mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-25 23:11:24 +01:00
IMP(99.3.1): improve check with disabled passwords
This commit is contained in:
parent
96f3b74334
commit
a4969e6ba6
@ -31,6 +31,9 @@ audit () {
|
|||||||
passwd=$(echo "$line" | cut -d ":" -f 2)
|
passwd=$(echo "$line" | cut -d ":" -f 2)
|
||||||
if [[ $passwd = '!' || $passwd = '*' ]]; then
|
if [[ $passwd = '!' || $passwd = '*' ]]; then
|
||||||
continue
|
continue
|
||||||
|
elif [[ $passwd =~ ^!.*$ ]]; then
|
||||||
|
pw_found+="$user "
|
||||||
|
ok "User $user has a disabled password."
|
||||||
# Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
|
# Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
|
||||||
elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
|
elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
|
||||||
pw_found+="$user "
|
pw_found+="$user "
|
||||||
|
@ -13,6 +13,12 @@ test_audit() {
|
|||||||
register_test contain "User secaudit has a password that is not SHA512 hashed"
|
register_test contain "User secaudit has a password that is not SHA512 hashed"
|
||||||
run unsecpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run unsecpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
|
sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow
|
||||||
|
describe Fail: Found disabled password
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "User secaudit has a disabled password"
|
||||||
|
run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
mv /tmp/shadow.bak /etc/shadow
|
mv /tmp/shadow.bak /etc/shadow
|
||||||
chpasswd << EOF
|
chpasswd << EOF
|
||||||
secaudit:mypassword
|
secaudit:mypassword
|
||||||
|
Loading…
Reference in New Issue
Block a user