usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 14:03:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

Fixed logic for supported payloads

Browse Source
This commit is contained in:
Dan Brodjieski
2021-10-18 12:30:03 -04:00
parent c8fd5f9f67
commit 5ba3ccf0bc
2 changed files with 75 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
includes/supported_payloads.yaml
View File

@@ -112,3 +112,4 @@ payloads_types:
- com.apple.AdLib
- .GlobalPreferences
- com.apple.preferences.sharing.SharingPrefsExtension
- com.apple.controlcenter

134
scripts/generate_guidance.py
View File

@@ -391,34 +391,46 @@ def generate_profiles(baseline_name, build_path, parent_dir, baseline_yaml, sign
for sections in baseline_yaml['profile']:
for profile_rule in sections['rules']:
for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
rule_yaml = get_rule_yaml(rule, False)
logging.debug(f"checking for rule file for {profile_rule}")
if glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
rule = glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True)[0]
custom=True
logging.debug(f"{rule}")
elif glob.glob('../rules/*/{}.yaml'.format(profile_rule)):
rule = glob.glob('../rules/*/{}.yaml'.format(profile_rule))[0]
custom=False
logging.debug(f"{rule}")
#for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
rule_yaml = get_rule_yaml(rule, custom)
if rule_yaml['mobileconfig']:
for payload_type, info in rule_yaml['mobileconfig_info'].items():
try:
if payload_type not in manifests['payloads_types']:
profile_errors.append(rule)
raise ValueError(
"{}: Payload Type is not supported".format(payload_type))
else:
pass
except (KeyError, ValueError) as e:
if rule_yaml['mobileconfig']:
for payload_type, info in rule_yaml['mobileconfig_info'].items():
valid = True
try:
if payload_type not in manifests['payloads_types']:
profile_errors.append(rule)
#print(e)
raise ValueError(
"{}: Payload Type is not supported".format(payload_type))
else:
pass
except (KeyError, ValueError) as e:
profile_errors.append(rule)
logging.debug(e)
valid = False
try:
if isinstance(info, list):
raise ValueError(
"Payload key is non-conforming")
else:
pass
except (KeyError, ValueError) as e:
profile_errors.append(rule)
#print(e)
try:
if isinstance(info, list):
raise ValueError(
"Payload key is non-conforming")
else:
pass
except (KeyError, ValueError) as e:
profile_errors.append(rule)
logging.debug(e)
valid = False
if valid:
if payload_type == "com.apple.ManagedClient.preferences":
for payload_domain, settings in info.items():
for key, value in settings.items():
@@ -571,6 +583,9 @@ plb="/usr/libexec/PlistBuddy"
CURRENT_USER=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {{ print $3 }}')
CURR_USER_UID=$(/usr/bin/id -u $CURR_USER)
# get system architecture
arch=$(/usr/bin/arch)
# configure colors for text
RED='\e[31m'
STD='\e[39m'
@@ -744,8 +759,6 @@ fi
defaults write "$audit_plist" lastComplianceCheck "$(date)"
"""
#compliance_script_file.write(check_zsh_header)
# Read all rules in the section and output the check functions
for sections in baseline_yaml['profile']:
for profile_rule in sections['rules']:
@@ -759,13 +772,20 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)"
custom=False
logging.debug(f"{rule}")
#for rule in glob.glob('../rules/*/{}.yaml'.format(profile_rule)) + glob.glob('../custom/rules/**/{}.yaml'.format(profile_rule),recursive=True):
rule_yaml = get_rule_yaml(rule, custom)
if rule_yaml['id'].startswith("supplemental"):
continue
if "manual" in rule_yaml['tags']:
continue
if "arm64" in rule_yaml['tags']:
arch="arm64"
elif "intel" in rule_yaml['tags']:
arch="i386"
else:
arch=""
# grab the 800-53 controls
try:
rule_yaml['references']['800-53r5']
@@ -774,21 +794,6 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)"
else:
nist_80053r5 = rule_yaml['references']['800-53r5']
#try:
# rule_yaml['references']['disa_stig']
#except KeyError:
# stig_ref = rule_yaml['id']
#else:
# if rule_yaml['references']['disa_stig'][0] == "N/A":
# stig_ref = [rule_yaml['id']]
# else:
# stig_ref = rule_yaml['references']['disa_stig']
#
#if "STIG" in baseline_yaml['title']:
# logging.debug(f'Setting STIG reference for logging: {stig_ref}')
# log_reference_id = stig_ref
#else:
# log_reference_id = [rule_yaml['id']]
if reference == "default":
log_reference_id = [rule_yaml['id']]
else:
@@ -847,31 +852,40 @@ defaults write "$audit_plist" lastComplianceCheck "$(date)"
zsh_check_text = """
#####----- Rule: {0} -----#####
## Addresses the following NIST 800-53 controls: {1}
#echo 'Running the command to check the settings for: {0} ...' | tee -a "$audit_log"
unset result_value
result_value=$({2})
# expected result {3}
rule_arch="{6}"
if [[ "$arch" == "$rule_arch" ]] || [[ -z "$rule_arch" ]]; then
#echo 'Running the command to check the settings for: {0} ...' | tee -a "$audit_log"
unset result_value
result_value=$({2})
# expected result {3}
# check to see if rule is exempt
unset exempt
unset exempt_reason
exempt=$($plb -c "print {0}:exempt" "$audit_plist_managed" 2>/dev/null)
exempt_reason=$($plb -c "print {0}:exempt_reason" "$audit_plist_managed" 2>/dev/null)
if [[ ! $exempt == "true" ]] || [[ -z $exempt ]];then
if [[ $result_value == "{4}" ]]; then
echo "$(date -u) {5} passed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
# check to see if rule is exempt
unset exempt
unset exempt_reason
exempt=$($plb -c "print {0}:exempt" "$audit_plist_managed" 2>/dev/null)
exempt_reason=$($plb -c "print {0}:exempt_reason" "$audit_plist_managed" 2>/dev/null)
if [[ ! $exempt == "true" ]] || [[ -z $exempt ]];then
if [[ $result_value == "{4}" ]]; then
echo "$(date -u) {5} passed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
defaults write "$audit_plist" {0} -dict-add finding -bool NO
else
echo "$(date -u) {5} failed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
defaults write "$audit_plist" {0} -dict-add finding -bool YES
fi
elif [[ ! -z "$exempt_reason" ]];then
echo "$(date -u) {5} has an exemption (Reason: "$exempt_reason")" | tee -a "$audit_log"
defaults write "$audit_plist" {0} -dict-add finding -bool NO
else
echo "$(date -u) {5} failed (Result: $result_value, Expected: "{3}")" | tee -a "$audit_log"
defaults write "$audit_plist" {0} -dict-add finding -bool YES
/bin/sleep 1
fi
elif [[ ! -z "$exempt_reason" ]];then
echo "$(date -u) {5} has an exemption (Reason: "$exempt_reason")" | tee -a "$audit_log"
else
echo "$(date -u) {5} does not apply to this architechture" | tee -a "$audit_log"
defaults write "$audit_plist" {0} -dict-add finding -bool NO
/bin/sleep 1
fi
""".format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), result, result_value, ' '.join(log_reference_id))
""".format(rule_yaml['id'], nist_controls.replace("\n", "\n#"), check.strip(), result, result_value, ' '.join(log_reference_id), arch)
check_function_string = check_function_string + zsh_check_text