From 8af91dd6a80c6389e9073a8495e981a7686d5459 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Thu, 29 Oct 2020 16:45:15 +0100
Subject: [PATCH] IMP(5.3.1,5.3.2): add tests and upgrade PAM conf
---
 .../5.3.2_enable_lockout_failed_password.sh | 36 +++++++++++++------
 bin/hardening/5.3.3_limit_password_reuse.sh | 6 ++--
 .../5.3.2_enable_lockout_failed_password.sh | 10 +++++-
 tests/hardening/5.3.3_limit_password_reuse.sh | 9 ++++-
 4 files changed, 46 insertions(+), 15 deletions(-)
diff --git a/bin/hardening/5.3.2_enable_lockout_failed_password.sh b/bin/hardening/5.3.2_enable_lockout_failed_password.sh
index 077601a..02bd546 100755
--- a/bin/hardening/5.3.2_enable_lockout_failed_password.sh
+++ b/bin/hardening/5.3.2_enable_lockout_failed_password.sh
@@ -15,8 +15,10 @@ HARDENING_LEVEL=3
 DESCRIPTION="Set lockout for failed password attemps."
 PACKAGE='libpam-modules-bin'
-PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'
-FILE='/etc/pam.d/login'
+PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
+PATTERN_ACCOUNT='pam_tally[2]?\.so'
+FILE_AUTH='/etc/pam.d/common-auth'
+FILE_ACCOUNT='/etc/pam.d/common-account'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -25,11 +27,17 @@ audit () {
 crit "$PACKAGE is not installed!"
 else
 ok "$PACKAGE is installed"
- does_pattern_exist_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
 if [ $FNRET = 0 ]; then
- ok "$PATTERN is present in $FILE"
+ ok "$PATTERN_AUTH is present in $FILE_AUTH"
 else
- crit "$PATTERN is not present in $FILE"
+ crit "$PATTERN_AUTH is not present in $FILE_AUTH"
+ fi
+ does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
+ else
+ crit "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT"
 fi
 fi
 }
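Review bot: `PATTERN_ACCOUNT='pam_tally[2]?\.so'` in bin/hardening/5.3.2_enable_lockout_failed_password.sh is not anchored, so the new check in `audit()` (and the matching one in `apply()` in the next hunk) reports OK for a commented-out line such as `# account required pam_tally2.so`, or for a pam_tally entry of any other type in `/etc/pam.d/common-account`. Anchoring it the way `PATTERN_AUTH` is anchored closes that false pass: `PATTERN_ACCOUNT='^account[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'`; the expected string in tests/hardening/5.3.2_enable_lockout_failed_password.sh would need the same update. Both patterns also test presence only, so a line with a very high `deny=` or without `unlock_time=` still audits as compliant; a comment above the patterns such as `# presence check only: deny/unlock_time values are not verified` would keep readers from over-trusting the OK.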
@@ -43,13 +51,21 @@ apply () {
 crit "$PACKAGE is absent, installing it"
 apt_install $PACKAGE
 fi
- does_pattern_exist_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
 if [ $FNRET = 0 ]; then
- ok "$PATTERN is present in $FILE"
+ ok "$PATTERN_AUTH is present in $FILE_AUTH"
 else
- crit "$PATTERN is not present in $FILE"
- add_line_file_before_pattern $FILE "auth required pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set"
- fi
+ warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
+ add_line_file_before_pattern $FILE_AUTH "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
+ fi
+ does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
+ if [ $FNRET = 0 ]; then
+ ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
+ else
+ warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
+ add_line_file_before_pattern $FILE_ACCOUNT "account required pam_tally.so" "# pam-auth-update(8) for details."
+
+ fi
 }
 # This function will check config parameters required
diff --git a/bin/hardening/5.3.3_limit_password_reuse.sh b/bin/hardening/5.3.3_limit_password_reuse.sh
index 59a356d..cb16fb1 100755
--- a/bin/hardening/5.3.3_limit_password_reuse.sh
+++ b/bin/hardening/5.3.3_limit_password_reuse.sh
@@ -25,7 +25,7 @@ audit () {
 crit "$PACKAGE is not installed!"
 else
 ok "$PACKAGE is installed"
- does_pattern_exist_in_file $FILE "$PATTERN"
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
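Review bot: In `apply()` of bin/hardening/5.3.2_enable_lockout_failed_password.sh the line written to `$FILE_AUTH` names `pam_tally2.so`, but the line written to `$FILE_ACCOUNT` names `pam_tally.so`. These are two different modules that keep separate counter files, so the account entry would not act on the tally the auth entry maintains, and a `required` entry for a module that is not present on the host makes the whole account stack fail for every service that includes common-account. The audit regex accepts either name, so neither the audit nor the new test notices the mismatch. I would write `"account required pam_tally2.so"` on that line. What `add_line_file_before_pattern` does when the marker `# pam-auth-update(8) for details.` is absent is not visible in this hunk and is worth confirming, since the function logs "adding it" either way.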
@@ -43,11 +43,11 @@ apply () {
 crit "$PACKAGE is absent, installing it"
 apt_install $PACKAGE
 fi
- does_pattern_exist_in_file $FILE $PATTERN
+ does_pattern_exist_in_file $FILE "$PATTERN"
 if [ $FNRET = 0 ]; then
 ok "$PATTERN is present in $FILE"
 else
- warn "$PATTERN is not present in $FILE"
+ warn "$PATTERN is not present in $FILE, adding it"
 add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
 fi
 }
diff --git a/tests/hardening/5.3.2_enable_lockout_failed_password.sh b/tests/hardening/5.3.2_enable_lockout_failed_password.sh
index b333419..6f3e08d 100644
--- a/tests/hardening/5.3.2_enable_lockout_failed_password.sh
+++ b/tests/hardening/5.3.2_enable_lockout_failed_password.sh
@@ -6,5 +6,13 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] ^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so is present in /etc/pam.d/common-auth"
+ register_test contain "[ OK ] pam_tally[2]?\.so is present in /etc/pam.d/common-account"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/5.3.3_limit_password_reuse.sh b/tests/hardening/5.3.3_limit_password_reuse.sh
index b333419..3f24583 100644
--- a/tests/hardening/5.3.3_limit_password_reuse.sh
+++ b/tests/hardening/5.3.3_limit_password_reuse.sh
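Review bot: In `test_audit()` of tests/hardening/5.3.2_enable_lockout_failed_password.sh, `/opt/debian-cis/bin/hardening/"${script}".sh || true` throws away the exit status of the apply run, and the resolved-state assertions only look for the audit's own OK lines, whose regexes accept both `pam_tally.so` and `pam_tally2.so`. A wrong or partially written PAM line therefore still passes; the 5.3.3 test in the next file has the same shape. A comment on that line saying why the status is ignored, e.g. `# apply may exit non-zero while remediating; the audit run below is the real check`, would make the intent explicit, and an assertion on the literal line apply is expected to write would make the test sensitive to the module name. `sed -i 's/audit/enabled/'` also rewrites the first `audit` on every line of the cfg, so restricting it to the status setting is safer if other values in that file can contain the word.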
@@ -6,5 +6,12 @@ test_audit() {
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] ^password.*remember is present in /etc/pam.d/common-password"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }