CN110677404B - User access control method for Linux host - Google Patents
- Publication number: CN110677404B (application CN201910909244.4A)
- Authority: CN (China)
- Prior art keywords: user, linux, host, agent program, node agent
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a method for controlling user access to a Linux host, comprising the following steps. Step A: deploying a centralized access control management system, deploying a node agent program on the target host, and obtaining through the node agent program all user names permitted to log in to the target host. Step B: first initialization: the node agent program modifies the underlying configuration files of the Linux system so that every user name on every target host is forbidden to log in from anywhere. Step C: second initialization: according to the role attribute of each user name, the node agent program modifies the underlying configuration files to selectively open that user name's login addresses and/or network interaction addresses. By initializing twice and modifying the operating system's underlying configuration files, the method achieves user-level access control over both local users and network users, so that the access rights of Linux host users are reduced to the minimum and finer-grained security control is achieved.
Description
Technical Field
The invention relates to a method for controlling a computer user's access to a host, and in particular to a method for controlling user access to a Linux host.
Background
At present, login to and access of Linux hosts is generally controlled through a security audit system and through network-layer access control. Both approaches can be bypassed.
With access control based on a security audit system, the audit system can only restrict which Linux hosts a user may access and operate directly; it cannot restrict network access between hosts. A user who has logged in to one Linux host can log in to an adjacent host over the network and thereby bypass the restrictions set by the audit system.
Network-layer access control can restrict access between Linux hosts, but it cannot restrict which Linux user may log in; the granularity of this approach does not reach the user level.
Both current login/access control approaches therefore have evident shortcomings that leave the Linux host exposed.
Disclosure of Invention
The invention provides a method for controlling user access to a Linux host that controls both local logins and network logins to the Linux host and improves its security.
The method for controlling user access to a Linux host disclosed by the invention comprises the following steps:
step A: deploying a centralized access control management system in the same intranet as the target host, deploying a node agent program on the target host, and obtaining, through the node agent program, all user names permitted to log in to the target host; the centralized access control management system and the target host are independent of one another within the same intranet.
step B: first initialization: the node agent program modifies the underlying configuration files of the Linux system so that every user name permitted to log in to the target host is forbidden to log in from anywhere;
step C: second initialization: according to the role attribute of each user name, the node agent program modifies the underlying configuration files of the Linux system to selectively open that user name's login address and/or network interaction address.
Network interaction means logging in to and accessing adjacent hosts over the network. By initializing twice and modifying the operating system's underlying configuration files, the invention achieves user-level access control over local users and network users, so that the access rights of Linux host users are reduced to the minimum and finer-grained security control is achieved.
Specifically, in the first initialization of step B, the interaction permission of every user name is set to the forbidden attribute in the underlying configuration file of the Linux system, and the source address in the login-permitted attribute of every user name is set to the null value (none).
Specifically, in the second initialization of step C, when a user name's permissions are selectively opened, at least one of its login address and its network interaction address is opened, or both are set to forbidden.
Further, when a new user name is to be permitted to log in to or access the Linux host, or the permissions of an existing user name on the Linux host change, the procedure comprises:
step D: when a user name's permissions change, a change request is raised through the centralized access control management system;
step E: the centralized access control management system generates a change instruction from the request; after an administrator confirms it, the system stores the change instruction in its database and at the same time issues it to the node agent program of the corresponding target host;
step F: the node agent program of the target host carries out the change by modifying the underlying configuration files of the Linux system according to the change instruction, and returns the result of the change to the centralized access control management system.
Specifically, step F comprises:
f1: according to the change instruction, the node agent program of the target host reads the user information in the Linux host's underlying configuration files, namely the name and bash fields of the accountInfo file, and modifies the /etc/passwd configuration file accordingly;
f2: the node agent program of the target host reads the network access information in the Linux host's underlying configuration files, namely the accessIP field of the accountInfo file, and modifies the iptables configuration according to the change instruction;
f3: the node agent program of the target host checks whether the configuration files were changed correctly and returns the result to the centralized access control management system.
The method for controlling user access to a Linux host achieves user-level access control over local users and network users with finer-grained security control, makes host access control management within an enterprise procedural and standardized, and, because every generated change instruction is stored, allows later inquiry and tracing.
The invention is described in further detail with reference to the following examples, which should not be understood as limiting the scope of the subject matter described above. Substitutions and alterations made according to general knowledge and conventional practice in the art, without departing from the technical spirit of the invention described above, are intended to fall within its scope.
Drawings
FIG. 1 is a flowchart of a method for controlling user access of a Linux host according to the present invention.
Detailed Description
As shown in FIG. 1, the method for controlling user access to a Linux host according to the invention comprises:
step A: deploying a centralized access control management system in the same intranet as the target host, deploying a node agent program on the target host, and obtaining, through the node agent program, all user names permitted to log in to the target host; the centralized access control management system and the target host are independent of one another within the same intranet.
step B: first initialization: the node agent program modifies the underlying configuration files of the Linux system, setting the interaction permission of every user name permitted to log in to the target host to the forbidden attribute and setting the source address in the login-permitted attribute of every user name to the null value (none), that is, forbidding every user name from logging in from anywhere, as shown in Table 1:
Table 1:
step C: second initialization: according to the role attribute of each user name, the node agent program modifies the underlying configuration files of the Linux system to selectively open that user name's login address and/or network interaction address. When a user name's permissions are selectively opened, at least one of its login address and its network interaction address is opened, or both are set to forbidden, as shown in Table 2:
Table 2:
step D: when a user name's permissions change, a change request is raised through the centralized access control management system;
step E: the centralized access control management system generates a change instruction from the request; after an administrator confirms it, the system stores the change instruction in its database and at the same time issues it to the node agent program of the corresponding target host. The generated change instruction is, for example:
step F: the node agent program of the target host carries out the change by modifying the underlying configuration files of the Linux system according to the change instruction, and returns the result of the change to the centralized access control management system. Modifying the underlying configuration files of the Linux system comprises the following steps:
f1: according to the change instruction, the node agent program of the target host reads the user information in the Linux host's underlying configuration files, namely the name and bash fields of the accountInfo file, and modifies the /etc/passwd configuration file accordingly;
f2: the node agent program of the target host reads the network access information in the Linux host's underlying configuration files, namely the accessIP field of the accountInfo file, and modifies the iptables configuration according to the change instruction;
f3: the node agent program of the target host checks whether the configuration files were changed correctly and returns the result to the centralized access control management system.
By initializing twice and modifying the operating system's underlying configuration files, user-level access control over local users and network users is achieved, the access rights of Linux host users are reduced to the minimum, and finer-grained security control is achieved.
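The two initializations (steps B and C) and the change handling (steps D to F) described in the Disclosure and again in the Detailed Description, modelled in the following added example. This is illustrative code written for this page, not the patent's node agent, and it works on strings rather than on the live system. It fixes assumptions the patent leaves open: a user is forbidden to log in by setting the shell field of its /etc/passwd entry to nologin and re-enabled by restoring the shell kept in the bash field; the login-permitted source addresses (held here in an assumed login_from field beside the patent's name, bash and accessIP fields) are rendered as pam_access lines for /etc/security/access.conf, because iptables cannot tell which local account an inbound SSH connection is for before authentication; network interaction is outbound SSH on port 22 (assumed) filtered per user with the iptables owner match, which does work in the OUTPUT chain because the originating socket has an owner. The user names, addresses and passwd lines are constructed.

```python
# Added example, not the patent's code: an in-memory model of the node agent's
# two initializations (steps B and C) and of the change handling in f1..f3.
# Assumed mechanisms (the patent names only /etc/passwd and iptables): the
# passwd shell field is set to nologin to deny login and restored from the saved
# bash field to allow it; the login source list becomes pam_access lines; network
# interaction is outbound SSH (port 22 assumed) filtered with the owner match.
from dataclasses import dataclass, field
from typing import Dict, List

NOLOGIN = "/usr/sbin/nologin"
NOLOGIN_SHELLS = {NOLOGIN, "/sbin/nologin", "/bin/false"}

@dataclass
class AccountInfo:
    """Agent record per user: name, bash and accessIP are the patent's fields;
    login_from (the login-permitted source addresses) is an assumed name."""
    name: str
    bash: str
    login_from: List[str] = field(default_factory=list)
    accessIP: List[str] = field(default_factory=list)

def parse_passwd(text: str) -> List[List[str]]:
    return [line.split(":") for line in text.splitlines() if line.strip()]

def render_passwd(entries: List[List[str]]) -> str:
    return "".join(":".join(e) + "\n" for e in entries)

def _set_shell(entries, name, shell):
    for e in entries:
        if e[0] == name:
            e[6] = shell  # the shell is the seventh field of a passwd entry

def discover_accounts(passwd_text: str) -> Dict[str, AccountInfo]:
    """Step A: every user name that can currently log in (has a real shell)."""
    return {e[0]: AccountInfo(name=e[0], bash=e[6])
            for e in parse_passwd(passwd_text) if e[6] not in NOLOGIN_SHELLS}

def first_init(passwd_text: str, accounts: Dict[str, AccountInfo]) -> str:
    """Step B: no login source, no interaction address, shell set to nologin."""
    entries = parse_passwd(passwd_text)
    for a in accounts.values():
        a.login_from, a.accessIP = [], []
        _set_shell(entries, a.name, NOLOGIN)
    return render_passwd(entries)

def apply_change(passwd_text: str, accounts: Dict[str, AccountInfo], instr: dict) -> str:
    """Step C per role, or step F per change instruction (f1): open the login
    address and/or the network interaction address of one user name."""
    a = accounts[instr["user"]]
    a.login_from = list(instr.get("login_from", []))
    a.accessIP = list(instr.get("accessIP", []))
    entries = parse_passwd(passwd_text)
    _set_shell(entries, a.name, a.bash if a.login_from else NOLOGIN)
    return render_passwd(entries)

def access_conf(accounts: Dict[str, AccountInfo]) -> List[str]:
    """/etc/security/access.conf: each user only from its login_from origins,
    everything else denied, so a user with no origins stays locked out."""
    lines = [f"+ : {a.name} : {' '.join(a.login_from)}"
             for a in accounts.values() if a.login_from]
    return lines + ["- : ALL : ALL"]

def iptables_rules(accounts: Dict[str, AccountInfo]) -> List[str]:
    """f2: outbound SSH per user only to the hosts in accessIP, then reject."""
    rules = []
    for a in accounts.values():
        for ip in a.accessIP:
            rules.append(f"iptables -A OUTPUT -m owner --uid-owner {a.name} "
                         f"-p tcp --dport 22 -d {ip} -j ACCEPT")
        rules.append(f"iptables -A OUTPUT -m owner --uid-owner {a.name} "
                     f"-p tcp --dport 22 -j REJECT")
    return rules

def verify(passwd_text: str, accounts: Dict[str, AccountInfo]) -> bool:
    """f3: the shell field of every managed user matches its login state."""
    shells = {e[0]: e[6] for e in parse_passwd(passwd_text)}
    return all(shells.get(a.name) == (a.bash if a.login_from else NOLOGIN)
               for a in accounts.values())

PASSWD = (  # constructed sample /etc/passwd content, not from the patent
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
    "bob:x:1002:1002:Bob:/home/bob:/bin/zsh\n"
)

def demo():
    accounts = discover_accounts(PASSWD)   # step A
    passwd = first_init(PASSWD, accounts)  # step B: everyone locked out
    # step C by role (constructed addresses): alice (operator) logs in from the
    # bastion 10.0.0.5 and may hop to 10.0.0.20; bob (auditor) logs in from the
    # bastion but may not hop anywhere; root keeps both attributes forbidden.
    passwd = apply_change(passwd, accounts, {"user": "alice",
                          "login_from": ["10.0.0.5"], "accessIP": ["10.0.0.20"]})
    passwd = apply_change(passwd, accounts, {"user": "bob", "login_from": ["10.0.0.5"]})
    return passwd, accounts

if __name__ == "__main__":
    pw, acc = demo()
    print(pw + "\n".join(access_conf(acc) + iptables_rules(acc)), verify(pw, acc))
```

The f3 check in verify() compares the passwd shell field against the agent's own record, so a shell restored behind the agent's back is reported as a failed change rather than silently accepted. For the pam_access lines to take effect, the PAM stacks of sshd and login must include `account required pam_access.so`. Two operational caveats the patent does not spell out: the agent rewrites /etc/passwd and the firewall as root, so the channel from the centralized management system to the agent must be authenticated and an instruction's origin checked before it is applied; and the firewall rules should be installed as one ruleset (for example through iptables-restore) so that a half-applied change never leaves a user with more reach than its role allows.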
Claims (4)
1. A method for controlling user access to a Linux host, characterized by comprising the following steps:
step A: deploying a centralized access control management system in the same intranet as the target host, deploying a node agent program on the target host, and obtaining, through the node agent program, all user names permitted to log in to the target host;
step B: first initialization: the node agent program modifies the underlying configuration files of the Linux system so that every user name permitted to log in to the target host is forbidden to log in from anywhere;
step C: second initialization: according to the role attribute of each user name, the node agent program modifies the underlying configuration files of the Linux system to selectively open that user name's login addresses and/or network interaction addresses;
in the second initialization of step C, when a user name's permissions are selectively opened, at least one of its login address and its network interaction address is opened, or both are set to forbidden.
2. The method for controlling user access to a Linux host according to claim 1, characterized in that: in the first initialization of step B, the interaction permission of every user name is set to the forbidden attribute in the underlying configuration file of the Linux system, and the source address in the login-permitted attribute of every user name is set to the null value.
3. The method for controlling user access to a Linux host according to claim 1 or 2, characterized in that it further comprises:
step D: when a user name's permissions change, a change request is raised through the centralized access control management system;
step E: the centralized access control management system generates a change instruction from the request; after an administrator confirms it, the system stores the change instruction in its database and at the same time issues it to the node agent program of the corresponding target host;
step F: the node agent program of the target host carries out the change by modifying the underlying configuration files of the Linux system according to the change instruction, and returns the result of the change to the centralized access control management system.
4. The method for controlling user access to a Linux host according to claim 3, characterized in that step F comprises:
f1: according to the change instruction, the node agent program of the target host reads the user information in the Linux host's underlying configuration files, namely the name and bash fields of the accountInfo file, and modifies the /etc/passwd configuration file accordingly;
f2: the node agent program of the target host reads the network access information in the Linux host's underlying configuration files, namely the accessIP field of the accountInfo file, and modifies the iptables configuration according to the change instruction;
f3: the node agent program of the target host checks whether the configuration files were changed correctly and returns the result to the centralized access control management system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910909244.4A CN110677404B (en) | 2019-09-25 | 2019-09-25 | User access control method for Linux host |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110677404A CN110677404A (en) | 2020-01-10 |
CN110677404B true CN110677404B (en) | 2022-06-24 |
Family
ID=69079164
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910909244.4A Active CN110677404B (en) | 2019-09-25 | 2019-09-25 | User access control method for Linux host |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110677404B (en) |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8087065B2 (en) | 2006-11-17 | 2011-12-27 | Mcafee, Inc. | Method and system for implementing mandatory file access control in native discretionary access control environments |
CN101695033A (en) | 2009-09-25 | 2010-04-14 | 上海交通大学 | Network vulnerability analysis system based on privilege escalation |
CN102333090A (en) | 2011-09-28 | 2012-01-25 | 辽宁国兴科技有限公司 | Internal control bastion host and secure access method for internal network resources |
CN105703925A (en) | 2014-11-25 | 2016-06-22 | 上海天脉聚源文化传媒有限公司 | Security hardening method and system for a Linux system |
CN104615916B (en) | 2014-12-12 | 2018-06-19 | 腾讯科技(深圳)有限公司 | Account management method and device, account permission control method and device |
CN107070951A (en) | 2017-05-25 | 2017-08-18 | 北京北信源软件股份有限公司 | Intranet security protection system and method |
CN107277026A (en) | 2017-06-29 | 2017-10-20 | 福建天泉教育科技有限公司 | Intranet access method and terminal |
Similar Documents
Publication | Title |
---|---|
US10404708B2 (en) | System for secure file access |
US9992068B2 (en) | Rule based mobile device management delegation |
US9471577B2 (en) | Hierarchical multi-tenancy management of system resources in resource groups |
US8381306B2 (en) | Translating role-based access control policy to resource authorization policy |
CN101836186B (en) | A method and system for communicating between isolation environments |
CN108475288B (en) | System, method and equipment for unified access control of combined database |
US7882544B2 (en) | Inherited role-based access control system, method and program product |
US10650158B2 (en) | System and method for secure file access of derivative works |
US20120131646A1 (en) | Role-based access control limited by application and hostname |
US20140115660A1 (en) | Methods and systems for forcing an application to store data in a secure storage location |
US20120150858A1 (en) | Partitioning management of system resources across multiple users |
US8166472B2 (en) | Installation utility system and method |
US8316420B2 (en) | Access control on dynamically instantiated portal applications |
CN105225072A (en) | Access management method and system for a multi-application system |
US12250212B2 (en) | Computer user credentialing and verification system |
CN110677404B (en) | User access control method for Linux host |
WO2018175643A1 (en) | System and method for providing restricted access to production files in a code development environment |
US20230421609A1 (en) | Organization based access control with boundary access policies |
CN112823501A (en) | System and method for determining data connections between software applications |
Stanek | Windows group policy: The personal trainer for Windows Server 2012 and Windows Server 2012 R2 |
US12132735B1 (en) | Specification language for generating graph reachability-based analyses for cloud-based system resources |
Stanek | InsideOUT |
Stefanovic et al. | Identity with Windows Server 2016: Microsoft 70-742 MCSA Exam Guide: Deploy, Configure, and Troubleshoot Identity Services and Group Policy in Windows Server 2016 |
Bera et al. | A WLAN security management framework based on formal spatio‐temporal RBAC model |
Solutions | Group Policy Fast Start: A Quick Start Guide for Group Policy |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |