The macOS system must set minimum password lifetime to 24 hours.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity
V-259551 | APPL-14-003070 | SV-259551r1038913_rule | | Medium
Description
The macOS must be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycling through their previous passwords to get back to a preferred one.

Note: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined here are based on common complexity values, but an organization may define its own password complexity rules.
STIG | Date
Apple macOS 14 (Sonoma) Security Technical Implementation Guide | 2024-12-04
Details
Check Text (C-63290r941273_chk)
Verify the macOS system is configured to set minimum password lifetime to 24 hours with the following command:

[source,bash]
----
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMinimumLifetimeHours"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= 24 ) {print "yes"} else {print "no"}}'
----

If the result is not "yes", this is a finding.
Fix Text (F-63198r1038912_fix)
Configure the macOS system to set minimum password lifetime to 24 hours. This setting may be enforced using local policy or by a directory service.

To set local policy to require a minimum password lifetime, edit the current password policy to contain the following <dict> within the "policyCategoryPasswordContent" array. Because the policy file is an XML plist, the "<" in the policyContent expression must be written as "&lt;" or the file will not parse:

[source,xml]
----
<dict>
    <key>policyContent</key>
    <string>policyAttributeLastPasswordChangeTime &lt; policyAttributeCurrentTime - (policyAttributeMinimumLifetimeHours * 60 * 60)</string>
    <key>policyIdentifier</key>
    <string>Minimum Password Lifetime</string>
    <key>policyParameters</key>
    <dict>
        <key>policyAttributeMinimumLifetimeHours</key>
        <integer>24</integer>
    </dict>
</dict>
----

After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file":

[source,bash]
----
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
----