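#!/bin/sh
# Harden a pam_faillock configuration (faillock.conf).
#
# stdin:  default config
# stdout: modified config (the input, followed by the overrides listed below)
# stderr: one progress marker per option, plus a message if an assertion fails
#
# For every option two things are asserted on the input before anything is
# written: the commented-out default this script was written against is still
# present, and the option is not already set. Output is produced only after
# all assertions pass, so a failed run never leaves a half-modified config on
# stdout.
#
# Reference:
# - https://wiki.archlinux.org/title/Security#Lock_out_user_after_three_failed_login_attempts
set -e

# Print a message on stderr and stop with a non-zero status.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Require that the input contains a line matching the given pattern.
# $1 - basic regular expression for the expected commented-out default
assert_default() {
  printf '%s\n' "$stdin" | grep -q -e "$1" ||
    die "expected default not found: $1"
}

# Require that the input contains NO line matching the given pattern.
# Written as an explicit `if`: under `set -e` a pipeline negated with `!`
# never aborts the script, so `! ... | grep` would not enforce anything.
# $1 - basic regular expression for an active (uncommented) setting
assert_unset() {
  if printf '%s\n' "$stdin" | grep -q -e "$1"; then
    die "option is already set: $1"
  fi
}

# save stdin in variable
stdin=$(cat)

# Make locks persistent over reboot.
echo "=== assert dir ===" 1>&2
assert_default '^# dir = /var/run/faillock$'
assert_unset '^dir[[:space:]]*='

# Lock account after 5 failed entries.
# Note: the commented default asserted here is 3, so 5 is the more permissive
# value.
echo "=== assert deny ===" 1>&2
assert_default '^# deny = 3$'
assert_unset '^deny[[:space:]]*='

# Also lock root.
# Trade-off: with this set, repeated failed logins can lock root out as well;
# the short root_unlock_time below bounds how long that lasts.
echo "=== assert even_deny_root ===" 1>&2
assert_default '^# even_deny_root$'
assert_unset '^even_deny_root[[:space:]]*'

# Different unlock time for root: 60s (the asserted default is 900).
# Together with deny = 5 this permits up to five root attempts per minute.
echo "=== assert root_unlock_time ===" 1>&2
assert_default '^# root_unlock_time = 900$'
assert_unset '^root_unlock_time[[:space:]]*='

# All assertions passed: write the original config, then the overrides.
# printf is used instead of echo so backslashes in the config pass through
# unchanged regardless of which shell provides /bin/sh.
printf '%s\n' "$stdin"
printf '%s\n' \
  'dir = /var/lib/faillock' \
  'deny = 5' \
  'even_deny_root' \
  'root_unlock_time = 60'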