Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 634
  • Last Modified:

Linux expired password script

Hello Folks,

I have a script that runs in bash and just to trying to put a simple if statement.

Trying to put an if statement that will check uid range from 1000 and up  in /etc/shadow
and ignore uid range of 0 - 999 and if the 5th field in /etc/shadow is 0 or not 60 change it to 60.

passwords must expire after 60 days. The DISA Stig is below.
 

my challenge below is:

Discussion:
Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password.



Responsibility:
System Administrator

Check Content:
Check the max days field (the 5th field) of /etc/shadow.
# more /etc/shadow
If the max days field is equal to 0 or greater than 60 for any user, this is a finding.

Fix Text:
Set the max days field to 60 for all user accounts.
# passwd -x 60 <user>
0
atom_jelly
Asked:
atom_jelly
  • 3
  • 2
1 Solution
 
joolsCommented:
Its worded like a homework question.

What have you got so far?

You should be able to get the field you want using awk -F then check the values using the if statement, something like -z to check for null values and then the normal numeric checks for the range you want.
0
 
jlevieCommented:
To comply you need to do this for every user that has a password, regardless of UID. I'd use perl, like is attached. Also you'll want to set defaults in /etc/login.defs
pw-exp.txt
0
 
atom_jellyAuthor Commented:
Thanks JLevie,


I am very grateful for the script. I am still learning perl and I can understand it but I was wondering if you can help me with my request with this script.

for i in `awk -F: '$3 > 1000 { print $1 }' /home/amagana/_passwd`

do

 grep $i /home/amagana/_passwd | sed -i -e  "s/\:99999/\:60/g" /home/amagana/_shadow


done


my goal is to only change those the I have for $i but the sed is doing the replacement to 60 days for every one.

Thanks for any help.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
atom_jellyAuthor Commented:
I believe I fixed my script,

I just removed the grep and discovered that I can place a variable in my sed statement.

Like this:

for i in `awk -F: '$3 > 1000 { print $1 }' /etc/passwd`

do  

    sed -i -e  "/$i/ s/\:99999/\:60/g" /etc/shadow
   
done
0
 
jlevieCommented:
That works. If you are doing this to satisfy the DISA requirement, all accounts with passwords must be set to expire.
0
 
atom_jellyAuthor Commented:
This site gives me a feeling of accomplishment and my confidence is way when I come to this community.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now