Gather info on expired passwords and locked accounts #474

Open
sigio opened this issue Oct 12, 2017 · 3 comments

@sigio
Contributor

commented Oct 12, 2017

It would be nice if Lynis would gather (and report in the portal/reports) information about user accounts:

  • Expired or soon to expire passwords (passwd -e)
  • Locked accounts (passwd -S)
  • Expired accounts (chage -E / chage -l)
@justinamcafee

Contributor

commented Mar 14, 2018

I'll take a swing at this. Where do I need to store the function? (I'm not great at this, but it looks easy enough to code and produce some formatted output.)

@mboelen

Member

commented Jul 25, 2018

Hi @justinamcafee - You can add it as a separate test (e.g. AUTH-9350), if you are still up for it.

@chr0mag

Contributor

commented Mar 8, 2019

Much of this is already covered:

  • AUTH-9288 checks for expired passwords (but not soon-to-expire passwords)
  • AUTH-9286 checks if min/max password aging is enabled system wide
  • AUTH-9282 checks for accounts w/out a set password expiry date

Since AUTH-9282/9283 already inspect passwd --status --all it would be simple to check for locked accounts here as well by adding:

FIND3=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }')

...and then adding a new test case (e.g. AUTH-9284) to output the locked accounts.

@mboelen Should system accounts be ignored when listing locked accounts? Most (all?) accounts with 0<UID<1000 and UID<65534 (nobody user) are locked so reporting this may not be helpful.
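
The locked-account check and the system-account question from the comment above, combined in an added example that is not part of the thread and is not Lynis code: it joins `passwd -S -a` style output with passwd(5) entries so locked accounts can be filtered by UID. The function names, the sample data and the default range of 1000 to 60000 are assumptions made for illustration.

```shell
# Added example, not Lynis code. All sample data below is constructed.

# Constructed `passwd -S -a` style output (shadow-utils layout:
# name, status, last change, min, max, warn, inactive).
sample_status() {
cat <<'EOF'
root P 10/12/2017 0 99999 7 -1
daemon L 10/12/2017 0 99999 7 -1
www-data L 10/12/2017 0 99999 7 -1
alice P 03/08/2019 0 90 7 -1
bob L 03/08/2019 0 90 7 -1
nobody L 10/12/2017 0 99999 7 -1
carol L 01/15/2019 0 90 7 -1
EOF
}

# Constructed passwd(5) entries, used to map account names to UIDs.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# locked_accounts PASSWD_FILE [UID_MIN] [UID_MAX]
# Reads status lines on stdin and prints "name uid" for every locked
# account whose UID is within the range (defaults are assumptions).
locked_accounts() {
    awk -v min="${2:-1000}" -v max="${3:-60000}" '
        # First input (passwd file): build the name -> UID map.
        FNR == NR { split($0, f, ":"); uid[f[1]] = f[3]; next }
        # Second input (stdin): "L" marks a locked password; some
        # passwd implementations print "LK" instead.
        ($2 == "L" || $2 == "LK") && ($1 in uid) &&
            uid[$1] + 0 >= min && uid[$1] + 0 <= max { print $1, uid[$1] }
    ' "$1" -
}

# Demo on the constructed samples. On a live host, as root:
#   passwd -S -a 2>/dev/null | locked_accounts /etc/passwd
demo_tmp=$(mktemp)
sample_passwd > "$demo_tmp"
sample_status | locked_accounts "$demo_tmp"
rm -f "$demo_tmp"
```

With the default range only regular user accounts are reported; passing `0 65534` as the range lists the locked system accounts and `nobody` as well.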
