Gather info on expired passwords and locked accounts

[sigio]

It would be nice if lynis would gather (and report in the portal/reports) information about user-accounts:

• Expired or soon to expire passwords (passwd -e)
• Locked accounts (passwd -S )
• Expired accounts (chage -E / chage -l )

[justinamcafee]

I'll take a swing at this. Where do I need to store the function? (I'm not great at this, but it looks easy enough to code and produce some formatted output. )

[mboelen]

Hi @justinamcafee - You can add it as a separate test (e.g. AUTH-9350), if you are still up for it.

[chr0mag]

Much of this is already covered:

• AUTH-9288 checks for expired passwords (but not soon-to-expire passwords)
• AUTH-9286 checks if min/max password aging is enabled system wide
• AUTH-9282 checks for accounts w/out a set password expiry date

Since AUTH-9282/9283 already inspect passwd --status --all it would be simple to check for locked
accounts here as well by adding:

FIND3=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }')

...and then adding a new test case (eg. AUTH-9284) to output the locked accounts.

@mboelen Should system accounts be ignored when listing locked accounts? Most (all?) accounts with 0<UID<1000 and UID<65534 (nobody user) are locked so reporting this may not be helpful.