Windows Steps Gp & Linux Scripting
WRITE A SHELL SCRIPT FOR specific user accounts have no rights to install or uninstall any software or delete any settings
To restrict specific user accounts from installing or uninstalling software or deleting settings on a Windows system, you can utilize Group Policy settings. Here's a step-by-step guide to achieve this:
Open Local Group Policy Editor:
- Press
Win + R
, typegpedit.msc
, and press Enter.
- Press
Navigate to the AppLocker Policy:
- In the Local Group Policy Editor, navigate to
Computer Configuration
->Windows Settings
->Security Settings
->Application Control Policies
->AppLocker
.
- In the Local Group Policy Editor, navigate to
Create Default Rules:
Right-click on
AppLocker
, and selectProperties
.Make sure the
Configured
option is selected underExecutable Rules
,Windows Installer Rules
, andScript Rules
.Click
OK
.
Create Executable Rules:
Right-click on
Executable Rules
, selectCreate Default Rules
.This will create default rules that allow members of the Administrators group to run all applications, while restricting standard users.
Create Windows Installer Rules:
Right-click on
Windows Installer Rules
, selectCreate Default Rules
.This will create default rules that allow members of the Administrators group to install applications via Windows Installer, while restricting standard users.
Create Script Rules:
Right-click on
Script Rules
, selectCreate New Rule
.Select
Deny
for the Action.Choose the appropriate conditions to apply the rule (e.g., specific users or groups).
Specify the path or the hash of the scripts you want to restrict.
Click
Create
.
Enforce Group Policy:
Open Command Prompt as Administrator.
Run the command:
gpupdate /force
.This will force an update of Group Policy settings.
After completing these steps, the specified user accounts will be restricted from installing or uninstalling software, as well as from deleting settings via scripts. Ensure that you thoroughly test these restrictions before applying them in a production environment, as they may impact system functionality. Additionally, keep in mind that Group Policy settings may vary depending on your Windows version and edition.
LINUX ENVIORNMENT
In a Linux environment, restricting user accounts from installing or uninstalling software or deleting settings typically involves managing permissions and access controls. Below is a basic shell script that demonstrates how you might restrict specific user accounts from performing these actions:
bashCopy code#!/bin/bash
# This script restricts specific user accounts from installing or uninstalling software
# and deleting settings in a Linux environment.
# List of restricted user accounts
restricted_users=("user1" "user2")
# Loop through each restricted user
for user in "${restricted_users[@]}"; do
echo "Restricting user '$user' from installing or uninstalling software..."
# Remove the user from sudo group
sudo deluser "$user" sudo
# Deny write access to apt package cache
sudo chown root:root /var/cache/apt/archives
sudo chmod 755 /var/cache/apt/archives
sudo chmod g-s /var/cache/apt/archives
# Deny write access to dpkg lock files
sudo chown root:root /var/lib/dpkg/lock-frontend
sudo chmod 644 /var/lib/dpkg/lock-frontend
sudo chmod g-s /var/lib/dpkg/lock-frontend
done
echo "User restrictions applied."
This script performs the following actions:
Removes specified user accounts from the
sudo
group, which grants administrative privileges.Denies write access to the APT package cache directory (
/var/cache/apt/archives
), preventing users from installing or uninstalling software usingapt
.Denies write access to the dpkg lock files, which are necessary for installing or uninstalling packages.
Before running this script, make sure to replace "user1" "user2"
with the usernames of the accounts you want to restrict.
Please note that this script assumes the use of sudo
for administrative tasks. Adjustments may be necessary depending on your specific system configuration and package management tools. Additionally, running this script requires administrative privileges (sudo
).
The system keeps all the event records of the specific user accounts
To keep track of event records for specific user accounts on a Windows system, you can utilize the built-in auditing features. Here's how you can configure auditing for specific user accounts:
Enable Auditing:
Press
Win + R
, typesecpol.msc
, and press Enter to open the Local Security Policy editor.Navigate to
Advanced Audit Policy Configuration
->System Audit Policies
->Logon/Logoff
.Double-click on "Audit Logoff" and select
Success
andFailure
options if you want to audit successful and failed logoff attempts.Similarly, configure auditing for "Audit Logon" if you want to monitor logon attempts.
Configure Audit Settings:
- After selecting the appropriate audit policies, close the Local Security Policy editor.
Apply Auditing to Specific User Accounts:
Right-click on the file, folder, or registry key you want to audit.
Select
Properties
->Security
->Advanced
->Auditing
.Click on
Add
.Type the name of the user account you want to audit, and then click
Check Names
to verify.Click
OK
.Select the type of access you want to audit (e.g.,
Read
,Write
,Delete
).Click
OK
to apply the audit settings.Viewing Audit Logs:
To view audit logs, you can use the Event Viewer (
eventvwr.msc
).Navigate to
Windows Logs
->Security
.Look for events with event IDs related to logon/logoff activities.
Please note that enabling auditing can generate a significant number of events, which may impact system performance and consume disk space. Therefore, it's essential to configure auditing selectively and regularly monitor the audit logs for any suspicious activities. Additionally, you may need administrative privileges to configure auditing settings.
LINUX
To capture event records for specific user accounts on a Linux system, you can utilize the system's logging facilities. Here's a basic shell script that continuously monitors log files for events related to specific user accounts:
bashCopy code#!/bin/bash
# Specify the user accounts you want to monitor
user_accounts=("user1" "user2")
# Specify the log file to monitor (e.g., /var/log/auth.log for authentication events)
log_file="/var/log/auth.log"
# Function to monitor log file for events related to specified user accounts
monitor_logs() {
echo "Monitoring log file $log_file for events related to specified user accounts..."
# Continuously monitor the log file
tail -n0 -F "$log_file" | while read line; do
# Check if the line contains events related to any of the specified user accounts
for user in "${user_accounts[@]}"; do
if echo "$line" | grep -q "$user"; then
echo "$(date +"%Y-%m-%d %H:%M:%S") - Event related to user '$user' detected:"
echo "$line"
fi
done
done
}
# Call the monitor_logs function
monitor_logs
This script continuously monitors the specified log file (/var/log/auth.log
in this example) for events related to specific user accounts. When an event related to any of the specified user accounts is detected, it prints the timestamp and the event to the console.
Before running this script, make sure to:
Replace
"user1" "user2"
with the usernames of the accounts you want to monitor.Adjust the
log_file
variable to specify the path of the log file you want to monitor. You may need to choose a different log file depending on the types of events you're interested in (e.g.,/var/log/auth.log
for authentication events,/var/log/syslog
for system logs, etc.).
To run the script, save it to a file (e.g., monitor_
logs.sh
), grant execute permission (chmod +x monitor_
logs.sh
), and then execute it (./monitor_
logs.sh
). Keep in mind that running this script requires sufficient permissions to access the log files. Additionally, you may need to run the script with root privileges to access certain log files.
UNCHANGABLE WALLPAPER
If you want to intentionally make the wallpaper unchangeable in Windows, you can do so by applying certain settings or restrictions. Here are some methods you can use:
Group Policy Editor:
Press
Win + R
, typegpedit.msc
, and press Enter.Navigate to
User Configuration
->Administrative Templates
->Control Panel
->Personalization
.Double-click on "Prevent changing desktop background".
Select "Enabled" to prevent users from changing the wallpaper.
Click Apply and then OK.
Registry Editor:
Press
Win + R
, typeregedit
, and press Enter.Navigate to the following registry key:
sqlCopy codeHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
If the
System
key doesn't exist, right-click onPolicies
, selectNew
->Key
, and name itSystem
.Right-click on the right pane, select
New
->DWORD (32-bit) Value
, and name itNoChangingWallPaper
.Double-click on
NoChangingWallPaper
and set its value to1
.
After applying these settings, users will not be able to change the wallpaper on the Windows system unless these restrictions are removed. Please note that modifying Group Policy or the registry should be done with caution, as incorrect changes can cause system instability or other issues. Always backup your system or registry before making changes.
LINUX
To make the wallpaper unchangeable in Linux, you need to set the appropriate permissions on the wallpaper file and the wallpaper directory. Here's a shell script that demonstrates how to achieve this:
bashCopy code#!/bin/bash
# Specify the path to the wallpaper file
wallpaper_file="/path/to/your/wallpaper.jpg"
# Specify the path to the directory containing the wallpaper file
wallpaper_directory=$(dirname "$wallpaper_file")
# Set read-only permissions for the wallpaper file
chmod 444 "$wallpaper_file"
# Set read-only and execute permissions for the wallpaper directory
chmod 555 "$wallpaper_directory"
echo "Wallpaper is now unchangeable."
Save this script to a file, for example, make_wallpaper_
unchangeable.sh
, and grant execute permission to the script using the command chmod +x make_wallpaper_
unchangeable.sh
.
Replace /path/to/your/wallpaper.jpg
with the actual path to your wallpaper file.
To execute the script, open a terminal, navigate to the directory where you saved the script, and run it using ./make_wallpaper_
unchangeable.sh
.
This script sets the wallpaper file to read-only mode (444), which prevents any modifications to the file. Additionally, it sets the wallpaper directory to read-only and execute mode (555), which prevents any modifications to the directory and prevents files from being added or removed from the directory. Therefore, users will not be able to change the wallpaper until these permissions are modified.
To automatically lock the system after a period of inactivity in Windows
To automatically lock the system after a period of inactivity in Windows, you can use a combination of Power Options and Screensaver settings. Here's how you can do it:
Configure Screen Saver:
Right-click on the desktop and select
Personalize
.In the Personalization window, click on
Lock screen
settings.Scroll down and click on
Screen saver settings
.In the Screen Saver Settings window, select a screen saver (for example,
Blank
) from the dropdown menu.Check the box labeled
On resume, display logon screen
.Set the
Wait
time to 15 minutes or your preferred duration.Click
Apply
and thenOK
.
Set Power Options:
Press
Win + X
and selectPower Options
.Click on
Change plan settings
next to your selected power plan.Click on
Change advanced power settings
.In the Power Options window, scroll down and find
Display
.Expand
Display
and thenConsole lock display off timeout
.Set the timeout value to 15 minutes.
Click
Apply
and thenOK
.
With these settings configured, the system will automatically lock itself after 15 minutes of inactivity. The screen saver will start after the specified idle time, and when you move the mouse or press any key, you'll be prompted to enter your password to unlock the system.
LINUX
To automatically lock the system after a period of inactivity using a shell script on a Linux system, you can utilize the xautolock
utility along with xdg-screensaver
. Here's a shell script that achieves this:
bashCopy code#!/bin/bash
# Set the time after which the system will be locked (in seconds)
lock_timeout=$((15*60))
# Start xautolock to trigger the lock after the specified idle time
xautolock -time $lock_timeout -locker "xdg-screensaver lock" &
Save this script to a file, for example, auto_lock_
system.sh
, and grant execute permission to the script using the command chmod +x auto_lock_
system.sh
.
To execute the script, open a terminal, navigate to the directory where you saved the script, and run it using ./auto_lock_
system.sh
.
This script uses xautolock
to trigger the lock after the specified idle time (lock_timeout
). When the system is idle for the specified duration, xdg-screensaver lock
is executed to lock the screen. Adjust the lock_timeout
variable to set the desired idle time before the system locks.
WRITE A SHELL SCRIPT TO RESET THE PASSWORD OF SUDO USER
Resetting the password of a sudo user in Linux typically involves using the passwd
command. Here's a shell script that resets the password of a sudo user:
bashCopy code#!/bin/bash
# Check if the script is run as root
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
# Check if a username is provided as an argument
if [ $# -ne 1 ]; then
echo "Usage: $0 <username>"
exit 1
fi
username=$1
# Check if the user exists
if ! id "$username" &>/dev/null; then
echo "User '$username' does not exist"
exit 1
fi
# Reset the password for the user
echo "Enter new password for user '$username':"
passwd "$username"
echo "Password for user '$username' has been reset successfully"
Save this script to a file, for example, reset_sudo_user_
password.sh
, and grant execute permission to the script using the command chmod +x reset_sudo_user_
password.sh
.
To execute the script:
Open a terminal.
Navigate to the directory where you saved the script.
Run the script with the username of the sudo user as an argument. For example:
bashCopy code./reset_sudo_user_password.sh username
Replace
username
with the actual username of the sudo user.
This script checks if it's run as root, verifies that a username is provided as an argument, checks if the user exists, prompts you to enter a new password for the user, and then resets the password using the passwd
command.