tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add 9.2.14 to check nullok option of auth pam_unix

This commit is contained in:
Samson-W 2018-09-13 03:45:11 +08:00
parent b3787fbc27
commit bc76a18fbc
2 changed files with 128 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
bin/hardening/9.2.14_enable_auth_without_nullpwd.sh Executable file
View File

@ -0,0 +1,91 @@
#!/bin/bash
#
# harbian audit 7/8/9 Hardening
#
#
# 9.2.14 Configure password without blank or null passwords (Scored)
# Authors : Samson wen, Samson <sccxboy@gmail.com>
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=3
PACKAGE='libpam-modules'
PATTERN='^auth.*pam_unix.so'
FILE='/etc/pam.d/common-auth'
KEYWORD='pam_unix.so'
OPTIONNAME1='nullok'
OPTIONNAME2='nullok_secure'
# This function will be called if the script status is on enabled / audit mode
audit () {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ]; then
crit "$PACKAGE is not installed!"
FNRET=1
else
ok "$PACKAGE is installed"
does_pattern_exist_in_file $FILE $PATTERN
if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE"
check_auth_option_nullok_by_pam $KEYWORD $OPTIONNAME1 $OPTIONNAME2
if [ $FNRET = 0 ]; then
ok "$OPTIONNAME1 is not configured"
elif [ $FNRET = 4 ]; then
crit "$OPTIONNAME1 is configured"
elif [ $FNRET = 5 ]; then
crit "$OPTIONNAME2 is configured"
fi
else
crit "$PATTERN is not present in $FILE"
FNRET=2
fi
fi
}
# This function will be called if the script status is on enabled mode
apply () {
if [ $FNRET = 0 ]; then
ok "$PACKAGE is installed"
elif [ $FNRET = 1 ]; then
crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE
elif [ $FNRET = 2 ]; then
ok "$PATTERN is not present in $FILE, not need add"
elif [ $FNRET = 3 ]; then
crit "$FILE is not exist, please check"
elif [ $FNRET = 4 ]; then
info "Delete option $OPTIONNAME1 from $FILE"
sed -ie "s/$OPTIONNAME1//" $FILE
elif [ $FNRET = 5 ]; then
info "Delete option $OPTIONNAME2 from $FILE"
sed -ie "s/$OPTIONNAME2//" $FILE
fi
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi

37
lib/utils.sh
View File

@ -545,3 +545,40 @@ reset_option_to_password_check()
# password requisite pam_cracklib.so minlen=8 difok=3 retry=3
sed -ie "s/${OPTIONNAME}=./${OPTIONNAME}=${OPTIONVAL}/" $PAMPWDFILE
}
# Only check option name
check_auth_option_nullok_by_pam()
{
KEYWORD=$1
OPTION1=$2
OPTION2=$3
LOCATION="/etc/pam.d/common-auth"
#Example:
#KEYWORD="pam_unix.so"
#OPTION1="nullok"
#OPTION2="nullok_secure"
if [ -f "$LOCATION" ];then
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION2" | wc -l)
if [ "$RESULT" -eq 1 ]; then
debug "$KEYWORD $OPTION2 is conf, that is error conf"
FNRET=5
else
debug "$KEYWORD $OPTION2 is not conf, that is ok"
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION1" | wc -l)
if [ "$RESULT" -eq 1 ]; then
debug "$KEYWORD $OPTION1 is conf, that is error conf"
FNRET=4
else
debug "$KEYWORD $OPTION1 is not conf, that is ok"
FNRET=0
fi
fi
else
debug "$LOCATION is not exist"
FNRET=3
fi
}