From e016533c9656d8061c44adc982141219b8438f9c Mon Sep 17 00:00:00 2001 From: YuQing Yang Date: Fri, 23 Feb 2024 12:15:29 +0800 Subject: [PATCH] access-and-control: Script logic optimization and bug fixes related to PAM file rules Fixes: #I937US 1. Fix typo in 1.27: enforce-forroot --> enforce-for-root 2. Update scripts and documentation for 1.28, 1.29, 1.30, 1.39, 1.44, 1.45 remediation-kits Scripts: - 1.28, 1.29, 1.30, 1.44, 1.45 modified to update user-defined rule sets - 1.39 optimized fix logic to avoid modifying PAM files or configurations that already meet requirements scanners Scripts: - 1.39 optimized detection logic to: 1. Add support for `umask u=rwx,g=rx,o=` format 2. Optimize logic (choose between PAM file modification and Bash file modification) Documentation: - Synchronize changes to scripts and check logic in related markdown documentation 
Signed-off-by: YuQing Yang --- ...rd-creation-requirements-are-configured.md | 10 +++--- ...-failed-password-attempts-is-configured.md | 23 ++++++++++--- .../1.29-ensure-password-reuse-is-limited.md | 21 +++++++++--- ...e-password-hashing-algorithm-is-sha-512.md | 19 +++++++++-- ...t-user-umask-is-027-or-more-restrictive.md | 17 +++++++--- ...d-reuse-limit-is-between-5-and-25-times.md | 21 +++++++++--- ...-failed-password-attempts-is-configured.md | 21 ++++++++++-- ...rd-creation-requirements-are-configured.sh | 2 +- ...-failed-password-attempts-is-configured.sh | 25 +++++++++++++-- .../1.29-ensure-password-reuse-is-limited.sh | 22 +++++++++++-- ...e-password-hashing-algorithm-is-sha-512.sh | 23 +++++++++++-- ...t-user-umask-is-027-or-more-restrictive.sh | 24 ++++++++++---- ...d-reuse-limit-is-between-5-and-25-times.sh | 32 ++++++++++++++++--- ...-failed-password-attempts-is-configured.sh | 25 +++++++++++++-- ...rd-creation-requirements-are-configured.sh | 2 +- ...t-user-umask-is-027-or-more-restrictive.sh | 13 +++++--- ...-failed-password-attempts-is-configured.sh | 4 +-- 17 files changed, 248 insertions(+), 56 deletions(-) diff --git a/benchmarks/access-and-control/1.27-ensure-password-creation-requirements-are-configured.md b/benchmarks/access-and-control/1.27-ensure-password-creation-requirements-are-configured.md index 235e260..1a125ef 100644 --- a/benchmarks/access-and-control/1.27-ensure-password-creation-requirements-are-configured.md +++ b/benchmarks/access-and-control/1.27-ensure-password-creation-requirements-are-configured.md @@ -8,7 +8,7 @@ `pam_pwquality.so`模块用于检查密码的强度。 它进行的检查包括:确保密码不是字典中的单词,有一定的长度,包含混合的字符(如字母、数字、其他)等等。 以下是`pam_pwquality.so`选项的定义。 -* `enforce-forroot` - 对`root`用户也执行策略 +* `enforce-for-root` - 对`root`用户也执行策略 * `retry=3` - 允许尝试3次,如都不符合规则,则发送失败信息。 * `minlen=14` - 密码必须是14个字符或以上。 
@@ -52,9 +52,9 @@ **以上两组参数效果一致,可根据实际情况,任选其一进行配置。** -3. 执行以下命令,来更新`system-auth`和`password-auth`文件,像其中添加`enforce-forroot`及`retry=3`参数。 +3. 执行以下命令,来更新`system-auth`和`password-auth`文件,像其中添加`enforce-for-root`及`retry=3`参数。 -- `enforce-forroot` - 对`root`用户也执行策略 +- `enforce-for-root` - 对`root`用户也执行策略 - `retry=3` - 密码认证失败后可以尝试重新输入密码的次数 - 创建自定义规则并指定和应用规则: @@ -65,7 +65,7 @@ # authselect apply-changes ``` -`createP` 参数为自定义规则名称,可根据实际情况自定义修改。 +`user-profile` 为自定义规则名称,可根据实际情况自定义修改。 - 添加参数: ```bash @@ -73,7 +73,7 @@ customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) for FN in system-auth password-auth; do # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN - [[ -z $(grep -E '^\s*password\s+requisite\s+pam_pwquality.so\s+.*enforcefor-root\s*.*$' $PTF) ]] && sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1\2 enforce-forroot/' $PTF + [[ -z $(grep -E '^\s*password\s+requisite\s+pam_pwquality.so\s+.*enforce-for-root\s*.*$' $PTF) ]] && sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1\2 enforce-for-root/' $PTF [[ -n $(grep -E '^\s*password\s+requisite\s+pam_pwquality.so\s+.*\s+retry=\S+\s*.*$' $PTF) ]] && sed -ri '/pwquality/s/retry=\S+/retry=3/' $PTF || sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1\2 retry=3/' $PTF done authselect apply-changes diff --git a/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md b/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md index 59037f5..cd22cbd 100644 --- a/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md +++ b/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md 
@@ -17,16 +17,31 @@ ## 修复建议 -对`system-auth`及`password-auth`配置文件的参数进行配置。 +1. 执行以下命令,来更新`system-auth`和`password-auth`文件,像其中添加`deny`及`unlock_time`参数。 -1. 运行以下两个脚本,更新`system-auth`及`password-auth`文件,添加`deny=5`和`unlock_time=900`参数。: +- 创建自定义规则并指定和应用规则: ```bash -# sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/password-auth +# currProfile=$(authselect current | awk 'NR == 1 {print $3}') +# authselect create-profile user-profile -b $currProfile +# authselect select custom/user-profile +# authselect apply-changes ``` +`user-profile` 为自定义规则名称,可根据实际情况自定义修改。 + +- 添加参数: ```bash -# sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/system-auth +customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +for FN in system-auth password-auth; do + # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 + [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN + [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*deny=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/deny=\S+/deny=5/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 deny=5 \3/' $PTF + [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*unlock_time=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/unlock_time=\S+/unlock_time=900/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 unlock_time=900 \3/' $PTF +done +authselect apply-changes +# 启用faillock模块 +authselect enable-feature with-faillock ``` ## 扫描检测 diff --git a/benchmarks/access-and-control/1.29-ensure-password-reuse-is-limited.md b/benchmarks/access-and-control/1.29-ensure-password-reuse-is-limited.md index 8bf6c58..dbe830f 100644 
--- a/benchmarks/access-and-control/1.29-ensure-password-reuse-is-limited.md +++ b/benchmarks/access-and-control/1.29-ensure-password-reuse-is-limited.md @@ -14,22 +14,35 @@ ## 修复建议 -对`/etc/pam.d/system-auth`文件配置进行修改。 +1. 执行以下命令,来更新`system-auth`文件,像其中添加`remember`参数。 -1. 执行以下命令,修改`/etc/pam.d/system-auth`配置文件,增加`remember`参数,使其对密码复用进行限制: +- 创建自定义规则并指定和应用规则: ```bash -#!/bin/bash +# currProfile=$(authselect current | awk 'NR == 1 {print $3}') +# authselect create-profile user-profile -b $currProfile +# authselect select custom/user-profile +# authselect apply-changes +``` + +`user-profile` 为自定义规则名称,可根据实际情况自定义修改。 + +- 添加参数: +```bash if authselect current | awk 'NR == 1 {print $3}' | grep -q custom/; then - PTF=/etc/pam.d/"$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)"/system-auth + # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/system-auth)进行修改 + PTF=/etc/authselect/"$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)"/system-auth else PTF=/etc/pam.d/system-auth fi + if grep -Eq '^\s*password\s+(sufficient\s+pam_unix|requi(red|site)\s+pam_pwhistory).so\s+([^#]+\s+)*remember=\S+\s*.*$' $PTF; then sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)(remember=\S+\s*)(.*)$/\1\4 remember=5 \6/' $PTF else sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)$/\1\4 remember=5/' $PTF fi + +authselect apply-changes ``` ## 扫描检测 diff --git a/benchmarks/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.md b/benchmarks/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.md index ab6aaf1..ffcf986 100644 --- a/benchmarks/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.md +++ b/benchmarks/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.md 
@@ -14,10 +14,25 @@ 1. 执行以下命令,修改`password-auth`和`system-auth`配置文件中`pam_unix.so`的哈希算法配置为`SHA-512`: +- 创建自定义规则并指定和应用规则: + ```bash -# egrep -q "^\s*password\s+sufficient\s+pam_unix.so\s+" /etc/pam.d/system-auth && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' /etc/pam.d/system-auth +# currProfile=$(authselect current | awk 'NR == 1 {print $3}') +# authselect create-profile user-profile -b $currProfile +# authselect select custom/user-profile +# authselect apply-changes +``` -# egrep -q "^\s*password\s+sufficient\s+pam_unix.so\s+" /etc/pam.d/password-auth && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' /etc/pam.d/password-auth +`user-profile` 为自定义规则名称,可根据实际情况自定义修改。 + +- 添加参数: +```bash +customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +for FN in system-auth password-auth; do + # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 + [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN + [[ -z $(grep -E '^\s*password\s+sufficient\s+pam_unix.so\s+.*sha512\s*.*$' $PTF) ]] && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' $PTF +done ``` ## 扫描检测 diff --git a/benchmarks/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.md b/benchmarks/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.md index da34d62..87ddca6 100644 --- a/benchmarks/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.md 
+++ b/benchmarks/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.md @@ -38,12 +38,13 @@ umask 可以用八进制数字(4、2、1)或字母(r、w、x)来设置 检查`/etc/bashrc`、`/etc/profile`以及`/etc/profile.d/`目录中所有以`*.sh`结尾的文件,添加或编辑所有的`umask`条目,使其符合安全要求:`umask 027`,`umask u=rwx,g=rx,o=`或更加严格的限制。 -1. 在以下文件中配置`umask`参数 +1. 设置默认用户 umask +- 可在以下文件中配置`umask`参数 * `/etc/bashrc` * `/etc/profile` * `/etc/profile.d/`目录中所有以`*.sh`结尾的文件: -可使用以下命令,检查`/etc/bashrc`、`/etc/profile`以及`/etc/profile.d/`目录中所有已配置的`umask`参数: +使用以下命令,检查`/etc/bashrc`、`/etc/profile`以及`/etc/profile.d/`目录中所有已配置的`umask`参数: ```bash # grep -RPi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/profile* /etc/bashrc* @@ -61,19 +62,26 @@ umask 027 umask 027 ``` -2. 添加或修改`/etc/login.defs`文件中的`UMASK`及`USERGROUPS_ENAB`参数。 +如没有任何umask配置,需手动在以下文件之一中配置umask:/etc/profile、/etc/bashrc、/etc/profile.d/目录中以 .sh 结尾的文件。 + +OR + +2. 设置默认用户 umask +- 添加或修改`/etc/login.defs`文件中的`UMASK`及`USERGROUPS_ENAB`参数。 ```bash UMASK 027 USERGROUPS_ENAB no ``` -3. 编辑`/etc/pam.d/password-auth`及`/etc/pam.d/system-auth`,添加或编辑以下内容: +- 编辑`/etc/pam.d/password-auth`及`/etc/pam.d/system-auth`,添加或编辑以下内容: ```bash session optional pam_umask.so ``` +- **步骤1,步骤2可根据实际情况选择其中一组进行修复** + 默认的 UMASK 配置为:`UMASK 022`。 ## 扫描检测 @@ -106,4 +114,3 @@ No file should be returned 如以上两组命令的输出结果,均符合要求,则视为通过此项检查。 ## 参考 - diff --git a/benchmarks/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.md b/benchmarks/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.md index b099ea5..158c3c3 100644 --- a/benchmarks/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.md +++ b/benchmarks/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.md 
@@ -14,22 +14,35 @@ ## 修复建议 -对`/etc/pam.d/system-auth`文件配置进行修改。 +1. 执行以下命令,来更新`system-auth`文件,像其中添加`remember`参数。 -执行以下命令,修改`/etc/pam.d/system-auth`配置文件,增加`remember`参数,使其对密码复用进行限制: +- 创建自定义规则并指定和应用规则: ```bash -#!/bin/bash +# currProfile=$(authselect current | awk 'NR == 1 {print $3}') +# authselect create-profile user-profile -b $currProfile +# authselect select custom/user-profile +# authselect apply-changes +``` + +`user-profile` 为自定义规则名称,可根据实际情况自定义修改。 + +- 添加参数: +```bash if authselect current | awk 'NR == 1 {print $3}' | grep -q custom/; then - PTF=/etc/pam.d/"$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)"/system-auth + # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/system-auth)进行修改 + PTF=/etc/authselect/"$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)"/system-auth else PTF=/etc/pam.d/system-auth fi + if grep -Eq '^\s*password\s+(sufficient\s+pam_unix|requi(red|site)\s+pam_pwhistory).so\s+([^#]+\s+)*remember=\S+\s*.*$' $PTF; then sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)(remember=\S+\s*)(.*)$/\1\4 remember=5 \6/' $PTF else sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)$/\1\4 remember=5/' $PTF fi + +authselect apply-changes ``` ## 扫描检测 diff --git a/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md b/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md index cf69ac0..6ef13d9 100644 --- a/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md +++ b/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md 
@@ -19,14 +19,29 @@ 对`system-auth`及`password-auth`配置文件的参数进行配置。 -1. 运行以下两个脚本,更新`system-auth`及`password-auth`文件,添加`deny=5`和`unlock_time=900`参数。: +- 创建自定义规则并指定和应用规则: ```bash -# sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/password-auth +# currProfile=$(authselect current | awk 'NR == 1 {print $3}') +# authselect create-profile user-profile -b $currProfile +# authselect select custom/user-profile +# authselect apply-changes ``` +`user-profile` 为自定义规则名称,可根据实际情况自定义修改。 + +- 添加参数: ```bash -# sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/system-auth +customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +for FN in system-auth password-auth; do + # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 + [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN + [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*deny=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/deny=\S+/deny=5/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 deny=5 \3/' $PTF + [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*unlock_time=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/unlock_time=\S+/unlock_time=900/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 unlock_time=900 \3/' $PTF +done +authselect apply-changes +# 启用faillock模块 +authselect enable-feature with-faillock ``` ## 扫描检测 diff --git a/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh b/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh index ff8b0c9..787b43a 100644 
--- a/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh +++ b/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh @@ -15,7 +15,7 @@ customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) for FN in system-auth password-auth; do # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN - [[ -z $(grep -E '^\s*password\s+requisite\s+pam_pwquality.so\s+.*enforcefor-root\s*.*$' $PTF) ]] && sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1\2 enforce-forroot/' $PTF + [[ -z $(grep -E '^\s*password\s+requisite\s+pam_pwquality.so\s+.*enforce-for-root\s*.*$' $PTF) ]] && sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1\2 enforce-for-root/' $PTF [[ -n $(grep -E '^\s*password\s+requisite\s+pam_pwquality.so\s+.*\s+retry=\S+\s*.*$' $PTF) ]] && sed -ri '/pwquality/s/retry=\S+/retry=3/' $PTF || sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1\2 retry=3/' $PTF done authselect apply-changes diff --git a/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh b/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh index 23dc0ba..3f17a85 100644 --- a/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh 
@@ -1,3 +1,24 @@ -grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth || sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/password-auth +#!/usr/bin/env bash -grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/system-auth || sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/system-auth \ No newline at end of file +customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +currProfile=$(authselect current | awk 'NR == 1 {print $3}') +createP="user-profile" + +# 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 +if [[ -z $customProfile ]]; then + authselect create-profile $createP -b $currProfile + authselect select custom/$createP + authselect apply-changes +fi + +customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +for FN in system-auth password-auth; do + # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 + [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN + [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*deny=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/deny=\S+/deny=5/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 deny=5 \3/' $PTF + [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*unlock_time=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/unlock_time=\S+/unlock_time=900/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 unlock_time=900 \3/' $PTF +done + +authselect apply-changes +# 启用faillock模块 +authselect enable-feature with-faillock \ No newline at end of file 
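Review bot: When no custom profile exists the loop falls back to editing `/etc/pam.d/$FN` in place, yet the script then runs `authselect apply-changes` unconditionally, which regenerates those files from the selected profile, so the `deny=5`/`unlock_time=900` edits are discarded (or the command refuses because it sees an out-of-band change — worth confirming on the target authselect version). That fallback is reached silently: there is no `set -e`, the exit status of `create-profile`/`select` is never checked, and an empty `authselect current` output leaves `currProfile` empty so `create-profile … -b` fails. The same block is in the 1.29, 1.30, 1.44 and 1.45 remediation scripts of this patch (1.45 is byte-identical to this file, blob 3f17a85), so the fix belongs in all of them. Suggest, right after `customProfile` is recomputed: `[[ -n $customProfile ]] || { echo "no custom authselect profile selected; not editing /etc/pam.d directly" >&2; exit 1; }`, or at least skip `apply-changes` on the fallback path. Note also that, unlike the removed `sed … /i` lines, the new seds only modify existing `auth required pam_faillock.so` lines, so on the fallback path with faillock not yet enabled nothing is written and `enable-feature with-faillock` then enables the module without the intended values.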
diff --git a/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh b/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh index 34298a2..774eb43 100644 --- a/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh +++ b/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh @@ -1,11 +1,27 @@ -#!/bin/bash +#!/usr/bin/env bash + +customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +currProfile=$(authselect current | awk 'NR == 1 {print $3}') +createP="user-profile" + +# 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 +if [[ -z $customProfile ]]; then + authselect create-profile $createP -b $currProfile + authselect select custom/$createP + authselect apply-changes +fi + if authselect current | awk 'NR == 1 {print $3}' | grep -q custom/; then - PTF=/etc/pam.d/"$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)"/system-auth + # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/system-auth)进行修改 + PTF=/etc/authselect/"$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)"/system-auth else PTF=/etc/pam.d/system-auth fi + if grep -Eq '^\s*password\s+(sufficient\s+pam_unix|requi(red|site)\s+pam_pwhistory).so\s+([^#]+\s+)*remember=\S+\s*.*$' $PTF; then sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)(remember=\S+\s*)(.*)$/\1\4 remember=5 \6/' $PTF else sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)$/\1\4 remember=5/' $PTF -fi \ No newline at end of file +fi + +authselect apply-changes diff --git a/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh b/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh index 28c105e..9394c8b 100644 --- a/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh 
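Review bot: The `grep -Eq` guard accepts `password required pam_pwhistory.so` (`requi(red|site)`), but both `sed` expressions only match `(requisite|sufficient)`, so on such a line the true branch runs and changes nothing while the else branch that would add `remember=5` is never reached. The seds also append `remember=5` after the whole remainder of the line, whereas the 1.28 script in this same patch deliberately keeps a trailing authselect `{…}` conditional in place with `(.*[^{}])(\{.*\}|)$`; profile files carry `{include if "with-pwhistory"}` at the end of the pwhistory line, so the option would land after that expression — whether authselect still honours it should be confirmed. Both points apply verbatim to the 1.44 script, whose new content is the same blob (774eb43). Suggest `(requisite|required|sufficient)` in both seds and the 1.28-style capture groups so the option is inserted before the conditional.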
+++ b/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh @@ -1,2 +1,21 @@ -grep -Eq "^\s*password\s+sufficient\s+pam_unix.so\s+" /etc/pam.d/system-auth && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' /etc/pam.d/system-auth -grep -Eq "^\s*password\s+sufficient\s+pam_unix.so\s+" /etc/pam.d/password-auth && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' /etc/pam.d/password-auth +#!/usr/bin/env bash + +customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +currProfile=$(authselect current | awk 'NR == 1 {print $3}') +createP="user-profile" + +# 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 +if [[ -z $customProfile ]]; then + authselect create-profile $createP -b $currProfile + authselect select custom/$createP + authselect apply-changes +fi + +customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +for FN in system-auth password-auth; do + # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 + [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN + [[ -z $(grep -E '^\s*password\s+sufficient\s+pam_unix.so\s+.*sha512\s*.*$' $PTF) ]] && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' $PTF +done + +authselect apply-changes \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh index 91786ab..5e34b48 100644 
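Review bot: The `[[ -z $(grep -E '…sha512…' $PTF) ]] &&` guard in the loop effectively duplicates the `/…sha512…/!` address the sed already applies per line, so it adds nothing except an unquoted `$PTF` inside a command substitution; `grep -Eq … "$PTF" || sed -ri … "$PTF"` expresses the same and matches the `grep -Eq` idiom of the removed lines. Separately, when the profile has no `password sufficient pam_unix.so` line at all the script changes nothing and still exits 0, so a remediation that did not take effect is indistinguishable from one that did. A check after the sed inside the loop, `grep -Eq '^\s*password\s+sufficient\s+pam_unix\.so\b.*\bsha512\b' "$PTF" || { echo "sha512 not applied to $PTF" >&2; exit 1; }`, would surface that.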
--- a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh +++ b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh 
@@ -1,7 +1,17 @@ -[[ -z /etc/profile.d/set_umask.sh ]] && grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile.d/set_umask.sh && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile.d/set_umask.sh || echo "umask 027" >> /etc/profile.d/set_umask.sh -grep -Eq "(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/bashrc && sed -ri "s/(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/bashrc || echo "umask 027" >> /etc/bashrc -grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile || echo "umask 027" >> /etc/profile -grep -Eq "^(\s*)UMASK\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)UMASK\s+\S+(\s*#.*)?\s*$/\1UMASK 027\2/" /etc/login.defs || echo "UMASK 027" >> /etc/login.defs -grep -q "USERGROUPS_ENAB" /etc/login.defs && sed -ri "s/^(\s*)USERGROUPS_ENAB\s+\S+(\s*#.*)?\s*$/\1USERGROUPS_ENAB no\2/" /etc/login.defs || echo "USERGROUPS_ENAB no" >> /etc/login.defs -grep -Psq "^session optional pam_umask.so" /etc/pam.d/password-auth || echo "session optional pam_umask.so" >> /etc/pam.d/password-auth -grep -Psq "^session optional pam_umask.so" /etc/pam.d/system-auth || echo "session optional pam_umask.so" >> /etc/pam.d/system-auth +# 仅对/etc/login.defs /etc/profile* /etc/bashrc*中的umask值进行加固修复,不修改PAM文件中的pam_umask.so + +repairFile=$(grep -RPHi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/profile* /etc/bashrc* | cut -d: -f1 | sort -u) + +# 判断是否有需要修复的文件,如没有则跳过修复步骤 +if [[ -n $repairFile ]]; then + for file_name in $repairFile; do + for line_num in $(grep -PrHin "^(umask|\h+umask)" $file_name | awk -F: '{gsub(/^[ \t]+/, "", $2); print $2}'); do + # 获取umask的值,保留原本大小写格式 + rep_text=$(sed -n "${line_num}p" $file_name | grep -io umask) + sed -i "${line_num}s/^\( *\)${rep_text}.*/\1${rep_text} 027/" $file_name + done + done +fi + +# 
判断,如果没有任何umask配置,则直接追加/etc/profile末尾 +grep -RPiq '(^[^#]*\s*umask\s+([0-7]{3})\b|\bumask\s+u=([rwx]*),g=([rwx]*),o=([rwx]*))' /etc/bashrc* /etc/profile* /etc/login.defs || echo "umask 027" >> /etc/profile \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh b/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh index 40b817c..774eb43 100644 --- a/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh +++ b/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh 
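Review bot: The inner loop rewrites every line beginning with `umask` in any file that has at least one non-compliant value, so an already stricter setting such as `umask 077` in the same file is loosened to `027`, and the sed's trailing `.*` also drops whatever follows the value (a `# comment` or a `;`-chained command) — the removed lines kept that suffix via `(\s*#.*)?`. The line selection uses `\h+` (spaces or tabs) but the sed anchors on `^\( *\)`, so a tab-indented `umask` is selected and never changed; and `rep_text` comes from `grep -io umask` over the whole line, which yields two words when the line also mentions umask in a trailing comment and then breaks the sed address. Suggest selecting only the lines whose value actually fails the check (the same regex used for `repairFile`) and replacing just the value, keeping indentation and trailing text:

```bash
bad_umask_re='(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)'
repairFile=$(grep -RPHi "$bad_umask_re" /etc/login.defs /etc/profile* /etc/bashrc* | cut -d: -f1 | sort -u)
# … unchanged: if [[ -n $repairFile ]]; then / for file_name in $repairFile; do …
    # only lines whose value fails the check; a stricter value such as umask 077 is left alone
    for line_num in $(grep -Pin "$bad_umask_re" "$file_name" | cut -d: -f1); do
      # keep the original spelling (umask/UMASK); first occurrence on the line only
      rep_text=$(sed -n "${line_num}p" "$file_name" | grep -io umask | head -n 1)
      # replace just the value: indentation (spaces or tabs) and any trailing text are preserved
      sed -i "${line_num}s/^\([[:space:]]*\)${rep_text}[[:space:]]\{1,\}[^[:space:];#]*/\1${rep_text} 027/" "$file_name"
    done
# … unchanged: done / fi / final fallback append to /etc/profile …
```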
@@ -1,5 +1,27 @@ -passSuffRowNum=($(cat /etc/pam.d/system-auth | awk '{if($1 == "password" && $2 == "sufficient")print NR}')) -targetString="password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5" -if [ -n "$passSuffRowNum" ]; then - sed -i "${passSuffRowNum} c ${targetString}" /etc/pam.d/system-auth; -fi \ No newline at end of file +#!/usr/bin/env bash + +customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +currProfile=$(authselect current | awk 'NR == 1 {print $3}') +createP="user-profile" + +# 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 +if [[ -z $customProfile ]]; then + authselect create-profile $createP -b $currProfile + authselect select custom/$createP + authselect apply-changes +fi + +if authselect current | awk 'NR == 1 {print $3}' | grep -q custom/; then + # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/system-auth)进行修改 + PTF=/etc/authselect/"$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)"/system-auth +else + PTF=/etc/pam.d/system-auth +fi + +if grep -Eq '^\s*password\s+(sufficient\s+pam_unix|requi(red|site)\s+pam_pwhistory).so\s+([^#]+\s+)*remember=\S+\s*.*$' $PTF; then + sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)(remember=\S+\s*)(.*)$/\1\4 remember=5 \6/' $PTF +else + sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)$/\1\4 remember=5/' $PTF +fi + +authselect apply-changes diff --git a/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh index 23dc0ba..3f17a85 100644 --- a/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh 
@@ -1,3 +1,24 @@ -grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth || sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/password-auth +#!/usr/bin/env bash -grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/system-auth || sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/system-auth \ No newline at end of file +customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +currProfile=$(authselect current | awk 'NR == 1 {print $3}') +createP="user-profile" + +# 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 +if [[ -z $customProfile ]]; then + authselect create-profile $createP -b $currProfile + authselect select custom/$createP + authselect apply-changes +fi + +customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +for FN in system-auth password-auth; do + # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 + [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN + [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*deny=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/deny=\S+/deny=5/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 deny=5 \3/' $PTF + [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*unlock_time=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/unlock_time=\S+/unlock_time=900/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 unlock_time=900 \3/' $PTF +done + +authselect apply-changes +# 启用faillock模块 +authselect enable-feature with-faillock \ No newline at end of file 
diff --git a/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh b/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh index 9d5a008..e93bc67 100644 --- a/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh +++ b/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh @@ -30,7 +30,7 @@ check_pwquality_conf() { # 检查/etc/pam.d/password-auth和/etc/pam.d/system-auth文件中的条件 check_pam_files() { local files=("$PAM_PASSWORD_AUTH" "$PAM_SYSTEM_AUTH") - local patterns=("enforce-forroot" "retry=\d+") + local patterns=("enforce-for-root" "retry=\d+") for file in "${files[@]}"; do for pattern in "${patterns[@]}"; do diff --git a/scanners/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh b/scanners/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh index 175cda6..8a1e366 100644 --- a/scanners/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh +++ b/scanners/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh 
@@ -1,6 +1,11 @@ -result=0 -umask_file=`grep -RPi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/profile* /etc/bashrc* /etc/profile.d/*.sh` +# umask 设置标记,检查umask是否已配置 +umaskSetTag="" +# 以下两个条件,符合其中一种即为true +grep -Eiq '^\s*UMASK\s+(0[0-7][2-7]7|[0-7][2-7]7)\b' /etc/login.defs && grep -Eqi '^\s*USERGROUPS_ENAB\s*"?no"?\b' /etc/login.defs && grep -Eq '^\s*session\s+(optional|requisite|required)\s+pam_umask\.so\b' /etc/pam.d/common-session && umaskSetTag=true +grep -REiq '^\s*UMASK\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\b' /etc/profile* /etc/bashrc* && umaskSetTag=true -[[ -z $umask_file ]] && grep -Eqi '^\s*USERGROUPS_ENAB\s*"?no"?\b' /etc/login.defs && grep -Piq '^session\s*optional\s*pam_umask\.so$' /etc/pam.d/password-auth && result=1 +# umask 合规标记,检查umask的值是否符合要求 +umaskComplianceTag="" +grep -RPiq '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/profile* /etc/bashrc* /etc/profile.d/*.sh || umaskComplianceTag=true -[[ $result == 1 ]] && echo 'pass' || echo 'fail' \ No newline at end of file +[[ $umaskSetTag == "true" ]] && [[ $umaskComplianceTag == "true" ]] && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh index 277dcaf..c4aaff3 100644 --- a/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh 
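Review bot: The first `umaskSetTag` condition now looks for `pam_umask.so` in `/etc/pam.d/common-session`, a Debian-family path, while the benchmark text changed in this same patch tells the operator to add `session optional pam_umask.so` to `/etc/pam.d/password-auth` and `system-auth` and the removed line checked `password-auth`; on the authselect-managed hosts these scripts target that branch therefore never turns true. In the second condition the symbolic alternative ends in `o=)\b`, and `\b` needs a word character on one side, so `umask u=rwx,g=rx,o=` at end of line does not match (the very format the commit description says it adds support for), whereas `o=r` would. Suggest `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` in place of `common-session`, and for the second grep `'^\s*UMASK\s+((0[0-7][2-7]7|[0-7][2-7]7)\b|u=[rwx]{0,3},g=[rx]{0,2},o=(\s|$))'` so the numeric forms keep `\b` and the symbolic form is accepted at end of line.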
@@ -1,5 +1,5 @@ -result_File_Password=`grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth | grep -Eio "deny=[0-9]+\sunlock_time=[0-9]+"` -result_File_System=`grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/system-auth | grep -Eio "deny=[0-9]+\sunlock_time=[0-9]+"` +result_File_Password=`grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth | grep -Eio "deny=[0-9]+\s+unlock_time=[0-9]+"` +result_File_System=`grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/system-auth | grep -Eio "deny=[0-9]+\s+unlock_time=[0-9]+"` result_Deny=true result_Unlock_Time=true -- Gitee
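Review bot: Widening `\s` to `\s+` still pins the option order `deny=… unlock_time=…` on one line, so a line written as `unlock_time=900 deny=5`, or a host whose values live in `/etc/security/faillock.conf` (which current pam_faillock reads), is reported as fail although lockout is enforced. Since the script already keeps separate `result_Deny` and `result_Unlock_Time` flags, extract the two options independently, e.g. `grep -Eio 'deny=[0-9]+'` and `grep -Eio 'unlock_time=[0-9]+'` per file, and consider `faillock.conf` as a source too. The code that evaluates these strings lies outside the hunk.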