Lion hardening guide or equivalent?

Discussion in 'Mac OS X Lion (10.7)' started by Bill in MD, Jan 15, 2012.

  1. Bill in MD macrumors newbie

    Joined:
    Jan 15, 2012
    #1
    As I understand it, the NSA used to provide Apple with hardening guides for Mac OS X. However, they have not done so for Lion.

    Does anyone know where I can get similar information for Lion?

    For example, I wish to set global password policy for users who are not on a Mac controlled by an OS X server. The man pages indicate that pwpolicy should do it, but as far as I can tell, pwpolicy does NOTHING to global policy.

    After sudoing to root, I issue this command:

    # pwpolicy -n /Local/Default -getglobalpolicy

    This returns a blank line. If I try to set a global policy:

    # pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=10"

    This returns with no errors (shown). However, if I ask to see all the global settings again, it once again returns a blank line. Experimenting with resetting the password indicates that the change didn't take.

    It appears that Apple is abandoning pwpolicy, but I don't know what I am supposed to use in its place.

    If any of you know where I can get this kind of low-level administrative help, I would be very appreciative.
     
  2. eric/ Guest

    Joined:
    Sep 19, 2011
    Location:
    Ohio, United States
    #2
    Nice find. Most of these tips still work with Lion.
     
  3. r0k macrumors 68040

    Joined:
    Mar 3, 2008
    Location:
    Detroit
    #3
    Thanks for the link, Bill in MD, and welcome to MacRumors! An excellent first post!! And yes, I agree with eric/ that the same things in the NSA's SL pdf file apply to Lion.
     
  4. Bill in MD thread starter macrumors newbie

    Joined:
    Jan 15, 2012
    #4
    OK, well I don't know what I'm going to do. The SL Security Config Guide (see pg 133) used pwpolicy to lock down passwords. If I assume it works on SL, then it no longer does for Lion, and I'm stuck. I guess I'm going to have to set policy per user.

    Thanks for the help.
     
  5. Bill in MD thread starter macrumors newbie

    Joined:
    Jan 15, 2012
    #5
    I tested this on a SL box, and the commands work:


    # pwpolicy -n /Local/Default -getglobalpolicy
    usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0

    # pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=10"

    # pwpolicy -n /Local/Default -getglobalpolicy
    usingHistory=10 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0


    You can see that it works on SL. I now have two questions:

    1) Is this something that Apple can help with?
    2) If not, then who can?

    Thanks for helping.
     
  6. MacDude macrumors newbie

    Joined:
    Oct 4, 2000
    #6
    Some of it works on Lion...

    I've got a need to do some of this as well, so I tried to get it to work on Mac OS X Lion 10.7.2 (Client, not bound to OD or anything).

    Code:
    jjh-mbp:~ jjh$ sudo pwpolicy -n /Local/Default -a jjh -setglobalpolicy minChars=5
    Password:
    jjh-mbp:~ jjh$ sudo pwpolicy -n /Local/Default -getglobalpolicy
    minChars=5

    As you can see, it successfully set the minChars. Not sure about the other possibilities.
     
  7. zaidmc macrumors newbie

    zaidmc

    Joined:
    Sep 19, 2012
    #7
    I have a similar problem where it doesn't set anything. I want to set a local password policy on a stand-alone machine on Mountain Lion.

    Anyone have any luck?
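
Added example, not part of any post in this thread: because -setglobalpolicy can return without an error and still change nothing, a set should always be followed by a read-back that is compared against the intended values. The sketch below parses the key=value text that -getglobalpolicy prints and reports missing or mismatched keys; the function names, exit codes and the baseline values are assumptions, and the sample outputs are constructed from the ones quoted in posts #1, #5 and #6.

```shell
#!/bin/sh
# Added example: audit the text printed by `pwpolicy -getglobalpolicy`.
# Exit codes and the baseline values below are assumptions of this sketch.

# policy_value OUTPUT KEY: print KEY's value; return 1 if KEY is absent.
policy_value() {
    for pair in $1; do
        case $pair in
            "$2="*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# audit_policy OUTPUT BASELINE: print one line per deviation.
# Returns 0 = compliant, 1 = deviations, 2 = nothing reported at all.
audit_policy() {
    failed=0
    if [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]; then
        echo "EMPTY: no global policy reported"
        return 2
    fi
    for want in $2; do
        key=${want%%=*}
        val=${want#*=}
        if got=$(policy_value "$1" "$key"); then
            [ "$got" = "$val" ] || { echo "MISMATCH: $key=$got (want $val)"; failed=1; }
        else
            echo "MISSING: $key (want $val)"
            failed=1
        fi
    done
    return "$failed"
}

# Constructed inputs: SL_OUT is trimmed from the Snow Leopard output in post #5,
# LION_OUT is the output in post #6, and an empty string models post #1.
SL_OUT='usingHistory=10 canModifyPasswordforSelf=1 requiresAlpha=0 minChars=0'
LION_OUT='minChars=5 '
BASELINE='usingHistory=10 minChars=8'   # hypothetical target policy

for sample in "$SL_OUT" "$LION_OUT" ""; do
    audit_policy "$sample" "$BASELINE" || echo "  -> exit status $?"
done
# On a real machine (assumed usage):
#   audit_policy "$(pwpolicy -n /Local/Default -getglobalpolicy)" "$BASELINE"
```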
     
