|
| 1 | +#!/bin/bash |
| 2 | + |
| 3 | +# run-shellcheck |
| 4 | +# |
| 5 | +# CIS Debian Hardening |
| 6 | +# |
| 7 | + |
| 8 | +# |
| 9 | +# Ensure pam_pwhistory module is enabled (Automated) |
| 10 | +# |
| 11 | + |
| 12 | +set -e # One error, it's over |
| 13 | +set -u # One variable unset, it's over |
| 14 | + |
| 15 | +# shellcheck disable=2034 |
| 16 | +HARDENING_LEVEL=3 |
| 17 | +# shellcheck disable=2034 |
| 18 | +DESCRIPTION="Ensure use_authtok is enabled " |
| 19 | + |
| 20 | +PAM_FILE="/etc/pam.d/common-password" |
| 21 | +PAM_PATTERN="^[^#]pam_unix.so.*use_authtok" |
| 22 | + |
| 23 | +# This function will be called if the script status is on enabled / audit mode |
| 24 | +audit() { |
| 25 | + PAM_VALID=1 |
| 26 | + |
| 27 | + if $SUDO_CMD grep "$PAM_PATTERN" "$PAM_FILE" 2>/dev/null; then |
| 28 | + ok "use_authtok is enabled" |
| 29 | + PAM_VALID=0 |
| 30 | + else |
| 31 | + crit "use_authtok is not enabled" |
| 32 | + fi |
| 33 | +} |
| 34 | + |
| 35 | +# This function will be called if the script status is on enabled mode |
| 36 | +apply() { |
| 37 | + if [ "$PAM_VALID" -ne 0 ]; then |
| 38 | + # we need to configure it in files present in /usr/share/pam-configs/, in the "Password" sections, but not in |
| 39 | + # the "Password-Initial" section |
| 40 | + local output_file="/$HOME/use_authtok_awk_output" |
| 41 | + |
| 42 | + for pam_file in /usr/share/pam-configs/*; do |
| 43 | + # if we are in section "Password", f=1 |
| 44 | + # if we are in any section (line starting by any word ending with ':') but not in "Password" section, f=0 |
| 45 | + # if f==1 then check for pam_unix.so and use_authtok, and add the later if absent |
| 46 | + # use a temporary file, as we can not replace in place |
| 47 | + awk '/Password:/ {f=1} /[a-zA-Z].*:/ && ! /Password:/ {f=0} f{if (/pam_unix\.so/ && ! /use_authtok/) sub("pam_unix.so","pam_unix.so use_authtok")} {print}' "$pam_file" >"$output_file" |
| 48 | + |
| 49 | + does_file_exist "$output_file" |
| 50 | + if [ "$FNRET" -eq 0 ]; then |
| 51 | + pam_file_basename=$(basename "$pam_file") |
| 52 | + |
| 53 | + info "backup $pam_file to $HOME" |
| 54 | + mv "$pam_file" "$HOME"/"$pam_file_basename"_"$(date +%s)" |
| 55 | + info "replace $pam_file" |
| 56 | + mv "$output_file" "$pam_file" |
| 57 | + rm -f "$output_file" |
| 58 | + |
| 59 | + info "Applying 'pam-auth-update' to enable use_authtok" |
| 60 | + DEBIAN_FRONTEND='noninteractive' pam-auth-update --force --enable "$pam_file_basename" |
| 61 | + fi |
| 62 | + |
| 63 | + done |
| 64 | + fi |
| 65 | +} |
| 66 | + |
| 67 | +# This function will check config parameters required |
| 68 | +check_config() { |
| 69 | + : |
| 70 | +} |
| 71 | + |
| 72 | +# Source Root Dir Parameter |
| 73 | +if [ -r /etc/default/cis-hardening ]; then |
| 74 | + # shellcheck source=../../debian/default |
| 75 | + . /etc/default/cis-hardening |
| 76 | +fi |
| 77 | +if [ -z "$CIS_LIB_DIR" ]; then |
| 78 | + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." |
| 79 | + echo "Cannot source CIS_LIB_DIR variable, aborting." |
| 80 | + exit 128 |
| 81 | +fi |
| 82 | + |
| 83 | +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) |
| 84 | +if [ -r "${CIS_LIB_DIR}"/main.sh ]; then |
| 85 | + # shellcheck source=../../lib/main.sh |
| 86 | + . "${CIS_LIB_DIR}"/main.sh |
| 87 | +else |
| 88 | + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" |
| 89 | + exit 128 |
| 90 | +fi |
0 commit comments