CN110677404A - User access control method for Linux host - Google Patents


Info

Publication number
CN110677404A
Authority
CN
China
Prior art keywords
user
linux
host
agent program
node agent
Prior art date
Legal status
Granted
Application number
CN201910909244.4A
Other languages
Chinese (zh)
Other versions
CN110677404B (en)
Inventor
向上文
李秀生
毛航
王洪华
雷涛
田勇
Current Assignee
Sichuan XW Bank Co Ltd
Original Assignee
Sichuan XW Bank Co Ltd
Priority date
Filing date
Publication date
Application filed by Sichuan XW Bank Co Ltd
Priority to CN201910909244.4A
Publication of CN110677404A
Application granted
Publication of CN110677404B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method for controlling user access to a Linux host, comprising the following steps. Step A: deploy an access control centralized management system, deploy a node agent program on the target host, and obtain, through the node agent program, all user names that are allowed to log in to the target host. Step B (first initialization): through the node agent program, modify the underlying configuration files of the Linux system so that every user name on every target host is forbidden to log in from anywhere. Step C (second initialization): according to the role attributes of each user name, modify the underlying configuration files through the node agent program to selectively open that user name's login address and/or network interaction address. By initializing twice and modifying the operating system's underlying configuration files, the invention achieves user-level access control for both local users and network users, so that the access rights of Linux host users are minimized and finer-grained security management and control are obtained.

Description

User access control method for Linux host
Technical Field
The invention relates to a method for controlling computer users' access to hosts, and in particular to a method for controlling user access to a Linux host.
Background
At present, login to and access of Linux hosts are generally controlled through a security audit system together with network-layer access control. Both techniques can be bypassed.
With access control based on a security audit system, the control only limits which Linux hosts a user may access and operate locally through the audit system; it cannot limit network access between hosts. A user can therefore log in from one Linux host to an adjacent host over the network, bypassing the access restriction set by the security audit system.
Network-layer access control can restrict access between Linux hosts, but it cannot restrict which specific Linux host users may log in; its control precision does not reach the user level.
Both current login/access control modes therefore have obvious defects, leaving the Linux host with potential security hazards.
Disclosure of Invention
The invention provides a method for controlling user access to a Linux host that controls both local login and network login to the host and improves the security of the Linux host.
The method for controlling user access to a Linux host disclosed by the invention comprises the following steps:
step A: deploying an access control centralized management system in the same intranet as the target host, deploying a node agent program on the target host, and obtaining through the node agent program all user names that are allowed to log in to the target host; the access control centralized management system and the target host are independent of each other within the same intranet.
step B: first initialization: modifying the underlying configuration files of the Linux system through the node agent program so that every user name allowed to log in to the target host is forbidden to log in from anywhere;
step C: second initialization: according to the role attributes of each user name, modifying the underlying configuration files of the Linux system through the node agent program to selectively open that user name's login address and/or network interaction address.
Network interaction here means logging in to and accessing an adjacent host over the network. By initializing twice and modifying the operating system's underlying configuration files, the invention achieves user-level access control for both local users and network users, so that the access rights of Linux host users are minimized and finer-grained security management and control are obtained.
Specifically, in the first initialization of step B, the interaction permission of every user name is set to the forbidden attribute in the underlying configuration file of the Linux system, and the source address in the login-permitted attribute of every user name is set to the null value (none).
Specifically, in the second initialization of step C, when a user name's permission is selectively opened, at least one of its login address and network interaction address is opened, or both remain set to forbidden.
Further, when a new user name is to be allowed to log in to or access the Linux host, or the permission of an existing user name on the host is changed, the procedure comprises:
step D: when a user name's permission is to be changed, a change request is submitted through the access control centralized management system;
step E: the access control centralized management system generates a change instruction from the request; after the administrator confirms the change instruction, the system stores it in the database and at the same time issues it to the node agent program of the corresponding target host;
step F: the node agent program of the target host completes the change by modifying the underlying configuration files of the Linux system according to the change instruction, and returns the change result to the access control centralized management system.
Specifically, step F comprises:
f1: according to the change instruction, the node agent program of the target host reads the user information in the underlying configuration file of the Linux host, where the user information comprises the name and bash fields of the accountInfo file, and modifies the /etc/password configuration file according to the change instruction;
f2: the node agent program of the target host reads the network access information in the underlying configuration file of the Linux host, where the network access information comprises the accessIP field of the accountInfo file, and modifies the iptables configuration according to the change instruction;
f3: the node agent program of the target host checks whether the configuration files were changed correctly and returns the result to the access control centralized management system.
The method for controlling user access to a Linux host achieves user-level access control of local and network users and finer-grained security management and control, makes host access control management in an enterprise procedural and standardized, and, because every generated change instruction is stored, makes later inquiry and tracing convenient.
The present invention is described in further detail with reference to the following examples. This should not be understood as limiting the scope of the subject matter described above to these examples. Substitutions and alterations made according to general knowledge and conventional practice in the art, without departing from the technical spirit of the invention as described above, are intended to fall within its scope.
Drawings
FIG. 1 is a flowchart of a method for controlling user access of a Linux host according to the present invention.
Detailed Description
As shown in FIG. 1, the method for controlling user access to a Linux host according to the invention comprises:
step A: deploying an access control centralized management system in the same intranet as the target host, deploying a node agent program on the target host, and obtaining through the node agent program all user names that are allowed to log in to the target host; the access control centralized management system and the target host are independent of each other within the same intranet.
step B: first initialization: modifying the underlying configuration file of the Linux system through the node agent program, setting the interaction permission of every user name allowed to log in to the target host to the forbidden attribute, and setting the source address in the login-permitted attribute of every user name to the null value (none), that is, forbidding every user name from logging in from anywhere, as shown in table 1:
table 1: (image not reproduced on this page)
step C: second initialization: according to the role attributes of each user name, modifying the underlying configuration file of the Linux system through the node agent program to selectively open that user name's login address and/or network interaction address. When a user name's permission is selectively opened, at least one of its login address and network interaction address is opened, or both remain set to forbidden, as shown in table 2:
table 2:
step D: when a user name's permission is to be changed, a change request is submitted through the access control centralized management system;
step E: the access control centralized management system generates a change instruction from the request; after the administrator confirms the change instruction, the system stores it in the database and at the same time issues it to the node agent program of the corresponding target host; the generated change instruction is, for example:
step F: the node agent program of the target host completes the change by modifying the underlying configuration file of the Linux system according to the change instruction, and returns the change result to the access control centralized management system. Modifying the underlying configuration file of the Linux system comprises the following steps:
f1: according to the change instruction, the node agent program of the target host reads the user information in the underlying configuration file of the Linux host, where the user information comprises the name and bash fields of the accountInfo file, and modifies the /etc/password configuration file according to the change instruction;
f2: the node agent program of the target host reads the network access information in the underlying configuration file of the Linux host, where the network access information comprises the accessIP field of the accountInfo file, and modifies the iptables configuration according to the change instruction;
f3: the node agent program of the target host checks whether the configuration files were changed correctly and returns the result to the access control centralized management system.
By initializing twice and modifying the operating system's underlying configuration file, user-level access control of local users and network users is achieved, the access rights of Linux host users are minimized, and finer-grained security management and control are obtained.
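Step F of the node agent as a worked example (added here; it is not code from the patent or from the applicant). It parses a constructed accountInfo sample, rewrites the shell field of a constructed /etc/passwd excerpt (the patent's "/etc/password" is taken to mean /etc/passwd), emits per-uid iptables OUTPUT rules for the accessIP addresses, and verifies the result; the first initialization of step B is modelled by locking every user before the instruction is applied. The one-record-per-line layout of accountInfo, the nologin shell, and the owner-match rule form are assumptions that the patent does not specify.

```python
NOLOGIN = "/usr/sbin/nologin"  # assumed shell used to forbid login

# Constructed accountInfo sample; the patent names only the fields
# (name, bash, accessIP), so the one-record-per-line layout is assumed.
ACCOUNT_INFO = """\
name=alice bash=/bin/bash accessIP=10.0.0.5,10.0.0.6
name=bob bash=/bin/bash accessIP=none
name=svc_backup bash=none accessIP=none
"""

# Constructed /etc/passwd excerpt (the patent writes "/etc/password").
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
svc_backup:x:1003:1003::/var/backup:/bin/sh
"""

def parse_account_info(text):
    """Return {name: {"bash": shell or "none", "accessIP": [addr, ...]}}."""
    accounts = {}
    for line in filter(str.strip, text.splitlines()):
        kv = dict(tok.split("=", 1) for tok in line.split())
        ips = [] if kv["accessIP"] == "none" else kv["accessIP"].split(",")
        accounts[kv["name"]] = {"bash": kv["bash"], "accessIP": ips}
    return accounts

def first_init(accounts):
    """Step B: every managed user forbidden to log in from anywhere."""
    return {name: {"bash": "none", "accessIP": []} for name in accounts}

def wanted_shell(acct):
    return NOLOGIN if acct["bash"] == "none" else acct["bash"]

def apply_passwd(passwd_text, accounts):
    """f1: rewrite the login-shell field of each managed user."""
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] in accounts:
            fields[6] = wanted_shell(accounts[fields[0]])
        out.append(":".join(fields))
    return "\n".join(out) + "\n"

def iptables_rules(passwd_text, accounts):
    """f2: per-uid OUTPUT rules so only the listed accessIP hosts are reachable."""
    uids = {f[0]: f[2] for f in (l.split(":") for l in passwd_text.splitlines())
            if len(f) == 7}
    rules = []
    for name, acct in accounts.items():
        if name not in uids:
            continue  # instruction names a user this host does not have
        owner = f"iptables -A OUTPUT -m owner --uid-owner {uids[name]}"
        rules += [f"{owner} -d {ip} -j ACCEPT" for ip in acct["accessIP"]]
        rules.append(f"{owner} -j DROP")
    return rules

def verify(passwd_text, accounts):
    """f3: names of managed users whose shell does not match the instruction."""
    return [f[0] for f in (l.split(":") for l in passwd_text.splitlines())
            if len(f) == 7 and f[0] in accounts
            and f[6] != wanted_shell(accounts[f[0]])]
```

The owner-match rules cover the patent's "network interaction" (outbound connections to adjacent hosts); the inbound login-address restriction is not modelled here.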

Claims (5)

1. A method for controlling user access to a Linux host, characterized by comprising the following steps:
step A: deploying an access control centralized management system in the same intranet as the target host, deploying a node agent program on the target host, and obtaining through the node agent program all user names that are allowed to log in to the target host;
step B: first initialization: modifying the underlying configuration files of the Linux system through the node agent program so that every user name allowed to log in to the target host is forbidden to log in from anywhere;
step C: second initialization: according to the role attributes of each user name, modifying the underlying configuration files of the Linux system through the node agent program to selectively open that user name's login address and/or network interaction address.
2. The method for controlling user access to a Linux host according to claim 1, characterized in that: in the first initialization of step B, the interaction permission of every user name is set to the forbidden attribute in the underlying configuration file of the Linux system, and the source address in the login-permitted attribute of every user name is set to the null value.
3. The method for controlling user access to a Linux host according to claim 1, characterized in that: in the second initialization of step C, when a user name's permission is selectively opened, at least one of its login address and network interaction address is opened, or both remain set to forbidden.
4. The method for controlling user access to a Linux host according to any one of claims 1 to 3, characterized by further comprising:
step D: when a user name's permission is to be changed, a change request is submitted through the access control centralized management system;
step E: the access control centralized management system generates a change instruction from the request; after the administrator confirms the change instruction, the system stores it in the database and at the same time issues it to the node agent program of the corresponding target host;
step F: the node agent program of the target host completes the change by modifying the underlying configuration files of the Linux system according to the change instruction, and returns the change result to the access control centralized management system.
5. The method for controlling user access to a Linux host according to claim 4, characterized in that step F comprises:
f1: according to the change instruction, the node agent program of the target host reads the user information in the underlying configuration file of the Linux host, where the user information comprises the name and bash fields of the accountInfo file, and modifies the /etc/password configuration file according to the change instruction;
f2: the node agent program of the target host reads the network access information in the underlying configuration file of the Linux host, where the network access information comprises the accessIP field of the accountInfo file, and modifies the iptables configuration according to the change instruction;
f3: the node agent program of the target host checks whether the configuration files were changed correctly and returns the result to the access control centralized management system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910909244.4A CN110677404B (en) 2019-09-25 2019-09-25 User access control method for Linux host

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910909244.4A CN110677404B (en) 2019-09-25 2019-09-25 User access control method for Linux host

Publications (2)

Publication Number Publication Date
CN110677404A true CN110677404A (en) 2020-01-10
CN110677404B CN110677404B (en) 2022-06-24

Family

ID=69079164

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910909244.4A Active CN110677404B (en) 2019-09-25 2019-09-25 User access control method for Linux host

Country Status (1)

Country Link
CN (1) CN110677404B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101695033A (en) * 2009-09-25 2010-04-14 上海交通大学 Network fragility analyzing system based on privilege lift
CN102333090A (en) * 2011-09-28 2012-01-25 辽宁国兴科技有限公司 Internal control bastion host and security access method of internal network resources
US20140137185A1 (en) * 2007-02-08 2014-05-15 Oren Tirosh Method and system for implementing mandatory file access control in native discretionary access control environments
CN104615916A (en) * 2014-12-12 2015-05-13 腾讯科技(深圳)有限公司 Account management method and device and account permission control method and device
CN105703925A (en) * 2014-11-25 2016-06-22 上海天脉聚源文化传媒有限公司 Security reinforcement method and system for Linux system
CN107070951A (en) * 2017-05-25 2017-08-18 北京北信源软件股份有限公司 A kind of intranet security guard system and method
CN107277026A (en) * 2017-06-29 2017-10-20 福建天泉教育科技有限公司 A kind of Intranet access method and terminal

Also Published As

Publication number Publication date
CN110677404B (en) 2022-06-24

Similar Documents

Publication Publication Date Title
US10404708B2 (en) System for secure file access
US9471577B2 (en) Hierarchical multi-tenancy management of system resources in resource groups
JP5356221B2 (en) Convert role-based access control policies to resource authorization policies
US9992068B2 (en) Rule based mobile device management delegation
US9367703B2 (en) Methods and systems for forcing an application to store data in a secure storage location
CN101836186B (en) A method and system for communicating between isolation environments
US10650158B2 (en) System and method for secure file access of derivative works
CN114514507B (en) System and method for supporting quota policy language in cloud infrastructure environment
US7882544B2 (en) Inherited role-based access control system, method and program product
US9075955B2 (en) Managing permission settings applied to applications
US20120131646A1 (en) Role-based access control limited by application and hostname
US20240007458A1 (en) Computer user credentialing and verification system
CN110677404B (en) User access control method for Linux host
WO2018175643A1 (en) System and method for providing restricted access to production files in a code development environment
KR101488349B1 (en) Limitation system of use for information storage server by graded authority and the method
CN112823501A (en) System and method for determining data connections between software applications
Stanek Windows group policy: The personal trainer for Windows Server 2012 and Windows Server 2012 R2
US20090048888A1 (en) Techniques for claim staking in a project stage-based environment
US20230421609A1 (en) Organization based access control with boundary access policies
Bera et al. A WLAN security management framework based on formal spatio‐temporal RBAC model
Stanek et al. InsideOUT
KR20080015176A (en) Meta access control model
WO2015174977A1 (en) Accessing data content using closures
Holme et al. MCTS self-paced training kit (exam 70-640): configuring Windows server 2008 active directory
Leung et al. Authorizing Your Users

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant