feat[script]: change for issue 267

Merged iOS support into generate_guidance.py.
Dan Brodjieski
2023-09-14 15:54:39 -04:00
parent 53c8a74801
commit 1323b76a7a
3 changed files with 130 additions and 58 deletions


@@ -1,4 +1,5 @@
os: "11.0"
platform: macOS
version: "Big Sur Guidance, Revision 7.0"
cpe: o:apple:macos:11.0
date: "2023-06-26"


@@ -606,7 +606,7 @@ if [[ $EUID -ne 0 ]]; then
fi
ssh_key_check=0
if /usr/sbin/sshd -T &> /dev/null; then
if /usr/sbin/sshd -T &> /dev/null || /usr/sbin/sshd -G &>/dev/null; then
ssh_key_check=0
else
/usr/bin/ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key
@@ -717,17 +717,28 @@ reset_plist(){{
compliance_count(){{
compliant=0
non_compliant=0
results=$(/usr/libexec/PlistBuddy -c "Print" /Library/Preferences/org.{baseline_name}.audit.plist)
while IFS= read -r line; do
if [[ "$line" =~ "finding = false" ]]; then
exempt_count=0
audit_plist="/Library/Preferences/org.{baseline_name}.audit.plist"
rule_names=($(/usr/libexec/PlistBuddy -c "Print" $audit_plist | awk '/= Dict/ {{print $1}}'))
for rule in ${{rule_names[@]}}; do
finding=$(/usr/libexec/PlistBuddy -c "Print $rule:finding" $audit_plist)
if [[ $finding == "false" ]];then
compliant=$((compliant+1))
elif [[ $finding == "true" ]];then
is_exempt=$(/usr/bin/osascript -l JavaScript << EOS 2>/dev/null
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('org.{baseline_name}.audit').objectForKey("$rule"))["exempt"]
EOS
)
if [[ $is_exempt == "1" ]]; then
exempt_count=$((exempt_count+1))
non_compliant=$((non_compliant+1))
else
non_compliant=$((non_compliant+1))
fi
fi
if [[ "$line" =~ "finding = true" ]]; then
non_compliant=$((non_compliant+1))
fi
done <<< "$results"
done
# Enable output of just the compliant or non-compliant numbers.
if [[ $1 = "compliant" ]]
@@ -737,40 +748,19 @@ compliance_count(){{
then
echo $non_compliant
else # no matching args output the array
array=($compliant $non_compliant)
array=($compliant $non_compliant $exempt_count)
echo ${{array[@]}}
fi
}}
exempt_count(){{
exempt=0
if [[ -e "/Library/Managed Preferences/org.{baseline_name}.audit.plist" ]];then
mscp_prefs="/Library/Managed Preferences/org.{baseline_name}.audit.plist"
else
mscp_prefs="/Library/Preferences/org.{baseline_name}.audit.plist"
fi
results=$(/usr/libexec/PlistBuddy -c "Print" "$mscp_prefs")
while IFS= read -r line; do
if [[ "$line" =~ "exempt = true" ]]; then
exempt=$((exempt+1))
fi
done <<< "$results"
echo $exempt
}}
generate_report(){{
count=($(compliance_count))
exempt_rules=$(exempt_count)
compliant=${{count[1]}}
non_compliant=${{count[2]}}
exempt_rules=${{count[3]}}
total=$((non_compliant + compliant - exempt_rules))
percentage=$(printf %.2f $(( compliant * 100. / total )) )
total=$((non_compliant + compliant))
percentage=$(printf %.2f $(( (compliant + exempt_rules) * 100. / total )) )
echo
echo "Number of tests passed: ${{GREEN}}$compliant${{STD}}"
echo "Number of test FAILED: ${{RED}}$non_compliant${{STD}}"
@@ -1082,7 +1072,7 @@ fi
if [[ "$ssh_key_check" -ne 0 ]]; then
/bin/rm /etc/ssh/ssh_host_rsa_key
/bin/rm /etc/ssh/ssh_host_rsa_key.public
/bin/rm /etc/ssh/ssh_host_rsa_key.pub
ssh_key_check=0
fi
"""
@@ -1133,9 +1123,10 @@ def fill_in_odv(resulting_yaml, parent_values):
if "$ODV" in resulting_yaml[field]:
resulting_yaml[field]=resulting_yaml[field].replace("$ODV", str(odv))
for result_value in resulting_yaml['result']:
if "$ODV" in str(resulting_yaml['result'][result_value]):
resulting_yaml['result'][result_value] = odv
if 'result' in resulting_yaml:
for result_value in resulting_yaml['result']:
if "$ODV" in str(resulting_yaml['result'][result_value]):
resulting_yaml['result'][result_value] = odv
if resulting_yaml['mobileconfig_info']:
for mobileconfig_type in resulting_yaml['mobileconfig_info']:
@@ -1582,7 +1573,7 @@ def parse_cis_references(reference):
string += "!CIS " + str(item).title() + "\n!\n"
string += "* "
for i in reference[item]:
string += str(i) + ", "
string += str(i) + "\n * "
string = string[:-2] + "\n"
else:
string += "!" + str(item) + "!* " + str(reference[item]) + "\n"
@@ -1655,7 +1646,8 @@ def main():
with open(version_file) as r:
version_yaml = yaml.load(r, Loader=yaml.SafeLoader)
adoc_templates = [ "adoc_rule",
adoc_templates = [ "adoc_rule_ios",
"adoc_rule",
"adoc_supplemental",
"adoc_rule_no_setting",
"adoc_rule_custom_refs",
@@ -1690,6 +1682,9 @@ def main():
# Setup AsciiDoc templates
with open(adoc_templates_dict['adoc_rule_ios']) as adoc_rule_ios_file:
adoc_rule_ios_template = Template(adoc_rule_ios_file.read())
with open(adoc_templates_dict['adoc_rule']) as adoc_rule_file:
adoc_rule_template = Template(adoc_rule_file.read())
@@ -2013,23 +2008,42 @@ def main():
rule_srg=srg
)
else:
rule_adoc = adoc_rule_template.substitute(
rule_title=rule_yaml['title'].replace('|', '\|'),
rule_id=rule_yaml['id'].replace('|', '\|'),
rule_discussion=rule_yaml['discussion'].replace('|', '\|'),
rule_check=rule_yaml['check'], # .replace('|', '\|'),
rule_fix=rulefix,
rule_cci=cci,
rule_80053r5=nist_controls,
rule_800171=nist_800171,
rule_disa_stig=disa_stig,
rule_cis=cis,
rule_cmmc=cmmc,
rule_cce=cce,
rule_tags=tags,
rule_srg=srg,
rule_result=result_value
)
if version_yaml['platform'] == "iOS/iPadOS":
rule_adoc = adoc_rule_ios_template.substitute(
rule_title=rule_yaml['title'].replace('|', '\|'),
rule_id=rule_yaml['id'].replace('|', '\|'),
rule_discussion=rule_yaml['discussion'].replace('|', '\|'),
rule_check=rule_yaml['check'], # .replace('|', '\|'),
rule_fix=rulefix,
rule_cci=cci,
rule_80053r5=nist_controls,
rule_800171=nist_800171,
rule_disa_stig=disa_stig,
rule_cis=cis,
rule_cmmc=cmmc,
rule_cce=cce,
rule_tags=tags,
rule_srg=srg,
rule_result=result_value
)
else:
rule_adoc = adoc_rule_template.substitute(
rule_title=rule_yaml['title'].replace('|', '\|'),
rule_id=rule_yaml['id'].replace('|', '\|'),
rule_discussion=rule_yaml['discussion'].replace('|', '\|'),
rule_check=rule_yaml['check'], # .replace('|', '\|'),
rule_fix=rulefix,
rule_cci=cci,
rule_80053r5=nist_controls,
rule_800171=nist_800171,
rule_disa_stig=disa_stig,
rule_cis=cis,
rule_cmmc=cmmc,
rule_cce=cce,
rule_tags=tags,
rule_srg=srg,
rule_result=result_value
)
adoc_output_file.write(rule_adoc)
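Review bot: In the new compliance_count, every rule name read back from the audit plist is spliced unescaped into JavaScript source that osascript executes (`objectForKey("$rule")` inside the unquoted `<< EOS` heredoc), and `rule_names=($(... | awk ...))` relies on word splitting, so a key containing a quote, whitespace or `$` is interpreted as code rather than data by a script that appears to run as root (see the EUID check at the top of the first hunk). On a default macOS install /Library/Preferences is writable by the admin group, so treat this at least as a robustness gap and arguably a hardening one. I would whitelist the name as the first statement of the loop body, `[[ $rule =~ ^[A-Za-z0-9_]+$ ]] || continue`, which also stops awk output from being split into bogus entries. compliance_count continues past the end of that hunk; the following hunk finishes it. Separately, the new `version_yaml['platform'] == "iOS/iPadOS"` test raises KeyError for any existing version file that does not yet carry the `platform` key this commit appears to introduce; `version_yaml.get('platform')` would keep older baselines generating.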


@@ -0,0 +1,57 @@
=== $rule_title
$rule_discussion
$rule_check
====
**Remediation Description**
Perform the following to configure the system to meet the requirements:
$rule_fix
====
[cols="15%h, 85%a"]
|===
|ID
|$rule_id
|References
|
[cols="20%h,80%a"]
[frame="none"]
[grid="cols"]
!===
!800-53r5
!$rule_80053r5
ifdef::show_171[]
!800-171r2
!$rule_800171
endif::[]
ifdef::show_STIG[]
!DISA STIG(s)
!$rule_disa_stig
endif::[]
ifdef::show_CIS[]
$rule_cis
endif::[]
!CCE
!$rule_cce
ifdef::show_tags[]
!TAGS
!$rule_tags
endif::[]
!===
|
|===