refactor[rules] Updated check/fix

Updated check and fix for services.
Updated using launchctl print system instead of launchctl list

rules/audit/audit_auditd_enabled.yaml

@@ -11,7 +11,7 @@ discussion: |
 
   NOTE: Security auditing is NOT enabled by default on macOS Sequoia.
 check: |
-  LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
+  LAUNCHD_RUNNING=$(/bin/launchctl print system | /usr/bin/grep -c -E '\tcom.apple.auditd')
   AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
   if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
     echo "pass"

rules/os/os_httpd_disable.yaml

@@ -6,11 +6,15 @@ discussion: |
   NOTE: The built in web server service is disabled at startup by default macOS.
 check: |
   result="FAIL"
-  disabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"org.apache.httpd" => disabled')
+  enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"org.apache.httpd" => enabled')
   running=$(/bin/launchctl print system/org.apache.httpd 2>/dev/null)
   
-  if [[ -z "$running" ]] && [[ ! -z "$disabled" ]]; then
+  if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then
     result="PASS"
+  elif [[ -n "$running" ]]; then
+    result=result+" RUNNING"
+  elif [[ -n "$enabled" ]]; then
+    result=result+" ENABLED"
   fi
   echo $result
 result:

rules/os/os_time_server_enabled.yaml

@@ -5,7 +5,7 @@ discussion: |
 
   NOTE: The time synchronization daemon is enabled by default on macOS.
 check: |
-  /bin/launchctl list | /usr/bin/grep -c com.apple.timed
+  /bin/launchctl print system | /usr/bin/grep -c -E '\tcom.apple.timed'
 result:
   integer: 1
 fix: |

rules/os/os_uucp_disable.yaml

@@ -7,12 +7,24 @@ discussion: |
 
   NOTE: UUCP service is disabled at startup by default macOS.
 check: |
-  /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.uucp" => disabled'
+  result="FAIL"
+  enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"com.apple.uucp" => enabled')
+  running=$(/bin/launchctl print system/com.apple.uucp 2>/dev/null)
+  
+  if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then
+    result="PASS"
+  elif [[ -n "$running" ]]; then
+    result=result+" RUNNING"
+  elif [[ -n "$enabled" ]]; then
+    result=result+" ENABLED"
+  fi
+  echo $result
 result:
-  integer: 1
+  string: PASS
 fix: |
   [source,bash]
   ----
+  /bin/launchctl bootout system/com.apple.uucp 
   /bin/launchctl disable system/com.apple.uucp
   ----
   The system may need to be restarted for the update to take effect.

rules/system_settings/system_settings_location_services_disable.yaml

@@ -15,7 +15,7 @@ fix: |
   [source,bash]
   ----
   /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool false; 
-  pid=$(/bin/launchctl list | /usr/bin/awk '/com.apple.locationd/ { print $1 }')
+  pid=$(/bin/launchctl print system | /usr/bin/awk '/\tcom.apple.locationd/ {print $1}')
   kill -9 $pid
   ----
 references:

rules/system_settings/system_settings_location_services_enable.yaml

@@ -13,7 +13,7 @@ fix: |
   [source,bash]
   ----
   /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true; 
-  pid=$(/bin/launchctl list | /usr/bin/awk '/com.apple.locationd/ { print $1 }')
+  pid=$(/bin/launchctl print system | /usr/bin/awk '/\tcom.apple.locationd/ {print $1}')
   kill -9 $pid
   ----
 references:

rules/system_settings/system_settings_screen_sharing_disable.yaml

@@ -5,12 +5,24 @@ discussion: |
 
   The information system _MUST_ be configured to provide only essential capabilities. Disabling screen sharing and ARD helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling.
 check: |
-  /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.screensharing" => disabled'
+  result="FAIL"
+  enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"com.apple.screensharing" => enabled')
+  running=$(/bin/launchctl print system/com.apple.screensharing 2>/dev/null)
+  
+  if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then
+    result="PASS"
+  elif [[ -n "$running" ]]; then
+    result=result+" RUNNING"
+  elif [[ -n "$enabled" ]]; then
+    result=result+" ENABLED"
+  fi
+  echo $result
 result:
   integer: 1
 fix: |
   [source,bash]
   ----
+  /bin/launchctl bootout system/com.apple.screensharing
   /bin/launchctl disable system/com.apple.screensharing
   ----
   NOTE - This will apply to the whole system

rules/system_settings/system_settings_ssh_disable.yaml

@@ -3,7 +3,18 @@ title: Disable SSH Server for Remote Access Sessions
 discussion: |
   SSH service _MUST_ be disabled for remote access.
 check: |
-  /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => disabled'
+  result="FAIL"
+  enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"com.openssh.sshd" => enabled')
+  running=$(/bin/launchctl print system/com.openssh.sshd 2>/dev/null)
+  
+  if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then
+    result="PASS"
+  elif [[ -n "$running" ]]; then
+    result=result+" RUNNING"
+  elif [[ -n "$enabled" ]]; then
+    result=result+" ENABLED"
+  fi
+  echo $result
 result:
   integer: 1
 fix: |