I have multiple RH AS3 and RH ES4 systems. I would like to enforce the following ruleset: all users must reset their passwords at least every 90 days; if they don't, after the 95th day the account should be locked/disabled.
I've set these parameters up with /etc/default/useradd, /etc/login.defs, and my /etc/shadow file shows all the rules correctly. And all of this works fine. When I run "chage -l <username>", I see what I expect to, and users who've gone too long aren't able to access the system after the 95th day.
My problem is, I'd like to be able to actually track that this is all working. Or, more to the point, I have security people who want to be able to verify that the rules are being enforced.
Right now, they are able to report to me how long it's been since the user last changed their password (cool, np), but when they go to verify the account is "locked" they can't seem to do it.
Their first attempt seems to be that they check the encrypted password string in /etc/shadow for a ! or !! at the front to indicate the account is actually locked. I always thought this was how it was done, however, I've found that that only seems to go in if the account is manually locked, like via the passwd command. If the account is simply aged out and disabled by the default rules, the password string in /etc/shadow stays exactly the same, the user is just denied access.
So, I guess I'm asking: is there a good way to check that a user's account is locked out, other than grabbing the dates in /etc/shadow (days since the password was last changed) and comparing them to today's date (which still doesn't really give me much), or looking at the "Password Inactive" field from chage and determining visually that the account is past that date and therefore just "knowing" that it is disabled?
It just seems that this would be something common enough to have this info available somewhere in the system, and not need a homegrown script to cull it out. Haven't found anything so far though.
Any ideas?
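The post above describes the /etc/shadow aging fields (last change, max, inactive, expiry) and notes that an aged-out account keeps its hash unchanged. The following is an added example, not the poster's script and not a Red Hat tool: it parses shadow-format lines, reproduces the aging arithmetic that chage and the PAM account check apply (treating age > max as "password expired" and age > max + inactive as "inactive/disabled" is my reading of those checks, an assumption rather than something the post states), and distinguishes that state from a manual lock marked by a leading "!". The sample lines, hashes and the fixed "today" value are constructed so the script runs offline.

```python
"""Audit password-aging state in shadow(5)-format lines.

Added example for the discussion above; it is not the original poster's code
and not part of Red Hat. Expiry logic mirrors the usual chage/pam_unix
arithmetic on the shadow aging fields (an assumption about the poster's setup).
"""
import time
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

EPOCH = date(1970, 1, 1)


@dataclass
class ShadowEntry:
    name: str
    hash: str
    lastchg: int    # days since epoch of last password change; -1 = aging disabled
    min_days: int
    max_days: int   # -1 = no maximum
    warn: int
    inactive: int   # grace days after max before the account is disabled; -1 = none
    expire: int     # absolute account expiry, days since epoch; -1 = none


def _field(value: str, default: int = -1) -> int:
    """Empty shadow fields mean 'not set'; shadow(5) documents that as no limit."""
    return int(value) if value.strip() else default


def parse_shadow_line(line: str) -> ShadowEntry:
    parts = line.rstrip("\n").split(":")
    if len(parts) < 8:
        raise ValueError("not a shadow(5) line: %r" % line)
    name, pw, lastchg, mn, mx, warn, inact, exp = parts[:8]
    return ShadowEntry(name, pw, _field(lastchg), _field(mn), _field(mx),
                       _field(warn), _field(inact), _field(exp))


def today_days() -> int:
    return int(time.time() // 86400)


def inactive_day(entry: ShadowEntry) -> Optional[int]:
    """Day (since epoch) on which the account becomes inactive; what chage -l
    prints as "Password inactive". None when any of the three fields is unset."""
    if -1 in (entry.lastchg, entry.max_days, entry.inactive):
        return None
    return entry.lastchg + entry.max_days + entry.inactive


def day_to_iso(days: int) -> str:
    return (EPOCH + timedelta(days=days)).isoformat()


def account_status(entry: ShadowEntry, today: Optional[int] = None) -> str:
    today = today_days() if today is None else today
    # A leading "!" is the only marker a manual lock (passwd -l / usermod -L) leaves.
    if entry.hash.startswith("!"):
        return "locked"
    if entry.hash.startswith("*"):
        return "no-password"
    if entry.expire != -1 and today >= entry.expire:
        return "expired"
    if entry.lastchg == 0:          # shadow(5): 0 forces a change at next login
        return "must-change"
    if entry.lastchg == -1 or entry.max_days == -1:
        return "ok"                 # aging disabled for this account
    age = today - entry.lastchg
    if age > entry.max_days:
        # Past max AND past the grace period: the aged-out, disabled state the
        # post asks about. The hash field is untouched, so only the dates show it.
        if entry.inactive != -1 and age > entry.max_days + entry.inactive:
            return "inactive"
        return "password-expired"
    return "ok"


def audit_shadow(lines: Iterable[str], today: Optional[int] = None) -> Dict[str, str]:
    """Map user name to aging status for every shadow line given."""
    return {e.name: account_status(e, today)
            for e in (parse_shadow_line(l) for l in lines if l.strip())}


# Constructed sample data (fake hashes); "today" is fixed at day 20000 for the demo.
SAMPLE_SHADOW = [
    "alice:$6$fakesalt$fakehash:19980:0:90:7:5::",     # changed 20 days ago
    "bob:$6$fakesalt$fakehash:19905:0:90:7:5::",       # 95 days: past max, in grace
    "carol:$6$fakesalt$fakehash:19900:0:90:7:5::",     # 100 days: past max + inactive
    "dave:!$6$fakesalt$fakehash:19980:0:90:7:5::",     # manually locked
    "eve:$6$fakesalt$fakehash:19980:0:90:7:5:19990:",  # absolute expiry passed
    "frank:*:19980:0:99999:7:::",                      # never had a password
    "grace:$6$fakesalt$fakehash:0:0:90:7:5::",         # must change at next login
]

if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        e = parse_shadow_line(line)
        inact = inactive_day(e)
        print("%-6s %-16s inactive-on=%s" % (
            e.name, account_status(e, today=20000),
            day_to_iso(inact) if inact is not None else "never"))
```

Run against the real file with `audit_shadow(open("/etc/shadow"))` as root; the "inactive" result is the one that corresponds to the poster's "aged out and disabled" case, while "locked" corresponds to the "!" prefix the security team was looking for.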