pwpolicy_minimum_length_enforce fails when min length > ODV #28

Closed
opened 2026-01-19 18:28:58 +00:00 by michael · 1 comment

Originally created by @phaninder-scalefusion on GitHub.

Summary

The pwpolicy_minimum_length_enforce script fails if the configured minimum length is greater than the CIS ODV (e.g., policy requires 15, admin sets 20).

Steps to reproduce

  1. Configure password minimum length to 20.
  2. Run compliance check with ODV=15.
  3. Observe failure.

Operating System version

(macOS 13 / 14 / 15)

Intel or Apple Silicon

Both

Current behavior

Script only accepts exact match, fails if policy is stricter.

Expected behavior

Script should pass if configured value >= ODV.

Possible fix

Update script logic to:
/usr/bin/pwpolicy -getaccountpolicies 2>/dev/null | tail +2 | grep -oE "policyAttributePassword matches '.\{[0-9]+," | awk -F'[{,]' -v ODV="$ODV" '{if ($2 > max) max=$2} END {print ((max >= ODV) ? "true" : "false")}'

Additional note

The same issue is noticed in pwpolicy_max_lifetime_enforce and pwpolicy_history_enforce.

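The "configured value >= ODV" rule the report asks for, written out as a stand-alone shell check. This is an added example, not mSCP's own rule script: the pwpolicy XML is a constructed sample fed on stdin instead of a live `pwpolicy -getaccountpolicies` call, and the function name `min_length_compliant` is an assumption. It takes the strictest (largest) minimum when several password-content policies are present, so an admin setting stricter than the ODV passes and a policy set with no length rule fails.

```shell
#!/bin/sh
# Added example (not mSCP's own check): decide pwpolicy_minimum_length_enforce
# by "configured minimum >= ODV" instead of an exact match, keeping the
# strictest (largest) value when several password-content policies exist.

# Constructed sample of `pwpolicy -getaccountpolicies` output. The first line is
# the "Getting global account policies" banner that the real check drops with tail.
# Two policies are present: a 12-character one and a 20-character one.
SAMPLE_POLICIES=$(cat <<'EOF'
Getting global account policies
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '.{12,}'</string>
    </dict>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '.{20,}'</string>
    </dict>
  </array>
</dict>
</plist>
EOF
)

# Usage: <policy xml on stdin> | min_length_compliant ODV
# Prints "true"/"false" and returns 0/1, so it can feed both a result field
# and an exit status. A policy set with no minimum-length rule yields "false".
min_length_compliant() {
    odv="$1"
    tail -n +2 |
        grep -oE "policyAttributePassword matches '.\{[0-9]+," |
        awk -F'[{,]' -v ODV="$odv" '
            BEGIN { max = 0 }
            # $2 is the digits between "{" and ","; keep the largest minimum seen
            { n = $2 + 0; if (n > max) max = n }
            END {
                if (max >= ODV) { print "true"; exit 0 }
                print "false"; exit 1
            }'
}

# Demo on the constructed sample: ODV 15, strictest configured minimum 20 -> true
printf '%s\n' "$SAMPLE_POLICIES" | min_length_compliant 15
# ODV 25 is stricter than anything configured -> false and a non-zero exit
printf '%s\n' "$SAMPLE_POLICIES" | min_length_compliant 25 || echo "configured minimum is below ODV"
```

Note that the direction of the comparison is rule-specific: for a minimum length or a history count, a larger configured value is stricter, but for a maximum password lifetime the stricter setting is the smaller one, so a "stricter passes" fix for pwpolicy_max_lifetime_enforce needs `configured <= ODV` rather than `>=`.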

@brodjieski commented on GitHub:

Changes have been merged into primary branches.


Reference: usnistgov/macos_security#28