An error occurred:

Check: APPL-14-003070

Apple macOS 14 (Sonoma) STIG: APPL-14-003070 (in versions v1 r2 through v1 r1)

Title

The macOS system must set minimum password lifetime to 24 hours. (Cat II impact)

Discussion

The macOS must be configured to enforce a minimum password lifetime limit of 24 hours. This rule discourages users from cycling through their previous passwords to get back to a preferred one. Note: The guidance for password-based authentication in NIST 800-53 (Rev 5) and NIST 800-63B state that complexity rules should be organizationally defined. The values defined are based on common complexity values, but an organization may define its own password complexity rules.

Check Content

Verify the macOS system is configured to set minimum password lifetime to 24 hours with the following command: /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMinimumLifetimeHours"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 >= 24 ) {print "yes"} else {print "no"}}' If the result is not "yes", this is a finding.

Fix Text

Configure the macOS system to set minimum password lifetime to 24 hours. This setting may be enforced using local policy or by a directory service. To set local policy to require a minimum password lifetime, edit the current password policy to contain the following <dict> within the "policyCategoryPasswordContent": [source,xml] ---- <dict> <key>policyContent</key> <string>policyAttributeLastPasswordChangeTime &lt; policyAttributeCurrentTime - (policyAttributeMinimumLifetimeHours * 60 * 60)</string> <key>policyIdentifier</key> <string>Minimum Password Lifetime</string> <key>policyParameters</key> <dict> <key>policyAttributeMinimumLifetimeHours</key> <integer>24</integer> </dict> </dict> ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file ---- Note: Refer to the password policy supplemental on more information on how to implement password policies on macOS.

Additional Identifiers

Rule ID: SV-259551r941275_rule

Vulnerability ID: V-259551

Group Title: SRG-OS-000075-GPOS-00043

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000198

The information system enforces minimum password lifetime restrictions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-5 (1)

Password-Based Authentication