Devops Tools

Windows Steps Gp & Linux Scripting

Goutam Kumar's photo
Goutam Kumar
·

11 min read

WRITE A SHELL SCRIPT FOR specific user accounts have no rights to install or uninstall any software or delete any settings

To restrict specific user accounts from installing or uninstalling software or deleting settings on a Windows system, you can utilize Group Policy settings. Here's a step-by-step guide to achieve this:

  1. Open Local Group Policy Editor:

    • Press Win + R, type gpedit.msc, and press Enter.

  2. Navigate to the AppLocker Policy:

    • In the Local Group Policy Editor, navigate to Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker.

  3. Create Default Rules:

    • Right-click on AppLocker, and select Properties.

    • Make sure the Configured option is selected under Executable Rules, Windows Installer Rules, and Script Rules.

    • Click OK.

  4. Create Executable Rules:

    • Right-click on Executable Rules, select Create Default Rules.

    • This will create default rules that allow members of the Administrators group to run all applications, while restricting standard users.

  5. Create Windows Installer Rules:

    • Right-click on Windows Installer Rules, select Create Default Rules.

    • This will create default rules that allow members of the Administrators group to install applications via Windows Installer, while restricting standard users.

  6. Create Script Rules:

    • Right-click on Script Rules, select Create New Rule.

    • Select Deny for the Action.

    • Choose the appropriate conditions to apply the rule (e.g., specific users or groups).

    • Specify the path or the hash of the scripts you want to restrict.

    • Click Create.

  7. Enforce Group Policy:

    • Open Command Prompt as Administrator.

    • Run the command: gpupdate /force.

    • This will force an update of Group Policy settings.

After completing these steps, the specified user accounts will be restricted from installing or uninstalling software, as well as from deleting settings via scripts. Ensure that you thoroughly test these restrictions before applying them in a production environment, as they may impact system functionality. Additionally, keep in mind that Group Policy settings may vary depending on your Windows version and edition.

LINUX ENVIORNMENT

In a Linux environment, restricting user accounts from installing or uninstalling software or deleting settings typically involves managing permissions and access controls. Below is a basic shell script that demonstrates how you might restrict specific user accounts from performing these actions:

bashCopy code#!/bin/bash

# This script restricts specific user accounts from installing or uninstalling software
# and deleting settings in a Linux environment.

# List of restricted user accounts
restricted_users=("user1" "user2")

# Loop through each restricted user
for user in "${restricted_users[@]}"; do
    echo "Restricting user '$user' from installing or uninstalling software..."
    # Remove the user from sudo group
    sudo deluser "$user" sudo

    # Deny write access to apt package cache
    sudo chown root:root /var/cache/apt/archives
    sudo chmod 755 /var/cache/apt/archives
    sudo chmod g-s /var/cache/apt/archives

    # Deny write access to dpkg lock files
    sudo chown root:root /var/lib/dpkg/lock-frontend
    sudo chmod 644 /var/lib/dpkg/lock-frontend
    sudo chmod g-s /var/lib/dpkg/lock-frontend
done

echo "User restrictions applied."

This script performs the following actions:

  1. Removes specified user accounts from the sudo group, which grants administrative privileges.

  2. Denies write access to the APT package cache directory (/var/cache/apt/archives), preventing users from installing or uninstalling software using apt.

  3. Denies write access to the dpkg lock files, which are necessary for installing or uninstalling packages.

Before running this script, make sure to replace "user1" "user2" with the usernames of the accounts you want to restrict.

Please note that this script assumes the use of sudo for administrative tasks. Adjustments may be necessary depending on your specific system configuration and package management tools. Additionally, running this script requires administrative privileges (sudo).

The system keeps all the event records of the specific user accounts

To keep track of event records for specific user accounts on a Windows system, you can utilize the built-in auditing features. Here's how you can configure auditing for specific user accounts:

  1. Enable Auditing:

    • Press Win + R, type secpol.msc, and press Enter to open the Local Security Policy editor.

    • Navigate to Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff.

    • Double-click on "Audit Logoff" and select Success and Failure options if you want to audit successful and failed logoff attempts.

    • Similarly, configure auditing for "Audit Logon" if you want to monitor logon attempts.

  2. Configure Audit Settings:

    • After selecting the appropriate audit policies, close the Local Security Policy editor.

  3. Apply Auditing to Specific User Accounts:

    • Right-click on the file, folder, or registry key you want to audit.

    • Select Properties -> Security -> Advanced -> Auditing.

    • Click on Add.

    • Type the name of the user account you want to audit, and then click Check Names to verify.

    • Click OK.

    • Select the type of access you want to audit (e.g., Read, Write, Delete).

    • Click OK to apply the audit settings.

  4. Viewing Audit Logs:

    • To view audit logs, you can use the Event Viewer (eventvwr.msc).

    • Navigate to Windows Logs -> Security.

    • Look for events with event IDs related to logon/logoff activities.

Please note that enabling auditing can generate a significant number of events, which may impact system performance and consume disk space. Therefore, it's essential to configure auditing selectively and regularly monitor the audit logs for any suspicious activities. Additionally, you may need administrative privileges to configure auditing settings.

LINUX

To capture event records for specific user accounts on a Linux system, you can utilize the system's logging facilities. Here's a basic shell script that continuously monitors log files for events related to specific user accounts:

bashCopy code#!/bin/bash

# Specify the user accounts you want to monitor
user_accounts=("user1" "user2")

# Specify the log file to monitor (e.g., /var/log/auth.log for authentication events)
log_file="/var/log/auth.log"

# Function to monitor log file for events related to specified user accounts
monitor_logs() {
    echo "Monitoring log file $log_file for events related to specified user accounts..."

    # Continuously monitor the log file
    tail -n0 -F "$log_file" | while read line; do
        # Check if the line contains events related to any of the specified user accounts
        for user in "${user_accounts[@]}"; do
            if echo "$line" | grep -q "$user"; then
                echo "$(date +"%Y-%m-%d %H:%M:%S") - Event related to user '$user' detected:"
                echo "$line"
            fi
        done
    done
}

# Call the monitor_logs function
monitor_logs

This script continuously monitors the specified log file (/var/log/auth.log in this example) for events related to specific user accounts. When an event related to any of the specified user accounts is detected, it prints the timestamp and the event to the console.

Before running this script, make sure to:

  1. Replace "user1" "user2" with the usernames of the accounts you want to monitor.

  2. Adjust the log_file variable to specify the path of the log file you want to monitor. You may need to choose a different log file depending on the types of events you're interested in (e.g., /var/log/auth.log for authentication events, /var/log/syslog for system logs, etc.).

To run the script, save it to a file (e.g., monitor_logs.sh), grant execute permission (chmod +x monitor_logs.sh), and then execute it (./monitor_logs.sh). Keep in mind that running this script requires sufficient permissions to access the log files. Additionally, you may need to run the script with root privileges to access certain log files.

UNCHANGABLE WALLPAPER

If you want to intentionally make the wallpaper unchangeable in Windows, you can do so by applying certain settings or restrictions. Here are some methods you can use:

  1. Group Policy Editor:

    • Press Win + R, type gpedit.msc, and press Enter.

    • Navigate to User Configuration -> Administrative Templates -> Control Panel -> Personalization.

    • Double-click on "Prevent changing desktop background".

    • Select "Enabled" to prevent users from changing the wallpaper.

    • Click Apply and then OK.

  2. Registry Editor:

    • Press Win + R, type regedit, and press Enter.

    • Navigate to the following registry key:

        sqlCopy codeHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    • If the System key doesn't exist, right-click on Policies, select New -> Key, and name it System.

    • Right-click on the right pane, select New -> DWORD (32-bit) Value, and name it NoChangingWallPaper.

    • Double-click on NoChangingWallPaper and set its value to 1.

After applying these settings, users will not be able to change the wallpaper on the Windows system unless these restrictions are removed. Please note that modifying Group Policy or the registry should be done with caution, as incorrect changes can cause system instability or other issues. Always backup your system or registry before making changes.

LINUX

To make the wallpaper unchangeable in Linux, you need to set the appropriate permissions on the wallpaper file and the wallpaper directory. Here's a shell script that demonstrates how to achieve this:

bashCopy code#!/bin/bash

# Specify the path to the wallpaper file
wallpaper_file="/path/to/your/wallpaper.jpg"

# Specify the path to the directory containing the wallpaper file
wallpaper_directory=$(dirname "$wallpaper_file")

# Set read-only permissions for the wallpaper file
chmod 444 "$wallpaper_file"

# Set read-only and execute permissions for the wallpaper directory
chmod 555 "$wallpaper_directory"

echo "Wallpaper is now unchangeable."

Save this script to a file, for example, make_wallpaper_unchangeable.sh, and grant execute permission to the script using the command chmod +x make_wallpaper_unchangeable.sh.

Replace /path/to/your/wallpaper.jpg with the actual path to your wallpaper file.

To execute the script, open a terminal, navigate to the directory where you saved the script, and run it using ./make_wallpaper_unchangeable.sh.

This script sets the wallpaper file to read-only mode (444), which prevents any modifications to the file. Additionally, it sets the wallpaper directory to read-only and execute mode (555), which prevents any modifications to the directory and prevents files from being added or removed from the directory. Therefore, users will not be able to change the wallpaper until these permissions are modified.

To automatically lock the system after a period of inactivity in Windows

To automatically lock the system after a period of inactivity in Windows, you can use a combination of Power Options and Screensaver settings. Here's how you can do it:

  1. Configure Screen Saver:

    • Right-click on the desktop and select Personalize.

    • In the Personalization window, click on Lock screen settings.

    • Scroll down and click on Screen saver settings.

    • In the Screen Saver Settings window, select a screen saver (for example, Blank) from the dropdown menu.

    • Check the box labeled On resume, display logon screen.

    • Set the Wait time to 15 minutes or your preferred duration.

    • Click Apply and then OK.

  2. Set Power Options:

    • Press Win + X and select Power Options.

    • Click on Change plan settings next to your selected power plan.

    • Click on Change advanced power settings.

    • In the Power Options window, scroll down and find Display.

    • Expand Display and then Console lock display off timeout.

    • Set the timeout value to 15 minutes.

    • Click Apply and then OK.

With these settings configured, the system will automatically lock itself after 15 minutes of inactivity. The screen saver will start after the specified idle time, and when you move the mouse or press any key, you'll be prompted to enter your password to unlock the system.

LINUX

To automatically lock the system after a period of inactivity using a shell script on a Linux system, you can utilize the xautolock utility along with xdg-screensaver. Here's a shell script that achieves this:

bashCopy code#!/bin/bash

# Set the time after which the system will be locked (in seconds)
lock_timeout=$((15*60))

# Start xautolock to trigger the lock after the specified idle time
xautolock -time $lock_timeout -locker "xdg-screensaver lock" &

Save this script to a file, for example, auto_lock_system.sh, and grant execute permission to the script using the command chmod +x auto_lock_system.sh.

To execute the script, open a terminal, navigate to the directory where you saved the script, and run it using ./auto_lock_system.sh.

This script uses xautolock to trigger the lock after the specified idle time (lock_timeout). When the system is idle for the specified duration, xdg-screensaver lock is executed to lock the screen. Adjust the lock_timeout variable to set the desired idle time before the system locks.

WRITE A SHELL SCRIPT TO RESET THE PASSWORD OF SUDO USER

Resetting the password of a sudo user in Linux typically involves using the passwd command. Here's a shell script that resets the password of a sudo user:

bashCopy code#!/bin/bash

# Check if the script is run as root
if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# Check if a username is provided as an argument
if [ $# -ne 1 ]; then
    echo "Usage: $0 <username>"
    exit 1
fi

username=$1

# Check if the user exists
if ! id "$username" &>/dev/null; then
    echo "User '$username' does not exist"
    exit 1
fi

# Reset the password for the user
echo "Enter new password for user '$username':"
passwd "$username"

echo "Password for user '$username' has been reset successfully"

Save this script to a file, for example, reset_sudo_user_password.sh, and grant execute permission to the script using the command chmod +x reset_sudo_user_password.sh.

To execute the script:

  1. Open a terminal.

  2. Navigate to the directory where you saved the script.

  3. Run the script with the username of the sudo user as an argument. For example:

     bashCopy code./reset_sudo_user_password.sh username

    Replace username with the actual username of the sudo user.

This script checks if it's run as root, verifies that a username is provided as an argument, checks if the user exists, prompts you to enter a new password for the user, and then resets the password using the passwd command.