mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-25 23:11:24 +01:00
IMP(5.3.1,5.3.2): add tests and upgrade PAM conf
This commit is contained in:
parent
feefee28e4
commit
8af91dd6a8
@ -15,8 +15,10 @@ HARDENING_LEVEL=3
|
|||||||
DESCRIPTION="Set lockout for failed password attemps."
|
DESCRIPTION="Set lockout for failed password attemps."
|
||||||
|
|
||||||
PACKAGE='libpam-modules-bin'
|
PACKAGE='libpam-modules-bin'
|
||||||
PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'
|
PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
|
||||||
FILE='/etc/pam.d/login'
|
PATTERN_ACCOUNT='pam_tally[2]?\.so'
|
||||||
|
FILE_AUTH='/etc/pam.d/common-auth'
|
||||||
|
FILE_ACCOUNT='/etc/pam.d/common-account'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
@ -25,11 +27,17 @@ audit () {
|
|||||||
crit "$PACKAGE is not installed!"
|
crit "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
does_pattern_exist_in_file $FILE $PATTERN
|
does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
|
||||||
if [ $FNRET = 0 ]; then
|
if [ $FNRET = 0 ]; then
|
||||||
ok "$PATTERN is present in $FILE"
|
ok "$PATTERN_AUTH is present in $FILE_AUTH"
|
||||||
else
|
else
|
||||||
crit "$PATTERN is not present in $FILE"
|
crit "$PATTERN_AUTH is not present in $FILE_AUTH"
|
||||||
|
fi
|
||||||
|
does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
|
||||||
|
else
|
||||||
|
crit "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@ -43,12 +51,20 @@ apply () {
|
|||||||
crit "$PACKAGE is absent, installing it"
|
crit "$PACKAGE is absent, installing it"
|
||||||
apt_install $PACKAGE
|
apt_install $PACKAGE
|
||||||
fi
|
fi
|
||||||
does_pattern_exist_in_file $FILE $PATTERN
|
does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
|
||||||
if [ $FNRET = 0 ]; then
|
if [ $FNRET = 0 ]; then
|
||||||
ok "$PATTERN is present in $FILE"
|
ok "$PATTERN_AUTH is present in $FILE_AUTH"
|
||||||
else
|
else
|
||||||
crit "$PATTERN is not present in $FILE"
|
warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
|
||||||
add_line_file_before_pattern $FILE "auth required pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set"
|
add_line_file_before_pattern $FILE_AUTH "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
|
||||||
|
fi
|
||||||
|
does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
|
||||||
|
else
|
||||||
|
warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
|
||||||
|
add_line_file_before_pattern $FILE_ACCOUNT "account required pam_tally.so" "# pam-auth-update(8) for details."
|
||||||
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -25,7 +25,7 @@ audit () {
|
|||||||
crit "$PACKAGE is not installed!"
|
crit "$PACKAGE is not installed!"
|
||||||
else
|
else
|
||||||
ok "$PACKAGE is installed"
|
ok "$PACKAGE is installed"
|
||||||
does_pattern_exist_in_file $FILE $PATTERN
|
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||||
if [ $FNRET = 0 ]; then
|
if [ $FNRET = 0 ]; then
|
||||||
ok "$PATTERN is present in $FILE"
|
ok "$PATTERN is present in $FILE"
|
||||||
else
|
else
|
||||||
@ -43,11 +43,11 @@ apply () {
|
|||||||
crit "$PACKAGE is absent, installing it"
|
crit "$PACKAGE is absent, installing it"
|
||||||
apt_install $PACKAGE
|
apt_install $PACKAGE
|
||||||
fi
|
fi
|
||||||
does_pattern_exist_in_file $FILE $PATTERN
|
does_pattern_exist_in_file $FILE "$PATTERN"
|
||||||
if [ $FNRET = 0 ]; then
|
if [ $FNRET = 0 ]; then
|
||||||
ok "$PATTERN is present in $FILE"
|
ok "$PATTERN is present in $FILE"
|
||||||
else
|
else
|
||||||
warn "$PATTERN is not present in $FILE"
|
warn "$PATTERN is not present in $FILE, adding it"
|
||||||
add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
|
add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -6,5 +6,13 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
describe Correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "[ OK ] ^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so is present in /etc/pam.d/common-auth"
|
||||||
|
register_test contain "[ OK ] pam_tally[2]?\.so is present in /etc/pam.d/common-account"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -6,5 +6,12 @@ test_audit() {
|
|||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
describe Correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "[ OK ] ^password.*remember is present in /etc/pam.d/common-password"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user