#!/bin/sh
#
#     tiger - A UN*X security checking system
#     This script is Copyright (C) 2002 Marc Heuse
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, 
#    or (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
# 
#    Please see the file `COPYING' for the complete copyright notice.
#
# check_neverlogin: verifies the users that never logged on to the system
#
# This small shellscript by Marc Heuse <marc@suse.de> (developed for SuSE
# security checks) checks for accounts which have got a password set
# but were logged on to. Meaning that they might still have their 
# initial weak password!
#
# 10/01/2003 jfs  Modified to do better error checking on the use of 
#                 Tiger_PasswdFiles. Also added code to remove temporary
#                 files created by the script.
# 10/09/2002 jfs  Adapted for Tiger
#
#-----------------------------------------------------------------------------
#
TigerInstallDir='.'

#
# Set default base directory.
# Order or preference:
#      -B option
#      TIGERHOMEDIR environment variable
#      TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

for parm
do
case $parm in
-B) basedir=$2; break;;
esac
done
#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
	echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
		exit 1
}
. $basedir/config

. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
	haveallcmds AWK GREP LASTLOG TEST GEN_PASSWD_SETS || exit 1
	haveallfiles BASEDIR WORKDIR ETCSHELLS || exit 1

	echo "--CONFIG-- [init003c] $0: Configuration ok..."
	exit 0
}
#------------------------------------------------------------------------

echo
echo "# Checking Logins not used on the system ..."
haveallcmds AWK GREP LASTLOG TEST GEN_PASSWD_SETS || exit 1
haveallfiles BASEDIR WORKDIR ETCSHELLS || exit 1

{
	> $WORKDIR/pass.list.$$
	if [ -n "$Tiger_PasswdFiles" -a -f "$Tiger_PasswdFiles" ]; then
  		$CAT $Tiger_PasswdFiles |
		while read passfile 
		do
			[ -f "$passfile" ] && echo "$passfile" >>$WORKDIR/pass.list.$$
		done
	fi
	if [ ! -s "$WORKDIR/pass.list.$$" ] 
	then
		$GEN_PASSWD_SETS $WORKDIR/pass.list.$$
	fi
}
# Just make this check just in case
if [ ! -r $WORKDIR/pass.list.$$ ]
then
	message FAIL pass008e "" "File $WORKDIR/pass.list.$$ is not readable"
	exit 1
fi


for user in `$LASTLOG | $AWK '/Never logged in/ {print$1}'`; do
  result=0
  $CAT $WORKDIR/pass.list.$$  |
  while read passwd_set ; do
  	SHELL=`$GREP "^$user:" $passwd_set | $AWK -F: '{print$7}'`
	$TEST -z "$SHELL" && SHELL="/bin/sh"
	$GREP -q "^$SHELL" $ETCSHELLS && export result=1
	$TEST "$result" = 1 && result=`$AWK -F:  "/^$user:/ "'{ if (length($2) > 12) printf("2\n"); if ($2 == "") printf("3\n"); }' $passwd_set` 
	# Note: if length is less than 2 then the account is locked (system
	# account)

	# Only add for debugging:
	#echo "Checking $user $SHELL $result"
	$TEST "$result" = 2 && \
		message FAIL acc024f "" "User $user has got a password and a valid shell ($SHELL) but never logged in."
	$TEST "$result" = 3  && \
		message FAIL acc024f "" "User $user has got NO password and a valid shell ($SHELL)."
   done 
done


if [ -f $WORKDIR/pass.list.$$ ] ; then
   if [ -z "$Tiger_PasswdFiles" ] ; then
         for passwd_set in `$CAT $WORKDIR/pass.list.$$`; do
                 delete $passwd_set $passwd_set.src
         done
   fi
   delete $WORKDIR/pass.list.$$
fi

exit 0
