
Monitor password expiration


Using Nagios for password expiration monitoring.

By Kostas Koutsogiannopoulos

The bash script below takes a user name and the warning and critical thresholds (in days) as arguments, and returns the status of the user's password in a format that Nagios can parse.

It is also returning the suitable exit codes needed by Nagios in order to trigger the alerts.

You can use it in NRPE with a command like the one below:

command[check_admin_exp]=sudo /opt/nagios/libexec/check_passwd_exp.sh -u admin -w 5 -c 1

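As you can see, the script needs sudo in order to read the /etc/shadow file. Limit the sudoers rule for the NRPE account to this one script, and keep the script and the utils.sh file it sources writable only by root, since both run with root privileges.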

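#!/bin/bash
#
# check_passwd_exp.sh - Nagios/NRPE plugin that reports how many days remain
# until a local account's password expires, based on /etc/shadow.
#
# Usage: check_passwd_exp.sh -h | -u <user> [-c <critical>] [-w <warning>]
#
# Output:  one Nagios status line on stdout.
# Returns: the matching STATE_* code (OK, WARNING, CRITICAL or UNKNOWN).
#
# Security notes:
#   * The plugin is meant to be started through sudo, because /etc/shadow is
#     readable by root only. Everything it executes or sources therefore runs
#     as root: keep this file and $LIBEXEC/utils.sh owned by root and not
#     writable by the monitoring account.
#   * Only the last-change and maximum-age fields are used; the password hash
#     field is never printed.
#   * Every failure path exits with STATE_UNKNOWN, so a broken check can not
#     be mistaken for a healthy account.

#PROGPATH=`echo $0 | /bin/sed -e 's,[\\/][^\\/][^\\/]*$,,'`

LIBEXEC="/opt/nagios/libexec"

# utils.sh supplies the STATE_* exit codes used below.
if [ -r "$LIBEXEC/utils.sh" ]; then
    . "$LIBEXEC/utils.sh"
fi
# Fall back to the standard Nagios codes when utils.sh is missing; with empty
# STATE_* values a bare "exit" would report the status of the last echo (OK).
: "${STATE_OK:=0}" "${STATE_WARNING:=1}" "${STATE_CRITICAL:=2}" "${STATE_UNKNOWN:=3}"

SHADOW_FILE="/etc/shadow"
USAGE="Usage: $0 -h | -u <user> [-c <critical>] [-w <warning>]"

# Default values (days):
critical=3
warning=10
user=""

# Print the detailed help text on stdout.
print_help() {
    echo "check_passwd_expiration - v1.00"
    echo "Copyright (c) 2015 Kostas Koutsogiannopoulos <ckout@epilis.gr>"
    echo "This plugin checks the expiration date user password."
    echo ""
    echo "$USAGE"
    echo "NOTE: -u must be specified"
    echo ""
    echo "Options:"
    echo "-h"
    echo "     Print detailed help"
    echo "-u"
    echo "     User name to check"
    echo "-w"
    echo "     Days to result in warning status"
    echo "-c"
    echo "     Days to result in critical status"
    echo ""
    echo "This plugin will read /etc/shadow to get the expiration date for the user name. "
    echo "Example:"
    echo "     $0 -u username -w 10 -c 3"
    echo ""
}

# Parse arguments.
# getopt (util-linux) is used in its default quoting mode: it emits
# shell-quoted words, and "eval set --" restores them as positional parameters
# without re-splitting option values on whitespace or expanding globs.
args=$(getopt -o hu:w:c: --long help,user:,warning:,critical: -n "$0" -- "$@")
if [ $? -ne 0 ]; then
    echo "$0: Could not parse arguments"
    echo "$USAGE"
    exit "$STATE_UNKNOWN"
fi
eval set -- "$args"

while true; do
    case "$1" in
        -c|--critical) critical=$2; shift 2 ;;
        -w|--warning)  warning=$2;  shift 2 ;;
        -u|--user)     user=$2;     shift 2 ;;
        -h|--help)
            print_help
            # Help is not a check result, so it must not be reported as OK.
            exit "$STATE_UNKNOWN"
            ;;
        --) shift; break ;;
        *)  echo "Internal error!"; exit "$STATE_UNKNOWN" ;;
    esac
done

if [ -z "$user" ]; then
    echo "UNKNOWN - There is no user to check"
    exit "$STATE_UNKNOWN"
fi

# Thresholds are used in arithmetic below, so accept plain digits only.
for threshold in "$warning" "$critical"; do
    case "$threshold" in
        ''|*[!0-9]*)
            echo "UNKNOWN - Thresholds must be whole numbers of days"
            exit "$STATE_UNKNOWN"
            ;;
    esac
done
warning=$((10#$warning))      # 10# keeps a leading zero from meaning octal
critical=$((10#$critical))

if [ ! -r "$SHADOW_FILE" ]; then
    echo "UNKNOWN - Cannot read $SHADOW_FILE"
    exit "$STATE_UNKNOWN"
fi

# Look the account up by an exact match on the first field. A pattern search
# over the whole line would also hit other accounts whose name (or any other
# field) merely contains the requested name.
# Field layout: name:password:lastchg:min:max:...
found=0
last_change=""
max_age=""
while IFS=: read -r entry_name _ entry_lastchg _ entry_max _; do
    if [ "$entry_name" = "$user" ]; then
        found=1
        last_change=$entry_lastchg
        max_age=$entry_max
        break
    fi
done < "$SHADOW_FILE"

if [ "$found" -ne 1 ]; then
    echo "UNKNOWN - User doesn't exist."
    exit "$STATE_UNKNOWN"
fi

# Per shadow(5), an empty last-change or maximum-age field means password
# aging is not in effect, so there is no expiration date to compute.
# NOTE(review): sites whose policy requires expiry may prefer WARNING here.
if [ -z "$last_change" ] || [ -z "$max_age" ]; then
    echo "OK - User's password does not expire"
    exit "$STATE_OK"
fi

# Refuse anything that is not a plain number before doing arithmetic on it.
for field in "$last_change" "$max_age"; do
    case "$field" in
        *[!0-9]*)
            echo "UNKNOWN - Unexpected password aging data for user"
            exit "$STATE_UNKNOWN"
            ;;
    esac
done

# Per shadow(5), a last-change value of 0 forces a change at the next login.
if [ "$((10#$last_change))" -eq 0 ]; then
    echo "CRITICAL - User must change password at next login"
    exit "$STATE_CRITICAL"
fi

# Today, as a number of days since the Unix epoch (same unit as /etc/shadow).
today=$(( $(date +%s) / 86400 ))

# Age of the current password in days, then the days left before it expires.
age=$(( today - 10#$last_change ))
expdays=$(( 10#$max_age - age ))

# DEBUG
#echo "User is $user"
#echo "last change day is $last_change"
#echo "today is $today"
#echo "age of users pass is: $age"
#echo "maximum password age is: $max_age"
#echo "Warning is $warning"
#echo "Critical is $critical"

# Trigger alarms if applicable
if [ "$expdays" -lt 0 ]; then
    echo "CRITICAL - User's password expired $(( -expdays )) days ago"
    exit "$STATE_CRITICAL"
fi
if [ "$expdays" -lt "$critical" ]; then
    echo "CRITICAL - User's password will expire in $expdays days"
    exit "$STATE_CRITICAL"
fi
if [ "$expdays" -lt "$warning" ]; then
    echo "WARNING - User's password will expire in $expdays days"
    exit "$STATE_WARNING"
fi

# No alarms? Ok, everything is right.
echo "OK - User's password will expire in $expdays days"
exit "$STATE_OK"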
