http://mp.weixin.qq.com/s?__biz=MzkwNjY1Mzc0Nw==&mid=2247484238&idx=1&sn=ca66551c31e37b8d726f151265fc9211&chksm=c0e47a12f793f3049fefde6e9ebe9ec4e2c7626b8594511bd314783719c216bd9929962a71e6&scene=21#wechat_redirect之前写了一个Linux系统等保加固2.0的shell脚本,有朋友说不支持Ubuntu24.04的版本,于是我下载了24.04的版本进行测试,发现是脚本中第119行和124行关于字符截取方式语法报错,导致脚本中途有执行失败的情况,第119行和124行具体代码如下:
if [[ ${maxday#*[[:space:]]} -gt 90 ]];thenif [[ ${minday#*[[:space:]]} -gt 0 ]];then
为两个判断语句,提示报错“[[: PASS_MAX_DAYS 90: syntax error in expression (error token is "90")”。通过bash -x xxx.sh查看执行步骤,发现是${minday#*[[:space:]]}没有正确处理字符串截取,导致判断语句成了[[ PASS_MAX_DAYS 90 -gt 90 ]],这样肯定是无法进行大小比较的,导致脚本报错,我通过命令行的方式发现可以正确截取字符串。
命令行可以,脚本应该没问题,创建一个测试脚本试了一下
#!/bin/bashmaxday=$(grep -i "^pass_max_days" /etc/login.defs)if [[ ${maxday#*[[:space:]]} -gt 0 ]];thenecho "success"elseecho "falid"fi
执行结果还是一样,提示语法错误,将脚本修改为
#!/bin/bashmaxday=$(grep -i "^pass_max_days" /etc/login.defs)if [[ ${maxday#*[[:space:]]} -gt 0 ]];thenecho "success"echo ${maxday#*[[:space:]]}elseecho "falid"echo ${maxday#*[[:space:]]}fi
执行结果如下
说明在if判断语句内无法识别,于是将脚本简单修改了一下,把字符截取从if判断语句中踢出去,单独赋给一个变量。
function pwexpired() {login_file="/etc/login.defs"maxday=$(grep -i "^pass_max_days" /etc/login.defs)minday=$(grep -i "^pass_min_days" /etc/login.defs)maxtimes=${maxday#*[[:space:]]}mintimes=${minday#*[[:space:]]}if [[ ${maxtimes} -gt 90 ]];then`sed -i "s/${maxday}/PASS_MAX_DAYS 90/g" ${login_file}` && echo "已修改密码最大过期时间为90天"elseecho "${maxday}"fiif [[ ${mintimes} -gt 0 ]];then`sed -i "s/${minday}/PASS_MIN_DAYS 0/g" ${login_file}` && echo "已修改密码最小过期时间为0天"elseecho "${minday}"fi}
改成这样经过我的测试是没有问题的,可以正常执行。但是我没有搞懂为啥if判断语句里面不行,而且仅仅是Ubuntu24.04不行,Ubuntu20.04和Centos7.9都是可以的。
在测试中发现Ubuntu24.04 auditd.server审计服务不存在,无法启动,所以在对脚本增加了audit安装的功能,最后在Centos7.9、Ubuntu20.04、Ubuntu24.04三个不同的系统版本中测试了脚本,都是没有问题的,完整版脚本如下:
#!/bin/bash#该脚本用户加固Linux系统,主要包括修改密码策略,登录策略,开启审计服务等#作者:Mr.shi#version:V1.1.0#更新历史:# 2024-08-15 1.1.0版本适配Ubuntu及其衍生版本# 2024-11-16 1.2.0版本:##############################################################1.适配Ubuntu24.04,修改/etc/login.defs失败 ##2.增加缺失audit和rsyslog安装功能 ##3.ubuntu sshd_config中permitrootlogin配置修改不适配问题 ###############################################################全局变量#pwquality_file="/etc/security/pwquality.conf"#PS3="请输入你的选择:"#修改函数function modifying() {filename=$1oldparm=$2newparm=$3`sed -i "s/${oldparm}/${newparm}/g" ${filename}`if [[ $? == 0 ]];thenecho "${filename}文件${newparm}参数修改成功"return 0elseecho "${filename}文件${newparm}参数修改失败"return 1fi}function pwquality() {version=$1new_minlen="minlen=8"new_dcredit="dcredit=-1"new_ucredit="ucredit=-1"new_lcredit="lcredit=-1"new_ocredit="ocredit=-1"new_minclass="minclass=3"common_pass="/etc/pam.d/common-password"common_auth="/etc/pam.d/common-auth"pwquality_file="/etc/security/pwquality.conf"if [[ -f "${pwquality_file}" ]] && [[ ${version} == *centos* ]];thenminlen=$(grep "minlen" ${pwquality_file})dcredit=$(grep "dcredit" ${pwquality_file})ucredit=$(grep "ucredit" ${pwquality_file})lcredit=$(grep "lcredit" ${pwquality_file})ocredit=$(grep "ocredit" ${pwquality_file})minclass=$(grep "minclass" ${pwquality_file})if [[ -n ${minlen} ]];thenmodifying "${pwquality_file}" "${minlen}" "${new_minlen}"modifying "${pwquality_file}" "${dcredit}" "${new_dcredit}"modifying "${pwquality_file}" "${ucredit}" "${new_ucredit}"modifying "${pwquality_file}" "${lcredit}" "${new_lcredit}"modifying "${pwquality_file}" "${ocredit}" "${new_ocredit}"modifying "${pwquality_file}" "${minclass}" "${new_minclass}"elseecho "${minlen}参数不存在"fielif [[ ${version} == *ubuntu* ]];thenvalue_auth=$(grep -i "^auth.*pam_unix" ${common_auth} | sed 's/\[/\\[/g' | sed 's/\]/\\]/g')value_pass=$(grep -i "^pass.*pam_unix" ${common_pass} | sed 's/\[/\\[/g' | sed 's/\]/\\]/g')new_value_pass="${value_pass} remember=5 retry=3 minlen=8 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minclass=3"new_value_auth="${value_auth} deny=5 unlock_ time=1800 even_deny_root root_unlock_time=1800"modifying "${common_pass}" "${value_pass}" "${new_value_pass}"modifying "${common_auth}" "${value_auth}" "${new_value_auth}"elseecho "pwquality函数执行falid"fi}function pam() {#REHL适用if [[ -f /etc/pam.d/password-auth ]];thensed -i "4i auth required pam_tally2.so onerr=fail deny=5 unlock_ time=1800 even_deny_root root_unlock_time=1800" /etc/pam.d/password-authsed -i "46i export TMOUT=600" /etc/profile && source /etc/profileelseecho "添加失败"fi}function sshd() {#禁止root用户直接登录sshd_config="/etc/ssh/sshd_config"yes="#PermitRootLogin yes"prohibit="#PermitRootLogin prohibit-password"no="PermitRootLogin no"prohibitpassword=if [[ -f ${sshd_config} ]];thenyesorno=$(grep -i "permitrootlogin" ${sshd_config} | awk '{print $2}' | head -n 1)if [[ ${yesorno} == "yes" ]];thenmodifying "${sshd_config}" "${yes}" "${no}" && systemctl restart sshd || systemctl restart ssh.serviceelif [[ ${yesorno} == prohibit* ]];thenmodifying "${sshd_config}" "${prohibit}" "${no}" && systemctl restart sshd || systemctl restart ssh.serviceelseecho "检查通过"fielseecho "${sshd_config}文件不存在"fi}function logset() {logrotate="/etc/logrotate.conf"dates=$(grep "^rotate [[:digit:]]$" /etc/logrotate.conf)rotate=$(grep "^[a-z]\{3,\}ly$" /etc/logrotate.conf)if [[ -f ${logrotate} ]];thenmodifying "${logrotate}" "${rotate}" "monthly"modifying "${logrotate}" "${dates}" "rotate 6"fi}#安装服务function installservice() {#判断网络local version=${1}local service=${2}`ping -c 4 -w 5 223.5.5.5 &> /dev/null`if [[ $? -eq 0 ]];thenif [[ ${version} == *centos* ]];then`yum -y install ${service} && echo "${service}安装成功并启动"`elif [[ ${version} == *ubuntu* ]];then`apt-get -y install ${service} && echo "${service}安装成功并启动"`elseecho "版本不支持"fielseecho "error,please check"fi}#判断auditd和rsyslog服务是否启动,如果未启动启动服务function services() {auditd=$(systemctl status auditd | grep -i "running" | wc -l)rsyslog=$(systemctl status rsyslog | grep -i "running" | wc -l)version=${1}services1="audit*"services2="rsyslog"if [[ ${auditd} == 1 ]];thenecho "audit服务正常"elif [[ ${auditd} == 0 ]];thenecho "auditd服务异常或者未启动"`systemctl start auditd`if [[ $? -ne 0 ]];theninstallservice ${version} ${services1}elif [[ $? -eq 0 ]];thenecho "重启auidtd服务成功"fifiif [[ ${rsyslog} == 1 ]];thenecho "rsyslog服务正常"elif [[ ${rsyslog} == 0 ]];thenecho "rsyslog服务异常或者未启动"systemctl start rsyslogif [[ $? -ne 0 ]];theninstallservice ${version} ${services2}elif [[ $? -eq 0 ]];thenecho "重启rsyslog服务成功"fifi}function pwexpired() {login_file="/etc/login.defs"maxday=$(grep -i "^pass_max_days" /etc/login.defs)minday=$(grep -i "^pass_min_days" /etc/login.defs)maxtimes=${maxday#*[[:space:]]}mintimes=${minday#*[[:space:]]}if [[ ${maxtimes} -gt 90 ]];then`sed -i "s/${maxday}/PASS_MAX_DAYS 90/g" ${login_file}` && echo "已修改密码最大过期时间为90天"elseecho "${maxday}"fiif [[ ${mintimes} -gt 0 ]];then`sed -i "s/${minday}/PASS_MIN_DAYS 0/g" ${login_file}` && echo "已修改密码最小过期时间为0天"elseecho "${minday}"fi}#主函数function main() {version=$(cat /etc/*release | grep -i "^ID=")if [[ `id -u` == 0 ]];thenif [[ ${version#*=} == *ubuntu* ]];thenecho "本系统为${version#*=}"pwquality ${version#*=}pwexpiredsshdlogsetservices ${version#*=}sed -i '$a export TMOUT=600' /etc/profile && source /etc/profileelif [[ ${version#*=} == *centos* ]];thenecho "本系统为${version#*=}"pwquality ${version#*=}pwexpiredpamsshdlogsetservices ${version#*=}elseecho "本脚本当前支持centos7.9和Ubuntu20.04/24.04,其他版本未测试"fielseecho "请在root账号下执行本脚本"fi}#执行主函数main
以上脚本不足之处将继续改进、迭代!请各位大佬多多指教!
标签:grep,Windows,pwquality,echo,etc,V1.2,file,Linux,fi From: https://blog.csdn.net/jxiang213/article/details/143881080