diff --git a/bin/hardening/9.2.1_enable_cracklib.sh b/bin/hardening/5.3.1_enable_cracklib.sh
similarity index 62%
rename from bin/hardening/9.2.1_enable_cracklib.sh
rename to bin/hardening/5.3.1_enable_cracklib.sh
index 7d326f2..e2a439a 100755
--- a/bin/hardening/9.2.1_enable_cracklib.sh
+++ b/bin/hardening/5.3.1_enable_cracklib.sh
@@ -5,7 +5,7 @@
 #
 #
-# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+# 5.3.1 Ensure password creation requirements are configured (Scored)
 #
 set -e # One error, it's over
@@ -14,9 +14,13 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=2
 DESCRIPTION="Set password creation requirement parameters using pam.cracklib."
-PACKAGE='libpam-cracklib'
-PATTERN='^password.*pam_cracklib.so'
-FILE='/etc/pam.d/common-password'
+PACKAGE='libpam-pwquality'
+
+PATTERN_COMMON="pam_pwquality.so"
+FILE_COMMON="/etc/pam.d/common-password"
+
+PATTERNS_QUALITY=""
+FILE_QUALITY="/etc/security/pwquality.conf"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -25,12 +29,23 @@ audit () {
 crit "$PACKAGE is not installed!"
 else
 ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
 if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN_COMMON is present in $FILE_COMMON"
 else
-            crit "$PATTERN is not present in $FILE"
+            crit "$PATTERN_COMMON is not present in $FILE_COMMON"
 fi
+        for PATTERN in $PATTERNS_QUALITY; do
+            OPTION=$(cut -d = -f 1 <<< $PATTERN)
+            PARAM=$(cut -d = -f 2 <<< $PATTERN)
+            PATTERN="$OPTION *= *$PARAM"
+            does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE_QUALITY"
+            else
+                crit "$PATTERN is not present in $FILE_QUALITY"
+            fi
+        done
 fi
 }
@@ -52,6 +67,15 @@ apply () {
 fi
 }
+# This function will create the config file for this check with default values
+create_config() {
+    cat <
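Review bot: `PATTERN_COMMON="pam_pwquality.so"` in the second hunk drops the `^password.*` anchor that the removed `PATTERN='^password.*pam_cracklib.so'` carried, so a commented-out `# password ... pam_pwquality.so` line in common-password would now satisfy the audit and report ok although the module is not active. Keep the anchor: `PATTERN_COMMON='^password.*pam_pwquality.so'`. The same hunk sets `PATTERNS_QUALITY=""`; unless the create_config added in the last hunk (cut off at the end of this patch) populates it from the check's configuration file, the pwquality loop in audit never iterates and the check reduces to a presence test for the module, which is worth stating in the comment above the assignment, e.g. `# space-separated option=value pairs expected in pwquality.conf; empty means only module presence is audited`.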
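Review bot: In the audit hunk, `does_pattern_exist_in_file $FILE_QUALITY $PATTERN` passes `$PATTERN` unquoted although the line before rewrites it to `"$OPTION *= *$PARAM"`, which contains spaces; the shell word-splits it into three arguments (and `*=` / `*$PARAM` are subject to glob expansion against the current directory), so if the helper reads its pattern from `$2` only the bare option name is searched for, and any occurrence of the option name passes. The regex is also unanchored, so a commented default such as `# minlen = 8`, which pwquality.conf ships with in its stock form, would match and produce a false ok. Quote the arguments and anchor the option at line start: `does_pattern_exist_in_file "$FILE_QUALITY" "^$OPTION *= *$PARAM"`, and likewise `OPTION=$(cut -d = -f 1 <<< "$PATTERN")` / `PARAM=$(cut -d = -f 2 <<< "$PATTERN")`. audit() begins above this hunk.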