diff --git a/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh b/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
index ca11120..b1dbd3a 100644
--- a/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
+++ b/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
@@ -1,18 +1,36 @@
source ./templates/support.sh
populate var_accounts_passwords_pam_faillock_deny
-for pamFile in "/etc/pam.d/system-auth /etc/pam.d/password-auth"
-do
+AUTH_FILES[0]="/etc/pam.d/system-auth"
+AUTH_FILES[1]="/etc/pam.d/password-auth"
- if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then
- sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
- else
- sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
- fi
+for pamFile in "${AUTH_FILES[@]}"
+do
- if grep -q "^auth.*[default=die].*pam_faillock.so.*authsucc.*deny=" /etc/pam.d/system-auth; then
- sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authsucc.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
+ # pam_faillock.so already present?
+ if grep -q "^auth.*pam_faillock.so.*" $pamFile; then
+
+ # pam_faillock.so present, deny directive present?
+ if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then
+
+ # both pam_faillock.so & deny present, just correct deny directive value
+ sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
+ sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
+
+ # pam_faillock.so present, but deny directive not yet
+ else
+
+ # append correct deny value to appropriate places
+ sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
+ sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
+ fi
+
+ # pam_faillock.so not present yet
else
- sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authsucc/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
+
+ # insert pam_faillock.so preauth & authfail rows with proper value of the 'deny' option
+ sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
+ sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
+ sed -i --follow-symlink "/^account.*required.*pam_unix.so/i account required pam_faillock.so" $pamFile
fi
done
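Review bot: In the two sed substitutions of the "just correct deny directive value" branch, `\(deny *= *\).*` captures everything to end of line, so a line like `... authfail deny=3 unlock_time=900` silently loses `unlock_time=900` on every remediation run; limiting the replaced text to the value, e.g. `s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\)\(deny *= *\)[0-9]*/\1\2$var_accounts_passwords_pam_faillock_deny/`, keeps trailing options intact. That form also escapes `[default=die]`, which in a basic regex is a bracket expression matching any one character from the set rather than the literal control token, so the `grep -q` guard and the `authfail` patterns in this hunk match more loosely than intended. The inner guard only checks the `authfail` line for `deny=`, yet the else branch appends `deny=` to the `preauth` line unconditionally, so a file whose `preauth` line already has `deny=` while `authfail` lacks it ends up with two `deny=` options on `preauth`; guarding each sed with a grep on its own line avoids that. Because `$var_accounts_passwords_pam_faillock_deny` is spliced directly into the sed script, a value containing `/` or `&` would change the expression itself; a check such as `[[ "$var_accounts_passwords_pam_faillock_deny" =~ ^[0-9]+$ ]] || exit 1` right after the `populate` call is a cheap safeguard, and quoting `"$pamFile"` on every grep/sed call would satisfy ShellCheck.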