Passwd & Shadow Crosscheck
This example reports accounts that appear in /etc/passwd but not in /etc/shadow, or vice versa. Such a mismatch usually means one of the two files was edited by hand: a leftover /etc/shadow entry keeps a password hash around for an account that no longer exists, and a /etc/passwd entry with no shadow line has no password record at all.
The PasswdShadowCrosscheck script might send an alert message like the following:
PIKT ALERT
Sun May 18 02:12:43 2003
athens4
WARNING:
PasswdShadowCrosscheck
Report users in /etc/passwd but not in /etc/shadow and vice-versa
grieg in /etc/shadow, not in /etc/passwd
The script follows.
PasswdShadowCrosscheck

    init
        status =piktstatus
        level =piktlevel
        task "Report users in /etc/passwd but not in /etc/shadow
              and vice-versa"
        // generate an input list of account names appearing only in
        // one of the two files (/etc/passwd, /etc/shadow) but not both
        input proc "=nawk -F: '{print $1}' =passwd =shadow |
                    =sort | =uniq -u"

    begin
        // record all accounts in passwd file in #passwd[] array
        if #fopen(PASSWD, "=passwd", "r") != #err()
            while #read(PASSWD) > 0
                do #split($p, $rdlin, ":")
                =incr(#passwd[$p[1]])
            endwhile
            do #fclose(PASSWD)
        else
            output mail "can't open =passwd for reading!"
            quit
        endif

    rule
        // each $inlin is one name from the input proc above; a name that
        // is not in #passwd[] can only have come from =shadow
        if ! #defined(#passwd[$inlin])
            output mail "$inlin in =shadow, not in =passwd"
        else
            output mail "$inlin in =passwd, not in =shadow"
        endif
This is just one program example. Note that the input pipeline counts occurrences across both files, so a name listed twice in one file and not at all in the other has an even count, is dropped by =uniq -u, and never reaches the rule; duplicate entries are worth a check of their own. You could add rules, or write new scripts, for example to crosscheck entries between /etc/passwd and /etc/group, /etc/passwd and the NIS passwd file (if any), /etc/passwd and /etc/aliases, and so on.
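The same crosscheck as a plain POSIX shell script, added here as an example; it is not one of PIKT's samples and uses awk directly rather than the =nawk, =passwd and =shadow macros. It builds one set of names per file instead of relying on sort | uniq -u, so a name duplicated in one file cannot hide its absence from the other, and it adds the passwd-to-group check suggested above (primary GIDs that no group defines). The function names crosscheck_names, crosscheck_primary_gid, page_pipeline and make_demo_files are this example's own, and the passwd, shadow and group contents are constructed for the demonstration, not taken from a real host.

```shell
#!/bin/sh
# Added example, not PIKT sample code. Cross-checks account names between a
# passwd-style and a shadow-style file, and primary GIDs between passwd and
# group, using one set per file instead of "sort | uniq -u".

# crosscheck_names PASSWD SHADOW
# Prints one line per mismatch, sorted by name; no output means the files agree.
crosscheck_names() {
    awk -F: -v pfile="$1" -v sfile="$2" '
        # blank and comment lines are not accounts
        $1 == "" || $1 ~ /^#/ { next }
        FILENAME == pfile { inp[$1] = 1 }
        FILENAME == sfile { ins[$1] = 1 }
        END {
            for (u in inp) if (!(u in ins)) print u " in " pfile ", not in " sfile
            for (u in ins) if (!(u in inp)) print u " in " sfile ", not in " pfile
        }' "$1" "$2" | LC_ALL=C sort
}

# crosscheck_primary_gid PASSWD GROUP
# Prints accounts whose primary GID (4th passwd field) has no group entry.
# The group file is read first so the gid set is complete before passwd.
crosscheck_primary_gid() {
    awk -F: -v pfile="$1" -v gfile="$2" '
        $1 == "" || $1 ~ /^#/ { next }
        FILENAME == gfile && NF >= 3 { gid[$3] = 1 }
        FILENAME == pfile && NF >= 4 && !($4 in gid) {
            print $1 ": primary gid " $4 " not in " gfile
        }' "$2" "$1"
}

# The pipeline the PIKT script feeds to its rule, for comparison: it counts
# occurrences across both files, so a name listed twice in one file and
# never in the other has an even count and is dropped by "uniq -u".
page_pipeline() {
    awk -F: '{print $1}' "$1" "$2" | LC_ALL=C sort | uniq -u
}

# make_demo_files DIR: constructed sample files (not from a real host).
# mahler is duplicated in passwd and missing from shadow; grieg is only in
# shadow; orphan has a primary GID that no group defines.
make_demo_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bach:x:1001:1001:J. S. Bach:/home/bach:/bin/sh
mahler:x:1002:1002:G. Mahler:/home/mahler:/bin/sh
mahler:x:1002:1002:duplicate entry:/home/mahler:/bin/sh
orphan:x:1003:9999:no such group:/home/orphan:/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root:*:19000:0:99999:7:::
bach:$6$salt$hash:19000:0:99999:7:::
grieg:$6$salt$hash:19000:0:99999:7:::
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
bach:x:1001:
mahler:x:1002:
EOF
}

demo=$(mktemp -d)
make_demo_files "$demo"
echo "== names (set-based) =="
crosscheck_names "$demo/passwd" "$demo/shadow"
echo "== names (uniq -u pipeline; mahler is missing) =="
page_pipeline "$demo/passwd" "$demo/shadow"
echo "== primary gids =="
crosscheck_primary_gid "$demo/passwd" "$demo/group"
rm -rf "$demo"
```

Run against a live host with crosscheck_names /etc/passwd /etc/shadow (reading /etc/shadow needs root); crosscheck_primary_gid reports only dangling primary GIDs, it does not validate supplementary membership lists in /etc/group.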
For more examples, see Samples.