/usr/share/openscap/sectool-sce/01_shadow.sh is in libopenscap8 1.2.15-1build1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 | #!/bin/bash
# ----------------------------------------------------------- #
# Copyright (C) 2008 Red Hat, Inc. #
# Written by Michel Samia <msamia@redhat.com> #
# Adapted for SCE by Martin Preisler <mpreisle@redhat.com> #
# #
# passwd.sh #
# more info in passwd.dsc #
# ----------------------------------------------------------- #
#constants
passwd=/etc/passwd
group=/etc/group
shadow=/etc/shadow
group_shadow=/etc/gshadow
if [[ $UID -ne '0' ]]
then
echo "You have to be logged as root to run this test!"
exit ${XCCDF_RESULT_ERROR}
fi
RET=$XCCDF_RESULT_PASS
function check_file_perm () {
if [[ -a "${1}" ]]; then
local -i CPERM=$(stat -c '%a' "${1}")
if (( ${CPERM} != $2 )); then
if (( (8#${CPERM} | 8#${2}) == 8#${2} )); then
if (( ${4} == 1 )); then
echo "Permissions on $(stat -c '%F' "${1}") \"${1}\" are more restrictive than required: ${CPERM} (${6:-uknown}, required persmissions are ${2})"
fi
else
if (( ${4} == 1 )); then
echo "Wrong permissions on $(stat -c '%F' "${1}") \"${1}\": ${CPERM} (${6:-unknown}, required permissions are ${2})"
RET=$XCCDF_RESULT_FAIL
fi
fi
fi
if ! (stat -c '%U:%G' "${1}" | grep -q "${3}"); then
if (( ${4} == 1 )); then
echo "Wrong owner/group on $(stat -c '%F' "${1}"): \"${1}\" (${6:-unknown}, required owner/group is ${3})"
RET=$XCCDF_RESULT_FAIL
fi
fi
else
if (( ${4} == 1 )); then
echo "Missing file or directory: \"${1}\" (${6:-unknown})"
RET=$XCCDF_RESULT_FAIL
fi
fi
}
# gets a value of a constant defined in a c/c++ header file by #define
# usage example:
# getValueFromH '/usr/include/bits/utmp.h' 'UT_NAMESIZE'
# echo $ReturnVal
function getValueFromH {
if ! [[ -r "$1" ]]; then
report 'WARNING' 1234 "Can't read a constant $2, header file $1 not found"
return 0
else
line="$(egrep "^#define $2..*" $1)"
if [[ -n "$line" ]]; then
local -i retval=$(echo "$line" | cut -f2)
return $retval
else
report 'WARNING' 1234 "Can't read a constant $2 from file $1, definition of the constant not found in this file"
return 0
fi
fi
}
# function isValidName
# tests a string whether it is a valid group/user name
# 1 - true
# 0 - false
function isValidName {
# first we need to set LC_ALL to C to get ranges working case-sensitively
oldLC_ALL=${LC_ALL}
LC_ALL="C"
# this constant contains a regex which recognizes, if the string is valid name of user or group
allowedNamesRegex='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
echo $1 | egrep -q "$allowedNamesRegex"
returnValue=$[ 1 - $? ]
LC_ALL=${oldLC_ALL}
return $returnValue
}
# permissions on /etc/shadow and /etc/gshadow should be 400, should be owned by root:root
check_file_perm $shadow 000 root:root 1 $E_BAD_PERMISSIONS_SHADOW "User shadow database"
check_file_perm $group_shadow 000 root:root 1 $E_BAD_PERMISSIONS_SHADOW "Group shadow database"
i=0
while read line
do
i=$[i+1]
##### empty line #####
if [[ "$line" == "" ]]
then
echo "$shadow: Line $i is empty"
echo "Please delete this line."
[[ "$RET" == $XCCDF_RESULT_FAIL ]] | RET=$XCCDF_RESULT_INFORMATIONAL
continue
fi
##### number of fields #####
nf=`echo "$line" | awk -F: '{printf NF}'`
if [ "$nf" -ne "9" ]
then
echo $line
echo "$shadow: Line $i has wrong number of fields"
echo "Please see 'man 5 shadow' and correct this line."
RET=$XCCDF_RESULT_FAIL
continue
fi
# now we can parse these fields, we know that all fields exist
username="`echo $line | awk -F: '{print $1}'`"
pass="`echo $line | awk -F: '{print $2}'`"
uid="`echo $line | awk -F: '{print $3}'`"
gid="`echo $line | awk -F: '{print $4}'`"
##### line has an empty login field #####
if [[ "$username" == "" ]]
then
echo "$shadow: Line $i: missing username!"
echo "Check this line, fill in first item (username), or delete whole line."
RET=$XCCDF_RESULT_FAIL
fi
##### disallowed characters #####
isValidName $username
if [ $? -ne 1 ]
then
echo "$shadow: Line $i: User $username contains disallowed characters in his login."
echo "Check this line and rename user's login to contain lowercase letters only."
RET=$XCCDF_RESULT_FAIL
fi
##### too long username #####
getValueFromH '/usr/include/bits/utmp.h' 'UT_NAMESIZE'
MaxLength=$?
length=`echo "$username" | wc -m`
if [ $length -gt $MaxLength ]
then
echo "$shadow: Line $i: User $username has too long username."
echo "Check this line in $shadow and rename user's login to be shorter than $MaxLength characters"
RET=$XCCDF_RESULT_FAIL
fi
##### password empty #####
if [[ "$pass" == "" ]]
then
echo "$shadow: Line $i: User $username has no password!"
echo "Run 'passwd' utility immediately to set his password!"
RET=$XCCDF_RESULT_FAIL
fi
done<<EOF
`cat $shadow`
EOF
##### two users with same username #####
while read user
do
if [[ "$user" -ne "" ]]
then
lines="`grep -n -e "^$user:" $shadow | awk -F: '{ print $1 }'| tr '\n' ','`"
lines="${lines%','}" # remove last comma
echo "Duplicate login '$user' ($shadow lines $lines)"
echo "Please change usernames on these lines to be different or delete duplicate records"
RET=$XCCDF_RESULT_FAIL
fi
done<<EOF
`awk -F: '{ if ($1 != "") print $1 }' $shadow | sort | uniq -d`
EOF
exit $RET
|