The company I work for is having their yearly Payment Card Industry (PCI) assessment and while I believe that OpenBSD is the most secure OS going, I am having some problems proving it. Here are some of the issues I need to figure out.
8.5.9 For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days.

I have no idea how to set OpenBSD to do this, any suggestions?

8.5.10 For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require passwords to be at least seven characters long.

I know that OpenBSD uses 6 characters, is there a way to change this?

8.5.12 For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require that new passwords cannot be the same as the four previously used passwords.

I have no idea how to set OpenBSD to do this, any suggestions?

8.5.13 For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require that a user's account is locked out after not more than six invalid logon attempts.

8.5.14 For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require that once a user's account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.

13 and 14 go together. I know that this isn't the scheme that OpenBSD uses. In OpenBSD, each time a user fails a password attempt it takes a little bit longer to get a new login prompt. Maybe if there was a way that I could set it so that by the time six failures happen it takes 30 minutes to get the next login prompt. Does anyone know how to do this or have any other suggestion?

8.5.15 For a sample of system components, obtain and inspect system configuration settings to verify that system/session idle time out features have been set to 15 minutes or less.
This one requires that a user must re-enter the password if their terminal is idle for more than 15 minutes. Any ideas how to do this with OpenBSD? I am sure that there are others out there that use OpenBSD in an environment that requires PCI compliance. How do you meet these requirements?

BTW, while I usually don't mind constructive criticism, replies that attack the requirements rather than show how to meet them aren't at all helpful and are a complete waste of time. We all understand that a one-size-fits-all kind of standard like the PCI standard pretty much sucks as far as actual benefit goes, but arguing with the Payment Card Industry about it isn't an option; they don't listen, it's either comply with their standard or don't get PCI approval.

Stuart van Zee
stua...@datalinesys.com
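Editor's note, added after the post and not part of Stuart's message: of the items above, the two an assessor can verify directly from /etc/login.conf are 8.5.9 (passwordtime) and 8.5.10 (minpasswordlen). The helper below is an added example: the capability names are taken from OpenBSD's login.conf(5) and should be confirmed against the man page on the audited host, and the two login classes it contains are constructed samples, not a real configuration. It is POSIX sh plus awk, does not follow tc= inheritance (so point it at the class the users actually belong to), and does not cover lockout, password history or idle timeout.

```shell
#!/bin/sh
# Added audit helper (editor's example, not from the original post).
# Reads an OpenBSD-style login.conf on stdin and reports whether one login
# class carries the two parameters an assessor can verify from the file:
#   8.5.9  passwordtime   <= 90 days  (password expiry, per login.conf(5))
#   8.5.10 minpasswordlen >= 7        (minimum length; OpenBSD default is 6)
# Capability names follow OpenBSD's login.conf(5); verify against the man
# page on the host you audit. tc= inheritance is deliberately not followed.

# Constructed sample: a class meeting both checks.
GOOD_CONF='default:\
    :path=/usr/bin /bin /usr/sbin /sbin:\
    :passwordtime=90d:\
    :minpasswordlen=8:\
    :login-tries=6:\
    :tc=auth-defaults:'

# Constructed sample: stock-looking defaults, no expiry, 6-character minimum.
WEAK_CONF='default:\
    :path=/usr/bin /bin /usr/sbin /sbin:\
    :minpasswordlen=6:\
    :tc=auth-defaults:'

# cap_value CLASS NAME: print NAME's value in record CLASS from the login.conf
# on stdin (continuation lines joined), or nothing if the capability is unset.
cap_value() {
    awk -v class="$1" -v name="$2" '
        /\\$/ { sub(/\\$/, ""); rec = rec $0; next }
        {
            rec = rec $0
            nf = split(rec, f, ":")
            if (f[1] == class)
                for (i = 2; i <= nf; i++) {
                    eq = index(f[i], "=")
                    if (eq && substr(f[i], 1, eq - 1) == name)
                        print substr(f[i], eq + 1)
                }
            rec = ""
        }'
}

# time_to_days VALUE: convert a login.conf time (y/w/d/h/m/s suffix, bare
# number = seconds) to whole days; prints nothing for an empty or bad value.
time_to_days() {
    case $1 in
        [0-9]*y) echo $(( ${1%y} * 365 )) ;;
        [0-9]*w) echo $(( ${1%w} * 7 )) ;;
        [0-9]*d) echo "${1%d}" ;;
        [0-9]*h) echo $(( ${1%h} / 24 )) ;;
        [0-9]*m) echo $(( ${1%m} / 1440 )) ;;
        [0-9]*s) echo $(( ${1%s} / 86400 )) ;;
        ''|*[!0-9]*) ;;
        *) echo $(( $1 / 86400 )) ;;
    esac
}

# check_pci_password_params [CLASS]: evaluate CLASS (default: "default") from
# the login.conf on stdin; prints PASS/FAIL per item, returns 1 on any FAIL.
check_pci_password_params() {
    class=${1:-default}
    conf=$(cat)
    rc=0

    age=$(printf '%s\n' "$conf" | cap_value "$class" passwordtime)
    days=$(time_to_days "$age")
    if [ -n "$days" ] && [ "$days" -gt 0 ] && [ "$days" -le 90 ]; then
        echo "PASS 8.5.9  passwordtime=$age ($days days)"
    else
        echo "FAIL 8.5.9  passwordtime=${age:-unset} (need a value of 90d or less)"
        rc=1
    fi

    len=$(printf '%s\n' "$conf" | cap_value "$class" minpasswordlen)
    if [ -n "$len" ] && [ "$len" -ge 7 ]; then
        echo "PASS 8.5.10 minpasswordlen=$len"
    else
        echo "FAIL 8.5.10 minpasswordlen=${len:-unset (6 by default)} (need 7 or more)"
        rc=1
    fi
    return $rc
}

# Usage: run both constructed samples through the check.
printf '%s\n' "$GOOD_CONF" | check_pci_password_params default
printf '%s\n' "$WEAK_CONF" | check_pci_password_params default || echo "weak class needs attention"
```

Run against a real host as `check_pci_password_params staff < /etc/login.conf` (or whatever class the users are in); the stock-looking sample prints FAIL for both items, and the same two lines turning to PASS after the class is edited is the evidence an assessor wants to see.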