
近期甲方领导突然要把装机标准化文档内容变成脚本,执行完就能完成基础配置。参考了当时给的某银行脚本,改成这个,记录一下。
#!/bin/bash
# This script is for Linux(Centos,Redhat,OracleLinux) optimization.
# 本脚本包含以下内容:
# 1 常用命令安装 cmdInstall
# 2 关闭防火墙和SELinux stopFirewallSelinux
# 3 标准参数设置 setParameter
# 3.1 用户资源参数配置 userLimit
# 3.2 内核参数配置 mainParameter
# 4 系统安全加固 securityCheck
# 4.1 登录安全检查 loginSecurityCheck
# 4.2 history时间戳 historyTimestamp
# 5 时间同步设置 serviceNtp
# 显示字体颜色变量
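# 显示字体颜色变量 (ANSI escape sequences used by the functions below)
rsred="\033[31m"
rsgreen="\033[32m"
rsend="\033[0m"
# 获取时间
datetime=$(date +%Y%m%d)
checktime=$(date +%Y%m%d_%H:%M)
# 日志保存文件
checklog=./"syscheck_${datetime}".log
#创建管道文件
# The two FIFOs live in a private temp dir instead of the working directory:
# fixed names there collide with leftovers of an earlier run (mkfifo fails and
# the exec below then writes to a regular file or aborts), and a pre-created
# file of that name owned by someone else would receive the whole log.
fifodir=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
# Remove the FIFOs on any exit path; the background readers see EOF once this
# shell (the only writer) exits.
trap 'rm -rf -- "${fifodir:?}"' EXIT
mkfifo "$fifodir/info.fifo" "$fifodir/error.fifo" || { printf 'mkfifo failed\n' >&2; exit 1; }
#把执行过程输出到info文件中
# stdout and stderr are both copied to the same log (the two streams may
# interleave there, as before).
tee -a -- "$checklog" < "$fifodir/info.fifo" &
exec 1> "$fifodir/info.fifo"
tee -a -- "$checklog" < "$fifodir/error.fifo" &
exec 2> "$fifodir/error.fifo"
printf '**************** 标准环境配置: %s *****************\n' "$checktime"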
#--------------------------------------------------------------------------------------
# 1 常用命令安装
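#######################################
# 1 常用命令安装: install every *.rpm found in ./rpm (relative to the
# current working directory) with yum.
# Globals:   none written
# Arguments: none
# Outputs:   section banner and yum output on stdout
# Returns:   yum's exit status, or 1 when ./rpm holds no *.rpm files
#######################################
cmdInstall(){
  local dir rpms
  echo "***************************************************************"
  echo "* *"
  echo "* 1 常用命令安装 *"
  echo "* *"
  echo "***************************************************************"
  dir=$(pwd)
  #unzip $rpmdir/rpm.zip $rpmdir/rpm
  # Expand the glob here so an empty directory is reported instead of yum
  # being handed the literal pattern "*.rpm".
  rpms=( "$dir"/rpm/*.rpm )
  if [[ ${#rpms[@]} -eq 0 || ! -e "${rpms[0]}" ]]; then
    printf 'Notice: no *.rpm files found in %s/rpm, skipping install.\n' "$dir" >&2
    return 1
  fi
  yum localinstall -y "${rpms[@]}"
}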
#--------------------------------------------------------------------------------------
# 2 关闭防火墙和SELinux
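#######################################
# 2 关闭防火墙和SELinux: stop and disable firewalld, switch SELinux to
# permissive now and to disabled in its config file.
# Globals:   datetime (read; suffix of the config backup)
# Arguments: $1 - SELinux config file (default /etc/selinux/config)
# Outputs:   progress messages on stdout
# Returns:   0; the systemctl/setenforce results are not checked
#######################################
stopFirewallSelinux(){
  local selinuxcfg=${1:-/etc/selinux/config}
  echo -e "\n***************************************************************"
  echo "* *"
  echo "* 2 关闭防火墙和SELinux *"
  echo "* *"
  echo "***************************************************************"
  systemctl stop firewalld.service
  systemctl disable firewalld.service
  echo "已关闭:firewalld 防火墙"
  # Runtime switch only; the config edit below is what survives a reboot.
  setenforce 0
  if [[ -f "$selinuxcfg" ]]; then
    # Dated backup first, as the other config edits in this script do, so the
    # previous mode can be restored. Match any current value: the old pattern
    # only rewrote "enforcing" and left a "permissive" setting untouched.
    cp -- "$selinuxcfg" "$selinuxcfg.$datetime"
    sed -i 's/^SELINUX=.*/SELINUX=disabled/' "$selinuxcfg"
    echo "已关闭 SELinux"
  else
    printf 'Notice: %s not found, SELinux config unchanged.\n' "$selinuxcfg" >&2
  fi
}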
#--------------------------------------------------------------------------------------
# 3 标准参数设置
#######################################
# 3 标准参数设置: run the two parameter steps in order
# (3.1 userLimit, then 3.2 mainParameter).
# Returns:   exit status of the last step run
#######################################
setParameter(){
  local step
  for step in userLimit mainParameter; do
    "$step"
  done
}
#--------------------------------------------------------------------------------------
#--------------------------------------------------------------------------------------
# 3.1 用户资源参数配置
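#######################################
# 3.1 用户资源参数配置: back up limits.conf and append the nofile/nproc
# limits used by this standard.
# Globals:   datetime (read; suffix of the backup file)
# Arguments: $1 - limits file (default /etc/security/limits.conf)
# Outputs:   progress messages and the resulting file on stdout
# Returns:   1 if the backup copy fails, else 0
#######################################
userLimit(){
  local nprocfile=${1:-/etc/security/limits.conf}
  local line
  echo -e "\n***************************************************************"
  echo "* *"
  echo "* 3.1 用户资源参数配置 *"
  echo "* *"
  echo "***************************************************************"
  #先备份,再修改配置文件
  cp -- "$nprocfile" "$nprocfile.$datetime" || return 1
  # Append only lines that are not already present (exact match), so running
  # the script twice does not stack duplicate entries.
  for line in "* soft nofile 10240" "* hard nofile 10240" "* soft nproc 10240" "* hard nproc 10240"; do
    grep -qxF -- "$line" "$nprocfile" || printf '%s\n' "$line" >> "$nprocfile"
  done
  echo -e "已修改用户资源参数配置文件:$nprocfile\n\n"
  cat -- "$nprocfile"
}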
#--------------------------------------------------------------------------------------
# 3.2 内核参数配置
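#######################################
# 3.2 内核参数配置: back up sysctl.conf, append the vm/net settings used
# by this standard and load them with sysctl -p.
# Globals:   datetime (read; suffix of the backup file)
# Arguments: $1 - sysctl file (default /etc/sysctl.conf)
# Outputs:   progress messages and sysctl output on stdout
# Returns:   1 if the backup copy fails, else 0
#######################################
mainParameter(){
  local nprocfile=${1:-/etc/sysctl.conf}
  local line
  echo -e "\n***************************************************************"
  echo "* *"
  echo "* 3.2 内核参数配置 *"
  echo "* *"
  echo "***************************************************************"
  #先备份,然后修改配置文件
  cp -- "$nprocfile" "$nprocfile.$datetime" || return 1
  # Append only lines that are not already present (exact match), so running
  # the script twice does not stack duplicate entries.
  for line in "vm.swappiness=10" "net.ipv4.tcp_keepalive_time=120" "net.ipv4.tcp_keepalive_probes=5" "net.ipv4.tcp_keepalive_intvl=15"; do
    grep -qxF -- "$line" "$nprocfile" || printf '%s\n' "$line" >> "$nprocfile"
  done
  #使配置生效 — load the file that was just edited
  sysctl -p "$nprocfile"
  echo "已修改kernel、vm、fs、net参数配置:$nprocfile"
}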
#--------------------------------------------------------------------------------------
# 4 系统安全加固
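#######################################
# 4 系统安全加固: run 4.1 loginSecurityCheck, then 4.2 historyTimestamp
# when that function exists.
# Returns:   exit status of the last step run
#######################################
securityCheck(){
  loginSecurityCheck
  # historyTimestamp is listed in the header but not defined anywhere in this
  # file; an unconditional call fails with "command not found".
  if declare -F historyTimestamp >/dev/null; then
    historyTimestamp
  else
    printf 'Notice: historyTimestamp is not defined, skipping 4.2 history时间戳.\n' >&2
  fi
}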
#--------------------------------------------------------------------------------------
# 4.1 登录安全检查
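#######################################
# 4.1 登录安全检查: write the banner generator script and install a cron
# job that refreshes /etc/motd from it every hour.
# Globals:   rsgreen, rsend (read; message colours)
# Arguments: none
# Outputs:   progress messages and the resulting crontab on stdout
# Returns:   1 if the temp file cannot be created, else status of ls
#######################################
loginSecurityCheck(){
  local banner="/usr/local/bin/linux_os_banner.sh"
  local cron_job cron_bak conf
  echo "***************************************************************"
  echo "* *"
  echo "* 4.1 登录安全检查 *"
  echo "* *"
  echo "***************************************************************"
  #如果直接用脚本展示banner,会导致sftp无法使用。这里先生成脚本,然后通过计划任务将得到的结果写入/etc/motd。
  #以文本的形式展示banner,此信息每小时的第五分钟更新一次。
  # The delimiter is quoted, so nothing below is expanded here: the file is
  # written verbatim and evaluated by cron later.
  cat <<\EOF > "$banner"
#!/bin/bash
#
# Author : Li Zhi
# Version: 1.0
#
# cron starts jobs with a minimal PATH; ifconfig lives under /sbin or /usr/sbin.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Process count
PROCCOUNT=$( ps -Afl | wc -l )
PROCCOUNT=$( expr $PROCCOUNT - 5 )
# Uptime
UPTIME=$(</proc/uptime)
UPTIME=${UPTIME%%.*}
SECONDS=$(( UPTIME%60 ))
MINUTES=$(( UPTIME/60%60 ))
HOURS=$(( UPTIME/60/60%24 ))
DAYS=$(( UPTIME/60/60/24 ))
# SYSTEM INFO
# Hostname (UPPERCASE)
HOSTNAME=$( echo $(hostname) | tr '[a-z]' '[A-Z]' )
# IP Address (list all ip addresses)
IP_ADDRESS=$(echo $(ifconfig | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p' | sed ':a;N;$!ba;s/\n/ , /g') )
# System : Description of the distribution
# SYSTEM=$(echo $(lsb_release -d | awk -F':' '{print $2}' | sed 's/^\s*//g') )
SYSTEM=$(cat /etc/redhat-release)
# Kernel release
KERNEL=$( echo $(uname -r) )
# CPU Info
CPU_INFO=$(echo $(more /proc/cpuinfo | grep processor | wc -l ) "x" $(more /proc/cpuinfo | grep 'model name' | uniq |awk -F":" '{print $2}') )
# Total Memory
MEMORY=$(echo $(free -m |grep Mem: | awk -F " " '{print $2}') M)
# Memory Used
MEMORY_USED=$(echo $(free -m |grep Mem: | awk -F " " '{print $3}') M)
## get current storage information, how many space a left :)
STORAGE=$(df -h |sed -e 's/^File.*$/\x1b[0;37m&\x1b[1;32m/' | sed -e 's/^Datei.*$/\x1b[0;37m&\x1b[1;32m/' )
echo -e "
\033[1;31m+++++++++++++++++: \033[0;37mSystem Data\033[1;31m :+++++++++++++++++++++++++++++++
+ \033[0;37mHostname \033[1;31m= \033[1;32m$HOSTNAME
\033[1;31m+ \033[0;37mAddress \033[1;31m= \033[1;32m$IP_ADDRESS
\033[1;31m+ \033[0;37mSystem \033[1;31m= \033[1;32m$SYSTEM
\033[1;31m+ \033[0;37mKernel \033[1;31m= \033[1;32m$KERNEL
\033[1;31m+ \033[0;37mUptime \033[1;31m= \033[1;32m$DAYS days, $HOURS hours, $MINUTES minutes, $SECONDS seconds
\033[1;31m+ \033[0;37mCPU Info \033[1;31m= \033[1;32m$CPU_INFO
\033[1;31m+ \033[0;37mMemory \033[1;31m= \033[1;32m$MEMORY
\033[1;31m+ \033[0;37mMemory Used \033[1;31m= \033[1;32m$MEMORY_USED
\033[1;31m+++++++++++++++++: \033[0;37mUser Data\033[1;31m :++++++++++++++++++++++++++++++++
+ \033[0;37mUsername \033[1;31m= \033[1;32m`whoami`
\033[1;31m+ \033[0;37mProcesses \033[1;31m= \033[1;32m$PROCCOUNT of `ulimit -u` MAX
\033[1;31m+++++++++++++++++: \033[0;37mStorage Data\033[1;31m :+++++++++++++++++++++++++++++
\033[1;31m+$STORAGE
\033[1;31m+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\033[0m"
EOF
  # Run the generator with bash, matching its shebang: it relies on "echo -e"
  # and ${var%%.*}/$(( )) forms that a plain /bin/sh (e.g. dash) need not support.
  cron_job="5 * * * * /bin/bash $banner > /etc/motd"
  #备份原有计划任务到文件中(/root/crontab.bak)
  # Write and later list the same path, instead of writing into the working
  # directory and listing /root.
  cron_bak="${HOME:-/root}/crontab.bak"
  crontab -l > "$cron_bak" 2>/dev/null
  #导出原有计划任务到文件中(conf) — private temp file, not "conf" in the cwd
  conf=$(mktemp) || return 1
  crontab -l > "$conf" 2>/dev/null
  #注释原有类似任务 (only lines not already commented, so re-runs do not pile up '#')
  sed -i '/^[^#].*linux_os_banner\.sh/ s/^/#/' "$conf"
  #将新计划任务追加到conf文件中
  printf '%s\n' "$cron_job" >> "$conf"
  #将conf文件内容写入计划任务
  crontab "$conf"
  #删除刚才生成的conf文件
  rm -f -- "$conf"
  #显示计划任务内容
  crontab -l
  #查看备份文件
  ls -l -- "$cron_bak"
  echo -e "${rsgreen}已设置Banner警告信息 ${rsend}"
}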
#--------------------------------------------------------------------------------------
#--------------------------------------------------------------------------------------
# 5 时间同步设置
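#######################################
# 5 时间同步设置: check that chrony is installed, back up chrony.conf,
# add the NTP server line and restart/enable chronyd.
# Globals:   datetime (read; suffix of the backup file)
# Arguments: $1 - NTP server address (default 192.168.1.100)
#            $2 - chrony config file (default /etc/chrony.conf)
# Outputs:   progress messages and "chronyc sources -v" on stdout
# Returns:   status of chronyc; EXITS the script with 10 if chrony is missing
#######################################
serviceNtp(){
  local ntpIP=${1:-192.168.1.100}
  local configchrony=${2:-/etc/chrony.conf}
  local entry
  echo "***************************************************************"
  echo "* *"
  echo "* 5 时间同步设置 *"
  echo "* *"
  echo "***************************************************************"
  ####安装ntp客户端、并且配置ntp客户端####
  # Query the package directly: counting "rpm -qa | grep" hits fails the
  # "== 1" test as soon as a second package name contains "chrony".
  if rpm -q chrony >/dev/null 2>&1; then
    echo "本机已安装chrony.可配置chrony client."
  else
    echo "Notice: chrony didn't exist.Please install."
    exit 10
  fi
  cp -- "$configchrony" "$configchrony.$datetime"
  #2. 增加NTP服务器配置 (skipped when this exact line is already present)
  entry="server $ntpIP iburst"
  grep -qxF -- "$entry" "$configchrony" || printf '%s\n' "$entry" >> "$configchrony"
  systemctl restart chronyd
  systemctl enable chronyd
  chronyc sources -v
}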
#######################################
# Entry point: run the five configuration steps in order, then pause
# briefly before exiting (presumably so the background log writers can
# drain — confirm).
# Returns:   always exits 0; step failures are not propagated
#######################################
main(){
  cmdInstall            # 1 常用命令安装
  stopFirewallSelinux   # 2 关闭防火墙和SELinux
  setParameter          # 3 标准参数设置
  securityCheck         # 4 系统安全加固
  serviceNtp            # 5 时间同步设置
  #3秒后退出
  sleep 3
  exit 0
}
main "$@"