Merge branch 'dev_monterey_rule_fixes' into monterey

rules/os/os_blank_bluray_disable.yaml

@@ -18,7 +18,7 @@ check: |
   .objectForKey('mount-controls'))["blankbd"]
   EOS
 result:
-  string: "deny,eject"
+  string: "deny"
 fix: |
   This is implemented by a Configuration Profile.
 references:

rules/os/os_blank_cd_disable.yaml

@@ -18,7 +18,7 @@ check: |
   .objectForKey('mount-controls'))["blankcd"]
   EOS
 result:
-  string: "deny,eject"
+  string: "deny"
 fix: |
   This is implemented by a Configuration Profile.
 references:

rules/os/os_blank_dvd_disable.yaml

@@ -18,7 +18,7 @@ check: |
   .objectForKey('mount-controls'))["blankdvd"]
   EOS
 result:
-  string: "deny,eject"
+  string: "deny"
 fix: |
   This is implemented by a Configuration Profile.
 references:

rules/os/os_burn_support_disable.yaml

@@ -8,7 +8,7 @@ discussion:
   Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
   ====
 check: |
-  /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(ProhibitBurn = 0|BurnSupport = "off")'
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(BurnSupport = off;|ProhibitBurn = 1;)'
 result:
   integer: 2
 fix: |

rules/os/os_disk_image_disable.yaml

@@ -18,7 +18,7 @@ check: |
   .objectForKey('mount-controls'))["disk-image"]
   EOS
 result:
-  string: "deny,eject"
+  string: "deny"
 fix: |
   This is implemented by a Configuration Profile.
 references:

rules/os/os_dvdram_disable.yaml

@@ -18,7 +18,7 @@ check: |
   .objectForKey('mount-controls'))["dvdram"]
   EOS
 result:
-  string: "deny,eject"
+  string: "deny"
 fix: |
   This is implemented by a Configuration Profile.
 references:

rules/os/os_policy_banner_loginwindow_enforce.yaml

@@ -19,8 +19,8 @@ fix: |
   [source,bash]
   ----
   bannerText="You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning."
-  /bin/mkdir /Library/Security/PolicyBanner.rtf
-  /usr/bin/textutil -convert rtf -output /Library/Security/PolicyBanner.rtf/TXT.rtf -stdin <<EOF              
+  /bin/mkdir /Library/Security/PolicyBanner.rtfd
+  /usr/bin/textutil -convert rtf -output /Library/Security/PolicyBanner.rtfd/TXT.rtf -stdin <<EOF              
   $bannerText
   EOF
   ----

rules/os/os_removable_media_disable.yaml

@@ -20,7 +20,7 @@ check: |
   .objectForKey('mount-controls'))["harddisk-external"]
   EOS
 result:
-  string: "deny,eject"
+  string: "deny"
 fix: |
   This is implemented by a Configuration Profile.
 references:

rules/os/os_ssh_server_alive_count_max_configure.yaml

@@ -5,13 +5,27 @@ discussion: |
 
   NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
 check: |
-  /usr/bin/grep -c "^ServerAliveCountMax 0" /etc/ssh/ssh_config
+  ret="pass"
+  for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
+    sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveralivecountmax 0")
+    if [[ "$sshCheck" == "0" ]]; then
+      ret="fail"
+      break
+    fi
+  done
+  /bin/echo $ret
 result:
-  integer: 1
+  string: pass
 fix: |
   [source,bash]
   ----
-  /usr/bin/grep -q '^ServerAliveCountMax' /etc/ssh/ssh_config && /usr/bin/sed -i.bak  's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveCountMax 0' >> /etc/ssh/ssh_config
+  for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do 
+    config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
+    configarray=( ${(f)config} )
+    for c in $configarray; do
+      /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveCountMax' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' "$c" || /bin/echo 'ServerAliveCountMax 0' >> "$c"
+    done
+  done
   ----
 references:
   cce:

rules/os/os_ssh_server_alive_interval_configure.yaml

@@ -7,13 +7,27 @@ discussion: |
 
   NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
 check: |
-  /usr/bin/grep -c "^ServerAliveInterval 900" /etc/ssh/ssh_config
+  ret="pass"
+  for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
+    sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveraliveinterval 900")
+    if [[ "$sshCheck" == "0" ]]; then
+      ret="fail"
+      break
+    fi
+  done
+  /bin/echo $ret
 result:
-  integer: 1
+  string: pass
 fix: |
   [source,bash]
   ----
-  /usr/bin/grep -q '^ServerAliveInterval' /etc/ssh/ssh_config && /usr/bin/sed -i.bak  's/.*ServerAliveInterval.*/ServerAliveInterval 900/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveInterval 900' >> /etc/ssh/ssh_config
+  for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do 
+    config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
+    configarray=( ${(f)config} )
+    for c in $configarray; do
+      /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveInterval' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' "$c" || /bin/echo 'ServerAliveInterval 900' >> "$c"
+    done
+  done
   ----
 references:
   cce:

rules/os/os_sudo_timeout_configure.yaml

@@ -3,7 +3,7 @@ title: "Configure Sudo Timeout Period to Zero"
 discussion: |
   The file /etc/sudoers _MUST_ include a timestamp_timout of zero.
 check: |
-  /usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E "^Defaults\s+timestamp_timeout=0" '{}' \; | /usr/bin/wc -l | /usr/bin/xargs
+  /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Authentication timestamp timeout: 0.0 minutes"
 result:
   integer: 1
 fix: |

rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml

@@ -6,11 +6,18 @@ discussion: |
   An unattended system with an excessive grace period is vulnerable to a malicious user. 
 check: |
   /usr/bin/osascript -l JavaScript << EOS
-  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
-  .objectForKey('askForPasswordDelay').js
+  function run() {
+    let delay = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+  .objectForKey('askForPasswordDelay'))
+    if ( delay <= 5 ) {
+      return("true")
+    } else {
+      return("false")
+    }
+  }
   EOS
 result:
-  integer: 5
+  string: "true"
 fix: |
   This is implemented by a Configuration Profile.
 references:

rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml

@@ -6,11 +6,18 @@ discussion: |
   This rule ensures that a full session lock is triggered within no more than 20 minutes of inactivity.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
-  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
-  .objectForKey('idleTime').js
+  function run() {
+    let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+  .objectForKey('idleTime'))
+    if ( timeout <= 1200 ) {
+      return("true")
+    } else {
+      return("false")
+    }
+  }
   EOS
 result:
-  integer: 1200
+  string: "true"
 fix: |
   This is implemented by a Configuration Profile.
 references:

rules/sysprefs/sysprefs_siri_prefpane_disable.yaml

@@ -5,7 +5,7 @@ discussion: |
 
   Disabling the system preference pane prevents the users from configuring Siri. 
 check: |
-  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' 
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preference.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' 
 result:
   integer: 1
 fix: |
@@ -37,4 +37,4 @@ mobileconfig: true
 mobileconfig_info:
   com.apple.systempreferences:
     DisabledPreferencePanes: 
-      - com.apple.preferences.speech
+      - com.apple.preference.speech

rules/sysprefs/sysprefs_siri_prefpane_hide.yaml

@@ -5,7 +5,7 @@ discussion: |
 
   HIding the system preference pane prevents the users from configuring Siri. 
 check: |
-  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' 
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preference.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' 
 result:
   integer: 1
 fix: |
@@ -37,4 +37,4 @@ mobileconfig: true
 mobileconfig_info:
   com.apple.systempreferences:
     HiddenPreferencePanes: 
-      - com.apple.preferences.speech
+      - com.apple.preference.speech