Unix Nagios account: audit requires it to have password expiry: how to work around it?
We got an audit finding that our Solaris (& possibly Linux as well, but I haven't
verified) OS account used for Nagios monitoring does not have password expiry.
However, when a Solaris account expires, it'll cause service disruption
(just like root's cron jobs): is there any way around this?
Can we set the SHELL for the nagios account to /bin/false or no shell so
that it's deemed a non-interactive account & doesn't require password
expiry? Will Nagios still work with no shell or a false shell?
If we change the password of this nagios account periodically, do we
need to change it in nagios (script or settings) somewhere?
such script that could change the password to a random one every 90 days, so
doing it manually is not feasible), does anyone do the following to fulfill audit:
2 persons from different departments key in their respective complex passwords
(so making up a combined password of at least 16 characters in length), write the
passwords separately on paper that is sealed in an envelope.
Then once every 2 years, this password is renewed/reset & resealed in an envelope.