Hi all, I'm in the same boat as Deb.
Here's one of the tests that my Mac would be subjected to:
My scenario requires no network whatsoever, so for me I need to do local accounts only. When I'm done for the day I lock my HD in an approved safe. (Or my entire Mac Mini)
It seems that the pwpolicy stuff is there, it's just that the OS completely disregards it. You set Global Policy, you check Global Policy, looks good, you create new user, and Global Policy is right out the window. You check Global Policy and it's set fine. So the Global settings are not consulted when you create a new user (at least through the GUI - maybe CLI "new user" sticks with Global policy? - I dunno)
I've been wishing that there might be a way for someone to write up a new login "front-end" that might be better than the default login approach - unless Apple can come up with a DoD login option (?)
Another (minor) sticking point is the DoD Banner requirement at Login time. The current technique loses any font or bolded info and has a fixed max length.
I initially thought the end-all solution would be found in the CC Tools, but they're only part of the requirement (the audit part).
To answer Deb's concern about the "failed logins" I think that the auditd can be configured to do this by changing values in the file "audit_control" located in location:
/private/etc/security/audit_control
I got the flag values from the UNIX config guide - file "UNIX-STIG-V4R4-09-15-2003-FINAL-Revised-9-25-2003.doc" - sorry no link
It would be nice if there was a nice GUI to do all this.
--Shawn - I really appreciate all the work you've done so far. Any chance this can be on Apple Federal's ToDo list soon?
Jason
_____________________________________
Jason C. Dickinson
Terahertz Scientist
Submillimeter-Wave Technology Laboratory
University of Massachusetts Lowell
______________________________________
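Jason's note about audit_control above doesn't show the actual flag values, so here is an added check script (not from the original post or from the STIG document he cites) that a reviewer could run against a copy of /private/etc/security/audit_control before trusting it to capture failed logins. It assumes the standard OpenBSM audit_control format (a `flags:` line for attributable events and a `naflags:` line for non-attributable ones, each a comma-separated list of audit classes) and that the `lo` (login/logout) class is the one that records authentication successes and failures; both sample files are constructed for this example.

```shell
#!/bin/sh
# Added example: verify that an OpenBSM audit_control file enables the
# login/logout audit class ("lo") in both the attributable ("flags") and
# non-attributable ("naflags") event lists. The samples below are
# constructed; on a real Mac the live file is
# /private/etc/security/audit_control.

# Constructed sample with the weak setting: no classes selected at all,
# so failed logins would never reach the audit trail.
SAMPLE_WEAK='dir:/var/audit
flags:
minfree:20
naflags:
policy:cnt
filesz:2M'

# Constructed sample with login/logout (lo) and authentication/
# authorization (aa) classes selected.
SAMPLE_OK='dir:/var/audit
flags:lo,aa
minfree:20
naflags:lo,aa
policy:cnt,argv
filesz:2M'

# has_class FILE KEY CLASS
# Exit 0 if the comma-separated list on the "KEY:" line of FILE contains
# CLASS as an exact item, 1 otherwise.
has_class() {
    file=$1; key=$2; class=$3
    # Anchored at ^ so "flags:" never matches the "naflags:" line.
    sed -n "s/^${key}:\(.*\)$/\1/p" "$file" | tr ',' '\n' | grep -qx "$class"
}

# check_audit_control FILE
# Print one verdict per list and exit 0 only if "lo" is present in both
# flags and naflags.
check_audit_control() {
    file=$1
    rc=0
    if has_class "$file" flags lo; then
        echo "flags: login/logout class (lo) enabled"
    else
        echo "flags: login/logout class (lo) MISSING"; rc=1
    fi
    if has_class "$file" naflags lo; then
        echo "naflags: login/logout class (lo) enabled"
    else
        echo "naflags: login/logout class (lo) MISSING"; rc=1
    fi
    return $rc
}

# Demo: write the constructed samples to temp files and check both.
WEAK=$(mktemp); OK=$(mktemp)
printf '%s\n' "$SAMPLE_WEAK" > "$WEAK"
printf '%s\n' "$SAMPLE_OK" > "$OK"
check_audit_control "$WEAK" || echo "-> weak sample would not record failed logins"
check_audit_control "$OK" && echo "-> ok sample records login/logout events"
```

To use it against the real file, call `check_audit_control /private/etc/security/audit_control`; auditd reads the file at startup, so a change to the flags lines takes effect only after the audit daemon is restarted.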