#!/usr/bin/ksh
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# bos610 src/bos/usr/lib/security/aixpert/scripts/comntrows.sh 1.4
#
# Licensed Materials - Property of IBM
#
# Restricted Materials of IBM
#
# COPYRIGHT International Business Machines Corp. 2006,2007
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
# @(#)84 1.4 src/bos/usr/lib/security/aixpert/scripts/comntrows.sh, aixpert, bos610 2/25/07 07:36:10
# COMPONENT_NAME : (AIXPERT) comntrows.sh
# FUNCTIONS : None
# ORIGINS : 27
#
# Command Line Arguments : The script takes 5 command line arguments.
# The first argument mentions the unique string
# or daemon or script in a line that has to be
# disabled/commented. The second argument mentions
# the file where the entry corresponding to the
# daemon/script/string (mentioned by the first
# argument) is present. The third argument should
# be the comment character in the file specified
# by the second argument.
# The fourth argument mentions whether the script
# or daemon has to be disabled/enabled. Value 'a'
# indicates that the daemon should be enabled and
# 'd' indicates that the daemon should be disabled.
# The fifth argument is optional and should be rulename.
#
# Syntax : comntrows {daemon|scriptname} filename
# commentchar {a|d} [rulename]
#
# OUTPUT : None
#
# Description : This script disables/enables the daemons/scripts
# by commenting/uncommenting the corresponding entries
# from the specified file. If the rulename is specified
# and if there are any changes done by the rule, then
# an undo rule with name Undo$5 <timestamp> will be
# generated. This script should be run with
# superuser privileges.
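# This script runs as root from AIXpert; search only the system directories.
export PATH=/usr/bin:/usr/sbin
# Initialize variables AIXPERT_FIFO, LOG, REPORT and UNDOXML
. /etc/security/aixpert/bin/initialize_variables
# Scratch file used while rewriting a target file.  Its name is predictable
# (fixed prefix + PID), so /etc/security/aixpert/tmp must stay writable by
# root only; in a shared directory another user could pre-create the file.
TMP=/etc/security/aixpert/tmp/comtrows
PID=$$
WORK="$TMP$PID"
# Log output and errors to /etc/security/aixpert/log/aixpert.log
exec 1>>"$LOG"
exec 2>&1

#######################################
# Write one check-mode finding to both the report file and the AIXpert FIFO.
# Arguments: $1 - message number in set 6 of aixpert.cat
#            $2 - default format string (used when the catalog is missing)
#            $3.. - arguments substituted into the message
# Globals:   REPORT, AIXPERT_FIFO (appended to)
#######################################
report_finding() {
    msgno=$1
    fmt=$2
    shift 2
    dspmsg -s 6 aixpert.cat "$msgno" "$fmt" "$@" >>"$REPORT"
    dspmsg -s 6 aixpert.cat "$msgno" "$fmt" "$@" >>"$AIXPERT_FIFO"
}

#######################################
# Replace a target file with the scratch file $WORK, but only when the
# command that produced $WORK succeeded.  On failure the scratch file is
# removed and the script exits, so a failed rewrite never leaves the target
# (for example /etc/inittab) empty or truncated.
# Arguments: $1 - exit status of the command that wrote $WORK
#            $2 - target file
# Globals:   WORK (read and removed)
#######################################
commit_rewrite() {
    if [ "$1" -ne 0 ]
    then
        echo "comntrows.sh: rewrite of $2 failed, $2 left unchanged"
        rm -f "$WORK"
        exit 1
    fi
    mv "$WORK" "$2"
}

#######################################
# Append an undo rule for this invocation to $UNDOXML, creating the
# <AIXPertUndo> container first when the file has none.  The undo rule
# re-runs comntrows with the pre-change status, so applying it restores the
# state found before this run.  The rule name and description come from the
# AIXPERT_NAME / AIXPERT_DESC environment; they are pasted into the XML and
# into an awk -v value unescaped, so they must not contain XML special
# characters or backslashes (set by AIXpert itself, not by end users).
# Arguments: $1 - daemon/script/string, $2 - file, $3 - comment char,
#            $4 - status before the change ('a' or 'd')
# Globals:   UNDOXML (rewritten), WORK (scratch), AIXPERT_NAME, AIXPERT_DESC
#######################################
append_undo_rule() {
    # Create the container when the file lacks one (or does not exist yet).
    grep "^<AIXPertUndo>" "$UNDOXML" >/dev/null 2>&1 ||
        echo "\n<AIXPertUndo>\n</AIXPertUndo>" >> "$UNDOXML"
    # Insert the rule just before the closing </AIXPertUndo> tag; every other
    # line is copied unchanged.  The group is hard-coded to /etc/inittab even
    # when $2 names another file, matching the original rule set.
    awk -v rulehalf1="\t<AIXPertEntry name=\"$AIXPERT_NAME\">\n\t\t<AIXPertRuleType type=\"Undo\"/>\n\t\t<AIXPertDescription>Undo action for \"$AIXPERT_DESC\"</AIXPertDescription>\n\t\t<AIXPertPrereqList/>\n" \
        -v rulehalf2="\t\t<AIXPertCommand>/etc/security/aixpert/bin/comntrows</AIXPertCommand>\n\t\t<AIXPertArgs>$1 $2 $3 $4</AIXPertArgs>\n\t\t<AIXPertGroup>Rules for /etc/inittab</AIXPertGroup>\n\t</AIXPertEntry>" '
        {
            if (match($0, "^[\t ]*</AIXPertUndo>") == 0)
                print $0
            else
                print rulehalf1 rulehalf2 "\n" $0
        }' "$UNDOXML" >"$WORK"
    commit_rewrite $? "$UNDOXML"
}

# Syntax : comntrows {daemon|scriptname} filename commentchar {a|d} [rulename]
if [ $# -lt 4 ] || [ $# -gt 5 ] || { [ "$4" != "a" ] && [ "$4" != "d" ]; }
then
    dspmsg -s 6 aixpert.cat 1 "Usage :comntrows daemon|scriptname filename commentchar {a|d} [rulename]\n"
    exit 1
fi

# Echo all the commands and the current time and date to the AIXpert log
set -x
date
echo "$0"

# Check whether the file specified by argument 2 is a regular file or not.
if [ -f "$2" ]
then
    # Determine whether the entry for the daemon/script exists and whether it
    # is commented out.  'a': an uncommented entry was found, 'd': a commented
    # entry was found, 'n': no entry at all.  Every matching line overwrites
    # the result, so when both forms exist the last matching line wins.
    status=$(awk -v dmn="$1" -v cmt="$3" -v exist="n" '
    BEGIN {
        format=sprintf("(^[\t ]*%s)|(^[\t ]*[^%s]+%s)",dmn,cmt,dmn);
        comformat=sprintf("^[\t ]*%s.*%s",cmt,dmn);
    }
    {
        if(match($0,format))
        {
            exist="a";
        }
        else if(match($0,comformat))
        {
            exist="d"
        }
    }
    END {
        printf("%s",exist)
    }' "$2")

    # AIXPERT_CHECK_REPORT=1 selects check-only mode: deviations are reported
    # to $REPORT and the FIFO and nothing on the system is modified.
    report="${AIXPERT_CHECK_REPORT}"

    if [ "$status" != "n" ] && [ "$4" != "$status" ]
    then
        # The entry exists but is not in the requested state.
        if [ "$report" = "1" ]
        then
            if [ "$status" = "a" ]
            then
                curstat="enabled"
                desstat="disabled"
            else
                curstat="disabled"
                desstat="enabled"
            fi
            report_finding 2 "comntrows.sh:Daemon/Script/String:%s in file %s should have status %s,however it is %s now\n" "$1" "$2" "$desstat" "$curstat"
            exit 1
        fi
        # Rewrite $2 into the scratch file: 'd' prefixes every matching
        # (uncommented) line with the comment char, 'a' removes the first
        # occurrence of the comment char from every matching commented line.
        # The scratch file is truncated first so a stale file left by an
        # earlier run with the same PID cannot be appended to.
        if [ "$4" = "d" ]
        then
            awk -v dmn="$1" -v cmt="$3" '
            BEGIN {
                format=sprintf("(^[\t ]*%s)|(^[\t ]*[^%s]+%s)",dmn,cmt,dmn);
            }
            {
                if(match($0,format))
                {
                    print cmt $0
                }
                else
                    print $0
            }' "$2" >"$WORK"
        else
            awk -v dmn="$1" -v cmt="$3" '
            BEGIN {
                format=sprintf("(^[\t ]*%s.*%s)",cmt,dmn);
            }
            {
                if(match($0,format))
                {
                    # replace the first occurrence of comment in the record
                    sub(cmt,"",$0)
                }
                print $0
            }' "$2" >"$WORK"
        fi
        # $? after fi is the status of the awk that ran in the chosen branch.
        commit_rewrite $? "$2"
    elif [ "$status" = "n" ]
    then
        if [ "$report" = "1" ]
        then
            if [ "$4" = "a" ]
            then
                desstat="enabled"
            else
                desstat="disabled"
            fi
            report_finding 6 "comntrows.sh:Daemon/Script/String:%s should have status %s,however its entry is not found in file %s\n" "$1" "$desstat" "$2"
            exit 1
        else
            # Entry not found in $2; the message goes to the log.
            dspmsg -s 6 aixpert.cat 7 "comntrows.sh:Daemon/Script/String:%s's entry not found in file %s\n" "$1" "$2"
            exit 1
        fi
    fi

    # Argument 1 may be an inittab identifier such as "qdaemon:"; the part
    # before the first ':' is tried as an SRC subsystem name.  lssrc fails
    # for a name that is not a subsystem, in which case nothing is done.
    daemon=${1%%:*}
    if [ "$4" = "d" ]
    then
        # Stop the subsystem if it is currently active.  "-w" is required:
        # a plain "grep active" also matches the word "inoperative".
        if lssrc -s "$daemon" && lssrc -s "$daemon" | grep -w active
        then
            # Dynamic Security Check
            if [ "$report" = "1" ]
            then
                report_finding 3 "comntrows.sh: Daemon:%s is still active, however is should be in inoperative state\n" "$1"
                exit 1
            fi
            stopsrc -s "$daemon"
        fi
    elif [ "$4" = "a" ]
    then
        # Start the subsystem if it is currently inoperative.
        if lssrc -s "$daemon" && lssrc -s "$daemon" | grep inoperative
        then
            # Dynamic Security Check
            if [ "$report" = "1" ]
            then
                report_finding 4 "comntrows.sh: Daemon:%s is in inoperative state, however it should be active\n" "$1"
                exit 1
            fi
            startsrc -s "$daemon"
        fi
    fi

    # Check-only mode ends here: nothing was changed, so there is nothing to undo.
    if [ "$report" = "1" ]
    then
        exit 0 # Everything is fine
    fi
    # A fifth argument (rulename) requests an undo rule.  The rule carries the
    # status found before the change so that applying it reverses this run.
    if [ $# -eq 5 ]
    then
        append_undo_rule "$1" "$2" "$3" "$status"
    fi
else
    dspmsg -s 6 aixpert.cat 5 "comntrows.sh: The file %s doesn't exist\n" "$2"
fi
exit 0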
这段代码是AIX5.3以后的新功能AIX Security Expert中的实现方式,但是有点看不懂,也是通过awk来实现的,有没有人能解读一下其中最核心的部分啊?
这个脚本名字是comntrows,可以直接被调用,调用方式为 ./comntrows qdaemon: /etc/inittab : d 。如果将d改为a,就可以将注释的冒号从inittab中去掉。d表示注释掉该行,a表示恢复该行。