update de-p1st-pam

Daniel Langbein 2022-04-15 17:36:53 +02:00
parent 64154fb649
commit 4387a23410
3 changed files with 58 additions and 13 deletions


@ -2,7 +2,7 @@
_pkgname=pam _pkgname=pam
_reponame=arch _reponame=arch
pkgname="de-p1st-$_pkgname" pkgname="de-p1st-$_pkgname"
pkgver=0.0.3 pkgver=0.0.4
pkgrel=1 pkgrel=1
pkgdesc="PAM configuration" pkgdesc="PAM configuration"
arch=('any') arch=('any')
@ -19,4 +19,5 @@ package() {
cd "${_reponame}/pkg/${pkgname}" cd "${_reponame}/pkg/${pkgname}"
install -Dm0544 system-login.holoscript "$pkgdir"/usr/share/holo/files/20-"$pkgname"/etc/pam.d/system-login.holoscript install -Dm0544 system-login.holoscript "$pkgdir"/usr/share/holo/files/20-"$pkgname"/etc/pam.d/system-login.holoscript
install -Dm0544 faillock.conf.holoscript "$pkgdir"/usr/share/holo/files/20-"$pkgname"/etc/security/faillock.conf.holoscript
} }


@ -0,0 +1,44 @@
#!/bin/sh
# stdin: default config
# stdout: modified config
set -e
# save stdin in variable
stdin="$(cat)"
# write stdin
echo "$stdin"
# - https://wiki.archlinux.org/title/Security#Lock_out_user_after_three_failed_login_attempts
# Make locks persistent over reboot.
#
# Assert
echo "$stdin" | grep --quiet '^# dir = /var/run/faillock$'
! echo "$stdin" | grep --quiet '^dir[[:space:]]*='
# Insert
echo 'dir = /var/lib/faillock'
# Lock account after 5 failed entries.
#
# Assert
echo "$stdin" | grep --quiet '^# deny = 3$'
! echo "$stdin" | grep --quiet '^deny[[:space:]]*='
# Insert
echo 'deny = 5'
# Also lock root
#
# Assert
echo "$stdin" | grep --quiet '^# even_deny_root$'
! echo "$stdin" | grep --quiet '^even_deny_root[[:space:]]*'
# Insert
echo 'even_deny_root'
# Different unlock time for root: 60s
#
# Assert
echo "$stdin" | grep --quiet '^root_unlock_time = 900$'
! echo "$stdin" | grep --quiet '^root_unlock_time[[:space:]]*='
# Insert
echo 'root_unlock_time = 60'
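Review bot: The `root_unlock_time` assertion greps for the uncommented form `^root_unlock_time = 900$` while the very next line asserts that no `^root_unlock_time[[:space:]]*=` line exists; the two checks are mutually exclusive, and unlike the other three settings the pattern lacks the `# ` prefix, so it should presumably read `echo "$stdin" | grep --quiet '^# root_unlock_time = 900$'`. The contradiction goes unnoticed because POSIX `set -e` is ignored for a pipeline that begins with `!`, so none of the four `! echo "$stdin" | grep --quiet …` checks can abort the script, and a config that already sets `dir`, `deny`, `even_deny_root` or `root_unlock_time` would silently get a second, conflicting entry appended. The same `!` pattern is used in the sshd_config holoscript of this commit (its section runs past what is shown here), where the new `[[:space:]]+` patterns also need `grep -E` (or `\+`), since `+` is a literal character in grep's default BRE syntax, and one of them carries a stray `\[`. The helper below makes the negative checks fail loudly; it prints the buffer with `printf '%s\n'` because `echo` under `/bin/sh` may interpret backslash escapes in the config text.
```shell
# … unchanged: shebang, set -e, stdin capture, initial echo of the config …

# A negated pipeline is exempt from `set -e`, so check explicitly and exit.
assert_absent() {
  if printf '%s\n' "$stdin" | grep --quiet -- "$1"; then
    printf 'assertion failed: unexpected line matching %s\n' "$1" >&2
    exit 1
  fi
}

# … per-setting blocks for dir, deny and even_deny_root: replace each
#     `! echo "$stdin" | grep --quiet PATTERN` with `assert_absent PATTERN` …

# Different unlock time for root: 60s
#
# Assert
echo "$stdin" | grep --quiet '^# root_unlock_time = 900$'
assert_absent '^root_unlock_time[[:space:]]*='
# Insert
echo 'root_unlock_time = 60'
```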


@ -8,23 +8,23 @@ stdin="$(cat)"
# assertions # assertions
echo "=== assert UsePAM ===" 1>&2 echo "=== assert UsePAM ===" 1>&2
echo "$stdin" | grep --quiet '^UsePAM yes$' echo "$stdin" | grep --quiet '^UsePAM[[:space:]]+yes$'
# #
echo "=== assert PermitRootLogin ===" 1>&2 echo "=== assert PermitRootLogin ===" 1>&2
echo "$stdin" | grep --quiet '^#PermitRootLogin\s.*$' echo "$stdin" | grep --quiet '^#PermitRootLogin[[:space:]]*'
! echo "$stdin" | grep --quiet '^PermitRootLogin\s.*$' ! echo "$stdin" | grep --quiet '^PermitRootLogin[[:space:]]+'
echo "=== assert PubkeyAuthentication ===" 1>&2 echo "=== assert PubkeyAuthentication ===" 1>&2
echo "$stdin" | grep --quiet '^#PubkeyAuthentication\s.*$' echo "$stdin" | grep --quiet '^#PubkeyAuthentication[[:space:]]*'
! echo "$stdin" | grep --quiet '^PubkeyAuthentication\s.*$' ! echo "$stdin" | grep --quiet '^PubkeyAuthentication\[[:space:]]+'
echo "=== assert PasswordAuthentication ===" 1>&2 echo "=== assert PasswordAuthentication ===" 1>&2
echo "$stdin" | grep --quiet '^#PasswordAuthentication\s.*$' echo "$stdin" | grep --quiet '^#PasswordAuthentication[[:space:]]*'
! echo "$stdin" | grep --quiet '^PasswordAuthentication\s.*$' ! echo "$stdin" | grep --quiet '^PasswordAuthentication[[:space:]]+'
echo "=== assert PermitEmptyPasswords ===" 1>&2 echo "=== assert PermitEmptyPasswords ===" 1>&2
echo "$stdin" | grep --quiet '^#PermitEmptyPasswords\s.*$' echo "$stdin" | grep --quiet '^#PermitEmptyPasswords[[:space:]]*'
! echo "$stdin" | grep --quiet '^PermitEmptyPasswords\s.*$' ! echo "$stdin" | grep --quiet '^PermitEmptyPasswords[[:space:]]+'
echo "=== assert X11Forwarding ===" 1>&2 echo "=== assert X11Forwarding ===" 1>&2
echo "$stdin" | grep --quiet '^#X11Forwarding\s.*$' echo "$stdin" | grep --quiet '^#X11Forwarding[[:space:]]*'
! echo "$stdin" | grep --quiet '^X11Forwarding\s.*$' ! echo "$stdin" | grep --quiet '^X11Forwarding[[:space:]]+'
echo "=== sed ===" 1>&2 echo "=== sed ===" 1>&2
echo "$stdin" | sed ' echo "$stdin" | sed '