2016-04-15 14:24:45 +02:00
#!/bin/bash
#
2019-02-06 15:19:14 +01:00
# CIS Debian Hardening
2016-04-15 14:24:45 +02:00
#
#
2019-09-11 15:40:00 +02:00
# 5.3.2 Ensure lockout for failed password attempts is configured (Scored)
2016-04-15 14:24:45 +02:00
#
set -e # One error, it's over
set -u # One variable unset, it's over
2017-05-18 18:40:09 +02:00
HARDENING_LEVEL = 3
2017-10-31 17:44:15 +01:00
DESCRIPTION = "Set lockout for failed password attemps."
2017-05-18 18:40:09 +02:00
2016-04-15 14:24:45 +02:00
PACKAGE = 'libpam-modules-bin'
PATTERN = '^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'
FILE = '/etc/pam.d/login'
# This function will be called if the script status is on enabled / audit mode
audit ( ) {
is_pkg_installed $PACKAGE
if [ $FNRET != 0 ] ; then
2016-04-21 18:32:36 +02:00
crit " $PACKAGE is not installed! "
2016-04-15 14:24:45 +02:00
else
ok " $PACKAGE is installed "
2016-04-25 15:15:49 +02:00
does_pattern_exist_in_file $FILE $PATTERN
2016-04-15 14:24:45 +02:00
if [ $FNRET = 0 ] ; then
ok " $PATTERN is present in $FILE "
else
crit " $PATTERN is not present in $FILE "
fi
fi
}
# This function will be called if the script status is on enabled mode
apply ( ) {
is_pkg_installed $PACKAGE
if [ $FNRET = 0 ] ; then
ok " $PACKAGE is installed "
else
crit " $PACKAGE is absent, installing it "
apt_install $PACKAGE
fi
2016-04-25 15:15:49 +02:00
does_pattern_exist_in_file $FILE $PATTERN
2016-04-15 14:24:45 +02:00
if [ $FNRET = 0 ] ; then
ok " $PATTERN is present in $FILE "
else
crit " $PATTERN is not present in $FILE "
add_line_file_before_pattern $FILE "auth required pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set"
fi
}
# This function will check config parameters required
check_config( ) {
:
}
# Source Root Dir Parameter
2017-10-25 14:50:39 +02:00
if [ -r /etc/default/cis-hardening ] ; then
2016-04-18 17:39:14 +02:00
. /etc/default/cis-hardening
2017-10-25 14:50:39 +02:00
fi
if [ -z " $CIS_ROOT_DIR " ] ; then
2017-11-17 15:13:27 +01:00
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
2017-10-25 14:50:39 +02:00
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
2016-04-15 14:24:45 +02:00
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
2016-04-21 23:19:50 +02:00
if [ -r $CIS_ROOT_DIR /lib/main.sh ] ; then
. $CIS_ROOT_DIR /lib/main.sh
else
echo " Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening "
exit 128
fi