#!/bin/sh
#SYSTEMS: Solaris, Linux
#This script checks the password parameters in /etc/default/passwd
#on Solaris and in the PAM configuration on Linux.
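MSG="# Checking password parameters..."
# Backticks and plain [ ] are kept on purpose: this runs under Solaris' legacy
# Bourne /bin/sh as well as Linux, so no $(...), [[ ]], 'local' or '!' below.
SYSTEM=`uname -s`

#######################################
# Succeed when $1 is a non-empty string of decimal digits.
# Every value read from a config file is filtered through this before a
# numeric [ -lt ] / [ -gt ] test, because an empty, multi-line or otherwise
# garbled value would make that test fail with a shell error instead of
# producing a finding.
# Arguments: $1 - value to test
# Returns:   0 if numeric, 1 otherwise
#######################################
pw_is_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

#######################################
# Print the value of the first "KEY=VALUE" line in a file
# (/etc/default/passwd style); prints nothing when the key is absent or
# the file is unreadable. Only the first occurrence is used.
# NOTE(review): if a key appears twice it is not clear from here which one
# the OS honours - confirm before relying on the reported value.
# Arguments: $1 - key name, $2 - file
# Outputs:   the value on stdout
#######################################
pw_default_value() {
  grep "^$1=" "$2" 2>/dev/null | head -n 1 | awk -F'=' '{print $2}'
}

#######################################
# Print the value of the first "KEY VALUE" line in a file
# (/etc/login.defs style, blank- or tab-separated); prints nothing when the
# key is absent or the file is unreadable. The separator is required so
# that a longer key sharing the same prefix does not match.
# Arguments: $1 - key name, $2 - file
# Outputs:   the value on stdout
#######################################
pw_logdefs_value() {
  grep "^$1[[:space:]]" "$2" 2>/dev/null | head -n 1 | awk '{print $2}'
}

######Solaris######
if [ "$SYSTEM" = "SunOS" ]; then
  echo ""
  echo "$MSG"
  PWDEFFILE="/etc/default/passwd"
  if [ -r "$PWDEFFILE" ]; then
    PWLEN=`pw_default_value PASSLENGTH "$PWDEFFILE"`
    PWMAX=`pw_default_value MAXWEEKS "$PWDEFFILE"`
    if [ -z "$PWLEN" ]; then #PASSLENGTH not set...
      echo "--WARN-- [PASSWD002w] The 'PASSLENGTH' variable in $PWDEFFILE is not set.  It should be set to at least '6'."
    elif pw_is_number "$PWLEN"; then
      if [ "$PWLEN" -lt 6 ]; then #PASSLENGTH is too short...
        echo "--WARN-- [PASSWD002w] The 'PASSLENGTH' variable in $PWDEFFILE is '$PWLEN', which is less than the recommended value of '6'."
      fi
    else #PASSLENGTH is present but not a number - report it rather than abort the check...
      echo "--WARN-- [PASSWD002w] The 'PASSLENGTH' variable in $PWDEFFILE is '$PWLEN', which is not a number."
    fi
    if [ -z "$PWMAX" ]; then #Password aging not configured...
      echo "--INFO-- [PASSWD001i] The 'MAXWEEKS' variable in $PWDEFFILE is not set indicating that password-aging is not enabled."
    elif pw_is_number "$PWMAX"; then
      if [ "$PWMAX" -gt 26 ]; then #Password aging is set to longer than 26 weeks...
        echo "--INFO-- [PASSWD001i] The 'MAXWEEKS' variable in $PWDEFFILE is set to $PWMAX, which is more than the recommended value of '26'."
      fi
    else #MAXWEEKS is present but not a number...
      echo "--INFO-- [PASSWD001i] The 'MAXWEEKS' variable in $PWDEFFILE is set to '$PWMAX', which is not a number."
    fi
  fi
fi

######Linux######
if [ "$SYSTEM" = "Linux" ]; then
  echo ""
  echo "$MSG"
  # NOTE: The pam library 'pam_cracklib.so' obsoletes the 'login.defs' file
  # when it comes to the password length parameter, so it will be checked first.
  # Also, since the presence of an /etc/pam.d directory obsoletes a pam.conf
  # file, the check will be done in the order: /etc/pam.d/passwd then
  # /etc/pam.conf then /etc/login.defs.
  # 'pam_pwquality.so' is the drop-in successor of 'pam_cracklib.so' (same
  # minimum-length enforcement), so either module satisfies the check.
  # NOTE(review): an /etc/pam.d/passwd that only includes a common stack
  # (e.g. 'password include ...') names neither module directly and will
  # be reported as PASSWD003w - confirm against the included file.
  #
  # Check password length...
  PAMDPASSWD=/etc/pam.d/passwd
  PAMCONF=/etc/pam.conf
  LOGDEFFILE=/etc/login.defs
  PAMFILE=""
  CRACK=-1  # -1: no PAM configuration found; otherwise the number of matching module lines
  if [ -f "$PAMDPASSWD" ]; then
    PAMFILE=$PAMDPASSWD
    # per-service file: every line belongs to 'passwd', only the module type matters
    CRACK=`grep "^password" "$PAMDPASSWD" | grep -c -e "pam_cracklib.so" -e "pam_pwquality.so"`
  elif [ -f "$PAMCONF" ]; then
    PAMFILE=$PAMCONF
    # single-file format is "service type control module ...": restrict to the
    # 'passwd' service and the 'password' type so that a comment line or another
    # service's stack cannot satisfy the check
    CRACK=`grep "^passwd[[:space:]]" "$PAMCONF" | grep "[[:space:]]password[[:space:]]" | grep -c -e "pam_cracklib.so" -e "pam_pwquality.so"`
  fi
  if [ "$CRACK" -eq 0 ]; then
    echo "--WARN-- [PASSWD003w] The pam file $PAMFILE does not use the 'pam_cracklib.so module for the 'passwd' command'."
  fi
  # login.defs governs the length whenever PAM does not: no module found (0)
  # or no PAM configuration at all (-1).
  if [ -f "$LOGDEFFILE" ] && [ "$CRACK" -le 0 ]; then
    PWLEN=`pw_logdefs_value PASS_MIN_LEN "$LOGDEFFILE"`
    if [ -z "$PWLEN" ]; then #PASS_MIN_LEN not set...
      echo "--WARN-- [PASSWD002w] 'PASS_MIN_LEN' in $LOGDEFFILE is not set.  Should be set to at least '6'."
    elif pw_is_number "$PWLEN"; then
      if [ "$PWLEN" -lt 6 ]; then #PASS_MIN_LEN is too short...
        echo "--WARN-- [PASSWD002w] 'PASS_MIN_LEN' in $LOGDEFFILE is '$PWLEN'. Should be set to at least '6'."
      fi
    else #PASS_MIN_LEN is present but not a number...
      echo "--WARN-- [PASSWD002w] 'PASS_MIN_LEN' in $LOGDEFFILE is '$PWLEN', which is not a number."
    fi
  fi
  # Check password aging...
  if [ -f "$LOGDEFFILE" ]; then
    PWMAX=`pw_logdefs_value PASS_MAX_DAYS "$LOGDEFFILE"`
    if [ -z "$PWMAX" ]; then #Password aging not configured...
      echo "--INFO-- [PASSWD001i] The 'PASS_MAX_DAYS' variable in $LOGDEFFILE is not set indicating that password-aging is not enabled."
    elif pw_is_number "$PWMAX"; then
      if [ "$PWMAX" -gt 180 ]; then #Password aging is set to longer than 180 days...
        echo "--INFO-- [PASSWD001i] The 'PASS_MAX_DAYS' variable in $LOGDEFFILE is set to $PWMAX, which is more than the recommended value of '180'."
      fi
    else #PASS_MAX_DAYS is present but not a number...
      echo "--INFO-- [PASSWD001i] The 'PASS_MAX_DAYS' variable in $LOGDEFFILE is set to '$PWMAX', which is not a number."
    fi
  fi
fi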
