DESTDIR

3 years ago · d492fc3986
parent e4d0d5c29c
commit d492fc3986
7 changed files with 286 additions and 1 deletions
--- a/DESTDIR/etc/security/pwquality.conf
+++ b/DESTDIR/etc/security/pwquality.conf
@ -0,0 +1,15 @@
+minlen = 8
+dcredit = 0
+ucredir = 0
+lcredit = 0
+ocredit = 0
+minclass = 0
+maxrepeat = 0
+maxsequence = 0
+maxclassrepeat = 0
+gecoscheck = 0
+dictcheck = 1
+usercheck = 1
+usersubstr = 0
+enforcing = 1
+retry = 1
--- a/DESTDIR/usr/share/linux-infosec-setupper/common.sh
+++ b/DESTDIR/usr/share/linux-infosec-setupper/common.sh
@ -0,0 +1,97 @@
+# prefix for testing
+DESTDIR="${DESTDIR:-}"
+PWQUALITY_CONF_FILE="${DESTDIR}/etc/security/pwquality.conf"
+VAR_DIR_ROOT="${DESTDIR}/var/lib/linux-infosec-setupper"
+VAR_DIR_PWQUALITY="${VAR_DIR_ROOT}/pwquality"
+VAR_DIR_AUDIT="${VAR_DIR_ROOT}/audit"
+SHARE_DIR_ROOT="${DESTDIR}/usr/share/linux-infosec-setupper"
+SHARE_DIR_PWQUALITY="${SHARE_DIR_ROOT}/pwquality"
+SHARE_DIR_AUDIT="${SHARE_DIR_ROOT}/audit"
+# /etc/audit/audit.rules is generated automatically from /etc/audit/rules.d/*,
+# do not edit it; also do not edit any other files, work only with ours,
+# assume that there are no other configs or they have lower priority
+AUDIT_RULES_FILE="${DESTDIR}/etc/audit/rules.d/90-linux-infosec-setupper.rules"
+AUDIT_DAEMON_CONFIG="${DESTDIR}/etc/audit/auditd.conf"
+AUDIT_DAEMON_SYSTEMD_OVERRIDE="${DESTDIR}/etc/systemd/system/auditd.service.d/90-linux-infosec-setupper-auditd-firewall.conf"
+# validate email, https://stackoverflow.com/a/2138832, https://stackoverflow.com/a/41192733
+REGEX_EMAIL="^[a-z0-9!#\$%&'*+/=?^_\`{|}~-]+(\.[a-z0-9!#$%&'*+/=?^_\`{|}~-]+)*@([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?\$"
+
+error() {
+	printf "$@" 1>&2
+	echo '' 1>&2
+}
+
+# Translations
+TEXTDOMAIN=linux-infosec-setupper
+TEXTDOMAINDIR=/usr/share/locale
+
+# $1 - value
+# $2 - param name
+# (optional) $3 - anything, trigger check for non-negative
+_check_argument_is_number() {
+	if [[ "$1" == [0-9]* ]]; then
+		return 0
+	else
+		if [ -n "$3" ]; then
+			grep -Exq -- "(\-|\+)[0-9]*" <<< "$1" && return 0
+		fi
+		error $"Argument to %s must be a number" "$2"
+		return 1
+	fi
+}
+
+# $1 - value
+# $2 - param name
+_check_argument_value() {
+	if (( "$1" < "$2" )); then
+		error $"Argument to %s must be greater than %s" "$2" "$3"
+		return 1
+	else
+		return 0
+	fi
+}
+
+# $1 - value
+# $2 - param name
+_check_argument_is_string() {
+	if [[ "$1" == *[[:blank:]]* ]]; then
+		error $"Argument to %s must be a string without spaces"  "$2"
+		return 1
+	else
+		return 0
+	fi
+}
+
+# $1 - value
+# $2 - param name
+_check_argument_is_boolean(){
+	case "$1" in
+		"yes" ) return 0 ;;
+		"no" ) return 0 ;;
+		"" )
+			error $"Value of %s is empty, set yes or no" "$2"
+			return 1
+		;;
+		* )
+			error $"String %s is not a boolean, set yes or no" "$1"
+			return 1
+		;;
+	esac
+}
+
+# $1 - value
+# $2 - param name
+_check_argument_is_non_negative_number(){
+	# 2>/dev/null to avoid odd output if $1 is not a number
+	if ! test "$1" -lt 0 2>/dev/null; then
+		error $"Value of %s must be a non-negative number" "$2"
+		return 1
+	fi
+}
+
+_validate_email(){
+	if ! [[ "$1" =~ ${regex_email} ]] ; then
+		error $"%s is not a correct email" "$1"
+		return 1
+	fi
+}
--- a/DESTDIR/usr/share/linux-infosec-setupper/pwquality/back_pwquality.sh
+++ b/DESTDIR/usr/share/linux-infosec-setupper/pwquality/back_pwquality.sh
@ -0,0 +1,150 @@
+#!/bin/bash
+set -e
+
+source "${SHARE_DIR_ROOT}/common.sh"
+
+_mk_pwquality_conf() {
+	local failed=0
+	local difok=1 \
+	      minlen=8 \
+	      dcredit=0 \
+	      ucredit=0 \
+	      lcredit=0 \
+	      ocredit=0 \
+	      minclass=0 \
+	      maxrepeat=0 \
+	      maxsequence=0 \
+	      maxclassrepeat=0 \
+	      gecoscheck=0 \
+	      dictcheck=1 \
+	      usercheck=1 \
+	      usersubstr=0 \
+	      enforcing=1 \
+	      badwords \
+	      dictpath \
+	      retry=1 \
+	      enforce_for_root=0 \
+	      local_users_only=0
+	while [ -n "$1" ]; do
+		case "$1" in
+			--difok) shift;
+				_check_argument_is_number "$1" "--difok" || failed=1
+				difok="$1"
+				shift
+		;;
+			--minlen) shift;
+				_check_argument_value "$1" "6" "--minlen" || failed=1
+				minlen="$1"
+				shift
+		;;
+			--dcredit) shift;
+				_check_argument_is_number "$1" "--dcredit" "-" || failed=1
+				dcredit="$1"
+				shift
+		;;
+			--ucredit) shift;
+				_check_argument_is_number "$1" "--ucredit" "-" || failed=1
+				ucredit="$1"
+				shift
+		;;
+			--lcredit) shift;
+				_check_argument_is_number "$1" "--lcredit" "-" || failed=1
+				lcredit="$1"
+				shift
+		;;
+			--ocredit) shift;
+				_check_argument_is_number "$1" "--ocredit" "-" || failed=1
+				ocredit="$1"
+				shift
+		;;
+			--minclass) shift;
+				_check_argument_is_number "$1" "--minclass" || failed=1
+				minclass="$1"
+				shift
+		;;
+			--maxrepeat) shift;
+			 	_check_argument_is_number "$1" "--maxrepeat" || failed=1
+				maxrepeat="$1"
+				shift
+		;;
+			--maxsequence) shift;
+				_check_argument_is_number "$1" "--maxsequence" || failed=1
+				maxsequence="$1"
+				shift
+		;;
+			--maxclassrepeat) shift;
+				_check_argument_is_number "$1" "--maxclassrepeat" || failed=1
+				maxclassrepeat="$1"
+				shift
+		;;
+			--gecoscheck) shift;
+				_check_argument_is_number "$1" "--gecoscheck" || failed=1
+				[[ "$1" =~ (0|1) ]] || { error $"The received parameters are not correct. Expected %s, received %s" $"0 or 1" "$1"; failed=1; }
+				geoscheck="$1"
+				shift
+		;;
+			--dictcheck) shift;
+				_check_argument_is_number "$1" "--dictcheck" || failed=1
+				[[ "$1" =~ (0|1) ]] || { error $"The received parameters are not correct. Expected %s, received %s" $"0 or 1" "$1"; failed=1; }
+				dictcheck="$1"
+				shift
+		;;
+			--usercheck) shift;
+				_check_argument_is_number "$1" "--usercheck" || failed=1
+				[[ "$1" =~ (0|1) ]] || { error $"The received parameters are not correct. Expected %s, received %s" $"0 or 1" "$1"; failed=1; }
+				usercheck="$1"
+				shift
+		;;
+			--usersubstr) shift;
+				_check_argument_is_number "$1" "--usersubstr" || failed=1
+				usersubstr="$1"
+				shift
+		;;
+			--enforcing) shift;
+				_check_argument_is_number "$1" "--enforcing" || failed=1
+				[[ "$1" =~ (0|1) ]] || { error $"The received parameters are not correct. Expected %s, received %s" $"0 or 1" "$1"; failed=1; }
+				enforcing="$1"
+				shift
+		;;
+			--retry) shift;
+				_check_argument_is_number "$1" "--retry" || failed=1
+				shift
+		;;
+			--enforce_for_root) shift;
+				_check_argument_is_number "$1" "--enforce_for_root" || failed=1
+				[[ "$1" =~ (0|1) ]] || { error $"The received parameters are not correct. Expected %s, received %s" $"0 or 1" "$1"; failed=1; }
+				enforce_for_root="$1"
+				shift
+		;;
+			--local_users_only) shift;
+				_check_argument_is_number "$1" "--local_users_only" || failed=1
+				[[ "$1" =~ (0|1) ]] || { error $"The received parameters are not correct. Expected %s, received %s" $"0 or 1" "$1"; failed=1; }
+				local_users_only="$1"
+				shift
+		;;
+		esac
+	done
+	if [ "$failed" != 0 ]; then
+		return 1
+	fi
+cat <<EOF
+difok = $difok
+minlen = $minlen
+dcredit = $dcredit
+ucredit = $ucredit
+lcredit = $lcredit
+ocredit = $ocredit
+minclass = $minclass
+maxrepeat = $maxrepeat
+maxsequence = $maxsequence
+maxclassrepeat = $maxclassrepeat
+gecoscheck = $gecoscheck
+dictcheck = $dictcheck
+usercheck = $usercheck
+usersubstr = $usersubstr
+enforcing = $enforcing
+retry = $retry
+EOF
+if [ "$enforce_for_root" == 1 ]; then echo "enforce_for_root"; fi
+if [ "$local_users_only" == 1 ]; then echo "local_users_only"; fi
+}
--- a/DESTDIR/usr/share/linux-infosec-setupper/pwquality/parse_pwquality.sh
+++ b/DESTDIR/usr/share/linux-infosec-setupper/pwquality/parse_pwquality.sh
@ -0,0 +1,8 @@
+_pw_parse_conf() {
+while read -r line; do
+	case "$line" in
+		*=*) echo "${line// /}" ;;
+		*)   echo "${line}=1"   ;;
+	esac
+done < "${DESTDIR}/etc/security/pwquality.conf"
+}
--- a/DESTDIR/usr/share/linux-infosec-setupper/pwquality/pw_default
+++ b/DESTDIR/usr/share/linux-infosec-setupper/pwquality/pw_default
@ -0,0 +1,15 @@
+minlen = 8
+dcredit = 0
+ucredir = 0
+lcredit = 0
+ocredit = 0
+minclass = 0
+maxrepeat = 0
+maxsequence = 0
+maxclassrepeat = 0
+gecoscheck = 0
+dictcheck = 1
+usercheck = 1
+usersubstr = 0
+enforcing = 1
+retry = 1
--- a/DESTDIR/var/lib/linux-infosec-setupper/pwquality/pw_changed
+++ b/DESTDIR/var/lib/linux-infosec-setupper/pwquality/pw_changed
--- a/front_pwquality.sh
+++ b/front_pwquality.sh
@ -7,7 +7,7 @@ source "${DESTDIR}/usr/share/linux-infosec-setupper/common.sh"
 # We write our default config instead of the original one, so that the parsing works correctly
 if ! [[ -f "${VAR_DIR_PWQUALITY}/pw_changed" ]]; then
 	cat "${SHARE_DIR_PWQUALITY}/pw_default" > "${DESTDIR}/etc/security/pwquality.conf"
-	install -D -m 000 /dev/null "${VAR_DIR_PWQUALITY}/pw_changed"
+	install -D -m 444 /dev/null "${VAR_DIR_PWQUALITY}/pw_changed"
 fi	

 source "${SHARE_DIR_PWQUALITY}/parse_pwquality.sh"