Reorder check items.

bin/hardening/10.1.10_set_maxlogins_for_all_accounts.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 10.1.11 Set maxlogins for all accounts  (Scored)
+# 10.1.10 Set maxlogins for all accounts  (Scored)
 # Author : Samson wen, Samson <sccxboy@gmail.com>
 #
 

bin/hardening/10.1.11_ensure_no_shosts_cfg_on_system.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 10.1.12 Ensure no shosts configure file on system (Scored)
+# 10.1.11 Ensure no shosts configure file on system (Scored)
 # Author : Samson wen, Samson <sccxboy@gmail.com>
 #
 

bin/hardening/10.1.1_set_password_exp_days.sh

@@ -6,6 +6,7 @@
 
 #
 # 10.1.1 Set Password Expiration Days (Scored)
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 
 set -e # One error, it's over

bin/hardening/10.1.3_set_password_exp_warning_days.sh

@@ -6,6 +6,7 @@
 
 #
 # 10.1.3 Set Password Expiring Warning Days (Scored)
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 
 set -e # One error, it's over
@@ -16,6 +17,7 @@ HARDENING_LEVEL=3
 PACKAGE='login'
 OPTIONS='PASS_WARN_AGE=7'
 FILE='/etc/login.defs'
+SHA_FILE='/etc/shadow'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -24,18 +26,21 @@ audit () {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        for SSH_OPTION in $OPTIONS; do
+		SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+		SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+		PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+		does_pattern_exist_in_file $FILE "$PATTERN"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+		if [ $FNRET = 0 ]; then
-            if [ $FNRET = 0 ]; then
+			ok "$PATTERN is present in $FILE"
-                ok "$PATTERN is present in $FILE"
+		else
-            else
+			crit "$PATTERN is not present in $FILE"
-                crit "$PATTERN is not present in $FILE"
+		fi
-            fi
+		if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$6 < "'$SSH_VALUE'" {print $1}' | wc -l) -gt 0 ]; then
-        done
+			crit "Have least user's maxinum password lifttime is greater than $SSH_VALUE day"
-    fi
+		else
+			ok "All user's maxinum password lifttime is equal or less than $SSH_VALUE day"
+		fi
+	fi
 }
 
 # This function will be called if the script status is on enabled mode
@@ -47,24 +52,29 @@ apply () {
         crit "$PACKAGE is absent, installing it"
         apt_install $PACKAGE
     fi
-    for SSH_OPTION in $OPTIONS; do
+	SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1)
-            SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+	SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2)
-            SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
+	PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
-            PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+	does_pattern_exist_in_file $FILE "$PATTERN"
-            does_pattern_exist_in_file $FILE "$PATTERN"
+	if [ $FNRET = 0 ]; then
-            if [ $FNRET = 0 ]; then
+		ok "$PATTERN is present in $FILE"
-                ok "$PATTERN is present in $FILE"
+	else
-            else
+		warn "$PATTERN is not present in $FILE, adding it"
-                warn "$PATTERN is not present in $FILE, adding it"
+		does_pattern_exist_in_file $FILE "^$SSH_PARAM"
-                does_pattern_exist_in_file $FILE "^$SSH_PARAM"
+		if [ $FNRET != 0 ]; then
-                if [ $FNRET != 0 ]; then
+			add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
-                    add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+		else
-                else
+			info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
-                    info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+			replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
-                    replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+		fi
-                fi
+	fi
-            fi
+	if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$6 < "'$SSH_VALUE'" {print $1}' | wc -l) -gt 0 ]; then
-    done
+		warn "Have least user's maxinum password lifttime is greater than $SSH_VALUE day, Fixing"
+		for USERNAME in $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$6 < "'$SSH_VALUE'" {print $1}'); 
+		do 
+			chage --warndays $SSH_VALUE $USERNAME
+		done
+	fi
 }
 
 # This function will check config parameters required

bin/hardening/10.1.6_remove_nopasswd_sudoers.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 10.1.7 Remove nopasswd option from the sudoers configuration (Scored)
+# 10.1.6 Remove nopasswd option from the sudoers configuration (Scored)
 # Author : Samson wen, Samson <sccxboy@gmail.com>
 #
 

bin/hardening/10.1.7_remove_noauthenticate_sudoers.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 10.1.8 Remove not authenticate option from the sudoers configuration (Scored)
+# 10.1.7 Remove not authenticate option from the sudoers configuration (Scored)
 # Author : Samson wen, Samson <sccxboy@gmail.com>
 #
 

bin/hardening/10.1.8_set_fail_delay_seconds.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 10.1.9 Set FAIL_DELAY Parameters Using pam_faildelay (Scored)
+# 10.1.8 Set FAIL_DELAY Parameters Using pam_faildelay (Scored)
 # Author : Samson wen, Samson <sccxboy@gmail.com>
 #
 

bin/hardening/10.1.9_set_create_home_bool.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 10.1.10 Set create home bool  (Scored)
+# 10.1.9 Set create home bool  (Scored)
 # Author : Samson wen, Samson <sccxboy@gmail.com>
 #
 

bin/hardening/10.5_set_timeout_tty.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 10.6 Set Timeout on ttys
+# 10.5 Set Timeout on ttys
 #
 
 set -e # One error, it's over