From bc76a18fbcda10f174142919a098876c24831a6f Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Thu, 13 Sep 2018 03:45:11 +0800
Subject: [PATCH] Add 9.2.14 to check nullok option of auth pam_unix
---
 .../9.2.14_enable_auth_without_nullpwd.sh | 91 +++++++++++++++++++
 lib/utils.sh | 37 ++++++++
 2 files changed, 128 insertions(+)
 create mode 100755 bin/hardening/9.2.14_enable_auth_without_nullpwd.sh
diff --git a/bin/hardening/9.2.14_enable_auth_without_nullpwd.sh b/bin/hardening/9.2.14_enable_auth_without_nullpwd.sh
new file mode 100755
index 0000000..6411d68
--- /dev/null
+++ b/bin/hardening/9.2.14_enable_auth_without_nullpwd.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+#
+# harbian audit 7/8/9 Hardening
+#
+
+#
+# 9.2.14 Configure password without blank or null passwords (Scored)
+# Authors : Samson wen, Samson
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=3
+
+PACKAGE='libpam-modules'
+PATTERN='^auth.*pam_unix.so'
+FILE='/etc/pam.d/common-auth'
+KEYWORD='pam_unix.so'
+OPTIONNAME1='nullok'
+OPTIONNAME2='nullok_secure'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed!"
+ FNRET=1
+ else
+ ok "$PACKAGE is installed"
+ does_pattern_exist_in_file $FILE $PATTERN
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN is present in $FILE"
+ check_auth_option_nullok_by_pam $KEYWORD $OPTIONNAME1 $OPTIONNAME2
+ if [ $FNRET = 0 ]; then
+ ok "$OPTIONNAME1 is not configured"
+ elif [ $FNRET = 4 ]; then
+ crit "$OPTIONNAME1 is configured"
+ elif [ $FNRET = 5 ]; then
+ crit "$OPTIONNAME2 is configured"
+ fi
+ else
+ crit "$PATTERN is not present in $FILE"
+ FNRET=2
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ elif [ $FNRET = 1 ]; then
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ elif [ $FNRET = 2 ]; then
+ ok "$PATTERN is not present in $FILE, not need add"
+ elif [ $FNRET = 3 ]; then
+ crit "$FILE is not exist, please check"
+ elif [ $FNRET = 4 ]; then
+ info "Delete option $OPTIONNAME1 from $FILE"
+ sed -ie "s/$OPTIONNAME1//" $FILE
+ elif [ $FNRET = 5 ]; then
+ info "Delete option $OPTIONNAME2 from $FILE"
+ sed -ie "s/$OPTIONNAME2//" $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/lib/utils.sh b/lib/utils.sh
index f99d899..c11bbbe 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -545,3 +545,40 @@ reset_option_to_password_check()
 # password requisite pam_cracklib.so minlen=8 difok=3 retry=3
 sed -ie "s/${OPTIONNAME}=./${OPTIONNAME}=${OPTIONVAL}/" $PAMPWDFILE
 }
+
+# Only check option name
+check_auth_option_nullok_by_pam()
+{
+ KEYWORD=$1
+ OPTION1=$2
+ OPTION2=$3
+
+ LOCATION="/etc/pam.d/common-auth"
+
+ #Example:
+ #KEYWORD="pam_unix.so"
+ #OPTION1="nullok"
+ #OPTION2="nullok_secure"
+
+ if [ -f "$LOCATION" ];then
+ RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION2" | wc -l)
+ if [ "$RESULT" -eq 1 ]; then
+ debug "$KEYWORD $OPTION2 is conf, that is error conf"
+ FNRET=5
+ else
+ debug "$KEYWORD $OPTION2 is not conf, that is ok"
+ RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION1" | wc -l)
+ if [ "$RESULT" -eq 1 ]; then
+ debug "$KEYWORD $OPTION1 is conf, that is error conf"
+ FNRET=4
+ else
+ debug "$KEYWORD $OPTION1 is not conf, that is ok"
+ FNRET=0
+ fi
+ fi
+ else
+ debug "$LOCATION is not exist"
+ FNRET=3
+ fi
+}
+
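Review bot: The remediation in apply() for FNRET=4, `sed -ie "s/$OPTIONNAME1//" $FILE`, is not anchored to the `auth ... pam_unix.so` line the audit matched: it strips the first `nullok` from every line of common-auth, comments included, and leaves any further occurrence on the same line in place; the FNRET=5 branch has the same shape. In addition, GNU sed reads `-ie` as `-i` with backup suffix `e`, so every run leaves a `common-authe` copy behind in /etc/pam.d (the pre-existing `reset_option_to_password_check` in lib/utils.sh spells it the same way, so this follows project convention, but the new file need not repeat it). Restricting the substitution to the matched line and using a plain in-place edit covers both, e.g. `sed -i "/$PATTERN/s/[[:space:]]$OPTIONNAME1\b//g" "$FILE"` (and the same for OPTIONNAME2). A consistency point: audit reports the missing pattern with `crit` and FNRET=2, while apply reports that same state as `ok "... not need add"`, so the two modes disagree about whether it is a finding.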
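Review bot: The compliance test in check_auth_option_nullok_by_pam compares a `wc -l` count with `[ "$RESULT" -eq 1 ]`, so when two or more uncommented lines carry `pam_unix.so ... nullok_secure` (or `nullok`) neither branch fires and the function falls through to FNRET=0, reporting a null-password configuration as compliant; the second `-eq 1` has the same flaw. Presence is what matters here, so `if [ "$RESULT" -ge 1 ]; then` at both places (or `grep -q` in place of the `| wc -l` pipeline) closes that false negative. Two smaller points: `grep "$KEYWORD.*$OPTION1"` with OPTION1=nullok also matches `nullok_secure`, which is only harmless because OPTION2 is tested first, and the file to inspect is hard-coded as LOCATION rather than passed in, while the function also overwrites the caller's global `KEYWORD` instead of using a local.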