#!/usr/bin/perl -w
# Work out this script's directory and basename from $0 before anything else
# is compiled, then append the directory to @INC so that modules stored next
# to the script can be loaded.  It is appended (lowest search priority) and
# may be a relative path: "." when $0 carries no directory part.
BEGIN {
    if ( $0 =~ m{(.*)/([^/]+)$} ) {
        ( $_pathname, $_filename ) = ( $1, $2 );
    }
    else {
        ( $_pathname, $_filename ) = ( ".", $0 );
    }
    push @INC, $_pathname;
}
################################################################
#
# Title : report-passwdfile.pl
#
# Author : Damien Farah/Andy Thom
#
# Description :
# Pushes the password-check script that follows __DATA__ to every
# host named on the command line (over ssh, several hosts at a time)
# and mails a consolidated report of what the hosts printed.
#
# SCCS Version:
#
# History : 04Jun12 Damien - birth.
#
#################################################################

# Print an error message followed by the usage line on STDERR and
# leave with exit status 2.  The only argument is the error text;
# $_filename (set in the BEGIN block) is the script's basename.
sub usage {
    my ($error) = @_;
    print STDERR "\nERROR: $error\nUsage:\n", <<"EndOfDescription";
$_filename <host> [ <host> ... ]
EndOfDescription
    exit 2;
}
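#
# Required Libraries
####################
use strict;
use Parallel;
#
# Internal Variables
####################
$| = 1;    # No buffering STDOUT;
# Every remote command goes through ssh with host-based authentication only,
# i.e. it relies on the remote hosts' host-based trust of this machine (no
# keys or passwords are handled here).  -t allocates a remote pseudo-tty.
my $SSHCMD = "/usr/bin/ssh -t -o PreferredAuthentications=hostbased";
my $HOSTNAME = qx{/bin/hostname};
chomp $HOSTNAME;    # chomp, not chop: chop would eat a real character if no newline was printed
# The "our" is required to import variables from the BEGIN above.
our ( $_pathname, $_filename );
# If the ControlM environment is set, use the variables in our email.
my $CONTROLM = $ENV{CTM_SCHEDTAB}
    ? "***\nRun by ControlM:\n----------------\nSchedTable: $ENV{CTM_SCHEDTAB}\nJobname/Memname: $ENV{CTM_JOBNAME}/$ENV{CTM_MEMNAME}\n"
    : "";
#
# Global Constants/Variables
############################
#my( $EMAIL_TOLIST ) = "Damien.Farah\@bis.org";
my $EMAIL_TOLIST = "service.unix\@bis.org";    # recipient(s) of the final report, whitespace separated
#my( $EMAIL_TOLIST ) = "Mark.Gahan\@bis.org";
my $EMAIL_SUBJECT = "Linux Password File Check Report";
# Opening line of the report; replaced in report (-r) mode further down.
my @MSG = "Please find below the output of the password check script which summarises the password issues found for each Linux server.";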
##################################################################
# Define the stub
##################################################################
# Here we define the stub code. It is a piece of generic code that
# runs on every server. It essentially decodes (base64) stdin
# into a file which it then runs. In this way we can pass our
# scripts through via stdin.
#
# The stub is a "perl -e" one-liner wrapped in single quotes.  q{}
# keeps every "$" and "\" literal here, but the text still travels
# through the local shell, ssh and the remote login shell (see the
# $run->run(...) call further down), so the escaping below is tied
# to that command line: do not reformat or re-quote it.
#
# NOTE(review): on the remote host the script is written to a
# predictable path (/tmp/_monitor<pid>) with a 2-arg open, its mode
# is only narrowed by chmod after the file exists, and the rm that
# would delete it afterwards is commented out inside the sh -c
# string, so a copy of the script stays in /tmp on every host.  A
# File::Temp file in a private directory (UNLINK => 1) would address
# all three; File::Temp is core perl but the stub's quoting has to
# be re-checked if it is changed.
my( $STUB ) = q{/usr/bin/perl -MMIME::Base64 -e '
foreach ( @ARGV ) {
s%([\\\"])%\\\\$&%go; # Quote \\s and "s
$scriptargs .= qq{"$_" };
}
$scriptargs =~ s%([\\\"])%\\\\$&%go; # Quote \\s and "s
my( $tmpscript ) = "/tmp/_monitor$$";
local $/ = undef;
if ( open(SCRIPT, ">$tmpscript") ) {
chmod 0700, "$tmpscript";
print SCRIPT decode_base64(<STDIN>);
# Execute the temporary file - then remove it.
exec qq{sh -c "$tmpscript $scriptargs; #rm -rf $tmpscript"};
print stderr "ERROR: Failed executing command : $!\n";
} else {
print stderr "ERROR: Failed creating temporary file : $!\n";
}
exit 1; # If we got here then we had an error.
' -- };
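##################################################################
# Main
##################################################################
usage "Arguments expected." if !@ARGV;

# Command line: [-r] <host> ... [-- <remote script argument> ...]
# Host names come first; everything after a literal "--" is passed on
# to the remote script.  "-r" (report mode) is the only option handled
# here and is forwarded unchanged.
my @hosts;
my $scriptargs = "";
#MG added stuff...
if ( $ARGV[0] eq '-r' ) {
    $scriptargs = "-r";
    shift @ARGV;
}
# (the old else branch only declared a second, unused $scriptargs)
my $hostsflg = 1;    # true while we are still collecting host names
foreach my $arg (@ARGV) {
    if ( $arg =~ /^--$/ ) {
        $hostsflg = 0;
    }
    elsif ($hostsflg) {
        push @hosts, $arg;
    }
    else {
        # Quote \s and "s before the argument is embedded in the ssh command
        # line.  NOTE(review): [\034"] matches the octal-034 control
        # character, not a backslash; the re-quoting just before
        # $run->run() uses [\\"], which is probably what was meant here
        # too.  Left as found because of the layered shell/ssh quoting.
        $arg =~ s%([\034"])%\\$&%g;
        $scriptargs .= qq{"$arg" };
    }
}
usage "Please identify the hosts to run on." if !@hosts;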
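my @email;     # report lines for the final mail, filled by the cbend callback
my %output;    # host index -> { stdout => [lines], stderr => [lines] }
# Create a Parallel object to run our ssh's in parallel.  The callbacks
# collect each host's output; $i is the host's position in @hosts.
# NOTE(review): the meaning of 'timeout' and 'parallel' (seconds? per
# command?) is whatever the Parallel module defines - confirm there.
my $run = Parallel->new(
    'timeout'  => 10,
    'parallel' => 5,
    'cball' => sub {
        my ( $i, @stdout ) = @_;
        $output{$i}{'stdout'} = [@stdout] if @stdout;
    },
    'cberrall' => sub {
        my ( $i, @stderr ) = @_;
        # Drop the noise every ssh -t session prints on stderr.
        @stderr = grep { !/^(#\|#|Inappropriate ioctl|Connection to \S+ closed.|Pseudo-terminal will not be allocated)/ } @stderr;
        $output{$i}{'stderr'} = [@stderr] if @stderr;
    },
    'cbend' => sub {
        my ( $i, $rc ) = @_;
        # A host only appears in the report when it printed something or
        # ended with a non-zero status.
        if ( exists $output{$i} || $rc > 0 ) {
            push @email, "***********************************************************";
            push @email, "* $hosts[$i]";
            push @email, "***********************************************************";
            push @email, @{ $output{$i}{'stdout'} } if $output{$i}{'stdout'};
            if ( exists $output{$i}{'stderr'} ) {
                push @email, "************************* stderr **************************";
                push @email, @{ $output{$i}{'stderr'} };
            }
            if ( $rc > 0 ) {
                # $rc is split like a wait(2) status: exit code in the high
                # byte, signal number in the low 7 bits.  The old 0x0f mask
                # kept only 4 bits and so misreported signals 16 and above.
                my ( $exitcode, $signal ) = ( $rc >> 8, $rc & 0x7f );
                push @email, "\nexitcode=$exitcode - signal=$signal";
            }
            push @email, "\n\n";
        }
    },
);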
{ # We run inside a block so that we can define local variables.
use MIME::Base64;
local $/ = undef;    # slurp the whole __DATA__ section (the bash script) in one read
my( $script ) = encode_base64( <DATA> );
$scriptargs =~ s%([\\"])%\\$1%g; # Quote \\s and "s
# One shell command per host: the base64 text is piped into ssh and the
# stub on the far side decodes and runs it.  The host name ($_) and the
# script arguments are interpolated into a shell command line, so they
# must come from a trusted operator - here they do (the command line).
# NOTE(review): the stub's own $-variables only survive if Parallel hands
# this string to a shell in the way the stub's quoting expects; confirm
# against the module before touching either side.
$run->run( map { qq{echo "$script" |$SSHCMD $_ "$STUB $scriptargs" } } @hosts );
}
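# Report mode (-r): the report section of the remote script prints one line
# per application account, "<account>:<owner e-mail(s)>:...:<host>", and those
# lines are now in @email.  Every distinct owner address gets one mail listing
# their accounts per host, and @email is then turned into a "who was mailed"
# summary for the final report.
if ( @email && ( $scriptargs eq '-r' ) ) {
    my $bodyrep = <<'BLOCKEND';
!! ATTENTION ACTION NEEDED !!
You are being sent this email because you are listed as the owner or contact for one or more application accounts on the system(s) listed please review the relevant accounts in the Accounts for Review section below, in particular review the following:
1. Is the account still neeeded - If not indicate which accounts can be removed
2. Is the account owner/contact correct - If not indicate who is the correct contact for which account
You can respond with a reply to this Email to the IMS/Unix team - service.unix&san@bis.org
The Format of the report below is : <APPLICATION ACCOUNT>:<ACCOUNT OWNER(s) EMAIL DETAILS>:<ACCOUNT DESCRIPTION IF AVAILABLE>
Regards,
UNIX Team
ACCOUNTS FOR REVIEW ARE AS FOLLOWS
######################################
BLOCKEND
    # Work on a copy; @email is rebuilt below as the list of addresses mailed.
    my @copy_email = @email;
    # One empty entry keeps @email true, so the summary mail further down is
    # still sent even when no owner address is found (unchanged behaviour).
    @email = ("");
    # Collect every owner address: split on the field and list separators,
    # keep the tokens that contain "@", fold case and de-duplicate.
    my @elist             = map { split( /:/, $_ ) } @copy_email;
    my @elist_multi_split = map { split( /,/, $_ ) } @elist;
    my @elist_mails       = grep { /\@/ } @elist_multi_split;
    my @lc_elist_mails    = map { lc } @elist_mails;
    my @unique_elist      = do { my %seen; grep { !$seen{$_}++ } @lc_elist_mails };
    foreach my $email_addr (@unique_elist) {
        # The address came from remote output and goes straight into a mail
        # header: refuse anything containing whitespace or list/header
        # separators rather than emit a malformed header.
        if ( $email_addr =~ /[\s,;:]/ ) {
            warn "skipping malformed owner address '$email_addr'\n";
            next;
        }
        # Fresh per owner (it used to be reset to ("") which left a stray
        # blank line at the top of every mail but the first).
        my @user_rep;
        # Lines mentioning this owner.  \Q..\E: the address is data, not a
        # pattern - an unescaped "." would match any character.
        my @form_email = grep { /\Q$email_addr\E/i } @copy_email;
        # Get the lists of hosts the user has accounts for then foreach them
        my @hlist        = map { ( split /:/, $_ )[-1] } @form_email;
        my @unique_hlist = do { my %seen; grep { !$seen{$_}++ } @hlist };
        foreach my $hlist_item (@unique_hlist) {
            push @user_rep, "*************************************************************";
            push @user_rep, "***************** Linux Server-$hlist_item ******************";
            push @user_rep, "*************************************************************";
            my @user_items = grep { /\Q$hlist_item\E/ } @form_email;
            # Strip the trailing ":<host>" field on a copy of each line.
            my @clean_user_items = map { ( my $line = $_ ) =~ s/:\Q$hlist_item\E//g; $line } @user_items;
            push @user_rep, @clean_user_items;
            push @user_rep, " ";
            push @user_rep, " ";
            # Improvement idea Do the final formatting to niceify the report
        }
        # List-form open: no shell is involved; -t makes sendmail take the
        # recipients from the headers.  A failure is reported and the owner
        # skipped instead of printing into a closed handle.
        my $mail;
        if ( !open( $mail, '|-', '/usr/sbin/sendmail', '-t' ) ) {
            warn "cannot run /usr/sbin/sendmail for $email_addr: $!\n";
            next;
        }
        # NOTE(review): an empty line must separate the headers from the body;
        # add one after the Subject line if this listing lost it.
        print {$mail} "To: $email_addr\n";
        #print MAIL "To: Mark.Gahan\@bis.org\n";
        print {$mail} "Cc: Mark.Gahan\@bis.org\n";
        print {$mail} "From: service.unix&san\@bis.org\n";
        print {$mail} "Subject: Non Expiring Linux Application Account review - The following Linux accounts must be reviewed\n";
        print {$mail} $bodyrep;
        print {$mail} join( "\n", @user_rep ), "\n";
        #print MAIL @user_rep;
        close $mail or warn "sendmail for $email_addr exited with status $?\n";
        #print "sending mail to $email_addr\n";
        push @email, "Email sent to $email_addr\n";
    }
    # Zero the email array for a clean exit
    #@email = ();
    @MSG = "The password check script was executed in report mode, the following have been mailed the non-expiring application account review request:";
}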
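# If the output array has content, then email it appropriately.
if (@email) {
    local $" = "\n";    # join @MSG / @email with newlines inside the heredoc (scoped, not global)
    my $hostlist = join( " ", @hosts );
    # List-form open: no shell, so the envelope sender ($_filename, derived
    # from $0) and the recipients are passed as plain arguments.  The
    # recipient string is split on whitespace exactly as the shell used to.
    # NOTE(review): an empty line must separate the Subject header from the
    # body; add one after the Subject line if this listing lost it.
    if ( open( my $mailx, '|-', '/usr/sbin/sendmail', '-f', $_filename, split( ' ', $EMAIL_TOLIST ) ) ) {
        print {$mailx} <<"EOMAIL";
To: $EMAIL_TOLIST
Subject: $EMAIL_SUBJECT
Hello :-)
@MSG
@email
==========================================
This script [ ${HOSTNAME}:$_pathname/$_filename ]
Run on host(s) [ $hostlist ]
$CONTROLM
EOMAIL
        close $mailx or warn "sendmail exited with status $?\n";
    }
    else {
        warn "cannot run /usr/sbin/sendmail: $!\n";
    }
}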
- __DATA__
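#!/bin/bash
#####
# passwordCheck2.sh
#
#
# Description
# ===========
# This script will check the status of users' passwords and send an e-mail to
# the user if one of the following conditions is met:-
#
# (MG) Updated to V2.00 10-09-2015 To meet audit requirements for better control of ignore lists
# Split the ignore list into system and app and added a reporting feature for yearly
# App ignore list reviews
#
# - entry missing in /etc/shadow for user(s)
#
# - is the account locked (added: 28-02-2012)
#
# - empty password.
#
# - password has expired.
#
# - password change is overdue.
#
# - the password change warning period has been reached.
#
# It is normally pushed to each host and run by report-passwdfile.pl, which
# collects whatever is printed on stdout/stderr.
#
# Run modes (first argument only):
#   -v  verbose progress on stdout
#   -t  test: the admin summary is addressed to a tester and no user mail is sent
#   -r  report: list the application accounts on the exclude list and exit
# All three default to off.  reportMode used to be undeclared and only worked
# because an unset name evaluates as 0 inside [[ ]].
#
declare -i verboseMode=0
declare -i testMode=0
declare -i reportMode=0
case "$1" in
    -v) verboseMode=1 ;;
    -t) testMode=1 ;;
    -r) reportMode=1 ;;
esac
declare -r myHostname=$(hostname --fqdn)
declare -r myshortHostname=$(uname -n)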
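#
#####
# Fields used in /etc/shadow
#
# 0 - login name (the index is called UID_Shadow but it is the user name field)
# 1 - password
# 2 - DAYS SINCE LAST CHANGE (since EPOCH)
# 3 - days between changes (default 2)
# 4 - MUST CHANGE AFTER x DAYS (default 60)
# 5 - WARN x DAYS BEFORE EXPIRY (default 7)
# 6 - DAYS AFTER PASSWORD EXPIRES THAT ACCOUNT IS DISABLED (default NULL)
# 7 - DAYS SINCE EPOCH THAT ACCOUNT IS DISABLED (default NULL)
#
#
declare -r UID_Shadow=0
declare -r password_Shadow=1
declare -r lastChange_Shadow=2
declare -r mustChange_Shadow=4
declare -r warnDate_Shadow=5
declare -r expireDate_Shadow=7
declare -r secondsPerDay=86400
# Match the key name exactly: an unanchored "grep UID_MIN" also hits
# SYS_UID_MIN (and commented lines), and which value ended up in field 2
# depended on the order of the lines in login.defs.
declare -i userID_Min=$(awk '$1 == "UID_MIN" { print $2; exit }' /etc/login.defs)
declare -i userID_Max=$(awk '$1 == "UID_MAX" { print $2; exit }' /etc/login.defs)
declare -i daysSinceEpoch=$(( $(/bin/date +%s) / secondsPerDay ))
#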
#-----------------------------------------------------------------------------
# Variables for Email
#
# The *Subject / *Body strings below are templates: they are single-quoted so
# that $currentUser, $myHostname, $passwordTimeLeft, $passwordOverdueDays and
# $sysUser stay literal, and they are expanded later with eval "echo \"...\""
# once those variables are set.  Because eval re-parses the text, only trusted
# variable names belong in a template.
#
# Recipient of the admin summary.  The production address is commented out;
# the summary is in any case only printed at the end of the script (its mailx
# call is commented out as well).
#declare adminEmailAddress="service.unix@bis.org"
declare adminEmailAddress="mark.gahan@bis.org"
declare CorpsecEmailAddress="Corporate.Security@bis.org"
#declare CorpsecEmailAddress="Mark.Gahan@bis.org"
# -t: route the admin summary to the tester instead.
[[ ${testMode} -eq 1 ]] && adminEmailAddress="andy.thom@bis.org"
declare -r adminEmailSubject="Password Issues for $myHostname"
declare adminEmailBody="Here is a summary of password issues: ...
"
declare -i sendAdminEmail=0    # number of issues found; > 0 triggers the summary
# Per-user notifications, sent with mailx to <user>@bis.org unless -t is set.
declare -r lockedSubject='WARNING: Your account for user: $currentUser on $myHostname is locked'
declare -r lockedBody='!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!
Your account for user: $currentUser on $myHostname has been locked.
If you require your account unlocked or would like to have the account
REMOVED please contact the IT Service Desk (8008) or contact a member of
the IMS/Unix team - service.unix@bis.org.
Regards,
UNIX Team
'
declare -r emptySubject='WARNING: User: $currentUser on $myHostname has a EMPTY password'
declare -r emptyBody='!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!
Your password for user: $currentUser on $myHostname is EMPTY.
Please create a password for this user immediately or it WILL be disabled.
If you have any issues changing your password please contact the IT Service
Desk (8008) or contact a member of the IMS/Unix team - service.unix@bis.org.
Regards,
UNIX Team
'
declare -r expiredSubject='WARNING: Your password has expired: $currentUser on $myHostname'
declare -r expiredBody='!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!
Your password for user: $currentUser on $myHostname has expired.
Please change your password immediately or it may be disabled.
If you have any issues changing your password please contact the IT Service
Desk (8008) or contact a member of the IMS/Unix team - service.unix@bis.org.
Regards,
UNIX Team
'
declare -r warnSubject='WARNING: Your password for: $currentUser on $myHostname will expire in $passwordTimeLeft'
declare -r warnBody='!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!
Your password for user: $currentUser on $myHostname will expire soon.
Please change your password with-in the next $passwordTimeLeft days or it may be disabled.
If you have any issues changing your password please contact the IT Service
Desk (8008) or contact a member of the IMS/Unix team - service.unix@bis.org.
Regards,
UNIX Team
'
declare -r overdueSubject='WARNING: You MUST change your password for: $currentUser on $myHostname will expire in $passwordTimeLeft'
declare -r overdueBody='!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!
You are now $passwordOverdueDays days overdue changing your password for user:-
$currentUser on $myHostname.
Please change your password IMMEDIATELY or it may be disabled.
If you have any issues changing your password please contact the IT Service
Desk (8008) or contact a member of the IMS/Unix team - service.unix@bis.org.
Regards,
UNIX Team
'
# Yearly application-account review.  Only referenced by the commented-out
# mailx in the report section; the wrapper script mails the owners instead.
declare -r ReportSubject='Non Expiring Linux Application Account review: The System : $myHostname has the following Application accounts for review'
declare ReportAppwarnBody='!! ATTENTION ACTION NEEDED !!
You are being sent this email because you are listed as the owner or contact for one or more application accounts on the system please review the relevant accounts in the Accounts for Review section below, in particular review the following:
1. Is the account still neeeded - If not indicate which accounts can be removed
2. Is the account owner/contact correct - If not indicate who is the correct contact for which account on which system
You can respond with a reply to this Email to the IMS/Unix team - service.unix&san@bis.org
Regards,
UNIX Team
ACCOUNTS FOR REVIEW PER LINUX SERVER ARE AS FOLLOWS
##########################################################
'
# Accounts that are on an exclude list but no longer exist on the system.
# The application variant is mailed to the owner listed in the exclude file;
# the system variant's subject is built but its mailx call is commented out.
declare -r MissAppwarnSubject='WARNING: The Linux application account : $sysUser on $myHostname No Longer exists on the system'
declare -r MisssyswarnSubject='WARNING: The Linux system account : $sysUser on $myHostname No Longer exists on the system'
declare -r MissAppwarnBody="!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!
The Application account has been removed from this system but has been left in the application password check exclude list
If the account is no longer required please contact the IMS/Unix team - service.unix@bis.org to have the account removed from the exclude list on this syetsm
Regards,
UNIX Team
"
declare -r MissSyswarnBody="!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!
The System account has been removed from this system but has been left in the system password check exclude list
If the account is no longer required please contact the IMS/Unix team - service.unix@bis.org to have the account removed from the exclude list on this syetsm
Regards,
UNIX Team
"
declare eMailSubject=""    # filled per user in the main loop
declare eMailBody=""
# Only referenced by the commented-out report mailx.
declare eMailFrom='unix&san"," service <service.unix&san@bis.org>'
declare -i sendEmail=0     # set when the current user needs a notification
# Account exclude lists.  The system list is read as raw lines and iterated
# word by word, so it is expected to hold one account name per line; the
# application list holds "<account>:<owner e-mail(s)>[:...]" lines.  Lines
# beginning with "#" are comments in both.
declare -r ignoreListFile="/opt/biz/etc/system_account.list"
declare -r ignoreListFile_App="/opt/biz/etc/application_account.list"
# In case the new files are not there..
# Make use of the perl wrapper to echo the info and exit this host..
#
if [[ ! -e "$ignoreListFile" || ! -e "$ignoreListFile_App" ]]; then
    echo Exclude files are missing on this system no checks or reports perfromed please ensure the audit-users.sh script has been executed on this host....
    exit 0
fi
# Get the users in those lists
declare -r ignoreListAdmin=$(/bin/grep -v ^# "$ignoreListFile")
declare -r ignoreListApp=$(/bin/grep -v ^# "$ignoreListFile_App" | cut -d: -f1)
#
#
#-----------------------------------------------------------------------------
#
if [[ $verboseMode -eq 1 ]]; then
    printf "UserID Min: [%d]\n" "${userID_Min}"
    printf "UserID Max: [%d]\n" "${userID_Max}"
    printf "Total Days: [%d]\n" "${daysSinceEpoch}"
fi
#
#####
# Get the list of users with-in the MIN and MAX UID range ...
# (kept for reference only: the checks below walk userList_Full, i.e. every
# account in /etc/passwd that is not on an exclude list)
#
declare -a userList=$(/usr/bin/awk -F: -v uidMin="${userID_Min}" -v uidMax="${userID_Max}" \
    '$3 >= uidMin && $3 <= uidMax { print $1 }' /etc/passwd)
#
#####
# Get the full list of users needed for checking missing users against ignore lists
# (one login name per line)
#
declare -a userList_Full=$(cut -d: -f1 /etc/passwd)
declare -i ignoreUsers=0    # accounts skipped because they are on an exclude list
declare -i checkCount=0     # accounts whose password state was examined
declare tempString=""       # scratch line appended to adminEmailBody
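#
#####
# Simple reporting and exit section for reporting of application users on the app ignore list...
# to application owners - Typically executed yearly
#
# Prints one line per application account for the calling wrapper to collect:
#   <exclude-list line>:<GECOS with spaces as "_">:<host>
# Nothing is mailed from here (the mailx call is commented out; the wrapper
# mails the owners), so RepUserlist / RepeMailSubject / ReportAppwarnBody,
# which only fed that call, are no longer built.
#
if [[ $reportMode -eq 1 ]]; then
    RepAppmailList=$(grep -v ^# "$ignoreListFile_App" | awk -F: '{print $2}' | tr ',' '\n' | sort | uniq | tr '\n' ',')
    if [[ -z $RepAppmailList ]]; then
        echo "No Application accounts to report on exiting..."
        exit 0
    fi
    # echo -e "$ReportAppwarnBody" | /bin/mailx -s "$RepeMailSubject" -S from="$eMailFrom" $RepAppmailList
    echo -e " "
    # Read whole lines (a for-in over $(...) split owner fields containing
    # spaces into separate items) and look the account up as an exact
    # passwd login name: "grep -w ^name" also matched "name-x" and "name.y".
    while IFS= read -r item; do
        [[ -z $item ]] && continue
        repuser=${item%%:*}
        repuser_info=$(awk -F: -v u="$repuser" '$1 == u { print $5; exit }' /etc/passwd | sed -e 's/ /_/g')
        echo "$item:$repuser_info:$myHostname"
    done < <(grep -v ^# "$ignoreListFile_App")
    exit 0
fi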
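#
#####
# Check that all listed account names in the ignore files are accounts
# that exist first check the systems then the app accounts
# and also check the existing accounts in the lists are expiring
#
# Existence is tested on the exact login name (one per line in
# userList_Full).  The previous "echo $userList_Full | grep -cw name" treated
# "-" and "." as word boundaries, so "bob" counted as existing when only
# "bob-x" did, and the unanchored "grep name list" used to find an owner
# address also matched the name inside other lines (other accounts, e-mail
# addresses, comments), which could mail the wrong owner.
#
for sysUser in $ignoreListAdmin; do
    MissSysUser=$(grep -m1 -cxF -- "$sysUser" <<< "$userList_Full")
    if [[ $MissSysUser -lt 1 ]]; then
        tempString=$(printf "\t%-15s: user is in the system ignore list but does not exist on the system, please investigate..." "${sysUser}")
        adminEmailBody="${adminEmailBody}\n${tempString}"
        # Then send a mail to Corpsec to inform them of the removed user..
        # (the mailx call is disabled; the subject is still built, by plain
        # substitution of the two template variables instead of eval)
        EV_MisssyswarnSubject=${MisssyswarnSubject//\$sysUser/$sysUser}
        EV_MisssyswarnSubject=${EV_MisssyswarnSubject//\$myHostname/$myHostname}
        # echo -e "$MissSyswarnBody" | /bin/mailx -s "$EV_MisssyswarnSubject" $CorpsecEmailAddress
        (( sendAdminEmail++ ))
    fi
    if [[ $MissSysUser -eq 1 ]]; then
        chkSysPassExp=$(chage -l "$sysUser" | grep -w "Password expires" | grep -cw "never")
        if [[ ${chkSysPassExp} -lt 1 ]]; then
            tempString=$(printf "\t%-15s: user in the system ignore list and has an expiring password , please investigate..." "${sysUser}")
            adminEmailBody="${adminEmailBody}\n${tempString}"
            (( sendAdminEmail++ ))
        fi
    fi
done
for sysUser in $ignoreListApp; do
    MissAppUser=$(grep -m1 -cxF -- "$sysUser" <<< "$userList_Full")
    if [[ $MissAppUser -lt 1 ]]; then
        # Owner address(es): second field of the list line for this account only.
        MissAppEmail=$(awk -F: -v u="$sysUser" '$1 == u { print $2; exit }' "$ignoreListFile_App")
        tempString=$(printf "\t%-15s: user is in the Application ignore list but does not exist on the system, please remove the user from the exclude list if no longer required..." "${sysUser}")
        adminEmailBody="${adminEmailBody}\n${tempString}"
        EV_MissAppwarnSubject=${MissAppwarnSubject//\$sysUser/$sysUser}
        EV_MissAppwarnSubject=${EV_MissAppwarnSubject//\$myHostname/$myHostname}
        # $MissAppEmail is deliberately unquoted: a space separated owner
        # list is handed to mailx as several recipients, as before.
        echo -e "$MissAppwarnBody" | /bin/mailx -s "$EV_MissAppwarnSubject" $MissAppEmail
        (( sendAdminEmail++ ))
    fi
    if [[ $MissAppUser -eq 1 ]]; then
        chkAppPassExp=$(chage -l "$sysUser" | grep -w "Password expires" | grep -cw "never")
        if [[ ${chkAppPassExp} -lt 1 ]]; then
            tempString=$(printf "\t%-15s: user in the application ignore list has an expiring password , please investigate..." "${sysUser}")
            adminEmailBody="${adminEmailBody}\n${tempString}"
            (( sendAdminEmail++ ))
        fi
    fi
done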
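#
#####
# Process the list of users and check for expiring password ...
#
# Every account in /etc/passwd is examined unless it is on one of the two
# exclude lists.  An account is "on a list" when a non-comment line of the
# list starts with exactly that name (followed by end of line, ":" or
# whitespace).  The earlier "grep -cw name list" counted the name anywhere
# on a line, so commented-out entries and owner e-mail addresses could
# silence the checks for an unrelated account.
#

# Print how many lines of list file $2 have account name $1 as their first
# field (fields are separated by ":", spaces or tabs).
on_exclude_list() {
    awk -F'[: \t]' -v u="$1" '$1 == u { n++ } END { print n + 0 }' "$2"
}

# Expand the $currentUser / $myHostname / $passwordTimeLeft /
# $passwordOverdueDays placeholders of a mail template by plain string
# substitution (the templates above are single-quoted).  This replaces
# eval "echo \"...\"", which re-parsed the whole text and would also have
# run any command substitution that found its way into a template or value.
expand_template() {
    local text=$1
    text=${text//\$currentUser/$currentUser}
    text=${text//\$myHostname/$myHostname}
    text=${text//\$passwordTimeLeft/$passwordTimeLeft}
    text=${text//\$passwordOverdueDays/$passwordOverdueDays}
    printf '%s' "$text"
}

for currentUser in $userList_Full; do
    ignoreUser=$(on_exclude_list "$currentUser" "$ignoreListFile")
    ignoreUser_App=$(on_exclude_list "$currentUser" "$ignoreListFile_App")
    # GECOS field, matched on the whole login name ("grep ^bob" also hit "bobby").
    userInfo=$(awk -F: -v u="$currentUser" '$1 == u { print $5; exit }' /etc/passwd)
    if [[ $ignoreUser -ge 1 ]]; then
        # Excluded accounts are only counted; the per-account verbose lines
        # that used to be reported here were removed on purpose.
        (( ignoreUsers++ ))
    elif [[ $ignoreUser_App -ge 1 ]]; then
        (( ignoreUsers++ ))
    else
        (( checkCount++ ))
        # Split the shadow entry on ":" with read.  The previous IFS=":" plus
        # an unquoted $(...) also glob-expanded every field, so a "*"
        # password could turn into a list of file names and shift all later
        # fields.  The array stays empty when the user has no shadow entry.
        userShadow=()
        IFS=: read -r -a userShadow < <(/bin/grep "^${currentUser}:" /etc/shadow)
        if [[ $verboseMode -eq 1 ]]; then
            printf "+++ Shadow User: [%s]\n\tPassword Date:[%d] Must Change: [%d] Warn: [%d] Expire Date:[%d]\n" \
                "${userShadow[UID_Shadow]}" \
                "${userShadow[lastChange_Shadow]:-0}" \
                "${userShadow[mustChange_Shadow]:-0}" \
                "${userShadow[warnDate_Shadow]:-0}" \
                "${userShadow[expireDate_Shadow]:-0}"
        fi
        #
        #####
        # 1 - Check there is actually a entry in /etc/shadow for the user
        #
        #
        if [[ ${#userShadow[*]} -eq 0 ]]; then
            (( sendAdminEmail++ ))
            [[ ${verboseMode} -eq 1 ]] && printf "\t*** NO ENTRY IN /etc/shadow for: [%s]\n" "${currentUser}"
            tempString=$(printf "*\t%-15s: URGENT! USER HAS NO ENTRY IN /etc/shadow - PLEASE FIX ASAP.\n" "${currentUser}")
            adminEmailBody="${adminEmailBody}\n${tempString}"
            if [[ ${userInfo} ]]; then
                tempString=$(printf "\t (%s)" "${userInfo}")
                adminEmailBody="${adminEmailBody}\n${tempString}\n"
            fi
        else
            # Aging fields can be empty.  An empty last-change day counts as
            # 0 and an empty maximum as 99999 so that the arithmetic stays
            # valid (an empty maximum used to make "last+max" a bash syntax
            # error) and no overdue/warning alert is raised for such accounts.
            # NOTE(review): confirm this matches shadow(5) and site policy.
            lastChange=${userShadow[lastChange_Shadow]:-0}
            mustChange=${userShadow[mustChange_Shadow]:-99999}
            nextChangeDate=$(( lastChange + mustChange ))
            passwordOverdueDays=$(( daysSinceEpoch - lastChange - mustChange ))
            passwordTimeLeft=$(( nextChangeDate - daysSinceEpoch ))
            passwordLocked=$(passwd -S "${currentUser}" | cut -f2 -d" " | grep -c "LK")
            [[ ${verboseMode} -eq 1 ]] && printf "\tUser: [%s]\n\tNext Change Date: [%d]\n\tTime Left: [%d]\n\tWarn Time: [%d]\n\tOverdue: [%d]\n" "${currentUser}" "${nextChangeDate}" "${passwordTimeLeft}" "${userShadow[warnDate_Shadow]:-0}" "${passwordOverdueDays}"
            [[ ${verboseMode} -eq 1 ]] && printf "Password Time Left........: [%d]\n" "${passwordTimeLeft}"
            #
            #####
            # 6 - Check if the account is locked.
            #
            #
            if [[ ${passwordLocked} -eq 1 ]]; then
                sendEmail=1
                (( sendAdminEmail++ ))
                [[ ${verboseMode} -eq 1 ]] && printf "\t*** Sending LOCKED PASSWORD Email for: [%s]\n" "${currentUser}"
                eMailSubject=$(expand_template "$lockedSubject")
                eMailBody=$(expand_template "$lockedBody")
                tempString=$(printf "\t%-15s: account is locked.\n" "${currentUser}")
                adminEmailBody="${adminEmailBody}\n${tempString}"
            #
            #####
            # 2 - Check for EMPTY password
            #
            #
            elif [[ -z ${userShadow[password_Shadow]} ]]; then
                sendEmail=1
                (( sendAdminEmail++ ))
                [[ ${verboseMode} -eq 1 ]] && printf "\t*** Sending EMPTY PASSWORD Email for: [%s]\n" "${currentUser}"
                eMailSubject=$(expand_template "$emptySubject")
                eMailBody=$(expand_template "$emptyBody")
                tempString=$(printf "\t%-15s: has a EMPTY password - sending email." "${currentUser}")
                adminEmailBody="${adminEmailBody}\n${tempString}\n"
            #
            #####
            # 3 - Check if the password is expired
            #
            #
            elif [[ ${userShadow[expireDate_Shadow]:-0} -ne 0 && \
                    ${userShadow[expireDate_Shadow]:-0} -le ${daysSinceEpoch} ]]; then
                sendEmail=1
                (( sendAdminEmail++ ))
                [[ ${verboseMode} -eq 1 ]] && printf "\t*** Sending EXPIRE Email for: [%s]\n" "${currentUser}"
                eMailSubject=$(expand_template "$expiredSubject")
                eMailBody=$(expand_template "$expiredBody")
                tempString=$(printf "\t%-15s: password has expired - sending email." "${currentUser}")
                adminEmailBody="${adminEmailBody}\n${tempString}\n"
            #
            #####
            # 4 - Check if the password is overdue for a change
            #
            #
            elif [[ ${passwordOverdueDays} -gt 0 ]]; then
                sendEmail=1
                (( sendAdminEmail++ ))
                [[ ${verboseMode} -eq 1 ]] && printf "\t*** Sending OVERDUE Email for: [%s]\n" "${currentUser}"
                eMailSubject=$(expand_template "$overdueSubject")
                eMailBody=$(expand_template "$overdueBody")
                tempString=$(printf "\t%-15s: password overdue by %02d days for changing - sending email." "${currentUser}" "${passwordOverdueDays}")
                adminEmailBody="${adminEmailBody}\n${tempString}\n"
            #
            #####
            # 5 - Check if the password is with-in the warning period
            #
            #
            elif [[ ${passwordTimeLeft} -le ${userShadow[warnDate_Shadow]:-0} ]]; then
                sendEmail=1
                (( sendAdminEmail++ ))
                [[ ${verboseMode} -eq 1 ]] && printf "\t*** Sending WARNING Email for: [%s]\n" "${currentUser}"
                eMailSubject=$(expand_template "$warnSubject")
                eMailBody=$(expand_template "$warnBody")
                tempString=$(printf "\t%-15s: password will expire in %02d days - sending email." "${currentUser}" "${passwordTimeLeft}")
                adminEmailBody="${adminEmailBody}\n${tempString}\n"
            fi
        fi
    fi
    #
    #####
    # Send a Email to the user if required ...
    #
    #
    if [[ ${testMode} -eq 0 && ${sendEmail} -eq 1 ]]; then
        # printf "SENDING EMAIL TO: [%s]\n\n" ${currentUser}
        echo -e "$eMailBody" | /bin/mailx -s "$eMailSubject" "${currentUser}@bis.org"
        # echo -e "$eMailBody" | /bin/mailx -s "$eMailSubject for ${currentUser}" Mark.Gahan@bis.org
        sendEmail=0
    fi
done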
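#
#####
# Send an Email to the ADMIN user(s) if required ...
#
# The admin summary is printed on stdout for the calling wrapper to collect
# (the direct mailx call is commented out).
#
if [[ $sendAdminEmail -ge 1 ]]; then
    #
    #####
    # Create a summary for the ADMIN Email ...
    #
    # Translate the \n / \t escapes accumulated in adminEmailBody.  The
    # expansion must be quoted: unquoted, the shell collapsed every newline
    # and tab into a single space and glob-expanded the leading "*" markers.
    # printf "SENDING ADMIN EMAIL\n\n"
    adminEmailBody=$(echo -e "${adminEmailBody}")
    cat <<-EOMAIL
${adminEmailBody}
Summary:-
=======
Total Users Ignored: ${ignoreUsers}
Total Users Checked: ${checkCount}
Total Issues.......: ${sendAdminEmail}
Ignored System Users listed in: ${ignoreListFile}
Ignored Application Users listed in ${ignoreListFile_App}
EOMAIL
    # echo -e "$adminEmailBody" | /bin/mailx -s "$adminEmailSubject" ${adminEmailAddress}
fi
#
#####
# Send back a valid return code - just incase this is used in Control-M
#
#
exit 0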