Our RSA Authentication Manager servers are using SUSE Linux. What pam.d password policy is used for the rsaadmin account (i.e. password expiration, length, etc.)?
I think I might have my answer, but just need confirmation. Most of the attributes are configured under common-password, but expiration is configured under login.defs, correct?
Sorry. One more question in addition to what I've posted. We have one box that is reporting the encryption method as blowfish and one as SHA512. I'm not sure who changed that, but what are the ramifications of changing that, and how do you do it?
This is not written in stone, but 8.3 patch 4 (188.8.131.52.0) --not released yet--, will rectify blowfish/md5 for new passwords or password changes. Old passwords will remain until changed/reset.
We have this hardening information guide for the default configuration
RSA Authentication Manager 8.3 System Hardening Guide
You can also open a support case, and discuss additional STiG hardening scripts.
We do not recommend making changes to the OS and accounts outside RSA documentation, as the RSA server, as a whole, is considered a 'black-box' implementation, and this is not 'just Suse Linux' and the OS is not entirely separate from the Authentication Manager services. Not all common Linux OS hardening procedures are workable in the same way on the RSA Authentication Manager server. You may make a change that would prevent proper operation, prevent patching or disaster recovery, or may increase risk rather than decrease risk.
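As an added read-only check (not RSA's tooling and not code from this thread), the script below reports which hash algorithm an account's stored password uses and the login.defs / common-password settings behind it, so a blowfish-vs-SHA512 difference between two servers can be confirmed without changing anything. The file paths are the standard SUSE ones and are assumed.

```shell
#!/bin/sh
# Read-only password-policy audit for one account on a SUSE host.
# Assumed paths: /etc/shadow, /etc/login.defs, /etc/pam.d/common-password.

# Map the crypt(3) prefix of a shadow hash to its algorithm name.
hash_algo() {
  case "$1" in
    '$6$'*)                      echo sha512 ;;
    '$5$'*)                      echo sha256 ;;
    '$2a$'*|'$2b$'*|'$2y$'*)     echo blowfish ;;
    '$1$'*)                      echo md5 ;;
    '!'*|'*')                    echo locked ;;
    *)                           echo unknown ;;
  esac
}

# Print the value of KEY from login.defs-style text on stdin
# (commented lines are skipped; the last active setting wins).
defs_value() {
  awk -v key="$1" '$1 == key { v = $2 } END { print v }'
}

# Report hash algorithm, expiry and length settings for ACCOUNT.
audit_account() {
  acct="${1:-rsaadmin}"
  hash=$(awk -F: -v u="$acct" '$1 == u { print $2 }' /etc/shadow 2>/dev/null)
  echo "account:        $acct"
  echo "stored hash:    $(hash_algo "$hash")"            # needs root to read /etc/shadow
  echo "ENCRYPT_METHOD: $(defs_value ENCRYPT_METHOD < /etc/login.defs 2>/dev/null)"
  echo "PASS_MAX_DAYS:  $(defs_value PASS_MAX_DAYS < /etc/login.defs 2>/dev/null)"
  echo "PASS_MIN_LEN:   $(defs_value PASS_MIN_LEN < /etc/login.defs 2>/dev/null)"
  # pam_unix's hash option (e.g. sha512) and any cracklib/pwquality rules live here.
  echo "common-password:"
  grep -E '^[[:space:]]*password' /etc/pam.d/common-password 2>/dev/null \
    | grep -E 'pam_(unix|cracklib|pwquality)' || echo "  (file missing or no matching lines)"
}

audit_account "${1:-rsaadmin}"
```

A newly set password takes the algorithm configured at the time of the change, so an old blowfish hash stays blowfish until the password is reset, which matches the note above about old passwords remaining until changed.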