debian-cis/bin/hardening/9.2.3_limit_password_reuse.sh

#!/bin/bash

#
# CIS Debian 7 Hardening
#

#
# 9.2.3 Limit Password Reuse (Scored)
#

set -e # One error, it's over
set -u # One variable unset, it's over

PACKAGE='libpam-modules'
PATTERN='^password.*remember'
FILE='/etc/pam.d/common-password'

# This function will be called if the script status is on enabled / audit mode
audit () {
    is_pkg_installed $PACKAGE
    if [ $FNRET != 0 ]; then
        crit "$PACKAGE is not installed !"
    else
        ok "$PACKAGE is installed"
        does_pattern_exists_in_file $FILE $PATTERN
        if [ $FNRET = 0 ]; then
            ok "$PATTERN is present in $FILE"
        else
            crit "$PATTERN is not present in $FILE"
        fi
    fi
}

# This function will be called if the script status is on enabled mode
apply () {
    is_pkg_installed $PACKAGE
    if [ $FNRET = 0 ]; then
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
    does_pattern_exists_in_file $FILE $PATTERN
    if [ $FNRET = 0 ]; then
        ok "$PATTERN is present in $FILE"
    else
        warn "$PATTERN is not present in $FILE"
        add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
    fi 
}

# This function will check config parameters required
check_config() {
    :
}

# Source Root Dir Parameter
if [ ! -r /etc/default/cis-hardenning ]; then
    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
    exit 128
else
    . /etc/default/cis-hardenning
    if [ -z $CIS_ROOT_DIR ]; then
        echo "No CIS_ROOT_DIR variable, aborting"
    fi
fi 

# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh 2016-04-15 14:24:45 +02:00			`#!/bin/bash`

			`#`
			`# CIS Debian 7 Hardening`
			`#`

			`#`
			`# 9.2.3 Limit Password Reuse (Scored)`
			`#`

			`set -e # One error, it's over`
			`set -u # One variable unset, it's over`

			`PACKAGE='libpam-modules'`
			`PATTERN='^password.*remember'`
			`FILE='/etc/pam.d/common-password'`

			`# This function will be called if the script status is on enabled / audit mode`
			`audit () {`
			`is_pkg_installed $PACKAGE`
			`if [ $FNRET != 0 ]; then`
			`crit "$PACKAGE is not installed !"`
			`else`
			`ok "$PACKAGE is installed"`
			`does_pattern_exists_in_file $FILE $PATTERN`
			`if [ $FNRET = 0 ]; then`
			`ok "$PATTERN is present in $FILE"`
			`else`
			`crit "$PATTERN is not present in $FILE"`
			`fi`
			`fi`
			`}`

			`# This function will be called if the script status is on enabled mode`
			`apply () {`
			`is_pkg_installed $PACKAGE`
			`if [ $FNRET = 0 ]; then`
			`ok "$PACKAGE is installed"`
			`else`
			`crit "$PACKAGE is absent, installing it"`
			`apt_install $PACKAGE`
			`fi`
			`does_pattern_exists_in_file $FILE $PATTERN`
			`if [ $FNRET = 0 ]; then`
			`ok "$PATTERN is present in $FILE"`
			`else`
			`warn "$PATTERN is not present in $FILE"`
			`add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."`
			`fi`
			`}`

			`# This function will check config parameters required`
			`check_config() {`
			`:`
			`}`

			`# Source Root Dir Parameter`
			`if [ ! -r /etc/default/cis-hardenning ]; then`
			`echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"`
			`exit 128`
			`else`
			`. /etc/default/cis-hardenning`
			`if [ -z $CIS_ROOT_DIR ]; then`
			`echo "No CIS_ROOT_DIR variable, aborting"`
			`fi`
			`fi`

			`# Main function, will call the proper functions given the configuration (audit, enabled, disabled)`
			`[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh`