Contents
1. Account security
   1.1 System account cleaning
   1.2 Password security
2. User switching and privilege escalation
   2.1 su command
   2.2 sudo privileges
1. Account security
1.1 System account cleaning
Set the shell of accounts that never log in to /sbin/nologin
[root@localhost ~]# vim /etc/passwd   #Change the account's shell field to /sbin/nologin
Lock accounts that have not been used for a long time
passwd -l user    #lock
usermod -L user   #lock (equivalent)
passwd -u user    #unlock
usermod -U user   #unlock (equivalent)
Delete useless or long-term unused accounts
Lock account files passwd and shadow
[root@localhost ~]# chattr +i /etc/passwd /etc/shadow   #Lock the account files
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow   #Unlock the account files
[root@localhost ~]# lsattr /etc/passwd /etc/shadow      #View the file attributes
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@localhost ~]# useradd zs3   #While the account files are locked, accounts cannot be created or edited
useradd: Cannot open /etc/passwd
1.2 Password security
Password validity
[root@localhost ~]# vim /etc/login.defs   #Set the password expiry period for users created afterwards
PASS_MAX_DAYS Days                        #maximum password age in days
[root@localhost ~]# useradd zs2
[root@localhost ~]# chage -l zs2
Last password modification time : 8 October, 2021
Password expiration time : 9 September 9, 2021
Password expiration time : never
Account expiration time : never
Minimum number of days between password changes : 0
Maximum number of days between two password changes : 30
Password expiration warning : 5
[root@localhost ~]# chage -l zs1
Last password modification time : 8 August 8, 2021
Password expiration time : never
Password expiration time : never
Account expiration time : 8 October, 2021
Minimum number of days between password changes : 0
Maximum number of days between two password changes : 99999
Password expiration warning : 5
[root@localhost ~]# chage -M 30 zs1   #Set the password validity period for an existing user
[root@localhost ~]# chage -l zs1
Last password modification time : 8 August 8, 2021
Password expiration time : 9 September 9, 2021
Password expiration time : never
Account expiration time : 8 October, 2021
Minimum number of days between password changes : 0
Maximum number of days between two password changes : 30
Password expiration warning : 5
Require the user to change the password at the next login
[root@localhost ~]# chage -d 0 zs1            #Force a password change at the next login
[root@localhost ~]# chage -d 9999999999 zs1   #Cancel the forced password change at the next login
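The script below is an added example written for this page, not code from the original article: it reads passwd(5)- and shadow(5)-formatted files and flags the conditions that sections 1.1 and 1.2 harden against (accounts that can still log in interactively, unlocked accounts whose maximum password age is still the 99999 default, and accounts that chage -d 0 has marked for a forced change). The sample file contents and the function names are constructed for the example; pointing the functions at the real /etc/passwd and /etc/shadow (as root) audits a host.

```shell
#!/bin/sh
# Added example (not from the original article): offline audit helpers for
# passwd(5)/shadow(5) formatted files. Sample data is constructed.

# Constructed passwd sample: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
zs1:x:1001:1001::/home/zs1:/bin/bash
zs2:x:1002:1002::/home/zs2:/sbin/nologin
svc:x:1003:1003::/var/svc:/bin/false'

# Constructed shadow sample: name:hash:lastchg:min:max:warn:inactive:expire:
SAMPLE_SHADOW='root:$6$abc:18900:0:99999:7:::
zs1:$6$def:18900:0:30:5:::
zs2:!!:18900:0:99999:5:::
svc:*:18900:0:99999:7:::
zs3:$6$ghi:0:0:30:5:::'

# list_login_shells FILE: accounts that can still log in interactively
# (shell is neither /sbin/nologin, /usr/sbin/nologin nor /bin/false).
list_login_shells() {
  awk -F: '$7 !~ /nologin$/ && $7 != "/bin/false" { print $1 }' "$1"
}

# list_never_expire FILE: unlocked accounts (hash not empty, "!" or "*")
# whose max-days field is empty or 99999, so neither PASS_MAX_DAYS nor
# "chage -M" ever forces a password change.
list_never_expire() {
  awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 == "99999") { print $1 }' "$1"
}

# list_forced_change FILE: accounts whose last-change field is 0, i.e.
# "chage -d 0" requires a new password at the next login.
list_forced_change() {
  awk -F: '$3 == "0" { print $1 }' "$1"
}

# Stand-alone demo over the constructed samples.
pwf=$(mktemp); shf=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$pwf"
printf '%s\n' "$SAMPLE_SHADOW" > "$shf"
echo "Interactive shells:";        list_login_shells "$pwf"
echo "Password never expires:";    list_never_expire "$shf"
echo "Must change at next login:"; list_forced_change "$shf"
rm -f "$pwf" "$shf"
```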
2. User switching and privilege escalation
2.1 su command
Purpose: substitute user (switch to another account)
Format: su - user
Password verification
root - no need to verify password
Normal user - verify the target user password
2.2 sudo privileges
sudo command basic information
File location: /etc/sudoers
Purpose: execute authorized commands as another user (such as root)
Usage: sudo <authorized command>
Syntax format (one rule per line in /etc/sudoers):
user  hostname = command list
user  hostname = (run-as user) command list
[ly1@localhost root]$ useradd zs5   #Creating a user as an ordinary user fails
bash: /usr/sbin/useradd: insufficient privilege
[root@localhost ~]# visudo
zs1 localhost=/usr/sbin/useradd
[ly1@localhost root]$ sudo useradd zs5   #Creating the user through sudo succeeds
sudo [parameter options] Command
-l list the commands this user is allowed and forbidden to run on the host; after editing /etc/sudoers, use this option to check that the configuration is correct.
-v refresh the authentication timestamp. After a user enters their password for sudo, further sudo commands within a short period do not ask for the password again; -v extends that timestamp without running a command.
-u run the command as the specified user instead of root.
-k delete the timestamp, so the next sudo command asks the user for a password again.
Enable sudo operation log
Sudo records every authorized and rejected command so that administrators can review them. With a log file configured in /etc/sudoers, a user's sudo operations can be read from the /var/log/sudo file.
Another method is to read the /var/log/secure log, which also records each user's sudo commands.