Disable oper/prog password aging for CIS

They are service accounts accessed only through sudo.
nvi-inc · Mar 24, 2024 · 1895190 · 1895190
1 parent efce947
commit 1895190
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/cis-setup.adoc b/cis-setup.adoc
@@ -26,11 +26,13 @@
 :toclevels: 3
 :toc:
 Dave Horsley and Ed Himwich
-Version 1.1.2 - February 2024
+Version 1.1.3 - March 2024
 
 :sectnums!:
 == Document revision history
 
+* 1.1.3 -- Disable _oper_ and _prog_ password expiration, they don't have passwords
+
 * 1.1.2 -- Correct responses to _adduser_; create _~AUID/.ssh_ in case
 it doesn't already exist
 
@@ -716,6 +718,13 @@ If the accounts haven't been disabled for login already, do so:
     usermod -L oper
     usermod -L prog
 
+Disable password aging and account inactivity expiration for the
+_oper_ and _prog_ accounts. Execute:
+
+----
+chage -I -1 -M 99999 oper
+chage -I -1 -M 99999 prog
+----
 To prevent connecting with _ssh_ using a key, create (or add _oper_
 and _prog_ to an existing) `DenyUsers` line in _/etc/ssh/sshd_config_:
 
@@ -1413,8 +1422,8 @@ keys, for this account. Execute:
 usermod -L spare
 ----
 
-.. Disable password aging and inactivity time-out for the _spare_
-account. Execute:
+.. Disable password aging and account inactivity expiration for the
+_spare_ account. Execute:
 
 +