From 9d886d7bf987bdca1734c8a0c8f1e67599f07150 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Thu, 16 May 2019 17:40:40 +0800
Subject: [PATCH] 1, Add check rounds of pam_unix for 9.2.13 base stig-Ubuntu_16-04_LTS. 2,Fix a bug: when the configured values have different lengths, the reassignment is incorrect.
---
 .../9.2.13_pam_password_sha512_unix.sh | 25 +++++++++++++++++--
 lib/utils.sh | 3 ++-
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/bin/hardening/9.2.13_pam_password_sha512_unix.sh b/bin/hardening/9.2.13_pam_password_sha512_unix.sh
index d87351d..1a0f0ba 100755
--- a/bin/hardening/9.2.13_pam_password_sha512_unix.sh
+++ b/bin/hardening/9.2.13_pam_password_sha512_unix.sh
@@ -19,6 +19,8 @@ PATTERN='^password.*pam_unix.so'
 FILE='/etc/pam.d/common-password'
 KEYWORD='pam_unix.so'
 OPTIONNAME='sha512'
+ROUNDS_KEY='rounds'
+ROUNDS_V='5000'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -37,6 +39,13 @@ audit () {
 else
 crit "$OPTIONNAME is not configured"
 fi
+ check_param_pair_by_pam $FILE $KEYWORD $ROUNDS_KEY ge $ROUNDS_V
+ if [ $FNRET = 0 ]; then
+ ok "$ROUNDS_KEY set condition is $ROUNDS_V"
+ else
+ crit "$ROUNDS_KEY set is not match legally, $ROUNDS_KEY is set $ROUNDS_V"
+ #FNRET=3
+ fi
 else
 crit "$PATTERN is not present in $FILE"
 FNRET=2
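Review bot: ROUNDS_V is a lower bound rather than an exact value — the audit hunk below compares the configured rounds= against it with `ge` — but neither the variable name nor a comment says so, so a reader will expect an equality check like the one for OPTIONNAME. A one-line comment above the new assignment removes the ambiguity: `# minimum acceptable value of rounds= on the pam_unix line (audit compares with ge)`. If the value is meant to stay fixed for the script's lifetime, `readonly` on both new variables would document that as well, though the surrounding constants do not use it either.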
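Review bot: The crit message in the new failing branch prints the expected value as if it were the configured one (`$ROUNDS_KEY is set $ROUNDS_V`), so an operator reading the audit output cannot tell whether rounds= is absent from the pam_unix line or present but below the threshold; `crit "$ROUNDS_KEY is missing or below $ROUNDS_V on the $KEYWORD line in $FILE"` reports what was actually found. The commented-out `#FNRET=3` is dead code with no explanation: if FNRET is deliberately left at whatever check_param_pair_by_pam returned so that apply can branch on it, a short comment saying so belongs there, otherwise the line should go. Whether check_param_pair_by_pam evaluates `ge` numerically rather than as a string comparison is not visible in this diff; a configured value with more digits than ROUNDS_V must not be reported as too low, so that case deserves a test. audit's body starts before this hunk.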
@@ -53,13 +62,25 @@ apply () {
 apt_install $PACKAGE
 elif [ $FNRET = 2 ]; then
 warn "$PATTERN is not present in $FILE"
- add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512" "# pam-auth-update(8) for details."
- elif [ $FNRET = 3 ]; then
+ add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=5000" "# pam-auth-update(8) for details."
+ fi
+ check_no_param_option_by_pam $KEYWORD $OPTIONNAME $FILE
+ if [ $FNRET = 3 ]; then
 crit "$FILE is not exist, please check"
 elif [ $FNRET = 4 ]; then
 crit "$OPTIONNAME is not conf in $FILE"
 add_option_to_password_check $FILE $KEYWORD $OPTIONNAME
 fi
+ check_param_pair_by_pam $FILE $KEYWORD $ROUNDS_KEY ge $ROUNDS_V
+ if [ $FNRET = 3 ]; then
+ crit "$FILE is not exist, please check"
+ elif [ $FNRET = 4 ]; then
+ crit "$ROUNDS_KEY is not conf"
+ add_option_to_password_check $FILE $KEYWORD "$ROUNDS_KEY=$ROUNDS_V"
+ elif [ $FNRET = 5 ]; then
+ crit "$ROUNDS_KEY set is not match legally, reset it to $ROUNDS_V"
+ reset_option_to_password_check $FILE $KEYWORD "$ROUNDS_KEY" "$ROUNDS_V"
+ fi
 }
 
 # This function will check config parameters required
diff --git a/lib/utils.sh b/lib/utils.sh
index af704e0..a34aa06 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -653,7 +653,8 @@ reset_option_to_password_check()
 # For example :
 # password requisite pam_cracklib.so minlen=8 difok=3 retry=1
 # password requisite pam_cracklib.so minlen=8 difok=3 retry=3
- sed -i "s/${OPTIONNAME}=./${OPTIONNAME}=${OPTIONVAL}/" $PAMPWDFILE
+ cndt_value=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $PAMPWDFILE | grep "$KEYWORD.*$OPTIONNAME" | tr "\t" " " | tr " " "\n" | sed -n "/$OPTIONNAME/p" | awk -F "=" '{print $2}')
+ sed -i "s/${OPTIONNAME}=${cndt_value}/${OPTIONNAME}=${OPTIONVAL}/" $PAMPWDFILE
 }
 
 # Reset auth check option value when option is not set a correct value
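Review bot: The line written when the pam_unix entry is missing hard-codes `rounds=5000` (and `sha512`) even though ROUNDS_KEY, ROUNDS_V and OPTIONNAME exist for exactly these values; if ROUNDS_V is ever raised, apply will insert a line that the audit's `ge` check rejects and the two will disagree on every run. Build the string from the variables: `add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure $OPTIONNAME $ROUNDS_KEY=$ROUNDS_V" "# pam-auth-update(8) for details."`. The new calls also quote `"$ROUNDS_KEY" "$ROUNDS_V"` but leave `$FILE $KEYWORD` unquoted on the same line; quoting every expansion consistently is safer and easier to read. apply's body starts before this hunk.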
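Review bot: `cndt_value` can come back holding several values or an empty string, and either case breaks the `sed -i` that follows: `sed -n "/$OPTIONNAME/p"` is unanchored, so every token merely containing the option name, on every pam line that `grep "$KEYWORD.*$OPTIONNAME"` selects, is printed on its own line, and a multi-line value turns the `s///` expression into an unterminated sed command; an option written without `=` yields an empty value, after which `s/rounds=/rounds=5000/` matches nothing and the reset silently does nothing. The variable is also not declared `local`, so it leaks into the caller's scope, and the substitution is applied to every line of the file rather than only the `$KEYWORD` line. Anchoring the token match to `^${OPTIONNAME}=`, keeping only the first hit, scoping the variable and addressing the sed by keyword keeps the replacement on the intended line; an empty `cndt_value` should additionally be reported rather than substituted. reset_option_to_password_check starts before this hunk, and its parameters are assigned outside it.
```shell
  local cndt_value
  cndt_value=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' "$PAMPWDFILE" \
    | grep "$KEYWORD.*$OPTIONNAME" | tr "\t" " " | tr " " "\n" \
    | sed -n "s/^${OPTIONNAME}=//p" | head -n 1)
  # only touch the line of the module being hardened, not every line of the file
  sed -i "/${KEYWORD}/ s/${OPTIONNAME}=${cndt_value}/${OPTIONNAME}=${OPTIONVAL}/" "$PAMPWDFILE"
```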