linux系统安全加固-升级glibc/bash



一、升级glibc
1、升级前查看是否有漏洞
[root@egwg-54-129 service]# ./test.sh 
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.12 revision 107
This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Update the glibc and ncsd packages on your system using the packages released with the following:
yum install glibc
2、登录https://access.redhat.com/security/cve/CVE-2015-0235,查看需升级的版本号


3、下载加固包(下面的镜像地址是 http 明文下载,安装前建议先用 rpm -K <包文件> 校验软件包签名)
http://mirrors.aliyun.com/centos/6/os/x86_64/Packages/  (redhat6)


执行:
rpm -Uvh glibc-2.12-1.149.el6.i686.rpm glibc-2.12-1.149.el6.x86_64.rpm glibc-common-2.12-1.149.el6.x86_64.rpm  glibc-devel-2.12-1.149.el6.x86_64.rpm glibc-headers-2.12-1.149.el6.x86_64.rpm glibc-utils-2.12-1.149.el6.x86_64.rpm  nscd-2.12-1.149.el6.x86_64.rpm


4、升级后再次运行检测脚本。注意:脚本只检查已安装的 rpm 包版本,升级前已启动的进程仍在使用旧版 glibc,需要重启相关服务或重启系统后修复才真正生效:
[root@egwg-54-128 glibc]# ./test.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.12 revision 149
Not Vulnerable.  


漏洞检测脚本:
将脚本拷贝到test.sh文件中
#!/bin/bash
vercomp () {
  # Compare two dot-separated numeric version strings field by field.
  # Arguments: $1, $2 - versions such as "2.17" or "148"
  # Returns:   0 if both are equal, 1 if $1 is greater, 2 if $1 is smaller
  [[ $1 == $2 ]] && return 0

  # Split on "." only; the unquoted expansions below rely on this IFS.
  local IFS=.
  local idx left=($1) right=($2)

  # Pad the left version with zero fields until it is as long as the right.
  idx=${#left[@]}
  while (( idx < ${#right[@]} )); do
    left[idx]=0
    idx=$(( idx + 1 ))
  done

  idx=0
  while (( idx < ${#left[@]} )); do
    # A missing field on the right counts as zero.
    [[ -z ${right[idx]} ]] && right[idx]=0
    # 10# forces base 10 so a leading zero is not read as octal.
    if (( 10#${left[idx]} > 10#${right[idx]} )); then
      return 1
    elif (( 10#${left[idx]} < 10#${right[idx]} )); then
      return 2
    fi
    idx=$(( idx + 1 ))
  done
  return 0
}




# Highest glibc builds the script treats as vulnerable, one pair per
# version line (version / package revision).
glibc_vulnerable_version=2.17
glibc_vulnerable_revision=54
glibc_vulnerable_version2=2.5
glibc_vulnerable_revision2=122
glibc_vulnerable_version3=2.12
glibc_vulnerable_revision3=148

# Print the thresholds; the 2.12 line is shown with its "1." release prefix.
printf 'Vulnerable glibc version <= %s-%s\n' \
  "$glibc_vulnerable_version" "$glibc_vulnerable_revision"
printf 'Vulnerable glibc version <= %s-%s\n' \
  "$glibc_vulnerable_version2" "$glibc_vulnerable_revision2"
printf 'Vulnerable glibc version <= %s-1.%s\n' \
  "$glibc_vulnerable_version3" "$glibc_vulnerable_revision3"




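# Query rpm once and parse both values from the same output. A package name
# such as glibc-2.12-1.149.el6.x86_64 splits on "-" and "." into:
#   glibc 2 12 1 149 el6 x86_64
# Exit status 3 means "could not decide"; without these checks a failed or
# ambiguous query would fall through to a vulnerable / not-vulnerable verdict.
glibc_packages=$(rpm -q glibc) || {
  echo "Cannot query the glibc package with rpm; unable to assess this system." >&2
  exit 3
}
glibc_version=$(printf '%s\n' "$glibc_packages" | awk -F"[-.]" '{print $2"."$3}' | sort -u)

# Accept exactly one MAJOR.MINOR value. Several installed builds at different
# versions produce several lines here and must not be compared as one value.
if [[ ! $glibc_version =~ ^[0-9]+\.[0-9]+$ ]]
then
  echo "Could not determine a single glibc version from rpm output:" >&2
  printf '%s\n' "$glibc_packages" >&2
  exit 3
fi

# 2.12 packages carry a "1." release prefix (2.12-1.149), so their revision
# sits one field further right than on the other version lines.
if [[ $glibc_version == "$glibc_vulnerable_version3" ]]
then
  glibc_revision=$(printf '%s\n' "$glibc_packages" | awk -F"[-.]" '{print $5}' | sort -u)
else
  glibc_revision=$(printf '%s\n' "$glibc_packages" | awk -F"[-.]" '{print $4}' | sort -u)
fi

# An empty or multi-line revision means the installed packages disagree
# (for example only one architecture was upgraded); report it, do not guess.
if [[ -z $glibc_revision || $glibc_revision == *$'\n'* ]]
then
  echo "Installed glibc packages do not share one revision; check each package:" >&2
  printf '%s\n' "$glibc_packages" >&2
  exit 3
fi
echo "Detected glibc version $glibc_version revision $glibc_revision"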




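# Message shown when the installed glibc is at or below a vulnerable build.
# Plain double quotes are used: the $"..." form asks bash for a locale
# translation of the string, which this script does not provide.
# The package name is nscd (the original text misspelled it as "ncsd").
vulnerable_text="This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Update the glibc and nscd packages on your system using the packages released with the following:
yum install glibc"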




# Choose the threshold that belongs to the detected version line and compare
# it with the installed revision. The threshold is passed as $1, so vercomp
# returns 2 only when the installed build is higher than the threshold.
# The status left in $? is read by the case statement that follows.
case "$glibc_version" in
  "$glibc_vulnerable_version")
    vercomp $glibc_vulnerable_revision $glibc_revision
    ;;
  "$glibc_vulnerable_version2")
    vercomp $glibc_vulnerable_revision2 $glibc_revision
    ;;
  "$glibc_vulnerable_version3")
    vercomp $glibc_vulnerable_revision3 $glibc_revision
    ;;
  *)
    # Any other version line is compared as a whole against the first threshold version.
    vercomp $glibc_vulnerable_version $glibc_version
    ;;
esac




# Turn the comparison status still held in $? into the verdict:
#   0 (installed equals the threshold) or 1 (threshold is greater) -> vulnerable
#   2 (installed build is higher than the threshold)               -> not vulnerable
case $? in
  0|1) echo "$vulnerable_text" ;;
  2)   echo "Not Vulnerable." ;;
esac




二、升级bash
1、检查是否有漏洞:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
有漏洞:
[root@localhost ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
2、下载加固包
http://mirrors.aliyun.com/centos/6/os/x86_64/Packages/ 
下载bash-4.1.2-29.el6.x86_64(根据实际版本来升级)


3、查询当前版本
rpm -qa | grep bash
4、卸载老版本(注意:先卸载 bash 会使系统在新包装好之前没有可用的 /bin/bash,更稳妥的做法是直接用 rpm -Uvh 原地升级)
rpm -e bash-4.1.2-14.el6.x86_64
5、升级安装(--force、--nodeps 会跳过冲突和依赖检查,仅在确认软件包来源和版本无误时使用;安装完成后重新执行第1步的检测命令,输出中不应再出现 vulnerable)
rpm -ivh --force bash-4.1.2-29.el6.x86_64.rpm  --force --nodeps 