CCE-85401-8| Platform: cpe:/o:apple:mac_os_11 | Date: (C)2022-12-28 (M)2023-07-04 |
The macOS _MUST_ be configured to disable accounts after 35 days of inactivity.
This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection.
Fix:
sudo pwpolicy setglobalpolicy 'maxMinutesOfNonUse=50400'
Note:
35 Days = 50400 minutes
Patching the CCE led to unexpected outcome and hence its not being automated. If you consider patching it manually please check the machine functionality post reboot.
Parameter:
[Number_of_Days_in_Mins]
Technical Mechanism:
To set the password policy, run the following command:
sudo pwpolicy setglobalpolicy 'maxMinutesOfNonUse=50400'
| CCSS Severity: | CCSS Metrics: |
| CCSS Score : 8.1 | Attack Vector: NETWORK |
| Exploit Score: 2.2 | Attack Complexity: HIGH |
| Impact Score: 5.9 | Privileges Required: NONE |
| Severity: HIGH | User Interaction: NONE |
| Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| | Confidentiality: HIGH |
| | Integrity: HIGH |
| | Availability: HIGH |
| | |
References: | Resource Id | Reference |
|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:80357 |
