IMP(99.3.1): improve check with disabled passwords

2024-11-22 13:37:02 +01:00 · 2019-08-28 11:49:01 +02:00 · 2019-08-28 11:49:01 +02:00 · a4969e6ba6
commit a4969e6ba6
parent 96f3b74334
2 changed files with 9 additions and 0 deletions
--- a/bin/hardening/99.3.1_acc_shadow_sha512.sh
+++ b/bin/hardening/99.3.1_acc_shadow_sha512.sh
@ -31,6 +31,9 @@ audit () {
        passwd=$(echo "$line" | cut -d ":" -f 2)
        if [[ $passwd = '!' || $passwd = '*' ]]; then
            continue
+        elif [[ $passwd =~ ^!.*$ ]]; then
+            pw_found+="$user "
+            ok "User $user has a disabled password."
        # Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
        elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
            pw_found+="$user "
--- a/tests/hardening/99.3.1_acc_shadow_sha512.sh
+++ b/tests/hardening/99.3.1_acc_shadow_sha512.sh
@ -13,6 +13,12 @@ test_audit() {
    register_test contain "User secaudit has a password that is not SHA512 hashed"
    run unsecpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow
+    describe Fail: Found disabled password
+    register_test retvalshouldbe 0
+    register_test contain "User secaudit has a disabled password"
+    run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
    mv /tmp/shadow.bak /etc/shadow
    chpasswd << EOF
 secaudit:mypassword