From 4bb01e5c2eed2d4579f2d2ff805eded515a92a8f Mon Sep 17 00:00:00 2001 From: Samson-W Date: Wed, 4 Mar 2020 14:50:07 +0800 Subject: [PATCH] Modify audit and apply methods for CentOS 8 to 10.1.5 --- .../10.1.5_set_password_lock_inactive_user.sh | 91 +++++++++++++++++-- 1 file changed, 84 insertions(+), 7 deletions(-) diff --git a/bin/hardening/10.1.5_set_password_lock_inactive_user.sh b/bin/hardening/10.1.5_set_password_lock_inactive_user.sh index 2ec87d0..eb98581 100755 --- a/bin/hardening/10.1.5_set_password_lock_inactive_user.sh +++ b/bin/hardening/10.1.5_set_password_lock_inactive_user.sh @@ -7,6 +7,9 @@ # # 10.1.5 Ensure inactive password lock is 30 days or less (Scored) # Author: Samson-W (sccxboy@gmail.com) +# STIG for Ubuntu_16-04_LTS_STIG_V1R2_Manual: INACTIVE=35 +# STIG for U_Red_Hat_Enterprise_Linux_7_V2R5: INACTIVE=0 +# # set -e # One error, it's over @@ -15,19 +18,17 @@ set -u # One variable unset, it's over HARDENING_LEVEL=3 OPTIONS='INACTIVE=30' +OPTIONS_REDHAT='INACTIVE=0' SHA_FILE='/etc/shadow' DISABLE_V='-1' FILE='/etc/default/useradd' -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) INACTIVE_V=$(useradd -D | grep $SSH_PARAM | awk -F= '{print $2}') if [ $INACTIVE_V -eq $DISABLE_V ]; then crit "INACTIVE feature has disabled." - elif [ $INACTIVE_V -eq 0 ]; then - crit "INACTIVE value has disabled." elif [ $INACTIVE_V -gt $SSH_VALUE ]; then crit "INACTIVE value is greater than $SSH_VALUE day" else @@ -45,8 +46,31 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +audit_redhat () { + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + INACTIVE_V=$(useradd -D | grep $SSH_PARAM | awk -F= '{print $2}') + if [ $INACTIVE_V -eq $DISABLE_V ]; then + crit "INACTIVE feature has disabled." + elif [ $INACTIVE_V -eq $SSH_VALUE ]; then + ok "All user's INACTIVE value has set $SSH_VALUE: disables the account as soon as the password has expired" + else + crit "All user's INACTIVE value is not set $SSH_VALUE: disables the account as soon as the password has expired" + fi +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 2 ]; then + audit_redhat + else + warn "Current OS is not support!" + fi +} + +apply_debian () { SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) PATTERN="^$SSH_PARAM=$SSH_VALUE" @@ -82,9 +106,62 @@ apply () { fi } +apply_redhat () { + SSH_PARAM=$(echo $OPTIONS | cut -d= -f 1) + SSH_VALUE=$(echo $OPTIONS | cut -d= -f 2) + PATTERN="^$SSH_PARAM=$SSH_VALUE" + does_pattern_exist_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE, adding it" + does_pattern_exist_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM=$SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" + replace_in_file $FILE "^$SSH_PARAM.*" "$SSH_PARAM=$SSH_VALUE" + fi + fi + if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '{print $7}' | wc -w) -eq 0 ]; then + warn "Have least user's INACTIVE password lifttime is not set. Fixing" + for USERNAME in $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '{print $1}'); + do + chage --inactive $SSH_VALUE $USERNAME + done + else + if [ $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$7 > "'$SSH_VALUE'" {print $1}' | wc -l) -gt 0 ]; then + warn "All user's INACTIVE value is not set $SSH_VALUE, fixing it." + for USERNAME in $(egrep ^[^:]+:[^\!*] $SHA_FILE | awk -F: '$7 > "'$SSH_VALUE'" {print $1}'); + do + chage --inactive $SSH_VALUE $USERNAME + done + else + ok "All user's INACTIVE value has set $SSH_VALUE: disables the account as soon as the password has expired" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 2 ]; then + apply_redhat + else + warn "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + : + elif [ $OS_RELEASE -eq 2 ]; then + OPTIONS=$OPTIONS_REDHAT + else + warn "Current OS is not support!" + fi } # Source Root Dir Parameter