linux系统安全加固-升级glibc/bash
2015-03-17 15:35
561 查看
一、升级glibc
1、升级前查看是否有漏洞
[root@egwg-54-129 service]# ./test.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.12 revision 107
This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Update the glibc and ncsd packages on your system using the packages released with the following:
yum install glibc
2、登录https://access.redhat.com/security/cve/CVE-2015-0235,查看需升级的版本号
3、下载加固包
http://mirrors.aliyun.com/centos/6/os/x86_64/Packages/ (redhat6)
执行:
rpm -Uvh glibc-2.12-1.149.el6.i686.rpm glibc-2.12-1.149.el6.x86_64.rpm glibc-common-2.12-1.149.el6.x86_64.rpm glibc-devel-2.12-1.149.el6.x86_64.rpm glibc-headers-2.12-1.149.el6.x86_64.rpm glibc-utils-2.12-1.149.el6.x86_64.rpm nscd-2.12-1.149.el6.x86_64.rpm
4、升级后:[root@egwg-54-128 glibc]# ./test.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.12 revision 149
Not Vulnerable.
漏洞检测脚本:
将脚本拷贝到test.sh文件中
#!/bin/bash
vercomp () {
if [[ $1 == $2 ]]
then
return 0
fi
local IFS=.
local i ver1=($1) ver2=($2)
# fill empty fields in ver1 with zeros
for ((i=${#ver1[@]}; i<${#ver2[@]}; i++))
do
ver1[i]=0
done
for ((i=0; i<${#ver1[@]}; i++))
do
if [[ -z ${ver2[i]} ]]
then
# fill empty fields in ver2 with zeros
ver2[i]=0
fi
if ((10#${ver1[i]} > 10#${ver2[i]}))
then
return 1
fi
if ((10#${ver1[i]} < 10#${ver2[i]}))
then
return 2
fi
done
return 0
}
glibc_vulnerable_version=2.17
glibc_vulnerable_revision=54
glibc_vulnerable_version2=2.5
glibc_vulnerable_revision2=122
glibc_vulnerable_version3=2.12
glibc_vulnerable_revision3=148
echo "Vulnerable glibc version <=" $glibc_vulnerable_version"-"$glibc_vulnerable_revision
echo "Vulnerable glibc version <=" $glibc_vulnerable_version2"-"$glibc_vulnerable_revision2
echo "Vulnerable glibc version <=" $glibc_vulnerable_version3"-1."$glibc_vulnerable_revision3
glibc_version=$(rpm -q glibc | awk -F"[-.]" '{print $2"."$3}' | sort -u)
if [[ $glibc_version == $glibc_vulnerable_version3 ]]
then
glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $5}' | sort -u)
else
glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $4}' | sort -u)
fi
echo "Detected glibc version" $glibc_version" revision "$glibc_revision
vulnerable_text=$"This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Update the glibc and ncsd packages on your system using the packages released with the following:
yum install glibc"
if [[ $glibc_version == $glibc_vulnerable_version ]]
then
vercomp $glibc_vulnerable_revision $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version2 ]]
then
vercomp $glibc_vulnerable_revision2 $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version3 ]]
then
vercomp $glibc_vulnerable_revision3 $glibc_revision
else
vercomp $glibc_vulnerable_version $glibc_version
fi
case $? in
0) echo "$vulnerable_text";;
1) echo "$vulnerable_text";;
2) echo "Not Vulnerable.";;
esac
二、升级bash
1、检查是否有漏洞:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
有漏洞:
[root@localhost ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
2、下载加固包
http://mirrors.aliyun.com/centos/6/os/x86_64/Packages/
下载bash-4.1.2-29.el6.x86_64(根据实际版本来升级)
3、查询当前版本
rpm -qa | grep bash
4、下载老版本
rpm -e bash-4.1.2-14.el6.x86_64
5、升级安装
rpm -ivh --force bash-4.1.2-29.el6.x86_64.rpm --force --nodeps
1、升级前查看是否有漏洞
[root@egwg-54-129 service]# ./test.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.12 revision 107
This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Update the glibc and ncsd packages on your system using the packages released with the following:
yum install glibc
2、登录https://access.redhat.com/security/cve/CVE-2015-0235,查看需升级的版本号
3、下载加固包
http://mirrors.aliyun.com/centos/6/os/x86_64/Packages/ (redhat6)
执行:
rpm -Uvh glibc-2.12-1.149.el6.i686.rpm glibc-2.12-1.149.el6.x86_64.rpm glibc-common-2.12-1.149.el6.x86_64.rpm glibc-devel-2.12-1.149.el6.x86_64.rpm glibc-headers-2.12-1.149.el6.x86_64.rpm glibc-utils-2.12-1.149.el6.x86_64.rpm nscd-2.12-1.149.el6.x86_64.rpm
4、升级后:[root@egwg-54-128 glibc]# ./test.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.12 revision 149
Not Vulnerable.
漏洞检测脚本:
将脚本拷贝到test.sh文件中
#!/bin/bash
vercomp () {
if [[ $1 == $2 ]]
then
return 0
fi
local IFS=.
local i ver1=($1) ver2=($2)
# fill empty fields in ver1 with zeros
for ((i=${#ver1[@]}; i<${#ver2[@]}; i++))
do
ver1[i]=0
done
for ((i=0; i<${#ver1[@]}; i++))
do
if [[ -z ${ver2[i]} ]]
then
# fill empty fields in ver2 with zeros
ver2[i]=0
fi
if ((10#${ver1[i]} > 10#${ver2[i]}))
then
return 1
fi
if ((10#${ver1[i]} < 10#${ver2[i]}))
then
return 2
fi
done
return 0
}
glibc_vulnerable_version=2.17
glibc_vulnerable_revision=54
glibc_vulnerable_version2=2.5
glibc_vulnerable_revision2=122
glibc_vulnerable_version3=2.12
glibc_vulnerable_revision3=148
echo "Vulnerable glibc version <=" $glibc_vulnerable_version"-"$glibc_vulnerable_revision
echo "Vulnerable glibc version <=" $glibc_vulnerable_version2"-"$glibc_vulnerable_revision2
echo "Vulnerable glibc version <=" $glibc_vulnerable_version3"-1."$glibc_vulnerable_revision3
glibc_version=$(rpm -q glibc | awk -F"[-.]" '{print $2"."$3}' | sort -u)
if [[ $glibc_version == $glibc_vulnerable_version3 ]]
then
glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $5}' | sort -u)
else
glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $4}' | sort -u)
fi
echo "Detected glibc version" $glibc_version" revision "$glibc_revision
vulnerable_text=$"This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Update the glibc and ncsd packages on your system using the packages released with the following:
yum install glibc"
if [[ $glibc_version == $glibc_vulnerable_version ]]
then
vercomp $glibc_vulnerable_revision $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version2 ]]
then
vercomp $glibc_vulnerable_revision2 $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version3 ]]
then
vercomp $glibc_vulnerable_revision3 $glibc_revision
else
vercomp $glibc_vulnerable_version $glibc_version
fi
case $? in
0) echo "$vulnerable_text";;
1) echo "$vulnerable_text";;
2) echo "Not Vulnerable.";;
esac
二、升级bash
1、检查是否有漏洞:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
有漏洞:
[root@localhost ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
2、下载加固包
http://mirrors.aliyun.com/centos/6/os/x86_64/Packages/
下载bash-4.1.2-29.el6.x86_64(根据实际版本来升级)
3、查询当前版本
rpm -qa | grep bash
4、下载老版本
rpm -e bash-4.1.2-14.el6.x86_64
5、升级安装
rpm -ivh --force bash-4.1.2-29.el6.x86_64.rpm --force --nodeps
相关文章推荐
- Linux系统安全加固(一)
- 为linux系统引导和登录提供安全加固
- Linux系统安全加固常规优化
- linux系统安全加固脚本
- Linux系统安全加固策略(二)
- Linux 系统深度安全加固
- 通过Linux系统伪装方法加固服务器安全
- Linux升级Glibc时系统奔溃是什么原因如何解决
- 【安全运维】 linux 系统账户,网络,简易安全加固方案(第一部分),经测试可行
- 影响 Linux 系统安全基石的 glibc 严重漏洞
- 利用sudo加固Linux系统安全
- Linux系统安全加固(一)
- Linux系统安全加固(一)
- 【安全运维】linux系统加固(第二部分),经测试可行
- 深入分析Linux系统深度安全加固
- linux系统安全加固
- 加固Linux系统----更新和添加安全补丁
- linux系统安全加固脚本
- linux系统安全加固
- Linux系统安全加固策略(一)