arch/pkg/de-p1st-pam/faillock.conf.holoscript
2022-04-15 17:54:32 +02:00


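#!/bin/sh
# Holoscript that hardens the pam_faillock configuration (faillock.conf).
# stdin:  default config
# stdout: default config followed by the overrides appended below
# stderr: progress markers and assertion failures
#
# Each override is guarded by two assertions against the default config:
#   1. the expected commented-out default is still present, so a changed
#      upstream default is noticed instead of being overridden blindly;
#   2. the option is not already active, so no duplicate key is appended.
# A failed assertion aborts the script with a non-zero exit status.
set -e

# Abort unless the saved input contains a line matching the regex in $1.
assert_present() {
  if ! printf '%s\n' "$stdin" | grep --quiet -- "$1"; then
    printf 'assertion failed: no line matches %s\n' "$1" 1>&2
    exit 1
  fi
}

# Abort if the saved input contains a line matching the regex in $1.
# An explicit if/exit is needed: `set -e` ignores the status of a pipeline
# negated with `!`, so a bare `! ... | grep` can never stop the script and
# an already-active option would go unnoticed.
assert_absent() {
  if printf '%s\n' "$stdin" | grep --quiet -- "$1"; then
    printf 'assertion failed: unexpected line matches %s\n' "$1" 1>&2
    exit 1
  fi
}

# save stdin in variable
stdin="$(cat)"

# write stdin (printf, because some /bin/sh `echo` builtins interpret
# backslash escapes and would alter the config text)
printf '%s\n' "$stdin"

# - https://wiki.archlinux.org/title/Security#Lock_out_user_after_three_failed_login_attempts

# Make locks persistent over reboot.
# The default tally directory is under /var/run; /var/lib is used instead
# so that a reboot does not reset the failure counters.
echo "=== assert dir ===" 1>&2
assert_present '^# dir = /var/run/faillock$'
assert_absent '^dir[[:space:]]*='
echo 'dir = /var/lib/faillock'

# Lock account after 5 failed entries (the commented default is 3).
echo "=== assert deny ===" 1>&2
assert_present '^# deny = 3$'
assert_absent '^deny[[:space:]]*='
echo 'deny = 5'

# Also lock root.
# NOTE(review): with this set, failed attempts by anyone can lock root out;
# the short root_unlock_time below bounds how long that lasts.
echo "=== assert even_deny_root ===" 1>&2
assert_present '^# even_deny_root$'
assert_absent '^even_deny_root[[:space:]]*'
echo 'even_deny_root'

# Different unlock time for root: 60s (the commented default is 900).
echo "=== assert root_unlock_time ===" 1>&2
assert_present '^# root_unlock_time = 900$'
assert_absent '^root_unlock_time[[:space:]]*='
echo 'root_unlock_time = 60'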