Chapter 1 Overview
Outline:
- The commands involved
- Files and directories related to users
- How to let an ordinary user act with root privileges
- Auditing what users do
1.1 Classes of users
root user ("the emperor")   UID: 0
Traits: highest privilege; can do anything on the system.
Virtual (puppet) users ("the puppets")   UID: 1-499
Traits: every service or program needs a user to run as.
Puppet users are not meant to log in to the system (and cannot).
Puppet users
grep nobody /etc/passwd
su - nobody
[root@test ~]# grep nobody /etc/passwd
nobody:x:99:99:Nobody:/:/sbin/nologin    # a virtual user's command interpreter differs from an ordinary user's
[root@test ~]# su - nobody
This account is currently not available.
[root@test ~]# grep mysql /etc/passwd
mysql:x:503:503::/home/mysql:/sbin/nogin/
[root@test ~]# su - mysql
su: warning: cannot change directory to /home/mysql: No such file or directory
su: /sbin/nogin/: No such file or directory
Note: on this machine the mysql user's shell field is misspelled (/sbin/nogin/ instead of /sbin/nologin) and its home directory does not exist. A nonexistent shell also blocks login, but only by accident; the correct setting is /sbin/nologin, which prints the "not available" message shown for nobody.
Ordinary users ("the commoners")   UID: 500+ (UIDs start at 500 on CentOS 6)
[root@test ~]# grep baoge /etc/passwd
baoge:x:505:505::/home/baoge:/bin/bash
Traits: can log in to the system, but anything beyond their own files and processes requires explicit authorisation (see sudo in 1.4).
1.2 Files and directories related to users
1.2.1 Files related to users
/etc/passwd    ### user account information
/etc/shadow    ### user password (hash) information
/etc/group     ### group information
/etc/gshadow   ### group password information
ls -l /etc/passwd /etc/shadow /etc/group /etc/gshadow
[root@test ~]# ls -l /etc/passwd /etc/shadow /etc/group /etc/gshadow
-rw-r--r-- 1 root root  625 Nov 17 00:17 /etc/group
---------- 1 root root  509 Nov 17 00:17 /etc/gshadow
-rw-r--r-- 1 root root 1215 Nov 17 00:17 /etc/passwd
---------- 1 root root 1099 Nov 17 00:18 /etc/shadow
### After a user is added to the system, the modification time of all four files changes
[root@test ~]# ls -l /etc/passwd /etc/shadow /etc/group /etc/gshadow
-rw-r--r-- 1 root root  642 Nov 18 05:45 /etc/group
---------- 1 root root  523 Nov 18 05:45 /etc/gshadow
-rw-r--r-- 1 root root 1262 Nov 18 05:45 /etc/passwd
---------- 1 root root 1131 Nov 18 05:45 /etc/shadow
### Meaning of each field in /etc/passwd
[root@test ~]# head -2 /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
username:password:UID:GID:comment (description):home directory:login shell / command interpreter
The "x" in the password field means the real password hash lives in /etc/shadow, which only root can read.
### /etc/shadow holds the users' real (hashed) passwords
[root@test /]# head -5 /etc/shadow
root:$6$HNvpPdkF3RQwb5.I$XIvA1gY0NdjayrekrQXYtj33TPX16TiRHNr4a1PVHEiulhiwfib1msnUtR43ReZCij1M5ibNs/1cFCVCVMaIg/:17486:0:99999:7:::
bin:*:17246:0:99999:7:::
daemon:*:17246:0:99999:7:::
adm:*:17246:0:99999:7:::
lp:*:17246:0:99999:7:::
Fields: name:hash:date of last change (days since 1970-01-01):minimum age:maximum age:warning days:inactive days:expiry date:reserved. The $6$ prefix marks a SHA-512 crypt hash; "*" or "!!" in the hash field means the account has no usable password and cannot authenticate with one.
### Contents of /etc/group
[root@test /]# head -5 /etc/group
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon
Fields: group name:password:GID:comma-separated list of members.
### Contents of /etc/gshadow
[root@test /]# head -5 /etc/gshadow
root:::
bin:::bin,daemon
daemon:::bin,daemon
sys:::bin,adm
adm:::adm,daemon
### Command interpreters available on the system
[root@test ~]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/bin/tcsh
/bin/csh
### Relationship between /bin/sh and /bin/bash
[root@test ~]# ls -l /bin/sh /bin/bash
-rwxr-xr-x  1 root root 942200 Mar 23  2017 /bin/bash
lrwxrwxrwx. 1 root root      4 Nov 16 13:45 /bin/sh -> bash
/bin/sh is a symbolic link to /bin/bash. Even so, do not set a user's command interpreter to /bin/sh: bash invoked as sh runs in POSIX-compatibility mode, so the user would not get normal bash behaviour.
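The field layout above is all an auditor needs to spot the classic account problems: a second UID 0, a "puppet" account that was given a real shell, a shell that is not in /etc/shells (like the /sbin/nogin/ typo in 1.1), and an empty password field in /etc/shadow. The script below is an added example, not part of the original notes; its sample passwd, shadow and shells files are constructed to resemble the CentOS 6 entries shown above. Point the functions at the real files to audit a live host (reading /etc/shadow needs root).

```shell
#!/bin/bash
# account_audit.sh: sanity checks over /etc/passwd, /etc/shadow and /etc/shells.
# Added example for this page, not part of the original notes.

# Accounts with UID 0 that are not named root: a second superuser is a classic backdoor.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# System (puppet) accounts, UID 1-499 on CentOS 6, that have a real login shell.
system_accounts_with_login_shell() {
    awk -F: '$3 >= 1 && $3 <= 499 && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }' "$1"
}

# Accounts whose shell is not listed in the shells file (a typo such as /sbin/nogin/,
# or a planted binary).   Usage: unknown_shells PASSWD SHELLS
unknown_shells() {
    awk -F: 'NR == FNR { if ($0 != "" && $0 !~ /^#/) ok[$0] = 1; next }
             !($7 in ok) { print $1 }' "$2" "$1"
}

# Shadow entries with an empty hash field: such an account logs in with no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# run_audit PASSWD SHADOW SHELLS: human-readable report of all four checks
run_audit() {
    echo "extra UID 0 accounts:          $(uid0_accounts "$1" | tr '\n' ' ')"
    echo "system accounts with a shell:  $(system_accounts_with_login_shell "$1" | tr '\n' ' ')"
    echo "shells not in /etc/shells:     $(unknown_shells "$1" "$3" | tr '\n' ' ')"
    echo "accounts with empty password:  $(empty_password_accounts "$2" | tr '\n' ' ')"
}

# ---- constructed sample data, not copied from a real system ----
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/bin/bash
mysql:x:503:503::/home/mysql:/sbin/nogin/
baoge:x:505:505::/home/baoge:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$saltsalt$notarealhash:17486:0:99999:7:::
bin:*:17246:0:99999:7:::
baoge::17486:0:99999:7:::
toor:!!:17486:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/shells" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
EOF

run_audit "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/shells"
```

On the sample data the report names toor (second UID 0), ntp (system account with /bin/bash), mysql (shell not in the list) and baoge (empty password). The first check is the one to run on every host you inherit; the other three are cheap enough to put in the same cron job as the md5sum fingerprints described in 1.6.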
1.2.2 Directories related to users
/etc/skel is the template ("ancestral home") for every new user's home directory
Whatever /etc/skel contains, the home directory of a newly added user contains too
When a new user is added, the system copies the files in this directory into the new user's home
[root@test /]# ls -l /etc/skel
total 0
### Show hidden files in a directory: the -a option
[root@test /]# ls -a /etc/skel
.  ..  .bash_logout  .bash_profile  .bashrc
Show the details of the hidden files
[root@test /]# ls -la /etc/skel
total 20
drwxr-xr-x.  2 root root 4096 Nov 16 13:45 .
drwxr-xr-x. 78 root root 4096 Nov 16 23:09 ..
-rw-r--r--.  1 root root   18 Mar 23  2017 .bash_logout
-rw-r--r--.  1 root root  176 Mar 23  2017 .bash_profile   # per-user counterpart of /etc/profile: the user's own environment variables and aliases
-rw-r--r--.  1 root root  124 Mar 23  2017 .bashrc         # per-user counterpart of /etc/bashrc: aliases that apply to this user only
1.2.2.1 [Production incident 1] The prompt shows -bash-4.1$ after login. How do you fix it?
Reproducing the fault
### switch to user alex
[root@test ~]# su - alex
### go berserk and hit yourself
### or: rm -rf .bash*   or: rm ~/.* -fr
[alex@test ~]$ rm -rf /*
rm: cannot remove `/bin/false': Permission denied
rm: cannot remove `/bin/stty': Permission denied
rm: cannot remove `/bin/unicode_start': Permission denied
rm: cannot remove `/bin/kill': Permission denied
rm: cannot remove `/bin/traceroute6': Permission denied
rm: cannot remove `/bin/cpio': Permission denied
rm: cannot remove `/bin/env': Permission denied
......
rm: cannot remove `/var/cache/man/X11R6/cat9': Permission denied
rm: cannot remove `/var/cache/man/cat1': Permission denied
rm: cannot remove `/var/cache/man/cat9': Permission denied
rm: cannot remove `/var/cache/abrt-di': Permission denied
rm: cannot remove `/var/cache/ldconfig': Permission denied
rm: cannot remove `/var/account/pacct': Permission denied
rm: cannot remove `/var/empty/sshd': Permission denied
[alex@test ~]$ su root
Password:
[root@test alex]#
### alex cannot remove anything owned by root, but rm -rf /* recurses into /home/alex and deletes alex's own files, hidden .bash* files included. Switching to alex again shows the fault:
[root@test alex]# su - alex
-bash-4.1$
-bash-4.1$ pwd
/home/alex
-bash-4.1$ ls
-bash-4.1$ whoami
alex
-bash-4.1$ ls -l /data
total 0
-bash-4.1$ ls -ld /data
drwxr-xr-x. 2 root root 4096 Nov 16 13:56 /data
-bash-4.1$ ls -l /home
total 16
drwx------ 2 alex      alex      4096 Nov 18 06:13 alex
drwx------ 2 baoge     baoge     4096 Nov 17 00:05 baoge
drwx------ 2 oldboy    oldboy    4096 Nov 17 10:04 oldboy
drwx------ 2 xiaoyanzi xiaoyanzi 4096 Nov 18 05:45 xiaoyanzi
Commands still work; only the prompt and the user's personal shell environment are gone.
Cause and fix
Cause: the files that set up the user's shell environment (~/.bash_profile, ~/.bashrc, ~/.bash_logout) were deleted.
Fix: copy a fresh set from the template directory /etc/skel into the affected user's home (e.g. /home/alex), then log that user out and back in.
[root@test alex]# su - alex
-bash-4.1$
-bash-4.1$ cp /etc/skel/.bash* ~
-bash-4.1$ logout
[root@test alex]#
### problem solved
[root@test alex]# su alex
[alex@test ~]$
1.2.2.2 Files and directories whose names start with a dot
### "National law": system-wide settings, read by every user's shell
/etc/profile  √
/etc/bashrc
### "House rules": per-user settings in the home directory, applied after the system-wide ones
~/.bash_profile
~/.bashrc
1.3 Linux user management (the commands that deal with users)
First, check the distribution version, kernel and architecture of the system:
Show the distribution version
cat /etc/redhat-release
[root@test /]# cat /etc/redhat-release
CentOS release 6.9 (Final)
Show the kernel version
[root@test /]# uname -r
2.6.32-696.el6.x86_64
Show the machine architecture; x86_64 means a 64-bit system
[root@test /]# uname -m
x86_64
1.3.1 useradd: add a user
Add an ordinary user
[root@test /]# useradd oldboy
[root@test /]# id oldboy
uid=504(oldboy) gid=504(oldboy) groups=504(oldboy)
Options:
-u  specify the user's UID (a number; unique, like a person's ID-card number)
-s  specify the user's shell (command interpreter)
    /bin/bash       the default shell for new users (SHELL= in /etc/default/useradd)
    /sbin/nologin   the shell for virtual (puppet) users
-M  do not create a home directory; normally used when creating virtual users
-g  specify the user's primary group (by group name)
### Create a virtual user
[root@test baoge]# useradd -u 888 -s /sbin/nologin -M mysql888
[root@test baoge]# id mysql888
uid=888(mysql888) gid=888(mysql888) groups=888(mysql888)
### -s /sbin/nologin keeps this user from logging in to the system
[root@test baoge]# grep mysql888 /etc/passwd
mysql888:x:888:888::/home/mysql888:/sbin/nologin
[root@test baoge]# ls /home/mysql888
ls: cannot access /home/mysql888: No such file or directory
Problem:
[root@test baoge]# useradd -u 888 -s /sbin/nologin -M mysql777
useradd: UID 888 is not unique
UID 888 is already taken; pick another UID and the problem goes away:
[root@test baoge]# useradd -u 889 -s /sbin/nologin -M mysql777
[root@test baoge]# id mysql777
uid=889(mysql777) gid=889(mysql777) groups=889(mysql777)
[root@test baoge]# useradd -s /sbin/nologin -M mysql
Creating mailbox file: File exists
[root@test baoge]# id mysql
uid=890(mysql) gid=890(mysql) groups=890(mysql)
The "File exists" message means /var/spool/mail/mysql was already there (left behind when the earlier mysql account from 1.1 was removed without -r); the user is created anyway. Without -u, useradd takes the next free UID, here 890.
[root@test baoge]# ls /home/
alex  baoge  oldboy  xiaoyanzi
[root@test baoge]# ls /home/mysql
ls: cannot access /home/mysql: No such file or directory
1.3.2 userdel: delete a user
Commenting out the user's line in /etc/passwd also stops the account from being used, but it is not a real deletion: the /etc/shadow entry, the home directory and every file owned by that UID stay behind, and a user later created with the same UID inherits those files. Use userdel.
By default userdel does not remove the user's home directory or mail spool
-r  also remove the home directory and mail spool (everything that belongs to the user)
1.3.3 usermod: modify an existing user
-s  change the user's shell
-g  change the primary group ("family") the user belongs to
-c  set the user's comment (description) field
(--stdin is not a usermod option; it belongs to passwd, see 1.3.4)
[root@test ~]# su mysql
This account is currently not available.
[root@test ~]# grep mysql /etc/passwd
mysql777:x:889:889::/home/mysql777:/sbin/nologin
mysql:x:890:890::/home/mysql:/sbin/nologin
[root@test ~]# usermod -s /bin/bash mysql
[root@test ~]# grep mysql /etc/passwd
mysql:x:890:890::/home/mysql:/bin/bash
[root@test ~]# su mysql
bash-4.1$ cp /etc/skel/.bash* ~
cp: target `/home/mysql' is not a directory
### The virtual user has no home directory, so even with a real shell its login environment cannot be set up; the bare bash-4.1$ prompt is the same symptom as in 1.2.2.1.
The -c option: useradd accepts it as well when creating a user
[root@test ~]# usermod -c "The user is lbh" baoge
[root@test ~]# grep baoge /etc/passwd
baoge:x:505:505:The user is lbh:/home/baoge:/bin/bash
1.3.4 passwd: set a user's password
Set a password for a user
[root@test /]# passwd oldboy
Changing password for user oldboy.
New password:           # 123456 (typed, not echoed)
Retype new password:    # 123456
passwd: all authentication tokens updated successfully.
- Note
- In a production environment, avoid working directly as root unless the maintenance task genuinely needs more than an ordinary user's privileges.
- The password can also be set in one step with the command below (baoge is the user name, 123456 the password):
[root@test /]# useradd baoge
[root@test /]# id baoge
uid=505(baoge) gid=505(baoge) groups=505(baoge)
### Another way to set a user's password: non-interactively, reading it from standard input
[root@test /]# echo "123456"|passwd --stdin baoge && history -c
Changing password for user baoge.
passwd: all authentication tokens updated successfully.
[root@test ~]# echo 654321|passwd --stdin baoge
Changing password for user baoge.
passwd: all authentication tokens updated successfully.
### Keeping the password out of the shell history
[root@test ~]# echo 123456|passwd --stdin baoge && history -c
Changing password for user baoge.
passwd: all authentication tokens updated successfully.
Caveat: history -c wipes this shell's entire in-memory history, including the commands you wanted to keep. For a one-off, prefixing the command with a space under HISTCONTROL=ignorespace keeps it out of the history; for bulk work, chpasswd reading from a file with mode 0600 keeps the password off the command line altogether. And 123456 is a lab password only.
[root@test ~]# ls -l .bash*
-rw-------. 1 root root 10049 Nov 18 08:17 .bash_history
-rw-r--r--. 1 root root    18 May 20  2009 .bash_logout
-rw-r--r--. 1 root root   176 May 20  2009 .bash_profile
-rw-r--r--. 1 root root   176 Sep 23  2004 .bashrc
### .bash_history in the current user's home directory stores the history of commands typed
[root@test ~]# head .bash_history
ls
cd /
ls
mkdir -p data oldboy
ls
id
ls
ifconfig
setup
ifup eth0
[root@test ~]# tail .bash_history
sh bj.sh 10 10 10
vim bj.sh
sh bj.sh 10 10 10
sh bj.sh 10 8
sh bj.sh 10 20
sh bj.sh 10 10
su mysql888
grep mysql888 /etc/passwd
usermod -s /bin/bash mysql888
su mysql888
1.3.4.1 [Corporate password-management requirements]
- Complex passwords: 12 or more characters mixing letters, digits and special characters
- Password storage (two tools):
  keepass (local software; the passwords stay on your own machine, a safe at home)
  lastpass (online version, a safe-deposit box at the bank)
- Large companies manage users and passwords centrally (an openldap domain, the equivalent of an Active Directory domain)
- Dynamic passwords: one-time passwords from a third party, or simple enough to develop in-house.
Further hardening
- Analyse /var/log/secure: search for "failure" and "failed"
- Lock down files: chattr +i / +a, checked with lsattr, to protect critical commands and files
- Fingerprints (find + md5sum + a cron job) to monitor commonly used commands and files
  md5sum -c / --check
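Grepping /var/log/secure for "failed" and "failure" is the first step; the questions that follow are which addresses are hammering sshd, which non-existent user names they try (a sign of a password-spraying bot rather than a colleague mistyping), and who became root through su. The functions below answer those questions with awk and are an added example, not part of the original notes. The log lines are constructed in the CentOS 6 sshd/pam_unix format; on a real host pass /var/log/secure (root-readable only) instead of the sample file.

```shell
#!/bin/bash
# secure_log_triage.sh: first-pass analysis of /var/log/secure.
# Added example for this page, not part of the original notes.

# failed_ssh_by_source LOG: "<count> <ip>" per source address, most active first.
# Only the sshd "Failed password" lines are counted; the pam_unix
# "authentication failure" lines describe the same events a second time.
failed_ssh_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# brute_force_sources LOG THRESHOLD: addresses with at least THRESHOLD failures
brute_force_sources() {
    failed_ssh_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# invalid_users_tried LOG: user names that do not exist here but were tried anyway
invalid_users_tried() {
    awk '/Failed password for invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") { print $(i+1); break }
         }' "$1" | sort -u
}

# root_sessions_via_su LOG: "<caller> -> root" for every su (or su -) to root
root_sessions_via_su() {
    awk '/pam_unix\(su(-l)?:session\): session opened for user root by/ {
            by = $NF; sub(/\(.*/, "", by); print by " -> root"
         }' "$1"
}

# ---- constructed sample log, not captured from a real system ----
SECURE_LOG=$(mktemp)
cat > "$SECURE_LOG" <<'EOF'
Nov 18 10:21:01 test sshd[7311]: Failed password for invalid user admin from 10.0.0.77 port 52110 ssh2
Nov 18 10:21:03 test sshd[7311]: Failed password for invalid user admin from 10.0.0.77 port 52110 ssh2
Nov 18 10:21:05 test sshd[7315]: Failed password for root from 10.0.0.77 port 52112 ssh2
Nov 18 10:21:09 test sshd[7318]: Failed password for invalid user oracle from 10.0.0.77 port 52114 ssh2
Nov 18 10:22:40 test sshd[7320]: Accepted password for baoge from 10.0.0.253 port 49822 ssh2
Nov 18 10:23:01 test sshd[7324]: Failed password for baoge from 10.0.0.253 port 49830 ssh2
Nov 18 10:25:11 test sshd[7330]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.77  user=root
Nov 18 10:40:00 test su: pam_unix(su-l:session): session opened for user root by baoge(uid=505)
EOF

echo "failed ssh logins by source:"; failed_ssh_by_source "$SECURE_LOG"
echo "sources with 3+ failures:";    brute_force_sources "$SECURE_LOG" 3
echo "invalid user names tried:";    invalid_users_tried "$SECURE_LOG"
echo "su to root:";                  root_sessions_via_su "$SECURE_LOG"
```

On the sample, 10.0.0.77 accounts for four failures across the names admin, oracle and root and is the only address over the threshold of 3, while 10.0.0.253 is the one genuine typo by baoge. The last function is the audit trail the outline's "behaviour auditing" item asks for: it shows who reached root even when root itself never logged in over ssh.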
[Interview question]
Add 10 users stu01, stu02 ... stu10 in one go and give each an 8-character random password (for, while and other loops are not allowed).
Method 1:
[root@test /]# echo stu{01..10}|tr " " "\n"|sed -r 's#(.*)#useradd \1; pass=$((RANDOM+10000000)); echo "$pass"|passwd --stdin \1; echo -e "\1\t$pass" >>/tmp/oldboy.log#g'|bash
Method 2:
echo stu{11..12}|xargs -n1 useradd ;echo stu{11..12}:`cat /dev/urandom|tr -dc 0-9|fold -w8|head -1`|xargs -n1|tee -a pass.txt|chpasswd
Method 3:
echo stu{21..30} | tr ' ' '\n' | sed -e 's/^/useradd /' -e 's/\(stu[0-9]\{2\}\)$/\1 \&\& echo "\1:`echo $[$RANDOM**3] | cut -c1-8`" | tee -a userInfo.txt | cut -d: -f2 | passwd --stdin \1/' | bash
Method 4:
echo stu{01..10} |tr ' ' '\n'|sed -rn 's@^(.*)$@useradd \1 ; echo $RANDOM|md5sum|cut -c 1-8 >/data/\1;cat /data/\1|passwd --stdin \1@p'|bash
Caveats that apply to all four: $RANDOM yields only 32768 distinct values (method 1's passwords all lie in 10000000..10032767, and method 4's md5sum of $RANDOM has the same 32768 possibilities), the password files (/tmp/oldboy.log, pass.txt, userInfo.txt, /data/stuNN) are plaintext written with the default umask, and the generated commands pass through root's shell history. Fine as an interview answer, not for production.
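The same task done the way it should be in production: passwords come from /dev/urandom with all four character classes the password policy above demands, the credentials file is created mode 0600, and the accounts are set in one chpasswd call so no password ever appears on a command line or in .bash_history. This is an added example, not part of the original notes; the user names and prefix stu are taken from the question, and only provision_users needs root.

```shell
#!/bin/bash
# batch_users.sh: create stu01..stu10 with strong random passwords.
# Added example for this page, not part of the original notes.

# gen_password [LEN]: random password (default 16) drawn from /dev/urandom, retried
# until it contains an upper-case letter, a lower-case letter, a digit and a symbol.
gen_password() {
    len=${1:-16}
    while :; do
        p=$(LC_ALL=C tr -dc 'A-Za-z0-9@#%+=_!' </dev/urandom | head -c "$len")
        case $p in *[[:upper:]]*) ;; *) continue ;; esac
        case $p in *[[:lower:]]*) ;; *) continue ;; esac
        case $p in *[[:digit:]]*) ;; *) continue ;; esac
        case $p in *[@#%+=_!]*)   ;; *) continue ;; esac
        printf '%s\n' "$p"
        return 0
    done
}

# make_credentials PREFIX FIRST LAST OUTFILE: writes "user:password" lines in chpasswd
# format; OUTFILE is created with mode 0600 so the plaintext is never world-readable.
make_credentials() {
    prefix=$1 first=$2 last=$3 out=$4
    ( umask 077; : > "$out" )
    i=$first
    while [ "$i" -le "$last" ]; do
        printf '%s%02d:%s\n' "$prefix" "$i" "$(gen_password)" >> "$out"
        i=$((i + 1))
    done
}

# provision_users CREDFILE: create each account if it does not exist, then set every
# password with a single chpasswd read from the file (root only).
provision_users() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "provision_users: must run as root (useradd/chpasswd)" >&2
        return 2
    fi
    while IFS=: read -r user _; do
        id "$user" >/dev/null 2>&1 || useradd "$user"
    done < "$1"
    chpasswd < "$1"
}

CREDS=$(mktemp)
make_credentials stu 1 10 "$CREDS"
echo "credentials written to $CREDS (mode $(ls -l "$CREDS" | cut -c1-10)):"
cut -d: -f1 "$CREDS" | tr '\n' ' '; echo
echo "next, as root: provision_users $CREDS; hand out the passwords; shred -u $CREDS"
```

The plaintext file is still the weak point, which is why it is created 0600 and should be shredded as soon as the passwords have been delivered; forcing a change at first login (chage -d 0 user) closes the remaining window.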
1.3.5 groupadd: create a group
-g  specify the group's GID (a number)
1.3.6 Commands for querying users
1.3.6.1 id: show a user's identity
- whether a user exists
- the user's UID and GID
- which groups the user belongs to
[root@test ~]# id alex;id baoge;id oldboy;id xiaoyanzi;id mysql
uid=506(alex) gid=506(alex) groups=506(alex)
uid=505(baoge) gid=505(baoge) groups=505(baoge)
uid=504(oldboy) gid=504(oldboy) groups=504(oldboy)
uid=507(xiaoyanzi) gid=507(xiaoyanzi) groups=507(xiaoyanzi)
uid=890(mysql) gid=890(mysql) groups=890(mysql)
1.3.6.2 w: show who is logged in (local and remote) and what they are doing
[root@test baoge]# w
 10:25:20 up 1 day, 11:22,  3 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                 Thu23   35:21m  0.01s  0.01s -bash
root     pts/0    10.0.0.253        05:33    1:55   0.71s  0.20s bash
root     pts/1    10.0.0.253        06:29    0.00s  0.24s  0.00s w
Open two terminals and run man in one of them without quitting
[root@test baoge]# w
 10:26:47 up 1 day, 11:24,  3 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                 Thu23   35:22m  0.01s  0.01s -bash
root     pts/0    10.0.0.253        05:33    9.00s  0.78s  0.03s man ls
root     pts/1    10.0.0.253        06:29    0.00s  0.25s  0.00s w
[root@test baoge]# w
 10:30:45 up 1 day, 11:28,  3 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                 Thu23   35:26m  0.01s  0.01s -bash
root     pts/0    10.0.0.253        05:33    7.00s  0.80s  0.08s htop
root     pts/1    10.0.0.253        06:29    0.00s  0.25s  0.00s w
[root@test baoge]# w
 10:38:22 up 1 day, 11:35,  4 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                 Thu23   35:34m  0.01s  0.01s -bash
root     pts/0    10.0.0.253        05:33    7:44   2.82s  2.10s htop
root     pts/1    10.0.0.253        06:29    0.00s  0.25s  0.00s w
baoge    pts/2    10.0.0.253        10:37   13.00s  0.01s  0.01s -bash
[root@test baoge]# w
 10:38:45 up 1 day, 11:36,  4 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                 Thu23   35:34m  0.01s  0.01s -bash
root     pts/0    10.0.0.253        05:33    8:07   2.93s  2.21s htop
root     pts/1    10.0.0.253        06:29    0.00s  0.25s  0.00s w
baoge    pts/2    10.0.0.253        10:37    3.00s  0.01s  0.00s sl
[root@test baoge]# w
 10:39:05 up 1 day, 11:36,  4 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                 Thu23   35:34m  0.01s  0.01s -bash
root     pts/0    10.0.0.253        05:33    8:27   3.02s  2.30s htop
root     pts/1    10.0.0.253        06:29    0.00s  0.25s  0.00s w
baoge    pts/2    10.0.0.253        10:37    4.00s  0.03s  0.02s htop
Who, from where, doing what
1.3.6.3 last: login history
- Login records: which user logged in, when, and from where (including remote logins), read from /var/log/wtmp
[root@test baoge]# last
baoge    pts/2        10.0.0.253       Sat Nov 18 10:37   still logged in
root     pts/1        10.0.0.253       Sat Nov 18 06:29   still logged in
root     pts/0        10.0.0.253       Sat Nov 18 05:33   still logged in
root     pts/0        10.0.0.253       Fri Nov 17 11:22 - 11:23  (00:00)
root     pts/4        10.0.0.253       Fri Nov 17 08:14 - 22:31  (14:17)
root     pts/3        10.0.0.253       Fri Nov 17 00:28 - 10:04  (09:36)
root     pts/2        10.0.0.253       Fri Nov 17 00:27 - 10:04  (09:37)
root     pts/2        10.0.0.253       Fri Nov 17 00:27 - 00:27  (00:00)
root     pts/1        10.0.0.253       Fri Nov 17 00:26 - 10:04  (09:37)
root     pts/0        10.0.0.253       Fri Nov 17 00:01 - 10:04  (10:03)
root     pts/0        10.0.0.253       Thu Nov 16 23:04 - 00:01  (00:57)
root     tty1                          Thu Nov 16 23:03   still logged in
reboot   system boot  2.6.32-696.el6.x Thu Nov 16 23:02 - 10:50 (1+11:47)
root     pts/0        10.0.0.253       Thu Nov 16 14:39 - 18:48  (04:08)
root     tty1                          Thu Nov 16 14:39 - crash  (08:23)
reboot   system boot  2.6.32-696.el6.x Thu Nov 16 14:38 - 10:50 (1+20:11)
root     pts/0        10.0.0.253       Thu Nov 16 14:33 - down   (00:04)
root     tty1                          Thu Nov 16 14:32 - down   (00:05)
reboot   system boot  2.6.32-696.el6.x Thu Nov 16 14:31 - 14:38  (00:07)
root     pts/0        10.0.0.253       Thu Nov 16 14:22 - down   (00:08)
root     pts/0        10.0.0.253       Thu Nov 16 14:18 - 14:21  (00:03)
root     tty1                          Thu Nov 16 14:17 - down   (00:12)
reboot   system boot  2.6.32-696.el6.x Thu Nov 16 14:16 - 14:30  (00:13)
root     pts/0        10.0.0.253       Thu Nov 16 13:59 - down   (00:16)
root     tty1                          Thu Nov 16 13:55 - down   (00:20)
reboot   system boot  2.6.32-696.el6.x Thu Nov 16 13:55 - 14:16  (00:20)
1.3.6.4 lastlog: the most recent login of every user on the system
[root@test baoge]# lastlog
Username         Port     From             Latest
root             pts/1    10.0.0.253       Sat Nov 18 06:29:34 +0800 2017
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
uucp                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
gopher                                     **Never logged in**
ftp                                        **Never logged in**
nobody                                     **Never logged in**
dbus                                       **Never logged in**
vcsa                                       **Never logged in**
abrt                                       **Never logged in**
haldaemon                                  **Never logged in**
ntp                                        **Never logged in**
saslauth                                   **Never logged in**
postfix                                    **Never logged in**
sshd                                       **Never logged in**
tcpdump                                    **Never logged in**
oldboy                                     **Never logged in**
baoge            pts/2    10.0.0.253       Sat Nov 18 10:37:03 +0800 2017
alex                                       **Never logged in**
xiaoyanzi                                  **Never logged in**
mysql777                                   **Never logged in**
mysql                                      **Never logged in**
A puppet account that suddenly shows a login time here deserves a closer look; none of them should ever log in.
1.3.7 su: switch user
[root@test /]# whoami
root
Switch to user oldboy
[root@test /]# su oldboy
[oldboy@test /]$ whoami
oldboy
Summary: the difference between su and su -
The former (su) keeps the old environment (the original user's) after the switch;
the latter (su -) starts a fresh login environment (the target user's own ~/.bash_profile and ~/.bashrc are read), exactly as if that user had logged in normally from the login screen.
Demonstration:
su
[root@test /]# cd data
[root@test data]# pwd
/data
[root@test data]# su oldboy
[oldboy@test data]$
[oldboy@test data]$ su root
Password:
[root@test data]# pwd
/data
The working directory is unchanged from before the switch
su -
[oldboy@test data]$ su - root
Password:
[root@test ~]# pwd
/root
After su - you land in the target user's home directory, as after a fresh login
[root@test ~]# su oldboy
[oldboy@test root]$ env |grep -i root
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
MAIL=/var/spool/mail/root
PWD=/root
[root@test ~]# su - oldboy
[oldboy@test ~]$ env |grep -i root
Without the dash, oldboy inherits root's PATH (including /root/bin), MAIL and working directory; with it, nothing of root's environment carries over. The same applies in the other direction, and matters more: always use su - (or sudo -i) when becoming root, so that a PATH entry or alias planted in the unprivileged user's environment is not carried into the root shell.
Reference blog:
Oldboy's blog: http://oldboy.blog.51cto.com/2561410/1053606
1.4 sudo: granting privileges to an ordinary user
Lets a particular user run a particular command as root
[root@test ~]# su - baoge
[baoge@test ~]$ tail /var/log/cron
tail: cannot open `/var/log/cron' for reading: Permission denied
[baoge@test ~]$ ls -l /var/log/cron
-rw-------. 1 root root 33516 Nov 18 11:01 /var/log/cron
## insufficient permission
Possible fixes:
## loosen the permissions on the log files (e.g. rw----r--): exposes the logs to every user on the system
## set the SUID bit on tail: far worse, because any user could then read any file, /etc/shadow included
## sudo: hand baoge an "imperial sword" for exactly this command
Which swords do I hold?
[baoge@test root]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for baoge:
sudo: 1 incorrect password attempts
Sorry, user baoge may not run sudo on test.
visudo hands baoge the sword <=======> it edits /etc/sudoers, with locking and a syntax check before saving
[baoge@test root]$
### As root, run visudo and add at line 92 (a rule needs host and runas parts as well, not just user and command):
baoge ALL=(ALL) /usr/bin/tail
### check the syntax
[root@test ~]# visudo -c
/etc/sudoers: parsed OK
Test as baoge
[baoge@test root]$ sudo tail /var/log/cron
[sudo] password for baoge:
Nov 18 10:50:01 test CROND[7021]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 18 11:00:01 test CROND[7027]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 18 11:01:01 test CROND[7058]: (root) CMD (run-parts /etc/cron.hourly)
Nov 18 11:01:01 test run-parts(/etc/cron.hourly)[7058]: starting 0anacron
Nov 18 11:01:01 test run-parts(/etc/cron.hourly)[7067]: finished 0anacron
Nov 18 11:10:01 test CROND[7091]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 18 11:20:01 test CROND[7243]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 18 11:30:01 test CROND[7357]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 18 11:40:01 test CROND[7401]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 18 11:50:01 test CROND[7514]: (root) CMD (/usr/lib64/sa/sa1 1 1)
You have mail in /var/spool/mail/root
Without a password
baoge ALL=(ALL) NOPASSWD:/usr/bin/tail
[baoge@test root]$ sudo tail /var/log/cron
Nov 18 10:40:01 test CROND[7016]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 18 10:50:01 test CROND[7021]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 18 11:00:01 test CROND[7027]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 18 11:01:01 test CROND[7058]: (root) CMD (run-parts /etc/cron.hourly)
Nov 18 11:01:01 test run-parts(/etc/cron.hourly)[7058]: starting 0anacron
Nov 18 11:01:01 test run-parts(/etc/cron.hourly)[7067]: finished 0anacron
Nov 18 11:10:01 test CROND[7091]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 18 11:20:01 test CROND[7243]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 18 11:30:01 test CROND[7357]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 18 11:40:01 test CROND[7401]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Note that neither rule restricts tail's arguments, so baoge can now read any file on the system as root, /etc/shadow included. Pin the arguments (e.g. /usr/bin/tail /var/log/cron) or the grant is effectively "read everything".
Let one user run every command without a password
visudo
baoge ALL=(ALL) NOPASSWD: ALL
[baoge@test root]$ tail -2 /var/log/cron
tail: cannot open `/var/log/cron' for reading: Permission denied
[baoge@test root]$ sudo tail -2 /var/log/cron
Nov 18 12:01:01 test run-parts(/etc/cron.hourly)[7552]: starting 0anacron
Nov 18 12:01:01 test run-parts(/etc/cron.hourly)[7561]: finished 0anacron
[baoge@test root]$ sudo head -2 /var/log/cron
Nov 16 13:55:30 test crond[1521]: (CRON) STARTUP (1.4.4)
Nov 16 13:55:30 test crond[1521]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 17% if used.)
[baoge@test root]$ sudo ll /var/log/cron
sudo: ll: command not found
### ll is a shell alias, not a program; sudo only runs executables it finds in secure_path
[baoge@test root]$ sudo ls -l /var/log/cron
-rw-------. 1 root root 34152 Nov 18 12:01 /var/log/cron
[baoge@test root]$ sudo ls -ld /var/log/cron
-rw-------. 1 root root 34152 Nov 18 12:01 /var/log/cron
[baoge@test root]$ sudo ls -la /var/log/cron
-rw-------. 1 root root 34152 Nov 18 12:01 /var/log/cron
Operations as alex
[alex@test ~]$ sudo -l
[sudo] password for alex:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.   - Spider-Man
Sorry, user alex may not run sudo on test.
(alex is not allowed to run sudo on this server)
# grant alex the cat command
visudo   ## edit the sudo authorisations (as root)
# insert at line 92
alex ALL=(ALL) /bin/cat
[root@test ~]# grep alex /etc/sudoers
alex ALL=(ALL) /bin/cat
### as alex
[alex@test ~]$ sudo -l
[sudo] password for alex:
Matching Defaults entries for alex on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User alex may run the following commands on this host:
    (ALL) /bin/cat
[alex@test ~]$ cat /var/log/cron
cat: /var/log/cron: Permission denied
[alex@test ~]$ sudo cat /var/log/cron
(The same caveat applies: an unrestricted /bin/cat as root reads /etc/shadow just as easily as /var/log/cron.)
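Rules like "alex ALL=(ALL) /bin/cat" and "baoge ALL=(ALL) NOPASSWD: ALL" look narrow on the page and are not, so it pays to scan sudoers mechanically after every visudo. The script below is an added example, not part of the original notes: it parses the plain "user HOST=(RUNAS) [TAGS:] commands" lines (no aliases, no backslash continuations) and flags three things, an unrestricted ALL, binaries that open a root shell whatever their arguments, and file readers granted without arguments. The sample sudoers file is constructed from the rules used in these notes plus two extra ones; on a real host run it against /etc/sudoers and /etc/sudoers.d/* as root.

```shell
#!/bin/bash
# sudoers_audit.sh: flag sudoers rules that grant more than the administrator meant to.
# Added example for this page, not part of the original notes.

# audit_sudoers FILE: one tab-separated line per risky rule: user, command, reason
audit_sudoers() {
    awk '
    BEGIN {
        # binaries that yield a root shell even when the arguments are pinned down
        esc["vim"]  = "shell escape (:!sh)";  esc["vi"] = esc["vim"]
        esc["less"] = "shell escape (!sh)";   esc["more"] = esc["less"]
        esc["find"] = "runs any command via -exec"
        esc["awk"]  = "runs any command via system()"
        esc["bash"] = "is a root shell"; esc["sh"] = esc["bash"]; esc["su"] = esc["bash"]
        # binaries that are only dangerous when the rule leaves the arguments open
        rd["cat"] = "reads any file, e.g. /etc/shadow"
        rd["tail"] = rd["cat"]; rd["head"] = rd["cat"]; rd["cp"] = rd["cat"]
    }
    /^[ \t]*(#|$)/ { next }                                   # comments and blank lines
    /^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
    {
        user = $1
        if (user == "root") next                              # root gains nothing from sudo
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)                        # drop "user HOSTS="
        sub(/^\([^)]*\)[ \t]*/, "", spec)                     # drop "(RUNAS)"
        nopasswd = (spec ~ /NOPASSWD:/)
        gsub(/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):[ \t]*/, "", spec)
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            cmd = cmds[i]
            nwords = split(cmd, w, /[ \t]+/)
            bin = w[1]; sub(/.*\//, "", bin)                  # basename of the binary
            reason = ""
            if (cmd == "ALL")
                reason = nopasswd ? "any command as root, no password" : "any command as root"
            else if (bin in esc)
                reason = esc[bin]
            else if (nwords == 1 && bin in rd)                # no arguments listed = any arguments allowed
                reason = rd[bin]
            if (reason != "") printf "%s\t%s\t%s\n", user, cmd, reason
        }
    }' "$1"
}

# ---- constructed sample, not a real /etc/sudoers ----
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
## constructed sample built from the rules in these notes
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
baoge   ALL=(ALL) NOPASSWD: ALL
alex    ALL=(ALL) /bin/cat
ops     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
dev     ALL=(ALL) /usr/bin/tail -2 /var/log/cron, /usr/bin/vim /etc/hosts
EOF

audit_sudoers "$SAMPLE_SUDOERS"
```

On the sample, %wheel and baoge are flagged for ALL (baoge additionally for NOPASSWD), alex for the unrestricted /bin/cat, and dev for vim (the pinned "tail -2 /var/log/cron" is fine and is not reported); the ops rule passes because NOPASSWD on one fixed command line is exactly what sudo is for.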
The backslash \ in the shell
A \ at the very end of a line continues the command on the next line. Anywhere else, an unquoted \ merely escapes the character after it and is itself removed, which is all that happens in this echo:
[root@test ~]# echo 133333333\aaaaaaaannnvvvvvvv\dddddddddddd1111111111111111111111\nnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
133333333aaaaaaaannnvvvvvvvdddddddddddd1111111111111111111111nnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
1.5 Log auditing
Recording what users do
- The Qizhi bastion host: a commercial product
- Open-source products written in Python
- gateone: a web-based jump host
- Deploying the jumpserver bastion host (jump host)
- crazyEYE, written by alex
- A shell-based jump host
1.6 md5sum and system security
Take a "fingerprint" of important files or commands, then have a cron job run md5sum at intervals to check them
Demonstration:
touch oldboy.txt
[root@test ~]# touch oldboy.txt
[root@test ~]#
1.6.1 Create a fingerprint for the file
The file's content changes === the fingerprint changes
[root@test ~]# md5sum oldboy.txt
d41d8cd98f00b204e9800998ecf8427e  oldboy.txt
[root@test ~]# echo hellobe baoge>>oldboy.txt
[root@test ~]# md5sum oldboy.txt
59f2acf5bd3704c8164cad952999fdd5  oldboy.txt
1.6.2 How to compare fingerprints quickly
1.6.2.1 Record the fingerprint
[root@test ~]# md5sum oldboy.txt
59f2acf5bd3704c8164cad952999fdd5  oldboy.txt
[root@test ~]# md5sum oldboy.txt>>zhiwen.log
[root@test ~]# cat zhiwen.log
59f2acf5bd3704c8164cad952999fdd5  oldboy.txt
1.6.2.2 How to compare
[root@test ~]# md5sum -c zhiwen.log
oldboy.txt: OK
[root@test ~]# >oldboy.txt
[root@test ~]# md5sum -c zhiwen.log
oldboy.txt: FAILED
md5sum: WARNING: 1 of 1 computed checksum did NOT match
1.6.2.3 [Demonstration 2]
Store the fingerprints of /etc/passwd /etc/shadow /etc/group /etc/gshadow in /tmp/zhiwen.log
and compare the files against them.
1. Create the fingerprint list
[root@test ~]# md5sum /etc/passwd /etc/shadow /etc/group /etc/gshadow
22b439ca7da9b3bcf419b97053afaa44  /etc/passwd
7fce5901e768bea2b2b586a65fdcfcbe  /etc/shadow
9e25c2328e6fc38da6dd6fd2445585ed  /etc/group
bddcaff4debb54414b3b7e4a27444f95  /etc/gshadow
[root@test ~]# md5sum /etc/passwd /etc/shadow /etc/group /etc/gshadow >/tmp/zhiwen.log
[root@test ~]# cat /tmp/zhiwen.log
22b439ca7da9b3bcf419b97053afaa44  /etc/passwd
7fce5901e768bea2b2b586a65fdcfcbe  /etc/shadow
9e25c2328e6fc38da6dd6fd2445585ed  /etc/group
bddcaff4debb54414b3b7e4a27444f95  /etc/gshadow
2. Compare the files against the fingerprint list to see whether their contents changed
[root@test ~]# md5sum --check /tmp/zhiwen.log
/etc/passwd: OK
/etc/shadow: OK
/etc/group: OK
/etc/gshadow: OK
[root@test ~]# md5sum -c /tmp/zhiwen.log
/etc/passwd: OK
/etc/shadow: OK
/etc/group: OK
/etc/gshadow: OK
Empty the fingerprint file and compare again
[root@test ~]# >/tmp/zhiwen.log
[root@test ~]# md5sum -c /tmp/zhiwen.log
md5sum: /tmp/zhiwen.log: no properly formatted MD5 checksum lines found
Two caveats for real use. An attacker who can edit /etc/passwd can usually also rewrite or empty a fingerprint list kept in /tmp, so store the list off-host or protect it (chattr +i, read-only media) and treat an empty or missing list as an alarm rather than as "nothing to check". And since MD5 is no longer collision-resistant, prefer sha256sum, which has the same -c/--check interface.
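The fingerprint workflow above, wrapped so that both failure modes the notes run into (a changed file, and a wiped fingerprint list) come back as distinct, scriptable exit codes for a cron job. This is an added example, not part of the original notes; it uses sha256sum in place of md5sum (same "hash  path" line format, same --check), writes the list with mode 0600, and the demonstration runs on constructed copies of passwd and group in a temporary directory rather than on the real /etc files.

```shell
#!/bin/bash
# baseline.sh: record and verify file fingerprints, reporting tampering with the
# list itself as well as with the files. Added example for this page, not part of
# the original notes.

# make_baseline OUT FILE...: record fingerprints in OUT, created with mode 0600
make_baseline() {
    out=$1; shift
    ( umask 077; sha256sum "$@" > "$out" )
}

# check_baseline BASELINE
# exit 0 when every listed file still matches; 1 when a file changed or vanished
# (sha256sum prints the FAILED lines); 2 when the list itself is empty or missing.
check_baseline() {
    base=$1
    if [ ! -s "$base" ]; then
        echo "ALERT: fingerprint list $base is empty or missing" >&2
        return 2
    fi
    sha256sum --check --quiet "$base" && return 0   # --quiet: print only failures
    return 1
}

# ---- demonstration on constructed copies, not the real /etc files ----
WORK=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nbaoge:x:505:505::/home/baoge:/bin/bash\n' > "$WORK/passwd"
printf 'root:x:0:\nbaoge:x:505:\n' > "$WORK/group"

make_baseline "$WORK/zhiwen.log" "$WORK/passwd" "$WORK/group"
check_baseline "$WORK/zhiwen.log" && echo "1) fresh baseline: OK"

printf 'toor:x:0:0::/root:/bin/bash\n' >> "$WORK/passwd"      # a second UID 0 account appears
check_baseline "$WORK/zhiwen.log" || echo "2) after tampering: rc=$?"

: > "$WORK/zhiwen.log"                                         # the list itself is wiped
check_baseline "$WORK/zhiwen.log" || echo "3) wiped list: rc=$?"
```

In a cron job, anything other than rc=0 should page someone; rc=2 in particular means the check has been blinded, which md5sum on its own reports only as a parse error that is easy to ignore.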