diff --git a/bin/hardening/5.4.1.1_set_password_exp_days.sh b/bin/hardening/5.4.1.1_set_password_exp_days.sh index d6aa082..5f04f78 100755 --- a/bin/hardening/5.4.1.1_set_password_exp_days.sh +++ b/bin/hardening/5.4.1.1_set_password_exp_days.sh @@ -15,7 +15,7 @@ HARDENING_LEVEL=3 DESCRIPTION="Set password expiration days." PACKAGE='login' -OPTIONS='PASS_MAX_DAYS=90' +OPTIONS='' FILE='/etc/login.defs' # This function will be called if the script status is on enabled / audit mode @@ -25,10 +25,10 @@ audit () { crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + for SHADOW_OPTION in $OPTIONS; do + SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) + SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) + PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" @@ -48,26 +48,36 @@ apply () { crit "$PACKAGE is absent, installing it" apt_install $PACKAGE fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + for SHADOW_OPTION in $OPTIONS; do + SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) + SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) + PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" + does_pattern_exist_in_file $FILE "^$SHADOW_PARAM" if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE" else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE" fi fi done } +# This function will create the config file for this check with default values +create_config() { + cat << EOF +# shellcheck disable=2034 +status=audit +# Put here your protocol for shadow +OPTIONS='PASS_MAX_DAYS=90' +EOF +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/5.4.1.2_set_password_min_days_change.sh b/bin/hardening/5.4.1.2_set_password_min_days_change.sh index 98dd466..6bd66e9 100755 --- a/bin/hardening/5.4.1.2_set_password_min_days_change.sh +++ b/bin/hardening/5.4.1.2_set_password_min_days_change.sh @@ -15,7 +15,7 @@ HARDENING_LEVEL=3 DESCRIPTION="Set password change minimum number of days." PACKAGE='login' -OPTIONS='PASS_MIN_DAYS=7' +OPTIONS='' FILE='/etc/login.defs' # This function will be called if the script status is on enabled / audit mode @@ -25,10 +25,10 @@ audit () { crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + for SHADOW_OPTION in $OPTIONS; do + SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) + SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) + PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" @@ -48,26 +48,36 @@ apply () { crit "$PACKAGE is absent, installing it" apt_install $PACKAGE fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + for SHADOW_OPTION in $OPTIONS; do + SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) + SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) + PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" + does_pattern_exist_in_file $FILE "^$SHADOW_PARAM" if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE" else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE" fi fi done } +# This function will create the config file for this check with default values +create_config() { + cat << EOF +# shellcheck disable=2034 +status=audit +# Put here your protocol for shadow +OPTIONS='PASS_MIN_DAYS=7' +EOF +} + # This function will check config parameters required check_config() { : diff --git a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh index b57e827..ea54781 100755 --- a/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh +++ b/bin/hardening/5.4.1.3_set_password_exp_warning_days.sh @@ -15,7 +15,7 @@ HARDENING_LEVEL=3 DESCRIPTION="Set password expiration warning days." PACKAGE='login' -OPTIONS='PASS_WARN_AGE=7' +OPTIONS='' FILE='/etc/login.defs' # This function will be called if the script status is on enabled / audit mode @@ -25,10 +25,10 @@ audit () { crit "$PACKAGE is not installed!" else ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + for SHADOW_OPTION in $OPTIONS; do + SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) + SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) + PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" @@ -48,21 +48,21 @@ apply () { crit "$PACKAGE is absent, installing it" apt_install $PACKAGE fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + for SHADOW_OPTION in $OPTIONS; do + SHADOW_PARAM=$(echo $SHADOW_OPTION | cut -d= -f 1) + SHADOW_VALUE=$(echo $SHADOW_OPTION | cut -d= -f 2) + PATTERN="^$SHADOW_PARAM[[:space:]]*$SHADOW_VALUE" does_pattern_exist_in_file $FILE "$PATTERN" if [ $FNRET = 0 ]; then ok "$PATTERN is present in $FILE" else warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" + does_pattern_exist_in_file $FILE "^$SHADOW_PARAM" if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + add_end_of_file $FILE "$SHADOW_PARAM $SHADOW_VALUE" else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + info "Parameter $SHADOW_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SHADOW_PARAM[[:space:]]*.*" "$SHADOW_PARAM $SHADOW_VALUE" fi fi done @@ -73,6 +73,16 @@ check_config() { : } +# This function will create the config file for this check with default values +create_config() { + cat << EOF +# shellcheck disable=2034 +status=audit +# Put here your protocol for shadow +OPTIONS='PASS_WARN_AGE=7' +EOF +} + # Source Root Dir Parameter if [ -r /etc/default/cis-hardening ]; then . /etc/default/cis-hardening diff --git a/tests/hardening/5.4.1.1_set_password_exp_days.sh b/tests/hardening/5.4.1.1_set_password_exp_days.sh index b333419..5ea33e4 100644 --- a/tests/hardening/5.4.1.1_set_password_exp_days.sh +++ b/tests/hardening/5.4.1.1_set_password_exp_days.sh @@ -6,5 +6,12 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe Correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^PASS_MAX_DAYS[[:space:]]*90 is present in /etc/login.defs" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/5.4.1.2_set_password_min_days_change.sh b/tests/hardening/5.4.1.2_set_password_min_days_change.sh index b333419..228d4c1 100644 --- a/tests/hardening/5.4.1.2_set_password_min_days_change.sh +++ b/tests/hardening/5.4.1.2_set_password_min_days_change.sh @@ -6,5 +6,12 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe Correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^PASS_MIN_DAYS[[:space:]]*7 is present in /etc/login.defs" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/5.4.1.3_set_password_exp_warning_days.sh b/tests/hardening/5.4.1.3_set_password_exp_warning_days.sh index b333419..7cb7785 100644 --- a/tests/hardening/5.4.1.3_set_password_exp_warning_days.sh +++ b/tests/hardening/5.4.1.3_set_password_exp_warning_days.sh @@ -6,5 +6,12 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe Correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "[ OK ] ^PASS_WARN_AGE[[:space:]]*7 is present in /etc/login.defs" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all }