-
Notifications
You must be signed in to change notification settings - Fork 237
Rules
id
The id should match the file name, without the yaml file extension.
title
The title is a human-readable title of the rule.
discussion
The discussion should provide a concise description of the intended use of the rule.
check
Every rule will have a check. Most rules should be able to be validated and checked with a shell based check.
result
Expected results from the check.
fix
The fix will appear in a document when generated. If a fix includes [source,bash] the fix will be used for generating the script to enforce the rule.
references
The references include a CCE and a mapping of the security frameworks, guidance, and individual controls, which have been mapped to the rule.
macOS
The version of macOS for which this rule is validated.
odv
Sets Organization Defined Values. If a rule falls under this designation, the odv section will/should be added. At a minimum this field should contain a hint (provides a description when tailoring a baseline) and a default value which replaces the $ODV variable.
tags
Tags are keywords used to categorize and identify related rules and can be added to or modified as needed. Tags can also be used to make index-based searching of the rules faster and easier.
mobileconfig
The mobileconfig and mobileconfig_info are related. If mobileconfig is set to "true", the information required for creating the mobileconfig configuration profile is required in the mobileconfig_info area.
ddm_info
If a rule can be applied using declarative device management, ddm_info and all the associated keys will be present within the rule file.
id: pwpolicy_custom_regex_enforce
title: Require Passwords to Match the Defined Custom Regular Expression
discussion: |
The macOS _MUST_ be configured to meet complexity requirements defined in $ODV.
This rule enforces password complexity by requiring users to set passwords that are less vulnerable to malicious users.
NOTE: To comply with Executive Order 14028, “Improving the Nation's Cybersecurity”, OMB M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, and NIST SP-800-63b, “Digital Identity Guidelines: Authentication and Lifecycle Management” federal, military, and intelligence communities must adopt the following configuration settings. Password policies must not require the use of complexity policies such as upper characters, lower characters, or special characters. Password policies must also not require the use of regular rotation. Password policies should define a minimum length. Multifactor authentication should be used where ever possible.
NOTE: The configuration profile generated must be installed from an MDM server.
check: |
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath 'boolean(//*[contains(text(),"policyAttributePassword matches '\''$ODV'\''")])' -
result:
string: 'true'
fix: |
This is implemented by a Configuration Profile.
references:
cce:
- CCE-94334-0
cci:
- CCI-000192
- CCI-000193
- CCI-004066
- CCI-004066
- CCI-004064
- CCI-004065
800-53r5:
- IA-5(1)
800-53r4:
- IA-5
- IA-5(1)
disa_stig:
- APPL-15-003060
srg:
- SRG-OS-000070-GPOS-00038
- SRG-OS-000069-GPOS-00037
800-171r3:
- 03.05.07
cis:
benchmark:
- 5.2.6 (level 2)
controls v8:
- 5.2
cmmc:
- IA.L2-3.5.7
- IA.L2-3.5.8
- IA.L2-3.5.9
macOS:
- '15.0'
odv:
hint: Custom regex (recommended is 1 upper, 1 lowercase, and 1 numeric digit)
recommended: ^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$
cis_lvl2: ^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$
stig: ^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$
tags:
- cis_lvl2
- cisv8
- cnssi-1253_low
- cnssi-1253_high
- cmmc_lvl2
- stig
- cnssi-1253_moderate
severity: medium
mobileconfig: true
mobileconfig_info:
com.apple.mobiledevice.passwordpolicy:
customRegex:
passwordContentRegex: $ODV
passwordContentDescription:
default: Password must match custom regex.
ddm_info:
declarationtype: com.apple.configuration.passcode.settings
ddm_key: CustomRegex
ddm_value:
Regex: $ODV
Description: Password must match custom regex.