Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-81737 | AOSX-13-002090 | SV-96451r1_rule | Medium |
Description |
---|
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. |
STIG | Date |
---|---|
Apple OS X 10.13 Security Technical Implementation Guide | 2019-12-20 |
Check Text ( C-81517r1_chk ) |
---|
Password policy can be set with the "Password Policy" configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system is configured to require that users cannot reuse one of their five previously used passwords: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep pinHistory If the return in null or not “pinHistory = 5” or greater, this is a finding. If password policy is set with the "pwpolicy" utility, run the following command instead: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line " If it does not exist, and password policy is not controlled by a directory service, this is a finding. Otherwise, in the array section that follows it, there should be a If this parameter is not set to "5" or greater, or if no such check exists, this is a finding. |
Fix Text (F-88585r1_fix) |
---|
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory service. To set the password policy without a configuration profile, run the following command to save a copy of the current "pwpolicy" account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor. If the file does not yet contain any policy settings, replace If the line " After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as lock out all local users, including administrators. |