-
Notifications
You must be signed in to change notification settings - Fork 125
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Revert "fix: clean obsolete check 99.5.4.5.1, now handled by 5.3.4 (#215
)" This reverts commit 670c8c6. We still want to verify the preexisting hashes in /etc/shadow, even if the PAM configuration is correct for new passwords (5.3.4).
- Loading branch information
Showing
2 changed files
with
125 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| #!/bin/bash | ||
|
|
||
| # run-shellcheck | ||
| # | ||
| # OVH Security audit | ||
| # | ||
|
|
||
| # | ||
| # 99.5.4.5.2 Check that any password that may exist in /etc/shadow is SHA512 hashed and salted | ||
| # | ||
|
|
||
| set -e # One error, it's over | ||
| set -u # One variable unset, it's over | ||
|
|
||
| # shellcheck disable=2034 | ||
| HARDENING_LEVEL=2 | ||
| # shellcheck disable=2034 | ||
| DESCRIPTION="Check that any password that may exist in /etc/shadow is SHA512 hashed and salted" | ||
| FILE="/etc/shadow" | ||
|
|
||
| # This function will be called if the script status is on enabled / audit mode | ||
| audit() { | ||
| # Review shadow file for existing passwords | ||
| pw_found="" | ||
| users_reviewed="" | ||
| if $SUDO_CMD [ ! -r "$FILE" ]; then | ||
| crit "$FILE is not readable" | ||
| return | ||
| fi | ||
| for line in $($SUDO_CMD cut -d ":" -f 1,2 /etc/shadow); do | ||
| users_reviewed+="$line " | ||
| user=$(echo "$line" | cut -d ":" -f 1) | ||
| passwd=$(echo "$line" | cut -d ":" -f 2) | ||
| if [[ $passwd = '!' || $passwd = '*' ]]; then | ||
| continue | ||
| elif [[ $passwd =~ ^!.*$ ]]; then | ||
| pw_found+="$user " | ||
| ok "User $user has a disabled password." | ||
| # Check password against $6$<salt>$<encrypted>, see `man 3 crypt` | ||
| elif [[ $passwd =~ ^\$6(\$rounds=[0-9]+)?\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then | ||
| pw_found+="$user " | ||
| ok "User $user has suitable SHA512 hashed password." | ||
| else | ||
| pw_found+="$user " | ||
| crit "User $user has a password that is not SHA512 hashed." | ||
| fi | ||
| done | ||
| if [[ -z "$users_reviewed" ]]; then | ||
| crit "No users were reviewed in $FILE !" | ||
| return | ||
| fi | ||
| if [[ -z "$pw_found" ]]; then | ||
| ok "There is no password in $FILE" | ||
| fi | ||
| } | ||
|
|
||
| # This function will be called if the script status is on enabled mode | ||
| apply() { | ||
| : | ||
| } | ||
|
|
||
| # This function will check config parameters required | ||
| check_config() { | ||
| : | ||
| } | ||
|
|
||
| # Source Root Dir Parameter | ||
| if [ -r /etc/default/cis-hardening ]; then | ||
| # shellcheck source=../../debian/default | ||
| . /etc/default/cis-hardening | ||
| fi | ||
| if [ -z "$CIS_LIB_DIR" ]; then | ||
| echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." | ||
| echo "Cannot source CIS_LIB_DIR variable, aborting." | ||
| exit 128 | ||
| fi | ||
|
|
||
| # Main function, will call the proper functions given the configuration (audit, enabled, disabled) | ||
| if [ -r "${CIS_LIB_DIR}"/main.sh ]; then | ||
| # shellcheck source=../../lib/main.sh | ||
| . "${CIS_LIB_DIR}"/main.sh | ||
| else | ||
| echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening" | ||
| exit 128 | ||
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| # shellcheck shell=bash | ||
| # run-shellcheck | ||
| test_audit() { | ||
| describe Running on blank host | ||
| register_test retvalshouldbe 0 | ||
| register_test contain "There is no password in /etc/shadow" | ||
| dismiss_count_for_test | ||
| # shellcheck disable=2154 | ||
| run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all | ||
|
|
||
| cp -a /etc/shadow /tmp/shadow.bak | ||
| sed -i 's/secaudit:!/secaudit:mypassword/' /etc/shadow | ||
| describe Fail: Found unsecure password | ||
| register_test retvalshouldbe 1 | ||
| register_test contain "User secaudit has a password that is not SHA512 hashed" | ||
| run unsecpasswd "${CIS_CHECKS_DIR}/${script}.sh" --audit-all | ||
|
|
||
| sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow | ||
| describe Fail: Found disabled password | ||
| register_test retvalshouldbe 0 | ||
| register_test contain "User secaudit has a disabled password" | ||
| run lockedpasswd "${CIS_CHECKS_DIR}/${script}.sh" --audit-all | ||
|
|
||
| mv /tmp/shadow.bak /etc/shadow | ||
| chpasswd -c SHA512 <<EOF | ||
| secaudit:mypassword | ||
| EOF | ||
| describe Pass: Found properly hashed password | ||
| register_test retvalshouldbe 0 | ||
| register_test contain "User secaudit has suitable SHA512 hashed password" | ||
| run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all | ||
|
|
||
| chpasswd -c SHA512 -s 1000 <<EOF | ||
| secaudit:mypassword | ||
| EOF | ||
| describe Pass: Found properly hashed password with custom round number | ||
| register_test retvalshouldbe 0 | ||
| register_test contain "User secaudit has suitable SHA512 hashed password" | ||
| run sha512pass "${CIS_CHECKS_DIR}/${script}.sh" --audit-all | ||
| } |