Compliance Settings

Preamble

This guide will explain the various compliance settings that Psono offers in order to fulfill various security and compliance standards (HIPAA, ISO27001, PCI-DSS, ...).

TIP

All features starting with COMPLIANCE_ are only available in the Enterprise Edition.

Settings

Enforce central security reports

If you have the requirement to audit your user's passwords and check passwords for data breaches and so on, then this setting comes in handy. Normally users can choose whether to upload the result of a security report to the server or not. This setting will force all users to upload the results of the security report to the server so an admin or auditor can analyze it.

Configure in your settings.yml the following line

COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS: True # or default False

Restart the server afterward

Enforce breach detection in security reports

You may want that all passwords are checked against haveibeenpwned's breach database when a user creates a security report. This flag automatically checks the flag for the HIBP breach detection and doesn't give the user any option to uncheck it.

Configure in your settings.yml the following line

COMPLIANCE_ENFORCE_BREACH_DETECTION: True # or default False

Restart the server afterward

Enforce regular security reports

If you have the requirement that your user's audit their passwords regularly, then you can force them to do so in a fix interval.

Configure in your settings.yml the following line

COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL: 2592000

(The value is in seconds, so 2592000 seconds = 30x24x3600 seconds = 30 days) A value of 0 would disable it. Restart the server afterward

Enforce second factor

If you have the requirement to enforce a second factor for all users, you can do so with this setting.

Configure in your settings.yml the following line

COMPLIANCE_ENFORCE_2FA: True # or default False

Restart the server afterward

Disable exports

Maybe you don't want to allow your users to export their passwords. Then you can enforce this restriction with this setting.

Configure in your settings.yml the following line

COMPLIANCE_DISABLE_EXPORT: True # or default False

Restart the server afterward

Disable export of shared items

Maybe you don't want to allow your users to export shared items and only their own ones. Then you can enforce this restriction with this setting.

Configure in your settings.yml the following line

COMPLIANCE_DISABLE_EXPORT_OF_SHARED_ITEMS: True # or default False

Restart the server afterward

Disable unmanaged groups

Maybe you don't want to allow your users to create their own groups. Then you can disable this feature with this setting.

Configure in your settings.yml the following line

COMPLIANCE_DISABLE_UNMANAGED_GROUPS: True # or default False

Restart the server afterward

Disable self deletion

Maybe you don't want to allow your users to delete their own account. You can achieve this with this setting.

Configure in your settings.yml the following line

COMPLIANCE_DISABLE_DELETE_ACCOUNT: True # or default False

Restart the server afterward

Disable api keys

Maybe you don't want to allow your users to bypass second factor restriction with API keys, then you can disable them with this setting.

Configure in your settings.yml the following line

COMPLIANCE_DISABLE_API_KEYS: True # or default False

Restart the server afterward

Force or prevent server secrets

The server will by default keep for SAML / OIDC / LDAP users a backup of the user's keys and as such not ask the user for encryption password during login, while the server won't know / store those keys for regular AUTHKEY users (COMPLIANCE_SERVER_SECRETS: 'auto'). You may want to change this behavior and potentially force users to use a separate encryption password (COMPLIANCE_SERVER_SECRETS: 'noone', most secure but no way to regain access to an account if a user loses his encryption password) or force even AUTHKEY users to hand over their keys to the server (COMPLIANCE_SERVER_SECRETS: 'all', least secure, but allows admins to set a new password for a user if he loses his password)

Configure in your settings.yml the following line

COMPLIANCE_SERVER_SECRETS: 'noone' # or 'all' or default 'auto'

Restart the server afterward

Disable emergency codes

This setting allows you to disable emergency codes.

Configure in your settings.yml the following line

COMPLIANCE_DISABLE_EMERGENCY_CODES: True # or default False

Restart the server afterward

Disable recovery codes

This setting allows you to disable recovery codes.

Configure in your settings.yml the following line

COMPLIANCE_DISABLE_RECOVERY_CODES: True # or default False

Restart the server afterward

Disable file repositories

Maybe you have the requirement that all file exchange need to go through an antivirus scanner or just don't want to provide your users the possibility to bypass internet proxies that are configured to prevent data exfiltration. This setting allows you to disable file repositories.

Configure in your settings.yml the following line

COMPLIANCE_DISABLE_FILE_REPOSITORIES: True # or default False

Restart the server afterward

Disable link shares

Link shares allow users to share content with "not registered" users, as such it's harder to audit access. This setting allows you to disable link shares.

Configure in your settings.yml the following line

COMPLIANCE_DISABLE_LINK_SHARES: True # or default False

Restart the server afterward

Disable offline mode

You may want to restrict users to create an "offline copy" and as such enter "offline mode". This setting allows you to disable the offline mode.

Configure in your settings.yml the following line

COMPLIANCE_DISABLE_OFFLINE_MODE: True # or default False

Restart the server afterward

Restrict maximum offline cache duration

You may want to restrict how long a user can use the offline cache without a server connection. This setting allows you to configure this.

Configure in your settings.yml the following line

COMPLIANCE_MAX_OFFLINE_CACHE_TIME_VALID: 31536000

(The value is in seconds, so 31536000 seconds = 365x24x3600 seconds = 365 days) Restart the server afterward.

TIP

This feature currently only works for the mobile app.

Enforce minimum password length

One of the classics. This feature allows you to enforce a minimum password length.

Configure in your settings.yml the following line

COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH: 14

Restart the server afterward

Enforce minimum password complexity

Another classic. This feature allows you to enforce how many security groups the password needs to pass in order to be rated complex enough. Psono security groups distinguish between lowercase, uppercase, numbers, special chars. So a setting of 3 would require that a password matches at least 3 of the mentioned 4 security groups.

Configure in your settings.yml the following line

COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY: 3

Restart the server afterward

IP Restrictions

This feature allows you to restrict the usage (webclient, apps, portal, API keys) of Psono to certain ip ranges. Specifically excluded are link shares and all API endpoints for the fileserver, SCIM and remote management commands.

Configure in your settings.yml the following line

COMPLIANCE_IP_RESTRICTIONS: '10.5.0.0/24,10.4.0.0/16'

Restart the server afterward

Clipboard clear delay

The clipboard is usually cleared automatically once a user copies something to the clipboard. This setting configures the default in seconds. A value of 0 disables it.

Configure in your settings.yml the following line

COMPLIANCE_CLIPBOARD_CLEAR_DELAY: 30

Restart the server afterward

Minimum clipboard clear delay

The clipboard is usually cleared automatically once a user copies something to the clipboard. This setting configures the minimum a user can set in seconds.

Configure in your settings.yml the following line

COMPLIANCE_MIN_CLIPBOARD_CLEAR_DELAY: 0

Restart the server afterward

Maximum clipboard clear delay

The clipboard is usually cleared automatically once a user copies something to the clipboard. This setting configures the maximum a user can set in seconds.

Configure in your settings.yml the following line

COMPLIANCE_MAX_CLIPBOARD_CLEAR_DELAY: 600

Restart the server afterward

Password generator default password length

You can provide a default configuration for the password generator. This setting configures the default length for newly generated passwords. Please take note that a user can always overwrite this setting.

Configure in your settings.yml the following line

COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH: 16

Restart the server afterward

Password generator default uppercase letters

You can provide a default configuration for the password generator. This setting configures the default set of uppercase letters for newly generated passwords. Please take note that a user can always overwrite this setting.

Configure in your settings.yml the following line

COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'

Restart the server afterward

Password generator default lowercase letters

You can provide a default configuration for the password generator. This setting configures the default set of lowercase letters for newly generated passwords. Please take note that a user can always overwrite this setting.

Configure in your settings.yml the following line

COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE: 'abcdefghijklmnopqrstuvwxyz'

Restart the server afterward

Password generator default numbers

You can provide a default configuration for the password generator. This setting configures the default set of numbers for newly generated passwords. Please take note that a user can always overwrite this setting.

Configure in your settings.yml the following line

COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS: '0123456789'

Restart the server afterward

Password generator default special characters

You can provide a default configuration for the password generator. This setting configures the default set of special characters for newly generated passwords. Please take note that a user can always overwrite this setting.

Configure in your settings.yml the following line

COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS: ',.-;:_#''+*~!"§$%&/()=?{[]}\\'

Restart the server afterward

WARNING

Make sure that you escape the characters properly. The YAML format maybe be "less intuitive" as you might think.

Logout after inactivity

Another classic. You can enforce an automatic logout after a certain time of inactivity. This setting can be used to configured a timer that resets with every interaction and allows the session to be active for another X seconds.

Configure in your settings.yml the following line

AUTO_PROLONGATION_TOKEN_TIME_VALID: 900

(The value is in seconds, so 900 seconds = 15x60 seconds = 15 minutes) Restart the server afterward

Multiple sessions

Maybe you need to prevent that a user is logged in with multiple devices. Then you can prevent multiple sessions with the setting below, forcing a user to be logged out on other devices once he logs in.

Configure in your settings.yml the following line

ALLOW_MULTIPLE_SESSIONS: False # or default True

Restart the server afterward

Max session lifetime of webclient sessions

Allows you to restrict the time that a session from a webclient (and extensions) is valid.

Configure in your settings.yml the following line

MAX_WEB_TOKEN_TIME_VALID: 2592000

(The value is in seconds, so 2592000 seconds = 30x24x3600 seconds = 30 days) Restart the server afterward

TIP

This feature will not work together with AUTO_PROLONGATION_TOKEN_TIME_VALID

Max session lifetime of app sessions

Allows you to restrict the time that a session from an app is valid.

Configure in your settings.yml the following line

MAX_APP_TOKEN_TIME_VALID: 31536000

(The value is in seconds, so 31536000 seconds = 365x24x3600 seconds = 365 days) Restart the server afterward

TIP

This feature will not work together with AUTO_PROLONGATION_TOKEN_TIME_VALID

Max session lifetime of api key sessions

Allows you to restrict the time that a session from an api key is valid.

Configure in your settings.yml the following line

MAX_API_KEY_TOKEN_TIME_VALID: 600

(The value is in seconds, so 600 seconds = 10x60 seconds = 10 minutes) Restart the server afterward

TIP

This feature will not work together with AUTO_PROLONGATION_TOKEN_TIME_VALID

Prevent old passwords to be reused

Allows you to restrict old passwords so they cannot be reused. This setting allows you to specify how many of their last passwords should be blocked.

Configure in your settings.yml the following line

DISABLE_LAST_PASSWORDS: 3

Restart the server afterward