Modify 9.2.12_limit_password_reuse so audit and apply handle the option not being configured and the value being wrong

This commit is contained in:
Samson-W 2018-09-11 04:18:07 +08:00
parent f548ebc250
commit 416415d78e
2 changed files with 28 additions and 13 deletions


@ -5,7 +5,7 @@
# #
# #
# 9.2.3 Limit Password Reuse (Scored) # 9.2.12 Limit Password Reuse (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
@ -14,40 +14,54 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
PACKAGE='libpam-modules' PACKAGE='libpam-modules'
PATTERN='^password.*remember' PATTERN='^password.*pam_unix.so'
FILE='/etc/pam.d/common-password' FILE='/etc/pam.d/common-password'
KEYWORD='pam_unix.so'
OPTIONNAME='remember'
CONDT_VAL=5
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
FNRET=1
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
check_password_by_pam $KEYWORD $OPTIONNAME ge $CONDT_VAL
if [ $FNRET = 0 ]; then
ok "$OPTIONNAME set condition to $CONDT_VAL is ok"
else
crit "$OPTIONNAME set condition to $CONDT_VAL is error"
fi
else else
crit "$PATTERN is not present in $FILE" crit "$PATTERN is not present in $FILE"
FNRET=2
fi fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
else elif [ $FNRET = 1 ]; then
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi elif [ $FNRET = 2 ]; then
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE" warn "$PATTERN is not present in $FILE"
add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details." add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
elif [ $FNRET = 3 ]; then
crit "$FILE is not exist, please check"
elif [ $FNRET = 4 ]; then
crit "$OPTIONNAME is not conf in $FILE"
add_option_to_password_check $FILE $KEYWORD "$OPTIONNAME=$CONDT_VAL"
elif [ $FNRET = 5 ]; then
reset_option_to_password_check $FILE $KEYWORD $OPTIONNAME $CONDT_VAL
crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
fi fi
} }
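Review bot: In apply()'s `elif [ $FNRET = 2 ]` branch the remediation line still hard-codes `remember=5`, while audit() checks `$OPTIONNAME ge $CONDT_VAL` and the FNRET=4 and FNRET=5 branches already use `$OPTIONNAME=$CONDT_VAL`, so raising CONDT_VAL would make apply insert a line that the very next audit rejects; build it from the variables instead, e.g. `add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 $OPTIONNAME=$CONDT_VAL" "# pam-auth-update(8) for details."`. The if/elif chain in apply() also has no terminal branch, so any FNRET outside 0–5 coming back from check_password_by_pam falls through silently and the host stays non-compliant without a message; a closing `else crit "unexpected check result FNRET=$FNRET"; fi` would surface that. The rewritten apply() appears to dispatch on the FNRET left behind by audit() (the `is_pkg_installed $PACKAGE` call seems to be on the removed side), which is only safe if nothing between audit() and apply() — including the ok/crit helpers — rewrites FNRET; a comment above the chain such as `# relies on FNRET as set by audit(); must run right after it` would make that dependency explicit for the next maintainer.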


@ -443,14 +443,15 @@ verify_integrity_all_packages()
check_password_by_pam() check_password_by_pam()
{ {
OPTION=$1 KEYWORD=$1
COMPARE=$2 OPTION=$2
CONDITION=$3 COMPARE=$3
CONDITION=$4
LOCATION="/etc/pam.d/common-password" LOCATION="/etc/pam.d/common-password"
KEYWORD="pam_cracklib.so"
#Example: #Example:
#KEYWORD="pam_cracklib.so"
#OPTION="ocredit" #OPTION="ocredit"
#COMPARE="gt" #COMPARE="gt"
#CONDITION="-1" #CONDITION="-1"