From c863a013051d5d91b95a3f10414e9b5c07f5c878 Mon Sep 17 00:00:00 2001
From: Charles Herlin
Date: Wed, 11 Sep 2019 15:40:00 +0200
Subject: [PATCH] Renum 9.2.x to 5.3.x Pam password settings

renamed: bin/hardening/9.2.1_enable_cracklib.sh -> bin/hardening/5.3.1_enable_cracklib.sh
renamed: bin/hardening/9.2.2_enable_lockout_failed_password.sh -> bin/hardening/5.3.2_enable_lockout_failed_password.sh
renamed: bin/hardening/9.2.3_limit_password_reuse.sh -> bin/hardening/5.3.3_limit_password_reuse.sh
renamed: tests/hardening/9.2.1_enable_cracklib.sh -> tests/hardening/5.3.1_enable_cracklib.sh
renamed: tests/hardening/9.2.3_limit_password_reuse.sh -> tests/hardening/5.3.2_enable_lockout_failed_password.sh
renamed: tests/hardening/9.2.2_enable_lockout_failed_password.sh -> tests/hardening/5.3.3_limit_password_reuse.sh
---
 ...e_cracklib.sh => 5.3.1_enable_cracklib.sh} | 38 +++++++++++++++----
 ...> 5.3.2_enable_lockout_failed_password.sh} | 2 +-
 ...reuse.sh => 5.3.3_limit_password_reuse.sh} | 2 +-
 ...word_reuse.sh => 5.3.1_enable_cracklib.sh} | 4 ++
 ...> 5.3.2_enable_lockout_failed_password.sh} | 0
 ...sword.sh => 5.3.3_limit_password_reuse.sh} | 0
 6 files changed, 37 insertions(+), 9 deletions(-)
 rename bin/hardening/{9.2.1_enable_cracklib.sh => 5.3.1_enable_cracklib.sh} (62%)
 rename bin/hardening/{9.2.2_enable_lockout_failed_password.sh => 5.3.2_enable_lockout_failed_password.sh} (96%)
 rename bin/hardening/{9.2.3_limit_password_reuse.sh => 5.3.3_limit_password_reuse.sh} (97%)
 rename tests/hardening/{9.2.3_limit_password_reuse.sh => 5.3.1_enable_cracklib.sh} (82%)
 rename tests/hardening/{9.2.1_enable_cracklib.sh => 5.3.2_enable_lockout_failed_password.sh} (100%)
 rename tests/hardening/{9.2.2_enable_lockout_failed_password.sh => 5.3.3_limit_password_reuse.sh} (100%)
diff --git a/bin/hardening/9.2.1_enable_cracklib.sh b/bin/hardening/5.3.1_enable_cracklib.sh
similarity index 62%
rename from bin/hardening/9.2.1_enable_cracklib.sh
rename to bin/hardening/5.3.1_enable_cracklib.sh
index 7d326f2..e2a439a 100755
--- a/bin/hardening/9.2.1_enable_cracklib.sh
+++ b/bin/hardening/5.3.1_enable_cracklib.sh
@@ -5,7 +5,7 @@
 #
 #
-# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+# 5.3.1 Ensure password creation requirements are configured (Scored)
 #
 set -e # One error, it's over
@@ -14,9 +14,13 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=2
 DESCRIPTION="Set password creation requirement parameters using pam.cracklib."
-PACKAGE='libpam-cracklib'
-PATTERN='^password.*pam_cracklib.so'
-FILE='/etc/pam.d/common-password'
+PACKAGE='libpam-pwquality'
+
+PATTERN_COMMON="pam_pwquality.so"
+FILE_COMMON="/etc/pam.d/common-password"
+
+PATTERNS_QUALITY=""
+FILE_QUALITY="/etc/security/pwquality.conf"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -25,12 +29,23 @@ audit () {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
         if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN_COMMON is present in $FILE_COMMON"
         else
-            crit "$PATTERN is not present in $FILE"
+            crit "$PATTERN_COMMON is not present in $FILE_COMMON"
         fi
+        for PATTERN in $PATTERNS_QUALITY; do
+            OPTION=$(cut -d = -f 1 <<< $PATTERN)
+            PARAM=$(cut -d = -f 2 <<< $PATTERN)
+            PATTERN="$OPTION *= *$PARAM"
+            does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE_QUALITY"
+            else
+                crit "$PATTERN is not present in $FILE_QUALITY"
+            fi
+        done
     fi
 }
@@ -52,6 +67,15 @@ apply () {
     fi
 }
+# This function will create the config file for this check with default values
+create_config() {
+    cat <
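Review bot: `PATTERNS_QUALITY=""` is empty, so the `for PATTERN in $PATTERNS_QUALITY` loop added in the next hunk never iterates and `/etc/security/pwquality.conf` is never audited; as committed, the check only confirms that the package is installed and that the module name appears in common-password. The replacement `PATTERN_COMMON="pam_pwquality.so"` also drops the `^password.*` anchor the removed `PATTERN` carried, so if `does_pattern_exist_in_file` greps the file for its pattern, as that anchor suggests, a commented-out `# password requisite pam_pwquality.so` line would satisfy the audit. I would keep the anchor, `PATTERN_COMMON="^password.*pam_pwquality.so"`, and give `PATTERNS_QUALITY` the `option=value` pairs the check is meant to enforce (illustrative: `PATTERNS_QUALITY="minlen=14"`). The `create_config` function the last hunk begins is cut off here, so it may be intended to populate these values; if so, a comment on `PATTERNS_QUALITY` saying where it is filled in would save the next reader the search.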
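Review bot: `does_pattern_exist_in_file $FILE_QUALITY $PATTERN` passes `$PATTERN` unquoted, and at that point it holds `"$OPTION *= *$PARAM"`, which contains spaces, so the shell splits it into three arguments and expands the `*=` and `*$PARAM` words as globs against the current directory. If the helper takes the pattern as its second argument, as the `$FILE_COMMON $PATTERN_COMMON` call above it does, it then only looks for `$OPTION`, so an option present with the wrong value, or commented out, still reports `ok`. Quote both arguments, `does_pattern_exist_in_file "$FILE_QUALITY" "$PATTERN"`, and the two here-strings `<<< "$PATTERN"` for the same reason. `cut -d = -f 2` additionally drops anything after a second `=` in a value; `-f 2-` keeps it. The enclosing `audit` function starts before this hunk.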