Stuart VanZee wrote:
The company I work for is having their yearly Payment Card Industry
(PCI) assessment and while I believe that OpenBSD is the most secure
OS going, I am having some problems proving it. Here are some of
the issues I need to figure out.
8.5.9 For a sample of system components, obtain and inspect system
configuration settings to verify that user password parameters
are set to require users to change passwords at least every
90 days.
I have no idea how to set OpenBSD to do this, any suggestions?
You configure this in the login class for users (probably the default
and staff login classes) - see login.conf(5).
8.5.10 For a sample of system components, obtain and inspect system
configuration settings to verify that user password parameters
are set to require passwords to be at least seven characters long.
I know that OpenBSD uses 6 characters; is there a way to change this?
login.conf(5)
8.5.12 For a sample of system components, obtain and inspect system
configuration settings to verify that user password parameters
are set to require that new passwords cannot be the same as the
four previously used passwords.
I have no idea how to set OpenBSD to do this, any suggestions?
You can specify a passwordcheck program in login.conf(5), which you
could use to store (hashes of) passwords that have been previously used
by each user.
8.5.13 For a sample of system components, obtain and inspect system
configuration settings to verify that user password parameters
are set to require that a user's account is locked out after not
more than six invalid logon attempts.
8.5.14 For a sample of system components, obtain and inspect system
configuration settings to verify that user password parameters
are set to require that once a user's account is locked out, it
remains locked for a minimum of 30 minutes or until a system
administrator resets the account.
13 and 14 go together. I know that this isn't the scheme that OpenBSD
uses. In OpenBSD, each time a user fails a password attempt it takes
a little bit longer to get a new login prompt. Maybe if there was a
way that I could set it so that by the time six failures happen that
it takes 30 minutes to get the next login prompt. Does anyone know
how to do this or have any other suggestion?
I don't, I'm afraid, and a quick Google (which could have answered some
of your other questions) suggests that it's come up before both on misc@
and elsewhere. I know you don't want to hear about how the PCI DSS is
wrong, but in this case their wrongness is, I think, the reason it's not
an available option.
You could likely implement this yourself with a custom login style, though.
8.5.15 For a sample of system components, obtain and inspect system
configuration settings to verify that system/session idle time
out features have been set to 15 minutes or less.
This one requires that a user must re-enter the password if their
terminal is idle for more than 15 minutes. Any ideas how to do this
with OpenBSD?
You might be able to do this with tmux(1), if you force it to be started
for every user with some kind of global configuration. You might also
be able to go for strictly X11 logins, and then use xlock.
--
Matthew Weigel
hacker
unique & idempot . ent
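Putting the login.conf(5) answers for 8.5.9 and 8.5.10 and the passwordcheck suggestion for 8.5.12 into working form, as an added example that is not code from the original thread or from OpenBSD. The login.conf(5) capabilities used (minpasswordlen, passwordtime, passwordcheck) are real; the history directory, the script path, and running python3 from packages are assumptions, and the hook's contract as assumed here (passwd(1) hands the new password to the checker on standard input and accepts it only on exit status 0, with no indication of which account is being changed) should be verified against login.conf(5) and the passwd(1) source on the release in use.

```python
#!/usr/bin/env python3
"""Password-history checker for OpenBSD's login.conf(5) passwordcheck hook.

Added example, not part of the original thread.  Assumptions:
  * python3 is installed from packages (it is not in the OpenBSD base system);
  * passwd(1) runs the passwordcheck program via sh(1) with the new password
    on standard input and accepts it only on exit status 0;
  * passwd(1) does not tell the checker which account is being changed, so
    the account is taken from $USER (correct only for self-service changes);
  * HISTORY_DIR and the install path below are hypothetical names.

Matching login.conf(5) fragment for the default (and staff) class:

    :minpasswordlen=7:\\
    :passwordtime=90d:\\
    :passwordcheck=/usr/local/sbin/pwhistory-check:\\
"""
import hashlib
import hmac
import os
import secrets
import sys

HISTORY_DIR = "/var/db/pwhistory"  # hypothetical; root-owned, mode 0700
KEEP = 4                            # PCI DSS 8.5.12: last four passwords
ITERATIONS = 100_000                # PBKDF2-HMAC-SHA256 work factor


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the history file is not a cheap offline oracle."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def matches(password: str, entry: str) -> bool:
    """entry is 'hexsalt$hexhash'; compare in constant time."""
    salt_hex, hash_hex = entry.split("$", 1)
    return hmac.compare_digest(derive(password, bytes.fromhex(salt_hex)),
                               bytes.fromhex(hash_hex))


def check_and_update(password: str, entries: list, keep: int = KEEP):
    """Return (accepted, new_entries).

    Rejects a password equal to any of the last `keep` entries; otherwise
    appends a fresh salted hash and drops anything older than `keep`.
    """
    recent = entries[-keep:]
    if any(matches(password, e) for e in recent):
        return False, list(entries)
    salt = secrets.token_bytes(16)
    new_entry = f"{salt.hex()}${derive(password, salt).hex()}"
    return True, (recent + [new_entry])[-keep:]


def load_history(path: str) -> list:
    try:
        with open(path) as f:
            return [line.strip() for line in f if "$" in line]
    except FileNotFoundError:
        return []


def save_history(path: str, entries: list) -> None:
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("".join(e + "\n" for e in entries))
    os.replace(tmp, path)  # atomic: a crash never leaves a torn history file


def main() -> int:
    user = os.environ.get("USER", "")
    if not user or "/" in user or user in (".", ".."):
        sys.stderr.write("pwhistory-check: cannot determine account\n")
        return 1  # fail closed: passwd(1) refuses the change
    password = sys.stdin.read().rstrip("\n")
    path = os.path.join(HISTORY_DIR, user)
    accepted, entries = check_and_update(password, load_history(path))
    if not accepted:
        sys.stderr.write("Password matches one of your last %d passwords\n" % KEEP)
        return 1
    save_history(path, entries)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats a practitioner should weigh. The hook runs before passwd(1) commits the change, so the new hash is recorded at check time; if the database write then fails, the history is one entry ahead of reality, which is the price of the only hook login.conf(5) offers. And any error (unwritable history directory, unreadable file) raises and exits non-zero, so the check fails closed rather than silently accepting a reused password. None of this addresses 8.5.13 and 8.5.14, which, as the reply says, need a custom login style.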