1.3.3 Set password lifetime, warning time and grace time for local credentials

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

NX-OS has commands to adjust the permitted lifetime of passphrases for local credentials, as well as the 'warning time' before expiry and the 'grace time' after expiry. If local credentials are in use, it is recommended that these be set to a value appropriate to the organization. Note that these timers cannot be set for the 'admin' credential.

Rationale:

Impact:

If local credentials are in regular use, it is recommended that a reasonable (non default) value be set for the passphrase timer values.
The default of an infinite lifetime is of course not appropriate. Previous guidance of password changes on 30 or 60 day cycles however is also not appropriate if complex passwords are used and enforced. Some middle ground should be set - for instance, a password change cycle on a 6 or 12 month rotation is often easy to track.

This entire discussion illustrates clearly why it is most often advisable to use a back-end authentication source for credential storage. In an organization that has multiple switches and other infrastructure, setting a password rotation is a recipe that has the risk of missing or entirely forgetting the change date, or of missing one or more devices in the change procedure. Since password recovery after the grace period involves a reboot of the entire switch, this end result is undesirable in the extreme.

The best recommendation is to set a long, complex password for any local administrative accounts, then use a back-end authentication source, so that these local accounts are only used in the event that the back-end authentication source is not reachable.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To set passphrase timers globally:

switch(config)# userpassphrase default-warntime <days>
switch(config)# userpassphrase default-gracetime <days>
switch(config)# userpassphrase default-lifetime <days>

example:

switch(config)# userpassphrase default-warntime 10
switch(config)# userpassphrase default-gracetime 10
switch(config)# userpassphrase default-lifetime 180

To set passphrase time values per-user:

switch(config)# username <userid> passphrase lifetime <days> warntime <time in days> gradetime <time in days>

example

switch(config)# username test passphrase lifetime 180 warntime 10 gracetime 10

Default Value:

By default, the passphrase time values per-user are:

Lifetime: 99999 (this value indicates no expiry, or an infinite lifetime)

Gracetime: 3 days

Warntime: 14 days

By default, there are no global default values set, they are assigned per local user as the local accounts are created.

By default the 'admin' account does not have any associated timers, and these values cannot be set for this account.

See Also

https://workbench.cisecurity.org/files/3102