[SunHELP] root passwd expired
Brian Dunbar
brian.dunbar at plexus.com
Thu Dec 1 13:58:45 CST 2005
On Nov 30, 2005, at 4:16 PM, Sheldon T. Hall wrote:
> Quoth stephen price ...
> [I said ...]
>>> Lemme ask that another way ... Why have root's
>>> password expire at all? What
>>> benefit do you get from root password expiration?
>>>
>>
>> Answer - compliance with a whole list of federal
>> government, military, financial or general industry
>> "must-comply" regulations, standards, procedures and
>> documents, depending upon your industry and product.
>>
>> Here are a few examples of regulations/standards I run
>> into that compliance auditors will reference that
>> require root password expiration:
>>
>> 1) sarbanes-oxley (sox)
>> 2) gramm-leach-bliley act (glba)
>> 3) national industrial security program operating
>> manual (nispom)
>> 4) health insurance portability and accountability
>> (hipaa)
>> 5) federal financial institutions examination council
>> (ffiec)
>
> Just gag me with a spoon full of porkbarrel with ridiculous-intrusion sauce.
>
> I have some passing acquaintance with HIPAA, but of the others I'm
> blissfully ignorant. In all cases, though, it would seem wiser to
> specify the result of security measures, rather than having committees of
> non-technical people dictate the measures themselves. I can't
> imagine that the scheduled changing of a password makes it any more secure than a
> well-chosen password that's properly guarded and changed when
> conditions require.
It would be - probably is - wiser to specify a result, not the steps.
But you'll fail the audit. Failing the audit can result in fines,
possible jail time, drop in stock price.
The auditors I've seen are non-technical and reading from a script.
Process doesn't matter, compliance does. It's kinda like taking a
physics major, handing him, say, a best practices book for 'how to
play football' and having him audit Brett Favre's performance.
A: Your stance is all wrong when you drop back and throw a lateral.
Brett: What? Who are you? You know I'm like .... one of the best
quarterbacks in the league? Ah must be doing something right ...
A: Throw like that and you'll fail the audit. This is about
standards not performance - your feet have to go here and there and
your back has to bend back at a precise 10 degree angle.
Brett: Dang.
None of this matters to HugeMegaCo - the cost of compliance is lost in
the noise. It's killing IT departments at smaller public companies.
Brian Dunbar
System Administrator II
Desk: (920) 751-3364
Cell: (920) 716-2027
brian.dunbar at plexus.com
http://www.plexus.com