Admin guide
Warning
These general guidelines provide baseline system security and stability without being overly restrictive. They have been tested and are recommended by experienced Linux sysadmins from LUG @ USTC and TUNA.
If you must violate any of them, make sure you understand the consequences and, in case of failure, know how to recover.
SSH hardening
All servers MUST disable SSH password login:
PasswordAuthentication no
Any server with password login enabled MUST be fixed immediately.
If for any reason password login is required, enable it for just that specific user:
PasswordAuthentication no
Match user example
    PasswordAuthentication yes
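To verify that a server actually complies with the two rules above, here is an added example (it is not part of this guide): a shell function that reads an sshd_config file and reports the PasswordAuthentication value at global scope and inside every Match block, so the reviewer sees exactly which users still have password login. The file path and the function names are assumptions; the parser only understands the "Keyword value" syntax used in this guide.

```shell
# Added example, not part of the LUG/TUNA guide: read an sshd_config file and
# report the PasswordAuthentication setting at global scope and inside every
# "Match" block, so an auditor sees exactly which users keep password login.
# Only the "Keyword value" syntax is parsed; sshd itself is not consulted.

# sshd_password_auth_report FILE
#   prints one "match:<criteria>=<yes|no>" line per Match block that sets the
#   keyword, then "global=<yes|no|unset>" (OpenSSH treats an unset value as yes)
sshd_password_auth_report() {
    awk '
        # drop comments and blank lines; sshd keywords are case-insensitive
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }
        tolower($1) == "match" {
            # criteria keyword lower-cased, the value (user name etc.) kept as written
            crit = tolower($2)
            for (i = 3; i <= NF; i++) crit = crit " " $i
            in_match = 1
            next
        }
        tolower($1) == "passwordauthentication" {
            if (in_match) print "match:" crit "=" tolower($2)
            else          global = tolower($2)
        }
        END { print "global=" (global == "" ? "unset" : global) }
    ' "$1"
}

# sshd_password_auth_ok FILE
#   succeeds only when password login is disabled at global scope, which is
#   the state this guide requires of every server
sshd_password_auth_ok() {
    [ "$(sshd_password_auth_report "$1" | sed -n 's/^global=//p')" = "no" ]
}

# Usage on a live host (assumed path):
#   sshd_password_auth_report /etc/ssh/sshd_config
#   sshd_password_auth_ok /etc/ssh/sshd_config || echo "password login still enabled"
```

The function reads only the file, so it also works on a copy pulled from a configuration repository. On the host itself, "sshd -T" prints the effective configuration after all includes, and "sshd -T -C user=example" prints the settings that apply to that particular user; comparing the two confirms the Match block behaves as intended.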
Sudo rules
We grant sudo access to regular users upon request, with the belief that everyone is reasonable and responsible. In case of repeated or severe violations that display signs of ignorance, we reserve the right to revoke access.
Bear in mind the famous sudo warning:
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Do not change system environment
This includes, but is not limited to, creating or modifying these files:
/etc/environment
/etc/profile
and anything under /etc/profile.d
Note that installing certain software may indirectly modify the system environment.
Consequences of violation
Example during system maintenance:
Failed to open connection to "system" message bus: Failed to connect to socket /opt/anaconda/var/run/dbus/system_bus_socket: No such file or directory
Caused by adding LD_LIBRARY_PATH in /etc/profile.
Ref: https://blog.csdn.net/sinat_42720573/article/details/88657228
Exceptions
If you must add something globally that applies to all users, exclude the root user by wrapping it in an if conditional:
if [ $(id -u) -ne 0 ]; then
    export LD_LIBRARY_PATH=...
fi
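An added example that is not from this guide: a shell audit that scans the files named in the "Do not change system environment" section for lines setting LD_LIBRARY_PATH, LD_PRELOAD or PYTHONPATH, and distinguishes lines wrapped in the root-excluding "if [ $(id -u) -ne 0 ]" guard from unguarded ones, so that a maintainer can find the edit behind a failure like the dbus error above before it bites. The variable list, the file globs and the function names are assumptions.

```shell
# Added example, not part of the LUG/TUNA guide: scan the system environment
# files for assignments this guide forbids and tell guarded ones (inside the
# root-excluding "if [ $(id -u) -ne 0 ]" block) from unguarded violations.
# PATH is deliberately not listed because the distribution's own /etc/profile
# sets it; the variable list and file globs below are assumptions.
ENV_VARS='LD_LIBRARY_PATH|LD_PRELOAD|PYTHONPATH'

# audit_env_file FILE
#   prints "<violation|guarded>:<file>:<line>:<text>" for every assignment
#   found; exit status 1 if any unguarded assignment exists, 0 otherwise
audit_env_file() {
    awk -v file="$1" -v vars="$ENV_VARS" '
        BEGIN { re = "^[ \t]*(export[ \t]+)?(" vars ")="; bad = 0 }
        # track if/fi nesting and remember which level is the root guard
        /^[ \t]*if[ \t]/ {
            depth++
            if (guard == 0 && $0 ~ /id -u.*-ne[ \t]+0/) guard = depth
            next
        }
        /^[ \t]*fi([ \t;]|$)/ {
            if (guard == depth) guard = 0
            depth--
            next
        }
        $0 ~ re {
            verdict = (guard > 0) ? "guarded" : "violation"
            if (guard == 0) bad = 1
            print verdict ":" file ":" NR ":" $0
        }
        END { exit bad }
    ' "$1"
}

# audit_system_env
#   runs the check over the files this guide says not to touch (assumed paths);
#   exit status 1 if any file contains an unguarded assignment
audit_system_env() {
    status=0
    for f in /etc/environment /etc/profile /etc/profile.d/*.sh; do
        [ -r "$f" ] || continue
        audit_env_file "$f" || status=1
    done
    return "$status"
}
```

Running audit_system_env from a maintenance checklist (or a cron job that mails its output) turns the rule into something that is checked rather than remembered; a "guarded" hit is still worth a look, because the guard only protects root, not other system accounts that source the same files.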