pwpolicy_account_lockout_enforce should check if value is less than or equal #240

Closed
opened 2026-01-19 18:29:46 +00:00 by michael · 1 comment
Originally created by @jmahlman on GitHub.

Originally assigned to: @robertgendler on GitHub.

### Problem to solve

When setting `pwpolicy_account_lockout_enforce` the check should accept if the number is less than the number passed.

### Intended users

Anyone using the `pwpolicy_account_lockout_enforce` control.

### Further details

This may be an edge case but some orgs have a _maximum_ number of attempts but may also request some devices to have less than the maximum due to the device being in a less secure location. The wording of the rule actually specifically states:

> The macOS MUST be configured to limit the number of failed login attempts to a maximum of 10. When the maximum number of failed attempts is reached, the account MUST be locked for a period of time after.

So this change is in line with the verbiage.

### Proposal

Code the if statement in the `pwpolicy_account_lockout_enforce` block from `==` to `-le`

```bash
#####----- Rule: pwpolicy_account_lockout_enforce -----#####
## Addresses the following NIST 800-53 controls: 
# * AC-7
rule_arch=""
if [[ "$arch" == "$rule_arch" ]] || [[ -z "$rule_arch" ]]; then
    #echo 'Running the command to check the settings for: pwpolicy_account_lockout_enforce ...' | tee -a "$audit_log"
    unset result_value
    result_value=$(/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('maxFailedAttempts').js
EOS
)
    # expected result: an integer no greater than 10 (the template's
    # original expectation was exactly {'integer': '10'})


    # check to see if rule is exempt
    unset exempt
    unset exempt_reason

    exempt=$(/usr/bin/osascript -l JavaScript << EOS 2>/dev/null
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('org.cis_leidos.audit').objectForKey('pwpolicy_account_lockout_enforce'))["exempt"]
EOS
)
    exempt_reason=$(/usr/bin/osascript -l JavaScript << EOS 2>/dev/null
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('org.cis_leidos.audit').objectForKey('pwpolicy_account_lockout_enforce'))["exempt_reason"]
EOS
)

    # -le instead of == : any configured threshold up to 10 passes
    if [[ $result_value -le "10" ]]; then
        /bin/echo "$(date -u) pwpolicy_account_lockout_enforce passed (Result: $result_value, Expected: "{'integer': '10'}")" | /usr/bin/tee -a "$audit_log"
        /usr/bin/defaults write "$audit_plist" pwpolicy_account_lockout_enforce -dict-add finding -bool NO
        /usr/bin/logger "mSCP: cis_leidos - pwpolicy_account_lockout_enforce passed (Result: $result_value, Expected: "{'integer': '10'}")"
    else
        if [[ ! $exempt == "1" ]] || [[ -z $exempt ]];then
            /bin/echo "$(date -u) pwpolicy_account_lockout_enforce failed (Result: $result_value, Expected: "{'integer': '10'}")" | /usr/bin/tee -a "$audit_log"
            /usr/bin/defaults write "$audit_plist" pwpolicy_account_lockout_enforce -dict-add finding -bool YES
            /usr/bin/logger "mSCP: cis_leidos - pwpolicy_account_lockout_enforce failed (Result: $result_value, Expected: "{'integer': '10'}")"
        else
            /bin/echo "$(date -u) pwpolicy_account_lockout_enforce failed (Result: $result_value, Expected: "{'integer': '10'}") - Exemption Allowed (Reason: "$exempt_reason")" | /usr/bin/tee -a "$audit_log"
            /usr/bin/defaults write "$audit_plist" pwpolicy_account_lockout_enforce -dict-add finding -bool NO
            /usr/bin/logger "mSCP: cis_leidos - pwpolicy_account_lockout_enforce failed (Result: $result_value, Expected: "{'integer': '10'}") - Exemption Allowed (Reason: "$exempt_reason")"
            /bin/sleep 1
        fi
    fi


else
    /bin/echo "$(date -u) pwpolicy_account_lockout_enforce does not apply to this architecture" | tee -a "$audit_log"
    /usr/bin/defaults write "$audit_plist" pwpolicy_account_lockout_enforce -dict-add finding -bool NO
fi
```

### Testing

Making this change manually and verified working.
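A hardened variant of the proposed comparison, added here as an example; it is neither the issue author's code nor part of the mSCP project. It assumes the threshold is compared with a bash/zsh `[[ ... ]]` test as in the rule block above, where an empty left operand is evaluated as 0, so a bare `-le` marks a device with no `maxFailedAttempts` value at all (or a value of 0) as passing. The function names and the sample values are constructed for illustration; the real rule would feed it `$result_value` from the `osascript` call.

```bash
#!/bin/bash
# Added example (not from the mSCP project or the issue author): compare a
# lockout threshold against a maximum, rejecting unset/garbage values.
#
# Why: in bash/zsh, [[ "" -le 10 ]] is true because an empty string is
# treated as 0 inside an arithmetic test, so switching the rule from == to a
# bare -le would let an unconfigured device pass the check.

# lockout_threshold_ok VALUE [MAX]
#   returns 0 (pass) when VALUE is a decimal integer with 1 <= VALUE <= MAX
#   (MAX defaults to 10, the rule's stated maximum), 1 (fail) otherwise:
#   empty, "null", non-numeric, 0, or above MAX all fail.
lockout_threshold_ok() {
    local value="$1" max="${2:-10}"
    # Reject anything that is not a plain non-negative integer. This covers
    # the unset case (empty output from the osascript call) and any string
    # such as "null" or "undefined" that the bridge might print instead.
    [[ "$value" =~ ^[0-9]+$ ]] || return 1
    # Design choice for this example: a threshold of 0 is not accepted as a
    # "limit", since the rule requires the account to actually lock.
    (( value >= 1 && value <= max )) || return 1
    return 0
}

# naive_threshold_ok VALUE [MAX]
#   the comparison exactly as proposed in the issue (a bare -le), kept here
#   only to show how it behaves on an empty or zero value.
naive_threshold_ok() {
    [[ "$1" -le "${2:-10}" ]]
}

# Self-check with constructed sample results standing in for the value read
# from com.apple.screensaver; runs only when the file is executed directly.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    for v in 10 5 1 0 11 "" null abc; do
        if lockout_threshold_ok "$v" 10; then h=pass; else h=fail; fi
        if naive_threshold_ok "$v" 10 2>/dev/null; then n=pass; else n=fail; fi
        printf 'value=%-6s hardened=%s  bare-le=%s\n' "\"$v\"" "$h" "$n"
    done
fi
```

Applied to the rule block, the guard would sit in front of the `-le` test (`if [[ "$result_value" =~ ^[0-9]+$ ]] && [[ "$result_value" -ge 1 ]] && [[ "$result_value" -le 10 ]]`), and the `Expected: {'integer': '10'}` text in the log lines should be changed to state the range, otherwise a device configured with 5 is logged as passing against an expectation of exactly 10.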


@robertgendler commented on GitHub:

The branch [dev_mont_pwpolicy](https://github.com/usnistgov/macos_security/tree/dev_mont_passwordpolicy) should have these changes.

Reference: usnistgov/macos_security#240