1. Add a user
Create a new user named "wang"
[root@vdevops ~]# useradd wang    # create the account
[root@vdevops ~]# passwd wang     # set its password
Changing password for user wang.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@vdevops ~]# exit            # log out
Using "wang" as the example, make it the only account that can obtain administrator (root) privileges with su: add it to the wheel group and make pam_wheel mandatory for su.
[root@vdevops ~]# usermod -aG wheel wang    # -a appends to the supplementary groups; plain -G replaces them
[root@vdevops ~]# vim /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# uncomment the line below
auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
# Forward root's mail to the administrator account
[root@vdevops ~]# vim /etc/aliases
# Person who should get root's mail
# last line: uncomment it and change the user name
root: wang
# run newaliases afterwards so the aliases database is rebuilt and the change takes effect
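The edits above are easy to get wrong (a stray `#` left in front of the pam_wheel line, or the user never actually landing in wheel because `usermod -G` replaced the group list). Here is an added check, not part of the original post, that parses a PAM su file and a group file and reports whether su to root is actually restricted to wheel. It needs only POSIX sh, awk and grep; the sample files it writes into a temporary directory are constructed for the demonstration and are not real system files.

```shell
# Added example: audit the "only wheel can su" setup (not from the original post).
# check_su_wheel FILE -> exit 0 if FILE (normally /etc/pam.d/su) has an active
#   "auth required|requisite pam_wheel.so ..." line without the "trust" option.
check_su_wheel() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments and blank lines
        $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 == "pam_wheel.so" {
            trust = 0
            for (i = 4; i <= NF; i++) if ($i == "trust") trust = 1
            if (!trust) ok = 1                           # "trust" would waive the password, not enforce membership
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# wheel_members GROUPFILE -> members of "wheel" (normally from /etc/group), one per line
wheel_members() {
    awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# su_root_allowed_for USER GROUPFILE -> exit 0 if USER is listed in wheel
su_root_allowed_for() {
    wheel_members "$2" | grep -qx "$1"
}

# audit_su PAMFILE GROUPFILE -> one-line verdict; exit 0 only when su is wheel-restricted
audit_su() {
    if check_su_wheel "$1"; then
        printf 'su to root restricted to wheel; members: %s\n' "$(wheel_members "$2" | tr '\n' ' ')"
        return 0
    fi
    printf 'WARNING: pam_wheel is not mandatory in %s; anyone who knows the root password can su\n' "$1"
    return 1
}

# Constructed sample input (stand-ins for /etc/pam.d/su and /etc/group)
demo_dir=$(mktemp -d)
cat > "$demo_dir/su.hardened" <<'EOF'
#%PAM-1.0
auth sufficient pam_rootok.so
#auth sufficient pam_wheel.so trust use_uid
auth required pam_wheel.so use_uid
auth substack system-auth
EOF
cat > "$demo_dir/su.default" <<'EOF'
#%PAM-1.0
auth sufficient pam_rootok.so
#auth required pam_wheel.so use_uid
auth substack system-auth
EOF
printf 'root:x:0:\nwheel:x:10:wang\nusermgr:x:1001:wang\n' > "$demo_dir/group"

audit_su "$demo_dir/su.hardened" "$demo_dir/group"            # restricted; members: wang
audit_su "$demo_dir/su.default"  "$demo_dir/group" || true    # WARNING: pam_wheel is not mandatory
```

On a real host run `audit_su /etc/pam.d/su /etc/group` as any user; both files are world-readable. The check deliberately ignores the `trust` variant of pam_wheel, because that line lets wheel members su without a password rather than keeping non-members out.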
2. Configure the firewall and SELinux
[1] Firewall
Check the firewall's status
[root@vdevops ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago
Main PID: 744 (firewalld)
CGroup: /system.slice/firewalld.service
└─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Hint: Some lines were ellipsized, use -l to show in full.
3. Some SysV services remain. They are controlled by chkconfig, as shown below
[root@vdevops ~]# chkconfig --list
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[6] Update the system and add other repositories
[root@vdevops ~]# yum update -y
Add other repositories
Add some useful external repositories so that useful software can be installed from them.
1. Install the plugin that lets each installed repository be assigned a priority.
[root@vdevops ~]# yum -y install yum-plugin-priorities
# give the official repositories the highest priority [priority=1]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo
2. Add the EPEL repository provided by the Fedora Project
[root@vdevops ~]# yum -y install epel-release
# set its priority [priority=5]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo
# Setting enabled=0 controls whether the repository is used when installing packages
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo
# With [enabled=0], install packages from it with the following command
[root@vdevops ~]# yum --enablerepo=epel install [Package]
3. Add the CentOS SCLo Software Collections repository.
[root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl
# set the priority [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# set [enabled=0]
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# With [enabled=0], use the repository with the following commands
[root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package]
[root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]
4. Add Remi's RPM repository, which provides many useful packages
[root@vdevops ~]# yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
# set the priority [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/remi-safe.repo
Note that yum does not check the GPG signature of a package installed directly from a URL unless localpkg_gpgcheck=1 is set in yum.conf, so this step trusts the download as-is; downloading the release RPM first and inspecting it (rpm -K) before installing is the safer habit for third-party repositories.
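The one-line sed used in each step above, `s/\]$/\]\npriority=N/`, inserts a fresh `priority=` line under every section header each time it runs, so re-running a setup script leaves duplicate keys in the .repo file. The following is an added example, not part of the original post, of an idempotent replacement that sets any key in every section of a .repo file, replacing an existing value instead of adding a second one. It uses only POSIX sh and awk; the sample epel.repo it writes into a temporary directory is constructed for the demonstration.

```shell
# Added example (not from the original post): idempotent editing of yum .repo files.
# set_repo_option FILE KEY VALUE: in every [section] of FILE, drop any existing
# KEY= line and write KEY=VALUE directly under the section header.
set_repo_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        /^[[:space:]]*\[.*\][[:space:]]*$/ { print; print key "=" value; next }   # after every [section] header
        $0 ~ "^[[:space:]]*" key "[[:space:]]*=" { next }                          # remove any old KEY= line
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# repo_option FILE SECTION KEY -> print the value of KEY inside [SECTION] (empty if unset)
repo_option() {
    awk -F= -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($0 == sec) }
        insec && $1 == key { print $2; exit }
    ' "$1"
}

# Constructed stand-in for /etc/yum.repos.d/epel.repo (trimmed to the keys that matter)
demo_dir=$(mktemp -d)
demo_repo="$demo_dir/epel.repo"
cat > "$demo_repo" <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
enabled=1
gpgcheck=1

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
enabled=0
gpgcheck=1
EOF

set_repo_option "$demo_repo" priority 5
set_repo_option "$demo_repo" priority 5    # second run: still exactly one priority= line per section
set_repo_option "$demo_repo" enabled 0     # same tool replaces the page's enabled=1 -> enabled=0 sed
grep -c '^priority=' "$demo_repo"          # 2, one per section
repo_option "$demo_repo" epel enabled      # 0
```

On a real host run it as root against the actual file, e.g. `set_repo_option /etc/yum.repos.d/epel.repo priority 5`, then confirm with `yum repolist all` that the priorities plugin reports the expected values. Keys are matched per section, so `gpgcheck=1` and the other lines are left untouched.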
[7] Configure vim
1. Install vim
[root@vdevops ~]# yum -y install vim-enhanced
2. Set an alias
Set a command alias. (The setting below applies to all users; to apply it to a single user, put the same line in that user's "~/.bashrc".)
[root@dlp ~]# vi /etc/profile
# add the following line at the end
alias vi='vim'
[root@dlp ~]# source /etc/profile    # reload
or
echo "alias vi='vim'" >> /etc/profile && source /etc/profile
3. Configure vim: edit /etc/vimrc for settings that apply to all users, or ~/.vimrc for a single user.
This mainly covers syntax highlighting, plugins, automatic indentation and so on. The details are not covered here; a separate post on tuning vim will follow. As the saying goes, a craftsman who wants to do good work must first sharpen his tools.
[8] Configure sudo
Configure sudo to separate users' responsibilities. Even when several people share administrative privileges there is no need to install sudo manually: it is installed by default, even with a "Minimal Install".
1. Give a normal user all of root's privileges
[root@vdevops ~]# visudo
# add the following line so that user "wang" has all of root's privileges
wang ALL=(ALL) ALL
# run a root-only command as the normal user
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ /usr/bin/cat /etc/shadow
cat: /etc/shadow: Permission denied    # denied, as expected
[wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow
[sudo] password for wang:    # wang's own password
daemon:*:16231:0:99999:7:::
adm:*:16231:0:99999:7:::
lp:*:16231:0:99999:7:::
...
...    # after entering wang's password the command's output is shown
2. Prevent the user from running dangerous commands
[root@vdevops ~]# visudo
# line 49: define the command alias SHUTDOWN
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
# forbid user wang from running the commands in the SHUTDOWN alias
wang ALL=(ALL) ALL, !SHUTDOWN
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ sudo /sbin/shutdown -r now
Sorry, user wang is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com.    # denied, as expected
Note that this rule only blocks the listed paths. Because wang still has ALL, the exclusion is trivially bypassed: `sudo systemctl reboot`, `sudo sh -c /sbin/shutdown` or copying the binary to another name all still work, and sudoers(5) itself warns that subtracting commands from ALL with "!" is not an effective restriction. Treat "!SHUTDOWN" as a guard against accidents, not as a security boundary; to actually limit a user, grant an explicit list of commands as in step 3.
3. Create a special group whose members can run a subset of root commands
[root@vdevops ~]# visudo
# line 51: define the alias USERMGR for the user-management commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# add at the last line
%usermgr ALL=(ALL) USERMGR
[root@vdevops ~]# groupadd usermgr
[root@vdevops ~]# usermod -aG usermgr wang    # -a keeps wang's existing groups (wheel); plain -G would drop them
# make sure you are logged in as wang
[wang@vdevops ~]$ sudo /usr/sbin/useradd testuser
# enter wang's password; the user is created
[wang@vdevops ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Be aware that USERMGR is broader than it looks: `sudo passwd root`, or `sudo passwd` with no argument, changes root's password, and `sudo usermod -aG wheel wang` lets a member add themselves to wheel. If the group must not be able to escalate, restrict arguments in sudoers, e.g. `/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root` as shown in sudoers(5), and keep usermod out of the alias or constrain it the same way.
4. Configure sudo logging
sudo's log goes to /var/log/secure, which mixes in many other kinds of messages. To keep only sudo's log in its own file, configure the following:
[root@vdevops ~]# visudo
# add at the last line
Defaults syslog=local1
[root@vdevops ~]# vi /etc/rsyslog.conf
# line 54: add local1.none so that sudo messages are no longer duplicated in /var/log/messages
*.info;mail.none;authpriv.none;cron.none;local1.none    /var/log/messages
# add the following line
local1.*    /var/log/sudo.log
[root@vdevops ~]# systemctl restart rsyslog    # restart rsyslog
Unlike /var/log/secure, the new file is created with rsyslog's default file mode (0644 unless $FileCreateMode is set), so tighten it to 0600 if the commands your administrators run must not be readable by every local user.
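Once sudo writes to local1 and /var/log/sudo.log, that file is where refused and failed sudo attempts show up. The following is an added example, not part of the original post, of the kind of check a responder would run over it: it parses each sudo line into user, command and outcome and reports the refusals. The log lines are constructed for the demonstration in the format sudo emits to syslog (a successful run logs TTY/PWD/USER/COMMAND; a refusal inserts a reason such as "command not allowed" in front of them); the host name vdevops and the users wang and testuser are taken from the page.

```shell
# Added example (not from the original post): summarise /var/log/sudo.log.
# sudo logs one line per invocation, e.g.
#   Oct 26 01:12:03 vdevops sudo:    wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
# and a refusal carries a reason before the TTY field, e.g. "command not allowed".

# sudo_events FILE -> one "STATUS USER COMMAND" line per sudo invocation; STATUS is ok or denied
sudo_events() {
    awk '
        / sudo: +[^ ]+ : .*COMMAND=/ {                  # skips pam_unix session lines
            line = $0
            sub(/.* sudo: +/, "", line)                  # "wang : TTY=... ; COMMAND=..."
            user = line; sub(/ : .*/, "", user)
            cmd = line; sub(/.*COMMAND=/, "", cmd)
            status = (line ~ /: (command not allowed|user NOT in sudoers|[0-9]+ incorrect password attempts) ;/) ? "denied" : "ok"
            print status, user, cmd
        }
    ' "$1"
}

# sudo_denied FILE -> only the refused or failed invocations
sudo_denied() { sudo_events "$1" | grep '^denied ' || true; }

# sudo_denied_count FILE -> number of refused or failed invocations
sudo_denied_count() { sudo_events "$1" | grep -c '^denied ' || true; }

# sudo_commands USER FILE -> commands USER actually ran through sudo, one per line
sudo_commands() {
    sudo_events "$2" | awk -v u="$1" '$1 == "ok" && $2 == u { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# Constructed sample of /var/log/sudo.log
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Oct 26 01:12:03 vdevops sudo:    wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Oct 26 01:12:03 vdevops sudo: pam_unix(sudo:session): session opened for user root by wang(uid=0)
Oct 26 01:13:10 vdevops sudo:    wang : command not allowed ; TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/sbin/shutdown -r now
Oct 26 01:15:42 vdevops sudo:    wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/sbin/useradd testuser
Oct 26 01:20:07 vdevops sudo: testuser : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/bash
Oct 26 01:25:30 vdevops sudo: testuser : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/usr/bin/id
EOF

sudo_denied "$demo_log"            # three denied lines: shutdown by wang, bash and id by testuser
sudo_denied_count "$demo_log"      # 3
sudo_commands wang "$demo_log"     # the two commands wang ran successfully
```

Pointed at the real file (`sudo_denied /var/log/sudo.log`, as root), the same functions give a quick list of who tried what and was refused, which is exactly the signal that gets lost when sudo shares /var/log/secure with every other authpriv message.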