From 0213394cf7f59b1c5960b23f7373cd416c0becda Mon Sep 17 00:00:00 2001 From: Christian Cleberg Date: Tue, 6 May 2025 19:13:30 -0500 Subject: rename os dir --- operating-systems/linux/README.org | 447 ------------------------------ operating-systems/linux/passwords.sh | 70 ----- operating-systems/linux/ssh_root_login.sh | 3 - os/linux/README.org | 447 ++++++++++++++++++++++++++++++ os/linux/passwords.sh | 70 +++++ os/linux/ssh_root_login.sh | 3 + 6 files changed, 520 insertions(+), 520 deletions(-) delete mode 100644 operating-systems/linux/README.org delete mode 100644 operating-systems/linux/passwords.sh delete mode 100644 operating-systems/linux/ssh_root_login.sh create mode 100644 os/linux/README.org create mode 100644 os/linux/passwords.sh create mode 100644 os/linux/ssh_root_login.sh diff --git a/operating-systems/linux/README.org b/operating-systems/linux/README.org deleted file mode 100644 index ecbbcc1..0000000 --- a/operating-systems/linux/README.org +++ /dev/null @@ -1,447 +0,0 @@ -#+title: Linux - -* =ssh_root_login.sh= - -#+begin_src shell -./ssh_root_login.sh -#+end_src - -#+begin_src -PermitRootLogin no -#+end_src - -* =passwords.sh= - -#+begin_src shell -./passwords.sh -#+end_src - -#+begin_src -Starting analysis of authentication and login parameters... -Checking /etc/pam.d/system-auth for password parameters... -/etc/pam.d/system-auth file not found. -Analyzing /etc/login.defs... -Contents of /etc/login.defs: -# -# /etc/login.defs - Configuration control definitions for the login package. -# -# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. -# If unspecified, some arbitrary (and possibly incorrect) value will -# be assumed. All other items are optional - if not specified then -# the described action or option will be inhibited. -# -# Comment lines (lines beginning with "#") and blank lines are ignored. -# -# Modified for Linux. --marekm - -# REQUIRED for useradd/userdel/usermod -# Directory where mailboxes reside, _or_ name of file, relative to the -# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, -# MAIL_DIR takes precedence. -# -# Essentially: -# - MAIL_DIR defines the location of users mail spool files -# (for mbox use) by appending the username to MAIL_DIR as defined -# below. -# - MAIL_FILE defines the location of the users mail spool files as the -# fully-qualified filename obtained by prepending the user home -# directory before $MAIL_FILE -# -# NOTE: This is no more used for setting up users MAIL environment variable -# which is, starting from shadow 4.0.12-1 in Debian, entirely the -# job of the pam_mail PAM modules -# See default PAM configuration files provided for -# login, su, etc. -# -# This is a temporary situation: setting these variables will soon -# move to /etc/default/useradd and the variables will then be -# no more supported -MAIL_DIR /var/mail -#MAIL_FILE .mail - -# -# Enable logging and display of /var/log/faillog login failure info. -# This option conflicts with the pam_tally PAM module. -# -FAILLOG_ENAB yes - -# -# Enable display of unknown usernames when login failures are recorded. -# -# WARNING: Unknown usernames may become world readable. -# See #290803 and #298773 for details about how this could become a security -# concern -LOG_UNKFAIL_ENAB no - -# -# Enable logging of successful logins -# -LOG_OK_LOGINS no - -# -# Enable "syslog" logging of su activity - in addition to sulog file logging. -# SYSLOG_SG_ENAB does the same for newgrp and sg. -# -SYSLOG_SU_ENAB yes -SYSLOG_SG_ENAB yes - -# -# If defined, all su activity is logged to this file. -# -#SULOG_FILE /var/log/sulog - -# -# If defined, file which maps tty line to TERM environment parameter. -# Each line of the file is in a format something like "vt100 tty01". -# -#TTYTYPE_FILE /etc/ttytype - -# -# If defined, login failures will be logged here in a utmp format -# last, when invoked as lastb, will read /var/log/btmp, so... -# -FTMP_FILE /var/log/btmp - -# -# If defined, the command name to display when running "su -". For -# example, if this is defined as "su" then a "ps" will display the -# command is "-su". If not defined, then "ps" would display the -# name of the shell actually being run, e.g. something like "-sh". -# -SU_NAME su - -# -# If defined, file which inhibits all the usual chatter during the login -# sequence. If a full pathname, then hushed mode will be enabled if the -# user's name or shell are found in the file. If not a full pathname, then -# hushed mode will be enabled if the file exists in the user's home directory. -# -HUSHLOGIN_FILE .hushlogin -#HUSHLOGIN_FILE /etc/hushlogins - -# -# *REQUIRED* The default PATH settings, for superuser and normal users. -# -# (they are minimal, add the rest in the shell startup files) -ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games - -# -# Terminal permissions -# -# TTYGROUP Login tty will be assigned this group ownership. -# TTYPERM Login tty will be set to this permission. -# -# If you have a "write" program which is "setgid" to a special group -# which owns the terminals, define TTYGROUP to the group number and -# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign -# TTYPERM to either 622 or 600. -# -# In Debian /usr/bin/bsd-write or similar programs are setgid tty -# However, the default and recommended value for TTYPERM is still 0600 -# to not allow anyone to write to anyone else console or terminal - -# Users can still allow other people to write them by issuing -# the "mesg y" command. - -TTYGROUP tty -TTYPERM 0600 - -# -# Login configuration initializations: -# -# ERASECHAR Terminal ERASE character ('\010' = backspace). -# KILLCHAR Terminal KILL character ('\025' = CTRL/U). -# UMASK Default "umask" value. -# -# The ERASECHAR and KILLCHAR are used only on System V machines. -# -# UMASK is the default umask value for pam_umask and is used by -# useradd and newusers to set the mode of the new home directories. -# 022 is the "historical" value in Debian for UMASK -# 027, or even 077, could be considered better for privacy -# There is no One True Answer here : each sysadmin must make up his/her -# mind. -# -# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value -# for private user groups, i. e. the uid is the same as gid, and username is -# the same as the primary group name: for these, the user permissions will be -# used as group permissions, e. g. 022 will become 002. -# -# Prefix these values with "0" to get octal, "0x" to get hexadecimal. -# -ERASECHAR 0177 -KILLCHAR 025 -UMASK 022 - -# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new -# home directories. -# If HOME_MODE is not set, the value of UMASK is used to create the mode. -HOME_MODE 0750 - -# -# Password aging controls: -# -# PASS_MAX_DAYS Maximum number of days a password may be used. -# PASS_MIN_DAYS Minimum number of days allowed between password changes. -# PASS_WARN_AGE Number of days warning given before a password expires. -# -PASS_MAX_DAYS 99999 -PASS_MIN_DAYS 0 -PASS_WARN_AGE 7 - -# -# Min/max values for automatic uid selection in useradd -# -UID_MIN 1000 -UID_MAX 60000 -# System accounts -#SYS_UID_MIN 100 -#SYS_UID_MAX 999 -# Extra per user uids -SUB_UID_MIN 100000 -SUB_UID_MAX 600100000 -SUB_UID_COUNT 65536 - -# -# Min/max values for automatic gid selection in groupadd -# -GID_MIN 1000 -GID_MAX 60000 -# System accounts -#SYS_GID_MIN 100 -#SYS_GID_MAX 999 -# Extra per user group ids -SUB_GID_MIN 100000 -SUB_GID_MAX 600100000 -SUB_GID_COUNT 65536 - -# -# Max number of login retries if password is bad. This will most likely be -# overriden by PAM, since the default pam_unix module has it's own built -# in of 3 retries. However, this is a safe fallback in case you are using -# an authentication module that does not enforce PAM_MAXTRIES. -# -LOGIN_RETRIES 5 - -# -# Max time in seconds for login -# -LOGIN_TIMEOUT 60 - -# -# Which fields may be changed by regular users using chfn - use -# any combination of letters "frwh" (full name, room number, work -# phone, home phone). If not defined, no changes are allowed. -# For backward compatibility, "yes" = "rwh" and "no" = "frwh". -# -CHFN_RESTRICT rwh - -# -# Should login be allowed if we can't cd to the home directory? -# Default is no. -# -DEFAULT_HOME yes - -# -# If defined, this command is run when removing a user. -# It should remove any at/cron/print jobs etc. owned by -# the user to be removed (passed as the first argument). -# -#USERDEL_CMD /usr/sbin/userdel_local - -# -# Enable setting of the umask group bits to be the same as owner bits -# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is -# the same as gid, and username is the same as the primary group name. -# -# If set to yes, userdel will remove the user's group if it contains no -# more members, and useradd will create by default a group with the name -# of the user. -# -USERGROUPS_ENAB yes - -# -# Instead of the real user shell, the program specified by this parameter -# will be launched, although its visible name (argv[0]) will be the shell's. -# The program may do whatever it wants (logging, additional authentification, -# banner, ...) before running the actual shell. -# -# FAKE_SHELL /bin/fakeshell - -# -# If defined, either full pathname of a file containing device names or -# a ":" delimited list of device names. Root logins will be allowed only -# upon these devices. -# -# This variable is used by login and su. -# -#CONSOLE /etc/consoles -#CONSOLE console:tty01:tty02:tty03:tty04 - -# -# List of groups to add to the user's supplementary group set -# when logging in on the console (as determined by the CONSOLE -# setting). Default is none. -# -# Use with caution - it is possible for users to gain permanent -# access to these groups, even when not logged in on the console. -# How to do it is left as an exercise for the reader... -# -# This variable is used by login and su. -# -#CONSOLE_GROUPS floppy:audio:cdrom - -# -# If set to "yes", new passwords will be encrypted using the MD5-based -# algorithm compatible with the one used by recent releases of FreeBSD. -# It supports passwords of unlimited length and longer salt strings. -# Set to "no" if you need to copy encrypted passwords to other systems -# which don't understand the new algorithm. Default is "no". -# -# This variable is deprecated. You should use ENCRYPT_METHOD. -# -#MD5_CRYPT_ENAB no - -# -# If set to MD5, MD5-based algorithm will be used for encrypting password -# If set to SHA256, SHA256-based algorithm will be used for encrypting password -# If set to SHA512, SHA512-based algorithm will be used for encrypting password -# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password -# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password -# If set to DES, DES-based algorithm will be used for encrypting password (default) -# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. -# Overrides the MD5_CRYPT_ENAB option -# -# Note: It is recommended to use a value consistent with -# the PAM modules configuration. -# -ENCRYPT_METHOD SHA512 - -# -# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. -# -# Define the number of SHA rounds. -# With a lot of rounds, it is more difficult to brute-force the password. -# However, more CPU resources will be needed to authenticate users if -# this value is increased. -# -# If not specified, the libc will choose the default number of rounds (5000), -# which is orders of magnitude too low for modern hardware. -# The values must be within the 1000-999999999 range. -# If only one of the MIN or MAX values is set, then this value will be used. -# If MIN > MAX, the highest value will be used. -# -#SHA_CRYPT_MIN_ROUNDS 5000 -#SHA_CRYPT_MAX_ROUNDS 5000 - -# -# Only works if ENCRYPT_METHOD is set to YESCRYPT. -# -# Define the YESCRYPT cost factor. -# With a higher cost factor, it is more difficult to brute-force the password. -# However, more CPU time and more memory will be needed to authenticate users -# if this value is increased. -# -# If not specified, a cost factor of 5 will be used. -# The value must be within the 1-11 range. -# -#YESCRYPT_COST_FACTOR 5 - -# -# The pwck(8) utility emits a warning for any system account with a home -# directory that does not exist. Some system accounts intentionally do -# not have a home directory. Such accounts may have this string as -# their home directory in /etc/passwd to avoid a spurious warning. -# -NONEXISTENT /nonexistent - -# -# Allow newuidmap and newgidmap when running under an alternative -# primary group. -# -#GRANT_AUX_GROUP_SUBIDS yes - -# -# Select the HMAC cryptography algorithm. -# Used in pam_timestamp module to calculate the keyed-hash message -# authentication code. -# -# Note: It is recommended to check hmac(3) to see the possible algorithms -# that are available in your system. -# -#HMAC_CRYPTO_ALGO SHA512 - -################# OBSOLETED BY PAM ############## -# # -# These options are now handled by PAM. Please # -# edit the appropriate file in /etc/pam.d/ to # -# enable the equivelants of them. -# -############### - -#MOTD_FILE -#DIALUPS_CHECK_ENAB -#LASTLOG_ENAB -#MAIL_CHECK_ENAB -#OBSCURE_CHECKS_ENAB -#PORTTIME_CHECKS_ENAB -#SU_WHEEL_ONLY -#CRACKLIB_DICTPATH -#PASS_CHANGE_TRIES -#PASS_ALWAYS_WARN -#ENVIRON_FILE -#NOLOGINS_FILE -#ISSUE_FILE -#PASS_MIN_LEN -#PASS_MAX_LEN -#ULIMIT -#ENV_HZ -#CHFN_AUTH -#CHSH_AUTH -#FAIL_DELAY - -################# OBSOLETED ####################### -# # -# These options are no more handled by shadow. # -# # -# Shadow utilities will display a warning if they # -# still appear. # -# # -################################################### - -# CLOSE_SESSIONS -# LOGIN_STRING -# NO_PASSWORD_CONSOLE -# QMAIL_DIR - - - - -Login restrictions and parameters in /etc/login.defs: -# PASS_MAX_DAYS Maximum number of days a password may be used. -# PASS_MIN_DAYS Minimum number of days allowed between password changes. -# PASS_WARN_AGE Number of days warning given before a password expires. -PASS_MAX_DAYS 99999 -PASS_MIN_DAYS 0 -PASS_WARN_AGE 7 -UID_MIN 1000 -UID_MAX 60000 -#SYS_UID_MIN 100 -#SYS_UID_MAX 999 -SUB_UID_MIN 100000 -SUB_UID_MAX 600100000 -SUB_UID_COUNT 65536 -GID_MIN 1000 -GID_MAX 60000 -#SYS_GID_MIN 100 -#SYS_GID_MAX 999 -SUB_GID_MIN 100000 -SUB_GID_MAX 600100000 -SUB_GID_COUNT 65536 -LOGIN_RETRIES 5 -LOGIN_TIMEOUT 60 -#PASS_MIN_LEN - -Analysis complete. -#+end_src diff --git a/operating-systems/linux/passwords.sh b/operating-systems/linux/passwords.sh deleted file mode 100644 index 61d0f93..0000000 --- a/operating-systems/linux/passwords.sh +++ /dev/null @@ -1,70 +0,0 @@ -#!/bin/bash - -# Function to extract and format password complexity parameters from /etc/pam.d/system-auth -extract_password_params() { - echo "Checking /etc/pam.d/system-auth for password parameters..." - - if [ -f /etc/pam.d/system-auth ]; then - # Extract the line containing the password complexity parameters - param_line=$(grep -E 'difok=.* minlen=.* dcredit=.* ocredit=.* ucredit=.* lcredit=.* minclass=.* maxsequence=.*' /etc/pam.d/system-auth) - - if [ -n "$param_line" ]; then - echo "Password complexity parameters found:" - echo "$param_line" - echo "" - - # Extract individual parameters using regex - minlen=$(echo "$param_line" | grep -oP 'minlen=\K\d+') - lcredit=$(echo "$param_line" | grep -oP 'lcredit=\K\d+') - ucredit=$(echo "$param_line" | grep -oP 'ucredit=\K\d+') - dcredit=$(echo "$param_line" | grep -oP 'dcredit=\K\d+') - ocredit=$(echo "$param_line" | grep -oP 'ocredit=\K\d+') - minclass=$(echo "$param_line" | grep -oP 'minclass=\K\d+') - - # Note: These parameters might not be present in the same line, so we set default values if not found - remember=$(grep -oP 'remember=\K\d+' /etc/pam.d/system-auth || echo "N/A") - retry=$(grep -oP 'retry=\K\d+' /etc/pam.d/system-auth || echo "N/A") - unlock_time=$(grep -oP 'unlock_time=\K\d+' /etc/pam.d/system-auth || echo "N/A") - - # Format the extracted parameters into a table - echo "Formatted Password Complexity Parameters:" - echo "---------------------------------------------------" - echo -e "Minlen : $minlen characters" - echo -e "Lcredit : $lcredit lowercase" - echo -e "Ucredit : $ucredit uppercase" - echo -e "Dcredit : $dcredit numbers" - echo -e "Ocredit : $ocredit special" - echo -e "Remember : $remember password history" - echo -e "Minclass : $minclass character types" - echo -e "Retry : $retry incorrect passwords" - echo -e "Unlock_time: $unlock_time seconds until unlocked" - else - echo "No password complexity parameters found in /etc/pam.d/system-auth." - fi - else - echo "/etc/pam.d/system-auth file not found." - fi -} - -# Function to analyze /etc/login.defs -analyze_login_defs() { - echo "Analyzing /etc/login.defs..." - if [ -f /etc/login.defs ]; then - echo "Contents of /etc/login.defs:" - cat /etc/login.defs - echo "" - - # Analysis - echo "Login restrictions and parameters in /etc/login.defs:" - grep -E 'PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_MIN_LEN|PASS_WARN_AGE|UID_MIN|UID_MAX|GID_MIN|GID_MAX|LOGIN_RETRIES|LOGIN_TIMEOUT|UID|GID' /etc/login.defs - echo "" - else - echo "/etc/login.defs file not found." - fi -} - -# Main script execution -echo "Starting analysis of authentication and login parameters..." -extract_password_params -analyze_login_defs -echo "Analysis complete." \ No newline at end of file diff --git a/operating-systems/linux/ssh_root_login.sh b/operating-systems/linux/ssh_root_login.sh deleted file mode 100644 index fdcdcf8..0000000 --- a/operating-systems/linux/ssh_root_login.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -grep -E "PermitRootLogin" /etc/ssh/sshd_config diff --git a/os/linux/README.org b/os/linux/README.org new file mode 100644 index 0000000..ecbbcc1 --- /dev/null +++ b/os/linux/README.org @@ -0,0 +1,447 @@ +#+title: Linux + +* =ssh_root_login.sh= + +#+begin_src shell +./ssh_root_login.sh +#+end_src + +#+begin_src +PermitRootLogin no +#+end_src + +* =passwords.sh= + +#+begin_src shell +./passwords.sh +#+end_src + +#+begin_src +Starting analysis of authentication and login parameters... +Checking /etc/pam.d/system-auth for password parameters... +/etc/pam.d/system-auth file not found. +Analyzing /etc/login.defs... +Contents of /etc/login.defs: +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value +# for private user groups, i. e. the uid is the same as gid, and username is +# the same as the primary group name: for these, the user permissions will be +# used as group permissions, e. g. 022 will become 002. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +HOME_MODE 0750 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 +# Extra per user uids +SUB_UID_MIN 100000 +SUB_UID_MAX 600100000 +SUB_UID_COUNT 65536 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 +# Extra per user group ids +SUB_GID_MIN 100000 +SUB_GID_MAX 600100000 +SUB_GID_COUNT 65536 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# Enable setting of the umask group bits to be the same as owner bits +# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is +# the same as gid, and username is the same as the primary group name. +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5, MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password +# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +ENCRYPT_METHOD SHA512 + +# +# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute-force the password. +# However, more CPU resources will be needed to authenticate users if +# this value is increased. +# +# If not specified, the libc will choose the default number of rounds (5000), +# which is orders of magnitude too low for modern hardware. +# The values must be within the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +#SHA_CRYPT_MIN_ROUNDS 5000 +#SHA_CRYPT_MAX_ROUNDS 5000 + +# +# Only works if ENCRYPT_METHOD is set to YESCRYPT. +# +# Define the YESCRYPT cost factor. +# With a higher cost factor, it is more difficult to brute-force the password. +# However, more CPU time and more memory will be needed to authenticate users +# if this value is increased. +# +# If not specified, a cost factor of 5 will be used. +# The value must be within the 1-11 range. +# +#YESCRYPT_COST_FACTOR 5 + +# +# The pwck(8) utility emits a warning for any system account with a home +# directory that does not exist. Some system accounts intentionally do +# not have a home directory. Such accounts may have this string as +# their home directory in /etc/passwd to avoid a spurious warning. +# +NONEXISTENT /nonexistent + +# +# Allow newuidmap and newgidmap when running under an alternative +# primary group. +# +#GRANT_AUX_GROUP_SUBIDS yes + +# +# Select the HMAC cryptography algorithm. +# Used in pam_timestamp module to calculate the keyed-hash message +# authentication code. +# +# Note: It is recommended to check hmac(3) to see the possible algorithms +# that are available in your system. +# +#HMAC_CRYPTO_ALGO SHA512 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + + +Login restrictions and parameters in /etc/login.defs: +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 +UID_MIN 1000 +UID_MAX 60000 +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 +SUB_UID_MIN 100000 +SUB_UID_MAX 600100000 +SUB_UID_COUNT 65536 +GID_MIN 1000 +GID_MAX 60000 +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 +SUB_GID_MIN 100000 +SUB_GID_MAX 600100000 +SUB_GID_COUNT 65536 +LOGIN_RETRIES 5 +LOGIN_TIMEOUT 60 +#PASS_MIN_LEN + +Analysis complete. +#+end_src diff --git a/os/linux/passwords.sh b/os/linux/passwords.sh new file mode 100644 index 0000000..61d0f93 --- /dev/null +++ b/os/linux/passwords.sh @@ -0,0 +1,70 @@ +#!/bin/bash + +# Function to extract and format password complexity parameters from /etc/pam.d/system-auth +extract_password_params() { + echo "Checking /etc/pam.d/system-auth for password parameters..." + + if [ -f /etc/pam.d/system-auth ]; then + # Extract the line containing the password complexity parameters + param_line=$(grep -E 'difok=.* minlen=.* dcredit=.* ocredit=.* ucredit=.* lcredit=.* minclass=.* maxsequence=.*' /etc/pam.d/system-auth) + + if [ -n "$param_line" ]; then + echo "Password complexity parameters found:" + echo "$param_line" + echo "" + + # Extract individual parameters using regex + minlen=$(echo "$param_line" | grep -oP 'minlen=\K\d+') + lcredit=$(echo "$param_line" | grep -oP 'lcredit=\K\d+') + ucredit=$(echo "$param_line" | grep -oP 'ucredit=\K\d+') + dcredit=$(echo "$param_line" | grep -oP 'dcredit=\K\d+') + ocredit=$(echo "$param_line" | grep -oP 'ocredit=\K\d+') + minclass=$(echo "$param_line" | grep -oP 'minclass=\K\d+') + + # Note: These parameters might not be present in the same line, so we set default values if not found + remember=$(grep -oP 'remember=\K\d+' /etc/pam.d/system-auth || echo "N/A") + retry=$(grep -oP 'retry=\K\d+' /etc/pam.d/system-auth || echo "N/A") + unlock_time=$(grep -oP 'unlock_time=\K\d+' /etc/pam.d/system-auth || echo "N/A") + + # Format the extracted parameters into a table + echo "Formatted Password Complexity Parameters:" + echo "---------------------------------------------------" + echo -e "Minlen : $minlen characters" + echo -e "Lcredit : $lcredit lowercase" + echo -e "Ucredit : $ucredit uppercase" + echo -e "Dcredit : $dcredit numbers" + echo -e "Ocredit : $ocredit special" + echo -e "Remember : $remember password history" + echo -e "Minclass : $minclass character types" + echo -e "Retry : $retry incorrect passwords" + echo -e "Unlock_time: $unlock_time seconds until unlocked" + else + echo "No password complexity parameters found in /etc/pam.d/system-auth." + fi + else + echo "/etc/pam.d/system-auth file not found." + fi +} + +# Function to analyze /etc/login.defs +analyze_login_defs() { + echo "Analyzing /etc/login.defs..." + if [ -f /etc/login.defs ]; then + echo "Contents of /etc/login.defs:" + cat /etc/login.defs + echo "" + + # Analysis + echo "Login restrictions and parameters in /etc/login.defs:" + grep -E 'PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_MIN_LEN|PASS_WARN_AGE|UID_MIN|UID_MAX|GID_MIN|GID_MAX|LOGIN_RETRIES|LOGIN_TIMEOUT|UID|GID' /etc/login.defs + echo "" + else + echo "/etc/login.defs file not found." + fi +} + +# Main script execution +echo "Starting analysis of authentication and login parameters..." +extract_password_params +analyze_login_defs +echo "Analysis complete." \ No newline at end of file diff --git a/os/linux/ssh_root_login.sh b/os/linux/ssh_root_login.sh new file mode 100644 index 0000000..fdcdcf8 --- /dev/null +++ b/os/linux/ssh_root_login.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +grep -E "PermitRootLogin" /etc/ssh/sshd_config -- cgit v1.2.3-70-g09d2