From e00770d5ffaf86c4a1d1013499b99363b74f6925 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Fri, 25 Aug 2023 01:49:11 +0800 Subject: [PATCH] Optimize 9.2.14 audit items, and update README.md README-CN.md --- README-CN.md | 12 ++++++------ README.md | 12 ++++++------ .../9.2.14_pam_dictcheck_pwquality.sh | 19 +++++++++++++------ 3 files changed, 25 insertions(+), 18 deletions(-) diff --git a/README-CN.md b/README-CN.md index 739e0c4..029d25c 100644 --- a/README-CN.md +++ b/README-CN.md @@ -1,7 +1,7 @@ # harbian-audit审计与加固 ## 简介 -此项目是一个Debian GNU/Linux及CentOS 8发行版加固的审计工具。主要的测试环境是基于Debian GNU/Linux 9/10/11/12及CentOS 8,其它版本未充分测试。此项目主要是针对的Debian GNU/Linux服务器版本,对桌面版本的项没有实现。 +此项目是一个Debian GNU/Linux及CentOS 8及Ubuntu发行版加固的审计工具。主要的测试环境是基于Debian GNU/Linux 9/10/11/12及CentOS 8及Ubuntu22,其它版本未充分测试。此项目主要是针对服务器版本,对桌面版本的项没有实现。 此项目的框架基于[OVH-debian-cis](https://github.com/ovh/debian-cis),根据Debian GNU/Linux 9的一些特性进行了优化,并根据安全部署合规STIG([STIG Red_Hat_Enterprise_Linux_7_V2R5](redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip)及[STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip))及CIS([cisecurity.org](https://www.cisecurity.org/))进行了安全检查项的添加,同时也根据HardenedLinux社区就具体生产环境添加了一些安全检查项的审计功能的实现。此项目不仅具有安全项的审计功能,同时也有自动修改的功能。 审计功能的使用示例: @@ -17,12 +17,12 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening [...] ################### SUMMARY ################### - Total Available Checks : 270 - Total Runned Checks : 270 - Total Passed Checks : [ 226/270 ] - Total Failed Checks : [ 44/270 ] + Total Available Checks : 271 + Total Runned Checks : 271 + Total Passed Checks : [ 226/271 ] + Total Failed Checks : [ 44/271 ] Enabled Checks Percentage : 100.00 % - Conformity Percentage : 83.70 % + Conformity Percentage : 83.39 % ``` ## 快速上手使用介绍 diff --git a/README.md b/README.md index 0c5c878..7bb3c0d 100755 --- a/README.md +++ b/README.md 
@@ -4,7 +4,7 @@ Hardened Debian GNU/Linux and CentOS 8 distro auditing. -The main test environment is in debian GNU/Linux 9/10/11/12 and CentOS 8, and other versions are not fully tested. There are no implementations of desktop related items in this release. +The main test environment is in debian GNU/Linux 9/10/11/12 and CentOS 8 and ubuntu 22, and other versions are not fully tested. There are no implementations of desktop related items in this release. The code framework is based on the [OVH-debian-cis](https://github.com/ovh/debian-cis) project, Modified some of the original implementations according to the features of Debian 9/10/11/12 and CentOS 8, added and implemented check items for [STIG Red_Hat_Enterprise_Linux_7_V2R5](https://github.com/hardenedlinux/STIG-OS-mirror/blob/master/redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip) [STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip) and [cisecurity.org](https://www.cisecurity.org/) recommendations, and also added and implemented some check items by the HardenedLinux community. The audit and apply functions of the infrastructure are implemented, and the automatic fix function is implemented for the items that can be automatically fixed. @@ -21,12 +21,12 @@ hardening [INFO] Treating /home/test/harbian-audit/bin/hardening [...] ################### SUMMARY ################### - Total Available Checks : 270 - Total Runned Checks : 270 - Total Passed Checks : [ 226/270 ] - Total Failed Checks : [ 44/270 ] + Total Available Checks : 271 + Total Runned Checks : 271 + Total Passed Checks : [ 226/271 ] + Total Failed Checks : [ 44/271 ] Enabled Checks Percentage : 100.00 % - Conformity Percentage : 83.70 % + Conformity Percentage : 83.39 % ``` ## Quickstart diff --git a/bin/hardening/9.2.14_pam_dictcheck_pwquality.sh b/bin/hardening/9.2.14_pam_dictcheck_pwquality.sh index cb023cf..995d543 100755 
--- a/bin/hardening/9.2.14_pam_dictcheck_pwquality.sh +++ b/bin/hardening/9.2.14_pam_dictcheck_pwquality.sh @@ -6,13 +6,14 @@ # # 9.2.14 Must prevent the use of dictionary words for passwords: audit dictcheck option (Scored) -# Author : Samson wen, Samson +# Author : Samson wen, Samson # set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 +PACKAGES='libpam-pwquality libpwquality1 libpwquality-common' # Redhat/CentOS default use pam_pwquality FILE_CENTOS='/etc/security/pwquality.conf' @@ -23,11 +24,11 @@ OPTIONNAME='dictcheck' CONDT_VAL=1 audit_centos () { - check_param_pair_by_value $FILE_CENTOS $OPTIONNAME eq $CONDT_VAL + check_param_pair_by_value $FILE_CENTOS $OPTIONNAME ge $CONDT_VAL if [ $FNRET = 0 ]; then - ok "Option $OPTIONNAME set condition is equal to $CONDT_VAL in $FILE_CENTOS" + ok "Option $OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then - crit "Option $OPTIONNAME set condition is not equal $CONDT_VAL in $FILE_CENTOS" + crit "Option $OPTIONNAME set condition is greater than or not equal $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 2 ]; then ok "Option $OPTIONNAME is not conf in $FILE_CENTOS, but because it default is enable, so pass" elif [ $FNRET = 3 ]; then 
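Review bot: The new `PACKAGES` variable lists Debian/Ubuntu package names only (libpam-pwquality, libpwquality1, libpwquality-common), but nothing at its definition says so, and the same variable is handed to `yum_install` for CentOS later in this patch, where pam_pwquality and pwquality.conf ship in the package named `libpwquality`. A one-line comment at the definition would prevent that misuse: `# Debian/Ubuntu packages providing pam_pwquality; CentOS uses the differently named libpwquality package`. The `Author` line appears identical on both sides here, so that part of the hunk is presumably a whitespace-only or stripped-address change.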
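Review bot: The updated `crit` message in audit_centos reads "is greater than or not equal $CONDT_VAL", which says the opposite of what FNRET=1 means once the comparison is `ge`; it should be `crit "Option $OPTIONNAME set condition is less than $CONDT_VAL in $FILE_CENTOS"`. Moving from `eq` to `ge` is sound for dictcheck, which pwquality treats as a boolean where any non-zero value enables the dictionary check, but it depends on `check_param_pair_by_value` accepting `ge` as an operator, which is not visible in this hunk. audit_centos continues past the end of the hunk (the FNRET=3 branch body and the closing brace are outside).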
@@ -51,14 +52,20 @@ audit () { apply_centos () { if [ $FNRET = 0 ]; then - ok "$OPTIONNAME set condition is equal to $CONDT_VAL in $FILE_CENTOS" + ok "$OPTIONNAME set condition is greater than or equal to $CONDT_VAL in $FILE_CENTOS" elif [ $FNRET = 1 ]; then warn "Set option $OPTIONNAME to $CONDT_VAL in $FILE_CENTOS" replace_in_file $FILE_CENTOS "^$OPTIONNAME.*" "$OPTIONNAME = $CONDT_VAL" elif [ $FNRET = 2 ]; then ok "Option $OPTIONNAME is not conf in $FILE_CENTOS, but because default set enable, so pass" elif [ $FNRET = 3 ]; then - crit "Config file $FILE_CENTOS is not exist!" + warn "Config file $FILE_CENTOS is not exist! Install $PACKAGES" + # For ubuntu deiban11 debian12 + if [ $OS_RELEASE -eq 3 -o $OS_RELEASE -eq 11 -o $OS_RELEASE -eq 12 ]; then + apt_install $PACKAGES + elif [ $OS_RELEASE -eq 2 ]; then + yum_install $PACKAGES + fi fi }
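Review bot: On CentOS (`OS_RELEASE -eq 2`) the new FNRET=3 branch runs `yum_install $PACKAGES` with the Debian names libpam-pwquality/libpwquality1/libpwquality-common, which yum does not know; the CentOS 8 package that ships pam_pwquality and /etc/security/pwquality.conf is `libpwquality`. Any release code other than 3, 11, 12 or 2 prints "Install $PACKAGES" and then installs nothing, so the warn is misleading there, and `-o` inside `[ ]` is the obsolescent test form. A `case` on `$OS_RELEASE` with a per-family package name and an explicit fallback fixes all three, and can carry the comment typo fix (`deiban`) and the `is not exist` wording. After installing, the function returns without re-checking the option, so the item only passes on the next run; pwquality enables dictcheck by default, which makes that acceptable but worth stating in a comment. apply_centos is fully inside the hunk.
```shell
    elif [ $FNRET = 3 ]; then
        warn "Config file $FILE_CENTOS does not exist! Installing the pwquality package(s)"
        # OS_RELEASE codes (as the original comment indicates): 3 = Ubuntu, 11/12 = Debian 11/12, 2 = CentOS.
        # The package creates the conf file; the option is re-checked on the next run, which
        # passes with FNRET=2 because pwquality enables dictcheck by default.
        case "$OS_RELEASE" in
            3|11|12) apt_install $PACKAGES ;;
            2)       yum_install libpwquality ;;   # RHEL-family package name, not the Debian list
            *)       crit "No install rule for OS_RELEASE=$OS_RELEASE; install pam_pwquality manually" ;;
        esac
    fi
```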