usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 14:03:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity
Files
e98d16aec61cf26c812b78b31490d4e0a6911457
macos_security/rules/pwpolicy/pwpolicy_history_enforce.yaml
Bob Gendler fd7cb2755f Merge branch 'tahoe'
2025-12-18 13:31:02 -05:00

73 lines
2.1 KiB
YAML
Raw Blame History

id: pwpolicy_history_enforce
title: Prohibit Password Reuse for a Minimum of $ODV Generations
discussion: |
The macOS _MUST_ be configured to enforce a password history of at least $ODV previous passwords when a password is created.
This rule ensures that users are not allowed to reuse a password that was used in any of the $ODV previous password generations.
Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods.
NOTE: The guidance for password based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based off of common complexity values. But your organization may define its own password complexity rules.
check: |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributePasswordHistoryDepth"]/following-sibling::*[1]/text()' - | /usr/bin/awk '{ if ($1 >= $ODV ) {print "pass"} else {print "fail"}}' | /usr/bin/uniq
result:
string: 'pass'
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-95343-0
cci:
- CCI-000200
800-53r5:
- IA-5(1)
800-53r4:
- IA-5(1)
srg:
- SRG-OS-000077-GPOS-00045
- SRG-OS-000775-GPOS-00230
disa_stig:
- APPL-15-003009
800-171r3:
- 03.05.07
cis:
benchmark:
- 5.2.8 (level 1)
controls v8:
- 5.2
cmmc:
- IA.L2-3.5.7
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- '26.0'
odv:
hint: Number of previous passwords.
recommended: 5
cis_lvl1: 15
cis_lvl2: 15
stig: 5
tags:
- 800-171
- 800-53r4_low
- 800-53r4_moderate
- 800-53r4_high
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- cis_lvl1
- cis_lvl2
- cisv8
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- cnssi-1253_moderate
severity: medium
mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
pinHistory: $ODV
ddm_info:
declarationtype: com.apple.configuration.passcode.settings
ddm_key: PasscodeReuseLimit
ddm_value: $ODV
Reference in New Issue View Git Blame Copy Permalink