Changes to AUTH-9286 to check for minimum age as well
This commit is contained in:
parent
7afc82a8aa
commit
7b3299fcb9
|
@ -110,6 +110,8 @@ unset LANG
|
|||
OS=""; OS_MODE=""
|
||||
OS_REDHAT_OR_CLONE=0
|
||||
OSIRISBINARY=""
|
||||
PASSWORD_MAXIMUM_DAYS=-1
|
||||
PASSWORD_MINIMUM_DAYS=-1
|
||||
PAM_2F_AUTH_ENABLED=0
|
||||
PAM_2F_AUTH_REQUIRED=0
|
||||
PAM_AUTH_BRUTE_FORCE_PROTECTION=0
|
||||
|
|
|
@ -663,20 +663,36 @@
|
|||
#
|
||||
# Test : AUTH-9286
|
||||
# Description : Check user password aging
|
||||
# Notes : MIN = minimum age, avoid rotation of passwords too quickly
|
||||
# : MAX = maximum age, ensure regular change of passwords
|
||||
if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking user password aging"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
logtext "Test: Checking PASS_MIN_DAYS option in /etc/login.defs "
|
||||
FIND=`grep "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }'`
|
||||
if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then
|
||||
logtext "Result: password minimum age is not configured"
|
||||
Display --indent 2 --text "- Checking user password aging (minimum)" --result DISABLED --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs"
|
||||
AddHP 0 1
|
||||
else
|
||||
logtext "Result: password needs to be at least ${FIND} days old"
|
||||
PASSWORD_MINIMUM_DAYS=${FIND}
|
||||
Display --indent 2 --text "- Checking user password aging (minimum)" --result CONFIGURED --color GREEN
|
||||
AddHP 3 3
|
||||
fi
|
||||
|
||||
logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
|
||||
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
|
||||
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
|
||||
logtext "Result: password aging limits are not configured"
|
||||
Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
|
||||
Display --indent 2 --text "- Checking user password aging (maximum)" --result DISABLED --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
|
||||
AddHP 0 1
|
||||
else
|
||||
logtext "Result: accounts with password aging set are checked against PASS_MAX_DAYS"
|
||||
logtext "Result: value of PASS_MAX_DAYS is ${FIND}"
|
||||
Display --indent 2 --text "- Checking user password aging" --result OK --color GREEN
|
||||
logtext "Result: max password age is ${FIND} days"
|
||||
PASSWORD_MAXIMUM_DAYS=${FIND}
|
||||
Display --indent 2 --text "- Checking user password aging (maximum)" --result CONFIGURED --color GREEN
|
||||
AddHP 3 3
|
||||
fi
|
||||
fi
|
||||
|
@ -1144,6 +1160,8 @@ report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
|
|||
if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then
|
||||
report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"
|
||||
fi
|
||||
report "password_min_days=${PASSWORD_MINIMUM_DAYS}"
|
||||
report "password_max_days=${PASSWORD_MAXIMUM_DAYS}"
|
||||
|
||||
wait_for_keypress
|
||||
|
||||
|
|
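Review bot: The PASS_MAX_DAYS branch treats only an empty value or exactly `99999` as disabled, so any other content of that field — a non-numeric string, or a very large but sub-99999 number that is effectively no limit — is shown as CONFIGURED and copied unvalidated into PASSWORD_MAXIMUM_DAYS, which the later hunk emits verbatim via `report "password_max_days=..."`; the PASS_MIN_DAYS branch has the same gap, accepting anything other than empty or `0`. Because FIND is the raw output of `grep | awk`, a login.defs with more than one uncommented PASS_MAX_DAYS (or PASS_MIN_DAYS) line also yields a multi-line FIND that matches neither comparison and lands in the report as-is. Consider normalising right after each FIND assignment, e.g. `case "${FIND}" in ''|*[!0-9]*) FIND="";; esac`, so that only a single decimal value reaches the comparisons and the report, and consider comparing the maximum against an upper bound rather than the single sentinel 99999. The `if [ ${SKIPTEST} -eq 0 ]` block is complete within the hunk; the side of each line (kept vs. added) is not recoverable from this rendering, so the duplicated "Checking user password aging" Display/ReportSuggestion pairs are presumably old lines replaced by the "(maximum)" ones.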