Subject: Re: Chapter 8 security
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: current-users
Date: 04/16/2004 15:03:25

On Fri, Apr 16, 2004 at 02:56:13PM -0400, Thor Lancelot Simon wrote:
> On Fri, Apr 16, 2004 at 10:24:17AM -0600, John R. Shannon wrote:
> > The document source is:
> > 
> > http://www.dss.mil/isec/nispom.htm
> > 
> > The reference is to Chapter 8 of the National Industrial Security Program 
> > (NISPOM). Contractors that handle classified data must comply with NISPOM.
> 
> I'm familiar with this document, but not with the chapter in question,
> which seems to be new in Change 2.
> 
> I'd be willing to prepare a document on how to make a NetBSD system
> fit the Protection Requirements of section 6, but not for free -- this
> kind of standards-conformance work is *hard*, and I'm *busy*!  On the
> other hand perhaps someone with similar interests and more time will
> step forward; it'd certainly be a significant feather in the Project's
> cap.

FWIW, I just quickly read over the chapter, in particular section 6.
It seems to me that nothing is required that can't be easily done with
standard Unix facilities and some simple written policy for administrators.

The only two areas that look vaguely problematic are:

1) The password-strength requirements earlier in the document (you'll need
   to modify /etc/passwd to enforce these restrictions, but I believe you
   can in fact use the cracklib package to do this quite easily)

2) The "transaction log of all system changes" at integrity (or was it
   audit?) level 2.  This probably requires forcing all changes to system
   configuration information to go through a setuid tool that logs them;
   alternately, you could force all root access to the system (whether
   by login or by sudo) to use a shell that writes to an append-only
   log file or logs over the network.

Neither of these would be particularly troublesome to solve.

Thor
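
Item 2 above suggests routing root's configuration changes through a tool that records them in an append-only log. The following C sketch of that logging step is an added illustration, not part of the original message or of any NetBSD tool; the log path, record format and function names are assumptions, and authorization and environment scrubbing are left out.

```c
/* Added illustration; AUDIT_LOG, the record layout and all names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#define AUDIT_LOG "/var/log/syschange.log"   /* hypothetical path */

/* Build "<epoch> uid=<n> cmd=<argv...>\n"; control bytes become '?' so an argument
 * cannot forge a second record. Returns the length, or -1 if it does not fit. */
int format_record(char *buf, size_t len, time_t now, uid_t uid, char *const argv[])
{
    int n = snprintf(buf, len, "%lld uid=%lu cmd=", (long long)now, (unsigned long)uid);
    if (n < 0 || (size_t)n + 2 > len)
        return -1;
    for (int i = 0; argv[i] != NULL; i++) {
        if ((size_t)n + strlen(argv[i]) + (i > 0) + 2 > len)
            return -1;                      /* refuse to log a truncated record */
        if (i > 0)
            buf[n++] = ' ';
        for (const unsigned char *p = (const unsigned char *)argv[i]; *p; p++)
            buf[n++] = (*p < 0x20 || *p == 0x7f) ? '?' : (char)*p;
    }
    buf[n++] = '\n';
    buf[n] = '\0';
    return n;
}

/* One write() on an O_APPEND descriptor lands at end of file as a unit. */
int append_record(const char *path, const char *rec, size_t n)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    int ok = write(fd, rec, n) == (ssize_t)n && fsync(fd) == 0;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

int main(int argc, char *argv[])
{
    char rec[4096];
    if (argc < 2 || argv[1][0] != '/')      /* absolute path only, no PATH search */
        return 2;
    int n = format_record(rec, sizeof rec, time(NULL), getuid(), argv + 1);
    if (n < 0 || append_record(AUDIT_LOG, rec, (size_t)n) != 0)
        return 1;                           /* fail closed: an unlogged change is not made */
    execv(argv[1], argv + 1);
    return 127;
}
```

On NetBSD the log file itself can be given the system append-only flag with `chflags sappnd`, which cannot be cleared once the securelevel has been raised.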