The company I work for is having their yearly Payment Card Industry
(PCI) assessment and while I believe that OpenBSD is the most secure
OS going, I am having some problems proving it.  Here are some of
the issues I need to figure out.

8.5.9    For a sample of system components, obtain and inspect system
         configuration settings to verify that user password parameters
         are set to require users to change passwords at least every
         90 days.
     I have no idea how to set OpenBSD to do this, any suggestions?

8.5.10   For a sample of system components, obtain and inspect system
         configuration settings to verify that user password parameters
         are set to require passwords to be at least seven characters long.
     I know that OpenBSD uses 6 characters, is there a way to change this?

8.5.12   For a sample of system components, obtain and inspect system
         configuration settings to verify that user password parameters
         are set to require that new passwords cannot be the same as the
         four previously used passwords.
     I have no idea how to set OpenBSD to do this, any suggestions?

8.5.13   For a sample of system components, obtain and inspect system
         configuration settings to verify that user password parameters
         are set to require that a user's account is locked out after not
         more than six invalid logon attempts.

8.5.14   For a sample of system components, obtain and inspect system
         configuration settings to verify that user password parameters
         are set to require that once a user's account is locked out, it
         remains locked for a minimum of 30 minutes or until a system
         administrator resets the account.
     13 and 14 go together, I know that this isn't the scheme that OpenBSD
     uses.  In OpenBSD, each time a user fails a password attempt it takes
     a little bit longer to get a new login prompt.  Maybe if there was a
     way that I could set it so that by the time six failures happen that
     it takes 30 minutes to get the next login prompt.  Does anyone know
     how to do this or have any other suggestion?

8.5.15   For a sample of system components, obtain and inspect system
         configuration settings to verify that system/session idle time
         out features have been set to 15 minutes or less.
     This one requires that a user must re-enter the password if their
     terminal is idle for more than 15 minutes.  Any ideas how to do this
     with OpenBSD?


I am sure that there are others out there that use OpenBSD in an environment
that requires PCI compliance.  How do you meet these requirements?

BTW.  While I usually don't mind constructive criticism, replies that
attack the requirements rather than show how to meet them aren't at all
helpful and are a complete waste of time.  We all understand that a
one-size-fits-all kind of standard like the PCI standard pretty much sucks
as far as actual benefit goes, but arguing with the Payment Card Industry
about it isn't an option, they don't listen, it's either comply with their
standard or don't get PCI approval.

Stuart van Zee
stua...@datalinesys.com
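An added example, not part of the original post: a constructed login.conf(5) excerpt whose class "pci" (my name) maps 8.5.9, 8.5.10, 8.5.13 and 8.5.15 onto OpenBSD login.conf capabilities (passwordtime, minpasswordlen, login-tries, and setenv=TMOUT for ksh(1)'s idle timeout), plus a small POSIX sh audit that reads the values back the way the assessor's "obtain and inspect" step would. The sample file, the class name and the check script are mine; it assumes users' login shell is ksh(1), which honours TMOUT.

```shell
# Constructed login.conf(5) excerpt, not copied from any host: class "pci"
# (my name) carries the capabilities that map onto the post's requirements.
LOGIN_CONF=$(mktemp) || exit 1
trap 'rm -f "$LOGIN_CONF"' EXIT
cat > "$LOGIN_CONF" <<'EOF'
pci:\
	:passwordtime=90d:\
	:minpasswordlen=7:\
	:login-tries=6:\
	:setenv=TMOUT=900:\
	:tc=default:
default:\
	:path=/usr/bin /bin /usr/sbin /sbin:
EOF

# lc_cap FILE CLASS CAP: print CAP's value in CLASS, nothing if unset.
# Backslash-continued lines are joined; tc= chaining is not followed.
lc_cap() {
    awk -v class="$2" -v cap="$3" '
        /^#/  { next }
        /\\$/ { sub(/\\$/, ""); rec = rec $0; next }
        { rec = rec $0; n = split(rec, f, ":"); rec = ""
          if (f[1] != class) next
          for (j = 2; j <= n; j++)
              if (index(f[j], cap "=") == 1) { print substr(f[j], length(cap) + 2); exit }
        }' "$1"
}

# lc_seconds VALUE: login.conf time values (90d, 12h, 15m, 900s, 900) in seconds.
lc_seconds() {
    case "$1" in
        *d) echo $(( ${1%d} * 86400 )) ;;
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *)  echo "${1%s}" ;;
    esac
}

# pci_check FILE CLASS: 0 if every checked value meets the post's thresholds, else 1.
pci_check() {
    rc=0
    v=$(lc_seconds "$(lc_cap "$1" "$2" passwordtime)")
    { [ -n "$v" ] && [ "$v" -le 7776000 ]; } || { echo "8.5.9: passwordtime unset or > 90d" >&2; rc=1; }
    v=$(lc_cap "$1" "$2" minpasswordlen)
    { [ -n "$v" ] && [ "$v" -ge 7 ]; } || { echo "8.5.10: minpasswordlen unset or < 7" >&2; rc=1; }
    v=$(lc_cap "$1" "$2" login-tries)
    { [ -n "$v" ] && [ "$v" -le 6 ]; } || { echo "8.5.13: login-tries unset or > 6" >&2; rc=1; }
    v=$(lc_cap "$1" "$2" setenv | tr ',' '\n' | sed -n 's/^TMOUT=//p')
    { [ -n "$v" ] && [ "$v" -le 900 ]; } || { echo "8.5.15: TMOUT unset or > 900s" >&2; rc=1; }
    return $rc
}
pci_check "$LOGIN_CONF" pci && echo "class pci: all checked settings in range"
```

login-tries only caps attempts within one login(1) session (login-backoff adds the growing delay the post describes) and does not keep an account locked for 30 minutes, and nothing in login.conf enforces the four-password history of 8.5.12, so those items still need an external mechanism. The script audits only what login.conf can express.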
