Untitled

#!/usr/bin/perl -w
BEGIN { ($_pathname,$_filename)=($0=~m#(.*)/([^/]+)$#)?($1,$2):(".",$0); push @INC,$_pathname; };

sub usage {
################################################################
#
# Title       : report-passwdfile.pl
#
# Author      : Damien Farah/Andy Thom
#
# Description :
print STDERR "\nERROR: $_[0]\nUsage:\n", <<"EndOfDescription";

    $_filename <host> [ <host> ... ]

EndOfDescription
#
# SCCS Version:
#
# History : 04Jun12 Damien - birth.
#
#################################################################
exit 2;
}

#
# Internal Variables
####################
$| = 1;     # No buffering STDOUT;
my( $SSHCMD ) = "/usr/bin/ssh -t -o PreferredAuthentications=hostbased";
my( $HOSTNAME ) = qx{/bin/hostname}; chop $HOSTNAME;
# The "our" is required to import variables from the BEGIN above.
our( $_pathname, $_filename );
# If the ControlM environment is set, use the variables in our email.
my( $CONTROLM ) = $ENV{CTM_SCHEDTAB}?"***\nRun by ControlM:\n----------------\nSchedTable: $ENV{CTM_SCHEDTAB}\nJobname/Memname: $ENV{CTM_JOBNAME}/$ENV{CTM_MEMNAME}\n":"";


#
# Required Libraries
####################
use strict;
use Parallel;

#
# Global Constants/Variables
############################
#my( $EMAIL_TOLIST ) = "Damien.Farah\@bis.org";
my( $EMAIL_TOLIST ) = "service.unix\@bis.org";
#my( $EMAIL_TOLIST ) = "Mark.Gahan\@bis.org";
my( $EMAIL_SUBJECT ) = "Linux Password File Check Report";
my @MSG = "Please find below the output of the password check script which summarises the password issues found for each Linux server.";


##################################################################
# Define the stub
##################################################################
# Here we define the stub code. It is a piece of generic code that
#   runs on every server. It essentially decodes (base64) stdin
#   into a file which it then runs. In this way we can pass our
#   scripts through via stdin.
my( $STUB ) = q{/usr/bin/perl -MMIME::Base64 -e '
        foreach ( @ARGV ) {
                s%([\\\"])%\\\\$&%go; # Quote \\s and "s
                $scriptargs .= qq{"$_" };
        }
        $scriptargs =~ s%([\\\"])%\\\\$&%go; # Quote \\s and "s
        my( $tmpscript ) = "/tmp/_monitor$$";
        local $/ = undef;
        if ( open(SCRIPT, ">$tmpscript") ) {
                chmod 0700, "$tmpscript";
                print SCRIPT decode_base64(<STDIN>);

                # Execute the temporary file - then remove it.
                exec qq{sh -c "$tmpscript $scriptargs; #rm -rf $tmpscript"};

                print stderr "ERROR: Failed executing command : $!\n";
        } else {
                print stderr "ERROR: Failed creating temporary file : $!\n";
        }
        exit 1; # If we got here then we had an error.
' -- };


##################################################################
# Main
##################################################################
usage "Arguments expected." if ( ! @ARGV );
my( @hosts );
my( $scriptargs ) = "";
#MG added stuff...
if ( $ARGV[0] eq '-r' ) {
        ( $scriptargs ) = "-r";
        shift (@ARGV);
} else {
my( $scriptargs ) = "";
}
my( $hostsflg ) = 1;
foreach ( @ARGV ) {
        if ( /^\-\-$/o ) {
                $hostsflg = 0;
        } elsif ( $hostsflg ) {
                push @hosts, $_;
        } else {
                s%([\034"])%\\$&%g; # Quote \\s and "s
                $scriptargs .= qq{"$_" };
        }
}
usage "Please identify the hosts to run on." if ( ! @hosts );

my( @email );
my( %output );
# Create a Parallel object to run our ssh's in parallel.
my( $run ) = new Parallel(
                'timeout' => 10,
                'parallel' => 5,
                'cball' => sub {
                        my( $i, @stdout ) = @_;
                        @{$output{$i}->{'stdout'}} = @stdout if ( @stdout );
                },
                'cberrall' => sub {
                        my( $i, @stderr ) = @_;
                        @stderr = grep( !/^(#\|#|Inappropriate ioctl|Connection to \S+ closed.|Pseudo-terminal will not be allocated)/o, @stderr );
                        @{$output{$i}->{'stderr'}} = @stderr if ( @stderr );
                },
                'cbend' => sub {
                        my( $i, $rc ) = @_;
                        if ( exists $output{$i} || $rc > 0 ) {
                                local $, = "\n";
                                push @email, "***********************************************************";
                                push @email, "*                      ${hosts[$i]}";
                                push @email, "***********************************************************";
                                push @email, @{$output{$i}->{'stdout'}} if ( $output{$i}->{'stdout'} );
                                if ( exists $output{$i}->{'stderr'} ) {
                                        push @email, "************************* stderr **************************";
                                        push @email, @{$output{$i}->{'stderr'}};
                                }
                                if ( $rc > 0 ) {
                                        my( $exitcode, $signal ) = (($rc>>8),($rc&0x0f));
                                        push @email, "\nexitcode=$exitcode - signal=$signal";
                                }
                                push @email, "\n\n";
                        }
                },
);

{ # We run inside a block so that we can define local variables.
        use MIME::Base64;
        local $/ = undef;
        my( $script ) = encode_base64( <DATA> );
        $scriptargs =~ s%([\\"])%\\$1%g; # Quote \\s and "s
        $run->run( map { qq{echo "$script" |$SSHCMD $_ "$STUB $scriptargs" } } @hosts );
}


# If the output array has content, then email it appropriately.
if ( @email && ( $scriptargs eq '-r' ) ) {
my $bodyrep = <<'BLOCKEND';
!! ATTENTION ACTION NEEDED !!

You are being sent this email because you are listed as the owner or contact for one or more application accounts on the system(s) listed please review the relevant accounts in the Accounts for Review section below, in particular review the following:


            1. Is the account still neeeded                     - If not indicate which accounts can be removed
            2. Is the account owner/contact correct             - If not indicate who is the correct contact for which account


You can respond with a reply to this Email to the IMS/Unix team - service.unix&san@bis.org

The Format of the report below is : <APPLICATION ACCOUNT>:<ACCOUNT OWNER(s) EMAIL DETAILS>:<ACCOUNT DESCRIPTION IF AVAILABLE>


Regards,


UNIX Team

ACCOUNTS FOR REVIEW ARE AS FOLLOWS
######################################
BLOCKEND

# Copy the array to a new one
my @copy_email = @email ;
@email = "";
my @elist = map { split(/:/, $_) } @copy_email;
my @elist_multi_split = map { split(/,/, $_) } @elist;
my @elist_mails = grep( /\@/, @elist_multi_split );
my @lc_elist_mails = map { lc } @elist_mails;
my @unique_elist = do { my %seen; grep { !$seen{$_}++ } @lc_elist_mails };
my $email_addr = "" ;
my ( @user_rep );
my ( @user_items );
foreach $email_addr (@unique_elist){
#@user_rep = "";
        my @form_email = grep ( /$email_addr/i, @copy_email) ;
# Get the lists of hosts the user has accounts for then foreach them
        my @hlist = map { (split /:/, $_)[-1] } @form_email;
        my @unique_hlist = do { my %seen; grep { !$seen{$_}++ } @hlist };
                foreach my $hlist_item (@unique_hlist) {
                push @user_rep, "*************************************************************";
                push @user_rep, "***************** Linux Server-$hlist_item ******************";
                push @user_rep, "*************************************************************";
                @user_items = grep ( /$hlist_item/, @form_email) ;
                my @clean_user_items =  map {s/\:$hlist_item//g; $_; } @user_items;
                push @user_rep, @clean_user_items ;
                push @user_rep, "                                                           ";
                push @user_rep, "                                                           ";
# Improvement idea Do the final formatting to niceify the report
}
open(MAIL,"|/usr/sbin/sendmail -t");
print MAIL "To: $email_addr\n";
#print MAIL "To:  Mark.Gahan\@bis.org\n";
print MAIL "Cc: Mark.Gahan\@bis.org\n";
print MAIL "From: service.unix&san\@bis.org\n";
print MAIL "Subject: Non Expiring Linux Application Account review - The following Linux accounts must be reviewed\n";
print MAIL "$bodyrep";
print MAIL join("\n", @user_rep), "\n";
#print MAIL @user_rep;
close MAIL;
#print "sending mail to $email_addr\n";
push @email, "Email sent to $email_addr\n";
@user_rep = "";
}
# Zero the email array for a clean exit
#@email = ();
@MSG = "The password check script was executed in report mode, the following have been mailed the non-expiring application account review request:";
}
# If the output array has content, then email it appropriately.
if ( @email ) {
    $"="\n";
    my( $hostlist ) = join(" ",@hosts);
    if (open(MAILX, qq{| /usr/sbin/sendmail -f "$_filename" $EMAIL_TOLIST})) {
        print MAILX <<"EOMAIL";
To: $EMAIL_TOLIST
Subject: $EMAIL_SUBJECT

Hello :-)

@MSG

@email


==========================================
  This script [ ${HOSTNAME}:$_pathname/$_filename ]
  Run on host(s) [ $hostlist ]

$CONTROLM
EOMAIL
        close MAILX;
    }
}


__DATA__
#!/bin/bash
#####
# passwordCheck2.sh
#
#
# Description
# ===========
# This script will check the status of users passwords and send a Email to
# the user is one of the following condtions is met:-
#
# (MG) Updated to V2.00 10-09-2015 To meet audit requirements for better control of ignore lists
# Split the ignore list into system and app and added a reporting feature for yearly
# App ignore list reviews
#
# - entry missing in /etc/shadow for user(s)
#
# - is the account locked (added: 28-02-2012)
#
# - empty password.
#
# - password has expired.
#
# - password change is overdue.
#
# - the password change warning period has been reached.
#
#
#

declare -i verboseMode=0
declare -i testMode=0
if [[ $1 == "-v" ]]; then
        verboseMode=1
elif [[ $1 == "-t" ]]; then
        testMode=1
elif  [[ $1 == "-r" ]]; then
    reportMode=1
fi


declare -r myHostname=$(hostname --fqdn)
declare -r myshortHostname=$(uname -n)

#
#####
# Fields used in /etc/shadow
#
# 0 - UID
# 1 - password
# 2 - DAYS SINCE LAST CHANGE (since EPOCH)
# 3 - days between changes (default 2)
# 4 - MUST CHANGE AFTER x DAYS (default 60)
# 5 - WARN x DAYS BEFORE EXPIRY (defualt 7)
# 6 - DAYS AFTER PASSWORD EXPIRES THAT ACCOUNT IS DISABLED (default NULL)
# 7 - DAYS SINCE EPOCH THAT ACCOUNT IS DISABLED (default NULL)
#
#
declare -r UID_Shadow=0
declare -r password_Shadow=1
declare -r lastChange_Shadow=2
declare -r mustChange_Shadow=4
declare -r warnDate_Shadow=5
declare -r expireDate_Shadow=7


declare -r secondsPerDay=86400

declare -i userID_Min=$(grep UID_MIN /etc/login.defs | tr "[:space:]"  " " | tr -s " "|cut -f2 -d" ")
declare -i userID_Max=$(grep UID_MAX /etc/login.defs | tr "[:space:]"  " " | tr -s " "|cut -f2 -d" ")
declare -i daysSinceEpoch=$(($(/bin/date +%s)/$secondsPerDay))


#
#-----------------------------------------------------------------------------
# Variables for Email
#
#
#declare adminEmailAddress="service.unix@bis.org"
declare adminEmailAddress="mark.gahan@bis.org"
declare CorpsecEmailAddress="Corporate.Security@bis.org"
#declare CorpsecEmailAddress="Mark.Gahan@bis.org"

[[ ${testMode} -eq 1 ]] && adminEmailAddress="andy.thom@bis.org"

declare -r adminEmailSubject="Password Issues for $myHostname"
declare    adminEmailBody="Here is a summary of password issues: ...


"
declare -i sendAdminEmail=0


declare -r lockedSubject='WARNING: Your account for user: $currentUser on $myHostname is locked'
declare -r lockedBody='!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!


Your account for user: $currentUser on $myHostname has been locked.


If you require your account unlocked or would like to have the account
REMOVED please contact the IT Service Desk (8008) or contact a member of
the IMS/Unix team - service.unix@bis.org.


Regards,


        UNIX Team

'


declare -r emptySubject='WARNING: User: $currentUser on $myHostname has a EMPTY password'
declare -r emptyBody='!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!


Your password for user: $currentUser on $myHostname is EMPTY.

Please create a password for this user immediately or it WILL be disabled.


If you have any issues changing your password please contact the IT Service
Desk (8008) or contact a member of the IMS/Unix team - service.unix@bis.org.


Regards,


        UNIX Team

'


declare -r expiredSubject='WARNING: Your password has expired: $currentUser on $myHostname'
declare -r expiredBody='!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!


Your password for user: $currentUser on $myHostname has expired.

Please change your password immediately or it may be disabled.


If you have any issues changing your password please contact the IT Service
Desk (8008) or contact a member of the IMS/Unix team - service.unix@bis.org.


Regards,


        UNIX Team

'


declare -r warnSubject='WARNING: Your password for: $currentUser on $myHostname will expire in $passwordTimeLeft'
declare -r warnBody='!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!


Your password for user: $currentUser on $myHostname will expire soon.

Please change your password with-in the next $passwordTimeLeft days or it may be disabled.


If you have any issues changing your password please contact the IT Service
Desk (8008) or contact a member of the IMS/Unix team - service.unix@bis.org.


Regards,


        UNIX Team

'


declare -r overdueSubject='WARNING: You MUST change your password for: $currentUser on $myHostname will expire in $passwordTimeLeft'
declare -r overdueBody='!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!


You are now $passwordOverdueDays days overdue changing your password for user:-

    $currentUser on $myHostname.


Please change your password IMMEDIATELY or it may be disabled.


If you have any issues changing your password please contact the IT Service
Desk (8008) or contact a member of the IMS/Unix team - service.unix@bis.org.


Regards,


        UNIX Team

'

declare -r ReportSubject='Non Expiring Linux Application Account review: The System : $myHostname has the following Application accounts for review'
declare  ReportAppwarnBody='!! ATTENTION ACTION NEEDED !!

You are being sent this email because you are listed as the owner or contact for one or more application accounts on the system please review the relevant accounts in the Accounts for Review section below, in particular review the following:


            1. Is the account still neeeded                      - If not indicate which accounts can be removed
            2. Is the account owner/contact correct     - If not indicate who is the correct contact for which account on which system


You can respond with a reply to this Email to the IMS/Unix team - service.unix&san@bis.org


Regards,


UNIX Team

ACCOUNTS FOR REVIEW PER LINUX SERVER ARE AS FOLLOWS
##########################################################
'
declare -r MissAppwarnSubject='WARNING: The Linux application account : $sysUser on $myHostname No Longer exists on the system'
declare -r MisssyswarnSubject='WARNING: The Linux system account : $sysUser on $myHostname No Longer exists on the system'
declare -r MissAppwarnBody="!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!

The Application account has been removed from this system but has been left in the application password check exclude list
If the account is no longer required please contact the IMS/Unix team - service.unix@bis.org to have the account removed from the exclude list on this syetsm


Regards,


    UNIX Team
"


declare -r MissSyswarnBody="!! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !!

The System account has been removed from this system but has been left in the system password check exclude list
If the account is no longer required please contact the IMS/Unix team - service.unix@bis.org to have the account removed from the exclude list on this syetsm


Regards,


    UNIX Team
"


declare    eMailSubject=""
declare    eMailBody=""
declare    eMailFrom='unix&san"," service <service.unix&san@bis.org>'
declare -i sendEmail=0

declare -r ignoreListFile="/opt/biz/etc/system_account.list"
declare -r ignoreListFile_App="/opt/biz/etc/application_account.list"

# In case the new files are not there..
# Make use of the perl wrapper to echo the info and exit this host..
#
if [ ! -e $ignoreListFile ] || [ ! -e $ignoreListFile_App ];then
        echo Exclude files are missing on this system no checks or reports perfromed please ensure the audit-users.sh script has been executed on this host....
exit 0
fi

# Get the users in those lists
declare -r ignoreListAdmin=$(/bin/grep -v ^# $ignoreListFile)
declare -r ignoreListApp=$(/bin/grep -v ^# $ignoreListFile_App | awk -F: '{print $1}')

#
#
#-----------------------------------------------------------------------------
#


if [[ $verboseMode -eq 1 ]];then
        printf "UserID Min: [%d]\n" ${userID_Min}
        printf "UserID Max: [%d]\n" ${userID_Max}
        printf "Total Days: [%d]\n" ${daysSinceEpoch}
fi


#
#####
# Get the list of users with-in the MIN and MAX UID range ...
#
#
declare -a userList=$(/usr/bin/awk -F:    -v uidField=3 -v unameField=1 \
                                                -v uidMin=${userID_Min}  -v uidMax=${userID_Max}  \
                                                -- '$uidField>=uidMin  && $uidField<=uidMax \
                        {print $unameField}' /etc/passwd)
#
#####
# Get the full list of users needed for checking missing users against ignore lists
#
#
declare -a userList_Full=$(/usr/bin/awk -F: -v unameField=1 -- '{print $unameField}' /etc/passwd)


declare -i ignoreUsers=0
declare -i checkCount=0
declare    tempString=""


#
#####
# Simple reporting and exit section for reporting of application users on the app ignore list...
# to application owners - Typicly executed yearly
#

if [[ $reportMode -eq 1 ]]; then

    RepAppmailList=$(grep -v ^# $ignoreListFile_App | awk -F: '{print $2}' | tr ',' '\n' | sort | uniq | tr '\n' ',')
                if [[ -z $RepAppmailList ]]; then
                        echo "No Application accounts to report on exiting..."
                exit 0
                fi
    #RepAppmailList=$(grep -v ^# $ignoreListFile_App | awk -F: '{print $2}' | tr ',' '\n' | sort | uniq | tr '\n' ',')
    RepUserlist=$(grep -v ^# $ignoreListFile_App)
    RepeMailSubject=$(eval "echo  \"$ReportSubject\"")
    ReportAppwarnBody="${ReportAppwarnBody}\n${RepUserlist}"
#    echo -e "$ReportAppwarnBody" | /bin/mailx -s "$RepeMailSubject" -S from="$eMailFrom" $RepAppmailList
echo -e " "
declare item=""
for item in $(grep -v ^# $ignoreListFile_App)
do
repuser=$(echo $item | cut -f1 -d":")
repuser_email=$(echo $item | cut -f2 -d":")
repuser_info=$(grep -w ^$repuser /etc/passwd | cut -f5 -d":" |sed -e 's/ /_/g')
echo "$item:$repuser_info:$myHostname"

done
    exit 0
fi


#
#####
# Check that all listd account names in the ignore files are accounts
# that exist first check the systems then the app accounts
# and also check the existing accounts in the lists are expiring


for sysUser in $ignoreListAdmin; do
                MissSysUser=$(echo $userList_Full | /bin/grep -cw $sysUser)
                if [[ $MissSysUser -lt 1 ]]; then
        tempString=$(printf "\t%-15s: user is in the system ignore list but does not exist on the system, please investigate..." ${sysUser})
        adminEmailBody="${adminEmailBody}\n${tempString}"
# Then send a mail to Corpsec to inform them of the removed user..
                EV_MisssyswarnSubject=$(eval "echo \"$MisssyswarnSubject\"")
#               echo -e "$MissSyswarnBody" | /bin/mailx -s "$EV_MisssyswarnSubject" $CorpsecEmailAddress
                (( sendAdminEmail++ ))
fi

if [[ $MissSysUser -eq 1 ]]; then
                chkSysPassExp=$(chage -l $sysUser | grep -w "Password expires" | grep -cw "never")
        if [[ ${chkSysPassExp} -lt 1 ]]; then
        tempString=$(printf "\t%-15s: user in the system ignore list and has an expiring password , please investigate..." ${sysUser})
        adminEmailBody="${adminEmailBody}\n${tempString}"
                (( sendAdminEmail++ ))
                fi
fi
done


for sysUser in $ignoreListApp; do
                MissAppUser=$(echo $userList_Full | /bin/grep -cw $sysUser)
                if [[ $MissAppUser -lt 1 ]]; then
                MissAppEmail=$(grep $sysUser $ignoreListFile_App | awk -F: '{print $2}')
        tempString=$(printf "\t%-15s: user is in the Application ignore list but does not exist on the system, please remove the user from the exclude list if no longer required..." ${sysUser})
        adminEmailBody="${adminEmailBody}\n${tempString}"
                EV_MissAppwarnSubject=$(eval "echo \"$MissAppwarnSubject\"")
                echo -e "$MissAppwarnBody" | /bin/mailx -s "$EV_MissAppwarnSubject" $MissAppEmail
                (( sendAdminEmail++ ))
                fi

if [[ $MissAppUser -eq 1 ]]; then
                chkAppPassExp=$(chage -l $sysUser | grep -w "Password expires" | grep -cw "never")
        if [[ ${chkAppPassExp} -lt 1 ]]; then
                tempString=$(printf "\t%-15s: user in the application ignore list has an expiring password , please investigate..." ${sysUser})
                adminEmailBody="${adminEmailBody}\n${tempString}"
                        (( sendAdminEmail++ ))
        fi
fi
done


#
#####
# Process the list of users and check for expiring password ...
#
#
declare -r oldIFS=${IFS}


for currentUser in $userList_Full; do
        ignoreUser=$(($(/bin/grep -cw $currentUser $ignoreListFile)))
        ignoreUser_App=$(($(/bin/grep -cw $currentUser $ignoreListFile_App)))


        declare userInfo=$(grep ^${currentUser} /etc/passwd | cut -f5 -d":")

        if [[ $ignoreUser -ge 1 ]]; then
# Commented out the verbose reporting of ignores we just count them and report
#               [[ $verboseMode -eq 1 ]] && printf "Ignoring User: [%s]\n" ${currentUser}

#               tempString=$(printf "\t%-15s: user is in the System ignore list - no action taken." ${currentUser})
#               adminEmailBody="${adminEmailBody}\n${tempString}"

#       if [[ ${userInfo} ]]; then
#                       tempString=`printf "\t                 (%s)" "${userInfo}"`
#                       adminEmailBody="${adminEmailBody}\n${tempString}\n"
#               fi
                (( ignoreUsers++ ))

    elif [[ $ignoreUser_App -ge 1 ]]; then
#            [[ $verboseMode -eq 1 ]] && printf "Ignoring Application User: [%s]\n" ${currentUser}


#        tempString=$(printf "\t%-15s: user is in the Application ignore list - no action taken." ${currentUser})
#        adminEmailBody="${adminEmailBody}\n${tempString}"

#        if [[ ${userInfo} ]]; then
#            tempString=`printf "\t                 (%s)" "${userInfo}"`
#            adminEmailBody="${adminEmailBody}\n${tempString}\n"
#        fi
        (( ignoreUsers++ ))

        else

                (( checkCount++ ))

                IFS=":"
                declare -a userShadow=($(/bin/grep -w ^$currentUser /etc/shadow))
                IFS=${oldIFS}

                if [[ $verboseMode -eq 1 ]]; then
                        printf "+++ Shadow User: [%s]\n\tPassword Date:[%d] Must Change: [%d] Warn: [%d] Expire Date:[%d]\n" ${userShadow[UID_Shadow]}   \
                                        ${userShadow[lastChange_Shadow]}        \
                                        ${userShadow[mustChange_Shadow]}        \
                                        ${userShadow[warnDate_Shadow]}          \
                                        ${userShadow[expireDate_Shadow]}
                fi


                #
                #####
                # 1 - Check there is actually a entry in /etc/shadow for the user
                #
                #
                if [[ ${#userShadow[*]} -eq 0 ]]; then
                        (( sendAdminEmail++ ))

                        [[ ${verboseMode} -eq 1 ]] && printf "\t*** NO ENTRY IN /etc/shadow for: [%s]\n" ${currentUser}


                        tempString=`printf "*\t%-15s: URGENT! USER HAS NO ENTRY IN /etc/shadow - PLEASE FIX ASAP.\n" ${currentUser}`
                        adminEmailBody="${adminEmailBody}\n${tempString}"

                        if [[ ${userInfo} ]]; then
                                tempString=`printf "\t                 (%s)" "${userInfo}"`
                                adminEmailBody="${adminEmailBody}\n${tempString}\n"
                        fi

                else
                        declare -i nextChangeDate=${userShadow[lastChange_Shadow]}+${userShadow[mustChange_Shadow]}
                        declare -i passwordOverdueDays=${daysSinceEpoch}-${userShadow[lastChange_Shadow]}-${userShadow[mustChange_Shadow]}

                        declare -i passwordTimeLeft=${nextChangeDate}-${daysSinceEpoch}

                        declare -i passwordLocked=$(passwd -S ${currentUser}|cut -f2 -d" " |grep -c "LK")


                        [[ ${verboseMode} -eq 1 ]] && printf "\tUser: [%s]\n\tNext Change Date: [%d]\n\tTime Left: [%d]\n\tWarn Time: [%d]\n\tOverdue: [%d]\n" ${currentUser} ${nextChangeDate} ${passwordTimeLeft} ${userShadow[warnDate_Shadow]} ${passwordOverdueDays}


                        [[ ${verboseMode} -eq 1 ]] && printf "Password Time Left........: [%d]\n" ${passwordTimeLeft}


                        #
                        #####
                        # 6 - Check if the account is locked.
                        #
                        #
                        if [[ ${passwordLocked} -eq 1 ]]; then
                                sendEmail=1
                                (( sendAdminEmail++ ))
                                [[ ${verboseMode} -eq 1 ]] && printf "\t*** Sending LOCKED PASSWORD Email for: [%s]\n" ${currentUser}

                                eMailSubject=$(eval "echo \"$lockedSubject\"")
                                eMailBody=$(eval "echo \"$lockedBody\"")

                                tempString=`printf "\t%-15s: account is locked.\n" ${currentUser}`
                                adminEmailBody="${adminEmailBody}\n${tempString}"


                        #
                        #####
                        # 2 - Check for EMPTY password
                        #
                        #
                        elif [[ -z ${userShadow[password_Shadow]} ]]; then
                                sendEmail=1
                                (( sendAdminEmail++ ))


                                [[ ${verboseMode} -eq 1 ]] && printf "\t*** Sending EMPTY PASSWORD Email for: [%s]\n" ${currentUser}

                                eMailSubject=$(eval "echo \"$emptySubject\"")
                                eMailBody=$(eval "echo \"$emptyBody\"")

                                tempString=`printf "\t%-15s: has a EMPTY password - sending email." ${currentUser}`
                                adminEmailBody="${adminEmailBody}\n${tempString}\n"


                        #
                        #####
                        # 3 - Check if the password is expired
                        #
                        #
                        elif [[ ${userShadow[expireDate_Shadow]} -ne 0 &&       \
                                        ${userShadow[expireDate_Shadow]} -le ${daysSinceEpoch} ]]; then
                                sendEmail=1
                                (( sendAdminEmail++ ))


                                [[ ${verboseMode} -eq 1 ]] && printf "\t*** Sending EXPIRE Email for: [%s]\n" ${currentUser}

                                eMailSubject=$(eval "echo \"$expiredSubject\"")
                                eMailBody=$(eval "echo \"$expiredBody\"")

                                tempString=`printf "\t%-15s: password has expired - sending email." ${currentUser}`
                                adminEmailBody="${adminEmailBody}\n${tempString}\n"


                        #
                        #####
                        # 4 - Check if the password is overdue for a change
                        #
                        #
                        elif [[ ${passwordOverdueDays} -gt 0 ]]; then
                                sendEmail=1
                                (( sendAdminEmail++ ))
                                [[ ${verboseMode} -eq 1 ]] && printf "\t*** Sending OVERDUE Email for: [%s]\n" ${currentUser}

                                eMailSubject=$(eval "echo \"$overdueSubject\"")
                                eMailBody=$(eval "echo \"$overdueBody\"")

                                tempString=`printf "\t%-15s: password overdue by %02d days for changing - sending email." ${currentUser} ${passwordOverdueDays}`
                                adminEmailBody="${adminEmailBody}\n${tempString}\n"


                        #
                        #####
                        # 5 - Check if the password is with-in the warning period
                        #
                        #
                        elif [[ ${passwordTimeLeft} -le ${userShadow[warnDate_Shadow]} ]]; then
                                sendEmail=1
                                (( sendAdminEmail++ ))
                                [[ ${verboseMode} -eq 1 ]] && printf "\t*** Sending WARNING Email for: [%s]\n" ${currentUser}

                                eMailSubject=$(eval "echo \"$warnSubject\"")
                                eMailBody=$(eval "echo \"$warnBody\"")

                                tempString=`printf "\t%-15s: password will expire in %02d days - sending email." ${currentUser} ${passwordTimeLeft}`
                                adminEmailBody="${adminEmailBody}\n${tempString}\n"
                        fi
                fi

        fi


        #
        #####
        # Send a Email to the user if required ...
        #
        #
        if [[ ${testMode} -eq 0 && ${sendEmail} -eq 1 ]]; then
#               printf "SENDING EMAIL TO: [%s]\n\n" ${currentUser}
                echo -e "$eMailBody" | /bin/mailx -s "$eMailSubject" ${currentUser}@bis.org
#               echo -e "$eMailBody" | /bin/mailx -s "$eMailSubject for ${currentUser}" Mark.Gahan@bis.org
                sendEmail=0
        fi
done


#
#####
# Send an Email to the ADMIN user(s) if required ...
#
#
if [[ $sendAdminEmail -ge 1 ]]; then
        #
        #####
        # Create a summary for the ADMIN Email ...
        #
        #
#       printf "SENDING ADMIN EMAIL\n\n"
        adminEmailBody=$(echo -e ${adminEmailBody}) # To translate \n chars.
        cat <<-EOMAIL

        ${adminEmailBody}

        Summary:-
        =======

        Total Users Ignored: ${ignoreUsers}
        Total Users Checked: ${checkCount}
        Total Issues.......: ${sendAdminEmail}

        Ignored System Users listed in: ${ignoreListFile}

        Ignored Application Users listed in ${ignoreListFile_App}

EOMAIL
#       echo -e "$adminEmailBody" | /bin/mailx -s "$adminEmailSubject" ${adminEmailAddress}
fi


#
#####
# Send back a valid return code - just incase this is used in Control-M
#
#
exit 0