STIG guidance leads to inconsistent failed password account locking time #360

Open

bernstei opened this issue Feb 22, 2024 · 3 comments

Comments

@bernstei

bernstei commented Feb 22, 2024

A DISA STIG baseline leads to inconsistent failed password unlock times in the mobileconfig and guidance

./scripts/generate_baseline.py -k stig
./scripts/generate_guidance.py -p -s build/baselines/stig.yaml

In Sec 10.3, it says unlock time should be 15 minutes. The resulting pwpolicy-related mobileconfig contains <key>minutesUntilFailedLoginReset</key> <integer>15</integer>. When you install it, the actual pwpolicy xml contains <key>autoEnableInSeconds</key> <integer>900</integer>. However, Sec 15.4 (supplemental) includes a pwpolicy section that specifies <key>autoEnableInSeconds</key> <integer>300</integer>.

Frankly, in general, I'm confused by how the whole pwpolicy thing is supposed to work. It's not at all clear how the settings via the pwpolicy-related mobileconfig interact with the pwpolicy xml file in the guidance (15.4). What even happens if you install the mobileconfig and then run pwpolicy -setaccountpolicies <file.xml>? Maybe this is actually OK, if the mobileconfig overrides the conflicting pwpolicy.xml setting.

And if you are supposed to use the pwpolicy xml in the guidance, why is it only written to the html? The script seems to contain only pwpolicy_file="". Wouldn't it be useful to write it to an actual pwpolicy.xml file?

@bernstei (Author)

From going over all of them, it does look like the settings in the guidance include everything needed that I'm aware of (haven't checked super systematically), except whatever the customRegex is supposed to do (seems to have replaced allowSimple False). Is that section in the guidance meant to be all the required pwpolicy settings?

@bernstei (Author)

I've investigated a bit further. It seems like if you do the mobileconfig and the pwpolicy xml together, you end up with multiple instances of some of the rules, which leads to, if nothing else, errors in the guidance check scriptlets. If someone can clarify the intended way to use the various possible settings, I can follow it and see if I need to put together a more coherent bug report.
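A consistency check for the two problems raised in this thread (the 15-minute profile value versus the 300-second pwpolicy.xml value, and rules ending up applied more than once), as an added example that is not part of the project's scripts: it parses a constructed mobileconfig and a constructed pwpolicy.xml with plistlib, converts minutesUntilFailedLoginReset to seconds, compares it against every autoEnableInSeconds it finds, and flags any policyIdentifier that appears twice in the same category. The plist layouts are assumed from the snippets quoted above and from the macOS pwpolicy format.

```python
import plistlib
from collections import Counter

# Constructed samples (not the project's files): a profile with the 15-minute reset from
# Sec 10.3 and a pwpolicy.xml with the 300-second value from Sec 15.4 plus a duplicated rule.
MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
<key>maxFailedAttempts</key><integer>3</integer>
<key>minutesUntilFailedLoginReset</key><integer>15</integer>
</dict></array></dict></plist>"""
PWPOLICY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>policyCategoryAuthentication</key><array>
<dict><key>policyIdentifier</key><string>Authentication Lockout</string>
<key>policyParameters</key><dict><key>autoEnableInSeconds</key><integer>300</integer>
<key>policyAttributeMaximumFailedAuthentications</key><integer>3</integer></dict></dict>
<dict><key>policyIdentifier</key><string>Authentication Lockout</string>
<key>policyParameters</key><dict><key>autoEnableInSeconds</key><integer>900</integer></dict></dict>
</array></dict></plist>"""

def profile_lockout_seconds(mobileconfig):
    """Lockout reset time in seconds from the profile's passwordpolicy payload, or None."""
    for payload in plistlib.loads(mobileconfig).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy":
            minutes = payload.get("minutesUntilFailedLoginReset")
            return None if minutes is None else int(minutes) * 60
    return None

def pwpolicy_policies(pwpolicy):
    """Flatten every policyCategory* array into (category, identifier, parameters) tuples."""
    return [(cat, p.get("policyIdentifier"), p.get("policyParameters", {}))
            for cat, policies in plistlib.loads(pwpolicy).items()
            if cat.startswith("policyCategory") for p in policies]

def audit(mobileconfig, pwpolicy):
    """Report lockout times that disagree with the profile, and policy ids applied twice."""
    findings = []
    expected = profile_lockout_seconds(mobileconfig)
    policies = pwpolicy_policies(pwpolicy)
    for cat, ident, params in policies:
        actual = params.get("autoEnableInSeconds")
        if expected is not None and actual is not None and int(actual) != expected:
            findings.append(f"{cat}/{ident}: autoEnableInSeconds={actual}, profile implies {expected}")
    for (cat, ident), n in Counter((c, i) for c, i, _ in policies).items():
        if n > 1:
            findings.append(f"{cat}/{ident}: {n} instances")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(MOBILECONFIG, PWPOLICY_XML)) or "no findings")
```

On a real host, feed it the generated mobileconfig and the output of `pwpolicy -getaccountpolicies` (with the leading status line stripped) to see which source the installed policy actually reflects.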

@brodjieski (Collaborator)

Changes were made to the included pwpolicy.xml on the dev_sonoma_issue373 branch. This is to alleviate the duplicate policies getting applied when using both a profile and pwpolicy to set policies.

There is a bit of information in the Password Policy Supplemental that may be helpful. We will also look to add additional information to that section to help clarify things as best we can.

As for the customRegex, that was added to address and replace the 2 policies for 1 upper and 1 lower case letter. There was some additional discussion about the regex involved. But the regex can literally be anything, and if there was a regex wizard out there, they could probably write one that could replace all of the individual policies ;)
