Payment Card Industry (PCI) Data Security Standard HELP!

Payment Card Industry (PCI) Data Security Standard HELP!

Stuart VanZee
The company I work for is having their yearly Payment Card Industry
(PCI) assessment and while I believe that OpenBSD is the most secure
OS going, I am having some problems proving it.  Here are some of
the issues I need to figure out.

8.5.9    For a sample of system components, obtain and inspect system
         configuration settings to verify that user password parameters
         are set to require users to change passwords at least every
         90 days.
     I have no idea how to set OpenBSD to do this, any suggestions?

8.5.10   For a sample of system components, obtain and inspect system
         configuration settings to verify that user password parameters
         are set to require passwords to be at least seven characters long.
     I know that OpenBSD uses 6 characters, is there a way to change this?

8.5.12   For a sample of system components, obtain and inspect system
         configuration settings to verify that user password parameters
         are set to require that new passwords cannot be the same as the
         four previously used passwords.
     I have no idea how to set OpenBSD to do this, any suggestions?

8.5.13   For a sample of system components, obtain and inspect system
         configuration settings to verify that user password parameters
         are set to require that a user's account is locked out after not
         more than six invalid logon attempts.

8.5.14   For a sample of system components, obtain and inspect system
         configuration settings to verify that user password parameters
         are set to require that once a user's account is locked out, it
         remains locked for a minimum of 30 minutes or until a system
         administrator resets the account.
     13 and 14 go together, I know that this isn't the scheme that OpenBSD
     uses.  In OpenBSD, each time a user fails a password attempt it takes
     a little bit longer to get a new login prompt.  Maybe if there was a
     way that I could set it so that by the time six failures happen that
     it takes 30 minutes to get the next login prompt.  Does anyone know
     how to do this or have any other suggestion?

8.5.15   For a sample of system components, obtain and inspect system
         configuration settings to verify that system/session idle time
         out features have been set to 15 minutes or less.
     This one requires that a user must re-enter the password if their
     terminal is idle for more than 15 minutes.  Any ideas how to do this
     with OpenBSD?


I am sure that there are others out there that use OpenBSD in an environment
that requires PCI compliance.  How do you meet these requirements?

BTW.  While I usually don't mind constructive criticism, replies that
attack the requirements rather than show how to meet them aren't at all
helpful and are a complete waste of time.  We all understand that a
one-size-fits-all kind of standard like the PCI standard pretty much sucks
as far as actual benefit goes, but arguing with the Payment Card Industry
about it isn't an option, they don't listen, it's either comply with their
standard or don't get PCI approval.

Stuart van Zee
[hidden email]


Re: Payment Card Industry (PCI) Data Security Standard HELP!

Vadim Zhukov
On 21 October 2009 c. 17:16:33 Stuart VanZee wrote:
> The company I work for is having their yearly Payment Card Industry
> (PCI) assessment and while I believe that OpenBSD is the most secure
> OS going, I am having some problems proving it.  Here are some of
> the issues I need to figure out.

I'm assuming you're talking about console logins. If you're creating a Web
interface, for example, then you have to implement such restrictions
there; it has nothing to do with OpenBSD in that case.

> 8.5.9    For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password
> parameters are set to require users to change passwords at least every
> 90 days.
>      I have no idea how to set OpenBSD to do this, any suggestions?

See login.conf(5), password-dead and password-warn.

> 8.5.10   For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password
> parameters are set to require passwords to be at least seven
> characters long. I know that OpenBSD uses 6 characters, is there a way
> to change this?

Same, minpasswordlen.

> 8.5.12   For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password
> parameters are set to require that new passwords cannot be the same as
> the four previously used passwords.
>      I have no idea how to set OpenBSD to do this, any suggestions?

AFAIK, there is no such mechanism available, but you can use
passwordcheck in login.conf(5).

> 8.5.13   For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password
> parameters are set to require that a user's account is locked out after
> not more than six invalid logon attempts.

AFAIK, no default mechanism too. Looks like this requires playing with
login-tries and custom auth style.

> 8.5.14   For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password
> parameters are set to require that once a user's account is locked out,
> it remains locked for a minimum of 30 minutes or until a system
> administrator resets the account.
>      13 and 14 go together, I know that this isn't the scheme that
> OpenBSD uses.  In OpenBSD, each time a user fails a password attempt
> it takes a little bit longer to get a new login prompt.  Maybe if
> there was a way that I could set it so that by the time six failures
> happen that it takes 30 minutes to get the next login prompt.  Does
> anyone know how to do this or have any other suggestion?

Same as previous.

> 8.5.15   For a sample of system components, obtain and inspect system
>          configuration settings to verify that system/session idle
> time out features have been set to 15 minutes or less.
>      This one requires that a user must re-enter the password if their
>      terminal is idle for more than 15 minutes.  Any ideas how to do
> this with OpenBSD?

wsconsctl display.screen_off=$((15*60000))

... Hope all this helps.

--
  Best wishes,
    Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?


Re: Payment Card Industry (PCI) Data Security Standard HELP!

Nicholas Marriott-2
In reply to this post by Stuart VanZee
Hi

I think everything you want is in login.conf(5).

You may need an external program to do 8.5.12.


On Wed, Oct 21, 2009 at 09:16:33AM -0400, Stuart VanZee wrote:

> The company I work for is having their yearly Payment Card Industry
> (PCI) assessment and while I believe that OpenBSD is the most secure
> OS going, I am having some problems proving it.  Here are some of
> the issues I need to figure out.
>
> 8.5.9    For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password parameters
>          are set to require users to change passwords at least every
>          90 days.
>      I have no idea how to set OpenBSD to do this, any suggestions?
>
> 8.5.10   For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password parameters
>          are set to require passwords to be at least seven characters long.
>      I know that OpenBSD uses 6 characters, is there a way to change this?
>
> 8.5.12   For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password parameters
>          are set to require that new passwords cannot be the same as the
>          four previously used passwords.
>      I have no idea how to set OpenBSD to do this, any suggestions?
>
> 8.5.13   For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password parameters
>          are set to require that a user's account is locked out after not
>          more than six invalid logon attempts.
>
> 8.5.14   For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password parameters
>          are set to require that once a user's account is locked out, it
>          remains locked for a minimum of 30 minutes or until a system
>          administrator resets the account.
>      13 and 14 go together, I know that this isn't the scheme that OpenBSD
>      uses.  In OpenBSD, each time a user fails a password attempt it takes
>      a little bit longer to get a new login prompt.  Maybe if there was a
>      way that I could set it so that by the time six failures happen that
>      it takes 30 minutes to get the next login prompt.  Does anyone know
>      how to do this or have any other suggestion?
>
> 8.5.15   For a sample of system components, obtain and inspect system
>          configuration settings to verify that system/session idle time
>          out features have been set to 15 minutes or less.
>      This one requires that a user must re-enter the password if their
>      terminal is idle for more than 15 minutes.  Any ideas how to do this
>      with OpenBSD?
>
>
> I am sure that there are others out there that use OpenBSD in an environment
> that requires PCI compliance.  How do you meet these requirements?
>
> BTW.  While I usually don't mind constructive criticism, replies that
> attack the requirements rather than show how to meet them aren't at all
> helpful and are a complete waste of time.  We all understand that a
> one-size-fits-all kind of standard like the PCI standard pretty much sucks
> as far as actual benefit goes, but arguing with the Payment Card Industry
> about it isn't an option, they don't listen, it's either comply with their
> standard or don't get PCI approval.
>
> Stuart van Zee
> [hidden email]


Re: Payment Card Industry (PCI) Data Security Standard HELP!

K Kadow
In reply to this post by Stuart VanZee
On Wed, Oct 21, 2009 at 8:16 AM, Stuart VanZee <[hidden email]>
wrote:
> The company I work for is having their yearly Payment Card Industry
> (PCI) assessment and while I believe that OpenBSD is the most secure
> OS going, I am having some problems proving it.  Here are some of
> the issues I need to figure out.

Most of these requirements can be met by eliminating local user
passwords entirely.

That is, disable "passwd" login type in login.conf and use an external
authentication mechanism (e.g login_radius).  Then all of these
enforcement behaviors are a problem for the RADIUS server, not each
individual machine (aside from root logins on the actual console).

If no central RADIUS is available, or if a local fallback is needed, a
second option might be to convert to S/Key locally on each machine.
As an OTP, this may be exempt from the lockout/retry/reuse
requirements of PCI?


>     This one requires that a user must re-enter the password if their
>     terminal is idle for more than 15 minutes.  Any ideas how to do this
>     with OpenBSD?

I use 'idled' to log out idle SSH/console sessions.


> I am sure that there are others out there that use OpenBSD in an environment
> that requires PCI compliance.  How do you meet these requirements?


Re: Payment Card Industry (PCI) Data Security Standard HELP!

Matthew Weigel
In reply to this post by Stuart VanZee
Stuart VanZee wrote:

> The company I work for is having their yearly Payment Card Industry
> (PCI) assessment and while I believe that OpenBSD is the most secure
> OS going, I am having some problems proving it.  Here are some of
> the issues I need to figure out.
>
> 8.5.9    For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password parameters
>          are set to require users to change passwords at least every
>          90 days.
>      I have no idea how to set OpenBSD to do this, any suggestions?

You configure this in the login class for users (probably the default
and staff login classes) - see login.conf(5).

> 8.5.10   For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password parameters
>          are set to require passwords to be at least seven characters long.
>      I know that OpenBSD uses 6 characters, is there a way to change this?

login.conf(5)

> 8.5.12   For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password parameters
>          are set to require that new passwords cannot be the same as the
>          four previously used passwords.
>      I have no idea how to set OpenBSD to do this, any suggestions?

You can specify a passwordcheck program in login.conf(5), which you
could use to store (hashes of) passwords that have been previously used
by each user.

> 8.5.13   For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password parameters
>          are set to require that a user's account is locked out after not
>          more than six invalid logon attempts.
>
> 8.5.14   For a sample of system components, obtain and inspect system
>          configuration settings to verify that user password parameters
>          are set to require that once a user's account is locked out, it
>          remains locked for a minimum of 30 minutes or until a system
>          administrator resets the account.
>      13 and 14 go together, I know that this isn't the scheme that OpenBSD
>      uses.  In OpenBSD, each time a user fails a password attempt it takes
>      a little bit longer to get a new login prompt.  Maybe if there was a
>      way that I could set it so that by the time six failures happen that
>      it takes 30 minutes to get the next login prompt.  Does anyone know
>      how to do this or have any other suggestion?

I don't, I'm afraid, and a quick Google (which could have answered some
of your other questions) suggests that it's come up before both on misc@
and elsewhere.  I know you don't want to hear about how the PCI DSS is
wrong, but in this case their wrongness is, I think, the reason it's not
an available option.

You could likely implement this yourself with a custom login style, though.

> 8.5.15   For a sample of system components, obtain and inspect system
>          configuration settings to verify that system/session idle time
>          out features have been set to 15 minutes or less.
>      This one requires that a user must re-enter the password if their
>      terminal is idle for more than 15 minutes.  Any ideas how to do this
>      with OpenBSD?

You might be able to do this with tmux(1), if you force it to be started
for every user with some kind of global configuration.  You might also
be able to go for strictly X11 logins, and then use xlock.
--
  Matthew Weigel
  hacker
  unique & idempot . ent
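A login.conf(5) class that sets the values Vadim and Matthew point at for 8.5.9, 8.5.10 and 8.5.12, as an added example rather than anything posted in the thread. The checker path is a placeholder, and the reading of passwordtries comes from the passwd(1) source rather than from the thread, so confirm both against your release's manual pages.

```conf
# Added example, not from the thread: password rules for the "default" class.
# passwordtime    8.5.9: passwd(1) stamps the next expiry date 90 days ahead
# password-warn   warn users this far ahead of expiry
# minpasswordlen  8.5.10: seven characters instead of the default six
# passwordcheck   8.5.12: external program fed the candidate on stdin (assumed path)
# passwordtries   0 so passwd(1) never stops running the quality checks after
#                 repeated rejections (my reading of passwd(1), verify it)
# login-tries     login(1) gives up after six failures in one session
# login-backoff   failures before login(1) starts delaying the next prompt
# Comments cannot sit inside the entry: every line but the last ends in "\".
default:\
	:passwordtime=90d:\
	:password-warn=2w:\
	:minpasswordlen=7:\
	:passwordcheck=/usr/local/libexec/pwhistory:\
	:passwordtries=0:\
	:login-tries=6:\
	:login-backoff=3:\
	:tc=auth-defaults:
```

Existing accounts get an expiry date only once passwd(1) or chpass(1) sets one, and if /etc/login.conf.db exists it has to be rebuilt with cap_mkdb(1) after editing. login-tries and login-backoff only shape a single login(1) session, which is why they cannot by themselves satisfy 8.5.13 and 8.5.14.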


Re: Payment Card Industry (PCI) Data Security Standard HELP!

Stuart VanZee
In reply to this post by Stuart VanZee
> Matthew Weigel
>
> I don't, I'm afraid, and a quick Google (which could have answered some
> of your other questions) suggests that it's come up before both on misc@
> and elsewhere.  I know you don't want to hear about how the PCI DSS is
> wrong, but in this case their wrongness is, I think, the reason it's not
> an available option.
>
> You could likely implement this yourself with a custom login style, though.
>

Thank you all for the help.

Yes, more than a few people have pointed out how poorly
I did at Googling this.  I really have no excuses for that.
I was searching from the wrong direction I guess.

On the bright side, because this list houses some of the best
brainpower anywhere I have all but two of the requirements
finished (yes, the easy ones) and one of the two left I'm sure
I can handle on my own.  That being 8.5.12 which forces users
not to reuse passwords.  I'm pretty sure a passwordcheck in
login.conf will do that once I code the program to track them.

The last is 8.5.13 locking users out after 6 failed login
attempts.  Quite frankly I find this to be a pretty stupid
requirement as it causes a built-in denial of service. I see
how creating a custom Authentication style would allow me to
do this (in spite of my reservations), but I don't really do
much in the way of C coding these days.  I have been looking
at the code in login.c and login_passwd.c and I understand
about half of it (I think).  If anyone could give me a shove
in the right direction I would sincerely appreciate it.

s
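A skeleton for the program Matthew suggests and Stuart says he will write for 8.5.12: an added example, not code from the thread or from OpenBSD. It assumes it is wired in as the passwordcheck program in login.conf(5), that the username reaches it as an argument or from the environment, and a placeholder history path; running the `record` step after a change has actually succeeded is left to a wrapper, since the checker itself only sees candidates.

```python
#!/usr/bin/env python3
"""Password-history check for PCI DSS 8.5.12 (added example, not from the thread).

passwd(1) writes the candidate password to the passwordcheck program's stdin and
accepts it only on exit status 0; this keeps salted hashes of each user's last
four passwords and rejects any candidate that matches one of them.
"""
import getpass, hashlib, hmac, json, os, sys

HISTORY_DEPTH = 4                        # 8.5.12: the four previous passwords
HISTORY_FILE = "/var/db/pwhistory.json"  # assumed path; restrict its permissions
ITERATIONS = 100_000                     # PBKDF2 work factor

def hash_password(password, salt):
    """Salted PBKDF2-SHA256, so the history never stores old passwords in clear."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def matches(entry, password):
    """Re-derive with the entry's own salt and compare in constant time."""
    salt = bytes.fromhex(entry.split("$", 1)[0])
    return hmac.compare_digest(hash_password(password, salt), entry)

def password_reused(history, user, password):
    """True if the candidate equals one of the user's last HISTORY_DEPTH passwords."""
    return any(matches(e, password) for e in history.get(user, [])[-HISTORY_DEPTH:])

def record_password(history, user, password):
    """Append a fresh salted hash and keep only the newest HISTORY_DEPTH entries."""
    entries = history.get(user, []) + [hash_password(password, os.urandom(16))]
    history[user] = entries[-HISTORY_DEPTH:]
    return history

def load_history(path=HISTORY_FILE):
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)

def save_history(history, path=HISTORY_FILE):
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(history, f)

def main():
    # "check [user]"  : the passwordcheck hook; a non-zero exit makes passwd(1) refuse
    # "record [user]" : run after a change succeeded, so the new password is remembered
    # Taking the user from argv or getpass.getuser() is an assumption of this example.
    action = sys.argv[1] if len(sys.argv) > 1 else "check"
    user = sys.argv[2] if len(sys.argv) > 2 else getpass.getuser()
    password = sys.stdin.readline().rstrip("\n")
    history = load_history()
    if action == "check" and password_reused(history, user, password):
        sys.exit("Password matches one of your last %d passwords" % HISTORY_DEPTH)
    if action == "record":
        save_history(record_password(history, user, password))

if __name__ == "__main__":
    main()
```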


Re: Payment Card Industry (PCI) Data Security Standard HELP!

Matthew Weigel
Stuart VanZee wrote:

> The last is 8.5.13 locking users out after 6 failed login
> attempts.  Quite frankly I find this to be a pretty stupid
> requirement as it causes a built-in denial of service. I see
> how creating a custom Authentication style would allow me to
> do this (in spite of my reservations), but I don't really do
> much in the way of C coding these days.  I have been looking
> at the code in login.c and login_passwd.c and I understand
> about half of it (I think).  If anyone could give me a shove
> in the right direction I would sincerely appreciate it.

You might also want to see if you can accomplish what you want with
login_radius or login_ldap (the latter is in ports) and a RADIUS or LDAP
server.
--
  Matthew Weigel
  hacker
  unique & idempot . ent


Re: Payment Card Industry (PCI) Data Security Standard HELP!

Vadim Zhukov
In reply to this post by Stuart VanZee
On 22 October 2009 c. 22:58:53 Stuart VanZee wrote:
> The last is 8.5.13 locking users out after 6 failed login
> attempts.  Quite frankly I find this to be a pretty stupid
> requirement as it causes a built-in denial of service. I see
> how creating a custom Authentication style would allow me to
> do this (in spite of my reservations), but I don't really do
> much in the way of C coding these days.  I have been looking
> at the code in login.c and login_passwd.c and I understand
> about half of it (I think).  If anyone could give me a shove
> in the right direction I would sincerely appreciate it.

Maybe I'll say something stupid, but couldn't it be treated as a "reset
login session"? Then you can easily tune it via login.conf. I'd suggest
you have a talk with someone who has already implemented this requirement...

--
  Best wishes,
    Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?


Re: Payment Card Industry (PCI) Data Security Standard HELP!

Wakefield-2
In reply to this post by Stuart VanZee
> On the bright side, because this list houses some of the best
> brainpower anywhere I have all but two of the requirements
> finished (yes, the easy ones) and one of the two left I'm sure
> I can handle on my own.

Would you mind sharing any non-confidential OpenBSD-related
questions/answers of the PCI questionnaire with the list?