From 416415d78ef72c8ac32428fef48ff1456c8a4791 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Tue, 11 Sep 2018 04:18:07 +0800
Subject: [PATCH] Modify 9.2.12_limit_password_reuse to support audit and apply for don't conf and value is error
---
 bin/hardening/9.2.12_limit_password_reuse.sh | 32 ++++++++++++++------
 lib/utils.sh | 9 +++---
 2 files changed, 28 insertions(+), 13 deletions(-)
diff --git a/bin/hardening/9.2.12_limit_password_reuse.sh b/bin/hardening/9.2.12_limit_password_reuse.sh
index d8a16dc..3a51eb4 100755
--- a/bin/hardening/9.2.12_limit_password_reuse.sh
+++ b/bin/hardening/9.2.12_limit_password_reuse.sh
@@ -5,7 +5,7 @@
 #
 #
-# 9.2.3 Limit Password Reuse (Scored)
+# 9.2.12 Limit Password Reuse (Scored)
 #
 set -e # One error, it's over
@@ -14,40 +14,54 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 PACKAGE='libpam-modules'
-PATTERN='^password.*remember'
+PATTERN='^password.*pam_unix.so'
 FILE='/etc/pam.d/common-password'
+KEYWORD='pam_unix.so'
+OPTIONNAME='remember'
+CONDT_VAL=5
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 is_pkg_installed $PACKAGE
 if [ $FNRET != 0 ]; then
 crit "$PACKAGE is not installed!"
+FNRET=1
 else
 ok "$PACKAGE is installed"
 does_pattern_exist_in_file $FILE $PATTERN
 if [ $FNRET = 0 ]; then
 ok "$PATTERN is present in $FILE"
+check_password_by_pam $KEYWORD $OPTIONNAME ge $CONDT_VAL
+if [ $FNRET = 0 ]; then
+ok "$OPTIONNAME set condition to $CONDT_VAL is ok"
+else
+crit "$OPTIONNAME set condition to $CONDT_VAL is error"
+fi
 else
 crit "$PATTERN is not present in $FILE"
+FNRET=2
 fi
 fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
-is_pkg_installed $PACKAGE
 if [ $FNRET = 0 ]; then
 ok "$PACKAGE is installed"
-else
+elif [ $FNRET = 1 ]; then
 crit "$PACKAGE is absent, installing it"
 apt_install $PACKAGE
-fi
-does_pattern_exist_in_file $FILE $PATTERN
-if [ $FNRET = 0 ]; then
-ok "$PATTERN is present in $FILE"
-else
+elif [ $FNRET = 2 ]; then
 warn "$PATTERN is not present in $FILE"
 add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
+elif [ $FNRET = 3 ]; then
+crit "$FILE is not exist, please check"
+elif [ $FNRET = 4 ]; then
+crit "$OPTIONNAME is not conf in $FILE"
+add_option_to_password_check $FILE $KEYWORD "$OPTIONNAME=$CONDT_VAL"
+elif [ $FNRET = 5 ]; then
+reset_option_to_password_check $FILE $KEYWORD $OPTIONNAME $CONDT_VAL
+crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
 fi
 }
diff --git a/lib/utils.sh b/lib/utils.sh
index d699ff2..bc899ef 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
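Review bot: apply() now performs at most one remediation per run, because the package, pattern and option checks were folded into a single elif chain on the FNRET value left behind by audit(): when the package is absent (FNRET=1) apt_install runs, but a missing pam_unix.so line or a wrong remember value is not fixed until the script is executed again, whereas the removed code re-checked the pattern after installing. The line added in the FNRET=2 branch also hard-codes `remember=5` while the audit compares against `$CONDT_VAL`; write it as `... pam_unix.so obscure sha512 remember=$CONDT_VAL"` so raising CONDT_VAL cannot leave the line the script itself inserts failing its own check. After apt_install consider re-running `does_pattern_exist_in_file $FILE $PATTERN` and `check_password_by_pam $KEYWORD $OPTIONNAME ge $CONDT_VAL` and falling through to the later branches. Note that with `set -u` apply() now aborts if it is ever entered without audit() having set FNRET in the same invocation; presumably the framework always dispatches audit first, but that guarantee is not visible here.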
@@ -443,14 +443,15 @@ verify_integrity_all_packages()
 check_password_by_pam() {
-OPTION=$1
-COMPARE=$2
-CONDITION=$3
+KEYWORD=$1
+OPTION=$2
+COMPARE=$3
+CONDITION=$4
 LOCATION="/etc/pam.d/common-password"
-KEYWORD="pam_cracklib.so"
 #Example:
+#KEYWORD="pam_cracklib.so"
 #OPTION="ocredit"
 #COMPARE="gt"
 #CONDITION="-1"
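Review bot: check_password_by_pam() changes its positional interface (KEYWORD becomes $1, shifting OPTION/COMPARE/CONDITION to $2-$4) while the diffstat shows only the 9.2.12 script being updated; if any other hardening script still calls it with the old three arguments (the pam_cracklib checks the example comment describes), it would silently read its option name as KEYWORD and its comparison as OPTION, so those callers should be updated in the same commit or a compatible form kept, e.g. `if [ $# -eq 3 ]; then KEYWORD="pam_cracklib.so"; OPTION=$1; COMPARE=$2; CONDITION=$3; fi` before the four-argument assignments. The assignments are also unscoped globals, and the 9.2.12 caller defines its own KEYWORD, so every call overwrites the caller's variable; declaring them `local` would avoid that. The body of check_password_by_pam() continues past the end of this hunk.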