From 297b4fa343d503544169d561f33af02e71f6cb72 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Mon, 5 Sep 2022 13:45:01 +0000
Subject: [PATCH] Fix pam-tally2.so is missing in Ubuntu #38

---
 bin/hardening/9.2.12_pam_lockout_failed_tally2.sh | 14 ++++++++++----
 bin/hardening/9.2.13_pam_even_deny_root_tally2.sh | 8 +++++++-
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh b/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh
index 2eb44a3..a5ca531 100755
--- a/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh
+++ b/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh
@@ -158,12 +158,12 @@ apply () {
 check_config() {
 if [ $OS_RELEASE -eq 2 ]; then
 PACKAGE='pam'
- PAMLIBNAME='pam_failloc.so'
- AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_failloc.so'
+ PAMLIBNAME='pam_faillock.so'
+ AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
 AUTHFILE='/etc/pam.d/password-auth'
- AUTHRULE='auth required pam_failloc.so deny=3 even_deny_root unlock_time=900'
+ AUTHRULE='auth required pam_faillock.so deny=3 even_deny_root unlock_time=900'
 ADDPATTERNLINE='auth[[:space:]]*required'
- else
+ elif [ $OS_RELEASE -eq 1 ]; then
 is_debian_11
 # faillock for Debian 11
 if [ $FNRET = 0 ]; then
@@ -177,6 +177,12 @@ check_config() {
 AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally2.so'
 AUTHRULE='auth required pam_tally2.so deny=3 even_deny_root unlock_time=900'
 fi
+ # same to debian11
+ elif [ $OS_RELEASE -eq 3 ]; then
+ ISDEBIAN11=1
+ SECCONFFILE='/etc/security/faillock.conf'
+ AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
+ AUTHRULE='auth required pam_faillock.so'
 fi
 }
diff --git a/bin/hardening/9.2.13_pam_even_deny_root_tally2.sh b/bin/hardening/9.2.13_pam_even_deny_root_tally2.sh
index a67dc68..5aa47e4 100755
--- a/bin/hardening/9.2.13_pam_even_deny_root_tally2.sh
+++ b/bin/hardening/9.2.13_pam_even_deny_root_tally2.sh
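Review bot: With `else` replaced by `elif [ $OS_RELEASE -eq 1 ]; then`, the if-chain in check_config has no default branch, so a host whose OS_RELEASE is not 1, 2 or 3 leaves AUTHPATTERN and AUTHRULE unset unless they are defined outside the hunk. An empty OS_RELEASE has the same effect, because the unquoted `[ ... -eq ]` test then errors out and every branch is skipped. For a lockout audit that is a fail-open risk. I would end the chain with an explicit `else` that reports the platform as unsupported and stops, and quote the variable: `elif [ "$OS_RELEASE" -eq 1 ]; then`. The same `else` to `elif` change is made in the first hunk of 9.2.13_pam_even_deny_root_tally2.sh; the rest of the chain continues outside this hunk.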
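Review bot: The new `elif [ $OS_RELEASE -eq 3 ]; then` branch selects pam_faillock for every release that maps to 3, with no version test comparable to the `is_debian_11` call in the branch above it. If 3 stands for Ubuntu, as the commit subject suggests, any release that still ships pam_tally2.so rather than pam_faillock.so would be audited against a module that is not installed. Consider keying the choice on a release check or on whether the module is actually present. The comment `# same to debian11` could then say why, for example `# Ubuntu: pam_tally2.so is not shipped, reuse the Debian 11 faillock settings`. The identical branch is added in the second hunk of 9.2.13_pam_even_deny_root_tally2.sh, so the four assignments are a candidate for one shared helper; setting `ISDEBIAN11=1` on a non-Debian host also deserves a word in that comment.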
@@ -156,7 +156,7 @@ check_config() {
 AUTHRULE='auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900'
 ADDPATTERNLINE='auth[[:space:]]*required'
 DENYROOT='even_deny_root'
- else
+ elif [ $OS_RELEASE -eq 1 ]; then
 is_debian_11
 # faillock for Debian 11
 if [ $FNRET = 0 ]; then
@@ -170,6 +170,12 @@ check_config() {
 AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally2.so'
 AUTHRULE='auth required pam_tally2.so deny=3 even_deny_root unlock_time=900'
 fi
+ # same to debian11
+ elif [ $OS_RELEASE -eq 3 ]; then
+ ISDEBIAN11=1
+ SECCONFFILE='/etc/security/faillock.conf'
+ AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
+ AUTHRULE='auth required pam_faillock.so'
 fi
 }
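Review bot: The added `AUTHRULE='auth required pam_faillock.so'` names no mode, whereas the branch just above the changed `elif` in this file's first hunk uses `pam_faillock.so preauth silent audit ...`. pam_faillock documents its auth entries as `preauth`, `authfail` and `authsucc`, and failed attempts are recorded by an `authfail` entry placed after the password module. A single mode-less line can therefore match AUTHPATTERN while lockout is never actually enforced. How apply() uses AUTHRULE is outside the hunk, so this needs confirming there. If the rule is written verbatim, it should at least state its mode, e.g. `AUTHRULE='auth required pam_faillock.so preauth'`, and the audit should also look for the `authfail` line. The same rule is added in the second hunk of 9.2.12_pam_lockout_failed_tally2.sh.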