From 0727a448535fbf7b50f48868da7590e8f1069b41 Mon Sep 17 00:00:00 2001 From: YuQing Yang Date: Thu, 27 Jun 2024 10:33:06 +0800 Subject: [PATCH] Modify the execution logic of AuthSelect-related scripts. 1. Troubleshoot errors during the authselect command execution(add 'authselect check'): 1.27, 1.28, 1.29, 1.30, 1.44, 1.45 2. Fuzzy query GRUB 2 files('user.cfg' --> '*.cfg'): 4.10 Fixes: #I9FFFL Signed-off-by: YuQing Yang --- ...rd-creation-requirements-are-configured.md | 27 ++--------- ...-failed-password-attempts-is-configured.md | 26 ++-------- .../1.29-ensure-password-reuse-is-limited.md | 29 ++---------- ...e-password-hashing-algorithm-is-sha-512.md | 20 +------- ...d-reuse-limit-is-between-5-and-25-times.md | 29 ++---------- ...-failed-password-attempts-is-configured.md | 26 ++-------- ...rd-creation-requirements-are-configured.sh | 37 ++++++++++----- ...-failed-password-attempts-is-configured.sh | 45 ++++++++++++------ .../1.29-ensure-password-reuse-is-limited.sh | 47 +++++++++++-------- ...e-password-hashing-algorithm-is-sha-512.sh | 39 ++++++++++----- ...d-reuse-limit-is-between-5-and-25-times.sh | 47 +++++++++++-------- ...-failed-password-attempts-is-configured.sh | 45 ++++++++++++------ ...rd-creation-requirements-are-configured.sh | 16 ++++--- ...-failed-password-attempts-is-configured.sh | 10 ++-- .../1.29-ensure-password-reuse-is-limited.sh | 21 ++++++--- ...e-password-hashing-algorithm-is-sha-512.sh | 2 +- ...d-reuse-limit-is-between-5-and-25-times.sh | 21 ++++++--- ...-failed-password-attempts-is-configured.sh | 46 +++++++++++------- .../4.10-ensure-bootloader-password-is-set.sh | 2 +- 19 files changed, 261 insertions(+), 274 deletions(-) diff --git a/benchmarks/access-and-control/1.27-ensure-password-creation-requirements-are-configured.md b/benchmarks/access-and-control/1.27-ensure-password-creation-requirements-are-configured.md index 1a125ef..5149021 100644 
--- a/benchmarks/access-and-control/1.27-ensure-password-creation-requirements-are-configured.md +++ b/benchmarks/access-and-control/1.27-ensure-password-creation-requirements-are-configured.md @@ -52,31 +52,14 @@ **以上两组参数效果一致,可根据实际情况,任选其一进行配置。** -3. 执行以下命令,来更新`system-auth`和`password-auth`文件,像其中添加`enforce-for-root`及`retry=3`参数。 +3. 编辑`/etc/pam.d/system-auth`和`/etc/pam.d/password-auth`文件,向其中添加或追加`enforce-for-root`及`retry=3`参数。 - `enforce-for-root` - 对`root`用户也执行策略 - `retry=3` - 密码认证失败后可以尝试重新输入密码的次数 -- 创建自定义规则并指定和应用规则: - -```bash -# currProfile=$(authselect current | awk 'NR == 1 {print $3}') -# authselect create-profile user-profile -b $currProfile -# authselect select custom/user-profile -# authselect apply-changes -``` - -`user-profile` 为自定义规则名称,可根据实际情况自定义修改。 - - 添加参数: + ```bash -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) -for FN in system-auth password-auth; do - # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 - [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN - [[ -z $(grep -E '^\s*password\s+requisite\s+pam_pwquality.so\s+.*enforce-for-root\s*.*$' $PTF) ]] && sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1\2 enforce-for-root/' $PTF - [[ -n $(grep -E '^\s*password\s+requisite\s+pam_pwquality.so\s+.*\s+retry=\S+\s*.*$' $PTF) ]] && sed -ri '/pwquality/s/retry=\S+/retry=3/' $PTF || sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1\2 retry=3/' $PTF -done -authselect apply-changes +password requisite pam_pwquality.so enforce-for-root retry=3 ``` ## 扫描检测 
@@ -87,8 +70,8 @@ authselect apply-changes ```bash # grep pam_pwquality.so /etc/pam.d/system-auth /etc/pam.d/password-auth -/etc/pam.d/system-auth:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= -/etc/pam.d/password-auth:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= +/etc/pam.d/system-auth:password requisite pam_pwquality.so enforce-for-root retry=3 +/etc/pam.d/password-auth:password requisite pam_pwquality.so enforce-for-root retry=3 ``` 2. 执行以下命令,验证密码长度配置是否符合要求(`minlen>=14`): diff --git a/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md b/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md index 6d8a9dd..13e7519 100644 --- a/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md +++ b/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md 
@@ -17,31 +17,13 @@ ## 修复建议 -1. 执行以下命令,来更新`system-auth`和`password-auth`文件,像其中添加`deny`及`unlock_time`参数。 - -- 创建自定义规则并指定和应用规则: - -```bash -# currProfile=$(authselect current | awk 'NR == 1 {print $3}') -# authselect create-profile user-profile -b $currProfile -# authselect select custom/user-profile -# authselect apply-changes -``` - -`user-profile` 为自定义规则名称,可根据实际情况自定义修改。 +1. 编辑`/etc/pam.d/system-auth`和`/etc/pam.d/password-auth`文件,向其中添加或追加`deny`及`unlock_time`参数。 - 添加参数: + ```bash -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) -for FN in system-auth password-auth; do - # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 - [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN - [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*deny=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/deny=\S+/deny=5/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 deny=5 \3/' $PTF - [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*unlock_time=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/unlock_time=\S+/unlock_time=900/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 unlock_time=900 \3/' $PTF -done -authselect apply-changes -# 启用faillock模块 -authselect enable-feature with-faillock +auth required pam_faillock.so preauth silent deny=5 unlock_time=900 +auth required pam_faillock.so authfail deny=5 unlock_time=900 ``` ## 扫描检测 diff --git a/benchmarks/access-and-control/1.29-ensure-password-reuse-is-limited.md b/benchmarks/access-and-control/1.29-ensure-password-reuse-is-limited.md index dbe830f..c97497a 100644 --- a/benchmarks/access-and-control/1.29-ensure-password-reuse-is-limited.md +++ b/benchmarks/access-and-control/1.29-ensure-password-reuse-is-limited.md 
@@ -14,35 +14,12 @@ ## 修复建议 -1. 执行以下命令,来更新`system-auth`文件,像其中添加`remember`参数。 - -- 创建自定义规则并指定和应用规则: - -```bash -# currProfile=$(authselect current | awk 'NR == 1 {print $3}') -# authselect create-profile user-profile -b $currProfile -# authselect select custom/user-profile -# authselect apply-changes -``` - -`user-profile` 为自定义规则名称,可根据实际情况自定义修改。 +1. 编辑`/etc/pam.d/system-auth`文件,向其中添加或追加`remember`参数。 - 添加参数: ```bash -if authselect current | awk 'NR == 1 {print $3}' | grep -q custom/; then - # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/system-auth)进行修改 - PTF=/etc/authselect/"$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)"/system-auth -else - PTF=/etc/pam.d/system-auth -fi - -if grep -Eq '^\s*password\s+(sufficient\s+pam_unix|requi(red|site)\s+pam_pwhistory).so\s+([^#]+\s+)*remember=\S+\s*.*$' $PTF; then - sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)(remember=\S+\s*)(.*)$/\1\4 remember=5 \6/' $PTF -else - sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)$/\1\4 remember=5/' $PTF -fi - -authselect apply-changes +password requisite pam_pwhistory.so remember=5 +password sufficient pam_unix.so remember=5 ``` ## 扫描检测 diff --git a/benchmarks/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.md b/benchmarks/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.md index ffcf986..4410cd0 100644 --- a/benchmarks/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.md +++ b/benchmarks/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.md 
@@ -12,27 +12,11 @@ 设置密码哈希算法为 sha512。 -1. 执行以下命令,修改`password-auth`和`system-auth`配置文件中`pam_unix.so`的哈希算法配置为`SHA-512`: - -- 创建自定义规则并指定和应用规则: - -```bash -# currProfile=$(authselect current | awk 'NR == 1 {print $3}') -# authselect create-profile user-profile -b $currProfile -# authselect select custom/user-profile -# authselect apply-changes -``` - -`user-profile` 为自定义规则名称,可根据实际情况自定义修改。 +1. 编辑`/etc/pam.d/system-auth`和`/etc/pam.d/password-auth`文件,向其中添加或追加`pam_unix.so`的哈希算法配置为`SHA-512`: - 添加参数: ```bash -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) -for FN in system-auth password-auth; do - # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 - [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN - [[ -z $(grep -E '^\s*password\s+sufficient\s+pam_unix.so\s+.*sha512\s*.*$' $PTF) ]] && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' $PTF -done +password sufficient pam_unix.so sha512 ``` ## 扫描检测 diff --git a/benchmarks/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.md b/benchmarks/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.md index 158c3c3..16d729d 100644 --- a/benchmarks/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.md +++ b/benchmarks/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.md 
@@ -14,35 +14,12 @@ ## 修复建议 -1. 执行以下命令,来更新`system-auth`文件,像其中添加`remember`参数。 - -- 创建自定义规则并指定和应用规则: - -```bash -# currProfile=$(authselect current | awk 'NR == 1 {print $3}') -# authselect create-profile user-profile -b $currProfile -# authselect select custom/user-profile -# authselect apply-changes -``` - -`user-profile` 为自定义规则名称,可根据实际情况自定义修改。 +1. 编辑`/etc/pam.d/system-auth`文件,向其中添加或追加`remember`参数。 - 添加参数: ```bash -if authselect current | awk 'NR == 1 {print $3}' | grep -q custom/; then - # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/system-auth)进行修改 - PTF=/etc/authselect/"$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)"/system-auth -else - PTF=/etc/pam.d/system-auth -fi - -if grep -Eq '^\s*password\s+(sufficient\s+pam_unix|requi(red|site)\s+pam_pwhistory).so\s+([^#]+\s+)*remember=\S+\s*.*$' $PTF; then - sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)(remember=\S+\s*)(.*)$/\1\4 remember=5 \6/' $PTF -else - sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)$/\1\4 remember=5/' $PTF -fi - -authselect apply-changes +password requisite pam_pwhistory.so remember=5 +password sufficient pam_unix.so remember=5 ``` ## 扫描检测 diff --git a/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md b/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md index 6ef13d9..5d2189e 100644 --- a/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md +++ b/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md 
@@ -17,31 +17,13 @@ ## 修复建议 -对`system-auth`及`password-auth`配置文件的参数进行配置。 - -- 创建自定义规则并指定和应用规则: - -```bash -# currProfile=$(authselect current | awk 'NR == 1 {print $3}') -# authselect create-profile user-profile -b $currProfile -# authselect select custom/user-profile -# authselect apply-changes -``` - -`user-profile` 为自定义规则名称,可根据实际情况自定义修改。 +1. 编辑`/etc/pam.d/system-auth`和`/etc/pam.d/password-auth`文件,向其中添加或追加`deny`及`unlock_time`参数。 - 添加参数: + ```bash -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) -for FN in system-auth password-auth; do - # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 - [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN - [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*deny=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/deny=\S+/deny=5/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 deny=5 \3/' $PTF - [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*unlock_time=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/unlock_time=\S+/unlock_time=900/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 unlock_time=900 \3/' $PTF -done -authselect apply-changes -# 启用faillock模块 -authselect enable-feature with-faillock +auth required pam_faillock.so preauth silent deny=5 unlock_time=900 +auth required pam_faillock.so authfail deny=5 unlock_time=900 ``` ## 扫描检测 diff --git a/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh b/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh index 787b43a..fe2eff8 100644 --- a/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh +++ b/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh 
@@ -1,27 +1,38 @@ #!/usr/bin/env bash -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) -currProfile=$(authselect current | awk 'NR == 1 {print $3}') -createP="user-profile" +authselect check &> /dev/null && auCheck=0 -# 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 -if [[ -z $customProfile ]]; then - authselect create-profile $createP -b $currProfile - authselect select custom/$createP - authselect apply-changes +if [[ $auCheck == "0" ]] ; then + customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) + currProfile=$(authselect current | awk 'NR == 1 {print $3}') + createP="user-profile" + + # 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 + if [[ -z $customProfile ]]; then + authselect create-profile $createP -b $currProfile + authselect select custom/$createP + authselect apply-changes + fi fi -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +[[ $auCheck == "0" ]] && customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) || customProfile="" +# 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 for FN in system-auth password-auth; do - # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN + [[ -z $(grep -E '^\s*password\s+requisite\s+pam_pwquality.so.*$' $PTF) ]] && ln=$(grep -En -m1 '^\s*password\s+' $PTF | cut -d: -f1) && sed -i "${ln}i\password requisite pam_pwquality.so " $PTF [[ -z $(grep -E '^\s*password\s+requisite\s+pam_pwquality.so\s+.*enforce-for-root\s*.*$' $PTF) ]] && sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1\2 enforce-for-root/' $PTF [[ -n $(grep -E '^\s*password\s+requisite\s+pam_pwquality.so\s+.*\s+retry=\S+\s*.*$' $PTF) ]] && sed -ri '/pwquality/s/retry=\S+/retry=3/' $PTF || sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1\2 retry=3/' $PTF done -authselect apply-changes 
- -grep -Eq "^(\s*)minlen\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)minlen\s*=\s*\S+(\s*#.*)?\s*$/\minlen=14\2/" /etc/security/pwquality.conf || echo "minlen=14" >> /etc/security/pwquality.conf +[[ $auCheck == "0" ]] && authselect apply-changes &> /dev/null +minlenValue=$(grep -P "^\s*minlen\s*=.*" /etc/security/pwquality.conf | cut -d= -f2 | tr -d '[:space:]') +if [[ -z $minlenValue ]] ; then + echo "minlen=14" >> /etc/security/pwquality.conf +elif [[ $minlenValue =~ ^[0-9]+$ ]] && [[ $minlenValue -lt 14 ]] ; then + sed -ri "s/^(\s*)minlen\s*=\s*\S+(\s*#.*)?\s*$/\minlen=14\2/" /etc/security/pwquality.conf +else + sed -ri "s/^(\s*)minlen\s*=\s*\S+(\s*#.*)?\s*$/\minlen=14\2/" /etc/security/pwquality.conf +fi # minclass 与 credit 效果一致,任选其一即可,这里只修改minclass参数 grep -Eq "^(\s*)minclass\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)minclass\s*=\s*\S+(\s*#.*)?\s*$/\minclass=4\2/" /etc/security/pwquality.conf || echo "minclass=4" >> /etc/security/pwquality.conf diff --git a/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh b/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh index 3f17a85..8a76518 100644 --- a/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh 
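Review bot: The new minlen block lowers a value that is already compliant: the `else` branch runs the same `sed` as the `elif`, so an existing `minlen=20` is rewritten to `minlen=14` even though the companion scanner in this same commit accepts any value of 14 or more. Drop the `else` branch entirely and keep only `elif [[ $minlenValue =~ ^[0-9]+$ ]] && (( minlenValue < 14 )); then` with its `sed`, followed directly by `fi`, so the script appends when the key is missing and rewrites only when the numeric value is below 14. Separately, the inserted `sed -i "${ln}i\password requisite pam_pwquality.so " $PTF` is reached with an empty `ln` whenever `$PTF` has no `password` line, because the `cut` that ends the pipeline exits 0 even when `grep -m1` matched nothing and no `pipefail` is set; an `i` command without an address then inserts the module line before every line of the file. Guard the insert with `[[ -n $ln ]] &&` before the `sed`. The same unguarded insert pattern appears in the 1.28, 1.29, 1.30, 1.44 and 1.45 remediation hunks.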
@@ -1,24 +1,41 @@ #!/usr/bin/env bash -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) -currProfile=$(authselect current | awk 'NR == 1 {print $3}') -createP="user-profile" +authselect check &> /dev/null && auCheck=0 -# 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 -if [[ -z $customProfile ]]; then - authselect create-profile $createP -b $currProfile - authselect select custom/$createP - authselect apply-changes +if [[ $auCheck == "0" ]] ; then + customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) + currProfile=$(authselect current | awk 'NR == 1 {print $3}') + createP="user-profile" + + # 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 + if [[ -z $customProfile ]]; then + authselect create-profile $createP -b $currProfile + authselect select custom/$createP + authselect apply-changes + fi fi -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +[[ $auCheck == "0" ]] && customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) || customProfile="" +# 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 for FN in system-auth password-auth; do - # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN - [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*deny=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/deny=\S+/deny=5/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 deny=5 \3/' $PTF - [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*unlock_time=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/unlock_time=\S+/unlock_time=900/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 unlock_time=900 \3/' $PTF + [[ -z $(grep -E '^\s*auth\s+required\s+pam_faillock.so.*$' $PTF) ]] && ln=$(grep -En -m1 '^\s*auth\s+' $PTF | cut -d: -f1) && sed -i 
"${ln}i\auth required pam_faillock.so preauth silent \nauth required pam_faillock.so authfail " $PTF + + denyLN=$(grep -En '^\s*auth\s+required\s+pam_faillock.so\s*.*' $PTF | grep -Pv "deny=" | cut -d: -f1) + if [[ -n $denyLN ]] ; then + for l in $denyLN; do sed -ri "${l}s/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*)$/\1\2 deny=5 /" $PTF ; done + elif [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s*.*deny=\S+\s*.*$' $PTF) ]] ;then + sed -ri "/pam_faillock.so/s/deny=\S+/deny=5/g" $PTF + fi + + unlockLN=$(grep -En '^\s*auth\s+required\s+pam_faillock.so\s*.*' $PTF | grep -Pv "unlock_time=" | cut -d: -f1) + if [[ -n $unlockLN ]] ; then + for l in $unlockLN; do sed -ri "${l}s/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*)$/\1\2 unlock_time=900 /g" $PTF ; done + elif [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s*.*unlock_time=\S+\s*.*$' $PTF) ]] ;then + sed -ri '/pam_faillock.so/s/unlock_time=\S+/unlock_time=900/g' $PTF + fi done -authselect apply-changes +[[ $auCheck == "0" ]] && authselect apply-changes &> /dev/null # 启用faillock模块 -authselect enable-feature with-faillock \ No newline at end of file +[[ $auCheck == "0" ]] && authselect enable-feature with-faillock &> /dev/null \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh b/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh index 774eb43..b7a5482 100644 --- a/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh +++ b/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh 
@@ -1,27 +1,34 @@ #!/usr/bin/env bash -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) -currProfile=$(authselect current | awk 'NR == 1 {print $3}') -createP="user-profile" +authselect check &> /dev/null && auCheck=0 -# 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 -if [[ -z $customProfile ]]; then - authselect create-profile $createP -b $currProfile - authselect select custom/$createP - authselect apply-changes -fi +if [[ $auCheck == "0" ]] ; then + customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) + currProfile=$(authselect current | awk 'NR == 1 {print $3}') + createP="user-profile" -if authselect current | awk 'NR == 1 {print $3}' | grep -q custom/; then - # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/system-auth)进行修改 - PTF=/etc/authselect/"$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)"/system-auth -else - PTF=/etc/pam.d/system-auth + # 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 + if [[ -z $customProfile ]]; then + authselect create-profile $createP -b $currProfile + authselect select custom/$createP + authselect apply-changes + fi fi -if grep -Eq '^\s*password\s+(sufficient\s+pam_unix|requi(red|site)\s+pam_pwhistory).so\s+([^#]+\s+)*remember=\S+\s*.*$' $PTF; then - sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)(remember=\S+\s*)(.*)$/\1\4 remember=5 \6/' $PTF -else - sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)$/\1\4 remember=5/' $PTF -fi +[[ $auCheck == "0" ]] && customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) || customProfile="" +# 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 +for FN in system-auth; do + [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN + [[ -z $(grep -E '^\s*password\s+requisite\s+pam_pwhistory.so.*$' $PTF) ]] && ln=$(grep -En -m1 '^\s*password\s+' $PTF | cut -d: -f1) && sed -i 
"${ln}i\password requisite pam_pwhistory.so " $PTF + [[ -z $(grep -E '^\s*password\s+sufficient\s+pam_unix.so.*$' $PTF) ]] && ln=$(grep -En -m1 '^\s*password\s+' $PTF | cut -d: -f1) && sed -i "${ln}i\password sufficient pam_unix.so " $PTF + + rememberLN=$(grep -En '^\s*password\s+.*(pam_pwhistory.so|pam_unix.so)\s*.*' $PTF | grep -Pv "remember=" | cut -d: -f1) + if [[ -n $rememberLN ]] ; then + for l in $rememberLN; do sed -ri "${l}s/(^\s*password\s+)(\s+requisite\s+|\s+sufficient\s+)(\s+pam_pwhistory\.so\b\s*|\s+pam_unix\.so\b\s*)(.*)$/\1\2\3\4 remember=5 /" $PTF ; done + elif [[ -n $(grep -E '^\s*password\s+(requisite|sufficient)\s+(pam_pwhistory.so|pam_unix.so)\s*.*remember=\S+\s*.*$' $PTF) ]] ;then + sed -ri "/^\s*password\s+(requisite|sufficient)\s+(pam_pwhistory.so|pam_unix.so)/s/remember=\S+/remember=5/g" $PTF + fi + +done -authselect apply-changes +[[ $auCheck == "0" ]] && authselect apply-changes &> /dev/null diff --git a/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh b/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh index 9394c8b..fa0e629 100644 --- a/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh +++ b/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh 
@@ -1,21 +1,34 @@ #!/usr/bin/env bash -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) -currProfile=$(authselect current | awk 'NR == 1 {print $3}') -createP="user-profile" - -# 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 -if [[ -z $customProfile ]]; then - authselect create-profile $createP -b $currProfile - authselect select custom/$createP - authselect apply-changes +authselect check &> /dev/null && auCheck=0 + +if [[ $auCheck == "0" ]] ; then + customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) + currProfile=$(authselect current | awk 'NR == 1 {print $3}') + createP="user-profile" + + # 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 + if [[ -z $customProfile ]]; then + authselect create-profile $createP -b $currProfile + authselect select custom/$createP + authselect apply-changes + fi fi -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) + +[[ $auCheck == "0" ]] && customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) || customProfile="" +# 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 for FN in system-auth password-auth; do - # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN - [[ -z $(grep -E '^\s*password\s+sufficient\s+pam_unix.so\s+.*sha512\s*.*$' $PTF) ]] && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! 
s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' $PTF + [[ -z $(grep -E '^\s*password\s+sufficient\s+pam_unix.so.*$' $PTF) ]] && ln=$(grep -En -m1 '^\s*password\s+' $PTF | cut -d: -f1) && sed -i "${ln}i\password sufficient pam_unix.so " $PTF + + hashLN=$(grep -En '^\s*password\s+.*pam_unix.so\s*.*' $PTF | grep -Pv "(sha[0-9]+|md5)" | cut -d: -f1) + if [[ -n $hashLN ]] ; then + for l in $hashLN; do sed -ri "${l}s/(^\s*password\s+)(\s+sufficient\s+)(\s+pam_unix\.so\b\s*)(.*)$/\1\2\3 sha512 \4/" $PTF ; done + elif [[ -n $(grep -E '^\s*password\s+sufficient\s+pam_unix.so\s*.*(sha[0-9]+|md5)\s*.*$' $PTF | grep -Pv "sha512") ]] ;then + sed -ri "/^\s*password\s+sufficient\s+pam_unix.so/s/(sha[0-9]+|md5)/sha512/g" $PTF + fi + done -authselect apply-changes \ No newline at end of file +[[ $auCheck == "0" ]] && authselect apply-changes &> /dev/null diff --git a/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh b/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh index 774eb43..b7a5482 100644 --- a/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh +++ b/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh 
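Review bot: The `hashLN` filter `grep -Pv "(sha[0-9]+|md5)"` treats a `pam_unix.so` line that already selects another algorithm pam_unix accepts on current Linux-PAM — `yescrypt`, `gost_yescrypt`, `blowfish` or `bigcrypt` — as having no algorithm at all, so the loop appends ` sha512 ` and the line ends up naming two hashing algorithms; which one pam_unix then honours is not established by this hunk and should be checked rather than assumed. Widen the alternation so those lines go through the `elif` rewrite instead, e.g. `grep -Pv "\b(sha[0-9]+|md5|bigcrypt|blowfish|gost_yescrypt|yescrypt)\b"` in the first grep, the same alternation in the `elif` grep, and `s/\b(sha[0-9]+|md5|bigcrypt|blowfish|gost_yescrypt|yescrypt)\b/sha512/g` in its sed. A one-line comment above `hashLN=` stating that the list mirrors the algorithms pam_unix(8) documents would make the intent clear to the next maintainer.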
@@ -1,27 +1,34 @@ #!/usr/bin/env bash -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) -currProfile=$(authselect current | awk 'NR == 1 {print $3}') -createP="user-profile" +authselect check &> /dev/null && auCheck=0 -# 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 -if [[ -z $customProfile ]]; then - authselect create-profile $createP -b $currProfile - authselect select custom/$createP - authselect apply-changes -fi +if [[ $auCheck == "0" ]] ; then + customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) + currProfile=$(authselect current | awk 'NR == 1 {print $3}') + createP="user-profile" -if authselect current | awk 'NR == 1 {print $3}' | grep -q custom/; then - # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/system-auth)进行修改 - PTF=/etc/authselect/"$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)"/system-auth -else - PTF=/etc/pam.d/system-auth + # 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 + if [[ -z $customProfile ]]; then + authselect create-profile $createP -b $currProfile + authselect select custom/$createP + authselect apply-changes + fi fi -if grep -Eq '^\s*password\s+(sufficient\s+pam_unix|requi(red|site)\s+pam_pwhistory).so\s+([^#]+\s+)*remember=\S+\s*.*$' $PTF; then - sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)(remember=\S+\s*)(.*)$/\1\4 remember=5 \6/' $PTF -else - sed -ri 's/^\s*(password\s+(requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)$/\1\4 remember=5/' $PTF -fi +[[ $auCheck == "0" ]] && customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) || customProfile="" +# 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 +for FN in system-auth; do + [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN + [[ -z $(grep -E '^\s*password\s+requisite\s+pam_pwhistory.so.*$' $PTF) ]] && ln=$(grep -En -m1 '^\s*password\s+' $PTF | cut -d: -f1) && sed -i 
"${ln}i\password requisite pam_pwhistory.so " $PTF + [[ -z $(grep -E '^\s*password\s+sufficient\s+pam_unix.so.*$' $PTF) ]] && ln=$(grep -En -m1 '^\s*password\s+' $PTF | cut -d: -f1) && sed -i "${ln}i\password sufficient pam_unix.so " $PTF + + rememberLN=$(grep -En '^\s*password\s+.*(pam_pwhistory.so|pam_unix.so)\s*.*' $PTF | grep -Pv "remember=" | cut -d: -f1) + if [[ -n $rememberLN ]] ; then + for l in $rememberLN; do sed -ri "${l}s/(^\s*password\s+)(\s+requisite\s+|\s+sufficient\s+)(\s+pam_pwhistory\.so\b\s*|\s+pam_unix\.so\b\s*)(.*)$/\1\2\3\4 remember=5 /" $PTF ; done + elif [[ -n $(grep -E '^\s*password\s+(requisite|sufficient)\s+(pam_pwhistory.so|pam_unix.so)\s*.*remember=\S+\s*.*$' $PTF) ]] ;then + sed -ri "/^\s*password\s+(requisite|sufficient)\s+(pam_pwhistory.so|pam_unix.so)/s/remember=\S+/remember=5/g" $PTF + fi + +done -authselect apply-changes +[[ $auCheck == "0" ]] && authselect apply-changes &> /dev/null diff --git a/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh index 3f17a85..8a76518 100644 --- a/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh 
@@ -1,24 +1,41 @@ #!/usr/bin/env bash -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) -currProfile=$(authselect current | awk 'NR == 1 {print $3}') -createP="user-profile" +authselect check &> /dev/null && auCheck=0 -# 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 -if [[ -z $customProfile ]]; then - authselect create-profile $createP -b $currProfile - authselect select custom/$createP - authselect apply-changes +if [[ $auCheck == "0" ]] ; then + customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) + currProfile=$(authselect current | awk 'NR == 1 {print $3}') + createP="user-profile" + + # 判断是否已有用户自定义规则集,如有则跳过创建步骤,改为直接追加已有的规则集 + if [[ -z $customProfile ]]; then + authselect create-profile $createP -b $currProfile + authselect select custom/$createP + authselect apply-changes + fi fi -customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) +[[ $auCheck == "0" ]] && customProfile=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/) || customProfile="" +# 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 for FN in system-auth password-auth; do - # 判断是否有自定义规则集,如没有或创建失败,则直接对最终文件(/etc/pam.d/password-auth,/etc/pam.d/system-auth)进行修改 [[ -n $customProfile ]] && PTF=/etc/authselect/$customProfile/$FN || PTF=/etc/pam.d/$FN - [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*deny=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/deny=\S+/deny=5/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 deny=5 \3/' $PTF - [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s+.*unlock_time=\S+\s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/unlock_time=\S+/unlock_time=900/g' $PTF || sed -ri 's/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*[^{}])(\{.*\}|)$/\1\2 unlock_time=900 \3/' $PTF + [[ -z $(grep -E '^\s*auth\s+required\s+pam_faillock.so.*$' $PTF) ]] && ln=$(grep -En -m1 '^\s*auth\s+' $PTF | cut -d: -f1) && sed -i 
"${ln}i\auth required pam_faillock.so preauth silent \nauth required pam_faillock.so authfail " $PTF + + denyLN=$(grep -En '^\s*auth\s+required\s+pam_faillock.so\s*.*' $PTF | grep -Pv "deny=" | cut -d: -f1) + if [[ -n $denyLN ]] ; then + for l in $denyLN; do sed -ri "${l}s/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*)$/\1\2 deny=5 /" $PTF ; done + elif [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s*.*deny=\S+\s*.*$' $PTF) ]] ;then + sed -ri "/pam_faillock.so/s/deny=\S+/deny=5/g" $PTF + fi + + unlockLN=$(grep -En '^\s*auth\s+required\s+pam_faillock.so\s*.*' $PTF | grep -Pv "unlock_time=" | cut -d: -f1) + if [[ -n $unlockLN ]] ; then + for l in $unlockLN; do sed -ri "${l}s/^\s*(auth\s+required\s+pam_faillock\.so\s+)(.*)$/\1\2 unlock_time=900 /g" $PTF ; done + elif [[ -n $(grep -E '^\s*auth\s+required\s+pam_faillock.so\s*.*unlock_time=\S+\s*.*$' $PTF) ]] ;then + sed -ri '/pam_faillock.so/s/unlock_time=\S+/unlock_time=900/g' $PTF + fi done -authselect apply-changes +[[ $auCheck == "0" ]] && authselect apply-changes &> /dev/null # 启用faillock模块 -authselect enable-feature with-faillock \ No newline at end of file +[[ $auCheck == "0" ]] && authselect enable-feature with-faillock &> /dev/null \ No newline at end of file diff --git a/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh b/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh index c14f970..f7ad91b 100644 --- a/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh +++ b/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh 
@@ -15,14 +15,16 @@ PAM_SYSTEM_AUTH="/etc/pam.d/system-auth" # 检查/etc/security/pwquality.conf文件中的条件 check_pwquality_conf() { # 检查minlen=14 - check_file_contains "$PWQUALITY_CONF" '^minlen(?: |)=(?: |)14\b' || return 1 + # check_file_contains "$PWQUALITY_CONF" '^minlen(?:\s*|)=(?:\s*|)14\b' || return 1 + minlenValue=$(grep -P "^\s*minlen\s*=.*" /etc/security/pwquality.conf | cut -d= -f2 | tr -d '[:space:]') + [[ -n $minlenValue ]] && [[ $minlenValue =~ ^[0-9]+$ ]] && [[ $minlenValue -ge 14 ]] || return 1 # 检查minclass=4 或者所有credit设置为-1 - (check_file_contains "$PWQUALITY_CONF" '^minclass(?: |)=(?: |)4\b') || \ - (check_file_contains "$PWQUALITY_CONF" '^dcredit(?: |)=(?: |)-1\b' && \ - check_file_contains "$PWQUALITY_CONF" '^ucredit(?: |)=(?: |)-1\b' && \ - check_file_contains "$PWQUALITY_CONF" '^ocredit(?: |)=(?: |)-1\b' && \ - check_file_contains "$PWQUALITY_CONF" '^lcredit(?: |)=(?: |)-1\b') || return 1 + (check_file_contains "$PWQUALITY_CONF" '^minclass(?:\s*|)=(?:\s*|)4\b') || \ + (check_file_contains "$PWQUALITY_CONF" '^dcredit(?:\s*|)=(?:\s*|)-1\b' && \ + check_file_contains "$PWQUALITY_CONF" '^ucredit(?:\s*|)=(?:\s*|)-1\b' && \ + check_file_contains "$PWQUALITY_CONF" '^ocredit(?:\s*|)=(?:\s*|)-1\b' && \ + check_file_contains "$PWQUALITY_CONF" '^lcredit(?:\s*|)=(?:\s*|)-1\b') || return 1 return 0 } @@ -30,7 +32,7 @@ check_pwquality_conf() { # 检查/etc/pam.d/password-auth和/etc/pam.d/system-auth文件中的条件 check_pam_files() { local files=("$PAM_PASSWORD_AUTH" "$PAM_SYSTEM_AUTH") - local patterns=("\benforce-for-root\b" "\bretry=\d+\b") + local patterns=("\benforce-for-root\b" "\bretry=[1-3]+\s*") for file in "${files[@]}"; do for pattern in "${patterns[@]}"; do diff --git a/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh b/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh index 8852beb..977e56e 100644 
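Review bot: The new pattern `\bretry=[1-3]+\s*` in `check_pam_files` accepts any run of the digits 1–3, so `retry=33` or `retry=123` passes although the control wants at most three attempts; drop the quantifier and close the number: `local patterns=("\benforce-for-root\b" "\bretry=[1-3]\b")`. In `check_pwquality_conf` the new `minlen` extraction hard-codes `/etc/security/pwquality.conf` instead of the `"$PWQUALITY_CONF"` used two lines later, and if the file holds more than one `minlen =` line the newline-joined value fails the `^[0-9]+$` test and the control reports fail even though pwquality honours the last setting; `minlenValue=$(grep -P '^\s*minlen\s*=' "$PWQUALITY_CONF" | tail -n1 | cut -d= -f2 | tr -d '[:space:]')` covers both. The stale `# 检查minlen=14` comment and the commented-out old check can go now that the test is `>= 14`. The body of `check_pam_files` continues past the hunk.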
--- a/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh @@ -1,5 +1,5 @@ -grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/password-auth | grep -Pqiv ".*\bdeny=[0-9]+\b\s+.*unlock_time=[0-9]+\b.*" && echo 'fail' && exit 1 -grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/system-auth | grep -Pqiv ".*\bdeny=[0-9]+\b\s+.*unlock_time=[0-9]+\b.*" && echo 'fail' && exit 1 +grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/password-auth | grep -Pqiv "(?=.*\bdeny=[0-9]+\b)(?=.*unlock_time=[0-9]+)" && echo 'fail' && exit 1 +grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/system-auth | grep -Pqiv "(?=.*\bdeny=[0-9]+\b)(?=.*unlock_time=[0-9]+)" && echo 'fail' && exit 1 denyValuePassword=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bdeny=[0-9]+\b" /etc/pam.d/password-auth | grep -Pio "\bdeny=[0-9]+\b" | awk -F= '{print $2}') denyValueSystem=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bdeny=[0-9]+\b" /etc/pam.d/system-auth | grep -Pio "\bdeny=[0-9]+\b" | awk -F= '{print $2}') @@ -7,8 +7,7 @@ unlockValuePassword=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bunl unlockValueSystem=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bunlock_time=[0-9]+\b" /etc/pam.d/system-auth | grep -Pio "\bunlock_time=[0-9]+\b" | awk -F= '{print $2}') if [[ -n $denyValuePassword && -n $denyValueSystem ]] ; then - for i in $denyValuePassword $denyValueSystem - do + for i in $denyValuePassword $denyValueSystem; do if [[ $i -gt 5 ]]; then echo 'fail' exit 1 @@ -21,8 +20,7 @@ fi if [[ -n $unlockValuePassword && -n $unlockValueSystem ]] ; then - for i in $unlockValuePassword $unlockValueSystem - do + for i in $unlockValuePassword $unlockValueSystem; do if [[ $i -lt 900 ]]; then echo 'fail' exit 1 
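Review bot: The `if [[ $i -lt 900 ]]` test in the unlock_time loop reports fail for `unlock_time=0`, which in pam_faillock keeps the account locked until an administrator clears it — the strictest setting, and one CIS accepts alongside values of 900 or more; if this benchmark follows that reading the test should be `if [[ $i -ne 0 && $i -lt 900 ]]; then`. The two leading greps also demand that every `auth required pam_faillock.so` line carry both `deny=` and `unlock_time=` inline, so a `preauth silent` line whose settings live in `/etc/security/faillock.conf` (supported by newer pam_faillock) fails the control before any value is read; a comment such as `# only inline pam.d options are inspected; faillock.conf is not read` should state that limitation. The closing `fi` and the final pass are outside the hunk.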
diff --git a/scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh b/scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh index 3f057f4..3d2e3ef 100644 --- a/scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh +++ b/scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh @@ -1,9 +1,18 @@ -result=false +grep -Pi "^\h+password\h+sufficient\h+pam_unix.so\h+" /etc/pam.d/system-auth | grep -Pqv "\bremember\s*=\s*[0-9]+" && echo 'fail' && exit 1 +grep -Pi "^\h+password\h+requisite\h+pam_pwhistory.so\h+" /etc/pam.d/system-auth | grep -Pqv "\bremember\s*=\s*[0-9]+" && echo 'fail' && exit 1 -grep -Piq "^\h*password\h+(requisite|sufficient)\h+(pam_pwhistory\.so|pam_unix\.so)\h+([^#\n\r]+\h+)?remember=([5-9]|[1-9][0-9]+)\h*(\h+.*)?$" /etc/pam.d/system-auth && result=true +rememberValue=$(grep -Poi "^\h*password\s+(sufficient|requisite)\s+(pam_unix.so|pam_pwhistory.so)\s+.*\bremember\s*=\s*[0-9]+" /etc/pam.d/system-auth | grep -Pio "\bremember\s*=\s*[0-9]+\b" | awk -F= '{print $2}') -if [[ $result == true ]]; then - echo "pass" +if [[ -n $rememberValue ]] ; then + for i in $rememberValue ; do + if [[ $i -lt 5 ]]; then + echo 'fail' + exit 1 + fi + done else - echo "fail" -fi \ No newline at end of file + echo 'fail' + exit 1 +fi + +echo 'pass' diff --git a/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh b/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh index af6481d..9dc74f6 100644 --- a/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh +++ b/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh 
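Review bot: Both new guard lines anchor on `^\h+password\h+…`, which requires at least one leading whitespace character, so on a stock `/etc/pam.d/system-auth` where module lines start at column 0 they match nothing and `grep -v` on empty input never fires — the guards are dead, unlike the sibling 1.44 scanner in this commit which uses `^\s*`. Making them live would also change the verdict: they fail whenever the `pam_unix.so` line or the `pam_pwhistory.so` line lacks `remember=`, while the `rememberValue` extraction right below accepts either module, and a layout carrying `remember=` only on `pam_pwhistory.so` is common. I would drop the two guards and let the `[[ -n $rememberValue ]]` branch handle the missing-option case, which already yields `fail`. The hunk covers the whole file.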
@@ -1,6 +1,6 @@ result=false -grep -Eiq "^\s*\bpassword\s+\bsufficient\s+\bpam_unix.so\s+.*\bsha512\s*.*$" /etc/pam.d/password-auth && grep -Eiq "^\s*\bpassword\s+\bsufficient\s+\bpam_unix.so\s+.*\bsha512\s*.*$" /etc/pam.d/system-auth && result=true +grep -Eiq "^\s*password\s+\bsufficient\s+\bpam_unix.so\s+.*\bsha512\s*.*$" /etc/pam.d/password-auth && grep -Eiq "^\s*password\s+\bsufficient\s+\bpam_unix.so\s+.*\bsha512\s*.*$" /etc/pam.d/system-auth && result=true if [[ $result == "true" ]]; then echo "pass" diff --git a/scanners/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh b/scanners/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh index 0d3975f..8ab4fb5 100644 --- a/scanners/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh +++ b/scanners/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh 
@@ -1,9 +1,18 @@ -val_remember=99999 -val_remember=`grep -Pi "^\h*password\h+(requisite|sufficient)\h+(pam_pwhistory\.so|pam_unix\.so)\h+([^#\n\r]+\h+)?remember=([5-9]|[1-9][0-9]+)\h*(\h+.*)?$" /etc/pam.d/system-auth | cut -d '=' -f2` -[ ! -z $val_remember ] && result_remember=`echo "$val_remember >=5 && $val_remember <= 25" | bc` +grep -Pi "^\s*password\h+sufficient\h+pam_unix.so\h+" /etc/pam.d/system-auth | grep -Pqv "\bremember\s*=\s*[0-9]+" && echo 'fail' && exit 1 +grep -Pi "^\s*password\h+requisite\h+pam_pwhistory.so\h+" /etc/pam.d/system-auth | grep -Pqv "\bremember\s*=\s*[0-9]+" && echo 'fail' && exit 1 -if [[ $result_remember -eq 1 ]]; then - echo 'pass' +rememberValue=$(grep -Poi "^\s*password\s+(sufficient|requisite)\s+(pam_unix.so|pam_pwhistory.so)\s+.*\bremember\s*=\s*[0-9]+" /etc/pam.d/system-auth | grep -Pio "\bremember\s*=\s*[0-9]+\b" | awk -F= '{print $2}') + +if [[ -n $rememberValue ]] ; then + for i in $rememberValue; do + if [[ $i -lt 5 ]] || [[ $i -gt 25 ]] ; then + echo 'fail' + exit 1 + fi + done else echo 'fail' -fi \ No newline at end of file + exit 1 +fi + +echo 'pass' diff --git a/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh index 2f69a05..6f39039 100644 --- a/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh 
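Review bot: The two guard lines fail the control if the `pam_unix.so` line *or* the `pam_pwhistory.so` line lacks `remember=`, whereas the `rememberValue` extraction that follows accepts a value from either module; a system-auth that sets `remember=` only on `pam_pwhistory.so` exits with `fail` at the first grep before the 5–25 range is ever examined (whether that is the layout the benchmark's own remediation produces I cannot tell — its .md is not in view). Either require both modules consistently or, simpler, drop the guards: the `else echo 'fail'` branch already covers the no-value case. `awk -F= '{print $2}'` yields ` 5` for `remember = 5`; `[[ $i -lt 5 ]]` tolerates the leading space, but appending `| tr -d '[:space:]'` would make that intent explicit. The hunk covers the whole file.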
@@ -1,22 +1,34 @@ -result_File_Password=`grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth | grep -Eio "deny=[0-9]+\s+unlock_time=[0-9]+"` -result_File_System=`grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/system-auth | grep -Eio "deny=[0-9]+\s+unlock_time=[0-9]+"` -result_Deny=true -result_Unlock_Time=true +grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/password-auth | grep -Pqiv "(?=.*\bdeny=[0-9]+\b)(?=.*unlock_time=[0-9]+)" && echo 'fail' && exit 1 +grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/system-auth | grep -Pqiv "(?=.*\bdeny=[0-9]+\b)(?=.*unlock_time=[0-9]+)" && echo 'fail' && exit 1 -for i in `grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth /etc/pam.d/system-auth | grep -Eio "deny=[0-9]+" | cut -d"=" -f 2`; do - if [[ $i -lt 3 ]] || [[ $i -gt 8 ]] ; then - result_Deny=false - fi -done +denyValuePassword=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bdeny=[0-9]+\b" /etc/pam.d/password-auth | grep -Pio "\bdeny=[0-9]+\b" | awk -F= '{print $2}') +denyValueSystem=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bdeny=[0-9]+\b" /etc/pam.d/system-auth | grep -Pio "\bdeny=[0-9]+\b" | awk -F= '{print $2}') +unlockValuePassword=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bunlock_time=[0-9]+\b" /etc/pam.d/password-auth | grep -Pio "\bunlock_time=[0-9]+\b" | awk -F= '{print $2}') +unlockValueSystem=$(grep -Poi "^\s*auth\s+required\s+pam_faillock.so\s+.*\bunlock_time=[0-9]+\b" /etc/pam.d/system-auth | grep -Pio "\bunlock_time=[0-9]+\b" | awk -F= '{print $2}') -for i in `grep -E '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth /etc/pam.d/system-auth | grep -Eio "unlock_time=[0-9]+" | cut -d"=" -f 2`; do - if [[ $i -lt 600 ]] || [[ $i -gt 1800 ]] ; then - result_Unlock_Time=false - fi -done +if [[ -n $denyValuePassword && -n 
$denyValueSystem ]] ; then + for i in $denyValuePassword $denyValueSystem; do + if [[ $i -lt 3 ]] || [[ $i -gt 8 ]]; then + echo 'fail' + exit 1 + fi + done +else + echo 'fail' + exit 1 +fi -if [[ -n $result_File_Password && -n $result_File_System && $result_Deny == "true" && $result_Unlock_Time == "true" ]]; then - echo 'pass' + +if [[ -n $unlockValuePassword && -n $unlockValueSystem ]] ; then + for i in $unlockValuePassword $unlockValueSystem; do + if [[ $i -lt 600 ]] || [[ $i -gt 1800 ]]; then + echo 'fail' + exit 1 + fi + done else echo 'fail' -fi \ No newline at end of file + exit 1 +fi + +echo 'pass' diff --git a/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh b/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh index e46ce76..416b387 100644 --- a/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh +++ b/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh @@ -1,7 +1,7 @@ result=false if [[ -e /boot/grub2/user.cfg ]]; then - grep -Pq '^\h*GRUB2_PASSWORD\h*=\h*.+$' /boot/grub2/user.cfg && result=true + grep -Pqs '^\h*GRUB2_PASSWORD\h*=\h*.+$' /boot/grub2/*.cfg && result=true if [[ "$result" == "true" ]] ; then echo "pass" else -- Gitee
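Review bot: The unlock_time loop's `if [[ $i -lt 600 ]] || [[ $i -gt 1800 ]]` rejects `unlock_time=0`, the pam_faillock value that keeps the account locked until an administrator intervenes; if the benchmark means to allow that stricter setting as CIS does, the test should read `if [[ $i -ne 0 ]] && { [[ $i -lt 600 ]] || [[ $i -gt 1800 ]]; }; then`. The leading lookahead greps also require every `auth required pam_faillock.so` line to carry both options inline, so a `preauth silent` line configured through `/etc/security/faillock.conf` fails the control outright — the same caveat as the 1.28 scanner in this commit; a top-of-file comment `# only inline pam.d options are inspected; faillock.conf is not read` would at least document it. The hunk covers the whole file.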
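Review bot: The widened `grep -Pqs … /boot/grub2/*.cfg` is still gated by the untouched `if [[ -e /boot/grub2/user.cfg ]]` on the line above, so a host whose password sits in another `.cfg` file and has no `user.cfg` never reaches the new grep and drops into the `else` branch outside the hunk; if the commit's intent is "any *.cfg", the gate must change too, e.g. `if compgen -G '/boot/grub2/*.cfg' > /dev/null; then`. Note also that `GRUB2_PASSWORD=` is the `user.cfg` format written by grub2-setpassword; a password placed directly in `grub.cfg` appears as a `password_pbkdf2 <user> <hash>` directive and will not match, so the glob adds little unless the pattern also accepts `^\h*password_pbkdf2\h+\S+\h+grub\.pbkdf2\.`. The added `-s` silently hides unreadable files, which is acceptable for a scanner but deserves a one-line comment.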