From 4387a23410f48d6d6614351773ce79e42331e72b Mon Sep 17 00:00:00 2001 From: Daniel Langbein Date: Fri, 15 Apr 2022 17:36:53 +0200 Subject: [PATCH] update de-p1st-pam --- pkg/de-p1st-pam/PKGBUILD | 5 +-- pkg/de-p1st-pam/faillock.conf.holoscript | 44 ++++++++++++++++++++++++ pkg/de-p1st-ssh/sshd_config.holoscript | 22 ++++++------ 3 files changed, 58 insertions(+), 13 deletions(-) create mode 100644 pkg/de-p1st-pam/faillock.conf.holoscript diff --git a/pkg/de-p1st-pam/PKGBUILD b/pkg/de-p1st-pam/PKGBUILD index 4bcf8d9..49c3d7c 100644 --- a/pkg/de-p1st-pam/PKGBUILD +++ b/pkg/de-p1st-pam/PKGBUILD @@ -2,7 +2,7 @@ _pkgname=pam _reponame=arch pkgname="de-p1st-$_pkgname" -pkgver=0.0.3 +pkgver=0.0.4 pkgrel=1 pkgdesc="PAM configuration" arch=('any') @@ -18,5 +18,6 @@ sha256sums=('SKIP') package() { cd "${_reponame}/pkg/${pkgname}" - install -Dm0544 system-login.holoscript "$pkgdir"/usr/share/holo/files/20-"$pkgname"/etc/pam.d/system-login.holoscript + install -Dm0544 system-login.holoscript "$pkgdir"/usr/share/holo/files/20-"$pkgname"/etc/pam.d/system-login.holoscript + install -Dm0544 faillock.conf.holoscript "$pkgdir"/usr/share/holo/files/20-"$pkgname"/etc/security/faillock.conf.holoscript } diff --git a/pkg/de-p1st-pam/faillock.conf.holoscript b/pkg/de-p1st-pam/faillock.conf.holoscript new file mode 100644 index 0000000..6bbf0c0 --- /dev/null +++ b/pkg/de-p1st-pam/faillock.conf.holoscript 
@@ -0,0 +1,44 @@
+#!/bin/sh
+# stdin: default config
+# stdout: modified config
+set -e
+
+# save stdin in variable
+stdin="$(cat)"
+
+# write stdin
+echo "$stdin"
+
+# - https://wiki.archlinux.org/title/Security#Lock_out_user_after_three_failed_login_attempts
+
+# Make locks persistent over reboot.
+#
+# Assert
+echo "$stdin" | grep --quiet '^# dir = /var/run/faillock$'
+! echo "$stdin" | grep --quiet '^dir[[:space:]]*='
+# Insert
+echo 'dir = /var/lib/faillock'
+
+# Lock account after 5 failed entries.
+#
+# Assert
+echo "$stdin" | grep --quiet '^# deny = 3$'
+! echo "$stdin" | grep --quiet '^deny[[:space:]]*='
+# Insert
+echo 'deny = 5'
+
+# Also lock root
+#
+# Assert
+echo "$stdin" | grep --quiet '^# even_deny_root$'
+! echo "$stdin" | grep --quiet '^even_deny_root[[:space:]]*'
+# Insert
+echo 'even_deny_root'
+
+# Different unlock time for root: 60s
+#
+# Assert
+echo "$stdin" | grep --quiet '^root_unlock_time = 900$'
+! echo "$stdin" | grep --quiet '^root_unlock_time[[:space:]]*='
+# Insert
+echo 'root_unlock_time = 60'
diff --git a/pkg/de-p1st-ssh/sshd_config.holoscript b/pkg/de-p1st-ssh/sshd_config.holoscript
index 390d24b..ee069e0 100755
--- a/pkg/de-p1st-ssh/sshd_config.holoscript
+++ b/pkg/de-p1st-ssh/sshd_config.holoscript
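Review bot: The `root_unlock_time` assertion `'^root_unlock_time = 900$'` lacks the leading `# ` that the three sibling asserts use, so it demands an already active setting while the very next check demands none; if the default config ships that line commented out, as the other asserts assume for their keys, `set -e` stops the script here, and if it ships it active, the appended `root_unlock_time = 60` duplicates an existing key. The intended line is presumably `echo "$stdin" | grep --quiet '^# root_unlock_time = 900$'`. Separately, `set -e` ignores a pipeline that begins with `!`, so none of the four `! echo … | grep` checks can abort the script when a key is already set; `if echo "$stdin" | grep --quiet '^dir[[:space:]]*='; then exit 1; fi` would. Also, `echo` under `#!/bin/sh` may interpret backslash escapes in the config text it passes through, so `printf '%s\n' "$stdin"` is the safer way to emit the input.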
@@ -8,23 +8,23 @@ stdin="$(cat)" # assertions echo "=== assert UsePAM ===" 1>&2 -echo "$stdin" | grep --quiet '^UsePAM yes$' +echo "$stdin" | grep --quiet '^UsePAM[[:space:]]+yes$' # echo "=== assert PermitRootLogin ===" 1>&2 -echo "$stdin" | grep --quiet '^#PermitRootLogin\s.*$' -! echo "$stdin" | grep --quiet '^PermitRootLogin\s.*$' +echo "$stdin" | grep --quiet '^#PermitRootLogin[[:space:]]*' +! echo "$stdin" | grep --quiet '^PermitRootLogin[[:space:]]+' echo "=== assert PubkeyAuthentication ===" 1>&2 -echo "$stdin" | grep --quiet '^#PubkeyAuthentication\s.*$' -! echo "$stdin" | grep --quiet '^PubkeyAuthentication\s.*$' +echo "$stdin" | grep --quiet '^#PubkeyAuthentication[[:space:]]*' +! echo "$stdin" | grep --quiet '^PubkeyAuthentication\[[:space:]]+' echo "=== assert PasswordAuthentication ===" 1>&2 -echo "$stdin" | grep --quiet '^#PasswordAuthentication\s.*$' -! echo "$stdin" | grep --quiet '^PasswordAuthentication\s.*$' +echo "$stdin" | grep --quiet '^#PasswordAuthentication[[:space:]]*' +! echo "$stdin" | grep --quiet '^PasswordAuthentication[[:space:]]+' echo "=== assert PermitEmptyPasswords ===" 1>&2 -echo "$stdin" | grep --quiet '^#PermitEmptyPasswords\s.*$' -! echo "$stdin" | grep --quiet '^PermitEmptyPasswords\s.*$' +echo "$stdin" | grep --quiet '^#PermitEmptyPasswords[[:space:]]*' +! echo "$stdin" | grep --quiet '^PermitEmptyPasswords[[:space:]]+' echo "=== assert X11Forwarding ===" 1>&2 -echo "$stdin" | grep --quiet '^#X11Forwarding\s.*$' -! echo "$stdin" | grep --quiet '^X11Forwarding\s.*$' +echo "$stdin" | grep --quiet '^#X11Forwarding[[:space:]]*' +! echo "$stdin" | grep --quiet '^X11Forwarding[[:space:]]+' echo "=== sed ===" 1>&2 echo "$stdin" | sed '
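Review bot: The `+` in `'^UsePAM[[:space:]]+yes$'` is an ordinary character in grep's default basic regex, so the rewritten UsePAM assertion can no longer match a real `UsePAM yes` line, and the five `[[:space:]]+` negative patterns below it match nothing at all. Either add `-E` (`echo "$stdin" | grep --quiet -E '^UsePAM[[:space:]]+yes$'`) or stay in basic syntax with `[[:space:]][[:space:]]*`. The `'^PubkeyAuthentication\[[:space:]]+'` pattern additionally has a stray backslash before `[`, which turns the bracket expression into literal characters. Note too that a pipeline prefixed with `!` is exempt from `set -e`, so if this script relies on errexit (its header is outside the hunk) the negative checks never abort it even when they match; `if echo "$stdin" | grep --quiet -E '^PermitRootLogin[[:space:]]+'; then exit 1; fi` does.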