[SunHELP] root passwd expired

Sheldon T. Hall shel at tandem.artell.net
Thu Dec 1 15:44:38 CST 2005

Brian Dunbar says ...
> On Nov 30, 2005, at 4:16 PM, Sheldon T. Hall wrote:
> > Quoth stephen price ...
> > [I said ...]
> >>> Lemme ask that another way ... Why have root's
> >>> password expire at all?  What
> >>> benefit do you get from root password expiration?
> >>>
> >>
> >> Answer - compliance with a whole list of federal
> >> government, military, financial or general industry
> >> "must-comply" regulations, standards, procedures and
> >> documents, depending upon your industry and product.
> >>
> >> Here's a few examples of regulations/standards I run
> >> into that compliance auditors will reference that
> >> require root password expiration::
> >>
> >> 1) sarbanes-oxley (sox)
> >> 2) gramm-leach-bliley act (glba)
> >> 3) national industrial security program operating
> >> manual (nispom)
> >> 4) health insurance portability and accountability
> >> (hipaa)
> >> 5) federal financial institutions examination council
> >> (ffiec)
> >
> > Just gag me with a spoon full of porkbarrel with ridiculous-
> > intrusion sauce.
> >
> > I have some passing acquaintance with HIPAA, but of the others I'm
> > blissfully ignorant.  In all cases, though, it would seem wiser to
> > specify
> > the result of security measures, rather than having committees of
> > non-technical people dictate the measures themselves.  I can't
> > imagine that
> > the scheduled changing of a password makes it any more secure that a
> > well-chosen password that's properly guarded and changed when
> > conditions
> > require.
> It would - probably is - wiser to specify a result not the steps.
> But you'll fail the audit.   Failing the audit can result in fines,
> possible jail time, drop in stock price.
> The auditors I've seen are non-technical and reading from a script.

They really ought to be easy to fool, then.

> Process doesn't matter, compliance does.  It's kinda like taking a
> physics major, handing him, say, a best practices book for 'how to
> play football' and having him audit Brett Farve's performance.

Heh.  Good thing I don't have to play in that league.

> None of this mattes to HugeMegaCo - the cost of compliance is
> lost in the noise.  it's killing IT departments at smaller
> public companies.

Might be time to do a management-led LBO and wait for a more-favorable
business climate; you'd be private and subject to fewer rules.  Or just sell
out to a MegaCorp now.

I've never been very good at following company rules, and, better yet, I've
never suffered any significant career inconvenience from it.  Maybe I've
just been in the wrong (or right) places.

It's pretty easy to prove that, historically, the environments with the
fewest rules promote the most progress.  If the companies who are subject to
those rules don't work to change them  to something more sensible, some
other company, or country, will reap the benefit.

So, yeah, do what you have to do, which, to me, looks like "let the
passwords expire, and have a back way in."


More information about the SunHELP mailing list