Avatar of atom_jelly
atom_jelly
Flag for United States of America asked on

Linux expired password script

Hello Folks,

I have a script that runs in bash and just to trying to put a simple if statement.

Trying to put an if statement that will check uid range from 1000 and up  in /etc/shadow
and ignore uid range of 0 - 999 and if the 5th field in /etc/shadow is 0 or not 60 change it to 60.

passwords must expire after 60 days. The DISA Stig is below.
 

my challenge below is:

Discussion:
Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password.



Responsibility:
System Administrator

Check Content:
Check the max days field (the 5th field) of /etc/shadow.
# more /etc/shadow
If the max days field is equal to 0 or greater than 60 for any user, this is a finding.

Fix Text:
Set the max days field to 60 for all user accounts.
# passwd -x 60 <user>
Unix OSShell ScriptingScripting Languages

Avatar of undefined
Last Comment
atom_jelly

8/22/2022 - Mon
Julian Parker

Its worded like a homework question.

What have you got so far?

You should be able to get the field you want using awk -F then check the values using the if statement, something like -z to check for null values and then the normal numeric checks for the range you want.
jlevie

To comply you need to do this for every user that has a password, regardless of UID. I'd use perl, like is attached. Also you'll want to set defaults in /etc/login.defs
pw-exp.txt
atom_jelly

ASKER
Thanks JLevie,


I am very grateful for the script. I am still learning perl and I can understand it but I was wondering if you can help me with my request with this script.

for i in `awk -F: '$3 > 1000 { print $1 }' /home/amagana/_passwd`

do

 grep $i /home/amagana/_passwd | sed -i -e  "s/\:99999/\:60/g" /home/amagana/_shadow


done


my goal is to only change those the I have for $i but the sed is doing the replacement to 60 days for every one.

Thanks for any help.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
atom_jelly

ASKER
I believe I fixed my script,

I just removed the grep and discovered that I can place a variable in my sed statement.

Like this:

for i in `awk -F: '$3 > 1000 { print $1 }' /etc/passwd`

do  

    sed -i -e  "/$i/ s/\:99999/\:60/g" /etc/shadow
   
done
ASKER CERTIFIED SOLUTION
jlevie

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
atom_jelly

ASKER
This site gives me a feeling of accomplishment and my confidence is way when I come to this community.