mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-26 07:21:22 +01:00
IMP(5.3.1): add test and config function for check
This commit is contained in:
parent
774af39a34
commit
feefee28e4
@ -16,11 +16,11 @@ DESCRIPTION="Set password creation requirement parameters using pam.cracklib."
|
|||||||
|
|
||||||
PACKAGE='libpam-pwquality'
|
PACKAGE='libpam-pwquality'
|
||||||
|
|
||||||
PATTERN_COMMON="pam_pwquality.so"
|
PATTERN_COMMON='pam_pwquality.so'
|
||||||
FILE_COMMON="/etc/pam.d/common-password"
|
FILE_COMMON='/etc/pam.d/common-password'
|
||||||
|
|
||||||
PATTERNS_QUALITY=""
|
OPTIONS=''
|
||||||
FILE_QUALITY="/etc/security/pwquality.conf"
|
FILE_QUALITY='/etc/security/pwquality.conf'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
@ -35,11 +35,12 @@ audit () {
|
|||||||
else
|
else
|
||||||
crit "$PATTERN_COMMON is not present in $FILE_COMMON"
|
crit "$PATTERN_COMMON is not present in $FILE_COMMON"
|
||||||
fi
|
fi
|
||||||
for PATTERN in $PATTERNS_QUALITY; do
|
for PW_OPT in $OPTIONS; do
|
||||||
OPTION=$(cut -d = -f 1 <<< $PATTERN)
|
PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
|
||||||
PARAM=$(cut -d = -f 2 <<< $PATTERN)
|
PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
|
||||||
PATTERN="$OPTION *= *$PARAM"
|
PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
|
||||||
does_pattern_exist_in_file $FILE_QUALITY $PATTERN
|
does_pattern_exist_in_file $FILE_QUALITY "$PATTERN"
|
||||||
|
|
||||||
if [ $FNRET = 0 ]; then
|
if [ $FNRET = 0 ]; then
|
||||||
ok "$PATTERN is present in $FILE_QUALITY"
|
ok "$PATTERN is present in $FILE_QUALITY"
|
||||||
else
|
else
|
||||||
@ -58,13 +59,32 @@ apply () {
|
|||||||
crit "$PACKAGE is absent, installing it"
|
crit "$PACKAGE is absent, installing it"
|
||||||
apt_install $PACKAGE
|
apt_install $PACKAGE
|
||||||
fi
|
fi
|
||||||
does_pattern_exist_in_file $FILE $PATTERN
|
does_pattern_exist_in_file $FILE_COMMON $PATTERN_COMMON
|
||||||
if [ $FNRET = 0 ]; then
|
if [ $FNRET = 0 ]; then
|
||||||
ok "$PATTERN is present in $FILE"
|
ok "$PATTERN_COMMON is present in $FILE_COMMON"
|
||||||
else
|
else
|
||||||
crit "$PATTERN is not present in $FILE"
|
warn "$PATTERN_COMMON is not present in $FILE_COMMON"
|
||||||
add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details."
|
add_line_file_before_pattern $FILE_COMMON "password requisite pam_pwquality.so retry=3" "# pam-auth-update(8) for details."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
for PW_OPT in $OPTIONS; do
|
||||||
|
PW_PARAM=$(echo $PW_OPT | cut -d= -f1)
|
||||||
|
PW_VALUE=$(echo $PW_OPT | cut -d= -f2)
|
||||||
|
PATTERN="^$PW_PARAM[[:space:]]+=[[:space:]]+$PW_VALUE"
|
||||||
|
does_pattern_exist_in_file $FILE_QUALITY $PATTERN
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$PATTERN is present in $FILE_QUALITY"
|
||||||
|
else
|
||||||
|
warn "$PATTERN is not present in $FILE_QUALITY, adding it"
|
||||||
|
does_pattern_exist_in_file $FILE_QUALITY "^$PW_PARAM"
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
add_end_of_file $FILE_QUALITY "$PW_PARAM = $PW_VALUE"
|
||||||
|
else
|
||||||
|
info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
|
||||||
|
replace_in_file $FILE_QUALITY "^$PW_PARAM*.*" "$PW_PARAM = $PW_VALUE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will create the config file for this check with default values
|
# This function will create the config file for this check with default values
|
||||||
@ -72,7 +92,7 @@ create_config() {
|
|||||||
cat <<EOF
|
cat <<EOF
|
||||||
status=audit
|
status=audit
|
||||||
# Put your custom configuration here
|
# Put your custom configuration here
|
||||||
PATTERNS_QUALITY="^minlen=14 ^dcredit=-1 ^ucredit=-1 ^ocredit=-1 ^lcredit=-1"
|
OPTIONS="minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -5,10 +5,22 @@ test_audit() {
|
|||||||
apt-get install -y libpam-pwquality
|
apt-get install -y libpam-pwquality
|
||||||
|
|
||||||
describe Running on blank host
|
describe Running on blank host
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 1
|
||||||
dismiss_count_for_test
|
register_test contain "libpam-pwquality is installed"
|
||||||
# shellcheck disable=2154
|
# shellcheck disable=2154
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
describe Correcting situation
|
||||||
|
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||||
|
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||||
|
|
||||||
|
describe Checking resolved state
|
||||||
|
register_test retvalshouldbe 0
|
||||||
|
register_test contain "[ OK ] pam_pwquality.so is present in /etc/pam.d/common-password"
|
||||||
|
register_test contain "[ OK ] ^minlen[[:space:]]+=[[:space:]]+14 is present in /etc/security/pwquality.conf"
|
||||||
|
register_test contain "[ OK ] ^dcredit[[:space:]]+=[[:space:]]+-1 is present in /etc/security/pwquality.conf"
|
||||||
|
register_test contain "[ OK ] ^ucredit[[:space:]]+=[[:space:]]+-1 is present in /etc/security/pwquality.conf"
|
||||||
|
register_test contain "[ OK ] ^ocredit[[:space:]]+=[[:space:]]+-1 is present in /etc/security/pwquality.conf"
|
||||||
|
register_test contain "[ OK ] ^lcredit[[:space:]]+=[[:space:]]+-1 is present in /etc/security/pwquality.con"
|
||||||
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user