sunhux

asked on

Unix nagios account : audit requires it to have password expiry : how to work around it?

We got an audit finding that our Solaris (& possibly Linux as well, but I haven't
verified) OS account used for Nagios monitoring does not have password expiry.

Q1:
However, when a Solaris account gets expired, it'll cause service disruption
(just like root's cron jobs): is there any way around this?

Q2:
Can we set the SHELL for the nagios account to /bin/false or no shell so
that it's deemed a non-interactive account & doesn't require password
expiry? Will Nagios still work with no shell or a false shell?

Q3:
If we change the password of this nagios account periodically, do we
need to change it in Nagios (script or settings) somewhere?
SOLUTION
arnold
sunhux

ASKER

Or if it breaks Nagios when the password gets changed (well, I don't even have one
such script that could change the password to a random one every 90 days, so
doing it manually is not feasible), does anyone do the following to fulfill audit:

2 persons from different departments key in their respective complex passwords
(so making up a combined password of at least 16 characters in length), and write the
passwords separately on paper that is sealed in an envelope.

Then once every 2 years, this password is renewed/reset & resealed in an envelope.