usnistgov / macos_security

macOS Security Compliance Project

pwpolicy_account_lockout_enforce should check if value is less than or equal #147

Closed jmahlman closed 2 years ago

jmahlman commented 2 years ago

Problem to solve

When setting pwpolicy_account_lockout_enforce the check should accept if the number is less than the number passed.

Intended users

Anyone using the pwpolicy_account_lockout_enforce control.

Further details

This may be an edge case but some orgs have a maximum number of attempts but may also request some devices to have less than the maximum due to the device being in a less secure location. The wording to the rule actually specifically states:

The macOS MUST be configured to limit the number of failed login attempts to a maximum of 10. When the maximum number of failed attempts is reached, the account MUST be locked for a period of time after.

So this change is in line with the verbiage.

Proposal

Code the if statement in the pwpolicy_account_lockout_enforce block from == to -le

#####----- Rule: pwpolicy_account_lockout_enforce -----#####
## Addresses the following NIST 800-53 controls: 
# * AC-7
rule_arch=""
if [[ "$arch" == "$rule_arch" ]] || [[ -z "$rule_arch" ]]; then
    #echo 'Running the command to check the settings for: pwpolicy_account_lockout_enforce ...' | tee -a "$audit_log"
    unset result_value
    result_value=$(/usr/bin/osascript -l JavaScript << EOS
$.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
.objectForKey('maxFailedAttempts').js
EOS
)
    # expected result {'integer': '10'}

    # check to see if rule is exempt
    unset exempt
    unset exempt_reason

    exempt=$(/usr/bin/osascript -l JavaScript << EOS 2>/dev/null
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('org.cis_leidos.audit').objectForKey('pwpolicy_account_lockout_enforce'))["exempt"]
EOS
)
    exempt_reason=$(/usr/bin/osascript -l JavaScript << EOS 2>/dev/null
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('org.cis_leidos.audit').objectForKey('pwpolicy_account_lockout_enforce'))["exempt_reason"]
EOS
)

    # Pass only when the value is an integer and no higher than the maximum of 10.
    # A bare "-le" test treats an empty (unset) result as 0, which would wrongly pass.
    if [[ "$result_value" =~ ^[0-9]+$ ]] && [[ $result_value -le 10 ]]; then
        /bin/echo "$(date -u) pwpolicy_account_lockout_enforce passed (Result: $result_value, Expected: "{'integer': '10'}")" | /usr/bin/tee -a "$audit_log"
        /usr/bin/defaults write "$audit_plist" pwpolicy_account_lockout_enforce -dict-add finding -bool NO
        /usr/bin/logger "mSCP: cis_leidos - pwpolicy_account_lockout_enforce passed (Result: $result_value, Expected: "{'integer': '10'}")"
    else
        if [[ ! $exempt == "1" ]] || [[ -z $exempt ]];then
            /bin/echo "$(date -u) pwpolicy_account_lockout_enforce failed (Result: $result_value, Expected: "{'integer': '10'}")" | /usr/bin/tee -a "$audit_log"
            /usr/bin/defaults write "$audit_plist" pwpolicy_account_lockout_enforce -dict-add finding -bool YES
            /usr/bin/logger "mSCP: cis_leidos - pwpolicy_account_lockout_enforce failed (Result: $result_value, Expected: "{'integer': '10'}")"
        else
            /bin/echo "$(date -u) pwpolicy_account_lockout_enforce failed (Result: $result_value, Expected: "{'integer': '10'}") - Exemption Allowed (Reason: "$exempt_reason")" | /usr/bin/tee -a "$audit_log"
            /usr/bin/defaults write "$audit_plist" pwpolicy_account_lockout_enforce -dict-add finding -bool NO
            /usr/bin/logger "mSCP: cis_leidos - pwpolicy_account_lockout_enforce failed (Result: $result_value, Expected: "{'integer': '10'}") - Exemption Allowed (Reason: "$exempt_reason")"
            /bin/sleep 1
        fi
    fi

else
    /bin/echo "$(date -u) pwpolicy_account_lockout_enforce does not apply to this architecture" | tee -a "$audit_log"
    /usr/bin/defaults write "$audit_plist" pwpolicy_account_lockout_enforce -dict-add finding -bool NO
fi

Testing

Made this change manually and verified working.
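As an added example (not the project's own check script), a small bash function that applies the proposed less-than-or-equal comparison but also rejects an empty or non-numeric result, since `[[ "" -le 10 ]]` evaluates the empty string as 0 and would report a pass when the key is not set at all; `lockout_check` and `lockout_finding` are hypothetical names, and treating 0 as "no limit enforced" is an assumption.

```shell
#!/bin/bash
# Added example, not mSCP code: evaluate an observed lockout threshold the way the
# proposal intends (pass when value <= maximum) while rejecting inputs that a bare
# "[[ $result_value -le 10 ]]" mishandles (an unset key yields "" which [[ ]] treats as 0).

# lockout_check <observed> <maximum>
# Returns 0 (pass) when observed is an integer in 1..maximum, 1 otherwise.
lockout_check() {
    local observed="$1" maximum="${2:-10}"
    # Must be a plain decimal integer: "", "undefined", "null", "10abc" all fail here.
    case "$observed" in
        ''|*[!0-9]*) return 1 ;;
    esac
    # Assumption: a threshold of 0 means no limit is enforced, so it is a failure.
    [ "$observed" -ge 1 ] && [ "$observed" -le "$maximum" ]
}

# lockout_finding <observed> <maximum>
# Produces the finding text in the style of the audit log lines above.
lockout_finding() {
    if lockout_check "$1" "$2"; then
        echo "passed (Result: $1, Expected: <= $2)"
    else
        echo "failed (Result: ${1:-<unset>}, Expected: <= $2)"
    fi
}

# Constructed sample results, standing in for what the defaults read returns.
for v in 10 5 11 0 "" undefined; do
    printf '%-12s -> %s\n' "'$v'" "$(lockout_finding "$v" 10)"
done
```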

robertgendler commented 2 years ago

The branch dev_mont_pwpolicy should have these changes.