From 57cbf7528758d92ca617229aee4c31882f171855 Mon Sep 17 00:00:00 2001
From: YuQing
Date: Wed, 21 Dec 2022 15:08:45 +0800
Subject: [PATCH] Fix bug with Rule 1.28 and 1.45.

Signed-off-by: YuQing
---
 ...out-for-failed-password-attempts-is-configured.md | 10 ++--------
 ...out-for-failed-password-attempts-is-configured.md | 10 ++--------
 ...out-for-failed-password-attempts-is-configured.sh | 10 ++--------
 ...out-for-failed-password-attempts-is-configured.sh | 12 ++----------
 4 files changed, 8 insertions(+), 34 deletions(-)

diff --git a/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md b/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md
index 7ee0708..64874fa 100644
--- a/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md
+++ b/benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md
@@ -22,17 +22,11 @@
 1. 运行以下两个脚本,更新`system-auth`及`password-auth`文件,添加`deny=5`和`unlock_time=900`参数。:
 
 ```bash
-cat >> /etc/pam.d/password-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
+# sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/password-auth
 ```
 
 ```bash
-cat >> /etc/pam.d/system-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
+# sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/system-auth
 ```
 
 ## 扫描检测
diff --git a/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md b/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md
index 286277a..cf69ac0 100644
--- a/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md
+++ b/benchmarks/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.md
@@ -22,17 +22,11 @@
 1. 运行以下两个脚本,更新`system-auth`及`password-auth`文件,添加`deny=5`和`unlock_time=900`参数。:
 
 ```bash
-cat >> /etc/pam.d/password-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
+# sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/password-auth
 ```
 
 ```bash
-cat >> /etc/pam.d/system-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
+# sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/system-auth
 ```
 
 ## 扫描检测
diff --git a/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh b/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh
index 227dee7..23dc0ba 100644
--- a/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh
+++ b/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh
@@ -1,9 +1,3 @@
-cat >> /etc/pam.d/password-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
+grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth || sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/password-auth
 
-cat >> /etc/pam.d/system-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
\ No newline at end of file
+grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/system-auth || sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/system-auth
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh
index d162024..23dc0ba 100644
--- a/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh
+++ b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh
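Review bot: The new `sed -ri "/^auth.*pam_env.so$/i ..."` on both added lines is a silent no-op when no line in the target file matches the anchor: sed exits 0 with the file untouched, so the kit reports success while the lockout stays unconfigured; the 1.45 remediation kit hunk has the same gap. The heredoc it replaces at least always wrote the lines, so this commit trades an ordering bug for a silent-failure one. I would check that the anchor exists before editing and re-run the detection grep afterwards, exiting non-zero when either fails, so a host where the edit did not land is surfaced rather than counted as remediated.
```shell
for pam_file in /etc/pam.d/password-auth /etc/pam.d/system-auth; do
  grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' "$pam_file" && continue
  # sed's /i inserts nothing when the anchor line is absent; fail instead of reporting success
  grep -Eq '^auth.*pam_env.so$' "$pam_file" || { printf 'no pam_env.so anchor line in %s\n' "$pam_file" >&2; exit 1; }
  sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" "$pam_file"
  # confirm the edit landed before this kit returns success
  grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' "$pam_file" || { printf 'failed to configure pam_faillock in %s\n' "$pam_file" >&2; exit 1; }
done
```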
@@ -1,11 +1,3 @@
-grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth ||
-cat >> /etc/pam.d/password-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
+grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/password-auth || sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/password-auth
 
-grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/system-auth ||
-cat >> /etc/pam.d/system-auth << EOF
-auth required pam_faillock.so preauth silent deny=5 unlock_time=900
-auth required pam_faillock.so authfail deny=5 unlock_time=900
-EOF
\ No newline at end of file
+grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+' /etc/pam.d/system-auth || sed -ri "/^auth.*pam_env.so$/i auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_faillock.so authfail deny=5 unlock_time=900" /etc/pam.d/system-auth
\ No newline at end of file
-- Gitee
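Review bot: The idempotence guard `grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+(preauth|authfail)\s+'` that the new lines keep only tests that some pam_faillock preauth/authfail entry exists, not that it carries the `deny=5` and `unlock_time=900` values the rule asks for, so a host with a weaker pre-existing setting is skipped and left as-is while the `||` short-circuit makes the kit exit 0; the 1.28 kit hunk uses the same guard. The sed anchor `^auth.*pam_env.so$` is also brittle, since any trailing whitespace or module argument after `pam_env.so` prevents the match and the insertion. A tighter guard would be something like `grep -Eq '^\s*auth\s+required\s+pam_faillock.so\s+preauth\s+.*\bdeny=5\b.*\bunlock_time=900\b'` (and the authfail counterpart), with the `$` dropped from the anchor so `pam_env.so` lines with arguments are still found. Separately, pam_faillock is normally paired with an `account required pam_faillock.so` entry so the failure counter is reset after a successful login; I cannot see the rule's expected configuration from here, so worth confirming it covers that.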