Modify 9.2.11~9.2.13 to be compatible with CentOS.

Samson-W 2019-08-28 16:31:19 +08:00
parent 19914f08ab
commit b95a9b07c2
3 changed files with 57 additions and 9 deletions


@ -2,6 +2,7 @@
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 Hardening
# todo for centos
# #
# #


@ -2,6 +2,7 @@
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 Hardening
# todo centos
# #
# #


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #
@ -22,8 +22,10 @@ OPTIONNAME='sha512'
ROUNDS_KEY='rounds' ROUNDS_KEY='rounds'
ROUNDS_V='5000' ROUNDS_V='5000'
# This function will be called if the script status is on enabled / audit mode # For CentOS
audit () { FILES='/etc/pam.d/system-auth /etc/pam.d/password-auth'
audit_debian () {
is_pkg_installed $PACKAGE is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
@ -53,12 +55,34 @@ audit () {
fi fi
} }
# This function will be called if the script status is on enabled mode audit_redhat () {
apply () { for FILE in $FILES; do
does_pattern_exist_in_file $FILE "$PATTERN.*$OPTIONNAME"
if [ $FNRET -eq 0 ]; then
ok "$OPTIONNAME is already configured in $FILE"
else
crit "$OPTIONNAME is not configured in $FILE"
fi
done
}
# This function will be called if the script status is on enabled / audit mode
audit () {
if [ $OS_RELEASE -eq 1 ]; then
audit_debian
elif [ $OS_RELEASE -eq 2 ]; then
audit_redhat
else
crit "Current OS is not support!"
FNRET=44
fi
}
apply_debian () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
crit "$PACKAGE is absent, installing it" warn "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
elif [ $FNRET = 2 ]; then elif [ $FNRET = 2 ]; then
warn "$PATTERN is not present in $FILE" warn "$PATTERN is not present in $FILE"
@ -68,21 +92,43 @@ apply () {
if [ $FNRET = 3 ]; then if [ $FNRET = 3 ]; then
crit "$FILE is not exist, please check" crit "$FILE is not exist, please check"
elif [ $FNRET = 4 ]; then elif [ $FNRET = 4 ]; then
crit "$OPTIONNAME is not conf in $FILE" warn "$OPTIONNAME is not conf in $FILE"
add_option_to_password_check $FILE $KEYWORD $OPTIONNAME add_option_to_password_check $FILE $KEYWORD $OPTIONNAME
fi fi
check_param_pair_by_pam $FILE $KEYWORD $ROUNDS_KEY ge $ROUNDS_V check_param_pair_by_pam $FILE $KEYWORD $ROUNDS_KEY ge $ROUNDS_V
if [ $FNRET = 3 ]; then if [ $FNRET = 3 ]; then
crit "$FILE is not exist, please check" crit "$FILE is not exist, please check"
elif [ $FNRET = 4 ]; then elif [ $FNRET = 4 ]; then
crit "$ROUNDS_KEY is not conf" warn "$ROUNDS_KEY is not conf"
add_option_to_password_check $FILE $KEYWORD "$ROUNDS_KEY=$ROUNDS_V" add_option_to_password_check $FILE $KEYWORD "$ROUNDS_KEY=$ROUNDS_V"
elif [ $FNRET = 5 ]; then elif [ $FNRET = 5 ]; then
crit "$ROUNDS_KEY set is not match legally, reset it to $ROUNDS_V" warn "$ROUNDS_KEY set is not match legally, reset it to $ROUNDS_V"
reset_option_to_password_check $FILE $KEYWORD "$ROUNDS_KEY" "$ROUNDS_V" reset_option_to_password_check $FILE $KEYWORD "$ROUNDS_KEY" "$ROUNDS_V"
fi fi
} }
apply_redhat () {
for FILE in $FILES; do
does_pattern_exist_in_file $FILE "$PATTERN.*$OPTIONNAME"
if [ $FNRET -eq 0 ]; then
ok "$OPTIONNAME is already configured in $FILE"
else
warn "$OPTIONNAME is not configured in $FILE, set it"
sed -i "s;\($PATTERN.*$OPTIONNAME\);\1 $OPTIONNAME;" $FILE
fi
done
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $OS_RELEASE -eq 1 ]; then
apply_debian
elif [ $OS_RELEASE -eq 2 ]; then
apply_redhat
else
crit "Current OS is not support!"
fi
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :
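Review bot: In apply_redhat the `sed -i` in the else branch searches for the same expression, `$PATTERN.*$OPTIONNAME`, that does_pattern_exist_in_file has just reported as absent, so the substitution should never match; the run warns "set it" and leaves the file without $OPTIONNAME. The match should stop at the PAM line itself, for example `sed -i "s;\($PATTERN.*\);\1 $OPTIONNAME;" $FILE`, assuming $PATTERN (defined outside the visible hunks) selects the password line that takes the option. Two further gaps on the CentOS path: neither audit_redhat nor apply_redhat checks `$ROUNDS_KEY` against `$ROUNDS_V` as the Debian path does, and if the two files in `$FILES` are symlinks on the target system (worth confirming), `sed -i` replaces the link with a regular file unless `--follow-symlinks` is given.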