Update auditd rules of 8.1.26: replaced pam_tally2 with faillock in debian 11.

2021-08-16 00:57:51 +08:00 · 2021-08-16 00:57:51 +08:00 · f175cf4639
parent 6b89d4cb24
commit f175cf4639
2 changed files with 27 additions and 0 deletions
--- a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
+++ b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
@ -6,6 +6,7 @@

 #
 # 8.1.26  Recored pam_tally/pam_tally2 command usage(Only for Debian) (Scored)
+# Replaced pam_tally2 with faillock in debian 11
 # Author : Samson wen, Samson <sccxboy@gmail.com> Author add this 
 #

@ -74,13 +75,23 @@ apply () {
 }

 # This function will check config parameters required
+# Replaced pam_tally2 with faillock in debian 11
 check_config() {
+	is_debian_11
 	if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
+		if [ $FNRET = 1 ]; then
 AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -k privileged-pam
 -a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -k privileged-pam'
+		elif [ $FNRET = 0 ]; then
+AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/faillock -F perm=wxa -k privileged-pam'
+		fi
 	else
+		if [ $FNRET = 1 ]; then
 AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
 -a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
+		elif [ $FNRET = 0 ]; then
+AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/faillock -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
+		fi
 	fi
 }

--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -98,6 +98,22 @@ is_debian_10()
 	fi
 }

+is_debian_11()
+{
+	if [ -r /etc/debian_version ]; then
+    	if $(cat /etc/debian_version | grep -q "^11.[0-9]"); then
+       		debug "Debian version is 11."
+        	FNRET=0
+    	else
+        	debug "Debian version is not 11."
+        	FNRET=1
+    	fi
+	else
+		debug "Current OS is not Debian."
+		FNRET=2
+	fi
+}
+
 is_64bit_arch()
 {
 	if $(uname -m | grep -q "64"); then