configure-nilrt-snac: configure faillock

Signed-off-by: Alex Hearn <[email protected]>
ni · Sep 5, 2024 · fddd735 · fddd735
1 parent d09a5b9
commit fddd735
Showing 1 changed file with 28 additions and 4 deletions.
diff --git a/src/configure-nilrt-snac b/src/configure-nilrt-snac
@@ -7,6 +7,8 @@ PREFIX_ROOT="$(realpath ${SCRIPT_ROOT}/../../)"
 source "${SCRIPT_ROOT}/util.sh"
 
 ## CONSTANTS
+FAILLOCK_CONF=/etc/security/faillock.conf
+PAM_CONF=/etc/pam.d/common-auth
 OPKG_CONF=/etc/opkg/snac.conf
 WIREGUARD_TOOLS_DEB='http://ftp.us.debian.org/debian/pool/main/w/wireguard/wireguard-tools_1.0.20210914-1+b1_amd64.deb'
 USBGUARD_SRC_URL="https://github.com/USBGuard/usbguard/releases/download/usbguard-1.1.2/usbguard-1.1.2.tar.gz"
@@ -27,14 +29,14 @@ check_euid_root() {
 # NOTE: The ip_tables kernel module is only loaded once the first call to iptables has been made, (inlcuding rule creation).
 check_iptables() {
 	log INFO Checking iptables configuration...
-	
+
 	log DEBUG Installing iptables...
 	opkg install iptables
 
 	# This call also ensures that the module gets loaded
 	log DEBUG Checking iptables user tools...
 	if ! iptables -L; then
-		echo ERROR iptables binary 
+		echo ERROR iptables binary
 		exit $EX_CHECK_FAILURE
 	fi >/dev/null
 
@@ -82,7 +84,7 @@ configure_opkg() {
 
 	echo "# NILRT SNAC configuration opkg runparts. Do not hand-edit." >"${OPKG_CONF}"
 	echo "option autoremove 1" >>"${OPKG_CONF}"
-	
+
 	log DEBUG Removing unsupported package feeds...
 	rm -fv /etc/opkg/NI-dist.conf
 	# TODO Uncomment this once we have moved all necessary packages into the core feeds.
@@ -158,7 +160,7 @@ install_cryptsetup() {
 # Rips niauth out of the system.
 remove_niauth() {
 	log INFO Removing NIAuth...
-	
+
 	# Manually remove the 'Essential' mark on NI-Auth and its siblings, so that they can be removed.
 	#trap "opkg update >/dev/null" EXIT
 
@@ -201,6 +203,26 @@ EOF
 	set -e
 }
 
+# Install and configure pam-plugin-faillock.
+# Any non-root account will get locked after 3 failed authentications within 15 minutes.
+configure_faillock() {
+	log INFO Configuring faillock...
+
+	log DEBUG Installing pam-plugin-faillock...
+	opkg install pam-plugin-faillock
+
+	log DEBUG Configuring faillock settings...
+	sed -i 's/^# audit$/audit/' "${FAILLOCK_CONF}"
+	sed -i 's/^# silent$/silent/' "${FAILLOCK_CONF}"
+	sed -i 's/^# deny = 3$/deny = 3/' "${FAILLOCK_CONF}"
+	sed -i 's/^# fail_interval = 900$/fail_interval = 900/' "${FAILLOCK_CONF}"
+	sed -i 's/^# unlock_time = 600$/unlock_time = 0/' "${FAILLOCK_CONF}"
+
+	log DEBUG Enabling faillock...
+	sed -E -i 's/^(.+)success=1(.+)$/auth    requisite pam_faillock.so preauth\n\1success=2\2\nauth    [default=die] pam_faillock.so authfail/' "${PAM_CONF}"
+	echo "auth    sufficient pam_faillock.so authsucc" >>"${PAM_CONF}"
+}
+
 
 ## MAIN
 # runtime environment safety checks
@@ -241,5 +263,7 @@ enable_pwquality
 
 disable_wifi
 
+configure_faillock
+
 syslog notice SNAC configuration completed.
 exit 0