运维脚本——9.配置漂移检测

F——

于 2025-02-22 19:17:13 发布

阅读量304

点赞数 8

分类专栏：运维文章标签：运维安全学习 web安全

本文链接：https://blog.youkuaiyun.com/weixin_66370632/article/details/145799351

版权

运维专栏收录该内容

16 篇文章

订阅专栏

场景：检测服务器配置与基准配置的差异，防止未经授权的修改。
示例：使用Ansible Playbook对比当前配置与标准模板。

- hosts: all
  tasks:
    - name: Check SSH configuration against baseline
      ansible.builtin.diff:
        path: /etc/ssh/sshd_config
        original_baseline: true
      register: ssh_diff

    - name: Alert if SSH config has drifted
      ansible.builtin.mail:
        to: 'ops-team@example.com'
        subject: '配置漂移告警 - SSH'
        body: 'SSH配置与基准不一致！差异：\n{{ ssh_diff.diff }}'
      when: ssh_diff.diff is defined

Shell脚本实现：

#!/bin/bash
# 对比当前配置与基准文件的差异
BASELINE="/opt/baseline/sshd_config.baseline"
CURRENT="/etc/ssh/sshd_config"

if diff $BASELINE $CURRENT > /dev/null; then
    echo "配置无差异"
else
    echo "配置存在差异！" | mail -s "SSH配置漂移告警" ops-team@example.com
    diff $BASELINE $CURRENT >> /var/log/config_drift.log
fi