結果だけでなく過程も見てください

日々の奮闘を綴る日記です。

CentOS(バージョン7以降)の新規インストール時に行う作業をスクリプト化したもの

新しいバージョンのCentOS/RedHat(バージョン7以降)がリリースされた場合などに使用するスクリプトです。
基本的にセキュリティはゆるゆる(SELinuxとfirewalldを無効化し、Sambaでルートディレクトリ「/」を書き込み可で共有)なので状況に応じて設定を変更してください。

やっていることはざっと以下の通りです。

  • rootで実行しているかチェック
  • umaskを0022に設定
  • 変更を行うファイルのバックアップをコピーするためのディレクトリ作成
  • SELinux無効化
  • perlのインストール
  • gccのインストール (コメントアウトしてます)
  • gdbのインストール (コメントアウトしてます)
  • Sambaサーバーのインストール (IPフィルタは127.と192.168.1.になってます)
  • firewalldの無効化
  • wgetのインストール
  • SSHでrootログイン不可化 (コメントアウトしてます)
  • umaskを元に戻す
#!/bin/sh
# Post-install setup script for CentOS/RHEL 7 and later. Must be run as root.
#
# NOTE(security): several steps in this script deliberately loosen the host:
#   - SELINUX=disabled is written to /etc/selinux/config and the running
#     system is put in permissive mode (setenforce 0).
#   - A Samba share [shareall] exports "/" with "writable = yes" and
#     "public = yes"; a Samba account is created for root; "hosts allow"
#     is 127. and 192.168.1.
#   - firewalld is stopped and disabled.
#   - The section that sets "PermitRootLogin no" for sshd is commented out.
# Adjust these sections to the target environment before running.


# Directory that receives numbered copies of the files this script edits.
BK_DIR=~/init_backup


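#######################################
# Copy a file to the first free numbered backup slot "<dstfile>.<n>".
# Slots are probed from 0 upward, so an existing backup is never overwritten.
# Arguments:
#   $1 - file to back up
#   $2 - destination path prefix; ".<n>" is appended to it
# Outputs:
#   "[Info ] ..." on stdout on success, "[Error] ..." on stderr on failure
# Returns:
#   0 if the copy succeeded, 1 if cp failed or no slot in 0..100000 was free
#######################################
file_backup() {
  local srcfile dstfile i
  srcfile=$1
  dstfile=$2
  i=0

  while [ "$i" -le 100000 ]
  do
    if [ ! -e "${dstfile}.${i}" ]
    then
      # cp -p keeps mode, ownership and timestamps, so the copy of a
      # restricted file stays as restricted as the original.
      if cp -p -- "${srcfile}" "${dstfile}.${i}"
      then
        echo "[Info ] Copying file succeeded(${dstfile}.${i})."
        return 0
      fi

      # A copy that failed for this slot would fail for the next one as
      # well, so report once and stop instead of retrying every slot.
      echo "[Error] Copying file failed(${dstfile}.${i})." >&2
      return 1
    fi
    i=$((i + 1))
  done

  echo "[Error] No free backup slot for ${dstfile}." >&2
  return 1
}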


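# --------------------------------------------------------------------
# Check Superuser
#
# `id -u` prints the effective user id in any POSIX shell. $EUID and $UID
# are shell-specific variables; where neither is set the comparison would be
# malformed and the check would not stop the script.

if [ "$(id -u)" -ne 0 ]
then
  echo "[Error] You must run this script with Superuser." >&2
  # Exit statuses are 0-255; a negative value is not portable.
  exit 1
fi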


# --------------------------------------------------------------------
# Set umask
#
# Remember the caller's mask so it can be put back at the end, then switch to
# 0022 (new files 0644, new directories 0755) for everything created below.

OLD_MASK=$(umask)
umask 0022


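# --------------------------------------------------------------------
# Create backup
#
# NOTE(security): 0755 lets other local users list this directory if its
# parent is traversable. The copies themselves keep the mode of the original
# file because file_backup uses cp -p.

echo "################## Create backup directory ##################"

if [ -d "${BK_DIR}" ]
then
  echo "[Info ] backup dir(${BK_DIR}) has been already created. Skipped."
elif [ -e "${BK_DIR}" ]
then
  # Something other than a directory occupies the path; every later
  # backup under it would fail.
  echo "[Error] ${BK_DIR} exists but is not a directory." >&2
  exit 1
else
  if mkdir -p "${BK_DIR}" && chmod 0755 "${BK_DIR}"
  then
    echo "[Info ] backup dir(${BK_DIR}) has created."
  else
    echo "[Error] Creating backup dir(${BK_DIR}) failed." >&2
    exit 1
  fi
fi

echo ""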


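# --------------------------------------------------------------------
# Disable SELinux
#
# NOTE(security): this switches off mandatory access control for the whole
# host. SELINUX=permissive keeps denials logged without enforcing them and is
# the milder choice when the aim is only to get a service working.

echo "################## Disable SELinux ##################"

# Anchor on the start of the line so a commented-out "#SELINUX=disabled"
# is not mistaken for the active setting.
if grep -q "^SELINUX=disabled" /etc/selinux/config
then
  echo "[Info ] Disable SELinux has already done. Skipped."
else
  mkdir -p "${BK_DIR}/etc/selinux"
  file_backup /etc/selinux/config "${BK_DIR}/etc/selinux/config"

  # Only the active setting line is rewritten; comments are left alone.
  sed -i -e "s/^SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config

  # The config file is read at boot; setenforce 0 puts the running system
  # into permissive mode until then.
  setenforce 0

  # Report success only if the file really carries the new value, e.g. a
  # SELINUX=permissive line is not touched by the substitution above.
  if grep -q "^SELINUX=disabled" /etc/selinux/config
  then
    echo "[Info ] Disable SELinux has done."
  else
    echo "[Error] /etc/selinux/config has no SELINUX=enforcing line; file left unchanged." >&2
  fi
fi

echo ""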


# --------------------------------------------------------------------
# Install perl

echo "################## Install perl ##################"

# rpm -q exits non-zero when the package is not in the RPM database;
# only then is the install (and the short pause after it) run.
rpm -q perl || {
  yum -y install perl

  sleep 1
}


# --------------------------------------------------------------------
# Install gcc

#echo "################## Install gcc ##################"
#
#rpm -q gcc
#if [ $? -ne 0 ]
#then
#  # gcc is not installed.
#  yum -y install gcc
#
#  sleep 1
#fi


# --------------------------------------------------------------------
# Install gdb

#echo "################## Install gdb ##################"
#
#rpm -q gdb
#if [ $? -ne 0 ]
#then
#  # gdb is not installed.
#  yum -y install gdb
#
#  sleep 1
#fi


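# --------------------------------------------------------------------
# Install & Setup Samba Server
#
# NOTE(security): the [shareall] section written below exports "/" with
# "writable = yes", and the only Samba account created is root. A client that
# authenticates as that account from a "hosts allow" network works on the
# whole filesystem with root's permissions. Point "path" at a dedicated
# directory and use an unprivileged account where the host is not disposable.

echo "################## Install & Setup Samba Server ##################"

# Decide from the RPM database, as the perl section does. Testing for the
# absence of "Loaded: not-found" in `systemctl status smb` output ran this
# setup when the text was missing, i.e. not when the unit was reported
# missing.
if ! rpm -q samba
then
  # samba is not installed.
  yum -y install samba

  sleep 1

  # Backup original smb.conf
  mkdir -p "${BK_DIR}/etc/samba"
  file_backup /etc/samba/smb.conf "${BK_DIR}/etc/samba/smb.conf"

  # Replace smb.conf with the settings below. One redirect for the whole
  # group truncates and writes the file in a single open.
  {
    echo "[global]"
    echo "encrypt passwords = yes"
    echo ""
    echo "dos charset = CP932"
    echo "unix charset = UTF-8"
    # echo "display charset = UTF-8"
    echo ""
    echo "workgroup = WORKGROUP"
    # Client address filter: loopback and 192.168.1.0/24 only.
    echo "hosts allow = 127. 192.168.1."
    echo "server string = Samba Server Version %v"
    echo ""
    echo "security = user"
    echo "passdb backend = tdbsam"
    echo ""
    echo "log file = /var/log/samba/log.%m"
    echo "max log size = 50"
    echo ""
    echo "[shareall]"
    echo "path = /"
    echo "writable = yes"
    echo "printable = no"
    # "public" is the smb.conf synonym for "guest ok".
    # NOTE(review): whether guests are actually admitted depends on
    # "map to guest", which is not set here - confirm for the Samba
    # version in use.
    echo "public = yes"
    echo "create mode = 755"
    echo "directory mode = 755"
    echo "socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384"
    echo ""
  } > /etc/samba/smb.conf

  # pdbedit prompts for the new Samba password of root on the terminal.
  echo "[Info ] Create Samba user."
  pdbedit -a -u root

  # Start samba service.
  systemctl start smb
  systemctl start nmb

  # Enable to boot samba service automatically.
  systemctl enable smb
  systemctl enable nmb

  # Open the samba service in the running and the permanent firewalld
  # configuration. These rules stop mattering once the "Disable firewalld"
  # section has stopped the service.
  firewall-cmd --add-service=samba
  firewall-cmd --add-service=samba --permanent

  echo "[Info] Install & Setup Samba Server has done."
else
  echo "[Info] Install & Setup Samba Server has already done. Skipped."
fi

echo ""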


# --------------------------------------------------------------------
# Disable firewalld
#
# NOTE(security): with firewalld off, inbound traffic is not filtered on this
# host unless another packet filter is configured, and the samba service rule
# added in the Samba section no longer applies.

echo "################## Disable firewalld ##################"

# grep prints the matching state and its exit status drives the branch.
if ! systemctl is-enabled firewalld | grep enabled
then
  echo "[Info] Disable firewalld has already done. Skipped."
else
  # The unit is enabled: stop the running service, then keep it from
  # starting at boot.
  systemctl stop firewalld
  systemctl disable firewalld

  echo "[Info] Disable firewalld has done."
fi

echo ""


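# --------------------------------------------------------------------
# Install wget

echo "################## Install wget ##################"

# Ask the RPM database for the exact package, as the perl section does.
# Grepping `yum list installed` for "wget" also matches any package whose
# name merely contains that string, which would skip the install.
if ! rpm -q wget
then
  yum -y install wget

  sleep 1
fi

echo ""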


# --------------------------------------------------------------------
# Disable SSH root Login

#echo "################## Disable SSH root Login ##################"

#cat /etc/ssh/sshd_config | grep -x "PermitRootLogin no"
#if [ $? -ne 0 ]
#then
#  mkdir -p ${BK_DIR}/etc/ssh
#  file_backup /etc/ssh/sshd_config ${BK_DIR}/etc/ssh/sshd_config
#
#  cat /etc/ssh/sshd_config | grep -x "#PermitRootLogin .*"
#  if [ $? -eq 0 ]
#  then
#    sed -i -e "s/#PermitRootLogin .*/PermitRootLogin no/g" /etc/ssh/sshd_config
#  fi
#
#  echo "[Info ] Disable SSH root Login has done. SSH service will be restarted..."
#
#  systemctl restart sshd
#else
#  echo "[Info ] Disable SSH root Login has already done. Skipped."
#fi

echo


# --------------------------------------------------------------------
# Set umask back
#
# Restores the mask saved in OLD_MASK at startup. umask is per-process, so
# this only affects the caller when the script is sourced.

umask ${OLD_MASK}


printf '\n%s\n' "[Info] All processes has done."