Last active
February 21, 2018 06:13
OSX Password Policy (passes CIS-CAT scan)
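<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
  macOS account policy: one array of policy dictionaries per category
  (authentication, password change, password content).

  Each policy has three keys:
    policyContent     the predicate string that is evaluated
    policyIdentifier  the human-readable description of the rule
    policyParameters  named values; only the ones referenced by name inside
                      policyContent (e.g. autoEnableInSeconds) affect the result

  Review note: the content rules below carry literal numbers and character
  classes in their regexes and do not reference their policyParameters, so the
  regex, the identifier text and the parameter must be kept in agreement by hand.
  Test any edit against a non-admin test account before wide deployment.
-->
<plist version="1.0">
<dict>
  <key>policyCategoryAuthentication</key>
  <array>
    <dict>
      <!-- Authentication is allowed while the failed-attempt counter is below the
           maximum, or once autoEnableInSeconds have passed since the last failure.
           The comparison operators are written as entities: a literal "less than"
           sign inside element text makes the plist ill-formed. -->
      <key>policyContent</key>
      <string>(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime &gt; (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string>
      <key>policyIdentifier</key>
      <string>Authentication Lockout</string>
      <key>policyParameters</key>
      <dict>
        <!-- Lockout clears itself after 300 seconds (5 minutes). -->
        <key>autoEnableInSeconds</key>
        <integer>300</integer>
        <!-- Lock after 5 consecutive failed authentications. -->
        <key>policyAttributeMaximumFailedAuthentications</key>
        <integer>5</integer>
      </dict>
    </dict>
  </array>
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict>
      <!-- True once more than policyAttributeExpiresEveryNDays (converted to
           seconds) have elapsed since the last password change. -->
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + policyAttributeExpiresEveryNDays * 24 * 60 * 60</string>
      <key>policyIdentifier</key>
      <string>Change every 90 days</string>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributeExpiresEveryNDays</key>
        <integer>90</integer>
      </dict>
    </dict>
  </array>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <!-- Minimum length. The regex previously required only 9 characters while
           the identifier and minimumLength both say 15; the regex is now 15 so
           the enforced rule matches the stated one. -->
      <key>policyContent</key>
      <string>policyAttributePassword matches '.{15,}+'</string>
      <key>policyIdentifier</key>
      <string>Password must be a minimum of 15 characters in length</string>
      <key>policyParameters</key>
      <dict>
        <key>minimumLength</key>
        <integer>15</integer>
      </dict>
    </dict>
    <dict>
      <!-- At least one digit. -->
      <key>policyContent</key>
      <string>policyAttributePassword matches '(.*[0-9].*){1,}+'</string>
      <key>policyIdentifier</key>
      <string>Password must have at least 1 number</string>
      <key>policyParameters</key>
      <dict>
        <key>minimumNumericCharacters</key>
        <integer>1</integer>
      </dict>
    </dict>
    <dict>
      <!-- At least one letter. The regex was a copy of the digit rule ([0-9]),
           so no letter was actually required; it now tests for a letter. -->
      <key>policyContent</key>
      <string>policyAttributePassword matches '(.*[A-Za-z].*){1,}+'</string>
      <key>policyIdentifier</key>
      <string>Password must have at least 1 letter</string>
      <key>policyParameters</key>
      <dict>
        <key>minimumAlphaCharacters</key>
        <integer>1</integer>
      </dict>
    </dict>
    <dict>
      <!-- Mixed case. The original predicate tested only for an uppercase
           letter; the lowercase test is added so both halves of the stated
           rule are enforced. NOTE(review): confirm the AND form is accepted
           by the target macOS version before rollout. -->
      <key>policyContent</key>
      <string>policyAttributePassword matches '(.*[A-Z].*){1,}+' AND policyAttributePassword matches '(.*[a-z].*){1,}+'</string>
      <key>policyIdentifier</key>
      <string>Password must have both uppercase and lowercase letters</string>
      <key>policyParameters</key>
      <dict>
        <key>minimumAlphaCharactersUpperCase</key>
        <integer>1</integer>
        <key>minimumAlphaCharactersLowerCase</key>
        <integer>1</integer>
      </dict>
    </dict>
    <dict>
      <!-- At least one character that is not an ASCII letter or digit. -->
      <key>policyContent</key>
      <string>policyAttributePassword matches '(.*[^a-zA-Z0-9].*){1,}+'</string>
      <key>policyIdentifier</key>
      <string>Password must have at least 1 special character</string>
      <key>policyParameters</key>
      <dict>
        <key>minimumSymbols</key>
        <integer>1</integer>
      </dict>
    </dict>
    <dict>
      <!-- Reject a new password whose hash appears in the stored history;
           the history depth parameter is set to 15 entries. -->
      <key>policyContent</key>
      <string>none policyAttributePasswordHashes in policyAttributePasswordHistory</string>
      <key>policyIdentifier</key>
      <string>Password must differ from past 15 passwords</string>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributePasswordHistoryDepth</key>
        <integer>15</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>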