From 39dc43adb260de857243b90210147242d73001a2 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Wed, 15 Jan 2020 02:54:00 +0800
Subject: [PATCH] Modify audit and apply methods for redhat/CentOS to 9.2.15 9.2.16 9.2.17 Add reset_ok function.
---
 ..._pam_printlastlog_to_showfailed_lastlog.sh | 12 +++-
 .../9.2.16_pam_limit_password_reuse.sh | 58 ++++++++++++-------
 .../9.2.17_pam_even_deny_root_tally2.sh | 22 +++++--
 lib/common.sh | 6 ++
 4 files changed, 71 insertions(+), 27 deletions(-)
diff --git a/bin/hardening/9.2.15_pam_printlastlog_to_showfailed_lastlog.sh b/bin/hardening/9.2.15_pam_printlastlog_to_showfailed_lastlog.sh
index ccd2d7d..121b8f6 100755
--- a/bin/hardening/9.2.15_pam_printlastlog_to_showfailed_lastlog.sh
+++ b/bin/hardening/9.2.15_pam_printlastlog_to_showfailed_lastlog.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
-# harbian audit 7/8/9 Hardening
+# harbian audit 7/8/9 or CentOS8 Hardening
 #
 #
@@ -64,7 +64,15 @@ apply () {
 # This function will check config parameters required
 check_config() {
-    :
+    if [ $OS_RELEASE -eq 2 ]; then
+        PACKAGE='pam'
+        PATTERN='^session.*pam_lastlog.so'
+        FILE='/etc/pam.d/postlogin'
+        KEYWORD='pam_lastlog.so'
+        OPTIONNAME='showfailed'
+    else
+        :
+    fi
 }
 # Source Root Dir Parameter
diff --git a/bin/hardening/9.2.16_pam_limit_password_reuse.sh b/bin/hardening/9.2.16_pam_limit_password_reuse.sh
index 4f22295..e5a4bb1 100755
--- a/bin/hardening/9.2.16_pam_limit_password_reuse.sh
+++ b/bin/hardening/9.2.16_pam_limit_password_reuse.sh
@@ -1,11 +1,11 @@
 #!/bin/bash
 #
-# harbian audit 7/8/9 Hardening
+# harbian audit 7/8/9 or CentOS8 Hardening
 #
 #
-# 9.2.12 Limit Password Reuse (Scored)
+# 9.2.16 Limit Password Reuse (Scored)
 # The number in the original document is 9.2.3
 #
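Review bot: `if [ $OS_RELEASE -eq 2 ]; then` in the new check_config body leaves `$OS_RELEASE` unquoted, so if the variable is empty or unset when check_config runs, `[` prints "unary operator expected" and returns non-zero, and the CentOS settings are silently skipped; where OS_RELEASE is assigned is outside this patch, so whether that can happen is inferred. A defensive form is `if [ "${OS_RELEASE:-0}" -eq 2 ]; then`. The same construct appears in the 9.2.16 and 9.2.17 check_config and apply hunks below. The `else :` branch is a no-op and can be dropped, leaving a plain `if ... fi`.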
@@ -16,8 +16,10 @@ HARDENING_LEVEL=3
 PACKAGE='libpam-modules'
 PATTERN='^password.*pam_pwhistory.so'
-FILE='/etc/pam.d/common-password'
+FILES='/etc/pam.d/common-password'
 KEYWORD='pam_pwhistory.so'
+ADDPATTERNLINE='# pam-auth-update(8) for details.'
+AUTHRULE='password required pam_pwhistory.so remember=5'
 OPTIONNAME='remember'
 CONDT_VAL=5
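Review bot: `AUTHRULE='password required pam_pwhistory.so remember=5'` hardcodes the reuse count that `CONDT_VAL=5` two lines later is meant to own, so changing CONDT_VAL would make audit check one threshold and apply write another; the CentOS AUTHRULE added in check_config further down duplicates the value the same way. Since AUTHRULE is assigned before CONDT_VAL here, the fix is to move the assignment below CONDT_VAL and derive it: `AUTHRULE="password required pam_pwhistory.so remember=$CONDT_VAL"`. FILES is now a space-separated list that audit iterates unquoted, which works for these paths but deserves a comment such as `# FILES: space-separated list of PAM files to check (paths must not contain spaces)`.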
@@ -29,32 +31,39 @@ audit () {
         FNRET=1
     else
         ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
-        if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
-            check_param_pair_by_pam $FILE $KEYWORD $OPTIONNAME ge $CONDT_VAL
-            if [ $FNRET = 0 ]; then
-                ok "$OPTIONNAME set condition to $CONDT_VAL is ok"
-            else
-                crit "$OPTIONNAME set condition to $CONDT_VAL is error"
-            fi
-        else
-            crit "$PATTERN is not present in $FILE"
-            FNRET=2
-        fi
+        for FILE in $FILES; do
+            does_pattern_exist_in_file $FILE $PATTERN
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+                check_param_pair_by_pam $FILE $KEYWORD $OPTIONNAME ge $CONDT_VAL
+                if [ $FNRET = 0 ]; thena
+                    ok "$OPTIONNAME set condition is less-than-or-equal-to $CONDT_VAL"
+                    reset_ok
+                    return
+                else
+                    crit "$OPTIONNAME set condition is not less-than-or-equal-to $CONDT_VAL"
+                fi
+            else
+                crit "$PATTERN is not present in $FILE"
+                FNRET=2
+            fi
+        done
     fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
     if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
+        ok "$OPTIONNAME set condition is less-than-or-equal-to $CONDT_VAL"
     elif [ $FNRET = 1 ]; then
         crit "$PACKAGE is absent, installing it"
         install_package $PACKAGE
     elif [ $FNRET = 2 ]; then
-        warn "$PATTERN is not present in $FILE"
-        add_line_file_before_pattern $FILE "password required pam_pwhistory.so remember=5" "# pam-auth-update(8) for details."
+        if [ $OS_RELEASE -eq 2 ]; then
+            add_line_file_after_pattern_lastline "$FILE" "$AUTHRULE" "$ADDPATTERNLINE"
+        else
+            add_line_file_before_pattern $FILE "$AUTHRULE" "$ADDPATTERNLINE"
+        fi
     elif [ $FNRET = 3 ]; then
         crit "$FILE is not exist, please check"
     elif [ $FNRET = 4 ]; then
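Review bot: `if [ $FNRET = 0 ]; thena` in the new audit loop is a typo for `then`; bash reads `thena` as a command in the condition list and then meets `else` with no `then`, so the whole script fails to parse and neither audit nor apply ever runs. Beyond the typo, the loop calls `reset_ok` and `return` as soon as one file passes, so a crit already raised for an earlier entry of FILES is zeroed and any remaining file is never checked; on CentOS, where FILES holds both system-auth and password-auth, a host with the rule in only one of them audits as compliant. After the loop `$FILE` holds only the last file visited, so the FNRET=2 branch of apply (and the FNRET=3..5 branches, which continue outside this hunk) repairs one file at most; accumulating the worst FNRET per file and iterating again in apply would avoid both problems. The new messages also say "less-than-or-equal-to" while the operator passed to check_param_pair_by_pam is `ge`; presumably the intent is that remember is at least $CONDT_VAL, so wording such as `ok "$OPTIONNAME is >= $CONDT_VAL in $FILE"` would remove the contradiction. audit's body starts outside the hunk.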
@@ -62,13 +71,20 @@ apply () {
         add_option_to_password_check $FILE $KEYWORD "$OPTIONNAME=$CONDT_VAL"
     elif [ $FNRET = 5 ]; then
         reset_option_to_password_check $FILE $KEYWORD $OPTIONNAME $CONDT_VAL
-        crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
+        crit "$OPTIONNAME set is not less-than-or-equal-to $CONDT_VAL, reset it to $CONDT_VAL"
     fi
 }
 # This function will check config parameters required
 check_config() {
-    :
+    if [ $OS_RELEASE -eq 2 ]; then
+        PACKAGE='pam'
+        FILES='/etc/pam.d/system-auth /etc/pam.d/password-auth'
+        AUTHRULE='password requisite pam_pwhistory.so use_authtok remember=5 retry=3'
+        ADDPATTERNLINE='password[[:space:]]*requisite'
+    else
+        :
+    fi
 }
 # Source Root Dir Parameter
diff --git a/bin/hardening/9.2.17_pam_even_deny_root_tally2.sh b/bin/hardening/9.2.17_pam_even_deny_root_tally2.sh
index 72822f6..a33c563 100755
--- a/bin/hardening/9.2.17_pam_even_deny_root_tally2.sh
+++ b/bin/hardening/9.2.17_pam_even_deny_root_tally2.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
-# harbian audit 9 Hardening
+# harbian audit 9 or CentOS8 Hardening
 #
 #
@@ -50,13 +50,17 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     if [ $FNRET = 0 ]; then
-        ok "$PACKAGE is installed"
+        ok "$DENYROOT is already configured"
     elif [ $FNRET = 1 ]; then
         warn "Apply:$PACKAGE is absent, installing it"
         install_package $PACKAGE
     elif [ $FNRET = 2 ]; then
         warn "Apply:$AUTHPATTERN is not present in $AUTHFILE"
-        add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
+        if [ $OS_RELEASE -eq 2 ]; then
+            add_line_file_after_pattern_lastline "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
+        else
+            add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
+        fi
     elif [ $FNRET = 3 ]; then
         crit "$AUTHFILE is not exist, please check"
     elif [ $FNRET = 4 ]; then
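Review bot: The CentOS rule `password requisite pam_pwhistory.so use_authtok remember=5 retry=3` is anchored after the last line matching `password[[:space:]]*requisite`, which rests on an undocumented ordering assumption: with `use_authtok` pam_pwhistory only works when it is stacked after the module that prompts for the new password (normally pam_pwquality.so) and before pam_unix.so, and if a file has no `password requisite` line at all the anchor does not match — what add_line_file_after_pattern_lastline does in that case is not visible here. A comment above the assignment such as `# use_authtok: rule must follow the password-prompting module (pam_pwquality) and precede pam_unix.so; anchored on the last 'password requisite' line` would record that. The FNRET=5 message "not less-than-or-equal-to" describes the opposite of the `ge` comparison audit uses, so it should be reworded together with the audit messages.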
@@ -67,7 +71,17 @@ apply () {
 # This function will check config parameters required
 check_config() {
-    :
+    if [ $OS_RELEASE -eq 2 ]; then
+        PACKAGE='pam'
+        PAMLIBNAME='pam_faillock.so'
+        AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
+        AUTHFILE='/etc/pam.d/password-auth'
+        AUTHRULE='auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900'
+        ADDPATTERNLINE='auth[[:space:]]*required'
+        DENYROOT='even_deny_root'
+    else
+        :
+    fi
 }
 # Source Root Dir Parameter
diff --git a/lib/common.sh b/lib/common.sh
index 528dbb4..b0f8e1f 100644
--- a/lib/common.sh
+++ b/lib/common.sh
@@ -84,3 +84,9 @@ info () {
 debug () {
     if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi
 }
+
+reset_ok () {
+    info "Reset to ok!!!"
+    CRITICAL_ERRORS_NUMBER=0
+}
+
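Review bot: The CentOS settings audit and add only a `preauth` pam_faillock line, and only in /etc/pam.d/password-auth; a preauth entry consults the failure counter but does not record failed attempts, so unless the file already carries a matching `authfail` line after pam_unix.so and an `account required pam_faillock.so` line, the lockout this control is meant to enforce will not trigger — that cannot be confirmed from the patch, but nothing here checks for those lines. /etc/pam.d/system-auth is not covered either, so the audit can report even_deny_root as configured while console logins still go through a stack that was never checked. At minimum a comment on AUTHFILE/AUTHRULE should state the assumption, e.g. `# NOTE: only the preauth line in password-auth is audited/added; authfail, account and system-auth entries are assumed to be present`. `^auth[[:space:]]*required[[:space:]]*pam_faillock.so` uses `*`, so it also matches with no whitespace between the fields; `+` is the stricter pattern.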
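Review bot: `reset_ok` sets CRITICAL_ERRORS_NUMBER to 0 unconditionally, which discards every crit counted so far in the run rather than only the one the caller wants to retract; its first user, the new per-file loop in 9.2.16's audit, calls it after one compliant file, so a crit raised for a preceding non-compliant file disappears from the final verdict. If the intent is "this check ended up ok", the safer contract is for the caller not to raise the crit until the loop has finished, or to snapshot the counter before the loop and restore it, rather than zeroing it globally. At least the function should document the effect: `# Clears the run-wide critical counter; only call when every earlier crit in this script is known to be moot`. `info "Reset to ok!!!"` is also not actionable in a log; naming the caller, e.g. `info "Reset critical counter to 0 (from ${FUNCNAME[1]:-unknown})"`, would help. Whether CRITICAL_ERRORS_NUMBER is the only state the final status reads is not visible here.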