STIG guidance leads to inconsistent failed password account locking time #360
Comments
From going over all of them, it does look like the settings in the guidance include everything needed that I'm aware of (haven't checked super systematically), except whatever the
I've investigated a bit further. It seems like if you do the mobileconfig and the pwpolicy xml together, you end up with multiple instances of some of the rules, which leads to, if nothing else, errors in the guidance check scriptlets. If someone can clarify the intended way to use the various possible settings, I can follow it and see if I need to put together a more coherent bug report.
Changes were made to the included pwpolicy.xml on the There is a bit of information in the Password Policy Supplemental that may be helpful. We will also look to add additional information to that section to help clarify things as best we can. As for the
A DISA STIG baseline leads to inconsistent failed password unlock times in the mobileconfig and guidance

In Sec 10.3, it says unlock time should be 15 minutes. The resulting pwpolicy-related mobileconfig contains `<key>minutesUntilFailedLoginReset</key> <integer>15</integer>`. When you install it, the actual pwpolicy xml contains `<key>autoEnableInSeconds</key> <integer>900</integer>`. However, Sec 15.4 (supplemental) includes a pwpolicy section that specifies `<key>autoEnableInSeconds</key> <integer>300</integer>`.

Frankly, in general, I'm confused by how the whole pwpolicy thing is supposed to work. It's not at all clear how the settings via the pwpolicy-related mobileconfig interact with the pwpolicy xml file in the guidance (15.4). What even happens if you install the mobileconfig and then run `pwpolicy -setaccountpolicies <file.xml>`? Maybe this is actually OK, if the mobileconfig overrides the conflicting pwpolicy.xml setting.

And if you are supposed to use the pwpolicy xml in the guidance, why is it only written to the html? The script seems to contain only `pwpolicy_file=""`. Wouldn't it be useful to write it to an actual `pwpolicy.xml` file?
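The mismatch the issue describes (15 minutes in the mobileconfig payload, 300 seconds in the supplemental pwpolicy XML) can be caught before either artifact is deployed by parsing both and comparing the windows they would apply. This is an added example, not code from the project or the issue author; the two inline plists are constructed samples reduced to the relevant keys, and the payload and policy layouts (`PayloadContent` entries of type `com.apple.mobiledevice.passwordpolicy`, `policyCategoryAuthentication` entries with `policyParameters`) are assumptions about the file shapes rather than anything quoted on the page.

```python
import plistlib

# Constructed samples (not the project's files): a password-policy mobileconfig
# payload and a pwpolicy accountpolicies XML, reduced to the keys that matter here.
MOBILECONFIG = b"""<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>minutesUntilFailedLoginReset</key><integer>15</integer>
  </dict></array>
</dict></plist>"""

PWPOLICY_XML = b"""<plist version="1.0"><dict>
  <key>policyCategoryAuthentication</key><array><dict>
    <key>policyParameters</key><dict>
      <key>autoEnableInSeconds</key><integer>300</integer>
    </dict>
  </dict></array>
</dict></plist>"""


def mobileconfig_reset_seconds(data):
    """Reset window in seconds from a passwordpolicy payload, or None if absent."""
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy":
            if "minutesUntilFailedLoginReset" in payload:
                return int(payload["minutesUntilFailedLoginReset"]) * 60
    return None


def pwpolicy_reset_seconds(data):
    """autoEnableInSeconds from the first authentication policy that sets it, or None."""
    for policy in plistlib.loads(data).get("policyCategoryAuthentication", []):
        params = policy.get("policyParameters", {})
        if "autoEnableInSeconds" in params:
            return int(params["autoEnableInSeconds"])
    return None


def check_lockout_consistency(mobileconfig, pwpolicy_xml, expected_seconds=900):
    """Check each source against the STIG value and flag when the two artifacts disagree."""
    findings = []
    values = {
        "mobileconfig": mobileconfig_reset_seconds(mobileconfig),
        "pwpolicy.xml": pwpolicy_reset_seconds(pwpolicy_xml),
    }
    for source, seconds in values.items():
        if seconds is None:
            findings.append(f"{source}: reset window not set")
        elif seconds != expected_seconds:
            findings.append(f"{source}: {seconds}s, expected {expected_seconds}s")
    if len({s for s in values.values() if s is not None}) > 1:
        findings.append("mobileconfig and pwpolicy.xml disagree on the reset window")
    return findings
```

Running `check_lockout_consistency(MOBILECONFIG, PWPOLICY_XML)` on the samples reports the 300-second value as non-compliant and flags the disagreement between the two files; the same functions can be pointed at the generated mobileconfig and the XML extracted from the guidance.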