Sharing a passwd hardening script

Preface


Sometimes chattr alone cannot guarantee that passwd is not tampered with. Below is a hardening script for /etc/passwd that mitigates the tampering problem to some extent.

Prerequisites for use:
A backup of passwd must be placed at the $file1 path so that passwd can be restored after it has been overwritten; therefore make sure the passwd backup is a correct one.
When adding or modifying a service or user, first run "chattr -i" and then make the change; then copy the modified /etc/passwd to the file1 path. This must be completed within the configured sleep interval, otherwise the change will be reverted and will not take effect.

It is recommended to run this script in the background:

chmod +x /script/check_passwd.sh
nohup /script/check_passwd.sh &


#!/bin/bash
# Keep /etc/passwd consistent with a known-good backup and remove any
# non-root account that has UID 0.

check() {

	TIME=$(date +%F-%R)
	file1=/etc/back/passwd
	file2=/etc/passwd

	if [ -s "$file2" ]; then

		# Test only the attribute field (not the file name) for the immutable flag
		if lsattr "$file2" | awk '{print $1}' | grep -q i; then
			echo "$TIME passwd file rights is ok" >> /var/log/passwd_file.log

			# If /etc/passwd contains a user with UID 0 that is not root, delete that user
			awk -F ':' '($3==0){print $1}' "$file2" | grep -v '^root$' > /var/log/userdel.log
			for duser in $(cat /var/log/userdel.log)
			do
				chattr -i /etc/passwd
				userdel -r "$duser"
				#sed -i "/$duser/d" /etc/passwd
				#sed -i "/$duser/d" /etc/group
				#sed -i "/$duser/d" /etc/shadow
				rm -rf "/home/$duser"
				rm -rf "/var/spool/mail/$duser"
				#userdel -r $duser
				chattr +i /etc/passwd
			done

		else

			# Below: check whether the two files have identical content
			if diff "$file1" "$file2" > /dev/null; then
				echo "$TIME  files are same" >> /var/log/diff.log
			else
				echo "$TIME  files are different" >> /var/log/diff.log
			fi

			if tail -n1 /var/log/diff.log | grep -q different; then
				chattr -i "$file2"
				\cp "$file1" "$file2"
				chattr +i "$file2"
				echo "$TIME ERROR: passwd file is updated" >> /var/log/passwd_file.log
			fi
		fi
	else

		\cp "$file1" "$file2"
		chattr +i "$file2"
		echo "$TIME ERROR: passwd file does not exist; passwd file is updated" >> /var/log/passwd_file.log
	fi

}

while true
do
	check
	sleep 3600
done
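An added example, not part of the original script, that goes one step beyond the diff and lsattr checks above: it reports which passwd entries were added, removed or modified between the backup and the live file, and lists non-root UID-0 accounts, so the log tells the operator what changed rather than only that something changed. The file paths and account names are constructed sample data, not /etc/passwd.

```shell
#!/bin/sh
# Added example: field-level audit of a passwd file against a backup.

# Print login names whose UID is 0 but which are not "root".
find_extra_uid0() {
    awk -F ':' '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Compare backup ($1) with live file ($2), keyed by login name.
# Output lines: "added <user>", "removed <user>", "modified <user>".
passwd_changes() {
    awk -F ':' '
        FILENAME == ARGV[1] { base[$1] = $0; next }   # first file: the backup
        {
            live[$1] = $0
            if (!($1 in base))       print "added " $1
            else if (base[$1] != $0) print "modified " $1
        }
        END { for (u in base) if (!(u in live)) print "removed " u }
    ' "$1" "$2" | sort
}

# Constructed sample data (hypothetical accounts) for demonstration.
tmp=$(mktemp -d)
cat > "$tmp/passwd.bak" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/sh
rogue:x:0:0::/root:/bin/bash
EOF

echo "extra UID-0 accounts: $(find_extra_uid0 "$tmp/passwd")"
passwd_changes "$tmp/passwd.bak" "$tmp/passwd"
```

On the sample data this reports "rogue" as an extra UID-0 account, and "added rogue", "modified alice" (shell changed) and "removed daemon" as the entry-level differences.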


Note: if copying and pasting garbles the line breaks, it is recommended to type the script by hand.
