
Unix nagios account : audit requires it to have password expiry : how to work around it?

sunhux
We got an audit finding that our Solaris (& possibly Linux as well, but I haven't
verified) OS account used for Nagios monitoring does not have password expiry.

Q1:
However, when a Solaris account expires, it'll cause service disruption
(just like root's cron jobs): is there any way around this?

Q2:
Can we set the SHELL for the nagios account to /bin/false or no shell so
that it's deemed a non-interactive account & doesn't require password
expiry? Will Nagios still work with no shell or a false shell?

Q3:
If we change the password of this nagios account periodically, do we
need to change it in Nagios (a script or setting) somewhere?
Distinguished Expert 2017
Commented:
You can randomize it, or set its shell to /bin/false as you noted. There is no credential exchange. The agents it checks with do not use credential exchange, i
You could randomly reset the password from cron.
If I'm not mistaken, some, when editing the files directly, would run under the account, though you can do it as root, making sure when done to change ownership of the resulting file so it is owned by nagios.
Fractional CTO
Distinguished Expert 2018
Commented:
Q1: However, when a Solaris account expires, it'll cause service disruption (just like root's cron jobs): is there any way around this?

No. Expired accounts generally are a problem for some software.

This depends on exactly how your software was installed, as nagios is just software + this should never happen if nagios default packages are installed on Linux.

For Solaris, this goes back to how nagios might have been installed.

Q2: Can we set the SHELL for the nagios account to /bin/false or no shell so that it's deemed a non-interactive account & doesn't require password expiry? Will Nagios still work with no shell or a false shell?

Yes.

Q3: If we change the password of this nagios account periodically, do we need to change it in Nagios (a script or setting) somewhere?

As arnold mentioned, you do this using a CRON job, running at whatever frequency you like.

And also as arnold mentioned, likely you must set the login shell to /bin/false or /usr/sbin/nologin because what's being checked for is the ability for a login process to begin. To pass this check likely requires blocking the login process with false or nologin.
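As an added example (not code from this thread or from the Nagios project), here is a cron-driven script along the lines both answers describe: it rotates the nagios account password to a random value, pins the account to a non-interactive shell, and verifies the passwd entry afterwards. It assumes Linux chpasswd(8), usermod(8) and getent(1); the ACCOUNT and NOLOGIN_SHELL names and the crontab line are ours, and the Solaris passwd(1) path is only noted in a comment.

```sh
#!/bin/sh
# Added example, not code from the thread or from the Nagios project.
# Rotates the nagios service account's password from root's cron and keeps
# the account on a non-interactive shell. Assumes Linux chpasswd(8),
# usermod(8) and getent(1); ACCOUNT and NOLOGIN_SHELL are our own names.

ACCOUNT="${ACCOUNT:-nagios}"
NOLOGIN_SHELL="${NOLOGIN_SHELL:-/usr/sbin/nologin}"

# Print a random password of N (default 32) characters from [A-Za-z0-9].
# dd is used instead of "head -c", which Solaris /usr/bin/head lacks.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | dd bs=1 count="${1:-32}" 2>/dev/null
}

# Given one passwd(5) line, succeed only when field 7 (the login shell) is a
# shell that blocks interactive login, which is what the audit check looks at.
shell_is_noninteractive() {
    case "$(printf '%s\n' "$1" | cut -d: -f7)" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Rotation step for a root crontab entry such as
#   0 3 1 * * /usr/local/sbin/rotate-nagios.sh --rotate
# Nagios never presents this password (arnold's point about credential exchange),
# so the new value is not stored anywhere; it only has to satisfy the expiry policy.
# Solaris passwd(1) will not read the password from stdin, so this step is Linux-only;
# on Solaris, check the local passwd(1) man page for its non-login ("-N") option instead.
rotate_account() {
    pw=$(gen_password 32) || return 1
    printf '%s:%s\n' "$ACCOUNT" "$pw" | chpasswd || return 1
    usermod -s "$NOLOGIN_SHELL" "$ACCOUNT" || return 1
    # Verify the resulting entry before reporting success.
    shell_is_noninteractive "$(getent passwd "$ACCOUNT")" || return 1
    logger -t nagios-rotate "rotated password and set shell for $ACCOUNT"
}

if [ "${1:-}" = "--rotate" ]; then
    rotate_account
fi
```

The verification step is what makes the cron job auditable: the syslog line is only written once the entry really has a non-interactive shell.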

Author
Commented:
Or, if it breaks Nagios when the password gets changed (well, I don't even have a
script that could change the password to a random one every 90 days, so
doing it manually is not feasible), does anyone do the following to fulfill the audit:

2 persons from different departments key in their respective complex passwords
(making up a combined password of at least 16 characters in length), and write the
passwords separately on papers that are sealed in envelopes.

Then once every 2 years, this password is renewed/reset & resealed in an envelope.