Renum 9.2.x to 5.3.x Pam password settings

renamed:    bin/hardening/9.2.1_enable_cracklib.sh -> bin/hardening/5.3.1_enable_cracklib.sh
	renamed:    bin/hardening/9.2.2_enable_lockout_failed_password.sh -> bin/hardening/5.3.2_enable_lockout_failed_password.sh
	renamed:    bin/hardening/9.2.3_limit_password_reuse.sh -> bin/hardening/5.3.3_limit_password_reuse.sh
	renamed:    tests/hardening/9.2.1_enable_cracklib.sh -> tests/hardening/5.3.1_enable_cracklib.sh
	renamed:    tests/hardening/9.2.3_limit_password_reuse.sh -> tests/hardening/5.3.2_enable_lockout_failed_password.sh
	renamed:    tests/hardening/9.2.2_enable_lockout_failed_password.sh -> tests/hardening/5.3.3_limit_password_reuse.sh

bin/hardening/5.3.1_enable_cracklib.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
+# 5.3.1 Ensure password creation requirements are configured (Scored)
 #
 
 set -e # One error, it's over
@@ -14,9 +14,13 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=2
 DESCRIPTION="Set password creation requirement parameters using pam.cracklib."
 
-PACKAGE='libpam-cracklib'
+PACKAGE='libpam-pwquality'
-PATTERN='^password.*pam_cracklib.so'
+
-FILE='/etc/pam.d/common-password'
+PATTERN_COMMON="pam_pwquality.so"
+FILE_COMMON="/etc/pam.d/common-password"
+
+PATTERNS_QUALITY=""
+FILE_QUALITY="/etc/security/pwquality.conf"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
@@ -25,12 +29,23 @@ audit () {
         crit "$PACKAGE is not installed!"
     else
         ok "$PACKAGE is installed"
-        does_pattern_exist_in_file $FILE $PATTERN
+        does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
         if [ $FNRET = 0 ]; then
-            ok "$PATTERN is present in $FILE"
+            ok "$PATTERN_COMMON is present in $FILE_COMMON"
         else
-            crit "$PATTERN is not present in $FILE"
+            crit "$PATTERN_COMMON is not present in $FILE_COMMON"
         fi
+        for PATTERN in $PATTERNS_QUALITY; do
+            OPTION=$(cut -d = -f 1 <<< $PATTERN)
+            PARAM=$(cut -d = -f 2 <<< $PATTERN)
+            PATTERN="$OPTION *= *$PARAM"
+            does_pattern_exist_in_file $FILE_QUALITY $PATTERN
+            if [ $FNRET = 0 ]; then
+                ok "$PATTERN is present in $FILE_QUALITY"
+            else
+                crit "$PATTERN is not present in $FILE_QUALITY"
+            fi
+        done
     fi
 }
 
@@ -52,6 +67,15 @@ apply () {
     fi 
 }
 
+# This function will create the config file for this check with default values
+create_config() {
+    cat <<EOF
+status=audit
+# Put your custom configuration here
+PATTERNS_QUALITY="^minlen=14 ^dcredit=-1 ^ucredit=-1 ^ocredit=-1 ^lcredit=-1"
+EOF
+}
+
 # This function will check config parameters required
 check_config() {
     :

bin/hardening/5.3.2_enable_lockout_failed_password.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 9.2.2 Set Lockout for Failed Password Attempts (Not Scored)
+# 5.3.2 Ensure lockout for failed password attempts is configured (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/5.3.3_limit_password_reuse.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 9.2.3 Limit Password Reuse (Scored)
+# 5.3.3 Ensure password reuse is limited (Scored)
 #
 
 set -e # One error, it's over

tests/hardening/5.3.1_enable_cracklib.sh

@@ -1,5 +1,9 @@
 # run-shellcheck
 test_audit() {
+
+    apt update
+    apt-get install -y libpam-pwquality
+
     describe Running on blank host
     register_test retvalshouldbe 0
     dismiss_count_for_test