tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-04-08 17:15:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1009 from danielorihuela/feature/get-info-on-locked-accounts

Browse Source 
[AUTH-9284] Feature: gather locked accounts info
This commit is contained in:
Michael Boelen 2020-10-22 14:13:34 +02:00 committed by GitHub
commit e67f786caa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
include/tests_authentication
View File

@ -859,23 +859,27 @@
PREQS_MET="YES"
FIND_P=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
FIND3=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq)
;;
*)
PREQS_MET="YES"
FIND_P=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
FIND3=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq)
;;
esac
elif [ "${OS_REDHAT_OR_CLONE}" -eq 1 ]; then
PREQS_MET="YES"
FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done)
FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done)
FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L" || $2=="LK") print $1 }' | sort | uniq ; done)
else
LogText "Result: skipping test for this Linux version"
ReportManual "AUTH-9282:01"
PREQS_MET="NO"
FIND_P=""
FIND2=""
FIND3=""
fi
else
PREQS_MET="NO"
@ -921,6 +925,36 @@
fi
#
#################################################################################
#
# Test : AUTH-9284
# Description : Search locked accounts
Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking locked accounts"
if [ "${SKIPTEST}" -eq 0 ]; then
LogText "Test: Checking locked accounts"
NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq)
LOCKED_NON_SYSTEM_ACCOUNTS=0
for account in ${FIND3};do
if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then
LOCKED_NON_SYSTEM_ACCOUNTS=$((LOCKED_NON_SYSTEM_ACCOUNTS+1))
fi
done
if [ $LOCKED_NON_SYSTEM_ACCOUNTS -eq 0 ]; then
LogText "Result: all accounts seem to be unlocked"
Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found one or more locked accounts"
for account in ${FIND3}; do
if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then
LogText "Locked account: ${account}"
Report "locked_account=${account}"
fi
done
Display --indent 2 --text "- Locked accounts" --result "${STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "Found locked accounts"
fi
fi
#
#################################################################################
#
# Test : AUTH-9286
# Description : Check user password aging