From a24451feab34cfa1e81e6b8d8277b0648a2b1665 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 9 Aug 2022 15:18:46 -0400 Subject: [PATCH 1/2] updated compliance count --- scripts/generate_guidance.py | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 83f6cd6e..8be927d1 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -704,17 +704,39 @@ compliance_count(){{ fi }} +exempt_count(){{ + exempt=0 + + if [[ -e "/Library/Managed Preferences/org.{baseline_name}.audit.plist" ]];then + mscp_prefs="/Library/Managed Preferences/org.{baseline_name}.audit.plist" + else + mscp_prefs="/Library/Preferences/org.{baseline_name}.audit.plist" + fi + + results=$(/usr/libexec/PlistBuddy -c "Print" "$mscp_prefs") + + while IFS= read -r line; do + if [[ "$line" =~ "exempt = true" ]]; then + exempt=$((exempt+1)) + fi + done <<< "$results" + + /bin/echo $exempt +}} + generate_report(){{ count=($(compliance_count)) + exempt_rules=$(exempt_count) compliant=${{count[1]}} non_compliant=${{count[2]}} - total=$((non_compliant + compliant)) + total=$((non_compliant + compliant - exempt_rules)) percentage=$(printf %.2f $(( compliant * 100. / total )) ) /bin/echo echo "Number of tests passed: ${{GREEN}}$compliant${{STD}}" echo "Number of test FAILED: ${{RED}}$non_compliant${{STD}}" + echo "Number of exempt rules: ${{YELLOW}}$exempt_rules${{STD}}" echo "You are ${{YELLOW}}$percentage%${{STD}} percent compliant!" pause }} 
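Review bot: `total=$((non_compliant + compliant - exempt_rules))` can now reach zero, and the next line `percentage=$(printf %.2f $(( compliant * 100. / total )) )` then aborts with a zsh division-by-zero error instead of printing a report. `exempt_count` tallies every `exempt = true` line in whichever plist it finds first (Managed Preferences, else /Library/Preferences), which is not guaranteed to be the same rule set that `compliance_count` counted from the findings, so a mismatch is plausible in practice; guard the division with `if (( total > 0 )); then percentage=$(printf %.2f $(( compliant * 100. / total )) ); else percentage=0; fi`. If an exempt rule passes its check it is presumably still counted in `compliant` while being subtracted from `total`, so the percentage could exceed 100 — worth confirming against the per-rule check logic, which is outside this hunk. A short comment on the `=~ "exempt = true"` test saying it is a literal substring match on PlistBuddy's `key = value` print format, not a key lookup, would help the next maintainer.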
@@ -882,7 +904,7 @@ EOS /usr/bin/logger "mSCP: {7} - {5} failed (Result: $result_value, Expected: "{3}")" else /bin/echo "$(date -u) {5} failed (Result: $result_value, Expected: "{3}") - Exemption Allowed (Reason: "$exempt_reason")" | /usr/bin/tee -a "$audit_log" - /usr/bin/defaults write "$audit_plist" {0} -dict-add finding -bool NO + /usr/bin/defaults write "$audit_plist" {0} -dict-add finding -bool YES /usr/bin/logger "mSCP: {7} - {5} failed (Result: $result_value, Expected: "{3}") - Exemption Allowed (Reason: "$exempt_reason")" /bin/sleep 1 fi From 17ba38be31c685559a44b4db6610bcba0fe996c5 Mon Sep 17 00:00:00 2001 From: Bob Gendler Date: Tue, 9 Aug 2022 15:25:05 -0400 Subject: [PATCH 2/2] issue #146 --- scripts/generate_guidance.py | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/scripts/generate_guidance.py b/scripts/generate_guidance.py index 8be927d1..5bd949aa 100755 --- a/scripts/generate_guidance.py +++ b/scripts/generate_guidance.py @@ -600,12 +600,6 @@ YELLOW='\e[33m' audit_plist="/Library/Preferences/org.{baseline_name}.audit.plist" audit_log="/Library/Logs/{baseline_name}_baseline.log" -lastComplianceScan=$(defaults read /Library/Preferences/org.{baseline_name}.audit.plist lastComplianceCheck) - -if [[ $lastComplianceScan == "" ]];then - lastComplianceScan="No scans have been run" -fi - # pause function pause(){{ vared -p "Press [Enter] key to continue..." -c fackEnterKey @@ -650,6 +644,12 @@ ask() {{ # function to display menus show_menus() {{ + lastComplianceScan=$(defaults read /Library/Preferences/org.{baseline_name}.audit.plist lastComplianceCheck) + + if [[ $lastComplianceScan == "" ]];then + lastComplianceScan="No scans have been run" + fi + /usr/bin/clear /bin/echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" /bin/echo " M A I N - M E N U" 
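Review bot: Recording an exempted failure as `finding -bool YES` changes what every consumer of the audit plist sees, because anything that keys on `finding` alone (`compliance_count`, the `--non_compliant` listing, or an MDM inventory script reading this plist) will now treat the exempted rule as a failure, while only the log and logger lines carry the `Exemption Allowed` marker. If this is intended so that `generate_report` can subtract `exempt_count` from the total, say so where the value is written: `# exempted failures still record finding=YES; generate_report() subtracts exempt_count() from the total`. The enclosing check function starts and ends outside this hunk, so whether the same dict also carries `exempt`/`exempt_reason` for downstream consumers to distinguish the two cases is not visible here.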
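Review bot: The `defaults read /Library/Preferences/org.{baseline_name}.audit.plist lastComplianceCheck` moved into `show_menus` hard-codes a path the script already holds in `audit_plist`, and when the domain or key does not exist yet `defaults` prints an error on stderr just before `/usr/bin/clear` runs, so it is either wiped from the terminal or leaks into any captured output. Use the variable and discard the expected error: `lastComplianceScan=$(defaults read "$audit_plist" lastComplianceCheck 2>/dev/null)`. Moving the read out of the top-level setup does mean a check run from the menu refreshes the timestamp; a comment such as `# re-read on every menu draw so a scan started from the menu updates the timestamp` would record why it is no longer computed once at startup. `show_menus` continues past the end of the hunk.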
@@ -675,6 +675,12 @@ read_options(){{ esac }} +# function to reset and remove plist file. Used to clear out any previous findings +reset_plist(){{ + echo "Clearing results from /Library/Preferences/org.{baseline_name}.audit.plist" + defaults delete /Library/Preferences/org.{baseline_name}.audit.plist +}} + # Generate the Compliant and Non-Compliant counts. Returns: Array (Compliant, Non-Compliant) compliance_count(){{ compliant=0 @@ -1016,7 +1022,9 @@ fi } -zparseopts -D -E -check=check -fix=fix -stats=stats -compliant=compliant -non_compliant=non_compliant +zparseopts -D -E -check=check -fix=fix -stats=stats -compliant=compliant -non_compliant=non_compliant -reset=reset + +if [[ $reset ]]; then reset_plist; fi if [[ $check ]] || [[ $fix ]] || [[ $stats ]] || [[ $compliant ]] || [[ $non_compliant ]]; then if [[ $fix ]]; then run_fix; fi
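Review bot: `reset_plist` runs `defaults delete` on the whole `org.{baseline_name}.audit.plist` domain, so it removes more than the "previous findings" its comment describes — `lastComplianceCheck` and any `exempt`/`exempt_reason` values an administrator stored locally rather than via Managed Preferences go with it, without confirmation, and `defaults delete` prints an error when the domain is absent. Either state that in the comment (`# deletes the entire local audit domain, including local exemptions and lastComplianceCheck; Managed Preferences and the log file are untouched`) or delete only the per-rule `finding` keys. The path is already available as `$audit_plist`, so `defaults delete "$audit_plist" 2>/dev/null` keeps the two in sync if the location ever changes. The audit log at `$audit_log` is not cleared, which is the right call for preserving a record of prior results.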
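Review bot: `if [[ $reset ]]; then reset_plist; fi` runs before the mode dispatch, so `--reset` combined with `--stats`, `--compliant` or `--non_compliant` deletes the plist those modes are about to read, and the stats path then works from empty counts. Reject that combination up front: `if [[ $reset ]] && { [[ $stats ]] || [[ $compliant ]] || [[ $non_compliant ]]; }; then echo "--reset cannot be combined with --stats/--compliant/--non_compliant" >&2; exit 1; fi`. What `--reset` alone does afterwards depends on the `else` branch of the dispatch, which lies outside this hunk, and the usage/help text that would need the new flag is not visible here either.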