Rename 9.2.2 to 9.2.11, 9.2.3 to 9.2..12. Add 9.2.2_enable_minlen_cracklib.sh.

2018-09-10 04:18:51 +08:00 · 2018-09-10 04:18:51 +08:00 · 4772f4f4cc
parent a28c55758c
commit 4772f4f4cc
5 changed files with 105 additions and 39 deletions
--- a/bin/hardening/9.2.11_enable_lockout_failed_password.sh
+++ b/bin/hardening/9.2.11_enable_lockout_failed_password.sh
--- a/bin/hardening/9.2.12_limit_password_reuse.sh
+++ b/bin/hardening/9.2.12_limit_password_reuse.sh
--- a/bin/hardening/9.2.1_enable_retry_cracklib.sh
+++ b/bin/hardening/9.2.1_enable_retry_cracklib.sh
@ -5,7 +5,8 @@
 #

 #
-# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib: audit retry option (Scored)
+# Authors : Samson wen, Samson <sccxboy@gmail.com>
 #

 set -e # One error, it's over
@ -18,28 +19,10 @@ PAMLIBNAME='pam_cracklib.so'
 PATTERN='^password.*pam_cracklib.so'
 FILE='/etc/pam.d/common-password'

-OPTION_RETRY='retry'
-OPTION_MINLEN='minlen'
-OPTION_DCREDIT='dcredit'
-OPTION_UCREDIT='ucredit'
-OPTION_OCREDIT='ocredit'
-OPTION_LCREDIT='lcredit'
-OPTION_DIFOK='difok'
-OPTION_MINCLASS='minclass'
-OPTION_MAXREPEAT='maxrepeat'
-OPTION_MAXCLASSREPEAT='maxclassrepeat'
+OPTIONNAME='retry'

 # condition 
-RETRY_CONDT=3
-MINLEN_CONDT=14
-DCREDIT_CONDT=-1
-UCREDIT_CONDT=-1
-OCUEDIT_CONDT=-1
-LCREDIT_CONDT=-1
-DIFOK_CONDT=8
-MINCLASS_CONDT=4
-MAXREPEAT=3
-MAXCLASSREPEAT_CONDT=4
+CONDT_VAL=3

 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -51,20 +34,12 @@ audit () {
        ok "$PACKAGE is installed"
        does_pattern_exist_in_file $FILE $PATTERN
        if [ $FNRET = 0 ]; then
-            #ok "$PATTERN is present in $FILE"
-            #check_password_by_pam $OPTION_DCREDIT gt $DCREDIT_CONDT  
-            #if [ $FNRET = 0 ]; then
-            #    ok "$OPTION_DCREDIT set condition is $DCREDIT_CONDT"
-            #else
-            #    crit "$OPTION_DCREDIT set condition is $DCREDIT_CONDT"
-            #    FNRET=1
-            #fi
            ok "$PATTERN is present in $FILE"
-            check_password_by_pam $OPTION_RETRY eq $RETRY_CONDT  
+            check_password_by_pam $OPTIONNAME eq $CONDT_VAL  
            if [ $FNRET = 0 ]; then
-                ok "$OPTION_RETRY set condition is $RETRY_CONDT"
+                ok "$OPTIONNAME set condition is $CONDT_VAL"
            else
-                crit "$OPTION_RETRY set condition is $RETRY_CONDT"
+                crit "$OPTIONNAME set condition is $CONDT_VAL"
                #FNRET=3
            fi
        else
@ -76,7 +51,6 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-#    is_pkg_installed $PACKAGE
    if [ $FNRET = 0 ]; then
        ok "$PACKAGE is installed"
    elif [ $FNRET = 1 ]; then
@ -88,11 +62,11 @@ apply () {
    elif [ $FNRET = 3 ]; then
        crit "$FILE is not exist, please check"
    elif [ $FNRET = 4 ]; then
-        crit "$OPTION_RETRY is not conf"
-        add_option_to_password_check $FILE $PAMLIBNAME "$OPTION_RETRY=$RETRY_CONDT"
+        crit "$OPTIONNAME is not conf"
+        add_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME=$CONDT_VAL"
    elif [ $FNRET = 5 ]; then
-        crit "$OPTION_RETRY set is not match legally, reset it to $RETRY_CONDT"
-        reset_option_to_password_check $FILE $PAMLIBNAME "$OPTION_RETRY" "$RETRY_CONDT"
+        crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
+        reset_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME" "$CONDT_VAL"
    fi 
 }

--- a/bin/hardening/9.2.2_enable_minlen_cracklib.sh
+++ b/bin/hardening/9.2.2_enable_minlen_cracklib.sh
@ -0,0 +1,94 @@
+#!/bin/bash
+
+#
+# harbian audit 7/8/9  Hardening
+#
+
+#
+# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib: audit minlen option (Scored)
+# Authors : Samson wen, Samson <sccxboy@gmail.com>
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+
+PACKAGE='libpam-cracklib'
+PAMLIBNAME='pam_cracklib.so'
+PATTERN='^password.*pam_cracklib.so'
+FILE='/etc/pam.d/common-password'
+
+OPTIONNAME='minlen'
+
+# condition 
+CONDT_VAL=14
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    is_pkg_installed $PACKAGE
+    if [ $FNRET != 0 ]; then
+        crit "$PACKAGE is not installed!"
+        FNRET=1
+    else
+        ok "$PACKAGE is installed"
+        does_pattern_exist_in_file $FILE $PATTERN
+        if [ $FNRET = 0 ]; then
+            ok "$PATTERN is present in $FILE"
+            check_password_by_pam $OPTIONNAME ge $CONDT_VAL  
+            if [ $FNRET = 0 ]; then
+                ok "$OPTIONNAME set condition is $CONDT_VAL"
+            else
+                crit "$OPTIONNAME set condition is $CONDT_VAL"
+                #FNRET=3
+            fi
+        else
+            crit "$PATTERN is not present in $FILE"
+            FNRET=2
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    if [ $FNRET = 0 ]; then
+        ok "$PACKAGE is installed"
+    elif [ $FNRET = 1 ]; then
+        crit "$PACKAGE is absent, installing it"
+        apt_install $PACKAGE
+    elif [ $FNRET = 2 ]; then
+        crit "$PATTERN is not present in $FILE, add default config to $FILE"
+        add_line_file_before_pattern $FILE "password    requisite           pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
+    elif [ $FNRET = 3 ]; then
+        crit "$FILE is not exist, please check"
+    elif [ $FNRET = 4 ]; then
+        crit "$OPTIONNAME is not conf"
+        add_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME=$CONDT_VAL"
+    elif [ $FNRET = 5 ]; then
+        crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
+        reset_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME" "$CONDT_VAL"
+    fi 
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -487,7 +487,6 @@ add_option_to_password_check()
    #local PAMPWDFILE="/etc/pam.d/common-password"
    #local KEYWORD="pam_cracklib.so"
    #local OPTIONSTR="retry=3"
-    set -x
    local PAMPWDFILE=$1
    local KEYWORD=$2
    local OPTIONSTR=$3
@ -507,7 +506,6 @@ reset_option_to_password_check()
    #local KEYWORD="pam_cracklib.so"
    #local OPTIONNAME="retry"
    #local OPTIONVAL="3"
-    set -x
    local PAMPWDFILE=$1
    local KEYWORD=$2
    local OPTIONNAME=$3