Solved

Linux expired password script

Posted on 2012-12-26
6
624 Views
Last Modified: 2013-01-02
Hello Folks,

I have a script that runs in bash and just to trying to put a simple if statement.

Trying to put an if statement that will check uid range from 1000 and up  in /etc/shadow
and ignore uid range of 0 - 999 and if the 5th field in /etc/shadow is 0 or not 60 change it to 60.

passwords must expire after 60 days. The DISA Stig is below.
 

my challenge below is:

Discussion:
Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password.



Responsibility:
System Administrator

Check Content:
Check the max days field (the 5th field) of /etc/shadow.
# more /etc/shadow
If the max days field is equal to 0 or greater than 60 for any user, this is a finding.

Fix Text:
Set the max days field to 60 for all user accounts.
# passwd -x 60 <user>
0
Comment
Question by:atom_jelly
  • 3
  • 2
6 Comments
 
LVL 19

Expert Comment

by:jools
ID: 38723085
Its worded like a homework question.

What have you got so far?

You should be able to get the field you want using awk -F then check the values using the if statement, something like -z to check for null values and then the normal numeric checks for the range you want.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 38724369
To comply you need to do this for every user that has a password, regardless of UID. I'd use perl, like is attached. Also you'll want to set defaults in /etc/login.defs
pw-exp.txt
0
 

Author Comment

by:atom_jelly
ID: 38736224
Thanks JLevie,


I am very grateful for the script. I am still learning perl and I can understand it but I was wondering if you can help me with my request with this script.

for i in `awk -F: '$3 > 1000 { print $1 }' /home/amagana/_passwd`

do

 grep $i /home/amagana/_passwd | sed -i -e  "s/\:99999/\:60/g" /home/amagana/_shadow


done


my goal is to only change those the I have for $i but the sed is doing the replacement to 60 days for every one.

Thanks for any help.
0
Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

 

Author Comment

by:atom_jelly
ID: 38736471
I believe I fixed my script,

I just removed the grep and discovered that I can place a variable in my sed statement.

Like this:

for i in `awk -F: '$3 > 1000 { print $1 }' /etc/passwd`

do  

    sed -i -e  "/$i/ s/\:99999/\:60/g" /etc/shadow
   
done
0
 
LVL 40

Accepted Solution

by:
jlevie earned 500 total points
ID: 38736615
That works. If you are doing this to satisfy the DISA requirement, all accounts with passwords must be set to expire.
0
 

Author Closing Comment

by:atom_jelly
ID: 38737837
This site gives me a feeling of accomplishment and my confidence is way when I come to this community.
0

Featured Post

The New “Normal” in Modern Enterprise Operations

DevOps for the modern enterprise offers many benefits — increased agility, productivity, and more, but digital transformation isn’t easy, especially if you’re not addressing the right issues. Register for the webinar to dive into the “new normal” for enterprise modern ops.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Why Shell Scripting? Shell scripting is a powerful method of accessing UNIX systems and it is very flexible. Shell scripts are required when we want to execute a sequence of commands in Unix flavored operating systems. “Shell” is the command line i…
Recently, an awarded photographer, Selina De Maeyer (http://www.selinademaeyer.com/), completed a photo shoot of a beautiful event (http://www.sintjacobantwerpen.be/verslag-en-fotoreportage-van-de-sacramentsprocessie-door-antwerpen#thumbnails) in An…
Learn the basics of while and for loops in Python.  while loops are used for testing while, or until, a condition is met: The structure of a while loop is as follows:     while <condition>:         do something         repeate: The break statement m…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question