• file
• latest
• revisions
• annotate
• diff
• comparison
• raw

security.d/chk_passwd@8ba6a0e2d2ca (annotated)

security.d/chk_passwd

Sat, 31 Mar 2007 13:32:06 +0200

author

mbse

date

Sat, 31 Mar 2007 13:32:06 +0200

changeset 0

8ba6a0e2d2ca

child 7

2c71590b2373

permissions

-rw-r--r--

Initial revision

0 8ba6a0e2d2ca Initial revision mbse parents: diff changeset	1	#!/bin/bash
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	2	#
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	3	# $Id$
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	4	#
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	5	#############################################################################
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	6	# Copyright (C) 2005
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	7	#
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	8	# Michiel Broek <mbse@mbse.dds.nl>
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	9	# Beekmansbos 10
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	10	# 1971 BV IJmuiden
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	11	# the Netherlands
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	12	#
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	13	# This file is part of SlackSecCheckSripts.
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	14	#
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	15	# This package is free software; you can redistribute it and/or modify it
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	16	# under the terms of the GNU General Public License as published by the
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	17	# Free Software Foundation; either version 2, or (at your option) any
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	18	# later version.
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	19	#
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	20	# SlackSecCheckSripts is distributed in the hope that it will be useful, but
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	21	# WITHOUT ANY WARRANTY; without even the implied warranty of
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	22	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	23	# General Public License for more details.
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	24	#
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	25	# You should have received a copy of the GNU General Public License
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	26	# along with MBSE BBS; see the file COPYING. If not, write to the Free
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	27	# Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	28	#############################################################################
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	29
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	30
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	31	PATH=/sbin:/usr/sbin:/bin:/usr/bin
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	32
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	33	umask 077
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	34	TZ=UTC; export TZ
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	35	LANG=C; export LANG
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	36
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	37	max_loginlen=${max_loginlen:-32}
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	38
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	39	MP=/etc/passwd
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	40	SP=/etc/shadow
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	41
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	42
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	43	SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	44
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	45	trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	46
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	47	if ! cd "$SECUREDIR"; then
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	48	echo "Can not cd to $SECUREDIR".
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	49	exit 1
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	50	fi
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	51
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	52	TMP2=secure1.$$
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	53	MPBYUID=secure2.$$
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	54	COMBINED=secure3.$$
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	55	OUTPUT=secure4.$$
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	56
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	57	# Combine passwd and shadow files.
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	58	#
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	59	join -t : -j 1 $MP $SP > $COMBINED
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	60
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	61
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	62	# These are used several times.
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	63	#
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	64	awk -F: '!/^+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	65
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	66
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	67	# Check the master password file syntax.
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	68	# Usernames may have a $ character at the end for Samba
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	69	# machine and trust accounts.
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	70	#
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	71	awk -v "len=$max_loginlen" '
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	72	BEGIN {
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	73	while ( getline < "/etc/shells" > 0 ) {
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	74	if ($0 ~ /^\#/ || $0 ~ /^$/ )
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	75	continue;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	76	shells[$1]++;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	77	}
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	78	FS=":";
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	79	}
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	80
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	81	{
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	82	if ($0 ~ /^[ ]*$/) {
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	83	printf "\tLine %d is a blank line.\n", NR;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	84	next;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	85	}
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	86	if (NF != 15 && ($1 != "+" || NF != 1))
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	87	printf "\tLine %d has the wrong number of fields.\n", NR;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	88	if ($1 == "+" ) {
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	89	if (NF != 1 && $3 == 0)
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	90	printf "\tLine %d includes entries with uid 0.\n", NR;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	91	next;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	92	}
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	93	if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9\$])*$/)
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	94	printf "\tLogin %s has non-alphanumeric characters.\n", $1;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	95	if (length($1) > len)
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	96	printf "\tLogin %s has more than "len" characters.\n", $1;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	97	if ($7 == "" && $8 !~ /!/ && $8 != "*")
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	98	printf "\tLogin %s does not have a shell\n", $1;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	99	if ($7 != "" && ! shells[$7] && $8 !~ /!/ && $8 != "*")
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	100	printf "\tLogin %s does not have a valid shell (%s)\n", $1, $7;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	101	if ($7 != "" && shells[$7] && ($8 ~ /!/ && $8 = "*"))
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	102	printf "\tLogin %s account is locked.\n", $1;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	103	if ($8 == "")
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	104	printf "\tLogin %s has no password.\n", $1;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	105	if ($9 == "0")
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	106	printf "\tLogin %s password is expired.\n", $1;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	107	if ($3 == 0 && $1 != "root" && $1 != "toor")
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	108	printf "\tLogin %s has a user id of 0.\n", $1;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	109	if ($3 < 0)
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	110	printf "\tLogin %s has a negative user id.\n", $1;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	111	if ($4 < 0)
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	112	printf "\tLogin %s has a negative group id.\n", $1;
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	113	}' < $COMBINED > $OUTPUT
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	114	if [ -s $OUTPUT ] ; then
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	115	printf "\nChecking the $MP and $SP files:\n"
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	116	cat $OUTPUT
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	117	fi
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	118
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	119	awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	120	if [ -s $OUTPUT ] ; then
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	121	printf "\n$MP has duplicate user names.\n"
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	122	column $OUTPUT
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	123	fi
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	124
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	125	# To not exclude 'toor', a standard duplicate root account, from the duplicate
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	126	# account test, uncomment the line below (without egrep in it)and comment
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	127	# out the line (with egrep in it) below it.
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	128	#
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	129	#< $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	130	< $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	131	if [ -s $TMP2 ] ; then
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	132	printf "\n$MP has duplicate user id's.\n"
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	133	while read uid; do
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	134	grep -w $uid $MPBYUID
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	135	done < $TMP2 | column
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	136	fi
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	137
8ba6a0e2d2ca Initial revision mbse parents: diff changeset	138