diff --git a/Gemfile b/Gemfile
index 88d00740..6afcd5aa 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,5 +1,5 @@
 source 'https://rubygems.org'
 gem 'asciidoctor'
-gem 'asciidoctor-pdf'
+gem 'asciidoctor-pdf', "1.6.2"
 gem 'rouge'
diff --git a/rules/os/os_blank_bluray_disable.yaml b/rules/os/os_blank_bluray_disable.yaml
index ad2a56c3..48d4a5f3 100644
--- a/rules/os/os_blank_bluray_disable.yaml
+++ b/rules/os/os_blank_bluray_disable.yaml
@@ -18,7 +18,7 @@ check: |
 .objectForKey('mount-controls'))["blankbd"]
 EOS
 result:
- string: "deny,eject"
+ string: "deny"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_blank_cd_disable.yaml b/rules/os/os_blank_cd_disable.yaml
index 0033dd5f..7018d474 100644
--- a/rules/os/os_blank_cd_disable.yaml
+++ b/rules/os/os_blank_cd_disable.yaml
@@ -18,7 +18,7 @@ check: |
 .objectForKey('mount-controls'))["blankcd"]
 EOS
 result:
- string: "deny,eject"
+ string: "deny"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_blank_dvd_disable.yaml b/rules/os/os_blank_dvd_disable.yaml
index 0ab72723..cbd4a42d 100644
--- a/rules/os/os_blank_dvd_disable.yaml
+++ b/rules/os/os_blank_dvd_disable.yaml
@@ -18,7 +18,7 @@ check: |
 .objectForKey('mount-controls'))["blankdvd"]
 EOS
 result:
- string: "deny,eject"
+ string: "deny"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_burn_support_disable.yaml b/rules/os/os_burn_support_disable.yaml
index 529218e6..8c4f1aa0 100644
--- a/rules/os/os_burn_support_disable.yaml
+++ b/rules/os/os_burn_support_disable.yaml
@@ -8,7 +8,7 @@ discussion:
 Some organizations rely on the use of removable media for storing and sharing data. Information System Security Officers (ISSOs) may make the risk-based decision not to disable external hard drives to avoid losing this functionality, but they are advised to first fully weigh the potential risks posed to their organization.
 ====
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(ProhibitBurn = 0|BurnSupport = "off")'
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -Ec '(BurnSupport = off;|ProhibitBurn = 1;)'
 result:
 integer: 2
 fix: |
diff --git a/rules/os/os_disk_image_disable.yaml b/rules/os/os_disk_image_disable.yaml
index 16ee6177..b9c2f737 100644
--- a/rules/os/os_disk_image_disable.yaml
+++ b/rules/os/os_disk_image_disable.yaml
@@ -18,7 +18,7 @@ check: |
 .objectForKey('mount-controls'))["disk-image"]
 EOS
 result:
- string: "deny,eject"
+ string: "deny"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_dvdram_disable.yaml b/rules/os/os_dvdram_disable.yaml
index c1eb08a8..da8f0efb 100644
--- a/rules/os/os_dvdram_disable.yaml
+++ b/rules/os/os_dvdram_disable.yaml
@@ -18,7 +18,7 @@ check: |
 .objectForKey('mount-controls'))["dvdram"]
 EOS
 result:
- string: "deny,eject"
+ string: "deny"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_removable_media_disable.yaml b/rules/os/os_removable_media_disable.yaml
index ac91ee8a..0395dd24 100644
--- a/rules/os/os_removable_media_disable.yaml
+++ b/rules/os/os_removable_media_disable.yaml
@@ -20,7 +20,7 @@ check: |
 .objectForKey('mount-controls'))["harddisk-external"]
 EOS
 result:
- string: "deny,eject"
+ string: "deny"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/os/os_ssh_server_alive_count_max_configure.yaml b/rules/os/os_ssh_server_alive_count_max_configure.yaml
index 10c85df2..c68b5654 100644
--- a/rules/os/os_ssh_server_alive_count_max_configure.yaml
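Review bot: The new check in os_burn_support_disable.yaml still requires the `grep -Ec` line count to be exactly `2`, so a second installed profile that also carries `BurnSupport` or `ProhibitBurn` raises the count to 3 or 4 and the rule reports a failure even though the setting is enforced. The Siri pref-pane rules touched in this same commit already use the tolerant form, `| /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}'` with `result: integer: 1`; using it here would make the check depend only on both keys being present. The rest of the rule (fix block, mobileconfig payload) lies outside this hunk.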
+++ b/rules/os/os_ssh_server_alive_count_max_configure.yaml
@@ -5,13 +5,27 @@ discussion: |
 NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
 check: |
- /usr/bin/awk '/^ServerAliveCountMax/{print $2}' /etc/ssh/ssh_config
+ ret="pass"
+ for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
+ sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveralivecountmax 0")
+ if [[ "$sshCheck" == "0" ]]; then
+ ret="fail"
+ break
+ fi
+ done
+ /bin/echo $ret
 result:
- integer: $ODV
+ string: pass
 fix: |
 [source,bash]
 ----
- /usr/bin/grep -q '^ServerAliveCountMax' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*ServerAliveCountMax.*/ServerAliveCountMax $ODV/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveCountMax $ODV' >> /etc/ssh/ssh_config
+ for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
+ config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
+ configarray=( ${(f)config} )
+ for c in $configarray; do
+ /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveCountMax' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveCountMax.*/ServerAliveCountMax 0/' "$c" || /bin/echo 'ServerAliveCountMax 0' >> "$c"
+ done
+ done
 ----
 references:
 cce:
diff --git a/rules/os/os_ssh_server_alive_interval_configure.yaml b/rules/os/os_ssh_server_alive_interval_configure.yaml
index fd02610e..36880e10 100644
--- a/rules/os/os_ssh_server_alive_interval_configure.yaml
+++ b/rules/os/os_ssh_server_alive_interval_configure.yaml
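Review bot: `configarray=( ${(f)config} )` in the new fix block of os_ssh_server_alive_count_max_configure.yaml uses zsh's `(f)` expansion flag, but the block is labelled `[source,bash]`; bash rejects that as a bad substitution, so under the advertised shell the inner loop never runs and nothing is remediated. Either relabel the block `[source,zsh]` or iterate in a shell-neutral way, e.g. `while IFS= read -r c; do …; done <<< "$config"`; the identical loop in os_ssh_server_alive_interval_configure.yaml has the same problem. The `grep -q` runs as `$u` but the `sed -i ''` and the `>>` append run as the invoking user, so a per-user config rewritten in place may come back owned by that user rather than `$u` — worth confirming against BSD sed's in-place behaviour. `$u` is also unquoted in every `sudo -u $u` call; `"$u"` costs nothing. Finally, check and fix now hard-code `0` where the removed lines used `$ODV`, so any `$ODV` reference elsewhere in the rule (outside this hunk) no longer describes what is tested.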
@@ -7,13 +7,27 @@ discussion: |
 NOTE: /etc/ssh/ssh_config will be automatically modified to its original state following any update or major upgrade to the operating system.
 check: |
- /usr/bin/awk '/^ServerAliveInterval/{print $2}' /etc/ssh/ssh_config
+ ret="pass"
+ for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
+ sshCheck=$(/usr/bin/sudo -u $u /usr/bin/ssh -G . | /usr/bin/grep -c "^serveraliveinterval 900")
+ if [[ "$sshCheck" == "0" ]]; then
+ ret="fail"
+ break
+ fi
+ done
+ /bin/echo $ret
 result:
- integer: $ODV
+ string: pass
 fix: |
 [source,bash]
 ----
- /usr/bin/grep -q '^ServerAliveInterval' /etc/ssh/ssh_config && /usr/bin/sed -i.bak 's/.*ServerAliveInterval.*/ServerAliveInterval $ODV/' /etc/ssh/ssh_config || /bin/echo 'ServerAliveInterval $ODV' >> /etc/ssh/ssh_config
+ for u in $(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 > 500 {print $1}'); do
+ config=$(/usr/bin/sudo -u $u /usr/bin/ssh -Gv . 2>&1 | /usr/bin/awk '/Reading configuration data/ {print $NF}'| /usr/bin/tr -d '\r')
+ configarray=( ${(f)config} )
+ for c in $configarray; do
+ /usr/bin/sudo -u $u /usr/bin/grep -q '^ServerAliveInterval' "$c" && /usr/bin/sed -i '' 's/.*ServerAliveInterval.*/ServerAliveInterval 900/' "$c" || /bin/echo 'ServerAliveInterval 900' >> "$c"
+ done
+ done
 ----
 references:
 cce:
diff --git a/rules/os/os_sudo_timeout_configure.yaml b/rules/os/os_sudo_timeout_configure.yaml
index f6ea78f1..fd107568 100644
--- a/rules/os/os_sudo_timeout_configure.yaml
+++ b/rules/os/os_sudo_timeout_configure.yaml
@@ -3,7 +3,7 @@ title: "Configure Sudo Timeout Period to $ODV"
 discussion: |
 The file /etc/sudoers _MUST_ include a timestamp_timout of $ODV.
 check: |
- /usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E "^Defaults\s+timestamp_timeout=$ODV" '{}' \; | /usr/bin/wc -l | /usr/bin/xargs
+ /usr/bin/sudo /usr/bin/sudo -V | /usr/bin/grep -c "Authentication timestamp timeout: 0.0 minutes"
 result:
 integer: 1
 fix: |
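Review bot: The new check in os_sudo_timeout_configure.yaml greps `sudo -V` for the literal `0.0 minutes`, yet the title `Configure Sudo Timeout Period to $ODV` and the discussion line in this same hunk still promise an organization-defined value; the `$ODV` substitution the removed `find`/`grep` line relied on is gone, so any ODV other than 0 is silently untested. If 0 is now the only supported value, the title and discussion should say so; otherwise the pattern should be rebuilt from the token, e.g. `"Authentication timestamp timeout: $ODV.0 minutes"` — assuming ODV is always a whole number of minutes and `sudo -V` prints it that way, which should be confirmed. Reading the effective setting from `sudo -V` instead of grepping `/etc/sudoers*` is otherwise an improvement, since it reflects what sudo actually applies rather than what one file says.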
diff --git a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
index bdb26f25..c61a44f0 100644
--- a/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_ask_for_password_delay_enforce.yaml
@@ -6,11 +6,18 @@ discussion: |
 An unattended system with an excessive grace period is vulnerable to a malicious user.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
- .objectForKey('askForPasswordDelay').js
+ function run() {
+ let delay = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+ .objectForKey('askForPasswordDelay'))
+ if ( delay <= 5 ) {
+ return("true")
+ } else {
+ return("false")
+ }
+ }
 EOS
 result:
- integer: $ODV
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
diff --git a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
index 85f64b04..f17cd69d 100644
--- a/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
+++ b/rules/sysprefs/sysprefs_screensaver_timeout_enforce.yaml
@@ -6,11 +6,18 @@ discussion: |
 This rule ensures that a full session lock is triggered within no more than $ODV seconds of inactivity.
 check: |
 /usr/bin/osascript -l JavaScript << EOS
- $.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
- .objectForKey('idleTime').js
+ function run() {
+ let timeout = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.screensaver')\
+ .objectForKey('idleTime'))
+ if ( timeout <= 1200 ) {
+ return("true")
+ } else {
+ return("false")
+ }
+ }
 EOS
 result:
- integer: $ODV
+ string: "true"
 fix: |
 This is implemented by a Configuration Profile.
 references:
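Review bot: The discussion line in the sysprefs_screensaver_timeout_enforce.yaml hunk still reads "within no more than $ODV seconds", but the new JavaScript compares against the literal `1200` and the result moved from `integer: $ODV` to `string: "true"`, so the prose and the test no longer agree; the same decoupling happens with the literal `5` in sysprefs_screensaver_ask_for_password_delay_enforce.yaml. Either keep the token in the comparison, `if ( timeout <= $ODV ) {`, so whatever substituted the removed `integer: $ODV` line (presumably the rule generator) still applies, or drop `$ODV` from the discussion. Separately, when the key is absent `ObjC.unwrap(...)` yields an empty value, and I am not certain a JavaScript `<=` on it evaluates to false rather than coercing to 0 and passing; an explicit guard such as `if ( timeout === undefined || timeout === null ) { return("false") }` before the comparison would make the unset case fail deterministically.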
diff --git a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml
index 8a53aac4..8f57acf1 100644
--- a/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml
+++ b/rules/sysprefs/sysprefs_siri_prefpane_disable.yaml
@@ -5,7 +5,7 @@ discussion: |
 Disabling the system preference pane prevents the users from configuring Siri.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}'
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preference.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}'
 result:
 integer: 1
 fix: |
@@ -37,4 +37,4 @@ mobileconfig: true
 mobileconfig_info:
 com.apple.systempreferences:
 DisabledPreferencePanes:
- - com.apple.preferences.speech
+ - com.apple.preference.speech
diff --git a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml
index 791929ff..c7989af4 100644
--- a/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml
+++ b/rules/sysprefs/sysprefs_siri_prefpane_hide.yaml
@@ -5,7 +5,7 @@ discussion: |
 HIding the system preference pane prevents the users from configuring Siri.
 check: |
- /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preferences.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}'
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'com.apple.preference.speech' | /usr/bin/awk '{ if ($1 >= 2) {print "1"} else {print "0"}}'
 result:
 integer: 1
 fix: |
@@ -37,4 +37,4 @@ mobileconfig: true
 mobileconfig_info:
 com.apple.systempreferences:
 HiddenPreferencePanes:
- - com.apple.preferences.speech
+ - com.apple.preference.speech