
/etc/security/access.conf
/etc/security/chroot.conf
...
What the files mean
[root@localhost ~]#ls /usr/lib64/security/*.so|wc -l ---- binary module files; these are never edited directly
60

[root@localhost ~]#ls /etc/security/  ---- configuration files used together with the modules above; some simple modules have no configuration file
access.conf       console.perms.d  namespace.d     sepermit.conf
chroot.conf       group.conf       namespace.init  time.conf
console.apps      limits.conf      opasswd
console.handlers  limits.d         pam_env.conf
console.perms     namespace.conf   pwquality.conf

# configuration files that are edited
/etc/security
/etc/pam.d/*


[root@localhost ~]#cd /etc/pam.d/ ---- this directory holds the configuration that tells each application how to call the modules

limits

Restrict the number of files a user may open, the number of processes they may run, and the memory they may use.

View the current limits
[root@localhost ~]# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 7168
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 7168
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
Temporary change of the maximum number of open files (rarely used)
[root@localhost ~]# ulimit -n  10000
[root@localhost ~]# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 7168
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 10000 ---- temporary change
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 7168
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
Permanent change; takes effect for new login sessions without a reboot
[root@localhost ~]# vim /etc/security/limits.conf
# /etc/security/limits.conf
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overriden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overriden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
    *               -    nofile   10000
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
domain              type                        item                          value
<username>          soft  (soft limit)          nofile  max open files        a number, or unlimited (a special value meaning no limit)
*    (all users)    hard  (hard limit)          nproc   max processes
@<group>            -     (both soft and hard)  core    max core file size
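As an added example (not code from the original post, and not pam_limits itself), the following resolver models how the domain, type, item and value columns above combine: a user entry beats an @group entry, which beats *, soft and hard are tracked separately, and files under limits.d are read after limits.conf and override settings at the same level of specificity. The file contents, the user names alice and bob, and the group dev are constructed samples.

```python
"""Resolver for the limits.conf format described above.

Added example: not code from the post and not pam_limits itself. It models
the precedence the post sketches (user entry > @group entry > *; soft and
hard tracked separately; limits.d files read after limits.conf and
overriding at the same level) so an administrator can predict what
`ulimit -a` will show in a fresh login. All file contents are constructed.
"""
from typing import Dict, Iterable, List, Optional, Sequence, Tuple, Union

Value = Union[int, str]                    # an integer or the literal "unlimited"
_RANK = {"user": 0, "group": 1, "all": 2}  # lower rank = more specific domain

# Constructed stand-in for /etc/security/limits.conf
LIMITS_CONF = """
*        -     nofile   10000
@dev     hard  nofile   20000
alice    soft  nofile   4096
*        soft  nproc    4096
"""

# Constructed stand-in for /etc/security/limits.d/20-nproc.conf
LIMITS_D = [("20-nproc.conf", """
*      soft  nproc  8192
root   soft  nproc  unlimited
""")]


def parse_limits(text: str) -> List[Tuple[str, str, str, Value]]:
    """Parse '<domain> <type> <item> <value>' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed limits line: {raw!r}")
        domain, ltype, item, value = parts
        if ltype not in ("soft", "hard", "-"):
            raise ValueError(f"unknown limit type {ltype!r} in {raw!r}")
        entries.append((domain, ltype, item,
                        "unlimited" if value == "unlimited" else int(value)))
    return entries


def _domain_rank(domain: str, user: str, groups: Sequence[str]) -> Optional[int]:
    """Specificity of a domain for this user, or None if it does not apply."""
    if domain == user:
        return _RANK["user"]
    if domain.startswith("@") and domain[1:] in groups:
        return _RANK["group"]
    if domain == "*":
        return _RANK["all"]
    return None


def resolve_limits(files: Iterable[Tuple[str, str]], user: str,
                   groups: Sequence[str]) -> Dict[str, Dict[str, Value]]:
    """files: (name, text) pairs in read order, limits.conf first and then
    limits.d/* sorted alphabetically. Returns {item: {"soft": v, "hard": v}}."""
    state: Dict[str, Dict[str, Tuple[int, Value]]] = {}
    for _name, text in files:
        for domain, ltype, item, value in parse_limits(text):
            rank = _domain_rank(domain, user, groups)
            if rank is None:
                continue
            for t in (("soft", "hard") if ltype == "-" else (ltype,)):
                current = state.setdefault(item, {}).get(t)
                # a later line wins only if it is at least as specific
                if current is None or rank <= current[0]:
                    state[item][t] = (rank, value)
    return {item: {t: v for t, (_rank, v) in kinds.items()}
            for item, kinds in state.items()}


def effective_limits(user: str, groups: Sequence[str]) -> Dict[str, Dict[str, Value]]:
    """Resolve the constructed sample policy for one user."""
    files = [("limits.conf", LIMITS_CONF)] + sorted(LIMITS_D)
    return resolve_limits(files, user, groups)


if __name__ == "__main__":
    for user, groups in (("alice", ["dev"]), ("bob", []), ("root", ["root"])):
        print(user, effective_limits(user, groups))
```

For alice (a member of dev) this yields nofile soft 4096 from her own line and hard 20000 from the @dev line, while the limits.d wildcard raises her nproc soft limit to 8192. As the header of limits.conf itself states, these limits apply to users logging in through PAM, not to system services, so confirm the result with `ulimit -a` in a fresh login session rather than in an existing shell.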

Privilege elevation with sudo

Other users can prefix a command with sudo to run it with superuser privileges; they must first be authorized to do so.

View details of the sudo package
[root@localhost ~]# rpm -qi sudo
Name        : sudo
Version     : 1.8.19p2
Release     : 10.el7
Architecture: x86_64
Install Date: 2024年03月11日 星期一 18时34分23秒
Group       : Applications/System
Size        : 4051619
License     : ISC
Signature   : RSA/SHA256, 2017年08月11日 星期五 03时59分29秒, Key ID 24c6a8a7f4a80eb5
Source RPM  : sudo-1.8.19p2-10.el7.src.rpm
Build Date  : 2017年08月04日 星期五 22时38分18秒
Build Host  : c1bm.rdu2.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.courtesan.com/sudo/
Summary     : Allows restricted root access for specified users
Description :
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands
as root while logging all commands and arguments. Sudo operates on a
per-command basis.  It is not a replacement for the shell.  Features
include: the ability to restrict what commands a user may run on a
per-host basis, copious logging of each command (providing a clear
audit trail of who did what), a configurable timeout of the sudo
command, and the ability to use the same configuration file (sudoers)
on many different machines.
sudo configuration files
[root@localhost ~]# rpm -qc sudo
/etc/pam.d/sudo
/etc/pam.d/sudo-i
/etc/sudo-ldap.conf
/etc/sudo.conf ---- default configuration; no need to modify
/etc/sudoers ---- the file to edit; use visudo to edit it (it checks the syntax)

[root@localhost ~]# visudo -c ---- syntax check of the file
/etc/sudoers:解析正确
Configuration file format

/etc/sudoers: the main configuration file; it contains many settings, so finding and editing entries there is cumbersome

/etc/sudoers.d/ : drop-in directory that can hold a separate configuration file for each user

Rule format
#user    login host    =    (run-as user)     command
#user  	host       =    (runas)       command
root     ALL       =     (root)       command

user:    the identity of whoever runs the command
host:    from which hosts; multiple allowed, e.g. 192.168.91.100 - 110, localhost
(runas): as which user the command runs
command: which commands may be run

User and runas:
 username                  (user name)
 #uid                      (numeric user id)
 %group_name               (group name)
 %#gid                     (numeric group id)
 user_alias|runas_alias    (alias)   MYUSER=zhangsan,lisi
host:
 ip or hostname            (IP address or host name)
 host_alias                (alias)   localhost
command:
 command name              (a command)
 directory                 (the commands inside a directory)
 sudoedit                  (can edit the sudoers file, effectively becoming an administrator)
 Cmnd_Alias                (command alias)
Using aliases
# hostnames
Host_Alias MYHOSTS = kgc,localhost
# user names
User_Alias MYUSERS = zhangsan,wangwu,lisi
# shared command set
Cmnd_Alias MYCMNDS = /sbin/*,!/sbin/reboot,!/sbin/poweroff,!/sbin/init,!/usr/bin/rm

MYUSERS MYHOSTS=NOPASSWD:MYCMNDS
#user    host  = no password required:command
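The following evaluator is an added example, not code from the post and not sudo's own implementation. It parses the rule subset described above (User_Alias, Host_Alias and Cmnd_Alias definitions, user/#uid/%group/%#gid specifications, ALL, the (runas) field, the NOPASSWD: tag and `!` exclusions) and answers "may this user run this command on this host, and does it prompt for a password?" for the post's own MYUSERS/MYHOSTS/MYCMNDS policy. The %wheel rule, the user ops and the uids/gids are constructed assumptions. One caveat worth keeping in mind when reviewing such a policy: the sudoers manual warns that subtracting commands from a wildcard with `!` is not a reliable restriction, so an explicit allow-list of full paths is the safer design.

```python
"""Evaluator for the sudoers rule subset described above.

Added example: not code from the post and not sudo itself. It handles
User_Alias/Host_Alias/Cmnd_Alias, user/#uid/%group/%#gid specs, ALL, the
(runas) field, NOPASSWD: and '!' exclusions. It is an aid for reasoning
about a policy; the authoritative checks remain `visudo -c` and `sudo -l`.
"""
import fnmatch
import os
from typing import Dict, List, NamedTuple, Tuple


class Rule(NamedTuple):
    users: List[str]
    hosts: List[str]
    runas: List[str]
    nopasswd: bool
    cmnds: List[str]


class Subject(NamedTuple):
    name: str
    uid: int
    groups: Tuple[str, ...]   # names of the groups the user belongs to
    gids: Tuple[int, ...]     # the corresponding numeric gids


# Constructed sample policy: the aliases from the post plus a hypothetical
# %wheel rule (an assumption, not from the post).
SAMPLE_SUDOERS = """
# hostnames
Host_Alias MYHOSTS = kgc,localhost
# user names
User_Alias MYUSERS = zhangsan,wangwu,lisi
# shared command set
Cmnd_Alias MYCMNDS = /sbin/*,!/sbin/reboot,!/sbin/poweroff,!/sbin/init,!/usr/bin/rm

MYUSERS MYHOSTS=NOPASSWD:MYCMNDS
%wheel  ALL=(ALL) ALL
"""


def _split_list(text: str) -> List[str]:
    return [t.strip() for t in text.split(",") if t.strip()]


def parse_sudoers(text: str):
    """Return (aliases, rules) for the subset handled here."""
    aliases: Dict[str, Dict[str, List[str]]] = {
        "User_Alias": {}, "Host_Alias": {}, "Cmnd_Alias": {}}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        # '#' starts a comment unless a digit follows (the #uid syntax)
        if not line or (line.startswith("#") and not line[1:2].isdigit()):
            continue
        head = line.split(None, 1)[0]
        if head in aliases:                       # e.g. Cmnd_Alias NAME = a,!b
            name, _, members = line[len(head):].partition("=")
            aliases[head][name.strip()] = _split_list(members)
            continue
        # "users hosts = (runas) [NOPASSWD:] commands"
        user_spec, _, rest = line.partition("=")
        users_part, hosts_part = user_spec.split()
        rest = rest.strip()
        runas = ["root"]                          # sudo's default run-as user
        if rest.startswith("("):
            runas_part, _, rest = rest[1:].partition(")")
            runas, rest = _split_list(runas_part), rest.strip()
        nopasswd = rest.upper().startswith("NOPASSWD:")
        if nopasswd or rest.upper().startswith("PASSWD:"):
            rest = rest.split(":", 1)[1].strip()
        rules.append(Rule(_split_list(users_part), _split_list(hosts_part),
                          runas, nopasswd, _split_list(rest)))
    return aliases, rules


def _expand(items: List[str], table: Dict[str, List[str]]) -> List[str]:
    """Recursively replace alias names, carrying '!' exclusions through."""
    out: List[str] = []
    for item in items:
        neg, name = item.startswith("!"), item.lstrip("!")
        if name not in table:
            out.append(item)
            continue
        for sub in _expand(table[name], table):
            flip = sub.startswith("!") != neg     # double negation cancels
            out.append(("!" if flip else "") + sub.lstrip("!"))
    return out


def _user_matches(spec: str, s: Subject) -> bool:
    if spec == "ALL":
        return True
    if spec.startswith("%#"):
        return int(spec[2:]) in s.gids
    if spec.startswith("%"):
        return spec[1:] in s.groups
    if spec.startswith("#"):
        return int(spec[1:]) == s.uid
    return spec == s.name


def _cmnd_matches(pattern: str, command: str) -> bool:
    if pattern in ("ALL", command):
        return True
    if pattern.endswith("/"):                     # directory: any file directly inside
        return os.path.dirname(command) + "/" == pattern
    return fnmatch.fnmatchcase(command, pattern)


def check(policy, subject: Subject, host: str, command: str, runas: str = "root") -> str:
    """Return 'NOPASSWD', 'PASSWD' or 'DENY'; rules are read in file order
    and the last matching entry wins, as in sudoers."""
    aliases, rules = policy
    verdict = "DENY"
    for rule in rules:
        if not any(_user_matches(u, subject) for u in _expand(rule.users, aliases["User_Alias"])):
            continue
        if not any(h in ("ALL", host) for h in _expand(rule.hosts, aliases["Host_Alias"])):
            continue
        if not any(r in ("ALL", runas) for r in rule.runas):
            continue
        for entry in _expand(rule.cmnds, aliases["Cmnd_Alias"]):
            if _cmnd_matches(entry.lstrip("!"), command):
                verdict = "DENY" if entry.startswith("!") else (
                    "NOPASSWD" if rule.nopasswd else "PASSWD")
    return verdict
```

Run against the post's policy, zhangsan on localhost gets /sbin/ifconfig without a password, is refused /sbin/reboot because the exclusion is the last matching entry, and is refused everything from a host outside MYHOSTS; a member of the hypothetical wheel group is allowed any command but is prompted for a password.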

posted on 2024-04-22 00:20  OB书写