Linux expired password script

Posted on 2012-12-26
Last Modified: 2013-01-02
Hello Folks,

I have a script that runs in bash and I'm just trying to put in a simple if statement.

I'm trying to put in an if statement that will check the uid range from 1000 and up in /etc/shadow
and ignore the uid range of 0 - 999, and if the 5th field in /etc/shadow is 0 or not 60, change it to 60.

Passwords must expire after 60 days. The DISA STIG is below.

My challenge below is:

Discussion:
Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password.



Responsibility:
System Administrator

Check Content:
Check the max days field (the 5th field) of /etc/shadow.
# more /etc/shadow
If the max days field is equal to 0 or greater than 60 for any user, this is a finding.

Fix Text:
Set the max days field to 60 for all user accounts.
# passwd -x 60 <user>
Question by:atom_jelly
6 Comments
 
LVL 19

Expert Comment

by:jools
ID: 38723085
It's worded like a homework question.

What have you got so far?

You should be able to get the field you want using awk -F then check the values using the if statement, something like -z to check for null values and then the normal numeric checks for the range you want.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 38724369
To comply you need to do this for every user that has a password, regardless of UID. I'd use perl, like the attached. Also you'll want to set defaults in /etc/login.defs.
pw-exp.txt
0
 

Author Comment

by:atom_jelly
ID: 38736224
Thanks JLevie,


I am very grateful for the script. I am still learning perl and I can understand it but I was wondering if you can help me with my request with this script.

for i in `awk -F: '$3 > 1000 { print $1 }' /home/amagana/_passwd`
do
    grep $i /home/amagana/_passwd | sed -i -e  "s/\:99999/\:60/g" /home/amagana/_shadow
done

My goal is to only change those that I have for $i, but the sed is doing the replacement to 60 days for everyone.

Thanks for any help.
0

Author Comment

by:atom_jelly
ID: 38736471
I believe I fixed my script,

I just removed the grep and discovered that I can place a variable in my sed statement.

Like this:

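# UID 1000 and up; system accounts (0 - 999) are skipped
for i in `awk -F: '$3 >= 1000 { print $1 }' /etc/passwd`
do
    # anchor on "^$i:" so only that user's own line in /etc/shadow is edited
    sed -i -e "/^$i:/ s/\:99999/\:60/g" /etc/shadow
done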
0
 
LVL 40

Accepted Solution

by:
jlevie earned 2000 total points
ID: 38736615
That works. If you are doing this to satisfy the DISA requirement, all accounts with passwords must be set to expire.
0
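
The check and fix text quoted in the question, applied field by field to every account that has a password, as the accepted answer advises. This is an added example, not code from the thread. The function names, the constructed sample entries, and the treatment of empty max-days fields and of "!"/"*" password fields are assumptions.

```shell
#!/bin/sh
# Audit the max-days field (5th field) of shadow(5)-format input on stdin.

# Constructed sample entries; the hashes are placeholders, not real ones.
sample_shadow() {
cat <<'EOF'
root:$6$placeholder$hash:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
bob:$6$placeholder$hash:15000:0:60:7:::
bobby:$6$placeholder$hash:15000:0:99999:7:::
carol:$6$placeholder$hash:15000:0:0:7:::
dave:$6$placeholder$hash:15000:0:30:7:::
erin:!!:15000:0:99999:7:::
frank:$6$placeholder$hash:15000:0::7:::
EOF
}

# Print "user:maxdays" for each finding: max days is 0 or greater than 60.
# Assumption: an empty max-days field (no expiry) also counts as a finding.
# Assumption: a password field that is empty or starts with "!" or "*"
# means the account has no usable password and is out of scope.
find_maxdays_findings() {
    awk -F: '
        $2 == "" || $2 ~ /^[!*]/        { next }
        $5 == "" || $5 == 0 || $5 > 60  { print $1 ":" $5 }
    '
}

# Turn each finding into the command from the Fix Text, for review
# before anything is changed; nothing here edits /etc/shadow itself.
emit_fix_commands() {
    find_maxdays_findings | while IFS=: read -r user rest; do
        printf 'passwd -x 60 %s\n' "$user"
    done
}

# Demo on the sample; on a real host: emit_fix_commands < /etc/shadow
sample_shadow | emit_fix_commands
```

Because the comparison is made on whole fields, "bob" (already at 60) is left alone while "bobby" is reported, and root is included even though its UID is below 1000.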
 

Author Closing Comment

by:atom_jelly
ID: 38737837
This site gives me a feeling of accomplishment and my confidence is way when I come to this community.
0
