ISO 3.0-server three power separation configuration
2022-07-28 06:48:00 【opreator.ke】
【Background】
The classified protection (等保) 3.0 requirement calls for separation of powers on the system. The separation is understood here as three areas: configuration, authorization, and audit. The following applies three-power separation controls to server users along these three lines, for your reference.
I 【Users】
1. System administrator
Role: operating system installation and configuration, application installation, etc.
2. Audit manager
Role: log audit, Internet behavior management, etc.
3. Security administrator
Role: intrusion detection, antivirus, situational awareness, vulnerability scanning, etc.
II 【Configuration】
1. System administrator
User: user1 (the unified system administrator account)
Configure permissions according to your application path.
For example, with the application path /opt/app/:
# Add the user, with /opt/app as its home directory
useradd -d /opt/app user1
passwd user1
usermod -G user1 user1
# Change the owner of /opt/app/ and of all files and subdirectories under it to user user1 and group user1
chown -R user1:user1 /opt/app/
# Set the permissions on the directory
chmod 770 /opt/app/
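2. Audit manager
useradd shenji
passwd shenji
# Limit the audit account to view-only commands
# visudo opens /etc/sudoers and checks the syntax before saving
visudo
shenji ALL = (root) NOPASSWD: /usr/bin/cat , /usr/bin/less , /usr/bin/more , /usr/bin/tail , /usr/bin/head
# Restrict /var/log so that only the audit manager can access it
# Note: as owner, shenji can also modify or delete the logs, and services that write their logs under a non-root account can no longer reach /var/log
chown -R shenji:shenji /var/log
chmod 700 /var/log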
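3. Security administrator
useradd -d /etc anquan
passwd anquan
# Restrict /etc so that only the security administrator can access it
# Make the security administrator (anquan) the owner of /etc
# Note: -R also changes the owner of /etc/sudoers, and sudo refuses a sudoers file that is not owned by uid 0, so the shenji rule from step 2 stops working
chown -R anquan:anquan /etc
# Set the permissions on /etc
# 700 means only the owner may access it; no other users are allowed
# Note: other non-root accounts and services can then no longer read files such as /etc/passwd
chmod 700 /etc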
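A check for the audit account's sudoers rule in step 2, as an added example that is not part of the original post: it reports pagers allowed without the NOEXEC tag (a pager can start other programs, which then run as root) and commands with no fixed path, which can read any file rather than only logs. The function name check_view_rule, the rule in pinned_rule and the path /var/log/messages are constructed for illustration.

```sh
#!/bin/sh
# Added example: lint one sudoers rule meant to give an audit account
# view-only access. check_view_rule and pinned_rule are constructed names.
# Assumes tags (NOPASSWD:, NOEXEC:) appear once, before the command list.

# Prints one finding per line; status 0 when nothing is flagged, else 1.
# The body runs in a subshell, so IFS and set -f do not leak to the caller.
check_view_rule() (
    rule=$1; status=0; noexec=0
    case $rule in *NOEXEC:*) noexec=1 ;; esac
    list=${rule##*:}              # text after the last tag
    set -f                        # keep * and ? in arguments literal
    IFS=,
    for entry in $list; do        # one entry per permitted command
        IFS=' '
        set -- $entry             # $1 = command, the rest = its arguments
        [ $# -gt 0 ] || continue
        cmd=$1; shift; args=$*
        # Pagers can launch other programs, which then run as root.
        case ${cmd##*/} in
            less|more)
                [ "$noexec" -eq 1 ] ||
                    { echo "$cmd: pager without NOEXEC"; status=1; } ;;
        esac
        case $args in
            # With no argument the command may be pointed at any file.
            '')     echo "$cmd: no path restriction"; status=1 ;;
            # sudoers wildcards in arguments match across spaces and slashes.
            *[*?]*) echo "$cmd: wildcard in arguments"; status=1 ;;
        esac
    done
    exit "$status"
)

# The rule from the post, and a constructed rule pinned to one log file.
page_rule='shenji ALL = (root) NOPASSWD: /usr/bin/cat , /usr/bin/less , /usr/bin/more , /usr/bin/tail , /usr/bin/head'
pinned_rule='shenji ALL = (root) NOPASSWD: NOEXEC: /usr/bin/less /var/log/messages'

check_view_rule "$page_rule" || true
check_view_rule "$pinned_rule" && echo "pinned rule: no findings"
```

Run against a candidate line before it goes into /etc/sudoers; a status of 0 only means none of these three patterns was found.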