158
159 5 8 PAM minlen dcredit ucredit lcredit ocredit 5 /etc/pam.d/passwd vi /etc/pam.d/passwd
password required /lib/security/pam_stack.so service=system-auth
passwd system-auth 3 PAM vi /etc/pam.d/system-auth system-auth
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
/etc/pam.d/passwd PAM pam_cracklib minlen
password required /lib/security/pam_cracklib.so retry=3 minlen=12
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
160 /etc/pam.d/passwd
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_cracklib.so retry=3 minlen=12
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
/etc/pam.d/system-auth
#%PAM-1.0
#.
# authconfig.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
credit minlen=12 1 minlen minlen cracklib http://www.us.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
161 minlen 14 gjtodgsdf1$ 1 1 gjtodgsdf1$ 1 1 1 1 $ 2 11 3 1 dcredit= ucredit lcredit ocredit 4 1 4 lcredit=0 9 10 credit 8 5
162 BIOS LILO shutdown reboot halt
[root@deep /]# rm -f /etc/security/console.apps/<servicename>
servicename xserver root X X xdm X root xserver
[root@deep /]# rm -f /etc/security/console.apps/halt
[root@deep /]# rm -f /etc/security/console.apps/poweroff
[root@deep /]# rm -f /etc/security/console.apps/reboot
[root@deep /]# rm -f /etc/security/console.apps/shutdown
[root@deep /]# rm -f /etc/security/console.apps/xserver
(xserver root X) halt, poweroff, reboot shutdown xserver X -
163 Linux-PAM /etc/pam.d/pam_console.so 1 root disabling.sh
#!/bin/sh
cd /etc/pam.d
for i in * ; do
sed '/[^#].*pam_console.so/s/^/#/' < $i > foo && mv foo $i
done
2
[root@deep /]# chmod 700 disabling.sh
[root@deep /]# ./disabling.sh
/etc/pam.d pam_console.so security
164 /etc/security/access.conf access.conf access.conf 1 vi /etc/security/access.conf access.conf
-:ALL EXCEPT root gmourani:all
root gmourani root gmourani IP 207.35.78.2 access.conf
-:ALL EXCEPT root gmourani:207.35.78.2
-:ALL:LOCAL
LOCAL root root 207.35.78.2 gmourani root 207.35.78.2
165 2 access.conf /etc/pam.d/login sshd vi /etc/pam.d/login login
account required /lib/security/pam_access.so
/etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_access.so
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
console.perms pam_console.so xdm X pam_console.so /etc/security/console.perms
166 floppy, cdrom, scanner 1 X console.perms GUI sound, jaz console.perms vi /etc/security/console.perms console.perms
# file classes --.
<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
<xconsole>=:[0-9]\.[0-9] :[0-9]
# device classes --.
<floppy>=/dev/fd[0-1]*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
 /dev/mixer* /dev/sequencer
<cdrom>=/dev/cdrom* /dev/cdwriter*
<pilot>=/dev/pilot
<jaz>=/dev/jaz
<zip>=/dev/zip
<scanner>=/dev/scanner
<fb>=/dev/fb /dev/fb[0-9]*
<kbd>=/dev/kbd
<joystick>=/dev/js*
<v4l>=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi*
<gpm>=/dev/gpmctl
<dri>=/dev/dri/* /dev/nvidia*
#
<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <sound> 0640 root.sys
167
<console> 0600 <cdrom> 0600 root.disk
<console> 0600 <pilot> 0660 root.tty
<console> 0600 <jaz> 0660 root.disk
<console> 0600 <zip> 0660 root.disk
<console> 0600 <scanner> 0600 root
<console> 0600 <fb> 0600 root
<console> 0600 <kbd> 0600 root
<console> 0600 <joystick> 0600 root
<console> 0600 <v4l> 0600 root
<console> 0700 <gpm> 0700 root
<xconsole> 0600 /dev/console 0600 root.root
<xconsole> 0600 <dri> 0600 root
# file classes --.
<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
# device classes -- these are shell-style globs
<floppy>=/dev/fd[0-1]*
<cdrom>=/dev/cdrom* /dev/cdwriter*
<pilot>=/dev/pilot
<fb>=/dev/fb /dev/fb[0-9]*
<kbd>=/dev/kbd
<gpm>=/dev/gpmctl
<dri>=/dev/dri/* /dev/nvidia*
#
<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <cdrom> 0600 root.disk
<console> 0600 <pilot> 0660 root.tty
<console> 0600 <fb> 0600 root
<console> 0600 <kbd> 0600 root
<console> 0700 <gpm> 0700 root
GUI sound, zip jaz
168 /etc/security limits.conf 1 vi /etc/security/limits.conf limits.conf
* hard core 0
* hard rss 5000
* hard nproc 20
root core 0 core nproc 20 20 rss 5000 5M root www SQL mysql users vi /etc/security/limits.conf limits.conf
169
@users hard core 0
@users hard rss 5000
@users hard nproc 35
@users GUI users 100 100 users users
[root@deep /]# useradd -g100 admin
-g 100 100 users admin users 2 /etc/pam.d/login
session required /lib/security/pam_limits.so
/etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_access.so
170
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
- PAM pam_time.so time.conf /etc/security time.conf time.conf vi /etc/security/time.conf time.conf
login ; tty* &!ttyp* ;!root!gmourani ;!Al0000-2400
root gmourani time.conf admin 8 6 vi /etc/security/time.conf time.conf
login ; * ;!admin ;!Wd0000-2400!Tu0800-1800
171 time.conf /etc/pam.d/login sshd vi /etc/pam.d/login login
account required /lib/security/pam_time.so
/etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_access.so
account required /lib/security/pam_time.so
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
su Substitute User su root root su root su /etc/pam.d su su root
172 1 vi /etc/pam.d/su su
auth required /lib/security/pam_wheel.so use_uid
/etc/pam.d/su
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
# wheel.
# auth sufficient /lib/security/pam_wheel.so trust use_uid
# wheel.
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
wheel su root wheel wheel TTY VC root 2 /etc/pam.d/su wheel su root admin wheel su root
[root@deep /]# usermod -G10 admin
G10 wheel admin wheel
173 su root su /etc/pam.d/su wheel wheel root root wheel su root root su vi /etc/pam.d/su
auth sufficient /lib/security/pam_wheel.so trust use_uid
/etc/pam.d/su
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
# wheel.
auth sufficient /lib/security/pam_wheel.so trust use_uid
# wheel.
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so