The macOS system must set minimum password lifetime to 24 hours.

An XCCDF Rule

Description

The macOS must be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycling through their previous passwords to get back to a preferred one. NOTE: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B states that complexity rules should be organizationally defined. The values defined are based on common complexity values, but each organization may define its own password complexity rules.

ID: SV-268548r1034796_rule
Version: APPL-15-003070
Severity: Medium
References: CCI-004066
Updated: about 2 months ago

Remediation Templates

Configure the macOS system to set minimum password lifetime to 24 hours.

This setting may be enforced using local policy or by a directory service.

To set local policy to require a minimum password lifetime, edit the current password policy to contain the following <dict> within the "policyCategoryPasswordContent":
[source,xml]
----
<dict>
<key>policyContent</key>
<string>policyAttributeLastPasswordChangeTime &lt; policyAttributeCurrentTime - (policyAttributeMinimumLifetimeHours * 60 * 60)</string>
<key>policyIdentifier</key>
<string>Minimum Password Lifetime</string>
<key>policyParameters</key>
<dict>
<key>policyAttributeMinimumLifetimeHours</key>
<integer>24</integer>
</dict>
</dict>
----
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file".

[source,bash]
----
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
----

The macOS system must set minimum password lifetime to 24 hours.

Description

Remediation Templates

A Manual Procedure