我正在制作操作系统安装后脚本,其中将包括强化部分。在这个强化部分中,它将从文件 A 中读取内核参数并与文件 /etc/sysctl.conf 进行比较,如果参数在 sysctl.conf 中不可用,那么它将把它添加到 sysctl.conf 中。
自定义文件中的参数
################## Hardening ############################
kernel.exec-shield = 1
kernel.randomize_va_space = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.tcp_timestamps = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
##########################################################
现在我添加了这些行以进行强化。
for i in $(cat /etc/sysctl.conf)
do
if ! grep -Fxq " $i " /etc/sysctl.conf
then
echo -e "$i" > ~/testfile
fi
done
这个脚本的问题在于它将内核参数中的每个空格视为空格行,并且问题从“for i in $(cat /etc/sysctl.conf)”的开头开始
这是调试信息
./LinuxHardening.sh
++ date
+ LOGDATE='Mon Feb 9 07:58:07 EST 2015'
+ echo Mon Feb 9 07:58:07 EST 2015
+ tee HardeningLog
Mon Feb 9 07:58:07 EST 2015
+ echo -e '\n############ Kernel Hardening ############'
+ tee -a HardeningLog
############ Kernel Hardening ############
++ cat kernelparms
+ for i in '$(cat kernelparms)'
+ grep -Fxq '##################' /etc/sysctl.conf
+ echo -e '##################'
+ for i in '$(cat kernelparms)'
+ grep -Fxq Hardening /etc/sysctl.conf
+ echo -e Hardening
+ for i in '$(cat kernelparms)'
+ grep -Fxq '############################' /etc/sysctl.conf
+ echo -e '############################'
+ for i in '$(cat kernelparms)'
+ grep -Fxq kernel.exec-shield /etc/sysctl.conf
+ echo -e kernel.exec-shield
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 1 /etc/sysctl.conf
+ echo -e 1
+ for i in '$(cat kernelparms)'
+ grep -Fxq kernel.randomize_va_space /etc/sysctl.conf
+ echo -e kernel.randomize_va_space
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 1 /etc/sysctl.conf
+ echo -e 1
+ for i in '$(cat kernelparms)'
+ grep -Fxq net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf
+ echo -e net.ipv4.icmp_echo_ignore_broadcasts
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 1 /etc/sysctl.conf
+ echo -e 1
+ for i in '$(cat kernelparms)'
+ grep -Fxq net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf
+ echo -e net.ipv4.icmp_ignore_bogus_error_responses
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 1 /etc/sysctl.conf
+ echo -e 1
+ for i in '$(cat kernelparms)'
+ grep -Fxq net.ipv4.tcp_syncookies /etc/sysctl.conf
+ echo -e net.ipv4.tcp_syncookies
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 1 /etc/sysctl.conf
+ echo -e 1
+ for i in '$(cat kernelparms)'
+ grep -Fxq net.ipv4.conf.all.log_martians /etc/sysctl.conf
+ echo -e net.ipv4.conf.all.log_martians
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 1 /etc/sysctl.conf
+ echo -e 1
+ for i in '$(cat kernelparms)'
+ grep -Fxq net.ipv4.conf.all.accept_redirects /etc/sysctl.conf
+ echo -e net.ipv4.conf.all.accept_redirects
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 0 /etc/sysctl.conf
+ echo -e 0
+ for i in '$(cat kernelparms)'
+ grep -Fxq net.ipv4.conf.all.rp_filter /etc/sysctl.conf
+ echo -e net.ipv4.conf.all.rp_filter
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 1 /etc/sysctl.conf
+ echo -e 1
+ for i in '$(cat kernelparms)'
+ grep -Fxq net.ipv4.conf.all.send_redirects /etc/sysctl.conf
+ echo -e net.ipv4.conf.all.send_redirects
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 0 /etc/sysctl.conf
+ echo -e 0
+ for i in '$(cat kernelparms)'
+ grep -Fxq net.ipv4.conf.default.accept_redirects /etc/sysctl.conf
+ echo -e net.ipv4.conf.default.accept_redirects
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 0 /etc/sysctl.conf
+ echo -e 0
+ for i in '$(cat kernelparms)'
+ grep -Fxq net.ipv4.conf.default.log_martians /etc/sysctl.conf
+ echo -e net.ipv4.conf.default.log_martians
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 1 /etc/sysctl.conf
+ echo -e 1
+ for i in '$(cat kernelparms)'
+ grep -Fxq net.ipv4.tcp_timestamps /etc/sysctl.conf
+ echo -e net.ipv4.tcp_timestamps
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 0 /etc/sysctl.conf
+ echo -e 0
+ for i in '$(cat kernelparms)'
+ grep -Fxq net.ipv6.conf.all.accept_redirects /etc/sysctl.conf
+ echo -e net.ipv6.conf.all.accept_redirects
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 0 /etc/sysctl.conf
+ echo -e 0
+ for i in '$(cat kernelparms)'
+ grep -Fxq net.ipv6.conf.default.accept_redirects /etc/sysctl.conf
+ echo -e net.ipv6.conf.default.accept_redirects
+ for i in '$(cat kernelparms)'
+ grep -Fxq = /etc/sysctl.conf
+ echo -e =
+ for i in '$(cat kernelparms)'
+ grep -Fxq 0 /etc/sysctl.conf
+ echo -e 0
+ for i in '$(cat kernelparms)'
+ grep -Fxq '##########################################################' /etc/sysctl.conf
+ echo -e '##########################################################'
答案1
为什么不使用 while 逐行读取:
while read -r line
do
if ! grep -Fxq " $line " /etc/sysctl.conf
then
echo -e "$line" >> ~/testfile
fi
done </etc/sysctl.conf
并将 > 替换为 >>。
答案2
尝试类似的方法:
while read i
do
if ! grep -Fxq " $i " /etc/sysctl.conf
then
echo -e "$i" >> ~/testfile
fi
done<kernelparms
答案3
与awk
和关联数组:
awk '!/^($|#)/{arr[$1]=$0}END{for(param in arr) print arr[param]}' /etc/sysctl.conf custom.conf
如果顺序很重要:
awk '!/^($|#)/{
arr[$1] = $0
}
END {
for(key in arr)
print arr[key]
}' /etc/sysctl.conf custom.conf | sort > hardened.conf
!/^($|#)/
- 忽略注释行或空行
{arr[$1]=$0}
- 将每一行存储到 arr 中,并将其与内核参数相关联;每次看到相同的参数(即从custom.conf
最后一个要读取的文件)时,该行都会更新
END{for(param in arr) print arr[param]}
- 读取所有输入后,打印每个内核参数的关联行。
答案4
设置IFS=$'\n'
它不会将空格视为新行。