Optimize 9.2.14 audit items, and update README.md README-CN.md

2023-08-25 01:49:11 +08:00 · 2023-08-25 01:49:11 +08:00 · e00770d5ff
parent 9545137a08
commit e00770d5ff
3 changed files with 25 additions and 18 deletions
--- a/README-CN.md
+++ b/README-CN.md
@ -1,7 +1,7 @@
 # harbian-audit审计与加固

 ## 简介 
-此项目是一个Debian GNU/Linux及CentOS 8发行版加固的审计工具。主要的测试环境是基于Debian GNU/Linux 9/10/11/12及CentOS 8，其它版本未充分测试。此项目主要是针对的Debian GNU/Linux服务器版本，对桌面版本的项没有实现。
+此项目是一个Debian GNU/Linux及CentOS 8及Ubuntu发行版加固的审计工具。主要的测试环境是基于Debian GNU/Linux 9/10/11/12及CentOS 8及Ubuntu22，其它版本未充分测试。此项目主要是针对服务器版本，对桌面版本的项没有实现。
 此项目的框架基于[OVH-debian-cis](https://github.com/ovh/debian-cis)，根据Debian GNU/Linux 9的一些特性进行了优化，并根据安全部署合规STIG（[STIG Red_Hat_Enterprise_Linux_7_V2R5](redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip)及[STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip)）及CIS（[cisecurity.org](https://www.cisecurity.org/)）进行了安全检查项的添加，同时也根据HardenedLinux社区就具体生产环境添加了一些安全检查项的审计功能的实现。此项目不仅具有安全项的审计功能，同时也有自动修改的功能。

 审计功能的使用示例： 
@ -17,12 +17,12 @@ hardening                 [INFO] Treating /home/test/harbian-audit/bin/hardening

 [...]
 ################### SUMMARY ###################
-      Total Available Checks : 270
-         Total Runned Checks : 270
-         Total Passed Checks : [ 226/270 ]
-         Total Failed Checks : [  44/270 ]
+      Total Available Checks : 271
+         Total Runned Checks : 271
+         Total Passed Checks : [ 226/271 ]
+         Total Failed Checks : [  44/271 ]
   Enabled Checks Percentage : 100.00 %
-       Conformity Percentage : 83.70 %
+       Conformity Percentage : 83.39 %
 ```
 ## 快速上手使用介绍

--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@

 Hardened Debian GNU/Linux and CentOS 8 distro auditing.  

-The main test environment is in debian GNU/Linux 9/10/11/12 and CentOS 8, and other versions are not fully tested. There are no implementations of desktop related items in this release.
+The main test environment is in debian GNU/Linux 9/10/11/12 and CentOS 8 and ubuntu 22, and other versions are not fully tested. There are no implementations of desktop related items in this release.

 The code framework is based on the [OVH-debian-cis](https://github.com/ovh/debian-cis) project, Modified some of the original implementations according to the features of Debian 9/10/11/12 and CentOS 8, added and implemented check items for [STIG Red_Hat_Enterprise_Linux_7_V2R5](https://github.com/hardenedlinux/STIG-OS-mirror/blob/master/redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip) [STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip) and [cisecurity.org](https://www.cisecurity.org/) recommendations, and also added and implemented some check items by the HardenedLinux community. The audit and apply functions of the infrastructure are implemented, and the automatic fix function is implemented for the items that can be automatically fixed. 

@ -21,12 +21,12 @@ hardening                 [INFO] Treating /home/test/harbian-audit/bin/hardening

 [...]
 ################### SUMMARY ###################
-      Total Available Checks : 270
-         Total Runned Checks : 270
-         Total Passed Checks : [ 226/270 ]
-         Total Failed Checks : [  44/270 ]
+      Total Available Checks : 271
+         Total Runned Checks : 271
+         Total Passed Checks : [ 226/271 ]
+         Total Failed Checks : [  44/271 ]
   Enabled Checks Percentage : 100.00 %
-       Conformity Percentage : 83.70 %
+       Conformity Percentage : 83.39 %
 ```

 ## Quickstart
--- a/bin/hardening/9.2.14_pam_dictcheck_pwquality.sh
+++ b/bin/hardening/9.2.14_pam_dictcheck_pwquality.sh
@ -6,13 +6,14 @@

 #
 # 9.2.14  Must prevent the use of dictionary words for passwords: audit dictcheck option (Scored)
-# Author : Samson wen, Samson <sccxboy@gmail.com>
+# Author : Samson wen, Samson <samson@hardenedlinux.org>
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

 HARDENING_LEVEL=2
+PACKAGES='libpam-pwquality libpwquality1 libpwquality-common'

 # Redhat/CentOS default use pam_pwquality
 FILE_CENTOS='/etc/security/pwquality.conf'
@ -23,11 +24,11 @@ OPTIONNAME='dictcheck'
 CONDT_VAL=1

 audit_centos () {
-	check_param_pair_by_value $FILE_CENTOS $OPTIONNAME eq $CONDT_VAL  
+	check_param_pair_by_value $FILE_CENTOS $OPTIONNAME ge $CONDT_VAL  
 	if [ $FNRET = 0 ]; then
-		ok "Option $OPTIONNAME set condition is equal to $CONDT_VAL in $FILE_CENTOS"
+		ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
 	elif [ $FNRET = 1 ]; then
-		crit "Option $OPTIONNAME set condition is not equal $CONDT_VAL in $FILE_CENTOS"
+		crit "Option $OPTIONNAME set condition is greater than or not equal $CONDT_VAL in $FILE_CENTOS"
 	elif [ $FNRET = 2 ]; then
 		ok "Option $OPTIONNAME is not conf in $FILE_CENTOS, but because it default is enable, so pass"
 	elif [ $FNRET = 3 ]; then
@ -51,14 +52,20 @@ audit () {

 apply_centos () {
 	if [ $FNRET = 0 ]; then
-		ok "$OPTIONNAME set condition is equal to $CONDT_VAL in $FILE_CENTOS"
+		ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS"
 	elif [ $FNRET = 1 ]; then
 		warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS"
 		replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL"
 	elif [ $FNRET = 2 ]; then
 		ok "Option $OPTIONNAME is not conf in $FILE_CENTOS, but because default set enable, so pass"
 	elif [ $FNRET = 3 ]; then
-		crit "Config file $FILE_CENTOS is not exist!"
+		warn "Config file $FILE_CENTOS is not exist! Install $PACKAGES"
+		# For ubuntu deiban11 debian12
+		if [ $OS_RELEASE -eq 3 -o  $OS_RELEASE -eq 11 -o $OS_RELEASE -eq 12 ]; then
+        		apt_install $PACKAGES
+		elif [ $OS_RELEASE -eq 2 ]; then
+			yum_install  $PACKAGES
+		fi
    fi
 }