Audit Check List
CentOS 6/7: join the host to the Active Directory domain (BUYABS.CORP)
Preparation (steps 1-4)
================
1. Configure the network interface
Example ifcfg file (replace HWADDR, UUID, IPADDR, NETMASK and GATEWAY with the values for this host):
[root@root ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0C:29:FA:8D:58
TYPE=Ethernet
UUID=242e17f4-f4bf-4647-9b46-4a1df083dc8a
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=10.16.32.104
NETMASK=255.255.255.192
GATEWAY=10.16.32.65
DNS1=10.16.42.7
2. Configure DNS
Run the following (the first command overwrites /etc/resolv.conf, the other two append to it):
[root@root ~]# echo "nameserver 10.16.42.7" > /etc/resolv.conf
[root@root ~]# echo "nameserver 10.16.98.7" >> /etc/resolv.conf
[root@root ~]# echo "search buyabs.corp" >> /etc/resolv.conf
Note: the ifcfg file above has NM_CONTROLLED=yes, so NetworkManager may rewrite /etc/resolv.conf from the DNS1/DNS2 entries on the next restart; keep both nameservers in the ifcfg file (or set PEERDNS=no) so the edit persists. The nameservers must be the ones that serve the AD SRV records: once bind-utils is installed (step 5), confirm with `host -t SRV _ldap._tcp.buyabs.corp` — if that does not return a domain controller, `net ads join` (step 7) will fail.
3. Configure /etc/hosts
Add a line of the form:
127.0.0.1 $host_name.buyabs.corp $host_name
where $host_name is the server name as printed by `hostname`. Set the hostname before joining (`hostnamectl set-hostname <name>` on CentOS 7, HOSTNAME= in /etc/sysconfig/network on CentOS 6): the join registers this name as the computer account, and its NetBIOS form is limited to 15 characters. Caveat: this checklist maps the FQDN to 127.0.0.1, whereas Samba's own guidance is to resolve the FQDN to the host's real address (10.16.32.104 in the example above) — verify which form works with your Samba version before rolling it out. Example:
[root@root ~]# hostname
root
[root@root ~]# cat /etc/hosts
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 root.buyabs.corp root
4. Time synchronization
[root@root ~]# ntpdate 10.16.42.7
Kerberos rejects tickets when the clock skew exceeds the default of about 5 minutes, so run this before step 7 and keep the host synchronized afterwards: ntpdate is a one-shot correction, so also enable ntpd (CentOS 6) or chronyd (CentOS 7) against the same server.
================
Join the domain (steps 5-8)
================
5. Install packages
[root@root ~]# yum install bind-utils nscd samba-common pam_krb5 'samba-winbind*'
(Quote the glob so the shell does not expand it against files in the current directory; samba-winbind-clients, which provides the wbinfo command used below, is matched by it. As far as we can tell, --disablecache in step 6 turns the nscd cache off, so nscd is installed here but not used — drop one or the other if that is not intended.)
6. Run authconfig
[root@root ~]# authconfig --enablewinbind --enablewinbindauth --disablecache \
    --smbsecurity=ads --smbworkgroup=ABS_CORP --smbrealm=BUYABS.CORP \
    --smbidmapuid=1000-10000 --smbidmapgid=1000-10000 \
    --winbindtemplatehomedir=/home/%D/%U --winbindtemplateshell=/bin/bash \
    --enablewinbindusedefaultdomain --enablewinbindoffline \
    --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall
Notes on the options:
- --smbidmapuid/--smbidmapgid=1000-10000 overlaps the ID range used for local accounts (UID_MIN is 1000 on CentOS 7 and 500 on CentOS 6), so a domain user can be handed the same numeric UID/GID as a local user and inherit its file ownership. Use a range above any local account (e.g. 10000-99999) and keep it identical on every server.
- With the default tdb idmap backend, IDs are allocated first-come on each host, so the same domain user gets different UIDs on different servers; if IDs must agree across hosts (NFS, shared storage), switch to the rid backend in /etc/samba/smb.conf after authconfig has written it.
- --enablewinbindoffline keeps cached credential material on the host so users can log in while the DC is unreachable; on servers that are always on the corporate network this is rarely needed and is extra material for an attacker with root to harvest — leave it out unless offline logon is a requirement.
- --enablewinbindusedefaultdomain drops the DOMAIN\ prefix, which is why the group names used in the pam_winbind and sudoers steps below carry no prefix.
7. Join the domain
[root@root ~]# net ads join -U February   # February = an account allowed to join computers to the domain
The command prompts for the password; do not put it on the command line (-U user%password), since it would land in the shell history and be visible in `ps` while the join runs. Prefer a dedicated join account that only has the right to create/join computer objects rather than a domain admin. Verify the join and the machine trust secret with `net ads testjoin`.
8. Restart the winbind service
[root@root ~]# /etc/init.d/winbind restart            # CentOS 6 (and `chkconfig winbind on` so it starts at boot)
[root@root ~]# systemctl restart winbind.service       # CentOS 7 (and `systemctl enable winbind.service`)
Note: do not treat the host as ready for domain logins until the require_membership_of SID restriction described below is in place — until then every domain account that winbind resolves can log in.
Notes:
1. Show domain information:
net ads info
2. Verify the join succeeded (`net ads testjoin` and `wbinfo -t` check the machine account and trust secret; `id <domain user>` then confirms that winbind resolves users and groups):
[root@localhost yum.repos.d]# id cy79
uid=1002(cy79) gid=1000(zabbix) groups=1000(zabbix),1001(_ gp all it cnsh),1002(_ gp all employees cnsh),1003(_ gp team it cn),1004(_ gp all employees cn),1005(_ gp helpdesk it cnsh),1006($duplicate-7294),1007($duplicate-6ef3),1008($duplicate-62e6),1009($duplicate-7db2),1010($duplicate-a546),1011($duplicate-9431),1012($duplicate-7286),1013($duplicate-5e3d),1014($duplicate-9b2a),1015($duplicate-6e97),1016($duplicate-7af0),1017($duplicate-7d8d),1018($duplicate-6ef0),1019($duplicate-6508),1020($duplicate-62f2),1021($duplicate-6eeb),1022($duplicate-a389),1023($duplicate-7b30),1024($duplicate-7289),1025($duplicate-6efa),1026($duplicate-ad7e),1027($duplicate-64fc),1028($duplicate-6503),1029($duplicate-62ea),1030($duplicate-630b),1031($duplicate-6b37),1032($duplicate-709f),1033($duplicate-729b),1034($duplicate-70a0),1035($duplicate-5e49),1036($duplicate-7a74),1037($duplicate-64f6),1038($duplicate-7094),1039($duplicate-68ca),1040($duplicate-62ef),1041($duplicate-5ece),1042($duplicate-7091),1043($duplicate-6516),1044($duplicate-630e),1045(rtcuniversaluseradmins),1046(xxx webmaster),1047(csuseradministrator),1048(_ gp all employees us),1049(_ gp team it us desktopsupport),1050(rtcuniversalglobalreadonlygroup),1051(alerts-backups),1052(_ gp all employees cnsh),1053(rtcuniversaluserreadonlygroup),1054(rtcuniversalreadonlyadmins),1055(allowed wifi ne-test users),1057(_ gp all it cnsh),1058(xxx mkt),1059(_ gp team it cn),1060(_ gp all employees cn),1062(sms operators (us)),1063(_ gp all it),1064(rtcuniversalserverreadonlygroup),1065(team-backup admins),1066(webvpn.cn.g2),1067(_ gp helpdesk it cnsh),1068(_ gp team mis nesc cncd eims exception),1069(_ gp noc cnsh)
3. Log to check when a domain login fails (and the command):
[root@VSZABBIX01 ~]# tail -f /var/log/secure
(on CentOS 7 `journalctl -u winbind` shows the winbind side)
4. Configuration files involved:
Note on the krb5.conf listing below: the EXAMPLE.COM realm and its [domain_realm] entries are the stock placeholders from the package and can be removed; more importantly, the BUYABS.CORP realm block is empty while dns_lookup_kdc = false, so the Kerberos library (kinit, pam_krb5) has no way to locate a KDC — either set `dns_lookup_kdc = true` (the DCs are then found through the _kerberos._tcp SRV records) or add `kdc =` / `admin_server =` lines for the domain controllers inside the BUYABS.CORP block.
[root@VSZABBIX01 ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = BUYABS.CORP
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
BUYABS.CORP = {
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
buyabs.corp = BUYABS.CORP
.buyabs.corp = BUYABS.CORP
Disable direct root login over SSH (administrators log in with their domain account and use sudo):
[root@root ~]# vim /etc/ssh/sshd_config
PermitRootLogin no
[root@root ~]# sshd -t && service sshd restart    # CentOS 7: systemctl restart sshd
Keep the current SSH session open until a fresh login with a domain account succeeds. Optionally add `AllowGroups` with the admin group used in require_membership_of below, so sshd enforces the same restriction as pam_winbind.
Adding the SID restricts interactive logins to members of the listed domain group(s); without it pam_winbind accepts any domain account.
1. Add the group SID to /etc/security/pam_winbind.conf:
require_membership_of = $sid
For example, the shipped file contains (';' is the comment character in this file):
;require_membership_of =
and the modified line is:
require_membership_of = S-1-5-21-1017008757-1827167444-311576647-32715
(remove the leading ';' and put the SID after '='; separate multiple SIDs with commas). Use group SIDs rather than user SIDs so that access is managed through AD group membership, and verify by logging in with a member and a non-member account.
Look up a user's SID:
[root@root ~]# wbinfo -n bruce
S-1-5-21-1017008757-1827167444-311576647-96630 SID_USER (1)
Look up a group's SID (quote the name, since the AD group names here contain spaces):
[root@root ~]# wbinfo -n '_ gp xxx cnsh'
S-1-5-21-1017008757-1827167444-311576647-32715 SID_DOM_GROUP (2)
2. Grant sudo access
The original step, `echo "%domain\ users ALL=(ALL) ALL" >> /etc/sudoers`, gives every member of "domain users" — i.e. every account in the domain — unrestricted root through sudo, and appends to /etc/sudoers without a syntax check (one malformed line disables sudo for everyone). Scope the rule to the same admin group whose SID was put in require_membership_of, write it as a drop-in, and validate it with visudo:
[root@root ~]# cat > /etc/sudoers.d/domain-admins <<'EOF'
%_\ gp\ xxx\ cnsh ALL=(ALL) ALL
EOF
[root@root ~]# chmod 0440 /etc/sudoers.d/domain-admins
[root@root ~]# visudo -cf /etc/sudoers.d/domain-admins
(Spaces in the group name are escaped with a backslash in sudoers; /etc/sudoers on CentOS 6/7 already contains `#includedir /etc/sudoers.d`. If the policy really is full sudo for all domain users, keep `%domain\ users` as the group but still use the drop-in and the visudo check.)
Change iptables
Allow only the TCP/UDP ports the server needs, e.g. 22 (SSH), 161/udp (SNMP) and 1311/tcp, and restrict the monitoring/management ports to the source networks that actually use them.
1. CentOS 6
vi /etc/sysconfig/iptables and add the rules above the final REJECT line:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1311 -j ACCEPT
(add `-s <monitoring-net>/<prefix>` to the 161 and 1311 rules to limit them to the management hosts.) Then run `service iptables restart`.
2. CentOS 7
Open the ports with firewall-cmd. The --add-service=http / --add-port=80/tcp lines are generic examples — only add them if the server actually serves HTTP, and use the zone the interface belongs to:
firewall-cmd --zone=<zone> --add-service=http --permanent
firewall-cmd --zone=<zone> --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=161/udp --permanent
firewall-cmd --zone=public --add-port=1311/tcp --permanent
Reload the firewall for the changes to take effect:
firewall-cmd --reload
(SSH is already allowed in the public zone by default. To limit 161/udp and 1311/tcp to the monitoring hosts, use a rich rule instead of opening the port to everyone, e.g. `firewall-cmd --zone=public --permanent --add-rich-rule='rule family=ipv4 source address=<monitoring-net>/<prefix> port port=161 protocol=udp accept'`.)
Change the YUM update source to ssrpm02
[root@root ~]# cd /etc/yum.repos.d/
Move the existing repo files out of yum.repos.d (keep them as a backup), then copy the repo definition from the documents into /etc/yum.repos.d/ and name it Centos-Base.repo. Keep gpgcheck=1 in the new file and import the signing key used by ssrpm02, so packages from the internal mirror are still verified.

