harbian-audit/bin/hardening/9.2.11_pam_deny_times_tally...

#!/bin/bash

#
# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening
#

#
# 9.2.11 Set deny times for Password Attempts (Scored)
# Replaced pam_tally2 with pam_faillock in debian 11
# The number in the original document is 9.2.2
# for login and ssh service
# Author : Samson wen, Samson <sccxboy@gmail.com>
#

set -e # One error, it's over
set -u # One variable unset, it's over

HARDENING_LEVEL=3

PACKAGE='libpam-modules-bin'
AUTHFILE='/etc/pam.d/common-auth'
ADDPATTERNLINE='# pam-auth-update(8) for details.'
DENYOPTION='deny'
DENY_VAL=3

# This function will be called if the script status is on enabled / audit mode
audit_before11 () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=11
    else
        ok "$PACKAGE is installed"
        does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
        if [ $FNRET = 0 ]; then
                ok "$AUTHPATTERN is present in $AUTHFILE."
		check_param_pair_by_pam $AUTHFILE $PAMLIBNAME $DENYOPTION le $DENY_VAL
                if [ $FNRET = 0 ]; then
                	ok "$DENYOPTION set condition is less-than-or-equal-to $DENY_VAL"
                else
                    	crit "$DENYOPTION set condition is not $DENY_VAL"
                fi
        else
            crit "$AUTHPATTERN is not present in $AUTHFILE"
            FNRET=2
        fi
    fi
}

audit_debian11 () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=11
    else
        ok "$PACKAGE is installed"
        does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
        if [ $FNRET = 0 ]; then
                ok "$AUTHPATTERN is present in $AUTHFILE."
                check_param_pair_by_value $SECCONFFILE $DENYOPTION le $DENY_VAL
		if [ $FNRET = 0 ]; then
			ok "Option $DENYOPTION set condition is less than or equal to $DENY_VAL in $SECCONFFILE"
		elif [ $FNRET = 1 ]; then
			crit "Option $DENYOPTION set condition is greater than $DENY_VAL in $SECCONFFILE"
		elif [ $FNRET = 2 ]; then
			crit "Option $DENYOPTION is not conf in $SECCONFFILE"
		elif [ $FNRET = 3 ]; then
			crit "Config file $SECCONFFILE is not exist!"
    		fi
	else
            crit "$AUTHPATTERN is not present in $AUTHFILE"
            FNRET=12
	fi
    fi
}

audit () {
	if [ $ISDEBIAN11 -eq 1 ]; then
		audit_debian11
	else
		audit_before11
	fi
}

apply_before11 () {
    if [ $FNRET = 0 ]; then
		ok "$DENYOPTION set condition is less-than-or-equal-to $DENY_VAL"
    elif [ $FNRET = 11 ]; then
        warn "Apply:$PACKAGE is absent, installing it"
        install_package $PACKAGE
    elif [ $FNRET = 2 ]; then
        warn "Apply:$AUTHPATTERN is not present in $AUTHFILE"
		if [ $OS_RELEASE -eq 2 ]; then
			add_line_file_after_pattern_lastline "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
		else
			add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
		fi
    elif [ $FNRET = 3 ]; then
        crit "$AUTHFILE is not exist, please check"
    elif [ $FNRET = 4 ]; then
        warn "Apply:$DENYOPTION is not conf"   
        add_option_to_auth_check $AUTHFILE $PAMLIBNAME "$DENYOPTION=$DENY_VAL"
    elif [ $FNRET = 5 ]; then                                                
        warn "Apply:$DENYOPTION set is not match legally, reset it to $DENY_VAL"
        reset_option_to_password_check $AUTHFILE $PAMLIBNAME "$DENYOPTION" "$DENY_VAL"
    fi
}

# Input: 
# Param1: return-value of call check_param_pair_by_value
# Function: Perform corresponding repair actions based on the return value of the error. 
apply_secconffile() {
	FNRET=$1
	if [ $FNRET = 0 ]; then
		ok "Option $DENYOPTION set condition is less than or equal to $DENY_VAL in $SECCONFFILE"
	elif [ $FNRET = 1 ]; then
		warn "Reset option $DENYOPTION to $DENY_VAL in $SECCONFFILE"
		replace_in_file $SECCONFFILE "^$DENYOPTION.*" "$DENYOPTION = $DENY_VAL"
	elif [ $FNRET = 2 ]; then
		warn "$DENYOPTION is not conf, add to $SECCONFFILE"
		add_end_of_file $SECCONFFILE "$DENYOPTION = $DENY_VAL"
	elif [ $FNRET = 3 ]; then
		warn "Config file $SECCONFFILE is not exist! Please check it by youself"
	else
		warn "This param $FNRET was not defined!!!"
	fi
}

apply_debian11 () {
	if [ $FNRET = 0 ]; then
		ok "$DENYOPTION set condition is less than or equal to $DENY_VAL in $SECCONFFILE"
    	elif [ $FNRET = 11 ]; then
        	warn "Apply:$PACKAGE is absent, installing it"
        	install_package $PACKAGE
        	does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
        	if [ $FNRET != 0 ]; then
			add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
                	check_param_pair_by_value $SECCONFFILE $DENYOPTION le $DENY_VAL
			apply_secconffile $FNRET
		fi
    	elif [ $FNRET = 12 ]; then
		add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
                check_param_pair_by_value $SECCONFFILE $DENYOPTION le $DENY_VAL
		apply_secconffile $FNRET
	else
		apply_secconffile $FNRET
	fi
}

# This function will be called if the script status is on enabled mode
apply () {
	if [ $ISDEBIAN11 = 1 ]; then
		apply_debian11
	else
		apply_before11
	fi
}

# This function will check config parameters required
check_config() {
	if [ $OS_RELEASE -eq 2 ]; then
		PACKAGE='pam'
		PAMLIBNAME='pam_faillock.so'
		AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
		AUTHFILE='/etc/pam.d/password-auth'
		AUTHRULE='auth    required pam_faillock.so deny=3 even_deny_root unlock_time=900'
		ADDPATTERNLINE='auth[[:space:]]*required'
	elif [ $OS_RELEASE -eq 1 ]; then
			ISDEBIAN11=0
			PAMLIBNAME='pam_tally2.so'
			AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally2.so'
			AUTHRULE='auth    required pam_tally2.so deny=3 even_deny_root unlock_time=900'
	# ubuntu/debian11/debian12
	elif [ $OS_RELEASE -eq 3 -o $OS_RELEASE -eq 11 -o $OS_RELEASE -eq 12 ]; then
			ISDEBIAN11=1
			SECCONFFILE='/etc/security/faillock.conf'
			AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
			AUTHRULE='auth    required pam_faillock.so'
	fi
}

# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi

# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
    . $CIS_ROOT_DIR/lib/main.sh
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`#!/bin/bash`

			`#`
Update 9.2.11 9.2.12 9.2.13 for Debian12 2023-06-11 20:18:30 +02:00			`# harbian-audit for Debian GNU/Linux 7/8/9/10/11/12 or CentOS 8 Hardening`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`#`

			`#`
Add audit and apply methods for enable even_deny_root with pam_tally2 2018-11-07 20:46:17 +01:00			`# 9.2.11 Set deny times for Password Attempts (Scored)`
Fix bug: Replaced pam_tally2 with pam_faillock in debian 11. 2021-08-15 20:14:00 +02:00			`# Replaced pam_tally2 with pam_faillock in debian 11`
Modify 9.2.11 9.2.12 2018-10-29 20:13:25 +01:00			`# The number in the original document is 9.2.2`
Modify apply method for 9.2.11 2018-11-02 16:56:44 +01:00			`# for login and ssh service`
Implement audit and apply methods for 7.6 disable_wireless. 2019-04-12 10:07:44 +02:00			`# Author : Samson wen, Samson <sccxboy@gmail.com>`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`#`

			`set -e # One error, it's over`
			`set -u # One variable unset, it's over`

			`HARDENING_LEVEL=3`

			`PACKAGE='libpam-modules-bin'`
Modify apply method for 9.2.11 2018-11-02 16:56:44 +01:00			`AUTHFILE='/etc/pam.d/common-auth'`
Modify 9.2.11 2018-11-05 11:30:15 +01:00			`ADDPATTERNLINE='# pam-auth-update(8) for details.'`
Add audit and apply methods for set deny with pam_tally2 2018-11-07 09:12:50 +01:00			`DENYOPTION='deny'`
			`DENY_VAL=3`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00
			`# This function will be called if the script status is on enabled / audit mode`
Fix bug: Replaced pam_tally2 with pam_faillock in debian 11. 2021-08-15 20:14:00 +02:00			`audit_before11 () {`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`is_pkg_installed $PACKAGE`
			`if [ $FNRET != 0 ]; then`
			`crit "$PACKAGE is not installed!"`
Fix bug: Replaced pam_tally2 with pam_faillock in debian 11. 2021-08-15 20:14:00 +02:00			`FNRET=11`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`else`
			`ok "$PACKAGE is installed"`
Modify apply method for 9.2.11 2018-11-02 16:56:44 +01:00			`does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`if [ $FNRET = 0 ]; then`
Modify apply method for 9.2.11 2018-11-02 16:56:44 +01:00			`ok "$AUTHPATTERN is present in $AUTHFILE."`
Fix bug: Replaced pam_tally2 with pam_faillock in debian 11. 2021-08-15 20:14:00 +02:00			`check_param_pair_by_pam $AUTHFILE $PAMLIBNAME $DENYOPTION le $DENY_VAL`
Add audit and apply methods for set deny with pam_tally2 2018-11-07 09:12:50 +01:00			`if [ $FNRET = 0 ]; then`
Fix bug: Replaced pam_tally2 with pam_faillock in debian 11. 2021-08-15 20:14:00 +02:00			`ok "$DENYOPTION set condition is less-than-or-equal-to $DENY_VAL"`
Add audit and apply methods for set deny with pam_tally2 2018-11-07 09:12:50 +01:00			`else`
Fix bug: Replaced pam_tally2 with pam_faillock in debian 11. 2021-08-15 20:14:00 +02:00			`crit "$DENYOPTION set condition is not $DENY_VAL"`
Add audit and apply methods for set deny with pam_tally2 2018-11-07 09:12:50 +01:00			`fi`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`else`
Modify apply method for 9.2.11 2018-11-02 16:56:44 +01:00			`crit "$AUTHPATTERN is not present in $AUTHFILE"`
Fix apply is not set to /etc/pam.d/login. 2018-09-13 11:51:37 +02:00			`FNRET=2`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`fi`
			`fi`
			`}`

Fix bug: Replaced pam_tally2 with pam_faillock in debian 11. 2021-08-15 20:14:00 +02:00			`audit_debian11 () {`
			`is_pkg_installed $PACKAGE`
			`if [ $FNRET != 0 ]; then`
			`crit "$PACKAGE is not installed!"`
			`FNRET=11`
			`else`
			`ok "$PACKAGE is installed"`
			`does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN`
			`if [ $FNRET = 0 ]; then`
			`ok "$AUTHPATTERN is present in $AUTHFILE."`
			`check_param_pair_by_value $SECCONFFILE $DENYOPTION le $DENY_VAL`
			`if [ $FNRET = 0 ]; then`
			`ok "Option $DENYOPTION set condition is less than or equal to $DENY_VAL in $SECCONFFILE"`
			`elif [ $FNRET = 1 ]; then`
			`crit "Option $DENYOPTION set condition is greater than $DENY_VAL in $SECCONFFILE"`
			`elif [ $FNRET = 2 ]; then`
			`crit "Option $DENYOPTION is not conf in $SECCONFFILE"`
			`elif [ $FNRET = 3 ]; then`
			`crit "Config file $SECCONFFILE is not exist!"`
			`fi`
			`else`
			`crit "$AUTHPATTERN is not present in $AUTHFILE"`
			`FNRET=12`
			`fi`
			`fi`
			`}`

			`audit () {`
Modify 9.2.11 for support to ubuntu 22.04 2022-09-04 19:52:01 +02:00			`if [ $ISDEBIAN11 -eq 1 ]; then`
Fix bug: Replaced pam_tally2 with pam_faillock in debian 11. 2021-08-15 20:14:00 +02:00			`audit_debian11`
			`else`
			`audit_before11`
			`fi`
			`}`

			`apply_before11 () {`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`if [ $FNRET = 0 ]; then`
Add add_line_file_after_pattern_lastline function. Add audit and apply methods for redhat/CentOS to 9.2.11. 2020-01-13 09:08:51 +01:00			`ok "$DENYOPTION set condition is less-than-or-equal-to $DENY_VAL"`
Fix bug: Replaced pam_tally2 with pam_faillock in debian 11. 2021-08-15 20:14:00 +02:00			`elif [ $FNRET = 11 ]; then`
Modify apply method for 9.2.11 2018-11-02 16:56:44 +01:00			`warn "Apply:$PACKAGE is absent, installing it"`
Fix some bugs for CentOS8. 2019-12-27 20:51:09 +01:00			`install_package $PACKAGE`
Fix apply is not set to /etc/pam.d/login. 2018-09-13 11:51:37 +02:00			`elif [ $FNRET = 2 ]; then`
Modify apply method for 9.2.11 2018-11-02 16:56:44 +01:00			`warn "Apply:$AUTHPATTERN is not present in $AUTHFILE"`
Add add_line_file_after_pattern_lastline function. Add audit and apply methods for redhat/CentOS to 9.2.11. 2020-01-13 09:08:51 +01:00			`if [ $OS_RELEASE -eq 2 ]; then`
			`add_line_file_after_pattern_lastline "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"`
			`else`
			`add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"`
			`fi`
Add audit and apply methods for set deny with pam_tally2 2018-11-07 09:12:50 +01:00			`elif [ $FNRET = 3 ]; then`
			`crit "$AUTHFILE is not exist, please check"`
			`elif [ $FNRET = 4 ]; then`
			`warn "Apply:$DENYOPTION is not conf"`
			`add_option_to_auth_check $AUTHFILE $PAMLIBNAME "$DENYOPTION=$DENY_VAL"`
			`elif [ $FNRET = 5 ]; then`
			`warn "Apply:$DENYOPTION set is not match legally, reset it to $DENY_VAL"`
			`reset_option_to_password_check $AUTHFILE $PAMLIBNAME "$DENYOPTION" "$DENY_VAL"`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`fi`
			`}`

Fix bug: Replaced pam_tally2 with pam_faillock in debian 11. 2021-08-15 20:14:00 +02:00			`# Input:`
			`# Param1: return-value of call check_param_pair_by_value`
			`# Function: Perform corresponding repair actions based on the return value of the error.`
			`apply_secconffile() {`
			`FNRET=$1`
			`if [ $FNRET = 0 ]; then`
			`ok "Option $DENYOPTION set condition is less than or equal to $DENY_VAL in $SECCONFFILE"`
			`elif [ $FNRET = 1 ]; then`
			`warn "Reset option $DENYOPTION to $DENY_VAL in $SECCONFFILE"`
			`replace_in_file $SECCONFFILE "^$DENYOPTION.*" "$DENYOPTION = $DENY_VAL"`
			`elif [ $FNRET = 2 ]; then`
			`warn "$DENYOPTION is not conf, add to $SECCONFFILE"`
			`add_end_of_file $SECCONFFILE "$DENYOPTION = $DENY_VAL"`
			`elif [ $FNRET = 3 ]; then`
			`warn "Config file $SECCONFFILE is not exist! Please check it by youself"`
			`else`
			`warn "This param $FNRET was not defined!!!"`
			`fi`
			`}`

			`apply_debian11 () {`
			`if [ $FNRET = 0 ]; then`
			`ok "$DENYOPTION set condition is less than or equal to $DENY_VAL in $SECCONFFILE"`
			`elif [ $FNRET = 11 ]; then`
			`warn "Apply:$PACKAGE is absent, installing it"`
			`install_package $PACKAGE`
			`does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN`
			`if [ $FNRET != 0 ]; then`
			`add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"`
			`check_param_pair_by_value $SECCONFFILE $DENYOPTION le $DENY_VAL`
			`apply_secconffile $FNRET`
			`fi`
			`elif [ $FNRET = 12 ]; then`
			`add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"`
			`check_param_pair_by_value $SECCONFFILE $DENYOPTION le $DENY_VAL`
			`apply_secconffile $FNRET`
			`else`
			`apply_secconffile $FNRET`
			`fi`
			`}`

			`# This function will be called if the script status is on enabled mode`
			`apply () {`
			`if [ $ISDEBIAN11 = 1 ]; then`
			`apply_debian11`
			`else`
			`apply_before11`
			`fi`
			`}`

Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`# This function will check config parameters required`
			`check_config() {`
Add add_line_file_after_pattern_lastline function. Add audit and apply methods for redhat/CentOS to 9.2.11. 2020-01-13 09:08:51 +01:00			`if [ $OS_RELEASE -eq 2 ]; then`
			`PACKAGE='pam'`
Modify 9.2.11 for support to ubuntu 22.04 2022-09-04 19:52:01 +02:00			`PAMLIBNAME='pam_faillock.so'`
			`AUTHPATTERN='^auth[[:space:]]required[[:space:]]pam_faillock.so'`
Add add_line_file_after_pattern_lastline function. Add audit and apply methods for redhat/CentOS to 9.2.11. 2020-01-13 09:08:51 +01:00			`AUTHFILE='/etc/pam.d/password-auth'`
Modify 9.2.11 for support to ubuntu 22.04 2022-09-04 19:52:01 +02:00			`AUTHRULE='auth required pam_faillock.so deny=3 even_deny_root unlock_time=900'`
Add add_line_file_after_pattern_lastline function. Add audit and apply methods for redhat/CentOS to 9.2.11. 2020-01-13 09:08:51 +01:00			`ADDPATTERNLINE='auth[[:space:]]*required'`
Modify 9.2.11 for support to ubuntu 22.04 2022-09-04 19:52:01 +02:00			`elif [ $OS_RELEASE -eq 1 ]; then`
Fix bug: Replaced pam_tally2 with pam_faillock in debian 11. 2021-08-15 20:14:00 +02:00			`ISDEBIAN11=0`
			`PAMLIBNAME='pam_tally2.so'`
			`AUTHPATTERN='^auth[[:space:]]required[[:space:]]pam_tally2.so'`
			`AUTHRULE='auth required pam_tally2.so deny=3 even_deny_root unlock_time=900'`
Update 9.2.11 9.2.12 9.2.13 for Debian12 2023-06-11 20:18:30 +02:00			`# ubuntu/debian11/debian12`
			`elif [ $OS_RELEASE -eq 3 -o $OS_RELEASE -eq 11 -o $OS_RELEASE -eq 12 ]; then`
Modify 9.2.11 for support to ubuntu 22.04 2022-09-04 19:52:01 +02:00			`ISDEBIAN11=1`
			`SECCONFFILE='/etc/security/faillock.conf'`
			`AUTHPATTERN='^auth[[:space:]]required[[:space:]]pam_faillock.so'`
			`AUTHRULE='auth required pam_faillock.so'`
Add add_line_file_after_pattern_lastline function. Add audit and apply methods for redhat/CentOS to 9.2.11. 2020-01-13 09:08:51 +01:00			`fi`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`}`

			`# Source Root Dir Parameter`
			`if [ -r /etc/default/cis-hardening ]; then`
			`. /etc/default/cis-hardening`
			`fi`
			`if [ -z "$CIS_ROOT_DIR" ]; then`
			`echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."`
			`echo "Cannot source CIS_ROOT_DIR variable, aborting."`
			`exit 128`
			`fi`

			`# Main function, will call the proper functions given the configuration (audit, enabled, disabled)`
			`if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then`
			`. $CIS_ROOT_DIR/lib/main.sh`
			`else`
			`echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"`
			`exit 128`
			`fi`