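#!/bin/bash
#
# kate: tab-indents off; tab-width 4; indent-width 4;
#
# This file implements the following CIS controls
# --------------------------------------------------------------------
#  5.3.1       Ensure password creation requirements are configured
#  5.3.2       Ensure lockout for failed password attempts is configured
#  5.3.3       Ensure password reuse is limited
#  5.4.1.1     Ensure password expiration is 365 days or less
#  5.4.1.2     Ensure minimum days between password changes is 7 or more
#  5.4.1.4     Ensure inactive password lock is 30 days or less
#  5.6         Ensure access to the su command is restricted
#----------------------------------------------------------------------
#
# Every change is applied through a single augtool session so that each
# target file is parsed with its proper Augeas lens and rewritten in
# place.  --backup keeps a copy of every file augtool rewrites, so the
# previous state can be inspected or restored.  The stanzas below remove
# any existing line they are about to add before inserting it, which
# makes the script safe to re-run.
#
# Requirements: run as root; augtool must be installed.  The script
# exits non-zero when either check fails or when augtool reports an
# error (its stdout is discarded, so the exit status is the signal we
# rely on; augtool's own diagnostics should still reach stderr).

set -euo pipefail

#######################################
# Print a diagnostic to stderr and abort the script.
# Arguments: message text (joined with spaces)
# Outputs:   the message on stderr
# Returns:   never; exits with status 1
#######################################
die() {
    printf 'error: %s\n' "$*" >&2
    exit 1
}

# Preflight: writing under /etc and saving via augtool needs root, and a
# missing augtool would otherwise surface only as a confusing shell error.
(( EUID == 0 )) || die "this script must be run as root"
command -v augtool >/dev/null 2>&1 || die "augtool is not installed or not in PATH"

# The heredoc delimiter is quoted on purpose: '$pam_file' below is an
# augtool 'defvar', not a shell variable, and must reach augtool verbatim.
augtool --autosave --backup --noautoload >/dev/null <<'EOD' \
    || die "augtool reported a failure while applying the CIS settings; inspect the *.augsave backups before retrying"
    transform Simplevars.lns incl /etc/security/pwquality.conf
    transform Login_defs.lns incl /etc/login.defs
    transform Shellvars.lns  incl /etc/default/useradd
    transform Pam.lns        incl /etc/pam.d/*
    load

    ######################################################################
    # Ensure password creation requirements are configured (5.3.1)
    ######################################################################
    # A negative credit value is a minimum count of that character class.
    set /files/etc/security/pwquality.conf/minlen 14
    set /files/etc/security/pwquality.conf/dcredit -1
    set /files/etc/security/pwquality.conf/ucredit -1
    set /files/etc/security/pwquality.conf/ocredit -1
    set /files/etc/security/pwquality.conf/lcredit -1

    ######################################################################
    # Ensure lockout for failed password attempts is configured (5.3.2)
    ######################################################################
    # Any existing faillock auth lines are removed first so re-running the
    # script never duplicates the stanza.  Ordering matters: 01 (preauth)
    # runs before pam_unix; pam_unix's control is changed so that on
    # success it skips the next line (02, authfail) and lands on 03
    # (authsucc), while any other result is recorded as a failure.
    defvar pam_file /files/etc/pam.d/system-auth
    rm $pam_file/*[type="auth"][module="pam_faillock.so"]
    ins 01 before $pam_file/*[type="auth"][module="pam_unix.so"]
    set $pam_file/01/type    auth
    set $pam_file/01/control required
    set $pam_file/01/module  pam_faillock.so
    set $pam_file/01/argument[1] preauth
    set $pam_file/01/argument[2] audit
    set $pam_file/01/argument[3] silent
    set $pam_file/01/argument[4] deny=5
    set $pam_file/01/argument[5] unlock_time=900

    set $pam_file/*[type="auth"][module="pam_unix.so"]/control '[success=1 default=bad]'

    ins 02 after $pam_file/*[type="auth"][module="pam_unix.so"]
    set $pam_file/02/type    auth
    set $pam_file/02/control '[default=die]'
    set $pam_file/02/module  pam_faillock.so
    set $pam_file/02/argument[1] authfail
    set $pam_file/02/argument[2] audit
    set $pam_file/02/argument[3] deny=5
    set $pam_file/02/argument[4] unlock_time=900

    ins 03 after $pam_file/02
    set $pam_file/03/type    auth
    set $pam_file/03/control 'sufficient'
    set $pam_file/03/module  pam_faillock.so
    set $pam_file/03/argument[1] authsucc
    set $pam_file/03/argument[2] audit
    set $pam_file/03/argument[3] deny=5
    set $pam_file/03/argument[4] unlock_time=900

    # Now repeat it for password-auth (same stanza, second PAM stack)
    defvar pam_file /files/etc/pam.d/password-auth
    rm $pam_file/*[type="auth"][module="pam_faillock.so"]
    ins 01 before $pam_file/*[type="auth"][module="pam_unix.so"]
    set $pam_file/01/type    auth
    set $pam_file/01/control required
    set $pam_file/01/module  pam_faillock.so
    set $pam_file/01/argument[1] preauth
    set $pam_file/01/argument[2] audit
    set $pam_file/01/argument[3] silent
    set $pam_file/01/argument[4] deny=5
    set $pam_file/01/argument[5] unlock_time=900

    set $pam_file/*[type="auth"][module="pam_unix.so"]/control '[success=1 default=bad]'

    ins 02 after $pam_file/*[type="auth"][module="pam_unix.so"]
    set $pam_file/02/type    auth
    set $pam_file/02/control '[default=die]'
    set $pam_file/02/module  pam_faillock.so
    set $pam_file/02/argument[1] authfail
    set $pam_file/02/argument[2] audit
    set $pam_file/02/argument[3] deny=5
    set $pam_file/02/argument[4] unlock_time=900

    ins 03 after $pam_file/02
    set $pam_file/03/type    auth
    set $pam_file/03/control 'sufficient'
    set $pam_file/03/module  pam_faillock.so
    set $pam_file/03/argument[1] authsucc
    set $pam_file/03/argument[2] audit
    set $pam_file/03/argument[3] deny=5
    set $pam_file/03/argument[4] unlock_time=900

    ######################################################################
    # Ensure password reuse is limited (5.3.3)
    ######################################################################
    # pam_pwhistory is placed directly after the pam_pwquality line so the
    # quality check still runs first; the old line is removed beforehand.
    defvar pam_file /files/etc/pam.d/system-auth
    rm $pam_file/*[type='password'][control='required'][module='pam_pwhistory.so']
    ins 04 after $pam_file/*[type='password'][control='requisite'][module='pam_pwquality.so']
    set $pam_file/04/type password
    set $pam_file/04/control required
    set $pam_file/04/module pam_pwhistory.so
    set $pam_file/04/argument[1] remember=5

    # now repeat it for password-auth
    defvar pam_file /files/etc/pam.d/password-auth
    rm $pam_file/*[type='password'][control='required'][module='pam_pwhistory.so']
    ins 04 after $pam_file/*[type='password'][control='requisite'][module='pam_pwquality.so']
    set $pam_file/04/type password
    set $pam_file/04/control required
    set $pam_file/04/module pam_pwhistory.so
    set $pam_file/04/argument[1] remember=5


    ######################################################################
    # Ensure password expiration is 365 days or less (5.4.1.1)
    ######################################################################
    # login.defs values only apply to accounts created afterwards;
    # existing accounts need chage(1) as well.
    set /files/etc/login.defs/PASS_MAX_DAYS 365

    ######################################################################
    # Ensure minimum days between password changes is 7 or more (5.4.1.2)
    ######################################################################
    set /files/etc/login.defs/PASS_MIN_DAYS 7

    ######################################################################
    # Ensure inactive password lock is 30 days or less (5.4.1.4)
    ######################################################################
    # This is the useradd default (useradd -D), i.e. for new accounts.
    set /files/etc/default/useradd/INACTIVE 30

    ######################################################################
    # Ensure access to the su command is restricted (5.6)
    ######################################################################
    # Drop the commented-out template line and any active pam_wheel line
    # already sitting ahead of the system-auth substack, then insert a
    # single active one so the stanza stays idempotent.
    rm /files/etc/pam.d/su/#comment[ . =~ regexp('auth[ \t]+required[ \t]+pam_wheel.so[ \t]+use_uid')]
    rm /files/etc/pam.d/su/*[following-sibling::*[type='auth'][control='substack'][module='system-auth']][type='auth'][control='required'][module='pam_wheel.so']
    ins 01 before /files/etc/pam.d/su/*[type='auth'][control='substack'][module='system-auth']
    set /files/etc/pam.d/su/01/type auth
    set /files/etc/pam.d/su/01/control required
    set /files/etc/pam.d/su/01/module pam_wheel.so
    set /files/etc/pam.d/su/01/argument[1] use_uid

EOD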

