harbian-audit/bin/hardening/9.2.16_pam_limit_password_r...

#!/bin/bash

#
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening
#

#
# 9.2.16 Limit Password Reuse (Scored)
# The number in the original document is 9.2.3
#

set -e # One error, it's over
set -u # One variable unset, it's over

HARDENING_LEVEL=3

PACKAGE='libpam-modules'
PATTERN='^password.*pam_pwhistory.so'
FILES='/etc/pam.d/common-password'
KEYWORD='pam_pwhistory.so'
ADDPATTERNLINE='# pam-auth-update(8) for details.'
AUTHRULE='password required pam_pwhistory.so remember=5'
OPTIONNAME='remember'
CONDT_VAL=5

# This function will be called if the script status is on enabled / audit mode
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=1
    else
        ok "$PACKAGE is installed"
		for FILE in $FILES; do
        	does_pattern_exist_in_file $FILE $PATTERN
        	if [ $FNRET = 0 ]; then
            	ok "$PATTERN is present in $FILE"
            	check_param_pair_by_pam $FILE $KEYWORD $OPTIONNAME ge $CONDT_VAL
            	if [ $FNRET = 0 ]; then
					ok "$OPTIONNAME set condition is less-than-or-equal-to $CONDT_VAL"
					reset_ok
					return
            	else
                	crit "$OPTIONNAME set condition is not less-than-or-equal-to $CONDT_VAL"
            	fi
        	else
            	crit "$PATTERN is not present in $FILE"
            	FNRET=2
        	fi
		done
    fi
}

# This function will be called if the script status is on enabled mode
apply () {
    if [ $FNRET = 0 ]; then
		ok "$OPTIONNAME set condition is less-than-or-equal-to $CONDT_VAL"
    elif [ $FNRET = 1 ]; then
        crit "$PACKAGE is absent, installing it"
        install_package $PACKAGE
    elif [ $FNRET = 2 ]; then
		if [ $OS_RELEASE -eq 2 ]; then
			add_line_file_after_pattern_lastline  "$FILE" "$AUTHRULE" "$ADDPATTERNLINE"
		else
			add_line_file_before_pattern $FILE "$AUTHRULE" "$ADDPATTERNLINE"
		fi
    elif [ $FNRET = 3 ]; then
        crit "$FILE is not exist, please check"
    elif [ $FNRET = 4 ]; then
        crit "$OPTIONNAME is not conf in $FILE"
        add_option_to_password_check $FILE $KEYWORD "$OPTIONNAME=$CONDT_VAL"
    elif [ $FNRET = 5 ]; then
        reset_option_to_password_check $FILE $KEYWORD $OPTIONNAME $CONDT_VAL 
		crit "$OPTIONNAME set is not less-than-or-equal-to $CONDT_VAL, reset it to $CONDT_VAL"
    fi 
}

# This function will check config parameters required
check_config() {
	if [ $OS_RELEASE -eq 2 ]; then  
		PACKAGE='pam'
		FILES='/etc/pam.d/system-auth /etc/pam.d/password-auth'
		AUTHRULE='password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3'
		ADDPATTERNLINE='password[[:space:]]*requisite'
	else
		:
	fi
}

# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi

# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
    . $CIS_ROOT_DIR/lib/main.sh
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`#!/bin/bash`

			`#`
Update comment: CentOS8->CentOS 8. 2020-02-28 08:02:13 +01:00			`# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`#`

			`#`
Modify audit and apply methods for redhat/CentOS to 9.2.15 9.2.16 9.2.17 Add reset_ok function. 2020-01-14 19:54:00 +01:00			`# 9.2.16 Limit Password Reuse (Scored)`
Modify 9.2.11 9.2.12 2018-10-29 20:13:25 +01:00			`# The number in the original document is 9.2.3`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`#`

			`set -e # One error, it's over`
			`set -u # One variable unset, it's over`

			`HARDENING_LEVEL=3`

			`PACKAGE='libpam-modules'`
Rename and reorder number for pam module check. 2019-05-10 09:49:17 +02:00			`PATTERN='^password.*pam_pwhistory.so'`
Modify audit and apply methods for redhat/CentOS to 9.2.15 9.2.16 9.2.17 Add reset_ok function. 2020-01-14 19:54:00 +01:00			`FILES='/etc/pam.d/common-password'`
Rename and reorder number for pam module check. 2019-05-10 09:49:17 +02:00			`KEYWORD='pam_pwhistory.so'`
Modify audit and apply methods for redhat/CentOS to 9.2.15 9.2.16 9.2.17 Add reset_ok function. 2020-01-14 19:54:00 +01:00			`ADDPATTERNLINE='# pam-auth-update(8) for details.'`
			`AUTHRULE='password required pam_pwhistory.so remember=5'`
Modify 9.2.12_limit_password_reuse to support audit and apply for don't conf and value is error 2018-09-10 22:18:07 +02:00			`OPTIONNAME='remember'`
			`CONDT_VAL=5`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00
			`# This function will be called if the script status is on enabled / audit mode`
			`audit () {`
			`is_pkg_installed $PACKAGE`
			`if [ $FNRET != 0 ]; then`
			`crit "$PACKAGE is not installed!"`
Modify 9.2.12_limit_password_reuse to support audit and apply for don't conf and value is error 2018-09-10 22:18:07 +02:00			`FNRET=1`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`else`
			`ok "$PACKAGE is installed"`
Modify audit and apply methods for redhat/CentOS to 9.2.15 9.2.16 9.2.17 Add reset_ok function. 2020-01-14 19:54:00 +01:00			`for FILE in $FILES; do`
			`does_pattern_exist_in_file $FILE $PATTERN`
			`if [ $FNRET = 0 ]; then`
			`ok "$PATTERN is present in $FILE"`
			`check_param_pair_by_pam $FILE $KEYWORD $OPTIONNAME ge $CONDT_VAL`
Fix a bug for 9.2.16 2020-01-14 19:59:42 +01:00			`if [ $FNRET = 0 ]; then`
Modify audit and apply methods for redhat/CentOS to 9.2.15 9.2.16 9.2.17 Add reset_ok function. 2020-01-14 19:54:00 +01:00			`ok "$OPTIONNAME set condition is less-than-or-equal-to $CONDT_VAL"`
			`reset_ok`
			`return`
			`else`
			`crit "$OPTIONNAME set condition is not less-than-or-equal-to $CONDT_VAL"`
			`fi`
			`else`
			`crit "$PATTERN is not present in $FILE"`
			`FNRET=2`
			`fi`
			`done`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`fi`
			`}`

			`# This function will be called if the script status is on enabled mode`
			`apply () {`
			`if [ $FNRET = 0 ]; then`
Modify audit and apply methods for redhat/CentOS to 9.2.15 9.2.16 9.2.17 Add reset_ok function. 2020-01-14 19:54:00 +01:00			`ok "$OPTIONNAME set condition is less-than-or-equal-to $CONDT_VAL"`
Modify 9.2.12_limit_password_reuse to support audit and apply for don't conf and value is error 2018-09-10 22:18:07 +02:00			`elif [ $FNRET = 1 ]; then`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`crit "$PACKAGE is absent, installing it"`
Fix some bugs for CentOS8. 2019-12-27 20:51:09 +01:00			`install_package $PACKAGE`
Modify 9.2.12_limit_password_reuse to support audit and apply for don't conf and value is error 2018-09-10 22:18:07 +02:00			`elif [ $FNRET = 2 ]; then`
Modify audit and apply methods for redhat/CentOS to 9.2.15 9.2.16 9.2.17 Add reset_ok function. 2020-01-14 19:54:00 +01:00			`if [ $OS_RELEASE -eq 2 ]; then`
			`add_line_file_after_pattern_lastline "$FILE" "$AUTHRULE" "$ADDPATTERNLINE"`
			`else`
			`add_line_file_before_pattern $FILE "$AUTHRULE" "$ADDPATTERNLINE"`
			`fi`
Modify 9.2.12_limit_password_reuse to support audit and apply for don't conf and value is error 2018-09-10 22:18:07 +02:00			`elif [ $FNRET = 3 ]; then`
			`crit "$FILE is not exist, please check"`
			`elif [ $FNRET = 4 ]; then`
			`crit "$OPTIONNAME is not conf in $FILE"`
			`add_option_to_password_check $FILE $KEYWORD "$OPTIONNAME=$CONDT_VAL"`
			`elif [ $FNRET = 5 ]; then`
			`reset_option_to_password_check $FILE $KEYWORD $OPTIONNAME $CONDT_VAL`
Modify audit and apply methods for redhat/CentOS to 9.2.15 9.2.16 9.2.17 Add reset_ok function. 2020-01-14 19:54:00 +01:00			`crit "$OPTIONNAME set is not less-than-or-equal-to $CONDT_VAL, reset it to $CONDT_VAL"`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`fi`
			`}`

			`# This function will check config parameters required`
			`check_config() {`
Modify audit and apply methods for redhat/CentOS to 9.2.15 9.2.16 9.2.17 Add reset_ok function. 2020-01-14 19:54:00 +01:00			`if [ $OS_RELEASE -eq 2 ]; then`
			`PACKAGE='pam'`
			`FILES='/etc/pam.d/system-auth /etc/pam.d/password-auth'`
			`AUTHRULE='password requisite pam_pwhistory.so use_authtok remember=5 retry=3'`
			`ADDPATTERNLINE='password[[:space:]]*requisite'`
			`else`
			`:`
			`fi`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`}`

			`# Source Root Dir Parameter`
			`if [ -r /etc/default/cis-hardening ]; then`
			`. /etc/default/cis-hardening`
			`fi`
			`if [ -z "$CIS_ROOT_DIR" ]; then`
			`echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."`
			`echo "Cannot source CIS_ROOT_DIR variable, aborting."`
			`exit 128`
			`fi`

			`# Main function, will call the proper functions given the configuration (audit, enabled, disabled)`
			`if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then`
			`. $CIS_ROOT_DIR/lib/main.sh`
			`else`
			`echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"`
			`exit 128`
			`fi`