Password expiration local console operator

In case of having local console operators, I would like to check the potential password expiration date. However, I did not find this information. Any ideas? The documentation did not help me:

https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Console/c_monitoring_operators.html
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_list_of_advanced_options.html#conceptTueSep160103122014

So you have maximumPasswordAgeDays configured already and want to report when the expiration will occur for each operator?

Exact. Last expiration was during my vacation, bad luck for my colleagues :slight_smile:

Hm. I thought I made some progress with Session Relevance to get the maximum password age:

(name of it, value of it | "none") of bes deployment options

with results like

maximumPasswordAgeDays, 720
passwordComplexityDescription, ( Passwords must contain 8 characters or more, both uppercase and lowercase letters, and at least 1 digit. )
passwordComplexityRegex, ( (?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]]).{8,} )

But, after getting the maximumPasswordAgeDays, I haven’t found a ‘bes user’ property or even a REST API call that will retrieve the operators’ last password change time.

So far I’ve managed to build a SQL query that retrieves them, though, if this helps at all.

select username
  , PasswordLastChanged
  , MaxPasswordAge
  , DATEADD(day, CAST(MaxPasswordAge as int), PasswordLastChanged) as PasswordExpirationTime
FROM 
  (SELECT userinfo.username as username
  , userinfo.PasswordLastChanged as PasswordLastChanged
  , (
      SELECT adminfield.FieldContents AS MaxPasswordAge from [BFEnterprise].[dbo].[ADMINFIELDS]  as adminfield 
      WHERE adminfield.FieldName='Z:maximumPasswordAgeDays' 
     ) as MaxPasswordAge
  FROM bfenterprise.dbo.USERINFO as userinfo
  where userinfo.ldapID is NULL
) AS test

Results sample

username     PasswordLastChanged      MaxPasswordAge  PasswordExpirationTime
mo           2023-01-06 02:31:12.190  720             2024-12-26 02:31:12.190
bfc          2023-02-02 18:42:51.453  720             2025-01-22 18:42:51.453
bfi_service  2023-02-02 18:51:21.810  720             2025-01-22 18:51:21.810
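Added example, not part of the original thread: a read-only variant of the query above that lists only the local operators whose password has expired or will expire within a warning window, with the days remaining. It reuses the table and column names from the post; the `@WarnDays` variable, the 30-day window, and the assumption that `PasswordLastChanged` is stored in the same time base as `GETDATE()` are illustrative and not confirmed by the page.

```sql
-- Added example (T-SQL). Names not in the original post are hypothetical.
DECLARE @WarnDays int = 30;   -- assumed warning window, adjust as needed

WITH policy AS (
    -- TRY_CAST returns NULL instead of raising an error if the option
    -- holds something that is not an integer.
    SELECT TRY_CAST(FieldContents AS int) AS MaxPasswordAge
    FROM [BFEnterprise].[dbo].[ADMINFIELDS]
    WHERE FieldName = 'Z:maximumPasswordAgeDays'
),
local_ops AS (
    SELECT u.username,
           u.PasswordLastChanged,
           DATEADD(day, p.MaxPasswordAge, u.PasswordLastChanged) AS PasswordExpirationTime
    FROM [BFEnterprise].[dbo].[USERINFO] AS u
    -- If maximumPasswordAgeDays is not set, policy is empty and the
    -- CROSS JOIN yields no rows: nothing can expire, nothing is reported.
    CROSS JOIN policy AS p
    WHERE u.ldapID IS NULL        -- local operators only, as in the post
      AND p.MaxPasswordAge > 0    -- assumption: non-positive means no expiry
)
SELECT username,
       PasswordLastChanged,
       PasswordExpirationTime,
       -- Negative values mean the password has already expired.
       DATEDIFF(day, GETDATE(), PasswordExpirationTime) AS DaysRemaining
FROM local_ops
WHERE PasswordExpirationTime <= DATEADD(day, @WarnDays, GETDATE())
ORDER BY PasswordExpirationTime;
```

Run under a read-only database login, this can be scheduled so that an upcoming expiry is reported before it locks an operator out.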

Oh, seems to be more tricky than expected. As a first step, the SQL statement is pretty helpful, thanks very much.
I assume posting an idea / RFE to add this feature might be helpful for the future. Usually I prefer LDAP-authenticated users, of course, but in some cases a local operator makes sense in my opinion.
