Discussion edits pwpolicy

2026-02-03 14:03:24 +00:00 · 2020-08-17 17:27:16 -04:00
parent 872e4c3e7b
commit b8ff03489d
14 changed files with 66 additions and 40 deletions
--- a/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_60_day_enforce.yaml
@@ -1,7 +1,9 @@
 id: pwpolicy_60_day_enforce
-title: "Enforce a 60-day maximum password lifetime restriction"
+title: "Restrict Maximum Password Lifetime to 60 Days"
 discussion: |
-  The macOS must limit the lifetime of a password to a maxiumum of at least 60 days and force users to change their passwords.
+  The macOS _MUST_ be configured to enforce a maximum password lifetime limit of at least 60 days. 
+
+  This rule ensures that users are forced to change their passwords frequently enough to prevent malicious users from gaining and maintaining access to the system.
 check: |
  /usr/bin/profiles -P -o stdout | /usr/bin/awk -F " = " '/maxPINAgeInDays/{sub(/;.*/,"");print $2}'
 result:
--- a/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_inactivity_enforce.yaml
@@ -1,7 +1,9 @@
 id: pwpolicy_account_inactivity_enforce
-title: "Disable accounts after 35 days of inactivity"
+title: "Disable Accounts after 35 Days of Inactivity"
 discussion: |
-  The macOS must disable accounts after 35 days of inactivity.
+  The macOS _MUST_ be configured to disable accounts after 35 days of inactivity.
+
+  This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection. 
 check: | 
  /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="policyAttributeInactiveDays"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}'
 result:
--- a/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce.yaml
@@ -1,7 +1,9 @@
 id: pwpolicy_account_lockout_enforce
-title: "Enforce a limit of 3 consecutive failed logon attempts"
+title: "Limit Consecutive Failed Login Attempts to Three"
 discussion: |
-  The macOS must limit the number of failed attempts to a maximum of 3 attempts. The account must be locked for a period of time after the maximum failed attempts.
+  The macOS _MUST_ be configured to limit the number of failed login attempts to a maximum of three. When the maximum number of failed attempts is reached, the account _MUST_ be locked for a period of time after.
+
+  This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. 
 check: |
  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'maxFailedAttempts = 3' 
 result:
--- a/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_account_lockout_timeout_enforce.yaml
@@ -1,7 +1,9 @@
 id: pwpolicy_account_lockout_timeout_enforce
-title: "Enforce account lockout time period of 15 minutes after the maximum failed logon attempts"
+title: "Set Account Lockout Time to 15 Minutes"
 discussion: |
-  macOS must enforce a lockout time period of at least 15 minutes after the maxium failed logon attempts.
+  The macOS _MUST_ be configured to enforce a lockout time period of at least 15 minutes when the maximum number of failed logon attempts is reached.
+
+  This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. 
 check: |
  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'minutesUntilFailedLoginReset = 15' 
 result:
--- a/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_alpha_numeric_enforce.yaml
@@ -1,7 +1,9 @@
 id: pwpolicy_alpha_numeric_enforce
-title: "Enforce password complexity by requiring that at least 1 numeric character be used"
+title: "Require Passwords Contain a Minimum of One Numeric Character"
 discussion: |
-  macOS must require at least 1 numeric character be used when creating a password.
+  The macOS _MUST_ be configured to require at least one numeric character be used when a password is created.
+
+  This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. 
 check: | 
  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c "requireAlphanumeric = 1;"
 result:
--- a/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_emergency_accounts_disable.yaml
@@ -1,10 +1,14 @@
 id: pwpolicy_emergency_accounts_disable
-title: "Automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours"
+title: "Automatically Remove or Disable Emergency Accounts within 72 Hours"
 discussion: |
-  Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. 
-  
-  Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers. 
-  
+  The macOS MUST be configured to automatically remove or disable emergency accounts within 72 hours or less. 
+
+  Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability.
+
+  Although the ability to create and use emergency administrator accounts is necessary for performing system maintenance during emergencies, these accounts present vulnerabilities to the system if they are not disabled and removed when they are no longer needed. Configuring the macOS to automatically remove or disable emergency accounts within 72 hours of creation mitigates the risks posed if one were to be created and accidentally left active once the crisis is resolved. 
+
+  Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account created for use by vendors or system maintainers.
+
  To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
 check: |
  The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
--- a/rules/pwpolicy/pwpolicy_history_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_history_enforce.yaml
@@ -1,7 +1,11 @@
 id: pwpolicy_history_enforce
-title: "Prohibit password reuse a minimum of 5 previous passwords"
+title: "Prohibit Password Reuse for a Minimum of Five Generations"
 discussion: |
-  macOS must be configured to enforce a password history of at a minimum 5 previous passwords. It must not allow re-use of those 5 previous generations of passwords.
+  The macOS _MUST_ be configured to enforce a password history of at least five previous passwords when a password is created. 
+
+  This rule ensures that users are  not allowed to re-use a password that was used in any of the five previous password generations. 
+
+  Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods.
 check: | 
  /usr/bin/profiles -P -o stdout | /usr/bin/awk '/pinHistory/{sub(/;.*/,"");print $3}'
 result:
--- a/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_lower_case_character_enforce.yaml
@@ -1,7 +1,9 @@
 id: pwpolicy_lower_case_character_enforce
-title: "Enforce password complexity by requiring that at least 1 lower-case character be used"
+title: "Require Passwords Contain a Minimum of One Lowercase Character"
 discussion: |
-  macOS must require at least 1 lower-case character be used when creating a password.
+  The macOS _MUST_ be configured to require at least one lower-case character be used when a password is created.
+  
+  This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. 
 check: |
  /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="minimumAlphaCharactersLowerCase"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}'
 result:
--- a/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_length_enforce.yaml
@@ -1,7 +1,9 @@
 id: pwpolicy_minimum_length_enforce
-title: "Enforce a minimum 15-character password length"
+title: "Require a Minimum Password Length of 15 Characters"
 discussion: |
-  The minimum password length must be set to 15 characters. 
+  The macOS _MUST_ be configured to require a minimum of 15 characters be used when a password is created.
+
+  This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. 
 check: |
  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'minLength = 15' 
 result:
--- a/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_minimum_lifetime_enforce.yaml
@@ -1,7 +1,7 @@
 id: pwpolicy_minimum_lifetime_enforce
-title: "Enforce 24 hours as the minimum password lifetime"
+title: "Set Minimum Password Lifetime to 24 Hours"
 discussion: |
-  macOS must enforce a minimum password lifetime limit of 24 hours.
+  The macOS _MUST_ be configured to enforce a minimum password lifetime limit of 24 hours.
 check: | 
  /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="policyAttributeMinimumLifetimeHours"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}'
 result:
--- a/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_simple_sequence_disable.yaml
@@ -1,7 +1,9 @@
 id: pwpolicy_simple_sequence_disable
-title: "Enforce password complexity by requiring that repeating, ascending, and descending character sequences in passcodes are not used."
+title: "Prohibit Repeating, Ascending, and Descending Character Sequences"
 discussion: |
-  The use of repeating, ascending, and descending character sequences in passcodes is not allowed.
+  The macOS _MUST_ be configured to prohibit the use of repeating, ascending, and descending character sequences when a password is created.
+
+  This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
 check: | 
  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowSimple = 0' 
 result:
--- a/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_special_character_enforce.yaml
@@ -1,7 +1,11 @@
 id: pwpolicy_special_character_enforce
-title: "Enforce password complexity by requiring that at least 1 special character be used"
+title: "Require Passwords Contain a Minimum of One Special Character"
 discussion: |
-  macOS must require at least 1 special character be used when creating a password. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
+  The macOS _MUST_ be configured to require at least one special character be used when a password is created.
+
+  Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
+  
+  This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
 check: | 
  /usr/bin/profiles -P -o stdout | /usr/bin/awk '/minComplexChars/{sub(/;.*/,"");print $3}'
 result:
--- a/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
+++ b/rules/pwpolicy/pwpolicy_temporary_accounts_disable.yaml
@@ -1,16 +1,12 @@
 id: pwpolicy_temporary_accounts_disable
-title: "Automatically remove or disable temporary user accounts after 72 hours"
+title: "Automatically Remove or Disable Temporary User Accounts within 72 Hours"
 discussion: |
-  If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
-  
-  Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.
-  
-  If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a defined time period of 72 hours.
-  
-  To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
-  
-  If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set. 
-  
+  An automated termination _MUST_ be set for 72 hours or less for all temporary accounts upon account creation. 
+
+  If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts _MUST_ be set to 72 hours (or less) when the temporary account is created.
+
+  If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set.
+
  If there are no temporary accounts defined on the system, this is Not Applicable.
 check: |
  The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
--- a/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
+++ b/rules/pwpolicy/pwpolicy_upper_case_character_enforce.yaml
@@ -1,7 +1,9 @@
 id: pwpolicy_upper_case_character_enforce
-title: "Enforce password complexity by requiring that at least 1 upper-case character be used"
+title: "Require Passwords Contain a Minimum of One Uppercase Character"
 discussion: |
-  macOS must require at least 1 upper-case character be used when creating a password.
+  The macOS _MUST_ be configured to require at least one uppercase character be used when a password is created.
+
+  This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users. 
 check: |
  /usr/bin/pwpolicy getaccountpolicies | /usr/bin/grep -v "Getting global account policies" | /usr/bin/xmllint --xpath '/plist/dict/array/dict/dict[key="minimumAlphaCharactersUpperCase"]/integer' - | /usr/bin/awk -F '[<>]' '{print $3}'
 result: