DISA customer pointed out potential issue with regex in pwpolicy_custom_regex_enforce #113

New Issue

Closed

opened 2026-01-19 18:29:16 +00:00 by michael · 12 comments

michael commented 2026-01-19 18:29:16 +00:00

Owner

Copy Link

Originally created by @akegerreis on GitHub.

Summary

APPL-14-003060 requires a password content policy that matches this regular expression:

.[A-Z]{1,}[a-z]{1,}.

The intent is to match passwords that contain “a minimum of one lowercase character and one uppercase character.”.

However, the DISA customer states the regular expression actually matches "uppercase characters immediately followed by lowercase characters". E.g. the current expression matches:

• AAAbbb

But not:

• bbbAAA
• AAA-bbb

The customer is suggesting the following regular expressions:
taking into account the context (ICU regular expression as part of a NSPredicate “matches” operator):

.([a-z].[A-Z]|[A-Z].[a-z]).

Or, using lookahead assertions:

(?=.[a-z])(?=.[A-Z]).*

Operating System version

macOS 14 (Sonoma)

Originally created by @akegerreis on GitHub. ### Summary APPL-14-003060 requires a password content policy that matches this regular expression: .*[A-Z]{1,}[a-z]{1,}.* The intent is to match passwords that contain “a minimum of one lowercase character and one uppercase character.”. However, the DISA customer states the regular expression actually matches "uppercase characters immediately followed by lowercase characters". E.g. the current expression matches: - AAAbbb But not: - bbbAAA - AAA-bbb The customer is suggesting the following regular expressions: taking into account the context (ICU regular expression as part of a NSPredicate “matches” operator): .*([a-z].*[A-Z]|[A-Z].*[a-z]).* Or, using lookahead assertions: (?=.*[a-z])(?=.*[A-Z]).* ### Operating System version macOS 14 (Sonoma)

michael closed this issue 2026-01-19 18:29:16 +00:00

michael commented 2026-01-19 18:29:17 +00:00

Author

Owner

Copy Link

@georgalis commented on GitHub:

If this approach is more intelligible... the test could be fitted...
for a in AAABBB aaabbb aaaBBB AAAbbb AAA.BBB AAA.BBB aaa.BBB AAA.bbb ; do
printf "$a\t:"
echo "$a"
| grep '[a-z]'
| grep '[A-Z]' >/dev/null
&& echo okay
|| echo fail
done

AAABBB :fail
aaabbb :fail
aaaBBB :okay
AAAbbb :okay
AAA.BBB :fail
AAA.BBB :fail
aaa.BBB :okay
AAA.bbb :okay

cf
Apple macOS 14 (Sonoma) STIG: APPL-14-003060 (in version v1 r1)
https://app.xylok.io/reference/benchmark/apple_macos_14_stig/check/31e5ff2f-bdad-46ad-a315-875cbc567a9c/?version=c1bf4645-5306-4bd3-af7d-edfa35c63166

On Fri, Feb 23, 2024 at 12:40 PM bernstei @.***> wrote:

The regex in #363 https://github.com/usnistgov/macos_security/pull/363
would match AAA-bbb, but not bbbAAA. If the regex syntax allows logical
or, I think you could use .([A-Z]{1,}.[a-z]{1,}|[a-z]{1,}.[A-Z]{1,}).
(some of those parens or pipe characters might need to be escaped), or
perhaps two separate simple pwpolicy entries (similar to the ones
implementing the numeric and the special character reqs).

—
Reply to this email directly, view it on GitHub
https://github.com/usnistgov/macos_security/issues/358#issuecomment-1961961983,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAE3QC4VVHSWCKIJYFXPT4DYVD5FLAVCNFSM6AAAAABDK3R2O2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNRRHE3DCOJYGM
.
You are receiving this because you are subscribed to this thread.Message
ID: @.***>

--
George Georgalis, (415) 894-2710, http://www.galis.org/

@georgalis commented on GitHub: If this approach is more intelligible... the test could be fitted... for a in AAABBB aaabbb aaaBBB AAAbbb AAA.BBB AAA.BBB aaa.BBB AAA.bbb ; do printf "$a\t:" echo "$a" \ | grep '[a-z]' \ | grep '[A-Z]' >/dev/null \ && echo okay \ || echo fail done AAABBB :fail aaabbb :fail aaaBBB :okay AAAbbb :okay AAA.BBB :fail AAA.BBB :fail aaa.BBB :okay AAA.bbb :okay cf Apple macOS 14 (Sonoma) STIG: APPL-14-003060 (in version v1 r1) https://app.xylok.io/reference/benchmark/apple_macos_14_stig/check/31e5ff2f-bdad-46ad-a315-875cbc567a9c/?version=c1bf4645-5306-4bd3-af7d-edfa35c63166 On Fri, Feb 23, 2024 at 12:40 PM bernstei ***@***.***> wrote: > The regex in #363 <https://github.com/usnistgov/macos_security/pull/363> > would match AAA-bbb, but not bbbAAA. If the regex syntax allows logical > or, I think you could use .*([A-Z]{1,}.*[a-z]{1,}|[a-z]{1,}.*[A-Z]{1,}).* > (some of those parens or pipe characters might need to be escaped), or > perhaps two separate simple pwpolicy entries (similar to the ones > implementing the numeric and the special character reqs). > > — > Reply to this email directly, view it on GitHub > <https://github.com/usnistgov/macos_security/issues/358#issuecomment-1961961983>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAE3QC4VVHSWCKIJYFXPT4DYVD5FLAVCNFSM6AAAAABDK3R2O2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNRRHE3DCOJYGM> > . > You are receiving this because you are subscribed to this thread.Message > ID: ***@***.***> > -- George Georgalis, (415) 894-2710, http://www.galis.org/

michael commented 2026-01-19 18:29:17 +00:00

Author

Owner

Copy Link

@ion-ize commented on GitHub:

@bernstei Yeah, I realized that issue two after some further testing when my PR #363 was pushed. I have now submitted a new PR (#368) which includes a positive lookahead like you suggested here. The only difference with mine is that yours does not match an empty string while mine does but you cannot have an empty password with the other policies in place so it should not matter.

Here is the regex in my PR:

^(?=.*[A-Z])(?=.*[a-z]).*$

@robertgendler this should finally resolve this in a full capacity once #368 is approved and merged.

@ion-ize commented on GitHub: @bernstei Yeah, I realized that issue two after some further testing when my PR #363 was pushed. I have now submitted a new PR (#368) which includes a positive lookahead like you suggested here. The only difference with mine is that yours does not match an empty string while mine does but you cannot have an empty password with the other policies in place so it should not matter. Here is the regex in my PR: ``` ^(?=.*[A-Z])(?=.*[a-z]).*$ ``` @robertgendler this should finally resolve this in a full capacity once #368 is approved and merged.

michael commented 2026-01-19 18:29:17 +00:00

Author

Owner

Copy Link

@bernstei commented on GitHub:

The regex in #363 would match AAA-bbb, but not bbbAAA, because it requires that the capital letter come first. If the regex syntax allows logical or, I think you could use .*([A-Z]{1,}.*[a-z]{1,}|[a-z]{1,}.*[A-Z]{1,}).* (some of those parens or pipe characters might need to be escaped), or perhaps two separate simple pwpolicy entries (similar to the ones implementing the numeric and the special character reqs).

The password policy mobileconfig that's generated (guess it's the <key>minComplexChars</key> <integer>1</integer> that causes it) leads to a pwpolicy prefs that include

                <dict>
                        <key>policyContent</key>
                        <string>policyAttributePassword matches '(.*[A-Z].*){1,}+'</string>
                        <key>policyIdentifier</key>
                        <string>Must have at least 1 uppercase letter</string>
                        <key>policyParameters</key>
                        <dict>
                                <key>minimumAlphaCharactersUpperCase</key>
                                <integer>1</integer>
                        </dict>
                </dict>
                <dict>
                        <key>policyContent</key>
                        <string>policyAttributePassword matches '(.*[a-z].*){1,}+'</string>
                        <key>policyIdentifier</key>
                        <string>Must have at least 1 lowercase letter</string>
                        <key>policyParameters</key>
                        <dict>
                                <key>minimumAlphaCharactersLowerCase</key>
                                <integer>1</integer>
                        </dict>
                </dict>

I don't know if there's any problem adding those to the pwpolicy manually (and I also really don't understand why putting customRegex in the mobileconfig requires that the profile be installed by an MDM, and fail to install manually).

@bernstei commented on GitHub: The regex in #363 would match `AAA-bbb`, but not `bbbAAA`, because it requires that the capital letter come first. If the regex syntax allows logical or, I think you could use `.*([A-Z]{1,}.*[a-z]{1,}|[a-z]{1,}.*[A-Z]{1,}).*` (some of those parens or pipe characters might need to be escaped), or perhaps two separate simple pwpolicy entries (similar to the ones implementing the numeric and the special character reqs). The password policy mobileconfig that's generated (guess it's the `<key>minComplexChars</key> <integer>1</integer>` that causes it) leads to a pwpolicy prefs that include ``` <dict> <key>policyContent</key> <string>policyAttributePassword matches '(.*[A-Z].*){1,}+'</string> <key>policyIdentifier</key> <string>Must have at least 1 uppercase letter</string> <key>policyParameters</key> <dict> <key>minimumAlphaCharactersUpperCase</key> <integer>1</integer> </dict> </dict> <dict> <key>policyContent</key> <string>policyAttributePassword matches '(.*[a-z].*){1,}+'</string> <key>policyIdentifier</key> <string>Must have at least 1 lowercase letter</string> <key>policyParameters</key> <dict> <key>minimumAlphaCharactersLowerCase</key> <integer>1</integer> </dict> </dict> ``` I don't know if there's any problem adding those to the pwpolicy manually (and I also _really_ don't understand why putting `customRegex` in the mobileconfig requires that the profile be installed by an MDM, and fail to install manually).

michael commented 2026-01-19 18:29:17 +00:00

Author

Owner

Copy Link

@bernstei commented on GitHub:

I've also discovered that the alphanumeric mobileconfig leads to the following regex in the xml returned by pwpolicy -getaccountpolicies

<string>policyAttributePassword matches '^(?=.*[0-9])(?=.*[a-zA-Z]).+'</string>

This definitely matches both 5a and a5, as I've verified by having it in place and going to the password changing System Pref, although I don't quite understand why.

I also just checked the regex from #363. It accepts AAaa, but not aaAA, which makes sense, but it also doesn't accept Aa or AAa or aaA (in the password change dialog box). It seems to require two of each, which I really don't understand.

This regex, using zero-width lookahead, constructed by analogy to the mobileconfig-derived alphanumeric regex, works, requiring a single upper case and a single lower case, in either order

'^(?=.*[A-Z])(?=.*[a-z]).+'

I think this is the correct way to implement the upper and lower case password complexity requirement, either as a customRegex in the mobileconfig or explicitly in a pwpolicy.xml

@bernstei commented on GitHub: I've also discovered that the alphanumeric mobileconfig leads to the following regex in the xml returned by `pwpolicy -getaccountpolicies` ``` <string>policyAttributePassword matches '^(?=.*[0-9])(?=.*[a-zA-Z]).+'</string> ``` This _definitely_ matches both `5a` and `a5`, as I've verified by having it in place and going to the password changing System Pref, although I don't quite understand why. I also just checked the regex from #363. It accepts `AAaa`, but not `aaAA`, which makes sense, but it also doesn't accept `Aa` or `AAa` or `aaA` (in the password change dialog box). It seems to require two of each, which I really don't understand. This regex, using zero-width lookahead, constructed by analogy to the mobileconfig-derived alphanumeric regex, works, requiring a single upper case and a single lower case, in either order ``` '^(?=.*[A-Z])(?=.*[a-z]).+' ``` I think this is the correct way to implement the upper and lower case password complexity requirement, either as a `customRegex` in the mobileconfig or explicitly in a `pwpolicy.xml`

michael commented 2026-01-19 18:29:17 +00:00

Author

Owner

Copy Link

@robertgendler commented on GitHub:

Please check out the sonoma branch. PR #363 took care of it.

@robertgendler commented on GitHub: Please check out the sonoma branch. PR #363 took care of it.

michael commented 2026-01-19 18:29:17 +00:00

Author

Owner

Copy Link

@bernstei commented on GitHub:

Thanks. Just for my edification, does anyone understand why a customRegex field in the mobileconfig makes it MDM-only?

@bernstei commented on GitHub: Thanks. Just for my edification, does anyone understand why a `customRegex` field in the mobileconfig makes it MDM-only?

michael commented 2026-01-19 18:29:17 +00:00

Author

Owner

Copy Link

@ion-ize commented on GitHub:

@bernstei It's especially weird because Jamf does not seem to even support the customRegex key. We have to re-upload the mobileconfig every time we want to change this.

@ion-ize commented on GitHub: @bernstei It's especially weird because Jamf does not seem to even support the customRegex key. We have to re-upload the mobileconfig every time we want to change this.

michael commented 2026-01-19 18:29:17 +00:00

Author

Owner

Copy Link

@robertgendler commented on GitHub:

PR #368 has been merged. Check it out.

@robertgendler commented on GitHub: PR #368 has been merged. Check it out.

michael commented 2026-01-19 18:29:17 +00:00

Author

Owner

Copy Link

@robertgendler commented on GitHub:

No idea why. That's an Apple question.

In fact I'm not sure they know it's MDM only since no where in their documentation does it specify it must be sent via MDM server. We only found out due to it not installing and popping up with an error about that when manually installing it.

@robertgendler commented on GitHub: No idea why. That's an Apple question. In fact I'm not sure they know it's MDM only since no where in their documentation does it specify it must be sent via MDM server. We only found out due to it not installing and popping up with an error about that when manually installing it.

michael commented 2026-01-19 18:29:17 +00:00

Author

Owner

Copy Link

@robertgendler commented on GitHub:

I believe this is all fixed in the sonoma branch. So closing the issue.

@robertgendler commented on GitHub: I believe this is all fixed in the `sonoma` branch. So closing the issue.

michael commented 2026-01-19 18:29:17 +00:00

Author

Owner

Copy Link

@akegerreis commented on GitHub:

Here is what we are planning to put in our supplemental:

1.1.1 Smart Card Enforcement Exemption

Any and all use of exemptions to the smart card enforcement on Apple macOS
must be approved and documented with the site ISSM or AO.

1.1.1.1 Group Exemption

Starting in macOS 10.15, enforcement on a system can be granularly
configured by adding a field to /private/etc/SmartcardLogin.plist. The
NotEnforcedGroup can be added to the file to list a Directory group that
will not be included in smart card enforcement. To activate this feature,
enforceSmartCard and allowUnmappedUsers must be applied via a configuration
profile (com.apple.security.smartcard).

To configure the NotEnforcedGroup, the SmartcardLogin.plist should be
minimally configured as follows:

<?xml version="1.0" encoding="UTF-8"?>

<key>AttributeMapping</key>

<dict>

      <key>fields</key>

      <array>

          <string>NT Principal Name</string>

      </array>

      <key>formatString</key>

      <string>Kerberos:$1</string>

      <key>dsAttributeString</key>

      <string>dsAttrTypeStandard:AltSecurityIdentities</string>

</dict>

<key>TrustedAuthorities</key>

SHA256_HASH_OF_CERTDOMAIN_1,SHA256_HASH_OF_CERTDOMAIN_2

<key>NotEnforcedGroup</key>

<string>EXEMPTGROUP</key>

Once a system is configured for the NotEnforcedGroup, a user can be added to
the assigned group by running the following:

/usr/sbin/dseditgroup -o edit -a <exempt_user> -t user

1.1.1.2 User Exemption

Alternatively, if a single user needs to be exempt for a period of time,
kDSNativeAttrTypePrefix:SmartCardEnforcement can be set in the user's Open
Directory record. The following values can be set:

0 - The system default is respected.

1 - Smartcard enforcement is enabled.

2 - Smartcard enforcement is disabled.

In Active Directory environments, the value of the userAccountControl
attribute is respected.

Run the following command to set the exemption when booted from macOS:

/usr/bin/dscl . -append /Users/ SmartCardEnforcement 2

Run the following command to set the exemption when booted from Recovery:

/usr/bin/defaults write /Volumes/Macintosh
HD/var/db/dslocal/nodes/Default/users/ SmartCardEnforcement
-array-add 2

When booted to recovery on an Apple Silicon Mac, run the following after
setting the exemption.

/usr/sbin/diskutil apfs updatePreboot /Volumes/Macintosh\ HD

Regards,

Aaron Kegerreis | CISSP

DISA RE11 Cyber Standards Support

Chambersburg, PA 17201

@.*** (NIPR)

@.*** (SIPR)

From: Bob Gendler @.>
Sent: Wednesday, March 27, 2024 2:28 PM
To: usnistgov/macos_security @.>
Cc: Kegerreis, Aaron S CTR DISA (USA) @.>;
Author @.>
Subject: Re: [usnistgov/macos_security] DISA customer pointed out potential
issue with regex in pwpolicy_custom_regex_enforce (Issue #358)

I believe this is all fixed in the sonoma branch. So closing the issue.

Reply to this email directly, view it on GitHub
<https://usg01.safelinks.protection.office365.us/?url=https%3A%2F%2Fgithub.c
om%2Fusnistgov%2Fmacos_security%2Fissues%2F358%23issuecomment-2023574128&dat
a=05%7C02%7Caaron.s.kegerreis.ctr%40mail.mil%7C6e3b158c3a8e44140a1d08dc4e8ba
42b%7C102d0191eeae4761b1cb1a83e86ef445%7C0%7C0%7C638471608861865201%7CUnknow
n%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6
Mn0%3D%7C0%7C%7C%7C&sdata=%2FaiX1IueXD5vUBJqBQ3guYBbRtrlDX5RJDg3zbNnD%2Bs%3D
&reserved=0> , or unsubscribe.
You are receiving this because you authored the thread.
<https://github.com/notifications/beacon/BCWDEQEXAO5ACLREBFGRWB3Y2MFS3A5CNFS
M6AAAAABDK3R2O2WGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTT
YTVFHA.gif> Message ID:
@.***
@.***> >

@akegerreis commented on GitHub: Here is what we are planning to put in our supplemental: 1.1.1 Smart Card Enforcement Exemption Any and all use of exemptions to the smart card enforcement on Apple macOS must be approved and documented with the site ISSM or AO. 1.1.1.1 Group Exemption Starting in macOS 10.15, enforcement on a system can be granularly configured by adding a field to /private/etc/SmartcardLogin.plist. The NotEnforcedGroup can be added to the file to list a Directory group that will not be included in smart card enforcement. To activate this feature, enforceSmartCard and allowUnmappedUsers must be applied via a configuration profile (com.apple.security.smartcard). To configure the NotEnforcedGroup, the SmartcardLogin.plist should be minimally configured as follows: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" http://www.apple.com/DTDs/PropertyList-1.0.dtd> <plist version="1.0"> <dict> <key>AttributeMapping</key> <dict> <key>fields</key> <array> <string>NT Principal Name</string> </array> <key>formatString</key> <string>Kerberos:$1</string> <key>dsAttributeString</key> <string>dsAttrTypeStandard:AltSecurityIdentities</string> </dict> <key>TrustedAuthorities</key> <array> <string>SHA256_HASH_OF_CERTDOMAIN_1,SHA256_HASH_OF_CERTDOMAIN_2</string> </array> <key>NotEnforcedGroup</key> <string>EXEMPTGROUP</key> </dict> </plist> Once a system is configured for the NotEnforcedGroup, a user can be added to the assigned group by running the following: /usr/sbin/dseditgroup -o edit -a <exempt_user> -t user <notenforcegroup> 1.1.1.2 User Exemption Alternatively, if a single user needs to be exempt for a period of time, kDSNativeAttrTypePrefix:SmartCardEnforcement can be set in the user's Open Directory record. The following values can be set: 0 - The system default is respected. 1 - Smartcard enforcement is enabled. 2 - Smartcard enforcement is disabled. In Active Directory environments, the value of the userAccountControl attribute is respected. Run the following command to set the exemption when booted from macOS: /usr/bin/dscl . -append /Users/<username> SmartCardEnforcement 2 Run the following command to set the exemption when booted from Recovery: /usr/bin/defaults write /Volumes/Macintosh\ HD/var/db/dslocal/nodes/Default/users/<username> SmartCardEnforcement -array-add 2 When booted to recovery on an Apple Silicon Mac, run the following after setting the exemption. /usr/sbin/diskutil apfs updatePreboot /Volumes/Macintosh\ HD Regards, Aaron Kegerreis | CISSP DISA RE11 Cyber Standards Support Chambersburg, PA 17201 ***@***.*** (NIPR) ***@***.*** (SIPR) From: Bob Gendler ***@***.***> Sent: Wednesday, March 27, 2024 2:28 PM To: usnistgov/macos_security ***@***.***> Cc: Kegerreis, Aaron S CTR DISA (USA) ***@***.***>; Author ***@***.***> Subject: Re: [usnistgov/macos_security] DISA customer pointed out potential issue with regex in pwpolicy_custom_regex_enforce (Issue #358) I believe this is all fixed in the sonoma branch. So closing the issue. - Reply to this email directly, view it on GitHub <https://usg01.safelinks.protection.office365.us/?url=https%3A%2F%2Fgithub.c om%2Fusnistgov%2Fmacos_security%2Fissues%2F358%23issuecomment-2023574128&dat a=05%7C02%7Caaron.s.kegerreis.ctr%40mail.mil%7C6e3b158c3a8e44140a1d08dc4e8ba 42b%7C102d0191eeae4761b1cb1a83e86ef445%7C0%7C0%7C638471608861865201%7CUnknow n%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6 Mn0%3D%7C0%7C%7C%7C&sdata=%2FaiX1IueXD5vUBJqBQ3guYBbRtrlDX5RJDg3zbNnD%2Bs%3D &reserved=0> , or unsubscribe. You are receiving this because you authored the thread. <https://github.com/notifications/beacon/BCWDEQEXAO5ACLREBFGRWB3Y2MFS3A5CNFS M6AAAAABDK3R2O2WGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTT YTVFHA.gif> Message ID: ***@***.*** ***@***.***> >

michael commented 2026-01-19 18:29:17 +00:00

Author

Owner

Copy Link

@akegerreis commented on GitHub:

Sounds good, thanks!

Aaron Kegerreis | CISSP

DISA RE11 Cyber Standards Support

Chambersburg, PA 17201

@.*** (NIPR)

@.*** (SIPR)

From: Bob Gendler @.>
Sent: Wednesday, March 27, 2024 2:28 PM
To: usnistgov/macos_security @.>
Cc: Kegerreis, Aaron S CTR DISA (USA) @.>;
Author @.>
Subject: Re: [usnistgov/macos_security] DISA customer pointed out potential
issue with regex in pwpolicy_custom_regex_enforce (Issue #358)

I believe this is all fixed in the sonoma branch. So closing the issue.

Reply to this email directly, view it on GitHub
<https://usg01.safelinks.protection.office365.us/?url=https%3A%2F%2Fgithub.c
om%2Fusnistgov%2Fmacos_security%2Fissues%2F358%23issuecomment-2023574128&dat
a=05%7C02%7Caaron.s.kegerreis.ctr%40mail.mil%7C6e3b158c3a8e44140a1d08dc4e8ba
42b%7C102d0191eeae4761b1cb1a83e86ef445%7C0%7C0%7C638471608861865201%7CUnknow
n%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6
Mn0%3D%7C0%7C%7C%7C&sdata=%2FaiX1IueXD5vUBJqBQ3guYBbRtrlDX5RJDg3zbNnD%2Bs%3D
&reserved=0> , or unsubscribe.
You are receiving this because you authored the thread.
<https://github.com/notifications/beacon/BCWDEQEXAO5ACLREBFGRWB3Y2MFS3A5CNFS
M6AAAAABDK3R2O2WGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTT
YTVFHA.gif> Message ID:
@.***
@.***> >

@akegerreis commented on GitHub: Sounds good, thanks! Aaron Kegerreis | CISSP DISA RE11 Cyber Standards Support Chambersburg, PA 17201 ***@***.*** (NIPR) ***@***.*** (SIPR) From: Bob Gendler ***@***.***> Sent: Wednesday, March 27, 2024 2:28 PM To: usnistgov/macos_security ***@***.***> Cc: Kegerreis, Aaron S CTR DISA (USA) ***@***.***>; Author ***@***.***> Subject: Re: [usnistgov/macos_security] DISA customer pointed out potential issue with regex in pwpolicy_custom_regex_enforce (Issue #358) I believe this is all fixed in the sonoma branch. So closing the issue. - Reply to this email directly, view it on GitHub <https://usg01.safelinks.protection.office365.us/?url=https%3A%2F%2Fgithub.c om%2Fusnistgov%2Fmacos_security%2Fissues%2F358%23issuecomment-2023574128&dat a=05%7C02%7Caaron.s.kegerreis.ctr%40mail.mil%7C6e3b158c3a8e44140a1d08dc4e8ba 42b%7C102d0191eeae4761b1cb1a83e86ef445%7C0%7C0%7C638471608861865201%7CUnknow n%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6 Mn0%3D%7C0%7C%7C%7C&sdata=%2FaiX1IueXD5vUBJqBQ3guYBbRtrlDX5RJDg3zbNnD%2Bs%3D &reserved=0> , or unsubscribe. You are receiving this because you authored the thread. <https://github.com/notifications/beacon/BCWDEQEXAO5ACLREBFGRWB3Y2MFS3A5CNFS M6AAAAABDK3R2O2WGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTT YTVFHA.gif> Message ID: ***@***.*** ***@***.***> >

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev_2.0_generate_mapping

dev_2.0

sequoia

sonoma

nist-pages

nist-pages-docs

ios_18

ios_26

ios_26_cmmc

dev_2.0_compliance_script

tahoe

visionos_26

dev_ios_26_stig

dev_visionOS_26_stig

dev_tahoe_adjustments

ios_17

dev_sequoia_bio

tahoe_578-typo-in-os_sshd_fips_compliantyaml-fix-code

ventura

ios_16

visionos_2

505-create-python-scp-library

monterey

big_sur

catalina

tahoe_rev2

sequoia_rev4

visionos26_rev2

ios26_rev2

tahoe_rev1

visionos26_rev1

ios26_rev1

sonoma_rev5

sequoia_rev3

ios18_rev3

ios17_rev4

ventura_rev6

sonoma_rev4

sequoia_rev2

visionos_rev2

ios18_rev2.0

ios16_rev4

sequoia_rev1.1

ventura_rev5.1

ios18_rev1.1

sonoma_rev3.1

sequoia_rev1

visionos_rev1

ios18_rev1

ios17_rev3

ios16_rev3

ventura_rev5

sonoma_rev3

ventura_rev4

sonoma_rev2

ios17_rev2

ios16_rev2

monterey_rev6

sonoma_rev1

ventura_rev3

monterey_rev5

ios16_rev1

ios17_rev1

big_sur_rev7

monterey_rev4

ventura_rev2

ventura_rev1.1

monterey_rev3.1

big_sur_rev6.1

ventura_rev1

monterey_rev3

big_sur_rev6

monterey_rev2

catalina_rev6

big_sur_rev5

monterey_rev1

big_sur_rev4

catalina_rev5

big_sur_rev3

catalina_rev4

big_sur_rev2

catalina_rev3

big_sur_rev1

catalina_rev2

catalina_rev1

v0.9

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

michael

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: usnistgov/macos_security#113