
Script - check password age on various flavors of *nix/Linux


All times are UTC - 6 hours


Posted: Mon Nov 28, 2011 2:21 pm

Hello-

I am writing a script to check the password age for a given user. At the moment the script is interactive and once I have it working as desired I will make it so that it is fully automated.

The issue that I am running into at the moment is that I will deploy it across different versions of Unix/Linux.

I have an if statement that will check if the system is Linux/AIX and depending on the results I want to run certain commands.

If you take a look at the script, I have a variable such as DAYS. If I run this variable inside an if statement, I simply get an error and it fails.
I also tried making the DAYS variable into a function, however the results are the same.

What do I need to do to get this to work so that I don't have to type the whole variable inside the if statement as shown below?

My description may not be as good as I would like it to be, but please let me know if you have any questions.

Thanks-

Code:
#!/bin/sh
#set -x

HOST=`uname -n`
USER=`id -u`
RECIP="email.com"
MAX=30
SYS=`uname`

#--- Need root permissions to run script
if [[ $USER -ne 0 ]];
   then
echo "Must be root to run this script!!"
     exit 2
   else
echo -n "Please enter the local user name:"
#--- Prompt for username:
   read USER
fi

DAYS=`grep $USER /etc/shadow | cut -d: -f3`

#--- Find the epoch time since the user's password was last changed
DATE=`perl -e 'print int(time/(60*60*24))'`

#--- Compute the age of the user's password
AGE=`echo $DATE - $DAYS | bc`

NOTIFY="The user's password is $AGE days old on $HOST"

if [[ $SYS == Linux ]];
   then
DAYS=`grep $USER /etc/shadow | cut -d: -f3`
fi

if [[ $AGE -ge $MAX ]];
   then
echo $NOTIFY
fi

echo -n "Enter yes or no if you want to e-mail notification?:"
   read ANSWER
if [[ $ANSWER == [yY] ]];
   then
echo $NOTIFY |setx -s "Password age requirement has been exceeded!!" $RECIP
echo "Complete!"
fi


Last edited by canit0 on Wed Nov 30, 2011 10:13 am, edited 1 time in total.

Posted: Mon Nov 28, 2011 3:43 pm

Hi,

[[ is not part of sh.
sh can do simple arithmetic, no need for bc.

What's the error message?


Posted: Mon Nov 28, 2011 4:16 pm

Watael wrote:
Hi,

[[ is not part of sh.
sh can do simple arithmetic, no need for bc.

What's the error message?


Thanks Watael-

I am looking to write the script using *case* now. I will respond if that doesn't go anywhere. I will post the script if I do finish it using case so others can use it.

Thanks-


Posted: Wed Nov 30, 2011 10:16 am

This is what I have so far. When I run this on Linux it works like a charm.

However, I am still sorting out some issues on AIX. I hope that someone can take this and use it or make it better. I will continue posting until the script is finished and fully functional, well, it kinda is now.

Code:
#!/bin/sh
set -x

HOST=`uname -n`
USER=`id -u`
MAX=30
SYS=`uname`

###--- Function to check password age for the Linux root account.
LINUX (){
        read USER

        CURRENT_EPOCH=`grep $USER /etc/shadow | cut -d: -f3`
        if [ "$CURRENT_EPOCH" = "" ]; then
                return
        fi

        # Find the epoch time since the user's password was last changed
        EPOCH=`perl -e 'print int(time/(60*60*24))'`

        # Compute the age of the user's password
        AGE=`echo $EPOCH - $CURRENT_EPOCH | bc`

        if [ "$AGE" -ge "$MAX" ]; then
            echo "The user's password is $AGE days old on $HOST"
        fi
}

AIX () {

       CURRENT_EPOCH=`awk 'BEGIN { i=0 } /root/ { while (i < 2 ) { getline; print $0; i++ } i=0}' "/test/passwd" |awk '/lastupdate/ {print $3}'`
       if [ "$CURRENT_EPOCH" = "" ]; then
                return
       fi

       # Determining
       EPOCH_DAYS=`perl -e 'print ($CURRENT_EPOCH/(60*60*24))'`

       # Find the epoch time since the user's password was last changed
       EPOCH=`perl -e 'print int(time/(60*60*24))'`

       # Compute the age of the user's password
       AGE=`echo $EPOCH - $EPOCH_DAYS | bc`

       if [ "$AGE" -ge "$MAX" ]; then
           echo "The user's password is $AGE days old on $HOST"
              else
           echo "Password is fine and is $AGE days old"
       fi
}

#--- Need root permissions to run script
if [[ $USER -ne 0 ]];
   then
echo "Must be root to run this script!!"
     exit 2
fi

case $(uname) in
Linux ) LINUX ;;
AIX ) AIX ;;
esac


Last edited by canit0 on Wed Nov 30, 2011 8:55 pm, edited 2 times in total.

Posted: Wed Nov 30, 2011 10:58 am

Hi canit0!

What sort of issues are you having on AIX? I don't have access to an AIX shell at the moment, but I used to do a lot of cross *nix scripting. Stuff that had to work on Linux, AIX, HPUX, and Solaris...


Posted: Wed Nov 30, 2011 1:52 pm

jeo wrote:
Hi canit0!

What sort of issues are you having on AIX? I don't have access to an AIX shell at the moment, but I used to do a lot of cross *nix scripting. Stuff that had to work on Linux, AIX, HPUX, and Solaris...


Hi jeo-

Thank you for asking. I am not that familiar with AIX and the passwd file in /etc/security. When trying to calculate the password age using the lastupdate number for a given user, I don't know whether that number means days, seconds, or weeks, so I am working on that at the moment. But this script will need to work on AIX, Linux, HPUX, Solaris.

Ok, I just learned this is in seconds since EPOCH time. :) --> :((

-----------------------------------------------------------------

I just updated the script and *believe* I have it working in AIX.

I just converted the lastupdate time, which is set to EPOCH time in seconds, to EPOCH days.

Can someone please confirm?

Code:
#!/bin/sh
set -x

HOST=`uname -n`
USER=`id -u`
MAX=30
SYS=`uname`

###--- Function to check password age for the Linux root account.
LINUX (){
        read USER

        CURRENT_EPOCH=`grep $USER /etc/shadow | cut -d: -f3`
        if [ "$CURRENT_EPOCH" = "" ]; then
                return
        fi

        # Find the epoch time since the user's password was last changed
        EPOCH=`perl -e 'print int(time/(60*60*24))'`

        # Compute the age of the user's password
        AGE=`echo $EPOCH - $CURRENT_EPOCH | bc`

        if [ "$AGE" -ge "$MAX" ]; then
            echo "The user's password is $AGE days old on $HOST"
        fi
}

AIX () {

       CURRENT_EPOCH=`awk 'BEGIN { i=0 } /root/ { while (i < 2 ) { getline; print $0; i++ } i=0}' "/test/passwd" |awk '/lastupdate/ {print $3}'`
       if [ "$CURRENT_EPOCH" = "" ]; then
                return
       fi

       # Converting EPOCH time in seconds to days
       EPOCH_DAYS=`perl -e 'print ($CURRENT_EPOCH/(60*60*24))'`

       # Find the epoch time since the user's password was last changed
       EPOCH=`perl -e 'print int(time/(60*60*24))'`

       # Compute the age of the user's password
       AGE=`echo $EPOCH - $EPOCH_DAYS | bc`

       if [ "$AGE" -ge "$MAX" ]; then
           echo "The user's password is $AGE days old on $HOST"
              else
           echo "Password is fine and is $AGE days old"
       fi
}

#--- Need root permissions to run script
if [[ $USER -ne 0 ]];
   then
echo "Must be root to run this script!!"
     exit 2
fi

case $(uname) in
Linux ) LINUX ;;
AIX ) AIX ;;
esac


I am having problems with the conversion and it is not working for AIX at this time.


Posted: Thu Dec 01, 2011 10:02 am

Can anybody tell me why this line in a script isn't returning the correct value?

Code:
EPOCH_DAYS=`perl -e 'print ($CURRENT_EPOCH/(60*60*24))'`


When I run the script I simply echo the value of each variable and $EPOCH_DAYS returns 0.

When I run each value manually on the command line it returns the right value. This is the value in the AIX function.

????


Posted: Thu Dec 01, 2011 8:43 pm

Because variables are not expanded inside single quotes.

sh can do simple arithmetic, no need for perl.


Posted: Thu Dec 01, 2011 9:28 pm

Watael wrote:
Because variables are not expanded inside single quotes.

sh can do simple arithmetic, no need for perl.


Again, thank you Watael. After simply changing from single to double quotes, the AIX function is working properly.

I've decided not to do HPUX because it sucks. :P Not really, I just don't have access to HPUX at the moment so I am just leaving this here in hope that someone can use it as the base for a better script or let me know how it can be improved.


Code:
#!/bin/sh
#set -x

HOST=`uname -n`
MAX=30
SYS=`uname`

###--- Function to check password age for the root account on Linux systems.
LINUX (){
        USER_ID=`id -u`

        #--- Need root permissions to run script
        if [ $USER_ID -ne 0 ]; then
             echo "Must be root to run this script!!"
           exit 2
        fi

        #--- Get the user's name to query the password age.
        echo "Enter the username:"
                read USER

        # Match the username exactly (first field), not as a substring
        CURRENT_EPOCH=`grep "^$USER:" /etc/shadow | cut -d: -f3`
        if [ "$CURRENT_EPOCH" = "" ]; then
                return
        fi

        # Today's date as whole days since the epoch
        EPOCH=`perl -e 'print int(time/(60*60*24))'`

        # Compute the age of the user's password
        AGE=`echo $EPOCH - $CURRENT_EPOCH | bc`

        if [ "$AGE" -ge "$MAX" ]; then
            echo "The user's password is $AGE days old on host $HOST"
        fi
}

###--- Function  to check the password age for the root account on AIX systems.
AIX () {
        USER_ID=`id -u`

        #--- Need root permissions to run script
        if [ $USER_ID -ne 0 ]; then
             echo "Must be root to run this script!!"
           exit 2
        fi

        CURRENT_EPOCH=`awk 'BEGIN { i=0 } /root/ { while (i < 2 ) { getline; print $0; i++ } i=0}' "/etc/security/passwd" |awk '/lastupdate/ {print $3}'`

        #if [ "$CURRENT_EPOCH" = "" ]; then
        #         return
        #fi

        # Converting EPOCH time in seconds to days
        EPOCH_DAYS=`perl -e "print int($CURRENT_EPOCH/(60*60*24))"`

        # Today's date as whole days since the epoch
        EPOCH=`perl -e 'print int(time/(60*60*24))'`

        # Compute the age of the user's password
        AGE=`echo $EPOCH - $EPOCH_DAYS | bc`

        if [ "$AGE" -ge "$MAX" ]; then
           echo "The user's password is $AGE days old on host $HOST"
              else
           echo "Password is fine and is $AGE days old"
        fi
}

###--- Function  to check the password age for the root account on SunOS systems.
SUNOS (){
        SUSER=`/usr/xpg4/bin/id -u` # Used for Solaris OS.

        #--- Need root permissions to run script
        if [ $SUSER -ne 0 ]; then
             echo "Must be root to run this script!!"
           exit 2
        fi

        #--- Get the user's name to query the password age.
        echo "Enter the username:"
                read USER

        # Match the username exactly (first field), not as a substring
        CURRENT_EPOCH=`grep "^$USER:" /etc/shadow | cut -d: -f3`
        if [ "$CURRENT_EPOCH" = "" ]; then
                return
        fi

        # Today's date as whole days since the epoch
        EPOCH=`perl -e 'print int(time/(60*60*24))'`

        # Compute the age of the user's password
        AGE=`echo $EPOCH - $CURRENT_EPOCH | bc`

        if [ "$AGE" -ge "$MAX" ]; then
            echo "The user's password is $AGE days old on host $HOST"
        fi
}

case $SYS in
Linux ) LINUX ;;
AIX ) AIX ;;
SunOS ) SUNOS ;;
esac
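
Added example, not written by any poster in this thread: a POSIX sh sketch of the same check that uses shell arithmetic instead of perl and bc, matches the account name exactly in both the shadow format (days) and the AIX stanza format (seconds), and rejects an empty or zero last-change field. The function names, the sample files and the fixed TODAY value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All account data below is constructed sample input.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/shadow" <<'EOF'
bobby:$6$constructed$hash:15310:0:30:7:::
bob:$6$constructed$hash:15280:0:30:7:::
newuser:$6$constructed$hash:0:0:30:7:::
EOF
cat > "$SAMPLE_DIR/aix_passwd" <<'EOF'
rootsvc:
        password = constructedhash
        lastupdate = 1322000000

root:
        password = constructedhash
        lastupdate = 1320000000
EOF

# Field 3 (days since the epoch) for an exact match on field 1.
shadow_lastchg_days() {   # $1=user  $2=shadow-format file
    awk -F: -v u="$1" '$1 == u { print $3; exit }' "$2"
}

# lastupdate (seconds since the epoch) from the stanza headed "user:",
# converted to whole days. Other stanzas are ignored.
aix_lastchg_days() {      # $1=user  $2=stanza-format file
    awk -v u="$1" '
        NF == 1 && $1 ~ /:$/ { in_stanza = ($1 == (u ":")); next }
        in_stanza && $1 == "lastupdate" { print int($3 / 86400); exit }
    ' "$2"
}

# Prints the age in days; returns 1 if the value is empty, non-numeric or 0.
password_age_days() {     # $1=last change (days)  $2=today (days)
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ] || return 1
    echo $(( $2 - $1 ))
}

TODAY=15310   # constructed "today" in days since the epoch, for repeatable output
for u in bob newuser; do
    if age=$(password_age_days "$(shadow_lastchg_days "$u" "$SAMPLE_DIR/shadow")" "$TODAY"); then
        echo "$u: password is $age days old"
    else
        echo "$u: no usable last-change value"
    fi
done
age=$(password_age_days "$(aix_lastchg_days root "$SAMPLE_DIR/aix_passwd")" "$TODAY")
echo "root (AIX stanza): password is $age days old"
```

With the sample data, a substring match on "bob" or "root" would return two values; the exact match returns one per account.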

