From ad03fffee0ea89cc14c0dda6acabb8b00a117b93 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Thu, 10 Feb 2022 20:47:25 -0500 Subject: [PATCH] checks updated to jxa checks --- rules/os/os_erase_content_and_settings_disable.yaml | 7 +++++-- rules/os/os_skip_screen_time_prompt_enable.yaml | 7 +++++-- .../pwpolicy/pwpolicy_account_lockout_enforce_five.yaml | 7 +++++-- rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml | 7 +++++-- rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml | 7 +++++-- .../sysprefs/sysprefs_install_macos_updates_enforce.yaml | 7 +++++-- .../sysprefs_loginwindow_loginwindowtext_enable.yaml | 9 ++++++--- .../sysprefs_software_update_app_update_enforce.yaml | 7 +++++-- .../sysprefs_software_update_download_enforce.yaml | 7 +++++-- rules/sysprefs/sysprefs_wifi_menu_enable.yaml | 7 +++++-- 10 files changed, 51 insertions(+), 21 deletions(-) diff --git a/rules/os/os_erase_content_and_settings_disable.yaml b/rules/os/os_erase_content_and_settings_disable.yaml index 2c2b0c49..89e54d1b 100644 --- a/rules/os/os_erase_content_and_settings_disable.yaml +++ b/rules/os/os_erase_content_and_settings_disable.yaml @@ -3,9 +3,12 @@ title: "Disable Erase Content and Settings" discussion: Erase Content and Settings _MUST_ be disabled. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowEraseContentAndSettings = 0' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\ + .objectForKey('allowEraseContentAndSettings').js + EOS result: - integer: 1 + string: "false" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/os/os_skip_screen_time_prompt_enable.yaml b/rules/os/os_skip_screen_time_prompt_enable.yaml index 7e656ade..b6e27de3 100644 --- a/rules/os/os_skip_screen_time_prompt_enable.yaml +++ b/rules/os/os_skip_screen_time_prompt_enable.yaml 
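Review bot: `objectForKey('allowEraseContentAndSettings')` in rules/os/os_erase_content_and_settings_disable.yaml returns the effective preference value, so the check no longer proves the setting is enforced, even though `fix` says it is implemented by a Configuration Profile. As far as I can tell, that value can come from an ordinary `defaults write` in the user or host domain as well as from a managed profile, whereas the removed `profiles -P` pipeline only looked at installed profiles. Consider also requiring `.objectIsForcedForKey('allowEraseContentAndSettings')` to be true before reporting the value. The same gap applies to the other nine checks in this patch, and the result may also depend on which user the scan runs as, which is not visible here.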
@@ -3,9 +3,12 @@ title: "Disable Screen Time Prompt During Setup Assistant" discussion: The prompt for Screen Time setup during Setup Assistant _MUST_ be disabled. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipScreenTime = 1' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SetupAssistant.managed')\ + .objectForKey('SkipScreenTime').js + EOS result: - integer: 1 + string: "true" fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml b/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml index 04c3fcb2..f16a0e60 100644 --- a/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml +++ b/rules/pwpolicy/pwpolicy_account_lockout_enforce_five.yaml @@ -5,9 +5,12 @@ discussion: | This rule protects against malicious users attempting to gain access to the system via brute-force hacking methods. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'maxFailedAttempts = 5' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ + .objectForKey('maxFailedAttempts').js + EOS result: - integer: 1 + integer: 5 fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml index fb82453c..04c02ae8 100644 --- a/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml +++ b/rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml 
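Review bot: The new expected result `string: "true"` in rules/os/os_skip_screen_time_prompt_enable.yaml assumes the payload stores `SkipScreenTime` as a real boolean. If a profile encodes it as the integer 1, `.js` would presumably print `1` and a correctly configured host would be reported as failing, where the removed `grep -c 'SkipScreenTime = 1'` appears to have accepted that form. A missing key most likely prints nothing, which fails closed, but that is worth stating in a YAML comment above `check:`, for example `# empty output means the key is unset; the value must be a boolean in the payload`. The same typing assumption sits behind the `"false"` result in the erase-content rule and the `"true"` results in the three Software Update rules.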
@@ -6,8 +6,11 @@ discussion: | This rule ensures that users are not allowed to re-use a password that was used in any of the fifteen previous password generations. Limiting password reuse protects against malicious users attempting to gain access to the system via brute-force hacking methods. -check: | - /usr/bin/profiles -P -o stdout | /usr/bin/awk '/pinHistory/{sub(/;.*/,"");print $3}' +check: | + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.passwordpolicy')\ + .objectForKey('pinHistory').js + EOS result: integer: 15 fix: | diff --git a/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml index 1e277bd0..280e3c57 100644 --- a/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml +++ b/rules/sysprefs/sysprefs_bluetooth_menu_enable.yaml @@ -3,9 +3,12 @@ title: "Enable Bluetooth Menu" discussion: | The bluetooth menu _MUST_ be enabled. check: | - /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'Bluetooth = 18' + /usr/bin/osascript -l JavaScript << EOS + $.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\ + .objectForKey('Bluetooth').js + EOS result: - integer: 1 + integer: 18 fix: | This is implemented by a Configuration Profile. references: diff --git a/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml index 5431ec75..bc7437d7 100644 --- a/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml +++ b/rules/sysprefs/sysprefs_install_macos_updates_enforce.yaml 
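Review bot: The heredoc in rules/pwpolicy/pwpolicy_history_enforce_fifteen.yaml uses an unquoted delimiter (`<< EOS`), so the shell rewrites the script body before osascript reads it. The trailing `\` works only because the shell joins the two lines, and `$.NSUserDefaults` survives only because `$.` is not a shell expansion. A later edit that adds `$name`, `${...}`, `$(...)` or a backtick to the script would be expanded by the shell instead of reaching JavaScript. Either put the expression on one line and quote the delimiter, `/usr/bin/osascript -l JavaScript << 'EOS'`, or document the dependency with a comment. Every check added in this patch uses the same form.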
@@ -3,9 +3,12 @@ title: "Enforce macOS Updates are Automatically Installed"
 discussion: |
 Software Update _MUST_ be configured to enforce automatic installation of macOS updates is enabled.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutomaticallyInstallMacOSUpdates = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
+ .objectForKey('AutomaticallyInstallMacOSUpdates').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml b/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml
index 5adda5a1..2072084d 100644
--- a/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml
+++ b/rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml
@@ -3,9 +3,12 @@ title: "Configure Login Window to Show A Custom Message"
 discussion: |
 The login window _MUST_ be configured to show a custom access warning message.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'LoginwindowText'
-result:
- integer: 1
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.loginwindow')\
+ .objectForKey('LoginwindowText').js
+ EOS
+result:
+ string: "Approved message goes here"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml
index edb6e858..42be3ad5 100644
--- a/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml
+++ b/rules/sysprefs/sysprefs_software_update_app_update_enforce.yaml
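Review bot: `string: "Approved message goes here"` in rules/sysprefs/sysprefs_loginwindow_loginwindowtext_enable.yaml turns the old presence test into an exact match against placeholder text. A host showing the organization's real banner would fail, and a host showing the literal placeholder would pass. Nothing in the hunk tells an adopter that the value must be replaced. Add a comment above `result:` such as `# replace with your organization's approved banner text before scanning`, or drive the expected string from a tailorable parameter if the project has one. Multi-line banners may need extra care, since the comparison logic is outside this hunk.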
@@ -3,9 +3,12 @@ title: "Enforce Software Update App Update Updates Automatically"
 discussion: |
 Software Update _MUST_ be configured to enforce automatic updates of App Updates is enabled.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutomaticallyInstallAppUpdates = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.SoftwareUpdate')\
+ .objectForKey('AutomaticallyInstallAppUpdates').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml
index 5691d7cd..3efb8246 100644
--- a/rules/sysprefs/sysprefs_software_update_download_enforce.yaml
+++ b/rules/sysprefs/sysprefs_software_update_download_enforce.yaml
@@ -3,9 +3,12 @@ title: "Enforce Software Update Downloads Updates Automatically"
 discussion: |
 Software Update _MUST_ be configured to enforce automatic downloads of updates is enabled.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AutomaticDownload = 1'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.mobiledevice.SoftwareUpdate')\
+ .objectForKey('AutomaticDownload').js
+ EOS
 result:
- integer: 1
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_wifi_menu_enable.yaml b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml
index c016e63f..5ae623ee 100644
--- a/rules/sysprefs/sysprefs_wifi_menu_enable.yaml
+++ b/rules/sysprefs/sysprefs_wifi_menu_enable.yaml
@@ -3,9 +3,12 @@ title: "Enable Wifi Menu"
 discussion: |
 The WiFi menu _MUST_ be enabled.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'WiFi = 18'
+ /usr/bin/osascript -l JavaScript << EOS
+ $.NSUserDefaults.alloc.initWithSuiteName('com.apple.controlcenter')\
+ .objectForKey('WiFi').js
+ EOS
 result:
- integer: 1
+ integer: 18
 fix: |
 This is implemented by a Configuration Profile.
 references: