@Olaw2jr
Created May 15, 2024 11:51
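#!/usr/bin/env bash
#
# Audit local password-policy settings and per-user password expiry, writing
# one CSV row per local account with UID >= 1000 (except "nobody").
#
# Usage:    ./password_policy_audit.sh
# Output:   password_policy_audit_<md5 of timestamp>.csv in the current directory
# Requires: root, or a working sudo, so that the PAM/login.defs files and
#           `chage --list` can be read for every account.
#
# Fixes relative to the first version: `md5hash` does not exist (md5sum is the
# coreutils tool); missing distro-specific files made grep exit 2 and abort the
# whole run; the user loop split the awk output on ':' although awk printed
# "user home" space-separated, so every chage call failed and every user was
# skipped; `awk '{print $NF}'` kept only the year of an expiry date; values
# containing commas (dates) were written unquoted into the CSV.
set -uo pipefail

# Print a message to stderr and exit with status 1.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Run a command with root privileges: directly when already root, via sudo
# otherwise.
# Arguments: the command and its arguments
# Returns:   the command's exit status
#######################################
as_root() {
  if (( EUID == 0 )); then
    "$@"
  else
    sudo "$@"
  fi
}

#######################################
# Quote one value as a CSV field: wrap in double quotes and double any
# embedded double quote, so commas in dates such as "Jan 01, 2025" or unusual
# characters in a username cannot shift the columns.
# Arguments: $1 - raw value
# Outputs:   the quoted field on stdout (no trailing newline)
#######################################
csv_field() {
  local value=${1//\"/\"\"}
  printf '"%s"' "$value"
}

#######################################
# Print the arguments as one CSV row.
# Arguments: the field values, in column order
# Outputs:   the comma-separated, quoted row plus newline on stdout
#######################################
csv_row() {
  local sep='' field
  for field in "$@"; do
    printf '%s%s' "$sep" "$(csv_field "$field")"
    sep=','
  done
  printf '\n'
}

#######################################
# Value of a login.defs-style "KEY value" setting read from stdin.
# Comment lines are skipped because their first field is "#"; when the key
# occurs more than once the last uncommented occurrence wins. Prints an empty
# line when the key is absent.
# Arguments: $1 - key name, e.g. PASS_MIN_LEN
# Inputs:    the collected policy text on stdin
#######################################
defs_value() {
  awk -v key="$1" '$1 == key { value = $2 } END { print value }'
}

#######################################
# Numeric value of a "name=N" / "name = N" option read from stdin (a PAM
# module argument, a pwquality.conf line or a shell export such as TMOUT).
# Commented lines are ignored; the first remaining match is used. Prints
# nothing when the option is absent.
# Arguments: $1 - option name, e.g. minclass
# Inputs:    the collected policy text on stdin
#######################################
option_value() {
  grep -vE '^[[:space:]]*#' \
    | grep -oE "$1[[:space:]]*=[[:space:]]*[0-9]+" \
    | head -n 1 \
    | grep -oE '[0-9]+$'
}

main() {
  local timestamp name_hash output_file
  timestamp=$(date +%Y%m%d%H%M%S)

  # Privilege check first, before any output file is created.
  if (( EUID != 0 )); then
    command -v sudo >/dev/null 2>&1 \
      || die "Error: sudo is required to run this script."
  fi

  name_hash=$(printf '%s' "$timestamp" | md5sum | cut -d' ' -f1) \
    || die "Error: md5sum failed."
  output_file="password_policy_audit_${name_hash}.csv"

  # Files that may carry the settings. Only those that exist are searched, so
  # a distro that lacks e.g. /etc/pam.d/system-auth (Debian uses common-*)
  # does not turn into a grep error. TMOUT is conventionally exported from the
  # profile files, which the first version never looked at.
  local -a candidates=(
    /etc/login.defs
    /etc/pam.d/system-auth
    /etc/pam.d/password-auth
    /etc/pam.d/common-auth
    /etc/pam.d/common-password
    /etc/security/pwquality.conf
    /etc/profile
    /etc/profile.d/*.sh
  )
  local -a policy_files=() pam_files=()
  local f
  for f in "${candidates[@]}"; do
    [[ -f "$f" ]] || continue
    policy_files+=("$f")
    case "$f" in
      /etc/pam.d/system-auth|/etc/pam.d/password-auth) pam_files+=("$f") ;;
    esac
  done
  (( ${#policy_files[@]} > 0 )) \
    || die "Error: none of the expected policy files exist on this system."

  # Collect every relevant line once (-h: no filename prefix, so the helpers
  # below see the raw "KEY value" / "name=N" text). grep exits 1 when nothing
  # matches, which is a finding rather than a failure; only 2 (read error)
  # aborts.
  local password_policy rc=0
  password_policy=$(as_root grep -hE \
    'PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_MIN_LEN|pam_pwquality\.so|pam_tally2\.so|pam_faillock\.so|pam_pwhistory\.so|minclass|remember|deny|TMOUT' \
    "${policy_files[@]}" 2>/dev/null) || rc=$?
  (( rc != 2 )) || die "Error while fetching password policy information."
  (( rc == 0 )) \
    || printf 'Warning: no password policy settings found in %s\n' "${policy_files[*]}" >&2

  # Global settings: length, complexity class count, history depth, lockout
  # threshold (pam_tally2/pam_faillock deny=), idle timeout.
  local pass_min_len pass_complexity pass_history auto_lock session_timeout
  pass_min_len=$(defs_value PASS_MIN_LEN <<<"$password_policy")
  pass_complexity=$(option_value minclass <<<"$password_policy")
  pass_history=$(option_value remember <<<"$password_policy")
  auto_lock=$(option_value deny <<<"$password_policy")
  session_timeout=$(option_value TMOUT <<<"$password_policy")

  # NOTE(review): PAM entries have the form "type control module [args]", so
  # a line starting with "root" followed by "password" is unlikely to exist;
  # the original check is kept, but confirm what "Root Enforcement" is meant
  # to report before relying on this column.
  local root_enforcement=''
  if (( ${#pam_files[@]} > 0 )); then
    root_enforcement=$(as_root grep -hE '^root[[:space:]]+password' \
      "${pam_files[@]}" 2>/dev/null | grep -oE 'requisite|required' | head -n 1)
  fi

  printf '%s\n' "Timestamp,User,Password Length,Password Expiry,Password Complexity,Password History,Password Auto Lock,Session Timeout,Root Enforcement" \
    > "$output_file" || die "Error: cannot write to $output_file"

  # One row per local account. Only /etc/passwd is consulted, so directory
  # (LDAP/SSSD) accounts are not covered.
  local username password_info password_expiry
  while IFS= read -r username; do
    if ! password_info=$(as_root chage --list "$username" 2>/dev/null); then
      printf 'Skipping user %s: unable to fetch password information.\n' "$username" >&2
      continue
    fi
    # Keep the whole value after the colon ("never" or "Jan 01, 2025").
    # Assumes the English chage output format.
    password_expiry=$(awk -F': *' '/Password expires/ { print $2 }' <<<"$password_info")
    csv_row "$timestamp" "$username" "$pass_min_len" "$password_expiry" \
      "$pass_complexity" "$pass_history" "$auto_lock" "$session_timeout" \
      "$root_enforcement" >> "$output_file"
    printf 'Processed user: %s\n' "$username"
  done < <(awk -F: '($3 >= 1000) && ($1 != "nobody") { print $1 }' /etc/passwd)

  printf 'Password policy audit completed. Results saved to: %s\n' "$output_file"
}

main "$@"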