atom_jelly
asked on
Linux expired password script
Hello Folks,
I have a script that runs in bash and I am just trying to put in a simple if statement.
Trying to put in an if statement that will check the UID range from 1000 and up in /etc/shadow
and ignore the UID range of 0 - 999, and if the 5th field in /etc/shadow is 0 or not 60, change it to 60.
Passwords must expire after 60 days. The DISA STIG is below.
My challenge is below:
Discussion:
Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password.
Responsibility:
System Administrator
Check Content:
Check the max days field (the 5th field) of /etc/shadow.
# more /etc/shadow
If the max days field is equal to 0 or greater than 60 for any user, this is a finding.
Fix Text:
Set the max days field to 60 for all user accounts.
# passwd -x 60 <user>
To comply you need to do this for every user that has a password, regardless of UID. I'd use Perl, as in the attached script. Also you'll want to set the defaults in /etc/login.defs.
pw-exp.txt
ASKER
Thanks JLevie,
I am very grateful for the script. I am still learning perl and I can understand it but I was wondering if you can help me with my request with this script.
for i in `awk -F: '$3 > 1000 { print $1 }' /home/amagana/_passwd`
do
grep $i /home/amagana/_passwd | sed -i -e "s/\:99999/\:60/g" /home/amagana/_shadow
done
My goal is to only change those I have for $i, but the sed is doing the replacement to 60 days for everyone.
Thanks for any help.
ASKER
I believe I fixed my script.
I just removed the grep and discovered that I can place a variable in my sed statement.
Like this:
# UIDs 1000 and up (>= rather than > so that UID 1000 itself is included)
for i in `awk -F: '$3 >= 1000 { print $1 }' /etc/passwd`
do
# anchor on "^name:" so that bob does not also match bobby
sed -i -e "/^$i:/ s/\:99999/\:60/g" /etc/shadow
done
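An added example (not code from the thread, and not JLevie's attached pw-exp.txt) that does what the posts above describe in shell: it joins /etc/passwd and /etc/shadow by exact user name to pick out the UID 1000-and-up accounts that actually have a password, flags a max-days field (field 5) that is empty, 0 or greater than 60, and prints the STIG Fix Text command for each finding instead of editing /etc/shadow with sed. The function names, the argument order, and the sample passwd/shadow lines are assumptions made for this example; the minimum UID is a parameter so the same check can be run with 0 to cover every account, as the STIG text and JLevie's reply require.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from JLevie's attachment.
# Audits the max-days field (field 5 of /etc/shadow) and emits the STIG fix
# command. File paths are arguments so it can be run against copies; the
# sample passwd/shadow content below is constructed for this example.

# find_expired_findings PASSWD SHADOW [LIMIT] [MIN_UID]
# Prints "user:maxdays" for each account that is a finding: UID >= MIN_UID
# (default 1000, per the question; use 0 to audit every account as the STIG
# text requires), password field is a real hash (not locked with "!"/"*" or
# empty), and max days is empty, 0, or greater than LIMIT (default 60).
find_expired_findings() {
    local passwd_file=$1 shadow_file=$2 limit=${3:-60} min_uid=${4:-1000}
    awk -F: -v limit="$limit" -v min_uid="$min_uid" '
        # First file (passwd): remember the UID of every account in range.
        NR == FNR { if ($3 + 0 >= min_uid + 0) uid[$1] = $3; next }
        # Second file (shadow): $1 user, $2 hash, $5 max days. The lookup is an
        # exact match on the user name, so "bob" never matches "bobby" the way
        # a sed /bob/ address would.
        ($1 in uid) && $2 != "" && $2 !~ /^[!*]/ {
            max = $5
            # An empty max-days field means "never expires"; treat it like 0.
            if (max == "" || max + 0 == 0 || max + 0 > limit + 0)
                print $1 ":" (max == "" ? "empty" : max)
        }
    ' "$passwd_file" "$shadow_file"
}

# emit_fix_commands PASSWD SHADOW [LIMIT] [MIN_UID]
# Prints the Fix Text command for each finding instead of editing /etc/shadow
# with sed; pipe into sh as root to apply (chage -M is the equivalent).
emit_fix_commands() {
    local limit=${3:-60}
    find_expired_findings "$@" | while IFS=: read -r user rest; do
        echo "passwd -x $limit $user"
    done
}

# write_sample_files DIR: constructed sample data (not from any real host).
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sys:x:3:3:sys:/dev:/usr/sbin/nologin
bob:x:1000:1000::/home/bob:/bin/bash
bobby:x:1001:1001::/home/bobby:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
svc:x:1003:1003::/var/lib/svc:/usr/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
sys:*:19000:0:99999:7:::
bob:$6$salt$hash:19000:0:99999:7:::
bobby:$6$salt$hash:19000:0:60:7:::
alice:$6$salt$hash:19000:0:0:7:::
svc:!:19000:0:99999:7:::
EOF
}

# Demo: bob (99999) and alice (0) are findings; bobby is compliant, sys and
# svc are locked, and root is skipped by the default UID >= 1000 filter.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_sample_files "$dir"
    find_expired_findings "$dir/passwd" "$dir/shadow"
    emit_fix_commands "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
fi
```

Run it with --demo to see the sample, or pass copies of the real files. The exact-name lookup avoids the substring problem of a sed /$i/ address, the locked-account filter keeps you from "fixing" service accounts that have no password to expire, and generating passwd -x commands rather than rewriting /etc/shadow in place leaves the file's permissions and the other fields untouched.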
ASKER CERTIFIED SOLUTION
ASKER
This site gives me a feeling of accomplishment and my confidence is way up when I come to this community.
What have you got so far?
You should be able to get the field you want using awk -F, then check the values using an if statement, something like -z to check for null values and then the normal numeric checks for the range you want.