cschantz a0b3523d41 ADD: Comprehensive password and user change tracking
User request: "what about checking for recent password changes, or users
created, or like password or group file updates"

NEW FEATURES:
1. check_recent_password_changes()
   - Tracks password changes in last 7 days (using /etc/shadow)
   - Shows which accounts had passwords changed
   - Higher risk if root password changed recently
   - Detects recently unlocked accounts

2. check_recent_user_changes()
   - Detects users created in last 7 days (based on UID sequence + home dir age)
   - Shows user age in days
   - Tracks sudo/wheel group membership changes
   - Flags if sudo group modified in last 24 hours

3. Enhanced system file tampering detection:
   - Added /etc/group modification tracking
   - Added /etc/gshadow modification tracking
   - Shows exact hours since modification (not just "recently")
   - Tracks: /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow

4. Root password status display (ALWAYS shown):
   - Shows last root password change date
   - Shows days since last change
   - Warns if changed TODAY or within 7 days
   - Warns if not changed in over a year
   - Example: "Last password change: 2025-12-13 (52 days ago)"

DETECTION EXAMPLES:

If password changed recently:
  ⚠️ Recent-Password-Changes: 3-accounts
  Changed-passwords: user1,user2,root
  Risk: +35 (root) or +15 (other users)

If users created recently:
  ⚠️ Recently-Created-Users: testuser(2d) hacker(5d)
  Risk: +25

If sudo group modified:
  ⚠️ Sudo-Group-Modified-Recently: members=root,admin,newuser
  Risk: +30

If system files modified:
  ⚠️ /etc/passwd-Modified-5h-ago
  ⚠️ /etc/shadow-Modified-5h-ago
  ⚠️ /etc/group-Modified-3h-ago

Total Checks: 9 → 11 comprehensive integrity checks
- Added: Password changes
- Added: User/group changes
- Enhanced: System file tampering (now tracks 4 files + timestamps)

Output Enhancement:
- Root password age always displayed at top of compromise detection
- Clear warnings for suspicious timing (changed today, changed recently)
- Detailed findings show WHO changed and WHEN

Impact:
- Can now detect privilege escalation via user creation
- Can detect password changes during attack
- Can detect group membership manipulation
- Shows full audit trail of account changes

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 01:46:38 -05:00
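The password-change and file-age checks the commit message describes, as an added example in POSIX sh (not the repository's own module code): it reads /etc/shadow-format lines from stdin, reports accounts changed inside the window and applies the +35 (root) / +15 (other) weights quoted above; the sample lines and hash placeholders are constructed.

```shell
#!/bin/sh
# Added example, not the repository's module code: parse /etc/shadow-format lines
# (read from stdin) and report accounts whose password changed within the last N days.
# Field 3 of /etc/shadow is the date of the last password change in days since
# 1970-01-01; an empty field means no date recorded, 0 means "change at next login".

# Constructed sample in /etc/shadow format; hashes replaced by placeholders.
SAMPLE_SHADOW='root:$6$HASH_PLACEHOLDER:20450:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$HASH_PLACEHOLDER:20447:0:99999:7:::
bob:!:20300:0:99999:7:::
svc:$6$HASH_PLACEHOLDER::0:99999:7:::'

# recent_password_changes <today_in_days> <window_days>  < shadow_lines
# Prints "user:days_ago" for each account whose last change falls within the window.
recent_password_changes() {
    awk -F: -v today="$1" -v window="$2" '
        $3 == "" || $3 == 0 { next }                 # no change date, or forced change
        today - $3 >= 0 && today - $3 <= window { print $1 ":" (today - $3) }
    '
}

# risk_score <today_in_days> <window_days>  < shadow_lines
# Sums the per-account weights the commit message uses: +35 for root, +15 otherwise.
risk_score() {
    recent_password_changes "$1" "$2" | awk -F: '
        $1 == "root" { score += 35; next }
        { score += 15 }
        END { print score + 0 }
    '
}

# hours_since_mtime <file>: whole hours since the file was last modified, so a
# finding can read "/etc/passwd-Modified-5h-ago" rather than just "recently".
hours_since_mtime() {
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    echo $(( ( $(date +%s) - mtime ) / 3600 ))
}

# Stand-alone run against the constructed sample, with "today" fixed at day 20451.
# On a real host (as root): recent_password_changes "$(( $(date +%s) / 86400 ))" 7 < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | recent_password_changes 20451 7
printf 'Risk: +%s\n' "$(printf '%s\n' "$SAMPLE_SHADOW" | risk_score 20451 7)"
for f in /etc/passwd /etc/group; do
    if [ -r "$f" ]; then printf '%s-Modified-%sh-ago\n' "$f" "$(hours_since_mtime "$f")"; fi
done
```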