elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-06-21 18:23:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: invalid behavior on sid/alternative in 5.3.4/99.5.4.5.1 (#237)

Browse Source
This commit is contained in:
Hugo COURTIAL
2024-04-09 17:12:31 +02:00
committed by GitHub
parent f7cdf438d4
commit 6079b16611
4 changed files with 84 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
bin/hardening/5.3.4_acc_pam_sha512.sh
View File

@ -49,7 +49,7 @@ apply() {
ok "$CONF_LINE is present in $CONF_FILE"
else
warn "$CONF_LINE is not present in $CONF_FILE"
if [ "$DEB_MAJ_VER" -ge "11" ]; then
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so yescrypt" "# pam-auth-update(8) for details."
else
add_line_file_before_pattern "$CONF_FILE" "password [success=1 default=ignore] pam_unix.so sha512" "# pam-auth-update(8) for details."
@ -67,12 +67,11 @@ check_config() {
# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
_set_vars_jit() {
if [ "$DEB_MAJ_VER" -ge "11" ]; then
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*(sha512|yescrypt)" # https://github.com/ovh/debian-cis/issues/158
else
CONF_LINE="^\s*password\s.+\s+pam_unix\.so\s+.*sha512"
fi
unset -f _set_vars_jit
}
# Source Root Dir Parameter

5
bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
View File

@ -48,7 +48,7 @@ apply() {
if [ "$FNRET" != 0 ]; then
add_end_of_file "$CONF_FILE" "$CONF_LINE"
else
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
info "Parameter $CONF_LINE is present but with the wrong value -- Fixing"
replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
fi
fi
@ -63,14 +63,13 @@ check_config() {
# We need to call this in the subs called by main.sh when it is sourced, otherwise it would
# either be too soon (DEB_MAJ_VER not defined) or too late (test has already been run)
_set_vars_jit() {
if [ "$DEB_MAJ_VER" -ge "11" ]; then
if [ "$DEB_MAJ_VER" = "sid" ] || [ "$DEB_MAJ_VER" -ge "11" ]; then
CONF_LINE_REGEX="ENCRYPT_METHOD (SHA512|yescrypt|YESCRYPT)"
CONF_LINE="ENCRYPT_METHOD YESCRYPT"
else
CONF_LINE_REGEX="ENCRYPT_METHOD SHA512"
CONF_LINE="ENCRYPT_METHOD SHA512"
fi
unset -f _set_vars_jit
}
# Source Root Dir Parameter