Subject: Re: Chapter 8 security
To: None <tls@rek.tjls.com>
From: Bob Nestor <rnestor@augustmail.com>
List: tech-security
Date: 04/16/2004 18:19:02
On Apr 16, 2004, at 2:03 PM, Thor Lancelot Simon wrote:

> FWIW, I just quickly read over the chapter, in particular section 6.
> It seems to me that nothing is required that can't be easily done with
> standard Unix facilities and some simple written policy for 
> administrators.
>
> The only two areas that look vaguely problematic are:
>
> 1) The password-strength requirements earlier in the document (you'll need
>    to modify /etc/passwd to enforce these restrictions, but I believe you
>    can in fact use the cracklib package to do this quite easily)
>
> 2) The "transaction log of all system changes" at integrity (or was it
>    audit?) level 2.  This probably requires forcing all changes to system
>    configuration information to go through a setuid tool that logs them;
>    alternately, you could force all root access to the system (whether
>    by login or by sudo) to use a shell that writes to an append-only
>    log file or logs over the network.
>
> Neither of these would be particularly troublesome to solve.

I really appreciate all the suggestions, tips and pointers people have 
been sending and posting.  The problem isn't so much finding ways of 
complying with the requirements but finding or defining a way that's 
acceptable to Security.  Most Security people who are responsible for 
enforcing and auditing systems for compliance aren't really computer 
knowledgeable and they're basically unwilling to push back on 
requirements they've been told to work with.  As a result they tend to 
shy away from breaking any new ground on how to do something and will 
only accept or approve Procedures for local use that have been approved 
elsewhere.

My reason for asking about Chapter 8 here was to see if anyone has 
addressed the requirements for NetBSD and has an approved plan in place 
that they'd be willing to share.  If I can point to a facility that is 
currently in compliance with Chapter 8 and has an approved plan that I 
can hand to my Security folks I'd only have to implement the plan.  If 
I have to interpret the Chapter 8 requirements, write a plan for 
compliance and work to push it up the line for acceptance I'm probably 
looking at many months of full-time work during which my systems will 
be turned off.  My Program can't afford that and I'll be forced to look 
for non-NetBSD solutions that already have approved plans in place.  
I'm resisting that because I'll lose the opportunity to promote NetBSD 
inside my company and with my customer and it will cost my employer and 
my customer a lot of time and money which doesn't really seem 
necessary.  (In my case the systems are in a closed area and not 
connected to the outside world.  Unless someone carries something out 
of the room with them, nothing can get out.  So the requirement to 
comply with Chapter 8 seems somewhat unnecessary and excessive, but 
that argument is a non-starter.)

If people had some proposed or approved plans that they'd be willing to 
share, possibly via the NetBSD Web-site, this would go a long way to 
help promote the use of NetBSD, especially in secure environments.

Thanks again,
-bob