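#!/bin/sh
#SYSTEMS: Solaris, Linux
#Check for the presence of /etc/shadow, verify it is mode 400 and owned by
#root:sys, then inspect the password-ageing fields of every live account.
#
#Portability: this must run under the stock Bourne /bin/sh of older Solaris
#releases, so it sticks to backticks, expr and [ ] (no $(...), $((...)) or
#[[ ]]).  It has to run as root to be able to read /etc/shadow at all.
#
#Warnings emitted:
#  SHADOW001w  /etc/shadow does not exist
#  SHADOW002w  not owned by root
#  SHADOW003w  group is not 'sys'
#  SHADOW004w  mode is not 400
#  SHADOW005w  inactivity field (7) unset, non-numeric or > 180 days
#  SHADOW006w  last-change field (3) is more than 190 days ago
MSG="# Checking /etc/shadow fields ...this may take a few minutes..."
SYSTEM=`uname -s`
######Solaris & Linux######
#Check modes...
if [ "$SYSTEM" = "SunOS" -o "$SYSTEM" = "Linux" ]; then
  echo ""; echo "$MSG"
  SHADOW=/etc/shadow
  if [ -f "$SHADOW" ]; then
    #Run ls -l once and pick the fields out of the saved line.  stat(1)
    #differs between Solaris and Linux, so ls -l is the common denominator.
    #Linux ls appends "." (SELinux label) or "+" (ACL) after the ten mode
    #characters; keep only those ten so a labelled file is not flagged.
    LSLINE=`ls -l "$SHADOW"`
    OWNER=`echo "$LSLINE" | awk '{print $3}'`
    GROUP=`echo "$LSLINE" | awk '{print $4}'`
     MODE=`echo "$LSLINE" | awk '{print substr($1,1,10)}'`
    if [ "$OWNER" != "root" ]; then
      echo "--WARN-- [SHADOW002w] File /etc/shadow exists but is not owned by root."
    fi
    #NOTE(review): root:sys 400 is the Solaris convention.  Linux
    #distributions commonly ship root:shadow 640 or root:root 000, so
    #SHADOW003w/SHADOW004w can fire on a correctly configured Linux host;
    #confirm against local policy before acting on them.
    if [ "$GROUP" != "sys" ]; then
      echo "--WARN-- [SHADOW003w] File /etc/shadow exists but is not a member of group 'sys'."
    fi
    if [ "$MODE" != "-r--------" ]; then
      echo "--WARN-- [SHADOW004w] File /etc/shadow exists but its mode is not 400."
    fi
    #
    #Determine today's date in the LASTCHG unit (days since 1970-01-01).
    #date +%s is exact where supported; old Solaris date(1) has no %s and
    #echoes "%s" literally, so fall back to the leap-year approximation
    #whenever the output is not a plain number.
    EPOCH=`date +%s 2>/dev/null`
    case "$EPOCH" in
      ''|*[!0-9]*)
        THIS_YEAR=`date +%Y`
        DAYS_THIS_YEAR=`date +%j`
        TODAY=`expr 365 \* \( $THIS_YEAR - 1970 \) + \( $THIS_YEAR - 1969 \) / 4 + $DAYS_THIS_YEAR - 1`  #Approximately...
        ;;
      *)
        TODAY=`expr $EPOCH / 86400`
        ;;
    esac
    #Check the ageing fields.  Each record is read with read(1) so that it
    #is never word-split, and the warnings are piped straight to sort
    #instead of through a fixed-name file in /tmp: root writing to a
    #predictable /tmp path that any local user can pre-create (e.g. as a
    #symlink) is a classic way to clobber an arbitrary file.
    {
      while read -r LINE; do
        USER=`echo "$LINE" | awk -F: '{print $1}'`
        PASS=`echo "$LINE" | awk -F: '{print $2}'`
        #Skip accounts that cannot authenticate with a password: Solaris
        #NP / *NP* (no password) and *LK* (locked), the "*" / x / X
        #placeholders (AFS, NIS, passwd-only), and Linux passwd -l, which
        #prefixes the hash with "!".  Ageing checks do not apply to them.
        case "$PASS" in
          NP|\*NP\*|\*LK\*|\*|x|X|!*)
            continue
            ;;
        esac
        PASSSIZ=`echo "$PASS" | wc -c`
        if [ "$PASSSIZ" -ge 14 ]; then  #A real hash (13-char DES + LF, or a longer MD5/SHA hash)
          if [ "$USER" != "root" ]; then  #Don't check for root's inactivity field
            INVALID=`echo "$LINE" | awk -F: '{print $7}'`
            #A non-numeric field would make -gt abort the test, so treat
            #empty or junk the same as "not set".
            case "$INVALID" in
              ''|*[!0-9]*)
                echo "--WARN-- [SHADOW005w] Inactivity time for account '$USER' is not set or is more than 180 days."
                ;;
              *)
                if [ "$INVALID" -gt 181 ]; then
                  echo "--WARN-- [SHADOW005w] Inactivity time for account '$USER' is not set or is more than 180 days."
                fi
                ;;
            esac
          fi
        fi
        LASTCHG=`echo "$LINE" | awk -F: '{print $3}'`
        case "$LASTCHG" in
          ''|*[!0-9]*)
            #No usable last-change date: an age cannot be computed, and
            #feeding the empty field to expr would only produce an error.
            ;;
          *)
            LASTCHGDAYS=`expr $TODAY - $LASTCHG`
            if [ "$LASTCHGDAYS" -gt 190 ]; then  #Password last changed over 6 months ago...
              echo "--WARN-- [SHADOW006w] The account '$USER' has a password $LASTCHGDAYS days old."
            fi
            ;;
        esac
      done < "$SHADOW"
    } | sort -k 2  #-k 2 == obsolete "+1"; GNU sort treats "+1" as a filename
  else
    echo "--WARN-- [SHADOW001w] The shadow password file /etc/shadow does not exist."
  fi
date
fi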

