elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 13:37:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

IMP(5.3.1,5.3.2): add tests and upgrade PAM conf

Browse Source
This commit is contained in:
Thibault Ayanides 2020-10-29 16:45:15 +01:00
parent feefee28e4
commit 8af91dd6a8
4 changed files with 46 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
bin/hardening/5.3.2_enable_lockout_failed_password.sh
View File

@ -15,8 +15,10 @@ HARDENING_LEVEL=3
DESCRIPTION="Set lockout for failed password attemps." DESCRIPTION="Set lockout for failed password attemps."
PACKAGE='libpam-modules-bin' PACKAGE='libpam-modules-bin'
PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so' PATTERN_AUTH='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so'
FILE='/etc/pam.d/login' PATTERN_ACCOUNT='pam_tally[2]?\.so'
FILE_AUTH='/etc/pam.d/common-auth'
FILE_ACCOUNT='/etc/pam.d/common-account'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -25,11 +27,17 @@ audit () {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN_AUTH is present in $FILE_AUTH"
else else
crit "$PATTERN is not present in $FILE" crit "$PATTERN_AUTH is not present in $FILE_AUTH"
fi
does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
if [ $FNRET = 0 ]; then
ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
else
crit "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT"
fi fi
fi fi
} }
@ -43,13 +51,21 @@ apply () {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE_AUTH "$PATTERN_AUTH"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN_AUTH is present in $FILE_AUTH"
else else
crit "$PATTERN is not present in $FILE" warn "$PATTERN_AUTH is not present in $FILE_AUTH, adding it"
add_line_file_before_pattern $FILE "auth required pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set" add_line_file_before_pattern $FILE_AUTH "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" "# pam-auth-update(8) for details."
fi fi
does_pattern_exist_in_file $FILE_ACCOUNT "$PATTERN_ACCOUNT"
if [ $FNRET = 0 ]; then
ok "$PATTERN_ACCOUNT is present in $FILE_ACCOUNT"
else
warn "$PATTERN_ACCOUNT is not present in $FILE_ACCOUNT, adding it"
add_line_file_before_pattern $FILE_ACCOUNT "account required pam_tally.so" "# pam-auth-update(8) for details."
fi
} }
# This function will check config parameters required # This function will check config parameters required

6
bin/hardening/5.3.3_limit_password_reuse.sh
View File

@ -25,7 +25,7 @@ audit () {
crit "$PACKAGE is not installed!" crit "$PACKAGE is not installed!"
else else
ok "$PACKAGE is installed" ok "$PACKAGE is installed"
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
@ -43,11 +43,11 @@ apply () {
crit "$PACKAGE is absent, installing it" crit "$PACKAGE is absent, installing it"
apt_install $PACKAGE apt_install $PACKAGE
fi fi
does_pattern_exist_in_file $FILE $PATTERN does_pattern_exist_in_file $FILE "$PATTERN"
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "$PATTERN is present in $FILE" ok "$PATTERN is present in $FILE"
else else
warn "$PATTERN is not present in $FILE" warn "$PATTERN is not present in $FILE, adding it"
add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details." add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details."
fi fi
} }

10
tests/hardening/5.3.2_enable_lockout_failed_password.sh
View File

@ -6,5 +6,13 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] ^auth[[:space:]]*required[[:space:]]*pam_tally[2]?\.so is present in /etc/pam.d/common-auth"
register_test contain "[ OK ] pam_tally[2]?\.so is present in /etc/pam.d/common-account"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }

9
tests/hardening/5.3.3_limit_password_reuse.sh
View File

@ -6,5 +6,12 @@ test_audit() {
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests describe Correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "[ OK ] ^password.*remember is present in /etc/pam.d/common-password"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
} }