Chinaunix首页 | 论坛 | 博客
  • 博客访问: 311721
  • 博文数量: 43
  • 博客积分: 1590
  • 博客等级: 上尉
  • 技术积分: 508
  • 用 户 组: 普通用户
  • 注册时间: 2006-11-22 22:16
个人简介

温柔的IT民工~

文章分类

全部博文(43)

文章存档

2013年(1)

2012年(2)

2011年(2)

2010年(7)

2009年(8)

2008年(15)

2007年(8)

分类:

2010-09-04 10:01:30

CID

Control Activity

Review Procedures (with CIS Benchmark Ref. #’s)

Expected Results

AIX1

Ensure Patches, Packages and Initial Lockdown of the system is appropriate.

1.1   Apply latest OS patches

Installing up-to-date vendor patches and developing a procedure for keeping up-to-date with vendor patches are critical for the security and reliability of the system.

 

1.2   Configure SSH

Ensure both the ssh client and ssshd server are configured to use only SSH protocol 2, as security vulnerabilities have been found in the first SSH protocol.

 

1.3   Install TCP wrappers package

Download pre-complied TCP Wrappers package from

(TCP Wrappers is installed in this section and configured in section 2.2)

The system has up-to-date patches and packages, and the system is locked-down to reduce the number of vulnerabilities.

AIX2

Minimize xinetd network services to disable standard services.

2.1 Disable standard services

for SVC in ftp telnet shell kshell login klogin exec \

 echo discard chargen daytime time ttdbserver dtspc; do

echo "Disabling $SVC TCP"

chsubserver -d -v $SVC -p tcp

done

for SVC in ntalk rstatd rusersd rwalld sprayd pcnfsd \

 echo discard chargen daytime time cmsd; do

echo "Disabling $SVC UDP"

chsubserver -d -v $SVC -p udp

done

refresh -s inetd

 

2.2 Configure TCP Wrappers to limit access

1. Create /etc/hosts.allowand /etc/hosts.deny per available documentation and to suit your particular environment. Configuring TCP Wrappers is beyond the scope of this Benchmark.

Note: Do not deny access to your system without allowing access.

2. Modify /etc/inetd.conf:

cd /etc

awk '($3 ~ /^tcp/) && ($6 !~ /(internal|tcpd)$/) \

 { $7 = $6; $6 = "/usr/local/bin/tcpd" }; \

 { print }' inetd.conf > inetd.conf.with_tcp_wrappers

cp inetd.conf.with_tcp_wrappers inetd.conf

chown root:system inetd.conf

chmod 644 inetd.conf inetd.conf.with_tcp_wrappers

 

Test your configuration now by using the /usr/local/bin/tcpdchkcommand and by logging in remotely.

Standard services that do not meet a specific business need are disabled.

AIX3

Minimize boot services to disable unused system daemon.

3.1 Disable login prompts on serial ports

AIX5L only:

for i in `grep ^tty /etc/inittab | cut -f1 -d:`; do

 echo "Disabling login from port /dev/$i"

 chitab "$i:2:off:/usr/sbin/getty /dev/$i"

done

 

3.2 Disable inetd, if possible

if [ `grep -Evc '^[ \t]*(#|$)' /etc/inetd.conf` -eq 0 ]; then

 echo "Turning off inetd"

 chrctcp -d inetd

 stopsrc -s inetd

fi

 

If the actions in Section 2 of this benchmark resulted in all inetd-based services being disabled, there is no point in running inetdat boot time.

 

3.3 Disable email server, if possible

stopsrc -s sendmail

chrctcp -d sendmail

cd /var/spool/cron/crontabs

crontab -l > root.tmp

if [ `grep -c "sendmail -q" root.tmp` -eq 0 ]; then

 echo "0 * * * * /usr/sbin/sendmail -q" >> root.tmp

 crontab root.tmp

fi

rm -f root.tmp

This will make sendmail run the queue once an hour, sending out any mail that may have accumulated on the machine (from cronjobs, etc).

 

3.4 Disable NIS Server processes if possible

Use the SMIT fast-path

smit remove

to remove the bos.net.nis.serverfileset or use the command:

[ `lslpp -L bos.net.nis.server 2>&1 | \

grep -c "not installed"` -eq 0 ] && \

/usr/lib/instl/sm_inst installp_cmd -u \

-f'bos.net.nis.server'

 

3.5 Disable NIS Client processes if possible

Use the SMIT fast-path

smit remove

to remove the bos.net.nis.clientfileset or use the command:

[ `lslpp -L bos.net.nis.client 2>&1 | \

grep -c "not installed"` -eq 0 ] && \

/usr/lib/instl/sm_inst installp_cmd -u \

-f'bos.net.nis.client'

 

3.9 Turn off services which are not commonly used

(AIX 4.3.3):

for SVC in routed gated named timed rwhod \

 snmpd dpid2 lpd portmap ndpd-router ndpd-host; do

echo "Turning off $SVC"

stopsrc -s $SVC

chrctcp -d $SVC

done

for SVC in piobe httpdlite pmd writesrv; do

echo "Turning off $SVC"

rmitab $SVC

done

 

(AIX 5):

for SVC in routed gated named timed rwhod mrouted \

snmpd hostmibd dpid2 lpd portmap autoconf6 \

ndpd-router ndpd-host; do

 echo "Turning off $SVC"

stopsrc -s $SVC

chrctcp -d $SVC

done

for SVC in piobe i4ls httpdlite pmd writesrv; do

echo "Turning off $SVC"


stopsrc -s $SVC

 rmitab $SVC

done

 

3.11 Only enable SNMP if absolutely necessary

chrctcp -a snmpd

chrctcp -a dpid2

chrctcp -a hostmibd

 

Note: Make sure the community name is changed from default Public

 

3.12 Only enable portmap if absolutely necessary

chrctcp -a portmap

 

3.13 Only enable IPv6 if absolutely necessary

chrctcp -a autoconf6

chrctcp -a ndpd-router

chrctcp -a ndpd-host

 

3.15 Only enable i4ls and NCS if absolutely necessary

mkitab -i cron "i4ls:2:wait:/usr/bin/startsrc -swritesrv"

chrctcp -a writesrv

 

3.16 Only enable writesrv, pmd, httpdlite if absolutely

necessary

writesrv

mkitab -i cron "writesrv:2:wait:/usr/bin/startsrc -swritesrv"

chrctcp -a writesrv

 

pmd

mkitab -i cron "pmd:2:wait:/usr/bin/pmd > /dev/console 2>&1 #

Start PM daemon"

chrctcp -a pmd

 

httpdlite

mkitab -i cron

"httpdlite:2:once:/usr/IMNSearch/httpdlite/httpdlite -r

/etc/IMNSearch/httpdlite/httpdlite.conf & >/dev/console 2>&1"

chrctcp -a httpdlite

Unused boot services disabled to maximize system performance, and it greatly reduces the chance that the machine will be running a vulnerable daemon.

AIX4

Kernel tuning to harden the system configuration.

4.1 Disable core dumps

Edit /etc/security/limits and change the core value in the default stanza to:

core 0

Add the following line below it:

core_hard = 0

Execute these commands:

echo "# Added by CISecurity Benchmark" >> /etc/profile

echo "ulimit -c 0" >> /etc/profile

chdev -l sys0 -a fullcore=false

 

4.2 Network parameter modifications

cat < /etc/rc.net-tune

#!/bin/ksh

# Deal with SYN-flood attacks as best we can.

/usr/sbin/no -o clean_partial_conns=1

# Do not allow SMURF broadcast attacks.

/usr/sbin/no -o directed_broadcast=0

# Don't allow other machines to reset our netmask

/usr/sbin/no -o icmpaddressmask=0

# Ignore redirects, don't send them ourselves.

# ICMP Redirect is a poor excuse for a routing protocol.

/usr/sbin/no -o ipignoreredirects=1

/usr/sbin/no -o ipsendredirects=0

# Refuse to have anything to do with source-routed packets.

/usr/sbin/no -o ipsrcrouteforward=0

/usr/sbin/no -o ipsrcrouterecv=0

/usr/sbin/no -o ipsrcroutesend=0

/usr/sbin/no -o nonlocsrcroute=0

EOF

chmod +x /etc/rc.net-tune

mkitab -i rctcpip "rcnettune:2:wait:/etc/rc.net-tune > \

 /dev/console 2>&1"

 

4.3 Restrict NFS Client requests to privileged ports

cat <> /etc/rc.net-tune

# Require NFS to use privileged ports

/usr/sbin/nfso -o portcheck=1 -o nfs_use_reserved_ports=1

EOF

A more secure system.

AIX5

System logging in order to keep track of activity on the system.

5.1 Capture messages sent to syslog (especially the AUTH facility)

printf "### Following lines added by CISecurity \

AIX Benchmark Section 5.1\n\

auth.info\t\t/var/adm/authlog\n\

*.info;auth.none\t\t/var/adm/syslog\n" \

 >> /etc/syslog.conf

touch /var/adm/authlog /var/adm/syslog

chown root:system /var/adm/authlog

chmod 600 /var/adm/authlog

chmod 640 /var/adm/syslog

stopsrc -s syslogd

startsrc -s syslogd

 

5.2 Configure syslogd to send logs to a remote loghost

In the script below, replace loghost with the proper name (FQDN, if necessary) of your loghost.

printf "### Following lines added by CISecurity \

AIX Benchmark Section 5.2\n\

auth.info\t\t@loghost

*.info;auth.none\t\t@loghost

*.emerg\t\t@loghost\n\

local7.*\t\t@loghost\n" >> /etc/syslog.conf

stopsrc -s syslogd

startsrc -s syslogd

 

5.3 Prevent Syslog from accepting messages from the network

chssys -s syslogd -a "-r"

stopsrc -s syslogd

startsrc -s syslogd

 

5.4 Enable sar accounting

Install the bos.acct fileset as it is required when making use of the sar utility.

 

Note: The following crontabentries are an example only. You need to adjust the times of the report and the period the data is collected. Refer to sar documentation.

 

lslpp -i bos.acct >/dev/null 2>&1

if [ "$?" != 0 ]; then

 echo "bos.acct not installed, cannot proceed"

else

 

 su -adm -c "crontab -l > /tmp/crontab.adm"

 cat << EOF >> /tmp/crontab.adm

0 8-17 * * 1-5 /usr/lib/sa/sa1 1200 3 &

0 * * * 0,6 /usr/lib/sa/sa1 &

0 18-7 * * 1-5 /usr/lib/sa/sa1 &

5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 3600 -A &

EOF

 mkdir -p /var/adm/sa

chown adm:adm /var/adm/sa

 chmod 755 /var/adm/sa

 su -adm -c "crontab /tmp/crontab.adm"

fi

 

5.5 Enable kernel-level auditing

To activate auditing:

audit on

 

To start auditing automatically at next boot:

mkitab -i cron "audit:2:once:/usr/sbin/audit start 2>&1 >

/dev/console"

telinit q

echo "audit shutdown" >> /usr/sbin/shutdown

 

5.6 Confirm Permissions On System Log Files

for FILE in \

/smit.log \

/var/adm/cron/log \

/var/tmp/dpid2.log \

/var/tmp/hostmibd.log \

/var/tmp/snmpd.log \

/var/adm/ras/*

/var/ct/RMstart.log

do

 if [ -f $FILE ]; then

echo "Fixing log file permissions on $FILE"

chmod o-rw $FILE

 fi

done

Secured logging of system activity.

AIX6

File/directory permissions/access are restricted to authorized users and regularly reviewed.

6.1 Verify passwd and group file permissions

chown -R root:security /etc/passwd /etc/group /etc/security

chown -R root:audit /etc/security/audit

chmod 644 /etc/passwd /etc/group

chmod 750 /etc/security

chmod -R go-w,o-r /etc/security

 

6.2 World-writable directories should have their sticky bit set

Administrators who wish to obtain a list of these directories may execute the following commands:

for part in `mount | grep dev | awk '{print $2}' | \

 grep -Ev 'cdrom|nfs'`; do

 echo "Searching $part"

 find $part -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

done

 

6.3 Find unauthorized world-writable files

Administrators who wish to obtain a list of the world-writable files currently installed on the system may run the following commands:

 

for part in `mount | grep dev | awk '{print $2}' | \

 egrep -v 'cdrom|nfs'`; do

 echo "Searching $part"

 find $part -xdev -type f \

\( -perm -0002 -a ! -perm -1000 \) -print

done

 

There should be no entries returned.

 

6.4 Find unauthorized SUID/SGID system executables

Administrators who wish to obtain a list of the set-UID and set-GID programs currently installed on the system may run the following commands:

 

for part in `mount | grep dev | awk '{print $2}' | \

 egrep -v 'cdrom|nfs'`; do

 echo "Searching $part"

 find $part \( -perm -04000 -o -perm -02000 \) \

-type f -xdev -ls

Done

 

6.5 Find “unowned” files and directories

Administrators who wish to locate these files on their system may run the following command:

 

find / \( -nouser -o -nogroup \) -ls

System access is available only to authorized users with appropriate file/directory permissions.

AIX7

System access, authentication, and authorization privileges are restricted to authorized user accounts and regularly reviewed.

7.1 Remove /etc/hosts.equiv

[ -f /etc/hosts.equiv ] && rm -f /etc/hosts.equiv

 

7.2 Create /etc/ftpusers

lsuser -c ALL | grep -v ^#name | cut -f1 -d: | while read NAME; do

 if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -lt 200 ]; then

 echo "Adding $NAME to /etc/ftpusers"

 echo $NAME >> /etc/ftpusers.new

 fi

done

sort -u /etc/ftpusers.new > /etc/ftpusers

rm /etc/ftpusers.new

chown root:system /etc/ftpusers

chmod 600 /etc/ftpusers

 

7.3 Disable XDMCP port

if [ ! -f /etc/dt/config/Xconfig ]; then

mkdir -p /etc/dt/config

cp /usr/dt/config/Xconfig /etc/dt/config

fi

cd /etc/dt/config

awk '/Dtlogin.requestPort:/ \

 { print "Dtlogin.requestPort: 0"; next } \

 { print }' Xconfig > Xconfig.new

mv Xconfig.new Xconfig

chown root:bin Xconfig

chmod 444 Xconfig

 

7.4 Prevent X Server from listening on port 6000/tcp

if [ -f /etc/dt/config/Xservers ]; then

file=/etc/dt/config/Xservers

else

 file=/usr/dt/config/Xservers

fi

awk '/Xsun/ && !/^#/ && !/-nolisten tcp/ \

 { print $0 " -nolisten tcp"; next }; \

 { print }' $file > $file.new

mkdir -p /etc/dt/config

mv $file.new /etc/dt/config/Xservers

chown root:bin /etc/dt/config/Xservers

chmod 444 /etc/dt/config/Xservers

 

7.6 Remove empty crontab files and restrict file permissions

cd /var/spool/cron/crontabs

for file in *; do

 lines=`grep -Ev '^[ \t]*#' $file | wc -l | sed 's/

//g'`

 if [ $lines -eq 0 ]; then

echo "Removing $file"

rm $file

 fi

done

chgrp -R cron /var/spool/cron/crontabs

chmod -R o= /var/spool/cron/crontabs

chmod 770 /var/spool/cron/crontabs

 

7.7 Restrict at and cron to authorized users

cd /var/adm/cron

rm -f cron.deny at.deny

echo root > cron.allow

echo root > at.allow

ls /var/spool/cron/crontabs | grep -v root >> cron.allow

ls /var/spool/cron/atjobs | grep -v root >> at.allow

chown root:sys cron.allow at.allow

chmod 400 cron.allow at.allow

cat at.allow

cat cron.allow

cat at.deny cron.deny # this should fail

 

7.8 Restrict root logins to system console

chuser rlogin=false login=true su=true sugroups=system root

Authorized user accounts have system access, authentication and authorization to access the system.

AIX8

User accounts and environment secured and reviewed regularly.

8.1 Block system accounts

for user in daemon bin sys adm uucp nuucp printq guest

nobody lpd sshd; do

 chuser rlogin=false login=false "$user"

done

 

8.2 Set password and account expiration on active accounts

Action (AIX 4.3.3):

 

chsec -f /etc/security/user -s default -a maxage=13

chsec -f /etc/security/user -s default -a minlen=8

chsec -f /etc/security/user -s default -a minage=1

chsec -f /etc/security/user -s default -a pwdwarntime=28

 

8.3 Verify there are no accounts with empty password fields

pwdck -n ALL

 

8.4 Verify no legacy '+' entries exist in passwd, and group files

The command:

grep ^+: /etc/passwd /etc/group

should return no lines of output.

 

8.5 Verify no UID 0 accounts exist other than root

The command:

lsuser -a id ALL | grep "id=0" | awk '{print $1}'

should return only the word "root".

 

8.6 No '.' or group/world-writable directory in root's $PATH

To find ‘.’ in $PATH:

echo $PATH | grep -E '(^|:)(\.|:|$)'

 

To find group- or world-writable directories in $PATH:

find `echo $PATH | tr ':' ' '` -type d \

\( -perm -002 -o -perm -020 \) -ls

 

These commands should produce no output.

 

8.7 User home directories should be mode 750 or more

restrictive

NEW_PERMS=750

lsuser -c ALL | grep -v ^#name | cut -f1 -d: | while read NAME; do

 if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -ge 200 ]; then

HOME=`lsuser -a home $NAME | cut -f 2 -d =`

echo "Changing $NAME homedir $HOME"

chmod $NEW_PERMS $HOME

 fi

done

if [ `grep -c "chmod $NEW_PERMS $1" \

 /usr/lib/security/mkuser.sys` -eq 0 ]; then

sed -e "s/mkdir \$1/mkdir \$1 \&\& chmod $NEW_PERMS \$1/g" \

/usr/lib/security/mkuser.sys > /tmp/mkuser.tmp

mv /tmp/mkuser.tmp /usr/lib/security/mkuser.sys

chmod 750 /usr/lib/security/mkuser.sys

fi

 

8.8 No user dot-files should be world-writable

lsuser -a home ALL |cut -f2 -d= | while read HOMEDIR; do

echo "Examining $HOMEDIR"

if [ -d $HOMEDIR ]; then

 ls -a $HOMEDIR | grep -Ev "^.$|^..$" | \

while read FILE; do

 if [ -f $FILE ]; then

echo "Adjusting $FILE"

chmod go-w $FILE

 fi

done

else

echo "No home dir for $HOMEDIR"

fi

done

 

8.9 Remove user .netrc and .rhosts files

find / -name .netrc

find / -name .rhosts

 

Stop!!! Read the discussion before proceeding.

 

lsuser -a home ALL |cut -f2 -d= | while read HOME; do

 if [ -e "$HOME/.netrc" ]; then

 echo "Removing $HOME/.netrc"

 rm -f "$HOME/.netrc"

 fi

 

 if [ -e "$HOME/.rhosts" ]; then

 echo "Removing $HOME/.rhosts"

 rm -f "$HOME/.rhosts"

 fi

done

 

Discussion:

 

.netrc files may contain unencrypted passwords which may be used to attack other systems.  While the above modifications are relatively benign, making global modifications to user home directories without alerting your user community can result in unexpected outages and unhappy users. If the first command returns any results, carefully evaluate the ramifications of removing those files before executing the remaining commands as you may end up impacting an application that has not had time to revise its architecture to a more secure design.

 

8.10 Set Default umask for users

Change existing users

lsuser -a home ALL | awk '{print $1}' | while read user; do

 chuser umask=077 $user

done

 

Change default profile

To set a system-wide default, edit the file /etc/security/userand replace the default umask value in the umaskline entry for the default stanza with 077.

 

8.11 Set default umask for the FTP daemon

chsubserver -c -v ftp -p tcp "ftpd -l -u077"

refresh -s inetd

 

 

8.12 Set “mesg n” as the default for all users

echo "mesg n" >> /etc/profile

echo "mesg n" >> /etc/csh.login

 

8.13 Removing unnecessary default user accounts

Note: Read discussion first!!!

 

# Remove users

LIST="uucp nuucp lpd guest printq"

for USERS in $LIST; do

 rmuser -p $USERS

 rmgroup $USERS

done

 

# Remove groups

LIST="uucp printq"

for USERS in $LIST; do

 rmgroup $USERS

done

 

Discussion:

User ID Description

uucp, nuucp Owner of hidden files used by uucp protocol. The uucp user account is used for the UNIX-to-UNIX Copy Program, which is a group of commands, programs, and files, present on most AIX systems, that allows the user to communicate with another AIX system over a dedicated line or a telephone line.

lpd Owner of files used by printing subsystem

guest Allows access to users who do not have access to accounts

 

In addition, these group ID's may be removed if your system does not need them:

 

Group ID Description

uucp Group to which uucp and nuucp users belong

printq Group to which lpd user belongs

 

Note: You may get one or more errors stating the group or user does not exist. This is harmless and may be ignored.

Local administrator regularly reviews user account and environment.  Documentation of the review is created and maintained for at least one year.

AIX9

Warning banners prior to user logon.

9.1 Create warnings for network and physical access services

Edit the banner currently in /etc/motdas required by your Enterprise. The following

script is a template taken from the Bastille Linux project:

 

Important: You need to change “The Company” in the text below to an appropriate value for your organization

 

cd /etc

# Remember to enter name of your company here:

COMPANYNAME="its owner"

cat <

 | sed -e "s/its owner/${COMPANYNAME}/g" > /etc/motd

********************************************************

NOTICE TO USERS

 

This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only.

Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

 

Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign.

 

By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.

***********************************************************

EOM

chown bin:bin /etc/motd

chmod 644 /etc/motd

 

9.2 Create warnings for GUI-based logins

for file in /usr/dt/config/*/Xresources; do

dir=`dirname $file | sed s/usr/etc/`

mkdir -p $dir

if [ ! -f $dir/Xresources ]; then

 cp $file $dir/Xresources

fi

WARN="Authorized uses only. All activity may be monitored and reported."

echo "Dtlogin*greeting.labelString: $WARN" >>$dir/Xresources

echo "Dtlogin*greeting.persLabelString: $WARN" >>$dir/Xresources

done

chown root:sys /etc/dt/config/*/Xresources

chmod 644 /etc/dt/config/*/Xresources

 

9.3 Create warnings for telnet daemon

chsec -f /etc/security/login.cfg -s default -a

herald="Authorized uses only. All activity may be monitored

and reported\n\r\nlogin: "

 

9.4 Create warnings for FTP daemon

dspcat -g /usr/lib/nls/msg/en_US/ftpd.cat > /tmp/ftpd.tmp

sed "s/\"\%s FTP server (\%s) ready.\"/\"\%s Authorized

uses only. All activity may be monitored and reported\"/" \

/tmp/ftpd.tmp > /tmp/ftpd.msg

gencat ftpd.cat /tmp/ftpd.msg

 

AIX 5.1 and later:

echo “herald: /etc/ftpmotd” >> /etc/ftpaccess.ctl

cat << EOF >> /etc/ftpmotd

Authorized uses only. All activity may be monitored and

reported

EOF

Warning banners prior to user logon may assist the prosecution of trespassers on the computer system.

AIX10

Additional security notes to further harden the system configuration.

SN.1 Create symlinks for dangerous files

for FILE in /.rhosts /.shosts /etc/hosts.equiv \

 /etc/shosts.equiv; do

 [ -e $FILE ] && rm -f $FILE

 ln -s /dev/null $FILE

done

 

SN.2 Change default greeting string for sendmail

cd /etc/mail

awk '/O SmtpGreetingMessage=/ \

 { print "O SmtpGreetingMessage=mailer ready"; next}

 { print }' sendmail.cf > sendmail.cf.new

mv -f sendmail.cf.new sendmail.cf

chown root:bin sendmail.cf

chmod 444 sendmail.cf

 

SN.4 Limit number of failed login attempts

chsec -f /etc/security/user -s default -a loginretries=3

The system is further protected from unauthorized or inappropriate access and/or activity.

阅读(6063) | 评论(0) | 转发(0) |
0

上一篇:开网店了

下一篇:aix常用命令

给主人留下些什么吧!~~