On 21 October 2009 c. 17:16:33 Stuart VanZee wrote:
> The company I work for is having their yearly Payment Card Industry
> (PCI) assessment and while I believe that OpenBSD is the most secure
> OS going, I am having some problems proving it. Here are some of
> the issues I need to figure out.
I'm assuming you're talking about console logins. If you're creating a Web
interface, for example, then you have to implement such restrictions
there; it has nothing to do with OpenBSD in that case.
> 8.5.9 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password
> parameters are set to require users to change passwords at least every
> 90 days.
> I have no idea how to set OpenBSD to do this, any suggestions?
See login.conf(5), password-dead and password-warn.
> 8.5.10 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password
> parameters are set to require passwords to be at least seven
> characters long. I know that OpenBSD uses 6 characters, is there a way
> to change this?
Same, minpasswordlen.
> 8.5.12 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password
> parameters are set to require that new passwords cannot be the same as
> the four previously used passwords.
> I have no idea how to set OpenBSD to do this, any suggestions?
AFAIK, there is no such mechanism available, but you can use
passwordcheck in login.conf(5).
> 8.5.13 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password
> parameters are set to require that a user's account is locked out after
> not more than six invalid logon attempts.
AFAIK, no default mechanism either. Looks like this requires playing with
login-tries and a custom auth style.
> 8.5.14 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password
> parameters are set to require that once a user's account is locked out,
> it remains locked for a minimum of 30 minutes or until a system
> administrator resets the account.
> 13 and 14 go together, I know that this isn't the scheme that
> OpenBSD uses. In OpenBSD, each time a user fails a password attempt
> it takes a little bit longer to get a new login prompt. Maybe if
> there was a way that I could set it so that by the time six failures
> happen that it takes 30 minutes to get the next login prompt. Does
> anyone know how to do this or have any other suggestion?
Same as previous.
> 8.5.15 For a sample of system components, obtain and inspect system
> configuration settings to verify that system/session idle
> time out features have been set to 15 minutes or less.
> This one requires that a user must re-enter the password if their
> terminal is idle for more than 15 minutes. Any ideas how to do
> this with OpenBSD?
wsconsctl display.screen_off=$((15*60000))
... Hope all this helps.
--
Best wishes,
Vadim Zhukov
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
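
As an added example (not part of the original thread, and not OpenBSD's
shipped /etc/login.conf), here is what a login class pulling the
capabilities mentioned above together might look like. The capability
names are the ones documented in login.conf(5); the values are chosen to
line up with the PCI DSS 8.5.x numbers quoted in the question, the
passwordcheck program path is a hypothetical placeholder, and the TMOUT
line assumes that ksh(1) honours a TMOUT value inherited from the
environment.

```conf
# Added example login class for /etc/login.conf -- not from the original
# thread and not the OpenBSD default file. Capability names per
# login.conf(5); values are illustrative, chosen to match the PCI DSS
# 8.5.x figures quoted above. Check each against "man login.conf" on the
# release you run.
pci:\
	:passwordtime=90d:\
	:password-warn=14d:\
	:password-dead=1d:\
	:minpasswordlen=7:\
	:passwordcheck=/usr/local/sbin/pci-pwcheck:\
	:login-tries=6:\
	:login-backoff=3:\
	:setenv=TMOUT=900:\
	:tc=default:
# passwordtime      - passwd(1) uses this to set the next expiry date
#                     (8.5.9); it applies to passwords changed from now on.
# password-warn     - how long before expiry the user is warned.
# password-dead     - grace period after expiry for one more login.
# minpasswordlen    - minimum length passwd(1) will accept (8.5.10).
# passwordcheck     - external program; the candidate password arrives on
#                     stdin and exit status 0 means "accept". Hypothetical
#                     path; this is the hook for a history check, OpenBSD
#                     ships no such program itself (8.5.12).
# login-tries       - login(1) gives up after this many failures, and
#                     login-backoff is where the growing delay starts. This
#                     ends the session, it does not lock the account, so
#                     8.5.13/8.5.14 still need the custom auth style
#                     mentioned above.
# setenv=TMOUT=900  - assumption: an idle interactive ksh exits after 900
#                     seconds (8.5.15); this is a shell logout, not a lock.
```

After editing, rebuild the database with `cap_mkdb /etc/login.conf` if an
/etc/login.conf.db exists on the system, and move accounts into the class
with `usermod -L pci <user>`. Note also that `wsconsctl
display.screen_off` only blanks the console; it does not ask for the
password again, so on its own it does not satisfy 8.5.15.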