[root@vdevops ~]# useradd wang #添加账户
[root@vdevops ~]# passwd wang #设置密码
Changing password for user wang.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@vdevops ~]# exit #退出
以用户"wang"为例，设置其为唯一拥有管理员权限的账户
[root@vdevops ~]# usermod -G wheel wang
[root@vdevops ~]# vim /etc/pam.d/su
[html] view plain copy print?
#%PAM-1.0 
auth sufficient pam_rootok.so 
# Uncomment the following line to implicitly trust users in the "wheel" group. 
#auth sufficient pam_wheel.so trust use_uid 
# Uncomment the following line to require a user to be in the "wheel" group. 
# 取消下面一行的注释 
auth required pam_wheel.so use_uid 
auth substack system-auth 
auth include postlogin 
account sufficient pam_succeed_if.so uid = 0 use_uid quiet 
account include system-auth 
password include system-auth 
session include system-auth 
session include postlogin 
session optional pam_xauth.so 
设置root账户的邮件转发
# Person who should get root's mail
# 最后一行，取消注释，改变用户名称
root: wang

[root@vdevops ~]# systemctl status firewalld 
● firewalld.service - firewalld - dynamic firewall daemon 
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) 
Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago 
Main PID: 744 (firewalld) 
CGroup: /system.slice/firewalld.service 
└─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid 
Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon... 
Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon. 

[root@vdevops ~]# systemctl start firewalld #启动防火墙 
[root@vdevops ~]# systemctl enable firewalld #设置防火墙开机自启 

#显示默认区域 
[root@vdevops ~]# firewall-cmd --get-default-zone 
public 
#显示当前设置 
[root@vdevops ~]# firewall-cmd --list-all 
public (default, active) 
interfaces: eno16777736 
sources: 
services: dhcpv6-client ssh 
ports: 
masquerade: no 
forward-ports: 
icmp-blocks: 
rich rules: 
#显示全部区域 
[root@vdevops ~]# firewall-cmd --list-all-zones 
block 
interfaces: 
sources: 
services: 
ports: 
masquerade: no 
forward-ports: 
icmp-blocks: 
rich rules: 

dmz 
interfaces: 
sources: 
services: ssh 
ports: 
masquerade: no 
forward-ports: 
icmp-blocks: 
rich rules: 
... 
#显示特定区域允许的服务 
[root@vdevops ~]# firewall-cmd --list-service --zone=external 
ssh 
#改变默认区域 
[root@vdevops ~]# firewall-cmd --set-default-zone=external 
success 
#改变制定区域的接口 
[root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external 
success 
#显示制定区域的状态 
[root@vdevops ~]# firewall-cmd --list-all --zone=external 
external (default, active) 
interfaces: eno16777736 eth1 
sources: 
services: ssh 
ports: 
masquerade: yes 
forward-ports: 
icmp-blocks: 
rich rules: 
#注：改变制定区域的接口，前提是次接口在当前系统是存在的

[root@vdevops ~]# firewall-cmd --get-services 
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https 
#定义文件路径如下，如果需要添加新的定义文件，在下面目录添加相应的XML文件 
[root@vdevops ~]# ls /usr/lib/firewalld/services 
amanda-client.xml freeipa-ldap.xml ipp.xml libvirt.xml pmcd.xml RH-Satellite-6.xml tftp-client.xml 
bacula-client.xml freeipa-replication.xml ipsec.xml mdns.xml pmproxy.xml rpc-bind.xml tftp.xml 
bacula.xml ftp.xml iscsi-target.xml mountd.xml pmwebapis.xml rsyncd.xml transmission-client.xml 
dhcpv6-client.xml high-availability.xml kerberos.xml ms-wbt.xml pmwebapi.xml samba-client.xml vdsm.xml 
dhcpv6.xml https.xml kpasswd.xml mysql.xml pop3s.xml samba.xml vnc-server.xml 
dhcp.xml http.xml ldaps.xml nfs.xml postgresql.xml smtp.xml wbem-https.xml 
dns.xml imaps.xml ldap.xml ntp.xml proxy-dhcp.xml ssh.xml 
freeipa-ldaps.xml ipp-client.xml libvirt-tls.xml openvpn.xml radius.xml telnet.xml

#以添加http服务为例 
[root@vdevops ~]# firewall-cmd --add-service=http 
success 
[root@vdevops ~]# firewall-cmd --list-service 
http ssh 
#移除添加的http 
<pre name="code" class="html">[root@vdevops ~]# firewall-cmd --remove-service=http 
success 
[root@vdevops ~]# firewall-cmd --list-service 
ssh 
#添加http服务，永久生效 
[root@vdevops ~]# firewall-cmd --add-service=http --permanentsuccess
[root@vdevops ~]# firewall-cmd --reloadsuccess[root@vdevops ~]# firewall-cmd --list-servicehttp ssh

[root@vdevops ~]# firewall-cmd --add-port=465/tcp #添加端口 
success 
[root@vdevops ~]# firewall-cmd --list-port 
465/tcp 
[root@vdevops ~]# firewall-cmd --remove-port=465/tcp #移除端口 
success 
[root@vdevops ~]# firewall-cmd --list-port 
[root@vdevops ~]# firewall-cmd --add-port=465/tcp --permanent #添加端口，永久生效 
success 
[root@vdevops ~]# firewall-cmd --reload 
success 
[root@vdevops ~]# firewall-cmd --list-port 
465/tcp

[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request #添加禁止回应请求 
success 
[root@dlp ~]# firewall-cmd --list-icmp-blocks 
echo-request 
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request #移除添加的参数 
success 
[root@dlp ~]# firewall-cmd --list-icmp-blocks 
[root@dlp ~]# firewall-cmd --get-icmptypes #显示ICMP支持的功能 
destination-unreachable echo-reply echo-request parameter-problem redirect 
router-advertisement router-solicitation source-quench time-exceeded

[root@vdevops ~]# systemctl stop firewalld #停止防火墙服务 
[root@vdevops ~]# systemctl disable firewalld #禁止防火墙开机自启 
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. 
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service. 
3、SELinux
[html] view plain copy print?
[root@vdevops ~]# getenforce #查看SELINUX工作模式 
Enforcing 
[root@vdevops ~]# sed -i 's/SELINUX=Enforcing/SELINUX=disabled/' /etc/selinux/config #禁用SELINUX 
[root@vdevops ~]# setenforce 0 #临时禁用SELINUX，无需重启

[root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24 #设置静态IP 
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1 #设置网关 
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1 #设置DNS 
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual #设置ipv4的类型为静态 
[root@vdevops ~]# nmcli c down eno16777736;nmcli c up eno16777736 #重启网络接口 
Connection 'eno16777736' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/0) 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1) 
[root@vdevops ~]# nmcli d show eno16777736 #查看网络接口状态 
GENERAL.DEVICE: eno16777736 
GENERAL.TYPE: ethernet 
GENERAL.HWADDR: 00:0C:29:B6:F5:5E 
GENERAL.MTU: 1500 
GENERAL.STATE: 100 (connected) 
GENERAL.CONNECTION: eno16777736 
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1 
WIRED-PROPERTIES.CARRIER: on 
IP4.ADDRESS[1]: 10.1.1.56/24 
IP4.GATEWAY: 10.1.1.1 
IP4.DNS[1]: 10.1.1.1 
IP6.ADDRESS[1]: fe80::20c:29ff:feb6:f55e/64 
IP6.GATEWAY: 
[root@vdevops ~]# ip addr show #查看IP状态 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
inet 127.0.0.1/8 scope host lo 
valid_lft forever preferred_lft forever 
inet6 ::1/128 scope host 
valid_lft forever preferred_lft forever 
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 
link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff 
inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736 
valid_lft forever preferred_lft forever 
inet6 fe80::20c:29ff:feb6:f55e/64 scope link 
valid_lft forever preferred_lft forever 

[root@vdevops ~]# vim /etc/default/grub 
#第六行，添加 
GRUB_CMDLINE_LINUX="crashkernel=auto <span style="color:#FF0000;">ipv6.disable=1</span> rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet" 
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg 
Generating grub configuration file ... 
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64 
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img 
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64 
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img 
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94 
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img 
done 
[root@vdevops ~]# reboot #重启系统

[root@vdevops ~]# vim /etc/default/grub 
#第六行添加 
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 <span style="color:#FF0000;">net.ifnames=0</span> rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet 
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg 
Generating grub configuration file ... 
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64 
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img 
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64 
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img 
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94 
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img 
done

# 显示正在运行的服务 
[root@vdevops ~]# systemctl -t service 
UNIT LOAD ACTIVE SUB DESCRIPTION 
auditd.service loaded active running Security Auditing Service 
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack 
crond.service loaded active running Command Scheduler 
dbus.service loaded active running D-Bus System Message Bus 
getty@tty1.service loaded active running Getty on tty1 
... 
... 
... 
systemd-udevd.service loaded active running udev Kernel Device Manager 
systemd-update-utmp.service loaded active exited Update UTMP about System Reboot/Shutdown 
systemd-user-sessions.service loaded active exited Permit User Sessions 
systemd-vconsole-setup.service loaded active exited Setup Virtual Console 
tuned.service loaded active running Dynamic System Tuning Daemon 
LOAD = Reflects whether the unit definition was properly loaded. 
ACTIVE = The high-level unit activation state, i.e. generalization of SUB. 
SUB = The low-level unit activation state, values depend on unit type. 
39 loaded units listed. Pass --all to see loaded but inactive units, too. 
To show all installed unit files use 'systemctl list-unit-files'. 
# 显示所有服务 
[root@vdevops ~]# systemctl list-unit-files -t service 
UNIT FILE STATE 
auditd.service enabled 
autovt@.service disabled 
avahi-daemon.service enabled 
blk-availability.service disabled 
brandbot.service static 
... 
... 
... 
systemd-user-sessions.service static 
systemd-vconsole-setup.service static 
teamd@.service static 
tuned.service enabled 
wpa_supplicant.service disabled 
125 unit files listed.

[root@vdevops ~]# systemctl stop postfix #停止服务 
[root@vdevops ~]# systemctl disable postfix 
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service. 
[root@vdevops ~]# systemctl start postfix 
[root@vdevops ~]# systemctl enable postfix 
Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service. 
[root@vdevops ~]# systemctl status postfix 
● postfix.service - Postfix Mail Transport Agent 
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled) 
Active: active (running) since Wed 2016-10-26 18:40:35 CST; 15s ago 
Main PID: 10071 (master) 
CGroup: /system.slice/postfix.service 
├─10071 /usr/libexec/postfix/master -w 
├─10072 pickup -l -t unix -u 
└─10073 qmgr -l -t unix -u 

Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol 
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol 
Oct 26 18:40:35 vdevops.com postfix[9999]: postsuper: warning: inet_protocols: disabling IPv6 name/address support: Address family no...rotocol 
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol 
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol 
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol 
Oct 26 18:40:35 vdevops.com postfix/master[10071]: daemon started -- version 2.10.1, configuration /etc/postfix 
Oct 26 18:40:35 vdevops.com systemd[1]: Started Postfix Mail Transport Agent. 
Oct 26 18:40:35 vdevops.com postfix/qmgr[10073]: warning: inet_protocols: disabling IPv6 name/address support: Address family not sup...rotocol 
Oct 26 18:40:35 vdevops.com postfix/pickup[10072]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol 
Hint: Some lines were ellipsized, use -l to show in full.

[root@vdevops ~]# chkconfig --list 
Note: This output shows SysV services only and does not include native 
systemd services. SysV configuration data might be overridden by native 
systemd configuration. 
If you want to list systemd services use 'systemctl list-unit-files'. 
To see services enabled on particular target use 
'systemctl list-dependencies [target]'. 
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off 
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off

yum update -y

[root@vdevops ~]# yum -y install yum-plugin-priorities 
# 设置官方源的优先级为[priority=1] 
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo

[root@vdevops ~]# yum -y install epel-release 
# 设置优先级[priority=5] 
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo 
# 可以通过设置enabled=0，来控制安装软件包时使用相应的源 
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo 
# 如果[enabled=0], 使用下面命令安装软件包 
[root@vdevops ~]# yum --enablerepo=epel install [Package]

[root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl 
# 设置优先级[priority=10] 
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo 
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo 
# 设置 [enabled=0] 
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo 
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo 
# 设置[enabled=0], 通过下面命令使用相应源 
[root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package] 
[root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]

[root@vdevops ~]# yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm 
# 设置优先级 [priority=10] 
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/remi-safe.repo

[root@vdevops ~]# yum -y install vim-enhanced

[root@dlp ~]# vi /etc/profile 
# 在最后添加下面一行内容 
alias vi='vim' 
[root@dlp ~]# source /etc/profile #重载

[root@vdevops ~]# visudo 
# 添加下面一行，使用户“wang”拥有root的所有权限 
wang ALL=(ALL) ALL 
# 普通用户使用root命令 
# 确保用户为 'wang' 
[wang@vdevops ~]$ /usr/bin/cat /etc/shadow 
cat: /etc/shadow: Permission denied# denied normally 
[wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow 
[sudo] password for cent:# own password 
daemon:*:16231:0:99999:7::: 
adm:*:16231:0:99999:7::: 
lp:*:16231:0:99999:7::: 
... 
... 
# 输入wang的密码可以看到执行结果

[root@vdevops ~]# visudo 
# 49行: 定义别名SHUTDOWN 
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init 
# 设置用户wang不能执行别名SHUTDOWN对应的命令 
wang ALL=(ALL) ALL, !SHUTDOWN 
# 确保用户为'wang' 
[wang@vdevops ~]$ sudo /sbin/shutdown -r now 
Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com. # denied normally

[root@vdevops ~]# visudo 
# 51行: 为管理用户的几个命令设置别名为USERMGR 
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd 
# 最后一行添加 
%usermgr ALL=(ALL) USERMGR 
[root@vdevops ~]# groupadd usermgr 
[root@vdevops ~]# usermod -G usermgr wang 
# 确保用户为wang 
[wang@vdevops ~]$ sudo /usr/sbin/useradd testuser 
#输入用户wang的密码，查看创建结果，显示成功 
[wang@vdevops ~]$ sudo /usr/bin/passwd testuser 
Changing password for user testuser. 
New UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.

[root@vdevops ~]# visudo 
# 最后一行添加 
Defaults syslog=local1 
[root@vdevops ~]# vi /etc/rsyslog.conf 
# 在54行修改，添加<span style="color:#FF6666;">local1.none</span> 
*.info;mail.none;authpriv.none;cron.none;<span style="color:#FF6666;">local1.none</span> 
/var/log/messages 
# 添加下面一行内容 
local1.* /var/log/sudo.log 
[root@vdevops ~]# systemctl restart rsyslog #重启rsyslog服务