Skip to content

Instantly share code, notes, and snippets.

@christippett
Last active February 21, 2018 06:13
Show Gist options
  • Save christippett/a8f94993ac21fa2b1466676921a90955 to your computer and use it in GitHub Desktop.
Save christippett/a8f94993ac21fa2b1466676921a90955 to your computer and use it in GitHub Desktop.
OSX Password Policy (passes CIS-CAT scan)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>policyCategoryAuthentication</key>
<array>
<dict>
<key>policyContent</key>
<string>(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime &gt; (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string>
<key>policyIdentifier</key>
<string>Authentication Lockout</string>
<key>policyParameters</key>
<dict>
<key>autoEnableInSeconds</key>
<integer>300</integer>
<key>policyAttributeMaximumFailedAuthentications</key>
<integer>5</integer>
</dict>
</dict>
</array>
<key>policyCategoryPasswordChange</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + policyAttributeExpiresEveryNDays * 24 * 60 * 60</string>
<key>policyIdentifier</key>
<string>Change every 90 days</string>
<key>policyParameters</key>
<dict>
<key>policyAttributeExpiresEveryNDays</key>
<integer>90</integer>
</dict>
</dict>
</array>
<key>policyCategoryPasswordContent</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '.{9,}+'</string>
<key>policyIdentifier</key>
<string>Password must be a minimum of 15 characters in length</string>
<key>policyParameters</key>
<dict>
<key>minimumLength</key>
<integer>15</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '(.*[0-9].*){1,}+'</string>
<key>policyIdentifier</key>
<string>Password must have at least 1 number</string>
<key>policyParameters</key>
<dict>
<key>minimumNumericCharacters</key>
<integer>1</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '(.*[0-9].*){1,}+'</string>
<key>policyIdentifier</key>
<string>Password must have at least 1 letter</string>
<key>policyParameters</key>
<dict>
<key>minimumAlphaCharacters</key>
<integer>1</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '(.*[A-Z].*){1,}+'</string>
<key>policyIdentifier</key>
<string>Password must have both uppercase and lowercase letters</string>
<key>policyParameters</key>
<dict>
<key>minimumAlphaCharactersUpperCase</key>
<integer>1</integer>
<key>minimumAlphaCharactersLowerCase</key>
<integer>1</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>policyAttributePassword matches '(.*[^a-zA-Z0-9].*){1,}+'</string>
<key>policyIdentifier</key>
<string>Password must have at least 1 special character</string>
<key>policyParameters</key>
<dict>
<key>minimumSymbols</key>
<integer>1</integer>
</dict>
</dict>
<dict>
<key>policyContent</key>
<string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>
<key>policyIdentifier</key>
<string>Password must differ from past 15 passwords</string>
<key>policyParameters</key>
<dict>
<key>policyAttributePasswordHistoryDepth</key>
<integer>15</integer>
</dict>
</dict>
</array>
</dict>
</plist>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment