增加user弱密码基线扫描项

data/BaseLine/AccountRisk/user/check_weak_password/check_weak_password.py

@@ -0,0 +1,143 @@
+#!/usr/bin/env python3
+
+# 导入所需库
+import os
+import sys
+import crypt
+from pathlib import Path
+
+# 定义密码字典文件路径（请根据实际情况修改）
+password_dict_path = '../../../../../data/dic/weakPassword'
+
+# 定义shadow文件路径
+shadow_file_path = "/etc/shadow"
+
+arg_lang = ""
+
+################################
+# 常量
+
+# for get_env_lang()
+STR_GET_ENV_LANG_ZH     = "语言环境为中文"
+STR_GET_ENV_LANG_EN     = "语言环境为英文"
+STR_GET_ENV_LANG_UNKNOW = "语言环境未知"
+
+# for is_root()
+STR_IS_ROOT_TRUE  = "当前用户为root权限"
+STR_IS_ROOT_FALSE = "当前用户没有root权限"
+
+# 最大密码过期天数
+MAX_EXPIRE_DAYS = 90
+
+################################
+# 环境检查函数
+
+def get_env_lang():
+#    lang = os.getenv("LANG")
+#    if lang.startswith("zh"):
+#        return STR_GET_ENV_LANG_ZH
+#    elif lang.startswith("en"):
+#        return STR_GET_ENV_LANG_EN
+#    else:
+#        return STR_GET_ENV_LANG_UNKNOW
+#
+    if arg_lang == "zh":
+        return STR_GET_ENV_LANG_ZH
+    elif arg_lang == "en":
+        return STR_GET_ENV_LANG_EN
+    else:
+        return STR_GET_ENV_LANG_UNKNOW
+
+def is_root():
+    if os.geteuid() == 0:
+        print(STR_IS_ROOT_TRUE)
+        return True
+    else:
+        print(STR_IS_ROOT_FALSE)
+        return False
+
+################################
+# 辅助函数
+def l_print(zh_str, en_str) :
+    if STR_GET_ENV_LANG_ZH == get_env_lang() :
+        print(zh_str);
+    else :
+        print(en_str);
+
+################################
+# 功能函数
+
+# 从密码字典文件中读取所有密码
+def read_passwords_from_dict(file_path):
+    with open(file_path, 'r') as password_dict:
+        passwords = [line.strip() for line in password_dict]
+    return passwords
+
+
+# 解析shadow文件，提取用户名、加密盐值和密码哈希
+def parse_shadow_file(file_path):
+    shadow_entries = []
+
+    with open(file_path, 'r') as shadow_file:
+        for line in shadow_file:
+            if not line.startswith("#"):
+                fields = line.strip().split(":")
+                username = fields[0]
+                encrypted_password = fields[1]
+
+                if encrypted_password != "*" and \
+                   encrypted_password != "!" and \
+                   encrypted_password != "!!" and \
+                   encrypted_password != "!*" and \
+                   encrypted_password != "*!" and \
+                   encrypted_password != ""         :
+                    method, salt, hashed_pass = encrypted_password.split("$")[1:]
+                    shadow_entries.append((username, method, salt, hashed_pass))
+
+    return shadow_entries
+
+
+# 使用crypt库进行密码哈希，比较与shadow文件中的哈希
+def check_password(username, method, salt, hashed_pass, password):
+    salt_string = f"${method}${salt}$"
+    encrypted_password = crypt.crypt(password, salt_string)
+
+    if encrypted_password == f"${method}${salt}${hashed_pass}":
+        l_print(f"[WARNING] 匹配出用户名存在弱密码: {username} ",
+                f"[WARNING] Match username using week password: {username}")
+        return True
+
+    return False
+
+
+if __name__ == "__main__":
+    arg_lang = sys.argv[1]
+
+    if False == is_root() :
+        l_print("[WARNING] 非root权限，此程序需要root权限",
+                "[WARNING] Non root permission, this program requires root permission")
+        exit(1)
+
+    # 从密码字典文件中读取密码
+    passwords = read_passwords_from_dict(password_dict_path)
+
+    # 解析shadow文件，获取用户名、加密盐值和密码哈希
+    shadow_entries = parse_shadow_file(shadow_file_path)
+
+    # 遍历shadow文件中的所有用户
+    is_got_match_pw = False
+    for username, method, salt, hashed_pass in shadow_entries:
+        for password in passwords:
+            # 检查密码是否匹配
+            if True == check_password(username, method, salt, hashed_pass, password) :
+                is_got_match_pw = True
+                #
+                break
+
+    if False == is_got_match_pw :
+        l_print(f"[OK] 没有发现弱密码",
+                f"[OK] No weak password found")
+        exit(0)
+
+    exit(1)
+