diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml
index ad2a56c3..48d4a5f3 100644
--- a/rules/os/os_blank_bluray_disable.yaml
+++ b/rules/os/os_blank_bluray_disable.yaml
@@ -18,7 +18,7 @@ check: |
 .objectForKey('mount-controls'))["blankbd"]
 EOS
 result:
- string: "deny,eject"
+ string: "deny"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml
index 0033dd5f..7018d474 100644
--- a/rules/os/os_blank_cd_disable.yaml
+++ b/rules/os/os_blank_cd_disable.yaml
@@ -18,7 +18,7 @@ check: |
 .objectForKey('mount-controls'))["blankcd"]
 EOS
 result:
- string: "deny,eject"
+ string: "deny"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml
index 0ab72723..cbd4a42d 100644
--- a/rules/os/os_blank_dvd_disable.yaml
+++ b/rules/os/os_blank_dvd_disable.yaml
@@ -18,7 +18,7 @@ check: |
 .objectForKey('mount-controls'))["blankdvd"]
 EOS
 result:
- string: "deny,eject"
+ string: "deny"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml
index 529218e6..8c4f1aa0 100644
--- a/rules/os/os_burn_support_disable.yaml
+++ b/rules/os/os_burn_support_disable.yaml
@@ -8,7 +8,7 @@ discussion: Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(ProhibitBurn = 0|BurnSupport = "off")' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(BurnSupport = off;|ProhibitBurn = 1;)' result: integer: 2 fix: |
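Review bot: The expected value is now the exact string `deny`, but the check echoes whatever the JXA bridge renders for the `blankbd` entry of mount-controls, so a profile that lists both `deny` and `eject` — a stricter setting than `deny` alone — is presumably reported as non-compliant if the generated compliance script does an exact string comparison. The rule should either state this constraint in its discussion, e.g. `The mount-controls entry for this media type _MUST_ contain only deny; a profile that also lists eject is reported as a finding.`, or the check should accept any value that contains deny. The check body starts before the hunk, so the bridge expression that produces the string is not visible here. The same applies to the os_blank_cd_disable, os_blank_dvd_disable, os_disk_image_disable and os_dvdram_disable hunks.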
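Review bot: `grep -Ec` with an alternation counts matching lines rather than distinct keys, so the expected result of 2 in the os_burn_support_disable hunk is also met by two profiles that each set `ProhibitBurn = 1;` with `BurnSupport` absent, or the other way round. Counting distinct matches, e.g. `/usr/bin/profiles -P -o stdout | /usr/bin/grep -Eo 'BurnSupport = off;|ProhibitBurn = 1;' | /usr/bin/sort -u | /usr/bin/wc -l | /usr/bin/xargs`, only yields 2 when both keys are present. The discussion text at the start of this hunk has lost its line breaks in this rendering, so its exact layout could not be reviewed.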
diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml
index 16ee6177..b9c2f737 100644
--- a/rules/os/os_disk_image_disable.yaml
+++ b/rules/os/os_disk_image_disable.yaml
@@ -18,7 +18,7 @@ check: |
 .objectForKey('mount-controls'))["disk-image"]
 EOS
 result:
- string: "deny,eject"
+ string: "deny"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml
index c1eb08a8..da8f0efb 100644
--- a/rules/os/os_dvdram_disable.yaml
+++ b/rules/os/os_dvdram_disable.yaml
@@ -18,7 +18,7 @@ check: |
 .objectForKey('mount-controls'))["dvdram"]
 EOS
 result:
- string: "deny,eject"
+ string: "deny"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml
index 46d0f3c0..68b13819 100644
--- a/rules/os/os_policy_banner_loginwindow_enforce.yaml
+++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml
@@ -19,8 +19,8 @@ fix: | [source,bash] ---- bannerText="You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning." - /bin/mkdir /Library/Security/PolicyBanner.rtf - /usr/bin/textutil -convert rtf -output /Library/Security/PolicyBanner.rtf/TXT.rtf -stdin < 500 {print $1}'); do + sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveralivecountmax 0") + if [[ "$sshCheck" == "0" ]]; then + ret="fail" + break + fi + done + /bin/echo $ret result: - integer: 1 + string: pass fix: | [source,bash] ---- - /usr/bin/grep -q '^ServerAliveCountMax' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveCountMax 0' >> /etc/ssh/ssh_config + for u in $(/usr/bin/dscl . 
-list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') + configarray=( ${(f)config} ) + for c in $configarray; do + /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveCountMax' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' "$c" || /bin/echo 'ServerAliveCountMax 0' >> "$c" + done + done ---- references: cce: diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml index 0b776351..e0b4115e 100644 --- a/rules/os/os_ssh_server_alive_interval_configure.yaml +++ b/rules/os/os_ssh_server_alive_interval_configure.yaml 
@@ -7,13 +7,27 @@ discussion: | NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/bin/grep -c "^ServerAliveInterval 900" /etc/ssh/ssh_config + ret="pass" + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveraliveinterval 900") + if [[ "$sshCheck" == "0" ]]; then + ret="fail" + break + fi + done + /bin/echo $ret result: - integer: 1 + string: pass fix: | [source,bash] ---- - /usr/bin/grep -q '^ServerAliveInterval' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveInterval 900' >> /etc/ssh/ssh_config + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') + configarray=( ${(f)config} ) + for c in $configarray; do + /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveInterval' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' "$c" || /bin/echo 'ServerAliveInterval 900' >> "$c" + done + done ---- references: cce:
diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml
index 8ec1e888..e6287ebe 100644
--- a/rules/os/os_sudo_timeout_configure.yaml
+++ b/rules/os/os_sudo_timeout_configure.yaml
@@ -3,7 +3,7 @@ title: "Configure Sudo Timeout Period to Zero"
 discussion: |
 The file /etc/sudoers _MUST_ include a timestamp_timout of zero.
 check: |
- /usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E "^Defaults\s+timestamp_timeout=0" '{}' \; | /usr/bin/wc -l | /usr/bin/xargs
+ /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Authentication timestamp timeout: 0.0 minutes"
 result:
 integer: 1
 fix: |
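Review bot: In the new fix block, the paths in `$configarray` come from `ssh -Gv` run as each user, i.e. from files that user controls including any `Include` directives, yet the `sed -i ''` and the `>> "$c"` append run as root while only the `grep` is dropped to the user; a remediation that writes as root to a user-supplied path crosses a privilege boundary. Writes to per-user files should happen with that user's privileges, and root should only edit the system-wide files it owns under /etc/ssh, which is what the removed one-liner did. The os_ssh_server_alive_count_max_configure.yaml hunk above has the same pattern and needs the same change. `${(f)config}` is a zsh-only expansion, which is fine if the generated compliance script runs under zsh but will not parse in bash; worth a comment if that assumption is intended. Below is the inner loop rewritten; the outer `for u` loop and the `config`/`configarray` lines are unchanged.
```yaml
      for c in $configarray; do
        if [[ "$c" == /etc/ssh/* && -O "$c" ]]; then
          # system-wide file owned by root: edit as root, as the previous fix did
          /usr/bin/grep -q '^ServerAliveInterval' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' "$c" || /bin/echo 'ServerAliveInterval 900' >> "$c"
        else
          # per-user file: its path came from that user's own ssh config, so write only with the user's privileges
          /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveInterval' "$c" && /usr/bin/sudo -u $u /usr/bin/sed -i '' 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' "$c" || /bin/echo 'ServerAliveInterval 900' | /usr/bin/sudo -u $u /usr/bin/tee -a "$c" > /dev/null
        fi
      done
```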
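Review bot: The discussion line kept as context in the os_sudo_timeout_configure hunk still says the file /etc/sudoers must include the setting (and spells it `timestamp_timout`), but the new check reads the effective value from `sudo -V`, which also reflects /etc/sudoers.d drop-ins and the compiled default; the discussion should describe what is actually measured, e.g. `The effective sudo timestamp_timeout, as reported by sudo -V, _MUST_ be zero.`. `sudo -V` only prints the configuration summary when it runs as root, so `/usr/bin/sudo /usr/bin/sudo -V` is redundant if the compliance script already runs as root and would stall on a password prompt in an unattended run if it does not; the rule should say which is assumed. The fix block begins after the hunk ends and is not visible here.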
diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
index 45a83fe5..4233335c 100644
--- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
@@ -6,11 +6,18 @@ discussion: |
 An unattended system with an excessive grace period is vulnerable to a malicious user.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
- .objectForKey('askForPasswordDelay').js
+ function run() {
+ let delay = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+ .objectForKey('askForPasswordDelay'))
+ if ( delay <= 5 ) {
+ return("true")
+ } else {
+ return("false")
+ }
+ }
 EOS
 result:
- integer: 5
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
index a7186c0e..55aa51a5 100644
--- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
@@ -6,11 +6,18 @@ discussion: |
 This rule ensures that a full session lock is triggered within no more than 20 minutes of inactivity.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
- .objectForKey('idleTime').js
+ function run() {
+ let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+ .objectForKey('idleTime'))
+ if ( timeout <= 1200 ) {
+ return("true")
+ } else {
+ return("false")
+ }
+ }
 EOS
 result:
- integer: 1200
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
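Review bot: In the sysprefs_screensaver_timeout_enforce hunk, `timeout <= 1200` also returns "true" for an idleTime of 0, which is the screen saver's "Never" setting, so a system that never starts the screen saver — and therefore never reaches the lock this rule exists for — passes the check. The comparison should exclude zero: `if ( timeout <= 1200 && timeout > 0 ) {`. An unset key presumably makes `ObjC.unwrap` yield undefined, which fails the comparison and returns "false", so that case is already covered. The askForPasswordDelay hunk above does not have this problem, since a delay of 0 there means the password is required immediately.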
diff --git a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml index 8a53aac4..8f57acf1 100644 --- a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml @@ -5,7 +5,7 @@ discussion: | Disabling the system preference pane prevents the users from configuring Siri. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preference.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | @@ -37,4 +37,4 @@ mobileconfig: true mobileconfig_info: com.apple.systempreferences: DisabledPreferencePanes: - - com.apple.preferences.speech + - com.apple.preference.speech diff --git a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml index 791929ff..c7989af4 100644 --- a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml @@ -5,7 +5,7 @@ discussion: | HIding the system preference pane prevents the users from configuring Siri. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preference.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | @@ -37,4 +37,4 @@ mobileconfig: true mobileconfig_info: com.apple.systempreferences: HiddenPreferencePanes: - - com.apple.preferences.speech + - com.apple.preference.speech
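Review bot: The check in the sysprefs_siri_prefpane_disable hunk and the identical one in sysprefs_siri_prefpane_hide count any line of the profile dump containing the pane identifier, so a profile that only hides the pane (HiddenPreferencePanes) satisfies the disable rule's check, and vice versa; neither rule verifies which payload key carries the identifier. If `profiles -P -o stdout` keeps the `DisabledPreferencePanes = ( ... );` array form, scoping the count to that block ties the check to the right key, e.g. `/usr/bin/profiles -P -o stdout | /usr/bin/awk '/DisabledPreferencePanes = \(/,/\);/' | /usr/bin/grep -c 'com\.apple\.preference\.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}'`, with `HiddenPreferencePanes` in the hide rule. Escaping the dots also stops the unanchored pattern from matching arbitrary characters in those positions. The rendering of these hunks has lost a line somewhere in the discussion context, so their exact layout could not be checked.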