From 6bad6b058bcdcfd536bad57f05470304b9020b6f Mon Sep 17 00:00:00 2001
From: "danielorihuelarodriguez@gmail.com"
Date: Mon, 10 Aug 2020 19:27:43 +0200
Subject: feature: gather locked accounts info
---
 include/tests_authentication | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
(limited to 'include/tests_authentication')
diff --git a/include/tests_authentication b/include/tests_authentication
index 3dbe08f7..48877a35 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -859,23 +859,27 @@
 PREQS_MET="YES"
 FIND_P=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
 FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
+ FIND3=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq)
 ;;
 *)
 PREQS_MET="YES"
 FIND_P=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
 FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
+ FIND3=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq)
 ;;
 esac
 elif [ "${OS_REDHAT_OR_CLONE}" -eq 1 ]; then
 PREQS_MET="YES"
 FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done)
 FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done)
+ FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq ; done)
 else
 LogText "Result: skipping test for this Linux version"
 ReportManual "AUTH-9282:01"
 PREQS_MET="NO"
 FIND_P=""
 FIND2=""
+ FIND3=""
 fi
 else
 PREQS_MET="NO"
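Review bot: In the Red Hat branch of `@@ -859,23 +859,27 @@` the added `| sort | uniq` sits inside the `for` loop, before `; done`, so it runs once per account on at most one line of output and never sorts or de-duplicates the combined list the way the `passwd -a -S` and `passwd --all --status` branches do. Moving it behind the loop gives all three branches the same shape: `... '{ if ($2=="L") print $1 }' ; done | sort | uniq)`. The later `@@ -872,7 +872,7 @@` hunk rewrites this line but keeps the pipeline inside the loop. Each branch now runs `passwd` a third time over every account, and the Red Hat loop does so with one `passwd -S` process per user and stderr not redirected, so capturing the status output once and filtering it three times would be cheaper and quieter. The enclosing `case`/`if` starts and ends outside this hunk.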
@@ -921,6 +925,31 @@
 fi
 #
 #################################################################################
+#
+ # Test : AUTH-9284
+ # Description : Search locked accounts
+ Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking locked accounts"
+ if [ "${SKIPTEST}" -eq 0 ]; then
+ LogText "Test: Checking locked accounts"
+ SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 <= 999 || $3 == 65534 {print $1}' /etc/passwd | sort | uniq)
+ if [ "${FIND3}" = "${SYSTEM_ACCOUNTS}" ]; then
+ LogText "Result: all accounts seem to be unlocked"
+ Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: found one or more locked accounts"
+ NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq)
+ for I in ${FIND3}; do
+ if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${I}" > /dev/null ; then
+ LogText "Locked account: ${I}"
+ Report "locked_account=${I}"
+ fi
+ done
+ Display --indent 2 --text "- Locked accounts" --result "${STATUS_WARNING}" --color RED
+ ReportWarning "${TEST_NO}" "Found locked accounts"
+ fi
+ fi
+#
+#################################################################################
 #
 # Test : AUTH-9286
 # Description : Check user password aging
-- cgit v1.2.3
From c857ee7cf2c3e11b37c84d41e50f7f39806a4a4f Mon Sep 17 00:00:00 2001
From: "danielorihuelarodriguez@gmail.com"
Date: Sun, 23 Aug 2020 19:54:59 +0200
Subject: fix: take into account unlocked system accounts
---
 include/tests_authentication | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
(limited to 'include/tests_authentication')
diff --git a/include/tests_authentication b/include/tests_authentication
index 48877a35..27b6b29f 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
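Review bot: In the AUTH-9284 block added by `@@ -921,6 +925,31 @@`, `grep -w "${I}"` treats the account name as a regular expression and matches it as a word anywhere in a line, so a locked system account with the constructed name `backup` would match a regular user named `backup-admin` and be reported as a locked non-system account. An exact fixed-string line match avoids that: `if echo "${NON_SYSTEM_ACCOUNTS}" | grep -Fx -- "${I}" > /dev/null ; then`; the rewritten loops in the following `@@ -931,17 +931,22 @@` hunk keep the same `grep -w`. Both awk calls also read `/etc/passwd` directly, while the account enumeration visible in the `@@ -859,23 +859,27 @@` hunk uses `"${ROOTDIR}etc/passwd"`, so the two lists can come from different files whenever ROOTDIR is not `/`. The 999/65534 UID boundary is hard-coded, and a short comment such as `# UID > 999 is treated as a regular user; adjust if UID_MIN in login.defs differs` would make it clear that on systems with a lower UID_MIN regular users are classed as system accounts and never reported.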
@@ -931,17 +931,22 @@
 Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking locked accounts"
 if [ "${SKIPTEST}" -eq 0 ]; then
 LogText "Test: Checking locked accounts"
- SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 <= 999 || $3 == 65534 {print $1}' /etc/passwd | sort | uniq)
- if [ "${FIND3}" = "${SYSTEM_ACCOUNTS}" ]; then
+ NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq)
+ LOCKED_NON_SYSTEM_ACCOUNTS=0
+ for account in ${FIND3};do
+ if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then
+ LOCKED_NON_SYSTEM_ACCOUNTS=$((LOCKED_NON_SYSTEM_ACCOUNTS+1))
+ fi
+ done
+ if [ $LOCKED_NON_SYSTEM_ACCOUNTS -eq 0 ]; then
 LogText "Result: all accounts seem to be unlocked"
 Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}" --color GREEN
 else
 LogText "Result: found one or more locked accounts"
- NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq)
- for I in ${FIND3}; do
- if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${I}" > /dev/null ; then
- LogText "Locked account: ${I}"
- Report "locked_account=${I}"
+ for account in ${FIND3}; do
+ if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then
+ LogText "Locked account: ${account}"
+ Report "locked_account=${account}"
 fi
 done
 Display --indent 2 --text "- Locked accounts" --result "${STATUS_WARNING}" --color RED
-- cgit v1.2.3
From 5ca6b7ed7985d63bed1689121f7c4aad00fb53df Mon Sep 17 00:00:00 2001
From: "danielorihuelarodriguez@gmail.com"
Date: Fri, 28 Aug 2020 23:19:37 +0200
Subject: feature: take into account LK
Some distributions like CentOS 8 contains "LK" instead of "L" for locked users.
---
 include/tests_authentication | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'include/tests_authentication')
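Review bot: The rewritten AUTH-9284 body in `@@ -931,17 +931,22 @@` walks `${FIND3}` twice with the identical `echo ... | grep -w` pipeline, once to count and once to report, which doubles the process spawns per locked account and leaves two copies of the match to keep in sync. Collecting the matching names in the first pass and reporting from that list removes the second scan; the sketch below does that, uses an exact `grep -Fx` match, and tests a quoted string where `[ $LOCKED_NON_SYSTEM_ACCOUNTS -eq 0 ]` leaves its operand bare. The OK branch still logs "all accounts seem to be unlocked" although locked system accounts are now tolerated, so `LogText "Result: no locked non-system accounts found"` would describe the result more accurately. The inner `if`/`else` and the enclosing `if [ "${SKIPTEST}" -eq 0 ]` are closed outside this hunk.

```sh
# … unchanged: NON_SYSTEM_ACCOUNTS assignment …
LOCKED_NON_SYSTEM_ACCOUNTS=""
for account in ${FIND3}; do
    if echo "${NON_SYSTEM_ACCOUNTS}" | grep -Fx -- "${account}" > /dev/null ; then
        LOCKED_NON_SYSTEM_ACCOUNTS="${LOCKED_NON_SYSTEM_ACCOUNTS} ${account}"
    fi
done
if [ -z "${LOCKED_NON_SYSTEM_ACCOUNTS}" ]; then
    # … unchanged: OK LogText and Display …
else
    LogText "Result: found one or more locked accounts"
    for account in ${LOCKED_NON_SYSTEM_ACCOUNTS}; do
        LogText "Locked account: ${account}"
        Report "locked_account=${account}"
    done
    # … unchanged: warning Display …
```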
diff --git a/include/tests_authentication b/include/tests_authentication
index 27b6b29f..7ef56982 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -872,7 +872,7 @@
 PREQS_MET="YES"
 FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done)
 FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done)
- FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq ; done)
+ FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L" || $2=="LK") print $1 }' | sort | uniq ; done)
 else
 LogText "Result: skipping test for this Linux version"
 ReportManual "AUTH-9282:01"
-- cgit v1.2.3
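Review bot: Only the OS_REDHAT_OR_CLONE loop in `@@ -872,7 +872,7 @@` learns about `LK`; the two FIND3 assignments added earlier for `passwd -a -S` and `passwd --all --status` lie outside this hunk and, as far as this series shows, still compare against `"L"` alone. If any platform taking those branches prints `LK`, its locked accounts would be silently missed, so using `$2=="L" || $2=="LK"` in all three places is the safer form. A comment above the assignments would also help the next reader, for example `# passwd -S field 2: L/LK = password locked, NP = no password, P/PS = usable password`. It is worth adding there that this status reflects the password only, so a locked entry does not by itself rule out key-based or other non-password logins.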