Add check_password_option_by_pam function and 9.2.13_enable_password_sha512.sh

2018-09-11 04:59:15 +08:00 · 2018-09-11 04:59:15 +08:00 · 8976282fd1
parent eb25a4011c
commit 8976282fd1
2 changed files with 114 additions and 0 deletions
--- a/bin/hardening/9.2.13_enable_password_sha512.sh
+++ b/bin/hardening/9.2.13_enable_password_sha512.sh
@ -0,0 +1,87 @@
+#!/bin/bash
+
+#
+# harbian audit 7/8/9  Hardening
+#
+
+#
+# 9.2.13 Set password with the SHA512 algorithm (Scored)
+# Authors : Samson wen, Samson <sccxboy@gmail.com>
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+
+PACKAGE='libpam-modules'
+PATTERN='^password.*pam_unix.so'
+FILE='/etc/pam.d/common-password'
+KEYWORD='pam_unix.so'
+OPTIONNAME='sha512'
+CONDT_VAL=5
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    is_pkg_installed $PACKAGE
+    if [ $FNRET != 0 ]; then
+        crit "$PACKAGE is not installed!"
+        FNRET=1
+    else
+        ok "$PACKAGE is installed"
+        does_pattern_exist_in_file $FILE $PATTERN
+        if [ $FNRET = 0 ]; then
+            ok "$PATTERN is present in $FILE"
+            check_password_option_by_pam $KEYWORD $OPTIONNAME
+            if [ $FNRET = 0 ]; then
+                ok "$OPTIONNAME is already configured"
+            else
+                crit "$OPTIONNAME is not configured"
+            fi
+        else
+            crit "$PATTERN is not present in $FILE"
+            FNRET=2
+        fi
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    if [ $FNRET = 0 ]; then
+        ok "$PACKAGE is installed"
+    elif [ $FNRET = 1 ]; then
+        crit "$PACKAGE is absent, installing it"
+        apt_install $PACKAGE
+    elif [ $FNRET = 2 ]; then
+        warn "$PATTERN is not present in $FILE"
+        add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
+    elif [ $FNRET = 3 ]; then
+        crit "$FILE is not exist, please check"
+    elif [ $FNRET = 4 ]; then
+        crit "$OPTIONNAME is not conf in $FILE"
+        add_option_to_password_check $FILE $KEYWORD $OPTIONNAME
+    fi 
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -480,6 +480,33 @@ check_password_by_pam()
    fi
 }

+# Only check option name 
+check_password_option_by_pam()
+{   
+    KEYWORD=$1
+    OPTION=$2
+
+    LOCATION="/etc/pam.d/common-password"
+
+    #Example:
+    #KEYWORD="pam_unix.so"
+    #OPTION="sha512"
+    
+    if [ -f "$LOCATION" ];then
+        RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION" | wc -l)
+        echo $RESULT
+        if [ "$RESULT" -eq 1 ]; then
+            debug "$KEYWORD $OPTION is conf"
+            FNRET=0
+        else
+            debug "$KEYWORD $OPTION is not conf"
+            FNRET=4
+        fi
+    else
+        debug "$LOCATION is not exist"
+        FNRET=3   
+    fi
+}

 # Add password check option 
 add_option_to_password_check()