[Fed-Talk] Re: Please help (NISPOM Compliance)
- Subject: [Fed-Talk] Re: Please help (NISPOM Compliance)
- From: "Dan O'Donnell" <email@hidden>
- Date: Thu, 04 Aug 2005 12:27:24 -0700
On 8/4/05 12:04 PM, "email@hidden"
<email@hidden> wrote:
>
> Debbie Tropiano wrote:
>
>> Hello -
>>
>> I posted this on Friday and have gotten no replies...
>>
>> Is it even possible to meet all of the NISPOM requirements with a Mac?
>> Or should I just give up now and remove them from my network? Without
>> any assistance or pointers, that's the only option that I have left.
>>
>> Anyway, I've installed (but still need to figure out) the Common
>> Criteria tools which I gather handles the system auditing aspect.
>> We're using a custom developed server for user authentication, so
>> have the password rules covered (strong passwords, expiration, etc)
>> via NIS, but it doesn't handle the unsuccessful login problem.
>> I've read that can be handled via PAM. Has anyone successfully
>> done this? If so, what needs to be done? Is there something else
>> that needs to be installed or what?
>>
>>
>>
> Enforceable password policy has been mentioned many, many times and I
> have yet to see a satisfactory answer for NASA's needs either
Consider that you may need to do some degree of implementation of the following.
(Devil is in the details too...)
1. Locking screen saver.
Comes on at :10 min. of inactivity and requires account/password to unlock.
These are configurable by account, but you can set it to this as default for
new accounts by editing the plist file at
/System/Library/Frameworks/Screensaver.framework/Resources/EngineDefaults.plist.
2. Audit Logging
Requires Apple's Common Criteria tools (separate installs for 10.3.6-.9 vs.
10.4.x). This also requires adding a line in /etc/hostconfig for
AUDIT=-YES-. Read the PDF in the CC installer. Shawn wrote it and it is well
written (good explanations clearly made). Audit logs (syslog) probably have
to be forwarded to and stored on a different machine. Be advised that these
files can get big, especially if the machine is not restarted for long
periods.
3. Password complexity
This is controlled by a directory server. Your choice whether to use Active
Directory (Windows), LDAP (*nix) or Open Directory (OSX Server). Complexity
requirements are: a) expiration at 90 days, b) minimum of eight non-blank
characters, letters and numbers, c) special characters and upper and lower
case in the alpha characters, and d) lockout after specified number of
unsuccessful attempts to login.
(Bonus points if you figure out how to do c.) Check man pwpolicy for more
info on the built-in capabilities. (Be advised that being in the man pages
doesn't mean that it works without a server.)
4. Directory authentication may or may not be required by your inspector,
but if it is not yet, anticipate that it will be soon.
Apple has the Active Directory plug-in built in to Directory Access. While
it works, it is rudimentary compared to third-party options. It also has
some problems (UID conflicts) if there are accounts (other than local root)
already on the box.
5. Clearing machines (YMMV)
To make a machine eligible to return to the outside world you may need to
wipe its hard drive so that nothing can be recovered from the drive.
Existing files can be securely removed with srm (man srm), but wiping free
space may require other methods.
<http://www.jiiva.com/> - AutoScrubber
<http://www.subrosasoft.com/thestore/downloads.php> - File Utilities
Freerasor
<http://www.allume.com/mac/secure_delete/>
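A small self-check for items 1 through 3 above, as an added example that is not part of the original post. It assumes a copy of /etc/hostconfig is passed in by path, uses the thresholds named in the post (10 minutes idle, 8 characters, the four character classes), and runs against a constructed sample file rather than a live machine.

```shell
#!/bin/sh
# Added example (not from the original post): checks for NISPOM items 1-3
# as described in the message. Paths are arguments, so the functions can be
# run against copies of the real files or, as here, against constructed data.
LC_ALL=C; export LC_ALL

# Item 1: screen saver idle time (seconds) must be set and at most 10 minutes.
idle_time_ok() { [ "$1" -gt 0 ] && [ "$1" -le 600 ]; }

# Item 2: the hostconfig file must carry the line AUDIT=-YES-.
audit_enabled() { grep -q '^AUDIT=-YES-$' "$1"; }

# Item 3b/3c: eight or more non-blank characters, with at least one lower-case
# letter, one upper-case letter, one digit and one special character.
pw_meets_policy() {
  pw=$1
  [ "${#pw}" -ge 8 ] || return 1
  case $pw in *[[:space:]]*) return 1 ;; esac
  for class in '[[:lower:]]' '[[:upper:]]' '[[:digit:]]' '[^[:alnum:]]'; do
    printf '%s' "$pw" | grep -q "$class" || return 1
  done
  return 0
}

# Constructed sample standing in for /etc/hostconfig (assumed content).
SAMPLE_HOSTCONFIG=$(mktemp)
printf 'AFPSERVER=-NO-\nAUDIT=-YES-\nNFSLOCKS=-AUTOMATIC-\n' > "$SAMPLE_HOSTCONFIG"

# One PASS/FAIL line per item, using constructed inputs.
report() {
  idle_time_ok 600 && echo "screensaver idle: PASS" || echo "screensaver idle: FAIL"
  audit_enabled "$SAMPLE_HOSTCONFIG" && echo "audit logging: PASS" || echo "audit logging: FAIL"
  pw_meets_policy 'Ex4mple!Pw' && echo "password complexity: PASS" || echo "password complexity: FAIL"
}
report
```

The lockout-after-N-failures requirement (item 3d) is deliberately not covered here, since the post itself notes that it depends on the directory server rather than on a local file.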