Linux expired password script

Hello Folks,

I have a script that runs in bash and I am just trying to put a simple if statement in it.

I am trying to write an if statement that will check the UID range from 1000 and up in /etc/shadow
and ignore the UID range of 0 - 999, and if the 5th field in /etc/shadow is 0 or not 60, change it to 60.

Passwords must expire after 60 days. The DISA STIG is below.

My challenge is below:

Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password.

System Administrator

Check Content:
Check the max days field (the 5th field) of /etc/shadow.
# more /etc/shadow
If the max days field is equal to 0 or greater than 60 for any user, this is a finding.

Fix Text:
Set the max days field to 60 for all user accounts.
# passwd -x 60 <user>
jlevie Commented:
That works. If you are doing this to satisfy the DISA requirement, all accounts with passwords must be set to expire.
It's worded like a homework question.

What have you got so far?

You should be able to get the field you want using awk -F then check the values using the if statement, something like -z to check for null values and then the normal numeric checks for the range you want.
To comply you need to do this for every user that has a password, regardless of UID. I'd use perl, like the one attached. Also you'll want to set defaults in /etc/login.defs.

atom_jelly (Author) Commented:
Thanks JLevie,

I am very grateful for the script. I am still learning perl and I can understand it but I was wondering if you can help me with my request with this script.

for i in `awk -F: '$3 >= 1000 { print $1 }' /home/amagana/_passwd`
do
    # sed -i edits the named file in place and ignores the piped grep output
    grep $i /home/amagana/_passwd | sed -i -e "s/\:99999/\:60/g" /home/amagana/_shadow
done


My goal is to only change those that I have in $i, but the sed is doing the replacement to 60 days for everyone.

Thanks for any help.
atom_jelly (Author) Commented:
I believe I fixed my script.

I just removed the grep and discovered that I can place a variable in my sed statement.

Like this:

for i in `awk -F: '$3 >= 1000 { print $1 }' /etc/passwd`
do
    # anchor on the user-name field so only the line for $i itself is changed
    sed -i -e "/^$i:/ s/\:99999/\:60/g" /etc/shadow
done
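The STIG check quoted in the question, combined with jlevie's point that every account with a password must be covered regardless of UID, as an added audit script (not code from the thread). It reads a shadow-format file given as a parameter, works on a constructed sample rather than the real /etc/shadow, and only prints the `passwd -x 60` commands instead of running them; the name `find_stig_findings` and the sample accounts are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit a shadow-format file for the DISA rule above
# (max days field == 0 or > 60 is a finding). Every account holding a
# real password hash is checked, whatever its UID; locked ('!'/'*')
# or passwordless entries are skipped because they cannot be used to log in.
set -u

# Constructed sample data, format name:hash:lastchg:min:max:warn:inact:expire:flag
SAMPLE_SHADOW='root:$6$abc$hash1:19000:1:60:7:::
daemon:*:19000:0:99999:7:::
bob:$6$def$hash2:19000:0:99999:7:::
bobby:$6$ghi$hash3:19000:0:0:7:::
alice:!$6$jkl$hash4:19000:0:99999:7:::
carol:$6$mno$hash5:19000:1:45:7:::'

# Print "user maxdays" for every finding in the file named by $1.
# An account has a usable password when field 2 starts with '$'.
# An empty max field means "no maximum", which is treated as a finding
# (assumption: it is equivalent to the 99999 default).
find_stig_findings() {
  awk -F: '
    $2 ~ /^\$/ {
      max = $5
      if (max == "" || max + 0 == 0 || max + 0 > 60)
        print $1, (max == "" ? "unset" : max)
    }' "$1"
}

# Exit status 0 when the file has no findings, 1 otherwise.
shadow_is_compliant() {
  [ -z "$(find_stig_findings "$1")" ]
}

# Print, but do not run, the fix command from the STIG for each finding.
suggest_fixes() {
  find_stig_findings "$1" | awk '{ print "passwd -x 60 " $1 }'
}

demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
  echo "Findings (user maxdays):"; find_stig_findings "$tmp"
  echo "Suggested fixes:"; suggest_fixes "$tmp"
  rm -f "$tmp"
}
```

Run `demo` to see the audit on the sample, or call `find_stig_findings /etc/shadow` as root for a real check.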
atom_jelly (Author) Commented:
This site gives me a feeling of accomplishment and my confidence is way up when I come to this community.