From 86ad1f3fb2691fe9963e2a87bb816919a720bec6 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Tue, 18 Oct 2022 21:19:55 -0400
Subject: [PATCH] refactor [rules] Updated check/fix New check and fix wrote for system_settings_system_wide_preferences_configure. This is required for Ventura for System Settings to work properly.
---
 ...ngs_system_wide_preferences_configure.yaml | 38 ++++++++++++++-----
 1 file changed, 28 insertions(+), 10 deletions(-)
diff --git a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
index 1d7f6d5f..6183d473 100644
--- a/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
+++ b/rules/system_settings/system_settings_system_wide_preferences_configure.yaml
@@ -5,20 +5,31 @@ discussion: |
   Some Preference Panes in System Settings contain settings that affect the entire system. Requiring a password to unlock these system-wide settings reduces the risk of a non-authorized user modifying system configurations.
 check: |
-  /usr/bin/security authorizationdb read system.preferences 2> /dev/null | /usr/bin/grep -A 1 "shared" | /usr/bin/grep -c ""
+  authDBs=("system.preferences" "system.preferences.energysaver" "system.preferences.network" "system.preferences.printing" "system.preferences.sharing" "system.preferences.softwareupdate" "system.preferences.startupdisk" "system.preferences.timemachine")
+  result="1"
+  for section in $authDBs; do
+    if [[ $(/usr/bin/security authorizationdb read "$section" 2> /dev/null | /usr/bin/grep -A 1 "shared" | /usr/bin/grep -c "") -ne 1 ]]; then
+      result="0"
+    fi
+  done
+  echo $result
 result:
   integer: 1
 fix: |
   [source,bash]
   ----
-  /usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist
-  key_value=$(/usr/libexec/PlistBuddy -c "Print :shared" /tmp/system.preferences.plist 2>&1)
-  if [[ "$key_value" == *"Does Not Exist"* ]]; then
-    /usr/libexec/PlistBuddy -c "Add :shared bool false" /tmp/system.preferences.plist
-  else
-    /usr/libexec/PlistBuddy -c "Set :shared false" /tmp/system.preferences.plist
-  fi
-  /usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist
+  authDBs=("system.preferences" "system.preferences.energysaver" "system.preferences.network" "system.preferences.printing" "system.preferences.sharing" "system.preferences.softwareupdate" "system.preferences.startupdisk" "system.preferences.timemachine")
+
+  for section in $authDBs; do
+    /usr/bin/security -q authorizationdb read "$section" > "/tmp/$section.plist"
+    key_value=$(/usr/libexec/PlistBuddy -c "Print :shared" "/tmp/$section.plist" 2>&1)
+    if [[ "$key_value" == *"Does Not Exist"* ]]; then
+      /usr/libexec/PlistBuddy -c "Add :shared bool false" "/tmp/$section.plist"
+    else
+      /usr/libexec/PlistBuddy -c "Set :shared false" "/tmp/$section.plist"
+    fi
+    /usr/bin/security -q authorizationdb write "$section" < "/tmp/$section.plist"
+  done
   ----
 references:
   cce:
@@ -32,7 +43,7 @@ references:
     - AC-6(1)
     - AC-6(2)
   disa_stig:
-    - N/A
+    - APPL-12-002069
   800-171r2:
     - 3.1.5
     - 3.1.6
@@ -44,8 +55,15 @@ references:
   macOS:
     - "13.0"
 tags:
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - 800-53r4_moderate
+  - 800-53r4_high
+  - 800-171
+  - cnssi-1253
   - cis_lvl1
   - cis_lvl2
+  - cisv8
 severity: "medium"
 mobileconfig: false
 mobileconfig_info:
\ No newline at end of file
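Review bot: `for section in $authDBs; do`, used in both the new check and the new fix of the first hunk, expands only the first array element, so only `system.preferences` is ever read or rewritten, the other seven rights listed in `authDBs` are silently skipped, and the check's result reflects `system.preferences` alone; iterate with `for section in "${authDBs[@]}"; do` in both places. The fix also writes each right to a predictable path, `/tmp/$section.plist`, and then feeds that file back into a privileged `authorizationdb write`, so a pre-existing file or link at that path would be consumed; creating a scratch directory with `tmpdir=$(/usr/bin/mktemp -d)`, using `"$tmpdir/$section.plist"`, and removing it afterwards avoids that. For consistency with the rest of the new code, the check's final `echo $result` should be quoted as `echo "$result"`.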