AOSX-13-002090 - The macOS system must prohibit password reuse for a minimum of five generations.

Information

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Solution

This setting may be enforced using the 'Passcode Policy' configuration profile or by a directory service.

To set the password policy without a configuration profile, run the following command to save a copy of the current 'pwpolicy' account policy file:

/usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist

Open the generated file in a text editor. If the file does not yet contain any policy settings, replace <dict/> with <dict></dict>. If there already is a policy block that refers to password history, ensure it is set to '5'. If the line '<key>policyCategoryPasswordContent</key>' is not present in the file, add the following text immediately after the opening <dict> tag in the file:

<key>policyCategoryPasswordContent</key>
<array>
    <dict>
        <key>policyContent</key>
        <string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>
        <key>policyIdentifier</key>
        <string>Password History</string>
        <key>policyParameters</key>
        <dict>
            <key>policyAttributePasswordHistoryDepth</key>
            <integer>5</integer>
        </dict>
    </dict>
</array>

If the line '<key>policyCategoryPasswordContent</key>' is already present in the file, the following text should be added just after the opening <array> tag that follows the line instead:

<dict>
    <key>policyContent</key>
    <string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>
    <key>policyIdentifier</key>
    <string>Password History</string>
    <key>policyParameters</key>
    <dict>
        <key>policyAttributePasswordHistoryDepth</key>
        <integer>5</integer>
    </dict>
</dict>

After saving the file and exiting to the command prompt, run the following command to load the new policy file:

/usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist

Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as lock out all local users, including administrators.
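As an added worked example (not part of the STIG text), the edit described above done programmatically with Python's standard plistlib: it parses the saved pwpolicy.plist, inserts the password-history dict (creating the policyCategoryPasswordContent array when absent, otherwise raising an existing depth), and reports whether the configured depth meets the five-generation minimum. The sample plist and the function names are constructed for this example, not captured from a real system.

```python
import plistlib

# Constructed sample of what `pwpolicy getaccountpolicies | tail -n +2` yields on a
# host with no account policy yet (a bare <dict/>); not output captured from a system.
EMPTY_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict/>
</plist>
"""


def history_entry(depth):
    """The password-history policy dict from the STIG fix text, as Python data."""
    return {
        "policyContent": "none policyAttributePasswordHashes in policyAttributePasswordHistory",
        "policyIdentifier": "Password History",
        "policyParameters": {"policyAttributePasswordHistoryDepth": depth},
    }


def history_depth(plist_bytes):
    """Return the configured policyAttributePasswordHistoryDepth, or None when absent."""
    policy = plistlib.loads(plist_bytes)
    for entry in policy.get("policyCategoryPasswordContent", []):
        params = entry.get("policyParameters", {})
        if "policyAttributePasswordHistoryDepth" in params:
            return params["policyAttributePasswordHistoryDepth"]
    return None


def is_compliant(plist_bytes, minimum=5):
    """AOSX-13-002090 check: a history policy exists and keeps >= minimum generations."""
    depth = history_depth(plist_bytes)
    return depth is not None and depth >= minimum


def ensure_history_depth(plist_bytes, depth=5):
    """Remediate: add the history entry if missing (creating the array when needed);
    if one exists, raise its depth to `depth` but never lower a stricter setting."""
    policy = plistlib.loads(plist_bytes)
    content = policy.setdefault("policyCategoryPasswordContent", [])
    for entry in content:
        params = entry.get("policyParameters", {})
        if "policyAttributePasswordHistoryDepth" in params:
            params["policyAttributePasswordHistoryDepth"] = max(
                params["policyAttributePasswordHistoryDepth"], depth)
            break
    else:
        content.append(history_entry(depth))
    return plistlib.dumps(policy)  # write this out, then load with `pwpolicy setaccountpolicies`
```

Run `is_compliant()` on a freshly dumped policy file before and after the change; the remediated bytes are what you save and pass to `pwpolicy setaccountpolicies`.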

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apple_OS_X_10-13_V2R5_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(e), CAT|II, CCI|CCI-000200, Rule-ID|SV-214928r609363_rule, STIG-ID|AOSX-13-002090, STIG-Legacy|SV-96451, STIG-Legacy|V-81737, Vuln-ID|V-214928

Plugin: Unix

Control ID: 4c7f6f037b793f275fa0979e6a3dce4caa8b7f3ca27b21b56bd8288e178d87ed