Darren,

This is a great idea. I very much support these types of changes being made to OpenSolaris. I do have one concern, namely, that the proposed settings do not meet the recommendations of groups such as the Center for Internet Security, the NSA, and DISA. You can find a copy of the CIS Solaris 10 Benchmark at:

http://www.opensolaris.org/os/community/security/files/CIS_Solaris_10_Benchmark_v4.pdf

The CIS recommendations were developed through consensus with representation from academia, industry and government, and I personally would prefer that we adopt their recommended values for these parameters wherever possible in order to minimize the amount of post-installation work customers will have to do in order to meet these guidelines. If we disagree with these parameters, then we should take our concerns to this group. Setting these parameters to values that do not match current Sun/CIS/NSA/DISA recommended practices is suboptimal at best (if we do not work with the groups to iron out our differences).

The CIS recommended values (for those you are proposing) are as follows:

1. /etc/default/passwd:HISTORY=10
2. /etc/default/passwd:PASSLENGTH=8
3. /etc/default/passwd:DICTIONDBDIR=/var/passwd

For these values, we are only talking about differing with respect to HISTORY (values of 2 versus 10). Note that the value of 10 comes more from the DISA site, and there is guidance in the CIS Benchmark that states that if this is too burdensome you could go with a value of 4. So, in this case, both 4 and 10 are accepted. Could we change your recommendation of 2 to match the CIS recommendation of 4? How fixed on 2 are you? :-)

In addition, CIS also recommends setting:

4. /etc/default/passwd:MINUPPER=1
5. /etc/default/passwd:MINLOWER=1

What do you think of these added restrictions?

In addition, of course, I very much support the new CRYPT_DEFAULT=5 option, as it has been requested by a number of customers. Having this as a default would be a welcome addition!

g

This message posted from opensolaris.org
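As an added example (not part of the original post, and not OpenSolaris or CIS code), here is a small Python checker that parses an /etc/default/passwd-style file and compares it against the CIS values quoted in the post. The sample file contents and the baseline table are constructed from the numbers in the post: HISTORY is checked against 4, the relaxed value the post says is also accepted, rather than 10; PASSLENGTH against 8; DICTIONDBDIR against /var/passwd; MINUPPER and MINLOWER against 1. CRYPT_DEFAULT is deliberately left out of the baseline because it is set in /etc/security/policy.conf, not in /etc/default/passwd. The function and variable names are this example's own.

```python
"""Check a Solaris-style /etc/default/passwd against the CIS values quoted in the post.

This is an illustrative checker written for this page; the sample file and the
baseline are constructed from the numbers in the discussion, not read from a system.
"""
import re

# Constructed sample: the proposal as described in the post (HISTORY=2,
# PASSLENGTH=8, DICTIONDBDIR=/var/passwd) with MINUPPER/MINLOWER still
# commented out, which is how an untouched Solaris 10 file ships them.
PROPOSED_DEFAULT_PASSWD = """\
# /etc/default/passwd (constructed sample, not a real system file)
MAXWEEKS=
MINWEEKS=
PASSLENGTH=8
HISTORY=2
DICTIONDBDIR=/var/passwd
#MINUPPER=0
#MINLOWER=0
"""

# Baseline taken from the CIS values listed in the post. "min" means the
# numeric value must be at least this large; "equals" means an exact match.
# HISTORY uses 4, the relaxed value the post says CIS also accepts.
CIS_BASELINE = {
    "HISTORY": ("min", 4),
    "PASSLENGTH": ("min", 8),
    "DICTIONDBDIR": ("equals", "/var/passwd"),
    "MINUPPER": ("min", 1),
    "MINLOWER": ("min", 1),
}

# One KEY=VALUE assignment; VALUE may be empty (e.g. "MAXWEEKS=").
_ASSIGNMENT = re.compile(r"^\s*([A-Z_][A-Z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_default_passwd(text):
    """Return {KEY: value} for the assignments that are actually in effect.

    Commented-out lines such as '#HISTORY=0' are skipped: a commented setting
    is not active, so the system falls back to its compiled-in default.
    """
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGNMENT.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_against_baseline(settings, baseline=CIS_BASELINE):
    """Return a list of (key, actual, expected) for every baseline entry not met.

    A key that is missing or empty counts as a failure: the file then does not
    enforce the baseline value, whatever the compiled-in default happens to be.
    """
    findings = []
    for key, (kind, want) in baseline.items():
        actual = settings.get(key)
        if actual is None or actual == "":
            findings.append((key, actual, want))
        elif kind == "min" and (not actual.isdigit() or int(actual) < want):
            findings.append((key, actual, want))
        elif kind == "equals" and actual != want:
            findings.append((key, actual, want))
    return findings


def remediate(text, baseline=CIS_BASELINE):
    """Return the file text with every failing key set to the baseline value.

    Both active and commented-out lines for a failing key are rewritten, so a
    leftover '#MINUPPER=0' becomes 'MINUPPER=1'; keys with no line at all are
    appended at the end of the file.
    """
    failing = {k: want for k, _, want in
               check_against_baseline(parse_default_passwd(text), baseline)}
    out, handled = [], set()
    for line in text.splitlines():
        m = _ASSIGNMENT.match(line.lstrip().lstrip("#"))
        if m and m.group(1) in failing:
            out.append(f"{m.group(1)}={failing[m.group(1)]}")
            handled.add(m.group(1))
        else:
            out.append(line)
    for key, want in failing.items():
        if key not in handled:
            out.append(f"{key}={want}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, actual, want in check_against_baseline(
            parse_default_passwd(PROPOSED_DEFAULT_PASSWD)):
        print(f"{key}: found {actual!r}, CIS wants {want!r}")
    print(remediate(PROPOSED_DEFAULT_PASSWD))
```

Run as-is it reports HISTORY, MINUPPER and MINLOWER against the constructed sample and prints a corrected file; to audit a real host, read /etc/default/passwd into `parse_default_passwd` instead of the sample string. Note that raising PASSLENGTH or HISTORY only affects passwords changed after the edit, so existing accounts are not retroactively brought into compliance.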
