forked from konstruktoid/hardening
-
Notifications
You must be signed in to change notification settings - Fork 0
/
password
51 lines (42 loc) · 2 KB
/
password
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
function f_password {
echo "[$SCRIPT_COUNT] $COMMONPASSWD, $COMMONAUTH and $PAMLOGIN"
if ! grep pam_pwhistory.so "$COMMONPASSWD"; then
sed -i '/the "Primary" block/apassword\trequired\t\t\tpam_pwhistory.so\tremember=5' "$COMMONPASSWD"
fi
cp ./config/pwquality.conf /etc/security/pwquality.conf
chmod 0644 /etc/security/pwquality.conf
if grep 'use_authtok try_first_pass sha512' "$COMMONPASSWD"; then
sed -i 's/try_first_pass sha512.*/try_first_pass sha512 rounds=65536/' "$COMMONPASSWD"
fi
sed -i -E 's/(nullok|nullok_secure)//g' "$COMMONAUTH"
if ! grep retry= "$COMMONPASSWD"; then
echo 'password requisite pam_pwquality.so retry=3' >> "$COMMONPASSWD"
fi
if [ -f "$FAILLOCKCONF" ]; then
if ! grep faillock "$COMMONAUTH"; then
sed -i 's/^# audit$/audit/' "$FAILLOCKCONF"
sed -i 's/^# local_users_only$/local_users_only/' "$FAILLOCKCONF"
sed -i 's/^# deny.*/deny = 5/' "$FAILLOCKCONF"
sed -i 's/^# fail_interval.*/fail_interval = 900/' "$FAILLOCKCONF"
sed -i '/pam_tally.*/d' "$COMMONACCOUNT"
sed -i 's/auth.*pam_unix.so/auth required pam_faillock.so preauth\nauth [success=1 default=ignore] pam_unix.so\nauth [default=die] pam_faillock.so authfail\nauth sufficient pam_faillock.so authsucc\n/' "$COMMONAUTH"
fi
if ! grep faillock "$COMMONACCOUNT"; then
echo 'account required pam_faillock.so' >> "$COMMONACCOUNT"
fi
else
if ! grep tally2 "$COMMONAUTH"; then
sed -i '/^$/a auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' "$COMMONAUTH"
sed -i '/pam_tally/d' "$COMMONACCOUNT"
fi
if ! grep tally2 "$COMMONACCOUNT"; then
sed -i '/^$/a account required pam_tally2.so' "$COMMONACCOUNT"
fi
fi
sed -i 's/pam_lastlog.so.*/pam_lastlog.so showfailed/' "$PAMLOGIN"
sed -i 's/delay=.*/delay=4000000/' "$PAMLOGIN"
cp "./misc/passwords.list" "/usr/share/dict/passwords"
grep -v '^$' /usr/share/dict/passwords | strings > /usr/share/dict/passwords_text
update-cracklib
((SCRIPT_COUNT++))
}