CentOS 7安裝完成后初始化的方法

更新時(shí)間：2016年10月26日 14:45:36 作者：shaonbean

這篇文章主要介紹了CentOS 7安裝完成后初始化的方法,本文分步驟給大家介紹的非常詳細(xì)，具有參考借鑒價(jià)值，需要的朋友可以參考下

1、添加用戶

新增名為"wang"的用戶

[root@vdevops ~]# useradd wang #添加賬戶
[root@vdevops ~]# passwd wang #設(shè)置密碼
Changing password for user wang.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@vdevops ~]# exit #退出
以用戶"wang"為例，設(shè)置其為唯一擁有管理員權(quán)限的賬戶
[root@vdevops ~]# usermod -G wheel wang
[root@vdevops ~]# vim /etc/pam.d/su
[html] view plain copy print?
#%PAM-1.0 
auth sufficient pam_rootok.so 
# Uncomment the following line to implicitly trust users in the "wheel" group. 
#auth sufficient pam_wheel.so trust use_uid 
# Uncomment the following line to require a user to be in the "wheel" group. 
# 取消下面一行的注釋 
auth required pam_wheel.so use_uid 
auth substack system-auth 
auth include postlogin 
account sufficient pam_succeed_if.so uid = 0 use_uid quiet 
account include system-auth 
password include system-auth 
session include system-auth 
session include postlogin 
session optional pam_xauth.so 
設(shè)置root賬戶的郵件轉(zhuǎn)發(fā)
# Person who should get root's mail
# 最后一行，取消注釋，改變用戶名稱
root: wang

2、設(shè)置防火墻和SELINUX

【1】防火墻

查看防火墻狀態(tài)

[root@vdevops ~]# systemctl status firewalld 
● firewalld.service - firewalld - dynamic firewall daemon 
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) 
Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago 
Main PID: 744 (firewalld) 
CGroup: /system.slice/firewalld.service 
└─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid 
Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon... 
Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon.

防火墻基本操作

[root@vdevops ~]# systemctl start firewalld #啟動(dòng)防火墻 
[root@vdevops ~]# systemctl enable firewalld #設(shè)置防火墻開機(jī)自啟

默認(rèn)情況下，“public”區(qū)域應(yīng)用于NIC，dhcpv6-client和ssh是允許的。

當(dāng)使用“firewall-cmd”命令操作時(shí)，如果輸入命令不帶“--zone = ***”規(guī)范，則配置設(shè)置為默認(rèn)區(qū)域。

#顯示默認(rèn)區(qū)域 
[root@vdevops ~]# firewall-cmd --get-default-zone 
public 
#顯示當(dāng)前設(shè)置 
[root@vdevops ~]# firewall-cmd --list-all 
public (default, active) 
interfaces: eno16777736 
sources: 
services: dhcpv6-client ssh 
ports: 
masquerade: no 
forward-ports: 
icmp-blocks: 
rich rules: 
#顯示全部區(qū)域 
[root@vdevops ~]# firewall-cmd --list-all-zones 
block 
interfaces: 
sources: 
services: 
ports: 
masquerade: no 
forward-ports: 
icmp-blocks: 
rich rules: 

dmz 
interfaces: 
sources: 
services: ssh 
ports: 
masquerade: no 
forward-ports: 
icmp-blocks: 
rich rules: 
... 
#顯示特定區(qū)域允許的服務(wù) 
[root@vdevops ~]# firewall-cmd --list-service --zone=external 
ssh 
#改變默認(rèn)區(qū)域 
[root@vdevops ~]# firewall-cmd --set-default-zone=external 
success 
#改變制定區(qū)域的接口 
[root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external 
success 
#顯示制定區(qū)域的狀態(tài) 
[root@vdevops ~]# firewall-cmd --list-all --zone=external 
external (default, active) 
interfaces: eno16777736 eth1 
sources: 
services: ssh 
ports: 
masquerade: yes 
forward-ports: 
icmp-blocks: 
rich rules: 
#注：改變制定區(qū)域的接口，前提是次接口在當(dāng)前系統(tǒng)是存在的

顯示默認(rèn)定義的服務(wù)

[root@vdevops ~]# firewall-cmd --get-services 
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https 
#定義文件路徑如下，如果需要添加新的定義文件，在下面目錄添加相應(yīng)的XML文件 
[root@vdevops ~]# ls /usr/lib/firewalld/services 
amanda-client.xml freeipa-ldap.xml ipp.xml libvirt.xml pmcd.xml RH-Satellite-6.xml tftp-client.xml 
bacula-client.xml freeipa-replication.xml ipsec.xml mdns.xml pmproxy.xml rpc-bind.xml tftp.xml 
bacula.xml ftp.xml iscsi-target.xml mountd.xml pmwebapis.xml rsyncd.xml transmission-client.xml 
dhcpv6-client.xml high-availability.xml kerberos.xml ms-wbt.xml pmwebapi.xml samba-client.xml vdsm.xml 
dhcpv6.xml https.xml kpasswd.xml mysql.xml pop3s.xml samba.xml vnc-server.xml 
dhcp.xml http.xml ldaps.xml nfs.xml postgresql.xml smtp.xml wbem-https.xml 
dns.xml imaps.xml ldap.xml ntp.xml proxy-dhcp.xml ssh.xml 
freeipa-ldaps.xml ipp-client.xml libvirt-tls.xml openvpn.xml radius.xml telnet.xml

添加或刪除允許的服務(wù)，重新啟動(dòng)系統(tǒng)后，更改將恢復(fù)。如果永久更改設(shè)置，請(qǐng)?zhí)砑印?-permanent”選項(xiàng)。

#以添加http服務(wù)為例 
[root@vdevops ~]# firewall-cmd --add-service=http 
success 
[root@vdevops ~]# firewall-cmd --list-service 
http ssh 
#移除添加的http 
<pre name="code" class="html">[root@vdevops ~]# firewall-cmd --remove-service=http 
success 
[root@vdevops ~]# firewall-cmd --list-service 
ssh 
#添加http服務(wù)，永久生效 
[root@vdevops ~]# firewall-cmd --add-service=http --permanentsuccess
[root@vdevops ~]# firewall-cmd --reloadsuccess[root@vdevops ~]# firewall-cmd --list-servicehttp ssh

添加和移除端口

[root@vdevops ~]# firewall-cmd --add-port=465/tcp #添加端口 
success 
[root@vdevops ~]# firewall-cmd --list-port 
465/tcp 
[root@vdevops ~]# firewall-cmd --remove-port=465/tcp #移除端口 
success 
[root@vdevops ~]# firewall-cmd --list-port 
[root@vdevops ~]# firewall-cmd --add-port=465/tcp --permanent #添加端口，永久生效 
success 
[root@vdevops ~]# firewall-cmd --reload 
success 
[root@vdevops ~]# firewall-cmd --list-port 
465/tcp

加或刪除禁止的ICMP類型

[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request #添加禁止回應(yīng)請(qǐng)求 
success 
[root@dlp ~]# firewall-cmd --list-icmp-blocks 
echo-request 
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request #移除添加的參數(shù) 
success 
[root@dlp ~]# firewall-cmd --list-icmp-blocks 
[root@dlp ~]# firewall-cmd --get-icmptypes #顯示ICMP支持的功能 
destination-unreachable echo-reply echo-request parameter-problem redirect 
router-advertisement router-solicitation source-quench time-exceeded

【2】如果不需要防火墻服務(wù)，關(guān)閉如下

[root@vdevops ~]# systemctl stop firewalld #停止防火墻服務(wù) 
[root@vdevops ~]# systemctl disable firewalld #禁止防火墻開機(jī)自啟 
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. 
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service. 
3、SELinux
[html] view plain copy print?
[root@vdevops ~]# getenforce #查看SELINUX工作模式 
Enforcing 
[root@vdevops ~]# sed -i 's/SELINUX=Enforcing/SELINUX=disabled/' /etc/selinux/config #禁用SELINUX 
[root@vdevops ~]# setenforce 0 #臨時(shí)禁用SELINUX，無需重啟

4、網(wǎng)絡(luò)設(shè)置

【1】、設(shè)置靜態(tài)IP和改變接口名稱

[root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24 #設(shè)置靜態(tài)IP 
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1 #設(shè)置網(wǎng)關(guān) 
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1 #設(shè)置DNS 
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual #設(shè)置ipv4的類型為靜態(tài) 
[root@vdevops ~]# nmcli c down eno16777736;nmcli c up eno16777736 #重啟網(wǎng)絡(luò)接口 
Connection 'eno16777736' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/0) 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1) 
[root@vdevops ~]# nmcli d show eno16777736 #查看網(wǎng)絡(luò)接口狀態(tài) 
GENERAL.DEVICE: eno16777736 
GENERAL.TYPE: ethernet 
GENERAL.HWADDR: 00:0C:29:B6:F5:5E 
GENERAL.MTU: 1500 
GENERAL.STATE: 100 (connected) 
GENERAL.CONNECTION: eno16777736 
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1 
WIRED-PROPERTIES.CARRIER: on 
IP4.ADDRESS[1]: 10.1.1.56/24 
IP4.GATEWAY: 10.1.1.1 
IP4.DNS[1]: 10.1.1.1 
IP6.ADDRESS[1]: fe80::20c:29ff:feb6:f55e/64 
IP6.GATEWAY: 
[root@vdevops ~]# ip addr show #查看IP狀態(tài) 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
inet 127.0.0.1/8 scope host lo 
valid_lft forever preferred_lft forever 
inet6 ::1/128 scope host 
valid_lft forever preferred_lft forever 
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 
link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff 
inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736 
valid_lft forever preferred_lft forever 
inet6 fe80::20c:29ff:feb6:f55e/64 scope link 
valid_lft forever preferred_lft forever

【2】禁用IPV6

[root@vdevops ~]# vim /etc/default/grub 
#第六行，添加 
GRUB_CMDLINE_LINUX="crashkernel=auto <span style="color:#FF0000;">ipv6.disable=1</span> rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet" 
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg 
Generating grub configuration file ... 
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64 
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img 
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64 
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img 
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94 
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img 
done 
[root@vdevops ~]# reboot #重啟系統(tǒng)

【3】如果要將網(wǎng)絡(luò)接口名稱用作ethX，請(qǐng)按如下所示進(jìn)行配置。

[root@vdevops ~]# vim /etc/default/grub 
#第六行添加 
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 <span style="color:#FF0000;">net.ifnames=0</span> rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet 
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg 
Generating grub configuration file ... 
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64 
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img 
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64 
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img 
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94 
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img 
done

4、服務(wù)設(shè)置

[1]、查看服務(wù)狀態(tài)

# 顯示正在運(yùn)行的服務(wù) 
[root@vdevops ~]# systemctl -t service 
UNIT LOAD ACTIVE SUB DESCRIPTION 
auditd.service loaded active running Security Auditing Service 
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack 
crond.service loaded active running Command Scheduler 
dbus.service loaded active running D-Bus System Message Bus 
getty@tty1.service loaded active running Getty on tty1 
... 
... 
... 
systemd-udevd.service loaded active running udev Kernel Device Manager 
systemd-update-utmp.service loaded active exited Update UTMP about System Reboot/Shutdown 
systemd-user-sessions.service loaded active exited Permit User Sessions 
systemd-vconsole-setup.service loaded active exited Setup Virtual Console 
tuned.service loaded active running Dynamic System Tuning Daemon 
LOAD = Reflects whether the unit definition was properly loaded. 
ACTIVE = The high-level unit activation state, i.e. generalization of SUB. 
SUB = The low-level unit activation state, values depend on unit type. 
39 loaded units listed. Pass --all to see loaded but inactive units, too. 
To show all installed unit files use 'systemctl list-unit-files'. 
# 顯示所有服務(wù) 
[root@vdevops ~]# systemctl list-unit-files -t service 
UNIT FILE STATE 
auditd.service enabled 
autovt@.service disabled 
avahi-daemon.service enabled 
blk-availability.service disabled 
brandbot.service static 
... 
... 
... 
systemd-user-sessions.service static 
systemd-vconsole-setup.service static 
teamd@.service static 
tuned.service enabled 
wpa_supplicant.service disabled 
125 unit files listed.

[2]、設(shè)置停止啟動(dòng)自動(dòng)的服務(wù)

[root@vdevops ~]# systemctl stop postfix #停止服務(wù) 
[root@vdevops ~]# systemctl disable postfix 
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service. 
[root@vdevops ~]# systemctl start postfix 
[root@vdevops ~]# systemctl enable postfix 
Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service. 
[root@vdevops ~]# systemctl status postfix 
● postfix.service - Postfix Mail Transport Agent 
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled) 
Active: active (running) since Wed 2016-10-26 18:40:35 CST; 15s ago 
Main PID: 10071 (master) 
CGroup: /system.slice/postfix.service 
├─10071 /usr/libexec/postfix/master -w 
├─10072 pickup -l -t unix -u 
└─10073 qmgr -l -t unix -u 

Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol 
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol 
Oct 26 18:40:35 vdevops.com postfix[9999]: postsuper: warning: inet_protocols: disabling IPv6 name/address support: Address family no...rotocol 
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol 
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol 
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol 
Oct 26 18:40:35 vdevops.com postfix/master[10071]: daemon started -- version 2.10.1, configuration /etc/postfix 
Oct 26 18:40:35 vdevops.com systemd[1]: Started Postfix Mail Transport Agent. 
Oct 26 18:40:35 vdevops.com postfix/qmgr[10073]: warning: inet_protocols: disabling IPv6 name/address support: Address family not sup...rotocol 
Oct 26 18:40:35 vdevops.com postfix/pickup[10072]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol 
Hint: Some lines were ellipsized, use -l to show in full.

[3]、還有一些SysV服務(wù)。它們由chkconfig控制，如下所示

[root@vdevops ~]# chkconfig --list 
Note: This output shows SysV services only and does not include native 
systemd services. SysV configuration data might be overridden by native 
systemd configuration. 
If you want to list systemd services use 'systemctl list-unit-files'. 
To see services enabled on particular target use 
'systemctl list-dependencies [target]'. 
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off 
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off

5、更新系統(tǒng)添加其他源

yum update -y

添加其它源

添加一些有用的外部存儲(chǔ)庫來安裝有用的軟件

【1】安裝插件以向每個(gè)安裝的存儲(chǔ)庫添加優(yōu)先級(jí)。

[root@vdevops ~]# yum -y install yum-plugin-priorities 
# 設(shè)置官方源的優(yōu)先級(jí)為[priority=1] 
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo

【2】添加從Fedora項(xiàng)目提供的EPEL存儲(chǔ)庫

[root@vdevops ~]# yum -y install epel-release 
# 設(shè)置優(yōu)先級(jí)[priority=5] 
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo 
# 可以通過設(shè)置enabled=0，來控制安裝軟件包時(shí)使用相應(yīng)的源 
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo 
# 如果[enabled=0], 使用下面命令安裝軟件包 
[root@vdevops ~]# yum --enablerepo=epel install [Package]

【3】添加CentOS SCLo軟件集合存儲(chǔ)庫。

[root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl 
# 設(shè)置優(yōu)先級(jí)[priority=10] 
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo 
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo 
# 設(shè)置 [enabled=0] 
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo 
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo 
# 設(shè)置[enabled=0], 通過下面命令使用相應(yīng)源 
[root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package] 
[root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]

【4】添加Remi的RPM存儲(chǔ)庫，它提供了許多有用的包

[root@vdevops ~]# yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm 
# 設(shè)置優(yōu)先級(jí) [priority=10] 
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/remi-safe.repo

6、配置特色的vim

【1】安裝vim

[root@vdevops ~]# yum -y install vim-enhanced

【2】設(shè)置別名

設(shè)置命令別名。（適用于以下所有用戶，如果您申請(qǐng)某個(gè)用戶，請(qǐng)?jiān)凇?#12316;/ .bashrc”中寫入相同的設(shè)置）

[root@dlp ~]# vi /etc/profile 
# 在最后添加下面一行內(nèi)容 
alias vi='vim' 
[root@dlp ~]# source /etc/profile #重載

或者

echo "alias vi='vim'" >> /etc/profile && source /etc/profile

【3】配置vim，針對(duì)所有用戶生效修改/etc/vimrc，針對(duì)特定用戶生效修改~/.vimrc

主要用語法高亮，插件使用，自動(dòng)縮進(jìn)等功能，本文不做詳細(xì)操作，后續(xù)會(huì)專門寫一篇關(guān)于優(yōu)化vim使用的博文，工欲善其事必先利其器

7、設(shè)置sudo

配置sudo以區(qū)分用戶的職責(zé)，如果一些人共享權(quán)限，必手動(dòng)安裝sudo，因?yàn)樗J(rèn)安裝，即使“最小安裝”

【1】設(shè)置普通用戶擁有root的所有權(quán)限

[root@vdevops ~]# visudo 
# 添加下面一行，使用戶“wang”擁有root的所有權(quán)限 
wang ALL=(ALL) ALL 
# 普通用戶使用root命令 
# 確保用戶為 'wang' 
[wang@vdevops ~]$ /usr/bin/cat /etc/shadow 
cat: /etc/shadow: Permission denied# denied normally 
[wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow 
[sudo] password for cent:# own password 
daemon:*:16231:0:99999:7::: 
adm:*:16231:0:99999:7::: 
lp:*:16231:0:99999:7::: 
... 
... 
# 輸入wang的密碼可以看到執(zhí)行結(jié)果

【2】設(shè)置用戶不能執(zhí)行危險(xiǎn)命令

[root@vdevops ~]# visudo 
# 49行: 定義別名SHUTDOWN 
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init 
# 設(shè)置用戶wang不能執(zhí)行別名SHUTDOWN對(duì)應(yīng)的命令 
wang ALL=(ALL) ALL, !SHUTDOWN 
# 確保用戶為'wang' 
[wang@vdevops ~]$ sudo /sbin/shutdown -r now 
Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com. # denied normally

【3】創(chuàng)建一個(gè)特殊的組，組用戶可以執(zhí)行部分root命令

[root@vdevops ~]# visudo 
# 51行: 為管理用戶的幾個(gè)命令設(shè)置別名為USERMGR 
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd 
# 最后一行添加 
%usermgr ALL=(ALL) USERMGR 
[root@vdevops ~]# groupadd usermgr 
[root@vdevops ~]# usermod -G usermgr wang 
# 確保用戶為wang 
[wang@vdevops ~]$ sudo /usr/sbin/useradd testuser 
#輸入用戶wang的密碼，查看創(chuàng)建結(jié)果，顯示成功 
[wang@vdevops ~]$ sudo /usr/bin/passwd testuser 
Changing password for user testuser. 
New UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.

【4】設(shè)置sudo日志

sudo的日志保存在/ var / log / secure中，但它中有很多種類的日志。如果你想保持只有sudo的日志在一個(gè)文件，設(shè)置如下：

[root@vdevops ~]# visudo 
# 最后一行添加 
Defaults syslog=local1 
[root@vdevops ~]# vi /etc/rsyslog.conf 
# 在54行修改，添加<span style="color:#FF6666;">local1.none</span> 
*.info;mail.none;authpriv.none;cron.none;<span style="color:#FF6666;">local1.none</span> 
/var/log/messages 
# 添加下面一行內(nèi)容 
local1.* /var/log/sudo.log 
[root@vdevops ~]# systemctl restart rsyslog #重啟rsyslog服務(wù)

以上所述是小編給大家介紹的CentOS 7安裝完成后初始化的方法，希望對(duì)大家有所幫助，如果大家有任何疑問請(qǐng)給我留言，小編會(huì)及時(shí)回復(fù)大家的。在此也非常感謝大家對(duì)腳本之家網(wǎng)站的支持！

您可能感興趣的文章: