[root@vdevops ~]# useradd wang #添加賬戶[root@vdevops ~]# passwd wang #設置密碼Changing password for user wang.New password: Retype new password: passwd: all authentication tokens updated successfully.[root@vdevops ~]# exit #退出以用戶"wang"為例，設置其為唯一擁有管理員權限的賬戶[root@vdevops ~]# usermod -G wheel wang[root@vdevops ~]# vim /etc/pam.d/su[html] view plain copy print?#%PAM-1.0 auth sufficient pam_rootok.so # Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the "wheel" group. # 取消下面一行的注釋 auth required pam_wheel.so use_uid auth substack system-auth auth include postlogin account sufficient pam_succeed_if.so uid = 0 use_uid quiet account include system-auth password include system-auth session include system-auth session include postlogin session optional pam_xauth.so 設置root賬戶的郵件轉發# Person who should get root's mail# 最后一行，取消注釋，改變用戶名稱root: wang

[root@vdevops ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago Main PID: 744 (firewalld) CGroup: /system.slice/firewalld.service └─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon... Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon. 

[root@vdevops ~]# systemctl start firewalld #啟動防火墻 [root@vdevops ~]# systemctl enable firewalld #設置防火墻開機自啟 

#顯示默認區域 [root@vdevops ~]# firewall-cmd --get-default-zone public #顯示當前設置 [root@vdevops ~]# firewall-cmd --list-all public (default, active) interfaces: eno16777736 sources: services: dhcpv6-client ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules: #顯示全部區域 [root@vdevops ~]# firewall-cmd --list-all-zones block interfaces: sources: services: ports: masquerade: no forward-ports: icmp-blocks: rich rules: dmz interfaces: sources: services: ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules: ... #顯示特定區域允許的服務 [root@vdevops ~]# firewall-cmd --list-service --zone=external ssh #改變默認區域 [root@vdevops ~]# firewall-cmd --set-default-zone=external success #改變制定區域的接口 [root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external success #顯示制定區域的狀態 [root@vdevops ~]# firewall-cmd --list-all --zone=external external (default, active) interfaces: eno16777736 eth1 sources: services: ssh ports: masquerade: yes forward-ports: icmp-blocks: rich rules: #注：改變制定區域的接口，前提是次接口在當前系統是存在的

[root@vdevops ~]# firewall-cmd --get-services RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https #定義文件路徑如下，如果需要添加新的定義文件，在下面目錄添加相應的XML文件 [root@vdevops ~]# ls /usr/lib/firewalld/services amanda-client.xml freeipa-ldap.xml ipp.xml libvirt.xml pmcd.xml RH-Satellite-6.xml tftp-client.xml bacula-client.xml freeipa-replication.xml ipsec.xml mdns.xml pmproxy.xml rpc-bind.xml tftp.xml bacula.xml ftp.xml iscsi-target.xml mountd.xml pmwebapis.xml rsyncd.xml transmission-client.xml dhcpv6-client.xml high-availability.xml kerberos.xml ms-wbt.xml pmwebapi.xml samba-client.xml vdsm.xml dhcpv6.xml https.xml kpasswd.xml mysql.xml pop3s.xml samba.xml vnc-server.xml dhcp.xml http.xml ldaps.xml nfs.xml postgresql.xml smtp.xml wbem-https.xml dns.xml imaps.xml ldap.xml ntp.xml proxy-dhcp.xml ssh.xml freeipa-ldaps.xml ipp-client.xml libvirt-tls.xml openvpn.xml radius.xml telnet.xml

#以添加http服務為例 [root@vdevops ~]# firewall-cmd --add-service=http success [root@vdevops ~]# firewall-cmd --list-service http ssh #移除添加的http <pre name="code" class="html">[root@vdevops ~]# firewall-cmd --remove-service=http success [root@vdevops ~]# firewall-cmd --list-service ssh #添加http服務，永久生效 [root@vdevops ~]# firewall-cmd --add-service=http --permanentsuccess[root@vdevops ~]# firewall-cmd --reloadsuccess[root@vdevops ~]# firewall-cmd --list-servicehttp ssh

[root@vdevops ~]# firewall-cmd --add-port=465/tcp #添加端口 success [root@vdevops ~]# firewall-cmd --list-port 465/tcp [root@vdevops ~]# firewall-cmd --remove-port=465/tcp #移除端口 success [root@vdevops ~]# firewall-cmd --list-port [root@vdevops ~]# firewall-cmd --add-port=465/tcp --permanent #添加端口，永久生效 success [root@vdevops ~]# firewall-cmd --reload success [root@vdevops ~]# firewall-cmd --list-port 465/tcp

[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request #添加禁止回應請求 success [root@dlp ~]# firewall-cmd --list-icmp-blocks echo-request [root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request #移除添加的參數 success [root@dlp ~]# firewall-cmd --list-icmp-blocks [root@dlp ~]# firewall-cmd --get-icmptypes #顯示ICMP支持的功能 destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded

[root@vdevops ~]# systemctl stop firewalld #停止防火墻服務 [root@vdevops ~]# systemctl disable firewalld #禁止防火墻開機自啟 Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service. 3、SELinux[html] view plain copy print?[root@vdevops ~]# getenforce #查看SELINUX工作模式 Enforcing [root@vdevops ~]# sed -i 's/SELINUX=Enforcing/SELINUX=disabled/' /etc/selinux/config #禁用SELINUX [root@vdevops ~]# setenforce 0 #臨時禁用SELINUX，無需重啟

[root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24 #設置靜態IP [root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1 #設置網關 [root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1 #設置DNS [root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual #設置ipv4的類型為靜態 [root@vdevops ~]# nmcli c down eno16777736;nmcli c up eno16777736 #重啟網絡接口 Connection 'eno16777736' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/0) Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1) [root@vdevops ~]# nmcli d show eno16777736 #查看網絡接口狀態 GENERAL.DEVICE: eno16777736 GENERAL.TYPE: ethernet GENERAL.HWADDR: 00:0C:29:B6:F5:5E GENERAL.MTU: 1500 GENERAL.STATE: 100 (connected) GENERAL.CONNECTION: eno16777736 GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1 WIRED-PROPERTIES.CARRIER: on IP4.ADDRESS[1]: 10.1.1.56/24 IP4.GATEWAY: 10.1.1.1 IP4.DNS[1]: 10.1.1.1 IP6.ADDRESS[1]: fe80::20c:29ff:feb6:f55e/64 IP6.GATEWAY: [root@vdevops ~]# ip addr show #查看IP狀態 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:feb6:f55e/64 scope link valid_lft forever preferred_lft forever 

[root@vdevops ~]# vim /etc/default/grub #第六行，添加 GRUB_CMDLINE_LINUX="crashkernel=auto <span style="color:#FF0000;">ipv6.disable=1</span> rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet" [root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg Generating grub configuration file ... Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64 Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64 Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94 Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img done [root@vdevops ~]# reboot #重啟系統

[root@vdevops ~]# vim /etc/default/grub #第六行添加 GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 <span style="color:#FF0000;">net.ifnames=0</span> rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet [root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg Generating grub configuration file ... Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64 Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64 Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94 Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img done

# 顯示正在運行的服務 [root@vdevops ~]# systemctl -t service UNIT LOAD ACTIVE SUB DESCRIPTION auditd.service loaded active running Security Auditing Service avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack crond.service loaded active running Command Scheduler dbus.service loaded active running D-Bus System Message Bus getty@tty1.service loaded active running Getty on tty1 ... ... ... systemd-udevd.service loaded active running udev Kernel Device Manager systemd-update-utmp.service loaded active exited Update UTMP about System Reboot/Shutdown systemd-user-sessions.service loaded active exited Permit User Sessions systemd-vconsole-setup.service loaded active exited Setup Virtual Console tuned.service loaded active running Dynamic System Tuning Daemon LOAD = Reflects whether the unit definition was properly loaded. ACTIVE = The high-level unit activation state, i.e. generalization of SUB. SUB = The low-level unit activation state, values depend on unit type. 39 loaded units listed. Pass --all to see loaded but inactive units, too. To show all installed unit files use 'systemctl list-unit-files'. # 顯示所有服務 [root@vdevops ~]# systemctl list-unit-files -t service UNIT FILE STATE auditd.service enabled autovt@.service disabled avahi-daemon.service enabled blk-availability.service disabled brandbot.service static ... ... ... systemd-user-sessions.service static systemd-vconsole-setup.service static teamd@.service static tuned.service enabled wpa_supplicant.service disabled 125 unit files listed.

[root@vdevops ~]# systemctl stop postfix #停止服務 [root@vdevops ~]# systemctl disable postfix Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service. [root@vdevops ~]# systemctl start postfix [root@vdevops ~]# systemctl enable postfix Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service. [root@vdevops ~]# systemctl status postfix ● postfix.service - Postfix Mail Transport Agent Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2016-10-26 18:40:35 CST; 15s ago Main PID: 10071 (master) CGroup: /system.slice/postfix.service ├─10071 /usr/libexec/postfix/master -w ├─10072 pickup -l -t unix -u └─10073 qmgr -l -t unix -u Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol Oct 26 18:40:35 vdevops.com postfix[9999]: postsuper: warning: inet_protocols: disabling IPv6 name/address support: Address family no...rotocol Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol Oct 26 18:40:35 vdevops.com postfix/master[10071]: daemon started -- version 2.10.1, configuration /etc/postfix Oct 26 18:40:35 vdevops.com systemd[1]: Started Postfix Mail Transport Agent. Oct 26 18:40:35 vdevops.com postfix/qmgr[10073]: warning: inet_protocols: disabling IPv6 name/address support: Address family not sup...rotocol Oct 26 18:40:35 vdevops.com postfix/pickup[10072]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol Hint: Some lines were ellipsized, use -l to show in full.

[root@vdevops ~]# chkconfig --list Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration. If you want to list systemd services use 'systemctl list-unit-files'. To see services enabled on particular target use 'systemctl list-dependencies [target]'. netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off network 0:off 1:off 2:on 3:on 4:on 5:on 6:off

yum update -y

[root@vdevops ~]# yum -y install yum-plugin-priorities # 設置官方源的優先級為[priority=1] [root@vdevops ~]# sed -i -e "s//]$//]/npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo

[root@vdevops ~]# yum -y install epel-release # 設置優先級[priority=5] [root@vdevops ~]# sed -i -e "s//]$//]/npriority=5/g" /etc/yum.repos.d/epel.repo # 可以通過設置enabled=0，來控制安裝軟件包時使用相應的源 [root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo # 如果[enabled=0], 使用下面命令安裝軟件包 [root@vdevops ~]# yum --enablerepo=epel install [Package]

[root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl # 設置優先級[priority=10] [root@vdevops ~]# sed -i -e "s//]$//]/npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo [root@vdevops ~]# sed -i -e "s//]$//]/npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo # 設置 [enabled=0] [root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo [root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo # 設置[enabled=0], 通過下面命令使用相應源 [root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package] [root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]

[root@vdevops ~]# yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm # 設置優先級 [priority=10] [root@vdevops ~]# sed -i -e "s//]$//]/npriority=10/g" /etc/yum.repos.d/remi-safe.repo

[root@vdevops ~]# yum -y install vim-enhanced

[root@dlp ~]# vi /etc/profile # 在最后添加下面一行內容 alias vi='vim' [root@dlp ~]# source /etc/profile #重載

[root@vdevops ~]# visudo # 添加下面一行，使用戶“wang”擁有root的所有權限 wang ALL=(ALL) ALL # 普通用戶使用root命令 # 確保用戶為 'wang' [wang@vdevops ~]$ /usr/bin/cat /etc/shadow cat: /etc/shadow: Permission denied# denied normally [wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow [sudo] password for cent:# own password daemon:*:16231:0:99999:7::: adm:*:16231:0:99999:7::: lp:*:16231:0:99999:7::: ... ... # 輸入wang的密碼可以看到執行結果

[root@vdevops ~]# visudo # 49行: 定義別名SHUTDOWN Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init # 設置用戶wang不能執行別名SHUTDOWN對應的命令 wang ALL=(ALL) ALL, !SHUTDOWN # 確保用戶為'wang' [wang@vdevops ~]$ sudo /sbin/shutdown -r now Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com. # denied normally

[root@vdevops ~]# visudo # 51行: 為管理用戶的幾個命令設置別名為USERMGR Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd # 最后一行添加 %usermgr ALL=(ALL) USERMGR [root@vdevops ~]# groupadd usermgr [root@vdevops ~]# usermod -G usermgr wang # 確保用戶為wang [wang@vdevops ~]$ sudo /usr/sbin/useradd testuser #輸入用戶wang的密碼，查看創建結果，顯示成功 [wang@vdevops ~]$ sudo /usr/bin/passwd testuser Changing password for user testuser. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully.

[root@vdevops ~]# visudo # 最后一行添加 Defaults syslog=local1 [root@vdevops ~]# vi /etc/rsyslog.conf # 在54行修改，添加<span style="color:#FF6666;">local1.none</span> *.info;mail.none;authpriv.none;cron.none;<span style="color:#FF6666;">local1.none</span> /var/log/messages # 添加下面一行內容 local1.* /var/log/sudo.log [root@vdevops ~]# systemctl restart rsyslog #重啟rsyslog服務