Fix issues #1 An error occurred when executing the su command after applying 10.1.9

2018-10-16 08:21:51 +08:00 · 2018-10-16 08:21:51 +08:00 · da51ac2cda
parent efd22bfbc6
commit da51ac2cda
2 changed files with 44 additions and 5 deletions
--- a/bin/hardening/10.1.9_set_fail_delay_seconds.sh
+++ b/bin/hardening/10.1.9_set_fail_delay_seconds.sh
@ -60,12 +60,13 @@ apply () {
        crit "$PATTERN is not present in $FILE, add default config to $FILE"
        add_line_file_before_pattern $FILE "auth       optional   pam_faildelay.so  delay=4000000" "# Outputs an issue file prior to each login prompt (Replaces the"
    elif [ $FNRET = 3 ]; then
-        crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
-        reset_option_to_password_check $FILE $PAMLIBNAME "$OPTIONNAME" "$CONDT_VAL"
+        crit "$FILE is not exist, please check"
    elif [ $FNRET = 4 ]; then
-        crit "444"
+        crit "$OPTIONNAME is not conf"
+        add_option_to_auth_check $FILE $PAMLIBNAME "$OPTIONNAME=$CONDT_VAL"
     elif [ $FNRET = 5 ]; then
-        crit "555555555555"
+        crit "$OPTIONNAME set is not match legally, reset it to $CONDT_VAL"
+        reset_option_to_auth_check $FILE $PAMLIBNAME "$OPTIONNAME" "$CONDT_VAL"
    fi 
 }

--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -527,6 +527,24 @@ add_option_to_password_check()
    sed -ie "s;\(^password.*$KEYWORD.*\);\1 $OPTIONSTR;" $PAMPWDFILE  
 }

+# Add auth check option 
+add_option_to_auth_check() 
+{
+    #Example:
+    #local PAMPWDFILE="/etc/pam.d/common-password"
+    #local KEYWORD="pam_cracklib.so"
+    #local OPTIONSTR="retry=3"
+    local PAMPWDFILE=$1
+    local KEYWORD=$2
+    local OPTIONSTR=$3
+    debug "Setting $OPTIONSTR for $KEYWORD"
+    backup_file "$PAMPWDFILE"
+    # For example : 
+    # password  requisite           pam_cracklib.so  minlen=8 difok=3
+    # password  requisite           pam_cracklib.so  minlen=8 difok=3 retry=3
+    sed -ie "s;\(^auth.*$KEYWORD.*\);\1 $OPTIONSTR;" $PAMPWDFILE  
+}
+
 # Reset password check option value when option is not set a correct value 
 reset_option_to_password_check()
 {
@ -547,6 +565,26 @@ reset_option_to_password_check()
    sed -ie "s/${OPTIONNAME}=./${OPTIONNAME}=${OPTIONVAL}/" $PAMPWDFILE
 }

+# Reset auth check option value when option is not set a correct value 
+reset_option_to_auth_check()
+{
+    #Example:
+    #local PAMPWDFILE="/etc/pam.d/common-password"
+    #local KEYWORD="pam_cracklib.so"
+    #local OPTIONNAME="retry"
+    #local OPTIONVAL="3"
+    local PAMPWDFILE=$1
+    local KEYWORD=$2
+    local OPTIONNAME=$3
+    local OPTIONVAL=$4
+    debug "Setting $OPTION for $KEYWORD reset option value to $OPTIONVAL"
+    backup_file "$PAMPWDFILE"
+    # For example : 
+    # password  requisite           pam_cracklib.so  minlen=8 difok=3 retry=1
+    # password  requisite           pam_cracklib.so  minlen=8 difok=3 retry=3
+    sed -ie "s/${OPTIONNAME}=.*/${OPTIONNAME}=${OPTIONVAL}/" $PAMPWDFILE
+}
+
 # Only check option name 
 check_auth_option_nullok_by_pam()
 {