tyler.durden/harbian-audit
1
0
Fork 0
mirror of https://github.com/hardenedlinux/harbian-audit.git synced 2025-07-31 01:24:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Modify audit and apply methods for CentOS 8 to 10.1.5

Browse Source
This commit is contained in:
Samson-W 2020-03-04 14:50:07 +08:00
parent e8b70e9bf7
commit 4bb01e5c2e
1 changed files with 84 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
bin/hardening/10.1.5_set_password_lock_inactive_user.sh
View File

@ -7,6 +7,9 @@
# #
# 10.1.5 Ensure inactive password lock is 30 days or less (Scored) # 10.1.5 Ensure inactive password lock is 30 days or less (Scored)
# Author: Samson-W (sccxboy@gmail.com) # Author: Samson-W (sccxboy@gmail.com)
# STIG for Ubuntu_16-04_LTS_STIG_V1R2_Manual: INACTIVE=35
# STIG for U_Red_Hat_Enterprise_Linux_7_V2R5: INACTIVE=0
#
# #
set -e # One error, it's over set -e # One error, it's over
@ -15,19 +18,17 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
OPTIONS='INACTIVE=30' OPTIONS='INACTIVE=30'
OPTIONS_REDHAT='INACTIVE=0'
SHA_FILE='/etc/shadow' SHA_FILE='/etc/shadow'
DISABLE_V='-1' DISABLE_V='-1'
FILE='/etc/default/useradd' FILE='/etc/default/useradd'
# This function will be called if the script status is on enabled / audit mode audit_debian () {
audit () {
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
INACTIVE_V=$(useradd -D | grep $SSH_PARAM | awk -F= '{print $2}') INACTIVE_V=$(useradd -D | grep $SSH_PARAM | awk -F= '{print $2}')
if [ $INACTIVE_V -eq $DISABLE_V ]; then if [ $INACTIVE_V -eq $DISABLE_V ]; then
crit "INACTIVE feature has disabled." crit "INACTIVE feature has disabled."
elif [ $INACTIVE_V -eq 0 ]; then
crit "INACTIVE value has disabled."
elif [ $INACTIVE_V -gt $SSH_VALUE ]; then elif [ $INACTIVE_V -gt $SSH_VALUE ]; then
crit "INACTIVE value is greater than $SSH_VALUE day" crit "INACTIVE value is greater than $SSH_VALUE day"
else else
@ -45,8 +46,31 @@ audit () {
fi fi
} }
# This function will be called if the script status is on enabled mode audit_redhat () {
apply () { SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
INACTIVE_V=$(useradd -D | grep $SSH_PARAM | awk -F= '{print $2}')
if [ $INACTIVE_V -eq $DISABLE_V ]; then
crit "INACTIVE feature has disabled."
elif [ $INACTIVE_V -eq $SSH_VALUE ]; then
ok "All user's INACTIVE value has set $SSH_VALUE: disables the account as soon as the password has expired"
else
crit "All user's INACTIVE value is not set $SSH_VALUE: disables the account as soon as the password has expired"
fi
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
warn "Current OS is not support!"
fi
}
apply_debian () {
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM=$SSH_VALUE" PATTERN="^$SSH_PARAM=$SSH_VALUE"
@ -82,9 +106,62 @@ apply () {
fi fi
} }
apply_redhat () {
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM=$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM=$SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM.*" "$SSH_PARAM=$SSH_VALUE"
fi
fi
if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '{print $7}' | wc -w) -eq 0 ]; then
warn "Have least user's INACTIVE password lifttime is not set. Fixing"
for USERNAME in $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '{print $1}');
do
chage --inactive $SSH_VALUE $USERNAME
done
else
if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$7 > "'$SSH_VALUE'" {print $1}' | wc -l) -gt 0 ]; then
warn "All user's INACTIVE value is not set $SSH_VALUE, fixing it."
for USERNAME in $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$7 > "'$SSH_VALUE'" {print $1}');
do
chage --inactive $SSH_VALUE $USERNAME
done
else
ok "All user's INACTIVE value has set $SSH_VALUE: disables the account as soon as the password has expired"
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
warn "Current OS is not support!"
fi
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
:
elif [ $OS_RELEASE -eq 2 ]; then
OPTIONS=$OPTIONS_REDHAT
else
warn "Current OS is not support!"
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter