The Sarbanes-Oxley Act of 2002 has got to be a low point in our countries regulation history. This miserable piece of legislation costs anyone who has to comply with it millions of dollars and provides nothing in return. IT departments get hammered with insane requirements, and moronic auditors that eat up hours like it's cotton candy. " Screen shot this, prove that", and one ridiculous question after another until you want to stick a shank into all of them. If your organization can avoid this hell, then it is worth it to do so. How? Stay private. The instant you go public...you can join me and the auditors in our little version of purgatory. Rant finished.
Linux related question:
How to prove that password policies are enforced on Linux systems?
I have used ticketing systems to documentation steps, and severely limited access to my Linux systems in order to comply with this requirement, but auditors always want more. They want an automated foolproof system that enforces policy and will take nobody's word for it. I am looking into how to enforce such policies on my linux boxes now. I have some reading to do and will publish my findings.