[PCI DSS 1.x] 8.5.8 Do not use group, shared, or generic accounts and passwords

8.5.8.a For a sample of system components, critical servers, and wireless access points, examine user ID lists to verify the following:

  • Generic User IDs and accounts are disabled or removed
  • Shared User IDs for system administration activities and other critical functions do not exist
  • Shared and generic User IDs are not used to administer wireless LANs and devices

8.5.8.b Examine password policies/procedures to verify that group and shared passwords are explicitly prohibited

8.5.8.c Interview system administrators to verify that group and shared passwords are not distributed, even if requested

Has anyone had issues with this policy in the mid-range server space? Our company has had some resistance to needing some shared IDs in the Oracle admin or software install areas. In these cases, the users sign on with their personal ID and sudo over to the admin ID. Is this allowed under this policy? Are the sudo logs sufficient compensating control?
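An added example, not from the original post or from the PCI DSS text above, of what the sudo audit trail in the setup described (personal login, then sudo to the shared admin ID) actually gives an assessor. It assumes a Linux host where sudo logs to syslog in its default format; the host name, user names, paths and the log lines themselves are constructed. The report attributes each escalation to the personal ID and flags the case that weakens the compensating control: when the sudo target is a shell or `su`, every command typed afterwards runs as the shared account and sudo logs nothing further about who typed it.

```shell
#!/bin/sh
# Added example (not the original poster's code): audit sudo syslog entries
# for escalations to a shared admin account such as "oracle".
#
# A sudoers fragment that keeps per-command attribution would look like this
# (assumed, not from the page):
#   %dba ALL = (oracle) /u01/app/oracle/bin/sqlplus, /u01/app/oracle/bin/lsnrctl
# whereas  "%dba ALL = (oracle) ALL"  lets members run  sudo -u oracle bash,
# after which the log trail stops at the shared ID.

# Constructed sample lines in the format sudo writes to syslog
# (/var/log/secure or /var/log/auth.log). Names and paths are made up.
SAMPLE_LOG='Mar 12 10:15:01 db01 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=oracle ; COMMAND=/bin/bash
Mar 12 10:16:44 db01 sudo:     bkim : TTY=pts/2 ; PWD=/home/bkim ; USER=oracle ; COMMAND=/u01/app/oracle/bin/lsnrctl status
Mar 12 10:20:03 db01 sudo:     adoe : TTY=pts/1 ; PWD=/home/adoe ; USER=root ; COMMAND=/bin/su - oracle
Mar 12 10:30:00 db01 sudo:   jsmith : command not allowed ; TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/bash'

# sudo_report LOGTEXT
# Prints one line per sudo entry: timestamp, invoking user -> target user,
# a status tag, and the command. Status is OK or DENIED, with /SHELL appended
# when the command is a shell or su (attribution is lost after that point).
sudo_report() {
    printf '%s\n' "$1" | awk '
    $5 == "sudo:" {
        who = $6                     # personal ID that invoked sudo
        target = ""; cmd = ""
        if (match($0, /USER=[^ ;]+/))
            target = substr($0, RSTART + 5, RLENGTH - 5)
        i = index($0, "COMMAND=")
        if (i) cmd = substr($0, i + 8)
        status = ($0 ~ / command not allowed ;/) ? "DENIED" : "OK"
        if (cmd ~ /^(\/usr)?\/bin\/(sh|bash|ksh|su)( |$)/)
            status = status "/SHELL"
        printf "%s %s -> %s [%s] %s\n", $1 " " $2 " " $3, who, target, status, cmd
    }'
}

# Number of successful escalations that ended in a shell: the entries an
# assessor will ask about, because later activity is logged only as the
# shared account (if at all).
count_shell_escalations() {
    sudo_report "$1" | grep -c 'OK/SHELL'
}

# Number of denied sudo attempts in the log.
count_denied() {
    sudo_report "$1" | grep -c 'DENIED'
}

# Number of sudo entries parsed at all.
count_entries() {
    sudo_report "$1" | grep -c ' -> '
}

sudo_report "$SAMPLE_LOG"
```

Run against a real log with `sudo_report "$(grep ' sudo: ' /var/log/secure)"`. The report answers "which personal ID became oracle, when, from which TTY" for every entry, which is the linkage an assessor looks for; the `/SHELL` entries are the gap, since after `sudo -u oracle bash` the shell's own commands carry no personal ID. If an interactive shell as the shared account is unavoidable, sudo's `Defaults log_output` setting records the session for replay with `sudoreplay`, which closes that gap better than the syslog line alone.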