From caace05766b6a6f16046c486365087ad380d17dc Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Tue, 9 Oct 2018 21:27:57 +0800
Subject: [PATCH] Fix 10.1.9 if value is greater
---
 .../10.1.9_set_fail_delay_seconds.sh | 42 +++++++++----------
 1 file changed, 20 insertions(+), 22 deletions(-)
diff --git a/bin/hardening/10.1.9_set_fail_delay_seconds.sh b/bin/hardening/10.1.9_set_fail_delay_seconds.sh
index bcac643..6ec63ed 100755
--- a/bin/hardening/10.1.9_set_fail_delay_seconds.sh
+++ b/bin/hardening/10.1.9_set_fail_delay_seconds.sh
@@ -22,17 +22,26 @@ audit () {
 is_pkg_installed $PACKAGE
 if [ $FNRET != 0 ]; then
 crit "$PACKAGE is not installed!"
+ FNRET=1
 else
 ok "$PACKAGE is installed"
 for SSH_OPTION in $OPTIONS; do
 SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
 SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
+ PATTERN="^$SSH_PARAM[[:space:]]*"
 does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET = 0 ]; then
 ok "$PATTERN is present in $FILE"
+ if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep FAIL_DELAY | awk '{print $2}') -lt $SSH_VALUE ]; then
+ crit "$SSH_PARAM value is less than $SSH_VALUE"
+ FNRET=3
+ else
+ ok "$SSH_PARAM value is equal or greater to $SSH_VALUE"
+ FNRET=0
+ fi
 else
 crit "$PATTERN is not present in $FILE"
+ FNRET=2
 fi
 done
 fi
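Review bot: The added value comparison in audit() fails open: the unquoted `$(sed … | grep FAIL_DELAY | awk '{print $2}')` expands to nothing or to several words when the value is missing, non-numeric, or the unanchored grep matches more than one line; `[` then exits with an error status and the `else` branch reports the setting as compliant with FNRET=0. The same line hardcodes `/etc/login.defs` and `FAIL_DELAY` although the loop already has `$FILE` and `$SSH_PARAM`. Read the value into a variable, treat anything that is not a single plain integer as non-compliant (FNRET=3), and only then compare with both operands quoted. audit() starts and ends outside the hunk.

```shell
ok "$PATTERN is present in $FILE"
# Read the configured value once; several matching lines yield several output lines.
CURRENT_VALUE=$(awk -v param="$SSH_PARAM" '$1 == param { print $2 }' "$FILE")
case "$CURRENT_VALUE" in
    ''|*[!0-9]*)
        # Missing, non-numeric or ambiguous: report as non-compliant instead of ok.
        crit "$SSH_PARAM has no single integer value in $FILE"
        FNRET=3
        ;;
    *)
        if [ "$CURRENT_VALUE" -lt "$SSH_VALUE" ]; then
            # … unchanged: crit + FNRET=3 …
        else
            # … unchanged: ok + FNRET=0 …
        fi
        ;;
esac
```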
@@ -40,31 +49,20 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
- is_pkg_installed $PACKAGE
+ SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
+ SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
 if [ $FNRET = 0 ]; then
- ok "$PACKAGE is installed"
- else
+ ok "FAIL_DELAY is set"
+ elif [ $FNRET = 1 ]; then
 crit "$PACKAGE is absent, installing it"
 apt_install $PACKAGE
+ elif [ $FNRET = 2 ]; then
+ warn "$SSH_PARAM is not present in $FILE, adding it"
+ add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
+ elif [ $FNRET = 3 ]; then
+ info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+ replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
 fi
- for SSH_OPTION in $OPTIONS; do
- SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1)
- SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2)
- PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file $FILE "$PATTERN"
- if [ $FNRET = 0 ]; then
- ok "$PATTERN is present in $FILE"
- else
- warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file $FILE "^$SSH_PARAM"
- if [ $FNRET != 0 ]; then
- add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE"
- else
- info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
- fi
- fi
- done
 }

 # This function will check config parameters required
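Review bot: apply() now acts purely on state left behind by audit(): `$FNRET` selects the branch and `$SSH_OPTION` is read without the `for SSH_OPTION in $OPTIONS` loop that used to set it, so it only works if audit() ran immediately before in the same shell and OPTIONS holds a single entry. In the `FNRET = 1` branch the package is installed but the parameter is neither checked nor written, so that run ends with the delay still unset, presumably until the next audit/apply pass. I would document the contract above the chain, e.g. `# FNRET from audit(): 0 ok, 1 package missing, 2 parameter absent, 3 value too low`, and add a final `else crit "unexpected audit status $FNRET"` so an unknown code is not silently ignored. Quoting `"$FILE"` and `"$SSH_OPTION"` in the new lines would also avoid word splitting.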