Modify 9.2.12_limit_password_reuse to support audit and apply for don't conf and value is error

2018-09-11 04:18:07 +08:00 · 2018-09-11 04:18:07 +08:00 · 416415d78e
parent f548ebc250
commit 416415d78e
2 changed files with 28 additions and 13 deletions
--- a/bin/hardening/9.2.12_limit_password_reuse.sh
+++ b/bin/hardening/9.2.12_limit_password_reuse.sh
@ -5,7 +5,7 @@
 #

 #
-# 9.2.3 Limit Password Reuse (Scored)
+# 9.2.12 Limit Password Reuse (Scored)
 #

 set -e # One error, it's over
@ -14,40 +14,54 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=3

 PACKAGE='libpam-modules'
-PATTERN='^password.*remember'
+PATTERN='^password.*pam_unix.so'
 FILE='/etc/pam.d/common-password'
+KEYWORD='pam_unix.so'
+OPTIONNAME='remember'
+CONDT_VAL=5

 # This function will be called if the script status is on enabled / audit mode
 audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
+        FNRET=1
    else
        ok "$PACKAGE is installed"
        does_pattern_exist_in_file $FILE $PATTERN
        if [ $FNRET = 0 ]; then
            ok "$PATTERN is present in $FILE"
+            check_password_by_pam $KEYWORD $OPTIONNAME ge $CONDT_VAL
+            if [ $FNRET = 0 ]; then
+                ok "$OPTIONNAME set condition to $CONDT_VAL is ok"
+            else
+                crit "$OPTIONNAME set condition to $CONDT_VAL is error"
+            fi
        else
            crit "$PATTERN is not present in $FILE"
+            FNRET=2
        fi
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply () {
-    is_pkg_installed $PACKAGE
    if [ $FNRET = 0 ]; then
        ok "$PACKAGE is installed"
-    else
+    elif [ $FNRET = 1 ]; then
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
-    fi
-    does_pattern_exist_in_file $FILE $PATTERN
-    if [ $FNRET = 0 ]; then
-        ok "$PATTERN is present in $FILE"
-    else
+    elif [ $FNRET = 2 ]; then
        warn "$PATTERN is not present in $FILE"
        add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
+    elif [ $FNRET = 3 ]; then
+        crit "$FILE is not exist, please check"
+    elif [ $FNRET = 4 ]; then
+        crit "$OPTIONNAME is not conf in $FILE"
+        add_option_to_password_check $FILE $KEYWORD "$OPTIONNAME=$CONDT_VAL"
+    elif [ $FNRET = 5 ]; then
+        reset_option_to_password_check $FILE $KEYWORD $OPTIONNAME $CONDT_VAL 
+        crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
    fi 
 }

--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -443,14 +443,15 @@ verify_integrity_all_packages()

 check_password_by_pam()
 {   
-    OPTION=$1
-    COMPARE=$2
-    CONDITION=$3
+    KEYWORD=$1
+    OPTION=$2
+    COMPARE=$3
+    CONDITION=$4

    LOCATION="/etc/pam.d/common-password"
-    KEYWORD="pam_cracklib.so"

    #Example:
+    #KEYWORD="pam_cracklib.so"
    #OPTION="ocredit"
    #COMPARE="gt"
    #CONDITION="-1"