Lion hardening guide or equivalent?

Bill in MD

macrumors newbie
Original poster
Jan 15, 2012
3
0
As I understand it, the NSA used to provide Apple with hardening guides for Mac OS X. However, they have not done so for Lion.

Does anyone know where I can get similar information for Lion?

For example, I wish to set global password policy for users who are not on a Mac controlled by an OS X server. The man pages indicate that pwpolicy should do it, but as far as I can tell, pwpolicy does NOTHING to global policy.

After sudoing to root, I issue this command:

# pwpolicy -n /Local/Default -getglobalpolicy

This returns a blank line. If I try to set a global policy:

# pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=10"

This returns with no errors (shown). However, if I ask to see all the global settings again, it once again returns a blank line. Experimenting with resetting the password indicates that the change didn't take.

It appears that Apple is abandoning pwpolicy, but I don't know what I am supposed to use in its place.

If any of you know where I can get this kind of low-level administrative help, I would be very appreciative.
 

eric/

Guest
Sep 19, 2011
1,681
13
Ohio, United States
Nice find. Most of these tips still work with Lion.
 

r0k

macrumors 68040
Mar 3, 2008
3,610
73
Detroit
Thanks for the link, Bill in MD, and welcome to MacRumors! An excellent first post!! And yes, I agree with eric/ that the same things in the NSA's SL PDF file apply to Lion.
 

Bill in MD

macrumors newbie
Original poster
Jan 15, 2012
3
0
OK, well I don't know what I'm going to do. The SL Security Config Guide (see pg 133) used pwpolicy to lock down passwords. If I assume it works on SL, then it no longer does for Lion, and I'm stuck. I guess I'm going to have to set policy per user.

Thanks for the help.
 

Bill in MD

macrumors newbie
Original poster
Jan 15, 2012
3
0
I tested this on a SL box, and the commands work:


# pwpolicy -n /Local/Default -getglobalpolicy
usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0

# pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=10"

# pwpolicy -n /Local/Default -getglobalpolicy
usingHistory=10 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0


You can see that it works on SL. I now have two questions:

1) Is this something that Apple can help with?
2) If not, then who can?

Thanks for helping.
 

MacDude

macrumors newbie
Oct 4, 2000
1
0
Some of it works on Lion...

I've got a need to do some of this as well, so I tried to get it to work on Mac OS X Lion 10.7.2 (Client, not bound to OD or anything).

Code:
jjh-mbp:~ jjh$ sudo pwpolicy -n /Local/Default -a jjh -setglobalpolicy minChars=5
Password:
jjh-mbp:~ jjh$ sudo pwpolicy -n /Local/Default -getglobalpolicy
minChars=5
As you can see, it successfully set the minChars. Not sure about the other possibilities.
 

zaidmc

macrumors newbie
Sep 19, 2012
5
0
I have a similar problem where it doesn't set anything. I want to set a local password policy on a stand-alone machine on Mountain Lion.

Anyone have any luck?
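
An added example, not part of any post in this thread: the set-then-read-back check the posters ran by hand, scripted so that a `-setglobalpolicy` call that exits cleanly but does not take effect is reported. The function names, the `--apply` switch and the shortened sample strings are assumptions made for this example; the `pwpolicy` invocations are the ones quoted in the posts above.

```shell
#!/bin/sh
# Added example: catch a pwpolicy global-policy change that silently fails.
# Samples are constructed from the read-backs quoted in the thread (shortened).
SL_SAMPLE='usingHistory=10 canModifyPasswordforSelf=1 requiresAlpha=0 minChars=0'
LION_SAMPLE='minChars=5'

# policy_value POLICY KEY: print KEY's value; return 1 if KEY is absent.
policy_value() {
    for pair in $1; do
        case $pair in
            "$2="*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# policy_drift ACTUAL WANTED: print one line per wanted setting that is
# missing from ACTUAL or has a different value; return 1 if any drifted.
policy_drift() {
    drift=0
    for want in $2; do
        key=${want%%=*} val=${want#*=}
        if got=$(policy_value "$1" "$key"); then
            [ "$got" = "$val" ] || { echo "MISMATCH $key: want $val, got $got"; drift=1; }
        else
            echo "MISSING $key: want $val"; drift=1
        fi
    done
    return "$drift"
}

# Live use on a Mac, as root (hypothetical switch): set, read back, verify.
#   sh check_policy.sh --apply "usingHistory=10 minChars=8"
if [ "${1:-}" = "--apply" ]; then
    wanted=${2:?missing KEY=VALUE list}
    pwpolicy -n /Local/Default -setglobalpolicy "$wanted"
    actual=$(pwpolicy -n /Local/Default -getglobalpolicy)
    if ! policy_drift "$actual" "$wanted"; then
        echo "global policy was not applied as requested" >&2
        exit 1
    fi
fi
```

A blank read-back, as in the first post, reports every requested key as MISSING, so the check fails even though `pwpolicy` itself printed no error.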
 