diff --git a/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh b/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
index a706c8b..dc04042 100755
--- a/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
+++ b/bin/hardening/99.5.4.5.1_acc_logindefs_sha512.sh
@@ -49,7 +49,6 @@ apply() {
 info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
 replace_in_file "$CONF_FILE" "^$(echo "$CONF_LINE" | cut -d ' ' -f1)[[:space:]]*.*" "$CONF_LINE"
 fi
- /etc/init.d/ssh reload >/dev/null 2>&1
 fi
 }
diff --git a/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh b/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh
index 9613aa3..1e76138 100755
--- a/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh
+++ b/bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh
@@ -37,7 +37,7 @@ audit() {
 pw_found+="$user "
 ok "User $user has a disabled password."
 # Check password against $6$$, see `man 3 crypt`
- elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
+ elif [[ $passwd =~ ^\$6(\$rounds=[0-9]+)?\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
 pw_found+="$user "
 ok "User $user has suitable SHA512 hashed password."
 else
diff --git a/tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh b/tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh
index 1c7b7cd..25e176a 100644
--- a/tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh
+++ b/tests/hardening/99.5.4.5.2_acc_shadow_sha512.sh
@@ -29,4 +29,12 @@ EOF
 register_test retvalshouldbe 0
 register_test contain "User secaudit has suitable SHA512 hashed password"
 run sha512pass /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ chpasswd -c SHA512 -s 1000 <
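Review bot: In the audit() hunk of bin/hardening/99.5.4.5.2_acc_shadow_sha512.sh, the new optional group `(\$rounds=[0-9]+)?` accepts any digit string, so a hash created with a work factor below the SHA-crypt default of 5000 rounds is still reported as "suitable" (the test hunk appears to exercise exactly that with `-s 1000`, though it is cut off here). If a reduced round count should not pass a hardening audit, capture the value with `(\$rounds=([0-9]+))?` and call `ok` only when `(( ${BASH_REMATCH[2]:-5000} >= MIN_ROUNDS ))` holds, where `MIN_ROUNDS` is a placeholder for a threshold the check would have to define. The comment above the branch still describes only `$6$$` and should mention the optional `rounds=N` field. audit() starts and ends outside the hunk, so how the else branch reports a failure is not visible.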