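diff --git a/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh b/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
index ca11120..b1dbd3a 100644
--- a/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
+++ b/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
@@ -1,18 +1,36 @@
 source ./templates/support.sh
 populate var_accounts_passwords_pam_faillock_deny
 
-for pamFile in "/etc/pam.d/system-auth /etc/pam.d/password-auth"
-do
+AUTH_FILES[0]="/etc/pam.d/system-auth"
+AUTH_FILES[1]="/etc/pam.d/password-auth"
 
- if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then
- sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
- else
- sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
- fi
+for pamFile in "${AUTH_FILES[@]}"
+do
 
- if grep -q "^auth.*[default=die].*pam_faillock.so.*authsucc.*deny=" /etc/pam.d/system-auth; then
- sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authsucc.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
+ # pam_faillock.so already present?
+ if grep -q "^auth.*pam_faillock.so.*" $pamFile; then
+
+ # pam_faillock.so present, deny directive present?
+ if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then
+
+ # both pam_faillock.so & deny present, just correct deny directive value
+ sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
+ sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
+
+ # pam_faillock.so present, but deny directive not yet
+ else
+
+ # append correct deny value to appropriate places
+ sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
+ sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
+ fi
+
+ # pam_faillock.so not present yet
 else
- sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authsucc/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
+
+ # insert pam_faillock.so preauth & authfail rows with proper value of the 'deny' option
+ sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
+ sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
+ sed -i --follow-symlink "/^account.*required.*pam_unix.so/i account required pam_faillock.so" $pamFile
 fi
 done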
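Review bot: The two "correct deny directive value" substitutions (`s/\(…\)\(deny *= *\).*/\1\2$var…/` on the preauth and authfail lines) capture `.*` after `deny=` to end of line, so any option that follows deny on an existing line (for example `unlock_time=…` or `even_deny_root`) is silently dropped, which weakens a lockout policy the admin had already configured. Restrict the replaced text to the numeric value, `\(deny *= *\)[0-9]*`, on both sed lines so the trailing options survive. Separately, `[default=die]` inside these regexes is a bracket expression matching one character from that set, not the literal control token; `\[default=die\]` is intended, and `pam_faillock\.so` should be escaped likewise. Note also that the inner check keys only on the authfail line having `deny=`; if the preauth line already carries `deny=` but authfail does not, the else branch appends a second `deny=` to preauth, so the presence test should probably be made per line. `$pamFile` is unquoted throughout; the values are fixed here, but `"$pamFile"` is the safe form.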