Add check_password_option_by_pam function and 9.2.13_enable_password_sha512.sh

2018-09-11 04:59:15 +08:00 · 2018-09-11 04:59:15 +08:00 · 8976282fd1
parent eb25a4011c
commit 8976282fd1
2 changed files with 114 additions and 0 deletions
--- a/bin/hardening/9.2.13_enable_password_sha512.sh
+++ b/bin/hardening/9.2.13_enable_password_sha512.sh
@ -0,0 +1,87 @@
 #!/bin/bash
 #
 # harbian audit 7/8/9  Hardening
 #
 #
 # 9.2.13 Set password with the SHA512 algorithm (Scored)
 # Authors : Samson wen, Samson <sccxboy@gmail.com>
 #
 set -e # One error, it's over
 set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 PACKAGE='libpam-modules'
 PATTERN='^password.*pam_unix.so'
 FILE='/etc/pam.d/common-password'
 KEYWORD='pam_unix.so'
 OPTIONNAME='sha512'
 CONDT_VAL=5
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
        FNRET=1
    else
        ok "$PACKAGE is installed"
        does_pattern_exist_in_file $FILE $PATTERN
        if [ $FNRET = 0 ]; then
            ok "$PATTERN is present in $FILE"
            check_password_option_by_pam $KEYWORD $OPTIONNAME
            if [ $FNRET = 0 ]; then
                ok "$OPTIONNAME is already configured"
            else
                crit "$OPTIONNAME is not configured"
            fi
        else
            crit "$PATTERN is not present in $FILE"
            FNRET=2
        fi
    fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
    if [ $FNRET = 0 ]; then
        ok "$PACKAGE is installed"
    elif [ $FNRET = 1 ]; then
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    elif [ $FNRET = 2 ]; then
        warn "$PATTERN is not present in $FILE"
        add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
    elif [ $FNRET = 3 ]; then
        crit "$FILE is not exist, please check"
    elif [ $FNRET = 4 ]; then
        crit "$OPTIONNAME is not conf in $FILE"
        add_option_to_password_check $FILE $KEYWORD $OPTIONNAME
    fi 
 }
 # This function will check config parameters required
 check_config() {
    :
 }
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
 fi
 if [ -z "$CIS_ROOT_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
 fi
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
 if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
    . $CIS_ROOT_DIR/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
 fi
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -480,6 +480,33 @@ check_password_by_pam()
    fi
 }
 # Only check option name 
 check_password_option_by_pam()
 {   
    KEYWORD=$1
    OPTION=$2
    LOCATION="/etc/pam.d/common-password"
    #Example:
    #KEYWORD="pam_unix.so"
    #OPTION="sha512"
    if [ -f "$LOCATION" ];then
        RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION" | wc -l)
        echo $RESULT
        if [ "$RESULT" -eq 1 ]; then
            debug "$KEYWORD $OPTION is conf"
            FNRET=0
        else
            debug "$KEYWORD $OPTION is not conf"
            FNRET=4
        fi
    else
        debug "$LOCATION is not exist"
        FNRET=3   
    fi
 }
 # Add password check option 
 add_option_to_password_check()