Unix / Linux - Local Users Information : Passwords Never Expire

2015-05-10T00:00:00
ID LOCALUSERS_PWEXPIRY.NASL
Type nessus
Reporter Tenable
Modified 2017-08-28T00:00:00

Description

Using the supplied credentials, Nessus was able to list local users that are enabled and whose passwords never expire.

                                        
                                            #TRUSTED a5941f888946c5b83ea1fdd195a5f5a2a81a68b7d1b335445407f032610ecb0f30348b751d119275bbe4462cae9764d7578a2033b766cc49a3063c12b5ea5fc0a44984b80f63790ad3ccd0f7f5cef07795c58e03425908408aa0b0e17b1505c62784e0c89d46463e7ec60f3ce795f37264ba6d7cd2b0f9ebec72d6dcbabcc7c6659659f03518da3964fe432786e9a47068feb861e508c9d4d7fc6418124dbf610a04e39f48ecffb21a9d1c9d7a3f50461d740612f167cd99edc257d6acb8958ae2d70c335d95e95b67755e9370f5933251a96c425c140f87858b0485e663e564a3502b9c5ae0c3a0b21414c2bfd8ae0a28eebc59892bbdaf685d10066cf2a0e786905996a888c59ed4f3a972d35c5bbbce0101c1f81fd0f2364e9785e3e8ac9cba7f4c9d21bfdc4ceba244506e4c3861cdade41aea8072be0dc92498ee5fc5e679ef8fa6b1378e9b4288ba18d889d2c493d5cc74e41b63a862a024aec256f2fb0c7decc48bb953d9bc6f15558a23bdbd562977af3d5f37769fb40f4b66abfebf542bdc2a483aea1e56f76be8996c0bab9a027b793a08fa2d6c49e4bc351b5492b4553f0623510ad7b84acdcc279eab9d7312fbb684d09c5ca747d49d5f23933f484e0037edf6e4a468318d15dca4a745a628ae31124bdb64aeb2f05b6dc7941a491c7e5278f8ce7c73371098a7650a833630349c251c4fca9640d49861b67da9
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration phase: when the engine loads the plugin with 'description'
# set, only the metadata below is recorded and the script exits before any
# check runs. The attribute calls must stay between script_id() and
# script_end_attributes().
if (description)
{
  script_id(83303);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2017/08/28");

  script_osvdb_id(755);

  script_name(english:"Unix / Linux - Local Users Information : Passwords Never Expire");
  script_summary(english:"Lists local users whose passwords never expire.");

  script_set_attribute(attribute:"synopsis", value:
"At least one local user has a password that never expires.");
  script_set_attribute(attribute:"description", value:
"Using the supplied credentials, Nessus was able to list local users
that are enabled and whose passwords never expire.");
  script_set_attribute(attribute:"solution", value:
"Allow or require users to change their passwords regularly.");
  # Informational finding only: the plugin enumerates accounts, it does not
  # report a vulnerability.
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.");

  # Needs the SSH session / local-check state established by ssh_get_info.nasl.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled");

  exit(0);
}

include("audit.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("hostlevel_funcs.inc");
include("global_settings.inc");
include("misc_func.inc");


# Enable the SSH command wrappers only when the library is able to run
# commands directly; otherwise fall back to the legacy path.
if (sshlib::get_support_level() < sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  disable_ssh_wrappers();
else
  enable_ssh_wrappers();

# Credentialed checks must have been enabled by ssh_get_info.nasl.
local_checks = get_kb_item("Host/local_checks_enabled");
if (!local_checks) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Only Linux distributions and FreeBSD are handled; the KB keys below are
# set by the OS identification plugins. 'field' is the 1-based column of
# the password database that holds the password aging value on that OS.
supported = FALSE;
dist = "";
linux_release_keys = make_list(
  "Host/CentOS/release",
  "Host/Debian/release",
  "Host/Gentoo/release",
  "Host/Mandrake/release",
  "Host/RedHat/release",
  "Host/Slackware/release",
  "Host/SuSE/release",
  "Host/Ubuntu/release"
);

foreach release_key (linux_release_keys)
{
  if (get_kb_item(release_key))
  {
    supported = TRUE;
    dist = "linux";
    field = 5;
    break;
  }
}

if (!supported && get_kb_item("Host/FreeBSD/release"))
{
  supported = TRUE;
  dist = "bsd";
  field = 6;
}

if (!supported) exit(0, "Account expiration checks are not supported on the remote OS at this time.");

# Choose the transport: run the command locally when scanning the scanner
# host itself, otherwise over an SSH session opened here. The session is
# closed right after the command is sent.
if (islocalhost())
{
  if (!defined_func("pread")) exit(1, "'pread()' is not defined.");
  info_t = INFO_LOCAL;
}
else
{
  info_t = INFO_SSH;
  sock_g = ssh_open_connection();
  if (!sock_g) audit(AUDIT_FN_FAIL, 'ssh_open_connection');
}

# The password hashes and aging fields live in the shadow database, whose
# path differs between Linux and FreeBSD.
cmd = "cat /etc/master.passwd";
if (dist == "linux") cmd = "cat /etc/shadow";

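# Read the password database and collect the enabled accounts whose
# password has no maximum age.
#
# Produces:
#   noexpiry  - list of account names to report
#   validfile - TRUE once at least one line with >= 7 colon-separated
#               fields was seen (guards against cat output that is not a
#               password database)
# Exits with an error when the file could not be read or was not in the
# expected format.
validfile = FALSE;
noexpiry = make_list();
buf = info_send_cmd(cmd:cmd);
if (info_t == INFO_SSH) ssh_close_connection();

if (!buf)
{
  errmsg = ssh_cmd_error();
  # Reading the shadow database needs elevated privileges; surface that
  # case with a specific message instead of the raw error text.
  if ('Permission denied' >< errmsg)
    exit(1, "The supplied user account does not have sufficient privileges to read the password file.");
  else
    exit(1, errmsg);
}

lines = split(buf);
if (!empty_or_null(lines))
{
  foreach line (lines)
  {
    acct_fields = split(line, sep:':', keep:FALSE);
    if (max_index(acct_fields) < 7) continue;
    validfile = TRUE;

    # Skip locked / disabled accounts. Matching only the exact values
    # '*', '!' and '!!' misses accounts locked with passwd -l / usermod -L,
    # which prepend '!' to the existing hash (e.g. '!$6$...'); any hash
    # field starting with '!' or '*' is not a usable password, so match on
    # the prefix. This also covers FreeBSD's '*LOCKED*' marker, which is
    # kept below as an explicit check.
    if (acct_fields[1] =~ "^[!*]")
      continue;
    if (dist == "bsd" && acct_fields[1] =~ '\\*LOCKED\\*')
      continue;

    # Linux: field 8 (index 7) is the account expiration date in days
    # since the epoch and field 7 (index 6) the inactivity grace period in
    # days (shadow(5)). The grace period is folded into the expiration
    # date, which errs on the side of keeping the account in the report.
    if (dist == "linux" && !empty_or_null(acct_fields[7]))
    {
      if (!empty_or_null(acct_fields[6]))
        timetoexpire = int(acct_fields[6]) * 86400;
      else timetoexpire = 0;

      expire_timestamp = int(acct_fields[7]) * 86400 + timetoexpire;
      current_timestamp = unixtime();
      # Already-expired accounts cannot log in, so they are not reported.
      if (expire_timestamp < current_timestamp)
        continue;
    }

    # Linux: field 5 (index 4) is the maximum password age; empty or the
    # conventional 99999 means the password never expires.
    # FreeBSD: field 6 (index 5) is the password change time; empty or 0
    # means the password never has to be changed.
    if (empty_or_null(acct_fields[field - 1]) || int(acct_fields[field - 1]) == 99999 || (dist == "bsd" && acct_fields[field - 1] == 0))
      noexpiry = make_list(noexpiry, acct_fields[0]);
  }
}

if (!validfile)
  exit(1, "The password file did not use the expected format.");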

# Nothing to report: audit() exits the script.
if (empty_or_null(noexpiry)) audit(AUDIT_HOST_NOT, 'affected');

# Record each affected account under a numbered KB key for other plugins.
idx = 0;
foreach acct (noexpiry)
{
  idx++;
  set_kb_item(name:"SSH/LocalUsers/PwNeverExpires/"+idx, value:acct);
}

# Emit the informational note, listing the accounts when verbosity allows.
if (report_verbosity > 0)
{
  report_text =
    '\nNessus found the following unlocked users with passwords that do not expire :' +
    '\n  - ' + join(noexpiry, sep:'\n  - ') + '\n';
  security_note(port:0, extra:report_text);
}
else security_note(0);
exit(0);