From 8976282fd13fda5833f8d8c74452edef43dca52f Mon Sep 17 00:00:00 2001 From: Samson-W Date: Tue, 11 Sep 2018 04:59:15 +0800 Subject: [PATCH] Add check_password_option_by_pam function and 9.2.13_enable_password_sha512.sh --- .../9.2.13_enable_password_sha512.sh | 87 +++++++++++++++++++ lib/utils.sh | 27 ++++++ 2 files changed, 114 insertions(+) create mode 100755 bin/hardening/9.2.13_enable_password_sha512.sh diff --git a/bin/hardening/9.2.13_enable_password_sha512.sh b/bin/hardening/9.2.13_enable_password_sha512.sh new file mode 100755 index 0000000..3e230c9 --- /dev/null +++ b/bin/hardening/9.2.13_enable_password_sha512.sh @@ -0,0 +1,87 @@ +#!/bin/bash + +# +# harbian audit 7/8/9 Hardening +# + +# +# 9.2.13 Set password with the SHA512 algorithm (Scored) +# Authors : Samson wen, Samson +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +HARDENING_LEVEL=3 + +PACKAGE='libpam-modules' +PATTERN='^password.*pam_unix.so' +FILE='/etc/pam.d/common-password' +KEYWORD='pam_unix.so' +OPTIONNAME='sha512' +CONDT_VAL=5 + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed!" + FNRET=1 + else + ok "$PACKAGE is installed" + does_pattern_exist_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + check_password_option_by_pam $KEYWORD $OPTIONNAME + if [ $FNRET = 0 ]; then + ok "$OPTIONNAME is already configured" + else + crit "$OPTIONNAME is not configured" + fi + else + crit "$PATTERN is not present in $FILE" + FNRET=2 + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + elif [ $FNRET = 1 ]; then + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + elif [ $FNRET = 2 ]; then + warn "$PATTERN is not present in $FILE" + add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details." + elif [ $FNRET = 3 ]; then + crit "$FILE is not exist, please check" + elif [ $FNRET = 4 ]; then + crit "$OPTIONNAME is not conf in $FILE" + add_option_to_password_check $FILE $KEYWORD $OPTIONNAME + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + . /etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + . $CIS_ROOT_DIR/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/lib/utils.sh b/lib/utils.sh index bc899ef..f99d899 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -480,6 +480,33 @@ check_password_by_pam() fi } +# Only check option name +check_password_option_by_pam() +{ + KEYWORD=$1 + OPTION=$2 + + LOCATION="/etc/pam.d/common-password" + + #Example: + #KEYWORD="pam_unix.so" + #OPTION="sha512" + + if [ -f "$LOCATION" ];then + RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION" | wc -l) + echo $RESULT + if [ "$RESULT" -eq 1 ]; then + debug "$KEYWORD $OPTION is conf" + FNRET=0 + else + debug "$KEYWORD $OPTION is not conf" + FNRET=4 + fi + else + debug "$LOCATION is not exist" + FNRET=3 + fi +} # Add password check option add_option_to_password_check()