Lion hardening guide or equivalent?

Bill in MD

macrumors newbie
Jan 15, 2012
As I understand it, the NSA used to provide Apple with hardening guides for Mac OS X. However, they have not done so for Lion.

Does anyone know where I can get similar information for Lion?

For example, I wish to set global password policy for users who are not on a Mac controlled by an OS X server. The man pages indicate that pwpolicy should do it, but as far as I can tell, pwpolicy does NOTHING to global policy.

After sudoing to root, I issue this command:

# pwpolicy -n /Local/Default -getglobalpolicy

This returns a blank line. If I try to set a global policy:

# pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=10"

This returns with no errors (shown). However, if I ask to see all the global settings again, it once again returns a blank line. Experimenting with resetting the password indicates that the change didn't take.

It appears that Apple is abandoning pwpolicy, but I don't know what I am supposed to use in its place.

If any of you know where I can get this kind of low level administrative help, I would be very appreciative.
 

eric/

Guest
Sep 19, 2011
Ohio, United States
Nice find. Most of these tips still work with Lion.
 

r0k

macrumors 68040
Mar 3, 2008
Detroit
www.r0k.org
Thanks for the link, Bill in MD, and welcome to MacRumors! An excellent first post!! And yes, I agree with eric/ that the same things in the NSA's SL PDF file apply to Lion.
 

Bill in MD

macrumors newbie
Jan 15, 2012
OK, well I don't know what I'm going to do. The SL Security Config Guide (see pg 133) used pwpolicy to lock down passwords. If I assume it works on SL, then it no longer does for Lion, and I'm stuck. I guess I'm going to have to set policy per user.

Thanks for the help.
 

Bill in MD

macrumors newbie
Jan 15, 2012
I tested this on a SL box, and the commands work:


# pwpolicy -n /Local/Default -getglobalpolicy
usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0

# pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=10"

# pwpolicy -n /Local/Default -getglobalpolicy
usingHistory=10 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0


You can see that it works on SL. I now have two questions:

1) Is this something that Apple can help with?
2) If not, then who can?

Thanks for helping.
 

MacDude

macrumors newbie
Oct 4, 2000
www.macdude.com
Some of it works on Lion...

I've got a need to do some of this as well, so I tried to get it to work on Mac OS X Lion 10.7.2 (Client, not bound to OD or anything).

Code:
jjh-mbp:~ jjh$ sudo pwpolicy -n /Local/Default -a jjh -setglobalpolicy minChars=5
Password:
jjh-mbp:~ jjh$ sudo pwpolicy -n /Local/Default -getglobalpolicy
minChars=5
As you can see, it successfully set the minChars. Not sure about the other possibilities.
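
An added example, not part of any post in this thread: a shell check that parses the space-separated key=value output of `pwpolicy -getglobalpolicy` shown above and compares it against a required baseline, reporting the blank reply described in the first post as its own failure rather than as compliance. The function names, the baseline and the sample strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit `pwpolicy -getglobalpolicy` output.
# Function names, baseline and sample strings are hypothetical/constructed.

# policy_get KEY "POLICY": print KEY's value; return 1 if KEY is absent.
policy_get() {
    for pair in $2; do
        case "$pair" in
            "$1="*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# policy_audit "REQUIRED" "ACTUAL": print one finding per line.
# Returns 0 = compliant, 1 = drift, 2 = tool returned no policy at all.
policy_audit() {
    required=$1 actual=$2 rc=0
    # A blank reply gives nothing to verify; do not read it as compliant.
    if [ -z "$(printf '%s' "$actual" | tr -d '[:space:]')" ]; then
        echo "EMPTY: no global policy returned"
        return 2
    fi
    for want in $required; do
        key=${want%%=*} val=${want#*=}
        if got=$(policy_get "$key" "$actual"); then
            [ "$got" = "$val" ] || { echo "MISMATCH: $key=$got (want $val)"; rc=1; }
        else
            echo "MISSING: $key (want $val)"; rc=1
        fi
    done
    return $rc
}

# Constructed samples modelled on the replies quoted in this thread.
BASELINE="usingHistory=10 minChars=5"
SL_OUT="usingHistory=10 canModifyPasswordforSelf=1 requiresAlpha=0 minChars=0"
LION_PARTIAL="minChars=5"
LION_EMPTY=""

# Live use, as root:
#   policy_audit "$BASELINE" "$(pwpolicy -n /Local/Default -getglobalpolicy)"
for sample in "$SL_OUT" "$LION_PARTIAL" "$LION_EMPTY"; do
    policy_audit "$BASELINE" "$sample" || true
done
```

Running the check immediately after every `-setglobalpolicy` call catches a set command that exits without error but stores nothing.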
 

zaidmc

macrumors newbie
Sep 19, 2012
I have a similar problem where it doesn't set anything. I want to set a local password policy on a stand-alone machine on Mountain Lion.

Anyone have any luck?