10.2 Password Expiry
To meet the compliance standard of the STIG, set user accounts to expire after 60 days, and service accounts to expire after 365 days.
As part of an organization’s compliance policies, implement a procedure so that administrators do not forget to change their passwords within the active period. If the root account expires, there is no method in the appliance to re-instate the root password. It is imperative that site-specific policies are implemented to prevent administrative and root passwords from expiration.
Design Considerations
• Consider setting password expiry if compliance with the STIG is required, or if policy dictates it.
• Configure the root password not to expire. However, if it does expire, it can be reset by booting the appliance into single user mode.
• If administrators must log in to a command shell on the appliance, they must do so with a user-specific account that is set to expire after the required period.