Modify 9.2.11~9.2.13 to be compatible with CentOS.

2019-08-28 16:31:19 +08:00 · 2019-08-28 16:31:19 +08:00 · b95a9b07c2
parent 19914f08ab
commit b95a9b07c2
3 changed files with 57 additions and 9 deletions
--- a/bin/hardening/9.2.11_pam_deny_times_tally2.sh
+++ b/bin/hardening/9.2.11_pam_deny_times_tally2.sh
@ -2,6 +2,7 @@

 #
 # harbian audit 7/8/9  Hardening
+# todo for centos
 #

 #
--- a/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh
+++ b/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh
@ -2,6 +2,7 @@

 #
 # harbian audit 7/8/9  Hardening
+# todo centos
 #

 #
--- a/bin/hardening/9.2.13_pam_password_sha512_unix.sh
+++ b/bin/hardening/9.2.13_pam_password_sha512_unix.sh
@ -1,7 +1,7 @@
 #!/bin/bash

 #
-# harbian audit 7/8/9  Hardening
+# harbian audit 7/8/9/10 or CentOS Hardening
 #

 #
@ -22,8 +22,10 @@ OPTIONNAME='sha512'
 ROUNDS_KEY='rounds'
 ROUNDS_V='5000'

-# This function will be called if the script status is on enabled / audit mode
-audit () {
+# For CentOS
+FILES='/etc/pam.d/system-auth /etc/pam.d/password-auth'
+
+audit_debian () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed!"
@ -53,12 +55,34 @@ audit () {
    fi
 }

-# This function will be called if the script status is on enabled mode
-apply () {
+audit_redhat () {
+	for FILE in $FILES; do
+		does_pattern_exist_in_file $FILE "$PATTERN.*$OPTIONNAME"
+		if [ $FNRET -eq 0 ]; then
+			ok "$OPTIONNAME is already configured in $FILE"
+		else
+			crit "$OPTIONNAME is not configured in $FILE"
+		fi
+	done
+}
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+	if [ $OS_RELEASE -eq 1 ]; then
+		audit_debian
+	elif [ $OS_RELEASE -eq 2 ]; then
+		audit_redhat
+	else
+		crit "Current OS is not support!"
+		FNRET=44
+	fi
+}
+
+apply_debian () {
    if [ $FNRET = 0 ]; then
        ok "$PACKAGE is installed"
    elif [ $FNRET = 1 ]; then
-        crit "$PACKAGE is absent, installing it"
+        warn "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    elif [ $FNRET = 2 ]; then
        warn "$PATTERN is not present in $FILE"
@ -68,21 +92,43 @@ apply () {
    if [ $FNRET = 3 ]; then
        crit "$FILE is not exist, please check"
    elif [ $FNRET = 4 ]; then
-        crit "$OPTIONNAME is not conf in $FILE"
+        warn "$OPTIONNAME is not conf in $FILE"
        add_option_to_password_check $FILE $KEYWORD $OPTIONNAME
    fi 
 	check_param_pair_by_pam $FILE $KEYWORD $ROUNDS_KEY ge $ROUNDS_V 
    if [ $FNRET = 3 ]; then
        crit "$FILE is not exist, please check"
    elif [ $FNRET = 4 ]; then
-        crit "$ROUNDS_KEY is not conf"
+        warn "$ROUNDS_KEY is not conf"
        add_option_to_password_check $FILE $KEYWORD "$ROUNDS_KEY=$ROUNDS_V"
    elif [ $FNRET = 5 ]; then
-        crit "$ROUNDS_KEY set is not match legally, reset it to $ROUNDS_V"
+        warn "$ROUNDS_KEY set is not match legally, reset it to $ROUNDS_V"
        reset_option_to_password_check $FILE $KEYWORD "$ROUNDS_KEY" "$ROUNDS_V"
    fi 
 }

+apply_redhat () {
+	for FILE in $FILES; do
+		does_pattern_exist_in_file $FILE "$PATTERN.*$OPTIONNAME"
+		if [ $FNRET -eq 0 ]; then
+			ok "$OPTIONNAME is already configured in $FILE"
+		else
+			warn "$OPTIONNAME is not configured in $FILE, set it"
+			sed -i "s;\($PATTERN.*$OPTIONNAME\);\1 $OPTIONNAME;" $FILE
+		fi
+	done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+	if [ $OS_RELEASE -eq 1 ]; then
+		apply_debian
+	elif [ $OS_RELEASE -eq 2 ]; then
+		apply_redhat
+	else
+		crit "Current OS is not support!"
+	fi
+}
 # This function will check config parameters required
 check_config() {
    :