Merge pull request #569 from brodjieski/tahoe

Tahoe spell check
2026-02-03 14:03:24 +00:00 · 2025-11-14 10:50:23 -05:00
parent 8f53e62cb1 8e18c9e61e
commit e5819f5858
8 changed files with 56 additions and 16 deletions
--- a/.github/workflows/spellcheck.yml
+++ b/.github/workflows/spellcheck.yml
@@ -0,0 +1,38 @@
+name: Spell Check
+
+on:
+  push:
+    branches-ignore:
+      - main
+  pull_request:
+    branches-ignore:
+      - main
+
+jobs:
+  spellcheck:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checkout the branch that triggered the workflow
+      - name: Checkout branch
+        uses: actions/checkout@v3
+
+      # Pull latest cspell files from main to keep them in sync
+      - name: Pull cspell config and dictionary from main
+        run: |
+          git fetch origin main
+          git checkout origin/main -- .github/cspell/
+
+      # Setup Node 20+ for cspell
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: '20'
+
+      # Install cspell globally
+      - name: Install cspell
+        run: npm install -g cspell@latest
+
+      # Run spell check
+      - name: Run cspell
+        run: npx cspell --no-progress --no-summary --config .github/cspell/cspell.json "**"
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ Civilian agencies are to use the National Checklist Program as required by [NIST
 |John Mahlman IV|Leidos
 |Aaron Kegerreis|DISA
 |Henry Stamerjohann|Declarative IT GmbH
-|Marco A Piñeryo II|State Department
+|Marco A Piñeyro II|State Department
 |Jason Blake|NIST
 |Blair Heiserman|NIST
 |Joshua Glemza|NASA
--- a/rules/os/os_external_storage_access_defined.yaml
+++ b/rules/os/os_external_storage_access_defined.yaml
@@ -3,7 +3,7 @@ title: Access to External Storage Must Be Defined
 discussion: |-
  Access to external storage _MUST_ be managed. 
  
-  NOTE: Apple's built in method using declative device management method only allows you to set external storage manament to Allowed, ReadOnly, and Disallowed.
+  NOTE: Apple's built in method using declarative device management method only allows you to set external storage management to Allowed, ReadOnly, and Disallowed.
 check: |
  /usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq --raw-output '.Restrictions.ExternalStorage'
 result:
--- a/rules/os/os_network_storage_restriction.yaml
+++ b/rules/os/os_network_storage_restriction.yaml
@@ -3,7 +3,7 @@ title: Network Storage Must Be Restricted
 discussion: |-
  Network Storage _MUST_ be restricted. 
  
-  NOTE: Apple's built in method using declative device management method only allows you to set network storage manament to Allowed, ReadOnly, and Disallowed.
+  NOTE: Apple's built in method using declarative device management method only allows you to set network storage management to Allowed, ReadOnly, and Disallowed.
 check: |
  /usr/bin/plutil -convert json /var/db/ManagedConfigurationFiles/DiskManagement/DiskManagement_Settings.plist -o - | /usr/bin/jq --raw-output '.Restrictions.NetworkStorage'
 result:
--- a/rules/os/os_photos_enhanced_search_disable.yaml
+++ b/rules/os/os_photos_enhanced_search_disable.yaml
@@ -1,7 +1,7 @@
 id: os_photos_enhanced_search_disable
 title: Disable Photos Enhanced Visual Search
 discussion: |-
-  Enhanced Visualed Search _MUST_ be disabled in the Photos app.
+  Enhanced Visual Search _MUST_ be disabled in the Photos app.
  
  The information system _MUST_ be configured to provide only essential capabilities. Disabling Enhanced Visual Search will mitigate the risk of unwanted data being sent to Apple.
 check: |
--- a/rules/os/os_safari_clear_history_disable.yaml
+++ b/rules/os/os_safari_clear_history_disable.yaml
@@ -1,5 +1,5 @@
 id: os_safari_clear_history_disable
-title: Ensure Clearning of Browsing History in Safari Is Disabled
+title: Ensure Clearing of Browsing History in Safari Is Disabled
 discussion: |
  Clearing of browser history _MUST_ be disabled in Safari.
 check: |
@@ -36,4 +36,4 @@ tags:
 mobileconfig: true
 mobileconfig_info:
  com.apple.applicationaccess:
-    allowSafariHistoryClearing: false
+    allowSafariHistoryClearing: false
--- a/rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml
+++ b/rules/os/os_sleep_and_display_sleep_apple_silicon_enable.yaml
@@ -4,15 +4,17 @@ discussion: |
  Apple Silicon MacBooks should set sleep timeout to 15 minutes (900 seconds) or less and the display sleep timeout should be 10 minutes (600 seconds) or less but less than the sleep setting.
 check: |
  error_count=0
-  if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
-    sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
-    displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')
-
-    if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 15 ]]; then
-      ((error_count++))
-    fi
-    if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 10 ]] || [[ "$displaysleepMode" -gt "$sleepMode" ]]; then
-      ((error_count++))
+  if /usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep -q "MacBook"; then
+    cpuType=$(/usr/sbin/sysctl -n machdep.cpu.brand_string)
+    if echo "$cpuType" | grep -q "Apple"; then
+      sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
+      displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')
+      if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 15 ]]; then
+        ((error_count++))
+      fi
+      if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 10 ]] || [[ "$displaysleepMode" -gt "$sleepMode" ]]; then
+        ((error_count++))
+      fi
    fi
  fi
  echo "$error_count"
--- a/rules/supplemental/supplemental_firewall_pf.yaml
+++ b/rules/supplemental/supplemental_firewall_pf.yaml
@@ -13,7 +13,7 @@ discussion: |
    *  The PF firewall can manipulate virtually any packet data and is highly configurable.
    ** More information on the BF firewall can be found here: https://www.openbsd.org/faq/pf/index.html

-  Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to "detailed", set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plis` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system's pf ruleset.
+  Below is a script that configures ALF and the PF firewall to meet the requirements defined in NIST SP 800-53 (Rev. 5). The script will make sure the application layer firewall is enabled, set logging to "detailed", set built-in signed applications to automatically receive incoming connections, and set downloaded signed applications to automatically receive incoming connections. It will then create a custom rule set and copy `com.apple.pfctl.plist` from `/System/Library/LaunchDaemons/` into the `/Library/LaunchDaemons` folder and name it `800-53.pfctl.plist`. This is done to not conflict with the system's pf ruleset.

  The custom pf rules are created at `/etc/pf.anchors/800_53_pf_anchors`.