Skip to main content

macos_password_policy Resource

All Desktop resources page


Use the macos_password_policy resource to set password complexity, password length, etc on macOS systems.

New in Chef Desktop 1.0.

Syntax

The full syntax for all of the properties that are available to the macos_password_policy resource is:

macos_password_policy 'name' do
  exempt_user                      String
  lockout_time                     Integer
  max_failed_logins                Integer
  maximum_password_age             Integer # default value: 365
  minimum_lowercase_letters        Integer # default value: 0
  minimum_numeric_characters       Integer # default value: 0
  minimum_password_length          Integer # default value: 12
  minimum_special_characters       Integer # default value: 0
  minimum_uppercase_letters        Integer # default value: 0
  remember_how_many_passwords      Integer # default value: 3
  action                           Symbol # defaults to :set if not specified
end

where:

  • macos_password_policy is the resource.
  • name is the name given to the resource block.
  • action identifies which steps Chef Infra Client will take to bring the node into the desired state.
  • exempt_user, lockout_time, max_failed_logins, maximum_password_age, minimum_lowercase_letters, minimum_numeric_characters, minimum_password_length, minimum_special_characters, minimum_uppercase_letters, and remember_how_many_passwords are the properties available to this resource.

Actions

The macos_password_policy resource has the following actions:

:nothing
This resource block doesn’t act unless notified by another resource to take action. Once notified, this resource block either runs immediately or is queued up to run at the end of a Chef Infra Client run.
:set
This action sets the password policy as defined in its properties.

Properties

The macos_password_policy resource has the following properties:

exempt_user
Ruby Type: String

A user to whom the password policy is not applied

lockout_time
Ruby Type: Integer

The amount of time your account is locked out after you exceed max failed logins

max_failed_logins
Ruby Type: Integer

The maximum number of failed logins before you are locked out

maximum_password_age
Ruby Type: Integer | Default Value: 365

The maximum age in days for a password before it must be changed, defaults to 365

minimum_lowercase_letters
Ruby Type: Integer | Default Value: 0

The minimum number of lower case letters that must be in a password

minimum_numeric_characters
Ruby Type: Integer | Default Value: 0

The minimum number of numbers that must be in a password

minimum_password_length
Ruby Type: Integer | Default Value: 12

The minimum length a password must be

minimum_special_characters
Ruby Type: Integer | Default Value: 0

The minimum number of special characters that must be in a password. Eg. *&^%

minimum_uppercase_letters
Ruby Type: Integer | Default Value: 0

The minimum number of upper case letters that must be in a password

remember_how_many_passwords
Ruby Type: Integer | Default Value: 3

The number of previous passwords to remember to prevent users for keeping stale passwords

Common Resource Functionality

Chef resources include common properties, notifications, and resource guards.

Common Properties

The following properties are common to every resource:

compile_time

Ruby Type: true, false | Default Value: false

Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).

ignore_failure

Ruby Type: true, false, :quiet | Default Value: false

Continue running a recipe if a resource fails for any reason. :quiet won’t display the full stack trace and the recipe will continue to run if a resource fails.

retries

Ruby Type: Integer | Default Value: 0

The number of attempts to catch exceptions and retry the resource.

retry_delay

Ruby Type: Integer | Default Value: 2

The delay in seconds between retry attempts.

sensitive

Ruby Type: true, false | Default Value: false

Ensure that sensitive resource data isn’t logged by Chef Infra Client.

Notifications

notifies

Ruby Type: Symbol, 'Chef::Resource[String]'

A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.

If the referenced resource doesn’t exist, an error is raised. In contrast, subscribes won’t fail if the source resource isn’t found.

A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:

:before

Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located.

:delayed

Default. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.

:immediate, :immediately

Specifies that a notification should be run immediately, for each resource notified.

The syntax for notifies is:

notifies :action, 'resource[name]', :timer
subscribes

Ruby Type: Symbol, 'Chef::Resource[String]'

A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.

Note that subscribes doesn’t apply the specified action to the resource that it listens to - for example:

file '/etc/nginx/ssl/example.crt' do
  mode '0600'
  owner 'root'
end

service 'nginx' do
  subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end

In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes doesn’t make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.

If the other resource doesn’t exist, the subscription won’t raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource doesn’t exist.

A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:

:before

Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located.

:delayed

Default. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.

:immediate, :immediately

Specifies that a notification should be run immediately, for each resource notified.

The syntax for subscribes is:

subscribes :action, 'resource[name]', :timer

Guards

A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:

  • A string is executed as a shell command. If the command returns 0, the guard is applied. If the command returns any other value, then the guard property isn’t applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.
  • A block is executed as Ruby code that must return either true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property isn’t applied.

A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it’s being executed, and then if the desired state is present, for Chef Infra Client to don’thing.

Properties

The following properties can be used to define a guard that’s evaluated during the execution phase of a Chef Infra Client run:

not_if

Prevent a resource from executing when the condition returns true.

only_if

Allow a resource to execute only if the condition returns true.

Examples

The following examples demonstrate various approaches for using the macos_password_policy resource in recipes:

Set the local password policy:

macos_password_policy 'Setup appropriate password complexity and rules' do
  max_failed_logins 5
  lockout_time 2
  maximum_password_age 365
  minimum_password_length 12
  minimum_numeric_characters 0
  minimum_lowercase_letters 0
  minimum_uppercase_letters 0
  minimum_special_characters 0
  remember_how_many_passwords 3
  exempt_user 'MyAdmin'
  action :set
end

Thank you for your feedback!

×