
Commit aced6e6

author
Samson.W
authored
Merge pull request #34 from Samson-W/master
Fix a bug: Replaced pam_tally2 with pam_faillock in debian 11.
2 parents 0d85939 + 79670bd commit aced6e6


5 files changed

+358
-29
lines changed


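--- a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
+++ b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
@@ -6,6 +6,7 @@
 
 #
 # 8.1.26 Recored pam_tally/pam_tally2 command usage(Only for Debian) (Scored)
+# Replaced pam_tally2 with faillock in debian 11
 # Author : Samson wen, Samson <sccxboy@gmail.com> Author add this
 #
 
@@ -74,13 +75,23 @@ apply () {
 }
 
 # This function will check config parameters required
+# Replaced pam_tally2 with faillock in debian 11
 check_config() {
+is_debian_11
 if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
+if [ $FNRET = 1 ]; then
 AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -k privileged-pam
 -a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -k privileged-pam'
+elif [ $FNRET = 0 ]; then
+AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/faillock -F perm=wxa -k privileged-pam'
+fi
 else
+if [ $FNRET = 1 ]; then
 AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
 -a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
+elif [ $FNRET = 0 ]; then
+AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/faillock -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
+fi
 fi
 }
 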
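Review bot: check_config leaves AUDIT_PARAMS unset whenever is_debian_11 reports a value other than 0 or 1, because both new `if [ $FNRET = 1 ]` / `elif [ $FNRET = 0 ]` chains in this hunk end without a fallback; under `set -u` (the sibling scripts in this commit run with it) the first later read of AUDIT_PARAMS then aborts the script, and without it an empty rule set is applied silently, so the pam/faillock binaries end up unwatched. I'd close each chain with an explicit arm, e.g. `else crit "is_debian_11 returned unexpected value $FNRET"; AUDIT_PARAMS=''; fi`, so the failure is reported rather than hidden. The result of is_debian_11 is also read twice through the global FNRET after an unrelated test on DONT_AUDITD_BY_UID; capturing it once into a local (`local is11=$FNRET`) right after the call would make the dependency on FNRET not being clobbered in between visible.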
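--- a/bin/hardening/9.2.11_pam_deny_times_tally2.sh
+++ b/bin/hardening/9.2.11_pam_deny_times_tally2.sh
@@ -6,6 +6,7 @@
 
 #
 # 9.2.11 Set deny times for Password Attempts (Scored)
+# Replaced pam_tally2 with pam_faillock in debian 11
 # The number in the original document is 9.2.2
 # for login and ssh service
 # Author : Samson wen, Samson <sccxboy@gmail.com>
@@ -17,30 +18,27 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 
 PACKAGE='libpam-modules-bin'
-PAMLIBNAME='pam_tally2.so'
-AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally2.so'
 AUTHFILE='/etc/pam.d/common-auth'
-AUTHRULE='auth required pam_tally2.so deny=3 even_deny_root unlock_time=900'
 ADDPATTERNLINE='# pam-auth-update(8) for details.'
 DENYOPTION='deny'
 DENY_VAL=3
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit_before11 () {
 is_pkg_installed $PACKAGE
 if [ $FNRET != 0 ]; then
 crit "$PACKAGE is not installed!"
-FNRET=1
+FNRET=11
 else
 ok "$PACKAGE is installed"
 does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
 if [ $FNRET = 0 ]; then
 ok "$AUTHPATTERN is present in $AUTHFILE."
-check_param_pair_by_pam $AUTHFILE $PAMLIBNAME $DENYOPTION le $DENY_VAL
+check_param_pair_by_pam $AUTHFILE $PAMLIBNAME $DENYOPTION le $DENY_VAL
 if [ $FNRET = 0 ]; then
-ok "$DENYOPTION set condition is less-than-or-equal-to $DENY_VAL"
+ok "$DENYOPTION set condition is less-than-or-equal-to $DENY_VAL"
 else
-crit "$DENYOPTION set condition is not $DENY_VAL"
+crit "$DENYOPTION set condition is not $DENY_VAL"
 fi
 else
 crit "$AUTHPATTERN is not present in $AUTHFILE"
@@ -49,11 +47,45 @@ audit () {
 fi
 }
 
-# This function will be called if the script status is on enabled mode
-apply () {
+audit_debian11 () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed!"
+FNRET=11
+else
+ok "$PACKAGE is installed"
+does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
+if [ $FNRET = 0 ]; then
+ok "$AUTHPATTERN is present in $AUTHFILE."
+check_param_pair_by_value $SECCONFFILE $DENYOPTION le $DENY_VAL
+if [ $FNRET = 0 ]; then
+ok "Option $DENYOPTION set condition is less than or equal to $DENY_VAL in $SECCONFFILE"
+elif [ $FNRET = 1 ]; then
+crit "Option $DENYOPTION set condition is greater than $DENY_VAL in $SECCONFFILE"
+elif [ $FNRET = 2 ]; then
+crit "Option $DENYOPTION is not conf in $SECCONFFILE"
+elif [ $FNRET = 3 ]; then
+crit "Config file $SECCONFFILE is not exist!"
+fi
+else
+crit "$AUTHPATTERN is not present in $AUTHFILE"
+FNRET=12
+fi
+fi
+}
+
+audit () {
+if [ $ISDEBIAN11 = 1 ]; then
+audit_debian11
+else
+audit_before11
+fi
+}
+
+apply_before11 () {
 if [ $FNRET = 0 ]; then
 ok "$DENYOPTION set condition is less-than-or-equal-to $DENY_VAL"
-elif [ $FNRET = 1 ]; then
+elif [ $FNRET = 11 ]; then
 warn "Apply:$PACKAGE is absent, installing it"
 install_package $PACKAGE
 elif [ $FNRET = 2 ]; then
@@ -74,6 +106,56 @@ apply () {
 fi
 }
 
+# Input:
+# Param1: return-value of call check_param_pair_by_value
+# Function: Perform corresponding repair actions based on the return value of the error.
+apply_secconffile() {
+FNRET=$1
+if [ $FNRET = 0 ]; then
+ok "Option $DENYOPTION set condition is less than or equal to $DENY_VAL in $SECCONFFILE"
+elif [ $FNRET = 1 ]; then
+warn "Reset option $DENYOPTION to $DENY_VAL in $SECCONFFILE"
+replace_in_file $SECCONFFILE "^$DENYOPTION.*" "$DENYOPTION = $DENY_VAL"
+elif [ $FNRET = 2 ]; then
+warn "$DENYOPTION is not conf, add to $SECCONFFILE"
+add_end_of_file $SECCONFFILE "$DENYOPTION = $DENY_VAL"
+elif [ $FNRET = 3 ]; then
+warn "Config file $SECCONFFILE is not exist! Please check it by youself"
+else
+warn "This param $FNRET was not defined!!!"
+fi
+}
+
+apply_debian11 () {
+if [ $FNRET = 0 ]; then
+ok "$DENYOPTION set condition is less than or equal to $DENY_VAL in $SECCONFFILE"
+elif [ $FNRET = 11 ]; then
+warn "Apply:$PACKAGE is absent, installing it"
+install_package $PACKAGE
+does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
+if [ $FNRET != 0 ]; then
+add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
+check_param_pair_by_value $SECCONFFILE $DENYOPTION le $DENY_VAL
+apply_secconffile $FNRET
+fi
+elif [ $FNRET = 12 ]; then
+add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
+check_param_pair_by_value $SECCONFFILE $DENYOPTION le $DENY_VAL
+apply_secconffile $FNRET
+else
+apply_secconffile $FNRET
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if [ $ISDEBIAN11 = 1 ]; then
+apply_debian11
+else
+apply_before11
+fi
+}
+
 # This function will check config parameters required
 check_config() {
 if [ $OS_RELEASE -eq 2 ]; then
@@ -84,7 +166,19 @@ check_config() {
 AUTHRULE='auth required pam_failloc.so deny=3 even_deny_root unlock_time=900'
 ADDPATTERNLINE='auth[[:space:]]*required'
 else
-:
+is_debian_11
+# faillock for Debian 11
+if [ $FNRET = 0 ]; then
+ISDEBIAN11=1
+SECCONFFILE='/etc/security/faillock.conf'
+AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
+AUTHRULE='auth required pam_faillock.so'
+else
+ISDEBIAN11=0
+PAMLIBNAME='pam_tally2.so'
+AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally2.so'
+AUTHRULE='auth required pam_tally2.so deny=3 even_deny_root unlock_time=900'
+fi
 fi
 }
 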
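Review bot: In check_config (last hunk) only the new `else` branch assigns ISDEBIAN11, while the `OS_RELEASE -eq 2` branch above it does not, so on that release the new `if [ $ISDEBIAN11 = 1 ]` in audit() and apply() reads an unset variable and, with `set -u` in force (context at the top of the second hunk), the script aborts before auditing anything — unless ISDEBIAN11 is initialised somewhere outside these hunks. Initialising it with the other defaults next to PACKAGE, `ISDEBIAN11=0`, makes every path safe; PAMLIBNAME has the same exposure since it now lives only in the tally2 branch and audit_before11 still expands it. Separately, the Debian 11 rule `AUTHRULE='auth required pam_faillock.so'` carries no `preauth`/`authfail` action; as far as I recall pam_faillock(8) needs a `preauth` line before pam_unix and an `authfail` line after it (and an `account required pam_faillock.so` line) to actually count and enforce failures, so a single bare line would be audited as compliant while locking nobody out — please verify against the module documentation before relying on this rule. The same two points apply to bin/hardening/9.2.12_pam_lockout_failed_tally2.sh in this commit.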
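--- a/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh
+++ b/bin/hardening/9.2.12_pam_lockout_failed_tally2.sh
@@ -6,6 +6,7 @@
 
 #
 # 9.2.12 Set Lockout for Failed Password Attempts (Scored)
+# Replaced pam_tally2 with pam_faillock in debian 11
 # for login and ssh service
 #
 
@@ -15,20 +16,17 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 
 PACKAGE='libpam-modules-bin'
-PAMLIBNAME='pam_tally2.so'
-AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally2.so'
 AUTHFILE='/etc/pam.d/common-auth'
-AUTHRULE='auth required pam_tally2.so deny=3 even_deny_root unlock_time=900'
 ADDPATTERNLINE='# pam-auth-update(8) for details.'
 UNLOCKOPTION='unlock_time'
 UNLOCK_VAL=900
 
 # This function will be called if the script status is on enabled / audit mode
-audit () {
+audit_before11 () {
 is_pkg_installed $PACKAGE
 if [ $FNRET != 0 ]; then
 crit "$PACKAGE is not installed!"
-FNRET=1
+FNRET=11
 else
 ok "$PACKAGE is installed"
 does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
@@ -47,15 +45,49 @@ audit () {
 fi
 }
 
-# This function will be called if the script status is on enabled mode
-apply () {
+audit_debian11 () {
+is_pkg_installed $PACKAGE
+if [ $FNRET != 0 ]; then
+crit "$PACKAGE is not installed!"
+FNRET=11
+else
+ok "$PACKAGE is installed"
+does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
+if [ $FNRET = 0 ]; then
+ok "$AUTHPATTERN is present in $AUTHFILE."
+check_param_pair_by_value $SECCONFFILE $UNLOCKOPTION le $UNLOCK_VAL
+if [ $FNRET = 0 ]; then
+ok "Option $UNLOCKOPTION set condition is less than or equal to $UNLOCK_VAL in $SECCONFFILE"
+elif [ $FNRET = 1 ]; then
+crit "Option $UNLOCKOPTION set condition is greater than $UNLOCK_VAL in $SECCONFFILE"
+elif [ $FNRET = 2 ]; then
+crit "Option $UNLOCKOPTION is not conf in $SECCONFFILE"
+elif [ $FNRET = 3 ]; then
+crit "Config file $SECCONFFILE is not exist!"
+fi
+else
+crit "$AUTHPATTERN is not present in $AUTHFILE"
+FNRET=12
+fi
+fi
+}
+
+audit () {
+if [ $ISDEBIAN11 = 1 ]; then
+audit_debian11
+else
+audit_before11
+fi
+}
+
+apply_before11 () {
 if [ $FNRET = 0 ]; then
 ok "$UNLOCKOPTION set condition is greater-than-or-equal-to $UNLOCK_VAL"
 elif [ $FNRET = 1 ]; then
 warn "Apply:$PACKAGE is absent, installing it"
 install_package $PACKAGE
 elif [ $FNRET = 2 ]; then
-warn "Apply:$AUTHPATTERN is not present in $AUTHFILE"
+warn "Apply:$AUTHPATTERN is not present in $AUTHFILE"
 if [ $OS_RELEASE -eq 2 ]; then
 add_line_file_after_pattern_lastline "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
 else
@@ -72,6 +104,56 @@ apply () {
 fi
 }
 
+# Input:
+# Param1: return-value of call check_param_pair_by_value
+# Function: Perform corresponding repair actions based on the return value of the error.
+apply_secconffile() {
+FNRET=$1
+if [ $FNRET = 0 ]; then
+ok "Option $UNLOCKOPTION set condition is less than or equal to $UNLOCK_VAL in $SECCONFFILE"
+elif [ $FNRET = 1 ]; then
+warn "Reset option $UNLOCKOPTION to $UNLOCK_VAL in $SECCONFFILE"
+replace_in_file $SECCONFFILE "^$UNLOCKOPTION.*" "$UNLOCKOPTION = $UNLOCK_VAL"
+elif [ $FNRET = 2 ]; then
+warn "$UNLOCKOPTION is not conf, add to $SECCONFFILE"
+add_end_of_file $SECCONFFILE "$UNLOCKOPTION = $UNLOCK_VAL"
+elif [ $FNRET = 3 ]; then
+warn "Config file $SECCONFFILE is not exist! Please check it by youself"
+else
+warn "This param $FNRET was not defined!!!"
+fi
+}
+
+apply_debian11 () {
+if [ $FNRET = 0 ]; then
+ok "$UNLOCKOPTION set condition is less than or equal to $UNLOCK_VAL in $SECCONFFILE"
+elif [ $FNRET = 11 ]; then
+warn "Apply:$PACKAGE is absent, installing it"
+install_package $PACKAGE
+does_pattern_exist_in_file $AUTHFILE $AUTHPATTERN
+if [ $FNRET != 0 ]; then
+add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
+check_param_pair_by_value $SECCONFFILE $UNLOCKOPTION le $UNLOCK_VAL
+apply_secconffile $FNRET
+fi
+elif [ $FNRET = 12 ]; then
+add_line_file_after_pattern "$AUTHFILE" "$AUTHRULE" "$ADDPATTERNLINE"
+check_param_pair_by_value $SECCONFFILE $UNLOCKOPTION le $UNLOCK_VAL
+apply_secconffile $FNRET
+else
+apply_secconffile $FNRET
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+if [ $ISDEBIAN11 = 1 ]; then
+apply_debian11
+else
+apply_before11
+fi
+}
+
 # This function will check config parameters required
 check_config() {
 if [ $OS_RELEASE -eq 2 ]; then
@@ -82,7 +164,19 @@ check_config() {
 AUTHRULE='auth required pam_failloc.so deny=3 even_deny_root unlock_time=900'
 ADDPATTERNLINE='auth[[:space:]]*required'
 else
-:
+is_debian_11
+# faillock for Debian 11
+if [ $FNRET = 0 ]; then
+ISDEBIAN11=1
+SECCONFFILE='/etc/security/faillock.conf'
+AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_faillock.so'
+AUTHRULE='auth required pam_faillock.so'
+else
+ISDEBIAN11=0
+PAMLIBNAME='pam_tally2.so'
+AUTHPATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally2.so'
+AUTHRULE='auth required pam_tally2.so deny=3 even_deny_root unlock_time=900'
+fi
 fi
 }
 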
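Review bot: apply_before11 (third hunk) still tests `elif [ $FNRET = 1 ]; then` while audit_before11 in the second hunk now sets `FNRET=11` for a missing package, so on pre-11 Debian an absent libpam-modules-bin is never installed and control falls through to the `FNRET = 2` branch; the sibling 9.2.11 script in this commit changed the same line to `elif [ $FNRET = 11 ]; then` and this file should match. Also, audit_debian11 checks `$UNLOCKOPTION le $UNLOCK_VAL` and apply_secconffile then rewrites any larger value down to 900, whereas the pre-11 ok message in apply_before11 speaks of "greater-than-or-equal-to"; if a lockout longer than 900 s is meant to be acceptable for this control, the Debian 11 comparison is inverted and the apply path would weaken a stricter configuration. The pre-11 comparison itself is outside these hunks, so please confirm which direction is intended and make audit_debian11 and the two messages agree.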