On 21 October 2009 c. 17:16:33 Stuart VanZee wrote:
> The company I work for is having their yearly Payment Card Industry
> (PCI) assessment and while I believe that OpenBSD is the most secure
> OS going, I am having some problems proving it. Here are some of
> the issues I need to figure out.

I'm assuming you're talking about console logins. If you're creating a Web
interface, for example, then you have to implement such restrictions there;
it has nothing to do with OpenBSD in that case.

> 8.5.9 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password
> parameters are set to require users to change passwords at least every
> 90 days.
> I have no idea how to set OpenBSD to do this, any suggestions?

See login.conf(5), password-dead and password-warn.

> 8.5.10 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password
> parameters are set to require passwords to be at least seven
> characters long. I know that OpenBSD uses 6 characters, is there a way
> to change this?

Same, minpasswordlen.

> 8.5.12 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password
> parameters are set to require that new passwords cannot be the same as
> the four previously used passwords.
> I have no idea how to set OpenBSD to do this, any suggestions?

AFAIK, there is no such mechanism available, but you can use passwordcheck
in login.conf(5).

> 8.5.13 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password
> parameters are set to require that a user's account is locked out after
> not more than six invalid logon attempts.

AFAIK, no default mechanism too. Looks like this requires playing with
login-tries and a custom auth style.

> 8.5.14 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password
> parameters are set to require that once a user's account is locked out,
> it remains locked for a minimum of 30 minutes or until a system
> administrator resets the account.
> 13 and 14 go together, I know that this isn't the scheme that
> OpenBSD uses. In OpenBSD, each time a user fails a password attempt
> it takes a little bit longer to get a new login prompt. Maybe if
> there was a way that I could set it so that by the time six failures
> happen that it takes 30 minutes to get the next login prompt. Does
> anyone know how to do this or have any other suggestion?

Same as previous.

> 8.5.15 For a sample of system components, obtain and inspect system
> configuration settings to verify that system/session idle
> time out features have been set to 15 minutes or less.
> This one requires that a user must re-enter the password if their
> terminal is idle for more than 15 minutes. Any ideas how to do
> this with OpenBSD?

wsconsctl display.screen_off=$((15*60000))

...

Hope all this helps.

-- 
Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
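As an added example (not part of Vadim's message and not OpenBSD's own configuration), here is how the login.conf(5) capabilities named above fit together for the PCI items in this thread, plus a minimal passwordcheck program of the kind the reply suggests. The class name "pci", the script path /usr/local/sbin/pwcheck and every numeric value are assumptions chosen to match the quoted PCI numbers; the letter-plus-digit rule is just an illustration of a policy passwordcheck can enforce. It cannot compare against previous passwords (8.5.12) and login.conf has no lockout (8.5.13/8.5.14), which is consistent with the reply.

```shell
#!/bin/sh
# Added example, not from the original message.  Assumed: login class name
# "pci", passwordcheck program installed at /usr/local/sbin/pwcheck, and that
# users are assigned to the class with "usermod -L pci <user>".

# Emit a login.conf(5) class covering the items discussed in the thread:
#   passwordtime   90 days before a password must be changed    (8.5.9)
#   password-warn  warn the user this long before expiry
#   password-dead  grace period after expiry; 0 means none
#   minpasswordlen minimum length raised from the default 6 to 7 (8.5.10)
#   passwordcheck  external program run by passwd(1) on every new password
#   login-tries    login(1) gives up after this many failures     (8.5.13)
#   login-backoff  failures before login(1) starts sleeping between prompts
# Note: login-tries ends the login session; it does not lock the account.
pci_login_class() {
	cat <<'EOF'
pci:\
	:passwordtime=90d:\
	:password-warn=2w:\
	:password-dead=0:\
	:minpasswordlen=7:\
	:passwordcheck=/usr/local/sbin/pwcheck:\
	:login-tries=6:\
	:login-backoff=3:\
	:tc=default:
EOF
}

# passwordcheck program body: passwd(1) writes the candidate password to the
# program's standard input and accepts it only if the program exits 0.
# Policy here (assumed, for illustration): at least 7 characters and at
# least one letter and one digit.  There is no password history available
# to this program, so "not one of the last four" cannot be checked here.
pwcheck() {
	IFS= read -r pw
	[ "${#pw}" -ge 7 ] || return 1
	case $pw in *[0-9]*) ;; *) return 1 ;; esac
	case $pw in *[A-Za-z]*) ;; *) return 1 ;; esac
	return 0
}
```

To use it, append the output of pci_login_class to /etc/login.conf, regenerate /etc/login.conf.db with cap_mkdb /etc/login.conf if that file exists on the system, install the pwcheck function as an executable script at the assumed path, and move the relevant users into the class with usermod -L pci. For 8.5.15 the wsconsctl setting from the reply can be made persistent as a display.screen_off=900000 line in /etc/wsconsctl.conf.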