最近因为一次容器内的 reboot操作差点引发了一场生产事故,所以对容器的基础镜像做了一些安全加固操作
功能:
-
非root用户禁止重启/关机,即不能执行以下命令: reboot/halt/poweroff/shutdown init 0/1/2/3/4/5/6/s/S/q/Q/u/U systemctl [-f] reboot/halt/shutdown/poweroff/rescue
-
非root用户禁止用sudo执行上述重启/关机命令,即不能执行 sudo XXX;
sudo su/sudo su -/sudo su - root/sudo -i/sudo -s
- 非root用户禁止修改密码,即禁止执行: passwd/sudo passwd
sudo su - xxx/yyy(某些事先定义好的用户)
'# cd /usr/sbin' '# rm -f reboot halt shutdown poweroff (init不能删)' '# cd /usr/lib/systemd/system/' '# rm -f systemd-reboot.service systemd-shutdownd.service systemd-halt.service systemd-poweroff.service' '# cd /usr/share/polkit-1/actions' '# rm -f org.freedesktop.login1.policy'
'# chmod o-x /usr/lib/systemd/systemd' '# chmod o-x /bin/systemctl' '# chmod o-x /bin/passwd'
'# visudo' '修改:
%wheel ALL=(ALL) NOPASSWD: ALL,!/bin/bash, !/bin/passwd, !/bin/su, !/bin/su -, !/bin/su - root, /bin/su - atlas, /bin/su - dolphinscheduler, /bin/su - druid, /bin/su - elasticsearch, /bin/su - flume, /bin/su - hbase, /bin/su - hdfs, /bin/su - hive, /bin/su - kafka, /bin/su - kibana, /bin/su - kylin, /bin/su - mysql, /bin/su - spark, /bin/su - sqoop, /bin/su - trino, /bin/su - turnilo, /bin/su - yarn, /bin/su - zeppelin, /bin/su - zookeeper, !/usr/sbin/init, !/bin/systemctl -f reboot, !/bin/systemctl -f halt, !/bin/systemctl -f shutdown, !/bin/systemctl -f poweroff, !/bin/systemctl -f rescue, !/bin/systemctl reboot, !/bin/systemctl halt, !/bin/systemctl shutdown, !/bin/systemctl poweroff, !/bin/systemctl rescue'
注:部分原有操作指令需要修改
sudo su - root -c 'cd /hadoop-3.2.1/bin/;hdfs namenode -format'
需要改成:
sudo -E /hadoop-3.2.1/bin/hdfs namenode -format
sudo su - mysql -c '/mysql-8.0.26/bin/mysqld_safe --user=mysql &'
(注:这里有一些争论,-E不能完全替代 su - root, 环境变量并不相同)
需要改成两句:
sudo su - mysql
/mysql-8.0.26/bin/mysqld_safe --user=mysql &