os_hibernate_mode_apple_silicon_enable checking is broken #128

New Issue

Closed

opened 2026-01-19 18:29:20 +00:00 by michael · 1 comment

michael commented 2026-01-19 18:29:20 +00:00

Owner

Copy Link

Originally created by @nihil-admirari on GitHub.

Summary

os_hibernate_mode_apple_silicon_enable check doesn't run on MacBook Air M2 13 and even if it were to run it would've tested only “Battery Power” profile, allowing other profiles to be misconfigured. Here is the relevant code:

error_count=0
if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then
  echo check is running # DEBUG ADDED BY ME

  hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}')
  sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}')
  displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}')

  if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 10 ]]; then
    ((error_count++))
  fi
  if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 15 ]] || [[ "$displaysleepMode" -lt "$sleepMode" ]]; then
    ((error_count++))
  fi
  if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then
    ((error_count++))
  fi
else # DEBUG ADDED BY ME
  echo check is not running # DEBUG ADDED BY ME
fi
echo "$error_count"

Steps to reproduce

1. Misconfigure all the profiles by running

   pmset -a sleep 60 displaysleep 3 hibernatemode 3
   

2. Run the above code on a MacBook Air M2 13 (I think other devices are no different, but I have access only to this one.)

Operating System version

macOS 14.2.1

Intel or Apple Silicon

Apple Silicon

What is the current bug behavior?

The check with my debugging additions prints

check is not running
0

The number of errors is 0, despite all profiles having a long sleep, display sleep that is lower than sleep, and hibernate mode that is not 25.

What is the expected correct behavior?

The first line is just for debugging:

check is running
3

Relevant logs and/or screenshots

/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice with everything that looks like a serial numbers removed:

+-o J413AP  <class IOPlatformExpertDevice, id 0x100000222, registered, matched, active, busy 0 (5231 ms), retain 36>
    {
      "IOPolledInterface" = "AppleARMWatchdogTimerHibernateHandler is not serializable"
      "#address-cells" = <02000000>
      "AAPL,phandle" = <01000000>
      "serial-number" = <--redacted-->
      "IOBusyInterest" = "IOCommand is not serializable"
      "target-type" = <"J413">
      "platform-name" = <--redacted-->
      "name" = <"device-tree">
      "region-info" = <--redacted-->
      "manufacturer" = <"Apple Inc.">
      "target-sub-type" = <"J413AP">
      "compatible" = <"J413AP","Mac14,2","AppleARM">
      "config-number" = <--redacted-->
      "IOPlatformSerialNumber" = "--redacted--"
      "regulatory-model-number" = <--redacted-->
      "time-stamp" = <"Tue Nov 14 20:37:20 PST 2023">
      "clock-frequency" = <00366e01>
      "model" = <"Mac14,2">
      "mlb-serial-number" = <--redacted-->
      "model-number" = <--redacted-->
      "device-tree-tag" = <"EmbeddedDeviceTrees-8408.61.1">
      "IOConsoleSecurityInterest" = "IOCommand is not serializable"
      "IONWInterrupts" = "IONWInterrupts"
      "model-config" = <"Amphenol;MoPED=--redacted--">
      "device_type" = <"bootrom">
      "#size-cells" = <02000000>
      "IOPlatformUUID" = "--redacted--"
    }

The output has no MacBook string in it, and thus

/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"

fails.

Possible fixes

CIS “2.9.1.2 Ensure the OS Is Not Active When Resuming from Sleep and Display Sleep (Apple Silicon) (Automated)” uses a different command to find out whether the device is a MacBook or not:

/usr/bin/sudo /usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep -e MacBook

I'm not actually sure why this check is even needed. If the rule is not supposed to apply to desktop Macs, the fix should use pmset -b -c instead of pmset -a.

The following awk script validates the values of all power profiles

/usr/bin/pmset -g custom | awk -v err=0 -v si=0 -v di=0 '
    $1 == "sleep" { sleep[si++] = $2 }
    $1 == "displaysleep" { displaysleep[di++] = $2 }
    $1 == "hibernatemode" && $2 != 25 { ++err }

    END {
        if (si != di) {
            ++err
        } else {
            for (i = 0; i < si; ++i) {
                if (!sleep[i] || !displaysleep[i] \
                    || sleep[i] > 10 \
                    || displaysleep[i] > 15 \
                    || displaysleep[i] < sleep[i])
                {
                    ++err
                }
            }
        }
        print err
}'

Every displaysleep and sleep line gets its own entry in the arrays; entries at the same index are assumed to come from the same power profile.

Also, it looks like sleep and display sleep timers are enforceable with a profile:

<key>com.apple.EnergySaver.desktop.ACPower</key>
<dict>
  <key>Display Sleep Timer</key>
  <integer>15</integer>
  <key>System Sleep Timer</key>
  <integer>10</integer>
</dict>
<key>com.apple.EnergySaver.portable.ACPower</key>
<dict>
  <key>Display Sleep Timer</key>
  <integer>15</integer>
  <key>System Sleep Timer</key>
  <integer>10</integer>
</dict>
<key>com.apple.EnergySaver.portable.BatteryPower</key>
<dict>
  <key>Display Sleep Timer</key>
  <integer>15</integer>
  <key>System Sleep Timer</key>
  <integer>10</integer>
</dict>

Despite CIS “2.9.3 Ensure Wake for Network Access Is Disabled (Automated)” having a note about com.apple.EnergySaver.*:

Note: … This profile will only apply the setting at installation and is not sticky.

in my tests, even though pmset parameters can be changed, they revert to profile values after a restart (including the womp that CIS note is talking about (see system_settings_wake_network_access_disable)).

If the profile approach is adopted, then the awk script should validate only the hibernatemode. Sleep timers can be checked by grepping the output of profiles.

Originally created by @nihil-admirari on GitHub. ### Summary [`os_hibernate_mode_apple_silicon_enable`](https://github.com/usnistgov/macos_security/blob/sonoma/rules/os/os_hibernate_mode_apple_silicon_enable.yaml) check doesn't run on MacBook Air M2 13 and even if it were to run it would've tested only “Battery Power” profile, allowing other profiles to be misconfigured. Here is the relevant code: ```bash error_count=0 if /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook"; then echo check is running # DEBUG ADDED BY ME hibernateMode=$(/usr/bin/pmset -b -g | /usr/bin/grep hibernatemode 2>&1 | /usr/bin/awk '{print $2}') sleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep '^\s*sleep' 2>&1 | /usr/bin/awk '{print $2}') displaysleepMode=$(/usr/bin/pmset -b -g | /usr/bin/grep displaysleep 2>&1 | /usr/bin/awk '{print $2}') if [[ "$sleepMode" == "" ]] || [[ "$sleepMode" -gt 10 ]]; then ((error_count++)) fi if [[ "$displaysleepMode" == "" ]] || [[ "$displaysleepMode" -gt 15 ]] || [[ "$displaysleepMode" -lt "$sleepMode" ]]; then ((error_count++)) fi if [[ "$hibernateMode" == "" ]] || [[ "$hibernateMode" != 25 ]]; then ((error_count++)) fi else # DEBUG ADDED BY ME echo check is not running # DEBUG ADDED BY ME fi echo "$error_count" ``` ### Steps to reproduce 1. Misconfigure all the profiles by running ```sh pmset -a sleep 60 displaysleep 3 hibernatemode 3 ``` 2. Run the above code on a MacBook Air M2 13 (I think other devices are no different, but I have access only to this one.) ### Operating System version macOS 14.2.1 ### Intel or Apple Silicon Apple Silicon ### What is the current *bug* behavior? The check with my debugging additions prints ``` check is not running 0 ``` The number of errors is 0, despite all profiles having a long sleep, display sleep that is lower than sleep, and hibernate mode that is not 25. ### What is the expected *correct* behavior? The first line is just for debugging: ``` check is running 3 ``` ### Relevant logs and/or screenshots `/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice` with everything that looks like a serial numbers removed: ``` +-o J413AP <class IOPlatformExpertDevice, id 0x100000222, registered, matched, active, busy 0 (5231 ms), retain 36> { "IOPolledInterface" = "AppleARMWatchdogTimerHibernateHandler is not serializable" "#address-cells" = <02000000> "AAPL,phandle" = <01000000> "serial-number" = <--redacted--> "IOBusyInterest" = "IOCommand is not serializable" "target-type" = <"J413"> "platform-name" = <--redacted--> "name" = <"device-tree"> "region-info" = <--redacted--> "manufacturer" = <"Apple Inc."> "target-sub-type" = <"J413AP"> "compatible" = <"J413AP","Mac14,2","AppleARM"> "config-number" = <--redacted--> "IOPlatformSerialNumber" = "--redacted--" "regulatory-model-number" = <--redacted--> "time-stamp" = <"Tue Nov 14 20:37:20 PST 2023"> "clock-frequency" = <00366e01> "model" = <"Mac14,2"> "mlb-serial-number" = <--redacted--> "model-number" = <--redacted--> "device-tree-tag" = <"EmbeddedDeviceTrees-8408.61.1"> "IOConsoleSecurityInterest" = "IOCommand is not serializable" "IONWInterrupts" = "IONWInterrupts" "model-config" = <"Amphenol;MoPED=--redacted--"> "device_type" = <"bootrom"> "#size-cells" = <02000000> "IOPlatformUUID" = "--redacted--" } ``` The output has no `MacBook` string in it, and thus ```sh /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice 2>&1 | /usr/bin/grep -q "MacBook" ``` fails. ### Possible fixes CIS “2.9.1.2 Ensure the OS Is Not Active When Resuming from Sleep and Display Sleep (Apple Silicon) (Automated)” uses a different command to find out whether the device is a MacBook or not: ```sh /usr/bin/sudo /usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep -e MacBook ``` I'm not actually sure why this check is even needed. If the rule is not supposed to apply to desktop Macs, the fix should use `pmset -b -c` instead of `pmset -a`. The following awk script validates the values of all power profiles ```sh /usr/bin/pmset -g custom | awk -v err=0 -v si=0 -v di=0 ' $1 == "sleep" { sleep[si++] = $2 } $1 == "displaysleep" { displaysleep[di++] = $2 } $1 == "hibernatemode" && $2 != 25 { ++err } END { if (si != di) { ++err } else { for (i = 0; i < si; ++i) { if (!sleep[i] || !displaysleep[i] \ || sleep[i] > 10 \ || displaysleep[i] > 15 \ || displaysleep[i] < sleep[i]) { ++err } } } print err }' ``` Every `displaysleep` and `sleep` line gets its own entry in the arrays; entries at the same index are assumed to come from the same power profile. Also, it looks like sleep and display sleep timers are enforceable with a profile: ```xml <key>com.apple.EnergySaver.desktop.ACPower</key> <dict> <key>Display Sleep Timer</key> <integer>15</integer> <key>System Sleep Timer</key> <integer>10</integer> </dict> <key>com.apple.EnergySaver.portable.ACPower</key> <dict> <key>Display Sleep Timer</key> <integer>15</integer> <key>System Sleep Timer</key> <integer>10</integer> </dict> <key>com.apple.EnergySaver.portable.BatteryPower</key> <dict> <key>Display Sleep Timer</key> <integer>15</integer> <key>System Sleep Timer</key> <integer>10</integer> </dict> ``` Despite CIS “2.9.3 Ensure Wake for Network Access Is Disabled (Automated)” having a note about `com.apple.EnergySaver.*`: > Note: … This profile will only apply the setting at installation and is not sticky. in my tests, even though `pmset` parameters can be changed, they revert to profile values after a restart (including the `womp` that CIS note is talking about (see `system_settings_wake_network_access_disable`)). If the profile approach is adopted, then the awk script should validate only the `hibernatemode`. Sleep timers can be checked by grepping the output of `profiles`.

michael closed this issue 2026-01-19 18:29:20 +00:00

michael commented 2026-01-19 18:29:20 +00:00

Author

Owner

Copy Link

@robertgendler commented on GitHub:

CIS has updated their benchmarks and removed this for Apple Silicon. Closing the issue.

@robertgendler commented on GitHub: CIS has updated their benchmarks and removed this for Apple Silicon. Closing the issue.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev_2.0_generate_mapping

dev_2.0

sequoia

sonoma

nist-pages

nist-pages-docs

ios_18

ios_26

ios_26_cmmc

dev_2.0_compliance_script

tahoe

visionos_26

dev_ios_26_stig

dev_visionOS_26_stig

dev_tahoe_adjustments

ios_17

dev_sequoia_bio

tahoe_578-typo-in-os_sshd_fips_compliantyaml-fix-code

ventura

ios_16

visionos_2

505-create-python-scp-library

monterey

big_sur

catalina

tahoe_rev2

sequoia_rev4

visionos26_rev2

ios26_rev2

tahoe_rev1

visionos26_rev1

ios26_rev1

sonoma_rev5

sequoia_rev3

ios18_rev3

ios17_rev4

ventura_rev6

sonoma_rev4

sequoia_rev2

visionos_rev2

ios18_rev2.0

ios16_rev4

sequoia_rev1.1

ventura_rev5.1

ios18_rev1.1

sonoma_rev3.1

sequoia_rev1

visionos_rev1

ios18_rev1

ios17_rev3

ios16_rev3

ventura_rev5

sonoma_rev3

ventura_rev4

sonoma_rev2

ios17_rev2

ios16_rev2

monterey_rev6

sonoma_rev1

ventura_rev3

monterey_rev5

ios16_rev1

ios17_rev1

big_sur_rev7

monterey_rev4

ventura_rev2

ventura_rev1.1

monterey_rev3.1

big_sur_rev6.1

ventura_rev1

monterey_rev3

big_sur_rev6

monterey_rev2

catalina_rev6

big_sur_rev5

monterey_rev1

big_sur_rev4

catalina_rev5

big_sur_rev3

catalina_rev4

big_sur_rev2

catalina_rev3

big_sur_rev1

catalina_rev2

catalina_rev1

v0.9

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

michael

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: usnistgov/macos_security#128