diff --git a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml index 475468b2..cd94cc09 100644 --- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to enforce a maximum password lifetime limit of at least 60 days. This rule ensures that users are forced to change their passwords frequently enough to prevent malicious users from gaining and maintaining access to the system. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/awk -F " = " '/maxPINAgeInDays/{sub(/;.*/,"");print $2}' result: diff --git a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml index 98ffea37..37bb0cb3 100644 --- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to require at least one numeric character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c "requireAlphanumeric = 1;" result: diff --git a/rules/pwpolicy/pwpolicy_history_enforce.yaml b/rules/pwpolicy/pwpolicy_history_enforce.yaml index a75d480e..93b7ee5f 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml @@ -16,7 +16,7 @@ references: cce: - CCE-85407-5 cci: - - CCI-000200 + - CCI-000200 800-53r5: - IA-5(1) 800-53r4: diff --git a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml index 70c3a752..6d0a6f6e 100644 --- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to require at least one lower-case character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="minimumAlphaCharactersLowerCase"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' result: diff --git a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml index 9c7f0f07..487962f7 100644 --- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to require a minimum of 15 characters be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'minLength = 15' result: diff --git a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml index 45cb6d38..7aeef2a6 100644 --- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycling through their previous passwords to get back to a preferred one. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="policyAttributeMinimumLifetimeHours"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' result: diff --git a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml index cfc16c0f..06e27081 100644 --- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml +++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to prohibit the use of repeating, ascending, and descending character sequences when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSimple = 0' result: diff --git a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml index 419730c8..bddd6c53 100644 --- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml @@ -6,6 +6,8 @@ discussion: | Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/profiles -P -o stdout | /usr/bin/awk '/minComplexChars/{sub(/;.*/,"");print $3}' result: diff --git a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml index ad02e7f0..7e675226 100644 --- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml +++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml @@ -4,6 +4,8 @@ discussion: | The macOS _MUST_ be configured to require at least one uppercase character be used when a password is created. This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. + + NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. check: | /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="minimumAlphaCharactersUpperCase"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}' result: diff --git a/sections/passwordpolicy.yaml b/sections/passwordpolicy.yaml index b6e8f52c..02dd17bb 100644 --- a/sections/passwordpolicy.yaml +++ b/sections/passwordpolicy.yaml @@ -6,7 +6,7 @@ [IMPORTANT] ==== - The password policy recommendations used to develop these rules fall under the NIST SP 800-53 (Rev. 4), however the NIST SP 800-53 (Rev. 5) was released on September 23rd, 2020 with updated guidance on password policies. + The password policy recommendations in the NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules. ==== NOTE: The settings outlined in this section adhere to the recommendations provided in this document for systems that utilize passwords for local accounts. If systems are integrated with a directory service, local password policies should align with domain password policies to the fullest extent feasible. \ No newline at end of file