Unix / Linux - Local Users Information : Passwords Never Expire

2015-05-10T00:00:00
ID LOCALUSERS_PWEXPIRY.NASL
Type nessus
Reporter Tenable
Modified 2018-08-10T00:00:00

Description

Using the supplied credentials, Nessus was able to list local users that are enabled and whose passwords never expire.

                                        
                                            #TRUSTED 522d99e1ce635bb0f1abef0952d2cede419e712fede4ab350d31bb34e0825e9edf6e95754420d62706518df83c9d743b71c338ec325301d69811b3a6a05b0e311dd47250a3a04c4b8b84e160e54bea2257619456a795b7364b8567e11b7eca62ae1bf07f5e0576847466eb7f2e4aeacb736b1d0ae55a4ca3031fc2c43d49a69ee607bf8ec18452d15d89b2d198e24c7dbdad92d8ce500d0c2449b32c9eac876b207cd57c3887cd2eaeea1957b19f98f856fa35e347643c5f6c753d5adb59ef4dde2caff6a6e90886b0bef574e5df65b315553abdbacbd34c8462b7a057c455a6157501c08babbb5ed27345a40ea06d1ebaa96282f97ebb326e9a85b188367d76640951d0db17881c66cfc5732df4d410e1392af38bf4a84d8c5e0729cb7014b99fab6112a327c9687bbcfbc5573be937c966febee4f15316ce5001cb35eca5a502997c7ef443720a944ce6c880f8c03f705120f13f04f0468d42a50a39908e2267669f3546c36a671efe3ab8e855fa3615e211ea8a70b650160f0f6004c472f36c96c09210038e104803f23be5aa76df6e7d055e973f1f6573f5ea53621e94bfa7381841baec9bec10eaa7e59e89ca145f590308f24b7117e118919d638e95cf1f49cdd097a76400d8bb57627d06c0a87dd99ce98686c7f655c29adaf188db8942b21fabe89cde9be246732398437235a9bf2e29a0a46689a02aa4c971624377
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(83303);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/08/10");


  script_name(english:"Unix / Linux - Local Users Information : Passwords Never Expire");
  script_summary(english:"Lists local users whose passwords never expire.");

  script_set_attribute(attribute:"synopsis", value:
"At least one local user has a password that never expires.");
  script_set_attribute(attribute:"description", value:
"Using the supplied credentials, Nessus was able to list local users
that are enabled and whose passwords never expire.");
  script_set_attribute(attribute:"solution", value:
"Allow or require users to change their passwords regularly.");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled");

  exit(0);
}

include("audit.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("hostlevel_funcs.inc");
include("global_settings.inc");
include("misc_func.inc");
include("data_protection.inc");

if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  enable_ssh_wrappers();
else disable_ssh_wrappers();

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Do not run against Windows and some Unix-like systems
supported = FALSE;
dist = "";
if (
  get_kb_item("Host/CentOS/release") ||
  get_kb_item("Host/Debian/release") ||
  get_kb_item("Host/Gentoo/release") ||
  get_kb_item("Host/Mandrake/release") ||
  get_kb_item("Host/RedHat/release") ||
  get_kb_item("Host/Slackware/release") ||
  get_kb_item("Host/SuSE/release") ||
  get_kb_item("Host/Ubuntu/release")
)
{
  supported = TRUE;
  dist = "linux";
  field = 5;
}
else if (
  get_kb_item("Host/FreeBSD/release") 
)
{
  supported = TRUE;
  dist = "bsd";
  field = 6;
}

if (!supported) exit(0, "Account expiration checks are not supported on the remote OS at this time.");

# We may support other protocols here
if ( islocalhost() )
{
  if (!defined_func("pread")) exit(1, "'pread()' is not defined.");
  info_t = INFO_LOCAL;
}
else
{
  sock_g = ssh_open_connection();
  if (!sock_g) audit(AUDIT_FN_FAIL, 'ssh_open_connection');
  info_t = INFO_SSH;
}

if (dist == "linux")
  cmd = "cat /etc/shadow";
else
  cmd = "cat /etc/master.passwd";

validfile = FALSE;
noexpiry = make_list();
buf = info_send_cmd(cmd:cmd);
if (info_t == INFO_SSH) ssh_close_connection();
if (buf)
{
  lines = split(buf);
  if (!empty_or_null(lines))
  {
    foreach line (lines)
    {
      acct_fields = split(line, sep:':', keep:FALSE);
      if (max_index(acct_fields) >= 7)
      {
        validfile = TRUE;
        # Skip locked / expired accounts
        if (acct_fields[1] == '*' || acct_fields[1] == '!' || acct_fields[1] == "!!")
          continue;
        if (dist == "bsd" && acct_fields[1] =~ '\\*LOCKED\\*')
          continue;

        if (dist == "linux" && !empty_or_null(acct_fields[7]))
        {
          if (!empty_or_null(acct_fields[6]))
            timetoexpire = int(acct_fields[6]) * 86400;
          else timetoexpire = 0;

          expire_timestamp = int(acct_fields[7]) * 86400 + timetoexpire;
          current_timestamp = unixtime();
          if (expire_timestamp < current_timestamp)
            continue;
        }

        if (empty_or_null(acct_fields[field - 1]) || int(acct_fields[field - 1]) == 99999 || (dist == "bsd" && acct_fields[field - 1] == 0))
          noexpiry = make_list(noexpiry, acct_fields[0]);
      }
    }
  }
}
else
{
  errmsg = ssh_cmd_error();
  if ('Permission denied' >< errmsg)
    exit(1, "The supplied user account does not have sufficient privileges to read the password file.");
  else
    exit(1, errmsg);
}
if (!validfile)
  exit(1, "The password file did not use the expected format.");

if (!empty_or_null(noexpiry))
{
  count = 0;
  foreach user (noexpiry)
  {
    count += 1;
    set_kb_item(name:"SSH/LocalUsers/PwNeverExpires/"+count, value:user);
  }

  if (report_verbosity > 0)
  {
    users = join(noexpiry, sep:'\n  - ');
    users = data_protection::sanitize_user_enum(users:users);
    report =
      '\nNessus found the following unlocked users with passwords that do not expire :' +
      '\n  - ' + users + '\n';
    security_note(port:0, extra:report);
  }
  else security_note(0);
  exit(0);
}
audit(AUDIT_HOST_NOT, 'affected');