Password policy note for 800-53r5 IA-5 and IA-5(1)

This commit is contained in:
Bob Gendler
2021-06-30 15:19:33 -04:00
parent 5d324cb780
commit 26ceea7eb5
10 changed files with 18 additions and 2 deletions


@@ -4,6 +4,8 @@ discussion: |
The macOS _MUST_ be configured to enforce a maximum password lifetime limit of at least 60 days.
This rule ensures that users are forced to change their passwords frequently enough to prevent malicious users from gaining and maintaining access to the system.
NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/awk -F " = " '/maxPINAgeInDays/{sub(/;.*/,"");print $2}'
result:
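Review bot: The added NOTE talks about "complexity rules" being organizationally defined, but this rule sets a maximum password lifetime, not a composition requirement, so the note does not explain where the 60-day value comes from. NIST SP 800-63B section 5.1.1.2 also recommends that verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically), which is the opposite of what this rule enforces. Reword the note for this rule to say that the lifetime is the organization-defined assignment in 800-53r5 IA-5(1) and that 800-63B discourages periodic expiration, instead of citing both documents for a statement about complexity.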


@@ -4,6 +4,8 @@ discussion: |
The macOS _MUST_ be configured to require at least one numeric character be used when a password is created.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c "requireAlphanumeric = 1;"
result:
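Review bot: The same three-sentence NOTE is pasted verbatim into every rule file in this commit, so any later correction (for example the singular subject with plural verb in "The guidance ... state") has to be repeated in each file. Consider keeping a single copy in the section-level text that this commit also changes and pointing the rules at it, or at minimum keep the wording byte-identical across files so one search-and-replace can update all copies.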


@@ -16,7 +16,7 @@ references:
cce:
- CCE-85407-5
cci:
- CCI-000200
- CCI-000200
800-53r5:
- IA-5(1)
800-53r4:
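Review bot: The removed and added lines under `cci:` both render as `- CCI-000200`, so the change is not visible here; if this is a whitespace or line-ending fix, say so in the commit message, otherwise the intended CCI value did not make it into the diff. This hunk also touches a rule that gets no password-policy NOTE, so an unrelated metadata fix inside a commit titled "Password policy note" is easy to overlook; it would be better as its own commit.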


@@ -4,6 +4,8 @@ discussion: |
The macOS _MUST_ be configured to require at least one lower-case character be used when a password is created.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
check: |
/usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="minimumAlphaCharactersLowerCase"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}'
result:


@@ -4,6 +4,8 @@ discussion: |
The macOS _MUST_ be configured to require a minimum of 15 characters be used when a password is created.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'minLength = 15'
result:
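Review bot: The check `grep -c 'minLength = 15'` tests for an exact value, while the NOTE added directly above it says the organization may define its own values; a site that sets minLength to 16 or 20 satisfies "a minimum of 15 characters" yet would fail this check. Extract the number instead (the maxPINAgeInDays rule already uses an awk `sub(/;.*/,"");print` pattern for this) and compare it as greater than or equal to 15, or make the literal a templated value that follows the organization-defined setting.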


@@ -4,6 +4,8 @@ discussion: |
The macOS _MUST_ be configured to enforce a minimum password lifetime limit of 24 hours.
This rule discourages users from cycling through their previous passwords to get back to a preferred one.
NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
check: |
/usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="policyAttributeMinimumLifetimeHours"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}'
result:
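Review bot: Grammar in the added NOTE: "The guidance ... state" pairs a singular subject with a plural verb (should be "states"), and "based off of" should be "based on". The sentence also refers to "complexity rules", whereas this rule enforces a minimum password lifetime of 24 hours; make clear that the minimum lifetime is likewise an organization-defined value under IA-5(1) rather than a complexity rule, so the note actually describes the setting it sits under.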


@@ -4,6 +4,8 @@ discussion: |
The macOS _MUST_ be configured to prohibit the use of repeating, ascending, and descending character sequences when a password is created.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSimple = 0'
result:


@@ -6,6 +6,8 @@ discussion: |
Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
check: |
/usr/bin/profiles -P -o stdout | /usr/bin/awk '/minComplexChars/{sub(/;.*/,"");print $3}'
result:


@@ -4,6 +4,8 @@ discussion: |
The macOS _MUST_ be configured to require at least one uppercase character be used when a password is created.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
check: |
/usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="minimumAlphaCharactersUpperCase"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}'
result:


@@ -6,7 +6,7 @@
[IMPORTANT]
====
The password policy recommendations used to develop these rules fall under the NIST SP 800-53 (Rev. 4), however the NIST SP 800-53 (Rev. 5) was released on September 23rd, 2020 with updated guidance on password policies.
The password policy recommendations in the NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
====
NOTE: The settings outlined in this section adhere to the recommendations provided in this document for systems that utilize passwords for local accounts. If systems are integrated with a directory service, local password policies should align with domain password policies to the fullest extent feasible.
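Review bot: The rewritten line attributes the same position to both documents, but they differ: 800-53r5 IA-5(1) leaves composition and complexity rules as an organization-defined assignment, while NIST SP 800-63B section 5.1.1.2 recommends that verifiers SHOULD NOT impose composition rules or require arbitrary periodic changes. Saying both "state that complexity rules should be organizationally defined" misrepresents 800-63B; keep the 800-53r5 statement and add a separate sentence that 800-63B discourages these rules, so readers mapping to 800-63B know the values in this section go beyond it. Also "based off of" reads better as "based on", and the deleted sentence recording that the rules were developed against Rev. 4 is worth keeping as history, since the rule files in this commit still carry an `800-53r4:` reference key.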