From a4969e6ba66dbf78682b6e8e9a35751cdbb48c69 Mon Sep 17 00:00:00 2001 From: Charles Herlin Date: Wed, 28 Aug 2019 11:49:01 +0200 Subject: [PATCH] IMP(99.3.1): improve check with disabled passwords --- bin/hardening/99.3.1_acc_shadow_sha512.sh | 3 +++ tests/hardening/99.3.1_acc_shadow_sha512.sh | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/bin/hardening/99.3.1_acc_shadow_sha512.sh b/bin/hardening/99.3.1_acc_shadow_sha512.sh index a1ca79c..bbad9fa 100755 --- a/bin/hardening/99.3.1_acc_shadow_sha512.sh +++ b/bin/hardening/99.3.1_acc_shadow_sha512.sh @@ -31,6 +31,9 @@ audit () { passwd=$(echo "$line" | cut -d ":" -f 2) if [[ $passwd = '!' || $passwd = '*' ]]; then continue + elif [[ $passwd =~ ^!.*$ ]]; then + pw_found+="$user " + ok "User $user has a disabled password." # Check password against $6$$, see `man 3 crypt` elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then pw_found+="$user " diff --git a/tests/hardening/99.3.1_acc_shadow_sha512.sh b/tests/hardening/99.3.1_acc_shadow_sha512.sh index 546d24b..7c4dbf1 100644 --- a/tests/hardening/99.3.1_acc_shadow_sha512.sh +++ b/tests/hardening/99.3.1_acc_shadow_sha512.sh @@ -13,6 +13,12 @@ test_audit() { register_test contain "User secaudit has a password that is not SHA512 hashed" run unsecpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow + describe Fail: Found disabled password + register_test retvalshouldbe 0 + register_test contain "User secaudit has a disabled password" + run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + mv /tmp/shadow.bak /etc/shadow chpasswd << EOF secaudit:mypassword