Pulling a cloud provider's image down and hardening it
2020-10-15
Picked up some more odd bits of knowledge.
Background: the client has new requirements and needs the system running in the cloud pulled down and modified to improve its security. There is some time today, so let's walk through the operations the way the client asked for them.
- Q&A:
- Why must the cloud provider's image be modified rather than building a custom image from scratch?
Because the cloud image already has kernel parameters tuned for high-concurrency workloads, which makes it the better starting point.
- What prompted the rework of the system image?
The client's security department compiled a change list from a cloud vendor's summary of the CIS recommended security configuration, and the image has to be brought in line with it.
- Operations:
- 1.1 The image pulled from the cloud is a KVM virtualization disk image. Either convert it to the VMware or Oracle (VirtualBox) disk formats, or modify it directly under KVM. (We chose the latter.)
- 1.2 I don't know the root password of the cloud host that was pulled down (it is the client's image), so the only way in is to reset the password.
- 1.2.1 Password reset steps
--------------------------------------------------------------------------------------------------------
CentOS Linux 7 Rescue ce01317416c548b796c0f253751f9eba (3.10.0-1127.19.1>
CentOS Linux (3.10.0-1127.19.1.el7.x86_64) 7 (Core)
CentOS Linux (3.10.0-1062.18.1.el7.x86_64) 7 (Core)
CentOS Linux (0-rescue-0ea734564f9a4e2881b866b82d679dfc) 7 (Core)
Use the ^ and v keys to change the selection.
Press 'e' to edit the selected item, or 'c' for a command prompt.
--------------------------------------------------------------------------------------------------------
Select the Rescue entry and press 'e'. The edit screen shows the entry's grub.cfg stanza (the trailing backslashes are GRUB wrapping long lines on the 80-column serial console):
setparams 'CentOS Linux 7 Rescue ce01317416c548b796c0f253751f9eba (3.10.0-1127\
.19.1.el7.x86_64)'
load_video
set gfxpayload=keep
insmod gzio
insmod part_msdos
insmod ext2
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1' 4b499d7\
6-769a-40a0-93dc-4a31a59add28
else
search --no-floppy --fs-uuid --set=root 4b499d76-769a-40a0-93dc-4a31\
a59add28
fi
linux16 /boot/vmlinuz-0-rescue-ce01317416c548b796c0f253751f9eba root=U\
UID=4b499d76-769a-40a0-93dc-4a31a59add28 ro crashkernel=auto console=ttyS0 con\
sole=tty0 panic=5 net.ifnames=0 biosdevname=0 intel_idle.max_cstate=1 intel_ps\
tate=disable LANG=en_US.utf8 rd.break        <-- append rd.break at the end of the linux16 line
initrd16 /boot/initramfs-0-rescue-ce01317416c548b796c0f253751f9eba.img
Press Ctrl-x to start, Ctrl-c for a command prompt or Escape to
discard edits and return to the menu. Pressing Tab lists
possible completions.
--------------------------------------------------------------------------------------------------------
Press Ctrl-x to boot the edited entry. The boot output is long and omitted here; rd.break stops the boot inside the initramfs, before the switch to the real root, and drops you into a shell with the real root filesystem mounted read-only on /sysroot.
# mount -o remount,rw /sysroot
# chroot /sysroot
# passwd root                 # set the new root password
SELinux is not enabled on this cloud image, so nothing more is needed. Had it been enforcing or permissive, the /etc/shadow rewritten from the initramfs would carry no SELinux label and every later login would fail until the filesystem is relabeled, so a relabel would have to be requested before leaving the shell.
Then reboot the server. Note that this worked only because the image has no GRUB password and the serial console is reachable; the CIS benchmark the client is following calls for a bootloader password, so that is one of the items to add to this image.
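The emergency-shell steps above, as an added example that is not part of the original post, written so they also cover an image where SELinux is on. It assumes the rd.break layout described above (real root read-only on /sysroot) and that the image keeps its policy mode in /etc/selinux/config; the function names are mine, not a CentOS tool.

```shell
#!/bin/sh
# Added example, not from the original post: root password reset from the
# rd.break emergency shell, with the SELinux relabel handled.
# Assumes the real root is mounted read-only on /sysroot (what rd.break
# gives you) and the policy mode lives in /sysroot/etc/selinux/config.
set -eu

# Return 0 when the SELinux config enables the policy (enforcing or
# permissive). passwd(1) run from the initramfs has no policy loaded, so the
# new /etc/shadow is written unlabeled; without a relabel, login is denied
# after reboot even though the password is correct.
needs_relabel() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*SELINUX=(enforcing|permissive)[[:space:]]*$'
}

# The steps that touch the machine; only run with --apply.
reset_root_from_rd_break() {
    mount -o remount,rw /sysroot
    # Request a full relabel on next boot when the policy is active. On an
    # image with SELinux disabled (as in this post) this is a no-op.
    if needs_relabel "$(cat /sysroot/etc/selinux/config 2>/dev/null || true)"; then
        touch /sysroot/.autorelabel
    fi
    # Run passwd inside the real root so its PAM and shadow settings apply.
    chroot /sysroot /usr/bin/passwd root
    mount -o remount,ro /sysroot
    echo "done: type 'exit' to continue booting (a relabel reboots once more)"
}

if [ "${1:-}" = "--apply" ]; then
    reset_root_from_rd_break
fi
```

Run it as `sh reset.sh --apply` from the rd.break shell; without the flag it only defines the functions. The relabel touches every file on the root filesystem and adds one extra reboot, which is why it is worth checking the config before assuming it is unnecessary.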
Authorized uses only. All activity may be monitored and reported.
packer-5f743718 login: root
Password:
Last failed login: Thu Oct 15 14:15:45 CST 2020 on ttyS0
There were 2 failed login attempts since the last successful login.
Last login: Wed Sep 30 15:53:01 on
[root@packer-5f743718 ~]#
- 1.3 Requirements:
- 1.3.1 The system disk must be repartitioned so that /tmp and /var/tmp are mounted on their own partitions. The requirement is 20G for /tmp and 5G for /var/tmp.
- 1.3.2 The system disk must be grown; including headroom for later adjustments, 30G in total.
[root@localhost ~]# virsh list
 Id    Name                           State
----------------------------------------------------
 3     centos7.0                      running
# virsh destroy is a hard power-off; acceptable for an image under construction, use virsh shutdown for a live guest
[root@localhost ~]# virsh destroy 3
Domain 3 destroyed
# Grow the disk image (the guest must be off for a qcow2 resize)
[root@localhost ~]# qemu-img resize /var/lib/libvirt/images/img2020093008431241.qcow2 +30G
Image resized.
[root@localhost ~]# virsh start centos7.0
Domain centos7.0 started
[root@packer-5f743718 ~]# lsblk /dev/vda
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda 253:0 0 80G 0 disk
└─vda1 253:1 0 50G 0 part /
[root@packer-5f743718 ~]# df -lh
Filesystem Size Used Avail Use% Mounted on
devtmpfs 485M 0 485M 0% /dev
tmpfs 496M 0 496M 0% /dev/shm
tmpfs 496M 612K 495M 1% /run
tmpfs 496M 0 496M 0% /sys/fs/cgroup
/dev/vda1 50G 4.0G 44G 9% /
tmpfs 100M 0 100M 0% /run/user/0
- Create the new partitions
[root@packer-5f743718 ~]# fdisk /dev/vda
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): p
Disk /dev/vda: 85.9 GB, 85899345920 bytes, 167772160 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x0009ac89
Device Boot Start End Blocks Id System
/dev/vda1 * 2048 104857566 52427759+ 83 Linux
Command (m for help): n
Partition type:
p primary (1 primary, 0 extended, 3 free)
e extended
Select (default p):
Using default response p
Partition number (2-4, default 2):
First sector (104857567-167772159, default 104857600):
Using default value 104857600
Last sector, +sectors or +size{K,M,G} (104857600-167772159, default 167772159): +20G
Partition 2 of type Linux and of size 20 GiB is set
Command (m for help): n
Partition type:
p primary (2 primary, 0 extended, 2 free)
e extended
Select (default p):
Using default response p
Partition number (3,4, default 3):
First sector (104857567-167772159, default 146800640):
Using default value 146800640
Last sector, +sectors or +size{K,M,G} (146800640-167772159, default 167772159): +5G
Partition 3 of type Linux and of size 5 GiB is set
Command (m for help): p
Disk /dev/vda: 85.9 GB, 85899345920 bytes, 167772160 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x0009ac89
Device Boot Start End Blocks Id System
/dev/vda1 * 2048 104857566 52427759+ 83 Linux
/dev/vda2 104857600 146800639 20971520 83 Linux
/dev/vda3 146800640 157286399 5242880 83 Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
- Re-read the partition table
[root@packer-5f743718 ~]# partprobe
[root@packer-5f743718 ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda 253:0 0 80G 0 disk
├─vda1 253:1 0 50G 0 part /
├─vda2 253:2 0 20G 0 part
└─vda3 253:3 0 5G 0 part
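The two partitions the fdisk session above creates, as an added example (not from the original post) that computes the layout first and then applies it non-interactively, so the sector numbers can be checked against the requirement before anything is written. It assumes 512-byte sectors, the 1 MiB alignment fdisk applied, that /dev/vda1 ends at sector 104857566 as the `p` output shows, and that parted is installed (partprobe, which the post already uses, ships with it). The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the /tmp (20 GiB) and
# /var/tmp (5 GiB) partitions from the fdisk session as a computed layout, so
# the numbers can be checked before anything is written to /dev/vda.
# Assumes 512-byte sectors and the 1 MiB alignment fdisk applied.
set -eu

SECTOR=512
ALIGN=2048          # 1 MiB expressed in 512-byte sectors

# Round a sector number up to the next 1 MiB boundary.
align_up() {
    echo $(( ($1 + ALIGN - 1) / ALIGN * ALIGN ))
}

# Size in GiB -> number of 512-byte sectors.
gib_to_sectors() {
    echo $(( $1 * 1024 * 1024 * 1024 / SECTOR ))
}

# Print "start end" for a partition of <gib> GiB placed after <prev_end>.
next_partition() {
    prev_end=$1; gib=$2
    start=$(align_up $(( prev_end + 1 )))
    echo "$start $(( start + $(gib_to_sectors "$gib") - 1 ))"
}

# Two lines, "start end" in sectors, for /tmp then /var/tmp, given the last
# sector of the existing root partition.
layout() {
    root_end=$1
    p2=$(next_partition "$root_end" 20)
    echo "$p2"
    next_partition "${p2#* }" 5
}

if [ "${1:-}" = "--apply" ]; then
    # parted takes explicit sector bounds with the "s" suffix; "ext4" here
    # only sets the partition type id (0x83), it does not format anything.
    layout 104857566 | while read -r start end; do
        parted -s /dev/vda unit s mkpart primary ext4 "${start}s" "${end}s"
    done
    partprobe /dev/vda
    lsblk /dev/vda
fi
```

Running `sh layout.sh` with no flag prints the two ranges (104857600 to 146800639 and 146800640 to 157286399), which are exactly the start and end sectors fdisk reported above; `--apply` creates them. Checking the computed layout against the 20G/5G requirement before writing is what the interactive session cannot give you.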
- With partitioning done, on to formatting and mounting.
[root@packer-5f743718 /]# mkfs.ext4 /dev/vda2
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
1310720 inodes, 5242880 blocks
262144 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2153775104
160 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
[root@packer-5f743718 /]# mkfs.ext4 /dev/vda3
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
327680 inodes, 1310720 blocks
65536 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1342177280
40 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
Remaining steps:
Mount the new filesystems, copy the existing contents over, and write the entries to /etc/fstab. Not demonstrated here. Note that separate partitions only deliver the CIS benefit if fstab mounts them with nodev, nosuid and noexec; the sizes alone change nothing security-wise. The final result:
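The mount, copy and fstab steps the post skips, as an added example that is not part of the original. It assumes /dev/vda2 and /dev/vda3 are the freshly formatted ext4 partitions from above, that it runs as root on the guest, and that the client's CIS-derived checklist wants /tmp and /var/tmp mounted nodev,nosuid,noexec (the benchmark's recommendation; the post itself only states the sizes). The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: move /tmp and /var/tmp onto the
# new partitions and persist them in /etc/fstab with the mount options the CIS
# CentOS 7 benchmark asks for. Assumes /dev/vda2 (20G, /tmp) and /dev/vda3
# (5G, /var/tmp) are the ext4 filesystems created above and that this runs
# as root, ideally before services have populated /tmp (e.g. from rescue mode).
set -eu

HARDENED_OPTS="defaults,nodev,nosuid,noexec"

# One fstab line, by UUID so a device renumbering cannot mount the wrong
# partition. Pure function, checkable without root.
fstab_line() {
    printf 'UUID=%s %s ext4 %s 0 2\n' "$1" "$2" "$3"
}

# Given a mount's option string (e.g. from `findmnt -no OPTIONS /tmp`), print
# the hardening options that are absent, comma separated; empty means OK.
missing_opts() {
    have=",$1,"
    missing=""
    for want in nodev nosuid noexec; do
        case "$have" in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    printf '%s' "$missing"
}

# Mount <dev> on a scratch point, copy the current contents of <target> onto
# it, append the fstab entry and mount it in place.
relocate_dir() {
    dev=$1; target=$2; opts=$3
    uuid=$(blkid -s UUID -o value "$dev")
    scratch=$(mktemp -d /mnt/relocate.XXXXXX)
    mount "$dev" "$scratch"
    # -a keeps owner, mode (incl. the sticky bit), timestamps and symlinks;
    # the trailing /. copies the contents, not the directory itself.
    cp -a "$target"/. "$scratch"/
    umount "$scratch"
    rmdir "$scratch"
    cp -p /etc/fstab "/etc/fstab.bak.$(date +%s)"
    fstab_line "$uuid" "$target" "$opts" >> /etc/fstab
    mount "$target"          # uses the fstab entry just written
    chmod 1777 "$target"     # a fresh ext4 root is 0755; /tmp must be world-writable + sticky
}

if [ "${1:-}" = "--apply" ]; then
    relocate_dir /dev/vda2 /tmp     "$HARDENED_OPTS"
    relocate_dir /dev/vda3 /var/tmp "$HARDENED_OPTS"
    for mp in /tmp /var/tmp; do
        m=$(missing_opts "$(findmnt -no OPTIONS "$mp")")
        if [ -z "$m" ]; then echo "$mp: OK"; else echo "$mp: missing $m"; fi
    done
fi
```

Two things bite in practice: the new filesystem's root comes out 0755, so without the chmod every non-root service that writes to /tmp breaks after the reboot; and noexec on /tmp stops installers and yum plugins that unpack and run from there, so exercise the image's own provisioning with the options in place before shipping it. Run `mount -a` once after editing fstab so a typo is caught before the reboot rather than by a stalled boot.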
[root@packer-5f743718 ~]# df -lh
Filesystem Size Used Avail Use% Mounted on
devtmpfs 485M 0 485M 0% /dev
tmpfs 496M 0 496M 0% /dev/shm
tmpfs 496M 560K 495M 1% /run
tmpfs 496M 0 496M 0% /sys/fs/cgroup
/dev/vda1 50G 4.0G 44G 9% /
/dev/vda3 4.8G 21M 4.6G 1% /var/tmp
/dev/vda2 20G 45M 19G 1% /tmp
tmpfs 100M 0 100M 0% /run/user/0