usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 14:03:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

Rule: os_password_hint_remove reports wrong for Guest account in the as-is audit script #124

New Issue
Closed
opened 2026-01-19 18:29:19 +00:00 by michael · 4 comments
michael commented 2026-01-19 18:29:19 +00:00
Owner
Copy Link

Originally created by @mikaellofgren on GitHub.

Summary

This code reports a finding for the Guest account even if no hint is provided
result_value=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/xargs)

Steps to reproduce

Run the command:
/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/xargs
and it outputs 1 even if no other accounts has a hint

It can be verified with reading hints directly on the users
Guest:
dscl . -read /Users/Guest hint
Outputs: dsAttrTypeNative:hint:

Try another account with no hint outputs
dscl . -read /Users/someother.account hint
Outputs: No such key: hint

Operating System version

macOS 14.2.1

Intel or Apple Silicon

Intel and Silicon

What is the current bug behavior?

It outputs a finding 1 instead of 0

What is the expected correct behavior?

It should report 0 as in no finding

Relevant logs and/or screenshots

Output of checks

Possible fixes

Adding this check and report result value 0 if HINT is empty seems to work

HINT=$(dscl . -list /Users hint | awk '{ print $2 }')

if [ -z "$HINT" ]; then
	result_value=0
fi

in the code for rule
#####----- Rule: os_password_hint_remove -----#####

Originally created by @mikaellofgren on GitHub. ### Summary This code reports a finding for the Guest account even if no hint is provided `result_value=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/xargs)` ### Steps to reproduce Run the command: `/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/xargs` and it outputs 1 even if no other accounts has a hint It can be verified with reading hints directly on the users Guest: `dscl . -read /Users/Guest hint` Outputs: `dsAttrTypeNative:hint:` Try another account with no hint outputs `dscl . -read /Users/someother.account hint` Outputs: `No such key: hint` ### Operating System version macOS 14.2.1 ### Intel or Apple Silicon Intel and Silicon ### What is the current *bug* behavior? It outputs a finding 1 instead of 0 ### What is the expected *correct* behavior? It should report 0 as in no finding ### Relevant logs and/or screenshots - ### Output of checks - ### Possible fixes Adding this check and report result value 0 if HINT is empty seems to work ``` HINT=$(dscl . -list /Users hint | awk '{ print $2 }') if [ -z "$HINT" ]; then result_value=0 fi ``` in the code for rule #####----- Rule: os_password_hint_remove -----#####
michael commented 2026-01-19 18:29:19 +00:00
Author
Owner
Copy Link

@brodjieski commented on GitHub:

Mikael - thank you for submitting the feedback. I went ahead and built your suggestions into the rule. When you get a moment, would you be able to verify that this works in your setup? The branch with the change is dev_sonoma_issue343.

@brodjieski commented on GitHub: Mikael - thank you for submitting the feedback. I went ahead and built your suggestions into the rule. When you get a moment, would you be able to verify that this works in your setup? The branch with the change is dev_sonoma_issue343.
michael commented 2026-01-19 18:29:19 +00:00
Author
Owner
Copy Link

@brodjieski commented on GitHub:

Because the way the check is written to use nested command substitutions, it sets result_value to the output of the echo call that meets the condition. It then later compares result_value to the expected value. This is the result of how the compliance script is built. When you tested, did you build out a compliance script from the generate_guidance.py? or did you just pull the code out and try to test it one-off? If you want to test it one-off, you can try this snippet:


result_value=$(HINT=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ print $2 }')

if [ -z "$HINT" ]; then
  echo "PASS"
else
  echo "FAIL"
fi
)

echo $result_value
@brodjieski commented on GitHub: Because the way the check is written to use nested command substitutions, it sets `result_value` to the output of the `echo` call that meets the condition. It then later compares `result_value` to the expected value. This is the result of how the compliance script is built. When you tested, did you build out a compliance script from the `generate_guidance.py`? or did you just pull the code out and try to test it one-off? If you want to test it one-off, you can try this snippet: ```#!/bin/zsh result_value=$(HINT=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ print $2 }') if [ -z "$HINT" ]; then echo "PASS" else echo "FAIL" fi ) echo $result_value ```
michael commented 2026-01-19 18:29:19 +00:00
Author
Owner
Copy Link

@mikaellofgren commented on GitHub:

Thanks that was quick!
When looking quickly and testing this block
it looks like you added variable HINT into variable result_value and that seems not to work in my quick testing

result_value=$(HINT=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ print $2 }')

if [ -z "$HINT" ]; then
  echo "PASS"
else
  echo "FAIL"
fi

So my two suggestions in this either
you keep the HINT variable only and then set result_value depending if fail or not

HINT=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ print $2 }')

if [ -z "$HINT" ]; then
  result_value="PASS"
else
  result_value="FAIL"
fi

or you use result_value all the way like this

result_value=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ print $2 }')
 
if [ -z "$result_value" ]; then
   result_value="PASS"
 else
   result_value="FAIL"
 fi

That should do it I hope...

@mikaellofgren commented on GitHub: Thanks that was quick! When looking quickly and testing this block it looks like you added variable HINT into variable result_value and that seems not to work in my quick testing ``` result_value=$(HINT=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ print $2 }') if [ -z "$HINT" ]; then echo "PASS" else echo "FAIL" fi ``` So my two suggestions in this either you keep the HINT variable only and then set result_value depending if fail or not ``` HINT=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ print $2 }') if [ -z "$HINT" ]; then result_value="PASS" else result_value="FAIL" fi ``` or you use result_value all the way like this ``` result_value=$(/usr/bin/dscl . -list /Users hint | /usr/bin/awk '{ print $2 }') if [ -z "$result_value" ]; then result_value="PASS" else result_value="FAIL" fi ``` That should do it I hope...
michael commented 2026-01-19 18:29:19 +00:00
Author
Owner
Copy Link

@mikaellofgren commented on GitHub:

Ahh pulled out the code, but this one seems to work. Thanks!

@mikaellofgren commented on GitHub: Ahh pulled out the code, but this one seems to work. Thanks!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
michael
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: usnistgov/macos_security#124
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?