Unix nagios account : audit requires it to have password expiry : how to work around it?
We got an audit finding that our Solaris (& possibly Linux as well but I haven't
verified) OS account used for Nagios monitoring does not have password expiry.
Q1:
However, when a Solaris account expires, it'll cause service disruption
(just like root's cron jobs): is there any way around this?
Q2:
Can we set the SHELL for the nagios account to /bin/false or no shell so
that it's deemed a non-interactive account & doesn't require password
expiry? Will Nagios still work with no shell or a false shell?
Q3:
If we change the password of this nagios account periodically, do we
need to change it in Nagios (script or settings) somewhere?
Or, if it breaks Nagios when the password gets changed (well, I don't even have one
such script that could change the password to a random one every 90 days, so
doing it manually is not feasible), does anyone do the following to fulfill audit:
2 persons from different departments key in their respective complex passwords
(so making up a combined password of at least 16 characters in length), write the
passwords separately on paper that is sealed in envelopes.
Then once every 2 years, this password is renewed/reset & resealed in an envelope.