Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-76171 | AOSX-12-002090 | SV-90859r1_rule | Medium |
Description |
---|
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. |
STIG | Date |
---|---|
Apple OS X 10.12 Security Technical Implementation Guide | 2018-12-24 |
Check Text ( C-75857r1_chk ) |
---|
Password policy can be set with the "Password Policy" configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system is configured to require that users cannot reuse one of their five previously used passwords: system_profiler SPConfigurationProfileDataType | /usr/bin/grep pinHistory If "pinHistory" is not set to "5" or higher, or is undefined, this is a finding. If password policy is set with the "pwpolicy" utility, run the following command instead: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line " If it does not exist, and password policy is not controlled by a directory service, this is a finding. Otherwise, in the array section that follows it, there should be a If this parameter is not set to "5" or greater, or if no such check exists, this is a finding. |
Fix Text (F-82809r1_fix) |
---|
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory service. To set the password policy without a configuration profile, run the following command to save a copy of the current "pwpolicy" account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor. If the file does not yet contain any policy settings, replace If the line " After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as lock out all local users, including administrators. |