From 2abe82b10a442c4dd3c10d1d1aee296323cc7f37 Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Tue, 13 Sep 2022 13:35:47 -0400
Subject: [PATCH 1/2] refactor[rules]: Launchctl refactor for Ventura
Ventura changes how launchctl status is reported
Issue #167
---
rules/os/os_httpd_disable.yaml | 2 +-
rules/os/os_nfsd_disable.yaml | 2 +-
rules/os/os_tftpd_disable.yaml | 2 +-
rules/os/os_uucp_disable.yaml | 2 +-
rules/system_settings/system_settings_rae_disable.yaml | 2 +-
.../system_settings/system_settings_screen_sharing_disable.yaml | 2 +-
rules/system_settings/system_settings_smbd_disable.yaml | 2 +-
rules/system_settings/system_settings_ssh_disable.yaml | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rules/os/os_httpd_disable.yaml b/rules/os/os_httpd_disable.yaml
index 72f0bd73..34a5b900 100644
--- a/rules/os/os_httpd_disable.yaml
+++ b/rules/os/os_httpd_disable.yaml
@@ -5,7 +5,7 @@ discussion: |
 NOTE: The built in web server service is disabled at startup by default macOS.
 check: |
- /bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => true'
+ /bin/launchctl print-disabled system | /usr/bin/grep -c '"org.apache.httpd" => disabled'
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_nfsd_disable.yaml b/rules/os/os_nfsd_disable.yaml
index ebc21796..2a079d7e 100644
--- a/rules/os/os_nfsd_disable.yaml
+++ b/rules/os/os_nfsd_disable.yaml
@@ -3,7 +3,7 @@ title: "Disable Network File System Service"
 discussion: |
 Support for Network File Systems (NFS) services is non-essential and, therefore, _MUST_ be disabled.
 check: |
- /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.nfsd" => true'
+ /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.nfsd" => disabled'
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_tftpd_disable.yaml b/rules/os/os_tftpd_disable.yaml
index 5bfac844..bfff38b8 100644
--- a/rules/os/os_tftpd_disable.yaml
+++ b/rules/os/os_tftpd_disable.yaml
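Review bot: The new grep pattern in the `check` block matches only the `=> disabled` wording, so on any release that still prints `=> true` (the form the removed line matched) the count is 0 and the rule is reported as failing even when httpd really is disabled. That is a false finding rather than a missed exposure, but if this branch is meant to run on anything other than macOS 13 the check should accept both wordings, e.g. `/bin/launchctl print-disabled system | /usr/bin/grep -cE '"org.apache.httpd" => (true|disabled)'`. The companion generate_scap change in the second patch already accepts both wordings, which suggests both are expected to occur. The same one-form pattern is introduced in the os_nfsd_disable, os_tftpd_disable, os_uucp_disable, system_settings_rae_disable, system_settings_screen_sharing_disable, system_settings_smbd_disable and system_settings_ssh_disable hunks.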
@@ -7,7 +7,7 @@ discussion: |
 NOTE: TFTP service is disabled at startup by default macOS.
 check: |
- /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.tftpd" => true'
+ /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.tftpd" => disabled'
 result:
 integer: 1
 fix: |
diff --git a/rules/os/os_uucp_disable.yaml b/rules/os/os_uucp_disable.yaml
index 420c626d..38214197 100644
--- a/rules/os/os_uucp_disable.yaml
+++ b/rules/os/os_uucp_disable.yaml
@@ -7,7 +7,7 @@ discussion: |
 NOTE: UUCP service is disabled at startup by default macOS.
 check: |
- /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.uucp" => true'
+ /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.uucp" => disabled'
 result:
 integer: 1
 fix: |
diff --git a/rules/system_settings/system_settings_rae_disable.yaml b/rules/system_settings/system_settings_rae_disable.yaml
index fa7fbf10..47c6696c 100644
--- a/rules/system_settings/system_settings_rae_disable.yaml
+++ b/rules/system_settings/system_settings_rae_disable.yaml
@@ -5,7 +5,7 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities. Disabling Remote Apple Events helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling.
 check: |
- /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.AEServer" => true'
+ /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.AEServer" => disabled'
 result:
 integer: 1
 fix: |
diff --git a/rules/system_settings/system_settings_screen_sharing_disable.yaml b/rules/system_settings/system_settings_screen_sharing_disable.yaml
index 1a7d8cad..20830271 100644
--- a/rules/system_settings/system_settings_screen_sharing_disable.yaml
+++ b/rules/system_settings/system_settings_screen_sharing_disable.yaml
@@ -5,7 +5,7 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities. Disabling screen sharing and ARD helps prevent the unauthorized connection of devices, the unauthorized transfer of information, and unauthorized tunneling.
 check: |
- /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.screensharing" => true'
+ /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.screensharing" => disabled'
 result:
 integer: 1
 fix: |
diff --git a/rules/system_settings/system_settings_smbd_disable.yaml b/rules/system_settings/system_settings_smbd_disable.yaml
index b22f2d69..1eb39809 100644
--- a/rules/system_settings/system_settings_smbd_disable.yaml
+++ b/rules/system_settings/system_settings_smbd_disable.yaml
@@ -5,7 +5,7 @@ discussion: |
 The information system _MUST_ be configured to provide only essential capabilities.
 check: |
- /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.smbd" => true'
+ /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.smbd" => disabled'
 result:
 integer: 1
 fix: |
diff --git a/rules/system_settings/system_settings_ssh_disable.yaml b/rules/system_settings/system_settings_ssh_disable.yaml
index 0f66bf32..884c353f 100644
--- a/rules/system_settings/system_settings_ssh_disable.yaml
+++ b/rules/system_settings/system_settings_ssh_disable.yaml
@@ -5,7 +5,7 @@ discussion: |
 Remote access sessions _MUST_ use FIPS validated encrypted methods to protect unauthorized individuals from gaining access.
 check: |
- /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => true'
+ /bin/launchctl print-disabled system | /usr/bin/grep -c '"com.openssh.sshd" => disabled'
 result:
 integer: 1
 fix: |
From b219680537cee70597b111f27144ac7a6da5cc06 Mon Sep 17 00:00:00 2001
From: Bob Gendler
Date: Tue, 13 Sep 2022 14:51:32 -0400
Subject: [PATCH 2/2] refactor[script]:Update to generate_scap for 13.0
Added a condition for ventura launchctl disable checks
Related to Issue #167
---
scripts/generate_scap.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/generate_scap.py b/scripts/generate_scap.py
index 56ec8584..cb4570c5 100755
--- a/scripts/generate_scap.py
+++ b/scripts/generate_scap.py
@@ -2568,7 +2568,7 @@ def generate_scap(all_rules, all_baselines, args):
 continue
 if "launchctl" in command[2] or "launchctl" in rule_yaml['fix']:
- if "disable" in command[2] and "=> true" in rule_yaml['check'] or "unload -w" in rule_yaml['fix']:
+ if "disable" in command[2] and "=> true" in rule_yaml['check'] or "unload -w" in rule_yaml['fix'] or "disable" in command[2] and "=> disabled" in rule_yaml['check']:
 oval_definition = oval_definition + '''