Reorder check items.

This commit is contained in:
Samson-W 2019-05-13 17:34:34 +08:00
parent 0e9f690966
commit a1f02aaabf
9 changed files with 48 additions and 37 deletions

View File

@ -5,7 +5,7 @@
#
#
# 10.1.11 Set maxlogins for all accounts (Scored)
# 10.1.10 Set maxlogins for all accounts (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
#

View File

@ -5,7 +5,7 @@
#
#
# 10.1.12 Ensure no shosts configure file on system (Scored)
# 10.1.11 Ensure no shosts configure file on system (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
#

View File

@ -6,6 +6,7 @@
#
# 10.1.1 Set Password Expiration Days (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -e # One error, it's over

View File

@ -6,6 +6,7 @@
#
# 10.1.3 Set Password Expiring Warning Days (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -e # One error, it's over
@ -16,6 +17,7 @@ HARDENING_LEVEL=3
PACKAGE='login'
OPTIONS='PASS_WARN_AGE=7'
FILE='/etc/login.defs'
SHA_FILE='/etc/shadow'
# This function will be called if the script status is on enabled / audit mode
audit () {
@ -24,18 +26,21 @@ audit () {
crit "$PACKAGE is not installed!"
else
ok "$PACKAGE is installed"
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
done
fi
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
crit "$PATTERN is not present in $FILE"
fi
if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$6 < "'$SSH_VALUE'" {print $1}' | wc -l) -gt 0 ]; then
crit "Have least user's maxinum password lifttime is greater than $SSH_VALUE day"
else
ok "All user's maxinum password lifttime is equal or less than $SSH_VALUE day"
fi
fi
}
# This function will be called if the script status is on enabled mode
@ -47,24 +52,29 @@ apply () {
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
fi
for SSH_OPTION in $OPTIONS; do
SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
fi
done
SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
else
warn "$PATTERN is not present in $FILE, adding it"
does_pattern_exist_in_file $FILE "^$SSH_PARAM"
if [ $FNRET != 0 ]; then
add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
fi
fi
if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$6 < "'$SSH_VALUE'" {print $1}' | wc -l) -gt 0 ]; then
warn "Have least user's maxinum password lifttime is greater than $SSH_VALUE day, Fixing"
for USERNAME in $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$6 < "'$SSH_VALUE'" {print $1}');
do
chage --warndays $SSH_VALUE $USERNAME
done
fi
}
# This function will check config parameters required

View File

@ -5,7 +5,7 @@
#
#
# 10.1.7 Remove nopasswd option from the sudoers configuration (Scored)
# 10.1.6 Remove nopasswd option from the sudoers configuration (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
#

View File

@ -5,7 +5,7 @@
#
#
# 10.1.8 Remove not authenticate option from the sudoers configuration (Scored)
# 10.1.7 Remove not authenticate option from the sudoers configuration (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
#

View File

@ -5,7 +5,7 @@
#
#
# 10.1.9 Set FAIL_DELAY Parameters Using pam_faildelay (Scored)
# 10.1.8 Set FAIL_DELAY Parameters Using pam_faildelay (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
#

View File

@ -5,7 +5,7 @@
#
#
# 10.1.10 Set create home bool (Scored)
# 10.1.9 Set create home bool (Scored)
# Author : Samson wen, Samson <sccxboy@gmail.com>
#

View File

@ -5,7 +5,7 @@
#
#
# 10.6 Set Timeout on ttys
# 10.5 Set Timeout on ttys
#
set -e # One error, it's over