I am trying to run a script which gets the username of every locked account on a Linux system. The server is a Gentoo Hardened Server with SELinux. I tried by writing some Python which looks in /shadow/passwd for the obligatory '!' instead of a password hash.
I was going to just use this...
def get_users_blacklist(users, shadow_path='shadow.example'):
    """Return the members of `users` whose shadow password field is locked."""
    blacklist = []  # obvious
    with open(shadow_path, 'r') as f:  # f is for file; closed on exit
        for l in f:  # l is for line
            s = l.rstrip('\n').split(':')  # s is for shadower
            for u in users:  # u is for user
                if u == s[0]:
                    # passwd -l / usermod -L prepend '!' to the existing hash, so
                    # the field is exactly '!' only when no hash was ever set;
                    # test the prefix so locked accounts with a hash are caught too.
                    if s[1].startswith('!'):
                        blacklist.append(u)
    return blacklist
It takes a list of users to check, and if the password field in shadow is '!' (account disabled), it adds them to a list.
However, on my server the script can't read /etc/shadow because of SELinux, and running it gives a 'permission denied' error. I need some other way of ascertaining this information about users. Google results are dominated by how to lock a user's account, and I can't find the command to check whether an account is locked.
I tried 'audit2allow' to allow sysadm_r Python scripts to read /etc/shadow, but got a 'neverallow' error from semodule when inserting the rules. This is actually pretty hard and pretty risky.
What I am trying to do is ban all passwordless accounts in the group users in sshd_config automatically. There is an issue where users whose accounts have been deactivated with `passwd -l user` can still get in with SSH pubkey auth. I want to apply this to a server with many users, so I wrote a script.
The script: https://pastebin.com/Z5T7GS4J
I think there should be some utility involving filecaps that can tell me if a user's password has been locked or removed from the system. I could not find it on Google. It is not an option to put SELinux in permissive mode for my solution, because of automation and also a lack of clustering.
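Added example, not part of the question or the linked pastebin script: it builds the sshd_config DenyUsers line for the group `users` from either shadow-format text or from the output of `passwd -S -a`. The second path matters here, because `passwd -S` (from the shadow package, run as root) reports the password status as L/NP/P without the script itself opening /etc/shadow. It also picks up members whose primary group is `users`, which /etc/group does not list. All sample file contents, hashes and account names below are constructed for the example; the function names are hypothetical.

```python
"""Locked or passwordless members of a group -> sshd_config DenyUsers line.

Two inputs are supported: the /etc/shadow format (needs read access to shadow)
and the output of `passwd -S -a`, which the setuid passwd binary produces as
root without the caller reading /etc/shadow. All data here is constructed.
"""
import subprocess

# Constructed /etc/passwd: gid 100 is 'users' for most accounts, frank has his own.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100::/home/alice:/bin/bash
bob:x:1002:100::/home/bob:/bin/bash
carol:x:1003:100::/home/carol:/bin/bash
dave:x:1004:100::/home/dave:/bin/bash
frank:x:1005:1005::/home/frank:/bin/bash
"""

# Constructed /etc/group: only supplementary members appear in the last field.
SAMPLE_GROUP = """\
root:x:0:
users:x:100:frank
wheel:x:10:alice
"""

# Constructed /etc/shadow with dummy hashes. bob was locked with `passwd -l`
# ('!' prepended to the hash), carol never had a hash, dave has '*'.
SAMPLE_SHADOW = """\
root:$6$rootsalt$dummyroothash:19000:0:99999:7:::
alice:$6$alicesalt$dummyalicehash:19000:0:99999:7:::
bob:!$6$bobsalt$dummybobhash:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
dave:*:19000:0:99999:7:::
frank:$6$franksalt$dummyfrankhash:19000:0:99999:7:::
"""

# Constructed `passwd -S -a` output for the same accounts; field 2 is the status.
SAMPLE_PASSWD_STATUS = """\
root P 01/01/2022 0 99999 7 -1
alice P 01/01/2022 0 99999 7 -1
bob L 01/01/2022 0 99999 7 -1
carol L 01/01/2022 0 99999 7 -1
dave L 01/01/2022 0 99999 7 -1
frank P 01/01/2022 0 99999 7 -1
"""


def parse_colon_file(text):
    """Yield the ':'-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            yield line.split(':')


def group_members(passwd_text, group_text, group):
    """Supplementary members from group_text plus accounts whose primary gid
    in passwd_text is the group's gid (those never show up in /etc/group)."""
    gid, members = None, set()
    for f in parse_colon_file(group_text):
        if f[0] == group:
            gid = f[2]
            members.update(m for m in f[3].split(',') if m)
    if gid is None:
        return set()
    for f in parse_colon_file(passwd_text):
        if f[3] == gid:
            members.add(f[0])
    return members


def shadow_status(shadow_text):
    """user -> 'L' (leading '!', left by passwd -l / usermod -L),
    'NP' (empty field or '*': no usable password), or 'P' (a usable hash)."""
    status = {}
    for f in parse_colon_file(shadow_text):
        pw = f[1]
        status[f[0]] = 'L' if pw.startswith('!') else ('NP' if pw in ('', '*') else 'P')
    return status


def passwd_s_status(output):
    """Parse `passwd -S -a` output ('user STATUS ...') into user -> STATUS."""
    status = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            status[parts[0]] = parts[1]
    return status


def live_passwd_s_status():
    """Run `passwd -S -a` as root on the real host; not used with the sample data."""
    out = subprocess.run(['passwd', '-S', '-a'], capture_output=True,
                         text=True, check=True).stdout
    return passwd_s_status(out)


def users_to_deny(status, members):
    """Members with a known status other than a usable password; unknown accounts
    are left alone rather than locked out by accident."""
    return sorted(u for u in members if u in status and status[u] != 'P')


def deny_users_line(users):
    """sshd_config directive; DenyUsers takes whitespace-separated user patterns."""
    return 'DenyUsers ' + ' '.join(users) if users else ''


if __name__ == '__main__':
    members = group_members(SAMPLE_PASSWD, SAMPLE_GROUP, 'users')
    print(deny_users_line(users_to_deny(shadow_status(SAMPLE_SHADOW), members)))
    print(deny_users_line(users_to_deny(passwd_s_status(SAMPLE_PASSWD_STATUS), members)))
```

Both paths yield `DenyUsers bob carol dave` for the sample data. sshd only applies a new DenyUsers line after a reload, so the automation has to reload it after rewriting sshd_config. Expiring the account (`chage -E 0 user`) is enforced by sshd's account check independently of the password field, so it closes the pubkey login hole without any sshd_config edit at all.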