pwpolicy_account_lockout_enforce not presenting expected result in Log
ChrisButigieg opened this issue
Expected Result not presenting in Log for pwpolicy_account_lockout_enforce
Output from disa-stig_xxx_baseline.log
Sat Mar 2 17:46:17 UTC 2024 pwpolicy_account_lockout_enforce failed (Result: yes
, Expected: "{'string': 'true'}") missing
There seems to be something off here. The expected result in the pwpolicy_account_lockout_enforce rule is
result:
string: "yes"
The log snippet posted indicates it's looking for "{'string': 'true'}"... which is incorrect.
Can you provide steps on how to reproduce this issue? If you can post both the entire log and the compliance script, we can take a look at that to see what might be happening. Which branch of the project are you using?
Worked with Eric Benfer on this today. We are using the sonoma branch of the project.
When running the following check, when maxFailedAttempts=3 and minUntilFailedLoginReset=15 it produces a "yes yes" result:
/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeMaximumFailedAuthentications"]/following-sibling::integer[1]/text()' - | /usr/bin/awk '{ if ($1 <= 3) {print "yes"} else {print "no"}}'
Interim solution was to add | /usr/bin/sort -u to the check of the pwpolicy_account_lockout_enforce.yaml rule.
It looks like the issue is if you apply both a configuration profile with the passcode settings along with applying the pwpolicy.xml file as-is from the project. This is causing duplicate entries in the password policies.
We will adjust the pwpolicy.xml file to not include those items that are set by configuration profile so that there aren't duplicates in the policy.
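The following is an added worked example, not code from the issue or from the macOS Security Compliance Project. It reproduces offline what the thread describes: the rule's XPath picks up one integer per policy that sets policyAttributeMaximumFailedAuthentications, so when a configuration profile and pwpolicy.xml both set it, the awk stage emits "yes" twice and the string comparison against "yes" fails. The plist text is constructed to mimic the shape of `pwpolicy -getaccountpolicies` output (one header line, then a plist), and the policy identifiers in it are made up. It also shows why `sort -u` is only an interim fix: two conflicting values (3 and 10) still produce two lines, whereas a check that requires every occurrence to be within the limit gives a single answer.

```python
"""Reproduce the duplicated lockout-policy check and compare fixes.

Constructed example: nothing here calls pwpolicy; the plist is generated
locally to resemble `pwpolicy -getaccountpolicies` output (header line,
then a plist), and the policyIdentifier values are invented.
"""
import xml.etree.ElementTree as ET

KEY = "policyAttributeMaximumFailedAuthentications"

# One lockout policy dict per value. autoEnableInSeconds comes before the
# key we care about, so "first following integer sibling" must skip it.
POLICY_TEMPLATE = """    <dict>
      <key>policyContent</key>
      <string>(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications)</string>
      <key>policyIdentifier</key>
      <string>{ident}</string>
      <key>policyParameters</key>
      <dict>
        <key>autoEnableInSeconds</key>
        <integer>900</integer>
        <key>policyAttributeMaximumFailedAuthentications</key>
        <integer>{maxfail}</integer>
      </dict>
    </dict>
"""


def constructed_output(max_failed):
    """Build pwpolicy-like output with one lockout policy per value (constructed)."""
    policies = "".join(
        POLICY_TEMPLATE.format(ident=f"constructed-lockout-{i}", maxfail=v)
        for i, v in enumerate(max_failed)
    )
    return (
        "Getting global account policies\n"  # header line, hence `tail +2`
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<plist version="1.0">\n<dict>\n'
        "  <key>policyCategoryAuthentication</key>\n  <array>\n"
        f"{policies}"
        "  </array>\n</dict>\n</plist>\n"
    )


def plist_body(pwpolicy_output):
    """Drop the one-line header, like `tail +2` in the rule's check."""
    return pwpolicy_output.split("\n", 1)[1]


def lookup_values(plist_xml, key=KEY):
    """Mirror the XPath //dict/key[text()=KEY]/following-sibling::integer[1]:
    every matching <key> anywhere in the plist contributes one integer, so
    duplicated policies yield duplicated values."""
    root = ET.fromstring(plist_xml)
    values = []
    for d in root.iter("dict"):
        children = list(d)
        for i, child in enumerate(children):
            if child.tag == "key" and child.text == key:
                for sib in children[i + 1:]:
                    if sib.tag == "integer":
                        values.append(int(sib.text))
                        break
    return values


def naive_check(values, limit=3):
    """The original awk stage: one yes/no line per value found."""
    return "\n".join("yes" if v <= limit else "no" for v in values)


def sort_u(output):
    """The interim `sort -u` workaround applied to the awk output."""
    return "\n".join(sorted(set(output.splitlines())))


def strict_check(values, limit=3):
    """Single-answer check: the attribute must be present and every
    occurrence must be within the limit; conflicting duplicates fail."""
    return "yes" if values and all(v <= limit for v in values) else "no"


if __name__ == "__main__":
    for label, vals in (("single", [3]), ("duplicated", [3, 3]), ("conflicting", [3, 10])):
        found = lookup_values(plist_body(constructed_output(vals)))
        print(f"{label:12} values={found} awk={naive_check(found)!r} "
              f"sort-u={sort_u(naive_check(found))!r} strict={strict_check(found)}")
```

Run it as a script to see the three cases side by side: a single policy gives "yes", the duplicated case gives "yes\nyes" (the thread's failure), and `sort -u` collapses that to "yes" but leaves "no\nyes" for conflicting values, which the strict check reports as a plain "no".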
Merged into sonoma. Gonna close the issue.