


Apple OS X 10.13 Security Technical Implementation Guide

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. One method of minimizing this risk is to use complex passwords and periodically change them. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Details

Check Text ( C-16127r397353_chk )

Password policy can be set with a configuration profile or the "pwpolicy" utility.

If password policy is set with a configuration profile, run the following command to check if the system is configured to require users to change their passwords every 60 days:

/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep maxPINAgeInDays

If the return is null, or is not "maxPINAgeInDays = 60" or set to a smaller value, this is a finding.

If password policy is set with the "pwpolicy" utility, run the following command instead:

/usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies

Look for the line "policyCategoryPasswordChange". If it does not exist, and password policy is not controlled by a directory service, this is a finding.

Otherwise, in the array section that follows it, there should be a section that contains a check that compares the variable "policyAttributeLastPasswordChangeTime" to the variable "policyAttributeCurrentTime". It may contain additional variables defined in the "policyParameters" section that follows it.

If this check allows users to log in with passwords older than "60" days, or if no such check exists, this is a finding.
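The two checks above can be evaluated from captured command output rather than by eye. The following is an added example, not part of the STIG: it parses the grep output for the profile path and the plist that "pwpolicy getaccountpolicies" prints for the pwpolicy path. The sample plist, its status line, and the parameter name policyAttributeExpiresEveryNDays are constructed for the example and are not taken from this page.

```python
import plistlib
import re

MAX_DAYS = 60  # the threshold named in the check text

# Constructed sample of "pwpolicy getaccountpolicies" output (not captured from
# a real host); the expression and parameter name are assumptions.
SAMPLE_PWPOLICY = """Getting global account policies
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributeExpiresEveryNDays</key>
        <integer>60</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

def profile_compliant(grep_output: str) -> bool:
    """Configuration-profile path: null output or a value above 60 is a finding."""
    m = re.search(r"maxPINAgeInDays\s*=\s*(\d+)", grep_output)
    return m is not None and int(m.group(1)) <= MAX_DAYS

def pwpolicy_compliant(raw: str) -> bool:
    """pwpolicy path: a policyCategoryPasswordChange rule must compare the last
    change time with the current time, and its day parameter must be <= 60."""
    start = raw.find("<?xml")
    if start < 0:
        return False  # no plist printed at all, so no local policy exists
    policies = plistlib.loads(raw[start:].encode())
    for rule in policies.get("policyCategoryPasswordChange", []):
        content = rule.get("policyContent", "")
        if ("policyAttributeLastPasswordChangeTime" not in content
                or "policyAttributeCurrentTime" not in content):
            continue
        # Assumes the integer parameter holds days, as in the sample; if a rule
        # encodes the limit differently, review its expression by hand.
        days = [v for v in rule.get("policyParameters", {}).values() if isinstance(v, int)]
        if days and max(days) <= MAX_DAYS:
            return True
    return False
```

A rule that references both attributes but whose parameter exceeds 60 days, or a plist with no policyCategoryPasswordChange array, is reported as non-compliant, matching the finding conditions in the check text.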
