Add --final method for reset password for reguler and root user, and reinit aide database
parent
5a066aa04f
commit
ba786480b5
|
@ -24,6 +24,7 @@ ALLOW_SERVICE_LIST=0
|
||||||
SET_HARDENING_LEVEL=0
|
SET_HARDENING_LEVEL=0
|
||||||
SUDO_MODE=''
|
SUDO_MODE=''
|
||||||
INIT_G_CONFIG=0
|
INIT_G_CONFIG=0
|
||||||
|
FINAL_G_CONFIG=0
|
||||||
|
|
||||||
usage() {
|
usage() {
|
||||||
cat << EOF
|
cat << EOF
|
||||||
|
@ -82,6 +83,12 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
|
||||||
Use --allow-service-list to get a list of supported services.
|
Use --allow-service-list to get a list of supported services.
|
||||||
Example:
|
Example:
|
||||||
bin/hardening.sh --set-hardening-level 5 --allow-service dns,http
|
bin/hardening.sh --set-hardening-level 5 --allow-service dns,http
|
||||||
|
|
||||||
|
--final
|
||||||
|
The final action that needs to be done when all repairs are completed. The action items are:
|
||||||
|
1. Use passwd to change the password of the regular and root user to update the user
|
||||||
|
password strength and robustness;
|
||||||
|
2. Aide reinitializes.
|
||||||
|
|
||||||
OPTIONS:
|
OPTIONS:
|
||||||
|
|
||||||
|
@ -148,6 +155,8 @@ while [[ $# > 0 ]]; do
|
||||||
--init)
|
--init)
|
||||||
INIT_G_CONFIG=1
|
INIT_G_CONFIG=1
|
||||||
;;
|
;;
|
||||||
|
--final
|
||||||
|
FINAL_G_CONFIG=1
|
||||||
*)
|
*)
|
||||||
usage
|
usage
|
||||||
;;
|
;;
|
||||||
|
@ -170,6 +179,7 @@ fi
|
||||||
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
|
||||||
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
|
||||||
|
|
||||||
|
# For --init
|
||||||
if [ $INIT_G_CONFIG -eq 1 ]; then
|
if [ $INIT_G_CONFIG -eq 1 ]; then
|
||||||
if [ -r /etc/redhat-release ]; then
|
if [ -r /etc/redhat-release ]; then
|
||||||
info "This OS is redhat/CentOS."
|
info "This OS is redhat/CentOS."
|
||||||
|
@ -194,6 +204,36 @@ else
|
||||||
exit 128
|
exit 128
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# For --final
|
||||||
|
if [ $FINAL_G_CONFIG -eq 1 ]; then
|
||||||
|
# Reset passwd for regular and root user
|
||||||
|
USERSNAME=$(cat /etc/passwd | awk -F':' '{if($3>=1000 && $3<65534) {print $1}}')
|
||||||
|
for USER in $USERSNAME; do
|
||||||
|
RESETCONTIN="n"
|
||||||
|
read -p "Will password of $USER be reset, are you sure to continue?(Y/n)" RESETCONTIN
|
||||||
|
if [ "$RESETCONTIN" == "Y" ]; then
|
||||||
|
sudo -u $USER passwd
|
||||||
|
else
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
RESETCONTIN="n"
|
||||||
|
read -p "Will password of root be reset, are you sure to continue?(Y/n)" RESETCONTIN
|
||||||
|
if [ "$RESETCONTIN" == "Y" ]; then
|
||||||
|
passwd
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Reinit aide database
|
||||||
|
info "Will reinitialize the AIDE database"
|
||||||
|
if [ $OS_RELEASE -eq 1 ]; then
|
||||||
|
aideinit
|
||||||
|
elif [ $OS_RELEASE -eq 2 ]; then
|
||||||
|
aide --init
|
||||||
|
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
|
||||||
|
fi
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
# If --allow-service-list is specified, don't run anything, just list the supported services
|
# If --allow-service-list is specified, don't run anything, just list the supported services
|
||||||
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
|
if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then
|
||||||
declare -a HARDENING_EXCEPTIONS_LIST
|
declare -a HARDENING_EXCEPTIONS_LIST
|
||||||
|
|
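Review bot: The new `--final` arm in the option parser (hunk `@ -148,6 +155,8 @@`) is written as `--final` with no closing `)` and, per the +2 line count, no terminating `;;`, which is a case-statement syntax error that stops the whole script from parsing; it should mirror the `--init)` arm: `--final)`, `FINAL_G_CONFIG=1`, `;;`. In the `--final` block, `aide --init` and the `mv` that promotes the new database are independent statements, so a failed init (or a stale `aide.db.new.gz` left from an earlier run) still replaces the trusted baseline; chain them, `aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz`, so only a freshly generated database overwrites it. The bare `passwd` only resets root's password when the script itself runs as root, and `sudo -u $USER passwd` runs passwd as the target user, which under the usual pam_unix configuration prompts for that user's current password instead of letting the administrator set a new one; unless a root check exists earlier in the file, guard the block with `[ "$(id -u)" -eq 0 ] || { info "--final must run as root"; exit 1; }` and use `passwd "$USER"`. `$OS_RELEASE` is also tested unquoted in `[ $OS_RELEASE -eq 1 ]`; if it is only assigned on the `--init` path (not visible here), a standalone `--final` run fails with `[: unary operator expected`, so quote it and give it a default, `[ "${OS_RELEASE:-0}" -eq 1 ]`.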