macos_security/rules/os/os_password_hint_remove.yaml

id: os_password_hint_remove
title: Remove Password Hint From User Accounts
discussion: |
  User accounts _MUST_ not contain password hints.
check: |
  HINT=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ print $2 }')

  if [ -z "$HINT" ]; then
    echo "PASS"
  else
    echo "FAIL"
  fi
result:
  string: PASS
fix: |
  [source,bash]
  ----
  for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
    /usr/bin/dscl . -delete /Users/$u hint
  done
  ----
references:
  cce:
    - CCE-94248-2
  cci:
    - CCI-000206
  800-53r5:
    - IA-6
  800-53r4:
    - IA-6
  800-171r3:
    - 03.05.11
  cis:
    benchmark:
      - 2.12.1 (level 1)
    controls v8:
      - 5.2
  cmmc:
    - IA.L2-3.5.11
  srg:
    - SRG-OS-000079-GPOS-00047
  disa_stig:
    - APPL-15-003014
macOS:
  - '15.0'
tags:
  - cis_lvl1
  - cis_lvl2
  - cisv8
  - cnssi-1253_low
  - cnssi-1253_high
  - cmmc_lvl2
  - stig
  - cnssi-1253_moderate
severity: medium
mobileconfig: false
mobileconfig_info: