How to configure a CentOS system to restrict user access to system processes

WBOY (original)
2023-07-08 13:05:06

In a Linux system, users can access and control system processes from the command line and by other means. Sometimes, however, we need to restrict certain users' access to system processes to strengthen system security and prevent malicious behavior. This article introduces how to configure a CentOS system to restrict user access to system processes.

  1. Use PAM configuration restrictions

PAM (Pluggable Authentication Modules) is the modular authentication mechanism of Linux systems. By modifying PAM configuration files, we can impose restrictions on users. The steps for configuring PAM to restrict user access to system processes are as follows:

First, edit the /etc/security/access.conf file:

sudo vi /etc/security/access.conf

Add the following content to the file:

-:user:ALL, EXCEPT root systemd

This will prevent the 'user' user from accessing all system processes except root and systemd users.

Next, edit the /etc/pam.d/login file:

sudo vi /etc/pam.d/login

Add the following at the end of the file:

account required pam_access.so

This makes PAM check the access rules in the /etc/security/access.conf file when the user logs in.

Finally, restart the system to make the PAM configuration take effect:

sudo reboot
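
The two edits above can be verified before (or instead of) rebooting: PAM re-reads its configuration files at every login, so a check against the live files is enough. The script below is an added example and not part of the original article; the function names (check_access_conf, check_pam_service, verify_pam_access) and the sample files are my own, and the file paths are parameters so the checks also run against constructed copies rather than the real /etc files. Note that pam_access treats the third field of a rule as a list of login origins (ttys, hosts, networks), so what the check confirms is that each rule has the three-field shape the module expects and that the module is actually loaded in the account phase of the service.

```shell
#!/bin/sh
# Added example (not from the original article): verify the pam_access
# wiring without rebooting. File paths are parameters so the functions
# also run against constructed copies instead of the real /etc files.

# Every active rule in an access.conf-style file must have the shape
#   permission:users_or_groups:origins
# with the permission being "+" (allow) or "-" (deny).
# Returns 0 when all rules are well-formed, 1 otherwise.
check_access_conf() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            perm = $1; gsub(/^[ \t]+|[ \t]+$/, "", perm)
            if (NF != 3 || (perm != "+" && perm != "-")) {
                bad++
                print "malformed rule: " $0
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# pam_access only runs if a PAM service file loads it in the "account"
# phase. Returns 0 when the service file has such a line.
check_pam_service() {
    grep -Eq '^[[:space:]]*account[[:space:]]+(required|requisite)[[:space:]]+pam_access\.so' "$1"
}

# Combined check: rules are well-formed and the service file loads the module.
verify_pam_access() {
    check_access_conf "$1" && check_pam_service "$2"
}

# Demo on constructed copies of the two files (constructed sample data,
# not the contents of any real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/access.conf" <<'EOF'
# constructed sample access.conf
-:user:ALL, EXCEPT root systemd
+:ALL:ALL
EOF
printf 'account required pam_access.so\n' > "$demo_dir/login"

if verify_pam_access "$demo_dir/access.conf" "$demo_dir/login"; then
    echo "pam_access rules are well-formed and the module is loaded for login"
else
    echo "pam_access configuration problem; see messages above"
fi
rm -rf "$demo_dir"
```

To check a real host, call verify_pam_access /etc/security/access.conf /etc/pam.d/login as root; a malformed rule is printed with its line so it can be corrected before the next login is affected.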

  2. Use Linux system permission management tools

In addition to PAM, Linux provides other permission management tools such as SELinux and the sudoers file. Here is how to use these two tools to limit user access to system processes:

SELinux is a security subsystem that implements mandatory access control. By modifying the SELinux configuration file, we can restrict user access to system processes. Edit the /etc/selinux/config file:

sudo vi /etc/selinux/config

Set the value of SELINUX to enforcing:

SELINUX=enforcing

Save and close the file.

Then, restart the system for the configuration to take effect:

sudo reboot
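
A reboot is only unavoidable when SELinux is being turned on from the disabled state (the kernel has to relabel the filesystem on the way up); switching between permissive and enforcing takes effect immediately with setenforce. The script below is an added example and not part of the original article; the function names (selinux_config_mode, selinux_change_needed) are my own, and the config path is a parameter so the demo can run against a constructed copy of /etc/selinux/config. It reads the configured mode, compares it with the running mode as printed by getenforce, and says whether nothing, a live setenforce, or a reboot is needed.

```shell
#!/bin/sh
# Added example (not from the original article): read the configured
# SELinux mode from a config file and decide what it takes to reach it
# from the currently running mode.

# Print the value of SELINUX= from the given config file ("" if absent).
selinux_config_mode() {
    awk -F= '/^[ \t]*SELINUX[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v); mode = v }
             END { print mode }' "$1"
}

# $1 = config file, $2 = running mode as printed by "getenforce"
# (Enforcing, Permissive or Disabled). Prints one of:
#   none    - already running as configured
#   live    - "setenforce 1" (or 0) is enough, no reboot
#   reboot  - SELinux is only enabled/disabled at boot
selinux_change_needed() {
    want=$(selinux_config_mode "$1")
    have=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$want" = "$have" ]; then
        echo none
    elif [ "$want" = disabled ] || [ "$have" = disabled ]; then
        echo reboot
    else
        echo live
    fi
}

# Demo with a constructed config (sample data, not a real host's file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
# Use the real running mode where getenforce exists, otherwise assume Permissive.
if command -v getenforce >/dev/null 2>&1; then
    running=$(getenforce)
else
    running=Permissive
fi
echo "configured: $(selinux_config_mode "$demo"), running: $running, action: $(selinux_change_needed "$demo" "$running")"
rm -f "$demo"
```

On a real host run selinux_change_needed /etc/selinux/config "$(getenforce)"; an answer of "live" means setenforce 1 brings the system into the configured mode without the reboot.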

sudoers is the configuration file that controls which commands users may run through sudo. By modifying the sudoers file, we can assign specific permissions to users. Edit the sudoers file:

sudo visudo

Add the following content in the file:

user ALL=(ALL) ALL
user ALL=!/bin/kill

This allows the 'user' user to run commands through sudo but denies it the kill command (used to terminate processes).

Save and close the file.
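
One caveat a practitioner should keep in mind with rules of this shape: the sudoers manual's own security notes state that excluding commands from an ALL grant with "!" is not an effective restriction, because the user can copy the binary to another name and run the copy. An administrator should therefore know where such "ALL minus exclusions" rules exist. The script below is an added example and not part of the original article; the function names (sudoers_syntax_ok, audit_sudoers_user) are my own, and the file path is a parameter so the demo runs against a constructed fragment holding the two lines above. It runs visudo's syntax check where visudo is installed, then lists each command a user is granted or denied and warns when ALL is combined with exclusions.

```shell
#!/bin/sh
# Added example (not from the original article): audit a sudoers file or
# /etc/sudoers.d fragment for a user granted ALL with "!" exclusions.

# Run visudo's syntax check when it is installed; otherwise skip (status 0).
sudoers_syntax_ok() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$1"
    else
        echo "visudo not available; syntax check skipped" >&2
    fi
}

# List the commands granted and excluded for user $2 in file $1.
# Exit status: 0 = no "ALL minus exclusions" pattern, 2 = pattern found.
audit_sudoers_user() {
    awk -v u="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == u {
            spec = $0; sub(/^[^=]*=/, "", spec)     # keep the Cmnd_Spec_List
            n = split(spec, parts, ",")
            for (i = 1; i <= n; i++) {
                p = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", p)
                sub(/^\([^)]*\)[ \t]*/, "", p)      # drop a (runas) prefix
                if (p ~ /^!/)      { neg++; print "  excluded: " p }
                else if (p == "ALL") { all++; print "  grants:   ALL" }
                else               { print "  grants:   " p }
            }
        }
        END {
            if (all && neg) {
                print "WARNING: " u " has ALL with exclusions; not a real restriction"
                exit 2
            }
        }
    ' "$1"
}

# Demo: the two lines from the article, written to a constructed fragment.
frag=$(mktemp)
cat > "$frag" <<'EOF'
user ALL=(ALL) ALL
user ALL=!/bin/kill
EOF
sudoers_syntax_ok "$frag" || echo "syntax check reported a problem"
if audit_sudoers_user "$frag" user; then
    echo "no ALL-minus-exclusions rule for user"
else
    echo "audit flagged the rule for user"
fi
rm -f "$frag"
```

If the goal is that 'user' can never terminate processes through sudo, the robust form is a positive list of the commands the user actually needs (for example a specific systemctl invocation) rather than ALL with exclusions; the audit returns 0 for such a fragment.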

  3. Use ACLs to set process access permissions

ACL, or Access Control List, is an additional permission mechanism in Linux systems. Using ACLs, we can set access permissions on specific processes for specific users or user groups. The steps for using ACLs to restrict user access to system processes are as follows:

First, install the acl package:

sudo yum install acl

Then, use the setfacl command to set ACL rules for users or user groups on the files whose process access needs to be restricted. For example, to restrict the 'user1' user's access to process 1:

sudo setfacl -m u:user1:--- /proc/1

This will disable the 'user1' user's access to process 1.

You can use the getfacl command to check whether the ACL rules have taken effect:

getfacl /proc/1

After the configuration is completed, the user's access to system processes will be restricted.
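
The getfacl check in the step above is the important one, and it should be scripted rather than eyeballed, because setfacl can fail silently from an automation's point of view: procfs does not support extended attributes, so setfacl on a path under /proc returns "Operation not supported" and no rule is created (hiding other users' processes under /proc is done with the kernel's hidepid mount option instead, which is outside this article's steps). The script below is an added example and not part of the original article; the function names (acl_denies_user, restrict_user_on_path) and the sample getfacl output are my own. It parses getfacl output to confirm a user has an explicit "---" entry, and wraps setfacl so that an unsupported filesystem is reported as a distinct outcome rather than assumed to have worked.

```shell
#!/bin/sh
# Added example (not from the original article): apply a deny-all ACL for a
# user and verify it from getfacl output, handling the case where the target
# filesystem (procfs, for instance) does not support ACLs.

# Parse getfacl output on stdin and check that user $1 has a "---" entry.
# Returns 0 if the user is explicitly denied, 1 otherwise.
acl_denies_user() {
    awk -F: -v u="$1" '
        /^#/ { next }                                  # "# file:", "# owner:" header
        $1 == "user" && $2 == u {
            found = 1; perms = $3
            sub(/[ \t]+#.*$/, "", perms)               # drop a "#effective:" note
        }
        END { exit !(found && perms == "---") }
    '
}

# Apply the ACL and verify it. $1 = user, $2 = path.
# Returns 0 when the rule is in place, 1 when setfacl failed (including a
# filesystem without ACL support), 2 when setfacl succeeded but getfacl does
# not show the rule.
restrict_user_on_path() {
    err=$(mktemp)
    if ! setfacl -m "u:$1:---" "$2" 2>"$err"; then
        if grep -q 'Operation not supported' "$err"; then
            echo "ACLs are not supported on the filesystem holding $2" >&2
        else
            cat "$err" >&2
        fi
        rm -f "$err"
        return 1
    fi
    rm -f "$err"
    if getfacl "$2" 2>/dev/null | acl_denies_user "$1"; then
        return 0
    fi
    return 2
}

# Demo 1: constructed getfacl output (sample data, not from a real system).
sample_acl='# file: srv/app/config
# owner: root
# group: root
user::rw-
user:user1:---
group::r--
mask::r--
other::---'
if printf '%s\n' "$sample_acl" | acl_denies_user user1; then
    echo "sample ACL denies user1"
fi

# Demo 2: live attempt on a temporary file, only where the acl tools exist.
# The user "nobody" is used because setfacl requires an existing account.
if command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1; then
    tmpf=$(mktemp)
    if restrict_user_on_path nobody "$tmpf"; then
        echo "ACL applied and verified on $tmpf"
    else
        echo "ACL not in place on $tmpf (status $?)"
    fi
    rm -f "$tmpf"
fi
```

Running restrict_user_on_path user1 /proc/1 on a CentOS host returns 1 with the "not supported" message, while the same call against a file on ext4 or xfs returns 0 once getfacl shows the user:user1:--- entry.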

Summary:

This article has described how to configure a CentOS system to restrict user access to system processes. By using PAM configuration files, SELinux, the sudoers file and ACL settings, we can effectively prevent malicious users from accessing and manipulating system processes. These measures further improve the security and stability of the system. In practice, choose the configuration method appropriate to your actual needs and follow security best practices.
