内容大纲
内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
1. 存储安全概述
存储安全是保护存储数据免受未授权访问的重要措施。通过加密、权限控制和审计,可以提高存储系统的安全性。
更多视频教程www.fgedu.net.cn
# 磁盘加密:使用LUKS加密整个磁盘或分区
# 文件系统加密:使用eCryptfs加密特定目录
# 权限控制:设置适当的文件和目录权限
# 审计日志:记录存储访问和操作日志
2. 使用LUKS加密
学习交流加群风哥QQ113257174
使用LUKS加密磁盘分区。
# 1. 安装cryptsetup
[root@localhost ~]# dnf install -y cryptsetup
Updating Subscription Management repositories.
Last metadata expiration check: 0:00:01 ago on Fri 03 Apr 2026 10:00:00 CST.
Dependencies resolved.
================================================================================================================
Package Architecture Version Repository Size
================================================================================================================
Installing:
cryptsetup x86_64 2.4.3-6.el9 baseos 500 k
Installing dependencies:
libpwquality x86_64 1.4.4-8.el9 baseos 100 k
…
Complete!
# 2. 准备分区
[root@localhost ~]# fdisk /dev/sdb
Welcome to fdisk (util-linux 2.37.4).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): n
Partition type
p primary (0 primary, 0 extended, 4 free)
e extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-41943039, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-41943039, default 41943039):
Created a new partition 1 of type ‘Linux’ and of size 20 GiB.
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
# 3. 格式化为LUKS分区
[root@localhost ~]# cryptsetup luksFormat /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type ‘yes’ in capital letters): YES
Enter passphrase for /dev/sdb1:
Verify passphrase:
# 4. 打开LUKS分区
[root@localhost ~]# cryptsetup luksOpen /dev/sdb1 encrypted_data
Enter passphrase for /dev/sdb1:
# 5. 查看映射设备
[root@localhost ~]# ls -l /dev/mapper/encrypted_data
lrwxrwxrwx 1 root root 7 Apr 3 10:00 /dev/mapper/encrypted_data -> ../dm-0
# 6. 格式化为ext4文件系统
[root@localhost ~]# mkfs.ext4 /dev/mapper/encrypted_data
mke2fs 1.46.5 (30-Dec-2021)
Creating filesystem with 5242880 4k blocks and 1310720 inodes
Filesystem UUID: abc123-def456-ghi789-jkl012-mno345
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
# 7. 创建挂载点并挂载
[root@localhost ~]# mkdir -p /secure-data
[root@localhost ~]# mount /dev/mapper/encrypted_data /secure-data
# 8. 验证挂载
[root@localhost ~]# df -h /secure-data
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/encrypted_data 20G 24K 20G 1% /secure-data
# 9. 配置开机自动挂载
[root@localhost ~]# cat /etc/crypttab
encrypted_data /dev/sdb1 none luks
[root@localhost ~]# echo "/dev/mapper/encrypted_data /secure-data ext4 defaults 0 0" >> /etc/fstab
# 10. 查看LUKS信息
[root@localhost ~]# cryptsetup luksDump /dev/sdb1
LUKS header information
Version: 2
Epoch: 5
Metadata area: 16384 bytes
Keyslots area: 16744448 bytes
UUID: abc123-def456-ghi789-jkl012-mno345
Label: (no label)
Subsystem: (no subsystem)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2i
Time cost: 4
Memory: 1048576
Threads: 4
Salt: abc123def456789012345678901234ab
AF stripes: 4000
Area offset: 32768 [bytes]
Area length: 258048 [bytes]
Digest ID: 0
Iterations: 10
Salt: abc123def456789012345678901234ab
3. 使用eCryptfs加密
学习交流加群风哥微信: itpux-com
使用eCryptfs加密特定目录。
# 1. 安装ecryptfs-utils
[root@localhost ~]# dnf install -y ecryptfs-utils
Updating Subscription Management repositories.
Last metadata expiration check: 0:00:01 ago on Fri 03 Apr 2026 10:00:00 CST.
Dependencies resolved.
================================================================================================================
Package Architecture Version Repository Size
================================================================================================================
Installing:
ecryptfs-utils x86_64 111-8.el9 baseos 200 k
Installing dependencies:
keyutils x86_64 1.6.1-4.el9 baseos 100 k
…
Complete!
# 2. 创建加密目录
[root@localhost ~]# mkdir -p /secure/private
[root@localhost ~]# mkdir -p /secure/private-data
# 3. 挂载eCryptfs
[root@localhost ~]# mount -t ecryptfs /secure/private /secure/private-data
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 128; max keysize = 256
2) blowfish: blocksize = 16; min keysize = 128; max keysize = 256
3) des3_ede: blocksize = 8; min keysize = 192; max keysize = 192
4) twofish: blocksize = 16; min keysize = 128; max keysize = 256
5) cast6: blocksize = 16; min keysize = 128; max keysize = 256
6) cast5: blocksize = 8; min keysize = 128; max keysize = 128
Selection [aes]: 1
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]: 1
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [abc123def4567890]:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=abc123def4567890
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=abc123def4567890
Mounted eCryptfs
# 4. 验证挂载
[root@localhost ~]# mount | grep private
/secure/private on /secure/private-data type ecryptfs (rw,relatime,ecryptfs_fnek_sig=abc123def4567890,ecryptfs_sig=abc123def4567890,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)
# 5. 创建测试文件
[root@localhost ~]# echo "This is a secret file" > /secure/private-data/secret.txt
# 6. 查看加密文件
[root@localhost ~]# ls -la /secure/private/
total 4
-rw-r--r-- 1 root root 32 Apr 3 10:00 ECRYPTFS_FNEK_ENCRYPTED.FWabc123def4567890
# 7. 卸载eCryptfs
[root@localhost ~]# umount /secure/private-data
# 8. 配置开机自动挂载
[root@localhost ~]# cat >> /etc/fstab << 'EOF'
/secure/private /secure/private-data ecryptfs rw,relatime,ecryptfs_fnek_sig=abc123def4567890,ecryptfs_sig=abc123def4567890,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
# 9. 保存签名
[root@localhost ~]# ecryptfs-add-passphrase --fnek
Passphrase:
Inserted auth tok with sig [abc123def4567890] into the user session keyring
Inserted auth tok with sig [def4567890123456] into the user session keyring
4. 存储权限管理
设置适当的文件和目录权限。
# 1. 查看当前权限
[root@localhost ~]# ls -la /data
total 8
drwxr-xr-x 2 root root 4096 Apr 3 10:00 .
dr-xr-xr-x. 26 root root 4096 Apr 3 10:00 ..
-rw-r--r-- 1 root root 0 Apr 3 10:00 file1.txt
-rw-r--r-- 1 root root 0 Apr 3 10:00 file2.txt
# 2. 修改目录权限
[root@localhost ~]# chmod 750 /data
[root@localhost ~]# ls -la /data
total 8
drwxr-x--- 2 root root 4096 Apr 3 10:00 .
dr-xr-xr-x. 26 root root 4096 Apr 3 10:00 ..
-rw-r--r-- 1 root root 0 Apr 3 10:00 file1.txt
-rw-r--r-- 1 root root 0 Apr 3 10:00 file2.txt
# 3. 修改文件权限
[root@localhost ~]# chmod 600 /data/file1.txt
[root@localhost ~]# ls -la /data/file1.txt
-rw------- 1 root root 0 Apr 3 10:00 /data/file1.txt
# 4. 修改所有者
[root@localhost ~]# chown user1:group1 /data/file2.txt
[root@localhost ~]# ls -la /data/file2.txt
-rw-r--r-- 1 user1 group1 0 Apr 3 10:00 /data/file2.txt
# 5. 设置SGID位
[root@localhost ~]# chmod g+s /data
[root@localhost ~]# ls -la /data
total 8
drwxr-xr-s 2 root root 4096 Apr 3 10:00 .
dr-xr-xr-x. 26 root root 4096 Apr 3 10:00 ..
-rw------- 1 root root 0 Apr 3 10:00 file1.txt
-rw-r--r-- 1 user1 group1 0 Apr 3 10:00 file2.txt
# 6. 设置粘滞位
[root@localhost ~]# chmod +t /tmp
[root@localhost ~]# ls -la /tmp | head -5
total 8
drwxrwxrwt. 8 root root 4096 Apr 3 10:00 .
dr-xr-xr-x. 26 root root 4096 Apr 3 10:00 ..
drwx------ 2 root root 4096 Apr 3 10:00 systemd-private-abc123def456
# 7. 使用ACL设置更细粒度的权限
[root@localhost ~]# setfacl -m u:user2:rw /data/file1.txt
[root@localhost ~]# getfacl /data/file1.txt
# file: data/file1.txt
# owner: root
# group: root
user::rw-
user:user2:rw-
group::---
mask::rw-
other::---
# 8. 设置默认ACL
[root@localhost ~]# setfacl -d -m u:user2:rw /data
[root@localhost ~]# getfacl /data
# file: data
# owner: root
# group: root
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:other::---
default:user:user2:rw-
5. 存储审计
配置存储访问和操作审计。
# 1. 安装auditd
[root@localhost ~]# dnf install -y audit
Updating Subscription Management repositories.
Last metadata expiration check: 0:00:01 ago on Fri 03 Apr 2026 10:00:00 CST.
Dependencies resolved.
================================================================================================================
Package Architecture Version Repository Size
================================================================================================================
Installing:
audit x86_64 3.0.7-5.el9 baseos 500 k
Installing dependencies:
audit-libs x86_64 3.0.7-5.el9 baseos 200 k
…
Complete!
# 2. 启动auditd服务
[root@localhost ~]# systemctl start auditd
[root@localhost ~]# systemctl enable auditd
Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /usr/lib/systemd/system/auditd.service.
# 3. 配置审计规则
[root@localhost ~]# cat > /etc/audit/rules.d/storage-audit.rules << 'EOF'
# 监控/data目录的访问
-w /data/ -p wa -k data_access
# 监控/etc/fstab的修改
-w /etc/fstab -p wa -k fstab_change
# 监控加密设备的访问
-w /dev/mapper/ -p rw -k encrypted_access
# 监控备份目录的访问
-w /backup/ -p wa -k backup_access
# 监控用户登录
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
EOF
# 4. 重新加载审计规则
[root@localhost ~]# augenrules --load
No rules
enabled 1
# 5. 验证审计规则
[root@localhost ~]# auditctl -l
-w /data/ -p wa -k data_access
-w /etc/fstab -p wa -k fstab_change
-w /dev/mapper/ -p rw -k encrypted_access
-w /backup/ -p wa -k backup_access
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
# 6. 查看审计日志
[root@localhost ~]# ausearch -k data_access
----
time->Fri Apr 3 10:00:00 2026
type=PATH msg=audit(1234567890.123:456): item=0 name="/data/file1.txt" inode=123456 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1234567890.123:456): cwd="/root"
type=SYSCALL msg=audit(1234567890.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7fff12345678 a1=0 a2=0 a3=0 items=1 ppid=1234 pid=5678 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key=(null)
type=PROCTITLE msg=audit(1234567890.123:456): proctitle=636174002F646174612F66696C65312E747874
# 7. 查看实时审计日志
[root@localhost ~]# ausearch -i -m avc -ts recent
----
# 8. 生成审计报告
[root@localhost ~]# aureport -k
Summary Report
======================
Range of time in logs: 04/03/2026 10:00:00.000 – 04/03/2026 10:30:00.000
Selected time for report: 04/03/2026 10:00:00 – 04/03/2026 10:30:00.00
Number of changes in configuration: 10
Number of changes to accounts, groups, or roles: 0
Number of logins: 5
Number of failed logins: 0
Number of authentications: 5
Number of users: 2
Number of terminals: 2
Number of host names: 1
Number of executables: 10
Number of files: 20
Number of AVC’s: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 6
Number of process IDs: 15
Number of events: 50
# 9. 配置审计日志轮转
[root@localhost ~]# cat > /etc/audit/auditd.conf << 'EOF'
log_file = /var/log/audit/audit.log
log_format = ENRICHED
num_logs = 5
max_log_file = 10M
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
priority_boost = 4
flush = INCREMENTAL
freq = 50
max_log_file_action = ROTATE
EOF
# 10. 重启auditd服务
[root@localhost ~]# systemctl restart auditd
[root@localhost ~]# systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
Active: active (running) since Fri 2026-04-03 10:00:00 CST; 30min ago
Main PID: 1234 (auditd)
Tasks: 1 (limit: 4915)
Memory: 5.0M
CPU: 50ms
CGroup: /system.slice/auditd.service
└─1234 /usr/sbin/auditd
6. 实战案例
配置完整的存储安全系统。
# 1. 创建加密磁盘
[root@localhost ~]# fdisk /dev/sdc
Welcome to fdisk (util-linux 2.37.4).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): n
Partition type
p primary (0 primary, 0 extended, 4 free)
e extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-41943039, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-41943039, default 41943039):
Created a new partition 1 of type ‘Linux’ and of size 20 GiB.
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
# 2. 格式化为LUKS分区
[root@localhost ~]# cryptsetup luksFormat /dev/sdc1
WARNING!
========
This will overwrite data on /dev/sdc1 irrevocably.
Are you sure? (Type ‘yes’ in capital letters): YES
Enter passphrase for /dev/sdc1:
Verify passphrase:
# 3. 打开LUKS分区
[root@localhost ~]# cryptsetup luksOpen /dev/sdc1 secure_storage
Enter passphrase for /dev/sdc1:
# 4. 格式化为ext4文件系统
[root@localhost ~]# mkfs.ext4 /dev/mapper/secure_storage
mke2fs 1.46.5 (30-Dec-2021)
Creating filesystem with 5242880 4k blocks and 1310720 inodes
Filesystem UUID: def456-ghi789-jkl012-mno345-pqr678
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000
# 5. 创建挂载点并挂载
[root@localhost ~]# mkdir -p /secure-storage
[root@localhost ~]# mount /dev/mapper/secure_storage /secure-storage
# 6. 设置目录权限
[root@localhost ~]# chmod 750 /secure-storage
[root@localhost ~]# chown root:secure-group /secure-storage
# 7. 创建安全组(该组必须在第6步执行chown之前已经存在,否则chown会因组不存在而失败)
[root@localhost ~]# groupadd secure-group
# 8. 配置审计规则
[root@localhost ~]# cat > /etc/audit/rules.d/secure-storage.rules << 'EOF'
# 监控安全存储的访问
-w /secure-storage/ -p wa -k secure_storage_access
# 监控LUKS设备的访问
-w /dev/mapper/secure_storage -p rw -k luks_access
# 监控cryptsetup命令
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/cryptsetup -F auid>=1000 -F auid!=4294967295 -k cryptsetup_usage
EOF
# 9. 重新加载审计规则
[root@localhost ~]# augenrules --load
# 10. 配置开机自动挂载
[root@localhost ~]# cat /etc/crypttab
secure_storage /dev/sdc1 none luks
[root@localhost ~]# echo "/dev/mapper/secure_storage /secure-storage ext4 defaults 0 0" >> /etc/fstab
# 11. 创建访问控制脚本
[root@localhost ~]# cat > /usr/local/bin/secure-storage-access.sh << 'EOF'
#!/bin/bash
# script.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
# 安全存储访问控制脚本
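# Location of the encrypted mount, the group allowed to use it, and the audit
# trail of decisions.  Declared readonly so a later stray assignment cannot
# silently redirect the log or widen the permitted group.
readonly SECURE_STORAGE="/secure-storage"
readonly SECURE_GROUP="secure-group"
readonly LOG_FILE="/var/log/secure-storage-access.log"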
# 记录日志函数
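#######################################
# Append a timestamped line to LOG_FILE and echo it to stdout, so the caller
# sees the verdict as well as the log (the transcript above shows it printed).
# Arguments: $1 - message text
# Globals:   LOG_FILE (read)
# Returns:   tee's status (non-zero if the log file cannot be appended)
#######################################
log() {
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  # printf, not echo: the message is data and must never act as a format string.
  printf '[%s] %s\n' "$stamp" "$1" | tee -a -- "$LOG_FILE"
}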
# 检查访问权限
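#######################################
# Decide whether a user may use the secure storage and record the verdict.
# Arguments: $1 - user name; $2 - action label (only echoed into the log line)
# Globals:   SECURE_GROUP, SECURE_STORAGE (read); LOG_FILE (via log)
# Outputs:   one log line via log()
# Returns:   0 if the user is a member of SECURE_GROUP, 1 otherwise
#######################################
check_access() {
  local user=$1
  local action=$2
  local -a member_of=()
  local grp
  # Enumerate the user's groups and require an exact name match: a substring
  # grep over the `groups` output would also accept any group whose name merely
  # contains SECURE_GROUP (e.g. "secure-group-ro"), quietly widening who is
  # granted.  An empty or unknown user yields no groups and is denied.
  if [[ -n "$user" ]]; then
    read -ra member_of <<<"$(id -nG -- "$user" 2>/dev/null)"
  fi
  for grp in "${member_of[@]}"; do
    if [[ "$grp" == "$SECURE_GROUP" ]]; then
      log "User $user granted $action access to $SECURE_STORAGE"
      return 0
    fi
  done
  log "User $user denied $action access to $SECURE_STORAGE"
  return 1
}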
# 主函数
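#######################################
# Print the usage line to stderr.
# Globals:   $0 (read)
#######################################
usage() {
  printf 'Usage: %s check <user> <action>\n' "$0" >&2
}

#######################################
# Dispatch on the sub-command.  Only "check" exists; it needs a user and an
# action, otherwise the usage line is printed and the script exits 1.
# Arguments: $1 - sub-command; $2 - user; $3 - action
# Returns:   check_access's status for "check"; exits 1 on bad usage
#######################################
main() {
  case "$1" in
    check)
      if (( $# < 3 )); then
        usage
        exit 1
      fi
      check_access "$2" "$3"
      ;;
    *)
      usage
      exit 1
      ;;
  esac
}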
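# Entry point: ASCII double quotes around "$@" pass each argument through
# unchanged (typographic quotes are not quotes to the shell and would be passed
# to main as literal characters).
main "$@"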
EOF
# 12. 设置脚本执行权限
[root@localhost ~]# chmod +x /usr/local/bin/secure-storage-access.sh
# 13. 配置sudo规则
[root@localhost ~]# cat > /etc/sudoers.d/secure-storage << 'EOF'
# 安全存储访问控制
%secure-group ALL=(root) NOPASSWD: /usr/local/bin/secure-storage-access.sh
EOF
# 14. 测试访问控制
[root@localhost ~]# /usr/local/bin/secure-storage-access.sh check user1 read
User user1 denied read access to /secure-storage
# 15. 添加用户到安全组
[root@localhost ~]# usermod -aG secure-group user1
# 16. 再次测试访问控制
[root@localhost ~]# /usr/local/bin/secure-storage-access.sh check user1 read
User user1 granted read access to /secure-storage
# 17. 查看审计日志
[root@localhost ~]# ausearch -k secure_storage_access
----
time->Fri Apr 3 10:00:00 2026
type=PATH msg=audit(1234567890.123:456): item=0 name="/secure-storage/" inode=123456 dev=08:02 mode=040750 ouid=0 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1234567890.123:456): cwd="/root"
type=SYSCALL msg=audit(1234567890.123:456): arch=c000003e syscall=80 success=yes exit=0 a0=7fff12345678 a1=0 a2=0 a3=0 items=1 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ls" exe="/usr/bin/ls" key=secure_storage_access
type=PROCTITLE msg=audit(1234567890.123:456): proctitle=6C73002F7365637572652D73746F72616765
