Hi, I think everything you want is in login.conf(5).
You may need an external program to do 8.5.12.

On Wed, Oct 21, 2009 at 09:16:33AM -0400, Stuart VanZee wrote:
> The company I work for is having their yearly Payment Card Industry
> (PCI) assessment and while I believe that OpenBSD is the most secure
> OS going, I am having some problems proving it. Here are some of
> the issues I need to figure out.
>
> 8.5.9 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password parameters
> are set to require users to change passwords at least every
> 90 days.
> I have no idea how to set OpenBSD to do this, any suggestions?
>
> 8.5.10 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password parameters
> are set to require passwords to be at least seven characters long.
> I know that OpenBSD uses 6 characters, is there a way to change this?
>
> 8.5.12 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password parameters
> are set to require that new passwords cannot be the same as the
> four previously used passwords.
> I have no idea how to set OpenBSD to do this, any suggestions?
>
> 8.5.13 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password parameters
> are set to require that a user's account is locked out after not
> more than six invalid logon attempts.
>
> 8.5.14 For a sample of system components, obtain and inspect system
> configuration settings to verify that user password parameters
> are set to require that once a user's account is locked out, it
> remains locked for a minimum of 30 minutes or until a system
> administrator resets the account.
> 13 and 14 go together, I know that this isn't the scheme that OpenBSD
> uses. In OpenBSD, each time a user fails a password attempt it takes
> a little bit longer to get a new login prompt. Maybe if there was a
> way that I could set it so that by the time six failures happen that
> it takes 30 minutes to get the next login prompt. Does anyone know
> how to do this or have any other suggestion?
>
> 8.5.15 For a sample of system components, obtain and inspect system
> configuration settings to verify that system/session idle time
> out features have been set to 15 minutes or less.
> This one requires that a user must re-enter the password if their
> terminal is idle for more than 15 minutes. Any ideas how to do this
> with OpenBSD?
>
>
> I am sure that there are others out there that use OpenBSD in an environment
> that requires PCI compliance. How do you meet these requirements?
>
> BTW. While I usually don't mind constructive criticism, replies that
> attack the requirements rather than show how to meet them aren't at all
> helpful and are a complete waste of time. We all understand that a
> one-size-fits-all kind of standard like the PCI standard pretty much sucks
> as far as actual benefit goes, but arguing with the Payment Card Industry
> about it isn't an option, they don't listen, it's either comply with their
> standard or don't get PCI approval.
>
> Stuart van Zee
> [email protected]
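
An added example, not part of the original message: a small audit of login.conf(5)-style class records against requirements 8.5.9 and 8.5.10 as quoted above. The capability names `minpasswordlen` and `passwordtime` are taken from login.conf(5) rather than from this thread, the sample records are constructed, and the parser handles only the basic record syntax (continuation lines, `tc=` inheritance).

```python
import re
# Constructed sample in login.conf(5) syntax; not taken from a real system.
SAMPLE = r"""
# constructed example classes
default:\
    :minpasswordlen=6:

staff:\
    :minpasswordlen=8:\
    :passwordtime=90d:\
    :tc=default:
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}

def parse(text):
    """Return {class_name: {capability: value}} from login.conf text."""
    joined = re.sub(r"\\\n\s*", "", text)  # fold backslash-continued lines
    classes = {}
    for line in map(str.strip, joined.splitlines()):
        if not line or line.startswith("#"):
            continue
        names, *fields = line.split(":")
        caps = {}
        for field in filter(None, (f.strip() for f in fields)):
            key, _, val = field.partition("=")
            caps.setdefault(key, val)  # assumption: first occurrence wins
        classes[names.split("|")[0]] = caps
    return classes

def lookup(classes, cls, cap, seen=()):
    # Resolve a capability, following tc= to the parent class (loop-safe).
    caps = classes.get(cls, {})
    if cap in caps or "tc" not in caps or cls in seen:
        return caps.get(cap)
    return lookup(classes, caps["tc"], cap, seen + (cls,))

def seconds(value):  # "90d" or "12w" -> seconds
    return sum(int(n) * UNITS[u or "s"] for n, u in re.findall(r"(\d+)([smhdwy]?)", value))

def audit(classes, cls):
    """Return findings for PCI 8.5.9 and 8.5.10 for one login class."""
    findings = []
    minlen = int(lookup(classes, cls, "minpasswordlen") or 6)  # 6: default cited in the thread
    if minlen < 7:
        findings.append(f"8.5.10: minpasswordlen={minlen} (<7)")
    ptime = lookup(classes, cls, "passwordtime")
    if ptime is None or not 0 < seconds(ptime) <= 90 * 86400:
        findings.append(f"8.5.9: passwordtime={ptime} (need <=90d)")
    return findings
```

On a real host the input would be the contents of `/etc/login.conf`, audited once per login class actually assigned to users.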

