usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 05:53:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

os_policy_banner_ssh_configure fails on Ventura even after remediation #172

New Issue
Closed
opened 2026-01-19 18:29:30 +00:00 by michael · 8 comments
michael commented 2026-01-19 18:29:30 +00:00
Owner
Copy Link

Originally created by @bernstei on GitHub.

Originally assigned to: @robertgendler on GitHub.

With the ventura dev branch and Ventura 13.4 os_policy_banner_ssh_configure fails because the grep -c $bannerText /etc/banner, which checks for the correct text, reports the number of lines that match, but since it's a multi-line string it's returning the number of lines = 13, rather than the 1 that the test seems to expect.

I have no idea whether this is new behavior from grep -c, but it should be fixed somehow. Could test for 13 (or better yet find some way to figure out how many lines are actually going to end up in the file from the string itself) or for >= 1. I'd suggest using the return status of grep -q, but that doesn't seem to work properly for me with multiline strings - it returns a match even when I pass the wrong string, e.g. concatenate something to the beginning of the banner string.

Originally created by @bernstei on GitHub. Originally assigned to: @robertgendler on GitHub. With the ventura dev branch and Ventura 13.4 `os_policy_banner_ssh_configure` fails because the `grep -c $bannerText /etc/banner`, which checks for the correct text, reports the number of lines that match, but since it's a multi-line string it's returning the number of lines = 13, rather than the 1 that the test seems to expect. I have no idea whether this is new behavior from `grep -c`, but it should be fixed somehow. Could test for 13 (or better yet find some way to figure out how many lines are actually going to end up in the file from the string itself) or for >= 1. I'd suggest using the return status of `grep -q`, but that doesn't seem to work properly for me with multiline strings - it returns a match even when I pass the wrong string, e.g. concatenate something to the beginning of the banner string.
michael commented 2026-01-19 18:29:30 +00:00
Author
Owner
Copy Link

@robertgendler commented on GitHub:

Well then the ODV would need to be changed if additional text is added.

I'll create a branch and switch it to the test.

@robertgendler commented on GitHub: Well then the ODV would need to be changed if additional text is added. I'll create a branch and switch it to the test.
michael commented 2026-01-19 18:29:30 +00:00
Author
Owner
Copy Link

@robertgendler commented on GitHub:

Good find!

  bannerText="$ODV"
  if /usr/bin/diff -q /etc/banner <(echo "$bannerText"); then
    echo "1"
  else
    echo "0"
  fi

Maybe this for the check instead.

@robertgendler commented on GitHub: Good find! ``` bannerText="$ODV" if /usr/bin/diff -q /etc/banner <(echo "$bannerText"); then echo "1" else echo "0" fi ``` Maybe this for the check instead.
michael commented 2026-01-19 18:29:30 +00:00
Author
Owner
Copy Link

@robertgendler commented on GitHub:

Well I found another way also
test "$(cat /etc/banner)" = "$bannerText" && echo "1" || echo "0"

I think I like test better as it won't fail if there's an additional return character at the end.

Thoughts on either?

@robertgendler commented on GitHub: Well I found another way also `test "$(cat /etc/banner)" = "$bannerText" && echo "1" || echo "0"` I think I like test better as it won't fail if there's an additional return character at the end. Thoughts on either?
michael commented 2026-01-19 18:29:30 +00:00
Author
Owner
Copy Link

@bernstei commented on GitHub:

Looks plausible to me (although I can believe there could be issues with newlines, etc). Do you want to make a branch, or should I just patch my script and test it live?

@bernstei commented on GitHub: Looks plausible to me (although I can believe there could be issues with newlines, etc). Do you want to make a branch, or should I just patch my script and test it live?
michael commented 2026-01-19 18:29:30 +00:00
Author
Owner
Copy Link

@bernstei commented on GitHub:

I like the test based one as well, although both it and the diff based one will fail if there's additional text in the banner, which I'm not sure is desirable.

@bernstei commented on GitHub: I like the `test` based one as well, although both it and the diff based one will fail if there's additional text in the banner, which I'm not sure is desirable.
michael commented 2026-01-19 18:29:30 +00:00
Author
Owner
Copy Link

@georgalis commented on GitHub:

You could test a grep for the banner string, but that would pass if, for example, the standard banner was followed by a clear screen char, or other ways the banner might be obfuscated, yet still there. I'd recommend test = '$banner_text" it could still be obfuscated with characters in user profile, but that's on the user, I guess. Also, for testing, cmd && echo 0 || echo 1 is better representative of the signals (exit codes) in play, though I typically use y and n when I don't typo ;-)

@georgalis commented on GitHub: You could test a grep for the banner string, but that would pass if, for example, the standard banner was followed by a clear screen char, or other ways the banner might be obfuscated, yet still there. I'd recommend test `= '$banner_text"` it could still be obfuscated with characters in user profile, but that's on the user, I guess. Also, for testing, `cmd && echo 0 || echo 1` is better representative of the signals (exit codes) in play, though I typically use y and n when I don't typo ;-)
michael commented 2026-01-19 18:29:30 +00:00
Author
Owner
Copy Link

@bernstei commented on GitHub:

I was more thinking of someone went in and edited to add another line after the DoD standard banner. I guess the remediation script would overwrite that, so it's not a idea anyway.

@bernstei commented on GitHub: I was more thinking of someone went in and edited to add another line after the DoD standard banner. I guess the remediation script would overwrite that, so it's not a idea anyway.
michael commented 2026-01-19 18:29:30 +00:00
Author
Owner
Copy Link

@georgalis commented on GitHub:

regarding exit codes, if you are using bash or a compatible shell, this has been very helpful:
export PS1="\${?%0} \u@\h:\w "
the "$? variable expansion" will prepend your prompt with the exit code, unless the prior command exited without error. For example, a script can be littered with exit 2 ; exit 3 ; exit 4 ; exit 5 within logic, to identify the specific break point in play, for debugging.

@georgalis commented on GitHub: regarding exit codes, if you are using bash or a compatible shell, this has been very helpful: `export PS1="\${?%0} \u@\h:\w "` the "`$?` variable expansion" will prepend your prompt with the exit code, unless the prior command exited without error. For example, a script can be littered with `exit 2 ; exit 3 ; exit 4 ; exit 5` within logic, to identify the specific break point in play, for debugging.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
michael
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: usnistgov/macos_security#172
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?