CN115827408A - Linux initialization tuning device - Google Patents


Info

Publication number
CN115827408A
CN115827408A
Authority
CN
China
Prior art keywords
account
linux
tuning device
configuration
disk
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202211508048.4A
Other languages
Chinese (zh)
Inventor
谢炬成
岳君
Current Assignee
Guangdong Kamfu Technology Co ltd
Original Assignee
Guangdong Kamfu Technology Co ltd
Priority date
2022-11-29
Filing date
2022-11-29
Publication date
2023-03-21
Application filed by Guangdong Kamfu Technology Co ltd
Priority to CN202211508048.4A
Publication of CN115827408A

Abstract

The invention discloses a Linux initialization and tuning device. The operating system of the device may be any of several Linux distributions, such as Red Hat, CentOS, Ubuntu and domestic trusted Linux. The device consists of a system basic configuration module, a system tuning module, a security protection configuration module and a common software installation module. The system basic configuration module covers network configuration, disk partitioning, YUM source configuration and application account creation; the system tuning module covers disabling the firewall, disabling SELinux, shutting down high-risk services and tuning system parameters; and the security protection configuration module covers an OpenSSH service upgrade, a polkit upgrade, an account lockout policy, account login restrictions, an account password expiration policy and an account password strength policy. The invention integrates the routine system configuration and tuning, security hardening and software installation performed in system operation and maintenance, makes them automated and configurable, and improves operation and maintenance efficiency.

Description

Linux initialization tuning device
Technical Field
The invention relates to the field of computer security, in particular to a Linux initialization tuning device.
Background
Linux is a Unix-like operating system that is free to use and redistribute, and supports multiple users, multitasking, multithreading and multiple CPUs. Linux is open-source software with stable performance, and its core firewall component is efficient and simple to configure, so it is used more and more widely in enterprise networks. Network operations personnel use Linux both as a server platform and as a network firewall.
Monitoring the behaviour of a Linux system is needed both for kernel development and debugging and for day-to-day operations analysis, and is a particular concern of development and operations staff. At present most Linux system behaviour monitoring is based on the tracepoint technology attached to Linux system calls (syscalls), which is used to monitor most system calls, network connections, disk file operations, network reads and writes, process behaviour, shell command execution and so on. Commonly used tools include strace, ftrace, tcpdump, lsof, htop, iftop, SystemTap and others.
Existing Linux system behaviour monitoring mainly uses the following methods:
1. The Linux kprobes debugging technology
The kprobes debugging technology is a lightweight kernel debugging facility designed by kernel developers specifically to make tracing the execution state of kernel functions convenient. With kprobes, kernel developers can dynamically insert probe points into most specified kernel functions to collect the required debug state information, so that they know which system calls were invoked, when they were invoked, whether execution was correct, and what the function arguments and return values were, and can print this information to the screen or dump it to log files.
2. Tracepoints on syscalls in the Linux kernel
A hook is registered on the kernel's syscall tracepoints so that a user-supplied probe function is called; the probe function records the relevant information, which is then printed to the screen or dumped to a log file, achieving the monitoring purpose.
Chinese patent application CN104008337B discloses using a hook to monitor system calls of the Linux kernel: when a user-mode process is observed calling a system call on which a hook is set, it is determined whether that process is in a whitelist; if it is, the process is allowed to make the system call, and if it is not, the process is forbidden from making the system call; the whitelist contains one or more user-mode processes that are allowed to make system calls.
The prior art has at least the following disadvantages:
1. The corresponding kernel configuration options must be enabled when the kernel is compiled; if they are not, the feature cannot be used on that kernel and the kernel has to be recompiled.
2. These tools are only suited to kernel developers debugging, or to operations staff starting them on site; each tool has different characteristics, so the need for comprehensive monitoring of the system cannot be met.
3. Behaviour data is not stored well: only simple output or log storage is provided. Without a data caching function the behaviour data is easily lost, and later replay or analysis of the data is poorly supported.
4. The tools cannot be deployed online in real time and can only be started after or during the operation concerned, so the requirement for automated, continuous security monitoring is not met. On high-throughput, high-concurrency servers they also add to the server's operating load.
Disclosure of Invention
The invention aims to overcome the shortcomings of the prior art and provides a Linux initialization and tuning device.
The technical scheme of the invention is as follows:
a Linux initialization tuning device comprises:
a system basic configuration module, comprising network configuration, disk partitioning, YUM source configuration and application account creation;
a system tuning module, comprising disabling the firewall, disabling SELinux, shutting down high-risk services and tuning system parameters;
a security protection configuration module, comprising patch upgrades, an account lockout policy, account login restrictions and an account password policy;
a common software installation module, comprising monitoring deployment, network tools, disk I/O tools and file tools.
The network configuration comprises the IP configuration protocol, activation at boot, the IPv4 address, the subnet mask, the gateway and the DNS configuration;
the disk partitioning comprises partitioning, formatting, mounting and mounting at boot of a disk;
the YUM source configuration configures a local YUM source for a server that cannot connect to the Internet;
the application account creation creates an account and a directory for the application and grants them the corresponding permissions, so as to standardize deployment of the application system.
The system parameter tuning comprises kernel parameter tuning (TCP protocol parameters and the local port range), tuning of the maximum number of open files, and tuning of the maximum number of processes per user.
The patch upgrades comprise upgrading the OpenSSH service and upgrading polkit.
The account password policy comprises an account password expiration policy and an account password strength policy.
The monitoring deployment comprises zabbix_agent and tcping;
zabbix_agent is used to monitor server resources, middleware, databases, logs, ports and interfaces;
tcping is used to monitor the status of the server's ports.
The network tools comprise nc, iftop and mtr;
nc is a network toolkit used for debugging and inspection;
iftop displays local network traffic and the set of flows between communicating hosts;
mtr combines the functions of ping and traceroute and displays the results visually.
The disk I/O tools comprise iostat and iotop;
iostat is used to inspect I/O performance, including disk and CPU utilization;
iotop displays disk I/O in real time.
The file tool comprises lsof, which is used to view which files are currently open on the system.
Compared with the prior art, the invention has the following beneficial effects. The invention comprises a system basic configuration module, a system tuning module, a security configuration module and a common software installation module. The system basic configuration module (network configuration, disk partitioning, YUM source configuration, application account creation and so on) shortens configuration time and standardizes application system deployment. The system tuning module (disabling the firewall, disabling SELinux, shutting down high-risk services, tuning system parameters and so on) improves system performance and avoids some common problems in running programs. The security protection module (the OpenSSH upgrade, the polkit upgrade, the account lockout policy, account login restrictions, the account password expiration policy, the account password strength policy and so on) hardens the operating system and improves system security. The common software installation module (zabbix_agent, iostat, lsof, nc, iotop, iftop, mtr, tcping and so on) makes operations work and monitoring management convenient. By integrating the routine system configuration and tuning, security hardening and software installation performed in system operation and maintenance, the invention makes them automated and configurable, improves operation and maintenance efficiency, standardizes system deployment, and improves the performance and security of the system.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly described below. The drawings described below are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a block diagram of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Examples
Referring to fig. 1, this embodiment provides a Linux initialization and tuning device. The operating system of the device may be any of several Linux distributions, such as Red Hat, CentOS, Ubuntu and domestic trusted Linux, and the device is composed of a system basic configuration module, a system tuning module, a security configuration module and a common software installation module.
The system basic configuration module comprises:
Network configuration: the IP configuration protocol, activation at boot, the IPv4 address, the subnet mask, the gateway, the DNS and so on are configured; a server whose IP address has already been assigned can skip this configuration;
Disk partitioning: the disk is partitioned, formatted, mounted and set to mount at boot. The partition type is LVM, chosen because it makes it convenient to extend and shrink disk space and to use disk resources sensibly; the file system type can be selected at formatting time, including ext4, xfs and others;
YUM source configuration: a local yum source is configured for servers that cannot connect to the Internet, so that common software and dependency packages can be installed conveniently;
Application account creation: an application account and directory are created and granted the corresponding permissions, which standardizes application system deployment and avoids problems such as excessive privileges and the root partition running out of disk space; this includes starting the application as a non-root account and deploying it into a designated directory rather than into the root partition.
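The YUM source and application account steps above, written as checkable shell functions. This is an added example, not code from the patent or its applicant: it writes a local repository file with GPG checking kept on, and validates an application account specification (non-root name, home directory on its own mount rather than the root partition) before the privileged commands would be run. The ROOT variable, the repository name, the /data mount, the account name and the /proc/mounts sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the patent). ROOT lets every function be exercised
# against a scratch directory tree before it is pointed at "/" as root.
ROOT="${ROOT:-/}"

# write_local_repo NAME BASEURL GPGKEY: a yum/dnf repo file pointing at a
# mounted ISO or mirror directory. gpgcheck stays on so packages are still
# signature-checked even though they come from local storage.
write_local_repo() {
    f="$ROOT/etc/yum.repos.d/$1.repo"
    mkdir -p "$(dirname "$f")"
    printf '[%s]\nname=%s\nbaseurl=%s\nenabled=1\ngpgcheck=1\ngpgkey=%s\n' \
        "$1" "$1" "$2" "$3" > "$f"
}

# repo_field FILE KEY: value of KEY in an ini-style repo file (last one wins)
repo_field() { awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }

# mount_for PATH MOUNTS_FILE: the mount point (longest matching prefix) that
# contains PATH. MOUNTS_FILE has the /proc/mounts layout:
# "device mountpoint fstype options 0 0".
mount_for() {
    awk -v p="$1" '
      { m = $2
        if (m == "/" || p == m || index(p, m "/") == 1) {
            if (length(m) > length(best)) best = m
        } }
      END { print best }' "$2"
}

# check_app_account NAME HOME MOUNTS_FILE: 0 if the spec is acceptable, else
# prints the reason to stderr and returns 1. Rules: never root, a plain
# lowercase login name, and a home directory that is not on the root
# filesystem (the "disk space of the root partition" problem in the text).
check_app_account() {
    name=$1; home=$2; mounts=$3
    case "$name" in
        root|"") echo "refuse: application must not run as root" >&2; return 1 ;;
        *[!a-z0-9_-]*) echo "refuse: invalid account name '$name'" >&2; return 1 ;;
    esac
    if [ "$(mount_for "$home" "$mounts")" = "/" ]; then
        echo "refuse: $home is on the root partition; use a dedicated data mount" >&2
        return 1
    fi
    return 0
}

# app_account_commands NAME HOME: the privileged commands a deployer runs once
# check_app_account passes. Printed rather than executed so the plan can be
# reviewed; the 750 mode keeps the directory closed to other local users.
app_account_commands() {
    printf 'useradd -m -d %s -s /bin/bash %s\n' "$2" "$1"
    printf 'chmod 750 %s\n' "$2"
    printf 'chown -R %s:%s %s\n' "$1" "$1" "$2"
}

# Stand-alone use: ./basic-config.sh plan app /data/app
if [ "${1:-}" = plan ]; then
    check_app_account "$2" "$3" /proc/mounts && app_account_commands "$2" "$3"
fi
```

The account check reads the mount table rather than trusting the path name, so a `/data/app` that is really just a directory on the root filesystem is rejected until a separate volume is mounted there.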
The system tuning module comprises:
Disabling the firewall and disabling SELinux: the operating system firewall and SELinux are disabled by default to avoid unnecessary problems during implementation and deployment. Both are security controls, so a practitioner would usually prefer a firewall with explicit allow rules and SELinux in permissive mode while troubleshooting rather than disabling either outright, since a disabled SELinux leaves the host with no mandatory access control;
Shutting down high-risk services: Linux systems currently ship two network management tools, NetworkManager and network; if both are configured they conflict, and NetworkManager may clear the routes when the network is disconnected, which is why the redundant one is shut down;
System parameter tuning: this comprises kernel parameter tuning such as the TCP protocol parameters and the local port range, tuning of the maximum number of open files, and tuning of the maximum number of processes per user.
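The system parameter tuning and the NetworkManager/network conflict check above, as an added example that is not part of the patent: the kernel and per-user limits are written as drop-in files, parsed back so the effective values can be asserted, and the conflict is detected from the systemd "wants" directory, which is where `systemctl enable` places the symlinks for units wanted by multi-user.target. The ROOT variable, the drop-in file names and all of the numeric values are assumptions chosen for illustration; the text specifies the parameter categories but not the numbers.

```shell
#!/bin/sh
# Added example (not from the patent). ROOT lets the functions be exercised
# against a scratch tree; the numbers below are illustrative, not the patent's.
ROOT="${ROOT:-/}"

# write_sysctl_tuning: TCP and port-range parameters as a sysctl.d drop-in
# (applied with `sysctl --system` on a real host).
write_sysctl_tuning() {
    f="$ROOT/etc/sysctl.d/90-tuning.conf"
    mkdir -p "$(dirname "$f")"
    cat > "$f" <<'EOF'
# ephemeral ports available for outbound connections
net.ipv4.ip_local_port_range = 10000 65000
# reuse TIME_WAIT sockets for new outbound connections
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_max_syn_backlog = 8192
net.core.somaxconn = 4096
# system-wide open file limit
fs.file-max = 1048576
EOF
}

# write_user_limits: per-user open file and process limits, applied by
# pam_limits at login (ulimit -n / ulimit -u in the session).
write_user_limits() {
    f="$ROOT/etc/security/limits.d/90-tuning.conf"
    mkdir -p "$(dirname "$f")"
    cat > "$f" <<'EOF'
# domain  type  item    value
*         soft  nofile  65535
*         hard  nofile  65535
*         soft  nproc   65535
*         hard  nproc   65535
EOF
}

# sysctl_value KEY: the value KEY has in the drop-in (last uncommented match)
sysctl_value() {
    awk -F'=' -v k="$1" '
      /^[[:space:]]*#/ { next }
      { gsub(/[[:space:]]+/, "", $1)
        if ($1 == k) { sub(/^[[:space:]]+/, "", $2); v = $2 } }
      END { print v }' "$ROOT/etc/sysctl.d/90-tuning.conf"
}

# ephemeral_port_count: how many outbound ports the configured range allows;
# a sizing check against the expected number of concurrent outbound connections
ephemeral_port_count() {
    sysctl_value net.ipv4.ip_local_port_range | awk '{ print $2 - $1 + 1 }'
}

# limit_value DOMAIN TYPE ITEM: value from the limits drop-in,
# e.g. limit_value '*' hard nofile
limit_value() {
    awk -v d="$1" -v t="$2" -v i="$3" '
      !/^[[:space:]]*#/ && $1 == d && $2 == t && $3 == i { v = $4 }
      END { print v }' "$ROOT/etc/security/limits.d/90-tuning.conf"
}

# unit_enabled NAME: true if NAME is wanted by multi-user.target, i.e. the
# symlink that `systemctl enable` creates is present.
unit_enabled() {
    u="$ROOT/etc/systemd/system/multi-user.target.wants/$1"
    [ -e "$u" ] || [ -L "$u" ]
}

# network_service_conflict: true when both NetworkManager and the legacy
# network service are enabled and would fight over the same interfaces.
network_service_conflict() {
    unit_enabled NetworkManager.service && unit_enabled network.service
}

# Stand-alone use: ./tuning.sh apply
if [ "${1:-}" = apply ]; then
    write_sysctl_tuning; write_user_limits
    network_service_conflict && echo "WARNING: NetworkManager and network are both enabled; disable one" >&2
    echo "ephemeral ports available: $(ephemeral_port_count)"
fi
```

Writing drop-ins rather than editing `/etc/sysctl.conf` or `/etc/security/limits.conf` in place keeps the tuning idempotent and easy to remove, and the parse-back functions are what an audit step would call after `sysctl --system`.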
The security protection configuration module comprises:
Patch upgrades: upgrading the OpenSSH service and upgrading polkit;
Upgrading the OpenSSH service: the OpenSSH version shipped with the Linux operating system is old, vulnerabilities in it are disclosed frequently and their risk level is very high, so it is upgraded to a safe version during initialization. Because it may become impossible to log in to the server over SSH while the upgrade is in progress, the telnet service is installed beforehand as a fallback login path and is shut down once the upgrade has been verified. Telnet carries credentials in cleartext, so the fallback should be reachable only from the management network or replaced by a console or out-of-band session, and it must be removed afterwards rather than merely stopped;
Upgrading polkit: the polkit version shipped with the Linux operating system is old and has been the target of attacks, so it is upgraded to a safe version during initialization;
Account lockout policy: an account lockout policy for failed logins is set, with a maximum of 5 failures and a lockout time of 300 seconds;
Account login restrictions: remote login by the root user is restricted, unused system accounts are locked, the account umask value is set, the account login timeout is set, and the login banner information is modified, so as to restrict remote login by the administrator account and limit resource use after login;
Account password policy: comprising an account password expiration policy and an account password strength policy;
Account password expiration policy: the account password lifetime is set, with a maximum validity of 90 days, a minimum validity of 10 days, and an expiry warning 7 days in advance;
Account password strength policy: an account password complexity policy is set, with a minimum length of 8 characters containing at least one digit, one uppercase letter, one lowercase letter and one special symbol;
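The account lockout, login restriction and password policies above, as an added example that is not code from the patent: each policy is written into the file the corresponding PAM module or daemon reads, and an audit function reads the values back so the result can be verified rather than assumed. The 5/300, 90/10/7 and 8-character values are the ones the text specifies; the ROOT variable, the umask of 027, the 600-second TMOUT, the banner text and the file layout (pam_faillock reading /etc/security/faillock.conf as on RHEL 8 and later, pam_pwquality reading /etc/security/pwquality.conf, sshd reading /etc/ssh/sshd_config) are assumptions.

```shell
#!/bin/sh
# Added example (not from the patent). ROOT lets the policies be written to a
# scratch tree and audited before the script is run as root against "/".
ROOT="${ROOT:-/}"

# set_kv FILE KEY VALUE [SEP]: replace any existing KEY line, including a
# commented-out default such as "#PermitRootLogin yes", with "KEY<SEP>VALUE",
# or append it. Rewrites through a temp file so a failure leaves FILE intact.
set_kv() {
    f=$1; k=$2; v=$3; sep="${4:- }"
    mkdir -p "$(dirname "$f")"
    [ -f "$f" ] || : > "$f"
    { grep -v "^#*[[:space:]]*${k}[[:space:]=]" "$f" || true
      printf '%s%s%s\n' "$k" "$sep" "$v"; } > "$f.tmp"
    mv "$f.tmp" "$f"
}

# get_kv FILE KEY: effective value of KEY (last uncommented line), accepting
# "KEY VALUE", "KEY=VALUE" and "KEY = VALUE" layouts.
get_kv() {
    awk -v k="$2" '
      /^[[:space:]]*#/ { next }
      { gsub(/=/, " "); if ($1 == k) v = $2 }
      END { print v }' "$1"
}

# Password expiry (login.defs, applied to accounts created afterwards; existing
# accounts need chage) and strength (pwquality: a credit of -1 means at least
# one character of that class is required).
harden_password_policy() {
    ld="$ROOT/etc/login.defs"
    set_kv "$ld" PASS_MAX_DAYS 90      # expire after 90 days
    set_kv "$ld" PASS_MIN_DAYS 10      # no change again for 10 days
    set_kv "$ld" PASS_WARN_AGE 7       # warn 7 days before expiry
    set_kv "$ld" UMASK 027             # assumed value for the text's "umask"
    pq="$ROOT/etc/security/pwquality.conf"
    set_kv "$pq" minlen 8 " = "
    for c in dcredit ucredit lcredit ocredit; do set_kv "$pq" "$c" -1 " = "; done
}

# Lockout after 5 failures for 300 seconds (pam_faillock reads this file).
harden_lockout() {
    fl="$ROOT/etc/security/faillock.conf"
    set_kv "$fl" deny 5 " = "
    set_kv "$fl" unlock_time 300 " = "
}

# Login restrictions: no remote root, a pre-auth banner, idle-shell timeout.
harden_login() {
    sc="$ROOT/etc/ssh/sshd_config"
    set_kv "$sc" PermitRootLogin no
    set_kv "$sc" Banner /etc/issue.net
    printf 'Authorized use only. Activity is monitored.\n' > "$ROOT/etc/issue.net"
    mkdir -p "$ROOT/etc/profile.d"
    printf 'readonly TMOUT=600\nexport TMOUT\n' > "$ROOT/etc/profile.d/99-tmout.sh"
}

# find_loginable_system_accounts PASSWD: non-root system accounts (uid < 1000)
# that still have an interactive shell. These are the "unused accounts" to
# lock (usermod -L / passwd -l); listing them is separated from locking so the
# list can be reviewed first.
find_loginable_system_accounts() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# expect FILE KEY VALUE: audit helper, records a failure instead of exiting
expect() {
    [ "$(get_kv "$ROOT/$1" "$2")" = "$3" ] || { echo "FAIL: $1 $2 != $3" >&2; audit_rc=1; }
}

# audit_policies: 0 only if every policy value is in effect on disk
audit_policies() {
    audit_rc=0
    expect etc/login.defs PASS_MAX_DAYS 90
    expect etc/login.defs PASS_MIN_DAYS 10
    expect etc/login.defs PASS_WARN_AGE 7
    expect etc/security/pwquality.conf minlen 8
    expect etc/security/faillock.conf deny 5
    expect etc/security/faillock.conf unlock_time 300
    expect etc/ssh/sshd_config PermitRootLogin no
    return $audit_rc
}

# Stand-alone use (as root): ./harden.sh apply
if [ "${1:-}" = apply ]; then
    harden_password_policy; harden_lockout; harden_login
    audit_policies && echo "policies applied under $ROOT"
    echo "system accounts with a login shell (review, then lock):"
    find_loginable_system_accounts "$ROOT/etc/passwd"
fi
```

After `sshd_config` is changed on a real host, run `sshd -t` and restart the service from a session you keep open, for the same reason the text installs a fallback login path before the OpenSSH upgrade.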
The common software installation module comprises:
Monitoring deployment, comprising zabbix_agent and tcping;
zabbix_agent: monitors server resources, middleware, databases, logs, ports, interfaces and so on;
tcping: monitors the status of the server's ports;
The network tools, comprising nc, iftop and mtr;
nc: a network toolkit for debugging and inspection, which can be used to create TCP/IP connections;
iftop: displays local network traffic and the set of flows between communicating hosts;
mtr: a network diagnostic tool that combines the functions of ping and traceroute and displays the results visually;
The disk I/O tools, comprising iostat and iotop;
iostat: inspects I/O performance, including disk and CPU utilization;
iotop: displays disk I/O in real time;
The file tool, comprising lsof;
lsof: shows which files are currently open on the system, for example which processes have a given file open.
The present invention is not limited to the above preferred embodiments, and any modifications, equivalent substitutions and improvements made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. A Linux initialization tuning device, characterized by comprising:
a system basic configuration module, comprising network configuration, disk partitioning, YUM source configuration and application account creation;
a system tuning module, comprising disabling the firewall, disabling SELinux, shutting down high-risk services and tuning system parameters;
a security protection configuration module, comprising patch upgrades, an account lockout policy, account login restrictions and an account password policy;
a common software installation module, comprising monitoring deployment, network tools, disk I/O tools and file tools.
2. The Linux initialization tuning device of claim 1, wherein:
the network configuration comprises the IP configuration protocol, activation at boot, the IPv4 address, the subnet mask, the gateway and the DNS configuration;
the disk partitioning comprises partitioning, formatting, mounting and mounting at boot of a disk;
the YUM source configuration configures a local YUM source for a server that cannot connect to the Internet;
the application account creation creates an account and a directory for the application and grants them the corresponding permissions, so as to standardize deployment of the application system.
3. The Linux initialization tuning device of claim 1, wherein: the system parameter tuning comprises kernel parameter tuning (TCP protocol parameters and the local port range), tuning of the maximum number of open files, and tuning of the maximum number of processes per user.
4. The Linux initialization tuning device of claim 1, wherein: the patch upgrades comprise upgrading the OpenSSH service and upgrading polkit.
5. The Linux initialization tuning device of claim 1, wherein: the account password policy comprises an account password expiration policy and an account password strength policy.
6. The Linux initialization tuning device of claim 1, wherein: the monitoring deployment comprises zabbix_agent and tcping;
zabbix_agent is used to monitor server resources, middleware, databases, logs, ports and interfaces;
tcping is used to monitor the status of the server's ports.
7. The Linux initialization tuning device of claim 1, wherein: the network tools comprise nc, iftop and mtr;
nc is a network toolkit used for debugging and inspection;
iftop displays local network traffic and the set of flows between communicating hosts;
mtr combines the functions of ping and traceroute and displays the results visually.
8. The Linux initialization tuning device of claim 1, wherein: the disk I/O tools comprise iostat and iotop;
iostat is used to inspect I/O performance, including disk and CPU utilization;
iotop displays disk I/O in real time.
9. The Linux initialization tuning device of claim 1, wherein: the file tool comprises lsof, which is used to view which files are currently open on the system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211508048.4A CN115827408A (en) 2022-11-29 2022-11-29 Linux initialization tuning device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211508048.4A CN115827408A (en) 2022-11-29 2022-11-29 Linux initialization tuning device

Publications (1)

Publication Number Publication Date
CN115827408A true CN115827408A (en) 2023-03-21

Family

ID=85532472

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211508048.4A Pending CN115827408A (en) 2022-11-29 2022-11-29 Linux initialization tuning device

Country Status (1)

Country Link
CN (1) CN115827408A (en)


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination