ComplianceAsCode · jan-cerny · Aug 2, 2024 · Jul 2, 2024 · Aug 1, 2024 · jan-cerny
diff --git a/...s-restrictions/account_expiration/account_disable_inactivity_password_auth/bash/shared.sh b/...s-restrictions/account_expiration/account_disable_inactivity_password_auth/bash/shared.sh
@@ -16,13 +16,17 @@ fi
 {{{ bash_ensure_pam_module_line("$PAM_FILE_PATH",
                                 'auth',
                                 'sufficient', 
-                                'pam_unix.so') }}}
+                                'pam_unix.so',
+                                '^\s*auth.*required.*pam_lastlog\.so.*') }}}
 # Ensure pam_unix.so is configured after pam_lastlog.so
 if ! grep -Pz \
     "auth\s*required\s*pam_lastlog\.so[^#]*inactive=35[\s\S]*\n\s*auth\s*sufficient\s*pam_unix\.so"\
     "$PAM_FILE_PATH"  ; then
-    PAM_LASTLOG_LINE="$(grep -oP '^\s*auth.*pam_lastlog\.so.*' $PAM_FILE_PATH)"
-    sed -i "0,/^\s*auth.*pam_unix\.so.*/i$PAM_LASTLOG_LINE" "$PAM_FILE_PATH"
+    readarray -t pam_lastlog_lines <<< $(grep -oP '^\s*auth.*pam_lastlog\.so[^#]*inactive=35.*' $PAM_FILE_PATH)
+    sed -i "/^\s*auth.*pam_lastlog\.so[^#]*inactive=35.*/d" "$PAM_FILE_PATH"
+    for line in "${pam_lastlog_lines[@]}"; do
+        sed -i "/^\s*auth.*pam_unix\.so.*/i$line" "$PAM_FILE_PATH"
+    done
 fi
 if [ -f /usr/bin/authselect ]; then
     authselect apply-changes -b --backup=after-hardening-pam_lastlog.so-inactive.backup

diff --git a/...nts-restrictions/account_expiration/account_disable_inactivity_system_auth/bash/shared.sh b/...nts-restrictions/account_expiration/account_disable_inactivity_system_auth/bash/shared.sh
@@ -16,13 +16,17 @@ fi
 {{{ bash_ensure_pam_module_line("$PAM_FILE_PATH",
                                 'auth',
                                 'sufficient',
-                                'pam_unix.so') }}}
+                                'pam_unix.so',
+                                '^\s*auth.*required.*pam_lastlog\.so.*') }}}
 # Ensure pam_unix.so is configured after pam_lastlog.so
 if ! grep -Pz \
     "auth\s*required\s*pam_lastlog\.so[^#]*inactive=35[\s\S]*\n\s*auth\s*sufficient\s*pam_unix\.so"\
     "$PAM_FILE_PATH"  ; then
-    PAM_LASTLOG_LINE="$(grep -oP '^\s*auth.*pam_lastlog\.so.*' $PAM_FILE_PATH)"
-    sed -i "0,/^\s*auth.*pam_unix\.so.*/i$PAM_LASTLOG_LINE" "$PAM_FILE_PATH"
+    readarray -t pam_lastlog_lines <<< $(grep -oP '^\s*auth.*pam_lastlog\.so[^#]*inactive=35.*' $PAM_FILE_PATH)
+    sed -i "/^\s*auth.*pam_lastlog\.so[^#]*inactive=35.*/d" "$PAM_FILE_PATH"
+    for line in "${pam_lastlog_lines[@]}"; do
+        sed -i "/^\s*auth.*pam_unix\.so.*/i$line" "$PAM_FILE_PATH"
+    done
 fi
 if [ -f /usr/bin/authselect ]; then
     authselect apply-changes -b --backup=after-hardening-pam_lastlog.so-inactive.backup