From d492fc3986d1f3c8ceea61d49d581b34a2f2d62e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=90=D1=80=D1=82=D0=B5=D0=BC=D0=B8=D0=B9?=
Date: Sat, 19 Jun 2021 22:21:07 +0300
Subject: [PATCH] DESTDIR
---
DESTDIR/etc/security/pwquality.conf | 15 ++
.../share/linux-infosec-setupper/common.sh | 97 +++++++++++
.../pwquality/back_pwquality.sh | 150 ++++++++++++++++++
.../pwquality/parse_pwquality.sh | 8 +
.../pwquality/pw_default | 15 ++
.../pwquality/pw_changed | 0
front_pwquality.sh | 2 +-
7 files changed, 286 insertions(+), 1 deletion(-)
create mode 100644 DESTDIR/etc/security/pwquality.conf
create mode 100644 DESTDIR/usr/share/linux-infosec-setupper/common.sh
create mode 100644 DESTDIR/usr/share/linux-infosec-setupper/pwquality/back_pwquality.sh
create mode 100755 DESTDIR/usr/share/linux-infosec-setupper/pwquality/parse_pwquality.sh
create mode 100644 DESTDIR/usr/share/linux-infosec-setupper/pwquality/pw_default
create mode 100644 DESTDIR/var/lib/linux-infosec-setupper/pwquality/pw_changed
diff --git a/DESTDIR/etc/security/pwquality.conf b/DESTDIR/etc/security/pwquality.conf
new file mode 100644
index 0000000..6dcdb2b
--- /dev/null
+++ b/DESTDIR/etc/security/pwquality.conf
@@ -0,0 +1,15 @@
+minlen = 8
+dcredit = 0
+ucredir = 0
+lcredit = 0
+ocredit = 0
+minclass = 0
+maxrepeat = 0
+maxsequence = 0
+maxclassrepeat = 0
+gecoscheck = 0
+dictcheck = 1
+usercheck = 1
+usersubstr = 0
+enforcing = 1
+retry = 1
diff --git a/DESTDIR/usr/share/linux-infosec-setupper/common.sh b/DESTDIR/usr/share/linux-infosec-setupper/common.sh
new file mode 100644
index 0000000..d94dacd
--- /dev/null
+++ b/DESTDIR/usr/share/linux-infosec-setupper/common.sh
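Review bot: `+ucredir = 0` on the third added line of pwquality.conf misspells the `ucredit` key, so the upper-case credit is not set to 0 here; pam_pwquality does not know `ucredir` and, depending on the library version, either ignores the line or refuses the whole file, and neither gives the policy that the other four credit lines express. Change it to `ucredit = 0`. The diffstat lists `pw_default` with the same 15 lines; if that file is a copy of this one, it likely needs the same correction.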
@@ -0,0 +1,97 @@
+# prefix for testing
+DESTDIR="${DESTDIR:-}"
+PWQUALITY_CONF_FILE="${DESTDIR}/etc/security/pwquality.conf"
+VAR_DIR_ROOT="${DESTDIR}/var/lib/linux-infosec-setupper"
+VAR_DIR_PWQUALITY="${VAR_DIR_ROOT}/pwquality"
+VAR_DIR_AUDIT="${VAR_DIR_ROOT}/audit"
+SHARE_DIR_ROOT="${DESTDIR}/usr/share/linux-infosec-setupper"
+SHARE_DIR_PWQUALITY="${SHARE_DIR_ROOT}/pwquality"
+SHARE_DIR_AUDIT="${SHARE_DIR_ROOT}/audit"
+# /etc/audit/audit.rules is generated automatically from /etc/audit/rules.d/*,
+# do not edit it; also do not edit any other files, work only with ours,
+# assume that there are no other configs or they have lower priority
+AUDIT_RULES_FILE="${DESTDIR}/etc/audit/rules.d/90-linux-infosec-setupper.rules"
+AUDIT_DAEMON_CONFIG="${DESTDIR}/etc/audit/auditd.conf"
+AUDIT_DAEMON_SYSTEMD_OVERRIDE="${DESTDIR}/etc/systemd/system/auditd.service.d/90-linux-infosec-setupper-auditd-firewall.conf"
+# validate email, https://stackoverflow.com/a/2138832, https://stackoverflow.com/a/41192733
+REGEX_EMAIL="^[a-z0-9!#\$%&'*+/=?^_\`{|}~-]+(\.[a-z0-9!#$%&'*+/=?^_\`{|}~-]+)*@([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?\$"
+
+error() {
+ printf "$@" 1>&2
+ echo '' 1>&2
+}
+
+# Translations
+TEXTDOMAIN=linux-infosec-setupper
+TEXTDOMAINDIR=/usr/share/locale
+
+# $1 - value
+# $2 - param name
+# (optional) $3 - anything, trigger check for non-negative
+_check_argument_is_number() {
+ if [[ "$1" == [0-9]* ]]; then
+ return 0
+ else
+ if [ -n "$3" ]; then
+ grep -Exq -- "(\-|\+)[0-9]*" <<< "$1" && return 0
+ fi
+ error $"Argument to %s must be a number" "$2"
+ return 1
+ fi
+}
+
+# $1 - value
+# $2 - param name
+_check_argument_value() {
+ if (( "$1" < "$2" )); then
+ error $"Argument to %s must be greater than %s" "$2" "$3"
+ return 1
+ else
+ return 0
+ 
fi
+}
+
+# $1 - value
+# $2 - param name
+_check_argument_is_boolean(){
+ case "$1" in
+ "yes" ) return 0 ;;
+ "no" ) return 0 ;;
+ "" )
+ error $"Value of %s is empty, set yes or no" "$2"
+ return 1
+ ;;
+ * )
+ error $"String %s is not a boolean, set yes or no" "$1"
+ return 1
+ ;;
+ esac
+}
+
+# $1 - value
+# $2 - param name
+_check_argument_is_non_negative_number(){
+ # 2>/dev/null to avoid odd output if $1 is not a number
+ if ! test "$1" -lt 0 2>/dev/null; then
+ error $"Value of %s must be a non-negative number" "$2"
+ return 1
+ fi
+}
+
+_validate_email(){
+ if ! [[ "$1" =~ ${regex_email} ]] ; then
+ error $"%s is not a correct email" "$1"
+ return 1
+ fi
+}
diff --git a/DESTDIR/usr/share/linux-infosec-setupper/pwquality/back_pwquality.sh b/DESTDIR/usr/share/linux-infosec-setupper/pwquality/back_pwquality.sh
new file mode 100644
index 0000000..2ec48d6
--- /dev/null
+++ b/DESTDIR/usr/share/linux-infosec-setupper/pwquality/back_pwquality.sh
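Review bot: `_check_argument_is_non_negative_number` is inverted: `if ! test "$1" -lt 0` raises the error for every value that is not below zero, so `5` is rejected while `-3` falls through and returns 0; it should read `if ! test "$1" -ge 0 2>/dev/null; then` (a non-number then fails the test and is rejected as intended). `_check_argument_value` documents `$2` as the param name but evaluates it as the minimum and prints `"$2" "$3"` in the wrong order, and its `(( "$1" < "$2" ))` evaluates an unvalidated string in an arithmetic context, where bash expands variables and command substitutions, so guard it with `_check_argument_is_number "$1" "$3" || return 1` before the comparison and swap the error arguments to `"$3" "$2"`. `_validate_email` matches against `${regex_email}`, which is never assigned; the constant defined above is `REGEX_EMAIL`, so the comparison runs against an empty pattern and does not validate the address. Finally, `[[ "$1" == [0-9]* ]]` in `_check_argument_is_number` only inspects the first character (`1x` passes), so `[[ "$1" =~ ^[0-9]+$ ]]` is the check the callers expect.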
@@ -0,0 +1,150 @@
+#!/bin/bash
+set -e
+
+source "${SHARE_DIR_ROOT}/common.sh"
+
+_mk_pwquality_conf() {
+ local failed=0
+ local difok=1 \
+ minlen=8 \
+ dcredit=0 \
+ ucredit=0 \
+ lcredit=0 \
+ ocredit=0 \
+ minclass=0 \
+ maxrepeat=0 \
+ maxsequence=0 \
+ maxclassrepeat=0 \
+ gecoscheck=0 \
+ dictcheck=1 \
+ usercheck=1 \
+ usersubstr=0 \
+ enforcing=1 \
+ badwords \
+ dictpath \
+ retry=1 \
+ enforce_for_root=0 \
+ local_users_only=0
+ while [ -n "$1" ]; do
+ case "$1" in
+ --difok) shift;
+ _check_argument_is_number "$1" "--difok" || failed=1
+ difok="$1"
+ shift
+ ;;
+ --minlen) shift;
+ _check_argument_value "$1" "6" "--minlen" || failed=1
+ minlen="$1"
+ shift
+ ;;
+ --dcredit) shift;
+ _check_argument_is_number "$1" "--dcredit" "-" || failed=1
+ dcredit="$1"
+ shift
+ ;;
+ --ucredit) shift;
+ _check_argument_is_number "$1" "--ucredit" "-" || failed=1
+ ucredit="$1"
+ shift
+ ;;
+ --lcredit) shift;
+ _check_argument_is_number "$1" "--lcredit" "-" || failed=1
+ lcredit="$1"
+ shift
+ ;;
+ --ocredit) shift;
+ _check_argument_is_number "$1" "--ocredit" "-" || failed=1
+ ocredit="$1"
+ shift
+ ;;
+ --minclass) shift;
+ _check_argument_is_number "$1" "--minclass" || failed=1
+ minclass="$1"
+ shift
+ ;;
+ --maxrepeat) shift;
+ _check_argument_is_number "$1" "--maxrepeat" || failed=1
+ maxrepeat="$1"
+ shift
+ ;;
+ --maxsequence) shift;
+ _check_argument_is_number "$1" "--maxsequence" || failed=1
+ maxsequence="$1"
+ shift
+ ;;
+ --maxclassrepeat) shift;
+ _check_argument_is_number "$1" "--maxclassrepeat" || failed=1
+ maxclassrepeat="$1"
+ shift
+ ;;
+ --gecoscheck) shift;
+ _check_argument_is_number "$1" "--gecoscheck" || failed=1
+ [[ "$1" =~ (0|1) ]] || { error $"The received parameters are not correct. Expected %s, received %s" $"0 or 1" "$1"; failed=1; }
+ geoscheck="$1"
+ shift
+ ;;
+ --dictcheck) shift;
+ _check_argument_is_number "$1" "--dictcheck" || failed=1
+ [[ "$1" =~ (0|1) ]] || { error $"The received parameters are not correct. 
Expected %s, received %s" $"0 or 1" "$1"; failed=1; }
+ dictcheck="$1"
+ shift
+ ;;
+ --usercheck) shift;
+ _check_argument_is_number "$1" "--usercheck" || failed=1
+ [[ "$1" =~ (0|1) ]] || { error $"The received parameters are not correct. Expected %s, received %s" $"0 or 1" "$1"; failed=1; }
+ usercheck="$1"
+ shift
+ ;;
+ --usersubstr) shift;
+ _check_argument_is_number "$1" "--usersubstr" || failed=1
+ usersubstr="$1"
+ shift
+ ;;
+ --enforcing) shift;
+ _check_argument_is_number "$1" "--enforcing" || failed=1
+ [[ "$1" =~ (0|1) ]] || { error $"The received parameters are not correct. Expected %s, received %s" $"0 or 1" "$1"; failed=1; }
+ enforcing="$1"
+ shift
+ ;;
+ --retry) shift;
+ _check_argument_is_number "$1" "--retry" || failed=1
+ shift
+ ;;
+ --enforce_for_root) shift;
+ _check_argument_is_number "$1" "--enforce_for_root" || failed=1
+ [[ "$1" =~ (0|1) ]] || { error $"The received parameters are not correct. Expected %s, received %s" $"0 or 1" "$1"; failed=1; }
+ enforce_for_root="$1"
+ shift
+ ;;
+ --local_users_only) shift;
+ _check_argument_is_number "$1" "--local_users_only" || failed=1
+ [[ "$1" =~ (0|1) ]] || { error $"The received parameters are not correct. Expected %s, received %s" $"0 or 1" "$1"; failed=1; }
+ local_users_only="$1"
+ shift
+ ;;
+ esac
+ done
+ if [ "$failed" != 0 ]; then
+ return 1
+ fi
+cat < "${DESTDIR}/etc/security/pwquality.conf"
- install -D -m 000 /dev/null "${VAR_DIR_PWQUALITY}/pw_changed"
+ install -D -m 444 /dev/null "${VAR_DIR_PWQUALITY}/pw_changed" fi source "${SHARE_DIR_PWQUALITY}/parse_pwquality.sh"