From 8a7a85640655c9770689f450e09b1999381f4aef Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 20 Apr 2022 13:34:00 -0400 Subject: [PATCH 1/9] #128 changed check to use sudo sudo -V --- rules/os/os_sudo_timeout_configure.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml index 8ec1e888..e6287ebe 100644 --- a/rules/os/os_sudo_timeout_configure.yaml +++ b/rules/os/os_sudo_timeout_configure.yaml @@ -3,7 +3,7 @@ title: "Configure Sudo Timeout Period to Zero" discussion: | The file /etc/sudoers _MUST_ include a timestamp_timout of zero. check: | - /usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E "^Defaults\s+timestamp_timeout=0" '{}' \; | /usr/bin/wc -l | /usr/bin/xargs + /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Authentication timestamp timeout: 0.0 minutes" result: integer: 1 fix: | From f99b7c7cc02ef9e277da060d90afde8261b45ff9 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 20 Apr 2022 13:37:39 -0400 Subject: [PATCH 2/9] #130 changed com.apple.preferences.speech to com.apple.preference.speech --- rules/sysprefs/sysprefs_siri_prefpane_disable.yaml | 2 +- rules/sysprefs/sysprefs_siri_prefpane_hide.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml index 8a53aac4..190c90a5 100644 --- a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml @@ -37,4 +37,4 @@ mobileconfig: true mobileconfig_info: com.apple.systempreferences: DisabledPreferencePanes: - - com.apple.preferences.speech + - com.apple.preference.speech diff --git a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml index 791929ff..23a39882 100644 --- a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml 
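Review bot: The new `sudo sudo -V` check reads the timeout as sudo resolves it for the invoking user (root here), so a per-user or per-host override such as `Defaults:admin timestamp_timeout=15` in /etc/sudoers.d appears to go unnoticed as long as the global `Defaults timestamp_timeout=0` is present — worth confirming on a host with such an override, and if it holds, keeping the old `find /etc/sudoers* … grep -E` as a second condition rather than dropping it. Nothing explains the double `sudo`, which exists because the 'Authentication timestamp timeout' line is only part of the extended output `sudo -V` prints when run as root; a sentence in `discussion` such as 'The check runs `sudo -V` as root because the effective timestamp_timeout is only listed in the extended output root receives.' would stop a later maintainer from simplifying it away. The `timestamp_timout` misspelling in the context line above is pre-existing but sits right next to the changed line.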
@@ -37,4 +37,4 @@ mobileconfig: true mobileconfig_info: com.apple.systempreferences: HiddenPreferencePanes: - - com.apple.preferences.speech + - com.apple.preference.speech From 6bcec6e04e62d4623ee08d13c4bb1c4f5cf8b2a1 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 20 Apr 2022 13:49:41 -0400 Subject: [PATCH 3/9] #131 removed eject from the check result --- rules/os/os_blank_bluray_disable.yaml | 2 +- rules/os/os_blank_cd_disable.yaml | 2 +- rules/os/os_blank_dvd_disable.yaml | 2 +- rules/os/os_disk_image_disable.yaml | 2 +- rules/os/os_dvdram_disable.yaml | 2 +- rules/os/os_removable_media_disable.yaml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml index ad2a56c3..48d4a5f3 100644 --- a/rules/os/os_blank_bluray_disable.yaml +++ b/rules/os/os_blank_bluray_disable.yaml @@ -18,7 +18,7 @@ check: | .objectForKey('mount-controls'))["blankbd"] EOS result: - string: "deny,eject" + string: "deny" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml index 0033dd5f..7018d474 100644 --- a/rules/os/os_blank_cd_disable.yaml +++ b/rules/os/os_blank_cd_disable.yaml @@ -18,7 +18,7 @@ check: | .objectForKey('mount-controls'))["blankcd"] EOS result: - string: "deny,eject" + string: "deny" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml index 0ab72723..cbd4a42d 100644 --- a/rules/os/os_blank_dvd_disable.yaml +++ b/rules/os/os_blank_dvd_disable.yaml @@ -18,7 +18,7 @@ check: | .objectForKey('mount-controls'))["blankdvd"] EOS result: - string: "deny,eject" + string: "deny" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml index 16ee6177..b9c2f737 100644 
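Review bot: Changing the expected value to the exact string `deny` makes a profile that delivers `deny,eject` for `blankbd` — the value this rule expected until now, and a common way to ship it — fail the check even though mounting is denied, assuming the generated script compares `result: string` for equality as the key implies. Since the hunk's `["blankbd"]` indexes an unwrapped array, a membership test accepts both forms: `.objectForKey('mount-controls'))["blankbd"].includes("deny")` with `result: string: "true"` (verify that the unwrapped array holds plain JS strings rather than NSString proxies before relying on `includes`). The same applies to the five sibling rules changed in this patch, and to whatever `mobileconfig_info` these rules still deliver, which is not in the hunk. The osascript heredoc that this line belongs to begins outside the hunk.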
--- a/rules/os/os_disk_image_disable.yaml +++ b/rules/os/os_disk_image_disable.yaml @@ -18,7 +18,7 @@ check: | .objectForKey('mount-controls'))["disk-image"] EOS result: - string: "deny,eject" + string: "deny" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml index c1eb08a8..da8f0efb 100644 --- a/rules/os/os_dvdram_disable.yaml +++ b/rules/os/os_dvdram_disable.yaml @@ -18,7 +18,7 @@ check: | .objectForKey('mount-controls'))["dvdram"] EOS result: - string: "deny,eject" + string: "deny" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml index ac91ee8a..0395dd24 100644 --- a/rules/os/os_removable_media_disable.yaml +++ b/rules/os/os_removable_media_disable.yaml @@ -20,7 +20,7 @@ check: | .objectForKey('mount-controls'))["harddisk-external"] EOS result: - string: "deny,eject" + string: "deny" fix: | This is implemented by a Configuration Profile. references: From 7f0b54b12e5452c3b34a751ea55b1adeadf0ced3 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 20 Apr 2022 13:55:08 -0400 Subject: [PATCH 4/9] #132 fixed check for burnsupport --- rules/os/os_burn_support_disable.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml index 529218e6..8c4f1aa0 100644 --- a/rules/os/os_burn_support_disable.yaml +++ b/rules/os/os_burn_support_disable.yaml 
@@ -8,7 +8,7 @@ discussion: Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization. ==== check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(ProhibitBurn = 0|BurnSupport = "off")' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(BurnSupport = off;|ProhibitBurn = 1;)' result: integer: 2 fix: | From 322d0c2bca6a1fcfc29a7a7804c4770c88548cfd Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 20 Apr 2022 13:58:48 -0400 Subject: [PATCH 5/9] #133 fix updated with rtfd not just rtf --- rules/os/os_policy_banner_loginwindow_enforce.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/os/os_policy_banner_loginwindow_enforce.yaml b/rules/os/os_policy_banner_loginwindow_enforce.yaml index 46d0f3c0..68b13819 100644 --- a/rules/os/os_policy_banner_loginwindow_enforce.yaml +++ b/rules/os/os_policy_banner_loginwindow_enforce.yaml 
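Review bot: `grep -Ec` counts lines matching either alternative, so with an exact expected value of 2 the check passes when two installed profiles each carry `ProhibitBurn = 1;` and none sets `BurnSupport = off;`, and fails when a third profile legitimately repeats one of the keys. Testing the two keys independently avoids both cases: `/usr/bin/profiles -P -o stdout | /usr/bin/awk '/BurnSupport = off;/{b=1} /ProhibitBurn = 1;/{p=1} END{print (b && p) ? 1 : 0}'` with `result: integer: 1`. This keeps the assumption the new pattern already makes, that `profiles -P -o stdout` prints each key on its own line in the `key = value;` form.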
@@ -19,8 +19,8 @@ fix: | [source,bash] ---- bannerText="You are accessing a U.S. Government information system, which includes: 1) this computer, 2) this computer network, 3) all Government-furnished computers connected to this network, and 4) all Government-furnished devices and storage media attached to this network or to a computer on this network. You understand and consent to the following: you may access this information system for authorized use only; unauthorized use of the system is prohibited and subject to criminal and civil penalties; you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system at any time and for any lawful Government purpose, the Government may monitor, intercept, audit, and search and seize any communication or data transiting or stored on this information system; and any communications or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. This information system may contain Controlled Unclassified Information (CUI) that is subject to safeguarding or dissemination controls in accordance with law, regulation, or Government-wide policy. Accessing and using this system indicates your understanding of this warning." - /bin/mkdir /Library/Security/PolicyBanner.rtf - /usr/bin/textutil -convert rtf -output /Library/Security/PolicyBanner.rtf/TXT.rtf -stdin < Date: Wed, 20 Apr 2022 15:19:00 -0400 Subject: [PATCH 6/9] fixed preferences to preference in check --- rules/sysprefs/sysprefs_siri_prefpane_disable.yaml | 2 +- rules/sysprefs/sysprefs_siri_prefpane_hide.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml index 190c90a5..8f57acf1 100644 --- a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml +++ b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml 
@@ -5,7 +5,7 @@ discussion: | Disabling the system preference pane prevents the users from configuring Siri. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preference.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | diff --git a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml index 23a39882..c7989af4 100644 --- a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml +++ b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml @@ -5,7 +5,7 @@ discussion: | HIding the system preference pane prevents the users from configuring Siri. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' + /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preference.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' result: integer: 1 fix: | From 89e6b244dbcfeecd491b5178dd415f05b9814751 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Wed, 20 Apr 2022 21:15:45 -0400 Subject: [PATCH 7/9] check changed to be less than or equal to --- ..._screensaver_ask_for_password_delay_enforce.yaml | 13 ++++++++++--- .../sysprefs_screensaver_timeout_enforce.yaml | 13 ++++++++++--- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml index 45a83fe5..4233335c 100644 --- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml 
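Review bot: The corrected identifier is still matched anywhere in the `profiles -P -o stdout` dump, so the disable rule's check is satisfied by a profile that only lists `com.apple.preference.speech` under HiddenPreferencePanes (and the hide rule by one that only disables it); the `>= 2` threshold presumably compensates for duplicated output but does not tie the match to the right payload key. Scoping the count to the relevant array does, e.g. `/usr/bin/profiles -P -o stdout | /usr/bin/awk '/DisabledPreferencePanes/,/\)/' | /usr/bin/grep -Fc 'com.apple.preference.speech'` here and `HiddenPreferencePanes` in the hide rule, on the assumption that the array is printed in the old-style `key = ( … );` plist form. `grep -F` also stops the dots in the identifier from acting as regex wildcards.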
@@ -6,11 +6,18 @@ discussion: | An unattended system with an excessive grace period is vulnerable to a malicious user. check: | /usr/bin/osascript -l JavaScript << EOS - $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ - .objectForKey('askForPasswordDelay').js + function run() { + let delay = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ + .objectForKey('askForPasswordDelay')) + if ( delay <= 5 ) { + return("true") + } else { + return("false") + } + } EOS result: - integer: 5 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml index a7186c0e..55aa51a5 100644 --- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml +++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml @@ -6,11 +6,18 @@ discussion: | This rule ensures that a full session lock is triggered within no more than 20 minutes of inactivity. check: | /usr/bin/osascript -l JavaScript << EOS - $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ - .objectForKey('idleTime').js + function run() { + let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\ + .objectForKey('idleTime')) + if ( timeout <= 1200 ) { + return("true") + } else { + return("false") + } + } EOS result: - integer: 1200 + string: "true" fix: | This is implemented by a Configuration Profile. references: From d6e8d3dae48ee16786fa4d1d4eb5dadf8edaf246 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 28 Apr 2022 14:24:01 -0400 Subject: [PATCH 8/9] ssh check --- ...s_ssh_server_alive_count_max_configure.yaml | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml index e196534f..f4aaa2f2 100644 
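Review bot: The new function's handling of an unmanaged `askForPasswordDelay` is implicit: `ObjC.unwrap` of a missing key yields `undefined`, `undefined <= 5` is false, and so the check fails closed — but nothing says that is intended, and a later edit to the comparison could silently change it. A one-line comment above the `if`, `// an unset key unwraps to undefined, which fails the comparison and reports "false"`, pins it, or make it explicit with `if ( delay !== undefined && delay <= 5 )`. The comparison also admits 0, which is the strictest setting for this key and correctly passes.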
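Review bot: `timeout <= 1200` is also satisfied by an `idleTime` of 0, which in the Screen Saver settings means 'Never', so a machine whose screen saver is switched off passes a rule whose discussion promises a session lock within 20 minutes of inactivity. The comparison should exclude that value: `if ( timeout > 0 && timeout <= 1200 )`. As in the sibling check, an unmanaged key unwraps to `undefined` and fails closed, which deserves a comment so it survives future edits.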
--- a/rules/os/os_ssh_server_alive_count_max_configure.yaml +++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml @@ -5,13 +5,27 @@ discussion: | NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/bin/grep -c "^ServerAliveCountMax 0" /etc/ssh/ssh_config + ret="Pass" + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveralivecountmax 0") + if [[ "$sshCheck" == "0" ]]; then + ret="Fail" + break + fi + done + /bin/echo $ret result: integer: 1 fix: | [source,bash] ---- - /usr/bin/grep -q '^ServerAliveCountMax' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveCountMax 0' >> /etc/ssh/ssh_config + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| tr -d '\r') + configarray=( ${(f)config} ) + for c in $configarray; do + /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveCountMax' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' "$c" || /bin/echo 'ServerAliveCountMax 0' >> "$c" + done + done ---- references: cce: From a08538431b78225bc0eed11c2f6f314b69809bf9 Mon Sep 17 00:00:00 2001 From: Allen Golbig Date: Thu, 28 Apr 2022 15:20:04 -0400 Subject: [PATCH 9/9] more ssh checks --- ..._ssh_server_alive_count_max_configure.yaml | 8 ++++---- ...s_ssh_server_alive_interval_configure.yaml | 20 ++++++++++++++++--- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml index f4aaa2f2..236e7409 100644 --- a/rules/os/os_ssh_server_alive_count_max_configure.yaml 
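Review bot: `configarray=( ${(f)config} )` is zsh parameter-flag syntax, but the fix block is labelled `[source,bash]`; under bash it is a 'bad substitution' error and no config file is ever edited. If the generated fix script really runs under zsh the label should say so; otherwise iterate the newline-separated list portably by replacing the `configarray=` and `for c in` lines with `while IFS= read -r c; do` and the matching `done` with `done <<< "$config"`. The `result: integer: 1` versus echoed `Pass`/`Fail` mismatch is addressed in the next patch. `$u` is unquoted throughout; harmless for typical usernames, but `"$u"` costs nothing.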
+++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml @@ -5,22 +5,22 @@ discussion: | NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - ret="Pass" + ret="pass" for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveralivecountmax 0") if [[ "$sshCheck" == "0" ]]; then - ret="Fail" + ret="fail" break fi done /bin/echo $ret result: - integer: 1 + string: pass fix: | [source,bash] ---- for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do - config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| tr -d '\r') + config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') configarray=( ${(f)config} ) for c in $configarray; do /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveCountMax' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' "$c" || /bin/echo 'ServerAliveCountMax 0' >> "$c" diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml index 0b776351..e0b4115e 100644 --- a/rules/os/os_ssh_server_alive_interval_configure.yaml +++ b/rules/os/os_ssh_server_alive_interval_configure.yaml 
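Review bot: The read side runs as the user (`sudo -u $u grep -q`) but the write side runs as root: `sed -i ''` and the `>>` append act on every path ssh printed under 'Reading configuration data', and a user's own config can extend that list through `Include` — as far as I can tell ssh only requires an included file to be owned by root or the user and not writable by others, and the debug line is printed before the file is parsed — so a local user can steer root into appending `ServerAliveCountMax 0` to, or running the sed over, a root-owned file of their choosing, which is enough to corrupt /etc/sudoers or a PAM file. Edit system-wide paths as root and per-user paths with the user's own privileges, so that an Include cannot reach outside what the user already owns; the rewritten inner loop body is below. The loop's closing `done` lines lie outside the hunk, and the interval rule has the same pattern.
```shell
for c in $configarray; do
    if [[ "$c" == /etc/ssh/* ]]; then
        # system-wide file: root edits it directly
        /usr/bin/grep -q '^ServerAliveCountMax' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' "$c" || /bin/echo 'ServerAliveCountMax 0' >> "$c"
    else
        # per-user file: edit as the user so an Include cannot steer root onto a root-owned path
        /usr/bin/sudo -u "$u" /usr/bin/grep -q '^ServerAliveCountMax' "$c" \
            && /usr/bin/sudo -u "$u" /usr/bin/sed -i '' 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' "$c" \
            || /bin/echo 'ServerAliveCountMax 0' | /usr/bin/sudo -u "$u" /usr/bin/tee -a "$c" >/dev/null
    fi
# … unchanged: closing done lines (outside the hunk) …
```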
@@ -7,13 +7,27 @@ discussion: | NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system. check: | - /usr/bin/grep -c "^ServerAliveInterval 900" /etc/ssh/ssh_config + ret="pass" + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveraliveinterval 900") + if [[ "$sshCheck" == "0" ]]; then + ret="fail" + break + fi + done + /bin/echo $ret result: - integer: 1 + string: pass fix: | [source,bash] ---- - /usr/bin/grep -q '^ServerAliveInterval' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveInterval 900' >> /etc/ssh/ssh_config + for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do + config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r') + configarray=( ${(f)config} ) + for c in $configarray; do + /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveInterval' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' "$c" || /bin/echo 'ServerAliveInterval 900' >> "$c" + done + done ---- references: cce:
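Review bot: When no column-0 `ServerAliveInterval` exists, the fallback appends the directive to the end of the file, and in a per-user config that ends with `Host` or `Match` stanzas the appended line becomes part of the last stanza rather than a global default, so `ssh -G .` still reports the old value and the rule keeps failing after its own fix. The sed branch has the mirror problem: it rewrites every line containing the keyword, including indented Host-specific ones, without establishing a global value. Insert at the top of the file instead, which ssh_config's first-obtained-value rule turns into an effective global: `/usr/bin/sed -i '' '1i\'$'\n''ServerAliveInterval 900' "$c"` (a zero-length file has no line 1, so keep the `echo >>` for that case only). The check side is fine because `ssh -G` lowercases keywords; the same applies to the count-max rule.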