mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-22 22:15:24 +01:00
IMP(5.3.1,5.3.2): add tests and upgrade PAM conf
This commit is contained in:
parent
feefee28e4
commit
8af91dd6a8
@ -15,8 +15,10 @@ HARDENING_LEVEL=3
|
||||
DESCRIPTION="Set lockout for failed password attemps."
|
||||
|
||||
PACKAGE='libpam-modules-bin'
|
||||
PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'
|
||||
FILE='/etc/pam.d/login'
|
||||
PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
|
||||
PATTERN_ACCOUNT='pam_tally[2]?\.so'
|
||||
FILE_AUTH='/etc/pam.d/common-auth'
|
||||
FILE_ACCOUNT='/etc/pam.d/common-account'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
@ -25,11 +27,17 @@ audit () {
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
does_pattern_exist_in_file $FILE $PATTERN
|
||||
does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
ok "$PATTERN_AUTH is present in $FILE_AUTH"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
crit "$PATTERN_AUTH is not present in $FILE_AUTH"
|
||||
fi
|
||||
does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
|
||||
else
|
||||
crit "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -43,13 +51,21 @@ apply () {
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
does_pattern_exist_in_file $FILE $PATTERN
|
||||
does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
ok "$PATTERN_AUTH is present in $FILE_AUTH"
|
||||
else
|
||||
crit "$PATTERN is not present in $FILE"
|
||||
add_line_file_before_pattern $FILE "auth required pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set"
|
||||
fi
|
||||
warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
|
||||
add_line_file_before_pattern $FILE_AUTH "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
|
||||
fi
|
||||
does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
|
||||
else
|
||||
warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
|
||||
add_line_file_before_pattern $FILE_ACCOUNT "account required pam_tally.so" "# pam-auth-update(8) for details."
|
||||
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
@ -25,7 +25,7 @@ audit () {
|
||||
crit "$PACKAGE is not installed!"
|
||||
else
|
||||
ok "$PACKAGE is installed"
|
||||
does_pattern_exist_in_file $FILE $PATTERN
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
@ -43,11 +43,11 @@ apply () {
|
||||
crit "$PACKAGE is absent, installing it"
|
||||
apt_install $PACKAGE
|
||||
fi
|
||||
does_pattern_exist_in_file $FILE $PATTERN
|
||||
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$PATTERN is present in $FILE"
|
||||
else
|
||||
warn "$PATTERN is not present in $FILE"
|
||||
warn "$PATTERN is not present in $FILE, adding it"
|
||||
add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
|
||||
fi
|
||||
}
|
||||
|
@ -6,5 +6,13 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
describe Correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so is present in /etc/pam.d/common-auth"
|
||||
register_test contain "[ OK ] pam_tally[2]?\.so is present in /etc/pam.d/common-account"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
@ -6,5 +6,12 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
describe Correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] ^password.*remember is present in /etc/pam.d/common-password"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user