Recommended CentOS System Initialization Script

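A system initialization script is run right after the operating system is installed. Its main job is to optimize the system environment, change commonly used settings, and make the configuration uniform across machines. Running the script repeatedly does not apply the changes more than once. It is best to reboot the system after it finishes.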

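Script features:

1. Install the EPEL repository and the commonly used libraries

2. Enable the necessary services. The service policy is to set all services to off and set only the necessary system services to on; which services to enable depends on the actual environment

3. Disable SELinux

4. Set LANG to en_US.UTF-8

5. Set the command history size to 100

6. Log the commands run by every logged-in user. Apart from root (or users with sudo privileges), no other user can modify or delete users' command history log files, which keeps the logs secure

7. Change the system hard/soft limits

8. Tune commonly used kernel parameters

9. Synchronize the system time and add ntp to cron

10. Create the default operations accounts, grant them sudo privileges, and force a password change at next login

11. Reboot the system once the setup is complete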

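Demonstration:

1. Script run output: each setting that succeeds prints a green done; if a service set to be enabled does not exist, it is marked in red with not exits; users that already exist are not added again; at the end the script asks whether to reboot immediately:

A newly added operations account must change its password at first login; the default password is changed in the script:

The commands run by all logged-in users can be viewed:

Apart from root (or users with sudo privileges), no other user has permission to modify or delete the command log files.

Script source code: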

```bash
#!/bin/bash
#===============================================================================
#          FILE: linux_init.sh
#
#   DESCRIPTION: This script is used to install usual libs, close unnecessary
#                services, optimize kernel parameters and so on
#          BLOG: http://waydee.blog.51cto.com/
#
#       CREATED: 2012-4-17 11:27:19
#      REVISION: 1.0
#===============================================================================

set -o nounset    # Treat unset variables as an error

############# VARIABLES DEFINED #############
SRV_TEMP="/tmp/chkconfig_list.tmp"    # SRV_TEMP keep result from chkconfig command
# add services to this VARIABLES if you want to start them when linux start
SRV_ON="NetworkManager acpid auditd crond haldaemon iptables irqbalance kudzu lvm2-monitor mcstrans messagebus microcode_ctl netfs network portmap readahead_early restorecond smartd sshd syslog xfs xinetd yum-updatesd"
# the libs files will be used later
INSTALL_LIBS="gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5-devel libidn libidn-devel openssl openssl-devel nss_ldap openldap openldap-devel openldap-clients libxslt-devel libevent-devel libtool-ltdl bison libtool vim-enhanced"
HISTORY_DIR="/var/log/.history"       # the dir where to log user command
DONE="\e[0;32m\033[1mdone\e[m"
ADMIN_USER="test1 test2 test3"        # default users who are administrators
DEFAULT_PASSWD="123456"               # set the default password for administrators, it will be changed when user first login

# install EPEL
if [ ! -e /etc/yum.repos.d/epel.repo ]
then
    rpm -ivh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm 1>/dev/null
    echo -e "Install EPEL source ${DONE}."
fi

# install usual libs
yum -y install ${INSTALL_LIBS} 1>/dev/null
echo -e "Install the usual libs ${DONE}."

# close all services and set necessary services on
chkconfig --list | awk '{print $1}' > ${SRV_TEMP}

# close all services
while read SERVICE
do
    chkconfig --level 345 ${SERVICE} off 1>/dev/null
done < ${SRV_TEMP}

# open necessary services
for SRVS in ${SRV_ON}
do
    if [ -e /etc/init.d/${SRVS} ]
    then
        chkconfig --level 345 ${SRVS} on 1>/dev/null
    else
        echo -e "Service ${SRVS} is \e[0;31m\033[1mnot exits\e[m."
    fi
done

# check if the server is vmware virtual machine
chkconfig --list | grep vmware >/dev/null 2>&1
GREP_STATUS=$?
if [[ ${GREP_STATUS} == 0 ]]
then
    chkconfig --level 345 vmware on 1>/dev/null
    chkconfig --level 345 vmware-USBArbitrator on 1>/dev/null
    chkconfig --level 345 vmware-workstation-server on 1>/dev/null
    chkconfig --level 345 vmware-wsx-server on 1>/dev/null
    chkconfig --level 345 vmamqpd on 1>/dev/null
fi
echo -e "Stop unnecessary services ${DONE}."

# set selinux disabled
sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config
echo -e "Set SELinux disabled ${DONE}."

# set LANG en_US.UTF-8
sed -i 's/LANG=.*$/LANG="en_US.UTF-8"/' /etc/sysconfig/i18n
echo -e "Set LANG en_US.UTF-8 ${DONE}."

# set history 100
sed -i "s/HISTSIZE=.*/HISTSIZE=100/" /etc/profile
echo -e "Set history 100 ${DONE}."

# log every command for every user
if [ ! -d ${HISTORY_DIR} ]
then
    mkdir -p ${HISTORY_DIR}
    chmod -R 1777 ${HISTORY_DIR}
fi

# use PROMPT_COMMAND to log every user command
more /etc/profile | grep PROMPT_COMMAND >/dev/null 2>&1
COMMAND_STATUS=$?
if [[ ${COMMAND_STATUS} != 0 ]]
then
#   export HISTORY_FILE="${HISTORY_DIR}/`date '+%y-%m-%d'`-`whoami`.log"
cat >> /etc/profile << EOF
#log every user command
export HISTORY_FILE="/var/log/.history/\`whoami\`-\`date '+%y-%m-%d'\`.log"
export PROMPT_COMMAND='{ date "+%y-%m-%d %H:%M:%S - \$(who am i | awk "{print \\\$1\" \"\\\$2\" \"\\\$5}") - \$(history 1 | { read x cmd; echo "\$cmd"; })"; } >> \$HISTORY_FILE'
EOF
    echo -e "Log user command ${DONE}."
fi

more /etc/rc.local | fgrep "ulimit -SHn 65535" >/dev/null 2>&1
ULIMIT_STATUS=$?
if [[ ${ULIMIT_STATUS} != 0 ]]
then
    # set linux limit
    echo "* soft nofile 60000" >> /etc/security/limits.conf
    echo "* hard nofile 65535" >> /etc/security/limits.conf
    echo "ulimit -SHn 65535" >> /etc/rc.local
    echo -e "Set hard/soft limit ${DONE}."
    echo "source /etc/profile" >> /etc/rc.local
    echo "source /etc/profile" >> /root/.bash_profile
fi

# linux kernel optimize
# the file is overwritten on every run, so re-running does not duplicate entries
cat > /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.core.rmem_max = 873200
net.core.wmem_max = 873200
net.ipv4.tcp_wmem = 8192 436600 873200
net.ipv4.tcp_rmem = 8192 436600 873200
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_tw_buckets = 180000
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 131072
net.core.somaxconn = 1024
net.core.netdev_max_backlog = 1000
net.ipv4.tcp_max_syn_backlog = 20480
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_sack = 1
net.ipv4.tcp_timestamps = 0
EOF

# make optimize effect
sysctl -p 1>/dev/null
echo -e "Optimize kernel ${DONE}."

# time set
/usr/sbin/ntpdate ntp.fudan.edu.cn 1>/dev/null

# add to cronjob
more /var/spool/cron/root | grep "ntp.fudan.edu.cn" >/dev/null 2>&1
NTP_STATUS=$?
if [[ ${NTP_STATUS} != 0 ]]
then
cat >> /var/spool/cron/root << EOF
#time set
*/5 * * * * /usr/sbin/ntpdate ntp.fudan.edu.cn
EOF
    echo -e "Time ntpdate set ${DONE}."
fi

# add default administrators
for ADMIN in ${ADMIN_USER}
do
    # -x matches the whole user name, so test1 is not mistaken for test10
    if cat /etc/passwd | awk -F: '{print $1}' | grep -x "${ADMIN}" >/dev/null 2>&1
    then
        echo -e "User ${ADMIN} has been \e[0;32m\033[1madded\e[m."
    else
        # add new user, change password when user login
        useradd ${ADMIN}
        echo "${DEFAULT_PASSWD}" | passwd --stdin ${ADMIN} >/dev/null 2>&1
        usermod -L ${ADMIN}
        chage -d 0 ${ADMIN}
        usermod -U ${ADMIN}
        echo -e "Add User \e[0;32m\033[1m${ADMIN}\e[m done."
        # add user to sudoers file
        echo "${ADMIN} ALL=(ALL) ALL" >> /etc/sudoers
    fi
done

# init done, and reboot system
echo -e "Do you want to \e[0;31m\033[1mreboot\e[m system now? [Y/N]:\t"
read REPLY
case $REPLY in
    Y|y)
        echo "The system will reboot now ..."
        shutdown -r now
        ;;
    N|n)
        echo "You must reboot later..."
        source /etc/profile
        ;;
    *)
        echo "You must input [Y/N]."
        source /etc/profile
        ;;
esac
```
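
A check to run after the script, added here as an example that is not part of the original linux_init.sh: it compares a sysctl.conf-style file against the security-relevant values from the script's kernel block and reports keys that are missing or overridden later in the file. The function name `audit_sysctl`, the `EXPECTED` list and the sample file are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not part of linux_init.sh.
# Security-relevant pairs copied from the script's sysctl block.
EXPECTED="net.ipv4.ip_forward=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
kernel.sysrq=0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1"

# audit_sysctl FILE
# Prints "MISSING key" or "DRIFT key got=X want=Y" for each finding.
# Returns 0 when FILE carries every expected value, 1 otherwise.
audit_sysctl() {
    audit_out=$(printf '%s\n' "$EXPECTED" | awk -F= -v conf="$1" '
        BEGIN {
            # Load FILE first: skip comment lines, trim blanks around "=",
            # and let a later assignment win, as "sysctl -p" applies them in order.
            while ((getline line < conf) > 0) {
                if (line ~ /^[ \t]*[#;]/) continue
                n = index(line, "=")
                if (n == 0) continue
                k = substr(line, 1, n - 1)
                v = substr(line, n + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", k)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                have[k] = v
            }
        }
        # Then compare each expected pair read from stdin.
        !($1 in have)   { print "MISSING " $1; next }
        have[$1] != $2  { print "DRIFT " $1 " got=" have[$1] " want=" $2 }
    ')
    if [ -z "$audit_out" ]; then
        return 0
    fi
    printf '%s\n' "$audit_out"
    return 1
}

# Constructed sample: one value overridden later in the file, one key absent.
demo_conf=$(mktemp)
printf '%s\n' '# constructed sample' 'net.ipv4.ip_forward = 0' \
    'net.ipv4.conf.default.rp_filter=1' 'net.ipv4.conf.default.accept_source_route=0' \
    'kernel.sysrq=0' 'net.ipv4.tcp_syncookies=1' 'net.ipv4.tcp_syncookies = 0' > "$demo_conf"
audit_sysctl "$demo_conf" || echo "sysctl drift found in $demo_conf"
```

On a real host, pass `/etc/sysctl.conf` as the argument; the return code makes the function usable in a configuration-compliance job.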
