resync with monterey

2026-03-17 22:32:09 +00:00 · 2022-05-24 16:10:38 -04:00
parent 0eef896e4c 0afcf54827
commit d196e491cb
15 changed files with 67 additions and 25 deletions
--- a/2
+++ b/2
@@ -1,5 +1,5 @@
 source 'https://rubygems.org'

 gem 'asciidoctor'
-gem 'asciidoctor-pdf'
+gem 'asciidoctor-pdf', "1.6.2"
 gem 'rouge'
--- a/rules/os/os_blank_bluray_disable.yaml
+++ b/rules/os/os_blank_bluray_disable.yaml
@@ -18,7 +18,7 @@ check: |
  .objectForKey('mount-controls'))["blankbd"]
  EOS
 result:
-  string: "deny,eject"
+  string: "deny"
 fix: |
  This is implemented by a Configuration Profile.
 references:
--- a/rules/os/os_blank_cd_disable.yaml
+++ b/rules/os/os_blank_cd_disable.yaml
@@ -18,7 +18,7 @@ check: |
  .objectForKey('mount-controls'))["blankcd"]
  EOS
 result:
-  string: "deny,eject"
+  string: "deny"
 fix: |
  This is implemented by a Configuration Profile.
 references:
--- a/rules/os/os_blank_dvd_disable.yaml
+++ b/rules/os/os_blank_dvd_disable.yaml
@@ -18,7 +18,7 @@ check: |
  .objectForKey('mount-controls'))["blankdvd"]
  EOS
 result:
-  string: "deny,eject"
+  string: "deny"
 fix: |
  This is implemented by a Configuration Profile.
 references:
--- a/rules/os/os_burn_support_disable.yaml
+++ b/rules/os/os_burn_support_disable.yaml
@@ -8,7 +8,7 @@ discussion:
  Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
  ====
 check: |
-  /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(ProhibitBurn = 0|BurnSupport = "off")'
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(BurnSupport = off;|ProhibitBurn = 1;)'
 result:
  integer: 2
 fix: |
--- a/rules/os/os_disk_image_disable.yaml
+++ b/rules/os/os_disk_image_disable.yaml
@@ -18,7 +18,7 @@ check: |
  .objectForKey('mount-controls'))["disk-image"]
  EOS
 result:
-  string: "deny,eject"
+  string: "deny"
 fix: |
  This is implemented by a Configuration Profile.
 references:
--- a/rules/os/os_dvdram_disable.yaml
+++ b/rules/os/os_dvdram_disable.yaml
@@ -18,7 +18,7 @@ check: |
  .objectForKey('mount-controls'))["dvdram"]
  EOS
 result:
-  string: "deny,eject"
+  string: "deny"
 fix: |
  This is implemented by a Configuration Profile.
 references:
--- a/rules/os/os_removable_media_disable.yaml
+++ b/rules/os/os_removable_media_disable.yaml
@@ -20,7 +20,7 @@ check: |
  .objectForKey('mount-controls'))["harddisk-external"]
  EOS
 result:
-  string: "deny,eject"
+  string: "deny"
 fix: |
  This is implemented by a Configuration Profile.
 references:
--- a/rules/os/os_ssh_server_alive_count_max_configure.yaml
+++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml
@@ -5,13 +5,27 @@ discussion: |

  NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
 check: |
-  /usr/bin/awk '/^ServerAliveCountMax/{print $2}' /etc/ssh/ssh_config
+  ret="pass"
+  for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
+    sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveralivecountmax 0")
+    if [[ "$sshCheck" == "0" ]]; then
+      ret="fail"
+      break
+    fi
+  done
+  /bin/echo $ret
 result:
-  integer: $ODV
+  string: pass
 fix: |
  [source,bash]
  ----
-  /usr/bin/grep -q '^ServerAliveCountMax' /etc/ssh/ssh_config && /usr/bin/sed -i.bak  's/.*ServerAliveCountMax.*/ServerAliveCountMax $ODV/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveCountMax $ODV' >> /etc/ssh/ssh_config
+  for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do 
+    config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
+    configarray=( ${(f)config} )
+    for c in $configarray; do
+      /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveCountMax' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' "$c" || /bin/echo 'ServerAliveCountMax 0' >> "$c"
+    done
+  done
  ----
 references:
  cce:
--- a/rules/os/os_ssh_server_alive_interval_configure.yaml
+++ b/rules/os/os_ssh_server_alive_interval_configure.yaml
@@ -7,13 +7,27 @@ discussion: |

  NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
 check: |
-  /usr/bin/awk '/^ServerAliveInterval/{print $2}' /etc/ssh/ssh_config
+  ret="pass"
+  for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
+    sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveraliveinterval 900")
+    if [[ "$sshCheck" == "0" ]]; then
+      ret="fail"
+      break
+    fi
+  done
+  /bin/echo $ret
 result:
-  integer: $ODV
+  string: pass
 fix: |
  [source,bash]
  ----
-  /usr/bin/grep -q '^ServerAliveInterval' /etc/ssh/ssh_config && /usr/bin/sed -i.bak  's/.*ServerAliveInterval.*/ServerAliveInterval $ODV/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveInterval $ODV' >> /etc/ssh/ssh_config
+  for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do 
+    config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
+    configarray=( ${(f)config} )
+    for c in $configarray; do
+      /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveInterval' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' "$c" || /bin/echo 'ServerAliveInterval 900' >> "$c"
+    done
+  done
  ----
 references:
  cce:
--- a/rules/os/os_sudo_timeout_configure.yaml
+++ b/rules/os/os_sudo_timeout_configure.yaml
@@ -3,7 +3,7 @@ title: "Configure Sudo Timeout Period to $ODV"
 discussion: |
  The file /etc/sudoers _MUST_ include a timestamp_timout of $ODV.
 check: |
-  /usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E "^Defaults\s+timestamp_timeout=$ODV" '{}' \; | /usr/bin/wc -l | /usr/bin/xargs
+  /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Authentication timestamp timeout: 0.0 minutes"
 result:
  integer: 1
 fix: |
--- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
@@ -6,11 +6,18 @@ discussion: |
  An unattended system with an excessive grace period is vulnerable to a malicious user. 
 check: |
  /usr/bin/osascript -l JavaScript << EOS
-  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
-  .objectForKey('askForPasswordDelay').js
+  function run() {
+    let delay = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+  .objectForKey('askForPasswordDelay'))
+    if ( delay <= 5 ) {
+      return("true")
+    } else {
+      return("false")
+    }
+  }
  EOS
 result:
-  integer: $ODV
+  string: "true"
 fix: |
  This is implemented by a Configuration Profile.
 references:
--- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
@@ -6,11 +6,18 @@ discussion: |
  This rule ensures that a full session lock is triggered within no more than $ODV seconds of inactivity.
 check: |
  /usr/bin/osascript -l JavaScript << EOS
-  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
-  .objectForKey('idleTime').js
+  function run() {
+    let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+  .objectForKey('idleTime'))
+    if ( timeout <= 1200 ) {
+      return("true")
+    } else {
+      return("false")
+    }
+  }
  EOS
 result:
-  integer: $ODV
+  string: "true"
 fix: |
  This is implemented by a Configuration Profile.
 references:
--- a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml
+++ b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml
@@ -5,7 +5,7 @@ discussion: |

  Disabling the system preference pane prevents the users from configuring Siri. 
 check: |
-  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' 
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preference.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' 
 result:
  integer: 1
 fix: |
@@ -37,4 +37,4 @@ mobileconfig: true
 mobileconfig_info:
  com.apple.systempreferences:
    DisabledPreferencePanes: 
-      - com.apple.preferences.speech
+      - com.apple.preference.speech
--- a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml
+++ b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml
@@ -5,7 +5,7 @@ discussion: |

  HIding the system preference pane prevents the users from configuring Siri. 
 check: |
-  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' 
+  /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preference.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}' 
 result:
  integer: 1
 fix: |
@@ -37,4 +37,4 @@ mobileconfig: true
 mobileconfig_info:
  com.apple.systempreferences:
    HiddenPreferencePanes: 
-      - com.apple.preferences.speech
+      - com.apple.preference.speech